Merge pull request #2417 from tonistiigi/update-buildkit-240417

vendor: update buildkit to 71f99c52a669

.github/dependabot.yml

@@ -5,6 +5,11 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
+    ignore:
+      # ignore this dependency
+      # it seems a bug with dependabot as pining to commit sha should not
+      # trigger a new version: https://github.com/docker/buildx/pull/2222#issuecomment-1919092153
+      - dependency-name: "docker/docs"
     labels:
       - "dependencies"
       - "bot"

.github/workflows/build.yml

@@ -24,57 +24,70 @@ env:
   REPO_SLUG: "docker/buildx-bin"
   DESTDIR: "./bin"
   TEST_CACHE_SCOPE: "test"
+  TESTFLAGS: "-v --parallel=6 --timeout=30m"
+  GOTESTSUM_FORMAT: "standard-verbose"
+  GO_VERSION: "1.21"
+  GOTESTSUM_VERSION: "v1.9.0"  # same as one in Dockerfile
 
 jobs:
-  prepare-test:
+  test-integration:
     runs-on: ubuntu-22.04
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
-      -
-        name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-        with:
-          version: ${{ env.BUILDX_VERSION }}
-          driver-opts: image=${{ env.BUILDKIT_IMAGE }}
-          buildkitd-flags: --debug
-      -
-        name: Build
-        uses: docker/bake-action@v4
-        with:
-          targets: integration-test-base
-          set: |
-            *.cache-from=type=gha,scope=${{ env.TEST_CACHE_SCOPE }}
-            *.cache-to=type=gha,scope=${{ env.TEST_CACHE_SCOPE }}
-
-  test:
-    runs-on: ubuntu-22.04
-    needs:
-      - prepare-test
     env:
-      TESTFLAGS: "-v --parallel=6 --timeout=30m"
       TESTFLAGS_DOCKER: "-v --parallel=1 --timeout=30m"
-      GOTESTSUM_FORMAT: "standard-verbose"
       TEST_IMAGE_BUILD: "0"
       TEST_IMAGE_ID: "buildx-tests"
     strategy:
       fail-fast: false
       matrix:
+        buildkit:
+          - master
+          - latest
+          - buildx-stable-1
+          - v0.13.1
+          - v0.12.5
+          - v0.11.6
         worker:
-          - docker
-          - docker\+containerd  # same as docker, but with containerd snapshotter
           - docker-container
           - remote
         pkg:
           - ./tests
+        mode:
+          - ""
+          - experimental
         include:
-          - pkg: ./...
+          - worker: docker
-            skip-integration-tests: 1
+            pkg: ./tests
+          - worker: docker+containerd  # same as docker, but with containerd snapshotter
+            pkg: ./tests
+          - worker: docker
+            pkg: ./tests
+            mode: experimental
+          - worker: docker+containerd  # same as docker, but with containerd snapshotter
+            pkg: ./tests
+            mode: experimental
     steps:
+      -
+        name: Prepare
+        run: |
+          echo "TESTREPORTS_NAME=${{ github.job }}-$(echo "${{ matrix.pkg }}-${{ matrix.buildkit }}-${{ matrix.worker }}-${{ matrix.mode }}" | tr -dc '[:alnum:]-\n\r' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV
+          if [ -n "${{ matrix.buildkit }}" ]; then
+            echo "TEST_BUILDKIT_TAG=${{ matrix.buildkit }}" >> $GITHUB_ENV
+          fi
+          testFlags="--run=//worker=$(echo "${{ matrix.worker }}" | sed 's/\+/\\+/g')$"
+          case "${{ matrix.worker }}" in
+            docker | docker+containerd)
+              echo "TESTFLAGS=${{ env.TESTFLAGS_DOCKER }} $testFlags" >> $GITHUB_ENV
+              ;;
+            *)
+              echo "TESTFLAGS=${{ env.TESTFLAGS }} $testFlags" >> $GITHUB_ENV
+              ;;
+          esac
+          if [[ "${{ matrix.worker }}" == "docker"* ]]; then
+            echo "TEST_DOCKERD=1" >> $GITHUB_ENV
+          fi
+          if [ "${{ matrix.mode }}" = "experimental" ]; then
+            echo "TEST_BUILDX_EXPERIMENTAL=1" >> $GITHUB_ENV
+          fi
       -
         name: Checkout
         uses: actions/checkout@v4
@@ -96,38 +109,108 @@ jobs:
         with:
           targets: integration-test
           set: |
-            *.cache-from=type=gha,scope=${{ env.TEST_CACHE_SCOPE }}
             *.output=type=docker,name=${{ env.TEST_IMAGE_ID }}
       -
         name: Test
         run: |
-          export TEST_REPORT_SUFFIX=-${{ github.job }}-$(echo "${{ matrix.pkg }}-${{ matrix.skip-integration-tests }}-${{ matrix.worker }}" | tr -dc '[:alnum:]-\n\r' | tr '[:upper:]' '[:lower:]')
           ./hack/test
         env:
-          TEST_DOCKERD: "${{ startsWith(matrix.worker, 'docker') && '1' || '0' }}"
+          TEST_REPORT_SUFFIX: "-${{ env.TESTREPORTS_NAME }}"
-          TESTFLAGS: "${{ (matrix.worker == 'docker' || matrix.worker == 'docker\\+containerd') && env.TESTFLAGS_DOCKER || env.TESTFLAGS }} --run=//worker=${{ matrix.worker }}$"
           TESTPKGS: "${{ matrix.pkg }}"
-          SKIP_INTEGRATION_TESTS: "${{ matrix.skip-integration-tests }}"
       -
         name: Send to Codecov
         if: always()
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@v4
         with:
           directory: ./bin/testreports
+          flags: integration
+          token: ${{ secrets.CODECOV_TOKEN }}
       -
         name: Generate annotations
         if: always()
-        uses: crazy-max/.github/.github/actions/gotest-annotations@1a64ea6d01db9a48aa61954cb20e265782c167d9
+        uses: crazy-max/.github/.github/actions/gotest-annotations@fa6141aedf23596fb8bdcceab9cce8dadaa31bd9
         with:
           directory: ./bin/testreports
       -
         name: Upload test reports
         if: always()
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
-          name: test-reports
+          name: test-reports-${{ env.TESTREPORTS_NAME }}
           path: ./bin/testreports
 
+  test-unit:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+          - ubuntu-22.04
+          - macos-12
+          - windows-2022
+    env:
+      SKIP_INTEGRATION_TESTS: 1
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "${{ env.GO_VERSION }}"
+      -
+        name: Prepare
+        run: |
+          testreportsName=${{ github.job }}--${{ matrix.os }}
+          testreportsBaseDir=./bin/testreports
+          testreportsDir=$testreportsBaseDir/$testreportsName
+          echo "TESTREPORTS_NAME=$testreportsName" >> $GITHUB_ENV
+          echo "TESTREPORTS_BASEDIR=$testreportsBaseDir" >> $GITHUB_ENV
+          echo "TESTREPORTS_DIR=$testreportsDir" >> $GITHUB_ENV
+          mkdir -p $testreportsDir
+        shell: bash
+      -
+        name: Install gotestsum
+        run: |
+          go install gotest.tools/gotestsum@${{ env.GOTESTSUM_VERSION }}
+      -
+        name: Test
+        env:
+          TMPDIR: ${{ runner.temp }}
+        run: |
+          gotestsum \
+            --jsonfile="${{ env.TESTREPORTS_DIR }}/go-test-report.json" \
+            --junitfile="${{ env.TESTREPORTS_DIR }}/junit-report.xml" \
+            --packages="./..." \
+            -- \
+              "-mod=vendor" \
+              "-coverprofile" "${{ env.TESTREPORTS_DIR }}/coverage.txt" \
+              "-covermode" "atomic" ${{ env.TESTFLAGS }}
+        shell: bash
+      -
+        name: Send to Codecov
+        if: always()
+        uses: codecov/codecov-action@v4
+        with:
+          directory: ${{ env.TESTREPORTS_DIR }}
+          env_vars: RUNNER_OS
+          flags: unit
+          token: ${{ secrets.CODECOV_TOKEN }}
+      -
+        name: Generate annotations
+        if: always()
+        uses: crazy-max/.github/.github/actions/gotest-annotations@fa6141aedf23596fb8bdcceab9cce8dadaa31bd9
+        with:
+          directory: ${{ env.TESTREPORTS_DIR }}
+      -
+        name: Upload test reports
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: test-reports-${{ env.TESTREPORTS_NAME }}
+          path: ${{ env.TESTREPORTS_BASEDIR }}
+
   prepare-binaries:
     runs-on: ubuntu-22.04
     outputs:
@@ -183,16 +266,17 @@ jobs:
           CACHE_TO: type=gha,scope=binaries-${{ env.PLATFORM_PAIR }},mode=max
       -
         name: Upload artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
-          name: buildx
+          name: buildx-${{ env.PLATFORM_PAIR }}
           path: ${{ env.DESTDIR }}/*
           if-no-files-found: error
 
   bin-image:
     runs-on: ubuntu-22.04
     needs:
-      - test
+      - test-integration
+      - test-unit
     if: ${{ github.event_name != 'pull_request' && github.repository == 'docker/buildx' }}
     steps:
       -
@@ -225,8 +309,8 @@ jobs:
         if: github.event_name != 'pull_request'
         uses: docker/login-action@v3
         with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          username: ${{ vars.DOCKERPUBLICBOT_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
+          password: ${{ secrets.DOCKERPUBLICBOT_WRITE_PAT }}
       -
         name: Build and push image
         uses: docker/bake-action@v4
@@ -244,7 +328,8 @@ jobs:
   release:
     runs-on: ubuntu-22.04
     needs:
-      - test
+      - test-integration
+      - test-unit
       - binaries
     steps:
       -
@@ -252,10 +337,11 @@ jobs:
         uses: actions/checkout@v4
       -
         name: Download binaries
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
-          name: buildx
           path: ${{ env.DESTDIR }}
+          pattern: buildx-*
+          merge-multiple: true
       -
         name: Create checksums
         run: ./hack/hash-files
@@ -270,33 +356,9 @@ jobs:
       -
         name: GitHub Release
         if: startsWith(github.ref, 'refs/tags/v')
-        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
+        uses: softprops/action-gh-release@9d7c94cfd0a1f3ed45544c887983e9fa900f0564  # v2.0.4
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           draft: true
           files: ${{ env.DESTDIR }}/*
-
-  buildkit-edge:
-    runs-on: ubuntu-22.04
-    continue-on-error: true
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
-      -
-        name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-        with:
-          version: ${{ env.BUILDX_VERSION }}
-          driver-opts: image=moby/buildkit:master
-          buildkitd-flags: --debug
-      -
-        # Just run a bake target to check eveything runs fine
-        name: Build
-        uses: docker/bake-action@v4
-        with:
-          targets: binaries

.github/workflows/codeql.yml

@@ -13,7 +13,7 @@ permissions:
   security-events: write
 
 env:
-  GO_VERSION: 1.21.3
+  GO_VERSION: "1.21"
 
 jobs:
   codeql:
@@ -24,19 +24,19 @@ jobs:
         uses: actions/checkout@v4
       -
         name: Set up Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
           go-version: ${{ env.GO_VERSION }}
       -
         name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@v3
         with:
           languages: go
       -
         name: Autobuild
-        uses: github/codeql-action/autobuild@v2
+        uses: github/codeql-action/autobuild@v3
       -
         name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+        uses: github/codeql-action/analyze@v3
         with:
           category: "/language:go"

.github/workflows/docs-release.yml

@@ -1,6 +1,11 @@
 name: docs-release
 
 on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Git tag'
+        required: true
   release:
     types:
       - released
@@ -8,7 +13,7 @@ on:
 jobs:
   open-pr:
     runs-on: ubuntu-22.04
-    if: ${{ github.event.release.prerelease != true && github.repository == 'docker/buildx' }}
+    if: ${{ (github.event.release.prerelease != true || github.event.inputs.tag != '') && github.repository == 'docker/buildx' }}
     steps:
       -
         name: Checkout docs repo
@@ -20,39 +25,47 @@ jobs:
       -
         name: Prepare
         run: |
-          rm -rf ./_data/buildx/*
+          rm -rf ./data/buildx/*
+          if [ -n "${{ github.event.inputs.tag }}" ]; then
+            echo "RELEASE_NAME=${{ github.event.inputs.tag }}" >> $GITHUB_ENV
+          else
+            echo "RELEASE_NAME=${{ github.event.release.name }}" >> $GITHUB_ENV
+          fi
       -
         name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       -
-        name: Build docs
+        name: Generate yaml
         uses: docker/bake-action@v4
         with:
-          source: ${{ github.server_url }}/${{ github.repository }}.git#${{ github.event.release.name }}
+          source: ${{ github.server_url }}/${{ github.repository }}.git#${{ env.RELEASE_NAME }}
           targets: update-docs
+          provenance: false
           set: |
             *.output=/tmp/buildx-docs
         env:
           DOCS_FORMATS: yaml
       -
-        name: Copy files
+        name: Copy yaml
         run: |
-          cp /tmp/buildx-docs/out/reference/*.yaml ./_data/buildx/
+          cp /tmp/buildx-docs/out/reference/*.yaml ./data/buildx/
       -
-        name: Commit changes
+        name: Update vendor
         run: |
-          git add -A .
+          make vendor
+        env:
+          VENDOR_MODULE: github.com/docker/buildx@${{ env.RELEASE_NAME }}
       -
         name: Create PR on docs repo
-        uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38
+        uses: peter-evans/create-pull-request@c55203cfde3e5c11a452d352b4393e68b85b4533  # v6.0.3
         with:
           token: ${{ secrets.GHPAT_DOCS_DISPATCH }}
           push-to-fork: docker-tools-robot/docker.github.io
-          commit-message: "build: update buildx reference to ${{ github.event.release.name }}"
+          commit-message: "vendor: github.com/docker/buildx ${{ env.RELEASE_NAME }}"
           signoff: true
-          branch: dispatch/buildx-ref-${{ github.event.release.name }}
+          branch: dispatch/buildx-ref-${{ env.RELEASE_NAME }}
           delete-branch: true
-          title: Update buildx reference to ${{ github.event.release.name }}
+          title: Update buildx reference to ${{ env.RELEASE_NAME }}
           body: |
-            Update the buildx reference documentation to keep in sync with the latest release `${{ github.event.release.name }}`
+            Update the buildx reference documentation to keep in sync with the latest release `${{ env.RELEASE_NAME }}`
           draft: false

.github/workflows/docs-upstream.yml

@@ -37,6 +37,7 @@ jobs:
         uses: docker/bake-action@v4
         with:
           targets: update-docs
+          provenance: false
           set: |
             *.output=/tmp/buildx-docs
             *.cache-from=type=gha,scope=docs-yaml
@@ -45,18 +46,18 @@ jobs:
           DOCS_FORMATS: yaml
       -
         name: Upload reference YAML docs
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: docs-yaml
           path: /tmp/buildx-docs/out/reference
           retention-days: 1
 
   validate:
-    uses: docker/docs/.github/workflows/validate-upstream.yml@main
+    uses: docker/docs/.github/workflows/validate-upstream.yml@6b73b05acb21edf7995cc5b3c6672d8e314cee7a  # pin for artifact v4 support: https://github.com/docker/docs/pull/19220
     needs:
       - docs-yaml
     with:
       module-name: docker/buildx
       data-files-id: docs-yaml
       data-files-folder: buildx
-      data-files-placeholder-folder: engine/reference/commandline
+      create-placeholder-stubs: true

.github/workflows/e2e.yml

@@ -46,7 +46,7 @@ jobs:
           mv ${{ env.DESTDIR }}/build/buildx ${{ env.DESTDIR }}/build/docker-buildx
       -
         name: Upload artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: binary
           path: ${{ env.DESTDIR }}/build
@@ -82,6 +82,8 @@ jobs:
             driver-opt: qemu.install=true
           - driver: remote
             endpoint: tcp://localhost:1234
+          - driver: docker-container
+            metadata-provenance: max
         exclude:
           - driver: docker
             multi-node: mnode-true
@@ -103,7 +105,7 @@ jobs:
         if: matrix.driver == 'docker' || matrix.driver == 'docker-container'
       -
         name: Install buildx
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: binary
           path: /home/runner/.docker/cli-plugins
@@ -129,70 +131,15 @@ jobs:
           else
             echo "MULTI_NODE=0" >> $GITHUB_ENV
           fi
+          if [ -n "${{ matrix.metadata-provenance }}" ]; then
+            echo "BUILDX_METADATA_PROVENANCE=${{ matrix.metadata-provenance }}" >> $GITHUB_ENV
+          fi
       -
         name: Install k3s
         if: matrix.driver == 'kubernetes'
-        uses: actions/github-script@v6
+        uses: crazy-max/.github/.github/actions/install-k3s@fa6141aedf23596fb8bdcceab9cce8dadaa31bd9
         with:
-          script: |
+          version: ${{ env.K3S_VERSION }}
-            const fs = require('fs');
-            
-            let wait = function(milliseconds) {
-              return new Promise((resolve, reject) => {
-                if (typeof(milliseconds) !== 'number') { 
-                  throw new Error('milleseconds not a number'); 
-                }
-                setTimeout(() => resolve("done!"), milliseconds)
-              });
-            }
-            
-            try {
-              const kubeconfig="/tmp/buildkit-k3s/kubeconfig.yaml";
-              core.info(`storing kubeconfig in ${kubeconfig}`);
-          
-              await exec.exec('docker', ["run", "-d",
-                "--privileged",
-                "--name=buildkit-k3s",
-                "-e", "K3S_KUBECONFIG_OUTPUT="+kubeconfig,
-                "-e", "K3S_KUBECONFIG_MODE=666",
-                "-v", "/tmp/buildkit-k3s:/tmp/buildkit-k3s",
-                "-p", "6443:6443",
-                "-p", "80:80",
-                "-p", "443:443",
-                "-p", "8080:8080",
-                "rancher/k3s:${{ env.K3S_VERSION }}", "server"
-              ]);
-              await wait(10000);
-              
-              core.exportVariable('KUBECONFIG', kubeconfig);
-              
-              let nodeName;
-              for (let count = 1; count <= 5; count++) {
-                try {
-                  const nodeNameOutput = await exec.getExecOutput("kubectl get nodes --no-headers -oname");
-                  nodeName = nodeNameOutput.stdout
-                } catch (error) {
-                  core.info(`Unable to resolve node name (${error.message}). Attempt ${count} of 5.`)
-                } finally {
-                  if (nodeName) {
-                    break;
-                  }
-                  await wait(5000);
-                }
-              }
-              if (!nodeName) {
-                throw new Error(`Unable to resolve node name after 5 attempts.`);
-              }
-              
-              await exec.exec(`kubectl wait --for=condition=Ready ${nodeName}`);
-            } catch (error) {
-              core.setFailed(error.message);
-            }
-      -
-        name: Print KUBECONFIG
-        if: matrix.driver == 'kubernetes'
-        run: |
-          yq ${{ env.KUBECONFIG }}
       -
         name: Launch remote buildkitd
         if: matrix.driver == 'remote'

.github/workflows/validate.yml

@@ -28,6 +28,12 @@ jobs:
           - validate-docs
           - validate-generated-files
     steps:
+      -
+        name: Prepare
+        run: |
+          if [ "$GITHUB_REPOSITORY" = "docker/buildx" ]; then
+            echo "GOLANGCI_LINT_MULTIPLATFORM=1" >> $GITHUB_ENV
+          fi
       -
         name: Checkout
         uses: actions/checkout@v4

.golangci.yml

@@ -1,5 +1,5 @@
 run:
-  timeout: 10m
+  timeout: 30m
   skip-files:
     - ".*\\.pb\\.go$"
 

Dockerfile

@@ -1,17 +1,22 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.21.3
+ARG GO_VERSION=1.21
-ARG XX_VERSION=1.2.1
+ARG XX_VERSION=1.4.0
 
-ARG DOCKER_VERSION=24.0.6
+# for testing
+ARG DOCKER_VERSION=26.0.0
 ARG GOTESTSUM_VERSION=v1.9.0
 ARG REGISTRY_VERSION=2.8.0
-ARG BUILDKIT_VERSION=v0.11.6
+ARG BUILDKIT_VERSION=v0.13.1
+ARG UNDOCK_VERSION=0.7.0
 
-# xx is a helper for cross-compilation
 FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
-
 FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine AS golatest
+FROM moby/moby-bin:$DOCKER_VERSION AS docker-engine
+FROM dockereng/cli-bin:$DOCKER_VERSION AS docker-cli
+FROM registry:$REGISTRY_VERSION AS registry
+FROM moby/buildkit:$BUILDKIT_VERSION AS buildkit
+FROM crazymax/undock:$UNDOCK_VERSION AS undock
 
 FROM golatest AS gobase
 COPY --from=xx / /
@@ -20,26 +25,6 @@ ENV GOFLAGS=-mod=vendor
 ENV CGO_ENABLED=0
 WORKDIR /src
 
-FROM registry:$REGISTRY_VERSION AS registry
-
-FROM moby/buildkit:$BUILDKIT_VERSION AS buildkit
-
-FROM gobase AS docker
-ARG TARGETPLATFORM
-ARG DOCKER_VERSION
-WORKDIR /opt/docker
-RUN DOCKER_ARCH=$(case ${TARGETPLATFORM:-linux/amd64} in \
-    "linux/amd64")   echo "x86_64"  ;; \
-    "linux/arm/v6")  echo "armel"   ;; \
-    "linux/arm/v7")  echo "armhf"   ;; \
-    "linux/arm64")   echo "aarch64" ;; \
-    "linux/ppc64le") echo "ppc64le" ;; \
-    "linux/s390x")   echo "s390x"   ;; \
-    *)               echo ""        ;; esac) \
-  && echo "DOCKER_ARCH=$DOCKER_ARCH" \
-  && wget -qO- "https://download.docker.com/linux/static/stable/${DOCKER_ARCH}/docker-${DOCKER_VERSION}.tgz" | tar xvz --strip 1
-RUN ./dockerd --version && ./containerd --version && ./ctr --version && ./runc --version
-
 FROM gobase AS gotestsum
 ARG GOTESTSUM_VERSION
 ENV GOFLAGS=
@@ -105,9 +90,11 @@ RUN apk add --no-cache \
       xz
 COPY --link --from=gotestsum /out/gotestsum /usr/bin/
 COPY --link --from=registry /bin/registry /usr/bin/
-COPY --link --from=docker /opt/docker/* /usr/bin/
+COPY --link --from=docker-engine / /usr/bin/
+COPY --link --from=docker-cli / /usr/bin/
 COPY --link --from=buildkit /usr/bin/buildkitd /usr/bin/
 COPY --link --from=buildkit /usr/bin/buildctl /usr/bin/
+COPY --link --from=undock /usr/local/bin/undock /usr/bin/
 COPY --link --from=binaries /buildx /usr/bin/
 
 FROM integration-test-base AS integration-test

bake/bake.go

@@ -13,7 +13,7 @@ import (
 	"strings"
 	"time"
 
-	composecli "github.com/compose-spec/compose-go/cli"
+	composecli "github.com/compose-spec/compose-go/v2/cli"
 	"github.com/docker/buildx/bake/hclparser"
 	"github.com/docker/buildx/build"
 	controllerapi "github.com/docker/buildx/controller/pb"
@@ -21,6 +21,7 @@ import (
 	"github.com/docker/buildx/util/platformutil"
 	"github.com/docker/buildx/util/progress"
 	"github.com/docker/cli/cli/config"
+	dockeropts "github.com/docker/cli/opts"
 	hcl "github.com/hashicorp/hcl/v2"
 	"github.com/moby/buildkit/client"
 	"github.com/moby/buildkit/client/llb"
@@ -699,6 +700,8 @@ type Target struct {
 	NoCache          *bool              `json:"no-cache,omitempty" hcl:"no-cache,optional" cty:"no-cache"`
 	NetworkMode      *string            `json:"-" hcl:"-" cty:"-"`
 	NoCacheFilter    []string           `json:"no-cache-filter,omitempty" hcl:"no-cache-filter,optional" cty:"no-cache-filter"`
+	ShmSize          *string            `json:"shm-size,omitempty" hcl:"shm-size,optional"`
+	Ulimits          []string           `json:"ulimits,omitempty" hcl:"ulimits,optional"`
 	// IMPORTANT: if you add more fields here, do not forget to update newOverrides and docs/bake-reference.md.
 
 	// linked is a private field to mark a target used as a linked one
@@ -721,6 +724,7 @@ func (t *Target) normalize() {
 	t.CacheTo = removeDupes(t.CacheTo)
 	t.Outputs = removeDupes(t.Outputs)
 	t.NoCacheFilter = removeDupes(t.NoCacheFilter)
+	t.Ulimits = removeDupes(t.Ulimits)
 
 	for k, v := range t.Contexts {
 		if v == "" {
@@ -809,6 +813,12 @@ func (t *Target) Merge(t2 *Target) {
 	if t2.NoCacheFilter != nil { // merge
 		t.NoCacheFilter = append(t.NoCacheFilter, t2.NoCacheFilter...)
 	}
+	if t2.ShmSize != nil { // no merge
+		t.ShmSize = t2.ShmSize
+	}
+	if t2.Ulimits != nil { // merge
+		t.Ulimits = append(t.Ulimits, t2.Ulimits...)
+	}
 	t.Inherits = append(t.Inherits, t2.Inherits...)
 }
 
@@ -873,6 +883,10 @@ func (t *Target) AddOverrides(overrides map[string]Override) error {
 			t.NoCache = &noCache
 		case "no-cache-filter":
 			t.NoCacheFilter = o.ArrValue
+		case "shm-size":
+			t.ShmSize = &value
+		case "ulimits":
+			t.Ulimits = o.ArrValue
 		case "pull":
 			pull, err := strconv.ParseBool(value)
 			if err != nil {
@@ -880,19 +894,17 @@ func (t *Target) AddOverrides(overrides map[string]Override) error {
 			}
 			t.Pull = &pull
 		case "push":
-			_, err := strconv.ParseBool(value)
+			push, err := strconv.ParseBool(value)
 			if err != nil {
 				return errors.Errorf("invalid value %s for boolean key push", value)
 			}
-			if len(t.Outputs) == 0 {
+			t.Outputs = setPushOverride(t.Outputs, push)
-				t.Outputs = append(t.Outputs, "type=image,push=true")
+		case "load":
-			} else {
+			load, err := strconv.ParseBool(value)
-				for i, output := range t.Outputs {
+			if err != nil {
-					if typ := parseOutputType(output); typ == "image" || typ == "registry" {
+				return errors.Errorf("invalid value %s for boolean key load", value)
-						t.Outputs[i] = t.Outputs[i] + ",push=" + value
-					}
-				}
 			}
+			t.Outputs = setLoadOverride(t.Outputs, load)
 		default:
 			return errors.Errorf("unknown key: %s", keys[0])
 		}
@@ -1011,12 +1023,17 @@ func (t *Target) GetName(ectx *hcl.EvalContext, block *hcl.Block, loadDeps func(
 }
 
 func TargetsToBuildOpt(m map[string]*Target, inp *Input) (map[string]build.Options, error) {
+	// make sure local credentials are loaded multiple times for different targets
+	dockerConfig := config.LoadDefaultConfigFile(os.Stderr)
+	authProvider := authprovider.NewDockerAuthProvider(dockerConfig, nil)
+
 	m2 := make(map[string]build.Options, len(m))
 	for k, v := range m {
 		bo, err := toBuildOpt(v, inp)
 		if err != nil {
 			return nil, err
 		}
+		bo.Session = append(bo.Session, authProvider)
 		m2[k] = *bo
 	}
 	return m2, nil
@@ -1228,6 +1245,12 @@ func toBuildOpt(t *Target, inp *Input) (*build.Options, error) {
 	if t.NetworkMode != nil {
 		networkMode = *t.NetworkMode
 	}
+	shmSize := new(dockeropts.MemBytes)
+	if t.ShmSize != nil {
+		if err := shmSize.Set(*t.ShmSize); err != nil {
+			return nil, errors.Errorf("invalid value %s for membytes key shm-size", *t.ShmSize)
+		}
+	}
 
 	bo := &build.Options{
 		Inputs:        bi,
@@ -1239,6 +1262,7 @@ func toBuildOpt(t *Target, inp *Input) (*build.Options, error) {
 		Pull:          pull,
 		NetworkMode:   networkMode,
 		Linked:        t.linked,
+		ShmSize:       *shmSize,
 	}
 
 	platforms, err := platformutil.Parse(t.Platforms)
@@ -1247,9 +1271,6 @@ func toBuildOpt(t *Target, inp *Input) (*build.Options, error) {
 	}
 	bo.Platforms = platforms
 
-	dockerConfig := config.LoadDefaultConfigFile(os.Stderr)
-	bo.Session = append(bo.Session, authprovider.NewDockerAuthProvider(dockerConfig, nil))
-
 	secrets, err := buildflags.ParseSecretSpecs(t.Secrets)
 	if err != nil {
 		return nil, err
@@ -1319,6 +1340,14 @@ func toBuildOpt(t *Target, inp *Input) (*build.Options, error) {
 		return nil, err
 	}
 
+	ulimits := dockeropts.NewUlimitOpt(nil)
+	for _, field := range t.Ulimits {
+		if err := ulimits.Set(field); err != nil {
+			return nil, err
+		}
+	}
+	bo.Ulimits = ulimits
+
 	return bo, nil
 }
 
@@ -1363,23 +1392,90 @@ func removeAttestDupes(s []string) []string {
 	return res
 }
 
-func parseOutputType(str string) string {
+func parseOutput(str string) map[string]string {
 	csvReader := csv.NewReader(strings.NewReader(str))
 	fields, err := csvReader.Read()
 	if err != nil {
-		return ""
+		return nil
 	}
+	res := map[string]string{}
 	for _, field := range fields {
 		parts := strings.SplitN(field, "=", 2)
 		if len(parts) == 2 {
-			if parts[0] == "type" {
+			res[parts[0]] = parts[1]
-				return parts[1]
+		}
-			}
+	}
+	return res
+}
+
+func parseOutputType(str string) string {
+	if out := parseOutput(str); out != nil {
+		if v, ok := out["type"]; ok {
+			return v
 		}
 	}
 	return ""
 }
 
+func setPushOverride(outputs []string, push bool) []string {
+	var out []string
+	setPush := true
+	for _, output := range outputs {
+		typ := parseOutputType(output)
+		if typ == "image" || typ == "registry" {
+			// no need to set push if image or registry types already defined
+			setPush = false
+			if typ == "registry" {
+				if !push {
+					// don't set registry output if "push" is false
+					continue
+				}
+				// no need to set "push" attribute to true for registry
+				out = append(out, output)
+				continue
+			}
+			out = append(out, output+",push="+strconv.FormatBool(push))
+		} else {
+			if typ != "docker" {
+				// if there is any output that is not docker, don't set "push"
+				setPush = false
+			}
+			out = append(out, output)
+		}
+	}
+	if push && setPush {
+		out = append(out, "type=image,push=true")
+	}
+	return out
+}
+
+func setLoadOverride(outputs []string, load bool) []string {
+	if !load {
+		return outputs
+	}
+	setLoad := true
+	for _, output := range outputs {
+		if typ := parseOutputType(output); typ == "docker" {
+			if v := parseOutput(output); v != nil {
+				// dest set means we want to output as tar so don't set load
+				if _, ok := v["dest"]; !ok {
+					setLoad = false
+					break
+				}
+			}
+		} else if typ != "image" && typ != "registry" && typ != "oci" {
+			// if there is any output that is not an image, registry
+			// or oci, don't set "load" similar to push override
+			setLoad = false
+			break
+		}
+	}
+	if setLoad {
+		outputs = append(outputs, "type=docker")
+	}
+	return outputs
+}
+
 func validateTargetName(name string) error {
 	if !targetNamePattern.MatchString(name) {
 		return errors.Errorf("only %q are allowed", validTargetNameChars)

bake/bake_test.go

@@ -22,6 +22,8 @@ target "webDEP" {
 		VAR_BOTH = "webDEP"
 	}
 	no-cache = true
+	shm-size = "128m"
+	ulimits = ["nofile=1024:1024"]
 }
 
 target "webapp" {
@@ -45,6 +47,8 @@ target "webapp" {
 		require.Equal(t, ".", *m["webapp"].Context)
 		require.Equal(t, ptrstr("webDEP"), m["webapp"].Args["VAR_INHERITED"])
 		require.Equal(t, true, *m["webapp"].NoCache)
+		require.Equal(t, "128m", *m["webapp"].ShmSize)
+		require.Equal(t, []string{"nofile=1024:1024"}, m["webapp"].Ulimits)
 		require.Nil(t, m["webapp"].Pull)
 
 		require.Equal(t, 1, len(g))
@@ -129,6 +133,12 @@ target "webapp" {
 		require.Equal(t, []string{"webapp"}, g["default"].Targets)
 	})
 
+	t.Run("ShmSizeOverride", func(t *testing.T) {
+		m, _, err := ReadTargets(ctx, []File{fp}, []string{"webapp"}, []string{"webapp.shm-size=256m"}, nil)
+		require.NoError(t, err)
+		require.Equal(t, "256m", *m["webapp"].ShmSize)
+	})
+
 	t.Run("PullOverride", func(t *testing.T) {
 		t.Parallel()
 		m, g, err := ReadTargets(ctx, []File{fp}, []string{"webapp"}, []string{"webapp.pull=false"}, nil)
@@ -207,48 +217,252 @@ target "webapp" {
 }
 
 func TestPushOverride(t *testing.T) {
-	t.Parallel()
+	t.Run("empty output", func(t *testing.T) {
+		fp := File{
+			Name: "docker-bake.hcl",
+			Data: []byte(
+				`target "app" {
+			}`),
+		}
+		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"app"}, []string{"*.push=true"}, nil)
+		require.NoError(t, err)
+		require.Equal(t, 1, len(m["app"].Outputs))
+		require.Equal(t, "type=image,push=true", m["app"].Outputs[0])
+	})
 
-	fp := File{
+	t.Run("type image", func(t *testing.T) {
-		Name: "docker-bake.hcl",
+		fp := File{
-		Data: []byte(
+			Name: "docker-bake.hcl",
-			`target "app" {
+			Data: []byte(
+				`target "app" {
 				output = ["type=image,compression=zstd"]
 			}`),
-	}
+		}
-	ctx := context.TODO()
+		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"app"}, []string{"*.push=true"}, nil)
-	m, _, err := ReadTargets(ctx, []File{fp}, []string{"app"}, []string{"*.push=true"}, nil)
+		require.NoError(t, err)
-	require.NoError(t, err)
+		require.Equal(t, 1, len(m["app"].Outputs))
+		require.Equal(t, "type=image,compression=zstd,push=true", m["app"].Outputs[0])
+	})
 
-	require.Equal(t, 1, len(m["app"].Outputs))
+	t.Run("type image push false", func(t *testing.T) {
-	require.Equal(t, "type=image,compression=zstd,push=true", m["app"].Outputs[0])
+		fp := File{
-
+			Name: "docker-bake.hcl",
-	fp = File{
+			Data: []byte(
-		Name: "docker-bake.hcl",
+				`target "app" {
-		Data: []byte(
-			`target "app" {
 				output = ["type=image,compression=zstd"]
 			}`),
-	}
+		}
-	ctx = context.TODO()
+		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"app"}, []string{"*.push=false"}, nil)
-	m, _, err = ReadTargets(ctx, []File{fp}, []string{"app"}, []string{"*.push=false"}, nil)
+		require.NoError(t, err)
-	require.NoError(t, err)
+		require.Equal(t, 1, len(m["app"].Outputs))
+		require.Equal(t, "type=image,compression=zstd,push=false", m["app"].Outputs[0])
+	})
 
-	require.Equal(t, 1, len(m["app"].Outputs))
+	t.Run("type registry", func(t *testing.T) {
-	require.Equal(t, "type=image,compression=zstd,push=false", m["app"].Outputs[0])
+		fp := File{
-
+			Name: "docker-bake.hcl",
-	fp = File{
+			Data: []byte(
-		Name: "docker-bake.hcl",
+				`target "app" {
-		Data: []byte(
+				output = ["type=registry"]
-			`target "app" {
 			}`),
-	}
+		}
-	ctx = context.TODO()
+		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"app"}, []string{"*.push=true"}, nil)
-	m, _, err = ReadTargets(ctx, []File{fp}, []string{"app"}, []string{"*.push=true"}, nil)
+		require.NoError(t, err)
-	require.NoError(t, err)
+		require.Equal(t, 1, len(m["app"].Outputs))
+		require.Equal(t, "type=registry", m["app"].Outputs[0])
+	})
 
-	require.Equal(t, 1, len(m["app"].Outputs))
+	t.Run("type registry push false", func(t *testing.T) {
-	require.Equal(t, "type=image,push=true", m["app"].Outputs[0])
+		fp := File{
+			Name: "docker-bake.hcl",
+			Data: []byte(
+				`target "app" {
+				output = ["type=registry"]
+			}`),
+		}
+		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"app"}, []string{"*.push=false"}, nil)
+		require.NoError(t, err)
+		require.Equal(t, 0, len(m["app"].Outputs))
+	})
+
+	t.Run("type local and empty target", func(t *testing.T) {
+		fp := File{
+			Name: "docker-bake.hcl",
+			Data: []byte(
+				`target "foo" {
+		  		output = [ "type=local,dest=out" ]
+			}
+			target "bar" {
+			}`),
+		}
+		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"foo", "bar"}, []string{"*.push=true"}, nil)
+		require.NoError(t, err)
+		require.Equal(t, 2, len(m))
+		require.Equal(t, 1, len(m["foo"].Outputs))
+		require.Equal(t, []string{"type=local,dest=out"}, m["foo"].Outputs)
+		require.Equal(t, 1, len(m["bar"].Outputs))
+		require.Equal(t, []string{"type=image,push=true"}, m["bar"].Outputs)
+	})
+}
+
+func TestLoadOverride(t *testing.T) {
+	t.Run("empty output", func(t *testing.T) {
+		fp := File{
+			Name: "docker-bake.hcl",
+			Data: []byte(
+				`target "app" {
+			}`),
+		}
+		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"app"}, []string{"*.load=true"}, nil)
+		require.NoError(t, err)
+		require.Equal(t, 1, len(m["app"].Outputs))
+		require.Equal(t, "type=docker", m["app"].Outputs[0])
+	})
+
+	t.Run("type docker", func(t *testing.T) {
+		fp := File{
+			Name: "docker-bake.hcl",
+			Data: []byte(
+				`target "app" {
+				output = ["type=docker"]
+			}`),
+		}
+		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"app"}, []string{"*.load=true"}, nil)
+		require.NoError(t, err)
+		require.Equal(t, 1, len(m["app"].Outputs))
+		require.Equal(t, []string{"type=docker"}, m["app"].Outputs)
+	})
+
+	t.Run("type image", func(t *testing.T) {
+		fp := File{
+			Name: "docker-bake.hcl",
+			Data: []byte(
+				`target "app" {
+				output = ["type=image"]
+			}`),
+		}
+		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"app"}, []string{"*.load=true"}, nil)
+		require.NoError(t, err)
+		require.Equal(t, 2, len(m["app"].Outputs))
+		require.Equal(t, []string{"type=image", "type=docker"}, m["app"].Outputs)
+	})
+
+	t.Run("type image load false", func(t *testing.T) {
+		fp := File{
+			Name: "docker-bake.hcl",
+			Data: []byte(
+				`target "app" {
+				output = ["type=image"]
+			}`),
+		}
+		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"app"}, []string{"*.load=false"}, nil)
+		require.NoError(t, err)
+		require.Equal(t, 1, len(m["app"].Outputs))
+		require.Equal(t, []string{"type=image"}, m["app"].Outputs)
+	})
+
+	t.Run("type registry", func(t *testing.T) {
+		fp := File{
+			Name: "docker-bake.hcl",
+			Data: []byte(
+				`target "app" {
+				output = ["type=registry"]
+			}`),
+		}
+		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"app"}, []string{"*.load=true"}, nil)
+		require.NoError(t, err)
+		require.Equal(t, 2, len(m["app"].Outputs))
+		require.Equal(t, []string{"type=registry", "type=docker"}, m["app"].Outputs)
+	})
+
+	t.Run("type oci", func(t *testing.T) {
+		fp := File{
+			Name: "docker-bake.hcl",
+			Data: []byte(
+				`target "app" {
+				output = ["type=oci,dest=out"]
+			}`),
+		}
+		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"app"}, []string{"*.load=true"}, nil)
+		require.NoError(t, err)
+		require.Equal(t, 2, len(m["app"].Outputs))
+		require.Equal(t, []string{"type=oci,dest=out", "type=docker"}, m["app"].Outputs)
+	})
+
+	t.Run("type docker with dest", func(t *testing.T) {
+		fp := File{
+			Name: "docker-bake.hcl",
+			Data: []byte(
+				`target "app" {
+				output = ["type=docker,dest=out"]
+			}`),
+		}
+		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"app"}, []string{"*.load=true"}, nil)
+		require.NoError(t, err)
+		require.Equal(t, 2, len(m["app"].Outputs))
+		require.Equal(t, []string{"type=docker,dest=out", "type=docker"}, m["app"].Outputs)
+	})
+
+	t.Run("type local and empty target", func(t *testing.T) {
+		fp := File{
+			Name: "docker-bake.hcl",
+			Data: []byte(
+				`target "foo" {
+		  		output = [ "type=local,dest=out" ]
+			}
+			target "bar" {
+			}`),
+		}
+		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"foo", "bar"}, []string{"*.load=true"}, nil)
+		require.NoError(t, err)
+		require.Equal(t, 2, len(m))
+		require.Equal(t, 1, len(m["foo"].Outputs))
+		require.Equal(t, []string{"type=local,dest=out"}, m["foo"].Outputs)
+		require.Equal(t, 1, len(m["bar"].Outputs))
+		require.Equal(t, []string{"type=docker"}, m["bar"].Outputs)
+	})
+}
+
+func TestLoadAndPushOverride(t *testing.T) {
+	t.Run("type local and empty target", func(t *testing.T) {
+		fp := File{
+			Name: "docker-bake.hcl",
+			Data: []byte(
+				`target "foo" {
+		  		output = [ "type=local,dest=out" ]
+			}
+			target "bar" {
+			}`),
+		}
+		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"foo", "bar"}, []string{"*.load=true", "*.push=true"}, nil)
+		require.NoError(t, err)
+		require.Equal(t, 2, len(m))
+
+		require.Equal(t, 1, len(m["foo"].Outputs))
+		sort.Strings(m["foo"].Outputs)
+		require.Equal(t, []string{"type=local,dest=out"}, m["foo"].Outputs)
+
+		require.Equal(t, 2, len(m["bar"].Outputs))
+		sort.Strings(m["bar"].Outputs)
+		require.Equal(t, []string{"type=docker", "type=image,push=true"}, m["bar"].Outputs)
+	})
+
+	t.Run("type registry", func(t *testing.T) {
+		fp := File{
+			Name: "docker-bake.hcl",
+			Data: []byte(
+				`target "foo" {
+		  		output = [ "type=registry" ]
+			}`),
+		}
+		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"foo"}, []string{"*.load=true", "*.push=true"}, nil)
+		require.NoError(t, err)
+		require.Equal(t, 1, len(m))
+
+		require.Equal(t, 2, len(m["foo"].Outputs))
+		sort.Strings(m["foo"].Outputs)
+		require.Equal(t, []string{"type=docker", "type=registry"}, m["foo"].Outputs)
+	})
 }
 
 func TestReadTargetsCompose(t *testing.T) {
@@ -297,9 +511,6 @@ services:
 
 	ctx := context.TODO()
 
-	cwd, err := os.Getwd()
-	require.NoError(t, err)
-
 	m, g, err := ReadTargets(ctx, []File{fp, fp2, fp3}, []string{"default"}, nil, nil)
 	require.NoError(t, err)
 
@@ -308,7 +519,7 @@ services:
 
 	require.True(t, ok)
 	require.Equal(t, "Dockerfile.webapp", *m["webapp"].Dockerfile)
-	require.Equal(t, cwd, *m["webapp"].Context)
+	require.Equal(t, ".", *m["webapp"].Context)
 	require.Equal(t, ptrstr("1"), m["webapp"].Args["buildno"])
 	require.Equal(t, ptrstr("12"), m["webapp"].Args["buildno2"])
 
@@ -347,9 +558,6 @@ services:
 
 	ctx := context.TODO()
 
-	cwd, err := os.Getwd()
-	require.NoError(t, err)
-
 	m, _, err := ReadTargets(ctx, []File{fp}, []string{"web.app"}, nil, nil)
 	require.NoError(t, err)
 	require.Equal(t, 1, len(m))
@@ -372,7 +580,7 @@ services:
 	_, ok = m["web_app"]
 	require.True(t, ok)
 	require.Equal(t, "Dockerfile.webapp", *m["web_app"].Dockerfile)
-	require.Equal(t, cwd, *m["web_app"].Context)
+	require.Equal(t, ".", *m["web_app"].Context)
 	require.Equal(t, ptrstr("1"), m["web_app"].Args["buildno"])
 	require.Equal(t, ptrstr("12"), m["web_app"].Args["buildno2"])
 
@@ -581,9 +789,6 @@ services:
 
 	ctx := context.TODO()
 
-	cwd, err := os.Getwd()
-	require.NoError(t, err)
-
 	m, _, err := ReadTargets(ctx, []File{fp, fp2}, []string{"app1", "app2"}, nil, nil)
 	require.NoError(t, err)
 
@@ -596,7 +801,7 @@ services:
 	require.Equal(t, "Dockerfile", *m["app1"].Dockerfile)
 	require.Equal(t, ".", *m["app1"].Context)
 	require.Equal(t, "Dockerfile", *m["app2"].Dockerfile)
-	require.Equal(t, cwd, *m["app2"].Context)
+	require.Equal(t, ".", *m["app2"].Context)
 }
 
 func TestReadContextFromTargetChain(t *testing.T) {

bake/compose.go

@@ -2,13 +2,16 @@ package bake
 
 import (
 	"context"
+	"fmt"
 	"os"
 	"path/filepath"
 	"strings"
 
-	"github.com/compose-spec/compose-go/dotenv"
+	"github.com/compose-spec/compose-go/v2/dotenv"
-	"github.com/compose-spec/compose-go/loader"
+	"github.com/compose-spec/compose-go/v2/loader"
-	compose "github.com/compose-spec/compose-go/types"
+	composetypes "github.com/compose-spec/compose-go/v2/types"
+	dockeropts "github.com/docker/cli/opts"
+	"github.com/docker/go-units"
 	"github.com/pkg/errors"
 	"gopkg.in/yaml.v3"
 )
@@ -18,9 +21,9 @@ func ParseComposeFiles(fs []File) (*Config, error) {
 	if err != nil {
 		return nil, err
 	}
-	var cfgs []compose.ConfigFile
+	var cfgs []composetypes.ConfigFile
 	for _, f := range fs {
-		cfgs = append(cfgs, compose.ConfigFile{
+		cfgs = append(cfgs, composetypes.ConfigFile{
 			Filename: f.Name,
 			Content:  f.Data,
 		})
@@ -28,11 +31,11 @@ func ParseComposeFiles(fs []File) (*Config, error) {
 	return ParseCompose(cfgs, envs)
 }
 
-func ParseCompose(cfgs []compose.ConfigFile, envs map[string]string) (*Config, error) {
+func ParseCompose(cfgs []composetypes.ConfigFile, envs map[string]string) (*Config, error) {
 	if envs == nil {
 		envs = make(map[string]string)
 	}
-	cfg, err := loader.LoadWithContext(context.Background(), compose.ConfigDetails{
+	cfg, err := loader.LoadWithContext(context.Background(), composetypes.ConfigDetails{
 		ConfigFiles: cfgs,
 		Environment: envs,
 	}, func(options *loader.Options) {
@@ -86,6 +89,24 @@ func ParseCompose(cfgs []compose.ConfigFile, envs map[string]string) (*Config, e
 				}
 			}
 
+			var shmSize *string
+			if s.Build.ShmSize > 0 {
+				shmSizeBytes := dockeropts.MemBytes(s.Build.ShmSize)
+				shmSizeStr := shmSizeBytes.String()
+				shmSize = &shmSizeStr
+			}
+
+			var ulimits []string
+			if s.Build.Ulimits != nil {
+				for n, u := range s.Build.Ulimits {
+					ulimit, err := units.ParseUlimit(fmt.Sprintf("%s=%d:%d", n, u.Soft, u.Hard))
+					if err != nil {
+						return nil, err
+					}
+					ulimits = append(ulimits, ulimit.String())
+				}
+			}
+
 			var secrets []string
 			for _, bs := range s.Build.Secrets {
 				secret, err := composeToBuildkitSecret(bs, cfg.Secrets[bs.Source])
@@ -122,6 +143,8 @@ func ParseCompose(cfgs []compose.ConfigFile, envs map[string]string) (*Config, e
 				CacheTo:     s.Build.CacheTo,
 				NetworkMode: &s.Build.Network,
 				Secrets:     secrets,
+				ShmSize:     shmSize,
+				Ulimits:     ulimits,
 			}
 			if err = t.composeExtTarget(s.Build.Extensions); err != nil {
 				return nil, err
@@ -159,8 +182,8 @@ func validateComposeFile(dt []byte, fn string) (bool, error) {
 }
 
 func validateCompose(dt []byte, envs map[string]string) error {
-	_, err := loader.Load(compose.ConfigDetails{
+	_, err := loader.Load(composetypes.ConfigDetails{
-		ConfigFiles: []compose.ConfigFile{
+		ConfigFiles: []composetypes.ConfigFile{
 			{
 				Content: dt,
 			},
@@ -223,7 +246,7 @@ func loadDotEnv(curenv map[string]string, workingDir string) (map[string]string,
 	return curenv, nil
 }
 
-func flatten(in compose.MappingWithEquals) map[string]*string {
+func flatten(in composetypes.MappingWithEquals) map[string]*string {
 	if len(in) == 0 {
 		return nil
 	}
@@ -327,8 +350,8 @@ func (t *Target) composeExtTarget(exts map[string]interface{}) error {
 
 // composeToBuildkitSecret converts secret from compose format to buildkit's
 // csv format.
-func composeToBuildkitSecret(inp compose.ServiceSecretConfig, psecret compose.SecretConfig) (string, error) {
+func composeToBuildkitSecret(inp composetypes.ServiceSecretConfig, psecret composetypes.SecretConfig) (string, error) {
-	if psecret.External.External {
+	if psecret.External {
 		return "", errors.Errorf("unsupported external secret %s", psecret.Name)
 	}
 

bake/compose_test.go

@@ -6,7 +6,7 @@ import (
 	"sort"
 	"testing"
 
-	compose "github.com/compose-spec/compose-go/types"
+	composetypes "github.com/compose-spec/compose-go/v2/types"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -49,10 +49,7 @@ secrets:
     file: /root/.aws/credentials
 `)
 
-	cwd, err := os.Getwd()
+	c, err := ParseCompose([]composetypes.ConfigFile{{Content: dt}}, nil)
-	require.NoError(t, err)
-
-	c, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, nil)
 	require.NoError(t, err)
 
 	require.Equal(t, 1, len(c.Groups))
@@ -65,12 +62,12 @@ secrets:
 		return c.Targets[i].Name < c.Targets[j].Name
 	})
 	require.Equal(t, "db", c.Targets[0].Name)
-	require.Equal(t, filepath.Join(cwd, "db"), *c.Targets[0].Context)
+	require.Equal(t, "db", *c.Targets[0].Context)
 	require.Equal(t, []string{"docker.io/tonistiigi/db"}, c.Targets[0].Tags)
 
 	require.Equal(t, "webapp", c.Targets[1].Name)
-	require.Equal(t, filepath.Join(cwd, "dir"), *c.Targets[1].Context)
+	require.Equal(t, "dir", *c.Targets[1].Context)
-	require.Equal(t, map[string]string{"foo": filepath.Join(cwd, "bar")}, c.Targets[1].Contexts)
+	require.Equal(t, map[string]string{"foo": "bar"}, c.Targets[1].Contexts)
 	require.Equal(t, "Dockerfile-alternate", *c.Targets[1].Dockerfile)
 	require.Equal(t, 1, len(c.Targets[1].Args))
 	require.Equal(t, ptrstr("123"), c.Targets[1].Args["buildno"])
@@ -83,7 +80,7 @@ secrets:
 	}, c.Targets[1].Secrets)
 
 	require.Equal(t, "webapp2", c.Targets[2].Name)
-	require.Equal(t, filepath.Join(cwd, "dir"), *c.Targets[2].Context)
+	require.Equal(t, "dir", *c.Targets[2].Context)
 	require.Equal(t, "FROM alpine\n", *c.Targets[2].DockerfileInline)
 }
 
@@ -95,7 +92,7 @@ services:
     webapp:
         build: ./db
 `)
-	c, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, nil)
+	c, err := ParseCompose([]composetypes.ConfigFile{{Content: dt}}, nil)
 	require.NoError(t, err)
 	require.Equal(t, 1, len(c.Groups))
 	require.Equal(t, 1, len(c.Targets))
@@ -114,7 +111,7 @@ services:
       target: webapp
 `)
 
-	c, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, nil)
+	c, err := ParseCompose([]composetypes.ConfigFile{{Content: dt}}, nil)
 	require.NoError(t, err)
 
 	require.Equal(t, 2, len(c.Targets))
@@ -139,7 +136,7 @@ services:
       target: webapp
 `)
 
-	c, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, nil)
+	c, err := ParseCompose([]composetypes.ConfigFile{{Content: dt}}, nil)
 	require.NoError(t, err)
 	require.Equal(t, 2, len(c.Targets))
 	sort.Slice(c.Targets, func(i, j int) bool {
@@ -170,7 +167,7 @@ services:
 	t.Setenv("BAR", "foo")
 	t.Setenv("ZZZ_BAR", "zzz_foo")
 
-	c, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, sliceToMap(os.Environ()))
+	c, err := ParseCompose([]composetypes.ConfigFile{{Content: dt}}, sliceToMap(os.Environ()))
 	require.NoError(t, err)
 	require.Equal(t, ptrstr("bar"), c.Targets[0].Args["FOO"])
 	require.Equal(t, ptrstr("zzz_foo"), c.Targets[0].Args["BAR"])
@@ -184,7 +181,7 @@ services:
     entrypoint: echo 1
 `)
 
-	_, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, nil)
+	_, err := ParseCompose([]composetypes.ConfigFile{{Content: dt}}, nil)
 	require.Error(t, err)
 }
 
@@ -209,7 +206,7 @@ networks:
           gateway: 10.5.0.254
 `)
 
-	_, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, nil)
+	_, err := ParseCompose([]composetypes.ConfigFile{{Content: dt}}, nil)
 	require.NoError(t, err)
 }
 
@@ -226,7 +223,7 @@ services:
         - bar
 `)
 
-	c, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, nil)
+	c, err := ParseCompose([]composetypes.ConfigFile{{Content: dt}}, nil)
 	require.NoError(t, err)
 	require.Equal(t, []string{"foo", "bar"}, c.Targets[0].Tags)
 }
@@ -263,7 +260,7 @@ networks:
     name: test-net
 `)
 
-	_, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, nil)
+	_, err := ParseCompose([]composetypes.ConfigFile{{Content: dt}}, nil)
 	require.NoError(t, err)
 }
 
@@ -306,6 +303,11 @@ services:
       args:
         CT_ECR: foo
         CT_TAG: bar
+      shm_size: 128m
+      ulimits:
+        nofile:
+          soft: 1024
+          hard: 1024
       x-bake:
         secret:
           - id=mysecret,src=/local/secret
@@ -316,7 +318,7 @@ services:
         no-cache: true
 `)
 
-	c, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, nil)
+	c, err := ParseCompose([]composetypes.ConfigFile{{Content: dt}}, nil)
 	require.NoError(t, err)
 	require.Equal(t, 2, len(c.Targets))
 	sort.Slice(c.Targets, func(i, j int) bool {
@@ -335,6 +337,8 @@ services:
 	require.Equal(t, []string{"linux/arm64"}, c.Targets[1].Platforms)
 	require.Equal(t, []string{"type=docker"}, c.Targets[1].Outputs)
 	require.Equal(t, newBool(true), c.Targets[1].NoCache)
+	require.Equal(t, ptrstr("128MiB"), c.Targets[1].ShmSize)
+	require.Equal(t, []string{"nofile=1024:1024"}, c.Targets[1].Ulimits)
 }
 
 func TestComposeExtDedup(t *testing.T) {
@@ -360,7 +364,7 @@ services:
           - type=local,dest=path/to/cache
 `)
 
-	c, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, nil)
+	c, err := ParseCompose([]composetypes.ConfigFile{{Content: dt}}, nil)
 	require.NoError(t, err)
 	require.Equal(t, 1, len(c.Targets))
 	require.Equal(t, []string{"ct-addon:foo", "ct-addon:baz"}, c.Targets[0].Tags)
@@ -393,7 +397,7 @@ services:
       - ` + envf.Name() + `
 `)
 
-	c, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, nil)
+	c, err := ParseCompose([]composetypes.ConfigFile{{Content: dt}}, nil)
 	require.NoError(t, err)
 	require.Equal(t, map[string]*string{"CT_ECR": ptrstr("foo"), "FOO": ptrstr("bsdf -csdf"), "NODE_ENV": ptrstr("test")}, c.Targets[0].Args)
 }
@@ -439,7 +443,7 @@ services:
         published: "3306"
         protocol: tcp
 `)
-	_, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, nil)
+	_, err := ParseCompose([]composetypes.ConfigFile{{Content: dt}}, nil)
 	require.NoError(t, err)
 }
 
@@ -485,7 +489,7 @@ func TestServiceName(t *testing.T) {
 	for _, tt := range cases {
 		tt := tt
 		t.Run(tt.svc, func(t *testing.T) {
-			_, err := ParseCompose([]compose.ConfigFile{{Content: []byte(`
+			_, err := ParseCompose([]composetypes.ConfigFile{{Content: []byte(`
 services:
   ` + tt.svc + `:
     build:
@@ -556,7 +560,7 @@ services:
 	for _, tt := range cases {
 		tt := tt
 		t.Run(tt.name, func(t *testing.T) {
-			_, err := ParseCompose([]compose.ConfigFile{{Content: tt.dt}}, nil)
+			_, err := ParseCompose([]composetypes.ConfigFile{{Content: tt.dt}}, nil)
 			if tt.wantErr {
 				require.Error(t, err)
 			} else {
@@ -654,7 +658,7 @@ services:
         bar: "baz"
 `)
 
-	c, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, nil)
+	c, err := ParseCompose([]composetypes.ConfigFile{{Content: dt}}, nil)
 	require.NoError(t, err)
 	require.Equal(t, map[string]*string{"bar": ptrstr("baz")}, c.Targets[0].Args)
 }
@@ -673,7 +677,7 @@ services:
     build:
      context: .
 `)
-	_, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, nil)
+	_, err := ParseCompose([]composetypes.ConfigFile{{Content: dt}}, nil)
 	require.NoError(t, err)
 }
 
@@ -704,7 +708,7 @@ services:
 
 	chdir(t, tmpdir)
 	c, err := ParseComposeFiles([]File{{
-		Name: "compose.yml",
+		Name: "composetypes.yml",
 		Data: dt,
 	}})
 	require.NoError(t, err)
@@ -734,7 +738,7 @@ services:
             - node_modules/
 `)
 
-	_, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, nil)
+	_, err := ParseCompose([]composetypes.ConfigFile{{Content: dt}}, nil)
 	require.NoError(t, err)
 }
 

bake/hcl_test.go

@@ -1445,6 +1445,39 @@ func TestVarUnsupportedType(t *testing.T) {
 	require.Error(t, err)
 }
 
+func TestHCLIndexOfFunc(t *testing.T) {
+	dt := []byte(`
+		variable "APP_VERSIONS" {
+		  default = [
+			"1.42.4",
+			"1.42.3"
+		  ]
+		}
+		target "default" {
+			args = {
+				APP_VERSION = app_version
+			}
+			matrix = {
+				app_version = APP_VERSIONS
+			}
+			name="app-${replace(app_version, ".", "-")}"
+			tags = [
+				"app:${app_version}",
+				indexof(APP_VERSIONS, app_version) == 0 ? "app:latest" : "",
+			]
+		}
+		`)
+
+	c, err := ParseFile(dt, "docker-bake.hcl")
+	require.NoError(t, err)
+
+	require.Equal(t, 2, len(c.Targets))
+	require.Equal(t, "app-1-42-4", c.Targets[0].Name)
+	require.Equal(t, "app:latest", c.Targets[0].Tags[1])
+	require.Equal(t, "app-1-42-3", c.Targets[1].Name)
+	require.Empty(t, c.Targets[1].Tags[1])
+}
+
 func ptrstr(s interface{}) *string {
 	var n *string
 	if reflect.ValueOf(s).Kind() == reflect.String {

bake/hclparser/stdlib.go

@@ -9,6 +9,7 @@ import (
 	"github.com/hashicorp/go-cty-funcs/uuid"
 	"github.com/hashicorp/hcl/v2/ext/tryfunc"
 	"github.com/hashicorp/hcl/v2/ext/typeexpr"
+	"github.com/pkg/errors"
 	"github.com/zclconf/go-cty/cty"
 	"github.com/zclconf/go-cty/cty/function"
 	"github.com/zclconf/go-cty/cty/function/stdlib"
@@ -52,6 +53,7 @@ var stdlibFunctions = map[string]function.Function{
 	"hasindex":               stdlib.HasIndexFunc,
 	"indent":                 stdlib.IndentFunc,
 	"index":                  stdlib.IndexFunc,
+	"indexof":                indexOfFunc,
 	"int":                    stdlib.IntFunc,
 	"join":                   stdlib.JoinFunc,
 	"jsondecode":             stdlib.JSONDecodeFunc,
@@ -115,6 +117,51 @@ var stdlibFunctions = map[string]function.Function{
 	"zipmap":                 stdlib.ZipmapFunc,
 }
 
+// indexOfFunc constructs a function that finds the element index for a given
+// value in a list.
+var indexOfFunc = function.New(&function.Spec{
+	Params: []function.Parameter{
+		{
+			Name: "list",
+			Type: cty.DynamicPseudoType,
+		},
+		{
+			Name: "value",
+			Type: cty.DynamicPseudoType,
+		},
+	},
+	Type: function.StaticReturnType(cty.Number),
+	Impl: func(args []cty.Value, retType cty.Type) (ret cty.Value, err error) {
+		if !(args[0].Type().IsListType() || args[0].Type().IsTupleType()) {
+			return cty.NilVal, errors.New("argument must be a list or tuple")
+		}
+
+		if !args[0].IsKnown() {
+			return cty.UnknownVal(cty.Number), nil
+		}
+
+		if args[0].LengthInt() == 0 { // Easy path
+			return cty.NilVal, errors.New("cannot search an empty list")
+		}
+
+		for it := args[0].ElementIterator(); it.Next(); {
+			i, v := it.Element()
+			eq, err := stdlib.Equal(v, args[1])
+			if err != nil {
+				return cty.NilVal, err
+			}
+			if !eq.IsKnown() {
+				return cty.UnknownVal(cty.Number), nil
+			}
+			if eq.True() {
+				return i, nil
+			}
+		}
+		return cty.NilVal, errors.New("item not found")
+
+	},
+})
+
 // timestampFunc constructs a function that returns a string representation of the current date and time.
 //
 // This function was imported from terraform's datetime utilities.

bake/hclparser/stdlib_test.go

@@ -0,0 +1,49 @@
+package hclparser
+
+import (
+	"testing"
+
+	"github.com/zclconf/go-cty/cty"
+)
+
+func TestIndexOf(t *testing.T) {
+	type testCase struct {
+		input   cty.Value
+		key     cty.Value
+		want    cty.Value
+		wantErr bool
+	}
+	tests := map[string]testCase{
+		"index 0": {
+			input: cty.TupleVal([]cty.Value{cty.StringVal("one"), cty.NumberIntVal(2.0), cty.NumberIntVal(3), cty.StringVal("four")}),
+			key:   cty.StringVal("one"),
+			want:  cty.NumberIntVal(0),
+		},
+		"index 3": {
+			input: cty.TupleVal([]cty.Value{cty.StringVal("one"), cty.NumberIntVal(2.0), cty.NumberIntVal(3), cty.StringVal("four")}),
+			key:   cty.StringVal("four"),
+			want:  cty.NumberIntVal(3),
+		},
+		"index -1": {
+			input:   cty.TupleVal([]cty.Value{cty.StringVal("one"), cty.NumberIntVal(2.0), cty.NumberIntVal(3), cty.StringVal("four")}),
+			key:     cty.StringVal("3"),
+			wantErr: true,
+		},
+	}
+
+	for name, test := range tests {
+		name, test := name, test
+		t.Run(name, func(t *testing.T) {
+			got, err := indexOfFunc.Call([]cty.Value{test.input, test.key})
+			if err != nil {
+				if test.wantErr {
+					return
+				}
+				t.Fatalf("unexpected error: %s", err)
+			}
+			if !got.RawEquals(test.want) {
+				t.Errorf("wrong result\ngot:  %#v\nwant: %#v", got, test.want)
+			}
+		})
+	}
+}

bake/remote.go

@@ -4,6 +4,8 @@ import (
 	"archive/tar"
 	"bytes"
 	"context"
+	"os"
+	"strings"
 
 	"github.com/docker/buildx/builder"
 	controllerapi "github.com/docker/buildx/controller/pb"
@@ -23,13 +25,34 @@ type Input struct {
 }
 
 func ReadRemoteFiles(ctx context.Context, nodes []builder.Node, url string, names []string, pw progress.Writer) ([]File, *Input, error) {
-	var session []session.Attachable
+	var sessions []session.Attachable
 	var filename string
+
 	st, ok := dockerui.DetectGitContext(url, false)
 	if ok {
-		ssh, err := controllerapi.CreateSSH([]*controllerapi.SSH{{ID: "default"}})
+		if ssh, err := controllerapi.CreateSSH([]*controllerapi.SSH{{
-		if err == nil {
+			ID:    "default",
-			session = append(session, ssh)
+			Paths: strings.Split(os.Getenv("BUILDX_BAKE_GIT_SSH"), ","),
+		}}); err == nil {
+			sessions = append(sessions, ssh)
+		}
+		var gitAuthSecrets []*controllerapi.Secret
+		if _, ok := os.LookupEnv("BUILDX_BAKE_GIT_AUTH_TOKEN"); ok {
+			gitAuthSecrets = append(gitAuthSecrets, &controllerapi.Secret{
+				ID:  llb.GitAuthTokenKey,
+				Env: "BUILDX_BAKE_GIT_AUTH_TOKEN",
+			})
+		}
+		if _, ok := os.LookupEnv("BUILDX_BAKE_GIT_AUTH_HEADER"); ok {
+			gitAuthSecrets = append(gitAuthSecrets, &controllerapi.Secret{
+				ID:  llb.GitAuthHeaderKey,
+				Env: "BUILDX_BAKE_GIT_AUTH_HEADER",
+			})
+		}
+		if len(gitAuthSecrets) > 0 {
+			if secrets, err := controllerapi.CreateSecrets(gitAuthSecrets); err == nil {
+				sessions = append(sessions, secrets)
+			}
 		}
 	} else {
 		st, filename, ok = dockerui.DetectHTTPContext(url)
@@ -59,7 +82,7 @@ func ReadRemoteFiles(ctx context.Context, nodes []builder.Node, url string, name
 
 	ch, done := progress.NewChannel(pw)
 	defer func() { <-done }()
-	_, err = c.Build(ctx, client.SolveOpt{Session: session, Internal: true}, "buildx", func(ctx context.Context, c gwclient.Client) (*gwclient.Result, error) {
+	_, err = c.Build(ctx, client.SolveOpt{Session: sessions, Internal: true}, "buildx", func(ctx context.Context, c gwclient.Client) (*gwclient.Result, error) {
 		def, err := st.Marshal(ctx)
 		if err != nil {
 			return nil, err

build/build.go

@@ -1,28 +1,20 @@
 package build
 
 import (
-	"bufio"
 	"bytes"
 	"context"
-	"crypto/rand"
 	_ "crypto/sha256" // ensure digests can be computed
 	"encoding/base64"
-	"encoding/hex"
 	"encoding/json"
 	"fmt"
 	"io"
 	"os"
-	"path/filepath"
 	"strconv"
 	"strings"
 	"sync"
-	"syscall"
 	"time"
 
-	"github.com/containerd/containerd/content"
-	"github.com/containerd/containerd/content/local"
 	"github.com/containerd/containerd/images"
-	"github.com/containerd/containerd/platforms"
 	"github.com/distribution/reference"
 	"github.com/docker/buildx/builder"
 	"github.com/docker/buildx/driver"
@@ -33,21 +25,16 @@ import (
 	"github.com/docker/buildx/util/resolver"
 	"github.com/docker/buildx/util/waitmap"
 	"github.com/docker/cli/opts"
-	"github.com/docker/docker/api/types"
+	imagetypes "github.com/docker/docker/api/types/image"
-	"github.com/docker/docker/builder/remotecontext/urlutil"
 	"github.com/docker/docker/pkg/jsonmessage"
 	"github.com/moby/buildkit/client"
 	"github.com/moby/buildkit/client/llb"
-	"github.com/moby/buildkit/client/ociindex"
 	"github.com/moby/buildkit/exporter/containerimage/exptypes"
 	gateway "github.com/moby/buildkit/frontend/gateway/client"
-	"github.com/moby/buildkit/identity"
 	"github.com/moby/buildkit/session"
-	"github.com/moby/buildkit/session/upload/uploadprovider"
 	"github.com/moby/buildkit/solver/errdefs"
 	"github.com/moby/buildkit/solver/pb"
 	spb "github.com/moby/buildkit/sourcepolicy/pb"
-	"github.com/moby/buildkit/util/apicaps"
 	"github.com/moby/buildkit/util/entitlements"
 	"github.com/moby/buildkit/util/progress/progresswriter"
 	"github.com/moby/buildkit/util/tracing"
@@ -66,7 +53,10 @@ var (
 
 const (
 	//nolint:gosec // G101: false-positive
-	printFallbackImage = "docker/dockerfile:1.5.2-labs@sha256:f2e91734a84c0922ff47aa4098ab775f1dfa932430d2888dd5cad5251fafdac4"
+	printFallbackImage = "docker/dockerfile:1.5@sha256:dbbd5e059e8a07ff7ea6233b213b36aa516b4c53c645f1817a4dd18b83cbea56"
+	// https://github.com/moby/buildkit/commit/71f99c52a669dc0322b5ea57bc28a09c20427227
+	//nolint:gosec // G101: false-positive
+	printLintFallbackImage = "docker.io/docker/dockerfile-upstream@sha256:47663570b6cc49ed90dc6e3215090a366989ab934d12dc93856a8ae0d27a95e7"
 )
 
 type Options struct {
@@ -92,16 +82,18 @@ type Options struct {
 	Target        string
 	Ulimits       *opts.UlimitOpt
 
-	Session      []session.Attachable
+	Session                []session.Attachable
-	Linked       bool // Linked marks this target as exclusively linked (not requested by the user).
+	Linked                 bool // Linked marks this target as exclusively linked (not requested by the user).
-	PrintFunc    *PrintFunc
+	PrintFunc              *PrintFunc
-	SourcePolicy *spb.Policy
+	WithProvenanceResponse bool
-	GroupRef     string
+	SourcePolicy           *spb.Policy
+	GroupRef               string
 }
 
 type PrintFunc struct {
-	Name   string
+	Name         string
-	Format string
+	Format       string
+	IgnoreStatus bool
 }
 
 type Inputs struct {
@@ -118,6 +110,11 @@ type NamedContext struct {
 	State *llb.State
 }
 
+type reqForNode struct {
+	*resolvedNode
+	so *client.SolveOpt
+}
+
 func filterAvailableNodes(nodes []builder.Node) ([]builder.Node, error) {
 	out := make([]builder.Node, 0, len(nodes))
 	err := errors.Errorf("no drivers found")
@@ -152,318 +149,6 @@ func toRepoOnly(in string) (string, error) {
 	return strings.Join(out, ","), nil
 }
 
-func toSolveOpt(ctx context.Context, node builder.Node, multiDriver bool, opt Options, bopts gateway.BuildOpts, configDir string, pw progress.Writer, docker *dockerutil.Client) (solveOpt *client.SolveOpt, release func(), err error) {
-	nodeDriver := node.Driver
-	defers := make([]func(), 0, 2)
-	releaseF := func() {
-		for _, f := range defers {
-			f()
-		}
-	}
-
-	defer func() {
-		if err != nil {
-			releaseF()
-		}
-	}()
-
-	// inline cache from build arg
-	if v, ok := opt.BuildArgs["BUILDKIT_INLINE_CACHE"]; ok {
-		if v, _ := strconv.ParseBool(v); v {
-			opt.CacheTo = append(opt.CacheTo, client.CacheOptionsEntry{
-				Type:  "inline",
-				Attrs: map[string]string{},
-			})
-		}
-	}
-
-	for _, e := range opt.CacheTo {
-		if e.Type != "inline" && !nodeDriver.Features(ctx)[driver.CacheExport] {
-			return nil, nil, notSupported(driver.CacheExport, nodeDriver, "https://docs.docker.com/go/build-cache-backends/")
-		}
-	}
-
-	cacheTo := make([]client.CacheOptionsEntry, 0, len(opt.CacheTo))
-	for _, e := range opt.CacheTo {
-		if e.Type == "gha" {
-			if !bopts.LLBCaps.Contains(apicaps.CapID("cache.gha")) {
-				continue
-			}
-		} else if e.Type == "s3" {
-			if !bopts.LLBCaps.Contains(apicaps.CapID("cache.s3")) {
-				continue
-			}
-		}
-		cacheTo = append(cacheTo, e)
-	}
-
-	cacheFrom := make([]client.CacheOptionsEntry, 0, len(opt.CacheFrom))
-	for _, e := range opt.CacheFrom {
-		if e.Type == "gha" {
-			if !bopts.LLBCaps.Contains(apicaps.CapID("cache.gha")) {
-				continue
-			}
-		} else if e.Type == "s3" {
-			if !bopts.LLBCaps.Contains(apicaps.CapID("cache.s3")) {
-				continue
-			}
-		}
-		cacheFrom = append(cacheFrom, e)
-	}
-
-	so := client.SolveOpt{
-		Ref:                 opt.Ref,
-		Frontend:            "dockerfile.v0",
-		FrontendAttrs:       map[string]string{},
-		LocalDirs:           map[string]string{},
-		CacheExports:        cacheTo,
-		CacheImports:        cacheFrom,
-		AllowedEntitlements: opt.Allow,
-		SourcePolicy:        opt.SourcePolicy,
-	}
-
-	if so.Ref == "" {
-		so.Ref = identity.NewID()
-	}
-
-	if opt.CgroupParent != "" {
-		so.FrontendAttrs["cgroup-parent"] = opt.CgroupParent
-	}
-
-	if v, ok := opt.BuildArgs["BUILDKIT_MULTI_PLATFORM"]; ok {
-		if v, _ := strconv.ParseBool(v); v {
-			so.FrontendAttrs["multi-platform"] = "true"
-		}
-	}
-
-	if multiDriver {
-		// force creation of manifest list
-		so.FrontendAttrs["multi-platform"] = "true"
-	}
-
-	attests := make(map[string]string)
-	for k, v := range opt.Attests {
-		if v != nil {
-			attests[k] = *v
-		}
-	}
-	supportsAttestations := bopts.LLBCaps.Contains(apicaps.CapID("exporter.image.attestations")) && nodeDriver.Features(ctx)[driver.MultiPlatform]
-	if len(attests) > 0 {
-		if !supportsAttestations {
-			return nil, nil, errors.Errorf("attestations are not supported by the current buildkitd")
-		}
-		for k, v := range attests {
-			so.FrontendAttrs["attest:"+k] = v
-		}
-	}
-
-	if _, ok := opt.Attests["provenance"]; !ok && supportsAttestations {
-		const noAttestEnv = "BUILDX_NO_DEFAULT_ATTESTATIONS"
-		var noProv bool
-		if v, ok := os.LookupEnv(noAttestEnv); ok {
-			noProv, err = strconv.ParseBool(v)
-			if err != nil {
-				return nil, nil, errors.Wrap(err, "invalid "+noAttestEnv)
-			}
-		}
-		if !noProv {
-			so.FrontendAttrs["attest:provenance"] = "mode=min,inline-only=true"
-		}
-	}
-
-	switch len(opt.Exports) {
-	case 1:
-		// valid
-	case 0:
-		if nodeDriver.IsMobyDriver() && !noDefaultLoad() {
-			// backwards compat for docker driver only:
-			// this ensures the build results in a docker image.
-			opt.Exports = []client.ExportEntry{{Type: "image", Attrs: map[string]string{}}}
-		}
-	default:
-		return nil, nil, errors.Errorf("multiple outputs currently unsupported")
-	}
-
-	// fill in image exporter names from tags
-	if len(opt.Tags) > 0 {
-		tags := make([]string, len(opt.Tags))
-		for i, tag := range opt.Tags {
-			ref, err := reference.Parse(tag)
-			if err != nil {
-				return nil, nil, errors.Wrapf(err, "invalid tag %q", tag)
-			}
-			tags[i] = ref.String()
-		}
-		for i, e := range opt.Exports {
-			switch e.Type {
-			case "image", "oci", "docker":
-				opt.Exports[i].Attrs["name"] = strings.Join(tags, ",")
-			}
-		}
-	} else {
-		for _, e := range opt.Exports {
-			if e.Type == "image" && e.Attrs["name"] == "" && e.Attrs["push"] != "" {
-				if ok, _ := strconv.ParseBool(e.Attrs["push"]); ok {
-					return nil, nil, errors.Errorf("tag is needed when pushing to registry")
-				}
-			}
-		}
-	}
-
-	// cacheonly is a fake exporter to opt out of default behaviors
-	exports := make([]client.ExportEntry, 0, len(opt.Exports))
-	for _, e := range opt.Exports {
-		if e.Type != "cacheonly" {
-			exports = append(exports, e)
-		}
-	}
-	opt.Exports = exports
-
-	// set up exporters
-	for i, e := range opt.Exports {
-		if e.Type == "oci" && !nodeDriver.Features(ctx)[driver.OCIExporter] {
-			return nil, nil, notSupported(driver.OCIExporter, nodeDriver, "https://docs.docker.com/go/build-exporters/")
-		}
-		if e.Type == "docker" {
-			features := docker.Features(ctx, e.Attrs["context"])
-			if features[dockerutil.OCIImporter] && e.Output == nil {
-				// rely on oci importer if available (which supports
-				// multi-platform images), otherwise fall back to docker
-				opt.Exports[i].Type = "oci"
-			} else if len(opt.Platforms) > 1 || len(attests) > 0 {
-				if e.Output != nil {
-					return nil, nil, errors.Errorf("docker exporter does not support exporting manifest lists, use the oci exporter instead")
-				}
-				return nil, nil, errors.Errorf("docker exporter does not currently support exporting manifest lists")
-			}
-			if e.Output == nil {
-				if nodeDriver.IsMobyDriver() {
-					e.Type = "image"
-				} else {
-					w, cancel, err := docker.LoadImage(ctx, e.Attrs["context"], pw)
-					if err != nil {
-						return nil, nil, err
-					}
-					defers = append(defers, cancel)
-					opt.Exports[i].Output = func(_ map[string]string) (io.WriteCloser, error) {
-						return w, nil
-					}
-				}
-			} else if !nodeDriver.Features(ctx)[driver.DockerExporter] {
-				return nil, nil, notSupported(driver.DockerExporter, nodeDriver, "https:/docs.docker.com/go/build-exporters/")
-			}
-		}
-		if e.Type == "image" && nodeDriver.IsMobyDriver() {
-			opt.Exports[i].Type = "moby"
-			if e.Attrs["push"] != "" {
-				if ok, _ := strconv.ParseBool(e.Attrs["push"]); ok {
-					if ok, _ := strconv.ParseBool(e.Attrs["push-by-digest"]); ok {
-						return nil, nil, errors.Errorf("push-by-digest is currently not implemented for docker driver, please create a new builder instance")
-					}
-				}
-			}
-		}
-		if e.Type == "docker" || e.Type == "image" || e.Type == "oci" {
-			// inline buildinfo attrs from build arg
-			if v, ok := opt.BuildArgs["BUILDKIT_INLINE_BUILDINFO_ATTRS"]; ok {
-				e.Attrs["buildinfo-attrs"] = v
-			}
-		}
-	}
-
-	so.Exports = opt.Exports
-	so.Session = opt.Session
-
-	releaseLoad, err := LoadInputs(ctx, nodeDriver, opt.Inputs, pw, &so)
-	if err != nil {
-		return nil, nil, err
-	}
-	defers = append(defers, releaseLoad)
-
-	if sharedKey := so.LocalDirs["context"]; sharedKey != "" {
-		if p, err := filepath.Abs(sharedKey); err == nil {
-			sharedKey = filepath.Base(p)
-		}
-		so.SharedKey = sharedKey + ":" + tryNodeIdentifier(configDir)
-	}
-
-	if opt.Pull {
-		so.FrontendAttrs["image-resolve-mode"] = pb.AttrImageResolveModeForcePull
-	} else if nodeDriver.IsMobyDriver() {
-		// moby driver always resolves local images by default
-		so.FrontendAttrs["image-resolve-mode"] = pb.AttrImageResolveModePreferLocal
-	}
-	if opt.Target != "" {
-		so.FrontendAttrs["target"] = opt.Target
-	}
-	if len(opt.NoCacheFilter) > 0 {
-		so.FrontendAttrs["no-cache"] = strings.Join(opt.NoCacheFilter, ",")
-	}
-	if opt.NoCache {
-		so.FrontendAttrs["no-cache"] = ""
-	}
-	for k, v := range opt.BuildArgs {
-		so.FrontendAttrs["build-arg:"+k] = v
-	}
-	for k, v := range opt.Labels {
-		so.FrontendAttrs["label:"+k] = v
-	}
-
-	for k, v := range node.ProxyConfig {
-		if _, ok := opt.BuildArgs[k]; !ok {
-			so.FrontendAttrs["build-arg:"+k] = v
-		}
-	}
-
-	// set platforms
-	if len(opt.Platforms) != 0 {
-		pp := make([]string, len(opt.Platforms))
-		for i, p := range opt.Platforms {
-			pp[i] = platforms.Format(p)
-		}
-		if len(pp) > 1 && !nodeDriver.Features(ctx)[driver.MultiPlatform] {
-			return nil, nil, notSupported(driver.MultiPlatform, nodeDriver, "https://docs.docker.com/go/build-multi-platform/")
-		}
-		so.FrontendAttrs["platform"] = strings.Join(pp, ",")
-	}
-
-	// setup networkmode
-	switch opt.NetworkMode {
-	case "host":
-		so.FrontendAttrs["force-network-mode"] = opt.NetworkMode
-		so.AllowedEntitlements = append(so.AllowedEntitlements, entitlements.EntitlementNetworkHost)
-	case "none":
-		so.FrontendAttrs["force-network-mode"] = opt.NetworkMode
-	case "", "default":
-	default:
-		return nil, nil, errors.Errorf("network mode %q not supported by buildkit - you can define a custom network for your builder using the network driver-opt in buildx create", opt.NetworkMode)
-	}
-
-	// setup extrahosts
-	extraHosts, err := toBuildkitExtraHosts(ctx, opt.ExtraHosts, nodeDriver)
-	if err != nil {
-		return nil, nil, err
-	}
-	if len(extraHosts) > 0 {
-		so.FrontendAttrs["add-hosts"] = extraHosts
-	}
-
-	// setup shm size
-	if opt.ShmSize.Value() > 0 {
-		so.FrontendAttrs["shm-size"] = strconv.FormatInt(opt.ShmSize.Value(), 10)
-	}
-
-	// setup ulimits
-	ulimits, err := toBuildkitUlimits(opt.Ulimits)
-	if err != nil {
-		return nil, nil, err
-	} else if len(ulimits) > 0 {
-		so.FrontendAttrs["ulimit"] = ulimits
-	}
-
-	return &so, releaseF, nil
-}
-
 func Build(ctx context.Context, nodes []builder.Node, opt map[string]Options, docker *dockerutil.Client, configDir string, w progress.Writer) (resp map[string]*client.SolveResponse, err error) {
 	return BuildWithResultHandler(ctx, nodes, opt, docker, configDir, w, nil)
 }
@@ -478,7 +163,7 @@ func BuildWithResultHandler(ctx context.Context, nodes []builder.Node, opt map[s
 		return nil, errors.Wrapf(err, "no valid drivers found")
 	}
 
-	var noMobyDriver driver.Driver
+	var noMobyDriver *driver.DriverHandle
 	for _, n := range nodes {
 		if !n.Driver.IsMobyDriver() {
 			noMobyDriver = n.Driver
@@ -489,6 +174,10 @@ func BuildWithResultHandler(ctx context.Context, nodes []builder.Node, opt map[s
 	if noMobyDriver != nil && !noDefaultLoad() && noPrintFunc(opt) {
 		var noOutputTargets []string
 		for name, opt := range opt {
+			if noMobyDriver.Features(ctx)[driver.DefaultLoad] {
+				continue
+			}
+
 			if !opt.Linked && len(opt.Exports) == 0 {
 				noOutputTargets = append(noOutputTargets, name)
 			}
@@ -509,10 +198,6 @@ func BuildWithResultHandler(ctx context.Context, nodes []builder.Node, opt map[s
 	if err != nil {
 		return nil, err
 	}
-	driversSolveOpts := make(map[string][]*client.SolveOpt, len(drivers))
-	for k, dps := range drivers {
-		driversSolveOpts[k] = make([]*client.SolveOpt, len(dps))
-	}
 
 	defers := make([]func(), 0, 2)
 	defer func() {
@@ -523,16 +208,18 @@ func BuildWithResultHandler(ctx context.Context, nodes []builder.Node, opt map[s
 		}
 	}()
 
+	reqForNodes := make(map[string][]*reqForNode)
 	eg, ctx := errgroup.WithContext(ctx)
 
 	for k, opt := range opt {
 		multiDriver := len(drivers[k]) > 1
 		hasMobyDriver := false
-		gitattrs, err := getGitAttributes(ctx, opt.Inputs.ContextPath, opt.Inputs.DockerfilePath)
+		gitattrs, addVCSLocalDir, err := getGitAttributes(ctx, opt.Inputs.ContextPath, opt.Inputs.DockerfilePath)
 		if err != nil {
 			logrus.WithError(err).Warn("current commit information was not captured by the build")
 		}
-		for i, np := range drivers[k] {
+		var reqn []*reqForNode
+		for _, np := range drivers[k] {
 			if np.Node().Driver.IsMobyDriver() {
 				hasMobyDriver = true
 			}
@@ -541,7 +228,7 @@ func BuildWithResultHandler(ctx context.Context, nodes []builder.Node, opt map[s
 			if err != nil {
 				return nil, err
 			}
-			so, release, err := toSolveOpt(ctx, np.Node(), multiDriver, opt, gatewayOpts, configDir, w, docker)
+			so, release, err := toSolveOpt(ctx, np.Node(), multiDriver, opt, gatewayOpts, configDir, addVCSLocalDir, w, docker)
 			if err != nil {
 				return nil, err
 			}
@@ -552,8 +239,12 @@ func BuildWithResultHandler(ctx context.Context, nodes []builder.Node, opt map[s
 				so.FrontendAttrs[k] = v
 			}
 			defers = append(defers, release)
-			driversSolveOpts[k][i] = so
+			reqn = append(reqn, &reqForNode{
+				resolvedNode: np,
+				so:           so,
+			})
 		}
+		reqForNodes[k] = reqn
 		for _, at := range opt.Session {
 			if s, ok := at.(interface {
 				SetLogger(progresswriter.Logger)
@@ -566,8 +257,8 @@ func BuildWithResultHandler(ctx context.Context, nodes []builder.Node, opt map[s
 
 		// validate for multi-node push
 		if hasMobyDriver && multiDriver {
-			for _, so := range driversSolveOpts[k] {
+			for _, np := range reqForNodes[k] {
-				for _, e := range so.Exports {
+				for _, e := range np.so.Exports {
 					if e.Type == "moby" {
 						if ok, _ := strconv.ParseBool(e.Attrs["push"]); ok {
 							return nil, errors.Errorf("multi-node push can't currently be performed with the docker driver, please switch to a different driver")
@@ -580,9 +271,9 @@ func BuildWithResultHandler(ctx context.Context, nodes []builder.Node, opt map[s
 
 	// validate that all links between targets use same drivers
 	for name := range opt {
-		dps := drivers[name]
+		dps := reqForNodes[name]
 		for i, dp := range dps {
-			so := driversSolveOpts[name][i]
+			so := reqForNodes[name][i].so
 			for k, v := range so.FrontendAttrs {
 				if strings.HasPrefix(k, "context:") && strings.HasPrefix(v, "target:") {
 					k2 := strings.TrimPrefix(v, "target:")
@@ -610,7 +301,7 @@ func BuildWithResultHandler(ctx context.Context, nodes []builder.Node, opt map[s
 	results := waitmap.New()
 
 	multiTarget := len(opt) > 1
-	childTargets := calculateChildTargets(drivers, driversSolveOpts, opt)
+	childTargets := calculateChildTargets(reqForNodes, opt)
 
 	for k, opt := range opt {
 		err := func(k string) error {
@@ -634,7 +325,7 @@ func BuildWithResultHandler(ctx context.Context, nodes []builder.Node, opt map[s
 			for i, dp := range dps {
 				i, dp := i, dp
 				node := dp.Node()
-				so := driversSolveOpts[k][i]
+				so := reqForNodes[k][i].so
 				if multiDriver {
 					for i, e := range so.Exports {
 						switch e.Type {
@@ -713,25 +404,8 @@ func BuildWithResultHandler(ctx context.Context, nodes []builder.Node, opt map[s
 
 						res, err := c.Solve(ctx, req)
 						if err != nil {
-							fallback := false
+							req, ok := fallbackPrintError(err, req)
-							var reqErr *errdefs.UnsupportedSubrequestError
+							if ok {
-							if errors.As(err, &reqErr) {
-								switch reqErr.Name {
-								case "frontend.outline", "frontend.targets":
-									fallback = true
-								default:
-									return nil, err
-								}
-							} else {
-								return nil, err
-							}
-							// buildkit v0.8 vendored in Docker 20.10 does not support typed errors
-							if strings.Contains(err.Error(), "unsupported request frontend.outline") || strings.Contains(err.Error(), "unsupported request frontend.targets") {
-								fallback = true
-							}
-
-							if fallback {
-								req.FrontendOpt["build-arg:BUILDKIT_SYNTAX"] = printFallbackImage
 								res2, err2 := c.Solve(ctx, req)
 								if err2 != nil {
 									return nil, err
@@ -749,6 +423,11 @@ func BuildWithResultHandler(ctx context.Context, nodes []builder.Node, opt map[s
 						results.Set(rKey, res)
 
 						if children, ok := childTargets[rKey]; ok && len(children) > 0 {
+							// wait for the child targets to register their LLB before evaluating
+							_, err := results.Get(ctx, children...)
+							if err != nil {
+								return nil, err
+							}
 							// we need to wait until the child targets have completed before we can release
 							eg, ctx := errgroup.WithContext(ctx)
 							eg.Go(func() error {
@@ -767,6 +446,7 @@ func BuildWithResultHandler(ctx context.Context, nodes []builder.Node, opt map[s
 
 						return res, nil
 					}
+					buildRef := fmt.Sprintf("%s/%s/%s", node.Builder, node.Name, so.Ref)
 					var rr *client.SolveResponse
 					if resultHandleFunc != nil {
 						var resultHandle *ResultHandle
@@ -775,8 +455,7 @@ func BuildWithResultHandler(ctx context.Context, nodes []builder.Node, opt map[s
 					} else {
 						rr, err = c.Build(ctx, *so, "buildx", buildFunc, ch)
 					}
-					if desktop.BuildBackendEnabled() && node.Driver.HistoryAPISupported(ctx) {
+					if !so.Internal && desktop.BuildBackendEnabled() && node.Driver.HistoryAPISupported(ctx) {
-						buildRef := fmt.Sprintf("%s/%s/%s", node.Builder, node.Name, so.Ref)
 						if err != nil {
 							return &desktop.ErrorWithBuildRef{
 								Ref: buildRef,
@@ -796,6 +475,12 @@ func BuildWithResultHandler(ctx context.Context, nodes []builder.Node, opt map[s
 					for k, v := range printRes {
 						rr.ExporterResponse[k] = string(v)
 					}
+					rr.ExporterResponse["buildx.build.ref"] = buildRef
+					if opt.WithProvenanceResponse && node.Driver.HistoryAPISupported(ctx) {
+						if err := setRecordProvenance(ctx, c, rr, so.Ref, pw); err != nil {
+							return err
+						}
+					}
 
 					node := dp.Node().Driver
 					if node.IsMobyDriver() {
@@ -970,7 +655,7 @@ func BuildWithResultHandler(ctx context.Context, nodes []builder.Node, opt map[s
 	return resp, nil
 }
 
-func pushWithMoby(ctx context.Context, d driver.Driver, name string, l progress.SubLogger) error {
+func pushWithMoby(ctx context.Context, d *driver.DriverHandle, name string, l progress.SubLogger) error {
 	api := d.Config().DockerAPI
 	if api == nil {
 		return errors.Errorf("invalid empty Docker API reference") // should never happen
@@ -980,7 +665,7 @@ func pushWithMoby(ctx context.Context, d driver.Driver, name string, l progress.
 		return err
 	}
 
-	rc, err := api.ImagePush(ctx, name, types.ImagePushOptions{
+	rc, err := api.ImagePush(ctx, name, imagetypes.PushOptions{
 		RegistryAuth: creds,
 	})
 	if err != nil {
@@ -1050,7 +735,7 @@ func pushWithMoby(ctx context.Context, d driver.Driver, name string, l progress.
 	return nil
 }
 
-func remoteDigestWithMoby(ctx context.Context, d driver.Driver, name string) (string, error) {
+func remoteDigestWithMoby(ctx context.Context, d *driver.DriverHandle, name string) (string, error) {
 	api := d.Config().DockerAPI
 	if api == nil {
 		return "", errors.Errorf("invalid empty Docker API reference") // should never happen
@@ -1073,242 +758,17 @@ func remoteDigestWithMoby(ctx context.Context, d driver.Driver, name string) (st
 	return remoteImage.Descriptor.Digest.String(), nil
 }
 
-func createTempDockerfile(r io.Reader) (string, error) {
-	dir, err := os.MkdirTemp("", "dockerfile")
-	if err != nil {
-		return "", err
-	}
-	f, err := os.Create(filepath.Join(dir, "Dockerfile"))
-	if err != nil {
-		return "", err
-	}
-	defer f.Close()
-	if _, err := io.Copy(f, r); err != nil {
-		return "", err
-	}
-	return dir, err
-}
-
-func LoadInputs(ctx context.Context, d *driver.DriverHandle, inp Inputs, pw progress.Writer, target *client.SolveOpt) (func(), error) {
-	if inp.ContextPath == "" {
-		return nil, errors.New("please specify build context (e.g. \".\" for the current directory)")
-	}
-
-	// TODO: handle stdin, symlinks, remote contexts, check files exist
-
-	var (
-		err              error
-		dockerfileReader io.Reader
-		dockerfileDir    string
-		dockerfileName   = inp.DockerfilePath
-		toRemove         []string
-	)
-
-	switch {
-	case inp.ContextState != nil:
-		if target.FrontendInputs == nil {
-			target.FrontendInputs = make(map[string]llb.State)
-		}
-		target.FrontendInputs["context"] = *inp.ContextState
-		target.FrontendInputs["dockerfile"] = *inp.ContextState
-	case inp.ContextPath == "-":
-		if inp.DockerfilePath == "-" {
-			return nil, errStdinConflict
-		}
-
-		buf := bufio.NewReader(inp.InStream)
-		magic, err := buf.Peek(archiveHeaderSize * 2)
-		if err != nil && err != io.EOF {
-			return nil, errors.Wrap(err, "failed to peek context header from STDIN")
-		}
-		if !(err == io.EOF && len(magic) == 0) {
-			if isArchive(magic) {
-				// stdin is context
-				up := uploadprovider.New()
-				target.FrontendAttrs["context"] = up.Add(buf)
-				target.Session = append(target.Session, up)
-			} else {
-				if inp.DockerfilePath != "" {
-					return nil, errDockerfileConflict
-				}
-				// stdin is dockerfile
-				dockerfileReader = buf
-				inp.ContextPath, _ = os.MkdirTemp("", "empty-dir")
-				toRemove = append(toRemove, inp.ContextPath)
-				target.LocalDirs["context"] = inp.ContextPath
-			}
-		}
-	case isLocalDir(inp.ContextPath):
-		target.LocalDirs["context"] = inp.ContextPath
-		switch inp.DockerfilePath {
-		case "-":
-			dockerfileReader = inp.InStream
-		case "":
-			dockerfileDir = inp.ContextPath
-		default:
-			dockerfileDir = filepath.Dir(inp.DockerfilePath)
-			dockerfileName = filepath.Base(inp.DockerfilePath)
-		}
-	case IsRemoteURL(inp.ContextPath):
-		if inp.DockerfilePath == "-" {
-			dockerfileReader = inp.InStream
-		} else if filepath.IsAbs(inp.DockerfilePath) {
-			dockerfileDir = filepath.Dir(inp.DockerfilePath)
-			dockerfileName = filepath.Base(inp.DockerfilePath)
-			target.FrontendAttrs["dockerfilekey"] = "dockerfile"
-		}
-		target.FrontendAttrs["context"] = inp.ContextPath
-	default:
-		return nil, errors.Errorf("unable to prepare context: path %q not found", inp.ContextPath)
-	}
-
-	if inp.DockerfileInline != "" {
-		dockerfileReader = strings.NewReader(inp.DockerfileInline)
-	}
-
-	if dockerfileReader != nil {
-		dockerfileDir, err = createTempDockerfile(dockerfileReader)
-		if err != nil {
-			return nil, err
-		}
-		toRemove = append(toRemove, dockerfileDir)
-		dockerfileName = "Dockerfile"
-		target.FrontendAttrs["dockerfilekey"] = "dockerfile"
-	}
-	if urlutil.IsURL(inp.DockerfilePath) {
-		dockerfileDir, err = createTempDockerfileFromURL(ctx, d, inp.DockerfilePath, pw)
-		if err != nil {
-			return nil, err
-		}
-		toRemove = append(toRemove, dockerfileDir)
-		dockerfileName = "Dockerfile"
-		target.FrontendAttrs["dockerfilekey"] = "dockerfile"
-		delete(target.FrontendInputs, "dockerfile")
-	}
-
-	if dockerfileName == "" {
-		dockerfileName = "Dockerfile"
-	}
-
-	if dockerfileDir != "" {
-		target.LocalDirs["dockerfile"] = dockerfileDir
-		dockerfileName = handleLowercaseDockerfile(dockerfileDir, dockerfileName)
-	}
-
-	target.FrontendAttrs["filename"] = dockerfileName
-
-	for k, v := range inp.NamedContexts {
-		target.FrontendAttrs["frontend.caps"] = "moby.buildkit.frontend.contexts+forward"
-		if v.State != nil {
-			target.FrontendAttrs["context:"+k] = "input:" + k
-			if target.FrontendInputs == nil {
-				target.FrontendInputs = make(map[string]llb.State)
-			}
-			target.FrontendInputs[k] = *v.State
-			continue
-		}
-
-		if IsRemoteURL(v.Path) || strings.HasPrefix(v.Path, "docker-image://") || strings.HasPrefix(v.Path, "target:") {
-			target.FrontendAttrs["context:"+k] = v.Path
-			continue
-		}
-
-		// handle OCI layout
-		if strings.HasPrefix(v.Path, "oci-layout://") {
-			pathAlone := strings.TrimPrefix(v.Path, "oci-layout://")
-			localPath := pathAlone
-			localPath, dig, hasDigest := strings.Cut(localPath, "@")
-			localPath, tag, hasTag := strings.Cut(localPath, ":")
-			if !hasTag {
-				tag = "latest"
-				hasTag = true
-			}
-			idx := ociindex.NewStoreIndex(localPath)
-			if !hasDigest {
-				// lookup by name
-				desc, err := idx.Get(tag)
-				if err != nil {
-					return nil, err
-				}
-				if desc != nil {
-					dig = string(desc.Digest)
-					hasDigest = true
-				}
-			}
-			if !hasDigest {
-				// lookup single
-				desc, err := idx.GetSingle()
-				if err != nil {
-					return nil, err
-				}
-				if desc != nil {
-					dig = string(desc.Digest)
-					hasDigest = true
-				}
-			}
-			if !hasDigest {
-				return nil, errors.Errorf("oci-layout reference %q could not be resolved", v.Path)
-			}
-			_, err := digest.Parse(dig)
-			if err != nil {
-				return nil, errors.Wrapf(err, "invalid oci-layout digest %s", dig)
-			}
-
-			store, err := local.NewStore(localPath)
-			if err != nil {
-				return nil, errors.Wrapf(err, "invalid store at %s", localPath)
-			}
-			storeName := identity.NewID()
-			if target.OCIStores == nil {
-				target.OCIStores = map[string]content.Store{}
-			}
-			target.OCIStores[storeName] = store
-
-			layout := "oci-layout://" + storeName
-			if hasTag {
-				layout += ":" + tag
-			}
-			if hasDigest {
-				layout += "@" + dig
-			}
-
-			target.FrontendAttrs["context:"+k] = layout
-			continue
-		}
-		st, err := os.Stat(v.Path)
-		if err != nil {
-			return nil, errors.Wrapf(err, "failed to get build context %v", k)
-		}
-		if !st.IsDir() {
-			return nil, errors.Wrapf(syscall.ENOTDIR, "failed to get build context path %v", v)
-		}
-		localName := k
-		if k == "context" || k == "dockerfile" {
-			localName = "_" + k // underscore to avoid collisions
-		}
-		target.LocalDirs[localName] = v.Path
-		target.FrontendAttrs["context:"+k] = "local:" + localName
-	}
-
-	release := func() {
-		for _, dir := range toRemove {
-			os.RemoveAll(dir)
-		}
-	}
-	return release, nil
-}
-
 func resultKey(index int, name string) string {
 	return fmt.Sprintf("%d-%s", index, name)
 }
 
 // calculateChildTargets returns all the targets that depend on current target for reverse index
-func calculateChildTargets(drivers map[string][]*resolvedNode, driversSolveOpts map[string][]*client.SolveOpt, opt map[string]Options) map[string][]string {
+func calculateChildTargets(reqs map[string][]*reqForNode, opt map[string]Options) map[string][]string {
 	out := make(map[string][]string)
 	for name := range opt {
-		dps := drivers[name]
+		dps := reqs[name]
 		for i, dp := range dps {
-			so := driversSolveOpts[name][i]
+			so := reqs[name][i].so
 			for k, v := range so.FrontendAttrs {
 				if strings.HasPrefix(k, "context:") && strings.HasPrefix(v, "target:") {
 					target := resultKey(dp.driverIndex, strings.TrimPrefix(v, "target:"))
@@ -1406,78 +866,44 @@ func waitContextDeps(ctx context.Context, index int, results *waitmap.Map, so *c
 	return nil
 }
 
-func notSupported(f driver.Feature, d driver.Driver, docs string) error {
+func fallbackPrintError(err error, req gateway.SolveRequest) (gateway.SolveRequest, bool) {
-	return errors.Errorf(`%s is not supported for the %s driver.
+	if _, ok := req.FrontendOpt["requestid"]; !ok {
-Switch to a different driver, or turn on the containerd image store, and try again.
+		return req, false
-Learn more at %s`, f, d.Factory().Name(), docs)
-}
-
-func noDefaultLoad() bool {
-	v, ok := os.LookupEnv("BUILDX_NO_DEFAULT_LOAD")
-	if !ok {
-		return false
-	}
-	b, err := strconv.ParseBool(v)
-	if err != nil {
-		logrus.Warnf("invalid non-bool value for BUILDX_NO_DEFAULT_LOAD: %s", v)
-	}
-	return b
-}
-
-// handle https://github.com/moby/moby/pull/10858
-func handleLowercaseDockerfile(dir, p string) string {
-	if filepath.Base(p) != "Dockerfile" {
-		return p
 	}
 
-	f, err := os.Open(filepath.Dir(filepath.Join(dir, p)))
+	fallback := false
-	if err != nil {
+	fallbackLint := false
-		return p
+	var reqErr *errdefs.UnsupportedSubrequestError
-	}
+	if errors.As(err, &reqErr) {
-
+		switch reqErr.Name {
-	names, err := f.Readdirnames(-1)
+		case "frontend.lint":
-	if err != nil {
+			fallbackLint = true
-		return p
+			fallthrough
-	}
+		case "frontend.outline", "frontend.targets":
-
+			fallback = true
-	foundLowerCase := false
+		default:
-	for _, n := range names {
+			return req, false
-		if n == "Dockerfile" {
-			return p
-		}
-		if n == "dockerfile" {
-			foundLowerCase = true
-		}
-	}
-	if foundLowerCase {
-		return filepath.Join(filepath.Dir(p), "dockerfile")
-	}
-	return p
-}
-
-var nodeIdentifierMu sync.Mutex
-
-func tryNodeIdentifier(configDir string) (out string) {
-	nodeIdentifierMu.Lock()
-	defer nodeIdentifierMu.Unlock()
-	sessionFile := filepath.Join(configDir, ".buildNodeID")
-	if _, err := os.Lstat(sessionFile); err != nil {
-		if os.IsNotExist(err) { // create a new file with stored randomness
-			b := make([]byte, 8)
-			if _, err := rand.Read(b); err != nil {
-				return out
-			}
-			if err := os.WriteFile(sessionFile, []byte(hex.EncodeToString(b)), 0600); err != nil {
-				return out
-			}
 		}
 	}
 
-	dt, err := os.ReadFile(sessionFile)
+	// buildkit v0.8 vendored in Docker 20.10 does not support typed errors
-	if err == nil {
+	for _, req := range []string{"frontend.outline", "frontend.targets", "frontend.lint"} {
-		return string(dt)
+		if strings.Contains(err.Error(), "unsupported request "+req) {
+			fallback = true
+		}
+		if req == "frontend.lint" {
+			fallbackLint = true
+		}
 	}
-	return
+
+	if fallback {
+		req.FrontendOpt["build-arg:BUILDKIT_SYNTAX"] = printFallbackImage
+		if fallbackLint {
+			req.FrontendOpt["build-arg:BUILDKIT_SYNTAX"] = printLintFallbackImage
+		}
+		return req, true
+	}
+	return req, false
 }
 
 func noPrintFunc(opt map[string]Options) bool {

build/dial.go

@@ -0,0 +1,62 @@
+package build
+
+import (
+	"context"
+	stderrors "errors"
+	"net"
+
+	"github.com/containerd/containerd/platforms"
+	"github.com/docker/buildx/builder"
+	"github.com/docker/buildx/util/progress"
+	v1 "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+)
+
+func Dial(ctx context.Context, nodes []builder.Node, pw progress.Writer, platform *v1.Platform) (net.Conn, error) {
+	nodes, err := filterAvailableNodes(nodes)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(nodes) == 0 {
+		return nil, errors.New("no nodes available")
+	}
+
+	var pls []v1.Platform
+	if platform != nil {
+		pls = []v1.Platform{*platform}
+	}
+
+	opts := map[string]Options{"default": {Platforms: pls}}
+	resolved, err := resolveDrivers(ctx, nodes, opts, pw)
+	if err != nil {
+		return nil, err
+	}
+
+	var dialError error
+	for _, ls := range resolved {
+		for _, rn := range ls {
+			if platform != nil {
+				p := *platform
+				var found bool
+				for _, pp := range rn.platforms {
+					if platforms.Only(p).Match(pp) {
+						found = true
+						break
+					}
+				}
+				if !found {
+					continue
+				}
+			}
+
+			conn, err := nodes[rn.driverIndex].Driver.Dial(ctx)
+			if err == nil {
+				return conn, nil
+			}
+			dialError = stderrors.Join(err)
+		}
+	}
+
+	return nil, errors.Wrap(dialError, "no nodes available")
+}

build/driver.go

@@ -162,10 +162,6 @@ func (r *nodeResolver) resolve(ctx context.Context, ps []specs.Platform, pw prog
 		return nil, true, nil
 	}
 
-	if len(ps) == 0 {
-		ps = []specs.Platform{platforms.DefaultSpec()}
-	}
-
 	perfect := true
 	nodeIdxs := make([]int, 0)
 	for _, p := range ps {
@@ -178,13 +174,24 @@ func (r *nodeResolver) resolve(ctx context.Context, ps []specs.Platform, pw prog
 	}
 
 	var nodes []*resolvedNode
-	for i, idx := range nodeIdxs {
+	if len(nodeIdxs) == 0 {
 		nodes = append(nodes, &resolvedNode{
 			resolver:    r,
-			driverIndex: idx,
+			driverIndex: 0,
-			platforms:   []specs.Platform{ps[i]},
 		})
+	} else {
+		for i, idx := range nodeIdxs {
+			node := &resolvedNode{
+				resolver:    r,
+				driverIndex: idx,
+			}
+			if len(ps) > 0 {
+				node.platforms = []specs.Platform{ps[i]}
+			}
+			nodes = append(nodes, node)
+		}
 	}
+
 	nodes = recombineNodes(nodes)
 	if _, err := r.boot(ctx, nodeIdxs, pw); err != nil {
 		return nil, false, err

build/driver_test.go

@@ -22,6 +22,7 @@ func TestFindDriverSanity(t *testing.T) {
 	require.Len(t, res, 1)
 	require.Equal(t, 0, res[0].driverIndex)
 	require.Equal(t, "aaa", res[0].Node().Builder)
+	require.Equal(t, []specs.Platform{platforms.DefaultSpec()}, res[0].platforms)
 }
 
 func TestFindDriverEmpty(t *testing.T) {
@@ -216,7 +217,7 @@ func TestSelectNodePreferExact(t *testing.T) {
 	require.Equal(t, "bbb", res[0].Node().Builder)
 }
 
-func TestSelectNodeCurrentPlatform(t *testing.T) {
+func TestSelectNodeNoPlatform(t *testing.T) {
 	r := makeTestResolver(map[string][]specs.Platform{
 		"aaa": {platforms.MustParse("linux/foobar")},
 		"bbb": {platforms.DefaultSpec()},
@@ -226,7 +227,8 @@ func TestSelectNodeCurrentPlatform(t *testing.T) {
 	require.NoError(t, err)
 	require.True(t, perfect)
 	require.Len(t, res, 1)
-	require.Equal(t, "bbb", res[0].Node().Builder)
+	require.Equal(t, "aaa", res[0].Node().Builder)
+	require.Empty(t, res[0].platforms)
 }
 
 func TestSelectNodeAdditionalPlatforms(t *testing.T) {

build/git.go

@@ -9,16 +9,18 @@ import (
 	"strings"
 
 	"github.com/docker/buildx/util/gitutil"
+	"github.com/docker/buildx/util/osutil"
+	"github.com/moby/buildkit/client"
 	specs "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
 )
 
 const DockerfileLabel = "com.docker.image.source.entrypoint"
 
-func getGitAttributes(ctx context.Context, contextPath string, dockerfilePath string) (res map[string]string, _ error) {
+func getGitAttributes(ctx context.Context, contextPath string, dockerfilePath string) (map[string]string, func(key, dir string, so *client.SolveOpt), error) {
-	res = make(map[string]string)
+	res := make(map[string]string)
 	if contextPath == "" {
-		return
+		return nil, nil, nil
 	}
 
 	setGitLabels := false
@@ -37,7 +39,7 @@ func getGitAttributes(ctx context.Context, contextPath string, dockerfilePath st
 	}
 
 	if !setGitLabels && !setGitInfo {
-		return
+		return nil, nil, nil
 	}
 
 	// figure out in which directory the git command needs to run in
@@ -45,27 +47,32 @@ func getGitAttributes(ctx context.Context, contextPath string, dockerfilePath st
 	if filepath.IsAbs(contextPath) {
 		wd = contextPath
 	} else {
-		cwd, _ := os.Getwd()
+		wd, _ = filepath.Abs(filepath.Join(osutil.GetWd(), contextPath))
-		wd, _ = filepath.Abs(filepath.Join(cwd, contextPath))
 	}
+	wd = osutil.SanitizePath(wd)
 
 	gitc, err := gitutil.New(gitutil.WithContext(ctx), gitutil.WithWorkingDir(wd))
 	if err != nil {
 		if st, err1 := os.Stat(path.Join(wd, ".git")); err1 == nil && st.IsDir() {
-			return res, errors.Wrap(err, "git was not found in the system")
+			return res, nil, errors.Wrap(err, "git was not found in the system")
 		}
-		return
+		return nil, nil, nil
 	}
 
 	if !gitc.IsInsideWorkTree() {
 		if st, err := os.Stat(path.Join(wd, ".git")); err == nil && st.IsDir() {
-			return res, errors.New("failed to read current commit information with git rev-parse --is-inside-work-tree")
+			return res, nil, errors.New("failed to read current commit information with git rev-parse --is-inside-work-tree")
 		}
-		return res, nil
+		return nil, nil, nil
+	}
+
+	root, err := gitc.RootDir()
+	if err != nil {
+		return res, nil, errors.Wrap(err, "failed to get git root dir")
 	}
 
 	if sha, err := gitc.FullCommit(); err != nil && !gitutil.IsUnknownRevision(err) {
-		return res, errors.Wrap(err, "failed to get git commit")
+		return res, nil, errors.Wrap(err, "failed to get git commit")
 	} else if sha != "" {
 		checkDirty := false
 		if v, ok := os.LookupEnv("BUILDX_GIT_CHECK_DIRTY"); ok {
@@ -93,23 +100,32 @@ func getGitAttributes(ctx context.Context, contextPath string, dockerfilePath st
 		}
 	}
 
-	if setGitLabels {
+	if setGitLabels && root != "" {
-		if root, err := gitc.RootDir(); err != nil {
+		if dockerfilePath == "" {
-			return res, errors.Wrap(err, "failed to get git root dir")
+			dockerfilePath = filepath.Join(wd, "Dockerfile")
-		} else if root != "" {
+		}
-			if dockerfilePath == "" {
+		if !filepath.IsAbs(dockerfilePath) {
-				dockerfilePath = filepath.Join(wd, "Dockerfile")
+			dockerfilePath = filepath.Join(osutil.GetWd(), dockerfilePath)
-			}
+		}
-			if !filepath.IsAbs(dockerfilePath) {
+		if r, err := filepath.Rel(root, dockerfilePath); err == nil && !strings.HasPrefix(r, "..") {
-				cwd, _ := os.Getwd()
+			res["label:"+DockerfileLabel] = r
-				dockerfilePath = filepath.Join(cwd, dockerfilePath)
-			}
-			dockerfilePath, _ = filepath.Rel(root, dockerfilePath)
-			if !strings.HasPrefix(dockerfilePath, "..") {
-				res["label:"+DockerfileLabel] = dockerfilePath
-			}
 		}
 	}
 
-	return
+	return res, func(key, dir string, so *client.SolveOpt) {
+		if !setGitInfo || root == "" {
+			return
+		}
+		dir, err := filepath.Abs(dir)
+		if err != nil {
+			return
+		}
+		if lp, err := osutil.GetLongPathName(dir); err == nil {
+			dir = lp
+		}
+		dir = osutil.SanitizePath(dir)
+		if r, err := filepath.Rel(root, dir); err == nil && !strings.HasPrefix(r, "..") {
+			so.FrontendAttrs["vcs:localdir:"+key] = r
+		}
+	}, nil
 }

build/git_test.go

@@ -9,6 +9,7 @@ import (
 	"testing"
 
 	"github.com/docker/buildx/util/gitutil"
+	"github.com/moby/buildkit/client"
 	specs "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -30,7 +31,7 @@ func setupTest(tb testing.TB) {
 }
 
 func TestGetGitAttributesNotGitRepo(t *testing.T) {
-	_, err := getGitAttributes(context.Background(), t.TempDir(), "Dockerfile")
+	_, _, err := getGitAttributes(context.Background(), t.TempDir(), "Dockerfile")
 	assert.NoError(t, err)
 }
 
@@ -38,14 +39,14 @@ func TestGetGitAttributesBadGitRepo(t *testing.T) {
 	tmp := t.TempDir()
 	require.NoError(t, os.MkdirAll(path.Join(tmp, ".git"), 0755))
 
-	_, err := getGitAttributes(context.Background(), tmp, "Dockerfile")
+	_, _, err := getGitAttributes(context.Background(), tmp, "Dockerfile")
 	assert.Error(t, err)
 }
 
 func TestGetGitAttributesNoContext(t *testing.T) {
 	setupTest(t)
 
-	gitattrs, err := getGitAttributes(context.Background(), "", "Dockerfile")
+	gitattrs, _, err := getGitAttributes(context.Background(), "", "Dockerfile")
 	assert.NoError(t, err)
 	assert.Empty(t, gitattrs)
 }
@@ -114,7 +115,7 @@ func TestGetGitAttributes(t *testing.T) {
 			if tt.envGitInfo != "" {
 				t.Setenv("BUILDX_GIT_INFO", tt.envGitInfo)
 			}
-			gitattrs, err := getGitAttributes(context.Background(), ".", "Dockerfile")
+			gitattrs, _, err := getGitAttributes(context.Background(), ".", "Dockerfile")
 			require.NoError(t, err)
 			for _, e := range tt.expected {
 				assert.Contains(t, gitattrs, e)
@@ -139,7 +140,7 @@ func TestGetGitAttributesDirty(t *testing.T) {
 	require.NoError(t, os.WriteFile(filepath.Join("dir", "Dockerfile"), df, 0644))
 
 	t.Setenv("BUILDX_GIT_LABELS", "true")
-	gitattrs, _ := getGitAttributes(context.Background(), ".", "Dockerfile")
+	gitattrs, _, _ := getGitAttributes(context.Background(), ".", "Dockerfile")
 	assert.Equal(t, 5, len(gitattrs))
 
 	assert.Contains(t, gitattrs, "label:"+DockerfileLabel)
@@ -154,3 +155,55 @@ func TestGetGitAttributesDirty(t *testing.T) {
 	assert.Contains(t, gitattrs, "vcs:revision")
 	assert.True(t, strings.HasSuffix(gitattrs["vcs:revision"], "-dirty"))
 }
+
+func TestLocalDirs(t *testing.T) {
+	setupTest(t)
+
+	so := &client.SolveOpt{
+		FrontendAttrs: map[string]string{},
+	}
+
+	_, addVCSLocalDir, err := getGitAttributes(context.Background(), ".", "Dockerfile")
+	require.NoError(t, err)
+	require.NotNil(t, addVCSLocalDir)
+
+	require.NoError(t, setLocalMount("context", ".", so, addVCSLocalDir))
+	require.Contains(t, so.FrontendAttrs, "vcs:localdir:context")
+	assert.Equal(t, ".", so.FrontendAttrs["vcs:localdir:context"])
+
+	require.NoError(t, setLocalMount("dockerfile", ".", so, addVCSLocalDir))
+	require.Contains(t, so.FrontendAttrs, "vcs:localdir:dockerfile")
+	assert.Equal(t, ".", so.FrontendAttrs["vcs:localdir:dockerfile"])
+}
+
+func TestLocalDirsSub(t *testing.T) {
+	gitutil.Mktmp(t)
+
+	c, err := gitutil.New()
+	require.NoError(t, err)
+	gitutil.GitInit(c, t)
+
+	df := []byte("FROM alpine:latest\n")
+	assert.NoError(t, os.MkdirAll("app", 0755))
+	assert.NoError(t, os.WriteFile("app/Dockerfile", df, 0644))
+
+	gitutil.GitAdd(c, t, "app/Dockerfile")
+	gitutil.GitCommit(c, t, "initial commit")
+	gitutil.GitSetRemote(c, t, "origin", "git@github.com:docker/buildx.git")
+
+	so := &client.SolveOpt{
+		FrontendAttrs: map[string]string{},
+	}
+
+	_, addVCSLocalDir, err := getGitAttributes(context.Background(), ".", "app/Dockerfile")
+	require.NoError(t, err)
+	require.NotNil(t, addVCSLocalDir)
+
+	require.NoError(t, setLocalMount("context", ".", so, addVCSLocalDir))
+	require.Contains(t, so.FrontendAttrs, "vcs:localdir:context")
+	assert.Equal(t, ".", so.FrontendAttrs["vcs:localdir:context"])
+
+	require.NoError(t, setLocalMount("dockerfile", "app", so, addVCSLocalDir))
+	require.Contains(t, so.FrontendAttrs, "vcs:localdir:dockerfile")
+	assert.Equal(t, "app", so.FrontendAttrs["vcs:localdir:dockerfile"])
+}

build/opt.go

@@ -0,0 +1,646 @@
+package build
+
+import (
+	"bufio"
+	"context"
+	"io"
+	"os"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"syscall"
+
+	"github.com/containerd/containerd/content"
+	"github.com/containerd/containerd/content/local"
+	"github.com/containerd/containerd/platforms"
+	"github.com/distribution/reference"
+	"github.com/docker/buildx/builder"
+	"github.com/docker/buildx/driver"
+	"github.com/docker/buildx/util/confutil"
+	"github.com/docker/buildx/util/dockerutil"
+	"github.com/docker/buildx/util/osutil"
+	"github.com/docker/buildx/util/progress"
+	"github.com/docker/docker/builder/remotecontext/urlutil"
+	"github.com/moby/buildkit/client"
+	"github.com/moby/buildkit/client/llb"
+	"github.com/moby/buildkit/client/ociindex"
+	gateway "github.com/moby/buildkit/frontend/gateway/client"
+	"github.com/moby/buildkit/identity"
+	"github.com/moby/buildkit/session/upload/uploadprovider"
+	"github.com/moby/buildkit/solver/pb"
+	"github.com/moby/buildkit/util/apicaps"
+	"github.com/moby/buildkit/util/entitlements"
+	"github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+	"github.com/tonistiigi/fsutil"
+)
+
+func toSolveOpt(ctx context.Context, node builder.Node, multiDriver bool, opt Options, bopts gateway.BuildOpts, configDir string, addVCSLocalDir func(key, dir string, so *client.SolveOpt), pw progress.Writer, docker *dockerutil.Client) (_ *client.SolveOpt, release func(), err error) {
+	nodeDriver := node.Driver
+	defers := make([]func(), 0, 2)
+	releaseF := func() {
+		for _, f := range defers {
+			f()
+		}
+	}
+
+	defer func() {
+		if err != nil {
+			releaseF()
+		}
+	}()
+
+	// inline cache from build arg
+	if v, ok := opt.BuildArgs["BUILDKIT_INLINE_CACHE"]; ok {
+		if v, _ := strconv.ParseBool(v); v {
+			opt.CacheTo = append(opt.CacheTo, client.CacheOptionsEntry{
+				Type:  "inline",
+				Attrs: map[string]string{},
+			})
+		}
+	}
+
+	for _, e := range opt.CacheTo {
+		if e.Type != "inline" && !nodeDriver.Features(ctx)[driver.CacheExport] {
+			return nil, nil, notSupported(driver.CacheExport, nodeDriver, "https://docs.docker.com/go/build-cache-backends/")
+		}
+	}
+
+	cacheTo := make([]client.CacheOptionsEntry, 0, len(opt.CacheTo))
+	for _, e := range opt.CacheTo {
+		if e.Type == "gha" {
+			if !bopts.LLBCaps.Contains(apicaps.CapID("cache.gha")) {
+				continue
+			}
+		} else if e.Type == "s3" {
+			if !bopts.LLBCaps.Contains(apicaps.CapID("cache.s3")) {
+				continue
+			}
+		}
+		cacheTo = append(cacheTo, e)
+	}
+
+	cacheFrom := make([]client.CacheOptionsEntry, 0, len(opt.CacheFrom))
+	for _, e := range opt.CacheFrom {
+		if e.Type == "gha" {
+			if !bopts.LLBCaps.Contains(apicaps.CapID("cache.gha")) {
+				continue
+			}
+		} else if e.Type == "s3" {
+			if !bopts.LLBCaps.Contains(apicaps.CapID("cache.s3")) {
+				continue
+			}
+		}
+		cacheFrom = append(cacheFrom, e)
+	}
+
+	so := client.SolveOpt{
+		Ref:                 opt.Ref,
+		Frontend:            "dockerfile.v0",
+		FrontendAttrs:       map[string]string{},
+		LocalMounts:         map[string]fsutil.FS{},
+		CacheExports:        cacheTo,
+		CacheImports:        cacheFrom,
+		AllowedEntitlements: opt.Allow,
+		SourcePolicy:        opt.SourcePolicy,
+	}
+
+	if so.Ref == "" {
+		so.Ref = identity.NewID()
+	}
+
+	if opt.CgroupParent != "" {
+		so.FrontendAttrs["cgroup-parent"] = opt.CgroupParent
+	}
+
+	if v, ok := opt.BuildArgs["BUILDKIT_MULTI_PLATFORM"]; ok {
+		if v, _ := strconv.ParseBool(v); v {
+			so.FrontendAttrs["multi-platform"] = "true"
+		}
+	}
+
+	if multiDriver {
+		// force creation of manifest list
+		so.FrontendAttrs["multi-platform"] = "true"
+	}
+
+	attests := make(map[string]string)
+	for k, v := range opt.Attests {
+		if v != nil {
+			attests[k] = *v
+		}
+	}
+
+	supportAttestations := bopts.LLBCaps.Contains(apicaps.CapID("exporter.image.attestations")) && nodeDriver.Features(ctx)[driver.MultiPlatform]
+	if len(attests) > 0 {
+		if !supportAttestations {
+			if !nodeDriver.Features(ctx)[driver.MultiPlatform] {
+				return nil, nil, notSupported("Attestation", nodeDriver, "https://docs.docker.com/go/attestations/")
+			}
+			return nil, nil, errors.Errorf("Attestations are not supported by the current BuildKit daemon")
+		}
+		for k, v := range attests {
+			so.FrontendAttrs["attest:"+k] = v
+		}
+	}
+
+	if _, ok := opt.Attests["provenance"]; !ok && supportAttestations {
+		const noAttestEnv = "BUILDX_NO_DEFAULT_ATTESTATIONS"
+		var noProv bool
+		if v, ok := os.LookupEnv(noAttestEnv); ok {
+			noProv, err = strconv.ParseBool(v)
+			if err != nil {
+				return nil, nil, errors.Wrap(err, "invalid "+noAttestEnv)
+			}
+		}
+		if !noProv {
+			so.FrontendAttrs["attest:provenance"] = "mode=min,inline-only=true"
+		}
+	}
+
+	switch len(opt.Exports) {
+	case 1:
+		// valid
+	case 0:
+		if !noDefaultLoad() {
+			if nodeDriver.IsMobyDriver() {
+				// backwards compat for docker driver only:
+				// this ensures the build results in a docker image.
+				opt.Exports = []client.ExportEntry{{Type: "image", Attrs: map[string]string{}}}
+			} else if nodeDriver.Features(ctx)[driver.DefaultLoad] {
+				opt.Exports = []client.ExportEntry{{Type: "docker", Attrs: map[string]string{}}}
+			}
+		}
+	default:
+		if err := bopts.LLBCaps.Supports(pb.CapMultipleExporters); err != nil {
+			return nil, nil, errors.Errorf("multiple outputs currently unsupported by the current BuildKit daemon, please upgrade to version v0.13+ or use a single output")
+		}
+	}
+
+	// fill in image exporter names from tags
+	if len(opt.Tags) > 0 {
+		tags := make([]string, len(opt.Tags))
+		for i, tag := range opt.Tags {
+			ref, err := reference.Parse(tag)
+			if err != nil {
+				return nil, nil, errors.Wrapf(err, "invalid tag %q", tag)
+			}
+			tags[i] = ref.String()
+		}
+		for i, e := range opt.Exports {
+			switch e.Type {
+			case "image", "oci", "docker":
+				opt.Exports[i].Attrs["name"] = strings.Join(tags, ",")
+			}
+		}
+	} else {
+		for _, e := range opt.Exports {
+			if e.Type == "image" && e.Attrs["name"] == "" && e.Attrs["push"] != "" {
+				if ok, _ := strconv.ParseBool(e.Attrs["push"]); ok {
+					return nil, nil, errors.Errorf("tag is needed when pushing to registry")
+				}
+			}
+		}
+	}
+
+	// cacheonly is a fake exporter to opt out of default behaviors
+	exports := make([]client.ExportEntry, 0, len(opt.Exports))
+	for _, e := range opt.Exports {
+		if e.Type != "cacheonly" {
+			exports = append(exports, e)
+		}
+	}
+	opt.Exports = exports
+
+	// set up exporters
+	for i, e := range opt.Exports {
+		if e.Type == "oci" && !nodeDriver.Features(ctx)[driver.OCIExporter] {
+			return nil, nil, notSupported(driver.OCIExporter, nodeDriver, "https://docs.docker.com/go/build-exporters/")
+		}
+		if e.Type == "docker" {
+			features := docker.Features(ctx, e.Attrs["context"])
+			if features[dockerutil.OCIImporter] && e.Output == nil {
+				// rely on oci importer if available (which supports
+				// multi-platform images), otherwise fall back to docker
+				opt.Exports[i].Type = "oci"
+			} else if len(opt.Platforms) > 1 || len(attests) > 0 {
+				if e.Output != nil {
+					return nil, nil, errors.Errorf("docker exporter does not support exporting manifest lists, use the oci exporter instead")
+				}
+				return nil, nil, errors.Errorf("docker exporter does not currently support exporting manifest lists")
+			}
+			if e.Output == nil {
+				if nodeDriver.IsMobyDriver() {
+					e.Type = "image"
+				} else {
+					w, cancel, err := docker.LoadImage(ctx, e.Attrs["context"], pw)
+					if err != nil {
+						return nil, nil, err
+					}
+					defers = append(defers, cancel)
+					opt.Exports[i].Output = func(_ map[string]string) (io.WriteCloser, error) {
+						return w, nil
+					}
+				}
+			} else if !nodeDriver.Features(ctx)[driver.DockerExporter] {
+				return nil, nil, notSupported(driver.DockerExporter, nodeDriver, "https://docs.docker.com/go/build-exporters/")
+			}
+		}
+		if e.Type == "image" && nodeDriver.IsMobyDriver() {
+			opt.Exports[i].Type = "moby"
+			if e.Attrs["push"] != "" {
+				if ok, _ := strconv.ParseBool(e.Attrs["push"]); ok {
+					if ok, _ := strconv.ParseBool(e.Attrs["push-by-digest"]); ok {
+						return nil, nil, errors.Errorf("push-by-digest is currently not implemented for docker driver, please create a new builder instance")
+					}
+				}
+			}
+		}
+		if e.Type == "docker" || e.Type == "image" || e.Type == "oci" {
+			// inline buildinfo attrs from build arg
+			if v, ok := opt.BuildArgs["BUILDKIT_INLINE_BUILDINFO_ATTRS"]; ok {
+				e.Attrs["buildinfo-attrs"] = v
+			}
+		}
+	}
+
+	so.Exports = opt.Exports
+	so.Session = opt.Session
+
+	releaseLoad, err := loadInputs(ctx, nodeDriver, opt.Inputs, addVCSLocalDir, pw, &so)
+	if err != nil {
+		return nil, nil, err
+	}
+	defers = append(defers, releaseLoad)
+
+	if sharedKey := so.LocalDirs["context"]; sharedKey != "" {
+		if p, err := filepath.Abs(sharedKey); err == nil {
+			sharedKey = filepath.Base(p)
+		}
+		so.SharedKey = sharedKey + ":" + confutil.TryNodeIdentifier(configDir)
+	}
+
+	if opt.Pull {
+		so.FrontendAttrs["image-resolve-mode"] = pb.AttrImageResolveModeForcePull
+	} else if nodeDriver.IsMobyDriver() {
+		// moby driver always resolves local images by default
+		so.FrontendAttrs["image-resolve-mode"] = pb.AttrImageResolveModePreferLocal
+	}
+	if opt.Target != "" {
+		so.FrontendAttrs["target"] = opt.Target
+	}
+	if len(opt.NoCacheFilter) > 0 {
+		so.FrontendAttrs["no-cache"] = strings.Join(opt.NoCacheFilter, ",")
+	}
+	if opt.NoCache {
+		so.FrontendAttrs["no-cache"] = ""
+	}
+	for k, v := range opt.BuildArgs {
+		so.FrontendAttrs["build-arg:"+k] = v
+	}
+	for k, v := range opt.Labels {
+		so.FrontendAttrs["label:"+k] = v
+	}
+
+	for k, v := range node.ProxyConfig {
+		if _, ok := opt.BuildArgs[k]; !ok {
+			so.FrontendAttrs["build-arg:"+k] = v
+		}
+	}
+
+	// set platforms
+	if len(opt.Platforms) != 0 {
+		pp := make([]string, len(opt.Platforms))
+		for i, p := range opt.Platforms {
+			pp[i] = platforms.Format(p)
+		}
+		if len(pp) > 1 && !nodeDriver.Features(ctx)[driver.MultiPlatform] {
+			return nil, nil, notSupported(driver.MultiPlatform, nodeDriver, "https://docs.docker.com/go/build-multi-platform/")
+		}
+		so.FrontendAttrs["platform"] = strings.Join(pp, ",")
+	}
+
+	// setup networkmode
+	switch opt.NetworkMode {
+	case "host":
+		so.FrontendAttrs["force-network-mode"] = opt.NetworkMode
+		so.AllowedEntitlements = append(so.AllowedEntitlements, entitlements.EntitlementNetworkHost)
+	case "none":
+		so.FrontendAttrs["force-network-mode"] = opt.NetworkMode
+	case "", "default":
+	default:
+		return nil, nil, errors.Errorf("network mode %q not supported by buildkit - you can define a custom network for your builder using the network driver-opt in buildx create", opt.NetworkMode)
+	}
+
+	// setup extrahosts
+	extraHosts, err := toBuildkitExtraHosts(ctx, opt.ExtraHosts, nodeDriver)
+	if err != nil {
+		return nil, nil, err
+	}
+	if len(extraHosts) > 0 {
+		so.FrontendAttrs["add-hosts"] = extraHosts
+	}
+
+	// setup shm size
+	if opt.ShmSize.Value() > 0 {
+		so.FrontendAttrs["shm-size"] = strconv.FormatInt(opt.ShmSize.Value(), 10)
+	}
+
+	// setup ulimits
+	ulimits, err := toBuildkitUlimits(opt.Ulimits)
+	if err != nil {
+		return nil, nil, err
+	} else if len(ulimits) > 0 {
+		so.FrontendAttrs["ulimit"] = ulimits
+	}
+
+	// mark info request as internal
+	if opt.PrintFunc != nil {
+		so.Internal = true
+	}
+
+	return &so, releaseF, nil
+}
+
+func loadInputs(ctx context.Context, d *driver.DriverHandle, inp Inputs, addVCSLocalDir func(key, dir string, so *client.SolveOpt), pw progress.Writer, target *client.SolveOpt) (func(), error) {
+	if inp.ContextPath == "" {
+		return nil, errors.New("please specify build context (e.g. \".\" for the current directory)")
+	}
+
+	// TODO: handle stdin, symlinks, remote contexts, check files exist
+
+	var (
+		err              error
+		dockerfileReader io.Reader
+		dockerfileDir    string
+		dockerfileName   = inp.DockerfilePath
+		toRemove         []string
+	)
+
+	switch {
+	case inp.ContextState != nil:
+		if target.FrontendInputs == nil {
+			target.FrontendInputs = make(map[string]llb.State)
+		}
+		target.FrontendInputs["context"] = *inp.ContextState
+		target.FrontendInputs["dockerfile"] = *inp.ContextState
+	case inp.ContextPath == "-":
+		if inp.DockerfilePath == "-" {
+			return nil, errStdinConflict
+		}
+
+		buf := bufio.NewReader(inp.InStream)
+		magic, err := buf.Peek(archiveHeaderSize * 2)
+		if err != nil && err != io.EOF {
+			return nil, errors.Wrap(err, "failed to peek context header from STDIN")
+		}
+		if !(err == io.EOF && len(magic) == 0) {
+			if isArchive(magic) {
+				// stdin is context
+				up := uploadprovider.New()
+				target.FrontendAttrs["context"] = up.Add(buf)
+				target.Session = append(target.Session, up)
+			} else {
+				if inp.DockerfilePath != "" {
+					return nil, errDockerfileConflict
+				}
+				// stdin is dockerfile
+				dockerfileReader = buf
+				inp.ContextPath, _ = os.MkdirTemp("", "empty-dir")
+				toRemove = append(toRemove, inp.ContextPath)
+				if err := setLocalMount("context", inp.ContextPath, target, addVCSLocalDir); err != nil {
+					return nil, err
+				}
+			}
+		}
+	case osutil.IsLocalDir(inp.ContextPath):
+		if err := setLocalMount("context", inp.ContextPath, target, addVCSLocalDir); err != nil {
+			return nil, err
+		}
+		switch inp.DockerfilePath {
+		case "-":
+			dockerfileReader = inp.InStream
+		case "":
+			dockerfileDir = inp.ContextPath
+		default:
+			dockerfileDir = filepath.Dir(inp.DockerfilePath)
+			dockerfileName = filepath.Base(inp.DockerfilePath)
+		}
+	case IsRemoteURL(inp.ContextPath):
+		if inp.DockerfilePath == "-" {
+			dockerfileReader = inp.InStream
+		} else if filepath.IsAbs(inp.DockerfilePath) {
+			dockerfileDir = filepath.Dir(inp.DockerfilePath)
+			dockerfileName = filepath.Base(inp.DockerfilePath)
+			target.FrontendAttrs["dockerfilekey"] = "dockerfile"
+		}
+		target.FrontendAttrs["context"] = inp.ContextPath
+	default:
+		return nil, errors.Errorf("unable to prepare context: path %q not found", inp.ContextPath)
+	}
+
+	if inp.DockerfileInline != "" {
+		dockerfileReader = strings.NewReader(inp.DockerfileInline)
+	}
+
+	if dockerfileReader != nil {
+		dockerfileDir, err = createTempDockerfile(dockerfileReader)
+		if err != nil {
+			return nil, err
+		}
+		toRemove = append(toRemove, dockerfileDir)
+		dockerfileName = "Dockerfile"
+		target.FrontendAttrs["dockerfilekey"] = "dockerfile"
+	}
+	if urlutil.IsURL(inp.DockerfilePath) {
+		dockerfileDir, err = createTempDockerfileFromURL(ctx, d, inp.DockerfilePath, pw)
+		if err != nil {
+			return nil, err
+		}
+		toRemove = append(toRemove, dockerfileDir)
+		dockerfileName = "Dockerfile"
+		target.FrontendAttrs["dockerfilekey"] = "dockerfile"
+		delete(target.FrontendInputs, "dockerfile")
+	}
+
+	if dockerfileName == "" {
+		dockerfileName = "Dockerfile"
+	}
+
+	if dockerfileDir != "" {
+		if err := setLocalMount("dockerfile", dockerfileDir, target, addVCSLocalDir); err != nil {
+			return nil, err
+		}
+		dockerfileName = handleLowercaseDockerfile(dockerfileDir, dockerfileName)
+	}
+
+	target.FrontendAttrs["filename"] = dockerfileName
+
+	for k, v := range inp.NamedContexts {
+		target.FrontendAttrs["frontend.caps"] = "moby.buildkit.frontend.contexts+forward"
+		if v.State != nil {
+			target.FrontendAttrs["context:"+k] = "input:" + k
+			if target.FrontendInputs == nil {
+				target.FrontendInputs = make(map[string]llb.State)
+			}
+			target.FrontendInputs[k] = *v.State
+			continue
+		}
+
+		if IsRemoteURL(v.Path) || strings.HasPrefix(v.Path, "docker-image://") || strings.HasPrefix(v.Path, "target:") {
+			target.FrontendAttrs["context:"+k] = v.Path
+			continue
+		}
+
+		// handle OCI layout
+		if strings.HasPrefix(v.Path, "oci-layout://") {
+			pathAlone := strings.TrimPrefix(v.Path, "oci-layout://")
+			localPath := pathAlone
+			localPath, dig, hasDigest := strings.Cut(localPath, "@")
+			localPath, tag, hasTag := strings.Cut(localPath, ":")
+			if !hasTag {
+				tag = "latest"
+				hasTag = true
+			}
+			idx := ociindex.NewStoreIndex(localPath)
+			if !hasDigest {
+				// lookup by name
+				desc, err := idx.Get(tag)
+				if err != nil {
+					return nil, err
+				}
+				if desc != nil {
+					dig = string(desc.Digest)
+					hasDigest = true
+				}
+			}
+			if !hasDigest {
+				// lookup single
+				desc, err := idx.GetSingle()
+				if err != nil {
+					return nil, err
+				}
+				if desc != nil {
+					dig = string(desc.Digest)
+					hasDigest = true
+				}
+			}
+			if !hasDigest {
+				return nil, errors.Errorf("oci-layout reference %q could not be resolved", v.Path)
+			}
+			_, err := digest.Parse(dig)
+			if err != nil {
+				return nil, errors.Wrapf(err, "invalid oci-layout digest %s", dig)
+			}
+
+			store, err := local.NewStore(localPath)
+			if err != nil {
+				return nil, errors.Wrapf(err, "invalid store at %s", localPath)
+			}
+			storeName := identity.NewID()
+			if target.OCIStores == nil {
+				target.OCIStores = map[string]content.Store{}
+			}
+			target.OCIStores[storeName] = store
+
+			layout := "oci-layout://" + storeName
+			if hasTag {
+				layout += ":" + tag
+			}
+			if hasDigest {
+				layout += "@" + dig
+			}
+
+			target.FrontendAttrs["context:"+k] = layout
+			continue
+		}
+		st, err := os.Stat(v.Path)
+		if err != nil {
+			return nil, errors.Wrapf(err, "failed to get build context %v", k)
+		}
+		if !st.IsDir() {
+			return nil, errors.Wrapf(syscall.ENOTDIR, "failed to get build context path %v", v)
+		}
+		localName := k
+		if k == "context" || k == "dockerfile" {
+			localName = "_" + k // underscore to avoid collisions
+		}
+		if err := setLocalMount(localName, v.Path, target, addVCSLocalDir); err != nil {
+			return nil, err
+		}
+		target.FrontendAttrs["context:"+k] = "local:" + localName
+	}
+
+	release := func() {
+		for _, dir := range toRemove {
+			os.RemoveAll(dir)
+		}
+	}
+	return release, nil
+}
+
+func setLocalMount(name, root string, so *client.SolveOpt, addVCSLocalDir func(key, dir string, so *client.SolveOpt)) error {
+	lm, err := fsutil.NewFS(root)
+	if err != nil {
+		return err
+	}
+	root, err = filepath.EvalSymlinks(root) // keep same behavior as fsutil.NewFS
+	if err != nil {
+		return err
+	}
+	if so.LocalMounts == nil {
+		so.LocalMounts = map[string]fsutil.FS{}
+	}
+	so.LocalMounts[name] = lm
+	if addVCSLocalDir != nil {
+		addVCSLocalDir(name, root, so)
+	}
+	return nil
+}
+
+func createTempDockerfile(r io.Reader) (string, error) {
+	dir, err := os.MkdirTemp("", "dockerfile")
+	if err != nil {
+		return "", err
+	}
+	f, err := os.Create(filepath.Join(dir, "Dockerfile"))
+	if err != nil {
+		return "", err
+	}
+	defer f.Close()
+	if _, err := io.Copy(f, r); err != nil {
+		return "", err
+	}
+	return dir, err
+}
+
+// handle https://github.com/moby/moby/pull/10858
+func handleLowercaseDockerfile(dir, p string) string {
+	if filepath.Base(p) != "Dockerfile" {
+		return p
+	}
+
+	f, err := os.Open(filepath.Dir(filepath.Join(dir, p)))
+	if err != nil {
+		return p
+	}
+
+	names, err := f.Readdirnames(-1)
+	if err != nil {
+		return p
+	}
+
+	foundLowerCase := false
+	for _, n := range names {
+		if n == "Dockerfile" {
+			return p
+		}
+		if n == "dockerfile" {
+			foundLowerCase = true
+		}
+	}
+	if foundLowerCase {
+		return filepath.Join(filepath.Dir(p), "dockerfile")
+	}
+	return p
+}

build/provenance.go

@@ -0,0 +1,157 @@
+package build
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"io"
+	"strings"
+	"sync"
+
+	"github.com/containerd/containerd/content"
+	"github.com/containerd/containerd/content/proxy"
+	"github.com/docker/buildx/util/confutil"
+	"github.com/docker/buildx/util/progress"
+	controlapi "github.com/moby/buildkit/api/services/control"
+	"github.com/moby/buildkit/client"
+	provenancetypes "github.com/moby/buildkit/solver/llbsolver/provenance/types"
+	ocispecs "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+	"golang.org/x/sync/errgroup"
+)
+
+type provenancePredicate struct {
+	Builder *provenanceBuilder `json:"builder,omitempty"`
+	provenancetypes.ProvenancePredicate
+}
+
+type provenanceBuilder struct {
+	ID string `json:"id,omitempty"`
+}
+
+func setRecordProvenance(ctx context.Context, c *client.Client, sr *client.SolveResponse, ref string, pw progress.Writer) error {
+	mode := confutil.MetadataProvenance()
+	if mode == confutil.MetadataProvenanceModeDisabled {
+		return nil
+	}
+	pw = progress.ResetTime(pw)
+	return progress.Wrap("resolving provenance for metadata file", pw.Write, func(l progress.SubLogger) error {
+		res, err := fetchProvenance(ctx, c, ref, mode)
+		if err != nil {
+			return err
+		}
+		for k, v := range res {
+			sr.ExporterResponse[k] = v
+		}
+		return nil
+	})
+}
+
+func fetchProvenance(ctx context.Context, c *client.Client, ref string, mode confutil.MetadataProvenanceMode) (out map[string]string, err error) {
+	cl, err := c.ControlClient().ListenBuildHistory(ctx, &controlapi.BuildHistoryRequest{
+		Ref:       ref,
+		EarlyExit: true,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	var mu sync.Mutex
+	eg, ctx := errgroup.WithContext(ctx)
+	store := proxy.NewContentStore(c.ContentClient())
+	for {
+		ev, err := cl.Recv()
+		if errors.Is(err, io.EOF) {
+			break
+		} else if err != nil {
+			return nil, err
+		}
+		if ev.Record == nil {
+			continue
+		}
+		if ev.Record.Result != nil {
+			desc := lookupProvenance(ev.Record.Result)
+			if desc == nil {
+				continue
+			}
+			eg.Go(func() error {
+				dt, err := content.ReadBlob(ctx, store, *desc)
+				if err != nil {
+					return errors.Wrapf(err, "failed to load provenance blob from build record")
+				}
+				prv, err := encodeProvenance(dt, mode)
+				if err != nil {
+					return err
+				}
+				mu.Lock()
+				if out == nil {
+					out = make(map[string]string)
+				}
+				out["buildx.build.provenance"] = prv
+				mu.Unlock()
+				return nil
+			})
+		} else if ev.Record.Results != nil {
+			for platform, res := range ev.Record.Results {
+				platform := platform
+				desc := lookupProvenance(res)
+				if desc == nil {
+					continue
+				}
+				eg.Go(func() error {
+					dt, err := content.ReadBlob(ctx, store, *desc)
+					if err != nil {
+						return errors.Wrapf(err, "failed to load provenance blob from build record")
+					}
+					prv, err := encodeProvenance(dt, mode)
+					if err != nil {
+						return err
+					}
+					mu.Lock()
+					if out == nil {
+						out = make(map[string]string)
+					}
+					out["buildx.build.provenance/"+platform] = prv
+					mu.Unlock()
+					return nil
+				})
+			}
+		}
+	}
+	return out, eg.Wait()
+}
+
+func lookupProvenance(res *controlapi.BuildResultInfo) *ocispecs.Descriptor {
+	for _, a := range res.Attestations {
+		if a.MediaType == "application/vnd.in-toto+json" && strings.HasPrefix(a.Annotations["in-toto.io/predicate-type"], "https://slsa.dev/provenance/") {
+			return &ocispecs.Descriptor{
+				Digest:      a.Digest,
+				Size:        a.Size_,
+				MediaType:   a.MediaType,
+				Annotations: a.Annotations,
+			}
+		}
+	}
+	return nil
+}
+
+func encodeProvenance(dt []byte, mode confutil.MetadataProvenanceMode) (string, error) {
+	var prv provenancePredicate
+	if err := json.Unmarshal(dt, &prv); err != nil {
+		return "", errors.Wrapf(err, "failed to unmarshal provenance")
+	}
+	if prv.Builder != nil && prv.Builder.ID == "" {
+		// reset builder if id is empty
+		prv.Builder = nil
+	}
+	if mode == confutil.MetadataProvenanceModeMin {
+		// reset fields for minimal provenance
+		prv.BuildConfig = nil
+		prv.Metadata = nil
+	}
+	dtprv, err := json.Marshal(prv)
+	if err != nil {
+		return "", errors.Wrapf(err, "failed to marshal provenance")
+	}
+	return base64.StdEncoding.EncodeToString(dtprv), nil
+}

build/utils.go

@@ -6,6 +6,7 @@ import (
 	"context"
 	"net"
 	"os"
+	"strconv"
 	"strings"
 
 	"github.com/docker/buildx/driver"
@@ -13,6 +14,7 @@ import (
 	"github.com/docker/docker/builder/remotecontext/urlutil"
 	"github.com/moby/buildkit/util/gitutil"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 )
 
 const (
@@ -34,11 +36,6 @@ func IsRemoteURL(c string) bool {
 	return false
 }
 
-func isLocalDir(c string) bool {
-	st, err := os.Stat(c)
-	return err == nil && st.IsDir()
-}
-
 func isArchive(header []byte) bool {
 	for _, m := range [][]byte{
 		{0x42, 0x5A, 0x68},                   // bzip2
@@ -65,7 +62,10 @@ func toBuildkitExtraHosts(ctx context.Context, inp []string, nodeDriver *driver.
 	}
 	hosts := make([]string, 0, len(inp))
 	for _, h := range inp {
-		host, ip, ok := strings.Cut(h, ":")
+		host, ip, ok := strings.Cut(h, "=")
+		if !ok {
+			host, ip, ok = strings.Cut(h, ":")
+		}
 		if !ok || host == "" || ip == "" {
 			return "", errors.Errorf("invalid host %s", h)
 		}
@@ -77,8 +77,16 @@ func toBuildkitExtraHosts(ctx context.Context, inp []string, nodeDriver *driver.
 				return "", errors.Wrap(err, "unable to derive the IP value for host-gateway")
 			}
 			ip = hgip.String()
-		} else if net.ParseIP(ip) == nil {
+		} else {
-			return "", errors.Errorf("invalid host %s", h)
+			// If the address is enclosed in square brackets, extract it (for IPv6, but
+			// permit it for IPv4 as well; we don't know the address family here, but it's
+			// unambiguous).
+			if len(ip) > 2 && ip[0] == '[' && ip[len(ip)-1] == ']' {
+				ip = ip[1 : len(ip)-1]
+			}
+			if net.ParseIP(ip) == nil {
+				return "", errors.Errorf("invalid host %s", h)
+			}
 		}
 		hosts = append(hosts, host+"="+ip)
 	}
@@ -96,3 +104,21 @@ func toBuildkitUlimits(inp *opts.UlimitOpt) (string, error) {
 	}
 	return strings.Join(ulimits, ","), nil
 }
+
+func notSupported(f driver.Feature, d *driver.DriverHandle, docs string) error {
+	return errors.Errorf(`%s is not supported for the %s driver.
+Switch to a different driver, or turn on the containerd image store, and try again.
+Learn more at %s`, f, d.Factory().Name(), docs)
+}
+
+func noDefaultLoad() bool {
+	v, ok := os.LookupEnv("BUILDX_NO_DEFAULT_LOAD")
+	if !ok {
+		return false
+	}
+	b, err := strconv.ParseBool(v)
+	if err != nil {
+		logrus.Warnf("invalid non-bool value for BUILDX_NO_DEFAULT_LOAD: %s", v)
+	}
+	return b
+}

build/utils_test.go

@@ -0,0 +1,148 @@
+package build
+
+import (
+	"context"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestToBuildkitExtraHosts(t *testing.T) {
+	tests := []struct {
+		doc         string
+		input       []string
+		expectedOut string // Expect output==input if not set.
+		expectedErr string // Expect success if not set.
+	}{
+		{
+			doc:         "IPv4, colon sep",
+			input:       []string{`myhost:192.168.0.1`},
+			expectedOut: `myhost=192.168.0.1`,
+		},
+		{
+			doc:   "IPv4, eq sep",
+			input: []string{`myhost=192.168.0.1`},
+		},
+		{
+			doc:         "Weird but permitted, IPv4 with brackets",
+			input:       []string{`myhost=[192.168.0.1]`},
+			expectedOut: `myhost=192.168.0.1`,
+		},
+		{
+			doc:         "Host and domain",
+			input:       []string{`host.and.domain.invalid:10.0.2.1`},
+			expectedOut: `host.and.domain.invalid=10.0.2.1`,
+		},
+		{
+			doc:         "IPv6, colon sep",
+			input:       []string{`anipv6host:2003:ab34:e::1`},
+			expectedOut: `anipv6host=2003:ab34:e::1`,
+		},
+		{
+			doc:         "IPv6, colon sep, brackets",
+			input:       []string{`anipv6host:[2003:ab34:e::1]`},
+			expectedOut: `anipv6host=2003:ab34:e::1`,
+		},
+		{
+			doc:         "IPv6, eq sep, brackets",
+			input:       []string{`anipv6host=[2003:ab34:e::1]`},
+			expectedOut: `anipv6host=2003:ab34:e::1`,
+		},
+		{
+			doc:         "IPv6 localhost, colon sep",
+			input:       []string{`ipv6local:::1`},
+			expectedOut: `ipv6local=::1`,
+		},
+		{
+			doc:   "IPv6 localhost, eq sep",
+			input: []string{`ipv6local=::1`},
+		},
+		{
+			doc:         "IPv6 localhost, eq sep, brackets",
+			input:       []string{`ipv6local=[::1]`},
+			expectedOut: `ipv6local=::1`,
+		},
+		{
+			doc:         "IPv6 localhost, non-canonical, colon sep",
+			input:       []string{`ipv6local:0:0:0:0:0:0:0:1`},
+			expectedOut: `ipv6local=0:0:0:0:0:0:0:1`,
+		},
+		{
+			doc:   "IPv6 localhost, non-canonical, eq sep",
+			input: []string{`ipv6local=0:0:0:0:0:0:0:1`},
+		},
+		{
+			doc:         "IPv6 localhost, non-canonical, eq sep, brackets",
+			input:       []string{`ipv6local=[0:0:0:0:0:0:0:1]`},
+			expectedOut: `ipv6local=0:0:0:0:0:0:0:1`,
+		},
+		{
+			doc:         "Bad address, colon sep",
+			input:       []string{`myhost:192.notanipaddress.1`},
+			expectedErr: `invalid IP address in add-host: "192.notanipaddress.1"`,
+		},
+		{
+			doc:         "Bad address, eq sep",
+			input:       []string{`myhost=192.notanipaddress.1`},
+			expectedErr: `invalid IP address in add-host: "192.notanipaddress.1"`,
+		},
+		{
+			doc:         "No sep",
+			input:       []string{`thathost-nosemicolon10.0.0.1`},
+			expectedErr: `bad format for add-host: "thathost-nosemicolon10.0.0.1"`,
+		},
+		{
+			doc:         "Bad IPv6",
+			input:       []string{`anipv6host:::::1`},
+			expectedErr: `invalid IP address in add-host: "::::1"`,
+		},
+		{
+			doc:         "Bad IPv6, trailing colons",
+			input:       []string{`ipv6local:::0::`},
+			expectedErr: `invalid IP address in add-host: "::0::"`,
+		},
+		{
+			doc:         "Bad IPv6, missing close bracket",
+			input:       []string{`ipv6addr=[::1`},
+			expectedErr: `invalid IP address in add-host: "[::1"`,
+		},
+		{
+			doc:         "Bad IPv6, missing open bracket",
+			input:       []string{`ipv6addr=::1]`},
+			expectedErr: `invalid IP address in add-host: "::1]"`,
+		},
+		{
+			doc:         "Missing address, colon sep",
+			input:       []string{`myhost.invalid:`},
+			expectedErr: `invalid IP address in add-host: ""`,
+		},
+		{
+			doc:         "Missing address, eq sep",
+			input:       []string{`myhost.invalid=`},
+			expectedErr: `invalid IP address in add-host: ""`,
+		},
+		{
+			doc:         "No input",
+			input:       []string{``},
+			expectedErr: `bad format for add-host: ""`,
+		},
+	}
+
+	for _, tc := range tests {
+		tc := tc
+		if tc.expectedOut == "" {
+			tc.expectedOut = strings.Join(tc.input, ",")
+		}
+		t.Run(tc.doc, func(t *testing.T) {
+			actualOut, actualErr := toBuildkitExtraHosts(context.TODO(), tc.input, nil)
+			if tc.expectedErr == "" {
+				require.Equal(t, tc.expectedOut, actualOut)
+				require.Nil(t, actualErr)
+			} else {
+				require.Zero(t, actualOut)
+				require.Error(t, actualErr, tc.expectedErr)
+			}
+		})
+	}
+}

builder/builder.go

@@ -2,19 +2,31 @@ package builder
 
 import (
 	"context"
+	"encoding/csv"
+	"encoding/json"
+	"net/url"
 	"os"
 	"sort"
+	"strings"
 	"sync"
+	"time"
 
 	"github.com/docker/buildx/driver"
+	k8sutil "github.com/docker/buildx/driver/kubernetes/util"
+	remoteutil "github.com/docker/buildx/driver/remote/util"
+	"github.com/docker/buildx/localstate"
 	"github.com/docker/buildx/store"
 	"github.com/docker/buildx/store/storeutil"
+	"github.com/docker/buildx/util/confutil"
 	"github.com/docker/buildx/util/dockerutil"
 	"github.com/docker/buildx/util/imagetools"
 	"github.com/docker/buildx/util/progress"
 	"github.com/docker/cli/cli/command"
+	dopts "github.com/docker/cli/opts"
+	"github.com/google/shlex"
 	"github.com/moby/buildkit/util/progress/progressui"
 	"github.com/pkg/errors"
+	"github.com/spf13/pflag"
 	"golang.org/x/sync/errgroup"
 )
 
@@ -247,6 +259,28 @@ func (b *Builder) Factory(ctx context.Context, dialMeta map[string][]string) (_
 	return b.driverFactory.Factory, err
 }
 
+func (b *Builder) MarshalJSON() ([]byte, error) {
+	var berr string
+	if b.err != nil {
+		berr = strings.TrimSpace(b.err.Error())
+	}
+	return json.Marshal(struct {
+		Name         string
+		Driver       string
+		LastActivity time.Time `json:",omitempty"`
+		Dynamic      bool
+		Nodes        []Node
+		Err          string `json:",omitempty"`
+	}{
+		Name:         b.Name,
+		Driver:       b.Driver,
+		LastActivity: b.LastActivity,
+		Dynamic:      b.Dynamic,
+		Nodes:        b.nodes,
+		Err:          berr,
+	})
+}
+
 // GetBuilders returns all builders
 func GetBuilders(dockerCli command.Cli, txn *store.Txn) ([]*Builder, error) {
 	storeng, err := txn.List()
@@ -297,3 +331,347 @@ func GetBuilders(dockerCli command.Cli, txn *store.Txn) ([]*Builder, error) {
 
 	return builders, nil
 }
+
+type CreateOpts struct {
+	Name                string
+	Driver              string
+	NodeName            string
+	Platforms           []string
+	BuildkitdFlags      string
+	BuildkitdConfigFile string
+	DriverOpts          []string
+	Use                 bool
+	Endpoint            string
+	Append              bool
+}
+
+func Create(ctx context.Context, txn *store.Txn, dockerCli command.Cli, opts CreateOpts) (*Builder, error) {
+	var err error
+
+	if opts.Name == "default" {
+		return nil, errors.Errorf("default is a reserved name and cannot be used to identify builder instance")
+	} else if opts.Append && opts.Name == "" {
+		return nil, errors.Errorf("append requires a builder name")
+	}
+
+	name := opts.Name
+	if name == "" {
+		name, err = store.GenerateName(txn)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	if !opts.Append {
+		contexts, err := dockerCli.ContextStore().List()
+		if err != nil {
+			return nil, err
+		}
+		for _, c := range contexts {
+			if c.Name == name {
+				return nil, errors.Errorf("instance name %q already exists as context builder", name)
+			}
+		}
+	}
+
+	ng, err := txn.NodeGroupByName(name)
+	if err != nil {
+		if os.IsNotExist(errors.Cause(err)) {
+			if opts.Append && opts.Name != "" {
+				return nil, errors.Errorf("failed to find instance %q for append", opts.Name)
+			}
+		} else {
+			return nil, err
+		}
+	}
+
+	buildkitHost := os.Getenv("BUILDKIT_HOST")
+
+	driverName := opts.Driver
+	if driverName == "" {
+		if ng != nil {
+			driverName = ng.Driver
+		} else if opts.Endpoint == "" && buildkitHost != "" {
+			driverName = "remote"
+		} else {
+			f, err := driver.GetDefaultFactory(ctx, opts.Endpoint, dockerCli.Client(), true, nil)
+			if err != nil {
+				return nil, err
+			}
+			if f == nil {
+				return nil, errors.Errorf("no valid drivers found")
+			}
+			driverName = f.Name()
+		}
+	}
+
+	if ng != nil {
+		if opts.NodeName == "" && !opts.Append {
+			return nil, errors.Errorf("existing instance for %q but no append mode, specify the node name to make changes for existing instances", name)
+		}
+		if driverName != ng.Driver {
+			return nil, errors.Errorf("existing instance for %q but has mismatched driver %q", name, ng.Driver)
+		}
+	}
+
+	if _, err := driver.GetFactory(driverName, true); err != nil {
+		return nil, err
+	}
+
+	ngOriginal := ng
+	if ngOriginal != nil {
+		ngOriginal = ngOriginal.Copy()
+	}
+
+	if ng == nil {
+		ng = &store.NodeGroup{
+			Name:   name,
+			Driver: driverName,
+		}
+	}
+
+	driverOpts, err := csvToMap(opts.DriverOpts)
+	if err != nil {
+		return nil, err
+	}
+
+	buildkitdFlags, err := parseBuildkitdFlags(opts.BuildkitdFlags, driverName, driverOpts)
+	if err != nil {
+		return nil, err
+	}
+
+	var ep string
+	var setEp bool
+	switch {
+	case driverName == "kubernetes":
+		if opts.Endpoint != "" {
+			return nil, errors.Errorf("kubernetes driver does not support endpoint args %q", opts.Endpoint)
+		}
+		// generate node name if not provided to avoid duplicated endpoint
+		// error: https://github.com/docker/setup-buildx-action/issues/215
+		nodeName := opts.NodeName
+		if nodeName == "" {
+			nodeName, err = k8sutil.GenerateNodeName(name, txn)
+			if err != nil {
+				return nil, err
+			}
+		}
+		// naming endpoint to make append works
+		ep = (&url.URL{
+			Scheme: driverName,
+			Path:   "/" + name,
+			RawQuery: (&url.Values{
+				"deployment": {nodeName},
+				"kubeconfig": {os.Getenv("KUBECONFIG")},
+			}).Encode(),
+		}).String()
+		setEp = false
+	case driverName == "remote":
+		if opts.Endpoint != "" {
+			ep = opts.Endpoint
+		} else if buildkitHost != "" {
+			ep = buildkitHost
+		} else {
+			return nil, errors.Errorf("no remote endpoint provided")
+		}
+		ep, err = validateBuildkitEndpoint(ep)
+		if err != nil {
+			return nil, err
+		}
+		setEp = true
+	case opts.Endpoint != "":
+		ep, err = validateEndpoint(dockerCli, opts.Endpoint)
+		if err != nil {
+			return nil, err
+		}
+		setEp = true
+	default:
+		if dockerCli.CurrentContext() == "default" && dockerCli.DockerEndpoint().TLSData != nil {
+			return nil, errors.Errorf("could not create a builder instance with TLS data loaded from environment. Please use `docker context create <context-name>` to create a context for current environment and then create a builder instance with context set to <context-name>")
+		}
+		ep, err = dockerutil.GetCurrentEndpoint(dockerCli)
+		if err != nil {
+			return nil, err
+		}
+		setEp = false
+	}
+
+	buildkitdConfigFile := opts.BuildkitdConfigFile
+	if buildkitdConfigFile == "" {
+		// if buildkit daemon config is not provided, check if the default one
+		// is available and use it
+		if f, ok := confutil.DefaultConfigFile(dockerCli); ok {
+			buildkitdConfigFile = f
+		}
+	}
+
+	if err := ng.Update(opts.NodeName, ep, opts.Platforms, setEp, opts.Append, buildkitdFlags, buildkitdConfigFile, driverOpts); err != nil {
+		return nil, err
+	}
+
+	if err := txn.Save(ng); err != nil {
+		return nil, err
+	}
+
+	b, err := New(dockerCli,
+		WithName(ng.Name),
+		WithStore(txn),
+		WithSkippedValidation(),
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	timeoutCtx, cancel := context.WithTimeout(ctx, 20*time.Second)
+	defer cancel()
+
+	nodes, err := b.LoadNodes(timeoutCtx, WithData())
+	if err != nil {
+		return nil, err
+	}
+
+	for _, node := range nodes {
+		if err := node.Err; err != nil {
+			err := errors.Errorf("failed to initialize builder %s (%s): %s", ng.Name, node.Name, err)
+			var err2 error
+			if ngOriginal == nil {
+				err2 = txn.Remove(ng.Name)
+			} else {
+				err2 = txn.Save(ngOriginal)
+			}
+			if err2 != nil {
+				return nil, errors.Errorf("could not rollback to previous state: %s", err2)
+			}
+			return nil, err
+		}
+	}
+
+	if opts.Use && ep != "" {
+		current, err := dockerutil.GetCurrentEndpoint(dockerCli)
+		if err != nil {
+			return nil, err
+		}
+		if err := txn.SetCurrent(current, ng.Name, false, false); err != nil {
+			return nil, err
+		}
+	}
+
+	return b, nil
+}
+
+type LeaveOpts struct {
+	Name     string
+	NodeName string
+}
+
+func Leave(ctx context.Context, txn *store.Txn, dockerCli command.Cli, opts LeaveOpts) error {
+	if opts.Name == "" {
+		return errors.Errorf("leave requires instance name")
+	}
+	if opts.NodeName == "" {
+		return errors.Errorf("leave requires node name")
+	}
+
+	ng, err := txn.NodeGroupByName(opts.Name)
+	if err != nil {
+		if os.IsNotExist(errors.Cause(err)) {
+			return errors.Errorf("failed to find instance %q for leave", opts.Name)
+		}
+		return err
+	}
+
+	if err := ng.Leave(opts.NodeName); err != nil {
+		return err
+	}
+
+	ls, err := localstate.New(confutil.ConfigDir(dockerCli))
+	if err != nil {
+		return err
+	}
+	if err := ls.RemoveBuilderNode(ng.Name, opts.NodeName); err != nil {
+		return err
+	}
+
+	return txn.Save(ng)
+}
+
+func csvToMap(in []string) (map[string]string, error) {
+	if len(in) == 0 {
+		return nil, nil
+	}
+	m := make(map[string]string, len(in))
+	for _, s := range in {
+		csvReader := csv.NewReader(strings.NewReader(s))
+		fields, err := csvReader.Read()
+		if err != nil {
+			return nil, err
+		}
+		for _, v := range fields {
+			p := strings.SplitN(v, "=", 2)
+			if len(p) != 2 {
+				return nil, errors.Errorf("invalid value %q, expecting k=v", v)
+			}
+			m[p[0]] = p[1]
+		}
+	}
+	return m, nil
+}
+
+// validateEndpoint validates that endpoint is either a context or a docker host
+func validateEndpoint(dockerCli command.Cli, ep string) (string, error) {
+	dem, err := dockerutil.GetDockerEndpoint(dockerCli, ep)
+	if err == nil && dem != nil {
+		if ep == "default" {
+			return dem.Host, nil
+		}
+		return ep, nil
+	}
+	h, err := dopts.ParseHost(true, ep)
+	if err != nil {
+		return "", errors.Wrapf(err, "failed to parse endpoint %s", ep)
+	}
+	return h, nil
+}
+
+// validateBuildkitEndpoint validates that endpoint is a valid buildkit host
+func validateBuildkitEndpoint(ep string) (string, error) {
+	if err := remoteutil.IsValidEndpoint(ep); err != nil {
+		return "", err
+	}
+	return ep, nil
+}
+
+// parseBuildkitdFlags parses buildkit flags
+func parseBuildkitdFlags(inp string, driver string, driverOpts map[string]string) (res []string, err error) {
+	if inp != "" {
+		res, err = shlex.Split(inp)
+		if err != nil {
+			return nil, errors.Wrap(err, "failed to parse buildkit flags")
+		}
+	}
+
+	var allowInsecureEntitlements []string
+	flags := pflag.NewFlagSet("buildkitd", pflag.ContinueOnError)
+	flags.Usage = func() {}
+	flags.StringArrayVar(&allowInsecureEntitlements, "allow-insecure-entitlement", nil, "")
+	_ = flags.Parse(res)
+
+	var hasNetworkHostEntitlement bool
+	for _, e := range allowInsecureEntitlements {
+		if e == "network.host" {
+			hasNetworkHostEntitlement = true
+			break
+		}
+	}
+
+	if v, ok := driverOpts["network"]; ok && v == "host" && !hasNetworkHostEntitlement && driver == "docker-container" {
+		// always set network.host entitlement if user has set network=host
+		res = append(res, "--allow-insecure-entitlement=network.host")
+	} else if len(allowInsecureEntitlements) == 0 && (driver == "kubernetes" || driver == "docker-container") {
+		// set network.host entitlement if user does not provide any as
+		// network is isolated for container drivers.
+		res = append(res, "--allow-insecure-entitlement=network.host")
+	}
+
+	return res, nil
+}

builder/builder_test.go

@@ -0,0 +1,139 @@
+package builder
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestCsvToMap(t *testing.T) {
+	d := []string{
+		"\"tolerations=key=foo,value=bar;key=foo2,value=bar2\",replicas=1",
+		"namespace=default",
+	}
+	r, err := csvToMap(d)
+
+	require.NoError(t, err)
+
+	require.Contains(t, r, "tolerations")
+	require.Equal(t, r["tolerations"], "key=foo,value=bar;key=foo2,value=bar2")
+
+	require.Contains(t, r, "replicas")
+	require.Equal(t, r["replicas"], "1")
+
+	require.Contains(t, r, "namespace")
+	require.Equal(t, r["namespace"], "default")
+}
+
+func TestParseBuildkitdFlags(t *testing.T) {
+	testCases := []struct {
+		name       string
+		flags      string
+		driver     string
+		driverOpts map[string]string
+		expected   []string
+		wantErr    bool
+	}{
+		{
+			"docker-container no flags",
+			"",
+			"docker-container",
+			nil,
+			[]string{
+				"--allow-insecure-entitlement=network.host",
+			},
+			false,
+		},
+		{
+			"kubernetes no flags",
+			"",
+			"kubernetes",
+			nil,
+			[]string{
+				"--allow-insecure-entitlement=network.host",
+			},
+			false,
+		},
+		{
+			"remote no flags",
+			"",
+			"remote",
+			nil,
+			nil,
+			false,
+		},
+		{
+			"docker-container with insecure flag",
+			"--allow-insecure-entitlement=security.insecure",
+			"docker-container",
+			nil,
+			[]string{
+				"--allow-insecure-entitlement=security.insecure",
+			},
+			false,
+		},
+		{
+			"docker-container with insecure and host flag",
+			"--allow-insecure-entitlement=network.host --allow-insecure-entitlement=security.insecure",
+			"docker-container",
+			nil,
+			[]string{
+				"--allow-insecure-entitlement=network.host",
+				"--allow-insecure-entitlement=security.insecure",
+			},
+			false,
+		},
+		{
+			"docker-container with network host opt",
+			"",
+			"docker-container",
+			map[string]string{"network": "host"},
+			[]string{
+				"--allow-insecure-entitlement=network.host",
+			},
+			false,
+		},
+		{
+			"docker-container with host flag and network host opt",
+			"--allow-insecure-entitlement=network.host",
+			"docker-container",
+			map[string]string{"network": "host"},
+			[]string{
+				"--allow-insecure-entitlement=network.host",
+			},
+			false,
+		},
+		{
+			"docker-container with insecure, host flag and network host opt",
+			"--allow-insecure-entitlement=network.host --allow-insecure-entitlement=security.insecure",
+			"docker-container",
+			map[string]string{"network": "host"},
+			[]string{
+				"--allow-insecure-entitlement=network.host",
+				"--allow-insecure-entitlement=security.insecure",
+			},
+			false,
+		},
+		{
+			"error parsing flags",
+			"foo'",
+			"docker-container",
+			nil,
+			nil,
+			true,
+		},
+	}
+	for _, tt := range testCases {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			flags, err := parseBuildkitdFlags(tt.flags, tt.driver, tt.driverOpts)
+			if tt.wantErr {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			assert.Equal(t, tt.expected, flags)
+		})
+	}
+}

builder/node.go

@@ -2,8 +2,11 @@ package builder
 
 import (
 	"context"
+	"encoding/json"
 	"sort"
+	"strings"
 
+	"github.com/containerd/containerd/platforms"
 	"github.com/docker/buildx/driver"
 	ctxkube "github.com/docker/buildx/driver/kubernetes/context"
 	"github.com/docker/buildx/store"
@@ -139,7 +142,7 @@ func (b *Builder) LoadNodes(ctx context.Context, opts ...LoadNodesOption) (_ []N
 					}
 				}
 
-				d, err := driver.GetDriver(ctx, "buildx_buildkit_"+n.Name, factory, n.Endpoint, dockerapi, imageopt.Auth, kcc, n.Flags, n.Files, n.DriverOpts, n.Platforms, b.opts.contextPathHash, lno.dialMeta)
+				d, err := driver.GetDriver(ctx, driver.BuilderName(n.Name), factory, n.Endpoint, dockerapi, imageopt.Auth, kcc, n.BuildkitdFlags, n.Files, n.DriverOpts, n.Platforms, b.opts.contextPathHash, lno.dialMeta)
 				if err != nil {
 					node.Err = err
 					return nil
@@ -199,6 +202,51 @@ func (b *Builder) LoadNodes(ctx context.Context, opts ...LoadNodesOption) (_ []N
 	return b.nodes, nil
 }
 
+func (n *Node) MarshalJSON() ([]byte, error) {
+	var status string
+	if n.DriverInfo != nil {
+		status = n.DriverInfo.Status.String()
+	}
+	var nerr string
+	if n.Err != nil {
+		status = "error"
+		nerr = strings.TrimSpace(n.Err.Error())
+	}
+	var pp []string
+	for _, p := range n.Platforms {
+		pp = append(pp, platforms.Format(p))
+	}
+	return json.Marshal(struct {
+		Name           string
+		Endpoint       string
+		BuildkitdFlags []string           `json:"Flags,omitempty"`
+		DriverOpts     map[string]string  `json:",omitempty"`
+		Files          map[string][]byte  `json:",omitempty"`
+		Status         string             `json:",omitempty"`
+		ProxyConfig    map[string]string  `json:",omitempty"`
+		Version        string             `json:",omitempty"`
+		Err            string             `json:",omitempty"`
+		IDs            []string           `json:",omitempty"`
+		Platforms      []string           `json:",omitempty"`
+		GCPolicy       []client.PruneInfo `json:",omitempty"`
+		Labels         map[string]string  `json:",omitempty"`
+	}{
+		Name:           n.Name,
+		Endpoint:       n.Endpoint,
+		BuildkitdFlags: n.BuildkitdFlags,
+		DriverOpts:     n.DriverOpts,
+		Files:          n.Files,
+		Status:         status,
+		ProxyConfig:    n.ProxyConfig,
+		Version:        n.Version,
+		Err:            nerr,
+		IDs:            n.IDs,
+		Platforms:      pp,
+		GCPolicy:       n.GCPolicy,
+		Labels:         n.Labels,
+	})
+}
+
 func (n *Node) loadData(ctx context.Context) error {
 	if n.Driver == nil {
 		return nil

commands/bake.go

@@ -23,7 +23,6 @@ import (
 	"github.com/docker/buildx/util/tracing"
 	"github.com/docker/cli/cli/command"
 	"github.com/moby/buildkit/identity"
-	"github.com/moby/buildkit/util/appcontext"
 	"github.com/moby/buildkit/util/progress/progressui"
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
@@ -42,9 +41,7 @@ type bakeOptions struct {
 	exportLoad   bool
 }
 
-func runBake(dockerCli command.Cli, targets []string, in bakeOptions, cFlags commonFlags) (err error) {
+func runBake(ctx context.Context, dockerCli command.Cli, targets []string, in bakeOptions, cFlags commonFlags) (err error) {
-	ctx := appcontext.Context()
-
 	ctx, end, err := tracing.TraceCurrentCommand(ctx, "bake")
 	if err != nil {
 		return err
@@ -75,12 +72,10 @@ func runBake(dockerCli command.Cli, targets []string, in bakeOptions, cFlags com
 
 	overrides := in.overrides
 	if in.exportPush {
-		if in.exportLoad {
-			return errors.Errorf("push and load may not be set together at the moment")
-		}
 		overrides = append(overrides, "*.push=true")
-	} else if in.exportLoad {
+	}
-		overrides = append(overrides, "*.output=type=docker")
+	if in.exportLoad {
+		overrides = append(overrides, "*.load=true")
 	}
 	if cFlags.noCache != nil {
 		overrides = append(overrides, fmt.Sprintf("*.no-cache=%t", *cFlags.noCache))
@@ -141,7 +136,7 @@ func runBake(dockerCli command.Cli, targets []string, in bakeOptions, cFlags com
 			if err == nil {
 				err = err1
 			}
-			if err == nil && progressMode != progressui.QuietMode {
+			if err == nil && progressMode != progressui.QuietMode && progressMode != progressui.RawJSONMode {
 				desktop.PrintBuildDetails(os.Stderr, printer.BuildRefs(), term)
 			}
 		}
@@ -207,12 +202,12 @@ func runBake(dockerCli command.Cli, targets []string, in bakeOptions, cFlags com
 		return nil
 	}
 
-	// local state group
 	groupRef := identity.NewID()
 	var refs []string
 	for k, b := range bo {
 		b.Ref = identity.NewID()
 		b.GroupRef = groupRef
+		b.WithProvenanceResponse = len(in.metadataFile) > 0
 		refs = append(refs, b.Ref)
 		bo[k] = b
 	}
@@ -266,7 +261,7 @@ func bakeCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
 			options.builder = rootOpts.builder
 			options.metadataFile = cFlags.metadataFile
 			// Other common flags (noCache, pull and progress) are processed in runBake function.
-			return runBake(dockerCli, args, options, cFlags)
+			return runBake(cmd.Context(), dockerCli, args, options, cFlags)
 		},
 		ValidArgsFunction: completion.BakeTargets(options.files),
 	}
@@ -295,13 +290,17 @@ func saveLocalStateGroup(dockerCli command.Cli, ref string, lsg localstate.State
 }
 
 func readBakeFiles(ctx context.Context, nodes []builder.Node, url string, names []string, stdin io.Reader, pw progress.Writer) (files []bake.File, inp *bake.Input, err error) {
-	var lnames []string
+	var lnames []string // local
-	var rnames []string
+	var rnames []string // remote
+	var anames []string // both
 	for _, v := range names {
 		if strings.HasPrefix(v, "cwd://") {
-			lnames = append(lnames, strings.TrimPrefix(v, "cwd://"))
+			tname := strings.TrimPrefix(v, "cwd://")
+			lnames = append(lnames, tname)
+			anames = append(anames, tname)
 		} else {
 			rnames = append(rnames, v)
+			anames = append(anames, v)
 		}
 	}
 
@@ -320,7 +319,7 @@ func readBakeFiles(ctx context.Context, nodes []builder.Node, url string, names
 			if url != "" {
 				lfiles, err = bake.ReadLocalFiles(lnames, stdin, sub)
 			} else {
-				lfiles, err = bake.ReadLocalFiles(append(lnames, rnames...), stdin, sub)
+				lfiles, err = bake.ReadLocalFiles(anames, stdin, sub)
 			}
 			return nil
 		})

commands/build.go

@@ -3,8 +3,10 @@ package commands
 import (
 	"bytes"
 	"context"
+	"crypto/sha256"
 	"encoding/base64"
 	"encoding/csv"
+	"encoding/hex"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -13,6 +15,8 @@ import (
 	"path/filepath"
 	"strconv"
 	"strings"
+	"sync"
+	"time"
 
 	"github.com/containerd/console"
 	"github.com/docker/buildx/build"
@@ -27,8 +31,12 @@ import (
 	"github.com/docker/buildx/store"
 	"github.com/docker/buildx/store/storeutil"
 	"github.com/docker/buildx/util/buildflags"
+	"github.com/docker/buildx/util/cobrautil"
+	"github.com/docker/buildx/util/confutil"
 	"github.com/docker/buildx/util/desktop"
 	"github.com/docker/buildx/util/ioset"
+	"github.com/docker/buildx/util/metricutil"
+	"github.com/docker/buildx/util/osutil"
 	"github.com/docker/buildx/util/progress"
 	"github.com/docker/buildx/util/tracing"
 	"github.com/docker/cli-docs-tool/annotation"
@@ -40,10 +48,10 @@ import (
 	"github.com/moby/buildkit/client"
 	"github.com/moby/buildkit/exporter/containerimage/exptypes"
 	"github.com/moby/buildkit/frontend/subrequests"
+	"github.com/moby/buildkit/frontend/subrequests/lint"
 	"github.com/moby/buildkit/frontend/subrequests/outline"
 	"github.com/moby/buildkit/frontend/subrequests/targets"
 	"github.com/moby/buildkit/solver/errdefs"
-	"github.com/moby/buildkit/util/appcontext"
 	"github.com/moby/buildkit/util/grpcerrors"
 	"github.com/moby/buildkit/util/progress/progressui"
 	"github.com/morikuni/aec"
@@ -51,6 +59,8 @@ import (
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
+	"go.opentelemetry.io/otel/attribute"
+	"go.opentelemetry.io/otel/metric"
 	"google.golang.org/grpc/codes"
 )
 
@@ -112,26 +122,27 @@ func (o *buildOptions) toControllerOptions() (*controllerapi.BuildOptions, error
 	}
 
 	opts := controllerapi.BuildOptions{
-		Allow:          o.allow,
+		Allow:                  o.allow,
-		Annotations:    o.annotations,
+		Annotations:            o.annotations,
-		BuildArgs:      buildArgs,
+		BuildArgs:              buildArgs,
-		CgroupParent:   o.cgroupParent,
+		CgroupParent:           o.cgroupParent,
-		ContextPath:    o.contextPath,
+		ContextPath:            o.contextPath,
-		DockerfileName: o.dockerfileName,
+		DockerfileName:         o.dockerfileName,
-		ExtraHosts:     o.extraHosts,
+		ExtraHosts:             o.extraHosts,
-		Labels:         labels,
+		Labels:                 labels,
-		NetworkMode:    o.networkMode,
+		NetworkMode:            o.networkMode,
-		NoCacheFilter:  o.noCacheFilter,
+		NoCacheFilter:          o.noCacheFilter,
-		Platforms:      o.platforms,
+		Platforms:              o.platforms,
-		ShmSize:        int64(o.shmSize),
+		ShmSize:                int64(o.shmSize),
-		Tags:           o.tags,
+		Tags:                   o.tags,
-		Target:         o.target,
+		Target:                 o.target,
-		Ulimits:        dockerUlimitToControllerUlimit(o.ulimits),
+		Ulimits:                dockerUlimitToControllerUlimit(o.ulimits),
-		Builder:        o.builder,
+		Builder:                o.builder,
-		NoCache:        o.noCache,
+		NoCache:                o.noCache,
-		Pull:           o.pull,
+		Pull:                   o.pull,
-		ExportPush:     o.exportPush,
+		ExportPush:             o.exportPush,
-		ExportLoad:     o.exportLoad,
+		ExportLoad:             o.exportLoad,
+		WithProvenanceResponse: len(o.metadataFile) > 0,
 	}
 
 	// TODO: extract env var parsing to a method easily usable by library consumers
@@ -210,8 +221,56 @@ func (o *buildOptions) toDisplayMode() (progressui.DisplayMode, error) {
 	return progress, nil
 }
 
-func runBuild(dockerCli command.Cli, options buildOptions) (err error) {
+func buildMetricAttributes(dockerCli command.Cli, b *builder.Builder, options *buildOptions) attribute.Set {
-	ctx := appcontext.Context()
+	return attribute.NewSet(
+		attribute.String("command.name", "build"),
+		attribute.Stringer("command.options.hash", &buildOptionsHash{
+			buildOptions: options,
+			configDir:    confutil.ConfigDir(dockerCli),
+		}),
+		attribute.String("driver.name", options.builder),
+		attribute.String("driver.type", b.Driver),
+	)
+}
+
+// buildOptionsHash computes a hash for the buildOptions when the String method is invoked.
+// This is done so we can delay the computation of the hash until needed by OTEL using
+// the fmt.Stringer interface.
+type buildOptionsHash struct {
+	*buildOptions
+	configDir  string
+	result     string
+	resultOnce sync.Once
+}
+
+func (o *buildOptionsHash) String() string {
+	o.resultOnce.Do(func() {
+		target := o.target
+		contextPath := o.contextPath
+		dockerfile := o.dockerfileName
+		if dockerfile == "" {
+			dockerfile = "Dockerfile"
+		}
+
+		if contextPath != "-" && osutil.IsLocalDir(contextPath) {
+			contextPath = osutil.ToAbs(contextPath)
+		}
+		salt := confutil.TryNodeIdentifier(o.configDir)
+
+		h := sha256.New()
+		for _, s := range []string{target, contextPath, dockerfile, salt} {
+			_, _ = io.WriteString(h, s)
+			h.Write([]byte{0})
+		}
+		o.result = hex.EncodeToString(h.Sum(nil))
+	})
+	return o.result
+}
+
+func runBuild(ctx context.Context, dockerCli command.Cli, options buildOptions) (err error) {
+	mp := dockerCli.MeterProvider(ctx)
+	defer metricutil.Shutdown(ctx, mp)
+
 	ctx, end, err := tracing.TraceCurrentCommand(ctx, "build")
 	if err != nil {
 		return err
@@ -252,6 +311,7 @@ func runBuild(dockerCli command.Cli, options buildOptions) (err error) {
 	if _, err := console.ConsoleFromFile(os.Stderr); err == nil {
 		term = true
 	}
+	attributes := buildMetricAttributes(dockerCli, b, &options)
 
 	ctx2, cancel := context.WithCancel(context.TODO())
 	defer cancel()
@@ -265,6 +325,7 @@ func runBuild(dockerCli command.Cli, options buildOptions) (err error) {
 			fmt.Sprintf("building with %q instance using %s driver", b.Name, b.Driver),
 			fmt.Sprintf("%s:%s", b.Driver, b.Name),
 		),
+		progress.WithMetrics(mp, attributes),
 		progress.WithOnClose(func() {
 			printWarnings(os.Stderr, printer.Warnings(), progressMode)
 		}),
@@ -273,9 +334,10 @@ func runBuild(dockerCli command.Cli, options buildOptions) (err error) {
 		return err
 	}
 
+	done := timeBuildCommand(mp, attributes)
 	var resp *client.SolveResponse
 	var retErr error
-	if isExperimental() {
+	if confutil.IsExperimental() {
 		resp, retErr = runControllerBuild(ctx, dockerCli, opts, options, printer)
 	} else {
 		resp, retErr = runBasicBuild(ctx, dockerCli, opts, options, printer)
@@ -284,14 +346,19 @@ func runBuild(dockerCli command.Cli, options buildOptions) (err error) {
 	if err := printer.Wait(); retErr == nil {
 		retErr = err
 	}
+
+	done(retErr)
 	if retErr != nil {
 		return retErr
 	}
 
-	if progressMode != progressui.QuietMode {
+	switch progressMode {
-		desktop.PrintBuildDetails(os.Stderr, printer.BuildRefs(), term)
+	case progressui.RawJSONMode:
-	} else {
+		// no additional display
+	case progressui.QuietMode:
 		fmt.Println(getImageID(resp.ExporterResponse))
+	default:
+		desktop.PrintBuildDetails(os.Stderr, printer.BuildRefs(), term)
 	}
 	if options.imageIDFile != "" {
 		if err := os.WriteFile(options.imageIDFile, []byte(getImageID(resp.ExporterResponse)), 0644); err != nil {
@@ -353,14 +420,22 @@ func runControllerBuild(ctx context.Context, dockerCli command.Cli, opts *contro
 	var ref string
 	var retErr error
 	var resp *client.SolveResponse
-	f := ioset.NewSingleForwarder()
+
-	f.SetReader(dockerCli.In())
+	var f *ioset.SingleForwarder
-	pr, pw := io.Pipe()
+	var pr io.ReadCloser
-	f.SetWriter(pw, func() io.WriteCloser {
+	var pw io.WriteCloser
-		pw.Close() // propagate EOF
+	if options.invokeConfig == nil {
-		logrus.Debug("propagating stdin close")
+		pr = dockerCli.In()
-		return nil
+	} else {
-	})
+		f = ioset.NewSingleForwarder()
+		f.SetReader(dockerCli.In())
+		pr, pw = io.Pipe()
+		f.SetWriter(pw, func() io.WriteCloser {
+			pw.Close() // propagate EOF
+			logrus.Debug("propagating stdin close")
+			return nil
+		})
+	}
 
 	ref, resp, err = c.Build(ctx, *opts, pr, printer)
 	if err != nil {
@@ -374,11 +449,13 @@ func runControllerBuild(ctx context.Context, dockerCli command.Cli, opts *contro
 		}
 	}
 
-	if err := pw.Close(); err != nil {
+	if options.invokeConfig != nil {
-		logrus.Debug("failed to close stdin pipe writer")
+		if err := pw.Close(); err != nil {
-	}
+			logrus.Debug("failed to close stdin pipe writer")
-	if err := pr.Close(); err != nil {
+		}
-		logrus.Debug("failed to close stdin pipe reader")
+		if err := pr.Close(); err != nil {
+			logrus.Debug("failed to close stdin pipe reader")
+		}
 	}
 
 	if options.invokeConfig != nil && options.invokeConfig.needsDebug(retErr) {
@@ -472,7 +549,7 @@ func buildCmd(dockerCli command.Cli, rootOpts *rootOptions, debugConfig *debug.D
 				options.invokeConfig = iConfig
 			}
 
-			return runBuild(dockerCli, *options)
+			return runBuild(cmd.Context(), dockerCli, *options)
 		},
 		ValidArgsFunction: func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 			return nil, cobra.ShellCompDirectiveFilterDirs
@@ -487,7 +564,7 @@ func buildCmd(dockerCli command.Cli, rootOpts *rootOptions, debugConfig *debug.D
 	flags := cmd.Flags()
 
 	flags.StringSliceVar(&options.extraHosts, "add-host", []string{}, `Add a custom host-to-IP mapping (format: "host:ip")`)
-	flags.SetAnnotation("add-host", annotation.ExternalURL, []string{"https://docs.docker.com/engine/reference/commandline/build/#add-host"})
+	flags.SetAnnotation("add-host", annotation.ExternalURL, []string{"https://docs.docker.com/reference/cli/docker/image/build/#add-host"})
 
 	flags.StringSliceVar(&options.allow, "allow", []string{}, `Allow extra privileged entitlement (e.g., "network.host", "security.insecure")`)
 
@@ -500,14 +577,14 @@ func buildCmd(dockerCli command.Cli, rootOpts *rootOptions, debugConfig *debug.D
 	flags.StringArrayVar(&options.cacheTo, "cache-to", []string{}, `Cache export destinations (e.g., "user/app:cache", "type=local,dest=path/to/dir")`)
 
 	flags.StringVar(&options.cgroupParent, "cgroup-parent", "", `Set the parent cgroup for the "RUN" instructions during build`)
-	flags.SetAnnotation("cgroup-parent", annotation.ExternalURL, []string{"https://docs.docker.com/engine/reference/commandline/build/#cgroup-parent"})
+	flags.SetAnnotation("cgroup-parent", annotation.ExternalURL, []string{"https://docs.docker.com/reference/cli/docker/image/build/#cgroup-parent"})
 
 	flags.StringArrayVar(&options.contexts, "build-context", []string{}, "Additional build contexts (e.g., name=path)")
 
 	flags.StringVarP(&options.dockerfileName, "file", "f", "", `Name of the Dockerfile (default: "PATH/Dockerfile")`)
-	flags.SetAnnotation("file", annotation.ExternalURL, []string{"https://docs.docker.com/engine/reference/commandline/build/#file"})
+	flags.SetAnnotation("file", annotation.ExternalURL, []string{"https://docs.docker.com/reference/cli/docker/image/build/#file"})
 
-	flags.StringVar(&options.imageIDFile, "iidfile", "", "Write the image ID to the file")
+	flags.StringVar(&options.imageIDFile, "iidfile", "", "Write the image ID to a file")
 
 	flags.StringArrayVar(&options.labels, "label", []string{}, "Set metadata for an image")
 
@@ -521,9 +598,9 @@ func buildCmd(dockerCli command.Cli, rootOpts *rootOptions, debugConfig *debug.D
 
 	flags.StringArrayVar(&options.platforms, "platform", platformsDefault, "Set target platform for build")
 
-	if isExperimental() {
+	if confutil.IsExperimental() {
 		flags.StringVar(&options.printFunc, "print", "", "Print result of information request (e.g., outline, targets)")
-		flags.SetAnnotation("print", "experimentalCLI", nil)
+		cobrautil.MarkFlagsExperimental(flags, "print")
 	}
 
 	flags.BoolVar(&options.exportPush, "push", false, `Shorthand for "--output=type=registry"`)
@@ -532,15 +609,15 @@ func buildCmd(dockerCli command.Cli, rootOpts *rootOptions, debugConfig *debug.D
 
 	flags.StringArrayVar(&options.secrets, "secret", []string{}, `Secret to expose to the build (format: "id=mysecret[,src=/local/secret]")`)
 
-	flags.Var(&options.shmSize, "shm-size", `Size of "/dev/shm"`)
+	flags.Var(&options.shmSize, "shm-size", `Shared memory size for build containers`)
 
 	flags.StringArrayVar(&options.ssh, "ssh", []string{}, `SSH agent socket or keys to expose to the build (format: "default|<id>[=<socket>|<key>[,<key>]]")`)
 
 	flags.StringArrayVarP(&options.tags, "tag", "t", []string{}, `Name and optionally a tag (format: "name:tag")`)
-	flags.SetAnnotation("tag", annotation.ExternalURL, []string{"https://docs.docker.com/engine/reference/commandline/build/#tag"})
+	flags.SetAnnotation("tag", annotation.ExternalURL, []string{"https://docs.docker.com/reference/cli/docker/image/build/#tag"})
 
 	flags.StringVar(&options.target, "target", "", "Set the target build stage to build")
-	flags.SetAnnotation("target", annotation.ExternalURL, []string{"https://docs.docker.com/engine/reference/commandline/build/#target"})
+	flags.SetAnnotation("target", annotation.ExternalURL, []string{"https://docs.docker.com/reference/cli/docker/image/build/#target"})
 
 	options.ulimits = dockeropts.NewUlimitOpt(nil)
 	flags.Var(options.ulimits, "ulimit", "Ulimit options")
@@ -549,14 +626,12 @@ func buildCmd(dockerCli command.Cli, rootOpts *rootOptions, debugConfig *debug.D
 	flags.StringVar(&options.sbom, "sbom", "", `Shorthand for "--attest=type=sbom"`)
 	flags.StringVar(&options.provenance, "provenance", "", `Shorthand for "--attest=type=provenance"`)
 
-	if isExperimental() {
+	if confutil.IsExperimental() {
 		// TODO: move this to debug command if needed
 		flags.StringVar(&options.Root, "root", "", "Specify root directory of server to connect")
-		flags.SetAnnotation("root", "experimentalCLI", nil)
 		flags.BoolVar(&options.Detach, "detach", false, "Detach buildx server (supported only on linux)")
-		flags.SetAnnotation("detach", "experimentalCLI", nil)
 		flags.StringVar(&options.ServerConfig, "server-config", "", "Specify buildx server config file (used only when launching new server)")
-		flags.SetAnnotation("server-config", "experimentalCLI", nil)
+		cobrautil.MarkFlagsExperimental(flags, "root", "detach", "server-config")
 	}
 
 	// hidden flags
@@ -579,7 +654,7 @@ func buildCmd(dockerCli command.Cli, rootOpts *rootOptions, debugConfig *debug.D
 	flags.BoolVar(&ignoreBool, "squash", false, "Squash newly built layers into a single new layer")
 	flags.MarkHidden("squash")
 	flags.SetAnnotation("squash", "flag-warn", []string{"experimental flag squash is removed with BuildKit. You should squash inside build using a multi-stage Dockerfile for efficiency."})
-	flags.SetAnnotation("squash", "experimentalCLI", nil)
+	cobrautil.MarkFlagsExperimental(flags, "squash")
 
 	flags.StringVarP(&ignore, "memory", "m", "", "Memory limit")
 	flags.MarkHidden("memory")
@@ -624,7 +699,7 @@ func commonBuildFlags(options *commonFlags, flags *pflag.FlagSet) {
 	options.noCache = flags.Bool("no-cache", false, "Do not use cache when building the image")
 	flags.StringVar(&options.progress, "progress", "auto", `Set type of progress output ("auto", "plain", "tty"). Use plain to show container output`)
 	options.pull = flags.Bool("pull", false, "Always attempt to pull all referenced images")
-	flags.StringVar(&options.metadataFile, "metadata-file", "", "Write build result metadata to the file")
+	flags.StringVar(&options.metadataFile, "metadata-file", "", "Write build result metadata to a file")
 }
 
 func checkWarnedFlags(f *pflag.Flag) {
@@ -696,14 +771,6 @@ func (w *wrapped) Unwrap() error {
 	return w.err
 }
 
-func isExperimental() bool {
-	if v, ok := os.LookupEnv("BUILDX_EXPERIMENTAL"); ok {
-		vv, _ := strconv.ParseBool(v)
-		return vv
-	}
-	return false
-}
-
 func updateLastActivity(dockerCli command.Cli, ng *store.NodeGroup) error {
 	txn, release, err := storeutil.GetStore(dockerCli)
 	if err != nil {
@@ -749,7 +816,7 @@ func dockerUlimitToControllerUlimit(u *dockeropts.UlimitOpt) *controllerapi.Ulim
 }
 
 func printWarnings(w io.Writer, warnings []client.VertexWarning, mode progressui.DisplayMode) {
-	if len(warnings) == 0 || mode == progressui.QuietMode {
+	if len(warnings) == 0 || mode == progressui.QuietMode || mode == progressui.RawJSONMode {
 		return
 	}
 	fmt.Fprintf(w, "\n ")
@@ -796,13 +863,22 @@ func printResult(f *controllerapi.PrintFunc, res map[string]string) error {
 		return printValue(targets.PrintTargets, targets.SubrequestsTargetsDefinition.Version, f.Format, res)
 	case "subrequests.describe":
 		return printValue(subrequests.PrintDescribe, subrequests.SubrequestsDescribeDefinition.Version, f.Format, res)
+	case "lint":
+		return printValue(lint.PrintLintViolations, lint.SubrequestLintDefinition.Version, f.Format, res)
 	default:
-		if dt, ok := res["result.txt"]; ok {
+		if dt, ok := res["result.json"]; ok && f.Format == "json" {
+			fmt.Println(dt)
+		} else if dt, ok := res["result.txt"]; ok {
 			fmt.Print(dt)
 		} else {
 			log.Printf("%s %+v", f, res)
 		}
 	}
+	if v, ok := res["result.statuscode"]; !f.IgnoreStatus && ok {
+		if n, err := strconv.Atoi(v); err == nil && n != 0 {
+			os.Exit(n)
+		}
+	}
 	return nil
 }
 
@@ -926,3 +1002,38 @@ func maybeJSONArray(v string) []string {
 	}
 	return []string{v}
 }
+
+// timeBuildCommand will start a timer for timing the build command. It records the time when the returned
+// function is invoked into a metric.
+func timeBuildCommand(mp metric.MeterProvider, attrs attribute.Set) func(err error) {
+	meter := metricutil.Meter(mp)
+	counter, _ := meter.Float64Counter("command.time",
+		metric.WithDescription("Measures the duration of the build command."),
+		metric.WithUnit("ms"),
+	)
+
+	start := time.Now()
+	return func(err error) {
+		dur := float64(time.Since(start)) / float64(time.Millisecond)
+		extraAttrs := attribute.NewSet()
+		if err != nil {
+			extraAttrs = attribute.NewSet(
+				attribute.String("error.type", otelErrorType(err)),
+			)
+		}
+		counter.Add(context.Background(), dur,
+			metric.WithAttributeSet(attrs),
+			metric.WithAttributeSet(extraAttrs),
+		)
+	}
+}
+
+// otelErrorType returns an attribute for the error type based on the error category.
+// If nil, this function returns an invalid attribute.
+func otelErrorType(err error) string {
+	name := "generic"
+	if errors.Is(err, context.Canceled) {
+		name = "canceled"
+	}
+	return name
+}

commands/create.go

@@ -3,71 +3,34 @@ package commands
 import (
 	"bytes"
 	"context"
-	"encoding/csv"
 	"fmt"
-	"net/url"
-	"os"
-	"strings"
-	"time"
 
 	"github.com/docker/buildx/builder"
 	"github.com/docker/buildx/driver"
-	k8sutil "github.com/docker/buildx/driver/kubernetes/util"
-	remoteutil "github.com/docker/buildx/driver/remote/util"
-	"github.com/docker/buildx/localstate"
-	"github.com/docker/buildx/store"
 	"github.com/docker/buildx/store/storeutil"
 	"github.com/docker/buildx/util/cobrautil"
 	"github.com/docker/buildx/util/cobrautil/completion"
-	"github.com/docker/buildx/util/confutil"
-	"github.com/docker/buildx/util/dockerutil"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
-	dopts "github.com/docker/cli/opts"
-	"github.com/google/shlex"
-	"github.com/moby/buildkit/util/appcontext"
-	"github.com/pkg/errors"
-	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 )
 
 type createOptions struct {
-	name         string
+	name                string
-	driver       string
+	driver              string
-	nodeName     string
+	nodeName            string
-	platform     []string
+	platform            []string
-	actionAppend bool
+	actionAppend        bool
-	actionLeave  bool
+	actionLeave         bool
-	use          bool
+	use                 bool
-	flags        string
+	driverOpts          []string
-	configFile   string
+	buildkitdFlags      string
-	driverOpts   []string
+	buildkitdConfigFile string
-	bootstrap    bool
+	bootstrap           bool
 	// upgrade      bool // perform upgrade of the driver
 }
 
-func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
+func runCreate(ctx context.Context, dockerCli command.Cli, in createOptions, args []string) error {
-	ctx := appcontext.Context()
-
-	if in.name == "default" {
-		return errors.Errorf("default is a reserved name and cannot be used to identify builder instance")
-	}
-
-	if in.actionLeave {
-		if in.name == "" {
-			return errors.Errorf("leave requires instance name")
-		}
-		if in.nodeName == "" {
-			return errors.Errorf("leave requires node name but --node not set")
-		}
-	}
-
-	if in.actionAppend {
-		if in.name == "" {
-			logrus.Warnf("append used without name, creating a new instance instead")
-		}
-	}
-
 	txn, release, err := storeutil.GetStore(dockerCli)
 	if err != nil {
 		return err
@@ -75,232 +38,34 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 	// Ensure the file lock gets released no matter what happens.
 	defer release()
 
-	name := in.name
+	if in.actionLeave {
-	if name == "" {
+		return builder.Leave(ctx, txn, dockerCli, builder.LeaveOpts{
-		name, err = store.GenerateName(txn)
+			Name:     in.name,
-		if err != nil {
+			NodeName: in.nodeName,
-			return err
+		})
-		}
-	}
-
-	if !in.actionLeave && !in.actionAppend {
-		contexts, err := dockerCli.ContextStore().List()
-		if err != nil {
-			return err
-		}
-		for _, c := range contexts {
-			if c.Name == name {
-				logrus.Warnf("instance name %q already exists as context builder", name)
-				break
-			}
-		}
-	}
-
-	ng, err := txn.NodeGroupByName(name)
-	if err != nil {
-		if os.IsNotExist(errors.Cause(err)) {
-			if in.actionAppend && in.name != "" {
-				logrus.Warnf("failed to find %q for append, creating a new instance instead", in.name)
-			}
-			if in.actionLeave {
-				return errors.Errorf("failed to find instance %q for leave", in.name)
-			}
-		} else {
-			return err
-		}
-	}
-
-	buildkitHost := os.Getenv("BUILDKIT_HOST")
-
-	driverName := in.driver
-	if driverName == "" {
-		if ng != nil {
-			driverName = ng.Driver
-		} else if len(args) == 0 && buildkitHost != "" {
-			driverName = "remote"
-		} else {
-			var arg string
-			if len(args) > 0 {
-				arg = args[0]
-			}
-			f, err := driver.GetDefaultFactory(ctx, arg, dockerCli.Client(), true, nil)
-			if err != nil {
-				return err
-			}
-			if f == nil {
-				return errors.Errorf("no valid drivers found")
-			}
-			driverName = f.Name()
-		}
-	}
-
-	if ng != nil {
-		if in.nodeName == "" && !in.actionAppend {
-			return errors.Errorf("existing instance for %q but no append mode, specify --node to make changes for existing instances", name)
-		}
-		if driverName != ng.Driver {
-			return errors.Errorf("existing instance for %q but has mismatched driver %q", name, ng.Driver)
-		}
-	}
-
-	if _, err := driver.GetFactory(driverName, true); err != nil {
-		return err
-	}
-
-	ngOriginal := ng
-	if ngOriginal != nil {
-		ngOriginal = ngOriginal.Copy()
-	}
-
-	if ng == nil {
-		ng = &store.NodeGroup{
-			Name:   name,
-			Driver: driverName,
-		}
-	}
-
-	var flags []string
-	if in.flags != "" {
-		flags, err = shlex.Split(in.flags)
-		if err != nil {
-			return errors.Wrap(err, "failed to parse buildkit flags")
-		}
 	}
 
 	var ep string
-	var setEp bool
+	if len(args) > 0 {
-	if in.actionLeave {
+		ep = args[0]
-		if err := ng.Leave(in.nodeName); err != nil {
-			return err
-		}
-		ls, err := localstate.New(confutil.ConfigDir(dockerCli))
-		if err != nil {
-			return err
-		}
-		if err := ls.RemoveBuilderNode(ng.Name, in.nodeName); err != nil {
-			return err
-		}
-	} else {
-		switch {
-		case driverName == "kubernetes":
-			if len(args) > 0 {
-				logrus.Warnf("kubernetes driver does not support endpoint args %q", args[0])
-			}
-			// generate node name if not provided to avoid duplicated endpoint
-			// error: https://github.com/docker/setup-buildx-action/issues/215
-			nodeName := in.nodeName
-			if nodeName == "" {
-				nodeName, err = k8sutil.GenerateNodeName(name, txn)
-				if err != nil {
-					return err
-				}
-			}
-			// naming endpoint to make --append works
-			ep = (&url.URL{
-				Scheme: driverName,
-				Path:   "/" + name,
-				RawQuery: (&url.Values{
-					"deployment": {nodeName},
-					"kubeconfig": {os.Getenv("KUBECONFIG")},
-				}).Encode(),
-			}).String()
-			setEp = false
-		case driverName == "remote":
-			if len(args) > 0 {
-				ep = args[0]
-			} else if buildkitHost != "" {
-				ep = buildkitHost
-			} else {
-				return errors.Errorf("no remote endpoint provided")
-			}
-			ep, err = validateBuildkitEndpoint(ep)
-			if err != nil {
-				return err
-			}
-			setEp = true
-		case len(args) > 0:
-			ep, err = validateEndpoint(dockerCli, args[0])
-			if err != nil {
-				return err
-			}
-			setEp = true
-		default:
-			if dockerCli.CurrentContext() == "default" && dockerCli.DockerEndpoint().TLSData != nil {
-				return errors.Errorf("could not create a builder instance with TLS data loaded from environment. Please use `docker context create <context-name>` to create a context for current environment and then create a builder instance with `docker buildx create <context-name>`")
-			}
-			ep, err = dockerutil.GetCurrentEndpoint(dockerCli)
-			if err != nil {
-				return err
-			}
-			setEp = false
-		}
-
-		m, err := csvToMap(in.driverOpts)
-		if err != nil {
-			return err
-		}
-
-		if in.configFile == "" {
-			// if buildkit config is not provided, check if the default one is
-			// available and use it
-			if f, ok := confutil.DefaultConfigFile(dockerCli); ok {
-				logrus.Warnf("Using default BuildKit config in %s", f)
-				in.configFile = f
-			}
-		}
-
-		if err := ng.Update(in.nodeName, ep, in.platform, setEp, in.actionAppend, flags, in.configFile, m); err != nil {
-			return err
-		}
 	}
 
-	if err := txn.Save(ng); err != nil {
+	b, err := builder.Create(ctx, txn, dockerCli, builder.CreateOpts{
-		return err
+		Name:                in.name,
-	}
+		Driver:              in.driver,
-
+		NodeName:            in.nodeName,
-	b, err := builder.New(dockerCli,
+		Platforms:           in.platform,
-		builder.WithName(ng.Name),
+		DriverOpts:          in.driverOpts,
-		builder.WithStore(txn),
+		BuildkitdFlags:      in.buildkitdFlags,
-		builder.WithSkippedValidation(),
+		BuildkitdConfigFile: in.buildkitdConfigFile,
-	)
+		Use:                 in.use,
+		Endpoint:            ep,
+		Append:              in.actionAppend,
+	})
 	if err != nil {
 		return err
 	}
 
-	timeoutCtx, cancel := context.WithTimeout(ctx, 20*time.Second)
-	defer cancel()
-
-	nodes, err := b.LoadNodes(timeoutCtx, builder.WithData())
-	if err != nil {
-		return err
-	}
-
-	for _, node := range nodes {
-		if err := node.Err; err != nil {
-			err := errors.Errorf("failed to initialize builder %s (%s): %s", ng.Name, node.Name, err)
-			var err2 error
-			if ngOriginal == nil {
-				err2 = txn.Remove(ng.Name)
-			} else {
-				err2 = txn.Save(ngOriginal)
-			}
-			if err2 != nil {
-				logrus.Warnf("Could not rollback to previous state: %s", err2)
-			}
-			return err
-		}
-	}
-
-	if in.use && ep != "" {
-		current, err := dockerutil.GetCurrentEndpoint(dockerCli)
-		if err != nil {
-			return err
-		}
-		if err := txn.SetCurrent(current, ng.Name, false, false); err != nil {
-			return err
-		}
-	}
-
 	// The store is no longer used from this point.
 	// Release it so we aren't holding the file lock during the boot.
 	release()
@@ -311,7 +76,7 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 		}
 	}
 
-	fmt.Printf("%s\n", ng.Name)
+	fmt.Printf("%s\n", b.Name)
 	return nil
 }
 
@@ -331,7 +96,7 @@ func createCmd(dockerCli command.Cli) *cobra.Command {
 		Short: "Create a new builder instance",
 		Args:  cli.RequiresMaxArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			return runCreate(dockerCli, options, args)
+			return runCreate(cmd.Context(), dockerCli, options, args)
 		},
 		ValidArgsFunction: completion.Disable,
 	}
@@ -341,12 +106,16 @@ func createCmd(dockerCli command.Cli) *cobra.Command {
 	flags.StringVar(&options.name, "name", "", "Builder instance name")
 	flags.StringVar(&options.driver, "driver", "", fmt.Sprintf("Driver to use (available: %s)", drivers.String()))
 	flags.StringVar(&options.nodeName, "node", "", "Create/modify node with given name")
-	flags.StringVar(&options.flags, "buildkitd-flags", "", "Flags for buildkitd daemon")
-	flags.StringVar(&options.configFile, "config", "", "BuildKit config file")
 	flags.StringArrayVar(&options.platform, "platform", []string{}, "Fixed platforms for current node")
 	flags.StringArrayVar(&options.driverOpts, "driver-opt", []string{}, "Options for the driver")
-	flags.BoolVar(&options.bootstrap, "bootstrap", false, "Boot builder after creation")
+	flags.StringVar(&options.buildkitdFlags, "buildkitd-flags", "", "BuildKit daemon flags")
 
+	// we allow for both "--config" and "--buildkitd-config", although the latter is the recommended way to avoid ambiguity.
+	flags.StringVar(&options.buildkitdConfigFile, "buildkitd-config", "", "BuildKit daemon config file")
+	flags.StringVar(&options.buildkitdConfigFile, "config", "", "BuildKit daemon config file")
+	flags.MarkHidden("config")
+
+	flags.BoolVar(&options.bootstrap, "bootstrap", false, "Boot builder after creation")
 	flags.BoolVar(&options.actionAppend, "append", false, "Append a node to builder instead of changing it")
 	flags.BoolVar(&options.actionLeave, "leave", false, "Remove a node from builder instead of changing it")
 	flags.BoolVar(&options.use, "use", false, "Set the current builder instance")
@@ -356,49 +125,3 @@ func createCmd(dockerCli command.Cli) *cobra.Command {
 
 	return cmd
 }
-
-func csvToMap(in []string) (map[string]string, error) {
-	if len(in) == 0 {
-		return nil, nil
-	}
-	m := make(map[string]string, len(in))
-	for _, s := range in {
-		csvReader := csv.NewReader(strings.NewReader(s))
-		fields, err := csvReader.Read()
-		if err != nil {
-			return nil, err
-		}
-		for _, v := range fields {
-			p := strings.SplitN(v, "=", 2)
-			if len(p) != 2 {
-				return nil, errors.Errorf("invalid value %q, expecting k=v", v)
-			}
-			m[p[0]] = p[1]
-		}
-	}
-	return m, nil
-}
-
-// validateEndpoint validates that endpoint is either a context or a docker host
-func validateEndpoint(dockerCli command.Cli, ep string) (string, error) {
-	dem, err := dockerutil.GetDockerEndpoint(dockerCli, ep)
-	if err == nil && dem != nil {
-		if ep == "default" {
-			return dem.Host, nil
-		}
-		return ep, nil
-	}
-	h, err := dopts.ParseHost(true, ep)
-	if err != nil {
-		return "", errors.Wrapf(err, "failed to parse endpoint %s", ep)
-	}
-	return h, nil
-}
-
-// validateBuildkitEndpoint validates that endpoint is a valid buildkit host
-func validateBuildkitEndpoint(ep string) (string, error) {
-	if err := remoteutil.IsValidEndpoint(ep); err != nil {
-		return "", err
-	}
-	return ep, nil
-}

commands/create_test.go

@@ -1,26 +0,0 @@
-package commands
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/require"
-)
-
-func TestCsvToMap(t *testing.T) {
-	d := []string{
-		"\"tolerations=key=foo,value=bar;key=foo2,value=bar2\",replicas=1",
-		"namespace=default",
-	}
-	r, err := csvToMap(d)
-
-	require.NoError(t, err)
-
-	require.Contains(t, r, "tolerations")
-	require.Equal(t, r["tolerations"], "key=foo,value=bar;key=foo2,value=bar2")
-
-	require.Contains(t, r, "replicas")
-	require.Equal(t, r["replicas"], "1")
-
-	require.Contains(t, r, "namespace")
-	require.Equal(t, r["namespace"], "default")
-}

commands/debug/root.go

@@ -10,6 +10,7 @@ import (
 	"github.com/docker/buildx/controller/control"
 	controllerapi "github.com/docker/buildx/controller/pb"
 	"github.com/docker/buildx/monitor"
+	"github.com/docker/buildx/util/cobrautil"
 	"github.com/docker/buildx/util/progress"
 	"github.com/docker/cli/cli/command"
 	"github.com/moby/buildkit/util/progress/progressui"
@@ -42,9 +43,6 @@ func RootCmd(dockerCli command.Cli, children ...DebuggableCmd) *cobra.Command {
 		Use:   "debug",
 		Short: "Start debugger",
 		Args:  cobra.NoArgs,
-		Annotations: map[string]string{
-			"experimentalCLI": "",
-		},
 		RunE: func(cmd *cobra.Command, args []string) error {
 			printer, err := progress.NewPrinter(context.TODO(), os.Stderr, progressui.DisplayMode(progressMode))
 			if err != nil {
@@ -73,21 +71,19 @@ func RootCmd(dockerCli command.Cli, children ...DebuggableCmd) *cobra.Command {
 			return err
 		},
 	}
+	cobrautil.MarkCommandExperimental(cmd)
 
 	flags := cmd.Flags()
 	flags.StringVar(&options.InvokeFlag, "invoke", "", "Launch a monitor with executing specified command")
-	flags.SetAnnotation("invoke", "experimentalCLI", nil)
 	flags.StringVar(&options.OnFlag, "on", "error", "When to launch the monitor ([always, error])")
-	flags.SetAnnotation("on", "experimentalCLI", nil)
 
 	flags.StringVar(&controlOptions.Root, "root", "", "Specify root directory of server to connect for the monitor")
-	flags.SetAnnotation("root", "experimentalCLI", nil)
 	flags.BoolVar(&controlOptions.Detach, "detach", runtime.GOOS == "linux", "Detach buildx server for the monitor (supported only on linux)")
-	flags.SetAnnotation("detach", "experimentalCLI", nil)
 	flags.StringVar(&controlOptions.ServerConfig, "server-config", "", "Specify buildx server config file for the monitor (used only when launching new server)")
-	flags.SetAnnotation("server-config", "experimentalCLI", nil)
 	flags.StringVar(&progressMode, "progress", "auto", `Set type of progress output ("auto", "plain", "tty") for the monitor. Use plain to show container output`)
 
+	cobrautil.MarkFlagsExperimental(flags, "invoke", "on", "root", "detach", "server-config")
+
 	for _, c := range children {
 		cmd.AddCommand(c.NewDebugger(&options))
 	}

commands/dial_stdio.go

@@ -0,0 +1,132 @@
+package commands
+
+import (
+	"io"
+	"net"
+	"os"
+
+	"github.com/containerd/containerd/platforms"
+	"github.com/docker/buildx/build"
+	"github.com/docker/buildx/builder"
+	"github.com/docker/buildx/util/progress"
+	"github.com/docker/cli/cli/command"
+	"github.com/moby/buildkit/util/appcontext"
+	"github.com/moby/buildkit/util/progress/progressui"
+	v1 "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+	"golang.org/x/sync/errgroup"
+)
+
+type stdioOptions struct {
+	builder  string
+	platform string
+	progress string
+}
+
+func runDialStdio(dockerCli command.Cli, opts stdioOptions) error {
+	ctx := appcontext.Context()
+
+	contextPathHash, _ := os.Getwd()
+	b, err := builder.New(dockerCli,
+		builder.WithName(opts.builder),
+		builder.WithContextPathHash(contextPathHash),
+	)
+	if err != nil {
+		return err
+	}
+
+	if err = updateLastActivity(dockerCli, b.NodeGroup); err != nil {
+		return errors.Wrapf(err, "failed to update builder last activity time")
+	}
+	nodes, err := b.LoadNodes(ctx)
+	if err != nil {
+		return err
+	}
+
+	printer, err := progress.NewPrinter(ctx, os.Stderr, progressui.DisplayMode(opts.progress), progress.WithPhase("dial-stdio"), progress.WithDesc("builder: "+b.Name, "builder:"+b.Name))
+	if err != nil {
+		return err
+	}
+
+	var p *v1.Platform
+	if opts.platform != "" {
+		pp, err := platforms.Parse(opts.platform)
+		if err != nil {
+			return errors.Wrapf(err, "invalid platform %q", opts.platform)
+		}
+		p = &pp
+	}
+
+	defer printer.Wait()
+
+	return progress.Wrap("Proxying to builder", printer.Write, func(sub progress.SubLogger) error {
+		var conn net.Conn
+
+		err := sub.Wrap("Dialing builder", func() error {
+			conn, err = build.Dial(ctx, nodes, printer, p)
+			if err != nil {
+				return err
+			}
+			return nil
+		})
+		if err != nil {
+			return err
+		}
+
+		defer conn.Close()
+
+		go func() {
+			<-ctx.Done()
+			closeWrite(conn)
+		}()
+
+		var eg errgroup.Group
+
+		eg.Go(func() error {
+			_, err := io.Copy(conn, os.Stdin)
+			closeWrite(conn)
+			return err
+		})
+		eg.Go(func() error {
+			_, err := io.Copy(os.Stdout, conn)
+			closeRead(conn)
+			return err
+		})
+		return eg.Wait()
+	})
+}
+
+func closeRead(conn net.Conn) error {
+	if c, ok := conn.(interface{ CloseRead() error }); ok {
+		return c.CloseRead()
+	}
+	return conn.Close()
+}
+
+func closeWrite(conn net.Conn) error {
+	if c, ok := conn.(interface{ CloseWrite() error }); ok {
+		return c.CloseWrite()
+	}
+	return conn.Close()
+}
+
+func dialStdioCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
+	opts := stdioOptions{}
+
+	cmd := &cobra.Command{
+		Use:   "dial-stdio",
+		Short: "Proxy current stdio streams to builder instance",
+		Args:  cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.builder = rootOpts.builder
+			return runDialStdio(dockerCli, opts)
+		},
+	}
+
+	flags := cmd.Flags()
+	cmd.Flags()
+	flags.StringVar(&opts.platform, "platform", os.Getenv("DOCKER_DEFAULT_PLATFORM"), "Target platform: this is used for node selection")
+	flags.StringVar(&opts.progress, "progress", "quiet", "Set type of progress output (auto, plain, tty).")
+	return cmd
+}

commands/diskusage.go

@@ -1,6 +1,7 @@
 package commands
 
 import (
+	"context"
 	"fmt"
 	"io"
 	"os"
@@ -15,7 +16,6 @@ import (
 	"github.com/docker/cli/opts"
 	"github.com/docker/go-units"
 	"github.com/moby/buildkit/client"
-	"github.com/moby/buildkit/util/appcontext"
 	"github.com/spf13/cobra"
 	"golang.org/x/sync/errgroup"
 )
@@ -26,9 +26,7 @@ type duOptions struct {
 	verbose bool
 }
 
-func runDiskUsage(dockerCli command.Cli, opts duOptions) error {
+func runDiskUsage(ctx context.Context, dockerCli command.Cli, opts duOptions) error {
-	ctx := appcontext.Context()
-
 	pi, err := toBuildkitPruneInfo(opts.filter.Value())
 	if err != nil {
 		return err
@@ -114,7 +112,7 @@ func duCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
 		Args:  cli.NoArgs,
 		RunE: func(cmd *cobra.Command, args []string) error {
 			options.builder = rootOpts.builder
-			return runDiskUsage(dockerCli, options)
+			return runDiskUsage(cmd.Context(), dockerCli, options)
 		},
 		ValidArgsFunction: completion.Disable,
 	}

commands/imagetools/create.go

@@ -13,7 +13,6 @@ import (
 	"github.com/docker/buildx/util/imagetools"
 	"github.com/docker/buildx/util/progress"
 	"github.com/docker/cli/cli/command"
-	"github.com/moby/buildkit/util/appcontext"
 	"github.com/moby/buildkit/util/progress/progressui"
 	"github.com/opencontainers/go-digest"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
@@ -32,7 +31,7 @@ type createOptions struct {
 	progress     string
 }
 
-func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
+func runCreate(ctx context.Context, dockerCli command.Cli, in createOptions, args []string) error {
 	if len(args) == 0 && len(in.files) == 0 {
 		return errors.Errorf("no sources specified")
 	}
@@ -113,8 +112,6 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 		}
 	}
 
-	ctx := appcontext.Context()
-
 	b, err := builder.New(dockerCli, builder.WithName(in.builder))
 	if err != nil {
 		return err
@@ -274,7 +271,7 @@ func createCmd(dockerCli command.Cli, opts RootOptions) *cobra.Command {
 		Short: "Create a new image based on source images",
 		RunE: func(cmd *cobra.Command, args []string) error {
 			options.builder = *opts.Builder
-			return runCreate(dockerCli, options, args)
+			return runCreate(cmd.Context(), dockerCli, options, args)
 		},
 		ValidArgsFunction: completion.Disable,
 	}

commands/imagetools/inspect.go

@@ -1,13 +1,14 @@
 package commands
 
 import (
+	"context"
+
 	"github.com/docker/buildx/builder"
 	"github.com/docker/buildx/util/cobrautil/completion"
 	"github.com/docker/buildx/util/imagetools"
 	"github.com/docker/cli-docs-tool/annotation"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
-	"github.com/moby/buildkit/util/appcontext"
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 )
@@ -18,9 +19,7 @@ type inspectOptions struct {
 	raw     bool
 }
 
-func runInspect(dockerCli command.Cli, in inspectOptions, name string) error {
+func runInspect(ctx context.Context, dockerCli command.Cli, in inspectOptions, name string) error {
-	ctx := appcontext.Context()
-
 	if in.format != "" && in.raw {
 		return errors.Errorf("format and raw cannot be used together")
 	}
@@ -51,7 +50,7 @@ func inspectCmd(dockerCli command.Cli, rootOpts RootOptions) *cobra.Command {
 		Args:  cli.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			options.builder = *rootOpts.Builder
-			return runInspect(dockerCli, options, args[0])
+			return runInspect(cmd.Context(), dockerCli, options, args[0])
 		},
 		ValidArgsFunction: completion.Disable,
 	}

commands/inspect.go

@@ -17,7 +17,6 @@ import (
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/debug"
 	"github.com/docker/go-units"
-	"github.com/moby/buildkit/util/appcontext"
 	"github.com/spf13/cobra"
 )
 
@@ -26,9 +25,7 @@ type inspectOptions struct {
 	builder   string
 }
 
-func runInspect(dockerCli command.Cli, in inspectOptions) error {
+func runInspect(ctx context.Context, dockerCli command.Cli, in inspectOptions) error {
-	ctx := appcontext.Context()
-
 	b, err := builder.New(dockerCli,
 		builder.WithName(in.builder),
 		builder.WithSkippedValidation(),
@@ -87,11 +84,11 @@ func runInspect(dockerCli command.Cli, in inspectOptions) error {
 				fmt.Fprintf(w, "Error:\t%s\n", err.Error())
 			} else {
 				fmt.Fprintf(w, "Status:\t%s\n", nodes[i].DriverInfo.Status)
-				if len(n.Flags) > 0 {
+				if len(n.BuildkitdFlags) > 0 {
-					fmt.Fprintf(w, "Flags:\t%s\n", strings.Join(n.Flags, " "))
+					fmt.Fprintf(w, "BuildKit daemon flags:\t%s\n", strings.Join(n.BuildkitdFlags, " "))
 				}
 				if nodes[i].Version != "" {
-					fmt.Fprintf(w, "Buildkit:\t%s\n", nodes[i].Version)
+					fmt.Fprintf(w, "BuildKit version:\t%s\n", nodes[i].Version)
 				}
 				platforms := platformutil.FormatInGroups(n.Node.Platforms, n.Platforms)
 				if len(platforms) > 0 {
@@ -150,7 +147,7 @@ func inspectCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
 			if len(args) > 0 {
 				options.builder = args[0]
 			}
-			return runInspect(dockerCli, options)
+			return runInspect(cmd.Context(), dockerCli, options)
 		},
 		ValidArgsFunction: completion.BuilderNames(dockerCli),
 	}

commands/ls.go

@@ -2,30 +2,43 @@ package commands
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
-	"io"
+	"sort"
 	"strings"
-	"text/tabwriter"
 	"time"
 
 	"github.com/docker/buildx/builder"
+	"github.com/docker/buildx/store"
 	"github.com/docker/buildx/store/storeutil"
 	"github.com/docker/buildx/util/cobrautil"
 	"github.com/docker/buildx/util/cobrautil/completion"
 	"github.com/docker/buildx/util/platformutil"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
-	"github.com/moby/buildkit/util/appcontext"
+	"github.com/docker/cli/cli/command/formatter"
 	"github.com/spf13/cobra"
 	"golang.org/x/sync/errgroup"
 )
 
+const (
+	lsNameNodeHeader       = "NAME/NODE"
+	lsDriverEndpointHeader = "DRIVER/ENDPOINT"
+	lsStatusHeader         = "STATUS"
+	lsLastActivityHeader   = "LAST ACTIVITY"
+	lsBuildkitHeader       = "BUILDKIT"
+	lsPlatformsHeader      = "PLATFORMS"
+
+	lsIndent = ` \_ `
+
+	lsDefaultTableFormat = "table {{.Name}}\t{{.DriverEndpoint}}\t{{.Status}}\t{{.Buildkit}}\t{{.Platforms}}"
+)
+
 type lsOptions struct {
+	format string
 }
 
-func runLs(dockerCli command.Cli, in lsOptions) error {
+func runLs(ctx context.Context, dockerCli command.Cli, in lsOptions) error {
-	ctx := appcontext.Context()
-
 	txn, release, err := storeutil.GetStore(dockerCli)
 	if err != nil {
 		return err
@@ -59,22 +72,9 @@ func runLs(dockerCli command.Cli, in lsOptions) error {
 		return err
 	}
 
-	w := tabwriter.NewWriter(dockerCli.Out(), 0, 0, 1, ' ', 0)
+	if hasErrors, err := lsPrint(dockerCli, current, builders, in.format); err != nil {
-	fmt.Fprintf(w, "NAME/NODE\tDRIVER/ENDPOINT\tSTATUS\tBUILDKIT\tPLATFORMS\n")
+		return err
-
+	} else if hasErrors {
-	printErr := false
-	for _, b := range builders {
-		if current.Name == b.Name {
-			b.Name += " *"
-		}
-		if ok := printBuilder(w, b); !ok {
-			printErr = true
-		}
-	}
-
-	w.Flush()
-
-	if printErr {
 		_, _ = fmt.Fprintf(dockerCli.Err(), "\n")
 		for _, b := range builders {
 			if b.Err() != nil {
@@ -92,31 +92,6 @@ func runLs(dockerCli command.Cli, in lsOptions) error {
 	return nil
 }
 
-func printBuilder(w io.Writer, b *builder.Builder) (ok bool) {
-	ok = true
-	var err string
-	if b.Err() != nil {
-		ok = false
-		err = "error"
-	}
-	fmt.Fprintf(w, "%s\t%s\t%s\t\t\n", b.Name, b.Driver, err)
-	if b.Err() == nil {
-		for _, n := range b.Nodes() {
-			var status string
-			if n.DriverInfo != nil {
-				status = n.DriverInfo.Status.String()
-			}
-			if n.Err != nil {
-				ok = false
-				fmt.Fprintf(w, "  %s\t%s\t%s\t\t\n", n.Name, n.Endpoint, "error")
-			} else {
-				fmt.Fprintf(w, "  %s\t%s\t%s\t%s\t%s\n", n.Name, n.Endpoint, status, n.Version, strings.Join(platformutil.FormatInGroups(n.Node.Platforms, n.Platforms), ", "))
-			}
-		}
-	}
-	return
-}
-
 func lsCmd(dockerCli command.Cli) *cobra.Command {
 	var options lsOptions
 
@@ -125,13 +100,175 @@ func lsCmd(dockerCli command.Cli) *cobra.Command {
 		Short: "List builder instances",
 		Args:  cli.ExactArgs(0),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			return runLs(dockerCli, options)
+			return runLs(cmd.Context(), dockerCli, options)
 		},
 		ValidArgsFunction: completion.Disable,
 	}
 
+	flags := cmd.Flags()
+	flags.StringVar(&options.format, "format", formatter.TableFormatKey, "Format the output")
+
 	// hide builder persistent flag for this command
 	cobrautil.HideInheritedFlags(cmd, "builder")
 
 	return cmd
 }
+
+func lsPrint(dockerCli command.Cli, current *store.NodeGroup, builders []*builder.Builder, format string) (hasErrors bool, _ error) {
+	if format == formatter.TableFormatKey {
+		format = lsDefaultTableFormat
+	}
+
+	ctx := formatter.Context{
+		Output: dockerCli.Out(),
+		Format: formatter.Format(format),
+	}
+
+	sort.SliceStable(builders, func(i, j int) bool {
+		ierr := builders[i].Err() != nil
+		jerr := builders[j].Err() != nil
+		if ierr && !jerr {
+			return false
+		} else if !ierr && jerr {
+			return true
+		}
+		return i < j
+	})
+
+	render := func(format func(subContext formatter.SubContext) error) error {
+		for _, b := range builders {
+			if err := format(&lsContext{
+				Builder: &lsBuilder{
+					Builder: b,
+					Current: b.Name == current.Name,
+				},
+				format: ctx.Format,
+			}); err != nil {
+				return err
+			}
+			if b.Err() != nil {
+				if ctx.Format.IsTable() {
+					hasErrors = true
+				}
+				continue
+			}
+			for _, n := range b.Nodes() {
+				if n.Err != nil {
+					if ctx.Format.IsTable() {
+						hasErrors = true
+					}
+				}
+				if err := format(&lsContext{
+					format: ctx.Format,
+					Builder: &lsBuilder{
+						Builder: b,
+						Current: b.Name == current.Name,
+					},
+					node: n,
+				}); err != nil {
+					return err
+				}
+			}
+		}
+		return nil
+	}
+
+	lsCtx := lsContext{}
+	lsCtx.Header = formatter.SubHeaderContext{
+		"Name":           lsNameNodeHeader,
+		"DriverEndpoint": lsDriverEndpointHeader,
+		"LastActivity":   lsLastActivityHeader,
+		"Status":         lsStatusHeader,
+		"Buildkit":       lsBuildkitHeader,
+		"Platforms":      lsPlatformsHeader,
+	}
+
+	return hasErrors, ctx.Write(&lsCtx, render)
+}
+
+type lsBuilder struct {
+	*builder.Builder
+	Current bool
+}
+
+type lsContext struct {
+	formatter.HeaderContext
+	Builder *lsBuilder
+
+	format formatter.Format
+	node   builder.Node
+}
+
+func (c *lsContext) MarshalJSON() ([]byte, error) {
+	return json.Marshal(c.Builder)
+}
+
+func (c *lsContext) Name() string {
+	if c.node.Name == "" {
+		name := c.Builder.Name
+		if c.Builder.Current && c.format.IsTable() {
+			name += "*"
+		}
+		return name
+	}
+	if c.format.IsTable() {
+		return lsIndent + c.node.Name
+	}
+	return c.node.Name
+}
+
+func (c *lsContext) DriverEndpoint() string {
+	if c.node.Name == "" {
+		return c.Builder.Driver
+	}
+	if c.format.IsTable() {
+		return lsIndent + c.node.Endpoint
+	}
+	return c.node.Endpoint
+}
+
+func (c *lsContext) LastActivity() string {
+	if c.node.Name != "" || c.Builder.LastActivity.IsZero() {
+		return ""
+	}
+	return c.Builder.LastActivity.UTC().Format(time.RFC3339)
+}
+
+func (c *lsContext) Status() string {
+	if c.node.Name == "" {
+		if c.Builder.Err() != nil {
+			return "error"
+		}
+		return ""
+	}
+	if c.node.Err != nil {
+		return "error"
+	}
+	if c.node.DriverInfo != nil {
+		return c.node.DriverInfo.Status.String()
+	}
+	return ""
+}
+
+func (c *lsContext) Buildkit() string {
+	if c.node.Name == "" {
+		return ""
+	}
+	return c.node.Version
+}
+
+func (c *lsContext) Platforms() string {
+	if c.node.Name == "" {
+		return ""
+	}
+	return strings.Join(platformutil.FormatInGroups(c.node.Node.Platforms, c.node.Platforms), ", ")
+}
+
+func (c *lsContext) Error() string {
+	if c.node.Name != "" && c.node.Err != nil {
+		return c.node.Err.Error()
+	} else if err := c.Builder.Err(); err != nil {
+		return err.Error()
+	}
+	return ""
+}

commands/prune.go

@@ -1,6 +1,7 @@
 package commands
 
 import (
+	"context"
 	"fmt"
 	"os"
 	"strings"
@@ -15,7 +16,6 @@ import (
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/go-units"
 	"github.com/moby/buildkit/client"
-	"github.com/moby/buildkit/util/appcontext"
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 	"golang.org/x/sync/errgroup"
@@ -35,9 +35,7 @@ const (
 	allCacheWarning = `WARNING! This will remove all build cache. Are you sure you want to continue?`
 )
 
-func runPrune(dockerCli command.Cli, opts pruneOptions) error {
+func runPrune(ctx context.Context, dockerCli command.Cli, opts pruneOptions) error {
-	ctx := appcontext.Context()
-
 	pruneFilters := opts.filter.Value()
 	pruneFilters = command.PruneFilters(dockerCli, pruneFilters)
 
@@ -51,8 +49,12 @@ func runPrune(dockerCli command.Cli, opts pruneOptions) error {
 		warning = allCacheWarning
 	}
 
-	if !opts.force && !command.PromptForConfirmation(dockerCli.In(), dockerCli.Out(), warning) {
+	if !opts.force {
-		return nil
+		if ok, err := prompt(ctx, dockerCli.In(), dockerCli.Out(), warning); err != nil {
+			return err
+		} else if !ok {
+			return nil
+		}
 	}
 
 	b, err := builder.New(dockerCli, builder.WithName(opts.builder))
@@ -138,7 +140,7 @@ func pruneCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
 		Args:  cli.NoArgs,
 		RunE: func(cmd *cobra.Command, args []string) error {
 			options.builder = rootOpts.builder
-			return runPrune(dockerCli, options)
+			return runPrune(cmd.Context(), dockerCli, options)
 		},
 		ValidArgsFunction: completion.Disable,
 	}

commands/rm.go

@@ -9,16 +9,14 @@ import (
 	"github.com/docker/buildx/store"
 	"github.com/docker/buildx/store/storeutil"
 	"github.com/docker/buildx/util/cobrautil/completion"
-	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
-	"github.com/moby/buildkit/util/appcontext"
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 	"golang.org/x/sync/errgroup"
 )
 
 type rmOptions struct {
-	builder     string
+	builders    []string
 	keepState   bool
 	keepDaemon  bool
 	allInactive bool
@@ -29,11 +27,13 @@ const (
 	rmInactiveWarning = `WARNING! This will remove all builders that are not in running state. Are you sure you want to continue?`
 )
 
-func runRm(dockerCli command.Cli, in rmOptions) error {
+func runRm(ctx context.Context, dockerCli command.Cli, in rmOptions) error {
-	ctx := appcontext.Context()
+	if in.allInactive && !in.force {
-
+		if ok, err := prompt(ctx, dockerCli.In(), dockerCli.Out(), rmInactiveWarning); err != nil {
-	if in.allInactive && !in.force && !command.PromptForConfirmation(dockerCli.In(), dockerCli.Out(), rmInactiveWarning) {
+			return err
-		return nil
+		} else if !ok {
+			return nil
+		}
 	}
 
 	txn, release, err := storeutil.GetStore(dockerCli)
@@ -46,33 +46,52 @@ func runRm(dockerCli command.Cli, in rmOptions) error {
 		return rmAllInactive(ctx, txn, dockerCli, in)
 	}
 
-	b, err := builder.New(dockerCli,
+	eg, _ := errgroup.WithContext(ctx)
-		builder.WithName(in.builder),
+	for _, name := range in.builders {
-		builder.WithStore(txn),
+		func(name string) {
-		builder.WithSkippedValidation(),
+			eg.Go(func() (err error) {
-	)
+				defer func() {
-	if err != nil {
+					if err == nil {
-		return err
+						_, _ = fmt.Fprintf(dockerCli.Err(), "%s removed\n", name)
+					} else {
+						_, _ = fmt.Fprintf(dockerCli.Err(), "failed to remove %s: %v\n", name, err)
+					}
+				}()
+
+				b, err := builder.New(dockerCli,
+					builder.WithName(name),
+					builder.WithStore(txn),
+					builder.WithSkippedValidation(),
+				)
+				if err != nil {
+					return err
+				}
+
+				nodes, err := b.LoadNodes(ctx)
+				if err != nil {
+					return err
+				}
+
+				if cb := b.ContextName(); cb != "" {
+					return errors.Errorf("context builder cannot be removed, run `docker context rm %s` to remove this context", cb)
+				}
+
+				err1 := rm(ctx, nodes, in)
+				if err := txn.Remove(b.Name); err != nil {
+					return err
+				}
+				if err1 != nil {
+					return err1
+				}
+
+				return nil
+			})
+		}(name)
 	}
 
-	nodes, err := b.LoadNodes(ctx)
+	if err := eg.Wait(); err != nil {
-	if err != nil {
+		return errors.New("failed to remove one or more builders")
-		return err
 	}
-
-	if cb := b.ContextName(); cb != "" {
-		return errors.Errorf("context builder cannot be removed, run `docker context rm %s` to remove this context", cb)
-	}
-
-	err1 := rm(ctx, nodes, in)
-	if err := txn.Remove(b.Name); err != nil {
-		return err
-	}
-	if err1 != nil {
-		return err1
-	}
-
-	_, _ = fmt.Fprintf(dockerCli.Err(), "%s removed\n", b.Name)
 	return nil
 }
 
@@ -80,25 +99,24 @@ func rmCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
 	var options rmOptions
 
 	cmd := &cobra.Command{
-		Use:   "rm [NAME]",
+		Use:   "rm [OPTIONS] [NAME] [NAME...]",
-		Short: "Remove a builder instance",
+		Short: "Remove one or more builder instances",
-		Args:  cli.RequiresMaxArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			options.builder = rootOpts.builder
+			options.builders = []string{rootOpts.builder}
 			if len(args) > 0 {
 				if options.allInactive {
 					return errors.New("cannot specify builder name when --all-inactive is set")
 				}
-				options.builder = args[0]
+				options.builders = args
 			}
-			return runRm(dockerCli, options)
+			return runRm(cmd.Context(), dockerCli, options)
 		},
 		ValidArgsFunction: completion.BuilderNames(dockerCli),
 	}
 
 	flags := cmd.Flags()
 	flags.BoolVar(&options.keepState, "keep-state", false, "Keep BuildKit state")
-	flags.BoolVar(&options.keepDaemon, "keep-daemon", false, "Keep the buildkitd daemon running")
+	flags.BoolVar(&options.keepDaemon, "keep-daemon", false, "Keep the BuildKit daemon running")
 	flags.BoolVar(&options.allInactive, "all-inactive", false, "Remove all inactive builders")
 	flags.BoolVarP(&options.force, "force", "f", false, "Do not prompt for confirmation")
 

commands/root.go

@@ -7,12 +7,14 @@ import (
 	imagetoolscmd "github.com/docker/buildx/commands/imagetools"
 	"github.com/docker/buildx/controller/remote"
 	"github.com/docker/buildx/util/cobrautil/completion"
+	"github.com/docker/buildx/util/confutil"
 	"github.com/docker/buildx/util/logutil"
 	"github.com/docker/cli-docs-tool/annotation"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli-plugins/plugin"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/debug"
+	"github.com/moby/buildkit/util/appcontext"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
@@ -29,12 +31,15 @@ func NewRootCmd(name string, isPlugin bool, dockerCli command.Cli) *cobra.Comman
 		CompletionOptions: cobra.CompletionOptions{
 			HiddenDefaultCmd: true,
 		},
-	}
+		PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
-	if isPlugin {
+			cmd.SetContext(appcontext.Context())
-		cmd.PersistentPreRunE = func(cmd *cobra.Command, args []string) error {
+			if !isPlugin {
+				return nil
+			}
 			return plugin.PersistentPreRunE(cmd, args)
-		}
+		},
-	} else {
+	}
+	if !isPlugin {
 		// match plugin behavior for standalone mode
 		// https://github.com/docker/cli/blob/6c9eb708fa6d17765d71965f90e1c59cea686ee9/cli-plugins/plugin/plugin.go#L117-L127
 		cmd.SilenceUsage = true
@@ -59,6 +64,10 @@ func NewRootCmd(name string, isPlugin bool, dockerCli command.Cli) *cobra.Comman
 		"using default config store",
 	))
 
+	if !confutil.IsExperimental() {
+		cmd.SetHelpTemplate(cmd.HelpTemplate() + "\nExperimental commands and flags are hidden. Set BUILDX_EXPERIMENTAL=1 to show them.\n")
+	}
+
 	addCommands(cmd, dockerCli)
 	return cmd
 }
@@ -75,6 +84,7 @@ func addCommands(cmd *cobra.Command, dockerCli command.Cli) {
 		buildCmd(dockerCli, opts, nil),
 		bakeCmd(dockerCli, opts),
 		createCmd(dockerCli),
+		dialStdioCmd(dockerCli, opts),
 		rmCmd(dockerCli, opts),
 		lsCmd(dockerCli),
 		useCmd(dockerCli, opts),
@@ -87,7 +97,7 @@ func addCommands(cmd *cobra.Command, dockerCli command.Cli) {
 		duCmd(dockerCli, opts),
 		imagetoolscmd.RootCmd(dockerCli, imagetoolscmd.RootOptions{Builder: &opts.builder}),
 	)
-	if isExperimental() {
+	if confutil.IsExperimental() {
 		cmd.AddCommand(debugcmd.RootCmd(dockerCli,
 			newDebuggableBuild(dockerCli, opts),
 		))

commands/stop.go

@@ -7,7 +7,6 @@ import (
 	"github.com/docker/buildx/util/cobrautil/completion"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
-	"github.com/moby/buildkit/util/appcontext"
 	"github.com/spf13/cobra"
 )
 
@@ -15,9 +14,7 @@ type stopOptions struct {
 	builder string
 }
 
-func runStop(dockerCli command.Cli, in stopOptions) error {
+func runStop(ctx context.Context, dockerCli command.Cli, in stopOptions) error {
-	ctx := appcontext.Context()
-
 	b, err := builder.New(dockerCli,
 		builder.WithName(in.builder),
 		builder.WithSkippedValidation(),
@@ -45,7 +42,7 @@ func stopCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
 			if len(args) > 0 {
 				options.builder = args[0]
 			}
-			return runStop(dockerCli, options)
+			return runStop(cmd.Context(), dockerCli, options)
 		},
 		ValidArgsFunction: completion.BuilderNames(dockerCli),
 	}

commands/util.go

@@ -0,0 +1,57 @@
+package commands
+
+import (
+	"bufio"
+	"context"
+	"fmt"
+	"io"
+	"os"
+	"runtime"
+	"strings"
+
+	"github.com/docker/cli/cli/streams"
+)
+
+func prompt(ctx context.Context, ins io.Reader, out io.Writer, msg string) (bool, error) {
+	done := make(chan struct{})
+	var ok bool
+	go func() {
+		ok = promptForConfirmation(ins, out, msg)
+		close(done)
+	}()
+	select {
+	case <-ctx.Done():
+		return false, context.Cause(ctx)
+	case <-done:
+		return ok, nil
+	}
+}
+
+// promptForConfirmation requests and checks confirmation from user.
+// This will display the provided message followed by ' [y/N] '. If
+// the user input 'y' or 'Y' it returns true other false.  If no
+// message is provided "Are you sure you want to proceed? [y/N] "
+// will be used instead.
+//
+// Copied from github.com/docker/cli since the upstream version changed
+// recently with an incompatible change.
+//
+// See https://github.com/docker/buildx/pull/2359#discussion_r1544736494
+// for discussion on the issue.
+func promptForConfirmation(ins io.Reader, outs io.Writer, message string) bool {
+	if message == "" {
+		message = "Are you sure you want to proceed?"
+	}
+	message += " [y/N] "
+
+	_, _ = fmt.Fprint(outs, message)
+
+	// On Windows, force the use of the regular OS stdin stream.
+	if runtime.GOOS == "windows" {
+		ins = streams.NewIn(os.Stdin)
+	}
+
+	reader := bufio.NewReader(ins)
+	answer, _, _ := reader.ReadLine()
+	return strings.ToLower(string(answer)) == "y"
+}

controller/build/build.go

@@ -53,20 +53,21 @@ func RunBuild(ctx context.Context, dockerCli command.Cli, in controllerapi.Build
 			InStream:       inStream,
 			NamedContexts:  contexts,
 		},
-		Ref:           in.Ref,
+		Ref:                    in.Ref,
-		BuildArgs:     in.BuildArgs,
+		BuildArgs:              in.BuildArgs,
-		CgroupParent:  in.CgroupParent,
+		CgroupParent:           in.CgroupParent,
-		ExtraHosts:    in.ExtraHosts,
+		ExtraHosts:             in.ExtraHosts,
-		Labels:        in.Labels,
+		Labels:                 in.Labels,
-		NetworkMode:   in.NetworkMode,
+		NetworkMode:            in.NetworkMode,
-		NoCache:       in.NoCache,
+		NoCache:                in.NoCache,
-		NoCacheFilter: in.NoCacheFilter,
+		NoCacheFilter:          in.NoCacheFilter,
-		Pull:          in.Pull,
+		Pull:                   in.Pull,
-		ShmSize:       dockeropts.MemBytes(in.ShmSize),
+		ShmSize:                dockeropts.MemBytes(in.ShmSize),
-		Tags:          in.Tags,
+		Tags:                   in.Tags,
-		Target:        in.Target,
+		Target:                 in.Target,
-		Ulimits:       controllerUlimitOpt2DockerUlimit(in.Ulimits),
+		Ulimits:                controllerUlimitOpt2DockerUlimit(in.Ulimits),
-		GroupRef:      in.GroupRef,
+		GroupRef:               in.GroupRef,
+		WithProvenanceResponse: in.WithProvenanceResponse,
 	}
 
 	platforms, err := platformutil.Parse(in.Platforms)
@@ -99,38 +100,38 @@ func RunBuild(ctx context.Context, dockerCli command.Cli, in controllerapi.Build
 		return nil, nil, err
 	}
 	if in.ExportPush {
-		if in.ExportLoad {
+		var pushUsed bool
-			return nil, nil, errors.Errorf("push and load may not be set together at the moment")
+		for i := range outputs {
+			if outputs[i].Type == client.ExporterImage {
+				outputs[i].Attrs["push"] = "true"
+				pushUsed = true
+			}
 		}
-		if len(outputs) == 0 {
+		if !pushUsed {
-			outputs = []client.ExportEntry{{
+			outputs = append(outputs, client.ExportEntry{
-				Type: "image",
+				Type: client.ExporterImage,
 				Attrs: map[string]string{
 					"push": "true",
 				},
-			}}
+			})
-		} else {
-			switch outputs[0].Type {
-			case "image":
-				outputs[0].Attrs["push"] = "true"
-			default:
-				return nil, nil, errors.Errorf("push and %q output can't be used together", outputs[0].Type)
-			}
 		}
 	}
 	if in.ExportLoad {
-		if len(outputs) == 0 {
+		var loadUsed bool
-			outputs = []client.ExportEntry{{
+		for i := range outputs {
-				Type:  "docker",
+			if outputs[i].Type == client.ExporterDocker {
-				Attrs: map[string]string{},
+				if _, ok := outputs[i].Attrs["dest"]; !ok {
-			}}
+					loadUsed = true
-		} else {
+					break
-			switch outputs[0].Type {
+				}
-			case "docker":
-			default:
-				return nil, nil, errors.Errorf("load and %q output can't be used together", outputs[0].Type)
 			}
 		}
+		if !loadUsed {
+			outputs = append(outputs, client.ExportEntry{
+				Type:  client.ExporterDocker,
+				Attrs: map[string]string{},
+			})
+		}
 	}
 
 	annotations, err := buildflags.ParseAnnotations(in.Annotations)
@@ -160,8 +161,9 @@ func RunBuild(ctx context.Context, dockerCli command.Cli, in controllerapi.Build
 
 	if in.PrintFunc != nil {
 		opts.PrintFunc = &build.PrintFunc{
-			Name:   in.PrintFunc.Name,
+			Name:         in.PrintFunc.Name,
-			Format: in.PrintFunc.Format,
+			Format:       in.PrintFunc.Format,
+			IgnoreStatus: in.PrintFunc.IgnoreStatus,
 		}
 	}
 

controller/pb/controller.pb.go

@@ -271,40 +271,41 @@ func (m *BuildRequest) GetOptions() *BuildOptions {
 }
 
 type BuildOptions struct {
-	ContextPath          string               `protobuf:"bytes,1,opt,name=ContextPath,proto3" json:"ContextPath,omitempty"`
+	ContextPath            string               `protobuf:"bytes,1,opt,name=ContextPath,proto3" json:"ContextPath,omitempty"`
-	DockerfileName       string               `protobuf:"bytes,2,opt,name=DockerfileName,proto3" json:"DockerfileName,omitempty"`
+	DockerfileName         string               `protobuf:"bytes,2,opt,name=DockerfileName,proto3" json:"DockerfileName,omitempty"`
-	PrintFunc            *PrintFunc           `protobuf:"bytes,3,opt,name=PrintFunc,proto3" json:"PrintFunc,omitempty"`
+	PrintFunc              *PrintFunc           `protobuf:"bytes,3,opt,name=PrintFunc,proto3" json:"PrintFunc,omitempty"`
-	NamedContexts        map[string]string    `protobuf:"bytes,4,rep,name=NamedContexts,proto3" json:"NamedContexts,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	NamedContexts          map[string]string    `protobuf:"bytes,4,rep,name=NamedContexts,proto3" json:"NamedContexts,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
-	Allow                []string             `protobuf:"bytes,5,rep,name=Allow,proto3" json:"Allow,omitempty"`
+	Allow                  []string             `protobuf:"bytes,5,rep,name=Allow,proto3" json:"Allow,omitempty"`
-	Attests              []*Attest            `protobuf:"bytes,6,rep,name=Attests,proto3" json:"Attests,omitempty"`
+	Attests                []*Attest            `protobuf:"bytes,6,rep,name=Attests,proto3" json:"Attests,omitempty"`
-	BuildArgs            map[string]string    `protobuf:"bytes,7,rep,name=BuildArgs,proto3" json:"BuildArgs,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	BuildArgs              map[string]string    `protobuf:"bytes,7,rep,name=BuildArgs,proto3" json:"BuildArgs,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
-	CacheFrom            []*CacheOptionsEntry `protobuf:"bytes,8,rep,name=CacheFrom,proto3" json:"CacheFrom,omitempty"`
+	CacheFrom              []*CacheOptionsEntry `protobuf:"bytes,8,rep,name=CacheFrom,proto3" json:"CacheFrom,omitempty"`
-	CacheTo              []*CacheOptionsEntry `protobuf:"bytes,9,rep,name=CacheTo,proto3" json:"CacheTo,omitempty"`
+	CacheTo                []*CacheOptionsEntry `protobuf:"bytes,9,rep,name=CacheTo,proto3" json:"CacheTo,omitempty"`
-	CgroupParent         string               `protobuf:"bytes,10,opt,name=CgroupParent,proto3" json:"CgroupParent,omitempty"`
+	CgroupParent           string               `protobuf:"bytes,10,opt,name=CgroupParent,proto3" json:"CgroupParent,omitempty"`
-	Exports              []*ExportEntry       `protobuf:"bytes,11,rep,name=Exports,proto3" json:"Exports,omitempty"`
+	Exports                []*ExportEntry       `protobuf:"bytes,11,rep,name=Exports,proto3" json:"Exports,omitempty"`
-	ExtraHosts           []string             `protobuf:"bytes,12,rep,name=ExtraHosts,proto3" json:"ExtraHosts,omitempty"`
+	ExtraHosts             []string             `protobuf:"bytes,12,rep,name=ExtraHosts,proto3" json:"ExtraHosts,omitempty"`
-	Labels               map[string]string    `protobuf:"bytes,13,rep,name=Labels,proto3" json:"Labels,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	Labels                 map[string]string    `protobuf:"bytes,13,rep,name=Labels,proto3" json:"Labels,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
-	NetworkMode          string               `protobuf:"bytes,14,opt,name=NetworkMode,proto3" json:"NetworkMode,omitempty"`
+	NetworkMode            string               `protobuf:"bytes,14,opt,name=NetworkMode,proto3" json:"NetworkMode,omitempty"`
-	NoCacheFilter        []string             `protobuf:"bytes,15,rep,name=NoCacheFilter,proto3" json:"NoCacheFilter,omitempty"`
+	NoCacheFilter          []string             `protobuf:"bytes,15,rep,name=NoCacheFilter,proto3" json:"NoCacheFilter,omitempty"`
-	Platforms            []string             `protobuf:"bytes,16,rep,name=Platforms,proto3" json:"Platforms,omitempty"`
+	Platforms              []string             `protobuf:"bytes,16,rep,name=Platforms,proto3" json:"Platforms,omitempty"`
-	Secrets              []*Secret            `protobuf:"bytes,17,rep,name=Secrets,proto3" json:"Secrets,omitempty"`
+	Secrets                []*Secret            `protobuf:"bytes,17,rep,name=Secrets,proto3" json:"Secrets,omitempty"`
-	ShmSize              int64                `protobuf:"varint,18,opt,name=ShmSize,proto3" json:"ShmSize,omitempty"`
+	ShmSize                int64                `protobuf:"varint,18,opt,name=ShmSize,proto3" json:"ShmSize,omitempty"`
-	SSH                  []*SSH               `protobuf:"bytes,19,rep,name=SSH,proto3" json:"SSH,omitempty"`
+	SSH                    []*SSH               `protobuf:"bytes,19,rep,name=SSH,proto3" json:"SSH,omitempty"`
-	Tags                 []string             `protobuf:"bytes,20,rep,name=Tags,proto3" json:"Tags,omitempty"`
+	Tags                   []string             `protobuf:"bytes,20,rep,name=Tags,proto3" json:"Tags,omitempty"`
-	Target               string               `protobuf:"bytes,21,opt,name=Target,proto3" json:"Target,omitempty"`
+	Target                 string               `protobuf:"bytes,21,opt,name=Target,proto3" json:"Target,omitempty"`
-	Ulimits              *UlimitOpt           `protobuf:"bytes,22,opt,name=Ulimits,proto3" json:"Ulimits,omitempty"`
+	Ulimits                *UlimitOpt           `protobuf:"bytes,22,opt,name=Ulimits,proto3" json:"Ulimits,omitempty"`
-	Builder              string               `protobuf:"bytes,23,opt,name=Builder,proto3" json:"Builder,omitempty"`
+	Builder                string               `protobuf:"bytes,23,opt,name=Builder,proto3" json:"Builder,omitempty"`
-	NoCache              bool                 `protobuf:"varint,24,opt,name=NoCache,proto3" json:"NoCache,omitempty"`
+	NoCache                bool                 `protobuf:"varint,24,opt,name=NoCache,proto3" json:"NoCache,omitempty"`
-	Pull                 bool                 `protobuf:"varint,25,opt,name=Pull,proto3" json:"Pull,omitempty"`
+	Pull                   bool                 `protobuf:"varint,25,opt,name=Pull,proto3" json:"Pull,omitempty"`
-	ExportPush           bool                 `protobuf:"varint,26,opt,name=ExportPush,proto3" json:"ExportPush,omitempty"`
+	ExportPush             bool                 `protobuf:"varint,26,opt,name=ExportPush,proto3" json:"ExportPush,omitempty"`
-	ExportLoad           bool                 `protobuf:"varint,27,opt,name=ExportLoad,proto3" json:"ExportLoad,omitempty"`
+	ExportLoad             bool                 `protobuf:"varint,27,opt,name=ExportLoad,proto3" json:"ExportLoad,omitempty"`
-	SourcePolicy         *pb.Policy           `protobuf:"bytes,28,opt,name=SourcePolicy,proto3" json:"SourcePolicy,omitempty"`
+	SourcePolicy           *pb.Policy           `protobuf:"bytes,28,opt,name=SourcePolicy,proto3" json:"SourcePolicy,omitempty"`
-	Ref                  string               `protobuf:"bytes,29,opt,name=Ref,proto3" json:"Ref,omitempty"`
+	Ref                    string               `protobuf:"bytes,29,opt,name=Ref,proto3" json:"Ref,omitempty"`
-	GroupRef             string               `protobuf:"bytes,30,opt,name=GroupRef,proto3" json:"GroupRef,omitempty"`
+	GroupRef               string               `protobuf:"bytes,30,opt,name=GroupRef,proto3" json:"GroupRef,omitempty"`
-	Annotations          []string             `protobuf:"bytes,31,rep,name=Annotations,proto3" json:"Annotations,omitempty"`
+	Annotations            []string             `protobuf:"bytes,31,rep,name=Annotations,proto3" json:"Annotations,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}             `json:"-"`
+	WithProvenanceResponse bool                 `protobuf:"varint,32,opt,name=WithProvenanceResponse,proto3" json:"WithProvenanceResponse,omitempty"`
-	XXX_unrecognized     []byte               `json:"-"`
+	XXX_NoUnkeyedLiteral   struct{}             `json:"-"`
-	XXX_sizecache        int32                `json:"-"`
+	XXX_unrecognized       []byte               `json:"-"`
+	XXX_sizecache          int32                `json:"-"`
 }
 
 func (m *BuildOptions) Reset()         { *m = BuildOptions{} }
@@ -548,6 +549,13 @@ func (m *BuildOptions) GetAnnotations() []string {
 	return nil
 }
 
+func (m *BuildOptions) GetWithProvenanceResponse() bool {
+	if m != nil {
+		return m.WithProvenanceResponse
+	}
+	return false
+}
+
 type ExportEntry struct {
 	Type                 string            `protobuf:"bytes,1,opt,name=Type,proto3" json:"Type,omitempty"`
 	Attrs                map[string]string `protobuf:"bytes,2,rep,name=Attrs,proto3" json:"Attrs,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
@@ -805,6 +813,7 @@ func (m *Secret) GetEnv() string {
 type PrintFunc struct {
 	Name                 string   `protobuf:"bytes,1,opt,name=Name,proto3" json:"Name,omitempty"`
 	Format               string   `protobuf:"bytes,2,opt,name=Format,proto3" json:"Format,omitempty"`
+	IgnoreStatus         bool     `protobuf:"varint,3,opt,name=IgnoreStatus,proto3" json:"IgnoreStatus,omitempty"`
 	XXX_NoUnkeyedLiteral struct{} `json:"-"`
 	XXX_unrecognized     []byte   `json:"-"`
 	XXX_sizecache        int32    `json:"-"`
@@ -848,6 +857,13 @@ func (m *PrintFunc) GetFormat() string {
 	return ""
 }
 
+func (m *PrintFunc) GetIgnoreStatus() bool {
+	if m != nil {
+		return m.IgnoreStatus
+	}
+	return false
+}
+
 type InspectRequest struct {
 	Ref                  string   `protobuf:"bytes,1,opt,name=Ref,proto3" json:"Ref,omitempty"`
 	XXX_NoUnkeyedLiteral struct{} `json:"-"`
@@ -2078,128 +2094,130 @@ func init() {
 func init() { proto.RegisterFile("controller.proto", fileDescriptor_ed7f10298fa1d90f) }
 
 var fileDescriptor_ed7f10298fa1d90f = []byte{
-	// 1922 bytes of a gzipped FileDescriptorProto
+	// 1960 bytes of a gzipped FileDescriptorProto
 	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xa4, 0x58, 0x5f, 0x73, 0x1b, 0x49,
 	0x11, 0x67, 0x25, 0x59, 0x7f, 0x5a, 0x96, 0xcf, 0x19, 0x9c, 0x30, 0xd9, 0xe4, 0x12, 0x67, 0x93,
-	0x1c, 0x2a, 0x42, 0xc9, 0x77, 0x3e, 0x82, 0x2f, 0x97, 0xbb, 0x2a, 0x6c, 0xd9, 0xc2, 0xbe, 0x4a,
+	0x1c, 0x2a, 0x42, 0xc9, 0x77, 0x3e, 0x72, 0xb9, 0x5c, 0xee, 0xaa, 0xb0, 0x65, 0x0b, 0xfb, 0x2a,
-	0x6c, 0xd7, 0xca, 0xc9, 0x15, 0x50, 0xc5, 0xd5, 0x5a, 0x1a, 0xcb, 0x5b, 0x5a, 0xed, 0x88, 0x9d,
+	0xb1, 0x5d, 0x23, 0x27, 0x29, 0xb8, 0x2a, 0xae, 0x56, 0xd2, 0x58, 0xde, 0xd2, 0x6a, 0x47, 0xec,
-	0x91, 0x6d, 0xf1, 0xc4, 0x03, 0xbc, 0x51, 0x14, 0x5f, 0x83, 0xe2, 0x23, 0xf0, 0xc4, 0x37, 0xe2,
+	0x8c, 0x64, 0x8b, 0x27, 0x1e, 0xe0, 0x8d, 0xe2, 0x7b, 0x50, 0x7c, 0x04, 0x9e, 0x78, 0xe3, 0xe3,
-	0x23, 0x50, 0xd3, 0x33, 0xbb, 0x5a, 0x59, 0x5a, 0xd9, 0x86, 0x27, 0x4d, 0xf7, 0xfe, 0xba, 0x7b,
+	0xf0, 0x11, 0xa8, 0xf9, 0xb3, 0xab, 0x5d, 0x4b, 0x2b, 0xdb, 0xf0, 0xa4, 0xe9, 0x9e, 0x5f, 0x77,
-	0xba, 0xa7, 0xa7, 0xbb, 0x47, 0xb0, 0xda, 0xe1, 0xa1, 0x8c, 0x78, 0x10, 0xb0, 0xa8, 0x31, 0x8c,
+	0x4f, 0xf7, 0xf6, 0x74, 0xf7, 0x08, 0xd6, 0xbb, 0x2c, 0x10, 0x21, 0xf3, 0x7d, 0x1a, 0x36, 0x46,
-	0xb8, 0xe4, 0x64, 0xed, 0x74, 0xe4, 0x07, 0xdd, 0xab, 0x46, 0xea, 0xc3, 0xc5, 0x17, 0xf6, 0xdb,
+	0x21, 0x13, 0x0c, 0x6d, 0x74, 0xc6, 0x9e, 0xdf, 0xbb, 0x6c, 0x24, 0x36, 0x26, 0x5f, 0xd8, 0x6f,
-	0x9e, 0x2f, 0xcf, 0x47, 0xa7, 0x8d, 0x0e, 0x1f, 0x6c, 0x0c, 0xf8, 0xe9, 0x78, 0x03, 0x51, 0x7d,
+	0xfa, 0x9e, 0x38, 0x1f, 0x77, 0x1a, 0x5d, 0x36, 0xdc, 0x1a, 0xb2, 0xce, 0x74, 0x4b, 0xa1, 0x06,
-	0x5f, 0x6e, 0x78, 0x43, 0x7f, 0x43, 0xb0, 0xe8, 0xc2, 0xef, 0x30, 0xb1, 0x61, 0x84, 0xe2, 0x5f,
+	0x9e, 0xd8, 0x72, 0x47, 0xde, 0x16, 0xa7, 0xe1, 0xc4, 0xeb, 0x52, 0xbe, 0x65, 0x84, 0xa2, 0x5f,
-	0xad, 0xd2, 0x7e, 0x9d, 0x29, 0x2c, 0xf8, 0x28, 0xea, 0xb0, 0x21, 0x0f, 0xfc, 0xce, 0x78, 0x63,
+	0xad, 0xd2, 0x7e, 0x99, 0x29, 0xcc, 0xd9, 0x38, 0xec, 0xd2, 0x11, 0xf3, 0xbd, 0xee, 0x74, 0x6b,
-	0x78, 0xba, 0xa1, 0x57, 0x5a, 0xcc, 0xa9, 0xc3, 0xda, 0x3b, 0x5f, 0xc8, 0xe3, 0x88, 0x77, 0x98,
+	0xd4, 0xd9, 0xd2, 0x2b, 0x2d, 0xe6, 0xd4, 0x61, 0xe3, 0xad, 0xc7, 0xc5, 0x49, 0xc8, 0xba, 0x94,
-	0x10, 0x4c, 0xb8, 0xec, 0x0f, 0x23, 0x26, 0x24, 0x59, 0x85, 0xbc, 0xcb, 0xce, 0xa8, 0xb5, 0x6e,
+	0x73, 0xca, 0x09, 0xfd, 0xc3, 0x98, 0x72, 0x81, 0xd6, 0x21, 0x4f, 0xe8, 0x19, 0xb6, 0x36, 0xad,
-	0xd5, 0x2b, 0xae, 0x5a, 0x3a, 0xc7, 0x70, 0xff, 0x1a, 0x52, 0x0c, 0x79, 0x28, 0x18, 0xd9, 0x82,
+	0x7a, 0x85, 0xc8, 0xa5, 0x73, 0x02, 0x77, 0xaf, 0x20, 0xf9, 0x88, 0x05, 0x9c, 0xa2, 0x57, 0xb0,
-	0xa5, 0x83, 0xf0, 0x8c, 0x0b, 0x6a, 0xad, 0xe7, 0xeb, 0xd5, 0xcd, 0x67, 0x8d, 0x79, 0xce, 0x35,
+	0x72, 0x18, 0x9c, 0x31, 0x8e, 0xad, 0xcd, 0x7c, 0xbd, 0xba, 0xfd, 0xa4, 0xb1, 0xc8, 0xb9, 0x86,
-	0x8c, 0x9c, 0x42, 0xba, 0x1a, 0xef, 0x08, 0xa8, 0xa6, 0xb8, 0xe4, 0x31, 0x54, 0x62, 0x72, 0xd7,
+	0x91, 0x93, 0x48, 0xa2, 0xf1, 0x0e, 0x87, 0x6a, 0x82, 0x8b, 0x1e, 0x42, 0x25, 0x22, 0xf7, 0x8c,
-	0x18, 0x9e, 0x30, 0x48, 0x0b, 0x96, 0x0f, 0xc2, 0x0b, 0xde, 0x67, 0x4d, 0x1e, 0x9e, 0xf9, 0x3d,
+	0xe1, 0x19, 0x03, 0xb5, 0x60, 0xf5, 0x30, 0x98, 0xb0, 0x01, 0x6d, 0xb2, 0xe0, 0xcc, 0xeb, 0xe3,
-	0x9a, 0x5b, 0xb7, 0xea, 0xd5, 0x4d, 0x67, 0xbe, 0xb1, 0x34, 0xd2, 0x9d, 0x92, 0x73, 0xbe, 0x03,
+	0xdc, 0xa6, 0x55, 0xaf, 0x6e, 0x3b, 0x8b, 0x8d, 0x25, 0x91, 0x24, 0x25, 0xe7, 0x7c, 0x0f, 0x78,
-	0xba, 0xeb, 0x8b, 0x0e, 0x0f, 0x43, 0xd6, 0x89, 0x9d, 0xc9, 0x74, 0x7a, 0x7a, 0x4f, 0xb9, 0x6b,
+	0xcf, 0xe3, 0x5d, 0x16, 0x04, 0xb4, 0x1b, 0x39, 0x93, 0xe9, 0x74, 0xfa, 0x4c, 0xb9, 0x2b, 0x67,
-	0x7b, 0x72, 0x1e, 0xc1, 0xc3, 0x39, 0xba, 0x74, 0x58, 0x9c, 0xdf, 0xc3, 0xf2, 0x8e, 0xda, 0x5b,
+	0x72, 0x1e, 0xc0, 0xfd, 0x05, 0xba, 0x74, 0x58, 0x9c, 0xdf, 0xc3, 0xea, 0xae, 0x3c, 0x5b, 0xb6,
-	0xb6, 0xf2, 0x6f, 0xa0, 0x74, 0x34, 0x94, 0x3e, 0x0f, 0xc5, 0x62, 0x6f, 0x50, 0x8d, 0x41, 0xba,
+	0xf2, 0x6f, 0xa1, 0x74, 0x3c, 0x12, 0x1e, 0x0b, 0xf8, 0x72, 0x6f, 0x94, 0x1a, 0x83, 0x24, 0x91,
-	0xb1, 0x88, 0xf3, 0xf7, 0x65, 0x63, 0xc0, 0x30, 0xc8, 0x3a, 0x54, 0x9b, 0x3c, 0x94, 0xec, 0x4a,
+	0x88, 0xf3, 0xef, 0x55, 0x63, 0xc0, 0x30, 0xd0, 0x26, 0x54, 0x9b, 0x2c, 0x10, 0xf4, 0x52, 0x9c,
-	0x1e, 0x7b, 0xf2, 0xdc, 0x18, 0x4a, 0xb3, 0xc8, 0x67, 0xb0, 0xb2, 0xcb, 0x3b, 0x7d, 0x16, 0x9d,
+	0xb8, 0xe2, 0xdc, 0x18, 0x4a, 0xb2, 0xd0, 0x67, 0xb0, 0xb6, 0xc7, 0xba, 0x03, 0x1a, 0x9e, 0x79,
-	0xf9, 0x01, 0x3b, 0xf4, 0x06, 0xcc, 0xb8, 0x74, 0x8d, 0x4b, 0xbe, 0x55, 0x5e, 0xfb, 0xa1, 0x6c,
+	0x3e, 0x3d, 0x72, 0x87, 0xd4, 0xb8, 0x74, 0x85, 0x8b, 0xbe, 0x93, 0x5e, 0x7b, 0x81, 0x68, 0x8d,
-	0x8d, 0xc2, 0x0e, 0xcd, 0xe3, 0xd6, 0x9e, 0x66, 0x9d, 0xaa, 0x81, 0xb9, 0x13, 0x09, 0xf2, 0x3b,
+	0x83, 0x2e, 0xce, 0xab, 0xa3, 0x3d, 0xce, 0xfa, 0xaa, 0x06, 0x46, 0x66, 0x12, 0xe8, 0x07, 0xa8,
-	0xa8, 0x29, 0x35, 0x5d, 0x63, 0x5a, 0xd0, 0x02, 0x26, 0xc6, 0xeb, 0x9b, 0xbd, 0x6b, 0x4c, 0xc9,
+	0x49, 0x35, 0x3d, 0x63, 0x9a, 0xe3, 0x82, 0x4a, 0x8c, 0x97, 0xd7, 0x7b, 0xd7, 0x48, 0xc9, 0xed,
-	0xed, 0x85, 0x32, 0x1a, 0xbb, 0xd3, 0xba, 0xc8, 0x1a, 0x2c, 0x6d, 0x07, 0x01, 0xbf, 0xa4, 0x4b,
+	0x07, 0x22, 0x9c, 0x92, 0xb4, 0x2e, 0xb4, 0x01, 0x2b, 0x3b, 0xbe, 0xcf, 0x2e, 0xf0, 0xca, 0x66,
-	0xeb, 0xf9, 0x7a, 0xc5, 0xd5, 0x04, 0xf9, 0x25, 0x94, 0xb6, 0xa5, 0x64, 0x42, 0x0a, 0x5a, 0x44,
+	0xbe, 0x5e, 0x21, 0x9a, 0x40, 0x5f, 0x41, 0x69, 0x47, 0x08, 0xca, 0x05, 0xc7, 0x45, 0x65, 0xec,
-	0x63, 0x8f, 0xe7, 0x1b, 0xd3, 0x20, 0x37, 0x06, 0x93, 0x23, 0xa8, 0xa0, 0xfd, 0xed, 0xa8, 0x27,
+	0xe1, 0x62, 0x63, 0x1a, 0x44, 0x22, 0x30, 0x3a, 0x86, 0x8a, 0xb2, 0xbf, 0x13, 0xf6, 0x39, 0x2e,
-	0x68, 0x09, 0x25, 0xbf, 0xb8, 0xc5, 0x36, 0x13, 0x19, 0xbd, 0xc5, 0x89, 0x0e, 0xb2, 0x07, 0x95,
+	0x29, 0xc9, 0x2f, 0x6e, 0x70, 0xcc, 0x58, 0x46, 0x1f, 0x71, 0xa6, 0x03, 0xed, 0x43, 0xa5, 0xe9,
-	0xa6, 0xd7, 0x39, 0x67, 0xad, 0x88, 0x0f, 0x68, 0x19, 0x15, 0xfe, 0x74, 0xbe, 0x42, 0x84, 0x19,
+	0x76, 0xcf, 0x69, 0x2b, 0x64, 0x43, 0x5c, 0x56, 0x0a, 0x7f, 0xbe, 0x58, 0xa1, 0x82, 0x19, 0x85,
-	0x85, 0x46, 0x4d, 0x22, 0x49, 0xb6, 0xa1, 0x84, 0xc4, 0x09, 0xa7, 0x95, 0xbb, 0x29, 0x89, 0xe5,
+	0x46, 0x4d, 0x2c, 0x89, 0x76, 0xa0, 0xa4, 0x88, 0x53, 0x86, 0x2b, 0xb7, 0x53, 0x12, 0xc9, 0x21,
-	0x88, 0x03, 0xcb, 0xcd, 0x5e, 0xc4, 0x47, 0xc3, 0x63, 0x2f, 0x62, 0xa1, 0xa4, 0x80, 0x47, 0x3d,
+	0x07, 0x56, 0x9b, 0xfd, 0x90, 0x8d, 0x47, 0x27, 0x6e, 0x48, 0x03, 0x81, 0x41, 0x7d, 0xea, 0x14,
-	0xc5, 0x23, 0x6f, 0xa1, 0xb4, 0x77, 0x35, 0xe4, 0x91, 0x14, 0xb4, 0xba, 0xe8, 0xf2, 0x6a, 0x90,
+	0x0f, 0xbd, 0x81, 0xd2, 0xfe, 0xe5, 0x88, 0x85, 0x82, 0xe3, 0xea, 0xb2, 0xcb, 0xab, 0x41, 0xc6,
-	0x31, 0x60, 0x24, 0xc8, 0x13, 0x80, 0xbd, 0x2b, 0x19, 0x79, 0xfb, 0x5c, 0x85, 0x7d, 0x19, 0x8f,
+	0x80, 0x91, 0x40, 0x8f, 0x00, 0xf6, 0x2f, 0x45, 0xe8, 0x1e, 0x30, 0x19, 0xf6, 0x55, 0xf5, 0x39,
-	0x23, 0xc5, 0x21, 0x2d, 0x28, 0xbe, 0xf3, 0x4e, 0x59, 0x20, 0x68, 0x0d, 0x75, 0x37, 0x6e, 0x11,
+	0x12, 0x1c, 0xd4, 0x82, 0xe2, 0x5b, 0xb7, 0x43, 0x7d, 0x8e, 0x6b, 0x4a, 0x77, 0xe3, 0x06, 0x81,
-	0x58, 0x2d, 0xa0, 0x0d, 0x19, 0x69, 0x95, 0xd7, 0x87, 0x4c, 0x5e, 0xf2, 0xa8, 0xff, 0x9e, 0x77,
+	0xd5, 0x02, 0xda, 0x90, 0x91, 0x96, 0x79, 0x7d, 0x44, 0xc5, 0x05, 0x0b, 0x07, 0xef, 0x58, 0x8f,
-	0x19, 0x5d, 0xd1, 0x79, 0x9d, 0x62, 0x91, 0x17, 0x50, 0x3b, 0xe4, 0x3a, 0x78, 0x7e, 0x20, 0x59,
+	0xe2, 0x35, 0x9d, 0xd7, 0x09, 0x16, 0x7a, 0x06, 0xb5, 0x23, 0xa6, 0x83, 0xe7, 0xf9, 0x82, 0x86,
-	0x44, 0x3f, 0xc1, 0xcd, 0x4c, 0x33, 0xf1, 0x2e, 0x07, 0x9e, 0x3c, 0xe3, 0xd1, 0x40, 0xd0, 0x55,
+	0xf8, 0x13, 0x75, 0x98, 0x34, 0x53, 0xdd, 0x65, 0xdf, 0x15, 0x67, 0x2c, 0x1c, 0x72, 0xbc, 0xae,
-	0x44, 0x4c, 0x18, 0x2a, 0x83, 0xda, 0xac, 0x13, 0x31, 0x29, 0xe8, 0xbd, 0x45, 0x19, 0xa4, 0x41,
+	0x10, 0x33, 0x86, 0xcc, 0xa0, 0x36, 0xed, 0x86, 0x54, 0x70, 0x7c, 0x67, 0x59, 0x06, 0x69, 0x10,
-	0x6e, 0x0c, 0x26, 0x14, 0x4a, 0xed, 0xf3, 0x41, 0xdb, 0xff, 0x23, 0xa3, 0x64, 0xdd, 0xaa, 0xe7,
+	0x89, 0xc0, 0x08, 0x43, 0xa9, 0x7d, 0x3e, 0x6c, 0x7b, 0x7f, 0xa4, 0x18, 0x6d, 0x5a, 0xf5, 0x3c,
-	0xdd, 0x98, 0x24, 0xaf, 0x20, 0xdf, 0x6e, 0xef, 0xd3, 0x1f, 0xa3, 0xb6, 0x87, 0x19, 0xda, 0xda,
+	0x89, 0x48, 0xf4, 0x02, 0xf2, 0xed, 0xf6, 0x01, 0xfe, 0xa9, 0xd2, 0x76, 0x3f, 0x43, 0x5b, 0xfb,
-	0xfb, 0xae, 0x42, 0x11, 0x02, 0x85, 0x13, 0xaf, 0x27, 0xe8, 0x1a, 0xee, 0x0b, 0xd7, 0xe4, 0x01,
+	0x80, 0x48, 0x14, 0x42, 0x50, 0x38, 0x75, 0xfb, 0x1c, 0x6f, 0xa8, 0x73, 0xa9, 0x35, 0xba, 0x07,
-	0x14, 0x4f, 0xbc, 0xa8, 0xc7, 0x24, 0xbd, 0x8f, 0x3e, 0x1b, 0x8a, 0xbc, 0x81, 0xd2, 0x87, 0xc0,
+	0xc5, 0x53, 0x37, 0xec, 0x53, 0x81, 0xef, 0x2a, 0x9f, 0x0d, 0x85, 0x5e, 0x43, 0xe9, 0xbd, 0xef,
-	0x1f, 0xf8, 0x52, 0xd0, 0x07, 0x8b, 0x2e, 0xa7, 0x06, 0x1d, 0x0d, 0xa5, 0x1b, 0xe3, 0xd5, 0x6e,
+	0x0d, 0x3d, 0xc1, 0xf1, 0xbd, 0x65, 0x97, 0x53, 0x83, 0x8e, 0x47, 0x82, 0x44, 0x78, 0x79, 0x5a,
-	0x31, 0xde, 0x2c, 0xa2, 0x3f, 0x41, 0x9d, 0x31, 0xa9, 0xbe, 0x98, 0x70, 0x51, 0xba, 0x6e, 0xd5,
+	0x15, 0x6f, 0x1a, 0xe2, 0x9f, 0x29, 0x9d, 0x11, 0x29, 0x77, 0x4c, 0xb8, 0x30, 0xde, 0xb4, 0xea,
-	0xcb, 0x6e, 0x4c, 0xaa, 0xad, 0x1d, 0x8f, 0x82, 0x80, 0x3e, 0x44, 0x36, 0xae, 0xf5, 0xd9, 0xab,
+	0x65, 0x12, 0x91, 0xf2, 0x68, 0x27, 0x63, 0xdf, 0xc7, 0xf7, 0x15, 0x5b, 0xad, 0xf5, 0xb7, 0x97,
-	0x34, 0x38, 0x1e, 0x89, 0x73, 0x6a, 0xe3, 0x97, 0x14, 0x67, 0xf2, 0xfd, 0x1d, 0xf7, 0xba, 0xf4,
+	0x69, 0x70, 0x32, 0xe6, 0xe7, 0xd8, 0x56, 0x3b, 0x09, 0xce, 0x6c, 0xff, 0x2d, 0x73, 0x7b, 0xf8,
-	0x51, 0xfa, 0xbb, 0xe2, 0x90, 0x03, 0x58, 0x6e, 0x63, 0x5b, 0x3a, 0xc6, 0x66, 0x44, 0x1f, 0xa3,
+	0x41, 0x72, 0x5f, 0x72, 0xd0, 0x21, 0xac, 0xb6, 0x55, 0x5b, 0x3a, 0x51, 0xcd, 0x08, 0x3f, 0x54,
-	0x1f, 0x2f, 0x1b, 0xaa, 0x73, 0x35, 0xe2, 0xce, 0xa5, 0x7c, 0x48, 0x37, 0xaf, 0x86, 0x06, 0xbb,
+	0x7e, 0x3c, 0x6f, 0xc8, 0xce, 0xd5, 0x88, 0x3a, 0x97, 0xf4, 0x21, 0xd9, 0xbc, 0x1a, 0x1a, 0x4c,
-	0x53, 0xa2, 0x71, 0x5d, 0xfd, 0x74, 0x52, 0x57, 0x6d, 0x28, 0xff, 0x5a, 0x25, 0xb9, 0x62, 0x3f,
+	0x52, 0xa2, 0x51, 0x5d, 0xfd, 0x74, 0x56, 0x57, 0x6d, 0x28, 0xff, 0x46, 0x26, 0xb9, 0x64, 0x3f,
-	0x41, 0x76, 0x42, 0xab, 0x64, 0xda, 0x0e, 0x43, 0x2e, 0x3d, 0x5d, 0x77, 0x9f, 0x62, 0xb8, 0xd3,
+	0x52, 0xec, 0x98, 0x96, 0xc9, 0xb4, 0x13, 0x04, 0x4c, 0xb8, 0xba, 0xee, 0x3e, 0x56, 0xe1, 0x4e,
-	0x2c, 0xfb, 0x57, 0x40, 0x66, 0xab, 0x90, 0xb2, 0xd2, 0x67, 0xe3, 0xb8, 0x7a, 0xf7, 0xd9, 0x58,
+	0xb2, 0xd0, 0x57, 0x70, 0xef, 0xa3, 0x27, 0xce, 0x4f, 0x42, 0x36, 0xa1, 0x81, 0x1b, 0x74, 0x69,
-	0x15, 0xa2, 0x0b, 0x2f, 0x18, 0xc5, 0x35, 0x54, 0x13, 0x5f, 0xe7, 0xbe, 0xb2, 0xec, 0x6f, 0x60,
+	0x54, 0xd1, 0xf1, 0xa6, 0x72, 0x23, 0x63, 0xd7, 0xfe, 0x35, 0xa0, 0xf9, 0xea, 0x25, 0x4f, 0x37,
-	0x65, 0xba, 0x40, 0xdc, 0x49, 0xfa, 0x0d, 0x54, 0x53, 0xb7, 0xe0, 0x2e, 0xa2, 0xce, 0xbf, 0x2d,
+	0xa0, 0xd3, 0xa8, 0xea, 0x0f, 0xe8, 0x54, 0x16, 0xb0, 0x89, 0xeb, 0x8f, 0xa3, 0xda, 0xab, 0x89,
-	0xa8, 0xa6, 0xae, 0x2a, 0x26, 0xd5, 0x78, 0xc8, 0x8c, 0x30, 0xae, 0xc9, 0x0e, 0x2c, 0x6d, 0x4b,
+	0x6f, 0x72, 0x5f, 0x5b, 0xf6, 0xb7, 0xb0, 0x96, 0x2e, 0x2c, 0xb7, 0x92, 0x7e, 0x0d, 0xd5, 0xc4,
-	0x19, 0xa9, 0x96, 0xa3, 0xf2, 0xf2, 0xe7, 0x37, 0x5e, 0xf8, 0x06, 0xc2, 0xf5, 0x95, 0xd4, 0xa2,
+	0xed, 0xb9, 0x8d, 0xa8, 0xf3, 0x2f, 0x0b, 0xaa, 0x89, 0x2b, 0xae, 0x92, 0x71, 0x3a, 0xa2, 0x46,
-	0x2a, 0x88, 0xbb, 0x4c, 0x48, 0x3f, 0xc4, 0x90, 0x61, 0x87, 0xa8, 0xb8, 0x69, 0x96, 0xfd, 0x15,
+	0x58, 0xad, 0xd1, 0x2e, 0xac, 0xec, 0x08, 0x11, 0xca, 0x56, 0x25, 0xf3, 0xf9, 0x97, 0xd7, 0x16,
-	0xc0, 0x44, 0xec, 0x4e, 0x3e, 0xfc, 0xd3, 0x82, 0x7b, 0x33, 0x55, 0x6d, 0xae, 0x27, 0xfb, 0xd3,
+	0x8a, 0x86, 0x82, 0xeb, 0xab, 0xac, 0x45, 0x65, 0xf0, 0xf7, 0x28, 0x17, 0x5e, 0xa0, 0x42, 0xad,
-	0x9e, 0x6c, 0xde, 0xb2, 0x42, 0xce, 0xfa, 0xf3, 0x7f, 0xec, 0xf6, 0x10, 0x8a, 0xba, 0x95, 0xcc,
+	0x3a, 0x4b, 0x85, 0x24, 0x59, 0xf6, 0xd7, 0x00, 0x33, 0xb1, 0x5b, 0xf9, 0xf0, 0x0f, 0x0b, 0xee,
-	0xdd, 0xa1, 0x0d, 0xe5, 0x5d, 0x5f, 0x78, 0xa7, 0x01, 0xeb, 0xa2, 0x68, 0xd9, 0x4d, 0x68, 0xec,
+	0xcc, 0x55, 0xc3, 0x85, 0x9e, 0x1c, 0xa4, 0x3d, 0xd9, 0xbe, 0x61, 0x65, 0x9d, 0xf7, 0xe7, 0xff,
-	0x63, 0xb8, 0x7b, 0x1d, 0x3d, 0x4d, 0x38, 0xba, 0x66, 0x90, 0x15, 0xc8, 0x25, 0x33, 0x50, 0xee,
+	0x38, 0xed, 0x11, 0x14, 0x75, 0x0b, 0x5a, 0x78, 0x42, 0x1b, 0xca, 0x7b, 0x1e, 0x77, 0x3b, 0x3e,
-	0x60, 0x57, 0x81, 0x55, 0x03, 0xd7, 0xae, 0x56, 0x5c, 0x4d, 0x38, 0x2d, 0x28, 0xea, 0x2a, 0x34,
+	0xed, 0x29, 0xd1, 0x32, 0x89, 0x69, 0xd5, 0xff, 0xd4, 0xe9, 0x75, 0xf4, 0x34, 0xe1, 0xe8, 0x5a,
-	0x83, 0xb7, 0xa1, 0xdc, 0xf2, 0x03, 0x86, 0x73, 0x80, 0xde, 0x73, 0x42, 0x2b, 0xf7, 0xf6, 0xc2,
+	0x83, 0xd6, 0x20, 0x17, 0xcf, 0x4e, 0xb9, 0xc3, 0x3d, 0x09, 0x96, 0x8d, 0x5f, 0xbb, 0x5a, 0x21,
-	0x0b, 0x63, 0x56, 0x2d, 0x9d, 0xad, 0x54, 0xbb, 0x57, 0x7e, 0xe0, 0x64, 0x60, 0xfc, 0xc0, 0x79,
+	0x9a, 0x70, 0x5a, 0x50, 0xd4, 0xd5, 0x6b, 0x0e, 0x6f, 0x43, 0xb9, 0xe5, 0xf9, 0x54, 0xcd, 0x0f,
-	0xe0, 0x01, 0x14, 0x5b, 0x3c, 0x1a, 0x78, 0xd2, 0x28, 0x33, 0x94, 0xe3, 0xc0, 0xca, 0x41, 0x28,
+	0xfa, 0xcc, 0x31, 0x2d, 0xdd, 0xdb, 0x0f, 0x26, 0xc6, 0xac, 0x5c, 0x3a, 0x3f, 0x24, 0xc6, 0x04,
-	0x86, 0xac, 0x23, 0xb3, 0xc7, 0xc6, 0x23, 0xf8, 0x24, 0xc1, 0x98, 0x81, 0x31, 0x35, 0xf7, 0x58,
+	0xe9, 0x87, 0x9a, 0x28, 0x8c, 0x1f, 0x6a, 0x8e, 0xb8, 0x07, 0xc5, 0x16, 0x0b, 0x87, 0xae, 0x30,
-	0x77, 0x9f, 0x7b, 0xfe, 0x61, 0x41, 0x25, 0xa9, 0x6c, 0xa4, 0x09, 0x45, 0x3c, 0x8d, 0x78, 0xfa,
+	0xca, 0x0c, 0x25, 0x5b, 0xd3, 0x61, 0x3f, 0x60, 0x21, 0x6d, 0x0b, 0x57, 0x8c, 0xb5, 0x2b, 0x65,
-	0x7c, 0x75, 0x43, 0x29, 0x6c, 0x7c, 0x44, 0xb4, 0xe9, 0x30, 0x5a, 0xd4, 0xfe, 0x1e, 0xaa, 0x29,
+	0x92, 0xe2, 0x39, 0x0e, 0xac, 0x1d, 0x06, 0x7c, 0x44, 0xbb, 0x22, 0x7b, 0x24, 0x3d, 0x86, 0x4f,
-	0xf6, 0x9c, 0x04, 0xd8, 0x4c, 0x27, 0x40, 0x66, 0x6b, 0xd0, 0x46, 0xd2, 0xe9, 0xb1, 0x0b, 0x45,
+	0x62, 0x8c, 0x19, 0x46, 0x13, 0x33, 0x95, 0x75, 0xfb, 0x99, 0xea, 0xef, 0x16, 0x54, 0xe2, 0xaa,
-	0xcd, 0x9c, 0x1b, 0x56, 0x02, 0x85, 0x7d, 0x2f, 0xd2, 0xa9, 0x91, 0x77, 0x71, 0xad, 0x78, 0x6d,
+	0x89, 0x9a, 0x50, 0x54, 0x5f, 0x2c, 0x9a, 0x6c, 0x5f, 0x5c, 0x53, 0x66, 0x1b, 0x1f, 0x14, 0xda,
-	0x7e, 0x26, 0xf1, 0x78, 0xf2, 0x2e, 0xae, 0x9d, 0x7f, 0x59, 0x50, 0x33, 0xa3, 0xa4, 0x89, 0x20,
+	0x74, 0x2f, 0x2d, 0x6a, 0x7f, 0x84, 0x6a, 0x82, 0xbd, 0x20, 0x49, 0xb6, 0x93, 0x49, 0x92, 0xd9,
-	0x83, 0x55, 0x7d, 0x43, 0x59, 0x14, 0xf3, 0x8c, 0xff, 0x6f, 0x16, 0x84, 0x32, 0x86, 0x36, 0xae,
+	0x76, 0xb4, 0x91, 0x64, 0x0a, 0xed, 0x41, 0x51, 0x33, 0x17, 0x86, 0x1e, 0x41, 0xe1, 0xc0, 0x0d,
-	0xcb, 0xea, 0x68, 0xcc, 0xa8, 0xb4, 0x9b, 0x70, 0x7f, 0x2e, 0xf4, 0x4e, 0x57, 0xe4, 0x25, 0xdc,
+	0x75, 0xfa, 0xe4, 0x89, 0x5a, 0x4b, 0x5e, 0x9b, 0x9d, 0x09, 0x15, 0xee, 0x3c, 0x51, 0x6b, 0xe7,
-	0x9b, 0x0c, 0xc9, 0xd9, 0x79, 0xb2, 0x06, 0x24, 0x0d, 0x33, 0x43, 0xf4, 0x53, 0xa8, 0xaa, 0x47,
+	0x9f, 0x16, 0xd4, 0xcc, 0x98, 0x6a, 0x22, 0x48, 0x61, 0x5d, 0xdf, 0x62, 0x1a, 0xc6, 0x95, 0x4f,
-	0x47, 0xb6, 0x98, 0x03, 0xcb, 0x1a, 0x60, 0x22, 0x43, 0xa0, 0xd0, 0x67, 0x63, 0x9d, 0x0d, 0x15,
+	0xfb, 0xff, 0x7a, 0x49, 0x28, 0x23, 0x68, 0xe3, 0xaa, 0xac, 0x8e, 0xc6, 0x9c, 0x4a, 0xbb, 0x09,
-	0x17, 0xd7, 0xce, 0xdf, 0x2c, 0xf5, 0x76, 0x18, 0x8e, 0xe4, 0x7b, 0x26, 0x84, 0xd7, 0x53, 0x09,
+	0x77, 0x17, 0x42, 0x6f, 0x75, 0x8d, 0x9e, 0xc3, 0x9d, 0xd9, 0x00, 0x9e, 0x9d, 0x27, 0x1b, 0x80,
-	0x58, 0x38, 0x08, 0x7d, 0x69, 0xb2, 0xef, 0xb3, 0xac, 0x37, 0xc4, 0x70, 0x24, 0x15, 0xcc, 0x48,
+	0x92, 0x30, 0x33, 0xa0, 0x3f, 0x86, 0xaa, 0x7c, 0xd0, 0x64, 0x8b, 0x39, 0xb0, 0xaa, 0x01, 0x26,
-	0xed, 0xff, 0xc8, 0x45, 0x29, 0xb2, 0x05, 0x85, 0x5d, 0x4f, 0x7a, 0x26, 0x17, 0x32, 0x26, 0x26,
+	0x32, 0x08, 0x0a, 0x03, 0x3a, 0xd5, 0xd9, 0x50, 0x21, 0x6a, 0xed, 0xfc, 0xcd, 0x92, 0xef, 0x92,
-	0x85, 0x48, 0x09, 0x2a, 0x72, 0xa7, 0xa4, 0x1e, 0x4a, 0xc3, 0x91, 0x74, 0x5e, 0xc0, 0xea, 0x75,
+	0xd1, 0x58, 0xbc, 0xa3, 0x9c, 0xbb, 0x7d, 0x99, 0x80, 0x85, 0xc3, 0xc0, 0x13, 0x26, 0xfb, 0x3e,
-	0xed, 0x73, 0x5c, 0xfb, 0x12, 0xaa, 0x29, 0x2d, 0x78, 0x6f, 0x8f, 0x5a, 0x08, 0x28, 0xbb, 0x6a,
+	0xcb, 0x7a, 0x9f, 0x8c, 0xc6, 0x42, 0xc2, 0x8c, 0xd4, 0xc1, 0x4f, 0x88, 0x92, 0x42, 0xaf, 0xa0,
-	0xa9, 0x7c, 0x4d, 0x36, 0xb2, 0xac, 0x6d, 0x38, 0x9f, 0x40, 0x0d, 0x55, 0x27, 0x11, 0xfc, 0x53,
+	0xb0, 0xe7, 0x0a, 0xd7, 0xe4, 0x42, 0xc6, 0x34, 0x26, 0x11, 0x09, 0x41, 0x49, 0xee, 0x96, 0xe4,
-	0x0e, 0x4a, 0xb1, 0x8a, 0xad, 0x29, 0xbf, 0x9f, 0x65, 0xf9, 0x3d, 0xeb, 0xf2, 0x6b, 0x28, 0xa8,
+	0x23, 0x6c, 0x34, 0x16, 0xce, 0x33, 0x58, 0xbf, 0xaa, 0x7d, 0x81, 0x6b, 0x5f, 0x42, 0x35, 0xa1,
-	0xfa, 0x61, 0x5c, 0xce, 0x18, 0x37, 0x5a, 0xdd, 0x94, 0x98, 0x82, 0x93, 0x6f, 0xa1, 0xe8, 0x32,
+	0x45, 0xdd, 0xed, 0xe3, 0x96, 0x02, 0x94, 0x89, 0x5c, 0x4a, 0x5f, 0xe3, 0x83, 0xac, 0x6a, 0x1b,
-	0xa1, 0x46, 0x23, 0xfd, 0x88, 0x78, 0x3e, 0x5f, 0x50, 0x63, 0x26, 0xc2, 0x46, 0x48, 0x89, 0xb7,
+	0xce, 0x27, 0x50, 0x53, 0xaa, 0xe3, 0x08, 0xfe, 0x29, 0x07, 0xa5, 0x48, 0xc5, 0xab, 0x94, 0xdf,
-	0xfd, 0x5e, 0xe8, 0x05, 0xb4, 0xb0, 0x48, 0x5c, 0x63, 0x52, 0xe2, 0x9a, 0x31, 0x09, 0xf7, 0x5f,
+	0x4f, 0xb2, 0xfc, 0x9e, 0x77, 0xf9, 0x25, 0x14, 0x64, 0x8d, 0x31, 0x2e, 0x67, 0x8c, 0x32, 0xad,
-	0x2c, 0xa8, 0x2e, 0x0c, 0xf5, 0xe2, 0x67, 0xde, 0xcc, 0xd3, 0x33, 0xff, 0x3f, 0x3e, 0x3d, 0xff,
+	0x5e, 0x42, 0x4c, 0xc2, 0xd1, 0x77, 0x50, 0x24, 0x94, 0xcb, 0xb1, 0x4b, 0x3f, 0x50, 0x9e, 0x2e,
-	0x9c, 0x9b, 0x56, 0x84, 0x53, 0x92, 0xba, 0x4f, 0x43, 0xee, 0x87, 0xd2, 0xa4, 0x6c, 0x8a, 0xa3,
+	0x16, 0xd4, 0x98, 0x99, 0xb0, 0x11, 0x92, 0xe2, 0x6d, 0xaf, 0x1f, 0xb8, 0x3e, 0x2e, 0x2c, 0x13,
-	0x36, 0xda, 0x1c, 0x74, 0x4d, 0xd1, 0x57, 0x4b, 0x75, 0xcd, 0x0e, 0xb9, 0xe2, 0x55, 0x31, 0x0d,
+	0xd7, 0x98, 0x84, 0xb8, 0x66, 0xcc, 0xc2, 0xfd, 0x17, 0x0b, 0xaa, 0x4b, 0x43, 0xbd, 0xfc, 0x09,
-	0x34, 0x31, 0x29, 0xe9, 0x79, 0x53, 0xd2, 0x55, 0x6a, 0x7c, 0x10, 0x2c, 0xc2, 0xc0, 0x55, 0x5c,
+	0x39, 0xf7, 0xac, 0xcd, 0xff, 0x8f, 0xcf, 0xda, 0x3f, 0xe7, 0xd2, 0x8a, 0xd4, 0x04, 0x26, 0xef,
-	0x5c, 0xab, 0x2a, 0x7e, 0xc8, 0x91, 0xbb, 0x84, 0xc2, 0x86, 0x42, 0x2b, 0x97, 0x5d, 0x5a, 0xd4,
+	0xd3, 0x88, 0x79, 0x81, 0x30, 0x29, 0x9b, 0xe0, 0xc8, 0x83, 0x36, 0x87, 0x3d, 0xd3, 0x18, 0xe4,
-	0xe1, 0x68, 0x5e, 0xc6, 0x56, 0x2e, 0xbb, 0xb4, 0x94, 0x58, 0xb9, 0x44, 0x2b, 0x27, 0x72, 0x4c,
+	0x52, 0x5e, 0xb3, 0x23, 0x26, 0x79, 0x55, 0x95, 0x06, 0x9a, 0x98, 0x95, 0xfd, 0xbc, 0x29, 0xfb,
-	0xcb, 0x3a, 0x01, 0x4f, 0xe4, 0x58, 0xb5, 0x19, 0x97, 0x07, 0xc1, 0xa9, 0xd7, 0xe9, 0xd3, 0x8a,
+	0x32, 0x35, 0xde, 0x73, 0x1a, 0xaa, 0xc0, 0x55, 0x88, 0x5a, 0xcb, 0x4a, 0x7f, 0xc4, 0x14, 0x77,
-	0xee, 0x6f, 0x31, 0xad, 0xe6, 0x49, 0x15, 0x73, 0xdf, 0x0b, 0xf0, 0xe5, 0x51, 0x76, 0x63, 0xd2,
+	0x45, 0x09, 0x1b, 0x4a, 0x59, 0xb9, 0xe8, 0xe1, 0xa2, 0x0e, 0x47, 0xf3, 0x22, 0xb2, 0x72, 0xd1,
-	0xd9, 0x86, 0x4a, 0x92, 0x2a, 0xaa, 0x73, 0xb5, 0xba, 0x78, 0x14, 0x35, 0x37, 0xd7, 0xea, 0xc6,
+	0xc3, 0xa5, 0xd8, 0xca, 0x85, 0xb2, 0x72, 0x2a, 0xa6, 0xb8, 0xac, 0x13, 0xf0, 0x54, 0x4c, 0x65,
-	0x59, 0x9e, 0x9b, 0xcd, 0xf2, 0x7c, 0x2a, 0xcb, 0xb7, 0xa0, 0x36, 0x95, 0x34, 0x0a, 0xe4, 0xf2,
+	0x2b, 0x22, 0xcc, 0xf7, 0x3b, 0x6e, 0x77, 0x80, 0x2b, 0xba, 0x07, 0x46, 0xb4, 0x9c, 0x55, 0x65,
-	0x4b, 0x61, 0x14, 0xe1, 0x5a, 0xf1, 0x9a, 0x3c, 0xd0, 0x6f, 0xeb, 0x9a, 0x8b, 0x6b, 0xe7, 0x39,
+	0xcc, 0x3d, 0xd7, 0x57, 0xaf, 0x9a, 0x32, 0x89, 0x48, 0x67, 0x07, 0x2a, 0x71, 0xaa, 0xc8, 0xee,
-	0xd4, 0xa6, 0xd2, 0x65, 0x5e, 0x5d, 0x76, 0x9e, 0x41, 0xad, 0x2d, 0x3d, 0x39, 0x5a, 0xf0, 0x67,
+	0xd6, 0xea, 0xa9, 0x4f, 0x51, 0x23, 0xb9, 0x56, 0x2f, 0xca, 0xf2, 0xdc, 0x7c, 0x96, 0xe7, 0x13,
-	0xc8, 0x7f, 0x2c, 0x58, 0x89, 0x31, 0xa6, 0xf2, 0xfc, 0x02, 0xca, 0x17, 0x2c, 0x92, 0xec, 0x2a,
+	0x59, 0xfe, 0x0a, 0x6a, 0xa9, 0xa4, 0x91, 0x20, 0xc2, 0x2e, 0xb8, 0x51, 0xa4, 0xd6, 0x92, 0xd7,
-	0xe9, 0x45, 0x74, 0x76, 0x9c, 0xfd, 0x88, 0x08, 0x37, 0x41, 0x92, 0xaf, 0xa1, 0x2c, 0x50, 0x0f,
+	0x64, 0xbe, 0x7e, 0xb7, 0xd7, 0x88, 0x5a, 0x3b, 0x4f, 0xa1, 0x96, 0x4a, 0x97, 0x45, 0x75, 0xd9,
-	0x8b, 0xe7, 0x98, 0x27, 0x59, 0x52, 0xc6, 0x5e, 0x82, 0x27, 0x1b, 0x50, 0x08, 0x78, 0x4f, 0xe0,
+	0x79, 0x02, 0x35, 0xdd, 0xe0, 0xb2, 0xcb, 0xce, 0x7f, 0x2c, 0x58, 0x8b, 0x30, 0xa6, 0xf2, 0xfc,
-	0xb9, 0x57, 0x37, 0x1f, 0x65, 0xc9, 0xbd, 0xe3, 0x3d, 0x17, 0x81, 0xe4, 0x2d, 0x94, 0x2f, 0xbd,
+	0x0a, 0xca, 0x13, 0x1a, 0x0a, 0x7a, 0x19, 0xf7, 0x22, 0x3c, 0x3f, 0x2a, 0x7f, 0x50, 0x08, 0x12,
-	0x28, 0xf4, 0xc3, 0x5e, 0xfc, 0x26, 0x7f, 0x9a, 0x25, 0xf4, 0xbd, 0xc6, 0xb9, 0x89, 0x80, 0x53,
+	0x23, 0xd1, 0x37, 0x50, 0xe6, 0x4a, 0x0f, 0x8d, 0x66, 0x9d, 0x47, 0x59, 0x52, 0xc6, 0x5e, 0x8c,
-	0x53, 0x97, 0xe8, 0x8c, 0x9b, 0x98, 0x38, 0xbf, 0x51, 0xb9, 0xac, 0x48, 0xe3, 0xfe, 0x01, 0xd4,
+	0x47, 0x5b, 0x50, 0xf0, 0x59, 0x9f, 0xab, 0xef, 0x5e, 0xdd, 0x7e, 0x90, 0x25, 0xf7, 0x96, 0xf5,
-	0xf4, 0x7d, 0xf8, 0xc8, 0x22, 0xa1, 0xa6, 0x42, 0x6b, 0xd1, 0x9d, 0xdd, 0x49, 0x43, 0xdd, 0x69,
+	0x89, 0x02, 0xa2, 0x37, 0x50, 0xbe, 0x70, 0xc3, 0xc0, 0x0b, 0xfa, 0xd1, 0x7b, 0xff, 0x71, 0x96,
-	0x49, 0xe7, 0x07, 0xd3, 0xee, 0x62, 0x86, 0xca, 0xa5, 0xa1, 0xd7, 0xe9, 0x7b, 0xbd, 0xf8, 0x9c,
+	0xd0, 0x47, 0x8d, 0x23, 0xb1, 0x80, 0x53, 0x93, 0x97, 0xe8, 0x8c, 0x99, 0x98, 0x38, 0xbf, 0x95,
-	0x62, 0x52, 0x7d, 0xb9, 0x30, 0xf6, 0xf4, 0xb5, 0x8d, 0x49, 0x95, 0x9b, 0x11, 0xbb, 0xf0, 0xc5,
+	0xb9, 0x2c, 0x49, 0xe3, 0xfe, 0x21, 0xd4, 0xf4, 0x7d, 0xf8, 0x40, 0x43, 0x2e, 0x27, 0x47, 0x6b,
-	0x64, 0x40, 0x4d, 0xe8, 0xcd, 0xbf, 0x96, 0x00, 0x9a, 0xc9, 0x7e, 0xc8, 0x31, 0x2c, 0xa1, 0x3d,
+	0xd9, 0x9d, 0xdd, 0x4d, 0x42, 0x49, 0x5a, 0xd2, 0xf9, 0xd1, 0xb4, 0xbb, 0x88, 0x21, 0x73, 0x69,
-	0xe2, 0x2c, 0x6c, 0x9e, 0xe8, 0xb7, 0xfd, 0xfc, 0x16, 0x0d, 0x96, 0x7c, 0x54, 0xc9, 0x8f, 0x43,
+	0xe4, 0x76, 0x07, 0x6e, 0x3f, 0xfa, 0x4e, 0x11, 0x29, 0x77, 0x26, 0xc6, 0x9e, 0xbe, 0xb6, 0x11,
-	0x0f, 0x79, 0x91, 0x55, 0x26, 0xd2, 0x73, 0x93, 0xfd, 0xf2, 0x06, 0x94, 0xd1, 0xfb, 0x01, 0x8a,
+	0x29, 0x73, 0x33, 0xa4, 0x13, 0x8f, 0xcf, 0x86, 0xd8, 0x98, 0xde, 0xfe, 0x6b, 0x09, 0xa0, 0x19,
-	0x3a, 0x0b, 0x48, 0x56, 0x2d, 0x4c, 0xe7, 0xad, 0xfd, 0x62, 0x31, 0x48, 0x2b, 0xfd, 0xdc, 0x22,
+	0x9f, 0x07, 0x9d, 0xc0, 0x8a, 0xb2, 0x87, 0x9c, 0xa5, 0xcd, 0x53, 0xf9, 0x6d, 0x3f, 0xbd, 0x41,
-	0xae, 0xa9, 0x94, 0xc4, 0x59, 0xd0, 0x0a, 0xcd, 0x8d, 0xc9, 0x0a, 0xc0, 0x54, 0xd7, 0xa9, 0x5b,
+	0x83, 0x45, 0x1f, 0x64, 0xf2, 0xab, 0xa1, 0x07, 0x3d, 0xcb, 0x2a, 0x13, 0xc9, 0xb9, 0xc9, 0x7e,
-	0xe4, 0x3b, 0x28, 0xea, 0x5a, 0x47, 0x3e, 0x9d, 0x2f, 0x10, 0xeb, 0x5b, 0xfc, 0xb9, 0x6e, 0x7d,
+	0x7e, 0x0d, 0xca, 0xe8, 0x7d, 0x0f, 0x45, 0x9d, 0x05, 0x28, 0xab, 0x16, 0x26, 0xf3, 0xd6, 0x7e,
-	0x6e, 0x91, 0xf7, 0x50, 0x50, 0x4d, 0x9e, 0x64, 0x74, 0xac, 0xd4, 0x84, 0x60, 0x3b, 0x8b, 0x20,
+	0xb6, 0x1c, 0xa4, 0x95, 0x7e, 0x6e, 0x21, 0x62, 0x2a, 0x25, 0x72, 0x96, 0xb4, 0x42, 0x73, 0x63,
-	0x26, 0x8a, 0x3f, 0x00, 0x4c, 0x46, 0x0d, 0x92, 0xf1, 0xcf, 0xca, 0xcc, 0xcc, 0x62, 0xd7, 0x6f,
+	0xb2, 0x02, 0x90, 0xea, 0x3a, 0x75, 0x0b, 0x7d, 0x0f, 0x45, 0x5d, 0xeb, 0xd0, 0xa7, 0x8b, 0x05,
-	0x06, 0x1a, 0x03, 0xef, 0x55, 0x9f, 0x3d, 0xe3, 0x24, 0xb3, 0xc3, 0x26, 0xd7, 0xc8, 0x76, 0x16,
+	0x22, 0x7d, 0xcb, 0xb7, 0xeb, 0xd6, 0xe7, 0x16, 0x7a, 0x07, 0x05, 0xd9, 0xe4, 0x51, 0x46, 0xc7,
-	0x41, 0x8c, 0xba, 0x73, 0xa8, 0x4d, 0xfd, 0xf3, 0x4a, 0x7e, 0x96, 0xed, 0xe4, 0xf5, 0x3f, 0x72,
+	0x4a, 0x4c, 0x08, 0xb6, 0xb3, 0x0c, 0x62, 0xa2, 0xf8, 0x23, 0xc0, 0x6c, 0xd4, 0x40, 0x19, 0xff,
-	0xed, 0x57, 0xb7, 0xc2, 0x1a, 0x4b, 0x32, 0x3d, 0xab, 0x99, 0xcf, 0xa4, 0x71, 0x93, 0xdf, 0xd3,
+	0xda, 0xcc, 0xcd, 0x2c, 0x76, 0xfd, 0x7a, 0xa0, 0x31, 0xf0, 0x4e, 0xf6, 0xd9, 0x33, 0x86, 0x32,
-	0xff, 0xa2, 0xda, 0x1b, 0xb7, 0xc6, 0x6b, 0xab, 0x3b, 0x85, 0xdf, 0xe6, 0x86, 0xa7, 0xa7, 0x45,
+	0x3b, 0x6c, 0x7c, 0x8d, 0x6c, 0x67, 0x19, 0xc4, 0xa8, 0x3b, 0x87, 0x5a, 0xea, 0x5f, 0x5d, 0xf4,
-	0xfc, 0x43, 0xfa, 0xcb, 0xff, 0x06, 0x00, 0x00, 0xff, 0xff, 0xe3, 0x77, 0x0e, 0x2f, 0x2e, 0x17,
+	0x8b, 0x6c, 0x27, 0xaf, 0xfe, 0x49, 0x6c, 0xbf, 0xb8, 0x11, 0xd6, 0x58, 0x12, 0xc9, 0x59, 0xcd,
-	0x00, 0x00,
+	0x6c, 0xa3, 0xc6, 0x75, 0x7e, 0xa7, 0xff, 0xa1, 0xb5, 0xb7, 0x6e, 0x8c, 0xd7, 0x56, 0x77, 0x0b,
+	0xbf, 0xcb, 0x8d, 0x3a, 0x9d, 0xa2, 0xfa, 0xb3, 0xfb, 0xcb, 0xff, 0x06, 0x00, 0x00, 0xff, 0xff,
+	0xc1, 0x07, 0x8b, 0x2b, 0x8a, 0x17, 0x00, 0x00,
 }
 
 // Reference imports to suppress errors if they are not otherwise used.

controller/pb/controller.proto

@@ -80,6 +80,7 @@ message BuildOptions {
   string Ref = 29;
   string GroupRef = 30;
   repeated string Annotations = 31;
+  bool WithProvenanceResponse = 32;
 }
 
 message ExportEntry {
@@ -111,8 +112,9 @@ message Secret {
 }
 
 message PrintFunc {
-	string Name = 1;
+  string Name = 1;
-	string Format = 2;
+  string Format = 2;
+  bool IgnoreStatus = 3;
 }
 
 message InspectRequest {

controller/pb/export.go

@@ -15,6 +15,7 @@ func CreateExports(entries []*ExportEntry) ([]client.ExportEntry, error) {
 	if len(entries) == 0 {
 		return nil, nil
 	}
+	var stdoutUsed bool
 	for _, entry := range entries {
 		if entry.Type == "" {
 			return nil, errors.Errorf("type is required for output")
@@ -68,10 +69,14 @@ func CreateExports(entries []*ExportEntry) ([]client.ExportEntry, error) {
 				entry.Destination = "-"
 			}
 			if entry.Destination == "-" {
+				if stdoutUsed {
+					return nil, errors.Errorf("multiple outputs configured to write to stdout")
+				}
 				if _, err := console.ConsoleFromFile(os.Stdout); err == nil {
 					return nil, errors.Errorf("dest file is required for %s exporter. refusing to write to console", out.Type)
 				}
 				out.Output = wrapWriteCloser(os.Stdout)
+				stdoutUsed = true
 			} else if entry.Destination != "" {
 				fi, err := os.Stat(entry.Destination)
 				if err != nil && !os.IsNotExist(err) {

docker-bake.hcl

@@ -7,6 +7,9 @@ variable "DOCS_FORMATS" {
 variable "DESTDIR" {
   default = "./bin"
 }
+variable "GOLANGCI_LINT_MULTIPLATFORM" {
+  default = null
+}
 
 # Special target: https://github.com/docker/metadata-action#bake-definition
 target "meta-helper" {
@@ -32,6 +35,17 @@ target "lint" {
   inherits = ["_common"]
   dockerfile = "./hack/dockerfiles/lint.Dockerfile"
   output = ["type=cacheonly"]
+  platforms = GOLANGCI_LINT_MULTIPLATFORM != null ? [
+    "darwin/amd64",
+    "darwin/arm64",
+    "linux/amd64",
+    "linux/arm64",
+    "linux/s390x",
+    "linux/ppc64le",
+    "linux/riscv64",
+    "windows/amd64",
+    "windows/arm64"
+  ] : []
 }
 
 target "validate-vendor" {
@@ -166,6 +180,9 @@ variable "HTTPS_PROXY" {
 variable "NO_PROXY" {
   default = ""
 }
+variable "TEST_BUILDKIT_TAG" {
+  default = null
+}
 
 target "integration-test-base" {
   inherits = ["_common"]
@@ -173,6 +190,7 @@ target "integration-test-base" {
     HTTP_PROXY = HTTP_PROXY
     HTTPS_PROXY = HTTPS_PROXY
     NO_PROXY = NO_PROXY
+    BUILDKIT_VERSION = TEST_BUILDKIT_TAG
   }
   target = "integration-test-base"
   output = ["type=cacheonly"]

docs/bake-reference.md

@@ -213,7 +213,7 @@ target "webapp" {
 The following table shows the complete list of attributes that you can assign to a target:
 
 | Name                                            | Type    | Description                                                          |
-| ----------------------------------------------- | ------- | -------------------------------------------------------------------- |
+|-------------------------------------------------|---------|----------------------------------------------------------------------|
 | [`args`](#targetargs)                           | Map     | Build arguments                                                      |
 | [`annotations`](#targetannotations)             | List    | Exporter annotations                                                 |
 | [`attest`](#targetattest)                       | List    | Build attestations                                                   |
@@ -233,9 +233,11 @@ The following table shows the complete list of attributes that you can assign to
 | [`platforms`](#targetplatforms)                 | List    | Target platforms                                                     |
 | [`pull`](#targetpull)                           | Boolean | Always pull images                                                   |
 | [`secret`](#targetsecret)                       | List    | Secrets to expose to the build                                       |
+| [`shm-size`](#targetshm-size)                   | List    | Size of `/dev/shm`                                                   |
 | [`ssh`](#targetssh)                             | List    | SSH agent sockets or keys to expose to the build                     |
 | [`tags`](#targettags)                           | List    | Image names and tags                                                 |
 | [`target`](#targettarget)                       | String  | Target build stage                                                   |
+| [`ulimits`](#targetulimits)                     | List    | Ulimit options                                                       |
 
 ### `target.args`
 
@@ -274,13 +276,13 @@ target "db" {
 
 ### `target.annotations`
 
-The `annotations` attribute is a shortcut to allow you to easily set a list of
+The `annotations` attribute lets you add annotations to images built with bake.
-annotations on the target.
+The key takes a list of annotations, in the format of `KEY=VALUE`.
 
 ```hcl
 target "default" {
   output = ["type=image,name=foo"]
-  annotations = ["key=value"]
+  annotations = ["org.opencontainers.image.authors=dvdksn"]
 }
 ```
 
@@ -288,10 +290,25 @@ is the same as
 
 ```hcl
 target "default" {
-  output = ["type=image,name=foo,annotation.key=value"]
+  output = ["type=image,name=foo,annotation.org.opencontainers.image.authors=dvdksn"]
 }
 ```
 
+By default, the annotation is added to image manifests. You can configure the
+level of the annotations by adding a prefix to the annotation, containing a
+comma-separated list of all the levels that you want to annotate. The following
+example adds annotations to both the image index and manifests.
+
+```hcl
+target "default" {
+  output = ["type=image,name=foo"]
+  annotations = ["index,manifest:org.opencontainers.image.authors=dvdksn"]
+}
+```
+
+Read about the supported levels in
+[Specifying annotation levels](https://docs.docker.com/build/building/annotations/#specifying-annotation-levels).
+
 ### `target.attest`
 
 The `attest` attribute lets you apply [build attestations][attestations] to the target.
@@ -817,6 +834,29 @@ RUN --mount=type=secret,id=KUBECONFIG \
     KUBECONFIG=$(cat /run/secrets/KUBECONFIG) helm upgrade --install
 ```
 
+### `target.shm-size`
+
+Sets the size of the shared memory allocated for build containers when using
+`RUN` instructions.
+
+The format is `<number><unit>`. `number` must be greater than `0`. Unit is
+optional and can be `b` (bytes), `k` (kilobytes), `m` (megabytes), or `g`
+(gigabytes). If you omit the unit, the system uses bytes.
+
+This is the same as the `--shm-size` flag for `docker build`.
+
+```hcl
+target "default" {
+  shm-size = "128m"
+}
+```
+
+> **Note**
+>
+> In most cases, it is recommended to let the builder automatically determine
+> the appropriate configurations. Manual adjustments should only be considered
+> when specific performance tuning is required for complex build scenarios.
+
 ### `target.ssh`
 
 Defines SSH agent sockets or keys to expose to the build.
@@ -863,6 +903,32 @@ target "default" {
 }
 ```
 
+### `target.ulimits`
+
+Ulimits overrides the default ulimits of build's containers when using `RUN`
+instructions and are specified with a soft and hard limit as such:
+`<type>=<soft limit>[:<hard limit>]`, for example:
+
+```hcl
+target "app" {
+  ulimits = [
+    "nofile=1024:1024"
+  ]
+}
+```
+
+> **Note**
+>
+> If you do not provide a `hard limit`, the `soft limit` is used
+> for both values. If no `ulimits` are set, they are inherited from
+> the default `ulimits` set on the daemon.
+
+> **Note**
+>
+> In most cases, it is recommended to let the builder automatically determine
+> the appropriate configurations. Manual adjustments should only be considered
+> when specific performance tuning is required for complex build scenarios.
+
 ## Group
 
 Groups allow you to invoke multiple builds (targets) at once.
@@ -1054,20 +1120,20 @@ target "webapp-dev" {
 
 [attestations]: https://docs.docker.com/build/attestations/
 [bake_stdlib]: https://github.com/docker/buildx/blob/master/bake/hclparser/stdlib.go
-[build-arg]: https://docs.docker.com/engine/reference/commandline/build/#build-arg
+[build-arg]: https://docs.docker.com/reference/cli/docker/image/build/#build-arg
-[build-context]: https://docs.docker.com/engine/reference/commandline/buildx_build/#build-context
+[build-context]: https://docs.docker.com/reference/cli/docker/buildx/build/#build-context
 [cache-backends]: https://docs.docker.com/build/cache/backends/
-[cache-from]: https://docs.docker.com/engine/reference/commandline/buildx_build/#cache-from
+[cache-from]: https://docs.docker.com/reference/cli/docker/buildx/build/#cache-from
-[cache-to]: https://docs.docker.com/engine/reference/commandline/buildx_build/#cache-to
+[cache-to]: https://docs.docker.com/reference/cli/docker/buildx/build/#cache-to
-[context]: https://docs.docker.com/engine/reference/commandline/buildx_build/#build-context
+[context]: https://docs.docker.com/reference/cli/docker/buildx/build/#build-context
-[file]: https://docs.docker.com/engine/reference/commandline/build/#file
+[file]: https://docs.docker.com/reference/cli/docker/image/build/#file
 [go-cty]: https://github.com/zclconf/go-cty/tree/main/cty/function/stdlib
 [hcl-funcs]: https://docs.docker.com/build/bake/hcl-funcs/
-[output]: https://docs.docker.com/engine/reference/commandline/buildx_build/#output
+[output]: https://docs.docker.com/reference/cli/docker/buildx/build/#output
-[platform]: https://docs.docker.com/engine/reference/commandline/buildx_build/#platform
+[platform]: https://docs.docker.com/reference/cli/docker/buildx/build/#platform
-[run_mount_secret]: https://docs.docker.com/engine/reference/builder/#run---mounttypesecret
+[run_mount_secret]: https://docs.docker.com/reference/dockerfile/#run---mounttypesecret
-[secret]: https://docs.docker.com/engine/reference/commandline/buildx_build/#secret
+[secret]: https://docs.docker.com/reference/cli/docker/buildx/build/#secret
-[ssh]: https://docs.docker.com/engine/reference/commandline/buildx_build/#ssh
+[ssh]: https://docs.docker.com/reference/cli/docker/buildx/build/#ssh
-[tag]: https://docs.docker.com/engine/reference/commandline/build/#tag
+[tag]: https://docs.docker.com/reference/cli/docker/image/build/#tag
-[target]: https://docs.docker.com/engine/reference/commandline/build/#target
+[target]: https://docs.docker.com/reference/cli/docker/image/build/#target
 [userfunc]: https://github.com/hashicorp/hcl/tree/main/ext/userfunc

docs/generate.go

@@ -3,6 +3,7 @@ package main
 import (
 	"log"
 	"os"
+	"strings"
 
 	"github.com/docker/buildx/commands"
 	clidocstool "github.com/docker/cli-docs-tool"
@@ -26,6 +27,28 @@ type options struct {
 	formats []string
 }
 
+// fixUpExperimentalCLI trims the " (EXPERIMENTAL)" suffix from the CLI output,
+// as docs.docker.com already displays "experimental (CLI)",
+//
+// https://github.com/docker/buildx/pull/2188#issuecomment-1889487022
+func fixUpExperimentalCLI(cmd *cobra.Command) {
+	const (
+		annotationExperimentalCLI = "experimentalCLI"
+		suffixExperimental        = " (EXPERIMENTAL)"
+	)
+	if _, ok := cmd.Annotations[annotationExperimentalCLI]; ok {
+		cmd.Short = strings.TrimSuffix(cmd.Short, suffixExperimental)
+	}
+	cmd.Flags().VisitAll(func(f *pflag.Flag) {
+		if _, ok := f.Annotations[annotationExperimentalCLI]; ok {
+			f.Usage = strings.TrimSuffix(f.Usage, suffixExperimental)
+		}
+	})
+	for _, c := range cmd.Commands() {
+		fixUpExperimentalCLI(c)
+	}
+}
+
 func gen(opts *options) error {
 	log.SetFlags(0)
 
@@ -57,6 +80,8 @@ func gen(opts *options) error {
 				return err
 			}
 		case "yaml":
+			// fix up is needed only for yaml (used for generating docs.docker.com contents)
+			fixUpExperimentalCLI(cmd)
 			if err = c.GenYamlTree(cmd); err != nil {
 				return err
 			}

docs/reference/buildx.md

@@ -1,6 +1,6 @@
 # buildx
 
-```
+```text
 docker buildx [OPTIONS] COMMAND
 ```
 
@@ -9,21 +9,22 @@ Extended build capabilities with BuildKit
 
 ### Subcommands
 
-| Name                                 | Description                            |
+| Name                                 | Description                                     |
-|:-------------------------------------|:---------------------------------------|
+|:-------------------------------------|:------------------------------------------------|
-| [`bake`](buildx_bake.md)             | Build from a file                      |
+| [`bake`](buildx_bake.md)             | Build from a file                               |
-| [`build`](buildx_build.md)           | Start a build                          |
+| [`build`](buildx_build.md)           | Start a build                                   |
-| [`create`](buildx_create.md)         | Create a new builder instance          |
+| [`create`](buildx_create.md)         | Create a new builder instance                   |
-| [`debug`](buildx_debug.md)           | Start debugger                         |
+| [`debug`](buildx_debug.md)           | Start debugger (EXPERIMENTAL)                   |
-| [`du`](buildx_du.md)                 | Disk usage                             |
+| [`dial-stdio`](buildx_dial-stdio.md) | Proxy current stdio streams to builder instance |
-| [`imagetools`](buildx_imagetools.md) | Commands to work on images in registry |
+| [`du`](buildx_du.md)                 | Disk usage                                      |
-| [`inspect`](buildx_inspect.md)       | Inspect current builder instance       |
+| [`imagetools`](buildx_imagetools.md) | Commands to work on images in registry          |
-| [`ls`](buildx_ls.md)                 | List builder instances                 |
+| [`inspect`](buildx_inspect.md)       | Inspect current builder instance                |
-| [`prune`](buildx_prune.md)           | Remove build cache                     |
+| [`ls`](buildx_ls.md)                 | List builder instances                          |
-| [`rm`](buildx_rm.md)                 | Remove a builder instance              |
+| [`prune`](buildx_prune.md)           | Remove build cache                              |
-| [`stop`](buildx_stop.md)             | Stop builder instance                  |
+| [`rm`](buildx_rm.md)                 | Remove one or more builder instances            |
-| [`use`](buildx_use.md)               | Set the current builder instance       |
+| [`stop`](buildx_stop.md)             | Stop builder instance                           |
-| [`version`](buildx_version.md)       | Show buildx version information        |
+| [`use`](buildx_use.md)               | Set the current builder instance                |
+| [`version`](buildx_version.md)       | Show buildx version information                 |
 
 
 ### Options

docs/reference/buildx_bake.md

@@ -1,6 +1,6 @@
 # buildx bake
 
-```
+```text
 docker buildx bake [OPTIONS] [TARGET...]
 ```
 
@@ -13,27 +13,27 @@ Build from a file
 
 ### Options
 
-| Name                             | Type          | Default | Description                                                                              |
+| Name                                | Type          | Default | Description                                                                              |
-|:---------------------------------|:--------------|:--------|:-----------------------------------------------------------------------------------------|
+|:------------------------------------|:--------------|:--------|:-----------------------------------------------------------------------------------------|
-| [`--builder`](#builder)          | `string`      |         | Override the configured builder instance                                                 |
+| [`--builder`](#builder)             | `string`      |         | Override the configured builder instance                                                 |
-| [`-f`](#file), [`--file`](#file) | `stringArray` |         | Build definition file                                                                    |
+| [`-f`](#file), [`--file`](#file)    | `stringArray` |         | Build definition file                                                                    |
-| `--load`                         |               |         | Shorthand for `--set=*.output=type=docker`                                               |
+| `--load`                            |               |         | Shorthand for `--set=*.output=type=docker`                                               |
-| `--metadata-file`                | `string`      |         | Write build result metadata to the file                                                  |
+| [`--metadata-file`](#metadata-file) | `string`      |         | Write build result metadata to a file                                                    |
-| [`--no-cache`](#no-cache)        |               |         | Do not use cache when building the image                                                 |
+| [`--no-cache`](#no-cache)           |               |         | Do not use cache when building the image                                                 |
-| [`--print`](#print)              |               |         | Print the options without building                                                       |
+| [`--print`](#print)                 |               |         | Print the options without building                                                       |
-| [`--progress`](#progress)        | `string`      | `auto`  | Set type of progress output (`auto`, `plain`, `tty`). Use plain to show container output |
+| [`--progress`](#progress)           | `string`      | `auto`  | Set type of progress output (`auto`, `plain`, `tty`). Use plain to show container output |
-| [`--provenance`](#provenance)    | `string`      |         | Shorthand for `--set=*.attest=type=provenance`                                           |
+| [`--provenance`](#provenance)       | `string`      |         | Shorthand for `--set=*.attest=type=provenance`                                           |
-| [`--pull`](#pull)                |               |         | Always attempt to pull all referenced images                                             |
+| [`--pull`](#pull)                   |               |         | Always attempt to pull all referenced images                                             |
-| `--push`                         |               |         | Shorthand for `--set=*.output=type=registry`                                             |
+| `--push`                            |               |         | Shorthand for `--set=*.output=type=registry`                                             |
-| [`--sbom`](#sbom)                | `string`      |         | Shorthand for `--set=*.attest=type=sbom`                                                 |
+| [`--sbom`](#sbom)                   | `string`      |         | Shorthand for `--set=*.attest=type=sbom`                                                 |
-| [`--set`](#set)                  | `stringArray` |         | Override target value (e.g., `targetpattern.key=value`)                                  |
+| [`--set`](#set)                     | `stringArray` |         | Override target value (e.g., `targetpattern.key=value`)                                  |
 
 
 <!---MARKER_GEN_END-->
 
 ## Description
 
-Bake is a high-level build command. Each specified target will run in parallel
+Bake is a high-level build command. Each specified target runs in parallel
 as part of the build.
 
 Read [High-level build options with Bake](https://docs.docker.com/build/bake/)
@@ -54,8 +54,8 @@ Same as [`buildx --builder`](buildx.md#builder).
 ### <a name="file"></a> Specify a build definition file (-f, --file)
 
 Use the `-f` / `--file` option to specify the build definition file to use.
-The file can be an HCL, JSON or Compose file. If multiple files are specified
+The file can be an HCL, JSON or Compose file. If multiple files are specified,
-they are all read and configurations are combined.
+all are read and the build configurations are combined.
 
 You can pass the names of the targets to build, to build only specific target(s).
 The following example builds the `db` and `webapp-release` targets that are
@@ -90,9 +90,80 @@ $ docker buildx bake -f docker-bake.dev.hcl db webapp-release
 See the [Bake file reference](https://docs.docker.com/build/bake/reference/)
 for more details.
 
-### <a name="no-cache"></a> Do not use cache when building the image (--no-cache)
+### <a name="metadata-file"></a> Write build results metadata to a file (--metadata-file)
 
-Same as `build --no-cache`. Do not use cache when building the image.
+Similar to [`buildx build --metadata-file`](buildx_build.md#metadata-file) but
+writes a map of results for each target such as:
+
+```hcl
+# docker-bake.hcl
+group "default" {
+  targets = ["db", "webapp-dev"]
+}
+
+target "db" {
+  dockerfile = "Dockerfile.db"
+  tags = ["docker.io/username/db"]
+}
+
+target "webapp-dev" {
+  dockerfile = "Dockerfile.webapp"
+  tags = ["docker.io/username/webapp"]
+}
+```
+
+```console
+$ docker buildx bake --load --metadata-file metadata.json .
+$ cat metadata.json
+```
+
+```json
+{
+  "db": {
+    "buildx.build.provenance": {},
+    "buildx.build.ref": "mybuilder/mybuilder0/0fjb6ubs52xx3vygf6fgdl611",
+    "containerimage.config.digest": "sha256:2937f66a9722f7f4a2df583de2f8cb97fc9196059a410e7f00072fc918930e66",
+    "containerimage.descriptor": {
+      "annotations": {
+        "config.digest": "sha256:2937f66a9722f7f4a2df583de2f8cb97fc9196059a410e7f00072fc918930e66",
+        "org.opencontainers.image.created": "2022-02-08T21:28:03Z"
+      },
+      "digest": "sha256:19ffeab6f8bc9293ac2c3fdf94ebe28396254c993aea0b5a542cfb02e0883fa3",
+      "mediaType": "application/vnd.oci.image.manifest.v1+json",
+      "size": 506
+    },
+    "containerimage.digest": "sha256:19ffeab6f8bc9293ac2c3fdf94ebe28396254c993aea0b5a542cfb02e0883fa3"
+  },
+  "webapp-dev": {
+    "buildx.build.provenance": {},
+    "buildx.build.ref": "mybuilder/mybuilder0/kamngmcgyzebqxwu98b4lfv3n",
+    "containerimage.config.digest": "sha256:9651cc2b3c508f697c9c43b67b64c8359c2865c019e680aac1c11f4b875b67e0",
+    "containerimage.descriptor": {
+      "annotations": {
+        "config.digest": "sha256:9651cc2b3c508f697c9c43b67b64c8359c2865c019e680aac1c11f4b875b67e0",
+        "org.opencontainers.image.created": "2022-02-08T21:28:15Z"
+      },
+      "digest": "sha256:6d9ac9237a84afe1516540f40a0fafdc86859b2141954b4d643af7066d598b74",
+      "mediaType": "application/vnd.oci.image.manifest.v1+json",
+      "size": 506
+    },
+    "containerimage.digest": "sha256:6d9ac9237a84afe1516540f40a0fafdc86859b2141954b4d643af7066d598b74"
+  }
+}
+```
+
+> **Note**
+>
+> Build record [provenance](https://docs.docker.com/build/attestations/slsa-provenance/#provenance-attestation-example)
+> (`buildx.build.provenance`) includes minimal provenance by default. Set the
+> `BUILDX_METADATA_PROVENANCE` environment variable to customize this behavior:
+> * `min` sets minimal provenance (default).
+> * `max` sets full provenance.
+> * `disabled`, `false` or `0` does not set any provenance.
+
+### <a name="no-cache"></a> Don't use cache when building the image (--no-cache)
+
+Same as `build --no-cache`. Don't use cache when building the image.
 
 ### <a name="print"></a> Print the options without building (--print)
 
@@ -154,7 +225,7 @@ $ docker buildx bake --set *.platform=linux/arm64     # overrides platform for a
 $ docker buildx bake --set foo*.no-cache              # bypass caching only for targets starting with 'foo'
 ```
 
-Complete list of overridable fields:
+You can override the following fields:
 
 * `args`
 * `cache-from`
@@ -162,6 +233,7 @@ Complete list of overridable fields:
 * `context`
 * `dockerfile`
 * `labels`
+* `load`
 * `no-cache`
 * `no-cache-filter`
 * `output`

docs/reference/buildx_build.md

@@ -1,6 +1,6 @@
 # buildx build
 
-```
+```text
 docker buildx build [OPTIONS] PATH | URL | -
 ```
 
@@ -13,44 +13,44 @@ Start a build
 
 ### Options
 
-| Name                                                                                                                                                   | Type          | Default   | Description                                                                                         |
+| Name                                                                                                                                               | Type          | Default   | Description                                                                                         |
-|:-------------------------------------------------------------------------------------------------------------------------------------------------------|:--------------|:----------|:----------------------------------------------------------------------------------------------------|
+|:---------------------------------------------------------------------------------------------------------------------------------------------------|:--------------|:----------|:----------------------------------------------------------------------------------------------------|
-| [`--add-host`](https://docs.docker.com/engine/reference/commandline/build/#add-host)                                                                   | `stringSlice` |           | Add a custom host-to-IP mapping (format: `host:ip`)                                                 |
+| [`--add-host`](https://docs.docker.com/reference/cli/docker/image/build/#add-host)                                                                 | `stringSlice` |           | Add a custom host-to-IP mapping (format: `host:ip`)                                                 |
-| [`--allow`](#allow)                                                                                                                                    | `stringSlice` |           | Allow extra privileged entitlement (e.g., `network.host`, `security.insecure`)                      |
+| [`--allow`](#allow)                                                                                                                                | `stringSlice` |           | Allow extra privileged entitlement (e.g., `network.host`, `security.insecure`)                      |
-| `--annotation`                                                                                                                                         | `stringArray` |           | Add annotation to the image                                                                         |
+| [`--annotation`](#annotation)                                                                                                                      | `stringArray` |           | Add annotation to the image                                                                         |
-| [`--attest`](#attest)                                                                                                                                  | `stringArray` |           | Attestation parameters (format: `type=sbom,generator=image`)                                        |
+| [`--attest`](#attest)                                                                                                                              | `stringArray` |           | Attestation parameters (format: `type=sbom,generator=image`)                                        |
-| [`--build-arg`](#build-arg)                                                                                                                            | `stringArray` |           | Set build-time variables                                                                            |
+| [`--build-arg`](#build-arg)                                                                                                                        | `stringArray` |           | Set build-time variables                                                                            |
-| [`--build-context`](#build-context)                                                                                                                    | `stringArray` |           | Additional build contexts (e.g., name=path)                                                         |
+| [`--build-context`](#build-context)                                                                                                                | `stringArray` |           | Additional build contexts (e.g., name=path)                                                         |
-| [`--builder`](#builder)                                                                                                                                | `string`      |           | Override the configured builder instance                                                            |
+| [`--builder`](#builder)                                                                                                                            | `string`      |           | Override the configured builder instance                                                            |
-| [`--cache-from`](#cache-from)                                                                                                                          | `stringArray` |           | External cache sources (e.g., `user/app:cache`, `type=local,src=path/to/dir`)                       |
+| [`--cache-from`](#cache-from)                                                                                                                      | `stringArray` |           | External cache sources (e.g., `user/app:cache`, `type=local,src=path/to/dir`)                       |
-| [`--cache-to`](#cache-to)                                                                                                                              | `stringArray` |           | Cache export destinations (e.g., `user/app:cache`, `type=local,dest=path/to/dir`)                   |
+| [`--cache-to`](#cache-to)                                                                                                                          | `stringArray` |           | Cache export destinations (e.g., `user/app:cache`, `type=local,dest=path/to/dir`)                   |
-| [`--cgroup-parent`](https://docs.docker.com/engine/reference/commandline/build/#cgroup-parent)                                                         | `string`      |           | Set the parent cgroup for the `RUN` instructions during build                                       |
+| [`--cgroup-parent`](https://docs.docker.com/reference/cli/docker/image/build/#cgroup-parent)                                                       | `string`      |           | Set the parent cgroup for the `RUN` instructions during build                                       |
-| `--detach`                                                                                                                                             |               |           | Detach buildx server (supported only on linux)                                                      |
+| `--detach`                                                                                                                                         |               |           | Detach buildx server (supported only on linux) (EXPERIMENTAL)                                       |
-| [`-f`](https://docs.docker.com/engine/reference/commandline/build/#file), [`--file`](https://docs.docker.com/engine/reference/commandline/build/#file) | `string`      |           | Name of the Dockerfile (default: `PATH/Dockerfile`)                                                 |
+| [`-f`](https://docs.docker.com/reference/cli/docker/image/build/#file), [`--file`](https://docs.docker.com/reference/cli/docker/image/build/#file) | `string`      |           | Name of the Dockerfile (default: `PATH/Dockerfile`)                                                 |
-| `--iidfile`                                                                                                                                            | `string`      |           | Write the image ID to the file                                                                      |
+| `--iidfile`                                                                                                                                        | `string`      |           | Write the image ID to a file                                                                        |
-| `--label`                                                                                                                                              | `stringArray` |           | Set metadata for an image                                                                           |
+| `--label`                                                                                                                                          | `stringArray` |           | Set metadata for an image                                                                           |
-| [`--load`](#load)                                                                                                                                      |               |           | Shorthand for `--output=type=docker`                                                                |
+| [`--load`](#load)                                                                                                                                  |               |           | Shorthand for `--output=type=docker`                                                                |
-| [`--metadata-file`](#metadata-file)                                                                                                                    | `string`      |           | Write build result metadata to the file                                                             |
+| [`--metadata-file`](#metadata-file)                                                                                                                | `string`      |           | Write build result metadata to a file                                                               |
-| `--network`                                                                                                                                            | `string`      | `default` | Set the networking mode for the `RUN` instructions during build                                     |
+| `--network`                                                                                                                                        | `string`      | `default` | Set the networking mode for the `RUN` instructions during build                                     |
-| `--no-cache`                                                                                                                                           |               |           | Do not use cache when building the image                                                            |
+| `--no-cache`                                                                                                                                       |               |           | Do not use cache when building the image                                                            |
-| `--no-cache-filter`                                                                                                                                    | `stringArray` |           | Do not cache specified stages                                                                       |
+| [`--no-cache-filter`](#no-cache-filter)                                                                                                            | `stringArray` |           | Do not cache specified stages                                                                       |
-| [`-o`](#output), [`--output`](#output)                                                                                                                 | `stringArray` |           | Output destination (format: `type=local,dest=path`)                                                 |
+| [`-o`](#output), [`--output`](#output)                                                                                                             | `stringArray` |           | Output destination (format: `type=local,dest=path`)                                                 |
-| [`--platform`](#platform)                                                                                                                              | `stringArray` |           | Set target platform for build                                                                       |
+| [`--platform`](#platform)                                                                                                                          | `stringArray` |           | Set target platform for build                                                                       |
-| `--print`                                                                                                                                              | `string`      |           | Print result of information request (e.g., outline, targets)                                        |
+| `--print`                                                                                                                                          | `string`      |           | Print result of information request (e.g., outline, targets) (EXPERIMENTAL)                         |
-| [`--progress`](#progress)                                                                                                                              | `string`      | `auto`    | Set type of progress output (`auto`, `plain`, `tty`). Use plain to show container output            |
+| [`--progress`](#progress)                                                                                                                          | `string`      | `auto`    | Set type of progress output (`auto`, `plain`, `tty`). Use plain to show container output            |
-| [`--provenance`](#provenance)                                                                                                                          | `string`      |           | Shorthand for `--attest=type=provenance`                                                            |
+| [`--provenance`](#provenance)                                                                                                                      | `string`      |           | Shorthand for `--attest=type=provenance`                                                            |
-| `--pull`                                                                                                                                               |               |           | Always attempt to pull all referenced images                                                        |
+| `--pull`                                                                                                                                           |               |           | Always attempt to pull all referenced images                                                        |
-| [`--push`](#push)                                                                                                                                      |               |           | Shorthand for `--output=type=registry`                                                              |
+| [`--push`](#push)                                                                                                                                  |               |           | Shorthand for `--output=type=registry`                                                              |
-| `-q`, `--quiet`                                                                                                                                        |               |           | Suppress the build output and print image ID on success                                             |
+| `-q`, `--quiet`                                                                                                                                    |               |           | Suppress the build output and print image ID on success                                             |
-| `--root`                                                                                                                                               | `string`      |           | Specify root directory of server to connect                                                         |
+| `--root`                                                                                                                                           | `string`      |           | Specify root directory of server to connect (EXPERIMENTAL)                                          |
-| [`--sbom`](#sbom)                                                                                                                                      | `string`      |           | Shorthand for `--attest=type=sbom`                                                                  |
+| [`--sbom`](#sbom)                                                                                                                                  | `string`      |           | Shorthand for `--attest=type=sbom`                                                                  |
-| [`--secret`](#secret)                                                                                                                                  | `stringArray` |           | Secret to expose to the build (format: `id=mysecret[,src=/local/secret]`)                           |
+| [`--secret`](#secret)                                                                                                                              | `stringArray` |           | Secret to expose to the build (format: `id=mysecret[,src=/local/secret]`)                           |
-| `--server-config`                                                                                                                                      | `string`      |           | Specify buildx server config file (used only when launching new server)                             |
+| `--server-config`                                                                                                                                  | `string`      |           | Specify buildx server config file (used only when launching new server) (EXPERIMENTAL)              |
-| [`--shm-size`](#shm-size)                                                                                                                              | `bytes`       | `0`       | Size of `/dev/shm`                                                                                  |
+| [`--shm-size`](#shm-size)                                                                                                                          | `bytes`       | `0`       | Shared memory size for build containers                                                             |
-| [`--ssh`](#ssh)                                                                                                                                        | `stringArray` |           | SSH agent socket or keys to expose to the build (format: `default\|<id>[=<socket>\|<key>[,<key>]]`) |
+| [`--ssh`](#ssh)                                                                                                                                    | `stringArray` |           | SSH agent socket or keys to expose to the build (format: `default\|<id>[=<socket>\|<key>[,<key>]]`) |
-| [`-t`](https://docs.docker.com/engine/reference/commandline/build/#tag), [`--tag`](https://docs.docker.com/engine/reference/commandline/build/#tag)    | `stringArray` |           | Name and optionally a tag (format: `name:tag`)                                                      |
+| [`-t`](https://docs.docker.com/reference/cli/docker/image/build/#tag), [`--tag`](https://docs.docker.com/reference/cli/docker/image/build/#tag)    | `stringArray` |           | Name and optionally a tag (format: `name:tag`)                                                      |
-| [`--target`](https://docs.docker.com/engine/reference/commandline/build/#target)                                                                       | `string`      |           | Set the target build stage to build                                                                 |
+| [`--target`](https://docs.docker.com/reference/cli/docker/image/build/#target)                                                                     | `string`      |           | Set the target build stage to build                                                                 |
-| [`--ulimit`](#ulimit)                                                                                                                                  | `ulimit`      |           | Ulimit options                                                                                      |
+| [`--ulimit`](#ulimit)                                                                                                                              | `ulimit`      |           | Ulimit options                                                                                      |
 
 
 <!---MARKER_GEN_END-->
@@ -64,14 +64,60 @@ The `buildx build` command starts a build using BuildKit. This command is simila
 to the UI of `docker build` command and takes the same flags and arguments.
 
 For documentation on most of these flags, refer to the [`docker build`
-documentation](https://docs.docker.com/engine/reference/commandline/build/). In
+documentation](https://docs.docker.com/reference/cli/docker/image/build/).
-here we'll document a subset of the new flags.
+This page describes a subset of the new flags.
 
 ## Examples
 
+### <a name="annotation"></a> Create annotations (--annotation)
+
+```text
+--annotation="key=value"
+--annotation="[type:]key=value"
+```
+
+Add OCI annotations to the image index, manifest, or descriptor.
+The following example adds the `foo=bar` annotation to the image manifests:
+
+```console
+$ docker buildx build -t TAG --annotation "foo=bar" --push .
+```
+
+You can optionally add a type prefix to specify the level of the annotation. By
+default, the image manifest is annotated. The following example adds the
+`foo=bar` annotation the image index instead of the manifests:
+
+```console
+$ docker buildx build -t TAG --annotation "index:foo=bar" --push .
+```
+
+You can specify multiple types, separated by a comma (,) to add the annotation
+to multiple image components. The following example adds the `foo=bar`
+annotation to image index, descriptors, manifests:
+
+```console
+$ docker buildx build -t TAG --annotation "index,manifest,manifest-descriptor:foo=bar" --push .
+```
+
+You can also specify a platform qualifier in square brackets (`[os/arch]`) in
+the type prefix, to apply the annotation to a subset of manifests with the
+matching platform. The following example adds the `foo=bar` annotation only to
+the manifest with the `linux/amd64` platform:
+
+```console
+$ docker buildx build -t TAG --annotation "manifest[linux/amd64]:foo=bar" --push .
+```
+
+Wildcards are not supported in the platform qualifier; you can't specify a type
+prefix like `manifest[linux/*]` to add annotations only to manifests which has
+`linux` as the OS platform.
+
+For more information about annotations, see
+[Annotations](https://docs.docker.com/build/building/annotations/).
+
 ### <a name="attest"></a> Create attestations (--attest)
 
-```
+```text
 --attest=type=sbom,...
 --attest=type=provenance,...
 ```
@@ -98,7 +144,7 @@ BuildKit currently supports:
 
 ### <a name="allow"></a> Allow extra privileged entitlement (--allow)
 
-```
+```text
 --allow=ENTITLEMENT
 ```
 
@@ -106,12 +152,10 @@ Allow extra privileged entitlement. List of entitlements:
 
 - `network.host` - Allows executions with host networking.
 - `security.insecure` - Allows executions without sandbox. See
-  [related Dockerfile extensions](https://docs.docker.com/engine/reference/builder/#run---securitysandbox).
+  [related Dockerfile extensions](https://docs.docker.com/reference/dockerfile/#run---security).
 
-For entitlements to be enabled, the `buildkitd` daemon also needs to allow them
+For entitlements to be enabled, the BuildKit daemon also needs to allow them
-with `--allow-insecure-entitlement` (see [`create --buildkitd-flags`](buildx_create.md#buildkitd-flags))
+with `--allow-insecure-entitlement` (see [`create --buildkitd-flags`](buildx_create.md#buildkitd-flags)).
-
-**Examples**
 
 ```console
 $ docker buildx create --use --name insecure-builder --buildkitd-flags '--allow-insecure-entitlement security.insecure'
@@ -120,25 +164,23 @@ $ docker buildx build --allow security.insecure .
 
 ### <a name="build-arg"></a> Set build-time variables (--build-arg)
 
-Same as [`docker build` command](https://docs.docker.com/engine/reference/commandline/build/#build-arg).
+Same as [`docker build` command](https://docs.docker.com/reference/cli/docker/image/build/#build-arg).
 
-There are also useful built-in build args like:
+There are also useful built-in build arguments, such as:
 
-* `BUILDKIT_CONTEXT_KEEP_GIT_DIR=<bool>` trigger git context to keep the `.git` directory
+* `BUILDKIT_CONTEXT_KEEP_GIT_DIR=<bool>`: trigger git context to keep the `.git` directory
-* `BUILDKIT_INLINE_CACHE=<bool>` inline cache metadata to image config or not
+* `BUILDKIT_INLINE_CACHE=<bool>`: inline cache metadata to image config or not
-* `BUILDKIT_MULTI_PLATFORM=<bool>` opt into deterministic output regardless of multi-platform output or not
+* `BUILDKIT_MULTI_PLATFORM=<bool>`: opt into deterministic output regardless of multi-platform output or not
 
 ```console
 $ docker buildx build --build-arg BUILDKIT_MULTI_PLATFORM=1 .
 ```
 
-> **Note**
+Learn more about the built-in build arguments in the [Dockerfile reference docs](https://docs.docker.com/reference/dockerfile/#buildkit-built-in-build-args).
->
-> More built-in build args can be found in [Dockerfile reference docs](https://docs.docker.com/engine/reference/builder/#buildkit-built-in-build-args).
 
 ### <a name="build-context"></a> Additional build contexts (--build-context)
 
-```
+```text
 --build-context=name=VALUE
 ```
 
@@ -166,7 +208,7 @@ FROM alpine
 COPY --from=project myfile /
 ```
 
-#### <a name="source-oci-layout"></a> Source image from OCI layout directory
+#### <a name="source-oci-layout"></a> Use an OCI layout directory as build context
 
 Source an image from a local [OCI layout compliant directory](https://github.com/opencontainers/image-spec/blob/main/image-layout.md),
 either by tag, or by digest:
@@ -194,7 +236,7 @@ Same as [`buildx --builder`](buildx.md#builder).
 
 ### <a name="cache-from"></a> Use an external cache source for a build (--cache-from)
 
-```
+```text
 --cache-from=[NAME|type=TYPE[,KEY=VALUE]]
 ```
 
@@ -230,7 +272,7 @@ More info about cache exporters and available attributes: https://github.com/mob
 
 ### <a name="cache-to"></a> Export build cache to an external cache destination (--cache-to)
 
-```
+```text
 --cache-to=[NAME|type=TYPE[,KEY=VALUE]]
 ```
 
@@ -247,9 +289,8 @@ Export build cache to an external cache destination. Supported types are
 - [`s3` type](https://github.com/moby/buildkit#s3-cache-experimental) exports
   cache to a S3 bucket.
 
-`docker` driver currently only supports exporting inline cache metadata to image
+The `docker` driver only supports cache exports using the `inline` and `local`
-configuration. Alternatively, `--build-arg BUILDKIT_INLINE_CACHE=1` can be used
+cache backends.
-to trigger inline cache exporter.
 
 Attribute key:
 
@@ -273,7 +314,7 @@ More info about cache exporters and available attributes: https://github.com/mob
 Shorthand for [`--output=type=docker`](#docker). Will automatically load the
 single-platform build result to `docker images`.
 
-### <a name="metadata-file"></a> Write build result metadata to the file (--metadata-file)
+### <a name="metadata-file"></a> Write build result metadata to a file (--metadata-file)
 
 To output build metadata such as the image digest, pass the `--metadata-file` flag.
 The metadata will be written as a JSON object to the specified file. The
@@ -283,8 +324,11 @@ directory of the specified file must already exist and be writable.
 $ docker buildx build --load --metadata-file metadata.json .
 $ cat metadata.json
 ```
+
 ```json
 {
+  "buildx.build.provenance": {},
+  "buildx.build.ref": "mybuilder/mybuilder0/0fjb6ubs52xx3vygf6fgdl611",
   "containerimage.config.digest": "sha256:2937f66a9722f7f4a2df583de2f8cb97fc9196059a410e7f00072fc918930e66",
   "containerimage.descriptor": {
     "annotations": {
@@ -299,16 +343,80 @@ $ cat metadata.json
 }
 ```
 
+> **Note**
+>
+> Build record [provenance](https://docs.docker.com/build/attestations/slsa-provenance/#provenance-attestation-example)
+> (`buildx.build.provenance`) includes minimal provenance by default. Set the
+> `BUILDX_METADATA_PROVENANCE` environment variable to customize this behavior:
+> * `min` sets minimal provenance (default).
+> * `max` sets full provenance.
+> * `disabled`, `false` or `0` does not set any provenance.
+
+### <a name="no-cache-filter"></a> Ignore build cache for specific stages (--no-cache-filter)
+
+The `--no-cache-filter` lets you specify one or more stages of a multi-stage
+Dockerfile for which build cache should be ignored. To specify multiple stages,
+use a comma-separated syntax:
+
+```console
+$ docker buildx build --no-cache-filter stage1,stage2,stage3 .
+```
+
+For example, the following Dockerfile contains four stages:
+
+- `base`
+- `install`
+- `test`
+- `release`
+
+```dockerfile
+# syntax=docker/dockerfile:1
+
+FROM oven/bun:1 as base
+WORKDIR /app
+
+FROM base AS install
+WORKDIR /temp/dev
+RUN --mount=type=bind,source=package.json,target=package.json \
+    --mount=type=bind,source=bun.lockb,target=bun.lockb \
+    bun install --frozen-lockfile
+
+FROM base AS test
+COPY --from=install /temp/dev/node_modules node_modules
+COPY . .
+RUN bun test
+
+FROM base AS release
+ENV NODE_ENV=production
+COPY --from=install /temp/dev/node_modules node_modules
+COPY . .
+ENTRYPOINT ["bun", "run", "index.js"]
+```
+
+To ignore the cache for the `install` stage:
+
+```console
+$ docker buildx build --no-cache-filter install .
+```
+
+To ignore the cache the `install` and `release` stages:
+
+```console
+$ docker buildx build --no-cache-filter install,release .
+```
+
+The arguments for the `--no-cache-filter` flag must be names of stages.
+
 ### <a name="output"></a> Set the export action for the build result (-o, --output)
 
-```
+```text
 -o, --output=[PATH,-,type=TYPE[,KEY=VALUE]
 ```
 
 Sets the export action for the build result. In `docker build` all builds finish
 by creating a container image and exporting it to `docker images`. `buildx` makes
 this step configurable allowing results to be exported directly to the client,
-oci image tarballs, registry etc.
+OCI image tarballs, registry etc.
 
 Buildx with `docker` driver currently only supports local, tarball exporter and
 image exporter. `docker-container` driver supports all the exporters.
@@ -320,12 +428,16 @@ exporter and write to `stdout`.
 ```console
 $ docker buildx build -o . .
 $ docker buildx build -o outdir .
-$ docker buildx build -o - - > out.tar
+$ docker buildx build -o - . > out.tar
 $ docker buildx build -o type=docker .
 $ docker buildx build -o type=docker,dest=- . > myimage.tar
 $ docker buildx build -t tonistiigi/foo -o type=registry
 ```
 
+> **Note **
+>
+> Since BuildKit v0.13.0 multiple outputs can be specified by repeating the flag.
+
 Supported exported types are:
 
 #### `local`
@@ -363,15 +475,15 @@ The `docker` export type writes the single-platform result image as a [Docker im
 specification](https://github.com/docker/docker/blob/v20.10.2/image/spec/v1.2.md)
 tarball on the client. Tarballs created by this exporter are also OCI compatible.
 
-Currently, multi-platform images cannot be exported with the `docker` export type.
+The default image store in Docker Engine doesn't support loading multi-platform
-The most common usecase for multi-platform images is to directly push to a registry
+images. You can enable the containerd image store, or push multi-platform images
-(see [`registry`](#registry)).
+is to directly push to a registry, see [`registry`](#registry).
 
 Attribute keys:
 
-- `dest` - destination path where tarball will be written. If not specified the
+- `dest` - destination path where tarball will be written. If not specified,
-  tar will be loaded automatically to the current docker instance.
+  the tar will be loaded automatically to the local image store.
-- `context` - name for the docker context where to import the result
+- `context` - name for the Docker context where to import the result
 
 #### `image`
 
@@ -382,7 +494,7 @@ can be automatically pushed to a registry by specifying attributes.
 Attribute keys:
 
 - `name` - name (references) for the new image.
-- `push` - boolean to automatically push the image.
+- `push` - Boolean to automatically push the image.
 
 #### `registry`
 
@@ -390,7 +502,7 @@ The `registry` exporter is a shortcut for `type=image,push=true`.
 
 ### <a name="platform"></a> Set the target platforms for the build (--platform)
 
-```
+```text
 --platform=value[,value]
 ```
 
@@ -419,12 +531,12 @@ and `arm` architectures. You can see what runtime platforms your current builder
 instance supports by running `docker buildx inspect --bootstrap`.
 
 Inside a `Dockerfile`, you can access the current platform value through
-`TARGETPLATFORM` build argument. Please refer to the [`docker build`
+`TARGETPLATFORM` build argument. Refer to the [`docker build`
-documentation](https://docs.docker.com/engine/reference/builder/#automatic-platform-args-in-the-global-scope)
+documentation](https://docs.docker.com/reference/dockerfile/#automatic-platform-args-in-the-global-scope)
 for the full description of automatic platform argument variants .
 
-The formatting for the platform specifier is defined in the [containerd source
+You can find the formatting definition for the platform specifier in the
-code](https://github.com/containerd/containerd/blob/v1.4.3/platforms/platforms.go#L63).
+[containerd source code](https://github.com/containerd/containerd/blob/v1.4.3/platforms/platforms.go#L63).
 
 ```console
 $ docker buildx build --platform=linux/arm64 .
@@ -434,11 +546,11 @@ $ docker buildx build --platform=darwin .
 
 ### <a name="progress"></a> Set type of progress output (--progress)
 
-```
+```text
 --progress=VALUE
 ```
 
-Set type of progress output (auto, plain, tty). Use plain to show container
+Set type of progress output (`auto`, `plain`, `tty`). Use plain to show container
 output (default "auto").
 
 > **Note**
@@ -472,15 +584,18 @@ provenance attestations for the build result. For example,
 `--provenance=mode=max` can be used as an abbreviation for
 `--attest=type=provenance,mode=max`.
 
-Additionally, `--provenance` can be used with boolean values to broadly enable
+Additionally, `--provenance` can be used with Boolean values to enable or disable
-or disable provenance attestations. For example, `--provenance=false` can be
+provenance attestations. For example, `--provenance=false` disables all provenance attestations,
-used to disable all provenance attestations, while `--provenance=true` can be
+while `--provenance=true` enables all provenance attestations.
-used to enable all provenance attestations.
 
 By default, a minimal provenance attestation will be created for the build
-result, which will only be attached for images pushed to registries.
+result. Note that the default image store in Docker Engine doesn't support
+attestations. Provenance attestations only persist for images pushed directly
+to a registry if you use the default image store. Alternatively, you can switch
+to using the containerd image store.
 
-For more information, see [here](https://docs.docker.com/build/attestations/slsa-provenance/).
+For more information about provenance attestations, see
+[here](https://docs.docker.com/build/attestations/slsa-provenance/).
 
 ### <a name="push"></a> Push the build result to a registry (--push)
 
@@ -494,28 +609,40 @@ attestations for the build result. For example,
 `--sbom=generator=<user>/<generator-image>` can be used as an abbreviation for
 `--attest=type=sbom,generator=<user>/<generator-image>`.
 
-Additionally, `--sbom` can be used with boolean values to broadly enable or
+Additionally, `--sbom` can be used with Boolean values to enable or disable
-disable SBOM attestations. For example, `--sbom=false` can be used to disable
+SBOM attestations. For example, `--sbom=false` disables all SBOM attestations.
-all SBOM attestations.
+
+Note that the default image store in Docker Engine doesn't support
+attestations. Provenance attestations only persist for images pushed directly
+to a registry if you use the default image store. Alternatively, you can switch
+to using the containerd image store.
 
 For more information, see [here](https://docs.docker.com/build/attestations/sbom/).
 
 ### <a name="secret"></a> Secret to expose to the build (--secret)
 
-```
+```text
 --secret=[type=TYPE[,KEY=VALUE]
 ```
 
-Exposes secret to the build. The secret can be used by the build using
+Exposes secrets (authentication credentials, tokens) to the build.
-[`RUN --mount=type=secret` mount](https://docs.docker.com/engine/reference/builder/#run---mounttypesecret).
+A secret can be mounted into the build using a `RUN --mount=type=secret` mount in the
+[Dockerfile](https://docs.docker.com/reference/dockerfile/#run---mounttypesecret).
+For more information about how to use build secrets, see
+[Build secrets](https://docs.docker.com/build/building/secrets/).
 
-If `type` is unset it will be detected. Supported types are:
+Supported types are:
+
+- [`file`](#file)
+- [`env`](#env)
+
+Buildx attempts to detect the `type` automatically if unset.
 
 #### `file`
 
 Attribute keys:
 
-- `id` - ID of the secret. Defaults to basename of the `src` path.
+- `id` - ID of the secret. Defaults to base name of the `src` path.
 - `src`, `source` - Secret filename. `id` used if unset.
 
 ```dockerfile
@@ -549,15 +676,24 @@ RUN --mount=type=bind,target=. \
 $ SECRET_TOKEN=token docker buildx build --secret id=SECRET_TOKEN .
 ```
 
-### <a name="shm-size"></a> Size of /dev/shm (--shm-size)
+### <a name="shm-size"></a> Shared memory size for build containers (--shm-size)
+
+Sets the size of the shared memory allocated for build containers when using
+`RUN` instructions.
 
 The format is `<number><unit>`. `number` must be greater than `0`. Unit is
 optional and can be `b` (bytes), `k` (kilobytes), `m` (megabytes), or `g`
 (gigabytes). If you omit the unit, the system uses bytes.
 
+> **Note**
+>
+> In most cases, it is recommended to let the builder automatically determine
+> the appropriate configurations. Manual adjustments should only be considered
+> when specific performance tuning is required for complex build scenarios.
+
 ### <a name="ssh"></a> SSH agent socket or keys to expose to the build (--ssh)
 
-```
+```text
 --ssh=default|<id>[=<socket>|<key>[,<key>]]
 ```
 
@@ -565,7 +701,7 @@ This can be useful when some commands in your Dockerfile need specific SSH
 authentication (e.g., cloning a private repository).
 
 `--ssh` exposes SSH agent socket or keys to the build and can be used with the
-[`RUN --mount=type=ssh` mount](https://docs.docker.com/engine/reference/builder/#run---mounttypessh).
+[`RUN --mount=type=ssh` mount](https://docs.docker.com/reference/dockerfile/#run---mounttypessh).
 
 Example to access Gitlab using an SSH agent socket:
 
@@ -588,7 +724,8 @@ $ docker buildx build --ssh default=$SSH_AUTH_SOCK .
 
 ### <a name="ulimit"></a> Set ulimits (--ulimit)
 
-`--ulimit` is specified with a soft and hard limit as such:
+`--ulimit` overrides the default ulimits of build's containers when using `RUN`
+instructions and are specified with a soft and hard limit as such:
 `<type>=<soft limit>[:<hard limit>]`, for example:
 
 ```console
@@ -597,6 +734,12 @@ $ docker buildx build --ulimit nofile=1024:1024 .
 
 > **Note**
 >
-> If you do not provide a `hard limit`, the `soft limit` is used
+> If you don't provide a `hard limit`, the `soft limit` is used
-> for both values. If no `ulimits` are set, they are inherited from
+> for both values. If no `ulimits` are set, they're inherited from
 > the default `ulimits` set on the daemon.
+
+> **Note**
+>
+> In most cases, it is recommended to let the builder automatically determine
+> the appropriate configurations. Manual adjustments should only be considered
+> when specific performance tuning is required for complex build scenarios.

docs/reference/buildx_create.md

@@ -1,6 +1,6 @@
 # buildx create
 
-```
+```text
 docker buildx create [OPTIONS] [CONTEXT|ENDPOINT]
 ```
 
@@ -9,19 +9,19 @@ Create a new builder instance
 
 ### Options
 
-| Name                                    | Type          | Default | Description                                                           |
+| Name                                      | Type          | Default | Description                                                           |
-|:----------------------------------------|:--------------|:--------|:----------------------------------------------------------------------|
+|:------------------------------------------|:--------------|:--------|:----------------------------------------------------------------------|
-| [`--append`](#append)                   |               |         | Append a node to builder instead of changing it                       |
+| [`--append`](#append)                     |               |         | Append a node to builder instead of changing it                       |
-| `--bootstrap`                           |               |         | Boot builder after creation                                           |
+| `--bootstrap`                             |               |         | Boot builder after creation                                           |
-| [`--buildkitd-flags`](#buildkitd-flags) | `string`      |         | Flags for buildkitd daemon                                            |
+| [`--buildkitd-config`](#buildkitd-config) | `string`      |         | BuildKit daemon config file                                           |
-| [`--config`](#config)                   | `string`      |         | BuildKit config file                                                  |
+| [`--buildkitd-flags`](#buildkitd-flags)   | `string`      |         | BuildKit daemon flags                                                 |
-| [`--driver`](#driver)                   | `string`      |         | Driver to use (available: `docker-container`, `kubernetes`, `remote`) |
+| [`--driver`](#driver)                     | `string`      |         | Driver to use (available: `docker-container`, `kubernetes`, `remote`) |
-| [`--driver-opt`](#driver-opt)           | `stringArray` |         | Options for the driver                                                |
+| [`--driver-opt`](#driver-opt)             | `stringArray` |         | Options for the driver                                                |
-| [`--leave`](#leave)                     |               |         | Remove a node from builder instead of changing it                     |
+| [`--leave`](#leave)                       |               |         | Remove a node from builder instead of changing it                     |
-| [`--name`](#name)                       | `string`      |         | Builder instance name                                                 |
+| [`--name`](#name)                         | `string`      |         | Builder instance name                                                 |
-| [`--node`](#node)                       | `string`      |         | Create/modify node with given name                                    |
+| [`--node`](#node)                         | `string`      |         | Create/modify node with given name                                    |
-| [`--platform`](#platform)               | `stringArray` |         | Fixed platforms for current node                                      |
+| [`--platform`](#platform)                 | `stringArray` |         | Fixed platforms for current node                                      |
-| [`--use`](#use)                         |               |         | Set the current builder instance                                      |
+| [`--use`](#use)                           |               |         | Set the current builder instance                                      |
 
 
 <!---MARKER_GEN_END-->
@@ -29,9 +29,9 @@ Create a new builder instance
 
 ## Description
 
-Create makes a new builder instance pointing to a docker context or endpoint,
+Create makes a new builder instance pointing to a Docker context or endpoint,
 where context is the name of a context from `docker context ls` and endpoint is
-the address for docker socket (eg. `DOCKER_HOST` value).
+the address for Docker socket (eg. `DOCKER_HOST` value).
 
 By default, the current Docker configuration is used for determining the
 context/endpoint value.
@@ -55,31 +55,18 @@ $ docker buildx create --name eager_beaver --append mycontext2
 eager_beaver
 ```
 
-### <a name="buildkitd-flags"></a> Specify options for the buildkitd daemon (--buildkitd-flags)
+### <a name="buildkitd-config"></a> Specify a configuration file for the BuildKit daemon (--buildkitd-config)
 
-```
+```text
---buildkitd-flags FLAGS
+--buildkitd-config FILE
 ```
 
-Adds flags when starting the buildkitd daemon. They take precedence over the
+Specifies the configuration file for the BuildKit daemon to use. The
-configuration file specified by [`--config`](#config). See `buildkitd --help`
+configuration can be overridden by [`--buildkitd-flags`](#buildkitd-flags).
-for the available flags.
+See an [example BuildKit daemon configuration file](https://github.com/moby/buildkit/blob/master/docs/buildkitd.toml.md).
 
-```
+If you don't specify a configuration file, Buildx looks for one by default in:
---buildkitd-flags '--debug --debugaddr 0.0.0.0:6666'
-```
 
-### <a name="config"></a> Specify a configuration file for the buildkitd daemon (--config)
-
-```
---config FILE
-```
-
-Specifies the configuration file for the buildkitd daemon to use. The configuration
-can be overridden by [`--buildkitd-flags`](#buildkitd-flags).
-See an [example buildkitd configuration file](https://github.com/moby/buildkit/blob/master/docs/buildkitd.toml.md).
-
-If the configuration file is not specified, will look for one by default in:
 * `$BUILDX_CONFIG/buildkitd.default.toml`
 * `$DOCKER_CONFIG/buildx/buildkitd.default.toml`
 * `~/.docker/buildx/buildkitd.default.toml`
@@ -89,25 +76,62 @@ certificates for registries in the `buildkitd.toml` configuration, the files
 will be copied into the container under `/etc/buildkit/certs` and configuration
 will be updated to reflect that.
 
+### <a name="buildkitd-flags"></a> Specify options for the BuildKit daemon (--buildkitd-flags)
+
+```text
+--buildkitd-flags FLAGS
+```
+
+Adds flags when starting the BuildKit daemon. They take precedence over the
+configuration file specified by [`--buildkitd-config`](#buildkitd-config). See
+`buildkitd --help` for the available flags.
+
+```text
+--buildkitd-flags '--debug --debugaddr 0.0.0.0:6666'
+```
+
+#### BuildKit daemon network mode
+
+You can specify the network mode for the BuildKit daemon with either the
+configuration file specified by [`--buildkitd-config`](#buildkitd-config) using the
+`worker.oci.networkMode` option or `--oci-worker-net` flag here. The default
+value is `auto` and can be one of `bridge`, `cni`, `host`:
+
+```text
+--buildkitd-flags '--oci-worker-net bridge'
+```
+
+> **Note**
+>
+> Network mode "bridge" is supported since BuildKit v0.13 and will become the
+> default in next v0.14.
+
 ### <a name="driver"></a> Set the builder driver to use (--driver)
 
-```
+```text
 --driver DRIVER
 ```
 
-Sets the builder driver to be used. There are two available drivers, each have
+Sets the builder driver to be used. A driver is a configuration of a BuildKit
-their own specificities.
+backend. Buildx supports the following drivers:
+
+* `docker` (default)
+* `docker-container`
+* `kubernetes`
+* `remote`
+
+For more information about build drivers, see [here](https://docs.docker.com/build/drivers/).
 
 #### `docker` driver
 
-Uses the builder that is built into the docker daemon. With this driver,
+Uses the builder that is built into the Docker daemon. With this driver,
 the [`--load`](buildx_build.md#load) flag is implied by default on
 `buildx build`. However, building multi-platform images or exporting cache is
 not currently supported.
 
 #### `docker-container` driver
 
-Uses a BuildKit container that will be spawned via docker. With this driver,
+Uses a BuildKit container that will be spawned via Docker. With this driver,
 both building multi-platform images and exporting cache are supported.
 
 Unlike `docker` driver, built images will not automatically appear in
@@ -116,7 +140,7 @@ to achieve that.
 
 #### `kubernetes` driver
 
-Uses a kubernetes pods. With this driver, you can spin up pods with defined
+Uses Kubernetes pods. With this driver, you can spin up pods with defined
 BuildKit container image to build your images.
 
 Unlike `docker` driver, built images will not automatically appear in
@@ -125,8 +149,8 @@ to achieve that.
 
 #### `remote` driver
 
-Uses a remote instance of buildkitd over an arbitrary connection. With this
+Uses a remote instance of BuildKit daemon over an arbitrary connection. With
-driver, you manually create and manage instances of buildkit yourself, and
+this driver, you manually create and manage instances of buildkit yourself, and
 configure buildx to point at it.
 
 Unlike `docker` driver, built images will not automatically appear in
@@ -135,59 +159,18 @@ to achieve that.
 
 ### <a name="driver-opt"></a> Set additional driver-specific options (--driver-opt)
 
-```
+```text
 --driver-opt OPTIONS
 ```
 
 Passes additional driver-specific options.
+For information about available driver options, refer to the detailed
+documentation for the specific driver:
 
-Note: When using quoted values for the `nodeselector`, `annotations`, `labels` or
+* [`docker` driver](https://docs.docker.com/build/drivers/docker/)
-`tolerations` options, ensure that quotes are escaped correctly for your shell.
+* [`docker-container` driver](https://docs.docker.com/build/drivers/docker-container/)
-
+* [`kubernetes` driver](https://docs.docker.com/build/drivers/kubernetes/)
-#### `docker` driver
+* [`remote` driver](https://docs.docker.com/build/drivers/remote/)
-
-No driver options.
-
-#### `docker-container` driver
-
-- `image=IMAGE` - Sets the BuildKit image to use for the container.
-- `memory=MEMORY` - Sets the amount of memory the container can use.
-- `memory-swap=MEMORY_SWAP` - Sets the memory swap limit for the container.
-- `cpu-quota=CPU_QUOTA` - Imposes a CPU CFS quota on the container.
-- `cpu-period=CPU_PERIOD` - Sets the CPU CFS scheduler period for the container.
-- `cpu-shares=CPU_SHARES` - Configures CPU shares (relative weight) of the container.
-- `cpuset-cpus=CPUSET_CPUS` - Limits the set of CPU cores the container can use.
-- `cpuset-mems=CPUSET_MEMS` - Limits the set of CPU memory nodes the container can use.
-- `network=NETMODE` - Sets the network mode for the container.
-- `cgroup-parent=CGROUP` - Sets the cgroup parent of the container if docker is using the "cgroupfs" driver. Defaults to `/docker/buildx`.
-
-Before you configure the resource limits for the container, read about [configuring runtime resource constraints for containers](https://docs.docker.com/config/containers/resource_constraints/).
-
-#### `kubernetes` driver
-
-- `image=IMAGE` - Sets the container image to be used for running buildkit.
-- `namespace=NS` - Sets the Kubernetes namespace. Defaults to the current namespace.
-- `replicas=N` - Sets the number of `Pod` replicas. Defaults to 1.
-- `requests.cpu` - Sets the request CPU value specified in units of Kubernetes CPU. Example `requests.cpu=100m`, `requests.cpu=2`
-- `requests.memory` - Sets the request memory value specified in bytes or with a valid suffix. Example `requests.memory=500Mi`, `requests.memory=4G`
-- `limits.cpu` - Sets the limit CPU value specified in units of Kubernetes CPU. Example `limits.cpu=100m`, `limits.cpu=2`
-- `limits.memory` - Sets the limit memory value specified in bytes or with a valid suffix. Example `limits.memory=500Mi`, `limits.memory=4G`
-- `serviceaccount` - Sets the created pod's service account. Example `serviceaccount=example-sa`
-- `"nodeselector=label1=value1,label2=value2"` - Sets the kv of `Pod` nodeSelector. No Defaults. Example `nodeselector=kubernetes.io/arch=arm64`
-- `"annotations=domain/thing1=value1,domain/thing2=value2"` - Sets additional annotations on the deployments and pods. No Defaults. Example `annotations=example.com/owner=sarah`
-- `"labels=domain/thing1=value1,domain/thing2=value2"` - Sets additional labels on the deployments and pods. No Defaults. Example `labels=example.com/team=rd`
-- `"tolerations=key=foo,value=bar;key=foo2,operator=exists;key=foo3,effect=NoSchedule"` - Sets the `Pod` tolerations. Accepts the same values as the kube manifest tolera>tions. Key-value pairs are separated by `,`, tolerations are separated by `;`. No Defaults. Example `tolerations=operator=exists`
-- `rootless=(true|false)` - Run the container as a non-root user without `securityContext.privileged`. Needs Kubernetes 1.19 or later. [Using Ubuntu host kernel is recommended](https://github.com/moby/buildkit/blob/master/docs/rootless.md). Defaults to false.
-- `loadbalance=(sticky|random)` - Load-balancing strategy. If set to "sticky", the pod is chosen using the hash of the context path. Defaults to "sticky"
-- `qemu.install=(true|false)` - Install QEMU emulation for multi platforms support.
-- `qemu.image=IMAGE` - Sets the QEMU emulation image. Defaults to `tonistiigi/binfmt:latest`
-
-#### `remote` driver
-
-- `key=KEY` - Sets the TLS client key.
-- `cert=CERT` - Sets the TLS client certificate to present to buildkitd.
-- `cacert=CACERT` - Sets the TLS certificate authority used for validation.
-- `servername=SERVER` - Sets the TLS server name to be used in requests (defaults to the endpoint hostname).
 
 ### <a name="leave"></a> Remove a node from a builder (--leave)
 
@@ -201,7 +184,7 @@ $ docker buildx create --name mybuilder --node mybuilder0 --leave
 
 ### <a name="name"></a> Specify the name of the builder (--name)
 
-```
+```text
 --name NAME
 ```
 
@@ -210,17 +193,17 @@ If none is specified, one will be automatically generated.
 
 ### <a name="node"></a> Specify the name of the node (--node)
 
-```
+```text
 --node NODE
 ```
 
 The `--node` flag specifies the name of the node to be created or modified. If
-none is specified, it is the name of the builder it belongs to, with an index
+you don't specify a name, the node name defaults to the name of the builder it
-number suffix.
+belongs to, with an index number suffix.
 
 ### <a name="platform"></a> Set the platforms supported by the node (--platform)
 
-```
+```text
 --platform PLATFORMS
 ```
 

docs/reference/buildx_debug.md

@@ -1,7 +1,7 @@
 # docker buildx debug
 
 <!---MARKER_GEN_START-->
-Start debugger
+Start debugger (EXPERIMENTAL)
 
 ### Subcommands
 
@@ -15,12 +15,12 @@ Start debugger
 | Name              | Type     | Default | Description                                                                                              |
 |:------------------|:---------|:--------|:---------------------------------------------------------------------------------------------------------|
 | `--builder`       | `string` |         | Override the configured builder instance                                                                 |
-| `--detach`        |          |         | Detach buildx server for the monitor (supported only on linux)                                           |
+| `--detach`        | `bool`   | `true`  | Detach buildx server for the monitor (supported only on linux) (EXPERIMENTAL)                            |
-| `--invoke`        | `string` |         | Launch a monitor with executing specified command                                                        |
+| `--invoke`        | `string` |         | Launch a monitor with executing specified command (EXPERIMENTAL)                                         |
-| `--on`            | `string` | `error` | When to launch the monitor ([always, error])                                                             |
+| `--on`            | `string` | `error` | When to launch the monitor ([always, error]) (EXPERIMENTAL)                                              |
 | `--progress`      | `string` | `auto`  | Set type of progress output (`auto`, `plain`, `tty`) for the monitor. Use plain to show container output |
-| `--root`          | `string` |         | Specify root directory of server to connect for the monitor                                              |
+| `--root`          | `string` |         | Specify root directory of server to connect for the monitor (EXPERIMENTAL)                               |
-| `--server-config` | `string` |         | Specify buildx server config file for the monitor (used only when launching new server)                  |
+| `--server-config` | `string` |         | Specify buildx server config file for the monitor (used only when launching new server) (EXPERIMENTAL)   |
 
 
 <!---MARKER_GEN_END-->

docs/reference/buildx_debug_build.md

@@ -9,44 +9,44 @@ Start a build
 
 ### Options
 
-| Name                                                                                                                                                   | Type          | Default   | Description                                                                                         |
+| Name                                                                                                                                               | Type          | Default   | Description                                                                                         |
-|:-------------------------------------------------------------------------------------------------------------------------------------------------------|:--------------|:----------|:----------------------------------------------------------------------------------------------------|
+|:---------------------------------------------------------------------------------------------------------------------------------------------------|:--------------|:----------|:----------------------------------------------------------------------------------------------------|
-| [`--add-host`](https://docs.docker.com/engine/reference/commandline/build/#add-host)                                                                   | `stringSlice` |           | Add a custom host-to-IP mapping (format: `host:ip`)                                                 |
+| [`--add-host`](https://docs.docker.com/reference/cli/docker/image/build/#add-host)                                                                 | `stringSlice` |           | Add a custom host-to-IP mapping (format: `host:ip`)                                                 |
-| `--allow`                                                                                                                                              | `stringSlice` |           | Allow extra privileged entitlement (e.g., `network.host`, `security.insecure`)                      |
+| `--allow`                                                                                                                                          | `stringSlice` |           | Allow extra privileged entitlement (e.g., `network.host`, `security.insecure`)                      |
-| `--annotation`                                                                                                                                         | `stringArray` |           | Add annotation to the image                                                                         |
+| `--annotation`                                                                                                                                     | `stringArray` |           | Add annotation to the image                                                                         |
-| `--attest`                                                                                                                                             | `stringArray` |           | Attestation parameters (format: `type=sbom,generator=image`)                                        |
+| `--attest`                                                                                                                                         | `stringArray` |           | Attestation parameters (format: `type=sbom,generator=image`)                                        |
-| `--build-arg`                                                                                                                                          | `stringArray` |           | Set build-time variables                                                                            |
+| `--build-arg`                                                                                                                                      | `stringArray` |           | Set build-time variables                                                                            |
-| `--build-context`                                                                                                                                      | `stringArray` |           | Additional build contexts (e.g., name=path)                                                         |
+| `--build-context`                                                                                                                                  | `stringArray` |           | Additional build contexts (e.g., name=path)                                                         |
-| `--builder`                                                                                                                                            | `string`      |           | Override the configured builder instance                                                            |
+| `--builder`                                                                                                                                        | `string`      |           | Override the configured builder instance                                                            |
-| `--cache-from`                                                                                                                                         | `stringArray` |           | External cache sources (e.g., `user/app:cache`, `type=local,src=path/to/dir`)                       |
+| `--cache-from`                                                                                                                                     | `stringArray` |           | External cache sources (e.g., `user/app:cache`, `type=local,src=path/to/dir`)                       |
-| `--cache-to`                                                                                                                                           | `stringArray` |           | Cache export destinations (e.g., `user/app:cache`, `type=local,dest=path/to/dir`)                   |
+| `--cache-to`                                                                                                                                       | `stringArray` |           | Cache export destinations (e.g., `user/app:cache`, `type=local,dest=path/to/dir`)                   |
-| [`--cgroup-parent`](https://docs.docker.com/engine/reference/commandline/build/#cgroup-parent)                                                         | `string`      |           | Set the parent cgroup for the `RUN` instructions during build                                       |
+| [`--cgroup-parent`](https://docs.docker.com/reference/cli/docker/image/build/#cgroup-parent)                                                       | `string`      |           | Set the parent cgroup for the `RUN` instructions during build                                       |
-| `--detach`                                                                                                                                             |               |           | Detach buildx server (supported only on linux)                                                      |
+| `--detach`                                                                                                                                         |               |           | Detach buildx server (supported only on linux) (EXPERIMENTAL)                                       |
-| [`-f`](https://docs.docker.com/engine/reference/commandline/build/#file), [`--file`](https://docs.docker.com/engine/reference/commandline/build/#file) | `string`      |           | Name of the Dockerfile (default: `PATH/Dockerfile`)                                                 |
+| [`-f`](https://docs.docker.com/reference/cli/docker/image/build/#file), [`--file`](https://docs.docker.com/reference/cli/docker/image/build/#file) | `string`      |           | Name of the Dockerfile (default: `PATH/Dockerfile`)                                                 |
-| `--iidfile`                                                                                                                                            | `string`      |           | Write the image ID to the file                                                                      |
+| `--iidfile`                                                                                                                                        | `string`      |           | Write the image ID to a file                                                                        |
-| `--label`                                                                                                                                              | `stringArray` |           | Set metadata for an image                                                                           |
+| `--label`                                                                                                                                          | `stringArray` |           | Set metadata for an image                                                                           |
-| `--load`                                                                                                                                               |               |           | Shorthand for `--output=type=docker`                                                                |
+| `--load`                                                                                                                                           |               |           | Shorthand for `--output=type=docker`                                                                |
-| `--metadata-file`                                                                                                                                      | `string`      |           | Write build result metadata to the file                                                             |
+| `--metadata-file`                                                                                                                                  | `string`      |           | Write build result metadata to a file                                                               |
-| `--network`                                                                                                                                            | `string`      | `default` | Set the networking mode for the `RUN` instructions during build                                     |
+| `--network`                                                                                                                                        | `string`      | `default` | Set the networking mode for the `RUN` instructions during build                                     |
-| `--no-cache`                                                                                                                                           |               |           | Do not use cache when building the image                                                            |
+| `--no-cache`                                                                                                                                       |               |           | Do not use cache when building the image                                                            |
-| `--no-cache-filter`                                                                                                                                    | `stringArray` |           | Do not cache specified stages                                                                       |
+| `--no-cache-filter`                                                                                                                                | `stringArray` |           | Do not cache specified stages                                                                       |
-| `-o`, `--output`                                                                                                                                       | `stringArray` |           | Output destination (format: `type=local,dest=path`)                                                 |
+| `-o`, `--output`                                                                                                                                   | `stringArray` |           | Output destination (format: `type=local,dest=path`)                                                 |
-| `--platform`                                                                                                                                           | `stringArray` |           | Set target platform for build                                                                       |
+| `--platform`                                                                                                                                       | `stringArray` |           | Set target platform for build                                                                       |
-| `--print`                                                                                                                                              | `string`      |           | Print result of information request (e.g., outline, targets)                                        |
+| `--print`                                                                                                                                          | `string`      |           | Print result of information request (e.g., outline, targets) (EXPERIMENTAL)                         |
-| `--progress`                                                                                                                                           | `string`      | `auto`    | Set type of progress output (`auto`, `plain`, `tty`). Use plain to show container output            |
+| `--progress`                                                                                                                                       | `string`      | `auto`    | Set type of progress output (`auto`, `plain`, `tty`). Use plain to show container output            |
-| `--provenance`                                                                                                                                         | `string`      |           | Shorthand for `--attest=type=provenance`                                                            |
+| `--provenance`                                                                                                                                     | `string`      |           | Shorthand for `--attest=type=provenance`                                                            |
-| `--pull`                                                                                                                                               |               |           | Always attempt to pull all referenced images                                                        |
+| `--pull`                                                                                                                                           |               |           | Always attempt to pull all referenced images                                                        |
-| `--push`                                                                                                                                               |               |           | Shorthand for `--output=type=registry`                                                              |
+| `--push`                                                                                                                                           |               |           | Shorthand for `--output=type=registry`                                                              |
-| `-q`, `--quiet`                                                                                                                                        |               |           | Suppress the build output and print image ID on success                                             |
+| `-q`, `--quiet`                                                                                                                                    |               |           | Suppress the build output and print image ID on success                                             |
-| `--root`                                                                                                                                               | `string`      |           | Specify root directory of server to connect                                                         |
+| `--root`                                                                                                                                           | `string`      |           | Specify root directory of server to connect (EXPERIMENTAL)                                          |
-| `--sbom`                                                                                                                                               | `string`      |           | Shorthand for `--attest=type=sbom`                                                                  |
+| `--sbom`                                                                                                                                           | `string`      |           | Shorthand for `--attest=type=sbom`                                                                  |
-| `--secret`                                                                                                                                             | `stringArray` |           | Secret to expose to the build (format: `id=mysecret[,src=/local/secret]`)                           |
+| `--secret`                                                                                                                                         | `stringArray` |           | Secret to expose to the build (format: `id=mysecret[,src=/local/secret]`)                           |
-| `--server-config`                                                                                                                                      | `string`      |           | Specify buildx server config file (used only when launching new server)                             |
+| `--server-config`                                                                                                                                  | `string`      |           | Specify buildx server config file (used only when launching new server) (EXPERIMENTAL)              |
-| `--shm-size`                                                                                                                                           | `bytes`       | `0`       | Size of `/dev/shm`                                                                                  |
+| `--shm-size`                                                                                                                                       | `bytes`       | `0`       | Shared memory size for build containers                                                             |
-| `--ssh`                                                                                                                                                | `stringArray` |           | SSH agent socket or keys to expose to the build (format: `default\|<id>[=<socket>\|<key>[,<key>]]`) |
+| `--ssh`                                                                                                                                            | `stringArray` |           | SSH agent socket or keys to expose to the build (format: `default\|<id>[=<socket>\|<key>[,<key>]]`) |
-| [`-t`](https://docs.docker.com/engine/reference/commandline/build/#tag), [`--tag`](https://docs.docker.com/engine/reference/commandline/build/#tag)    | `stringArray` |           | Name and optionally a tag (format: `name:tag`)                                                      |
+| [`-t`](https://docs.docker.com/reference/cli/docker/image/build/#tag), [`--tag`](https://docs.docker.com/reference/cli/docker/image/build/#tag)    | `stringArray` |           | Name and optionally a tag (format: `name:tag`)                                                      |
-| [`--target`](https://docs.docker.com/engine/reference/commandline/build/#target)                                                                       | `string`      |           | Set the target build stage to build                                                                 |
+| [`--target`](https://docs.docker.com/reference/cli/docker/image/build/#target)                                                                     | `string`      |           | Set the target build stage to build                                                                 |
-| `--ulimit`                                                                                                                                             | `ulimit`      |           | Ulimit options                                                                                      |
+| `--ulimit`                                                                                                                                         | `ulimit`      |           | Ulimit options                                                                                      |
 
 
 <!---MARKER_GEN_END-->

docs/reference/buildx_dial-stdio.md

@@ -0,0 +1,47 @@
+# docker buildx dial-stdio
+
+<!---MARKER_GEN_START-->
+Proxy current stdio streams to builder instance
+
+### Options
+
+| Name         | Type     | Default | Description                                      |
+|:-------------|:---------|:--------|:-------------------------------------------------|
+| `--builder`  | `string` |         | Override the configured builder instance         |
+| `--platform` | `string` |         | Target platform: this is used for node selection |
+| `--progress` | `string` | `quiet` | Set type of progress output (auto, plain, tty).  |
+
+
+<!---MARKER_GEN_END-->
+
+## Description
+
+dial-stdio uses the stdin and stdout streams of the command to proxy to the configured builder instance.
+It is not intended to be used by humans, but rather by other tools that want to interact with the builder instance via BuildKit API.
+
+## Examples
+
+Example go program that uses the dial-stdio command wire up a buildkit client.
+This is for example use only and may not be suitable for production use.
+
+```go
+client.New(ctx, "", client.WithContextDialer(func(context.Context, string) (net.Conn, error) {
+    c1, c2 := net.Pipe()
+    cmd := exec.Command("docker", "buildx", "dial-stdio")
+    cmd.Stdin = c1
+    cmd.Stdout = c1
+
+    if err := cmd.Start(); err != nil {
+        c1.Close()
+        c2.Close()
+        return nil, err
+    }
+
+    go func() {
+        cmd.Wait()
+        c2.Close()
+    }()
+
+    return c2
+}))
+```

docs/reference/buildx_du.md

@@ -1,6 +1,6 @@
 # buildx du
 
-```
+```text
 docker buildx du
 ```
 
@@ -13,13 +13,106 @@ Disk usage
 |:------------------------|:---------|:--------|:-----------------------------------------|
 | [`--builder`](#builder) | `string` |         | Override the configured builder instance |
 | `--filter`              | `filter` |         | Provide filter values                    |
-| `--verbose`             |          |         | Provide a more verbose output            |
+| [`--verbose`](#verbose) |          |         | Provide a more verbose output            |
 
 
 <!---MARKER_GEN_END-->
 
 ## Examples
 
+### Show disk usage
+
+The `docker buildx du` command shows the disk usage for the currently selected
+builder.
+
+```console
+$ docker buildx du
+ID                                RECLAIMABLE    SIZE          LAST ACCESSED
+12wgll9os87pazzft8lt0yztp*        true           1.704GB       13 days ago
+iupsv3it5ubh92aweb7c1wojc*        true           1.297GB       36 minutes ago
+ek4ve8h4obyv5kld6vicmtqyn         true           811.7MB       13 days ago
+isovrfnmkelzhtdx942w9vjcb*        true           811.7MB       13 days ago
+0jty7mjrndi1yo7xkv1baralh         true           810.5MB       13 days ago
+jyzkefmsysqiaakgwmjgxjpcz*        true           810.5MB       13 days ago
+z8w1y95jn93gvj92jtaj6uhwk         true           318MB         2 weeks ago
+rz2zgfcwlfxsxd7d41w2sz2tt         true           8.224kB*      43 hours ago
+n5bkzpewmk2eiu6hn9tzx18jd         true           8.224kB*      43 hours ago
+ao94g6vtbzdl6k5zgdmrmnwpt         true           8.224kB*      43 hours ago
+2pyjep7njm0wh39vcingxb97i         true           8.224kB*      43 hours ago
+Shared:        115.5MB
+Private:       10.25GB
+Reclaimable:   10.36GB
+Total:         10.36GB
+```
+
+If `RECLAIMABLE` is false, the `docker buildx du prune` command won't delete
+the record, even if you use `--all`. That's because the record is actively in
+use by some component of the builder.
+
+The asterisks (\*) in the default output indicate the following:
+
+- An asterisk next to an ID (`zu7m6evdpebh5h8kfkpw9dlf2*`) indicates that the record
+  is mutable. The size of the record may change, or another build can take ownership of
+  it and change or commit to it. If you run the `du` command again, this item may
+  not be there anymore, or the size might be different.
+- An asterisk next to a size (`8.288kB*`) indicates that the record is shared.
+  Storage of the record is shared with some other resource, typically an image.
+  If you prune such a record then you will lose build cache but only metadata
+  will be deleted as the image still needs to actual storage layers.
+
+### <a name="verbose"></a> Use verbose output (--verbose)
+
+The verbose output of the `docker buildx du` command is useful for inspecting
+the disk usage records in more detail. The verbose output shows the mutable and
+shared states more clearly, as well as additional information about the
+corresponding layer.
+
+```console
+$ docker buildx du --verbose
+...
+Last used:      2 days ago
+Type:           regular
+
+ID:             05d0elirb4mmvpmnzbrp3ssrg
+Parent:         e8sfdn4mygrg7msi9ak1dy6op
+Created at:     2023-11-20 09:53:30.881558721 +0000 UTC
+Mutable:        false
+Reclaimable:    true
+Shared:         false
+Size:           0B
+Description:    [gobase 3/3] WORKDIR /src
+Usage count:    3
+Last used:      24 hours ago
+Type:           regular
+
+Reclaimable:    4.453GB
+Total:          4.453GB
+```
+
 ### <a name="builder"></a> Override the configured builder instance (--builder)
 
-Same as [`buildx --builder`](buildx.md#builder).
+Use the `--builder` flag to inspect the disk usage of a particular builder.
+
+```console
+$ docker buildx du --builder youthful_shtern
+ID                                RECLAIMABLE    SIZE          LAST ACCESSED
+g41agepgdczekxg2mtw0dujsv*        true           1.312GB       47 hours ago
+e6ycrsa0bn9akigqgzu0sc6kr         true           318MB         47 hours ago
+our9zg4ndly65ze1ccczdksiz         true           204.9MB       45 hours ago
+b7xv3xpxnwupc81tc9ya3mgq6*        true           120.6MB       47 hours ago
+zihgye15ss6vum3wmck9egdoy*        true           79.81MB       2 days ago
+aaydharssv1ug98yhuwclkfrh*        true           79.81MB       2 days ago
+ta1r4vmnjug5dhub76as4kkol*        true           74.51MB       47 hours ago
+murma9f83j9h8miifbq68udjf*        true           74.51MB       47 hours ago
+47f961866a49g5y8myz80ixw1*        true           74.51MB       47 hours ago
+tzh99xtzlaf6txllh3cobag8t         true           74.49MB       47 hours ago
+ld6laoeuo1kwapysu6afwqybl*        true           59.89MB       47 hours ago
+yitxizi5kaplpyomqpos2cryp*        true           59.83MB       47 hours ago
+iy8aa4b7qjn0qmy9wiga9cj8w         true           33.65MB       47 hours ago
+mci7okeijyp8aqqk16j80dy09         true           19.86MB       47 hours ago
+lqvj091he652slxdla4wom3pz         true           14.08MB       47 hours ago
+fkt31oiv793nd26h42llsjcw7*        true           11.87MB       2 days ago
+uj802yxtvkcjysnjb4kgwvn2v         true           11.68MB       45 hours ago
+Reclaimable:    2.627GB
+Total:          2.627GB
+```

docs/reference/buildx_imagetools.md

@@ -1,6 +1,6 @@
 # buildx imagetools
 
-```
+```text
 docker buildx imagetools [OPTIONS] COMMAND
 ```
 
@@ -26,8 +26,9 @@ Commands to work on images in registry
 
 ## Description
 
-Imagetools contains commands for working with manifest lists in the registry.
+The `imagetools` commands contains subcommands for working with manifest lists
-These commands are useful for inspecting multi-platform build results.
+in container registries. These commands are useful for inspecting manifests
+to check multi-platform configuration and attestations.
 
 ## Examples
 

docs/reference/buildx_imagetools_create.md

@@ -1,6 +1,6 @@
 # buildx imagetools create
 
-```
+```text
 docker buildx imagetools create [OPTIONS] [SOURCE] [SOURCE...]
 ```
 
@@ -11,7 +11,7 @@ Create a new image based on source images
 
 | Name                             | Type          | Default | Description                                                                              |
 |:---------------------------------|:--------------|:--------|:-----------------------------------------------------------------------------------------|
-| `--annotation`                   | `stringArray` |         | Add annotation to the image                                                              |
+| [`--annotation`](#annotation)    | `stringArray` |         | Add annotation to the image                                                              |
 | [`--append`](#append)            |               |         | Append to existing manifest                                                              |
 | [`--builder`](#builder)          | `string`      |         | Override the configured builder instance                                                 |
 | [`--dry-run`](#dry-run)          |               |         | Show final image instead of pushing                                                      |
@@ -31,6 +31,34 @@ specified, create performs a carbon copy.
 
 ## Examples
 
+### <a name="annotation"></a> Add annotations to an image (--annotation)
+
+The `--annotation` flag lets you add annotations the image index, manifest,
+and descriptors when creating a new image.
+
+The following command creates a `foo/bar:latest` image with the
+`org.opencontainers.image.authors` annotation on the image index.
+
+```console
+$ docker buildx imagetools create \
+  --annotation "index:org.opencontainers.image.authors=dvdksn" \
+  --tag foo/bar:latest \
+  foo/bar:alpha foo/bar:beta foo/bar:gamma
+```
+
+> **Note**
+>
+> The `imagetools create` command supports adding annotations to the image
+> index and descriptor, using the following type prefixes:
+>
+> - `index:`
+> - `manifest-descriptor:`
+>
+> It doesn't support annotating manifests or OCI layouts.
+
+For more information about annotations, see
+[Annotations](https://docs.docker.com/build/building/annotations/).
+
 ### <a name="append"></a> Append new sources to an existing manifest list (--append)
 
 Use the `--append` flag to append the new sources to an existing manifest list
@@ -46,7 +74,7 @@ Use the `--dry-run` flag to not push the image, just show it.
 
 ### <a name="file"></a> Read source descriptor from a file (-f, --file)
 
-```
+```text
 -f FILE or --file FILE
 ```
 
@@ -67,7 +95,7 @@ The supported fields for the descriptor are defined in [OCI spec](https://github
 
 ### <a name="tag"></a> Set reference for new image  (-t, --tag)
 
-```
+```text
 -t IMAGE or --tag IMAGE
 ```
 

docs/reference/buildx_imagetools_inspect.md

@@ -1,6 +1,6 @@
 # buildx imagetools inspect
 
-```
+```text
 docker buildx imagetools inspect [OPTIONS] NAME
 ```
 
@@ -123,23 +123,93 @@ Manifests:
 
 #### JSON output
 
-A `json` go template func is also available if you want to render fields as
+A `json` template function is also available if you want to render fields in
-JSON bytes:
+JSON format:
 
 ```console
-$ docker buildx imagetools inspect crazymax/loop --format "{{json .Manifest}}"
+$ docker buildx imagetools inspect crazymax/buildkit:attest --format "{{json .Manifest}}"
 ```
+
 ```json
 {
-  "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+  "schemaVersion": 2,
-  "digest": "sha256:a9ca35b798e0b198f9be7f3b8b53982e9a6cf96814cb10d78083f40ad8c127f1",
+  "mediaType": "application/vnd.oci.image.index.v1+json",
-  "size": 949
+  "digest": "sha256:7007b387ccd52bd42a050f2e8020e56e64622c9269bf7bbe257b326fe99daf19",
+  "size": 855,
+  "manifests": [
+    {
+      "mediaType": "application/vnd.oci.image.manifest.v1+json",
+      "digest": "sha256:fbd10fe50b4b174bb9ea273e2eb9827fa8bf5c88edd8635a93dc83e0d1aecb55",
+      "size": 673,
+      "platform": {
+        "architecture": "amd64",
+        "os": "linux"
+      }
+    },
+    {
+      "mediaType": "application/vnd.oci.image.manifest.v1+json",
+      "digest": "sha256:a9de632c16998489fd63fbca42a03431df00639cfb2ecb8982bf9984b83c5b2b",
+      "size": 839,
+      "annotations": {
+        "vnd.docker.reference.digest": "sha256:fbd10fe50b4b174bb9ea273e2eb9827fa8bf5c88edd8635a93dc83e0d1aecb55",
+        "vnd.docker.reference.type": "attestation-manifest"
+      },
+      "platform": {
+        "architecture": "unknown",
+        "os": "unknown"
+      }
+    }
+  ]
+}
+```
+
+```console
+$ docker buildx imagetools inspect crazymax/buildkit:attest --format "{{json .Image}}"
+```
+
+```json
+{
+  "created": "2022-12-01T11:46:47.713777178Z",
+  "architecture": "amd64",
+  "os": "linux",
+  "config": {
+    "Env": [
+      "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+    ],
+    "Cmd": [
+      "/bin/sh"
+    ]
+  },
+  "rootfs": {
+    "type": "layers",
+    "diff_ids": [
+      "sha256:ded7a220bb058e28ee3254fbba04ca90b679070424424761a53a043b93b612bf",
+      "sha256:d85d09ab4b4e921666ccc2db8532e857bf3476b7588e52c9c17741d7af14204f"
+    ]
+  },
+  "history": [
+    {
+      "created": "2022-11-22T22:19:28.870801855Z",
+      "created_by": "/bin/sh -c #(nop) ADD file:587cae71969871d3c6456d844a8795df9b64b12c710c275295a1182b46f630e7 in / "
+    },
+    {
+      "created": "2022-11-22T22:19:29.008562326Z",
+      "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
+      "empty_layer": true
+    },
+    {
+      "created": "2022-12-01T11:46:47.713777178Z",
+      "created_by": "RUN /bin/sh -c apk add curl # buildkit",
+      "comment": "buildkit.dockerfile.v0"
+    }
+  ]
 }
 ```
 
 ```console
 $ docker buildx imagetools inspect moby/buildkit:master --format "{{json .Manifest}}"
 ```
+
 ```json
 {
   "schemaVersion": 2,
@@ -284,11 +354,13 @@ $ docker buildx imagetools inspect moby/buildkit:master --format "{{json .Manife
 }
 ```
 
-Following command provides [SLSA](https://github.com/moby/buildkit/blob/master/docs/attestations/slsa-provenance.md) JSON output:
+The following command provides [SLSA](https://github.com/moby/buildkit/blob/master/docs/attestations/slsa-provenance.md)
+JSON output:
 
 ```console
 $ docker buildx imagetools inspect crazymax/buildkit:attest --format "{{json .Provenance}}"
 ```
+
 ```json
 {
   "SLSA": {
@@ -343,11 +415,13 @@ $ docker buildx imagetools inspect crazymax/buildkit:attest --format "{{json .Pr
 }
 ```
 
-Following command provides [SBOM](https://github.com/moby/buildkit/blob/master/docs/attestations/sbom.md) JSON output:
+The following command provides [SBOM](https://github.com/moby/buildkit/blob/master/docs/attestations/sbom.md)
+JSON output:
 
 ```console
 $ docker buildx imagetools inspect crazymax/buildkit:attest --format "{{json .SBOM}}"
 ```
+
 ```json
 {
   "SPDX": {
@@ -372,6 +446,7 @@ $ docker buildx imagetools inspect crazymax/buildkit:attest --format "{{json .SB
 ```console
 $ docker buildx imagetools inspect crazymax/buildkit:attest --format "{{json .}}"
 ```
+
 ```json
 {
   "name": "crazymax/buildkit:attest",
@@ -440,75 +515,6 @@ $ docker buildx imagetools inspect crazymax/buildkit:attest --format "{{json .}}
         "comment": "buildkit.dockerfile.v0"
       }
     ]
-  },
-  "Provenance": {
-    "SLSA": {
-      "builder": {
-        "id": ""
-      },
-      "buildType": "https://mobyproject.org/buildkit@v1",
-      "materials": [
-        {
-          "uri": "pkg:docker/docker/buildkit-syft-scanner@stable-1",
-          "digest": {
-            "sha256": "b45f1d207e16c3a3a5a10b254ad8ad358d01f7ea090d382b95c6b2ee2b3ef765"
-          }
-        },
-        {
-          "uri": "pkg:docker/alpine@latest?platform=linux%2Famd64",
-          "digest": {
-            "sha256": "8914eb54f968791faf6a8638949e480fef81e697984fba772b3976835194c6d4"
-          }
-        }
-      ],
-      "invocation": {
-        "configSource": {},
-        "parameters": {
-          "frontend": "dockerfile.v0",
-          "locals": [
-            {
-              "name": "context"
-            },
-            {
-              "name": "dockerfile"
-            }
-          ]
-        },
-        "environment": {
-          "platform": "linux/amd64"
-        }
-      },
-      "metadata": {
-        "buildInvocationID": "02tdha2xkbxvin87mz9drhag4",
-        "buildStartedOn": "2022-12-01T11:50:07.264704131Z",
-        "buildFinishedOn": "2022-12-01T11:50:08.243788739Z",
-        "reproducible": false,
-        "completeness": {
-          "parameters": true,
-          "environment": true,
-          "materials": false
-        },
-        "https://mobyproject.org/buildkit@v1#metadata": {}
-      }
-    }
-  },
-  "SBOM": {
-    "SPDX": {
-      "SPDXID": "SPDXRef-DOCUMENT",
-      "creationInfo": {
-        "created": "2022-12-01T11:46:48.063400162Z",
-        "creators": [
-          "Tool: syft-v0.60.3",
-          "Tool: buildkit-1ace2bb",
-          "Organization: Anchore, Inc"
-        ],
-        "licenseListVersion": "3.18"
-      },
-      "dataLicense": "CC0-1.0",
-      "documentNamespace": "https://anchore.com/syft/dir/run/src/core-0a4ccc6d-1a72-4c3a-a40e-3df1a2ffca94",
-      "files": [...],
-      "spdxVersion": "SPDX-2.2"
-    }
   }
 }
 ```
@@ -522,6 +528,7 @@ go template function:
 ```console
 $ docker buildx imagetools inspect --format '{{json (index .Image "linux/s390x")}}' moby/buildkit:master
 ```
+
 ```json
 {
   "created": "2022-11-30T17:42:26.414957336Z",
@@ -588,15 +595,14 @@ $ docker buildx imagetools inspect --format '{{json (index .Image "linux/s390x")
 }
 ```
 
-### <a name="raw"></a> Show original, unformatted JSON manifest (--raw)
+### <a name="raw"></a> Show original JSON manifest (--raw)
 
-Use the `--raw` option to print the unformatted JSON manifest bytes.
+Use the `--raw` option to print the raw JSON manifest.
-
-> `jq` is used here to get a better rendering of the output result.
 
 ```console
-$ docker buildx imagetools inspect --raw crazymax/loop | jq
+$ docker buildx imagetools inspect --raw crazymax/loop
 ```
+
 ```json
 {
   "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
@@ -629,6 +635,7 @@ $ docker buildx imagetools inspect --raw crazymax/loop | jq
 ```console
 $ docker buildx imagetools inspect --raw moby/buildkit:master | jq
 ```
+
 ```json
 {
   "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",

docs/reference/buildx_inspect.md

@@ -1,6 +1,6 @@
 # buildx inspect
 
-```
+```text
 docker buildx inspect [NAME]
 ```
 
@@ -27,7 +27,7 @@ Shows information about the current or specified builder.
 
 Use the `--bootstrap` option to ensure that the builder is running before
 inspecting it. If the driver is `docker-container`, then `--bootstrap` starts
-the buildkit container and waits until it is operational. Bootstrapping is
+the BuildKit container and waits until it's operational. Bootstrapping is
 automatically done during build, and therefore not necessary. The same BuildKit
 container is used during the lifetime of the associated builder node (as
 displayed in `buildx ls`).
@@ -45,7 +45,9 @@ The following example shows information about a builder instance named
 
 > **Note**
 >
-> Asterisk `*` next to node build platform(s) indicate they had been set manually during `buildx create`. Otherwise, it had been autodetected.
+> The asterisk (`*`) next to node build platform(s) indicate they have been
+> manually set during `buildx create`. Otherwise the platforms were
+> automatically detected.
 
 ```console
 $ docker buildx inspect elated_tesla

docs/reference/buildx_ls.md

@@ -1,29 +1,84 @@
 # buildx ls
 
-```
+```text
 docker buildx ls
 ```
 
 <!---MARKER_GEN_START-->
 List builder instances
 
+### Options
+
+| Name                  | Type     | Default | Description       |
+|:----------------------|:---------|:--------|:------------------|
+| [`--format`](#format) | `string` | `table` | Format the output |
+
 
 <!---MARKER_GEN_END-->
 
 ## Description
 
-Lists all builder instances and the nodes for each instance
+Lists all builder instances and the nodes for each instance.
 
 ```console
 $ docker buildx ls
-NAME/NODE       DRIVER/ENDPOINT             STATUS  BUILDKIT PLATFORMS
+NAME/NODE           DRIVER/ENDPOINT                   STATUS    BUILDKIT   PLATFORMS
-elated_tesla *  docker-container
+elated_tesla*       docker-container
-  elated_tesla0 unix:///var/run/docker.sock running v0.10.3  linux/amd64
+ \_ elated_tesla0    \_ unix:///var/run/docker.sock   running   v0.10.3    linux/amd64
-  elated_tesla1 ssh://ubuntu@1.2.3.4        running v0.10.3  linux/arm64*, linux/arm/v7, linux/arm/v6
+ \_ elated_tesla1    \_ ssh://ubuntu@1.2.3.4          running   v0.10.3    linux/arm64*, linux/arm/v7, linux/arm/v6
-default         docker
+default             docker
-  default       default                     running v0.8.2   linux/amd64
+ \_ default          \_ default                       running   v0.8.2     linux/amd64
 ```
 
 Each builder has one or more nodes associated with it. The current builder's
 name is marked with a `*` in `NAME/NODE` and explicit node to build against for
 the target platform marked with a `*` in the `PLATFORMS` column.
+
+## Examples
+
+### <a name="format"></a> Format the output (--format)
+
+The formatting options (`--format`) pretty-prints builder instances output
+using a Go template.
+
+Valid placeholders for the Go template are listed below:
+
+| Placeholder       | Description                                 |
+|-------------------|---------------------------------------------|
+| `.Name`           | Builder or node name                        |
+| `.DriverEndpoint` | Driver (for builder) or Endpoint (for node) |
+| `.LastActivity`   | Builder last activity                       |
+| `.Status`         | Builder or node status                      |
+| `.Buildkit`       | BuildKit version of the node                |
+| `.Platforms`      | Available node's platforms                  |
+| `.Error`          | Error                                       |
+| `.Builder`        | Builder object                              |
+
+When using the `--format` option, the `ls` command will either output the data
+exactly as the template declares or, when using the `table` directive, includes
+column headers as well.
+
+The following example uses a template without headers and outputs the
+`Name` and `DriverEndpoint` entries separated by a colon (`:`):
+
+```console
+$ docker buildx ls --format "{{.Name}}: {{.DriverEndpoint}}"
+elated_tesla: docker-container
+elated_tesla0: unix:///var/run/docker.sock
+elated_tesla1: ssh://ubuntu@1.2.3.4
+default: docker
+default: default
+```
+
+The `Builder` placeholder can be used to access the builder object and its
+fields. For example, the following template outputs the builder's and
+nodes' names with their respective endpoints:
+
+```console
+$ docker buildx ls --format "{{.Builder.Name}}: {{range .Builder.Nodes}}\n  {{.Name}}: {{.Endpoint}}{{end}}"
+elated_tesla:
+  elated_tesla0: unix:///var/run/docker.sock
+  elated_tesla1: ssh://ubuntu@1.2.3.4
+default: docker
+  default: default
+```

docs/reference/buildx_prune.md

@@ -1,6 +1,6 @@
 # buildx prune
 
-```
+```text
 docker buildx prune
 ```
 

docs/reference/buildx_rm.md

@@ -1,11 +1,11 @@
 # buildx rm
 
-```
+```text
-docker buildx rm [NAME]
+docker buildx rm [OPTIONS] [NAME] [NAME...]
 ```
 
 <!---MARKER_GEN_START-->
-Remove a builder instance
+Remove one or more builder instances
 
 ### Options
 
@@ -14,7 +14,7 @@ Remove a builder instance
 | [`--all-inactive`](#all-inactive)   |          |         | Remove all inactive builders             |
 | [`--builder`](#builder)             | `string` |         | Override the configured builder instance |
 | [`-f`](#force), [`--force`](#force) |          |         | Do not prompt for confirmation           |
-| [`--keep-daemon`](#keep-daemon)     |          |         | Keep the buildkitd daemon running        |
+| [`--keep-daemon`](#keep-daemon)     |          |         | Keep the BuildKit daemon running         |
 | [`--keep-state`](#keep-state)       |          |         | Keep BuildKit state                      |
 
 
@@ -48,12 +48,15 @@ Do not prompt for confirmation before removing inactive builders.
 $ docker buildx rm --all-inactive --force
 ```
 
-### <a name="keep-daemon"></a> Keep the buildkitd daemon running (--keep-daemon)
+### <a name="keep-daemon"></a> Keep the BuildKit daemon running (--keep-daemon)
 
-Keep the buildkitd daemon running after the buildx context is removed. This is useful when you manage buildkitd daemons and buildx contexts independently.
+Keep the BuildKit daemon running after the buildx context is removed. This is
-Currently, only supported by the [`docker-container` and `kubernetes` drivers](buildx_create.md#driver).
+useful when you manage BuildKit daemons and buildx contexts independently.
+Only supported by the
+[`docker-container`](https://docs.docker.com/build/drivers/docker-container/)
+and [`kubernetes`](https://docs.docker.com/build/drivers/kubernetes/) drivers.
 
 ### <a name="keep-state"></a> Keep BuildKit state (--keep-state)
 
 Keep BuildKit state, so it can be reused by a new builder with the same name.
-Currently, only supported by the [`docker-container` driver](buildx_create.md#driver).
+Currently, only supported by the [`docker-container` driver](https://docs.docker.com/build/drivers/docker-container/).

docs/reference/buildx_stop.md

@@ -18,7 +18,7 @@ Stop builder instance
 
 ## Description
 
-Stops the specified or current builder. This will not prevent buildx build to
+Stops the specified or current builder. This does not prevent buildx build to
 restart the builder. The implementation of stop depends on the driver.
 
 ## Examples

docs/reference/buildx_version.md

@@ -1,6 +1,6 @@
 # buildx version
 
-```
+```text
 docker buildx version
 ```
 
@@ -16,5 +16,5 @@ View version information
 
 ```console
 $ docker buildx version
-github.com/docker/buildx v0.5.1-docker 11057da37336192bfc57d81e02359ba7ba848e4a
+github.com/docker/buildx v0.11.2 9872040b6626fb7d87ef7296fd5b832e8cc2ad17
 ```

driver/docker-container/driver.go

@@ -20,15 +20,16 @@ import (
 	"github.com/docker/cli/opts"
 	dockertypes "github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
+	imagetypes "github.com/docker/docker/api/types/image"
 	"github.com/docker/docker/api/types/mount"
 	"github.com/docker/docker/api/types/network"
+	"github.com/docker/docker/api/types/system"
 	dockerclient "github.com/docker/docker/client"
 	"github.com/docker/docker/errdefs"
 	dockerarchive "github.com/docker/docker/pkg/archive"
 	"github.com/docker/docker/pkg/idtools"
 	"github.com/docker/docker/pkg/stdcopy"
 	"github.com/moby/buildkit/client"
-	"github.com/moby/buildkit/util/tracing/detect"
 	"github.com/pkg/errors"
 )
 
@@ -39,18 +40,23 @@ const (
 
 type Driver struct {
 	driver.InitConfig
-	factory      driver.Factory
+	factory driver.Factory
-	netMode      string
+
-	image        string
+	// if you add fields, remember to update docs:
-	memory       opts.MemBytes
+	// https://github.com/docker/docs/blob/main/content/build/drivers/docker-container.md
-	memorySwap   opts.MemSwapBytes
+	netMode       string
-	cpuQuota     int64
+	image         string
-	cpuPeriod    int64
+	memory        opts.MemBytes
-	cpuShares    int64
+	memorySwap    opts.MemSwapBytes
-	cpusetCpus   string
+	cpuQuota      int64
-	cpusetMems   string
+	cpuPeriod     int64
-	cgroupParent string
+	cpuShares     int64
-	env          []string
+	cpusetCpus    string
+	cpusetMems    string
+	cgroupParent  string
+	restartPolicy container.RestartPolicy
+	env           []string
+	defaultLoad   bool
 }
 
 func (d *Driver) IsMobyDriver() bool {
@@ -90,7 +96,7 @@ func (d *Driver) create(ctx context.Context, l progress.SubLogger) error {
 		if err != nil {
 			return err
 		}
-		rc, err := d.DockerAPI.ImageCreate(ctx, imageName, dockertypes.ImageCreateOptions{
+		rc, err := d.DockerAPI.ImageCreate(ctx, imageName, imagetypes.CreateOptions{
 			RegistryAuth: ra,
 		})
 		if err != nil {
@@ -117,7 +123,8 @@ func (d *Driver) create(ctx context.Context, l progress.SubLogger) error {
 	useInit := true // let it cleanup exited processes created by BuildKit's container API
 	return l.Wrap("creating container "+d.Name, func() error {
 		hc := &container.HostConfig{
-			Privileged: true,
+			Privileged:    true,
+			RestartPolicy: d.restartPolicy,
 			Mounts: []mount.Mount{
 				{
 					Type:   mount.TypeVolume,
@@ -161,7 +168,7 @@ func (d *Driver) create(ctx context.Context, l progress.SubLogger) error {
 				}
 			}
 
-			secOpts, err := dockertypes.DecodeSecurityOptions(info.SecurityOptions)
+			secOpts, err := system.DecodeSecurityOptions(info.SecurityOptions)
 			if err != nil {
 				return err
 			}
@@ -220,7 +227,7 @@ func (d *Driver) wait(ctx context.Context, l progress.SubLogger) error {
 }
 
 func (d *Driver) copyLogs(ctx context.Context, l progress.SubLogger) error {
-	rc, err := d.DockerAPI.ContainerLogs(ctx, d.Name, dockertypes.ContainerLogsOptions{
+	rc, err := d.DockerAPI.ContainerLogs(ctx, d.Name, container.LogsOptions{
 		ShowStdout: true, ShowStderr: true,
 	})
 	if err != nil {
@@ -298,7 +305,7 @@ func (d *Driver) run(ctx context.Context, cmd []string, stdout, stderr io.Writer
 }
 
 func (d *Driver) start(ctx context.Context, l progress.SubLogger) error {
-	return d.DockerAPI.ContainerStart(ctx, d.Name, dockertypes.ContainerStartOptions{})
+	return d.DockerAPI.ContainerStart(ctx, d.Name, container.StartOptions{})
 }
 
 func (d *Driver) Info(ctx context.Context) (*driver.Info, error) {
@@ -356,18 +363,18 @@ func (d *Driver) Rm(ctx context.Context, force, rmVolume, rmDaemon bool) error {
 		return err
 	}
 	if info.Status != driver.Inactive {
-		container, err := d.DockerAPI.ContainerInspect(ctx, d.Name)
+		ctr, err := d.DockerAPI.ContainerInspect(ctx, d.Name)
 		if err != nil {
 			return err
 		}
 		if rmDaemon {
-			if err := d.DockerAPI.ContainerRemove(ctx, d.Name, dockertypes.ContainerRemoveOptions{
+			if err := d.DockerAPI.ContainerRemove(ctx, d.Name, container.RemoveOptions{
 				RemoveVolumes: true,
 				Force:         force,
 			}); err != nil {
 				return err
 			}
-			for _, v := range container.Mounts {
+			for _, v := range ctr.Mounts {
 				if v.Name != d.Name+volumeStateSuffix {
 					continue
 				}
@@ -380,30 +387,30 @@ func (d *Driver) Rm(ctx context.Context, force, rmVolume, rmDaemon bool) error {
 	return nil
 }
 
-func (d *Driver) Client(ctx context.Context) (*client.Client, error) {
+func (d *Driver) Dial(ctx context.Context) (net.Conn, error) {
 	_, conn, err := d.exec(ctx, []string{"buildctl", "dial-stdio"})
 	if err != nil {
 		return nil, err
 	}
-
 	conn = demuxConn(conn)
+	return conn, nil
+}
 
-	exp, err := detect.Exporter()
+func (d *Driver) Client(ctx context.Context, opts ...client.ClientOpt) (*client.Client, error) {
+	conn, err := d.Dial(ctx)
 	if err != nil {
 		return nil, err
 	}
 
-	var opts []client.ClientOpt
 	var counter int64
-	opts = append(opts, client.WithContextDialer(func(context.Context, string) (net.Conn, error) {
+	opts = append([]client.ClientOpt{
-		if atomic.AddInt64(&counter, 1) > 1 {
+		client.WithContextDialer(func(context.Context, string) (net.Conn, error) {
-			return nil, net.ErrClosed
+			if atomic.AddInt64(&counter, 1) > 1 {
-		}
+				return nil, net.ErrClosed
-		return conn, nil
+			}
-	}))
+			return conn, nil
-	if td, ok := exp.(client.TracerDelegate); ok {
+		}),
-		opts = append(opts, client.WithTracerDelegate(td))
+	}, opts...)
-	}
 	return client.New(ctx, "", opts...)
 }
 
@@ -417,6 +424,7 @@ func (d *Driver) Features(ctx context.Context) map[driver.Feature]bool {
 		driver.DockerExporter: true,
 		driver.CacheExport:    true,
 		driver.MultiPlatform:  true,
+		driver.DefaultLoad:    d.defaultLoad,
 	}
 }
 
@@ -481,7 +489,7 @@ func writeConfigFiles(m map[string][]byte) (_ string, err error) {
 }
 
 func getBuildkitFlags(initConfig driver.InitConfig) []string {
-	flags := initConfig.BuildkitFlags
+	flags := initConfig.BuildkitdFlags
 	if _, ok := initConfig.Files[buildkitdConfigFile]; ok {
 		// There's no way for us to determine the appropriate default configuration
 		// path and the default path can vary depending on if the image is normal

driver/docker-container/factory.go

@@ -7,12 +7,14 @@ import (
 	"strings"
 
 	"github.com/docker/buildx/driver"
+	dockeropts "github.com/docker/cli/opts"
 	dockerclient "github.com/docker/docker/client"
 	"github.com/pkg/errors"
 )
 
 const prioritySupported = 30
 const priorityUnsupported = 70
+const defaultRestartPolicy = "unless-stopped"
 
 func init() {
 	driver.Register(&factory{})
@@ -40,22 +42,27 @@ func (f *factory) New(ctx context.Context, cfg driver.InitConfig) (driver.Driver
 	if cfg.DockerAPI == nil {
 		return nil, errors.Errorf("%s driver requires docker API access", f.Name())
 	}
-	d := &Driver{factory: f, InitConfig: cfg}
+	rp, err := dockeropts.ParseRestartPolicy(defaultRestartPolicy)
+	if err != nil {
+		return nil, err
+	}
+	d := &Driver{
+		factory:       f,
+		InitConfig:    cfg,
+		restartPolicy: rp,
+	}
 	for k, v := range cfg.DriverOpts {
 		switch {
 		case k == "network":
 			d.netMode = v
-			if v == "host" {
-				d.InitConfig.BuildkitFlags = append(d.InitConfig.BuildkitFlags, "--allow-insecure-entitlement=network.host")
-			}
 		case k == "image":
 			d.image = v
 		case k == "memory":
-			if err := d.memory.Set(v); err == nil {
+			if err := d.memory.Set(v); err != nil {
 				return nil, err
 			}
 		case k == "memory-swap":
-			if err := d.memorySwap.Set(v); err == nil {
+			if err := d.memorySwap.Set(v); err != nil {
 				return nil, err
 			}
 		case k == "cpu-period":
@@ -82,6 +89,16 @@ func (f *factory) New(ctx context.Context, cfg driver.InitConfig) (driver.Driver
 			d.cpusetMems = v
 		case k == "cgroup-parent":
 			d.cgroupParent = v
+		case k == "restart-policy":
+			d.restartPolicy, err = dockeropts.ParseRestartPolicy(v)
+			if err != nil {
+				return nil, err
+			}
+		case k == "default-load":
+			d.defaultLoad, err = strconv.ParseBool(v)
+			if err != nil {
+				return nil, err
+			}
 		case strings.HasPrefix(k, "env."):
 			envName := strings.TrimPrefix(k, "env.")
 			if envName == "" {

driver/docker/driver.go

@@ -9,7 +9,6 @@ import (
 	"github.com/docker/buildx/driver"
 	"github.com/docker/buildx/util/progress"
 	"github.com/moby/buildkit/client"
-	"github.com/moby/buildkit/util/tracing/detect"
 	"github.com/pkg/errors"
 )
 
@@ -17,6 +16,8 @@ type Driver struct {
 	factory driver.Factory
 	driver.InitConfig
 
+	// if you add fields, remember to update docs:
+	// https://github.com/docker/docs/blob/main/content/build/drivers/docker.md
 	features    features
 	hostGateway hostGateway
 }
@@ -55,22 +56,18 @@ func (d *Driver) Rm(ctx context.Context, force, rmVolume, rmDaemon bool) error {
 	return nil
 }
 
-func (d *Driver) Client(ctx context.Context) (*client.Client, error) {
+func (d *Driver) Dial(ctx context.Context) (net.Conn, error) {
-	opts := []client.ClientOpt{
+	return d.DockerAPI.DialHijack(ctx, "/grpc", "h2c", d.DialMeta)
+}
+
+func (d *Driver) Client(ctx context.Context, opts ...client.ClientOpt) (*client.Client, error) {
+	opts = append([]client.ClientOpt{
 		client.WithContextDialer(func(context.Context, string) (net.Conn, error) {
-			return d.DockerAPI.DialHijack(ctx, "/grpc", "h2c", d.DialMeta)
+			return d.Dial(ctx)
 		}), client.WithSessionDialer(func(ctx context.Context, proto string, meta map[string][]string) (net.Conn, error) {
 			return d.DockerAPI.DialHijack(ctx, "/session", proto, meta)
 		}),
-	}
+	}, opts...)
-
-	exp, err := detect.Exporter()
-	if err != nil {
-		return nil, err
-	}
-	if td, ok := exp.(client.TracerDelegate); ok {
-		opts = append(opts, client.WithTracerDelegate(td))
-	}
 	return client.New(ctx, "", opts...)
 }
 
@@ -96,6 +93,7 @@ func (d *Driver) Features(ctx context.Context) map[driver.Feature]bool {
 			driver.DockerExporter: useContainerdSnapshotter,
 			driver.CacheExport:    useContainerdSnapshotter,
 			driver.MultiPlatform:  useContainerdSnapshotter,
+			driver.DefaultLoad:    true,
 		}
 	})
 	return d.features.list

driver/driver.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"io"
 	"net"
+	"strings"
 
 	"github.com/docker/buildx/store"
 	"github.com/docker/buildx/util/progress"
@@ -59,13 +60,27 @@ type Driver interface {
 	Version(context.Context) (string, error)
 	Stop(ctx context.Context, force bool) error
 	Rm(ctx context.Context, force, rmVolume, rmDaemon bool) error
-	Client(ctx context.Context) (*client.Client, error)
+	Dial(ctx context.Context) (net.Conn, error)
+	Client(ctx context.Context, opts ...client.ClientOpt) (*client.Client, error)
 	Features(ctx context.Context) map[Feature]bool
 	HostGatewayIP(ctx context.Context) (net.IP, error)
 	IsMobyDriver() bool
 	Config() InitConfig
 }
 
+const builderNamePrefix = "buildx_buildkit_"
+
+func BuilderName(name string) string {
+	return builderNamePrefix + name
+}
+
+func ParseBuilderName(name string) (string, error) {
+	if !strings.HasPrefix(name, builderNamePrefix) {
+		return "", errors.Errorf("invalid builder name %q, must have %q prefix", name, builderNamePrefix)
+	}
+	return strings.TrimPrefix(name, builderNamePrefix), nil
+}
+
 func Boot(ctx, clientContext context.Context, d *DriverHandle, pw progress.Writer) (*client.Client, error) {
 	try := 0
 	for {

driver/features.go

@@ -7,3 +7,5 @@ const DockerExporter Feature = "Docker exporter"
 
 const CacheExport Feature = "Cache export"
 const MultiPlatform Feature = "Multi-platform build"
+
+const DefaultLoad Feature = "Automatically load images to the Docker Engine image store"

driver/kubernetes/driver.go

@@ -15,7 +15,6 @@ import (
 	"github.com/docker/buildx/util/platformutil"
 	"github.com/docker/buildx/util/progress"
 	"github.com/moby/buildkit/client"
-	"github.com/moby/buildkit/util/tracing/detect"
 	"github.com/pkg/errors"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
@@ -38,7 +37,10 @@ const (
 
 type Driver struct {
 	driver.InitConfig
-	factory          driver.Factory
+	factory driver.Factory
+
+	// if you add fields, remember to update docs:
+	// https://github.com/docker/docs/blob/main/content/build/drivers/kubernetes.md
 	minReplicas      int
 	deployment       *appsv1.Deployment
 	configMaps       []*corev1.ConfigMap
@@ -47,6 +49,7 @@ type Driver struct {
 	podClient        clientcorev1.PodInterface
 	configMapClient  clientcorev1.ConfigMapInterface
 	podChooser       podchooser.PodChooser
+	defaultLoad      bool
 }
 
 func (d *Driver) IsMobyDriver() bool {
@@ -186,7 +189,7 @@ func (d *Driver) Rm(ctx context.Context, force, rmVolume, rmDaemon bool) error {
 	return nil
 }
 
-func (d *Driver) Client(ctx context.Context) (*client.Client, error) {
+func (d *Driver) Dial(ctx context.Context) (net.Conn, error) {
 	restClient := d.clientset.CoreV1().RESTClient()
 	restClientConfig, err := d.KubeClientConfig.ClientConfig()
 	if err != nil {
@@ -205,19 +208,15 @@ func (d *Driver) Client(ctx context.Context) (*client.Client, error) {
 	if err != nil {
 		return nil, err
 	}
+	return conn, nil
+}
 
-	exp, err := detect.Exporter()
+func (d *Driver) Client(ctx context.Context, opts ...client.ClientOpt) (*client.Client, error) {
-	if err != nil {
+	opts = append([]client.ClientOpt{
-		return nil, err
+		client.WithContextDialer(func(context.Context, string) (net.Conn, error) {
-	}
+			return d.Dial(ctx)
-
+		}),
-	var opts []client.ClientOpt
+	}, opts...)
-	opts = append(opts, client.WithContextDialer(func(context.Context, string) (net.Conn, error) {
-		return conn, nil
-	}))
-	if td, ok := exp.(client.TracerDelegate); ok {
-		opts = append(opts, client.WithTracerDelegate(td))
-	}
 	return client.New(ctx, "", opts...)
 }
 
@@ -231,6 +230,7 @@ func (d *Driver) Features(_ context.Context) map[driver.Feature]bool {
 		driver.DockerExporter: d.DockerAPI != nil,
 		driver.CacheExport:    true,
 		driver.MultiPlatform:  true, // Untested (needs multiple Driver instances)
+		driver.DefaultLoad:    d.defaultLoad,
 	}
 }
 

driver/kubernetes/factory.go

@@ -68,11 +68,13 @@ func (f *factory) New(ctx context.Context, cfg driver.InitConfig) (driver.Driver
 		clientset:  clientset,
 	}
 
-	deploymentOpt, loadbalance, namespace, err := f.processDriverOpts(deploymentName, namespace, cfg)
+	deploymentOpt, loadbalance, namespace, defaultLoad, err := f.processDriverOpts(deploymentName, namespace, cfg)
 	if nil != err {
 		return nil, err
 	}
 
+	d.defaultLoad = defaultLoad
+
 	d.deployment, d.configMaps, err = manifest.NewDeployment(deploymentOpt)
 	if err != nil {
 		return nil, err
@@ -100,17 +102,19 @@ func (f *factory) New(ctx context.Context, cfg driver.InitConfig) (driver.Driver
 	return d, nil
 }
 
-func (f *factory) processDriverOpts(deploymentName string, namespace string, cfg driver.InitConfig) (*manifest.DeploymentOpt, string, string, error) {
+func (f *factory) processDriverOpts(deploymentName string, namespace string, cfg driver.InitConfig) (*manifest.DeploymentOpt, string, string, bool, error) {
 	deploymentOpt := &manifest.DeploymentOpt{
 		Name:          deploymentName,
 		Image:         bkimage.DefaultImage,
 		Replicas:      1,
-		BuildkitFlags: cfg.BuildkitFlags,
+		BuildkitFlags: cfg.BuildkitdFlags,
 		Rootless:      false,
 		Platforms:     cfg.Platforms,
 		ConfigFiles:   cfg.Files,
 	}
 
+	defaultLoad := false
+
 	deploymentOpt.Qemu.Image = bkimage.QemuImage
 
 	loadbalance := LoadbalanceSticky
@@ -127,40 +131,46 @@ func (f *factory) processDriverOpts(deploymentName string, namespace string, cfg
 		case "replicas":
 			deploymentOpt.Replicas, err = strconv.Atoi(v)
 			if err != nil {
-				return nil, "", "", err
+				return nil, "", "", false, err
 			}
 		case "requests.cpu":
 			deploymentOpt.RequestsCPU = v
 		case "requests.memory":
 			deploymentOpt.RequestsMemory = v
+		case "requests.ephemeral-storage":
+			deploymentOpt.RequestsEphemeralStorage = v
 		case "limits.cpu":
 			deploymentOpt.LimitsCPU = v
 		case "limits.memory":
 			deploymentOpt.LimitsMemory = v
+		case "limits.ephemeral-storage":
+			deploymentOpt.LimitsEphemeralStorage = v
 		case "rootless":
 			deploymentOpt.Rootless, err = strconv.ParseBool(v)
 			if err != nil {
-				return nil, "", "", err
+				return nil, "", "", false, err
 			}
 			if _, isImage := cfg.DriverOpts["image"]; !isImage {
 				deploymentOpt.Image = bkimage.DefaultRootlessImage
 			}
+		case "schedulername":
+			deploymentOpt.SchedulerName = v
 		case "serviceaccount":
 			deploymentOpt.ServiceAccountName = v
 		case "nodeselector":
 			deploymentOpt.NodeSelector, err = splitMultiValues(v, ",", "=")
 			if err != nil {
-				return nil, "", "", errors.Wrap(err, "cannot parse node selector")
+				return nil, "", "", false, errors.Wrap(err, "cannot parse node selector")
 			}
 		case "annotations":
 			deploymentOpt.CustomAnnotations, err = splitMultiValues(v, ",", "=")
 			if err != nil {
-				return nil, "", "", errors.Wrap(err, "cannot parse annotations")
+				return nil, "", "", false, errors.Wrap(err, "cannot parse annotations")
 			}
 		case "labels":
 			deploymentOpt.CustomLabels, err = splitMultiValues(v, ",", "=")
 			if err != nil {
-				return nil, "", "", errors.Wrap(err, "cannot parse labels")
+				return nil, "", "", false, errors.Wrap(err, "cannot parse labels")
 			}
 		case "tolerations":
 			ts := strings.Split(v, ";")
@@ -185,12 +195,12 @@ func (f *factory) processDriverOpts(deploymentName string, namespace string, cfg
 						case "tolerationSeconds":
 							c, err := strconv.Atoi(kv[1])
 							if nil != err {
-								return nil, "", "", err
+								return nil, "", "", false, err
 							}
 							c64 := int64(c)
 							t.TolerationSeconds = &c64
 						default:
-							return nil, "", "", errors.Errorf("invalid tolaration %q", v)
+							return nil, "", "", false, errors.Errorf("invalid tolaration %q", v)
 						}
 					}
 				}
@@ -202,24 +212,29 @@ func (f *factory) processDriverOpts(deploymentName string, namespace string, cfg
 			case LoadbalanceSticky:
 			case LoadbalanceRandom:
 			default:
-				return nil, "", "", errors.Errorf("invalid loadbalance %q", v)
+				return nil, "", "", false, errors.Errorf("invalid loadbalance %q", v)
 			}
 			loadbalance = v
 		case "qemu.install":
 			deploymentOpt.Qemu.Install, err = strconv.ParseBool(v)
 			if err != nil {
-				return nil, "", "", err
+				return nil, "", "", false, err
 			}
 		case "qemu.image":
 			if v != "" {
 				deploymentOpt.Qemu.Image = v
 			}
+		case "default-load":
+			defaultLoad, err = strconv.ParseBool(v)
+			if err != nil {
+				return nil, "", "", false, err
+			}
 		default:
-			return nil, "", "", errors.Errorf("invalid driver option %s for driver %s", k, DriverName)
+			return nil, "", "", false, errors.Errorf("invalid driver option %s for driver %s", k, DriverName)
 		}
 	}
 
-	return deploymentOpt, loadbalance, namespace, nil
+	return deploymentOpt, loadbalance, namespace, defaultLoad, nil
 }
 
 func splitMultiValues(in string, itemsep string, kvsep string) (map[string]string, error) {
@@ -244,10 +259,10 @@ func (f *factory) AllowsInstances() bool {
 // eg. "buildx_buildkit_loving_mendeleev0" -> "loving-mendeleev0"
 func buildxNameToDeploymentName(bx string) (string, error) {
 	// TODO: commands.util.go should not pass "buildx_buildkit_" prefix to drivers
-	if !strings.HasPrefix(bx, "buildx_buildkit_") {
+	s, err := driver.ParseBuilderName(bx)
-		return "", errors.Errorf("expected a string with \"buildx_buildkit_\", got %q", bx)
+	if err != nil {
+		return "", err
 	}
-	s := strings.TrimPrefix(bx, "buildx_buildkit_")
 	s = strings.ReplaceAll(s, "_", "-")
 	return s, nil
 }

driver/kubernetes/factory_test.go

@@ -29,7 +29,7 @@ func TestFactory_processDriverOpts(t *testing.T) {
 	}
 
 	cfg := driver.InitConfig{
-		Name:             "buildx_buildkit_test",
+		Name:             driver.BuilderName("test"),
 		KubeClientConfig: &kcc,
 	}
 	f := factory{}
@@ -52,8 +52,9 @@ func TestFactory_processDriverOpts(t *testing.T) {
 				"loadbalance":     "random",
 				"qemu.install":    "true",
 				"qemu.image":      "qemu:latest",
+				"default-load":    "true",
 			}
-			r, loadbalance, ns, err := f.processDriverOpts(cfg.Name, "test", cfg)
+			r, loadbalance, ns, defaultLoad, err := f.processDriverOpts(cfg.Name, "test", cfg)
 
 			nodeSelectors := map[string]string{
 				"selector1": "value1",
@@ -102,6 +103,7 @@ func TestFactory_processDriverOpts(t *testing.T) {
 			require.Equal(t, LoadbalanceRandom, loadbalance)
 			require.True(t, r.Qemu.Install)
 			require.Equal(t, "qemu:latest", r.Qemu.Image)
+			require.True(t, defaultLoad)
 		},
 	)
 
@@ -109,7 +111,7 @@ func TestFactory_processDriverOpts(t *testing.T) {
 		"NoOptions", func(t *testing.T) {
 			cfg.DriverOpts = map[string]string{}
 
-			r, loadbalance, ns, err := f.processDriverOpts(cfg.Name, "test", cfg)
+			r, loadbalance, ns, defaultLoad, err := f.processDriverOpts(cfg.Name, "test", cfg)
 
 			require.NoError(t, err)
 
@@ -128,6 +130,7 @@ func TestFactory_processDriverOpts(t *testing.T) {
 			require.Equal(t, LoadbalanceSticky, loadbalance)
 			require.False(t, r.Qemu.Install)
 			require.Equal(t, bkimage.QemuImage, r.Qemu.Image)
+			require.False(t, defaultLoad)
 		},
 	)
 
@@ -138,7 +141,7 @@ func TestFactory_processDriverOpts(t *testing.T) {
 				"loadbalance": "sticky",
 			}
 
-			r, loadbalance, ns, err := f.processDriverOpts(cfg.Name, "test", cfg)
+			r, loadbalance, ns, defaultLoad, err := f.processDriverOpts(cfg.Name, "test", cfg)
 
 			require.NoError(t, err)
 
@@ -157,6 +160,7 @@ func TestFactory_processDriverOpts(t *testing.T) {
 			require.Equal(t, LoadbalanceSticky, loadbalance)
 			require.False(t, r.Qemu.Install)
 			require.Equal(t, bkimage.QemuImage, r.Qemu.Image)
+			require.False(t, defaultLoad)
 		},
 	)
 
@@ -165,7 +169,7 @@ func TestFactory_processDriverOpts(t *testing.T) {
 			cfg.DriverOpts = map[string]string{
 				"replicas": "invalid",
 			}
-			_, _, _, err := f.processDriverOpts(cfg.Name, "test", cfg)
+			_, _, _, _, err := f.processDriverOpts(cfg.Name, "test", cfg)
 			require.Error(t, err)
 		},
 	)
@@ -175,7 +179,7 @@ func TestFactory_processDriverOpts(t *testing.T) {
 			cfg.DriverOpts = map[string]string{
 				"rootless": "invalid",
 			}
-			_, _, _, err := f.processDriverOpts(cfg.Name, "test", cfg)
+			_, _, _, _, err := f.processDriverOpts(cfg.Name, "test", cfg)
 			require.Error(t, err)
 		},
 	)
@@ -185,7 +189,7 @@ func TestFactory_processDriverOpts(t *testing.T) {
 			cfg.DriverOpts = map[string]string{
 				"tolerations": "key=foo,value=bar,invalid=foo2",
 			}
-			_, _, _, err := f.processDriverOpts(cfg.Name, "test", cfg)
+			_, _, _, _, err := f.processDriverOpts(cfg.Name, "test", cfg)
 			require.Error(t, err)
 		},
 	)
@@ -195,7 +199,7 @@ func TestFactory_processDriverOpts(t *testing.T) {
 			cfg.DriverOpts = map[string]string{
 				"tolerations": "key=foo,value=bar,tolerationSeconds=invalid",
 			}
-			_, _, _, err := f.processDriverOpts(cfg.Name, "test", cfg)
+			_, _, _, _, err := f.processDriverOpts(cfg.Name, "test", cfg)
 			require.Error(t, err)
 		},
 	)
@@ -205,7 +209,7 @@ func TestFactory_processDriverOpts(t *testing.T) {
 			cfg.DriverOpts = map[string]string{
 				"annotations": "key,value",
 			}
-			_, _, _, err := f.processDriverOpts(cfg.Name, "test", cfg)
+			_, _, _, _, err := f.processDriverOpts(cfg.Name, "test", cfg)
 			require.Error(t, err)
 		},
 	)
@@ -215,7 +219,7 @@ func TestFactory_processDriverOpts(t *testing.T) {
 			cfg.DriverOpts = map[string]string{
 				"labels": "key=value=foo",
 			}
-			_, _, _, err := f.processDriverOpts(cfg.Name, "test", cfg)
+			_, _, _, _, err := f.processDriverOpts(cfg.Name, "test", cfg)
 			require.Error(t, err)
 		},
 	)
@@ -225,7 +229,7 @@ func TestFactory_processDriverOpts(t *testing.T) {
 			cfg.DriverOpts = map[string]string{
 				"loadbalance": "invalid",
 			}
-			_, _, _, err := f.processDriverOpts(cfg.Name, "test", cfg)
+			_, _, _, _, err := f.processDriverOpts(cfg.Name, "test", cfg)
 			require.Error(t, err)
 		},
 	)
@@ -235,7 +239,7 @@ func TestFactory_processDriverOpts(t *testing.T) {
 			cfg.DriverOpts = map[string]string{
 				"qemu.install": "invalid",
 			}
-			_, _, _, err := f.processDriverOpts(cfg.Name, "test", cfg)
+			_, _, _, _, err := f.processDriverOpts(cfg.Name, "test", cfg)
 			require.Error(t, err)
 		},
 	)
@@ -245,7 +249,7 @@ func TestFactory_processDriverOpts(t *testing.T) {
 			cfg.DriverOpts = map[string]string{
 				"invalid": "foo",
 			}
-			_, _, _, err := f.processDriverOpts(cfg.Name, "test", cfg)
+			_, _, _, _, err := f.processDriverOpts(cfg.Name, "test", cfg)
 			require.Error(t, err)
 		},
 	)

driver/kubernetes/manifest/manifest.go

@@ -20,6 +20,7 @@ type DeploymentOpt struct {
 	Image              string
 	Replicas           int
 	ServiceAccountName string
+	SchedulerName      string
 
 	// Qemu
 	Qemu struct {
@@ -32,16 +33,18 @@ type DeploymentOpt struct {
 	// files mounted at /etc/buildkitd
 	ConfigFiles map[string][]byte
 
-	Rootless          bool
+	Rootless                 bool
-	NodeSelector      map[string]string
+	NodeSelector             map[string]string
-	CustomAnnotations map[string]string
+	CustomAnnotations        map[string]string
-	CustomLabels      map[string]string
+	CustomLabels             map[string]string
-	Tolerations       []corev1.Toleration
+	Tolerations              []corev1.Toleration
-	RequestsCPU       string
+	RequestsCPU              string
-	RequestsMemory    string
+	RequestsMemory           string
-	LimitsCPU         string
+	RequestsEphemeralStorage string
-	LimitsMemory      string
+	LimitsCPU                string
-	Platforms         []v1.Platform
+	LimitsMemory             string
+	LimitsEphemeralStorage   string
+	Platforms                []v1.Platform
 }
 
 const (
@@ -105,6 +108,7 @@ func NewDeployment(opt *DeploymentOpt) (d *appsv1.Deployment, c []*corev1.Config
 				},
 				Spec: corev1.PodSpec{
 					ServiceAccountName: opt.ServiceAccountName,
+					SchedulerName:      opt.SchedulerName,
 					Containers: []corev1.Container{
 						{
 							Name:  containerName,
@@ -205,6 +209,14 @@ func NewDeployment(opt *DeploymentOpt) (d *appsv1.Deployment, c []*corev1.Config
 		d.Spec.Template.Spec.Containers[0].Resources.Requests[corev1.ResourceMemory] = reqMemory
 	}
 
+	if opt.RequestsEphemeralStorage != "" {
+		reqEphemeralStorage, err := resource.ParseQuantity(opt.RequestsEphemeralStorage)
+		if err != nil {
+			return nil, nil, err
+		}
+		d.Spec.Template.Spec.Containers[0].Resources.Requests[corev1.ResourceEphemeralStorage] = reqEphemeralStorage
+	}
+
 	if opt.LimitsCPU != "" {
 		limCPU, err := resource.ParseQuantity(opt.LimitsCPU)
 		if err != nil {
@@ -221,6 +233,14 @@ func NewDeployment(opt *DeploymentOpt) (d *appsv1.Deployment, c []*corev1.Config
 		d.Spec.Template.Spec.Containers[0].Resources.Limits[corev1.ResourceMemory] = limMemory
 	}
 
+	if opt.LimitsEphemeralStorage != "" {
+		limEphemeralStorage, err := resource.ParseQuantity(opt.LimitsEphemeralStorage)
+		if err != nil {
+			return nil, nil, err
+		}
+		d.Spec.Template.Spec.Containers[0].Resources.Limits[corev1.ResourceEphemeralStorage] = limEphemeralStorage
+	}
+
 	return
 }
 

driver/manager.go

@@ -9,6 +9,7 @@ import (
 
 	dockerclient "github.com/docker/docker/client"
 	"github.com/moby/buildkit/client"
+	"github.com/moby/buildkit/util/tracing/detect"
 	specs "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
 	"k8s.io/client-go/rest"
@@ -52,7 +53,7 @@ type InitConfig struct {
 	EndpointAddr     string
 	DockerAPI        dockerclient.APIClient
 	KubeClientConfig KubeClientConfig
-	BuildkitFlags    []string
+	BuildkitdFlags   []string
 	Files            map[string][]byte
 	DriverOpts       map[string]string
 	Auth             Auth
@@ -103,13 +104,13 @@ func GetFactory(name string, instanceRequired bool) (Factory, error) {
 	return nil, errors.Errorf("failed to find driver %q", name)
 }
 
-func GetDriver(ctx context.Context, name string, f Factory, endpointAddr string, api dockerclient.APIClient, auth Auth, kcc KubeClientConfig, flags []string, files map[string][]byte, do map[string]string, platforms []specs.Platform, contextPathHash string, dialMeta map[string][]string) (*DriverHandle, error) {
+func GetDriver(ctx context.Context, name string, f Factory, endpointAddr string, api dockerclient.APIClient, auth Auth, kcc KubeClientConfig, buildkitdFlags []string, files map[string][]byte, do map[string]string, platforms []specs.Platform, contextPathHash string, dialMeta map[string][]string) (*DriverHandle, error) {
 	ic := InitConfig{
 		EndpointAddr:     endpointAddr,
 		DockerAPI:        api,
 		KubeClientConfig: kcc,
 		Name:             name,
-		BuildkitFlags:    flags,
+		BuildkitdFlags:   buildkitdFlags,
 		DriverOpts:       do,
 		Auth:             auth,
 		Platforms:        platforms,
@@ -156,11 +157,28 @@ type DriverHandle struct {
 
 func (d *DriverHandle) Client(ctx context.Context) (*client.Client, error) {
 	d.once.Do(func() {
-		d.client, d.err = d.Driver.Client(ctx)
+		opts, err := d.getClientOptions()
+		if err != nil {
+			d.err = err
+			return
+		}
+		d.client, d.err = d.Driver.Client(ctx, opts...)
 	})
 	return d.client, d.err
 }
 
+func (d *DriverHandle) getClientOptions() ([]client.ClientOpt, error) {
+	exp, _, err := detect.Exporter()
+	if err != nil {
+		return nil, err
+	} else if td, ok := exp.(client.TracerDelegate); ok {
+		return []client.ClientOpt{
+			client.WithTracerDelegate(td),
+		}, nil
+	}
+	return nil, nil
+}
+
 func (d *DriverHandle) HistoryAPISupported(ctx context.Context) bool {
 	d.historyAPISupportedOnce.Do(func() {
 		if c, err := d.Client(ctx); err == nil {

driver/remote/driver.go

@@ -2,19 +2,29 @@ package remote
 
 import (
 	"context"
-	"errors"
+	"crypto/tls"
+	"crypto/x509"
 	"net"
+	"os"
+	"strings"
+	"time"
 
 	"github.com/docker/buildx/driver"
+	util "github.com/docker/buildx/driver/remote/util"
 	"github.com/docker/buildx/util/progress"
 	"github.com/moby/buildkit/client"
-	"github.com/moby/buildkit/util/tracing/detect"
+	"github.com/moby/buildkit/client/connhelper"
+	"github.com/pkg/errors"
 )
 
 type Driver struct {
 	factory driver.Factory
 	driver.InitConfig
+
+	// if you add fields, remember to update docs:
+	// https://github.com/docker/docs/blob/main/content/build/drivers/remote.md
 	*tlsOpts
+	defaultLoad bool
 }
 
 type tlsOpts struct {
@@ -29,7 +39,11 @@ func (d *Driver) Bootstrap(ctx context.Context, l progress.Logger) error {
 	if err != nil {
 		return err
 	}
-	return c.Wait(ctx)
+	return progress.Wrap("[internal] waiting for connection", l, func(_ progress.SubLogger) error {
+		ctx, cancel := context.WithTimeout(ctx, 20*time.Second)
+		defer cancel()
+		return c.Wait(ctx)
+	})
 }
 
 func (d *Driver) Info(ctx context.Context) (*driver.Info, error) {
@@ -63,25 +77,71 @@ func (d *Driver) Rm(ctx context.Context, force, rmVolume, rmDaemon bool) error {
 	return nil
 }
 
-func (d *Driver) Client(ctx context.Context) (*client.Client, error) {
+func (d *Driver) Client(ctx context.Context, opts ...client.ClientOpt) (*client.Client, error) {
-	opts := []client.ClientOpt{}
+	opts = append([]client.ClientOpt{
+		client.WithContextDialer(func(ctx context.Context, _ string) (net.Conn, error) {
+			return d.Dial(ctx)
+		}),
+	}, opts...)
+	return client.New(ctx, "", opts...)
+}
 
-	exp, err := detect.Exporter()
+func (d *Driver) Dial(ctx context.Context) (net.Conn, error) {
+	addr := d.InitConfig.EndpointAddr
+	ch, err := connhelper.GetConnectionHelper(addr)
 	if err != nil {
 		return nil, err
 	}
-	if td, ok := exp.(client.TracerDelegate); ok {
+	if ch != nil {
-		opts = append(opts, client.WithTracerDelegate(td))
+		return ch.ContextDialer(ctx, addr)
+	}
+
+	network, addr, ok := strings.Cut(addr, "://")
+	if !ok {
+		return nil, errors.Errorf("invalid endpoint address: %s", d.InitConfig.EndpointAddr)
+	}
+
+	conn, err := util.DialContext(ctx, network, addr)
+
+	if err != nil {
+		return nil, errors.WithStack(err)
 	}
 
 	if d.tlsOpts != nil {
-		opts = append(opts, []client.ClientOpt{
+		cfg, err := loadTLS(d.tlsOpts)
-			client.WithServerConfig(d.tlsOpts.serverName, d.tlsOpts.caCert),
+		if err != nil {
-			client.WithCredentials(d.tlsOpts.cert, d.tlsOpts.key),
+			return nil, errors.Wrap(err, "error loading tls config")
-		}...)
+		}
+		conn = tls.Client(conn, cfg)
+	}
+	return conn, nil
+}
+
+func loadTLS(opts *tlsOpts) (*tls.Config, error) {
+	cfg := &tls.Config{
+		ServerName: opts.serverName,
+		RootCAs:    x509.NewCertPool(),
 	}
 
-	return client.New(ctx, d.InitConfig.EndpointAddr, opts...)
+	if opts.caCert != "" {
+		ca, err := os.ReadFile(opts.caCert)
+		if err != nil {
+			return nil, errors.Wrap(err, "could not read ca certificate")
+		}
+		if ok := cfg.RootCAs.AppendCertsFromPEM(ca); !ok {
+			return nil, errors.New("failed to append ca certs")
+		}
+	}
+
+	if opts.cert != "" || opts.key != "" {
+		cert, err := tls.LoadX509KeyPair(opts.cert, opts.key)
+		if err != nil {
+			return nil, errors.Wrap(err, "could not read certificate/key")
+		}
+		cfg.Certificates = append(cfg.Certificates, cert)
+	}
+
+	return cfg, nil
 }
 
 func (d *Driver) Features(ctx context.Context) map[driver.Feature]bool {
@@ -90,6 +150,7 @@ func (d *Driver) Features(ctx context.Context) map[driver.Feature]bool {
 		driver.DockerExporter: true,
 		driver.CacheExport:    true,
 		driver.MultiPlatform:  true,
+		driver.DefaultLoad:    d.defaultLoad,
 	}
 }
 

driver/remote/factory.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"net/url"
 	"path/filepath"
+	"strconv"
 	"strings"
 
 	// import connhelpers for special url schemes
@@ -46,7 +47,7 @@ func (f *factory) New(ctx context.Context, cfg driver.InitConfig) (driver.Driver
 	if len(cfg.Files) > 0 {
 		return nil, errors.Errorf("setting config file is not supported for remote driver")
 	}
-	if len(cfg.BuildkitFlags) > 0 {
+	if len(cfg.BuildkitdFlags) > 0 {
 		return nil, errors.Errorf("setting buildkit flags is not supported for remote driver")
 	}
 
@@ -80,6 +81,12 @@ func (f *factory) New(ctx context.Context, cfg driver.InitConfig) (driver.Driver
 			}
 			tls.key = v
 			tlsEnabled = true
+		case "default-load":
+			parsed, err := strconv.ParseBool(v)
+			if err != nil {
+				return nil, err
+			}
+			d.defaultLoad = parsed
 		default:
 			return nil, errors.Errorf("invalid driver option %s for remote driver", k)
 		}

driver/remote/util/dialer_unix.go

@@ -0,0 +1,17 @@
+//go:build !windows
+// +build !windows
+
+package remote
+
+import (
+	"context"
+	"net"
+)
+
+func DialContext(ctx context.Context, network string, addr string) (net.Conn, error) {
+	dialer := &net.Dialer{}
+
+	conn, err := dialer.DialContext(ctx, network, addr)
+
+	return conn, err
+}

driver/remote/util/dialer_windows.go

@@ -0,0 +1,23 @@
+package remote
+
+import (
+	"context"
+	"net"
+
+	"github.com/Microsoft/go-winio"
+)
+
+func DialContext(ctx context.Context, network string, addr string) (net.Conn, error) {
+	var conn net.Conn
+	var err error
+
+	// dial context doesn't support named pipes
+	if network == "npipe" {
+		conn, err = winio.DialPipeContext(ctx, addr)
+	} else {
+		dialer := &net.Dialer{}
+		conn, err = dialer.DialContext(ctx, network, addr)
+	}
+
+	return conn, err
+}

driver/remote/util/endpoint.go

@@ -12,6 +12,7 @@ var schemes = map[string]struct{}{
 	"ssh":              {},
 	"docker-container": {},
 	"kube-pod":         {},
+	"npipe":            {},
 }
 
 func IsValidEndpoint(ep string) error {

go.mod

@@ -1,164 +1,177 @@
 module github.com/docker/buildx
 
-go 1.20
+go 1.21
 
 require (
 	github.com/Masterminds/semver/v3 v3.2.1
-	github.com/aws/aws-sdk-go-v2/config v1.18.16
+	github.com/Microsoft/go-winio v0.6.1
-	github.com/compose-spec/compose-go v1.20.0
+	github.com/aws/aws-sdk-go-v2/config v1.26.6
-	github.com/containerd/console v1.0.3
+	github.com/compose-spec/compose-go/v2 v2.0.2
-	github.com/containerd/containerd v1.7.7
+	github.com/containerd/console v1.0.4
-	github.com/containerd/continuity v0.4.2
+	github.com/containerd/containerd v1.7.15
+	github.com/containerd/continuity v0.4.3
 	github.com/containerd/log v0.1.0
 	github.com/containerd/typeurl/v2 v2.1.1
 	github.com/creack/pty v1.1.18
 	github.com/distribution/reference v0.5.0
-	github.com/docker/cli v24.0.5+incompatible
+	github.com/docker/cli v26.0.1-0.20240410153731-b6c552212837+incompatible // v26.1.0-dev
-	github.com/docker/cli-docs-tool v0.6.0
+	github.com/docker/cli-docs-tool v0.7.0
-	github.com/docker/docker v24.0.5+incompatible
+	github.com/docker/docker v26.0.0+incompatible
 	github.com/docker/go-units v0.5.0
 	github.com/gofrs/flock v0.8.1
 	github.com/gogo/protobuf v1.3.2
-	github.com/golang/protobuf v1.5.3
+	github.com/golang/protobuf v1.5.4
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
-	github.com/google/uuid v1.3.0
+	github.com/google/uuid v1.6.0
 	github.com/hashicorp/go-cty-funcs v0.0.0-20230405223818-a090f58aa992
-	github.com/hashicorp/hcl/v2 v2.19.1
+	github.com/hashicorp/hcl/v2 v2.20.1
-	github.com/moby/buildkit v0.13.0-beta1.0.20231023114302-d5c1d785b042
+	github.com/in-toto/in-toto-golang v0.5.0
-	github.com/moby/sys/mountinfo v0.6.2
+	github.com/moby/buildkit v0.13.0-rc3.0.20240417151852-71f99c52a669 // v0.14.0-dev
+	github.com/moby/sys/mountinfo v0.7.1
 	github.com/moby/sys/signal v0.7.0
 	github.com/morikuni/aec v1.0.0
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.1.0-rc5
 	github.com/pelletier/go-toml v1.9.5
 	github.com/pkg/errors v0.9.1
-	github.com/serialx/hashring v0.0.0-20190422032157-8b2912629002
+	github.com/serialx/hashring v0.0.0-20200727003509-22c0c7ab6b1b
 	github.com/sirupsen/logrus v1.9.3
-	github.com/spf13/cobra v1.7.0
+	github.com/spf13/cobra v1.8.0
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.8.4
-	github.com/zclconf/go-cty v1.14.1
+	github.com/tonistiigi/fsutil v0.0.0-20240301111122-7525a1af2bb5
-	go.opentelemetry.io/otel v1.14.0
+	github.com/zclconf/go-cty v1.14.4
-	go.opentelemetry.io/otel/trace v1.14.0
+	go.opentelemetry.io/otel v1.21.0
-	golang.org/x/mod v0.11.0
+	go.opentelemetry.io/otel/metric v1.21.0
-	golang.org/x/sync v0.3.0
+	go.opentelemetry.io/otel/trace v1.21.0
-	golang.org/x/term v0.13.0
+	golang.org/x/mod v0.14.0
-	google.golang.org/grpc v1.53.0
+	golang.org/x/sync v0.6.0
+	golang.org/x/sys v0.18.0
+	golang.org/x/term v0.18.0
+	google.golang.org/grpc v1.59.0
 	gopkg.in/yaml.v3 v3.0.1
-	k8s.io/api v0.26.7
+	k8s.io/api v0.29.2
-	k8s.io/apimachinery v0.26.7
+	k8s.io/apimachinery v0.29.2
-	k8s.io/apiserver v0.26.7
+	k8s.io/apiserver v0.29.2
-	k8s.io/client-go v0.26.7
+	k8s.io/client-go v0.29.2
 )
 
 require (
 	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
-	github.com/Microsoft/go-winio v0.6.1 // indirect
+	github.com/Microsoft/hcsshim v0.11.4 // indirect
-	github.com/Microsoft/hcsshim v0.11.1 // indirect
 	github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d // indirect
 	github.com/agext/levenshtein v1.2.3 // indirect
 	github.com/apparentlymart/go-cidr v1.0.1 // indirect
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
-	github.com/aws/aws-sdk-go-v2 v1.17.6 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.24.1 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.13.16 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.16.16 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.24 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.30 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.24 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.31 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.7.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.24 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.12.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.18.7 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.18.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7 // indirect
-	github.com/aws/smithy-go v1.13.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.26.7 // indirect
+	github.com/aws/smithy-go v1.19.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/cenkalti/backoff/v4 v4.2.0 // indirect
+	github.com/cenkalti/backoff/v4 v4.2.1 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
-	github.com/containerd/ttrpc v1.2.2 // indirect
+	github.com/containerd/ttrpc v1.2.3 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/docker/distribution v2.8.2+incompatible // indirect
-	github.com/docker/docker-credential-helpers v0.7.0 // indirect
+	github.com/docker/docker-credential-helpers v0.8.0 // indirect
 	github.com/docker/go v1.5.1-1.0.20160303222718-d30aec9fd63c // indirect
-	github.com/docker/go-connections v0.4.0 // indirect
+	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-metrics v0.0.1 // indirect
-	github.com/emicklei/go-restful/v3 v3.10.1 // indirect
+	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
-	github.com/felixge/httpsnoop v1.0.3 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fvbommel/sortorder v1.0.1 // indirect
-	github.com/go-logr/logr v1.2.3 // indirect
+	github.com/go-logr/logr v1.3.0 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/go-openapi/jsonpointer v0.19.5 // indirect
+	github.com/go-openapi/jsonpointer v0.19.6 // indirect
-	github.com/go-openapi/jsonreference v0.20.0 // indirect
+	github.com/go-openapi/jsonreference v0.20.2 // indirect
-	github.com/go-openapi/swag v0.19.14 // indirect
+	github.com/go-openapi/swag v0.22.3 // indirect
 	github.com/gogo/googleapis v1.4.1 // indirect
-	github.com/google/gnostic v0.5.7-v3refs // indirect
+	github.com/google/gnostic-models v0.6.8 // indirect
-	github.com/google/go-cmp v0.5.9 // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/gorilla/mux v1.8.0 // indirect
-	github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 // indirect
+	github.com/gorilla/websocket v1.5.0 // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.3 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/imdario/mergo v0.3.16 // indirect
-	github.com/in-toto/in-toto-golang v0.5.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/klauspost/compress v1.16.3 // indirect
+	github.com/klauspost/compress v1.17.4 // indirect
-	github.com/mailru/easyjson v0.7.6 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/mattn/go-runewidth v0.0.15 // indirect
 	github.com/mattn/go-shellwords v1.0.12 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
 	github.com/miekg/pkcs11 v1.1.1 // indirect
+	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-wordwrap v0.0.0-20150314170334-ad45545899c7 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/mitchellh/reflectwalk v1.0.2 // indirect
+	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/locker v1.0.1 // indirect
 	github.com/moby/patternmatcher v0.6.0 // indirect
 	github.com/moby/spdystream v0.2.0 // indirect
 	github.com/moby/sys/sequential v0.5.0 // indirect
+	github.com/moby/sys/user v0.1.0 // indirect
 	github.com/moby/term v0.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/opencontainers/runc v1.1.9 // indirect
+	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/prometheus/client_golang v1.14.0 // indirect
+	github.com/prometheus/client_golang v1.17.0 // indirect
-	github.com/prometheus/client_model v0.3.0 // indirect
+	github.com/prometheus/client_model v0.5.0 // indirect
-	github.com/prometheus/common v0.42.0 // indirect
+	github.com/prometheus/common v0.44.0 // indirect
-	github.com/prometheus/procfs v0.9.0 // indirect
+	github.com/prometheus/procfs v0.12.0 // indirect
+	github.com/rivo/uniseg v0.2.0 // indirect
 	github.com/secure-systems-lab/go-securesystemslib v0.4.0 // indirect
 	github.com/shibumi/go-pathspec v1.3.0 // indirect
 	github.com/theupdateframework/notary v0.7.0 // indirect
-	github.com/tonistiigi/fsutil v0.0.0-20230629203738-36ef4d8c0dbb // indirect
 	github.com/tonistiigi/units v0.0.0-20180711220420-6950e57a87ea // indirect
 	github.com/tonistiigi/vt100 v0.0.0-20230623042737-f9a4f7ef6531 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.40.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.1 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.40.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.46.1 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.40.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.14.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric v0.42.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.14.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v0.42.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.14.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v0.42.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.14.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.21.0 // indirect
-	go.opentelemetry.io/otel/metric v0.37.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.21.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.14.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.21.0 // indirect
-	go.opentelemetry.io/proto/otlp v0.19.0 // indirect
+	go.opentelemetry.io/otel/exporters/prometheus v0.42.0 // indirect
-	golang.org/x/crypto v0.14.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.21.0 // indirect
-	golang.org/x/exp v0.0.0-20230713183714-613f0c0eb8a1 // indirect
+	go.opentelemetry.io/otel/sdk/metric v1.21.0 // indirect
-	golang.org/x/net v0.17.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.0.0 // indirect
-	golang.org/x/oauth2 v0.5.0 // indirect
+	golang.org/x/crypto v0.21.0 // indirect
-	golang.org/x/sys v0.13.0 // indirect
+	golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3 // indirect
-	golang.org/x/text v0.13.0 // indirect
+	golang.org/x/net v0.23.0 // indirect
+	golang.org/x/oauth2 v0.11.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
-	golang.org/x/tools v0.7.0 // indirect
+	golang.org/x/tools v0.17.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20230306155012-7f2fa6fef1f4 // indirect
+	google.golang.org/genproto v0.0.0-20231016165738-49dd2c1f3d0b // indirect
-	google.golang.org/protobuf v1.30.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20231016165738-49dd2c1f3d0b // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20231016165738-49dd2c1f3d0b // indirect
+	google.golang.org/protobuf v1.33.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	k8s.io/klog/v2 v2.90.1 // indirect
+	k8s.io/klog/v2 v2.110.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 // indirect
+	k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect
-	k8s.io/utils v0.0.0-20230220204549-a5ecb0141aa5 // indirect
+	k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
-	sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
+	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
 	sigs.k8s.io/yaml v1.3.0 // indirect
 )

hack/dockerfiles/docs.Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.21.3
+ARG GO_VERSION=1.21
 ARG FORMATS=md,yaml
 
 FROM golang:${GO_VERSION}-alpine AS docsgen

hack/dockerfiles/generated-files.Dockerfile

@@ -5,7 +5,7 @@
 # Copyright The Buildx Authors.
 # Licensed under the Apache License, Version 2.0
 
-ARG GO_VERSION="1.21.3"
+ARG GO_VERSION="1.21"
 ARG PROTOC_VERSION="3.11.4"
 
 # protoc is dynamically linked to glibc so can't use alpine base

hack/dockerfiles/lint.Dockerfile

@@ -1,14 +1,19 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.21.3
+ARG GO_VERSION=1.21
+ARG XX_VERSION=1.3.0
 ARG GOLANGCI_LINT_VERSION=1.54.2
 
-FROM golang:${GO_VERSION}-alpine
+FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
+FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine
 RUN apk add --no-cache git gcc musl-dev
 ENV GOFLAGS="-buildvcs=false"
 ARG GOLANGCI_LINT_VERSION
 RUN wget -O- -nv https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s v${GOLANGCI_LINT_VERSION}
+COPY --link --from=xx / /
 WORKDIR /go/src/github.com/docker/buildx
+ARG TARGETPLATFORM
 RUN --mount=target=/go/src/github.com/docker/buildx \
-    --mount=target=/root/.cache,type=cache \
+    --mount=target=/root/.cache,type=cache,id=lint-cache-$TARGETPLATFORM \
+    xx-go --wrap && \
     golangci-lint run

hack/dockerfiles/vendor.Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.21.3
+ARG GO_VERSION=1.21
 ARG MODOUTDATED_VERSION=v0.8.0
 
 FROM golang:${GO_VERSION}-alpine AS base

hack/test

@@ -10,7 +10,9 @@ set -eu -o pipefail
 : "${TEST_REPORT_SUFFIX=}"
 : "${TEST_KEEP_CACHE=}"
 : "${TEST_DOCKERD=}"
+: "${TEST_BUILDKIT_TAG=}"
 : "${TEST_BUILDKIT_IMAGE=}"
+: "${TEST_BUILDX_EXPERIMENTAL=}"
 
 if [ "$TEST_IMAGE_BUILD" = "1" ]; then
   ${BUILDX_CMD} bake integration-test --set "*.output=type=docker,name=$TEST_IMAGE_ID"
@@ -24,11 +26,11 @@ gotestArgs="-mod=vendor -coverprofile=/testreports/coverage-report$TEST_REPORT_S
 
 cacheVolume="buildx-test-cache"
 if ! docker container inspect "$cacheVolume" >/dev/null 2>/dev/null; then
-  docker create -v /root/.cache -v /root/.cache/registry -v /go/pkg/mod --name "$cacheVolume" alpine
+  docker create -v /root/.cache -v /root/.cache/registry -v /root/.cache/undock -v /go/pkg/mod --name "$cacheVolume" alpine
 fi
 if [ "$TEST_KEEP_CACHE" != "1" ]; then
   trap 'docker rm -v $cacheVolume' EXIT
 fi
 
-cid=$(docker create --rm -v /tmp $testReportsVol --volumes-from=$cacheVolume -e GITHUB_REF -e TEST_DOCKERD -e TEST_BUILDKIT_IMAGE -e SKIP_INTEGRATION_TESTS -e GOTESTSUM_FORMAT ${BUILDKIT_INTEGRATION_SNAPSHOTTER:+"-eBUILDKIT_INTEGRATION_SNAPSHOTTER"} -e BUILDKIT_REGISTRY_MIRROR_DIR=/root/.cache/registry --privileged $TEST_IMAGE_ID gotestsum $gotestsumArgs --packages="${TESTPKGS:-./...}" -- $gotestArgs ${TESTFLAGS:--v})
+cid=$(docker create --rm -v /tmp $testReportsVol --volumes-from=$cacheVolume -e GITHUB_REF -e TEST_DOCKERD -e TEST_BUILDKIT_IMAGE -e TEST_BUILDKIT_TAG -e TEST_BUILDX_EXPERIMENTAL -e SKIP_INTEGRATION_TESTS -e GOTESTSUM_FORMAT ${BUILDKIT_INTEGRATION_SNAPSHOTTER:+"-eBUILDKIT_INTEGRATION_SNAPSHOTTER"} -e BUILDKIT_REGISTRY_MIRROR_DIR=/root/.cache/registry --privileged $TEST_IMAGE_ID gotestsum $gotestsumArgs --packages="${TESTPKGS:-./...}" -- $gotestArgs ${TESTFLAGS:--v})
 docker start -a -i $cid

hack/test-driver

@@ -49,7 +49,7 @@ if [ "$DRIVER" != "docker" ]; then
     for platform in ${PLATFORMS//,/ }; do
       createFlags=""
       if [ -f "$BUILDKIT_CFG" ]; then
-        createFlags="$createFlags --config=${BUILDKIT_CFG}"
+        createFlags="$createFlags --buildkitd-config=${BUILDKIT_CFG}"
       fi
       if [ "$firstNode" = "0" ]; then
         createFlags="$createFlags --append"
@@ -71,7 +71,7 @@ if [ "$DRIVER" != "docker" ]; then
   else
     createFlags=""
     if [ -f "$BUILDKIT_CFG" ]; then
-      createFlags="$createFlags --config=${BUILDKIT_CFG}"
+      createFlags="$createFlags --buildkitd-config=${BUILDKIT_CFG}"
     fi
     buildxCmd create ${createFlags} \
       --bootstrap \

store/nodegroup.go

@@ -24,11 +24,11 @@ type NodeGroup struct {
 }
 
 type Node struct {
-	Name       string
+	Name           string
-	Endpoint   string
+	Endpoint       string
-	Platforms  []specs.Platform
+	Platforms      []specs.Platform
-	Flags      []string
+	DriverOpts     map[string]string
-	DriverOpts map[string]string
+	BuildkitdFlags []string `json:"Flags"` // keep the field name for backward compatibility
 
 	Files map[string][]byte
 }
@@ -48,7 +48,7 @@ func (ng *NodeGroup) Leave(name string) error {
 	return nil
 }
 
-func (ng *NodeGroup) Update(name, endpoint string, platforms []string, endpointsSet bool, actionAppend bool, flags []string, configFile string, do map[string]string) error {
+func (ng *NodeGroup) Update(name, endpoint string, platforms []string, endpointsSet bool, actionAppend bool, buildkitdFlags []string, buildkitdConfigFile string, do map[string]string) error {
 	if ng.Dynamic {
 		return errors.New("dynamic node group does not support Update")
 	}
@@ -66,8 +66,8 @@ func (ng *NodeGroup) Update(name, endpoint string, platforms []string, endpoints
 	}
 
 	var files map[string][]byte
-	if configFile != "" {
+	if buildkitdConfigFile != "" {
-		files, err = confutil.LoadConfigFiles(configFile)
+		files, err = confutil.LoadConfigFiles(buildkitdConfigFile)
 		if err != nil {
 			return err
 		}
@@ -83,15 +83,15 @@ func (ng *NodeGroup) Update(name, endpoint string, platforms []string, endpoints
 		if len(platforms) > 0 {
 			n.Platforms = pp
 		}
-		if flags != nil {
+		if buildkitdFlags != nil {
-			n.Flags = flags
+			n.BuildkitdFlags = buildkitdFlags
 			needsRestart = true
 		}
 		if do != nil {
 			n.DriverOpts = do
 			needsRestart = true
 		}
-		if configFile != "" {
+		if buildkitdConfigFile != "" {
 			for k, v := range files {
 				n.Files[k] = v
 			}
@@ -115,12 +115,12 @@ func (ng *NodeGroup) Update(name, endpoint string, platforms []string, endpoints
 	}
 
 	n := Node{
-		Name:       name,
+		Name:           name,
-		Endpoint:   endpoint,
+		Endpoint:       endpoint,
-		Platforms:  pp,
+		Platforms:      pp,
-		Flags:      flags,
+		DriverOpts:     do,
-		DriverOpts: do,
+		BuildkitdFlags: buildkitdFlags,
-		Files:      files,
+		Files:          files,
 	}
 
 	ng.Nodes = append(ng.Nodes, n)
@@ -143,8 +143,8 @@ func (ng *NodeGroup) Copy() *NodeGroup {
 func (n *Node) Copy() *Node {
 	platforms := []specs.Platform{}
 	copy(platforms, n.Platforms)
-	flags := []string{}
+	buildkitdFlags := []string{}
-	copy(flags, n.Flags)
+	copy(buildkitdFlags, n.BuildkitdFlags)
 	driverOpts := map[string]string{}
 	for k, v := range n.DriverOpts {
 		driverOpts[k] = v
@@ -156,12 +156,12 @@ func (n *Node) Copy() *Node {
 		files[k] = vv
 	}
 	return &Node{
-		Name:       n.Name,
+		Name:           n.Name,
-		Endpoint:   n.Endpoint,
+		Endpoint:       n.Endpoint,
-		Platforms:  platforms,
+		Platforms:      platforms,
-		Flags:      flags,
+		BuildkitdFlags: buildkitdFlags,
-		DriverOpts: driverOpts,
+		DriverOpts:     driverOpts,
-		Files:      files,
+		Files:          files,
 	}
 }
 

store/nodegroup_test.go

@@ -28,8 +28,8 @@ func TestNodeGroupUpdate(t *testing.T) {
 	require.Equal(t, []string{"linux/arm64"}, platformutil.Format(ng.Nodes[1].Platforms))
 
 	require.Equal(t, "foo2", ng.Nodes[0].Endpoint)
-	require.Equal(t, []string{"--debug"}, ng.Nodes[0].Flags)
+	require.Equal(t, []string{"--debug"}, ng.Nodes[0].BuildkitdFlags)
-	require.Equal(t, []string(nil), ng.Nodes[1].Flags)
+	require.Equal(t, []string(nil), ng.Nodes[1].BuildkitdFlags)
 
 	// duplicate endpoint
 	err = ng.Update("foo1", "foo2", nil, true, false, nil, "", nil)

tests/bake.go

@@ -1,13 +1,20 @@
 package tests
 
 import (
+	"encoding/json"
+	"fmt"
 	"os"
 	"path/filepath"
 	"testing"
 
 	"github.com/containerd/continuity/fs/fstest"
 	"github.com/docker/buildx/util/gitutil"
+	"github.com/moby/buildkit/identity"
+	provenancetypes "github.com/moby/buildkit/solver/llbsolver/provenance/types"
+	"github.com/moby/buildkit/util/contentutil"
+	"github.com/moby/buildkit/util/testutil"
 	"github.com/moby/buildkit/util/testutil/integration"
+	"github.com/pkg/errors"
 	"github.com/stretchr/testify/require"
 )
 
@@ -22,8 +29,10 @@ var bakeTests = []func(t *testing.T, sb integration.Sandbox){
 	testBakeLocal,
 	testBakeLocalMulti,
 	testBakeRemote,
+	testBakeRemoteAuth,
 	testBakeRemoteCmdContext,
 	testBakeRemoteLocalOverride,
+	testBakeLocalCwdOverride,
 	testBakeRemoteCmdContextOverride,
 	testBakeRemoteContextSubdir,
 	testBakeRemoteCmdContextEscapeRoot,
@@ -31,6 +40,11 @@ var bakeTests = []func(t *testing.T, sb integration.Sandbox){
 	testBakeRemoteDockerfileCwd,
 	testBakeRemoteLocalContextRemoteDockerfile,
 	testBakeEmpty,
+	testBakeShmSize,
+	testBakeUlimits,
+	testBakeMetadata,
+	testBakeMultiExporters,
+	testBakeLoadPush,
 }
 
 func testBakeLocal(t *testing.T, sb integration.Sandbox) {
@@ -53,7 +67,7 @@ target "default" {
 
 	cmd := buildxCmd(sb, withDir(dir), withArgs("bake", "--progress=plain", "--set", "*.output=type=local,dest="+dirDest))
 	out, err := cmd.CombinedOutput()
-	require.NoError(t, err, out)
+	require.NoError(t, err, string(out))
 	require.Contains(t, string(out), `#1 [internal] load local bake definitions`)
 	require.Contains(t, string(out), `#1 reading docker-bake.hcl`)
 
@@ -131,6 +145,41 @@ EOT
 	require.FileExists(t, filepath.Join(dirDest, "foo"))
 }
 
+func testBakeRemoteAuth(t *testing.T, sb integration.Sandbox) {
+	bakefile := []byte(`
+target "default" {
+	dockerfile-inline = <<EOT
+FROM scratch
+COPY foo /foo
+EOT
+}
+`)
+	dir := tmpdir(
+		t,
+		fstest.CreateFile("docker-bake.hcl", bakefile, 0600),
+		fstest.CreateFile("foo", []byte("foo"), 0600),
+	)
+	dirDest := t.TempDir()
+
+	git, err := gitutil.New(gitutil.WithWorkingDir(dir))
+	require.NoError(t, err)
+
+	gitutil.GitInit(git, t)
+	gitutil.GitAdd(git, t, "docker-bake.hcl", "foo")
+	gitutil.GitCommit(git, t, "initial commit")
+
+	token := identity.NewID()
+	addr := gitutil.GitServeHTTP(git, t, gitutil.WithAccessToken(token))
+
+	out, err := bakeCmd(sb, withDir(dir),
+		withEnv("BUILDX_BAKE_GIT_AUTH_TOKEN="+token),
+		withArgs(addr, "--set", "*.output=type=local,dest="+dirDest),
+	)
+	require.NoError(t, err, out)
+
+	require.FileExists(t, filepath.Join(dirDest, "foo"))
+}
+
 func testBakeRemoteLocalOverride(t *testing.T, sb integration.Sandbox) {
 	remoteBakefile := []byte(`
 target "default" {
@@ -173,6 +222,41 @@ EOT
 	require.FileExists(t, filepath.Join(dirDest, "bar"))
 }
 
+func testBakeLocalCwdOverride(t *testing.T, sb integration.Sandbox) {
+	bakeFile := []byte(`
+target "default" {
+	dockerfile-inline = <<EOT
+FROM scratch
+COPY foo /foo
+EOT
+}
+`)
+	cwdBakefile := []byte(`
+target "default" {
+	dockerfile-inline = <<EOT
+FROM scratch
+COPY bar /bar
+EOT
+}
+`)
+
+	dir := tmpdir(
+		t,
+		fstest.CreateFile("docker-bake.hcl", bakeFile, 0600),
+		fstest.CreateFile("docker-bake-cwd.hcl", cwdBakefile, 0600),
+		fstest.CreateFile("bar", []byte("bar"), 0600),
+	)
+	dirDest := t.TempDir()
+
+	cmd := buildxCmd(sb, withDir(dir), withArgs("bake", "--file", "docker-bake.hcl", "--file", "cwd://docker-bake-cwd.hcl", "--progress=plain", "--set", "*.output=type=local,dest="+dirDest))
+	dt, err := cmd.CombinedOutput()
+	require.NoError(t, err, string(dt))
+	require.Contains(t, string(dt), `#1 [internal] load local bake definitions`)
+	require.Contains(t, string(dt), `#1 reading docker-bake.hcl`)
+	require.Contains(t, string(dt), `#1 reading docker-bake-cwd.hcl`)
+	require.FileExists(t, filepath.Join(dirDest, "bar"))
+}
+
 func testBakeRemoteCmdContext(t *testing.T, sb integration.Sandbox) {
 	bakefile := []byte(`
 target "default" {
@@ -484,3 +568,256 @@ func testBakeEmpty(t *testing.T, sb integration.Sandbox) {
 	require.Error(t, err, out)
 	require.Contains(t, out, "couldn't find a bake definition")
 }
+
+func testBakeShmSize(t *testing.T, sb integration.Sandbox) {
+	dockerfile := []byte(`
+FROM busybox AS build
+RUN mount | grep /dev/shm > /shmsize
+FROM scratch
+COPY --from=build /shmsize /
+	`)
+	bakefile := []byte(`
+target "default" {
+  shm-size = "128m"
+}
+`)
+	dir := tmpdir(
+		t,
+		fstest.CreateFile("docker-bake.hcl", bakefile, 0600),
+		fstest.CreateFile("Dockerfile", dockerfile, 0600),
+	)
+
+	dirDest := t.TempDir()
+
+	out, err := bakeCmd(
+		sb,
+		withDir(dir),
+		withArgs("--set", "*.output=type=local,dest="+dirDest),
+	)
+	require.NoError(t, err, out)
+
+	dt, err := os.ReadFile(filepath.Join(dirDest, "shmsize"))
+	require.NoError(t, err)
+	require.Contains(t, string(dt), `size=131072k`)
+}
+
+func testBakeUlimits(t *testing.T, sb integration.Sandbox) {
+	dockerfile := []byte(`
+FROM busybox AS build
+RUN ulimit -n > first > /ulimit
+FROM scratch
+COPY --from=build /ulimit /
+	`)
+	bakefile := []byte(`
+target "default" {
+  ulimits = ["nofile=1024:1024"]
+}
+`)
+	dir := tmpdir(
+		t,
+		fstest.CreateFile("docker-bake.hcl", bakefile, 0600),
+		fstest.CreateFile("Dockerfile", dockerfile, 0600),
+	)
+
+	dirDest := t.TempDir()
+
+	out, err := bakeCmd(
+		sb,
+		withDir(dir),
+		withArgs("--set", "*.output=type=local,dest="+dirDest),
+	)
+	require.NoError(t, err, out)
+
+	dt, err := os.ReadFile(filepath.Join(dirDest, "ulimit"))
+	require.NoError(t, err)
+	require.Contains(t, string(dt), `1024`)
+}
+
+func testBakeMetadata(t *testing.T, sb integration.Sandbox) {
+	t.Run("max", func(t *testing.T) {
+		bakeMetadata(t, sb, "max")
+	})
+	t.Run("min", func(t *testing.T) {
+		bakeMetadata(t, sb, "min")
+	})
+	t.Run("disabled", func(t *testing.T) {
+		bakeMetadata(t, sb, "disabled")
+	})
+}
+
+func bakeMetadata(t *testing.T, sb integration.Sandbox, metadataMode string) {
+	dockerfile := []byte(`
+FROM scratch
+COPY foo /foo
+	`)
+	bakefile := []byte(`
+target "default" {
+}
+`)
+	dir := tmpdir(
+		t,
+		fstest.CreateFile("docker-bake.hcl", bakefile, 0600),
+		fstest.CreateFile("Dockerfile", dockerfile, 0600),
+		fstest.CreateFile("foo", []byte("foo"), 0600),
+	)
+
+	dirDest := t.TempDir()
+
+	outFlag := "default.output=type=docker"
+	if sb.DockerAddress() == "" {
+		// there is no Docker atm to load the image
+		outFlag += ",dest=" + dirDest + "/image.tar"
+	}
+
+	cmd := buildxCmd(
+		sb,
+		withDir(dir),
+		withArgs("bake", "--metadata-file", filepath.Join(dirDest, "md.json"), "--set", outFlag),
+		withEnv("BUILDX_METADATA_PROVENANCE="+metadataMode),
+	)
+	out, err := cmd.CombinedOutput()
+	require.NoError(t, err, out)
+
+	dt, err := os.ReadFile(filepath.Join(dirDest, "md.json"))
+	require.NoError(t, err)
+
+	type mdT struct {
+		Default struct {
+			BuildRef        string                 `json:"buildx.build.ref"`
+			BuildProvenance map[string]interface{} `json:"buildx.build.provenance"`
+		} `json:"default"`
+	}
+	var md mdT
+	err = json.Unmarshal(dt, &md)
+	require.NoError(t, err)
+
+	require.NotEmpty(t, md.Default.BuildRef)
+	if metadataMode == "disabled" {
+		require.Empty(t, md.Default.BuildProvenance)
+		return
+	}
+	require.NotEmpty(t, md.Default.BuildProvenance)
+
+	dtprv, err := json.Marshal(md.Default.BuildProvenance)
+	require.NoError(t, err)
+
+	var prv provenancetypes.ProvenancePredicate
+	require.NoError(t, json.Unmarshal(dtprv, &prv))
+	require.Equal(t, provenancetypes.BuildKitBuildType, prv.BuildType)
+}
+
+func testBakeMultiExporters(t *testing.T, sb integration.Sandbox) {
+	if !isDockerContainerWorker(sb) {
+		t.Skip("only testing with docker-container worker")
+	}
+	skipNoCompatBuildKit(t, sb, ">= 0.13.0-0", "multi exporters")
+
+	registry, err := sb.NewRegistry()
+	if errors.Is(err, integration.ErrRequirements) {
+		t.Skip(err.Error())
+	}
+	require.NoError(t, err)
+
+	targetReg := registry + "/buildx/registry:latest"
+	targetStore := "buildx:local-" + identity.NewID()
+
+	t.Cleanup(func() {
+		cmd := dockerCmd(sb, withArgs("image", "rm", targetStore))
+		cmd.Stderr = os.Stderr
+		require.NoError(t, cmd.Run())
+	})
+
+	dockerfile := []byte(`
+FROM scratch
+COPY foo /foo
+	`)
+	bakefile := []byte(`
+target "default" {
+}
+`)
+	dir := tmpdir(
+		t,
+		fstest.CreateFile("docker-bake.hcl", bakefile, 0600),
+		fstest.CreateFile("Dockerfile", dockerfile, 0600),
+		fstest.CreateFile("foo", []byte("foo"), 0600),
+	)
+
+	outputs := []string{
+		"--set", fmt.Sprintf("*.output=type=image,name=%s,push=true", targetReg),
+		"--set", fmt.Sprintf("*.output=type=docker,name=%s", targetStore),
+		"--set", fmt.Sprintf("*.output=type=oci,dest=%s/result", dir),
+	}
+	cmd := buildxCmd(sb, withDir(dir), withArgs("bake"), withArgs(outputs...))
+	outb, err := cmd.CombinedOutput()
+	require.NoError(t, err, string(outb))
+
+	// test registry
+	desc, provider, err := contentutil.ProviderFromRef(targetReg)
+	require.NoError(t, err)
+	_, err = testutil.ReadImages(sb.Context(), provider, desc)
+	require.NoError(t, err)
+
+	// test docker store
+	cmd = dockerCmd(sb, withArgs("image", "inspect", targetStore))
+	cmd.Stderr = os.Stderr
+	require.NoError(t, cmd.Run())
+
+	// test oci
+	_, err = os.ReadFile(fmt.Sprintf("%s/result", dir))
+	require.NoError(t, err)
+
+	// TODO: test metadata file when supported by multi exporters https://github.com/docker/buildx/issues/2181
+}
+
+func testBakeLoadPush(t *testing.T, sb integration.Sandbox) {
+	if !isDockerContainerWorker(sb) {
+		t.Skip("only testing with docker-container worker")
+	}
+	skipNoCompatBuildKit(t, sb, ">= 0.13.0-0", "multi exporters")
+
+	registry, err := sb.NewRegistry()
+	if errors.Is(err, integration.ErrRequirements) {
+		t.Skip(err.Error())
+	}
+	require.NoError(t, err)
+
+	target := registry + "/buildx/registry:" + identity.NewID()
+
+	t.Cleanup(func() {
+		cmd := dockerCmd(sb, withArgs("image", "rm", target))
+		cmd.Stderr = os.Stderr
+		require.NoError(t, cmd.Run())
+	})
+
+	dockerfile := []byte(`
+FROM scratch
+COPY foo /foo
+	`)
+	bakefile := []byte(`
+target "default" {
+}
+`)
+	dir := tmpdir(
+		t,
+		fstest.CreateFile("docker-bake.hcl", bakefile, 0600),
+		fstest.CreateFile("Dockerfile", dockerfile, 0600),
+		fstest.CreateFile("foo", []byte("foo"), 0600),
+	)
+
+	cmd := buildxCmd(sb, withDir(dir), withArgs("bake", "--push", "--load", fmt.Sprintf("--set=*.tags=%s", target)))
+	outb, err := cmd.CombinedOutput()
+	require.NoError(t, err, string(outb))
+
+	// test registry
+	desc, provider, err := contentutil.ProviderFromRef(target)
+	require.NoError(t, err)
+	_, err = testutil.ReadImages(sb.Context(), provider, desc)
+	require.NoError(t, err)
+
+	// test docker store
+	cmd = dockerCmd(sb, withArgs("image", "inspect", target))
+	cmd.Stderr = os.Stderr
+	require.NoError(t, cmd.Run())
+
+	// TODO: test metadata file when supported by multi exporters https://github.com/docker/buildx/issues/2181
+}

tests/build.go

@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"net"
 	"os"
 	"path"
 	"path/filepath"
@@ -15,6 +16,9 @@ import (
 	"github.com/containerd/containerd/platforms"
 	"github.com/containerd/continuity/fs/fstest"
 	"github.com/creack/pty"
+	"github.com/moby/buildkit/identity"
+	provenancetypes "github.com/moby/buildkit/solver/llbsolver/provenance/types"
+	"github.com/moby/buildkit/util/appdefaults"
 	"github.com/moby/buildkit/util/contentutil"
 	"github.com/moby/buildkit/util/testutil"
 	"github.com/moby/buildkit/util/testutil/integration"
@@ -33,6 +37,7 @@ func buildCmd(sb integration.Sandbox, opts ...cmdOpt) (string, error) {
 
 var buildTests = []func(t *testing.T, sb integration.Sandbox){
 	testBuild,
+	testBuildStdin,
 	testImageIDOutput,
 	testBuildLocalExport,
 	testBuildRegistryExport,
@@ -48,6 +53,14 @@ var buildTests = []func(t *testing.T, sb integration.Sandbox){
 	testBuildOCIExportNotSupported,
 	testBuildMultiPlatformNotSupported,
 	testDockerHostGateway,
+	testBuildNetworkModeBridge,
+	testBuildShmSize,
+	testBuildUlimit,
+	testBuildMetadata,
+	testBuildMultiExporters,
+	testBuildLoadPush,
+	testBuildSecret,
+	testBuildDefaultLoad,
 }
 
 func testBuild(t *testing.T, sb integration.Sandbox) {
@@ -56,6 +69,26 @@ func testBuild(t *testing.T, sb integration.Sandbox) {
 	require.NoError(t, err, string(out))
 }
 
+func testBuildStdin(t *testing.T, sb integration.Sandbox) {
+	dockerfile := []byte(`
+FROM busybox:latest AS base
+COPY foo /etc/foo
+RUN cp /etc/foo /etc/bar
+
+FROM scratch
+COPY --from=base /etc/bar /bar
+`)
+	dir := tmpdir(
+		t,
+		fstest.CreateFile("foo", []byte("foo"), 0600),
+	)
+
+	cmd := buildxCmd(sb, withDir(dir), withArgs("build", "--progress=quiet", "-f-", dir))
+	cmd.Stdin = bytes.NewReader(dockerfile)
+	out, err := cmd.CombinedOutput()
+	require.NoError(t, err, string(out))
+}
+
 func testBuildLocalExport(t *testing.T, sb integration.Sandbox) {
 	dir := createTestProject(t)
 	out, err := buildCmd(sb, withArgs(fmt.Sprintf("--output=type=local,dest=%s/result", dir), dir))
@@ -116,9 +149,13 @@ func testBuildRegistryExportAttestations(t *testing.T, sb integration.Sandbox) {
 	target := registry + "/buildx/registry:latest"
 
 	out, err := buildCmd(sb, withArgs(fmt.Sprintf("--output=type=image,name=%s,push=true", target), "--provenance=true", dir))
-	if sb.Name() == "docker" {
+	if isMobyWorker(sb) {
 		require.Error(t, err)
-		require.Contains(t, out, "attestations are not supported")
+		require.Contains(t, out, "Attestation is not supported")
+		return
+	} else if !isMobyContainerdSnapWorker(sb) && !matchesBuildKitVersion(t, sb, ">= 0.11.0-0") {
+		require.Error(t, err)
+		require.Contains(t, out, "Attestations are not supported by the current BuildKit daemon")
 		return
 	}
 	require.NoError(t, err, string(out))
@@ -191,7 +228,7 @@ func testImageIDOutput(t *testing.T, sb integration.Sandbox) {
 
 func testBuildMobyFromLocalImage(t *testing.T, sb integration.Sandbox) {
 	if !isDockerWorker(sb) {
-		t.Skip("skipping test for non-docker workers")
+		t.Skip("only testing with docker workers")
 	}
 
 	// pull image
@@ -238,6 +275,7 @@ RUN busybox | head -1 | grep v1.36.1
 }
 
 func testBuildDetailsLink(t *testing.T, sb integration.Sandbox) {
+	skipNoCompatBuildKit(t, sb, ">= 0.11.0-0", "build details link")
 	buildDetailsPattern := regexp.MustCompile(`(?m)^View build details: docker-desktop://dashboard/build/[^/]+/[^/]+/[^/]+\n$`)
 
 	// build simple dockerfile
@@ -269,6 +307,11 @@ RUN echo foo > /bar`)
 	require.NoError(t, err, string(out))
 	require.True(t, buildDetailsPattern.MatchString(string(out)), fmt.Sprintf("expected build details link in output, got %q", out))
 
+	if isExperimental() {
+		// FIXME: https://github.com/docker/buildx/issues/2382
+		t.Skip("build details link not displayed in experimental mode when build fails: https://github.com/docker/buildx/issues/2382")
+	}
+
 	// build erroneous dockerfile
 	dockerfile = []byte(`FROM busybox:latest
 RUN exit 1`)
@@ -279,26 +322,9 @@ RUN exit 1`)
 	require.True(t, buildDetailsPattern.MatchString(string(out)), fmt.Sprintf("expected build details link in output, got %q", out))
 }
 
-func createTestProject(t *testing.T) string {
-	dockerfile := []byte(`
-FROM busybox:latest AS base
-COPY foo /etc/foo
-RUN cp /etc/foo /etc/bar
-
-FROM scratch
-COPY --from=base /etc/bar /bar
-`)
-	dir := tmpdir(
-		t,
-		fstest.CreateFile("Dockerfile", dockerfile, 0600),
-		fstest.CreateFile("foo", []byte("foo"), 0600),
-	)
-	return dir
-}
-
 func testBuildProgress(t *testing.T, sb integration.Sandbox) {
 	dir := createTestProject(t)
-	driver, _, _ := strings.Cut(sb.Name(), "+")
+	sbDriver, _ := driverName(sb.Name())
 	name := sb.Address()
 
 	// progress=tty
@@ -309,7 +335,7 @@ func testBuildProgress(t *testing.T, sb integration.Sandbox) {
 	io.Copy(buf, f)
 	ttyOutput := buf.String()
 	require.Contains(t, ttyOutput, "[+] Building")
-	require.Contains(t, ttyOutput, fmt.Sprintf("%s:%s", driver, name))
+	require.Contains(t, ttyOutput, fmt.Sprintf("%s:%s", sbDriver, name))
 	require.Contains(t, ttyOutput, "=> [internal] load build definition from Dockerfile")
 	require.Contains(t, ttyOutput, "=> [base 1/3] FROM docker.io/library/busybox:latest")
 
@@ -317,15 +343,16 @@ func testBuildProgress(t *testing.T, sb integration.Sandbox) {
 	cmd = buildxCmd(sb, withArgs("build", "--progress=plain", "--output=type=cacheonly", dir))
 	plainOutput, err := cmd.CombinedOutput()
 	require.NoError(t, err)
-	require.Contains(t, string(plainOutput), fmt.Sprintf(`#0 building with "%s" instance using %s driver`, name, driver))
+	require.Contains(t, string(plainOutput), fmt.Sprintf(`#0 building with "%s" instance using %s driver`, name, sbDriver))
 	require.Contains(t, string(plainOutput), "[internal] load build definition from Dockerfile")
 	require.Contains(t, string(plainOutput), "[base 1/3] FROM docker.io/library/busybox:latest")
 }
 
 func testBuildAnnotations(t *testing.T, sb integration.Sandbox) {
-	if sb.Name() == "docker" {
+	if isMobyWorker(sb) {
 		t.Skip("annotations not supported on docker worker")
 	}
+	skipNoCompatBuildKit(t, sb, ">= 0.11.0-0", "annotations")
 
 	dir := createTestProject(t)
 
@@ -382,8 +409,8 @@ func testBuildLabelNoKey(t *testing.T, sb integration.Sandbox) {
 }
 
 func testBuildCacheExportNotSupported(t *testing.T, sb integration.Sandbox) {
-	if sb.Name() != "docker" {
+	if !isMobyWorker(sb) {
-		t.Skip("skipping test for non-docker workers")
+		t.Skip("only testing with docker worker")
 	}
 
 	dir := createTestProject(t)
@@ -394,8 +421,8 @@ func testBuildCacheExportNotSupported(t *testing.T, sb integration.Sandbox) {
 }
 
 func testBuildOCIExportNotSupported(t *testing.T, sb integration.Sandbox) {
-	if sb.Name() != "docker" {
+	if !isMobyWorker(sb) {
-		t.Skip("skipping test for non-docker workers")
+		t.Skip("only testing with docker worker")
 	}
 
 	dir := createTestProject(t)
@@ -406,8 +433,8 @@ func testBuildOCIExportNotSupported(t *testing.T, sb integration.Sandbox) {
 }
 
 func testBuildMultiPlatformNotSupported(t *testing.T, sb integration.Sandbox) {
-	if sb.Name() != "docker" {
+	if !isMobyWorker(sb) {
-		t.Skip("skipping test for non-docker workers")
+		t.Skip("only testing with docker worker")
 	}
 
 	dir := createTestProject(t)
@@ -432,3 +459,353 @@ RUN ping -c 1 buildx.host-gateway-ip.local
 		require.NoError(t, err, string(out))
 	}
 }
+
+func testBuildNetworkModeBridge(t *testing.T, sb integration.Sandbox) {
+	if !isDockerContainerWorker(sb) {
+		t.Skip("only testing with docker-container worker")
+	}
+	skipNoCompatBuildKit(t, sb, ">= 0.13.0-0", "network bridge")
+
+	var builderName string
+	t.Cleanup(func() {
+		if builderName == "" {
+			return
+		}
+		out, err := rmCmd(sb, withArgs(builderName))
+		require.NoError(t, err, out)
+	})
+
+	out, err := createCmd(sb, withArgs(
+		"--driver", "docker-container",
+		"--buildkitd-flags=--oci-worker-net=bridge --allow-insecure-entitlement=network.host",
+	))
+	require.NoError(t, err, out)
+	builderName = strings.TrimSpace(out)
+
+	dockerfile := []byte(`
+FROM busybox AS build
+RUN ip a show eth0 | awk '/inet / {split($2, a, "/"); print a[1]}' > /ip-bridge.txt
+RUN --network=host ip a show eth0 | awk '/inet / {split($2, a, "/"); print a[1]}' > /ip-host.txt
+FROM scratch
+COPY --from=build /ip*.txt /`)
+	dir := tmpdir(t, fstest.CreateFile("Dockerfile", dockerfile, 0600))
+
+	cmd := buildxCmd(sb, withArgs("build", "--allow=network.host", fmt.Sprintf("--output=type=local,dest=%s", dir), dir))
+	cmd.Env = append(cmd.Env, "BUILDX_BUILDER="+builderName)
+	outb, err := cmd.CombinedOutput()
+	require.NoError(t, err, string(outb))
+
+	dt, err := os.ReadFile(filepath.Join(dir, "ip-bridge.txt"))
+	require.NoError(t, err)
+
+	ipBridge := net.ParseIP(strings.TrimSpace(string(dt)))
+	require.NotNil(t, ipBridge)
+
+	_, subnet, err := net.ParseCIDR(appdefaults.BridgeSubnet)
+	require.NoError(t, err)
+	require.True(t, subnet.Contains(ipBridge))
+
+	dt, err = os.ReadFile(filepath.Join(dir, "ip-host.txt"))
+	require.NoError(t, err)
+
+	ip := net.ParseIP(strings.TrimSpace(string(dt)))
+	require.NotNil(t, ip)
+
+	require.NotEqual(t, ip, ipBridge)
+}
+
+func testBuildShmSize(t *testing.T, sb integration.Sandbox) {
+	dockerfile := []byte(`
+FROM busybox AS build
+RUN mount | grep /dev/shm > /shmsize
+FROM scratch
+COPY --from=build /shmsize /
+	`)
+	dir := tmpdir(
+		t,
+		fstest.CreateFile("Dockerfile", dockerfile, 0600),
+	)
+
+	cmd := buildxCmd(sb, withArgs("build", "--shm-size=128m", fmt.Sprintf("--output=type=local,dest=%s", dir), dir))
+	out, err := cmd.CombinedOutput()
+	require.NoError(t, err, string(out))
+
+	dt, err := os.ReadFile(filepath.Join(dir, "shmsize"))
+	require.NoError(t, err)
+	require.Contains(t, string(dt), `size=131072k`)
+}
+
+func testBuildUlimit(t *testing.T, sb integration.Sandbox) {
+	dockerfile := []byte(`
+FROM busybox AS build
+RUN ulimit -n > first > /ulimit
+FROM scratch
+COPY --from=build /ulimit /
+	`)
+	dir := tmpdir(
+		t,
+		fstest.CreateFile("Dockerfile", dockerfile, 0600),
+	)
+
+	cmd := buildxCmd(sb, withArgs("build", "--ulimit=nofile=1024:1024", fmt.Sprintf("--output=type=local,dest=%s", dir), dir))
+	out, err := cmd.CombinedOutput()
+	require.NoError(t, err, string(out))
+
+	dt, err := os.ReadFile(filepath.Join(dir, "ulimit"))
+	require.NoError(t, err)
+	require.Contains(t, string(dt), `1024`)
+}
+
+func testBuildMetadata(t *testing.T, sb integration.Sandbox) {
+	t.Run("max", func(t *testing.T) {
+		buildMetadata(t, sb, "max")
+	})
+	t.Run("min", func(t *testing.T) {
+		buildMetadata(t, sb, "min")
+	})
+	t.Run("disabled", func(t *testing.T) {
+		buildMetadata(t, sb, "disabled")
+	})
+}
+
+func buildMetadata(t *testing.T, sb integration.Sandbox, metadataMode string) {
+	dir := createTestProject(t)
+	dirDest := t.TempDir()
+
+	outFlag := "--output=type=docker"
+	if sb.DockerAddress() == "" {
+		// there is no Docker atm to load the image
+		outFlag += ",dest=" + dirDest + "/image.tar"
+	}
+
+	cmd := buildxCmd(
+		sb,
+		withArgs("build", outFlag, "--metadata-file", filepath.Join(dirDest, "md.json"), dir),
+		withEnv("BUILDX_METADATA_PROVENANCE="+metadataMode),
+	)
+	out, err := cmd.CombinedOutput()
+	require.NoError(t, err, string(out))
+
+	dt, err := os.ReadFile(filepath.Join(dirDest, "md.json"))
+	require.NoError(t, err)
+
+	type mdT struct {
+		BuildRef        string                 `json:"buildx.build.ref"`
+		BuildProvenance map[string]interface{} `json:"buildx.build.provenance"`
+	}
+	var md mdT
+	err = json.Unmarshal(dt, &md)
+	require.NoError(t, err)
+
+	require.NotEmpty(t, md.BuildRef)
+	if metadataMode == "disabled" {
+		require.Empty(t, md.BuildProvenance)
+		return
+	}
+	require.NotEmpty(t, md.BuildProvenance)
+
+	dtprv, err := json.Marshal(md.BuildProvenance)
+	require.NoError(t, err)
+
+	var prv provenancetypes.ProvenancePredicate
+	require.NoError(t, json.Unmarshal(dtprv, &prv))
+	require.Equal(t, provenancetypes.BuildKitBuildType, prv.BuildType)
+}
+
+func testBuildMultiExporters(t *testing.T, sb integration.Sandbox) {
+	if !isDockerContainerWorker(sb) {
+		t.Skip("only testing with docker-container worker")
+	}
+	skipNoCompatBuildKit(t, sb, ">= 0.13.0-0", "multi exporters")
+
+	registry, err := sb.NewRegistry()
+	if errors.Is(err, integration.ErrRequirements) {
+		t.Skip(err.Error())
+	}
+	require.NoError(t, err)
+
+	targetReg := registry + "/buildx/registry:latest"
+	targetStore := "buildx:local-" + identity.NewID()
+
+	t.Cleanup(func() {
+		cmd := dockerCmd(sb, withArgs("image", "rm", targetStore))
+		cmd.Stderr = os.Stderr
+		require.NoError(t, cmd.Run())
+	})
+
+	dir := createTestProject(t)
+
+	outputs := []string{
+		"--output", fmt.Sprintf("type=image,name=%s,push=true", targetReg),
+		"--output", fmt.Sprintf("type=docker,name=%s", targetStore),
+		"--output", fmt.Sprintf("type=oci,dest=%s/result", dir),
+	}
+	cmd := buildxCmd(sb, withArgs("build"), withArgs(outputs...), withArgs(dir))
+	outb, err := cmd.CombinedOutput()
+	require.NoError(t, err, string(outb))
+
+	// test registry
+	desc, provider, err := contentutil.ProviderFromRef(targetReg)
+	require.NoError(t, err)
+	_, err = testutil.ReadImages(sb.Context(), provider, desc)
+	require.NoError(t, err)
+
+	// test docker store
+	cmd = dockerCmd(sb, withArgs("image", "inspect", targetStore))
+	cmd.Stderr = os.Stderr
+	require.NoError(t, cmd.Run())
+
+	// test oci
+	_, err = os.ReadFile(fmt.Sprintf("%s/result", dir))
+	require.NoError(t, err)
+
+	// TODO: test metadata file when supported by multi exporters https://github.com/docker/buildx/issues/2181
+}
+
+func testBuildLoadPush(t *testing.T, sb integration.Sandbox) {
+	if !isDockerContainerWorker(sb) {
+		t.Skip("only testing with docker-container worker")
+	}
+	skipNoCompatBuildKit(t, sb, ">= 0.13.0-0", "multi exporters")
+
+	registry, err := sb.NewRegistry()
+	if errors.Is(err, integration.ErrRequirements) {
+		t.Skip(err.Error())
+	}
+	require.NoError(t, err)
+
+	target := registry + "/buildx/registry:" + identity.NewID()
+
+	t.Cleanup(func() {
+		cmd := dockerCmd(sb, withArgs("image", "rm", target))
+		cmd.Stderr = os.Stderr
+		require.NoError(t, cmd.Run())
+	})
+
+	dir := createTestProject(t)
+
+	cmd := buildxCmd(sb, withArgs(
+		"build", "--push", "--load",
+		fmt.Sprintf("-t=%s", target),
+		dir,
+	))
+	outb, err := cmd.CombinedOutput()
+	require.NoError(t, err, string(outb))
+
+	// test registry
+	desc, provider, err := contentutil.ProviderFromRef(target)
+	require.NoError(t, err)
+	_, err = testutil.ReadImages(sb.Context(), provider, desc)
+	require.NoError(t, err)
+
+	// test docker store
+	cmd = dockerCmd(sb, withArgs("image", "inspect", target))
+	cmd.Stderr = os.Stderr
+	require.NoError(t, cmd.Run())
+
+	// TODO: test metadata file when supported by multi exporters https://github.com/docker/buildx/issues/2181
+}
+
+func testBuildSecret(t *testing.T, sb integration.Sandbox) {
+	token := "abcd1234"
+	dockerfile := []byte(`
+FROM busybox AS build
+RUN --mount=type=secret,id=token cat /run/secrets/token | tee /token
+FROM scratch
+COPY --from=build /token /
+	`)
+	dir := tmpdir(
+		t,
+		fstest.CreateFile("Dockerfile", dockerfile, 0600),
+		fstest.CreateFile("tokenfile", []byte(token), 0600),
+	)
+
+	t.Run("env", func(t *testing.T) {
+		t.Cleanup(func() {
+			_ = os.Remove(filepath.Join(dir, "token"))
+		})
+
+		cmd := buildxCmd(sb, withEnv("TOKEN="+token), withArgs("build", "--secret=id=token,env=TOKEN", fmt.Sprintf("--output=type=local,dest=%s", dir), dir))
+		out, err := cmd.CombinedOutput()
+		require.NoError(t, err, string(out))
+
+		dt, err := os.ReadFile(filepath.Join(dir, "token"))
+		require.NoError(t, err)
+		require.Equal(t, token, string(dt))
+	})
+
+	t.Run("file", func(t *testing.T) {
+		t.Cleanup(func() {
+			_ = os.Remove(filepath.Join(dir, "token"))
+		})
+
+		cmd := buildxCmd(sb, withArgs("build", "--secret=id=token,src="+path.Join(dir, "tokenfile"), fmt.Sprintf("--output=type=local,dest=%s", dir), dir))
+		out, err := cmd.CombinedOutput()
+		require.NoError(t, err, string(out))
+
+		dt, err := os.ReadFile(filepath.Join(dir, "token"))
+		require.NoError(t, err)
+		require.Equal(t, token, string(dt))
+	})
+}
+
+func testBuildDefaultLoad(t *testing.T, sb integration.Sandbox) {
+	if !isDockerWorker(sb) {
+		t.Skip("only testing with docker workers")
+	}
+
+	tag := "buildx/build:" + identity.NewID()
+
+	var builderName string
+	t.Cleanup(func() {
+		if builderName == "" {
+			return
+		}
+
+		cmd := dockerCmd(sb, withArgs("image", "rm", tag))
+		cmd.Stderr = os.Stderr
+		require.NoError(t, cmd.Run())
+
+		out, err := rmCmd(sb, withArgs(builderName))
+		require.NoError(t, err, out)
+	})
+
+	out, err := createCmd(sb, withArgs(
+		"--driver", "docker-container",
+		"--driver-opt", "default-load=true",
+	))
+	require.NoError(t, err, out)
+	builderName = strings.TrimSpace(out)
+
+	dir := createTestProject(t)
+
+	cmd := buildxCmd(sb, withArgs(
+		"build",
+		fmt.Sprintf("-t=%s", tag),
+		dir,
+	))
+	cmd.Env = append(cmd.Env, "BUILDX_BUILDER="+builderName)
+	outb, err := cmd.CombinedOutput()
+	require.NoError(t, err, string(outb))
+
+	cmd = dockerCmd(sb, withArgs("image", "inspect", tag))
+	cmd.Stderr = os.Stderr
+	require.NoError(t, cmd.Run())
+}
+
+func createTestProject(t *testing.T) string {
+	dockerfile := []byte(`
+FROM busybox:latest AS base
+COPY foo /etc/foo
+RUN cp /etc/foo /etc/bar
+
+FROM scratch
+COPY --from=base /etc/bar /bar
+`)
+	dir := tmpdir(
+		t,
+		fstest.CreateFile("Dockerfile", dockerfile, 0600),
+		fstest.CreateFile("foo", []byte("foo"), 0600),
+	)
+	return dir
+}

tests/create.go

@@ -0,0 +1,110 @@
+package tests
+
+import (
+	"fmt"
+	"os"
+	"strings"
+	"testing"
+
+	"github.com/docker/buildx/driver"
+	"github.com/moby/buildkit/identity"
+	"github.com/moby/buildkit/util/testutil/integration"
+	"github.com/stretchr/testify/require"
+)
+
+func createCmd(sb integration.Sandbox, opts ...cmdOpt) (string, error) {
+	opts = append([]cmdOpt{withArgs("create")}, opts...)
+	cmd := buildxCmd(sb, opts...)
+	out, err := cmd.CombinedOutput()
+	return string(out), err
+}
+
+var createTests = []func(t *testing.T, sb integration.Sandbox){
+	testCreateMemoryLimit,
+	testCreateRestartAlways,
+	testCreateRemoteContainer,
+}
+
+func testCreateMemoryLimit(t *testing.T, sb integration.Sandbox) {
+	if !isDockerContainerWorker(sb) {
+		t.Skip("only testing with docker-container worker")
+	}
+
+	var builderName string
+	t.Cleanup(func() {
+		if builderName == "" {
+			return
+		}
+		out, err := rmCmd(sb, withArgs(builderName))
+		require.NoError(t, err, out)
+	})
+
+	out, err := createCmd(sb, withArgs("--driver", "docker-container", "--driver-opt", "network=host", "--driver-opt", "memory=1g"))
+	require.NoError(t, err, out)
+	builderName = strings.TrimSpace(out)
+}
+
+func testCreateRestartAlways(t *testing.T, sb integration.Sandbox) {
+	if !isDockerContainerWorker(sb) {
+		t.Skip("only testing with docker-container worker")
+	}
+
+	var builderName string
+	t.Cleanup(func() {
+		if builderName == "" {
+			return
+		}
+		out, err := rmCmd(sb, withArgs(builderName))
+		require.NoError(t, err, out)
+	})
+
+	out, err := createCmd(sb, withArgs("--driver", "docker-container", "--driver-opt", "restart-policy=always"))
+	require.NoError(t, err, out)
+	builderName = strings.TrimSpace(out)
+}
+
+func testCreateRemoteContainer(t *testing.T, sb integration.Sandbox) {
+	if !isDockerWorker(sb) {
+		t.Skip("only testing with docker workers")
+	}
+
+	ctnBuilderName := "ctn-builder-" + identity.NewID()
+	remoteBuilderName := "remote-builder-" + identity.NewID()
+	var hasCtnBuilder, hasRemoteBuilder bool
+	t.Cleanup(func() {
+		if hasCtnBuilder {
+			out, err := rmCmd(sb, withArgs(ctnBuilderName))
+			require.NoError(t, err, out)
+		}
+		if hasRemoteBuilder {
+			out, err := rmCmd(sb, withArgs(remoteBuilderName))
+			require.NoError(t, err, out)
+		}
+	})
+
+	out, err := createCmd(sb, withArgs("--driver", "docker-container", "--name", ctnBuilderName))
+	require.NoError(t, err, out)
+	hasCtnBuilder = true
+
+	out, err = inspectCmd(sb, withArgs("--bootstrap", ctnBuilderName))
+	require.NoError(t, err, out)
+
+	cmd := dockerCmd(sb, withArgs("container", "inspect", fmt.Sprintf("%s0", driver.BuilderName(ctnBuilderName))))
+	cmd.Stderr = os.Stderr
+	require.NoError(t, cmd.Run())
+
+	out, err = createCmd(sb, withArgs("--driver", "remote", "--name", remoteBuilderName, fmt.Sprintf("docker-container://%s0", driver.BuilderName(ctnBuilderName))))
+	require.NoError(t, err, out)
+	hasRemoteBuilder = true
+
+	out, err = inspectCmd(sb, withArgs(remoteBuilderName))
+	require.NoError(t, err, out)
+
+	for _, line := range strings.Split(out, "\n") {
+		if v, ok := strings.CutPrefix(line, "Status:"); ok {
+			require.Equal(t, strings.TrimSpace(v), "running")
+			return
+		}
+	}
+	require.Fail(t, "remote builder is not running")
+}

tests/dialstdio.go

@@ -0,0 +1,125 @@
+package tests
+
+import (
+	"bytes"
+	"context"
+	"net"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"github.com/docker/buildx/util/progress"
+	"github.com/moby/buildkit/client"
+	"github.com/moby/buildkit/client/llb"
+	gwclient "github.com/moby/buildkit/frontend/gateway/client"
+	"github.com/moby/buildkit/util/progress/progressui"
+	"github.com/moby/buildkit/util/testutil/integration"
+	"github.com/pkg/errors"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+var dialstdioTests = []func(t *testing.T, sb integration.Sandbox){
+	testDialStdio,
+}
+
+func testDialStdio(t *testing.T, sb integration.Sandbox) {
+	do := func(t *testing.T, pipe func(t *testing.T, cmd *exec.Cmd) net.Conn) {
+		errBuf := bytes.NewBuffer(nil)
+		defer func() {
+			if t.Failed() {
+				t.Log(errBuf.String())
+			}
+		}()
+		var cmd *exec.Cmd
+		c, err := client.New(sb.Context(), "", client.WithContextDialer(func(ctx context.Context, _ string) (net.Conn, error) {
+			cmd = buildxCmd(sb, withArgs("dial-stdio", "--progress", "auto"))
+			conn := pipe(t, cmd)
+			cmd.Stderr = errBuf
+			if err := cmd.Start(); err != nil {
+				return nil, errors.Wrap(err, errBuf.String())
+			}
+
+			return conn, nil
+		}))
+		require.NoError(t, err)
+
+		defer func() {
+			c.Close()
+			// Since the client is closed (and as such the connection shutdown), the buildx command should exit cleanly.
+			chErr := make(chan error, 1)
+			go func() {
+				chErr <- cmd.Wait()
+			}()
+			select {
+			case <-time.After(10 * time.Second):
+				t.Error("timeout waiting for buildx command to exit")
+			case <-chErr:
+				assert.NoError(t, err)
+			}
+		}()
+
+		skipNoCompatBuildKit(t, sb, ">= 0.11.0-0", "unknown method Info for service moby.buildkit.v1.Control")
+		_, err = c.Info(sb.Context())
+		require.NoError(t, err)
+
+		require.Contains(t, errBuf.String(), "builder: "+sb.Address())
+
+		dir := t.TempDir()
+
+		f, err := os.CreateTemp(dir, "log")
+		require.NoError(t, err)
+		defer f.Close()
+
+		defer func() {
+			if t.Failed() {
+				dt, _ := os.ReadFile(f.Name())
+				t.Log(string(dt))
+			}
+		}()
+
+		p, err := progress.NewPrinter(sb.Context(), f, progressui.AutoMode)
+		require.NoError(t, err)
+
+		ch, chDone := progress.NewChannel(p)
+		done := func() {
+			select {
+			case <-sb.Context().Done():
+			case <-chDone:
+			}
+		}
+
+		_, err = c.Build(sb.Context(), client.SolveOpt{
+			Exports: []client.ExportEntry{
+				{Type: "local", OutputDir: dir},
+			},
+		}, "", func(ctx context.Context, gwc gwclient.Client) (*gwclient.Result, error) {
+			def, err := llb.Scratch().File(llb.Mkfile("hello", 0o600, []byte("world"))).Marshal(ctx)
+			if err != nil {
+				return nil, err
+			}
+
+			return gwc.Solve(ctx, gwclient.SolveRequest{
+				Definition: def.ToPB(),
+			})
+		}, ch)
+		done()
+		require.NoError(t, err)
+
+		dt, err := os.ReadFile(filepath.Join(dir, "hello"))
+		require.NoError(t, err)
+		require.Equal(t, "world", string(dt))
+	}
+
+	t.Run("conn=netpipe", func(t *testing.T) {
+		t.Parallel()
+		do(t, func(t *testing.T, cmd *exec.Cmd) net.Conn {
+			c1, c2 := net.Pipe()
+			cmd.Stdin = c1
+			cmd.Stdout = c1
+			return c2
+		})
+	})
+}

tests/imagetools.go

@@ -22,8 +22,8 @@ var imagetoolsTests = []func(t *testing.T, sb integration.Sandbox){
 }
 
 func testImagetoolsCopyManifest(t *testing.T, sb integration.Sandbox) {
-	if sb.Name() != "docker-container" {
+	if !isDockerContainerWorker(sb) {
-		t.Skip("imagetools tests are not driver specific and only run on docker-container")
+		t.Skip("only testing with docker-container worker, imagetools only runs on docker-container")
 	}
 
 	dir := createDockerfile(t)
@@ -81,8 +81,8 @@ func testImagetoolsCopyManifest(t *testing.T, sb integration.Sandbox) {
 }
 
 func testImagetoolsCopyIndex(t *testing.T, sb integration.Sandbox) {
-	if sb.Name() != "docker-container" {
+	if !isDockerContainerWorker(sb) {
-		t.Skip("imagetools tests are not driver specific and only run on docker-container")
+		t.Skip("only testing with docker-container worker, imagetools only runs on docker-container")
 	}
 
 	dir := createDockerfile(t)
@@ -130,8 +130,8 @@ func testImagetoolsCopyIndex(t *testing.T, sb integration.Sandbox) {
 }
 
 func testImagetoolsInspectAndFilter(t *testing.T, sb integration.Sandbox) {
-	if sb.Name() != "docker-container" {
+	if !isDockerContainerWorker(sb) {
-		t.Skip("imagetools tests are not driver specific and only run on docker-container")
+		t.Skip("only testing with docker-container worker, imagetools only runs on docker-container")
 	}
 
 	dir := createDockerfile(t)
@@ -181,8 +181,8 @@ func testImagetoolsInspectAndFilter(t *testing.T, sb integration.Sandbox) {
 }
 
 func testImagetoolsAnnotation(t *testing.T, sb integration.Sandbox) {
-	if sb.Name() != "docker-container" {
+	if !isDockerContainerWorker(sb) {
-		t.Skip("imagetools tests are not driver specific and only run on docker-container")
+		t.Skip("only testing with docker-container worker, imagetools only runs on docker-container")
 	}
 
 	dir := createDockerfile(t)