Merge pull request #1813 from jedevc/oci-export-on-containerd

vendor: github.com/compose-spec/compose-go v1.14.0

.dockerignore

@@ -1,2 +1 @@
 bin/
-cross-out/

.github/CONTRIBUTING.md

@@ -116,6 +116,60 @@ commit automatically with `git commit -s`.
 
 ### Run the unit- and integration-tests
 
+Running tests:
+
+```bash
+make test
+```
+
+This runs all unit and integration tests, in a containerized environment.
+Locally, every package can be tested separately with standard Go tools, but
+integration tests are skipped if local user doesn't have enough permissions or
+worker binaries are not installed.
+
+```bash
+# run unit tests only
+make test-unit
+
+# run integration tests only
+make test-integration
+
+# test a specific package
+TESTPKGS=./bake make test
+
+# run all integration tests with a specific worker
+TESTFLAGS="--run=//worker=remote -v" make test-integration
+
+# run a specific integration test
+TESTFLAGS="--run /TestBuild/worker=remote/ -v" make test-integration
+
+# run a selection of integration tests using a regexp
+TESTFLAGS="--run /TestBuild.*/worker=remote/ -v" make test-integration
+```
+
+> **Note**
+>
+> Set `TEST_KEEP_CACHE=1` for the test framework to keep external dependant
+> images in a docker volume if you are repeatedly calling `make test`. This
+> helps to avoid rate limiting on the remote registry side.
+
+> **Note**
+>
+> Set `TEST_DOCKERD=1` for the test framework to enable the docker workers,
+> specifically the `docker` and `docker-container` drivers.
+>
+> The docker tests cannot be run in parallel, so require passing `--parallel=1`
+> in `TESTFLAGS`.
+
+> **Note**
+>
+> If you are working behind a proxy, you can set some of or all
+> `HTTP_PROXY=http://ip:port`, `HTTPS_PROXY=http://ip:port`, `NO_PROXY=http://ip:port`
+> for the test framework to specify the proxy build args.
+
+
+### Run the helper commands
+
 To enter a demo container environment and experiment, you may run:
 
 ```

.github/ISSUE_TEMPLATE/bug.yml

@@ -0,0 +1,124 @@
+# https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/syntax-for-githubs-form-schema
+name: Bug Report
+description: Report a bug
+labels:
+  - status/triage
+
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thank you for taking the time to report a bug!
+        If this is a security issue please report it to the [Docker Security team](mailto:security@docker.com).
+
+  - type: checkboxes
+    attributes:
+      label: Contributing guidelines
+      description: |
+        Please read the contributing guidelines before proceeding.
+      options:
+        - label: I've read the [contributing guidelines](https://github.com/docker/buildx/blob/master/.github/CONTRIBUTING.md) and wholeheartedly agree
+          required: true
+
+  - type: checkboxes
+    attributes:
+      label: I've found a bug and checked that ...
+      description: |
+        Make sure that your request fulfills all of the following requirements.
+        If one requirement cannot be satisfied, explain in detail why.
+      options:
+        - label: ... the documentation does not mention anything about my problem
+        - label: ... there are no open or closed issues that are related to my problem
+
+  - type: textarea
+    attributes:
+      label: Description
+      description: |
+        Please provide a brief description of the bug in 1-2 sentences.
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: Expected behaviour
+      description: |
+        Please describe precisely what you'd expect to happen.
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: Actual behaviour
+      description: |
+        Please describe precisely what is actually happening.
+    validations:
+      required: true
+
+  - type: input
+    attributes:
+      label: Buildx version
+      description: |
+        Output of `docker buildx version` command.
+        Example: `github.com/docker/buildx v0.8.1 5fac64c2c49dae1320f2b51f1a899ca451935554`
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: Docker info
+      description: |
+        Output of `docker info` command.
+      render: text
+
+  - type: textarea
+    attributes:
+      label: Builders list
+      description: |
+        Output of `docker buildx ls` command.
+      render: text
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: Configuration
+      description: >
+        Please provide a minimal Dockerfile, bake definition (if applicable) and
+        invoked commands to help reproducing your issue.
+      placeholder: |
+        ```dockerfile
+        FROM alpine
+        echo hello
+        ```
+        
+        ```hcl
+        group "default" {
+          targets = ["app"]
+        }
+        target "app" {
+          dockerfile = "Dockerfile"
+          target = "build"
+        }
+        ```
+        
+        ```console
+        $ docker buildx build .
+        $ docker buildx bake
+        ```
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: Build logs
+      description: |
+        Please provide logs output (and/or BuildKit logs if applicable).
+      render: text
+    validations:
+      required: false
+
+  - type: textarea
+    attributes:
+      label: Additional info
+      description: |
+        Please provide any additional information that could be useful.

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,12 @@
+# https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/configuring-issue-templates-for-your-repository#configuring-the-template-chooser
+blank_issues_enabled: true
+contact_links:
+  - name: Questions and Discussions
+    url: https://github.com/docker/buildx/discussions/new
+    about: Use Github Discussions to ask questions and/or open discussion topics.
+  - name: Command line reference
+    url: https://docs.docker.com/engine/reference/commandline/buildx/
+    about: Read the command line reference.
+  - name: Documentation
+    url: https://docs.docker.com/build/
+    about: Read the documentation.

.github/ISSUE_TEMPLATE/feature.yml

@@ -0,0 +1,15 @@
+# https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/syntax-for-githubs-form-schema
+name: Feature request
+description: Missing functionality? Come tell us about it!
+labels:
+  - kind/enhancement
+  - status/triage
+
+body:
+  - type: textarea
+    id: description
+    attributes:
+      label: Description
+      description: What is the feature you want to see?
+    validations:
+      required: true

.github/SECURITY.md

@@ -0,0 +1,12 @@
+# Reporting security issues
+
+The project maintainers take security seriously. If you discover a security
+issue, please bring it to their attention right away!
+
+**Please _DO NOT_ file a public issue**, instead send your report privately to
+[security@docker.com](mailto:security@docker.com).
+
+Security reports are greatly appreciated, and we will publicly thank you for it.
+We also like to send gifts—if you're into schwag, make sure to let
+us know. We currently do not offer a paid security bounty program, but are not
+ruling it out in the future.

.github/dependabot.yml

@@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    open-pull-requests-limit: 10
+    directory: "/"
+    schedule:
+      interval: "daily"
+    labels:
+      - "dependencies"
+      - "bot"

.github/releases.json

@@ -0,0 +1,735 @@
+{
+  "latest": {
+    "id": 90741208,
+    "tag_name": "v0.10.2",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.10.2",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.darwin-amd64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.darwin-amd64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.darwin-arm64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.darwin-arm64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-amd64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-amd64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-arm-v6.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-arm-v6.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-arm-v7.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-arm-v7.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-arm64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-arm64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-ppc64le.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-ppc64le.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-riscv64",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-riscv64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-riscv64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-s390x.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-s390x.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.windows-amd64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.windows-amd64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.windows-amd64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.windows-arm64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.windows-arm64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.windows-arm64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/checksums.txt"
+    ]
+  },
+  "v0.10.2": {
+    "id": 90741208,
+    "tag_name": "v0.10.2",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.10.2",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.darwin-amd64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.darwin-amd64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.darwin-arm64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.darwin-arm64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-amd64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-amd64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-arm-v6.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-arm-v6.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-arm-v7.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-arm-v7.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-arm64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-arm64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-ppc64le.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-ppc64le.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-riscv64",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-riscv64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-riscv64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-s390x.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-s390x.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.windows-amd64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.windows-amd64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.windows-amd64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.windows-arm64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.windows-arm64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.windows-arm64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/checksums.txt"
+    ]
+  },
+  "v0.10.1": {
+    "id": 90346950,
+    "tag_name": "v0.10.1",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.10.1",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.darwin-amd64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.darwin-amd64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.darwin-arm64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.darwin-arm64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.linux-amd64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.linux-amd64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.linux-arm-v6.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.linux-arm-v6.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.linux-arm-v7.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.linux-arm-v7.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.linux-arm64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.linux-arm64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.linux-ppc64le.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.linux-ppc64le.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.linux-riscv64",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.linux-riscv64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.linux-riscv64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.linux-s390x.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.linux-s390x.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.windows-amd64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.windows-amd64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.windows-amd64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.windows-arm64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.windows-arm64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.windows-arm64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/checksums.txt"
+    ]
+  },
+  "v0.10.0": {
+    "id": 88388110,
+    "tag_name": "v0.10.0",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.10.0",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.darwin-amd64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.darwin-amd64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.darwin-arm64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.darwin-arm64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.linux-amd64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.linux-amd64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.linux-arm-v6.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.linux-arm-v6.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.linux-arm-v7.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.linux-arm-v7.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.linux-arm64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.linux-arm64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.linux-ppc64le.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.linux-ppc64le.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.linux-riscv64",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.linux-riscv64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.linux-riscv64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.linux-s390x.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.linux-s390x.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.windows-amd64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.windows-amd64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.windows-amd64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.windows-arm64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.windows-arm64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.windows-arm64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/checksums.txt"
+    ]
+  },
+  "v0.10.0-rc3": {
+    "id": 88191592,
+    "tag_name": "v0.10.0-rc3",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.10.0-rc3",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.darwin-amd64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.darwin-amd64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.darwin-arm64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.darwin-arm64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.linux-amd64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.linux-amd64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.linux-arm-v6.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.linux-arm-v6.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.linux-arm-v7.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.linux-arm-v7.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.linux-arm64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.linux-arm64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.linux-ppc64le.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.linux-ppc64le.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.linux-riscv64",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.linux-riscv64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.linux-riscv64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.linux-s390x.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.linux-s390x.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.windows-amd64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.windows-amd64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.windows-amd64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.windows-arm64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.windows-arm64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.windows-arm64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/checksums.txt"
+    ]
+  },
+  "v0.10.0-rc2": {
+    "id": 86248476,
+    "tag_name": "v0.10.0-rc2",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.10.0-rc2",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.darwin-amd64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.darwin-amd64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.darwin-arm64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.darwin-arm64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.linux-amd64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.linux-amd64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.linux-arm-v6.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.linux-arm-v6.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.linux-arm-v7.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.linux-arm-v7.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.linux-arm64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.linux-arm64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.linux-ppc64le.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.linux-ppc64le.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.linux-riscv64",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.linux-riscv64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.linux-riscv64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.linux-s390x.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.linux-s390x.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.windows-amd64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.windows-amd64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.windows-amd64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.windows-arm64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.windows-arm64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.windows-arm64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/checksums.txt"
+    ]
+  },
+  "v0.10.0-rc1": {
+    "id": 85963900,
+    "tag_name": "v0.10.0-rc1",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.10.0-rc1",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc1/buildx-v0.10.0-rc1.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc1/buildx-v0.10.0-rc1.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc1/buildx-v0.10.0-rc1.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc1/buildx-v0.10.0-rc1.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc1/buildx-v0.10.0-rc1.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc1/buildx-v0.10.0-rc1.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc1/buildx-v0.10.0-rc1.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc1/buildx-v0.10.0-rc1.linux-riscv64",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc1/buildx-v0.10.0-rc1.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc1/buildx-v0.10.0-rc1.windows-amd64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc1/buildx-v0.10.0-rc1.windows-arm64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc1/checksums.txt"
+    ]
+  },
+  "v0.9.1": {
+    "id": 74760068,
+    "tag_name": "v0.9.1",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.9.1",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.9.1/buildx-v0.9.1.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.9.1/buildx-v0.9.1.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.9.1/buildx-v0.9.1.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.9.1/buildx-v0.9.1.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.9.1/buildx-v0.9.1.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.9.1/buildx-v0.9.1.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.9.1/buildx-v0.9.1.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.9.1/buildx-v0.9.1.linux-riscv64",
+      "https://github.com/docker/buildx/releases/download/v0.9.1/buildx-v0.9.1.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.9.1/buildx-v0.9.1.windows-amd64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.9.1/buildx-v0.9.1.windows-arm64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.9.1/checksums.txt"
+    ]
+  },
+  "v0.9.0": {
+    "id": 74546589,
+    "tag_name": "v0.9.0",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.9.0",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.9.0/buildx-v0.9.0.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.9.0/buildx-v0.9.0.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.9.0/buildx-v0.9.0.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.9.0/buildx-v0.9.0.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.9.0/buildx-v0.9.0.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.9.0/buildx-v0.9.0.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.9.0/buildx-v0.9.0.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.9.0/buildx-v0.9.0.linux-riscv64",
+      "https://github.com/docker/buildx/releases/download/v0.9.0/buildx-v0.9.0.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.9.0/buildx-v0.9.0.windows-amd64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.9.0/buildx-v0.9.0.windows-arm64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.9.0/checksums.txt"
+    ]
+  },
+  "v0.9.0-rc2": {
+    "id": 74052235,
+    "tag_name": "v0.9.0-rc2",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.9.0-rc2",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.9.0-rc2/buildx-v0.9.0-rc2.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.9.0-rc2/buildx-v0.9.0-rc2.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.9.0-rc2/buildx-v0.9.0-rc2.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.9.0-rc2/buildx-v0.9.0-rc2.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.9.0-rc2/buildx-v0.9.0-rc2.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.9.0-rc2/buildx-v0.9.0-rc2.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.9.0-rc2/buildx-v0.9.0-rc2.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.9.0-rc2/buildx-v0.9.0-rc2.linux-riscv64",
+      "https://github.com/docker/buildx/releases/download/v0.9.0-rc2/buildx-v0.9.0-rc2.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.9.0-rc2/buildx-v0.9.0-rc2.windows-amd64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.9.0-rc2/buildx-v0.9.0-rc2.windows-arm64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.9.0-rc2/checksums.txt"
+    ]
+  },
+  "v0.9.0-rc1": {
+    "id": 73389692,
+    "tag_name": "v0.9.0-rc1",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.9.0-rc1",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.9.0-rc1/buildx-v0.9.0-rc1.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.9.0-rc1/buildx-v0.9.0-rc1.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.9.0-rc1/buildx-v0.9.0-rc1.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.9.0-rc1/buildx-v0.9.0-rc1.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.9.0-rc1/buildx-v0.9.0-rc1.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.9.0-rc1/buildx-v0.9.0-rc1.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.9.0-rc1/buildx-v0.9.0-rc1.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.9.0-rc1/buildx-v0.9.0-rc1.linux-riscv64",
+      "https://github.com/docker/buildx/releases/download/v0.9.0-rc1/buildx-v0.9.0-rc1.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.9.0-rc1/buildx-v0.9.0-rc1.windows-amd64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.9.0-rc1/buildx-v0.9.0-rc1.windows-arm64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.9.0-rc1/checksums.txt"
+    ]
+  },
+  "v0.8.2": {
+    "id": 63479740,
+    "tag_name": "v0.8.2",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.8.2",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.8.2/buildx-v0.8.2.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.8.2/buildx-v0.8.2.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.8.2/buildx-v0.8.2.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.8.2/buildx-v0.8.2.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.8.2/buildx-v0.8.2.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.8.2/buildx-v0.8.2.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.8.2/buildx-v0.8.2.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.8.2/buildx-v0.8.2.linux-riscv64",
+      "https://github.com/docker/buildx/releases/download/v0.8.2/buildx-v0.8.2.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.8.2/buildx-v0.8.2.windows-amd64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.8.2/buildx-v0.8.2.windows-arm64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.8.2/checksums.txt"
+    ]
+  },
+  "v0.8.1": {
+    "id": 62289050,
+    "tag_name": "v0.8.1",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.8.1",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.8.1/buildx-v0.8.1.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.8.1/buildx-v0.8.1.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.8.1/buildx-v0.8.1.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.8.1/buildx-v0.8.1.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.8.1/buildx-v0.8.1.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.8.1/buildx-v0.8.1.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.8.1/buildx-v0.8.1.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.8.1/buildx-v0.8.1.linux-riscv64",
+      "https://github.com/docker/buildx/releases/download/v0.8.1/buildx-v0.8.1.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.8.1/buildx-v0.8.1.windows-amd64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.8.1/buildx-v0.8.1.windows-arm64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.8.1/checksums.txt"
+    ]
+  },
+  "v0.8.0": {
+    "id": 61423774,
+    "tag_name": "v0.8.0",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.8.0",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.8.0/buildx-v0.8.0.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.8.0/buildx-v0.8.0.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.8.0/buildx-v0.8.0.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.8.0/buildx-v0.8.0.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.8.0/buildx-v0.8.0.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.8.0/buildx-v0.8.0.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.8.0/buildx-v0.8.0.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.8.0/buildx-v0.8.0.linux-riscv64",
+      "https://github.com/docker/buildx/releases/download/v0.8.0/buildx-v0.8.0.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.8.0/buildx-v0.8.0.windows-amd64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.8.0/buildx-v0.8.0.windows-arm64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.8.0/checksums.txt"
+    ]
+  },
+  "v0.8.0-rc1": {
+    "id": 60513568,
+    "tag_name": "v0.8.0-rc1",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.8.0-rc1",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.8.0-rc1/buildx-v0.8.0-rc1.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.8.0-rc1/buildx-v0.8.0-rc1.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.8.0-rc1/buildx-v0.8.0-rc1.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.8.0-rc1/buildx-v0.8.0-rc1.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.8.0-rc1/buildx-v0.8.0-rc1.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.8.0-rc1/buildx-v0.8.0-rc1.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.8.0-rc1/buildx-v0.8.0-rc1.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.8.0-rc1/buildx-v0.8.0-rc1.linux-riscv64",
+      "https://github.com/docker/buildx/releases/download/v0.8.0-rc1/buildx-v0.8.0-rc1.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.8.0-rc1/buildx-v0.8.0-rc1.windows-amd64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.8.0-rc1/buildx-v0.8.0-rc1.windows-arm64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.8.0-rc1/checksums.txt"
+    ]
+  },
+  "v0.7.1": {
+    "id": 54098347,
+    "tag_name": "v0.7.1",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.7.1",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.7.1/buildx-v0.7.1.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.7.1/buildx-v0.7.1.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.7.1/buildx-v0.7.1.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.7.1/buildx-v0.7.1.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.7.1/buildx-v0.7.1.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.7.1/buildx-v0.7.1.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.7.1/buildx-v0.7.1.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.7.1/buildx-v0.7.1.linux-riscv64",
+      "https://github.com/docker/buildx/releases/download/v0.7.1/buildx-v0.7.1.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.7.1/buildx-v0.7.1.windows-amd64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.7.1/buildx-v0.7.1.windows-arm64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.7.1/checksums.txt"
+    ]
+  },
+  "v0.7.0": {
+    "id": 53109422,
+    "tag_name": "v0.7.0",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.7.0",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.7.0/buildx-v0.7.0.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.7.0/buildx-v0.7.0.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.7.0/buildx-v0.7.0.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.7.0/buildx-v0.7.0.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.7.0/buildx-v0.7.0.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.7.0/buildx-v0.7.0.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.7.0/buildx-v0.7.0.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.7.0/buildx-v0.7.0.linux-riscv64",
+      "https://github.com/docker/buildx/releases/download/v0.7.0/buildx-v0.7.0.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.7.0/buildx-v0.7.0.windows-amd64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.7.0/buildx-v0.7.0.windows-arm64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.7.0/checksums.txt"
+    ]
+  },
+  "v0.7.0-rc1": {
+    "id": 52726324,
+    "tag_name": "v0.7.0-rc1",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.7.0-rc1",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.7.0-rc1/buildx-v0.7.0-rc1.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.7.0-rc1/buildx-v0.7.0-rc1.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.7.0-rc1/buildx-v0.7.0-rc1.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.7.0-rc1/buildx-v0.7.0-rc1.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.7.0-rc1/buildx-v0.7.0-rc1.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.7.0-rc1/buildx-v0.7.0-rc1.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.7.0-rc1/buildx-v0.7.0-rc1.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.7.0-rc1/buildx-v0.7.0-rc1.linux-riscv64",
+      "https://github.com/docker/buildx/releases/download/v0.7.0-rc1/buildx-v0.7.0-rc1.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.7.0-rc1/buildx-v0.7.0-rc1.windows-amd64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.7.0-rc1/buildx-v0.7.0-rc1.windows-arm64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.7.0-rc1/checksums.txt"
+    ]
+  },
+  "v0.6.3": {
+    "id": 48691641,
+    "tag_name": "v0.6.3",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.6.3",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.6.3/buildx-v0.6.3.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.6.3/buildx-v0.6.3.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.6.3/buildx-v0.6.3.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.6.3/buildx-v0.6.3.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.6.3/buildx-v0.6.3.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.6.3/buildx-v0.6.3.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.6.3/buildx-v0.6.3.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.6.3/buildx-v0.6.3.linux-riscv64",
+      "https://github.com/docker/buildx/releases/download/v0.6.3/buildx-v0.6.3.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.6.3/buildx-v0.6.3.windows-amd64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.6.3/buildx-v0.6.3.windows-arm64.exe"
+    ]
+  },
+  "v0.6.2": {
+    "id": 48207405,
+    "tag_name": "v0.6.2",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.6.2",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.6.2/buildx-v0.6.2.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.6.2/buildx-v0.6.2.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.6.2/buildx-v0.6.2.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.6.2/buildx-v0.6.2.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.6.2/buildx-v0.6.2.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.6.2/buildx-v0.6.2.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.6.2/buildx-v0.6.2.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.6.2/buildx-v0.6.2.linux-riscv64",
+      "https://github.com/docker/buildx/releases/download/v0.6.2/buildx-v0.6.2.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.6.2/buildx-v0.6.2.windows-amd64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.6.2/buildx-v0.6.2.windows-arm64.exe"
+    ]
+  },
+  "v0.6.1": {
+    "id": 47064772,
+    "tag_name": "v0.6.1",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.6.1",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.6.1/buildx-v0.6.1.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.6.1/buildx-v0.6.1.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.6.1/buildx-v0.6.1.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.6.1/buildx-v0.6.1.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.6.1/buildx-v0.6.1.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.6.1/buildx-v0.6.1.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.6.1/buildx-v0.6.1.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.6.1/buildx-v0.6.1.linux-riscv64",
+      "https://github.com/docker/buildx/releases/download/v0.6.1/buildx-v0.6.1.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.6.1/buildx-v0.6.1.windows-amd64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.6.1/buildx-v0.6.1.windows-arm64.exe"
+    ]
+  },
+  "v0.6.0": {
+    "id": 46343260,
+    "tag_name": "v0.6.0",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.6.0",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.6.0/buildx-v0.6.0.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.6.0/buildx-v0.6.0.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.6.0/buildx-v0.6.0.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.6.0/buildx-v0.6.0.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.6.0/buildx-v0.6.0.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.6.0/buildx-v0.6.0.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.6.0/buildx-v0.6.0.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.6.0/buildx-v0.6.0.linux-riscv64",
+      "https://github.com/docker/buildx/releases/download/v0.6.0/buildx-v0.6.0.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.6.0/buildx-v0.6.0.windows-amd64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.6.0/buildx-v0.6.0.windows-arm64.exe"
+    ]
+  },
+  "v0.6.0-rc1": {
+    "id": 46230351,
+    "tag_name": "v0.6.0-rc1",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.6.0-rc1",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.6.0-rc1/buildx-v0.6.0-rc1.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.6.0-rc1/buildx-v0.6.0-rc1.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.6.0-rc1/buildx-v0.6.0-rc1.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.6.0-rc1/buildx-v0.6.0-rc1.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.6.0-rc1/buildx-v0.6.0-rc1.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.6.0-rc1/buildx-v0.6.0-rc1.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.6.0-rc1/buildx-v0.6.0-rc1.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.6.0-rc1/buildx-v0.6.0-rc1.linux-riscv64",
+      "https://github.com/docker/buildx/releases/download/v0.6.0-rc1/buildx-v0.6.0-rc1.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.6.0-rc1/buildx-v0.6.0-rc1.windows-amd64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.6.0-rc1/buildx-v0.6.0-rc1.windows-arm64.exe"
+    ]
+  },
+  "v0.5.1": {
+    "id": 35276550,
+    "tag_name": "v0.5.1",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.5.1",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.5.1/buildx-v0.5.1.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.5.1/buildx-v0.5.1.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.5.1/buildx-v0.5.1.darwin-universal",
+      "https://github.com/docker/buildx/releases/download/v0.5.1/buildx-v0.5.1.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.5.1/buildx-v0.5.1.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.5.1/buildx-v0.5.1.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.5.1/buildx-v0.5.1.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.5.1/buildx-v0.5.1.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.5.1/buildx-v0.5.1.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.5.1/buildx-v0.5.1.windows-amd64.exe"
+    ]
+  },
+  "v0.5.0": {
+    "id": 35268960,
+    "tag_name": "v0.5.0",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.5.0",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.5.0/buildx-v0.5.0.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.5.0/buildx-v0.5.0.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.5.0/buildx-v0.5.0.darwin-universal",
+      "https://github.com/docker/buildx/releases/download/v0.5.0/buildx-v0.5.0.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.5.0/buildx-v0.5.0.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.5.0/buildx-v0.5.0.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.5.0/buildx-v0.5.0.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.5.0/buildx-v0.5.0.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.5.0/buildx-v0.5.0.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.5.0/buildx-v0.5.0.windows-amd64.exe"
+    ]
+  },
+  "v0.5.0-rc1": {
+    "id": 35015334,
+    "tag_name": "v0.5.0-rc1",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.5.0-rc1",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.5.0-rc1/buildx-v0.5.0-rc1.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.5.0-rc1/buildx-v0.5.0-rc1.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.5.0-rc1/buildx-v0.5.0-rc1.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.5.0-rc1/buildx-v0.5.0-rc1.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.5.0-rc1/buildx-v0.5.0-rc1.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.5.0-rc1/buildx-v0.5.0-rc1.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.5.0-rc1/buildx-v0.5.0-rc1.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.5.0-rc1/buildx-v0.5.0-rc1.windows-amd64.exe"
+    ]
+  },
+  "v0.4.2": {
+    "id": 30007794,
+    "tag_name": "v0.4.2",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.4.2",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.4.2/buildx-v0.4.2.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.4.2/buildx-v0.4.2.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.4.2/buildx-v0.4.2.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.4.2/buildx-v0.4.2.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.4.2/buildx-v0.4.2.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.4.2/buildx-v0.4.2.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.4.2/buildx-v0.4.2.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.4.2/buildx-v0.4.2.windows-amd64.exe"
+    ]
+  },
+  "v0.4.1": {
+    "id": 26067509,
+    "tag_name": "v0.4.1",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.4.1",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.4.1/buildx-v0.4.1.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.4.1/buildx-v0.4.1.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.4.1/buildx-v0.4.1.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.4.1/buildx-v0.4.1.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.4.1/buildx-v0.4.1.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.4.1/buildx-v0.4.1.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.4.1/buildx-v0.4.1.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.4.1/buildx-v0.4.1.windows-amd64.exe"
+    ]
+  },
+  "v0.4.0": {
+    "id": 26028174,
+    "tag_name": "v0.4.0",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.4.0",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.4.0/buildx-v0.4.0.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.4.0/buildx-v0.4.0.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.4.0/buildx-v0.4.0.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.4.0/buildx-v0.4.0.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.4.0/buildx-v0.4.0.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.4.0/buildx-v0.4.0.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.4.0/buildx-v0.4.0.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.4.0/buildx-v0.4.0.windows-amd64.exe"
+    ]
+  },
+  "v0.3.1": {
+    "id": 20316235,
+    "tag_name": "v0.3.1",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.3.1",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.3.1/buildx-v0.3.1.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.3.1/buildx-v0.3.1.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.3.1/buildx-v0.3.1.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.3.1/buildx-v0.3.1.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.3.1/buildx-v0.3.1.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.3.1/buildx-v0.3.1.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.3.1/buildx-v0.3.1.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.3.1/buildx-v0.3.1.windows-amd64.exe"
+    ]
+  },
+  "v0.3.0": {
+    "id": 19029664,
+    "tag_name": "v0.3.0",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.3.0",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.3.0/buildx-v0.3.0.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.3.0/buildx-v0.3.0.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.3.0/buildx-v0.3.0.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.3.0/buildx-v0.3.0.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.3.0/buildx-v0.3.0.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.3.0/buildx-v0.3.0.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.3.0/buildx-v0.3.0.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.3.0/buildx-v0.3.0.windows-amd64.exe"
+    ]
+  },
+  "v0.2.2": {
+    "id": 17671545,
+    "tag_name": "v0.2.2",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.2.2",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.2.2/buildx-v0.2.2.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.2.2/buildx-v0.2.2.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.2.2/buildx-v0.2.2.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.2.2/buildx-v0.2.2.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.2.2/buildx-v0.2.2.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.2.2/buildx-v0.2.2.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.2.2/buildx-v0.2.2.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.2.2/buildx-v0.2.2.windows-amd64.exe"
+    ]
+  },
+  "v0.2.1": {
+    "id": 17582885,
+    "tag_name": "v0.2.1",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.2.1",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.2.1/buildx-v0.2.1.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.2.1/buildx-v0.2.1.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.2.1/buildx-v0.2.1.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.2.1/buildx-v0.2.1.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.2.1/buildx-v0.2.1.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.2.1/buildx-v0.2.1.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.2.1/buildx-v0.2.1.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.2.1/buildx-v0.2.1.windows-amd64.exe"
+    ]
+  },
+  "v0.2.0": {
+    "id": 16965310,
+    "tag_name": "v0.2.0",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.2.0",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.2.0/buildx-v0.2.0.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.2.0/buildx-v0.2.0.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.2.0/buildx-v0.2.0.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.2.0/buildx-v0.2.0.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.2.0/buildx-v0.2.0.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.2.0/buildx-v0.2.0.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.2.0/buildx-v0.2.0.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.2.0/buildx-v0.2.0.windows-amd64.exe"
+    ]
+  }
+}

.github/workflows/build.yml

@@ -1,185 +1,299 @@
 name: build
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 on:
   workflow_dispatch:
   push:
     branches:
       - 'master'
+      - 'v[0-9]*'
     tags:
       - 'v*'
   pull_request:
-    branches:
-      - 'master'
+    paths-ignore:
+      - '.github/releases.json'
+      - 'README.md'
+      - 'docs/**'
 
 env:
-  REPO_SLUG_ORIGIN: "moby/buildkit:master"
-  CACHEKEY_BINARIES: "binaries"
-  PLATFORMS: "linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64,linux/s390x,linux/ppc64le"
+  BUILDX_VERSION: "latest"
+  BUILDKIT_IMAGE: "moby/buildkit:latest"
+  REPO_SLUG: "docker/buildx-bin"
+  DESTDIR: "./bin"
+  TEST_CACHE_SCOPE: "test"
 
 jobs:
-  base:
-    runs-on: ubuntu-latest
+  prepare-test:
+    runs-on: ubuntu-22.04
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v2
-      -
-        name: Cache ${{ env.CACHEKEY_BINARIES }}
-        uses: actions/cache@v2
-        with:
-          path: /tmp/.buildx-cache/${{ env.CACHEKEY_BINARIES }}
-          key: ${{ runner.os }}-buildx-${{ env.CACHEKEY_BINARIES }}-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-buildx-${{ env.CACHEKEY_BINARIES }}-
+        uses: actions/checkout@v3
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
         with:
-          driver-opts: image=${{ env.REPO_SLUG_ORIGIN }}
+          version: ${{ env.BUILDX_VERSION }}
+          driver-opts: image=${{ env.BUILDKIT_IMAGE }}
+          buildkitd-flags: --debug
       -
-        name: Build ${{ env.CACHEKEY_BINARIES }}
-        run: |
-          ./hack/build_ci_first_pass binaries
-        env:
-          CACHEDIR_FROM: /tmp/.buildx-cache/${{ env.CACHEKEY_BINARIES }}
-          CACHEDIR_TO: /tmp/.buildx-cache/${{ env.CACHEKEY_BINARIES }}-new
-      -
-        # FIXME: Temp fix for https://github.com/moby/buildkit/issues/1850
-        name: Move cache
-        run: |
-          rm -rf /tmp/.buildx-cache/${{ env.CACHEKEY_BINARIES }}
-          mv /tmp/.buildx-cache/${{ env.CACHEKEY_BINARIES }}-new /tmp/.buildx-cache/${{ env.CACHEKEY_BINARIES }}
+        name: Build
+        uses: docker/bake-action@v3
+        with:
+          targets: integration-test-base
+          set: |
+            *.cache-from=type=gha,scope=${{ env.TEST_CACHE_SCOPE }}
+            *.cache-to=type=gha,scope=${{ env.TEST_CACHE_SCOPE }}
 
   test:
-    runs-on: ubuntu-latest
-    needs: [base]
+    runs-on: ubuntu-22.04
+    needs:
+      - prepare-test
+    env:
+      TESTFLAGS: "-v --parallel=6 --timeout=30m"
+      TESTFLAGS_DOCKER: "-v --parallel=1 --timeout=30m"
+      GOTESTSUM_FORMAT: "standard-verbose"
+      TEST_IMAGE_BUILD: "0"
+      TEST_IMAGE_ID: "buildx-tests"
+    strategy:
+      fail-fast: false
+      matrix:
+        worker:
+          - docker
+          - docker-container
+          - remote
+        pkg:
+          - ./tests
+        include:
+          - pkg: ./...
+            skip-integration-tests: 1
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v2
-      -
-        name: Cache ${{ env.CACHEKEY_BINARIES }}
-        uses: actions/cache@v2
-        with:
-          path: /tmp/.buildx-cache/${{ env.CACHEKEY_BINARIES }}
-          key: ${{ runner.os }}-buildx-${{ env.CACHEKEY_BINARIES }}-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-buildx-${{ env.CACHEKEY_BINARIES }}-
+        uses: actions/checkout@v3
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
         with:
-          driver-opts: image=${{ env.REPO_SLUG_ORIGIN }}
+          version: ${{ env.BUILDX_VERSION }}
+          driver-opts: image=${{ env.BUILDKIT_IMAGE }}
+          buildkitd-flags: --debug
+      -
+        name: Build test image
+        uses: docker/bake-action@v3
+        with:
+          targets: integration-test
+          set: |
+            *.cache-from=type=gha,scope=${{ env.TEST_CACHE_SCOPE }}
+            *.output=type=docker,name=${{ env.TEST_IMAGE_ID }}
       -
         name: Test
         run: |
-          make test
+          export TEST_REPORT_SUFFIX=-${{ github.job }}-$(echo "${{ matrix.pkg }}-${{ matrix.skip-integration-tests }}-${{ matrix.worker }}" | tr -dc '[:alnum:]-\n\r' | tr '[:upper:]' '[:lower:]')
+          ./hack/test
         env:
-          TEST_COVERAGE: 1
-          TESTFLAGS: -v --parallel=6 --timeout=20m
-          CACHEDIR_FROM: /tmp/.buildx-cache/${{ env.CACHEKEY_BINARIES }}
+          TEST_DOCKERD: "${{ (matrix.worker == 'docker' || matrix.worker == 'docker-container') && '1' || '0' }}"
+          TESTFLAGS: "${{ (matrix.worker == 'docker' || matrix.worker == 'docker-container') && env.TESTFLAGS_DOCKER || env.TESTFLAGS }} --run=//worker=${{ matrix.worker }}$"
+          TESTPKGS: "${{ matrix.pkg }}"
+          SKIP_INTEGRATION_TESTS: "${{ matrix.skip-integration-tests }}"
       -
         name: Send to Codecov
-        uses: codecov/codecov-action@v1
+        if: always()
+        uses: codecov/codecov-action@v3
         with:
-          file: ./coverage/coverage.txt
+          directory: ./bin/testreports
+      -
+        name: Generate annotations
+        if: always()
+        uses: crazy-max/.github/.github/actions/gotest-annotations@1a64ea6d01db9a48aa61954cb20e265782c167d9
+        with:
+          directory: ./bin/testreports
+      -
+        name: Upload test reports
+        if: always()
+        uses: actions/upload-artifact@v3
+        with:
+          name: test-reports
+          path: ./bin/testreports
 
-  cross:
-    runs-on: ubuntu-latest
-    needs: [base]
+  prepare-binaries:
+    runs-on: ubuntu-22.04
+    outputs:
+      matrix: ${{ steps.platforms.outputs.matrix }}
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       -
-        name: Cache ${{ env.CACHEKEY_BINARIES }}
-        uses: actions/cache@v2
-        with:
-          path: /tmp/.buildx-cache/${{ env.CACHEKEY_BINARIES }}
-          key: ${{ runner.os }}-buildx-${{ env.CACHEKEY_BINARIES }}-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-buildx-${{ env.CACHEKEY_BINARIES }}-
-      -
-        name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-        with:
-          driver-opts: image=${{ env.REPO_SLUG_ORIGIN }}
-      -
-        name: Cross
+        name: Create matrix
+        id: platforms
         run: |
-          make cross
-        env:
-          TARGETPLATFORM: ${{ env.PLATFORMS }},darwin/amd64,windows/amd64
-          CACHEDIR_FROM: /tmp/.buildx-cache/${{ env.CACHEKEY_BINARIES }}
+          echo "matrix=$(docker buildx bake binaries-cross --print | jq -cr '.target."binaries-cross".platforms')" >>${GITHUB_OUTPUT}
+      -
+        name: Show matrix
+        run: |
+          echo ${{ steps.platforms.outputs.matrix }}
 
   binaries:
-    runs-on: ubuntu-latest
-    needs: [test, cross]
+    runs-on: ubuntu-22.04
+    needs:
+      - prepare-binaries
+    strategy:
+      fail-fast: false
+      matrix:
+        platform: ${{ fromJson(needs.prepare-binaries.outputs.matrix) }}
+    steps:
+      -
+        name: Prepare
+        run: |
+          platform=${{ matrix.platform }}
+          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ env.BUILDX_VERSION }}
+          driver-opts: image=${{ env.BUILDKIT_IMAGE }}
+          buildkitd-flags: --debug
+      -
+        name: Build
+        run: |
+          make release
+        env:
+          PLATFORMS: ${{ matrix.platform }}
+          CACHE_FROM: type=gha,scope=binaries-${{ env.PLATFORM_PAIR }}
+          CACHE_TO: type=gha,scope=binaries-${{ env.PLATFORM_PAIR }},mode=max
+      -
+        name: Upload artifacts
+        uses: actions/upload-artifact@v3
+        with:
+          name: buildx
+          path: ${{ env.DESTDIR }}/*
+          if-no-files-found: error
+
+  bin-image:
+    runs-on: ubuntu-22.04
+    needs:
+      - test
+    if: ${{ github.event_name != 'pull_request' && github.repository == 'docker/buildx' }}
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v2
-      -
-        name: Prepare
-        id: prep
-        run: |
-          TAG=pr
-          if [[ $GITHUB_REF == refs/tags/v* ]]; then
-            TAG=${GITHUB_REF#refs/tags/}
-          elif [[ $GITHUB_REF == refs/heads/* ]]; then
-            TAG=$(echo ${GITHUB_REF#refs/heads/} | sed -r 's#/+#-#g')
-          fi
-          echo ::set-output name=tag::${TAG}
-      -
-        name: Cache ${{ env.CACHEKEY_BINARIES }}
-        uses: actions/cache@v2
-        with:
-          path: /tmp/.buildx-cache/${{ env.CACHEKEY_BINARIES }}
-          key: ${{ runner.os }}-buildx-${{ env.CACHEKEY_BINARIES }}-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-buildx-${{ env.CACHEKEY_BINARIES }}-
+        uses: actions/checkout@v3
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
         with:
-          driver-opts: image=${{ env.REPO_SLUG_ORIGIN }}
+          version: ${{ env.BUILDX_VERSION }}
+          driver-opts: image=${{ env.BUILDKIT_IMAGE }}
+          buildkitd-flags: --debug
       -
-        name: Build ${{ steps.prep.outputs.tag }}
-        run: |
-          ./hack/release "${{ steps.prep.outputs.tag }}" release-out
-        env:
-          PLATFORMS: ${{ env.PLATFORMS }},darwin/amd64,windows/amd64
-          CACHEDIR_FROM: /tmp/.buildx-cache/${{ env.CACHEKEY_BINARIES }}
+        name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: |
+            ${{ env.REPO_SLUG }}
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+          bake-target: meta-helper
       -
-        name: Move artifacts
-        run: |
-          mv ./release-out/**/* ./release-out/
+        name: Login to DockerHub
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
       -
-        name: Upload artifacts
-        uses: actions/upload-artifact@v2
+        name: Build and push image
+        uses: docker/bake-action@v3
+        with:
+          files: |
+            ./docker-bake.hcl
+            ${{ steps.meta.outputs.bake-file }}
+          targets: image-cross
+          push: ${{ github.event_name != 'pull_request' }}
+          sbom: true
+          set: |
+            *.cache-from=type=gha,scope=bin-image
+            *.cache-to=type=gha,scope=bin-image,mode=max
+
+  release:
+    runs-on: ubuntu-22.04
+    needs:
+      - test
+      - binaries
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Download binaries
+        uses: actions/download-artifact@v3
         with:
           name: buildx
-          path: ./release-out/*
-          if-no-files-found: error
+          path: ${{ env.DESTDIR }}
+      -
+        name: Create checksums
+        run: ./hack/hash-files
+      -
+        name: List artifacts
+        run: |
+          tree -nh ${{ env.DESTDIR }}
+      -
+        name: Check artifacts
+        run: |
+          find ${{ env.DESTDIR }} -type f -exec file -e ascii -- {} +
       -
         name: GitHub Release
         if: startsWith(github.ref, 'refs/tags/v')
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           draft: true
-          files: ./release-out/*
-          name: ${{ steps.prep.outputs.tag }}
+          files: ${{ env.DESTDIR }}/*
+
+  buildkit-edge:
+    runs-on: ubuntu-22.04
+    continue-on-error: true
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ env.BUILDX_VERSION }}
+          driver-opts: image=moby/buildkit:master
+          buildkitd-flags: --debug
+      -
+        # Just run a bake target to check eveything runs fine
+        name: Build
+        uses: docker/bake-action@v3
+        with:
+          targets: binaries

.github/workflows/docs-release.yml

@@ -0,0 +1,58 @@
+name: docs-release
+
+on:
+  release:
+    types:
+      - released
+
+jobs:
+  open-pr:
+    runs-on: ubuntu-22.04
+    if: ${{ github.event.release.prerelease != true && github.repository == 'docker/buildx' }}
+    steps:
+      -
+        name: Checkout docs repo
+        uses: actions/checkout@v3
+        with:
+          token: ${{ secrets.GHPAT_DOCS_DISPATCH }}
+          repository: docker/docs
+          ref: main
+      -
+        name: Prepare
+        run: |
+          rm -rf ./_data/buildx/*
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      -
+        name: Build docs
+        uses: docker/bake-action@v3
+        with:
+          source: ${{ github.server_url }}/${{ github.repository }}.git#${{ github.event.release.name }}
+          targets: update-docs
+          set: |
+            *.output=/tmp/buildx-docs
+        env:
+          DOCS_FORMATS: yaml
+      -
+        name: Copy files
+        run: |
+          cp /tmp/buildx-docs/out/reference/*.yaml ./_data/buildx/
+      -
+        name: Commit changes
+        run: |
+          git add -A .
+      -
+        name: Create PR on docs repo
+        uses: peter-evans/create-pull-request@284f54f989303d2699d373481a0cfa13ad5a6666
+        with:
+          token: ${{ secrets.GHPAT_DOCS_DISPATCH }}
+          push-to-fork: docker-tools-robot/docker.github.io
+          commit-message: "build: update buildx reference to ${{ github.event.release.name }}"
+          signoff: true
+          branch: dispatch/buildx-ref-${{ github.event.release.name }}
+          delete-branch: true
+          title: Update buildx reference to ${{ github.event.release.name }}
+          body: |
+            Update the buildx reference documentation to keep in sync with the latest release `${{ github.event.release.name }}`
+          draft: false

.github/workflows/docs-upstream.yml

@@ -0,0 +1,62 @@
+# this workflow runs the remote validate bake target from docker/docker.github.io
+# to check if yaml reference docs and markdown files used in this repo are still valid
+# https://github.com/docker/docker.github.io/blob/98c7c9535063ae4cd2cd0a31478a21d16d2f07a3/docker-bake.hcl#L34-L36
+name: docs-upstream
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+on:
+  push:
+    branches:
+      - 'master'
+      - 'v[0-9]*'
+    paths:
+      - '.github/workflows/docs-upstream.yml'
+      - 'docs/**'
+  pull_request:
+    paths:
+      - '.github/workflows/docs-upstream.yml'
+      - 'docs/**'
+
+jobs:
+  docs-yaml:
+    runs-on: ubuntu-22.04
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: latest
+      -
+        name: Build reference YAML docs
+        uses: docker/bake-action@v3
+        with:
+          targets: update-docs
+          set: |
+            *.output=/tmp/buildx-docs
+            *.cache-from=type=gha,scope=docs-yaml
+            *.cache-to=type=gha,scope=docs-yaml,mode=max
+        env:
+          DOCS_FORMATS: yaml
+      -
+        name: Upload reference YAML docs
+        uses: actions/upload-artifact@v3
+        with:
+          name: docs-yaml
+          path: /tmp/buildx-docs/out/reference
+          retention-days: 1
+
+  validate:
+    uses: docker/docs/.github/workflows/validate-upstream.yml@main
+    needs:
+      - docs-yaml
+    with:
+      repo: https://github.com/${{ github.repository }}
+      data-files-id: docs-yaml
+      data-files-folder: buildx
+      data-files-placeholder-folder: engine/reference/commandline

.github/workflows/e2e.yml

@@ -0,0 +1,216 @@
+name: e2e
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - 'master'
+      - 'v[0-9]*'
+  pull_request:
+    paths-ignore:
+      - '.github/releases.json'
+      - 'README.md'
+      - 'docs/**'
+
+env:
+  DESTDIR: "./bin"
+  K3S_VERSION: "v1.21.2-k3s1"
+
+jobs:
+  build:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: latest
+      -
+        name: Build
+        uses: docker/bake-action@v3
+        with:
+          targets: binaries
+          set: |
+            *.cache-from=type=gha,scope=release
+            *.cache-from=type=gha,scope=binaries
+            *.cache-to=type=gha,scope=binaries
+      -
+        name: Rename binary
+        run: |
+          mv ${{ env.DESTDIR }}/build/buildx ${{ env.DESTDIR }}/build/docker-buildx
+      -
+        name: Upload artifacts
+        uses: actions/upload-artifact@v3
+        with:
+          name: binary
+          path: ${{ env.DESTDIR }}/build
+          if-no-files-found: error
+          retention-days: 7
+
+  driver:
+    runs-on: ubuntu-20.04
+    needs:
+      - build
+    strategy:
+      fail-fast: false
+      matrix:
+        driver:
+          - docker
+          - docker-container
+          - kubernetes
+          - remote
+        buildkit:
+          - moby/buildkit:buildx-stable-1
+          - moby/buildkit:master
+        buildkit-cfg:
+          - bkcfg-false
+          - bkcfg-true
+        multi-node:
+          - mnode-false
+          - mnode-true
+        platforms:
+          - linux/amd64
+          - linux/amd64,linux/arm64
+        include:
+          - driver: kubernetes
+            driver-opt: qemu.install=true
+          - driver: remote
+            endpoint: tcp://localhost:1234
+        exclude:
+          - driver: docker
+            multi-node: mnode-true
+          - driver: docker
+            buildkit-cfg: bkcfg-true
+          - driver: docker-container
+            multi-node: mnode-true
+          - driver: remote
+            multi-node: mnode-true
+          - driver: remote
+            buildkit-cfg: bkcfg-true
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+        if: matrix.driver == 'docker' || matrix.driver == 'docker-container'
+      -
+        name: Install buildx
+        uses: actions/download-artifact@v3
+        with:
+          name: binary
+          path: /home/runner/.docker/cli-plugins
+      -
+        name: Fix perms and check
+        run: |
+          chmod +x /home/runner/.docker/cli-plugins/docker-buildx
+          docker buildx version
+      -
+        name: Init env vars
+        run: |
+          # BuildKit cfg
+          if [ "${{ matrix.buildkit-cfg }}" = "bkcfg-true" ]; then
+            cat > "/tmp/buildkitd.toml" <<EOL
+          [worker.oci]
+            max-parallelism = 2
+          EOL
+            echo "BUILDKIT_CFG=/tmp/buildkitd.toml" >> $GITHUB_ENV
+          fi
+          # Multi node
+          if [ "${{ matrix.multi-node }}" = "mnode-true" ]; then
+            echo "MULTI_NODE=1" >> $GITHUB_ENV
+          else
+            echo "MULTI_NODE=0" >> $GITHUB_ENV
+          fi
+      -
+        name: Install k3s
+        if: matrix.driver == 'kubernetes'
+        uses: actions/github-script@v6
+        with:
+          script: |
+            const fs = require('fs');
+            
+            let wait = function(milliseconds) {
+              return new Promise((resolve, reject) => {
+                if (typeof(milliseconds) !== 'number') { 
+                  throw new Error('milleseconds not a number'); 
+                }
+                setTimeout(() => resolve("done!"), milliseconds)
+              });
+            }
+            
+            try {
+              const kubeconfig="/tmp/buildkit-k3s/kubeconfig.yaml";
+              core.info(`storing kubeconfig in ${kubeconfig}`);
+          
+              await exec.exec('docker', ["run", "-d",
+                "--privileged",
+                "--name=buildkit-k3s",
+                "-e", "K3S_KUBECONFIG_OUTPUT="+kubeconfig,
+                "-e", "K3S_KUBECONFIG_MODE=666",
+                "-v", "/tmp/buildkit-k3s:/tmp/buildkit-k3s",
+                "-p", "6443:6443",
+                "-p", "80:80",
+                "-p", "443:443",
+                "-p", "8080:8080",
+                "rancher/k3s:${{ env.K3S_VERSION }}", "server"
+              ]);
+              await wait(10000);
+              
+              core.exportVariable('KUBECONFIG', kubeconfig);
+              
+              let nodeName;
+              for (let count = 1; count <= 5; count++) {
+                try {
+                  const nodeNameOutput = await exec.getExecOutput("kubectl get nodes --no-headers -oname");
+                  nodeName = nodeNameOutput.stdout
+                } catch (error) {
+                  core.info(`Unable to resolve node name (${error.message}). Attempt ${count} of 5.`)
+                } finally {
+                  if (nodeName) {
+                    break;
+                  }
+                  await wait(5000);
+                }
+              }
+              if (!nodeName) {
+                throw new Error(`Unable to resolve node name after 5 attempts.`);
+              }
+              
+              await exec.exec(`kubectl wait --for=condition=Ready ${nodeName}`);
+            } catch (error) {
+              core.setFailed(error.message);
+            }
+      -
+        name: Print KUBECONFIG
+        if: matrix.driver == 'kubernetes'
+        run: |
+          yq ${{ env.KUBECONFIG }}
+      -
+        name: Launch remote buildkitd
+        if: matrix.driver == 'remote'
+        run: |
+          docker run -d \
+            --privileged \
+            --name=remote-buildkit \
+            -p 1234:1234 \
+            ${{ matrix.buildkit }} \
+            --addr unix:///run/buildkit/buildkitd.sock \
+            --addr tcp://0.0.0.0:1234
+      -
+        name: Test
+        run: |
+          make test-driver
+        env:
+          BUILDKIT_IMAGE: ${{ matrix.buildkit }}
+          DRIVER: ${{ matrix.driver }}
+          DRIVER_OPT: ${{ matrix.driver-opt }}
+          ENDPOINT: ${{ matrix.endpoint }}
+          PLATFORMS: ${{ matrix.platforms }}

.github/workflows/godev.yml

@@ -1,25 +0,0 @@
-# Workflow used to make a request to proxy.golang.org to refresh cache on https://pkg.go.dev/github.com/docker/buildx
-# when a released of buildx is produced
-name: godev
-
-on:
-  push:
-    tags:
-      - 'v*'
-
-jobs:
-  update:
-    runs-on: ubuntu-latest
-    steps:
-      -
-        name: Set up Go
-        uses: actions/setup-go@v2
-        with:
-          go-version: 1.13
-      -
-        name: Call pkg.go.dev
-        run: |
-          go get github.com/${GITHUB_REPOSITORY}@${GITHUB_REF#refs/tags/}
-        env:
-          GO111MODULE: on
-          GOPROXY: https://proxy.golang.org

.github/workflows/validate.yml

@@ -1,37 +1,41 @@
 name: validate
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 on:
   workflow_dispatch:
   push:
     branches:
       - 'master'
+      - 'v[0-9]*'
     tags:
       - 'v*'
   pull_request:
-    branches:
-      - 'master'
-
-env:
-  REPO_SLUG_ORIGIN: "moby/buildkit:master"
+    paths-ignore:
+      - '.github/releases.json'
 
 jobs:
   validate:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     strategy:
       fail-fast: false
       matrix:
         target:
           - lint
           - validate-vendor
+          - validate-docs
+          - validate-generated-files
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
         with:
-          driver-opts: image=${{ env.REPO_SLUG_ORIGIN }}
+          version: latest
       -
         name: Run
         run: |

.gitignore

@@ -1,3 +1 @@
-bin
-coverage
-cross-out
+/bin

.golangci.yml

@@ -0,0 +1,49 @@
+run:
+  timeout: 10m
+  skip-files:
+    - ".*\\.pb\\.go$"
+
+  modules-download-mode: vendor
+
+  build-tags:
+
+linters:
+  enable:
+    - gofmt
+    - govet
+    - depguard
+    - goimports
+    - ineffassign
+    - misspell
+    - unused
+    - revive
+    - staticcheck
+    - typecheck
+    - nolintlint
+    - gosec
+    - forbidigo
+  disable-all: true
+
+linters-settings:
+  depguard:
+    list-type: blacklist
+    include-go-root: true
+    packages:
+      # The io/ioutil package has been deprecated.
+      # https://go.dev/doc/go1.16#ioutil
+      - io/ioutil
+  forbidigo:
+    forbid:
+      - '^fmt\.Errorf(# use errors\.Errorf instead)?$'
+  gosec:
+    excludes:
+      - G204  # Audit use of command execution
+      - G402  # TLS MinVersion too low
+    config:
+      G306: "0644"
+
+issues:
+  exclude-rules:
+    - linters:
+        - revive
+      text: "stutters"

.mailmap

@@ -1,6 +1,13 @@
 # This file lists all individuals having contributed content to the repository.
-# For how it is generated, see `hack/generate-authors`.
+# For how it is generated, see hack/dockerfiles/authors.Dockerfile.
 
+CrazyMax <github@crazymax.dev>
+CrazyMax <github@crazymax.dev> <1951866+crazy-max@users.noreply.github.com>
+CrazyMax <github@crazymax.dev> <crazy-max@users.noreply.github.com>
+Sebastiaan van Stijn <github@gone.nl>
+Sebastiaan van Stijn <github@gone.nl> <thaJeztah@users.noreply.github.com>
 Tibor Vass <tibor@docker.com>
 Tibor Vass <tibor@docker.com> <tiborvass@users.noreply.github.com>
 Tõnis Tiigi <tonistiigi@gmail.com>
+Ulysses Souza <ulyssessouza@gmail.com>
+Wang Jinglei <morlay.null@gmail.com>

.yamllint.yml

@@ -1,13 +0,0 @@
-ignore: |
-  /vendor
-
-extends: default
-
-yaml-files:
-  - '*.yaml'
-  - '*.yml'
-
-rules:
-  truthy: disable
-  line-length: disable
-  document-start: disable

AUTHORS

@@ -1,7 +1,45 @@
 # This file lists all individuals having contributed content to the repository.
-# For how it is generated, see `scripts/generate-authors.sh`.
+# For how it is generated, see hack/dockerfiles/authors.Dockerfile.
 
+Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
+Alex Couture-Beil <alex@earthly.dev>
+Andrew Haines <andrew.haines@zencargo.com>
+Andy MacKinlay <admackin@users.noreply.github.com>
+Anthony Poschen <zanven42@gmail.com>
+Artur Klauser <Artur.Klauser@computer.org>
+Batuhan Apaydın <developerguy2@gmail.com>
 Bin Du <bindu@microsoft.com>
+Brandon Philips <brandon@ifup.org>
 Brian Goff <cpuguy83@gmail.com>
+CrazyMax <github@crazymax.dev>
+dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
+Devin Bayer <dev@doubly.so>
+Djordje Lukic <djordje.lukic@docker.com>
+Dmytro Makovey <dmytro.makovey@docker.com>
+Donghui Wang <977675308@qq.com>
+faust <faustin@fala.red>
+Felipe Santos <felipecassiors@gmail.com>
+Fernando Miguel <github@FernandoMiguel.net>
+gfrancesco <gfrancesco@users.noreply.github.com>
+gracenoah <gracenoahgh@gmail.com>
+Hollow Man <hollowman@hollowman.ml>
+Ilya Dmitrichenko <errordeveloper@gmail.com>
+Jack Laxson <jackjrabbit@gmail.com>
+Jean-Yves Gastaud <jygastaud@gmail.com>
+khs1994 <khs1994@khs1994.com>
+Kotaro Adachi <k33asby@gmail.com>
+l00397676 <lujingxiao@huawei.com>
+Michal Augustyn <michal.augustyn@mail.com>
+Patrick Van Stee <patrick@vanstee.me>
+Saul Shanabrook <s.shanabrook@gmail.com>
+Sebastiaan van Stijn <github@gone.nl>
+SHIMA Tatsuya <ts1s1andn@gmail.com>
+Silvin Lubecki <silvin.lubecki@docker.com>
+Solomon Hykes <sh.github.6811@hykes.org>
+Sune Keller <absukl@almbrand.dk>
 Tibor Vass <tibor@docker.com>
 Tõnis Tiigi <tonistiigi@gmail.com>
+Ulysses Souza <ulyssessouza@gmail.com>
+Wang Jinglei <morlay.null@gmail.com>
+Xiang Dai <764524258@qq.com>
+zelahi <elahi.zuhayr@gmail.com>

Dockerfile

@@ -1,76 +1,114 @@
-# syntax=docker/dockerfile:1.1-experimental
+# syntax=docker/dockerfile:1
 
-ARG DOCKERD_VERSION=19.03-rc
-ARG CLI_VERSION=19.03
+ARG GO_VERSION=1.20
+ARG XX_VERSION=1.2.1
+ARG DOCKERD_VERSION=20.10.14
+ARG GOTESTSUM_VERSION=v1.9.0
+ARG REGISTRY_VERSION=2.8.0
+ARG BUILDKIT_VERSION=v0.11.6
 
 FROM docker:$DOCKERD_VERSION AS dockerd-release
 
-# xgo is a helper for golang cross-compilation
-FROM --platform=$BUILDPLATFORM tonistiigi/xx:golang@sha256:6f7d999551dd471b58f70716754290495690efa8421e0a1fcf18eb11d0c0a537 AS xgo
+# xx is a helper for cross-compilation
+FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
 
-FROM --platform=$BUILDPLATFORM golang:1.13-alpine AS gobase
-COPY --from=xgo / /
+FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine AS golatest
+
+FROM golatest AS gobase
+COPY --from=xx / /
 RUN apk add --no-cache file git
 ENV GOFLAGS=-mod=vendor
+ENV CGO_ENABLED=0
 WORKDIR /src
 
+FROM registry:$REGISTRY_VERSION AS registry
+
+FROM moby/buildkit:$BUILDKIT_VERSION AS buildkit
+
+FROM gobase AS gotestsum
+ARG GOTESTSUM_VERSION
+ENV GOFLAGS=
+RUN --mount=target=/root/.cache,type=cache \
+  GOBIN=/out/ go install "gotest.tools/gotestsum@${GOTESTSUM_VERSION}" && \
+  /out/gotestsum --version
+
 FROM gobase AS buildx-version
-RUN --mount=target=. \
-  PKG=github.com/docker/buildx VERSION=$(git describe --match 'v[0-9]*' --dirty='.m' --always --tags) REVISION=$(git rev-parse HEAD)$(if ! git diff --no-ext-diff --quiet --exit-code; then echo .m; fi); \
-  echo "-X ${PKG}/version.Version=${VERSION} -X ${PKG}/version.Revision=${REVISION} -X ${PKG}/version.Package=${PKG}" | tee /tmp/.ldflags; \
-  echo -n "${VERSION}" | tee /tmp/.version;
+RUN --mount=type=bind,target=. <<EOT
+  set -e
+  mkdir /buildx-version
+  echo -n "$(./hack/git-meta version)" | tee /buildx-version/version
+  echo -n "$(./hack/git-meta revision)" | tee /buildx-version/revision
+EOT
 
 FROM gobase AS buildx-build
-ENV CGO_ENABLED=0
 ARG TARGETPLATFORM
-RUN --mount=target=. --mount=target=/root/.cache,type=cache \
-  --mount=target=/go/pkg/mod,type=cache \
-  --mount=source=/tmp/.ldflags,target=/tmp/.ldflags,from=buildx-version \
-  set -x; go build -ldflags "$(cat /tmp/.ldflags)" -o /usr/bin/buildx ./cmd/buildx && \
-  file /usr/bin/buildx && file /usr/bin/buildx | egrep "statically linked|Mach-O|Windows"
+RUN --mount=type=bind,target=. \
+  --mount=type=cache,target=/root/.cache \
+  --mount=type=cache,target=/go/pkg/mod \
+  --mount=type=bind,from=buildx-version,source=/buildx-version,target=/buildx-version <<EOT
+  set -e
+  xx-go --wrap
+  DESTDIR=/usr/bin VERSION=$(cat /buildx-version/version) REVISION=$(cat /buildx-version/revision) GO_EXTRA_LDFLAGS="-s -w" ./hack/build
+  xx-verify --static /usr/bin/docker-buildx
+EOT
 
-FROM buildx-build AS integration-tests
-COPY . .
+FROM gobase AS test
+ENV SKIP_INTEGRATION_TESTS=1
+RUN --mount=type=bind,target=. \
+  --mount=type=cache,target=/root/.cache \
+  --mount=type=cache,target=/go/pkg/mod \
+  go test -v -coverprofile=/tmp/coverage.txt -covermode=atomic ./... && \
+  go tool cover -func=/tmp/coverage.txt
 
-# FROM golang:1.12-alpine AS docker-cli-build
-# RUN apk add -U git bash coreutils gcc musl-dev
-# ENV CGO_ENABLED=0
-# ARG REPO=github.com/tiborvass/cli
-# ARG BRANCH=cli-plugin-aliases
-# ARG CLI_VERSION
-# WORKDIR /go/src/github.com/docker/cli
-# RUN git clone git://$REPO . && git checkout $BRANCH
-# RUN ./scripts/build/binary
+FROM scratch AS test-coverage
+COPY --from=test /tmp/coverage.txt /coverage.txt
 
 FROM scratch AS binaries-unix
-COPY --from=buildx-build /usr/bin/buildx /
+COPY --link --from=buildx-build /usr/bin/docker-buildx /buildx
 
 FROM binaries-unix AS binaries-darwin
 FROM binaries-unix AS binaries-linux
 
 FROM scratch AS binaries-windows
-COPY --from=buildx-build /usr/bin/buildx /buildx.exe
+COPY --link --from=buildx-build /usr/bin/docker-buildx /buildx.exe
 
 FROM binaries-$TARGETOS AS binaries
+# enable scanning for this stage
+ARG BUILDKIT_SBOM_SCAN_STAGE=true
 
+FROM gobase AS integration-test-base
+RUN apk add --no-cache docker runc containerd
+COPY --link --from=gotestsum /out/gotestsum /usr/bin/
+COPY --link --from=registry /bin/registry /usr/bin/
+COPY --link --from=buildkit /usr/bin/buildkitd /usr/bin/
+COPY --link --from=buildkit /usr/bin/buildctl /usr/bin/
+COPY --link --from=binaries /buildx /usr/bin/
+
+FROM integration-test-base AS integration-test
+COPY . .
+
+# Release
 FROM --platform=$BUILDPLATFORM alpine AS releaser
 WORKDIR /work
 ARG TARGETPLATFORM
 RUN --mount=from=binaries \
-  --mount=source=/tmp/.version,target=/tmp/.version,from=buildx-version \
-  mkdir -p /out && cp buildx* "/out/buildx-$(cat /tmp/.version).$(echo $TARGETPLATFORM | sed 's/\//-/g')$(ls buildx* | sed -e 's/^buildx//')"
+  --mount=type=bind,from=buildx-version,source=/buildx-version,target=/buildx-version <<EOT
+  set -e
+  mkdir -p /out
+  cp buildx* "/out/buildx-$(cat /buildx-version/version).$(echo $TARGETPLATFORM | sed 's/\//-/g')$(ls buildx* | sed -e 's/^buildx//')"
+EOT
 
 FROM scratch AS release
 COPY --from=releaser /out/ /
 
-FROM alpine AS demo-env
+# Shell
+FROM docker:$DOCKERD_VERSION AS dockerd-release
+FROM alpine AS shell
 RUN apk add --no-cache iptables tmux git vim less openssh
 RUN mkdir -p /usr/local/lib/docker/cli-plugins && ln -s /usr/local/bin/buildx /usr/local/lib/docker/cli-plugins/docker-buildx
 COPY ./hack/demo-env/entrypoint.sh /usr/local/bin
 COPY ./hack/demo-env/tmux.conf /root/.tmux.conf
 COPY --from=dockerd-release /usr/local/bin /usr/local/bin
-#COPY --from=docker-cli-build /go/src/github.com/docker/cli/build/docker /usr/local/bin
-
 WORKDIR /work
 COPY ./hack/demo-env/examples .
 COPY --from=binaries / /usr/local/bin/

MAINTAINERS

@@ -150,6 +150,9 @@ made through a pull request.
 	[Org.Maintainers]
 
 		people = [
+			"akihirosuda",
+			"crazy-max",
+			"jedevc",
 			"tiborvass",
 			"tonistiigi",
 		]
@@ -176,6 +179,21 @@ made through a pull request.
 # All other sections should refer to people by their canonical key
 # in the people section.
 
+	[people.akihirosuda]
+	Name = "Akihiro Suda"
+	Email = "akihiro.suda.cz@hco.ntt.co.jp"
+	GitHub = "AkihiroSuda"
+
+	[people.crazy-max]
+	Name = "Kevin Alvarez"
+	Email = "contact@crazymax.dev"
+	GitHub = "crazy-max"
+
+	[people.jedevc]
+	Name = "Justin Chadwell"
+	Email = "me@jedevc.com"
+	GitHub = "jedevc"
+
 	[people.thajeztah]
 	Name = "Sebastiaan van Stijn"
 	Email = "github@gone.nl"

Makefile

@@ -1,34 +1,96 @@
+ifneq (, $(BUILDX_BIN))
+	export BUILDX_CMD = $(BUILDX_BIN)
+else ifneq (, $(shell docker buildx version))
+	export BUILDX_CMD = docker buildx
+else ifneq (, $(shell which buildx))
+	export BUILDX_CMD = $(which buildx)
+endif
+
+export BUILDX_CMD ?= docker buildx
+
+.PHONY: all
+all: binaries
+
+.PHONY: build
+build:
+	./hack/build
+
+.PHONY: shell
 shell:
 	./hack/shell
 
+.PHONY: binaries
 binaries:
-	./hack/binaries
+	$(BUILDX_CMD) bake binaries
 
+.PHONY: binaries-cross
 binaries-cross:
-	EXPORT_LOCAL=cross-out ./hack/cross
-
-cross:
-	./hack/cross
+	$(BUILDX_CMD) bake binaries-cross
 
+.PHONY: install
 install: binaries
 	mkdir -p ~/.docker/cli-plugins
-	cp bin/buildx ~/.docker/cli-plugins/docker-buildx
+	install bin/build/buildx ~/.docker/cli-plugins/docker-buildx
 
+.PHONY: release
+release:
+	./hack/release
+
+.PHONY: validate-all
+validate-all: lint test validate-vendor validate-docs validate-generated-files
+
+.PHONY: lint
 lint:
-	./hack/lint
+	$(BUILDX_CMD) bake lint
 
+.PHONY: test
 test:
 	./hack/test
 
+.PHONY: test-unit
+test-unit:
+	TESTPKGS=./... SKIP_INTEGRATION_TESTS=1 ./hack/test
+
+.PHONY: test
+test-integration:
+	TESTPKGS=./tests ./hack/test
+
+.PHONY: validate-vendor
 validate-vendor:
-	./hack/validate-vendor
+	$(BUILDX_CMD) bake validate-vendor
 
-validate-all: lint test validate-vendor
+.PHONY: validate-docs
+validate-docs:
+	$(BUILDX_CMD) bake validate-docs
 
+.PHONY: validate-authors
+validate-authors:
+	$(BUILDX_CMD) bake validate-authors
+
+.PHONY: validate-generated-files
+validate-generated-files:
+	$(BUILDX_CMD) bake validate-generated-files
+
+.PHONY: test-driver
+test-driver:
+	./hack/test-driver
+
+.PHONY: vendor
 vendor:
 	./hack/update-vendor
 
-generate-authors:
-	./hack/generate-authors
+.PHONY: docs
+docs:
+	./hack/update-docs
 
-.PHONY: vendor lint shell binaries install binaries-cross validate-all generate-authors
+.PHONY: authors
+authors:
+	$(BUILDX_CMD) bake update-authors
+
+.PHONY: mod-outdated
+mod-outdated:
+	$(BUILDX_CMD) bake mod-outdated
+
+.PHONY: generated-files
+generated-files:
+	$(BUILDX_CMD) bake update-generated-files

bake/compose.go

@@ -1,50 +1,48 @@
 package bake
 
 import (
-	"fmt"
 	"os"
-	"reflect"
+	"path/filepath"
 	"strings"
 
-	"github.com/docker/cli/cli/compose/loader"
-	composetypes "github.com/docker/cli/cli/compose/types"
+	"github.com/compose-spec/compose-go/dotenv"
+	"github.com/compose-spec/compose-go/loader"
+	compose "github.com/compose-spec/compose-go/types"
+	"github.com/pkg/errors"
+	"gopkg.in/yaml.v3"
 )
 
-func parseCompose(dt []byte) (*composetypes.Config, error) {
-	parsed, err := loader.ParseYAML([]byte(dt))
+func ParseComposeFiles(fs []File) (*Config, error) {
+	envs, err := composeEnv()
 	if err != nil {
 		return nil, err
 	}
-	return loader.Load(composetypes.ConfigDetails{
-		ConfigFiles: []composetypes.ConfigFile{
-			{
-				Config: parsed,
-			},
-		},
-		Environment: envMap(os.Environ()),
+	var cfgs []compose.ConfigFile
+	for _, f := range fs {
+		cfgs = append(cfgs, compose.ConfigFile{
+			Filename: f.Name,
+			Content:  f.Data,
 		})
 	}
-
-func envMap(env []string) map[string]string {
-	result := make(map[string]string, len(env))
-	for _, s := range env {
-		kv := strings.SplitN(s, "=", 2)
-		if len(kv) != 2 {
-			continue
-		}
-		result[kv[0]] = kv[1]
-	}
-	return result
+	return ParseCompose(cfgs, envs)
 }
 
-func ParseCompose(dt []byte) (*Config, error) {
-	cfg, err := parseCompose(dt)
+func ParseCompose(cfgs []compose.ConfigFile, envs map[string]string) (*Config, error) {
+	if envs == nil {
+		envs = make(map[string]string)
+	}
+	cfg, err := loader.Load(compose.ConfigDetails{
+		ConfigFiles: cfgs,
+		Environment: envs,
+	}, func(options *loader.Options) {
+		options.SetProjectName("bake", false)
+		options.SkipNormalization = true
+	})
 	if err != nil {
 		return nil, err
 	}
 
 	var c Config
-	var zeroBuildConfig composetypes.BuildConfig
 	if len(cfg.Services) > 0 {
 		c.Groups = []*Group{}
 		c.Targets = []*Target{}
@@ -52,15 +50,15 @@ func ParseCompose(dt []byte) (*Config, error) {
 		g := &Group{Name: "default"}
 
 		for _, s := range cfg.Services {
-
-			if reflect.DeepEqual(s.Build, zeroBuildConfig) {
-				// if not make sure they're setting an image or it's invalid d-c.yml
-				if s.Image == "" {
-					return nil, fmt.Errorf("compose file invalid: service %s has neither an image nor a build context specified. At least one must be provided.", s.Name)
-				}
+			if s.Build == nil {
 				continue
 			}
 
+			targetName := sanitizeTargetName(s.Name)
+			if err = validateTargetName(targetName); err != nil {
+				return nil, errors.Wrapf(err, "invalid service name %q", targetName)
+			}
+
 			var contextPathP *string
 			if s.Build.Context != "" {
 				contextPath := s.Build.Context
@@ -71,21 +69,65 @@ func ParseCompose(dt []byte) (*Config, error) {
 				dockerfilePath := s.Build.Dockerfile
 				dockerfilePathP = &dockerfilePath
 			}
-			g.Targets = append(g.Targets, s.Name)
+			var dockerfileInlineP *string
+			if s.Build.DockerfileInline != "" {
+				dockerfileInline := s.Build.DockerfileInline
+				dockerfileInlineP = &dockerfileInline
+			}
+
+			var additionalContexts map[string]string
+			if s.Build.AdditionalContexts != nil {
+				additionalContexts = map[string]string{}
+				for k, v := range s.Build.AdditionalContexts {
+					additionalContexts[k] = v
+				}
+			}
+
+			var secrets []string
+			for _, bs := range s.Build.Secrets {
+				secret, err := composeToBuildkitSecret(bs, cfg.Secrets[bs.Source])
+				if err != nil {
+					return nil, err
+				}
+				secrets = append(secrets, secret)
+			}
+
+			// compose does not support nil values for labels
+			labels := map[string]*string{}
+			for k, v := range s.Build.Labels {
+				v := v
+				labels[k] = &v
+			}
+
+			g.Targets = append(g.Targets, targetName)
 			t := &Target{
-				Name:       s.Name,
+				Name:             targetName,
 				Context:          contextPathP,
+				Contexts:         additionalContexts,
 				Dockerfile:       dockerfilePathP,
-				Labels:     s.Build.Labels,
-				Args:       toMap(s.Build.Args),
+				DockerfileInline: dockerfileInlineP,
+				Tags:             s.Build.Tags,
+				Labels:           labels,
+				Args: flatten(s.Build.Args.Resolve(func(val string) (string, bool) {
+					if val, ok := s.Environment[val]; ok && val != nil {
+						return *val, true
+					}
+					val, ok := cfg.Environment[val]
+					return val, ok
+				})),
 				CacheFrom:   s.Build.CacheFrom,
-				// TODO: add platforms
+				CacheTo:     s.Build.CacheTo,
+				NetworkMode: &s.Build.Network,
+				Secrets:     secrets,
+			}
+			if err = t.composeExtTarget(s.Build.Extensions); err != nil {
+				return nil, err
 			}
 			if s.Build.Target != "" {
 				target := s.Build.Target
 				t.Target = &target
 			}
-			if s.Image != "" {
+			if len(t.Tags) == 0 && s.Image != "" {
 				t.Tags = []string{s.Image}
 			}
 			c.Targets = append(c.Targets, t)
@@ -97,14 +139,206 @@ func ParseCompose(dt []byte) (*Config, error) {
 	return &c, nil
 }
 
-func toMap(in composetypes.MappingWithEquals) map[string]string {
-	m := map[string]string{}
+func validateComposeFile(dt []byte, fn string) (bool, error) {
+	envs, err := composeEnv()
+	if err != nil {
+		return true, err
+	}
+	fnl := strings.ToLower(fn)
+	if strings.HasSuffix(fnl, ".yml") || strings.HasSuffix(fnl, ".yaml") {
+		return true, validateCompose(dt, envs)
+	}
+	if strings.HasSuffix(fnl, ".json") || strings.HasSuffix(fnl, ".hcl") {
+		return false, nil
+	}
+	err = validateCompose(dt, envs)
+	return err == nil, err
+}
+
+func validateCompose(dt []byte, envs map[string]string) error {
+	_, err := loader.Load(compose.ConfigDetails{
+		ConfigFiles: []compose.ConfigFile{
+			{
+				Content: dt,
+			},
+		},
+		Environment: envs,
+	}, func(options *loader.Options) {
+		options.SetProjectName("bake", false)
+		options.SkipNormalization = true
+		// consistency is checked later in ParseCompose to ensure multiple
+		// compose files can be merged together
+		options.SkipConsistencyCheck = true
+	})
+	return err
+}
+
+func composeEnv() (map[string]string, error) {
+	envs := sliceToMap(os.Environ())
+	if wd, err := os.Getwd(); err == nil {
+		envs, err = loadDotEnv(envs, wd)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return envs, nil
+}
+
+func loadDotEnv(curenv map[string]string, workingDir string) (map[string]string, error) {
+	if curenv == nil {
+		curenv = make(map[string]string)
+	}
+
+	ef, err := filepath.Abs(filepath.Join(workingDir, ".env"))
+	if err != nil {
+		return nil, err
+	}
+
+	if _, err = os.Stat(ef); os.IsNotExist(err) {
+		return curenv, nil
+	} else if err != nil {
+		return nil, err
+	}
+
+	dt, err := os.ReadFile(ef)
+	if err != nil {
+		return nil, err
+	}
+
+	envs, err := dotenv.UnmarshalBytesWithLookup(dt, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	for k, v := range envs {
+		if _, set := curenv[k]; set {
+			continue
+		}
+		curenv[k] = v
+	}
+
+	return curenv, nil
+}
+
+func flatten(in compose.MappingWithEquals) map[string]*string {
+	if len(in) == 0 {
+		return nil
+	}
+	out := map[string]*string{}
 	for k, v := range in {
-		if v != nil {
-			m[k] = *v
+		if v == nil {
+			continue
+		}
+		out[k] = v
+	}
+	return out
+}
+
+// xbake Compose build extension provides fields not (yet) available in
+// Compose build specification: https://github.com/compose-spec/compose-spec/blob/master/build.md
+type xbake struct {
+	Tags          stringArray `yaml:"tags,omitempty"`
+	CacheFrom     stringArray `yaml:"cache-from,omitempty"`
+	CacheTo       stringArray `yaml:"cache-to,omitempty"`
+	Secrets       stringArray `yaml:"secret,omitempty"`
+	SSH           stringArray `yaml:"ssh,omitempty"`
+	Platforms     stringArray `yaml:"platforms,omitempty"`
+	Outputs       stringArray `yaml:"output,omitempty"`
+	Pull          *bool       `yaml:"pull,omitempty"`
+	NoCache       *bool       `yaml:"no-cache,omitempty"`
+	NoCacheFilter stringArray `yaml:"no-cache-filter,omitempty"`
+	Contexts      stringMap   `yaml:"contexts,omitempty"`
+	// don't forget to update documentation if you add a new field:
+	// docs/manuals/bake/compose-file.md#extension-field-with-x-bake
+}
+
+type stringMap map[string]string
+type stringArray []string
+
+func (sa *stringArray) UnmarshalYAML(unmarshal func(interface{}) error) error {
+	var multi []string
+	err := unmarshal(&multi)
+	if err != nil {
+		var single string
+		if err := unmarshal(&single); err != nil {
+			return err
+		}
+		*sa = strings.Fields(single)
 	} else {
-			m[k] = os.Getenv(k)
+		*sa = multi
 	}
+	return nil
 }
-	return m
+
+// composeExtTarget converts Compose build extension x-bake to bake Target
+// https://github.com/compose-spec/compose-spec/blob/master/spec.md#extension
+func (t *Target) composeExtTarget(exts map[string]interface{}) error {
+	var xb xbake
+
+	ext, ok := exts["x-bake"]
+	if !ok || ext == nil {
+		return nil
+	}
+
+	yb, _ := yaml.Marshal(ext)
+	if err := yaml.Unmarshal(yb, &xb); err != nil {
+		return err
+	}
+
+	if len(xb.Tags) > 0 {
+		t.Tags = dedupSlice(append(t.Tags, xb.Tags...))
+	}
+	if len(xb.CacheFrom) > 0 {
+		t.CacheFrom = dedupSlice(append(t.CacheFrom, xb.CacheFrom...))
+	}
+	if len(xb.CacheTo) > 0 {
+		t.CacheTo = dedupSlice(append(t.CacheTo, xb.CacheTo...))
+	}
+	if len(xb.Secrets) > 0 {
+		t.Secrets = dedupSlice(append(t.Secrets, xb.Secrets...))
+	}
+	if len(xb.SSH) > 0 {
+		t.SSH = dedupSlice(append(t.SSH, xb.SSH...))
+	}
+	if len(xb.Platforms) > 0 {
+		t.Platforms = dedupSlice(append(t.Platforms, xb.Platforms...))
+	}
+	if len(xb.Outputs) > 0 {
+		t.Outputs = dedupSlice(append(t.Outputs, xb.Outputs...))
+	}
+	if xb.Pull != nil {
+		t.Pull = xb.Pull
+	}
+	if xb.NoCache != nil {
+		t.NoCache = xb.NoCache
+	}
+	if len(xb.NoCacheFilter) > 0 {
+		t.NoCacheFilter = dedupSlice(append(t.NoCacheFilter, xb.NoCacheFilter...))
+	}
+	if len(xb.Contexts) > 0 {
+		t.Contexts = dedupMap(t.Contexts, xb.Contexts)
+	}
+
+	return nil
+}
+
+// composeToBuildkitSecret converts secret from compose format to buildkit's
+// csv format.
+func composeToBuildkitSecret(inp compose.ServiceSecretConfig, psecret compose.SecretConfig) (string, error) {
+	if psecret.External.External {
+		return "", errors.Errorf("unsupported external secret %s", psecret.Name)
+	}
+
+	var bkattrs []string
+	if inp.Source != "" {
+		bkattrs = append(bkattrs, "id="+inp.Source)
+	}
+	if psecret.File != "" {
+		bkattrs = append(bkattrs, "src="+psecret.File)
+	}
+	if psecret.Environment != "" {
+		bkattrs = append(bkattrs, "env="+psecret.Environment)
+	}
+
+	return strings.Join(bkattrs, ","), nil
 }

bake/compose_test.go

@@ -1,16 +1,18 @@
 package bake
 
 import (
+	"os"
+	"path/filepath"
 	"sort"
 	"testing"
 
+	compose "github.com/compose-spec/compose-go/types"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 
 func TestParseCompose(t *testing.T) {
 	var dt = []byte(`
-version: "3"
-
 services:
   db:
     build: ./db
@@ -19,52 +21,83 @@ services:
   webapp:
     build:
       context: ./dir
+      additional_contexts:
+        foo: /bar
       dockerfile: Dockerfile-alternate
+      network:
+        none
       args:
         buildno: 123
+      cache_from:
+        - type=local,src=path/to/cache
+      cache_to:
+        - type=local,dest=path/to/cache
+      secrets:
+        - token
+        - aws
+  webapp2:
+    build:
+      context: ./dir
+      dockerfile_inline: |
+        FROM alpine
+secrets:
+  token:
+    environment: ENV_TOKEN
+  aws:
+    file: /root/.aws/credentials
 `)
 
-	c, err := ParseCompose(dt)
+	c, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, nil)
 	require.NoError(t, err)
 
 	require.Equal(t, 1, len(c.Groups))
-	require.Equal(t, c.Groups[0].Name, "default")
+	require.Equal(t, "default", c.Groups[0].Name)
 	sort.Strings(c.Groups[0].Targets)
-	require.Equal(t, []string{"db", "webapp"}, c.Groups[0].Targets)
+	require.Equal(t, []string{"db", "webapp", "webapp2"}, c.Groups[0].Targets)
 
-	require.Equal(t, 2, len(c.Targets))
+	require.Equal(t, 3, len(c.Targets))
 	sort.Slice(c.Targets, func(i, j int) bool {
 		return c.Targets[i].Name < c.Targets[j].Name
 	})
 	require.Equal(t, "db", c.Targets[0].Name)
 	require.Equal(t, "./db", *c.Targets[0].Context)
+	require.Equal(t, []string{"docker.io/tonistiigi/db"}, c.Targets[0].Tags)
 
 	require.Equal(t, "webapp", c.Targets[1].Name)
 	require.Equal(t, "./dir", *c.Targets[1].Context)
+	require.Equal(t, map[string]string{"foo": "/bar"}, c.Targets[1].Contexts)
 	require.Equal(t, "Dockerfile-alternate", *c.Targets[1].Dockerfile)
 	require.Equal(t, 1, len(c.Targets[1].Args))
-	require.Equal(t, "123", c.Targets[1].Args["buildno"])
+	require.Equal(t, ptrstr("123"), c.Targets[1].Args["buildno"])
+	require.Equal(t, []string{"type=local,src=path/to/cache"}, c.Targets[1].CacheFrom)
+	require.Equal(t, []string{"type=local,dest=path/to/cache"}, c.Targets[1].CacheTo)
+	require.Equal(t, "none", *c.Targets[1].NetworkMode)
+	require.Equal(t, []string{
+		"id=token,env=ENV_TOKEN",
+		"id=aws,src=/root/.aws/credentials",
+	}, c.Targets[1].Secrets)
+
+	require.Equal(t, "webapp2", c.Targets[2].Name)
+	require.Equal(t, "./dir", *c.Targets[2].Context)
+	require.Equal(t, "FROM alpine\n", *c.Targets[2].DockerfileInline)
 }
 
 func TestNoBuildOutOfTreeService(t *testing.T) {
 	var dt = []byte(`
-version: "3.7"
-
 services:
     external:
         image: "verycooldb:1337"
     webapp:
         build: ./db
 `)
-	c, err := ParseCompose(dt)
+	c, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, nil)
 	require.NoError(t, err)
 	require.Equal(t, 1, len(c.Groups))
+	require.Equal(t, 1, len(c.Targets))
 }
 
 func TestParseComposeTarget(t *testing.T) {
 	var dt = []byte(`
-version: "3.7"
-
 services:
   db:
     build:
@@ -76,7 +109,7 @@ services:
       target: webapp
 `)
 
-	c, err := ParseCompose(dt)
+	c, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, nil)
 	require.NoError(t, err)
 
 	require.Equal(t, 2, len(c.Targets))
@@ -91,8 +124,6 @@ services:
 
 func TestComposeBuildWithoutContext(t *testing.T) {
 	var dt = []byte(`
-version: "3.7"
-
 services:
   db:
     build:
@@ -103,33 +134,540 @@ services:
       target: webapp
 `)
 
-	c, err := ParseCompose(dt)
+	c, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, nil)
 	require.NoError(t, err)
 	require.Equal(t, 2, len(c.Targets))
 	sort.Slice(c.Targets, func(i, j int) bool {
 		return c.Targets[i].Name < c.Targets[j].Name
 	})
-	require.Equal(t, c.Targets[0].Name, "db")
+	require.Equal(t, "db", c.Targets[0].Name)
 	require.Equal(t, "db", *c.Targets[0].Target)
-	require.Equal(t, c.Targets[1].Name, "webapp")
+	require.Equal(t, "webapp", c.Targets[1].Name)
 	require.Equal(t, "webapp", *c.Targets[1].Target)
 }
 
-func TestBogusCompose(t *testing.T) {
+func TestBuildArgEnvCompose(t *testing.T) {
 	var dt = []byte(`
-version: "3.7"
-
+version: "3.8"
 services:
-  db:
-    labels:
-      - "foo"
-  webapp:
+  example:
+    image: example
     build:
       context: .
-      target: webapp
+      dockerfile: Dockerfile
+      args:
+        FOO:
+        BAR: $ZZZ_BAR
+        BRB: FOO
 `)
 
-	_, err := ParseCompose(dt)
-	require.Error(t, err)
-	require.Contains(t, err.Error(), "has neither an image nor a build context specified. At least one must be provided")
+	t.Setenv("FOO", "bar")
+	t.Setenv("BAR", "foo")
+	t.Setenv("ZZZ_BAR", "zzz_foo")
+
+	c, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, sliceToMap(os.Environ()))
+	require.NoError(t, err)
+	require.Equal(t, ptrstr("bar"), c.Targets[0].Args["FOO"])
+	require.Equal(t, ptrstr("zzz_foo"), c.Targets[0].Args["BAR"])
+	require.Equal(t, ptrstr("FOO"), c.Targets[0].Args["BRB"])
+}
+
+func TestInconsistentComposeFile(t *testing.T) {
+	var dt = []byte(`
+services:
+  webapp:
+    entrypoint: echo 1
+`)
+
+	_, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, nil)
+	require.Error(t, err)
+}
+
+func TestAdvancedNetwork(t *testing.T) {
+	var dt = []byte(`
+services:
+  db:
+    networks:
+      - example.com
+    build:
+      context: ./db
+      target: db
+
+networks:
+  example.com:
+    name: example.com
+    driver: bridge
+    ipam:
+      config:
+        - subnet: 10.5.0.0/24
+          ip_range: 10.5.0.0/24
+          gateway: 10.5.0.254
+`)
+
+	_, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, nil)
+	require.NoError(t, err)
+}
+
+func TestTags(t *testing.T) {
+	var dt = []byte(`
+services:
+  example:
+    image: example
+    build:
+      context: .
+      dockerfile: Dockerfile
+      tags:
+        - foo
+        - bar
+`)
+
+	c, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, nil)
+	require.NoError(t, err)
+	require.Equal(t, []string{"foo", "bar"}, c.Targets[0].Tags)
+}
+
+func TestDependsOnList(t *testing.T) {
+	var dt = []byte(`
+version: "3.8"
+
+services:
+  example-container:
+    image: example/fails:latest
+    build:
+      context: .
+      dockerfile: Dockerfile
+    depends_on:
+      other-container:
+        condition: service_healthy
+    networks:
+      default:
+        aliases:
+          - integration-tests
+
+  other-container:
+    image: example/other:latest
+    healthcheck:
+      test: ["CMD", "echo", "success"]
+      retries: 5
+      interval: 5s
+      timeout: 10s
+      start_period: 5s
+
+networks:
+  default:
+    name: test-net
+`)
+
+	_, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, nil)
+	require.NoError(t, err)
+}
+
+func TestComposeExt(t *testing.T) {
+	var dt = []byte(`
+services:
+  addon:
+    image: ct-addon:bar
+    build:
+      context: .
+      dockerfile: ./Dockerfile
+      cache_from:
+        - user/app:cache
+      cache_to:
+        - user/app:cache
+      tags:
+        - ct-addon:baz
+      args:
+        CT_ECR: foo
+        CT_TAG: bar
+      x-bake:
+        contexts:
+          alpine: docker-image://alpine:3.13
+        tags:
+          - ct-addon:foo
+          - ct-addon:alp
+        platforms:
+          - linux/amd64
+          - linux/arm64
+        cache-from:
+          - type=local,src=path/to/cache
+        cache-to:
+          - type=local,dest=path/to/cache
+        pull: true
+
+  aws:
+    image: ct-fake-aws:bar
+    build:
+      dockerfile: ./aws.Dockerfile
+      args:
+        CT_ECR: foo
+        CT_TAG: bar
+      x-bake:
+        secret:
+          - id=mysecret,src=/local/secret
+          - id=mysecret2,src=/local/secret2
+        ssh: default
+        platforms: linux/arm64
+        output: type=docker
+        no-cache: true
+`)
+
+	c, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, nil)
+	require.NoError(t, err)
+	require.Equal(t, 2, len(c.Targets))
+	sort.Slice(c.Targets, func(i, j int) bool {
+		return c.Targets[i].Name < c.Targets[j].Name
+	})
+	require.Equal(t, map[string]*string{"CT_ECR": ptrstr("foo"), "CT_TAG": ptrstr("bar")}, c.Targets[0].Args)
+	require.Equal(t, []string{"ct-addon:baz", "ct-addon:foo", "ct-addon:alp"}, c.Targets[0].Tags)
+	require.Equal(t, []string{"linux/amd64", "linux/arm64"}, c.Targets[0].Platforms)
+	require.Equal(t, []string{"user/app:cache", "type=local,src=path/to/cache"}, c.Targets[0].CacheFrom)
+	require.Equal(t, []string{"user/app:cache", "type=local,dest=path/to/cache"}, c.Targets[0].CacheTo)
+	require.Equal(t, newBool(true), c.Targets[0].Pull)
+	require.Equal(t, map[string]string{"alpine": "docker-image://alpine:3.13"}, c.Targets[0].Contexts)
+	require.Equal(t, []string{"ct-fake-aws:bar"}, c.Targets[1].Tags)
+	require.Equal(t, []string{"id=mysecret,src=/local/secret", "id=mysecret2,src=/local/secret2"}, c.Targets[1].Secrets)
+	require.Equal(t, []string{"default"}, c.Targets[1].SSH)
+	require.Equal(t, []string{"linux/arm64"}, c.Targets[1].Platforms)
+	require.Equal(t, []string{"type=docker"}, c.Targets[1].Outputs)
+	require.Equal(t, newBool(true), c.Targets[1].NoCache)
+}
+
+func TestComposeExtDedup(t *testing.T) {
+	var dt = []byte(`
+services:
+  webapp:
+    image: app:bar
+    build:
+      cache_from:
+        - user/app:cache
+      cache_to:
+        - user/app:cache
+      tags:
+        - ct-addon:foo
+      x-bake:
+        tags:
+          - ct-addon:foo
+          - ct-addon:baz
+        cache-from:
+          - user/app:cache
+          - type=local,src=path/to/cache
+        cache-to:
+          - type=local,dest=path/to/cache
+`)
+
+	c, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, nil)
+	require.NoError(t, err)
+	require.Equal(t, 1, len(c.Targets))
+	require.Equal(t, []string{"ct-addon:foo", "ct-addon:baz"}, c.Targets[0].Tags)
+	require.Equal(t, []string{"user/app:cache", "type=local,src=path/to/cache"}, c.Targets[0].CacheFrom)
+	require.Equal(t, []string{"user/app:cache", "type=local,dest=path/to/cache"}, c.Targets[0].CacheTo)
+}
+
+func TestEnv(t *testing.T) {
+	envf, err := os.CreateTemp("", "env")
+	require.NoError(t, err)
+	defer os.Remove(envf.Name())
+
+	_, err = envf.WriteString("FOO=bsdf -csdf\n")
+	require.NoError(t, err)
+
+	var dt = []byte(`
+services:
+  scratch:
+    build:
+     context: .
+     args:
+        CT_ECR: foo
+        FOO:
+        NODE_ENV:
+    environment:
+      - NODE_ENV=test
+      - AWS_ACCESS_KEY_ID=dummy
+      - AWS_SECRET_ACCESS_KEY=dummy
+    env_file:
+      - ` + envf.Name() + `
+`)
+
+	c, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, nil)
+	require.NoError(t, err)
+	require.Equal(t, map[string]*string{"CT_ECR": ptrstr("foo"), "FOO": ptrstr("bsdf -csdf"), "NODE_ENV": ptrstr("test")}, c.Targets[0].Args)
+}
+
+func TestDotEnv(t *testing.T) {
+	tmpdir := t.TempDir()
+
+	err := os.WriteFile(filepath.Join(tmpdir, ".env"), []byte("FOO=bar"), 0644)
+	require.NoError(t, err)
+
+	var dt = []byte(`
+services:
+  scratch:
+    build:
+     context: .
+     args:
+        FOO:
+`)
+
+	chdir(t, tmpdir)
+	c, err := ParseComposeFiles([]File{{
+		Name: "docker-compose.yml",
+		Data: dt,
+	}})
+	require.NoError(t, err)
+	require.Equal(t, map[string]*string{"FOO": ptrstr("bar")}, c.Targets[0].Args)
+}
+
+func TestPorts(t *testing.T) {
+	var dt = []byte(`
+services:
+  foo:
+    build:
+     context: .
+    ports:
+      - 3306:3306
+  bar:
+    build:
+     context: .
+    ports:
+      - mode: ingress
+        target: 3306
+        published: "3306"
+        protocol: tcp
+`)
+	_, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, nil)
+	require.NoError(t, err)
+}
+
+func newBool(val bool) *bool {
+	b := val
+	return &b
+}
+
+func TestServiceName(t *testing.T) {
+	cases := []struct {
+		svc     string
+		wantErr bool
+	}{
+		{
+			svc:     "a",
+			wantErr: false,
+		},
+		{
+			svc:     "abc",
+			wantErr: false,
+		},
+		{
+			svc:     "a.b",
+			wantErr: false,
+		},
+		{
+			svc:     "_a",
+			wantErr: false,
+		},
+		{
+			svc:     "a_b",
+			wantErr: false,
+		},
+		{
+			svc:     "AbC",
+			wantErr: false,
+		},
+		{
+			svc:     "AbC-0123",
+			wantErr: false,
+		},
+	}
+	for _, tt := range cases {
+		tt := tt
+		t.Run(tt.svc, func(t *testing.T) {
+			_, err := ParseCompose([]compose.ConfigFile{{Content: []byte(`
+services:
+  ` + tt.svc + `:
+    build:
+      context: .
+`)}}, nil)
+			if tt.wantErr {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+			}
+		})
+	}
+}
+
+func TestValidateComposeSecret(t *testing.T) {
+	cases := []struct {
+		name    string
+		dt      []byte
+		wantErr bool
+	}{
+		{
+			name: "secret set by file",
+			dt: []byte(`
+secrets:
+  foo:
+    file: .secret
+`),
+			wantErr: false,
+		},
+		{
+			name: "secret set by environment",
+			dt: []byte(`
+secrets:
+  foo:
+    environment: TOKEN
+`),
+			wantErr: false,
+		},
+		{
+			name: "external secret",
+			dt: []byte(`
+secrets:
+  foo:
+    external: true
+`),
+			wantErr: false,
+		},
+		{
+			name: "unset secret",
+			dt: []byte(`
+secrets:
+  foo: {}
+`),
+			wantErr: true,
+		},
+		{
+			name: "undefined secret",
+			dt: []byte(`
+services:
+  foo:
+    build:
+      secrets:
+        - token
+`),
+			wantErr: true,
+		},
+	}
+	for _, tt := range cases {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			_, err := ParseCompose([]compose.ConfigFile{{Content: tt.dt}}, nil)
+			if tt.wantErr {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+			}
+		})
+	}
+}
+
+func TestValidateComposeFile(t *testing.T) {
+	cases := []struct {
+		name      string
+		fn        string
+		dt        []byte
+		isCompose bool
+		wantErr   bool
+	}{
+		{
+			name: "empty service",
+			fn:   "docker-compose.yml",
+			dt: []byte(`
+services:
+  foo:
+`),
+			isCompose: true,
+			wantErr:   true,
+		},
+		{
+			name: "build",
+			fn:   "docker-compose.yml",
+			dt: []byte(`
+services:
+  foo:
+    build: .
+`),
+			isCompose: true,
+			wantErr:   false,
+		},
+		{
+			name: "image",
+			fn:   "docker-compose.yml",
+			dt: []byte(`
+services:
+  simple:
+    image: nginx
+`),
+			isCompose: true,
+			wantErr:   false,
+		},
+		{
+			name: "unknown ext",
+			fn:   "docker-compose.foo",
+			dt: []byte(`
+services:
+  simple:
+    image: nginx
+`),
+			isCompose: true,
+			wantErr:   false,
+		},
+		{
+			name: "hcl",
+			fn:   "docker-bake.hcl",
+			dt: []byte(`
+target "default" {
+  dockerfile = "test"
+}
+`),
+			isCompose: false,
+			wantErr:   false,
+		},
+	}
+	for _, tt := range cases {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			isCompose, err := validateComposeFile(tt.dt, tt.fn)
+			assert.Equal(t, tt.isCompose, isCompose)
+			if tt.wantErr {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+			}
+		})
+	}
+}
+
+func TestComposeNullArgs(t *testing.T) {
+	var dt = []byte(`
+services:
+  scratch:
+    build:
+     context: .
+     args:
+        FOO: null
+        bar: "baz"
+`)
+
+	c, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, nil)
+	require.NoError(t, err)
+	require.Equal(t, map[string]*string{"bar": ptrstr("baz")}, c.Targets[0].Args)
+}
+
+// chdir changes the current working directory to the named directory,
+// and then restore the original working directory at the end of the test.
+func chdir(t *testing.T, dir string) {
+	olddir, err := os.Getwd()
+	if err != nil {
+		t.Fatalf("chdir: %v", err)
+	}
+	if err := os.Chdir(dir); err != nil {
+		t.Fatalf("chdir %s: %v", dir, err)
+	}
+	t.Cleanup(func() {
+		if err := os.Chdir(olddir); err != nil {
+			t.Errorf("chdir to original working directory %s: %v", olddir, err)
+			os.Exit(1)
+		}
+	})
 }

bake/hcl.go

@@ -1,200 +1,42 @@
 package bake
 
 import (
-	"os"
 	"strings"
 
-	hcl "github.com/hashicorp/hcl/v2"
-	"github.com/hashicorp/hcl/v2/ext/userfunc"
-	"github.com/hashicorp/hcl/v2/hclsimple"
-	"github.com/hashicorp/hcl/v2/hclsyntax"
-	"github.com/hashicorp/hcl/v2/json"
+	"github.com/hashicorp/hcl/v2"
+	"github.com/hashicorp/hcl/v2/hclparse"
 	"github.com/moby/buildkit/solver/errdefs"
 	"github.com/moby/buildkit/solver/pb"
-	"github.com/zclconf/go-cty/cty"
-	"github.com/zclconf/go-cty/cty/function"
-	"github.com/zclconf/go-cty/cty/function/stdlib"
 )
 
-// Collection of generally useful functions in cty-using applications, which
-// HCL supports. These functions are available for use in HCL files.
-var (
-	stdlibFunctions = map[string]function.Function{
-		"absolute":               stdlib.AbsoluteFunc,
-		"add":                    stdlib.AddFunc,
-		"and":                    stdlib.AndFunc,
-		"byteslen":               stdlib.BytesLenFunc,
-		"bytesslice":             stdlib.BytesSliceFunc,
-		"chomp":                  stdlib.ChompFunc,
-		"chunklist":              stdlib.ChunklistFunc,
-		"ceil":                   stdlib.CeilFunc,
-		"csvdecode":              stdlib.CSVDecodeFunc,
-		"coalesce":               stdlib.CoalesceFunc,
-		"coalescelist":           stdlib.CoalesceListFunc,
-		"compact":                stdlib.CompactFunc,
-		"concat":                 stdlib.ConcatFunc,
-		"contains":               stdlib.ContainsFunc,
-		"distinct":               stdlib.DistinctFunc,
-		"divide":                 stdlib.DivideFunc,
-		"element":                stdlib.ElementFunc,
-		"equal":                  stdlib.EqualFunc,
-		"flatten":                stdlib.FlattenFunc,
-		"floor":                  stdlib.FloorFunc,
-		"formatdate":             stdlib.FormatDateFunc,
-		"format":                 stdlib.FormatFunc,
-		"formatlist":             stdlib.FormatListFunc,
-		"greaterthan":            stdlib.GreaterThanFunc,
-		"greaterthanorequalto":   stdlib.GreaterThanOrEqualToFunc,
-		"hasindex":               stdlib.HasIndexFunc,
-		"indent":                 stdlib.IndentFunc,
-		"index":                  stdlib.IndexFunc,
-		"int":                    stdlib.IntFunc,
-		"jsondecode":             stdlib.JSONDecodeFunc,
-		"jsonencode":             stdlib.JSONEncodeFunc,
-		"keys":                   stdlib.KeysFunc,
-		"join":                   stdlib.JoinFunc,
-		"length":                 stdlib.LengthFunc,
-		"lessthan":               stdlib.LessThanFunc,
-		"lessthanorequalto":      stdlib.LessThanOrEqualToFunc,
-		"log":                    stdlib.LogFunc,
-		"lookup":                 stdlib.LookupFunc,
-		"lower":                  stdlib.LowerFunc,
-		"max":                    stdlib.MaxFunc,
-		"merge":                  stdlib.MergeFunc,
-		"min":                    stdlib.MinFunc,
-		"modulo":                 stdlib.ModuloFunc,
-		"multiply":               stdlib.MultiplyFunc,
-		"negate":                 stdlib.NegateFunc,
-		"notequal":               stdlib.NotEqualFunc,
-		"not":                    stdlib.NotFunc,
-		"or":                     stdlib.OrFunc,
-		"parseint":               stdlib.ParseIntFunc,
-		"pow":                    stdlib.PowFunc,
-		"range":                  stdlib.RangeFunc,
-		"regexall":               stdlib.RegexAllFunc,
-		"regex":                  stdlib.RegexFunc,
-		"reverse":                stdlib.ReverseFunc,
-		"reverselist":            stdlib.ReverseListFunc,
-		"sethaselement":          stdlib.SetHasElementFunc,
-		"setintersection":        stdlib.SetIntersectionFunc,
-		"setsubtract":            stdlib.SetSubtractFunc,
-		"setsymmetricdifference": stdlib.SetSymmetricDifferenceFunc,
-		"setunion":               stdlib.SetUnionFunc,
-		"signum":                 stdlib.SignumFunc,
-		"slice":                  stdlib.SliceFunc,
-		"sort":                   stdlib.SortFunc,
-		"split":                  stdlib.SplitFunc,
-		"strlen":                 stdlib.StrlenFunc,
-		"substr":                 stdlib.SubstrFunc,
-		"subtract":               stdlib.SubtractFunc,
-		"timeadd":                stdlib.TimeAddFunc,
-		"title":                  stdlib.TitleFunc,
-		"trim":                   stdlib.TrimFunc,
-		"trimprefix":             stdlib.TrimPrefixFunc,
-		"trimspace":              stdlib.TrimSpaceFunc,
-		"trimsuffix":             stdlib.TrimSuffixFunc,
-		"upper":                  stdlib.UpperFunc,
-		"values":                 stdlib.ValuesFunc,
-		"zipmap":                 stdlib.ZipmapFunc,
-	}
-)
-
-// Used in the first pass of decoding instead of the Config struct to disallow
-// interpolation while parsing variable blocks.
-type staticConfig struct {
-	Variables []*Variable `hcl:"variable,block"`
-	Remain    hcl.Body    `hcl:",remain"`
-}
-
-func ParseHCL(dt []byte, fn string) (_ *Config, err error) {
-	if strings.HasSuffix(fn, ".json") || strings.HasSuffix(fn, ".hcl") {
-		return parseHCL(dt, fn)
-	}
-	cfg, err := parseHCL(dt, fn+".hcl")
-	if err != nil {
-		cfg2, err2 := parseHCL(dt, fn+".json")
-		if err2 == nil {
-			return cfg2, nil
-		}
-	}
-	return cfg, err
-}
-
-func parseHCL(dt []byte, fn string) (_ *Config, err error) {
-	defer func() {
-		err = formatHCLError(dt, err)
-	}()
-
-	// Decode user defined functions, first parsing as hcl and falling back to
-	// json, returning errors based on the file suffix.
-	file, hcldiags := hclsyntax.ParseConfig(dt, fn, hcl.Pos{Line: 1, Column: 1})
-	if hcldiags.HasErrors() {
-		var jsondiags hcl.Diagnostics
-		file, jsondiags = json.Parse(dt, fn)
-		if jsondiags.HasErrors() {
-			fnl := strings.ToLower(fn)
-			if strings.HasSuffix(fnl, ".json") {
-				return nil, jsondiags
-			} else {
-				return nil, hcldiags
-			}
-		}
-	}
-
-	userFunctions, _, diags := userfunc.DecodeUserFunctions(file.Body, "function", func() *hcl.EvalContext {
-		return &hcl.EvalContext{
-			Functions: stdlibFunctions,
-		}
-	})
+func ParseHCLFile(dt []byte, fn string) (*hcl.File, bool, error) {
+	var err error
+	if strings.HasSuffix(fn, ".json") {
+		f, diags := hclparse.NewParser().ParseJSON(dt, fn)
 		if diags.HasErrors() {
-		return nil, diags
+			err = diags
+		}
+		return f, true, err
+	}
+	if strings.HasSuffix(fn, ".hcl") {
+		f, diags := hclparse.NewParser().ParseHCL(dt, fn)
+		if diags.HasErrors() {
+			err = diags
+		}
+		return f, true, err
+	}
+	f, diags := hclparse.NewParser().ParseHCL(dt, fn+".hcl")
+	if diags.HasErrors() {
+		f, diags2 := hclparse.NewParser().ParseJSON(dt, fn+".json")
+		if !diags2.HasErrors() {
+			return f, true, nil
+		}
+		return nil, false, diags
+	}
+	return f, true, nil
 }
 
-	var sc staticConfig
-
-	// Decode only variable blocks without interpolation.
-	if err := hclsimple.Decode(fn, dt, nil, &sc); err != nil {
-		return nil, err
-	}
-
-	// Set all variables to their default value if defined.
-	variables := make(map[string]cty.Value)
-	for _, variable := range sc.Variables {
-		variables[variable.Name] = cty.StringVal(variable.Default)
-	}
-
-	// Override default with values from environment.
-	for _, env := range os.Environ() {
-		parts := strings.SplitN(env, "=", 2)
-		name, value := parts[0], parts[1]
-		if _, ok := variables[name]; ok {
-			variables[name] = cty.StringVal(value)
-		}
-	}
-
-	functions := make(map[string]function.Function)
-	for k, v := range stdlibFunctions {
-		functions[k] = v
-	}
-	for k, v := range userFunctions {
-		functions[k] = v
-	}
-
-	ctx := &hcl.EvalContext{
-		Variables: variables,
-		Functions: functions,
-	}
-
-	var c Config
-
-	// Decode with variables and functions.
-	if err := hclsimple.Decode(fn, dt, ctx, &c); err != nil {
-		return nil, err
-	}
-	return &c, nil
-}
-
-func formatHCLError(dt []byte, err error) error {
+func formatHCLError(err error, files []File) error {
 	if err == nil {
 		return nil
 	}
@@ -207,6 +49,13 @@ func formatHCLError(dt []byte, err error) error {
 			continue
 		}
 		if d.Subject != nil {
+			var dt []byte
+			for _, f := range files {
+				if d.Subject.Filename == f.Name {
+					dt = f.Data
+					break
+				}
+			}
 			src := errdefs.Source{
 				Info: &pb.SourceInfo{
 					Filename: d.Subject.Filename,

bake/hclparser/body.go

@@ -0,0 +1,103 @@
+package hclparser
+
+import (
+	"github.com/hashicorp/hcl/v2"
+)
+
+type filterBody struct {
+	body    hcl.Body
+	schema  *hcl.BodySchema
+	exclude bool
+}
+
+func FilterIncludeBody(body hcl.Body, schema *hcl.BodySchema) hcl.Body {
+	return &filterBody{
+		body:   body,
+		schema: schema,
+	}
+}
+
+func FilterExcludeBody(body hcl.Body, schema *hcl.BodySchema) hcl.Body {
+	return &filterBody{
+		body:    body,
+		schema:  schema,
+		exclude: true,
+	}
+}
+
+func (b *filterBody) Content(schema *hcl.BodySchema) (*hcl.BodyContent, hcl.Diagnostics) {
+	if b.exclude {
+		schema = subtractSchemas(schema, b.schema)
+	} else {
+		schema = intersectSchemas(schema, b.schema)
+	}
+	content, _, diag := b.body.PartialContent(schema)
+	return content, diag
+}
+
+func (b *filterBody) PartialContent(schema *hcl.BodySchema) (*hcl.BodyContent, hcl.Body, hcl.Diagnostics) {
+	if b.exclude {
+		schema = subtractSchemas(schema, b.schema)
+	} else {
+		schema = intersectSchemas(schema, b.schema)
+	}
+	return b.body.PartialContent(schema)
+}
+
+func (b *filterBody) JustAttributes() (hcl.Attributes, hcl.Diagnostics) {
+	return b.body.JustAttributes()
+}
+
+func (b *filterBody) MissingItemRange() hcl.Range {
+	return b.body.MissingItemRange()
+}
+
+func intersectSchemas(a, b *hcl.BodySchema) *hcl.BodySchema {
+	result := &hcl.BodySchema{}
+	for _, blockA := range a.Blocks {
+		for _, blockB := range b.Blocks {
+			if blockA.Type == blockB.Type {
+				result.Blocks = append(result.Blocks, blockA)
+				break
+			}
+		}
+	}
+	for _, attrA := range a.Attributes {
+		for _, attrB := range b.Attributes {
+			if attrA.Name == attrB.Name {
+				result.Attributes = append(result.Attributes, attrA)
+				break
+			}
+		}
+	}
+	return result
+}
+
+func subtractSchemas(a, b *hcl.BodySchema) *hcl.BodySchema {
+	result := &hcl.BodySchema{}
+	for _, blockA := range a.Blocks {
+		found := false
+		for _, blockB := range b.Blocks {
+			if blockA.Type == blockB.Type {
+				found = true
+				break
+			}
+		}
+		if !found {
+			result.Blocks = append(result.Blocks, blockA)
+		}
+	}
+	for _, attrA := range a.Attributes {
+		found := false
+		for _, attrB := range b.Attributes {
+			if attrA.Name == attrB.Name {
+				found = true
+				break
+			}
+		}
+		if !found {
+			result.Attributes = append(result.Attributes, attrA)
+		}
+	}
+	return result
+}

bake/hclparser/expr.go

@@ -0,0 +1,145 @@
+package hclparser
+
+import (
+	"reflect"
+	"unsafe"
+
+	"github.com/hashicorp/hcl/v2"
+	"github.com/hashicorp/hcl/v2/hclsyntax"
+	"github.com/pkg/errors"
+)
+
+func funcCalls(exp hcl.Expression) ([]string, hcl.Diagnostics) {
+	node, ok := exp.(hclsyntax.Node)
+	if !ok {
+		fns, err := jsonFuncCallsRecursive(exp)
+		if err != nil {
+			return nil, wrapErrorDiagnostic("Invalid expression", err, exp.Range().Ptr(), exp.Range().Ptr())
+		}
+		return fns, nil
+	}
+
+	var funcnames []string
+	hcldiags := hclsyntax.VisitAll(node, func(n hclsyntax.Node) hcl.Diagnostics {
+		if fe, ok := n.(*hclsyntax.FunctionCallExpr); ok {
+			funcnames = append(funcnames, fe.Name)
+		}
+		return nil
+	})
+	if hcldiags.HasErrors() {
+		return nil, hcldiags
+	}
+	return funcnames, nil
+}
+
+func jsonFuncCallsRecursive(exp hcl.Expression) ([]string, error) {
+	je, ok := exp.(jsonExp)
+	if !ok {
+		return nil, errors.Errorf("invalid expression type %T", exp)
+	}
+	m := map[string]struct{}{}
+	for _, e := range elementExpressions(je, exp) {
+		if err := appendJSONFuncCalls(e, m); err != nil {
+			return nil, err
+		}
+	}
+	arr := make([]string, 0, len(m))
+	for n := range m {
+		arr = append(arr, n)
+	}
+	return arr, nil
+}
+
+func appendJSONFuncCalls(exp hcl.Expression, m map[string]struct{}) error {
+	v := reflect.ValueOf(exp)
+	if v.Kind() != reflect.Ptr || v.IsNil() {
+		return errors.Errorf("invalid json expression kind %T %v", exp, v.Kind())
+	}
+	src := v.Elem().FieldByName("src")
+	if src.IsZero() {
+		return errors.Errorf("%v has no property src", v.Elem().Type())
+	}
+	if src.Kind() != reflect.Interface {
+		return errors.Errorf("%v src is not interface: %v", src.Type(), src.Kind())
+	}
+	src = src.Elem()
+	if src.IsNil() {
+		return nil
+	}
+	if src.Kind() == reflect.Ptr {
+		src = src.Elem()
+	}
+	if src.Kind() != reflect.Struct {
+		return errors.Errorf("%v is not struct: %v", src.Type(), src.Kind())
+	}
+
+	// hcl/v2/json/ast#stringVal
+	val := src.FieldByName("Value")
+	if !val.IsValid() || val.IsZero() {
+		return nil
+	}
+	rng := src.FieldByName("SrcRange")
+	if rng.IsZero() {
+		return nil
+	}
+	var stringVal struct {
+		Value    string
+		SrcRange hcl.Range
+	}
+
+	if !val.Type().AssignableTo(reflect.ValueOf(stringVal.Value).Type()) {
+		return nil
+	}
+	if !rng.Type().AssignableTo(reflect.ValueOf(stringVal.SrcRange).Type()) {
+		return nil
+	}
+	// reflect.Set does not work for unexported fields
+	stringVal.Value = *(*string)(unsafe.Pointer(val.UnsafeAddr()))
+	stringVal.SrcRange = *(*hcl.Range)(unsafe.Pointer(rng.UnsafeAddr()))
+
+	expr, diags := hclsyntax.ParseExpression([]byte(stringVal.Value), stringVal.SrcRange.Filename, stringVal.SrcRange.Start)
+	if diags.HasErrors() {
+		return nil
+	}
+
+	fns, err := funcCalls(expr)
+	if err != nil {
+		return err
+	}
+
+	for _, fn := range fns {
+		m[fn] = struct{}{}
+	}
+
+	return nil
+}
+
+type jsonExp interface {
+	ExprList() []hcl.Expression
+	ExprMap() []hcl.KeyValuePair
+}
+
+func elementExpressions(je jsonExp, exp hcl.Expression) []hcl.Expression {
+	list := je.ExprList()
+	if len(list) != 0 {
+		exp := make([]hcl.Expression, 0, len(list))
+		for _, e := range list {
+			if je, ok := e.(jsonExp); ok {
+				exp = append(exp, elementExpressions(je, e)...)
+			}
+		}
+		return exp
+	}
+	kvlist := je.ExprMap()
+	if len(kvlist) != 0 {
+		exp := make([]hcl.Expression, 0, len(kvlist)*2)
+		for _, p := range kvlist {
+			exp = append(exp, p.Key)
+			if je, ok := p.Value.(jsonExp); ok {
+				exp = append(exp, elementExpressions(je, p.Value)...)
+			}
+		}
+		return exp
+	}
+	return []hcl.Expression{exp}
+}

bake/hclparser/hclparser.go

@@ -0,0 +1,903 @@
+package hclparser
+
+import (
+	"encoding/binary"
+	"fmt"
+	"hash/fnv"
+	"math"
+	"math/big"
+	"reflect"
+	"strconv"
+	"strings"
+
+	"github.com/docker/buildx/util/userfunc"
+	"github.com/hashicorp/hcl/v2"
+	"github.com/hashicorp/hcl/v2/gohcl"
+	"github.com/pkg/errors"
+	"github.com/zclconf/go-cty/cty"
+	"github.com/zclconf/go-cty/cty/gocty"
+)
+
+type Opt struct {
+	LookupVar     func(string) (string, bool)
+	Vars          map[string]string
+	ValidateLabel func(string) error
+}
+
+type variable struct {
+	Name    string         `json:"-" hcl:"name,label"`
+	Default *hcl.Attribute `json:"default,omitempty" hcl:"default,optional"`
+	Body    hcl.Body       `json:"-" hcl:",body"`
+}
+
+type functionDef struct {
+	Name     string         `json:"-" hcl:"name,label"`
+	Params   *hcl.Attribute `json:"params,omitempty" hcl:"params"`
+	Variadic *hcl.Attribute `json:"variadic_param,omitempty" hcl:"variadic_params"`
+	Result   *hcl.Attribute `json:"result,omitempty" hcl:"result"`
+}
+
+type inputs struct {
+	Variables []*variable    `hcl:"variable,block"`
+	Functions []*functionDef `hcl:"function,block"`
+
+	Remain hcl.Body `json:"-" hcl:",remain"`
+}
+
+type parser struct {
+	opt Opt
+
+	vars  map[string]*variable
+	attrs map[string]*hcl.Attribute
+	funcs map[string]*functionDef
+
+	blocks       map[string]map[string][]*hcl.Block
+	blockValues  map[*hcl.Block][]reflect.Value
+	blockEvalCtx map[*hcl.Block][]*hcl.EvalContext
+	blockNames   map[*hcl.Block][]string
+	blockTypes   map[string]reflect.Type
+
+	ectx *hcl.EvalContext
+
+	progressV map[uint64]struct{}
+	progressF map[uint64]struct{}
+	progressB map[uint64]map[string]struct{}
+	doneB     map[uint64]map[string]struct{}
+}
+
+type WithEvalContexts interface {
+	GetEvalContexts(base *hcl.EvalContext, block *hcl.Block, loadDeps func(hcl.Expression) hcl.Diagnostics) ([]*hcl.EvalContext, error)
+}
+
+type WithGetName interface {
+	GetName(ectx *hcl.EvalContext, block *hcl.Block, loadDeps func(hcl.Expression) hcl.Diagnostics) (string, error)
+}
+
+var errUndefined = errors.New("undefined")
+
+func (p *parser) loadDeps(ectx *hcl.EvalContext, exp hcl.Expression, exclude map[string]struct{}, allowMissing bool) hcl.Diagnostics {
+	fns, hcldiags := funcCalls(exp)
+	if hcldiags.HasErrors() {
+		return hcldiags
+	}
+
+	for _, fn := range fns {
+		if err := p.resolveFunction(ectx, fn); err != nil {
+			if allowMissing && errors.Is(err, errUndefined) {
+				continue
+			}
+			return wrapErrorDiagnostic("Invalid expression", err, exp.Range().Ptr(), exp.Range().Ptr())
+		}
+	}
+
+	for _, v := range exp.Variables() {
+		if _, ok := exclude[v.RootName()]; ok {
+			continue
+		}
+		if _, ok := p.blockTypes[v.RootName()]; ok {
+			blockType := v.RootName()
+
+			split := v.SimpleSplit().Rel
+			if len(split) == 0 {
+				return hcl.Diagnostics{
+					&hcl.Diagnostic{
+						Severity: hcl.DiagError,
+						Summary:  "Invalid expression",
+						Detail:   fmt.Sprintf("cannot access %s as a variable", blockType),
+						Subject:  exp.Range().Ptr(),
+						Context:  exp.Range().Ptr(),
+					},
+				}
+			}
+			blockName, ok := split[0].(hcl.TraverseAttr)
+			if !ok {
+				return hcl.Diagnostics{
+					&hcl.Diagnostic{
+						Severity: hcl.DiagError,
+						Summary:  "Invalid expression",
+						Detail:   fmt.Sprintf("cannot traverse %s without attribute", blockType),
+						Subject:  exp.Range().Ptr(),
+						Context:  exp.Range().Ptr(),
+					},
+				}
+			}
+			blocks := p.blocks[blockType][blockName.Name]
+			if len(blocks) == 0 {
+				continue
+			}
+
+			var target *hcl.BodySchema
+			if len(split) > 1 {
+				if attr, ok := split[1].(hcl.TraverseAttr); ok {
+					target = &hcl.BodySchema{
+						Attributes: []hcl.AttributeSchema{{Name: attr.Name}},
+						Blocks:     []hcl.BlockHeaderSchema{{Type: attr.Name}},
+					}
+				}
+			}
+			for _, block := range blocks {
+				if err := p.resolveBlock(block, target); err != nil {
+					if allowMissing && errors.Is(err, errUndefined) {
+						continue
+					}
+					return wrapErrorDiagnostic("Invalid expression", err, exp.Range().Ptr(), exp.Range().Ptr())
+				}
+			}
+		} else {
+			if err := p.resolveValue(ectx, v.RootName()); err != nil {
+				if allowMissing && errors.Is(err, errUndefined) {
+					continue
+				}
+				return wrapErrorDiagnostic("Invalid expression", err, exp.Range().Ptr(), exp.Range().Ptr())
+			}
+		}
+	}
+
+	return nil
+}
+
+// resolveFunction forces evaluation of a function, storing the result into the
+// parser.
+func (p *parser) resolveFunction(ectx *hcl.EvalContext, name string) error {
+	if _, ok := p.ectx.Functions[name]; ok {
+		return nil
+	}
+	if _, ok := ectx.Functions[name]; ok {
+		return nil
+	}
+	f, ok := p.funcs[name]
+	if !ok {
+		return errors.Wrapf(errUndefined, "function %q does not exist", name)
+	}
+	if _, ok := p.progressF[key(ectx, name)]; ok {
+		return errors.Errorf("function cycle not allowed for %s", name)
+	}
+	p.progressF[key(ectx, name)] = struct{}{}
+
+	if f.Result == nil {
+		return errors.Errorf("empty result not allowed for %s", name)
+	}
+	if f.Params == nil {
+		return errors.Errorf("empty params not allowed for %s", name)
+	}
+
+	paramExprs, paramsDiags := hcl.ExprList(f.Params.Expr)
+	if paramsDiags.HasErrors() {
+		return paramsDiags
+	}
+	var diags hcl.Diagnostics
+	params := map[string]struct{}{}
+	for _, paramExpr := range paramExprs {
+		param := hcl.ExprAsKeyword(paramExpr)
+		if param == "" {
+			diags = append(diags, &hcl.Diagnostic{
+				Severity: hcl.DiagError,
+				Summary:  "Invalid param element",
+				Detail:   "Each parameter name must be an identifier.",
+				Subject:  paramExpr.Range().Ptr(),
+			})
+		}
+		params[param] = struct{}{}
+	}
+	var variadic hcl.Expression
+	if f.Variadic != nil {
+		variadic = f.Variadic.Expr
+		param := hcl.ExprAsKeyword(variadic)
+		if param == "" {
+			diags = append(diags, &hcl.Diagnostic{
+				Severity: hcl.DiagError,
+				Summary:  "Invalid param element",
+				Detail:   "Each parameter name must be an identifier.",
+				Subject:  f.Variadic.Range.Ptr(),
+			})
+		}
+		params[param] = struct{}{}
+	}
+	if diags.HasErrors() {
+		return diags
+	}
+
+	if diags := p.loadDeps(p.ectx, f.Result.Expr, params, false); diags.HasErrors() {
+		return diags
+	}
+
+	v, diags := userfunc.NewFunction(f.Params.Expr, variadic, f.Result.Expr, func() *hcl.EvalContext {
+		return p.ectx
+	})
+	if diags.HasErrors() {
+		return diags
+	}
+	p.ectx.Functions[name] = v
+
+	return nil
+}
+
+// resolveValue forces evaluation of a named value, storing the result into the
+// parser.
+func (p *parser) resolveValue(ectx *hcl.EvalContext, name string) (err error) {
+	if _, ok := p.ectx.Variables[name]; ok {
+		return nil
+	}
+	if _, ok := ectx.Variables[name]; ok {
+		return nil
+	}
+	if _, ok := p.progressV[key(ectx, name)]; ok {
+		return errors.Errorf("variable cycle not allowed for %s", name)
+	}
+	p.progressV[key(ectx, name)] = struct{}{}
+
+	var v *cty.Value
+	defer func() {
+		if v != nil {
+			p.ectx.Variables[name] = *v
+		}
+	}()
+
+	def, ok := p.attrs[name]
+	if _, builtin := p.opt.Vars[name]; !ok && !builtin {
+		vr, ok := p.vars[name]
+		if !ok {
+			return errors.Wrapf(errUndefined, "variable %q does not exist", name)
+		}
+		def = vr.Default
+		ectx = p.ectx
+	}
+
+	if def == nil {
+		val, ok := p.opt.Vars[name]
+		if !ok {
+			val, _ = p.opt.LookupVar(name)
+		}
+		vv := cty.StringVal(val)
+		v = &vv
+		return
+	}
+
+	if diags := p.loadDeps(ectx, def.Expr, nil, true); diags.HasErrors() {
+		return diags
+	}
+	vv, diags := def.Expr.Value(ectx)
+	if diags.HasErrors() {
+		return diags
+	}
+
+	_, isVar := p.vars[name]
+
+	if envv, ok := p.opt.LookupVar(name); ok && isVar {
+		switch {
+		case vv.Type().Equals(cty.Bool):
+			b, err := strconv.ParseBool(envv)
+			if err != nil {
+				return errors.Wrapf(err, "failed to parse %s as bool", name)
+			}
+			vv = cty.BoolVal(b)
+		case vv.Type().Equals(cty.String), vv.Type().Equals(cty.DynamicPseudoType):
+			vv = cty.StringVal(envv)
+		case vv.Type().Equals(cty.Number):
+			n, err := strconv.ParseFloat(envv, 64)
+			if err == nil && (math.IsNaN(n) || math.IsInf(n, 0)) {
+				err = errors.Errorf("invalid number value")
+			}
+			if err != nil {
+				return errors.Wrapf(err, "failed to parse %s as number", name)
+			}
+			vv = cty.NumberVal(big.NewFloat(n))
+		default:
+			// TODO: support lists with csv values
+			return errors.Errorf("unsupported type %s for variable %s", vv.Type().FriendlyName(), name)
+		}
+	}
+	v = &vv
+	return nil
+}
+
+// resolveBlock force evaluates a block, storing the result in the parser. If a
+// target schema is provided, only the attributes and blocks present in the
+// schema will be evaluated.
+func (p *parser) resolveBlock(block *hcl.Block, target *hcl.BodySchema) (err error) {
+	// prepare the variable map for this type
+	if _, ok := p.ectx.Variables[block.Type]; !ok {
+		p.ectx.Variables[block.Type] = cty.MapValEmpty(cty.Map(cty.String))
+	}
+
+	// prepare the output destination and evaluation context
+	t, ok := p.blockTypes[block.Type]
+	if !ok {
+		return nil
+	}
+	var outputs []reflect.Value
+	var ectxs []*hcl.EvalContext
+	if prev, ok := p.blockValues[block]; ok {
+		outputs = prev
+		ectxs = p.blockEvalCtx[block]
+	} else {
+		if v, ok := reflect.New(t).Interface().(WithEvalContexts); ok {
+			ectxs, err = v.GetEvalContexts(p.ectx, block, func(expr hcl.Expression) hcl.Diagnostics {
+				return p.loadDeps(p.ectx, expr, nil, true)
+			})
+			if err != nil {
+				return err
+			}
+			for _, ectx := range ectxs {
+				if ectx != p.ectx && ectx.Parent() != p.ectx {
+					return errors.Errorf("EvalContext must return a context with the correct parent")
+				}
+			}
+		} else {
+			ectxs = append([]*hcl.EvalContext{}, p.ectx)
+		}
+		for range ectxs {
+			outputs = append(outputs, reflect.New(t))
+		}
+	}
+	p.blockValues[block] = outputs
+	p.blockEvalCtx[block] = ectxs
+
+	for i, output := range outputs {
+		target := target
+		ectx := ectxs[i]
+		name := block.Labels[0]
+		if names, ok := p.blockNames[block]; ok {
+			name = names[i]
+		}
+
+		if _, ok := p.doneB[key(block, ectx)]; !ok {
+			p.doneB[key(block, ectx)] = map[string]struct{}{}
+		}
+		if _, ok := p.progressB[key(block, ectx)]; !ok {
+			p.progressB[key(block, ectx)] = map[string]struct{}{}
+		}
+
+		if target != nil {
+			// filter out attributes and blocks that are already evaluated
+			original := target
+			target = &hcl.BodySchema{}
+			for _, a := range original.Attributes {
+				if _, ok := p.doneB[key(block, ectx)][a.Name]; !ok {
+					target.Attributes = append(target.Attributes, a)
+				}
+			}
+			for _, b := range original.Blocks {
+				if _, ok := p.doneB[key(block, ectx)][b.Type]; !ok {
+					target.Blocks = append(target.Blocks, b)
+				}
+			}
+			if len(target.Attributes) == 0 && len(target.Blocks) == 0 {
+				return nil
+			}
+		}
+
+		if target != nil {
+			// detect reference cycles
+			for _, a := range target.Attributes {
+				if _, ok := p.progressB[key(block, ectx)][a.Name]; ok {
+					return errors.Errorf("reference cycle not allowed for %s.%s.%s", block.Type, name, a.Name)
+				}
+			}
+			for _, b := range target.Blocks {
+				if _, ok := p.progressB[key(block, ectx)][b.Type]; ok {
+					return errors.Errorf("reference cycle not allowed for %s.%s.%s", block.Type, name, b.Type)
+				}
+			}
+			for _, a := range target.Attributes {
+				p.progressB[key(block, ectx)][a.Name] = struct{}{}
+			}
+			for _, b := range target.Blocks {
+				p.progressB[key(block, ectx)][b.Type] = struct{}{}
+			}
+		}
+
+		// create a filtered body that contains only the target properties
+		body := func() hcl.Body {
+			if target != nil {
+				return FilterIncludeBody(block.Body, target)
+			}
+
+			filter := &hcl.BodySchema{}
+			for k := range p.doneB[key(block, ectx)] {
+				filter.Attributes = append(filter.Attributes, hcl.AttributeSchema{Name: k})
+				filter.Blocks = append(filter.Blocks, hcl.BlockHeaderSchema{Type: k})
+			}
+			return FilterExcludeBody(block.Body, filter)
+		}
+
+		// load dependencies from all targeted properties
+		schema, _ := gohcl.ImpliedBodySchema(reflect.New(t).Interface())
+		content, _, diag := body().PartialContent(schema)
+		if diag.HasErrors() {
+			return diag
+		}
+		for _, a := range content.Attributes {
+			diag := p.loadDeps(ectx, a.Expr, nil, true)
+			if diag.HasErrors() {
+				return diag
+			}
+		}
+		for _, b := range content.Blocks {
+			err := p.resolveBlock(b, nil)
+			if err != nil {
+				return err
+			}
+		}
+
+		// decode!
+		diag = gohcl.DecodeBody(body(), ectx, output.Interface())
+		if diag.HasErrors() {
+			return diag
+		}
+
+		// mark all targeted properties as done
+		for _, a := range content.Attributes {
+			p.doneB[key(block, ectx)][a.Name] = struct{}{}
+		}
+		for _, b := range content.Blocks {
+			p.doneB[key(block, ectx)][b.Type] = struct{}{}
+		}
+		if target != nil {
+			for _, a := range target.Attributes {
+				p.doneB[key(block, ectx)][a.Name] = struct{}{}
+			}
+			for _, b := range target.Blocks {
+				p.doneB[key(block, ectx)][b.Type] = struct{}{}
+			}
+		}
+
+		// store the result into the evaluation context (so it can be referenced)
+		outputType, err := gocty.ImpliedType(output.Interface())
+		if err != nil {
+			return err
+		}
+		outputValue, err := gocty.ToCtyValue(output.Interface(), outputType)
+		if err != nil {
+			return err
+		}
+		var m map[string]cty.Value
+		if m2, ok := p.ectx.Variables[block.Type]; ok {
+			m = m2.AsValueMap()
+		}
+		if m == nil {
+			m = map[string]cty.Value{}
+		}
+		m[name] = outputValue
+		p.ectx.Variables[block.Type] = cty.MapVal(m)
+	}
+
+	return nil
+}
+
+// resolveBlockNames returns the names of the block, calling resolveBlock to
+// evaluate any label fields to correctly resolve the name.
+func (p *parser) resolveBlockNames(block *hcl.Block) ([]string, error) {
+	if names, ok := p.blockNames[block]; ok {
+		return names, nil
+	}
+
+	if err := p.resolveBlock(block, &hcl.BodySchema{}); err != nil {
+		return nil, err
+	}
+
+	names := make([]string, 0, len(p.blockValues[block]))
+	for i, val := range p.blockValues[block] {
+		ectx := p.blockEvalCtx[block][i]
+
+		name := block.Labels[0]
+		if err := p.opt.ValidateLabel(name); err != nil {
+			return nil, err
+		}
+
+		if v, ok := val.Interface().(WithGetName); ok {
+			var err error
+			name, err = v.GetName(ectx, block, func(expr hcl.Expression) hcl.Diagnostics {
+				return p.loadDeps(ectx, expr, nil, true)
+			})
+			if err != nil {
+				return nil, err
+			}
+			if err := p.opt.ValidateLabel(name); err != nil {
+				return nil, err
+			}
+		}
+
+		setName(val, name)
+		names = append(names, name)
+	}
+
+	found := map[string]struct{}{}
+	for _, name := range names {
+		if _, ok := found[name]; ok {
+			return nil, errors.Errorf("duplicate name %q", name)
+		}
+		found[name] = struct{}{}
+	}
+
+	p.blockNames[block] = names
+	return names, nil
+}
+
+func Parse(b hcl.Body, opt Opt, val interface{}) (map[string]map[string][]string, hcl.Diagnostics) {
+	reserved := map[string]struct{}{}
+	schema, _ := gohcl.ImpliedBodySchema(val)
+
+	for _, bs := range schema.Blocks {
+		reserved[bs.Type] = struct{}{}
+	}
+	for k := range opt.Vars {
+		reserved[k] = struct{}{}
+	}
+
+	var defs inputs
+	if err := gohcl.DecodeBody(b, nil, &defs); err != nil {
+		return nil, err
+	}
+	defsSchema, _ := gohcl.ImpliedBodySchema(defs)
+
+	if opt.LookupVar == nil {
+		opt.LookupVar = func(string) (string, bool) {
+			return "", false
+		}
+	}
+
+	if opt.ValidateLabel == nil {
+		opt.ValidateLabel = func(string) error {
+			return nil
+		}
+	}
+
+	p := &parser{
+		opt: opt,
+
+		vars:  map[string]*variable{},
+		attrs: map[string]*hcl.Attribute{},
+		funcs: map[string]*functionDef{},
+
+		blocks:       map[string]map[string][]*hcl.Block{},
+		blockValues:  map[*hcl.Block][]reflect.Value{},
+		blockEvalCtx: map[*hcl.Block][]*hcl.EvalContext{},
+		blockNames:   map[*hcl.Block][]string{},
+		blockTypes:   map[string]reflect.Type{},
+		ectx: &hcl.EvalContext{
+			Variables: map[string]cty.Value{},
+			Functions: Stdlib(),
+		},
+
+		progressV: map[uint64]struct{}{},
+		progressF: map[uint64]struct{}{},
+		progressB: map[uint64]map[string]struct{}{},
+		doneB:     map[uint64]map[string]struct{}{},
+	}
+
+	for _, v := range defs.Variables {
+		// TODO: validate name
+		if _, ok := reserved[v.Name]; ok {
+			continue
+		}
+		p.vars[v.Name] = v
+	}
+	for _, v := range defs.Functions {
+		// TODO: validate name
+		if _, ok := reserved[v.Name]; ok {
+			continue
+		}
+		p.funcs[v.Name] = v
+	}
+
+	content, b, diags := b.PartialContent(schema)
+	if diags.HasErrors() {
+		return nil, diags
+	}
+
+	blocks, b, diags := b.PartialContent(defsSchema)
+	if diags.HasErrors() {
+		return nil, diags
+	}
+
+	attrs, diags := b.JustAttributes()
+	if diags.HasErrors() {
+		if d := removeAttributesDiags(diags, reserved, p.vars); len(d) > 0 {
+			return nil, d
+		}
+	}
+
+	for _, v := range attrs {
+		if _, ok := reserved[v.Name]; ok {
+			continue
+		}
+		p.attrs[v.Name] = v
+	}
+	delete(p.attrs, "function")
+
+	for k := range p.opt.Vars {
+		_ = p.resolveValue(p.ectx, k)
+	}
+
+	for _, a := range content.Attributes {
+		return nil, hcl.Diagnostics{
+			&hcl.Diagnostic{
+				Severity: hcl.DiagError,
+				Summary:  "Invalid attribute",
+				Detail:   "global attributes currently not supported",
+				Subject:  &a.Range,
+				Context:  &a.Range,
+			},
+		}
+	}
+
+	for k := range p.vars {
+		if err := p.resolveValue(p.ectx, k); err != nil {
+			if diags, ok := err.(hcl.Diagnostics); ok {
+				return nil, diags
+			}
+			r := p.vars[k].Body.MissingItemRange()
+			return nil, wrapErrorDiagnostic("Invalid value", err, &r, &r)
+		}
+	}
+
+	for k := range p.funcs {
+		if err := p.resolveFunction(p.ectx, k); err != nil {
+			if diags, ok := err.(hcl.Diagnostics); ok {
+				return nil, diags
+			}
+			var subject *hcl.Range
+			var context *hcl.Range
+			if p.funcs[k].Params != nil {
+				subject = &p.funcs[k].Params.Range
+				context = subject
+			} else {
+				for _, block := range blocks.Blocks {
+					if block.Type == "function" && len(block.Labels) == 1 && block.Labels[0] == k {
+						subject = &block.LabelRanges[0]
+						context = &block.DefRange
+						break
+					}
+				}
+			}
+			return nil, wrapErrorDiagnostic("Invalid function", err, subject, context)
+		}
+	}
+
+	type value struct {
+		reflect.Value
+		idx int
+	}
+	type field struct {
+		idx    int
+		typ    reflect.Type
+		values map[string]value
+	}
+	types := map[string]field{}
+	renamed := map[string]map[string][]string{}
+	vt := reflect.ValueOf(val).Elem().Type()
+	for i := 0; i < vt.NumField(); i++ {
+		tags := strings.Split(vt.Field(i).Tag.Get("hcl"), ",")
+
+		p.blockTypes[tags[0]] = vt.Field(i).Type.Elem().Elem()
+		types[tags[0]] = field{
+			idx:    i,
+			typ:    vt.Field(i).Type,
+			values: make(map[string]value),
+		}
+		renamed[tags[0]] = map[string][]string{}
+	}
+
+	tmpBlocks := map[string]map[string][]*hcl.Block{}
+	for _, b := range content.Blocks {
+		if len(b.Labels) == 0 || len(b.Labels) > 1 {
+			return nil, hcl.Diagnostics{
+				&hcl.Diagnostic{
+					Severity: hcl.DiagError,
+					Summary:  "Invalid block",
+					Detail:   fmt.Sprintf("invalid block label: %v", b.Labels),
+					Subject:  &b.LabelRanges[0],
+					Context:  &b.LabelRanges[0],
+				},
+			}
+		}
+
+		bm, ok := tmpBlocks[b.Type]
+		if !ok {
+			bm = map[string][]*hcl.Block{}
+			tmpBlocks[b.Type] = bm
+		}
+
+		names, err := p.resolveBlockNames(b)
+		if err != nil {
+			return nil, wrapErrorDiagnostic("Invalid name", err, &b.LabelRanges[0], &b.LabelRanges[0])
+		}
+		for _, name := range names {
+			bm[name] = append(bm[name], b)
+			renamed[b.Type][b.Labels[0]] = append(renamed[b.Type][b.Labels[0]], name)
+		}
+	}
+	p.blocks = tmpBlocks
+
+	diags = hcl.Diagnostics{}
+	for _, b := range content.Blocks {
+		v := reflect.ValueOf(val)
+
+		err := p.resolveBlock(b, nil)
+		if err != nil {
+			if diag, ok := err.(hcl.Diagnostics); ok {
+				if diag.HasErrors() {
+					diags = append(diags, diag...)
+					continue
+				}
+			} else {
+				return nil, wrapErrorDiagnostic("Invalid block", err, &b.LabelRanges[0], &b.DefRange)
+			}
+		}
+
+		vvs := p.blockValues[b]
+		for _, vv := range vvs {
+			t := types[b.Type]
+			lblIndex, lblExists := getNameIndex(vv)
+			lblName, _ := getName(vv)
+			oldValue, exists := t.values[lblName]
+			if !exists && lblExists {
+				if v.Elem().Field(t.idx).Type().Kind() == reflect.Slice {
+					for i := 0; i < v.Elem().Field(t.idx).Len(); i++ {
+						if lblName == v.Elem().Field(t.idx).Index(i).Elem().Field(lblIndex).String() {
+							exists = true
+							oldValue = value{Value: v.Elem().Field(t.idx).Index(i), idx: i}
+							break
+						}
+					}
+				}
+			}
+			if exists {
+				if m := oldValue.Value.MethodByName("Merge"); m.IsValid() {
+					m.Call([]reflect.Value{vv})
+				} else {
+					v.Elem().Field(t.idx).Index(oldValue.idx).Set(vv)
+				}
+			} else {
+				slice := v.Elem().Field(t.idx)
+				if slice.IsNil() {
+					slice = reflect.New(t.typ).Elem()
+				}
+				t.values[lblName] = value{Value: vv, idx: slice.Len()}
+				v.Elem().Field(t.idx).Set(reflect.Append(slice, vv))
+			}
+		}
+	}
+	if diags.HasErrors() {
+		return nil, diags
+	}
+
+	for k := range p.attrs {
+		if err := p.resolveValue(p.ectx, k); err != nil {
+			if diags, ok := err.(hcl.Diagnostics); ok {
+				return nil, diags
+			}
+			return nil, wrapErrorDiagnostic("Invalid attribute", err, &p.attrs[k].Range, &p.attrs[k].Range)
+		}
+	}
+
+	return renamed, nil
+}
+
+// wrapErrorDiagnostic wraps an error into a hcl.Diagnostics object.
+// If the error is already an hcl.Diagnostics object, it is returned as is.
+func wrapErrorDiagnostic(message string, err error, subject *hcl.Range, context *hcl.Range) hcl.Diagnostics {
+	switch err := err.(type) {
+	case *hcl.Diagnostic:
+		return hcl.Diagnostics{err}
+	case hcl.Diagnostics:
+		return err
+	default:
+		return hcl.Diagnostics{
+			&hcl.Diagnostic{
+				Severity: hcl.DiagError,
+				Summary:  message,
+				Detail:   err.Error(),
+				Subject:  subject,
+				Context:  context,
+			},
+		}
+	}
+}
+
+func setName(v reflect.Value, name string) {
+	numFields := v.Elem().Type().NumField()
+	for i := 0; i < numFields; i++ {
+		parts := strings.Split(v.Elem().Type().Field(i).Tag.Get("hcl"), ",")
+		for _, t := range parts[1:] {
+			if t == "label" {
+				v.Elem().Field(i).Set(reflect.ValueOf(name))
+			}
+		}
+	}
+}
+
+func getName(v reflect.Value) (string, bool) {
+	numFields := v.Elem().Type().NumField()
+	for i := 0; i < numFields; i++ {
+		parts := strings.Split(v.Elem().Type().Field(i).Tag.Get("hcl"), ",")
+		for _, t := range parts[1:] {
+			if t == "label" {
+				return v.Elem().Field(i).String(), true
+			}
+		}
+	}
+	return "", false
+}
+
+func getNameIndex(v reflect.Value) (int, bool) {
+	numFields := v.Elem().Type().NumField()
+	for i := 0; i < numFields; i++ {
+		parts := strings.Split(v.Elem().Type().Field(i).Tag.Get("hcl"), ",")
+		for _, t := range parts[1:] {
+			if t == "label" {
+				return i, true
+			}
+		}
+	}
+	return 0, false
+}
+
+func removeAttributesDiags(diags hcl.Diagnostics, reserved map[string]struct{}, vars map[string]*variable) hcl.Diagnostics {
+	var fdiags hcl.Diagnostics
+	for _, d := range diags {
+		if fout := func(d *hcl.Diagnostic) bool {
+			// https://github.com/docker/buildx/pull/541
+			if d.Detail == "Blocks are not allowed here." {
+				return true
+			}
+			for r := range reserved {
+				// JSON body objects don't handle repeated blocks like HCL but
+				// reserved name attributes should be allowed when multi bodies are merged.
+				// https://github.com/hashicorp/hcl/blob/main/json/spec.md#blocks
+				if strings.HasPrefix(d.Detail, fmt.Sprintf(`Argument "%s" was already set at `, r)) {
+					return true
+				}
+			}
+			for v := range vars {
+				// Do the same for global variables
+				if strings.HasPrefix(d.Detail, fmt.Sprintf(`Argument "%s" was already set at `, v)) {
+					return true
+				}
+			}
+			return false
+		}(d); !fout {
+			fdiags = append(fdiags, d)
+		}
+	}
+	return fdiags
+}
+
+// key returns a unique hash for the given values
+func key(ks ...any) uint64 {
+	hash := fnv.New64a()
+	for _, k := range ks {
+		v := reflect.ValueOf(k)
+		switch v.Kind() {
+		case reflect.String:
+			hash.Write([]byte(v.String()))
+		case reflect.Pointer:
+			ptr := reflect.ValueOf(k).Pointer()
+			binary.Write(hash, binary.LittleEndian, uint64(ptr))
+		default:
+			panic(fmt.Sprintf("unknown key kind %s", v.Kind().String()))
+		}
+	}
+	return hash.Sum64()
+}

bake/hclparser/stdlib.go

@@ -0,0 +1,135 @@
+package hclparser
+
+import (
+	"time"
+
+	"github.com/hashicorp/go-cty-funcs/cidr"
+	"github.com/hashicorp/go-cty-funcs/crypto"
+	"github.com/hashicorp/go-cty-funcs/encoding"
+	"github.com/hashicorp/go-cty-funcs/uuid"
+	"github.com/hashicorp/hcl/v2/ext/tryfunc"
+	"github.com/hashicorp/hcl/v2/ext/typeexpr"
+	"github.com/zclconf/go-cty/cty"
+	"github.com/zclconf/go-cty/cty/function"
+	"github.com/zclconf/go-cty/cty/function/stdlib"
+)
+
+var stdlibFunctions = map[string]function.Function{
+	"absolute":               stdlib.AbsoluteFunc,
+	"add":                    stdlib.AddFunc,
+	"and":                    stdlib.AndFunc,
+	"base64decode":           encoding.Base64DecodeFunc,
+	"base64encode":           encoding.Base64EncodeFunc,
+	"bcrypt":                 crypto.BcryptFunc,
+	"byteslen":               stdlib.BytesLenFunc,
+	"bytesslice":             stdlib.BytesSliceFunc,
+	"can":                    tryfunc.CanFunc,
+	"ceil":                   stdlib.CeilFunc,
+	"chomp":                  stdlib.ChompFunc,
+	"chunklist":              stdlib.ChunklistFunc,
+	"cidrhost":               cidr.HostFunc,
+	"cidrnetmask":            cidr.NetmaskFunc,
+	"cidrsubnet":             cidr.SubnetFunc,
+	"cidrsubnets":            cidr.SubnetsFunc,
+	"coalesce":               stdlib.CoalesceFunc,
+	"coalescelist":           stdlib.CoalesceListFunc,
+	"compact":                stdlib.CompactFunc,
+	"concat":                 stdlib.ConcatFunc,
+	"contains":               stdlib.ContainsFunc,
+	"convert":                typeexpr.ConvertFunc,
+	"csvdecode":              stdlib.CSVDecodeFunc,
+	"distinct":               stdlib.DistinctFunc,
+	"divide":                 stdlib.DivideFunc,
+	"element":                stdlib.ElementFunc,
+	"equal":                  stdlib.EqualFunc,
+	"flatten":                stdlib.FlattenFunc,
+	"floor":                  stdlib.FloorFunc,
+	"format":                 stdlib.FormatFunc,
+	"formatdate":             stdlib.FormatDateFunc,
+	"formatlist":             stdlib.FormatListFunc,
+	"greaterthan":            stdlib.GreaterThanFunc,
+	"greaterthanorequalto":   stdlib.GreaterThanOrEqualToFunc,
+	"hasindex":               stdlib.HasIndexFunc,
+	"indent":                 stdlib.IndentFunc,
+	"index":                  stdlib.IndexFunc,
+	"int":                    stdlib.IntFunc,
+	"join":                   stdlib.JoinFunc,
+	"jsondecode":             stdlib.JSONDecodeFunc,
+	"jsonencode":             stdlib.JSONEncodeFunc,
+	"keys":                   stdlib.KeysFunc,
+	"length":                 stdlib.LengthFunc,
+	"lessthan":               stdlib.LessThanFunc,
+	"lessthanorequalto":      stdlib.LessThanOrEqualToFunc,
+	"log":                    stdlib.LogFunc,
+	"lookup":                 stdlib.LookupFunc,
+	"lower":                  stdlib.LowerFunc,
+	"max":                    stdlib.MaxFunc,
+	"md5":                    crypto.Md5Func,
+	"merge":                  stdlib.MergeFunc,
+	"min":                    stdlib.MinFunc,
+	"modulo":                 stdlib.ModuloFunc,
+	"multiply":               stdlib.MultiplyFunc,
+	"negate":                 stdlib.NegateFunc,
+	"not":                    stdlib.NotFunc,
+	"notequal":               stdlib.NotEqualFunc,
+	"or":                     stdlib.OrFunc,
+	"parseint":               stdlib.ParseIntFunc,
+	"pow":                    stdlib.PowFunc,
+	"range":                  stdlib.RangeFunc,
+	"regex_replace":          stdlib.RegexReplaceFunc,
+	"regex":                  stdlib.RegexFunc,
+	"regexall":               stdlib.RegexAllFunc,
+	"replace":                stdlib.ReplaceFunc,
+	"reverse":                stdlib.ReverseFunc,
+	"reverselist":            stdlib.ReverseListFunc,
+	"rsadecrypt":             crypto.RsaDecryptFunc,
+	"sethaselement":          stdlib.SetHasElementFunc,
+	"setintersection":        stdlib.SetIntersectionFunc,
+	"setproduct":             stdlib.SetProductFunc,
+	"setsubtract":            stdlib.SetSubtractFunc,
+	"setsymmetricdifference": stdlib.SetSymmetricDifferenceFunc,
+	"setunion":               stdlib.SetUnionFunc,
+	"sha1":                   crypto.Sha1Func,
+	"sha256":                 crypto.Sha256Func,
+	"sha512":                 crypto.Sha512Func,
+	"signum":                 stdlib.SignumFunc,
+	"slice":                  stdlib.SliceFunc,
+	"sort":                   stdlib.SortFunc,
+	"split":                  stdlib.SplitFunc,
+	"strlen":                 stdlib.StrlenFunc,
+	"substr":                 stdlib.SubstrFunc,
+	"subtract":               stdlib.SubtractFunc,
+	"timeadd":                stdlib.TimeAddFunc,
+	"timestamp":              timestampFunc,
+	"title":                  stdlib.TitleFunc,
+	"trim":                   stdlib.TrimFunc,
+	"trimprefix":             stdlib.TrimPrefixFunc,
+	"trimspace":              stdlib.TrimSpaceFunc,
+	"trimsuffix":             stdlib.TrimSuffixFunc,
+	"try":                    tryfunc.TryFunc,
+	"upper":                  stdlib.UpperFunc,
+	"urlencode":              encoding.URLEncodeFunc,
+	"uuidv4":                 uuid.V4Func,
+	"uuidv5":                 uuid.V5Func,
+	"values":                 stdlib.ValuesFunc,
+	"zipmap":                 stdlib.ZipmapFunc,
+}
+
+// timestampFunc constructs a function that returns a string representation of the current date and time.
+//
+// This function was imported from terraform's datetime utilities.
+var timestampFunc = function.New(&function.Spec{
+	Params: []function.Parameter{},
+	Type:   function.StaticReturnType(cty.String),
+	Impl: func(args []cty.Value, retType cty.Type) (cty.Value, error) {
+		return cty.StringVal(time.Now().UTC().Format(time.RFC3339)), nil
+	},
+})
+
+func Stdlib() map[string]function.Function {
+	funcs := make(map[string]function.Function, len(stdlibFunctions))
+	for k, v := range stdlibFunctions {
+		funcs[k] = v
+	}
+	return funcs
+}

bake/remote.go

@@ -4,14 +4,16 @@ import (
 	"archive/tar"
 	"bytes"
 	"context"
-	"strings"
 
-	"github.com/docker/buildx/build"
+	"github.com/docker/buildx/builder"
+	controllerapi "github.com/docker/buildx/controller/pb"
 	"github.com/docker/buildx/driver"
 	"github.com/docker/buildx/util/progress"
 	"github.com/moby/buildkit/client"
 	"github.com/moby/buildkit/client/llb"
+	"github.com/moby/buildkit/frontend/dockerui"
 	gwclient "github.com/moby/buildkit/frontend/gateway/client"
+	"github.com/moby/buildkit/session"
 	"github.com/pkg/errors"
 )
 
@@ -20,10 +22,17 @@ type Input struct {
 	URL   string
 }
 
-func ReadRemoteFiles(ctx context.Context, dis []build.DriverInfo, url string, names []string, pw progress.Writer) ([]File, *Input, error) {
-	st, filename, ok := detectHttpContext(url)
-	if !ok {
-		st, ok = detectGitContext(url)
+func ReadRemoteFiles(ctx context.Context, nodes []builder.Node, url string, names []string, pw progress.Writer) ([]File, *Input, error) {
+	var session []session.Attachable
+	var filename string
+	st, ok := dockerui.DetectGitContext(url, false)
+	if ok {
+		ssh, err := controllerapi.CreateSSH([]*controllerapi.SSH{{ID: "default"}})
+		if err == nil {
+			session = append(session, ssh)
+		}
+	} else {
+		st, filename, ok = dockerui.DetectHTTPContext(url)
 		if !ok {
 			return nil, nil, errors.Errorf("not url context")
 		}
@@ -32,25 +41,25 @@ func ReadRemoteFiles(ctx context.Context, dis []build.DriverInfo, url string, na
 	inp := &Input{State: st, URL: url}
 	var files []File
 
-	var di *build.DriverInfo
-	for _, d := range dis {
-		if d.Err == nil {
-			di = &d
+	var node *builder.Node
+	for i, n := range nodes {
+		if n.Err == nil {
+			node = &nodes[i]
 			continue
 		}
 	}
-	if di == nil {
+	if node == nil {
 		return nil, nil, nil
 	}
 
-	c, err := driver.Boot(ctx, di.Driver, pw)
+	c, err := driver.Boot(ctx, ctx, node.Driver, pw)
 	if err != nil {
 		return nil, nil, err
 	}
 
 	ch, done := progress.NewChannel(pw)
 	defer func() { <-done }()
-	_, err = c.Build(ctx, client.SolveOpt{}, "buildx", func(ctx context.Context, c gwclient.Client) (*gwclient.Result, error) {
+	_, err = c.Build(ctx, client.SolveOpt{Session: session}, "buildx", func(ctx context.Context, c gwclient.Client) (*gwclient.Result, error) {
 		def, err := st.Marshal(ctx)
 		if err != nil {
 			return nil, err
@@ -82,51 +91,6 @@ func ReadRemoteFiles(ctx context.Context, dis []build.DriverInfo, url string, na
 	return files, inp, nil
 }
 
-func IsRemoteURL(url string) bool {
-	if _, _, ok := detectHttpContext(url); ok {
-		return true
-	}
-	if _, ok := detectGitContext(url); ok {
-		return true
-	}
-	return false
-}
-
-func detectHttpContext(url string) (*llb.State, string, bool) {
-	if httpPrefix.MatchString(url) {
-		httpContext := llb.HTTP(url, llb.Filename("context"), llb.WithCustomName("[internal] load remote build context"))
-		return &httpContext, "context", true
-	}
-	return nil, "", false
-}
-
-func detectGitContext(ref string) (*llb.State, bool) {
-	found := false
-	if httpPrefix.MatchString(ref) && gitURLPathWithFragmentSuffix.MatchString(ref) {
-		found = true
-	}
-
-	for _, prefix := range []string{"git://", "github.com/", "git@"} {
-		if strings.HasPrefix(ref, prefix) {
-			found = true
-			break
-		}
-	}
-	if !found {
-		return nil, false
-	}
-
-	parts := strings.SplitN(ref, "#", 2)
-	branch := ""
-	if len(parts) > 1 {
-		branch = parts[1]
-	}
-	gitOpts := []llb.GitOption{llb.WithCustomName("[internal] load git source " + ref)}
-
-	st := llb.Git(parts[0], branch, gitOpts...)
-	return &st, true
-}
-
 func isArchive(header []byte) bool {
 	for _, m := range [][]byte{
 		{0x42, 0x5A, 0x68},                   // bzip2

build/cache.go

@@ -1,60 +0,0 @@
-package build
-
-import (
-	"encoding/csv"
-	"strings"
-
-	"github.com/moby/buildkit/client"
-	"github.com/pkg/errors"
-)
-
-func ParseCacheEntry(in []string) ([]client.CacheOptionsEntry, error) {
-	imports := make([]client.CacheOptionsEntry, 0, len(in))
-	for _, in := range in {
-		csvReader := csv.NewReader(strings.NewReader(in))
-		fields, err := csvReader.Read()
-		if err != nil {
-			return nil, err
-		}
-		if isRefOnlyFormat(fields) {
-			for _, field := range fields {
-				imports = append(imports, client.CacheOptionsEntry{
-					Type:  "registry",
-					Attrs: map[string]string{"ref": field},
-				})
-			}
-			continue
-		}
-		im := client.CacheOptionsEntry{
-			Attrs: map[string]string{},
-		}
-		for _, field := range fields {
-			parts := strings.SplitN(field, "=", 2)
-			if len(parts) != 2 {
-				return nil, errors.Errorf("invalid value %s", field)
-			}
-			key := strings.ToLower(parts[0])
-			value := parts[1]
-			switch key {
-			case "type":
-				im.Type = value
-			default:
-				im.Attrs[key] = value
-			}
-		}
-		if im.Type == "" {
-			return nil, errors.Errorf("type required form> %q", in)
-		}
-		imports = append(imports, im)
-	}
-	return imports, nil
-}
-
-func isRefOnlyFormat(in []string) bool {
-	for _, v := range in {
-		if strings.Contains(v, "=") {
-			return false
-		}
-	}
-	return true
-}

build/git.go

@@ -0,0 +1,115 @@
+package build
+
+import (
+	"context"
+	"os"
+	"path"
+	"path/filepath"
+	"strconv"
+	"strings"
+
+	"github.com/docker/buildx/util/gitutil"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+)
+
+const DockerfileLabel = "com.docker.image.source.entrypoint"
+
+func getGitAttributes(ctx context.Context, contextPath string, dockerfilePath string) (res map[string]string, _ error) {
+	res = make(map[string]string)
+	if contextPath == "" {
+		return
+	}
+
+	setGitLabels := false
+	if v, ok := os.LookupEnv("BUILDX_GIT_LABELS"); ok {
+		if v == "full" { // backward compatibility with old "full" mode
+			setGitLabels = true
+		} else if v, err := strconv.ParseBool(v); err == nil {
+			setGitLabels = v
+		}
+	}
+	setGitInfo := true
+	if v, ok := os.LookupEnv("BUILDX_GIT_INFO"); ok {
+		if v, err := strconv.ParseBool(v); err == nil {
+			setGitInfo = v
+		}
+	}
+
+	if !setGitLabels && !setGitInfo {
+		return
+	}
+
+	// figure out in which directory the git command needs to run in
+	var wd string
+	if filepath.IsAbs(contextPath) {
+		wd = contextPath
+	} else {
+		cwd, _ := os.Getwd()
+		wd, _ = filepath.Abs(filepath.Join(cwd, contextPath))
+	}
+
+	gitc, err := gitutil.New(gitutil.WithContext(ctx), gitutil.WithWorkingDir(wd))
+	if err != nil {
+		if st, err := os.Stat(path.Join(wd, ".git")); err == nil && st.IsDir() {
+			return res, errors.New("buildx: git was not found in the system. Current commit information was not captured by the build")
+		}
+		return
+	}
+
+	if !gitc.IsInsideWorkTree() {
+		if st, err := os.Stat(path.Join(wd, ".git")); err == nil && st.IsDir() {
+			return res, errors.New("buildx: failed to read current commit information with git rev-parse --is-inside-work-tree")
+		}
+		return res, nil
+	}
+
+	if sha, err := gitc.FullCommit(); err != nil && !gitutil.IsUnknownRevision(err) {
+		return res, errors.Wrapf(err, "buildx: failed to get git commit")
+	} else if sha != "" {
+		checkDirty := false
+		if v, ok := os.LookupEnv("BUILDX_GIT_CHECK_DIRTY"); ok {
+			if v, err := strconv.ParseBool(v); err == nil {
+				checkDirty = v
+			}
+		}
+		if checkDirty && gitc.IsDirty() {
+			sha += "-dirty"
+		}
+		if setGitLabels {
+			res["label:"+specs.AnnotationRevision] = sha
+		}
+		if setGitInfo {
+			res["vcs:revision"] = sha
+		}
+	}
+
+	if rurl, err := gitc.RemoteURL(); err == nil && rurl != "" {
+		if setGitLabels {
+			res["label:"+specs.AnnotationSource] = rurl
+		}
+		if setGitInfo {
+			res["vcs:source"] = rurl
+		}
+	}
+
+	if setGitLabels {
+		if root, err := gitc.RootDir(); err != nil {
+			return res, errors.Wrapf(err, "buildx: failed to get git root dir")
+		} else if root != "" {
+			if dockerfilePath == "" {
+				dockerfilePath = filepath.Join(wd, "Dockerfile")
+			}
+			if !filepath.IsAbs(dockerfilePath) {
+				cwd, _ := os.Getwd()
+				dockerfilePath = filepath.Join(cwd, dockerfilePath)
+			}
+			dockerfilePath, _ = filepath.Rel(root, dockerfilePath)
+			if !strings.HasPrefix(dockerfilePath, "..") {
+				res["label:"+DockerfileLabel] = dockerfilePath
+			}
+		}
+	}
+
+	return
+}

build/git_test.go

@@ -0,0 +1,156 @@
+package build
+
+import (
+	"context"
+	"os"
+	"path"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/docker/buildx/util/gitutil"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func setupTest(tb testing.TB) {
+	gitutil.Mktmp(tb)
+
+	c, err := gitutil.New()
+	require.NoError(tb, err)
+	gitutil.GitInit(c, tb)
+
+	df := []byte("FROM alpine:latest\n")
+	assert.NoError(tb, os.WriteFile("Dockerfile", df, 0644))
+
+	gitutil.GitAdd(c, tb, "Dockerfile")
+	gitutil.GitCommit(c, tb, "initial commit")
+	gitutil.GitSetRemote(c, tb, "origin", "git@github.com:docker/buildx.git")
+}
+
+func TestGetGitAttributesNotGitRepo(t *testing.T) {
+	_, err := getGitAttributes(context.Background(), t.TempDir(), "Dockerfile")
+	assert.NoError(t, err)
+}
+
+func TestGetGitAttributesBadGitRepo(t *testing.T) {
+	tmp := t.TempDir()
+	require.NoError(t, os.MkdirAll(path.Join(tmp, ".git"), 0755))
+
+	_, err := getGitAttributes(context.Background(), tmp, "Dockerfile")
+	assert.Error(t, err)
+}
+
+func TestGetGitAttributesNoContext(t *testing.T) {
+	setupTest(t)
+
+	gitattrs, err := getGitAttributes(context.Background(), "", "Dockerfile")
+	assert.NoError(t, err)
+	assert.Empty(t, gitattrs)
+}
+
+func TestGetGitAttributes(t *testing.T) {
+	cases := []struct {
+		name         string
+		envGitLabels string
+		envGitInfo   string
+		expected     []string
+	}{
+		{
+			name:         "default",
+			envGitLabels: "",
+			envGitInfo:   "",
+			expected: []string{
+				"vcs:revision",
+				"vcs:source",
+			},
+		},
+		{
+			name:         "none",
+			envGitLabels: "false",
+			envGitInfo:   "false",
+			expected:     []string{},
+		},
+		{
+			name:         "gitinfo",
+			envGitLabels: "false",
+			envGitInfo:   "true",
+			expected: []string{
+				"vcs:revision",
+				"vcs:source",
+			},
+		},
+		{
+			name:         "gitlabels",
+			envGitLabels: "true",
+			envGitInfo:   "false",
+			expected: []string{
+				"label:" + DockerfileLabel,
+				"label:" + specs.AnnotationRevision,
+				"label:" + specs.AnnotationSource,
+			},
+		},
+		{
+			name:         "both",
+			envGitLabels: "true",
+			envGitInfo:   "",
+			expected: []string{
+				"label:" + DockerfileLabel,
+				"label:" + specs.AnnotationRevision,
+				"label:" + specs.AnnotationSource,
+				"vcs:revision",
+				"vcs:source",
+			},
+		},
+	}
+	for _, tt := range cases {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			setupTest(t)
+			if tt.envGitLabels != "" {
+				t.Setenv("BUILDX_GIT_LABELS", tt.envGitLabels)
+			}
+			if tt.envGitInfo != "" {
+				t.Setenv("BUILDX_GIT_INFO", tt.envGitInfo)
+			}
+			gitattrs, err := getGitAttributes(context.Background(), ".", "Dockerfile")
+			require.NoError(t, err)
+			for _, e := range tt.expected {
+				assert.Contains(t, gitattrs, e)
+				assert.NotEmpty(t, gitattrs[e])
+				if e == "label:"+DockerfileLabel {
+					assert.Equal(t, "Dockerfile", gitattrs[e])
+				} else if e == "label:"+specs.AnnotationSource || e == "vcs:source" {
+					assert.Equal(t, "git@github.com:docker/buildx.git", gitattrs[e])
+				}
+			}
+		})
+	}
+}
+
+func TestGetGitAttributesDirty(t *testing.T) {
+	setupTest(t)
+	t.Setenv("BUILDX_GIT_CHECK_DIRTY", "true")
+
+	// make a change to test dirty flag
+	df := []byte("FROM alpine:edge\n")
+	require.NoError(t, os.Mkdir("dir", 0755))
+	require.NoError(t, os.WriteFile(filepath.Join("dir", "Dockerfile"), df, 0644))
+
+	t.Setenv("BUILDX_GIT_LABELS", "true")
+	gitattrs, _ := getGitAttributes(context.Background(), ".", "Dockerfile")
+	assert.Equal(t, 5, len(gitattrs))
+
+	assert.Contains(t, gitattrs, "label:"+DockerfileLabel)
+	assert.Equal(t, "Dockerfile", gitattrs["label:"+DockerfileLabel])
+	assert.Contains(t, gitattrs, "label:"+specs.AnnotationSource)
+	assert.Equal(t, "git@github.com:docker/buildx.git", gitattrs["label:"+specs.AnnotationSource])
+	assert.Contains(t, gitattrs, "label:"+specs.AnnotationRevision)
+	assert.True(t, strings.HasSuffix(gitattrs["label:"+specs.AnnotationRevision], "-dirty"))
+
+	assert.Contains(t, gitattrs, "vcs:source")
+	assert.Equal(t, "git@github.com:docker/buildx.git", gitattrs["vcs:source"])
+	assert.Contains(t, gitattrs, "vcs:revision")
+	assert.True(t, strings.HasSuffix(gitattrs["vcs:revision"], "-dirty"))
+}

build/invoke.go

@@ -0,0 +1,138 @@
+package build
+
+import (
+	"context"
+	_ "crypto/sha256" // ensure digests can be computed
+	"io"
+	"sync"
+	"sync/atomic"
+	"syscall"
+
+	controllerapi "github.com/docker/buildx/controller/pb"
+	gateway "github.com/moby/buildkit/frontend/gateway/client"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+type Container struct {
+	cancelOnce      sync.Once
+	containerCancel func()
+	isUnavailable   atomic.Bool
+	initStarted     atomic.Bool
+	container       gateway.Container
+	releaseCh       chan struct{}
+	resultCtx       *ResultHandle
+}
+
+func NewContainer(ctx context.Context, resultCtx *ResultHandle, cfg *controllerapi.InvokeConfig) (*Container, error) {
+	mainCtx := ctx
+
+	ctrCh := make(chan *Container)
+	errCh := make(chan error)
+	go func() {
+		err := resultCtx.build(func(ctx context.Context, c gateway.Client) (*gateway.Result, error) {
+			ctx, cancel := context.WithCancel(ctx)
+			go func() {
+				<-mainCtx.Done()
+				cancel()
+			}()
+
+			containerCfg, err := resultCtx.getContainerConfig(ctx, c, cfg)
+			if err != nil {
+				return nil, err
+			}
+			containerCtx, containerCancel := context.WithCancel(ctx)
+			defer containerCancel()
+			bkContainer, err := c.NewContainer(containerCtx, containerCfg)
+			if err != nil {
+				return nil, err
+			}
+			releaseCh := make(chan struct{})
+			container := &Container{
+				containerCancel: containerCancel,
+				container:       bkContainer,
+				releaseCh:       releaseCh,
+				resultCtx:       resultCtx,
+			}
+			doneCh := make(chan struct{})
+			defer close(doneCh)
+			resultCtx.registerCleanup(func() {
+				container.Cancel()
+				<-doneCh
+			})
+			ctrCh <- container
+			<-container.releaseCh
+
+			return nil, bkContainer.Release(ctx)
+		})
+		if err != nil {
+			errCh <- err
+		}
+	}()
+	select {
+	case ctr := <-ctrCh:
+		return ctr, nil
+	case err := <-errCh:
+		return nil, err
+	case <-mainCtx.Done():
+		return nil, mainCtx.Err()
+	}
+}
+
+func (c *Container) Cancel() {
+	c.markUnavailable()
+	c.cancelOnce.Do(func() {
+		if c.containerCancel != nil {
+			c.containerCancel()
+		}
+		close(c.releaseCh)
+	})
+}
+
+func (c *Container) IsUnavailable() bool {
+	return c.isUnavailable.Load()
+}
+
+func (c *Container) markUnavailable() {
+	c.isUnavailable.Store(true)
+}
+
+func (c *Container) Exec(ctx context.Context, cfg *controllerapi.InvokeConfig, stdin io.ReadCloser, stdout io.WriteCloser, stderr io.WriteCloser) error {
+	if isInit := c.initStarted.CompareAndSwap(false, true); isInit {
+		defer func() {
+			// container can't be used after init exits
+			c.markUnavailable()
+		}()
+	}
+	err := exec(ctx, c.resultCtx, cfg, c.container, stdin, stdout, stderr)
+	if err != nil {
+		// Container becomes unavailable if one of the processes fails in it.
+		c.markUnavailable()
+	}
+	return err
+}
+
+func exec(ctx context.Context, resultCtx *ResultHandle, cfg *controllerapi.InvokeConfig, ctr gateway.Container, stdin io.ReadCloser, stdout io.WriteCloser, stderr io.WriteCloser) error {
+	processCfg, err := resultCtx.getProcessConfig(cfg, stdin, stdout, stderr)
+	if err != nil {
+		return err
+	}
+	proc, err := ctr.Start(ctx, processCfg)
+	if err != nil {
+		return errors.Errorf("failed to start container: %v", err)
+	}
+
+	doneCh := make(chan struct{})
+	defer close(doneCh)
+	go func() {
+		select {
+		case <-ctx.Done():
+			if err := proc.Signal(ctx, syscall.SIGKILL); err != nil {
+				logrus.Warnf("failed to kill process: %v", err)
+			}
+		case <-doneCh:
+		}
+	}()
+
+	return proc.Wait()
+}

build/output.go

@@ -1,115 +0,0 @@
-package build
-
-import (
-	"encoding/csv"
-	"io"
-	"os"
-	"strings"
-
-	"github.com/containerd/console"
-	"github.com/moby/buildkit/client"
-	"github.com/pkg/errors"
-)
-
-func ParseOutputs(inp []string) ([]client.ExportEntry, error) {
-	var outs []client.ExportEntry
-	if len(inp) == 0 {
-		return nil, nil
-	}
-	for _, s := range inp {
-		csvReader := csv.NewReader(strings.NewReader(s))
-		fields, err := csvReader.Read()
-		if err != nil {
-			return nil, err
-		}
-
-		out := client.ExportEntry{
-			Attrs: map[string]string{},
-		}
-		if len(fields) == 1 && fields[0] == s && !strings.HasPrefix(s, "type=") {
-			if s != "-" {
-				outs = append(outs, client.ExportEntry{
-					Type:      client.ExporterLocal,
-					OutputDir: s,
-				})
-				continue
-			}
-			out = client.ExportEntry{
-				Type: client.ExporterTar,
-				Attrs: map[string]string{
-					"dest": s,
-				},
-			}
-		}
-
-		if out.Type == "" {
-			for _, field := range fields {
-				parts := strings.SplitN(field, "=", 2)
-				if len(parts) != 2 {
-					return nil, errors.Errorf("invalid value %s", field)
-				}
-				key := strings.TrimSpace(strings.ToLower(parts[0]))
-				value := parts[1]
-				switch key {
-				case "type":
-					out.Type = value
-				default:
-					out.Attrs[key] = value
-				}
-			}
-		}
-		if out.Type == "" {
-			return nil, errors.Errorf("type is required for output")
-		}
-
-		// handle client side
-		switch out.Type {
-		case client.ExporterLocal:
-			dest, ok := out.Attrs["dest"]
-			if !ok {
-				return nil, errors.Errorf("dest is required for local output")
-			}
-			out.OutputDir = dest
-			delete(out.Attrs, "dest")
-		case client.ExporterOCI, client.ExporterDocker, client.ExporterTar:
-			dest, ok := out.Attrs["dest"]
-			if !ok {
-				if out.Type != client.ExporterDocker {
-					dest = "-"
-				}
-			}
-			if dest == "-" {
-				if _, err := console.ConsoleFromFile(os.Stdout); err == nil {
-					return nil, errors.Errorf("output file is required for %s exporter. refusing to write to console", out.Type)
-				}
-				out.Output = wrapWriteCloser(os.Stdout)
-			} else if dest != "" {
-				fi, err := os.Stat(dest)
-				if err != nil && !os.IsNotExist(err) {
-					return nil, errors.Wrapf(err, "invalid destination file: %s", dest)
-				}
-				if err == nil && fi.IsDir() {
-					return nil, errors.Errorf("destination file %s is a directory", dest)
-				}
-				f, err := os.Create(dest)
-				if err != nil {
-					return nil, errors.Errorf("failed to open %s", err)
-				}
-				out.Output = wrapWriteCloser(f)
-			}
-			delete(out.Attrs, "dest")
-		case "registry":
-			out.Type = client.ExporterImage
-			out.Attrs["push"] = "true"
-		}
-
-		outs = append(outs, out)
-	}
-	return outs, nil
-}
-
-func wrapWriteCloser(wc io.WriteCloser) func(map[string]string) (io.WriteCloser, error) {
-	return func(map[string]string) (io.WriteCloser, error) {
-		return wc, nil
-	}
-}

build/result.go

@@ -0,0 +1,494 @@
+package build
+
+import (
+	"context"
+	_ "crypto/sha256" // ensure digests can be computed
+	"encoding/json"
+	"io"
+	"sync"
+
+	controllerapi "github.com/docker/buildx/controller/pb"
+	"github.com/moby/buildkit/client"
+	"github.com/moby/buildkit/exporter/containerimage/exptypes"
+	gateway "github.com/moby/buildkit/frontend/gateway/client"
+	"github.com/moby/buildkit/solver/errdefs"
+	"github.com/moby/buildkit/solver/pb"
+	"github.com/moby/buildkit/solver/result"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sync/errgroup"
+)
+
+// NewResultHandle makes a call to client.Build, additionally returning a
+// opaque ResultHandle alongside the standard response and error.
+//
+// This ResultHandle can be used to execute additional build steps in the same
+// context as the build occurred, which can allow easy debugging of build
+// failures and successes.
+//
+// If the returned ResultHandle is not nil, the caller must call Done() on it.
+func NewResultHandle(ctx context.Context, cc *client.Client, opt client.SolveOpt, product string, buildFunc gateway.BuildFunc, ch chan *client.SolveStatus) (*ResultHandle, *client.SolveResponse, error) {
+	// Create a new context to wrap the original, and cancel it when the
+	// caller-provided context is cancelled.
+	//
+	// We derive the context from the background context so that we can forbid
+	// cancellation of the build request after <-done is closed (which we do
+	// before returning the ResultHandle).
+	baseCtx := ctx
+	ctx, cancel := context.WithCancelCause(context.Background())
+	done := make(chan struct{})
+	go func() {
+		select {
+		case <-baseCtx.Done():
+			cancel(baseCtx.Err())
+		case <-done:
+			// Once done is closed, we've recorded a ResultHandle, so we
+			// shouldn't allow cancelling the underlying build request anymore.
+		}
+	}()
+
+	// Create a new channel to forward status messages to the original.
+	//
+	// We do this so that we can discard status messages after the main portion
+	// of the build is complete. This is necessary for the solve error case,
+	// where the original gateway is kept open until the ResultHandle is
+	// closed - we don't want progress messages from operations in that
+	// ResultHandle to display after this function exits.
+	//
+	// Additionally, callers should wait for the progress channel to be closed.
+	// If we keep the session open and never close the progress channel, the
+	// caller will likely hang.
+	baseCh := ch
+	ch = make(chan *client.SolveStatus)
+	go func() {
+		for {
+			s, ok := <-ch
+			if !ok {
+				return
+			}
+			select {
+			case <-baseCh:
+				// base channel is closed, discard status messages
+			default:
+				baseCh <- s
+			}
+		}
+	}()
+	defer close(baseCh)
+
+	var resp *client.SolveResponse
+	var respErr error
+	var respHandle *ResultHandle
+
+	go func() {
+		defer cancel(context.Canceled) // ensure no dangling processes
+
+		var res *gateway.Result
+		var err error
+		resp, err = cc.Build(ctx, opt, product, func(ctx context.Context, c gateway.Client) (*gateway.Result, error) {
+			var err error
+			res, err = buildFunc(ctx, c)
+
+			if res != nil && err == nil {
+				// Force evaluation of the build result (otherwise, we likely
+				// won't get a solve error)
+				def, err2 := getDefinition(ctx, res)
+				if err2 != nil {
+					return nil, err2
+				}
+				res, err = evalDefinition(ctx, c, def)
+			}
+
+			if err != nil {
+				// Scenario 1: we failed to evaluate a node somewhere in the
+				// build graph.
+				//
+				// In this case, we construct a ResultHandle from this
+				// original Build session, and return it alongside the original
+				// build error. We then need to keep the gateway session open
+				// until the caller explicitly closes the ResultHandle.
+
+				var se *errdefs.SolveError
+				if errors.As(err, &se) {
+					respHandle = &ResultHandle{
+						done:     make(chan struct{}),
+						solveErr: se,
+						gwClient: c,
+						gwCtx:    ctx,
+					}
+					respErr = se
+					close(done)
+
+					// Block until the caller closes the ResultHandle.
+					select {
+					case <-respHandle.done:
+					case <-ctx.Done():
+					}
+				}
+			}
+			return res, err
+		}, ch)
+		if respHandle != nil {
+			return
+		}
+		if err != nil {
+			// Something unexpected failed during the build, we didn't succeed,
+			// but we also didn't make it far enough to create a ResultHandle.
+			respErr = err
+			close(done)
+			return
+		}
+
+		// Scenario 2: we successfully built the image with no errors.
+		//
+		// In this case, the original gateway session has now been closed
+		// since the Build has been completed. So, we need to create a new
+		// gateway session to populate the ResultHandle. To do this, we
+		// need to re-evaluate the target result, in this new session. This
+		// should be instantaneous since the result should be cached.
+
+		def, err := getDefinition(ctx, res)
+		if err != nil {
+			respErr = err
+			close(done)
+			return
+		}
+
+		// NOTE: ideally this second connection should be lazily opened
+		opt := opt
+		opt.Ref = ""
+		opt.Exports = nil
+		opt.CacheExports = nil
+		_, respErr = cc.Build(ctx, opt, "buildx", func(ctx context.Context, c gateway.Client) (*gateway.Result, error) {
+			res, err := evalDefinition(ctx, c, def)
+			if err != nil {
+				// This should probably not happen, since we've previously
+				// successfully evaluated the same result with no issues.
+				return nil, errors.Wrap(err, "inconsistent solve result")
+			}
+			respHandle = &ResultHandle{
+				done:     make(chan struct{}),
+				res:      res,
+				gwClient: c,
+				gwCtx:    ctx,
+			}
+			close(done)
+
+			// Block until the caller closes the ResultHandle.
+			select {
+			case <-respHandle.done:
+			case <-ctx.Done():
+			}
+			return nil, ctx.Err()
+		}, nil)
+		if respHandle != nil {
+			return
+		}
+		close(done)
+	}()
+
+	// Block until the other thread signals that it's completed the build.
+	select {
+	case <-done:
+	case <-baseCtx.Done():
+		if respErr == nil {
+			respErr = baseCtx.Err()
+		}
+	}
+	return respHandle, resp, respErr
+}
+
+// getDefinition converts a gateway result into a collection of definitions for
+// each ref in the result.
+func getDefinition(ctx context.Context, res *gateway.Result) (*result.Result[*pb.Definition], error) {
+	return result.ConvertResult(res, func(ref gateway.Reference) (*pb.Definition, error) {
+		st, err := ref.ToState()
+		if err != nil {
+			return nil, err
+		}
+		def, err := st.Marshal(ctx)
+		if err != nil {
+			return nil, err
+		}
+		return def.ToPB(), nil
+	})
+}
+
+// evalDefinition performs the reverse of getDefinition, converting a
+// collection of definitions into a gateway result.
+func evalDefinition(ctx context.Context, c gateway.Client, defs *result.Result[*pb.Definition]) (*gateway.Result, error) {
+	// force evaluation of all targets in parallel
+	results := make(map[*pb.Definition]*gateway.Result)
+	resultsMu := sync.Mutex{}
+	eg, egCtx := errgroup.WithContext(ctx)
+	defs.EachRef(func(def *pb.Definition) error {
+		eg.Go(func() error {
+			res, err := c.Solve(egCtx, gateway.SolveRequest{
+				Evaluate:   true,
+				Definition: def,
+			})
+			if err != nil {
+				return err
+			}
+			resultsMu.Lock()
+			results[def] = res
+			resultsMu.Unlock()
+			return nil
+		})
+		return nil
+	})
+	if err := eg.Wait(); err != nil {
+		return nil, err
+	}
+	res, _ := result.ConvertResult(defs, func(def *pb.Definition) (gateway.Reference, error) {
+		if res, ok := results[def]; ok {
+			return res.Ref, nil
+		}
+		return nil, nil
+	})
+	return res, nil
+}
+
+// ResultHandle is a build result with the client that built it.
+type ResultHandle struct {
+	res      *gateway.Result
+	solveErr *errdefs.SolveError
+
+	done     chan struct{}
+	doneOnce sync.Once
+
+	gwClient gateway.Client
+	gwCtx    context.Context
+
+	cleanups   []func()
+	cleanupsMu sync.Mutex
+}
+
+func (r *ResultHandle) Done() {
+	r.doneOnce.Do(func() {
+		r.cleanupsMu.Lock()
+		cleanups := r.cleanups
+		r.cleanups = nil
+		r.cleanupsMu.Unlock()
+		for _, f := range cleanups {
+			f()
+		}
+
+		close(r.done)
+		<-r.gwCtx.Done()
+	})
+}
+
+func (r *ResultHandle) registerCleanup(f func()) {
+	r.cleanupsMu.Lock()
+	r.cleanups = append(r.cleanups, f)
+	r.cleanupsMu.Unlock()
+}
+
+func (r *ResultHandle) build(buildFunc gateway.BuildFunc) (err error) {
+	_, err = buildFunc(r.gwCtx, r.gwClient)
+	return err
+}
+
+func (r *ResultHandle) getContainerConfig(ctx context.Context, c gateway.Client, cfg *controllerapi.InvokeConfig) (containerCfg gateway.NewContainerRequest, _ error) {
+	if r.res != nil && r.solveErr == nil {
+		logrus.Debugf("creating container from successful build")
+		ccfg, err := containerConfigFromResult(ctx, r.res, c, *cfg)
+		if err != nil {
+			return containerCfg, err
+		}
+		containerCfg = *ccfg
+	} else {
+		logrus.Debugf("creating container from failed build %+v", cfg)
+		ccfg, err := containerConfigFromError(r.solveErr, *cfg)
+		if err != nil {
+			return containerCfg, errors.Wrapf(err, "no result nor error is available")
+		}
+		containerCfg = *ccfg
+	}
+	return containerCfg, nil
+}
+
+func (r *ResultHandle) getProcessConfig(cfg *controllerapi.InvokeConfig, stdin io.ReadCloser, stdout io.WriteCloser, stderr io.WriteCloser) (_ gateway.StartRequest, err error) {
+	processCfg := newStartRequest(stdin, stdout, stderr)
+	if r.res != nil && r.solveErr == nil {
+		logrus.Debugf("creating container from successful build")
+		if err := populateProcessConfigFromResult(&processCfg, r.res, *cfg); err != nil {
+			return processCfg, err
+		}
+	} else {
+		logrus.Debugf("creating container from failed build %+v", cfg)
+		if err := populateProcessConfigFromError(&processCfg, r.solveErr, *cfg); err != nil {
+			return processCfg, err
+		}
+	}
+	return processCfg, nil
+}
+
+func containerConfigFromResult(ctx context.Context, res *gateway.Result, c gateway.Client, cfg controllerapi.InvokeConfig) (*gateway.NewContainerRequest, error) {
+	if cfg.Initial {
+		return nil, errors.Errorf("starting from the container from the initial state of the step is supported only on the failed steps")
+	}
+
+	ps, err := exptypes.ParsePlatforms(res.Metadata)
+	if err != nil {
+		return nil, err
+	}
+	ref, ok := res.FindRef(ps.Platforms[0].ID)
+	if !ok {
+		return nil, errors.Errorf("no reference found")
+	}
+
+	return &gateway.NewContainerRequest{
+		Mounts: []gateway.Mount{
+			{
+				Dest:      "/",
+				MountType: pb.MountType_BIND,
+				Ref:       ref,
+			},
+		},
+	}, nil
+}
+
+func populateProcessConfigFromResult(req *gateway.StartRequest, res *gateway.Result, cfg controllerapi.InvokeConfig) error {
+	imgData := res.Metadata[exptypes.ExporterImageConfigKey]
+	var img *specs.Image
+	if len(imgData) > 0 {
+		img = &specs.Image{}
+		if err := json.Unmarshal(imgData, img); err != nil {
+			return err
+		}
+	}
+
+	user := ""
+	if !cfg.NoUser {
+		user = cfg.User
+	} else if img != nil {
+		user = img.Config.User
+	}
+
+	cwd := ""
+	if !cfg.NoCwd {
+		cwd = cfg.Cwd
+	} else if img != nil {
+		cwd = img.Config.WorkingDir
+	}
+
+	env := []string{}
+	if img != nil {
+		env = append(env, img.Config.Env...)
+	}
+	env = append(env, cfg.Env...)
+
+	args := []string{}
+	if cfg.Entrypoint != nil {
+		args = append(args, cfg.Entrypoint...)
+	} else if img != nil {
+		args = append(args, img.Config.Entrypoint...)
+	}
+	if cfg.Cmd != nil {
+		args = append(args, cfg.Cmd...)
+	} else if img != nil {
+		args = append(args, img.Config.Cmd...)
+	}
+
+	req.Args = args
+	req.Env = env
+	req.User = user
+	req.Cwd = cwd
+	req.Tty = cfg.Tty
+
+	return nil
+}
+
+func containerConfigFromError(solveErr *errdefs.SolveError, cfg controllerapi.InvokeConfig) (*gateway.NewContainerRequest, error) {
+	exec, err := execOpFromError(solveErr)
+	if err != nil {
+		return nil, err
+	}
+	var mounts []gateway.Mount
+	for i, mnt := range exec.Mounts {
+		rid := solveErr.Solve.MountIDs[i]
+		if cfg.Initial {
+			rid = solveErr.Solve.InputIDs[i]
+		}
+		mounts = append(mounts, gateway.Mount{
+			Selector:  mnt.Selector,
+			Dest:      mnt.Dest,
+			ResultID:  rid,
+			Readonly:  mnt.Readonly,
+			MountType: mnt.MountType,
+			CacheOpt:  mnt.CacheOpt,
+			SecretOpt: mnt.SecretOpt,
+			SSHOpt:    mnt.SSHOpt,
+		})
+	}
+	return &gateway.NewContainerRequest{
+		Mounts:  mounts,
+		NetMode: exec.Network,
+	}, nil
+}
+
+func populateProcessConfigFromError(req *gateway.StartRequest, solveErr *errdefs.SolveError, cfg controllerapi.InvokeConfig) error {
+	exec, err := execOpFromError(solveErr)
+	if err != nil {
+		return err
+	}
+	meta := exec.Meta
+	user := ""
+	if !cfg.NoUser {
+		user = cfg.User
+	} else {
+		user = meta.User
+	}
+
+	cwd := ""
+	if !cfg.NoCwd {
+		cwd = cfg.Cwd
+	} else {
+		cwd = meta.Cwd
+	}
+
+	env := append(meta.Env, cfg.Env...)
+
+	args := []string{}
+	if cfg.Entrypoint != nil {
+		args = append(args, cfg.Entrypoint...)
+	}
+	if cfg.Cmd != nil {
+		args = append(args, cfg.Cmd...)
+	}
+	if len(args) == 0 {
+		args = meta.Args
+	}
+
+	req.Args = args
+	req.Env = env
+	req.User = user
+	req.Cwd = cwd
+	req.Tty = cfg.Tty
+
+	return nil
+}
+
+func execOpFromError(solveErr *errdefs.SolveError) (*pb.ExecOp, error) {
+	if solveErr == nil {
+		return nil, errors.Errorf("no error is available")
+	}
+	switch op := solveErr.Solve.Op.GetOp().(type) {
+	case *pb.Op_Exec:
+		return op.Exec, nil
+	default:
+		return nil, errors.Errorf("invoke: unsupported error type")
+	}
+	// TODO: support other ops
+}
+
+func newStartRequest(stdin io.ReadCloser, stdout io.WriteCloser, stderr io.WriteCloser) gateway.StartRequest {
+	return gateway.StartRequest{
+		Stdin:  stdin,
+		Stdout: stdout,
+		Stderr: stderr,
+	}
+}

build/secrets.go

@@ -1,60 +0,0 @@
-package build
-
-import (
-	"encoding/csv"
-	"strings"
-
-	"github.com/moby/buildkit/session"
-	"github.com/moby/buildkit/session/secrets/secretsprovider"
-	"github.com/pkg/errors"
-)
-
-func ParseSecretSpecs(sl []string) (session.Attachable, error) {
-	fs := make([]secretsprovider.Source, 0, len(sl))
-	for _, v := range sl {
-		s, err := parseSecret(v)
-		if err != nil {
-			return nil, err
-		}
-		fs = append(fs, *s)
-	}
-	store, err := secretsprovider.NewStore(fs)
-	if err != nil {
-		return nil, err
-	}
-	return secretsprovider.NewSecretProvider(store), nil
-}
-
-func parseSecret(value string) (*secretsprovider.Source, error) {
-	csvReader := csv.NewReader(strings.NewReader(value))
-	fields, err := csvReader.Read()
-	if err != nil {
-		return nil, errors.Wrap(err, "failed to parse csv secret")
-	}
-
-	fs := secretsprovider.Source{}
-
-	for _, field := range fields {
-		parts := strings.SplitN(field, "=", 2)
-		key := strings.ToLower(parts[0])
-
-		if len(parts) != 2 {
-			return nil, errors.Errorf("invalid field '%s' must be a key=value pair", field)
-		}
-
-		value := parts[1]
-		switch key {
-		case "type":
-			if value != "file" {
-				return nil, errors.Errorf("unsupported secret type %q", value)
-			}
-		case "id":
-			fs.ID = value
-		case "source", "src":
-			fs.FilePath = value
-		default:
-			return nil, errors.Errorf("unexpected key '%s' in '%s'", key, field)
-		}
-	}
-	return &fs, nil
-}

build/ssh.go

@@ -1,31 +0,0 @@
-package build
-
-import (
-	"strings"
-
-	"github.com/moby/buildkit/session"
-	"github.com/moby/buildkit/session/sshforward/sshprovider"
-)
-
-func ParseSSHSpecs(sl []string) (session.Attachable, error) {
-	configs := make([]sshprovider.AgentConfig, 0, len(sl))
-	for _, v := range sl {
-		c, err := parseSSH(v)
-		if err != nil {
-			return nil, err
-		}
-		configs = append(configs, *c)
-	}
-	return sshprovider.NewSSHAgentProvider(configs)
-}
-
-func parseSSH(value string) (*sshprovider.AgentConfig, error) {
-	parts := strings.SplitN(value, "=", 2)
-	cfg := sshprovider.AgentConfig{
-		ID: parts[0],
-	}
-	if len(parts) > 1 {
-		cfg.Paths = strings.Split(parts[1], ",")
-	}
-	return &cfg, nil
-}

build/url.go

@@ -2,7 +2,7 @@ package build
 
 import (
 	"context"
-	"io/ioutil"
+	"os"
 	"path/filepath"
 
 	"github.com/docker/buildx/driver"
@@ -14,7 +14,7 @@ import (
 )
 
 func createTempDockerfileFromURL(ctx context.Context, d driver.Driver, url string, pw progress.Writer) (string, error) {
-	c, err := driver.Boot(ctx, d, pw)
+	c, err := driver.Boot(ctx, ctx, d, pw)
 	if err != nil {
 		return "", err
 	}
@@ -53,11 +53,11 @@ func createTempDockerfileFromURL(ctx context.Context, d driver.Driver, url strin
 		if err != nil {
 			return nil, err
 		}
-		dir, err := ioutil.TempDir("", "buildx")
+		dir, err := os.MkdirTemp("", "buildx")
 		if err != nil {
 			return nil, err
 		}
-		if err := ioutil.WriteFile(filepath.Join(dir, "Dockerfile"), dt, 0600); err != nil {
+		if err := os.WriteFile(filepath.Join(dir, "Dockerfile"), dt, 0600); err != nil {
 			return nil, err
 		}
 		out = dir

build/utils.go

@@ -7,11 +7,30 @@ import (
 	"os"
 	"strings"
 
+	"github.com/docker/cli/opts"
+	"github.com/docker/docker/builder/remotecontext/urlutil"
+	"github.com/moby/buildkit/util/gitutil"
 	"github.com/pkg/errors"
 )
 
+const (
 	// archiveHeaderSize is the number of bytes in an archive header
-const archiveHeaderSize = 512
+	archiveHeaderSize = 512
+	// mobyHostGatewayName defines a special string which users can append to
+	// --add-host to add an extra entry in /etc/hosts that maps
+	// host.docker.internal to the host IP
+	mobyHostGatewayName = "host-gateway"
+)
+
+func IsRemoteURL(c string) bool {
+	if urlutil.IsURL(c) {
+		return true
+	}
+	if _, err := gitutil.ParseGitRef(c); err == nil {
+		return true
+	}
+	return false
+}
 
 func isLocalDir(c string) bool {
 	st, err := os.Stat(c)
@@ -38,18 +57,35 @@ func isArchive(header []byte) bool {
 }
 
 // toBuildkitExtraHosts converts hosts from docker key:value format to buildkit's csv format
-func toBuildkitExtraHosts(inp []string) (string, error) {
+func toBuildkitExtraHosts(inp []string, mobyDriver bool) (string, error) {
 	if len(inp) == 0 {
 		return "", nil
 	}
 	hosts := make([]string, 0, len(inp))
 	for _, h := range inp {
-		parts := strings.Split(h, ":")
-
-		if len(parts) != 2 || parts[0] == "" || net.ParseIP(parts[1]) == nil {
+		host, ip, ok := strings.Cut(h, ":")
+		if !ok || host == "" || ip == "" {
 			return "", errors.Errorf("invalid host %s", h)
 		}
-		hosts = append(hosts, parts[0]+"="+parts[1])
+		// Skip IP address validation for "host-gateway" string with moby driver
+		if !mobyDriver || ip != mobyHostGatewayName {
+			if net.ParseIP(ip) == nil {
+				return "", errors.Errorf("invalid host %s", h)
+			}
+		}
+		hosts = append(hosts, host+"="+ip)
 	}
 	return strings.Join(hosts, ","), nil
 }
+
+// toBuildkitUlimits converts ulimits from docker type=soft:hard format to buildkit's csv format
+func toBuildkitUlimits(inp *opts.UlimitOpt) (string, error) {
+	if inp == nil || len(inp.GetList()) == 0 {
+		return "", nil
+	}
+	ulimits := make([]string, 0, len(inp.GetList()))
+	for _, ulimit := range inp.GetList() {
+		ulimits = append(ulimits, ulimit.String())
+	}
+	return strings.Join(ulimits, ","), nil
+}

builder/builder.go

@@ -0,0 +1,292 @@
+package builder
+
+import (
+	"context"
+	"os"
+	"sort"
+	"sync"
+
+	"github.com/docker/buildx/driver"
+	"github.com/docker/buildx/store"
+	"github.com/docker/buildx/store/storeutil"
+	"github.com/docker/buildx/util/dockerutil"
+	"github.com/docker/buildx/util/imagetools"
+	"github.com/docker/buildx/util/progress"
+	"github.com/docker/cli/cli/command"
+	"github.com/pkg/errors"
+	"golang.org/x/sync/errgroup"
+)
+
+// Builder represents an active builder object
+type Builder struct {
+	*store.NodeGroup
+	driverFactory driverFactory
+	nodes         []Node
+	opts          builderOpts
+	err           error
+}
+
+type builderOpts struct {
+	dockerCli       command.Cli
+	name            string
+	txn             *store.Txn
+	contextPathHash string
+	validate        bool
+}
+
+// Option provides a variadic option for configuring the builder.
+type Option func(b *Builder)
+
+// WithName sets builder name.
+func WithName(name string) Option {
+	return func(b *Builder) {
+		b.opts.name = name
+	}
+}
+
+// WithStore sets a store instance used at init.
+func WithStore(txn *store.Txn) Option {
+	return func(b *Builder) {
+		b.opts.txn = txn
+	}
+}
+
+// WithContextPathHash is used for determining pods in k8s driver instance.
+func WithContextPathHash(contextPathHash string) Option {
+	return func(b *Builder) {
+		b.opts.contextPathHash = contextPathHash
+	}
+}
+
+// WithSkippedValidation skips builder context validation.
+func WithSkippedValidation() Option {
+	return func(b *Builder) {
+		b.opts.validate = false
+	}
+}
+
+// New initializes a new builder client
+func New(dockerCli command.Cli, opts ...Option) (_ *Builder, err error) {
+	b := &Builder{
+		opts: builderOpts{
+			dockerCli: dockerCli,
+			validate:  true,
+		},
+	}
+	for _, opt := range opts {
+		opt(b)
+	}
+
+	if b.opts.txn == nil {
+		// if store instance is nil we create a short-lived one using the
+		// default store and ensure we release it on completion
+		var release func()
+		b.opts.txn, release, err = storeutil.GetStore(dockerCli)
+		if err != nil {
+			return nil, err
+		}
+		defer release()
+	}
+
+	if b.opts.name != "" {
+		if b.NodeGroup, err = storeutil.GetNodeGroup(b.opts.txn, dockerCli, b.opts.name); err != nil {
+			return nil, err
+		}
+	} else {
+		if b.NodeGroup, err = storeutil.GetCurrentInstance(b.opts.txn, dockerCli); err != nil {
+			return nil, err
+		}
+	}
+	if b.opts.validate {
+		if err = b.Validate(); err != nil {
+			return nil, err
+		}
+	}
+
+	return b, nil
+}
+
+// Validate validates builder context
+func (b *Builder) Validate() error {
+	if b.NodeGroup != nil && b.NodeGroup.DockerContext {
+		list, err := b.opts.dockerCli.ContextStore().List()
+		if err != nil {
+			return err
+		}
+		currentContext := b.opts.dockerCli.CurrentContext()
+		for _, l := range list {
+			if l.Name == b.Name && l.Name != currentContext {
+				return errors.Errorf("use `docker --context=%s buildx` to switch to context %q", l.Name, l.Name)
+			}
+		}
+	}
+	return nil
+}
+
+// ContextName returns builder context name if available.
+func (b *Builder) ContextName() string {
+	ctxbuilders, err := b.opts.dockerCli.ContextStore().List()
+	if err != nil {
+		return ""
+	}
+	for _, cb := range ctxbuilders {
+		if b.NodeGroup.Driver == "docker" && len(b.NodeGroup.Nodes) == 1 && b.NodeGroup.Nodes[0].Endpoint == cb.Name {
+			return cb.Name
+		}
+	}
+	return ""
+}
+
+// ImageOpt returns registry auth configuration
+func (b *Builder) ImageOpt() (imagetools.Opt, error) {
+	return storeutil.GetImageConfig(b.opts.dockerCli, b.NodeGroup)
+}
+
+// Boot bootstrap a builder
+func (b *Builder) Boot(ctx context.Context) (bool, error) {
+	toBoot := make([]int, 0, len(b.nodes))
+	for idx, d := range b.nodes {
+		if d.Err != nil || d.Driver == nil || d.DriverInfo == nil {
+			continue
+		}
+		if d.DriverInfo.Status != driver.Running {
+			toBoot = append(toBoot, idx)
+		}
+	}
+	if len(toBoot) == 0 {
+		return false, nil
+	}
+
+	printer, err := progress.NewPrinter(context.TODO(), os.Stderr, os.Stderr, progress.PrinterModeAuto)
+	if err != nil {
+		return false, err
+	}
+
+	baseCtx := ctx
+	eg, _ := errgroup.WithContext(ctx)
+	for _, idx := range toBoot {
+		func(idx int) {
+			eg.Go(func() error {
+				pw := progress.WithPrefix(printer, b.NodeGroup.Nodes[idx].Name, len(toBoot) > 1)
+				_, err := driver.Boot(ctx, baseCtx, b.nodes[idx].Driver, pw)
+				if err != nil {
+					b.nodes[idx].Err = err
+				}
+				return nil
+			})
+		}(idx)
+	}
+
+	err = eg.Wait()
+	err1 := printer.Wait()
+	if err == nil {
+		err = err1
+	}
+
+	return true, err
+}
+
+// Inactive checks if all nodes are inactive for this builder.
+func (b *Builder) Inactive() bool {
+	for _, d := range b.nodes {
+		if d.DriverInfo != nil && d.DriverInfo.Status == driver.Running {
+			return false
+		}
+	}
+	return true
+}
+
+// Err returns error if any.
+func (b *Builder) Err() error {
+	return b.err
+}
+
+type driverFactory struct {
+	driver.Factory
+	once sync.Once
+}
+
+// Factory returns the driver factory.
+func (b *Builder) Factory(ctx context.Context) (_ driver.Factory, err error) {
+	b.driverFactory.once.Do(func() {
+		if b.Driver != "" {
+			b.driverFactory.Factory, err = driver.GetFactory(b.Driver, true)
+			if err != nil {
+				return
+			}
+		} else {
+			// empty driver means nodegroup was implicitly created as a default
+			// driver for a docker context and allows falling back to a
+			// docker-container driver for older daemon that doesn't support
+			// buildkit (< 18.06).
+			ep := b.NodeGroup.Nodes[0].Endpoint
+			var dockerapi *dockerutil.ClientAPI
+			dockerapi, err = dockerutil.NewClientAPI(b.opts.dockerCli, b.NodeGroup.Nodes[0].Endpoint)
+			if err != nil {
+				return
+			}
+			// check if endpoint is healthy is needed to determine the driver type.
+			// if this fails then can't continue with driver selection.
+			if _, err = dockerapi.Ping(ctx); err != nil {
+				return
+			}
+			b.driverFactory.Factory, err = driver.GetDefaultFactory(ctx, ep, dockerapi, false)
+			if err != nil {
+				return
+			}
+			b.Driver = b.driverFactory.Factory.Name()
+		}
+	})
+	return b.driverFactory.Factory, err
+}
+
+// GetBuilders returns all builders
+func GetBuilders(dockerCli command.Cli, txn *store.Txn) ([]*Builder, error) {
+	storeng, err := txn.List()
+	if err != nil {
+		return nil, err
+	}
+
+	builders := make([]*Builder, len(storeng))
+	seen := make(map[string]struct{})
+	for i, ng := range storeng {
+		b, err := New(dockerCli,
+			WithName(ng.Name),
+			WithStore(txn),
+			WithSkippedValidation(),
+		)
+		if err != nil {
+			return nil, err
+		}
+		builders[i] = b
+		seen[b.NodeGroup.Name] = struct{}{}
+	}
+
+	contexts, err := dockerCli.ContextStore().List()
+	if err != nil {
+		return nil, err
+	}
+	sort.Slice(contexts, func(i, j int) bool {
+		return contexts[i].Name < contexts[j].Name
+	})
+
+	for _, c := range contexts {
+		// if a context has the same name as an instance from the store, do not
+		// add it to the builders list. An instance from the store takes
+		// precedence over context builders.
+		if _, ok := seen[c.Name]; ok {
+			continue
+		}
+		b, err := New(dockerCli,
+			WithName(c.Name),
+			WithStore(txn),
+			WithSkippedValidation(),
+		)
+		if err != nil {
+			return nil, err
+		}
+		builders = append(builders, b)
+	}
+
+	return builders, nil
+}

builder/node.go

@@ -0,0 +1,211 @@
+package builder
+
+import (
+	"context"
+
+	"github.com/docker/buildx/driver"
+	ctxkube "github.com/docker/buildx/driver/kubernetes/context"
+	"github.com/docker/buildx/store"
+	"github.com/docker/buildx/store/storeutil"
+	"github.com/docker/buildx/util/dockerutil"
+	"github.com/docker/buildx/util/imagetools"
+	"github.com/docker/buildx/util/platformutil"
+	"github.com/moby/buildkit/client"
+	"github.com/moby/buildkit/util/grpcerrors"
+	ocispecs "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sync/errgroup"
+	"google.golang.org/grpc/codes"
+)
+
+type Node struct {
+	store.Node
+	Builder     string
+	Driver      driver.Driver
+	DriverInfo  *driver.Info
+	Platforms   []ocispecs.Platform
+	GCPolicy    []client.PruneInfo
+	Labels      map[string]string
+	ImageOpt    imagetools.Opt
+	ProxyConfig map[string]string
+	Version     string
+	Err         error
+}
+
+// Nodes returns nodes for this builder.
+func (b *Builder) Nodes() []Node {
+	return b.nodes
+}
+
+// LoadNodes loads and returns nodes for this builder.
+// TODO: this should be a method on a Node object and lazy load data for each driver.
+func (b *Builder) LoadNodes(ctx context.Context, withData bool) (_ []Node, err error) {
+	eg, _ := errgroup.WithContext(ctx)
+	b.nodes = make([]Node, len(b.NodeGroup.Nodes))
+
+	defer func() {
+		if b.err == nil && err != nil {
+			b.err = err
+		}
+	}()
+
+	factory, err := b.Factory(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	imageopt, err := b.ImageOpt()
+	if err != nil {
+		return nil, err
+	}
+
+	for i, n := range b.NodeGroup.Nodes {
+		func(i int, n store.Node) {
+			eg.Go(func() error {
+				node := Node{
+					Node:        n,
+					ProxyConfig: storeutil.GetProxyConfig(b.opts.dockerCli),
+					Platforms:   n.Platforms,
+					Builder:     b.Name,
+				}
+				defer func() {
+					b.nodes[i] = node
+				}()
+
+				dockerapi, err := dockerutil.NewClientAPI(b.opts.dockerCli, n.Endpoint)
+				if err != nil {
+					node.Err = err
+					return nil
+				}
+
+				contextStore := b.opts.dockerCli.ContextStore()
+
+				var kcc driver.KubeClientConfig
+				kcc, err = ctxkube.ConfigFromContext(n.Endpoint, contextStore)
+				if err != nil {
+					// err is returned if n.Endpoint is non-context name like "unix:///var/run/docker.sock".
+					// try again with name="default".
+					// FIXME(@AkihiroSuda): n should retain real context name.
+					kcc, err = ctxkube.ConfigFromContext("default", contextStore)
+					if err != nil {
+						logrus.Error(err)
+					}
+				}
+
+				tryToUseKubeConfigInCluster := false
+				if kcc == nil {
+					tryToUseKubeConfigInCluster = true
+				} else {
+					if _, err := kcc.ClientConfig(); err != nil {
+						tryToUseKubeConfigInCluster = true
+					}
+				}
+				if tryToUseKubeConfigInCluster {
+					kccInCluster := driver.KubeClientConfigInCluster{}
+					if _, err := kccInCluster.ClientConfig(); err == nil {
+						logrus.Debug("using kube config in cluster")
+						kcc = kccInCluster
+					}
+				}
+
+				d, err := driver.GetDriver(ctx, "buildx_buildkit_"+n.Name, factory, n.Endpoint, dockerapi, imageopt.Auth, kcc, n.Flags, n.Files, n.DriverOpts, n.Platforms, b.opts.contextPathHash)
+				if err != nil {
+					node.Err = err
+					return nil
+				}
+				node.Driver = d
+				node.ImageOpt = imageopt
+
+				if withData {
+					if err := node.loadData(ctx); err != nil {
+						node.Err = err
+					}
+				}
+				return nil
+			})
+		}(i, n)
+	}
+
+	if err := eg.Wait(); err != nil {
+		return nil, err
+	}
+
+	// TODO: This should be done in the routine loading driver data
+	if withData {
+		kubernetesDriverCount := 0
+		for _, d := range b.nodes {
+			if d.DriverInfo != nil && len(d.DriverInfo.DynamicNodes) > 0 {
+				kubernetesDriverCount++
+			}
+		}
+
+		isAllKubernetesDrivers := len(b.nodes) == kubernetesDriverCount
+		if isAllKubernetesDrivers {
+			var nodes []Node
+			var dynamicNodes []store.Node
+			for _, di := range b.nodes {
+				// dynamic nodes are used in Kubernetes driver.
+				// Kubernetes' pods are dynamically mapped to BuildKit Nodes.
+				if di.DriverInfo != nil && len(di.DriverInfo.DynamicNodes) > 0 {
+					for i := 0; i < len(di.DriverInfo.DynamicNodes); i++ {
+						diClone := di
+						if pl := di.DriverInfo.DynamicNodes[i].Platforms; len(pl) > 0 {
+							diClone.Platforms = pl
+						}
+						nodes = append(nodes, di)
+					}
+					dynamicNodes = append(dynamicNodes, di.DriverInfo.DynamicNodes...)
+				}
+			}
+
+			// not append (remove the static nodes in the store)
+			b.NodeGroup.Nodes = dynamicNodes
+			b.nodes = nodes
+			b.NodeGroup.Dynamic = true
+		}
+	}
+
+	return b.nodes, nil
+}
+
+func (n *Node) loadData(ctx context.Context) error {
+	if n.Driver == nil {
+		return nil
+	}
+	info, err := n.Driver.Info(ctx)
+	if err != nil {
+		return err
+	}
+	n.DriverInfo = info
+	if n.DriverInfo.Status == driver.Running {
+		driverClient, err := n.Driver.Client(ctx)
+		if err != nil {
+			return err
+		}
+		workers, err := driverClient.ListWorkers(ctx)
+		if err != nil {
+			return errors.Wrap(err, "listing workers")
+		}
+		for idx, w := range workers {
+			n.Platforms = append(n.Platforms, w.Platforms...)
+			if idx == 0 {
+				n.GCPolicy = w.GCPolicy
+				n.Labels = w.Labels
+			}
+		}
+		n.Platforms = platformutil.Dedupe(n.Platforms)
+		inf, err := driverClient.Info(ctx)
+		if err != nil {
+			if st, ok := grpcerrors.AsGRPCStatus(err); ok && st.Code() == codes.Unimplemented {
+				n.Version, err = n.Driver.Version(ctx)
+				if err != nil {
+					return errors.Wrap(err, "getting version")
+				}
+			}
+		} else {
+			n.Version = inf.BuildkitVersion.Version
+		}
+	}
+	return nil
+}

cmd/buildx/main.go

@@ -4,8 +4,8 @@ import (
 	"fmt"
 	"os"
 
-	"github.com/containerd/containerd/pkg/seed"
 	"github.com/docker/buildx/commands"
+	"github.com/docker/buildx/util/desktop"
 	"github.com/docker/buildx/version"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli-plugins/manager"
@@ -16,59 +16,60 @@ import (
 	"github.com/moby/buildkit/solver/errdefs"
 	"github.com/moby/buildkit/util/stack"
 
-	// FIXME: "k8s.io/client-go/plugin/pkg/client/auth/azure" is excluded because of compilation error
-	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
+	//nolint:staticcheck // vendored dependencies may still use this
+	"github.com/containerd/containerd/pkg/seed"
+
 	_ "k8s.io/client-go/plugin/pkg/client/auth/oidc"
-	_ "k8s.io/client-go/plugin/pkg/client/auth/openstack"
 
 	_ "github.com/docker/buildx/driver/docker"
 	_ "github.com/docker/buildx/driver/docker-container"
 	_ "github.com/docker/buildx/driver/kubernetes"
+	_ "github.com/docker/buildx/driver/remote"
 )
 
-var experimental string
-
 func init() {
+	//nolint:staticcheck
 	seed.WithTimeAndRand()
+
 	stack.SetVersionInfo(version.Version, version.Revision)
 }
 
-func main() {
-	if os.Getenv("DOCKER_CLI_PLUGIN_ORIGINAL_CLI_COMMAND") == "" {
-		if len(os.Args) < 2 || os.Args[1] != manager.MetadataSubcommandName {
-			dockerCli, err := command.NewDockerCli()
-			if err != nil {
-				fmt.Fprintln(os.Stderr, err)
-				os.Exit(1)
-			}
-			opts := cliflags.NewClientOptions()
-			dockerCli.Initialize(opts)
-			rootCmd := commands.NewRootCmd(os.Args[0], false, dockerCli)
-			if err := rootCmd.Execute(); err != nil {
-				os.Exit(1)
-			}
-			os.Exit(0)
+func runStandalone(cmd *command.DockerCli) error {
+	if err := cmd.Initialize(cliflags.NewClientOptions()); err != nil {
+		return err
 	}
+	rootCmd := commands.NewRootCmd(os.Args[0], false, cmd)
+	return rootCmd.Execute()
 }
 
-	dockerCli, err := command.NewDockerCli()
-	if err != nil {
-		fmt.Fprintln(os.Stderr, err)
-		os.Exit(1)
-	}
-
-	p := commands.NewRootCmd("buildx", true, dockerCli)
-	meta := manager.Metadata{
+func runPlugin(cmd *command.DockerCli) error {
+	rootCmd := commands.NewRootCmd("buildx", true, cmd)
+	return plugin.RunPlugin(cmd, rootCmd, manager.Metadata{
 		SchemaVersion: "0.1.0",
 		Vendor:        "Docker Inc.",
 		Version:       version.Version,
-		Experimental:  experimental != "",
+	})
+}
+
+func main() {
+	cmd, err := command.NewDockerCli()
+	if err != nil {
+		fmt.Fprintln(os.Stderr, err)
+		os.Exit(1)
+	}
+
+	if plugin.RunningStandalone() {
+		err = runStandalone(cmd)
+	} else {
+		err = runPlugin(cmd)
+	}
+	if err == nil {
+		return
 	}
 
-	if err := plugin.RunPlugin(dockerCli, p, meta); err != nil {
 	if sterr, ok := err.(cli.StatusError); ok {
 		if sterr.Status != "" {
-				fmt.Fprintln(dockerCli.Err(), sterr.Status)
+			fmt.Fprintln(cmd.Err(), sterr.Status)
 		}
 		// StatusError should only be used for errors, and all errors should
 		// have a non-zero exit status, so never exit with 0
@@ -77,16 +78,18 @@ func main() {
 		}
 		os.Exit(sterr.StatusCode)
 	}
-		for _, s := range errdefs.Sources(err) {
-			s.Print(dockerCli.Err())
-		}
 
+	for _, s := range errdefs.Sources(err) {
+		s.Print(cmd.Err())
+	}
 	if debug.IsEnabled() {
-			fmt.Fprintf(dockerCli.Err(), "error: %+v", stack.Formatter(err))
+		fmt.Fprintf(cmd.Err(), "ERROR: %+v", stack.Formatter(err))
 	} else {
-			fmt.Fprintf(dockerCli.Err(), "error: %v\n", err)
+		fmt.Fprintf(cmd.Err(), "ERROR: %v\n", err)
+	}
+	if ebr, ok := err.(*desktop.ErrorWithBuildRef); ok {
+		ebr.Print(cmd.Err())
 	}
 
 	os.Exit(1)
 }
-}

cmd/buildx/tracing.go

@@ -0,0 +1,19 @@
+package main
+
+import (
+	"github.com/moby/buildkit/util/tracing/detect"
+	"go.opentelemetry.io/otel"
+
+	_ "github.com/moby/buildkit/util/tracing/detect/delegated"
+	_ "github.com/moby/buildkit/util/tracing/env"
+)
+
+func init() {
+	detect.ServiceName = "buildx"
+	// do not log tracing errors to stdio
+	otel.SetErrorHandler(skipErrors{})
+}
+
+type skipErrors struct{}
+
+func (skipErrors) Handle(err error) {}

commands/bake.go

@@ -6,9 +6,18 @@ import (
 	"fmt"
 	"os"
 
+	"github.com/containerd/console"
+	"github.com/containerd/containerd/platforms"
 	"github.com/docker/buildx/bake"
 	"github.com/docker/buildx/build"
+	"github.com/docker/buildx/builder"
+	"github.com/docker/buildx/util/buildflags"
+	"github.com/docker/buildx/util/cobrautil/completion"
+	"github.com/docker/buildx/util/confutil"
+	"github.com/docker/buildx/util/desktop"
+	"github.com/docker/buildx/util/dockerutil"
 	"github.com/docker/buildx/util/progress"
+	"github.com/docker/buildx/util/tracing"
 	"github.com/docker/cli/cli/command"
 	"github.com/moby/buildkit/util/appcontext"
 	"github.com/pkg/errors"
@@ -17,20 +26,41 @@ import (
 
 type bakeOptions struct {
 	files      []string
-	printOnly bool
 	overrides  []string
-	commonOptions
+	printOnly  bool
+	sbom       string
+	provenance string
+
+	builder      string
+	metadataFile string
+	exportPush   bool
+	exportLoad   bool
 }
 
-func runBake(dockerCli command.Cli, targets []string, in bakeOptions) (err error) {
+func runBake(dockerCli command.Cli, targets []string, in bakeOptions, cFlags commonFlags) (err error) {
 	ctx := appcontext.Context()
 
+	ctx, end, err := tracing.TraceCurrentCommand(ctx, "bake")
+	if err != nil {
+		return err
+	}
+	defer func() {
+		end(err)
+	}()
+
 	var url string
+	cmdContext := "cwd://"
 
 	if len(targets) > 0 {
-		if bake.IsRemoteURL(targets[0]) {
+		if build.IsRemoteURL(targets[0]) {
 			url = targets[0]
 			targets = targets[1:]
+			if len(targets) > 0 {
+				if build.IsRemoteURL(targets[0]) {
+					cmdContext = targets[0]
+					targets = targets[1:]
+				}
+			}
 		}
 	}
 
@@ -43,21 +73,63 @@ func runBake(dockerCli command.Cli, targets []string, in bakeOptions) (err error
 		if in.exportLoad {
 			return errors.Errorf("push and load may not be set together at the moment")
 		}
-		overrides = append(overrides, "*.output=type=registry")
+		overrides = append(overrides, "*.push=true")
 	} else if in.exportLoad {
 		overrides = append(overrides, "*.output=type=docker")
 	}
-	if in.noCache != nil {
-		overrides = append(overrides, fmt.Sprintf("*.no-cache=%t", *in.noCache))
+	if cFlags.noCache != nil {
+		overrides = append(overrides, fmt.Sprintf("*.no-cache=%t", *cFlags.noCache))
 	}
-	if in.pull != nil {
-		overrides = append(overrides, fmt.Sprintf("*.pull=%t", *in.pull))
+	if cFlags.pull != nil {
+		overrides = append(overrides, fmt.Sprintf("*.pull=%t", *cFlags.pull))
+	}
+	if in.sbom != "" {
+		overrides = append(overrides, fmt.Sprintf("*.attest=%s", buildflags.CanonicalizeAttest("sbom", in.sbom)))
+	}
+	if in.provenance != "" {
+		overrides = append(overrides, fmt.Sprintf("*.attest=%s", buildflags.CanonicalizeAttest("provenance", in.provenance)))
 	}
 	contextPathHash, _ := os.Getwd()
 
 	ctx2, cancel := context.WithCancel(context.TODO())
 	defer cancel()
-	printer := progress.NewPrinter(ctx2, os.Stderr, in.progress)
+
+	var nodes []builder.Node
+	var files []bake.File
+	var inp *bake.Input
+	var progressConsoleDesc, progressTextDesc string
+
+	// instance only needed for reading remote bake files or building
+	if url != "" || !in.printOnly {
+		b, err := builder.New(dockerCli,
+			builder.WithName(in.builder),
+			builder.WithContextPathHash(contextPathHash),
+		)
+		if err != nil {
+			return err
+		}
+		if err = updateLastActivity(dockerCli, b.NodeGroup); err != nil {
+			return errors.Wrapf(err, "failed to update builder last activity time")
+		}
+		nodes, err = b.LoadNodes(ctx, false)
+		if err != nil {
+			return err
+		}
+		progressConsoleDesc = fmt.Sprintf("%s:%s", b.Driver, b.Name)
+		progressTextDesc = fmt.Sprintf("building with %q instance using %s driver", b.Name, b.Driver)
+	}
+
+	var term bool
+	if _, err := console.ConsoleFromFile(os.Stderr); err == nil {
+		term = true
+	}
+
+	printer, err := progress.NewPrinter(ctx2, os.Stderr, os.Stderr, cFlags.progress,
+		progress.WithDesc(progressTextDesc, progressConsoleDesc),
+	)
+	if err != nil {
+		return err
+	}
 
 	defer func() {
 		if printer != nil {
@@ -65,18 +137,14 @@ func runBake(dockerCli command.Cli, targets []string, in bakeOptions) (err error
 			if err == nil {
 				err = err1
 			}
+			if err == nil && cFlags.progress != progress.PrinterModeQuiet {
+				desktop.PrintBuildDetails(os.Stderr, printer.BuildRefs(), term)
+			}
 		}
 	}()
 
-	dis, err := getInstanceOrDefault(ctx, dockerCli, in.builder, contextPathHash)
-	if err != nil {
-		return err
-	}
-
-	var files []bake.File
-	var inp *bake.Input
 	if url != "" {
-		files, inp, err = bake.ReadRemoteFiles(ctx, dis, url, in.files, printer)
+		files, inp, err = bake.ReadRemoteFiles(ctx, nodes, url, in.files, printer)
 	} else {
 		files, err = bake.ReadLocalFiles(in.files)
 	}
@@ -84,13 +152,43 @@ func runBake(dockerCli command.Cli, targets []string, in bakeOptions) (err error
 		return err
 	}
 
-	m, err := bake.ReadTargets(ctx, files, targets, overrides)
+	tgts, grps, err := bake.ReadTargets(ctx, files, targets, overrides, map[string]string{
+		// don't forget to update documentation if you add a new
+		// built-in variable: docs/bake-reference.md#built-in-variables
+		"BAKE_CMD_CONTEXT":    cmdContext,
+		"BAKE_LOCAL_PLATFORM": platforms.DefaultString(),
+	})
+	if err != nil {
+		return err
+	}
+
+	if v := os.Getenv("SOURCE_DATE_EPOCH"); v != "" {
+		// TODO: extract env var parsing to a method easily usable by library consumers
+		for _, t := range tgts {
+			if _, ok := t.Args["SOURCE_DATE_EPOCH"]; ok {
+				continue
+			}
+			if t.Args == nil {
+				t.Args = map[string]*string{}
+			}
+			t.Args["SOURCE_DATE_EPOCH"] = &v
+		}
+	}
+
+	// this function can update target context string from the input so call before printOnly check
+	bo, err := bake.TargetsToBuildOpt(tgts, inp)
 	if err != nil {
 		return err
 	}
 
 	if in.printOnly {
-		dt, err := json.MarshalIndent(map[string]map[string]*bake.Target{"target": m}, "", "   ")
+		dt, err := json.MarshalIndent(struct {
+			Group  map[string]*bake.Group  `json:"group,omitempty"`
+			Target map[string]*bake.Target `json:"target"`
+		}{
+			grps,
+			tgts,
+		}, "", "  ")
 		if err != nil {
 			return err
 		}
@@ -103,17 +201,27 @@ func runBake(dockerCli command.Cli, targets []string, in bakeOptions) (err error
 		return nil
 	}
 
-	bo, err := bake.TargetsToBuildOpt(m, inp)
+	resp, err := build.Build(ctx, nodes, bo, dockerutil.NewClient(dockerCli), confutil.ConfigDir(dockerCli), printer)
 	if err != nil {
-		return err
+		return wrapBuildError(err, true)
+	}
+
+	if len(in.metadataFile) > 0 {
+		dt := make(map[string]interface{})
+		for t, r := range resp {
+			dt[t] = decodeExporterResponse(r.ExporterResponse)
+		}
+		if err := writeMetadataFile(in.metadataFile, dt); err != nil {
+			return err
+		}
 	}
 
-	_, err = build.Build(ctx, dis, bo, dockerAPI(dockerCli), dockerCli.ConfigFile(), printer)
 	return err
 }
 
 func bakeCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
 	var options bakeOptions
+	var cFlags commonFlags
 
 	cmd := &cobra.Command{
 		Use:     "bake [OPTIONS] [TARGET...]",
@@ -122,25 +230,30 @@ func bakeCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
 		RunE: func(cmd *cobra.Command, args []string) error {
 			// reset to nil to avoid override is unset
 			if !cmd.Flags().Lookup("no-cache").Changed {
-				options.noCache = nil
+				cFlags.noCache = nil
 			}
 			if !cmd.Flags().Lookup("pull").Changed {
-				options.pull = nil
+				cFlags.pull = nil
 			}
-			options.commonOptions.builder = rootOpts.builder
-			return runBake(dockerCli, args, options)
+			options.builder = rootOpts.builder
+			options.metadataFile = cFlags.metadataFile
+			// Other common flags (noCache, pull and progress) are processed in runBake function.
+			return runBake(dockerCli, args, options, cFlags)
 		},
+		ValidArgsFunction: completion.BakeTargets(options.files),
 	}
 
 	flags := cmd.Flags()
 
 	flags.StringArrayVarP(&options.files, "file", "f", []string{}, "Build definition file")
+	flags.BoolVar(&options.exportLoad, "load", false, `Shorthand for "--set=*.output=type=docker"`)
 	flags.BoolVar(&options.printOnly, "print", false, "Print the options without building")
-	flags.StringArrayVar(&options.overrides, "set", nil, "Override target value (eg: targetpattern.key=value)")
-	flags.BoolVar(&options.exportPush, "push", false, "Shorthand for --set=*.output=type=registry")
-	flags.BoolVar(&options.exportLoad, "load", false, "Shorthand for --set=*.output=type=docker")
+	flags.BoolVar(&options.exportPush, "push", false, `Shorthand for "--set=*.output=type=registry"`)
+	flags.StringVar(&options.sbom, "sbom", "", `Shorthand for "--set=*.attest=type=sbom"`)
+	flags.StringVar(&options.provenance, "provenance", "", `Shorthand for "--set=*.attest=type=provenance"`)
+	flags.StringArrayVar(&options.overrides, "set", nil, `Override target value (e.g., "targetpattern.key=value")`)
 
-	commonBuildFlags(&options.commonOptions, flags)
+	commonBuildFlags(&cFlags, flags)
 
 	return cmd
 }

commands/create.go

@@ -1,15 +1,29 @@
 package commands
 
 import (
+	"bytes"
+	"context"
 	"encoding/csv"
 	"fmt"
+	"net/url"
 	"os"
 	"strings"
+	"time"
 
+	"github.com/docker/buildx/builder"
 	"github.com/docker/buildx/driver"
+	k8sutil "github.com/docker/buildx/driver/kubernetes/util"
+	remoteutil "github.com/docker/buildx/driver/remote/util"
+	"github.com/docker/buildx/localstate"
 	"github.com/docker/buildx/store"
+	"github.com/docker/buildx/store/storeutil"
+	"github.com/docker/buildx/util/cobrautil"
+	"github.com/docker/buildx/util/cobrautil/completion"
+	"github.com/docker/buildx/util/confutil"
+	"github.com/docker/buildx/util/dockerutil"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
+	dopts "github.com/docker/cli/opts"
 	"github.com/google/shlex"
 	"github.com/moby/buildkit/util/appcontext"
 	"github.com/pkg/errors"
@@ -28,6 +42,7 @@ type createOptions struct {
 	flags        string
 	configFile   string
 	driverOpts   []string
+	bootstrap    bool
 	// upgrade      bool // perform upgrade of the driver
 }
 
@@ -53,23 +68,7 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 		}
 	}
 
-	driverName := in.driver
-	if driverName == "" {
-		f, err := driver.GetDefaultFactory(ctx, dockerCli.Client(), true)
-		if err != nil {
-			return err
-		}
-		if f == nil {
-			return errors.Errorf("no valid drivers found")
-		}
-		driverName = f.Name()
-	}
-
-	if driver.GetFactory(driverName, true) == nil {
-		return errors.Errorf("failed to find driver %q", in.driver)
-	}
-
-	txn, release, err := getStore(dockerCli)
+	txn, release, err := storeutil.GetStore(dockerCli)
 	if err != nil {
 		return err
 	}
@@ -83,6 +82,19 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 		}
 	}
 
+	if !in.actionLeave && !in.actionAppend {
+		contexts, err := dockerCli.ContextStore().List()
+		if err != nil {
+			return err
+		}
+		for _, c := range contexts {
+			if c.Name == name {
+				logrus.Warnf("instance name %q already exists as context builder", name)
+				break
+			}
+		}
+	}
+
 	ng, err := txn.NodeGroupByName(name)
 	if err != nil {
 		if os.IsNotExist(errors.Cause(err)) {
@@ -90,29 +102,62 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 				logrus.Warnf("failed to find %q for append, creating a new instance instead", in.name)
 			}
 			if in.actionLeave {
-				return errors.Errorf("failed to find instance %q for leave", name)
+				return errors.Errorf("failed to find instance %q for leave", in.name)
 			}
 		} else {
 			return err
 		}
 	}
 
+	buildkitHost := os.Getenv("BUILDKIT_HOST")
+
+	driverName := in.driver
+	if driverName == "" {
+		if ng != nil {
+			driverName = ng.Driver
+		} else if len(args) == 0 && buildkitHost != "" {
+			driverName = "remote"
+		} else {
+			var arg string
+			if len(args) > 0 {
+				arg = args[0]
+			}
+			f, err := driver.GetDefaultFactory(ctx, arg, dockerCli.Client(), true)
+			if err != nil {
+				return err
+			}
+			if f == nil {
+				return errors.Errorf("no valid drivers found")
+			}
+			driverName = f.Name()
+		}
+	}
+
 	if ng != nil {
 		if in.nodeName == "" && !in.actionAppend {
-			return errors.Errorf("existing instance for %s but no append mode, specify --node to make changes for existing instances", name)
+			return errors.Errorf("existing instance for %q but no append mode, specify --node to make changes for existing instances", name)
 		}
+		if driverName != ng.Driver {
+			return errors.Errorf("existing instance for %q but has mismatched driver %q", name, ng.Driver)
+		}
+	}
+
+	if _, err := driver.GetFactory(driverName, true); err != nil {
+		return err
+	}
+
+	ngOriginal := ng
+	if ngOriginal != nil {
+		ngOriginal = ngOriginal.Copy()
 	}
 
 	if ng == nil {
 		ng = &store.NodeGroup{
 			Name:   name,
+			Driver: driverName,
 		}
 	}
 
-	if ng.Driver == "" || in.driver != "" {
-		ng.Driver = driverName
-	}
-
 	var flags []string
 	if in.flags != "" {
 		flags, err = shlex.Split(in.flags)
@@ -122,37 +167,88 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 	}
 
 	var ep string
+	var setEp bool
 	if in.actionLeave {
 		if err := ng.Leave(in.nodeName); err != nil {
 			return err
 		}
+		ls, err := localstate.New(confutil.ConfigDir(dockerCli))
+		if err != nil {
+			return err
+		}
+		if err := ls.RemoveBuilderNode(ng.Name, in.nodeName); err != nil {
+			return err
+		}
 	} else {
+		switch {
+		case driverName == "kubernetes":
 			if len(args) > 0 {
+				logrus.Warnf("kubernetes driver does not support endpoint args %q", args[0])
+			}
+			// generate node name if not provided to avoid duplicated endpoint
+			// error: https://github.com/docker/setup-buildx-action/issues/215
+			nodeName := in.nodeName
+			if nodeName == "" {
+				nodeName, err = k8sutil.GenerateNodeName(name, txn)
+				if err != nil {
+					return err
+				}
+			}
+			// naming endpoint to make --append works
+			ep = (&url.URL{
+				Scheme: driverName,
+				Path:   "/" + name,
+				RawQuery: (&url.Values{
+					"deployment": {nodeName},
+					"kubeconfig": {os.Getenv("KUBECONFIG")},
+				}).Encode(),
+			}).String()
+			setEp = false
+		case driverName == "remote":
+			if len(args) > 0 {
+				ep = args[0]
+			} else if buildkitHost != "" {
+				ep = buildkitHost
+			} else {
+				return errors.Errorf("no remote endpoint provided")
+			}
+			ep, err = validateBuildkitEndpoint(ep)
+			if err != nil {
+				return err
+			}
+			setEp = true
+		case len(args) > 0:
 			ep, err = validateEndpoint(dockerCli, args[0])
 			if err != nil {
 				return err
 			}
-		} else {
+			setEp = true
+		default:
 			if dockerCli.CurrentContext() == "default" && dockerCli.DockerEndpoint().TLSData != nil {
 				return errors.Errorf("could not create a builder instance with TLS data loaded from environment. Please use `docker context create <context-name>` to create a context for current environment and then create a builder instance with `docker buildx create <context-name>`")
 			}
-
-			ep, err = getCurrentEndpoint(dockerCli)
+			ep, err = dockerutil.GetCurrentEndpoint(dockerCli)
 			if err != nil {
 				return err
 			}
-		}
-
-		if in.driver == "kubernetes" {
-			// naming endpoint to make --append works
-			ep = fmt.Sprintf("%s://%s?deployment=%s", in.driver, in.name, in.nodeName)
+			setEp = false
 		}
 
 		m, err := csvToMap(in.driverOpts)
 		if err != nil {
 			return err
 		}
-		if err := ng.Update(in.nodeName, ep, in.platform, len(args) > 0, in.actionAppend, flags, in.configFile, m); err != nil {
+
+		if in.configFile == "" {
+			// if buildkit config is not provided, check if the default one is
+			// available and use it
+			if f, ok := confutil.DefaultConfigFile(dockerCli); ok {
+				logrus.Warnf("Using default BuildKit config in %s", f)
+				in.configFile = f
+			}
+		}
+
+		if err := ng.Update(in.nodeName, ep, in.platform, setEp, in.actionAppend, flags, in.configFile, m); err != nil {
 			return err
 		}
 	}
@@ -161,8 +257,41 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 		return err
 	}
 
+	b, err := builder.New(dockerCli,
+		builder.WithName(ng.Name),
+		builder.WithStore(txn),
+		builder.WithSkippedValidation(),
+	)
+	if err != nil {
+		return err
+	}
+
+	timeoutCtx, cancel := context.WithTimeout(ctx, 20*time.Second)
+	defer cancel()
+
+	nodes, err := b.LoadNodes(timeoutCtx, true)
+	if err != nil {
+		return err
+	}
+
+	for _, node := range nodes {
+		if err := node.Err; err != nil {
+			err := errors.Errorf("failed to initialize builder %s (%s): %s", ng.Name, node.Name, err)
+			var err2 error
+			if ngOriginal == nil {
+				err2 = txn.Remove(ng.Name)
+			} else {
+				err2 = txn.Save(ngOriginal)
+			}
+			if err2 != nil {
+				logrus.Warnf("Could not rollback to previous state: %s", err2)
+			}
+			return err
+		}
+	}
+
 	if in.use && ep != "" {
-		current, err := getCurrentEndpoint(dockerCli)
+		current, err := dockerutil.GetCurrentEndpoint(dockerCli)
 		if err != nil {
 			return err
 		}
@@ -171,6 +300,12 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 		}
 	}
 
+	if in.bootstrap {
+		if _, err = b.Boot(ctx); err != nil {
+			return err
+		}
+	}
+
 	fmt.Printf("%s\n", ng.Name)
 	return nil
 }
@@ -178,9 +313,12 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 func createCmd(dockerCli command.Cli) *cobra.Command {
 	var options createOptions
 
-	var drivers []string
-	for s := range driver.GetFactories() {
-		drivers = append(drivers, s)
+	var drivers bytes.Buffer
+	for _, d := range driver.GetFactories(true) {
+		if len(drivers.String()) > 0 {
+			drivers.WriteString(", ")
+		}
+		drivers.WriteString(fmt.Sprintf(`"%s"`, d.Name()))
 	}
 
 	cmd := &cobra.Command{
@@ -190,28 +328,34 @@ func createCmd(dockerCli command.Cli) *cobra.Command {
 		RunE: func(cmd *cobra.Command, args []string) error {
 			return runCreate(dockerCli, options, args)
 		},
+		ValidArgsFunction: completion.Disable,
 	}
 
 	flags := cmd.Flags()
 
 	flags.StringVar(&options.name, "name", "", "Builder instance name")
-	flags.StringVar(&options.driver, "driver", "", fmt.Sprintf("Driver to use (available: %v)", drivers))
+	flags.StringVar(&options.driver, "driver", "", fmt.Sprintf("Driver to use (available: %s)", drivers.String()))
 	flags.StringVar(&options.nodeName, "node", "", "Create/modify node with given name")
 	flags.StringVar(&options.flags, "buildkitd-flags", "", "Flags for buildkitd daemon")
 	flags.StringVar(&options.configFile, "config", "", "BuildKit config file")
 	flags.StringArrayVar(&options.platform, "platform", []string{}, "Fixed platforms for current node")
 	flags.StringArrayVar(&options.driverOpts, "driver-opt", []string{}, "Options for the driver")
+	flags.BoolVar(&options.bootstrap, "bootstrap", false, "Boot builder after creation")
 
 	flags.BoolVar(&options.actionAppend, "append", false, "Append a node to builder instead of changing it")
 	flags.BoolVar(&options.actionLeave, "leave", false, "Remove a node from builder instead of changing it")
 	flags.BoolVar(&options.use, "use", false, "Set the current builder instance")
 
-	_ = flags
+	// hide builder persistent flag for this command
+	cobrautil.HideInheritedFlags(cmd, "builder")
 
 	return cmd
 }
 
 func csvToMap(in []string) (map[string]string, error) {
+	if len(in) == 0 {
+		return nil, nil
+	}
 	m := make(map[string]string, len(in))
 	for _, s := range in {
 		csvReader := csv.NewReader(strings.NewReader(s))
@@ -229,3 +373,27 @@ func csvToMap(in []string) (map[string]string, error) {
 	}
 	return m, nil
 }
+
+// validateEndpoint validates that endpoint is either a context or a docker host
+func validateEndpoint(dockerCli command.Cli, ep string) (string, error) {
+	dem, err := dockerutil.GetDockerEndpoint(dockerCli, ep)
+	if err == nil && dem != nil {
+		if ep == "default" {
+			return dem.Host, nil
+		}
+		return ep, nil
+	}
+	h, err := dopts.ParseHost(true, ep)
+	if err != nil {
+		return "", errors.Wrapf(err, "failed to parse endpoint %s", ep)
+	}
+	return h, nil
+}
+
+// validateBuildkitEndpoint validates that endpoint is a valid buildkit host
+func validateBuildkitEndpoint(ep string) (string, error) {
+	if err := remoteutil.IsValidEndpoint(ep); err != nil {
+		return "", err
+	}
+	return ep, nil
+}

commands/create_test.go

@@ -0,0 +1,26 @@
+package commands
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestCsvToMap(t *testing.T) {
+	d := []string{
+		"\"tolerations=key=foo,value=bar;key=foo2,value=bar2\",replicas=1",
+		"namespace=default",
+	}
+	r, err := csvToMap(d)
+
+	require.NoError(t, err)
+
+	require.Contains(t, r, "tolerations")
+	require.Equal(t, r["tolerations"], "key=foo,value=bar;key=foo2,value=bar2")
+
+	require.Contains(t, r, "replicas")
+	require.Equal(t, r["replicas"], "1")
+
+	require.Contains(t, r, "namespace")
+	require.Equal(t, r["namespace"], "default")
+}

commands/debug-shell.go

@@ -0,0 +1,70 @@
+package commands
+
+import (
+	"context"
+	"os"
+	"runtime"
+
+	"github.com/containerd/console"
+	"github.com/docker/buildx/controller"
+	"github.com/docker/buildx/controller/control"
+	controllerapi "github.com/docker/buildx/controller/pb"
+	"github.com/docker/buildx/monitor"
+	"github.com/docker/buildx/util/progress"
+	"github.com/docker/cli/cli/command"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+)
+
+func debugShellCmd(dockerCli command.Cli) *cobra.Command {
+	var options control.ControlOptions
+	var progressMode string
+
+	cmd := &cobra.Command{
+		Use:   "debug-shell",
+		Short: "Start a monitor",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			printer, err := progress.NewPrinter(context.TODO(), os.Stderr, os.Stderr, progressMode)
+			if err != nil {
+				return err
+			}
+
+			ctx := context.TODO()
+			c, err := controller.NewController(ctx, options, dockerCli, printer)
+			if err != nil {
+				return err
+			}
+			defer func() {
+				if err := c.Close(); err != nil {
+					logrus.Warnf("failed to close server connection %v", err)
+				}
+			}()
+			con := console.Current()
+			if err := con.SetRaw(); err != nil {
+				return errors.Errorf("failed to configure terminal: %v", err)
+			}
+
+			err = monitor.RunMonitor(ctx, "", nil, controllerapi.InvokeConfig{
+				Tty: true,
+			}, c, os.Stdin, os.Stdout, os.Stderr, printer)
+			con.Reset()
+			return err
+		},
+	}
+
+	flags := cmd.Flags()
+
+	flags.StringVar(&options.Root, "root", "", "Specify root directory of server to connect [experimental]")
+	flags.BoolVar(&options.Detach, "detach", runtime.GOOS == "linux", "Detach buildx server (supported only on linux) [experimental]")
+	flags.StringVar(&options.ServerConfig, "server-config", "", "Specify buildx server config file (used only when launching new server) [experimental]")
+	flags.StringVar(&progressMode, "progress", "auto", `Set type of progress output ("auto", "plain", "tty"). Use plain to show container output`)
+
+	return cmd
+}
+
+func addDebugShellCommand(cmd *cobra.Command, dockerCli command.Cli) {
+	cmd.AddCommand(
+		debugShellCmd(dockerCli),
+	)
+}

commands/diskusage.go

@@ -4,16 +4,19 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"strings"
 	"text/tabwriter"
+	"time"
 
-	"github.com/docker/buildx/build"
+	"github.com/docker/buildx/builder"
+	"github.com/docker/buildx/util/cobrautil/completion"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/opts"
+	"github.com/docker/go-units"
 	"github.com/moby/buildkit/client"
 	"github.com/moby/buildkit/util/appcontext"
 	"github.com/spf13/cobra"
-	"github.com/tonistiigi/units"
 	"golang.org/x/sync/errgroup"
 )
 
@@ -31,25 +34,29 @@ func runDiskUsage(dockerCli command.Cli, opts duOptions) error {
 		return err
 	}
 
-	dis, err := getInstanceOrDefault(ctx, dockerCli, opts.builder, "")
+	b, err := builder.New(dockerCli, builder.WithName(opts.builder))
 	if err != nil {
 		return err
 	}
 
-	for _, di := range dis {
-		if di.Err != nil {
+	nodes, err := b.LoadNodes(ctx, false)
+	if err != nil {
 		return err
 	}
+	for _, node := range nodes {
+		if node.Err != nil {
+			return node.Err
+		}
 	}
 
-	out := make([][]*client.UsageInfo, len(dis))
+	out := make([][]*client.UsageInfo, len(nodes))
 
 	eg, ctx := errgroup.WithContext(ctx)
-	for i, di := range dis {
-		func(i int, di build.DriverInfo) {
+	for i, node := range nodes {
+		func(i int, node builder.Node) {
 			eg.Go(func() error {
-				if di.Driver != nil {
-					c, err := di.Driver.Client(ctx)
+				if node.Driver != nil {
+					c, err := node.Driver.Client(ctx)
 					if err != nil {
 						return err
 					}
@@ -62,7 +69,7 @@ func runDiskUsage(dockerCli command.Cli, opts duOptions) error {
 				}
 				return nil
 			})
-		}(i, di)
+		}(i, node)
 	}
 
 	if err := eg.Wait(); err != nil {
@@ -109,6 +116,7 @@ func duCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
 			options.builder = rootOpts.builder
 			return runDiskUsage(dockerCli, options)
 		},
+		ValidArgsFunction: completion.Disable,
 	}
 
 	flags := cmd.Flags()
@@ -125,20 +133,20 @@ func printKV(w io.Writer, k string, v interface{}) {
 func printVerbose(tw *tabwriter.Writer, du []*client.UsageInfo) {
 	for _, di := range du {
 		printKV(tw, "ID", di.ID)
-		if di.Parent != "" {
-			printKV(tw, "Parent", di.Parent)
+		if len(di.Parents) != 0 {
+			printKV(tw, "Parent", strings.Join(di.Parents, ","))
 		}
 		printKV(tw, "Created at", di.CreatedAt)
 		printKV(tw, "Mutable", di.Mutable)
 		printKV(tw, "Reclaimable", !di.InUse)
 		printKV(tw, "Shared", di.Shared)
-		printKV(tw, "Size", fmt.Sprintf("%.2f", units.Bytes(di.Size)))
+		printKV(tw, "Size", units.HumanSize(float64(di.Size)))
 		if di.Description != "" {
 			printKV(tw, "Description", di.Description)
 		}
 		printKV(tw, "Usage count", di.UsageCount)
 		if di.LastUsedAt != nil {
-			printKV(tw, "Last used", di.LastUsedAt)
+			printKV(tw, "Last used", units.HumanDuration(time.Since(*di.LastUsedAt))+" ago")
 		}
 		if di.RecordType != "" {
 			printKV(tw, "Type", di.RecordType)
@@ -159,11 +167,15 @@ func printTableRow(tw *tabwriter.Writer, di *client.UsageInfo) {
 	if di.Mutable {
 		id += "*"
 	}
-	size := fmt.Sprintf("%.2f", units.Bytes(di.Size))
+	size := units.HumanSize(float64(di.Size))
 	if di.Shared {
 		size += "*"
 	}
-	fmt.Fprintf(tw, "%-71s\t%-11v\t%s\t\n", id, !di.InUse, size)
+	lastAccessed := ""
+	if di.LastUsedAt != nil {
+		lastAccessed = units.HumanDuration(time.Since(*di.LastUsedAt)) + " ago"
+	}
+	fmt.Fprintf(tw, "%-40s\t%-5v\t%-10s\t%s\n", id, !di.InUse, size, lastAccessed)
 }
 
 func printSummary(tw *tabwriter.Writer, dus [][]*client.UsageInfo) {
@@ -185,14 +197,12 @@ func printSummary(tw *tabwriter.Writer, dus [][]*client.UsageInfo) {
 		}
 	}
 
-	tw = tabwriter.NewWriter(os.Stdout, 1, 8, 1, '\t', 0)
-
 	if shared > 0 {
-		fmt.Fprintf(tw, "Shared:\t%.2f\n", units.Bytes(shared))
-		fmt.Fprintf(tw, "Private:\t%.2f\n", units.Bytes(total-shared))
+		fmt.Fprintf(tw, "Shared:\t%s\n", units.HumanSize(float64(shared)))
+		fmt.Fprintf(tw, "Private:\t%s\n", units.HumanSize(float64(total-shared)))
 	}
 
-	fmt.Fprintf(tw, "Reclaimable:\t%.2f\n", units.Bytes(reclaimable))
-	fmt.Fprintf(tw, "Total:\t%.2f\n", units.Bytes(total))
+	fmt.Fprintf(tw, "Reclaimable:\t%s\n", units.HumanSize(float64(reclaimable)))
+	fmt.Fprintf(tw, "Total:\t%s\n", units.HumanSize(float64(total)))
 	tw.Flush()
 }

commands/imagetools/create.go

@@ -1,12 +1,16 @@
 package commands
 
 import (
+	"context"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"os"
 	"strings"
 
+	"github.com/docker/buildx/builder"
+	"github.com/docker/buildx/util/cobrautil/completion"
 	"github.com/docker/buildx/util/imagetools"
+	"github.com/docker/buildx/util/progress"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/distribution/reference"
 	"github.com/moby/buildkit/util/appcontext"
@@ -18,10 +22,12 @@ import (
 )
 
 type createOptions struct {
+	builder      string
 	files        []string
 	tags         []string
 	dryrun       bool
 	actionAppend bool
+	progress     string
 }
 
 func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
@@ -35,7 +41,7 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 
 	fileArgs := make([]string, len(in.files))
 	for i, f := range in.files {
-		dt, err := ioutil.ReadFile(f)
+		dt, err := os.ReadFile(f)
 		if err != nil {
 			return err
 		}
@@ -75,35 +81,48 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 	if len(repos) == 0 {
 		return errors.Errorf("no repositories specified, please set a reference in tag or source")
 	}
-	if len(repos) > 1 {
-		return errors.Errorf("multiple repositories currently not supported, found %v", repos)
-	}
 
-	var repo string
-	for r := range repos {
-		repo = r
+	var defaultRepo *string
+	if len(repos) == 1 {
+		for repo := range repos {
+			defaultRepo = &repo
+		}
 	}
 
 	for i, s := range srcs {
-		if s.Ref == nil && s.Desc.MediaType == "" && s.Desc.Digest != "" {
-			n, err := reference.ParseNormalizedNamed(repo)
+		if s.Ref == nil {
+			if defaultRepo == nil {
+				return errors.Errorf("multiple repositories specified, cannot infer repository for %q", args[i])
+			}
+			n, err := reference.ParseNormalizedNamed(*defaultRepo)
 			if err != nil {
 				return err
 			}
+			if s.Desc.MediaType == "" && s.Desc.Digest != "" {
 				r, err := reference.WithDigest(n, s.Desc.Digest)
 				if err != nil {
 					return err
 				}
 				srcs[i].Ref = r
 				sourceRefs = true
+			} else {
+				srcs[i].Ref = reference.TagNameOnly(n)
+			}
 		}
 	}
 
 	ctx := appcontext.Context()
 
-	r := imagetools.New(imagetools.Opt{
-		Auth: dockerCli.ConfigFile(),
-	})
+	b, err := builder.New(dockerCli, builder.WithName(in.builder))
+	if err != nil {
+		return err
+	}
+	imageopt, err := b.ImageOpt()
+	if err != nil {
+		return err
+	}
+
+	r := imagetools.New(imageopt)
 
 	if sourceRefs {
 		eg, ctx2 := errgroup.WithContext(ctx)
@@ -117,8 +136,15 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 					if err != nil {
 						return err
 					}
-					srcs[i].Ref = nil
+					if srcs[i].Desc.Digest == "" {
 						srcs[i].Desc = desc
+					} else {
+						var err error
+						srcs[i].Desc, err = mergeDesc(desc, srcs[i].Desc)
+						if err != nil {
+							return err
+						}
+					}
 					return nil
 				})
 			}(i)
@@ -128,12 +154,7 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 		}
 	}
 
-	descs := make([]ocispec.Descriptor, len(srcs))
-	for i := range descs {
-		descs[i] = srcs[i].Desc
-	}
-
-	dt, desc, err := r.Combine(ctx, repo, descs)
+	dt, desc, err := r.Combine(ctx, srcs)
 	if err != nil {
 		return err
 	}
@@ -144,31 +165,58 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 	}
 
 	// new resolver cause need new auth
-	r = imagetools.New(imagetools.Opt{
-		Auth: dockerCli.ConfigFile(),
-	})
+	r = imagetools.New(imageopt)
 
-	for _, t := range tags {
-		if err := r.Push(ctx, t, desc, dt); err != nil {
+	ctx2, cancel := context.WithCancel(context.TODO())
+	defer cancel()
+	printer, err := progress.NewPrinter(ctx2, os.Stderr, os.Stderr, in.progress)
+	if err != nil {
 		return err
 	}
-		fmt.Println(t.String())
+
+	eg, _ := errgroup.WithContext(ctx)
+	pw := progress.WithPrefix(printer, "internal", true)
+
+	for _, t := range tags {
+		t := t
+		eg.Go(func() error {
+			return progress.Wrap(fmt.Sprintf("pushing %s", t.String()), pw.Write, func(sub progress.SubLogger) error {
+				eg2, _ := errgroup.WithContext(ctx)
+				for _, s := range srcs {
+					if reference.Domain(s.Ref) == reference.Domain(t) && reference.Path(s.Ref) == reference.Path(t) {
+						continue
+					}
+					s := s
+					eg2.Go(func() error {
+						sub.Log(1, []byte(fmt.Sprintf("copying %s from %s to %s\n", s.Desc.Digest.String(), s.Ref.String(), t.String())))
+						return r.Copy(ctx, s, t)
+					})
 				}
 
-	return nil
+				if err := eg2.Wait(); err != nil {
+					return err
+				}
+				sub.Log(1, []byte(fmt.Sprintf("pushing %s to %s\n", desc.Digest.String(), t.String())))
+				return r.Push(ctx, t, desc, dt)
+			})
+		})
 	}
 
-type src struct {
-	Desc ocispec.Descriptor
-	Ref  reference.Named
+	err = eg.Wait()
+	err1 := printer.Wait()
+	if err == nil {
+		err = err1
 	}
 
-func parseSources(in []string) ([]*src, error) {
-	out := make([]*src, len(in))
+	return err
+}
+
+func parseSources(in []string) ([]*imagetools.Source, error) {
+	out := make([]*imagetools.Source, len(in))
 	for i, in := range in {
 		s, err := parseSource(in)
 		if err != nil {
-			return nil, errors.Wrapf(err, "failed to parse source %q, valid sources are digests, refereces and descriptors", in)
+			return nil, errors.Wrapf(err, "failed to parse source %q, valid sources are digests, references and descriptors", in)
 		}
 		out[i] = s
 	}
@@ -187,11 +235,11 @@ func parseRefs(in []string) ([]reference.Named, error) {
 	return refs, nil
 }
 
-func parseSource(in string) (*src, error) {
+func parseSource(in string) (*imagetools.Source, error) {
 	// source can be a digest, reference or a descriptor JSON
 	dgst, err := digest.Parse(in)
 	if err == nil {
-		return &src{
+		return &imagetools.Source{
 			Desc: ocispec.Descriptor{
 				Digest: dgst,
 			},
@@ -202,39 +250,55 @@ func parseSource(in string) (*src, error) {
 
 	ref, err := reference.ParseNormalizedNamed(in)
 	if err == nil {
-		return &src{
+		return &imagetools.Source{
 			Ref: ref,
 		}, nil
 	} else if !strings.HasPrefix(in, "{") {
 		return nil, err
 	}
 
-	var s src
+	var s imagetools.Source
 	if err := json.Unmarshal([]byte(in), &s.Desc); err != nil {
 		return nil, errors.WithStack(err)
 	}
 	return &s, nil
 }
 
-func createCmd(dockerCli command.Cli) *cobra.Command {
+func createCmd(dockerCli command.Cli, opts RootOptions) *cobra.Command {
 	var options createOptions
 
 	cmd := &cobra.Command{
 		Use:   "create [OPTIONS] [SOURCE] [SOURCE...]",
 		Short: "Create a new image based on source images",
 		RunE: func(cmd *cobra.Command, args []string) error {
+			options.builder = *opts.Builder
 			return runCreate(dockerCli, options, args)
 		},
+		ValidArgsFunction: completion.Disable,
 	}
 
 	flags := cmd.Flags()
-
 	flags.StringArrayVarP(&options.files, "file", "f", []string{}, "Read source descriptor from file")
 	flags.StringArrayVarP(&options.tags, "tag", "t", []string{}, "Set reference for new image")
 	flags.BoolVar(&options.dryrun, "dry-run", false, "Show final image instead of pushing")
 	flags.BoolVar(&options.actionAppend, "append", false, "Append to existing manifest")
-
-	_ = flags
+	flags.StringVar(&options.progress, "progress", "auto", `Set type of progress output ("auto", "plain", "tty"). Use plain to show container output`)
 
 	return cmd
 }
+
+func mergeDesc(d1, d2 ocispec.Descriptor) (ocispec.Descriptor, error) {
+	if d2.Size != 0 && d1.Size != d2.Size {
+		return ocispec.Descriptor{}, errors.Errorf("invalid size mismatch for %s, %d != %d", d1.Digest, d2.Size, d1.Size)
+	}
+	if d2.MediaType != "" {
+		d1.MediaType = d2.MediaType
+	}
+	if len(d2.Annotations) != 0 {
+		d1.Annotations = d2.Annotations // no merge so support removes
+	}
+	if d2.Platform != nil {
+		d1.Platform = d2.Platform // missing items filled in later from image config
+	}
+	return d1, nil
+}

commands/imagetools/inspect.go

@@ -1,68 +1,67 @@
 package commands
 
 import (
-	"fmt"
-	"os"
-
-	"github.com/containerd/containerd/images"
+	"github.com/docker/buildx/builder"
+	"github.com/docker/buildx/util/cobrautil/completion"
 	"github.com/docker/buildx/util/imagetools"
+	"github.com/docker/cli-docs-tool/annotation"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/moby/buildkit/util/appcontext"
-	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 )
 
 type inspectOptions struct {
+	builder string
+	format  string
 	raw     bool
 }
 
 func runInspect(dockerCli command.Cli, in inspectOptions, name string) error {
 	ctx := appcontext.Context()
 
-	r := imagetools.New(imagetools.Opt{
-		Auth: dockerCli.ConfigFile(),
-	})
+	if in.format != "" && in.raw {
+		return errors.Errorf("format and raw cannot be used together")
+	}
 
-	dt, desc, err := r.Get(ctx, name)
+	b, err := builder.New(dockerCli, builder.WithName(in.builder))
+	if err != nil {
+		return err
+	}
+	imageopt, err := b.ImageOpt()
 	if err != nil {
 		return err
 	}
 
-	if in.raw {
-		fmt.Printf("%s", dt) // avoid newline to keep digest
-		return nil
+	p, err := imagetools.NewPrinter(ctx, imageopt, name, in.format)
+	if err != nil {
+		return err
 	}
 
-	switch desc.MediaType {
-	// case images.MediaTypeDockerSchema2Manifest, specs.MediaTypeImageManifest:
-	// TODO: handle distribution manifest and schema1
-	case images.MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex:
-		imagetools.PrintManifestList(dt, desc, name, os.Stdout)
-	default:
-		fmt.Printf("%s\n", dt)
+	return p.Print(in.raw, dockerCli.Out())
 }
 
-	return nil
-}
-
-func inspectCmd(dockerCli command.Cli) *cobra.Command {
+func inspectCmd(dockerCli command.Cli, rootOpts RootOptions) *cobra.Command {
 	var options inspectOptions
 
 	cmd := &cobra.Command{
 		Use:   "inspect [OPTIONS] NAME",
-		Short: "Show details of image in the registry",
+		Short: "Show details of an image in the registry",
 		Args:  cli.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
+			options.builder = *rootOpts.Builder
 			return runInspect(dockerCli, options, args[0])
 		},
+		ValidArgsFunction: completion.Disable,
 	}
 
 	flags := cmd.Flags()
 
-	flags.BoolVar(&options.raw, "raw", false, "Show original JSON manifest")
+	flags.StringVar(&options.format, "format", "", "Format the output using the given Go template")
+	flags.SetAnnotation("format", annotation.DefaultValue, []string{`"{{.Manifest}}"`})
 
-	_ = flags
+	flags.BoolVar(&options.raw, "raw", false, "Show original, unformatted JSON manifest")
 
 	return cmd
 }

commands/imagetools/root.go

@@ -1,19 +1,25 @@
 package commands
 
 import (
+	"github.com/docker/buildx/util/cobrautil/completion"
 	"github.com/docker/cli/cli/command"
 	"github.com/spf13/cobra"
 )
 
-func RootCmd(dockerCli command.Cli) *cobra.Command {
+type RootOptions struct {
+	Builder *string
+}
+
+func RootCmd(dockerCli command.Cli, opts RootOptions) *cobra.Command {
 	cmd := &cobra.Command{
 		Use:               "imagetools",
 		Short:             "Commands to work on images in registry",
+		ValidArgsFunction: completion.Disable,
 	}
 
 	cmd.AddCommand(
-		inspectCmd(dockerCli),
-		createCmd(dockerCli),
+		createCmd(dockerCli, opts),
+		inspectCmd(dockerCli, opts),
 	)
 
 	return cmd

commands/inspect.go

@@ -4,21 +4,21 @@ import (
 	"context"
 	"fmt"
 	"os"
+	"sort"
 	"strings"
 	"text/tabwriter"
 	"time"
 
-	"github.com/docker/buildx/build"
+	"github.com/docker/buildx/builder"
 	"github.com/docker/buildx/driver"
-	"github.com/docker/buildx/store"
+	"github.com/docker/buildx/util/cobrautil/completion"
 	"github.com/docker/buildx/util/platformutil"
-	"github.com/docker/buildx/util/progress"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/debug"
+	"github.com/docker/go-units"
 	"github.com/moby/buildkit/util/appcontext"
-	specs "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/spf13/cobra"
-	"golang.org/x/sync/errgroup"
 )
 
 type inspectOptions struct {
@@ -26,103 +26,106 @@ type inspectOptions struct {
 	builder   string
 }
 
-type dinfo struct {
-	di        *build.DriverInfo
-	info      *driver.Info
-	platforms []specs.Platform
-	err       error
-}
-
-type nginfo struct {
-	ng      *store.NodeGroup
-	drivers []dinfo
-	err     error
-}
-
 func runInspect(dockerCli command.Cli, in inspectOptions) error {
 	ctx := appcontext.Context()
 
-	txn, release, err := getStore(dockerCli)
+	b, err := builder.New(dockerCli,
+		builder.WithName(in.builder),
+		builder.WithSkippedValidation(),
+	)
 	if err != nil {
 		return err
 	}
-	defer release()
-
-	var ng *store.NodeGroup
-
-	if in.builder != "" {
-		ng, err = getNodeGroup(txn, dockerCli, in.builder)
-		if err != nil {
-			return err
-		}
-	} else {
-		ng, err = getCurrentInstance(txn, dockerCli)
-		if err != nil {
-			return err
-		}
-	}
-
-	if ng == nil {
-		ng = &store.NodeGroup{
-			Name: "default",
-			Nodes: []store.Node{{
-				Name:     "default",
-				Endpoint: "default",
-			}},
-		}
-	}
-
-	ngi := &nginfo{ng: ng}
 
 	timeoutCtx, cancel := context.WithTimeout(ctx, 20*time.Second)
 	defer cancel()
 
-	err = loadNodeGroupData(timeoutCtx, dockerCli, ngi)
-
-	var bootNgi *nginfo
+	nodes, err := b.LoadNodes(timeoutCtx, true)
 	if in.bootstrap {
 		var ok bool
-		ok, err = boot(ctx, ngi, dockerCli)
+		ok, err = b.Boot(ctx)
 		if err != nil {
 			return err
 		}
-		bootNgi = ngi
 		if ok {
-			ngi = &nginfo{ng: ng}
-			err = loadNodeGroupData(ctx, dockerCli, ngi)
+			nodes, err = b.LoadNodes(timeoutCtx, true)
 		}
 	}
 
 	w := tabwriter.NewWriter(os.Stdout, 0, 0, 1, ' ', 0)
-	fmt.Fprintf(w, "Name:\t%s\n", ngi.ng.Name)
-	fmt.Fprintf(w, "Driver:\t%s\n", ngi.ng.Driver)
+	fmt.Fprintf(w, "Name:\t%s\n", b.Name)
+	fmt.Fprintf(w, "Driver:\t%s\n", b.Driver)
+	if !b.NodeGroup.LastActivity.IsZero() {
+		fmt.Fprintf(w, "Last Activity:\t%v\n", b.NodeGroup.LastActivity)
+	}
+
 	if err != nil {
 		fmt.Fprintf(w, "Error:\t%s\n", err.Error())
-	} else if ngi.err != nil {
-		fmt.Fprintf(w, "Error:\t%s\n", ngi.err.Error())
+	} else if b.Err() != nil {
+		fmt.Fprintf(w, "Error:\t%s\n", b.Err().Error())
 	}
 	if err == nil {
 		fmt.Fprintln(w, "")
 		fmt.Fprintln(w, "Nodes:")
 
-		for i, n := range ngi.ng.Nodes {
+		for i, n := range nodes {
 			if i != 0 {
 				fmt.Fprintln(w, "")
 			}
 			fmt.Fprintf(w, "Name:\t%s\n", n.Name)
 			fmt.Fprintf(w, "Endpoint:\t%s\n", n.Endpoint)
-			if err := ngi.drivers[i].di.Err; err != nil {
+
+			var driverOpts []string
+			for k, v := range n.DriverOpts {
+				driverOpts = append(driverOpts, fmt.Sprintf("%s=%q", k, v))
+			}
+			if len(driverOpts) > 0 {
+				fmt.Fprintf(w, "Driver Options:\t%s\n", strings.Join(driverOpts, " "))
+			}
+
+			if err := n.Err; err != nil {
 				fmt.Fprintf(w, "Error:\t%s\n", err.Error())
-			} else if err := ngi.drivers[i].err; err != nil {
-				fmt.Fprintf(w, "Error:\t%s\n", err.Error())
-			} else if bootNgi != nil && len(bootNgi.drivers) > i && bootNgi.drivers[i].err != nil {
-				fmt.Fprintf(w, "Error:\t%s\n", bootNgi.drivers[i].err.Error())
 			} else {
-				fmt.Fprintf(w, "Status:\t%s\n", ngi.drivers[i].info.Status)
+				fmt.Fprintf(w, "Status:\t%s\n", nodes[i].DriverInfo.Status)
 				if len(n.Flags) > 0 {
 					fmt.Fprintf(w, "Flags:\t%s\n", strings.Join(n.Flags, " "))
 				}
-				fmt.Fprintf(w, "Platforms:\t%s\n", strings.Join(platformutil.FormatInGroups(n.Platforms, ngi.drivers[i].platforms), ", "))
+				if nodes[i].Version != "" {
+					fmt.Fprintf(w, "Buildkit:\t%s\n", nodes[i].Version)
+				}
+				fmt.Fprintf(w, "Platforms:\t%s\n", strings.Join(platformutil.FormatInGroups(n.Node.Platforms, n.Platforms), ", "))
+				if debug.IsEnabled() {
+					fmt.Fprintf(w, "Features:\n")
+					features := nodes[i].Driver.Features(ctx)
+					featKeys := make([]string, 0, len(features))
+					for k := range features {
+						featKeys = append(featKeys, string(k))
+					}
+					sort.Strings(featKeys)
+					for _, k := range featKeys {
+						fmt.Fprintf(w, "\t%s:\t%t\n", k, features[driver.Feature(k)])
+					}
+				}
+				if len(nodes[i].Labels) > 0 {
+					fmt.Fprintf(w, "Labels:\n")
+					for _, k := range sortedKeys(nodes[i].Labels) {
+						v := nodes[i].Labels[k]
+						fmt.Fprintf(w, "\t%s:\t%s\n", k, v)
+					}
+				}
+				for ri, rule := range nodes[i].GCPolicy {
+					fmt.Fprintf(w, "GC Policy rule#%d:\n", ri)
+					fmt.Fprintf(w, "\tAll:\t%v\n", rule.All)
+					if len(rule.Filter) > 0 {
+						fmt.Fprintf(w, "\tFilters:\t%s\n", strings.Join(rule.Filter, " "))
+					}
+					if rule.KeepDuration > 0 {
+						fmt.Fprintf(w, "\tKeep Duration:\t%v\n", rule.KeepDuration.String())
+					}
+					if rule.KeepBytes > 0 {
+						fmt.Fprintf(w, "\tKeep Bytes:\t%s\n", units.BytesSize(float64(rule.KeepBytes)))
+					}
+				}
 			}
 		}
 	}
@@ -146,52 +149,22 @@ func inspectCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
 			}
 			return runInspect(dockerCli, options)
 		},
+		ValidArgsFunction: completion.BuilderNames(dockerCli),
 	}
 
 	flags := cmd.Flags()
-
 	flags.BoolVar(&options.bootstrap, "bootstrap", false, "Ensure builder has booted before inspecting")
 
-	_ = flags
-
 	return cmd
 }
 
-func boot(ctx context.Context, ngi *nginfo, dockerCli command.Cli) (bool, error) {
-	toBoot := make([]int, 0, len(ngi.drivers))
-	for i, d := range ngi.drivers {
-		if d.err != nil || d.di.Err != nil || d.di.Driver == nil || d.info == nil {
-			continue
+func sortedKeys(m map[string]string) []string {
+	s := make([]string, len(m))
+	i := 0
+	for k := range m {
+		s[i] = k
+		i++
 	}
-		if d.info.Status != driver.Running {
-			toBoot = append(toBoot, i)
-		}
-	}
-	if len(toBoot) == 0 {
-		return false, nil
-	}
-
-	printer := progress.NewPrinter(context.TODO(), os.Stderr, "auto")
-
-	eg, _ := errgroup.WithContext(ctx)
-	for _, idx := range toBoot {
-		func(idx int) {
-			eg.Go(func() error {
-				pw := progress.WithPrefix(printer, ngi.ng.Nodes[idx].Name, len(toBoot) > 1)
-				_, err := driver.Boot(ctx, ngi.drivers[idx].di.Driver, pw)
-				if err != nil {
-					ngi.drivers[idx].err = err
-				}
-				return nil
-			})
-		}(idx)
-	}
-
-	err := eg.Wait()
-	err1 := printer.Wait()
-	if err == nil {
-		err = err1
-	}
-
-	return true, err
+	sort.Strings(s)
+	return s
 }

commands/install.go

@@ -3,6 +3,8 @@ package commands
 import (
 	"os"
 
+	"github.com/docker/buildx/util/cobrautil"
+	"github.com/docker/buildx/util/cobrautil/completion"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/config"
@@ -46,7 +48,11 @@ func installCmd(dockerCli command.Cli) *cobra.Command {
 			return runInstall(dockerCli, options)
 		},
 		Hidden:            true,
+		ValidArgsFunction: completion.Disable,
 	}
 
+	// hide builder persistent flag for this command
+	cobrautil.HideInheritedFlags(cmd, "builder")
+
 	return cmd
 }

commands/ls.go

@@ -4,12 +4,14 @@ import (
 	"context"
 	"fmt"
 	"io"
-	"os"
 	"strings"
 	"text/tabwriter"
 	"time"
 
-	"github.com/docker/buildx/store"
+	"github.com/docker/buildx/builder"
+	"github.com/docker/buildx/store/storeutil"
+	"github.com/docker/buildx/util/cobrautil"
+	"github.com/docker/buildx/util/cobrautil/completion"
 	"github.com/docker/buildx/util/platformutil"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
@@ -24,51 +26,30 @@ type lsOptions struct {
 func runLs(dockerCli command.Cli, in lsOptions) error {
 	ctx := appcontext.Context()
 
-	txn, release, err := getStore(dockerCli)
+	txn, release, err := storeutil.GetStore(dockerCli)
 	if err != nil {
 		return err
 	}
 	defer release()
 
-	ctx, cancel := context.WithTimeout(ctx, 20*time.Second)
+	current, err := storeutil.GetCurrentInstance(txn, dockerCli)
+	if err != nil {
+		return err
+	}
+
+	builders, err := builder.GetBuilders(dockerCli, txn)
+	if err != nil {
+		return err
+	}
+
+	timeoutCtx, cancel := context.WithTimeout(ctx, 20*time.Second)
 	defer cancel()
 
-	ll, err := txn.List()
-	if err != nil {
-		return err
-	}
-
-	builders := make([]*nginfo, len(ll))
-	for i, ng := range ll {
-		builders[i] = &nginfo{ng: ng}
-	}
-
-	list, err := dockerCli.ContextStore().List()
-	if err != nil {
-		return err
-	}
-	ctxbuilders := make([]*nginfo, len(list))
-	for i, l := range list {
-		ctxbuilders[i] = &nginfo{ng: &store.NodeGroup{
-			Name: l.Name,
-			Nodes: []store.Node{{
-				Name:     l.Name,
-				Endpoint: l.Name,
-			}},
-		}}
-	}
-
-	builders = append(builders, ctxbuilders...)
-
-	eg, _ := errgroup.WithContext(ctx)
-
+	eg, _ := errgroup.WithContext(timeoutCtx)
 	for _, b := range builders {
-		func(b *nginfo) {
+		func(b *builder.Builder) {
 			eg.Go(func() error {
-				err = loadNodeGroupData(ctx, dockerCli, b)
-				if b.err == nil && err != nil {
-					b.err = err
-				}
+				_, _ = b.LoadNodes(timeoutCtx, true)
 				return nil
 			})
 		}(b)
@@ -78,61 +59,62 @@ func runLs(dockerCli command.Cli, in lsOptions) error {
 		return err
 	}
 
-	currentName := "default"
-	current, err := getCurrentInstance(txn, dockerCli)
-	if err != nil {
-		return err
-	}
-	if current != nil {
-		currentName = current.Name
-		if current.Name == "default" {
-			currentName = current.Nodes[0].Endpoint
-		}
-	}
+	w := tabwriter.NewWriter(dockerCli.Out(), 0, 0, 1, ' ', 0)
+	fmt.Fprintf(w, "NAME/NODE\tDRIVER/ENDPOINT\tSTATUS\tBUILDKIT\tPLATFORMS\n")
 
-	w := tabwriter.NewWriter(os.Stdout, 0, 0, 1, ' ', 0)
-	fmt.Fprintf(w, "NAME/NODE\tDRIVER/ENDPOINT\tSTATUS\tPLATFORMS\n")
-
-	currentSet := false
+	printErr := false
 	for _, b := range builders {
-		if !currentSet && b.ng.Name == currentName {
-			b.ng.Name += " *"
-			currentSet = true
+		if current.Name == b.Name {
+			b.Name += " *"
+		}
+		if ok := printBuilder(w, b); !ok {
+			printErr = true
 		}
-		printngi(w, b)
 	}
 
 	w.Flush()
 
+	if printErr {
+		_, _ = fmt.Fprintf(dockerCli.Err(), "\n")
+		for _, b := range builders {
+			if b.Err() != nil {
+				_, _ = fmt.Fprintf(dockerCli.Err(), "Cannot load builder %s: %s\n", b.Name, strings.TrimSpace(b.Err().Error()))
+			} else {
+				for _, d := range b.Nodes() {
+					if d.Err != nil {
+						_, _ = fmt.Fprintf(dockerCli.Err(), "Failed to get status for %s (%s): %s\n", b.Name, d.Name, strings.TrimSpace(d.Err.Error()))
+					}
+				}
+			}
+		}
+	}
+
 	return nil
 }
 
-func printngi(w io.Writer, ngi *nginfo) {
+func printBuilder(w io.Writer, b *builder.Builder) (ok bool) {
+	ok = true
 	var err string
-	if ngi.err != nil {
-		err = ngi.err.Error()
-	}
-	fmt.Fprintf(w, "%s\t%s\t%s\t\n", ngi.ng.Name, ngi.ng.Driver, err)
-	if ngi.err == nil {
-		for idx, n := range ngi.ng.Nodes {
-			d := ngi.drivers[idx]
-			var err string
-			if d.err != nil {
-				err = d.err.Error()
-			} else if d.di.Err != nil {
-				err = d.di.Err.Error()
+	if b.Err() != nil {
+		ok = false
+		err = "error"
 	}
+	fmt.Fprintf(w, "%s\t%s\t%s\t\t\n", b.Name, b.Driver, err)
+	if b.Err() == nil {
+		for _, n := range b.Nodes() {
 			var status string
-			if d.info != nil {
-				status = d.info.Status.String()
+			if n.DriverInfo != nil {
+				status = n.DriverInfo.Status.String()
 			}
-			if err != "" {
-				fmt.Fprintf(w, "  %s\t%s\t%s\n", n.Name, n.Endpoint, err)
+			if n.Err != nil {
+				ok = false
+				fmt.Fprintf(w, "  %s\t%s\t%s\t\t\n", n.Name, n.Endpoint, "error")
 			} else {
-				fmt.Fprintf(w, "  %s\t%s\t%s\t%s\n", n.Name, n.Endpoint, status, strings.Join(platformutil.FormatInGroups(n.Platforms, d.platforms), ", "))
+				fmt.Fprintf(w, "  %s\t%s\t%s\t%s\t%s\n", n.Name, n.Endpoint, status, n.Version, strings.Join(platformutil.FormatInGroups(n.Node.Platforms, n.Platforms), ", "))
 			}
 		}
 	}
+	return
 }
 
 func lsCmd(dockerCli command.Cli) *cobra.Command {
@@ -145,7 +127,11 @@ func lsCmd(dockerCli command.Cli) *cobra.Command {
 		RunE: func(cmd *cobra.Command, args []string) error {
 			return runLs(dockerCli, options)
 		},
+		ValidArgsFunction: completion.Disable,
 	}
 
+	// hide builder persistent flag for this command
+	cobrautil.HideInheritedFlags(cmd, "builder")
+
 	return cmd
 }

commands/prune.go

@@ -7,16 +7,17 @@ import (
 	"text/tabwriter"
 	"time"
 
-	"github.com/docker/buildx/build"
+	"github.com/docker/buildx/builder"
+	"github.com/docker/buildx/util/cobrautil/completion"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/opts"
 	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/go-units"
 	"github.com/moby/buildkit/client"
 	"github.com/moby/buildkit/util/appcontext"
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
-	"github.com/tonistiigi/units"
 	"golang.org/x/sync/errgroup"
 )
 
@@ -54,15 +55,19 @@ func runPrune(dockerCli command.Cli, opts pruneOptions) error {
 		return nil
 	}
 
-	dis, err := getInstanceOrDefault(ctx, dockerCli, opts.builder, "")
+	b, err := builder.New(dockerCli, builder.WithName(opts.builder))
 	if err != nil {
 		return err
 	}
 
-	for _, di := range dis {
-		if di.Err != nil {
+	nodes, err := b.LoadNodes(ctx, false)
+	if err != nil {
 		return err
 	}
+	for _, node := range nodes {
+		if node.Err != nil {
+			return node.Err
+		}
 	}
 
 	ch := make(chan client.UsageInfo)
@@ -90,11 +95,11 @@ func runPrune(dockerCli command.Cli, opts pruneOptions) error {
 	}()
 
 	eg, ctx := errgroup.WithContext(ctx)
-	for _, di := range dis {
-		func(di build.DriverInfo) {
+	for _, node := range nodes {
+		func(node builder.Node) {
 			eg.Go(func() error {
-				if di.Driver != nil {
-					c, err := di.Driver.Client(ctx)
+				if node.Driver != nil {
+					c, err := node.Driver.Client(ctx)
 					if err != nil {
 						return err
 					}
@@ -109,7 +114,7 @@ func runPrune(dockerCli command.Cli, opts pruneOptions) error {
 				}
 				return nil
 			})
-		}(di)
+		}(node)
 	}
 
 	if err := eg.Wait(); err != nil {
@@ -119,7 +124,7 @@ func runPrune(dockerCli command.Cli, opts pruneOptions) error {
 	<-printed
 
 	tw = tabwriter.NewWriter(os.Stdout, 1, 8, 1, '\t', 0)
-	fmt.Fprintf(tw, "Total:\t%.2f\n", units.Bytes(total))
+	fmt.Fprintf(tw, "Total:\t%s\n", units.HumanSize(float64(total)))
 	tw.Flush()
 	return nil
 }
@@ -135,11 +140,12 @@ func pruneCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
 			options.builder = rootOpts.builder
 			return runPrune(dockerCli, options)
 		},
+		ValidArgsFunction: completion.Disable,
 	}
 
 	flags := cmd.Flags()
-	flags.BoolVarP(&options.all, "all", "a", false, "Remove all unused images, not just dangling ones")
-	flags.Var(&options.filter, "filter", "Provide filter values (e.g. 'until=24h')")
+	flags.BoolVarP(&options.all, "all", "a", false, "Include internal/frontend images")
+	flags.Var(&options.filter, "filter", `Provide filter values (e.g., "until=24h")`)
 	flags.Var(&options.keepStorage, "keep-storage", "Amount of disk space to keep for cache")
 	flags.BoolVar(&options.verbose, "verbose", false, "Provide a more verbose output")
 	flags.BoolVarP(&options.force, "force", "f", false, "Do not prompt for confirmation")
@@ -155,9 +161,9 @@ func toBuildkitPruneInfo(f filters.Args) (*client.PruneInfo, error) {
 	if len(untilValues) > 0 && len(unusedForValues) > 0 {
 		return nil, errors.Errorf("conflicting filters %q and %q", "until", "unused-for")
 	}
-	filterKey := "until"
+	untilKey := "until"
 	if len(unusedForValues) > 0 {
-		filterKey = "unused-for"
+		untilKey = "unused-for"
 	}
 	untilValues = append(untilValues, unusedForValues...)
 
@@ -168,23 +174,27 @@ func toBuildkitPruneInfo(f filters.Args) (*client.PruneInfo, error) {
 		var err error
 		until, err = time.ParseDuration(untilValues[0])
 		if err != nil {
-			return nil, errors.Wrapf(err, "%q filter expects a duration (e.g., '24h')", filterKey)
+			return nil, errors.Wrapf(err, "%q filter expects a duration (e.g., '24h')", untilKey)
 		}
 	default:
 		return nil, errors.Errorf("filters expect only one value")
 	}
 
-	bkFilter := make([]string, 0, f.Len())
-	for _, field := range f.Keys() {
-		values := f.Get(field)
+	filters := make([]string, 0, f.Len())
+	for _, filterKey := range f.Keys() {
+		if filterKey == untilKey {
+			continue
+		}
+
+		values := f.Get(filterKey)
 		switch len(values) {
 		case 0:
-			bkFilter = append(bkFilter, field)
+			filters = append(filters, filterKey)
 		case 1:
-			if field == "id" {
-				bkFilter = append(bkFilter, field+"~="+values[0])
+			if filterKey == "id" {
+				filters = append(filters, filterKey+"~="+values[0])
 			} else {
-				bkFilter = append(bkFilter, field+"=="+values[0])
+				filters = append(filters, filterKey+"=="+values[0])
 			}
 		default:
 			return nil, errors.Errorf("filters expect only one value")
@@ -192,6 +202,6 @@ func toBuildkitPruneInfo(f filters.Args) (*client.PruneInfo, error) {
 	}
 	return &client.PruneInfo{
 		KeepDuration: until,
-		Filter:       []string{strings.Join(bkFilter, ",")},
+		Filter:       []string{strings.Join(filters, ",")},
 	}, nil
 }

commands/rm.go

@@ -2,51 +2,77 @@ package commands
 
 import (
 	"context"
+	"fmt"
+	"time"
 
+	"github.com/docker/buildx/builder"
 	"github.com/docker/buildx/store"
+	"github.com/docker/buildx/store/storeutil"
+	"github.com/docker/buildx/util/cobrautil/completion"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/moby/buildkit/util/appcontext"
+	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
+	"golang.org/x/sync/errgroup"
 )
 
 type rmOptions struct {
 	builder     string
+	keepState   bool
+	keepDaemon  bool
+	allInactive bool
+	force       bool
 }
 
+const (
+	rmInactiveWarning = `WARNING! This will remove all builders that are not in running state. Are you sure you want to continue?`
+)
+
 func runRm(dockerCli command.Cli, in rmOptions) error {
 	ctx := appcontext.Context()
 
-	txn, release, err := getStore(dockerCli)
+	if in.allInactive && !in.force && !command.PromptForConfirmation(dockerCli.In(), dockerCli.Out(), rmInactiveWarning) {
+		return nil
+	}
+
+	txn, release, err := storeutil.GetStore(dockerCli)
 	if err != nil {
 		return err
 	}
 	defer release()
 
-	if in.builder != "" {
-		ng, err := getNodeGroup(txn, dockerCli, in.builder)
+	if in.allInactive {
+		return rmAllInactive(ctx, txn, dockerCli, in)
+	}
+
+	b, err := builder.New(dockerCli,
+		builder.WithName(in.builder),
+		builder.WithStore(txn),
+		builder.WithSkippedValidation(),
+	)
 	if err != nil {
 		return err
 	}
-		err1 := stop(ctx, dockerCli, ng, true)
-		if err := txn.Remove(ng.Name); err != nil {
-			return err
-		}
-		return err1
-	}
 
-	ng, err := getCurrentInstance(txn, dockerCli)
+	nodes, err := b.LoadNodes(ctx, false)
 	if err != nil {
 		return err
 	}
-	if ng != nil {
-		err1 := stop(ctx, dockerCli, ng, true)
-		if err := txn.Remove(ng.Name); err != nil {
+
+	if cb := b.ContextName(); cb != "" {
+		return errors.Errorf("context builder cannot be removed, run `docker context rm %s` to remove this context", cb)
+	}
+
+	err1 := rm(ctx, nodes, in)
+	if err := txn.Remove(b.Name); err != nil {
 		return err
 	}
+	if err1 != nil {
 		return err1
 	}
 
+	_, _ = fmt.Fprintf(dockerCli.Err(), "%s removed\n", b.Name)
 	return nil
 }
 
@@ -60,57 +86,78 @@ func rmCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
 		RunE: func(cmd *cobra.Command, args []string) error {
 			options.builder = rootOpts.builder
 			if len(args) > 0 {
+				if options.allInactive {
+					return errors.New("cannot specify builder name when --all-inactive is set")
+				}
 				options.builder = args[0]
 			}
 			return runRm(dockerCli, options)
 		},
+		ValidArgsFunction: completion.BuilderNames(dockerCli),
 	}
 
+	flags := cmd.Flags()
+	flags.BoolVar(&options.keepState, "keep-state", false, "Keep BuildKit state")
+	flags.BoolVar(&options.keepDaemon, "keep-daemon", false, "Keep the buildkitd daemon running")
+	flags.BoolVar(&options.allInactive, "all-inactive", false, "Remove all inactive builders")
+	flags.BoolVarP(&options.force, "force", "f", false, "Do not prompt for confirmation")
+
 	return cmd
 }
 
-func stop(ctx context.Context, dockerCli command.Cli, ng *store.NodeGroup, rm bool) error {
-	dis, err := driversForNodeGroup(ctx, dockerCli, ng, "")
-	if err != nil {
-		return err
+func rm(ctx context.Context, nodes []builder.Node, in rmOptions) (err error) {
+	for _, node := range nodes {
+		if node.Driver == nil {
+			continue
 		}
-	for _, di := range dis {
-		if di.Driver != nil {
-			if err := di.Driver.Stop(ctx, true); err != nil {
-				return err
-			}
-			if rm {
-				if err := di.Driver.Rm(ctx, true); err != nil {
+		// Do not stop the buildkitd daemon when --keep-daemon is provided
+		if !in.keepDaemon {
+			if err := node.Driver.Stop(ctx, true); err != nil {
 				return err
 			}
 		}
+		if err := node.Driver.Rm(ctx, true, !in.keepState, !in.keepDaemon); err != nil {
+			return err
 		}
-		if di.Err != nil {
-			err = di.Err
+		if node.Err != nil {
+			err = node.Err
 		}
 	}
 	return err
 }
 
-func stopCurrent(ctx context.Context, dockerCli command.Cli, rm bool) error {
-	dis, err := getDefaultDrivers(ctx, dockerCli, false, "")
+func rmAllInactive(ctx context.Context, txn *store.Txn, dockerCli command.Cli, in rmOptions) error {
+	builders, err := builder.GetBuilders(dockerCli, txn)
 	if err != nil {
 		return err
 	}
-	for _, di := range dis {
-		if di.Driver != nil {
-			if err := di.Driver.Stop(ctx, true); err != nil {
+
+	timeoutCtx, cancel := context.WithTimeout(ctx, 20*time.Second)
+	defer cancel()
+
+	eg, _ := errgroup.WithContext(timeoutCtx)
+	for _, b := range builders {
+		func(b *builder.Builder) {
+			eg.Go(func() error {
+				nodes, err := b.LoadNodes(timeoutCtx, true)
+				if err != nil {
+					return errors.Wrapf(err, "cannot load %s", b.Name)
+				}
+				if b.Dynamic {
+					return nil
+				}
+				if b.Inactive() {
+					rmerr := rm(ctx, nodes, in)
+					if err := txn.Remove(b.Name); err != nil {
 						return err
 					}
-			if rm {
-				if err := di.Driver.Rm(ctx, true); err != nil {
-					return err
+					_, _ = fmt.Fprintf(dockerCli.Err(), "%s removed\n", b.Name)
+					return rmerr
 				}
+				return nil
+			})
+		}(b)
 	}
-		}
-		if di.Err != nil {
-			err = di.Err
-		}
-	}
-	return err
+
+	return eg.Wait()
 }

commands/root.go

@@ -4,23 +4,65 @@ import (
 	"os"
 
 	imagetoolscmd "github.com/docker/buildx/commands/imagetools"
+	"github.com/docker/buildx/controller/remote"
+	"github.com/docker/buildx/util/cobrautil/completion"
+	"github.com/docker/buildx/util/logutil"
+	"github.com/docker/cli-docs-tool/annotation"
+	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli-plugins/plugin"
 	"github.com/docker/cli/cli/command"
+	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 )
 
 func NewRootCmd(name string, isPlugin bool, dockerCli command.Cli) *cobra.Command {
 	cmd := &cobra.Command{
-		Short: "Build with BuildKit",
+		Short: "Docker Buildx",
+		Long:  `Extended build capabilities with BuildKit`,
 		Use:   name,
+		Annotations: map[string]string{
+			annotation.CodeDelimiter: `"`,
+		},
+		CompletionOptions: cobra.CompletionOptions{
+			HiddenDefaultCmd: true,
+		},
 	}
 	if isPlugin {
 		cmd.PersistentPreRunE = func(cmd *cobra.Command, args []string) error {
 			return plugin.PersistentPreRunE(cmd, args)
 		}
+	} else {
+		// match plugin behavior for standalone mode
+		// https://github.com/docker/cli/blob/6c9eb708fa6d17765d71965f90e1c59cea686ee9/cli-plugins/plugin/plugin.go#L117-L127
+		cmd.SilenceUsage = true
+		cmd.SilenceErrors = true
+		cmd.TraverseChildren = true
+		cmd.DisableFlagsInUseLine = true
+		cli.DisableFlagsInUseLine(cmd)
 	}
 
+	logrus.SetFormatter(&logutil.Formatter{})
+
+	logrus.AddHook(logutil.NewFilter([]logrus.Level{
+		logrus.DebugLevel,
+	},
+		"serving grpc connection",
+		"stopping session",
+		"using default config store",
+	))
+
+	// filter out useless commandConn.CloseWrite warning message that can occur
+	// when listing builder instances with "buildx ls" for those that are
+	// unreachable: "commandConn.CloseWrite: commandconn: failed to wait: signal: killed"
+	// https://github.com/docker/cli/blob/3fb4fb83dfb5db0c0753a8316f21aea54dab32c5/cli/connhelper/commandconn/commandconn.go#L203-L214
+	logrus.AddHook(logutil.NewFilter([]logrus.Level{
+		logrus.WarnLevel,
+	},
+		"commandConn.CloseWrite:",
+		"commandConn.CloseRead:",
+	))
+
 	addCommands(cmd, dockerCli)
 	return cmd
 }
@@ -47,7 +89,16 @@ func addCommands(cmd *cobra.Command, dockerCli command.Cli) {
 		versionCmd(dockerCli),
 		pruneCmd(dockerCli, opts),
 		duCmd(dockerCli, opts),
-		imagetoolscmd.RootCmd(dockerCli),
+		imagetoolscmd.RootCmd(dockerCli, imagetoolscmd.RootOptions{Builder: &opts.builder}),
+	)
+	if isExperimental() {
+		remote.AddControllerCommands(cmd, dockerCli)
+		addDebugShellCommand(cmd, dockerCli)
+	}
+
+	cmd.RegisterFlagCompletionFunc( //nolint:errcheck
+		"builder",
+		completion.BuilderNames(dockerCli),
 	)
 }
 

commands/stop.go

@@ -1,6 +1,10 @@
 package commands
 
 import (
+	"context"
+
+	"github.com/docker/buildx/builder"
+	"github.com/docker/buildx/util/cobrautil/completion"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/moby/buildkit/util/appcontext"
@@ -14,32 +18,19 @@ type stopOptions struct {
 func runStop(dockerCli command.Cli, in stopOptions) error {
 	ctx := appcontext.Context()
 
-	txn, release, err := getStore(dockerCli)
+	b, err := builder.New(dockerCli,
+		builder.WithName(in.builder),
+		builder.WithSkippedValidation(),
+	)
 	if err != nil {
 		return err
 	}
-	defer release()
-
-	if in.builder != "" {
-		ng, err := getNodeGroup(txn, dockerCli, in.builder)
+	nodes, err := b.LoadNodes(ctx, false)
 	if err != nil {
 		return err
 	}
-		if err := stop(ctx, dockerCli, ng, false); err != nil {
-			return err
-		}
-		return nil
-	}
 
-	ng, err := getCurrentInstance(txn, dockerCli)
-	if err != nil {
-		return err
-	}
-	if ng != nil {
-		return stop(ctx, dockerCli, ng, false)
-	}
-
-	return stopCurrent(ctx, dockerCli, false)
+	return stop(ctx, nodes)
 }
 
 func stopCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
@@ -56,13 +47,22 @@ func stopCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
 			}
 			return runStop(dockerCli, options)
 		},
+		ValidArgsFunction: completion.BuilderNames(dockerCli),
 	}
 
-	flags := cmd.Flags()
-
-	// flags.StringArrayVarP(&options.outputs, "output", "o", []string{}, "Output destination (format: type=local,dest=path)")
-
-	_ = flags
-
 	return cmd
 }
+
+func stop(ctx context.Context, nodes []builder.Node) (err error) {
+	for _, node := range nodes {
+		if node.Driver != nil {
+			if err := node.Driver.Stop(ctx, true); err != nil {
+				return err
+			}
+		}
+		if node.Err != nil {
+			err = node.Err
+		}
+	}
+	return err
+}

commands/uninstall.go

@@ -3,6 +3,8 @@ package commands
 import (
 	"os"
 
+	"github.com/docker/buildx/util/cobrautil"
+	"github.com/docker/buildx/util/cobrautil/completion"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/config"
@@ -52,7 +54,11 @@ func uninstallCmd(dockerCli command.Cli) *cobra.Command {
 			return runUninstall(dockerCli, options)
 		},
 		Hidden:            true,
+		ValidArgsFunction: completion.Disable,
 	}
 
+	// hide builder persistent flag for this command
+	cobrautil.HideInheritedFlags(cmd, "builder")
+
 	return cmd
 }

commands/use.go

@@ -3,6 +3,9 @@ package commands
 import (
 	"os"
 
+	"github.com/docker/buildx/store/storeutil"
+	"github.com/docker/buildx/util/cobrautil/completion"
+	"github.com/docker/buildx/util/dockerutil"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/pkg/errors"
@@ -16,7 +19,7 @@ type useOptions struct {
 }
 
 func runUse(dockerCli command.Cli, in useOptions) error {
-	txn, release, err := getStore(dockerCli)
+	txn, release, err := storeutil.GetStore(dockerCli)
 	if err != nil {
 		return err
 	}
@@ -28,7 +31,7 @@ func runUse(dockerCli command.Cli, in useOptions) error {
 				return errors.Errorf("run `docker context use default` to switch to default context")
 			}
 			if in.builder == "default" || in.builder == dockerCli.CurrentContext() {
-				ep, err := getCurrentEndpoint(dockerCli)
+				ep, err := dockerutil.GetCurrentEndpoint(dockerCli)
 				if err != nil {
 					return err
 				}
@@ -51,7 +54,7 @@ func runUse(dockerCli command.Cli, in useOptions) error {
 		return errors.Wrapf(err, "failed to find instance %q", in.builder)
 	}
 
-	ep, err := getCurrentEndpoint(dockerCli)
+	ep, err := dockerutil.GetCurrentEndpoint(dockerCli)
 	if err != nil {
 		return err
 	}
@@ -76,14 +79,12 @@ func useCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
 			}
 			return runUse(dockerCli, options)
 		},
+		ValidArgsFunction: completion.BuilderNames(dockerCli),
 	}
 
 	flags := cmd.Flags()
-
 	flags.BoolVar(&options.isGlobal, "global", false, "Builder persists context changes")
 	flags.BoolVar(&options.isDefault, "default", false, "Set builder as default for current context")
 
-	_ = flags
-
 	return cmd
 }

commands/util.go

@@ -1,445 +0,0 @@
-package commands
-
-import (
-	"context"
-	"os"
-	"path/filepath"
-
-	"github.com/docker/buildx/build"
-	"github.com/docker/buildx/driver"
-	"github.com/docker/buildx/store"
-	"github.com/docker/buildx/util/platformutil"
-	"github.com/docker/cli/cli/command"
-	"github.com/docker/cli/cli/context/docker"
-	"github.com/docker/cli/cli/context/kubernetes"
-	dopts "github.com/docker/cli/opts"
-	dockerclient "github.com/docker/docker/client"
-	"github.com/pkg/errors"
-	"github.com/sirupsen/logrus"
-	"golang.org/x/sync/errgroup"
-)
-
-// getStore returns current builder instance store
-func getStore(dockerCli command.Cli) (*store.Txn, func(), error) {
-	s, err := store.New(getConfigStorePath(dockerCli))
-	if err != nil {
-		return nil, nil, err
-	}
-	return s.Txn()
-}
-
-// getConfigStorePath will look for correct configuration store path;
-// if `$BUILDX_CONFIG` is set - use it, otherwise use parent directory
-// of Docker config file (i.e. `${DOCKER_CONFIG}/buildx`)
-func getConfigStorePath(dockerCli command.Cli) string {
-	if buildxConfig := os.Getenv("BUILDX_CONFIG"); buildxConfig != "" {
-		logrus.Debugf("using config store %q based in \"$BUILDX_CONFIG\" environment variable", buildxConfig)
-		return buildxConfig
-	}
-
-	buildxConfig := filepath.Join(filepath.Dir(dockerCli.ConfigFile().Filename), "buildx")
-	logrus.Debugf("using default config store %q", buildxConfig)
-	return buildxConfig
-}
-
-// getCurrentEndpoint returns the current default endpoint value
-func getCurrentEndpoint(dockerCli command.Cli) (string, error) {
-	name := dockerCli.CurrentContext()
-	if name != "default" {
-		return name, nil
-	}
-	de, err := getDockerEndpoint(dockerCli, name)
-	if err != nil {
-		return "", errors.Errorf("docker endpoint for %q not found", name)
-	}
-	return de, nil
-}
-
-// getDockerEndpoint returns docker endpoint string for given context
-func getDockerEndpoint(dockerCli command.Cli, name string) (string, error) {
-	list, err := dockerCli.ContextStore().List()
-	if err != nil {
-		return "", err
-	}
-	for _, l := range list {
-		if l.Name == name {
-			ep, ok := l.Endpoints["docker"]
-			if !ok {
-				return "", errors.Errorf("context %q does not have a Docker endpoint", name)
-			}
-			typed, ok := ep.(docker.EndpointMeta)
-			if !ok {
-				return "", errors.Errorf("endpoint %q is not of type EndpointMeta, %T", ep, ep)
-			}
-			return typed.Host, nil
-		}
-	}
-	return "", nil
-}
-
-// validateEndpoint validates that endpoint is either a context or a docker host
-func validateEndpoint(dockerCli command.Cli, ep string) (string, error) {
-	de, err := getDockerEndpoint(dockerCli, ep)
-	if err == nil && de != "" {
-		if ep == "default" {
-			return de, nil
-		}
-		return ep, nil
-	}
-	h, err := dopts.ParseHost(true, ep)
-	if err != nil {
-		return "", errors.Wrapf(err, "failed to parse endpoint %s", ep)
-	}
-	return h, nil
-}
-
-// getCurrentInstance finds the current builder instance
-func getCurrentInstance(txn *store.Txn, dockerCli command.Cli) (*store.NodeGroup, error) {
-	ep, err := getCurrentEndpoint(dockerCli)
-	if err != nil {
-		return nil, err
-	}
-	ng, err := txn.Current(ep)
-	if err != nil {
-		return nil, err
-	}
-	if ng == nil {
-		ng, _ = getNodeGroup(txn, dockerCli, dockerCli.CurrentContext())
-	}
-
-	return ng, nil
-}
-
-// getNodeGroup returns nodegroup based on the name
-func getNodeGroup(txn *store.Txn, dockerCli command.Cli, name string) (*store.NodeGroup, error) {
-	ng, err := txn.NodeGroupByName(name)
-	if err != nil {
-		if !os.IsNotExist(errors.Cause(err)) {
-			return nil, err
-		}
-	}
-	if ng != nil {
-		return ng, nil
-	}
-
-	if name == "default" {
-		name = dockerCli.CurrentContext()
-	}
-
-	list, err := dockerCli.ContextStore().List()
-	if err != nil {
-		return nil, err
-	}
-	for _, l := range list {
-		if l.Name == name {
-			return &store.NodeGroup{
-				Name: "default",
-				Nodes: []store.Node{
-					{
-						Name:     "default",
-						Endpoint: name,
-					},
-				},
-			}, nil
-		}
-	}
-
-	return nil, errors.Errorf("no builder %q found", name)
-}
-
-// driversForNodeGroup returns drivers for a nodegroup instance
-func driversForNodeGroup(ctx context.Context, dockerCli command.Cli, ng *store.NodeGroup, contextPathHash string) ([]build.DriverInfo, error) {
-	eg, _ := errgroup.WithContext(ctx)
-
-	dis := make([]build.DriverInfo, len(ng.Nodes))
-
-	var f driver.Factory
-	if ng.Driver != "" {
-		f = driver.GetFactory(ng.Driver, true)
-		if f == nil {
-			return nil, errors.Errorf("failed to find driver %q", f)
-		}
-	} else {
-		dockerapi, err := clientForEndpoint(dockerCli, ng.Nodes[0].Endpoint)
-		if err != nil {
-			return nil, err
-		}
-		f, err = driver.GetDefaultFactory(ctx, dockerapi, false)
-		if err != nil {
-			return nil, err
-		}
-		ng.Driver = f.Name()
-	}
-
-	for i, n := range ng.Nodes {
-		func(i int, n store.Node) {
-			eg.Go(func() error {
-				di := build.DriverInfo{
-					Name:     n.Name,
-					Platform: n.Platforms,
-				}
-				defer func() {
-					dis[i] = di
-				}()
-				dockerapi, err := clientForEndpoint(dockerCli, n.Endpoint)
-				if err != nil {
-					di.Err = err
-					return nil
-				}
-				// TODO: replace the following line with dockerclient.WithAPIVersionNegotiation option in clientForEndpoint
-				dockerapi.NegotiateAPIVersion(ctx)
-
-				contextStore := dockerCli.ContextStore()
-
-				var kcc driver.KubeClientConfig
-				kcc, err = kubernetes.ConfigFromContext(n.Endpoint, contextStore)
-				if err != nil {
-					// err is returned if n.Endpoint is non-context name like "unix:///var/run/docker.sock".
-					// try again with name="default".
-					// FIXME: n should retain real context name.
-					kcc, err = kubernetes.ConfigFromContext("default", contextStore)
-					if err != nil {
-						logrus.Error(err)
-					}
-				}
-
-				tryToUseKubeConfigInCluster := false
-				if kcc == nil {
-					tryToUseKubeConfigInCluster = true
-				} else {
-					if _, err := kcc.ClientConfig(); err != nil {
-						tryToUseKubeConfigInCluster = true
-					}
-				}
-				if tryToUseKubeConfigInCluster {
-					kccInCluster := driver.KubeClientConfigInCluster{}
-					if _, err := kccInCluster.ClientConfig(); err == nil {
-						logrus.Debug("using kube config in cluster")
-						kcc = kccInCluster
-					}
-				}
-
-				d, err := driver.GetDriver(ctx, "buildx_buildkit_"+n.Name, f, dockerapi, dockerCli.ConfigFile(), kcc, n.Flags, n.ConfigFile, n.DriverOpts, n.Platforms, contextPathHash)
-				if err != nil {
-					di.Err = err
-					return nil
-				}
-				di.Driver = d
-				return nil
-			})
-		}(i, n)
-	}
-
-	if err := eg.Wait(); err != nil {
-		return nil, err
-	}
-
-	return dis, nil
-}
-
-// clientForEndpoint returns a docker client for an endpoint
-func clientForEndpoint(dockerCli command.Cli, name string) (dockerclient.APIClient, error) {
-	list, err := dockerCli.ContextStore().List()
-	if err != nil {
-		return nil, err
-	}
-	for _, l := range list {
-		if l.Name == name {
-			dep, ok := l.Endpoints["docker"]
-			if !ok {
-				return nil, errors.Errorf("context %q does not have a Docker endpoint", name)
-			}
-			epm, ok := dep.(docker.EndpointMeta)
-			if !ok {
-				return nil, errors.Errorf("endpoint %q is not of type EndpointMeta, %T", dep, dep)
-			}
-			ep, err := docker.WithTLSData(dockerCli.ContextStore(), name, epm)
-			if err != nil {
-				return nil, err
-			}
-			clientOpts, err := ep.ClientOpts()
-			if err != nil {
-				return nil, err
-			}
-			return dockerclient.NewClientWithOpts(clientOpts...)
-		}
-	}
-
-	ep := docker.Endpoint{
-		EndpointMeta: docker.EndpointMeta{
-			Host: name,
-		},
-	}
-
-	clientOpts, err := ep.ClientOpts()
-	if err != nil {
-		return nil, err
-	}
-
-	return dockerclient.NewClientWithOpts(clientOpts...)
-}
-
-func getInstanceOrDefault(ctx context.Context, dockerCli command.Cli, instance, contextPathHash string) ([]build.DriverInfo, error) {
-	var defaultOnly bool
-
-	if instance == "default" && instance != dockerCli.CurrentContext() {
-		return nil, errors.Errorf("use `docker --context=default buildx` to switch to default context")
-	}
-	if instance == "default" || instance == dockerCli.CurrentContext() {
-		instance = ""
-		defaultOnly = true
-	}
-	list, err := dockerCli.ContextStore().List()
-	if err != nil {
-		return nil, err
-	}
-	for _, l := range list {
-		if l.Name == instance {
-			return nil, errors.Errorf("use `docker --context=%s buildx` to switch to context %s", instance, instance)
-		}
-	}
-
-	if instance != "" {
-		return getInstanceByName(ctx, dockerCli, instance, contextPathHash)
-	}
-	return getDefaultDrivers(ctx, dockerCli, defaultOnly, contextPathHash)
-}
-
-func getInstanceByName(ctx context.Context, dockerCli command.Cli, instance, contextPathHash string) ([]build.DriverInfo, error) {
-	txn, release, err := getStore(dockerCli)
-	if err != nil {
-		return nil, err
-	}
-	defer release()
-
-	ng, err := txn.NodeGroupByName(instance)
-	if err != nil {
-		return nil, err
-	}
-	return driversForNodeGroup(ctx, dockerCli, ng, contextPathHash)
-}
-
-// getDefaultDrivers returns drivers based on current cli config
-func getDefaultDrivers(ctx context.Context, dockerCli command.Cli, defaultOnly bool, contextPathHash string) ([]build.DriverInfo, error) {
-	txn, release, err := getStore(dockerCli)
-	if err != nil {
-		return nil, err
-	}
-	defer release()
-
-	if !defaultOnly {
-		ng, err := getCurrentInstance(txn, dockerCli)
-		if err != nil {
-			return nil, err
-		}
-
-		if ng != nil {
-			return driversForNodeGroup(ctx, dockerCli, ng, contextPathHash)
-		}
-	}
-
-	d, err := driver.GetDriver(ctx, "buildx_buildkit_default", nil, dockerCli.Client(), dockerCli.ConfigFile(), nil, nil, "", nil, nil, contextPathHash)
-	if err != nil {
-		return nil, err
-	}
-	return []build.DriverInfo{
-		{
-			Name:   "default",
-			Driver: d,
-		},
-	}, nil
-}
-
-func loadInfoData(ctx context.Context, d *dinfo) error {
-	if d.di.Driver == nil {
-		return nil
-	}
-	info, err := d.di.Driver.Info(ctx)
-	if err != nil {
-		return err
-	}
-	d.info = info
-	if info.Status == driver.Running {
-		c, err := d.di.Driver.Client(ctx)
-		if err != nil {
-			return err
-		}
-		workers, err := c.ListWorkers(ctx)
-		if err != nil {
-			return errors.Wrap(err, "listing workers")
-		}
-		for _, w := range workers {
-			for _, p := range w.Platforms {
-				d.platforms = append(d.platforms, p)
-			}
-		}
-		d.platforms = platformutil.Dedupe(d.platforms)
-	}
-	return nil
-}
-
-func loadNodeGroupData(ctx context.Context, dockerCli command.Cli, ngi *nginfo) error {
-	eg, _ := errgroup.WithContext(ctx)
-
-	dis, err := driversForNodeGroup(ctx, dockerCli, ngi.ng, "")
-	if err != nil {
-		return err
-	}
-	ngi.drivers = make([]dinfo, len(dis))
-	for i, di := range dis {
-		d := di
-		ngi.drivers[i].di = &d
-		func(d *dinfo) {
-			eg.Go(func() error {
-				if err := loadInfoData(ctx, d); err != nil {
-					d.err = err
-				}
-				return nil
-			})
-		}(&ngi.drivers[i])
-	}
-
-	if eg.Wait(); err != nil {
-		return err
-	}
-
-	// skip when multi drivers
-	if len(ngi.drivers) == 1 {
-		for _, di := range ngi.drivers {
-			// dynamic nodes are used in Kubernetes driver.
-			// Kubernetes pods are dynamically mapped to BuildKit Nodes.
-			if di.info != nil && len(di.info.DynamicNodes) > 0 {
-				var drivers []dinfo
-				for i := 0; i < len(di.info.DynamicNodes); i++ {
-					// all []dinfo share *build.DriverInfo and *driver.Info
-					diClone := di
-					if pl := di.info.DynamicNodes[i].Platforms; len(pl) > 0 {
-						diClone.platforms = pl
-					}
-					drivers = append(drivers, di)
-				}
-				// not append (remove the static nodes in the store)
-				ngi.ng.Nodes = di.info.DynamicNodes
-				ngi.ng.Dynamic = true
-				ngi.drivers = drivers
-				return nil
-			}
-		}
-	}
-	return nil
-}
-
-func dockerAPI(dockerCli command.Cli) *api {
-	return &api{dockerCli: dockerCli}
-}
-
-type api struct {
-	dockerCli command.Cli
-}
-
-func (a *api) DockerAPI(name string) (dockerclient.APIClient, error) {
-	if name == "" {
-		name = a.dockerCli.CurrentContext()
-	}
-	return clientForEndpoint(a.dockerCli, name)
-}

commands/version.go

@@ -3,6 +3,8 @@ package commands
 import (
 	"fmt"
 
+	"github.com/docker/buildx/util/cobrautil"
+	"github.com/docker/buildx/util/cobrautil/completion"
 	"github.com/docker/buildx/version"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
@@ -22,6 +24,11 @@ func versionCmd(dockerCli command.Cli) *cobra.Command {
 		RunE: func(cmd *cobra.Command, args []string) error {
 			return runVersion(dockerCli)
 		},
+		ValidArgsFunction: completion.Disable,
 	}
+
+	// hide builder persistent flag for this command
+	cobrautil.HideInheritedFlags(cmd, "builder")
+
 	return cmd
 }

controller/build/build.go

@@ -0,0 +1,266 @@
+package build
+
+import (
+	"context"
+	"io"
+	"os"
+	"path/filepath"
+	"strings"
+	"sync"
+
+	"github.com/docker/buildx/build"
+	"github.com/docker/buildx/builder"
+	controllerapi "github.com/docker/buildx/controller/pb"
+	"github.com/docker/buildx/store"
+	"github.com/docker/buildx/store/storeutil"
+	"github.com/docker/buildx/util/buildflags"
+	"github.com/docker/buildx/util/confutil"
+	"github.com/docker/buildx/util/dockerutil"
+	"github.com/docker/buildx/util/platformutil"
+	"github.com/docker/buildx/util/progress"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/config"
+	dockeropts "github.com/docker/cli/opts"
+	"github.com/docker/go-units"
+	"github.com/moby/buildkit/client"
+	"github.com/moby/buildkit/session/auth/authprovider"
+	"github.com/moby/buildkit/util/grpcerrors"
+	"github.com/pkg/errors"
+	"google.golang.org/grpc/codes"
+)
+
+const defaultTargetName = "default"
+
+// RunBuild runs the specified build and returns the result.
+//
+// NOTE: When an error happens during the build and this function acquires the debuggable *build.ResultHandle,
+// this function returns it in addition to the error (i.e. it does "return nil, res, err"). The caller can
+// inspect the result and debug the cause of that error.
+func RunBuild(ctx context.Context, dockerCli command.Cli, in controllerapi.BuildOptions, inStream io.Reader, progress progress.Writer, generateResult bool) (*client.SolveResponse, *build.ResultHandle, error) {
+	if in.NoCache && len(in.NoCacheFilter) > 0 {
+		return nil, nil, errors.Errorf("--no-cache and --no-cache-filter cannot currently be used together")
+	}
+
+	contexts := map[string]build.NamedContext{}
+	for name, path := range in.NamedContexts {
+		contexts[name] = build.NamedContext{Path: path}
+	}
+
+	opts := build.Options{
+		Inputs: build.Inputs{
+			ContextPath:    in.ContextPath,
+			DockerfilePath: in.DockerfileName,
+			InStream:       inStream,
+			NamedContexts:  contexts,
+		},
+		BuildArgs:     in.BuildArgs,
+		ExtraHosts:    in.ExtraHosts,
+		Labels:        in.Labels,
+		NetworkMode:   in.NetworkMode,
+		NoCache:       in.NoCache,
+		NoCacheFilter: in.NoCacheFilter,
+		Pull:          in.Pull,
+		ShmSize:       dockeropts.MemBytes(in.ShmSize),
+		Tags:          in.Tags,
+		Target:        in.Target,
+		Ulimits:       controllerUlimitOpt2DockerUlimit(in.Ulimits),
+	}
+
+	platforms, err := platformutil.Parse(in.Platforms)
+	if err != nil {
+		return nil, nil, err
+	}
+	opts.Platforms = platforms
+
+	dockerConfig := config.LoadDefaultConfigFile(os.Stderr)
+	opts.Session = append(opts.Session, authprovider.NewDockerAuthProvider(dockerConfig))
+
+	secrets, err := controllerapi.CreateSecrets(in.Secrets)
+	if err != nil {
+		return nil, nil, err
+	}
+	opts.Session = append(opts.Session, secrets)
+
+	sshSpecs := in.SSH
+	if len(sshSpecs) == 0 && buildflags.IsGitSSH(in.ContextPath) {
+		sshSpecs = append(sshSpecs, &controllerapi.SSH{ID: "default"})
+	}
+	ssh, err := controllerapi.CreateSSH(sshSpecs)
+	if err != nil {
+		return nil, nil, err
+	}
+	opts.Session = append(opts.Session, ssh)
+
+	outputs, err := controllerapi.CreateExports(in.Exports)
+	if err != nil {
+		return nil, nil, err
+	}
+	if in.ExportPush {
+		if in.ExportLoad {
+			return nil, nil, errors.Errorf("push and load may not be set together at the moment")
+		}
+		if len(outputs) == 0 {
+			outputs = []client.ExportEntry{{
+				Type: "image",
+				Attrs: map[string]string{
+					"push": "true",
+				},
+			}}
+		} else {
+			switch outputs[0].Type {
+			case "image":
+				outputs[0].Attrs["push"] = "true"
+			default:
+				return nil, nil, errors.Errorf("push and %q output can't be used together", outputs[0].Type)
+			}
+		}
+	}
+	if in.ExportLoad {
+		if len(outputs) == 0 {
+			outputs = []client.ExportEntry{{
+				Type:  "docker",
+				Attrs: map[string]string{},
+			}}
+		} else {
+			switch outputs[0].Type {
+			case "docker":
+			default:
+				return nil, nil, errors.Errorf("load and %q output can't be used together", outputs[0].Type)
+			}
+		}
+	}
+	opts.Exports = outputs
+
+	opts.CacheFrom = controllerapi.CreateCaches(in.CacheFrom)
+	opts.CacheTo = controllerapi.CreateCaches(in.CacheTo)
+
+	opts.Attests = controllerapi.CreateAttestations(in.Attests)
+
+	opts.SourcePolicy = in.SourcePolicy
+
+	allow, err := buildflags.ParseEntitlements(in.Allow)
+	if err != nil {
+		return nil, nil, err
+	}
+	opts.Allow = allow
+
+	if in.PrintFunc != nil {
+		opts.PrintFunc = &build.PrintFunc{
+			Name:   in.PrintFunc.Name,
+			Format: in.PrintFunc.Format,
+		}
+	}
+
+	// key string used for kubernetes "sticky" mode
+	contextPathHash, err := filepath.Abs(in.ContextPath)
+	if err != nil {
+		contextPathHash = in.ContextPath
+	}
+
+	// TODO: this should not be loaded this side of the controller api
+	b, err := builder.New(dockerCli,
+		builder.WithName(in.Builder),
+		builder.WithContextPathHash(contextPathHash),
+	)
+	if err != nil {
+		return nil, nil, err
+	}
+	if err = updateLastActivity(dockerCli, b.NodeGroup); err != nil {
+		return nil, nil, errors.Wrapf(err, "failed to update builder last activity time")
+	}
+	nodes, err := b.LoadNodes(ctx, false)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	resp, res, err := buildTargets(ctx, dockerCli, b.NodeGroup, nodes, map[string]build.Options{defaultTargetName: opts}, progress, generateResult)
+	err = wrapBuildError(err, false)
+	if err != nil {
+		// NOTE: buildTargets can return *build.ResultHandle even on error.
+		return nil, res, err
+	}
+	return resp, res, nil
+}
+
+// buildTargets runs the specified build and returns the result.
+//
+// NOTE: When an error happens during the build and this function acquires the debuggable *build.ResultHandle,
+// this function returns it in addition to the error (i.e. it does "return nil, res, err"). The caller can
+// inspect the result and debug the cause of that error.
+func buildTargets(ctx context.Context, dockerCli command.Cli, ng *store.NodeGroup, nodes []builder.Node, opts map[string]build.Options, progress progress.Writer, generateResult bool) (*client.SolveResponse, *build.ResultHandle, error) {
+	var res *build.ResultHandle
+	var resp map[string]*client.SolveResponse
+	var err error
+	if generateResult {
+		var mu sync.Mutex
+		var idx int
+		resp, err = build.BuildWithResultHandler(ctx, nodes, opts, dockerutil.NewClient(dockerCli), confutil.ConfigDir(dockerCli), progress, func(driverIndex int, gotRes *build.ResultHandle) {
+			mu.Lock()
+			defer mu.Unlock()
+			if res == nil || driverIndex < idx {
+				idx, res = driverIndex, gotRes
+			}
+		})
+	} else {
+		resp, err = build.Build(ctx, nodes, opts, dockerutil.NewClient(dockerCli), confutil.ConfigDir(dockerCli), progress)
+	}
+	if err != nil {
+		return nil, res, err
+	}
+	return resp[defaultTargetName], res, err
+}
+
+func wrapBuildError(err error, bake bool) error {
+	if err == nil {
+		return nil
+	}
+	st, ok := grpcerrors.AsGRPCStatus(err)
+	if ok {
+		if st.Code() == codes.Unimplemented && strings.Contains(st.Message(), "unsupported frontend capability moby.buildkit.frontend.contexts") {
+			msg := "current frontend does not support --build-context."
+			if bake {
+				msg = "current frontend does not support defining additional contexts for targets."
+			}
+			msg += " Named contexts are supported since Dockerfile v1.4. Use #syntax directive in Dockerfile or update to latest BuildKit."
+			return &wrapped{err, msg}
+		}
+	}
+	return err
+}
+
+type wrapped struct {
+	err error
+	msg string
+}
+
+func (w *wrapped) Error() string {
+	return w.msg
+}
+
+func (w *wrapped) Unwrap() error {
+	return w.err
+}
+
+func updateLastActivity(dockerCli command.Cli, ng *store.NodeGroup) error {
+	txn, release, err := storeutil.GetStore(dockerCli)
+	if err != nil {
+		return err
+	}
+	defer release()
+	return txn.UpdateLastActivity(ng)
+}
+
+func controllerUlimitOpt2DockerUlimit(u *controllerapi.UlimitOpt) *dockeropts.UlimitOpt {
+	if u == nil {
+		return nil
+	}
+	values := make(map[string]*units.Ulimit)
+	for k, v := range u.Values {
+		values[k] = &units.Ulimit{
+			Name: v.Name,
+			Hard: v.Hard,
+			Soft: v.Soft,
+		}
+	}
+	return dockeropts.NewUlimitOpt(&values)
+}

controller/control/controller.go

@@ -0,0 +1,32 @@
+package control
+
+import (
+	"context"
+	"io"
+
+	controllerapi "github.com/docker/buildx/controller/pb"
+	"github.com/docker/buildx/util/progress"
+	"github.com/moby/buildkit/client"
+)
+
+type BuildxController interface {
+	Build(ctx context.Context, options controllerapi.BuildOptions, in io.ReadCloser, progress progress.Writer) (ref string, resp *client.SolveResponse, err error)
+	// Invoke starts an IO session into the specified process.
+	// If pid doesn't matche to any running processes, it starts a new process with the specified config.
+	// If there is no container running or InvokeConfig.Rollback is speicfied, the process will start in a newly created container.
+	// NOTE: If needed, in the future, we can split this API into three APIs (NewContainer, NewProcess and Attach).
+	Invoke(ctx context.Context, ref, pid string, options controllerapi.InvokeConfig, ioIn io.ReadCloser, ioOut io.WriteCloser, ioErr io.WriteCloser) error
+	Kill(ctx context.Context) error
+	Close() error
+	List(ctx context.Context) (refs []string, _ error)
+	Disconnect(ctx context.Context, ref string) error
+	ListProcesses(ctx context.Context, ref string) (infos []*controllerapi.ProcessInfo, retErr error)
+	DisconnectProcess(ctx context.Context, ref, pid string) error
+	Inspect(ctx context.Context, ref string) (*controllerapi.InspectResponse, error)
+}
+
+type ControlOptions struct {
+	ServerConfig string
+	Root         string
+	Detach       bool
+}

controller/controller.go

@@ -0,0 +1,36 @@
+package controller
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/docker/buildx/controller/control"
+	"github.com/docker/buildx/controller/local"
+	"github.com/docker/buildx/controller/remote"
+	"github.com/docker/buildx/util/progress"
+	"github.com/docker/cli/cli/command"
+	"github.com/pkg/errors"
+)
+
+func NewController(ctx context.Context, opts control.ControlOptions, dockerCli command.Cli, pw progress.Writer) (control.BuildxController, error) {
+	var name string
+	if opts.Detach {
+		name = "remote"
+	} else {
+		name = "local"
+	}
+
+	var c control.BuildxController
+	err := progress.Wrap(fmt.Sprintf("[internal] connecting to %s controller", name), pw.Write, func(l progress.SubLogger) (err error) {
+		if opts.Detach {
+			c, err = remote.NewRemoteBuildxController(ctx, dockerCli, opts, l)
+		} else {
+			c = local.NewLocalBuildxController(ctx, dockerCli, l)
+		}
+		return err
+	})
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to start buildx controller")
+	}
+	return c, nil
+}

controller/errdefs/build.go

@@ -0,0 +1,34 @@
+package errdefs
+
+import (
+	"github.com/containerd/typeurl/v2"
+	"github.com/moby/buildkit/util/grpcerrors"
+)
+
+func init() {
+	typeurl.Register((*Build)(nil), "github.com/docker/buildx", "errdefs.Build+json")
+}
+
+type BuildError struct {
+	Build
+	error
+}
+
+func (e *BuildError) Unwrap() error {
+	return e.error
+}
+
+func (e *BuildError) ToProto() grpcerrors.TypedErrorProto {
+	return &e.Build
+}
+
+func WrapBuild(err error, ref string) error {
+	if err == nil {
+		return nil
+	}
+	return &BuildError{Build: Build{Ref: ref}, error: err}
+}
+
+func (b *Build) WrapError(err error) error {
+	return &BuildError{error: err, Build: *b}
+}

controller/errdefs/errdefs.pb.go

@@ -0,0 +1,77 @@
+// Code generated by protoc-gen-gogo. DO NOT EDIT.
+// source: errdefs.proto
+
+package errdefs
+
+import (
+	fmt "fmt"
+	proto "github.com/gogo/protobuf/proto"
+	_ "github.com/moby/buildkit/solver/pb"
+	math "math"
+)
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+
+type Build struct {
+	Ref                  string   `protobuf:"bytes,1,opt,name=Ref,proto3" json:"Ref,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *Build) Reset()         { *m = Build{} }
+func (m *Build) String() string { return proto.CompactTextString(m) }
+func (*Build) ProtoMessage()    {}
+func (*Build) Descriptor() ([]byte, []int) {
+	return fileDescriptor_689dc58a5060aff5, []int{0}
+}
+func (m *Build) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_Build.Unmarshal(m, b)
+}
+func (m *Build) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_Build.Marshal(b, m, deterministic)
+}
+func (m *Build) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_Build.Merge(m, src)
+}
+func (m *Build) XXX_Size() int {
+	return xxx_messageInfo_Build.Size(m)
+}
+func (m *Build) XXX_DiscardUnknown() {
+	xxx_messageInfo_Build.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_Build proto.InternalMessageInfo
+
+func (m *Build) GetRef() string {
+	if m != nil {
+		return m.Ref
+	}
+	return ""
+}
+
+func init() {
+	proto.RegisterType((*Build)(nil), "errdefs.Build")
+}
+
+func init() { proto.RegisterFile("errdefs.proto", fileDescriptor_689dc58a5060aff5) }
+
+var fileDescriptor_689dc58a5060aff5 = []byte{
+	// 111 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xe2, 0xe2, 0x4d, 0x2d, 0x2a, 0x4a,
+	0x49, 0x4d, 0x2b, 0xd6, 0x2b, 0x28, 0xca, 0x2f, 0xc9, 0x17, 0x62, 0x87, 0x72, 0xa5, 0x74, 0xd2,
+	0x33, 0x4b, 0x32, 0x4a, 0x93, 0xf4, 0x92, 0xf3, 0x73, 0xf5, 0x73, 0xf3, 0x93, 0x2a, 0xf5, 0x93,
+	0x4a, 0x33, 0x73, 0x52, 0xb2, 0x33, 0x4b, 0xf4, 0x8b, 0xf3, 0x73, 0xca, 0x52, 0x8b, 0xf4, 0x0b,
+	0x92, 0xf4, 0xf3, 0x0b, 0xa0, 0xda, 0x94, 0x24, 0xb9, 0x58, 0x9d, 0x40, 0xf2, 0x42, 0x02, 0x5c,
+	0xcc, 0x41, 0xa9, 0x69, 0x12, 0x8c, 0x0a, 0x8c, 0x1a, 0x9c, 0x41, 0x20, 0x66, 0x12, 0x1b, 0x58,
+	0x85, 0x31, 0x20, 0x00, 0x00, 0xff, 0xff, 0x56, 0x52, 0x41, 0x91, 0x69, 0x00, 0x00, 0x00,
+}

controller/errdefs/errdefs.proto

@@ -0,0 +1,9 @@
+syntax = "proto3";
+
+package errdefs;
+
+import "github.com/moby/buildkit/solver/pb/ops.proto";
+
+message Build {
+  string Ref = 1;
+}

controller/errdefs/generate.go

@@ -0,0 +1,3 @@
+package errdefs
+
+//go:generate protoc -I=. -I=../../vendor/ --gogo_out=plugins=grpc:. errdefs.proto

controller/local/controller.go

@@ -0,0 +1,146 @@
+package local
+
+import (
+	"context"
+	"io"
+	"sync/atomic"
+
+	"github.com/docker/buildx/build"
+	cbuild "github.com/docker/buildx/controller/build"
+	"github.com/docker/buildx/controller/control"
+	controllererrors "github.com/docker/buildx/controller/errdefs"
+	controllerapi "github.com/docker/buildx/controller/pb"
+	"github.com/docker/buildx/controller/processes"
+	"github.com/docker/buildx/util/ioset"
+	"github.com/docker/buildx/util/progress"
+	"github.com/docker/cli/cli/command"
+	"github.com/moby/buildkit/client"
+	"github.com/pkg/errors"
+)
+
+func NewLocalBuildxController(ctx context.Context, dockerCli command.Cli, logger progress.SubLogger) control.BuildxController {
+	return &localController{
+		dockerCli: dockerCli,
+		ref:       "local",
+		processes: processes.NewManager(),
+	}
+}
+
+type buildConfig struct {
+	// TODO: these two structs should be merged
+	// Discussion: https://github.com/docker/buildx/pull/1640#discussion_r1113279719
+	resultCtx    *build.ResultHandle
+	buildOptions *controllerapi.BuildOptions
+}
+
+type localController struct {
+	dockerCli   command.Cli
+	ref         string
+	buildConfig buildConfig
+	processes   *processes.Manager
+
+	buildOnGoing atomic.Bool
+}
+
+func (b *localController) Build(ctx context.Context, options controllerapi.BuildOptions, in io.ReadCloser, progress progress.Writer) (string, *client.SolveResponse, error) {
+	if !b.buildOnGoing.CompareAndSwap(false, true) {
+		return "", nil, errors.New("build ongoing")
+	}
+	defer b.buildOnGoing.Store(false)
+
+	resp, res, buildErr := cbuild.RunBuild(ctx, b.dockerCli, options, in, progress, true)
+	// NOTE: RunBuild can return *build.ResultHandle even on error.
+	if res != nil {
+		b.buildConfig = buildConfig{
+			resultCtx:    res,
+			buildOptions: &options,
+		}
+		if buildErr != nil {
+			buildErr = controllererrors.WrapBuild(buildErr, b.ref)
+		}
+	}
+	if buildErr != nil {
+		return "", nil, buildErr
+	}
+	return b.ref, resp, nil
+}
+
+func (b *localController) ListProcesses(ctx context.Context, ref string) (infos []*controllerapi.ProcessInfo, retErr error) {
+	if ref != b.ref {
+		return nil, errors.Errorf("unknown ref %q", ref)
+	}
+	return b.processes.ListProcesses(), nil
+}
+
+func (b *localController) DisconnectProcess(ctx context.Context, ref, pid string) error {
+	if ref != b.ref {
+		return errors.Errorf("unknown ref %q", ref)
+	}
+	return b.processes.DeleteProcess(pid)
+}
+
+func (b *localController) cancelRunningProcesses() {
+	b.processes.CancelRunningProcesses()
+}
+
+func (b *localController) Invoke(ctx context.Context, ref string, pid string, cfg controllerapi.InvokeConfig, ioIn io.ReadCloser, ioOut io.WriteCloser, ioErr io.WriteCloser) error {
+	if ref != b.ref {
+		return errors.Errorf("unknown ref %q", ref)
+	}
+
+	proc, ok := b.processes.Get(pid)
+	if !ok {
+		// Start a new process.
+		if b.buildConfig.resultCtx == nil {
+			return errors.New("no build result is registered")
+		}
+		var err error
+		proc, err = b.processes.StartProcess(pid, b.buildConfig.resultCtx, &cfg)
+		if err != nil {
+			return err
+		}
+	}
+
+	// Attach containerIn to this process
+	ioCancelledCh := make(chan struct{})
+	proc.ForwardIO(&ioset.In{Stdin: ioIn, Stdout: ioOut, Stderr: ioErr}, func() { close(ioCancelledCh) })
+
+	select {
+	case <-ioCancelledCh:
+		return errors.Errorf("io cancelled")
+	case err := <-proc.Done():
+		return err
+	case <-ctx.Done():
+		return ctx.Err()
+	}
+}
+
+func (b *localController) Kill(context.Context) error {
+	b.Close()
+	return nil
+}
+
+func (b *localController) Close() error {
+	b.cancelRunningProcesses()
+	if b.buildConfig.resultCtx != nil {
+		b.buildConfig.resultCtx.Done()
+	}
+	// TODO: cancel ongoing builds?
+	return nil
+}
+
+func (b *localController) List(ctx context.Context) (res []string, _ error) {
+	return []string{b.ref}, nil
+}
+
+func (b *localController) Disconnect(ctx context.Context, key string) error {
+	b.Close()
+	return nil
+}
+
+func (b *localController) Inspect(ctx context.Context, ref string) (*controllerapi.InspectResponse, error) {
+	if ref != b.ref {
+		return nil, errors.Errorf("unknown ref %q", ref)
+	}
+	return &controllerapi.InspectResponse{Options: b.buildConfig.buildOptions}, nil
+}

controller/pb/attest.go

@@ -0,0 +1,20 @@
+package pb
+
+func CreateAttestations(attests []*Attest) map[string]*string {
+	result := map[string]*string{}
+	for _, attest := range attests {
+		// ignore duplicates
+		if _, ok := result[attest.Type]; ok {
+			continue
+		}
+
+		if attest.Disabled {
+			result[attest.Type] = nil
+			continue
+		}
+
+		attrs := attest.Attrs
+		result[attest.Type] = &attrs
+	}
+	return result
+}

controller/pb/cache.go

@@ -0,0 +1,21 @@
+package pb
+
+import "github.com/moby/buildkit/client"
+
+func CreateCaches(entries []*CacheOptionsEntry) []client.CacheOptionsEntry {
+	var outs []client.CacheOptionsEntry
+	if len(entries) == 0 {
+		return nil
+	}
+	for _, entry := range entries {
+		out := client.CacheOptionsEntry{
+			Type:  entry.Type,
+			Attrs: map[string]string{},
+		}
+		for k, v := range entry.Attrs {
+			out.Attrs[k] = v
+		}
+		outs = append(outs, out)
+	}
+	return outs
+}

controller/pb/controller.proto

@@ -0,0 +1,244 @@
+syntax = "proto3";
+
+package buildx.controller.v1;
+
+import "github.com/moby/buildkit/api/services/control/control.proto";
+import "github.com/moby/buildkit/sourcepolicy/pb/policy.proto";
+
+option go_package = "pb";
+
+service Controller {
+  rpc Build(BuildRequest) returns (BuildResponse);
+  rpc Inspect(InspectRequest) returns (InspectResponse);
+  rpc Status(StatusRequest) returns (stream StatusResponse);
+  rpc Input(stream InputMessage) returns (InputResponse);
+  rpc Invoke(stream Message) returns (stream Message);
+  rpc List(ListRequest) returns (ListResponse);
+  rpc Disconnect(DisconnectRequest) returns (DisconnectResponse);
+  rpc Info(InfoRequest) returns (InfoResponse);
+  rpc ListProcesses(ListProcessesRequest) returns (ListProcessesResponse);
+  rpc DisconnectProcess(DisconnectProcessRequest) returns (DisconnectProcessResponse);
+}
+
+message ListProcessesRequest {
+  string Ref = 1;
+}
+
+message ListProcessesResponse {
+  repeated ProcessInfo Infos = 1;
+}
+
+message ProcessInfo {
+  string ProcessID = 1;
+  InvokeConfig InvokeConfig = 2;
+}
+
+message DisconnectProcessRequest {
+  string Ref = 1;
+  string ProcessID = 2;
+}
+
+message DisconnectProcessResponse {
+}
+
+message BuildRequest {
+  string Ref = 1;
+  BuildOptions Options = 2;
+}
+
+message BuildOptions {
+  string ContextPath = 1;
+  string DockerfileName = 2;
+  PrintFunc PrintFunc = 3;
+  map<string, string> NamedContexts = 4;
+
+  repeated string Allow = 5;
+  repeated Attest Attests = 6;
+  map<string, string> BuildArgs = 7;
+  repeated CacheOptionsEntry CacheFrom = 8;
+  repeated CacheOptionsEntry CacheTo = 9;
+  string CgroupParent = 10;
+  repeated ExportEntry Exports = 11;
+  repeated string ExtraHosts = 12;
+  map<string, string> Labels = 13;
+  string NetworkMode = 14;
+  repeated string NoCacheFilter = 15;
+  repeated string Platforms = 16;
+  repeated Secret Secrets = 17;
+  int64 ShmSize = 18;
+  repeated SSH SSH = 19;
+  repeated string Tags = 20;
+  string Target = 21;
+  UlimitOpt Ulimits = 22;
+
+  string Builder = 23;
+  bool NoCache = 24;
+  bool Pull = 25;
+  bool ExportPush = 26;
+  bool ExportLoad = 27;
+  moby.buildkit.v1.sourcepolicy.Policy SourcePolicy = 28;
+}
+
+message ExportEntry {
+  string Type = 1;
+  map<string, string> Attrs = 2;
+  string Destination = 3;
+}
+
+message CacheOptionsEntry {
+  string Type = 1;
+  map<string, string> Attrs = 2;
+}
+
+message Attest {
+  string Type = 1;
+  bool Disabled = 2;
+  string Attrs = 3;
+}
+
+message SSH {
+  string ID = 1;
+  repeated string Paths = 2;
+}
+
+message Secret {
+  string ID = 1;
+  string FilePath = 2;
+  string Env = 3;
+}
+
+message PrintFunc {
+	string Name = 1;
+	string Format = 2;
+}
+
+message InspectRequest {
+  string Ref = 1;
+}
+
+message InspectResponse {
+  BuildOptions Options = 1;
+}
+
+message UlimitOpt {
+  map<string, Ulimit> values = 1;
+}
+
+message Ulimit {
+  string Name = 1;
+  int64 Hard = 2;
+  int64 Soft = 3;
+}
+
+message BuildResponse {
+	map<string, string> ExporterResponse = 1;
+}
+
+message DisconnectRequest {
+  string Ref = 1;
+}
+
+message DisconnectResponse {}
+
+message ListRequest {
+  string Ref = 1;
+}
+
+message ListResponse {
+  repeated string keys = 1;
+}
+
+message InputMessage {
+  oneof Input {
+    InputInitMessage Init = 1;
+    DataMessage Data = 2;
+  }
+}
+
+message InputInitMessage {
+  string Ref = 1;
+}
+
+message DataMessage {
+  bool EOF = 1;    // true if eof was reached
+  bytes Data = 2;  // should be chunked smaller than 4MB:
+                   // https://pkg.go.dev/google.golang.org/grpc#MaxRecvMsgSize
+}
+
+message InputResponse {}
+
+message Message {
+  oneof Input {
+    InitMessage Init = 1;
+    // FdMessage used from client to server for input (stdin) and
+    // from server to client for output (stdout, stderr)
+    FdMessage File = 2;
+    // ResizeMessage used from client to server for terminal resize events
+    ResizeMessage Resize = 3;
+    // SignalMessage is used from client to server to send signal events
+    SignalMessage Signal = 4;
+  }
+}
+
+message InitMessage {
+  string Ref = 1;
+
+  // If ProcessID already exists in the server, it tries to connect to it
+  // instead of invoking the new one. In this case, InvokeConfig will be ignored.
+  string ProcessID = 2;
+  InvokeConfig InvokeConfig = 3;
+}
+
+message InvokeConfig {
+  repeated string Entrypoint = 1;
+  repeated string Cmd = 2;
+  repeated string Env = 3;
+  string User = 4;
+  bool NoUser = 5; // Do not set user but use the image's default
+  string Cwd = 6;
+  bool NoCwd = 7; // Do not set cwd but use the image's default
+  bool Tty = 8;
+  bool Rollback = 9; // Kill all process in the container and recreate it.
+  bool Initial = 10; // Run container from the initial state of that stage (supported only on the failed step)
+}
+
+message FdMessage {
+  uint32 Fd = 1;   // what fd the data was from
+  bool EOF = 2;    // true if eof was reached
+  bytes Data = 3;  // should be chunked smaller than 4MB:
+                   // https://pkg.go.dev/google.golang.org/grpc#MaxRecvMsgSize
+}
+
+message ResizeMessage {
+  uint32 Rows = 1;
+  uint32 Cols = 2;
+}
+
+message SignalMessage {
+  // we only send name (ie HUP, INT) because the int values
+  // are platform dependent.
+  string Name = 1;
+}
+
+message StatusRequest {
+  string Ref = 1;
+}
+
+message StatusResponse {
+  repeated moby.buildkit.v1.Vertex vertexes = 1;
+  repeated moby.buildkit.v1.VertexStatus statuses = 2;
+  repeated moby.buildkit.v1.VertexLog logs = 3;
+  repeated moby.buildkit.v1.VertexWarning warnings = 4;
+}
+
+message InfoRequest {}
+
+message InfoResponse {
+  BuildxVersion buildxVersion = 1;
+}
+
+message BuildxVersion {
+  string package = 1;
+  string version = 2;
+  string revision = 3;
+}

controller/pb/export.go

@@ -0,0 +1,100 @@
+package pb
+
+import (
+	"io"
+	"os"
+	"strconv"
+
+	"github.com/containerd/console"
+	"github.com/moby/buildkit/client"
+	"github.com/pkg/errors"
+)
+
+func CreateExports(entries []*ExportEntry) ([]client.ExportEntry, error) {
+	var outs []client.ExportEntry
+	if len(entries) == 0 {
+		return nil, nil
+	}
+	for _, entry := range entries {
+		if entry.Type == "" {
+			return nil, errors.Errorf("type is required for output")
+		}
+
+		out := client.ExportEntry{
+			Type:  entry.Type,
+			Attrs: map[string]string{},
+		}
+		for k, v := range entry.Attrs {
+			out.Attrs[k] = v
+		}
+
+		supportFile := false
+		supportDir := false
+		switch out.Type {
+		case client.ExporterLocal:
+			supportDir = true
+		case client.ExporterTar:
+			supportFile = true
+		case client.ExporterOCI, client.ExporterDocker:
+			tar, err := strconv.ParseBool(out.Attrs["tar"])
+			if err != nil {
+				tar = true
+			}
+			supportFile = tar
+			supportDir = !tar
+		case "registry":
+			out.Type = client.ExporterImage
+		}
+
+		if supportDir {
+			if entry.Destination == "" {
+				return nil, errors.Errorf("dest is required for %s exporter", out.Type)
+			}
+			if entry.Destination == "-" {
+				return nil, errors.Errorf("dest cannot be stdout for %s exporter", out.Type)
+			}
+
+			fi, err := os.Stat(entry.Destination)
+			if err != nil && !os.IsNotExist(err) {
+				return nil, errors.Wrapf(err, "invalid destination directory: %s", entry.Destination)
+			}
+			if err == nil && !fi.IsDir() {
+				return nil, errors.Errorf("destination directory %s is a file", entry.Destination)
+			}
+			out.OutputDir = entry.Destination
+		}
+		if supportFile {
+			if entry.Destination == "" && out.Type != client.ExporterDocker {
+				entry.Destination = "-"
+			}
+			if entry.Destination == "-" {
+				if _, err := console.ConsoleFromFile(os.Stdout); err == nil {
+					return nil, errors.Errorf("dest file is required for %s exporter. refusing to write to console", out.Type)
+				}
+				out.Output = wrapWriteCloser(os.Stdout)
+			} else if entry.Destination != "" {
+				fi, err := os.Stat(entry.Destination)
+				if err != nil && !os.IsNotExist(err) {
+					return nil, errors.Wrapf(err, "invalid destination file: %s", entry.Destination)
+				}
+				if err == nil && fi.IsDir() {
+					return nil, errors.Errorf("destination file %s is a directory", entry.Destination)
+				}
+				f, err := os.Create(entry.Destination)
+				if err != nil {
+					return nil, errors.Errorf("failed to open %s", err)
+				}
+				out.Output = wrapWriteCloser(f)
+			}
+		}
+
+		outs = append(outs, out)
+	}
+	return outs, nil
+}
+
+func wrapWriteCloser(wc io.WriteCloser) func(map[string]string) (io.WriteCloser, error) {
+	return func(map[string]string) (io.WriteCloser, error) {
+		return wc, nil
+	}
+}

controller/pb/generate.go

@@ -0,0 +1,3 @@
+package pb
+
+//go:generate protoc -I=. -I=../../vendor/ --gogo_out=plugins=grpc:. controller.proto

controller/pb/path.go

@@ -0,0 +1,175 @@
+package pb
+
+import (
+	"path/filepath"
+	"strings"
+
+	"github.com/docker/docker/builder/remotecontext/urlutil"
+	"github.com/moby/buildkit/util/gitutil"
+)
+
+// ResolveOptionPaths resolves all paths contained in BuildOptions
+// and replaces them to absolute paths.
+func ResolveOptionPaths(options *BuildOptions) (_ *BuildOptions, err error) {
+	localContext := false
+	if options.ContextPath != "" && options.ContextPath != "-" {
+		if !isRemoteURL(options.ContextPath) {
+			localContext = true
+			options.ContextPath, err = filepath.Abs(options.ContextPath)
+			if err != nil {
+				return nil, err
+			}
+		}
+	}
+	if options.DockerfileName != "" && options.DockerfileName != "-" {
+		if localContext && !urlutil.IsURL(options.DockerfileName) {
+			options.DockerfileName, err = filepath.Abs(options.DockerfileName)
+			if err != nil {
+				return nil, err
+			}
+		}
+	}
+
+	var contexts map[string]string
+	for k, v := range options.NamedContexts {
+		if isRemoteURL(v) || strings.HasPrefix(v, "docker-image://") {
+			// url prefix, this is a remote path
+		} else if strings.HasPrefix(v, "oci-layout://") {
+			// oci layout prefix, this is a local path
+			p := strings.TrimPrefix(v, "oci-layout://")
+			p, err = filepath.Abs(p)
+			if err != nil {
+				return nil, err
+			}
+			v = "oci-layout://" + p
+		} else {
+			// no prefix, assume local path
+			v, err = filepath.Abs(v)
+			if err != nil {
+				return nil, err
+			}
+		}
+
+		if contexts == nil {
+			contexts = make(map[string]string)
+		}
+		contexts[k] = v
+	}
+	options.NamedContexts = contexts
+
+	var cacheFrom []*CacheOptionsEntry
+	for _, co := range options.CacheFrom {
+		switch co.Type {
+		case "local":
+			var attrs map[string]string
+			for k, v := range co.Attrs {
+				if attrs == nil {
+					attrs = make(map[string]string)
+				}
+				switch k {
+				case "src":
+					p := v
+					if p != "" {
+						p, err = filepath.Abs(p)
+						if err != nil {
+							return nil, err
+						}
+					}
+					attrs[k] = p
+				default:
+					attrs[k] = v
+				}
+			}
+			co.Attrs = attrs
+			cacheFrom = append(cacheFrom, co)
+		default:
+			cacheFrom = append(cacheFrom, co)
+		}
+	}
+	options.CacheFrom = cacheFrom
+
+	var cacheTo []*CacheOptionsEntry
+	for _, co := range options.CacheTo {
+		switch co.Type {
+		case "local":
+			var attrs map[string]string
+			for k, v := range co.Attrs {
+				if attrs == nil {
+					attrs = make(map[string]string)
+				}
+				switch k {
+				case "dest":
+					p := v
+					if p != "" {
+						p, err = filepath.Abs(p)
+						if err != nil {
+							return nil, err
+						}
+					}
+					attrs[k] = p
+				default:
+					attrs[k] = v
+				}
+			}
+			co.Attrs = attrs
+			cacheTo = append(cacheTo, co)
+		default:
+			cacheTo = append(cacheTo, co)
+		}
+	}
+	options.CacheTo = cacheTo
+	var exports []*ExportEntry
+	for _, e := range options.Exports {
+		if e.Destination != "" && e.Destination != "-" {
+			e.Destination, err = filepath.Abs(e.Destination)
+			if err != nil {
+				return nil, err
+			}
+		}
+		exports = append(exports, e)
+	}
+	options.Exports = exports
+
+	var secrets []*Secret
+	for _, s := range options.Secrets {
+		if s.FilePath != "" {
+			s.FilePath, err = filepath.Abs(s.FilePath)
+			if err != nil {
+				return nil, err
+			}
+		}
+		secrets = append(secrets, s)
+	}
+	options.Secrets = secrets
+
+	var ssh []*SSH
+	for _, s := range options.SSH {
+		var ps []string
+		for _, pt := range s.Paths {
+			p := pt
+			if p != "" {
+				p, err = filepath.Abs(p)
+				if err != nil {
+					return nil, err
+				}
+			}
+			ps = append(ps, p)
+
+		}
+		s.Paths = ps
+		ssh = append(ssh, s)
+	}
+	options.SSH = ssh
+
+	return options, nil
+}
+
+func isRemoteURL(c string) bool {
+	if urlutil.IsURL(c) {
+		return true
+	}
+	if _, err := gitutil.ParseGitRef(c); err == nil {
+		return true
+	}
+	return false
+}

controller/pb/path_test.go

@@ -0,0 +1,247 @@
+package pb
+
+import (
+	"os"
+	"path/filepath"
+	"reflect"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestResolvePaths(t *testing.T) {
+	tmpwd, err := os.MkdirTemp("", "testresolvepaths")
+	require.NoError(t, err)
+	defer os.Remove(tmpwd)
+	require.NoError(t, os.Chdir(tmpwd))
+	tests := []struct {
+		name    string
+		options BuildOptions
+		want    BuildOptions
+	}{
+		{
+			name:    "contextpath",
+			options: BuildOptions{ContextPath: "test"},
+			want:    BuildOptions{ContextPath: filepath.Join(tmpwd, "test")},
+		},
+		{
+			name:    "contextpath-cwd",
+			options: BuildOptions{ContextPath: "."},
+			want:    BuildOptions{ContextPath: tmpwd},
+		},
+		{
+			name:    "contextpath-dash",
+			options: BuildOptions{ContextPath: "-"},
+			want:    BuildOptions{ContextPath: "-"},
+		},
+		{
+			name:    "contextpath-ssh",
+			options: BuildOptions{ContextPath: "git@github.com:docker/buildx.git"},
+			want:    BuildOptions{ContextPath: "git@github.com:docker/buildx.git"},
+		},
+		{
+			name:    "dockerfilename",
+			options: BuildOptions{DockerfileName: "test", ContextPath: "."},
+			want:    BuildOptions{DockerfileName: filepath.Join(tmpwd, "test"), ContextPath: tmpwd},
+		},
+		{
+			name:    "dockerfilename-dash",
+			options: BuildOptions{DockerfileName: "-", ContextPath: "."},
+			want:    BuildOptions{DockerfileName: "-", ContextPath: tmpwd},
+		},
+		{
+			name:    "dockerfilename-remote",
+			options: BuildOptions{DockerfileName: "test", ContextPath: "git@github.com:docker/buildx.git"},
+			want:    BuildOptions{DockerfileName: "test", ContextPath: "git@github.com:docker/buildx.git"},
+		},
+		{
+			name: "contexts",
+			options: BuildOptions{NamedContexts: map[string]string{"a": "test1", "b": "test2",
+				"alpine": "docker-image://alpine@sha256:0123456789", "project": "https://github.com/myuser/project.git"}},
+			want: BuildOptions{NamedContexts: map[string]string{"a": filepath.Join(tmpwd, "test1"), "b": filepath.Join(tmpwd, "test2"),
+				"alpine": "docker-image://alpine@sha256:0123456789", "project": "https://github.com/myuser/project.git"}},
+		},
+		{
+			name: "cache-from",
+			options: BuildOptions{
+				CacheFrom: []*CacheOptionsEntry{
+					{
+						Type:  "local",
+						Attrs: map[string]string{"src": "test"},
+					},
+					{
+						Type:  "registry",
+						Attrs: map[string]string{"ref": "user/app"},
+					},
+				},
+			},
+			want: BuildOptions{
+				CacheFrom: []*CacheOptionsEntry{
+					{
+						Type:  "local",
+						Attrs: map[string]string{"src": filepath.Join(tmpwd, "test")},
+					},
+					{
+						Type:  "registry",
+						Attrs: map[string]string{"ref": "user/app"},
+					},
+				},
+			},
+		},
+		{
+			name: "cache-to",
+			options: BuildOptions{
+				CacheTo: []*CacheOptionsEntry{
+					{
+						Type:  "local",
+						Attrs: map[string]string{"dest": "test"},
+					},
+					{
+						Type:  "registry",
+						Attrs: map[string]string{"ref": "user/app"},
+					},
+				},
+			},
+			want: BuildOptions{
+				CacheTo: []*CacheOptionsEntry{
+					{
+						Type:  "local",
+						Attrs: map[string]string{"dest": filepath.Join(tmpwd, "test")},
+					},
+					{
+						Type:  "registry",
+						Attrs: map[string]string{"ref": "user/app"},
+					},
+				},
+			},
+		},
+		{
+			name: "exports",
+			options: BuildOptions{
+				Exports: []*ExportEntry{
+					{
+						Type:        "local",
+						Destination: "-",
+					},
+					{
+						Type:        "local",
+						Destination: "test1",
+					},
+					{
+						Type:        "tar",
+						Destination: "test3",
+					},
+					{
+						Type:        "oci",
+						Destination: "-",
+					},
+					{
+						Type:        "docker",
+						Destination: "test4",
+					},
+					{
+						Type:  "image",
+						Attrs: map[string]string{"push": "true"},
+					},
+				},
+			},
+			want: BuildOptions{
+				Exports: []*ExportEntry{
+					{
+						Type:        "local",
+						Destination: "-",
+					},
+					{
+						Type:        "local",
+						Destination: filepath.Join(tmpwd, "test1"),
+					},
+					{
+						Type:        "tar",
+						Destination: filepath.Join(tmpwd, "test3"),
+					},
+					{
+						Type:        "oci",
+						Destination: "-",
+					},
+					{
+						Type:        "docker",
+						Destination: filepath.Join(tmpwd, "test4"),
+					},
+					{
+						Type:  "image",
+						Attrs: map[string]string{"push": "true"},
+					},
+				},
+			},
+		},
+		{
+			name: "secrets",
+			options: BuildOptions{
+				Secrets: []*Secret{
+					{
+						FilePath: "test1",
+					},
+					{
+						ID:  "val",
+						Env: "a",
+					},
+					{
+						ID:       "test",
+						FilePath: "test3",
+					},
+				},
+			},
+			want: BuildOptions{
+				Secrets: []*Secret{
+					{
+						FilePath: filepath.Join(tmpwd, "test1"),
+					},
+					{
+						ID:  "val",
+						Env: "a",
+					},
+					{
+						ID:       "test",
+						FilePath: filepath.Join(tmpwd, "test3"),
+					},
+				},
+			},
+		},
+		{
+			name: "ssh",
+			options: BuildOptions{
+				SSH: []*SSH{
+					{
+						ID:    "default",
+						Paths: []string{"test1", "test2"},
+					},
+					{
+						ID:    "a",
+						Paths: []string{"test3"},
+					},
+				},
+			},
+			want: BuildOptions{
+				SSH: []*SSH{
+					{
+						ID:    "default",
+						Paths: []string{filepath.Join(tmpwd, "test1"), filepath.Join(tmpwd, "test2")},
+					},
+					{
+						ID:    "a",
+						Paths: []string{filepath.Join(tmpwd, "test3")},
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := ResolveOptionPaths(&tt.options)
+			require.NoError(t, err)
+			if !reflect.DeepEqual(tt.want, *got) {
+				t.Fatalf("expected %#v, got %#v", tt.want, *got)
+			}
+		})
+	}
+}

controller/pb/progress.go

@@ -0,0 +1,126 @@
+package pb
+
+import (
+	"github.com/docker/buildx/util/progress"
+	control "github.com/moby/buildkit/api/services/control"
+	"github.com/moby/buildkit/client"
+	"github.com/opencontainers/go-digest"
+)
+
+type writer struct {
+	ch chan<- *StatusResponse
+}
+
+func NewProgressWriter(ch chan<- *StatusResponse) progress.Writer {
+	return &writer{ch: ch}
+}
+
+func (w *writer) Write(status *client.SolveStatus) {
+	w.ch <- ToControlStatus(status)
+}
+
+func (w *writer) WriteBuildRef(target string, ref string) {
+	return
+}
+
+func (w *writer) ValidateLogSource(digest.Digest, interface{}) bool {
+	return true
+}
+
+func (w *writer) ClearLogSource(interface{}) {}
+
+func ToControlStatus(s *client.SolveStatus) *StatusResponse {
+	resp := StatusResponse{}
+	for _, v := range s.Vertexes {
+		resp.Vertexes = append(resp.Vertexes, &control.Vertex{
+			Digest:        v.Digest,
+			Inputs:        v.Inputs,
+			Name:          v.Name,
+			Started:       v.Started,
+			Completed:     v.Completed,
+			Error:         v.Error,
+			Cached:        v.Cached,
+			ProgressGroup: v.ProgressGroup,
+		})
+	}
+	for _, v := range s.Statuses {
+		resp.Statuses = append(resp.Statuses, &control.VertexStatus{
+			ID:        v.ID,
+			Vertex:    v.Vertex,
+			Name:      v.Name,
+			Total:     v.Total,
+			Current:   v.Current,
+			Timestamp: v.Timestamp,
+			Started:   v.Started,
+			Completed: v.Completed,
+		})
+	}
+	for _, v := range s.Logs {
+		resp.Logs = append(resp.Logs, &control.VertexLog{
+			Vertex:    v.Vertex,
+			Stream:    int64(v.Stream),
+			Msg:       v.Data,
+			Timestamp: v.Timestamp,
+		})
+	}
+	for _, v := range s.Warnings {
+		resp.Warnings = append(resp.Warnings, &control.VertexWarning{
+			Vertex: v.Vertex,
+			Level:  int64(v.Level),
+			Short:  v.Short,
+			Detail: v.Detail,
+			Url:    v.URL,
+			Info:   v.SourceInfo,
+			Ranges: v.Range,
+		})
+	}
+	return &resp
+}
+
+func FromControlStatus(resp *StatusResponse) *client.SolveStatus {
+	s := client.SolveStatus{}
+	for _, v := range resp.Vertexes {
+		s.Vertexes = append(s.Vertexes, &client.Vertex{
+			Digest:        v.Digest,
+			Inputs:        v.Inputs,
+			Name:          v.Name,
+			Started:       v.Started,
+			Completed:     v.Completed,
+			Error:         v.Error,
+			Cached:        v.Cached,
+			ProgressGroup: v.ProgressGroup,
+		})
+	}
+	for _, v := range resp.Statuses {
+		s.Statuses = append(s.Statuses, &client.VertexStatus{
+			ID:        v.ID,
+			Vertex:    v.Vertex,
+			Name:      v.Name,
+			Total:     v.Total,
+			Current:   v.Current,
+			Timestamp: v.Timestamp,
+			Started:   v.Started,
+			Completed: v.Completed,
+		})
+	}
+	for _, v := range resp.Logs {
+		s.Logs = append(s.Logs, &client.VertexLog{
+			Vertex:    v.Vertex,
+			Stream:    int(v.Stream),
+			Data:      v.Msg,
+			Timestamp: v.Timestamp,
+		})
+	}
+	for _, v := range resp.Warnings {
+		s.Warnings = append(s.Warnings, &client.VertexWarning{
+			Vertex:     v.Vertex,
+			Level:      int(v.Level),
+			Short:      v.Short,
+			Detail:     v.Detail,
+			URL:        v.Url,
+			SourceInfo: v.Info,
+			Range:      v.Ranges,
+		})
+	}
+	return &s
+}

controller/pb/secrets.go

@@ -0,0 +1,22 @@
+package pb
+
+import (
+	"github.com/moby/buildkit/session"
+	"github.com/moby/buildkit/session/secrets/secretsprovider"
+)
+
+func CreateSecrets(secrets []*Secret) (session.Attachable, error) {
+	fs := make([]secretsprovider.Source, 0, len(secrets))
+	for _, secret := range secrets {
+		fs = append(fs, secretsprovider.Source{
+			ID:       secret.ID,
+			FilePath: secret.FilePath,
+			Env:      secret.Env,
+		})
+	}
+	store, err := secretsprovider.NewStore(fs)
+	if err != nil {
+		return nil, err
+	}
+	return secretsprovider.NewSecretProvider(store), nil
+}

controller/pb/ssh.go

@@ -0,0 +1,18 @@
+package pb
+
+import (
+	"github.com/moby/buildkit/session"
+	"github.com/moby/buildkit/session/sshforward/sshprovider"
+)
+
+func CreateSSH(ssh []*SSH) (session.Attachable, error) {
+	configs := make([]sshprovider.AgentConfig, 0, len(ssh))
+	for _, ssh := range ssh {
+		cfg := sshprovider.AgentConfig{
+			ID:    ssh.ID,
+			Paths: append([]string{}, ssh.Paths...),
+		}
+		configs = append(configs, cfg)
+	}
+	return sshprovider.NewSSHAgentProvider(configs)
+}

controller/processes/processes.go

@@ -0,0 +1,149 @@
+package processes
+
+import (
+	"context"
+	"sync"
+	"sync/atomic"
+
+	"github.com/docker/buildx/build"
+	"github.com/docker/buildx/controller/pb"
+	"github.com/docker/buildx/util/ioset"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+// Process provides methods to control a process.
+type Process struct {
+	inEnd         *ioset.Forwarder
+	invokeConfig  *pb.InvokeConfig
+	errCh         chan error
+	processCancel func()
+	serveIOCancel func()
+}
+
+// ForwardIO forwards process's io to the specified reader/writer.
+// Optionally specify ioCancelCallback which will be called when
+// the process closes the specified IO. This will be useful for additional cleanup.
+func (p *Process) ForwardIO(in *ioset.In, ioCancelCallback func()) {
+	p.inEnd.SetIn(in)
+	if f := p.serveIOCancel; f != nil {
+		f()
+	}
+	p.serveIOCancel = ioCancelCallback
+}
+
+// Done returns a channel where error or nil will be sent
+// when the process exits.
+// TODO: change this to Wait()
+func (p *Process) Done() <-chan error {
+	return p.errCh
+}
+
+// Manager manages a set of proceses.
+type Manager struct {
+	container atomic.Value
+	processes sync.Map
+}
+
+// NewManager creates and returns a Manager.
+func NewManager() *Manager {
+	return &Manager{}
+}
+
+// Get returns the specified process.
+func (m *Manager) Get(id string) (*Process, bool) {
+	v, ok := m.processes.Load(id)
+	if !ok {
+		return nil, false
+	}
+	return v.(*Process), true
+}
+
+// CancelRunningProcesses cancels execution of all running processes.
+func (m *Manager) CancelRunningProcesses() {
+	var funcs []func()
+	m.processes.Range(func(key, value any) bool {
+		funcs = append(funcs, value.(*Process).processCancel)
+		m.processes.Delete(key)
+		return true
+	})
+	for _, f := range funcs {
+		f()
+	}
+}
+
+// ListProcesses lists all running processes.
+func (m *Manager) ListProcesses() (res []*pb.ProcessInfo) {
+	m.processes.Range(func(key, value any) bool {
+		res = append(res, &pb.ProcessInfo{
+			ProcessID:    key.(string),
+			InvokeConfig: value.(*Process).invokeConfig,
+		})
+		return true
+	})
+	return res
+}
+
+// DeleteProcess deletes the specified process.
+func (m *Manager) DeleteProcess(id string) error {
+	p, ok := m.processes.LoadAndDelete(id)
+	if !ok {
+		return errors.Errorf("unknown process %q", id)
+	}
+	p.(*Process).processCancel()
+	return nil
+}
+
+// StartProcess starts a process in the container.
+// When a container isn't available (i.e. first time invoking or the container has exited) or cfg.Rollback is set,
+// this method will start a new container and run the process in it. Otherwise, this method starts a new process in the
+// existing container.
+func (m *Manager) StartProcess(pid string, resultCtx *build.ResultHandle, cfg *pb.InvokeConfig) (*Process, error) {
+	// Get the target result to invoke a container from
+	var ctr *build.Container
+	if a := m.container.Load(); a != nil {
+		ctr = a.(*build.Container)
+	}
+	if cfg.Rollback || ctr == nil || ctr.IsUnavailable() {
+		go m.CancelRunningProcesses()
+		// (Re)create a new container if this is rollback or first time to invoke a process.
+		if ctr != nil {
+			go ctr.Cancel() // Finish the existing container
+		}
+		var err error
+		ctr, err = build.NewContainer(context.TODO(), resultCtx, cfg)
+		if err != nil {
+			return nil, errors.Errorf("failed to create container %v", err)
+		}
+		m.container.Store(ctr)
+	}
+	// [client(ForwardIO)] <-forwarder(switchable)-> [out] <-pipe-> [in] <- [process]
+	in, out := ioset.Pipe()
+	f := ioset.NewForwarder()
+	f.PropagateStdinClose = false
+	f.SetOut(&out)
+
+	// Register process
+	ctx, cancel := context.WithCancel(context.TODO())
+	var cancelOnce sync.Once
+	processCancelFunc := func() { cancelOnce.Do(func() { cancel(); f.Close(); in.Close(); out.Close() }) }
+	p := &Process{
+		inEnd:         f,
+		invokeConfig:  cfg,
+		processCancel: processCancelFunc,
+		errCh:         make(chan error),
+	}
+	m.processes.Store(pid, p)
+	go func() {
+		var err error
+		if err = ctr.Exec(ctx, cfg, in.Stdin, in.Stdout, in.Stderr); err != nil {
+			logrus.Errorf("failed to exec process: %v", err)
+		}
+		logrus.Debugf("finished process %s %v", pid, cfg.Entrypoint)
+		m.processes.Delete(pid)
+		processCancelFunc()
+		p.errCh <- err
+	}()
+
+	return p, nil
+}

controller/remote/client.go

@@ -0,0 +1,240 @@
+package remote
+
+import (
+	"context"
+	"io"
+	"sync"
+	"time"
+
+	"github.com/containerd/containerd/defaults"
+	"github.com/containerd/containerd/pkg/dialer"
+	"github.com/docker/buildx/controller/pb"
+	"github.com/docker/buildx/util/progress"
+	"github.com/moby/buildkit/client"
+	"github.com/moby/buildkit/identity"
+	"github.com/moby/buildkit/util/grpcerrors"
+	"github.com/pkg/errors"
+	"golang.org/x/sync/errgroup"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/backoff"
+	"google.golang.org/grpc/credentials/insecure"
+)
+
+func NewClient(ctx context.Context, addr string) (*Client, error) {
+	backoffConfig := backoff.DefaultConfig
+	backoffConfig.MaxDelay = 3 * time.Second
+	connParams := grpc.ConnectParams{
+		Backoff: backoffConfig,
+	}
+	gopts := []grpc.DialOption{
+		grpc.WithBlock(),
+		grpc.WithTransportCredentials(insecure.NewCredentials()),
+		grpc.WithConnectParams(connParams),
+		grpc.WithContextDialer(dialer.ContextDialer),
+		grpc.WithDefaultCallOptions(grpc.MaxCallRecvMsgSize(defaults.DefaultMaxRecvMsgSize)),
+		grpc.WithDefaultCallOptions(grpc.MaxCallSendMsgSize(defaults.DefaultMaxSendMsgSize)),
+		grpc.WithUnaryInterceptor(grpcerrors.UnaryClientInterceptor),
+		grpc.WithStreamInterceptor(grpcerrors.StreamClientInterceptor),
+	}
+	conn, err := grpc.DialContext(ctx, dialer.DialAddress(addr), gopts...)
+	if err != nil {
+		return nil, err
+	}
+	return &Client{conn: conn}, nil
+}
+
+type Client struct {
+	conn      *grpc.ClientConn
+	closeOnce sync.Once
+}
+
+func (c *Client) Close() (err error) {
+	c.closeOnce.Do(func() {
+		err = c.conn.Close()
+	})
+	return
+}
+
+func (c *Client) Version(ctx context.Context) (string, string, string, error) {
+	res, err := c.client().Info(ctx, &pb.InfoRequest{})
+	if err != nil {
+		return "", "", "", err
+	}
+	v := res.BuildxVersion
+	return v.Package, v.Version, v.Revision, nil
+}
+
+func (c *Client) List(ctx context.Context) (keys []string, retErr error) {
+	res, err := c.client().List(ctx, &pb.ListRequest{})
+	if err != nil {
+		return nil, err
+	}
+	return res.Keys, nil
+}
+
+func (c *Client) Disconnect(ctx context.Context, key string) error {
+	if key == "" {
+		return nil
+	}
+	_, err := c.client().Disconnect(ctx, &pb.DisconnectRequest{Ref: key})
+	return err
+}
+
+func (c *Client) ListProcesses(ctx context.Context, ref string) (infos []*pb.ProcessInfo, retErr error) {
+	res, err := c.client().ListProcesses(ctx, &pb.ListProcessesRequest{Ref: ref})
+	if err != nil {
+		return nil, err
+	}
+	return res.Infos, nil
+}
+
+func (c *Client) DisconnectProcess(ctx context.Context, ref, pid string) error {
+	_, err := c.client().DisconnectProcess(ctx, &pb.DisconnectProcessRequest{Ref: ref, ProcessID: pid})
+	return err
+}
+
+func (c *Client) Invoke(ctx context.Context, ref string, pid string, invokeConfig pb.InvokeConfig, in io.ReadCloser, stdout io.WriteCloser, stderr io.WriteCloser) error {
+	if ref == "" || pid == "" {
+		return errors.New("build reference must be specified")
+	}
+	stream, err := c.client().Invoke(ctx)
+	if err != nil {
+		return err
+	}
+	return attachIO(ctx, stream, &pb.InitMessage{Ref: ref, ProcessID: pid, InvokeConfig: &invokeConfig}, ioAttachConfig{
+		stdin:  in,
+		stdout: stdout,
+		stderr: stderr,
+		// TODO: Signal, Resize
+	})
+}
+
+func (c *Client) Inspect(ctx context.Context, ref string) (*pb.InspectResponse, error) {
+	return c.client().Inspect(ctx, &pb.InspectRequest{Ref: ref})
+}
+
+func (c *Client) Build(ctx context.Context, options pb.BuildOptions, in io.ReadCloser, progress progress.Writer) (string, *client.SolveResponse, error) {
+	ref := identity.NewID()
+	statusChan := make(chan *client.SolveStatus)
+	eg, egCtx := errgroup.WithContext(ctx)
+	var resp *client.SolveResponse
+	eg.Go(func() error {
+		defer close(statusChan)
+		var err error
+		resp, err = c.build(egCtx, ref, options, in, statusChan)
+		return err
+	})
+	eg.Go(func() error {
+		for s := range statusChan {
+			st := s
+			progress.Write(st)
+		}
+		return nil
+	})
+	return ref, resp, eg.Wait()
+}
+
+func (c *Client) build(ctx context.Context, ref string, options pb.BuildOptions, in io.ReadCloser, statusChan chan *client.SolveStatus) (*client.SolveResponse, error) {
+	eg, egCtx := errgroup.WithContext(ctx)
+	done := make(chan struct{})
+
+	var resp *client.SolveResponse
+
+	eg.Go(func() error {
+		defer close(done)
+		pbResp, err := c.client().Build(egCtx, &pb.BuildRequest{
+			Ref:     ref,
+			Options: &options,
+		})
+		if err != nil {
+			return err
+		}
+		resp = &client.SolveResponse{
+			ExporterResponse: pbResp.ExporterResponse,
+		}
+		return nil
+	})
+	eg.Go(func() error {
+		stream, err := c.client().Status(egCtx, &pb.StatusRequest{
+			Ref: ref,
+		})
+		if err != nil {
+			return err
+		}
+		for {
+			resp, err := stream.Recv()
+			if err != nil {
+				if err == io.EOF {
+					return nil
+				}
+				return errors.Wrap(err, "failed to receive status")
+			}
+			statusChan <- pb.FromControlStatus(resp)
+		}
+	})
+	if in != nil {
+		eg.Go(func() error {
+			stream, err := c.client().Input(egCtx)
+			if err != nil {
+				return err
+			}
+			if err := stream.Send(&pb.InputMessage{
+				Input: &pb.InputMessage_Init{
+					Init: &pb.InputInitMessage{
+						Ref: ref,
+					},
+				},
+			}); err != nil {
+				return errors.Wrap(err, "failed to init input")
+			}
+
+			inReader, inWriter := io.Pipe()
+			eg2, _ := errgroup.WithContext(ctx)
+			eg2.Go(func() error {
+				<-done
+				return inWriter.Close()
+			})
+			go func() {
+				// do not wait for read completion but return here and let the caller send EOF
+				// this allows us to return on ctx.Done() without being blocked by this reader.
+				io.Copy(inWriter, in)
+				inWriter.Close()
+			}()
+			eg2.Go(func() error {
+				for {
+					buf := make([]byte, 32*1024)
+					n, err := inReader.Read(buf)
+					if err != nil {
+						if err == io.EOF {
+							break // break loop and send EOF
+						}
+						return err
+					} else if n > 0 {
+						if stream.Send(&pb.InputMessage{
+							Input: &pb.InputMessage_Data{
+								Data: &pb.DataMessage{
+									Data: buf[:n],
+								},
+							},
+						}); err != nil {
+							return err
+						}
+					}
+				}
+				return stream.Send(&pb.InputMessage{
+					Input: &pb.InputMessage_Data{
+						Data: &pb.DataMessage{
+							EOF: true,
+						},
+					},
+				})
+			})
+			return eg2.Wait()
+		})
+	}
+	return resp, eg.Wait()
+}
+
+func (c *Client) client() pb.ControllerClient {
+	return pb.NewControllerClient(c.conn)
+}

controller/remote/controller.go

@@ -0,0 +1,333 @@
+//go:build linux
+
+package remote
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"net"
+	"os"
+	"os/exec"
+	"os/signal"
+	"path/filepath"
+	"strconv"
+	"syscall"
+	"time"
+
+	"github.com/containerd/containerd/log"
+	"github.com/docker/buildx/build"
+	cbuild "github.com/docker/buildx/controller/build"
+	"github.com/docker/buildx/controller/control"
+	controllerapi "github.com/docker/buildx/controller/pb"
+	"github.com/docker/buildx/util/confutil"
+	"github.com/docker/buildx/util/progress"
+	"github.com/docker/buildx/version"
+	"github.com/docker/cli/cli/command"
+	"github.com/moby/buildkit/client"
+	"github.com/moby/buildkit/util/grpcerrors"
+	"github.com/pelletier/go-toml"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	"google.golang.org/grpc"
+)
+
+const (
+	serveCommandName = "_INTERNAL_SERVE"
+)
+
+var (
+	defaultLogFilename    = fmt.Sprintf("buildx.%s.log", version.Revision)
+	defaultSocketFilename = fmt.Sprintf("buildx.%s.sock", version.Revision)
+	defaultPIDFilename    = fmt.Sprintf("buildx.%s.pid", version.Revision)
+)
+
+type serverConfig struct {
+	// Specify buildx server root
+	Root string `toml:"root"`
+
+	// LogLevel sets the logging level [trace, debug, info, warn, error, fatal, panic]
+	LogLevel string `toml:"log_level"`
+
+	// Specify file to output buildx server log
+	LogFile string `toml:"log_file"`
+}
+
+func NewRemoteBuildxController(ctx context.Context, dockerCli command.Cli, opts control.ControlOptions, logger progress.SubLogger) (control.BuildxController, error) {
+	rootDir := opts.Root
+	if rootDir == "" {
+		rootDir = rootDataDir(dockerCli)
+	}
+	serverRoot := filepath.Join(rootDir, "shared")
+
+	// connect to buildx server if it is already running
+	ctx2, cancel := context.WithTimeout(ctx, 1*time.Second)
+	c, err := newBuildxClientAndCheck(ctx2, filepath.Join(serverRoot, defaultSocketFilename))
+	cancel()
+	if err != nil {
+		if !errors.Is(err, context.DeadlineExceeded) {
+			return nil, errors.Wrap(err, "cannot connect to the buildx server")
+		}
+	} else {
+		return &buildxController{c, serverRoot}, nil
+	}
+
+	// start buildx server via subcommand
+	err = logger.Wrap("no buildx server found; launching...", func() error {
+		launchFlags := []string{}
+		if opts.ServerConfig != "" {
+			launchFlags = append(launchFlags, "--config", opts.ServerConfig)
+		}
+		logFile, err := getLogFilePath(dockerCli, opts.ServerConfig)
+		if err != nil {
+			return err
+		}
+		wait, err := launch(ctx, logFile, append([]string{serveCommandName}, launchFlags...)...)
+		if err != nil {
+			return err
+		}
+		go wait()
+
+		// wait for buildx server to be ready
+		ctx2, cancel = context.WithTimeout(ctx, 10*time.Second)
+		c, err = newBuildxClientAndCheck(ctx2, filepath.Join(serverRoot, defaultSocketFilename))
+		cancel()
+		if err != nil {
+			return errors.Wrap(err, "cannot connect to the buildx server")
+		}
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+	return &buildxController{c, serverRoot}, nil
+}
+
+func AddControllerCommands(cmd *cobra.Command, dockerCli command.Cli) {
+	cmd.AddCommand(
+		serveCmd(dockerCli),
+	)
+}
+
+func serveCmd(dockerCli command.Cli) *cobra.Command {
+	var serverConfigPath string
+	cmd := &cobra.Command{
+		Use:    fmt.Sprintf("%s [OPTIONS]", serveCommandName),
+		Hidden: true,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			// Parse config
+			config, err := getConfig(dockerCli, serverConfigPath)
+			if err != nil {
+				return err
+			}
+			if config.LogLevel == "" {
+				logrus.SetLevel(logrus.InfoLevel)
+			} else {
+				lvl, err := logrus.ParseLevel(config.LogLevel)
+				if err != nil {
+					return errors.Wrap(err, "failed to prepare logger")
+				}
+				logrus.SetLevel(lvl)
+			}
+			logrus.SetFormatter(&logrus.JSONFormatter{
+				TimestampFormat: log.RFC3339NanoFixed,
+			})
+			root, err := prepareRootDir(dockerCli, config)
+			if err != nil {
+				return err
+			}
+			pidF := filepath.Join(root, defaultPIDFilename)
+			if err := os.WriteFile(pidF, []byte(fmt.Sprintf("%d", os.Getpid())), 0600); err != nil {
+				return err
+			}
+			defer func() {
+				if err := os.Remove(pidF); err != nil {
+					logrus.Errorf("failed to clean up info file %q: %v", pidF, err)
+				}
+			}()
+
+			// prepare server
+			b := NewServer(func(ctx context.Context, options *controllerapi.BuildOptions, stdin io.Reader, progress progress.Writer) (*client.SolveResponse, *build.ResultHandle, error) {
+				return cbuild.RunBuild(ctx, dockerCli, *options, stdin, progress, true)
+			})
+			defer b.Close()
+
+			// serve server
+			addr := filepath.Join(root, defaultSocketFilename)
+			if err := os.Remove(addr); err != nil && !os.IsNotExist(err) { // avoid EADDRINUSE
+				return err
+			}
+			defer func() {
+				if err := os.Remove(addr); err != nil {
+					logrus.Errorf("failed to clean up socket %q: %v", addr, err)
+				}
+			}()
+			logrus.Infof("starting server at %q", addr)
+			l, err := net.Listen("unix", addr)
+			if err != nil {
+				return err
+			}
+			rpc := grpc.NewServer(
+				grpc.UnaryInterceptor(grpcerrors.UnaryServerInterceptor),
+				grpc.StreamInterceptor(grpcerrors.StreamServerInterceptor),
+			)
+			controllerapi.RegisterControllerServer(rpc, b)
+			doneCh := make(chan struct{})
+			errCh := make(chan error, 1)
+			go func() {
+				defer close(doneCh)
+				if err := rpc.Serve(l); err != nil {
+					errCh <- errors.Wrapf(err, "error on serving via socket %q", addr)
+				}
+			}()
+
+			var s os.Signal
+			sigCh := make(chan os.Signal, 1)
+			signal.Notify(sigCh, syscall.SIGINT)
+			signal.Notify(sigCh, syscall.SIGTERM)
+			select {
+			case err := <-errCh:
+				logrus.Errorf("got error %s, exiting", err)
+				return err
+			case s = <-sigCh:
+				logrus.Infof("got signal %s, exiting", s)
+				return nil
+			case <-doneCh:
+				logrus.Infof("rpc server done, exiting")
+				return nil
+			}
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.StringVar(&serverConfigPath, "config", "", "Specify buildx server config file")
+	return cmd
+}
+
+func getLogFilePath(dockerCli command.Cli, configPath string) (string, error) {
+	config, err := getConfig(dockerCli, configPath)
+	if err != nil {
+		return "", err
+	}
+	if config.LogFile == "" {
+		root, err := prepareRootDir(dockerCli, config)
+		if err != nil {
+			return "", err
+		}
+		return filepath.Join(root, defaultLogFilename), nil
+	}
+	return config.LogFile, nil
+}
+
+func getConfig(dockerCli command.Cli, configPath string) (*serverConfig, error) {
+	var defaultConfigPath bool
+	if configPath == "" {
+		defaultRoot := rootDataDir(dockerCli)
+		configPath = filepath.Join(defaultRoot, "config.toml")
+		defaultConfigPath = true
+	}
+	var config serverConfig
+	tree, err := toml.LoadFile(configPath)
+	if err != nil && !(os.IsNotExist(err) && defaultConfigPath) {
+		return nil, errors.Wrapf(err, "failed to read config %q", configPath)
+	} else if err == nil {
+		if err := tree.Unmarshal(&config); err != nil {
+			return nil, errors.Wrapf(err, "failed to unmarshal config %q", configPath)
+		}
+	}
+	return &config, nil
+}
+
+func prepareRootDir(dockerCli command.Cli, config *serverConfig) (string, error) {
+	rootDir := config.Root
+	if rootDir == "" {
+		rootDir = rootDataDir(dockerCli)
+	}
+	if rootDir == "" {
+		return "", errors.New("buildx root dir must be determined")
+	}
+	if err := os.MkdirAll(rootDir, 0700); err != nil {
+		return "", err
+	}
+	serverRoot := filepath.Join(rootDir, "shared")
+	if err := os.MkdirAll(serverRoot, 0700); err != nil {
+		return "", err
+	}
+	return serverRoot, nil
+}
+
+func rootDataDir(dockerCli command.Cli) string {
+	return filepath.Join(confutil.ConfigDir(dockerCli), "controller")
+}
+
+func newBuildxClientAndCheck(ctx context.Context, addr string) (*Client, error) {
+	c, err := NewClient(ctx, addr)
+	if err != nil {
+		return nil, err
+	}
+	p, v, r, err := c.Version(ctx)
+	if err != nil {
+		return nil, err
+	}
+	logrus.Debugf("connected to server (\"%v %v %v\")", p, v, r)
+	if !(p == version.Package && v == version.Version && r == version.Revision) {
+		return nil, errors.Errorf("version mismatch (client: \"%v %v %v\", server: \"%v %v %v\")", version.Package, version.Version, version.Revision, p, v, r)
+	}
+	return c, nil
+}
+
+type buildxController struct {
+	*Client
+	serverRoot string
+}
+
+func (c *buildxController) Kill(ctx context.Context) error {
+	pidB, err := os.ReadFile(filepath.Join(c.serverRoot, defaultPIDFilename))
+	if err != nil {
+		return err
+	}
+	pid, err := strconv.ParseInt(string(pidB), 10, 64)
+	if err != nil {
+		return err
+	}
+	if pid <= 0 {
+		return errors.New("no PID is recorded for buildx server")
+	}
+	p, err := os.FindProcess(int(pid))
+	if err != nil {
+		return err
+	}
+	if err := p.Signal(syscall.SIGINT); err != nil {
+		return err
+	}
+	// TODO: Should we send SIGKILL if process doesn't finish?
+	return nil
+}
+
+func launch(ctx context.Context, logFile string, args ...string) (func() error, error) {
+	// set absolute path of binary, since we set the working directory to the root
+	pathname, err := os.Executable()
+	if err != nil {
+		return nil, err
+	}
+	bCmd := exec.CommandContext(ctx, pathname, args...)
+	if logFile != "" {
+		f, err := os.OpenFile(logFile, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
+		if err != nil {
+			return nil, err
+		}
+		defer f.Close()
+		bCmd.Stdout = f
+		bCmd.Stderr = f
+	}
+	bCmd.Stdin = nil
+	bCmd.Dir = "/"
+	bCmd.SysProcAttr = &syscall.SysProcAttr{
+		Setsid: true,
+	}
+	if err := bCmd.Start(); err != nil {
+		return nil, err
+	}
+	return bCmd.Wait, nil
+}

controller/remote/controller_nolinux.go

@@ -0,0 +1,19 @@
+//go:build !linux
+
+package remote
+
+import (
+	"context"
+
+	"github.com/docker/buildx/controller/control"
+	"github.com/docker/buildx/util/progress"
+	"github.com/docker/cli/cli/command"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+func NewRemoteBuildxController(ctx context.Context, dockerCli command.Cli, opts control.ControlOptions, logger progress.SubLogger) (control.BuildxController, error) {
+	return nil, errors.New("remote buildx unsupported")
+}
+
+func AddControllerCommands(cmd *cobra.Command, dockerCli command.Cli) {}

controller/remote/io.go

@@ -0,0 +1,430 @@
+package remote
+
+import (
+	"context"
+	"io"
+	"syscall"
+	"time"
+
+	"github.com/docker/buildx/controller/pb"
+	"github.com/moby/sys/signal"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sync/errgroup"
+)
+
+type msgStream interface {
+	Send(*pb.Message) error
+	Recv() (*pb.Message, error)
+}
+
+type ioServerConfig struct {
+	stdin          io.WriteCloser
+	stdout, stderr io.ReadCloser
+
+	// signalFn is a callback function called when a signal is reached to the client.
+	signalFn func(context.Context, syscall.Signal) error
+
+	// resizeFn is a callback function called when a resize event is reached to the client.
+	resizeFn func(context.Context, winSize) error
+}
+
+func serveIO(attachCtx context.Context, srv msgStream, initFn func(*pb.InitMessage) error, ioConfig *ioServerConfig) (err error) {
+	stdin, stdout, stderr := ioConfig.stdin, ioConfig.stdout, ioConfig.stderr
+	stream := &debugStream{srv, "server=" + time.Now().String()}
+	eg, ctx := errgroup.WithContext(attachCtx)
+	done := make(chan struct{})
+
+	msg, err := receive(ctx, stream)
+	if err != nil {
+		return err
+	}
+	init := msg.GetInit()
+	if init == nil {
+		return errors.Errorf("unexpected message: %T; wanted init", msg.GetInput())
+	}
+	ref := init.Ref
+	if ref == "" {
+		return errors.New("no ref is provided")
+	}
+	if err := initFn(init); err != nil {
+		return errors.Wrap(err, "failed to initialize IO server")
+	}
+
+	if stdout != nil {
+		stdoutReader, stdoutWriter := io.Pipe()
+		eg.Go(func() error {
+			<-done
+			return stdoutWriter.Close()
+		})
+
+		go func() {
+			// do not wait for read completion but return here and let the caller send EOF
+			// this allows us to return on ctx.Done() without being blocked by this reader.
+			io.Copy(stdoutWriter, stdout)
+			stdoutWriter.Close()
+		}()
+
+		eg.Go(func() error {
+			defer stdoutReader.Close()
+			return copyToStream(1, stream, stdoutReader)
+		})
+	}
+
+	if stderr != nil {
+		stderrReader, stderrWriter := io.Pipe()
+		eg.Go(func() error {
+			<-done
+			return stderrWriter.Close()
+		})
+
+		go func() {
+			// do not wait for read completion but return here and let the caller send EOF
+			// this allows us to return on ctx.Done() without being blocked by this reader.
+			io.Copy(stderrWriter, stderr)
+			stderrWriter.Close()
+		}()
+
+		eg.Go(func() error {
+			defer stderrReader.Close()
+			return copyToStream(2, stream, stderrReader)
+		})
+	}
+
+	msgCh := make(chan *pb.Message)
+	eg.Go(func() error {
+		defer close(msgCh)
+		for {
+			msg, err := receive(ctx, stream)
+			if err != nil {
+				return err
+			}
+			select {
+			case msgCh <- msg:
+			case <-done:
+				return nil
+			case <-ctx.Done():
+				return nil
+			}
+		}
+	})
+
+	eg.Go(func() error {
+		defer close(done)
+		for {
+			var msg *pb.Message
+			select {
+			case msg = <-msgCh:
+			case <-ctx.Done():
+				return nil
+			}
+			if msg == nil {
+				return nil
+			}
+			if file := msg.GetFile(); file != nil {
+				if file.Fd != 0 {
+					return errors.Errorf("unexpected fd: %v", file.Fd)
+				}
+				if stdin == nil {
+					continue // no stdin destination is specified so ignore the data
+				}
+				if len(file.Data) > 0 {
+					_, err := stdin.Write(file.Data)
+					if err != nil {
+						return err
+					}
+				}
+				if file.EOF {
+					stdin.Close()
+				}
+			} else if resize := msg.GetResize(); resize != nil {
+				if ioConfig.resizeFn != nil {
+					ioConfig.resizeFn(ctx, winSize{
+						cols: resize.Cols,
+						rows: resize.Rows,
+					})
+				}
+			} else if sig := msg.GetSignal(); sig != nil {
+				if ioConfig.signalFn != nil {
+					syscallSignal, ok := signal.SignalMap[sig.Name]
+					if !ok {
+						continue
+					}
+					ioConfig.signalFn(ctx, syscallSignal)
+				}
+			} else {
+				return errors.Errorf("unexpected message: %T", msg.GetInput())
+			}
+		}
+	})
+
+	return eg.Wait()
+}
+
+type ioAttachConfig struct {
+	stdin          io.ReadCloser
+	stdout, stderr io.WriteCloser
+	signal         <-chan syscall.Signal
+	resize         <-chan winSize
+}
+
+type winSize struct {
+	rows uint32
+	cols uint32
+}
+
+func attachIO(ctx context.Context, stream msgStream, initMessage *pb.InitMessage, cfg ioAttachConfig) (retErr error) {
+	eg, ctx := errgroup.WithContext(ctx)
+	done := make(chan struct{})
+
+	if err := stream.Send(&pb.Message{
+		Input: &pb.Message_Init{
+			Init: initMessage,
+		},
+	}); err != nil {
+		return errors.Wrap(err, "failed to init")
+	}
+
+	if cfg.stdin != nil {
+		stdinReader, stdinWriter := io.Pipe()
+		eg.Go(func() error {
+			<-done
+			return stdinWriter.Close()
+		})
+
+		go func() {
+			// do not wait for read completion but return here and let the caller send EOF
+			// this allows us to return on ctx.Done() without being blocked by this reader.
+			io.Copy(stdinWriter, cfg.stdin)
+			stdinWriter.Close()
+		}()
+
+		eg.Go(func() error {
+			defer stdinReader.Close()
+			return copyToStream(0, stream, stdinReader)
+		})
+	}
+
+	if cfg.signal != nil {
+		eg.Go(func() error {
+			for {
+				var sig syscall.Signal
+				select {
+				case sig = <-cfg.signal:
+				case <-done:
+					return nil
+				case <-ctx.Done():
+					return nil
+				}
+				name := sigToName[sig]
+				if name == "" {
+					continue
+				}
+				if err := stream.Send(&pb.Message{
+					Input: &pb.Message_Signal{
+						Signal: &pb.SignalMessage{
+							Name: name,
+						},
+					},
+				}); err != nil {
+					return errors.Wrap(err, "failed to send signal")
+				}
+			}
+		})
+	}
+
+	if cfg.resize != nil {
+		eg.Go(func() error {
+			for {
+				var win winSize
+				select {
+				case win = <-cfg.resize:
+				case <-done:
+					return nil
+				case <-ctx.Done():
+					return nil
+				}
+				if err := stream.Send(&pb.Message{
+					Input: &pb.Message_Resize{
+						Resize: &pb.ResizeMessage{
+							Rows: win.rows,
+							Cols: win.cols,
+						},
+					},
+				}); err != nil {
+					return errors.Wrap(err, "failed to send resize")
+				}
+			}
+		})
+	}
+
+	msgCh := make(chan *pb.Message)
+	eg.Go(func() error {
+		defer close(msgCh)
+		for {
+			msg, err := receive(ctx, stream)
+			if err != nil {
+				return err
+			}
+			select {
+			case msgCh <- msg:
+			case <-done:
+				return nil
+			case <-ctx.Done():
+				return nil
+			}
+		}
+	})
+
+	eg.Go(func() error {
+		eofs := make(map[uint32]struct{})
+		defer close(done)
+		for {
+			var msg *pb.Message
+			select {
+			case msg = <-msgCh:
+			case <-ctx.Done():
+				return nil
+			}
+			if msg == nil {
+				return nil
+			}
+			if file := msg.GetFile(); file != nil {
+				if _, ok := eofs[file.Fd]; ok {
+					continue
+				}
+				var out io.WriteCloser
+				switch file.Fd {
+				case 1:
+					out = cfg.stdout
+				case 2:
+					out = cfg.stderr
+				default:
+					return errors.Errorf("unsupported fd %d", file.Fd)
+
+				}
+				if out == nil {
+					logrus.Warnf("attachIO: no writer for fd %d", file.Fd)
+					continue
+				}
+				if len(file.Data) > 0 {
+					if _, err := out.Write(file.Data); err != nil {
+						return err
+					}
+				}
+				if file.EOF {
+					eofs[file.Fd] = struct{}{}
+				}
+			} else {
+				return errors.Errorf("unexpected message: %T", msg.GetInput())
+			}
+		}
+	})
+
+	return eg.Wait()
+}
+
+func receive(ctx context.Context, stream msgStream) (*pb.Message, error) {
+	msgCh := make(chan *pb.Message)
+	errCh := make(chan error)
+	go func() {
+		msg, err := stream.Recv()
+		if err != nil {
+			if errors.Is(err, io.EOF) {
+				return
+			}
+			errCh <- err
+			return
+		}
+		msgCh <- msg
+	}()
+	select {
+	case msg := <-msgCh:
+		return msg, nil
+	case err := <-errCh:
+		return nil, err
+	case <-ctx.Done():
+		return nil, ctx.Err()
+	}
+}
+
+func copyToStream(fd uint32, snd msgStream, r io.Reader) error {
+	for {
+		buf := make([]byte, 32*1024)
+		n, err := r.Read(buf)
+		if err != nil {
+			if err == io.EOF {
+				break // break loop and send EOF
+			}
+			return err
+		} else if n > 0 {
+			if snd.Send(&pb.Message{
+				Input: &pb.Message_File{
+					File: &pb.FdMessage{
+						Fd:   fd,
+						Data: buf[:n],
+					},
+				},
+			}); err != nil {
+				return err
+			}
+		}
+	}
+	return snd.Send(&pb.Message{
+		Input: &pb.Message_File{
+			File: &pb.FdMessage{
+				Fd:  fd,
+				EOF: true,
+			},
+		},
+	})
+}
+
+var sigToName = map[syscall.Signal]string{}
+
+func init() {
+	for name, value := range signal.SignalMap {
+		sigToName[value] = name
+	}
+}
+
+type debugStream struct {
+	msgStream
+	prefix string
+}
+
+func (s *debugStream) Send(msg *pb.Message) error {
+	switch m := msg.GetInput().(type) {
+	case *pb.Message_File:
+		if m.File.EOF {
+			logrus.Debugf("|---> File Message (sender:%v) fd=%d, EOF", s.prefix, m.File.Fd)
+		} else {
+			logrus.Debugf("|---> File Message (sender:%v) fd=%d, %d bytes", s.prefix, m.File.Fd, len(m.File.Data))
+		}
+	case *pb.Message_Resize:
+		logrus.Debugf("|---> Resize Message (sender:%v): %+v", s.prefix, m.Resize)
+	case *pb.Message_Signal:
+		logrus.Debugf("|---> Signal Message (sender:%v): %s", s.prefix, m.Signal.Name)
+	}
+	return s.msgStream.Send(msg)
+}
+
+func (s *debugStream) Recv() (*pb.Message, error) {
+	msg, err := s.msgStream.Recv()
+	if err != nil {
+		return nil, err
+	}
+	switch m := msg.GetInput().(type) {
+	case *pb.Message_File:
+		if m.File.EOF {
+			logrus.Debugf("|<--- File Message (receiver:%v) fd=%d, EOF", s.prefix, m.File.Fd)
+		} else {
+			logrus.Debugf("|<--- File Message (receiver:%v) fd=%d, %d bytes", s.prefix, m.File.Fd, len(m.File.Data))
+		}
+	case *pb.Message_Resize:
+		logrus.Debugf("|<--- Resize Message (receiver:%v): %+v", s.prefix, m.Resize)
+	case *pb.Message_Signal:
+		logrus.Debugf("|<--- Signal Message (receiver:%v): %s", s.prefix, m.Signal.Name)
+	}
+	return msg, nil
+}

controller/remote/server.go

@@ -0,0 +1,441 @@
+package remote
+
+import (
+	"context"
+	"io"
+	"sync"
+	"sync/atomic"
+	"time"
+
+	"github.com/docker/buildx/build"
+	controllererrors "github.com/docker/buildx/controller/errdefs"
+	"github.com/docker/buildx/controller/pb"
+	"github.com/docker/buildx/controller/processes"
+	"github.com/docker/buildx/util/ioset"
+	"github.com/docker/buildx/util/progress"
+	"github.com/docker/buildx/version"
+	"github.com/moby/buildkit/client"
+	"github.com/pkg/errors"
+	"golang.org/x/sync/errgroup"
+)
+
+type BuildFunc func(ctx context.Context, options *pb.BuildOptions, stdin io.Reader, progress progress.Writer) (resp *client.SolveResponse, res *build.ResultHandle, err error)
+
+func NewServer(buildFunc BuildFunc) *Server {
+	return &Server{
+		buildFunc: buildFunc,
+	}
+}
+
+type Server struct {
+	buildFunc BuildFunc
+	session   map[string]*session
+	sessionMu sync.Mutex
+}
+
+type session struct {
+	buildOnGoing atomic.Bool
+	statusChan   chan *pb.StatusResponse
+	cancelBuild  func()
+	buildOptions *pb.BuildOptions
+	inputPipe    *io.PipeWriter
+
+	result *build.ResultHandle
+
+	processes *processes.Manager
+}
+
+func (s *session) cancelRunningProcesses() {
+	s.processes.CancelRunningProcesses()
+}
+
+func (m *Server) ListProcesses(ctx context.Context, req *pb.ListProcessesRequest) (res *pb.ListProcessesResponse, err error) {
+	m.sessionMu.Lock()
+	defer m.sessionMu.Unlock()
+	s, ok := m.session[req.Ref]
+	if !ok {
+		return nil, errors.Errorf("unknown ref %q", req.Ref)
+	}
+	res = new(pb.ListProcessesResponse)
+	for _, p := range s.processes.ListProcesses() {
+		res.Infos = append(res.Infos, p)
+	}
+	return res, nil
+}
+
+func (m *Server) DisconnectProcess(ctx context.Context, req *pb.DisconnectProcessRequest) (res *pb.DisconnectProcessResponse, err error) {
+	m.sessionMu.Lock()
+	defer m.sessionMu.Unlock()
+	s, ok := m.session[req.Ref]
+	if !ok {
+		return nil, errors.Errorf("unknown ref %q", req.Ref)
+	}
+	return res, s.processes.DeleteProcess(req.ProcessID)
+}
+
+func (m *Server) Info(ctx context.Context, req *pb.InfoRequest) (res *pb.InfoResponse, err error) {
+	return &pb.InfoResponse{
+		BuildxVersion: &pb.BuildxVersion{
+			Package:  version.Package,
+			Version:  version.Version,
+			Revision: version.Revision,
+		},
+	}, nil
+}
+
+func (m *Server) List(ctx context.Context, req *pb.ListRequest) (res *pb.ListResponse, err error) {
+	keys := make(map[string]struct{})
+
+	m.sessionMu.Lock()
+	for k := range m.session {
+		keys[k] = struct{}{}
+	}
+	m.sessionMu.Unlock()
+
+	var keysL []string
+	for k := range keys {
+		keysL = append(keysL, k)
+	}
+	return &pb.ListResponse{
+		Keys: keysL,
+	}, nil
+}
+
+func (m *Server) Disconnect(ctx context.Context, req *pb.DisconnectRequest) (res *pb.DisconnectResponse, err error) {
+	key := req.Ref
+	if key == "" {
+		return nil, errors.New("disconnect: empty key")
+	}
+
+	m.sessionMu.Lock()
+	if s, ok := m.session[key]; ok {
+		if s.cancelBuild != nil {
+			s.cancelBuild()
+		}
+		s.cancelRunningProcesses()
+		if s.result != nil {
+			s.result.Done()
+		}
+	}
+	delete(m.session, key)
+	m.sessionMu.Unlock()
+
+	return &pb.DisconnectResponse{}, nil
+}
+
+func (m *Server) Close() error {
+	m.sessionMu.Lock()
+	for k := range m.session {
+		if s, ok := m.session[k]; ok {
+			if s.cancelBuild != nil {
+				s.cancelBuild()
+			}
+			s.cancelRunningProcesses()
+		}
+	}
+	m.sessionMu.Unlock()
+	return nil
+}
+
+func (m *Server) Inspect(ctx context.Context, req *pb.InspectRequest) (*pb.InspectResponse, error) {
+	ref := req.Ref
+	if ref == "" {
+		return nil, errors.New("inspect: empty key")
+	}
+	var bo *pb.BuildOptions
+	m.sessionMu.Lock()
+	if s, ok := m.session[ref]; ok {
+		bo = s.buildOptions
+	} else {
+		m.sessionMu.Unlock()
+		return nil, errors.Errorf("inspect: unknown key %v", ref)
+	}
+	m.sessionMu.Unlock()
+	return &pb.InspectResponse{Options: bo}, nil
+}
+
+func (m *Server) Build(ctx context.Context, req *pb.BuildRequest) (*pb.BuildResponse, error) {
+	ref := req.Ref
+	if ref == "" {
+		return nil, errors.New("build: empty key")
+	}
+
+	// Prepare status channel and session
+	m.sessionMu.Lock()
+	if m.session == nil {
+		m.session = make(map[string]*session)
+	}
+	s, ok := m.session[ref]
+	if ok {
+		if !s.buildOnGoing.CompareAndSwap(false, true) {
+			m.sessionMu.Unlock()
+			return &pb.BuildResponse{}, errors.New("build ongoing")
+		}
+		s.cancelRunningProcesses()
+		s.result = nil
+	} else {
+		s = &session{}
+		s.buildOnGoing.Store(true)
+	}
+
+	s.processes = processes.NewManager()
+	statusChan := make(chan *pb.StatusResponse)
+	s.statusChan = statusChan
+	inR, inW := io.Pipe()
+	defer inR.Close()
+	s.inputPipe = inW
+	m.session[ref] = s
+	m.sessionMu.Unlock()
+	defer func() {
+		close(statusChan)
+		m.sessionMu.Lock()
+		s, ok := m.session[ref]
+		if ok {
+			s.statusChan = nil
+			s.buildOnGoing.Store(false)
+		}
+		m.sessionMu.Unlock()
+	}()
+
+	pw := pb.NewProgressWriter(statusChan)
+
+	// Build the specified request
+	ctx, cancel := context.WithCancel(ctx)
+	defer cancel()
+	resp, res, buildErr := m.buildFunc(ctx, req.Options, inR, pw)
+	m.sessionMu.Lock()
+	if s, ok := m.session[ref]; ok {
+		// NOTE: buildFunc can return *build.ResultHandle even on error (e.g. when it's implemented using (github.com/docker/buildx/controller/build).RunBuild).
+		if res != nil {
+			s.result = res
+			s.cancelBuild = cancel
+			s.buildOptions = req.Options
+			m.session[ref] = s
+			if buildErr != nil {
+				buildErr = controllererrors.WrapBuild(buildErr, ref)
+			}
+		}
+	} else {
+		m.sessionMu.Unlock()
+		return nil, errors.Errorf("build: unknown key %v", ref)
+	}
+	m.sessionMu.Unlock()
+
+	if buildErr != nil {
+		return nil, buildErr
+	}
+
+	if resp == nil {
+		resp = &client.SolveResponse{}
+	}
+	return &pb.BuildResponse{
+		ExporterResponse: resp.ExporterResponse,
+	}, nil
+}
+
+func (m *Server) Status(req *pb.StatusRequest, stream pb.Controller_StatusServer) error {
+	ref := req.Ref
+	if ref == "" {
+		return errors.New("status: empty key")
+	}
+
+	// Wait and get status channel prepared by Build()
+	var statusChan <-chan *pb.StatusResponse
+	for {
+		// TODO: timeout?
+		m.sessionMu.Lock()
+		if _, ok := m.session[ref]; !ok || m.session[ref].statusChan == nil {
+			m.sessionMu.Unlock()
+			time.Sleep(time.Millisecond) // TODO: wait Build without busy loop and make it cancellable
+			continue
+		}
+		statusChan = m.session[ref].statusChan
+		m.sessionMu.Unlock()
+		break
+	}
+
+	// forward status
+	for ss := range statusChan {
+		if ss == nil {
+			break
+		}
+		if err := stream.Send(ss); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (m *Server) Input(stream pb.Controller_InputServer) (err error) {
+	// Get the target ref from init message
+	msg, err := stream.Recv()
+	if err != nil {
+		if !errors.Is(err, io.EOF) {
+			return err
+		}
+		return nil
+	}
+	init := msg.GetInit()
+	if init == nil {
+		return errors.Errorf("unexpected message: %T; wanted init", msg.GetInit())
+	}
+	ref := init.Ref
+	if ref == "" {
+		return errors.New("input: no ref is provided")
+	}
+
+	// Wait and get input stream pipe prepared by Build()
+	var inputPipeW *io.PipeWriter
+	for {
+		// TODO: timeout?
+		m.sessionMu.Lock()
+		if _, ok := m.session[ref]; !ok || m.session[ref].inputPipe == nil {
+			m.sessionMu.Unlock()
+			time.Sleep(time.Millisecond) // TODO: wait Build without busy loop and make it cancellable
+			continue
+		}
+		inputPipeW = m.session[ref].inputPipe
+		m.sessionMu.Unlock()
+		break
+	}
+
+	// Forward input stream
+	eg, ctx := errgroup.WithContext(context.TODO())
+	done := make(chan struct{})
+	msgCh := make(chan *pb.InputMessage)
+	eg.Go(func() error {
+		defer close(msgCh)
+		for {
+			msg, err := stream.Recv()
+			if err != nil {
+				if !errors.Is(err, io.EOF) {
+					return err
+				}
+				return nil
+			}
+			select {
+			case msgCh <- msg:
+			case <-done:
+				return nil
+			case <-ctx.Done():
+				return nil
+			}
+		}
+	})
+	eg.Go(func() (retErr error) {
+		defer close(done)
+		defer func() {
+			if retErr != nil {
+				inputPipeW.CloseWithError(retErr)
+				return
+			}
+			inputPipeW.Close()
+		}()
+		for {
+			var msg *pb.InputMessage
+			select {
+			case msg = <-msgCh:
+			case <-ctx.Done():
+				return errors.Wrap(ctx.Err(), "canceled")
+			}
+			if msg == nil {
+				return nil
+			}
+			if data := msg.GetData(); data != nil {
+				if len(data.Data) > 0 {
+					_, err := inputPipeW.Write(data.Data)
+					if err != nil {
+						return err
+					}
+				}
+				if data.EOF {
+					return nil
+				}
+			}
+		}
+	})
+
+	return eg.Wait()
+}
+
+func (m *Server) Invoke(srv pb.Controller_InvokeServer) error {
+	containerIn, containerOut := ioset.Pipe()
+	defer func() { containerOut.Close(); containerIn.Close() }()
+
+	initDoneCh := make(chan *processes.Process)
+	initErrCh := make(chan error)
+	eg, egCtx := errgroup.WithContext(context.TODO())
+	srvIOCtx, srvIOCancel := context.WithCancel(egCtx)
+	eg.Go(func() error {
+		defer srvIOCancel()
+		return serveIO(srvIOCtx, srv, func(initMessage *pb.InitMessage) (retErr error) {
+			defer func() {
+				if retErr != nil {
+					initErrCh <- retErr
+				}
+			}()
+			ref := initMessage.Ref
+			cfg := initMessage.InvokeConfig
+
+			m.sessionMu.Lock()
+			s, ok := m.session[ref]
+			if !ok {
+				m.sessionMu.Unlock()
+				return errors.Errorf("invoke: unknown key %v", ref)
+			}
+			m.sessionMu.Unlock()
+
+			pid := initMessage.ProcessID
+			if pid == "" {
+				return errors.Errorf("invoke: specify process ID")
+			}
+			proc, ok := s.processes.Get(pid)
+			if !ok {
+				// Start a new process.
+				if cfg == nil {
+					return errors.New("no container config is provided")
+				}
+				var err error
+				proc, err = s.processes.StartProcess(pid, s.result, cfg)
+				if err != nil {
+					return err
+				}
+			}
+			// Attach containerIn to this process
+			proc.ForwardIO(&containerIn, srvIOCancel)
+			initDoneCh <- proc
+			return nil
+		}, &ioServerConfig{
+			stdin:  containerOut.Stdin,
+			stdout: containerOut.Stdout,
+			stderr: containerOut.Stderr,
+			// TODO: signal, resize
+		})
+	})
+	eg.Go(func() (rErr error) {
+		defer srvIOCancel()
+		// Wait for init done
+		var proc *processes.Process
+		select {
+		case p := <-initDoneCh:
+			proc = p
+		case err := <-initErrCh:
+			return err
+		case <-egCtx.Done():
+			return egCtx.Err()
+		}
+
+		// Wait for IO done
+		select {
+		case <-srvIOCtx.Done():
+			return srvIOCtx.Err()
+		case err := <-proc.Done():
+			return err
+		case <-egCtx.Done():
+			return egCtx.Err()
+		}
+	})
+
+	return eg.Wait()
+}

docker-bake.hcl

@@ -0,0 +1,184 @@
+variable "GO_VERSION" {
+  default = "1.20"
+}
+variable "DOCS_FORMATS" {
+  default = "md"
+}
+variable "DESTDIR" {
+  default = "./bin"
+}
+
+# Special target: https://github.com/docker/metadata-action#bake-definition
+target "meta-helper" {
+  tags = ["docker/buildx-bin:local"]
+}
+
+target "_common" {
+  args = {
+    GO_VERSION = GO_VERSION
+    BUILDKIT_CONTEXT_KEEP_GIT_DIR = 1
+  }
+}
+
+group "default" {
+  targets = ["binaries"]
+}
+
+group "validate" {
+  targets = ["lint", "validate-vendor", "validate-docs"]
+}
+
+target "lint" {
+  inherits = ["_common"]
+  dockerfile = "./hack/dockerfiles/lint.Dockerfile"
+  output = ["type=cacheonly"]
+}
+
+target "validate-vendor" {
+  inherits = ["_common"]
+  dockerfile = "./hack/dockerfiles/vendor.Dockerfile"
+  target = "validate"
+  output = ["type=cacheonly"]
+}
+
+target "validate-docs" {
+  inherits = ["_common"]
+  args = {
+    FORMATS = DOCS_FORMATS
+    BUILDX_EXPERIMENTAL = 1 // enables experimental cmds/flags for docs generation
+  }
+  dockerfile = "./hack/dockerfiles/docs.Dockerfile"
+  target = "validate"
+  output = ["type=cacheonly"]
+}
+
+target "validate-authors" {
+  inherits = ["_common"]
+  dockerfile = "./hack/dockerfiles/authors.Dockerfile"
+  target = "validate"
+  output = ["type=cacheonly"]
+}
+
+target "validate-generated-files" {
+  inherits = ["_common"]
+  dockerfile = "./hack/dockerfiles/generated-files.Dockerfile"
+  target = "validate"
+  output = ["type=cacheonly"]
+}
+
+target "update-vendor" {
+  inherits = ["_common"]
+  dockerfile = "./hack/dockerfiles/vendor.Dockerfile"
+  target = "update"
+  output = ["."]
+}
+
+target "update-docs" {
+  inherits = ["_common"]
+  args = {
+    FORMATS = DOCS_FORMATS
+    BUILDX_EXPERIMENTAL = 1 // enables experimental cmds/flags for docs generation
+  }
+  dockerfile = "./hack/dockerfiles/docs.Dockerfile"
+  target = "update"
+  output = ["./docs/reference"]
+}
+
+target "update-authors" {
+  inherits = ["_common"]
+  dockerfile = "./hack/dockerfiles/authors.Dockerfile"
+  target = "update"
+  output = ["."]
+}
+
+target "update-generated-files" {
+  inherits = ["_common"]
+  dockerfile = "./hack/dockerfiles/generated-files.Dockerfile"
+  target = "update"
+  output = ["."]
+}
+
+target "mod-outdated" {
+  inherits = ["_common"]
+  dockerfile = "./hack/dockerfiles/vendor.Dockerfile"
+  target = "outdated"
+  no-cache-filter = ["outdated"]
+  output = ["type=cacheonly"]
+}
+
+target "test" {
+  inherits = ["_common"]
+  target = "test-coverage"
+  output = ["${DESTDIR}/coverage"]
+}
+
+target "binaries" {
+  inherits = ["_common"]
+  target = "binaries"
+  output = ["${DESTDIR}/build"]
+  platforms = ["local"]
+}
+
+target "binaries-cross" {
+  inherits = ["binaries"]
+  platforms = [
+    "darwin/amd64",
+    "darwin/arm64",
+    "linux/amd64",
+    "linux/arm/v6",
+    "linux/arm/v7",
+    "linux/arm64",
+    "linux/ppc64le",
+    "linux/riscv64",
+    "linux/s390x",
+    "windows/amd64",
+    "windows/arm64"
+  ]
+}
+
+target "release" {
+  inherits = ["binaries-cross"]
+  target = "release"
+  output = ["${DESTDIR}/release"]
+}
+
+target "image" {
+  inherits = ["meta-helper", "binaries"]
+  output = ["type=image"]
+}
+
+target "image-cross" {
+  inherits = ["meta-helper", "binaries-cross"]
+  output = ["type=image"]
+}
+
+target "image-local" {
+  inherits = ["image"]
+  output = ["type=docker"]
+}
+
+variable "HTTP_PROXY" {
+  default = ""
+}
+variable "HTTPS_PROXY" {
+  default = ""
+}
+variable "NO_PROXY" {
+  default = ""
+}
+
+target "integration-test-base" {
+  inherits = ["_common"]
+  args = {
+    HTTP_PROXY = HTTP_PROXY
+    HTTPS_PROXY = HTTPS_PROXY
+    NO_PROXY = NO_PROXY
+  }
+  target = "integration-test-base"
+  output = ["type=cacheonly"]
+}
+
+target "integration-test" {
+  inherits = ["integration-test-base"]
+  target = "integration-test"
+}

docs/bake-reference.md

@@ -0,0 +1,952 @@
+# Bake file reference
+
+The Bake file is a file for defining workflows that you run using `docker buildx bake`.
+
+## File format
+
+You can define your Bake file in the following file formats:
+
+- HashiCorp Configuration Language (HCL)
+- JSON
+- YAML (Compose file)
+
+By default, Bake uses the following lookup order to find the configuration file:
+
+1. `docker-bake.override.hcl`
+2. `docker-bake.hcl`
+3. `docker-bake.override.json`
+4. `docker-bake.json`
+5. `docker-compose.yaml`
+6. `docker-compose.yml`
+
+Bake searches for the file in the current working directory.
+You can specify the file location explicitly using the `--file` flag:
+
+```console
+$ docker buildx bake --file=../docker/bake.hcl --print
+```
+
+## Syntax
+
+The Bake file supports the following property types:
+
+- `target`: build targets
+- `group`: collections of build targets
+- `variable`: build arguments and variables
+- `function`: custom Bake functions
+
+You define properties as hierarchical blocks in the Bake file.
+You can assign one or more attributes to a property.
+
+The following snippet shows a JSON representation of a simple Bake file.
+This Bake file defines three properties: a variable, a group, and a target.
+
+```json
+{
+  "variable": {
+    "TAG": {
+      "default": "latest"
+    }
+  },
+  "group": {
+    "default": {
+      "targets": ["webapp"]
+    }
+  },
+  "target": {
+    "webapp": {
+      "dockerfile": "Dockerfile",
+      "tags": ["docker.io/username/webapp:${TAG}"]
+    }
+  }
+}
+```
+
+In the JSON representation of a Bake file, properties are objects,
+and attributes are values assigned to those objects.
+
+The following example shows the same Bake file in the HCL format:
+
+```hcl
+variable "TAG" {
+  default = "latest"
+}
+
+group "default" {
+  targets = ["webapp"]
+}
+
+target "webapp" {
+  dockerfile = "Dockerfile"
+  tags = ["docker.io/username/webapp:${TAG}"]
+}
+```
+
+HCL is the preferred format for Bake files.
+Aside from syntactic differences,
+HCL lets you use features that the JSON and YAML formats don't support.
+
+The examples in this document use the HCL format.
+
+## Target
+
+A target reflects a single `docker build` invocation.
+Consider the following build command:
+
+```console
+$ docker build \
+  --file=Dockerfile.webapp \
+  --tag=docker.io/username/webapp:latest \
+  https://github.com/username/webapp
+```
+
+You can express this command in a Bake file as follows:
+
+```hcl
+target "webapp" {
+  dockerfile = "Dockerfile.webapp"
+  tags = ["docker.io/username/webapp:latest"]
+  context = "https://github.com/username/webapp"
+}
+```
+
+The following table shows the complete list of attributes that you can assign to a target:
+
+| Name                                            | Type    | Description                                                          |
+| ----------------------------------------------- | ------- | -------------------------------------------------------------------- |
+| [`args`](#targetargs)                           | Map     | Build arguments                                                      |
+| [`attest`](#targetattest)                       | List    | Build attestations                                                   |
+| [`cache-from`](#targetcache-from)               | List    | External cache sources                                               |
+| [`cache-to`](#targetcache-to)                   | List    | External cache destinations                                          |
+| [`context`](#targetcontext)                     | String  | Set of files located in the specified path or URL                    |
+| [`contexts`](#targetcontexts)                   | Map     | Additional build contexts                                            |
+| [`dockerfile-inline`](#targetdockerfile-inline) | String  | Inline Dockerfile string                                             |
+| [`dockerfile`](#targetdockerfile)               | String  | Dockerfile location                                                  |
+| [`inherits`](#targetinherits)                   | List    | Inherit attributes from other targets                                |
+| [`labels`](#targetlabels)                       | Map     | Metadata for images                                                  |
+| [`matrix`](#targetmatrix)                       | Map     | Define a set of variables that forks a target into multiple targets. |
+| [`name`](#targetname)                           | String  | Override the target name when using a matrix.                        |
+| [`no-cache-filter`](#targetno-cache-filter)     | List    | Disable build cache for specific stages                              |
+| [`no-cache`](#targetno-cache)                   | Boolean | Disable build cache completely                                       |
+| [`output`](#targetoutput)                       | List    | Output destinations                                                  |
+| [`platforms`](#targetplatforms)                 | List    | Target platforms                                                     |
+| [`pull`](#targetpull)                           | Boolean | Always pull images                                                   |
+| [`secret`](#targetsecret)                       | List    | Secrets to expose to the build                                       |
+| [`ssh`](#targetssh)                             | List    | SSH agent sockets or keys to expose to the build                     |
+| [`tags`](#targettags)                           | List    | Image names and tags                                                 |
+| [`target`](#targettarget)                       | String  | Target build stage                                                   |
+
+### `target.args`
+
+Use the `args` attribute to define build arguments for the target.
+This has the same effect as passing a [`--build-arg`][build-arg] flag to the build command.
+
+```hcl
+target "default" {
+  args = {
+    VERSION = "0.0.0+unknown"
+  }
+}
+```
+
+You can set `args` attributes to use `null` values.
+Doing so forces the `target` to use the `ARG` value specified in the Dockerfile.
+
+```hcl
+variable "GO_VERSION" {
+  default = "1.20.3"
+}
+
+target "webapp" {
+  dockerfile = "webapp.Dockerfile"
+  tags = ["docker.io/username/webapp"]
+}
+
+target "db" {
+  args = {
+    GO_VERSION = null
+  }
+  dockerfile = "db.Dockerfile"
+  tags = ["docker.io/username/db"]
+}
+```
+
+### `target.attest`
+
+The `attest` attribute lets you apply [build attestations][attestations] to the target.
+This attribute accepts the long-form CSV version of attestation parameters.
+
+```hcl
+target "default" {
+  attest = [
+    "type=provenance,mode=min",
+    "type=sbom"
+  ]
+}
+```
+
+### `target.cache-from`
+
+Build cache sources.
+The builder imports cache from the locations you specify.
+It uses the [Buildx cache storage backends][cache-backends],
+and it works the same way as the [`--cache-from`][cache-from] flag.
+This takes a list value, so you can specify multiple cache sources.
+
+```hcl
+target "app" {
+  cache-from = [
+    "type=s3,region=eu-west-1,bucket=mybucket",
+    "user/repo:cache",
+  ]
+}
+```
+
+### `target.cache-to`
+
+Build cache export destinations.
+The builder exports its build cache to the locations you specify.
+It uses the [Buildx cache storage backends][cache-backends],
+and it works the same way as the [`--cache-to` flag][cache-to].
+This takes a list value, so you can specify multiple cache export targets.
+
+```hcl
+target "app" {
+  cache-to = [
+    "type=s3,region=eu-west-1,bucket=mybucket",
+    "type=inline"
+  ]
+}
+```
+
+### `target.context`
+
+Specifies the location of the build context to use for this target.
+Accepts a URL or a directory path.
+This is the same as the [build context][context] positional argument
+that you pass to the build command.
+
+```hcl
+target "app" {
+  context = "./src/www"
+}
+```
+
+This resolves to the current working directory (`"."`) by default.
+
+```console
+$ docker buildx bake --print -f - <<< 'target "default" {}'
+[+] Building 0.0s (0/0)
+{
+  "target": {
+    "default": {
+      "context": ".",
+      "dockerfile": "Dockerfile"
+    }
+  }
+}
+```
+
+### `target.contexts`
+
+Additional build contexts.
+This is the same as the [`--build-context` flag][build-context].
+This attribute takes a map, where keys result in named contexts that you can
+reference in your builds.
+
+You can specify different types of contexts, such local directories, Git URLs,
+and even other Bake targets. Bake automatically determines the type of
+a context based on the pattern of the context value.
+
+| Context type    | Example                                   |
+| --------------- | ----------------------------------------- |
+| Container image | `docker-image://alpine@sha256:0123456789` |
+| Git URL         | `https://github.com/user/proj.git`        |
+| HTTP URL        | `https://example.com/files`               |
+| Local directory | `../path/to/src`                          |
+| Bake target     | `target:base`                             |
+
+#### Pin an image version
+
+```hcl
+# docker-bake.hcl
+target "app" {
+    contexts = {
+        alpine = "docker-image://alpine:3.13"
+    }
+}
+```
+
+```Dockerfile
+# Dockerfile
+FROM alpine
+RUN echo "Hello world"
+```
+
+#### Use a local directory
+
+```hcl
+# docker-bake.hcl
+target "app" {
+    contexts = {
+        src = "../path/to/source"
+    }
+}
+```
+
+```Dockerfile
+# Dockerfile
+FROM scratch AS src
+FROM golang
+COPY --from=src . .
+```
+
+#### Use another target as base
+
+> **Note**
+>
+> You should prefer to use regular multi-stage builds over this option. You can
+> Use this feature when you have multiple Dockerfiles that can't be easily
+> merged into one.
+
+```hcl
+# docker-bake.hcl
+target "base" {
+    dockerfile = "baseapp.Dockerfile"
+}
+target "app" {
+    contexts = {
+        baseapp = "target:base"
+    }
+}
+```
+
+```Dockerfile
+# Dockerfile
+FROM baseapp
+RUN echo "Hello world"
+```
+
+### `target.dockerfile-inline`
+
+Uses the string value as an inline Dockerfile for the build target.
+
+```hcl
+target "default" {
+  dockerfile-inline = "FROM alpine\nENTRYPOINT [\"echo\", \"hello\"]"
+}
+```
+
+The `dockerfile-inline` takes precedence over the `dockerfile` attribute.
+If you specify both, Bake uses the inline version.
+
+### `target.dockerfile`
+
+Name of the Dockerfile to use for the build.
+This is the same as the [`--file` flag][file] for the `docker build` command.
+
+```hcl
+target "default" {
+  dockerfile = "./src/www/Dockerfile"
+}
+```
+
+Resolves to `"Dockerfile"` by default.
+
+```console
+$ docker buildx bake --print -f - <<< 'target "default" {}'
+[+] Building 0.0s (0/0)
+{
+  "target": {
+    "default": {
+      "context": ".",
+      "dockerfile": "Dockerfile"
+    }
+  }
+}
+```
+
+### `target.inherits`
+
+A target can inherit attributes from other targets.
+Use `inherits` to reference from one target to another.
+
+In the following example,
+the `app-dev` target specifies an image name and tag.
+The `app-release` target uses `inherits` to reuse the tag name.
+
+```hcl
+variable "TAG" {
+  default = "latest"
+}
+
+target "app-dev" {
+  tags = ["docker.io/username/myapp:${TAG}"]
+}
+
+target "app-release" {
+  inherits = ["app-dev"]
+  platforms = ["linux/amd64", "linux/arm64"]
+}
+```
+
+The `inherits` attribute is a list,
+meaning you can reuse attributes from multiple other targets.
+In the following example, the `app-release` target reuses attributes
+from both the `app-dev` and `_release` targets.
+
+```hcl
+target "app-dev" {
+  args = {
+    GO_VERSION = "1.20"
+    BUILDX_EXPERIMENTAL = 1
+  }
+  tags = ["docker.io/username/myapp"]
+  dockerfile = "app.Dockerfile"
+  labels = {
+    "org.opencontainers.image.source" = "https://github.com/username/myapp"
+  }
+}
+
+target "_release" {
+  args = {
+    BUILDKIT_CONTEXT_KEEP_GIT_DIR = 1
+    BUILDX_EXPERIMENTAL = 0
+  }
+}
+
+target "app-release" {
+  inherits = ["app-dev", "_release"]
+  platforms = ["linux/amd64", "linux/arm64"]
+}
+```
+
+When inheriting attributes from multiple targets and there's a conflict,
+the target that appears last in the `inherits` list takes precedence.
+The previous example defines the `BUILDX_EXPERIMENTAL` argument twice for the `app-release` target.
+It resolves to `0` because the `_release` target appears last in the inheritance chain:
+
+```console
+$ docker buildx bake --print app-release
+[+] Building 0.0s (0/0)
+{
+  "group": {
+    "default": {
+      "targets": [
+        "app-release"
+      ]
+    }
+  },
+  "target": {
+    "app-release": {
+      "context": ".",
+      "dockerfile": "app.Dockerfile",
+      "args": {
+        "BUILDKIT_CONTEXT_KEEP_GIT_DIR": "1",
+        "BUILDX_EXPERIMENTAL": "0",
+        "GO_VERSION": "1.20"
+      },
+      "labels": {
+        "org.opencontainers.image.source": "https://github.com/username/myapp"
+      },
+      "tags": [
+        "docker.io/username/myapp"
+      ],
+      "platforms": [
+        "linux/amd64",
+        "linux/arm64"
+      ]
+    }
+  }
+}
+```
+
+### `target.labels`
+
+Assigns image labels to the build.
+This is the same as the `--label` flag for `docker build`.
+
+```hcl
+target "default" {
+  labels = {
+    "org.opencontainers.image.source" = "https://github.com/username/myapp"
+    "com.docker.image.source.entrypoint" = "Dockerfile"
+  }
+}
+```
+
+It's possible to use a `null` value for labels.
+If you do, the builder uses the label value specified in the Dockerfile.
+
+### `target.matrix`
+
+A matrix strategy lets you fork a single target into multiple different
+variants, based on parameters that you specify.
+This works in a similar way to [Matrix strategies for GitHub Actions].
+You can use this to reduce duplication in your bake definition.
+
+The `matrix` attribute is a map of parameter names to lists of values.
+Bake builds each possible combination of values as a separate target.
+
+Each generated target **must** have a unique name.
+To specify how target names should resolve, use the `name` attribute.
+
+The following example resolves the `app` target to `app-foo` and `app-bar`.
+It also uses the matrix value to define the [target build stage](#targettarget).
+
+```hcl
+target "app" {
+  name = "app-${tgt}"
+  matrix = {
+    tgt = ["foo", "bar"]
+  }
+  target = tgt
+}
+```
+
+```console
+$ docker buildx bake --print app
+[+] Building 0.0s (0/0)
+{
+  "group": {
+    "app": {
+      "targets": [
+        "app-foo",
+        "app-bar"
+      ]
+    },
+    "default": {
+      "targets": [
+        "app"
+      ]
+    }
+  },
+  "target": {
+    "app-bar": {
+      "context": ".",
+      "dockerfile": "Dockerfile",
+      "target": "bar"
+    },
+    "app-foo": {
+      "context": ".",
+      "dockerfile": "Dockerfile",
+      "target": "foo"
+    }
+  }
+}
+```
+
+#### Multiple axes
+
+You can specify multiple keys in your matrix to fork a target on multiple axes.
+When using multiple matrix keys, Bake builds every possible variant.
+
+The following example builds four targets:
+
+- `app-foo-1-0`
+- `app-foo-2-0`
+- `app-bar-1-0`
+- `app-bar-2-0`
+
+```hcl
+target "app" {
+  name = "app-${tgt}-${replace(version, ".", "-")}"
+  matrix = {
+    tgt = ["foo", "bar"]
+    version = ["1.0", "2.0"]
+  }
+  target = tgt
+  args = {
+    VERSION = version
+  }
+}
+```
+
+#### Multiple values per matrix target
+
+If you want to differentiate the matrix on more than just a single value,
+you can use maps as matrix values. Bake creates a target for each map,
+and you can access the nested values using dot notation.
+
+The following example builds two targets:
+
+- `app-foo-1-0`
+- `app-bar-2-0`
+
+```hcl
+target "app" {
+  name = "app-${item.tgt}-${replace(item.version, ".", "-")}"
+  matrix = {
+    item = [
+      {
+        tgt = "foo"
+        version = "1.0"
+      },
+      {
+        tgt = "bar"
+        version = "2.0"
+      }
+    ]
+  }
+  target = item.tgt
+  args = {
+    VERSION = item.version
+  }
+}
+```
+
+### `target.name`
+
+Specify name resolution for targets that use a matrix strategy.
+The following example resolves the `app` target to `app-foo` and `app-bar`.
+
+```hcl
+target "app" {
+  name = "app-${tgt}"
+  matrix = {
+    tgt = ["foo", "bar"]
+  }
+  target = tgt
+}
+```
+
+### `target.no-cache-filter`
+
+Don't use build cache for the specified stages.
+This is the same as the `--no-cache-filter` flag for `docker build`.
+The following example avoids build cache for the `foo` build stage.
+
+```hcl
+target "default" {
+  no-cache-filter = ["foo"]
+}
+```
+
+### `target.no-cache`
+
+Don't use cache when building the image.
+This is the same as the `--no-cache` flag for `docker build`.
+
+```hcl
+target "default" {
+  no-cache = 1
+}
+```
+
+### `target.output`
+
+Configuration for exporting the build output.
+This is the same as the [`--output` flag][output].
+The following example configures the target to use a cache-only output,
+
+```hcl
+target "default" {
+  output = ["type=cacheonly"]
+}
+```
+
+### `target.platforms`
+
+Set target platforms for the build target.
+This is the same as the [`--platform` flag][platform].
+The following example creates a multi-platform build for three architectures.
+
+```hcl
+target "default" {
+  platforms = ["linux/amd64", "linux/arm64", "linux/arm/v7"]
+}
+```
+
+### `target.pull`
+
+Configures whether the builder should attempt to pull images when building the target.
+This is the same as the `--pull` flag for `docker build`.
+The following example forces the builder to always pull all images referenced in the build target.
+
+```hcl
+target "default" {
+  pull = "always"
+}
+```
+
+### `target.secret`
+
+Defines secrets to expose to the build target.
+This is the same as the [`--secret` flag][secret].
+
+```hcl
+variable "HOME" {
+  default = null
+}
+
+target "default" {
+  secret = [
+    "type=env,id=KUBECONFIG",
+    "type=file,id=aws,src=${HOME}/.aws/credentials"
+  ]
+}
+```
+
+This lets you [mount the secret][run_mount_secret] in your Dockerfile.
+
+```dockerfile
+RUN --mount=type=secret,id=aws,target=/root/.aws/credentials \
+    aws cloudfront create-invalidation ...
+RUN --mount=type=secret,id=KUBECONFIG \
+    KUBECONFIG=$(cat /run/secrets/KUBECONFIG) helm upgrade --install
+```
+
+### `target.ssh`
+
+Defines SSH agent sockets or keys to expose to the build.
+This is the same as the [`--ssh` flag][ssh].
+This can be useful if you need to access private repositories during a build.
+
+```hcl
+target "default" {
+  ssh = ["default"]
+}
+```
+
+```dockerfile
+FROM alpine
+RUN --mount=type=ssh \
+    apk add git openssh-client \
+    && install -m 0700 -d ~/.ssh \
+    && ssh-keyscan github.com >> ~/.ssh/known_hosts \
+    && git clone git@github.com:user/my-private-repo.git
+```
+
+### `target.tags`
+
+Image names and tags to use for the build target.
+This is the same as the [`--tag` flag][tag].
+
+```hcl
+target "default" {
+  tags = [
+    "org/repo:latest",
+    "myregistry.azurecr.io/team/image:v1"
+  ]
+}
+```
+
+### `target.target`
+
+Set the target build stage to build.
+This is the same as the [`--target` flag][target].
+
+```hcl
+target "default" {
+  target = "binaries"
+}
+```
+
+## Group
+
+Groups allow you to invoke multiple builds (targets) at once.
+
+```hcl
+group "default" {
+  targets = ["db", "webapp-dev"]
+}
+
+target "webapp-dev" {
+  dockerfile = "Dockerfile.webapp"
+  tags = ["docker.io/username/webapp:latest"]
+}
+
+target "db" {
+  dockerfile = "Dockerfile.db"
+  tags = ["docker.io/username/db"]
+}
+```
+
+Groups take precedence over targets, if both exist with the same name.
+The following bake file builds the `default` group.
+Bake ignores the `default` target.
+
+```hcl
+target "default" {
+  dockerfile-inline = "FROM ubuntu"
+}
+
+group "default" {
+  targets = ["alpine", "debian"]
+}
+target "alpine" {
+  dockerfile-inline = "FROM alpine"
+}
+target "debian" {
+  dockerfile-inline = "FROM debian"
+}
+```
+
+## Variable
+
+The HCL file format supports variable block definitions.
+You can use variables as build arguments in your Dockerfile,
+or interpolate them in attribute values in your Bake file.
+
+```hcl
+variable "TAG" {
+  default = "latest"
+}
+
+target "webapp-dev" {
+  dockerfile = "Dockerfile.webapp"
+  tags = ["docker.io/username/webapp:${TAG}"]
+}
+```
+
+You can assign a default value for a variable in the Bake file,
+or assign a `null` value to it. If you assign a `null` value,
+Buildx uses the default value from the Dockerfile instead.
+
+You can override variable defaults set in the Bake file using environment variables.
+The following example sets the `TAG` variable to `dev`,
+overriding the default `latest` value shown in the previous example.
+
+```console
+$ TAG=dev docker buildx bake webapp-dev
+```
+
+### Built-in variables
+
+The following variables are built-ins that you can use with Bake without having
+to define them.
+
+| Variable              | Description                                                                         |
+| --------------------- | ----------------------------------------------------------------------------------- |
+| `BAKE_CMD_CONTEXT`    | Holds the main context when building using a remote Bake file.                      |
+| `BAKE_LOCAL_PLATFORM` | Returns the current platform’s default platform specification (e.g. `linux/amd64`). |
+
+### Use environment variable as default
+
+You can set a Bake variable to use the value of an environment variable as a default value:
+
+```hcl
+variable "HOME" {
+  default = "$HOME"
+}
+```
+
+### Interpolate variables into attributes
+
+To interpolate a variable into an attribute string value,
+you must use curly brackets.
+The following doesn't work:
+
+```hcl
+variable "HOME" {
+  default = "$HOME"
+}
+
+target "default" {
+  ssh = ["default=$HOME/.ssh/id_rsa"]
+}
+```
+
+Wrap the variable in curly brackets where you want to insert it:
+
+```diff
+  variable "HOME" {
+    default = "$HOME"
+  }
+
+  target "default" {
+-   ssh = ["default=$HOME/.ssh/id_rsa"]
++   ssh = ["default=${HOME}/.ssh/id_rsa"]
+  }
+```
+
+Before you can interpolate a variable into an attribute,
+first you must declare it in the bake file,
+as demonstrated in the following example.
+
+```console
+$ cat docker-bake.hcl
+target "default" {
+  dockerfile-inline = "FROM ${BASE_IMAGE}"
+}
+$ docker buildx bake
+[+] Building 0.0s (0/0)
+docker-bake.hcl:2
+--------------------
+   1 |     target "default" {
+   2 | >>>   dockerfile-inline = "FROM ${BASE_IMAGE}"
+   3 |     }
+   4 |
+--------------------
+ERROR: docker-bake.hcl:2,31-41: Unknown variable; There is no variable named "BASE_IMAGE"., and 1 other diagnostic(s)
+$ cat >> docker-bake.hcl
+
+variable "BASE_IMAGE" {
+  default = "alpine"
+}
+
+$ docker buildx bake
+[+] Building 0.6s (5/5) FINISHED
+```
+
+## Function
+
+A [set of general-purpose functions][bake_stdlib]
+provided by [go-cty][go-cty]
+are available for use in HCL files:
+
+```hcl
+# docker-bake.hcl
+target "webapp-dev" {
+  dockerfile = "Dockerfile.webapp"
+  tags = ["docker.io/username/webapp:latest"]
+  args = {
+    buildno = "${add(123, 1)}"
+  }
+}
+```
+
+In addition, [user defined functions][userfunc]
+are also supported:
+
+```hcl
+# docker-bake.hcl
+function "increment" {
+  params = [number]
+  result = number + 1
+}
+
+target "webapp-dev" {
+  dockerfile = "Dockerfile.webapp"
+  tags = ["docker.io/username/webapp:latest"]
+  args = {
+    buildno = "${increment(123)}"
+  }
+}
+```
+
+> **Note**
+>
+> See [User defined HCL functions][hcl-funcs] page for more details.
+
+<!-- external links -->
+
+[attestations]: https://docs.docker.com/build/attestations/
+[bake_stdlib]: https://github.com/docker/buildx/blob/master/bake/hclparser/stdlib.go
+[build-arg]: https://docs.docker.com/engine/reference/commandline/build/#build-arg
+[build-context]: https://docs.docker.com/engine/reference/commandline/buildx_build/#build-context
+[cache-backends]: https://docs.docker.com/build/cache/backends/
+[cache-from]: https://docs.docker.com/engine/reference/commandline/buildx_build/#cache-from
+[cache-to]: https://docs.docker.com/engine/reference/commandline/buildx_build/#cache-to
+[context]: https://docs.docker.com/engine/reference/commandline/buildx_build/#build-context
+[file]: https://docs.docker.com/engine/reference/commandline/build/#file
+[go-cty]: https://github.com/zclconf/go-cty/tree/main/cty/function/stdlib
+[hcl-funcs]: https://docs.docker.com/build/bake/hcl-funcs/
+[output]: https://docs.docker.com/engine/reference/commandline/buildx_build/#output
+[platform]: https://docs.docker.com/engine/reference/commandline/buildx_build/#platform
+[run_mount_secret]: https://docs.docker.com/engine/reference/builder/#run---mounttypesecret
+[secret]: https://docs.docker.com/engine/reference/commandline/buildx_build/#secret
+[ssh]: https://docs.docker.com/engine/reference/commandline/buildx_build/#ssh
+[tag]: https://docs.docker.com/engine/reference/commandline/build/#tag
+[target]: https://docs.docker.com/engine/reference/commandline/build/#target
+[userfunc]: https://github.com/hashicorp/hcl/tree/main/ext/userfunc

docs/generate.go

@@ -0,0 +1,90 @@
+package main
+
+import (
+	"log"
+	"os"
+
+	"github.com/docker/buildx/commands"
+	clidocstool "github.com/docker/cli-docs-tool"
+	"github.com/docker/cli/cli/command"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+
+	// import drivers otherwise factories are empty
+	// for --driver output flag usage
+	_ "github.com/docker/buildx/driver/docker"
+	_ "github.com/docker/buildx/driver/docker-container"
+	_ "github.com/docker/buildx/driver/kubernetes"
+	_ "github.com/docker/buildx/driver/remote"
+)
+
+const defaultSourcePath = "docs/reference/"
+
+type options struct {
+	source  string
+	formats []string
+}
+
+func gen(opts *options) error {
+	log.SetFlags(0)
+
+	dockerCLI, err := command.NewDockerCli()
+	if err != nil {
+		return err
+	}
+	cmd := &cobra.Command{
+		Use:               "docker [OPTIONS] COMMAND [ARG...]",
+		Short:             "The base command for the Docker CLI.",
+		DisableAutoGenTag: true,
+	}
+
+	cmd.AddCommand(commands.NewRootCmd("buildx", true, dockerCLI))
+
+	c, err := clidocstool.New(clidocstool.Options{
+		Root:      cmd,
+		SourceDir: opts.source,
+		Plugin:    true,
+	})
+	if err != nil {
+		return err
+	}
+
+	for _, format := range opts.formats {
+		switch format {
+		case "md":
+			if err = c.GenMarkdownTree(cmd); err != nil {
+				return err
+			}
+		case "yaml":
+			if err = c.GenYamlTree(cmd); err != nil {
+				return err
+			}
+		default:
+			return errors.Errorf("unknown format %q", format)
+		}
+	}
+
+	return nil
+}
+
+func run() error {
+	opts := &options{}
+	flags := pflag.NewFlagSet(os.Args[0], pflag.ContinueOnError)
+	flags.StringVar(&opts.source, "source", defaultSourcePath, "Docs source folder")
+	flags.StringSliceVar(&opts.formats, "formats", []string{}, "Format (md, yaml)")
+	if err := flags.Parse(os.Args[1:]); err != nil {
+		return err
+	}
+	if len(opts.formats) == 0 {
+		return errors.New("Docs format required")
+	}
+	return gen(opts)
+}
+
+func main() {
+	if err := run(); err != nil {
+		log.Printf("ERROR: %+v", err)
+		os.Exit(1)
+	}
+}

docs/guides/cicd.md

@@ -0,0 +1,3 @@
+# CI/CD
+
+This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/)

docs/guides/cni-networking.md

@@ -0,0 +1,3 @@
+# CNI networking
+
+This page has moved to [Docker Docs website](https://docs.docker.com/build/buildkit/configure/#cni-networking)

docs/guides/color-output.md

@@ -0,0 +1,3 @@
+# Color output controls
+
+This page has moved to [Docker Docs website](https://docs.docker.com/build/building/env-vars/#buildkit_colors)