Merge pull request #974 from crazy-max/k8s-azure-auth

kubernetes: enable azure auth

.github/dependabot.yml

@@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    open-pull-requests-limit: 10
+    directory: "/"
+    schedule:
+      interval: "daily"
+    labels:
+      - "dependencies"
+      - "bot"

.github/workflows/build.yml

@@ -1,5 +1,9 @@
 name: build
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 on:
   workflow_dispatch:
   push:
@@ -15,161 +19,45 @@ on:
 
 env:
   REPO_SLUG: "docker/buildx-bin"
-  REPO_SLUG_ORIGIN: "moby/buildkit:master"
-  CACHEKEY_BINARIES: "binaries"
-  PLATFORMS: "linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64,linux/s390x,linux/ppc64le,linux/riscv64"
+  RELEASE_OUT: "./release-out"
 
 jobs:
-  base:
+  build:
     runs-on: ubuntu-latest
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v2
-      -
-        name: Cache ${{ env.CACHEKEY_BINARIES }}
-        uses: actions/cache@v2
-        with:
-          path: /tmp/.buildx-cache/${{ env.CACHEKEY_BINARIES }}
-          key: ${{ runner.os }}-buildx-${{ env.CACHEKEY_BINARIES }}-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-buildx-${{ env.CACHEKEY_BINARIES }}-
+        uses: actions/checkout@v3
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
         with:
-          driver-opts: image=${{ env.REPO_SLUG_ORIGIN }}
-      -
-        name: Build ${{ env.CACHEKEY_BINARIES }}
-        run: |
-          ./hack/build_ci_first_pass binaries
-        env:
-          CACHEDIR_FROM: /tmp/.buildx-cache/${{ env.CACHEKEY_BINARIES }}
-          CACHEDIR_TO: /tmp/.buildx-cache/${{ env.CACHEKEY_BINARIES }}-new
-      -
-        # FIXME: Temp fix for https://github.com/moby/buildkit/issues/1850
-        name: Move cache
-        run: |
-          rm -rf /tmp/.buildx-cache/${{ env.CACHEKEY_BINARIES }}
-          mv /tmp/.buildx-cache/${{ env.CACHEKEY_BINARIES }}-new /tmp/.buildx-cache/${{ env.CACHEKEY_BINARIES }}
-
-  test:
-    runs-on: ubuntu-latest
-    needs: [base]
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v2
-      -
-        name: Cache ${{ env.CACHEKEY_BINARIES }}
-        uses: actions/cache@v2
-        with:
-          path: /tmp/.buildx-cache/${{ env.CACHEKEY_BINARIES }}
-          key: ${{ runner.os }}-buildx-${{ env.CACHEKEY_BINARIES }}-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-buildx-${{ env.CACHEKEY_BINARIES }}-
-      -
-        name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-        with:
-          driver-opts: image=${{ env.REPO_SLUG_ORIGIN }}
+          version: latest
       -
         name: Test
         run: |
           make test
-        env:
-          TEST_COVERAGE: 1
-          TESTFLAGS: -v --parallel=6 --timeout=20m
-          CACHEDIR_FROM: /tmp/.buildx-cache/${{ env.CACHEKEY_BINARIES }}
       -
         name: Send to Codecov
-        uses: codecov/codecov-action@v2
+        uses: codecov/codecov-action@v3
         with:
           file: ./coverage/coverage.txt
-
-  cross:
-    runs-on: ubuntu-latest
-    needs: [base]
-    steps:
       -
-        name: Checkout
-        uses: actions/checkout@v2
+        name: Expose GitHub Runtime
+        uses: crazy-max/ghaction-github-runtime@906832f62b7baa936e3fbef72b029308af505ee7
       -
-        name: Cache ${{ env.CACHEKEY_BINARIES }}
-        uses: actions/cache@v2
-        with:
-          path: /tmp/.buildx-cache/${{ env.CACHEKEY_BINARIES }}
-          key: ${{ runner.os }}-buildx-${{ env.CACHEKEY_BINARIES }}-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-buildx-${{ env.CACHEKEY_BINARIES }}-
-      -
-        name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-        with:
-          driver-opts: image=${{ env.REPO_SLUG_ORIGIN }}
-      -
-        name: Cross
+        name: Build binaries
         run: |
-          make cross
+          make release
         env:
-          TARGETPLATFORM: ${{ env.PLATFORMS }},darwin/amd64,darwin/arm64,windows/amd64,windows/arm64
-          CACHEDIR_FROM: /tmp/.buildx-cache/${{ env.CACHEKEY_BINARIES }}
-
-  binaries:
-    runs-on: ubuntu-latest
-    needs: [test, cross]
-    env:
-      RELEASE_OUT: ./release-out
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v2
-      -
-        name: Prepare
-        id: prep
-        run: |
-          TAG=pr
-          if [[ $GITHUB_REF == refs/tags/v* ]]; then
-            TAG=${GITHUB_REF#refs/tags/}
-          elif [[ $GITHUB_REF == refs/heads/* ]]; then
-            TAG=$(echo ${GITHUB_REF#refs/heads/} | sed -r 's#/+#-#g')
-          fi
-          echo ::set-output name=tag::${TAG}
-      -
-        name: Cache ${{ env.CACHEKEY_BINARIES }}
-        uses: actions/cache@v2
-        with:
-          path: /tmp/.buildx-cache/${{ env.CACHEKEY_BINARIES }}
-          key: ${{ runner.os }}-buildx-${{ env.CACHEKEY_BINARIES }}-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-buildx-${{ env.CACHEKEY_BINARIES }}-
-      -
-        name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-        with:
-          driver-opts: image=${{ env.REPO_SLUG_ORIGIN }}
-      -
-        name: Build ${{ steps.prep.outputs.tag }}
-        run: |
-          ./hack/release ${{ env.RELEASE_OUT }}
-        env:
-          PLATFORMS: ${{ env.PLATFORMS }},darwin/amd64,darwin/arm64,windows/amd64,windows/arm64
-          CACHEDIR_FROM: /tmp/.buildx-cache/${{ env.CACHEKEY_BINARIES }}
+          CACHE_FROM: type=gha,scope=release
+          CACHE_TO: type=gha,scope=release
       -
         name: Upload artifacts
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: buildx
           path: ${{ env.RELEASE_OUT }}/*
@@ -177,7 +65,7 @@ jobs:
       -
         name: Docker meta
         id: meta
-        uses: docker/metadata-action@v3
+        uses: docker/metadata-action@v4
         with:
           images: |
             ${{ env.REPO_SLUG }}
@@ -185,31 +73,53 @@ jobs:
             type=ref,event=branch
             type=ref,event=pr
             type=semver,pattern={{version}}
+          bake-target: meta-helper
       -
         name: Login to DockerHub
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       -
         name: Build and push image
-        uses: docker/build-push-action@v2
+        uses: docker/bake-action@v2
         with:
-          context: .
-          target: binaries
+          files: |
+            ./docker-bake.hcl
+            ${{ steps.meta.outputs.bake-file }}
+          targets: image-cross
           push: ${{ github.event_name != 'pull_request' }}
-          cache-from: type=local,src=/tmp/.buildx-cache/${{ env.CACHEKEY_BINARIES }}
-          platforms: ${{ env.PLATFORMS }},darwin/amd64,darwin/arm64,windows/amd64,windows/arm64
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
       -
         name: GitHub Release
         if: startsWith(github.ref, 'refs/tags/v')
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           draft: true
           files: ${{ env.RELEASE_OUT }}/*
-          name: ${{ steps.prep.outputs.tag }}
+
+  buildkit-edge:
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: latest
+          driver-opts: image=moby/buildkit:master
+          buildkitd-flags: --debug
+      -
+        # Just run a bake target to check eveything runs fine
+        name: Build
+        uses: docker/bake-action@v2
+        with:
+          targets: binaries-cross

.github/workflows/docs.yml

@@ -0,0 +1,56 @@
+name: docs
+
+on:
+  release:
+    types: [ published ]
+
+jobs:
+  open-pr:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout docs repo
+        uses: actions/checkout@v3
+        with:
+          token: ${{ secrets.GHPAT_DOCS_DISPATCH }}
+          repository: docker/docker.github.io
+          ref: master
+      -
+        name: Prepare
+        run: |
+          rm -rf ./_data/buildx/*
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      -
+        name: Build docs
+        uses: docker/bake-action@v2
+        with:
+          source: ${{ github.server_url }}/${{ github.repository }}.git#${{ github.event.release.name }}
+          targets: update-docs
+          set: |
+            *.output=/tmp/buildx-docs
+        env:
+          DOCS_FORMATS: yaml
+      -
+        name: Copy files
+        run: |
+          cp /tmp/buildx-docs/out/reference/*.yaml ./_data/buildx/
+      -
+        name: Commit changes
+        run: |
+          git add -A .
+      -
+        name: Create PR on docs repo
+        uses: peter-evans/create-pull-request@923ad837f191474af6b1721408744feb989a4c27 # v4.0.4
+        with:
+          token: ${{ secrets.GHPAT_DOCS_DISPATCH }}
+          push-to-fork: docker-tools-robot/docker.github.io
+          commit-message: "build: update buildx reference to ${{ github.event.release.name }}"
+          signoff: true
+          branch: dispatch/buildx-ref-${{ github.event.release.name }}
+          delete-branch: true
+          title: Update buildx reference to ${{ github.event.release.name }}
+          body: |
+            Update the buildx reference documentation to keep in sync with the latest release `${{ github.event.release.name }}`
+          draft: false

.github/workflows/e2e.yml

@@ -0,0 +1,166 @@
+name: e2e
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - 'master'
+      - 'v[0-9]*'
+  pull_request:
+    branches:
+      - 'master'
+      - 'v[0-9]*'
+
+jobs:
+  build:
+    runs-on: ubuntu-20.04
+    env:
+      BIN_OUT: ./bin
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: latest
+      -
+        name: Build
+        uses: docker/bake-action@v2
+        with:
+          targets: binaries
+          set: |
+            *.cache-from=type=gha,scope=release
+            *.cache-from=type=gha,scope=binaries
+            *.cache-to=type=gha,scope=binaries
+      -
+        name: Rename binary
+        run: |
+          mv ${{ env.BIN_OUT }}/buildx ${{ env.BIN_OUT }}/docker-buildx
+      -
+        name: Upload artifacts
+        uses: actions/upload-artifact@v3
+        with:
+          name: binary
+          path: ${{ env.BIN_OUT }}
+          if-no-files-found: error
+          retention-days: 7
+
+  driver:
+    runs-on: ubuntu-20.04
+    needs:
+      - build
+    strategy:
+      fail-fast: false
+      matrix:
+        driver:
+          - docker
+          - docker-container
+          - kubernetes
+          - remote
+        buildkit:
+          - moby/buildkit:buildx-stable-1
+          - moby/buildkit:master
+        buildkit-cfg:
+          - bkcfg-false
+          - bkcfg-true
+        multi-node:
+          - mnode-false
+          - mnode-true
+        platforms:
+          - linux/amd64
+          - linux/amd64,linux/arm64
+        include:
+          - driver: kubernetes
+            driver-opt: qemu.install=true
+          - driver: remote
+            endpoint: tcp://localhost:1234
+        exclude:
+          - driver: docker
+            multi-node: mnode-true
+          - driver: docker
+            buildkit-cfg: bkcfg-true
+          - driver: docker-container
+            multi-node: mnode-true
+          - driver: remote
+            multi-node: mnode-true
+          - driver: remote
+            buildkit-cfg: bkcfg-true
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+        if: matrix.driver == 'docker' || matrix.driver == 'docker-container'
+      -
+        name: Install buildx
+        uses: actions/download-artifact@v3
+        with:
+          name: binary
+          path: /home/runner/.docker/cli-plugins
+      -
+        name: Fix perms and check
+        run: |
+          chmod +x /home/runner/.docker/cli-plugins/docker-buildx
+          docker buildx version
+      -
+        name: Init env vars
+        run: |
+          # BuildKit cfg
+          if [ "${{ matrix.buildkit-cfg }}" = "bkcfg-true" ]; then
+            cat > "/tmp/buildkitd.toml" <<EOL
+          [worker.oci]
+            max-parallelism = 2
+          EOL
+            echo "BUILDKIT_CFG=/tmp/buildkitd.toml" >> $GITHUB_ENV
+          fi
+          # Multi node
+          if [ "${{ matrix.multi-node }}" = "mnode-true" ]; then
+            echo "MULTI_NODE=1" >> $GITHUB_ENV
+          else
+            echo "MULTI_NODE=0" >> $GITHUB_ENV
+          fi
+      -
+        name: Install k3s
+        if: matrix.driver == 'kubernetes'
+        uses: debianmaster/actions-k3s@b9cf3f599fd118699a3c8a0d18a2f2bda6cf4ce4
+        id: k3s
+        with:
+          version: v1.21.2-k3s1
+      -
+        name: Config k3s
+        if: matrix.driver == 'kubernetes'
+        run: |
+          (set -x ; cat ${{ steps.k3s.outputs.kubeconfig }})
+      -
+        name: Check k3s nodes
+        if: matrix.driver == 'kubernetes'
+        run: |
+          kubectl get nodes
+      -
+        name: Launch remote buildkitd
+        if: matrix.driver == 'remote'
+        run: |
+          docker run -d \
+            --privileged \
+            --name=remote-buildkit \
+            -p 1234:1234 \
+            ${{ matrix.buildkit }} \
+            --addr unix:///run/buildkit/buildkitd.sock \
+            --addr tcp://0.0.0.0:1234
+      -
+        name: Test
+        run: |
+          make test-driver
+        env:
+          BUILDKIT_IMAGE: ${{ matrix.buildkit }}
+          DRIVER: ${{ matrix.driver }}
+          DRIVER_OPT: ${{ matrix.driver-opt }}
+          ENDPOINT: ${{ matrix.endpoint }}
+          PLATFORMS: ${{ matrix.platforms }}

.github/workflows/godev.yml

@@ -1,25 +0,0 @@
-# Workflow used to make a request to proxy.golang.org to refresh cache on https://pkg.go.dev/github.com/docker/buildx
-# when a released of buildx is produced
-name: godev
-
-on:
-  push:
-    tags:
-      - 'v*'
-
-jobs:
-  update:
-    runs-on: ubuntu-latest
-    steps:
-      -
-        name: Set up Go
-        uses: actions/setup-go@v2
-        with:
-          go-version: 1.13
-      -
-        name: Call pkg.go.dev
-        run: |
-          go get github.com/${GITHUB_REPOSITORY}@${GITHUB_REF#refs/tags/}
-        env:
-          GO111MODULE: on
-          GOPROXY: https://proxy.golang.org

.github/workflows/validate.yml

@@ -1,5 +1,9 @@
 name: validate
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 on:
   workflow_dispatch:
   push:
@@ -13,9 +17,6 @@ on:
       - 'master'
       - 'v[0-9]*'
 
-env:
-  REPO_SLUG_ORIGIN: "moby/buildkit:master"
-
 jobs:
   validate:
     runs-on: ubuntu-latest
@@ -29,13 +30,33 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
         with:
-          driver-opts: image=${{ env.REPO_SLUG_ORIGIN }}
+          version: latest
       -
         name: Run
         run: |
           make ${{ matrix.target }}
+
+  validate-docs-yaml:
+    runs-on: ubuntu-latest
+    needs:
+      - validate
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: latest
+      -
+        name: Run
+        run: |
+          make docs
+        env:
+          FORMATS: yaml

.golangci.yml

@@ -12,19 +12,29 @@ linters:
     - gofmt
     - govet
     - deadcode
+    - depguard
     - goimports
     - ineffassign
     - misspell
     - unused
     - varcheck
-    - golint
+    - revive
     - staticcheck
     - typecheck
     - structcheck
   disable-all: true
 
+linters-settings:
+  depguard:
+    list-type: blacklist
+    include-go-root: true
+    packages:
+      # The io/ioutil package has been deprecated.
+      # https://go.dev/doc/go1.16#ioutil
+      - io/ioutil
+
 issues:
   exclude-rules:
     - linters:
-        - golint
+        - revive
       text: "stutters"

.mailmap

@@ -1,6 +1,13 @@
 # This file lists all individuals having contributed content to the repository.
-# For how it is generated, see `hack/generate-authors`.
+# For how it is generated, see hack/dockerfiles/authors.Dockerfile.
 
+CrazyMax <github@crazymax.dev>
+CrazyMax <github@crazymax.dev> <1951866+crazy-max@users.noreply.github.com>
+CrazyMax <github@crazymax.dev> <crazy-max@users.noreply.github.com>
+Sebastiaan van Stijn <github@gone.nl>
+Sebastiaan van Stijn <github@gone.nl> <thaJeztah@users.noreply.github.com>
 Tibor Vass <tibor@docker.com>
 Tibor Vass <tibor@docker.com> <tiborvass@users.noreply.github.com>
 Tõnis Tiigi <tonistiigi@gmail.com>
+Ulysses Souza <ulyssessouza@gmail.com>
+Wang Jinglei <morlay.null@gmail.com>

.yamllint.yml

@@ -1,13 +0,0 @@
-ignore: |
-  /vendor
-
-extends: default
-
-yaml-files:
-  - '*.yaml'
-  - '*.yml'
-
-rules:
-  truthy: disable
-  line-length: disable
-  document-start: disable

AUTHORS

@@ -1,7 +1,45 @@
 # This file lists all individuals having contributed content to the repository.
-# For how it is generated, see `scripts/generate-authors.sh`.
+# For how it is generated, see hack/dockerfiles/authors.Dockerfile.
 
+Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
+Alex Couture-Beil <alex@earthly.dev>
+Andrew Haines <andrew.haines@zencargo.com>
+Andy MacKinlay <admackin@users.noreply.github.com>
+Anthony Poschen <zanven42@gmail.com>
+Artur Klauser <Artur.Klauser@computer.org>
+Batuhan Apaydın <developerguy2@gmail.com>
 Bin Du <bindu@microsoft.com>
+Brandon Philips <brandon@ifup.org>
 Brian Goff <cpuguy83@gmail.com>
+CrazyMax <github@crazymax.dev>
+dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
+Devin Bayer <dev@doubly.so>
+Djordje Lukic <djordje.lukic@docker.com>
+Dmytro Makovey <dmytro.makovey@docker.com>
+Donghui Wang <977675308@qq.com>
+faust <faustin@fala.red>
+Felipe Santos <felipecassiors@gmail.com>
+Fernando Miguel <github@FernandoMiguel.net>
+gfrancesco <gfrancesco@users.noreply.github.com>
+gracenoah <gracenoahgh@gmail.com>
+Hollow Man <hollowman@hollowman.ml>
+Ilya Dmitrichenko <errordeveloper@gmail.com>
+Jack Laxson <jackjrabbit@gmail.com>
+Jean-Yves Gastaud <jygastaud@gmail.com>
+khs1994 <khs1994@khs1994.com>
+Kotaro Adachi <k33asby@gmail.com>
+l00397676 <lujingxiao@huawei.com>
+Michal Augustyn <michal.augustyn@mail.com>
+Patrick Van Stee <patrick@vanstee.me>
+Saul Shanabrook <s.shanabrook@gmail.com>
+Sebastiaan van Stijn <github@gone.nl>
+SHIMA Tatsuya <ts1s1andn@gmail.com>
+Silvin Lubecki <silvin.lubecki@docker.com>
+Solomon Hykes <sh.github.6811@hykes.org>
+Sune Keller <absukl@almbrand.dk>
 Tibor Vass <tibor@docker.com>
 Tõnis Tiigi <tonistiigi@gmail.com>
+Ulysses Souza <ulyssessouza@gmail.com>
+Wang Jinglei <morlay.null@gmail.com>
+Xiang Dai <764524258@qq.com>
+zelahi <elahi.zuhayr@gmail.com>

Dockerfile

@@ -1,27 +1,21 @@
-# syntax=docker/dockerfile:1.2
+# syntax=docker/dockerfile:1.4
 
-ARG DOCKERD_VERSION=19.03
-ARG CLI_VERSION=19.03
+ARG GO_VERSION=1.18
+ARG XX_VERSION=1.1.2
+ARG DOCKERD_VERSION=20.10.14
 
 FROM docker:$DOCKERD_VERSION AS dockerd-release
 
 # xx is a helper for cross-compilation
-FROM --platform=$BUILDPLATFORM tonistiigi/xx@sha256:21a61be4744f6531cb5f33b0e6f40ede41fa3a1b8c82d5946178f80cc84bfc04 AS xx
+FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
 
-FROM --platform=$BUILDPLATFORM golang:1.16-alpine AS golatest
+FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine AS golatest
 
-FROM golatest AS go-linux
-FROM golatest AS go-darwin
-FROM golatest AS go-windows-amd64
-FROM golatest AS go-windows-386
-FROM golatest AS go-windows-arm
-FROM --platform=$BUILDPLATFORM golang:1.17beta1-alpine AS go-windows-arm64
-FROM go-windows-${TARGETARCH} AS go-windows
-
-FROM go-${TARGETOS} AS gobase
+FROM golatest AS gobase
 COPY --from=xx / /
 RUN apk add --no-cache file git
 ENV GOFLAGS=-mod=vendor
+ENV CGO_ENABLED=0
 WORKDIR /src
 
 FROM gobase AS buildx-version
@@ -31,56 +25,55 @@ RUN --mount=target=. \
   echo -n "${VERSION}" | tee /tmp/.version;
 
 FROM gobase AS buildx-build
-ENV CGO_ENABLED=0
+ARG LDFLAGS="-w -s"
 ARG TARGETPLATFORM
-RUN --mount=target=. --mount=target=/root/.cache,type=cache \
-  --mount=target=/go/pkg/mod,type=cache \
-  --mount=source=/tmp/.ldflags,target=/tmp/.ldflags,from=buildx-version \
-  set -x; xx-go build -ldflags "$(cat /tmp/.ldflags)" -o /usr/bin/buildx ./cmd/buildx && \
+RUN --mount=type=bind,target=. \
+  --mount=type=cache,target=/root/.cache \
+  --mount=type=cache,target=/go/pkg/mod \
+  --mount=type=bind,source=/tmp/.ldflags,target=/tmp/.ldflags,from=buildx-version \
+  set -x; xx-go build -ldflags "$(cat /tmp/.ldflags) ${LDFLAGS}" -o /usr/bin/buildx ./cmd/buildx && \
   xx-verify --static /usr/bin/buildx
 
-FROM buildx-build AS integration-tests
-COPY . .
+FROM gobase AS test
+RUN --mount=type=bind,target=. \
+  --mount=type=cache,target=/root/.cache \
+  --mount=type=cache,target=/go/pkg/mod \
+  go test -v -coverprofile=/tmp/coverage.txt -covermode=atomic ./... && \
+  go tool cover -func=/tmp/coverage.txt
 
-# FROM golang:1.12-alpine AS docker-cli-build
-# RUN apk add -U git bash coreutils gcc musl-dev
-# ENV CGO_ENABLED=0
-# ARG REPO=github.com/tiborvass/cli
-# ARG BRANCH=cli-plugin-aliases
-# ARG CLI_VERSION
-# WORKDIR /go/src/github.com/docker/cli
-# RUN git clone git://$REPO . && git checkout $BRANCH
-# RUN ./scripts/build/binary
+FROM scratch AS test-coverage
+COPY --from=test /tmp/coverage.txt /coverage.txt
 
 FROM scratch AS binaries-unix
-COPY --from=buildx-build /usr/bin/buildx /
+COPY --link --from=buildx-build /usr/bin/buildx /
 
 FROM binaries-unix AS binaries-darwin
 FROM binaries-unix AS binaries-linux
 
 FROM scratch AS binaries-windows
-COPY --from=buildx-build /usr/bin/buildx /buildx.exe
+COPY --link --from=buildx-build /usr/bin/buildx /buildx.exe
 
 FROM binaries-$TARGETOS AS binaries
 
+# Release
 FROM --platform=$BUILDPLATFORM alpine AS releaser
 WORKDIR /work
 ARG TARGETPLATFORM
 RUN --mount=from=binaries \
-  --mount=source=/tmp/.version,target=/tmp/.version,from=buildx-version \
+  --mount=type=bind,source=/tmp/.version,target=/tmp/.version,from=buildx-version \
   mkdir -p /out && cp buildx* "/out/buildx-$(cat /tmp/.version).$(echo $TARGETPLATFORM | sed 's/\//-/g')$(ls buildx* | sed -e 's/^buildx//')"
 
 FROM scratch AS release
 COPY --from=releaser /out/ /
 
-FROM alpine AS demo-env
+# Shell
+FROM docker:$DOCKERD_VERSION AS dockerd-release
+FROM alpine AS shell
 RUN apk add --no-cache iptables tmux git vim less openssh
 RUN mkdir -p /usr/local/lib/docker/cli-plugins && ln -s /usr/local/bin/buildx /usr/local/lib/docker/cli-plugins/docker-buildx
 COPY ./hack/demo-env/entrypoint.sh /usr/local/bin
 COPY ./hack/demo-env/tmux.conf /root/.tmux.conf
 COPY --from=dockerd-release /usr/local/bin /usr/local/bin
-#COPY --from=docker-cli-build /go/src/github.com/docker/cli/build/docker /usr/local/bin
-
 WORKDIR /work
 COPY ./hack/demo-env/examples .
 COPY --from=binaries / /usr/local/bin/

Makefile

@@ -1,40 +1,62 @@
+ifneq (, $(BUILDX_BIN))
+	export BUILDX_CMD = $(BUILDX_BIN)
+else ifneq (, $(shell docker buildx version))
+	export BUILDX_CMD = docker buildx
+else ifneq (, $(shell which buildx))
+	export BUILDX_CMD = $(which buildx)
+else
+	$(error "Buildx is required: https://github.com/docker/buildx#installing")
+endif
+
+export BIN_OUT = ./bin
+export RELEASE_OUT = ./release-out
+
 shell:
 	./hack/shell
 
 binaries:
-	./hack/binaries
+	$(BUILDX_CMD) bake binaries
 
 binaries-cross:
-	EXPORT_LOCAL=cross-out ./hack/cross
-
-cross:
-	./hack/cross
+	$(BUILDX_CMD) bake binaries-cross
 
 install: binaries
 	mkdir -p ~/.docker/cli-plugins
 	install bin/buildx ~/.docker/cli-plugins/docker-buildx
 
-lint:
-	./hack/lint
-
-test:
-	./hack/test
-
-validate-vendor:
-	./hack/validate-vendor
-	
-validate-docs:
-	./hack/validate-docs
+release:
+	./hack/release
 
 validate-all: lint test validate-vendor validate-docs
 
+lint:
+	$(BUILDX_CMD) bake lint
+
+test:
+	$(BUILDX_CMD) bake test
+
+validate-vendor:
+	$(BUILDX_CMD) bake validate-vendor
+
+validate-docs:
+	$(BUILDX_CMD) bake validate-docs
+
+validate-authors:
+	$(BUILDX_CMD) bake validate-authors
+
+test-driver:
+	./hack/test-driver
+
 vendor:
 	./hack/update-vendor
 
 docs:
 	./hack/update-docs
 
-generate-authors:
-	./hack/generate-authors
+authors:
+	$(BUILDX_CMD) bake update-authors
 
-.PHONY: vendor lint shell binaries install binaries-cross validate-all generate-authors validate-docs docs
+mod-outdated:
+	$(BUILDX_CMD) bake mod-outdated
+
+.PHONY: shell binaries binaries-cross install release validate-all lint validate-vendor validate-docs validate-authors vendor docs authors

README.md

@@ -1,11 +1,13 @@
 # buildx
 
-[![PkgGoDev](https://img.shields.io/badge/go.dev-docs-007d9c?logo=go&logoColor=white)](https://pkg.go.dev/github.com/docker/buildx)
-[![Build Status](https://github.com/docker/buildx/workflows/build/badge.svg)](https://github.com/docker/buildx/actions?query=workflow%3Abuild)
-[![Go Report Card](https://goreportcard.com/badge/github.com/docker/buildx)](https://goreportcard.com/report/github.com/docker/buildx)
-[![codecov](https://codecov.io/gh/docker/buildx/branch/master/graph/badge.svg)](https://codecov.io/gh/docker/buildx)
+[![GitHub release](https://img.shields.io/github/release/docker/buildx.svg?style=flat-square)](https://github.com/docker/buildx/releases/latest)
+[![PkgGoDev](https://img.shields.io/badge/go.dev-docs-007d9c?style=flat-square&logo=go&logoColor=white)](https://pkg.go.dev/github.com/docker/buildx)
+[![Build Status](https://img.shields.io/github/workflow/status/docker/buildx/build?label=build&logo=github&style=flat-square)](https://github.com/docker/buildx/actions?query=workflow%3Abuild)
+[![Go Report Card](https://goreportcard.com/badge/github.com/docker/buildx?style=flat-square)](https://goreportcard.com/report/github.com/docker/buildx)
+[![codecov](https://img.shields.io/codecov/c/github/docker/buildx?logo=codecov&style=flat-square)](https://codecov.io/gh/docker/buildx)
 
-`buildx` is a Docker CLI plugin for extended build capabilities with [BuildKit](https://github.com/moby/buildkit).
+`buildx` is a Docker CLI plugin for extended build capabilities with
+[BuildKit](https://github.com/moby/buildkit).
 
 Key features:
 
@@ -20,74 +22,136 @@ Key features:
 # Table of Contents
 
 - [Installing](#installing)
-  - [Docker](#docker)
-  - [Binary release](#binary-release)
-  - [From `Dockerfile`](#from-dockerfile)
+  - [Windows and macOS](#windows-and-macos)
+  - [Linux packages](#linux-packages)
+  - [Manual download](#manual-download)
+  - [Dockerfile](#dockerfile)
+- [Set buildx as the default builder](#set-buildx-as-the-default-builder)
 - [Building](#building)
-  - [with Docker 18.09+](#with-docker-1809)
-  - [with buildx or Docker 19.03](#with-buildx-or-docker-1903)
 - [Getting started](#getting-started)
   - [Building with buildx](#building-with-buildx)
   - [Working with builder instances](#working-with-builder-instances)
   - [Building multi-platform images](#building-multi-platform-images)
-  - [High-level build options](#high-level-build-options)
-- [Documentation](docs/reference)
-  - [`buildx build [OPTIONS] PATH | URL | -`](docs/reference/buildx_build.md)
-  - [`buildx create [OPTIONS] [CONTEXT|ENDPOINT]`](docs/reference/buildx_create.md)
-  - [`buildx use NAME`](docs/reference/buildx_use.md)
-  - [`buildx inspect [NAME]`](docs/reference/buildx_inspect.md)
+- [Guides](docs/guides)
+  - [High-level build options with Bake](docs/guides/bake/index.md)
+  - [CI/CD](docs/guides/cicd.md)
+  - [CNI networking](docs/guides/cni-networking.md)
+  - [Using a custom network](docs/guides/custom-network.md)
+  - [Using a custom registry configuration](docs/guides/custom-registry-config.md)
+  - [OpenTelemetry support](docs/guides/opentelemetry.md)
+  - [Registry mirror](docs/guides/registry-mirror.md)
+  - [Drivers](docs/guides/drivers/index.md)
+  - [Resource limiting](docs/guides/resource-limiting.md)
+- [Reference](docs/reference/buildx.md)
+  - [`buildx bake`](docs/reference/buildx_bake.md)
+  - [`buildx build`](docs/reference/buildx_build.md)
+  - [`buildx create`](docs/reference/buildx_create.md)
+  - [`buildx du`](docs/reference/buildx_du.md)
+  - [`buildx imagetools`](docs/reference/buildx_imagetools.md)
+    - [`buildx imagetools create`](docs/reference/buildx_imagetools_create.md)
+    - [`buildx imagetools inspect`](docs/reference/buildx_imagetools_inspect.md)
+  - [`buildx inspect`](docs/reference/buildx_inspect.md)
+  - [`buildx install`](docs/reference/buildx_install.md)
   - [`buildx ls`](docs/reference/buildx_ls.md)
-  - [`buildx stop [NAME]`](docs/reference/buildx_stop.md)
-  - [`buildx rm [NAME]`](docs/reference/buildx_rm.md)
-  - [`buildx bake [OPTIONS] [TARGET...]`](docs/reference/buildx_bake.md)
-  - [`buildx imagetools create [OPTIONS] [SOURCE] [SOURCE...]`](docs/reference/buildx_imagetools_create.md)
-  - [`buildx imagetools inspect NAME`](docs/reference/buildx_imagetools_inspect.md)
-- [Setting buildx as default builder in Docker 19.03+](#setting-buildx-as-default-builder-in-docker-1903)
+  - [`buildx prune`](docs/reference/buildx_prune.md)
+  - [`buildx rm`](docs/reference/buildx_rm.md)
+  - [`buildx stop`](docs/reference/buildx_stop.md)
+  - [`buildx uninstall`](docs/reference/buildx_uninstall.md)
+  - [`buildx use`](docs/reference/buildx_use.md)
+  - [`buildx version`](docs/reference/buildx_version.md)
 - [Contributing](#contributing)
 
-
 # Installing
 
-Using `buildx` as a docker CLI plugin requires using Docker 19.03 or newer. A limited set of functionality works with older versions of Docker when invoking the binary directly.
+Using `buildx` as a docker CLI plugin requires using Docker 19.03 or newer.
+A limited set of functionality works with older versions of Docker when
+invoking the binary directly.
 
-### Docker
+## Windows and macOS
 
-`buildx` comes bundled with Docker Desktop and in latest Docker CE packages, but may not be included in all Linux distros (in which case follow the binary release instructions).
+Docker Buildx is included in [Docker Desktop](https://docs.docker.com/desktop/)
+for Windows and macOS.
 
-### Binary release
+## Linux packages
 
-Download the latest binary release from https://github.com/docker/buildx/releases/latest and copy it to `~/.docker/cli-plugins` folder with name `docker-buildx`.
+Docker Linux packages also include Docker Buildx when installed using the
+[DEB or RPM packages](https://docs.docker.com/engine/install/).
 
-Change the permission to execute:
-```sh
-chmod a+x ~/.docker/cli-plugins/docker-buildx
-```
+## Manual download
 
-### From `Dockerfile`
+> **Important**
+>
+> This section is for unattended installation of the buildx component. These
+> instructions are mostly suitable for testing purposes. We do not recommend
+> installing buildx using manual download in production environments as they
+> will not be updated automatically with security updates.
+>
+> On Windows and macOS, we recommend that you install [Docker Desktop](https://docs.docker.com/desktop/)
+> instead. For Linux, we recommend that you follow the [instructions specific for your distribution](#linux-packages).
 
-Here is how to use buildx inside a Dockerfile through the [`docker/buildx-bin`](https://hub.docker.com/r/docker/buildx-bin) image:
+You can also download the latest binary from the [GitHub releases page](https://github.com/docker/buildx/releases/latest).
+
+Rename the relevant binary and copy it to the destination matching your OS:
+
+| OS       | Binary name          | Destination folder                       |
+| -------- | -------------------- | -----------------------------------------|
+| Linux    | `docker-buildx`      | `$HOME/.docker/cli-plugins`              |
+| macOS    | `docker-buildx`      | `$HOME/.docker/cli-plugins`              |
+| Windows  | `docker-buildx.exe`  | `%USERPROFILE%\.docker\cli-plugins`      |
+
+Or copy it into one of these folders for installing it system-wide.
+
+On Unix environments:
+
+* `/usr/local/lib/docker/cli-plugins` OR `/usr/local/libexec/docker/cli-plugins`
+* `/usr/lib/docker/cli-plugins` OR `/usr/libexec/docker/cli-plugins`
+
+On Windows:
+
+* `C:\ProgramData\Docker\cli-plugins`
+* `C:\Program Files\Docker\cli-plugins`
+
+> **Note**
+>
+> On Unix environments, it may also be necessary to make it executable with `chmod +x`:
+> ```shell
+> $ chmod +x ~/.docker/cli-plugins/docker-buildx
+> ```
+
+## Dockerfile
+
+Here is how to install and use Buildx inside a Dockerfile through the
+[`docker/buildx-bin`](https://hub.docker.com/r/docker/buildx-bin) image:
 
 ```Dockerfile
 FROM docker
-COPY --from=docker/buildx-bin:latest /buildx /usr/libexec/docker/cli-plugins/docker-buildx
+COPY --from=docker/buildx-bin /buildx /usr/libexec/docker/cli-plugins/docker-buildx
 RUN docker buildx version
 ```
 
+# Set buildx as the default builder
+
+Running the command [`docker buildx install`](docs/reference/buildx_install.md)
+sets up docker builder command as an alias to `docker buildx build`. This
+results in the ability to have `docker build` use the current buildx builder.
+
+To remove this alias, run [`docker buildx uninstall`](docs/reference/buildx_uninstall.md).
 
 # Building
 
+```console
+# Buildx 0.6+
+$ docker buildx bake "https://github.com/docker/buildx.git"
+$ mkdir -p ~/.docker/cli-plugins
+$ mv ./bin/buildx ~/.docker/cli-plugins/docker-buildx
 
-### with buildx or Docker 19.03+
-```
-$ export DOCKER_BUILDKIT=1
-$ docker build --platform=local -o . git://github.com/docker/buildx
+# Docker 19.03+
+$ DOCKER_BUILDKIT=1 docker build --platform=local -o . "https://github.com/docker/buildx.git"
 $ mkdir -p ~/.docker/cli-plugins
 $ mv buildx ~/.docker/cli-plugins/docker-buildx
-```
 
-### with Docker 18.09+
-```
-$ git clone git://github.com/docker/buildx && cd buildx
+# Local 
+$ git clone https://github.com/docker/buildx.git && cd buildx
 $ make install
 ```
 
@@ -95,65 +159,145 @@ $ make install
 
 ## Building with buildx
 
-Buildx is a Docker CLI plugin that extends the `docker build` command with the full support of the features provided by [Moby BuildKit](https://github.com/moby/buildkit) builder toolkit. It provides the same user experience as `docker build` with many new features like creating scoped builder instances and building against multiple nodes concurrently.
+Buildx is a Docker CLI plugin that extends the `docker build` command with the
+full support of the features provided by [Moby BuildKit](https://github.com/moby/buildkit)
+builder toolkit. It provides the same user experience as `docker build` with
+many new features like creating scoped builder instances and building against
+multiple nodes concurrently.
 
-After installation, buildx can be accessed through the `docker buildx` command with Docker 19.03.  `docker buildx build` is the command for starting a new build. With Docker versions older than 19.03 buildx binary can be called directly to access the `docker buildx` subcommands.
+After installation, buildx can be accessed through the `docker buildx` command
+with Docker 19.03.  `docker buildx build` is the command for starting a new
+build. With Docker versions older than 19.03 buildx binary can be called
+directly to access the `docker buildx` subcommands.
 
-```
+```console
 $ docker buildx build .
 [+] Building 8.4s (23/32)
  => ...
 ```
 
+Buildx will always build using the BuildKit engine and does not require
+`DOCKER_BUILDKIT=1` environment variable for starting builds.
 
-Buildx will always build using the BuildKit engine and does not require `DOCKER_BUILDKIT=1` environment variable for starting builds.
+The `docker buildx build` command supports features available for `docker build`,
+including features such as outputs configuration, inline build caching, and
+specifying target platform. In addition, Buildx also supports new features that
+are not yet available for regular `docker build` like building manifest lists,
+distributed caching, and exporting build results to OCI image tarballs.
 
-Buildx build command supports the features available for `docker build` including the new features in Docker 19.03 such as outputs configuration, inline build caching or specifying target platform. In addition, buildx supports new features not yet available for regular `docker build` like building manifest lists, distributed caching, exporting build results to OCI image tarballs etc.
+Buildx is flexible and can be run in different configurations that are exposed
+through various "drivers". Each driver defines how and where a build should
+run, and have different feature sets.
 
-Buildx is supposed to be flexible and can be run in different configurations that are exposed through a driver concept. Currently, we support a "docker" driver that uses the BuildKit library bundled into the Docker daemon binary, and a "docker-container" driver that automatically launches BuildKit inside a Docker container. We plan to add more drivers in the future, for example, one that would allow running buildx inside an (unprivileged) container.
-
-The user experience of using buildx is very similar across drivers, but there are some features that are not currently supported by the "docker" driver, because the BuildKit library bundled into docker daemon currently uses a different storage component. In contrast, all images built with "docker" driver are automatically added to the "docker images" view by default, whereas when using other drivers the method for outputting an image needs to be selected with `--output`.
+We currently support the following drivers:
+- The `docker` driver ([guide](docs/guides/drivers/docker.md), [reference](https://docs.docker.com/engine/reference/commandline/buildx_create/#driver))
+- The `docker-container` driver ([guide](docs/guides/drivers/docker-container.md), [reference](https://docs.docker.com/engine/reference/commandline/buildx_create/#driver))
+- The `kubernetes` driver ([guide](docs/guides/drivers/kubernetes.md), [reference](https://docs.docker.com/engine/reference/commandline/buildx_create/#driver))
+- The `remote` driver ([guide](docs/guides/drivers/remote.md))
 
+For more information on drivers, see the [drivers guide](docs/guides/drivers/index.md).
 
 ## Working with builder instances
 
-By default, buildx will initially use the "docker" driver if it is supported, providing a very similar user experience to the native `docker build`. But using a local shared daemon is only one way to build your applications.
+By default, buildx will initially use the `docker` driver if it is supported,
+providing a very similar user experience to the native `docker build`. Note that
+you must use a local shared daemon to build your applications.
 
-Buildx allows you to create new instances of isolated builders. This can be used for getting a scoped environment for your CI builds that does not change the state of the shared daemon or for isolating the builds for different projects. You can create a new instance for a set of remote nodes, forming a build farm, and quickly switch between them.
+Buildx allows you to create new instances of isolated builders. This can be
+used for getting a scoped environment for your CI builds that does not change
+the state of the shared daemon or for isolating the builds for different
+projects. You can create a new instance for a set of remote nodes, forming a
+build farm, and quickly switch between them.
 
-New instances can be created with `docker buildx create` command. This will create a new builder instance with a single node based on your current configuration. To use a remote node you can specify the `DOCKER_HOST` or remote context name while creating the new builder. After creating a new instance you can manage its lifecycle with the `inspect`, `stop` and `rm` commands and list all available builders with `ls`. After creating a new builder you can also append new nodes to it.
+You can create new instances using the [`docker buildx create`](docs/reference/buildx_create.md)
+command. This creates a new builder instance with a single node based on your
+current configuration.
 
-To switch between different builders, use `docker buildx use <name>`. After running this command the build commands would automatically keep using this builder.
+To use a remote node you can specify the `DOCKER_HOST` or the remote context name
+while creating the new builder. After creating a new instance, you can manage its
+lifecycle using the [`docker buildx inspect`](docs/reference/buildx_inspect.md),
+[`docker buildx stop`](docs/reference/buildx_stop.md), and
+[`docker buildx rm`](docs/reference/buildx_rm.md) commands. To list all
+available builders, use [`buildx ls`](docs/reference/buildx_ls.md). After
+creating a new builder you can also append new nodes to it.
 
-Docker 19.03 also features a new `docker context` command that can be used for giving names for remote Docker API endpoints. Buildx integrates with `docker context` so that all of your contexts automatically get a default builder instance. While creating a new builder instance or when adding a node to it you can also set the context name as the target.
+To switch between different builders, use [`docker buildx use <name>`](docs/reference/buildx_use.md).
+After running this command, the build commands will automatically use this
+builder.
+
+Docker also features a [`docker context`](https://docs.docker.com/engine/reference/commandline/context/)
+command that can be used for giving names for remote Docker API endpoints.
+Buildx integrates with `docker context` so that all of your contexts
+automatically get a default builder instance. While creating a new builder
+instance or when adding a node to it you can also set the context name as the
+target.
 
 ## Building multi-platform images
 
-BuildKit is designed to work well for building for multiple platforms and not only for the architecture and operating system that the user invoking the build happens to run.
+BuildKit is designed to work well for building for multiple platforms and not
+only for the architecture and operating system that the user invoking the build
+happens to run.
 
-When invoking a build, the `--platform` flag can be used to specify the target platform for the build output, (e.g. linux/amd64, linux/arm64, darwin/amd64). When the current builder instance is backed by the "docker-container" driver, multiple platforms can be specified together. In this case, a manifest list will be built, containing images for all of the specified architectures. When this image is used in `docker run` or `docker service`, Docker will pick the correct image based on the node’s platform.
+When you invoke a build, you can set the `--platform` flag to specify the target
+platform for the build output, (for example, `linux/amd64`, `linux/arm64`, or
+`darwin/amd64`).
 
-Multi-platform images can be built by mainly three different strategies that are all supported by buildx and Dockerfiles. You can use the QEMU emulation support in the kernel, build on multiple native nodes using the same builder instance or use a stage in Dockerfile to cross-compile to different architectures.
+When the current builder instance is backed by the `docker-container` or 
+`kubernetes` driver, you can specify multiple platforms together. In this case,
+it builds a manifest list which contains images for all specified architectures.
+When you use this image in [`docker run`](https://docs.docker.com/engine/reference/commandline/run/)
+or [`docker service`](https://docs.docker.com/engine/reference/commandline/service/),
+Docker picks the correct image based on the node's platform.
 
-QEMU is the easiest way to get started if your node already supports it (e.g. if you are using Docker Desktop). It requires no changes to your Dockerfile and BuildKit will automatically detect the secondary architectures that are available. When BuildKit needs to run a binary for a different architecture it will automatically load it through a binary registered in the binfmt_misc handler. For QEMU binaries registered with binfmt_misc on the host OS to work transparently inside containers they must be registered with the fix_binary flag. This requires a kernel >= 4.8 and binfmt-support >= 2.1.7. You can check for proper registration by checking if `F` is among the flags in `/proc/sys/fs/binfmt_misc/qemu-*`. While Docker Desktop comes preconfigured with binfmt_misc support for additional platforms, for other installations it likely needs to be installed using [`tonistiigi/binfmt`](https://github.com/tonistiigi/binfmt) image.
+You can build multi-platform images using three different strategies that are
+supported by Buildx and Dockerfiles:
 
-```
+1. Using the QEMU emulation support in the kernel
+2. Building on multiple native nodes using the same builder instance
+3. Using a stage in Dockerfile to cross-compile to different architectures
+
+QEMU is the easiest way to get started if your node already supports it (for
+example. if you are using Docker Desktop). It requires no changes to your
+Dockerfile and BuildKit automatically detects the secondary architectures that
+are available. When BuildKit needs to run a binary for a different architecture,
+it automatically loads it through a binary registered in the `binfmt_misc`
+handler.
+
+For QEMU binaries registered with `binfmt_misc` on the host OS to work
+transparently inside containers they must be registered with the `fix_binary`
+flag. This requires a kernel >= 4.8 and binfmt-support >= 2.1.7. You can check
+for proper registration by checking if `F` is among the flags in
+`/proc/sys/fs/binfmt_misc/qemu-*`. While Docker Desktop comes preconfigured
+with `binfmt_misc` support for additional platforms, for other installations
+it likely needs to be installed using [`tonistiigi/binfmt`](https://github.com/tonistiigi/binfmt)
+image.
+
+```console
 $ docker run --privileged --rm tonistiigi/binfmt --install all
 ```
 
-Using multiple native nodes provides better support for more complicated cases not handled by QEMU and generally have better performance. Additional nodes can be added to the builder instance with `--append` flag.
+Using multiple native nodes provide better support for more complicated cases
+that are not handled by QEMU and generally have better performance. You can
+add additional nodes to the builder instance using the `--append` flag.
 
-```
-# assuming contexts node-amd64 and node-arm64 exist in "docker context ls"
+Assuming contexts `node-amd64` and `node-arm64` exist in `docker context ls`;
+
+```console
 $ docker buildx create --use --name mybuild node-amd64
 mybuild
 $ docker buildx create --append --name mybuild node-arm64
 $ docker buildx build --platform linux/amd64,linux/arm64 .
 ```
 
-Finally, depending on your project, the language that you use may have good support for cross-compilation. In that case, multi-stage builds in Dockerfiles can be effectively used to build binaries for the platform specified with `--platform` using the native architecture of the build node. List of build arguments like `BUILDPLATFORM` and `TARGETPLATFORM` are available automatically inside your Dockerfile and can be leveraged by the processes running as part of your build.
+Finally, depending on your project, the language that you use may have good
+support for cross-compilation. In that case, multi-stage builds in Dockerfiles
+can be effectively used to build binaries for the platform specified with
+`--platform` using the native architecture of the build node. A list of build
+arguments like `BUILDPLATFORM` and `TARGETPLATFORM` is available automatically
+inside your Dockerfile and can be leveraged by the processes running as part
+of your build.
 
-```
+```dockerfile
 FROM --platform=$BUILDPLATFORM golang:alpine AS build
 ARG TARGETPLATFORM
 ARG BUILDPLATFORM
@@ -162,25 +306,12 @@ FROM alpine
 COPY --from=build /log /log
 ```
 
+You can also use [`tonistiigi/xx`](https://github.com/tonistiigi/xx) Dockerfile
+cross-compilation helpers for more advanced use-cases.
 
 ## High-level build options
 
-Buildx also aims to provide support for higher level build concepts that go beyond invoking a single build command. We want to support building all the images in your application together and let the users define project specific reusable build flows that can then be easily invoked by anyone.
-
-BuildKit has great support for efficiently handling multiple concurrent build requests and deduplicating work. While build commands can be combined with general-purpose command runners (eg. make), these tools generally invoke builds in sequence and therefore can’t leverage the full potential of BuildKit parallelization or combine BuildKit’s output for the user. For this use case we have added a command called `docker buildx bake`.
-
-Currently, the bake command supports building images from compose files, similar to `compose build` but allowing all the services to be built concurrently as part of a single request.
-
-There is also support for custom build rules from HCL/JSON files allowing better code reuse and different target groups. The design of bake is in very early stages and we are looking for feedback from users.
-
-[`buildx bake` Reference Docs](docs/reference/buildx_bake.md)
-
-# Setting buildx as default builder in Docker 19.03+
-
-Running `docker buildx install` sets up `docker builder` command as an alias to `docker buildx`. This results in the ability to have `docker build` use the current buildx builder.
-
-To remove this alias, you can run `docker buildx uninstall`.
-
+See [`docs/guides/bake/index.md`](docs/guides/bake/index.md) for more details.
 
 # Contributing
 

bake/bake.go

@@ -2,11 +2,14 @@ package bake
 
 import (
 	"context"
+	"encoding/csv"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"os"
 	"path"
+	"path/filepath"
 	"regexp"
+	"sort"
 	"strconv"
 	"strings"
 
@@ -14,21 +17,32 @@ import (
 	"github.com/docker/buildx/build"
 	"github.com/docker/buildx/util/buildflags"
 	"github.com/docker/buildx/util/platformutil"
-	"github.com/docker/docker/pkg/urlutil"
+	"github.com/docker/cli/cli/config"
+	"github.com/docker/docker/builder/remotecontext/urlutil"
 	hcl "github.com/hashicorp/hcl/v2"
 	"github.com/moby/buildkit/client/llb"
 	"github.com/moby/buildkit/session/auth/authprovider"
 	"github.com/pkg/errors"
 )
 
-var httpPrefix = regexp.MustCompile(`^https?://`)
-var gitURLPathWithFragmentSuffix = regexp.MustCompile(`\.git(?:#.+)?$`)
+var (
+	httpPrefix                   = regexp.MustCompile(`^https?://`)
+	gitURLPathWithFragmentSuffix = regexp.MustCompile(`\.git(?:#.+)?$`)
+
+	validTargetNameChars = `[a-zA-Z0-9_-]+`
+	targetNamePattern    = regexp.MustCompile(`^` + validTargetNameChars + `$`)
+)
 
 type File struct {
 	Name string
 	Data []byte
 }
 
+type Override struct {
+	Value    string
+	ArrValue []string
+}
+
 func defaultFilenames() []string {
 	return []string{
 		"docker-compose.yml",  // support app
@@ -49,41 +63,102 @@ func ReadLocalFiles(names []string) ([]File, error) {
 	out := make([]File, 0, len(names))
 
 	for _, n := range names {
-		dt, err := ioutil.ReadFile(n)
-		if err != nil {
-			if isDefault && errors.Is(err, os.ErrNotExist) {
-				continue
+		var dt []byte
+		var err error
+		if n == "-" {
+			dt, err = io.ReadAll(os.Stdin)
+			if err != nil {
+				return nil, err
+			}
+		} else {
+			dt, err = os.ReadFile(n)
+			if err != nil {
+				if isDefault && errors.Is(err, os.ErrNotExist) {
+					continue
+				}
+				return nil, err
 			}
-			return nil, err
 		}
 		out = append(out, File{Name: n, Data: dt})
 	}
 	return out, nil
 }
 
-func ReadTargets(ctx context.Context, files []File, targets, overrides []string, defaults map[string]string) (map[string]*Target, error) {
+func ReadTargets(ctx context.Context, files []File, targets, overrides []string, defaults map[string]string) (map[string]*Target, []*Group, error) {
 	c, err := ParseFiles(files, defaults)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
+	}
+
+	for i, t := range targets {
+		targets[i] = sanitizeTargetName(t)
 	}
 
 	o, err := c.newOverrides(overrides)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 	m := map[string]*Target{}
 	for _, n := range targets {
 		for _, n := range c.ResolveGroup(n) {
 			t, err := c.ResolveTarget(n, o)
 			if err != nil {
-				return nil, err
+				return nil, nil, err
 			}
 			if t != nil {
 				m[n] = t
 			}
 		}
 	}
-	return m, nil
+
+	var g []*Group
+	if len(targets) == 0 || (len(targets) == 1 && targets[0] == "default") {
+		for _, group := range c.Groups {
+			if group.Name != "default" {
+				continue
+			}
+			g = []*Group{{Targets: group.Targets}}
+		}
+	} else {
+		var gt []string
+		for _, target := range targets {
+			isGroup := false
+			for _, group := range c.Groups {
+				if target == group.Name {
+					gt = append(gt, group.Targets...)
+					isGroup = true
+					break
+				}
+			}
+			if !isGroup {
+				gt = append(gt, target)
+			}
+		}
+		g = []*Group{{Targets: dedupString(gt)}}
+	}
+
+	for name, t := range m {
+		if err := c.loadLinks(name, t, m, o, nil); err != nil {
+			return nil, nil, err
+		}
+	}
+
+	return m, g, nil
+}
+
+func dedupString(s []string) []string {
+	if len(s) == 0 {
+		return s
+	}
+	var res []string
+	seen := make(map[string]struct{})
+	for _, val := range s {
+		if _, ok := seen[val]; !ok {
+			res = append(res, val)
+			seen[val] = struct{}{}
+		}
+	}
+	return res
 }
 
 func ParseFiles(files []File, defaults map[string]string) (_ *Config, err error) {
@@ -119,8 +194,9 @@ func ParseFiles(files []File, defaults map[string]string) (_ *Config, err error)
 
 	if len(fs) > 0 {
 		if err := hclparser.Parse(hcl.MergeFiles(fs), hclparser.Opt{
-			LookupVar: os.LookupEnv,
-			Vars:      defaults,
+			LookupVar:     os.LookupEnv,
+			Vars:          defaults,
+			ValidateLabel: validateTargetName,
 		}, &c); err.HasErrors() {
 			return nil, err
 		}
@@ -240,10 +316,46 @@ func (c Config) expandTargets(pattern string) ([]string, error) {
 	return names, nil
 }
 
-func (c Config) newOverrides(v []string) (map[string]*Target, error) {
-	m := map[string]*Target{}
-	for _, v := range v {
+func (c Config) loadLinks(name string, t *Target, m map[string]*Target, o map[string]map[string]Override, visited []string) error {
+	visited = append(visited, name)
+	for _, v := range t.Contexts {
+		if strings.HasPrefix(v, "target:") {
+			target := strings.TrimPrefix(v, "target:")
+			if target == t.Name {
+				return errors.Errorf("target %s cannot link to itself", target)
+			}
+			for _, v := range visited {
+				if v == target {
+					return errors.Errorf("infinite loop from %s to %s", name, target)
+				}
+			}
+			t2, ok := m[target]
+			if !ok {
+				var err error
+				t2, err = c.ResolveTarget(target, o)
+				if err != nil {
+					return err
+				}
+				t2.Outputs = nil
+				t2.linked = true
+				m[target] = t2
+			}
+			if err := c.loadLinks(target, t2, m, o, visited); err != nil {
+				return err
+			}
+			if len(t.Platforms) > 1 && len(t2.Platforms) > 1 {
+				if !sliceEqual(t.Platforms, t2.Platforms) {
+					return errors.Errorf("target %s can't be used by %s because it is defined for different platforms %v and %v", target, name, t2.Platforms, t.Platforms)
+				}
+			}
+		}
+	}
+	return nil
+}
 
+func (c Config) newOverrides(v []string) (map[string]map[string]Override, error) {
+	m := map[string]map[string]Override{}
+	for _, v := range v {
 		parts := strings.SplitN(v, "=", 2)
 		keys := strings.SplitN(parts[0], ".", 3)
 		if len(keys) < 2 {
@@ -260,85 +372,58 @@ func (c Config) newOverrides(v []string) (map[string]*Target, error) {
 			return nil, err
 		}
 
+		kk := strings.SplitN(parts[0], ".", 2)
+
 		for _, name := range names {
 			t, ok := m[name]
 			if !ok {
-				t = &Target{}
+				t = map[string]Override{}
+				m[name] = t
 			}
 
+			o := t[kk[1]]
+
 			switch keys[1] {
-			case "context":
-				t.Context = &parts[1]
-			case "dockerfile":
-				t.Dockerfile = &parts[1]
+			case "output", "cache-to", "cache-from", "tags", "platform", "secrets", "ssh":
+				if len(parts) == 2 {
+					o.ArrValue = append(o.ArrValue, parts[1])
+				}
 			case "args":
 				if len(keys) != 3 {
 					return nil, errors.Errorf("invalid key %s, args requires name", parts[0])
 				}
-				if t.Args == nil {
-					t.Args = map[string]string{}
-				}
 				if len(parts) < 2 {
 					v, ok := os.LookupEnv(keys[2])
-					if ok {
-						t.Args[keys[2]] = v
+					if !ok {
+						continue
 					}
-				} else {
-					t.Args[keys[2]] = parts[1]
+					o.Value = v
 				}
-			case "labels":
+				fallthrough
+			case "contexts":
 				if len(keys) != 3 {
-					return nil, errors.Errorf("invalid key %s, lanels requires name", parts[0])
+					return nil, errors.Errorf("invalid key %s, contexts requires name", parts[0])
 				}
-				if t.Labels == nil {
-					t.Labels = map[string]string{}
-				}
-				t.Labels[keys[2]] = parts[1]
-			case "tags":
-				t.Tags = append(t.Tags, parts[1])
-			case "cache-from":
-				t.CacheFrom = append(t.CacheFrom, parts[1])
-			case "cache-to":
-				t.CacheTo = append(t.CacheTo, parts[1])
-			case "target":
-				s := parts[1]
-				t.Target = &s
-			case "secrets":
-				t.Secrets = append(t.Secrets, parts[1])
-			case "ssh":
-				t.SSH = append(t.SSH, parts[1])
-			case "platform":
-				t.Platforms = append(t.Platforms, parts[1])
-			case "output":
-				t.Outputs = append(t.Outputs, parts[1])
-			case "no-cache":
-				noCache, err := strconv.ParseBool(parts[1])
-				if err != nil {
-					return nil, errors.Errorf("invalid value %s for boolean key no-cache", parts[1])
-				}
-				t.NoCache = &noCache
-			case "pull":
-				pull, err := strconv.ParseBool(parts[1])
-				if err != nil {
-					return nil, errors.Errorf("invalid value %s for boolean key pull", parts[1])
-				}
-				t.Pull = &pull
+				fallthrough
 			default:
-				return nil, errors.Errorf("unknown key: %s", keys[1])
+				if len(parts) == 2 {
+					o.Value = parts[1]
+				}
 			}
-			m[name] = t
+
+			t[kk[1]] = o
 		}
 	}
 	return m, nil
 }
 
 func (c Config) ResolveGroup(name string) []string {
-	return c.group(name, map[string]struct{}{})
+	return dedupString(c.group(name, map[string][]string{}))
 }
 
-func (c Config) group(name string, visited map[string]struct{}) []string {
+func (c Config) group(name string, visited map[string][]string) []string {
 	if _, ok := visited[name]; ok {
-		return nil
+		return visited[name]
 	}
 	var g *Group
 	for _, group := range c.Groups {
@@ -350,19 +435,26 @@ func (c Config) group(name string, visited map[string]struct{}) []string {
 	if g == nil {
 		return []string{name}
 	}
-	visited[name] = struct{}{}
+	visited[name] = []string{}
 	targets := make([]string, 0, len(g.Targets))
 	for _, t := range g.Targets {
-		targets = append(targets, c.group(t, visited)...)
+		tgroup := c.group(t, visited)
+		if len(tgroup) > 0 {
+			targets = append(targets, tgroup...)
+		} else {
+			targets = append(targets, t)
+		}
 	}
+	visited[name] = targets
 	return targets
 }
 
-func (c Config) ResolveTarget(name string, overrides map[string]*Target) (*Target, error) {
-	t, err := c.target(name, map[string]struct{}{}, overrides)
+func (c Config) ResolveTarget(name string, overrides map[string]map[string]Override) (*Target, error) {
+	t, err := c.target(name, map[string]*Target{}, overrides)
 	if err != nil {
 		return nil, err
 	}
+	t.Inherits = nil
 	if t.Context == nil {
 		s := "."
 		t.Context = &s
@@ -374,11 +466,11 @@ func (c Config) ResolveTarget(name string, overrides map[string]*Target) (*Targe
 	return t, nil
 }
 
-func (c Config) target(name string, visited map[string]struct{}, overrides map[string]*Target) (*Target, error) {
-	if _, ok := visited[name]; ok {
-		return nil, nil
+func (c Config) target(name string, visited map[string]*Target, overrides map[string]map[string]Override) (*Target, error) {
+	if t, ok := visited[name]; ok {
+		return t, nil
 	}
-	visited[name] = struct{}{}
+	visited[name] = nil
 	var t *Target
 	for _, target := range c.Targets {
 		if target.Name == name {
@@ -399,15 +491,15 @@ func (c Config) target(name string, visited map[string]struct{}, overrides map[s
 			tt.Merge(t)
 		}
 	}
-	t.Inherits = nil
 	m := defaultTarget()
 	m.Merge(tt)
 	m.Merge(t)
 	tt = m
-	if override, ok := overrides[name]; ok {
-		tt.Merge(override)
+	if err := tt.AddOverrides(overrides[name]); err != nil {
+		return nil, err
 	}
 	tt.normalize()
+	visited[name] = tt
 	return tt, nil
 }
 
@@ -424,6 +516,7 @@ type Target struct {
 	Inherits []string `json:"inherits,omitempty" hcl:"inherits,optional"`
 
 	Context          *string           `json:"context,omitempty" hcl:"context,optional"`
+	Contexts         map[string]string `json:"contexts,omitempty" hcl:"contexts,optional"`
 	Dockerfile       *string           `json:"dockerfile,omitempty" hcl:"dockerfile,optional"`
 	DockerfileInline *string           `json:"dockerfile-inline,omitempty" hcl:"dockerfile-inline,optional"`
 	Args             map[string]string `json:"args,omitempty" hcl:"args,optional"`
@@ -438,8 +531,12 @@ type Target struct {
 	Outputs          []string          `json:"output,omitempty" hcl:"output,optional"`
 	Pull             *bool             `json:"pull,omitempty" hcl:"pull,optional"`
 	NoCache          *bool             `json:"no-cache,omitempty" hcl:"no-cache,optional"`
+	NetworkMode      *string           `json:"-" hcl:"-"`
+	NoCacheFilter    []string          `json:"no-cache-filter,omitempty" hcl:"no-cache-filter,optional"`
+	// IMPORTANT: if you add more fields here, do not forget to update newOverrides and docs/guides/bake/file-definition.md.
 
-	// IMPORTANT: if you add more fields here, do not forget to update newOverrides and README.
+	// linked is a private field to mark a target used as a linked one
+	linked bool
 }
 
 func (t *Target) normalize() {
@@ -450,6 +547,16 @@ func (t *Target) normalize() {
 	t.CacheFrom = removeDupes(t.CacheFrom)
 	t.CacheTo = removeDupes(t.CacheTo)
 	t.Outputs = removeDupes(t.Outputs)
+	t.NoCacheFilter = removeDupes(t.NoCacheFilter)
+
+	for k, v := range t.Contexts {
+		if v == "" {
+			delete(t.Contexts, k)
+		}
+	}
+	if len(t.Contexts) == 0 {
+		t.Contexts = nil
+	}
 }
 
 func (t *Target) Merge(t2 *Target) {
@@ -468,6 +575,12 @@ func (t *Target) Merge(t2 *Target) {
 		}
 		t.Args[k] = v
 	}
+	for k, v := range t2.Contexts {
+		if t.Contexts == nil {
+			t.Contexts = map[string]string{}
+		}
+		t.Contexts[k] = v
+	}
 	for k, v := range t2.Labels {
 		if t.Labels == nil {
 			t.Labels = map[string]string{}
@@ -504,9 +617,99 @@ func (t *Target) Merge(t2 *Target) {
 	if t2.NoCache != nil {
 		t.NoCache = t2.NoCache
 	}
+	if t2.NetworkMode != nil {
+		t.NetworkMode = t2.NetworkMode
+	}
+	if t2.NoCacheFilter != nil { // merge
+		t.NoCacheFilter = append(t.NoCacheFilter, t2.NoCacheFilter...)
+	}
 	t.Inherits = append(t.Inherits, t2.Inherits...)
 }
 
+func (t *Target) AddOverrides(overrides map[string]Override) error {
+	for key, o := range overrides {
+		value := o.Value
+		keys := strings.SplitN(key, ".", 2)
+		switch keys[0] {
+		case "context":
+			t.Context = &value
+		case "dockerfile":
+			t.Dockerfile = &value
+		case "args":
+			if len(keys) != 2 {
+				return errors.Errorf("args require name")
+			}
+			if t.Args == nil {
+				t.Args = map[string]string{}
+			}
+			t.Args[keys[1]] = value
+		case "contexts":
+			if len(keys) != 2 {
+				return errors.Errorf("contexts require name")
+			}
+			if t.Contexts == nil {
+				t.Contexts = map[string]string{}
+			}
+			t.Contexts[keys[1]] = value
+		case "labels":
+			if len(keys) != 2 {
+				return errors.Errorf("labels require name")
+			}
+			if t.Labels == nil {
+				t.Labels = map[string]string{}
+			}
+			t.Labels[keys[1]] = value
+		case "tags":
+			t.Tags = o.ArrValue
+		case "cache-from":
+			t.CacheFrom = o.ArrValue
+		case "cache-to":
+			t.CacheTo = o.ArrValue
+		case "target":
+			t.Target = &value
+		case "secrets":
+			t.Secrets = o.ArrValue
+		case "ssh":
+			t.SSH = o.ArrValue
+		case "platform":
+			t.Platforms = o.ArrValue
+		case "output":
+			t.Outputs = o.ArrValue
+		case "no-cache":
+			noCache, err := strconv.ParseBool(value)
+			if err != nil {
+				return errors.Errorf("invalid value %s for boolean key no-cache", value)
+			}
+			t.NoCache = &noCache
+		case "no-cache-filter":
+			t.NoCacheFilter = o.ArrValue
+		case "pull":
+			pull, err := strconv.ParseBool(value)
+			if err != nil {
+				return errors.Errorf("invalid value %s for boolean key pull", value)
+			}
+			t.Pull = &pull
+		case "push":
+			_, err := strconv.ParseBool(value)
+			if err != nil {
+				return errors.Errorf("invalid value %s for boolean key push", value)
+			}
+			if len(t.Outputs) == 0 {
+				t.Outputs = append(t.Outputs, "type=image,push=true")
+			} else {
+				for i, output := range t.Outputs {
+					if typ := parseOutputType(output); typ == "image" || typ == "registry" {
+						t.Outputs[i] = t.Outputs[i] + ",push=" + value
+					}
+				}
+			}
+		default:
+			return errors.Errorf("unknown key: %s", keys[0])
+		}
+	}
+	return nil
+}
+
 func TargetsToBuildOpt(m map[string]*Target, inp *Input) (map[string]build.Options, error) {
 	m2 := make(map[string]build.Options, len(m))
 	for k, v := range m {
@@ -523,6 +726,21 @@ func updateContext(t *build.Inputs, inp *Input) {
 	if inp == nil || inp.State == nil {
 		return
 	}
+
+	for k, v := range t.NamedContexts {
+		if v.Path == "." {
+			t.NamedContexts[k] = build.NamedContext{Path: inp.URL}
+		}
+		if strings.HasPrefix(v.Path, "cwd://") || strings.HasPrefix(v.Path, "target:") || strings.HasPrefix(v.Path, "docker-image:") {
+			continue
+		}
+		if IsRemoteURL(v.Path) {
+			continue
+		}
+		st := llb.Scratch().File(llb.Copy(*inp.State, v.Path, "/"), llb.WithCustomNamef("set context %s to %s", k, v.Path))
+		t.NamedContexts[k] = build.NamedContext{State: &st}
+	}
+
 	if t.ContextPath == "." {
 		t.ContextPath = inp.URL
 		return
@@ -537,6 +755,59 @@ func updateContext(t *build.Inputs, inp *Input) {
 	t.ContextState = &st
 }
 
+// validateContextsEntitlements is a basic check to ensure contexts do not
+// escape local directories when loaded from remote sources. This is to be
+// replaced with proper entitlements support in the future.
+func validateContextsEntitlements(t build.Inputs, inp *Input) error {
+	if inp == nil || inp.State == nil {
+		return nil
+	}
+	if v, ok := os.LookupEnv("BAKE_ALLOW_REMOTE_FS_ACCESS"); ok {
+		if vv, _ := strconv.ParseBool(v); vv {
+			return nil
+		}
+	}
+	if t.ContextState == nil {
+		if err := checkPath(t.ContextPath); err != nil {
+			return err
+		}
+	}
+	for _, v := range t.NamedContexts {
+		if v.State != nil {
+			continue
+		}
+		if err := checkPath(v.Path); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func checkPath(p string) error {
+	if IsRemoteURL(p) || strings.HasPrefix(p, "target:") || strings.HasPrefix(p, "docker-image:") {
+		return nil
+	}
+	p, err := filepath.EvalSymlinks(p)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil
+		}
+		return err
+	}
+	wd, err := os.Getwd()
+	if err != nil {
+		return err
+	}
+	rel, err := filepath.Rel(wd, p)
+	if err != nil {
+		return err
+	}
+	if strings.HasPrefix(rel, ".."+string(os.PathSeparator)) {
+		return errors.Errorf("path %s is outside of the working directory, please set BAKE_ALLOW_REMOTE_FS_ACCESS=1", p)
+	}
+	return nil
+}
+
 func toBuildOpt(t *Target, inp *Input) (*build.Options, error) {
 	if v := t.Context; v != nil && *v == "-" {
 		return nil, errors.Errorf("context from stdin not allowed in bake")
@@ -569,10 +840,15 @@ func toBuildOpt(t *Target, inp *Input) (*build.Options, error) {
 	if t.Pull != nil {
 		pull = *t.Pull
 	}
+	networkMode := ""
+	if t.NetworkMode != nil {
+		networkMode = *t.NetworkMode
+	}
 
 	bi := build.Inputs{
 		ContextPath:    contextPath,
 		DockerfilePath: dockerfilePath,
+		NamedContexts:  toNamedContexts(t.Contexts),
 	}
 	if t.DockerfileInline != nil {
 		bi.DockerfileInline = *t.DockerfileInline
@@ -581,16 +857,28 @@ func toBuildOpt(t *Target, inp *Input) (*build.Options, error) {
 	if strings.HasPrefix(bi.ContextPath, "cwd://") {
 		bi.ContextPath = path.Clean(strings.TrimPrefix(bi.ContextPath, "cwd://"))
 	}
+	for k, v := range bi.NamedContexts {
+		if strings.HasPrefix(v.Path, "cwd://") {
+			bi.NamedContexts[k] = build.NamedContext{Path: path.Clean(strings.TrimPrefix(v.Path, "cwd://"))}
+		}
+	}
+
+	if err := validateContextsEntitlements(bi, inp); err != nil {
+		return nil, err
+	}
 
 	t.Context = &bi.ContextPath
 
 	bo := &build.Options{
-		Inputs:    bi,
-		Tags:      t.Tags,
-		BuildArgs: t.Args,
-		Labels:    t.Labels,
-		NoCache:   noCache,
-		Pull:      pull,
+		Inputs:        bi,
+		Tags:          t.Tags,
+		BuildArgs:     t.Args,
+		Labels:        t.Labels,
+		NoCache:       noCache,
+		NoCacheFilter: t.NoCacheFilter,
+		Pull:          pull,
+		NetworkMode:   networkMode,
+		Linked:        t.linked,
 	}
 
 	platforms, err := platformutil.Parse(t.Platforms)
@@ -599,7 +887,8 @@ func toBuildOpt(t *Target, inp *Input) (*build.Options, error) {
 	}
 	bo.Platforms = platforms
 
-	bo.Session = append(bo.Session, authprovider.NewDockerAuthProvider(os.Stderr))
+	dockerConfig := config.LoadDefaultConfigFile(os.Stderr)
+	bo.Session = append(bo.Session, authprovider.NewDockerAuthProvider(dockerConfig))
 
 	secrets, err := buildflags.ParseSecretSpecs(t.Secrets)
 	if err != nil {
@@ -666,3 +955,56 @@ func removeDupes(s []string) []string {
 func isRemoteResource(str string) bool {
 	return urlutil.IsGitURL(str) || urlutil.IsURL(str)
 }
+
+func parseOutputType(str string) string {
+	csvReader := csv.NewReader(strings.NewReader(str))
+	fields, err := csvReader.Read()
+	if err != nil {
+		return ""
+	}
+	for _, field := range fields {
+		parts := strings.SplitN(field, "=", 2)
+		if len(parts) == 2 {
+			if parts[0] == "type" {
+				return parts[1]
+			}
+		}
+	}
+	return ""
+}
+
+func validateTargetName(name string) error {
+	if !targetNamePattern.MatchString(name) {
+		return errors.Errorf("only %q are allowed", validTargetNameChars)
+	}
+	return nil
+}
+
+func sanitizeTargetName(target string) string {
+	// as stipulated in compose spec, service name can contain a dot so as
+	// best-effort and to avoid any potential ambiguity, we replace the dot
+	// with an underscore.
+	return strings.ReplaceAll(target, ".", "_")
+}
+
+func sliceEqual(s1, s2 []string) bool {
+	if len(s1) != len(s2) {
+		return false
+	}
+	sort.Strings(s1)
+	sort.Strings(s2)
+	for i := range s1 {
+		if s1[i] != s2[i] {
+			return false
+		}
+	}
+	return true
+}
+
+func toNamedContexts(m map[string]string) map[string]build.NamedContext {
+	m2 := make(map[string]build.NamedContext, len(m))
+	for k, v := range m {
+		m2[k] = build.NamedContext{Path: v}
+	}
+	return m2
+}

bake/compose.go

@@ -3,13 +3,17 @@ package bake
 import (
 	"fmt"
 	"os"
-	"reflect"
 	"strings"
 
 	"github.com/compose-spec/compose-go/loader"
 	compose "github.com/compose-spec/compose-go/types"
+	"github.com/pkg/errors"
+	"gopkg.in/yaml.v3"
 )
 
+// errComposeInvalid is returned when a compose file is invalid
+var errComposeInvalid = errors.New("invalid compose file")
+
 func parseCompose(dt []byte) (*compose.Project, error) {
 	return loader.Load(compose.ConfigDetails{
 		ConfigFiles: []compose.ConfigFile{
@@ -20,6 +24,7 @@ func parseCompose(dt []byte) (*compose.Project, error) {
 		Environment: envMap(os.Environ()),
 	}, func(options *loader.Options) {
 		options.SkipNormalization = true
+		options.SkipConsistencyCheck = true
 	})
 }
 
@@ -40,9 +45,11 @@ func ParseCompose(dt []byte) (*Config, error) {
 	if err != nil {
 		return nil, err
 	}
+	if err = composeValidate(cfg); err != nil {
+		return nil, err
+	}
 
 	var c Config
-	var zeroBuildConfig compose.BuildConfig
 	if len(cfg.Services) > 0 {
 		c.Groups = []*Group{}
 		c.Targets = []*Target{}
@@ -50,13 +57,13 @@ func ParseCompose(dt []byte) (*Config, error) {
 		g := &Group{Name: "default"}
 
 		for _, s := range cfg.Services {
+			if s.Build == nil {
+				s.Build = &compose.BuildConfig{}
+			}
 
-			if s.Build == nil || reflect.DeepEqual(s.Build, zeroBuildConfig) {
-				// if not make sure they're setting an image or it's invalid d-c.yml
-				if s.Image == "" {
-					return nil, fmt.Errorf("compose file invalid: service %s has neither an image nor a build context specified. At least one must be provided", s.Name)
-				}
-				continue
+			targetName := sanitizeTargetName(s.Name)
+			if err = validateTargetName(targetName); err != nil {
+				return nil, errors.Wrapf(err, "invalid service name %q", targetName)
 			}
 
 			var contextPathP *string
@@ -69,24 +76,43 @@ func ParseCompose(dt []byte) (*Config, error) {
 				dockerfilePath := s.Build.Dockerfile
 				dockerfilePathP = &dockerfilePath
 			}
-			g.Targets = append(g.Targets, s.Name)
+
+			var secrets []string
+			for _, bs := range s.Build.Secrets {
+				secret, err := composeToBuildkitSecret(bs, cfg.Secrets[bs.Source])
+				if err != nil {
+					return nil, err
+				}
+				secrets = append(secrets, secret)
+			}
+
+			g.Targets = append(g.Targets, targetName)
 			t := &Target{
-				Name:       s.Name,
+				Name:       targetName,
 				Context:    contextPathP,
 				Dockerfile: dockerfilePathP,
+				Tags:       s.Build.Tags,
 				Labels:     s.Build.Labels,
 				Args: flatten(s.Build.Args.Resolve(func(val string) (string, bool) {
+					if val, ok := s.Environment[val]; ok && val != nil {
+						return *val, true
+					}
 					val, ok := cfg.Environment[val]
 					return val, ok
 				})),
-				CacheFrom: s.Build.CacheFrom,
-				// TODO: add platforms
+				CacheFrom:   s.Build.CacheFrom,
+				CacheTo:     s.Build.CacheTo,
+				NetworkMode: &s.Build.Network,
+				Secrets:     secrets,
+			}
+			if err = t.composeExtTarget(s.Build.Extensions); err != nil {
+				return nil, err
 			}
 			if s.Build.Target != "" {
 				target := s.Build.Target
 				t.Target = &target
 			}
-			if s.Image != "" {
+			if len(t.Tags) == 0 && s.Image != "" {
 				t.Tags = []string{s.Image}
 			}
 			c.Targets = append(c.Targets, t)
@@ -111,3 +137,129 @@ func flatten(in compose.MappingWithEquals) compose.Mapping {
 	}
 	return out
 }
+
+// xbake Compose build extension provides fields not (yet) available in
+// Compose build specification: https://github.com/compose-spec/compose-spec/blob/master/build.md
+type xbake struct {
+	Tags          stringArray `yaml:"tags,omitempty"`
+	CacheFrom     stringArray `yaml:"cache-from,omitempty"`
+	CacheTo       stringArray `yaml:"cache-to,omitempty"`
+	Secrets       stringArray `yaml:"secret,omitempty"`
+	SSH           stringArray `yaml:"ssh,omitempty"`
+	Platforms     stringArray `yaml:"platforms,omitempty"`
+	Outputs       stringArray `yaml:"output,omitempty"`
+	Pull          *bool       `yaml:"pull,omitempty"`
+	NoCache       *bool       `yaml:"no-cache,omitempty"`
+	NoCacheFilter stringArray `yaml:"no-cache-filter,omitempty"`
+	// don't forget to update documentation if you add a new field:
+	// docs/guides/bake/compose-file.md#extension-field-with-x-bake
+}
+
+type stringArray []string
+
+func (sa *stringArray) UnmarshalYAML(unmarshal func(interface{}) error) error {
+	var multi []string
+	err := unmarshal(&multi)
+	if err != nil {
+		var single string
+		if err := unmarshal(&single); err != nil {
+			return err
+		}
+		*sa = strings.Fields(single)
+	} else {
+		*sa = multi
+	}
+	return nil
+}
+
+// composeExtTarget converts Compose build extension x-bake to bake Target
+// https://github.com/compose-spec/compose-spec/blob/master/spec.md#extension
+func (t *Target) composeExtTarget(exts map[string]interface{}) error {
+	var xb xbake
+
+	ext, ok := exts["x-bake"]
+	if !ok || ext == nil {
+		return nil
+	}
+
+	yb, _ := yaml.Marshal(ext)
+	if err := yaml.Unmarshal(yb, &xb); err != nil {
+		return err
+	}
+
+	if len(xb.Tags) > 0 {
+		t.Tags = dedupString(append(t.Tags, xb.Tags...))
+	}
+	if len(xb.CacheFrom) > 0 {
+		t.CacheFrom = dedupString(append(t.CacheFrom, xb.CacheFrom...))
+	}
+	if len(xb.CacheTo) > 0 {
+		t.CacheTo = dedupString(append(t.CacheTo, xb.CacheTo...))
+	}
+	if len(xb.Secrets) > 0 {
+		t.Secrets = dedupString(append(t.Secrets, xb.Secrets...))
+	}
+	if len(xb.SSH) > 0 {
+		t.SSH = dedupString(append(t.SSH, xb.SSH...))
+	}
+	if len(xb.Platforms) > 0 {
+		t.Platforms = dedupString(append(t.Platforms, xb.Platforms...))
+	}
+	if len(xb.Outputs) > 0 {
+		t.Outputs = dedupString(append(t.Outputs, xb.Outputs...))
+	}
+	if xb.Pull != nil {
+		t.Pull = xb.Pull
+	}
+	if xb.NoCache != nil {
+		t.NoCache = xb.NoCache
+	}
+	if len(xb.NoCacheFilter) > 0 {
+		t.NoCacheFilter = dedupString(append(t.NoCacheFilter, xb.NoCacheFilter...))
+	}
+
+	return nil
+}
+
+// composeValidate validates a compose file
+func composeValidate(project *compose.Project) error {
+	for _, s := range project.Services {
+		if s.Build != nil {
+			for _, secret := range s.Build.Secrets {
+				if _, ok := project.Secrets[secret.Source]; !ok {
+					return errors.Wrap(errComposeInvalid, fmt.Sprintf("service %q refers to undefined build secret %s", sanitizeTargetName(s.Name), secret.Source))
+				}
+			}
+		}
+	}
+	for name, secret := range project.Secrets {
+		if secret.External.External {
+			continue
+		}
+		if secret.File == "" && secret.Environment == "" {
+			return errors.Wrap(errComposeInvalid, fmt.Sprintf("secret %q must declare either `file` or `environment`", name))
+		}
+	}
+	return nil
+}
+
+// composeToBuildkitSecret converts secret from compose format to buildkit's
+// csv format.
+func composeToBuildkitSecret(inp compose.ServiceSecretConfig, psecret compose.SecretConfig) (string, error) {
+	if psecret.External.External {
+		return "", errors.Errorf("unsupported external secret %s", psecret.Name)
+	}
+
+	var bkattrs []string
+	if inp.Source != "" {
+		bkattrs = append(bkattrs, "id="+inp.Source)
+	}
+	if psecret.File != "" {
+		bkattrs = append(bkattrs, "src="+psecret.File)
+	}
+	if psecret.Environment != "" {
+		bkattrs = append(bkattrs, "env="+psecret.Environment)
+	}
+
+	return strings.Join(bkattrs, ","), nil
+}

bake/compose_test.go

@@ -19,8 +19,22 @@ services:
     build:
       context: ./dir
       dockerfile: Dockerfile-alternate
+      network:
+        none
       args:
         buildno: 123
+      cache_from:
+        - type=local,src=path/to/cache
+      cache_to:
+        - type=local,dest=path/to/cache
+      secrets:
+        - token
+        - aws
+secrets:
+  token:
+    environment: ENV_TOKEN
+  aws:
+    file: /root/.aws/credentials
 `)
 
 	c, err := ParseCompose(dt)
@@ -37,12 +51,20 @@ services:
 	})
 	require.Equal(t, "db", c.Targets[0].Name)
 	require.Equal(t, "./db", *c.Targets[0].Context)
+	require.Equal(t, []string{"docker.io/tonistiigi/db"}, c.Targets[0].Tags)
 
 	require.Equal(t, "webapp", c.Targets[1].Name)
 	require.Equal(t, "./dir", *c.Targets[1].Context)
 	require.Equal(t, "Dockerfile-alternate", *c.Targets[1].Dockerfile)
 	require.Equal(t, 1, len(c.Targets[1].Args))
 	require.Equal(t, "123", c.Targets[1].Args["buildno"])
+	require.Equal(t, c.Targets[1].CacheFrom, []string{"type=local,src=path/to/cache"})
+	require.Equal(t, c.Targets[1].CacheTo, []string{"type=local,dest=path/to/cache"})
+	require.Equal(t, "none", *c.Targets[1].NetworkMode)
+	require.Equal(t, []string{
+		"id=token,env=ENV_TOKEN",
+		"id=aws,src=/root/.aws/credentials",
+	}, c.Targets[1].Secrets)
 }
 
 func TestNoBuildOutOfTreeService(t *testing.T) {
@@ -137,21 +159,15 @@ services:
 	require.Equal(t, c.Targets[0].Args["BRB"], "FOO")
 }
 
-func TestBogusCompose(t *testing.T) {
+func TestInconsistentComposeFile(t *testing.T) {
 	var dt = []byte(`
 services:
-  db:
-    labels:
-      - "foo"
   webapp:
-    build:
-      context: .
-      target: webapp
+    entrypoint: echo 1
 `)
 
 	_, err := ParseCompose(dt)
-	require.Error(t, err)
-	require.Contains(t, err.Error(), "has neither an image nor a build context specified: invalid compose project")
+	require.NoError(t, err)
 }
 
 func TestAdvancedNetwork(t *testing.T) {
@@ -179,6 +195,24 @@ networks:
 	require.NoError(t, err)
 }
 
+func TestTags(t *testing.T) {
+	var dt = []byte(`
+services:
+  example:
+    image: example
+    build:
+      context: .
+      dockerfile: Dockerfile
+      tags:
+        - foo
+        - bar
+`)
+
+	c, err := ParseCompose(dt)
+	require.NoError(t, err)
+	require.Equal(t, c.Targets[0].Tags, []string{"foo", "bar"})
+}
+
 func TestDependsOnList(t *testing.T) {
 	var dt = []byte(`
 version: "3.8"
@@ -214,3 +248,275 @@ networks:
 	_, err := ParseCompose(dt)
 	require.NoError(t, err)
 }
+
+func TestComposeExt(t *testing.T) {
+	var dt = []byte(`
+services:
+  addon:
+    image: ct-addon:bar
+    build:
+      context: .
+      dockerfile: ./Dockerfile
+      cache_from:
+        - user/app:cache
+      cache_to:
+        - user/app:cache
+      tags:
+        - ct-addon:baz
+      args:
+        CT_ECR: foo
+        CT_TAG: bar
+      x-bake:
+        tags:
+          - ct-addon:foo
+          - ct-addon:alp
+        platforms:
+          - linux/amd64
+          - linux/arm64
+        cache-from:
+          - type=local,src=path/to/cache
+        cache-to:
+          - type=local,dest=path/to/cache
+        pull: true
+
+  aws:
+    image: ct-fake-aws:bar
+    build:
+      dockerfile: ./aws.Dockerfile
+      args:
+        CT_ECR: foo
+        CT_TAG: bar
+      x-bake:
+        secret:
+          - id=mysecret,src=/local/secret
+          - id=mysecret2,src=/local/secret2
+        ssh: default
+        platforms: linux/arm64
+        output: type=docker
+        no-cache: true
+`)
+
+	c, err := ParseCompose(dt)
+	require.NoError(t, err)
+	require.Equal(t, 2, len(c.Targets))
+	sort.Slice(c.Targets, func(i, j int) bool {
+		return c.Targets[i].Name < c.Targets[j].Name
+	})
+	require.Equal(t, c.Targets[0].Args, map[string]string{"CT_ECR": "foo", "CT_TAG": "bar"})
+	require.Equal(t, c.Targets[0].Tags, []string{"ct-addon:baz", "ct-addon:foo", "ct-addon:alp"})
+	require.Equal(t, c.Targets[0].Platforms, []string{"linux/amd64", "linux/arm64"})
+	require.Equal(t, c.Targets[0].CacheFrom, []string{"user/app:cache", "type=local,src=path/to/cache"})
+	require.Equal(t, c.Targets[0].CacheTo, []string{"user/app:cache", "type=local,dest=path/to/cache"})
+	require.Equal(t, c.Targets[0].Pull, newBool(true))
+	require.Equal(t, c.Targets[1].Tags, []string{"ct-fake-aws:bar"})
+	require.Equal(t, c.Targets[1].Secrets, []string{"id=mysecret,src=/local/secret", "id=mysecret2,src=/local/secret2"})
+	require.Equal(t, c.Targets[1].SSH, []string{"default"})
+	require.Equal(t, c.Targets[1].Platforms, []string{"linux/arm64"})
+	require.Equal(t, c.Targets[1].Outputs, []string{"type=docker"})
+	require.Equal(t, c.Targets[1].NoCache, newBool(true))
+}
+
+func TestComposeExtDedup(t *testing.T) {
+	var dt = []byte(`
+services:
+  webapp:
+    image: app:bar
+    build:
+      cache_from:
+        - user/app:cache
+      cache_to:
+        - user/app:cache
+      tags:
+        - ct-addon:foo
+      x-bake:
+        tags:
+          - ct-addon:foo
+          - ct-addon:baz
+        cache-from:
+          - user/app:cache
+          - type=local,src=path/to/cache
+        cache-to:
+          - type=local,dest=path/to/cache
+`)
+
+	c, err := ParseCompose(dt)
+	require.NoError(t, err)
+	require.Equal(t, 1, len(c.Targets))
+	require.Equal(t, c.Targets[0].Tags, []string{"ct-addon:foo", "ct-addon:baz"})
+	require.Equal(t, c.Targets[0].CacheFrom, []string{"user/app:cache", "type=local,src=path/to/cache"})
+	require.Equal(t, c.Targets[0].CacheTo, []string{"user/app:cache", "type=local,dest=path/to/cache"})
+}
+
+func TestEnv(t *testing.T) {
+	envf, err := os.CreateTemp("", "env")
+	require.NoError(t, err)
+	defer os.Remove(envf.Name())
+
+	_, err = envf.WriteString("FOO=bsdf -csdf\n")
+	require.NoError(t, err)
+
+	var dt = []byte(`
+services:
+  scratch:
+    build:
+     context: .
+     args:
+        CT_ECR: foo
+        FOO:
+        NODE_ENV:
+    environment:
+      - NODE_ENV=test
+      - AWS_ACCESS_KEY_ID=dummy
+      - AWS_SECRET_ACCESS_KEY=dummy
+    env_file:
+      - ` + envf.Name() + `
+`)
+
+	c, err := ParseCompose(dt)
+	require.NoError(t, err)
+	require.Equal(t, c.Targets[0].Args, map[string]string{"CT_ECR": "foo", "FOO": "bsdf -csdf", "NODE_ENV": "test"})
+}
+
+func TestPorts(t *testing.T) {
+	var dt = []byte(`
+services:
+  foo:
+    build:
+     context: .
+    ports:
+      - 3306:3306
+  bar:
+    build:
+     context: .
+    ports:
+      - mode: ingress
+        target: 3306
+        published: "3306"
+        protocol: tcp
+`)
+	_, err := ParseCompose(dt)
+	require.NoError(t, err)
+}
+
+func newBool(val bool) *bool {
+	b := val
+	return &b
+}
+
+func TestServiceName(t *testing.T) {
+	cases := []struct {
+		svc     string
+		wantErr bool
+	}{
+		{
+			svc:     "a",
+			wantErr: false,
+		},
+		{
+			svc:     "abc",
+			wantErr: false,
+		},
+		{
+			svc:     "a.b",
+			wantErr: false,
+		},
+		{
+			svc:     "_a",
+			wantErr: false,
+		},
+		{
+			svc:     "a_b",
+			wantErr: false,
+		},
+		{
+			svc:     "AbC",
+			wantErr: false,
+		},
+		{
+			svc:     "AbC-0123",
+			wantErr: false,
+		},
+	}
+	for _, tt := range cases {
+		tt := tt
+		t.Run(tt.svc, func(t *testing.T) {
+			_, err := ParseCompose([]byte(`
+services:
+  ` + tt.svc + `:
+    build:
+      context: .
+`))
+			if tt.wantErr {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+			}
+		})
+	}
+}
+
+func TestValidateComposeSecret(t *testing.T) {
+	cases := []struct {
+		name    string
+		dt      []byte
+		wantErr bool
+	}{
+		{
+			name: "secret set by file",
+			dt: []byte(`
+secrets:
+  foo:
+    file: .secret
+`),
+			wantErr: false,
+		},
+		{
+			name: "secret set by environment",
+			dt: []byte(`
+secrets:
+  foo:
+    environment: TOKEN
+`),
+			wantErr: false,
+		},
+		{
+			name: "external secret",
+			dt: []byte(`
+secrets:
+  foo:
+    external: true
+`),
+			wantErr: false,
+		},
+		{
+			name: "unset secret",
+			dt: []byte(`
+secrets:
+  foo: {}
+`),
+			wantErr: true,
+		},
+		{
+			name: "undefined secret",
+			dt: []byte(`
+services:
+  foo:
+    build:
+      secrets:
+        - token
+`),
+			wantErr: true,
+		},
+	}
+	for _, tt := range cases {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			_, err := ParseCompose(tt.dt)
+			if tt.wantErr {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+			}
+		})
+	}
+}

bake/hcl.go

@@ -3,7 +3,7 @@ package bake
 import (
 	"strings"
 
-	hcl "github.com/hashicorp/hcl/v2"
+	"github.com/hashicorp/hcl/v2"
 	"github.com/hashicorp/hcl/v2/hclparse"
 	"github.com/moby/buildkit/solver/errdefs"
 	"github.com/moby/buildkit/solver/pb"

bake/hcl_test.go

@@ -620,3 +620,165 @@ func TestHCLBuiltinVars(t *testing.T) {
 	require.Equal(t, "foo", *c.Targets[0].Context)
 	require.Equal(t, "test", *c.Targets[0].Dockerfile)
 }
+
+func TestCombineHCLAndJSONTargets(t *testing.T) {
+	c, err := ParseFiles([]File{
+		{
+			Name: "docker-bake.hcl",
+			Data: []byte(`
+group "default" {
+  targets = ["a"]
+}
+
+target "metadata-a" {}
+target "metadata-b" {}
+
+target "a" {
+  inherits = ["metadata-a"]
+  context = "."
+  target = "a"
+}
+
+target "b" {
+  inherits = ["metadata-b"]
+  context = "."
+  target = "b"
+}`),
+		},
+		{
+			Name: "metadata-a.json",
+			Data: []byte(`
+{
+  "target": [{
+    "metadata-a": [{
+      "tags": [
+        "app/a:1.0.0",
+        "app/a:latest"
+      ]
+    }]
+  }]
+}`),
+		},
+		{
+			Name: "metadata-b.json",
+			Data: []byte(`
+{
+  "target": [{
+    "metadata-b": [{
+      "tags": [
+        "app/b:1.0.0",
+        "app/b:latest"
+      ]
+    }]
+  }]
+}`),
+		},
+	}, nil)
+	require.NoError(t, err)
+
+	require.Equal(t, 1, len(c.Groups))
+	require.Equal(t, "default", c.Groups[0].Name)
+	require.Equal(t, []string{"a"}, c.Groups[0].Targets)
+
+	require.Equal(t, 4, len(c.Targets))
+
+	require.Equal(t, c.Targets[0].Name, "metadata-a")
+	require.Equal(t, []string{"app/a:1.0.0", "app/a:latest"}, c.Targets[0].Tags)
+
+	require.Equal(t, c.Targets[1].Name, "metadata-b")
+	require.Equal(t, []string{"app/b:1.0.0", "app/b:latest"}, c.Targets[1].Tags)
+
+	require.Equal(t, c.Targets[2].Name, "a")
+	require.Equal(t, ".", *c.Targets[2].Context)
+	require.Equal(t, "a", *c.Targets[2].Target)
+
+	require.Equal(t, c.Targets[3].Name, "b")
+	require.Equal(t, ".", *c.Targets[3].Context)
+	require.Equal(t, "b", *c.Targets[3].Target)
+}
+
+func TestCombineHCLAndJSONVars(t *testing.T) {
+	c, err := ParseFiles([]File{
+		{
+			Name: "docker-bake.hcl",
+			Data: []byte(`
+variable "ABC" {
+  default = "foo"
+}
+variable "DEF" {
+  default = ""
+}
+group "default" {
+  targets = ["one"]
+}
+target "one" {
+  args = {
+    a = "pre-${ABC}"
+  }
+}
+target "two" {
+  args = {
+    b = "pre-${DEF}"
+  }
+}`),
+		},
+		{
+			Name: "foo.json",
+			Data: []byte(`{"variable": {"DEF": {"default": "bar"}}, "target": { "one": { "args": {"a": "pre-${ABC}-${DEF}"}} } }`),
+		},
+		{
+			Name: "bar.json",
+			Data: []byte(`{"ABC": "ghi", "DEF": "jkl"}`),
+		},
+	}, nil)
+	require.NoError(t, err)
+
+	require.Equal(t, 1, len(c.Groups))
+	require.Equal(t, "default", c.Groups[0].Name)
+	require.Equal(t, []string{"one"}, c.Groups[0].Targets)
+
+	require.Equal(t, 2, len(c.Targets))
+
+	require.Equal(t, c.Targets[0].Name, "one")
+	require.Equal(t, map[string]string{"a": "pre-ghi-jkl"}, c.Targets[0].Args)
+
+	require.Equal(t, c.Targets[1].Name, "two")
+	require.Equal(t, map[string]string{"b": "pre-jkl"}, c.Targets[1].Args)
+}
+
+func TestEmptyVariableJSON(t *testing.T) {
+	dt := []byte(`{
+	  "variable": {
+	    "VAR": {}
+	  }
+	}`)
+	_, err := ParseFile(dt, "docker-bake.json")
+	require.NoError(t, err)
+}
+
+func TestFunctionNoParams(t *testing.T) {
+	dt := []byte(`
+		function "foo" {
+			result = "bar"
+		}
+		target "foo_target" {
+			args = {
+				test = foo()
+			}
+		}
+		`)
+
+	_, err := ParseFile(dt, "docker-bake.hcl")
+	require.Error(t, err)
+}
+
+func TestFunctionNoResult(t *testing.T) {
+	dt := []byte(`
+		function "foo" {
+			params = ["a"]
+		}
+		`)
+
+	_, err := ParseFile(dt, "docker-bake.hcl")
+	require.Error(t, err)
+}

bake/hclparser/hclparser.go

@@ -16,8 +16,9 @@ import (
 )
 
 type Opt struct {
-	LookupVar func(string) (string, bool)
-	Vars      map[string]string
+	LookupVar     func(string) (string, bool)
+	Vars          map[string]string
+	ValidateLabel func(string) error
 }
 
 type variable struct {
@@ -110,6 +111,13 @@ func (p *parser) resolveFunction(name string) error {
 	}
 	p.progressF[name] = struct{}{}
 
+	if f.Result == nil {
+		return errors.Errorf("empty result not allowed for %s", name)
+	}
+	if f.Params == nil {
+		return errors.Errorf("empty params not allowed for %s", name)
+	}
+
 	paramExprs, paramsDiags := hcl.ExprList(f.Params.Expr)
 	if paramsDiags.HasErrors() {
 		return paramsDiags
@@ -255,6 +263,7 @@ func Parse(b hcl.Body, opt Opt, val interface{}) hcl.Diagnostics {
 	if err := gohcl.DecodeBody(b, nil, &defs); err != nil {
 		return err
 	}
+	defsSchema, _ := gohcl.ImpliedBodySchema(defs)
 
 	if opt.LookupVar == nil {
 		opt.LookupVar = func(string) (string, bool) {
@@ -262,6 +271,12 @@ func Parse(b hcl.Body, opt Opt, val interface{}) hcl.Diagnostics {
 		}
 	}
 
+	if opt.ValidateLabel == nil {
+		opt.ValidateLabel = func(string) error {
+			return nil
+		}
+	}
+
 	p := &parser{
 		opt: opt,
 
@@ -293,12 +308,20 @@ func Parse(b hcl.Body, opt Opt, val interface{}) hcl.Diagnostics {
 		p.funcs[v.Name] = v
 	}
 
+	content, b, diags := b.PartialContent(schema)
+	if diags.HasErrors() {
+		return diags
+	}
+
+	blocks, b, diags := b.PartialContent(defsSchema)
+	if diags.HasErrors() {
+		return diags
+	}
+
 	attrs, diags := b.JustAttributes()
 	if diags.HasErrors() {
-		for _, d := range diags {
-			if d.Detail != "Blocks are not allowed here." {
-				return diags
-			}
+		if d := removeAttributesDiags(diags, reserved, p.vars); len(d) > 0 {
+			return d
 		}
 	}
 
@@ -354,23 +377,32 @@ func Parse(b hcl.Body, opt Opt, val interface{}) hcl.Diagnostics {
 			if diags, ok := err.(hcl.Diagnostics); ok {
 				return diags
 			}
+			var subject *hcl.Range
+			var context *hcl.Range
+			if p.funcs[k].Params != nil {
+				subject = &p.funcs[k].Params.Range
+				context = subject
+			} else {
+				for _, block := range blocks.Blocks {
+					if block.Type == "function" && len(block.Labels) == 1 && block.Labels[0] == k {
+						subject = &block.LabelRanges[0]
+						context = &block.DefRange
+						break
+					}
+				}
+			}
 			return hcl.Diagnostics{
 				&hcl.Diagnostic{
 					Severity: hcl.DiagError,
 					Summary:  "Invalid function",
 					Detail:   err.Error(),
-					Subject:  &p.funcs[k].Params.Range,
-					Context:  &p.funcs[k].Params.Range,
+					Subject:  subject,
+					Context:  context,
 				},
 			}
 		}
 	}
 
-	content, _, diags := b.PartialContent(schema)
-	if diags.HasErrors() {
-		return diags
-	}
-
 	for _, a := range content.Attributes {
 		return hcl.Diagnostics{
 			&hcl.Diagnostic{
@@ -446,6 +478,17 @@ func Parse(b hcl.Body, opt Opt, val interface{}) hcl.Diagnostics {
 			continue
 		}
 
+		if err := opt.ValidateLabel(b.Labels[0]); err != nil {
+			return hcl.Diagnostics{
+				&hcl.Diagnostic{
+					Severity: hcl.DiagError,
+					Summary:  "Invalid name",
+					Detail:   err.Error(),
+					Subject:  &b.LabelRanges[0],
+				},
+			}
+		}
+
 		lblIndex := setLabel(vv, b.Labels[0])
 
 		oldValue, exists := t.values[b.Labels[0]]
@@ -496,3 +539,33 @@ func setLabel(v reflect.Value, lbl string) int {
 	}
 	return -1
 }
+
+func removeAttributesDiags(diags hcl.Diagnostics, reserved map[string]struct{}, vars map[string]*variable) hcl.Diagnostics {
+	var fdiags hcl.Diagnostics
+	for _, d := range diags {
+		if fout := func(d *hcl.Diagnostic) bool {
+			// https://github.com/docker/buildx/pull/541
+			if d.Detail == "Blocks are not allowed here." {
+				return true
+			}
+			for r := range reserved {
+				// JSON body objects don't handle repeated blocks like HCL but
+				// reserved name attributes should be allowed when multi bodies are merged.
+				// https://github.com/hashicorp/hcl/blob/main/json/spec.md#blocks
+				if strings.HasPrefix(d.Detail, fmt.Sprintf(`Argument "%s" was already set at `, r)) {
+					return true
+				}
+			}
+			for v := range vars {
+				// Do the same for global variables
+				if strings.HasPrefix(d.Detail, fmt.Sprintf(`Argument "%s" was already set at `, v)) {
+					return true
+				}
+			}
+			return false
+		}(d); !fout {
+			fdiags = append(fdiags, d)
+		}
+	}
+	return fdiags
+}

bake/hclparser/stdlib.go

@@ -1,12 +1,15 @@
 package hclparser
 
 import (
+	"time"
+
 	"github.com/hashicorp/go-cty-funcs/cidr"
 	"github.com/hashicorp/go-cty-funcs/crypto"
 	"github.com/hashicorp/go-cty-funcs/encoding"
 	"github.com/hashicorp/go-cty-funcs/uuid"
 	"github.com/hashicorp/hcl/v2/ext/tryfunc"
 	"github.com/hashicorp/hcl/v2/ext/typeexpr"
+	"github.com/zclconf/go-cty/cty"
 	"github.com/zclconf/go-cty/cty/function"
 	"github.com/zclconf/go-cty/cty/function/stdlib"
 )
@@ -96,6 +99,7 @@ var stdlibFunctions = map[string]function.Function{
 	"substr":                 stdlib.SubstrFunc,
 	"subtract":               stdlib.SubtractFunc,
 	"timeadd":                stdlib.TimeAddFunc,
+	"timestamp":              timestampFunc,
 	"title":                  stdlib.TitleFunc,
 	"trim":                   stdlib.TrimFunc,
 	"trimprefix":             stdlib.TrimPrefixFunc,
@@ -109,3 +113,14 @@ var stdlibFunctions = map[string]function.Function{
 	"values":                 stdlib.ValuesFunc,
 	"zipmap":                 stdlib.ZipmapFunc,
 }
+
+// timestampFunc constructs a function that returns a string representation of the current date and time.
+//
+// This function was imported from terraform's datetime utilities.
+var timestampFunc = function.New(&function.Spec{
+	Params: []function.Parameter{},
+	Type:   function.StaticReturnType(cty.String),
+	Impl: func(args []cty.Value, retType cty.Type) (cty.Value, error) {
+		return cty.StringVal(time.Now().UTC().Format(time.RFC3339)), nil
+	},
+})

bake/remote.go

@@ -21,9 +21,10 @@ type Input struct {
 }
 
 func ReadRemoteFiles(ctx context.Context, dis []build.DriverInfo, url string, names []string, pw progress.Writer) ([]File, *Input, error) {
-	st, filename, ok := detectHTTPContext(url)
+	var filename string
+	st, ok := detectGitContext(url)
 	if !ok {
-		st, ok = detectGitContext(url)
+		st, filename, ok = detectHTTPContext(url)
 		if !ok {
 			return nil, nil, errors.Errorf("not url context")
 		}

build/build.go

@@ -2,34 +2,44 @@ package build
 
 import (
 	"bufio"
+	"bytes"
 	"context"
+	"crypto/rand"
+	_ "crypto/sha256" // ensure digests can be computed
+	"encoding/hex"
 	"encoding/json"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"strconv"
 	"strings"
 	"sync"
+	"syscall"
 	"time"
 
+	"github.com/containerd/containerd/content"
+	"github.com/containerd/containerd/content/local"
 	"github.com/containerd/containerd/images"
 	"github.com/containerd/containerd/platforms"
 	"github.com/docker/buildx/driver"
 	"github.com/docker/buildx/util/imagetools"
 	"github.com/docker/buildx/util/progress"
-	clitypes "github.com/docker/cli/cli/config/types"
+	"github.com/docker/buildx/util/resolver"
+	"github.com/docker/buildx/util/waitmap"
+	"github.com/docker/cli/opts"
 	"github.com/docker/distribution/reference"
 	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/builder/remotecontext/urlutil"
 	dockerclient "github.com/docker/docker/client"
 	"github.com/docker/docker/pkg/jsonmessage"
-	"github.com/docker/docker/pkg/urlutil"
 	"github.com/moby/buildkit/client"
 	"github.com/moby/buildkit/client/llb"
+	"github.com/moby/buildkit/exporter/containerimage/exptypes"
 	gateway "github.com/moby/buildkit/frontend/gateway/client"
 	"github.com/moby/buildkit/session"
 	"github.com/moby/buildkit/session/upload/uploadprovider"
+	"github.com/moby/buildkit/solver/pb"
 	"github.com/moby/buildkit/util/apicaps"
 	"github.com/moby/buildkit/util/entitlements"
 	"github.com/moby/buildkit/util/progress/progresswriter"
@@ -48,26 +58,30 @@ var (
 )
 
 type Options struct {
-	Inputs      Inputs
-	Tags        []string
-	Labels      map[string]string
-	BuildArgs   map[string]string
-	Pull        bool
-	ImageIDFile string
-	ExtraHosts  []string
-	NetworkMode string
+	Inputs Inputs
 
-	NoCache   bool
-	Target    string
-	Platforms []specs.Platform
-	Exports   []client.ExportEntry
-	Session   []session.Attachable
+	Allow         []entitlements.Entitlement
+	BuildArgs     map[string]string
+	CacheFrom     []client.CacheOptionsEntry
+	CacheTo       []client.CacheOptionsEntry
+	CgroupParent  string
+	Exports       []client.ExportEntry
+	ExtraHosts    []string
+	ImageIDFile   string
+	Labels        map[string]string
+	NetworkMode   string
+	NoCache       bool
+	NoCacheFilter []string
+	Platforms     []specs.Platform
+	Pull          bool
+	Session       []session.Attachable
+	ShmSize       opts.MemBytes
+	Tags          []string
+	Target        string
+	Ulimits       *opts.UlimitOpt
 
-	CacheFrom []client.CacheOptionsEntry
-	CacheTo   []client.CacheOptionsEntry
-
-	Allow []entitlements.Entitlement
-	// DockerTarget
+	// Linked marks this target as exclusively linked (not requested by the user).
+	Linked bool
 }
 
 type Inputs struct {
@@ -76,17 +90,21 @@ type Inputs struct {
 	InStream         io.Reader
 	ContextState     *llb.State
 	DockerfileInline string
+	NamedContexts    map[string]NamedContext
+}
+
+type NamedContext struct {
+	Path  string
+	State *llb.State
 }
 
 type DriverInfo struct {
-	Driver   driver.Driver
-	Name     string
-	Platform []specs.Platform
-	Err      error
-}
-
-type Auth interface {
-	GetAuthConfig(registryHostname string) (clitypes.AuthConfig, error)
+	Driver      driver.Driver
+	Name        string
+	Platform    []specs.Platform
+	Err         error
+	ImageOpt    imagetools.Opt
+	ProxyConfig map[string]string
 }
 
 type DockerAPI interface {
@@ -177,6 +195,10 @@ func splitToDriverPairs(availablePlatforms map[string]int, opt map[string]Option
 			pp = append(pp, p)
 			mm[idx] = pp
 		}
+		// if no platform is specified, use first driver
+		if len(mm) == 0 {
+			mm[0] = nil
+		}
 		dps := make([]driverPair, 0, 2)
 		for idx, pp := range mm {
 			dps = append(dps, driverPair{driverIndex: idx, platforms: pp})
@@ -186,8 +208,8 @@ func splitToDriverPairs(availablePlatforms map[string]int, opt map[string]Option
 	return m
 }
 
-func resolveDrivers(ctx context.Context, drivers []DriverInfo, auth Auth, opt map[string]Options, pw progress.Writer) (map[string][]driverPair, []*client.Client, error) {
-	dps, clients, err := resolveDriversBase(ctx, drivers, auth, opt, pw)
+func resolveDrivers(ctx context.Context, drivers []DriverInfo, opt map[string]Options, pw progress.Writer) (map[string][]driverPair, []*client.Client, error) {
+	dps, clients, err := resolveDriversBase(ctx, drivers, opt, pw)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -214,8 +236,7 @@ func resolveDrivers(ctx context.Context, drivers []DriverInfo, auth Auth, opt ma
 	}
 
 	err = eg.Wait()
-	span.RecordError(err)
-	span.End()
+	tracing.FinishWithError(span, err)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -228,7 +249,7 @@ func resolveDrivers(ctx context.Context, drivers []DriverInfo, auth Auth, opt ma
 	return dps, clients, nil
 }
 
-func resolveDriversBase(ctx context.Context, drivers []DriverInfo, auth Auth, opt map[string]Options, pw progress.Writer) (map[string][]driverPair, []*client.Client, error) {
+func resolveDriversBase(ctx context.Context, drivers []DriverInfo, opt map[string]Options, pw progress.Writer) (map[string][]driverPair, []*client.Client, error) {
 	availablePlatforms := map[string]int{}
 	for i, d := range drivers {
 		for _, p := range d.Platform {
@@ -334,7 +355,8 @@ func toRepoOnly(in string) (string, error) {
 	return strings.Join(out, ","), nil
 }
 
-func toSolveOpt(ctx context.Context, d driver.Driver, multiDriver bool, opt Options, bopts gateway.BuildOpts, pw progress.Writer, dl dockerLoadCallback) (solveOpt *client.SolveOpt, release func(), err error) {
+func toSolveOpt(ctx context.Context, di DriverInfo, multiDriver bool, opt Options, bopts gateway.BuildOpts, configDir string, pw progress.Writer, dl dockerLoadCallback) (solveOpt *client.SolveOpt, release func(), err error) {
+	d := di.Driver
 	defers := make([]func(), 0, 2)
 	releaseF := func() {
 		for _, f := range defers {
@@ -400,6 +422,10 @@ func toSolveOpt(ctx context.Context, d driver.Driver, multiDriver bool, opt Opti
 		AllowedEntitlements: opt.Allow,
 	}
 
+	if opt.CgroupParent != "" {
+		so.FrontendAttrs["cgroup-parent"] = opt.CgroupParent
+	}
+
 	if v, ok := opt.BuildArgs["BUILDKIT_MULTI_PLATFORM"]; ok {
 		if v, _ := strconv.ParseBool(v); v {
 			so.FrontendAttrs["multi-platform"] = "true"
@@ -496,6 +522,12 @@ func toSolveOpt(ctx context.Context, d driver.Driver, multiDriver bool, opt Opti
 				}
 			}
 		}
+		if e.Type == "docker" || e.Type == "image" || e.Type == "oci" {
+			// inline buildinfo attrs from build arg
+			if v, ok := opt.BuildArgs["BUILDKIT_INLINE_BUILDINFO_ATTRS"]; ok {
+				e.Attrs["buildinfo-attrs"] = v
+			}
+		}
 	}
 
 	so.Exports = opt.Exports
@@ -507,12 +539,22 @@ func toSolveOpt(ctx context.Context, d driver.Driver, multiDriver bool, opt Opti
 	}
 	defers = append(defers, releaseLoad)
 
+	if sharedKey := so.LocalDirs["context"]; sharedKey != "" {
+		if p, err := filepath.Abs(sharedKey); err == nil {
+			sharedKey = filepath.Base(p)
+		}
+		so.SharedKey = sharedKey + ":" + tryNodeIdentifier(configDir)
+	}
+
 	if opt.Pull {
 		so.FrontendAttrs["image-resolve-mode"] = "pull"
 	}
 	if opt.Target != "" {
 		so.FrontendAttrs["target"] = opt.Target
 	}
+	if len(opt.NoCacheFilter) > 0 {
+		so.FrontendAttrs["no-cache"] = strings.Join(opt.NoCacheFilter, ",")
+	}
 	if opt.NoCache {
 		so.FrontendAttrs["no-cache"] = ""
 	}
@@ -523,6 +565,12 @@ func toSolveOpt(ctx context.Context, d driver.Driver, multiDriver bool, opt Opti
 		so.FrontendAttrs["label:"+k] = v
 	}
 
+	for k, v := range di.ProxyConfig {
+		if _, ok := opt.BuildArgs[k]; !ok {
+			so.FrontendAttrs["build-arg:"+k] = v
+		}
+	}
+
 	// set platforms
 	if len(opt.Platforms) != 0 {
 		pp := make([]string, len(opt.Platforms))
@@ -544,7 +592,7 @@ func toSolveOpt(ctx context.Context, d driver.Driver, multiDriver bool, opt Opti
 		so.FrontendAttrs["force-network-mode"] = opt.NetworkMode
 	case "", "default":
 	default:
-		return nil, nil, errors.Errorf("network mode %q not supported by buildkit", opt.NetworkMode)
+		return nil, nil, errors.Errorf("network mode %q not supported by buildkit - you can define a custom network for your builder using the network driver-opt in buildx create", opt.NetworkMode)
 	}
 
 	// setup extrahosts
@@ -554,10 +602,117 @@ func toSolveOpt(ctx context.Context, d driver.Driver, multiDriver bool, opt Opti
 	}
 	so.FrontendAttrs["add-hosts"] = extraHosts
 
+	// setup shm size
+	if opt.ShmSize.Value() > 0 {
+		so.FrontendAttrs["shm-size"] = strconv.FormatInt(opt.ShmSize.Value(), 10)
+	}
+
+	// setup ulimits
+	ulimits, err := toBuildkitUlimits(opt.Ulimits)
+	if err != nil {
+		return nil, nil, err
+	} else if len(ulimits) > 0 {
+		so.FrontendAttrs["ulimit"] = ulimits
+	}
+
 	return &so, releaseF, nil
 }
 
-func Build(ctx context.Context, drivers []DriverInfo, opt map[string]Options, docker DockerAPI, auth Auth, w progress.Writer) (resp map[string]*client.SolveResponse, err error) {
+// ContainerConfig is configuration for a container to run.
+type ContainerConfig struct {
+	ResultCtx *ResultContext
+	Args      []string
+	Env       []string
+	User      string
+	Cwd       string
+	Tty       bool
+	Stdin     io.ReadCloser
+	Stdout    io.WriteCloser
+	Stderr    io.WriteCloser
+}
+
+// ResultContext is a build result with the client that built it.
+type ResultContext struct {
+	Client *client.Client
+	Res    *gateway.Result
+}
+
+// Invoke invokes a build result as a container.
+func Invoke(ctx context.Context, cfg ContainerConfig) error {
+	if cfg.ResultCtx == nil {
+		return errors.Errorf("result must be provided")
+	}
+	c, res := cfg.ResultCtx.Client, cfg.ResultCtx.Res
+	_, err := c.Build(ctx, client.SolveOpt{}, "buildx", func(ctx context.Context, c gateway.Client) (*gateway.Result, error) {
+		if res.Ref == nil {
+			return nil, errors.Errorf("no reference is registered")
+		}
+		st, err := res.Ref.ToState()
+		if err != nil {
+			return nil, err
+		}
+		def, err := st.Marshal(ctx)
+		if err != nil {
+			return nil, err
+		}
+		imgRef, err := c.Solve(ctx, gateway.SolveRequest{
+			Definition: def.ToPB(),
+		})
+		if err != nil {
+			return nil, err
+		}
+		ctr, err := c.NewContainer(ctx, gateway.NewContainerRequest{
+			Mounts: []gateway.Mount{
+				{
+					Dest:      "/",
+					MountType: pb.MountType_BIND,
+					Ref:       imgRef.Ref,
+				},
+			},
+		})
+		if err != nil {
+			return nil, err
+		}
+		defer ctr.Release(ctx)
+		proc, err := ctr.Start(ctx, gateway.StartRequest{
+			Args:   cfg.Args,
+			Env:    cfg.Env,
+			User:   cfg.User,
+			Cwd:    cfg.Cwd,
+			Tty:    cfg.Tty,
+			Stdin:  cfg.Stdin,
+			Stdout: cfg.Stdout,
+			Stderr: cfg.Stderr,
+		})
+		if err != nil {
+			return nil, errors.Errorf("failed to start container: %v", err)
+		}
+		errCh := make(chan error)
+		doneCh := make(chan struct{})
+		go func() {
+			if err := proc.Wait(); err != nil {
+				errCh <- err
+				return
+			}
+			close(doneCh)
+		}()
+		select {
+		case <-doneCh:
+		case <-ctx.Done():
+			return nil, ctx.Err()
+		case err := <-errCh:
+			return nil, err
+		}
+		return nil, nil
+	}, nil)
+	return err
+}
+
+func Build(ctx context.Context, drivers []DriverInfo, opt map[string]Options, docker DockerAPI, configDir string, w progress.Writer) (resp map[string]*client.SolveResponse, err error) {
+	return BuildWithResultHandler(ctx, drivers, opt, docker, configDir, w, nil)
+}
+
+func BuildWithResultHandler(ctx context.Context, drivers []DriverInfo, opt map[string]Options, docker DockerAPI, configDir string, w progress.Writer, resultHandleFunc func(driverIndex int, rCtx *ResultContext)) (resp map[string]*client.SolveResponse, err error) {
 	if len(drivers) == 0 {
 		return nil, errors.Errorf("driver required for build")
 	}
@@ -576,15 +731,25 @@ func Build(ctx context.Context, drivers []DriverInfo, opt map[string]Options, do
 	}
 
 	if noMobyDriver != nil && !noDefaultLoad() {
-		for _, opt := range opt {
-			if len(opt.Exports) == 0 {
-				logrus.Warnf("No output specified for %s driver. Build result will only remain in the build cache. To push result image into registry use --push or to load image into docker use --load", noMobyDriver.Factory().Name())
-				break
+		var noOutputTargets []string
+		for name, opt := range opt {
+			if !opt.Linked && len(opt.Exports) == 0 {
+				noOutputTargets = append(noOutputTargets, name)
 			}
 		}
+		if len(noOutputTargets) > 0 {
+			var warnNoOutputBuf bytes.Buffer
+			warnNoOutputBuf.WriteString("No output specified ")
+			if len(noOutputTargets) == 1 && noOutputTargets[0] == "default" {
+				warnNoOutputBuf.WriteString(fmt.Sprintf("with %s driver", noMobyDriver.Factory().Name()))
+			} else {
+				warnNoOutputBuf.WriteString(fmt.Sprintf("for %s target(s) with %s driver", strings.Join(noOutputTargets, ", "), noMobyDriver.Factory().Name()))
+			}
+			logrus.Warnf("%s. Build result will only remain in the build cache. To push result image into registry use --push or to load image into docker use --load", warnNoOutputBuf.String())
+		}
 	}
 
-	m, clients, err := resolveDrivers(ctx, drivers, auth, opt, w)
+	m, clients, err := resolveDrivers(ctx, drivers, opt, w)
 	if err != nil {
 		return nil, err
 	}
@@ -604,12 +769,12 @@ func Build(ctx context.Context, drivers []DriverInfo, opt map[string]Options, do
 		multiDriver := len(m[k]) > 1
 		hasMobyDriver := false
 		for i, dp := range m[k] {
-			d := drivers[dp.driverIndex].Driver
-			if d.IsMobyDriver() {
+			di := drivers[dp.driverIndex]
+			if di.Driver.IsMobyDriver() {
 				hasMobyDriver = true
 			}
 			opt.Platforms = dp.platforms
-			so, release, err := toSolveOpt(ctx, d, multiDriver, opt, dp.bopts, w, func(name string) (io.WriteCloser, func(), error) {
+			so, release, err := toSolveOpt(ctx, di, multiDriver, opt, dp.bopts, configDir, w, func(name string) (io.WriteCloser, func(), error) {
 				return newDockerLoader(ctx, docker, name, w)
 			})
 			if err != nil {
@@ -642,8 +807,35 @@ func Build(ctx context.Context, drivers []DriverInfo, opt map[string]Options, do
 		}
 	}
 
+	// validate that all links between targets use same drivers
+	for name := range opt {
+		dps := m[name]
+		for _, dp := range dps {
+			for k, v := range dp.so.FrontendAttrs {
+				if strings.HasPrefix(k, "context:") && strings.HasPrefix(v, "target:") {
+					k2 := strings.TrimPrefix(v, "target:")
+					dps2, ok := m[k2]
+					if !ok {
+						return nil, errors.Errorf("failed to find target %s for context %s", k2, strings.TrimPrefix(k, "context:")) // should be validated before already
+					}
+					var found bool
+					for _, dp2 := range dps2 {
+						if dp2.driverIndex == dp.driverIndex {
+							found = true
+							break
+						}
+					}
+					if !found {
+						return nil, errors.Errorf("failed to use %s as context %s for %s because targets build with different drivers", k2, strings.TrimPrefix(k, "context:"), name)
+					}
+				}
+			}
+		}
+	}
+
 	resp = map[string]*client.SolveResponse{}
 	var respMu sync.Mutex
+	results := waitmap.New()
 
 	multiTarget := len(opt) > 1
 
@@ -664,12 +856,12 @@ func Build(ctx context.Context, drivers []DriverInfo, opt map[string]Options, do
 			wg.Add(len(dps))
 
 			var pushNames string
+			var insecurePush bool
 
 			eg.Go(func() (err error) {
 				defer func() {
 					if span != nil {
-						span.RecordError(err)
-						span.End()
+						tracing.FinishWithError(span, err)
 					}
 				}()
 				pw := progress.WithPrefix(w, "default", false)
@@ -684,8 +876,12 @@ func Build(ctx context.Context, drivers []DriverInfo, opt map[string]Options, do
 				resp[k] = res[0]
 				respMu.Unlock()
 				if len(res) == 1 {
+					dgst := res[0].ExporterResponse[exptypes.ExporterImageDigestKey]
+					if v, ok := res[0].ExporterResponse[exptypes.ExporterImageConfigDigestKey]; ok {
+						dgst = v
+					}
 					if opt.ImageIDFile != "" {
-						return ioutil.WriteFile(opt.ImageIDFile, []byte(res[0].ExporterResponse["containerimage.digest"]), 0644)
+						return os.WriteFile(opt.ImageIDFile, []byte(dgst), 0644)
 					}
 					return nil
 				}
@@ -695,7 +891,7 @@ func Build(ctx context.Context, drivers []DriverInfo, opt map[string]Options, do
 						descs := make([]specs.Descriptor, 0, len(res))
 
 						for _, r := range res {
-							s, ok := r.ExporterResponse["containerimage.digest"]
+							s, ok := r.ExporterResponse[exptypes.ExporterImageDigestKey]
 							if ok {
 								descs = append(descs, specs.Descriptor{
 									Digest:    digest.Digest(s),
@@ -705,22 +901,55 @@ func Build(ctx context.Context, drivers []DriverInfo, opt map[string]Options, do
 							}
 						}
 						if len(descs) > 0 {
-							itpull := imagetools.New(imagetools.Opt{
-								Auth: auth,
-							})
-
+							var imageopt imagetools.Opt
+							for _, dp := range dps {
+								imageopt = drivers[dp.driverIndex].ImageOpt
+								break
+							}
 							names := strings.Split(pushNames, ",")
-							dt, desc, err := itpull.Combine(ctx, names[0], descs)
+
+							if insecurePush {
+								insecureTrue := true
+								httpTrue := true
+								nn, err := reference.ParseNormalizedNamed(names[0])
+								if err != nil {
+									return err
+								}
+								imageopt.RegistryConfig = map[string]resolver.RegistryConfig{
+									reference.Domain(nn): {
+										Insecure:  &insecureTrue,
+										PlainHTTP: &httpTrue,
+									},
+								}
+							}
+
+							itpull := imagetools.New(imageopt)
+
+							ref, err := reference.ParseNormalizedNamed(names[0])
+							if err != nil {
+								return err
+							}
+							ref = reference.TagNameOnly(ref)
+
+							srcs := make([]*imagetools.Source, len(descs))
+							for i, desc := range descs {
+								srcs[i] = &imagetools.Source{
+									Desc: desc,
+									Ref:  ref,
+								}
+							}
+
+							dt, desc, err := itpull.Combine(ctx, srcs)
 							if err != nil {
 								return err
 							}
 							if opt.ImageIDFile != "" {
-								return ioutil.WriteFile(opt.ImageIDFile, []byte(desc.Digest), 0644)
+								if err := os.WriteFile(opt.ImageIDFile, []byte(desc.Digest), 0644); err != nil {
+									return err
+								}
 							}
 
-							itpush := imagetools.New(imagetools.Opt{
-								Auth: auth,
-							})
+							itpush := imagetools.New(imageopt)
 
 							for _, n := range names {
 								nn, err := reference.ParseNormalizedNamed(n)
@@ -748,7 +977,6 @@ func Build(ctx context.Context, drivers []DriverInfo, opt map[string]Options, do
 
 			for i, dp := range dps {
 				so := *dp.so
-
 				if multiDriver {
 					for i, e := range so.Exports {
 						switch e.Type {
@@ -765,6 +993,9 @@ func Build(ctx context.Context, drivers []DriverInfo, opt map[string]Options, do
 									if err != nil {
 										return err
 									}
+									if ok, _ := strconv.ParseBool(e.Attrs["registry.insecure"]); ok {
+										insecurePush = true
+									}
 									e.Attrs["name"] = names
 									e.Attrs["push-by-digest"] = "true"
 									so.Exports[i].Attrs = e.Attrs
@@ -778,14 +1009,47 @@ func Build(ctx context.Context, drivers []DriverInfo, opt map[string]Options, do
 					pw := progress.WithPrefix(w, k, multiTarget)
 
 					c := clients[dp.driverIndex]
-
-					pw = progress.ResetTime(pw)
-
 					eg.Go(func() error {
+						pw = progress.ResetTime(pw)
 						defer wg.Done()
+
+						if err := waitContextDeps(ctx, dp.driverIndex, results, &so); err != nil {
+							return err
+						}
+
+						frontendInputs := make(map[string]*pb.Definition)
+						for key, st := range so.FrontendInputs {
+							def, err := st.Marshal(ctx)
+							if err != nil {
+								return err
+							}
+							frontendInputs[key] = def.ToPB()
+						}
+
+						req := gateway.SolveRequest{
+							Frontend:       so.Frontend,
+							FrontendOpt:    so.FrontendAttrs,
+							FrontendInputs: frontendInputs,
+						}
+						so.Frontend = ""
+						so.FrontendAttrs = nil
+						so.FrontendInputs = nil
+
 						ch, done := progress.NewChannel(pw)
 						defer func() { <-done }()
-						rr, err := c.Solve(ctx, nil, so, ch)
+
+						cc := c
+						rr, err := c.Build(ctx, so, "buildx", func(ctx context.Context, c gateway.Client) (*gateway.Result, error) {
+							res, err := c.Solve(ctx, req)
+							if err != nil {
+								return nil, err
+							}
+							results.Set(resultKey(dp.driverIndex, k), res)
+							if resultHandleFunc != nil {
+								resultHandleFunc(dp.driverIndex, &ResultContext{cc, res})
+							}
+							return res, nil
+						}, ch)
 						if err != nil {
 							return err
 						}
@@ -801,13 +1065,27 @@ func Build(ctx context.Context, drivers []DriverInfo, opt map[string]Options, do
 											return errors.Errorf("tag is needed when pushing to registry")
 										}
 										pw := progress.ResetTime(pw)
-										for _, name := range strings.Split(pushNames, ",") {
+										pushList := strings.Split(pushNames, ",")
+										for _, name := range pushList {
 											if err := progress.Wrap(fmt.Sprintf("pushing %s with docker", name), pw.Write, func(l progress.SubLogger) error {
 												return pushWithMoby(ctx, d, name, l)
 											}); err != nil {
 												return err
 											}
 										}
+										remoteDigest, err := remoteDigestWithMoby(ctx, d, pushList[0])
+										if err == nil && remoteDigest != "" {
+											// old daemons might not have containerimage.config.digest set
+											// in response so use containerimage.digest value for it if available
+											if _, ok := rr.ExporterResponse[exptypes.ExporterImageConfigDigestKey]; !ok {
+												if v, ok := rr.ExporterResponse[exptypes.ExporterImageDigestKey]; ok {
+													rr.ExporterResponse[exptypes.ExporterImageConfigDigestKey] = v
+												}
+											}
+											rr.ExporterResponse[exptypes.ExporterImageDigestKey] = remoteDigest
+										} else if err != nil {
+											return err
+										}
 									}
 								}
 							}
@@ -912,8 +1190,31 @@ func pushWithMoby(ctx context.Context, d driver.Driver, name string, l progress.
 	return nil
 }
 
+func remoteDigestWithMoby(ctx context.Context, d driver.Driver, name string) (string, error) {
+	api := d.Config().DockerAPI
+	if api == nil {
+		return "", errors.Errorf("invalid empty Docker API reference") // should never happen
+	}
+	creds, err := imagetools.RegistryAuthForRef(name, d.Config().Auth)
+	if err != nil {
+		return "", err
+	}
+	image, _, err := api.ImageInspectWithRaw(ctx, name)
+	if err != nil {
+		return "", err
+	}
+	if len(image.RepoDigests) == 0 {
+		return "", nil
+	}
+	remoteImage, err := api.DistributionInspect(ctx, name, creds)
+	if err != nil {
+		return "", err
+	}
+	return remoteImage.Descriptor.Digest.String(), nil
+}
+
 func createTempDockerfile(r io.Reader) (string, error) {
-	dir, err := ioutil.TempDir("", "dockerfile")
+	dir, err := os.MkdirTemp("", "dockerfile")
 	if err != nil {
 		return "", err
 	}
@@ -972,7 +1273,7 @@ func LoadInputs(ctx context.Context, d driver.Driver, inp Inputs, pw progress.Wr
 				}
 				// stdin is dockerfile
 				dockerfileReader = buf
-				inp.ContextPath, _ = ioutil.TempDir("", "empty-dir")
+				inp.ContextPath, _ = os.MkdirTemp("", "empty-dir")
 				toRemove = append(toRemove, inp.ContextPath)
 				target.LocalDirs["context"] = inp.ContextPath
 			}
@@ -992,7 +1293,7 @@ func LoadInputs(ctx context.Context, d driver.Driver, inp Inputs, pw progress.Wr
 
 	case urlutil.IsGitURL(inp.ContextPath), urlutil.IsURL(inp.ContextPath):
 		if inp.DockerfilePath == "-" {
-			return nil, errors.Errorf("Dockerfile from stdin is not supported with remote contexts")
+			dockerfileReader = inp.InStream
 		}
 		target.FrontendAttrs["context"] = inp.ContextPath
 	default:
@@ -1034,6 +1335,62 @@ func LoadInputs(ctx context.Context, d driver.Driver, inp Inputs, pw progress.Wr
 
 	target.FrontendAttrs["filename"] = dockerfileName
 
+	for k, v := range inp.NamedContexts {
+		target.FrontendAttrs["frontend.caps"] = "moby.buildkit.frontend.contexts+forward"
+		if v.State != nil {
+			target.FrontendAttrs["context:"+k] = "input:" + k
+			if target.FrontendInputs == nil {
+				target.FrontendInputs = make(map[string]llb.State)
+			}
+			target.FrontendInputs[k] = *v.State
+			continue
+		}
+
+		if urlutil.IsGitURL(v.Path) || urlutil.IsURL(v.Path) || strings.HasPrefix(v.Path, "docker-image://") || strings.HasPrefix(v.Path, "target:") {
+			target.FrontendAttrs["context:"+k] = v.Path
+			continue
+		}
+
+		// handle OCI layout
+		if strings.HasPrefix(v.Path, "oci-layout://") {
+			pathAlone := strings.TrimPrefix(v.Path, "oci-layout://")
+			parts := strings.SplitN(pathAlone, "@", 2)
+			if len(parts) != 2 {
+				return nil, errors.Errorf("invalid oci-layout context %s, must be oci-layout:///path/to/layout@sha256:hash", v.Path)
+			}
+			localPath := parts[0]
+			dgst, err := digest.Parse(parts[1])
+			if err != nil {
+				return nil, errors.Wrapf(err, "invalid oci-layout context %s, does not have proper hash, must be oci-layout:///path/to/layout@sha256:hash", v.Path)
+			}
+			store, err := local.NewStore(localPath)
+			if err != nil {
+				return nil, errors.Wrapf(err, "invalid store at %s", localPath)
+			}
+			// now we can add it
+			if target.OCIStores == nil {
+				target.OCIStores = map[string]content.Store{}
+			}
+			target.OCIStores[k] = store
+
+			target.FrontendAttrs["context:"+k] = fmt.Sprintf("oci-layout:%s@%s", k, dgst.String())
+			continue
+		}
+		st, err := os.Stat(v.Path)
+		if err != nil {
+			return nil, errors.Wrapf(err, "failed to get build context %v", k)
+		}
+		if !st.IsDir() {
+			return nil, errors.Wrapf(syscall.ENOTDIR, "failed to get build context path %v", v)
+		}
+		localName := k
+		if k == "context" || k == "dockerfile" {
+			localName = "_" + k // underscore to avoid collisions
+		}
+		target.LocalDirs[localName] = v.Path
+		target.FrontendAttrs["context:"+k] = "local:" + localName
+	}
+
 	release := func() {
 		for _, dir := range toRemove {
 			os.RemoveAll(dir)
@@ -1042,6 +1399,96 @@ func LoadInputs(ctx context.Context, d driver.Driver, inp Inputs, pw progress.Wr
 	return release, nil
 }
 
+func resultKey(index int, name string) string {
+	return fmt.Sprintf("%d-%s", index, name)
+}
+
+func waitContextDeps(ctx context.Context, index int, results *waitmap.Map, so *client.SolveOpt) error {
+	m := map[string]string{}
+	for k, v := range so.FrontendAttrs {
+		if strings.HasPrefix(k, "context:") && strings.HasPrefix(v, "target:") {
+			target := resultKey(index, strings.TrimPrefix(v, "target:"))
+			m[target] = k
+		}
+	}
+	if len(m) == 0 {
+		return nil
+	}
+	keys := make([]string, 0, len(m))
+	for k := range m {
+		keys = append(keys, k)
+	}
+	res, err := results.Get(ctx, keys...)
+	if err != nil {
+		return err
+	}
+
+	for k, v := range m {
+		r, ok := res[k]
+		if !ok {
+			continue
+		}
+		rr, ok := r.(*gateway.Result)
+		if !ok {
+			return errors.Errorf("invalid result type %T", rr)
+		}
+		if so.FrontendAttrs == nil {
+			so.FrontendAttrs = map[string]string{}
+		}
+		if so.FrontendInputs == nil {
+			so.FrontendInputs = map[string]llb.State{}
+		}
+		if len(rr.Refs) > 0 {
+			for platform, r := range rr.Refs {
+				st, err := r.ToState()
+				if err != nil {
+					return err
+				}
+				so.FrontendInputs[k+"::"+platform] = st
+				so.FrontendAttrs[v+"::"+platform] = "input:" + k + "::" + platform
+				metadata := make(map[string][]byte)
+				if dt, ok := rr.Metadata[exptypes.ExporterImageConfigKey+"/"+platform]; ok {
+					metadata[exptypes.ExporterImageConfigKey] = dt
+				}
+				if dt, ok := rr.Metadata[exptypes.ExporterBuildInfo+"/"+platform]; ok {
+					metadata[exptypes.ExporterBuildInfo] = dt
+				}
+				if len(metadata) > 0 {
+					dt, err := json.Marshal(metadata)
+					if err != nil {
+						return err
+					}
+					so.FrontendAttrs["input-metadata:"+k+"::"+platform] = string(dt)
+				}
+			}
+			delete(so.FrontendAttrs, v)
+		}
+		if rr.Ref != nil {
+			st, err := rr.Ref.ToState()
+			if err != nil {
+				return err
+			}
+			so.FrontendInputs[k] = st
+			so.FrontendAttrs[v] = "input:" + k
+			metadata := make(map[string][]byte)
+			if dt, ok := rr.Metadata[exptypes.ExporterImageConfigKey]; ok {
+				metadata[exptypes.ExporterImageConfigKey] = dt
+			}
+			if dt, ok := rr.Metadata[exptypes.ExporterBuildInfo]; ok {
+				metadata[exptypes.ExporterBuildInfo] = dt
+			}
+			if len(metadata) > 0 {
+				dt, err := json.Marshal(metadata)
+				if err != nil {
+					return err
+				}
+				so.FrontendAttrs["input-metadata:"+k] = string(dt)
+			}
+		}
+	}
+	return nil
+}
+
 func notSupported(d driver.Driver, f driver.Feature) error {
 	return errors.Errorf("%s feature is currently not supported for %s driver. Please switch to a different driver (eg. \"docker buildx create --use\")", f, d.Factory().Name())
 }
@@ -1158,3 +1605,28 @@ func wrapWriteCloser(wc io.WriteCloser) func(map[string]string) (io.WriteCloser,
 		return wc, nil
 	}
 }
+
+var nodeIdentifierMu sync.Mutex
+
+func tryNodeIdentifier(configDir string) (out string) {
+	nodeIdentifierMu.Lock()
+	defer nodeIdentifierMu.Unlock()
+	sessionFile := filepath.Join(configDir, ".buildNodeID")
+	if _, err := os.Lstat(sessionFile); err != nil {
+		if os.IsNotExist(err) { // create a new file with stored randomness
+			b := make([]byte, 8)
+			if _, err := rand.Read(b); err != nil {
+				return out
+			}
+			if err := os.WriteFile(sessionFile, []byte(hex.EncodeToString(b)), 0600); err != nil {
+				return out
+			}
+		}
+	}
+
+	dt, err := os.ReadFile(sessionFile)
+	if err == nil {
+		return string(dt)
+	}
+	return
+}

build/url.go

@@ -2,7 +2,7 @@ package build
 
 import (
 	"context"
-	"io/ioutil"
+	"os"
 	"path/filepath"
 
 	"github.com/docker/buildx/driver"
@@ -53,11 +53,11 @@ func createTempDockerfileFromURL(ctx context.Context, d driver.Driver, url strin
 		if err != nil {
 			return nil, err
 		}
-		dir, err := ioutil.TempDir("", "buildx")
+		dir, err := os.MkdirTemp("", "buildx")
 		if err != nil {
 			return nil, err
 		}
-		if err := ioutil.WriteFile(filepath.Join(dir, "Dockerfile"), dt, 0600); err != nil {
+		if err := os.WriteFile(filepath.Join(dir, "Dockerfile"), dt, 0600); err != nil {
 			return nil, err
 		}
 		out = dir

build/utils.go

@@ -7,6 +7,7 @@ import (
 	"os"
 	"strings"
 
+	"github.com/docker/cli/opts"
 	"github.com/pkg/errors"
 )
 
@@ -53,3 +54,15 @@ func toBuildkitExtraHosts(inp []string) (string, error) {
 	}
 	return strings.Join(hosts, ","), nil
 }
+
+// toBuildkitUlimits converts ulimits from docker type=soft:hard format to buildkit's csv format
+func toBuildkitUlimits(inp *opts.UlimitOpt) (string, error) {
+	if inp == nil || len(inp.GetList()) == 0 {
+		return "", nil
+	}
+	ulimits := make([]string, 0, len(inp.GetList()))
+	for _, ulimit := range inp.GetList() {
+		ulimits = append(ulimits, ulimit.String())
+	}
+	return strings.Join(ulimits, ","), nil
+}

cmd/buildx/main.go

@@ -15,13 +15,8 @@ import (
 	cliflags "github.com/docker/cli/cli/flags"
 	"github.com/moby/buildkit/solver/errdefs"
 	"github.com/moby/buildkit/util/stack"
-	"github.com/moby/buildkit/util/tracing/detect"
-	"go.opentelemetry.io/otel"
 
-	_ "github.com/moby/buildkit/util/tracing/detect/delegated"
-	_ "github.com/moby/buildkit/util/tracing/env"
-
-	// FIXME: "k8s.io/client-go/plugin/pkg/client/auth/azure" is excluded because of compilation error
+	_ "k8s.io/client-go/plugin/pkg/client/auth/azure"
 	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
 	_ "k8s.io/client-go/plugin/pkg/client/auth/oidc"
 	_ "k8s.io/client-go/plugin/pkg/client/auth/openstack"
@@ -29,77 +24,67 @@ import (
 	_ "github.com/docker/buildx/driver/docker"
 	_ "github.com/docker/buildx/driver/docker-container"
 	_ "github.com/docker/buildx/driver/kubernetes"
+	_ "github.com/docker/buildx/driver/remote"
 )
 
-var experimental string
-
 func init() {
 	seed.WithTimeAndRand()
 	stack.SetVersionInfo(version.Version, version.Revision)
+}
 
-	detect.ServiceName = "buildx"
-	// do not log tracing errors to stdio
-	otel.SetErrorHandler(skipErrors{})
+func runStandalone(cmd *command.DockerCli) error {
+	if err := cmd.Initialize(cliflags.NewClientOptions()); err != nil {
+		return err
+	}
+	rootCmd := commands.NewRootCmd(os.Args[0], false, cmd)
+	return rootCmd.Execute()
+}
+
+func runPlugin(cmd *command.DockerCli) error {
+	rootCmd := commands.NewRootCmd("buildx", true, cmd)
+	return plugin.RunPlugin(cmd, rootCmd, manager.Metadata{
+		SchemaVersion: "0.1.0",
+		Vendor:        "Docker Inc.",
+		Version:       version.Version,
+	})
 }
 
 func main() {
-	if os.Getenv("DOCKER_CLI_PLUGIN_ORIGINAL_CLI_COMMAND") == "" {
-		if len(os.Args) < 2 || os.Args[1] != manager.MetadataSubcommandName {
-			dockerCli, err := command.NewDockerCli()
-			if err != nil {
-				fmt.Fprintln(os.Stderr, err)
-				os.Exit(1)
-			}
-			opts := cliflags.NewClientOptions()
-			dockerCli.Initialize(opts)
-			rootCmd := commands.NewRootCmd(os.Args[0], false, dockerCli)
-			if err := rootCmd.Execute(); err != nil {
-				os.Exit(1)
-			}
-			os.Exit(0)
-		}
-	}
-
-	dockerCli, err := command.NewDockerCli()
+	cmd, err := command.NewDockerCli()
 	if err != nil {
 		fmt.Fprintln(os.Stderr, err)
 		os.Exit(1)
 	}
 
-	p := commands.NewRootCmd("buildx", true, dockerCli)
-	meta := manager.Metadata{
-		SchemaVersion: "0.1.0",
-		Vendor:        "Docker Inc.",
-		Version:       version.Version,
-		Experimental:  experimental != "",
+	if plugin.RunningStandalone() {
+		err = runStandalone(cmd)
+	} else {
+		err = runPlugin(cmd)
+	}
+	if err == nil {
+		return
 	}
 
-	if err := plugin.RunPlugin(dockerCli, p, meta); err != nil {
-		if sterr, ok := err.(cli.StatusError); ok {
-			if sterr.Status != "" {
-				fmt.Fprintln(dockerCli.Err(), sterr.Status)
-			}
-			// StatusError should only be used for errors, and all errors should
-			// have a non-zero exit status, so never exit with 0
-			if sterr.StatusCode == 0 {
-				os.Exit(1)
-			}
-			os.Exit(sterr.StatusCode)
+	if sterr, ok := err.(cli.StatusError); ok {
+		if sterr.Status != "" {
+			fmt.Fprintln(cmd.Err(), sterr.Status)
 		}
-		for _, s := range errdefs.Sources(err) {
-			s.Print(dockerCli.Err())
+		// StatusError should only be used for errors, and all errors should
+		// have a non-zero exit status, so never exit with 0
+		if sterr.StatusCode == 0 {
+			os.Exit(1)
 		}
-
-		if debug.IsEnabled() {
-			fmt.Fprintf(dockerCli.Err(), "error: %+v", stack.Formatter(err))
-		} else {
-			fmt.Fprintf(dockerCli.Err(), "error: %v\n", err)
-		}
-
-		os.Exit(1)
+		os.Exit(sterr.StatusCode)
 	}
+
+	for _, s := range errdefs.Sources(err) {
+		s.Print(cmd.Err())
+	}
+	if debug.IsEnabled() {
+		fmt.Fprintf(cmd.Err(), "ERROR: %+v", stack.Formatter(err))
+	} else {
+		fmt.Fprintf(cmd.Err(), "ERROR: %v\n", err)
+	}
+
+	os.Exit(1)
 }
-
-type skipErrors struct{}
-
-func (skipErrors) Handle(err error) {}

cmd/buildx/tracing.go

@@ -0,0 +1,19 @@
+package main
+
+import (
+	"github.com/moby/buildkit/util/tracing/detect"
+	"go.opentelemetry.io/otel"
+
+	_ "github.com/moby/buildkit/util/tracing/detect/delegated"
+	_ "github.com/moby/buildkit/util/tracing/env"
+)
+
+func init() {
+	detect.ServiceName = "buildx"
+	// do not log tracing errors to stdio
+	otel.SetErrorHandler(skipErrors{})
+}
+
+type skipErrors struct{}
+
+func (skipErrors) Handle(err error) {}

commands/bake.go

@@ -6,12 +6,13 @@ import (
 	"fmt"
 	"os"
 
+	"github.com/containerd/containerd/platforms"
 	"github.com/docker/buildx/bake"
 	"github.com/docker/buildx/build"
+	"github.com/docker/buildx/util/confutil"
 	"github.com/docker/buildx/util/progress"
 	"github.com/docker/buildx/util/tracing"
 	"github.com/docker/cli/cli/command"
-	"github.com/docker/docker/pkg/ioutils"
 	"github.com/moby/buildkit/util/appcontext"
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
@@ -19,8 +20,8 @@ import (
 
 type bakeOptions struct {
 	files     []string
-	printOnly bool
 	overrides []string
+	printOnly bool
 	commonOptions
 }
 
@@ -46,7 +47,6 @@ func runBake(dockerCli command.Cli, targets []string, in bakeOptions) (err error
 				if bake.IsRemoteURL(targets[0]) {
 					cmdContext = targets[0]
 					targets = targets[1:]
-
 				}
 			}
 		}
@@ -61,7 +61,7 @@ func runBake(dockerCli command.Cli, targets []string, in bakeOptions) (err error
 		if in.exportLoad {
 			return errors.Errorf("push and load may not be set together at the moment")
 		}
-		overrides = append(overrides, "*.output=type=registry")
+		overrides = append(overrides, "*.push=true")
 	} else if in.exportLoad {
 		overrides = append(overrides, "*.output=type=docker")
 	}
@@ -75,7 +75,7 @@ func runBake(dockerCli command.Cli, targets []string, in bakeOptions) (err error
 
 	ctx2, cancel := context.WithCancel(context.TODO())
 	defer cancel()
-	printer := progress.NewPrinter(ctx2, os.Stderr, in.progress)
+	printer := progress.NewPrinter(ctx2, os.Stderr, os.Stderr, in.progress)
 
 	defer func() {
 		if printer != nil {
@@ -103,21 +103,36 @@ func runBake(dockerCli command.Cli, targets []string, in bakeOptions) (err error
 		return err
 	}
 
-	m, err := bake.ReadTargets(ctx, files, targets, overrides, map[string]string{
-		"BAKE_CMD_CONTEXT": cmdContext,
+	tgts, grps, err := bake.ReadTargets(ctx, files, targets, overrides, map[string]string{
+		// don't forget to update documentation if you add a new
+		// built-in variable: docs/guides/bake/file-definition.md#built-in-variables
+		"BAKE_CMD_CONTEXT":    cmdContext,
+		"BAKE_LOCAL_PLATFORM": platforms.DefaultString(),
 	})
 	if err != nil {
 		return err
 	}
 
 	// this function can update target context string from the input so call before printOnly check
-	bo, err := bake.TargetsToBuildOpt(m, inp)
+	bo, err := bake.TargetsToBuildOpt(tgts, inp)
 	if err != nil {
 		return err
 	}
 
 	if in.printOnly {
-		dt, err := json.MarshalIndent(map[string]map[string]*bake.Target{"target": m}, "", "  ")
+		var defg map[string]*bake.Group
+		if len(grps) == 1 {
+			defg = map[string]*bake.Group{
+				"default": grps[0],
+			}
+		}
+		dt, err := json.MarshalIndent(struct {
+			Group  map[string]*bake.Group  `json:"group,omitempty"`
+			Target map[string]*bake.Target `json:"target"`
+		}{
+			defg,
+			tgts,
+		}, "", "  ")
 		if err != nil {
 			return err
 		}
@@ -130,21 +145,17 @@ func runBake(dockerCli command.Cli, targets []string, in bakeOptions) (err error
 		return nil
 	}
 
-	resp, err := build.Build(ctx, dis, bo, dockerAPI(dockerCli), dockerCli.ConfigFile(), printer)
+	resp, err := build.Build(ctx, dis, bo, dockerAPI(dockerCli), confutil.ConfigDir(dockerCli), printer)
 	if err != nil {
-		return err
+		return wrapBuildError(err, true)
 	}
 
-	if len(in.metadataFile) > 0 && resp != nil {
-		mdata := map[string]map[string]string{}
-		for k, r := range resp {
-			mdata[k] = r.ExporterResponse
+	if len(in.metadataFile) > 0 {
+		dt := make(map[string]interface{})
+		for t, r := range resp {
+			dt[t] = decodeExporterResponse(r.ExporterResponse)
 		}
-		mdatab, err := json.MarshalIndent(mdata, "", "  ")
-		if err != nil {
-			return err
-		}
-		if err := ioutils.AtomicWriteFile(in.metadataFile, mdatab, 0644); err != nil {
+		if err := writeMetadataFile(in.metadataFile, dt); err != nil {
 			return err
 		}
 	}
@@ -175,10 +186,10 @@ func bakeCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
 	flags := cmd.Flags()
 
 	flags.StringArrayVarP(&options.files, "file", "f", []string{}, "Build definition file")
+	flags.BoolVar(&options.exportLoad, "load", false, `Shorthand for "--set=*.output=type=docker"`)
 	flags.BoolVar(&options.printOnly, "print", false, "Print the options without building")
-	flags.StringArrayVar(&options.overrides, "set", nil, "Override target value (eg: targetpattern.key=value)")
-	flags.BoolVar(&options.exportPush, "push", false, "Shorthand for --set=*.output=type=registry")
-	flags.BoolVar(&options.exportLoad, "load", false, "Shorthand for --set=*.output=type=docker")
+	flags.BoolVar(&options.exportPush, "push", false, `Shorthand for "--set=*.output=type=registry"`)
+	flags.StringArrayVar(&options.overrides, "set", nil, `Override target value (e.g., "targetpattern.key=value")`)
 
 	commonBuildFlags(&options.commonOptions, flags)
 

commands/build.go

@@ -1,79 +1,85 @@
 package commands
 
 import (
+	"bytes"
 	"context"
+	"encoding/base64"
+	"encoding/csv"
 	"encoding/json"
+	"fmt"
+	"io"
 	"os"
 	"path/filepath"
+	"strconv"
 	"strings"
+	"sync"
 
+	"github.com/containerd/console"
 	"github.com/docker/buildx/build"
+	"github.com/docker/buildx/monitor"
 	"github.com/docker/buildx/util/buildflags"
+	"github.com/docker/buildx/util/confutil"
 	"github.com/docker/buildx/util/platformutil"
 	"github.com/docker/buildx/util/progress"
 	"github.com/docker/buildx/util/tracing"
+	"github.com/docker/cli-docs-tool/annotation"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/config"
+	dockeropts "github.com/docker/cli/opts"
+	"github.com/docker/distribution/reference"
 	"github.com/docker/docker/pkg/ioutils"
+	"github.com/docker/go-units"
 	"github.com/moby/buildkit/client"
 	"github.com/moby/buildkit/session/auth/authprovider"
+	"github.com/moby/buildkit/solver/errdefs"
 	"github.com/moby/buildkit/util/appcontext"
+	"github.com/moby/buildkit/util/grpcerrors"
+	"github.com/morikuni/aec"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
+	"google.golang.org/grpc/codes"
 )
 
 const defaultTargetName = "default"
 
 type buildOptions struct {
-	commonOptions
 	contextPath    string
 	dockerfileName string
-	tags           []string
-	labels         []string
-	buildArgs      []string
 
-	cacheFrom   []string
-	cacheTo     []string
-	target      string
-	platforms   []string
-	secrets     []string
-	ssh         []string
-	outputs     []string
-	imageIDFile string
-	extraHosts  []string
-	networkMode string
-
-	// unimplemented
-	squash bool
-	quiet  bool
-
-	allow []string
-
-	// hidden
-	// untrusted   bool
-	// ulimits        *opts.UlimitOpt
-	// memory         opts.MemBytes
-	// memorySwap     opts.MemSwapBytes
-	// shmSize        opts.MemBytes
-	// cpuShares      int64
-	// cpuPeriod      int64
-	// cpuQuota       int64
-	// cpuSetCpus     string
-	// cpuSetMems     string
-	// cgroupParent   string
-	// isolation      string
-	// compress    bool
-	// securityOpt []string
+	allow         []string
+	buildArgs     []string
+	cacheFrom     []string
+	cacheTo       []string
+	cgroupParent  string
+	contexts      []string
+	extraHosts    []string
+	imageIDFile   string
+	labels        []string
+	networkMode   string
+	noCacheFilter []string
+	outputs       []string
+	platforms     []string
+	quiet         bool
+	secrets       []string
+	shmSize       dockeropts.MemBytes
+	ssh           []string
+	tags          []string
+	target        string
+	ulimits       *dockeropts.UlimitOpt
+	invoke        string
+	commonOptions
 }
 
 type commonOptions struct {
 	builder      string
+	metadataFile string
 	noCache      *bool
 	progress     string
 	pull         *bool
-	metadataFile string
+
 	// golangci-lint#826
 	// nolint:structcheck
 	exportPush bool
@@ -82,13 +88,6 @@ type commonOptions struct {
 }
 
 func runBuild(dockerCli command.Cli, in buildOptions) (err error) {
-	if in.squash {
-		return errors.Errorf("squash currently not implemented")
-	}
-	if in.quiet {
-		logrus.Warnf("quiet currently not implemented")
-	}
-
 	ctx := appcontext.Context()
 
 	ctx, end, err := tracing.TraceCurrentCommand(ctx, "build")
@@ -108,21 +107,40 @@ func runBuild(dockerCli command.Cli, in buildOptions) (err error) {
 		pull = *in.pull
 	}
 
+	if noCache && len(in.noCacheFilter) > 0 {
+		return errors.Errorf("--no-cache and --no-cache-filter cannot currently be used together")
+	}
+
+	if in.quiet && in.progress != "auto" && in.progress != "quiet" {
+		return errors.Errorf("progress=%s and quiet cannot be used together", in.progress)
+	} else if in.quiet {
+		in.progress = "quiet"
+	}
+
+	contexts, err := parseContextNames(in.contexts)
+	if err != nil {
+		return err
+	}
+
 	opts := build.Options{
 		Inputs: build.Inputs{
 			ContextPath:    in.contextPath,
 			DockerfilePath: in.dockerfileName,
 			InStream:       os.Stdin,
+			NamedContexts:  contexts,
 		},
-		Tags:        in.tags,
-		Labels:      listToMap(in.labels, false),
-		BuildArgs:   listToMap(in.buildArgs, true),
-		Pull:        pull,
-		NoCache:     noCache,
-		Target:      in.target,
-		ImageIDFile: in.imageIDFile,
-		ExtraHosts:  in.extraHosts,
-		NetworkMode: in.networkMode,
+		BuildArgs:     listToMap(in.buildArgs, true),
+		ExtraHosts:    in.extraHosts,
+		ImageIDFile:   in.imageIDFile,
+		Labels:        listToMap(in.labels, false),
+		NetworkMode:   in.networkMode,
+		NoCache:       noCache,
+		NoCacheFilter: in.noCacheFilter,
+		Pull:          pull,
+		ShmSize:       in.shmSize,
+		Tags:          in.tags,
+		Target:        in.target,
+		Ulimits:       in.ulimits,
 	}
 
 	platforms, err := platformutil.Parse(in.platforms)
@@ -131,7 +149,8 @@ func runBuild(dockerCli command.Cli, in buildOptions) (err error) {
 	}
 	opts.Platforms = platforms
 
-	opts.Session = append(opts.Session, authprovider.NewDockerAuthProvider(os.Stderr))
+	dockerConfig := config.LoadDefaultConfigFile(os.Stderr)
+	opts.Session = append(opts.Session, authprovider.NewDockerAuthProvider(dockerConfig))
 
 	secrets, err := buildflags.ParseSecretSpecs(in.secrets)
 	if err != nil {
@@ -214,43 +233,182 @@ func runBuild(dockerCli command.Cli, in buildOptions) (err error) {
 		contextPathHash = in.contextPath
 	}
 
-	return buildTargets(ctx, dockerCli, map[string]build.Options{defaultTargetName: opts}, in.progress, contextPathHash, in.builder, in.metadataFile)
-}
-
-func buildTargets(ctx context.Context, dockerCli command.Cli, opts map[string]build.Options, progressMode, contextPathHash, instance string, metadataFile string) error {
-	dis, err := getInstanceOrDefault(ctx, dockerCli, instance, contextPathHash)
+	imageID, res, err := buildTargets(ctx, dockerCli, map[string]build.Options{defaultTargetName: opts}, in.progress, contextPathHash, in.builder, in.metadataFile)
+	err = wrapBuildError(err, false)
 	if err != nil {
 		return err
 	}
 
+	if in.invoke != "" {
+		cfg, err := parseInvokeConfig(in.invoke)
+		if err != nil {
+			return err
+		}
+		cfg.ResultCtx = res
+		con := console.Current()
+		if err := con.SetRaw(); err != nil {
+			return errors.Errorf("failed to configure terminal: %v", err)
+		}
+		err = monitor.RunMonitor(ctx, cfg, func(ctx context.Context) (*build.ResultContext, error) {
+			_, rr, err := buildTargets(ctx, dockerCli, map[string]build.Options{defaultTargetName: opts}, in.progress, contextPathHash, in.builder, in.metadataFile)
+			return rr, err
+		}, io.NopCloser(os.Stdin), nopCloser{os.Stdout}, nopCloser{os.Stderr})
+		if err != nil {
+			logrus.Warnf("failed to run monitor: %v", err)
+		}
+		con.Reset()
+	}
+
+	if in.quiet {
+		fmt.Println(imageID)
+	}
+	return nil
+}
+
+type nopCloser struct {
+	io.WriteCloser
+}
+
+func (c nopCloser) Close() error { return nil }
+
+func buildTargets(ctx context.Context, dockerCli command.Cli, opts map[string]build.Options, progressMode, contextPathHash, instance string, metadataFile string) (imageID string, res *build.ResultContext, err error) {
+	dis, err := getInstanceOrDefault(ctx, dockerCli, instance, contextPathHash)
+	if err != nil {
+		return "", nil, err
+	}
+
 	ctx2, cancel := context.WithCancel(context.TODO())
 	defer cancel()
-	printer := progress.NewPrinter(ctx2, os.Stderr, progressMode)
 
-	resp, err := build.Build(ctx, dis, opts, dockerAPI(dockerCli), dockerCli.ConfigFile(), printer)
+	printer := progress.NewPrinter(ctx2, os.Stderr, os.Stderr, progressMode)
+
+	var mu sync.Mutex
+	var idx int
+	resp, err := build.BuildWithResultHandler(ctx, dis, opts, dockerAPI(dockerCli), confutil.ConfigDir(dockerCli), printer, func(driverIndex int, gotRes *build.ResultContext) {
+		mu.Lock()
+		defer mu.Unlock()
+		if res == nil || driverIndex < idx {
+			idx, res = driverIndex, gotRes
+		}
+	})
 	err1 := printer.Wait()
 	if err == nil {
 		err = err1
 	}
 	if err != nil {
-		return err
+		return "", nil, err
 	}
 
 	if len(metadataFile) > 0 && resp != nil {
-		mdatab, err := json.MarshalIndent(resp[defaultTargetName].ExporterResponse, "", "  ")
-		if err != nil {
-			return err
-		}
-		if err := ioutils.AtomicWriteFile(metadataFile, mdatab, 0644); err != nil {
-			return err
+		if err := writeMetadataFile(metadataFile, decodeExporterResponse(resp[defaultTargetName].ExporterResponse)); err != nil {
+			return "", nil, err
 		}
 	}
 
-	return err
+	printWarnings(os.Stderr, printer.Warnings(), progressMode)
+
+	return resp[defaultTargetName].ExporterResponse["containerimage.digest"], res, err
+}
+
+func parseInvokeConfig(invoke string) (cfg build.ContainerConfig, err error) {
+	csvReader := csv.NewReader(strings.NewReader(invoke))
+	fields, err := csvReader.Read()
+	if err != nil {
+		return cfg, err
+	}
+	cfg.Tty = true
+	if len(fields) == 1 && !strings.Contains(fields[0], "=") {
+		cfg.Args = []string{fields[0]}
+		return cfg, nil
+	}
+	var entrypoint string
+	var args []string
+	for _, field := range fields {
+		parts := strings.SplitN(field, "=", 2)
+		if len(parts) != 2 {
+			return cfg, errors.Errorf("invalid value %s", field)
+		}
+		key := strings.ToLower(parts[0])
+		value := parts[1]
+		switch key {
+		case "args":
+			args = append(args, value) // TODO: support JSON
+		case "entrypoint":
+			entrypoint = value // TODO: support JSON
+		case "env":
+			cfg.Env = append(cfg.Env, value)
+		case "user":
+			cfg.User = value
+		case "cwd":
+			cfg.Cwd = value
+		case "tty":
+			cfg.Tty, err = strconv.ParseBool(value)
+			if err != nil {
+				return cfg, errors.Errorf("failed to parse tty: %v", err)
+			}
+		default:
+			return cfg, errors.Errorf("unknown key %q", key)
+		}
+	}
+	cfg.Args = args
+	if entrypoint != "" {
+		cfg.Args = append([]string{entrypoint}, cfg.Args...)
+	}
+	if len(cfg.Args) == 0 {
+		cfg.Args = []string{"sh"}
+	}
+	return cfg, nil
+}
+
+func printWarnings(w io.Writer, warnings []client.VertexWarning, mode string) {
+	if len(warnings) == 0 || mode == progress.PrinterModeQuiet {
+		return
+	}
+	fmt.Fprintf(w, "\n ")
+	sb := &bytes.Buffer{}
+	if len(warnings) == 1 {
+		fmt.Fprintf(sb, "1 warning found")
+	} else {
+		fmt.Fprintf(sb, "%d warnings found", len(warnings))
+	}
+	if logrus.GetLevel() < logrus.DebugLevel {
+		fmt.Fprintf(sb, " (use --debug to expand)")
+	}
+	fmt.Fprintf(sb, ":\n")
+	fmt.Fprint(w, aec.Apply(sb.String(), aec.YellowF))
+
+	for _, warn := range warnings {
+		fmt.Fprintf(w, " - %s\n", warn.Short)
+		if logrus.GetLevel() < logrus.DebugLevel {
+			continue
+		}
+		for _, d := range warn.Detail {
+			fmt.Fprintf(w, "%s\n", d)
+		}
+		if warn.URL != "" {
+			fmt.Fprintf(w, "More info: %s\n", warn.URL)
+		}
+		if warn.SourceInfo != nil && warn.Range != nil {
+			src := errdefs.Source{
+				Info:   warn.SourceInfo,
+				Ranges: warn.Range,
+			}
+			src.Print(w)
+		}
+		fmt.Fprintf(w, "\n")
+
+	}
+}
+
+func newBuildOptions() buildOptions {
+	ulimits := make(map[string]*units.Ulimit)
+	return buildOptions{
+		ulimits: dockeropts.NewUlimitOpt(&ulimits),
+	}
 }
 
 func buildCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
-	var options buildOptions
+	options := newBuildOptions()
 
 	cmd := &cobra.Command{
 		Use:     "build [OPTIONS] PATH | URL | -",
@@ -260,103 +418,144 @@ func buildCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
 		RunE: func(cmd *cobra.Command, args []string) error {
 			options.contextPath = args[0]
 			options.builder = rootOpts.builder
+			cmd.Flags().VisitAll(checkWarnedFlags)
 			return runBuild(dockerCli, options)
 		},
 	}
 
+	var platformsDefault []string
+	if v := os.Getenv("DOCKER_DEFAULT_PLATFORM"); v != "" {
+		platformsDefault = []string{v}
+	}
+
 	flags := cmd.Flags()
 
-	flags.BoolVar(&options.exportPush, "push", false, "Shorthand for --output=type=registry")
-	flags.BoolVar(&options.exportLoad, "load", false, "Shorthand for --output=type=docker")
+	flags.StringSliceVar(&options.extraHosts, "add-host", []string{}, `Add a custom host-to-IP mapping (format: "host:ip")`)
+	flags.SetAnnotation("add-host", annotation.ExternalURL, []string{"https://docs.docker.com/engine/reference/commandline/build/#add-entries-to-container-hosts-file---add-host"})
+
+	flags.StringSliceVar(&options.allow, "allow", []string{}, `Allow extra privileged entitlement (e.g., "network.host", "security.insecure")`)
 
-	flags.StringArrayVarP(&options.tags, "tag", "t", []string{}, "Name and optionally a tag in the 'name:tag' format")
-	flags.SetAnnotation("tag", "docs.external.url", []string{"https://docs.docker.com/engine/reference/commandline/build/#tag-an-image--t"})
 	flags.StringArrayVar(&options.buildArgs, "build-arg", []string{}, "Set build-time variables")
-	flags.SetAnnotation("build-arg", "docs.external.url", []string{"https://docs.docker.com/engine/reference/commandline/build/#set-build-time-variables---build-arg"})
 
-	flags.StringVarP(&options.dockerfileName, "file", "f", "", "Name of the Dockerfile (Default is 'PATH/Dockerfile')")
-	flags.SetAnnotation("file", "docs.external.url", []string{"https://docs.docker.com/engine/reference/commandline/build/#specify-a-dockerfile--f"})
+	flags.StringArrayVar(&options.cacheFrom, "cache-from", []string{}, `External cache sources (e.g., "user/app:cache", "type=local,src=path/to/dir")`)
+
+	flags.StringArrayVar(&options.cacheTo, "cache-to", []string{}, `Cache export destinations (e.g., "user/app:cache", "type=local,dest=path/to/dir")`)
+
+	flags.StringVar(&options.cgroupParent, "cgroup-parent", "", "Optional parent cgroup for the container")
+	flags.SetAnnotation("cgroup-parent", annotation.ExternalURL, []string{"https://docs.docker.com/engine/reference/commandline/build/#use-a-custom-parent-cgroup---cgroup-parent"})
+
+	flags.StringArrayVar(&options.contexts, "build-context", []string{}, "Additional build contexts (e.g., name=path)")
+
+	flags.StringVarP(&options.dockerfileName, "file", "f", "", `Name of the Dockerfile (default: "PATH/Dockerfile")`)
+	flags.SetAnnotation("file", annotation.ExternalURL, []string{"https://docs.docker.com/engine/reference/commandline/build/#specify-a-dockerfile--f"})
+
+	flags.StringVar(&options.imageIDFile, "iidfile", "", "Write the image ID to the file")
 
 	flags.StringArrayVar(&options.labels, "label", []string{}, "Set metadata for an image")
 
-	flags.StringArrayVar(&options.cacheFrom, "cache-from", []string{}, "External cache sources (eg. user/app:cache, type=local,src=path/to/dir)")
-	flags.StringArrayVar(&options.cacheTo, "cache-to", []string{}, "Cache export destinations (eg. user/app:cache, type=local,dest=path/to/dir)")
+	flags.BoolVar(&options.exportLoad, "load", false, `Shorthand for "--output=type=docker"`)
 
-	flags.StringVar(&options.target, "target", "", "Set the target build stage to build.")
-	flags.SetAnnotation("target", "docs.external.url", []string{"https://docs.docker.com/engine/reference/commandline/build/#specifying-target-build-stage---target"})
+	flags.StringVar(&options.networkMode, "network", "default", `Set the networking mode for the "RUN" instructions during build`)
 
-	flags.StringSliceVar(&options.allow, "allow", []string{}, "Allow extra privileged entitlement, e.g. network.host, security.insecure")
+	flags.StringArrayVar(&options.noCacheFilter, "no-cache-filter", []string{}, "Do not cache specified stages")
+
+	flags.StringArrayVarP(&options.outputs, "output", "o", []string{}, `Output destination (format: "type=local,dest=path")`)
+
+	flags.StringArrayVar(&options.platforms, "platform", platformsDefault, "Set target platform for build")
+
+	flags.BoolVar(&options.exportPush, "push", false, `Shorthand for "--output=type=registry"`)
 
-	// not implemented
 	flags.BoolVarP(&options.quiet, "quiet", "q", false, "Suppress the build output and print image ID on success")
-	flags.StringVar(&options.networkMode, "network", "default", "Set the networking mode for the RUN instructions during build")
-	flags.StringSliceVar(&options.extraHosts, "add-host", []string{}, "Add a custom host-to-IP mapping (host:ip)")
-	flags.SetAnnotation("add-host", "docs.external.url", []string{"https://docs.docker.com/engine/reference/commandline/build/#add-entries-to-container-hosts-file---add-host"})
-	flags.StringVar(&options.imageIDFile, "iidfile", "", "Write the image ID to the file")
-	flags.BoolVar(&options.squash, "squash", false, "Squash newly built layers into a single new layer")
-	flags.MarkHidden("quiet")
-	flags.MarkHidden("squash")
+
+	flags.StringArrayVar(&options.secrets, "secret", []string{}, `Secret to expose to the build (format: "id=mysecret[,src=/local/secret]")`)
+
+	flags.Var(&options.shmSize, "shm-size", `Size of "/dev/shm"`)
+
+	flags.StringArrayVar(&options.ssh, "ssh", []string{}, `SSH agent socket or keys to expose to the build (format: "default|<id>[=<socket>|<key>[,<key>]]")`)
+
+	flags.StringArrayVarP(&options.tags, "tag", "t", []string{}, `Name and optionally a tag (format: "name:tag")`)
+	flags.SetAnnotation("tag", annotation.ExternalURL, []string{"https://docs.docker.com/engine/reference/commandline/build/#tag-an-image--t"})
+
+	flags.StringVar(&options.target, "target", "", "Set the target build stage to build")
+	flags.SetAnnotation("target", annotation.ExternalURL, []string{"https://docs.docker.com/engine/reference/commandline/build/#specifying-target-build-stage---target"})
+
+	flags.Var(options.ulimits, "ulimit", "Ulimit options")
+
+	if os.Getenv("BUILDX_EXPERIMENTAL") == "1" {
+		flags.StringVar(&options.invoke, "invoke", "", "Invoke a command after the build. BUILDX_EXPERIMENTAL=1 is required.")
+	}
 
 	// hidden flags
 	var ignore string
 	var ignoreSlice []string
 	var ignoreBool bool
 	var ignoreInt int64
-	flags.StringVar(&ignore, "ulimit", "", "Ulimit options")
-	flags.MarkHidden("ulimit")
-	flags.StringSliceVar(&ignoreSlice, "security-opt", []string{}, "Security options")
-	flags.MarkHidden("security-opt")
+
 	flags.BoolVar(&ignoreBool, "compress", false, "Compress the build context using gzip")
 	flags.MarkHidden("compress")
-	flags.StringVarP(&ignore, "memory", "m", "", "Memory limit")
-	flags.MarkHidden("memory")
-	flags.StringVar(&ignore, "memory-swap", "", "Swap limit equal to memory plus swap: '-1' to enable unlimited swap")
-	flags.MarkHidden("memory-swap")
-	flags.StringVar(&ignore, "shm-size", "", "Size of /dev/shm")
-	flags.MarkHidden("shm-size")
-	flags.Int64VarP(&ignoreInt, "cpu-shares", "c", 0, "CPU shares (relative weight)")
-	flags.MarkHidden("cpu-shares")
-	flags.Int64Var(&ignoreInt, "cpu-period", 0, "Limit the CPU CFS (Completely Fair Scheduler) period")
-	flags.MarkHidden("cpu-period")
-	flags.Int64Var(&ignoreInt, "cpu-quota", 0, "Limit the CPU CFS (Completely Fair Scheduler) quota")
-	flags.MarkHidden("cpu-quota")
-	flags.StringVar(&ignore, "cpuset-cpus", "", "CPUs in which to allow execution (0-3, 0,1)")
-	flags.MarkHidden("cpuset-cpus")
-	flags.StringVar(&ignore, "cpuset-mems", "", "MEMs in which to allow execution (0-3, 0,1)")
-	flags.MarkHidden("cpuset-mems")
-	flags.StringVar(&ignore, "cgroup-parent", "", "Optional parent cgroup for the container")
-	flags.MarkHidden("cgroup-parent")
+
 	flags.StringVar(&ignore, "isolation", "", "Container isolation technology")
 	flags.MarkHidden("isolation")
+	flags.SetAnnotation("isolation", "flag-warn", []string{"isolation flag is deprecated with BuildKit."})
+
+	flags.StringSliceVar(&ignoreSlice, "security-opt", []string{}, "Security options")
+	flags.MarkHidden("security-opt")
+	flags.SetAnnotation("security-opt", "flag-warn", []string{`security-opt flag is deprecated. "RUN --security=insecure" should be used with BuildKit.`})
+
+	flags.BoolVar(&ignoreBool, "squash", false, "Squash newly built layers into a single new layer")
+	flags.MarkHidden("squash")
+	flags.SetAnnotation("squash", "flag-warn", []string{"experimental flag squash is removed with BuildKit. You should squash inside build using a multi-stage Dockerfile for efficiency."})
+
+	flags.StringVarP(&ignore, "memory", "m", "", "Memory limit")
+	flags.MarkHidden("memory")
+
+	flags.StringVar(&ignore, "memory-swap", "", `Swap limit equal to memory plus swap: "-1" to enable unlimited swap`)
+	flags.MarkHidden("memory-swap")
+
+	flags.Int64VarP(&ignoreInt, "cpu-shares", "c", 0, "CPU shares (relative weight)")
+	flags.MarkHidden("cpu-shares")
+
+	flags.Int64Var(&ignoreInt, "cpu-period", 0, "Limit the CPU CFS (Completely Fair Scheduler) period")
+	flags.MarkHidden("cpu-period")
+
+	flags.Int64Var(&ignoreInt, "cpu-quota", 0, "Limit the CPU CFS (Completely Fair Scheduler) quota")
+	flags.MarkHidden("cpu-quota")
+
+	flags.StringVar(&ignore, "cpuset-cpus", "", `CPUs in which to allow execution ("0-3", "0,1")`)
+	flags.MarkHidden("cpuset-cpus")
+
+	flags.StringVar(&ignore, "cpuset-mems", "", `MEMs in which to allow execution ("0-3", "0,1")`)
+	flags.MarkHidden("cpuset-mems")
+
 	flags.BoolVar(&ignoreBool, "rm", true, "Remove intermediate containers after a successful build")
 	flags.MarkHidden("rm")
+
 	flags.BoolVar(&ignoreBool, "force-rm", false, "Always remove intermediate containers")
 	flags.MarkHidden("force-rm")
 
-	platformsDefault := []string{}
-	if v := os.Getenv("DOCKER_DEFAULT_PLATFORM"); v != "" {
-		platformsDefault = []string{v}
-	}
-	flags.StringArrayVar(&options.platforms, "platform", platformsDefault, "Set target platform for build")
-
-	flags.StringArrayVar(&options.secrets, "secret", []string{}, "Secret file to expose to the build: id=mysecret,src=/local/secret")
-
-	flags.StringArrayVar(&options.ssh, "ssh", []string{}, "SSH agent socket or keys to expose to the build (format: default|<id>[=<socket>|<key>[,<key>]])")
-
-	flags.StringArrayVarP(&options.outputs, "output", "o", []string{}, "Output destination (format: type=local,dest=path)")
-
 	commonBuildFlags(&options.commonOptions, flags)
-
 	return cmd
 }
 
 func commonBuildFlags(options *commonOptions, flags *pflag.FlagSet) {
 	options.noCache = flags.Bool("no-cache", false, "Do not use cache when building the image")
-	flags.StringVar(&options.progress, "progress", "auto", "Set type of progress output (auto, plain, tty). Use plain to show container output")
-	options.pull = flags.Bool("pull", false, "Always attempt to pull a newer version of the image")
+	flags.StringVar(&options.progress, "progress", "auto", `Set type of progress output ("auto", "plain", "tty"). Use plain to show container output`)
+	options.pull = flags.Bool("pull", false, "Always attempt to pull all referenced images")
 	flags.StringVar(&options.metadataFile, "metadata-file", "", "Write build result metadata to the file")
 }
 
+func checkWarnedFlags(f *pflag.Flag) {
+	if !f.Changed {
+		return
+	}
+	for t, m := range f.Annotations {
+		switch t {
+		case "flag-warn":
+			logrus.Warn(m[0])
+		}
+	}
+}
+
 func listToMap(values []string, defaultEnv bool) map[string]string {
 	result := make(map[string]string, len(values))
 	for _, value := range values {
@@ -376,3 +575,80 @@ func listToMap(values []string, defaultEnv bool) map[string]string {
 	}
 	return result
 }
+
+func parseContextNames(values []string) (map[string]build.NamedContext, error) {
+	if len(values) == 0 {
+		return nil, nil
+	}
+	result := make(map[string]build.NamedContext, len(values))
+	for _, value := range values {
+		kv := strings.SplitN(value, "=", 2)
+		if len(kv) != 2 {
+			return nil, errors.Errorf("invalid context value: %s, expected key=value", value)
+		}
+		named, err := reference.ParseNormalizedNamed(kv[0])
+		if err != nil {
+			return nil, errors.Wrapf(err, "invalid context name %s", kv[0])
+		}
+		name := strings.TrimSuffix(reference.FamiliarString(named), ":latest")
+		result[name] = build.NamedContext{Path: kv[1]}
+	}
+	return result, nil
+}
+
+func writeMetadataFile(filename string, dt interface{}) error {
+	b, err := json.MarshalIndent(dt, "", "  ")
+	if err != nil {
+		return err
+	}
+	return ioutils.AtomicWriteFile(filename, b, 0644)
+}
+
+func decodeExporterResponse(exporterResponse map[string]string) map[string]interface{} {
+	out := make(map[string]interface{})
+	for k, v := range exporterResponse {
+		dt, err := base64.StdEncoding.DecodeString(v)
+		if err != nil {
+			out[k] = v
+			continue
+		}
+		var raw map[string]interface{}
+		if err = json.Unmarshal(dt, &raw); err != nil || len(raw) == 0 {
+			out[k] = v
+			continue
+		}
+		out[k] = json.RawMessage(dt)
+	}
+	return out
+}
+
+func wrapBuildError(err error, bake bool) error {
+	if err == nil {
+		return nil
+	}
+	st, ok := grpcerrors.AsGRPCStatus(err)
+	if ok {
+		if st.Code() == codes.Unimplemented && strings.Contains(st.Message(), "unsupported frontend capability moby.buildkit.frontend.contexts") {
+			msg := "current frontend does not support --build-context."
+			if bake {
+				msg = "current frontend does not support defining additional contexts for targets."
+			}
+			msg += " Named contexts are supported since Dockerfile v1.4. Use #syntax directive in Dockerfile or update to latest BuildKit."
+			return &wrapped{err, msg}
+		}
+	}
+	return err
+}
+
+type wrapped struct {
+	err error
+	msg string
+}
+
+func (w *wrapped) Error() string {
+	return w.msg
+}
+
+func (w *wrapped) Unwrap() error {
+	return w.err
+}

commands/create.go

@@ -1,14 +1,20 @@
 package commands
 
 import (
+	"bytes"
+	"context"
 	"encoding/csv"
 	"fmt"
 	"net/url"
 	"os"
 	"strings"
+	"time"
 
 	"github.com/docker/buildx/driver"
 	"github.com/docker/buildx/store"
+	"github.com/docker/buildx/store/storeutil"
+	"github.com/docker/buildx/util/cobrautil"
+	"github.com/docker/buildx/util/confutil"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/google/shlex"
@@ -29,6 +35,7 @@ type createOptions struct {
 	flags        string
 	configFile   string
 	driverOpts   []string
+	bootstrap    bool
 	// upgrade      bool // perform upgrade of the driver
 }
 
@@ -54,23 +61,33 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 		}
 	}
 
+	buildkitHost := os.Getenv("BUILDKIT_HOST")
+
 	driverName := in.driver
 	if driverName == "" {
-		f, err := driver.GetDefaultFactory(ctx, dockerCli.Client(), true)
-		if err != nil {
-			return err
+		if len(args) == 0 && buildkitHost != "" {
+			driverName = "remote"
+		} else {
+			var arg string
+			if len(args) > 0 {
+				arg = args[0]
+			}
+			f, err := driver.GetDefaultFactory(ctx, arg, dockerCli.Client(), true)
+			if err != nil {
+				return err
+			}
+			if f == nil {
+				return errors.Errorf("no valid drivers found")
+			}
+			driverName = f.Name()
 		}
-		if f == nil {
-			return errors.Errorf("no valid drivers found")
-		}
-		driverName = f.Name()
 	}
 
 	if driver.GetFactory(driverName, true) == nil {
 		return errors.Errorf("failed to find driver %q", in.driver)
 	}
 
-	txn, release, err := getStore(dockerCli)
+	txn, release, err := storeutil.GetStore(dockerCli)
 	if err != nil {
 		return err
 	}
@@ -84,6 +101,19 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 		}
 	}
 
+	if !in.actionLeave && !in.actionAppend {
+		contexts, err := dockerCli.ContextStore().List()
+		if err != nil {
+			return err
+		}
+		for _, c := range contexts {
+			if c.Name == name {
+				logrus.Warnf("instance name %q already exists as context builder", name)
+				break
+			}
+		}
+	}
+
 	ng, err := txn.NodeGroupByName(name)
 	if err != nil {
 		if os.IsNotExist(errors.Cause(err)) {
@@ -104,6 +134,11 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 		}
 	}
 
+	ngOriginal := ng
+	if ngOriginal != nil {
+		ngOriginal = ngOriginal.Copy()
+	}
+
 	if ng == nil {
 		ng = &store.NodeGroup{
 			Name: name,
@@ -123,44 +158,69 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 	}
 
 	var ep string
+	var setEp bool
 	if in.actionLeave {
 		if err := ng.Leave(in.nodeName); err != nil {
 			return err
 		}
 	} else {
-		if len(args) > 0 {
-			ep, err = validateEndpoint(dockerCli, args[0])
-			if err != nil {
-				return err
-			}
-		} else {
-			if dockerCli.CurrentContext() == "default" && dockerCli.DockerEndpoint().TLSData != nil {
-				return errors.Errorf("could not create a builder instance with TLS data loaded from environment. Please use `docker context create <context-name>` to create a context for current environment and then create a builder instance with `docker buildx create <context-name>`")
-			}
-
-			ep, err = getCurrentEndpoint(dockerCli)
-			if err != nil {
-				return err
-			}
-		}
-
-		if in.driver == "kubernetes" {
+		switch {
+		case driverName == "kubernetes":
 			// naming endpoint to make --append works
 			ep = (&url.URL{
-				Scheme: in.driver,
+				Scheme: driverName,
 				Path:   "/" + in.name,
 				RawQuery: (&url.Values{
 					"deployment": {in.nodeName},
 					"kubeconfig": {os.Getenv("KUBECONFIG")},
 				}).Encode(),
 			}).String()
+			setEp = false
+		case driverName == "remote":
+			if len(args) > 0 {
+				ep = args[0]
+			} else if buildkitHost != "" {
+				ep = buildkitHost
+			} else {
+				return errors.Errorf("no remote endpoint provided")
+			}
+			ep, err = validateBuildkitEndpoint(ep)
+			if err != nil {
+				return err
+			}
+			setEp = true
+		case len(args) > 0:
+			ep, err = validateEndpoint(dockerCli, args[0])
+			if err != nil {
+				return err
+			}
+			setEp = true
+		default:
+			if dockerCli.CurrentContext() == "default" && dockerCli.DockerEndpoint().TLSData != nil {
+				return errors.Errorf("could not create a builder instance with TLS data loaded from environment. Please use `docker context create <context-name>` to create a context for current environment and then create a builder instance with `docker buildx create <context-name>`")
+			}
+			ep, err = storeutil.GetCurrentEndpoint(dockerCli)
+			if err != nil {
+				return err
+			}
+			setEp = false
 		}
 
 		m, err := csvToMap(in.driverOpts)
 		if err != nil {
 			return err
 		}
-		if err := ng.Update(in.nodeName, ep, in.platform, len(args) > 0, in.actionAppend, flags, in.configFile, m); err != nil {
+
+		if in.configFile == "" {
+			// if buildkit config is not provided, check if the default one is
+			// available and use it
+			if f, ok := confutil.DefaultConfigFile(dockerCli); ok {
+				logrus.Warnf("Using default BuildKit config in %s", f)
+				in.configFile = f
+			}
+		}
+
+		if err := ng.Update(in.nodeName, ep, in.platform, setEp, in.actionAppend, flags, in.configFile, m); err != nil {
 			return err
 		}
 	}
@@ -169,8 +229,32 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 		return err
 	}
 
+	ngi := &nginfo{ng: ng}
+
+	timeoutCtx, cancel := context.WithTimeout(ctx, 20*time.Second)
+	defer cancel()
+
+	if err = loadNodeGroupData(timeoutCtx, dockerCli, ngi); err != nil {
+		return err
+	}
+	for _, info := range ngi.drivers {
+		if err := info.di.Err; err != nil {
+			err := errors.Errorf("failed to initialize builder %s (%s): %s", ng.Name, info.di.Name, err)
+			var err2 error
+			if ngOriginal == nil {
+				err2 = txn.Remove(ng.Name)
+			} else {
+				err2 = txn.Save(ngOriginal)
+			}
+			if err2 != nil {
+				logrus.Warnf("Could not rollback to previous state: %s", err2)
+			}
+			return err
+		}
+	}
+
 	if in.use && ep != "" {
-		current, err := getCurrentEndpoint(dockerCli)
+		current, err := storeutil.GetCurrentEndpoint(dockerCli)
 		if err != nil {
 			return err
 		}
@@ -179,6 +263,12 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 		}
 	}
 
+	if in.bootstrap {
+		if _, err = boot(ctx, ngi); err != nil {
+			return err
+		}
+	}
+
 	fmt.Printf("%s\n", ng.Name)
 	return nil
 }
@@ -186,9 +276,12 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 func createCmd(dockerCli command.Cli) *cobra.Command {
 	var options createOptions
 
-	var drivers []string
-	for s := range driver.GetFactories() {
-		drivers = append(drivers, s)
+	var drivers bytes.Buffer
+	for _, d := range driver.GetFactories() {
+		if len(drivers.String()) > 0 {
+			drivers.WriteString(", ")
+		}
+		drivers.WriteString(fmt.Sprintf(`"%s"`, d.Name()))
 	}
 
 	cmd := &cobra.Command{
@@ -203,18 +296,20 @@ func createCmd(dockerCli command.Cli) *cobra.Command {
 	flags := cmd.Flags()
 
 	flags.StringVar(&options.name, "name", "", "Builder instance name")
-	flags.StringVar(&options.driver, "driver", "", fmt.Sprintf("Driver to use (available: %v)", drivers))
+	flags.StringVar(&options.driver, "driver", "", fmt.Sprintf("Driver to use (available: %s)", drivers.String()))
 	flags.StringVar(&options.nodeName, "node", "", "Create/modify node with given name")
 	flags.StringVar(&options.flags, "buildkitd-flags", "", "Flags for buildkitd daemon")
 	flags.StringVar(&options.configFile, "config", "", "BuildKit config file")
 	flags.StringArrayVar(&options.platform, "platform", []string{}, "Fixed platforms for current node")
 	flags.StringArrayVar(&options.driverOpts, "driver-opt", []string{}, "Options for the driver")
+	flags.BoolVar(&options.bootstrap, "bootstrap", false, "Boot builder after creation")
 
 	flags.BoolVar(&options.actionAppend, "append", false, "Append a node to builder instead of changing it")
 	flags.BoolVar(&options.actionLeave, "leave", false, "Remove a node from builder instead of changing it")
 	flags.BoolVar(&options.use, "use", false, "Set the current builder instance")
 
-	_ = flags
+	// hide builder persistent flag for this command
+	cobrautil.HideInheritedFlags(cmd, "builder")
 
 	return cmd
 }

commands/create_test.go

@@ -0,0 +1,26 @@
+package commands
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestCsvToMap(t *testing.T) {
+	d := []string{
+		"\"tolerations=key=foo,value=bar;key=foo2,value=bar2\",replicas=1",
+		"namespace=default",
+	}
+	r, err := csvToMap(d)
+
+	require.NoError(t, err)
+
+	require.Contains(t, r, "tolerations")
+	require.Equal(t, r["tolerations"], "key=foo,value=bar;key=foo2,value=bar2")
+
+	require.Contains(t, r, "replicas")
+	require.Equal(t, r["replicas"], "1")
+
+	require.Contains(t, r, "namespace")
+	require.Equal(t, r["namespace"], "default")
+}

commands/diskusage.go

@@ -4,16 +4,18 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"strings"
 	"text/tabwriter"
+	"time"
 
 	"github.com/docker/buildx/build"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/opts"
+	"github.com/docker/go-units"
 	"github.com/moby/buildkit/client"
 	"github.com/moby/buildkit/util/appcontext"
 	"github.com/spf13/cobra"
-	"github.com/tonistiigi/units"
 	"golang.org/x/sync/errgroup"
 )
 
@@ -125,20 +127,20 @@ func printKV(w io.Writer, k string, v interface{}) {
 func printVerbose(tw *tabwriter.Writer, du []*client.UsageInfo) {
 	for _, di := range du {
 		printKV(tw, "ID", di.ID)
-		if di.Parent != "" {
-			printKV(tw, "Parent", di.Parent)
+		if len(di.Parents) != 0 {
+			printKV(tw, "Parent", strings.Join(di.Parents, ","))
 		}
 		printKV(tw, "Created at", di.CreatedAt)
 		printKV(tw, "Mutable", di.Mutable)
 		printKV(tw, "Reclaimable", !di.InUse)
 		printKV(tw, "Shared", di.Shared)
-		printKV(tw, "Size", fmt.Sprintf("%.2f", units.Bytes(di.Size)))
+		printKV(tw, "Size", units.HumanSize(float64(di.Size)))
 		if di.Description != "" {
 			printKV(tw, "Description", di.Description)
 		}
 		printKV(tw, "Usage count", di.UsageCount)
 		if di.LastUsedAt != nil {
-			printKV(tw, "Last used", di.LastUsedAt)
+			printKV(tw, "Last used", units.HumanDuration(time.Since(*di.LastUsedAt))+" ago")
 		}
 		if di.RecordType != "" {
 			printKV(tw, "Type", di.RecordType)
@@ -159,11 +161,15 @@ func printTableRow(tw *tabwriter.Writer, di *client.UsageInfo) {
 	if di.Mutable {
 		id += "*"
 	}
-	size := fmt.Sprintf("%.2f", units.Bytes(di.Size))
+	size := units.HumanSize(float64(di.Size))
 	if di.Shared {
 		size += "*"
 	}
-	fmt.Fprintf(tw, "%-71s\t%-11v\t%s\t\n", id, !di.InUse, size)
+	lastAccessed := ""
+	if di.LastUsedAt != nil {
+		lastAccessed = units.HumanDuration(time.Since(*di.LastUsedAt)) + " ago"
+	}
+	fmt.Fprintf(tw, "%-40s\t%-5v\t%-10s\t%s\n", id, !di.InUse, size, lastAccessed)
 }
 
 func printSummary(tw *tabwriter.Writer, dus [][]*client.UsageInfo) {
@@ -186,11 +192,11 @@ func printSummary(tw *tabwriter.Writer, dus [][]*client.UsageInfo) {
 	}
 
 	if shared > 0 {
-		fmt.Fprintf(tw, "Shared:\t%.2f\n", units.Bytes(shared))
-		fmt.Fprintf(tw, "Private:\t%.2f\n", units.Bytes(total-shared))
+		fmt.Fprintf(tw, "Shared:\t%s\n", units.HumanSize(float64(shared)))
+		fmt.Fprintf(tw, "Private:\t%s\n", units.HumanSize(float64(total-shared)))
 	}
 
-	fmt.Fprintf(tw, "Reclaimable:\t%.2f\n", units.Bytes(reclaimable))
-	fmt.Fprintf(tw, "Total:\t%.2f\n", units.Bytes(total))
+	fmt.Fprintf(tw, "Reclaimable:\t%s\n", units.HumanSize(float64(reclaimable)))
+	fmt.Fprintf(tw, "Total:\t%s\n", units.HumanSize(float64(total)))
 	tw.Flush()
 }

commands/imagetools/create.go

@@ -1,12 +1,16 @@
 package commands
 
 import (
+	"context"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"os"
 	"strings"
 
+	"github.com/docker/buildx/store"
+	"github.com/docker/buildx/store/storeutil"
 	"github.com/docker/buildx/util/imagetools"
+	"github.com/docker/buildx/util/progress"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/distribution/reference"
 	"github.com/moby/buildkit/util/appcontext"
@@ -18,10 +22,12 @@ import (
 )
 
 type createOptions struct {
+	builder      string
 	files        []string
 	tags         []string
 	dryrun       bool
 	actionAppend bool
+	progress     string
 }
 
 func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
@@ -35,7 +41,7 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 
 	fileArgs := make([]string, len(in.files))
 	for i, f := range in.files {
-		dt, err := ioutil.ReadFile(f)
+		dt, err := os.ReadFile(f)
 		if err != nil {
 			return err
 		}
@@ -75,18 +81,21 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 	if len(repos) == 0 {
 		return errors.Errorf("no repositories specified, please set a reference in tag or source")
 	}
-	if len(repos) > 1 {
-		return errors.Errorf("multiple repositories currently not supported, found %v", repos)
-	}
 
-	var repo string
-	for r := range repos {
-		repo = r
+	var defaultRepo *string
+	if len(repos) == 1 {
+		for repo := range repos {
+			defaultRepo = &repo
+		}
 	}
 
 	for i, s := range srcs {
 		if s.Ref == nil && s.Desc.MediaType == "" && s.Desc.Digest != "" {
-			n, err := reference.ParseNormalizedNamed(repo)
+			if defaultRepo == nil {
+				return errors.Errorf("multiple repositories specified, cannot infer repository for %q", args[i])
+			}
+
+			n, err := reference.ParseNormalizedNamed(*defaultRepo)
 			if err != nil {
 				return err
 			}
@@ -101,9 +110,32 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 
 	ctx := appcontext.Context()
 
-	r := imagetools.New(imagetools.Opt{
-		Auth: dockerCli.ConfigFile(),
-	})
+	txn, release, err := storeutil.GetStore(dockerCli)
+	if err != nil {
+		return err
+	}
+	defer release()
+
+	var ng *store.NodeGroup
+
+	if in.builder != "" {
+		ng, err = storeutil.GetNodeGroup(txn, dockerCli, in.builder)
+		if err != nil {
+			return err
+		}
+	} else {
+		ng, err = storeutil.GetCurrentInstance(txn, dockerCli)
+		if err != nil {
+			return err
+		}
+	}
+
+	imageopt, err := storeutil.GetImageConfig(dockerCli, ng)
+	if err != nil {
+		return err
+	}
+
+	r := imagetools.New(imageopt)
 
 	if sourceRefs {
 		eg, ctx2 := errgroup.WithContext(ctx)
@@ -117,7 +149,6 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 					if err != nil {
 						return err
 					}
-					srcs[i].Ref = nil
 					if srcs[i].Desc.Digest == "" {
 						srcs[i].Desc = desc
 					} else {
@@ -136,12 +167,7 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 		}
 	}
 
-	descs := make([]ocispec.Descriptor, len(srcs))
-	for i := range descs {
-		descs[i] = srcs[i].Desc
-	}
-
-	dt, desc, err := r.Combine(ctx, repo, descs)
+	dt, desc, err := r.Combine(ctx, srcs)
 	if err != nil {
 		return err
 	}
@@ -152,27 +178,51 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 	}
 
 	// new resolver cause need new auth
-	r = imagetools.New(imagetools.Opt{
-		Auth: dockerCli.ConfigFile(),
-	})
+	r = imagetools.New(imageopt)
+
+	ctx2, cancel := context.WithCancel(context.TODO())
+	defer cancel()
+	printer := progress.NewPrinter(ctx2, os.Stderr, os.Stderr, in.progress)
+
+	eg, _ := errgroup.WithContext(ctx)
+	pw := progress.WithPrefix(printer, "internal", true)
 
 	for _, t := range tags {
-		if err := r.Push(ctx, t, desc, dt); err != nil {
-			return err
-		}
-		fmt.Println(t.String())
+		t := t
+		eg.Go(func() error {
+			return progress.Wrap(fmt.Sprintf("pushing %s", t.String()), pw.Write, func(sub progress.SubLogger) error {
+				eg2, _ := errgroup.WithContext(ctx)
+				for _, s := range srcs {
+					if reference.Domain(s.Ref) == reference.Domain(t) && reference.Path(s.Ref) == reference.Path(t) {
+						continue
+					}
+					s := s
+					eg2.Go(func() error {
+						sub.Log(1, []byte(fmt.Sprintf("copying %s from %s to %s\n", s.Desc.Digest.String(), s.Ref.String(), t.String())))
+						return r.Copy(ctx, s, t)
+					})
+				}
+
+				if err := eg2.Wait(); err != nil {
+					return err
+				}
+				sub.Log(1, []byte(fmt.Sprintf("pushing %s to %s\n", desc.Digest.String(), t.String())))
+				return r.Push(ctx, t, desc, dt)
+			})
+		})
 	}
 
-	return nil
+	err = eg.Wait()
+	err1 := printer.Wait()
+	if err == nil {
+		err = err1
+	}
+
+	return err
 }
 
-type src struct {
-	Desc ocispec.Descriptor
-	Ref  reference.Named
-}
-
-func parseSources(in []string) ([]*src, error) {
-	out := make([]*src, len(in))
+func parseSources(in []string) ([]*imagetools.Source, error) {
+	out := make([]*imagetools.Source, len(in))
 	for i, in := range in {
 		s, err := parseSource(in)
 		if err != nil {
@@ -195,11 +245,11 @@ func parseRefs(in []string) ([]reference.Named, error) {
 	return refs, nil
 }
 
-func parseSource(in string) (*src, error) {
+func parseSource(in string) (*imagetools.Source, error) {
 	// source can be a digest, reference or a descriptor JSON
 	dgst, err := digest.Parse(in)
 	if err == nil {
-		return &src{
+		return &imagetools.Source{
 			Desc: ocispec.Descriptor{
 				Digest: dgst,
 			},
@@ -210,39 +260,38 @@ func parseSource(in string) (*src, error) {
 
 	ref, err := reference.ParseNormalizedNamed(in)
 	if err == nil {
-		return &src{
+		return &imagetools.Source{
 			Ref: ref,
 		}, nil
 	} else if !strings.HasPrefix(in, "{") {
 		return nil, err
 	}
 
-	var s src
+	var s imagetools.Source
 	if err := json.Unmarshal([]byte(in), &s.Desc); err != nil {
 		return nil, errors.WithStack(err)
 	}
 	return &s, nil
 }
 
-func createCmd(dockerCli command.Cli) *cobra.Command {
+func createCmd(dockerCli command.Cli, opts RootOptions) *cobra.Command {
 	var options createOptions
 
 	cmd := &cobra.Command{
 		Use:   "create [OPTIONS] [SOURCE] [SOURCE...]",
 		Short: "Create a new image based on source images",
 		RunE: func(cmd *cobra.Command, args []string) error {
+			options.builder = *opts.Builder
 			return runCreate(dockerCli, options, args)
 		},
 	}
 
 	flags := cmd.Flags()
-
 	flags.StringArrayVarP(&options.files, "file", "f", []string{}, "Read source descriptor from file")
 	flags.StringArrayVarP(&options.tags, "tag", "t", []string{}, "Set reference for new image")
 	flags.BoolVar(&options.dryrun, "dry-run", false, "Show final image instead of pushing")
 	flags.BoolVar(&options.actionAppend, "append", false, "Append to existing manifest")
-
-	_ = flags
+	flags.StringVar(&options.progress, "progress", "auto", `Set type of progress output ("auto", "plain", "tty"). Use plain to show container output`)
 
 	return cmd
 }

commands/imagetools/inspect.go

@@ -1,68 +1,82 @@
 package commands
 
 import (
-	"fmt"
-	"os"
-
-	"github.com/containerd/containerd/images"
+	"github.com/docker/buildx/store"
+	"github.com/docker/buildx/store/storeutil"
 	"github.com/docker/buildx/util/imagetools"
+	"github.com/docker/cli-docs-tool/annotation"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/moby/buildkit/util/appcontext"
-	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 )
 
 type inspectOptions struct {
-	raw bool
+	builder string
+	format  string
+	raw     bool
 }
 
 func runInspect(dockerCli command.Cli, in inspectOptions, name string) error {
 	ctx := appcontext.Context()
 
-	r := imagetools.New(imagetools.Opt{
-		Auth: dockerCli.ConfigFile(),
-	})
+	if in.format != "" && in.raw {
+		return errors.Errorf("format and raw cannot be used together")
+	}
 
-	dt, desc, err := r.Get(ctx, name)
+	txn, release, err := storeutil.GetStore(dockerCli)
+	if err != nil {
+		return err
+	}
+	defer release()
+
+	var ng *store.NodeGroup
+
+	if in.builder != "" {
+		ng, err = storeutil.GetNodeGroup(txn, dockerCli, in.builder)
+		if err != nil {
+			return err
+		}
+	} else {
+		ng, err = storeutil.GetCurrentInstance(txn, dockerCli)
+		if err != nil {
+			return err
+		}
+	}
+
+	imageopt, err := storeutil.GetImageConfig(dockerCli, ng)
 	if err != nil {
 		return err
 	}
 
-	if in.raw {
-		fmt.Printf("%s", dt) // avoid newline to keep digest
-		return nil
+	p, err := imagetools.NewPrinter(ctx, imageopt, name, in.format)
+	if err != nil {
+		return err
 	}
 
-	switch desc.MediaType {
-	// case images.MediaTypeDockerSchema2Manifest, specs.MediaTypeImageManifest:
-	// TODO: handle distribution manifest and schema1
-	case images.MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex:
-		return imagetools.PrintManifestList(dt, desc, name, os.Stdout)
-	default:
-		fmt.Printf("%s\n", dt)
-	}
-
-	return nil
+	return p.Print(in.raw, dockerCli.Out())
 }
 
-func inspectCmd(dockerCli command.Cli) *cobra.Command {
+func inspectCmd(dockerCli command.Cli, rootOpts RootOptions) *cobra.Command {
 	var options inspectOptions
 
 	cmd := &cobra.Command{
 		Use:   "inspect [OPTIONS] NAME",
-		Short: "Show details of image in the registry",
+		Short: "Show details of an image in the registry",
 		Args:  cli.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
+			options.builder = *rootOpts.Builder
 			return runInspect(dockerCli, options, args[0])
 		},
 	}
 
 	flags := cmd.Flags()
 
-	flags.BoolVar(&options.raw, "raw", false, "Show original JSON manifest")
+	flags.StringVar(&options.format, "format", "", "Format the output using the given Go template")
+	flags.SetAnnotation("format", annotation.DefaultValue, []string{`"{{.Manifest}}"`})
 
-	_ = flags
+	flags.BoolVar(&options.raw, "raw", false, "Show original, unformatted JSON manifest")
 
 	return cmd
 }

commands/imagetools/root.go

@@ -5,15 +5,19 @@ import (
 	"github.com/spf13/cobra"
 )
 
-func RootCmd(dockerCli command.Cli) *cobra.Command {
+type RootOptions struct {
+	Builder *string
+}
+
+func RootCmd(dockerCli command.Cli, opts RootOptions) *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "imagetools",
 		Short: "Commands to work on images in registry",
 	}
 
 	cmd.AddCommand(
-		inspectCmd(dockerCli),
-		createCmd(dockerCli),
+		createCmd(dockerCli, opts),
+		inspectCmd(dockerCli, opts),
 	)
 
 	return cmd

commands/inspect.go

@@ -8,17 +8,13 @@ import (
 	"text/tabwriter"
 	"time"
 
-	"github.com/docker/buildx/build"
-	"github.com/docker/buildx/driver"
 	"github.com/docker/buildx/store"
+	"github.com/docker/buildx/store/storeutil"
 	"github.com/docker/buildx/util/platformutil"
-	"github.com/docker/buildx/util/progress"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/moby/buildkit/util/appcontext"
-	specs "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/spf13/cobra"
-	"golang.org/x/sync/errgroup"
 )
 
 type inspectOptions struct {
@@ -26,23 +22,10 @@ type inspectOptions struct {
 	builder   string
 }
 
-type dinfo struct {
-	di        *build.DriverInfo
-	info      *driver.Info
-	platforms []specs.Platform
-	err       error
-}
-
-type nginfo struct {
-	ng      *store.NodeGroup
-	drivers []dinfo
-	err     error
-}
-
 func runInspect(dockerCli command.Cli, in inspectOptions) error {
 	ctx := appcontext.Context()
 
-	txn, release, err := getStore(dockerCli)
+	txn, release, err := storeutil.GetStore(dockerCli)
 	if err != nil {
 		return err
 	}
@@ -51,12 +34,12 @@ func runInspect(dockerCli command.Cli, in inspectOptions) error {
 	var ng *store.NodeGroup
 
 	if in.builder != "" {
-		ng, err = getNodeGroup(txn, dockerCli, in.builder)
+		ng, err = storeutil.GetNodeGroup(txn, dockerCli, in.builder)
 		if err != nil {
 			return err
 		}
 	} else {
-		ng, err = getCurrentInstance(txn, dockerCli)
+		ng, err = storeutil.GetCurrentInstance(txn, dockerCli)
 		if err != nil {
 			return err
 		}
@@ -82,7 +65,7 @@ func runInspect(dockerCli command.Cli, in inspectOptions) error {
 	var bootNgi *nginfo
 	if in.bootstrap {
 		var ok bool
-		ok, err = boot(ctx, ngi, dockerCli)
+		ok, err = boot(ctx, ngi)
 		if err != nil {
 			return err
 		}
@@ -96,6 +79,7 @@ func runInspect(dockerCli command.Cli, in inspectOptions) error {
 	w := tabwriter.NewWriter(os.Stdout, 0, 0, 1, ' ', 0)
 	fmt.Fprintf(w, "Name:\t%s\n", ngi.ng.Name)
 	fmt.Fprintf(w, "Driver:\t%s\n", ngi.ng.Driver)
+
 	if err != nil {
 		fmt.Fprintf(w, "Error:\t%s\n", err.Error())
 	} else if ngi.err != nil {
@@ -111,6 +95,15 @@ func runInspect(dockerCli command.Cli, in inspectOptions) error {
 			}
 			fmt.Fprintf(w, "Name:\t%s\n", n.Name)
 			fmt.Fprintf(w, "Endpoint:\t%s\n", n.Endpoint)
+
+			var driverOpts []string
+			for k, v := range n.DriverOpts {
+				driverOpts = append(driverOpts, fmt.Sprintf("%s=%q", k, v))
+			}
+			if len(driverOpts) > 0 {
+				fmt.Fprintf(w, "Driver Options:\t%s\n", strings.Join(driverOpts, " "))
+			}
+
 			if err := ngi.drivers[i].di.Err; err != nil {
 				fmt.Fprintf(w, "Error:\t%s\n", err.Error())
 			} else if err := ngi.drivers[i].err; err != nil {
@@ -149,50 +142,7 @@ func inspectCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
 	}
 
 	flags := cmd.Flags()
-
 	flags.BoolVar(&options.bootstrap, "bootstrap", false, "Ensure builder has booted before inspecting")
 
-	_ = flags
-
 	return cmd
 }
-
-func boot(ctx context.Context, ngi *nginfo, dockerCli command.Cli) (bool, error) {
-	toBoot := make([]int, 0, len(ngi.drivers))
-	for i, d := range ngi.drivers {
-		if d.err != nil || d.di.Err != nil || d.di.Driver == nil || d.info == nil {
-			continue
-		}
-		if d.info.Status != driver.Running {
-			toBoot = append(toBoot, i)
-		}
-	}
-	if len(toBoot) == 0 {
-		return false, nil
-	}
-
-	printer := progress.NewPrinter(context.TODO(), os.Stderr, "auto")
-
-	baseCtx := ctx
-	eg, _ := errgroup.WithContext(ctx)
-	for _, idx := range toBoot {
-		func(idx int) {
-			eg.Go(func() error {
-				pw := progress.WithPrefix(printer, ngi.ng.Nodes[idx].Name, len(toBoot) > 1)
-				_, err := driver.Boot(ctx, baseCtx, ngi.drivers[idx].di.Driver, pw)
-				if err != nil {
-					ngi.drivers[idx].err = err
-				}
-				return nil
-			})
-		}(idx)
-	}
-
-	err := eg.Wait()
-	err1 := printer.Wait()
-	if err == nil {
-		err = err1
-	}
-
-	return true, err
-}

commands/install.go

@@ -3,6 +3,7 @@ package commands
 import (
 	"os"
 
+	"github.com/docker/buildx/util/cobrautil"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/config"
@@ -48,5 +49,8 @@ func installCmd(dockerCli command.Cli) *cobra.Command {
 		Hidden: true,
 	}
 
+	// hide builder persistent flag for this command
+	cobrautil.HideInheritedFlags(cmd, "builder")
+
 	return cmd
 }

commands/ls.go

@@ -4,12 +4,14 @@ import (
 	"context"
 	"fmt"
 	"io"
-	"os"
+	"sort"
 	"strings"
 	"text/tabwriter"
 	"time"
 
 	"github.com/docker/buildx/store"
+	"github.com/docker/buildx/store/storeutil"
+	"github.com/docker/buildx/util/cobrautil"
 	"github.com/docker/buildx/util/platformutil"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
@@ -24,7 +26,7 @@ type lsOptions struct {
 func runLs(dockerCli command.Cli, in lsOptions) error {
 	ctx := appcontext.Context()
 
-	txn, release, err := getStore(dockerCli)
+	txn, release, err := storeutil.GetStore(dockerCli)
 	if err != nil {
 		return err
 	}
@@ -43,23 +45,30 @@ func runLs(dockerCli command.Cli, in lsOptions) error {
 		builders[i] = &nginfo{ng: ng}
 	}
 
-	list, err := dockerCli.ContextStore().List()
+	contexts, err := dockerCli.ContextStore().List()
 	if err != nil {
 		return err
 	}
-	ctxbuilders := make([]*nginfo, len(list))
-	for i, l := range list {
-		ctxbuilders[i] = &nginfo{ng: &store.NodeGroup{
-			Name: l.Name,
+	sort.Slice(contexts, func(i, j int) bool {
+		return contexts[i].Name < contexts[j].Name
+	})
+	for _, c := range contexts {
+		ngi := &nginfo{ng: &store.NodeGroup{
+			Name: c.Name,
 			Nodes: []store.Node{{
-				Name:     l.Name,
-				Endpoint: l.Name,
+				Name:     c.Name,
+				Endpoint: c.Name,
 			}},
 		}}
+		// if a context has the same name as an instance from the store, do not
+		// add it to the builders list. An instance from the store takes
+		// precedence over context builders.
+		if hasNodeGroup(builders, ngi) {
+			continue
+		}
+		builders = append(builders, ngi)
 	}
 
-	builders = append(builders, ctxbuilders...)
-
 	eg, _ := errgroup.WithContext(ctx)
 
 	for _, b := range builders {
@@ -79,7 +88,7 @@ func runLs(dockerCli command.Cli, in lsOptions) error {
 	}
 
 	currentName := "default"
-	current, err := getCurrentInstance(txn, dockerCli)
+	current, err := storeutil.GetCurrentInstance(txn, dockerCli)
 	if err != nil {
 		return err
 	}
@@ -90,49 +99,72 @@ func runLs(dockerCli command.Cli, in lsOptions) error {
 		}
 	}
 
-	w := tabwriter.NewWriter(os.Stdout, 0, 0, 1, ' ', 0)
-	fmt.Fprintf(w, "NAME/NODE\tDRIVER/ENDPOINT\tSTATUS\tPLATFORMS\n")
+	w := tabwriter.NewWriter(dockerCli.Out(), 0, 0, 1, ' ', 0)
+	fmt.Fprintf(w, "NAME/NODE\tDRIVER/ENDPOINT\tSTATUS\tBUILDKIT\tPLATFORMS\n")
 
 	currentSet := false
+	printErr := false
 	for _, b := range builders {
 		if !currentSet && b.ng.Name == currentName {
 			b.ng.Name += " *"
 			currentSet = true
 		}
-		printngi(w, b)
+		if ok := printngi(w, b); !ok {
+			printErr = true
+		}
 	}
 
 	w.Flush()
 
+	if printErr {
+		_, _ = fmt.Fprintf(dockerCli.Err(), "\n")
+		for _, b := range builders {
+			if b.err != nil {
+				_, _ = fmt.Fprintf(dockerCli.Err(), "Cannot load builder %s: %s\n", b.ng.Name, strings.TrimSpace(b.err.Error()))
+			} else {
+				for idx, n := range b.ng.Nodes {
+					d := b.drivers[idx]
+					var nodeErr string
+					if d.err != nil {
+						nodeErr = d.err.Error()
+					} else if d.di.Err != nil {
+						nodeErr = d.di.Err.Error()
+					}
+					if nodeErr != "" {
+						_, _ = fmt.Fprintf(dockerCli.Err(), "Failed to get status for %s (%s): %s\n", b.ng.Name, n.Name, strings.TrimSpace(nodeErr))
+					}
+				}
+			}
+		}
+	}
+
 	return nil
 }
 
-func printngi(w io.Writer, ngi *nginfo) {
+func printngi(w io.Writer, ngi *nginfo) (ok bool) {
+	ok = true
 	var err string
 	if ngi.err != nil {
-		err = ngi.err.Error()
+		ok = false
+		err = "error"
 	}
-	fmt.Fprintf(w, "%s\t%s\t%s\t\n", ngi.ng.Name, ngi.ng.Driver, err)
+	fmt.Fprintf(w, "%s\t%s\t%s\t\t\n", ngi.ng.Name, ngi.ng.Driver, err)
 	if ngi.err == nil {
 		for idx, n := range ngi.ng.Nodes {
 			d := ngi.drivers[idx]
-			var err string
-			if d.err != nil {
-				err = d.err.Error()
-			} else if d.di.Err != nil {
-				err = d.di.Err.Error()
-			}
 			var status string
 			if d.info != nil {
 				status = d.info.Status.String()
 			}
-			if err != "" {
-				fmt.Fprintf(w, "  %s\t%s\t%s\n", n.Name, n.Endpoint, err)
+			if d.err != nil || d.di.Err != nil {
+				ok = false
+				fmt.Fprintf(w, "  %s\t%s\t%s\t\t\n", n.Name, n.Endpoint, "error")
 			} else {
-				fmt.Fprintf(w, "  %s\t%s\t%s\t%s\n", n.Name, n.Endpoint, status, strings.Join(platformutil.FormatInGroups(n.Platforms, d.platforms), ", "))
+				fmt.Fprintf(w, "  %s\t%s\t%s\t%s\t%s\n", n.Name, n.Endpoint, status, d.version, strings.Join(platformutil.FormatInGroups(n.Platforms, d.platforms), ", "))
 			}
 		}
 	}
+	return
 }
 
 func lsCmd(dockerCli command.Cli) *cobra.Command {
@@ -147,5 +179,8 @@ func lsCmd(dockerCli command.Cli) *cobra.Command {
 		},
 	}
 
+	// hide builder persistent flag for this command
+	cobrautil.HideInheritedFlags(cmd, "builder")
+
 	return cmd
 }

commands/prune.go

@@ -12,11 +12,11 @@ import (
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/opts"
 	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/go-units"
 	"github.com/moby/buildkit/client"
 	"github.com/moby/buildkit/util/appcontext"
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
-	"github.com/tonistiigi/units"
 	"golang.org/x/sync/errgroup"
 )
 
@@ -119,7 +119,7 @@ func runPrune(dockerCli command.Cli, opts pruneOptions) error {
 	<-printed
 
 	tw = tabwriter.NewWriter(os.Stdout, 1, 8, 1, '\t', 0)
-	fmt.Fprintf(tw, "Total:\t%.2f\n", units.Bytes(total))
+	fmt.Fprintf(tw, "Total:\t%s\n", units.HumanSize(float64(total)))
 	tw.Flush()
 	return nil
 }
@@ -139,7 +139,7 @@ func pruneCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
 
 	flags := cmd.Flags()
 	flags.BoolVarP(&options.all, "all", "a", false, "Remove all unused images, not just dangling ones")
-	flags.Var(&options.filter, "filter", "Provide filter values (e.g. 'until=24h')")
+	flags.Var(&options.filter, "filter", `Provide filter values (e.g., "until=24h")`)
 	flags.Var(&options.keepStorage, "keep-storage", "Amount of disk space to keep for cache")
 	flags.BoolVar(&options.verbose, "verbose", false, "Provide a more verbose output")
 	flags.BoolVarP(&options.force, "force", "f", false, "Do not prompt for confirmation")

commands/rm.go

@@ -2,52 +2,83 @@ package commands
 
 import (
 	"context"
+	"fmt"
+	"time"
 
 	"github.com/docker/buildx/store"
+	"github.com/docker/buildx/store/storeutil"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/moby/buildkit/util/appcontext"
+	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
+	"golang.org/x/sync/errgroup"
 )
 
 type rmOptions struct {
-	builder   string
-	keepState bool
+	builder     string
+	keepState   bool
+	keepDaemon  bool
+	allInactive bool
+	force       bool
 }
 
+const (
+	rmInactiveWarning = `WARNING! This will remove all builders that are not in running state. Are you sure you want to continue?`
+)
+
 func runRm(dockerCli command.Cli, in rmOptions) error {
 	ctx := appcontext.Context()
 
-	txn, release, err := getStore(dockerCli)
+	if in.allInactive && !in.force && !command.PromptForConfirmation(dockerCli.In(), dockerCli.Out(), rmInactiveWarning) {
+		return nil
+	}
+
+	txn, release, err := storeutil.GetStore(dockerCli)
 	if err != nil {
 		return err
 	}
 	defer release()
 
+	if in.allInactive {
+		return rmAllInactive(ctx, txn, dockerCli, in)
+	}
+
+	var ng *store.NodeGroup
 	if in.builder != "" {
-		ng, err := getNodeGroup(txn, dockerCli, in.builder)
+		ng, err = storeutil.GetNodeGroup(txn, dockerCli, in.builder)
 		if err != nil {
 			return err
 		}
-		err1 := rm(ctx, dockerCli, ng, in.keepState)
-		if err := txn.Remove(ng.Name); err != nil {
+	} else {
+		ng, err = storeutil.GetCurrentInstance(txn, dockerCli)
+		if err != nil {
 			return err
 		}
-		return err1
+	}
+	if ng == nil {
+		return nil
 	}
 
-	ng, err := getCurrentInstance(txn, dockerCli)
+	ctxbuilders, err := dockerCli.ContextStore().List()
 	if err != nil {
 		return err
 	}
-	if ng != nil {
-		err1 := rm(ctx, dockerCli, ng, in.keepState)
-		if err := txn.Remove(ng.Name); err != nil {
-			return err
+	for _, cb := range ctxbuilders {
+		if ng.Driver == "docker" && len(ng.Nodes) == 1 && ng.Nodes[0].Endpoint == cb.Name {
+			return errors.Errorf("context builder cannot be removed, run `docker context rm %s` to remove this context", cb.Name)
 		}
+	}
+
+	err1 := rm(ctx, dockerCli, in, ng)
+	if err := txn.Remove(ng.Name); err != nil {
+		return err
+	}
+	if err1 != nil {
 		return err1
 	}
 
+	_, _ = fmt.Fprintf(dockerCli.Err(), "%s removed\n", ng.Name)
 	return nil
 }
 
@@ -61,6 +92,9 @@ func rmCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
 		RunE: func(cmd *cobra.Command, args []string) error {
 			options.builder = rootOpts.builder
 			if len(args) > 0 {
+				if options.allInactive {
+					return errors.New("cannot specify builder name when --all-inactive is set")
+				}
 				options.builder = args[0]
 			}
 			return runRm(dockerCli, options)
@@ -69,23 +103,30 @@ func rmCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
 
 	flags := cmd.Flags()
 	flags.BoolVar(&options.keepState, "keep-state", false, "Keep BuildKit state")
+	flags.BoolVar(&options.keepDaemon, "keep-daemon", false, "Keep the buildkitd daemon running")
+	flags.BoolVar(&options.allInactive, "all-inactive", false, "Remove all inactive builders")
+	flags.BoolVarP(&options.force, "force", "f", false, "Do not prompt for confirmation")
 
 	return cmd
 }
 
-func rm(ctx context.Context, dockerCli command.Cli, ng *store.NodeGroup, keepState bool) error {
+func rm(ctx context.Context, dockerCli command.Cli, in rmOptions, ng *store.NodeGroup) error {
 	dis, err := driversForNodeGroup(ctx, dockerCli, ng, "")
 	if err != nil {
 		return err
 	}
 	for _, di := range dis {
-		if di.Driver != nil {
+		if di.Driver == nil {
+			continue
+		}
+		// Do not stop the buildkitd daemon when --keep-daemon is provided
+		if !in.keepDaemon {
 			if err := di.Driver.Stop(ctx, true); err != nil {
 				return err
 			}
-			if err := di.Driver.Rm(ctx, true, !keepState); err != nil {
-				return err
-			}
+		}
+		if err := di.Driver.Rm(ctx, true, !in.keepState, !in.keepDaemon); err != nil {
+			return err
 		}
 		if di.Err != nil {
 			err = di.Err
@@ -93,3 +134,43 @@ func rm(ctx context.Context, dockerCli command.Cli, ng *store.NodeGroup, keepSta
 	}
 	return err
 }
+
+func rmAllInactive(ctx context.Context, txn *store.Txn, dockerCli command.Cli, in rmOptions) error {
+	ctx, cancel := context.WithTimeout(ctx, 20*time.Second)
+	defer cancel()
+
+	ll, err := txn.List()
+	if err != nil {
+		return err
+	}
+
+	builders := make([]*nginfo, len(ll))
+	for i, ng := range ll {
+		builders[i] = &nginfo{ng: ng}
+	}
+
+	eg, _ := errgroup.WithContext(ctx)
+	for _, b := range builders {
+		func(b *nginfo) {
+			eg.Go(func() error {
+				if err := loadNodeGroupData(ctx, dockerCli, b); err != nil {
+					return errors.Wrapf(err, "cannot load %s", b.ng.Name)
+				}
+				if b.ng.Dynamic {
+					return nil
+				}
+				if b.inactive() {
+					rmerr := rm(ctx, dockerCli, in, b.ng)
+					if err := txn.Remove(b.ng.Name); err != nil {
+						return err
+					}
+					_, _ = fmt.Fprintf(dockerCli.Err(), "%s removed\n", b.ng.Name)
+					return rmerr
+				}
+				return nil
+			})
+		}(b)
+	}
+
+	return eg.Wait()
+}

commands/root.go

@@ -4,23 +4,60 @@ import (
 	"os"
 
 	imagetoolscmd "github.com/docker/buildx/commands/imagetools"
+	"github.com/docker/buildx/util/logutil"
+	"github.com/docker/cli-docs-tool/annotation"
+	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli-plugins/plugin"
 	"github.com/docker/cli/cli/command"
+	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 )
 
 func NewRootCmd(name string, isPlugin bool, dockerCli command.Cli) *cobra.Command {
 	cmd := &cobra.Command{
-		Short: "Build with BuildKit",
+		Short: "Docker Buildx",
+		Long:  `Extended build capabilities with BuildKit`,
 		Use:   name,
+		Annotations: map[string]string{
+			annotation.CodeDelimiter: `"`,
+		},
 	}
 	if isPlugin {
 		cmd.PersistentPreRunE = func(cmd *cobra.Command, args []string) error {
 			return plugin.PersistentPreRunE(cmd, args)
 		}
+	} else {
+		// match plugin behavior for standalone mode
+		// https://github.com/docker/cli/blob/6c9eb708fa6d17765d71965f90e1c59cea686ee9/cli-plugins/plugin/plugin.go#L117-L127
+		cmd.SilenceUsage = true
+		cmd.SilenceErrors = true
+		cmd.TraverseChildren = true
+		cmd.DisableFlagsInUseLine = true
+		cli.DisableFlagsInUseLine(cmd)
 	}
 
+	logrus.SetFormatter(&logutil.Formatter{})
+
+	logrus.AddHook(logutil.NewFilter([]logrus.Level{
+		logrus.DebugLevel,
+	},
+		"serving grpc connection",
+		"stopping session",
+		"using default config store",
+	))
+
+	// filter out useless commandConn.CloseWrite warning message that can occur
+	// when listing builder instances with "buildx ls" for those that are
+	// unreachable: "commandConn.CloseWrite: commandconn: failed to wait: signal: killed"
+	// https://github.com/docker/cli/blob/3fb4fb83dfb5db0c0753a8316f21aea54dab32c5/cli/connhelper/commandconn/commandconn.go#L203-L214
+	logrus.AddHook(logutil.NewFilter([]logrus.Level{
+		logrus.WarnLevel,
+	},
+		"commandConn.CloseWrite:",
+		"commandConn.CloseRead:",
+	))
+
 	addCommands(cmd, dockerCli)
 	return cmd
 }
@@ -47,7 +84,7 @@ func addCommands(cmd *cobra.Command, dockerCli command.Cli) {
 		versionCmd(dockerCli),
 		pruneCmd(dockerCli, opts),
 		duCmd(dockerCli, opts),
-		imagetoolscmd.RootCmd(dockerCli),
+		imagetoolscmd.RootCmd(dockerCli, imagetoolscmd.RootOptions{Builder: &opts.builder}),
 	)
 }
 

commands/stop.go

@@ -4,6 +4,7 @@ import (
 	"context"
 
 	"github.com/docker/buildx/store"
+	"github.com/docker/buildx/store/storeutil"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/moby/buildkit/util/appcontext"
@@ -17,14 +18,14 @@ type stopOptions struct {
 func runStop(dockerCli command.Cli, in stopOptions) error {
 	ctx := appcontext.Context()
 
-	txn, release, err := getStore(dockerCli)
+	txn, release, err := storeutil.GetStore(dockerCli)
 	if err != nil {
 		return err
 	}
 	defer release()
 
 	if in.builder != "" {
-		ng, err := getNodeGroup(txn, dockerCli, in.builder)
+		ng, err := storeutil.GetNodeGroup(txn, dockerCli, in.builder)
 		if err != nil {
 			return err
 		}
@@ -34,7 +35,7 @@ func runStop(dockerCli command.Cli, in stopOptions) error {
 		return nil
 	}
 
-	ng, err := getCurrentInstance(txn, dockerCli)
+	ng, err := storeutil.GetCurrentInstance(txn, dockerCli)
 	if err != nil {
 		return err
 	}
@@ -61,12 +62,6 @@ func stopCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
 		},
 	}
 
-	flags := cmd.Flags()
-
-	// flags.StringArrayVarP(&options.outputs, "output", "o", []string{}, "Output destination (format: type=local,dest=path)")
-
-	_ = flags
-
 	return cmd
 }
 

commands/uninstall.go

@@ -3,6 +3,7 @@ package commands
 import (
 	"os"
 
+	"github.com/docker/buildx/util/cobrautil"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/config"
@@ -54,5 +55,8 @@ func uninstallCmd(dockerCli command.Cli) *cobra.Command {
 		Hidden: true,
 	}
 
+	// hide builder persistent flag for this command
+	cobrautil.HideInheritedFlags(cmd, "builder")
+
 	return cmd
 }

commands/use.go

@@ -3,6 +3,7 @@ package commands
 import (
 	"os"
 
+	"github.com/docker/buildx/store/storeutil"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/pkg/errors"
@@ -16,7 +17,7 @@ type useOptions struct {
 }
 
 func runUse(dockerCli command.Cli, in useOptions) error {
-	txn, release, err := getStore(dockerCli)
+	txn, release, err := storeutil.GetStore(dockerCli)
 	if err != nil {
 		return err
 	}
@@ -28,7 +29,7 @@ func runUse(dockerCli command.Cli, in useOptions) error {
 				return errors.Errorf("run `docker context use default` to switch to default context")
 			}
 			if in.builder == "default" || in.builder == dockerCli.CurrentContext() {
-				ep, err := getCurrentEndpoint(dockerCli)
+				ep, err := storeutil.GetCurrentEndpoint(dockerCli)
 				if err != nil {
 					return err
 				}
@@ -51,7 +52,7 @@ func runUse(dockerCli command.Cli, in useOptions) error {
 		return errors.Wrapf(err, "failed to find instance %q", in.builder)
 	}
 
-	ep, err := getCurrentEndpoint(dockerCli)
+	ep, err := storeutil.GetCurrentEndpoint(dockerCli)
 	if err != nil {
 		return err
 	}
@@ -79,11 +80,8 @@ func useCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
 	}
 
 	flags := cmd.Flags()
-
 	flags.BoolVar(&options.isGlobal, "global", false, "Builder persists context changes")
 	flags.BoolVar(&options.isDefault, "default", false, "Set builder as default for current context")
 
-	_ = flags
-
 	return cmd
 }

commands/util.go

@@ -4,86 +4,33 @@ import (
 	"context"
 	"net/url"
 	"os"
-	"path/filepath"
 	"strings"
 
 	"github.com/docker/buildx/build"
 	"github.com/docker/buildx/driver"
+	ctxkube "github.com/docker/buildx/driver/kubernetes/context"
+	remoteutil "github.com/docker/buildx/driver/remote/util"
 	"github.com/docker/buildx/store"
+	"github.com/docker/buildx/store/storeutil"
 	"github.com/docker/buildx/util/platformutil"
+	"github.com/docker/buildx/util/progress"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/context/docker"
-	"github.com/docker/cli/cli/context/kubernetes"
 	ctxstore "github.com/docker/cli/cli/context/store"
 	dopts "github.com/docker/cli/opts"
 	dockerclient "github.com/docker/docker/client"
+	"github.com/moby/buildkit/util/grpcerrors"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/sync/errgroup"
+	"google.golang.org/grpc/codes"
 	"k8s.io/client-go/tools/clientcmd"
 )
 
-// getStore returns current builder instance store
-func getStore(dockerCli command.Cli) (*store.Txn, func(), error) {
-	s, err := store.New(getConfigStorePath(dockerCli))
-	if err != nil {
-		return nil, nil, err
-	}
-	return s.Txn()
-}
-
-// getConfigStorePath will look for correct configuration store path;
-// if `$BUILDX_CONFIG` is set - use it, otherwise use parent directory
-// of Docker config file (i.e. `${DOCKER_CONFIG}/buildx`)
-func getConfigStorePath(dockerCli command.Cli) string {
-	if buildxConfig := os.Getenv("BUILDX_CONFIG"); buildxConfig != "" {
-		logrus.Debugf("using config store %q based in \"$BUILDX_CONFIG\" environment variable", buildxConfig)
-		return buildxConfig
-	}
-
-	buildxConfig := filepath.Join(filepath.Dir(dockerCli.ConfigFile().Filename), "buildx")
-	logrus.Debugf("using default config store %q", buildxConfig)
-	return buildxConfig
-}
-
-// getCurrentEndpoint returns the current default endpoint value
-func getCurrentEndpoint(dockerCli command.Cli) (string, error) {
-	name := dockerCli.CurrentContext()
-	if name != "default" {
-		return name, nil
-	}
-	de, err := getDockerEndpoint(dockerCli, name)
-	if err != nil {
-		return "", errors.Errorf("docker endpoint for %q not found", name)
-	}
-	return de, nil
-}
-
-// getDockerEndpoint returns docker endpoint string for given context
-func getDockerEndpoint(dockerCli command.Cli, name string) (string, error) {
-	list, err := dockerCli.ContextStore().List()
-	if err != nil {
-		return "", err
-	}
-	for _, l := range list {
-		if l.Name == name {
-			ep, ok := l.Endpoints["docker"]
-			if !ok {
-				return "", errors.Errorf("context %q does not have a Docker endpoint", name)
-			}
-			typed, ok := ep.(docker.EndpointMeta)
-			if !ok {
-				return "", errors.Errorf("endpoint %q is not of type EndpointMeta, %T", ep, ep)
-			}
-			return typed.Host, nil
-		}
-	}
-	return "", nil
-}
-
 // validateEndpoint validates that endpoint is either a context or a docker host
 func validateEndpoint(dockerCli command.Cli, ep string) (string, error) {
-	de, err := getDockerEndpoint(dockerCli, ep)
+	de, err := storeutil.GetDockerEndpoint(dockerCli, ep)
 	if err == nil && de != "" {
 		if ep == "default" {
 			return de, nil
@@ -97,58 +44,12 @@ func validateEndpoint(dockerCli command.Cli, ep string) (string, error) {
 	return h, nil
 }
 
-// getCurrentInstance finds the current builder instance
-func getCurrentInstance(txn *store.Txn, dockerCli command.Cli) (*store.NodeGroup, error) {
-	ep, err := getCurrentEndpoint(dockerCli)
-	if err != nil {
-		return nil, err
+// validateBuildkitEndpoint validates that endpoint is a valid buildkit host
+func validateBuildkitEndpoint(ep string) (string, error) {
+	if err := remoteutil.IsValidEndpoint(ep); err != nil {
+		return "", err
 	}
-	ng, err := txn.Current(ep)
-	if err != nil {
-		return nil, err
-	}
-	if ng == nil {
-		ng, _ = getNodeGroup(txn, dockerCli, dockerCli.CurrentContext())
-	}
-
-	return ng, nil
-}
-
-// getNodeGroup returns nodegroup based on the name
-func getNodeGroup(txn *store.Txn, dockerCli command.Cli, name string) (*store.NodeGroup, error) {
-	ng, err := txn.NodeGroupByName(name)
-	if err != nil {
-		if !os.IsNotExist(errors.Cause(err)) {
-			return nil, err
-		}
-	}
-	if ng != nil {
-		return ng, nil
-	}
-
-	if name == "default" {
-		name = dockerCli.CurrentContext()
-	}
-
-	list, err := dockerCli.ContextStore().List()
-	if err != nil {
-		return nil, err
-	}
-	for _, l := range list {
-		if l.Name == name {
-			return &store.NodeGroup{
-				Name: "default",
-				Nodes: []store.Node{
-					{
-						Name:     "default",
-						Endpoint: name,
-					},
-				},
-			}, nil
-		}
-	}
-
-	return nil, errors.Errorf("no builder %q found", name)
+	return ep, nil
 }
 
 // driversForNodeGroup returns drivers for a nodegroup instance
@@ -164,27 +65,43 @@ func driversForNodeGroup(ctx context.Context, dockerCli command.Cli, ng *store.N
 			return nil, errors.Errorf("failed to find driver %q", f)
 		}
 	} else {
-		dockerapi, err := clientForEndpoint(dockerCli, ng.Nodes[0].Endpoint)
+		// empty driver means nodegroup was implicitly created as a default
+		// driver for a docker context and allows falling back to a
+		// docker-container driver for older daemon that doesn't support
+		// buildkit (< 18.06).
+		ep := ng.Nodes[0].Endpoint
+		dockerapi, err := clientForEndpoint(dockerCli, ep)
 		if err != nil {
 			return nil, err
 		}
-		f, err = driver.GetDefaultFactory(ctx, dockerapi, false)
+		// check if endpoint is healthy is needed to determine the driver type.
+		// if this fails then can't continue with driver selection.
+		if _, err = dockerapi.Ping(ctx); err != nil {
+			return nil, err
+		}
+		f, err = driver.GetDefaultFactory(ctx, ep, dockerapi, false)
 		if err != nil {
 			return nil, err
 		}
 		ng.Driver = f.Name()
 	}
+	imageopt, err := storeutil.GetImageConfig(dockerCli, ng)
+	if err != nil {
+		return nil, err
+	}
 
 	for i, n := range ng.Nodes {
 		func(i int, n store.Node) {
 			eg.Go(func() error {
 				di := build.DriverInfo{
-					Name:     n.Name,
-					Platform: n.Platforms,
+					Name:        n.Name,
+					Platform:    n.Platforms,
+					ProxyConfig: storeutil.GetProxyConfig(dockerCli),
 				}
 				defer func() {
 					dis[i] = di
 				}()
+
 				dockerapi, err := clientForEndpoint(dockerCli, n.Endpoint)
 				if err != nil {
 					di.Err = err
@@ -223,12 +140,13 @@ func driversForNodeGroup(ctx context.Context, dockerCli command.Cli, ng *store.N
 					}
 				}
 
-				d, err := driver.GetDriver(ctx, "buildx_buildkit_"+n.Name, f, dockerapi, dockerCli.ConfigFile(), kcc, n.Flags, n.ConfigFile, n.DriverOpts, n.Platforms, contextPathHash)
+				d, err := driver.GetDriver(ctx, "buildx_buildkit_"+n.Name, f, n.Endpoint, dockerapi, imageopt.Auth, kcc, n.Flags, n.Files, n.DriverOpts, n.Platforms, contextPathHash)
 				if err != nil {
 					di.Err = err
 					return nil
 				}
 				di.Driver = d
+				di.ImageOpt = imageopt
 				return nil
 			})
 		}(i, n)
@@ -244,16 +162,17 @@ func driversForNodeGroup(ctx context.Context, dockerCli command.Cli, ng *store.N
 func configFromContext(endpointName string, s ctxstore.Reader) (clientcmd.ClientConfig, error) {
 	if strings.HasPrefix(endpointName, "kubernetes://") {
 		u, _ := url.Parse(endpointName)
-
 		if kubeconfig := u.Query().Get("kubeconfig"); kubeconfig != "" {
-			clientConfig := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(
-				&clientcmd.ClientConfigLoadingRules{ExplicitPath: kubeconfig},
-				&clientcmd.ConfigOverrides{},
-			)
-			return clientConfig, nil
+			_ = os.Setenv(clientcmd.RecommendedConfigPathEnvVar, kubeconfig)
 		}
+		rules := clientcmd.NewDefaultClientConfigLoadingRules()
+		apiConfig, err := rules.Load()
+		if err != nil {
+			return nil, err
+		}
+		return clientcmd.NewDefaultClientConfig(*apiConfig, &clientcmd.ConfigOverrides{}), nil
 	}
-	return kubernetes.ConfigFromContext(endpointName, s)
+	return ctxkube.ConfigFromContext(endpointName, s)
 }
 
 // clientForEndpoint returns a docker client for an endpoint
@@ -325,7 +244,7 @@ func getInstanceOrDefault(ctx context.Context, dockerCli command.Cli, instance,
 }
 
 func getInstanceByName(ctx context.Context, dockerCli command.Cli, instance, contextPathHash string) ([]build.DriverInfo, error) {
-	txn, release, err := getStore(dockerCli)
+	txn, release, err := storeutil.GetStore(dockerCli)
 	if err != nil {
 		return nil, err
 	}
@@ -340,14 +259,14 @@ func getInstanceByName(ctx context.Context, dockerCli command.Cli, instance, con
 
 // getDefaultDrivers returns drivers based on current cli config
 func getDefaultDrivers(ctx context.Context, dockerCli command.Cli, defaultOnly bool, contextPathHash string) ([]build.DriverInfo, error) {
-	txn, release, err := getStore(dockerCli)
+	txn, release, err := storeutil.GetStore(dockerCli)
 	if err != nil {
 		return nil, err
 	}
 	defer release()
 
 	if !defaultOnly {
-		ng, err := getCurrentInstance(txn, dockerCli)
+		ng, err := storeutil.GetCurrentInstance(txn, dockerCli)
 		if err != nil {
 			return nil, err
 		}
@@ -357,14 +276,21 @@ func getDefaultDrivers(ctx context.Context, dockerCli command.Cli, defaultOnly b
 		}
 	}
 
-	d, err := driver.GetDriver(ctx, "buildx_buildkit_default", nil, dockerCli.Client(), dockerCli.ConfigFile(), nil, nil, "", nil, nil, contextPathHash)
+	imageopt, err := storeutil.GetImageConfig(dockerCli, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	d, err := driver.GetDriver(ctx, "buildx_buildkit_default", nil, "", dockerCli.Client(), imageopt.Auth, nil, nil, nil, nil, nil, contextPathHash)
 	if err != nil {
 		return nil, err
 	}
 	return []build.DriverInfo{
 		{
-			Name:   "default",
-			Driver: d,
+			Name:        "default",
+			Driver:      d,
+			ImageOpt:    imageopt,
+			ProxyConfig: storeutil.GetProxyConfig(dockerCli),
 		},
 	}, nil
 }
@@ -388,11 +314,20 @@ func loadInfoData(ctx context.Context, d *dinfo) error {
 			return errors.Wrap(err, "listing workers")
 		}
 		for _, w := range workers {
-			for _, p := range w.Platforms {
-				d.platforms = append(d.platforms, p)
-			}
+			d.platforms = append(d.platforms, w.Platforms...)
 		}
 		d.platforms = platformutil.Dedupe(d.platforms)
+		inf, err := c.Info(ctx)
+		if err != nil {
+			if st, ok := grpcerrors.AsGRPCStatus(err); ok && st.Code() == codes.Unimplemented {
+				d.version, err = d.di.Driver.Version(ctx)
+				if err != nil {
+					return errors.Wrap(err, "getting version")
+				}
+			}
+		} else {
+			d.version = inf.BuildkitVersion.Version
+		}
 	}
 	return nil
 }
@@ -461,6 +396,15 @@ func loadNodeGroupData(ctx context.Context, dockerCli command.Cli, ngi *nginfo)
 	return nil
 }
 
+func hasNodeGroup(list []*nginfo, ngi *nginfo) bool {
+	for _, l := range list {
+		if ngi.ng.Name == l.ng.Name {
+			return true
+		}
+	}
+	return false
+}
+
 func dockerAPI(dockerCli command.Cli) *api {
 	return &api{dockerCli: dockerCli}
 }
@@ -475,3 +419,68 @@ func (a *api) DockerAPI(name string) (dockerclient.APIClient, error) {
 	}
 	return clientForEndpoint(a.dockerCli, name)
 }
+
+type dinfo struct {
+	di        *build.DriverInfo
+	info      *driver.Info
+	platforms []specs.Platform
+	version   string
+	err       error
+}
+
+type nginfo struct {
+	ng      *store.NodeGroup
+	drivers []dinfo
+	err     error
+}
+
+// inactive checks if all nodes are inactive for this builder
+func (n *nginfo) inactive() bool {
+	for idx := range n.ng.Nodes {
+		d := n.drivers[idx]
+		if d.info != nil && d.info.Status == driver.Running {
+			return false
+		}
+	}
+	return true
+}
+
+func boot(ctx context.Context, ngi *nginfo) (bool, error) {
+	toBoot := make([]int, 0, len(ngi.drivers))
+	for i, d := range ngi.drivers {
+		if d.err != nil || d.di.Err != nil || d.di.Driver == nil || d.info == nil {
+			continue
+		}
+		if d.info.Status != driver.Running {
+			toBoot = append(toBoot, i)
+		}
+	}
+	if len(toBoot) == 0 {
+		return false, nil
+	}
+
+	printer := progress.NewPrinter(context.TODO(), os.Stderr, os.Stderr, "auto")
+
+	baseCtx := ctx
+	eg, _ := errgroup.WithContext(ctx)
+	for _, idx := range toBoot {
+		func(idx int) {
+			eg.Go(func() error {
+				pw := progress.WithPrefix(printer, ngi.ng.Nodes[idx].Name, len(toBoot) > 1)
+				_, err := driver.Boot(ctx, baseCtx, ngi.drivers[idx].di.Driver, pw)
+				if err != nil {
+					ngi.drivers[idx].err = err
+				}
+				return nil
+			})
+		}(idx)
+	}
+
+	err := eg.Wait()
+	err1 := printer.Wait()
+	if err == nil {
+		err = err1
+	}
+
+	return true, err
+}

commands/version.go

@@ -3,6 +3,7 @@ package commands
 import (
 	"fmt"
 
+	"github.com/docker/buildx/util/cobrautil"
 	"github.com/docker/buildx/version"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
@@ -23,5 +24,9 @@ func versionCmd(dockerCli command.Cli) *cobra.Command {
 			return runVersion(dockerCli)
 		},
 	}
+
+	// hide builder persistent flag for this command
+	cobrautil.HideInheritedFlags(cmd, "builder")
+
 	return cmd
 }

docker-bake.hcl

@@ -0,0 +1,145 @@
+variable "GO_VERSION" {
+  default = "1.18"
+}
+variable "BIN_OUT" {
+  default = "./bin"
+}
+variable "RELEASE_OUT" {
+  default = "./release-out"
+}
+variable "DOCS_FORMATS" {
+  default = "md"
+}
+
+// Special target: https://github.com/docker/metadata-action#bake-definition
+target "meta-helper" {
+  tags = ["docker/buildx-bin:local"]
+}
+
+target "_common" {
+  args = {
+    GO_VERSION = GO_VERSION
+    BUILDKIT_CONTEXT_KEEP_GIT_DIR = 1
+  }
+}
+
+group "default" {
+  targets = ["binaries"]
+}
+
+group "validate" {
+  targets = ["lint", "validate-vendor", "validate-docs"]
+}
+
+target "lint" {
+  inherits = ["_common"]
+  dockerfile = "./hack/dockerfiles/lint.Dockerfile"
+  output = ["type=cacheonly"]
+}
+
+target "validate-vendor" {
+  inherits = ["_common"]
+  dockerfile = "./hack/dockerfiles/vendor.Dockerfile"
+  target = "validate"
+  output = ["type=cacheonly"]
+}
+
+target "validate-docs" {
+  inherits = ["_common"]
+  args = {
+    FORMATS = DOCS_FORMATS
+  }
+  dockerfile = "./hack/dockerfiles/docs.Dockerfile"
+  target = "validate"
+  output = ["type=cacheonly"]
+}
+
+target "validate-authors" {
+  inherits = ["_common"]
+  dockerfile = "./hack/dockerfiles/authors.Dockerfile"
+  target = "validate"
+  output = ["type=cacheonly"]
+}
+
+target "update-vendor" {
+  inherits = ["_common"]
+  dockerfile = "./hack/dockerfiles/vendor.Dockerfile"
+  target = "update"
+  output = ["."]
+}
+
+target "update-docs" {
+  inherits = ["_common"]
+  args = {
+    FORMATS = DOCS_FORMATS
+  }
+  dockerfile = "./hack/dockerfiles/docs.Dockerfile"
+  target = "update"
+  output = ["./docs/reference"]
+}
+
+target "update-authors" {
+  inherits = ["_common"]
+  dockerfile = "./hack/dockerfiles/authors.Dockerfile"
+  target = "update"
+  output = ["."]
+}
+
+target "mod-outdated" {
+  inherits = ["_common"]
+  dockerfile = "./hack/dockerfiles/vendor.Dockerfile"
+  target = "outdated"
+  no-cache-filter = ["outdated"]
+  output = ["type=cacheonly"]
+}
+
+target "test" {
+  inherits = ["_common"]
+  target = "test-coverage"
+  output = ["./coverage"]
+}
+
+target "binaries" {
+  inherits = ["_common"]
+  target = "binaries"
+  output = [BIN_OUT]
+  platforms = ["local"]
+}
+
+target "binaries-cross" {
+  inherits = ["binaries"]
+  platforms = [
+    "darwin/amd64",
+    "darwin/arm64",
+    "linux/amd64",
+    "linux/arm/v6",
+    "linux/arm/v7",
+    "linux/arm64",
+    "linux/ppc64le",
+    "linux/riscv64",
+    "linux/s390x",
+    "windows/amd64",
+    "windows/arm64"
+  ]
+}
+
+target "release" {
+  inherits = ["binaries-cross"]
+  target = "release"
+  output = [RELEASE_OUT]
+}
+
+target "image" {
+  inherits = ["meta-helper", "binaries"]
+  output = ["type=image"]
+}
+
+target "image-cross" {
+  inherits = ["meta-helper", "binaries-cross"]
+  output = ["type=image"]
+}
+
+target "image-local" {
+  inherits = ["image"]
+  output = ["type=docker"]
+}

docs/docsgen/generate.go

@@ -1,198 +0,0 @@
-package main
-
-import (
-	"fmt"
-	"io/ioutil"
-	"log"
-	"os"
-	"path/filepath"
-	"strings"
-
-	"github.com/docker/buildx/commands"
-	"github.com/docker/cli/cli/command"
-	"github.com/pkg/errors"
-	"github.com/spf13/cobra"
-	"github.com/spf13/pflag"
-)
-
-const descriptionSourcePath = "docs/reference/"
-
-func generateDocs(opts *options) error {
-	dockerCLI, err := command.NewDockerCli()
-	if err != nil {
-		return err
-	}
-	cmd := &cobra.Command{
-		Use:   "docker [OPTIONS] COMMAND [ARG...]",
-		Short: "The base command for the Docker CLI.",
-	}
-	cmd.AddCommand(commands.NewRootCmd("buildx", true, dockerCLI))
-	return genCmd(cmd, opts.target)
-}
-
-func getMDFilename(cmd *cobra.Command) string {
-	name := cmd.CommandPath()
-	if i := strings.Index(name, " "); i >= 0 {
-		name = name[i+1:]
-	}
-	return strings.ReplaceAll(name, " ", "_") + ".md"
-}
-
-func genCmd(cmd *cobra.Command, dir string) error {
-	for _, c := range cmd.Commands() {
-		if err := genCmd(c, dir); err != nil {
-			return err
-		}
-	}
-	if !cmd.HasParent() {
-		return nil
-	}
-
-	mdFile := getMDFilename(cmd)
-	fullPath := filepath.Join(dir, mdFile)
-
-	content, err := ioutil.ReadFile(fullPath)
-	if err != nil {
-		if errors.Is(err, os.ErrNotExist) {
-			return errors.Wrapf(err, "%s does not exist", mdFile)
-		}
-	}
-
-	cs := string(content)
-
-	markerStart := "<!---MARKER_GEN_START-->"
-	markerEnd := "<!---MARKER_GEN_END-->"
-
-	start := strings.Index(cs, markerStart)
-	end := strings.Index(cs, markerEnd)
-
-	if start == -1 {
-		return errors.Errorf("no start marker in %s", mdFile)
-	}
-	if end == -1 {
-		return errors.Errorf("no end marker in %s", mdFile)
-	}
-
-	out, err := cmdOutput(cmd, cs)
-	if err != nil {
-		return err
-	}
-	cont := cs[:start] + markerStart + "\n" + out + "\n" + cs[end:]
-
-	fi, err := os.Stat(fullPath)
-	if err != nil {
-		return err
-	}
-	if err := ioutil.WriteFile(fullPath, []byte(cont), fi.Mode()); err != nil {
-		return errors.Wrapf(err, "failed to write %s", fullPath)
-	}
-	log.Printf("updated %s", fullPath)
-	return nil
-}
-
-func makeLink(txt, link string, f *pflag.Flag, isAnchor bool) string {
-	link = "#" + link
-	annotations, ok := f.Annotations["docs.external.url"]
-	if ok && len(annotations) > 0 {
-		link = annotations[0]
-	} else {
-		if !isAnchor {
-			return txt
-		}
-	}
-
-	return "[" + txt + "](" + link + ")"
-}
-
-func cmdOutput(cmd *cobra.Command, old string) (string, error) {
-	b := &strings.Builder{}
-
-	desc := cmd.Short
-	if cmd.Long != "" {
-		desc = cmd.Long
-	}
-	if desc != "" {
-		fmt.Fprintf(b, "%s\n\n", desc)
-	}
-
-	if len(cmd.Aliases) != 0 {
-		fmt.Fprintf(b, "### Aliases\n\n`%s`", cmd.Name())
-		for _, a := range cmd.Aliases {
-			fmt.Fprintf(b, ", `%s`", a)
-		}
-		fmt.Fprint(b, "\n\n")
-	}
-
-	if len(cmd.Commands()) != 0 {
-		fmt.Fprint(b, "### Subcommands\n\n")
-		fmt.Fprint(b, "| Name | Description |\n")
-		fmt.Fprint(b, "| --- | --- |\n")
-		for _, c := range cmd.Commands() {
-			fmt.Fprintf(b, "| [`%s`](%s) | %s |\n", c.Name(), getMDFilename(c), c.Short)
-		}
-		fmt.Fprint(b, "\n\n")
-	}
-
-	hasFlags := cmd.Flags().HasAvailableFlags()
-
-	cmd.Flags().AddFlagSet(cmd.InheritedFlags())
-
-	if hasFlags {
-		fmt.Fprint(b, "### Options\n\n")
-		fmt.Fprint(b, "| Name | Description |\n")
-		fmt.Fprint(b, "| --- | --- |\n")
-
-		cmd.Flags().VisitAll(func(f *pflag.Flag) {
-			if f.Hidden {
-				return
-			}
-			isLink := strings.Contains(old, "<a name=\""+f.Name+"\"></a>")
-			fmt.Fprint(b, "| ")
-			if f.Shorthand != "" {
-				name := "`-" + f.Shorthand + "`"
-				name = makeLink(name, f.Name, f, isLink)
-				fmt.Fprintf(b, "%s, ", name)
-			}
-			name := "`--" + f.Name
-			if f.Value.Type() != "bool" {
-				name += " " + f.Value.Type()
-			}
-			name += "`"
-			name = makeLink(name, f.Name, f, isLink)
-			fmt.Fprintf(b, "%s | %s |\n", name, f.Usage)
-		})
-		fmt.Fprintln(b, "")
-	}
-
-	return b.String(), nil
-}
-
-type options struct {
-	target string
-}
-
-func parseArgs() (*options, error) {
-	opts := &options{}
-	flags := pflag.NewFlagSet(os.Args[0], pflag.ContinueOnError)
-	flags.StringVar(&opts.target, "target", descriptionSourcePath, "Docs directory")
-	err := flags.Parse(os.Args[1:])
-	return opts, err
-}
-
-func main() {
-	if err := run(); err != nil {
-		log.Printf("error: %+v", err)
-		os.Exit(1)
-	}
-}
-
-func run() error {
-	opts, err := parseArgs()
-	if err != nil {
-		return err
-	}
-	if err := generateDocs(opts); err != nil {
-		return err
-	}
-	return nil
-}

docs/generate.go

@@ -0,0 +1,90 @@
+package main
+
+import (
+	"log"
+	"os"
+
+	"github.com/docker/buildx/commands"
+	clidocstool "github.com/docker/cli-docs-tool"
+	"github.com/docker/cli/cli/command"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+
+	// import drivers otherwise factories are empty
+	// for --driver output flag usage
+	_ "github.com/docker/buildx/driver/docker"
+	_ "github.com/docker/buildx/driver/docker-container"
+	_ "github.com/docker/buildx/driver/kubernetes"
+	_ "github.com/docker/buildx/driver/remote"
+)
+
+const defaultSourcePath = "docs/reference/"
+
+type options struct {
+	source  string
+	formats []string
+}
+
+func gen(opts *options) error {
+	log.SetFlags(0)
+
+	dockerCLI, err := command.NewDockerCli()
+	if err != nil {
+		return err
+	}
+	cmd := &cobra.Command{
+		Use:               "docker [OPTIONS] COMMAND [ARG...]",
+		Short:             "The base command for the Docker CLI.",
+		DisableAutoGenTag: true,
+	}
+
+	cmd.AddCommand(commands.NewRootCmd("buildx", true, dockerCLI))
+
+	c, err := clidocstool.New(clidocstool.Options{
+		Root:      cmd,
+		SourceDir: opts.source,
+		Plugin:    true,
+	})
+	if err != nil {
+		return err
+	}
+
+	for _, format := range opts.formats {
+		switch format {
+		case "md":
+			if err = c.GenMarkdownTree(cmd); err != nil {
+				return err
+			}
+		case "yaml":
+			if err = c.GenYamlTree(cmd); err != nil {
+				return err
+			}
+		default:
+			return errors.Errorf("unknown format %q", format)
+		}
+	}
+
+	return nil
+}
+
+func run() error {
+	opts := &options{}
+	flags := pflag.NewFlagSet(os.Args[0], pflag.ContinueOnError)
+	flags.StringVar(&opts.source, "source", defaultSourcePath, "Docs source folder")
+	flags.StringSliceVar(&opts.formats, "formats", []string{}, "Format (md, yaml)")
+	if err := flags.Parse(os.Args[1:]); err != nil {
+		return err
+	}
+	if len(opts.formats) == 0 {
+		return errors.New("Docs format required")
+	}
+	return gen(opts)
+}
+
+func main() {
+	if err := run(); err != nil {
+		log.Printf("ERROR: %+v", err)
+		os.Exit(1)
+	}
+}

docs/guides/bake/build-contexts.md

@@ -0,0 +1,74 @@
+# Defining additional build contexts and linking targets
+
+In addition to the main `context` key that defines the build context each target
+can also define additional named contexts with a map defined with key `contexts`.
+These values map to the `--build-context` flag in the [build command](https://docs.docker.com/engine/reference/commandline/buildx_build/#build-context).
+
+Inside the Dockerfile these contexts can be used with the `FROM` instruction or `--from` flag.
+
+The value can be a local source directory, container image (with `docker-image://` prefix),
+Git URL, HTTP URL or a name of another target in the Bake file (with `target:` prefix).
+
+## Pinning alpine image
+
+```dockerfile
+# syntax=docker/dockerfile:1
+FROM alpine
+RUN echo "Hello world"
+```
+
+```hcl
+# docker-bake.hcl
+target "app" {
+  contexts = {
+    alpine = "docker-image://alpine:3.13"
+  }
+}
+```
+
+## Using a secondary source directory
+
+```dockerfile
+# syntax=docker/dockerfile:1
+FROM scratch AS src
+
+FROM golang
+COPY --from=src . .
+```
+
+```hcl
+# docker-bake.hcl
+target "app" {
+  contexts = {
+    src = "../path/to/source"
+  }
+}
+```
+
+## Using a result of one target as a base image in another target
+
+To use a result of one target as a build context of another, specity the target
+name with `target:` prefix.
+
+```dockerfile
+# syntax=docker/dockerfile:1
+FROM baseapp
+RUN echo "Hello world"
+```
+
+```hcl
+# docker-bake.hcl
+target "base" {
+  dockerfile = "baseapp.Dockerfile"
+}
+
+target "app" {
+  contexts = {
+    baseapp = "target:base"
+  }
+}
+```
+
+Please note that in most cases you should just use a single multi-stage
+Dockerfile with multiple targets for similar behavior. This case is recommended
+when you have multiple Dockerfiles that can't be easily merged into one.

docs/guides/bake/compose-file.md

@@ -0,0 +1,219 @@
+# Building from Compose file
+
+## Specification
+
+Bake uses the [compose-spec](https://docs.docker.com/compose/compose-file/) to
+parse a compose file and translate each service to a [target](file-definition.md#target).
+
+```yaml
+# docker-compose.yml
+services:
+  webapp-dev: 
+    build: &build-dev
+      dockerfile: Dockerfile.webapp
+      tags:
+        - docker.io/username/webapp:latest
+      cache_from:
+        - docker.io/username/webapp:cache
+      cache_to:
+        - docker.io/username/webapp:cache
+
+  webapp-release:
+    build:
+      <<: *build-dev
+      x-bake:
+        platforms:
+          - linux/amd64
+          - linux/arm64
+
+  db:
+    image: docker.io/username/db
+    build:
+      dockerfile: Dockerfile.db
+```
+
+```console
+$ docker buildx bake --print
+```
+```json
+{
+  "group": {
+    "default": {
+      "targets": [
+        "db",
+        "webapp-dev",
+        "webapp-release"
+      ]
+    }
+  },
+  "target": {
+    "db": {
+      "context": ".",
+      "dockerfile": "Dockerfile.db",
+      "tags": [
+        "docker.io/username/db"
+      ]
+    },
+    "webapp-dev": {
+      "context": ".",
+      "dockerfile": "Dockerfile.webapp",
+      "tags": [
+        "docker.io/username/webapp:latest"
+      ],
+      "cache-from": [
+        "docker.io/username/webapp:cache"
+      ],
+      "cache-to": [
+        "docker.io/username/webapp:cache"
+      ]
+    },
+    "webapp-release": {
+      "context": ".",
+      "dockerfile": "Dockerfile.webapp",
+      "tags": [
+        "docker.io/username/webapp:latest"
+      ],
+      "cache-from": [
+        "docker.io/username/webapp:cache"
+      ],
+      "cache-to": [
+        "docker.io/username/webapp:cache"
+      ],
+      "platforms": [
+        "linux/amd64",
+        "linux/arm64"
+      ]
+    }
+  }
+}
+```
+
+Unlike the [HCL format](file-definition.md#hcl-definition), there are some
+limitations with the compose format:
+
+* Specifying variables or global scope attributes is not yet supported
+* `inherits` service field is not supported, but you can use [YAML anchors](https://docs.docker.com/compose/compose-file/#fragments) to reference other services like the example above
+
+## Extension field with `x-bake`
+
+Even if some fields are not (yet) available in the compose specification, you
+can use the [special extension](https://docs.docker.com/compose/compose-file/#extension)
+field `x-bake` in your compose file to evaluate extra fields:
+
+```yaml
+# docker-compose.yml
+services:
+  addon:
+    image: ct-addon:bar
+    build:
+      context: .
+      dockerfile: ./Dockerfile
+      args:
+        CT_ECR: foo
+        CT_TAG: bar
+      x-bake:
+        tags:
+          - ct-addon:foo
+          - ct-addon:alp
+        platforms:
+          - linux/amd64
+          - linux/arm64
+        cache-from:
+          - user/app:cache
+          - type=local,src=path/to/cache
+        cache-to:
+          - type=local,dest=path/to/cache
+        pull: true
+
+  aws:
+    image: ct-fake-aws:bar
+    build:
+      dockerfile: ./aws.Dockerfile
+      args:
+        CT_ECR: foo
+        CT_TAG: bar
+      x-bake:
+        secret:
+          - id=mysecret,src=./secret
+          - id=mysecret2,src=./secret2
+        platforms: linux/arm64
+        output: type=docker
+        no-cache: true
+```
+
+```console
+$ docker buildx bake --print
+```
+```json
+{
+  "group": {
+    "default": {
+      "targets": [
+        "aws",
+        "addon"
+      ]
+    }
+  },
+  "target": {
+    "addon": {
+      "context": ".",
+      "dockerfile": "./Dockerfile",
+      "args": {
+        "CT_ECR": "foo",
+        "CT_TAG": "bar"
+      },
+      "tags": [
+        "ct-addon:foo",
+        "ct-addon:alp"
+      ],
+      "cache-from": [
+        "user/app:cache",
+        "type=local,src=path/to/cache"
+      ],
+      "cache-to": [
+        "type=local,dest=path/to/cache"
+      ],
+      "platforms": [
+        "linux/amd64",
+        "linux/arm64"
+      ],
+      "pull": true
+    },
+    "aws": {
+      "context": ".",
+      "dockerfile": "./aws.Dockerfile",
+      "args": {
+        "CT_ECR": "foo",
+        "CT_TAG": "bar"
+      },
+      "tags": [
+        "ct-fake-aws:bar"
+      ],
+      "secret": [
+        "id=mysecret,src=./secret",
+        "id=mysecret2,src=./secret2"
+      ],
+      "platforms": [
+        "linux/arm64"
+      ],
+      "output": [
+        "type=docker"
+      ],
+      "no-cache": true
+    }
+  }
+}
+```
+
+Complete list of valid fields for `x-bake`:
+
+* `cache-from`
+* `cache-to`
+* `no-cache`
+* `no-cache-filter`
+* `output`
+* `platforms`
+* `pull`
+* `secret`
+* `ssh`
+* `tags`

docs/guides/bake/configuring-build.md

@@ -0,0 +1,216 @@
+# Configuring builds
+
+Bake supports loading build definition from files, but sometimes you need even
+more flexibility to configure this definition.
+
+For this use case, you can define variables inside the bake files that can be
+set by the user with environment variables or by [attribute definitions](#global-scope-attributes)
+in other bake files. If you wish to change a specific value for a single
+invocation you can use the `--set` flag [from the command line](#from-command-line).
+
+## Global scope attributes
+
+You can define global scope attributes in HCL/JSON and use them for code reuse
+and setting values for variables. This means you can do a "data-only" HCL file
+with the values you want to set/override and use it in the list of regular
+output files.
+
+```hcl
+# docker-bake.hcl
+variable "FOO" {
+  default = "abc"
+}
+
+target "app" {
+  args = {
+    v1 = "pre-${FOO}"
+  }
+}
+```
+
+You can use this file directly:
+
+```console
+$ docker buildx bake --print app
+```
+```json
+{
+  "group": {
+    "default": {
+      "targets": [
+        "app"
+      ]
+    }
+  },
+  "target": {
+    "app": {
+      "context": ".",
+      "dockerfile": "Dockerfile",
+      "args": {
+        "v1": "pre-abc"
+      }
+    }
+  }
+}
+```
+
+Or create an override configuration file:
+
+```hcl
+# env.hcl
+WHOAMI="myuser"
+FOO="def-${WHOAMI}"
+```
+
+And invoke bake together with both of the files:
+
+```console
+$ docker buildx bake -f docker-bake.hcl -f env.hcl --print app
+```
+```json
+{
+  "group": {
+    "default": {
+      "targets": [
+        "app"
+      ]
+    }
+  },
+  "target": {
+    "app": {
+      "context": ".",
+      "dockerfile": "Dockerfile",
+      "args": {
+        "v1": "pre-def-myuser"
+      }
+    }
+  }
+}
+```
+
+## From command line
+
+You can also override target configurations from the command line with the
+[`--set` flag](https://docs.docker.com/engine/reference/commandline/buildx_bake/#set):
+
+```hcl
+# docker-bake.hcl
+target "app" {
+  args = {
+    mybuildarg = "foo"
+  }
+}
+```
+
+```console
+$ docker buildx bake --set app.args.mybuildarg=bar --set app.platform=linux/arm64 app --print
+```
+```json
+{
+  "group": {
+    "default": {
+      "targets": [
+        "app"
+      ]
+    }
+  },
+  "target": {
+    "app": {
+      "context": ".",
+      "dockerfile": "Dockerfile",
+      "args": {
+        "mybuildarg": "bar"
+      },
+      "platforms": [
+        "linux/arm64"
+      ]
+    }
+  }
+}
+```
+
+Pattern matching syntax defined in [https://golang.org/pkg/path/#Match](https://golang.org/pkg/path/#Match)
+is also supported:
+
+```console
+$ docker buildx bake --set foo*.args.mybuildarg=value  # overrides build arg for all targets starting with "foo"
+$ docker buildx bake --set *.platform=linux/arm64      # overrides platform for all targets
+$ docker buildx bake --set foo*.no-cache               # bypass caching only for targets starting with "foo"
+```
+
+Complete list of overridable fields:
+
+* `args`
+* `cache-from`
+* `cache-to`
+* `context`
+* `dockerfile`
+* `labels`
+* `no-cache`
+* `output`
+* `platform`
+* `pull`
+* `secrets`
+* `ssh`
+* `tags`
+* `target`
+
+## Using variables in variables across files
+
+When multiple files are specified, one file can use variables defined in
+another file.
+
+```hcl
+# docker-bake1.hcl
+variable "FOO" {
+  default = upper("${BASE}def")
+}
+
+variable "BAR" {
+  default = "-${FOO}-"
+}
+
+target "app" {
+  args = {
+    v1 = "pre-${BAR}"
+  }
+}
+```
+
+```hcl
+# docker-bake2.hcl
+variable "BASE" {
+  default = "abc"
+}
+
+target "app" {
+  args = {
+    v2 = "${FOO}-post"
+  }
+}
+```
+
+```console
+$ docker buildx bake -f docker-bake1.hcl -f docker-bake2.hcl --print app
+```
+```json
+{
+  "group": {
+    "default": {
+      "targets": [
+        "app"
+      ]
+    }
+  },
+  "target": {
+    "app": {
+      "context": ".",
+      "dockerfile": "Dockerfile",
+      "args": {
+        "v1": "pre--ABCDEF-",
+        "v2": "ABCDEF-post"
+      }
+    }
+  }
+}
+```

docs/guides/bake/file-definition.md

@@ -0,0 +1,440 @@
+# Bake file definition
+
+`buildx bake` supports HCL, JSON and Compose file format for defining build
+[groups](#group), [targets](#target) as well as [variables](#variable) and
+[functions](#functions). It looks for build definition files in the current
+directory in the following order:
+
+* `docker-compose.yml`
+* `docker-compose.yaml`
+* `docker-bake.json`
+* `docker-bake.override.json`
+* `docker-bake.hcl`
+* `docker-bake.override.hcl`
+
+## Specification
+
+Inside a bake file you can declare group, target and variable blocks to define
+project specific reusable build flows.
+
+### Target
+
+A target reflects a single docker build invocation with the same options that
+you would specify for `docker build`:
+
+```hcl
+# docker-bake.hcl
+target "webapp-dev" {
+  dockerfile = "Dockerfile.webapp"
+  tags = ["docker.io/username/webapp:latest"]
+}
+```
+```console
+$ docker buildx bake webapp-dev
+```
+
+> **Note**
+>
+> In the case of compose files, each service corresponds to a target.
+> If compose service name contains a dot it will be replaced with an underscore.
+
+Complete list of valid target fields available for [HCL](#hcl-definition) and
+[JSON](#json-definition) definitions:
+
+| Name                | Type   | Description                                                                                                                                     |
+|---------------------|--------|-------------------------------------------------------------------------------------------------------------------------------------------------|
+| `inherits`          | List   | [Inherit build options](#merging-and-inheritance) from other targets                                                                            |
+| `args`              | Map    | Set build-time variables (same as [`--build-arg` flag](https://docs.docker.com/engine/reference/commandline/buildx_build/))                     |
+| `cache-from`        | List   | External cache sources (same as [`--cache-from` flag](https://docs.docker.com/engine/reference/commandline/buildx_build/))                      |
+| `cache-to`          | List   | Cache export destinations (same as [`--cache-to` flag](https://docs.docker.com/engine/reference/commandline/buildx_build/))                     |
+| `context`           | String | Set of files located in the specified path or URL                                                                                               |
+| `contexts`          | Map    | Additional build contexts (same as [`--build-context` flag](https://docs.docker.com/engine/reference/commandline/buildx_build/))                |
+| `dockerfile`        | String | Name of the Dockerfile (same as [`--file` flag](https://docs.docker.com/engine/reference/commandline/buildx_build/))                            |
+| `dockerfile-inline` | String | Inline Dockerfile content                                                                                                                       |
+| `labels`            | Map    | Set metadata for an image (same as [`--label` flag](https://docs.docker.com/engine/reference/commandline/buildx_build/))                        |
+| `no-cache`          | Bool   | Do not use cache when building the image (same as [`--no-cache` flag](https://docs.docker.com/engine/reference/commandline/buildx_build/))      |
+| `no-cache-filter`   | List   | Do not cache specified stages (same as [`--no-cache-filter` flag](https://docs.docker.com/engine/reference/commandline/buildx_build/))          |
+| `output`            | List   | Output destination (same as [`--output` flag](https://docs.docker.com/engine/reference/commandline/buildx_build/))                              |
+| `platforms`         | List   | Set target platforms for build (same as [`--platform` flag](https://docs.docker.com/engine/reference/commandline/buildx_build/))                |
+| `pull`              | Bool   | Always attempt to pull all referenced images (same as [`--pull` flag](https://docs.docker.com/engine/reference/commandline/buildx_build/))      |
+| `secret`            | List   | Secret to expose to the build (same as [`--secret` flag](https://docs.docker.com/engine/reference/commandline/buildx_build/))                   |
+| `ssh`               | List   | SSH agent socket or keys to expose to the build (same as [`--ssh` flag](https://docs.docker.com/engine/reference/commandline/buildx_build/))    |
+| `tags`              | List   | Name and optionally a tag in the format `name:tag` (same as [`--tag` flag](https://docs.docker.com/engine/reference/commandline/buildx_build/)) |
+| `target`            | String | Set the target build stage to build (same as [`--target` flag](https://docs.docker.com/engine/reference/commandline/buildx_build/))             |
+
+### Group
+
+A group is a grouping of targets:
+
+```hcl
+# docker-bake.hcl
+group "build" {
+  targets = ["db", "webapp-dev"]
+}
+
+target "webapp-dev" {
+  dockerfile = "Dockerfile.webapp"
+  tags = ["docker.io/username/webapp:latest"]
+}
+
+target "db" {
+  dockerfile = "Dockerfile.db"
+  tags = ["docker.io/username/db"]
+}
+```
+```console
+$ docker buildx bake build
+```
+
+### Variable
+
+Similar to how Terraform provides a way to [define variables](https://www.terraform.io/docs/configuration/variables.html#declaring-an-input-variable),
+the HCL file format also supports variable block definitions. These can be used
+to define variables with values provided by the current environment, or a
+default value when unset:
+
+```hcl
+# docker-bake.hcl
+variable "TAG" {
+  default = "latest"
+}
+
+target "webapp-dev" {
+  dockerfile = "Dockerfile.webapp"
+  tags = ["docker.io/username/webapp:${TAG}"]
+}
+```
+```console
+$ docker buildx bake webapp-dev          # will use the default value "latest"
+$ TAG=dev docker buildx bake webapp-dev  # will use the TAG environment variable value
+```
+
+> **Tip**
+>
+> See also the [Configuring builds](configuring-build.md) page for advanced usage.
+
+### Functions
+
+A [set of generally useful functions](https://github.com/docker/buildx/blob/master/bake/hclparser/stdlib.go)
+provided by [go-cty](https://github.com/zclconf/go-cty/tree/main/cty/function/stdlib)
+are available for use in HCL files:
+
+```hcl
+# docker-bake.hcl
+target "webapp-dev" {
+  dockerfile = "Dockerfile.webapp"
+  tags = ["docker.io/username/webapp:latest"]
+  args = {
+    buildno = "${add(123, 1)}"
+  }
+}
+```
+
+In addition, [user defined functions](https://github.com/hashicorp/hcl/tree/main/ext/userfunc)
+are also supported:
+
+```hcl
+# docker-bake.hcl
+function "increment" {
+  params = [number]
+  result = number + 1
+}
+
+target "webapp-dev" {
+  dockerfile = "Dockerfile.webapp"
+  tags = ["docker.io/username/webapp:latest"]
+  args = {
+    buildno = "${increment(123)}"
+  }
+}
+```
+
+> **Note**
+>
+> See [User defined HCL functions](hcl-funcs.md) page for more details.
+
+## Built-in variables
+
+* `BAKE_CMD_CONTEXT` can be used to access the main `context` for bake command
+  from a bake file that has been [imported remotely](file-definition.md#remote-definition).
+* `BAKE_LOCAL_PLATFORM` returns the current platform's default platform
+  specification (e.g. `linux/amd64`).
+
+## Merging and inheritance
+
+Multiple files can include the same target and final build options will be
+determined by merging them together:
+
+```hcl
+# docker-bake.hcl
+target "webapp-dev" {
+  dockerfile = "Dockerfile.webapp"
+  tags = ["docker.io/username/webapp:latest"]
+}
+```
+```hcl
+# docker-bake2.hcl
+target "webapp-dev" {
+  tags = ["docker.io/username/webapp:dev"]
+}
+```
+```console
+$ docker buildx bake -f docker-bake.hcl -f docker-bake2.hcl webapp-dev
+```
+
+A group can specify its list of targets with the `targets` option. A target can
+inherit build options by setting the `inherits` option to the list of targets or
+groups to inherit from:
+
+```hcl
+# docker-bake.hcl
+target "webapp-dev" {
+  dockerfile = "Dockerfile.webapp"
+  tags = ["docker.io/username/webapp:${TAG}"]
+}
+
+target "webapp-release" {
+  inherits = ["webapp-dev"]
+  platforms = ["linux/amd64", "linux/arm64"]
+}
+```
+
+## `default` target/group
+
+When you invoke `bake` you specify what targets/groups you want to build. If no
+arguments is specified, the group/target named `default` will be built:
+
+```hcl
+# docker-bake.hcl
+target "default" {
+  dockerfile = "Dockerfile.webapp"
+  tags = ["docker.io/username/webapp:latest"]
+}
+```
+```console
+$ docker buildx bake
+```
+
+## Definitions
+
+### HCL definition
+
+HCL definition file is recommended as its experience is more aligned with buildx UX
+and also allows better code reuse, different target groups and extended features.
+
+```hcl
+# docker-bake.hcl
+variable "TAG" {
+  default = "latest"
+}
+
+group "default" {
+  targets = ["db", "webapp-dev"]
+}
+
+target "webapp-dev" {
+  dockerfile = "Dockerfile.webapp"
+  tags = ["docker.io/username/webapp:${TAG}"]
+}
+
+target "webapp-release" {
+  inherits = ["webapp-dev"]
+  platforms = ["linux/amd64", "linux/arm64"]
+}
+
+target "db" {
+  dockerfile = "Dockerfile.db"
+  tags = ["docker.io/username/db"]
+}
+```
+
+### JSON definition
+
+```json
+{
+  "variable": {
+    "TAG": {
+      "default": "latest"
+    }
+  },
+  "group": {
+    "default": {
+      "targets": [
+        "db",
+        "webapp-dev"
+      ]
+    }
+  },
+  "target": {
+    "webapp-dev": {
+      "dockerfile": "Dockerfile.webapp",
+      "tags": [
+        "docker.io/username/webapp:${TAG}"
+      ]
+    },
+    "webapp-release": {
+      "inherits": [
+        "webapp-dev"
+      ],
+      "platforms": [
+        "linux/amd64",
+        "linux/arm64"
+      ]
+    },
+    "db": {
+      "dockerfile": "Dockerfile.db",
+      "tags": [
+        "docker.io/username/db"
+      ]
+    }
+  }
+}
+```
+
+### Compose file
+
+```yaml
+# docker-compose.yml
+services:
+  webapp:
+    image: docker.io/username/webapp:latest
+    build:
+      dockerfile: Dockerfile.webapp
+
+  db:
+    image: docker.io/username/db
+    build:
+      dockerfile: Dockerfile.db
+```
+
+> **Note**
+>
+> See [Building from Compose file](compose-file.md) page for more details.
+
+## Remote definition
+
+You can also build bake files directly from a remote Git repository or HTTPS URL:
+
+```console
+$ docker buildx bake "https://github.com/docker/cli.git#v20.10.11" --print
+#1 [internal] load git source https://github.com/docker/cli.git#v20.10.11
+#1 0.745 e8f1871b077b64bcb4a13334b7146492773769f7       refs/tags/v20.10.11
+#1 2.022 From https://github.com/docker/cli
+#1 2.022  * [new tag]         v20.10.11  -> v20.10.11
+#1 DONE 2.9s
+```
+```json
+{
+  "group": {
+    "default": {
+      "targets": [
+        "binary"
+      ]
+    }
+  },
+  "target": {
+    "binary": {
+      "context": "https://github.com/docker/cli.git#v20.10.11",
+      "dockerfile": "Dockerfile",
+      "args": {
+        "BASE_VARIANT": "alpine",
+        "GO_STRIP": "",
+        "VERSION": ""
+      },
+      "target": "binary",
+      "platforms": [
+        "local"
+      ],
+      "output": [
+        "build"
+      ]
+    }
+  }
+}
+```
+
+As you can see the context is fixed to `https://github.com/docker/cli.git` even if
+[no context is actually defined](https://github.com/docker/cli/blob/2776a6d694f988c0c1df61cad4bfac0f54e481c8/docker-bake.hcl#L17-L26)
+in the definition.
+
+If you want to access the main context for bake command from a bake file
+that has been imported remotely, you can use the [`BAKE_CMD_CONTEXT` built-in var](#built-in-variables).
+
+```console
+$ cat https://raw.githubusercontent.com/tonistiigi/buildx/remote-test/docker-bake.hcl
+```
+```hcl
+target "default" {
+  context = BAKE_CMD_CONTEXT
+  dockerfile-inline = <<EOT
+FROM alpine
+WORKDIR /src
+COPY . .
+RUN ls -l && stop
+EOT
+}
+```
+
+```console
+$ docker buildx bake "https://github.com/tonistiigi/buildx.git#remote-test" --print
+```
+```json
+{
+  "target": {
+    "default": {
+      "context": ".",
+      "dockerfile": "Dockerfile",
+      "dockerfile-inline": "FROM alpine\nWORKDIR /src\nCOPY . .\nRUN ls -l \u0026\u0026 stop\n"
+    }
+  }
+}
+```
+
+```console
+$ touch foo bar
+$ docker buildx bake "https://github.com/tonistiigi/buildx.git#remote-test"
+```
+```text
+...
+ > [4/4] RUN ls -l && stop:
+#8 0.101 total 0
+#8 0.102 -rw-r--r--    1 root     root             0 Jul 27 18:47 bar
+#8 0.102 -rw-r--r--    1 root     root             0 Jul 27 18:47 foo
+#8 0.102 /bin/sh: stop: not found
+```
+
+```console
+$ docker buildx bake "https://github.com/tonistiigi/buildx.git#remote-test" "https://github.com/docker/cli.git#v20.10.11" --print
+#1 [internal] load git source https://github.com/tonistiigi/buildx.git#remote-test
+#1 0.429 577303add004dd7efeb13434d69ea030d35f7888       refs/heads/remote-test
+#1 CACHED
+```
+```json
+{
+  "target": {
+    "default": {
+      "context": "https://github.com/docker/cli.git#v20.10.11",
+      "dockerfile": "Dockerfile",
+      "dockerfile-inline": "FROM alpine\nWORKDIR /src\nCOPY . .\nRUN ls -l \u0026\u0026 stop\n"
+    }
+  }
+}
+```
+
+```console
+$ docker buildx bake "https://github.com/tonistiigi/buildx.git#remote-test" "https://github.com/docker/cli.git#v20.10.11"
+```
+```text
+...
+ > [4/4] RUN ls -l && stop:
+#8 0.136 drwxrwxrwx    5 root     root          4096 Jul 27 18:31 kubernetes
+#8 0.136 drwxrwxrwx    3 root     root          4096 Jul 27 18:31 man
+#8 0.136 drwxrwxrwx    2 root     root          4096 Jul 27 18:31 opts
+#8 0.136 -rw-rw-rw-    1 root     root          1893 Jul 27 18:31 poule.yml
+#8 0.136 drwxrwxrwx    7 root     root          4096 Jul 27 18:31 scripts
+#8 0.136 drwxrwxrwx    3 root     root          4096 Jul 27 18:31 service
+#8 0.136 drwxrwxrwx    2 root     root          4096 Jul 27 18:31 templates
+#8 0.136 drwxrwxrwx   10 root     root          4096 Jul 27 18:31 vendor
+#8 0.136 -rwxrwxrwx    1 root     root          9620 Jul 27 18:31 vendor.conf
+#8 0.136 /bin/sh: stop: not found
+```

docs/guides/bake/hcl-funcs.md

@@ -0,0 +1,327 @@
+# User defined HCL functions
+
+## Using interpolation to tag an image with the git sha
+
+As shown in the [File definition](file-definition.md#variable) page, `bake`
+supports variable blocks which are assigned to matching environment variables
+or default values:
+
+```hcl
+# docker-bake.hcl
+variable "TAG" {
+  default = "latest"
+}
+
+group "default" {
+  targets = ["webapp"]
+}
+
+target "webapp" {
+  tags = ["docker.io/username/webapp:${TAG}"]
+}
+```
+
+alternatively, in json format:
+
+```json
+{
+  "variable": {
+    "TAG": {
+      "default": "latest"
+    }
+  },
+  "group": {
+    "default": {
+      "targets": ["webapp"]
+    }
+  },
+  "target": {
+    "webapp": {
+      "tags": ["docker.io/username/webapp:${TAG}"]
+    }
+  }
+}
+```
+
+```console
+$ docker buildx bake --print webapp
+```
+```json
+{
+  "group": {
+    "default": {
+      "targets": [
+        "webapp"
+      ]
+    }
+  },
+  "target": {
+    "webapp": {
+      "context": ".",
+      "dockerfile": "Dockerfile",
+      "tags": [
+        "docker.io/username/webapp:latest"
+      ]
+    }
+  }
+}
+```
+
+```console
+$ TAG=$(git rev-parse --short HEAD) docker buildx bake --print webapp
+```
+```json
+{
+  "group": {
+    "default": {
+      "targets": [
+        "webapp"
+      ]
+    }
+  },
+  "target": {
+    "webapp": {
+      "context": ".",
+      "dockerfile": "Dockerfile",
+      "tags": [
+        "docker.io/username/webapp:985e9e9"
+      ]
+    }
+  }
+}
+```
+
+## Using the `add` function
+
+You can use [`go-cty` stdlib functions](https://github.com/zclconf/go-cty/tree/main/cty/function/stdlib).
+Here we are using the `add` function.
+
+```hcl
+# docker-bake.hcl
+variable "TAG" {
+  default = "latest"
+}
+
+group "default" {
+  targets = ["webapp"]
+}
+
+target "webapp" {
+  args = {
+    buildno = "${add(123, 1)}"
+  }
+}
+```
+
+```console
+$ docker buildx bake --print webapp
+```
+```json
+{
+  "group": {
+    "default": {
+      "targets": [
+        "webapp"
+      ]
+    }
+  },
+  "target": {
+    "webapp": {
+      "context": ".",
+      "dockerfile": "Dockerfile",
+      "args": {
+        "buildno": "124"
+      }
+    }
+  }
+}
+```
+
+## Defining an `increment` function
+
+It also supports [user defined functions](https://github.com/hashicorp/hcl/tree/main/ext/userfunc).
+The following example defines a simple an `increment` function.
+
+```hcl
+# docker-bake.hcl
+function "increment" {
+  params = [number]
+  result = number + 1
+}
+
+group "default" {
+  targets = ["webapp"]
+}
+
+target "webapp" {
+  args = {
+    buildno = "${increment(123)}"
+  }
+}
+```
+
+```console
+$ docker buildx bake --print webapp
+```
+```json
+{
+  "group": {
+    "default": {
+      "targets": [
+        "webapp"
+      ]
+    }
+  },
+  "target": {
+    "webapp": {
+      "context": ".",
+      "dockerfile": "Dockerfile",
+      "args": {
+        "buildno": "124"
+      }
+    }
+  }
+}
+```
+
+## Only adding tags if a variable is not empty using an `notequal`
+
+Here we are using the conditional `notequal` function which is just for
+symmetry with the `equal` one.
+
+```hcl
+# docker-bake.hcl
+variable "TAG" {default="" }
+
+group "default" {
+  targets = [
+    "webapp",
+  ]
+}
+
+target "webapp" {
+  context="."
+  dockerfile="Dockerfile"
+  tags = [
+    "my-image:latest",
+    notequal("",TAG) ? "my-image:${TAG}": "",
+  ]
+}
+```
+
+```console
+$ docker buildx bake --print webapp
+```
+```json
+{
+  "group": {
+    "default": {
+      "targets": [
+        "webapp"
+      ]
+    }
+  },
+  "target": {
+    "webapp": {
+      "context": ".",
+      "dockerfile": "Dockerfile",
+      "tags": [
+        "my-image:latest"
+      ]
+    }
+  }
+}
+```
+
+## Using variables in functions
+
+You can refer variables to other variables like the target blocks can. Stdlib
+functions can also be called but user functions can't at the moment.
+
+```hcl
+# docker-bake.hcl
+variable "REPO" {
+  default = "user/repo"
+}
+
+function "tag" {
+  params = [tag]
+  result = ["${REPO}:${tag}"]
+}
+
+target "webapp" {
+  tags = tag("v1")
+}
+```
+
+```console
+$ docker buildx bake --print webapp
+```
+```json
+{
+  "group": {
+    "default": {
+      "targets": [
+        "webapp"
+      ]
+    }
+  },
+  "target": {
+    "webapp": {
+      "context": ".",
+      "dockerfile": "Dockerfile",
+      "tags": [
+        "user/repo:v1"
+      ]
+    }
+  }
+}
+```
+
+## Using typed variables
+
+Non-string variables are also accepted. The value passed with env is parsed
+into suitable type first.
+
+```hcl
+# docker-bake.hcl
+variable "FOO" {
+  default = 3
+}
+
+variable "IS_FOO" {
+  default = true
+}
+
+target "app" {
+  args = {
+    v1 = FOO > 5 ? "higher" : "lower" 
+    v2 = IS_FOO ? "yes" : "no"
+  }
+}
+```
+
+```console
+$ docker buildx bake --print app
+```
+```json
+{
+  "group": {
+    "default": {
+      "targets": [
+        "app"
+      ]
+    }
+  },
+  "target": {
+    "app": {
+      "context": ".",
+      "dockerfile": "Dockerfile",
+      "args": {
+        "v1": "lower",
+        "v2": "yes"
+      }
+    }
+  }
+}
+```

docs/guides/bake/index.md

@@ -0,0 +1,36 @@
+# High-level build options with Bake
+
+> This command is experimental.
+>
+> The design of bake is in early stages, and we are looking for [feedback from users](https://github.com/docker/buildx/issues).
+{: .experimental }
+
+Buildx also aims to provide support for high-level build concepts that go beyond
+invoking a single build command. We want to support building all the images in
+your application together and let the users define project specific reusable
+build flows that can then be easily invoked by anyone.
+
+[BuildKit](https://github.com/moby/buildkit) efficiently handles multiple
+concurrent build requests and de-duplicating work. The build commands can be
+combined with general-purpose command runners (for example, `make`). However,
+these tools generally invoke builds in sequence  and therefore cannot leverage
+the full potential of BuildKit parallelization, or combine BuildKit's output
+for the user. For this use case, we have added a command called
+[`docker buildx bake`](https://docs.docker.com/engine/reference/commandline/buildx_bake/).
+
+The `bake` command supports building images from HCL, JSON and Compose files.
+This is similar to [`docker compose build`](https://docs.docker.com/compose/reference/build/),
+but allowing all the services to be built concurrently as part of a single
+request. If multiple files are specified they are all read and configurations are
+combined.
+
+We recommend using HCL files as its experience is more aligned with buildx UX
+and also allows better code reuse, different target groups and extended features.
+
+## Next steps
+
+* [File definition](file-definition.md)
+* [Configuring builds](configuring-build.md)
+* [User defined HCL functions](hcl-funcs.md)
+* [Defining additional build contexts and linking targets](build-contexts.md)
+* [Building from Compose file](compose-file.md)

docs/guides/cicd.md

@@ -0,0 +1,48 @@
+# CI/CD
+
+## GitHub Actions
+
+Docker provides a [GitHub Action that will build and push your image](https://github.com/docker/build-push-action/#about)
+using Buildx. Here is a simple workflow:
+
+```yaml
+name: ci
+
+on:
+  push:
+    branches:
+      - 'main'
+
+jobs:
+  docker:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      -
+        name: Login to DockerHub
+        uses: docker/login-action@v2 
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      -
+        name: Build and push
+        uses: docker/build-push-action@v2
+        with:
+          push: true
+          tags: user/app:latest
+```
+
+In this example we are also using 3 other actions:
+
+* [`setup-buildx`](https://github.com/docker/setup-buildx-action) action will create and boot a builder using by
+default the `docker-container` [builder driver](../reference/buildx_create.md#driver).
+This is **not required but recommended** using it to be able to build multi-platform images, export cache, etc.
+* [`setup-qemu`](https://github.com/docker/setup-qemu-action) action can be useful if you want
+to add emulation support with QEMU to be able to build against more platforms.
+* [`login`](https://github.com/docker/login-action) action will take care to log
+in against a Docker registry.

docs/guides/cni-networking.md

@@ -0,0 +1,23 @@
+# CNI networking
+
+It can be useful to use a bridge network for your builder if for example you
+encounter a network port contention during multiple builds. If you're using
+the BuildKit image, CNI is not yet available in it, but you can create
+[a custom BuildKit image with CNI support](https://github.com/moby/buildkit/blob/master/docs/cni-networking.md).
+
+Now build this image:
+
+```console
+$ docker buildx build --tag buildkit-cni:local --load .
+```
+
+Then [create a `docker-container` builder](https://docs.docker.com/engine/reference/commandline/buildx_create/) that
+will use this image:
+
+```console
+$ docker buildx create --use \
+  --name mybuilder \
+  --driver docker-container \
+  --driver-opt "image=buildkit-cni:local" \
+  --buildkitd-flags "--oci-worker-net=cni"
+```

docs/guides/color-output.md

@@ -0,0 +1,20 @@
+# Color output controls
+
+Buildx has support for modifying the colors that are used to output information
+to the terminal. You can set the environment variable `BUILDKIT_COLORS` to
+something like `run=123,20,245:error=yellow:cancel=blue:warning=white` to set
+the colors that you would like to use:
+
+![Progress output custom colors](https://user-images.githubusercontent.com/1951866/180584033-24522385-cafd-4a54-a4a2-18f5ce74eb27.png)
+
+Setting `NO_COLOR` to anything will disable any colorized output as recommended
+by [no-color.org](https://no-color.org/):
+
+![Progress output no color](https://user-images.githubusercontent.com/1951866/180584037-e28f9997-dd4c-49cf-8b26-04864815de19.png)
+
+> **Note**
+>
+> Parsing errors will be reported but ignored. This will result in default
+> color values being used where needed.
+
+See also [the list of pre-defined colors](https://github.com/moby/buildkit/blob/master/util/progress/progressui/colors.go).

docs/guides/custom-network.md

@@ -0,0 +1,34 @@
+# Using a custom network
+
+[Create a network](https://docs.docker.com/engine/reference/commandline/network_create/)
+named `foonet`:
+
+```console
+$ docker network create foonet
+```
+
+[Create a `docker-container` builder](https://docs.docker.com/engine/reference/commandline/buildx_create/)
+named `mybuilder` that will use this network:
+
+```console
+$ docker buildx create --use \
+  --name mybuilder \
+  --driver docker-container \
+  --driver-opt "network=foonet"
+```
+
+Boot and [inspect `mybuilder`](https://docs.docker.com/engine/reference/commandline/buildx_inspect/):
+
+```console
+$ docker buildx inspect --bootstrap
+```
+
+[Inspect the builder container](https://docs.docker.com/engine/reference/commandline/inspect/)
+and see what network is being used:
+
+{% raw %}
+```console
+$ docker inspect buildx_buildkit_mybuilder0 --format={{.NetworkSettings.Networks}}
+map[foonet:0xc00018c0c0]
+```
+{% endraw %}

docs/guides/custom-registry-config.md

@@ -0,0 +1,63 @@
+# Using a custom registry configuration
+
+If you [create a `docker-container` or `kubernetes` builder](https://docs.docker.com/engine/reference/commandline/buildx_create/) and
+have specified certificates for registries in the [BuildKit daemon configuration](https://github.com/moby/buildkit/blob/master/docs/buildkitd.toml.md),
+the files will be copied into the container under `/etc/buildkit/certs` and
+configuration will be updated to reflect that.
+
+Take the following `buildkitd.toml` configuration that will be used for
+pushing an image to this registry using self-signed certificates:
+
+```toml
+# /etc/buildkitd.toml
+debug = true
+[registry."myregistry.com"]
+  ca=["/etc/certs/myregistry.pem"]
+  [[registry."myregistry.com".keypair]]
+    key="/etc/certs/myregistry_key.pem"
+    cert="/etc/certs/myregistry_cert.pem"
+```
+
+Here we have configured a self-signed certificate for `myregistry.com` registry.
+
+Now [create a `docker-container` builder](https://docs.docker.com/engine/reference/commandline/buildx_create/)
+that will use this BuildKit configuration:
+
+```console
+$ docker buildx create --use \
+  --name mybuilder \
+  --driver docker-container \
+  --config /etc/buildkitd.toml
+```
+
+Inspecting the builder container, you can see that buildkitd configuration
+has changed:
+
+```console
+$ docker exec -it buildx_buildkit_mybuilder0 cat /etc/buildkit/buildkitd.toml
+```
+```toml
+debug = true
+
+[registry]
+
+  [registry."myregistry.com"]
+    ca = ["/etc/buildkit/certs/myregistry.com/myregistry.pem"]
+
+    [[registry."myregistry.com".keypair]]
+      cert = "/etc/buildkit/certs/myregistry.com/myregistry_cert.pem"
+      key = "/etc/buildkit/certs/myregistry.com/myregistry_key.pem"
+```
+
+And certificates copied inside the container:
+
+```console
+$ docker exec -it buildx_buildkit_mybuilder0 ls /etc/buildkit/certs/myregistry.com/
+myregistry.pem    myregistry_cert.pem   myregistry_key.pem
+```
+
+Now you should be able to push to the registry with this builder:
+
+```console
+$ docker buildx build --push --tag myregistry.com/myimage:latest .
+```

docs/guides/drivers/docker-container.md

@@ -0,0 +1,75 @@
+# Docker container driver
+
+The buildx docker-container driver allows creation of a managed and
+customizable BuildKit environment inside a dedicated Docker container.
+
+Using the docker-container driver has a couple of advantages over the basic
+docker driver. Firstly, we can manually override the version of buildkit to
+use, meaning that we can access the latest and greatest features as soon as
+they're released, instead of waiting to upgrade to a newer version of Docker.
+Additionally, we can access more complex features like multi-architecture
+builds and the more advanced cache exporters, which are currently unsupported
+in the default docker driver.
+
+We can easily create a new builder that uses the docker-container driver:
+
+```console
+$ docker buildx create --name container --driver docker-container
+container
+```
+
+We should then be able to see it on our list of available builders:
+
+```console
+$ docker buildx ls
+NAME/NODE       DRIVER/ENDPOINT      STATUS   BUILDKIT PLATFORMS
+container       docker-container                       
+  container0    desktop-linux        inactive          
+default         docker                                 
+  default       default              running  20.10.17 linux/amd64, linux/386
+```
+
+If we trigger a build, the appropriate `moby/buildkit` image will be pulled
+from [Docker Hub](https://hub.docker.com/u/moby/buildkit), the image started,
+and our build submitted to our containerized build server.
+
+```console
+$ docker buildx build -t <image> --builder=container .
+WARNING: No output specified with docker-container driver. Build result will only remain in the build cache. To push result image into registry use --push or to load image into docker use --load
+#1 [internal] booting buildkit
+#1 pulling image moby/buildkit:buildx-stable-1
+#1 pulling image moby/buildkit:buildx-stable-1 1.9s done
+#1 creating container buildx_buildkit_container0
+#1 creating container buildx_buildkit_container0 0.5s done
+#1 DONE 2.4s
+...
+```
+
+Note the warning "Build result will only remain in the build cache" - unlike
+the `docker` driver, the built image must be explicitly loaded into the local
+image store. We can use the `--load` flag for this:
+
+```console
+$ docker buildx build --load -t <image> --builder=container .
+...
+ => exporting to oci image format                                                                                                      7.7s
+ => => exporting layers                                                                                                                4.9s
+ => => exporting manifest sha256:4e4ca161fa338be2c303445411900ebbc5fc086153a0b846ac12996960b479d3                                      0.0s 
+ => => exporting config sha256:adf3eec768a14b6e183a1010cb96d91155a82fd722a1091440c88f3747f1f53f                                        0.0s 
+ => => sending tarball                                                                                                                 2.8s 
+ => importing to docker   
+```
+
+The image should then be available in the image store:
+
+```console
+$ docker image ls
+REPOSITORY                       TAG               IMAGE ID       CREATED             SIZE
+<image>                          latest            adf3eec768a1   2 minutes ago       197MB
+```
+
+## Further reading
+
+For more information on the docker-container driver, see the [buildx reference](https://docs.docker.com/engine/reference/commandline/buildx_create/#driver).
+
+<!--- FIXME: for 0.9, make reference link relative --->

docs/guides/drivers/docker.md

@@ -0,0 +1,50 @@
+# Docker driver
+
+The buildx docker driver is the default builtin driver, that uses the BuildKit
+server components built directly into the docker engine.
+
+No setup should be required for the docker driver - it should already be
+configured for you:
+
+```console
+$ docker buildx ls
+NAME/NODE       DRIVER/ENDPOINT      STATUS   BUILDKIT PLATFORMS
+default         docker                                 
+  default       default              running  20.10.17 linux/amd64, linux/386
+```
+
+This builder is ready to build with out-of-the-box, requiring no extra setup,
+so you can get going with a `docker buildx build` as soon as you like.
+
+Depending on your personal setup, you may find multiple builders in your list
+the use the docker driver. For example, on a system that runs both a package
+managed version of dockerd, as well as Docker Desktop, you might have the
+following:
+
+```console
+NAME/NODE       DRIVER/ENDPOINT STATUS  BUILDKIT PLATFORMS
+default         docker                           
+  default       default         running 20.10.17 linux/amd64, linux/386
+desktop-linux * docker                           
+  desktop-linux desktop-linux   running 20.10.17 linux/amd64, linux/arm64, linux/riscv64, linux/ppc64le, linux/s390x, linux/386, linux/arm/v7, linux/arm/v6
+```
+
+This is because the docker driver builders are automatically pulled from
+the available [Docker Contexts](https://docs.docker.com/engine/context/working-with-contexts/).
+When you add new contexts using `docker context create`, these will appear in
+your list of buildx builders.
+
+Unlike the [other drivers](../index.md), builders using the docker driver
+cannot be manually created, and can only be automatically created from the
+docker context. Additionally, they cannot be configured to a specific BuildKit
+version, and cannot take any extra parameters, as these are both preset by the
+Docker engine internally.
+
+If you want the extra configuration and flexibility without too much more
+overhead, then see the help page for the [docker-container driver](./docker-container.md).
+
+## Further reading
+
+For more information on the docker driver, see the [buildx reference](https://docs.docker.com/engine/reference/commandline/buildx_create/#driver).
+
+<!--- FIXME: for 0.9, make reference link relative --->

docs/guides/drivers/index.md

@@ -0,0 +1,41 @@
+# Buildx drivers overview
+
+The buildx client connects out to the BuildKit backend to execute builds -
+Buildx drivers allow fine-grained control over management of the backend, and
+supports several different options for where and how BuildKit should run.
+
+Currently, we support the following drivers:
+
+- The `docker` driver, that uses the BuildKit library bundled into the Docker
+  daemon.
+  ([guide](./docker.md), [reference](https://docs.docker.com/engine/reference/commandline/buildx_create/#driver))
+- The `docker-container` driver, that launches a dedicated BuildKit container
+  using Docker, for access to advanced features.
+  ([guide](./docker-container.md), [reference](https://docs.docker.com/engine/reference/commandline/buildx_create/#driver))
+- The `kubernetes` driver, that launches dedicated BuildKit pods in a
+  remote Kubernetes cluster, for scalable builds.
+  ([guide](./kubernetes.md), [reference](https://docs.docker.com/engine/reference/commandline/buildx_create/#driver))
+- The `remote` driver, that allows directly connecting to a manually managed
+  BuildKit daemon, for more custom setups.
+  ([guide](./remote.md))
+
+<!--- FIXME: for 0.9, make links relative, and add reference link for remote --->
+
+To create a new builder that uses one of the above drivers, you can use the
+[`docker buildx create`](https://docs.docker.com/engine/reference/commandline/buildx_create/) command:
+
+```console
+$ docker buildx create --name=<builder-name> --driver=<driver> --driver-opt=<driver-options>
+```
+
+The build experience is very similar across drivers, however, there are some
+features that are not evenly supported across the board, notably, the `docker`
+driver does not include support for certain output/caching types.
+
+| Feature                       |    `docker`     | `docker-container` | `kubernetes` |        `remote`        |
+| :---------------------------- | :-------------: | :----------------: | :----------: | :--------------------: |
+| **Automatic `--load`**        |        ✅        |         ❌          |      ❌       |           ❌            |
+| **Cache export**              | ❔ (inline only) |         ✅          |      ✅       |           ✅            |
+| **Docker/OCI tarball output** |        ❌        |         ✅          |      ✅       |           ✅            |
+| **Multi-arch images**         |        ❌        |         ✅          |      ✅       |           ✅            |
+| **BuildKit configuration**    |        ❌        |         ✅          |      ✅       | ❔ (managed externally) |

docs/guides/drivers/kubernetes.md

@@ -0,0 +1,238 @@
+# Kubernetes driver
+
+The buildx kubernetes driver allows connecting your local development or ci
+environments to your kubernetes cluster to allow access to more powerful
+and varied compute resources.
+
+This guide assumes you already have an existing kubernetes cluster - if you don't already
+have one, you can easily follow along by installing
+[minikube](https://minikube.sigs.k8s.io/docs/).
+
+Before connecting buildx to your cluster, you may want to create a dedicated
+namespace using `kubectl` to keep your buildx-managed resources separate. You
+can call your namespace anything you want, or use the existing `default`
+namespace, but we'll create a `buildkit` namespace for now:
+
+```console
+$ kubectl create namespace buildkit
+```
+
+Then create a new buildx builder:
+
+```console
+$ docker buildx create \
+  --bootstrap \
+  --name=kube \
+  --driver=kubernetes \
+  --driver-opt=namespace=buildkit
+```
+
+This assumes that the kubernetes cluster you want to connect to is currently
+accessible via the kubectl command, with the `KUBECONFIG` environment variable
+[set appropriately](https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/#set-the-kubeconfig-environment-variable)
+if neccessary.
+
+You should now be able to see the builder in the list of buildx builders:
+
+```console
+$ docker buildx ls
+NAME/NODE                DRIVER/ENDPOINT STATUS  PLATFORMS
+kube                     kubernetes              
+  kube0-6977cdcb75-k9h9m                 running linux/amd64, linux/amd64/v2, linux/amd64/v3, linux/386
+default *                docker
+  default                default         running linux/amd64, linux/386
+```
+
+The buildx driver creates the neccessary resources on your cluster in the
+specified namespace (in this case, `buildkit`), while keeping your
+driver configuration locally. You can see the running pods with:
+
+```console
+$ kubectl -n buildkit get deployments
+NAME    READY   UP-TO-DATE   AVAILABLE   AGE
+kube0   1/1     1            1           32s
+
+$ kubectl -n buildkit get pods
+NAME                     READY   STATUS    RESTARTS   AGE
+kube0-6977cdcb75-k9h9m   1/1     Running   0          32s
+```
+
+You can use your new builder by including the `--builder` flag when running
+buildx commands. For example (replacing `<user>` and `<image>` with your Docker
+Hub username and desired image output respectively):
+
+```console
+$ docker buildx build . \
+  --builder=kube \
+  -t <user>/<image> \
+  --push
+```
+
+## Scaling Buildkit
+
+One of the main advantages of the kubernetes builder is that you can easily
+scale your builder up and down to handle increased build load. These controls
+are exposed via the following options:
+
+- `replicas=N`
+  - This scales the number of buildkit pods to the desired size. By default,
+    only a single pod will be created, but increasing this allows taking of
+    advantage of multiple nodes in your cluster.
+- `requests.cpu`, `requests.memory`, `limits.cpu`, `limits.memory`
+  - These options allow requesting and limiting the resources available to each
+    buildkit pod according to the official kubernetes documentation
+    [here](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
+    
+For example, to create 4 replica buildkit pods:
+
+```console
+$ docker buildx create \
+  --bootstrap \
+  --name=kube \
+  --driver=kubernetes \
+  --driver-opt=namespace=buildkit,replicas=4
+```
+
+Listing the pods, we get:
+
+```console
+$ kubectl -n buildkit get deployments
+NAME    READY   UP-TO-DATE   AVAILABLE   AGE
+kube0   4/4     4            4           8s
+
+$ kubectl -n buildkit get pods
+NAME                     READY   STATUS    RESTARTS   AGE
+kube0-6977cdcb75-48ld2   1/1     Running   0          8s
+kube0-6977cdcb75-rkc6b   1/1     Running   0          8s
+kube0-6977cdcb75-vb4ks   1/1     Running   0          8s
+kube0-6977cdcb75-z4fzs   1/1     Running   0          8s
+```
+    
+Additionally, you can use the `loadbalance=(sticky|random)` option to control
+the load-balancing behavior when there are multiple replicas. While `random`
+should selects random nodes from the available pool, which should provide
+better balancing across all replicas, `sticky` (the default) attempts to
+connect the same build performed multiple times to the same node each time,
+ensuring better local cache utilization.
+
+For more information on scalability, see the options for [buildx create](https://docs.docker.com/engine/reference/commandline/buildx_create/#driver-opt).
+
+## Multi-platform builds
+
+The kubernetes buildx driver has support for creating [multi-platform images](https://docs.docker.com/build/buildx/multiplatform-images/),
+for easily building for multiple platforms at once.
+
+### QEMU
+
+Like the other containerized driver `docker-container`, the kubernetes driver
+also supports using [QEMU](https://www.qemu.org/) (user mode) to build
+non-native platforms. If using a default setup like above, no extra setup
+should be needed, you should just be able to start building for other
+architectures, by including the `--platform` flag.
+
+For example, to build a Linux image for `amd64` and `arm64`:
+
+```console
+$ docker buildx build . \
+  --builder=kube \
+  --platform=linux/amd64,linux/arm64 \
+  -t <user>/<image> \
+  --push
+```
+
+> **Warning**
+> QEMU performs full-system emulation of non-native platforms, which is *much*
+> slower than native builds. Compute-heavy tasks like compilation and
+> compression/decompression will likely take a large performance hit.
+
+Note, if you're using a custom buildkit image using the `image=<image>` driver
+option, or invoking non-native binaries from within your build, you may need to
+explicitly enable QEMU using the `qemu.install` option during driver creation:
+
+```console
+$ docker buildx create \
+  --bootstrap \
+  --name=kube \
+  --driver=kubernetes \
+  --driver-opt=namespace=buildkit,qemu.install=true
+```
+
+### Native
+
+If you have access to cluster nodes of different architectures, we can
+configure the kubernetes driver to take advantage of these for native builds.
+To do this, we need to use the `--append` feature of `docker buildx create`.
+
+To start, we can create our builder with explicit support for a single
+architecture, `amd64`:
+
+```console
+$ docker buildx create \
+  --bootstrap \
+  --name=kube \
+  --driver=kubernetes \
+  --platform=linux/amd64 \
+  --node=builder-amd64 \
+  --driver-opt=namespace=buildkit,nodeselector="kubernetes.io/arch=amd64"
+```
+
+This creates a buildx builder `kube` containing a single builder node `builder-amd64`.
+Note that the buildx concept of a node is not the same as the kubernetes
+concept of a node - the buildx node in this case could connect multiple
+kubernetes nodes of the same architecture together.
+
+With our `kube` driver created, we can now introduce another architecture into
+the mix, for example, like before we can use `arm64`:
+
+```console
+$ docker buildx create \
+  --append \
+  --bootstrap \
+  --name=kube \
+  --driver=kubernetes \
+  --platform=linux/arm64 \
+  --node=builder-arm64 \
+  --driver-opt=namespace=buildkit,nodeselector="kubernetes.io/arch=arm64"
+```
+
+If you list builders now, you should be able to see both nodes present:
+
+```console
+$ docker buildx ls
+NAME/NODE       DRIVER/ENDPOINT                                         STATUS   PLATFORMS
+kube            kubernetes                                                       
+  builder-amd64 kubernetes:///kube?deployment=builder-amd64&kubeconfig= running  linux/amd64*, linux/amd64/v2, linux/amd64/v3, linux/386
+  builder-arm64 kubernetes:///kube?deployment=builder-arm64&kubeconfig= running  linux/arm64*
+```
+
+You should now be able to build multi-arch images with `amd64` and `arm64`
+combined, by specifying those platforms together in your buildx command:
+
+```console
+$ docker buildx build --builder=kube --platform=linux/amd64,linux/arm64 -t <user>/<image> --push .
+```
+
+You can repeat the `buildx create --append` command for as many different
+architectures that you want to support.
+
+## Rootless mode
+
+The kubernetes driver supports rootless mode. For more information on how
+rootless mode works, and it's requirements, see [here](https://github.com/moby/buildkit/blob/master/docs/rootless.md).
+
+To enable it in your cluster, you can use the `rootless=true` driver option:
+
+```console
+$ docker buildx create \
+  --name=kube \
+  --driver=kubernetes \
+  --driver-opt=namespace=buildkit,rootless=true
+```
+
+This will create your pods without `securityContext.privileged`.
+
+## Further reading
+
+For more information on the kubernetes driver, see the [buildx reference](https://docs.docker.com/engine/reference/commandline/buildx_create/#driver).
+
+<!--- FIXME: for 0.9, make reference link relative --->

docs/guides/drivers/remote.md

@@ -0,0 +1,178 @@
+# Remote driver
+
+The buildx remote driver allows for more complex custom build workloads that
+allow users to connect to external buildkit instances. This is useful for
+scenarios that require manual management of the buildkit daemon, or where a
+buildkit daemon is exposed from another source.
+
+To connect to a running buildkitd instance:
+
+```console
+$ docker buildx create \
+  --name remote \
+  --driver remote \
+  tcp://localhost:1234
+```
+
+## Remote Buildkit over Unix sockets
+
+In this scenario, we'll create a setup with buildkitd listening on a unix
+socket, and have buildx connect through it.
+
+Firstly, ensure that [buildkit](https://github.com/moby/buildkit) is installed.
+For example, you can launch an instance of buildkitd with:
+
+```console
+$ sudo ./buildkitd --group $(id -gn) --addr unix://$HOME/buildkitd.sock
+```
+
+Alternatively, [see here](https://github.com/moby/buildkit/blob/master/docs/rootless.md)
+for running buildkitd in rootless mode or [here](https://github.com/moby/buildkit/tree/master/examples/systemd)
+for examples of running it as a systemd service.
+
+You should now have a unix socket accessible to your user, that is available to
+connect to:
+
+```console
+$ ls -lh /home/user/buildkitd.sock
+srw-rw---- 1 root user 0 May  5 11:04 /home/user/buildkitd.sock
+```
+
+You can then connect buildx to it with the remote driver:
+
+```console
+$ docker buildx create \
+  --name remote-unix \
+  --driver remote \
+  unix://$HOME/buildkitd.sock
+```
+        
+If you list available builders, you should then see `remote-unix` among them:
+
+```console
+$ docker buildx ls
+NAME/NODE           DRIVER/ENDPOINT                        STATUS  PLATFORMS
+remote-unix         remote
+  remote-unix0      unix:///home/.../buildkitd.sock        running linux/amd64, linux/amd64/v2, linux/amd64/v3, linux/386
+default *           docker
+  default           default                                running linux/amd64, linux/386
+```
+
+We can switch to this new builder as the default using `docker buildx use remote-unix`,
+or specify it per build:
+
+```console
+$ docker buildx build --builder=remote-unix -t test --load .
+```
+
+(remember that `--load` is necessary when not using the default `docker`
+driver, to load the build result into the docker daemon)
+
+## Remote Buildkit in Docker container
+
+In this scenario, we'll create a similar setup to the `docker-container`
+driver, by manually booting a buildkit docker container and connecting to it
+using the buildx remote driver. In most cases you'd probably just use the
+`docker-container` driver that connects to buildkit through the Docker daemon,
+but in this case we manually create a container and access it via it's exposed
+port.
+
+First, we need to generate certificates for buildkit - you can use the 
+[create-certs.sh](https://github.com/moby/buildkit/v0.10.3/master/examples/kubernetes/create-certs.sh)
+script as a starting point. Note, that while it is *possible* to expose
+buildkit over TCP without using TLS, it is **not recommended**, since this will
+allow arbitrary access to buildkit without credentials.
+
+With our certificates generated in `.certs/`, we startup the container:
+
+```console
+$ docker run -d --rm \
+  --name=remote-buildkitd \
+  --privileged \
+  -p 1234:1234 \
+  -v $PWD/.certs:/etc/buildkit/certs \
+  moby/buildkit:latest \
+  --addr tcp://0.0.0.0:1234 \
+  --tlscacert /etc/buildkit/certs/ca.pem \
+  --tlscert /etc/buildkit/certs/daemon-cert.pem \
+  --tlskey /etc/buildkit/certs/daemon-key.pem
+```
+
+The above command starts a buildkit container and exposes the daemon's port
+1234 to localhost.
+
+We can now connect to this running container using buildx:
+
+```console
+$ docker buildx create \
+  --name remote-container \
+  --driver remote \
+  --driver-opt cacert=.certs/ca.pem,cert=.certs/client-cert.pem,key=.certs/client-key.pem,servername=... \
+  tcp://localhost:1234
+```
+
+Alternatively, we could use the `docker-container://` URL scheme to connect
+to the buildkit container without specifying a port:
+
+```console
+$ docker buildx create \
+  --name remote-container \
+  --driver remote \
+  docker-container://remote-container
+```
+
+## Remote Buildkit in Kubernetes
+
+In this scenario, we'll create a similar setup to the `kubernetes` driver by
+manually creating a buildkit `Deployment`. While the `kubernetes` driver will
+do this under-the-hood, it might sometimes be desirable to scale buildkit
+manually. Additionally, when executing builds from inside Kubernetes pods,
+the buildx builder will need to be recreated from within each pod or copied
+between them.
+
+Firstly, we can create a kubernetes deployment of buildkitd, as per the
+instructions [here](https://github.com/moby/buildkit/tree/master/examples/kubernetes).
+Following the guide, we setup certificates for the buildkit daemon and client
+(as above using [create-certs.sh](https://github.com/moby/buildkit/blob/v0.10.3/examples/kubernetes/create-certs.sh))
+and create a `Deployment` of buildkit pods with a service that connects to
+them.
+
+Assuming that the service is called `buildkitd`, we can create a remote builder
+in buildx, ensuring that the listed certificate files are present:
+
+```console
+$ docker buildx create \
+  --name remote-kubernetes \
+  --driver remote \
+  --driver-opt cacert=.certs/ca.pem,cert=.certs/client-cert.pem,key=.certs/client-key.pem \
+  tcp://buildkitd.default.svc:1234
+```
+
+Note that the above will only work in-cluster (since the buildkit setup guide
+only creates a ClusterIP service). To configure the builder to be accessible
+remotely, you can use an appropriately configured Ingress, which is outside the
+scope of this guide.
+
+To access the service remotely, we can use the port forwarding mechanism in
+kubectl:
+
+```console
+$ kubectl port-forward svc/buildkitd 1234:1234
+```
+
+Then you can simply point the remote driver at `tcp://localhost:1234`.
+
+Alternatively, we could use the `kube-pod://` URL scheme to connect
+directly to a buildkit pod through the kubernetes api (note that this method
+will only connect to a single pod in the deployment):
+
+```console
+$ kubectl get pods --selector=app=buildkitd -o json | jq -r '.items[].metadata.name
+buildkitd-XXXXXXXXXX-xxxxx
+$ docker buildx create \
+  --name remote-container \
+  --driver remote \
+  kube-pod://buildkitd-XXXXXXXXXX-xxxxx
+```
+
+<!--- FIXME: for 0.9, add further reading section with link to reference --->

docs/guides/opentelemetry.md

@@ -0,0 +1,31 @@
+# OpenTelemetry support
+
+To capture the trace to [Jaeger](https://github.com/jaegertracing/jaeger), set
+`JAEGER_TRACE` environment variable to the collection address using a `driver-opt`.
+
+First create a Jaeger container:
+
+```console
+$ docker run -d --name jaeger -p "6831:6831/udp" -p "16686:16686" jaegertracing/all-in-one
+```
+
+Then [create a `docker-container` builder](https://docs.docker.com/engine/reference/commandline/buildx_create/)
+that will use the Jaeger instance via the `JAEGER_TRACE` env var:
+
+```console
+$ docker buildx create --use \
+  --name mybuilder \
+  --driver docker-container \
+  --driver-opt "network=host" \
+  --driver-opt "env.JAEGER_TRACE=localhost:6831"
+```
+
+Boot and [inspect `mybuilder`](https://docs.docker.com/engine/reference/commandline/buildx_inspect/):
+
+```console
+$ docker buildx inspect --bootstrap
+```
+
+Buildx commands should be traced at `http://127.0.0.1:16686/`:
+
+![OpenTelemetry Buildx Bake](https://user-images.githubusercontent.com/1951866/124468052-ef085400-dd98-11eb-84ab-7ac8e261dd52.png)

docs/guides/registry-mirror.md

@@ -0,0 +1,62 @@
+# Registry mirror
+
+You can define a registry mirror to use for your builds by providing a [BuildKit daemon configuration](https://github.com/moby/buildkit/blob/master/docs/buildkitd.toml.md)
+while creating a builder with the [`--config` flags](https://docs.docker.com/engine/reference/commandline/buildx_create/#config).
+
+```toml
+# /etc/buildkitd.toml
+debug = true
+[registry."docker.io"]
+  mirrors = ["mirror.gcr.io"]
+```
+
+> **Note**
+>
+> `debug = true` has been added to be able to debug requests
+> in the BuildKit daemon and see if the mirror is effectively used.
+
+Then [create a `docker-container` builder](https://docs.docker.com/engine/reference/commandline/buildx_create/)
+that will use this BuildKit configuration:
+
+```console
+$ docker buildx create --use \
+  --name mybuilder \
+  --driver docker-container \
+  --config /etc/buildkitd.toml
+```
+
+Boot and [inspect `mybuilder`](https://docs.docker.com/engine/reference/commandline/buildx_inspect/):
+
+```console
+$ docker buildx inspect --bootstrap
+```
+
+Build an image:
+
+```console
+$ docker buildx build --load . -f-<<EOF
+FROM alpine
+RUN echo "hello world"
+EOF
+```
+
+Now let's check the BuildKit logs in the builder container:
+
+```console
+$ docker logs buildx_buildkit_mybuilder0
+```
+```text
+...
+time="2022-02-06T17:47:48Z" level=debug msg="do request" request.header.accept="application/vnd.docker.container.image.v1+json, */*" request.header.user-agent=containerd/1.5.8+unknown request.method=GET spanID=9460e5b6e64cec91 traceID=b162d3040ddf86d6614e79c66a01a577
+time="2022-02-06T17:47:48Z" level=debug msg="fetch response received" response.header.accept-ranges=bytes response.header.age=1356 response.header.alt-svc="h3=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000,h3-Q050=\":443\"; ma=2592000,h3-Q046=\":443\"; ma=2592000,h3-Q043=\":443\"; ma=2592000,quic=\":443\"; ma=2592000; v=\"46,43\"" response.header.cache-control="public, max-age=3600" response.header.content-length=1469 response.header.content-type=application/octet-stream response.header.date="Sun, 06 Feb 2022 17:25:17 GMT" response.header.etag="\"774380abda8f4eae9a149e5d5d3efc83\"" response.header.expires="Sun, 06 Feb 2022 18:25:17 GMT" response.header.last-modified="Wed, 24 Nov 2021 21:07:57 GMT" response.header.server=UploadServer response.header.x-goog-generation=1637788077652182 response.header.x-goog-hash="crc32c=V3DSrg==" response.header.x-goog-hash.1="md5=d0OAq9qPTq6aFJ5dXT78gw==" response.header.x-goog-metageneration=1 response.header.x-goog-storage-class=STANDARD response.header.x-goog-stored-content-encoding=identity response.header.x-goog-stored-content-length=1469 response.header.x-guploader-uploadid=ADPycduqQipVAXc3tzXmTzKQ2gTT6CV736B2J628smtD1iDytEyiYCgvvdD8zz9BT1J1sASUq9pW_ctUyC4B-v2jvhIxnZTlKg response.status="200 OK" spanID=9460e5b6e64cec91 traceID=b162d3040ddf86d6614e79c66a01a577
+time="2022-02-06T17:47:48Z" level=debug msg="fetch response received" response.header.accept-ranges=bytes response.header.age=760 response.header.alt-svc="h3=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000,h3-Q050=\":443\"; ma=2592000,h3-Q046=\":443\"; ma=2592000,h3-Q043=\":443\"; ma=2592000,quic=\":443\"; ma=2592000; v=\"46,43\"" response.header.cache-control="public, max-age=3600" response.header.content-length=1471 response.header.content-type=application/octet-stream response.header.date="Sun, 06 Feb 2022 17:35:13 GMT" response.header.etag="\"35d688bd15327daafcdb4d4395e616a8\"" response.header.expires="Sun, 06 Feb 2022 18:35:13 GMT" response.header.last-modified="Wed, 24 Nov 2021 21:07:12 GMT" response.header.server=UploadServer response.header.x-goog-generation=1637788032100793 response.header.x-goog-hash="crc32c=aWgRjA==" response.header.x-goog-hash.1="md5=NdaIvRUyfar8201DleYWqA==" response.header.x-goog-metageneration=1 response.header.x-goog-storage-class=STANDARD response.header.x-goog-stored-content-encoding=identity response.header.x-goog-stored-content-length=1471 response.header.x-guploader-uploadid=ADPycdtR-gJYwC7yHquIkJWFFG8FovDySvtmRnZBqlO3yVDanBXh_VqKYt400yhuf0XbQ3ZMB9IZV2vlcyHezn_Pu3a1SMMtiw response.status="200 OK" spanID=9460e5b6e64cec91 traceID=b162d3040ddf86d6614e79c66a01a577
+time="2022-02-06T17:47:48Z" level=debug msg=fetch spanID=9460e5b6e64cec91 traceID=b162d3040ddf86d6614e79c66a01a577
+time="2022-02-06T17:47:48Z" level=debug msg=fetch spanID=9460e5b6e64cec91 traceID=b162d3040ddf86d6614e79c66a01a577
+time="2022-02-06T17:47:48Z" level=debug msg=fetch spanID=9460e5b6e64cec91 traceID=b162d3040ddf86d6614e79c66a01a577
+time="2022-02-06T17:47:48Z" level=debug msg=fetch spanID=9460e5b6e64cec91 traceID=b162d3040ddf86d6614e79c66a01a577
+time="2022-02-06T17:47:48Z" level=debug msg="do request" request.header.accept="application/vnd.docker.image.rootfs.diff.tar.gzip, */*" request.header.user-agent=containerd/1.5.8+unknown request.method=GET spanID=9460e5b6e64cec91 traceID=b162d3040ddf86d6614e79c66a01a577
+time="2022-02-06T17:47:48Z" level=debug msg="fetch response received" response.header.accept-ranges=bytes response.header.age=1356 response.header.alt-svc="h3=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000,h3-Q050=\":443\"; ma=2592000,h3-Q046=\":443\"; ma=2592000,h3-Q043=\":443\"; ma=2592000,quic=\":443\"; ma=2592000; v=\"46,43\"" response.header.cache-control="public, max-age=3600" response.header.content-length=2818413 response.header.content-type=application/octet-stream response.header.date="Sun, 06 Feb 2022 17:25:17 GMT" response.header.etag="\"1d55e7be5a77c4a908ad11bc33ebea1c\"" response.header.expires="Sun, 06 Feb 2022 18:25:17 GMT" response.header.last-modified="Wed, 24 Nov 2021 21:07:06 GMT" response.header.server=UploadServer response.header.x-goog-generation=1637788026431708 response.header.x-goog-hash="crc32c=ZojF+g==" response.header.x-goog-hash.1="md5=HVXnvlp3xKkIrRG8M+vqHA==" response.header.x-goog-metageneration=1 response.header.x-goog-storage-class=STANDARD response.header.x-goog-stored-content-encoding=identity response.header.x-goog-stored-content-length=2818413 response.header.x-guploader-uploadid=ADPycdsebqxiTBJqZ0bv9zBigjFxgQydD2ESZSkKchpE0ILlN9Ibko3C5r4fJTJ4UR9ddp-UBd-2v_4eRpZ8Yo2llW_j4k8WhQ response.status="200 OK" spanID=9460e5b6e64cec91 traceID=b162d3040ddf86d6614e79c66a01a577
+...
+```
+
+As you can see, requests come from the GCR registry mirror (`response.header.x-goog*`).

docs/guides/resource-limiting.md

@@ -0,0 +1,33 @@
+# Resource limiting
+
+## Max parallelism
+
+You can limit the parallelism of the BuildKit solver, which is particularly useful
+for low-powered machines, using a [BuildKit daemon configuration](https://github.com/moby/buildkit/blob/master/docs/buildkitd.toml.md)
+while creating a builder with the [`--config` flags](https://docs.docker.com/engine/reference/commandline/buildx_create/#config).
+
+```toml
+# /etc/buildkitd.toml
+[worker.oci]
+  max-parallelism = 4
+```
+
+Now you can [create a `docker-container` builder](https://docs.docker.com/engine/reference/commandline/buildx_create/)
+that will use this BuildKit configuration to limit parallelism.
+
+```console
+$ docker buildx create --use \
+  --name mybuilder \
+  --driver docker-container \
+  --config /etc/buildkitd.toml
+```
+
+## Limit on TCP connections
+
+We are also now limiting TCP connections to **4 per registry** with an additional
+connection not used for layer pulls and pushes. This limitation will be able to
+manage TCP connection per host to avoid your build being stuck while pulling
+images. The additional connection is used for metadata requests
+(image config retrieval) to enhance the overall build time.
+
+More info: [moby/buildkit#2259](https://github.com/moby/buildkit/pull/2259)

docs/reference/buildx.md

@@ -5,7 +5,7 @@ docker buildx [OPTIONS] COMMAND
 ```
 
 <!---MARKER_GEN_START-->
-Build with BuildKit
+Extended build capabilities with BuildKit
 
 ### Subcommands
 
@@ -27,5 +27,17 @@ Build with BuildKit
 | [`version`](buildx_version.md) | Show buildx version information |
 
 
+### Options
+
+| Name | Type | Default | Description |
+| --- | --- | --- | --- |
+| [`--builder`](#builder) | `string` |  | Override the configured builder instance |
+
 
 <!---MARKER_GEN_END-->
+
+## Examples
+
+### <a name="builder"></a> Override the configured builder instance (--builder)
+
+You can also use the `BUILDX_BUILDER` environment variable.

docs/reference/buildx_bake.md

@@ -9,22 +9,22 @@ Build from a file
 
 ### Aliases
 
-`bake`, `f`
+`docker buildx bake`, `docker buildx f`
 
 ### Options
 
-| Name | Description |
-| --- | --- |
-| `--builder string` | Override the configured builder instance |
-| [`-f`](#file), [`--file stringArray`](#file) | Build definition file |
-| `--load` | Shorthand for --set=*.output=type=docker |
-| `--metadata-file string` | Write build result metadata to the file |
-| [`--no-cache`](#no-cache) | Do not use cache when building the image |
-| [`--print`](#print) | Print the options without building |
-| [`--progress string`](#progress) | Set type of progress output (auto, plain, tty). Use plain to show container output |
-| [`--pull`](#pull) | Always attempt to pull a newer version of the image |
-| `--push` | Shorthand for --set=*.output=type=registry |
-| [`--set stringArray`](#set) | Override target value (eg: targetpattern.key=value) |
+| Name | Type | Default | Description |
+| --- | --- | --- | --- |
+| [`--builder`](#builder) | `string` |  | Override the configured builder instance |
+| [`-f`](#file), [`--file`](#file) | `stringArray` |  | Build definition file |
+| `--load` |  |  | Shorthand for `--set=*.output=type=docker` |
+| `--metadata-file` | `string` |  | Write build result metadata to the file |
+| [`--no-cache`](#no-cache) |  |  | Do not use cache when building the image |
+| [`--print`](#print) |  |  | Print the options without building |
+| [`--progress`](#progress) | `string` | `auto` | Set type of progress output (`auto`, `plain`, `tty`). Use plain to show container output |
+| [`--pull`](#pull) |  |  | Always attempt to pull all referenced images |
+| `--push` |  |  | Shorthand for `--set=*.output=type=registry` |
+| [`--set`](#set) | `stringArray` |  | Override target value (e.g., `targetpattern.key=value`) |
 
 
 <!---MARKER_GEN_END-->
@@ -34,108 +34,94 @@ Build from a file
 Bake is a high-level build command. Each specified target will run in parallel
 as part of the build.
 
-Read [High-level build options](https://github.com/docker/buildx#high-level-build-options) for introduction.
+Read [High-level build options with Bake](https://docs.docker.com/build/bake/)
+guide for introduction to writing bake files.
 
-Please note that `buildx bake` command may receive backwards incompatible features in the future if needed. We are looking for feedback on improving the command and extending the functionality further.
+> **Note**
+>
+> `buildx bake` command may receive backwards incompatible features in the future
+> if needed. We are looking for feedback on improving the command and extending
+> the functionality further.
 
 ## Examples
 
+### <a name="builder"></a> Override the configured builder instance (--builder)
+
+Same as [`buildx --builder`](buildx.md#builder).
+
 ### <a name="file"></a> Specify a build definition file (-f, --file)
 
-By default, `buildx bake` looks for build definition files in the current directory,
-the following are parsed:
-
-- `docker-compose.yml`
-- `docker-compose.yaml`
-- `docker-bake.json`
-- `docker-bake.override.json`
-- `docker-bake.hcl`
-- `docker-bake.override.hcl`
-
-Use the `-f` / `--file` option to specify the build definition file to use. The
-file can be a Docker Compose, JSON or HCL file. If multiple files are specified
+Use the `-f` / `--file` option to specify the build definition file to use.
+The file can be an HCL, JSON or Compose file. If multiple files are specified
 they are all read and configurations are combined.
 
-The following example uses a Docker Compose file named `docker-compose.dev.yaml`
-as build definition file, and builds all targets in the file:
+You can pass the names of the targets to build, to build only specific target(s).
+The following example builds the `db` and `webapp-release` targets that are
+defined in the `docker-bake.dev.hcl` file:
 
-```console
-$ docker buildx bake -f docker-compose.dev.yaml
+```hcl
+# docker-bake.dev.hcl
+group "default" {
+  targets = ["db", "webapp-dev"]
+}
 
-[+] Building 66.3s (30/30) FINISHED
- => [frontend internal] load build definition from Dockerfile  0.1s
- => => transferring dockerfile: 36B                            0.0s
- => [backend internal] load build definition from Dockerfile   0.2s
- => => transferring dockerfile: 3.73kB                         0.0s
- => [database internal] load build definition from Dockerfile  0.1s
- => => transferring dockerfile: 5.77kB                         0.0s
- ...
+target "webapp-dev" {
+  dockerfile = "Dockerfile.webapp"
+  tags = ["docker.io/username/webapp"]
+}
+
+target "webapp-release" {
+  inherits = ["webapp-dev"]
+  platforms = ["linux/amd64", "linux/arm64"]
+}
+
+target "db" {
+  dockerfile = "Dockerfile.db"
+  tags = ["docker.io/username/db"]
+}
 ```
 
-Pass the names of the targets to build, to build only specific target(s). The
-following example builds the `backend` and `database` targets that are defined
-in the `docker-compose.dev.yaml` file, skipping the build for the `frontend`
-target:
-
 ```console
-$ docker buildx bake -f docker-compose.dev.yaml backend database
-
-[+] Building 2.4s (13/13) FINISHED
- => [backend internal] load build definition from Dockerfile  0.1s
- => => transferring dockerfile: 81B                           0.0s
- => [database internal] load build definition from Dockerfile 0.2s
- => => transferring dockerfile: 36B                           0.0s
- => [backend internal] load .dockerignore                     0.3s
- ...
+$ docker buildx bake -f docker-bake.dev.hcl db webapp-release
 ```
 
+See our [file definition](https://docs.docker.com/build/bake/file-definition/)
+guide for more details.
+
 ### <a name="no-cache"></a> Do not use cache when building the image (--no-cache)
 
 Same as `build --no-cache`. Do not use cache when building the image.
 
 ### <a name="print"></a> Print the options without building (--print)
 
-Prints the resulting options of the targets desired to be built, in a JSON format,
-without starting a build.
+Prints the resulting options of the targets desired to be built, in a JSON
+format, without starting a build.
 
 ```console
 $ docker buildx bake -f docker-bake.hcl --print db
 {
-   "target": {
-      "db": {
-         "context": "./",
-         "dockerfile": "Dockerfile",
-         "tags": [
-            "docker.io/tiborvass/db"
-         ]
-      }
-   }
+  "group": {
+    "default": {
+      "targets": [
+        "db"
+      ]
+    }
+  },
+  "target": {
+    "db": {
+      "context": "./",
+      "dockerfile": "Dockerfile",
+      "tags": [
+        "docker.io/tiborvass/db"
+      ]
+    }
+  }
 }
 ```
 
 ### <a name="progress"></a> Set type of progress output (--progress)
 
-Same as [`build --progress`](buildx_build.md#progress). Set type of progress
-output (auto, plain, tty). Use plain to show container output (default "auto").
-
-> You can also use the `BUILDKIT_PROGRESS` environment variable to set its value.
-
-The following example uses `plain` output during the build:
-
-```console
-$ docker buildx bake --progress=plain
-
-#2 [backend internal] load build definition from Dockerfile.test
-#2 sha256:de70cb0bb6ed8044f7b9b1b53b67f624e2ccfb93d96bb48b70c1fba562489618
-#2 ...
-
-#1 [database internal] load build definition from Dockerfile.test
-#1 sha256:453cb50abd941762900a1212657a35fc4aad107f5d180b0ee9d93d6b74481bce
-#1 transferring dockerfile: 36B done
-#1 DONE 0.1s
-...
-```
-
+Same as [`build --progress`](buildx_build.md#progress).
 
 ### <a name="pull"></a> Always attempt to pull a newer version of the image (--pull)
 
@@ -147,10 +133,8 @@ Same as `build --pull`.
 --set targetpattern.key[.subkey]=value
 ```
 
-Override target configurations from command line. The pattern matching syntax is
-defined in https://golang.org/pkg/path/#Match.
-
-**Examples**
+Override target configurations from command line. The pattern matching syntax
+is defined in https://golang.org/pkg/path/#Match.
 
 ```console
 $ docker buildx bake --set target.args.mybuildarg=value
@@ -161,216 +145,20 @@ $ docker buildx bake --set foo*.no-cache              # bypass caching only for
 ```
 
 Complete list of overridable fields:
-args, cache-from, cache-to, context, dockerfile, labels, no-cache, output, platform,
-pull, secrets, ssh, tags, target
 
-### File definition
-
-In addition to compose files, bake supports a JSON and an equivalent HCL file
-format for defining build groups and targets.
-
-A target reflects a single docker build invocation with the same options that
-you would specify for `docker build`. A group is a grouping of targets.
-
-Multiple files can include the same target and final build options will be
-determined by merging them together.
-
-In the case of compose files, each service corresponds to a target.
-
-A group can specify its list of targets with the `targets` option. A target can
-inherit build options by setting the `inherits` option to the list of targets or
-groups to inherit from.
-
-Note: Design of bake command is work in progress, the user experience may change
-based on feedback.
-
-
-**Example HCL definition**
-
-```hcl
-group "default" {
-    targets = ["db", "webapp-dev"]
-}
-
-target "webapp-dev" {
-    dockerfile = "Dockerfile.webapp"
-    tags = ["docker.io/username/webapp"]
-}
-
-target "webapp-release" {
-    inherits = ["webapp-dev"]
-    platforms = ["linux/amd64", "linux/arm64"]
-}
-
-target "db" {
-    dockerfile = "Dockerfile.db"
-    tags = ["docker.io/username/db"]
-}
-```
-
-Complete list of valid target fields:
-
-`args`, `cache-from`, `cache-to`, `context`, `dockerfile`, `inherits`, `labels`,
-`no-cache`, `output`, `platform`, `pull`, `secrets`, `ssh`, `tags`, `target`
-
-### HCL variables and functions
-
-Similar to how Terraform provides a way to [define variables](https://www.terraform.io/docs/configuration/variables.html#declaring-an-input-variable),
-the HCL file format also supports variable block definitions. These can be used
-to define variables with values provided by the current environment, or a default
-value when unset.
-
-
-Example of using interpolation to tag an image with the git sha:
-
-```console
-$ cat <<'EOF' > docker-bake.hcl
-variable "TAG" {
-    default = "latest"
-}
-
-group "default" {
-    targets = ["webapp"]
-}
-
-target "webapp" {
-    tags = ["docker.io/username/webapp:${TAG}"]
-}
-EOF
-
-$ docker buildx bake --print webapp
-{
-   "target": {
-      "webapp": {
-         "context": ".",
-         "dockerfile": "Dockerfile",
-         "tags": [
-            "docker.io/username/webapp:latest"
-         ]
-      }
-   }
-}
-
-$ TAG=$(git rev-parse --short HEAD) docker buildx bake --print webapp
-{
-   "target": {
-      "webapp": {
-         "context": ".",
-         "dockerfile": "Dockerfile",
-         "tags": [
-            "docker.io/username/webapp:985e9e9"
-         ]
-      }
-   }
-}
-```
-
-
-A [set of generally useful functions](https://github.com/docker/buildx/blob/master/bake/hclparser/stdlib.go)
-provided by [go-cty](https://github.com/zclconf/go-cty/tree/main/cty/function/stdlib)
-are available for use in HCL files. In addition, [user defined functions](https://github.com/hashicorp/hcl/tree/main/ext/userfunc)
-are also supported.
-
-Example of using the `add` function:
-
-```console
-$ cat <<'EOF' > docker-bake.hcl
-variable "TAG" {
-    default = "latest"
-}
-
-group "default" {
-    targets = ["webapp"]
-}
-
-target "webapp" {
-    args = {
-        buildno = "${add(123, 1)}"
-    }
-}
-EOF
-
-$ docker buildx bake --print webapp
-{
-   "target": {
-      "webapp": {
-         "context": ".",
-         "dockerfile": "Dockerfile",
-         "args": {
-            "buildno": "124"
-         }
-      }
-   }
-}
-```
-
-Example of defining an `increment` function:
-
-```console
-$ cat <<'EOF' > docker-bake.hcl
-function "increment" {
-    params = [number]
-    result = number + 1
-}
-
-group "default" {
-    targets = ["webapp"]
-}
-
-target "webapp" {
-    args = {
-        buildno = "${increment(123)}"
-    }
-}
-EOF
-
-$ docker buildx bake --print webapp
-{
-   "target": {
-      "webapp": {
-         "context": ".",
-         "dockerfile": "Dockerfile",
-         "args": {
-            "buildno": "124"
-         }
-      }
-   }
-}
-```
-
-Example of only adding tags if a variable is not empty using an `notequal`
-function:
-
-```console
-$ cat <<'EOF' > docker-bake.hcl
-variable "TAG" {default="" }
-
-group "default" {
-    targets = [
-        "webapp",
-    ]
-}
-
-target "webapp" {
-    context="."
-    dockerfile="Dockerfile"
-    tags = [
-        "my-image:latest",
-        notequal("",TAG) ? "my-image:${TAG}": "",
-    ]
-}
-EOF
-
-$ docker buildx bake --print webapp
-{
-   "target": {
-      "webapp": {
-         "context": ".",
-         "dockerfile": "Dockerfile",
-         "tags": [
-            "my-image:latest"
-         ]
-      }
-   }
-}
-```
+* `args`
+* `cache-from`
+* `cache-to`
+* `context`
+* `dockerfile`
+* `labels`
+* `no-cache`
+* `no-cache-filter`
+* `output`
+* `platform`
+* `pull`
+* `push`
+* `secrets`
+* `ssh`
+* `tags`
+* `target`

docs/reference/buildx_build.md

@@ -9,34 +9,40 @@ Start a build
 
 ### Aliases
 
-`build`, `b`
+`docker buildx build`, `docker buildx b`
 
 ### Options
 
-| Name | Description |
-| --- | --- |
-| [`--add-host stringSlice`](https://docs.docker.com/engine/reference/commandline/build/#add-entries-to-container-hosts-file---add-host) | Add a custom host-to-IP mapping (host:ip) |
-| [`--allow stringSlice`](#allow) | Allow extra privileged entitlement, e.g. network.host, security.insecure |
-| [`--build-arg stringArray`](https://docs.docker.com/engine/reference/commandline/build/#set-build-time-variables---build-arg) | Set build-time variables |
-| `--builder string` | Override the configured builder instance |
-| [`--cache-from stringArray`](#cache-from) | External cache sources (eg. user/app:cache, type=local,src=path/to/dir) |
-| [`--cache-to stringArray`](#cache-to) | Cache export destinations (eg. user/app:cache, type=local,dest=path/to/dir) |
-| [`-f`](https://docs.docker.com/engine/reference/commandline/build/#specify-a-dockerfile--f), [`--file string`](https://docs.docker.com/engine/reference/commandline/build/#specify-a-dockerfile--f) | Name of the Dockerfile (Default is 'PATH/Dockerfile') |
-| `--iidfile string` | Write the image ID to the file |
-| `--label stringArray` | Set metadata for an image |
-| [`--load`](#load) | Shorthand for --output=type=docker |
-| `--metadata-file string` | Write build result metadata to the file |
-| `--network string` | Set the networking mode for the RUN instructions during build |
-| `--no-cache` | Do not use cache when building the image |
-| [`-o`](#output), [`--output stringArray`](#output) | Output destination (format: type=local,dest=path) |
-| [`--platform stringArray`](#platform) | Set target platform for build |
-| [`--progress string`](#progress) | Set type of progress output (auto, plain, tty). Use plain to show container output |
-| `--pull` | Always attempt to pull a newer version of the image |
-| [`--push`](#push) | Shorthand for --output=type=registry |
-| `--secret stringArray` | Secret file to expose to the build: id=mysecret,src=/local/secret |
-| `--ssh stringArray` | SSH agent socket or keys to expose to the build (format: default|<id>[=<socket>|<key>[,<key>]]) |
-| [`-t`](https://docs.docker.com/engine/reference/commandline/build/#tag-an-image--t), [`--tag stringArray`](https://docs.docker.com/engine/reference/commandline/build/#tag-an-image--t) | Name and optionally a tag in the 'name:tag' format |
-| [`--target string`](https://docs.docker.com/engine/reference/commandline/build/#specifying-target-build-stage---target) | Set the target build stage to build. |
+| Name | Type | Default | Description |
+| --- | --- | --- | --- |
+| [`--add-host`](https://docs.docker.com/engine/reference/commandline/build/#add-entries-to-container-hosts-file---add-host) | `stringSlice` |  | Add a custom host-to-IP mapping (format: `host:ip`) |
+| [`--allow`](#allow) | `stringSlice` |  | Allow extra privileged entitlement (e.g., `network.host`, `security.insecure`) |
+| [`--build-arg`](#build-arg) | `stringArray` |  | Set build-time variables |
+| [`--build-context`](#build-context) | `stringArray` |  | Additional build contexts (e.g., name=path) |
+| [`--builder`](#builder) | `string` |  | Override the configured builder instance |
+| [`--cache-from`](#cache-from) | `stringArray` |  | External cache sources (e.g., `user/app:cache`, `type=local,src=path/to/dir`) |
+| [`--cache-to`](#cache-to) | `stringArray` |  | Cache export destinations (e.g., `user/app:cache`, `type=local,dest=path/to/dir`) |
+| [`--cgroup-parent`](https://docs.docker.com/engine/reference/commandline/build/#use-a-custom-parent-cgroup---cgroup-parent) | `string` |  | Optional parent cgroup for the container |
+| [`-f`](https://docs.docker.com/engine/reference/commandline/build/#specify-a-dockerfile--f), [`--file`](https://docs.docker.com/engine/reference/commandline/build/#specify-a-dockerfile--f) | `string` |  | Name of the Dockerfile (default: `PATH/Dockerfile`) |
+| `--iidfile` | `string` |  | Write the image ID to the file |
+| `--label` | `stringArray` |  | Set metadata for an image |
+| [`--load`](#load) |  |  | Shorthand for `--output=type=docker` |
+| [`--metadata-file`](#metadata-file) | `string` |  | Write build result metadata to the file |
+| `--network` | `string` | `default` | Set the networking mode for the `RUN` instructions during build |
+| `--no-cache` |  |  | Do not use cache when building the image |
+| `--no-cache-filter` | `stringArray` |  | Do not cache specified stages |
+| [`-o`](#output), [`--output`](#output) | `stringArray` |  | Output destination (format: `type=local,dest=path`) |
+| [`--platform`](#platform) | `stringArray` |  | Set target platform for build |
+| [`--progress`](#progress) | `string` | `auto` | Set type of progress output (`auto`, `plain`, `tty`). Use plain to show container output |
+| `--pull` |  |  | Always attempt to pull all referenced images |
+| [`--push`](#push) |  |  | Shorthand for `--output=type=registry` |
+| `-q`, `--quiet` |  |  | Suppress the build output and print image ID on success |
+| [`--secret`](#secret) | `stringArray` |  | Secret to expose to the build (format: `id=mysecret[,src=/local/secret]`) |
+| [`--shm-size`](#shm-size) | `bytes` | `0` | Size of `/dev/shm` |
+| [`--ssh`](#ssh) | `stringArray` |  | SSH agent socket or keys to expose to the build (format: `default\|<id>[=<socket>\|<key>[,<key>]]`) |
+| [`-t`](https://docs.docker.com/engine/reference/commandline/build/#tag-an-image--t), [`--tag`](https://docs.docker.com/engine/reference/commandline/build/#tag-an-image--t) | `stringArray` |  | Name and optionally a tag (format: `name:tag`) |
+| [`--target`](https://docs.docker.com/engine/reference/commandline/build/#specifying-target-build-stage---target) | `string` |  | Set the target build stage to build |
+| [`--ulimit`](#ulimit) | `ulimit` |  | Ulimit options |
 
 
 <!---MARKER_GEN_END-->
@@ -48,76 +54,228 @@ to the UI of `docker build` command and takes the same flags and arguments.
 
 For documentation on most of these flags, refer to the [`docker build`
 documentation](https://docs.docker.com/engine/reference/commandline/build/). In
-here we’ll document a subset of the new flags.
+here we'll document a subset of the new flags.
 
 ## Examples
 
-### <a name="platform"></a> Set the target platforms for the build (--platform)
+### <a name="allow"></a> Allow extra privileged entitlement (--allow)
 
 ```
---platform=value[,value]
+--allow=ENTITLEMENT
 ```
 
-Set the target platform for the build. All `FROM` commands inside the Dockerfile
-without their own `--platform` flag will pull base images for this platform and
-this value will also be the platform of the resulting image. The default value
-will be the current platform of the buildkit daemon.
+Allow extra privileged entitlement. List of entitlements:
 
-When using `docker-container` driver with `buildx`, this flag can accept multiple
-values as an input separated by a comma. With multiple values the result will be
-built for all of the specified platforms and joined together into a single manifest
-list.
+- `network.host` - Allows executions with host networking.
+- `security.insecure` - Allows executions without sandbox. See
+  [related Dockerfile extensions](https://docs.docker.com/engine/reference/builder/#run---securitysandbox).
 
-If the `Dockerfile` needs to invoke the `RUN` command, the builder needs runtime
-support for the specified platform. In a clean setup, you can only execute `RUN`
-commands for your system architecture.
-If your kernel supports [`binfmt_misc`](https://en.wikipedia.org/wiki/Binfmt_misc)
-launchers for secondary architectures, buildx will pick them up automatically.
-Docker desktop releases come with `binfmt_misc` automatically configured for `arm64`
-and `arm` architectures. You can see what runtime platforms your current builder
-instance supports by running `docker buildx inspect --bootstrap`.
-
-Inside a `Dockerfile`, you can access the current platform value through
-`TARGETPLATFORM` build argument. Please refer to the [`docker build`
-documentation](https://docs.docker.com/engine/reference/builder/#automatic-platform-args-in-the-global-scope)
-for the full description of automatic platform argument variants .
-
-The formatting for the platform specifier is defined in the [containerd source
-code](https://github.com/containerd/containerd/blob/v1.4.3/platforms/platforms.go#L63).
+For entitlements to be enabled, the `buildkitd` daemon also needs to allow them
+with `--allow-insecure-entitlement` (see [`create --buildkitd-flags`](buildx_create.md#buildkitd-flags))
 
 **Examples**
 
 ```console
-$ docker buildx build --platform=linux/arm64 .
-$ docker buildx build --platform=linux/amd64,linux/arm64,linux/arm/v7 .
-$ docker buildx build --platform=darwin .
+$ docker buildx create --use --name insecure-builder --buildkitd-flags '--allow-insecure-entitlement security.insecure'
+$ docker buildx build --allow security.insecure .
 ```
 
-### <a name="progress"></a> Set type of progress output (--progress)
+### <a name="build-arg"></a> Set build-time variables (--build-arg)
 
-```
---progress=VALUE
-```
+Same as [`docker build` command](https://docs.docker.com/engine/reference/commandline/build/#set-build-time-variables---build-arg).
 
-Set type of progress output (auto, plain, tty). Use plain to show container
-output (default "auto").
+There are also useful built-in build args like:
 
-> You can also use the `BUILDKIT_PROGRESS` environment variable to set
-> its value.
-
-The following example uses `plain` output during the build:
+* `BUILDKIT_CONTEXT_KEEP_GIT_DIR=<bool>` trigger git context to keep the `.git` directory
+* `BUILDKIT_INLINE_BUILDINFO_ATTRS=<bool>` inline build info attributes in image config or not
+* `BUILDKIT_INLINE_CACHE=<bool>` inline cache metadata to image config or not
+* `BUILDKIT_MULTI_PLATFORM=<bool>` opt into deterministic output regardless of multi-platform output or not
 
 ```console
-$ docker buildx build --load --progress=plain .
+$ docker buildx build --build-arg BUILDKIT_MULTI_PLATFORM=1 .
+```
 
-#1 [internal] load build definition from Dockerfile
-#1 transferring dockerfile: 227B 0.0s done
-#1 DONE 0.1s
+> **Note**
+>
+> More built-in build args can be found in [Dockerfile reference docs](https://docs.docker.com/engine/reference/builder/#buildkit-built-in-build-args).
 
-#2 [internal] load .dockerignore
-#2 transferring context: 129B 0.0s done
-#2 DONE 0.0s
-...
+### <a name="build-context"></a> Additional build contexts (--build-context)
+
+```
+--build-context=name=VALUE
+```
+
+Define additional build context with specified contents. In Dockerfile the context can be accessed when `FROM name` or `--from=name` is used.
+When Dockerfile defines a stage with the same name it is overwritten.
+
+The value can be a local source directory, [local OCI layout compliant directory](https://github.com/opencontainers/image-spec/blob/main/image-layout.md), container image (with docker-image:// prefix), Git or HTTP URL.
+
+Replace `alpine:latest` with a pinned one:
+
+```console
+$ docker buildx build --build-context alpine=docker-image://alpine@sha256:0123456789 .
+```
+
+Expose a secondary local source directory:
+
+```console
+$ docker buildx build --build-context project=path/to/project/source .
+# docker buildx build --build-context project=https://github.com/myuser/project.git .
+```
+
+```Dockerfile
+FROM alpine
+COPY --from=project myfile /
+```
+
+#### <a name="source-oci-layout"></a> Source image from OCI layout directory
+
+Source an image from a local [OCI layout compliant directory](https://github.com/opencontainers/image-spec/blob/main/image-layout.md):
+
+```console
+$ docker buildx build --build-context foo=oci-layout:///path/to/local/layout@sha256:abcd12345 .
+```
+
+```Dockerfile
+FROM alpine
+RUN apk add git
+
+COPY --from=foo myfile /
+
+FROM foo
+```
+
+The OCI layout directory must be compliant with the [OCI layout specification](https://github.com/opencontainers/image-spec/blob/main/image-layout.md). It looks _solely_ for hashes. It does not
+do any form of `image:tag` resolution to find the hash of the manifest; that is up to you.
+
+The format of the `--build-context` must be: `<context>=oci-layout://<path-to-local-layout>@sha256:<hash-of-manifest>`, where:
+
+* `context` is the name of the build context as used in the `Dockerfile`.
+* `path-to-local-layout` is the path on the local machine, where you are running `docker build`, to the spec-compliant OCI layout.
+* `hash-of-manifest` is the hash of the manifest for the image. It can be a single-architecture manifest or a multi-architecture index.
+
+### <a name="builder"></a> Override the configured builder instance (--builder)
+
+Same as [`buildx --builder`](buildx.md#builder).
+
+### <a name="cache-from"></a> Use an external cache source for a build (--cache-from)
+
+```
+--cache-from=[NAME|type=TYPE[,KEY=VALUE]]
+```
+
+Use an external cache source for a build. Supported types are `registry`,
+`local` and `gha`.
+
+- [`registry` source](https://github.com/moby/buildkit#registry-push-image-and-cache-separately)
+  can import cache from a cache manifest or (special) image configuration on the
+  registry.
+- [`local` source](https://github.com/moby/buildkit#local-directory-1) can
+  import cache from local files previously exported with `--cache-to`.
+- [`gha` source](https://github.com/moby/buildkit#github-actions-cache-experimental)
+  can import cache from a previously exported cache with `--cache-to` in your
+  GitHub repository
+
+If no type is specified, `registry` exporter is used with a specified reference.
+
+`docker` driver currently only supports importing build cache from the registry.
+
+```console
+$ docker buildx build --cache-from=user/app:cache .
+$ docker buildx build --cache-from=user/app .
+$ docker buildx build --cache-from=type=registry,ref=user/app .
+$ docker buildx build --cache-from=type=local,src=path/to/cache .
+$ docker buildx build --cache-from=type=gha .
+```
+
+More info about cache exporters and available attributes: https://github.com/moby/buildkit#export-cache
+
+### <a name="cache-to"></a> Export build cache to an external cache destination (--cache-to)
+
+```
+--cache-to=[NAME|type=TYPE[,KEY=VALUE]]
+```
+
+Export build cache to an external cache destination. Supported types are
+`registry`, `local`, `inline` and `gha`.
+
+- [`registry` type](https://github.com/moby/buildkit#registry-push-image-and-cache-separately) exports build cache to a cache manifest in the registry.
+- [`local` type](https://github.com/moby/buildkit#local-directory-1) type
+  exports cache to a local directory on the client.
+- [`inline` type](https://github.com/moby/buildkit#inline-push-image-and-cache-together)
+  type writes the cache metadata into the image configuration.
+- [`gha` type](https://github.com/moby/buildkit#github-actions-cache-experimental)
+  type exports cache through the [Github Actions Cache service API](https://github.com/tonistiigi/go-actions-cache/blob/master/api.md#authentication).
+
+`docker` driver currently only supports exporting inline cache metadata to image
+configuration. Alternatively, `--build-arg BUILDKIT_INLINE_CACHE=1` can be used
+to trigger inline cache exporter.
+
+Attribute key:
+
+- `mode` - Specifies how many layers are exported with the cache. `min` on only
+  exports layers already in the final build stage, `max` exports layers for
+  all stages. Metadata is always exported for the whole build.
+
+```console
+$ docker buildx build --cache-to=user/app:cache .
+$ docker buildx build --cache-to=type=inline .
+$ docker buildx build --cache-to=type=registry,ref=user/app .
+$ docker buildx build --cache-to=type=local,dest=path/to/cache .
+$ docker buildx build --cache-to=type=gha .
+```
+
+More info about cache exporters and available attributes: https://github.com/moby/buildkit#export-cache
+
+### <a name="load"></a> Load the single-platform build result to `docker images` (--load)
+
+Shorthand for [`--output=type=docker`](#docker). Will automatically load the
+single-platform build result to `docker images`.
+
+### <a name="metadata-file"></a> Write build result metadata to the file (--metadata-file)
+
+To output build metadata such as the image digest, pass the `--metadata-file` flag.
+The metadata will be written as a JSON object to the specified file. The
+directory of the specified file must already exist and be writable.
+
+```console
+$ docker buildx build --load --metadata-file metadata.json .
+$ cat metadata.json
+```
+```json
+{
+  "containerimage.buildinfo": {
+    "frontend": "dockerfile.v0",
+    "attrs": {
+      "context": "https://github.com/crazy-max/buildkit-buildsources-test.git#master",
+      "filename": "Dockerfile",
+      "source": "docker/dockerfile:master"
+    },
+    "sources": [
+      {
+        "type": "docker-image",
+        "ref": "docker.io/docker/buildx-bin:0.6.1@sha256:a652ced4a4141977c7daaed0a074dcd9844a78d7d2615465b12f433ae6dd29f0",
+        "pin": "sha256:a652ced4a4141977c7daaed0a074dcd9844a78d7d2615465b12f433ae6dd29f0"
+      },
+      {
+        "type": "docker-image",
+        "ref": "docker.io/library/alpine:3.13",
+        "pin": "sha256:026f721af4cf2843e07bba648e158fb35ecc876d822130633cc49f707f0fc88c"
+      }
+    ]
+  },
+  "containerimage.config.digest": "sha256:2937f66a9722f7f4a2df583de2f8cb97fc9196059a410e7f00072fc918930e66",
+  "containerimage.descriptor": {
+    "annotations": {
+      "config.digest": "sha256:2937f66a9722f7f4a2df583de2f8cb97fc9196059a410e7f00072fc918930e66",
+      "org.opencontainers.image.created": "2022-02-08T21:28:03Z"
+    },
+    "digest": "sha256:19ffeab6f8bc9293ac2c3fdf94ebe28396254c993aea0b5a542cfb02e0883fa3",
+    "mediaType": "application/vnd.oci.image.manifest.v1+json",
+    "size": 506
+  },
+  "containerimage.digest": "sha256:19ffeab6f8bc9293ac2c3fdf94ebe28396254c993aea0b5a542cfb02e0883fa3"
+}
 ```
 
 ### <a name="output"></a> Set the export action for the build result (-o, --output)
@@ -138,8 +296,6 @@ If just the path is specified as a value, `buildx` will use the local exporter
 with this path as the destination. If the value is "-", `buildx` will use `tar`
 exporter and write to `stdout`.
 
-**Examples**
-
 ```console
 $ docker buildx build -o . .
 $ docker buildx build -o outdir .
@@ -193,7 +349,7 @@ The most common usecase for multi-platform images is to directly push to a regis
 Attribute keys:
 
 - `dest` - destination path where tarball will be written. If not specified the
-tar will be loaded automatically to the current docker instance.
+  tar will be loaded automatically to the current docker instance.
 - `context` - name for the docker context where to import the result
 
 #### `image`
@@ -211,89 +367,180 @@ Attribute keys:
 
 The `registry` exporter is a shortcut for `type=image,push=true`.
 
+### <a name="platform"></a> Set the target platforms for the build (--platform)
+
+```
+--platform=value[,value]
+```
+
+Set the target platform for the build. All `FROM` commands inside the Dockerfile
+without their own `--platform` flag will pull base images for this platform and
+this value will also be the platform of the resulting image. The default value
+will be the current platform of the buildkit daemon.
+
+When using `docker-container` driver with `buildx`, this flag can accept multiple
+values as an input separated by a comma. With multiple values the result will be
+built for all of the specified platforms and joined together into a single manifest
+list.
+
+If the `Dockerfile` needs to invoke the `RUN` command, the builder needs runtime
+support for the specified platform. In a clean setup, you can only execute `RUN`
+commands for your system architecture.
+If your kernel supports [`binfmt_misc`](https://en.wikipedia.org/wiki/Binfmt_misc)
+launchers for secondary architectures, buildx will pick them up automatically.
+Docker desktop releases come with `binfmt_misc` automatically configured for `arm64`
+and `arm` architectures. You can see what runtime platforms your current builder
+instance supports by running `docker buildx inspect --bootstrap`.
+
+Inside a `Dockerfile`, you can access the current platform value through
+`TARGETPLATFORM` build argument. Please refer to the [`docker build`
+documentation](https://docs.docker.com/engine/reference/builder/#automatic-platform-args-in-the-global-scope)
+for the full description of automatic platform argument variants .
+
+The formatting for the platform specifier is defined in the [containerd source
+code](https://github.com/containerd/containerd/blob/v1.4.3/platforms/platforms.go#L63).
+
+```console
+$ docker buildx build --platform=linux/arm64 .
+$ docker buildx build --platform=linux/amd64,linux/arm64,linux/arm/v7 .
+$ docker buildx build --platform=darwin .
+```
+
+### <a name="progress"></a> Set type of progress output (--progress)
+
+```
+--progress=VALUE
+```
+
+Set type of progress output (auto, plain, tty). Use plain to show container
+output (default "auto").
+
+> **Note**
+>
+> You can also use the `BUILDKIT_PROGRESS` environment variable to set its value.
+
+The following example uses `plain` output during the build:
+
+```console
+$ docker buildx build --load --progress=plain .
+
+#1 [internal] load build definition from Dockerfile
+#1 transferring dockerfile: 227B 0.0s done
+#1 DONE 0.1s
+
+#2 [internal] load .dockerignore
+#2 transferring context: 129B 0.0s done
+#2 DONE 0.0s
+...
+```
+
+> **Note**
+>
+> Check also our [Color output controls guide](https://docs.docker.com/build/guides/color-output/)
+> for modifying the colors that are used to output information to the terminal.
 
 ### <a name="push"></a> Push the build result to a registry (--push)
 
 Shorthand for [`--output=type=registry`](#registry). Will automatically push the
 build result to registry.
 
-### <a name="load"></a> Load the single-platform build result to `docker images` (--load)
-
-Shorthand for [`--output=type=docker`](#docker). Will automatically load the
-single-platform build result to `docker images`.
-
-### <a name="cache-from"></a> Use an external cache source for a build (--cache-from)
+### <a name="secret"></a> Secret to expose to the build (--secret)
 
 ```
---cache-from=[NAME|type=TYPE[,KEY=VALUE]]
+--secret=[type=TYPE[,KEY=VALUE]
 ```
 
-Use an external cache source for a build. Supported types are `registry` and `local`.
-The `registry` source can import cache from a cache manifest or (special) image
-configuration on the registry. The `local` source can import cache from local
-files previously exported with `--cache-to`.
+Exposes secret to the build. The secret can be used by the build using
+[`RUN --mount=type=secret` mount](https://docs.docker.com/engine/reference/builder/#run---mounttypesecret).
 
-If no type is specified, `registry` exporter is used with a specified reference.
+If `type` is unset it will be detected. Supported types are:
 
-`docker` driver currently only supports importing build cache from the registry.
+#### `file`
 
-**Examples**
+Attribute keys:
+
+- `id` - ID of the secret. Defaults to basename of the `src` path.
+- `src`, `source` - Secret filename. `id` used if unset.
+
+```dockerfile
+# syntax=docker/dockerfile:1.4
+FROM python:3
+RUN pip install awscli
+RUN --mount=type=secret,id=aws,target=/root/.aws/credentials \
+  aws s3 cp s3://... ...
+```
 
 ```console
-$ docker buildx build --cache-from=user/app:cache .
-$ docker buildx build --cache-from=user/app .
-$ docker buildx build --cache-from=type=registry,ref=user/app .
-$ docker buildx build --cache-from=type=local,src=path/to/cache .
+$ docker buildx build --secret id=aws,src=$HOME/.aws/credentials .
 ```
 
-### <a name="cache-to"></a> Export build cache to an external cache destination (--cache-to)
+#### `env`
 
+Attribute keys:
+
+- `id` - ID of the secret. Defaults to `env` name.
+- `env` - Secret environment variable. `id` used if unset, otherwise will look for `src`, `source` if `id` unset.
+
+```dockerfile
+# syntax=docker/dockerfile:1.4
+FROM node:alpine
+RUN --mount=type=bind,target=. \
+  --mount=type=secret,id=SECRET_TOKEN \
+  SECRET_TOKEN=$(cat /run/secrets/SECRET_TOKEN) yarn run test
 ```
---cache-to=[NAME|type=TYPE[,KEY=VALUE]]
-```
-
-Export build cache to an external cache destination. Supported types are `registry`,
-`local` and `inline`. Registry exports build cache to a cache manifest in the
-registry, local exports cache to a local directory on the client and inline writes
-the cache metadata into the image configuration.
-
-`docker` driver currently only supports exporting inline cache metadata to image
-configuration. Alternatively, `--build-arg BUILDKIT_INLINE_CACHE=1` can be used
-to trigger inline cache exporter.
-
-Attribute key:
-
-- `mode` - Specifies how many layers are exported with the cache. “min” on only
-exports layers already in the final build stage, “max” exports layers for
-all stages. Metadata is always exported for the whole build.
-
-**Examples**
 
 ```console
-$ docker buildx build --cache-to=user/app:cache .
-$ docker buildx build --cache-to=type=inline .
-$ docker buildx build --cache-to=type=registry,ref=user/app .
-$ docker buildx build --cache-to=type=local,dest=path/to/cache .
+$ SECRET_TOKEN=token docker buildx build --secret id=SECRET_TOKEN .
 ```
 
-### <a name="allow"></a> Allow extra privileged entitlement (--allow)
+### <a name="shm-size"></a> Size of /dev/shm (--shm-size)
+
+The format is `<number><unit>`. `number` must be greater than `0`. Unit is
+optional and can be `b` (bytes), `k` (kilobytes), `m` (megabytes), or `g`
+(gigabytes). If you omit the unit, the system uses bytes.
+
+### <a name="ssh"></a> SSH agent socket or keys to expose to the build (--ssh)
 
 ```
---allow=ENTITLEMENT
+--ssh=default|<id>[=<socket>|<key>[,<key>]]
 ```
 
-Allow extra privileged entitlement. List of entitlements:
+This can be useful when some commands in your Dockerfile need specific SSH
+authentication (e.g., cloning a private repository).
 
-- `network.host` - Allows executions with host networking.
-- `security.insecure` - Allows executions without sandbox. See
-[related Dockerfile extensions](https://github.com/moby/buildkit/blob/master/frontend/dockerfile/docs/experimental.md#run---securityinsecuresandbox).
+`--ssh` exposes SSH agent socket or keys to the build and can be used with the
+[`RUN --mount=type=ssh` mount](https://docs.docker.com/engine/reference/builder/#run---mounttypessh).
 
-For entitlements to be enabled, the `buildkitd` daemon also needs to allow them
-with `--allow-insecure-entitlement` (see [`create --buildkitd-flags`](buildx_create.md#--buildkitd-flags-flags))
+Example to access Gitlab using an SSH agent socket:
 
-**Examples**
+```dockerfile
+# syntax=docker/dockerfile:1.4
+FROM alpine
+RUN apk add --no-cache openssh-client
+RUN mkdir -p -m 0700 ~/.ssh && ssh-keyscan gitlab.com >> ~/.ssh/known_hosts
+RUN --mount=type=ssh ssh -q -T git@gitlab.com 2>&1 | tee /hello
+# "Welcome to GitLab, @GITLAB_USERNAME_ASSOCIATED_WITH_SSHKEY" should be printed here
+# with the type of build progress is defined as `plain`.
+```
 
 ```console
-$ docker buildx create --use --name insecure-builder --buildkitd-flags '--allow-insecure-entitlement security.insecure'
-$ docker buildx build --allow security.insecure .
+$ eval $(ssh-agent)
+$ ssh-add ~/.ssh/id_rsa
+(Input your passphrase here)
+$ docker buildx build --ssh default=$SSH_AUTH_SOCK .
 ```
+
+### <a name="ulimit"></a> Set ulimits (--ulimit)
+
+`--ulimit` is specified with a soft and hard limit as such:
+`<type>=<soft limit>[:<hard limit>]`, for example:
+
+```console
+$ docker buildx build --ulimit nofile=1024:1024 .
+```
+
+> **Note**
+>
+> If you do not provide a `hard limit`, the `soft limit` is used
+> for both values. If no `ulimits` are set, they are inherited from
+> the default `ulimits` set on the daemon.

docs/reference/buildx_create.md

@@ -9,19 +9,19 @@ Create a new builder instance
 
 ### Options
 
-| Name | Description |
-| --- | --- |
-| [`--append`](#append) | Append a node to builder instead of changing it |
-| `--builder string` | Override the configured builder instance |
-| [`--buildkitd-flags string`](#buildkitd-flags) | Flags for buildkitd daemon |
-| [`--config string`](#config) | BuildKit config file |
-| [`--driver string`](#driver) | Driver to use (available: []) |
-| [`--driver-opt stringArray`](#driver-opt) | Options for the driver |
-| [`--leave`](#leave) | Remove a node from builder instead of changing it |
-| [`--name string`](#name) | Builder instance name |
-| [`--node string`](#node) | Create/modify node with given name |
-| [`--platform stringArray`](#platform) | Fixed platforms for current node |
-| [`--use`](#use) | Set the current builder instance |
+| Name | Type | Default | Description |
+| --- | --- | --- | --- |
+| [`--append`](#append) |  |  | Append a node to builder instead of changing it |
+| `--bootstrap` |  |  | Boot builder after creation |
+| [`--buildkitd-flags`](#buildkitd-flags) | `string` |  | Flags for buildkitd daemon |
+| [`--config`](#config) | `string` |  | BuildKit config file |
+| [`--driver`](#driver) | `string` |  | Driver to use (available: `docker`, `docker-container`, `kubernetes`, `remote`) |
+| [`--driver-opt`](#driver-opt) | `stringArray` |  | Options for the driver |
+| [`--leave`](#leave) |  |  | Remove a node from builder instead of changing it |
+| [`--name`](#name) | `string` |  | Builder instance name |
+| [`--node`](#node) | `string` |  | Create/modify node with given name |
+| [`--platform`](#platform) | `stringArray` |  | Fixed platforms for current node |
+| [`--use`](#use) |  |  | Set the current builder instance |
 
 
 <!---MARKER_GEN_END-->
@@ -47,8 +47,6 @@ The `--append` flag changes the action of the command to append a new node to an
 existing builder specified by `--name`. Buildx will choose an appropriate node
 for a build based on the platforms it supports.
 
-**Examples**
-
 ```console
 $ docker buildx create mycontext1
 eager_beaver
@@ -64,11 +62,9 @@ eager_beaver
 ```
 
 Adds flags when starting the buildkitd daemon. They take precedence over the
-configuration file specified by [`--config`](#--config-file). See `buildkitd --help`
+configuration file specified by [`--config`](#config). See `buildkitd --help`
 for the available flags.
 
-**Example**
-
 ```
 --buildkitd-flags '--debug --debugaddr 0.0.0.0:6666'
 ```
@@ -80,9 +76,19 @@ for the available flags.
 ```
 
 Specifies the configuration file for the buildkitd daemon to use. The configuration
-can be overridden by [`--buildkitd-flags`](#--buildkitd-flags-flags).
+can be overridden by [`--buildkitd-flags`](#buildkitd-flags).
 See an [example buildkitd configuration file](https://github.com/moby/buildkit/blob/master/docs/buildkitd.toml.md).
 
+If the configuration file is not specified, will look for one by default in:
+* `$BUILDX_CONFIG/buildkitd.default.toml`
+* `$DOCKER_CONFIG/buildx/buildkitd.default.toml`
+* `~/.docker/buildx/buildkitd.default.toml`
+
+Note that if you create a `docker-container` builder and have specified
+certificates for registries in the `buildkitd.toml` configuration, the files
+will be copied into the container under `/etc/buildkit/certs` and configuration
+will be updated to reflect that.
+
 ### <a name="driver"></a> Set the builder driver to use (--driver)
 
 ```
@@ -92,17 +98,40 @@ See an [example buildkitd configuration file](https://github.com/moby/buildkit/b
 Sets the builder driver to be used. There are two available drivers, each have
 their own specificities.
 
-- `docker` - Uses the builder that is built into the docker daemon. With this
-  driver, the [`--load`](buildx_build.md#--load) flag is implied by default on
-  `buildx build`. However, building multi-platform images or exporting cache is
-  not currently supported.
-- `docker-container` - Uses a buildkit container that will be spawned via docker.
-  With this driver, both building multi-platform images and exporting cache are
-  supported. However, images built will not automatically appear in `docker images`
-  (see [`build --load`](buildx_build.md#--load)).
-- `kubernetes` - Uses a kubernetes pods. With this driver, you can spin up pods
-  with defined buildkit container image to build your images.
+#### `docker` driver
 
+Uses the builder that is built into the docker daemon. With this driver,
+the [`--load`](buildx_build.md#load) flag is implied by default on
+`buildx build`. However, building multi-platform images or exporting cache is
+not currently supported.
+
+#### `docker-container` driver
+
+Uses a BuildKit container that will be spawned via docker. With this driver,
+both building multi-platform images and exporting cache are supported.
+
+Unlike `docker` driver, built images will not automatically appear in
+`docker images` and [`build --load`](buildx_build.md#load) needs to be used
+to achieve that.
+
+#### `kubernetes` driver
+
+Uses a kubernetes pods. With this driver, you can spin up pods with defined
+BuildKit container image to build your images.
+
+Unlike `docker` driver, built images will not automatically appear in
+`docker images` and [`build --load`](buildx_build.md#load) needs to be used
+to achieve that.
+
+#### `remote` driver
+
+Uses a remote instance of buildkitd over an arbitrary connection. With this
+driver, you manually create and manage instances of buildkit yourself, and
+configure buildx to point at it.
+
+Unlike `docker` driver, built images will not automatically appear in
+`docker images` and [`build --load`](buildx_build.md#load) needs to be used
+to achieve that.
 
 ### <a name="driver-opt"></a> Set additional driver-specific options (--driver-opt)
 
@@ -110,28 +139,43 @@ their own specificities.
 --driver-opt OPTIONS
 ```
 
-Passes additional driver-specific options. Details for each driver:
+Passes additional driver-specific options.
 
-- `docker` - No driver options
-- `docker-container`
-    - `image=IMAGE` - Sets the container image to be used for running buildkit.
-    - `network=NETMODE` - Sets the network mode for running the buildkit container.
-    - Example:
+Note: When using quoted values for example for the `nodeselector` or
+`tolerations` options, ensure that quotes are escaped correctly for your shell.
 
-      ```console
-      --driver docker-container --driver-opt image=moby/buildkit:master,network=host
-      ```
-- `kubernetes`
-    - `image=IMAGE` - Sets the container image to be used for running buildkit.
-    - `namespace=NS` - Sets the Kubernetes namespace. Defaults to the current namespace.
-    - `replicas=N` - Sets the number of `Pod` replicas. Defaults to 1.
-    - `requests.cpu` - Sets the request CPU value specified in units of Kubernetes CPU. Example `requests.cpu=100m`, `requests.cpu=2`
-    - `requests.memory` - Sets the request memory value specified in bytes or with a valid suffix. Example `requests.memory=500Mi`, `requests.memory=4G`
-    - `limits.cpu` - Sets the limit CPU value specified in units of Kubernetes CPU. Example `limits.cpu=100m`, `limits.cpu=2`
-    - `limits.memory` - Sets the limit memory value specified in bytes or with a valid suffix. Example `limits.memory=500Mi`, `limits.memory=4G`
-    - `nodeselector="label1=value1,label2=value2"` - Sets the kv of `Pod` nodeSelector. No Defaults. Example `nodeselector=kubernetes.io/arch=arm64`
-    - `rootless=(true|false)` - Run the container as a non-root user without `securityContext.privileged`. [Using Ubuntu host kernel is recommended](https://github.com/moby/buildkit/blob/master/docs/rootless.md). Defaults to false.
-    - `loadbalance=(sticky|random)` - Load-balancing strategy. If set to "sticky", the pod is chosen using the hash of the context path. Defaults to "sticky"
+#### `docker` driver
+
+No driver options.
+
+#### `docker-container` driver
+
+- `image=IMAGE` - Sets the container image to be used for running buildkit.
+- `network=NETMODE` - Sets the network mode for running the buildkit container.
+- `cgroup-parent=CGROUP` - Sets the cgroup parent of the buildkit container if docker is using the "cgroupfs" driver. Defaults to `/docker/buildx`.
+
+#### `kubernetes` driver
+
+- `image=IMAGE` - Sets the container image to be used for running buildkit.
+- `namespace=NS` - Sets the Kubernetes namespace. Defaults to the current namespace.
+- `replicas=N` - Sets the number of `Pod` replicas. Defaults to 1.
+- `requests.cpu` - Sets the request CPU value specified in units of Kubernetes CPU. Example `requests.cpu=100m`, `requests.cpu=2`
+- `requests.memory` - Sets the request memory value specified in bytes or with a valid suffix. Example `requests.memory=500Mi`, `requests.memory=4G`
+- `limits.cpu` - Sets the limit CPU value specified in units of Kubernetes CPU. Example `limits.cpu=100m`, `limits.cpu=2`
+- `limits.memory` - Sets the limit memory value specified in bytes or with a valid suffix. Example `limits.memory=500Mi`, `limits.memory=4G`
+- `"nodeselector=label1=value1,label2=value2"` - Sets the kv of `Pod` nodeSelector. No Defaults. Example `nodeselector=kubernetes.io/arch=arm64`
+- `"tolerations=key=foo,value=bar;key=foo2,operator=exists;key=foo3,effect=NoSchedule"` - Sets the `Pod` tolerations. Accepts the same values as the kube manifest tolera>tions. Key-value pairs are separated by `,`, tolerations are separated by `;`. No Defaults. Example `tolerations=operator=exists`
+- `rootless=(true|false)` - Run the container as a non-root user without `securityContext.privileged`. Needs Kubernetes 1.19 or later. [Using Ubuntu host kernel is recommended](https://github.com/moby/buildkit/blob/master/docs/rootless.md). Defaults to false.
+- `loadbalance=(sticky|random)` - Load-balancing strategy. If set to "sticky", the pod is chosen using the hash of the context path. Defaults to "sticky"
+- `qemu.install=(true|false)` - Install QEMU emulation for multi platforms support.
+- `qemu.image=IMAGE` - Sets the QEMU emulation image. Defaults to `tonistiigi/binfmt:latest`
+
+#### `remote` driver
+
+- `key=KEY` - Sets the TLS client key.
+- `cert=CERT` - Sets the TLS client certificate to present to buildkitd.
+- `cacert=CACERT` - Sets the TLS certificate authority used for validation.
+- `servername=SERVER` - Sets the TLS server name to be used in requests (defaults to the endpoint hostname).
 
 ### <a name="leave"></a> Remove a node from a builder (--leave)
 
@@ -139,8 +183,6 @@ The `--leave` flag changes the action of the command to remove a node from a
 builder. The builder needs to be specified with `--name` and node that is removed
 is set with `--node`.
 
-**Examples**
-
 ```console
 $ docker buildx create --name mybuilder --node mybuilder0 --leave
 ```
@@ -164,7 +206,7 @@ The `--node` flag specifies the name of the node to be created or modified. If
 none is specified, it is the name of the builder it belongs to, with an index
 number suffix.
 
-### <a name="platform"></a> Set the platforms supported by the node
+### <a name="platform"></a> Set the platforms supported by the node (--platform)
 
 ```
 --platform PLATFORMS
@@ -176,14 +218,12 @@ will also automatically detect the platforms it supports, but manual values take
 priority over the detected ones and can be used when multiple nodes support
 building for the same platform.
 
-**Examples**
-
 ```console
 $ docker buildx create --platform linux/amd64
 $ docker buildx create --platform linux/arm64,linux/arm/v8
 ```
 
-### <a name="use"></a> Automatically switch to the newly created builder
+### <a name="use"></a> Automatically switch to the newly created builder (--use)
 
 The `--use` flag automatically switches the current builder to the newly created
 one. Equivalent to running `docker buildx use $(docker buildx create ...)`.

docs/reference/buildx_du.md

@@ -9,11 +9,17 @@ Disk usage
 
 ### Options
 
-| Name | Description |
-| --- | --- |
-| `--builder string` | Override the configured builder instance |
-| `--filter filter` | Provide filter values |
-| `--verbose` | Provide a more verbose output |
+| Name | Type | Default | Description |
+| --- | --- | --- | --- |
+| [`--builder`](#builder) | `string` |  | Override the configured builder instance |
+| `--filter` | `filter` |  | Provide filter values |
+| `--verbose` |  |  | Provide a more verbose output |
 
 
 <!---MARKER_GEN_END-->
+
+## Examples
+
+### <a name="builder"></a> Override the configured builder instance (--builder)
+
+Same as [`buildx --builder`](buildx.md#builder).

docs/reference/buildx_imagetools.md

@@ -12,9 +12,15 @@ Commands to work on images in registry
 | Name | Description |
 | --- | --- |
 | [`create`](buildx_imagetools_create.md) | Create a new image based on source images |
-| [`inspect`](buildx_imagetools_inspect.md) | Show details of image in the registry |
+| [`inspect`](buildx_imagetools_inspect.md) | Show details of an image in the registry |
 
 
+### Options
+
+| Name | Type | Default | Description |
+| --- | --- | --- | --- |
+| [`--builder`](#builder) | `string` |  | Override the configured builder instance |
+
 
 <!---MARKER_GEN_END-->
 
@@ -22,3 +28,9 @@ Commands to work on images in registry
 
 Imagetools contains commands for working with manifest lists in the registry.
 These commands are useful for inspecting multi-platform build results.
+
+## Examples
+
+### <a name="builder"></a> Override the configured builder instance (--builder)
+
+Same as [`buildx --builder`](buildx.md#builder).

docs/reference/buildx_imagetools_create.md

@@ -9,22 +9,20 @@ Create a new image based on source images
 
 ### Options
 
-| Name | Description |
-| --- | --- |
-| [`--append`](#append) | Append to existing manifest |
-| `--builder string` | Override the configured builder instance |
-| [`--dry-run`](#dry-run) | Show final image instead of pushing |
-| [`-f`](#file), [`--file stringArray`](#file) | Read source descriptor from file |
-| [`-t`](#tag), [`--tag stringArray`](#tag) | Set reference for new image |
+| Name | Type | Default | Description |
+| --- | --- | --- | --- |
+| [`--append`](#append) |  |  | Append to existing manifest |
+| [`--builder`](#builder) | `string` |  | Override the configured builder instance |
+| [`--dry-run`](#dry-run) |  |  | Show final image instead of pushing |
+| [`-f`](#file), [`--file`](#file) | `stringArray` |  | Read source descriptor from file |
+| `--progress` | `string` | `auto` | Set type of progress output (`auto`, `plain`, `tty`). Use plain to show container output |
+| [`-t`](#tag), [`--tag`](#tag) | `stringArray` |  | Set reference for new image |
 
 
 <!---MARKER_GEN_END-->
 
 ## Description
 
-Imagetools contains commands for working with manifest lists in the registry.
-These commands are useful for inspecting multi-platform build results.
-
 Create a new manifest list based on source manifests. The source manifests can
 be manifest lists or single platform distribution manifests and must already
 exist in the registry where the new manifest is created. If only one source is
@@ -37,6 +35,10 @@ specified, create performs a carbon copy.
 Use the `--append` flag to append the new sources to an existing manifest list
 in the destination.
 
+### <a name="builder"></a> Override the configured builder instance (--builder)
+
+Same as [`buildx --builder`](buildx.md#builder).
+
 ### <a name="dry-run"></a> Show final image instead of pushing (--dry-run)
 
 Use the `--dry-run` flag to not push the image, just show it.
@@ -53,16 +55,15 @@ or a JSON of OCI descriptor object.
 In order to define annotations or additional platform properties like `os.version` and
 `os.features` you need to add them in the OCI descriptor object encoded in JSON.
 
-```
-docker buildx imagetools inspect --raw alpine | jq '.manifests[0] | .platform."os.version"="10.1"' > descr.json
-docker buildx imagetools create -f descr.json myuser/image
+```console
+$ docker buildx imagetools inspect --raw alpine | jq '.manifests[0] | .platform."os.version"="10.1"' > descr.json
+$ docker buildx imagetools create -f descr.json myuser/image
 ```
 
 The descriptor in the file is merged with existing descriptor in the registry if it exists.
 
 The supported fields for the descriptor are defined in [OCI spec](https://github.com/opencontainers/image-spec/blob/master/descriptor.md#properties) .
 
-
 ### <a name="tag"></a> Set reference for new image  (-t, --tag)
 
 ```
@@ -71,10 +72,7 @@ The supported fields for the descriptor are defined in [OCI spec](https://github
 
 Use the `-t` or `--tag` flag to set the name of the image to be created.
 
-**Examples**
-
 ```console
 $ docker buildx imagetools create --dry-run alpine@sha256:5c40b3c27b9f13c873fefb2139765c56ce97fd50230f1f2d5c91e55dec171907 sha256:c4ba6347b0e4258ce6a6de2401619316f982b7bcc529f73d2a410d0097730204
-
 $ docker buildx imagetools create -t tonistiigi/myapp -f image1 -f image2
 ```

docs/reference/buildx_imagetools_inspect.md

@@ -5,43 +5,628 @@ docker buildx imagetools inspect [OPTIONS] NAME
 ```
 
 <!---MARKER_GEN_START-->
-Show details of image in the registry
+Show details of an image in the registry
 
 ### Options
 
-| Name | Description |
-| --- | --- |
-| `--builder string` | Override the configured builder instance |
-| [`--raw`](#raw) | Show original JSON manifest |
+| Name | Type | Default | Description |
+| --- | --- | --- | --- |
+| [`--builder`](#builder) | `string` |  | Override the configured builder instance |
+| [`--format`](#format) | `string` | `{{.Manifest}}` | Format the output using the given Go template |
+| [`--raw`](#raw) |  |  | Show original, unformatted JSON manifest |
 
 
 <!---MARKER_GEN_END-->
 
 ## Description
 
-Show details of image in the registry.
-
-Example:
+Show details of an image in the registry.
 
 ```console
 $ docker buildx imagetools inspect alpine
-
 Name:      docker.io/library/alpine:latest
 MediaType: application/vnd.docker.distribution.manifest.list.v2+json
-Digest:    sha256:28ef97b8686a0b5399129e9b763d5b7e5ff03576aa5580d6f4182a49c5fe1913
+Digest:    sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300
 
 Manifests:
-  Name:      docker.io/library/alpine:latest@sha256:5c40b3c27b9f13c873fefb2139765c56ce97fd50230f1f2d5c91e55dec171907
+  Name:      docker.io/library/alpine:latest@sha256:e7d88de73db3d3fd9b2d63aa7f447a10fd0220b7cbf39803c803f2af9ba256b3
   MediaType: application/vnd.docker.distribution.manifest.v2+json
   Platform:  linux/amd64
 
-  Name:      docker.io/library/alpine:latest@sha256:c4ba6347b0e4258ce6a6de2401619316f982b7bcc529f73d2a410d0097730204
+  Name:      docker.io/library/alpine:latest@sha256:e047bc2af17934d38c5a7fa9f46d443f1de3a7675546402592ef805cfa929f9d
   MediaType: application/vnd.docker.distribution.manifest.v2+json
   Platform:  linux/arm/v6
- ...
+
+  Name:      docker.io/library/alpine:latest@sha256:8483ecd016885d8dba70426fda133c30466f661bb041490d525658f1aac73822
+  MediaType: application/vnd.docker.distribution.manifest.v2+json
+  Platform:  linux/arm/v7
+
+  Name:      docker.io/library/alpine:latest@sha256:c74f1b1166784193ea6c8f9440263b9be6cae07dfe35e32a5df7a31358ac2060
+  MediaType: application/vnd.docker.distribution.manifest.v2+json
+  Platform:  linux/arm64/v8
+
+  Name:      docker.io/library/alpine:latest@sha256:2689e157117d2da668ad4699549e55eba1ceb79cb7862368b30919f0488213f4
+  MediaType: application/vnd.docker.distribution.manifest.v2+json
+  Platform:  linux/386
+
+  Name:      docker.io/library/alpine:latest@sha256:2042a492bcdd847a01cd7f119cd48caa180da696ed2aedd085001a78664407d6
+  MediaType: application/vnd.docker.distribution.manifest.v2+json
+  Platform:  linux/ppc64le
+
+  Name:      docker.io/library/alpine:latest@sha256:49e322ab6690e73a4909f787bcbdb873631264ff4a108cddfd9f9c249ba1d58e
+  MediaType: application/vnd.docker.distribution.manifest.v2+json
+  Platform:  linux/s390x
+```
+
+## Examples
+
+### <a name="builder"></a> Override the configured builder instance (--builder)
+
+Same as [`buildx --builder`](buildx.md#builder).
+
+### <a name="format"></a> Format the output (--format)
+
+Format the output using the given Go template. Defaults to `{{.Manifest}}` if
+unset. Following fields are available:
+
+* `.Name`: provides the reference of the image
+* `.Manifest`: provides the manifest or manifest list
+* `.Image`: provides the image config
+* `.BuildInfo`: provides [build info from image config](https://github.com/moby/buildkit/blob/master/docs/build-repro.md#image-config)
+
+#### `.Name`
+
+```console
+$ docker buildx imagetools inspect alpine --format "{{.Name}}"
+Name: docker.io/library/alpine:latest
+```
+
+#### `.Manifest`
+
+```console
+$ docker buildx imagetools inspect crazymax/loop --format "{{.Manifest}}"
+Name:      docker.io/crazymax/loop:latest
+MediaType: application/vnd.docker.distribution.manifest.v2+json
+Digest:    sha256:08602e7340970e92bde5e0a2e887c1fde4d9ae753d1e05efb4c8ef3b609f97f1
+```
+
+```console
+$ docker buildx imagetools inspect moby/buildkit:master --format "{{.Manifest}}"
+Name:      docker.io/moby/buildkit:master
+MediaType: application/vnd.docker.distribution.manifest.list.v2+json
+Digest:    sha256:3183f7ce54d1efb44c34b84f428ae10aaf141e553c6b52a7ff44cc7083a05a66
+
+Manifests:
+  Name:      docker.io/moby/buildkit:master@sha256:667d28c9fb33820ce686887a717a148e89fa77f9097f9352996bbcce99d352b1
+  MediaType: application/vnd.docker.distribution.manifest.v2+json
+  Platform:  linux/amd64
+
+  Name:      docker.io/moby/buildkit:master@sha256:71789527b64ab3d7b3de01d364b449cd7f7a3da758218fbf73b9c9aae05a6775
+  MediaType: application/vnd.docker.distribution.manifest.v2+json
+  Platform:  linux/arm/v7
+
+  Name:      docker.io/moby/buildkit:master@sha256:fb64667e1ce6ab0d05478f3a8402af07b27737598dcf9a510fb1d792b13a66be
+  MediaType: application/vnd.docker.distribution.manifest.v2+json
+  Platform:  linux/arm64
+
+  Name:      docker.io/moby/buildkit:master@sha256:1c3ddf95a0788e23f72f25800c05abc4458946685e2b66788c3d978cde6da92b
+  MediaType: application/vnd.docker.distribution.manifest.v2+json
+  Platform:  linux/s390x
+
+  Name:      docker.io/moby/buildkit:master@sha256:05bcde6d460a284e5bc88026cd070277e8380355de3126cbc8fe8a452708c6b1
+  MediaType: application/vnd.docker.distribution.manifest.v2+json
+  Platform:  linux/ppc64le
+
+  Name:      docker.io/moby/buildkit:master@sha256:c04c57765304ab84f4f9807fff3e11605c3a60e16435c734b02c723680f6bd6e
+  MediaType: application/vnd.docker.distribution.manifest.v2+json
+  Platform:  linux/riscv64
+```
+
+#### `.BuildInfo`
+
+```console
+$ docker buildx imagetools inspect crazymax/buildx:buildinfo --format "{{.BuildInfo}}"
+Name: docker.io/crazymax/buildx:buildinfo
+Frontend: dockerfile.v0
+Attrs:
+  filename:      Dockerfile
+  source:        docker/dockerfile-upstream:master-labs
+  build-arg:bar: foo
+  build-arg:foo: bar
+Sources:
+  Type: docker-image
+  Ref:  docker.io/docker/buildx-bin:0.6.1@sha256:a652ced4a4141977c7daaed0a074dcd9844a78d7d2615465b12f433ae6dd29f0
+  Pin:  sha256:a652ced4a4141977c7daaed0a074dcd9844a78d7d2615465b12f433ae6dd29f0
+
+  Type: docker-image
+  Ref:  docker.io/library/alpine:3.13
+  Pin:  sha256:026f721af4cf2843e07bba648e158fb35ecc876d822130633cc49f707f0fc88c
+
+  Type: docker-image
+  Ref:  docker.io/moby/buildkit:v0.9.0
+  Pin:  sha256:8dc668e7f66db1c044aadbed306020743516a94848793e0f81f94a087ee78cab
+
+  Type: docker-image
+  Ref:  docker.io/tonistiigi/xx@sha256:21a61be4744f6531cb5f33b0e6f40ede41fa3a1b8c82d5946178f80cc84bfc04
+  Pin:  sha256:21a61be4744f6531cb5f33b0e6f40ede41fa3a1b8c82d5946178f80cc84bfc04
+
+  Type: http
+  Ref:  https://raw.githubusercontent.com/moby/moby/master/README.md
+  Pin:  sha256:419455202b0ef97e480d7f8199b26a721a417818bc0e2d106975f74323f25e6c
+```
+
+#### JSON output
+
+A `json` go template func is also available if you want to render fields as
+JSON bytes:
+
+```console
+$ docker buildx imagetools inspect crazymax/loop --format "{{json .Manifest}}"
+```
+```json
+{
+  "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+  "digest": "sha256:08602e7340970e92bde5e0a2e887c1fde4d9ae753d1e05efb4c8ef3b609f97f1",
+  "size": 949
+}
+```
+
+```console
+$ docker buildx imagetools inspect moby/buildkit:master --format "{{json .Manifest}}"
+```
+```json
+{
+  "schemaVersion": 2,
+  "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
+  "digest": "sha256:79d97f205e2799d99a3a8ae2a1ef17acb331e11784262c3faada847dc6972c52",
+  "size": 2010,
+  "manifests": [
+    {
+      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+      "digest": "sha256:bd1e78f06de26610fadf4eb9d04b1a45a545799d6342701726e952cc0c11c912",
+      "size": 1158,
+      "platform": {
+        "architecture": "amd64",
+        "os": "linux"
+      }
+    },
+    {
+      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+      "digest": "sha256:d37dcced63ec0965824fca644f0ac9efad8569434ec15b4c83adfcb3dcfc743b",
+      "size": 1158,
+      "platform": {
+        "architecture": "arm",
+        "os": "linux",
+        "variant": "v7"
+      }
+    },
+    {
+      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+      "digest": "sha256:ce142eb2255e6af46f2809e159fd03081697c7605a3de03b9cbe9a52ddb244bf",
+      "size": 1158,
+      "platform": {
+        "architecture": "arm64",
+        "os": "linux"
+      }
+    },
+    {
+      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+      "digest": "sha256:f59bfb5062fff76ce464bfa4e25ebaaaac887d6818238e119d68613c456d360c",
+      "size": 1158,
+      "platform": {
+        "architecture": "s390x",
+        "os": "linux"
+      }
+    },
+    {
+      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+      "digest": "sha256:cc96426e0c50a78105d5637d31356db5dd6ec594f21b24276e534a32da09645c",
+      "size": 1159,
+      "platform": {
+        "architecture": "ppc64le",
+        "os": "linux"
+      }
+    },
+    {
+      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+      "digest": "sha256:39f9c1e2878e6c333acb23187d6b205ce82ed934c60da326cb2c698192631478",
+      "size": 1158,
+      "platform": {
+        "architecture": "riscv64",
+        "os": "linux"
+      }
+    }
+  ]
+}
+```
+
+```console
+$ docker buildx imagetools inspect crazymax/buildx:buildinfo --format "{{json .BuildInfo}}"
+```
+```json
+{
+  "frontend": "dockerfile.v0",
+  "attrs": {
+    "build-arg:bar": "foo",
+    "build-arg:foo": "bar",
+    "filename": "Dockerfile",
+    "source": "crazymax/dockerfile:buildattrs"
+  },
+  "sources": [
+    {
+      "type": "docker-image",
+      "ref": "docker.io/docker/buildx-bin:0.6.1@sha256:a652ced4a4141977c7daaed0a074dcd9844a78d7d2615465b12f433ae6dd29f0",
+      "pin": "sha256:a652ced4a4141977c7daaed0a074dcd9844a78d7d2615465b12f433ae6dd29f0"
+    },
+    {
+      "type": "docker-image",
+      "ref": "docker.io/library/alpine:3.13@sha256:026f721af4cf2843e07bba648e158fb35ecc876d822130633cc49f707f0fc88c",
+      "pin": "sha256:026f721af4cf2843e07bba648e158fb35ecc876d822130633cc49f707f0fc88c"
+    },
+    {
+      "type": "docker-image",
+      "ref": "docker.io/moby/buildkit:v0.9.0@sha256:8dc668e7f66db1c044aadbed306020743516a94848793e0f81f94a087ee78cab",
+      "pin": "sha256:8dc668e7f66db1c044aadbed306020743516a94848793e0f81f94a087ee78cab"
+    },
+    {
+      "type": "docker-image",
+      "ref": "docker.io/tonistiigi/xx@sha256:21a61be4744f6531cb5f33b0e6f40ede41fa3a1b8c82d5946178f80cc84bfc04",
+      "pin": "sha256:21a61be4744f6531cb5f33b0e6f40ede41fa3a1b8c82d5946178f80cc84bfc04"
+    },
+    {
+      "type": "http",
+      "ref": "https://raw.githubusercontent.com/moby/moby/master/README.md",
+      "pin": "sha256:419455202b0ef97e480d7f8199b26a721a417818bc0e2d106975f74323f25e6c"
+    }
+  ]
+}
+```
+
+```console
+$ docker buildx imagetools inspect crazymax/buildx:buildinfo --format "{{json .}}"
+```
+```json
+{
+  "name": "crazymax/buildx:buildinfo",
+  "manifest": {
+    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+    "digest": "sha256:899d2c7acbc124d406820857bb51d9089717bbe4e22b97eb4bc5789e99f09f83",
+    "size": 2628
+  },
+  "image": {
+    "created": "2022-02-24T12:27:43.627154558Z",
+    "architecture": "amd64",
+    "os": "linux",
+    "config": {
+      "Env": [
+        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+        "DOCKER_TLS_CERTDIR=/certs",
+        "DOCKER_CLI_EXPERIMENTAL=enabled"
+      ],
+      "Entrypoint": [
+        "docker-entrypoint.sh"
+      ],
+      "Cmd": [
+        "sh"
+      ]
+    },
+    "rootfs": {
+      "type": "layers",
+      "diff_ids": [
+        "sha256:7fcb75871b2101082203959c83514ac8a9f4ecfee77a0fe9aa73bbe56afdf1b4",
+        "sha256:d3c0b963ff5684160641f936d6a4aa14efc8ff27b6edac255c07f2d03ff92e82",
+        "sha256:3f8d78f13fa9b1f35d3bc3f1351d03a027c38018c37baca73f93eecdea17f244",
+        "sha256:8e6eb1137b182ae0c3f5d40ca46341fda2eaeeeb5fa516a9a2bf96171238e2e0",
+        "sha256:fde4c869a56b54dd76d7352ddaa813fd96202bda30b9dceb2c2f2ad22fa2e6ce",
+        "sha256:52025823edb284321af7846419899234b3c66219bf06061692b709875ed0760f",
+        "sha256:50adb5982dbf6126c7cf279ac3181d1e39fc9116b610b947a3dadae6f7e7c5bc",
+        "sha256:9801c319e1c66c5d295e78b2d3e80547e73c7e3c63a4b71e97c8ca357224af24",
+        "sha256:dfbfac44d5d228c49b42194c8a2f470abd6916d072f612a6fb14318e94fde8ae",
+        "sha256:3dfb74e19dedf61568b917c19b0fd3ee4580870027ca0b6054baf239855d1322",
+        "sha256:b182e707c23e4f19be73f9022a99d2d1ca7bf1ca8f280d40e4d1c10a6f51550e"
+      ]
+    },
+    "history": [
+      {
+        "created": "2021-11-12T17:19:58.698676655Z",
+        "created_by": "/bin/sh -c #(nop) ADD file:5a707b9d6cb5fff532e4c2141bc35707593f21da5528c9e71ae2ddb6ba4a4eb6 in / "
+      },
+      {
+        "created": "2021-11-12T17:19:58.948920855Z",
+        "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
+        "empty_layer": true
+      },
+      {
+        "created": "2022-02-24T12:27:38.285594601Z",
+        "created_by": "RUN /bin/sh -c apk --update --no-cache add     bash     ca-certificates     openssh-client   \u0026\u0026 rm -rf /tmp/* /var/cache/apk/* # buildkit",
+        "comment": "buildkit.dockerfile.v0"
+      },
+      {
+        "created": "2022-02-24T12:27:41.061874167Z",
+        "created_by": "COPY /opt/docker/ /usr/local/bin/ # buildkit",
+        "comment": "buildkit.dockerfile.v0"
+      },
+      {
+        "created": "2022-02-24T12:27:41.174098947Z",
+        "created_by": "COPY /usr/bin/buildctl /usr/local/bin/buildctl # buildkit",
+        "comment": "buildkit.dockerfile.v0"
+      },
+      {
+        "created": "2022-02-24T12:27:41.320343683Z",
+        "created_by": "COPY /usr/bin/buildkit* /usr/local/bin/ # buildkit",
+        "comment": "buildkit.dockerfile.v0"
+      },
+      {
+        "created": "2022-02-24T12:27:41.447149933Z",
+        "created_by": "COPY /buildx /usr/libexec/docker/cli-plugins/docker-buildx # buildkit",
+        "comment": "buildkit.dockerfile.v0"
+      },
+      {
+        "created": "2022-02-24T12:27:43.057722191Z",
+        "created_by": "COPY /opt/docker-compose /usr/libexec/docker/cli-plugins/docker-compose # buildkit",
+        "comment": "buildkit.dockerfile.v0"
+      },
+      {
+        "created": "2022-02-24T12:27:43.145224134Z",
+        "created_by": "ADD https://raw.githubusercontent.com/moby/moby/master/README.md / # buildkit",
+        "comment": "buildkit.dockerfile.v0"
+      },
+      {
+        "created": "2022-02-24T12:27:43.422212427Z",
+        "created_by": "ENV DOCKER_TLS_CERTDIR=/certs",
+        "comment": "buildkit.dockerfile.v0",
+        "empty_layer": true
+      },
+      {
+        "created": "2022-02-24T12:27:43.422212427Z",
+        "created_by": "ENV DOCKER_CLI_EXPERIMENTAL=enabled",
+        "comment": "buildkit.dockerfile.v0",
+        "empty_layer": true
+      },
+      {
+        "created": "2022-02-24T12:27:43.422212427Z",
+        "created_by": "RUN /bin/sh -c docker --version   \u0026\u0026 buildkitd --version   \u0026\u0026 buildctl --version   \u0026\u0026 docker buildx version   \u0026\u0026 docker compose version   \u0026\u0026 mkdir /certs /certs/client   \u0026\u0026 chmod 1777 /certs /certs/client # buildkit",
+        "comment": "buildkit.dockerfile.v0"
+      },
+      {
+        "created": "2022-02-24T12:27:43.514320155Z",
+        "created_by": "COPY rootfs/modprobe.sh /usr/local/bin/modprobe # buildkit",
+        "comment": "buildkit.dockerfile.v0"
+      },
+      {
+        "created": "2022-02-24T12:27:43.627154558Z",
+        "created_by": "COPY rootfs/docker-entrypoint.sh /usr/local/bin/ # buildkit",
+        "comment": "buildkit.dockerfile.v0"
+      },
+      {
+        "created": "2022-02-24T12:27:43.627154558Z",
+        "created_by": "ENTRYPOINT [\"docker-entrypoint.sh\"]",
+        "comment": "buildkit.dockerfile.v0",
+        "empty_layer": true
+      },
+      {
+        "created": "2022-02-24T12:27:43.627154558Z",
+        "created_by": "CMD [\"sh\"]",
+        "comment": "buildkit.dockerfile.v0",
+        "empty_layer": true
+      }
+    ]
+  },
+  "buildinfo": {
+    "frontend": "dockerfile.v0",
+    "attrs": {
+      "build-arg:bar": "foo",
+      "build-arg:foo": "bar",
+      "filename": "Dockerfile",
+      "source": "docker/dockerfile-upstream:master-labs"
+    },
+    "sources": [
+      {
+        "type": "docker-image",
+        "ref": "docker.io/docker/buildx-bin:0.6.1@sha256:a652ced4a4141977c7daaed0a074dcd9844a78d7d2615465b12f433ae6dd29f0",
+        "pin": "sha256:a652ced4a4141977c7daaed0a074dcd9844a78d7d2615465b12f433ae6dd29f0"
+      },
+      {
+        "type": "docker-image",
+        "ref": "docker.io/library/alpine:3.13",
+        "pin": "sha256:026f721af4cf2843e07bba648e158fb35ecc876d822130633cc49f707f0fc88c"
+      },
+      {
+        "type": "docker-image",
+        "ref": "docker.io/moby/buildkit:v0.9.0",
+        "pin": "sha256:8dc668e7f66db1c044aadbed306020743516a94848793e0f81f94a087ee78cab"
+      },
+      {
+        "type": "docker-image",
+        "ref": "docker.io/tonistiigi/xx@sha256:21a61be4744f6531cb5f33b0e6f40ede41fa3a1b8c82d5946178f80cc84bfc04",
+        "pin": "sha256:21a61be4744f6531cb5f33b0e6f40ede41fa3a1b8c82d5946178f80cc84bfc04"
+      },
+      {
+        "type": "http",
+        "ref": "https://raw.githubusercontent.com/moby/moby/master/README.md",
+        "pin": "sha256:419455202b0ef97e480d7f8199b26a721a417818bc0e2d106975f74323f25e6c"
+      }
+    ]
+  }
+}
+```
+
+#### Multi-platform
+
+Multi-platform images are supported for `.Image` and `.BuildInfo` fields. If
+you want to pick up a specific platform, you can specify it using the `index`
+go template function:
+
+```console
+$ docker buildx imagetools inspect --format '{{json (index .Image "linux/s390x")}}' moby/buildkit:master
+```
+```json
+{
+  "created": "2022-02-25T17:13:27.89891722Z",
+  "architecture": "s390x",
+  "os": "linux",
+  "config": {
+    "Env": [
+      "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+    ],
+    "Entrypoint": [
+      "buildkitd"
+    ],
+    "Volumes": {
+      "/var/lib/buildkit": {}
+    }
+  },
+  "rootfs": {
+    "type": "layers",
+    "diff_ids": [
+      "sha256:41048e32d0684349141cf05f629c5fc3c5915d1f3426b66dbb8953a540e01e1e",
+      "sha256:2651209b9208fff6c053bc3c17353cb07874e50f1a9bc96d6afd03aef63de76a",
+      "sha256:6741ed7e73039d853fa8902246a4c7e8bf9dd09652fd1b08251bc5f9e8876a7f",
+      "sha256:92ac046adeeb65c86ae3f0b458dee04ad4a462e417661c04d77642c66494f69b"
+    ]
+  },
+  "history": [
+    {
+      "created": "2021-11-24T20:41:23.709681315Z",
+      "created_by": "/bin/sh -c #(nop) ADD file:cd24c711a2ef431b3ff94f9a02bfc42f159bc60de1d0eceecafea4e8af02441d in / "
+    },
+    {
+      "created": "2021-11-24T20:41:23.94211262Z",
+      "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
+      "empty_layer": true
+    },
+    {
+      "created": "2022-01-26T18:15:21.449825391Z",
+      "created_by": "RUN /bin/sh -c apk add --no-cache fuse3 git openssh pigz xz   \u0026\u0026 ln -s fusermount3 /usr/bin/fusermount # buildkit",
+      "comment": "buildkit.dockerfile.v0"
+    },
+    {
+      "created": "2022-02-24T00:34:00.924540012Z",
+      "created_by": "COPY examples/buildctl-daemonless/buildctl-daemonless.sh /usr/bin/ # buildkit",
+      "comment": "buildkit.dockerfile.v0"
+    },
+    {
+      "created": "2022-02-25T17:13:27.89891722Z",
+      "created_by": "VOLUME [/var/lib/buildkit]",
+      "comment": "buildkit.dockerfile.v0",
+      "empty_layer": true
+    },
+    {
+      "created": "2022-02-25T17:13:27.89891722Z",
+      "created_by": "COPY / /usr/bin/ # buildkit",
+      "comment": "buildkit.dockerfile.v0"
+    },
+    {
+      "created": "2022-02-25T17:13:27.89891722Z",
+      "created_by": "ENTRYPOINT [\"buildkitd\"]",
+      "comment": "buildkit.dockerfile.v0",
+      "empty_layer": true
+    }
+  ]
+}
 ```
 
 ### <a name="raw"></a> Show original, unformatted JSON manifest (--raw)
 
-Use the `--raw` option to print the original JSON bytes instead of the formatted
-output.
+Use the `--raw` option to print the unformatted JSON manifest bytes.
+
+> `jq` is used here to get a better rendering of the output result.
+
+```console
+$ docker buildx imagetools inspect --raw crazymax/loop | jq
+```
+```json
+{
+  "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+  "schemaVersion": 2,
+  "config": {
+    "mediaType": "application/vnd.docker.container.image.v1+json",
+    "digest": "sha256:7ace7d324e79b360b2db8b820d83081863d96d22e734cdf297a8e7fd83f6ceb3",
+    "size": 2298
+  },
+  "layers": [
+    {
+      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+      "digest": "sha256:5843afab387455b37944e709ee8c78d7520df80f8d01cf7f861aae63beeddb6b",
+      "size": 2811478
+    },
+    {
+      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+      "digest": "sha256:726d3732a87e1c430d67e8969de6b222a889d45e045ebae1a008a37ba38f3b1f",
+      "size": 1776812
+    },
+    {
+      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+      "digest": "sha256:5d7cf9b33148a8f220c84f27dd2cfae46aca019a3ea3fbf7274f6d6dbfae8f3b",
+      "size": 382855
+    }
+  ]
+}
+```
+
+```console
+$ docker buildx imagetools inspect --raw moby/buildkit:master | jq
+```
+```json
+{
+  "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
+  "schemaVersion": 2,
+  "manifests": [
+    {
+      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+      "digest": "sha256:667d28c9fb33820ce686887a717a148e89fa77f9097f9352996bbcce99d352b1",
+      "size": 1158,
+      "platform": {
+        "architecture": "amd64",
+        "os": "linux"
+      }
+    },
+    {
+      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+      "digest": "sha256:71789527b64ab3d7b3de01d364b449cd7f7a3da758218fbf73b9c9aae05a6775",
+      "size": 1158,
+      "platform": {
+        "architecture": "arm",
+        "os": "linux",
+        "variant": "v7"
+      }
+    },
+    {
+      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+      "digest": "sha256:fb64667e1ce6ab0d05478f3a8402af07b27737598dcf9a510fb1d792b13a66be",
+      "size": 1158,
+      "platform": {
+        "architecture": "arm64",
+        "os": "linux"
+      }
+    },
+    {
+      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+      "digest": "sha256:1c3ddf95a0788e23f72f25800c05abc4458946685e2b66788c3d978cde6da92b",
+      "size": 1158,
+      "platform": {
+        "architecture": "s390x",
+        "os": "linux"
+      }
+    },
+    {
+      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+      "digest": "sha256:05bcde6d460a284e5bc88026cd070277e8380355de3126cbc8fe8a452708c6b1",
+      "size": 1159,
+      "platform": {
+        "architecture": "ppc64le",
+        "os": "linux"
+      }
+    },
+    {
+      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+      "digest": "sha256:c04c57765304ab84f4f9807fff3e11605c3a60e16435c734b02c723680f6bd6e",
+      "size": 1158,
+      "platform": {
+        "architecture": "riscv64",
+        "os": "linux"
+      }
+    }
+  ]
+}
+```

docs/reference/buildx_inspect.md

@@ -9,10 +9,10 @@ Inspect current builder instance
 
 ### Options
 
-| Name | Description |
-| --- | --- |
-| [`--bootstrap`](#bootstrap) | Ensure builder has booted before inspecting |
-| `--builder string` | Override the configured builder instance |
+| Name | Type | Default | Description |
+| --- | --- | --- | --- |
+| [`--bootstrap`](#bootstrap) |  |  | Ensure builder has booted before inspecting |
+| [`--builder`](#builder) | `string` |  | Override the configured builder instance |
 
 
 <!---MARKER_GEN_END-->
@@ -23,6 +23,19 @@ Shows information about the current or specified builder.
 
 ## Examples
 
+### <a name="bootstrap"></a> Ensure that the builder is running before inspecting (--bootstrap)
+
+Use the `--bootstrap` option to ensure that the builder is running before
+inspecting it. If the driver is `docker-container`, then `--bootstrap` starts
+the buildkit container and waits until it is operational. Bootstrapping is
+automatically done during build, and therefore not necessary. The same BuildKit
+container is used during the lifetime of the associated builder node (as
+displayed in `buildx ls`).
+
+### <a name="builder"></a> Override the configured builder instance (--builder)
+
+Same as [`buildx --builder`](buildx.md#builder).
+
 ### Get information about a builder instance
 
 By default, `inspect` shows information about the current builder. Specify the
@@ -30,6 +43,10 @@ name of the builder to inspect to get information about that builder.
 The following example shows information about a builder instance named
 `elated_tesla`:
 
+> **Note**
+> 
+> Asterisk `*` next to node build platform(s) indicate they had been set manually during `buildx create`. Otherwise, it had been autodetected.
+
 ```console
 $ docker buildx inspect elated_tesla
 
@@ -45,14 +62,5 @@ Platforms: linux/amd64
 Name:      elated_tesla1
 Endpoint:  ssh://ubuntu@1.2.3.4
 Status:    running
-Platforms: linux/arm64, linux/arm/v7, linux/arm/v6
+Platforms: linux/arm64*, linux/arm/v7, linux/arm/v6
 ```
-
-### <a name="bootstrap"></a> Ensure that the builder is running before inspecting (--bootstrap)
-
-Use the `--bootstrap` option to ensure that the builder is running before
-inspecting it. If the driver is `docker-container`, then `--bootstrap` starts
-the buildkit container and waits until it is operational. Bootstrapping is
-automatically done during build, and therefore not necessary. The same BuildKit
-container is used during the lifetime of the associated builder node (as
-displayed in `buildx ls`).

docs/reference/buildx_ls.md

@@ -14,18 +14,16 @@ List builder instances
 
 Lists all builder instances and the nodes for each instance
 
-**Example**
-
 ```console
 $ docker buildx ls
-
-NAME/NODE       DRIVER/ENDPOINT             STATUS  PLATFORMS
+NAME/NODE       DRIVER/ENDPOINT             STATUS  BUILDKIT PLATFORMS
 elated_tesla *  docker-container
-  elated_tesla0 unix:///var/run/docker.sock running linux/amd64
-  elated_tesla1 ssh://ubuntu@1.2.3.4        running linux/arm64, linux/arm/v7, linux/arm/v6
+  elated_tesla0 unix:///var/run/docker.sock running v0.10.3  linux/amd64
+  elated_tesla1 ssh://ubuntu@1.2.3.4        running v0.10.3  linux/arm64*, linux/arm/v7, linux/arm/v6
 default         docker
-  default       default                     running linux/amd64
+  default       default                     running 20.10.14 linux/amd64
 ```
 
 Each builder has one or more nodes associated with it. The current builder's
-name is marked with a `*`.
+name is marked with a `*` in `NAME/NODE` and explicit node to build against for
+the target platform marked with a `*` in the `PLATFORMS` column.

docs/reference/buildx_prune.md

@@ -9,15 +9,20 @@ Remove build cache
 
 ### Options
 
-| Name | Description |
-| --- | --- |
-| `-a`, `--all` | Remove all unused images, not just dangling ones |
-| `--builder string` | Override the configured builder instance |
-| `--filter filter` | Provide filter values (e.g. 'until=24h') |
-| `-f`, `--force` | Do not prompt for confirmation |
-| `--keep-storage bytes` | Amount of disk space to keep for cache |
-| `--verbose` | Provide a more verbose output |
+| Name | Type | Default | Description |
+| --- | --- | --- | --- |
+| `-a`, `--all` |  |  | Remove all unused images, not just dangling ones |
+| [`--builder`](#builder) | `string` |  | Override the configured builder instance |
+| `--filter` | `filter` |  | Provide filter values (e.g., `until=24h`) |
+| `-f`, `--force` |  |  | Do not prompt for confirmation |
+| `--keep-storage` | `bytes` | `0` | Amount of disk space to keep for cache |
+| `--verbose` |  |  | Provide a more verbose output |
 
 
 <!---MARKER_GEN_END-->
 
+## Examples
+
+### <a name="builder"></a> Override the configured builder instance (--builder)
+
+Same as [`buildx --builder`](buildx.md#builder).

docs/reference/buildx_rm.md

@@ -9,10 +9,13 @@ Remove a builder instance
 
 ### Options
 
-| Name | Description |
-| --- | --- |
-| `--builder string` | Override the configured builder instance |
-| [`--keep-state`](#keep-state) | Keep BuildKit state |
+| Name | Type | Default | Description |
+| --- | --- | --- | --- |
+| [`--all-inactive`](#all-inactive) |  |  | Remove all inactive builders |
+| [`--builder`](#builder) | `string` |  | Override the configured builder instance |
+| [`-f`](#force), [`--force`](#force) |  |  | Do not prompt for confirmation |
+| [`--keep-daemon`](#keep-daemon) |  |  | Keep the buildkitd daemon running |
+| [`--keep-state`](#keep-state) |  |  | Keep BuildKit state |
 
 
 <!---MARKER_GEN_END-->
@@ -24,6 +27,32 @@ default builder.
 
 ## Examples
 
+### <a name="all-inactive"></a> Remove all inactive builders (--all-inactive)
+
+Remove builders that are not in running state.
+
+```console
+$ docker buildx rm --all-inactive
+WARNING! This will remove all builders that are not in running state. Are you sure you want to continue? [y/N] y
+```
+
+### <a name="builder"></a> Override the configured builder instance (--builder)
+
+Same as [`buildx --builder`](buildx.md#builder).
+
+### <a name="force"></a> Do not prompt for confirmation (--force)
+
+Do not prompt for confirmation before removing inactive builders.
+
+```console
+$ docker buildx rm --all-inactive --force
+```
+
+### <a name="keep-daemon"></a> Keep the buildkitd daemon running (--keep-daemon)
+
+Keep the buildkitd daemon running after the buildx context is removed. This is useful when you manage buildkitd daemons and buildx contexts independently.
+Currently, only supported by the [`docker-container` and `kubernetes` drivers](buildx_create.md#driver).
+
 ### <a name="keep-state"></a> Keep BuildKit state (--keep-state)
 
 Keep BuildKit state, so it can be reused by a new builder with the same name.

docs/reference/buildx_stop.md

@@ -7,6 +7,12 @@ docker buildx stop [NAME]
 <!---MARKER_GEN_START-->
 Stop builder instance
 
+### Options
+
+| Name | Type | Default | Description |
+| --- | --- | --- | --- |
+| [`--builder`](#builder) | `string` |  | Override the configured builder instance |
+
 
 <!---MARKER_GEN_END-->
 
@@ -14,3 +20,9 @@ Stop builder instance
 
 Stops the specified or current builder. This will not prevent buildx build to
 restart the builder. The implementation of stop depends on the driver.
+
+## Examples
+
+### <a name="builder"></a> Override the configured builder instance (--builder)
+
+Same as [`buildx --builder`](buildx.md#builder).

docs/reference/buildx_use.md

@@ -9,11 +9,11 @@ Set the current builder instance
 
 ### Options
 
-| Name | Description |
-| --- | --- |
-| `--builder string` | Override the configured builder instance |
-| `--default` | Set builder as default for current context |
-| `--global` | Builder persists context changes |
+| Name | Type | Default | Description |
+| --- | --- | --- | --- |
+| [`--builder`](#builder) | `string` |  | Override the configured builder instance |
+| `--default` |  |  | Set builder as default for current context |
+| `--global` |  |  | Builder persists context changes |
 
 
 <!---MARKER_GEN_END-->
@@ -23,3 +23,9 @@ Set the current builder instance
 Switches the current builder instance. Build commands invoked after this command
 will run on a specified builder. Alternatively, a context name can be used to
 switch to the default builder of that context.
+
+## Examples
+
+### <a name="builder"></a> Override the configured builder instance (--builder)
+
+Same as [`buildx --builder`](buildx.md#builder).

docs/reference/buildx_version.md

@@ -10,10 +10,9 @@ Show buildx version information
 
 <!---MARKER_GEN_END-->
 
-## Examples
-
-### View version information
+## Description
 
+View version information
 
 ```console
 $ docker buildx version

driver/bkimage/bkimage.go

@@ -2,5 +2,6 @@ package bkimage
 
 const (
 	DefaultImage         = "moby/buildkit:buildx-stable-1" // TODO: make this verified
+	QemuImage            = "tonistiigi/binfmt:latest"      // TODO: make this verified
 	DefaultRootlessImage = DefaultImage + "-rootless"
 )

driver/docker-container/driver.go

@@ -1,17 +1,19 @@
 package docker
 
 import (
-	"archive/tar"
 	"bytes"
 	"context"
 	"io"
-	"io/ioutil"
 	"net"
 	"os"
+	"path"
+	"path/filepath"
+	"strings"
 	"time"
 
 	"github.com/docker/buildx/driver"
 	"github.com/docker/buildx/driver/bkimage"
+	"github.com/docker/buildx/util/confutil"
 	"github.com/docker/buildx/util/imagetools"
 	"github.com/docker/buildx/util/progress"
 	"github.com/docker/docker/api/types"
@@ -20,6 +22,8 @@ import (
 	"github.com/docker/docker/api/types/mount"
 	"github.com/docker/docker/api/types/network"
 	dockerclient "github.com/docker/docker/client"
+	dockerarchive "github.com/docker/docker/pkg/archive"
+	"github.com/docker/docker/pkg/idtools"
 	"github.com/docker/docker/pkg/stdcopy"
 	"github.com/moby/buildkit/client"
 	"github.com/moby/buildkit/util/tracing/detect"
@@ -28,20 +32,16 @@ import (
 
 const (
 	volumeStateSuffix = "_state"
-
-	// containerStateDir is the location where buildkitd inside the container
-	// stores its state. The container driver creates a Linux container, so
-	// this should match the location for Linux, as defined in:
-	// https://github.com/moby/buildkit/blob/v0.9.0/util/appdefaults/appdefaults_unix.go#L11-L15
-	containerBuildKitRootDir = "/var/lib/buildkit"
 )
 
 type Driver struct {
 	driver.InitConfig
-	factory driver.Factory
-	netMode string
-	image   string
-	env     []string
+	factory      driver.Factory
+	userNSRemap  bool // true if dockerd is running with userns-remap mode
+	netMode      string
+	image        string
+	cgroupParent string
+	env          []string
 }
 
 func (d *Driver) IsMobyDriver() bool {
@@ -90,7 +90,7 @@ func (d *Driver) create(ctx context.Context, l progress.SubLogger) error {
 		if err != nil {
 			return err
 		}
-		_, err = io.Copy(ioutil.Discard, rc)
+		_, err = io.Copy(io.Discard, rc)
 		return err
 	}); err != nil {
 		// image pulling failed, check if it exists in local image store.
@@ -113,30 +113,34 @@ func (d *Driver) create(ctx context.Context, l progress.SubLogger) error {
 	if err := l.Wrap("creating container "+d.Name, func() error {
 		hc := &container.HostConfig{
 			Privileged: true,
-			UsernsMode: "host",
 			Mounts: []mount.Mount{
 				{
 					Type:   mount.TypeVolume,
 					Source: d.Name + volumeStateSuffix,
-					Target: containerBuildKitRootDir,
+					Target: confutil.DefaultBuildKitStateDir,
 				},
 			},
 		}
+		if d.userNSRemap {
+			hc.UsernsMode = "host"
+		}
 		if d.netMode != "" {
 			hc.NetworkMode = container.NetworkMode(d.netMode)
 		}
+		if info, err := d.DockerAPI.Info(ctx); err == nil && info.CgroupDriver == "cgroupfs" {
+			// Place all buildkit containers inside this cgroup by default so limits can be attached
+			// to all build activity on the host.
+			hc.CgroupParent = "/docker/buildx"
+			if d.cgroupParent != "" {
+				hc.CgroupParent = d.cgroupParent
+			}
+		}
 		_, err := d.DockerAPI.ContainerCreate(ctx, cfg, hc, &network.NetworkingConfig{}, nil, d.Name)
 		if err != nil {
 			return err
 		}
-		if f := d.InitConfig.ConfigFile; f != "" {
-			buf, err := readFileToTar(f)
-			if err != nil {
-				return err
-			}
-			if err := d.DockerAPI.CopyToContainer(ctx, d.Name, "/", buf, dockertypes.CopyToContainerOptions{}); err != nil {
-				return err
-			}
+		if err := d.copyToContainer(ctx, d.InitConfig.Files); err != nil {
+			return err
 		}
 		if err := d.start(ctx, l); err != nil {
 			return err
@@ -196,6 +200,24 @@ func (d *Driver) copyLogs(ctx context.Context, l progress.SubLogger) error {
 	return rc.Close()
 }
 
+func (d *Driver) copyToContainer(ctx context.Context, files map[string][]byte) error {
+	srcPath, err := writeConfigFiles(files)
+	if err != nil {
+		return err
+	}
+	if srcPath != "" {
+		defer os.RemoveAll(srcPath)
+	}
+	srcArchive, err := dockerarchive.TarWithOptions(srcPath, &dockerarchive.TarOptions{
+		ChownOpts: &idtools.Identity{UID: 0, GID: 0},
+	})
+	if err != nil {
+		return err
+	}
+	defer srcArchive.Close()
+	return d.DockerAPI.CopyToContainer(ctx, d.Name, "/", srcArchive, dockertypes.CopyToContainerOptions{})
+}
+
 func (d *Driver) exec(ctx context.Context, cmd []string) (string, net.Conn, error) {
 	execConfig := types.ExecConfig{
 		Cmd:          cmd,
@@ -265,18 +287,34 @@ func (d *Driver) Info(ctx context.Context) (*driver.Info, error) {
 	}, nil
 }
 
+func (d *Driver) Version(ctx context.Context) (string, error) {
+	bufStdout := &bytes.Buffer{}
+	bufStderr := &bytes.Buffer{}
+	if err := d.run(ctx, []string{"buildkitd", "--version"}, bufStdout, bufStderr); err != nil {
+		if bufStderr.Len() > 0 {
+			return "", errors.Wrap(err, bufStderr.String())
+		}
+		return "", err
+	}
+	version := strings.Fields(bufStdout.String())
+	if len(version) != 4 {
+		return "", errors.Errorf("unexpected version format: %s", bufStdout.String())
+	}
+	return version[2], nil
+}
+
 func (d *Driver) Stop(ctx context.Context, force bool) error {
 	info, err := d.Info(ctx)
 	if err != nil {
 		return err
 	}
 	if info.Status == driver.Running {
-		return d.DockerAPI.ContainerStop(ctx, d.Name, nil)
+		return d.DockerAPI.ContainerStop(ctx, d.Name, container.StopOptions{})
 	}
 	return nil
 }
 
-func (d *Driver) Rm(ctx context.Context, force bool, rmVolume bool) error {
+func (d *Driver) Rm(ctx context.Context, force, rmVolume, rmDaemon bool) error {
 	info, err := d.Info(ctx)
 	if err != nil {
 		return err
@@ -286,20 +324,22 @@ func (d *Driver) Rm(ctx context.Context, force bool, rmVolume bool) error {
 		if err != nil {
 			return err
 		}
-		if err := d.DockerAPI.ContainerRemove(ctx, d.Name, dockertypes.ContainerRemoveOptions{
-			RemoveVolumes: true,
-			Force:         force,
-		}); err != nil {
-			return err
-		}
-		for _, v := range container.Mounts {
-			if v.Name == d.Name+volumeStateSuffix {
+		if rmDaemon {
+			if err := d.DockerAPI.ContainerRemove(ctx, d.Name, dockertypes.ContainerRemoveOptions{
+				RemoveVolumes: true,
+				Force:         force,
+			}); err != nil {
+				return err
+			}
+			for _, v := range container.Mounts {
+				if v.Name != d.Name+volumeStateSuffix {
+					continue
+				}
 				if rmVolume {
 					return d.DockerAPI.VolumeRemove(ctx, d.Name+volumeStateSuffix, false)
 				}
 			}
 		}
-
 	}
 	return nil
 }
@@ -357,29 +397,6 @@ func (d *demux) Read(dt []byte) (int, error) {
 	return d.Reader.Read(dt)
 }
 
-func readFileToTar(fn string) (*bytes.Buffer, error) {
-	buf := bytes.NewBuffer(nil)
-	tw := tar.NewWriter(buf)
-	dt, err := ioutil.ReadFile(fn)
-	if err != nil {
-		return nil, err
-	}
-	if err := tw.WriteHeader(&tar.Header{
-		Name: "/etc/buildkit/buildkitd.toml",
-		Size: int64(len(dt)),
-		Mode: 0644,
-	}); err != nil {
-		return nil, err
-	}
-	if _, err := tw.Write(dt); err != nil {
-		return nil, err
-	}
-	if err := tw.Close(); err != nil {
-		return nil, err
-	}
-	return buf, nil
-}
-
 type logWriter struct {
 	logger progress.SubLogger
 	stream int
@@ -389,3 +406,27 @@ func (l *logWriter) Write(dt []byte) (int, error) {
 	l.logger.Log(l.stream, dt)
 	return len(dt), nil
 }
+
+func writeConfigFiles(m map[string][]byte) (_ string, err error) {
+	// Temp dir that will be copied to the container
+	tmpDir, err := os.MkdirTemp("", "buildkitd-config")
+	if err != nil {
+		return "", err
+	}
+	defer func() {
+		if err != nil {
+			os.RemoveAll(tmpDir)
+		}
+	}()
+	for f, dt := range m {
+		f = path.Join(confutil.DefaultBuildKitConfigDir, f)
+		p := filepath.Join(tmpDir, f)
+		if err := os.MkdirAll(filepath.Dir(p), 0700); err != nil {
+			return "", err
+		}
+		if err := os.WriteFile(p, dt, 0600); err != nil {
+			return "", err
+		}
+	}
+	return tmpDir, nil
+}

driver/docker-container/factory.go

@@ -6,6 +6,7 @@ import (
 	"strings"
 
 	"github.com/docker/buildx/driver"
+	dockertypes "github.com/docker/docker/api/types"
 	dockerclient "github.com/docker/docker/client"
 	"github.com/pkg/errors"
 )
@@ -28,7 +29,7 @@ func (*factory) Usage() string {
 	return "docker-container"
 }
 
-func (*factory) Priority(ctx context.Context, api dockerclient.APIClient) int {
+func (*factory) Priority(ctx context.Context, endpoint string, api dockerclient.APIClient) int {
 	if api == nil {
 		return priorityUnsupported
 	}
@@ -40,6 +41,20 @@ func (f *factory) New(ctx context.Context, cfg driver.InitConfig) (driver.Driver
 		return nil, errors.Errorf("%s driver requires docker API access", f.Name())
 	}
 	d := &Driver{factory: f, InitConfig: cfg}
+	dockerInfo, err := cfg.DockerAPI.Info(ctx)
+	if err != nil {
+		return nil, err
+	}
+	secOpts, err := dockertypes.DecodeSecurityOptions(dockerInfo.SecurityOptions)
+	if err != nil {
+		return nil, err
+	}
+	for _, f := range secOpts {
+		if f.Name == "userns" {
+			d.userNSRemap = true
+			break
+		}
+	}
 	for k, v := range cfg.DriverOpts {
 		switch {
 		case k == "network":
@@ -49,6 +64,8 @@ func (f *factory) New(ctx context.Context, cfg driver.InitConfig) (driver.Driver
 			}
 		case k == "image":
 			d.image = v
+		case k == "cgroup-parent":
+			d.cgroupParent = v
 		case strings.HasPrefix(k, "env."):
 			envName := strings.TrimPrefix(k, "env.")
 			if envName == "" {

driver/docker/driver.go

@@ -29,17 +29,27 @@ func (d *Driver) Info(ctx context.Context) (*driver.Info, error) {
 	}, nil
 }
 
+func (d *Driver) Version(ctx context.Context) (string, error) {
+	v, err := d.DockerAPI.ServerVersion(ctx)
+	if err != nil {
+		return "", errors.Wrapf(driver.ErrNotConnecting, err.Error())
+	}
+	return v.Version, nil
+}
+
 func (d *Driver) Stop(ctx context.Context, force bool) error {
 	return nil
 }
 
-func (d *Driver) Rm(ctx context.Context, force bool, rmVolume bool) error {
+func (d *Driver) Rm(ctx context.Context, force, rmVolume, rmDaemon bool) error {
 	return nil
 }
 
 func (d *Driver) Client(ctx context.Context) (*client.Client, error) {
 	return client.New(ctx, "", client.WithContextDialer(func(context.Context, string) (net.Conn, error) {
 		return d.DockerAPI.DialHijack(ctx, "/grpc", "h2c", nil)
+	}), client.WithSessionDialer(func(ctx context.Context, proto string, meta map[string][]string) (net.Conn, error) {
+		return d.DockerAPI.DialHijack(ctx, "/session", proto, meta)
 	}))
 }
 

driver/docker/factory.go

@@ -26,7 +26,7 @@ func (*factory) Usage() string {
 	return "docker"
 }
 
-func (*factory) Priority(ctx context.Context, api dockerclient.APIClient) int {
+func (*factory) Priority(ctx context.Context, endpoint string, api dockerclient.APIClient) int {
 	if api == nil {
 		return priorityUnsupported
 	}
@@ -44,7 +44,7 @@ func (f *factory) New(ctx context.Context, cfg driver.InitConfig) (driver.Driver
 	if cfg.DockerAPI == nil {
 		return nil, errors.Errorf("docker driver requires docker API access")
 	}
-	if cfg.ConfigFile != "" {
+	if len(cfg.Files) > 0 {
 		return nil, errors.Errorf("setting config file is not supported for docker driver, use dockerd configuration file")
 	}
 

driver/driver.go

@@ -53,8 +53,9 @@ type Driver interface {
 	Factory() Factory
 	Bootstrap(context.Context, progress.Logger) error
 	Info(context.Context) (*Info, error)
+	Version(context.Context) (string, error)
 	Stop(ctx context.Context, force bool) error
-	Rm(ctx context.Context, force bool, rmVolume bool) error
+	Rm(ctx context.Context, force, rmVolume, rmDaemon bool) error
 	Client(ctx context.Context) (*client.Client, error)
 	Features() map[Feature]bool
 	IsMobyDriver() bool

driver/kubernetes/context/constants.go

@@ -1,4 +1,4 @@
-package kubernetes
+package context
 
 const (
 	// KubernetesEndpoint is the kubernetes endpoint name in a stored context

driver/kubernetes/context/endpoint_test.go

@@ -0,0 +1,224 @@
+package context
+
+import (
+	"os"
+	"testing"
+
+	"github.com/docker/cli/cli/context"
+	"github.com/docker/cli/cli/context/store"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"k8s.io/client-go/tools/clientcmd"
+	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
+)
+
+func testEndpoint(server, defaultNamespace string, ca, cert, key []byte, skipTLSVerify bool) Endpoint {
+	var tlsData *context.TLSData
+	if ca != nil || cert != nil || key != nil {
+		tlsData = &context.TLSData{
+			CA:   ca,
+			Cert: cert,
+			Key:  key,
+		}
+	}
+	return Endpoint{
+		EndpointMeta: EndpointMeta{
+			EndpointMetaBase: context.EndpointMetaBase{
+				Host:          server,
+				SkipTLSVerify: skipTLSVerify,
+			},
+			DefaultNamespace: defaultNamespace,
+		},
+		TLSData: tlsData,
+	}
+}
+
+var testStoreCfg = store.NewConfig(
+	func() interface{} {
+		return &map[string]interface{}{}
+	},
+	store.EndpointTypeGetter(KubernetesEndpoint, func() interface{} { return &EndpointMeta{} }),
+)
+
+func TestSaveLoadContexts(t *testing.T) {
+	storeDir, err := os.MkdirTemp("", "test-load-save-k8-context")
+	require.NoError(t, err)
+	defer os.RemoveAll(storeDir)
+	store := store.New(storeDir, testStoreCfg)
+	require.NoError(t, save(store, testEndpoint("https://test", "test", nil, nil, nil, false), "raw-notls"))
+	require.NoError(t, save(store, testEndpoint("https://test", "test", nil, nil, nil, true), "raw-notls-skip"))
+	require.NoError(t, save(store, testEndpoint("https://test", "test", []byte("ca"), []byte("cert"), []byte("key"), true), "raw-tls"))
+
+	kcFile, err := os.CreateTemp(os.TempDir(), "test-load-save-k8-context")
+	require.NoError(t, err)
+	defer os.Remove(kcFile.Name())
+	defer kcFile.Close()
+	cfg := clientcmdapi.NewConfig()
+	cfg.AuthInfos["user"] = clientcmdapi.NewAuthInfo()
+	cfg.Contexts["context1"] = clientcmdapi.NewContext()
+	cfg.Clusters["cluster1"] = clientcmdapi.NewCluster()
+	cfg.Contexts["context2"] = clientcmdapi.NewContext()
+	cfg.Clusters["cluster2"] = clientcmdapi.NewCluster()
+	cfg.AuthInfos["user"].ClientCertificateData = []byte("cert")
+	cfg.AuthInfos["user"].ClientKeyData = []byte("key")
+	cfg.Clusters["cluster1"].Server = "https://server1"
+	cfg.Clusters["cluster1"].InsecureSkipTLSVerify = true
+	cfg.Clusters["cluster2"].Server = "https://server2"
+	cfg.Clusters["cluster2"].CertificateAuthorityData = []byte("ca")
+	cfg.Contexts["context1"].AuthInfo = "user"
+	cfg.Contexts["context1"].Cluster = "cluster1"
+	cfg.Contexts["context1"].Namespace = "namespace1"
+	cfg.Contexts["context2"].AuthInfo = "user"
+	cfg.Contexts["context2"].Cluster = "cluster2"
+	cfg.Contexts["context2"].Namespace = "namespace2"
+	cfg.CurrentContext = "context1"
+	cfgData, err := clientcmd.Write(*cfg)
+	require.NoError(t, err)
+	_, err = kcFile.Write(cfgData)
+	require.NoError(t, err)
+	kcFile.Close()
+
+	epDefault, err := FromKubeConfig(kcFile.Name(), "", "")
+	require.NoError(t, err)
+	epContext2, err := FromKubeConfig(kcFile.Name(), "context2", "namespace-override")
+	require.NoError(t, err)
+	require.NoError(t, save(store, epDefault, "embed-default-context"))
+	require.NoError(t, save(store, epContext2, "embed-context2"))
+
+	rawNoTLSMeta, err := store.GetMetadata("raw-notls")
+	require.NoError(t, err)
+	rawNoTLSSkipMeta, err := store.GetMetadata("raw-notls-skip")
+	require.NoError(t, err)
+	rawTLSMeta, err := store.GetMetadata("raw-tls")
+	require.NoError(t, err)
+	embededDefaultMeta, err := store.GetMetadata("embed-default-context")
+	require.NoError(t, err)
+	embededContext2Meta, err := store.GetMetadata("embed-context2")
+	require.NoError(t, err)
+
+	rawNoTLS := EndpointFromContext(rawNoTLSMeta)
+	rawNoTLSSkip := EndpointFromContext(rawNoTLSSkipMeta)
+	rawTLS := EndpointFromContext(rawTLSMeta)
+	embededDefault := EndpointFromContext(embededDefaultMeta)
+	embededContext2 := EndpointFromContext(embededContext2Meta)
+
+	rawNoTLSEP, err := rawNoTLS.WithTLSData(store, "raw-notls")
+	require.NoError(t, err)
+	checkClientConfig(t, rawNoTLSEP, "https://test", "test", nil, nil, nil, false)
+	rawNoTLSSkipEP, err := rawNoTLSSkip.WithTLSData(store, "raw-notls-skip")
+	require.NoError(t, err)
+	checkClientConfig(t, rawNoTLSSkipEP, "https://test", "test", nil, nil, nil, true)
+	rawTLSEP, err := rawTLS.WithTLSData(store, "raw-tls")
+	require.NoError(t, err)
+	checkClientConfig(t, rawTLSEP, "https://test", "test", []byte("ca"), []byte("cert"), []byte("key"), true)
+	embededDefaultEP, err := embededDefault.WithTLSData(store, "embed-default-context")
+	require.NoError(t, err)
+	checkClientConfig(t, embededDefaultEP, "https://server1", "namespace1", nil, []byte("cert"), []byte("key"), true)
+	embededContext2EP, err := embededContext2.WithTLSData(store, "embed-context2")
+	require.NoError(t, err)
+	checkClientConfig(t, embededContext2EP, "https://server2", "namespace-override", []byte("ca"), []byte("cert"), []byte("key"), false)
+}
+
+func checkClientConfig(t *testing.T, ep Endpoint, server, namespace string, ca, cert, key []byte, skipTLSVerify bool) {
+	config := ep.KubernetesConfig()
+	cfg, err := config.ClientConfig()
+	require.NoError(t, err)
+	ns, _, _ := config.Namespace()
+	assert.Equal(t, server, cfg.Host)
+	assert.Equal(t, namespace, ns)
+	assert.Equal(t, ca, cfg.CAData)
+	assert.Equal(t, cert, cfg.CertData)
+	assert.Equal(t, key, cfg.KeyData)
+	assert.Equal(t, skipTLSVerify, cfg.Insecure)
+}
+
+func save(s store.Writer, ep Endpoint, name string) error {
+	meta := store.Metadata{
+		Endpoints: map[string]interface{}{
+			KubernetesEndpoint: ep.EndpointMeta,
+		},
+		Name: name,
+	}
+	if err := s.CreateOrUpdate(meta); err != nil {
+		return err
+	}
+	return s.ResetEndpointTLSMaterial(name, KubernetesEndpoint, ep.TLSData.ToStoreTLSData())
+}
+
+func TestSaveLoadGKEConfig(t *testing.T) {
+	storeDir, err := os.MkdirTemp("", t.Name())
+	require.NoError(t, err)
+	defer os.RemoveAll(storeDir)
+	store := store.New(storeDir, testStoreCfg)
+	cfg, err := clientcmd.LoadFromFile("fixtures/gke-kubeconfig")
+	require.NoError(t, err)
+	clientCfg := clientcmd.NewDefaultClientConfig(*cfg, &clientcmd.ConfigOverrides{})
+	expectedCfg, err := clientCfg.ClientConfig()
+	require.NoError(t, err)
+	ep, err := FromKubeConfig("fixtures/gke-kubeconfig", "", "")
+	require.NoError(t, err)
+	require.NoError(t, save(store, ep, "gke-context"))
+	persistedMetadata, err := store.GetMetadata("gke-context")
+	require.NoError(t, err)
+	persistedEPMeta := EndpointFromContext(persistedMetadata)
+	assert.True(t, persistedEPMeta != nil)
+	persistedEP, err := persistedEPMeta.WithTLSData(store, "gke-context")
+	require.NoError(t, err)
+	persistedCfg := persistedEP.KubernetesConfig()
+	actualCfg, err := persistedCfg.ClientConfig()
+	require.NoError(t, err)
+	assert.Equal(t, expectedCfg.AuthProvider, actualCfg.AuthProvider)
+}
+
+func TestSaveLoadEKSConfig(t *testing.T) {
+	storeDir, err := os.MkdirTemp("", t.Name())
+	require.NoError(t, err)
+	defer os.RemoveAll(storeDir)
+	store := store.New(storeDir, testStoreCfg)
+	cfg, err := clientcmd.LoadFromFile("fixtures/eks-kubeconfig")
+	require.NoError(t, err)
+	clientCfg := clientcmd.NewDefaultClientConfig(*cfg, &clientcmd.ConfigOverrides{})
+	expectedCfg, err := clientCfg.ClientConfig()
+	require.NoError(t, err)
+	ep, err := FromKubeConfig("fixtures/eks-kubeconfig", "", "")
+	require.NoError(t, err)
+	require.NoError(t, save(store, ep, "eks-context"))
+	persistedMetadata, err := store.GetMetadata("eks-context")
+	require.NoError(t, err)
+	persistedEPMeta := EndpointFromContext(persistedMetadata)
+	assert.True(t, persistedEPMeta != nil)
+	persistedEP, err := persistedEPMeta.WithTLSData(store, "eks-context")
+	require.NoError(t, err)
+	persistedCfg := persistedEP.KubernetesConfig()
+	actualCfg, err := persistedCfg.ClientConfig()
+	require.NoError(t, err)
+	assert.Equal(t, expectedCfg.ExecProvider, actualCfg.ExecProvider)
+}
+
+func TestSaveLoadK3SConfig(t *testing.T) {
+	storeDir, err := os.MkdirTemp("", t.Name())
+	require.NoError(t, err)
+	defer os.RemoveAll(storeDir)
+	store := store.New(storeDir, testStoreCfg)
+	cfg, err := clientcmd.LoadFromFile("fixtures/k3s-kubeconfig")
+	require.NoError(t, err)
+	clientCfg := clientcmd.NewDefaultClientConfig(*cfg, &clientcmd.ConfigOverrides{})
+	expectedCfg, err := clientCfg.ClientConfig()
+	require.NoError(t, err)
+	ep, err := FromKubeConfig("fixtures/k3s-kubeconfig", "", "")
+	require.NoError(t, err)
+	require.NoError(t, save(store, ep, "k3s-context"))
+	persistedMetadata, err := store.GetMetadata("k3s-context")
+	require.NoError(t, err)
+	persistedEPMeta := EndpointFromContext(persistedMetadata)
+	assert.True(t, persistedEPMeta != nil)
+	persistedEP, err := persistedEPMeta.WithTLSData(store, "k3s-context")
+	require.NoError(t, err)
+	persistedCfg := persistedEP.KubernetesConfig()
+	actualCfg, err := persistedCfg.ClientConfig()
+	require.NoError(t, err)
+	assert.True(t, len(actualCfg.Username) > 0)
+	assert.True(t, len(actualCfg.Password) > 0)
+	assert.Equal(t, expectedCfg.Username, actualCfg.Username)
+	assert.Equal(t, expectedCfg.Password, actualCfg.Password)
+}

driver/kubernetes/context/fixtures/eks-kubeconfig

@@ -0,0 +1,23 @@
+  apiVersion: v1
+  clusters:
+  - cluster:
+      server: https://some-server      
+    name: kubernetes
+  contexts:
+  - context:
+      cluster: kubernetes
+      user: aws
+    name: aws
+  current-context: aws
+  kind: Config
+  preferences: {}
+  users:
+  - name: aws
+    user:
+      exec:
+        apiVersion: client.authentication.k8s.io/v1alpha1
+        command: heptio-authenticator-aws
+        args:
+          - "token"
+          - "-i"
+          - "eks-cf"

driver/kubernetes/context/fixtures/gke-kubeconfig

@@ -0,0 +1,23 @@
+apiVersion: v1
+clusters:
+- cluster:    
+    server: https://some-server
+  name: gke_sample
+contexts:
+- context:
+    cluster: gke_sample
+    user: gke_sample
+  name: gke_sample
+current-context: gke_sample
+kind: Config
+preferences: {}
+users:
+- name: gke_sample
+  user:
+    auth-provider:
+      config:
+        cmd-args: config config-helper --format=json
+        cmd-path: /google/google-cloud-sdk/bin/gcloud
+        expiry-key: '{.credential.token_expiry}'
+        token-key: '{.credential.access_token}'
+      name: gcp

driver/kubernetes/context/fixtures/k3s-kubeconfig

@@ -0,0 +1,20 @@
+apiVersion: v1
+clusters:
+- cluster:
+    certificate-authority-data: dGhlLWNh
+    server: https://someserver
+  name: test-cluster
+contexts:
+- context:
+    cluster: test-cluster
+    user: test-user
+    namespace: zoinx
+  name: test
+current-context: test
+kind: Config
+preferences: {}
+users:
+- name: test-user
+  user:
+    username: admin
+    password: testpwd

driver/kubernetes/context/fixtures/test-kubeconfig

@@ -0,0 +1,20 @@
+apiVersion: v1
+clusters:
+- cluster:
+    certificate-authority-data: dGhlLWNh
+    server: https://someserver
+  name: test-cluster
+contexts:
+- context:
+    cluster: test-cluster
+    user: test-user
+    namespace: zoinx
+  name: test
+current-context: test
+kind: Config
+preferences: {}
+users:
+- name: test-user
+  user:
+    client-certificate-data: dGhlLWNlcnQ=
+    client-key-data: dGhlLWtleQ==

driver/kubernetes/context/load.go

@@ -1,4 +1,4 @@
-package kubernetes
+package context
 
 import (
 	"os"
@@ -7,9 +7,7 @@ import (
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/context"
 	"github.com/docker/cli/cli/context/store"
-	api "github.com/docker/compose-on-kubernetes/api"
 	"github.com/docker/docker/pkg/homedir"
-	"github.com/pkg/errors"
 	"k8s.io/client-go/tools/clientcmd"
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 )
@@ -88,23 +86,18 @@ func (c *Endpoint) KubernetesConfig() clientcmd.ClientConfig {
 
 // ResolveDefault returns endpoint metadata for the default Kubernetes
 // endpoint, which is derived from the env-based kubeconfig.
-func (c *EndpointMeta) ResolveDefault(stackOrchestrator command.Orchestrator) (interface{}, *store.EndpointTLSData, error) {
+func (c *EndpointMeta) ResolveDefault() (interface{}, *store.EndpointTLSData, error) {
 	kubeconfig := os.Getenv("KUBECONFIG")
 	if kubeconfig == "" {
 		kubeconfig = filepath.Join(homedir.Get(), ".kube/config")
 	}
 	kubeEP, err := FromKubeConfig(kubeconfig, "", "")
 	if err != nil {
-		if stackOrchestrator == command.OrchestratorKubernetes || stackOrchestrator == command.OrchestratorAll {
-			return nil, nil, errors.Wrapf(err, "default orchestrator is %s but unable to resolve kubernetes endpoint", stackOrchestrator)
-		}
-
 		// We deliberately quash the error here, returning nil
 		// for the first argument is sufficient to indicate we weren't able to
 		// provide a default
 		return nil, nil, nil
 	}
-
 	var tls *store.EndpointTLSData
 	if kubeEP.TLSData != nil {
 		tls = kubeEP.TLSData.ToStoreTLSData()
@@ -142,5 +135,21 @@ func ConfigFromContext(name string, s store.Reader) (clientcmd.ClientConfig, err
 		return ep.KubernetesConfig(), nil
 	}
 	// context has no kubernetes endpoint
-	return api.NewKubernetesConfig(""), nil
+	return NewKubernetesConfig(""), nil
+}
+
+// NewKubernetesConfig resolves the path to the desired Kubernetes configuration
+// file based on the KUBECONFIG environment variable and command line flags.
+func NewKubernetesConfig(configPath string) clientcmd.ClientConfig {
+	kubeConfig := configPath
+	if kubeConfig == "" {
+		if config := os.Getenv("KUBECONFIG"); config != "" {
+			kubeConfig = config
+		} else {
+			kubeConfig = filepath.Join(homedir.Get(), ".kube/config")
+		}
+	}
+	return clientcmd.NewNonInteractiveDeferredLoadingClientConfig(
+		&clientcmd.ClientConfigLoadingRules{ExplicitPath: kubeConfig},
+		&clientcmd.ConfigOverrides{})
 }

driver/kubernetes/context/load_test.go

@@ -0,0 +1,23 @@
+package context
+
+import (
+	"os"
+	"testing"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/config/configfile"
+	cliflags "github.com/docker/cli/cli/flags"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestDefaultContextInitializer(t *testing.T) {
+	cli, err := command.NewDockerCli()
+	require.NoError(t, err)
+	os.Setenv("KUBECONFIG", "./fixtures/test-kubeconfig")
+	defer os.Unsetenv("KUBECONFIG")
+	ctx, err := command.ResolveDefaultContext(&cliflags.CommonOptions{}, &configfile.ConfigFile{}, command.DefaultContextStoreConfig(), cli.Err())
+	require.NoError(t, err)
+	assert.Equal(t, "default", ctx.Meta.Name)
+	assert.Equal(t, "zoinx", ctx.Meta.Endpoints[KubernetesEndpoint].(EndpointMeta).DefaultNamespace)
+}

driver/kubernetes/context/save.go

@@ -1,7 +1,7 @@
-package kubernetes
+package context
 
 import (
-	"io/ioutil"
+	"os"
 
 	"github.com/docker/cli/cli/context"
 	"k8s.io/client-go/tools/clientcmd"
@@ -63,7 +63,7 @@ func FromKubeConfig(kubeconfig, kubeContext, namespaceOverride string) (Endpoint
 
 func readFileOrDefault(path string, defaultValue []byte) ([]byte, error) {
 	if path != "" {
-		return ioutil.ReadFile(path)
+		return os.ReadFile(path)
 	}
 	return defaultValue, nil
 }

driver/kubernetes/driver.go

@@ -18,6 +18,8 @@ import (
 	"github.com/moby/buildkit/util/tracing/detect"
 	"github.com/pkg/errors"
 	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 	clientappsv1 "k8s.io/client-go/kubernetes/typed/apps/v1"
@@ -39,15 +41,18 @@ type Driver struct {
 	factory          driver.Factory
 	minReplicas      int
 	deployment       *appsv1.Deployment
+	configMaps       []*corev1.ConfigMap
 	clientset        *kubernetes.Clientset
 	deploymentClient clientappsv1.DeploymentInterface
 	podClient        clientcorev1.PodInterface
+	configMapClient  clientcorev1.ConfigMapInterface
 	podChooser       podchooser.PodChooser
 }
 
 func (d *Driver) IsMobyDriver() bool {
 	return false
 }
+
 func (d *Driver) Config() driver.InitConfig {
 	return d.InitConfig
 }
@@ -56,7 +61,24 @@ func (d *Driver) Bootstrap(ctx context.Context, l progress.Logger) error {
 	return progress.Wrap("[internal] booting buildkit", l, func(sub progress.SubLogger) error {
 		_, err := d.deploymentClient.Get(ctx, d.deployment.Name, metav1.GetOptions{})
 		if err != nil {
-			// TODO: return err if err != ErrNotFound
+			if !apierrors.IsNotFound(err) {
+				return errors.Wrapf(err, "error for bootstrap %q", d.deployment.Name)
+			}
+
+			for _, cfg := range d.configMaps {
+				// create ConfigMap first if exists
+				_, err = d.configMapClient.Create(ctx, cfg, metav1.CreateOptions{})
+				if err != nil {
+					if !apierrors.IsAlreadyExists(err) {
+						return errors.Wrapf(err, "error while calling configMapClient.Create for %q", cfg.Name)
+					}
+					_, err = d.configMapClient.Update(ctx, cfg, metav1.UpdateOptions{})
+					if err != nil {
+						return errors.Wrapf(err, "error while calling configMapClient.Update for %q", cfg.Name)
+					}
+				}
+			}
+
 			_, err = d.deploymentClient.Create(ctx, d.deployment, metav1.CreateOptions{})
 			if err != nil {
 				return errors.Wrapf(err, "error while calling deploymentClient.Create for %q", d.deployment.Name)
@@ -138,14 +160,31 @@ func (d *Driver) Info(ctx context.Context) (*driver.Info, error) {
 	}, nil
 }
 
+func (d *Driver) Version(ctx context.Context) (string, error) {
+	return "", nil
+}
+
 func (d *Driver) Stop(ctx context.Context, force bool) error {
 	// future version may scale the replicas to zero here
 	return nil
 }
 
-func (d *Driver) Rm(ctx context.Context, force bool, rmVolume bool) error {
+func (d *Driver) Rm(ctx context.Context, force, rmVolume, rmDaemon bool) error {
+	if !rmDaemon {
+		return nil
+	}
+
 	if err := d.deploymentClient.Delete(ctx, d.deployment.Name, metav1.DeleteOptions{}); err != nil {
-		return errors.Wrapf(err, "error while calling deploymentClient.Delete for %q", d.deployment.Name)
+		if !apierrors.IsNotFound(err) {
+			return errors.Wrapf(err, "error while calling deploymentClient.Delete for %q", d.deployment.Name)
+		}
+	}
+	for _, cfg := range d.configMaps {
+		if err := d.configMapClient.Delete(ctx, cfg.Name, metav1.DeleteOptions{}); err != nil {
+			if !apierrors.IsNotFound(err) {
+				return errors.Wrapf(err, "error while calling configMapClient.Delete for %q", cfg.Name)
+			}
+		}
 	}
 	return nil
 }

driver/kubernetes/factory.go

@@ -5,6 +5,8 @@ import (
 	"strconv"
 	"strings"
 
+	corev1 "k8s.io/api/core/v1"
+
 	"github.com/docker/buildx/driver"
 	"github.com/docker/buildx/driver/bkimage"
 	"github.com/docker/buildx/driver/kubernetes/manifest"
@@ -32,7 +34,7 @@ func (*factory) Usage() string {
 	return DriverName
 }
 
-func (*factory) Priority(ctx context.Context, api dockerclient.APIClient) int {
+func (*factory) Priority(ctx context.Context, endpoint string, api dockerclient.APIClient) int {
 	if api == nil {
 		return priorityUnsupported
 	}
@@ -59,78 +61,29 @@ func (f *factory) New(ctx context.Context, cfg driver.InitConfig) (driver.Driver
 	if err != nil {
 		return nil, err
 	}
+
 	d := &Driver{
 		factory:    f,
 		InitConfig: cfg,
 		clientset:  clientset,
 	}
-	deploymentOpt := &manifest.DeploymentOpt{
-		Name:          deploymentName,
-		Image:         bkimage.DefaultImage,
-		Replicas:      1,
-		BuildkitFlags: cfg.BuildkitFlags,
-		Rootless:      false,
-		Platforms:     cfg.Platforms,
+
+	deploymentOpt, loadbalance, namespace, err := f.processDriverOpts(deploymentName, namespace, cfg)
+	if nil != err {
+		return nil, err
 	}
-	loadbalance := LoadbalanceSticky
-	imageOverride := ""
-	for k, v := range cfg.DriverOpts {
-		switch k {
-		case "image":
-			imageOverride = v
-		case "namespace":
-			namespace = v
-		case "replicas":
-			deploymentOpt.Replicas, err = strconv.Atoi(v)
-			if err != nil {
-				return nil, err
-			}
-		case "requests.cpu":
-			deploymentOpt.RequestsCPU = v
-		case "requests.memory":
-			deploymentOpt.RequestsMemory = v
-		case "limits.cpu":
-			deploymentOpt.LimitsCPU = v
-		case "limits.memory":
-			deploymentOpt.LimitsMemory = v
-		case "rootless":
-			deploymentOpt.Rootless, err = strconv.ParseBool(v)
-			if err != nil {
-				return nil, err
-			}
-			deploymentOpt.Image = bkimage.DefaultRootlessImage
-		case "nodeselector":
-			kvs := strings.Split(strings.Trim(v, `"`), ",")
-			s := map[string]string{}
-			for i := range kvs {
-				kv := strings.Split(kvs[i], "=")
-				if len(kv) == 2 {
-					s[kv[0]] = kv[1]
-				}
-			}
-			deploymentOpt.NodeSelector = s
-		case "loadbalance":
-			switch v {
-			case LoadbalanceSticky:
-			case LoadbalanceRandom:
-			default:
-				return nil, errors.Errorf("invalid loadbalance %q", v)
-			}
-			loadbalance = v
-		default:
-			return nil, errors.Errorf("invalid driver option %s for driver %s", k, DriverName)
-		}
-	}
-	if imageOverride != "" {
-		deploymentOpt.Image = imageOverride
-	}
-	d.deployment, err = manifest.NewDeployment(deploymentOpt)
+
+	d.deployment, d.configMaps, err = manifest.NewDeployment(deploymentOpt)
 	if err != nil {
 		return nil, err
 	}
+
 	d.minReplicas = deploymentOpt.Replicas
+
 	d.deploymentClient = clientset.AppsV1().Deployments(namespace)
 	d.podClient = clientset.CoreV1().Pods(namespace)
+	d.configMapClient = clientset.CoreV1().ConfigMaps(namespace)
+
 	switch loadbalance {
 	case LoadbalanceSticky:
 		d.podChooser = &podchooser.StickyPodChooser{
@@ -147,6 +100,121 @@ func (f *factory) New(ctx context.Context, cfg driver.InitConfig) (driver.Driver
 	return d, nil
 }
 
+func (f *factory) processDriverOpts(deploymentName string, namespace string, cfg driver.InitConfig) (*manifest.DeploymentOpt, string, string, error) {
+	deploymentOpt := &manifest.DeploymentOpt{
+		Name:          deploymentName,
+		Image:         bkimage.DefaultImage,
+		Replicas:      1,
+		BuildkitFlags: cfg.BuildkitFlags,
+		Rootless:      false,
+		Platforms:     cfg.Platforms,
+		ConfigFiles:   cfg.Files,
+	}
+
+	deploymentOpt.Qemu.Image = bkimage.QemuImage
+
+	loadbalance := LoadbalanceSticky
+	var err error
+
+	for k, v := range cfg.DriverOpts {
+		switch k {
+		case "image":
+			if v != "" {
+				deploymentOpt.Image = v
+			}
+		case "namespace":
+			namespace = v
+		case "replicas":
+			deploymentOpt.Replicas, err = strconv.Atoi(v)
+			if err != nil {
+				return nil, "", "", err
+			}
+		case "requests.cpu":
+			deploymentOpt.RequestsCPU = v
+		case "requests.memory":
+			deploymentOpt.RequestsMemory = v
+		case "limits.cpu":
+			deploymentOpt.LimitsCPU = v
+		case "limits.memory":
+			deploymentOpt.LimitsMemory = v
+		case "rootless":
+			deploymentOpt.Rootless, err = strconv.ParseBool(v)
+			if err != nil {
+				return nil, "", "", err
+			}
+			if _, isImage := cfg.DriverOpts["image"]; !isImage {
+				deploymentOpt.Image = bkimage.DefaultRootlessImage
+			}
+		case "nodeselector":
+			kvs := strings.Split(strings.Trim(v, `"`), ",")
+			s := map[string]string{}
+			for i := range kvs {
+				kv := strings.Split(kvs[i], "=")
+				if len(kv) == 2 {
+					s[kv[0]] = kv[1]
+				}
+			}
+			deploymentOpt.NodeSelector = s
+		case "tolerations":
+			ts := strings.Split(v, ";")
+			deploymentOpt.Tolerations = []corev1.Toleration{}
+			for i := range ts {
+				kvs := strings.Split(ts[i], ",")
+
+				t := corev1.Toleration{}
+
+				for j := range kvs {
+					kv := strings.Split(kvs[j], "=")
+					if len(kv) == 2 {
+						switch kv[0] {
+						case "key":
+							t.Key = kv[1]
+						case "operator":
+							t.Operator = corev1.TolerationOperator(kv[1])
+						case "value":
+							t.Value = kv[1]
+						case "effect":
+							t.Effect = corev1.TaintEffect(kv[1])
+						case "tolerationSeconds":
+							c, err := strconv.Atoi(kv[1])
+							if nil != err {
+								return nil, "", "", err
+							}
+							c64 := int64(c)
+							t.TolerationSeconds = &c64
+						default:
+							return nil, "", "", errors.Errorf("invalid tolaration %q", v)
+						}
+					}
+				}
+
+				deploymentOpt.Tolerations = append(deploymentOpt.Tolerations, t)
+			}
+		case "loadbalance":
+			switch v {
+			case LoadbalanceSticky:
+			case LoadbalanceRandom:
+			default:
+				return nil, "", "", errors.Errorf("invalid loadbalance %q", v)
+			}
+			loadbalance = v
+		case "qemu.install":
+			deploymentOpt.Qemu.Install, err = strconv.ParseBool(v)
+			if err != nil {
+				return nil, "", "", err
+			}
+		case "qemu.image":
+			if v != "" {
+				deploymentOpt.Qemu.Image = v
+			}
+		default:
+			return nil, "", "", errors.Errorf("invalid driver option %s for driver %s", k, DriverName)
+		}
+	}
+
+	return deploymentOpt, loadbalance, namespace, nil
+}
+
 func (f *factory) AllowsInstances() bool {
 	return true
 }