Merge pull request #1415 from jedevc/cherry-pick-1383-to-0.9

[0.9] driver: don't create tracer delegate opt if tracer is nil
driver: don't create tracer delegate opt if tracer is nil
2025-08-14 15:55:54 +08:00 · 2022-11-21 10:29:09 +01:00 · 2022-11-18 13:36:31 +00:00 · 2022-11-18 13:48:30 +01:00 · 2022-11-15 15:54:43 +00:00 · 2022-11-01 22:34:53 -07:00
897 changed files with 51871 additions and 21053 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    open-pull-requests-limit: 10
+    directory: "/"
+    schedule:
+      interval: "daily"
+    labels:
+      - "dependencies"
+      - "bot"
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,5 +1,9 @@
 name: build

+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 on:
  workflow_dispatch:
  push:
@@ -18,42 +22,110 @@ env:
  RELEASE_OUT: "./release-out"

 jobs:
-  build:
+  test:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v2
-      -
-        name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: actions/checkout@v3
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: latest
      -
        name: Test
-        run: |
-          make test
+        uses: docker/bake-action@v2
+        with:
+          targets: test
+          set: |
+            *.cache-from=type=gha,scope=test
+            *.cache-to=type=gha,scope=test
      -
-        name: Send to Codecov
-        uses: codecov/codecov-action@v2
+        name: Upload coverage
+        uses: codecov/codecov-action@v3
        with:
          file: ./coverage/coverage.txt
+
+  prepare:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.platforms.outputs.matrix }}
+    steps:
      -
-        name: Build binaries
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Create matrix
+        id: platforms
        run: |
-          make release
+          echo ::set-output name=matrix::$(docker buildx bake binaries-cross --print | jq -cr '.target."binaries-cross".platforms')
+      -
+        name: Show matrix
+        run: |
+          echo ${{ steps.platforms.outputs.matrix }}
+
+  binaries:
+    runs-on: ubuntu-latest
+    needs:
+      - prepare
+    strategy:
+      fail-fast: false
+      matrix:
+        platform: ${{ fromJson(needs.prepare.outputs.matrix) }}
+    steps:
+      -
+        name: Prepare
+        run: |
+          platform=${{ matrix.platform }}
+          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: latest
+      -
+        name: Build
+        uses: docker/bake-action@v2
+        with:
+          targets: release
+          set: |
+            *.platform=${{ matrix.platform }}
+            *.cache-from=type=gha,scope=binaries-${{ env.PLATFORM_PAIR }}
+            *.cache-to=type=gha,scope=binaries-${{ env.PLATFORM_PAIR }},mode=max
      -
        name: Upload artifacts
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
        with:
          name: buildx
          path: ${{ env.RELEASE_OUT }}/*
          if-no-files-found: error
+
+  bin-image:
+    runs-on: ubuntu-latest
+    if: ${{ github.event_name != 'pull_request' }}
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: latest
      -
        name: Docker meta
        id: meta
-        uses: docker/metadata-action@v3
+        uses: docker/metadata-action@v4
        with:
          images: |
            ${{ env.REPO_SLUG }}
@@ -65,23 +137,52 @@ jobs:
      -
        name: Login to DockerHub
        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      -
        name: Build and push image
-        uses: docker/bake-action@v1
+        uses: docker/bake-action@v2
        with:
          files: |
            ./docker-bake.hcl
            ${{ steps.meta.outputs.bake-file }}
          targets: image-cross
          push: ${{ github.event_name != 'pull_request' }}
+          set: |
+            *.cache-from=type=gha,scope=bin-image
+            *.cache-to=type=gha,scope=bin-image,mode=max
+
+  release:
+    runs-on: ubuntu-latest
+    needs:
+      - binaries
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Download binaries
+        uses: actions/download-artifact@v3
+        with:
+          name: buildx
+          path: ${{ env.RELEASE_OUT }}
+      -
+        name: Create checksums
+        run: ./hack/hash-files
+      -
+        name: List artifacts
+        run: |
+          tree -nh ${{ env.RELEASE_OUT }}
+      -
+        name: Check artifacts
+        run: |
+          find ${{ env.RELEASE_OUT }} -type f -exec file -e ascii -- {} +
      -
        name: GitHub Release
        if: startsWith(github.ref, 'refs/tags/v')
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
@@ -94,19 +195,20 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
      -
        name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
        with:
+          version: latest
          driver-opts: image=moby/buildkit:master
          buildkitd-flags: --debug
      -
        # Just run a bake target to check eveything runs fine
        name: Build
-        uses: docker/bake-action@v1
+        uses: docker/bake-action@v2
        with:
-          targets: binaries-cross
+          targets: binaries
--- a/.github/workflows/docs-release.yml
+++ b/.github/workflows/docs-release.yml
@@ -0,0 +1,56 @@
+name: docs-release
+
+on:
+  release:
+    types: [ released ]
+
+jobs:
+  open-pr:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout docs repo
+        uses: actions/checkout@v3
+        with:
+          token: ${{ secrets.GHPAT_DOCS_DISPATCH }}
+          repository: docker/docker.github.io
+          ref: master
+      -
+        name: Prepare
+        run: |
+          rm -rf ./_data/buildx/*
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      -
+        name: Build docs
+        uses: docker/bake-action@v2
+        with:
+          source: ${{ github.server_url }}/${{ github.repository }}.git#${{ github.event.release.name }}
+          targets: update-docs
+          set: |
+            *.output=/tmp/buildx-docs
+        env:
+          DOCS_FORMATS: yaml
+      -
+        name: Copy files
+        run: |
+          cp /tmp/buildx-docs/out/reference/*.yaml ./_data/buildx/
+      -
+        name: Commit changes
+        run: |
+          git add -A .
+      -
+        name: Create PR on docs repo
+        uses: peter-evans/create-pull-request@923ad837f191474af6b1721408744feb989a4c27 # v4.0.4
+        with:
+          token: ${{ secrets.GHPAT_DOCS_DISPATCH }}
+          push-to-fork: docker-tools-robot/docker.github.io
+          commit-message: "build: update buildx reference to ${{ github.event.release.name }}"
+          signoff: true
+          branch: dispatch/buildx-ref-${{ github.event.release.name }}
+          delete-branch: true
+          title: Update buildx reference to ${{ github.event.release.name }}
+          body: |
+            Update the buildx reference documentation to keep in sync with the latest release `${{ github.event.release.name }}`
+          draft: false
--- a/.github/workflows/docs-upstream.yml
+++ b/.github/workflows/docs-upstream.yml
@@ -0,0 +1,118 @@
+# this workflow runs the remote validate bake target from docker/docker.github.io
+# to check if yaml reference docs and markdown files used in this repo are still valid
+# https://github.com/docker/docker.github.io/blob/98c7c9535063ae4cd2cd0a31478a21d16d2f07a3/docker-bake.hcl#L34-L36
+name: docs-upstream
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+on:
+  push:
+    branches:
+      - 'master'
+      - 'v[0-9]*'
+    paths:
+      - '.github/workflows/docs-upstream.yml'
+      - 'docs/**'
+  pull_request:
+    paths:
+      - '.github/workflows/docs-upstream.yml'
+      - 'docs/**'
+
+jobs:
+  docs-yaml:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: latest
+      -
+        name: Build reference YAML docs
+        uses: docker/bake-action@v2
+        with:
+          targets: update-docs
+          set: |
+            *.output=/tmp/buildx-docs
+            *.cache-from=type=gha,scope=docs-yaml
+            *.cache-to=type=gha,scope=docs-yaml,mode=max
+        env:
+          DOCS_FORMATS: yaml
+      -
+        name: Upload reference YAML docs
+        uses: actions/upload-artifact@v3
+        with:
+          name: docs-yaml
+          path: /tmp/buildx-docs/out/reference
+          retention-days: 1
+
+  validate:
+    runs-on: ubuntu-latest
+    needs:
+      - docs-yaml
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+        with:
+          repository: docker/docker.github.io
+      -
+        name: Install js-yaml
+        run: npm install js-yaml
+      -
+        # use the actual buildx ref that triggers this workflow, so we make
+        # sure pages fetched by docs repo are still valid
+        # https://github.com/docker/docker.github.io/blob/98c7c9535063ae4cd2cd0a31478a21d16d2f07a3/_config.yml#L164-L173
+        name: Set correct ref to fetch remote resources
+        uses: actions/github-script@v6
+        with:
+          script: |
+            const fs = require('fs');
+            const yaml = require('js-yaml');
+
+            const configFile = '_config.yml'
+            const config = yaml.load(fs.readFileSync(configFile, 'utf8'));
+            for (const remote of config['fetch-remote']) {
+              if (remote['repo'] != 'https://github.com/docker/buildx') {
+                continue;
+              }
+              remote['ref'] = "${{ github.ref }}";
+            }
+
+            try {
+              fs.writeFileSync(configFile, yaml.dump(config), 'utf8')
+            } catch (err) {
+              console.error(err.message)
+              process.exit(1)
+            }
+      -
+        name: Prepare
+        run: |
+          # print docs jekyll config updated in previous step
+          yq _config.yml
+          # cleanup reference yaml docs and js-yaml module
+          rm -rf ./_data/buildx/* ./node_modules
+      -
+        name: Download built reference YAML docs
+        uses: actions/download-artifact@v3
+        with:
+          name: docs-yaml
+          path: ./_data/buildx/
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: latest
+      -
+        name: Validate
+        uses: docker/bake-action@v2
+        with:
+          targets: validate
+          set: |
+            *.cache-from=type=gha,scope=docs-upstream
+            *.cache-to=type=gha,scope=docs-upstream,mode=max
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -1,5 +1,9 @@
 name: e2e

+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 on:
  workflow_dispatch:
  push:
@@ -12,8 +16,44 @@ on:
      - 'v[0-9]*'

 jobs:
+  build:
+    runs-on: ubuntu-20.04
+    env:
+      BIN_OUT: ./bin
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: latest
+      -
+        name: Build
+        uses: docker/bake-action@v2
+        with:
+          targets: binaries
+          set: |
+            *.cache-from=type=gha,scope=release
+            *.cache-from=type=gha,scope=binaries
+            *.cache-to=type=gha,scope=binaries
+      -
+        name: Rename binary
+        run: |
+          mv ${{ env.BIN_OUT }}/buildx ${{ env.BIN_OUT }}/docker-buildx
+      -
+        name: Upload artifacts
+        uses: actions/upload-artifact@v3
+        with:
+          name: binary
+          path: ${{ env.BIN_OUT }}
+          if-no-files-found: error
+          retention-days: 7
+
  driver:
    runs-on: ubuntu-20.04
+    needs:
+      - build
    strategy:
      fail-fast: false
      matrix:
@@ -21,6 +61,7 @@ jobs:
          - docker
          - docker-container
          - kubernetes
+          - remote
        buildkit:
          - moby/buildkit:buildx-stable-1
          - moby/buildkit:master
@@ -36,6 +77,8 @@ jobs:
        include:
          - driver: kubernetes
            driver-opt: qemu.install=true
+          - driver: remote
+            endpoint: tcp://localhost:1234
        exclude:
          - driver: docker
            multi-node: mnode-true
@@ -43,18 +86,28 @@ jobs:
            buildkit-cfg: bkcfg-true
          - driver: docker-container
            multi-node: mnode-true
+          - driver: remote
+            multi-node: mnode-true
+          - driver: remote
+            buildkit-cfg: bkcfg-true
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
      -
        name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2
        if: matrix.driver == 'docker' || matrix.driver == 'docker-container'
      -
        name: Install buildx
+        uses: actions/download-artifact@v3
+        with:
+          name: binary
+          path: /home/runner/.docker/cli-plugins
+      -
+        name: Fix perms and check
        run: |
-          make install
+          chmod +x /home/runner/.docker/cli-plugins/docker-buildx
          docker buildx version
      -
        name: Init env vars
@@ -76,7 +129,7 @@ jobs:
      -
        name: Install k3s
        if: matrix.driver == 'kubernetes'
-        uses: debianmaster/actions-k3s@v1.0.3
+        uses: debianmaster/actions-k3s@b9cf3f599fd118699a3c8a0d18a2f2bda6cf4ce4
        id: k3s
        with:
          version: v1.21.2-k3s1
@@ -90,6 +143,17 @@ jobs:
        if: matrix.driver == 'kubernetes'
        run: |
          kubectl get nodes
+      -
+        name: Launch remote buildkitd
+        if: matrix.driver == 'remote'
+        run: |
+          docker run -d \
+            --privileged \
+            --name=remote-buildkit \
+            -p 1234:1234 \
+            ${{ matrix.buildkit }} \
+            --addr unix:///run/buildkit/buildkitd.sock \
+            --addr tcp://0.0.0.0:1234
      -
        name: Test
        run: |
@@ -98,4 +162,5 @@ jobs:
          BUILDKIT_IMAGE: ${{ matrix.buildkit }}
          DRIVER: ${{ matrix.driver }}
          DRIVER_OPT: ${{ matrix.driver-opt }}
+          ENDPOINT: ${{ matrix.endpoint }}
          PLATFORMS: ${{ matrix.platforms }}
--- a/.github/workflows/godev.yml
+++ b/.github/workflows/godev.yml
@@ -1,25 +0,0 @@
-# Workflow used to make a request to proxy.golang.org to refresh cache on https://pkg.go.dev/github.com/docker/buildx
-# when a released of buildx is produced
-name: godev
-
-on:
-  push:
-    tags:
-      - 'v*'
-
-jobs:
-  update:
-    runs-on: ubuntu-latest
-    steps:
-      -
-        name: Set up Go
-        uses: actions/setup-go@v2
-        with:
-          go-version: 1.13
-      -
-        name: Call pkg.go.dev
-        run: |
-          go get github.com/${GITHUB_REPOSITORY}@${GITHUB_REF#refs/tags/}
-        env:
-          GO111MODULE: on
-          GOPROXY: https://proxy.golang.org
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -1,5 +1,9 @@
 name: validate

+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 on:
  workflow_dispatch:
  push:
@@ -26,23 +30,13 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: latest
      -
        name: Run
        run: |
          make ${{ matrix.target }}
-
-  validate-docs-yaml:
-    runs-on: ubuntu-latest
-    needs:
-      - validate
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v2
-      -
-        name: Run
-        run: |
-          make docs
-        env:
-          FORMATS: yaml
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -12,19 +12,29 @@ linters:
    - gofmt
    - govet
    - deadcode
+    - depguard
    - goimports
    - ineffassign
    - misspell
    - unused
    - varcheck
-    - golint
+    - revive
    - staticcheck
    - typecheck
    - structcheck
  disable-all: true

+linters-settings:
+  depguard:
+    list-type: blacklist
+    include-go-root: true
+    packages:
+      # The io/ioutil package has been deprecated.
+      # https://go.dev/doc/go1.16#ioutil
+      - io/ioutil
+
 issues:
  exclude-rules:
    - linters:
-        - golint
+        - revive
      text: "stutters"
--- a/.yamllint.yml
+++ b/.yamllint.yml
@@ -1,13 +0,0 @@
-ignore: |
-  /vendor
-
-extends: default
-
-yaml-files:
-  - '*.yaml'
-  - '*.yml'
-
-rules:
-  truthy: disable
-  line-length: disable
-  document-start: disable
--- a/17
+++ b/17
@@ -1,12 +1,13 @@
-# syntax=docker/dockerfile:1.3
+# syntax=docker/dockerfile:1.4

-ARG GO_VERSION=1.17
-ARG DOCKERD_VERSION=20.10.8
+ARG GO_VERSION=1.18
+ARG XX_VERSION=1.1.2
+ARG DOCKERD_VERSION=20.10.14

 FROM docker:$DOCKERD_VERSION AS dockerd-release

 # xx is a helper for cross-compilation
-FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.0.0 AS xx
+FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx

 FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine AS golatest

@@ -14,6 +15,7 @@ FROM golatest AS gobase
 COPY --from=xx / /
 RUN apk add --no-cache file git
 ENV GOFLAGS=-mod=vendor
+ENV CGO_ENABLED=0
 WORKDIR /src

 FROM gobase AS buildx-version
@@ -23,7 +25,6 @@ RUN --mount=target=. \
  echo -n "${VERSION}" | tee /tmp/.version;

 FROM gobase AS buildx-build
-ENV CGO_ENABLED=0
 ARG LDFLAGS="-w -s"
 ARG TARGETPLATFORM
 RUN --mount=type=bind,target=. \
@@ -33,7 +34,7 @@ RUN --mount=type=bind,target=. \
  set -x; xx-go build -ldflags "$(cat /tmp/.ldflags) ${LDFLAGS}" -o /usr/bin/buildx ./cmd/buildx && \
  xx-verify --static /usr/bin/buildx

-FROM buildx-build AS test
+FROM gobase AS test
 RUN --mount=type=bind,target=. \
  --mount=type=cache,target=/root/.cache \
  --mount=type=cache,target=/go/pkg/mod \
@@ -44,13 +45,13 @@ FROM scratch AS test-coverage
 COPY --from=test /tmp/coverage.txt /coverage.txt

 FROM scratch AS binaries-unix
-COPY --from=buildx-build /usr/bin/buildx /
+COPY --link --from=buildx-build /usr/bin/buildx /

 FROM binaries-unix AS binaries-darwin
 FROM binaries-unix AS binaries-linux

 FROM scratch AS binaries-windows
-COPY --from=buildx-build /usr/bin/buildx /buildx.exe
+COPY --link --from=buildx-build /usr/bin/buildx /buildx.exe

 FROM binaries-$TARGETOS AS binaries

--- a/6
+++ b/6
@@ -152,6 +152,7 @@ made through a pull request.
 		people = [
 			"akihirosuda",
 			"crazy-max",
+			"jedevc",
 			"tiborvass",
 			"tonistiigi",
 		]
@@ -188,6 +189,11 @@ made through a pull request.
 	Email = "contact@crazymax.dev"
 	GitHub = "crazy-max"

+	[people.jedevc]
+	Name = "Justin Chadwell"
+	Email = "me@jedevc.com"
+	GitHub = "jedevc"
+
 	[people.thajeztah]
 	Name = "Sebastiaan van Stijn"
 	Email = "github@gone.nl"
--- a/README.md
+++ b/README.md
@@ -32,14 +32,16 @@ Key features:
  - [Building with buildx](#building-with-buildx)
  - [Working with builder instances](#working-with-builder-instances)
  - [Building multi-platform images](#building-multi-platform-images)
-  - [High-level build options](#high-level-build-options)
 - [Guides](docs/guides)
+  - [High-level build options with Bake](docs/guides/bake/index.md)
  - [CI/CD](docs/guides/cicd.md)
  - [CNI networking](docs/guides/cni-networking.md)
-  - [Registry mirror](docs/guides/registry-mirror.md)
-  - [Resource limiting](docs/guides/resource-limiting.md)
  - [Using a custom network](docs/guides/custom-network.md)
  - [Using a custom registry configuration](docs/guides/custom-registry-config.md)
+  - [OpenTelemetry support](docs/guides/opentelemetry.md)
+  - [Registry mirror](docs/guides/registry-mirror.md)
+  - [Drivers](docs/guides/drivers/index.md)
+  - [Resource limiting](docs/guides/resource-limiting.md)
 - [Reference](docs/reference/buildx.md)
  - [`buildx bake`](docs/reference/buildx_bake.md)
  - [`buildx build`](docs/reference/buildx_build.md)
@@ -183,23 +185,17 @@ specifying target platform. In addition, Buildx also supports new features that
 are not yet available for regular `docker build` like building manifest lists,
 distributed caching, and exporting build results to OCI image tarballs.

-Buildx is supposed to be flexible and can be run in different configurations
-that are exposed through a driver concept. Currently, we support a
-[`docker` driver](docs/reference/buildx_create.md#docker-driver) that uses
-the BuildKit library bundled into the Docker daemon binary, a
-[`docker-container` driver](docs/reference/buildx_create.md#docker-container-driver)
-that automatically launches BuildKit inside a Docker container and a
-[`kubernetes` driver](docs/reference/buildx_create.md#kubernetes-driver) to
-spin up pods with defined BuildKit container image to build your images. We
-plan to add more drivers in the future.
+Buildx is flexible and can be run in different configurations that are exposed
+through various "drivers". Each driver defines how and where a build should
+run, and have different feature sets.

-The user experience of using buildx is very similar across drivers, but there
-are some features that are not currently supported by the `docker` driver,
-because the BuildKit library bundled into docker daemon currently uses a
-different storage component. In contrast, all images built with `docker` driver
-are automatically added to the `docker images` view by default, whereas when
-using other drivers the method for outputting an image needs to be selected
-with `--output`.
+We currently support the following drivers:
+- The `docker` driver ([guide](docs/guides/drivers/docker.md), [reference](https://docs.docker.com/engine/reference/commandline/buildx_create/#driver))
+- The `docker-container` driver ([guide](docs/guides/drivers/docker-container.md), [reference](https://docs.docker.com/engine/reference/commandline/buildx_create/#driver))
+- The `kubernetes` driver ([guide](docs/guides/drivers/kubernetes.md), [reference](https://docs.docker.com/engine/reference/commandline/buildx_create/#driver))
+- The `remote` driver ([guide](docs/guides/drivers/remote.md))
+
+For more information on drivers, see the [drivers guide](docs/guides/drivers/index.md).

 ## Working with builder instances

@@ -315,26 +311,7 @@ cross-compilation helpers for more advanced use-cases.

 ## High-level build options

-Buildx also aims to provide support for high-level build concepts that go beyond
-invoking a single build command. We want to support building all the images in
-your application together and let the users define project specific reusable
-build flows that can then be easily invoked by anyone.
-
-BuildKit efficiently handles multiple concurrent build requests and
-de-duplicating work. The build commands can be combined with general-purpose
-command runners (for example, `make`). However, these tools generally invoke
-builds in sequence  and therefore cannot leverage the full potential of BuildKit
-parallelization, or combine BuildKit’s output for the user. For this use case,
-we have added a command called [`docker buildx bake`](docs/reference/buildx_bake.md).
-
-The `bake` command supports building images from compose files, similar to
-[`docker-compose build`](https://docs.docker.com/compose/reference/build/),
-but allowing all the services to be built concurrently as part of a single
-request.
-
-There is also support for custom build rules from HCL/JSON files allowing
-better code reuse and different target groups. The design of bake is in very
-early stages and we are looking for feedback from users.
+See [`docs/guides/bake/index.md`](docs/guides/bake/index.md) for more details.

 # Contributing

--- a/bake/bake.go
+++ b/bake/bake.go
@@ -4,7 +4,7 @@ import (
 	"context"
 	"encoding/csv"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"os"
 	"path"
 	"path/filepath"
@@ -17,7 +17,8 @@ import (
 	"github.com/docker/buildx/build"
 	"github.com/docker/buildx/util/buildflags"
 	"github.com/docker/buildx/util/platformutil"
-	"github.com/docker/docker/pkg/urlutil"
+	"github.com/docker/cli/cli/config"
+	"github.com/docker/docker/builder/remotecontext/urlutil"
 	hcl "github.com/hashicorp/hcl/v2"
 	"github.com/moby/buildkit/client/llb"
 	"github.com/moby/buildkit/session/auth/authprovider"
@@ -65,12 +66,12 @@ func ReadLocalFiles(names []string) ([]File, error) {
 		var dt []byte
 		var err error
 		if n == "-" {
-			dt, err = ioutil.ReadAll(os.Stdin)
+			dt, err = io.ReadAll(os.Stdin)
 			if err != nil {
 				return nil, err
 			}
 		} else {
-			dt, err = ioutil.ReadFile(n)
+			dt, err = os.ReadFile(n)
 			if err != nil {
 				if isDefault && errors.Is(err, os.ErrNotExist) {
 					continue
@@ -89,6 +90,10 @@ func ReadTargets(ctx context.Context, files []File, targets, overrides []string,
 		return nil, nil, err
 	}

+	for i, t := range targets {
+		targets[i] = sanitizeTargetName(t)
+	}
+
 	o, err := c.newOverrides(overrides)
 	if err != nil {
 		return nil, nil, err
@@ -129,7 +134,7 @@ func ReadTargets(ctx context.Context, files []File, targets, overrides []string,
 				gt = append(gt, target)
 			}
 		}
-		g = []*Group{{Targets: dedupString(gt)}}
+		g = []*Group{{Targets: dedupSlice(gt)}}
 	}

 	for name, t := range m {
@@ -141,7 +146,7 @@ func ReadTargets(ctx context.Context, files []File, targets, overrides []string,
 	return m, g, nil
 }

-func dedupString(s []string) []string {
+func dedupSlice(s []string) []string {
 	if len(s) == 0 {
 		return s
 	}
@@ -156,21 +161,54 @@ func dedupString(s []string) []string {
 	return res
 }

+func dedupMap(ms ...map[string]string) map[string]string {
+	if len(ms) == 0 {
+		return nil
+	}
+	res := map[string]string{}
+	for _, m := range ms {
+		if len(m) == 0 {
+			continue
+		}
+		for k, v := range m {
+			if _, ok := res[k]; !ok {
+				res[k] = v
+			}
+		}
+	}
+	return res
+}
+
+func sliceToMap(env []string) (res map[string]string) {
+	res = make(map[string]string)
+	for _, s := range env {
+		kv := strings.SplitN(s, "=", 2)
+		key := kv[0]
+		switch {
+		case len(kv) == 1:
+			res[key] = ""
+		default:
+			res[key] = kv[1]
+		}
+	}
+	return
+}
+
 func ParseFiles(files []File, defaults map[string]string) (_ *Config, err error) {
 	defer func() {
 		err = formatHCLError(err, files)
 	}()

 	var c Config
-	var fs []*hcl.File
+	var composeFiles []File
+	var hclFiles []*hcl.File
 	for _, f := range files {
-		cfg, isCompose, composeErr := ParseComposeFile(f.Data, f.Name)
+		isCompose, composeErr := validateComposeFile(f.Data, f.Name)
 		if isCompose {
 			if composeErr != nil {
 				return nil, composeErr
 			}
-			c = mergeConfig(c, *cfg)
-			c = dedupeConfig(c)
+			composeFiles = append(composeFiles, f)
 		}
 		if !isCompose {
 			hf, isHCL, err := ParseHCLFile(f.Data, f.Name)
@@ -178,7 +216,7 @@ func ParseFiles(files []File, defaults map[string]string) (_ *Config, err error)
 				if err != nil {
 					return nil, err
 				}
-				fs = append(fs, hf)
+				hclFiles = append(hclFiles, hf)
 			} else if composeErr != nil {
 				return nil, fmt.Errorf("failed to parse %s: parsing yaml: %v, parsing hcl: %w", f.Name, composeErr, err)
 			} else {
@@ -187,8 +225,17 @@ func ParseFiles(files []File, defaults map[string]string) (_ *Config, err error)
 		}
 	}

-	if len(fs) > 0 {
-		if err := hclparser.Parse(hcl.MergeFiles(fs), hclparser.Opt{
+	if len(composeFiles) > 0 {
+		cfg, cmperr := ParseComposeFiles(composeFiles)
+		if cmperr != nil {
+			return nil, errors.Wrap(cmperr, "failed to parse compose file")
+		}
+		c = mergeConfig(c, *cfg)
+		c = dedupeConfig(c)
+	}
+
+	if len(hclFiles) > 0 {
+		if err := hclparser.Parse(hcl.MergeFiles(hclFiles), hclparser.Opt{
 			LookupVar:     os.LookupEnv,
 			Vars:          defaults,
 			ValidateLabel: validateTargetName,
@@ -196,18 +243,25 @@ func ParseFiles(files []File, defaults map[string]string) (_ *Config, err error)
 			return nil, err
 		}
 	}
+
 	return &c, nil
 }

 func dedupeConfig(c Config) Config {
 	c2 := c
+	c2.Groups = make([]*Group, 0, len(c2.Groups))
+	for _, g := range c.Groups {
+		g1 := *g
+		g1.Targets = dedupSlice(g1.Targets)
+		c2.Groups = append(c2.Groups, &g1)
+	}
 	c2.Targets = make([]*Target, 0, len(c2.Targets))
-	m := map[string]*Target{}
+	mt := map[string]*Target{}
 	for _, t := range c.Targets {
-		if t2, ok := m[t.Name]; ok {
+		if t2, ok := mt[t.Name]; ok {
 			t2.Merge(t)
 		} else {
-			m[t.Name] = t
+			mt[t.Name] = t
 			c2.Targets = append(c2.Targets, t)
 		}
 	}
@@ -218,19 +272,6 @@ func ParseFile(dt []byte, fn string) (*Config, error) {
 	return ParseFiles([]File{{Data: dt, Name: fn}}, nil)
 }

-func ParseComposeFile(dt []byte, fn string) (*Config, bool, error) {
-	fnl := strings.ToLower(fn)
-	if strings.HasSuffix(fnl, ".yml") || strings.HasSuffix(fnl, ".yaml") {
-		cfg, err := ParseCompose(dt)
-		return cfg, true, err
-	}
-	if strings.HasSuffix(fnl, ".json") || strings.HasSuffix(fnl, ".hcl") {
-		return nil, false, nil
-	}
-	cfg, err := ParseCompose(dt)
-	return cfg, err == nil, err
-}
-
 type Config struct {
 	Groups  []*Group  `json:"group" hcl:"group,block"`
 	Targets []*Target `json:"target" hcl:"target,block"`
@@ -332,6 +373,7 @@ func (c Config) loadLinks(name string, t *Target, m map[string]*Target, o map[st
 					return err
 				}
 				t2.Outputs = nil
+				t2.linked = true
 				m[target] = t2
 			}
 			if err := c.loadLinks(target, t2, m, o, visited); err != nil {
@@ -412,12 +454,12 @@ func (c Config) newOverrides(v []string) (map[string]map[string]Override, error)
 }

 func (c Config) ResolveGroup(name string) []string {
-	return c.group(name, map[string]struct{}{})
+	return dedupSlice(c.group(name, map[string][]string{}))
 }

-func (c Config) group(name string, visited map[string]struct{}) []string {
+func (c Config) group(name string, visited map[string][]string) []string {
 	if _, ok := visited[name]; ok {
-		return nil
+		return visited[name]
 	}
 	var g *Group
 	for _, group := range c.Groups {
@@ -429,7 +471,7 @@ func (c Config) group(name string, visited map[string]struct{}) []string {
 	if g == nil {
 		return []string{name}
 	}
-	visited[name] = struct{}{}
+	visited[name] = []string{}
 	targets := make([]string, 0, len(g.Targets))
 	for _, t := range g.Targets {
 		tgroup := c.group(t, visited)
@@ -439,6 +481,7 @@ func (c Config) group(name string, visited map[string]struct{}) []string {
 			targets = append(targets, t)
 		}
 	}
+	visited[name] = targets
 	return targets
 }

@@ -526,7 +569,10 @@ type Target struct {
 	NoCache          *bool             `json:"no-cache,omitempty" hcl:"no-cache,optional"`
 	NetworkMode      *string           `json:"-" hcl:"-"`
 	NoCacheFilter    []string          `json:"no-cache-filter,omitempty" hcl:"no-cache-filter,optional"`
-	// IMPORTANT: if you add more fields here, do not forget to update newOverrides and README.
+	// IMPORTANT: if you add more fields here, do not forget to update newOverrides and docs/guides/bake/file-definition.md.
+
+	// linked is a private field to mark a target used as a linked one
+	linked bool
 }

 func (t *Target) normalize() {
@@ -868,6 +914,7 @@ func toBuildOpt(t *Target, inp *Input) (*build.Options, error) {
 		NoCacheFilter: t.NoCacheFilter,
 		Pull:          pull,
 		NetworkMode:   networkMode,
+		Linked:        t.linked,
 	}

 	platforms, err := platformutil.Parse(t.Platforms)
@@ -876,7 +923,8 @@ func toBuildOpt(t *Target, inp *Input) (*build.Options, error) {
 	}
 	bo.Platforms = platforms

-	bo.Session = append(bo.Session, authprovider.NewDockerAuthProvider(os.Stderr))
+	dockerConfig := config.LoadDefaultConfigFile(os.Stderr)
+	bo.Session = append(bo.Session, authprovider.NewDockerAuthProvider(dockerConfig))

 	secrets, err := buildflags.ParseSecretSpecs(t.Secrets)
 	if err != nil {
@@ -968,6 +1016,13 @@ func validateTargetName(name string) error {
 	return nil
 }

+func sanitizeTargetName(target string) string {
+	// as stipulated in compose spec, service name can contain a dot so as
+	// best-effort and to avoid any potential ambiguity, we replace the dot
+	// with an underscore.
+	return strings.ReplaceAll(target, ".", "_")
+}
+
 func sliceEqual(s1, s2 []string) bool {
 	if len(s1) != len(s2) {
 		return false
--- a/bake/bake_test.go
+++ b/bake/bake_test.go
@@ -278,9 +278,19 @@ services:
 `),
 	}

+	fp3 := File{
+		Name: "docker-compose3.yml",
+		Data: []byte(
+			`version: "3"
+services:
+  webapp:
+    entrypoint: echo 1
+`),
+	}
+
 	ctx := context.TODO()

-	m, g, err := ReadTargets(ctx, []File{fp, fp2}, []string{"default"}, nil, nil)
+	m, g, err := ReadTargets(ctx, []File{fp, fp2, fp3}, []string{"default"}, nil, nil)
 	require.NoError(t, err)

 	require.Equal(t, 3, len(m))
@@ -297,6 +307,67 @@ services:
 	require.Equal(t, []string{"db", "newservice", "webapp"}, g[0].Targets)
 }

+func TestReadTargetsWithDotCompose(t *testing.T) {
+	t.Parallel()
+
+	fp := File{
+		Name: "docker-compose.yml",
+		Data: []byte(
+			`version: "3"
+services:
+  web.app:
+    build:
+      dockerfile: Dockerfile.webapp
+      args:
+        buildno: 1
+`),
+	}
+
+	fp2 := File{
+		Name: "docker-compose2.yml",
+		Data: []byte(
+			`version: "3"
+services:
+  web_app:
+    build:
+      args:
+        buildno2: 12
+`),
+	}
+
+	ctx := context.TODO()
+
+	m, _, err := ReadTargets(ctx, []File{fp}, []string{"web.app"}, nil, nil)
+	require.NoError(t, err)
+	require.Equal(t, 1, len(m))
+	_, ok := m["web_app"]
+	require.True(t, ok)
+	require.Equal(t, "Dockerfile.webapp", *m["web_app"].Dockerfile)
+	require.Equal(t, "1", m["web_app"].Args["buildno"])
+
+	m, _, err = ReadTargets(ctx, []File{fp2}, []string{"web_app"}, nil, nil)
+	require.NoError(t, err)
+	require.Equal(t, 1, len(m))
+	_, ok = m["web_app"]
+	require.True(t, ok)
+	require.Equal(t, "Dockerfile", *m["web_app"].Dockerfile)
+	require.Equal(t, "12", m["web_app"].Args["buildno2"])
+
+	m, g, err := ReadTargets(ctx, []File{fp, fp2}, []string{"default"}, nil, nil)
+	require.NoError(t, err)
+	require.Equal(t, 1, len(m))
+	_, ok = m["web_app"]
+	require.True(t, ok)
+	require.Equal(t, "Dockerfile.webapp", *m["web_app"].Dockerfile)
+	require.Equal(t, ".", *m["web_app"].Context)
+	require.Equal(t, "1", m["web_app"].Args["buildno"])
+	require.Equal(t, "12", m["web_app"].Args["buildno2"])
+
+	require.Equal(t, 1, len(g))
+	sort.Strings(g[0].Targets)
+	require.Equal(t, []string{"web_app"}, g[0].Targets)
+}
+
 func TestHCLCwdPrefix(t *testing.T) {
 	fp := File{
 		Name: "docker-bake.hcl",
@@ -446,6 +517,41 @@ func TestReadContextFromTargetUnknown(t *testing.T) {
 	require.Error(t, err)
 	require.Contains(t, err.Error(), "failed to find target bar")
 }
+
+func TestReadEmptyTargets(t *testing.T) {
+	t.Parallel()
+
+	fp := File{
+		Name: "docker-bake.hcl",
+		Data: []byte(`target "app1" {}`),
+	}
+
+	fp2 := File{
+		Name: "docker-compose.yml",
+		Data: []byte(`
+services:
+  app2:
+    build: {}
+`),
+	}
+
+	ctx := context.TODO()
+
+	m, _, err := ReadTargets(ctx, []File{fp, fp2}, []string{"app1", "app2"}, nil, nil)
+	require.NoError(t, err)
+
+	require.Equal(t, 2, len(m))
+	_, ok := m["app1"]
+	require.True(t, ok)
+	_, ok = m["app2"]
+	require.True(t, ok)
+
+	require.Equal(t, "Dockerfile", *m["app1"].Dockerfile)
+	require.Equal(t, ".", *m["app1"].Context)
+	require.Equal(t, "Dockerfile", *m["app2"].Dockerfile)
+	require.Equal(t, ".", *m["app2"].Context)
+}
+
 func TestReadContextFromTargetChain(t *testing.T) {
 	ctx := context.TODO()
 	fp := File{
@@ -1045,3 +1151,111 @@ func TestTargetName(t *testing.T) {
 		})
 	}
 }
+
+func TestNestedGroupsWithSameTarget(t *testing.T) {
+	ctx := context.TODO()
+
+	f := File{
+		Name: "docker-bake.hcl",
+		Data: []byte(`
+group "a" {
+  targets = ["b", "c"]
+}
+
+group "b" {
+  targets = ["d"]
+}
+
+group "c" {
+  targets = ["b"]
+}
+
+target "d" {
+  context = "."
+  dockerfile = "./testdockerfile"
+}
+
+group "e" {
+  targets = ["a", "f"]
+}
+
+target "f" {
+  context = "./foo"
+}`)}
+
+	cases := []struct {
+		name     string
+		targets  []string
+		ntargets int
+	}{
+		{
+			name:     "a",
+			targets:  []string{"b", "c"},
+			ntargets: 1,
+		},
+		{
+			name:     "b",
+			targets:  []string{"d"},
+			ntargets: 1,
+		},
+		{
+			name:     "c",
+			targets:  []string{"b"},
+			ntargets: 1,
+		},
+		{
+			name:     "d",
+			targets:  []string{"d"},
+			ntargets: 1,
+		},
+		{
+			name:     "e",
+			targets:  []string{"a", "f"},
+			ntargets: 2,
+		},
+	}
+	for _, tt := range cases {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			m, g, err := ReadTargets(ctx, []File{f}, []string{tt.name}, nil, nil)
+			require.NoError(t, err)
+			require.Equal(t, 1, len(g))
+			require.Equal(t, tt.targets, g[0].Targets)
+			require.Equal(t, tt.ntargets, len(m))
+			require.Equal(t, ".", *m["d"].Context)
+			require.Equal(t, "./testdockerfile", *m["d"].Dockerfile)
+		})
+	}
+}
+
+func TestUnknownExt(t *testing.T) {
+	dt := []byte(`
+		target "app" {
+			context = "dir"
+			args = {
+				v1 = "foo"
+			}
+		}
+		`)
+	dt2 := []byte(`
+services:
+  app:
+    build:
+      dockerfile: Dockerfile-alternate
+      args:
+        v2: "bar"
+`)
+
+	c, err := ParseFiles([]File{
+		{Data: dt, Name: "c1.foo"},
+		{Data: dt2, Name: "c2.bar"},
+	}, nil)
+	require.NoError(t, err)
+
+	require.Equal(t, 1, len(c.Targets))
+	require.Equal(t, "app", c.Targets[0].Name)
+	require.Equal(t, "foo", c.Targets[0].Args["v1"])
+	require.Equal(t, "bar", c.Targets[0].Args["v2"])
+	require.Equal(t, "dir", *c.Targets[0].Context)
+	require.Equal(t, "Dockerfile-alternate", *c.Targets[0].Dockerfile)
+}
--- a/bake/compose.go
+++ b/bake/compose.go
@@ -1,49 +1,44 @@
 package bake

 import (
-	"fmt"
 	"os"
-	"reflect"
+	"path/filepath"
 	"strings"

+	"github.com/compose-spec/compose-go/dotenv"
 	"github.com/compose-spec/compose-go/loader"
 	compose "github.com/compose-spec/compose-go/types"
 	"github.com/pkg/errors"
+	"gopkg.in/yaml.v3"
 )

-func parseCompose(dt []byte) (*compose.Project, error) {
-	return loader.Load(compose.ConfigDetails{
-		ConfigFiles: []compose.ConfigFile{
-			{
-				Content: dt,
-			},
-		},
-		Environment: envMap(os.Environ()),
+func ParseComposeFiles(fs []File) (*Config, error) {
+	envs, err := composeEnv()
+	if err != nil {
+		return nil, err
+	}
+	var cfgs []compose.ConfigFile
+	for _, f := range fs {
+		cfgs = append(cfgs, compose.ConfigFile{
+			Filename: f.Name,
+			Content:  f.Data,
+		})
+	}
+	return ParseCompose(cfgs, envs)
+}
+
+func ParseCompose(cfgs []compose.ConfigFile, envs map[string]string) (*Config, error) {
+	cfg, err := loader.Load(compose.ConfigDetails{
+		ConfigFiles: cfgs,
+		Environment: envs,
 	}, func(options *loader.Options) {
 		options.SkipNormalization = true
 	})
-}
-
-func envMap(env []string) map[string]string {
-	result := make(map[string]string, len(env))
-	for _, s := range env {
-		kv := strings.SplitN(s, "=", 2)
-		if len(kv) != 2 {
-			continue
-		}
-		result[kv[0]] = kv[1]
-	}
-	return result
-}
-
-func ParseCompose(dt []byte) (*Config, error) {
-	cfg, err := parseCompose(dt)
 	if err != nil {
 		return nil, err
 	}

 	var c Config
-	var zeroBuildConfig compose.BuildConfig
 	if len(cfg.Services) > 0 {
 		c.Groups = []*Group{}
 		c.Targets = []*Target{}
@@ -51,17 +46,13 @@ func ParseCompose(dt []byte) (*Config, error) {
 		g := &Group{Name: "default"}

 		for _, s := range cfg.Services {
-
-			if s.Build == nil || reflect.DeepEqual(s.Build, zeroBuildConfig) {
-				// if not make sure they're setting an image or it's invalid d-c.yml
-				if s.Image == "" {
-					return nil, fmt.Errorf("compose file invalid: service %s has neither an image nor a build context specified. At least one must be provided", s.Name)
-				}
+			if s.Build == nil {
 				continue
 			}

-			if err = validateTargetName(s.Name); err != nil {
-				return nil, errors.Wrapf(err, "invalid service name %q", s.Name)
+			targetName := sanitizeTargetName(s.Name)
+			if err = validateTargetName(targetName); err != nil {
+				return nil, errors.Wrapf(err, "invalid service name %q", targetName)
 			}

 			var contextPathP *string
@@ -74,11 +65,22 @@ func ParseCompose(dt []byte) (*Config, error) {
 				dockerfilePath := s.Build.Dockerfile
 				dockerfilePathP = &dockerfilePath
 			}
-			g.Targets = append(g.Targets, s.Name)
+
+			var secrets []string
+			for _, bs := range s.Build.Secrets {
+				secret, err := composeToBuildkitSecret(bs, cfg.Secrets[bs.Source])
+				if err != nil {
+					return nil, err
+				}
+				secrets = append(secrets, secret)
+			}
+
+			g.Targets = append(g.Targets, targetName)
 			t := &Target{
-				Name:       s.Name,
+				Name:       targetName,
 				Context:    contextPathP,
 				Dockerfile: dockerfilePathP,
+				Tags:       s.Build.Tags,
 				Labels:     s.Build.Labels,
 				Args: flatten(s.Build.Args.Resolve(func(val string) (string, bool) {
 					if val, ok := s.Environment[val]; ok && val != nil {
@@ -88,7 +90,9 @@ func ParseCompose(dt []byte) (*Config, error) {
 					return val, ok
 				})),
 				CacheFrom:   s.Build.CacheFrom,
+				CacheTo:     s.Build.CacheTo,
 				NetworkMode: &s.Build.Network,
+				Secrets:     secrets,
 			}
 			if err = t.composeExtTarget(s.Build.Extensions); err != nil {
 				return nil, err
@@ -109,6 +113,86 @@ func ParseCompose(dt []byte) (*Config, error) {
 	return &c, nil
 }

+func validateComposeFile(dt []byte, fn string) (bool, error) {
+	envs, err := composeEnv()
+	if err != nil {
+		return true, err
+	}
+	fnl := strings.ToLower(fn)
+	if strings.HasSuffix(fnl, ".yml") || strings.HasSuffix(fnl, ".yaml") {
+		return true, validateCompose(dt, envs)
+	}
+	if strings.HasSuffix(fnl, ".json") || strings.HasSuffix(fnl, ".hcl") {
+		return false, nil
+	}
+	err = validateCompose(dt, envs)
+	return err == nil, err
+}
+
+func validateCompose(dt []byte, envs map[string]string) error {
+	_, err := loader.Load(compose.ConfigDetails{
+		ConfigFiles: []compose.ConfigFile{
+			{
+				Content: dt,
+			},
+		},
+		Environment: envs,
+	}, func(options *loader.Options) {
+		options.SkipNormalization = true
+		// consistency is checked later in ParseCompose to ensure multiple
+		// compose files can be merged together
+		options.SkipConsistencyCheck = true
+	})
+	return err
+}
+
+func composeEnv() (map[string]string, error) {
+	envs := sliceToMap(os.Environ())
+	if wd, err := os.Getwd(); err == nil {
+		envs, err = loadDotEnv(envs, wd)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return envs, nil
+}
+
+func loadDotEnv(curenv map[string]string, workingDir string) (map[string]string, error) {
+	if curenv == nil {
+		curenv = make(map[string]string)
+	}
+
+	ef, err := filepath.Abs(filepath.Join(workingDir, ".env"))
+	if err != nil {
+		return nil, err
+	}
+
+	if _, err = os.Stat(ef); os.IsNotExist(err) {
+		return curenv, nil
+	} else if err != nil {
+		return nil, err
+	}
+
+	dt, err := os.ReadFile(ef)
+	if err != nil {
+		return nil, err
+	}
+
+	envs, err := dotenv.UnmarshalBytes(dt)
+	if err != nil {
+		return nil, err
+	}
+
+	for k, v := range envs {
+		if _, set := curenv[k]; set {
+			continue
+		}
+		curenv[k] = v
+	}
+
+	return curenv, nil
+}
+
 func flatten(in compose.MappingWithEquals) compose.Mapping {
 	if len(in) == 0 {
 		return nil
@@ -123,89 +207,111 @@ func flatten(in compose.MappingWithEquals) compose.Mapping {
 	return out
 }

-// composeExtTarget converts Compose build extension x-bake to bake Target
-// https://github.com/compose-spec/compose-spec/blob/master/spec.md#extension
-func (t *Target) composeExtTarget(exts map[string]interface{}) error {
-	if ext, ok := exts["x-bake"]; ok {
-		for key, val := range ext.(map[string]interface{}) {
-			switch key {
-			case "tags":
-				if res, k := val.(string); k {
-					t.Tags = append(t.Tags, res)
-				} else {
-					for _, res := range val.([]interface{}) {
-						t.Tags = append(t.Tags, res.(string))
-					}
-				}
-			case "cache-from":
-				t.CacheFrom = []string{} // Needed to override the main field
-				if res, k := val.(string); k {
-					t.CacheFrom = append(t.CacheFrom, res)
-				} else {
-					for _, res := range val.([]interface{}) {
-						t.CacheFrom = append(t.CacheFrom, res.(string))
-					}
-				}
-			case "cache-to":
-				if res, k := val.(string); k {
-					t.CacheTo = append(t.CacheTo, res)
-				} else {
-					for _, res := range val.([]interface{}) {
-						t.CacheTo = append(t.CacheTo, res.(string))
-					}
-				}
-			case "secret":
-				if res, k := val.(string); k {
-					t.Secrets = append(t.Secrets, res)
-				} else {
-					for _, res := range val.([]interface{}) {
-						t.Secrets = append(t.Secrets, res.(string))
-					}
-				}
-			case "ssh":
-				if res, k := val.(string); k {
-					t.SSH = append(t.SSH, res)
-				} else {
-					for _, res := range val.([]interface{}) {
-						t.SSH = append(t.SSH, res.(string))
-					}
-				}
-			case "platforms":
-				if res, k := val.(string); k {
-					t.Platforms = append(t.Platforms, res)
-				} else {
-					for _, res := range val.([]interface{}) {
-						t.Platforms = append(t.Platforms, res.(string))
-					}
-				}
-			case "output":
-				if res, k := val.(string); k {
-					t.Outputs = append(t.Outputs, res)
-				} else {
-					for _, res := range val.([]interface{}) {
-						t.Outputs = append(t.Outputs, res.(string))
-					}
-				}
-			case "pull":
-				if res, ok := val.(bool); ok {
-					t.Pull = &res
-				}
-			case "no-cache":
-				if res, ok := val.(bool); ok {
-					t.NoCache = &res
-				}
-			case "no-cache-filter":
-				if res, k := val.(string); k {
-					t.NoCacheFilter = append(t.NoCacheFilter, res)
-				} else {
-					for _, res := range val.([]interface{}) {
-						t.NoCacheFilter = append(t.NoCacheFilter, res.(string))
-					}
-				}
-			default:
-				return fmt.Errorf("compose file invalid: unkwown %s field for x-bake", key)
-			}
+// xbake Compose build extension provides fields not (yet) available in
+// Compose build specification: https://github.com/compose-spec/compose-spec/blob/master/build.md
+type xbake struct {
+	Tags          stringArray `yaml:"tags,omitempty"`
+	CacheFrom     stringArray `yaml:"cache-from,omitempty"`
+	CacheTo       stringArray `yaml:"cache-to,omitempty"`
+	Secrets       stringArray `yaml:"secret,omitempty"`
+	SSH           stringArray `yaml:"ssh,omitempty"`
+	Platforms     stringArray `yaml:"platforms,omitempty"`
+	Outputs       stringArray `yaml:"output,omitempty"`
+	Pull          *bool       `yaml:"pull,omitempty"`
+	NoCache       *bool       `yaml:"no-cache,omitempty"`
+	NoCacheFilter stringArray `yaml:"no-cache-filter,omitempty"`
+	Contexts      stringMap   `yaml:"contexts,omitempty"`
+	// don't forget to update documentation if you add a new field:
+	// docs/guides/bake/compose-file.md#extension-field-with-x-bake
+}
+
+type stringMap map[string]string
+type stringArray []string
+
+func (sa *stringArray) UnmarshalYAML(unmarshal func(interface{}) error) error {
+	var multi []string
+	err := unmarshal(&multi)
+	if err != nil {
+		var single string
+		if err := unmarshal(&single); err != nil {
+			return err
 		}
+		*sa = strings.Fields(single)
+	} else {
+		*sa = multi
 	}
 	return nil
 }
+
+// composeExtTarget converts Compose build extension x-bake to bake Target
+// https://github.com/compose-spec/compose-spec/blob/master/spec.md#extension
+func (t *Target) composeExtTarget(exts map[string]interface{}) error {
+	var xb xbake
+
+	ext, ok := exts["x-bake"]
+	if !ok || ext == nil {
+		return nil
+	}
+
+	yb, _ := yaml.Marshal(ext)
+	if err := yaml.Unmarshal(yb, &xb); err != nil {
+		return err
+	}
+
+	if len(xb.Tags) > 0 {
+		t.Tags = dedupSlice(append(t.Tags, xb.Tags...))
+	}
+	if len(xb.CacheFrom) > 0 {
+		t.CacheFrom = dedupSlice(append(t.CacheFrom, xb.CacheFrom...))
+	}
+	if len(xb.CacheTo) > 0 {
+		t.CacheTo = dedupSlice(append(t.CacheTo, xb.CacheTo...))
+	}
+	if len(xb.Secrets) > 0 {
+		t.Secrets = dedupSlice(append(t.Secrets, xb.Secrets...))
+	}
+	if len(xb.SSH) > 0 {
+		t.SSH = dedupSlice(append(t.SSH, xb.SSH...))
+	}
+	if len(xb.Platforms) > 0 {
+		t.Platforms = dedupSlice(append(t.Platforms, xb.Platforms...))
+	}
+	if len(xb.Outputs) > 0 {
+		t.Outputs = dedupSlice(append(t.Outputs, xb.Outputs...))
+	}
+	if xb.Pull != nil {
+		t.Pull = xb.Pull
+	}
+	if xb.NoCache != nil {
+		t.NoCache = xb.NoCache
+	}
+	if len(xb.NoCacheFilter) > 0 {
+		t.NoCacheFilter = dedupSlice(append(t.NoCacheFilter, xb.NoCacheFilter...))
+	}
+	if len(xb.Contexts) > 0 {
+		t.Contexts = dedupMap(t.Contexts, xb.Contexts)
+	}
+
+	return nil
+}
+
+// composeToBuildkitSecret converts secret from compose format to buildkit's
+// csv format.
+func composeToBuildkitSecret(inp compose.ServiceSecretConfig, psecret compose.SecretConfig) (string, error) {
+	if psecret.External.External {
+		return "", errors.Errorf("unsupported external secret %s", psecret.Name)
+	}
+
+	var bkattrs []string
+	if inp.Source != "" {
+		bkattrs = append(bkattrs, "id="+inp.Source)
+	}
+	if psecret.File != "" {
+		bkattrs = append(bkattrs, "src="+psecret.File)
+	}
+	if psecret.Environment != "" {
+		bkattrs = append(bkattrs, "env="+psecret.Environment)
+	}
+
+	return strings.Join(bkattrs, ","), nil
+}
--- a/bake/compose_test.go
+++ b/bake/compose_test.go
@@ -2,9 +2,12 @@ package bake

 import (
 	"os"
+	"path/filepath"
 	"sort"
 	"testing"

+	compose "github.com/compose-spec/compose-go/types"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )

@@ -23,13 +26,25 @@ services:
        none
      args:
        buildno: 123
+      cache_from:
+        - type=local,src=path/to/cache
+      cache_to:
+        - type=local,dest=path/to/cache
+      secrets:
+        - token
+        - aws
+secrets:
+  token:
+    environment: ENV_TOKEN
+  aws:
+    file: /root/.aws/credentials
 `)

-	c, err := ParseCompose(dt)
+	c, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, nil)
 	require.NoError(t, err)

 	require.Equal(t, 1, len(c.Groups))
-	require.Equal(t, c.Groups[0].Name, "default")
+	require.Equal(t, "default", c.Groups[0].Name)
 	sort.Strings(c.Groups[0].Targets)
 	require.Equal(t, []string{"db", "webapp"}, c.Groups[0].Targets)

@@ -39,13 +54,20 @@ services:
 	})
 	require.Equal(t, "db", c.Targets[0].Name)
 	require.Equal(t, "./db", *c.Targets[0].Context)
+	require.Equal(t, []string{"docker.io/tonistiigi/db"}, c.Targets[0].Tags)

 	require.Equal(t, "webapp", c.Targets[1].Name)
 	require.Equal(t, "./dir", *c.Targets[1].Context)
 	require.Equal(t, "Dockerfile-alternate", *c.Targets[1].Dockerfile)
 	require.Equal(t, 1, len(c.Targets[1].Args))
 	require.Equal(t, "123", c.Targets[1].Args["buildno"])
+	require.Equal(t, []string{"type=local,src=path/to/cache"}, c.Targets[1].CacheFrom)
+	require.Equal(t, []string{"type=local,dest=path/to/cache"}, c.Targets[1].CacheTo)
 	require.Equal(t, "none", *c.Targets[1].NetworkMode)
+	require.Equal(t, []string{
+		"id=token,env=ENV_TOKEN",
+		"id=aws,src=/root/.aws/credentials",
+	}, c.Targets[1].Secrets)
 }

 func TestNoBuildOutOfTreeService(t *testing.T) {
@@ -56,9 +78,10 @@ services:
    webapp:
        build: ./db
 `)
-	c, err := ParseCompose(dt)
+	c, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, nil)
 	require.NoError(t, err)
 	require.Equal(t, 1, len(c.Groups))
+	require.Equal(t, 1, len(c.Targets))
 }

 func TestParseComposeTarget(t *testing.T) {
@@ -74,7 +97,7 @@ services:
      target: webapp
 `)

-	c, err := ParseCompose(dt)
+	c, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, nil)
 	require.NoError(t, err)

 	require.Equal(t, 2, len(c.Targets))
@@ -99,15 +122,15 @@ services:
      target: webapp
 `)

-	c, err := ParseCompose(dt)
+	c, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, nil)
 	require.NoError(t, err)
 	require.Equal(t, 2, len(c.Targets))
 	sort.Slice(c.Targets, func(i, j int) bool {
 		return c.Targets[i].Name < c.Targets[j].Name
 	})
-	require.Equal(t, c.Targets[0].Name, "db")
+	require.Equal(t, "db", c.Targets[0].Name)
 	require.Equal(t, "db", *c.Targets[0].Target)
-	require.Equal(t, c.Targets[1].Name, "webapp")
+	require.Equal(t, "webapp", c.Targets[1].Name)
 	require.Equal(t, "webapp", *c.Targets[1].Target)
 }

@@ -133,28 +156,22 @@ services:
 	os.Setenv("ZZZ_BAR", "zzz_foo")
 	defer os.Unsetenv("ZZZ_BAR")

-	c, err := ParseCompose(dt)
+	c, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, sliceToMap(os.Environ()))
 	require.NoError(t, err)
-	require.Equal(t, c.Targets[0].Args["FOO"], "bar")
-	require.Equal(t, c.Targets[0].Args["BAR"], "zzz_foo")
-	require.Equal(t, c.Targets[0].Args["BRB"], "FOO")
+	require.Equal(t, "bar", c.Targets[0].Args["FOO"])
+	require.Equal(t, "zzz_foo", c.Targets[0].Args["BAR"])
+	require.Equal(t, "FOO", c.Targets[0].Args["BRB"])
 }

-func TestBogusCompose(t *testing.T) {
+func TestInconsistentComposeFile(t *testing.T) {
 	var dt = []byte(`
 services:
-  db:
-    labels:
-      - "foo"
  webapp:
-    build:
-      context: .
-      target: webapp
+    entrypoint: echo 1
 `)

-	_, err := ParseCompose(dt)
+	_, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, nil)
 	require.Error(t, err)
-	require.Contains(t, err.Error(), "has neither an image nor a build context specified: invalid compose project")
 }

 func TestAdvancedNetwork(t *testing.T) {
@@ -178,10 +195,28 @@ networks:
          gateway: 10.5.0.254
 `)

-	_, err := ParseCompose(dt)
+	_, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, nil)
 	require.NoError(t, err)
 }

+func TestTags(t *testing.T) {
+	var dt = []byte(`
+services:
+  example:
+    image: example
+    build:
+      context: .
+      dockerfile: Dockerfile
+      tags:
+        - foo
+        - bar
+`)
+
+	c, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, nil)
+	require.NoError(t, err)
+	require.Equal(t, []string{"foo", "bar"}, c.Targets[0].Tags)
+}
+
 func TestDependsOnList(t *testing.T) {
 	var dt = []byte(`
 version: "3.8"
@@ -214,7 +249,7 @@ networks:
    name: test-net
 `)

-	_, err := ParseCompose(dt)
+	_, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, nil)
 	require.NoError(t, err)
 }

@@ -228,10 +263,16 @@ services:
      dockerfile: ./Dockerfile
      cache_from:
        - user/app:cache
+      cache_to:
+        - user/app:cache
+      tags:
+        - ct-addon:baz
      args:
        CT_ECR: foo
        CT_TAG: bar
      x-bake:
+        contexts:
+          alpine: docker-image://alpine:3.13
        tags:
          - ct-addon:foo
          - ct-addon:alp
@@ -240,7 +281,8 @@ services:
          - linux/arm64
        cache-from:
          - type=local,src=path/to/cache
-        cache-to: local,dest=path/to/cache
+        cache-to:
+          - type=local,dest=path/to/cache
        pull: true

  aws:
@@ -260,24 +302,56 @@ services:
        no-cache: true
 `)

-	c, err := ParseCompose(dt)
+	c, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, nil)
 	require.NoError(t, err)
 	require.Equal(t, 2, len(c.Targets))
 	sort.Slice(c.Targets, func(i, j int) bool {
 		return c.Targets[i].Name < c.Targets[j].Name
 	})
-	require.Equal(t, c.Targets[0].Args, map[string]string{"CT_ECR": "foo", "CT_TAG": "bar"})
-	require.Equal(t, c.Targets[0].Tags, []string{"ct-addon:foo", "ct-addon:alp"})
-	require.Equal(t, c.Targets[0].Platforms, []string{"linux/amd64", "linux/arm64"})
-	require.Equal(t, c.Targets[0].CacheFrom, []string{"type=local,src=path/to/cache"})
-	require.Equal(t, c.Targets[0].CacheTo, []string{"local,dest=path/to/cache"})
-	require.Equal(t, c.Targets[0].Pull, newBool(true))
-	require.Equal(t, c.Targets[1].Tags, []string{"ct-fake-aws:bar"})
-	require.Equal(t, c.Targets[1].Secrets, []string{"id=mysecret,src=/local/secret", "id=mysecret2,src=/local/secret2"})
-	require.Equal(t, c.Targets[1].SSH, []string{"default"})
-	require.Equal(t, c.Targets[1].Platforms, []string{"linux/arm64"})
-	require.Equal(t, c.Targets[1].Outputs, []string{"type=docker"})
-	require.Equal(t, c.Targets[1].NoCache, newBool(true))
+	require.Equal(t, map[string]string{"CT_ECR": "foo", "CT_TAG": "bar"}, c.Targets[0].Args)
+	require.Equal(t, []string{"ct-addon:baz", "ct-addon:foo", "ct-addon:alp"}, c.Targets[0].Tags)
+	require.Equal(t, []string{"linux/amd64", "linux/arm64"}, c.Targets[0].Platforms)
+	require.Equal(t, []string{"user/app:cache", "type=local,src=path/to/cache"}, c.Targets[0].CacheFrom)
+	require.Equal(t, []string{"user/app:cache", "type=local,dest=path/to/cache"}, c.Targets[0].CacheTo)
+	require.Equal(t, newBool(true), c.Targets[0].Pull)
+	require.Equal(t, map[string]string{"alpine": "docker-image://alpine:3.13"}, c.Targets[0].Contexts)
+	require.Equal(t, []string{"ct-fake-aws:bar"}, c.Targets[1].Tags)
+	require.Equal(t, []string{"id=mysecret,src=/local/secret", "id=mysecret2,src=/local/secret2"}, c.Targets[1].Secrets)
+	require.Equal(t, []string{"default"}, c.Targets[1].SSH)
+	require.Equal(t, []string{"linux/arm64"}, c.Targets[1].Platforms)
+	require.Equal(t, []string{"type=docker"}, c.Targets[1].Outputs)
+	require.Equal(t, newBool(true), c.Targets[1].NoCache)
+}
+
+func TestComposeExtDedup(t *testing.T) {
+	var dt = []byte(`
+services:
+  webapp:
+    image: app:bar
+    build:
+      cache_from:
+        - user/app:cache
+      cache_to:
+        - user/app:cache
+      tags:
+        - ct-addon:foo
+      x-bake:
+        tags:
+          - ct-addon:foo
+          - ct-addon:baz
+        cache-from:
+          - user/app:cache
+          - type=local,src=path/to/cache
+        cache-to:
+          - type=local,dest=path/to/cache
+`)
+
+	c, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, nil)
+	require.NoError(t, err)
+	require.Equal(t, 1, len(c.Targets))
+	require.Equal(t, []string{"ct-addon:foo", "ct-addon:baz"}, c.Targets[0].Tags)
+	require.Equal(t, []string{"user/app:cache", "type=local,src=path/to/cache"}, c.Targets[0].CacheFrom)
+	require.Equal(t, []string{"user/app:cache", "type=local,dest=path/to/cache"}, c.Targets[0].CacheTo)
 }

 func TestEnv(t *testing.T) {
@@ -305,9 +379,54 @@ services:
      - ` + envf.Name() + `
 `)

-	c, err := ParseCompose(dt)
+	c, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, nil)
+	require.NoError(t, err)
+	require.Equal(t, map[string]string{"CT_ECR": "foo", "FOO": "bsdf -csdf", "NODE_ENV": "test"}, c.Targets[0].Args)
+}
+
+func TestDotEnv(t *testing.T) {
+	tmpdir := t.TempDir()
+
+	err := os.WriteFile(filepath.Join(tmpdir, ".env"), []byte("FOO=bar"), 0644)
+	require.NoError(t, err)
+
+	var dt = []byte(`
+services:
+  scratch:
+    build:
+     context: .
+     args:
+        FOO:
+`)
+
+	chdir(t, tmpdir)
+	c, err := ParseComposeFiles([]File{{
+		Name: "docker-compose.yml",
+		Data: dt,
+	}})
+	require.NoError(t, err)
+	require.Equal(t, map[string]string{"FOO": "bar"}, c.Targets[0].Args)
+}
+
+func TestPorts(t *testing.T) {
+	var dt = []byte(`
+services:
+  foo:
+    build:
+     context: .
+    ports:
+      - 3306:3306
+  bar:
+    build:
+     context: .
+    ports:
+      - mode: ingress
+        target: 3306
+        published: "3306"
+        protocol: tcp
+`)
+	_, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, nil)
 	require.NoError(t, err)
-	require.Equal(t, c.Targets[0].Args, map[string]string{"CT_ECR": "foo", "FOO": "bsdf -csdf", "NODE_ENV": "test"})
 }

 func newBool(val bool) *bool {
@@ -330,7 +449,7 @@ func TestServiceName(t *testing.T) {
 		},
 		{
 			svc:     "a.b",
-			wantErr: true,
+			wantErr: false,
 		},
 		{
 			svc:     "_a",
@@ -352,12 +471,12 @@ func TestServiceName(t *testing.T) {
 	for _, tt := range cases {
 		tt := tt
 		t.Run(tt.svc, func(t *testing.T) {
-			_, err := ParseCompose([]byte(`
+			_, err := ParseCompose([]compose.ConfigFile{{Content: []byte(`
 services:
  ` + tt.svc + `:
    build:
      context: .
-`))
+`)}}, nil)
 			if tt.wantErr {
 				require.Error(t, err)
 			} else {
@@ -366,3 +485,164 @@ services:
 		})
 	}
 }
+
+func TestValidateComposeSecret(t *testing.T) {
+	cases := []struct {
+		name    string
+		dt      []byte
+		wantErr bool
+	}{
+		{
+			name: "secret set by file",
+			dt: []byte(`
+secrets:
+  foo:
+    file: .secret
+`),
+			wantErr: false,
+		},
+		{
+			name: "secret set by environment",
+			dt: []byte(`
+secrets:
+  foo:
+    environment: TOKEN
+`),
+			wantErr: false,
+		},
+		{
+			name: "external secret",
+			dt: []byte(`
+secrets:
+  foo:
+    external: true
+`),
+			wantErr: false,
+		},
+		{
+			name: "unset secret",
+			dt: []byte(`
+secrets:
+  foo: {}
+`),
+			wantErr: true,
+		},
+		{
+			name: "undefined secret",
+			dt: []byte(`
+services:
+  foo:
+    build:
+      secrets:
+        - token
+`),
+			wantErr: true,
+		},
+	}
+	for _, tt := range cases {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			_, err := ParseCompose([]compose.ConfigFile{{Content: tt.dt}}, nil)
+			if tt.wantErr {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+			}
+		})
+	}
+}
+
+func TestValidateComposeFile(t *testing.T) {
+	cases := []struct {
+		name      string
+		fn        string
+		dt        []byte
+		isCompose bool
+		wantErr   bool
+	}{
+		{
+			name: "empty service",
+			fn:   "docker-compose.yml",
+			dt: []byte(`
+services:
+  foo:
+`),
+			isCompose: true,
+			wantErr:   true,
+		},
+		{
+			name: "build",
+			fn:   "docker-compose.yml",
+			dt: []byte(`
+services:
+  foo:
+    build: .
+`),
+			isCompose: true,
+			wantErr:   false,
+		},
+		{
+			name: "image",
+			fn:   "docker-compose.yml",
+			dt: []byte(`
+services:
+  simple:
+    image: nginx
+`),
+			isCompose: true,
+			wantErr:   false,
+		},
+		{
+			name: "unknown ext",
+			fn:   "docker-compose.foo",
+			dt: []byte(`
+services:
+  simple:
+    image: nginx
+`),
+			isCompose: true,
+			wantErr:   false,
+		},
+		{
+			name: "hcl",
+			fn:   "docker-bake.hcl",
+			dt: []byte(`
+target "default" {
+  dockerfile = "test"
+}
+`),
+			isCompose: false,
+			wantErr:   false,
+		},
+	}
+	for _, tt := range cases {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			isCompose, err := validateComposeFile(tt.dt, tt.fn)
+			assert.Equal(t, tt.isCompose, isCompose)
+			if tt.wantErr {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+			}
+		})
+	}
+}
+
+// chdir changes the current working directory to the named directory,
+// and then restore the original working directory at the end of the test.
+func chdir(t *testing.T, dir string) {
+	olddir, err := os.Getwd()
+	if err != nil {
+		t.Fatalf("chdir: %v", err)
+	}
+	if err := os.Chdir(dir); err != nil {
+		t.Fatalf("chdir %s: %v", dir, err)
+	}
+	t.Cleanup(func() {
+		if err := os.Chdir(olddir); err != nil {
+			t.Errorf("chdir to original working directory %s: %v", olddir, err)
+			os.Exit(1)
+		}
+	})
+}
--- a/bake/hcl_test.go
+++ b/bake/hcl_test.go
@@ -620,3 +620,165 @@ func TestHCLBuiltinVars(t *testing.T) {
 	require.Equal(t, "foo", *c.Targets[0].Context)
 	require.Equal(t, "test", *c.Targets[0].Dockerfile)
 }
+
+func TestCombineHCLAndJSONTargets(t *testing.T) {
+	c, err := ParseFiles([]File{
+		{
+			Name: "docker-bake.hcl",
+			Data: []byte(`
+group "default" {
+  targets = ["a"]
+}
+
+target "metadata-a" {}
+target "metadata-b" {}
+
+target "a" {
+  inherits = ["metadata-a"]
+  context = "."
+  target = "a"
+}
+
+target "b" {
+  inherits = ["metadata-b"]
+  context = "."
+  target = "b"
+}`),
+		},
+		{
+			Name: "metadata-a.json",
+			Data: []byte(`
+{
+  "target": [{
+    "metadata-a": [{
+      "tags": [
+        "app/a:1.0.0",
+        "app/a:latest"
+      ]
+    }]
+  }]
+}`),
+		},
+		{
+			Name: "metadata-b.json",
+			Data: []byte(`
+{
+  "target": [{
+    "metadata-b": [{
+      "tags": [
+        "app/b:1.0.0",
+        "app/b:latest"
+      ]
+    }]
+  }]
+}`),
+		},
+	}, nil)
+	require.NoError(t, err)
+
+	require.Equal(t, 1, len(c.Groups))
+	require.Equal(t, "default", c.Groups[0].Name)
+	require.Equal(t, []string{"a"}, c.Groups[0].Targets)
+
+	require.Equal(t, 4, len(c.Targets))
+
+	require.Equal(t, c.Targets[0].Name, "metadata-a")
+	require.Equal(t, []string{"app/a:1.0.0", "app/a:latest"}, c.Targets[0].Tags)
+
+	require.Equal(t, c.Targets[1].Name, "metadata-b")
+	require.Equal(t, []string{"app/b:1.0.0", "app/b:latest"}, c.Targets[1].Tags)
+
+	require.Equal(t, c.Targets[2].Name, "a")
+	require.Equal(t, ".", *c.Targets[2].Context)
+	require.Equal(t, "a", *c.Targets[2].Target)
+
+	require.Equal(t, c.Targets[3].Name, "b")
+	require.Equal(t, ".", *c.Targets[3].Context)
+	require.Equal(t, "b", *c.Targets[3].Target)
+}
+
+func TestCombineHCLAndJSONVars(t *testing.T) {
+	c, err := ParseFiles([]File{
+		{
+			Name: "docker-bake.hcl",
+			Data: []byte(`
+variable "ABC" {
+  default = "foo"
+}
+variable "DEF" {
+  default = ""
+}
+group "default" {
+  targets = ["one"]
+}
+target "one" {
+  args = {
+    a = "pre-${ABC}"
+  }
+}
+target "two" {
+  args = {
+    b = "pre-${DEF}"
+  }
+}`),
+		},
+		{
+			Name: "foo.json",
+			Data: []byte(`{"variable": {"DEF": {"default": "bar"}}, "target": { "one": { "args": {"a": "pre-${ABC}-${DEF}"}} } }`),
+		},
+		{
+			Name: "bar.json",
+			Data: []byte(`{"ABC": "ghi", "DEF": "jkl"}`),
+		},
+	}, nil)
+	require.NoError(t, err)
+
+	require.Equal(t, 1, len(c.Groups))
+	require.Equal(t, "default", c.Groups[0].Name)
+	require.Equal(t, []string{"one"}, c.Groups[0].Targets)
+
+	require.Equal(t, 2, len(c.Targets))
+
+	require.Equal(t, c.Targets[0].Name, "one")
+	require.Equal(t, map[string]string{"a": "pre-ghi-jkl"}, c.Targets[0].Args)
+
+	require.Equal(t, c.Targets[1].Name, "two")
+	require.Equal(t, map[string]string{"b": "pre-jkl"}, c.Targets[1].Args)
+}
+
+func TestEmptyVariableJSON(t *testing.T) {
+	dt := []byte(`{
+	  "variable": {
+	    "VAR": {}
+	  }
+	}`)
+	_, err := ParseFile(dt, "docker-bake.json")
+	require.NoError(t, err)
+}
+
+func TestFunctionNoParams(t *testing.T) {
+	dt := []byte(`
+		function "foo" {
+			result = "bar"
+		}
+		target "foo_target" {
+			args = {
+				test = foo()
+			}
+		}
+		`)
+
+	_, err := ParseFile(dt, "docker-bake.hcl")
+	require.Error(t, err)
+}
+
+func TestFunctionNoResult(t *testing.T) {
+	dt := []byte(`
+		function "foo" {
+			params = ["a"]
+		}
+		`)
+
+	_, err := ParseFile(dt, "docker-bake.hcl")
+	require.Error(t, err)
+}
--- a/bake/hclparser/hclparser.go
+++ b/bake/hclparser/hclparser.go
@@ -111,6 +111,13 @@ func (p *parser) resolveFunction(name string) error {
 	}
 	p.progressF[name] = struct{}{}

+	if f.Result == nil {
+		return errors.Errorf("empty result not allowed for %s", name)
+	}
+	if f.Params == nil {
+		return errors.Errorf("empty params not allowed for %s", name)
+	}
+
 	paramExprs, paramsDiags := hcl.ExprList(f.Params.Expr)
 	if paramsDiags.HasErrors() {
 		return paramsDiags
@@ -256,6 +263,7 @@ func Parse(b hcl.Body, opt Opt, val interface{}) hcl.Diagnostics {
 	if err := gohcl.DecodeBody(b, nil, &defs); err != nil {
 		return err
 	}
+	defsSchema, _ := gohcl.ImpliedBodySchema(defs)

 	if opt.LookupVar == nil {
 		opt.LookupVar = func(string) (string, bool) {
@@ -300,12 +308,20 @@ func Parse(b hcl.Body, opt Opt, val interface{}) hcl.Diagnostics {
 		p.funcs[v.Name] = v
 	}

+	content, b, diags := b.PartialContent(schema)
+	if diags.HasErrors() {
+		return diags
+	}
+
+	blocks, b, diags := b.PartialContent(defsSchema)
+	if diags.HasErrors() {
+		return diags
+	}
+
 	attrs, diags := b.JustAttributes()
 	if diags.HasErrors() {
-		for _, d := range diags {
-			if d.Detail != "Blocks are not allowed here." {
-				return diags
-			}
+		if d := removeAttributesDiags(diags, reserved, p.vars); len(d) > 0 {
+			return d
 		}
 	}

@@ -361,23 +377,32 @@ func Parse(b hcl.Body, opt Opt, val interface{}) hcl.Diagnostics {
 			if diags, ok := err.(hcl.Diagnostics); ok {
 				return diags
 			}
+			var subject *hcl.Range
+			var context *hcl.Range
+			if p.funcs[k].Params != nil {
+				subject = &p.funcs[k].Params.Range
+				context = subject
+			} else {
+				for _, block := range blocks.Blocks {
+					if block.Type == "function" && len(block.Labels) == 1 && block.Labels[0] == k {
+						subject = &block.LabelRanges[0]
+						context = &block.DefRange
+						break
+					}
+				}
+			}
 			return hcl.Diagnostics{
 				&hcl.Diagnostic{
 					Severity: hcl.DiagError,
 					Summary:  "Invalid function",
 					Detail:   err.Error(),
-					Subject:  &p.funcs[k].Params.Range,
-					Context:  &p.funcs[k].Params.Range,
+					Subject:  subject,
+					Context:  context,
 				},
 			}
 		}
 	}

-	content, _, diags := b.PartialContent(schema)
-	if diags.HasErrors() {
-		return diags
-	}
-
 	for _, a := range content.Attributes {
 		return hcl.Diagnostics{
 			&hcl.Diagnostic{
@@ -514,3 +539,33 @@ func setLabel(v reflect.Value, lbl string) int {
 	}
 	return -1
 }
+
+func removeAttributesDiags(diags hcl.Diagnostics, reserved map[string]struct{}, vars map[string]*variable) hcl.Diagnostics {
+	var fdiags hcl.Diagnostics
+	for _, d := range diags {
+		if fout := func(d *hcl.Diagnostic) bool {
+			// https://github.com/docker/buildx/pull/541
+			if d.Detail == "Blocks are not allowed here." {
+				return true
+			}
+			for r := range reserved {
+				// JSON body objects don't handle repeated blocks like HCL but
+				// reserved name attributes should be allowed when multi bodies are merged.
+				// https://github.com/hashicorp/hcl/blob/main/json/spec.md#blocks
+				if strings.HasPrefix(d.Detail, fmt.Sprintf(`Argument "%s" was already set at `, r)) {
+					return true
+				}
+			}
+			for v := range vars {
+				// Do the same for global variables
+				if strings.HasPrefix(d.Detail, fmt.Sprintf(`Argument "%s" was already set at `, v)) {
+					return true
+				}
+			}
+			return false
+		}(d); !fout {
+			fdiags = append(fdiags, d)
+		}
+	}
+	return fdiags
+}
--- a/bake/hclparser/stdlib.go
+++ b/bake/hclparser/stdlib.go
@@ -1,12 +1,15 @@
 package hclparser

 import (
+	"time"
+
 	"github.com/hashicorp/go-cty-funcs/cidr"
 	"github.com/hashicorp/go-cty-funcs/crypto"
 	"github.com/hashicorp/go-cty-funcs/encoding"
 	"github.com/hashicorp/go-cty-funcs/uuid"
 	"github.com/hashicorp/hcl/v2/ext/tryfunc"
 	"github.com/hashicorp/hcl/v2/ext/typeexpr"
+	"github.com/zclconf/go-cty/cty"
 	"github.com/zclconf/go-cty/cty/function"
 	"github.com/zclconf/go-cty/cty/function/stdlib"
 )
@@ -96,6 +99,7 @@ var stdlibFunctions = map[string]function.Function{
 	"substr":                 stdlib.SubstrFunc,
 	"subtract":               stdlib.SubtractFunc,
 	"timeadd":                stdlib.TimeAddFunc,
+	"timestamp":              timestampFunc,
 	"title":                  stdlib.TitleFunc,
 	"trim":                   stdlib.TrimFunc,
 	"trimprefix":             stdlib.TrimPrefixFunc,
@@ -109,3 +113,14 @@ var stdlibFunctions = map[string]function.Function{
 	"values":                 stdlib.ValuesFunc,
 	"zipmap":                 stdlib.ZipmapFunc,
 }
+
+// timestampFunc constructs a function that returns a string representation of the current date and time.
+//
+// This function was imported from terraform's datetime utilities.
+var timestampFunc = function.New(&function.Spec{
+	Params: []function.Parameter{},
+	Type:   function.StaticReturnType(cty.String),
+	Impl: func(args []cty.Value, retType cty.Type) (cty.Value, error) {
+		return cty.StringVal(time.Now().UTC().Format(time.RFC3339)), nil
+	},
+})
--- a/build/build.go
+++ b/build/build.go
@@ -2,13 +2,14 @@ package build

 import (
 	"bufio"
+	"bytes"
 	"context"
 	"crypto/rand"
+	_ "crypto/sha256" // ensure digests can be computed
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"strconv"
@@ -17,6 +18,8 @@ import (
 	"syscall"
 	"time"

+	"github.com/containerd/containerd/content"
+	"github.com/containerd/containerd/content/local"
 	"github.com/containerd/containerd/images"
 	"github.com/containerd/containerd/platforms"
 	"github.com/docker/buildx/driver"
@@ -27,15 +30,16 @@ import (
 	"github.com/docker/cli/opts"
 	"github.com/docker/distribution/reference"
 	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/builder/remotecontext/urlutil"
 	dockerclient "github.com/docker/docker/client"
 	"github.com/docker/docker/pkg/jsonmessage"
-	"github.com/docker/docker/pkg/urlutil"
 	"github.com/moby/buildkit/client"
 	"github.com/moby/buildkit/client/llb"
 	"github.com/moby/buildkit/exporter/containerimage/exptypes"
 	gateway "github.com/moby/buildkit/frontend/gateway/client"
 	"github.com/moby/buildkit/session"
 	"github.com/moby/buildkit/session/upload/uploadprovider"
+	"github.com/moby/buildkit/solver/errdefs"
 	"github.com/moby/buildkit/solver/pb"
 	"github.com/moby/buildkit/util/apicaps"
 	"github.com/moby/buildkit/util/entitlements"
@@ -54,6 +58,10 @@ var (
 	errDockerfileConflict = errors.New("ambiguous Dockerfile source: both stdin and flag correspond to Dockerfiles")
 )

+const (
+	printFallbackImage = "docker/dockerfile-upstream:1.4-outline@sha256:627443ff4e2d0f635d429cfc1da5388bcd5a70949c38adcd3cd7c4e5df67c73c"
+)
+
 type Options struct {
 	Inputs Inputs

@@ -76,6 +84,15 @@ type Options struct {
 	Tags          []string
 	Target        string
 	Ulimits       *opts.UlimitOpt
+
+	// Linked marks this target as exclusively linked (not requested by the user).
+	Linked    bool
+	PrintFunc *PrintFunc
+}
+
+type PrintFunc struct {
+	Name   string
+	Format string
 }

 type Inputs struct {
@@ -586,7 +603,7 @@ func toSolveOpt(ctx context.Context, di DriverInfo, multiDriver bool, opt Option
 		so.FrontendAttrs["force-network-mode"] = opt.NetworkMode
 	case "", "default":
 	default:
-		return nil, nil, errors.Errorf("network mode %q not supported by buildkit. You can define a custom network for your builder using the network driver-opt in buildx create.", opt.NetworkMode)
+		return nil, nil, errors.Errorf("network mode %q not supported by buildkit - you can define a custom network for your builder using the network driver-opt in buildx create", opt.NetworkMode)
 	}

 	// setup extrahosts
@@ -612,7 +629,111 @@ func toSolveOpt(ctx context.Context, di DriverInfo, multiDriver bool, opt Option
 	return &so, releaseF, nil
 }

+// ContainerConfig is configuration for a container to run.
+type ContainerConfig struct {
+	ResultCtx *ResultContext
+	Args      []string
+	Env       []string
+	User      string
+	Cwd       string
+	Tty       bool
+	Stdin     io.ReadCloser
+	Stdout    io.WriteCloser
+	Stderr    io.WriteCloser
+}
+
+// ResultContext is a build result with the client that built it.
+type ResultContext struct {
+	Client *client.Client
+	Res    *gateway.Result
+}
+
+// Invoke invokes a build result as a container.
+func Invoke(ctx context.Context, cfg ContainerConfig) error {
+	if cfg.ResultCtx == nil {
+		return errors.Errorf("result must be provided")
+	}
+	c, res := cfg.ResultCtx.Client, cfg.ResultCtx.Res
+
+	mainCtx := ctx
+
+	_, err := c.Build(context.TODO(), client.SolveOpt{}, "buildx", func(ctx context.Context, c gateway.Client) (*gateway.Result, error) {
+		ctx, cancel := context.WithCancel(ctx)
+		go func() {
+			<-mainCtx.Done()
+			cancel()
+		}()
+
+		if res.Ref == nil {
+			return nil, errors.Errorf("no reference is registered")
+		}
+		st, err := res.Ref.ToState()
+		if err != nil {
+			return nil, err
+		}
+		def, err := st.Marshal(ctx)
+		if err != nil {
+			return nil, err
+		}
+		imgRef, err := c.Solve(ctx, gateway.SolveRequest{
+			Definition: def.ToPB(),
+		})
+		if err != nil {
+			return nil, err
+		}
+		ctr, err := c.NewContainer(ctx, gateway.NewContainerRequest{
+			Mounts: []gateway.Mount{
+				{
+					Dest:      "/",
+					MountType: pb.MountType_BIND,
+					Ref:       imgRef.Ref,
+				},
+			},
+		})
+		if err != nil {
+			return nil, err
+		}
+		defer ctr.Release(context.TODO())
+
+		proc, err := ctr.Start(ctx, gateway.StartRequest{
+			Args:   cfg.Args,
+			Env:    cfg.Env,
+			User:   cfg.User,
+			Cwd:    cfg.Cwd,
+			Tty:    cfg.Tty,
+			Stdin:  cfg.Stdin,
+			Stdout: cfg.Stdout,
+			Stderr: cfg.Stderr,
+		})
+		if err != nil {
+			return nil, errors.Errorf("failed to start container: %v", err)
+		}
+		errCh := make(chan error)
+		doneCh := make(chan struct{})
+		go func() {
+			if err := proc.Wait(); err != nil {
+				errCh <- err
+				return
+			}
+			close(doneCh)
+		}()
+		select {
+		case <-doneCh:
+		case <-ctx.Done():
+			return nil, ctx.Err()
+		case err := <-errCh:
+			return nil, err
+		}
+		return nil, nil
+	}, nil)
+	return err
+}
+
 func Build(ctx context.Context, drivers []DriverInfo, opt map[string]Options, docker DockerAPI, configDir string, w progress.Writer) (resp map[string]*client.SolveResponse, err error) {
+	return BuildWithResultHandler(ctx, drivers, opt, docker, configDir, w, nil, false)
+}
+
+func BuildWithResultHandler(ctx context.Context, drivers []DriverInfo, opt map[string]Options, docker DockerAPI, configDir string, w progress.Writer, resultHandleFunc func(driverIndex int, rCtx *ResultContext), allowNoOutput bool) (resp map[string]*client.SolveResponse, err error) {
 	if len(drivers) == 0 {
 		return nil, errors.Errorf("driver required for build")
 	}
@@ -630,13 +751,23 @@ func Build(ctx context.Context, drivers []DriverInfo, opt map[string]Options, do
 		}
 	}

-	if noMobyDriver != nil && !noDefaultLoad() {
-		for _, opt := range opt {
-			if len(opt.Exports) == 0 {
-				logrus.Warnf("No output specified for %s driver. Build result will only remain in the build cache. To push result image into registry use --push or to load image into docker use --load", noMobyDriver.Factory().Name())
-				break
+	if noMobyDriver != nil && !noDefaultLoad() && noPrintFunc(opt) {
+		var noOutputTargets []string
+		for name, opt := range opt {
+			if !opt.Linked && len(opt.Exports) == 0 {
+				noOutputTargets = append(noOutputTargets, name)
 			}
 		}
+		if len(noOutputTargets) > 0 && !allowNoOutput {
+			var warnNoOutputBuf bytes.Buffer
+			warnNoOutputBuf.WriteString("No output specified ")
+			if len(noOutputTargets) == 1 && noOutputTargets[0] == "default" {
+				warnNoOutputBuf.WriteString(fmt.Sprintf("with %s driver", noMobyDriver.Factory().Name()))
+			} else {
+				warnNoOutputBuf.WriteString(fmt.Sprintf("for %s target(s) with %s driver", strings.Join(noOutputTargets, ", "), noMobyDriver.Factory().Name()))
+			}
+			logrus.Warnf("%s. Build result will only remain in the build cache. To push result image into registry use --push or to load image into docker use --load", warnNoOutputBuf.String())
+		}
 	}

 	m, clients, err := resolveDrivers(ctx, drivers, opt, w)
@@ -771,7 +902,7 @@ func Build(ctx context.Context, drivers []DriverInfo, opt map[string]Options, do
 						dgst = v
 					}
 					if opt.ImageIDFile != "" {
-						return ioutil.WriteFile(opt.ImageIDFile, []byte(dgst), 0644)
+						return os.WriteFile(opt.ImageIDFile, []byte(dgst), 0644)
 					}
 					return nil
 				}
@@ -815,12 +946,26 @@ func Build(ctx context.Context, drivers []DriverInfo, opt map[string]Options, do

 							itpull := imagetools.New(imageopt)

-							dt, desc, err := itpull.Combine(ctx, names[0], descs)
+							ref, err := reference.ParseNormalizedNamed(names[0])
+							if err != nil {
+								return err
+							}
+							ref = reference.TagNameOnly(ref)
+
+							srcs := make([]*imagetools.Source, len(descs))
+							for i, desc := range descs {
+								srcs[i] = &imagetools.Source{
+									Desc: desc,
+									Ref:  ref,
+								}
+							}
+
+							dt, desc, err := itpull.Combine(ctx, srcs)
 							if err != nil {
 								return err
 							}
 							if opt.ImageIDFile != "" {
-								if err := ioutil.WriteFile(opt.ImageIDFile, []byte(desc.Digest), 0644); err != nil {
+								if err := os.WriteFile(opt.ImageIDFile, []byte(desc.Digest), 0644); err != nil {
 									return err
 								}
 							}
@@ -914,19 +1059,70 @@ func Build(ctx context.Context, drivers []DriverInfo, opt map[string]Options, do
 						ch, done := progress.NewChannel(pw)
 						defer func() { <-done }()

+						cc := c
+						var printRes map[string][]byte
 						rr, err := c.Build(ctx, so, "buildx", func(ctx context.Context, c gateway.Client) (*gateway.Result, error) {
-							res, err := c.Solve(ctx, req)
-							if err != nil {
-								return nil, err
+							var isFallback bool
+							var origErr error
+							for {
+								if opt.PrintFunc != nil {
+									if _, ok := req.FrontendOpt["frontend.caps"]; !ok {
+										req.FrontendOpt["frontend.caps"] = "moby.buildkit.frontend.subrequests+forward"
+									} else {
+										req.FrontendOpt["frontend.caps"] += ",moby.buildkit.frontend.subrequests+forward"
+									}
+									req.FrontendOpt["requestid"] = "frontend." + opt.PrintFunc.Name
+									if isFallback {
+										req.FrontendOpt["build-arg:BUILDKIT_SYNTAX"] = printFallbackImage
+									}
+								}
+								res, err := c.Solve(ctx, req)
+								if err != nil {
+									if origErr != nil {
+										return nil, err
+									}
+									var reqErr *errdefs.UnsupportedSubrequestError
+									if !isFallback {
+										if errors.As(err, &reqErr) {
+											switch reqErr.Name {
+											case "frontend.outline", "frontend.targets":
+												isFallback = true
+												origErr = err
+												continue
+											}
+											return nil, err
+										}
+										// buildkit v0.8 vendored in Docker 20.10 does not support typed errors
+										if strings.Contains(err.Error(), "unsupported request frontend.outline") || strings.Contains(err.Error(), "unsupported request frontend.targets") {
+											isFallback = true
+											origErr = err
+											continue
+										}
+									}
+									return nil, err
+								}
+								if opt.PrintFunc != nil {
+									printRes = res.Metadata
+								}
+								results.Set(resultKey(dp.driverIndex, k), res)
+								if resultHandleFunc != nil {
+									resultHandleFunc(dp.driverIndex, &ResultContext{cc, res})
+								}
+								return res, nil
 							}
-							results.Set(resultKey(dp.driverIndex, k), res)
-							return res, nil
 						}, ch)
 						if err != nil {
 							return err
 						}
 						res[i] = rr

+						if rr.ExporterResponse == nil {
+							rr.ExporterResponse = map[string]string{}
+						}
+						for k, v := range printRes {
+							rr.ExporterResponse[k] = string(v)
+						}
+
 						d := drivers[dp.driverIndex].Driver
 						if d.IsMobyDriver() {
 							for _, e := range so.Exports {
@@ -1086,7 +1282,7 @@ func remoteDigestWithMoby(ctx context.Context, d driver.Driver, name string) (st
 }

 func createTempDockerfile(r io.Reader) (string, error) {
-	dir, err := ioutil.TempDir("", "dockerfile")
+	dir, err := os.MkdirTemp("", "dockerfile")
 	if err != nil {
 		return "", err
 	}
@@ -1145,7 +1341,7 @@ func LoadInputs(ctx context.Context, d driver.Driver, inp Inputs, pw progress.Wr
 				}
 				// stdin is dockerfile
 				dockerfileReader = buf
-				inp.ContextPath, _ = ioutil.TempDir("", "empty-dir")
+				inp.ContextPath, _ = os.MkdirTemp("", "empty-dir")
 				toRemove = append(toRemove, inp.ContextPath)
 				target.LocalDirs["context"] = inp.ContextPath
 			}
@@ -1165,7 +1361,7 @@ func LoadInputs(ctx context.Context, d driver.Driver, inp Inputs, pw progress.Wr

 	case urlutil.IsGitURL(inp.ContextPath), urlutil.IsURL(inp.ContextPath):
 		if inp.DockerfilePath == "-" {
-			return nil, errors.Errorf("Dockerfile from stdin is not supported with remote contexts")
+			dockerfileReader = inp.InStream
 		}
 		target.FrontendAttrs["context"] = inp.ContextPath
 	default:
@@ -1222,6 +1418,32 @@ func LoadInputs(ctx context.Context, d driver.Driver, inp Inputs, pw progress.Wr
 			target.FrontendAttrs["context:"+k] = v.Path
 			continue
 		}
+
+		// handle OCI layout
+		if strings.HasPrefix(v.Path, "oci-layout://") {
+			pathAlone := strings.TrimPrefix(v.Path, "oci-layout://")
+			parts := strings.SplitN(pathAlone, "@", 2)
+			if len(parts) != 2 {
+				return nil, errors.Errorf("invalid oci-layout context %s, must be oci-layout:///path/to/layout@sha256:hash", v.Path)
+			}
+			localPath := parts[0]
+			dgst, err := digest.Parse(parts[1])
+			if err != nil {
+				return nil, errors.Wrapf(err, "invalid oci-layout context %s, does not have proper hash, must be oci-layout:///path/to/layout@sha256:hash", v.Path)
+			}
+			store, err := local.NewStore(localPath)
+			if err != nil {
+				return nil, errors.Wrapf(err, "invalid store at %s", localPath)
+			}
+			// now we can add it
+			if target.OCIStores == nil {
+				target.OCIStores = map[string]content.Store{}
+			}
+			target.OCIStores[k] = store
+
+			target.FrontendAttrs["context:"+k] = fmt.Sprintf("oci-layout:%s@%s", k, dgst.String())
+			continue
+		}
 		st, err := os.Stat(v.Path)
 		if err != nil {
 			return nil, errors.Wrapf(err, "failed to get build context %v", k)
@@ -1464,15 +1686,24 @@ func tryNodeIdentifier(configDir string) (out string) {
 			if _, err := rand.Read(b); err != nil {
 				return out
 			}
-			if err := ioutil.WriteFile(sessionFile, []byte(hex.EncodeToString(b)), 0600); err != nil {
+			if err := os.WriteFile(sessionFile, []byte(hex.EncodeToString(b)), 0600); err != nil {
 				return out
 			}
 		}
 	}

-	dt, err := ioutil.ReadFile(sessionFile)
+	dt, err := os.ReadFile(sessionFile)
 	if err == nil {
 		return string(dt)
 	}
 	return
 }
+
+func noPrintFunc(opt map[string]Options) bool {
+	for _, v := range opt {
+		if v.PrintFunc != nil {
+			return false
+		}
+	}
+	return true
+}
--- a/build/url.go
+++ b/build/url.go
@@ -2,7 +2,7 @@ package build

 import (
 	"context"
-	"io/ioutil"
+	"os"
 	"path/filepath"

 	"github.com/docker/buildx/driver"
@@ -53,11 +53,11 @@ func createTempDockerfileFromURL(ctx context.Context, d driver.Driver, url strin
 		if err != nil {
 			return nil, err
 		}
-		dir, err := ioutil.TempDir("", "buildx")
+		dir, err := os.MkdirTemp("", "buildx")
 		if err != nil {
 			return nil, err
 		}
-		if err := ioutil.WriteFile(filepath.Join(dir, "Dockerfile"), dt, 0600); err != nil {
+		if err := os.WriteFile(filepath.Join(dir, "Dockerfile"), dt, 0600); err != nil {
 			return nil, err
 		}
 		out = dir
--- a/cmd/buildx/main.go
+++ b/cmd/buildx/main.go
@@ -15,13 +15,8 @@ import (
 	cliflags "github.com/docker/cli/cli/flags"
 	"github.com/moby/buildkit/solver/errdefs"
 	"github.com/moby/buildkit/util/stack"
-	"github.com/moby/buildkit/util/tracing/detect"
-	"go.opentelemetry.io/otel"

-	_ "github.com/moby/buildkit/util/tracing/detect/delegated"
-	_ "github.com/moby/buildkit/util/tracing/env"
-
-	// FIXME: "k8s.io/client-go/plugin/pkg/client/auth/azure" is excluded because of compilation error
+	_ "k8s.io/client-go/plugin/pkg/client/auth/azure"
 	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
 	_ "k8s.io/client-go/plugin/pkg/client/auth/oidc"
 	_ "k8s.io/client-go/plugin/pkg/client/auth/openstack"
@@ -29,75 +24,67 @@ import (
 	_ "github.com/docker/buildx/driver/docker"
 	_ "github.com/docker/buildx/driver/docker-container"
 	_ "github.com/docker/buildx/driver/kubernetes"
+	_ "github.com/docker/buildx/driver/remote"
 )

-var experimental string
-
 func init() {
 	seed.WithTimeAndRand()
 	stack.SetVersionInfo(version.Version, version.Revision)
+}

-	detect.ServiceName = "buildx"
-	// do not log tracing errors to stdio
-	otel.SetErrorHandler(skipErrors{})
+func runStandalone(cmd *command.DockerCli) error {
+	if err := cmd.Initialize(cliflags.NewClientOptions()); err != nil {
+		return err
+	}
+	rootCmd := commands.NewRootCmd(os.Args[0], false, cmd)
+	return rootCmd.Execute()
+}
+
+func runPlugin(cmd *command.DockerCli) error {
+	rootCmd := commands.NewRootCmd("buildx", true, cmd)
+	return plugin.RunPlugin(cmd, rootCmd, manager.Metadata{
+		SchemaVersion: "0.1.0",
+		Vendor:        "Docker Inc.",
+		Version:       version.Version,
+	})
 }

 func main() {
-	if plugin.RunningStandalone() {
-		dockerCli, err := command.NewDockerCli()
-		if err != nil {
-			fmt.Fprintln(os.Stderr, err)
-			os.Exit(1)
-		}
-		opts := cliflags.NewClientOptions()
-		dockerCli.Initialize(opts)
-		rootCmd := commands.NewRootCmd(os.Args[0], false, dockerCli)
-		if err := rootCmd.Execute(); err != nil {
-			os.Exit(1)
-		}
-		os.Exit(0)
-	}
-
-	dockerCli, err := command.NewDockerCli()
+	cmd, err := command.NewDockerCli()
 	if err != nil {
 		fmt.Fprintln(os.Stderr, err)
 		os.Exit(1)
 	}

-	p := commands.NewRootCmd("buildx", true, dockerCli)
-	meta := manager.Metadata{
-		SchemaVersion: "0.1.0",
-		Vendor:        "Docker Inc.",
-		Version:       version.Version,
-		Experimental:  experimental != "",
+	if plugin.RunningStandalone() {
+		err = runStandalone(cmd)
+	} else {
+		err = runPlugin(cmd)
+	}
+	if err == nil {
+		return
 	}

-	if err := plugin.RunPlugin(dockerCli, p, meta); err != nil {
-		if sterr, ok := err.(cli.StatusError); ok {
-			if sterr.Status != "" {
-				fmt.Fprintln(dockerCli.Err(), sterr.Status)
-			}
-			// StatusError should only be used for errors, and all errors should
-			// have a non-zero exit status, so never exit with 0
-			if sterr.StatusCode == 0 {
-				os.Exit(1)
-			}
-			os.Exit(sterr.StatusCode)
+	if sterr, ok := err.(cli.StatusError); ok {
+		if sterr.Status != "" {
+			fmt.Fprintln(cmd.Err(), sterr.Status)
 		}
-		for _, s := range errdefs.Sources(err) {
-			s.Print(dockerCli.Err())
+		// StatusError should only be used for errors, and all errors should
+		// have a non-zero exit status, so never exit with 0
+		if sterr.StatusCode == 0 {
+			os.Exit(1)
 		}
-
-		if debug.IsEnabled() {
-			fmt.Fprintf(dockerCli.Err(), "error: %+v", stack.Formatter(err))
-		} else {
-			fmt.Fprintf(dockerCli.Err(), "error: %v\n", err)
-		}
-
-		os.Exit(1)
+		os.Exit(sterr.StatusCode)
 	}
+
+	for _, s := range errdefs.Sources(err) {
+		s.Print(cmd.Err())
+	}
+	if debug.IsEnabled() {
+		fmt.Fprintf(cmd.Err(), "ERROR: %+v", stack.Formatter(err))
+	} else {
+		fmt.Fprintf(cmd.Err(), "ERROR: %v\n", err)
+	}
+
+	os.Exit(1)
 }
-
-type skipErrors struct{}
-
-func (skipErrors) Handle(err error) {}
--- a/cmd/buildx/tracing.go
+++ b/cmd/buildx/tracing.go
@@ -0,0 +1,19 @@
+package main
+
+import (
+	"github.com/moby/buildkit/util/tracing/detect"
+	"go.opentelemetry.io/otel"
+
+	_ "github.com/moby/buildkit/util/tracing/detect/delegated"
+	_ "github.com/moby/buildkit/util/tracing/env"
+)
+
+func init() {
+	detect.ServiceName = "buildx"
+	// do not log tracing errors to stdio
+	otel.SetErrorHandler(skipErrors{})
+}
+
+type skipErrors struct{}
+
+func (skipErrors) Handle(err error) {}
--- a/commands/bake.go
+++ b/commands/bake.go
@@ -104,8 +104,8 @@ func runBake(dockerCli command.Cli, targets []string, in bakeOptions) (err error
 	}

 	tgts, grps, err := bake.ReadTargets(ctx, files, targets, overrides, map[string]string{
-		// Don't forget to update documentation if you add a new
-		// built-in variable: docs/reference/buildx_bake.md#built-in-variables
+		// don't forget to update documentation if you add a new
+		// built-in variable: docs/guides/bake/file-definition.md#built-in-variables
 		"BAKE_CMD_CONTEXT":    cmdContext,
 		"BAKE_LOCAL_PLATFORM": platforms.DefaultString(),
 	})
--- a/commands/build.go
+++ b/commands/build.go
@@ -4,14 +4,19 @@ import (
 	"bytes"
 	"context"
 	"encoding/base64"
+	"encoding/csv"
 	"encoding/json"
 	"fmt"
 	"io"
 	"os"
 	"path/filepath"
+	"strconv"
 	"strings"
+	"sync"

+	"github.com/containerd/console"
 	"github.com/docker/buildx/build"
+	"github.com/docker/buildx/monitor"
 	"github.com/docker/buildx/util/buildflags"
 	"github.com/docker/buildx/util/confutil"
 	"github.com/docker/buildx/util/platformutil"
@@ -20,6 +25,7 @@ import (
 	"github.com/docker/cli-docs-tool/annotation"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/config"
 	dockeropts "github.com/docker/cli/opts"
 	"github.com/docker/distribution/reference"
 	"github.com/docker/docker/pkg/ioutils"
@@ -42,6 +48,7 @@ const defaultTargetName = "default"
 type buildOptions struct {
 	contextPath    string
 	dockerfileName string
+	printFunc      string

 	allow         []string
 	buildArgs     []string
@@ -63,6 +70,7 @@ type buildOptions struct {
 	tags          []string
 	target        string
 	ulimits       *dockeropts.UlimitOpt
+	invoke        string
 	commonOptions
 }

@@ -115,6 +123,11 @@ func runBuild(dockerCli command.Cli, in buildOptions) (err error) {
 		return err
 	}

+	printFunc, err := parsePrintFunc(in.printFunc)
+	if err != nil {
+		return err
+	}
+
 	opts := build.Options{
 		Inputs: build.Inputs{
 			ContextPath:    in.contextPath,
@@ -134,6 +147,7 @@ func runBuild(dockerCli command.Cli, in buildOptions) (err error) {
 		Tags:          in.tags,
 		Target:        in.target,
 		Ulimits:       in.ulimits,
+		PrintFunc:     printFunc,
 	}

 	platforms, err := platformutil.Parse(in.platforms)
@@ -142,7 +156,8 @@ func runBuild(dockerCli command.Cli, in buildOptions) (err error) {
 	}
 	opts.Platforms = platforms

-	opts.Session = append(opts.Session, authprovider.NewDockerAuthProvider(os.Stderr))
+	dockerConfig := config.LoadDefaultConfigFile(os.Stderr)
+	opts.Session = append(opts.Session, authprovider.NewDockerAuthProvider(dockerConfig))

 	secrets, err := buildflags.ParseSecretSpecs(in.secrets)
 	if err != nil {
@@ -225,22 +240,48 @@ func runBuild(dockerCli command.Cli, in buildOptions) (err error) {
 		contextPathHash = in.contextPath
 	}

-	imageID, err := buildTargets(ctx, dockerCli, map[string]build.Options{defaultTargetName: opts}, in.progress, contextPathHash, in.builder, in.metadataFile)
+	imageID, res, err := buildTargets(ctx, dockerCli, map[string]build.Options{defaultTargetName: opts}, in.progress, contextPathHash, in.builder, in.metadataFile, in.invoke != "")
 	err = wrapBuildError(err, false)
 	if err != nil {
 		return err
 	}

+	if in.invoke != "" {
+		cfg, err := parseInvokeConfig(in.invoke)
+		if err != nil {
+			return err
+		}
+		cfg.ResultCtx = res
+		con := console.Current()
+		if err := con.SetRaw(); err != nil {
+			return errors.Errorf("failed to configure terminal: %v", err)
+		}
+		err = monitor.RunMonitor(ctx, cfg, func(ctx context.Context) (*build.ResultContext, error) {
+			_, rr, err := buildTargets(ctx, dockerCli, map[string]build.Options{defaultTargetName: opts}, in.progress, contextPathHash, in.builder, in.metadataFile, true)
+			return rr, err
+		}, io.NopCloser(os.Stdin), nopCloser{os.Stdout}, nopCloser{os.Stderr})
+		if err != nil {
+			logrus.Warnf("failed to run monitor: %v", err)
+		}
+		con.Reset()
+	}
+
 	if in.quiet {
 		fmt.Println(imageID)
 	}
 	return nil
 }

-func buildTargets(ctx context.Context, dockerCli command.Cli, opts map[string]build.Options, progressMode, contextPathHash, instance string, metadataFile string) (imageID string, err error) {
+type nopCloser struct {
+	io.WriteCloser
+}
+
+func (c nopCloser) Close() error { return nil }
+
+func buildTargets(ctx context.Context, dockerCli command.Cli, opts map[string]build.Options, progressMode, contextPathHash, instance string, metadataFile string, allowNoOutput bool) (imageID string, res *build.ResultContext, err error) {
 	dis, err := getInstanceOrDefault(ctx, dockerCli, instance, contextPathHash)
 	if err != nil {
-		return "", err
+		return "", nil, err
 	}

 	ctx2, cancel := context.WithCancel(context.TODO())
@@ -248,24 +289,90 @@ func buildTargets(ctx context.Context, dockerCli command.Cli, opts map[string]bu

 	printer := progress.NewPrinter(ctx2, os.Stderr, os.Stderr, progressMode)

-	resp, err := build.Build(ctx, dis, opts, dockerAPI(dockerCli), confutil.ConfigDir(dockerCli), printer)
+	var mu sync.Mutex
+	var idx int
+	resp, err := build.BuildWithResultHandler(ctx, dis, opts, dockerAPI(dockerCli), confutil.ConfigDir(dockerCli), printer, func(driverIndex int, gotRes *build.ResultContext) {
+		mu.Lock()
+		defer mu.Unlock()
+		if res == nil || driverIndex < idx {
+			idx, res = driverIndex, gotRes
+		}
+	}, allowNoOutput)
 	err1 := printer.Wait()
 	if err == nil {
 		err = err1
 	}
 	if err != nil {
-		return "", err
+		return "", nil, err
 	}

 	if len(metadataFile) > 0 && resp != nil {
 		if err := writeMetadataFile(metadataFile, decodeExporterResponse(resp[defaultTargetName].ExporterResponse)); err != nil {
-			return "", err
+			return "", nil, err
 		}
 	}

 	printWarnings(os.Stderr, printer.Warnings(), progressMode)

-	return resp[defaultTargetName].ExporterResponse["containerimage.digest"], err
+	for k := range resp {
+		if opts[k].PrintFunc != nil {
+			if err := printResult(opts[k].PrintFunc, resp[k].ExporterResponse); err != nil {
+				return "", nil, err
+			}
+		}
+	}
+
+	return resp[defaultTargetName].ExporterResponse["containerimage.digest"], res, err
+}
+
+func parseInvokeConfig(invoke string) (cfg build.ContainerConfig, err error) {
+	csvReader := csv.NewReader(strings.NewReader(invoke))
+	fields, err := csvReader.Read()
+	if err != nil {
+		return cfg, err
+	}
+	cfg.Tty = true
+	if len(fields) == 1 && !strings.Contains(fields[0], "=") {
+		cfg.Args = []string{fields[0]}
+		return cfg, nil
+	}
+	var entrypoint string
+	var args []string
+	for _, field := range fields {
+		parts := strings.SplitN(field, "=", 2)
+		if len(parts) != 2 {
+			return cfg, errors.Errorf("invalid value %s", field)
+		}
+		key := strings.ToLower(parts[0])
+		value := parts[1]
+		switch key {
+		case "args":
+			args = append(args, value) // TODO: support JSON
+		case "entrypoint":
+			entrypoint = value // TODO: support JSON
+		case "env":
+			cfg.Env = append(cfg.Env, value)
+		case "user":
+			cfg.User = value
+		case "cwd":
+			cfg.Cwd = value
+		case "tty":
+			cfg.Tty, err = strconv.ParseBool(value)
+			if err != nil {
+				return cfg, errors.Errorf("failed to parse tty: %v", err)
+			}
+		default:
+			return cfg, errors.Errorf("unknown key %q", key)
+		}
+	}
+	cfg.Args = args
+	if entrypoint != "" {
+		cfg.Args = append([]string{entrypoint}, cfg.Args...)
+	}
+	if len(cfg.Args) == 0 {
+		cfg.Args = []string{"sh"}
+	}
+	return cfg, nil
 }

 func printWarnings(w io.Writer, warnings []client.VertexWarning, mode string) {
@@ -371,6 +478,10 @@ func buildCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {

 	flags.StringArrayVar(&options.platforms, "platform", platformsDefault, "Set target platform for build")

+	if isExperimental() {
+		flags.StringVar(&options.printFunc, "print", "", "Print result of information request (e.g., outline, targets) [experimental]")
+	}
+
 	flags.BoolVar(&options.exportPush, "push", false, `Shorthand for "--output=type=registry"`)

 	flags.BoolVarP(&options.quiet, "quiet", "q", false, "Suppress the build output and print image ID on success")
@@ -389,6 +500,10 @@ func buildCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {

 	flags.Var(options.ulimits, "ulimit", "Ulimit options")

+	if isExperimental() {
+		flags.StringVar(&options.invoke, "invoke", "", "Invoke a command after the build [experimental]")
+	}
+
 	// hidden flags
 	var ignore string
 	var ignoreSlice []string
@@ -500,6 +615,34 @@ func parseContextNames(values []string) (map[string]build.NamedContext, error) {
 	return result, nil
 }

+func parsePrintFunc(str string) (*build.PrintFunc, error) {
+	if str == "" {
+		return nil, nil
+	}
+	csvReader := csv.NewReader(strings.NewReader(str))
+	fields, err := csvReader.Read()
+	if err != nil {
+		return nil, err
+	}
+	f := &build.PrintFunc{}
+	for _, field := range fields {
+		parts := strings.SplitN(field, "=", 2)
+		if len(parts) == 2 {
+			if parts[0] == "format" {
+				f.Format = parts[1]
+			} else {
+				return nil, errors.Errorf("invalid print field: %s", field)
+			}
+		} else {
+			if f.Name != "" {
+				return nil, errors.Errorf("invalid print value: %s", str)
+			}
+			f.Name = field
+		}
+	}
+	return f, nil
+}
+
 func writeMetadataFile(filename string, dt interface{}) error {
 	b, err := json.MarshalIndent(dt, "", "  ")
 	if err != nil {
@@ -556,3 +699,11 @@ func (w *wrapped) Error() string {
 func (w *wrapped) Unwrap() error {
 	return w.err
 }
+
+func isExperimental() bool {
+	if v, ok := os.LookupEnv("BUILDX_EXPERIMENTAL"); ok {
+		vv, _ := strconv.ParseBool(v)
+		return vv
+	}
+	return false
+}
--- a/commands/create.go
+++ b/commands/create.go
@@ -14,6 +14,7 @@ import (
 	"github.com/docker/buildx/store"
 	"github.com/docker/buildx/store/storeutil"
 	"github.com/docker/buildx/util/cobrautil"
+	"github.com/docker/buildx/util/confutil"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/google/shlex"
@@ -60,22 +61,6 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 		}
 	}

-	driverName := in.driver
-	if driverName == "" {
-		f, err := driver.GetDefaultFactory(ctx, dockerCli.Client(), true)
-		if err != nil {
-			return err
-		}
-		if f == nil {
-			return errors.Errorf("no valid drivers found")
-		}
-		driverName = f.Name()
-	}
-
-	if driver.GetFactory(driverName, true) == nil {
-		return errors.Errorf("failed to find driver %q", in.driver)
-	}
-
 	txn, release, err := storeutil.GetStore(dockerCli)
 	if err != nil {
 		return err
@@ -90,6 +75,19 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 		}
 	}

+	if !in.actionLeave && !in.actionAppend {
+		contexts, err := dockerCli.ContextStore().List()
+		if err != nil {
+			return err
+		}
+		for _, c := range contexts {
+			if c.Name == name {
+				logrus.Warnf("instance name %q already exists as context builder", name)
+				break
+			}
+		}
+	}
+
 	ng, err := txn.NodeGroupByName(name)
 	if err != nil {
 		if os.IsNotExist(errors.Cause(err)) {
@@ -97,29 +95,62 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 				logrus.Warnf("failed to find %q for append, creating a new instance instead", in.name)
 			}
 			if in.actionLeave {
-				return errors.Errorf("failed to find instance %q for leave", name)
+				return errors.Errorf("failed to find instance %q for leave", in.name)
 			}
 		} else {
 			return err
 		}
 	}

+	buildkitHost := os.Getenv("BUILDKIT_HOST")
+
+	driverName := in.driver
+	if driverName == "" {
+		if ng != nil {
+			driverName = ng.Driver
+		} else if len(args) == 0 && buildkitHost != "" {
+			driverName = "remote"
+		} else {
+			var arg string
+			if len(args) > 0 {
+				arg = args[0]
+			}
+			f, err := driver.GetDefaultFactory(ctx, arg, dockerCli.Client(), true)
+			if err != nil {
+				return err
+			}
+			if f == nil {
+				return errors.Errorf("no valid drivers found")
+			}
+			driverName = f.Name()
+		}
+	}
+
 	if ng != nil {
 		if in.nodeName == "" && !in.actionAppend {
-			return errors.Errorf("existing instance for %s but no append mode, specify --node to make changes for existing instances", name)
+			return errors.Errorf("existing instance for %q but no append mode, specify --node to make changes for existing instances", name)
 		}
+		if driverName != ng.Driver {
+			return errors.Errorf("existing instance for %q but has mismatched driver %q", name, ng.Driver)
+		}
+	}
+
+	if _, err := driver.GetFactory(driverName, true); err != nil {
+		return err
+	}
+
+	ngOriginal := ng
+	if ngOriginal != nil {
+		ngOriginal = ngOriginal.Copy()
 	}

 	if ng == nil {
 		ng = &store.NodeGroup{
-			Name: name,
+			Name:   name,
+			Driver: driverName,
 		}
 	}

-	if ng.Driver == "" || in.driver != "" {
-		ng.Driver = driverName
-	}
-
 	var flags []string
 	if in.flags != "" {
 		flags, err = shlex.Split(in.flags)
@@ -129,44 +160,72 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 	}

 	var ep string
+	var setEp bool
 	if in.actionLeave {
 		if err := ng.Leave(in.nodeName); err != nil {
 			return err
 		}
 	} else {
-		if len(args) > 0 {
-			ep, err = validateEndpoint(dockerCli, args[0])
-			if err != nil {
-				return err
+		switch {
+		case driverName == "kubernetes":
+			if len(args) > 0 {
+				logrus.Warnf("kubernetes driver does not support endpoint args %q", args[0])
 			}
-		} else {
-			if dockerCli.CurrentContext() == "default" && dockerCli.DockerEndpoint().TLSData != nil {
-				return errors.Errorf("could not create a builder instance with TLS data loaded from environment. Please use `docker context create <context-name>` to create a context for current environment and then create a builder instance with `docker buildx create <context-name>`")
-			}
-
-			ep, err = storeutil.GetCurrentEndpoint(dockerCli)
-			if err != nil {
-				return err
-			}
-		}
-
-		if in.driver == "kubernetes" {
 			// naming endpoint to make --append works
 			ep = (&url.URL{
-				Scheme: in.driver,
+				Scheme: driverName,
 				Path:   "/" + in.name,
 				RawQuery: (&url.Values{
 					"deployment": {in.nodeName},
 					"kubeconfig": {os.Getenv("KUBECONFIG")},
 				}).Encode(),
 			}).String()
+			setEp = false
+		case driverName == "remote":
+			if len(args) > 0 {
+				ep = args[0]
+			} else if buildkitHost != "" {
+				ep = buildkitHost
+			} else {
+				return errors.Errorf("no remote endpoint provided")
+			}
+			ep, err = validateBuildkitEndpoint(ep)
+			if err != nil {
+				return err
+			}
+			setEp = true
+		case len(args) > 0:
+			ep, err = validateEndpoint(dockerCli, args[0])
+			if err != nil {
+				return err
+			}
+			setEp = true
+		default:
+			if dockerCli.CurrentContext() == "default" && dockerCli.DockerEndpoint().TLSData != nil {
+				return errors.Errorf("could not create a builder instance with TLS data loaded from environment. Please use `docker context create <context-name>` to create a context for current environment and then create a builder instance with `docker buildx create <context-name>`")
+			}
+			ep, err = storeutil.GetCurrentEndpoint(dockerCli)
+			if err != nil {
+				return err
+			}
+			setEp = false
 		}

 		m, err := csvToMap(in.driverOpts)
 		if err != nil {
 			return err
 		}
-		if err := ng.Update(in.nodeName, ep, in.platform, len(args) > 0, in.actionAppend, flags, in.configFile, m); err != nil {
+
+		if in.configFile == "" {
+			// if buildkit config is not provided, check if the default one is
+			// available and use it
+			if f, ok := confutil.DefaultConfigFile(dockerCli); ok {
+				logrus.Warnf("Using default BuildKit config in %s", f)
+				in.configFile = f
+			}
+		}
+
+		if err := ng.Update(in.nodeName, ep, in.platform, setEp, in.actionAppend, flags, in.configFile, m); err != nil {
 			return err
 		}
 	}
@@ -175,6 +234,30 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 		return err
 	}

+	ngi := &nginfo{ng: ng}
+
+	timeoutCtx, cancel := context.WithTimeout(ctx, 20*time.Second)
+	defer cancel()
+
+	if err = loadNodeGroupData(timeoutCtx, dockerCli, ngi); err != nil {
+		return err
+	}
+	for _, info := range ngi.drivers {
+		if err := info.di.Err; err != nil {
+			err := errors.Errorf("failed to initialize builder %s (%s): %s", ng.Name, info.di.Name, err)
+			var err2 error
+			if ngOriginal == nil {
+				err2 = txn.Remove(ng.Name)
+			} else {
+				err2 = txn.Save(ngOriginal)
+			}
+			if err2 != nil {
+				logrus.Warnf("Could not rollback to previous state: %s", err2)
+			}
+			return err
+		}
+	}
+
 	if in.use && ep != "" {
 		current, err := storeutil.GetCurrentEndpoint(dockerCli)
 		if err != nil {
@@ -185,15 +268,6 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 		}
 	}

-	ngi := &nginfo{ng: ng}
-
-	timeoutCtx, cancel := context.WithTimeout(ctx, 20*time.Second)
-	defer cancel()
-
-	if err = loadNodeGroupData(timeoutCtx, dockerCli, ngi); err != nil {
-		return err
-	}
-
 	if in.bootstrap {
 		if _, err = boot(ctx, ngi); err != nil {
 			return err
@@ -208,7 +282,7 @@ func createCmd(dockerCli command.Cli) *cobra.Command {
 	var options createOptions

 	var drivers bytes.Buffer
-	for _, d := range driver.GetFactories() {
+	for _, d := range driver.GetFactories(true) {
 		if len(drivers.String()) > 0 {
 			drivers.WriteString(", ")
 		}
@@ -246,6 +320,9 @@ func createCmd(dockerCli command.Cli) *cobra.Command {
 }

 func csvToMap(in []string) (map[string]string, error) {
+	if len(in) == 0 {
+		return nil, nil
+	}
 	m := make(map[string]string, len(in))
 	for _, s := range in {
 		csvReader := csv.NewReader(strings.NewReader(s))
--- a/commands/create_test.go
+++ b/commands/create_test.go
@@ -0,0 +1,26 @@
+package commands
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestCsvToMap(t *testing.T) {
+	d := []string{
+		"\"tolerations=key=foo,value=bar;key=foo2,value=bar2\",replicas=1",
+		"namespace=default",
+	}
+	r, err := csvToMap(d)
+
+	require.NoError(t, err)
+
+	require.Contains(t, r, "tolerations")
+	require.Equal(t, r["tolerations"], "key=foo,value=bar;key=foo2,value=bar2")
+
+	require.Contains(t, r, "replicas")
+	require.Equal(t, r["replicas"], "1")
+
+	require.Contains(t, r, "namespace")
+	require.Equal(t, r["namespace"], "default")
+}
--- a/commands/imagetools/create.go
+++ b/commands/imagetools/create.go
@@ -1,14 +1,16 @@
 package commands

 import (
+	"context"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"os"
 	"strings"

 	"github.com/docker/buildx/store"
 	"github.com/docker/buildx/store/storeutil"
 	"github.com/docker/buildx/util/imagetools"
+	"github.com/docker/buildx/util/progress"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/distribution/reference"
 	"github.com/moby/buildkit/util/appcontext"
@@ -25,6 +27,7 @@ type createOptions struct {
 	tags         []string
 	dryrun       bool
 	actionAppend bool
+	progress     string
 }

 func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
@@ -38,7 +41,7 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {

 	fileArgs := make([]string, len(in.files))
 	for i, f := range in.files {
-		dt, err := ioutil.ReadFile(f)
+		dt, err := os.ReadFile(f)
 		if err != nil {
 			return err
 		}
@@ -78,18 +81,21 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 	if len(repos) == 0 {
 		return errors.Errorf("no repositories specified, please set a reference in tag or source")
 	}
-	if len(repos) > 1 {
-		return errors.Errorf("multiple repositories currently not supported, found %v", repos)
-	}

-	var repo string
-	for r := range repos {
-		repo = r
+	var defaultRepo *string
+	if len(repos) == 1 {
+		for repo := range repos {
+			defaultRepo = &repo
+		}
 	}

 	for i, s := range srcs {
 		if s.Ref == nil && s.Desc.MediaType == "" && s.Desc.Digest != "" {
-			n, err := reference.ParseNormalizedNamed(repo)
+			if defaultRepo == nil {
+				return errors.Errorf("multiple repositories specified, cannot infer repository for %q", args[i])
+			}
+
+			n, err := reference.ParseNormalizedNamed(*defaultRepo)
 			if err != nil {
 				return err
 			}
@@ -143,7 +149,6 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 					if err != nil {
 						return err
 					}
-					srcs[i].Ref = nil
 					if srcs[i].Desc.Digest == "" {
 						srcs[i].Desc = desc
 					} else {
@@ -162,12 +167,7 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 		}
 	}

-	descs := make([]ocispec.Descriptor, len(srcs))
-	for i := range descs {
-		descs[i] = srcs[i].Desc
-	}
-
-	dt, desc, err := r.Combine(ctx, repo, descs)
+	dt, desc, err := r.Combine(ctx, srcs)
 	if err != nil {
 		return err
 	}
@@ -180,23 +180,49 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 	// new resolver cause need new auth
 	r = imagetools.New(imageopt)

+	ctx2, cancel := context.WithCancel(context.TODO())
+	defer cancel()
+	printer := progress.NewPrinter(ctx2, os.Stderr, os.Stderr, in.progress)
+
+	eg, _ := errgroup.WithContext(ctx)
+	pw := progress.WithPrefix(printer, "internal", true)
+
 	for _, t := range tags {
-		if err := r.Push(ctx, t, desc, dt); err != nil {
-			return err
-		}
-		fmt.Println(t.String())
+		t := t
+		eg.Go(func() error {
+			return progress.Wrap(fmt.Sprintf("pushing %s", t.String()), pw.Write, func(sub progress.SubLogger) error {
+				eg2, _ := errgroup.WithContext(ctx)
+				for _, s := range srcs {
+					if reference.Domain(s.Ref) == reference.Domain(t) && reference.Path(s.Ref) == reference.Path(t) {
+						continue
+					}
+					s := s
+					eg2.Go(func() error {
+						sub.Log(1, []byte(fmt.Sprintf("copying %s from %s to %s\n", s.Desc.Digest.String(), s.Ref.String(), t.String())))
+						return r.Copy(ctx, s, t)
+					})
+				}
+
+				if err := eg2.Wait(); err != nil {
+					return err
+				}
+				sub.Log(1, []byte(fmt.Sprintf("pushing %s to %s\n", desc.Digest.String(), t.String())))
+				return r.Push(ctx, t, desc, dt)
+			})
+		})
 	}

-	return nil
+	err = eg.Wait()
+	err1 := printer.Wait()
+	if err == nil {
+		err = err1
+	}
+
+	return err
 }

-type src struct {
-	Desc ocispec.Descriptor
-	Ref  reference.Named
-}
-
-func parseSources(in []string) ([]*src, error) {
-	out := make([]*src, len(in))
+func parseSources(in []string) ([]*imagetools.Source, error) {
+	out := make([]*imagetools.Source, len(in))
 	for i, in := range in {
 		s, err := parseSource(in)
 		if err != nil {
@@ -219,11 +245,11 @@ func parseRefs(in []string) ([]reference.Named, error) {
 	return refs, nil
 }

-func parseSource(in string) (*src, error) {
+func parseSource(in string) (*imagetools.Source, error) {
 	// source can be a digest, reference or a descriptor JSON
 	dgst, err := digest.Parse(in)
 	if err == nil {
-		return &src{
+		return &imagetools.Source{
 			Desc: ocispec.Descriptor{
 				Digest: dgst,
 			},
@@ -234,14 +260,14 @@ func parseSource(in string) (*src, error) {

 	ref, err := reference.ParseNormalizedNamed(in)
 	if err == nil {
-		return &src{
+		return &imagetools.Source{
 			Ref: ref,
 		}, nil
 	} else if !strings.HasPrefix(in, "{") {
 		return nil, err
 	}

-	var s src
+	var s imagetools.Source
 	if err := json.Unmarshal([]byte(in), &s.Desc); err != nil {
 		return nil, errors.WithStack(err)
 	}
@@ -255,7 +281,7 @@ func createCmd(dockerCli command.Cli, opts RootOptions) *cobra.Command {
 		Use:   "create [OPTIONS] [SOURCE] [SOURCE...]",
 		Short: "Create a new image based on source images",
 		RunE: func(cmd *cobra.Command, args []string) error {
-			options.builder = opts.Builder
+			options.builder = *opts.Builder
 			return runCreate(dockerCli, options, args)
 		},
 	}
@@ -265,6 +291,7 @@ func createCmd(dockerCli command.Cli, opts RootOptions) *cobra.Command {
 	flags.StringArrayVarP(&options.tags, "tag", "t", []string{}, "Set reference for new image")
 	flags.BoolVar(&options.dryrun, "dry-run", false, "Show final image instead of pushing")
 	flags.BoolVar(&options.actionAppend, "append", false, "Append to existing manifest")
+	flags.StringVar(&options.progress, "progress", "auto", `Set type of progress output ("auto", "plain", "tty"). Use plain to show container output`)

 	return cmd
 }
--- a/commands/imagetools/inspect.go
+++ b/commands/imagetools/inspect.go
@@ -66,7 +66,7 @@ func inspectCmd(dockerCli command.Cli, rootOpts RootOptions) *cobra.Command {
 		Short: "Show details of an image in the registry",
 		Args:  cli.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			options.builder = rootOpts.Builder
+			options.builder = *rootOpts.Builder
 			return runInspect(dockerCli, options, args[0])
 		},
 	}
--- a/commands/imagetools/root.go
+++ b/commands/imagetools/root.go
@@ -6,7 +6,7 @@ import (
 )

 type RootOptions struct {
-	Builder string
+	Builder *string
 }

 func RootCmd(dockerCli command.Cli, opts RootOptions) *cobra.Command {
--- a/commands/inspect.go
+++ b/commands/inspect.go
@@ -79,6 +79,7 @@ func runInspect(dockerCli command.Cli, in inspectOptions) error {
 	w := tabwriter.NewWriter(os.Stdout, 0, 0, 1, ' ', 0)
 	fmt.Fprintf(w, "Name:\t%s\n", ngi.ng.Name)
 	fmt.Fprintf(w, "Driver:\t%s\n", ngi.ng.Driver)
+
 	if err != nil {
 		fmt.Fprintf(w, "Error:\t%s\n", err.Error())
 	} else if ngi.err != nil {
@@ -94,6 +95,15 @@ func runInspect(dockerCli command.Cli, in inspectOptions) error {
 			}
 			fmt.Fprintf(w, "Name:\t%s\n", n.Name)
 			fmt.Fprintf(w, "Endpoint:\t%s\n", n.Endpoint)
+
+			var driverOpts []string
+			for k, v := range n.DriverOpts {
+				driverOpts = append(driverOpts, fmt.Sprintf("%s=%q", k, v))
+			}
+			if len(driverOpts) > 0 {
+				fmt.Fprintf(w, "Driver Options:\t%s\n", strings.Join(driverOpts, " "))
+			}
+
 			if err := ngi.drivers[i].di.Err; err != nil {
 				fmt.Fprintf(w, "Error:\t%s\n", err.Error())
 			} else if err := ngi.drivers[i].err; err != nil {
@@ -105,6 +115,9 @@ func runInspect(dockerCli command.Cli, in inspectOptions) error {
 				if len(n.Flags) > 0 {
 					fmt.Fprintf(w, "Flags:\t%s\n", strings.Join(n.Flags, " "))
 				}
+				if ngi.drivers[i].version != "" {
+					fmt.Fprintf(w, "Buildkit:\t%s\n", ngi.drivers[i].version)
+				}
 				fmt.Fprintf(w, "Platforms:\t%s\n", strings.Join(platformutil.FormatInGroups(n.Platforms, ngi.drivers[i].platforms), ", "))
 			}
 		}
--- a/commands/ls.go
+++ b/commands/ls.go
@@ -4,7 +4,7 @@ import (
 	"context"
 	"fmt"
 	"io"
-	"os"
+	"sort"
 	"strings"
 	"text/tabwriter"
 	"time"
@@ -45,23 +45,30 @@ func runLs(dockerCli command.Cli, in lsOptions) error {
 		builders[i] = &nginfo{ng: ng}
 	}

-	list, err := dockerCli.ContextStore().List()
+	contexts, err := dockerCli.ContextStore().List()
 	if err != nil {
 		return err
 	}
-	ctxbuilders := make([]*nginfo, len(list))
-	for i, l := range list {
-		ctxbuilders[i] = &nginfo{ng: &store.NodeGroup{
-			Name: l.Name,
+	sort.Slice(contexts, func(i, j int) bool {
+		return contexts[i].Name < contexts[j].Name
+	})
+	for _, c := range contexts {
+		ngi := &nginfo{ng: &store.NodeGroup{
+			Name: c.Name,
 			Nodes: []store.Node{{
-				Name:     l.Name,
-				Endpoint: l.Name,
+				Name:     c.Name,
+				Endpoint: c.Name,
 			}},
 		}}
+		// if a context has the same name as an instance from the store, do not
+		// add it to the builders list. An instance from the store takes
+		// precedence over context builders.
+		if hasNodeGroup(builders, ngi) {
+			continue
+		}
+		builders = append(builders, ngi)
 	}

-	builders = append(builders, ctxbuilders...)
-
 	eg, _ := errgroup.WithContext(ctx)

 	for _, b := range builders {
@@ -92,49 +99,72 @@ func runLs(dockerCli command.Cli, in lsOptions) error {
 		}
 	}

-	w := tabwriter.NewWriter(os.Stdout, 0, 0, 1, ' ', 0)
-	fmt.Fprintf(w, "NAME/NODE\tDRIVER/ENDPOINT\tSTATUS\tPLATFORMS\n")
+	w := tabwriter.NewWriter(dockerCli.Out(), 0, 0, 1, ' ', 0)
+	fmt.Fprintf(w, "NAME/NODE\tDRIVER/ENDPOINT\tSTATUS\tBUILDKIT\tPLATFORMS\n")

 	currentSet := false
+	printErr := false
 	for _, b := range builders {
 		if !currentSet && b.ng.Name == currentName {
 			b.ng.Name += " *"
 			currentSet = true
 		}
-		printngi(w, b)
+		if ok := printngi(w, b); !ok {
+			printErr = true
+		}
 	}

 	w.Flush()

+	if printErr {
+		_, _ = fmt.Fprintf(dockerCli.Err(), "\n")
+		for _, b := range builders {
+			if b.err != nil {
+				_, _ = fmt.Fprintf(dockerCli.Err(), "Cannot load builder %s: %s\n", b.ng.Name, strings.TrimSpace(b.err.Error()))
+			} else {
+				for idx, n := range b.ng.Nodes {
+					d := b.drivers[idx]
+					var nodeErr string
+					if d.err != nil {
+						nodeErr = d.err.Error()
+					} else if d.di.Err != nil {
+						nodeErr = d.di.Err.Error()
+					}
+					if nodeErr != "" {
+						_, _ = fmt.Fprintf(dockerCli.Err(), "Failed to get status for %s (%s): %s\n", b.ng.Name, n.Name, strings.TrimSpace(nodeErr))
+					}
+				}
+			}
+		}
+	}
+
 	return nil
 }

-func printngi(w io.Writer, ngi *nginfo) {
+func printngi(w io.Writer, ngi *nginfo) (ok bool) {
+	ok = true
 	var err string
 	if ngi.err != nil {
-		err = ngi.err.Error()
+		ok = false
+		err = "error"
 	}
-	fmt.Fprintf(w, "%s\t%s\t%s\t\n", ngi.ng.Name, ngi.ng.Driver, err)
+	fmt.Fprintf(w, "%s\t%s\t%s\t\t\n", ngi.ng.Name, ngi.ng.Driver, err)
 	if ngi.err == nil {
 		for idx, n := range ngi.ng.Nodes {
 			d := ngi.drivers[idx]
-			var err string
-			if d.err != nil {
-				err = d.err.Error()
-			} else if d.di.Err != nil {
-				err = d.di.Err.Error()
-			}
 			var status string
 			if d.info != nil {
 				status = d.info.Status.String()
 			}
-			if err != "" {
-				fmt.Fprintf(w, "  %s\t%s\t%s\n", n.Name, n.Endpoint, err)
+			if d.err != nil || d.di.Err != nil {
+				ok = false
+				fmt.Fprintf(w, "  %s\t%s\t%s\t\t\n", n.Name, n.Endpoint, "error")
 			} else {
-				fmt.Fprintf(w, "  %s\t%s\t%s\t%s\n", n.Name, n.Endpoint, status, strings.Join(platformutil.FormatInGroups(n.Platforms, d.platforms), ", "))
+				fmt.Fprintf(w, "  %s\t%s\t%s\t%s\t%s\n", n.Name, n.Endpoint, status, d.version, strings.Join(platformutil.FormatInGroups(n.Platforms, d.platforms), ", "))
 			}
 		}
 	}
+	return
 }

 func lsCmd(dockerCli command.Cli) *cobra.Command {
--- a/commands/print.go
+++ b/commands/print.go
@@ -0,0 +1,48 @@
+package commands
+
+import (
+	"fmt"
+	"io"
+	"log"
+	"os"
+
+	"github.com/docker/buildx/build"
+	"github.com/docker/docker/api/types/versions"
+	"github.com/moby/buildkit/frontend/subrequests"
+	"github.com/moby/buildkit/frontend/subrequests/outline"
+	"github.com/moby/buildkit/frontend/subrequests/targets"
+)
+
+func printResult(f *build.PrintFunc, res map[string]string) error {
+	switch f.Name {
+	case "outline":
+		return printValue(outline.PrintOutline, outline.SubrequestsOutlineDefinition.Version, f.Format, res)
+	case "targets":
+		return printValue(targets.PrintTargets, targets.SubrequestsTargetsDefinition.Version, f.Format, res)
+	case "subrequests.describe":
+		return printValue(subrequests.PrintDescribe, subrequests.SubrequestsDescribeDefinition.Version, f.Format, res)
+	default:
+		if dt, ok := res["result.txt"]; ok {
+			fmt.Print(dt)
+		} else {
+			log.Printf("%s %+v", f, res)
+		}
+	}
+	return nil
+}
+
+type printFunc func([]byte, io.Writer) error
+
+func printValue(printer printFunc, version string, format string, res map[string]string) error {
+	if format == "json" {
+		fmt.Fprintln(os.Stdout, res["result.json"])
+		return nil
+	}
+
+	if res["version"] != "" && versions.LessThan(version, res["version"]) && res["result.txt"] != "" {
+		// structure is too new and we don't know how to print it
+		fmt.Fprint(os.Stdout, res["result.txt"])
+		return nil
+	}
+	return printer([]byte(res["result.json"]), os.Stdout)
+}
--- a/commands/prune.go
+++ b/commands/prune.go
@@ -138,7 +138,7 @@ func pruneCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
 	}

 	flags := cmd.Flags()
-	flags.BoolVarP(&options.all, "all", "a", false, "Remove all unused images, not just dangling ones")
+	flags.BoolVarP(&options.all, "all", "a", false, "Include internal/frontend images")
 	flags.Var(&options.filter, "filter", `Provide filter values (e.g., "until=24h")`)
 	flags.Var(&options.keepStorage, "keep-storage", "Amount of disk space to keep for cache")
 	flags.BoolVar(&options.verbose, "verbose", false, "Provide a more verbose output")
@@ -155,9 +155,9 @@ func toBuildkitPruneInfo(f filters.Args) (*client.PruneInfo, error) {
 	if len(untilValues) > 0 && len(unusedForValues) > 0 {
 		return nil, errors.Errorf("conflicting filters %q and %q", "until", "unused-for")
 	}
-	filterKey := "until"
+	untilKey := "until"
 	if len(unusedForValues) > 0 {
-		filterKey = "unused-for"
+		untilKey = "unused-for"
 	}
 	untilValues = append(untilValues, unusedForValues...)

@@ -168,23 +168,27 @@ func toBuildkitPruneInfo(f filters.Args) (*client.PruneInfo, error) {
 		var err error
 		until, err = time.ParseDuration(untilValues[0])
 		if err != nil {
-			return nil, errors.Wrapf(err, "%q filter expects a duration (e.g., '24h')", filterKey)
+			return nil, errors.Wrapf(err, "%q filter expects a duration (e.g., '24h')", untilKey)
 		}
 	default:
 		return nil, errors.Errorf("filters expect only one value")
 	}

-	bkFilter := make([]string, 0, f.Len())
-	for _, field := range f.Keys() {
-		values := f.Get(field)
+	filters := make([]string, 0, f.Len())
+	for _, filterKey := range f.Keys() {
+		if filterKey == untilKey {
+			continue
+		}
+
+		values := f.Get(filterKey)
 		switch len(values) {
 		case 0:
-			bkFilter = append(bkFilter, field)
+			filters = append(filters, filterKey)
 		case 1:
-			if field == "id" {
-				bkFilter = append(bkFilter, field+"~="+values[0])
+			if filterKey == "id" {
+				filters = append(filters, filterKey+"~="+values[0])
 			} else {
-				bkFilter = append(bkFilter, field+"=="+values[0])
+				filters = append(filters, filterKey+"=="+values[0])
 			}
 		default:
 			return nil, errors.Errorf("filters expect only one value")
@@ -192,6 +196,6 @@ func toBuildkitPruneInfo(f filters.Args) (*client.PruneInfo, error) {
 	}
 	return &client.PruneInfo{
 		KeepDuration: until,
-		Filter:       []string{strings.Join(bkFilter, ",")},
+		Filter:       []string{strings.Join(filters, ",")},
 	}, nil
 }
--- a/commands/rm.go
+++ b/commands/rm.go
@@ -2,6 +2,7 @@ package commands

 import (
 	"context"
+	"fmt"
 	"time"

 	"github.com/docker/buildx/store"
@@ -43,30 +44,41 @@ func runRm(dockerCli command.Cli, in rmOptions) error {
 		return rmAllInactive(ctx, txn, dockerCli, in)
 	}

+	var ng *store.NodeGroup
 	if in.builder != "" {
-		ng, err := storeutil.GetNodeGroup(txn, dockerCli, in.builder)
+		ng, err = storeutil.GetNodeGroup(txn, dockerCli, in.builder)
 		if err != nil {
 			return err
 		}
-		err1 := rm(ctx, dockerCli, in, ng)
-		if err := txn.Remove(ng.Name); err != nil {
+	} else {
+		ng, err = storeutil.GetCurrentInstance(txn, dockerCli)
+		if err != nil {
 			return err
 		}
-		return err1
+	}
+	if ng == nil {
+		return nil
 	}

-	ng, err := storeutil.GetCurrentInstance(txn, dockerCli)
+	ctxbuilders, err := dockerCli.ContextStore().List()
 	if err != nil {
 		return err
 	}
-	if ng != nil {
-		err1 := rm(ctx, dockerCli, in, ng)
-		if err := txn.Remove(ng.Name); err != nil {
-			return err
+	for _, cb := range ctxbuilders {
+		if ng.Driver == "docker" && len(ng.Nodes) == 1 && ng.Nodes[0].Endpoint == cb.Name {
+			return errors.Errorf("context builder cannot be removed, run `docker context rm %s` to remove this context", cb.Name)
 		}
+	}
+
+	err1 := rm(ctx, dockerCli, in, ng)
+	if err := txn.Remove(ng.Name); err != nil {
+		return err
+	}
+	if err1 != nil {
 		return err1
 	}

+	_, _ = fmt.Fprintf(dockerCli.Err(), "%s removed\n", ng.Name)
 	return nil
 }

@@ -152,6 +164,7 @@ func rmAllInactive(ctx context.Context, txn *store.Txn, dockerCli command.Cli, i
 					if err := txn.Remove(b.ng.Name); err != nil {
 						return err
 					}
+					_, _ = fmt.Fprintf(dockerCli.Err(), "%s removed\n", b.ng.Name)
 					return rmerr
 				}
 				return nil
--- a/commands/root.go
+++ b/commands/root.go
@@ -6,6 +6,7 @@ import (
 	imagetoolscmd "github.com/docker/buildx/commands/imagetools"
 	"github.com/docker/buildx/util/logutil"
 	"github.com/docker/cli-docs-tool/annotation"
+	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli-plugins/plugin"
 	"github.com/docker/cli/cli/command"
 	"github.com/sirupsen/logrus"
@@ -26,6 +27,14 @@ func NewRootCmd(name string, isPlugin bool, dockerCli command.Cli) *cobra.Comman
 		cmd.PersistentPreRunE = func(cmd *cobra.Command, args []string) error {
 			return plugin.PersistentPreRunE(cmd, args)
 		}
+	} else {
+		// match plugin behavior for standalone mode
+		// https://github.com/docker/cli/blob/6c9eb708fa6d17765d71965f90e1c59cea686ee9/cli-plugins/plugin/plugin.go#L117-L127
+		cmd.SilenceUsage = true
+		cmd.SilenceErrors = true
+		cmd.TraverseChildren = true
+		cmd.DisableFlagsInUseLine = true
+		cli.DisableFlagsInUseLine(cmd)
 	}

 	logrus.SetFormatter(&logutil.Formatter{})
@@ -46,6 +55,7 @@ func NewRootCmd(name string, isPlugin bool, dockerCli command.Cli) *cobra.Comman
 		logrus.WarnLevel,
 	},
 		"commandConn.CloseWrite:",
+		"commandConn.CloseRead:",
 	))

 	addCommands(cmd, dockerCli)
@@ -74,7 +84,7 @@ func addCommands(cmd *cobra.Command, dockerCli command.Cli) {
 		versionCmd(dockerCli),
 		pruneCmd(dockerCli, opts),
 		duCmd(dockerCli, opts),
-		imagetoolscmd.RootCmd(dockerCli, imagetoolscmd.RootOptions{Builder: opts.builder}),
+		imagetoolscmd.RootCmd(dockerCli, imagetoolscmd.RootOptions{Builder: &opts.builder}),
 	)
 }

--- a/commands/util.go
+++ b/commands/util.go
@@ -9,6 +9,7 @@ import (
 	"github.com/docker/buildx/build"
 	"github.com/docker/buildx/driver"
 	ctxkube "github.com/docker/buildx/driver/kubernetes/context"
+	remoteutil "github.com/docker/buildx/driver/remote/util"
 	"github.com/docker/buildx/store"
 	"github.com/docker/buildx/store/storeutil"
 	"github.com/docker/buildx/util/platformutil"
@@ -18,10 +19,12 @@ import (
 	ctxstore "github.com/docker/cli/cli/context/store"
 	dopts "github.com/docker/cli/opts"
 	dockerclient "github.com/docker/docker/client"
+	"github.com/moby/buildkit/util/grpcerrors"
 	specs "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/sync/errgroup"
+	"google.golang.org/grpc/codes"
 	"k8s.io/client-go/tools/clientcmd"
 )

@@ -41,6 +44,14 @@ func validateEndpoint(dockerCli command.Cli, ep string) (string, error) {
 	return h, nil
 }

+// validateBuildkitEndpoint validates that endpoint is a valid buildkit host
+func validateBuildkitEndpoint(ep string) (string, error) {
+	if err := remoteutil.IsValidEndpoint(ep); err != nil {
+		return "", err
+	}
+	return ep, nil
+}
+
 // driversForNodeGroup returns drivers for a nodegroup instance
 func driversForNodeGroup(ctx context.Context, dockerCli command.Cli, ng *store.NodeGroup, contextPathHash string) ([]build.DriverInfo, error) {
 	eg, _ := errgroup.WithContext(ctx)
@@ -49,16 +60,27 @@ func driversForNodeGroup(ctx context.Context, dockerCli command.Cli, ng *store.N

 	var f driver.Factory
 	if ng.Driver != "" {
-		f = driver.GetFactory(ng.Driver, true)
-		if f == nil {
-			return nil, errors.Errorf("failed to find driver %q", f)
-		}
-	} else {
-		dockerapi, err := clientForEndpoint(dockerCli, ng.Nodes[0].Endpoint)
+		var err error
+		f, err = driver.GetFactory(ng.Driver, true)
 		if err != nil {
 			return nil, err
 		}
-		f, err = driver.GetDefaultFactory(ctx, dockerapi, false)
+	} else {
+		// empty driver means nodegroup was implicitly created as a default
+		// driver for a docker context and allows falling back to a
+		// docker-container driver for older daemon that doesn't support
+		// buildkit (< 18.06).
+		ep := ng.Nodes[0].Endpoint
+		dockerapi, err := clientForEndpoint(dockerCli, ep)
+		if err != nil {
+			return nil, err
+		}
+		// check if endpoint is healthy is needed to determine the driver type.
+		// if this fails then can't continue with driver selection.
+		if _, err = dockerapi.Ping(ctx); err != nil {
+			return nil, err
+		}
+		f, err = driver.GetDefaultFactory(ctx, ep, dockerapi, false)
 		if err != nil {
 			return nil, err
 		}
@@ -80,6 +102,7 @@ func driversForNodeGroup(ctx context.Context, dockerCli command.Cli, ng *store.N
 				defer func() {
 					dis[i] = di
 				}()
+
 				dockerapi, err := clientForEndpoint(dockerCli, n.Endpoint)
 				if err != nil {
 					di.Err = err
@@ -118,7 +141,7 @@ func driversForNodeGroup(ctx context.Context, dockerCli command.Cli, ng *store.N
 					}
 				}

-				d, err := driver.GetDriver(ctx, "buildx_buildkit_"+n.Name, f, dockerapi, imageopt.Auth, kcc, n.Flags, n.Files, n.DriverOpts, n.Platforms, contextPathHash)
+				d, err := driver.GetDriver(ctx, "buildx_buildkit_"+n.Name, f, n.Endpoint, dockerapi, imageopt.Auth, kcc, n.Flags, n.Files, n.DriverOpts, n.Platforms, contextPathHash)
 				if err != nil {
 					di.Err = err
 					return nil
@@ -259,7 +282,7 @@ func getDefaultDrivers(ctx context.Context, dockerCli command.Cli, defaultOnly b
 		return nil, err
 	}

-	d, err := driver.GetDriver(ctx, "buildx_buildkit_default", nil, dockerCli.Client(), imageopt.Auth, nil, nil, nil, nil, nil, contextPathHash)
+	d, err := driver.GetDriver(ctx, "buildx_buildkit_default", nil, "", dockerCli.Client(), imageopt.Auth, nil, nil, nil, nil, nil, contextPathHash)
 	if err != nil {
 		return nil, err
 	}
@@ -295,6 +318,17 @@ func loadInfoData(ctx context.Context, d *dinfo) error {
 			d.platforms = append(d.platforms, w.Platforms...)
 		}
 		d.platforms = platformutil.Dedupe(d.platforms)
+		inf, err := c.Info(ctx)
+		if err != nil {
+			if st, ok := grpcerrors.AsGRPCStatus(err); ok && st.Code() == codes.Unimplemented {
+				d.version, err = d.di.Driver.Version(ctx)
+				if err != nil {
+					return errors.Wrap(err, "getting version")
+				}
+			}
+		} else {
+			d.version = inf.BuildkitVersion.Version
+		}
 	}
 	return nil
 }
@@ -363,6 +397,15 @@ func loadNodeGroupData(ctx context.Context, dockerCli command.Cli, ngi *nginfo)
 	return nil
 }

+func hasNodeGroup(list []*nginfo, ngi *nginfo) bool {
+	for _, l := range list {
+		if ngi.ng.Name == l.ng.Name {
+			return true
+		}
+	}
+	return false
+}
+
 func dockerAPI(dockerCli command.Cli) *api {
 	return &api{dockerCli: dockerCli}
 }
@@ -382,6 +425,7 @@ type dinfo struct {
 	di        *build.DriverInfo
 	info      *driver.Info
 	platforms []specs.Platform
+	version   string
 	err       error
 }

--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -1,5 +1,5 @@
 variable "GO_VERSION" {
-  default = "1.17"
+  default = "1.18"
 }
 variable "BIN_OUT" {
  default = "./bin"
@@ -20,6 +20,7 @@ target "_common" {
  args = {
    GO_VERSION = GO_VERSION
    BUILDKIT_CONTEXT_KEEP_GIT_DIR = 1
+    BUILDX_EXPERIMENTAL = 1
  }
 }

@@ -89,11 +90,7 @@ target "mod-outdated" {
  inherits = ["_common"]
  dockerfile = "./hack/dockerfiles/vendor.Dockerfile"
  target = "outdated"
-  args = {
-    // used to invalidate cache for outdated run stage
-    // can be dropped when https://github.com/moby/buildkit/issues/1213 fixed
-    _RANDOM = uuidv4()
-  }
+  no-cache-filter = ["outdated"]
  output = ["type=cacheonly"]
 }

--- a/docs/generate.go
+++ b/docs/generate.go
@@ -16,6 +16,7 @@ import (
 	_ "github.com/docker/buildx/driver/docker"
 	_ "github.com/docker/buildx/driver/docker-container"
 	_ "github.com/docker/buildx/driver/kubernetes"
+	_ "github.com/docker/buildx/driver/remote"
 )

 const defaultSourcePath = "docs/reference/"
--- a/docs/guides/bake/build-contexts.md
+++ b/docs/guides/bake/build-contexts.md
@@ -0,0 +1,74 @@
+# Defining additional build contexts and linking targets
+
+In addition to the main `context` key that defines the build context each target
+can also define additional named contexts with a map defined with key `contexts`.
+These values map to the `--build-context` flag in the [build command](https://docs.docker.com/engine/reference/commandline/buildx_build/#build-context).
+
+Inside the Dockerfile these contexts can be used with the `FROM` instruction or `--from` flag.
+
+The value can be a local source directory, container image (with `docker-image://` prefix),
+Git URL, HTTP URL or a name of another target in the Bake file (with `target:` prefix).
+
+## Pinning alpine image
+
+```dockerfile
+# syntax=docker/dockerfile:1
+FROM alpine
+RUN echo "Hello world"
+```
+
+```hcl
+# docker-bake.hcl
+target "app" {
+  contexts = {
+    alpine = "docker-image://alpine:3.13"
+  }
+}
+```
+
+## Using a secondary source directory
+
+```dockerfile
+# syntax=docker/dockerfile:1
+FROM scratch AS src
+
+FROM golang
+COPY --from=src . .
+```
+
+```hcl
+# docker-bake.hcl
+target "app" {
+  contexts = {
+    src = "../path/to/source"
+  }
+}
+```
+
+## Using a result of one target as a base image in another target
+
+To use a result of one target as a build context of another, specity the target
+name with `target:` prefix.
+
+```dockerfile
+# syntax=docker/dockerfile:1
+FROM baseapp
+RUN echo "Hello world"
+```
+
+```hcl
+# docker-bake.hcl
+target "base" {
+  dockerfile = "baseapp.Dockerfile"
+}
+
+target "app" {
+  contexts = {
+    baseapp = "target:base"
+  }
+}
+```
+
+Please note that in most cases you should just use a single multi-stage
+Dockerfile with multiple targets for similar behavior. This case is recommended
+when you have multiple Dockerfiles that can't be easily merged into one.
--- a/docs/guides/bake/compose-file.md
+++ b/docs/guides/bake/compose-file.md
@@ -0,0 +1,270 @@
+# Building from Compose file
+
+## Specification
+
+Bake uses the [compose-spec](https://docs.docker.com/compose/compose-file/) to
+parse a compose file and translate each service to a [target](file-definition.md#target).
+
+```yaml
+# docker-compose.yml
+services:
+  webapp-dev: 
+    build: &build-dev
+      dockerfile: Dockerfile.webapp
+      tags:
+        - docker.io/username/webapp:latest
+      cache_from:
+        - docker.io/username/webapp:cache
+      cache_to:
+        - docker.io/username/webapp:cache
+
+  webapp-release:
+    build:
+      <<: *build-dev
+      x-bake:
+        platforms:
+          - linux/amd64
+          - linux/arm64
+
+  db:
+    image: docker.io/username/db
+    build:
+      dockerfile: Dockerfile.db
+```
+
+```console
+$ docker buildx bake --print
+```
+```json
+{
+  "group": {
+    "default": {
+      "targets": [
+        "db",
+        "webapp-dev",
+        "webapp-release"
+      ]
+    }
+  },
+  "target": {
+    "db": {
+      "context": ".",
+      "dockerfile": "Dockerfile.db",
+      "tags": [
+        "docker.io/username/db"
+      ]
+    },
+    "webapp-dev": {
+      "context": ".",
+      "dockerfile": "Dockerfile.webapp",
+      "tags": [
+        "docker.io/username/webapp:latest"
+      ],
+      "cache-from": [
+        "docker.io/username/webapp:cache"
+      ],
+      "cache-to": [
+        "docker.io/username/webapp:cache"
+      ]
+    },
+    "webapp-release": {
+      "context": ".",
+      "dockerfile": "Dockerfile.webapp",
+      "tags": [
+        "docker.io/username/webapp:latest"
+      ],
+      "cache-from": [
+        "docker.io/username/webapp:cache"
+      ],
+      "cache-to": [
+        "docker.io/username/webapp:cache"
+      ],
+      "platforms": [
+        "linux/amd64",
+        "linux/arm64"
+      ]
+    }
+  }
+}
+```
+
+Unlike the [HCL format](file-definition.md#hcl-definition), there are some
+limitations with the compose format:
+
+* Specifying variables or global scope attributes is not yet supported
+* `inherits` service field is not supported, but you can use [YAML anchors](https://docs.docker.com/compose/compose-file/#fragments) to reference other services like the example above
+
+## `.env` file
+
+You can declare default environment variables in an environment file named
+`.env`. This file will be loaded from the current working directory,
+where the command is executed and applied to compose definitions passed
+with `-f`.
+
+```yaml
+# docker-compose.yml
+services:
+  webapp:
+    image: docker.io/username/webapp:${TAG:-v1.0.0}
+    build:
+      dockerfile: Dockerfile
+```
+
+```
+# .env
+TAG=v1.1.0
+```
+
+```console
+$ docker buildx bake --print
+```
+```json
+{
+  "group": {
+    "default": {
+      "targets": [
+        "webapp"
+      ]
+    }
+  },
+  "target": {
+    "webapp": {
+      "context": ".",
+      "dockerfile": "Dockerfile",
+      "tags": [
+        "docker.io/username/webapp:v1.1.0"
+      ]
+    }
+  }
+}
+```
+
+> **Note**
+>
+> System environment variables take precedence over environment variables
+> in `.env` file.
+
+## Extension field with `x-bake`
+
+Even if some fields are not (yet) available in the compose specification, you
+can use the [special extension](https://docs.docker.com/compose/compose-file/#extension)
+field `x-bake` in your compose file to evaluate extra fields:
+
+```yaml
+# docker-compose.yml
+services:
+  addon:
+    image: ct-addon:bar
+    build:
+      context: .
+      dockerfile: ./Dockerfile
+      args:
+        CT_ECR: foo
+        CT_TAG: bar
+      x-bake:
+        tags:
+          - ct-addon:foo
+          - ct-addon:alp
+        platforms:
+          - linux/amd64
+          - linux/arm64
+        cache-from:
+          - user/app:cache
+          - type=local,src=path/to/cache
+        cache-to:
+          - type=local,dest=path/to/cache
+        pull: true
+
+  aws:
+    image: ct-fake-aws:bar
+    build:
+      dockerfile: ./aws.Dockerfile
+      args:
+        CT_ECR: foo
+        CT_TAG: bar
+      x-bake:
+        secret:
+          - id=mysecret,src=./secret
+          - id=mysecret2,src=./secret2
+        platforms: linux/arm64
+        output: type=docker
+        no-cache: true
+```
+
+```console
+$ docker buildx bake --print
+```
+```json
+{
+  "group": {
+    "default": {
+      "targets": [
+        "aws",
+        "addon"
+      ]
+    }
+  },
+  "target": {
+    "addon": {
+      "context": ".",
+      "dockerfile": "./Dockerfile",
+      "args": {
+        "CT_ECR": "foo",
+        "CT_TAG": "bar"
+      },
+      "tags": [
+        "ct-addon:foo",
+        "ct-addon:alp"
+      ],
+      "cache-from": [
+        "user/app:cache",
+        "type=local,src=path/to/cache"
+      ],
+      "cache-to": [
+        "type=local,dest=path/to/cache"
+      ],
+      "platforms": [
+        "linux/amd64",
+        "linux/arm64"
+      ],
+      "pull": true
+    },
+    "aws": {
+      "context": ".",
+      "dockerfile": "./aws.Dockerfile",
+      "args": {
+        "CT_ECR": "foo",
+        "CT_TAG": "bar"
+      },
+      "tags": [
+        "ct-fake-aws:bar"
+      ],
+      "secret": [
+        "id=mysecret,src=./secret",
+        "id=mysecret2,src=./secret2"
+      ],
+      "platforms": [
+        "linux/arm64"
+      ],
+      "output": [
+        "type=docker"
+      ],
+      "no-cache": true
+    }
+  }
+}
+```
+
+Complete list of valid fields for `x-bake`:
+
+* `cache-from`
+* `cache-to`
+* `contexts`
+* `no-cache`
+* `no-cache-filter`
+* `output`
+* `platforms`
+* `pull`
+* `secret`
+* `ssh`
+* `tags`
--- a/docs/guides/bake/configuring-build.md
+++ b/docs/guides/bake/configuring-build.md
@@ -0,0 +1,216 @@
+# Configuring builds
+
+Bake supports loading build definition from files, but sometimes you need even
+more flexibility to configure this definition.
+
+For this use case, you can define variables inside the bake files that can be
+set by the user with environment variables or by [attribute definitions](#global-scope-attributes)
+in other bake files. If you wish to change a specific value for a single
+invocation you can use the `--set` flag [from the command line](#from-command-line).
+
+## Global scope attributes
+
+You can define global scope attributes in HCL/JSON and use them for code reuse
+and setting values for variables. This means you can do a "data-only" HCL file
+with the values you want to set/override and use it in the list of regular
+output files.
+
+```hcl
+# docker-bake.hcl
+variable "FOO" {
+  default = "abc"
+}
+
+target "app" {
+  args = {
+    v1 = "pre-${FOO}"
+  }
+}
+```
+
+You can use this file directly:
+
+```console
+$ docker buildx bake --print app
+```
+```json
+{
+  "group": {
+    "default": {
+      "targets": [
+        "app"
+      ]
+    }
+  },
+  "target": {
+    "app": {
+      "context": ".",
+      "dockerfile": "Dockerfile",
+      "args": {
+        "v1": "pre-abc"
+      }
+    }
+  }
+}
+```
+
+Or create an override configuration file:
+
+```hcl
+# env.hcl
+WHOAMI="myuser"
+FOO="def-${WHOAMI}"
+```
+
+And invoke bake together with both of the files:
+
+```console
+$ docker buildx bake -f docker-bake.hcl -f env.hcl --print app
+```
+```json
+{
+  "group": {
+    "default": {
+      "targets": [
+        "app"
+      ]
+    }
+  },
+  "target": {
+    "app": {
+      "context": ".",
+      "dockerfile": "Dockerfile",
+      "args": {
+        "v1": "pre-def-myuser"
+      }
+    }
+  }
+}
+```
+
+## From command line
+
+You can also override target configurations from the command line with the
+[`--set` flag](https://docs.docker.com/engine/reference/commandline/buildx_bake/#set):
+
+```hcl
+# docker-bake.hcl
+target "app" {
+  args = {
+    mybuildarg = "foo"
+  }
+}
+```
+
+```console
+$ docker buildx bake --set app.args.mybuildarg=bar --set app.platform=linux/arm64 app --print
+```
+```json
+{
+  "group": {
+    "default": {
+      "targets": [
+        "app"
+      ]
+    }
+  },
+  "target": {
+    "app": {
+      "context": ".",
+      "dockerfile": "Dockerfile",
+      "args": {
+        "mybuildarg": "bar"
+      },
+      "platforms": [
+        "linux/arm64"
+      ]
+    }
+  }
+}
+```
+
+Pattern matching syntax defined in [https://golang.org/pkg/path/#Match](https://golang.org/pkg/path/#Match)
+is also supported:
+
+```console
+$ docker buildx bake --set foo*.args.mybuildarg=value  # overrides build arg for all targets starting with "foo"
+$ docker buildx bake --set *.platform=linux/arm64      # overrides platform for all targets
+$ docker buildx bake --set foo*.no-cache               # bypass caching only for targets starting with "foo"
+```
+
+Complete list of overridable fields:
+
+* `args`
+* `cache-from`
+* `cache-to`
+* `context`
+* `dockerfile`
+* `labels`
+* `no-cache`
+* `output`
+* `platform`
+* `pull`
+* `secrets`
+* `ssh`
+* `tags`
+* `target`
+
+## Using variables in variables across files
+
+When multiple files are specified, one file can use variables defined in
+another file.
+
+```hcl
+# docker-bake1.hcl
+variable "FOO" {
+  default = upper("${BASE}def")
+}
+
+variable "BAR" {
+  default = "-${FOO}-"
+}
+
+target "app" {
+  args = {
+    v1 = "pre-${BAR}"
+  }
+}
+```
+
+```hcl
+# docker-bake2.hcl
+variable "BASE" {
+  default = "abc"
+}
+
+target "app" {
+  args = {
+    v2 = "${FOO}-post"
+  }
+}
+```
+
+```console
+$ docker buildx bake -f docker-bake1.hcl -f docker-bake2.hcl --print app
+```
+```json
+{
+  "group": {
+    "default": {
+      "targets": [
+        "app"
+      ]
+    }
+  },
+  "target": {
+    "app": {
+      "context": ".",
+      "dockerfile": "Dockerfile",
+      "args": {
+        "v1": "pre--ABCDEF-",
+        "v2": "ABCDEF-post"
+      }
+    }
+  }
+}
+```
--- a/docs/guides/bake/file-definition.md
+++ b/docs/guides/bake/file-definition.md
@@ -0,0 +1,440 @@
+# Bake file definition
+
+`buildx bake` supports HCL, JSON and Compose file format for defining build
+[groups](#group), [targets](#target) as well as [variables](#variable) and
+[functions](#functions). It looks for build definition files in the current
+directory in the following order:
+
+* `docker-compose.yml`
+* `docker-compose.yaml`
+* `docker-bake.json`
+* `docker-bake.override.json`
+* `docker-bake.hcl`
+* `docker-bake.override.hcl`
+
+## Specification
+
+Inside a bake file you can declare group, target and variable blocks to define
+project specific reusable build flows.
+
+### Target
+
+A target reflects a single docker build invocation with the same options that
+you would specify for `docker build`:
+
+```hcl
+# docker-bake.hcl
+target "webapp-dev" {
+  dockerfile = "Dockerfile.webapp"
+  tags = ["docker.io/username/webapp:latest"]
+}
+```
+```console
+$ docker buildx bake webapp-dev
+```
+
+> **Note**
+>
+> In the case of compose files, each service corresponds to a target.
+> If compose service name contains a dot it will be replaced with an underscore.
+
+Complete list of valid target fields available for [HCL](#hcl-definition) and
+[JSON](#json-definition) definitions:
+
+| Name                | Type   | Description                                                                                                                                     |
+|---------------------|--------|-------------------------------------------------------------------------------------------------------------------------------------------------|
+| `inherits`          | List   | [Inherit build options](#merging-and-inheritance) from other targets                                                                            |
+| `args`              | Map    | Set build-time variables (same as [`--build-arg` flag](https://docs.docker.com/engine/reference/commandline/buildx_build/))                     |
+| `cache-from`        | List   | External cache sources (same as [`--cache-from` flag](https://docs.docker.com/engine/reference/commandline/buildx_build/))                      |
+| `cache-to`          | List   | Cache export destinations (same as [`--cache-to` flag](https://docs.docker.com/engine/reference/commandline/buildx_build/))                     |
+| `context`           | String | Set of files located in the specified path or URL                                                                                               |
+| `contexts`          | Map    | Additional build contexts (same as [`--build-context` flag](https://docs.docker.com/engine/reference/commandline/buildx_build/))                |
+| `dockerfile`        | String | Name of the Dockerfile (same as [`--file` flag](https://docs.docker.com/engine/reference/commandline/buildx_build/))                            |
+| `dockerfile-inline` | String | Inline Dockerfile content                                                                                                                       |
+| `labels`            | Map    | Set metadata for an image (same as [`--label` flag](https://docs.docker.com/engine/reference/commandline/buildx_build/))                        |
+| `no-cache`          | Bool   | Do not use cache when building the image (same as [`--no-cache` flag](https://docs.docker.com/engine/reference/commandline/buildx_build/))      |
+| `no-cache-filter`   | List   | Do not cache specified stages (same as [`--no-cache-filter` flag](https://docs.docker.com/engine/reference/commandline/buildx_build/))          |
+| `output`            | List   | Output destination (same as [`--output` flag](https://docs.docker.com/engine/reference/commandline/buildx_build/))                              |
+| `platforms`         | List   | Set target platforms for build (same as [`--platform` flag](https://docs.docker.com/engine/reference/commandline/buildx_build/))                |
+| `pull`              | Bool   | Always attempt to pull all referenced images (same as [`--pull` flag](https://docs.docker.com/engine/reference/commandline/buildx_build/))      |
+| `secret`            | List   | Secret to expose to the build (same as [`--secret` flag](https://docs.docker.com/engine/reference/commandline/buildx_build/))                   |
+| `ssh`               | List   | SSH agent socket or keys to expose to the build (same as [`--ssh` flag](https://docs.docker.com/engine/reference/commandline/buildx_build/))    |
+| `tags`              | List   | Name and optionally a tag in the format `name:tag` (same as [`--tag` flag](https://docs.docker.com/engine/reference/commandline/buildx_build/)) |
+| `target`            | String | Set the target build stage to build (same as [`--target` flag](https://docs.docker.com/engine/reference/commandline/buildx_build/))             |
+
+### Group
+
+A group is a grouping of targets:
+
+```hcl
+# docker-bake.hcl
+group "build" {
+  targets = ["db", "webapp-dev"]
+}
+
+target "webapp-dev" {
+  dockerfile = "Dockerfile.webapp"
+  tags = ["docker.io/username/webapp:latest"]
+}
+
+target "db" {
+  dockerfile = "Dockerfile.db"
+  tags = ["docker.io/username/db"]
+}
+```
+```console
+$ docker buildx bake build
+```
+
+### Variable
+
+Similar to how Terraform provides a way to [define variables](https://www.terraform.io/docs/configuration/variables.html#declaring-an-input-variable),
+the HCL file format also supports variable block definitions. These can be used
+to define variables with values provided by the current environment, or a
+default value when unset:
+
+```hcl
+# docker-bake.hcl
+variable "TAG" {
+  default = "latest"
+}
+
+target "webapp-dev" {
+  dockerfile = "Dockerfile.webapp"
+  tags = ["docker.io/username/webapp:${TAG}"]
+}
+```
+```console
+$ docker buildx bake webapp-dev          # will use the default value "latest"
+$ TAG=dev docker buildx bake webapp-dev  # will use the TAG environment variable value
+```
+
+> **Tip**
+>
+> See also the [Configuring builds](configuring-build.md) page for advanced usage.
+
+### Functions
+
+A [set of generally useful functions](https://github.com/docker/buildx/blob/master/bake/hclparser/stdlib.go)
+provided by [go-cty](https://github.com/zclconf/go-cty/tree/main/cty/function/stdlib)
+are available for use in HCL files:
+
+```hcl
+# docker-bake.hcl
+target "webapp-dev" {
+  dockerfile = "Dockerfile.webapp"
+  tags = ["docker.io/username/webapp:latest"]
+  args = {
+    buildno = "${add(123, 1)}"
+  }
+}
+```
+
+In addition, [user defined functions](https://github.com/hashicorp/hcl/tree/main/ext/userfunc)
+are also supported:
+
+```hcl
+# docker-bake.hcl
+function "increment" {
+  params = [number]
+  result = number + 1
+}
+
+target "webapp-dev" {
+  dockerfile = "Dockerfile.webapp"
+  tags = ["docker.io/username/webapp:latest"]
+  args = {
+    buildno = "${increment(123)}"
+  }
+}
+```
+
+> **Note**
+>
+> See [User defined HCL functions](hcl-funcs.md) page for more details.
+
+## Built-in variables
+
+* `BAKE_CMD_CONTEXT` can be used to access the main `context` for bake command
+  from a bake file that has been [imported remotely](file-definition.md#remote-definition).
+* `BAKE_LOCAL_PLATFORM` returns the current platform's default platform
+  specification (e.g. `linux/amd64`).
+
+## Merging and inheritance
+
+Multiple files can include the same target and final build options will be
+determined by merging them together:
+
+```hcl
+# docker-bake.hcl
+target "webapp-dev" {
+  dockerfile = "Dockerfile.webapp"
+  tags = ["docker.io/username/webapp:latest"]
+}
+```
+```hcl
+# docker-bake2.hcl
+target "webapp-dev" {
+  tags = ["docker.io/username/webapp:dev"]
+}
+```
+```console
+$ docker buildx bake -f docker-bake.hcl -f docker-bake2.hcl webapp-dev
+```
+
+A group can specify its list of targets with the `targets` option. A target can
+inherit build options by setting the `inherits` option to the list of targets or
+groups to inherit from:
+
+```hcl
+# docker-bake.hcl
+target "webapp-dev" {
+  dockerfile = "Dockerfile.webapp"
+  tags = ["docker.io/username/webapp:${TAG}"]
+}
+
+target "webapp-release" {
+  inherits = ["webapp-dev"]
+  platforms = ["linux/amd64", "linux/arm64"]
+}
+```
+
+## `default` target/group
+
+When you invoke `bake` you specify what targets/groups you want to build. If no
+arguments is specified, the group/target named `default` will be built:
+
+```hcl
+# docker-bake.hcl
+target "default" {
+  dockerfile = "Dockerfile.webapp"
+  tags = ["docker.io/username/webapp:latest"]
+}
+```
+```console
+$ docker buildx bake
+```
+
+## Definitions
+
+### HCL definition
+
+HCL definition file is recommended as its experience is more aligned with buildx UX
+and also allows better code reuse, different target groups and extended features.
+
+```hcl
+# docker-bake.hcl
+variable "TAG" {
+  default = "latest"
+}
+
+group "default" {
+  targets = ["db", "webapp-dev"]
+}
+
+target "webapp-dev" {
+  dockerfile = "Dockerfile.webapp"
+  tags = ["docker.io/username/webapp:${TAG}"]
+}
+
+target "webapp-release" {
+  inherits = ["webapp-dev"]
+  platforms = ["linux/amd64", "linux/arm64"]
+}
+
+target "db" {
+  dockerfile = "Dockerfile.db"
+  tags = ["docker.io/username/db"]
+}
+```
+
+### JSON definition
+
+```json
+{
+  "variable": {
+    "TAG": {
+      "default": "latest"
+    }
+  },
+  "group": {
+    "default": {
+      "targets": [
+        "db",
+        "webapp-dev"
+      ]
+    }
+  },
+  "target": {
+    "webapp-dev": {
+      "dockerfile": "Dockerfile.webapp",
+      "tags": [
+        "docker.io/username/webapp:${TAG}"
+      ]
+    },
+    "webapp-release": {
+      "inherits": [
+        "webapp-dev"
+      ],
+      "platforms": [
+        "linux/amd64",
+        "linux/arm64"
+      ]
+    },
+    "db": {
+      "dockerfile": "Dockerfile.db",
+      "tags": [
+        "docker.io/username/db"
+      ]
+    }
+  }
+}
+```
+
+### Compose file
+
+```yaml
+# docker-compose.yml
+services:
+  webapp:
+    image: docker.io/username/webapp:latest
+    build:
+      dockerfile: Dockerfile.webapp
+
+  db:
+    image: docker.io/username/db
+    build:
+      dockerfile: Dockerfile.db
+```
+
+> **Note**
+>
+> See [Building from Compose file](compose-file.md) page for more details.
+
+## Remote definition
+
+You can also build bake files directly from a remote Git repository or HTTPS URL:
+
+```console
+$ docker buildx bake "https://github.com/docker/cli.git#v20.10.11" --print
+#1 [internal] load git source https://github.com/docker/cli.git#v20.10.11
+#1 0.745 e8f1871b077b64bcb4a13334b7146492773769f7       refs/tags/v20.10.11
+#1 2.022 From https://github.com/docker/cli
+#1 2.022  * [new tag]         v20.10.11  -> v20.10.11
+#1 DONE 2.9s
+```
+```json
+{
+  "group": {
+    "default": {
+      "targets": [
+        "binary"
+      ]
+    }
+  },
+  "target": {
+    "binary": {
+      "context": "https://github.com/docker/cli.git#v20.10.11",
+      "dockerfile": "Dockerfile",
+      "args": {
+        "BASE_VARIANT": "alpine",
+        "GO_STRIP": "",
+        "VERSION": ""
+      },
+      "target": "binary",
+      "platforms": [
+        "local"
+      ],
+      "output": [
+        "build"
+      ]
+    }
+  }
+}
+```
+
+As you can see the context is fixed to `https://github.com/docker/cli.git` even if
+[no context is actually defined](https://github.com/docker/cli/blob/2776a6d694f988c0c1df61cad4bfac0f54e481c8/docker-bake.hcl#L17-L26)
+in the definition.
+
+If you want to access the main context for bake command from a bake file
+that has been imported remotely, you can use the [`BAKE_CMD_CONTEXT` built-in var](#built-in-variables).
+
+```console
+$ cat https://raw.githubusercontent.com/tonistiigi/buildx/remote-test/docker-bake.hcl
+```
+```hcl
+target "default" {
+  context = BAKE_CMD_CONTEXT
+  dockerfile-inline = <<EOT
+FROM alpine
+WORKDIR /src
+COPY . .
+RUN ls -l && stop
+EOT
+}
+```
+
+```console
+$ docker buildx bake "https://github.com/tonistiigi/buildx.git#remote-test" --print
+```
+```json
+{
+  "target": {
+    "default": {
+      "context": ".",
+      "dockerfile": "Dockerfile",
+      "dockerfile-inline": "FROM alpine\nWORKDIR /src\nCOPY . .\nRUN ls -l \u0026\u0026 stop\n"
+    }
+  }
+}
+```
+
+```console
+$ touch foo bar
+$ docker buildx bake "https://github.com/tonistiigi/buildx.git#remote-test"
+```
+```text
+...
+ > [4/4] RUN ls -l && stop:
+#8 0.101 total 0
+#8 0.102 -rw-r--r--    1 root     root             0 Jul 27 18:47 bar
+#8 0.102 -rw-r--r--    1 root     root             0 Jul 27 18:47 foo
+#8 0.102 /bin/sh: stop: not found
+```
+
+```console
+$ docker buildx bake "https://github.com/tonistiigi/buildx.git#remote-test" "https://github.com/docker/cli.git#v20.10.11" --print
+#1 [internal] load git source https://github.com/tonistiigi/buildx.git#remote-test
+#1 0.429 577303add004dd7efeb13434d69ea030d35f7888       refs/heads/remote-test
+#1 CACHED
+```
+```json
+{
+  "target": {
+    "default": {
+      "context": "https://github.com/docker/cli.git#v20.10.11",
+      "dockerfile": "Dockerfile",
+      "dockerfile-inline": "FROM alpine\nWORKDIR /src\nCOPY . .\nRUN ls -l \u0026\u0026 stop\n"
+    }
+  }
+}
+```
+
+```console
+$ docker buildx bake "https://github.com/tonistiigi/buildx.git#remote-test" "https://github.com/docker/cli.git#v20.10.11"
+```
+```text
+...
+ > [4/4] RUN ls -l && stop:
+#8 0.136 drwxrwxrwx    5 root     root          4096 Jul 27 18:31 kubernetes
+#8 0.136 drwxrwxrwx    3 root     root          4096 Jul 27 18:31 man
+#8 0.136 drwxrwxrwx    2 root     root          4096 Jul 27 18:31 opts
+#8 0.136 -rw-rw-rw-    1 root     root          1893 Jul 27 18:31 poule.yml
+#8 0.136 drwxrwxrwx    7 root     root          4096 Jul 27 18:31 scripts
+#8 0.136 drwxrwxrwx    3 root     root          4096 Jul 27 18:31 service
+#8 0.136 drwxrwxrwx    2 root     root          4096 Jul 27 18:31 templates
+#8 0.136 drwxrwxrwx   10 root     root          4096 Jul 27 18:31 vendor
+#8 0.136 -rwxrwxrwx    1 root     root          9620 Jul 27 18:31 vendor.conf
+#8 0.136 /bin/sh: stop: not found
+```
--- a/docs/guides/bake/hcl-funcs.md
+++ b/docs/guides/bake/hcl-funcs.md
@@ -0,0 +1,327 @@
+# User defined HCL functions
+
+## Using interpolation to tag an image with the git sha
+
+As shown in the [File definition](file-definition.md#variable) page, `bake`
+supports variable blocks which are assigned to matching environment variables
+or default values:
+
+```hcl
+# docker-bake.hcl
+variable "TAG" {
+  default = "latest"
+}
+
+group "default" {
+  targets = ["webapp"]
+}
+
+target "webapp" {
+  tags = ["docker.io/username/webapp:${TAG}"]
+}
+```
+
+alternatively, in json format:
+
+```json
+{
+  "variable": {
+    "TAG": {
+      "default": "latest"
+    }
+  },
+  "group": {
+    "default": {
+      "targets": ["webapp"]
+    }
+  },
+  "target": {
+    "webapp": {
+      "tags": ["docker.io/username/webapp:${TAG}"]
+    }
+  }
+}
+```
+
+```console
+$ docker buildx bake --print webapp
+```
+```json
+{
+  "group": {
+    "default": {
+      "targets": [
+        "webapp"
+      ]
+    }
+  },
+  "target": {
+    "webapp": {
+      "context": ".",
+      "dockerfile": "Dockerfile",
+      "tags": [
+        "docker.io/username/webapp:latest"
+      ]
+    }
+  }
+}
+```
+
+```console
+$ TAG=$(git rev-parse --short HEAD) docker buildx bake --print webapp
+```
+```json
+{
+  "group": {
+    "default": {
+      "targets": [
+        "webapp"
+      ]
+    }
+  },
+  "target": {
+    "webapp": {
+      "context": ".",
+      "dockerfile": "Dockerfile",
+      "tags": [
+        "docker.io/username/webapp:985e9e9"
+      ]
+    }
+  }
+}
+```
+
+## Using the `add` function
+
+You can use [`go-cty` stdlib functions](https://github.com/zclconf/go-cty/tree/main/cty/function/stdlib).
+Here we are using the `add` function.
+
+```hcl
+# docker-bake.hcl
+variable "TAG" {
+  default = "latest"
+}
+
+group "default" {
+  targets = ["webapp"]
+}
+
+target "webapp" {
+  args = {
+    buildno = "${add(123, 1)}"
+  }
+}
+```
+
+```console
+$ docker buildx bake --print webapp
+```
+```json
+{
+  "group": {
+    "default": {
+      "targets": [
+        "webapp"
+      ]
+    }
+  },
+  "target": {
+    "webapp": {
+      "context": ".",
+      "dockerfile": "Dockerfile",
+      "args": {
+        "buildno": "124"
+      }
+    }
+  }
+}
+```
+
+## Defining an `increment` function
+
+It also supports [user defined functions](https://github.com/hashicorp/hcl/tree/main/ext/userfunc).
+The following example defines a simple an `increment` function.
+
+```hcl
+# docker-bake.hcl
+function "increment" {
+  params = [number]
+  result = number + 1
+}
+
+group "default" {
+  targets = ["webapp"]
+}
+
+target "webapp" {
+  args = {
+    buildno = "${increment(123)}"
+  }
+}
+```
+
+```console
+$ docker buildx bake --print webapp
+```
+```json
+{
+  "group": {
+    "default": {
+      "targets": [
+        "webapp"
+      ]
+    }
+  },
+  "target": {
+    "webapp": {
+      "context": ".",
+      "dockerfile": "Dockerfile",
+      "args": {
+        "buildno": "124"
+      }
+    }
+  }
+}
+```
+
+## Only adding tags if a variable is not empty using an `notequal`
+
+Here we are using the conditional `notequal` function which is just for
+symmetry with the `equal` one.
+
+```hcl
+# docker-bake.hcl
+variable "TAG" {default="" }
+
+group "default" {
+  targets = [
+    "webapp",
+  ]
+}
+
+target "webapp" {
+  context="."
+  dockerfile="Dockerfile"
+  tags = [
+    "my-image:latest",
+    notequal("",TAG) ? "my-image:${TAG}": "",
+  ]
+}
+```
+
+```console
+$ docker buildx bake --print webapp
+```
+```json
+{
+  "group": {
+    "default": {
+      "targets": [
+        "webapp"
+      ]
+    }
+  },
+  "target": {
+    "webapp": {
+      "context": ".",
+      "dockerfile": "Dockerfile",
+      "tags": [
+        "my-image:latest"
+      ]
+    }
+  }
+}
+```
+
+## Using variables in functions
+
+You can refer variables to other variables like the target blocks can. Stdlib
+functions can also be called but user functions can't at the moment.
+
+```hcl
+# docker-bake.hcl
+variable "REPO" {
+  default = "user/repo"
+}
+
+function "tag" {
+  params = [tag]
+  result = ["${REPO}:${tag}"]
+}
+
+target "webapp" {
+  tags = tag("v1")
+}
+```
+
+```console
+$ docker buildx bake --print webapp
+```
+```json
+{
+  "group": {
+    "default": {
+      "targets": [
+        "webapp"
+      ]
+    }
+  },
+  "target": {
+    "webapp": {
+      "context": ".",
+      "dockerfile": "Dockerfile",
+      "tags": [
+        "user/repo:v1"
+      ]
+    }
+  }
+}
+```
+
+## Using typed variables
+
+Non-string variables are also accepted. The value passed with env is parsed
+into suitable type first.
+
+```hcl
+# docker-bake.hcl
+variable "FOO" {
+  default = 3
+}
+
+variable "IS_FOO" {
+  default = true
+}
+
+target "app" {
+  args = {
+    v1 = FOO > 5 ? "higher" : "lower" 
+    v2 = IS_FOO ? "yes" : "no"
+  }
+}
+```
+
+```console
+$ docker buildx bake --print app
+```
+```json
+{
+  "group": {
+    "default": {
+      "targets": [
+        "app"
+      ]
+    }
+  },
+  "target": {
+    "app": {
+      "context": ".",
+      "dockerfile": "Dockerfile",
+      "args": {
+        "v1": "lower",
+        "v2": "yes"
+      }
+    }
+  }
+}
+```
--- a/docs/guides/bake/index.md
+++ b/docs/guides/bake/index.md
@@ -0,0 +1,36 @@
+# High-level build options with Bake
+
+> This command is experimental.
+>
+> The design of bake is in early stages, and we are looking for [feedback from users](https://github.com/docker/buildx/issues).
+{: .experimental }
+
+Buildx also aims to provide support for high-level build concepts that go beyond
+invoking a single build command. We want to support building all the images in
+your application together and let the users define project specific reusable
+build flows that can then be easily invoked by anyone.
+
+[BuildKit](https://github.com/moby/buildkit) efficiently handles multiple
+concurrent build requests and de-duplicating work. The build commands can be
+combined with general-purpose command runners (for example, `make`). However,
+these tools generally invoke builds in sequence  and therefore cannot leverage
+the full potential of BuildKit parallelization, or combine BuildKit's output
+for the user. For this use case, we have added a command called
+[`docker buildx bake`](https://docs.docker.com/engine/reference/commandline/buildx_bake/).
+
+The `bake` command supports building images from HCL, JSON and Compose files.
+This is similar to [`docker compose build`](https://docs.docker.com/compose/reference/build/),
+but allowing all the services to be built concurrently as part of a single
+request. If multiple files are specified they are all read and configurations are
+combined.
+
+We recommend using HCL files as its experience is more aligned with buildx UX
+and also allows better code reuse, different target groups and extended features.
+
+## Next steps
+
+* [File definition](file-definition.md)
+* [Configuring builds](configuring-build.md)
+* [User defined HCL functions](hcl-funcs.md)
+* [Defining additional build contexts and linking targets](build-contexts.md)
+* [Building from Compose file](compose-file.md)
--- a/docs/guides/cicd.md
+++ b/docs/guides/cicd.md
@@ -19,13 +19,13 @@ jobs:
    steps:
      -
        name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
      -
        name: Login to DockerHub
-        uses: docker/login-action@v1 
+        uses: docker/login-action@v2 
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
--- a/docs/guides/cni-networking.md
+++ b/docs/guides/cni-networking.md
@@ -11,7 +11,7 @@ Now build this image:
 $ docker buildx build --tag buildkit-cni:local --load .
 ```

-Then [create a `docker-container` builder](../reference/buildx_create.md) that
+Then [create a `docker-container` builder](https://docs.docker.com/engine/reference/commandline/buildx_create/) that
 will use this image:

 ```console
--- a/docs/guides/color-output.md
+++ b/docs/guides/color-output.md
@@ -0,0 +1,20 @@
+# Color output controls
+
+Buildx has support for modifying the colors that are used to output information
+to the terminal. You can set the environment variable `BUILDKIT_COLORS` to
+something like `run=123,20,245:error=yellow:cancel=blue:warning=white` to set
+the colors that you would like to use:
+
+![Progress output custom colors](https://user-images.githubusercontent.com/1951866/180584033-24522385-cafd-4a54-a4a2-18f5ce74eb27.png)
+
+Setting `NO_COLOR` to anything will disable any colorized output as recommended
+by [no-color.org](https://no-color.org/):
+
+![Progress output no color](https://user-images.githubusercontent.com/1951866/180584037-e28f9997-dd4c-49cf-8b26-04864815de19.png)
+
+> **Note**
+>
+> Parsing errors will be reported but ignored. This will result in default
+> color values being used where needed.
+
+See also [the list of pre-defined colors](https://github.com/moby/buildkit/blob/master/util/progress/progressui/colors.go).
--- a/docs/guides/custom-network.md
+++ b/docs/guides/custom-network.md
@@ -7,8 +7,8 @@ named `foonet`:
 $ docker network create foonet
 ```

-[Create a `docker-container` builder](../reference/buildx_create.md) named
-`mybuilder` that will use this network:
+[Create a `docker-container` builder](https://docs.docker.com/engine/reference/commandline/buildx_create/)
+named `mybuilder` that will use this network:

 ```console
 $ docker buildx create --use \
@@ -17,7 +17,7 @@ $ docker buildx create --use \
  --driver-opt "network=foonet"
 ```

-Boot and [inspect `mybuilder`](../reference/buildx_inspect.md):
+Boot and [inspect `mybuilder`](https://docs.docker.com/engine/reference/commandline/buildx_inspect/):

 ```console
 $ docker buildx inspect --bootstrap
@@ -26,23 +26,9 @@ $ docker buildx inspect --bootstrap
 [Inspect the builder container](https://docs.docker.com/engine/reference/commandline/inspect/)
 and see what network is being used:

+{% raw %}
 ```console
 $ docker inspect buildx_buildkit_mybuilder0 --format={{.NetworkSettings.Networks}}
 map[foonet:0xc00018c0c0]
 ```
-
-## What's `buildx_buildkit_mybuilder0`?
-
-`buildx_buildkit_mybuilder0` is the container name. It can be broken down like this:
-
-* `buildx_buildkit_` is a hardcoded prefix
-* `mybuilder0` is the name of the node (defaults to builder name + position in the list of nodes)
-
-```console
-$ docker buildx ls
-NAME/NODE     DRIVER/ENDPOINT                        STATUS                 PLATFORMS
-mybuilder *   docker-container
-  mybuilder0  unix:///var/run/docker.sock            running                linux/amd64, linux/arm64, linux/riscv64, linux/ppc64le, linux/s390x, linux/386, linux/mips64le, linux/mips64, linux/arm/v7, linux/arm/v6     
-default       docker
-  default     default                                running                linux/amd64, linux/arm64, linux/riscv64, linux/ppc64le, linux/s390x, linux/386, linux/arm/v7, linux/arm/v6
-```
+{% endraw %}
--- a/docs/guides/custom-registry-config.md
+++ b/docs/guides/custom-registry-config.md
@@ -1,6 +1,6 @@
 # Using a custom registry configuration

-If you [create a `docker-container` or `kubernetes` builder](../reference/buildx_create.md) and
+If you [create a `docker-container` or `kubernetes` builder](https://docs.docker.com/engine/reference/commandline/buildx_create/) and
 have specified certificates for registries in the [BuildKit daemon configuration](https://github.com/moby/buildkit/blob/master/docs/buildkitd.toml.md),
 the files will be copied into the container under `/etc/buildkit/certs` and
 configuration will be updated to reflect that.
@@ -8,7 +8,8 @@ configuration will be updated to reflect that.
 Take the following `buildkitd.toml` configuration that will be used for
 pushing an image to this registry using self-signed certificates:

-```toml"
+```toml
+# /etc/buildkitd.toml
 debug = true
 [registry."myregistry.com"]
  ca=["/etc/certs/myregistry.pem"]
@@ -16,11 +17,10 @@ debug = true
    key="/etc/certs/myregistry_key.pem"
    cert="/etc/certs/myregistry_cert.pem"
 ```
-> `/etc/buildkitd.toml`

 Here we have configured a self-signed certificate for `myregistry.com` registry.

-Now [create a `docker-container` builder](../reference/buildx_create.md)
+Now [create a `docker-container` builder](https://docs.docker.com/engine/reference/commandline/buildx_create/)
 that will use this BuildKit configuration:

 ```console
--- a/docs/guides/drivers/docker-container.md
+++ b/docs/guides/drivers/docker-container.md
@@ -0,0 +1,75 @@
+# Docker container driver
+
+The buildx docker-container driver allows creation of a managed and
+customizable BuildKit environment inside a dedicated Docker container.
+
+Using the docker-container driver has a couple of advantages over the basic
+docker driver. Firstly, we can manually override the version of buildkit to
+use, meaning that we can access the latest and greatest features as soon as
+they're released, instead of waiting to upgrade to a newer version of Docker.
+Additionally, we can access more complex features like multi-architecture
+builds and the more advanced cache exporters, which are currently unsupported
+in the default docker driver.
+
+We can easily create a new builder that uses the docker-container driver:
+
+```console
+$ docker buildx create --name container --driver docker-container
+container
+```
+
+We should then be able to see it on our list of available builders:
+
+```console
+$ docker buildx ls
+NAME/NODE       DRIVER/ENDPOINT      STATUS   BUILDKIT PLATFORMS
+container       docker-container                       
+  container0    desktop-linux        inactive          
+default         docker                                 
+  default       default              running  20.10.17 linux/amd64, linux/386
+```
+
+If we trigger a build, the appropriate `moby/buildkit` image will be pulled
+from [Docker Hub](https://hub.docker.com/u/moby/buildkit), the image started,
+and our build submitted to our containerized build server.
+
+```console
+$ docker buildx build -t <image> --builder=container .
+WARNING: No output specified with docker-container driver. Build result will only remain in the build cache. To push result image into registry use --push or to load image into docker use --load
+#1 [internal] booting buildkit
+#1 pulling image moby/buildkit:buildx-stable-1
+#1 pulling image moby/buildkit:buildx-stable-1 1.9s done
+#1 creating container buildx_buildkit_container0
+#1 creating container buildx_buildkit_container0 0.5s done
+#1 DONE 2.4s
+...
+```
+
+Note the warning "Build result will only remain in the build cache" - unlike
+the `docker` driver, the built image must be explicitly loaded into the local
+image store. We can use the `--load` flag for this:
+
+```console
+$ docker buildx build --load -t <image> --builder=container .
+...
+ => exporting to oci image format                                                                                                      7.7s
+ => => exporting layers                                                                                                                4.9s
+ => => exporting manifest sha256:4e4ca161fa338be2c303445411900ebbc5fc086153a0b846ac12996960b479d3                                      0.0s 
+ => => exporting config sha256:adf3eec768a14b6e183a1010cb96d91155a82fd722a1091440c88f3747f1f53f                                        0.0s 
+ => => sending tarball                                                                                                                 2.8s 
+ => importing to docker   
+```
+
+The image should then be available in the image store:
+
+```console
+$ docker image ls
+REPOSITORY                       TAG               IMAGE ID       CREATED             SIZE
+<image>                          latest            adf3eec768a1   2 minutes ago       197MB
+```
+
+## Further reading
+
+For more information on the docker-container driver, see the [buildx reference](https://docs.docker.com/engine/reference/commandline/buildx_create/#driver).
+
+<!--- FIXME: for 0.9, make reference link relative --->
--- a/docs/guides/drivers/docker.md
+++ b/docs/guides/drivers/docker.md
@@ -0,0 +1,50 @@
+# Docker driver
+
+The buildx docker driver is the default builtin driver, that uses the BuildKit
+server components built directly into the docker engine.
+
+No setup should be required for the docker driver - it should already be
+configured for you:
+
+```console
+$ docker buildx ls
+NAME/NODE       DRIVER/ENDPOINT      STATUS   BUILDKIT PLATFORMS
+default         docker                                 
+  default       default              running  20.10.17 linux/amd64, linux/386
+```
+
+This builder is ready to build with out-of-the-box, requiring no extra setup,
+so you can get going with a `docker buildx build` as soon as you like.
+
+Depending on your personal setup, you may find multiple builders in your list
+the use the docker driver. For example, on a system that runs both a package
+managed version of dockerd, as well as Docker Desktop, you might have the
+following:
+
+```console
+NAME/NODE       DRIVER/ENDPOINT STATUS  BUILDKIT PLATFORMS
+default         docker                           
+  default       default         running 20.10.17 linux/amd64, linux/386
+desktop-linux * docker                           
+  desktop-linux desktop-linux   running 20.10.17 linux/amd64, linux/arm64, linux/riscv64, linux/ppc64le, linux/s390x, linux/386, linux/arm/v7, linux/arm/v6
+```
+
+This is because the docker driver builders are automatically pulled from
+the available [Docker Contexts](https://docs.docker.com/engine/context/working-with-contexts/).
+When you add new contexts using `docker context create`, these will appear in
+your list of buildx builders.
+
+Unlike the [other drivers](../index.md), builders using the docker driver
+cannot be manually created, and can only be automatically created from the
+docker context. Additionally, they cannot be configured to a specific BuildKit
+version, and cannot take any extra parameters, as these are both preset by the
+Docker engine internally.
+
+If you want the extra configuration and flexibility without too much more
+overhead, then see the help page for the [docker-container driver](./docker-container.md).
+
+## Further reading
+
+For more information on the docker driver, see the [buildx reference](https://docs.docker.com/engine/reference/commandline/buildx_create/#driver).
+
+<!--- FIXME: for 0.9, make reference link relative --->
--- a/docs/guides/drivers/index.md
+++ b/docs/guides/drivers/index.md
@@ -0,0 +1,41 @@
+# Buildx drivers overview
+
+The buildx client connects out to the BuildKit backend to execute builds -
+Buildx drivers allow fine-grained control over management of the backend, and
+supports several different options for where and how BuildKit should run.
+
+Currently, we support the following drivers:
+
+- The `docker` driver, that uses the BuildKit library bundled into the Docker
+  daemon.
+  ([guide](./docker.md), [reference](https://docs.docker.com/engine/reference/commandline/buildx_create/#driver))
+- The `docker-container` driver, that launches a dedicated BuildKit container
+  using Docker, for access to advanced features.
+  ([guide](./docker-container.md), [reference](https://docs.docker.com/engine/reference/commandline/buildx_create/#driver))
+- The `kubernetes` driver, that launches dedicated BuildKit pods in a
+  remote Kubernetes cluster, for scalable builds.
+  ([guide](./kubernetes.md), [reference](https://docs.docker.com/engine/reference/commandline/buildx_create/#driver))
+- The `remote` driver, that allows directly connecting to a manually managed
+  BuildKit daemon, for more custom setups.
+  ([guide](./remote.md))
+
+<!--- FIXME: for 0.9, make links relative, and add reference link for remote --->
+
+To create a new builder that uses one of the above drivers, you can use the
+[`docker buildx create`](https://docs.docker.com/engine/reference/commandline/buildx_create/) command:
+
+```console
+$ docker buildx create --name=<builder-name> --driver=<driver> --driver-opt=<driver-options>
+```
+
+The build experience is very similar across drivers, however, there are some
+features that are not evenly supported across the board, notably, the `docker`
+driver does not include support for certain output/caching types.
+
+| Feature                       |    `docker`     | `docker-container` | `kubernetes` |        `remote`        |
+| :---------------------------- | :-------------: | :----------------: | :----------: | :--------------------: |
+| **Automatic `--load`**        |        ✅        |         ❌          |      ❌       |           ❌            |
+| **Cache export**              | ❔ (inline only) |         ✅          |      ✅       |           ✅            |
+| **Docker/OCI tarball output** |        ❌        |         ✅          |      ✅       |           ✅            |
+| **Multi-arch images**         |        ❌        |         ✅          |      ✅       |           ✅            |
+| **BuildKit configuration**    |        ❌        |         ✅          |      ✅       | ❔ (managed externally) |
--- a/docs/guides/drivers/kubernetes.md
+++ b/docs/guides/drivers/kubernetes.md
@@ -0,0 +1,238 @@
+# Kubernetes driver
+
+The buildx kubernetes driver allows connecting your local development or ci
+environments to your kubernetes cluster to allow access to more powerful
+and varied compute resources.
+
+This guide assumes you already have an existing kubernetes cluster - if you don't already
+have one, you can easily follow along by installing
+[minikube](https://minikube.sigs.k8s.io/docs/).
+
+Before connecting buildx to your cluster, you may want to create a dedicated
+namespace using `kubectl` to keep your buildx-managed resources separate. You
+can call your namespace anything you want, or use the existing `default`
+namespace, but we'll create a `buildkit` namespace for now:
+
+```console
+$ kubectl create namespace buildkit
+```
+
+Then create a new buildx builder:
+
+```console
+$ docker buildx create \
+  --bootstrap \
+  --name=kube \
+  --driver=kubernetes \
+  --driver-opt=namespace=buildkit
+```
+
+This assumes that the kubernetes cluster you want to connect to is currently
+accessible via the kubectl command, with the `KUBECONFIG` environment variable
+[set appropriately](https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/#set-the-kubeconfig-environment-variable)
+if neccessary.
+
+You should now be able to see the builder in the list of buildx builders:
+
+```console
+$ docker buildx ls
+NAME/NODE                DRIVER/ENDPOINT STATUS  PLATFORMS
+kube                     kubernetes              
+  kube0-6977cdcb75-k9h9m                 running linux/amd64, linux/amd64/v2, linux/amd64/v3, linux/386
+default *                docker
+  default                default         running linux/amd64, linux/386
+```
+
+The buildx driver creates the neccessary resources on your cluster in the
+specified namespace (in this case, `buildkit`), while keeping your
+driver configuration locally. You can see the running pods with:
+
+```console
+$ kubectl -n buildkit get deployments
+NAME    READY   UP-TO-DATE   AVAILABLE   AGE
+kube0   1/1     1            1           32s
+
+$ kubectl -n buildkit get pods
+NAME                     READY   STATUS    RESTARTS   AGE
+kube0-6977cdcb75-k9h9m   1/1     Running   0          32s
+```
+
+You can use your new builder by including the `--builder` flag when running
+buildx commands. For example (replacing `<user>` and `<image>` with your Docker
+Hub username and desired image output respectively):
+
+```console
+$ docker buildx build . \
+  --builder=kube \
+  -t <user>/<image> \
+  --push
+```
+
+## Scaling Buildkit
+
+One of the main advantages of the kubernetes builder is that you can easily
+scale your builder up and down to handle increased build load. These controls
+are exposed via the following options:
+
+- `replicas=N`
+  - This scales the number of buildkit pods to the desired size. By default,
+    only a single pod will be created, but increasing this allows taking of
+    advantage of multiple nodes in your cluster.
+- `requests.cpu`, `requests.memory`, `limits.cpu`, `limits.memory`
+  - These options allow requesting and limiting the resources available to each
+    buildkit pod according to the official kubernetes documentation
+    [here](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
+    
+For example, to create 4 replica buildkit pods:
+
+```console
+$ docker buildx create \
+  --bootstrap \
+  --name=kube \
+  --driver=kubernetes \
+  --driver-opt=namespace=buildkit,replicas=4
+```
+
+Listing the pods, we get:
+
+```console
+$ kubectl -n buildkit get deployments
+NAME    READY   UP-TO-DATE   AVAILABLE   AGE
+kube0   4/4     4            4           8s
+
+$ kubectl -n buildkit get pods
+NAME                     READY   STATUS    RESTARTS   AGE
+kube0-6977cdcb75-48ld2   1/1     Running   0          8s
+kube0-6977cdcb75-rkc6b   1/1     Running   0          8s
+kube0-6977cdcb75-vb4ks   1/1     Running   0          8s
+kube0-6977cdcb75-z4fzs   1/1     Running   0          8s
+```
+    
+Additionally, you can use the `loadbalance=(sticky|random)` option to control
+the load-balancing behavior when there are multiple replicas. While `random`
+should selects random nodes from the available pool, which should provide
+better balancing across all replicas, `sticky` (the default) attempts to
+connect the same build performed multiple times to the same node each time,
+ensuring better local cache utilization.
+
+For more information on scalability, see the options for [buildx create](https://docs.docker.com/engine/reference/commandline/buildx_create/#driver-opt).
+
+## Multi-platform builds
+
+The kubernetes buildx driver has support for creating [multi-platform images](https://docs.docker.com/build/buildx/multiplatform-images/),
+for easily building for multiple platforms at once.
+
+### QEMU
+
+Like the other containerized driver `docker-container`, the kubernetes driver
+also supports using [QEMU](https://www.qemu.org/) (user mode) to build
+non-native platforms. If using a default setup like above, no extra setup
+should be needed, you should just be able to start building for other
+architectures, by including the `--platform` flag.
+
+For example, to build a Linux image for `amd64` and `arm64`:
+
+```console
+$ docker buildx build . \
+  --builder=kube \
+  --platform=linux/amd64,linux/arm64 \
+  -t <user>/<image> \
+  --push
+```
+
+> **Warning**
+> QEMU performs full-system emulation of non-native platforms, which is *much*
+> slower than native builds. Compute-heavy tasks like compilation and
+> compression/decompression will likely take a large performance hit.
+
+Note, if you're using a custom buildkit image using the `image=<image>` driver
+option, or invoking non-native binaries from within your build, you may need to
+explicitly enable QEMU using the `qemu.install` option during driver creation:
+
+```console
+$ docker buildx create \
+  --bootstrap \
+  --name=kube \
+  --driver=kubernetes \
+  --driver-opt=namespace=buildkit,qemu.install=true
+```
+
+### Native
+
+If you have access to cluster nodes of different architectures, we can
+configure the kubernetes driver to take advantage of these for native builds.
+To do this, we need to use the `--append` feature of `docker buildx create`.
+
+To start, we can create our builder with explicit support for a single
+architecture, `amd64`:
+
+```console
+$ docker buildx create \
+  --bootstrap \
+  --name=kube \
+  --driver=kubernetes \
+  --platform=linux/amd64 \
+  --node=builder-amd64 \
+  --driver-opt=namespace=buildkit,nodeselector="kubernetes.io/arch=amd64"
+```
+
+This creates a buildx builder `kube` containing a single builder node `builder-amd64`.
+Note that the buildx concept of a node is not the same as the kubernetes
+concept of a node - the buildx node in this case could connect multiple
+kubernetes nodes of the same architecture together.
+
+With our `kube` driver created, we can now introduce another architecture into
+the mix, for example, like before we can use `arm64`:
+
+```console
+$ docker buildx create \
+  --append \
+  --bootstrap \
+  --name=kube \
+  --driver=kubernetes \
+  --platform=linux/arm64 \
+  --node=builder-arm64 \
+  --driver-opt=namespace=buildkit,nodeselector="kubernetes.io/arch=arm64"
+```
+
+If you list builders now, you should be able to see both nodes present:
+
+```console
+$ docker buildx ls
+NAME/NODE       DRIVER/ENDPOINT                                         STATUS   PLATFORMS
+kube            kubernetes                                                       
+  builder-amd64 kubernetes:///kube?deployment=builder-amd64&kubeconfig= running  linux/amd64*, linux/amd64/v2, linux/amd64/v3, linux/386
+  builder-arm64 kubernetes:///kube?deployment=builder-arm64&kubeconfig= running  linux/arm64*
+```
+
+You should now be able to build multi-arch images with `amd64` and `arm64`
+combined, by specifying those platforms together in your buildx command:
+
+```console
+$ docker buildx build --builder=kube --platform=linux/amd64,linux/arm64 -t <user>/<image> --push .
+```
+
+You can repeat the `buildx create --append` command for as many different
+architectures that you want to support.
+
+## Rootless mode
+
+The kubernetes driver supports rootless mode. For more information on how
+rootless mode works, and it's requirements, see [here](https://github.com/moby/buildkit/blob/master/docs/rootless.md).
+
+To enable it in your cluster, you can use the `rootless=true` driver option:
+
+```console
+$ docker buildx create \
+  --name=kube \
+  --driver=kubernetes \
+  --driver-opt=namespace=buildkit,rootless=true
+```
+
+This will create your pods without `securityContext.privileged`.
+
+## Further reading
+
+For more information on the kubernetes driver, see the [buildx reference](https://docs.docker.com/engine/reference/commandline/buildx_create/#driver).
+
+<!--- FIXME: for 0.9, make reference link relative --->
--- a/docs/guides/drivers/remote.md
+++ b/docs/guides/drivers/remote.md
@@ -0,0 +1,178 @@
+# Remote driver
+
+The buildx remote driver allows for more complex custom build workloads that
+allow users to connect to external buildkit instances. This is useful for
+scenarios that require manual management of the buildkit daemon, or where a
+buildkit daemon is exposed from another source.
+
+To connect to a running buildkitd instance:
+
+```console
+$ docker buildx create \
+  --name remote \
+  --driver remote \
+  tcp://localhost:1234
+```
+
+## Remote Buildkit over Unix sockets
+
+In this scenario, we'll create a setup with buildkitd listening on a unix
+socket, and have buildx connect through it.
+
+Firstly, ensure that [buildkit](https://github.com/moby/buildkit) is installed.
+For example, you can launch an instance of buildkitd with:
+
+```console
+$ sudo ./buildkitd --group $(id -gn) --addr unix://$HOME/buildkitd.sock
+```
+
+Alternatively, [see here](https://github.com/moby/buildkit/blob/master/docs/rootless.md)
+for running buildkitd in rootless mode or [here](https://github.com/moby/buildkit/tree/master/examples/systemd)
+for examples of running it as a systemd service.
+
+You should now have a unix socket accessible to your user, that is available to
+connect to:
+
+```console
+$ ls -lh /home/user/buildkitd.sock
+srw-rw---- 1 root user 0 May  5 11:04 /home/user/buildkitd.sock
+```
+
+You can then connect buildx to it with the remote driver:
+
+```console
+$ docker buildx create \
+  --name remote-unix \
+  --driver remote \
+  unix://$HOME/buildkitd.sock
+```
+        
+If you list available builders, you should then see `remote-unix` among them:
+
+```console
+$ docker buildx ls
+NAME/NODE           DRIVER/ENDPOINT                        STATUS  PLATFORMS
+remote-unix         remote
+  remote-unix0      unix:///home/.../buildkitd.sock        running linux/amd64, linux/amd64/v2, linux/amd64/v3, linux/386
+default *           docker
+  default           default                                running linux/amd64, linux/386
+```
+
+We can switch to this new builder as the default using `docker buildx use remote-unix`,
+or specify it per build:
+
+```console
+$ docker buildx build --builder=remote-unix -t test --load .
+```
+
+(remember that `--load` is necessary when not using the default `docker`
+driver, to load the build result into the docker daemon)
+
+## Remote Buildkit in Docker container
+
+In this scenario, we'll create a similar setup to the `docker-container`
+driver, by manually booting a buildkit docker container and connecting to it
+using the buildx remote driver. In most cases you'd probably just use the
+`docker-container` driver that connects to buildkit through the Docker daemon,
+but in this case we manually create a container and access it via it's exposed
+port.
+
+First, we need to generate certificates for buildkit - you can use the 
+[create-certs.sh](https://github.com/moby/buildkit/v0.10.3/master/examples/kubernetes/create-certs.sh)
+script as a starting point. Note, that while it is *possible* to expose
+buildkit over TCP without using TLS, it is **not recommended**, since this will
+allow arbitrary access to buildkit without credentials.
+
+With our certificates generated in `.certs/`, we startup the container:
+
+```console
+$ docker run -d --rm \
+  --name=remote-buildkitd \
+  --privileged \
+  -p 1234:1234 \
+  -v $PWD/.certs:/etc/buildkit/certs \
+  moby/buildkit:latest \
+  --addr tcp://0.0.0.0:1234 \
+  --tlscacert /etc/buildkit/certs/ca.pem \
+  --tlscert /etc/buildkit/certs/daemon-cert.pem \
+  --tlskey /etc/buildkit/certs/daemon-key.pem
+```
+
+The above command starts a buildkit container and exposes the daemon's port
+1234 to localhost.
+
+We can now connect to this running container using buildx:
+
+```console
+$ docker buildx create \
+  --name remote-container \
+  --driver remote \
+  --driver-opt cacert=.certs/ca.pem,cert=.certs/client-cert.pem,key=.certs/client-key.pem,servername=... \
+  tcp://localhost:1234
+```
+
+Alternatively, we could use the `docker-container://` URL scheme to connect
+to the buildkit container without specifying a port:
+
+```console
+$ docker buildx create \
+  --name remote-container \
+  --driver remote \
+  docker-container://remote-container
+```
+
+## Remote Buildkit in Kubernetes
+
+In this scenario, we'll create a similar setup to the `kubernetes` driver by
+manually creating a buildkit `Deployment`. While the `kubernetes` driver will
+do this under-the-hood, it might sometimes be desirable to scale buildkit
+manually. Additionally, when executing builds from inside Kubernetes pods,
+the buildx builder will need to be recreated from within each pod or copied
+between them.
+
+Firstly, we can create a kubernetes deployment of buildkitd, as per the
+instructions [here](https://github.com/moby/buildkit/tree/master/examples/kubernetes).
+Following the guide, we setup certificates for the buildkit daemon and client
+(as above using [create-certs.sh](https://github.com/moby/buildkit/blob/v0.10.3/examples/kubernetes/create-certs.sh))
+and create a `Deployment` of buildkit pods with a service that connects to
+them.
+
+Assuming that the service is called `buildkitd`, we can create a remote builder
+in buildx, ensuring that the listed certificate files are present:
+
+```console
+$ docker buildx create \
+  --name remote-kubernetes \
+  --driver remote \
+  --driver-opt cacert=.certs/ca.pem,cert=.certs/client-cert.pem,key=.certs/client-key.pem \
+  tcp://buildkitd.default.svc:1234
+```
+
+Note that the above will only work in-cluster (since the buildkit setup guide
+only creates a ClusterIP service). To configure the builder to be accessible
+remotely, you can use an appropriately configured Ingress, which is outside the
+scope of this guide.
+
+To access the service remotely, we can use the port forwarding mechanism in
+kubectl:
+
+```console
+$ kubectl port-forward svc/buildkitd 1234:1234
+```
+
+Then you can simply point the remote driver at `tcp://localhost:1234`.
+
+Alternatively, we could use the `kube-pod://` URL scheme to connect
+directly to a buildkit pod through the kubernetes api (note that this method
+will only connect to a single pod in the deployment):
+
+```console
+$ kubectl get pods --selector=app=buildkitd -o json | jq -r '.items[].metadata.name
+buildkitd-XXXXXXXXXX-xxxxx
+$ docker buildx create \
+  --name remote-container \
+  --driver remote \
+  kube-pod://buildkitd-XXXXXXXXXX-xxxxx
+```
+
+<!--- FIXME: for 0.9, add further reading section with link to reference --->
--- a/docs/guides/opentelemetry.md
+++ b/docs/guides/opentelemetry.md
@@ -9,7 +9,7 @@ First create a Jaeger container:
 $ docker run -d --name jaeger -p "6831:6831/udp" -p "16686:16686" jaegertracing/all-in-one
 ```

-Then [create a `docker-container` builder](../reference/buildx_create.md)
+Then [create a `docker-container` builder](https://docs.docker.com/engine/reference/commandline/buildx_create/)
 that will use the Jaeger instance via the `JAEGER_TRACE` env var:

 ```console
@@ -20,7 +20,7 @@ $ docker buildx create --use \
  --driver-opt "env.JAEGER_TRACE=localhost:6831"
 ```

-Boot and [inspect `mybuilder`](../reference/buildx_inspect.md):
+Boot and [inspect `mybuilder`](https://docs.docker.com/engine/reference/commandline/buildx_inspect/):

 ```console
 $ docker buildx inspect --bootstrap
@@ -28,4 +28,4 @@ $ docker buildx inspect --bootstrap

 Buildx commands should be traced at `http://127.0.0.1:16686/`:

-![](https://user-images.githubusercontent.com/1951866/124468052-ef085400-dd98-11eb-84ab-7ac8e261dd52.png)
+![OpenTelemetry Buildx Bake](https://user-images.githubusercontent.com/1951866/124468052-ef085400-dd98-11eb-84ab-7ac8e261dd52.png)
--- a/docs/guides/registry-mirror.md
+++ b/docs/guides/registry-mirror.md
@@ -1,19 +1,21 @@
 # Registry mirror

 You can define a registry mirror to use for your builds by providing a [BuildKit daemon configuration](https://github.com/moby/buildkit/blob/master/docs/buildkitd.toml.md)
-while creating a builder with the [`--config` flags](../reference/buildx_create.md#config).
+while creating a builder with the [`--config` flags](https://docs.docker.com/engine/reference/commandline/buildx_create/#config).

 ```toml
+# /etc/buildkitd.toml
 debug = true
 [registry."docker.io"]
  mirrors = ["mirror.gcr.io"]
 ```
-> `/etc/buildkitd.toml`

-> :information_source: `debug = true` has been added to be able to debug requests
-in the BuildKit daemon and see if the mirror is effectively used.
+> **Note**
+>
+> `debug = true` has been added to be able to debug requests
+> in the BuildKit daemon and see if the mirror is effectively used.

-Then [create a `docker-container` builder](../reference/buildx_create.md)
+Then [create a `docker-container` builder](https://docs.docker.com/engine/reference/commandline/buildx_create/)
 that will use this BuildKit configuration:

 ```console
@@ -23,7 +25,7 @@ $ docker buildx create --use \
  --config /etc/buildkitd.toml
 ```

-Boot and [inspect `mybuilder`](../reference/buildx_inspect.md):
+Boot and [inspect `mybuilder`](https://docs.docker.com/engine/reference/commandline/buildx_inspect/):

 ```console
 $ docker buildx inspect --bootstrap
--- a/docs/guides/resource-limiting.md
+++ b/docs/guides/resource-limiting.md
@@ -4,15 +4,15 @@

 You can limit the parallelism of the BuildKit solver, which is particularly useful
 for low-powered machines, using a [BuildKit daemon configuration](https://github.com/moby/buildkit/blob/master/docs/buildkitd.toml.md)
-while creating a builder with the [`--config` flags](../reference/buildx_create.md#config).
+while creating a builder with the [`--config` flags](https://docs.docker.com/engine/reference/commandline/buildx_create/#config).

 ```toml
+# /etc/buildkitd.toml
 [worker.oci]
  max-parallelism = 4
 ```
-> `/etc/buildkitd.toml`

-Now you can [create a `docker-container` builder](../reference/buildx_create.md)
+Now you can [create a `docker-container` builder](https://docs.docker.com/engine/reference/commandline/buildx_create/)
 that will use this BuildKit configuration to limit parallelism.

 ```console
--- a/docs/reference/buildx_bake.md
+++ b/docs/reference/buildx_bake.md
@@ -9,7 +9,7 @@ Build from a file

 ### Aliases

-`bake`, `f`
+`docker buildx bake`, `docker buildx f`

 ### Options

@@ -34,12 +34,14 @@ Build from a file
 Bake is a high-level build command. Each specified target will run in parallel
 as part of the build.

-Read [High-level build options](https://github.com/docker/buildx#high-level-build-options)
-for introduction.
+Read [High-level build options with Bake](https://docs.docker.com/build/bake/)
+guide for introduction to writing bake files.

-Please note that `buildx bake` command may receive backwards incompatible
-features in the future if needed. We are looking for feedback on improving the
-command and extending the functionality further.
+> **Note**
+>
+> `buildx bake` command may receive backwards incompatible features in the future
+> if needed. We are looking for feedback on improving the command and extending
+> the functionality further.

 ## Examples

@@ -49,166 +51,42 @@ Same as [`buildx --builder`](buildx.md#builder).

 ### <a name="file"></a> Specify a build definition file (-f, --file)

-By default, `buildx bake` looks for build definition files in the current
-directory, the following are parsed:
-
- `docker-compose.yml`
- `docker-compose.yaml`
- `docker-bake.json`
- `docker-bake.override.json`
- `docker-bake.hcl`
- `docker-bake.override.hcl`
-
-Use the `-f` / `--file` option to specify the build definition file to use. The
-file can be a Docker Compose, JSON or HCL file. If multiple files are specified
+Use the `-f` / `--file` option to specify the build definition file to use.
+The file can be an HCL, JSON or Compose file. If multiple files are specified
 they are all read and configurations are combined.

-The following example uses a Docker Compose file named `docker-compose.dev.yaml`
-as build definition file, and builds all targets in the file:
+You can pass the names of the targets to build, to build only specific target(s).
+The following example builds the `db` and `webapp-release` targets that are
+defined in the `docker-bake.dev.hcl` file:

-```console
-$ docker buildx bake -f docker-compose.dev.yaml
-
-[+] Building 66.3s (30/30) FINISHED
- => [frontend internal] load build definition from Dockerfile  0.1s
- => => transferring dockerfile: 36B                            0.0s
- => [backend internal] load build definition from Dockerfile   0.2s
- => => transferring dockerfile: 3.73kB                         0.0s
- => [database internal] load build definition from Dockerfile  0.1s
- => => transferring dockerfile: 5.77kB                         0.0s
- ...
-```
-
-Pass the names of the targets to build, to build only specific target(s). The
-following example builds the `backend` and `database` targets that are defined
-in the `docker-compose.dev.yaml` file, skipping the build for the `frontend`
-target:
-
-```console
-$ docker buildx bake -f docker-compose.dev.yaml backend database
-
-[+] Building 2.4s (13/13) FINISHED
- => [backend internal] load build definition from Dockerfile  0.1s
- => => transferring dockerfile: 81B                           0.0s
- => [database internal] load build definition from Dockerfile 0.2s
- => => transferring dockerfile: 36B                           0.0s
- => [backend internal] load .dockerignore                     0.3s
- ...
-```
-
-You can also use a remote `git` bake definition:
-
-```console
-$ docker buildx bake "https://github.com/docker/cli.git#v20.10.11" --print
-#1 [internal] load git source https://github.com/docker/cli.git#v20.10.11
-#1 0.745 e8f1871b077b64bcb4a13334b7146492773769f7       refs/tags/v20.10.11
-#1 2.022 From https://github.com/docker/cli
-#1 2.022  * [new tag]         v20.10.11  -> v20.10.11
-#1 DONE 2.9s
-{
-  "group": {
-    "default": {
-      "targets": [
-        "binary"
-      ]
-    }
-  },
-  "target": {
-    "binary": {
-      "context": "https://github.com/docker/cli.git#v20.10.11",
-      "dockerfile": "Dockerfile",
-      "args": {
-        "BASE_VARIANT": "alpine",
-        "GO_STRIP": "",
-        "VERSION": ""
-      },
-      "target": "binary",
-      "platforms": [
-        "local"
-      ],
-      "output": [
-        "build"
-      ]
-    }
-  }
+```hcl
+# docker-bake.dev.hcl
+group "default" {
+  targets = ["db", "webapp-dev"]
 }
-```

-As you can see the context is fixed to `https://github.com/docker/cli.git` even if
-[no context is actually defined](https://github.com/docker/cli/blob/2776a6d694f988c0c1df61cad4bfac0f54e481c8/docker-bake.hcl#L17-L26)
-in the definition.
+target "webapp-dev" {
+  dockerfile = "Dockerfile.webapp"
+  tags = ["docker.io/username/webapp"]
+}

-If you want to access the main context for bake command from a bake file
-that has been imported remotely, you can use the `BAKE_CMD_CONTEXT` builtin var:
+target "webapp-release" {
+  inherits = ["webapp-dev"]
+  platforms = ["linux/amd64", "linux/arm64"]
+}

-```console
-$ cat https://raw.githubusercontent.com/tonistiigi/buildx/remote-test/docker-bake.hcl
-target "default" {
-  context = BAKE_CMD_CONTEXT
-  dockerfile-inline = <<EOT
-FROM alpine
-WORKDIR /src
-COPY . .
-RUN ls -l && stop
-EOT
+target "db" {
+  dockerfile = "Dockerfile.db"
+  tags = ["docker.io/username/db"]
 }
 ```

 ```console
-$ docker buildx bake "https://github.com/tonistiigi/buildx.git#remote-test" --print
-{
-  "target": {
-    "default": {
-      "context": ".",
-      "dockerfile": "Dockerfile",
-      "dockerfile-inline": "FROM alpine\nWORKDIR /src\nCOPY . .\nRUN ls -l \u0026\u0026 stop\n"
-    }
-  }
-}
+$ docker buildx bake -f docker-bake.dev.hcl db webapp-release
 ```

-```console
-$ touch foo bar
-$ docker buildx bake "https://github.com/tonistiigi/buildx.git#remote-test"
-...
- > [4/4] RUN ls -l && stop:
-#8 0.101 total 0
-#8 0.102 -rw-r--r--    1 root     root             0 Jul 27 18:47 bar
-#8 0.102 -rw-r--r--    1 root     root             0 Jul 27 18:47 foo
-#8 0.102 /bin/sh: stop: not found
-```
-
-```console
-$ docker buildx bake "https://github.com/tonistiigi/buildx.git#remote-test" "https://github.com/docker/cli.git#v20.10.11" --print
-#1 [internal] load git source https://github.com/tonistiigi/buildx.git#remote-test
-#1 0.429 577303add004dd7efeb13434d69ea030d35f7888       refs/heads/remote-test
-#1 CACHED
-{
-  "target": {
-    "default": {
-      "context": "https://github.com/docker/cli.git#v20.10.11",
-      "dockerfile": "Dockerfile",
-      "dockerfile-inline": "FROM alpine\nWORKDIR /src\nCOPY . .\nRUN ls -l \u0026\u0026 stop\n"
-    }
-  }
-}
-```
-
-```console
-$ docker buildx bake "https://github.com/tonistiigi/buildx.git#remote-test" "https://github.com/docker/cli.git#v20.10.11"
-...
- > [4/4] RUN ls -l && stop:
-#8 0.136 drwxrwxrwx    5 root     root          4096 Jul 27 18:31 kubernetes
-#8 0.136 drwxrwxrwx    3 root     root          4096 Jul 27 18:31 man
-#8 0.136 drwxrwxrwx    2 root     root          4096 Jul 27 18:31 opts
-#8 0.136 -rw-rw-rw-    1 root     root          1893 Jul 27 18:31 poule.yml
-#8 0.136 drwxrwxrwx    7 root     root          4096 Jul 27 18:31 scripts
-#8 0.136 drwxrwxrwx    3 root     root          4096 Jul 27 18:31 service
-#8 0.136 drwxrwxrwx    2 root     root          4096 Jul 27 18:31 templates
-#8 0.136 drwxrwxrwx   10 root     root          4096 Jul 27 18:31 vendor
-#8 0.136 -rwxrwxrwx    1 root     root          9620 Jul 27 18:31 vendor.conf
-#8 0.136 /bin/sh: stop: not found
-```
+See our [file definition](https://docs.docker.com/build/bake/file-definition/)
+guide for more details.

 ### <a name="no-cache"></a> Do not use cache when building the image (--no-cache)

@@ -243,26 +121,7 @@ $ docker buildx bake -f docker-bake.hcl --print db

 ### <a name="progress"></a> Set type of progress output (--progress)

-Same as [`build --progress`](buildx_build.md#progress). Set type of progress
-output (auto, plain, tty). Use plain to show container output (default "auto").
-
-> You can also use the `BUILDKIT_PROGRESS` environment variable to set its value.
-
-The following example uses `plain` output during the build:
-
-```console
-$ docker buildx bake --progress=plain
-
-#2 [backend internal] load build definition from Dockerfile.test
-#2 sha256:de70cb0bb6ed8044f7b9b1b53b67f624e2ccfb93d96bb48b70c1fba562489618
-#2 ...
-
-#1 [database internal] load build definition from Dockerfile.test
-#1 sha256:453cb50abd941762900a1212657a35fc4aad107f5d180b0ee9d93d6b74481bce
-#1 transferring dockerfile: 36B done
-#1 DONE 0.1s
-...
-```
+Same as [`build --progress`](buildx_build.md#progress).

 ### <a name="pull"></a> Always attempt to pull a newer version of the image (--pull)

@@ -286,701 +145,20 @@ $ docker buildx bake --set foo*.no-cache              # bypass caching only for
 ```

 Complete list of overridable fields:
-`args`, `cache-from`, `cache-to`, `context`, `dockerfile`, `labels`, `no-cache`,
-`output`, `platform`, `pull`, `secrets`, `ssh`, `tags`, `target`

-### File definition
-
-In addition to compose files, bake supports a JSON and an equivalent HCL file
-format for defining build groups and targets.
-
-A target reflects a single docker build invocation with the same options that
-you would specify for `docker build`. A group is a grouping of targets.
-
-Multiple files can include the same target and final build options will be
-determined by merging them together.
-
-In the case of compose files, each service corresponds to a target.
-
-A group can specify its list of targets with the `targets` option. A target can
-inherit build options by setting the `inherits` option to the list of targets or
-groups to inherit from.
-
-Note: Design of bake command is work in progress, the user experience may change
-based on feedback.
-
-HCL definition example:
-
-```hcl
-group "default" {
-    targets = ["db", "webapp-dev"]
-}
-
-target "webapp-dev" {
-    dockerfile = "Dockerfile.webapp"
-    tags = ["docker.io/username/webapp"]
-}
-
-target "webapp-release" {
-    inherits = ["webapp-dev"]
-    platforms = ["linux/amd64", "linux/arm64"]
-}
-
-target "db" {
-    dockerfile = "Dockerfile.db"
-    tags = ["docker.io/username/db"]
-}
-```
-
-Complete list of valid target fields:
-
-`args`, `cache-from`, `cache-to`, `context`, `contexts`, `dockerfile`, `inherits`, `labels`,
-`no-cache`, `no-cache-filter`, `output`, `platform`, `pull`, `secrets`, `ssh`, `tags`, `target`
-
-### Global scope attributes
-
-You can define global scope attributes in HCL/JSON and use them for code reuse
-and setting values for variables. This means you can do a "data-only" HCL file
-with the values you want to set/override and use it in the list of regular
-output files.
-
-```hcl
-# docker-bake.hcl
-variable "FOO" {
-    default = "abc"
-}
-
-target "app" {
-    args = {
-        v1 = "pre-${FOO}"
-    }
-}
-```
-
-You can use this file directly:
-
-```console
-$ docker buildx bake --print app
-{
-  "group": {
-    "default": {
-      "targets": [
-        "app"
-      ]
-    }
-  },
-  "target": {
-    "app": {
-      "context": ".",
-      "dockerfile": "Dockerfile",
-      "args": {
-        "v1": "pre-abc"
-      }
-    }
-  }
-}
-```
-
-Or create an override configuration file:
-
-```hcl
-# env.hcl
-WHOAMI="myuser"
-FOO="def-${WHOAMI}"
-```
-
-And invoke bake together with both of the files:
-
-```console
-$ docker buildx bake -f docker-bake.hcl -f env.hcl --print app
-{
-  "group": {
-    "default": {
-      "targets": [
-        "app"
-      ]
-    }
-  },
-  "target": {
-    "app": {
-      "context": ".",
-      "dockerfile": "Dockerfile",
-      "args": {
-        "v1": "pre-def-myuser"
-      }
-    }
-  }
-}
-```
-
-### HCL variables and functions
-
-Similar to how Terraform provides a way to [define variables](https://www.terraform.io/docs/configuration/variables.html#declaring-an-input-variable),
-the HCL file format also supports variable block definitions. These can be used
-to define variables with values provided by the current environment, or a
-default value when unset.
-
-A [set of generally useful functions](https://github.com/docker/buildx/blob/master/bake/hclparser/stdlib.go)
-provided by [go-cty](https://github.com/zclconf/go-cty/tree/main/cty/function/stdlib)
-are available for use in HCL files. In addition, [user defined functions](https://github.com/hashicorp/hcl/tree/main/ext/userfunc)
-are also supported.
-
-#### Using interpolation to tag an image with the git sha
-
-Bake supports variable blocks which are assigned to matching environment
-variables or default values.
-
-```hcl
-# docker-bake.hcl
-variable "TAG" {
-    default = "latest"
-}
-
-group "default" {
-    targets = ["webapp"]
-}
-
-target "webapp" {
-    tags = ["docker.io/username/webapp:${TAG}"]
-}
-```
-
-alternatively, in json format:
-
-```json
-{
-  "variable": {
-    "TAG": {
-      "default": "latest"
-    }
-  }
-  "group": {
-    "default": {
-      "targets": ["webapp"]
-    }
-  },
-  "target": {
-    "webapp": {
-      "tags": ["docker.io/username/webapp:${TAG}"]
-    }
-  }
-}
-```
-
-```console
-$ docker buildx bake --print webapp
-{
-  "group": {
-    "default": {
-      "targets": [
-        "webapp"
-      ]
-    }
-  },
-  "target": {
-    "webapp": {
-      "context": ".",
-      "dockerfile": "Dockerfile",
-      "tags": [
-        "docker.io/username/webapp:latest"
-      ]
-    }
-  }
-}
-```
-
-```console
-$ TAG=$(git rev-parse --short HEAD) docker buildx bake --print webapp
-{
-  "group": {
-    "default": {
-      "targets": [
-        "webapp"
-      ]
-    }
-  },
-  "target": {
-    "webapp": {
-      "context": ".",
-      "dockerfile": "Dockerfile",
-      "tags": [
-        "docker.io/username/webapp:985e9e9"
-      ]
-    }
-  }
-}
-```
-
-#### Using the `add` function
-
-You can use [`go-cty` stdlib functions](https://github.com/zclconf/go-cty/tree/main/cty/function/stdlib).
-Here we are using the `add` function.
-
-```hcl
-# docker-bake.hcl
-variable "TAG" {
-    default = "latest"
-}
-
-group "default" {
-    targets = ["webapp"]
-}
-
-target "webapp" {
-    args = {
-        buildno = "${add(123, 1)}"
-    }
-}
-```
-
-```console
-$ docker buildx bake --print webapp
-{
-  "group": {
-    "default": {
-      "targets": [
-        "webapp"
-      ]
-    }
-  },
-  "target": {
-    "webapp": {
-      "context": ".",
-      "dockerfile": "Dockerfile",
-      "args": {
-        "buildno": "124"
-      }
-    }
-  }
-}
-```
-
-#### Defining an `increment` function
-
-It also supports [user defined functions](https://github.com/hashicorp/hcl/tree/main/ext/userfunc).
-The following example defines a simple an `increment` function.
-
-```hcl
-# docker-bake.hcl
-function "increment" {
-    params = [number]
-    result = number + 1
-}
-
-group "default" {
-    targets = ["webapp"]
-}
-
-target "webapp" {
-    args = {
-        buildno = "${increment(123)}"
-    }
-}
-```
-
-```console
-$ docker buildx bake --print webapp
-{
-  "group": {
-    "default": {
-      "targets": [
-        "webapp"
-      ]
-    }
-  },
-  "target": {
-    "webapp": {
-      "context": ".",
-      "dockerfile": "Dockerfile",
-      "args": {
-        "buildno": "124"
-      }
-    }
-  }
-}
-```
-
-#### Only adding tags if a variable is not empty using an `notequal`
-
-Here we are using the conditional `notequal` function which is just for
-symmetry with the `equal` one.
-
-```hcl
-# docker-bake.hcl
-variable "TAG" {default="" }
-
-group "default" {
-    targets = [
-        "webapp",
-    ]
-}
-
-target "webapp" {
-    context="."
-    dockerfile="Dockerfile"
-    tags = [
-        "my-image:latest",
-        notequal("",TAG) ? "my-image:${TAG}": "",
-    ]
-}
-```
-
-```console
-$ docker buildx bake --print webapp
-{
-  "group": {
-    "default": {
-      "targets": [
-        "webapp"
-      ]
-    }
-  },
-  "target": {
-    "webapp": {
-      "context": ".",
-      "dockerfile": "Dockerfile",
-      "tags": [
-        "my-image:latest"
-      ]
-    }
-  }
-}
-```
-
-#### Using variables in functions
-
-You can refer variables to other variables like the target blocks can. Stdlib
-functions can also be called but user functions can't at the moment.
-
-```hcl
-# docker-bake.hcl
-variable "REPO" {
-    default = "user/repo"
-}
-
-function "tag" {
-    params = [tag]
-    result = ["${REPO}:${tag}"]
-}
-
-target "webapp" {
-    tags = tag("v1")
-}
-```
-
-```console
-$ docker buildx bake --print webapp
-{
-  "group": {
-    "default": {
-      "targets": [
-        "webapp"
-      ]
-    }
-  },
-  "target": {
-    "webapp": {
-      "context": ".",
-      "dockerfile": "Dockerfile",
-      "tags": [
-        "user/repo:v1"
-      ]
-    }
-  }
-}
-```
-
-#### Using variables in variables across files
-
-When multiple files are specified, one file can use variables defined in
-another file.
-
-```hcl
-# docker-bake1.hcl
-variable "FOO" {
-    default = upper("${BASE}def")
-}
-
-variable "BAR" {
-    default = "-${FOO}-"
-}
-
-target "app" {
-    args = {
-        v1 = "pre-${BAR}"
-    }
-}
-```
-
-```hcl
-# docker-bake2.hcl
-variable "BASE" {
-    default = "abc"
-}
-
-target "app" {
-    args = {
-        v2 = "${FOO}-post"
-    }
-}
-```
-
-```console
-$ docker buildx bake -f docker-bake1.hcl -f docker-bake2.hcl --print app
-{
-  "group": {
-    "default": {
-      "targets": [
-        "app"
-      ]
-    }
-  },
-  "target": {
-    "app": {
-      "context": ".",
-      "dockerfile": "Dockerfile",
-      "args": {
-        "v1": "pre--ABCDEF-",
-        "v2": "ABCDEF-post"
-      }
-    }
-  }
-}
-```
-
-#### Using typed variables
-
-Non-string variables are also accepted. The value passed with env is parsed
-into suitable type first.
-
-```hcl
-# docker-bake.hcl
-variable "FOO" {
-    default = 3
-}
-
-variable "IS_FOO" {
-    default = true
-}
-
-target "app" {
-    args = {
-        v1 = FOO > 5 ? "higher" : "lower" 
-        v2 = IS_FOO ? "yes" : "no"
-    }
-}
-```
-
-```console
-$ docker buildx bake --print app
-{
-  "group": {
-    "default": {
-      "targets": [
-        "app"
-      ]
-    }
-  },
-  "target": {
-    "app": {
-      "context": ".",
-      "dockerfile": "Dockerfile",
-      "args": {
-        "v1": "lower",
-        "v2": "yes"
-      }
-    }
-  }
-}
-```
-
-### Defining additional build contexts and linking targets
-
-In addition to the main `context` key that defines the build context each target can also define additional named contexts with a map defined with key `contexts`. These values map to the `--build-context` flag in the [build command](buildx_build.md#build-context).
-
-Inside the Dockerfile these contexts can be used with the `FROM` instruction or `--from` flag.
-
-The value can be a local source directory, container image (with docker-image:// prefix), Git URL, HTTP URL or a name of another target in the Bake file (with target: prefix).
-
-#### Pinning alpine image
-
-```Dockerfile
-# Dockerfile
-FROM alpine
-RUN echo "Hello world"
-```
-
-```hcl
-# docker-bake.hcl
-target "app" {
-    contexts = {
-        alpine = "docker-image://alpine:3.13"
-    }
-}
-```
-
-#### Using a secondary source directory
-
-```Dockerfile
-# Dockerfile
-
-FROM scratch AS src
-
-FROM golang
-COPY --from=src . .
-```
-
-```hcl
-# docker-bake.hcl
-target "app" {
-    contexts = {
-        src = "../path/to/source"
-    }
-}
-```
-
-#### Using a result of one target as a base image in another target
-
-To use a result of one target as a build context of another, specity the target name with `target:` prefix.
-
-```Dockerfile
-# Dockerfile
-FROM baseapp
-RUN echo "Hello world"
-```
-
-```hcl
-# docker-bake.hcl
-
-target "base" {
-    dockerfile = "baseapp.Dockerfile"
-}
-
-target "app" {
-    contexts = {
-        baseapp = "target:base"
-    }
-}
-```
-
-Please note that in most cases you should just use a single multi-stage Dockerfile with multiple targets for similar behavior. This case is recommended when you have multiple Dockerfiles that can't be easily merged into one.
-
-### Extension field with Compose
-
-[Special extension](https://github.com/compose-spec/compose-spec/blob/master/spec.md#extension)
-field `x-bake` can be used in your compose file to evaluate fields that are not
-(yet) available in the [build definition](https://github.com/compose-spec/compose-spec/blob/master/build.md#build-definition).
-
-```yaml
-# docker-compose.yml
-services:
-  addon:
-    image: ct-addon:bar
-    build:
-      context: .
-      dockerfile: ./Dockerfile
-      args:
-        CT_ECR: foo
-        CT_TAG: bar
-      x-bake:
-        tags:
-          - ct-addon:foo
-          - ct-addon:alp
-        platforms:
-          - linux/amd64
-          - linux/arm64
-        cache-from:
-          - user/app:cache
-          - type=local,src=path/to/cache
-        cache-to: type=local,dest=path/to/cache
-        pull: true
-
-  aws:
-    image: ct-fake-aws:bar
-    build:
-      dockerfile: ./aws.Dockerfile
-      args:
-        CT_ECR: foo
-        CT_TAG: bar
-      x-bake:
-        secret:
-          - id=mysecret,src=./secret
-          - id=mysecret2,src=./secret2
-        platforms: linux/arm64
-        output: type=docker
-        no-cache: true
-```
-
-```console
-$ docker buildx bake --print
-{
-  "group": {
-    "default": {
-      "targets": [
-        "aws",
-        "addon"
-      ]
-    }
-  },
-  "target": {
-    "addon": {
-      "context": ".",
-      "dockerfile": "./Dockerfile",
-      "args": {
-        "CT_ECR": "foo",
-        "CT_TAG": "bar"
-      },
-      "tags": [
-        "ct-addon:foo",
-        "ct-addon:alp"
-      ],
-      "cache-from": [
-        "user/app:cache",
-        "type=local,src=path/to/cache"
-      ],
-      "cache-to": [
-        "type=local,dest=path/to/cache"
-      ],
-      "platforms": [
-        "linux/amd64",
-        "linux/arm64"
-      ],
-      "pull": true
-    },
-    "aws": {
-      "context": ".",
-      "dockerfile": "./aws.Dockerfile",
-      "args": {
-        "CT_ECR": "foo",
-        "CT_TAG": "bar"
-      },
-      "tags": [
-        "ct-fake-aws:bar"
-      ],
-      "secret": [
-        "id=mysecret,src=./secret",
-        "id=mysecret2,src=./secret2"
-      ],
-      "platforms": [
-        "linux/arm64"
-      ],
-      "output": [
-        "type=docker"
-      ],
-      "no-cache": true
-    }
-  }
-}
-```
-
-Complete list of valid fields for `x-bake`:
-
-`tags`, `cache-from`, `cache-to`, `secret`, `ssh`, `platforms`, `output`,
-`pull`, `no-cache`, `no-cache-filter`
-
-### Built-in variables
-
-* `BAKE_CMD_CONTEXT` can be used to access the main `context` for bake command
-from a bake file that has been [imported remotely](#file).
-* `BAKE_LOCAL_PLATFORM` returns the current platform's default platform
-specification (e.g. `linux/amd64`).
+* `args`
+* `cache-from`
+* `cache-to`
+* `context`
+* `dockerfile`
+* `labels`
+* `no-cache`
+* `no-cache-filter`
+* `output`
+* `platform`
+* `pull`
+* `push`
+* `secrets`
+* `ssh`
+* `tags`
+* `target`
--- a/docs/reference/buildx_build.md
+++ b/docs/reference/buildx_build.md
@@ -9,7 +9,7 @@ Start a build

 ### Aliases

-`build`, `b`
+`docker buildx build`, `docker buildx b`

 ### Options

@@ -25,6 +25,7 @@ Start a build
 | [`--cgroup-parent`](https://docs.docker.com/engine/reference/commandline/build/#use-a-custom-parent-cgroup---cgroup-parent) | `string` |  | Optional parent cgroup for the container |
 | [`-f`](https://docs.docker.com/engine/reference/commandline/build/#specify-a-dockerfile--f), [`--file`](https://docs.docker.com/engine/reference/commandline/build/#specify-a-dockerfile--f) | `string` |  | Name of the Dockerfile (default: `PATH/Dockerfile`) |
 | `--iidfile` | `string` |  | Write the image ID to the file |
+| `--invoke` | `string` |  | Invoke a command after the build [experimental] |
 | `--label` | `stringArray` |  | Set metadata for an image |
 | [`--load`](#load) |  |  | Shorthand for `--output=type=docker` |
 | [`--metadata-file`](#metadata-file) | `string` |  | Write build result metadata to the file |
@@ -33,6 +34,7 @@ Start a build
 | `--no-cache-filter` | `stringArray` |  | Do not cache specified stages |
 | [`-o`](#output), [`--output`](#output) | `stringArray` |  | Output destination (format: `type=local,dest=path`) |
 | [`--platform`](#platform) | `stringArray` |  | Set target platform for build |
+| `--print` | `string` |  | Print result of information request (e.g., outline, targets) [experimental] |
 | [`--progress`](#progress) | `string` | `auto` | Set type of progress output (`auto`, `plain`, `tty`). Use plain to show container output |
 | `--pull` |  |  | Always attempt to pull all referenced images |
 | [`--push`](#push) |  |  | Shorthand for `--output=type=registry` |
@@ -47,6 +49,9 @@ Start a build

 <!---MARKER_GEN_END-->

+Flags marked with `[experimental]` need to be explicitly enabled by setting the
+`BUILDX_EXPERIMENTAL=1` environment variable.
+
 ## Description

 The `buildx build` command starts a build using BuildKit. This command is similar
@@ -68,7 +73,7 @@ Allow extra privileged entitlement. List of entitlements:

 - `network.host` - Allows executions with host networking.
 - `security.insecure` - Allows executions without sandbox. See
-  [related Dockerfile extensions](https://github.com/moby/buildkit/blob/master/frontend/dockerfile/docs/experimental.md#run---securityinsecuresandbox).
+  [related Dockerfile extensions](https://docs.docker.com/engine/reference/builder/#run---securitysandbox).

 For entitlements to be enabled, the `buildkitd` daemon also needs to allow them
 with `--allow-insecure-entitlement` (see [`create --buildkitd-flags`](buildx_create.md#buildkitd-flags))
@@ -89,13 +94,15 @@ There are also useful built-in build args like:
 * `BUILDKIT_CONTEXT_KEEP_GIT_DIR=<bool>` trigger git context to keep the `.git` directory
 * `BUILDKIT_INLINE_BUILDINFO_ATTRS=<bool>` inline build info attributes in image config or not
 * `BUILDKIT_INLINE_CACHE=<bool>` inline cache metadata to image config or not
-* `BUILDKIT_MULTI_PLATFORM=<bool>` opt into determnistic output regardless of multi-platform output or not
+* `BUILDKIT_MULTI_PLATFORM=<bool>` opt into deterministic output regardless of multi-platform output or not

 ```console
 $ docker buildx build --build-arg BUILDKIT_MULTI_PLATFORM=1 .
 ```

-More built-in build args can be found in [dockerfile frontend docs](https://github.com/moby/buildkit/blob/master/frontend/dockerfile/docs/syntax.md#built-in-build-args).
+> **Note**
+>
+> More built-in build args can be found in [Dockerfile reference docs](https://docs.docker.com/engine/reference/builder/#buildkit-built-in-build-args).

 ### <a name="build-context"></a> Additional build contexts (--build-context)

@@ -106,7 +113,7 @@ More built-in build args can be found in [dockerfile frontend docs](https://gith
 Define additional build context with specified contents. In Dockerfile the context can be accessed when `FROM name` or `--from=name` is used.
 When Dockerfile defines a stage with the same name it is overwritten.

-The value can be a local source directory, container image (with docker-image:// prefix), Git or HTTP URL.
+The value can be a local source directory, [local OCI layout compliant directory](https://github.com/opencontainers/image-spec/blob/main/image-layout.md), container image (with docker-image:// prefix), Git or HTTP URL.

 Replace `alpine:latest` with a pinned one:

@@ -126,6 +133,32 @@ FROM alpine
 COPY --from=project myfile /
 ```

+#### <a name="source-oci-layout"></a> Source image from OCI layout directory
+
+Source an image from a local [OCI layout compliant directory](https://github.com/opencontainers/image-spec/blob/main/image-layout.md):
+
+```console
+$ docker buildx build --build-context foo=oci-layout:///path/to/local/layout@sha256:abcd12345 .
+```
+
+```Dockerfile
+FROM alpine
+RUN apk add git
+
+COPY --from=foo myfile /
+
+FROM foo
+```
+
+The OCI layout directory must be compliant with the [OCI layout specification](https://github.com/opencontainers/image-spec/blob/main/image-layout.md). It looks _solely_ for hashes. It does not
+do any form of `image:tag` resolution to find the hash of the manifest; that is up to you.
+
+The format of the `--build-context` must be: `<context>=oci-layout://<path-to-local-layout>@sha256:<hash-of-manifest>`, where:
+
+* `context` is the name of the build context as used in the `Dockerfile`.
+* `path-to-local-layout` is the path on the local machine, where you are running `docker build`, to the spec-compliant OCI layout.
+* `hash-of-manifest` is the hash of the manifest for the image. It can be a single-architecture manifest or a multi-architecture index.
+
 ### <a name="builder"></a> Override the configured builder instance (--builder)

 Same as [`buildx --builder`](buildx.md#builder).
@@ -387,8 +420,9 @@ $ docker buildx build --platform=darwin .
 Set type of progress output (auto, plain, tty). Use plain to show container
 output (default "auto").

-> You can also use the `BUILDKIT_PROGRESS` environment variable to set
-> its value.
+> **Note**
+>
+> You can also use the `BUILDKIT_PROGRESS` environment variable to set its value.

 The following example uses `plain` output during the build:

@@ -405,6 +439,11 @@ $ docker buildx build --load --progress=plain .
 ...
 ```

+> **Note**
+>
+> Check also our [Color output controls guide](https://github.com/docker/buildx/blob/master/docs/guides/color-output.md)
+> for modifying the colors that are used to output information to the terminal.
+
 ### <a name="push"></a> Push the build result to a registry (--push)

 Shorthand for [`--output=type=registry`](#registry). Will automatically push the
@@ -417,7 +456,7 @@ build result to registry.
 ```

 Exposes secret to the build. The secret can be used by the build using
-[`RUN --mount=type=secret` mount](https://github.com/moby/buildkit/blob/master/frontend/dockerfile/docs/syntax.md#run---mounttypesecret).
+[`RUN --mount=type=secret` mount](https://docs.docker.com/engine/reference/builder/#run---mounttypesecret).

 If `type` is unset it will be detected. Supported types are:

@@ -429,7 +468,7 @@ Attribute keys:
 - `src`, `source` - Secret filename. `id` used if unset.

 ```dockerfile
-# syntax=docker/dockerfile:1.3
+# syntax=docker/dockerfile:1.4
 FROM python:3
 RUN pip install awscli
 RUN --mount=type=secret,id=aws,target=/root/.aws/credentials \
@@ -448,7 +487,7 @@ Attribute keys:
 - `env` - Secret environment variable. `id` used if unset, otherwise will look for `src`, `source` if `id` unset.

 ```dockerfile
-# syntax=docker/dockerfile:1.3
+# syntax=docker/dockerfile:1.4
 FROM node:alpine
 RUN --mount=type=bind,target=. \
  --mount=type=secret,id=SECRET_TOKEN \
@@ -475,12 +514,12 @@ This can be useful when some commands in your Dockerfile need specific SSH
 authentication (e.g., cloning a private repository).

 `--ssh` exposes SSH agent socket or keys to the build and can be used with the
-[`RUN --mount=type=ssh` mount](https://github.com/moby/buildkit/blob/master/frontend/dockerfile/docs/syntax.md#run---mounttypessh).
+[`RUN --mount=type=ssh` mount](https://docs.docker.com/engine/reference/builder/#run---mounttypessh).

 Example to access Gitlab using an SSH agent socket:

 ```dockerfile
-# syntax=docker/dockerfile:1.3
+# syntax=docker/dockerfile:1.4
 FROM alpine
 RUN apk add --no-cache openssh-client
 RUN mkdir -p -m 0700 ~/.ssh && ssh-keyscan gitlab.com >> ~/.ssh/known_hosts
--- a/docs/reference/buildx_create.md
+++ b/docs/reference/buildx_create.md
@@ -15,7 +15,7 @@ Create a new builder instance
 | `--bootstrap` |  |  | Boot builder after creation |
 | [`--buildkitd-flags`](#buildkitd-flags) | `string` |  | Flags for buildkitd daemon |
 | [`--config`](#config) | `string` |  | BuildKit config file |
-| [`--driver`](#driver) | `string` |  | Driver to use (available: `docker`, `docker-container`, `kubernetes`) |
+| [`--driver`](#driver) | `string` |  | Driver to use (available: `docker-container`, `kubernetes`, `remote`) |
 | [`--driver-opt`](#driver-opt) | `stringArray` |  | Options for the driver |
 | [`--leave`](#leave) |  |  | Remove a node from builder instead of changing it |
 | [`--name`](#name) | `string` |  | Builder instance name |
@@ -79,6 +79,11 @@ Specifies the configuration file for the buildkitd daemon to use. The configurat
 can be overridden by [`--buildkitd-flags`](#buildkitd-flags).
 See an [example buildkitd configuration file](https://github.com/moby/buildkit/blob/master/docs/buildkitd.toml.md).

+If the configuration file is not specified, will look for one by default in:
+* `$BUILDX_CONFIG/buildkitd.default.toml`
+* `$DOCKER_CONFIG/buildx/buildkitd.default.toml`
+* `~/.docker/buildx/buildkitd.default.toml`
+
 Note that if you create a `docker-container` builder and have specified
 certificates for registries in the `buildkitd.toml` configuration, the files
 will be copied into the container under `/etc/buildkit/certs` and configuration
@@ -118,32 +123,59 @@ Unlike `docker` driver, built images will not automatically appear in
 `docker images` and [`build --load`](buildx_build.md#load) needs to be used
 to achieve that.

+#### `remote` driver
+
+Uses a remote instance of buildkitd over an arbitrary connection. With this
+driver, you manually create and manage instances of buildkit yourself, and
+configure buildx to point at it.
+
+Unlike `docker` driver, built images will not automatically appear in
+`docker images` and [`build --load`](buildx_build.md#load) needs to be used
+to achieve that.
+
 ### <a name="driver-opt"></a> Set additional driver-specific options (--driver-opt)

 ```
 --driver-opt OPTIONS
 ```

-Passes additional driver-specific options. Details for each driver:
+Passes additional driver-specific options.

- `docker` - No driver options
- `docker-container`
-  - `image=IMAGE` - Sets the container image to be used for running buildkit.
-  - `network=NETMODE` - Sets the network mode for running the buildkit container.
-  - `cgroup-parent=CGROUP` - Sets the cgroup parent of the buildkit container if docker is using the "cgroupfs" driver. Defaults to `/docker/buildx`.
- `kubernetes`
-  - `image=IMAGE` - Sets the container image to be used for running buildkit.
-  - `namespace=NS` - Sets the Kubernetes namespace. Defaults to the current namespace.
-  - `replicas=N` - Sets the number of `Pod` replicas. Defaults to 1.
-  - `requests.cpu` - Sets the request CPU value specified in units of Kubernetes CPU. Example `requests.cpu=100m`, `requests.cpu=2`
-  - `requests.memory` - Sets the request memory value specified in bytes or with a valid suffix. Example `requests.memory=500Mi`, `requests.memory=4G`
-  - `limits.cpu` - Sets the limit CPU value specified in units of Kubernetes CPU. Example `limits.cpu=100m`, `limits.cpu=2`
-  - `limits.memory` - Sets the limit memory value specified in bytes or with a valid suffix. Example `limits.memory=500Mi`, `limits.memory=4G`
-  - `nodeselector="label1=value1,label2=value2"` - Sets the kv of `Pod` nodeSelector. No Defaults. Example `nodeselector=kubernetes.io/arch=arm64`
-  - `rootless=(true|false)` - Run the container as a non-root user without `securityContext.privileged`. [Using Ubuntu host kernel is recommended](https://github.com/moby/buildkit/blob/master/docs/rootless.md). Defaults to false.
-  - `loadbalance=(sticky|random)` - Load-balancing strategy. If set to "sticky", the pod is chosen using the hash of the context path. Defaults to "sticky"
-  - `qemu.install=(true|false)` - Install QEMU emulation for multi platforms support.
-  - `qemu.image=IMAGE` - Sets the QEMU emulation image. Defaults to `tonistiigi/binfmt:latest`
+Note: When using quoted values for example for the `nodeselector` or
+`tolerations` options, ensure that quotes are escaped correctly for your shell.
+
+#### `docker` driver
+
+No driver options.
+
+#### `docker-container` driver
+
+- `image=IMAGE` - Sets the container image to be used for running buildkit.
+- `network=NETMODE` - Sets the network mode for running the buildkit container.
+- `cgroup-parent=CGROUP` - Sets the cgroup parent of the buildkit container if docker is using the "cgroupfs" driver. Defaults to `/docker/buildx`.
+
+#### `kubernetes` driver
+
+- `image=IMAGE` - Sets the container image to be used for running buildkit.
+- `namespace=NS` - Sets the Kubernetes namespace. Defaults to the current namespace.
+- `replicas=N` - Sets the number of `Pod` replicas. Defaults to 1.
+- `requests.cpu` - Sets the request CPU value specified in units of Kubernetes CPU. Example `requests.cpu=100m`, `requests.cpu=2`
+- `requests.memory` - Sets the request memory value specified in bytes or with a valid suffix. Example `requests.memory=500Mi`, `requests.memory=4G`
+- `limits.cpu` - Sets the limit CPU value specified in units of Kubernetes CPU. Example `limits.cpu=100m`, `limits.cpu=2`
+- `limits.memory` - Sets the limit memory value specified in bytes or with a valid suffix. Example `limits.memory=500Mi`, `limits.memory=4G`
+- `"nodeselector=label1=value1,label2=value2"` - Sets the kv of `Pod` nodeSelector. No Defaults. Example `nodeselector=kubernetes.io/arch=arm64`
+- `"tolerations=key=foo,value=bar;key=foo2,operator=exists;key=foo3,effect=NoSchedule"` - Sets the `Pod` tolerations. Accepts the same values as the kube manifest tolera>tions. Key-value pairs are separated by `,`, tolerations are separated by `;`. No Defaults. Example `tolerations=operator=exists`
+- `rootless=(true|false)` - Run the container as a non-root user without `securityContext.privileged`. Needs Kubernetes 1.19 or later. [Using Ubuntu host kernel is recommended](https://github.com/moby/buildkit/blob/master/docs/rootless.md). Defaults to false.
+- `loadbalance=(sticky|random)` - Load-balancing strategy. If set to "sticky", the pod is chosen using the hash of the context path. Defaults to "sticky"
+- `qemu.install=(true|false)` - Install QEMU emulation for multi platforms support.
+- `qemu.image=IMAGE` - Sets the QEMU emulation image. Defaults to `tonistiigi/binfmt:latest`
+
+#### `remote` driver
+
+- `key=KEY` - Sets the TLS client key.
+- `cert=CERT` - Sets the TLS client certificate to present to buildkitd.
+- `cacert=CACERT` - Sets the TLS certificate authority used for validation.
+- `servername=SERVER` - Sets the TLS server name to be used in requests (defaults to the endpoint hostname).

 ### <a name="leave"></a> Remove a node from a builder (--leave)

--- a/docs/reference/buildx_imagetools_create.md
+++ b/docs/reference/buildx_imagetools_create.md
@@ -15,6 +15,7 @@ Create a new image based on source images
 | [`--builder`](#builder) | `string` |  | Override the configured builder instance |
 | [`--dry-run`](#dry-run) |  |  | Show final image instead of pushing |
 | [`-f`](#file), [`--file`](#file) | `stringArray` |  | Read source descriptor from file |
+| `--progress` | `string` | `auto` | Set type of progress output (`auto`, `plain`, `tty`). Use plain to show container output |
 | [`-t`](#tag), [`--tag`](#tag) | `stringArray` |  | Set reference for new image |


--- a/docs/reference/buildx_inspect.md
+++ b/docs/reference/buildx_inspect.md
@@ -43,6 +43,10 @@ name of the builder to inspect to get information about that builder.
 The following example shows information about a builder instance named
 `elated_tesla`:

+> **Note**
+>
+> Asterisk `*` next to node build platform(s) indicate they had been set manually during `buildx create`. Otherwise, it had been autodetected.
+
 ```console
 $ docker buildx inspect elated_tesla

@@ -53,10 +57,12 @@ Nodes:
 Name:      elated_tesla0
 Endpoint:  unix:///var/run/docker.sock
 Status:    running
+Buildkit:  v0.10.3
 Platforms: linux/amd64

 Name:      elated_tesla1
 Endpoint:  ssh://ubuntu@1.2.3.4
 Status:    running
-Platforms: linux/arm64, linux/arm/v7, linux/arm/v6
+Buildkit:  v0.10.3
+Platforms: linux/arm64*, linux/arm/v7, linux/arm/v6
 ```
--- a/docs/reference/buildx_ls.md
+++ b/docs/reference/buildx_ls.md
@@ -16,13 +16,12 @@ Lists all builder instances and the nodes for each instance

 ```console
 $ docker buildx ls
-
-NAME/NODE       DRIVER/ENDPOINT             STATUS  PLATFORMS
+NAME/NODE       DRIVER/ENDPOINT             STATUS  BUILDKIT PLATFORMS
 elated_tesla *  docker-container
-  elated_tesla0 unix:///var/run/docker.sock running linux/amd64
-  elated_tesla1 ssh://ubuntu@1.2.3.4        running linux/arm64*, linux/arm/v7, linux/arm/v6
+  elated_tesla0 unix:///var/run/docker.sock running v0.10.3  linux/amd64
+  elated_tesla1 ssh://ubuntu@1.2.3.4        running v0.10.3  linux/arm64*, linux/arm/v7, linux/arm/v6
 default         docker
-  default       default                     running linux/amd64
+  default       default                     running 20.10.14 linux/amd64
 ```

 Each builder has one or more nodes associated with it. The current builder's
--- a/docs/reference/buildx_prune.md
+++ b/docs/reference/buildx_prune.md
@@ -11,7 +11,7 @@ Remove build cache

 | Name | Type | Default | Description |
 | --- | --- | --- | --- |
-| `-a`, `--all` |  |  | Remove all unused images, not just dangling ones |
+| `-a`, `--all` |  |  | Include internal/frontend images |
 | [`--builder`](#builder) | `string` |  | Override the configured builder instance |
 | `--filter` | `filter` |  | Provide filter values (e.g., `until=24h`) |
 | `-f`, `--force` |  |  | Do not prompt for confirmation |
@@ -21,6 +21,26 @@ Remove build cache

 <!---MARKER_GEN_END-->

+## Description
+
+Clears the build cache of the selected builder.
+
+You can finely control what cache data is kept using:
+
+- The `--filter=until=<duration>` flag to keep images that have been used in
+  the last `<duration>` time.
+
+  `<duration>` is a duration string, e.g. `24h` or `2h30m`, with allowable
+  units of `(h)ours`, `(m)inutes` and `(s)econds`.
+
+- The `--keep-storage=<size>` flag to keep `<size>` bytes of data in the cache.
+
+  `<size>` is a human-readable memory string, e.g. `128mb`, `2gb`, etc. Units
+  are case-insensitive.
+
+- The `--all` flag to allow clearing internal helper images and frontend images
+  set using the `#syntax=` directive or the `BUILDKIT_SYNTAX` build argument.
+
 ## Examples

 ### <a name="builder"></a> Override the configured builder instance (--builder)
--- a/driver/docker-container/driver.go
+++ b/driver/docker-container/driver.go
@@ -4,11 +4,11 @@ import (
 	"bytes"
 	"context"
 	"io"
-	"io/ioutil"
 	"net"
 	"os"
 	"path"
 	"path/filepath"
+	"strings"
 	"time"

 	"github.com/docker/buildx/driver"
@@ -90,7 +90,7 @@ func (d *Driver) create(ctx context.Context, l progress.SubLogger) error {
 		if err != nil {
 			return err
 		}
-		_, err = io.Copy(ioutil.Discard, rc)
+		_, err = io.Copy(io.Discard, rc)
 		return err
 	}); err != nil {
 		// image pulling failed, check if it exists in local image store.
@@ -287,13 +287,29 @@ func (d *Driver) Info(ctx context.Context) (*driver.Info, error) {
 	}, nil
 }

+func (d *Driver) Version(ctx context.Context) (string, error) {
+	bufStdout := &bytes.Buffer{}
+	bufStderr := &bytes.Buffer{}
+	if err := d.run(ctx, []string{"buildkitd", "--version"}, bufStdout, bufStderr); err != nil {
+		if bufStderr.Len() > 0 {
+			return "", errors.Wrap(err, bufStderr.String())
+		}
+		return "", err
+	}
+	version := strings.Fields(bufStdout.String())
+	if len(version) != 4 {
+		return "", errors.Errorf("unexpected version format: %s", bufStdout.String())
+	}
+	return version[2], nil
+}
+
 func (d *Driver) Stop(ctx context.Context, force bool) error {
 	info, err := d.Info(ctx)
 	if err != nil {
 		return err
 	}
 	if info.Status == driver.Running {
-		return d.DockerAPI.ContainerStop(ctx, d.Name, nil)
+		return d.DockerAPI.ContainerStop(ctx, d.Name, container.StopOptions{})
 	}
 	return nil
 }
@@ -341,11 +357,14 @@ func (d *Driver) Client(ctx context.Context) (*client.Client, error) {
 		return nil, err
 	}

-	td, _ := exp.(client.TracerDelegate)
-
-	return client.New(ctx, "", client.WithContextDialer(func(context.Context, string) (net.Conn, error) {
+	var opts []client.ClientOpt
+	opts = append(opts, client.WithContextDialer(func(context.Context, string) (net.Conn, error) {
 		return conn, nil
-	}), client.WithTracerDelegate(td))
+	}))
+	if td, ok := exp.(client.TracerDelegate); ok {
+		opts = append(opts, client.WithTracerDelegate(td))
+	}
+	return client.New(ctx, "", opts...)
 }

 func (d *Driver) Factory() driver.Factory {
--- a/driver/docker-container/factory.go
+++ b/driver/docker-container/factory.go
@@ -29,7 +29,7 @@ func (*factory) Usage() string {
 	return "docker-container"
 }

-func (*factory) Priority(ctx context.Context, api dockerclient.APIClient) int {
+func (*factory) Priority(ctx context.Context, endpoint string, api dockerclient.APIClient) int {
 	if api == nil {
 		return priorityUnsupported
 	}
--- a/driver/docker/driver.go
+++ b/driver/docker/driver.go
@@ -29,6 +29,14 @@ func (d *Driver) Info(ctx context.Context) (*driver.Info, error) {
 	}, nil
 }

+func (d *Driver) Version(ctx context.Context) (string, error) {
+	v, err := d.DockerAPI.ServerVersion(ctx)
+	if err != nil {
+		return "", errors.Wrapf(driver.ErrNotConnecting, err.Error())
+	}
+	return v.Version, nil
+}
+
 func (d *Driver) Stop(ctx context.Context, force bool) error {
 	return nil
 }
@@ -46,11 +54,22 @@ func (d *Driver) Client(ctx context.Context) (*client.Client, error) {
 }

 func (d *Driver) Features() map[driver.Feature]bool {
+	var useContainerdSnapshotter bool
+	ctx := context.Background()
+	c, err := d.Client(ctx)
+	if err == nil {
+		workers, _ := c.ListWorkers(ctx)
+		for _, w := range workers {
+			if _, ok := w.Labels["org.mobyproject.buildkit.worker.snapshotter"]; ok {
+				useContainerdSnapshotter = true
+			}
+		}
+	}
 	return map[driver.Feature]bool{
-		driver.OCIExporter:    false,
-		driver.DockerExporter: false,
-		driver.CacheExport:    false,
-		driver.MultiPlatform:  false,
+		driver.OCIExporter:    useContainerdSnapshotter,
+		driver.DockerExporter: useContainerdSnapshotter,
+		driver.CacheExport:    useContainerdSnapshotter,
+		driver.MultiPlatform:  useContainerdSnapshotter,
 	}
 }

--- a/driver/docker/factory.go
+++ b/driver/docker/factory.go
@@ -26,7 +26,7 @@ func (*factory) Usage() string {
 	return "docker"
 }

-func (*factory) Priority(ctx context.Context, api dockerclient.APIClient) int {
+func (*factory) Priority(ctx context.Context, endpoint string, api dockerclient.APIClient) int {
 	if api == nil {
 		return priorityUnsupported
 	}
--- a/driver/driver.go
+++ b/driver/driver.go
@@ -53,6 +53,7 @@ type Driver interface {
 	Factory() Factory
 	Bootstrap(context.Context, progress.Logger) error
 	Info(context.Context) (*Info, error)
+	Version(context.Context) (string, error)
 	Stop(ctx context.Context, force bool) error
 	Rm(ctx context.Context, force, rmVolume, rmDaemon bool) error
 	Client(ctx context.Context) (*client.Client, error)
--- a/driver/kubernetes/context/endpoint_test.go
+++ b/driver/kubernetes/context/endpoint_test.go
@@ -1,7 +1,6 @@
 package context

 import (
-	"io/ioutil"
 	"os"
 	"testing"

@@ -42,7 +41,7 @@ var testStoreCfg = store.NewConfig(
 )

 func TestSaveLoadContexts(t *testing.T) {
-	storeDir, err := ioutil.TempDir("", "test-load-save-k8-context")
+	storeDir, err := os.MkdirTemp("", "test-load-save-k8-context")
 	require.NoError(t, err)
 	defer os.RemoveAll(storeDir)
 	store := store.New(storeDir, testStoreCfg)
@@ -50,7 +49,7 @@ func TestSaveLoadContexts(t *testing.T) {
 	require.NoError(t, save(store, testEndpoint("https://test", "test", nil, nil, nil, true), "raw-notls-skip"))
 	require.NoError(t, save(store, testEndpoint("https://test", "test", []byte("ca"), []byte("cert"), []byte("key"), true), "raw-tls"))

-	kcFile, err := ioutil.TempFile(os.TempDir(), "test-load-save-k8-context")
+	kcFile, err := os.CreateTemp(os.TempDir(), "test-load-save-k8-context")
 	require.NoError(t, err)
 	defer os.Remove(kcFile.Name())
 	defer kcFile.Close()
@@ -147,7 +146,7 @@ func save(s store.Writer, ep Endpoint, name string) error {
 }

 func TestSaveLoadGKEConfig(t *testing.T) {
-	storeDir, err := ioutil.TempDir("", t.Name())
+	storeDir, err := os.MkdirTemp("", t.Name())
 	require.NoError(t, err)
 	defer os.RemoveAll(storeDir)
 	store := store.New(storeDir, testStoreCfg)
@@ -172,7 +171,7 @@ func TestSaveLoadGKEConfig(t *testing.T) {
 }

 func TestSaveLoadEKSConfig(t *testing.T) {
-	storeDir, err := ioutil.TempDir("", t.Name())
+	storeDir, err := os.MkdirTemp("", t.Name())
 	require.NoError(t, err)
 	defer os.RemoveAll(storeDir)
 	store := store.New(storeDir, testStoreCfg)
@@ -197,7 +196,7 @@ func TestSaveLoadEKSConfig(t *testing.T) {
 }

 func TestSaveLoadK3SConfig(t *testing.T) {
-	storeDir, err := ioutil.TempDir("", t.Name())
+	storeDir, err := os.MkdirTemp("", t.Name())
 	require.NoError(t, err)
 	defer os.RemoveAll(storeDir)
 	store := store.New(storeDir, testStoreCfg)
--- a/driver/kubernetes/context/load_test.go
+++ b/driver/kubernetes/context/load_test.go
@@ -5,18 +5,15 @@ import (
 	"testing"

 	"github.com/docker/cli/cli/command"
-	"github.com/docker/cli/cli/config/configfile"
 	cliflags "github.com/docker/cli/cli/flags"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )

 func TestDefaultContextInitializer(t *testing.T) {
-	cli, err := command.NewDockerCli()
-	require.NoError(t, err)
 	os.Setenv("KUBECONFIG", "./fixtures/test-kubeconfig")
 	defer os.Unsetenv("KUBECONFIG")
-	ctx, err := command.ResolveDefaultContext(&cliflags.CommonOptions{}, &configfile.ConfigFile{}, command.DefaultContextStoreConfig(), cli.Err())
+	ctx, err := command.ResolveDefaultContext(&cliflags.CommonOptions{}, command.DefaultContextStoreConfig())
 	require.NoError(t, err)
 	assert.Equal(t, "default", ctx.Meta.Name)
 	assert.Equal(t, "zoinx", ctx.Meta.Endpoints[KubernetesEndpoint].(EndpointMeta).DefaultNamespace)
--- a/driver/kubernetes/context/save.go
+++ b/driver/kubernetes/context/save.go
@@ -1,7 +1,7 @@
 package context

 import (
-	"io/ioutil"
+	"os"

 	"github.com/docker/cli/cli/context"
 	"k8s.io/client-go/tools/clientcmd"
@@ -63,7 +63,7 @@ func FromKubeConfig(kubeconfig, kubeContext, namespaceOverride string) (Endpoint

 func readFileOrDefault(path string, defaultValue []byte) ([]byte, error) {
 	if path != "" {
-		return ioutil.ReadFile(path)
+		return os.ReadFile(path)
 	}
 	return defaultValue, nil
 }
--- a/driver/kubernetes/driver.go
+++ b/driver/kubernetes/driver.go
@@ -160,6 +160,10 @@ func (d *Driver) Info(ctx context.Context) (*driver.Info, error) {
 	}, nil
 }

+func (d *Driver) Version(ctx context.Context) (string, error) {
+	return "", nil
+}
+
 func (d *Driver) Stop(ctx context.Context, force bool) error {
 	// future version may scale the replicas to zero here
 	return nil
@@ -211,11 +215,14 @@ func (d *Driver) Client(ctx context.Context) (*client.Client, error) {
 		return nil, err
 	}

-	td, _ := exp.(client.TracerDelegate)
-
-	return client.New(ctx, "", client.WithContextDialer(func(context.Context, string) (net.Conn, error) {
+	var opts []client.ClientOpt
+	opts = append(opts, client.WithContextDialer(func(context.Context, string) (net.Conn, error) {
 		return conn, nil
-	}), client.WithTracerDelegate(td))
+	}))
+	if td, ok := exp.(client.TracerDelegate); ok {
+		opts = append(opts, client.WithTracerDelegate(td))
+	}
+	return client.New(ctx, "", opts...)
 }

 func (d *Driver) Factory() driver.Factory {
--- a/driver/kubernetes/factory.go
+++ b/driver/kubernetes/factory.go
@@ -5,6 +5,8 @@ import (
 	"strconv"
 	"strings"

+	corev1 "k8s.io/api/core/v1"
+
 	"github.com/docker/buildx/driver"
 	"github.com/docker/buildx/driver/bkimage"
 	"github.com/docker/buildx/driver/kubernetes/manifest"
@@ -32,7 +34,7 @@ func (*factory) Usage() string {
 	return DriverName
 }

-func (*factory) Priority(ctx context.Context, api dockerclient.APIClient) int {
+func (*factory) Priority(ctx context.Context, endpoint string, api dockerclient.APIClient) int {
 	if api == nil {
 		return priorityUnsupported
 	}
@@ -66,77 +68,9 @@ func (f *factory) New(ctx context.Context, cfg driver.InitConfig) (driver.Driver
 		clientset:  clientset,
 	}

-	deploymentOpt := &manifest.DeploymentOpt{
-		Name:          deploymentName,
-		Image:         bkimage.DefaultImage,
-		Replicas:      1,
-		BuildkitFlags: cfg.BuildkitFlags,
-		Rootless:      false,
-		Platforms:     cfg.Platforms,
-		ConfigFiles:   cfg.Files,
-	}
-
-	deploymentOpt.Qemu.Image = bkimage.QemuImage
-
-	loadbalance := LoadbalanceSticky
-
-	for k, v := range cfg.DriverOpts {
-		switch k {
-		case "image":
-			if v != "" {
-				deploymentOpt.Image = v
-			}
-		case "namespace":
-			namespace = v
-		case "replicas":
-			deploymentOpt.Replicas, err = strconv.Atoi(v)
-			if err != nil {
-				return nil, err
-			}
-		case "requests.cpu":
-			deploymentOpt.RequestsCPU = v
-		case "requests.memory":
-			deploymentOpt.RequestsMemory = v
-		case "limits.cpu":
-			deploymentOpt.LimitsCPU = v
-		case "limits.memory":
-			deploymentOpt.LimitsMemory = v
-		case "rootless":
-			deploymentOpt.Rootless, err = strconv.ParseBool(v)
-			if err != nil {
-				return nil, err
-			}
-			deploymentOpt.Image = bkimage.DefaultRootlessImage
-		case "nodeselector":
-			kvs := strings.Split(strings.Trim(v, `"`), ",")
-			s := map[string]string{}
-			for i := range kvs {
-				kv := strings.Split(kvs[i], "=")
-				if len(kv) == 2 {
-					s[kv[0]] = kv[1]
-				}
-			}
-			deploymentOpt.NodeSelector = s
-		case "loadbalance":
-			switch v {
-			case LoadbalanceSticky:
-			case LoadbalanceRandom:
-			default:
-				return nil, errors.Errorf("invalid loadbalance %q", v)
-			}
-			loadbalance = v
-		case "qemu.install":
-			deploymentOpt.Qemu.Install, err = strconv.ParseBool(v)
-			if err != nil {
-				return nil, err
-			}
-		case "qemu.image":
-			if v != "" {
-				deploymentOpt.Qemu.Image = v
-			}
-		default:
-			return nil, errors.Errorf("invalid driver option %s for driver %s", k, DriverName)
-		}
+	deploymentOpt, loadbalance, namespace, err := f.processDriverOpts(deploymentName, namespace, cfg)
+	if nil != err {
+		return nil, err
 	}

 	d.deployment, d.configMaps, err = manifest.NewDeployment(deploymentOpt)
@@ -166,6 +100,121 @@ func (f *factory) New(ctx context.Context, cfg driver.InitConfig) (driver.Driver
 	return d, nil
 }

+func (f *factory) processDriverOpts(deploymentName string, namespace string, cfg driver.InitConfig) (*manifest.DeploymentOpt, string, string, error) {
+	deploymentOpt := &manifest.DeploymentOpt{
+		Name:          deploymentName,
+		Image:         bkimage.DefaultImage,
+		Replicas:      1,
+		BuildkitFlags: cfg.BuildkitFlags,
+		Rootless:      false,
+		Platforms:     cfg.Platforms,
+		ConfigFiles:   cfg.Files,
+	}
+
+	deploymentOpt.Qemu.Image = bkimage.QemuImage
+
+	loadbalance := LoadbalanceSticky
+	var err error
+
+	for k, v := range cfg.DriverOpts {
+		switch k {
+		case "image":
+			if v != "" {
+				deploymentOpt.Image = v
+			}
+		case "namespace":
+			namespace = v
+		case "replicas":
+			deploymentOpt.Replicas, err = strconv.Atoi(v)
+			if err != nil {
+				return nil, "", "", err
+			}
+		case "requests.cpu":
+			deploymentOpt.RequestsCPU = v
+		case "requests.memory":
+			deploymentOpt.RequestsMemory = v
+		case "limits.cpu":
+			deploymentOpt.LimitsCPU = v
+		case "limits.memory":
+			deploymentOpt.LimitsMemory = v
+		case "rootless":
+			deploymentOpt.Rootless, err = strconv.ParseBool(v)
+			if err != nil {
+				return nil, "", "", err
+			}
+			if _, isImage := cfg.DriverOpts["image"]; !isImage {
+				deploymentOpt.Image = bkimage.DefaultRootlessImage
+			}
+		case "nodeselector":
+			kvs := strings.Split(strings.Trim(v, `"`), ",")
+			s := map[string]string{}
+			for i := range kvs {
+				kv := strings.Split(kvs[i], "=")
+				if len(kv) == 2 {
+					s[kv[0]] = kv[1]
+				}
+			}
+			deploymentOpt.NodeSelector = s
+		case "tolerations":
+			ts := strings.Split(v, ";")
+			deploymentOpt.Tolerations = []corev1.Toleration{}
+			for i := range ts {
+				kvs := strings.Split(ts[i], ",")
+
+				t := corev1.Toleration{}
+
+				for j := range kvs {
+					kv := strings.Split(kvs[j], "=")
+					if len(kv) == 2 {
+						switch kv[0] {
+						case "key":
+							t.Key = kv[1]
+						case "operator":
+							t.Operator = corev1.TolerationOperator(kv[1])
+						case "value":
+							t.Value = kv[1]
+						case "effect":
+							t.Effect = corev1.TaintEffect(kv[1])
+						case "tolerationSeconds":
+							c, err := strconv.Atoi(kv[1])
+							if nil != err {
+								return nil, "", "", err
+							}
+							c64 := int64(c)
+							t.TolerationSeconds = &c64
+						default:
+							return nil, "", "", errors.Errorf("invalid tolaration %q", v)
+						}
+					}
+				}
+
+				deploymentOpt.Tolerations = append(deploymentOpt.Tolerations, t)
+			}
+		case "loadbalance":
+			switch v {
+			case LoadbalanceSticky:
+			case LoadbalanceRandom:
+			default:
+				return nil, "", "", errors.Errorf("invalid loadbalance %q", v)
+			}
+			loadbalance = v
+		case "qemu.install":
+			deploymentOpt.Qemu.Install, err = strconv.ParseBool(v)
+			if err != nil {
+				return nil, "", "", err
+			}
+		case "qemu.image":
+			if v != "" {
+				deploymentOpt.Qemu.Image = v
+			}
+		default:
+			return nil, "", "", errors.Errorf("invalid driver option %s for driver %s", k, DriverName)
+		}
+	}
+
+	return deploymentOpt, loadbalance, namespace, nil
+}
+
 func (f *factory) AllowsInstances() bool {
 	return true
 }
--- a/driver/kubernetes/factory_test.go
+++ b/driver/kubernetes/factory_test.go
@@ -0,0 +1,230 @@
+package kubernetes
+
+import (
+	"testing"
+
+	"github.com/docker/buildx/driver"
+	"github.com/docker/buildx/driver/bkimage"
+	"github.com/stretchr/testify/require"
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/client-go/rest"
+)
+
+type mockKubeClientConfig struct {
+	clientConfig *rest.Config
+	namespace    string
+}
+
+func (r *mockKubeClientConfig) ClientConfig() (*rest.Config, error) {
+	return r.clientConfig, nil
+}
+
+func (r *mockKubeClientConfig) Namespace() (string, bool, error) {
+	return r.namespace, true, nil
+}
+
+func TestFactory_processDriverOpts(t *testing.T) {
+	kcc := mockKubeClientConfig{
+		clientConfig: &rest.Config{},
+	}
+
+	cfg := driver.InitConfig{
+		Name:             "buildx_buildkit_test",
+		KubeClientConfig: &kcc,
+	}
+	f := factory{}
+
+	t.Run(
+		"ValidOptions", func(t *testing.T) {
+			cfg.DriverOpts = map[string]string{
+				"namespace":       "test-ns",
+				"image":           "test:latest",
+				"replicas":        "2",
+				"requests.cpu":    "100m",
+				"requests.memory": "32Mi",
+				"limits.cpu":      "200m",
+				"limits.memory":   "64Mi",
+				"rootless":        "true",
+				"nodeselector":    "selector1=value1,selector2=value2",
+				"tolerations":     "key=tolerationKey1,value=tolerationValue1,operator=Equal,effect=NoSchedule,tolerationSeconds=60;key=tolerationKey2,operator=Exists",
+				"loadbalance":     "random",
+				"qemu.install":    "true",
+				"qemu.image":      "qemu:latest",
+			}
+			ns := "test"
+
+			r, loadbalance, ns, err := f.processDriverOpts(cfg.Name, ns, cfg)
+
+			nodeSelectors := map[string]string{
+				"selector1": "value1",
+				"selector2": "value2",
+			}
+
+			ts := int64(60)
+			tolerations := []v1.Toleration{
+				{
+					Key:               "tolerationKey1",
+					Operator:          v1.TolerationOpEqual,
+					Value:             "tolerationValue1",
+					Effect:            v1.TaintEffectNoSchedule,
+					TolerationSeconds: &ts,
+				},
+				{
+					Key:      "tolerationKey2",
+					Operator: v1.TolerationOpExists,
+				},
+			}
+
+			require.NoError(t, err)
+
+			require.Equal(t, "test-ns", ns)
+			require.Equal(t, "test:latest", r.Image)
+			require.Equal(t, 2, r.Replicas)
+			require.Equal(t, "100m", r.RequestsCPU)
+			require.Equal(t, "32Mi", r.RequestsMemory)
+			require.Equal(t, "200m", r.LimitsCPU)
+			require.Equal(t, "64Mi", r.LimitsMemory)
+			require.True(t, r.Rootless)
+			require.Equal(t, nodeSelectors, r.NodeSelector)
+			require.Equal(t, tolerations, r.Tolerations)
+			require.Equal(t, LoadbalanceRandom, loadbalance)
+			require.True(t, r.Qemu.Install)
+			require.Equal(t, "qemu:latest", r.Qemu.Image)
+		},
+	)
+
+	t.Run(
+		"NoOptions", func(t *testing.T) {
+			cfg.DriverOpts = map[string]string{}
+
+			r, loadbalance, ns, err := f.processDriverOpts(cfg.Name, "test", cfg)
+
+			require.NoError(t, err)
+
+			require.Equal(t, "test", ns)
+			require.Equal(t, bkimage.DefaultImage, r.Image)
+			require.Equal(t, 1, r.Replicas)
+			require.Equal(t, "", r.RequestsCPU)
+			require.Equal(t, "", r.RequestsMemory)
+			require.Equal(t, "", r.LimitsCPU)
+			require.Equal(t, "", r.LimitsMemory)
+			require.False(t, r.Rootless)
+			require.Empty(t, r.NodeSelector)
+			require.Empty(t, r.Tolerations)
+			require.Equal(t, LoadbalanceSticky, loadbalance)
+			require.False(t, r.Qemu.Install)
+			require.Equal(t, bkimage.QemuImage, r.Qemu.Image)
+		},
+	)
+
+	t.Run(
+		"RootlessOverride", func(t *testing.T) {
+			cfg.DriverOpts = map[string]string{
+				"rootless":    "true",
+				"loadbalance": "sticky",
+			}
+
+			r, loadbalance, ns, err := f.processDriverOpts(cfg.Name, "test", cfg)
+
+			require.NoError(t, err)
+
+			require.Equal(t, "test", ns)
+			require.Equal(t, bkimage.DefaultRootlessImage, r.Image)
+			require.Equal(t, 1, r.Replicas)
+			require.Equal(t, "", r.RequestsCPU)
+			require.Equal(t, "", r.RequestsMemory)
+			require.Equal(t, "", r.LimitsCPU)
+			require.Equal(t, "", r.LimitsMemory)
+			require.True(t, r.Rootless)
+			require.Empty(t, r.NodeSelector)
+			require.Empty(t, r.Tolerations)
+			require.Equal(t, LoadbalanceSticky, loadbalance)
+			require.False(t, r.Qemu.Install)
+			require.Equal(t, bkimage.QemuImage, r.Qemu.Image)
+		},
+	)
+
+	t.Run(
+		"InvalidReplicas", func(t *testing.T) {
+			cfg.DriverOpts = map[string]string{
+				"replicas": "invalid",
+			}
+
+			_, _, _, err := f.processDriverOpts(cfg.Name, "test", cfg)
+
+			require.Error(t, err)
+		},
+	)
+
+	t.Run(
+		"InvalidRootless", func(t *testing.T) {
+			cfg.DriverOpts = map[string]string{
+				"rootless": "invalid",
+			}
+
+			_, _, _, err := f.processDriverOpts(cfg.Name, "test", cfg)
+
+			require.Error(t, err)
+		},
+	)
+
+	t.Run(
+		"InvalidTolerationKeyword", func(t *testing.T) {
+			cfg.DriverOpts = map[string]string{
+				"tolerations": "key=foo,value=bar,invalid=foo2",
+			}
+
+			_, _, _, err := f.processDriverOpts(cfg.Name, "test", cfg)
+
+			require.Error(t, err)
+		},
+	)
+
+	t.Run(
+		"InvalidTolerationSeconds", func(t *testing.T) {
+			cfg.DriverOpts = map[string]string{
+				"tolerations": "key=foo,value=bar,tolerationSeconds=invalid",
+			}
+
+			_, _, _, err := f.processDriverOpts(cfg.Name, "test", cfg)
+
+			require.Error(t, err)
+		},
+	)
+
+	t.Run(
+		"InvalidLoadBalance", func(t *testing.T) {
+			cfg.DriverOpts = map[string]string{
+				"loadbalance": "invalid",
+			}
+
+			_, _, _, err := f.processDriverOpts(cfg.Name, "test", cfg)
+
+			require.Error(t, err)
+		},
+	)
+
+	t.Run(
+		"InvalidQemuInstall", func(t *testing.T) {
+			cfg.DriverOpts = map[string]string{
+				"qemu.install": "invalid",
+			}
+
+			_, _, _, err := f.processDriverOpts(cfg.Name, "test", cfg)
+
+			require.Error(t, err)
+		},
+	)
+
+	t.Run(
+		"InvalidOption", func(t *testing.T) {
+			cfg.DriverOpts = map[string]string{
+				"invalid": "foo",
+			}
+
+			_, _, _, err := f.processDriverOpts(cfg.Name, "test", cfg)
+
+			require.Error(t, err)
+		},
+	)
+}
--- a/driver/kubernetes/manifest/manifest.go
+++ b/driver/kubernetes/manifest/manifest.go
@@ -32,6 +32,7 @@ type DeploymentOpt struct {

 	Rootless       bool
 	NodeSelector   map[string]string
+	Tolerations    []corev1.Toleration
 	RequestsCPU    string
 	RequestsMemory string
 	LimitsCPU      string
@@ -159,6 +160,10 @@ func NewDeployment(opt *DeploymentOpt) (d *appsv1.Deployment, c []*corev1.Config
 		d.Spec.Template.Spec.NodeSelector = opt.NodeSelector
 	}

+	if len(opt.Tolerations) > 0 {
+		d.Spec.Template.Spec.Tolerations = opt.Tolerations
+	}
+
 	if opt.RequestsCPU != "" {
 		reqCPU, err := resource.ParseQuantity(opt.RequestsCPU)
 		if err != nil {
@@ -199,12 +204,33 @@ func toRootless(d *appsv1.Deployment) error {
 		d.Spec.Template.Spec.Containers[0].Args,
 		"--oci-worker-no-process-sandbox",
 	)
-	d.Spec.Template.Spec.Containers[0].SecurityContext = nil
+	d.Spec.Template.Spec.Containers[0].SecurityContext = &corev1.SecurityContext{
+		SeccompProfile: &corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeUnconfined,
+		},
+	}
 	if d.Spec.Template.ObjectMeta.Annotations == nil {
-		d.Spec.Template.ObjectMeta.Annotations = make(map[string]string, 2)
+		d.Spec.Template.ObjectMeta.Annotations = make(map[string]string, 1)
 	}
 	d.Spec.Template.ObjectMeta.Annotations["container.apparmor.security.beta.kubernetes.io/"+containerName] = "unconfined"
-	d.Spec.Template.ObjectMeta.Annotations["container.seccomp.security.alpha.kubernetes.io/"+containerName] = "unconfined"
+
+	// Dockerfile has `VOLUME /home/user/.local/share/buildkit` by default too,
+	// but the default VOLUME does not work with rootless on Google's Container-Optimized OS
+	// as it is mounted with `nosuid,nodev`.
+	// https://github.com/moby/buildkit/issues/879#issuecomment-1240347038
+	// https://github.com/moby/buildkit/pull/3097
+	const emptyDirVolName = "buildkitd"
+	d.Spec.Template.Spec.Containers[0].VolumeMounts = append(d.Spec.Template.Spec.Containers[0].VolumeMounts, corev1.VolumeMount{
+		Name:      emptyDirVolName,
+		MountPath: "/home/user/.local/share/buildkit",
+	})
+	d.Spec.Template.Spec.Volumes = append(d.Spec.Template.Spec.Volumes, corev1.Volume{
+		Name: emptyDirVolName,
+		VolumeSource: corev1.VolumeSource{
+			EmptyDir: &corev1.EmptyDirVolumeSource{},
+		},
+	})
+
 	return nil
 }

--- a/driver/kubernetes/podchooser/podchooser.go
+++ b/driver/kubernetes/podchooser/podchooser.go
@@ -6,6 +6,7 @@ import (
 	"sort"
 	"time"

+	"github.com/pkg/errors"
 	"github.com/serialx/hashring"
 	"github.com/sirupsen/logrus"
 	appsv1 "k8s.io/api/apps/v1"
@@ -29,6 +30,9 @@ func (pc *RandomPodChooser) ChoosePod(ctx context.Context) (*corev1.Pod, error)
 	if err != nil {
 		return nil, err
 	}
+	if len(pods) == 0 {
+		return nil, errors.New("no running buildkit pods found")
+	}
 	randSource := pc.RandSource
 	if randSource == nil {
 		randSource = rand.NewSource(time.Now().Unix())
--- a/driver/manager.go
+++ b/driver/manager.go
@@ -2,7 +2,7 @@ package driver

 import (
 	"context"
-	"io/ioutil"
+	"os"
 	"sort"
 	"strings"
 	"sync"
@@ -18,7 +18,7 @@ import (
 type Factory interface {
 	Name() string
 	Usage() string
-	Priority(context.Context, dockerclient.APIClient) int
+	Priority(ctx context.Context, endpoint string, api dockerclient.APIClient) int
 	New(ctx context.Context, cfg InitConfig) (Driver, error)
 	AllowsInstances() bool
 }
@@ -40,7 +40,7 @@ func (k KubeClientConfigInCluster) ClientConfig() (*rest.Config, error) {
 }

 func (k KubeClientConfigInCluster) Namespace() (string, bool, error) {
-	namespace, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/namespace")
+	namespace, err := os.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/namespace")
 	if err != nil {
 		return "", false, err
 	}
@@ -50,6 +50,7 @@ func (k KubeClientConfigInCluster) Namespace() (string, bool, error) {
 type InitConfig struct {
 	// This object needs updates to be generic for different drivers
 	Name             string
+	EndpointAddr     string
 	DockerAPI        dockerclient.APIClient
 	KubeClientConfig KubeClientConfig
 	BuildkitFlags    []string
@@ -70,7 +71,7 @@ func Register(f Factory) {
 	drivers[f.Name()] = f
 }

-func GetDefaultFactory(ctx context.Context, c dockerclient.APIClient, instanceRequired bool) (Factory, error) {
+func GetDefaultFactory(ctx context.Context, ep string, c dockerclient.APIClient, instanceRequired bool) (Factory, error) {
 	if len(drivers) == 0 {
 		return nil, errors.Errorf("no drivers available")
 	}
@@ -83,7 +84,7 @@ func GetDefaultFactory(ctx context.Context, c dockerclient.APIClient, instanceRe
 		if instanceRequired && !f.AllowsInstances() {
 			continue
 		}
-		dd = append(dd, p{f: f, priority: f.Priority(ctx, c)})
+		dd = append(dd, p{f: f, priority: f.Priority(ctx, ep, c)})
 	}
 	sort.Slice(dd, func(i, j int) bool {
 		return dd[i].priority < dd[j].priority
@@ -91,20 +92,21 @@ func GetDefaultFactory(ctx context.Context, c dockerclient.APIClient, instanceRe
 	return dd[0].f, nil
 }

-func GetFactory(name string, instanceRequired bool) Factory {
+func GetFactory(name string, instanceRequired bool) (Factory, error) {
 	for _, f := range drivers {
-		if instanceRequired && !f.AllowsInstances() {
-			continue
-		}
 		if f.Name() == name {
-			return f
+			if instanceRequired && !f.AllowsInstances() {
+				return nil, errors.Errorf("additional instances of driver %q cannot be created", name)
+			}
+			return f, nil
 		}
 	}
-	return nil
+	return nil, errors.Errorf("failed to find driver %q", name)
 }

-func GetDriver(ctx context.Context, name string, f Factory, api dockerclient.APIClient, auth Auth, kcc KubeClientConfig, flags []string, files map[string][]byte, do map[string]string, platforms []specs.Platform, contextPathHash string) (Driver, error) {
+func GetDriver(ctx context.Context, name string, f Factory, endpointAddr string, api dockerclient.APIClient, auth Auth, kcc KubeClientConfig, flags []string, files map[string][]byte, do map[string]string, platforms []specs.Platform, contextPathHash string) (Driver, error) {
 	ic := InitConfig{
+		EndpointAddr:     endpointAddr,
 		DockerAPI:        api,
 		KubeClientConfig: kcc,
 		Name:             name,
@@ -117,7 +119,7 @@ func GetDriver(ctx context.Context, name string, f Factory, api dockerclient.API
 	}
 	if f == nil {
 		var err error
-		f, err = GetDefaultFactory(ctx, api, false)
+		f, err = GetDefaultFactory(ctx, endpointAddr, api, false)
 		if err != nil {
 			return nil, err
 		}
@@ -129,9 +131,12 @@ func GetDriver(ctx context.Context, name string, f Factory, api dockerclient.API
 	return &cachedDriver{Driver: d}, nil
 }

-func GetFactories() []Factory {
+func GetFactories(instanceRequired bool) []Factory {
 	ds := make([]Factory, 0, len(drivers))
 	for _, d := range drivers {
+		if instanceRequired && !d.AllowsInstances() {
+			continue
+		}
 		ds = append(ds, d)
 	}
 	sort.Slice(ds, func(i, j int) bool {
--- a/driver/remote/driver.go
+++ b/driver/remote/driver.go
@@ -0,0 +1,106 @@
+package remote
+
+import (
+	"context"
+	"time"
+
+	"github.com/docker/buildx/driver"
+	"github.com/docker/buildx/util/progress"
+	"github.com/moby/buildkit/client"
+)
+
+type Driver struct {
+	factory driver.Factory
+	driver.InitConfig
+	*tlsOpts
+}
+
+type tlsOpts struct {
+	serverName string
+	caCert     string
+	cert       string
+	key        string
+}
+
+func (d *Driver) Bootstrap(ctx context.Context, l progress.Logger) error {
+	for i := 0; ; i++ {
+		info, err := d.Info(ctx)
+		if err != nil {
+			return err
+		}
+		if info.Status != driver.Inactive {
+			return nil
+		}
+
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		default:
+			if i > 10 {
+				i = 10
+			}
+			time.Sleep(time.Duration(i) * time.Second)
+		}
+	}
+}
+
+func (d *Driver) Info(ctx context.Context) (*driver.Info, error) {
+	c, err := d.Client(ctx)
+	if err != nil {
+		return &driver.Info{
+			Status: driver.Inactive,
+		}, nil
+	}
+
+	if _, err := c.ListWorkers(ctx); err != nil {
+		return &driver.Info{
+			Status: driver.Inactive,
+		}, nil
+	}
+
+	return &driver.Info{
+		Status: driver.Running,
+	}, nil
+}
+
+func (d *Driver) Version(ctx context.Context) (string, error) {
+	return "", nil
+}
+
+func (d *Driver) Stop(ctx context.Context, force bool) error {
+	return nil
+}
+
+func (d *Driver) Rm(ctx context.Context, force, rmVolume, rmDaemon bool) error {
+	return nil
+}
+
+func (d *Driver) Client(ctx context.Context) (*client.Client, error) {
+	opts := []client.ClientOpt{}
+	if d.tlsOpts != nil {
+		opts = append(opts, client.WithCredentials(d.tlsOpts.serverName, d.tlsOpts.caCert, d.tlsOpts.cert, d.tlsOpts.key))
+	}
+
+	return client.New(ctx, d.InitConfig.EndpointAddr, opts...)
+}
+
+func (d *Driver) Features() map[driver.Feature]bool {
+	return map[driver.Feature]bool{
+		driver.OCIExporter:    true,
+		driver.DockerExporter: false,
+		driver.CacheExport:    true,
+		driver.MultiPlatform:  true,
+	}
+}
+
+func (d *Driver) Factory() driver.Factory {
+	return d.factory
+}
+
+func (d *Driver) IsMobyDriver() bool {
+	return false
+}
+
+func (d *Driver) Config() driver.InitConfig {
+	return d.InitConfig
+}
--- a/driver/remote/factory.go
+++ b/driver/remote/factory.go
@@ -0,0 +1,118 @@
+package remote
+
+import (
+	"context"
+	"net/url"
+	"path/filepath"
+	"strings"
+
+	// import connhelpers for special url schemes
+	_ "github.com/moby/buildkit/client/connhelper/dockercontainer"
+	_ "github.com/moby/buildkit/client/connhelper/kubepod"
+	_ "github.com/moby/buildkit/client/connhelper/ssh"
+
+	"github.com/docker/buildx/driver"
+	util "github.com/docker/buildx/driver/remote/util"
+	dockerclient "github.com/docker/docker/client"
+	"github.com/pkg/errors"
+)
+
+const prioritySupported = 20
+const priorityUnsupported = 90
+
+func init() {
+	driver.Register(&factory{})
+}
+
+type factory struct {
+}
+
+func (*factory) Name() string {
+	return "remote"
+}
+
+func (*factory) Usage() string {
+	return "remote"
+}
+
+func (*factory) Priority(ctx context.Context, endpoint string, api dockerclient.APIClient) int {
+	if util.IsValidEndpoint(endpoint) != nil {
+		return priorityUnsupported
+	}
+	return prioritySupported
+}
+
+func (f *factory) New(ctx context.Context, cfg driver.InitConfig) (driver.Driver, error) {
+	if len(cfg.Files) > 0 {
+		return nil, errors.Errorf("setting config file is not supported for remote driver")
+	}
+	if len(cfg.BuildkitFlags) > 0 {
+		return nil, errors.Errorf("setting buildkit flags is not supported for remote driver")
+	}
+
+	d := &Driver{
+		factory:    f,
+		InitConfig: cfg,
+	}
+
+	tls := &tlsOpts{}
+	tlsEnabled := false
+	for k, v := range cfg.DriverOpts {
+		switch k {
+		case "servername":
+			tls.serverName = v
+			tlsEnabled = true
+		case "cacert":
+			if !filepath.IsAbs(v) {
+				return nil, errors.Errorf("non-absolute path '%s' provided for %s", v, k)
+			}
+			tls.caCert = v
+			tlsEnabled = true
+		case "cert":
+			if !filepath.IsAbs(v) {
+				return nil, errors.Errorf("non-absolute path '%s' provided for %s", v, k)
+			}
+			tls.cert = v
+			tlsEnabled = true
+		case "key":
+			if !filepath.IsAbs(v) {
+				return nil, errors.Errorf("non-absolute path '%s' provided for %s", v, k)
+			}
+			tls.key = v
+			tlsEnabled = true
+		default:
+			return nil, errors.Errorf("invalid driver option %s for remote driver", k)
+		}
+	}
+
+	if tlsEnabled {
+		if tls.serverName == "" {
+			// guess servername as hostname of target address
+			uri, err := url.Parse(cfg.EndpointAddr)
+			if err != nil {
+				return nil, err
+			}
+			tls.serverName = uri.Hostname()
+		}
+		missing := []string{}
+		if tls.caCert == "" {
+			missing = append(missing, "cacert")
+		}
+		if tls.cert == "" {
+			missing = append(missing, "cert")
+		}
+		if tls.key == "" {
+			missing = append(missing, "key")
+		}
+		if len(missing) > 0 {
+			return nil, errors.Errorf("tls enabled, but missing keys %s", strings.Join(missing, ", "))
+		}
+		d.tlsOpts = tls
+	}
+
+	return d, nil
+}
+
+func (f *factory) AllowsInstances() bool {
+	return true
+}
--- a/driver/remote/util/endpoint.go
+++ b/driver/remote/util/endpoint.go
@@ -0,0 +1,26 @@
+package remote
+
+import (
+	"net/url"
+
+	"github.com/pkg/errors"
+)
+
+var schemes = map[string]struct{}{
+	"tcp":              {},
+	"unix":             {},
+	"ssh":              {},
+	"docker-container": {},
+	"kube-pod":         {},
+}
+
+func IsValidEndpoint(ep string) error {
+	endpoint, err := url.Parse(ep)
+	if err != nil {
+		return errors.Wrapf(err, "failed to parse endpoint %s", ep)
+	}
+	if _, ok := schemes[endpoint.Scheme]; !ok {
+		return errors.Errorf("unrecognized url scheme %s", endpoint.Scheme)
+	}
+	return nil
+}
--- a/go.mod
+++ b/go.mod
@@ -1,63 +1,162 @@
 module github.com/docker/buildx

-go 1.16
+go 1.17

 require (
-	github.com/agl/ed25519 v0.0.0-20170116200512-5312a6153412 // indirect
-	github.com/bugsnag/bugsnag-go v1.4.1 // indirect
-	github.com/bugsnag/panicwrap v1.2.0 // indirect
-	github.com/cenkalti/backoff v2.1.1+incompatible // indirect
-	github.com/cloudflare/cfssl v0.0.0-20181213083726-b94e044bb51e // indirect
-	github.com/compose-spec/compose-go v1.0.8
+	github.com/compose-spec/compose-go v1.4.0
 	github.com/containerd/console v1.0.3
-	github.com/containerd/containerd v1.6.1
-	github.com/docker/cli v20.10.12+incompatible
-	github.com/docker/cli-docs-tool v0.4.0
-	github.com/docker/distribution v2.8.0+incompatible
-	github.com/docker/docker v20.10.7+incompatible
-	github.com/docker/go v1.5.1-1.0.20160303222718-d30aec9fd63c // indirect
+	github.com/containerd/containerd v1.6.6
+	github.com/docker/cli v20.10.17+incompatible // v22.06.x - see "replace" for the actual version
+	github.com/docker/cli-docs-tool v0.5.0
+	github.com/docker/distribution v2.8.1+incompatible
+	github.com/docker/docker v20.10.17+incompatible // v22.06.x - see "replace" for the actual version
 	github.com/docker/go-units v0.4.0
-	github.com/docker/libtrust v0.0.0-20150526203908-9cbd2a1374f4 // indirect
-	github.com/elazarl/goproxy v0.0.0-20191011121108-aa519ddbe484 // indirect
-	github.com/fvbommel/sortorder v1.0.1 // indirect
 	github.com/gofrs/flock v0.7.3
-	github.com/gofrs/uuid v3.3.0+incompatible // indirect
-	github.com/google/certificate-transparency-go v1.0.21 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
-	github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed // indirect
 	github.com/hashicorp/go-cty-funcs v0.0.0-20200930094925-2721b1e36840
 	github.com/hashicorp/hcl/v2 v2.8.2
-	github.com/jinzhu/gorm v1.9.2 // indirect
-	github.com/jinzhu/inflection v0.0.0-20180308033659-04140366298a // indirect
-	github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0 // indirect
-	github.com/moby/buildkit v0.10.0-rc2.0.20220308185020-fdecd0ae108b
+	github.com/moby/buildkit v0.10.1-0.20220816171719-55ba9d14360a
 	github.com/morikuni/aec v1.0.0
 	github.com/opencontainers/go-digest v1.0.0
-	github.com/opencontainers/image-spec v1.0.2-0.20211117181255-693428a734f5
+	github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799
 	github.com/pelletier/go-toml v1.9.4
 	github.com/pkg/errors v0.9.1
 	github.com/serialx/hashring v0.0.0-20190422032157-8b2912629002
-	github.com/sirupsen/logrus v1.8.1
-	github.com/spf13/cobra v1.2.1
+	github.com/sirupsen/logrus v1.9.0
+	github.com/spf13/cobra v1.5.0
 	github.com/spf13/pflag v1.0.5
-	github.com/stretchr/testify v1.7.0
-	github.com/theupdateframework/notary v0.6.1 // indirect
+	github.com/stretchr/testify v1.8.0
 	github.com/zclconf/go-cty v1.10.0
 	go.opentelemetry.io/otel v1.4.1
 	go.opentelemetry.io/otel/trace v1.4.1
-	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
-	google.golang.org/grpc v1.44.0
+	golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4
+	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211
+	google.golang.org/grpc v1.47.0
+	gopkg.in/yaml.v3 v3.0.1
+	k8s.io/api v0.23.5
+	k8s.io/apimachinery v0.23.5
+	k8s.io/client-go v0.23.5
+)
+
+require (
+	cloud.google.com/go v0.81.0 // indirect
+	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
+	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
+	github.com/Azure/go-autorest/autorest v0.11.24 // indirect
+	github.com/Azure/go-autorest/autorest/adal v0.9.18 // indirect
+	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
+	github.com/Azure/go-autorest/logger v0.2.1 // indirect
+	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
+	github.com/Microsoft/go-winio v0.5.2 // indirect
+	github.com/agext/levenshtein v1.2.3 // indirect
+	github.com/agl/ed25519 v0.0.0-20170116200512-5312a6153412 // indirect
+	github.com/apparentlymart/go-cidr v1.0.1 // indirect
+	github.com/apparentlymart/go-textseg/v12 v12.0.0 // indirect
+	github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/bugsnag/bugsnag-go v1.4.1 // indirect
+	github.com/bugsnag/panicwrap v1.2.0 // indirect
+	github.com/cenkalti/backoff v2.1.1+incompatible // indirect
+	github.com/cenkalti/backoff/v4 v4.1.2 // indirect
+	github.com/cespare/xxhash/v2 v2.1.2 // indirect
+	github.com/cloudflare/cfssl v0.0.0-20181213083726-b94e044bb51e // indirect
+	github.com/containerd/continuity v0.3.0 // indirect
+	github.com/containerd/ttrpc v1.1.0 // indirect
+	github.com/containerd/typeurl v1.0.2 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/distribution/distribution/v3 v3.0.0-20220725133111-4bf3547399eb // indirect
+	github.com/docker/docker-credential-helpers v0.6.4 // indirect
+	github.com/docker/go v1.5.1-1.0.20160303222718-d30aec9fd63c // indirect
+	github.com/docker/go-connections v0.4.0 // indirect
+	github.com/docker/go-metrics v0.0.1 // indirect
+	github.com/docker/libtrust v0.0.0-20150526203908-9cbd2a1374f4 // indirect
+	github.com/elazarl/goproxy v0.0.0-20191011121108-aa519ddbe484 // indirect
+	github.com/felixge/httpsnoop v1.0.2 // indirect
+	github.com/fvbommel/sortorder v1.0.1 // indirect
+	github.com/go-logr/logr v1.2.2 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-sql-driver/mysql v1.6.0 // indirect
+	github.com/gogo/googleapis v1.4.1 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang-jwt/jwt/v4 v4.2.0 // indirect
+	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/google/certificate-transparency-go v1.0.21 // indirect
+	github.com/google/go-cmp v0.5.8 // indirect
+	github.com/google/gofuzz v1.2.0 // indirect
+	github.com/google/uuid v1.3.0 // indirect
+	github.com/googleapis/gnostic v0.5.5 // indirect
+	github.com/gorilla/mux v1.8.0 // indirect
+	github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 // indirect
+	github.com/grpc-ecosystem/grpc-gateway v1.16.0 // indirect
+	github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed // indirect
+	github.com/imdario/mergo v0.3.13 // indirect
+	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+	github.com/jinzhu/gorm v1.9.2 // indirect
+	github.com/jinzhu/inflection v0.0.0-20180308033659-04140366298a // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0 // indirect
+	github.com/klauspost/compress v1.15.7 // indirect
+	github.com/kr/pretty v0.3.0 // indirect
+	github.com/mattn/go-shellwords v1.0.12 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
+	github.com/miekg/pkcs11 v1.1.1 // indirect
+	github.com/mitchellh/go-wordwrap v0.0.0-20150314170334-ad45545899c7 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/moby/locker v1.0.1 // indirect
+	github.com/moby/spdystream v0.2.0 // indirect
+	github.com/moby/sys/signal v0.6.0 // indirect
+	github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/opencontainers/runc v1.1.3 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/prometheus/client_golang v1.12.2 // indirect
+	github.com/prometheus/client_model v0.2.0 // indirect
+	github.com/prometheus/common v0.32.1 // indirect
+	github.com/prometheus/procfs v0.7.3 // indirect
+	github.com/rogpeppe/go-internal v1.8.1 // indirect
+	github.com/theupdateframework/notary v0.6.1 // indirect
+	github.com/tonistiigi/fsutil v0.0.0-20220510150904-0dbf3a8a7d58 // indirect
+	github.com/tonistiigi/units v0.0.0-20180711220420-6950e57a87ea // indirect
+	github.com/tonistiigi/vt100 v0.0.0-20210615222946-8066bb97264f // indirect
+	github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect
+	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
+	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.29.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.29.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.29.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.4.1 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.4.1 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.4.1 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.4.1 // indirect
+	go.opentelemetry.io/otel/internal/metric v0.27.0 // indirect
+	go.opentelemetry.io/otel/metric v0.27.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.4.1 // indirect
+	go.opentelemetry.io/proto/otlp v0.12.0 // indirect
+	golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd // indirect
+	golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd // indirect
+	golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f // indirect
+	golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 // indirect
+	golang.org/x/text v0.3.7 // indirect
+	golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
+	google.golang.org/appengine v1.6.7 // indirect
+	google.golang.org/genproto v0.0.0-20220310185008-1973136f34c6 // indirect
+	google.golang.org/protobuf v1.27.1 // indirect
+	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/dancannon/gorethink.v3 v3.0.5 // indirect
 	gopkg.in/fatih/pool.v2 v2.0.0 // indirect
 	gopkg.in/gorethink/gorethink.v3 v3.0.5 // indirect
-	k8s.io/api v0.23.4
-	k8s.io/apimachinery v0.23.4
-	k8s.io/client-go v0.23.4
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	k8s.io/klog/v2 v2.30.0 // indirect
+	k8s.io/utils v0.0.0-20210930125809-cb0fa318a74b // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.1.2 // indirect
+	sigs.k8s.io/yaml v1.2.0 // indirect
 )

 replace (
-	github.com/docker/cli => github.com/docker/cli v20.10.3-0.20220226190722-8667ccd1124c+incompatible
-	github.com/docker/docker => github.com/docker/docker v20.10.3-0.20220121014307-40bb9831756f+incompatible
+	github.com/docker/cli => github.com/docker/cli v20.10.3-0.20220803220330-418ca3b4d46f+incompatible // master (v22.06-dev)
+	github.com/docker/docker => github.com/docker/docker v20.10.3-0.20220720171342-a60b458179aa+incompatible // 22.06 branch (v22.06-dev)
 	k8s.io/api => k8s.io/api v0.22.4
 	k8s.io/apimachinery => k8s.io/apimachinery v0.22.4
 	k8s.io/client-go => k8s.io/client-go v0.22.4
--- a/go.sum
+++ b/go.sum
--- a/hack/dockerfiles/authors.Dockerfile
+++ b/hack/dockerfiles/authors.Dockerfile
@@ -1,4 +1,4 @@
-# syntax=docker/dockerfile:1.3-labs
+# syntax=docker/dockerfile:1.4

 FROM alpine:3.14 AS gen
 RUN apk add --no-cache git
--- a/hack/dockerfiles/docs.Dockerfile
+++ b/hack/dockerfiles/docs.Dockerfile
@@ -1,6 +1,6 @@
-# syntax=docker/dockerfile:1.3-labs
+# syntax=docker/dockerfile:1.4

-ARG GO_VERSION=1.17
+ARG GO_VERSION=1.18
 ARG FORMATS=md,yaml

 FROM golang:${GO_VERSION}-alpine AS docsgen
@@ -14,6 +14,7 @@ RUN apk add --no-cache rsync git
 WORKDIR /src
 COPY --from=docsgen /out/docsgen /usr/bin
 ARG FORMATS
+ARG BUILDX_EXPERIMENTAL
 RUN --mount=target=/context \
  --mount=target=.,type=tmpfs <<EOT
 set -e
--- a/hack/dockerfiles/lint.Dockerfile
+++ b/hack/dockerfiles/lint.Dockerfile
@@ -1,12 +1,10 @@
-# syntax=docker/dockerfile:1.3
+# syntax=docker/dockerfile:1.4

-ARG GO_VERSION=1.17
+ARG GO_VERSION=1.18

 FROM golang:${GO_VERSION}-alpine
-RUN apk add --no-cache gcc musl-dev yamllint
-RUN wget -O- -nv https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s v1.36.0
+RUN apk add --no-cache git gcc musl-dev
+RUN wget -O- -nv https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s v1.45.2
 WORKDIR /go/src/github.com/docker/buildx
 RUN --mount=target=/go/src/github.com/docker/buildx --mount=target=/root/.cache,type=cache \
  golangci-lint run
-RUN --mount=target=/go/src/github.com/docker/buildx --mount=target=/root/.cache,type=cache \
-  yamllint -c .yamllint.yml --strict .
--- a/hack/dockerfiles/vendor.Dockerfile
+++ b/hack/dockerfiles/vendor.Dockerfile
@@ -1,6 +1,6 @@
-# syntax=docker/dockerfile:1.3-labs
+# syntax=docker/dockerfile:1.4

-ARG GO_VERSION=1.17
+ARG GO_VERSION=1.18
 ARG MODOUTDATED_VERSION=v0.8.0

 FROM golang:${GO_VERSION}-alpine AS base
@@ -13,7 +13,7 @@ RUN --mount=target=/context \
  --mount=target=/go/pkg/mod,type=cache <<EOT
 set -e
 rsync -a /context/. .
-go mod tidy
+go mod tidy -compat=1.17
 go mod vendor
 mkdir /out
 cp -r go.mod go.sum vendor /out
@@ -39,7 +39,6 @@ EOT

 FROM psampaz/go-mod-outdated:${MODOUTDATED_VERSION} AS go-mod-outdated
 FROM base AS outdated
-ARG _RANDOM
 RUN --mount=target=.,ro \
  --mount=target=/go/pkg/mod,type=cache \
  --mount=from=go-mod-outdated,source=/home/go-mod-outdated,target=/usr/bin/go-mod-outdated \
--- a/hack/hash-files
+++ b/hack/hash-files
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+set -eu -o pipefail
+
+: ${RELEASE_OUT=./release-out}
+
+# checksums
+if ! type shasum > /dev/null 2>&1; then
+  echo >&2 "ERROR: shasum is required"
+  exit 1
+fi
+find ./${RELEASE_OUT}/ -type f \( -iname "buildx-*" ! -iname "*darwin*" \) -print0 | sort -z | xargs -r0 shasum -a 256 -b | sed 's# .*/#  #' > ./${RELEASE_OUT}/checksums.txt
+
+# verify
+(
+  cd ./${RELEASE_OUT}
+  shasum -a 256 -U -c checksums.txt
+)
--- a/hack/release
+++ b/hack/release
@@ -4,17 +4,25 @@ set -eu -o pipefail

 : ${BUILDX_CMD=docker buildx}
 : ${RELEASE_OUT=./release-out}
+: ${CACHE_FROM=}
+: ${CACHE_TO=}
+
+if [ -n "$CACHE_FROM" ]; then
+  for cfrom in $CACHE_FROM; do
+    cacheFlags+=(--set "*.cache-from=$cfrom")
+  done
+fi
+if [ -n "$CACHE_TO" ]; then
+  for cto in $CACHE_TO; do
+    cacheFlags+=(--set "*.cache-to=$cto")
+  done
+fi

 # release
-(set -x ; ${BUILDX_CMD} bake --set "*.output=$RELEASE_OUT" release)
+(set -x ; ${BUILDX_CMD} bake "${cacheFlags[@]}" --set "*.output=$RELEASE_OUT" release)

 # wrap binaries
 mv -f ./${RELEASE_OUT}/**/* ./${RELEASE_OUT}/
 find ./${RELEASE_OUT} -type d -empty -delete

-# checksums
-if ! type shasum > /dev/null 2>&1; then
-  echo >&2 "ERROR: shasum is required"
-  exit 1
-fi
-find ./${RELEASE_OUT}/ -type f \( -iname "buildx-*" ! -iname "*darwin*" \) -print0 | sort -z | xargs -r0 shasum -a 256 -b | sed 's# .*/# #' > ./${RELEASE_OUT}/checksums.txt
+source ./hack/hash-files
--- a/hack/test-driver
+++ b/hack/test-driver
@@ -7,6 +7,7 @@ set -eu -o pipefail
 : ${BUILDKIT_CFG=}
 : ${DRIVER=docker-container}
 : ${DRIVER_OPT=}
+: ${ENDPOINT=}
 : ${MULTI_NODE=0}
 : ${PLATFORMS=linux/amd64,linux/arm64}

@@ -34,9 +35,11 @@ else
  buildPlatformFlag=--platform="${PLATFORMS}"
 fi

-driverOpt=image=${BUILDKIT_IMAGE}
+if [ "$DRIVER" != "remote" ]; then
+  driverOpt=${driverOpt:+"${driverOpt},"}image=${BUILDKIT_IMAGE}
+fi
 if [ -n "$DRIVER_OPT" ]; then
-  driverOpt=$driverOpt,$DRIVER_OPT
+  driverOpt=${driverOpt:+"${driverOpt},"}$DRIVER_OPT
 fi

 # create builder except for docker driver
@@ -52,11 +55,13 @@ if [ "$DRIVER" != "docker" ]; then
        createFlags="$createFlags --append"
      fi
      buildxCmd create ${createFlags} \
+        --bootstrap \
        --name="${builderName}" \
        --node="${builderName}-${platform/\//-}" \
+        --platform="${platform}" \
        --driver="${DRIVER}" \
-        --driver-opt="${driverOpt}" \
-        --platform="${platform}"
+        ${driverOpt:+"--driver-opt=${driverOpt}"} \
+        ${ENDPOINT}
      firstNode=0
    done
  else
@@ -65,10 +70,12 @@ if [ "$DRIVER" != "docker" ]; then
      createFlags="$createFlags --config=${BUILDKIT_CFG}"
    fi
    buildxCmd create ${createFlags} \
+      --bootstrap \
      --name="${builderName}" \
+      --platform="${PLATFORMS}" \
      --driver="${DRIVER}" \
-      --driver-opt="${driverOpt}" \
-      --platform="${PLATFORMS}"
+      ${driverOpt:+"--driver-opt=${driverOpt}"} \
+      ${ENDPOINT}
  fi
 fi

--- a/monitor/monitor.go
+++ b/monitor/monitor.go
@@ -0,0 +1,516 @@
+package monitor
+
+import (
+	"bufio"
+	"context"
+	"fmt"
+	"io"
+	"sync"
+
+	"github.com/docker/buildx/build"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/term"
+)
+
+const helpMessage = `
+Available commads are:
+  reload   reloads the context and build it.
+  rollback re-runs the interactive container with initial rootfs contents.
+  exit     exits monitor.
+  help     shows this message.
+`
+
+// RunMonitor provides an interactive session for running and managing containers via specified IO.
+func RunMonitor(ctx context.Context, containerConfig build.ContainerConfig, reloadFunc func(context.Context) (*build.ResultContext, error), stdin io.ReadCloser, stdout, stderr io.WriteCloser) error {
+	monitorIn, monitorOut := ioSetPipe()
+	defer monitorIn.Close()
+	monitorEnableCh := make(chan struct{})
+	monitorDisableCh := make(chan struct{})
+	monitorOutCtx := ioSetOutContext{monitorOut,
+		func() { monitorEnableCh <- struct{}{} },
+		func() { monitorDisableCh <- struct{}{} },
+	}
+
+	containerIn, containerOut := ioSetPipe()
+	defer containerIn.Close()
+	containerOutCtx := ioSetOutContext{containerOut,
+		// send newline to hopefully get the prompt; TODO: better UI (e.g. reprinting the last line)
+		func() { containerOut.stdin.Write([]byte("\n")) },
+		func() {},
+	}
+
+	m := &monitor{
+		invokeIO: newIOForwarder(containerIn),
+		muxIO: newMuxIO(ioSetIn{stdin, stdout, stderr}, []ioSetOutContext{monitorOutCtx, containerOutCtx}, 1, func(prev int, res int) string {
+			if prev == 0 && res == 0 {
+				// No toggle happened because container I/O isn't enabled.
+				return "No running interactive containers. You can start one by issuing rollback command\n"
+			}
+			return "Switched IO\n"
+		}),
+	}
+
+	// Start container automatically
+	fmt.Fprintf(stdout, "Launching interactive container. Press Ctrl-a-c to switch to monitor console\n")
+	m.rollback(ctx, containerConfig)
+
+	// Serve monitor commands
+	monitorForwarder := newIOForwarder(monitorIn)
+	for {
+		<-monitorEnableCh
+		in, out := ioSetPipe()
+		monitorForwarder.setDestination(&out)
+		doneCh, errCh := make(chan struct{}), make(chan error)
+		go func() {
+			defer close(doneCh)
+			defer in.Close()
+			go func() {
+				<-ctx.Done()
+				in.Close()
+			}()
+			t := term.NewTerminal(readWriter{in.stdin, in.stdout}, "(buildx) ")
+			for {
+				l, err := t.ReadLine()
+				if err != nil {
+					if err != io.EOF {
+						errCh <- err
+						return
+					}
+					return
+				}
+				switch l {
+				case "":
+					// nop
+				case "reload":
+					res, err := reloadFunc(ctx)
+					if err != nil {
+						fmt.Printf("failed to reload: %v\n", err)
+					} else {
+						// rollback the running container with the new result
+						containerConfig.ResultCtx = res
+						m.rollback(ctx, containerConfig)
+						fmt.Fprint(stdout, "Interactive container was restarted. Press Ctrl-a-c to switch to the new container\n")
+					}
+				case "rollback":
+					m.rollback(ctx, containerConfig)
+					fmt.Fprint(stdout, "Interactive container was restarted. Press Ctrl-a-c to switch to the new container\n")
+				case "exit":
+					return
+				case "help":
+					fmt.Fprint(stdout, helpMessage)
+				default:
+					fmt.Printf("unknown command: %q\n", l)
+					fmt.Fprint(stdout, helpMessage)
+				}
+			}
+		}()
+		select {
+		case <-doneCh:
+			if m.curInvokeCancel != nil {
+				m.curInvokeCancel()
+			}
+			return nil
+		case err := <-errCh:
+			if m.curInvokeCancel != nil {
+				m.curInvokeCancel()
+			}
+			return err
+		case <-monitorDisableCh:
+		}
+		monitorForwarder.setDestination(nil)
+	}
+}
+
+type readWriter struct {
+	io.Reader
+	io.Writer
+}
+
+type monitor struct {
+	muxIO           *muxIO
+	invokeIO        *ioForwarder
+	curInvokeCancel func()
+}
+
+func (m *monitor) rollback(ctx context.Context, cfg build.ContainerConfig) {
+	if m.curInvokeCancel != nil {
+		m.curInvokeCancel() // Finish the running container if exists
+	}
+	go func() {
+		// Start a new container
+		if err := m.invoke(ctx, cfg); err != nil {
+			logrus.Debugf("invoke error: %v", err)
+		}
+	}()
+}
+
+func (m *monitor) invoke(ctx context.Context, cfg build.ContainerConfig) error {
+	m.muxIO.enable(1)
+	defer m.muxIO.disable(1)
+	invokeCtx, invokeCancel := context.WithCancel(ctx)
+
+	containerIn, containerOut := ioSetPipe()
+	m.invokeIO.setDestination(&containerOut)
+	waitInvokeDoneCh := make(chan struct{})
+	var cancelOnce sync.Once
+	curInvokeCancel := func() {
+		cancelOnce.Do(func() {
+			containerIn.Close()
+			m.invokeIO.setDestination(nil)
+			invokeCancel()
+		})
+		<-waitInvokeDoneCh
+	}
+	defer curInvokeCancel()
+	m.curInvokeCancel = curInvokeCancel
+
+	cfg.Stdin = containerIn.stdin
+	cfg.Stdout = containerIn.stdout
+	cfg.Stderr = containerIn.stderr
+	err := build.Invoke(invokeCtx, cfg)
+	close(waitInvokeDoneCh)
+
+	return err
+}
+
+type ioForwarder struct {
+	curIO    *ioSetOut
+	mu       sync.Mutex
+	updateCh chan struct{}
+}
+
+func newIOForwarder(in ioSetIn) *ioForwarder {
+	f := &ioForwarder{
+		updateCh: make(chan struct{}),
+	}
+	doneCh := make(chan struct{})
+	go func() {
+		for {
+			f.mu.Lock()
+			w := f.curIO
+			f.mu.Unlock()
+			if w != nil && w.stdout != nil && w.stderr != nil {
+				go func() {
+					if _, err := io.Copy(in.stdout, w.stdout); err != nil && err != io.ErrClosedPipe {
+						// ErrClosedPipe is OK as we close this read end during setDestination.
+						logrus.WithError(err).Warnf("failed to forward stdout: %v", err)
+					}
+				}()
+				go func() {
+					if _, err := io.Copy(in.stderr, w.stderr); err != nil && err != io.ErrClosedPipe {
+						// ErrClosedPipe is OK as we close this read end during setDestination.
+						logrus.WithError(err).Warnf("failed to forward stderr: %v", err)
+					}
+				}()
+			}
+			select {
+			case <-f.updateCh:
+			case <-doneCh:
+				return
+			}
+		}
+	}()
+	go func() {
+		if err := copyToFunc(in.stdin, func() (io.Writer, error) {
+			f.mu.Lock()
+			w := f.curIO
+			f.mu.Unlock()
+			if w != nil {
+				return w.stdin, nil
+			}
+			return nil, nil
+		}); err != nil && err != io.ErrClosedPipe {
+			logrus.WithError(err).Warnf("failed to forward IO: %v", err)
+		}
+		close(doneCh)
+
+		if w := f.curIO; w != nil {
+			// Propagate close
+			if err := w.Close(); err != nil {
+				logrus.WithError(err).Warnf("failed to forwarded stdin IO: %v", err)
+			}
+		}
+	}()
+	return f
+}
+
+func (f *ioForwarder) setDestination(out *ioSetOut) {
+	f.mu.Lock()
+	if f.curIO != nil {
+		// close all stream on the current IO no to mix with the new IO
+		f.curIO.Close()
+	}
+	f.curIO = out
+	f.mu.Unlock()
+	f.updateCh <- struct{}{}
+}
+
+type ioSetOutContext struct {
+	ioSetOut
+	enableHook  func()
+	disableHook func()
+}
+
+// newMuxIO forwards IO stream to/from "in" and "outs".
+// "outs" are closed automatically when "in" reaches EOF.
+// "in" doesn't closed automatically so the caller needs to explicitly close it.
+func newMuxIO(in ioSetIn, out []ioSetOutContext, initIdx int, toggleMessage func(prev int, res int) string) *muxIO {
+	m := &muxIO{
+		enabled:       make(map[int]struct{}),
+		in:            in,
+		out:           out,
+		closedCh:      make(chan struct{}),
+		toggleMessage: toggleMessage,
+	}
+	for i := range out {
+		m.enabled[i] = struct{}{}
+	}
+	m.maxCur = len(out)
+	m.cur = initIdx
+	var wg sync.WaitGroup
+	var mu sync.Mutex
+	for i, o := range out {
+		i, o := i, o
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			if err := copyToFunc(o.stdout, func() (io.Writer, error) {
+				if m.cur == i {
+					return in.stdout, nil
+				}
+				return nil, nil
+			}); err != nil {
+				logrus.WithField("output index", i).WithError(err).Warnf("failed to write stdout")
+			}
+			if err := o.stdout.Close(); err != nil {
+				logrus.WithField("output index", i).WithError(err).Warnf("failed to close stdout")
+			}
+		}()
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			if err := copyToFunc(o.stderr, func() (io.Writer, error) {
+				if m.cur == i {
+					return in.stderr, nil
+				}
+				return nil, nil
+			}); err != nil {
+				logrus.WithField("output index", i).WithError(err).Warnf("failed to write stderr")
+			}
+			if err := o.stderr.Close(); err != nil {
+				logrus.WithField("output index", i).WithError(err).Warnf("failed to close stderr")
+			}
+		}()
+	}
+	go func() {
+		errToggle := errors.Errorf("toggle IO")
+		for {
+			prevIsControlSequence := false
+			if err := copyToFunc(traceReader(in.stdin, func(r rune) (bool, error) {
+				// Toggle IO when it detects C-a-c
+				// TODO: make it configurable if needed
+				if int(r) == 1 {
+					prevIsControlSequence = true
+					return false, nil
+				}
+				defer func() { prevIsControlSequence = false }()
+				if prevIsControlSequence {
+					if string(r) == "c" {
+						return false, errToggle
+					}
+				}
+				return true, nil
+			}), func() (io.Writer, error) {
+				mu.Lock()
+				o := out[m.cur]
+				mu.Unlock()
+				return o.stdin, nil
+			}); !errors.Is(err, errToggle) {
+				if err != nil {
+					logrus.WithError(err).Warnf("failed to read stdin")
+				}
+				break
+			}
+			m.toggleIO()
+		}
+
+		// propagate stdin EOF
+		for i, o := range out {
+			if err := o.stdin.Close(); err != nil {
+				logrus.WithError(err).Warnf("failed to close stdin of %d", i)
+			}
+		}
+		wg.Wait()
+		close(m.closedCh)
+	}()
+	return m
+}
+
+type muxIO struct {
+	cur           int
+	maxCur        int
+	enabled       map[int]struct{}
+	mu            sync.Mutex
+	in            ioSetIn
+	out           []ioSetOutContext
+	closedCh      chan struct{}
+	toggleMessage func(prev int, res int) string
+}
+
+func (m *muxIO) waitClosed() {
+	<-m.closedCh
+}
+
+func (m *muxIO) enable(i int) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	m.enabled[i] = struct{}{}
+}
+
+func (m *muxIO) disable(i int) error {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	if i == 0 {
+		return errors.Errorf("disabling 0th io is prohibited")
+	}
+	delete(m.enabled, i)
+	if m.cur == i {
+		m.toggleIO()
+	}
+	return nil
+}
+
+func (m *muxIO) toggleIO() {
+	if m.out[m.cur].disableHook != nil {
+		m.out[m.cur].disableHook()
+	}
+	prev := m.cur
+	for {
+		if m.cur+1 >= m.maxCur {
+			m.cur = 0
+		} else {
+			m.cur++
+		}
+		if _, ok := m.enabled[m.cur]; !ok {
+			continue
+		}
+		break
+	}
+	res := m.cur
+	if m.out[m.cur].enableHook != nil {
+		m.out[m.cur].enableHook()
+	}
+	fmt.Fprint(m.in.stdout, m.toggleMessage(prev, res))
+}
+
+func traceReader(r io.ReadCloser, f func(rune) (bool, error)) io.ReadCloser {
+	pr, pw := io.Pipe()
+	go func() {
+		br := bufio.NewReader(r)
+		for {
+			rn, _, err := br.ReadRune()
+			if err != nil {
+				if err == io.EOF {
+					pw.Close()
+					return
+				}
+				pw.CloseWithError(err)
+				return
+			}
+			if isWrite, err := f(rn); err != nil {
+				pw.CloseWithError(err)
+				return
+			} else if !isWrite {
+				continue
+			}
+			if _, err := pw.Write([]byte(string(rn))); err != nil {
+				pw.CloseWithError(err)
+				return
+			}
+		}
+	}()
+	return &readerWithClose{
+		Reader: pr,
+		closeFunc: func() error {
+			pr.Close()
+			return r.Close()
+		},
+	}
+}
+
+func copyToFunc(r io.Reader, wFunc func() (io.Writer, error)) error {
+	buf := make([]byte, 4096)
+	for {
+		n, readErr := r.Read(buf)
+		if readErr != nil && readErr != io.EOF {
+			return readErr
+		}
+		w, err := wFunc()
+		if err != nil {
+			return err
+		}
+		if w != nil {
+			if _, err := w.Write(buf[:n]); err != nil {
+				logrus.WithError(err).Debugf("failed to copy")
+			}
+		}
+		if readErr == io.EOF {
+			return nil
+		}
+	}
+}
+
+func ioSetPipe() (ioSetIn, ioSetOut) {
+	r1, w1 := io.Pipe()
+	r2, w2 := io.Pipe()
+	r3, w3 := io.Pipe()
+	return ioSetIn{r1, w2, w3}, ioSetOut{w1, r2, r3}
+}
+
+type ioSetIn struct {
+	stdin  io.ReadCloser
+	stdout io.WriteCloser
+	stderr io.WriteCloser
+}
+
+func (s ioSetIn) Close() (retErr error) {
+	if err := s.stdin.Close(); err != nil {
+		retErr = err
+	}
+	if err := s.stdout.Close(); err != nil {
+		retErr = err
+	}
+	if err := s.stderr.Close(); err != nil {
+		retErr = err
+	}
+	return
+}
+
+type ioSetOut struct {
+	stdin  io.WriteCloser
+	stdout io.ReadCloser
+	stderr io.ReadCloser
+}
+
+func (s ioSetOut) Close() (retErr error) {
+	if err := s.stdin.Close(); err != nil {
+		retErr = err
+	}
+	if err := s.stdout.Close(); err != nil {
+		retErr = err
+	}
+	if err := s.stderr.Close(); err != nil {
+		retErr = err
+	}
+	return
+}
+
+type readerWithClose struct {
+	io.Reader
+	closeFunc func() error
+}
+
+func (r *readerWithClose) Close() error {
+	return r.closeFunc()
+}
--- a/monitor/monitor_test.go
+++ b/monitor/monitor_test.go
@@ -0,0 +1,321 @@
+package monitor
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"regexp"
+	"strings"
+	"testing"
+
+	"golang.org/x/sync/errgroup"
+)
+
+// TestMuxIO tests muxIO
+func TestMuxIO(t *testing.T) {
+	tests := []struct {
+		name       string
+		inputs     []instruction
+		initIdx    int
+		outputsNum int
+		wants      []string
+
+		// Everytime string is written to the mux stdin, the output end
+		// that received the string write backs to the string that is masked with
+		// its index number. This is useful to check if writeback is written from the
+		// expected output destination.
+		wantsMaskedOutput string
+	}{
+		{
+			name: "single output",
+			inputs: []instruction{
+				input("foo\nbar\n"),
+				toggle(),
+				input("1234"),
+				toggle(),
+				input("456"),
+			},
+			initIdx:           0,
+			outputsNum:        1,
+			wants:             []string{"foo\nbar\n1234456"},
+			wantsMaskedOutput: `^0+$`,
+		},
+		{
+			name: "multi output",
+			inputs: []instruction{
+				input("foo\nbar\n"),
+				toggle(),
+				input("12" + string([]rune{rune(1)}) + "34abc"),
+				toggle(),
+				input("456"),
+			},
+			initIdx:           0,
+			outputsNum:        3,
+			wants:             []string{"foo\nbar\n", "1234abc", "456"},
+			wantsMaskedOutput: `^0+1+2+$`,
+		},
+		{
+			name: "multi output with nonzero index",
+			inputs: []instruction{
+				input("foo\nbar\n"),
+				toggle(),
+				input("1234"),
+				toggle(),
+				input("456"),
+			},
+			initIdx:           1,
+			outputsNum:        3,
+			wants:             []string{"456", "foo\nbar\n", "1234"},
+			wantsMaskedOutput: `^1+2+0+$`,
+		},
+		{
+			name: "multi output many toggles",
+			inputs: []instruction{
+				input("foo\nbar\n"),
+				toggle(),
+				input("1234"),
+				toggle(),
+				toggle(),
+				input("456"),
+				toggle(),
+				input("%%%%"),
+				toggle(),
+				toggle(),
+				toggle(),
+				input("aaaa"),
+			},
+			initIdx:           0,
+			outputsNum:        3,
+			wants:             []string{"foo\nbar\n456", "1234%%%%aaaa", ""},
+			wantsMaskedOutput: `^0+1+0+1+$`,
+		},
+		{
+			name: "enable disable",
+			inputs: []instruction{
+				input("foo\nbar\n"),
+				toggle(),
+				input("1234"),
+				toggle(),
+				input("456"),
+				disable(2),
+				input("%%%%"),
+				enable(2),
+				toggle(),
+				toggle(),
+				input("aaa"),
+				disable(2),
+				disable(1),
+				input("1111"),
+				toggle(),
+				input("2222"),
+				toggle(),
+				input("3333"),
+			},
+			initIdx:           0,
+			outputsNum:        3,
+			wants:             []string{"foo\nbar\n%%%%111122223333", "1234", "456aaa"},
+			wantsMaskedOutput: `^0+1+2+0+2+0+$`,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			inBuf, end, in := newTestIn(t)
+			var outBufs []*outBuf
+			var outs []ioSetOutContext
+			if tt.outputsNum != len(tt.wants) {
+				t.Fatalf("wants != outputsNum")
+			}
+			for i := 0; i < tt.outputsNum; i++ {
+				outBuf, out := newTestOut(t, i)
+				outBufs = append(outBufs, outBuf)
+				outs = append(outs, ioSetOutContext{out, nil, nil})
+			}
+			mio := newMuxIO(in, outs, tt.initIdx, func(prev int, res int) string { return "" })
+			for _, i := range tt.inputs {
+				// Add input to muxIO
+				istr, writeback := i(mio)
+				if _, err := end.stdin.Write([]byte(istr)); err != nil {
+					t.Fatalf("failed to write data to stdin: %v", err)
+				}
+
+				// Wait for writeback of this input
+				var eg errgroup.Group
+				eg.Go(func() error {
+					outbuf := make([]byte, len(writeback))
+					if _, err := io.ReadAtLeast(end.stdout, outbuf, len(outbuf)); err != nil {
+						return err
+					}
+					return nil
+				})
+				eg.Go(func() error {
+					errbuf := make([]byte, len(writeback))
+					if _, err := io.ReadAtLeast(end.stderr, errbuf, len(errbuf)); err != nil {
+						return err
+					}
+					return nil
+				})
+				if err := eg.Wait(); err != nil {
+					t.Fatalf("failed to wait for output: %v", err)
+				}
+			}
+
+			// Close stdin on this muxIO
+			end.stdin.Close()
+
+			// Wait for all output ends reach EOF
+			mio.waitClosed()
+
+			// Close stdout/stderr as well
+			in.Close()
+
+			// Check if each output end received expected string
+			<-inBuf.doneCh
+			for i, o := range outBufs {
+				<-o.doneCh
+				if o.stdin != tt.wants[i] {
+					t.Fatalf("output[%d]: got %q; wanted %q", i, o.stdin, tt.wants[i])
+				}
+			}
+
+			// Check if expected string is returned from expected outputs
+			if !regexp.MustCompile(tt.wantsMaskedOutput).MatchString(inBuf.stdout) {
+				t.Fatalf("stdout: got %q; wanted %q", inBuf.stdout, tt.wantsMaskedOutput)
+			}
+			if !regexp.MustCompile(tt.wantsMaskedOutput).MatchString(inBuf.stderr) {
+				t.Fatalf("stderr: got %q; wanted %q", inBuf.stderr, tt.wantsMaskedOutput)
+			}
+		})
+	}
+}
+
+type instruction func(m *muxIO) (intput string, writeBackView string)
+
+func input(s string) instruction {
+	return func(m *muxIO) (string, string) {
+		return s, strings.ReplaceAll(s, string([]rune{rune(1)}), "")
+	}
+}
+
+func toggle() instruction {
+	return func(m *muxIO) (string, string) {
+		return string([]rune{rune(1)}) + "c", ""
+	}
+}
+
+func enable(i int) instruction {
+	return func(m *muxIO) (string, string) {
+		m.enable(i)
+		return "", ""
+	}
+}
+
+func disable(i int) instruction {
+	return func(m *muxIO) (string, string) {
+		m.disable(i)
+		return "", ""
+	}
+}
+
+type inBuf struct {
+	stdout string
+	stderr string
+	doneCh chan struct{}
+}
+
+func newTestIn(t *testing.T) (*inBuf, ioSetOut, ioSetIn) {
+	ti := &inBuf{
+		doneCh: make(chan struct{}),
+	}
+	gotOutR, gotOutW := io.Pipe()
+	gotErrR, gotErrW := io.Pipe()
+	outR, outW := io.Pipe()
+	var eg errgroup.Group
+	eg.Go(func() error {
+		buf := new(bytes.Buffer)
+		if _, err := io.Copy(io.MultiWriter(gotOutW, buf), outR); err != nil {
+			return err
+		}
+		ti.stdout = buf.String()
+		return nil
+	})
+	errR, errW := io.Pipe()
+	eg.Go(func() error {
+		buf := new(bytes.Buffer)
+		if _, err := io.Copy(io.MultiWriter(gotErrW, buf), errR); err != nil {
+			return err
+		}
+		ti.stderr = buf.String()
+		return nil
+	})
+	go func() {
+		eg.Wait()
+		close(ti.doneCh)
+	}()
+	inR, inW := io.Pipe()
+	return ti, ioSetOut{inW, gotOutR, gotErrR}, ioSetIn{inR, outW, errW}
+}
+
+type outBuf struct {
+	idx    int
+	stdin  string
+	doneCh chan struct{}
+}
+
+func newTestOut(t *testing.T, idx int) (*outBuf, ioSetOut) {
+	to := &outBuf{
+		idx:    idx,
+		doneCh: make(chan struct{}),
+	}
+	inR, inW := io.Pipe()
+	outR, outW := io.Pipe()
+	errR, errW := io.Pipe()
+	go func() {
+		defer inR.Close()
+		defer outW.Close()
+		defer errW.Close()
+		buf := new(bytes.Buffer)
+		mw := io.MultiWriter(buf,
+			writeMasked(outW, fmt.Sprintf("%d", to.idx)),
+			writeMasked(errW, fmt.Sprintf("%d", to.idx)),
+		)
+		if _, err := io.Copy(mw, inR); err != nil {
+			inR.CloseWithError(err)
+			outW.CloseWithError(err)
+			errW.CloseWithError(err)
+			return
+		}
+		to.stdin = string(buf.Bytes())
+		outW.Close()
+		errW.Close()
+		close(to.doneCh)
+	}()
+	return to, ioSetOut{inW, outR, errR}
+}
+
+func writeMasked(w io.Writer, s string) io.Writer {
+	buf := make([]byte, 4096)
+	pr, pw := io.Pipe()
+	go func() {
+		for {
+			n, readErr := pr.Read(buf)
+			if readErr != nil && readErr != io.EOF {
+				pr.CloseWithError(readErr)
+				return
+			}
+			var masked string
+			for i := 0; i < n; i++ {
+				masked += s
+			}
+			if _, err := w.Write([]byte(masked)); err != nil {
+				pr.CloseWithError(err)
+				return
+			}
+			if readErr == io.EOF {
+				pr.Close()
+				return
+			}
+		}
+	}()
+	return pw
+}
--- a/store/nodegroup.go
+++ b/store/nodegroup.go
@@ -8,6 +8,7 @@ import (
 	"github.com/docker/buildx/util/platformutil"
 	specs "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 )

 type NodeGroup struct {
@@ -59,17 +60,42 @@ func (ng *NodeGroup) Update(name, endpoint string, platforms []string, endpoints
 		return err
 	}

+	var files map[string][]byte
+	if configFile != "" {
+		files, err = confutil.LoadConfigFiles(configFile)
+		if err != nil {
+			return err
+		}
+	}
+
 	if i != -1 {
 		n := ng.Nodes[i]
+		needsRestart := false
 		if endpointsSet {
 			n.Endpoint = endpoint
+			needsRestart = true
 		}
 		if len(platforms) > 0 {
 			n.Platforms = pp
 		}
 		if flags != nil {
 			n.Flags = flags
+			needsRestart = true
 		}
+		if do != nil {
+			n.DriverOpts = do
+			needsRestart = true
+		}
+		if configFile != "" {
+			for k, v := range files {
+				n.Files[k] = v
+			}
+			needsRestart = true
+		}
+		if needsRestart {
+			logrus.Warn("new settings may not be used until builder is restarted")
+		}
+
 		ng.Nodes[i] = n
 		if err := ng.validateDuplicates(endpoint, i); err != nil {
 			return err
@@ -92,14 +118,7 @@ func (ng *NodeGroup) Update(name, endpoint string, platforms []string, endpoints
 		Platforms:  pp,
 		Flags:      flags,
 		DriverOpts: do,
-	}
-
-	if configFile != "" {
-		files, err := confutil.LoadConfigFiles(configFile)
-		if err != nil {
-			return err
-		}
-		n.Files = files
+		Files:      files,
 	}

 	ng.Nodes = append(ng.Nodes, n)
@@ -110,6 +129,44 @@ func (ng *NodeGroup) Update(name, endpoint string, platforms []string, endpoints
 	return nil
 }

+func (ng *NodeGroup) Copy() *NodeGroup {
+	nodes := make([]Node, len(ng.Nodes))
+	for i, node := range ng.Nodes {
+		nodes[i] = *node.Copy()
+	}
+	return &NodeGroup{
+		Name:    ng.Name,
+		Driver:  ng.Driver,
+		Nodes:   nodes,
+		Dynamic: ng.Dynamic,
+	}
+}
+
+func (n *Node) Copy() *Node {
+	platforms := []specs.Platform{}
+	copy(platforms, n.Platforms)
+	flags := []string{}
+	copy(flags, n.Flags)
+	driverOpts := map[string]string{}
+	for k, v := range n.DriverOpts {
+		driverOpts[k] = v
+	}
+	files := map[string][]byte{}
+	for k, v := range n.Files {
+		vv := []byte{}
+		copy(vv, v)
+		files[k] = vv
+	}
+	return &Node{
+		Name:       n.Name,
+		Endpoint:   n.Endpoint,
+		Platforms:  platforms,
+		Flags:      flags,
+		DriverOpts: driverOpts,
+		Files:      files,
+	}
+}
+
 func (ng *NodeGroup) validateDuplicates(ep string, idx int) error {
 	i := 0
 	for _, n := range ng.Nodes {
--- a/store/store.go
+++ b/store/store.go
@@ -2,7 +2,6 @@ package store

 import (
 	"encoding/json"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"regexp"
@@ -46,7 +45,7 @@ type Txn struct {

 func (t *Txn) List() ([]*NodeGroup, error) {
 	pp := filepath.Join(t.s.root, "instances")
-	fis, err := ioutil.ReadDir(pp)
+	fis, err := os.ReadDir(pp)
 	if err != nil {
 		return nil, err
 	}
@@ -75,7 +74,7 @@ func (t *Txn) NodeGroupByName(name string) (*NodeGroup, error) {
 	if err != nil {
 		return nil, err
 	}
-	dt, err := ioutil.ReadFile(filepath.Join(t.s.root, "instances", name))
+	dt, err := os.ReadFile(filepath.Join(t.s.root, "instances", name))
 	if err != nil {
 		return nil, err
 	}
@@ -144,7 +143,7 @@ func (t *Txn) reset(key string) error {
 }

 func (t *Txn) Current(key string) (*NodeGroup, error) {
-	dt, err := ioutil.ReadFile(filepath.Join(t.s.root, "current"))
+	dt, err := os.ReadFile(filepath.Join(t.s.root, "current"))
 	if err != nil {
 		if !os.IsNotExist(err) {
 			return nil, err
@@ -175,7 +174,7 @@ func (t *Txn) Current(key string) (*NodeGroup, error) {

 	h := toHash(key)

-	dt, err = ioutil.ReadFile(filepath.Join(t.s.root, "defaults", h))
+	dt, err = os.ReadFile(filepath.Join(t.s.root, "defaults", h))
 	if err != nil {
 		if os.IsNotExist(err) {
 			t.reset(key)
--- a/store/store_test.go
+++ b/store/store_test.go
@@ -1,7 +1,6 @@
 package store

 import (
-	"io/ioutil"
 	"os"
 	"testing"
 	"time"
@@ -12,7 +11,7 @@ import (

 func TestEmptyStartup(t *testing.T) {
 	t.Parallel()
-	tmpdir, err := ioutil.TempDir("", "buildx-store")
+	tmpdir, err := os.MkdirTemp("", "buildx-store")
 	require.NoError(t, err)
 	defer os.RemoveAll(tmpdir)

@@ -30,7 +29,7 @@ func TestEmptyStartup(t *testing.T) {

 func TestNodeLocking(t *testing.T) {
 	t.Parallel()
-	tmpdir, err := ioutil.TempDir("", "buildx-store")
+	tmpdir, err := os.MkdirTemp("", "buildx-store")
 	require.NoError(t, err)
 	defer os.RemoveAll(tmpdir)

@@ -65,7 +64,7 @@ func TestNodeLocking(t *testing.T) {

 func TestNodeManagement(t *testing.T) {
 	t.Parallel()
-	tmpdir, err := ioutil.TempDir("", "buildx-store")
+	tmpdir, err := os.MkdirTemp("", "buildx-store")
 	require.NoError(t, err)
 	defer os.RemoveAll(tmpdir)

--- a/util/confutil/config.go
+++ b/util/confutil/config.go
@@ -2,6 +2,7 @@ package confutil

 import (
 	"os"
+	"path"
 	"path/filepath"

 	"github.com/docker/cli/cli/command"
@@ -24,6 +25,15 @@ func ConfigDir(dockerCli command.Cli) string {
 	return buildxConfig
 }

+// DefaultConfigFile returns the default BuildKit configuration file path
+func DefaultConfigFile(dockerCli command.Cli) (string, bool) {
+	f := path.Join(ConfigDir(dockerCli), "buildkitd.default.toml")
+	if _, err := os.Stat(f); err == nil {
+		return f, true
+	}
+	return "", false
+}
+
 // loadConfigTree loads BuildKit config toml tree
 func loadConfigTree(fp string) (*toml.Tree, error) {
 	f, err := os.Open(fp)
--- a/util/imagetools/create.go
+++ b/util/imagetools/create.go
@@ -4,12 +4,15 @@ import (
 	"bytes"
 	"context"
 	"encoding/json"
+	"net/url"
+	"strings"

 	"github.com/containerd/containerd/content"
 	"github.com/containerd/containerd/errdefs"
 	"github.com/containerd/containerd/images"
 	"github.com/containerd/containerd/platforms"
 	"github.com/docker/distribution/reference"
+	"github.com/moby/buildkit/util/contentutil"
 	"github.com/opencontainers/go-digest"
 	"github.com/opencontainers/image-spec/specs-go"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
@@ -17,46 +20,46 @@ import (
 	"golang.org/x/sync/errgroup"
 )

-func (r *Resolver) Combine(ctx context.Context, in string, descs []ocispec.Descriptor) ([]byte, ocispec.Descriptor, error) {
-	ref, err := parseRef(in)
-	if err != nil {
-		return nil, ocispec.Descriptor{}, err
-	}
+type Source struct {
+	Desc ocispec.Descriptor
+	Ref  reference.Named
+}

+func (r *Resolver) Combine(ctx context.Context, srcs []*Source) ([]byte, ocispec.Descriptor, error) {
 	eg, ctx := errgroup.WithContext(ctx)

-	dts := make([][]byte, len(descs))
+	dts := make([][]byte, len(srcs))
 	for i := range dts {
 		func(i int) {
 			eg.Go(func() error {
-				dt, err := r.GetDescriptor(ctx, ref.String(), descs[i])
+				dt, err := r.GetDescriptor(ctx, srcs[i].Ref.String(), srcs[i].Desc)
 				if err != nil {
 					return err
 				}
 				dts[i] = dt

-				if descs[i].MediaType == "" {
+				if srcs[i].Desc.MediaType == "" {
 					mt, err := detectMediaType(dt)
 					if err != nil {
 						return err
 					}
-					descs[i].MediaType = mt
+					srcs[i].Desc.MediaType = mt
 				}

-				mt := descs[i].MediaType
+				mt := srcs[i].Desc.MediaType

 				switch mt {
 				case images.MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest:
-					p := descs[i].Platform
-					if descs[i].Platform == nil {
+					p := srcs[i].Desc.Platform
+					if srcs[i].Desc.Platform == nil {
 						p = &ocispec.Platform{}
 					}
 					if p.OS == "" || p.Architecture == "" {
-						if err := r.loadPlatform(ctx, p, in, dt); err != nil {
+						if err := r.loadPlatform(ctx, p, srcs[i].Ref.String(), dt); err != nil {
 							return err
 						}
 					}
-					descs[i].Platform = p
+					srcs[i].Desc.Platform = p
 				case images.MediaTypeDockerSchema1Manifest:
 					return errors.Errorf("schema1 manifests are not allowed in manifest lists")
 				}
@@ -71,14 +74,14 @@ func (r *Resolver) Combine(ctx context.Context, in string, descs []ocispec.Descr
 	}

 	// on single source, return original bytes
-	if len(descs) == 1 {
-		if mt := descs[0].MediaType; mt == images.MediaTypeDockerSchema2ManifestList || mt == ocispec.MediaTypeImageIndex {
-			return dts[0], descs[0], nil
+	if len(srcs) == 1 {
+		if mt := srcs[0].Desc.MediaType; mt == images.MediaTypeDockerSchema2ManifestList || mt == ocispec.MediaTypeImageIndex {
+			return dts[0], srcs[0].Desc, nil
 		}
 	}

 	m := map[digest.Digest]int{}
-	newDescs := make([]ocispec.Descriptor, 0, len(descs))
+	newDescs := make([]ocispec.Descriptor, 0, len(srcs))

 	addDesc := func(d ocispec.Descriptor) {
 		idx, ok := m[d.Digest]
@@ -103,8 +106,8 @@ func (r *Resolver) Combine(ctx context.Context, in string, descs []ocispec.Descr
 		}
 	}

-	for i, desc := range descs {
-		switch desc.MediaType {
+	for i, src := range srcs {
+		switch src.Desc.MediaType {
 		case images.MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex:
 			var mfst ocispec.Index
 			if err := json.Unmarshal(dts[i], &mfst); err != nil {
@@ -114,7 +117,7 @@ func (r *Resolver) Combine(ctx context.Context, in string, descs []ocispec.Descr
 				addDesc(d)
 			}
 		default:
-			addDesc(desc)
+			addDesc(src.Desc)
 		}
 	}

@@ -169,6 +172,37 @@ func (r *Resolver) Push(ctx context.Context, ref reference.Named, desc ocispec.D
 	return err
 }

+func (r *Resolver) Copy(ctx context.Context, src *Source, dest reference.Named) error {
+	dest = reference.TagNameOnly(dest)
+	p, err := r.resolver().Pusher(ctx, dest.String())
+	if err != nil {
+		return err
+	}
+
+	srcRef := reference.TagNameOnly(src.Ref)
+	f, err := r.resolver().Fetcher(ctx, srcRef.String())
+	if err != nil {
+		return err
+	}
+
+	refspec := reference.TrimNamed(src.Ref).String()
+	u, err := url.Parse("dummy://" + refspec)
+	if err != nil {
+		return err
+	}
+	source, repo := u.Hostname(), strings.TrimPrefix(u.Path, "/")
+	if src.Desc.Annotations == nil {
+		src.Desc.Annotations = make(map[string]string)
+	}
+	src.Desc.Annotations["containerd.io/distribution.source."+source] = repo
+
+	err = contentutil.CopyChain(ctx, contentutil.FromPusher(p), contentutil.FromFetcher(f), src.Desc)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
 func (r *Resolver) loadPlatform(ctx context.Context, p2 *ocispec.Platform, in string, dt []byte) error {
 	var manifest ocispec.Manifest
 	if err := json.Unmarshal(dt, &manifest); err != nil {
--- a/util/imagetools/printers.go
+++ b/util/imagetools/printers.go
@@ -2,13 +2,13 @@ package imagetools

 import (
 	"context"
-	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"io"
 	"os"
 	"sort"
 	"strings"
+	"sync"
 	"text/tabwriter"
 	"text/template"

@@ -16,9 +16,9 @@ import (
 	"github.com/containerd/containerd/platforms"
 	"github.com/docker/distribution/reference"
 	binfotypes "github.com/moby/buildkit/util/buildinfo/types"
+	"github.com/moby/buildkit/util/imageutil"
 	"github.com/opencontainers/go-digest"
 	ocispecs "github.com/opencontainers/image-spec/specs-go/v1"
-	"github.com/pkg/errors"
 	"golang.org/x/sync/errgroup"
 )

@@ -60,7 +60,9 @@ func NewPrinter(ctx context.Context, opt Opt, name string, format string) (*Prin
 	switch manifest.MediaType {
 	case images.MediaTypeDockerSchema2ManifestList, ocispecs.MediaTypeImageIndex:
 		for _, m := range index.Manifests {
-			pforms = append(pforms, *m.Platform)
+			if m.Platform != nil {
+				pforms = append(pforms, *m.Platform)
+			}
 		}
 	default:
 		pforms = append(pforms, platforms.DefaultSpec())
@@ -111,7 +113,9 @@ func (p *Printer) Print(raw bool, out io.Writer) error {
 	}

 	imageconfigs := make(map[string]*ocispecs.Image)
+	imageconfigsMutex := sync.Mutex{}
 	buildinfos := make(map[string]*binfotypes.BuildInfo)
+	buildinfosMutex := sync.Mutex{}

 	eg, _ := errgroup.WithContext(p.ctx)
 	for _, platform := range p.platforms {
@@ -121,12 +125,16 @@ func (p *Printer) Print(raw bool, out io.Writer) error {
 				if err != nil {
 					return err
 				} else if img != nil {
+					imageconfigsMutex.Lock()
 					imageconfigs[platforms.Format(platform)] = img
+					imageconfigsMutex.Unlock()
 				}
-				if bi, err := p.getBuildInfo(dtic); err != nil {
+				if bi, err := imageutil.BuildInfo(dtic); err != nil {
 					return err
 				} else if bi != nil {
+					buildinfosMutex.Lock()
 					buildinfos[platforms.Format(platform)] = bi
+					buildinfosMutex.Unlock()
 				}
 				return nil
 			})
@@ -335,23 +343,3 @@ func (p *Printer) getImageConfig(platform *ocispecs.Platform) (*ocispecs.Image,
 	}
 	return img, dtic, nil
 }
-
-func (p *Printer) getBuildInfo(dtic []byte) (*binfotypes.BuildInfo, error) {
-	var binfo *binfotypes.BuildInfo
-	if len(dtic) > 0 {
-		var biconfig binfotypes.ImageConfig
-		if err := json.Unmarshal(dtic, &biconfig); err != nil {
-			return nil, errors.Wrap(err, "failed to unmarshal image config")
-		}
-		if len(biconfig.BuildInfo) > 0 {
-			dtbi, err := base64.StdEncoding.DecodeString(biconfig.BuildInfo)
-			if err != nil {
-				return nil, errors.Wrap(err, "failed to decode build info")
-			}
-			if err = json.Unmarshal(dtbi, &binfo); err != nil {
-				return nil, errors.Wrap(err, "failed to unmarshal build info")
-			}
-		}
-	}
-	return binfo, nil
-}
--- a/util/logutil/filter.go
+++ b/util/logutil/filter.go
@@ -1,7 +1,7 @@
 package logutil

 import (
-	"io/ioutil"
+	"io"
 	"strings"

 	"github.com/sirupsen/logrus"
@@ -9,7 +9,7 @@ import (

 func NewFilter(levels []logrus.Level, filters ...string) logrus.Hook {
 	dl := logrus.New()
-	dl.SetOutput(ioutil.Discard)
+	dl.SetOutput(io.Discard)
 	return &logsFilter{
 		levels:        levels,
 		filters:       filters,
--- a/Show More
+++ b/Show More