diff --git a/go.mod b/go.mod
index 9462cb67a..7be3c83ba 100644
--- a/go.mod
+++ b/go.mod
@@ -53,7 +53,7 @@ require (
 	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
 	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
 	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect
-	github.com/docker/docker v27.5.1+incompatible // indirect
+	github.com/docker/docker v28.0.0+incompatible // indirect
 	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/fatih/color v1.16.0 // indirect
diff --git a/go.sum b/go.sum
index 07bcdff83..7c4a30e68 100644
--- a/go.sum
+++ b/go.sum
@@ -66,8 +66,8 @@ github.com/decred/dcrd/crypto/blake256 v1.0.1/go.mod h1:2OfgNZ5wDpcsFmHmCK5gZTPc
 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.0-20210816181553-5444fa50b93d/go.mod h1:tmAIfUFEirG/Y8jhZ9M+h36obRZAk/1fcSpXwAVlfqE=
 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 h1:8UrgZ3GkP4i/CLijOJx79Yu+etlyjdBU4sfcs2WYQMs=
 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0=
-github.com/docker/docker v27.5.1+incompatible h1:4PYU5dnBYqRQi0294d1FBECqT9ECWeQAIfE8q4YnPY8=
-github.com/docker/docker v27.5.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v28.0.0+incompatible h1:Olh0KS820sJ7nPsBKChVhk5pzqcwDR15fumfAd/p9hM=
+github.com/docker/docker v28.0.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
 github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
diff --git a/vendor/github.com/docker/docker/AUTHORS b/vendor/github.com/docker/docker/AUTHORS
index 5f93eeb4e..88032defe 100644
--- a/vendor/github.com/docker/docker/AUTHORS
+++ b/vendor/github.com/docker/docker/AUTHORS
@@ -2,7 +2,9 @@
 # This file lists all contributors to the repository.
 # See hack/generate-authors.sh to make modifications.
 
+7sunarni <710720732@qq.com>
 Aanand Prasad <aanand.prasad@gmail.com>
+Aarni Koskela <akx@iki.fi>
 Aaron Davidson <aaron@databricks.com>
 Aaron Feng <aaron.feng@gmail.com>
 Aaron Hnatiw <aaron@griddio.com>
@@ -11,6 +13,7 @@ Aaron L. Xu <liker.xu@foxmail.com>
 Aaron Lehmann <alehmann@netflix.com>
 Aaron Welch <welch@packet.net>
 Aaron Yoshitake <airandfingers@gmail.com>
+Abdur Rehman <abdur_rehman@mentor.com>
 Abel Muiño <amuino@gmail.com>
 Abhijeet Kasurde <akasurde@redhat.com>
 Abhinandan Prativadi <aprativadi@gmail.com>
@@ -24,9 +27,11 @@ Adam Avilla <aavilla@yp.com>
 Adam Dobrawy <naczelnik@jawnosc.tk>
 Adam Eijdenberg <adam.eijdenberg@gmail.com>
 Adam Kunk <adam.kunk@tiaa-cref.org>
+Adam Lamers <adam.lamers@wmsdev.pl>
 Adam Miller <admiller@redhat.com>
 Adam Mills <adam@armills.info>
 Adam Pointer <adam.pointer@skybettingandgaming.com>
+Adam Simon <adamsimon85100@gmail.com>
 Adam Singer <financeCoding@gmail.com>
 Adam Thornton <adam.thornton@maryville.com>
 Adam Walz <adam@adamwalz.net>
@@ -119,6 +124,7 @@ amangoel <amangoel@gmail.com>
 Amen Belayneh <amenbelayneh@gmail.com>
 Ameya Gawde <agawde@mirantis.com>
 Amir Goldstein <amir73il@aquasec.com>
+AmirBuddy <badinlu.amirhossein@gmail.com>
 Amit Bakshi <ambakshi@gmail.com>
 Amit Krishnan <amit.krishnan@oracle.com>
 Amit Shukla <amit.shukla@docker.com>
@@ -168,6 +174,7 @@ Andrey Kolomentsev <andrey.kolomentsev@docker.com>
 Andrey Petrov <andrey.petrov@shazow.net>
 Andrey Stolbovsky <andrey.stolbovsky@gmail.com>
 André Martins <aanm90@gmail.com>
+Andrés Maldonado <maldonado@codelutin.com>
 Andy Chambers <anchambers@paypal.com>
 andy diller <dillera@gmail.com>
 Andy Goldstein <agoldste@redhat.com>
@@ -219,6 +226,7 @@ Artur Meyster <arthurfbi@yahoo.com>
 Arun Gupta <arun.gupta@gmail.com>
 Asad Saeeduddin <masaeedu@gmail.com>
 Asbjørn Enge <asbjorn@hanafjedle.net>
+Ashly Mathew <ashly.mathew@sap.com>
 Austin Vazquez <macedonv@amazon.com>
 averagehuman <averagehuman@users.noreply.github.com>
 Avi Das <andas222@gmail.com>
@@ -345,6 +353,7 @@ Chance Zibolski <chance.zibolski@gmail.com>
 Chander Govindarajan <chandergovind@gmail.com>
 Chanhun Jeong <keyolk@gmail.com>
 Chao Wang <wangchao.fnst@cn.fujitsu.com>
+Charity Kathure <ckathure@microsoft.com>
 Charles Chan <charleswhchan@users.noreply.github.com>
 Charles Hooper <charles.hooper@dotcloud.com>
 Charles Law <claw@conduce.com>
@@ -480,6 +489,7 @@ Daniel Farrell <dfarrell@redhat.com>
 Daniel Garcia <daniel@danielgarcia.info>
 Daniel Gasienica <daniel@gasienica.ch>
 Daniel Grunwell <mwgrunny@gmail.com>
+Daniel Guns <danbguns@gmail.com>
 Daniel Helfand <helfand.4@gmail.com>
 Daniel Hiltgen <daniel.hiltgen@docker.com>
 Daniel J Walsh <dwalsh@redhat.com>
@@ -763,6 +773,7 @@ Frank Macreery <frank@macreery.com>
 Frank Rosquin <frank.rosquin+github@gmail.com>
 Frank Villaro-Dixon <frank.villarodixon@merkle.com>
 Frank Yang <yyb196@gmail.com>
+François Scala <github@arcenik.net>
 Fred Lifton <fred.lifton@docker.com>
 Frederick F. Kautz IV <fkautz@redhat.com>
 Frederico F. de Oliveira <FreddieOliveira@users.noreply.github.com>
@@ -798,6 +809,7 @@ GennadySpb <lipenkov@gmail.com>
 Geoff Levand <geoff@infradead.org>
 Geoffrey Bachelet <grosfrais@gmail.com>
 Geon Kim <geon0250@gmail.com>
+George Adams <georgeadams1995@gmail.com>
 George Kontridze <george@bugsnag.com>
 George Ma <mayangang@outlook.com>
 George MacRorie <gmacr31@gmail.com>
@@ -826,6 +838,7 @@ Gopikannan Venugopalsamy <gopikannan.venugopalsamy@gmail.com>
 Gosuke Miyashita <gosukenator@gmail.com>
 Gou Rao <gou@portworx.com>
 Govinda Fichtner <govinda.fichtner@googlemail.com>
+Grace Choi <grace.54109@gmail.com>
 Grant Millar <rid@cylo.io>
 Grant Reaber <grant.reaber@gmail.com>
 Graydon Hoare <graydon@pobox.com>
@@ -966,6 +979,7 @@ James Nugent <james@jen20.com>
 James Sanders <james3sanders@gmail.com>
 James Turnbull <james@lovedthanlost.net>
 James Watkins-Harvey <jwatkins@progi-media.com>
+Jameson Hyde <jameson.hyde@docker.com>
 Jamie Hannaford <jamie@limetree.org>
 Jamshid Afshar <jafshar@yahoo.com>
 Jan Breig <git@pygos.space>
@@ -1064,13 +1078,16 @@ Jim Perrin <jperrin@centos.org>
 Jimmy Cuadra <jimmy@jimmycuadra.com>
 Jimmy Puckett <jimmy.puckett@spinen.com>
 Jimmy Song <rootsongjc@gmail.com>
+jinjiadu <jinjiadu@aliyun.com>
 Jinsoo Park <cellpjs@gmail.com>
 Jintao Zhang <zhangjintao9020@gmail.com>
 Jiri Appl <jiria@microsoft.com>
 Jiri Popelka <jpopelka@redhat.com>
 Jiuyue Ma <majiuyue@huawei.com>
 Jiří Župka <jzupka@redhat.com>
+jjimbo137 <115816493+jjimbo137@users.noreply.github.com>
 Joakim Roubert <joakim.roubert@axis.com>
+Joan Grau <grautxo.dev@proton.me>
 Joao Fernandes <joao.fernandes@docker.com>
 Joao Trindade <trindade.joao@gmail.com>
 Joe Beda <joe.github@bedafamily.com>
@@ -1155,6 +1172,7 @@ Josiah Kiehl <jkiehl@riotgames.com>
 José Tomás Albornoz <jojo@eljojo.net>
 Joyce Jang <mail@joycejang.com>
 JP <jpellerin@leapfrogonline.com>
+JSchltggr <jschltggr@gmail.com>
 Julian Taylor <jtaylor.debian@googlemail.com>
 Julien Barbier <write0@gmail.com>
 Julien Bisconti <veggiemonk@users.noreply.github.com>
@@ -1289,6 +1307,7 @@ Laura Brehm <laurabrehm@hey.com>
 Laura Frank <ljfrank@gmail.com>
 Laurent Bernaille <laurent.bernaille@datadoghq.com>
 Laurent Erignoux <lerignoux@gmail.com>
+Laurent Goderre <laurent.goderre@docker.com>
 Laurie Voss <github@seldo.com>
 Leandro Motta Barros <lmb@stackedboxes.org>
 Leandro Siqueira <leandro.siqueira@gmail.com>
@@ -1369,6 +1388,7 @@ Madhan Raj Mookkandy <MadhanRaj.Mookkandy@microsoft.com>
 Madhav Puri <madhav.puri@gmail.com>
 Madhu Venugopal <mavenugo@gmail.com>
 Mageee <fangpuyi@foxmail.com>
+maggie44 <64841595+maggie44@users.noreply.github.com>
 Mahesh Tiyyagura <tmahesh@gmail.com>
 malnick <malnick@gmail..com>
 Malte Janduda <mail@janduda.net>
@@ -1579,6 +1599,7 @@ Muayyad Alsadi <alsadi@gmail.com>
 Muhammad Zohaib Aslam <zohaibse011@gmail.com>
 Mustafa Akın <mustafa91@gmail.com>
 Muthukumar R <muthur@gmail.com>
+Myeongjoon Kim <kimmj8409@gmail.com>
 Máximo Cuadros <mcuadros@gmail.com>
 Médi-Rémi Hashim <medimatrix@users.noreply.github.com>
 Nace Oroz <orkica@gmail.com>
@@ -1593,6 +1614,7 @@ Natasha Jarus <linuxmercedes@gmail.com>
 Nate Brennand <nate.brennand@clever.com>
 Nate Eagleson <nate@nateeag.com>
 Nate Jones <nate@endot.org>
+Nathan Baulch <nathan.baulch@gmail.com>
 Nathan Carlson <carl4403@umn.edu>
 Nathan Herald <me@nathanherald.com>
 Nathan Hsieh <hsieh.nathan@gmail.com>
@@ -1655,6 +1677,7 @@ Nuutti Kotivuori <naked@iki.fi>
 nzwsch <hi@nzwsch.com>
 O.S. Tezer <ostezer@gmail.com>
 objectified <objectified@gmail.com>
+Octol1ttle <l1ttleofficial@outlook.com>
 Odin Ugedal <odin@ugedal.com>
 Oguz Bilgic <fisyonet@gmail.com>
 Oh Jinkyun <tintypemolly@gmail.com>
@@ -1763,6 +1786,7 @@ Pierre Carrier <pierre@meteor.com>
 Pierre Dal-Pra <dalpra.pierre@gmail.com>
 Pierre Wacrenier <pierre.wacrenier@gmail.com>
 Pierre-Alain RIVIERE <pariviere@ippon.fr>
+pinglanlu <pinglanlu@outlook.com>
 Piotr Bogdan <ppbogdan@gmail.com>
 Piotr Karbowski <piotr.karbowski@protonmail.ch>
 Porjo <porjo38@yahoo.com.au>
@@ -1790,6 +1814,7 @@ Quentin Tayssier <qtayssier@gmail.com>
 r0n22 <cameron.regan@gmail.com>
 Rachit Sharma <rachitsharma613@gmail.com>
 Radostin Stoyanov <rstoyanov1@gmail.com>
+Rafael Fernández López <ereslibre@ereslibre.es>
 Rafal Jeczalik <rjeczalik@gmail.com>
 Rafe Colton <rafael.colton@gmail.com>
 Raghavendra K T <raghavendra.kt@linux.vnet.ibm.com>
@@ -1856,7 +1881,7 @@ Robin Speekenbrink <robin@kingsquare.nl>
 Robin Thoni <robin@rthoni.com>
 robpc <rpcann@gmail.com>
 Rodolfo Carvalho <rhcarvalho@gmail.com>
-Rodrigo Campos <rodrigo@kinvolk.io>
+Rodrigo Campos <rodrigoca@microsoft.com>
 Rodrigo Vaz <rodrigo.vaz@gmail.com>
 Roel Van Nyen <roel.vannyen@gmail.com>
 Roger Peppe <rogpeppe@gmail.com>
@@ -1995,6 +2020,7 @@ Sevki Hasirci <s@sevki.org>
 Shane Canon <scanon@lbl.gov>
 Shane da Silva <shane@dasilva.io>
 Shaun Kaasten <shaunk@gmail.com>
+Shaun Thompson <shaun.thompson@docker.com>
 shaunol <shaunol@gmail.com>
 Shawn Landden <shawn@churchofgit.com>
 Shawn Siefkas <shawn.siefkas@meredith.com>
@@ -2013,6 +2039,7 @@ Shijun Qin <qinshijun16@mails.ucas.ac.cn>
 Shishir Mahajan <shishir.mahajan@redhat.com>
 Shoubhik Bose <sbose78@gmail.com>
 Shourya Sarcar <shourya.sarcar@gmail.com>
+Shreenidhi Shedi <shreenidhi.shedi@broadcom.com>
 Shu-Wai Chow <shu-wai.chow@seattlechildrens.org>
 shuai-z <zs.broccoli@gmail.com>
 Shukui Yang <yangshukui@huawei.com>
@@ -2100,6 +2127,7 @@ Sébastien Stormacq <sebsto@users.noreply.github.com>
 Sören Tempel <soeren+git@soeren-tempel.net>
 Tabakhase <mail@tabakhase.com>
 Tadej Janež <tadej.j@nez.si>
+Tadeusz Dudkiewicz <tadeusz.dudkiewicz@rtbhouse.com>
 Takuto Sato <tockn.jp@gmail.com>
 tang0th <tang0th@gmx.com>
 Tangi Colin <tangicolin@gmail.com>
@@ -2107,6 +2135,7 @@ Tatsuki Sugiura <sugi@nemui.org>
 Tatsushi Inagaki <e29253@jp.ibm.com>
 Taylan Isikdemir <taylani@google.com>
 Taylor Jones <monitorjbl@gmail.com>
+tcpdumppy <847462026@qq.com>
 Ted M. Young <tedyoung@gmail.com>
 Tehmasp Chaudhri <tehmasp@gmail.com>
 Tejaswini Duggaraju <naduggar@microsoft.com>
@@ -2391,6 +2420,7 @@ You-Sheng Yang (楊有勝) <vicamo@gmail.com>
 youcai <omegacoleman@gmail.com>
 Youcef YEKHLEF <yyekhlef@gmail.com>
 Youfu Zhang <zhangyoufu@gmail.com>
+YR Chen <stevapple@icloud.com>
 Yu Changchun <yuchangchun1@huawei.com>
 Yu Chengxia <yuchengxia@huawei.com>
 Yu Peng <yu.peng36@zte.com.cn>
diff --git a/vendor/github.com/docker/docker/api/types/common/id_response.go b/vendor/github.com/docker/docker/api/types/common/id_response.go
new file mode 100644
index 000000000..22e8c60a4
--- /dev/null
+++ b/vendor/github.com/docker/docker/api/types/common/id_response.go
@@ -0,0 +1,13 @@
+package common
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+// IDResponse Response to an API call that returns just an Id
+// swagger:model IDResponse
+type IDResponse struct {
+
+	// The id of the newly created object.
+	// Required: true
+	ID string `json:"Id"`
+}
diff --git a/vendor/github.com/docker/docker/api/types/container/commit.go b/vendor/github.com/docker/docker/api/types/container/commit.go
new file mode 100644
index 000000000..6fd1b0ead
--- /dev/null
+++ b/vendor/github.com/docker/docker/api/types/container/commit.go
@@ -0,0 +1,7 @@
+package container
+
+import "github.com/docker/docker/api/types/common"
+
+// CommitResponse response for the commit API call, containing the ID of the
+// image that was produced.
+type CommitResponse = common.IDResponse
diff --git a/vendor/github.com/docker/docker/api/types/container/container.go b/vendor/github.com/docker/docker/api/types/container/container.go
new file mode 100644
index 000000000..65fabbf42
--- /dev/null
+++ b/vendor/github.com/docker/docker/api/types/container/container.go
@@ -0,0 +1,188 @@
+package container
+
+import (
+	"io"
+	"os"
+	"time"
+
+	"github.com/docker/docker/api/types/mount"
+	"github.com/docker/docker/api/types/storage"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+// ContainerUpdateOKBody OK response to ContainerUpdate operation
+//
+// Deprecated: use [UpdateResponse]. This alias will be removed in the next release.
+type ContainerUpdateOKBody = UpdateResponse
+
+// ContainerTopOKBody OK response to ContainerTop operation
+//
+// Deprecated: use [TopResponse]. This alias will be removed in the next release.
+type ContainerTopOKBody = TopResponse
+
+// PruneReport contains the response for Engine API:
+// POST "/containers/prune"
+type PruneReport struct {
+	ContainersDeleted []string
+	SpaceReclaimed    uint64
+}
+
+// PathStat is used to encode the header from
+// GET "/containers/{name:.*}/archive"
+// "Name" is the file or directory name.
+type PathStat struct {
+	Name       string      `json:"name"`
+	Size       int64       `json:"size"`
+	Mode       os.FileMode `json:"mode"`
+	Mtime      time.Time   `json:"mtime"`
+	LinkTarget string      `json:"linkTarget"`
+}
+
+// CopyToContainerOptions holds information
+// about files to copy into a container
+type CopyToContainerOptions struct {
+	AllowOverwriteDirWithFile bool
+	CopyUIDGID                bool
+}
+
+// StatsResponseReader wraps an io.ReadCloser to read (a stream of) stats
+// for a container, as produced by the GET "/stats" endpoint.
+//
+// The OSType field is set to the server's platform to allow
+// platform-specific handling of the response.
+//
+// TODO(thaJeztah): remove this wrapper, and make OSType part of [StatsResponse].
+type StatsResponseReader struct {
+	Body   io.ReadCloser `json:"body"`
+	OSType string        `json:"ostype"`
+}
+
+// MountPoint represents a mount point configuration inside the container.
+// This is used for reporting the mountpoints in use by a container.
+type MountPoint struct {
+	// Type is the type of mount, see `Type<foo>` definitions in
+	// github.com/docker/docker/api/types/mount.Type
+	Type mount.Type `json:",omitempty"`
+
+	// Name is the name reference to the underlying data defined by `Source`
+	// e.g., the volume name.
+	Name string `json:",omitempty"`
+
+	// Source is the source location of the mount.
+	//
+	// For volumes, this contains the storage location of the volume (within
+	// `/var/lib/docker/volumes/`). For bind-mounts, and `npipe`, this contains
+	// the source (host) part of the bind-mount. For `tmpfs` mount points, this
+	// field is empty.
+	Source string
+
+	// Destination is the path relative to the container root (`/`) where the
+	// Source is mounted inside the container.
+	Destination string
+
+	// Driver is the volume driver used to create the volume (if it is a volume).
+	Driver string `json:",omitempty"`
+
+	// Mode is a comma separated list of options supplied by the user when
+	// creating the bind/volume mount.
+	//
+	// The default is platform-specific (`"z"` on Linux, empty on Windows).
+	Mode string
+
+	// RW indicates whether the mount is mounted writable (read-write).
+	RW bool
+
+	// Propagation describes how mounts are propagated from the host into the
+	// mount point, and vice-versa. Refer to the Linux kernel documentation
+	// for details:
+	// https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt
+	//
+	// This field is not used on Windows.
+	Propagation mount.Propagation
+}
+
+// State stores container's running state
+// it's part of ContainerJSONBase and returned by "inspect" command
+type State struct {
+	Status     string // String representation of the container state. Can be one of "created", "running", "paused", "restarting", "removing", "exited", or "dead"
+	Running    bool
+	Paused     bool
+	Restarting bool
+	OOMKilled  bool
+	Dead       bool
+	Pid        int
+	ExitCode   int
+	Error      string
+	StartedAt  string
+	FinishedAt string
+	Health     *Health `json:",omitempty"`
+}
+
+// Summary contains response of Engine API:
+// GET "/containers/json"
+type Summary struct {
+	ID                      string `json:"Id"`
+	Names                   []string
+	Image                   string
+	ImageID                 string
+	ImageManifestDescriptor *ocispec.Descriptor `json:"ImageManifestDescriptor,omitempty"`
+	Command                 string
+	Created                 int64
+	Ports                   []Port
+	SizeRw                  int64 `json:",omitempty"`
+	SizeRootFs              int64 `json:",omitempty"`
+	Labels                  map[string]string
+	State                   string
+	Status                  string
+	HostConfig              struct {
+		NetworkMode string            `json:",omitempty"`
+		Annotations map[string]string `json:",omitempty"`
+	}
+	NetworkSettings *NetworkSettingsSummary
+	Mounts          []MountPoint
+}
+
+// ContainerJSONBase contains response of Engine API GET "/containers/{name:.*}/json"
+// for API version 1.18 and older.
+//
+// TODO(thaJeztah): combine ContainerJSONBase and InspectResponse into a single struct.
+// The split between ContainerJSONBase (ContainerJSONBase) and InspectResponse (InspectResponse)
+// was done in commit 6deaa58ba5f051039643cedceee97c8695e2af74 (https://github.com/moby/moby/pull/13675).
+// ContainerJSONBase contained all fields for API < 1.19, and InspectResponse
+// held fields that were added in API 1.19 and up. Given that the minimum
+// supported API version is now 1.24, we no longer use the separate type.
+type ContainerJSONBase struct {
+	ID              string `json:"Id"`
+	Created         string
+	Path            string
+	Args            []string
+	State           *State
+	Image           string
+	ResolvConfPath  string
+	HostnamePath    string
+	HostsPath       string
+	LogPath         string
+	Name            string
+	RestartCount    int
+	Driver          string
+	Platform        string
+	MountLabel      string
+	ProcessLabel    string
+	AppArmorProfile string
+	ExecIDs         []string
+	HostConfig      *HostConfig
+	GraphDriver     storage.DriverData
+	SizeRw          *int64 `json:",omitempty"`
+	SizeRootFs      *int64 `json:",omitempty"`
+}
+
+// InspectResponse is the response for the GET "/containers/{name:.*}/json"
+// endpoint.
+type InspectResponse struct {
+	*ContainerJSONBase
+	Mounts          []MountPoint
+	Config          *Config
+	NetworkSettings *NetworkSettings
+	// ImageManifestDescriptor is the descriptor of a platform-specific manifest of the image used to create the container.
+	ImageManifestDescriptor *ocispec.Descriptor `json:"ImageManifestDescriptor,omitempty"`
+}
diff --git a/vendor/github.com/docker/docker/api/types/container/container_top.go b/vendor/github.com/docker/docker/api/types/container/container_top.go
deleted file mode 100644
index 63381da36..000000000
--- a/vendor/github.com/docker/docker/api/types/container/container_top.go
+++ /dev/null
@@ -1,22 +0,0 @@
-package container // import "github.com/docker/docker/api/types/container"
-
-// ----------------------------------------------------------------------------
-// Code generated by `swagger generate operation`. DO NOT EDIT.
-//
-// See hack/generate-swagger-api.sh
-// ----------------------------------------------------------------------------
-
-// ContainerTopOKBody OK response to ContainerTop operation
-// swagger:model ContainerTopOKBody
-type ContainerTopOKBody struct {
-
-	// Each process running in the container, where each is process
-	// is an array of values corresponding to the titles.
-	//
-	// Required: true
-	Processes [][]string `json:"Processes"`
-
-	// The ps column titles
-	// Required: true
-	Titles []string `json:"Titles"`
-}
diff --git a/vendor/github.com/docker/docker/api/types/container/container_update.go b/vendor/github.com/docker/docker/api/types/container/container_update.go
deleted file mode 100644
index c10f175ea..000000000
--- a/vendor/github.com/docker/docker/api/types/container/container_update.go
+++ /dev/null
@@ -1,16 +0,0 @@
-package container // import "github.com/docker/docker/api/types/container"
-
-// ----------------------------------------------------------------------------
-// Code generated by `swagger generate operation`. DO NOT EDIT.
-//
-// See hack/generate-swagger-api.sh
-// ----------------------------------------------------------------------------
-
-// ContainerUpdateOKBody OK response to ContainerUpdate operation
-// swagger:model ContainerUpdateOKBody
-type ContainerUpdateOKBody struct {
-
-	// warnings
-	// Required: true
-	Warnings []string `json:"Warnings"`
-}
diff --git a/vendor/github.com/docker/docker/api/types/container/create_request.go b/vendor/github.com/docker/docker/api/types/container/create_request.go
new file mode 100644
index 000000000..e98dd6ad4
--- /dev/null
+++ b/vendor/github.com/docker/docker/api/types/container/create_request.go
@@ -0,0 +1,13 @@
+package container
+
+import "github.com/docker/docker/api/types/network"
+
+// CreateRequest is the request message sent to the server for container
+// create calls. It is a config wrapper that holds the container [Config]
+// (portable) and the corresponding [HostConfig] (non-portable) and
+// [network.NetworkingConfig].
+type CreateRequest struct {
+	*Config
+	HostConfig       *HostConfig               `json:"HostConfig,omitempty"`
+	NetworkingConfig *network.NetworkingConfig `json:"NetworkingConfig,omitempty"`
+}
diff --git a/vendor/github.com/docker/docker/api/types/container/exec.go b/vendor/github.com/docker/docker/api/types/container/exec.go
new file mode 100644
index 000000000..f4b22376e
--- /dev/null
+++ b/vendor/github.com/docker/docker/api/types/container/exec.go
@@ -0,0 +1,51 @@
+package container
+
+import "github.com/docker/docker/api/types/common"
+
+// ExecCreateResponse is the response for a successful exec-create request.
+// It holds the ID of the exec that was created.
+//
+// TODO(thaJeztah): make this a distinct type.
+type ExecCreateResponse = common.IDResponse
+
+// ExecOptions is a small subset of the Config struct that holds the configuration
+// for the exec feature of docker.
+type ExecOptions struct {
+	User         string   // User that will run the command
+	Privileged   bool     // Is the container in privileged mode
+	Tty          bool     // Attach standard streams to a tty.
+	ConsoleSize  *[2]uint `json:",omitempty"` // Initial console size [height, width]
+	AttachStdin  bool     // Attach the standard input, makes possible user interaction
+	AttachStderr bool     // Attach the standard error
+	AttachStdout bool     // Attach the standard output
+	Detach       bool     // Execute in detach mode
+	DetachKeys   string   // Escape keys for detach
+	Env          []string // Environment variables
+	WorkingDir   string   // Working directory
+	Cmd          []string // Execution commands and args
+}
+
+// ExecStartOptions is a temp struct used by execStart
+// Config fields is part of ExecConfig in runconfig package
+type ExecStartOptions struct {
+	// ExecStart will first check if it's detached
+	Detach bool
+	// Check if there's a tty
+	Tty bool
+	// Terminal size [height, width], unused if Tty == false
+	ConsoleSize *[2]uint `json:",omitempty"`
+}
+
+// ExecAttachOptions is a temp struct used by execAttach.
+//
+// TODO(thaJeztah): make this a separate type; ContainerExecAttach does not use the Detach option, and cannot run detached.
+type ExecAttachOptions = ExecStartOptions
+
+// ExecInspect holds information returned by exec inspect.
+type ExecInspect struct {
+	ExecID      string `json:"ID"`
+	ContainerID string
+	Running     bool
+	ExitCode    int
+	Pid         int
+}
diff --git a/vendor/github.com/docker/docker/api/types/container/health.go b/vendor/github.com/docker/docker/api/types/container/health.go
new file mode 100644
index 000000000..93663746f
--- /dev/null
+++ b/vendor/github.com/docker/docker/api/types/container/health.go
@@ -0,0 +1,26 @@
+package container
+
+import "time"
+
+// Health states
+const (
+	NoHealthcheck = "none"      // Indicates there is no healthcheck
+	Starting      = "starting"  // Starting indicates that the container is not yet ready
+	Healthy       = "healthy"   // Healthy indicates that the container is running correctly
+	Unhealthy     = "unhealthy" // Unhealthy indicates that the container has a problem
+)
+
+// Health stores information about the container's healthcheck results
+type Health struct {
+	Status        string               // Status is one of [Starting], [Healthy] or [Unhealthy].
+	FailingStreak int                  // FailingStreak is the number of consecutive failures
+	Log           []*HealthcheckResult // Log contains the last few results (oldest first)
+}
+
+// HealthcheckResult stores information about a single run of a healthcheck probe
+type HealthcheckResult struct {
+	Start    time.Time // Start is the time this check started
+	End      time.Time // End is the time this check ended
+	ExitCode int       // ExitCode meanings: 0=healthy, 1=unhealthy, 2=reserved (considered unhealthy), else=error running probe
+	Output   string    // Output from last check
+}
diff --git a/vendor/github.com/docker/docker/api/types/container/network_settings.go b/vendor/github.com/docker/docker/api/types/container/network_settings.go
new file mode 100644
index 000000000..afec0e543
--- /dev/null
+++ b/vendor/github.com/docker/docker/api/types/container/network_settings.go
@@ -0,0 +1,56 @@
+package container
+
+import (
+	"github.com/docker/docker/api/types/network"
+	"github.com/docker/go-connections/nat"
+)
+
+// NetworkSettings exposes the network settings in the api
+type NetworkSettings struct {
+	NetworkSettingsBase
+	DefaultNetworkSettings
+	Networks map[string]*network.EndpointSettings
+}
+
+// NetworkSettingsBase holds networking state for a container when inspecting it.
+type NetworkSettingsBase struct {
+	Bridge     string      // Bridge contains the name of the default bridge interface iff it was set through the daemon --bridge flag.
+	SandboxID  string      // SandboxID uniquely represents a container's network stack
+	SandboxKey string      // SandboxKey identifies the sandbox
+	Ports      nat.PortMap // Ports is a collection of PortBinding indexed by Port
+
+	// HairpinMode specifies if hairpin NAT should be enabled on the virtual interface
+	//
+	// Deprecated: This field is never set and will be removed in a future release.
+	HairpinMode bool
+	// LinkLocalIPv6Address is an IPv6 unicast address using the link-local prefix
+	//
+	// Deprecated: This field is never set and will be removed in a future release.
+	LinkLocalIPv6Address string
+	// LinkLocalIPv6PrefixLen is the prefix length of an IPv6 unicast address
+	//
+	// Deprecated: This field is never set and will be removed in a future release.
+	LinkLocalIPv6PrefixLen int
+	SecondaryIPAddresses   []network.Address // Deprecated: This field is never set and will be removed in a future release.
+	SecondaryIPv6Addresses []network.Address // Deprecated: This field is never set and will be removed in a future release.
+}
+
+// DefaultNetworkSettings holds network information
+// during the 2 release deprecation period.
+// It will be removed in Docker 1.11.
+type DefaultNetworkSettings struct {
+	EndpointID          string // EndpointID uniquely represents a service endpoint in a Sandbox
+	Gateway             string // Gateway holds the gateway address for the network
+	GlobalIPv6Address   string // GlobalIPv6Address holds network's global IPv6 address
+	GlobalIPv6PrefixLen int    // GlobalIPv6PrefixLen represents mask length of network's global IPv6 address
+	IPAddress           string // IPAddress holds the IPv4 address for the network
+	IPPrefixLen         int    // IPPrefixLen represents mask length of network's IPv4 address
+	IPv6Gateway         string // IPv6Gateway holds gateway address specific for IPv6
+	MacAddress          string // MacAddress holds the MAC address for the network
+}
+
+// NetworkSettingsSummary provides a summary of container's networks
+// in /containers/json
+type NetworkSettingsSummary struct {
+	Networks map[string]*network.EndpointSettings
+}
diff --git a/vendor/github.com/docker/docker/api/types/container/port.go b/vendor/github.com/docker/docker/api/types/container/port.go
new file mode 100644
index 000000000..895043cfe
--- /dev/null
+++ b/vendor/github.com/docker/docker/api/types/container/port.go
@@ -0,0 +1,23 @@
+package container
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+// Port An open port on a container
+// swagger:model Port
+type Port struct {
+
+	// Host IP address that the container's port is mapped to
+	IP string `json:"IP,omitempty"`
+
+	// Port on the container
+	// Required: true
+	PrivatePort uint16 `json:"PrivatePort"`
+
+	// Port exposed on the host
+	PublicPort uint16 `json:"PublicPort,omitempty"`
+
+	// type
+	// Required: true
+	Type string `json:"Type"`
+}
diff --git a/vendor/github.com/docker/docker/api/types/container/stats.go b/vendor/github.com/docker/docker/api/types/container/stats.go
new file mode 100644
index 000000000..3bfeb4849
--- /dev/null
+++ b/vendor/github.com/docker/docker/api/types/container/stats.go
@@ -0,0 +1,177 @@
+package container
+
+import "time"
+
+// ThrottlingData stores CPU throttling stats of one running container.
+// Not used on Windows.
+type ThrottlingData struct {
+	// Number of periods with throttling active
+	Periods uint64 `json:"periods"`
+	// Number of periods when the container hits its throttling limit.
+	ThrottledPeriods uint64 `json:"throttled_periods"`
+	// Aggregate time the container was throttled for in nanoseconds.
+	ThrottledTime uint64 `json:"throttled_time"`
+}
+
+// CPUUsage stores All CPU stats aggregated since container inception.
+type CPUUsage struct {
+	// Total CPU time consumed.
+	// Units: nanoseconds (Linux)
+	// Units: 100's of nanoseconds (Windows)
+	TotalUsage uint64 `json:"total_usage"`
+
+	// Total CPU time consumed per core (Linux). Not used on Windows.
+	// Units: nanoseconds.
+	PercpuUsage []uint64 `json:"percpu_usage,omitempty"`
+
+	// Time spent by tasks of the cgroup in kernel mode (Linux).
+	// Time spent by all container processes in kernel mode (Windows).
+	// Units: nanoseconds (Linux).
+	// Units: 100's of nanoseconds (Windows). Not populated for Hyper-V Containers.
+	UsageInKernelmode uint64 `json:"usage_in_kernelmode"`
+
+	// Time spent by tasks of the cgroup in user mode (Linux).
+	// Time spent by all container processes in user mode (Windows).
+	// Units: nanoseconds (Linux).
+	// Units: 100's of nanoseconds (Windows). Not populated for Hyper-V Containers
+	UsageInUsermode uint64 `json:"usage_in_usermode"`
+}
+
+// CPUStats aggregates and wraps all CPU related info of container
+type CPUStats struct {
+	// CPU Usage. Linux and Windows.
+	CPUUsage CPUUsage `json:"cpu_usage"`
+
+	// System Usage. Linux only.
+	SystemUsage uint64 `json:"system_cpu_usage,omitempty"`
+
+	// Online CPUs. Linux only.
+	OnlineCPUs uint32 `json:"online_cpus,omitempty"`
+
+	// Throttling Data. Linux only.
+	ThrottlingData ThrottlingData `json:"throttling_data,omitempty"`
+}
+
+// MemoryStats aggregates all memory stats since container inception on Linux.
+// Windows returns stats for commit and private working set only.
+type MemoryStats struct {
+	// Linux Memory Stats
+
+	// current res_counter usage for memory
+	Usage uint64 `json:"usage,omitempty"`
+	// maximum usage ever recorded.
+	MaxUsage uint64 `json:"max_usage,omitempty"`
+	// TODO(vishh): Export these as stronger types.
+	// all the stats exported via memory.stat.
+	Stats map[string]uint64 `json:"stats,omitempty"`
+	// number of times memory usage hits limits.
+	Failcnt uint64 `json:"failcnt,omitempty"`
+	Limit   uint64 `json:"limit,omitempty"`
+
+	// Windows Memory Stats
+	// See https://technet.microsoft.com/en-us/magazine/ff382715.aspx
+
+	// committed bytes
+	Commit uint64 `json:"commitbytes,omitempty"`
+	// peak committed bytes
+	CommitPeak uint64 `json:"commitpeakbytes,omitempty"`
+	// private working set
+	PrivateWorkingSet uint64 `json:"privateworkingset,omitempty"`
+}
+
+// BlkioStatEntry is one small entity to store a piece of Blkio stats
+// Not used on Windows.
+type BlkioStatEntry struct {
+	Major uint64 `json:"major"`
+	Minor uint64 `json:"minor"`
+	Op    string `json:"op"`
+	Value uint64 `json:"value"`
+}
+
+// BlkioStats stores All IO service stats for data read and write.
+// This is a Linux specific structure as the differences between expressing
+// block I/O on Windows and Linux are sufficiently significant to make
+// little sense attempting to morph into a combined structure.
+type BlkioStats struct {
+	// number of bytes transferred to and from the block device
+	IoServiceBytesRecursive []BlkioStatEntry `json:"io_service_bytes_recursive"`
+	IoServicedRecursive     []BlkioStatEntry `json:"io_serviced_recursive"`
+	IoQueuedRecursive       []BlkioStatEntry `json:"io_queue_recursive"`
+	IoServiceTimeRecursive  []BlkioStatEntry `json:"io_service_time_recursive"`
+	IoWaitTimeRecursive     []BlkioStatEntry `json:"io_wait_time_recursive"`
+	IoMergedRecursive       []BlkioStatEntry `json:"io_merged_recursive"`
+	IoTimeRecursive         []BlkioStatEntry `json:"io_time_recursive"`
+	SectorsRecursive        []BlkioStatEntry `json:"sectors_recursive"`
+}
+
+// StorageStats is the disk I/O stats for read/write on Windows.
+type StorageStats struct {
+	ReadCountNormalized  uint64 `json:"read_count_normalized,omitempty"`
+	ReadSizeBytes        uint64 `json:"read_size_bytes,omitempty"`
+	WriteCountNormalized uint64 `json:"write_count_normalized,omitempty"`
+	WriteSizeBytes       uint64 `json:"write_size_bytes,omitempty"`
+}
+
+// NetworkStats aggregates the network stats of one container
+type NetworkStats struct {
+	// Bytes received. Windows and Linux.
+	RxBytes uint64 `json:"rx_bytes"`
+	// Packets received. Windows and Linux.
+	RxPackets uint64 `json:"rx_packets"`
+	// Received errors. Not used on Windows. Note that we don't `omitempty` this
+	// field as it is expected in the >=v1.21 API stats structure.
+	RxErrors uint64 `json:"rx_errors"`
+	// Incoming packets dropped. Windows and Linux.
+	RxDropped uint64 `json:"rx_dropped"`
+	// Bytes sent. Windows and Linux.
+	TxBytes uint64 `json:"tx_bytes"`
+	// Packets sent. Windows and Linux.
+	TxPackets uint64 `json:"tx_packets"`
+	// Sent errors. Not used on Windows. Note that we don't `omitempty` this
+	// field as it is expected in the >=v1.21 API stats structure.
+	TxErrors uint64 `json:"tx_errors"`
+	// Outgoing packets dropped. Windows and Linux.
+	TxDropped uint64 `json:"tx_dropped"`
+	// Endpoint ID. Not used on Linux.
+	EndpointID string `json:"endpoint_id,omitempty"`
+	// Instance ID. Not used on Linux.
+	InstanceID string `json:"instance_id,omitempty"`
+}
+
+// PidsStats contains the stats of a container's pids
+type PidsStats struct {
+	// Current is the number of pids in the cgroup
+	Current uint64 `json:"current,omitempty"`
+	// Limit is the hard limit on the number of pids in the cgroup.
+	// A "Limit" of 0 means that there is no limit.
+	Limit uint64 `json:"limit,omitempty"`
+}
+
+// Stats is Ultimate struct aggregating all types of stats of one container
+//
+// Deprecated: use [StatsResponse] instead. This type will be removed in the next release.
+type Stats = StatsResponse
+
+// StatsResponse aggregates all types of stats of one container.
+type StatsResponse struct {
+	Name string `json:"name,omitempty"`
+	ID   string `json:"id,omitempty"`
+
+	// Common stats
+	Read    time.Time `json:"read"`
+	PreRead time.Time `json:"preread"`
+
+	// Linux specific stats, not populated on Windows.
+	PidsStats  PidsStats  `json:"pids_stats,omitempty"`
+	BlkioStats BlkioStats `json:"blkio_stats,omitempty"`
+
+	// Windows specific stats, not populated on Linux.
+	NumProcs     uint32       `json:"num_procs"`
+	StorageStats StorageStats `json:"storage_stats,omitempty"`
+
+	// Shared stats
+	CPUStats    CPUStats                `json:"cpu_stats,omitempty"`
+	PreCPUStats CPUStats                `json:"precpu_stats,omitempty"` // "Pre"="Previous"
+	MemoryStats MemoryStats             `json:"memory_stats,omitempty"`
+	Networks    map[string]NetworkStats `json:"networks,omitempty"`
+}
diff --git a/vendor/github.com/docker/docker/api/types/container/top_response.go b/vendor/github.com/docker/docker/api/types/container/top_response.go
new file mode 100644
index 000000000..b4bae5ef0
--- /dev/null
+++ b/vendor/github.com/docker/docker/api/types/container/top_response.go
@@ -0,0 +1,18 @@
+package container
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+// TopResponse ContainerTopResponse
+//
+// Container "top" response.
+// swagger:model TopResponse
+type TopResponse struct {
+
+	// Each process running in the container, where each process
+	// is an array of values corresponding to the titles.
+	Processes [][]string `json:"Processes"`
+
+	// The ps column titles
+	Titles []string `json:"Titles"`
+}
diff --git a/vendor/github.com/docker/docker/api/types/container/update_response.go b/vendor/github.com/docker/docker/api/types/container/update_response.go
new file mode 100644
index 000000000..e2b5bf5ac
--- /dev/null
+++ b/vendor/github.com/docker/docker/api/types/container/update_response.go
@@ -0,0 +1,14 @@
+package container
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+// UpdateResponse ContainerUpdateResponse
+//
+// Response for a successful container-update.
+// swagger:model UpdateResponse
+type UpdateResponse struct {
+
+	// Warnings encountered when updating the container.
+	Warnings []string `json:"Warnings"`
+}
diff --git a/vendor/github.com/docker/docker/api/types/filters/errors.go b/vendor/github.com/docker/docker/api/types/filters/errors.go
index f52f69440..b8a690d67 100644
--- a/vendor/github.com/docker/docker/api/types/filters/errors.go
+++ b/vendor/github.com/docker/docker/api/types/filters/errors.go
@@ -22,16 +22,3 @@ func (e invalidFilter) Error() string {
 
 // InvalidParameter marks this error as ErrInvalidParameter
 func (e invalidFilter) InvalidParameter() {}
-
-// unreachableCode is an error indicating that the code path was not expected to be reached.
-type unreachableCode struct {
-	Filter string
-	Value  []string
-}
-
-// System marks this error as ErrSystem
-func (e unreachableCode) System() {}
-
-func (e unreachableCode) Error() string {
-	return fmt.Sprintf("unreachable code reached for filter: %q with values: %s", e.Filter, e.Value)
-}
diff --git a/vendor/github.com/docker/docker/api/types/filters/parse.go b/vendor/github.com/docker/docker/api/types/filters/parse.go
index 0914b2a44..2085ff38f 100644
--- a/vendor/github.com/docker/docker/api/types/filters/parse.go
+++ b/vendor/github.com/docker/docker/api/types/filters/parse.go
@@ -200,7 +200,6 @@ func (args Args) Match(field, source string) bool {
 // Error is not nil only if the filter values are not valid boolean or are conflicting.
 func (args Args) GetBoolOrDefault(key string, defaultValue bool) (bool, error) {
 	fieldValues, ok := args.fields[key]
-
 	if !ok {
 		return defaultValue, nil
 	}
@@ -211,20 +210,11 @@ func (args Args) GetBoolOrDefault(key string, defaultValue bool) (bool, error) {
 
 	isFalse := fieldValues["0"] || fieldValues["false"]
 	isTrue := fieldValues["1"] || fieldValues["true"]
-
-	conflicting := isFalse && isTrue
-	invalid := !isFalse && !isTrue
-
-	if conflicting || invalid {
+	if isFalse == isTrue {
+		// Either no or conflicting truthy/falsy value were provided
 		return defaultValue, &invalidFilter{key, args.Get(key)}
-	} else if isFalse {
-		return false, nil
-	} else if isTrue {
-		return true, nil
 	}
-
-	// This code shouldn't be reached.
-	return defaultValue, &unreachableCode{Filter: key, Value: args.Get(key)}
+	return isTrue, nil
 }
 
 // ExactMatch returns true if the source matches exactly one of the values.
diff --git a/vendor/github.com/docker/docker/api/types/mount/mount.go b/vendor/github.com/docker/docker/api/types/mount/mount.go
index c68dcf65b..d98dbec99 100644
--- a/vendor/github.com/docker/docker/api/types/mount/mount.go
+++ b/vendor/github.com/docker/docker/api/types/mount/mount.go
@@ -19,6 +19,8 @@ const (
 	TypeNamedPipe Type = "npipe"
 	// TypeCluster is the type for Swarm Cluster Volumes.
 	TypeCluster Type = "cluster"
+	// TypeImage is the type for mounting another image's filesystem
+	TypeImage Type = "image"
 )
 
 // Mount represents a mount (volume).
@@ -34,6 +36,7 @@ type Mount struct {
 
 	BindOptions    *BindOptions    `json:",omitempty"`
 	VolumeOptions  *VolumeOptions  `json:",omitempty"`
+	ImageOptions   *ImageOptions   `json:",omitempty"`
 	TmpfsOptions   *TmpfsOptions   `json:",omitempty"`
 	ClusterOptions *ClusterOptions `json:",omitempty"`
 }
@@ -100,6 +103,10 @@ type VolumeOptions struct {
 	DriverConfig *Driver           `json:",omitempty"`
 }
 
+type ImageOptions struct {
+	Subpath string `json:",omitempty"`
+}
+
 // Driver represents a volume driver.
 type Driver struct {
 	Name    string            `json:",omitempty"`
diff --git a/vendor/github.com/docker/docker/api/types/network/create_response.go b/vendor/github.com/docker/docker/api/types/network/create_response.go
new file mode 100644
index 000000000..c32b35bff
--- /dev/null
+++ b/vendor/github.com/docker/docker/api/types/network/create_response.go
@@ -0,0 +1,19 @@
+package network
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+// CreateResponse NetworkCreateResponse
+//
+// OK response to NetworkCreate operation
+// swagger:model CreateResponse
+type CreateResponse struct {
+
+	// The ID of the created network.
+	// Required: true
+	ID string `json:"Id"`
+
+	// Warnings encountered when creating the container
+	// Required: true
+	Warning string `json:"Warning"`
+}
diff --git a/vendor/github.com/docker/docker/api/types/network/endpoint.go b/vendor/github.com/docker/docker/api/types/network/endpoint.go
index 0fbb40b35..167ac70ab 100644
--- a/vendor/github.com/docker/docker/api/types/network/endpoint.go
+++ b/vendor/github.com/docker/docker/api/types/network/endpoint.go
@@ -19,6 +19,12 @@ type EndpointSettings struct {
 	// generated address).
 	MacAddress string
 	DriverOpts map[string]string
+
+	// GwPriority determines which endpoint will provide the default gateway
+	// for the container. The endpoint with the highest priority will be used.
+	// If multiple endpoints have the same priority, they are lexicographically
+	// sorted based on their network name, and the one that sorts first is picked.
+	GwPriority int
 	// Operational data
 	NetworkID           string
 	EndpointID          string
diff --git a/vendor/github.com/docker/docker/api/types/network/network.go b/vendor/github.com/docker/docker/api/types/network/network.go
index c8db97a7e..d34b8ab72 100644
--- a/vendor/github.com/docker/docker/api/types/network/network.go
+++ b/vendor/github.com/docker/docker/api/types/network/network.go
@@ -33,6 +33,7 @@ type CreateRequest struct {
 type CreateOptions struct {
 	Driver     string            // Driver is the driver-name used to create the network (e.g. `bridge`, `overlay`)
 	Scope      string            // Scope describes the level at which the network exists (e.g. `swarm` for cluster-wide or `local` for machine level).
+	EnableIPv4 *bool             `json:",omitempty"` // EnableIPv4 represents whether to enable IPv4.
 	EnableIPv6 *bool             `json:",omitempty"` // EnableIPv6 represents whether to enable IPv6.
 	IPAM       *IPAM             // IPAM is the network's IP Address Management.
 	Internal   bool              // Internal represents if the network is used internal only.
@@ -76,7 +77,8 @@ type Inspect struct {
 	Created    time.Time                   // Created is the time the network created
 	Scope      string                      // Scope describes the level at which the network exists (e.g. `swarm` for cluster-wide or `local` for machine level)
 	Driver     string                      // Driver is the Driver name used to create the network (e.g. `bridge`, `overlay`)
-	EnableIPv6 bool                        // EnableIPv6 represents whether to enable IPv6
+	EnableIPv4 bool                        // EnableIPv4 represents whether IPv4 is enabled
+	EnableIPv6 bool                        // EnableIPv6 represents whether IPv6 is enabled
 	IPAM       IPAM                        // IPAM is the network's IP Address Management
 	Internal   bool                        // Internal represents if the network is used internal only
 	Attachable bool                        // Attachable represents if the global scope is manually attachable by regular containers from workers in swarm mode.
diff --git a/vendor/github.com/docker/docker/api/types/registry/authconfig.go b/vendor/github.com/docker/docker/api/types/registry/authconfig.go
index 8e383f6e6..ebd5e4b9e 100644
--- a/vendor/github.com/docker/docker/api/types/registry/authconfig.go
+++ b/vendor/github.com/docker/docker/api/types/registry/authconfig.go
@@ -1,17 +1,29 @@
 package registry // import "github.com/docker/docker/api/types/registry"
 import (
+	"context"
 	"encoding/base64"
 	"encoding/json"
+	"fmt"
 	"io"
 	"strings"
-
-	"github.com/pkg/errors"
 )
 
 // AuthHeader is the name of the header used to send encoded registry
 // authorization credentials for registry operations (push/pull).
 const AuthHeader = "X-Registry-Auth"
 
+// RequestAuthConfig is a function interface that clients can supply
+// to retry operations after getting an authorization error.
+//
+// The function must return the [AuthHeader] value ([AuthConfig]), encoded
+// in base64url format ([RFC4648, section 5]), which can be decoded by
+// [DecodeAuthConfig].
+//
+// It must return an error if the privilege request fails.
+//
+// [RFC4648, section 5]: https://tools.ietf.org/html/rfc4648#section-5
+type RequestAuthConfig func(context.Context) (string, error)
+
 // AuthConfig contains authorization information for connecting to a Registry.
 type AuthConfig struct {
 	Username string `json:"username,omitempty"`
@@ -85,7 +97,7 @@ func decodeAuthConfigFromReader(rdr io.Reader) (*AuthConfig, error) {
 }
 
 func invalid(err error) error {
-	return errInvalidParameter{errors.Wrap(err, "invalid X-Registry-Auth header")}
+	return errInvalidParameter{fmt.Errorf("invalid X-Registry-Auth header: %w", err)}
 }
 
 type errInvalidParameter struct{ error }
diff --git a/vendor/github.com/docker/docker/api/types/registry/registry.go b/vendor/github.com/docker/docker/api/types/registry/registry.go
index 75ee07b15..b0a4d604f 100644
--- a/vendor/github.com/docker/docker/api/types/registry/registry.go
+++ b/vendor/github.com/docker/docker/api/types/registry/registry.go
@@ -9,11 +9,29 @@ import (
 
 // ServiceConfig stores daemon registry services configuration.
 type ServiceConfig struct {
-	AllowNondistributableArtifactsCIDRs     []*NetIPNet
-	AllowNondistributableArtifactsHostnames []string
-	InsecureRegistryCIDRs                   []*NetIPNet           `json:"InsecureRegistryCIDRs"`
-	IndexConfigs                            map[string]*IndexInfo `json:"IndexConfigs"`
-	Mirrors                                 []string
+	AllowNondistributableArtifactsCIDRs     []*NetIPNet `json:"AllowNondistributableArtifactsCIDRs,omitempty"`     // Deprecated: non-distributable artifacts are deprecated and enabled by default. This field will be removed in the next release.
+	AllowNondistributableArtifactsHostnames []string    `json:"AllowNondistributableArtifactsHostnames,omitempty"` // Deprecated: non-distributable artifacts are deprecated and enabled by default. This field will be removed in the next release.
+
+	InsecureRegistryCIDRs []*NetIPNet           `json:"InsecureRegistryCIDRs"`
+	IndexConfigs          map[string]*IndexInfo `json:"IndexConfigs"`
+	Mirrors               []string
+}
+
+// MarshalJSON implements a custom marshaler to include legacy fields
+// in API responses.
+func (sc ServiceConfig) MarshalJSON() ([]byte, error) {
+	tmp := map[string]interface{}{
+		"InsecureRegistryCIDRs": sc.InsecureRegistryCIDRs,
+		"IndexConfigs":          sc.IndexConfigs,
+		"Mirrors":               sc.Mirrors,
+	}
+	if sc.AllowNondistributableArtifactsCIDRs != nil {
+		tmp["AllowNondistributableArtifactsCIDRs"] = nil
+	}
+	if sc.AllowNondistributableArtifactsHostnames != nil {
+		tmp["AllowNondistributableArtifactsHostnames"] = nil
+	}
+	return json.Marshal(tmp)
 }
 
 // NetIPNet is the net.IPNet type, which can be marshalled and
diff --git a/vendor/github.com/docker/docker/api/types/registry/search.go b/vendor/github.com/docker/docker/api/types/registry/search.go
new file mode 100644
index 000000000..994ca4c6f
--- /dev/null
+++ b/vendor/github.com/docker/docker/api/types/registry/search.go
@@ -0,0 +1,48 @@
+package registry
+
+import (
+	"context"
+
+	"github.com/docker/docker/api/types/filters"
+)
+
+// SearchOptions holds parameters to search images with.
+type SearchOptions struct {
+	RegistryAuth string
+
+	// PrivilegeFunc is a function that clients can supply to retry operations
+	// after getting an authorization error. This function returns the registry
+	// authentication header value in base64 encoded format, or an error if the
+	// privilege request fails.
+	//
+	// For details, refer to [github.com/docker/docker/api/types/registry.RequestAuthConfig].
+	PrivilegeFunc func(context.Context) (string, error)
+	Filters       filters.Args
+	Limit         int
+}
+
+// SearchResult describes a search result returned from a registry
+type SearchResult struct {
+	// StarCount indicates the number of stars this repository has
+	StarCount int `json:"star_count"`
+	// IsOfficial is true if the result is from an official repository.
+	IsOfficial bool `json:"is_official"`
+	// Name is the name of the repository
+	Name string `json:"name"`
+	// IsAutomated indicates whether the result is automated.
+	//
+	// Deprecated: the "is_automated" field is deprecated and will always be "false".
+	IsAutomated bool `json:"is_automated"`
+	// Description is a textual description of the repository
+	Description string `json:"description"`
+}
+
+// SearchResults lists a collection search results returned from a registry
+type SearchResults struct {
+	// Query contains the query string that generated the search results
+	Query string `json:"query"`
+	// NumResults indicates the number of results the query returned
+	NumResults int `json:"num_results"`
+	// Results is a slice containing the actual results for the search
+	Results []SearchResult `json:"results"`
+}
diff --git a/vendor/github.com/docker/docker/api/types/storage/driver_data.go b/vendor/github.com/docker/docker/api/types/storage/driver_data.go
new file mode 100644
index 000000000..009e21309
--- /dev/null
+++ b/vendor/github.com/docker/docker/api/types/storage/driver_data.go
@@ -0,0 +1,23 @@
+package storage
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+// DriverData Information about the storage driver used to store the container's and
+// image's filesystem.
+//
+// swagger:model DriverData
+type DriverData struct {
+
+	// Low-level storage metadata, provided as key/value pairs.
+	//
+	// This information is driver-specific, and depends on the storage-driver
+	// in use, and should be used for informational purposes only.
+	//
+	// Required: true
+	Data map[string]string `json:"Data"`
+
+	// Name of the storage driver.
+	// Required: true
+	Name string `json:"Name"`
+}
diff --git a/vendor/github.com/docker/docker/pkg/archive/archive.go b/vendor/github.com/docker/docker/pkg/archive/archive.go
index cde64f08e..b05780406 100644
--- a/vendor/github.com/docker/docker/pkg/archive/archive.go
+++ b/vendor/github.com/docker/docker/pkg/archive/archive.go
@@ -1,5 +1,5 @@
 // Package archive provides helper functions for dealing with archive files.
-package archive // import "github.com/docker/docker/pkg/archive"
+package archive
 
 import (
 	"archive/tar"
@@ -9,26 +9,26 @@ import (
 	"compress/gzip"
 	"context"
 	"encoding/binary"
+	"errors"
 	"fmt"
 	"io"
 	"os"
 	"os/exec"
 	"path/filepath"
 	"runtime"
+	"runtime/debug"
 	"strconv"
 	"strings"
+	"sync"
+	"sync/atomic"
 	"syscall"
 	"time"
 
 	"github.com/containerd/log"
 	"github.com/docker/docker/pkg/idtools"
-	"github.com/docker/docker/pkg/ioutils"
-	"github.com/docker/docker/pkg/pools"
-	"github.com/docker/docker/pkg/system"
 	"github.com/klauspost/compress/zstd"
 	"github.com/moby/patternmatcher"
 	"github.com/moby/sys/sequential"
-	"github.com/pkg/errors"
 )
 
 // ImpliedDirectoryMode represents the mode (Unix permissions) applied to directories that are implied by files in a
@@ -215,17 +215,66 @@ func gzDecompress(ctx context.Context, buf io.Reader) (io.ReadCloser, error) {
 	return cmdStream(exec.CommandContext(ctx, unpigzPath, "-d", "-c"), buf)
 }
 
-func wrapReadCloser(readBuf io.ReadCloser, cancel context.CancelFunc) io.ReadCloser {
-	return ioutils.NewReadCloserWrapper(readBuf, func() error {
-		cancel()
-		return readBuf.Close()
-	})
+type readCloserWrapper struct {
+	io.Reader
+	closer func() error
+	closed atomic.Bool
+}
+
+func (r *readCloserWrapper) Close() error {
+	if !r.closed.CompareAndSwap(false, true) {
+		log.G(context.TODO()).Error("subsequent attempt to close readCloserWrapper")
+		if log.GetLevel() >= log.DebugLevel {
+			log.G(context.TODO()).Errorf("stack trace: %s", string(debug.Stack()))
+		}
+
+		return nil
+	}
+	if r.closer != nil {
+		return r.closer()
+	}
+	return nil
+}
+
+var (
+	bufioReader32KPool = &sync.Pool{
+		New: func() interface{} { return bufio.NewReaderSize(nil, 32*1024) },
+	}
+)
+
+type bufferedReader struct {
+	buf *bufio.Reader
+}
+
+func newBufferedReader(r io.Reader) *bufferedReader {
+	buf := bufioReader32KPool.Get().(*bufio.Reader)
+	buf.Reset(r)
+	return &bufferedReader{buf}
+}
+
+func (r *bufferedReader) Read(p []byte) (n int, err error) {
+	if r.buf == nil {
+		return 0, io.EOF
+	}
+	n, err = r.buf.Read(p)
+	if err == io.EOF {
+		r.buf.Reset(nil)
+		bufioReader32KPool.Put(r.buf)
+		r.buf = nil
+	}
+	return
+}
+
+func (r *bufferedReader) Peek(n int) ([]byte, error) {
+	if r.buf == nil {
+		return nil, io.EOF
+	}
+	return r.buf.Peek(n)
 }
 
 // DecompressStream decompresses the archive and returns a ReaderCloser with the decompressed archive.
 func DecompressStream(archive io.Reader) (io.ReadCloser, error) {
-	p := pools.BufioReader32KPool
-	buf := p.Get(archive)
+	buf := newBufferedReader(archive)
 	bs, err := buf.Peek(10)
 	if err != nil && err != io.EOF {
 		// Note: we'll ignore any io.EOF error because there are some odd
@@ -240,8 +289,9 @@ func DecompressStream(archive io.Reader) (io.ReadCloser, error) {
 	compression := DetectCompression(bs)
 	switch compression {
 	case Uncompressed:
-		readBufWrapper := p.NewReadCloserWrapper(buf, buf)
-		return readBufWrapper, nil
+		return &readCloserWrapper{
+			Reader: buf,
+		}, nil
 	case Gzip:
 		ctx, cancel := context.WithCancel(context.Background())
 
@@ -250,12 +300,18 @@ func DecompressStream(archive io.Reader) (io.ReadCloser, error) {
 			cancel()
 			return nil, err
 		}
-		readBufWrapper := p.NewReadCloserWrapper(buf, gzReader)
-		return wrapReadCloser(readBufWrapper, cancel), nil
+		return &readCloserWrapper{
+			Reader: gzReader,
+			closer: func() error {
+				cancel()
+				return gzReader.Close()
+			},
+		}, nil
 	case Bzip2:
 		bz2Reader := bzip2.NewReader(buf)
-		readBufWrapper := p.NewReadCloserWrapper(buf, bz2Reader)
-		return readBufWrapper, nil
+		return &readCloserWrapper{
+			Reader: bz2Reader,
+		}, nil
 	case Xz:
 		ctx, cancel := context.WithCancel(context.Background())
 
@@ -264,32 +320,44 @@ func DecompressStream(archive io.Reader) (io.ReadCloser, error) {
 			cancel()
 			return nil, err
 		}
-		readBufWrapper := p.NewReadCloserWrapper(buf, xzReader)
-		return wrapReadCloser(readBufWrapper, cancel), nil
+
+		return &readCloserWrapper{
+			Reader: xzReader,
+			closer: func() error {
+				cancel()
+				return xzReader.Close()
+			},
+		}, nil
 	case Zstd:
 		zstdReader, err := zstd.NewReader(buf)
 		if err != nil {
 			return nil, err
 		}
-		readBufWrapper := p.NewReadCloserWrapper(buf, zstdReader)
-		return readBufWrapper, nil
+		return &readCloserWrapper{
+			Reader: zstdReader,
+			closer: func() error {
+				zstdReader.Close()
+				return nil
+			},
+		}, nil
 	default:
 		return nil, fmt.Errorf("Unsupported compression format %s", (&compression).Extension())
 	}
 }
 
+type nopWriteCloser struct {
+	io.Writer
+}
+
+func (nopWriteCloser) Close() error { return nil }
+
 // CompressStream compresses the dest with specified compression algorithm.
 func CompressStream(dest io.Writer, compression Compression) (io.WriteCloser, error) {
-	p := pools.BufioWriter32KPool
-	buf := p.Get(dest)
 	switch compression {
 	case Uncompressed:
-		writeBufWrapper := p.NewWriteCloserWrapper(buf, buf)
-		return writeBufWrapper, nil
+		return nopWriteCloser{dest}, nil
 	case Gzip:
-		gzWriter := gzip.NewWriter(dest)
-		writeBufWrapper := p.NewWriteCloserWrapper(buf, gzWriter)
-		return writeBufWrapper, nil
+		return gzip.NewWriter(dest), nil
 	case Bzip2, Xz:
 		// archive/bzip2 does not support writing, and there is no xz support at all
 		// However, this is not a problem as docker only currently generates gzipped tars
@@ -360,7 +428,7 @@ func ReplaceFileTarWrapper(inputTarStream io.ReadCloser, mods map[string]TarModi
 					pipeWriter.CloseWithError(err)
 					return
 				}
-				if _, err := pools.Copy(tarWriter, tarReader); err != nil {
+				if _, err := copyWithBuffer(tarWriter, tarReader); err != nil {
 					pipeWriter.CloseWithError(err)
 					return
 				}
@@ -404,13 +472,35 @@ func (compression *Compression) Extension() string {
 	return ""
 }
 
+// assert that we implement [tar.FileInfoNames].
+//
+// TODO(thaJeztah): disabled to allow compiling on < go1.23. un-comment once we drop support for older versions of go.
+// var _ tar.FileInfoNames = (*nosysFileInfo)(nil)
+
 // nosysFileInfo hides the system-dependent info of the wrapped FileInfo to
 // prevent tar.FileInfoHeader from introspecting it and potentially calling into
 // glibc.
+//
+// It implements [tar.FileInfoNames] to further prevent [tar.FileInfoHeader]
+// from performing any lookups on go1.23 and up. see https://go.dev/issue/50102
 type nosysFileInfo struct {
 	os.FileInfo
 }
 
+// Uname stubs out looking up username. It implements [tar.FileInfoNames]
+// to prevent [tar.FileInfoHeader] from loading libraries to perform
+// username lookups.
+func (fi nosysFileInfo) Uname() (string, error) {
+	return "", nil
+}
+
+// Gname stubs out looking up group-name. It implements [tar.FileInfoNames]
+// to prevent [tar.FileInfoHeader] from loading libraries to perform
+// username lookups.
+func (fi nosysFileInfo) Gname() (string, error) {
+	return "", nil
+}
+
 func (fi nosysFileInfo) Sys() interface{} {
 	// A Sys value of type *tar.Header is safe as it is system-independent.
 	// The tar.FileInfoHeader function copies the fields into the returned
@@ -484,7 +574,7 @@ func ReadSecurityXattrToTarHeader(path string, hdr *tar.Header) error {
 		vfsCapRevision2 = 2
 		vfsCapRevision3 = 3
 	)
-	capability, _ := system.Lgetxattr(path, "security.capability")
+	capability, _ := lgetxattr(path, "security.capability")
 	if capability != nil {
 		if capability[versionOffset] == vfsCapRevision3 {
 			// Convert VFS_CAP_REVISION_3 to VFS_CAP_REVISION_2 as root UID makes no
@@ -507,7 +597,6 @@ type tarWhiteoutConverter interface {
 
 type tarAppender struct {
 	TarWriter *tar.Writer
-	Buffer    *bufio.Writer
 
 	// for hardlink mapping
 	SeenFiles       map[uint64]string
@@ -525,21 +614,11 @@ func newTarAppender(idMapping idtools.IdentityMapping, writer io.Writer, chownOp
 	return &tarAppender{
 		SeenFiles:       make(map[uint64]string),
 		TarWriter:       tar.NewWriter(writer),
-		Buffer:          pools.BufioWriter32KPool.Get(nil),
 		IdentityMapping: idMapping,
 		ChownOpts:       chownOpts,
 	}
 }
 
-// CanonicalTarNameForPath canonicalizes relativePath to a POSIX-style path using
-// forward slashes. It is an alias for [filepath.ToSlash], which is a no-op on
-// Linux and Unix.
-//
-// Deprecated: use [filepath.ToSlash]. This function will be removed in the next release.
-func CanonicalTarNameForPath(relativePath string) string {
-	return filepath.ToSlash(relativePath)
-}
-
 // canonicalTarName provides a platform-independent and consistent POSIX-style
 // path for files and directories to be archived regardless of the platform.
 func canonicalTarName(name string, isDir bool) string {
@@ -652,17 +731,11 @@ func (ta *tarAppender) addTarFile(path, name string) error {
 			return err
 		}
 
-		ta.Buffer.Reset(ta.TarWriter)
-		defer ta.Buffer.Reset(nil)
-		_, err = io.Copy(ta.Buffer, file)
+		_, err = copyWithBuffer(ta.TarWriter, file)
 		file.Close()
 		if err != nil {
 			return err
 		}
-		err = ta.Buffer.Flush()
-		if err != nil {
-			return err
-		}
 	}
 
 	return nil
@@ -705,7 +778,7 @@ func createTarFile(path, extractDir string, hdr *tar.Header, reader io.Reader, o
 		if err != nil {
 			return err
 		}
-		if _, err := io.Copy(file, reader); err != nil {
+		if _, err := copyWithBuffer(file, reader); err != nil {
 			file.Close()
 			return err
 		}
@@ -771,11 +844,11 @@ func createTarFile(path, extractDir string, hdr *tar.Header, reader io.Reader, o
 			chownOpts = &idtools.Identity{UID: hdr.Uid, GID: hdr.Gid}
 		}
 		if err := os.Lchown(path, chownOpts.UID, chownOpts.GID); err != nil {
-			msg := "failed to Lchown %q for UID %d, GID %d"
+			var msg string
 			if inUserns && errors.Is(err, syscall.EINVAL) {
-				msg += " (try increasing the number of subordinate IDs in /etc/subuid and /etc/subgid)"
+				msg = " (try increasing the number of subordinate IDs in /etc/subuid and /etc/subgid)"
 			}
-			return errors.Wrapf(err, msg, path, hdr.Uid, hdr.Gid)
+			return fmt.Errorf("failed to Lchown %q for UID %d, GID %d%s: %w", path, hdr.Uid, hdr.Gid, msg, err)
 		}
 	}
 
@@ -785,7 +858,7 @@ func createTarFile(path, extractDir string, hdr *tar.Header, reader io.Reader, o
 		if !ok {
 			continue
 		}
-		if err := system.Lsetxattr(path, xattr, []byte(value), 0); err != nil {
+		if err := lsetxattr(path, xattr, []byte(value), 0); err != nil {
 			if bestEffortXattrs && errors.Is(err, syscall.ENOTSUP) || errors.Is(err, syscall.EPERM) {
 				// EPERM occurs if modifying xattrs is not allowed. This can
 				// happen when running in userns with restrictions (ChromeOS).
@@ -808,26 +881,22 @@ func createTarFile(path, extractDir string, hdr *tar.Header, reader io.Reader, o
 		return err
 	}
 
-	aTime := hdr.AccessTime
-	if aTime.Before(hdr.ModTime) {
-		// Last access time should never be before last modified time.
-		aTime = hdr.ModTime
-	}
+	aTime := boundTime(latestTime(hdr.AccessTime, hdr.ModTime))
+	mTime := boundTime(hdr.ModTime)
 
-	// system.Chtimes doesn't support a NOFOLLOW flag atm
+	// chtimes doesn't support a NOFOLLOW flag atm
 	if hdr.Typeflag == tar.TypeLink {
 		if fi, err := os.Lstat(hdr.Linkname); err == nil && (fi.Mode()&os.ModeSymlink == 0) {
-			if err := system.Chtimes(path, aTime, hdr.ModTime); err != nil {
+			if err := chtimes(path, aTime, mTime); err != nil {
 				return err
 			}
 		}
 	} else if hdr.Typeflag != tar.TypeSymlink {
-		if err := system.Chtimes(path, aTime, hdr.ModTime); err != nil {
+		if err := chtimes(path, aTime, mTime); err != nil {
 			return err
 		}
 	} else {
-		ts := []syscall.Timespec{timeToTimespec(aTime), timeToTimespec(hdr.ModTime)}
-		if err := system.LUtimesNano(path, ts); err != nil && err != system.ErrNotSupportedPlatform {
+		if err := lchtimes(path, aTime, mTime); err != nil {
 			return err
 		}
 	}
@@ -920,9 +989,6 @@ func (t *Tarballer) Do() {
 		}
 	}()
 
-	// this buffer is needed for the duration of this piped stream
-	defer pools.BufioWriter32KPool.Put(ta.Buffer)
-
 	// In general we log errors here but ignore them because
 	// during e.g. a diff operation the container can continue
 	// mutating the filesystem and we can see transient errors
@@ -1078,8 +1144,6 @@ func (t *Tarballer) Do() {
 // Unpack unpacks the decompressedArchive to dest with options.
 func Unpack(decompressedArchive io.Reader, dest string, options *TarOptions) error {
 	tr := tar.NewReader(decompressedArchive)
-	trBuf := pools.BufioReader32KPool.Get(nil)
-	defer pools.BufioReader32KPool.Put(trBuf)
 
 	var dirs []*tar.Header
 	whiteoutConverter := getWhiteoutConverter(options.WhiteoutFormat)
@@ -1156,7 +1220,6 @@ loop:
 				}
 			}
 		}
-		trBuf.Reset(tr)
 
 		if err := remapIDs(options.IDMap, hdr); err != nil {
 			return err
@@ -1172,7 +1235,7 @@ loop:
 			}
 		}
 
-		if err := createTarFile(path, dest, hdr, trBuf, options); err != nil {
+		if err := createTarFile(path, dest, hdr, tr, options); err != nil {
 			return err
 		}
 
@@ -1187,7 +1250,7 @@ loop:
 		// #nosec G305 -- The header was checked for path traversal before it was appended to the dirs slice.
 		path := filepath.Join(dest, hdr.Name)
 
-		if err := system.Chtimes(path, hdr.AccessTime, hdr.ModTime); err != nil {
+		if err := chtimes(path, boundTime(latestTime(hdr.AccessTime, hdr.ModTime)), boundTime(hdr.ModTime)); err != nil {
 			return err
 		}
 	}
@@ -1336,7 +1399,7 @@ func (archiver *Archiver) CopyFileWithTar(src, dst string) (err error) {
 		dst = filepath.Join(dst, filepath.Base(src))
 	}
 	// Create the holding directory if necessary
-	if err := system.MkdirAll(filepath.Dir(dst), 0o700); err != nil {
+	if err := os.MkdirAll(filepath.Dir(dst), 0o700); err != nil {
 		return err
 	}
 
@@ -1375,7 +1438,7 @@ func (archiver *Archiver) CopyFileWithTar(src, dst string) (err error) {
 			if err := tw.WriteHeader(hdr); err != nil {
 				return err
 			}
-			if _, err := io.Copy(tw, srcF); err != nil {
+			if _, err := copyWithBuffer(tw, srcF); err != nil {
 				return err
 			}
 			return nil
@@ -1433,68 +1496,14 @@ func cmdStream(cmd *exec.Cmd, input io.Reader) (io.ReadCloser, error) {
 		close(done)
 	}()
 
-	return ioutils.NewReadCloserWrapper(pipeR, func() error {
-		// Close pipeR, and then wait for the command to complete before returning. We have to close pipeR first, as
-		// cmd.Wait waits for any non-file stdout/stderr/stdin to close.
-		err := pipeR.Close()
-		<-done
-		return err
-	}), nil
-}
-
-// NewTempArchive reads the content of src into a temporary file, and returns the contents
-// of that file as an archive. The archive can only be read once - as soon as reading completes,
-// the file will be deleted.
-//
-// Deprecated: NewTempArchive is only used in tests and will be removed in the next release.
-func NewTempArchive(src io.Reader, dir string) (*TempArchive, error) {
-	f, err := os.CreateTemp(dir, "")
-	if err != nil {
-		return nil, err
-	}
-	if _, err := io.Copy(f, src); err != nil {
-		return nil, err
-	}
-	if _, err := f.Seek(0, 0); err != nil {
-		return nil, err
-	}
-	st, err := f.Stat()
-	if err != nil {
-		return nil, err
-	}
-	size := st.Size()
-	return &TempArchive{File: f, Size: size}, nil
-}
-
-// TempArchive is a temporary archive. The archive can only be read once - as soon as reading completes,
-// the file will be deleted.
-//
-// Deprecated: TempArchive is only used in tests and will be removed in the next release.
-type TempArchive struct {
-	*os.File
-	Size   int64 // Pre-computed from Stat().Size() as a convenience
-	read   int64
-	closed bool
-}
-
-// Close closes the underlying file if it's still open, or does a no-op
-// to allow callers to try to close the TempArchive multiple times safely.
-func (archive *TempArchive) Close() error {
-	if archive.closed {
-		return nil
-	}
-
-	archive.closed = true
-
-	return archive.File.Close()
-}
-
-func (archive *TempArchive) Read(data []byte) (int, error) {
-	n, err := archive.File.Read(data)
-	archive.read += int64(n)
-	if err != nil || archive.read == archive.Size {
-		archive.Close()
-		os.Remove(archive.File.Name())
-	}
-	return n, err
+	return &readCloserWrapper{
+		Reader: pipeR,
+		closer: func() error {
+			// Close pipeR, and then wait for the command to complete before returning. We have to close pipeR first, as
+			// cmd.Wait waits for any non-file stdout/stderr/stdin to close.
+			err := pipeR.Close()
+			<-done
+			return err
+		},
+	}, nil
 }
diff --git a/vendor/github.com/docker/docker/pkg/archive/archive_linux.go b/vendor/github.com/docker/docker/pkg/archive/archive_linux.go
index b9d2a538a..631d2e3c5 100644
--- a/vendor/github.com/docker/docker/pkg/archive/archive_linux.go
+++ b/vendor/github.com/docker/docker/pkg/archive/archive_linux.go
@@ -1,14 +1,13 @@
-package archive // import "github.com/docker/docker/pkg/archive"
+package archive
 
 import (
 	"archive/tar"
+	"fmt"
 	"os"
 	"path/filepath"
 	"strings"
 
-	"github.com/docker/docker/pkg/system"
 	"github.com/moby/sys/userns"
-	"github.com/pkg/errors"
 	"golang.org/x/sys/unix"
 )
 
@@ -39,7 +38,7 @@ func (overlayWhiteoutConverter) ConvertWrite(hdr *tar.Header, path string, fi os
 		}
 
 		// convert opaque dirs to AUFS format by writing an empty file with the prefix
-		opaque, err := system.Lgetxattr(path, opaqueXattrName)
+		opaque, err := lgetxattr(path, opaqueXattrName)
 		if err != nil {
 			return nil, err
 		}
@@ -79,7 +78,7 @@ func (c overlayWhiteoutConverter) ConvertRead(hdr *tar.Header, path string) (boo
 
 		err := unix.Setxattr(dir, opaqueXattrName, []byte{'y'}, 0)
 		if err != nil {
-			return false, errors.Wrapf(err, "setxattr(%q, %s=y)", dir, opaqueXattrName)
+			return false, fmt.Errorf("setxattr('%s', %s=y): %w", dir, opaqueXattrName, err)
 		}
 		// don't write the file itself
 		return false, err
@@ -91,7 +90,7 @@ func (c overlayWhiteoutConverter) ConvertRead(hdr *tar.Header, path string) (boo
 		originalPath := filepath.Join(dir, originalBase)
 
 		if err := unix.Mknod(originalPath, unix.S_IFCHR, 0); err != nil {
-			return false, errors.Wrapf(err, "failed to mknod(%q, S_IFCHR, 0)", originalPath)
+			return false, fmt.Errorf("failed to mknod('%s', S_IFCHR, 0): %w", originalPath, err)
 		}
 		if err := os.Chown(originalPath, hdr.Uid, hdr.Gid); err != nil {
 			return false, err
diff --git a/vendor/github.com/docker/docker/pkg/archive/archive_other.go b/vendor/github.com/docker/docker/pkg/archive/archive_other.go
index 7dee1f7a4..6495549f6 100644
--- a/vendor/github.com/docker/docker/pkg/archive/archive_other.go
+++ b/vendor/github.com/docker/docker/pkg/archive/archive_other.go
@@ -1,6 +1,6 @@
 //go:build !linux
 
-package archive // import "github.com/docker/docker/pkg/archive"
+package archive
 
 func getWhiteoutConverter(format WhiteoutFormat) tarWhiteoutConverter {
 	return nil
diff --git a/vendor/github.com/docker/docker/pkg/archive/archive_unix.go b/vendor/github.com/docker/docker/pkg/archive/archive_unix.go
index f559a3056..9c70d1789 100644
--- a/vendor/github.com/docker/docker/pkg/archive/archive_unix.go
+++ b/vendor/github.com/docker/docker/pkg/archive/archive_unix.go
@@ -1,6 +1,6 @@
 //go:build !windows
 
-package archive // import "github.com/docker/docker/pkg/archive"
+package archive
 
 import (
 	"archive/tar"
@@ -12,7 +12,6 @@ import (
 	"syscall"
 
 	"github.com/docker/docker/pkg/idtools"
-	"github.com/docker/docker/pkg/system"
 	"golang.org/x/sys/unix"
 )
 
@@ -109,7 +108,7 @@ func handleTarTypeBlockCharFifo(hdr *tar.Header, path string) error {
 		mode |= unix.S_IFIFO
 	}
 
-	return system.Mknod(path, mode, int(system.Mkdev(hdr.Devmajor, hdr.Devminor)))
+	return mknod(path, mode, unix.Mkdev(uint32(hdr.Devmajor), uint32(hdr.Devminor)))
 }
 
 func handleLChmod(hdr *tar.Header, path string, hdrInfo os.FileInfo) error {
diff --git a/vendor/github.com/docker/docker/pkg/archive/archive_windows.go b/vendor/github.com/docker/docker/pkg/archive/archive_windows.go
index e25c64b41..031608162 100644
--- a/vendor/github.com/docker/docker/pkg/archive/archive_windows.go
+++ b/vendor/github.com/docker/docker/pkg/archive/archive_windows.go
@@ -1,4 +1,4 @@
-package archive // import "github.com/docker/docker/pkg/archive"
+package archive
 
 import (
 	"archive/tar"
diff --git a/vendor/github.com/docker/docker/pkg/archive/changes.go b/vendor/github.com/docker/docker/pkg/archive/changes.go
index 5f12ca401..79c810a68 100644
--- a/vendor/github.com/docker/docker/pkg/archive/changes.go
+++ b/vendor/github.com/docker/docker/pkg/archive/changes.go
@@ -1,4 +1,4 @@
-package archive // import "github.com/docker/docker/pkg/archive"
+package archive
 
 import (
 	"archive/tar"
@@ -6,17 +6,15 @@ import (
 	"context"
 	"fmt"
 	"io"
+	"io/fs"
 	"os"
 	"path/filepath"
 	"sort"
 	"strings"
-	"syscall"
 	"time"
 
 	"github.com/containerd/log"
 	"github.com/docker/docker/pkg/idtools"
-	"github.com/docker/docker/pkg/pools"
-	"github.com/docker/docker/pkg/system"
 )
 
 // ChangeType represents the change type.
@@ -74,11 +72,6 @@ func sameFsTime(a, b time.Time) bool {
 			(a.Nanosecond() == 0 || b.Nanosecond() == 0))
 }
 
-func sameFsTimeSpec(a, b syscall.Timespec) bool {
-	return a.Sec == b.Sec &&
-		(a.Nsec == b.Nsec || a.Nsec == 0 || b.Nsec == 0)
-}
-
 // Changes walks the path rw and determines changes for the files in the path,
 // with respect to the parent layers
 func Changes(layers []string, rw string) ([]Change, error) {
@@ -210,7 +203,7 @@ func changes(layers []string, rw string, dc deleteChange, sc skipChange) ([]Chan
 type FileInfo struct {
 	parent     *FileInfo
 	name       string
-	stat       *system.StatT
+	stat       fs.FileInfo
 	children   map[string]*FileInfo
 	capability []byte
 	added      bool
@@ -395,9 +388,6 @@ func ExportChanges(dir string, changes []Change, idMap idtools.IdentityMapping)
 	go func() {
 		ta := newTarAppender(idMap, writer, nil)
 
-		// this buffer is needed for the duration of this piped stream
-		defer pools.BufioWriter32KPool.Put(ta.Buffer)
-
 		sort.Sort(changesByPath(changes))
 
 		// In general we log errors here but ignore them because
diff --git a/vendor/github.com/docker/docker/pkg/archive/changes_linux.go b/vendor/github.com/docker/docker/pkg/archive/changes_linux.go
index 81fcbc5ba..9a041b098 100644
--- a/vendor/github.com/docker/docker/pkg/archive/changes_linux.go
+++ b/vendor/github.com/docker/docker/pkg/archive/changes_linux.go
@@ -1,15 +1,14 @@
-package archive // import "github.com/docker/docker/pkg/archive"
+package archive
 
 import (
-	"bytes"
 	"fmt"
 	"os"
 	"path/filepath"
 	"sort"
+	"strings"
 	"syscall"
 	"unsafe"
 
-	"github.com/docker/docker/pkg/system"
 	"golang.org/x/sys/unix"
 )
 
@@ -74,12 +73,8 @@ func walkchunk(path string, fi os.FileInfo, dir string, root *FileInfo) error {
 		parent:   parent,
 	}
 	cpath := filepath.Join(dir, path)
-	stat, err := system.FromStatT(fi.Sys().(*syscall.Stat_t))
-	if err != nil {
-		return err
-	}
-	info.stat = stat
-	info.capability, _ = system.Lgetxattr(cpath, "security.capability") // lgetxattr(2): fs access
+	info.stat = fi
+	info.capability, _ = lgetxattr(cpath, "security.capability") // lgetxattr(2): fs access
 	parent.children[info.name] = info
 	return nil
 }
@@ -148,7 +143,7 @@ func (w *walker) walk(path string, i1, i2 os.FileInfo) (err error) {
 		ni1 := names1[ix1]
 		ni2 := names2[ix2]
 
-		switch bytes.Compare([]byte(ni1.name), []byte(ni2.name)) {
+		switch strings.Compare(ni1.name, ni2.name) {
 		case -1: // ni1 < ni2 -- advance ni1
 			// we will not encounter ni1 in names2
 			names = append(names, ni1.name)
@@ -261,13 +256,13 @@ func readdirnames(dirname string) (names []nameIno, err error) {
 func parseDirent(buf []byte, names []nameIno) (consumed int, newnames []nameIno) {
 	origlen := len(buf)
 	for len(buf) > 0 {
-		dirent := (*unix.Dirent)(unsafe.Pointer(&buf[0]))
+		dirent := (*unix.Dirent)(unsafe.Pointer(&buf[0])) // #nosec G103 -- Ignore "G103: Use of unsafe calls should be audited"
 		buf = buf[dirent.Reclen:]
 		if dirent.Ino == 0 { // File absent in directory.
 			continue
 		}
-		bytes := (*[10000]byte)(unsafe.Pointer(&dirent.Name[0]))
-		name := string(bytes[0:clen(bytes[:])])
+		b := (*[10000]byte)(unsafe.Pointer(&dirent.Name[0])) // #nosec G103 -- Ignore "G103: Use of unsafe calls should be audited"
+		name := string(b[0:clen(b[:])])
 		if name == "." || name == ".." { // Useless names
 			continue
 		}
diff --git a/vendor/github.com/docker/docker/pkg/archive/changes_other.go b/vendor/github.com/docker/docker/pkg/archive/changes_other.go
index 28f741a25..a8a3a5a6f 100644
--- a/vendor/github.com/docker/docker/pkg/archive/changes_other.go
+++ b/vendor/github.com/docker/docker/pkg/archive/changes_other.go
@@ -1,6 +1,6 @@
 //go:build !linux
 
-package archive // import "github.com/docker/docker/pkg/archive"
+package archive
 
 import (
 	"fmt"
@@ -8,8 +8,6 @@ import (
 	"path/filepath"
 	"runtime"
 	"strings"
-
-	"github.com/docker/docker/pkg/system"
 )
 
 func collectFileInfoForChanges(oldDir, newDir string) (*FileInfo, *FileInfo, error) {
@@ -72,7 +70,7 @@ func collectFileInfo(sourceDir string) (*FileInfo, error) {
 			return fmt.Errorf("collectFileInfo: Unexpectedly no parent for %s", relPath)
 		}
 
-		s, err := system.Lstat(path)
+		s, err := os.Lstat(path)
 		if err != nil {
 			return err
 		}
@@ -84,11 +82,7 @@ func collectFileInfo(sourceDir string) (*FileInfo, error) {
 			stat:     s,
 		}
 
-		// system.Lgetxattr is only implemented on Linux and produces an error
-		// on other platforms. This code is intentionally left commented-out
-		// as a reminder to include this code if this would ever be implemented
-		// on other platforms.
-		// info.capability, _ = system.Lgetxattr(path, "security.capability")
+		info.capability, _ = lgetxattr(path, "security.capability")
 
 		parent.children[info.name] = info
 
diff --git a/vendor/github.com/docker/docker/pkg/archive/changes_unix.go b/vendor/github.com/docker/docker/pkg/archive/changes_unix.go
index 853c73ee8..4dd98bd29 100644
--- a/vendor/github.com/docker/docker/pkg/archive/changes_unix.go
+++ b/vendor/github.com/docker/docker/pkg/archive/changes_unix.go
@@ -1,21 +1,21 @@
 //go:build !windows
 
-package archive // import "github.com/docker/docker/pkg/archive"
+package archive
 
 import (
+	"io/fs"
 	"os"
 	"syscall"
-
-	"github.com/docker/docker/pkg/system"
-	"golang.org/x/sys/unix"
 )
 
-func statDifferent(oldStat *system.StatT, newStat *system.StatT) bool {
+func statDifferent(oldStat fs.FileInfo, newStat fs.FileInfo) bool {
+	oldSys := oldStat.Sys().(*syscall.Stat_t)
+	newSys := newStat.Sys().(*syscall.Stat_t)
 	// Don't look at size for dirs, its not a good measure of change
 	if oldStat.Mode() != newStat.Mode() ||
-		oldStat.UID() != newStat.UID() ||
-		oldStat.GID() != newStat.GID() ||
-		oldStat.Rdev() != newStat.Rdev() ||
+		oldSys.Uid != newSys.Uid ||
+		oldSys.Gid != newSys.Gid ||
+		oldSys.Rdev != newSys.Rdev ||
 		// Don't look at size or modification time for dirs, its not a good
 		// measure of change. See https://github.com/moby/moby/issues/9874
 		// for a description of the issue with modification time, and
@@ -23,15 +23,15 @@ func statDifferent(oldStat *system.StatT, newStat *system.StatT) bool {
 		// (Note that in the Windows implementation of this function,
 		// modification time IS taken as a change). See
 		// https://github.com/moby/moby/pull/37982 for more information.
-		(oldStat.Mode()&unix.S_IFDIR != unix.S_IFDIR &&
-			(!sameFsTimeSpec(oldStat.Mtim(), newStat.Mtim()) || (oldStat.Size() != newStat.Size()))) {
+		(!oldStat.Mode().IsDir() &&
+			(!sameFsTime(oldStat.ModTime(), newStat.ModTime()) || (oldStat.Size() != newStat.Size()))) {
 		return true
 	}
 	return false
 }
 
 func (info *FileInfo) isDir() bool {
-	return info.parent == nil || info.stat.Mode()&unix.S_IFDIR != 0
+	return info.parent == nil || info.stat.Mode().IsDir()
 }
 
 func getIno(fi os.FileInfo) uint64 {
diff --git a/vendor/github.com/docker/docker/pkg/archive/changes_windows.go b/vendor/github.com/docker/docker/pkg/archive/changes_windows.go
index 9906685e4..c89605c78 100644
--- a/vendor/github.com/docker/docker/pkg/archive/changes_windows.go
+++ b/vendor/github.com/docker/docker/pkg/archive/changes_windows.go
@@ -1,19 +1,18 @@
-package archive // import "github.com/docker/docker/pkg/archive"
+package archive
 
 import (
+	"io/fs"
 	"os"
-
-	"github.com/docker/docker/pkg/system"
 )
 
-func statDifferent(oldStat *system.StatT, newStat *system.StatT) bool {
+func statDifferent(oldStat fs.FileInfo, newStat fs.FileInfo) bool {
 	// Note there is slight difference between the Linux and Windows
 	// implementations here. Due to https://github.com/moby/moby/issues/9874,
 	// and the fix at https://github.com/moby/moby/pull/11422, Linux does not
 	// consider a change to the directory time as a change. Windows on NTFS
 	// does. See https://github.com/moby/moby/pull/37982 for more information.
 
-	if !sameFsTime(oldStat.Mtim(), newStat.Mtim()) ||
+	if !sameFsTime(oldStat.ModTime(), newStat.ModTime()) ||
 		oldStat.Mode() != newStat.Mode() ||
 		oldStat.Size() != newStat.Size() && !oldStat.Mode().IsDir() {
 		return true
diff --git a/vendor/github.com/docker/docker/pkg/archive/copy.go b/vendor/github.com/docker/docker/pkg/archive/copy.go
index 01eadc30d..cddf18ecd 100644
--- a/vendor/github.com/docker/docker/pkg/archive/copy.go
+++ b/vendor/github.com/docker/docker/pkg/archive/copy.go
@@ -1,4 +1,4 @@
-package archive // import "github.com/docker/docker/pkg/archive"
+package archive
 
 import (
 	"archive/tar"
@@ -8,9 +8,9 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
+	"sync"
 
 	"github.com/containerd/log"
-	"github.com/docker/docker/pkg/system"
 )
 
 // Errors used or returned by this file.
@@ -21,6 +21,17 @@ var (
 	ErrInvalidCopySource = errors.New("invalid copy source content")
 )
 
+var copyPool = sync.Pool{
+	New: func() interface{} { s := make([]byte, 32*1024); return &s },
+}
+
+func copyWithBuffer(dst io.Writer, src io.Reader) (written int64, err error) {
+	buf := copyPool.Get().(*[]byte)
+	written, err = io.CopyBuffer(dst, src, *buf)
+	copyPool.Put(buf)
+	return
+}
+
 // PreserveTrailingDotOrSeparator returns the given cleaned path (after
 // processing using any utility functions from the path or filepath stdlib
 // packages) and appends a trailing `/.` or `/` if its corresponding  original
@@ -203,7 +214,7 @@ func CopyInfoDestinationPath(path string) (info CopyInfo, err error) {
 			return CopyInfo{}, err
 		}
 
-		if !system.IsAbs(linkTarget) {
+		if !filepath.IsAbs(linkTarget) {
 			// Join with the parent directory.
 			dstParent, _ := SplitPathDirEntry(path)
 			linkTarget = filepath.Join(dstParent, linkTarget)
diff --git a/vendor/github.com/docker/docker/pkg/archive/copy_unix.go b/vendor/github.com/docker/docker/pkg/archive/copy_unix.go
index 065bd4add..f57928244 100644
--- a/vendor/github.com/docker/docker/pkg/archive/copy_unix.go
+++ b/vendor/github.com/docker/docker/pkg/archive/copy_unix.go
@@ -1,6 +1,6 @@
 //go:build !windows
 
-package archive // import "github.com/docker/docker/pkg/archive"
+package archive
 
 import (
 	"path/filepath"
diff --git a/vendor/github.com/docker/docker/pkg/archive/copy_windows.go b/vendor/github.com/docker/docker/pkg/archive/copy_windows.go
index a878d1bac..2b775b45c 100644
--- a/vendor/github.com/docker/docker/pkg/archive/copy_windows.go
+++ b/vendor/github.com/docker/docker/pkg/archive/copy_windows.go
@@ -1,4 +1,4 @@
-package archive // import "github.com/docker/docker/pkg/archive"
+package archive
 
 import (
 	"path/filepath"
diff --git a/vendor/github.com/docker/docker/pkg/archive/dev_freebsd.go b/vendor/github.com/docker/docker/pkg/archive/dev_freebsd.go
new file mode 100644
index 000000000..aa8e29154
--- /dev/null
+++ b/vendor/github.com/docker/docker/pkg/archive/dev_freebsd.go
@@ -0,0 +1,7 @@
+//go:build freebsd
+
+package archive
+
+import "golang.org/x/sys/unix"
+
+var mknod = unix.Mknod
diff --git a/vendor/github.com/docker/docker/pkg/archive/dev_unix.go b/vendor/github.com/docker/docker/pkg/archive/dev_unix.go
new file mode 100644
index 000000000..dffc596f9
--- /dev/null
+++ b/vendor/github.com/docker/docker/pkg/archive/dev_unix.go
@@ -0,0 +1,9 @@
+//go:build !windows && !freebsd
+
+package archive
+
+import "golang.org/x/sys/unix"
+
+func mknod(path string, mode uint32, dev uint64) error {
+	return unix.Mknod(path, mode, int(dev))
+}
diff --git a/vendor/github.com/docker/docker/pkg/archive/diff.go b/vendor/github.com/docker/docker/pkg/archive/diff.go
index e080e310a..d5a394cdc 100644
--- a/vendor/github.com/docker/docker/pkg/archive/diff.go
+++ b/vendor/github.com/docker/docker/pkg/archive/diff.go
@@ -1,4 +1,4 @@
-package archive // import "github.com/docker/docker/pkg/archive"
+package archive
 
 import (
 	"archive/tar"
@@ -11,8 +11,6 @@ import (
 	"strings"
 
 	"github.com/containerd/log"
-	"github.com/docker/docker/pkg/pools"
-	"github.com/docker/docker/pkg/system"
 )
 
 // UnpackLayer unpack `layer` to a `dest`. The stream `layer` can be
@@ -20,8 +18,6 @@ import (
 // Returns the size in bytes of the contents of the layer.
 func UnpackLayer(dest string, layer io.Reader, options *TarOptions) (size int64, err error) {
 	tr := tar.NewReader(layer)
-	trBuf := pools.BufioReader32KPool.Get(tr)
-	defer pools.BufioReader32KPool.Put(trBuf)
 
 	var dirs []*tar.Header
 	unpackedPaths := make(map[string]struct{})
@@ -160,8 +156,7 @@ func UnpackLayer(dest string, layer io.Reader, options *TarOptions) (size int64,
 				}
 			}
 
-			trBuf.Reset(tr)
-			srcData := io.Reader(trBuf)
+			srcData := io.Reader(tr)
 			srcHdr := hdr
 
 			// Hard links into /.wh..wh.plnk don't work, as we don't extract that directory, so
@@ -200,7 +195,7 @@ func UnpackLayer(dest string, layer io.Reader, options *TarOptions) (size int64,
 	for _, hdr := range dirs {
 		// #nosec G305 -- The header was checked for path traversal before it was appended to the dirs slice.
 		path := filepath.Join(dest, hdr.Name)
-		if err := system.Chtimes(path, hdr.AccessTime, hdr.ModTime); err != nil {
+		if err := chtimes(path, hdr.AccessTime, hdr.ModTime); err != nil {
 			return 0, err
 		}
 	}
diff --git a/vendor/github.com/docker/docker/pkg/archive/time.go b/vendor/github.com/docker/docker/pkg/archive/time.go
new file mode 100644
index 000000000..4e9ae9508
--- /dev/null
+++ b/vendor/github.com/docker/docker/pkg/archive/time.go
@@ -0,0 +1,38 @@
+package archive
+
+import (
+	"syscall"
+	"time"
+	"unsafe"
+)
+
+var (
+	minTime = time.Unix(0, 0)
+	maxTime time.Time
+)
+
+func init() {
+	if unsafe.Sizeof(syscall.Timespec{}.Nsec) == 8 {
+		// This is a 64 bit timespec
+		// os.Chtimes limits time to the following
+		maxTime = time.Unix(0, 1<<63-1)
+	} else {
+		// This is a 32 bit timespec
+		maxTime = time.Unix(1<<31-1, 0)
+	}
+}
+
+func boundTime(t time.Time) time.Time {
+	if t.Before(minTime) || t.After(maxTime) {
+		return minTime
+	}
+
+	return t
+}
+
+func latestTime(t1, t2 time.Time) time.Time {
+	if t1.Before(t2) {
+		return t2
+	}
+	return t1
+}
diff --git a/vendor/github.com/docker/docker/pkg/archive/time_linux.go b/vendor/github.com/docker/docker/pkg/archive/time_linux.go
deleted file mode 100644
index 797143ee8..000000000
--- a/vendor/github.com/docker/docker/pkg/archive/time_linux.go
+++ /dev/null
@@ -1,16 +0,0 @@
-package archive // import "github.com/docker/docker/pkg/archive"
-
-import (
-	"syscall"
-	"time"
-)
-
-func timeToTimespec(time time.Time) (ts syscall.Timespec) {
-	if time.IsZero() {
-		// Return UTIME_OMIT special value
-		ts.Sec = 0
-		ts.Nsec = (1 << 30) - 2
-		return
-	}
-	return syscall.NsecToTimespec(time.UnixNano())
-}
diff --git a/vendor/github.com/docker/docker/pkg/archive/time_nonwindows.go b/vendor/github.com/docker/docker/pkg/archive/time_nonwindows.go
new file mode 100644
index 000000000..8ce83bd0b
--- /dev/null
+++ b/vendor/github.com/docker/docker/pkg/archive/time_nonwindows.go
@@ -0,0 +1,40 @@
+//go:build !windows
+
+package archive
+
+import (
+	"os"
+	"time"
+
+	"golang.org/x/sys/unix"
+)
+
+// chtimes changes the access time and modified time of a file at the given path.
+// If the modified time is prior to the Unix Epoch (unixMinTime), or after the
+// end of Unix Time (unixEpochTime), os.Chtimes has undefined behavior. In this
+// case, Chtimes defaults to Unix Epoch, just in case.
+func chtimes(name string, atime time.Time, mtime time.Time) error {
+	return os.Chtimes(name, atime, mtime)
+}
+
+func timeToTimespec(time time.Time) (ts unix.Timespec) {
+	if time.IsZero() {
+		// Return UTIME_OMIT special value
+		ts.Sec = 0
+		ts.Nsec = (1 << 30) - 2
+		return
+	}
+	return unix.NsecToTimespec(time.UnixNano())
+}
+
+func lchtimes(name string, atime time.Time, mtime time.Time) error {
+	utimes := [2]unix.Timespec{
+		timeToTimespec(atime),
+		timeToTimespec(mtime),
+	}
+	err := unix.UtimesNanoAt(unix.AT_FDCWD, name, utimes[0:], unix.AT_SYMLINK_NOFOLLOW)
+	if err != nil && err != unix.ENOSYS {
+		return err
+	}
+	return err
+}
diff --git a/vendor/github.com/docker/docker/pkg/archive/time_unsupported.go b/vendor/github.com/docker/docker/pkg/archive/time_unsupported.go
deleted file mode 100644
index 14c4ceb1d..000000000
--- a/vendor/github.com/docker/docker/pkg/archive/time_unsupported.go
+++ /dev/null
@@ -1,16 +0,0 @@
-//go:build !linux
-
-package archive // import "github.com/docker/docker/pkg/archive"
-
-import (
-	"syscall"
-	"time"
-)
-
-func timeToTimespec(time time.Time) (ts syscall.Timespec) {
-	nsec := int64(0)
-	if !time.IsZero() {
-		nsec = time.UnixNano()
-	}
-	return syscall.NsecToTimespec(nsec)
-}
diff --git a/vendor/github.com/docker/docker/pkg/system/chtimes_windows.go b/vendor/github.com/docker/docker/pkg/archive/time_windows.go
similarity index 50%
rename from vendor/github.com/docker/docker/pkg/system/chtimes_windows.go
rename to vendor/github.com/docker/docker/pkg/archive/time_windows.go
index ab478f5c3..af1f7c8f3 100644
--- a/vendor/github.com/docker/docker/pkg/system/chtimes_windows.go
+++ b/vendor/github.com/docker/docker/pkg/archive/time_windows.go
@@ -1,15 +1,18 @@
-package system // import "github.com/docker/docker/pkg/system"
+package archive
 
 import (
+	"os"
 	"time"
 
 	"golang.org/x/sys/windows"
 )
 
-// setCTime will set the create time on a file. On Windows, this requires
-// calling SetFileTime and explicitly including the create time.
-func setCTime(path string, ctime time.Time) error {
-	pathp, err := windows.UTF16PtrFromString(path)
+func chtimes(name string, atime time.Time, mtime time.Time) error {
+	if err := os.Chtimes(name, atime, mtime); err != nil {
+		return err
+	}
+
+	pathp, err := windows.UTF16PtrFromString(name)
 	if err != nil {
 		return err
 	}
@@ -20,6 +23,10 @@ func setCTime(path string, ctime time.Time) error {
 		return err
 	}
 	defer windows.Close(h)
-	c := windows.NsecToFiletime(ctime.UnixNano())
+	c := windows.NsecToFiletime(mtime.UnixNano())
 	return windows.SetFileTime(h, &c, nil, nil)
 }
+
+func lchtimes(name string, atime time.Time, mtime time.Time) error {
+	return nil
+}
diff --git a/vendor/github.com/docker/docker/pkg/archive/whiteouts.go b/vendor/github.com/docker/docker/pkg/archive/whiteouts.go
index 4c072a87e..d20478a10 100644
--- a/vendor/github.com/docker/docker/pkg/archive/whiteouts.go
+++ b/vendor/github.com/docker/docker/pkg/archive/whiteouts.go
@@ -1,4 +1,4 @@
-package archive // import "github.com/docker/docker/pkg/archive"
+package archive
 
 // Whiteouts are files with a special meaning for the layered filesystem.
 // Docker uses AUFS whiteout files inside exported archives. In other
diff --git a/vendor/github.com/docker/docker/pkg/archive/wrap.go b/vendor/github.com/docker/docker/pkg/archive/wrap.go
index 032db82ce..903befd76 100644
--- a/vendor/github.com/docker/docker/pkg/archive/wrap.go
+++ b/vendor/github.com/docker/docker/pkg/archive/wrap.go
@@ -1,4 +1,4 @@
-package archive // import "github.com/docker/docker/pkg/archive"
+package archive
 
 import (
 	"archive/tar"
diff --git a/vendor/github.com/docker/docker/pkg/archive/xattr_supported.go b/vendor/github.com/docker/docker/pkg/archive/xattr_supported.go
new file mode 100644
index 000000000..652a1f0f3
--- /dev/null
+++ b/vendor/github.com/docker/docker/pkg/archive/xattr_supported.go
@@ -0,0 +1,52 @@
+//go:build linux || darwin || freebsd || netbsd
+
+package archive
+
+import (
+	"errors"
+	"fmt"
+	"io/fs"
+
+	"golang.org/x/sys/unix"
+)
+
+// lgetxattr retrieves the value of the extended attribute identified by attr
+// and associated with the given path in the file system.
+// It returns a nil slice and nil error if the xattr is not set.
+func lgetxattr(path string, attr string) ([]byte, error) {
+	// Start with a 128 length byte array
+	dest := make([]byte, 128)
+	sz, err := unix.Lgetxattr(path, attr, dest)
+
+	for errors.Is(err, unix.ERANGE) {
+		// Buffer too small, use zero-sized buffer to get the actual size
+		sz, err = unix.Lgetxattr(path, attr, []byte{})
+		if err != nil {
+			return nil, wrapPathError("lgetxattr", path, attr, err)
+		}
+		dest = make([]byte, sz)
+		sz, err = unix.Lgetxattr(path, attr, dest)
+	}
+
+	if err != nil {
+		if errors.Is(err, noattr) {
+			return nil, nil
+		}
+		return nil, wrapPathError("lgetxattr", path, attr, err)
+	}
+
+	return dest[:sz], nil
+}
+
+// lsetxattr sets the value of the extended attribute identified by attr
+// and associated with the given path in the file system.
+func lsetxattr(path string, attr string, data []byte, flags int) error {
+	return wrapPathError("lsetxattr", path, attr, unix.Lsetxattr(path, attr, data, flags))
+}
+
+func wrapPathError(op, path, attr string, err error) error {
+	if err == nil {
+		return nil
+	}
+	return &fs.PathError{Op: op, Path: path, Err: fmt.Errorf("xattr %q: %w", attr, err)}
+}
diff --git a/vendor/github.com/docker/docker/pkg/archive/xattr_supported_linux.go b/vendor/github.com/docker/docker/pkg/archive/xattr_supported_linux.go
new file mode 100644
index 000000000..f2e76465a
--- /dev/null
+++ b/vendor/github.com/docker/docker/pkg/archive/xattr_supported_linux.go
@@ -0,0 +1,5 @@
+package archive
+
+import "golang.org/x/sys/unix"
+
+var noattr = unix.ENODATA
diff --git a/vendor/github.com/docker/docker/pkg/archive/xattr_supported_unix.go b/vendor/github.com/docker/docker/pkg/archive/xattr_supported_unix.go
new file mode 100644
index 000000000..4d8824158
--- /dev/null
+++ b/vendor/github.com/docker/docker/pkg/archive/xattr_supported_unix.go
@@ -0,0 +1,7 @@
+//go:build !linux && !windows
+
+package archive
+
+import "golang.org/x/sys/unix"
+
+var noattr = unix.ENOATTR
diff --git a/vendor/github.com/docker/docker/pkg/archive/xattr_unsupported.go b/vendor/github.com/docker/docker/pkg/archive/xattr_unsupported.go
new file mode 100644
index 000000000..b0d9165cd
--- /dev/null
+++ b/vendor/github.com/docker/docker/pkg/archive/xattr_unsupported.go
@@ -0,0 +1,11 @@
+//go:build !linux && !darwin && !freebsd && !netbsd
+
+package archive
+
+func lgetxattr(path string, attr string) ([]byte, error) {
+	return nil, nil
+}
+
+func lsetxattr(path string, attr string, data []byte, flags int) error {
+	return nil
+}
diff --git a/vendor/github.com/docker/docker/pkg/idtools/idtools.go b/vendor/github.com/docker/docker/pkg/idtools/idtools.go
index 79d682c69..d2fbd943a 100644
--- a/vendor/github.com/docker/docker/pkg/idtools/idtools.go
+++ b/vendor/github.com/docker/docker/pkg/idtools/idtools.go
@@ -1,11 +1,8 @@
-package idtools // import "github.com/docker/docker/pkg/idtools"
+package idtools
 
 import (
-	"bufio"
 	"fmt"
 	"os"
-	"strconv"
-	"strings"
 )
 
 // IDMap contains a single entry for user namespace range remapping. An array
@@ -17,22 +14,6 @@ type IDMap struct {
 	Size        int `json:"size"`
 }
 
-type subIDRange struct {
-	Start  int
-	Length int
-}
-
-type ranges []subIDRange
-
-func (e ranges) Len() int           { return len(e) }
-func (e ranges) Swap(i, j int)      { e[i], e[j] = e[j], e[i] }
-func (e ranges) Less(i, j int) bool { return e[i].Start < e[j].Start }
-
-const (
-	subuidFileName = "/etc/subuid"
-	subgidFileName = "/etc/subgid"
-)
-
 // MkdirAllAndChown creates a directory (include any along the path) and then modifies
 // ownership to the requested uid/gid.  If the directory already exists, this
 // function will still change ownership and permissions.
@@ -162,67 +143,6 @@ func (i IdentityMapping) Empty() bool {
 	return len(i.UIDMaps) == 0 && len(i.GIDMaps) == 0
 }
 
-func createIDMap(subidRanges ranges) []IDMap {
-	idMap := []IDMap{}
-
-	containerID := 0
-	for _, idrange := range subidRanges {
-		idMap = append(idMap, IDMap{
-			ContainerID: containerID,
-			HostID:      idrange.Start,
-			Size:        idrange.Length,
-		})
-		containerID = containerID + idrange.Length
-	}
-	return idMap
-}
-
-func parseSubuid(username string) (ranges, error) {
-	return parseSubidFile(subuidFileName, username)
-}
-
-func parseSubgid(username string) (ranges, error) {
-	return parseSubidFile(subgidFileName, username)
-}
-
-// parseSubidFile will read the appropriate file (/etc/subuid or /etc/subgid)
-// and return all found ranges for a specified username. If the special value
-// "ALL" is supplied for username, then all ranges in the file will be returned
-func parseSubidFile(path, username string) (ranges, error) {
-	var rangeList ranges
-
-	subidFile, err := os.Open(path)
-	if err != nil {
-		return rangeList, err
-	}
-	defer subidFile.Close()
-
-	s := bufio.NewScanner(subidFile)
-	for s.Scan() {
-		text := strings.TrimSpace(s.Text())
-		if text == "" || strings.HasPrefix(text, "#") {
-			continue
-		}
-		parts := strings.Split(text, ":")
-		if len(parts) != 3 {
-			return rangeList, fmt.Errorf("Cannot parse subuid/gid information: Format not correct for %s file", path)
-		}
-		if parts[0] == username || username == "ALL" {
-			startid, err := strconv.Atoi(parts[1])
-			if err != nil {
-				return rangeList, fmt.Errorf("String to int conversion failed during subuid/gid parsing of %s: %v", path, err)
-			}
-			length, err := strconv.Atoi(parts[2])
-			if err != nil {
-				return rangeList, fmt.Errorf("String to int conversion failed during subuid/gid parsing of %s: %v", path, err)
-			}
-			rangeList = append(rangeList, subIDRange{startid, length})
-		}
-	}
-
-	return rangeList, s.Err()
-}
-
 // CurrentIdentity returns the identity of the current process
 func CurrentIdentity() Identity {
 	return Identity{UID: os.Getuid(), GID: os.Getegid()}
diff --git a/vendor/github.com/docker/docker/pkg/idtools/idtools_unix.go b/vendor/github.com/docker/docker/pkg/idtools/idtools_unix.go
index cd621bdcc..1f11fe474 100644
--- a/vendor/github.com/docker/docker/pkg/idtools/idtools_unix.go
+++ b/vendor/github.com/docker/docker/pkg/idtools/idtools_unix.go
@@ -1,13 +1,10 @@
 //go:build !windows
 
-package idtools // import "github.com/docker/docker/pkg/idtools"
+package idtools
 
 import (
-	"bytes"
 	"fmt"
-	"io"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"strconv"
 	"syscall"
@@ -72,127 +69,25 @@ func mkdirAs(path string, mode os.FileMode, owner Identity, mkAll, chownExisting
 	return nil
 }
 
-// LookupUser uses traditional local system files lookup (from libcontainer/user) on a username,
-// followed by a call to `getent` for supporting host configured non-files passwd and group dbs
+// LookupUser uses traditional local system files lookup (from libcontainer/user) on a username
+//
+// Deprecated: use [user.LookupUser] instead
 func LookupUser(name string) (user.User, error) {
-	// first try a local system files lookup using existing capabilities
-	usr, err := user.LookupUser(name)
-	if err == nil {
-		return usr, nil
-	}
-	// local files lookup failed; attempt to call `getent` to query configured passwd dbs
-	usr, err = getentUser(name)
-	if err != nil {
-		return user.User{}, err
-	}
-	return usr, nil
+	return user.LookupUser(name)
 }
 
-// LookupUID uses traditional local system files lookup (from libcontainer/user) on a uid,
-// followed by a call to `getent` for supporting host configured non-files passwd and group dbs
+// LookupUID uses traditional local system files lookup (from libcontainer/user) on a uid
+//
+// Deprecated: use [user.LookupUid] instead
 func LookupUID(uid int) (user.User, error) {
-	// first try a local system files lookup using existing capabilities
-	usr, err := user.LookupUid(uid)
-	if err == nil {
-		return usr, nil
-	}
-	// local files lookup failed; attempt to call `getent` to query configured passwd dbs
-	return getentUser(strconv.Itoa(uid))
-}
-
-func getentUser(name string) (user.User, error) {
-	reader, err := callGetent("passwd", name)
-	if err != nil {
-		return user.User{}, err
-	}
-	users, err := user.ParsePasswd(reader)
-	if err != nil {
-		return user.User{}, err
-	}
-	if len(users) == 0 {
-		return user.User{}, fmt.Errorf("getent failed to find passwd entry for %q", name)
-	}
-	return users[0], nil
+	return user.LookupUid(uid)
 }
 
 // LookupGroup uses traditional local system files lookup (from libcontainer/user) on a group name,
-// followed by a call to `getent` for supporting host configured non-files passwd and group dbs
+//
+// Deprecated: use [user.LookupGroup] instead
 func LookupGroup(name string) (user.Group, error) {
-	// first try a local system files lookup using existing capabilities
-	group, err := user.LookupGroup(name)
-	if err == nil {
-		return group, nil
-	}
-	// local files lookup failed; attempt to call `getent` to query configured group dbs
-	return getentGroup(name)
-}
-
-// LookupGID uses traditional local system files lookup (from libcontainer/user) on a group ID,
-// followed by a call to `getent` for supporting host configured non-files passwd and group dbs
-func LookupGID(gid int) (user.Group, error) {
-	// first try a local system files lookup using existing capabilities
-	group, err := user.LookupGid(gid)
-	if err == nil {
-		return group, nil
-	}
-	// local files lookup failed; attempt to call `getent` to query configured group dbs
-	return getentGroup(strconv.Itoa(gid))
-}
-
-func getentGroup(name string) (user.Group, error) {
-	reader, err := callGetent("group", name)
-	if err != nil {
-		return user.Group{}, err
-	}
-	groups, err := user.ParseGroup(reader)
-	if err != nil {
-		return user.Group{}, err
-	}
-	if len(groups) == 0 {
-		return user.Group{}, fmt.Errorf("getent failed to find groups entry for %q", name)
-	}
-	return groups[0], nil
-}
-
-func callGetent(database, key string) (io.Reader, error) {
-	getentCmd, err := resolveBinary("getent")
-	// if no `getent` command within the execution environment, can't do anything else
-	if err != nil {
-		return nil, fmt.Errorf("unable to find getent command: %w", err)
-	}
-	command := exec.Command(getentCmd, database, key)
-	// we run getent within container filesystem, but without /dev so /dev/null is not available for exec to mock stdin
-	command.Stdin = io.NopCloser(bytes.NewReader(nil))
-	out, err := command.CombinedOutput()
-	if err != nil {
-		exitCode, errC := getExitCode(err)
-		if errC != nil {
-			return nil, err
-		}
-		switch exitCode {
-		case 1:
-			return nil, fmt.Errorf("getent reported invalid parameters/database unknown")
-		case 2:
-			return nil, fmt.Errorf("getent unable to find entry %q in %s database", key, database)
-		case 3:
-			return nil, fmt.Errorf("getent database doesn't support enumeration")
-		default:
-			return nil, err
-		}
-	}
-	return bytes.NewReader(out), nil
-}
-
-// getExitCode returns the ExitStatus of the specified error if its type is
-// exec.ExitError, returns 0 and an error otherwise.
-func getExitCode(err error) (int, error) {
-	exitCode := 0
-	if exiterr, ok := err.(*exec.ExitError); ok {
-		if procExit, ok := exiterr.Sys().(syscall.WaitStatus); ok {
-			return procExit.ExitStatus(), nil
-		}
-	}
-	return exitCode, fmt.Errorf("failed to get exit code")
+	return user.LookupGroup(name)
 }
 
 // setPermissions performs a chown/chmod only if the uid/gid don't match what's requested
@@ -223,16 +118,17 @@ func setPermissions(p string, mode os.FileMode, owner Identity, stat os.FileInfo
 // using the data from /etc/sub{uid,gid} ranges, creates the
 // proper uid and gid remapping ranges for that user/group pair
 func LoadIdentityMapping(name string) (IdentityMapping, error) {
-	usr, err := LookupUser(name)
+	// TODO: Consider adding support for calling out to "getent"
+	usr, err := user.LookupUser(name)
 	if err != nil {
 		return IdentityMapping{}, fmt.Errorf("could not get user for username %s: %v", name, err)
 	}
 
-	subuidRanges, err := lookupSubUIDRanges(usr)
+	subuidRanges, err := lookupSubRangesFile("/etc/subuid", usr)
 	if err != nil {
 		return IdentityMapping{}, err
 	}
-	subgidRanges, err := lookupSubGIDRanges(usr)
+	subgidRanges, err := lookupSubRangesFile("/etc/subgid", usr)
 	if err != nil {
 		return IdentityMapping{}, err
 	}
@@ -243,36 +139,28 @@ func LoadIdentityMapping(name string) (IdentityMapping, error) {
 	}, nil
 }
 
-func lookupSubUIDRanges(usr user.User) ([]IDMap, error) {
-	rangeList, err := parseSubuid(strconv.Itoa(usr.Uid))
+func lookupSubRangesFile(path string, usr user.User) ([]IDMap, error) {
+	uidstr := strconv.Itoa(usr.Uid)
+	rangeList, err := user.ParseSubIDFileFilter(path, func(sid user.SubID) bool {
+		return sid.Name == usr.Name || sid.Name == uidstr
+	})
 	if err != nil {
 		return nil, err
 	}
-	if len(rangeList) == 0 {
-		rangeList, err = parseSubuid(usr.Name)
-		if err != nil {
-			return nil, err
-		}
-	}
 	if len(rangeList) == 0 {
 		return nil, fmt.Errorf("no subuid ranges found for user %q", usr.Name)
 	}
-	return createIDMap(rangeList), nil
-}
 
-func lookupSubGIDRanges(usr user.User) ([]IDMap, error) {
-	rangeList, err := parseSubgid(strconv.Itoa(usr.Uid))
-	if err != nil {
-		return nil, err
-	}
-	if len(rangeList) == 0 {
-		rangeList, err = parseSubgid(usr.Name)
-		if err != nil {
-			return nil, err
-		}
-	}
-	if len(rangeList) == 0 {
-		return nil, fmt.Errorf("no subgid ranges found for user %q", usr.Name)
+	idMap := []IDMap{}
+
+	containerID := 0
+	for _, idrange := range rangeList {
+		idMap = append(idMap, IDMap{
+			ContainerID: containerID,
+			HostID:      int(idrange.SubID),
+			Size:        int(idrange.Count),
+		})
+		containerID = containerID + int(idrange.Count)
 	}
-	return createIDMap(rangeList), nil
+	return idMap, nil
 }
diff --git a/vendor/github.com/docker/docker/pkg/idtools/idtools_windows.go b/vendor/github.com/docker/docker/pkg/idtools/idtools_windows.go
index 32953f456..a12b14040 100644
--- a/vendor/github.com/docker/docker/pkg/idtools/idtools_windows.go
+++ b/vendor/github.com/docker/docker/pkg/idtools/idtools_windows.go
@@ -1,24 +1,24 @@
-package idtools // import "github.com/docker/docker/pkg/idtools"
+package idtools
 
 import (
 	"os"
-
-	"github.com/docker/docker/pkg/system"
 )
 
 const (
 	SeTakeOwnershipPrivilege = "SeTakeOwnershipPrivilege"
 )
 
+// TODO(thaJeztah): these magic consts need a source of reference, and should be defined in a canonical location
 const (
 	ContainerAdministratorSidString = "S-1-5-93-2-1"
-	ContainerUserSidString          = "S-1-5-93-2-2"
+
+	ContainerUserSidString = "S-1-5-93-2-2"
 )
 
-// This is currently a wrapper around MkdirAll, however, since currently
+// This is currently a wrapper around [os.MkdirAll] since currently
 // permissions aren't set through this path, the identity isn't utilized.
 // Ownership is handled elsewhere, but in the future could be support here
 // too.
 func mkdirAs(path string, _ os.FileMode, _ Identity, _, _ bool) error {
-	return system.MkdirAll(path, 0)
+	return os.MkdirAll(path, 0)
 }
diff --git a/vendor/github.com/docker/docker/pkg/idtools/usergroupadd_linux.go b/vendor/github.com/docker/docker/pkg/idtools/usergroupadd_linux.go
deleted file mode 100644
index f0c075e20..000000000
--- a/vendor/github.com/docker/docker/pkg/idtools/usergroupadd_linux.go
+++ /dev/null
@@ -1,166 +0,0 @@
-package idtools // import "github.com/docker/docker/pkg/idtools"
-
-import (
-	"fmt"
-	"os/exec"
-	"regexp"
-	"sort"
-	"strconv"
-	"strings"
-	"sync"
-)
-
-// add a user and/or group to Linux /etc/passwd, /etc/group using standard
-// Linux distribution commands:
-// adduser --system --shell /bin/false --disabled-login --disabled-password --no-create-home --group <username>
-// useradd -r -s /bin/false <username>
-
-var (
-	once        sync.Once
-	userCommand string
-	idOutRegexp = regexp.MustCompile(`uid=([0-9]+).*gid=([0-9]+)`)
-)
-
-const (
-	// default length for a UID/GID subordinate range
-	defaultRangeLen   = 65536
-	defaultRangeStart = 100000
-)
-
-// AddNamespaceRangesUser takes a username and uses the standard system
-// utility to create a system user/group pair used to hold the
-// /etc/sub{uid,gid} ranges which will be used for user namespace
-// mapping ranges in containers.
-func AddNamespaceRangesUser(name string) (int, int, error) {
-	if err := addUser(name); err != nil {
-		return -1, -1, fmt.Errorf("error adding user %q: %v", name, err)
-	}
-
-	// Query the system for the created uid and gid pair
-	out, err := exec.Command("id", name).CombinedOutput()
-	if err != nil {
-		return -1, -1, fmt.Errorf("error trying to find uid/gid for new user %q: %v", name, err)
-	}
-	matches := idOutRegexp.FindStringSubmatch(strings.TrimSpace(string(out)))
-	if len(matches) != 3 {
-		return -1, -1, fmt.Errorf("can't find uid, gid from `id` output: %q", string(out))
-	}
-	uid, err := strconv.Atoi(matches[1])
-	if err != nil {
-		return -1, -1, fmt.Errorf("can't convert found uid (%s) to int: %v", matches[1], err)
-	}
-	gid, err := strconv.Atoi(matches[2])
-	if err != nil {
-		return -1, -1, fmt.Errorf("Can't convert found gid (%s) to int: %v", matches[2], err)
-	}
-
-	// Now we need to create the subuid/subgid ranges for our new user/group (system users
-	// do not get auto-created ranges in subuid/subgid)
-
-	if err := createSubordinateRanges(name); err != nil {
-		return -1, -1, fmt.Errorf("couldn't create subordinate ID ranges: %v", err)
-	}
-	return uid, gid, nil
-}
-
-func addUser(name string) error {
-	once.Do(func() {
-		// set up which commands are used for adding users/groups dependent on distro
-		if _, err := resolveBinary("adduser"); err == nil {
-			userCommand = "adduser"
-		} else if _, err := resolveBinary("useradd"); err == nil {
-			userCommand = "useradd"
-		}
-	})
-	var args []string
-	switch userCommand {
-	case "adduser":
-		args = []string{"--system", "--shell", "/bin/false", "--no-create-home", "--disabled-login", "--disabled-password", "--group", name}
-	case "useradd":
-		args = []string{"-r", "-s", "/bin/false", name}
-	default:
-		return fmt.Errorf("cannot add user; no useradd/adduser binary found")
-	}
-
-	if out, err := exec.Command(userCommand, args...).CombinedOutput(); err != nil {
-		return fmt.Errorf("failed to add user with error: %v; output: %q", err, string(out))
-	}
-	return nil
-}
-
-func createSubordinateRanges(name string) error {
-	// first, we should verify that ranges weren't automatically created
-	// by the distro tooling
-	ranges, err := parseSubuid(name)
-	if err != nil {
-		return fmt.Errorf("error while looking for subuid ranges for user %q: %v", name, err)
-	}
-	if len(ranges) == 0 {
-		// no UID ranges; let's create one
-		startID, err := findNextUIDRange()
-		if err != nil {
-			return fmt.Errorf("can't find available subuid range: %v", err)
-		}
-		idRange := fmt.Sprintf("%d-%d", startID, startID+defaultRangeLen-1)
-		out, err := exec.Command("usermod", "-v", idRange, name).CombinedOutput()
-		if err != nil {
-			return fmt.Errorf("unable to add subuid range to user: %q; output: %s, err: %v", name, out, err)
-		}
-	}
-
-	ranges, err = parseSubgid(name)
-	if err != nil {
-		return fmt.Errorf("error while looking for subgid ranges for user %q: %v", name, err)
-	}
-	if len(ranges) == 0 {
-		// no GID ranges; let's create one
-		startID, err := findNextGIDRange()
-		if err != nil {
-			return fmt.Errorf("can't find available subgid range: %v", err)
-		}
-		idRange := fmt.Sprintf("%d-%d", startID, startID+defaultRangeLen-1)
-		out, err := exec.Command("usermod", "-w", idRange, name).CombinedOutput()
-		if err != nil {
-			return fmt.Errorf("unable to add subgid range to user: %q; output: %s, err: %v", name, out, err)
-		}
-	}
-	return nil
-}
-
-func findNextUIDRange() (int, error) {
-	ranges, err := parseSubuid("ALL")
-	if err != nil {
-		return -1, fmt.Errorf("couldn't parse all ranges in /etc/subuid file: %v", err)
-	}
-	sort.Sort(ranges)
-	return findNextRangeStart(ranges)
-}
-
-func findNextGIDRange() (int, error) {
-	ranges, err := parseSubgid("ALL")
-	if err != nil {
-		return -1, fmt.Errorf("couldn't parse all ranges in /etc/subgid file: %v", err)
-	}
-	sort.Sort(ranges)
-	return findNextRangeStart(ranges)
-}
-
-func findNextRangeStart(rangeList ranges) (int, error) {
-	startID := defaultRangeStart
-	for _, arange := range rangeList {
-		if wouldOverlap(arange, startID) {
-			startID = arange.Start + arange.Length
-		}
-	}
-	return startID, nil
-}
-
-func wouldOverlap(arange subIDRange, ID int) bool {
-	low := ID
-	high := ID + defaultRangeLen
-	if (low >= arange.Start && low <= arange.Start+arange.Length) ||
-		(high <= arange.Start+arange.Length && high >= arange.Start) {
-		return true
-	}
-	return false
-}
diff --git a/vendor/github.com/docker/docker/pkg/idtools/usergroupadd_unsupported.go b/vendor/github.com/docker/docker/pkg/idtools/usergroupadd_unsupported.go
deleted file mode 100644
index 6a9311c4a..000000000
--- a/vendor/github.com/docker/docker/pkg/idtools/usergroupadd_unsupported.go
+++ /dev/null
@@ -1,12 +0,0 @@
-//go:build !linux
-
-package idtools // import "github.com/docker/docker/pkg/idtools"
-
-import "fmt"
-
-// AddNamespaceRangesUser takes a name and finds an unused uid, gid pair
-// and calls the appropriate helper function to add the group and then
-// the user to the group in /etc/group and /etc/passwd respectively.
-func AddNamespaceRangesUser(name string) (int, int, error) {
-	return -1, -1, fmt.Errorf("No support for adding users or groups on this OS")
-}
diff --git a/vendor/github.com/docker/docker/pkg/idtools/utils_unix.go b/vendor/github.com/docker/docker/pkg/idtools/utils_unix.go
deleted file mode 100644
index 517a2f52c..000000000
--- a/vendor/github.com/docker/docker/pkg/idtools/utils_unix.go
+++ /dev/null
@@ -1,26 +0,0 @@
-//go:build !windows
-
-package idtools // import "github.com/docker/docker/pkg/idtools"
-
-import (
-	"fmt"
-	"os/exec"
-	"path/filepath"
-)
-
-func resolveBinary(binname string) (string, error) {
-	binaryPath, err := exec.LookPath(binname)
-	if err != nil {
-		return "", err
-	}
-	resolvedPath, err := filepath.EvalSymlinks(binaryPath)
-	if err != nil {
-		return "", err
-	}
-	// only return no error if the final resolved binary basename
-	// matches what was searched for
-	if filepath.Base(resolvedPath) == binname {
-		return resolvedPath, nil
-	}
-	return "", fmt.Errorf("Binary %q does not resolve to a binary of that name in $PATH (%q)", binname, resolvedPath)
-}
diff --git a/vendor/github.com/docker/docker/pkg/ioutils/buffer.go b/vendor/github.com/docker/docker/pkg/ioutils/buffer.go
deleted file mode 100644
index 466f79294..000000000
--- a/vendor/github.com/docker/docker/pkg/ioutils/buffer.go
+++ /dev/null
@@ -1,51 +0,0 @@
-package ioutils // import "github.com/docker/docker/pkg/ioutils"
-
-import (
-	"errors"
-	"io"
-)
-
-var errBufferFull = errors.New("buffer is full")
-
-type fixedBuffer struct {
-	buf      []byte
-	pos      int
-	lastRead int
-}
-
-func (b *fixedBuffer) Write(p []byte) (int, error) {
-	n := copy(b.buf[b.pos:cap(b.buf)], p)
-	b.pos += n
-
-	if n < len(p) {
-		if b.pos == cap(b.buf) {
-			return n, errBufferFull
-		}
-		return n, io.ErrShortWrite
-	}
-	return n, nil
-}
-
-func (b *fixedBuffer) Read(p []byte) (int, error) {
-	n := copy(p, b.buf[b.lastRead:b.pos])
-	b.lastRead += n
-	return n, nil
-}
-
-func (b *fixedBuffer) Len() int {
-	return b.pos - b.lastRead
-}
-
-func (b *fixedBuffer) Cap() int {
-	return cap(b.buf)
-}
-
-func (b *fixedBuffer) Reset() {
-	b.pos = 0
-	b.lastRead = 0
-	b.buf = b.buf[:0]
-}
-
-func (b *fixedBuffer) String() string {
-	return string(b.buf[b.lastRead:b.pos])
-}
diff --git a/vendor/github.com/docker/docker/pkg/ioutils/bytespipe.go b/vendor/github.com/docker/docker/pkg/ioutils/bytespipe.go
deleted file mode 100644
index 85450bf6b..000000000
--- a/vendor/github.com/docker/docker/pkg/ioutils/bytespipe.go
+++ /dev/null
@@ -1,193 +0,0 @@
-package ioutils // import "github.com/docker/docker/pkg/ioutils"
-
-import (
-	"errors"
-	"io"
-	"sync"
-)
-
-// maxCap is the highest capacity to use in byte slices that buffer data.
-const maxCap = 1e6
-
-// minCap is the lowest capacity to use in byte slices that buffer data
-const minCap = 64
-
-// blockThreshold is the minimum number of bytes in the buffer which will cause
-// a write to BytesPipe to block when allocating a new slice.
-const blockThreshold = 1e6
-
-var (
-	// ErrClosed is returned when Write is called on a closed BytesPipe.
-	//
-	// Deprecated: this type is only used internally, and will be removed in the next release.
-	ErrClosed = errors.New("write to closed BytesPipe")
-
-	bufPools     = make(map[int]*sync.Pool)
-	bufPoolsLock sync.Mutex
-)
-
-// BytesPipe is io.ReadWriteCloser which works similarly to pipe(queue).
-// All written data may be read at most once. Also, BytesPipe allocates
-// and releases new byte slices to adjust to current needs, so the buffer
-// won't be overgrown after peak loads.
-//
-// Deprecated: this type is only used internally, and will be removed in the next release.
-type BytesPipe struct {
-	mu        sync.Mutex
-	wait      *sync.Cond
-	buf       []*fixedBuffer
-	bufLen    int
-	closeErr  error // error to return from next Read. set to nil if not closed.
-	readBlock bool  // check read BytesPipe is Wait() or not
-}
-
-// NewBytesPipe creates new BytesPipe, initialized by specified slice.
-// If buf is nil, then it will be initialized with slice which cap is 64.
-// buf will be adjusted in a way that len(buf) == 0, cap(buf) == cap(buf).
-//
-// Deprecated: this function is only used internally, and will be removed in the next release.
-func NewBytesPipe() *BytesPipe {
-	bp := &BytesPipe{}
-	bp.buf = append(bp.buf, getBuffer(minCap))
-	bp.wait = sync.NewCond(&bp.mu)
-	return bp
-}
-
-// Write writes p to BytesPipe.
-// It can allocate new []byte slices in a process of writing.
-func (bp *BytesPipe) Write(p []byte) (int, error) {
-	bp.mu.Lock()
-	defer bp.mu.Unlock()
-
-	written := 0
-loop0:
-	for {
-		if bp.closeErr != nil {
-			return written, ErrClosed
-		}
-
-		if len(bp.buf) == 0 {
-			bp.buf = append(bp.buf, getBuffer(64))
-		}
-		// get the last buffer
-		b := bp.buf[len(bp.buf)-1]
-
-		n, err := b.Write(p)
-		written += n
-		bp.bufLen += n
-
-		// errBufferFull is an error we expect to get if the buffer is full
-		if err != nil && err != errBufferFull {
-			bp.wait.Broadcast()
-			return written, err
-		}
-
-		// if there was enough room to write all then break
-		if len(p) == n {
-			break
-		}
-
-		// more data: write to the next slice
-		p = p[n:]
-
-		// make sure the buffer doesn't grow too big from this write
-		for bp.bufLen >= blockThreshold {
-			if bp.readBlock {
-				bp.wait.Broadcast()
-			}
-			bp.wait.Wait()
-			if bp.closeErr != nil {
-				continue loop0
-			}
-		}
-
-		// add new byte slice to the buffers slice and continue writing
-		nextCap := b.Cap() * 2
-		if nextCap > maxCap {
-			nextCap = maxCap
-		}
-		bp.buf = append(bp.buf, getBuffer(nextCap))
-	}
-	bp.wait.Broadcast()
-	return written, nil
-}
-
-// CloseWithError causes further reads from a BytesPipe to return immediately.
-func (bp *BytesPipe) CloseWithError(err error) error {
-	bp.mu.Lock()
-	if err != nil {
-		bp.closeErr = err
-	} else {
-		bp.closeErr = io.EOF
-	}
-	bp.wait.Broadcast()
-	bp.mu.Unlock()
-	return nil
-}
-
-// Close causes further reads from a BytesPipe to return immediately.
-func (bp *BytesPipe) Close() error {
-	return bp.CloseWithError(nil)
-}
-
-// Read reads bytes from BytesPipe.
-// Data could be read only once.
-func (bp *BytesPipe) Read(p []byte) (n int, err error) {
-	bp.mu.Lock()
-	defer bp.mu.Unlock()
-	if bp.bufLen == 0 {
-		if bp.closeErr != nil {
-			return 0, bp.closeErr
-		}
-		bp.readBlock = true
-		bp.wait.Wait()
-		bp.readBlock = false
-		if bp.bufLen == 0 && bp.closeErr != nil {
-			return 0, bp.closeErr
-		}
-	}
-
-	for bp.bufLen > 0 {
-		b := bp.buf[0]
-		read, _ := b.Read(p) // ignore error since fixedBuffer doesn't really return an error
-		n += read
-		bp.bufLen -= read
-
-		if b.Len() == 0 {
-			// it's empty so return it to the pool and move to the next one
-			returnBuffer(b)
-			bp.buf[0] = nil
-			bp.buf = bp.buf[1:]
-		}
-
-		if len(p) == read {
-			break
-		}
-
-		p = p[read:]
-	}
-
-	bp.wait.Broadcast()
-	return
-}
-
-func returnBuffer(b *fixedBuffer) {
-	b.Reset()
-	bufPoolsLock.Lock()
-	pool := bufPools[b.Cap()]
-	bufPoolsLock.Unlock()
-	if pool != nil {
-		pool.Put(b)
-	}
-}
-
-func getBuffer(size int) *fixedBuffer {
-	bufPoolsLock.Lock()
-	pool, ok := bufPools[size]
-	if !ok {
-		pool = &sync.Pool{New: func() interface{} { return &fixedBuffer{buf: make([]byte, 0, size)} }}
-		bufPools[size] = pool
-	}
-	bufPoolsLock.Unlock()
-	return pool.Get().(*fixedBuffer)
-}
diff --git a/vendor/github.com/docker/docker/pkg/ioutils/fswriters.go b/vendor/github.com/docker/docker/pkg/ioutils/fswriters.go
deleted file mode 100644
index 05da97b0e..000000000
--- a/vendor/github.com/docker/docker/pkg/ioutils/fswriters.go
+++ /dev/null
@@ -1,163 +0,0 @@
-package ioutils // import "github.com/docker/docker/pkg/ioutils"
-
-import (
-	"io"
-	"os"
-	"path/filepath"
-)
-
-// NewAtomicFileWriter returns WriteCloser so that writing to it writes to a
-// temporary file and closing it atomically changes the temporary file to
-// destination path. Writing and closing concurrently is not allowed.
-// NOTE: umask is not considered for the file's permissions.
-func NewAtomicFileWriter(filename string, perm os.FileMode) (io.WriteCloser, error) {
-	f, err := os.CreateTemp(filepath.Dir(filename), ".tmp-"+filepath.Base(filename))
-	if err != nil {
-		return nil, err
-	}
-
-	abspath, err := filepath.Abs(filename)
-	if err != nil {
-		return nil, err
-	}
-	return &atomicFileWriter{
-		f:    f,
-		fn:   abspath,
-		perm: perm,
-	}, nil
-}
-
-// AtomicWriteFile atomically writes data to a file named by filename and with the specified permission bits.
-// NOTE: umask is not considered for the file's permissions.
-func AtomicWriteFile(filename string, data []byte, perm os.FileMode) error {
-	f, err := NewAtomicFileWriter(filename, perm)
-	if err != nil {
-		return err
-	}
-	n, err := f.Write(data)
-	if err == nil && n < len(data) {
-		err = io.ErrShortWrite
-		f.(*atomicFileWriter).writeErr = err
-	}
-	if err1 := f.Close(); err == nil {
-		err = err1
-	}
-	return err
-}
-
-type atomicFileWriter struct {
-	f        *os.File
-	fn       string
-	writeErr error
-	perm     os.FileMode
-}
-
-func (w *atomicFileWriter) Write(dt []byte) (int, error) {
-	n, err := w.f.Write(dt)
-	if err != nil {
-		w.writeErr = err
-	}
-	return n, err
-}
-
-func (w *atomicFileWriter) Close() (retErr error) {
-	defer func() {
-		if retErr != nil || w.writeErr != nil {
-			os.Remove(w.f.Name())
-		}
-	}()
-	if err := w.f.Sync(); err != nil {
-		w.f.Close()
-		return err
-	}
-	if err := w.f.Close(); err != nil {
-		return err
-	}
-	if err := os.Chmod(w.f.Name(), w.perm); err != nil {
-		return err
-	}
-	if w.writeErr == nil {
-		return os.Rename(w.f.Name(), w.fn)
-	}
-	return nil
-}
-
-// AtomicWriteSet is used to atomically write a set
-// of files and ensure they are visible at the same time.
-// Must be committed to a new directory.
-type AtomicWriteSet struct {
-	root string
-}
-
-// NewAtomicWriteSet creates a new atomic write set to
-// atomically create a set of files. The given directory
-// is used as the base directory for storing files before
-// commit. If no temporary directory is given the system
-// default is used.
-func NewAtomicWriteSet(tmpDir string) (*AtomicWriteSet, error) {
-	td, err := os.MkdirTemp(tmpDir, "write-set-")
-	if err != nil {
-		return nil, err
-	}
-
-	return &AtomicWriteSet{
-		root: td,
-	}, nil
-}
-
-// WriteFile writes a file to the set, guaranteeing the file
-// has been synced.
-func (ws *AtomicWriteSet) WriteFile(filename string, data []byte, perm os.FileMode) error {
-	f, err := ws.FileWriter(filename, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, perm)
-	if err != nil {
-		return err
-	}
-	n, err := f.Write(data)
-	if err == nil && n < len(data) {
-		err = io.ErrShortWrite
-	}
-	if err1 := f.Close(); err == nil {
-		err = err1
-	}
-	return err
-}
-
-type syncFileCloser struct {
-	*os.File
-}
-
-func (w syncFileCloser) Close() error {
-	err := w.File.Sync()
-	if err1 := w.File.Close(); err == nil {
-		err = err1
-	}
-	return err
-}
-
-// FileWriter opens a file writer inside the set. The file
-// should be synced and closed before calling commit.
-func (ws *AtomicWriteSet) FileWriter(name string, flag int, perm os.FileMode) (io.WriteCloser, error) {
-	f, err := os.OpenFile(filepath.Join(ws.root, name), flag, perm)
-	if err != nil {
-		return nil, err
-	}
-	return syncFileCloser{f}, nil
-}
-
-// Cancel cancels the set and removes all temporary data
-// created in the set.
-func (ws *AtomicWriteSet) Cancel() error {
-	return os.RemoveAll(ws.root)
-}
-
-// Commit moves all created files to the target directory. The
-// target directory must not exist and the parent of the target
-// directory must exist.
-func (ws *AtomicWriteSet) Commit(target string) error {
-	return os.Rename(ws.root, target)
-}
-
-// String returns the location the set is writing to.
-func (ws *AtomicWriteSet) String() string {
-	return ws.root
-}
diff --git a/vendor/github.com/docker/docker/pkg/ioutils/readers.go b/vendor/github.com/docker/docker/pkg/ioutils/readers.go
deleted file mode 100644
index e03d3fee7..000000000
--- a/vendor/github.com/docker/docker/pkg/ioutils/readers.go
+++ /dev/null
@@ -1,172 +0,0 @@
-package ioutils // import "github.com/docker/docker/pkg/ioutils"
-
-import (
-	"context"
-	"io"
-	"runtime/debug"
-	"sync/atomic"
-
-	// make sure crypto.SHA256, crypto.sha512 and crypto.SHA384 are registered
-	// TODO remove once https://github.com/opencontainers/go-digest/pull/64 is merged.
-	_ "crypto/sha256"
-	_ "crypto/sha512"
-
-	"github.com/containerd/log"
-)
-
-// ReadCloserWrapper wraps an io.Reader, and implements an io.ReadCloser
-// It calls the given callback function when closed. It should be constructed
-// with NewReadCloserWrapper
-type ReadCloserWrapper struct {
-	io.Reader
-	closer func() error
-	closed atomic.Bool
-}
-
-// Close calls back the passed closer function
-func (r *ReadCloserWrapper) Close() error {
-	if !r.closed.CompareAndSwap(false, true) {
-		subsequentCloseWarn("ReadCloserWrapper")
-		return nil
-	}
-	return r.closer()
-}
-
-// NewReadCloserWrapper returns a new io.ReadCloser.
-func NewReadCloserWrapper(r io.Reader, closer func() error) io.ReadCloser {
-	return &ReadCloserWrapper{
-		Reader: r,
-		closer: closer,
-	}
-}
-
-type readerErrWrapper struct {
-	reader io.Reader
-	closer func()
-}
-
-func (r *readerErrWrapper) Read(p []byte) (int, error) {
-	n, err := r.reader.Read(p)
-	if err != nil {
-		r.closer()
-	}
-	return n, err
-}
-
-// NewReaderErrWrapper returns a new io.Reader.
-func NewReaderErrWrapper(r io.Reader, closer func()) io.Reader {
-	return &readerErrWrapper{
-		reader: r,
-		closer: closer,
-	}
-}
-
-// OnEOFReader wraps an io.ReadCloser and a function
-// the function will run at the end of file or close the file.
-type OnEOFReader struct {
-	Rc io.ReadCloser
-	Fn func()
-}
-
-func (r *OnEOFReader) Read(p []byte) (n int, err error) {
-	n, err = r.Rc.Read(p)
-	if err == io.EOF {
-		r.runFunc()
-	}
-	return
-}
-
-// Close closes the file and run the function.
-func (r *OnEOFReader) Close() error {
-	err := r.Rc.Close()
-	r.runFunc()
-	return err
-}
-
-func (r *OnEOFReader) runFunc() {
-	if fn := r.Fn; fn != nil {
-		fn()
-		r.Fn = nil
-	}
-}
-
-// cancelReadCloser wraps an io.ReadCloser with a context for cancelling read
-// operations.
-type cancelReadCloser struct {
-	cancel func()
-	pR     *io.PipeReader // Stream to read from
-	pW     *io.PipeWriter
-	closed atomic.Bool
-}
-
-// NewCancelReadCloser creates a wrapper that closes the ReadCloser when the
-// context is cancelled. The returned io.ReadCloser must be closed when it is
-// no longer needed.
-func NewCancelReadCloser(ctx context.Context, in io.ReadCloser) io.ReadCloser {
-	pR, pW := io.Pipe()
-
-	// Create a context used to signal when the pipe is closed
-	doneCtx, cancel := context.WithCancel(context.Background())
-
-	p := &cancelReadCloser{
-		cancel: cancel,
-		pR:     pR,
-		pW:     pW,
-	}
-
-	go func() {
-		_, err := io.Copy(pW, in)
-		select {
-		case <-ctx.Done():
-			// If the context was closed, p.closeWithError
-			// was already called. Calling it again would
-			// change the error that Read returns.
-		default:
-			p.closeWithError(err)
-		}
-		in.Close()
-	}()
-	go func() {
-		for {
-			select {
-			case <-ctx.Done():
-				p.closeWithError(ctx.Err())
-			case <-doneCtx.Done():
-				return
-			}
-		}
-	}()
-
-	return p
-}
-
-// Read wraps the Read method of the pipe that provides data from the wrapped
-// ReadCloser.
-func (p *cancelReadCloser) Read(buf []byte) (n int, err error) {
-	return p.pR.Read(buf)
-}
-
-// closeWithError closes the wrapper and its underlying reader. It will
-// cause future calls to Read to return err.
-func (p *cancelReadCloser) closeWithError(err error) {
-	p.pW.CloseWithError(err)
-	p.cancel()
-}
-
-// Close closes the wrapper its underlying reader. It will cause
-// future calls to Read to return io.EOF.
-func (p *cancelReadCloser) Close() error {
-	if !p.closed.CompareAndSwap(false, true) {
-		subsequentCloseWarn("cancelReadCloser")
-		return nil
-	}
-	p.closeWithError(io.EOF)
-	return nil
-}
-
-func subsequentCloseWarn(name string) {
-	log.G(context.TODO()).Error("subsequent attempt to close " + name)
-	if log.GetLevel() >= log.DebugLevel {
-		log.G(context.TODO()).Errorf("stack trace: %s", string(debug.Stack()))
-	}
-}
diff --git a/vendor/github.com/docker/docker/pkg/ioutils/writeflusher.go b/vendor/github.com/docker/docker/pkg/ioutils/writeflusher.go
deleted file mode 100644
index d8a8893ff..000000000
--- a/vendor/github.com/docker/docker/pkg/ioutils/writeflusher.go
+++ /dev/null
@@ -1,98 +0,0 @@
-package ioutils // import "github.com/docker/docker/pkg/ioutils"
-
-import (
-	"io"
-	"sync"
-)
-
-// WriteFlusher wraps the Write and Flush operation ensuring that every write
-// is a flush. In addition, the Close method can be called to intercept
-// Read/Write calls if the targets lifecycle has already ended.
-type WriteFlusher struct {
-	w           io.Writer
-	flusher     flusher
-	flushed     chan struct{}
-	flushedOnce sync.Once
-	closed      chan struct{}
-	closeLock   sync.Mutex
-}
-
-type flusher interface {
-	Flush()
-}
-
-var errWriteFlusherClosed = io.EOF
-
-func (wf *WriteFlusher) Write(b []byte) (n int, err error) {
-	select {
-	case <-wf.closed:
-		return 0, errWriteFlusherClosed
-	default:
-	}
-
-	n, err = wf.w.Write(b)
-	wf.Flush() // every write is a flush.
-	return n, err
-}
-
-// Flush the stream immediately.
-func (wf *WriteFlusher) Flush() {
-	select {
-	case <-wf.closed:
-		return
-	default:
-	}
-
-	wf.flushedOnce.Do(func() {
-		close(wf.flushed)
-	})
-	wf.flusher.Flush()
-}
-
-// Flushed returns the state of flushed.
-// If it's flushed, return true, or else it return false.
-func (wf *WriteFlusher) Flushed() bool {
-	// BUG(stevvooe): Remove this method. Its use is inherently racy. Seems to
-	// be used to detect whether or a response code has been issued or not.
-	// Another hook should be used instead.
-	var flushed bool
-	select {
-	case <-wf.flushed:
-		flushed = true
-	default:
-	}
-	return flushed
-}
-
-// Close closes the write flusher, disallowing any further writes to the
-// target. After the flusher is closed, all calls to write or flush will
-// result in an error.
-func (wf *WriteFlusher) Close() error {
-	wf.closeLock.Lock()
-	defer wf.closeLock.Unlock()
-
-	select {
-	case <-wf.closed:
-		return errWriteFlusherClosed
-	default:
-		close(wf.closed)
-	}
-	return nil
-}
-
-// nopFlusher represents a type which flush operation is nop.
-type nopFlusher struct{}
-
-// Flush is a nop operation.
-func (f *nopFlusher) Flush() {}
-
-// NewWriteFlusher returns a new WriteFlusher.
-func NewWriteFlusher(w io.Writer) *WriteFlusher {
-	var fl flusher
-	if f, ok := w.(flusher); ok {
-		fl = f
-	} else {
-		fl = &nopFlusher{}
-	}
-	return &WriteFlusher{w: w, flusher: fl, closed: make(chan struct{}), flushed: make(chan struct{})}
-}
diff --git a/vendor/github.com/docker/docker/pkg/ioutils/writers.go b/vendor/github.com/docker/docker/pkg/ioutils/writers.go
deleted file mode 100644
index aec8b4c03..000000000
--- a/vendor/github.com/docker/docker/pkg/ioutils/writers.go
+++ /dev/null
@@ -1,81 +0,0 @@
-package ioutils // import "github.com/docker/docker/pkg/ioutils"
-
-import (
-	"io"
-	"sync/atomic"
-)
-
-// NopWriter represents a type which write operation is nop.
-//
-// Deprecated: use [io.Discard] instead. This type will be removed in the next release.
-type NopWriter struct{}
-
-func (*NopWriter) Write(buf []byte) (int, error) {
-	return len(buf), nil
-}
-
-type nopWriteCloser struct {
-	io.Writer
-}
-
-func (w *nopWriteCloser) Close() error { return nil }
-
-// NopWriteCloser returns a nopWriteCloser.
-//
-// Deprecated: This function is no longer used and will be removed in the next release.
-func NopWriteCloser(w io.Writer) io.WriteCloser {
-	return &nopWriteCloser{w}
-}
-
-// NopFlusher represents a type which flush operation is nop.
-//
-// Deprecated: NopFlusher is only used internally and will be removed in the next release.
-type NopFlusher = nopFlusher
-
-type writeCloserWrapper struct {
-	io.Writer
-	closer func() error
-	closed atomic.Bool
-}
-
-func (r *writeCloserWrapper) Close() error {
-	if !r.closed.CompareAndSwap(false, true) {
-		subsequentCloseWarn("WriteCloserWrapper")
-		return nil
-	}
-	return r.closer()
-}
-
-// NewWriteCloserWrapper returns a new io.WriteCloser.
-func NewWriteCloserWrapper(r io.Writer, closer func() error) io.WriteCloser {
-	return &writeCloserWrapper{
-		Writer: r,
-		closer: closer,
-	}
-}
-
-// WriteCounter wraps a concrete io.Writer and hold a count of the number
-// of bytes written to the writer during a "session".
-// This can be convenient when write return is masked
-// (e.g., json.Encoder.Encode())
-//
-// Deprecated: this type is no longer used and will be removed in the next release.
-type WriteCounter struct {
-	Count  int64
-	Writer io.Writer
-}
-
-// NewWriteCounter returns a new WriteCounter.
-//
-// Deprecated: this function is no longer used and will be removed in the next release.
-func NewWriteCounter(w io.Writer) *WriteCounter {
-	return &WriteCounter{
-		Writer: w,
-	}
-}
-
-func (wc *WriteCounter) Write(p []byte) (count int, err error) {
-	count, err = wc.Writer.Write(p)
-	wc.Count += int64(count)
-	return
-}
diff --git a/vendor/github.com/docker/docker/pkg/jsonmessage/jsonmessage.go b/vendor/github.com/docker/docker/pkg/jsonmessage/jsonmessage.go
index 037327b90..1a05de4da 100644
--- a/vendor/github.com/docker/docker/pkg/jsonmessage/jsonmessage.go
+++ b/vendor/github.com/docker/docker/pkg/jsonmessage/jsonmessage.go
@@ -53,10 +53,9 @@ type JSONProgress struct {
 
 func (p *JSONProgress) String() string {
 	var (
-		width       = p.width()
-		pbBox       string
-		numbersBox  string
-		timeLeftBox string
+		width      = p.width()
+		pbBox      string
+		numbersBox string
 	)
 	if p.Current <= 0 && p.Total <= 0 {
 		return ""
@@ -104,14 +103,14 @@ func (p *JSONProgress) String() string {
 		}
 	}
 
-	if p.Current > 0 && p.Start > 0 && percentage < 50 {
-		fromStart := p.now().Sub(time.Unix(p.Start, 0))
-		perEntry := fromStart / time.Duration(p.Current)
-		left := time.Duration(p.Total-p.Current) * perEntry
-		left = (left / time.Second) * time.Second
-
-		if width > 50 {
-			timeLeftBox = " " + left.String()
+	// Show approximation of remaining time if there's enough width.
+	var timeLeftBox string
+	if width > 50 {
+		if p.Current > 0 && p.Start > 0 && percentage < 50 {
+			fromStart := p.now().Sub(time.Unix(p.Start, 0))
+			perEntry := fromStart / time.Duration(p.Current)
+			left := time.Duration(p.Total-p.Current) * perEntry
+			timeLeftBox = " " + left.Round(time.Second).String()
 		}
 	}
 	return pbBox + numbersBox + timeLeftBox
@@ -143,16 +142,24 @@ func (p *JSONProgress) width() int {
 // the created time, where it from, status, ID of the
 // message. It's used for docker events.
 type JSONMessage struct {
-	Stream          string        `json:"stream,omitempty"`
-	Status          string        `json:"status,omitempty"`
-	Progress        *JSONProgress `json:"progressDetail,omitempty"`
-	ProgressMessage string        `json:"progress,omitempty"` // deprecated
-	ID              string        `json:"id,omitempty"`
-	From            string        `json:"from,omitempty"`
-	Time            int64         `json:"time,omitempty"`
-	TimeNano        int64         `json:"timeNano,omitempty"`
-	Error           *JSONError    `json:"errorDetail,omitempty"`
-	ErrorMessage    string        `json:"error,omitempty"` // deprecated
+	Stream   string        `json:"stream,omitempty"`
+	Status   string        `json:"status,omitempty"`
+	Progress *JSONProgress `json:"progressDetail,omitempty"`
+
+	// ProgressMessage is a pre-formatted presentation of [Progress].
+	//
+	// Deprecated: this field is deprecated since docker v0.7.1 / API v1.8. Use the information in [Progress] instead. This field will be omitted in a future release.
+	ProgressMessage string     `json:"progress,omitempty"`
+	ID              string     `json:"id,omitempty"`
+	From            string     `json:"from,omitempty"`
+	Time            int64      `json:"time,omitempty"`
+	TimeNano        int64      `json:"timeNano,omitempty"`
+	Error           *JSONError `json:"errorDetail,omitempty"`
+
+	// ErrorMessage contains errors encountered during the operation.
+	//
+	// Deprecated: this field is deprecated since docker v0.6.0 / API v1.4. Use [Error.Message] instead. This field will be omitted in a future release.
+	ErrorMessage string `json:"error,omitempty"` // deprecated
 	// Aux contains out-of-band data, such as digests for push signing and image id after building.
 	Aux *json.RawMessage `json:"aux,omitempty"`
 }
diff --git a/vendor/github.com/docker/docker/pkg/pools/pools.go b/vendor/github.com/docker/docker/pkg/pools/pools.go
deleted file mode 100644
index 3ea3012b1..000000000
--- a/vendor/github.com/docker/docker/pkg/pools/pools.go
+++ /dev/null
@@ -1,137 +0,0 @@
-// Package pools provides a collection of pools which provide various
-// data types with buffers. These can be used to lower the number of
-// memory allocations and reuse buffers.
-//
-// New pools should be added to this package to allow them to be
-// shared across packages.
-//
-// Utility functions which operate on pools should be added to this
-// package to allow them to be reused.
-package pools // import "github.com/docker/docker/pkg/pools"
-
-import (
-	"bufio"
-	"io"
-	"sync"
-
-	"github.com/docker/docker/pkg/ioutils"
-)
-
-const buffer32K = 32 * 1024
-
-var (
-	// BufioReader32KPool is a pool which returns bufio.Reader with a 32K buffer.
-	BufioReader32KPool = newBufioReaderPoolWithSize(buffer32K)
-	// BufioWriter32KPool is a pool which returns bufio.Writer with a 32K buffer.
-	BufioWriter32KPool = newBufioWriterPoolWithSize(buffer32K)
-	buffer32KPool      = newBufferPoolWithSize(buffer32K)
-)
-
-// BufioReaderPool is a bufio reader that uses sync.Pool.
-type BufioReaderPool struct {
-	pool sync.Pool
-}
-
-// newBufioReaderPoolWithSize is unexported because new pools should be
-// added here to be shared where required.
-func newBufioReaderPoolWithSize(size int) *BufioReaderPool {
-	return &BufioReaderPool{
-		pool: sync.Pool{
-			New: func() interface{} { return bufio.NewReaderSize(nil, size) },
-		},
-	}
-}
-
-// Get returns a bufio.Reader which reads from r. The buffer size is that of the pool.
-func (bufPool *BufioReaderPool) Get(r io.Reader) *bufio.Reader {
-	buf := bufPool.pool.Get().(*bufio.Reader)
-	buf.Reset(r)
-	return buf
-}
-
-// Put puts the bufio.Reader back into the pool.
-func (bufPool *BufioReaderPool) Put(b *bufio.Reader) {
-	b.Reset(nil)
-	bufPool.pool.Put(b)
-}
-
-type bufferPool struct {
-	pool sync.Pool
-}
-
-func newBufferPoolWithSize(size int) *bufferPool {
-	return &bufferPool{
-		pool: sync.Pool{
-			New: func() interface{} { s := make([]byte, size); return &s },
-		},
-	}
-}
-
-func (bp *bufferPool) Get() *[]byte {
-	return bp.pool.Get().(*[]byte)
-}
-
-func (bp *bufferPool) Put(b *[]byte) {
-	bp.pool.Put(b)
-}
-
-// Copy is a convenience wrapper which uses a buffer to avoid allocation in io.Copy.
-func Copy(dst io.Writer, src io.Reader) (written int64, err error) {
-	buf := buffer32KPool.Get()
-	written, err = io.CopyBuffer(dst, src, *buf)
-	buffer32KPool.Put(buf)
-	return
-}
-
-// NewReadCloserWrapper returns a wrapper which puts the bufio.Reader back
-// into the pool and closes the reader if it's an io.ReadCloser.
-func (bufPool *BufioReaderPool) NewReadCloserWrapper(buf *bufio.Reader, r io.Reader) io.ReadCloser {
-	return ioutils.NewReadCloserWrapper(r, func() error {
-		if readCloser, ok := r.(io.ReadCloser); ok {
-			readCloser.Close()
-		}
-		bufPool.Put(buf)
-		return nil
-	})
-}
-
-// BufioWriterPool is a bufio writer that uses sync.Pool.
-type BufioWriterPool struct {
-	pool sync.Pool
-}
-
-// newBufioWriterPoolWithSize is unexported because new pools should be
-// added here to be shared where required.
-func newBufioWriterPoolWithSize(size int) *BufioWriterPool {
-	return &BufioWriterPool{
-		pool: sync.Pool{
-			New: func() interface{} { return bufio.NewWriterSize(nil, size) },
-		},
-	}
-}
-
-// Get returns a bufio.Writer which writes to w. The buffer size is that of the pool.
-func (bufPool *BufioWriterPool) Get(w io.Writer) *bufio.Writer {
-	buf := bufPool.pool.Get().(*bufio.Writer)
-	buf.Reset(w)
-	return buf
-}
-
-// Put puts the bufio.Writer back into the pool.
-func (bufPool *BufioWriterPool) Put(b *bufio.Writer) {
-	b.Reset(nil)
-	bufPool.pool.Put(b)
-}
-
-// NewWriteCloserWrapper returns a wrapper which puts the bufio.Writer back
-// into the pool and closes the writer if it's an io.WriteCloser.
-func (bufPool *BufioWriterPool) NewWriteCloserWrapper(buf *bufio.Writer, w io.Writer) io.WriteCloser {
-	return ioutils.NewWriteCloserWrapper(w, func() error {
-		buf.Flush()
-		if writeCloser, ok := w.(io.WriteCloser); ok {
-			writeCloser.Close()
-		}
-		bufPool.Put(buf)
-		return nil
-	})
-}
diff --git a/vendor/github.com/docker/docker/pkg/system/args_windows.go b/vendor/github.com/docker/docker/pkg/system/args_windows.go
deleted file mode 100644
index b7c9487a0..000000000
--- a/vendor/github.com/docker/docker/pkg/system/args_windows.go
+++ /dev/null
@@ -1,16 +0,0 @@
-package system // import "github.com/docker/docker/pkg/system"
-
-import (
-	"strings"
-
-	"golang.org/x/sys/windows"
-)
-
-// EscapeArgs makes a Windows-style escaped command line from a set of arguments
-func EscapeArgs(args []string) string {
-	escapedArgs := make([]string, len(args))
-	for i, a := range args {
-		escapedArgs[i] = windows.EscapeArg(a)
-	}
-	return strings.Join(escapedArgs, " ")
-}
diff --git a/vendor/github.com/docker/docker/pkg/system/chtimes.go b/vendor/github.com/docker/docker/pkg/system/chtimes.go
deleted file mode 100644
index 6a6bca43e..000000000
--- a/vendor/github.com/docker/docker/pkg/system/chtimes.go
+++ /dev/null
@@ -1,48 +0,0 @@
-package system // import "github.com/docker/docker/pkg/system"
-
-import (
-	"os"
-	"syscall"
-	"time"
-	"unsafe"
-)
-
-// Used by Chtimes
-var unixEpochTime, unixMaxTime time.Time
-
-func init() {
-	unixEpochTime = time.Unix(0, 0)
-	if unsafe.Sizeof(syscall.Timespec{}.Nsec) == 8 {
-		// This is a 64 bit timespec
-		// os.Chtimes limits time to the following
-		//
-		// Note that this intentionally sets nsec (not sec), which sets both sec
-		// and nsec internally in time.Unix();
-		// https://github.com/golang/go/blob/go1.19.2/src/time/time.go#L1364-L1380
-		unixMaxTime = time.Unix(0, 1<<63-1)
-	} else {
-		// This is a 32 bit timespec
-		unixMaxTime = time.Unix(1<<31-1, 0)
-	}
-}
-
-// Chtimes changes the access time and modified time of a file at the given path.
-// If the modified time is prior to the Unix Epoch (unixMinTime), or after the
-// end of Unix Time (unixEpochTime), os.Chtimes has undefined behavior. In this
-// case, Chtimes defaults to Unix Epoch, just in case.
-func Chtimes(name string, atime time.Time, mtime time.Time) error {
-	if atime.Before(unixEpochTime) || atime.After(unixMaxTime) {
-		atime = unixEpochTime
-	}
-
-	if mtime.Before(unixEpochTime) || mtime.After(unixMaxTime) {
-		mtime = unixEpochTime
-	}
-
-	if err := os.Chtimes(name, atime, mtime); err != nil {
-		return err
-	}
-
-	// Take platform specific action for setting create time.
-	return setCTime(name, mtime)
-}
diff --git a/vendor/github.com/docker/docker/pkg/system/chtimes_nowindows.go b/vendor/github.com/docker/docker/pkg/system/chtimes_nowindows.go
deleted file mode 100644
index 92ff02097..000000000
--- a/vendor/github.com/docker/docker/pkg/system/chtimes_nowindows.go
+++ /dev/null
@@ -1,14 +0,0 @@
-//go:build !windows
-
-package system // import "github.com/docker/docker/pkg/system"
-
-import (
-	"time"
-)
-
-// setCTime will set the create time on a file. On Unix, the create
-// time is updated as a side effect of setting the modified time, so
-// no action is required.
-func setCTime(path string, ctime time.Time) error {
-	return nil
-}
diff --git a/vendor/github.com/docker/docker/pkg/system/errors.go b/vendor/github.com/docker/docker/pkg/system/errors.go
deleted file mode 100644
index f4bbcce74..000000000
--- a/vendor/github.com/docker/docker/pkg/system/errors.go
+++ /dev/null
@@ -1,6 +0,0 @@
-package system // import "github.com/docker/docker/pkg/system"
-
-import "errors"
-
-// ErrNotSupportedPlatform means the platform is not supported.
-var ErrNotSupportedPlatform = errors.New("platform and architecture is not supported")
diff --git a/vendor/github.com/docker/docker/pkg/system/filesys.go b/vendor/github.com/docker/docker/pkg/system/filesys.go
deleted file mode 100644
index ce5990c91..000000000
--- a/vendor/github.com/docker/docker/pkg/system/filesys.go
+++ /dev/null
@@ -1,19 +0,0 @@
-package system
-
-import (
-	"os"
-	"path/filepath"
-	"strings"
-)
-
-// IsAbs is a platform-agnostic wrapper for filepath.IsAbs.
-//
-// On Windows, golang filepath.IsAbs does not consider a path \windows\system32
-// as absolute as it doesn't start with a drive-letter/colon combination. However,
-// in docker we need to verify things such as WORKDIR /windows/system32 in
-// a Dockerfile (which gets translated to \windows\system32 when being processed
-// by the daemon). This SHOULD be treated as absolute from a docker processing
-// perspective.
-func IsAbs(path string) bool {
-	return filepath.IsAbs(path) || strings.HasPrefix(path, string(os.PathSeparator))
-}
diff --git a/vendor/github.com/docker/docker/pkg/system/filesys_unix.go b/vendor/github.com/docker/docker/pkg/system/filesys_unix.go
deleted file mode 100644
index f01f9385e..000000000
--- a/vendor/github.com/docker/docker/pkg/system/filesys_unix.go
+++ /dev/null
@@ -1,16 +0,0 @@
-//go:build !windows
-
-package system // import "github.com/docker/docker/pkg/system"
-
-import "os"
-
-// MkdirAllWithACL is a wrapper for os.MkdirAll on unix systems.
-func MkdirAllWithACL(path string, perm os.FileMode, sddl string) error {
-	return os.MkdirAll(path, perm)
-}
-
-// MkdirAll creates a directory named path along with any necessary parents,
-// with permission specified by attribute perm for all dir created.
-func MkdirAll(path string, perm os.FileMode) error {
-	return os.MkdirAll(path, perm)
-}
diff --git a/vendor/github.com/docker/docker/pkg/system/filesys_windows.go b/vendor/github.com/docker/docker/pkg/system/filesys_windows.go
deleted file mode 100644
index 92e972ea2..000000000
--- a/vendor/github.com/docker/docker/pkg/system/filesys_windows.go
+++ /dev/null
@@ -1,135 +0,0 @@
-package system // import "github.com/docker/docker/pkg/system"
-
-import (
-	"os"
-	"regexp"
-	"syscall"
-	"unsafe"
-
-	"golang.org/x/sys/windows"
-)
-
-// SddlAdministratorsLocalSystem is local administrators plus NT AUTHORITY\System.
-const SddlAdministratorsLocalSystem = "D:P(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)"
-
-// volumePath is a regular expression to check if a path is a Windows
-// volume path (e.g., "\\?\Volume{4c1b02c1-d990-11dc-99ae-806e6f6e6963}"
-// or "\\?\Volume{4c1b02c1-d990-11dc-99ae-806e6f6e6963}\").
-var volumePath = regexp.MustCompile(`^\\\\\?\\Volume{[a-z0-9-]+}\\?$`)
-
-// MkdirAllWithACL is a custom version of os.MkdirAll modified for use on Windows
-// so that it is both volume path aware, and can create a directory with
-// an appropriate SDDL defined ACL.
-func MkdirAllWithACL(path string, _ os.FileMode, sddl string) error {
-	sa, err := makeSecurityAttributes(sddl)
-	if err != nil {
-		return &os.PathError{Op: "mkdirall", Path: path, Err: err}
-	}
-	return mkdirall(path, sa)
-}
-
-// MkdirAll is a custom version of os.MkdirAll that is volume path aware for
-// Windows. It can be used as a drop-in replacement for os.MkdirAll.
-func MkdirAll(path string, _ os.FileMode) error {
-	return mkdirall(path, nil)
-}
-
-// mkdirall is a custom version of os.MkdirAll modified for use on Windows
-// so that it is both volume path aware, and can create a directory with
-// a DACL.
-func mkdirall(path string, perm *windows.SecurityAttributes) error {
-	if volumePath.MatchString(path) {
-		return nil
-	}
-
-	// The rest of this method is largely copied from os.MkdirAll and should be kept
-	// as-is to ensure compatibility.
-
-	// Fast path: if we can tell whether path is a directory or file, stop with success or error.
-	dir, err := os.Stat(path)
-	if err == nil {
-		if dir.IsDir() {
-			return nil
-		}
-		return &os.PathError{Op: "mkdir", Path: path, Err: syscall.ENOTDIR}
-	}
-
-	// Slow path: make sure parent exists and then call Mkdir for path.
-	i := len(path)
-	for i > 0 && os.IsPathSeparator(path[i-1]) { // Skip trailing path separator.
-		i--
-	}
-
-	j := i
-	for j > 0 && !os.IsPathSeparator(path[j-1]) { // Scan backward over element.
-		j--
-	}
-
-	if j > 1 {
-		// Create parent.
-		err = mkdirall(fixRootDirectory(path[:j-1]), perm)
-		if err != nil {
-			return err
-		}
-	}
-
-	// Parent now exists; invoke Mkdir and use its result.
-	err = mkdirWithACL(path, perm)
-	if err != nil {
-		// Handle arguments like "foo/." by
-		// double-checking that directory doesn't exist.
-		dir, err1 := os.Lstat(path)
-		if err1 == nil && dir.IsDir() {
-			return nil
-		}
-		return err
-	}
-	return nil
-}
-
-// mkdirWithACL creates a new directory. If there is an error, it will be of
-// type *PathError. .
-//
-// This is a modified and combined version of os.Mkdir and windows.Mkdir
-// in golang to cater for creating a directory am ACL permitting full
-// access, with inheritance, to any subfolder/file for Built-in Administrators
-// and Local System.
-func mkdirWithACL(name string, sa *windows.SecurityAttributes) error {
-	if sa == nil {
-		return os.Mkdir(name, 0)
-	}
-
-	namep, err := windows.UTF16PtrFromString(name)
-	if err != nil {
-		return &os.PathError{Op: "mkdir", Path: name, Err: err}
-	}
-
-	err = windows.CreateDirectory(namep, sa)
-	if err != nil {
-		return &os.PathError{Op: "mkdir", Path: name, Err: err}
-	}
-	return nil
-}
-
-// fixRootDirectory fixes a reference to a drive's root directory to
-// have the required trailing slash.
-func fixRootDirectory(p string) string {
-	if len(p) == len(`\\?\c:`) {
-		if os.IsPathSeparator(p[0]) && os.IsPathSeparator(p[1]) && p[2] == '?' && os.IsPathSeparator(p[3]) && p[5] == ':' {
-			return p + `\`
-		}
-	}
-	return p
-}
-
-func makeSecurityAttributes(sddl string) (*windows.SecurityAttributes, error) {
-	var sa windows.SecurityAttributes
-	sa.Length = uint32(unsafe.Sizeof(sa))
-	sa.InheritHandle = 1
-	var err error
-	sa.SecurityDescriptor, err = windows.SecurityDescriptorFromString(sddl)
-	if err != nil {
-		return nil, err
-	}
-	return &sa, nil
-}
diff --git a/vendor/github.com/docker/docker/pkg/system/init_windows.go b/vendor/github.com/docker/docker/pkg/system/init_windows.go
deleted file mode 100644
index 7603efbbd..000000000
--- a/vendor/github.com/docker/docker/pkg/system/init_windows.go
+++ /dev/null
@@ -1,16 +0,0 @@
-package system // import "github.com/docker/docker/pkg/system"
-
-// containerdRuntimeSupported determines if containerd should be the runtime.
-var containerdRuntimeSupported = false
-
-// InitContainerdRuntime sets whether to use containerd for runtime on Windows.
-func InitContainerdRuntime(cdPath string) {
-	if len(cdPath) > 0 {
-		containerdRuntimeSupported = true
-	}
-}
-
-// ContainerdRuntimeSupported returns true if the use of containerd runtime is supported.
-func ContainerdRuntimeSupported() bool {
-	return containerdRuntimeSupported
-}
diff --git a/vendor/github.com/docker/docker/pkg/system/lstat_unix.go b/vendor/github.com/docker/docker/pkg/system/lstat_unix.go
deleted file mode 100644
index 97f355d2e..000000000
--- a/vendor/github.com/docker/docker/pkg/system/lstat_unix.go
+++ /dev/null
@@ -1,22 +0,0 @@
-//go:build !windows
-
-package system // import "github.com/docker/docker/pkg/system"
-
-import (
-	"os"
-	"syscall"
-)
-
-// Lstat takes a path to a file and returns
-// a system.StatT type pertaining to that file.
-//
-// Throws an error if the file does not exist.
-//
-// Deprecated: this function is only used internally, and will be removed in the next release.
-func Lstat(path string) (*StatT, error) {
-	s := &syscall.Stat_t{}
-	if err := syscall.Lstat(path, s); err != nil {
-		return nil, &os.PathError{Op: "Lstat", Path: path, Err: err}
-	}
-	return fromStatT(s)
-}
diff --git a/vendor/github.com/docker/docker/pkg/system/lstat_windows.go b/vendor/github.com/docker/docker/pkg/system/lstat_windows.go
deleted file mode 100644
index 4180f3ac2..000000000
--- a/vendor/github.com/docker/docker/pkg/system/lstat_windows.go
+++ /dev/null
@@ -1,16 +0,0 @@
-package system // import "github.com/docker/docker/pkg/system"
-
-import "os"
-
-// Lstat calls os.Lstat to get a fileinfo interface back.
-// This is then copied into our own locally defined structure.
-//
-// Deprecated: this function is only used internally, and will be removed in the next release.
-func Lstat(path string) (*StatT, error) {
-	fi, err := os.Lstat(path)
-	if err != nil {
-		return nil, err
-	}
-
-	return fromStatT(&fi)
-}
diff --git a/vendor/github.com/docker/docker/pkg/system/mknod.go b/vendor/github.com/docker/docker/pkg/system/mknod.go
deleted file mode 100644
index e0cd22d7a..000000000
--- a/vendor/github.com/docker/docker/pkg/system/mknod.go
+++ /dev/null
@@ -1,18 +0,0 @@
-//go:build !windows
-
-package system // import "github.com/docker/docker/pkg/system"
-
-import (
-	"golang.org/x/sys/unix"
-)
-
-// Mkdev is used to build the value of linux devices (in /dev/) which specifies major
-// and minor number of the newly created device special file.
-// Linux device nodes are a bit weird due to backwards compat with 16 bit device nodes.
-// They are, from low to high: the lower 8 bits of the minor, then 12 bits of the major,
-// then the top 12 bits of the minor.
-//
-// Deprecated: this function is only used internally, and will be removed in the next release.
-func Mkdev(major int64, minor int64) uint32 {
-	return uint32(unix.Mkdev(uint32(major), uint32(minor)))
-}
diff --git a/vendor/github.com/docker/docker/pkg/system/mknod_freebsd.go b/vendor/github.com/docker/docker/pkg/system/mknod_freebsd.go
deleted file mode 100644
index 4f66453d6..000000000
--- a/vendor/github.com/docker/docker/pkg/system/mknod_freebsd.go
+++ /dev/null
@@ -1,15 +0,0 @@
-//go:build freebsd
-
-package system // import "github.com/docker/docker/pkg/system"
-
-import (
-	"golang.org/x/sys/unix"
-)
-
-// Mknod creates a filesystem node (file, device special file or named pipe) named path
-// with attributes specified by mode and dev.
-//
-// Deprecated: this function is only used internally, and will be removed in the next release.
-func Mknod(path string, mode uint32, dev int) error {
-	return unix.Mknod(path, mode, uint64(dev))
-}
diff --git a/vendor/github.com/docker/docker/pkg/system/mknod_unix.go b/vendor/github.com/docker/docker/pkg/system/mknod_unix.go
deleted file mode 100644
index 34c553263..000000000
--- a/vendor/github.com/docker/docker/pkg/system/mknod_unix.go
+++ /dev/null
@@ -1,15 +0,0 @@
-//go:build !freebsd && !windows
-
-package system // import "github.com/docker/docker/pkg/system"
-
-import (
-	"golang.org/x/sys/unix"
-)
-
-// Mknod creates a filesystem node (file, device special file or named pipe) named path
-// with attributes specified by mode and dev.
-//
-// Deprecated: this function is only used internally, and will be removed in the next release.
-func Mknod(path string, mode uint32, dev int) error {
-	return unix.Mknod(path, mode, dev)
-}
diff --git a/vendor/github.com/docker/docker/pkg/system/stat_bsd.go b/vendor/github.com/docker/docker/pkg/system/stat_bsd.go
deleted file mode 100644
index 435b776ee..000000000
--- a/vendor/github.com/docker/docker/pkg/system/stat_bsd.go
+++ /dev/null
@@ -1,17 +0,0 @@
-//go:build freebsd || netbsd
-
-package system // import "github.com/docker/docker/pkg/system"
-
-import "syscall"
-
-// fromStatT converts a syscall.Stat_t type to a system.Stat_t type
-func fromStatT(s *syscall.Stat_t) (*StatT, error) {
-	return &StatT{
-		size: s.Size,
-		mode: uint32(s.Mode),
-		uid:  s.Uid,
-		gid:  s.Gid,
-		rdev: uint64(s.Rdev),
-		mtim: s.Mtimespec,
-	}, nil
-}
diff --git a/vendor/github.com/docker/docker/pkg/system/stat_darwin.go b/vendor/github.com/docker/docker/pkg/system/stat_darwin.go
deleted file mode 100644
index e0b629df0..000000000
--- a/vendor/github.com/docker/docker/pkg/system/stat_darwin.go
+++ /dev/null
@@ -1,15 +0,0 @@
-package system // import "github.com/docker/docker/pkg/system"
-
-import "syscall"
-
-// fromStatT converts a syscall.Stat_t type to a system.Stat_t type
-func fromStatT(s *syscall.Stat_t) (*StatT, error) {
-	return &StatT{
-		size: s.Size,
-		mode: uint32(s.Mode),
-		uid:  s.Uid,
-		gid:  s.Gid,
-		rdev: uint64(s.Rdev),
-		mtim: s.Mtimespec,
-	}, nil
-}
diff --git a/vendor/github.com/docker/docker/pkg/system/stat_linux.go b/vendor/github.com/docker/docker/pkg/system/stat_linux.go
deleted file mode 100644
index 0557235f9..000000000
--- a/vendor/github.com/docker/docker/pkg/system/stat_linux.go
+++ /dev/null
@@ -1,24 +0,0 @@
-package system // import "github.com/docker/docker/pkg/system"
-
-import "syscall"
-
-// fromStatT converts a syscall.Stat_t type to a system.Stat_t type
-func fromStatT(s *syscall.Stat_t) (*StatT, error) {
-	return &StatT{
-		size: s.Size,
-		mode: s.Mode,
-		uid:  s.Uid,
-		gid:  s.Gid,
-		// the type is 32bit on mips
-		rdev: uint64(s.Rdev), //nolint: unconvert
-		mtim: s.Mtim,
-	}, nil
-}
-
-// FromStatT converts a syscall.Stat_t type to a system.Stat_t type
-// This is exposed on Linux as pkg/archive/changes uses it.
-//
-// Deprecated: this function is only used internally, and will be removed in the next release.
-func FromStatT(s *syscall.Stat_t) (*StatT, error) {
-	return fromStatT(s)
-}
diff --git a/vendor/github.com/docker/docker/pkg/system/stat_openbsd.go b/vendor/github.com/docker/docker/pkg/system/stat_openbsd.go
deleted file mode 100644
index 851374e5d..000000000
--- a/vendor/github.com/docker/docker/pkg/system/stat_openbsd.go
+++ /dev/null
@@ -1,15 +0,0 @@
-package system // import "github.com/docker/docker/pkg/system"
-
-import "syscall"
-
-// fromStatT converts a syscall.Stat_t type to a system.Stat_t type
-func fromStatT(s *syscall.Stat_t) (*StatT, error) {
-	return &StatT{
-		size: s.Size,
-		mode: uint32(s.Mode),
-		uid:  s.Uid,
-		gid:  s.Gid,
-		rdev: uint64(s.Rdev),
-		mtim: s.Mtim,
-	}, nil
-}
diff --git a/vendor/github.com/docker/docker/pkg/system/stat_unix.go b/vendor/github.com/docker/docker/pkg/system/stat_unix.go
deleted file mode 100644
index 661b0bed2..000000000
--- a/vendor/github.com/docker/docker/pkg/system/stat_unix.go
+++ /dev/null
@@ -1,70 +0,0 @@
-//go:build !windows
-
-package system // import "github.com/docker/docker/pkg/system"
-
-import (
-	"os"
-	"syscall"
-)
-
-// StatT type contains status of a file. It contains metadata
-// like permission, owner, group, size, etc about a file.
-//
-// Deprecated: this type is only used internally, and will be removed in the next release.
-type StatT struct {
-	mode uint32
-	uid  uint32
-	gid  uint32
-	rdev uint64
-	size int64
-	mtim syscall.Timespec
-}
-
-// Mode returns file's permission mode.
-func (s StatT) Mode() uint32 {
-	return s.mode
-}
-
-// UID returns file's user id of owner.
-func (s StatT) UID() uint32 {
-	return s.uid
-}
-
-// GID returns file's group id of owner.
-func (s StatT) GID() uint32 {
-	return s.gid
-}
-
-// Rdev returns file's device ID (if it's special file).
-func (s StatT) Rdev() uint64 {
-	return s.rdev
-}
-
-// Size returns file's size.
-func (s StatT) Size() int64 {
-	return s.size
-}
-
-// Mtim returns file's last modification time.
-func (s StatT) Mtim() syscall.Timespec {
-	return s.mtim
-}
-
-// IsDir reports whether s describes a directory.
-func (s StatT) IsDir() bool {
-	return s.mode&syscall.S_IFDIR != 0
-}
-
-// Stat takes a path to a file and returns
-// a system.StatT type pertaining to that file.
-//
-// Throws an error if the file does not exist.
-//
-// Deprecated: this function is only used internally, and will be removed in the next release.
-func Stat(path string) (*StatT, error) {
-	s := &syscall.Stat_t{}
-	if err := syscall.Stat(path, s); err != nil {
-		return nil, &os.PathError{Op: "Stat", Path: path, Err: err}
-	}
-	return fromStatT(s)
-}
diff --git a/vendor/github.com/docker/docker/pkg/system/stat_windows.go b/vendor/github.com/docker/docker/pkg/system/stat_windows.go
deleted file mode 100644
index e74a0f4fd..000000000
--- a/vendor/github.com/docker/docker/pkg/system/stat_windows.go
+++ /dev/null
@@ -1,54 +0,0 @@
-package system // import "github.com/docker/docker/pkg/system"
-
-import (
-	"os"
-	"time"
-)
-
-// StatT type contains status of a file. It contains metadata
-// like permission, size, etc about a file.
-//
-// Deprecated: this type is only used internally, and will be removed in the next release.
-type StatT struct {
-	mode os.FileMode
-	size int64
-	mtim time.Time
-}
-
-// Size returns file's size.
-func (s StatT) Size() int64 {
-	return s.size
-}
-
-// Mode returns file's permission mode.
-func (s StatT) Mode() os.FileMode {
-	return s.mode
-}
-
-// Mtim returns file's last modification time.
-func (s StatT) Mtim() time.Time {
-	return s.mtim
-}
-
-// Stat takes a path to a file and returns
-// a system.StatT type pertaining to that file.
-//
-// Throws an error if the file does not exist.
-//
-// Deprecated: this function is only used internally, and will be removed in the next release.
-func Stat(path string) (*StatT, error) {
-	fi, err := os.Stat(path)
-	if err != nil {
-		return nil, err
-	}
-	return fromStatT(&fi)
-}
-
-// fromStatT converts a os.FileInfo type to a system.StatT type
-func fromStatT(fi *os.FileInfo) (*StatT, error) {
-	return &StatT{
-		size: (*fi).Size(),
-		mode: (*fi).Mode(),
-		mtim: (*fi).ModTime(),
-	}, nil
-}
diff --git a/vendor/github.com/docker/docker/pkg/system/utimes_unix.go b/vendor/github.com/docker/docker/pkg/system/utimes_unix.go
deleted file mode 100644
index f3a079f88..000000000
--- a/vendor/github.com/docker/docker/pkg/system/utimes_unix.go
+++ /dev/null
@@ -1,24 +0,0 @@
-//go:build linux || freebsd
-
-package system // import "github.com/docker/docker/pkg/system"
-
-import (
-	"syscall"
-
-	"golang.org/x/sys/unix"
-)
-
-// LUtimesNano is used to change access and modification time of the specified path.
-// It's used for symbol link file because unix.UtimesNano doesn't support a NOFOLLOW flag atm.
-func LUtimesNano(path string, ts []syscall.Timespec) error {
-	uts := []unix.Timespec{
-		unix.NsecToTimespec(syscall.TimespecToNsec(ts[0])),
-		unix.NsecToTimespec(syscall.TimespecToNsec(ts[1])),
-	}
-	err := unix.UtimesNanoAt(unix.AT_FDCWD, path, uts, unix.AT_SYMLINK_NOFOLLOW)
-	if err != nil && err != unix.ENOSYS {
-		return err
-	}
-
-	return nil
-}
diff --git a/vendor/github.com/docker/docker/pkg/system/utimes_unsupported.go b/vendor/github.com/docker/docker/pkg/system/utimes_unsupported.go
deleted file mode 100644
index 7c19d5915..000000000
--- a/vendor/github.com/docker/docker/pkg/system/utimes_unsupported.go
+++ /dev/null
@@ -1,10 +0,0 @@
-//go:build !linux && !freebsd
-
-package system // import "github.com/docker/docker/pkg/system"
-
-import "syscall"
-
-// LUtimesNano is only supported on linux and freebsd.
-func LUtimesNano(path string, ts []syscall.Timespec) error {
-	return ErrNotSupportedPlatform
-}
diff --git a/vendor/github.com/docker/docker/pkg/system/xattrs.go b/vendor/github.com/docker/docker/pkg/system/xattrs.go
deleted file mode 100644
index b3f4e8a21..000000000
--- a/vendor/github.com/docker/docker/pkg/system/xattrs.go
+++ /dev/null
@@ -1,18 +0,0 @@
-package system // import "github.com/docker/docker/pkg/system"
-
-type XattrError struct {
-	Op   string
-	Attr string
-	Path string
-	Err  error
-}
-
-func (e *XattrError) Error() string { return e.Op + " " + e.Attr + " " + e.Path + ": " + e.Err.Error() }
-
-func (e *XattrError) Unwrap() error { return e.Err }
-
-// Timeout reports whether this error represents a timeout.
-func (e *XattrError) Timeout() bool {
-	t, ok := e.Err.(interface{ Timeout() bool })
-	return ok && t.Timeout()
-}
diff --git a/vendor/github.com/docker/docker/pkg/system/xattrs_linux.go b/vendor/github.com/docker/docker/pkg/system/xattrs_linux.go
deleted file mode 100644
index b877ecc5a..000000000
--- a/vendor/github.com/docker/docker/pkg/system/xattrs_linux.go
+++ /dev/null
@@ -1,47 +0,0 @@
-package system // import "github.com/docker/docker/pkg/system"
-
-import (
-	"golang.org/x/sys/unix"
-)
-
-// Lgetxattr retrieves the value of the extended attribute identified by attr
-// and associated with the given path in the file system.
-// It returns a nil slice and nil error if the xattr is not set.
-func Lgetxattr(path string, attr string) ([]byte, error) {
-	sysErr := func(err error) ([]byte, error) {
-		return nil, &XattrError{Op: "lgetxattr", Attr: attr, Path: path, Err: err}
-	}
-
-	// Start with a 128 length byte array
-	dest := make([]byte, 128)
-	sz, errno := unix.Lgetxattr(path, attr, dest)
-
-	for errno == unix.ERANGE {
-		// Buffer too small, use zero-sized buffer to get the actual size
-		sz, errno = unix.Lgetxattr(path, attr, []byte{})
-		if errno != nil {
-			return sysErr(errno)
-		}
-		dest = make([]byte, sz)
-		sz, errno = unix.Lgetxattr(path, attr, dest)
-	}
-
-	switch {
-	case errno == unix.ENODATA:
-		return nil, nil
-	case errno != nil:
-		return sysErr(errno)
-	}
-
-	return dest[:sz], nil
-}
-
-// Lsetxattr sets the value of the extended attribute identified by attr
-// and associated with the given path in the file system.
-func Lsetxattr(path string, attr string, data []byte, flags int) error {
-	err := unix.Lsetxattr(path, attr, data, flags)
-	if err != nil {
-		return &XattrError{Op: "lsetxattr", Attr: attr, Path: path, Err: err}
-	}
-	return nil
-}
diff --git a/vendor/github.com/docker/docker/pkg/system/xattrs_unsupported.go b/vendor/github.com/docker/docker/pkg/system/xattrs_unsupported.go
deleted file mode 100644
index 2a3698f12..000000000
--- a/vendor/github.com/docker/docker/pkg/system/xattrs_unsupported.go
+++ /dev/null
@@ -1,13 +0,0 @@
-//go:build !linux
-
-package system // import "github.com/docker/docker/pkg/system"
-
-// Lgetxattr is not supported on platforms other than linux.
-func Lgetxattr(path string, attr string) ([]byte, error) {
-	return nil, ErrNotSupportedPlatform
-}
-
-// Lsetxattr is not supported on platforms other than linux.
-func Lsetxattr(path string, attr string, data []byte, flags int) error {
-	return ErrNotSupportedPlatform
-}
diff --git a/vendor/github.com/moby/docker-image-spec/LICENSE b/vendor/github.com/moby/docker-image-spec/LICENSE
new file mode 100644
index 000000000..261eeb9e9
--- /dev/null
+++ b/vendor/github.com/moby/docker-image-spec/LICENSE
@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/vendor/github.com/moby/docker-image-spec/specs-go/v1/image.go b/vendor/github.com/moby/docker-image-spec/specs-go/v1/image.go
new file mode 100644
index 000000000..167261763
--- /dev/null
+++ b/vendor/github.com/moby/docker-image-spec/specs-go/v1/image.go
@@ -0,0 +1,54 @@
+package v1
+
+import (
+	"time"
+
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+const DockerOCIImageMediaType = "application/vnd.docker.container.image.v1+json"
+
+// DockerOCIImage is a ocispec.Image extended with Docker specific Config.
+type DockerOCIImage struct {
+	ocispec.Image
+
+	// Shadow ocispec.Image.Config
+	Config DockerOCIImageConfig `json:"config,omitempty"`
+}
+
+// DockerOCIImageConfig is a ocispec.ImageConfig extended with Docker specific fields.
+type DockerOCIImageConfig struct {
+	ocispec.ImageConfig
+
+	DockerOCIImageConfigExt
+}
+
+// DockerOCIImageConfigExt contains Docker-specific fields in DockerImageConfig.
+type DockerOCIImageConfigExt struct {
+	Healthcheck *HealthcheckConfig `json:",omitempty"` // Healthcheck describes how to check the container is healthy
+
+	OnBuild []string `json:",omitempty"` // ONBUILD metadata that were defined on the image Dockerfile
+	Shell   []string `json:",omitempty"` // Shell for shell-form of RUN, CMD, ENTRYPOINT
+}
+
+// HealthcheckConfig holds configuration settings for the HEALTHCHECK feature.
+type HealthcheckConfig struct {
+	// Test is the test to perform to check that the container is healthy.
+	// An empty slice means to inherit the default.
+	// The options are:
+	// {} : inherit healthcheck
+	// {"NONE"} : disable healthcheck
+	// {"CMD", args...} : exec arguments directly
+	// {"CMD-SHELL", command} : run command with system's default shell
+	Test []string `json:",omitempty"`
+
+	// Zero means to inherit. Durations are expressed as integer nanoseconds.
+	Interval      time.Duration `json:",omitempty"` // Interval is the time to wait between checks.
+	Timeout       time.Duration `json:",omitempty"` // Timeout is the time to wait before considering the check to have hung.
+	StartPeriod   time.Duration `json:",omitempty"` // The start period for the container to initialize before the retries starts to count down.
+	StartInterval time.Duration `json:",omitempty"` // The interval to attempt healthchecks at during the start period
+
+	// Retries is the number of consecutive failures needed to consider a container as unhealthy.
+	// Zero means inherit.
+	Retries int `json:",omitempty"`
+}
diff --git a/vendor/github.com/moby/sys/userns/LICENSE b/vendor/github.com/moby/sys/userns/LICENSE
new file mode 100644
index 000000000..d64569567
--- /dev/null
+++ b/vendor/github.com/moby/sys/userns/LICENSE
@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/vendor/github.com/moby/sys/userns/userns.go b/vendor/github.com/moby/sys/userns/userns.go
new file mode 100644
index 000000000..56b24c44a
--- /dev/null
+++ b/vendor/github.com/moby/sys/userns/userns.go
@@ -0,0 +1,16 @@
+// Package userns provides utilities to detect whether we are currently running
+// in a Linux user namespace.
+//
+// This code was migrated from [libcontainer/runc], which based its implementation
+// on code from [lcx/incus].
+//
+// [libcontainer/runc]: https://github.com/opencontainers/runc/blob/3778ae603c706494fd1e2c2faf83b406e38d687d/libcontainer/userns/userns_linux.go#L12-L49
+// [lcx/incus]: https://github.com/lxc/incus/blob/e45085dd42f826b3c8c3228e9733c0b6f998eafe/shared/util.go#L678-L700
+package userns
+
+// RunningInUserNS detects whether we are currently running in a Linux
+// user namespace and memoizes the result. It returns false on non-Linux
+// platforms.
+func RunningInUserNS() bool {
+	return inUserNS()
+}
diff --git a/vendor/github.com/moby/sys/userns/userns_linux.go b/vendor/github.com/moby/sys/userns/userns_linux.go
new file mode 100644
index 000000000..87c1c38ee
--- /dev/null
+++ b/vendor/github.com/moby/sys/userns/userns_linux.go
@@ -0,0 +1,53 @@
+package userns
+
+import (
+	"bufio"
+	"fmt"
+	"os"
+	"sync"
+)
+
+var inUserNS = sync.OnceValue(runningInUserNS)
+
+// runningInUserNS detects whether we are currently running in a user namespace.
+//
+// This code was migrated from [libcontainer/runc] and based on an implementation
+// from [lcx/incus].
+//
+// [libcontainer/runc]: https://github.com/opencontainers/runc/blob/3778ae603c706494fd1e2c2faf83b406e38d687d/libcontainer/userns/userns_linux.go#L12-L49
+// [lcx/incus]: https://github.com/lxc/incus/blob/e45085dd42f826b3c8c3228e9733c0b6f998eafe/shared/util.go#L678-L700
+func runningInUserNS() bool {
+	file, err := os.Open("/proc/self/uid_map")
+	if err != nil {
+		// This kernel-provided file only exists if user namespaces are supported.
+		return false
+	}
+	defer file.Close()
+
+	buf := bufio.NewReader(file)
+	l, _, err := buf.ReadLine()
+	if err != nil {
+		return false
+	}
+
+	return uidMapInUserNS(string(l))
+}
+
+func uidMapInUserNS(uidMap string) bool {
+	if uidMap == "" {
+		// File exist but empty (the initial state when userns is created,
+		// see user_namespaces(7)).
+		return true
+	}
+
+	var a, b, c int64
+	if _, err := fmt.Sscanf(uidMap, "%d %d %d", &a, &b, &c); err != nil {
+		// Assume we are in a regular, non user namespace.
+		return false
+	}
+
+	// As per user_namespaces(7), /proc/self/uid_map of
+	// the initial user namespace shows 0 0 4294967295.
+	initNS := a == 0 && b == 0 && c == 4294967295
+	return !initNS
+}
diff --git a/vendor/github.com/moby/sys/userns/userns_linux_fuzzer.go b/vendor/github.com/moby/sys/userns/userns_linux_fuzzer.go
new file mode 100644
index 000000000..26ba2e16e
--- /dev/null
+++ b/vendor/github.com/moby/sys/userns/userns_linux_fuzzer.go
@@ -0,0 +1,8 @@
+//go:build linux && gofuzz
+
+package userns
+
+func FuzzUIDMap(uidmap []byte) int {
+	_ = uidMapInUserNS(string(uidmap))
+	return 1
+}
diff --git a/vendor/github.com/moby/sys/userns/userns_unsupported.go b/vendor/github.com/moby/sys/userns/userns_unsupported.go
new file mode 100644
index 000000000..8ed83072c
--- /dev/null
+++ b/vendor/github.com/moby/sys/userns/userns_unsupported.go
@@ -0,0 +1,6 @@
+//go:build !linux
+
+package userns
+
+// inUserNS is a stub for non-Linux systems. Always returns false.
+func inUserNS() bool { return false }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 45532a144..40f573ffe 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -43,14 +43,16 @@ github.com/coreos/go-systemd/v22/journal
 # github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0
 ## explicit; go 1.17
 github.com/decred/dcrd/dcrec/secp256k1/v4
-# github.com/docker/docker v27.5.1+incompatible
+# github.com/docker/docker v28.0.0+incompatible
 ## explicit
 github.com/docker/docker/api/types/blkiodev
+github.com/docker/docker/api/types/common
 github.com/docker/docker/api/types/container
 github.com/docker/docker/api/types/filters
 github.com/docker/docker/api/types/mount
 github.com/docker/docker/api/types/network
 github.com/docker/docker/api/types/registry
+github.com/docker/docker/api/types/storage
 github.com/docker/docker/api/types/strslice
 github.com/docker/docker/api/types/swarm
 github.com/docker/docker/api/types/swarm/runtime
@@ -59,11 +61,8 @@ github.com/docker/docker/internal/multierror
 github.com/docker/docker/pkg/archive
 github.com/docker/docker/pkg/homedir
 github.com/docker/docker/pkg/idtools
-github.com/docker/docker/pkg/ioutils
 github.com/docker/docker/pkg/jsonmessage
-github.com/docker/docker/pkg/pools
 github.com/docker/docker/pkg/stdcopy
-github.com/docker/docker/pkg/system
 # github.com/docker/go-connections v0.4.0
 ## explicit
 github.com/docker/go-connections/nat