Merge pull request #4408 from containerd/dependabot/go_modules/docker-0e145687d2

build(deps): bump the docker group with 2 updates

.dockerignore

@@ -1,9 +1,10 @@
 # artifacts
 /nerdctl
 _output
+*.gomodjail
 
 # golangci-lint
-build
+/build
 
 # vagrant
 /.vagrant

.github/workflows/ghcr-image-build-and-publish.yml

@@ -31,19 +31,20 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4.2.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
 
+      # FIXME: setup-qemu-action is depended by `gomodjail pack`
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392  # v3.6.0
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435  # v3.11.1
 
       # Login against a Docker registry except on PR
       # https://github.com/docker/login-action
       - name: Log into registry ${{ env.REGISTRY }}
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@v3.3.0
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772  # v3.4.0
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
@@ -53,17 +54,19 @@ jobs:
       # https://github.com/docker/metadata-action
       - name: Extract Docker metadata
         id: meta
-        uses: docker/metadata-action@v5.5.1
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804  # v5.7.0
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 
       # Build and push Docker image with Buildx (don't push on PR)
       # https://github.com/docker/build-push-action
       - name: Build and push Docker image
-        uses: docker/build-push-action@v6.9.0
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83  # v6.18.0
         with:
           context: .
           platforms: linux/amd64,linux/arm64
           push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          secrets: |
+            github_token=${{ secrets.GITHUB_TOKEN }}

.github/workflows/job-build.yml

@@ -0,0 +1,110 @@
+# This job just builds nerdctl for the golang versions we support (as a smoke test)
+name: job-build
+
+on:
+  workflow_call:
+    inputs:
+      timeout:
+        required: true
+        type: number
+      go-version:
+        required: true
+        type: string
+      runner:
+        required: true
+        type: string
+      canary:
+        required: false
+        default: false
+        type: boolean
+
+env:
+  GOTOOLCHAIN: local
+
+jobs:
+  build-all-targets:
+    name: ${{ format('go {0}', inputs.canary && 'canary' || inputs.go-version ) }}
+    timeout-minutes: ${{ inputs.timeout }}
+    runs-on: "${{ inputs.runner }}"
+    defaults:
+      run:
+        shell: bash
+
+    env:
+      GO_VERSION: ${{ inputs.go-version }}
+
+    steps:
+      - name: "Init: checkout"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          fetch-depth: 1
+
+      - if: ${{ inputs.canary }}
+        name: "Init (canary): retrieve GO_VERSION"
+        run: |
+          . ./hack/github/action-helpers.sh
+          latest_go="$(. ./hack/provisioning/version/fetch.sh; go::canary::for::go-setup)"
+          printf "GO_VERSION=%s\n" "$latest_go" >> "$GITHUB_ENV"
+          [ "$latest_go" != "" ] || \
+            github::log::warning "No canary go" "There is currently no canary go version to test. Steps will not run."
+
+      - if: ${{ env.GO_VERSION != '' }}
+        name: "Init: install go"
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5  # v5.5.0
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          check-latest: true
+
+      - if: ${{ env.GO_VERSION != '' }}
+        name: "Run: make binaries"
+        run: |
+          . ./hack/github/action-helpers.sh
+
+          github::md::table::header "OS" "Arch" "Result" "Time" >> $GITHUB_STEP_SUMMARY
+
+          failure=
+
+          build(){
+            local goos="$1"
+            local goarch="${2:-amd64}"
+            local goarm="${3:-}"
+            local result
+
+            GOOS="$goos" GOARCH="$goarch" GOARM="$goarm" go build ./examples/...
+
+            github::timer::begin
+
+            GOOS="$goos" GOARCH="$goarch" GOARM="$goarm" make binaries \
+              && result="$decorator_success" \
+              || {
+                failure=true
+                result="$decorator_failure"
+              }
+
+            [ ! "$goarm" ] || goarch="$goarch/v$goarm"
+            github::md::table::line "$goos" "$goarch" "$result" "$(github::timer::format <(github::timer::tick))" >> $GITHUB_STEP_SUMMARY
+          }
+
+          # We officially support these
+          build linux
+          build linux arm64
+          build windows
+          build freebsd
+          # These architectures are not released, but we still verify that we can at least compile
+          build darwin
+          build linux arm 6
+          build linux loong64
+          build linux ppc64le
+          build linux riscv64
+          build linux s390x
+
+          [ ! "$failure" ] || exit 1
+
+      - if: ${{ env.GO_VERSION != '' }}
+        name: "Run: make binaries with custom BUILDTAGS"
+        run: |
+          set -eux
+          # no_ipfs: make sure it does not incur any IPFS-related dependency
+          go mod vendor
+          rm -rf vendor/github.com/ipfs vendor/github.com/multiformats
+          BUILDTAGS=no_ipfs make binaries

.github/workflows/job-lint-go.yml

@@ -0,0 +1,76 @@
+# This job runs golangci-lint
+# Note that technically, `make lint-go-all` would run the linter for all targets, and could be called once, on a single instance.
+# The point of running it on a matrix instead, each GOOS separately, is to verify that the tooling itself is working on the target OS.
+name: job-lint-go
+
+on:
+  workflow_call:
+    inputs:
+      timeout:
+        required: true
+        type: number
+      go-version:
+        required: true
+        type: string
+      runner:
+        required: true
+        type: string
+      canary:
+        required: false
+        default: false
+        type: boolean
+      goos:
+        required: true
+        type: string
+
+env:
+  GOTOOLCHAIN: local
+
+jobs:
+  lint-go:
+    name: ${{ format('{0}{1}', inputs.goos, inputs.canary && ' (go canary)' || '') }}
+    timeout-minutes: ${{ inputs.timeout }}
+    runs-on: "${{ inputs.runner }}"
+    defaults:
+      run:
+        shell: bash
+    env:
+      GO_VERSION: ${{ inputs.go-version }}
+
+    steps:
+      - name: "Init: checkout"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          fetch-depth: 1
+
+      - if: ${{ inputs.canary }}
+        name: "Init (canary): retrieve GO_VERSION"
+        run: |
+          latest_go="$(. ./hack/provisioning/version/fetch.sh; go::canary::for::go-setup)"
+          printf "GO_VERSION=%s\n" "$latest_go" >> "$GITHUB_ENV"
+          [ "$latest_go" != "" ] || \
+            echo "::warning title=No canary go::There is currently no canary go version to test. Steps will not run."
+
+      - if: ${{ env.GO_VERSION != '' }}
+        name: "Init: install go"
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5  # v5.5.0
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          check-latest: true
+
+      - if: ${{ env.GO_VERSION != '' }}
+        name: "Init: install dev-tools"
+        run: |
+          echo "::group:: make install-dev-tools"
+          make install-dev-tools
+          echo "::endgroup::"
+
+      - if: ${{ env.GO_VERSION != '' }}
+        name: "Run"
+        run: |
+          # On canary, lint for all supported targets
+          if [ "${{ inputs.canary }}" == "true" ]; then
+            NO_COLOR=true make lint-go-all
+          else
+            NO_COLOR=true GOOS="${{ inputs.goos }}" make lint-go
+          fi

.github/workflows/job-lint-other.yml

@@ -0,0 +1,38 @@
+# This job runs any subsidiary linter not part of golangci (shell, yaml, etc)
+name: job-lint-other
+
+on:
+  workflow_call:
+    inputs:
+      timeout:
+        required: true
+        type: number
+      runner:
+        required: true
+        type: string
+
+env:
+  GOTOOLCHAIN: local
+
+jobs:
+  lint-other:
+    name: "yaml | shell"
+    timeout-minutes: ${{ inputs.timeout }}
+    runs-on: ${{ inputs.runner }}
+    defaults:
+      run:
+        shell: bash
+
+    steps:
+      - name: "Init: checkout"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          fetch-depth: 1
+
+      - name: "Run: yaml"
+        run: |
+          make lint-yaml
+
+      - name: "Run: shell"
+        run: |
+          make lint-shell

.github/workflows/job-lint-project.yml

@@ -0,0 +1,56 @@
+# This job runs containerd shared project-checks, that verifies licenses, headers, and commits.
+# To run locally, you may just use `make lint` instead, that does the same thing
+# (albeit `make lint` uses more modern versions).
+name: job-lint-project
+
+on:
+  workflow_call:
+    inputs:
+      timeout:
+        required: true
+        type: number
+      go-version:
+        required: true
+        type: string
+      runner:
+        required: true
+        type: string
+
+env:
+  GOTOOLCHAIN: local
+
+jobs:
+  project:
+    name: "commits, licenses..."
+    timeout-minutes: ${{ inputs.timeout }}
+    runs-on: ${{ inputs.runner }}
+    defaults:
+      run:
+        shell: bash
+
+    steps:
+      - name: "Init: checkout"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          fetch-depth: 100
+          path: src/github.com/containerd/nerdctl
+
+      - name: "Init: install go"
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5  # v5.5.0
+        with:
+          go-version: ${{ inputs.go-version }}
+          check-latest: true
+          cache-dependency-path: src/github.com/containerd/nerdctl
+
+      - name: "Run"
+        uses: containerd/project-checks@d7751f3c375b8fe4a84c02a068184ee4c1f59bc4  # v1.2.2
+        with:
+          working-directory: src/github.com/containerd/nerdctl
+          repo-access-token: ${{ secrets.GITHUB_TOKEN }}
+          # go-licenses-ignore is set because go-licenses cannot detect the license of the following package:
+          # * go-base36: Apache-2.0 OR MIT (https://github.com/multiformats/go-base36/blob/master/LICENSE.md)
+          #
+          # The list of the CNCF-approved licenses can be found here:
+          # https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md
+          go-licenses-ignore: |
+            github.com/multiformats/go-base36

.github/workflows/job-test-dependencies.yml

@@ -0,0 +1,57 @@
+# This job pre-heats the cache for the test image by building all dependencies
+name: job-test-dependencies
+
+on:
+  workflow_call:
+    inputs:
+      timeout:
+        required: true
+        type: number
+      runner:
+        required: true
+        type: string
+      containerd-version:
+        required: false
+        default: ''
+        type: string
+
+env:
+  GOTOOLCHAIN: local
+
+jobs:
+  # This job builds the dependency target of the test docker image for all supported architectures and cache it in GHA
+  build-dependencies:
+    # Note: for whatever reason, you cannot access env.RUNNER_ARCH here
+    name: "${{ contains(inputs.runner, 'arm') && 'arm64' || 'amd64' }}${{ inputs.containerd-version && format(' | {0}', inputs.containerd-version) || ''}}"
+    timeout-minutes: ${{ inputs.timeout }}
+    runs-on: "${{ inputs.runner }}"
+    defaults:
+      run:
+        shell: bash
+
+    steps:
+      - name: "Init: checkout"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          fetch-depth: 1
+
+      - name: "Init: expose GitHub Runtime variables for gha"
+        uses: crazy-max/ghaction-github-runtime@3cb05d89e1f492524af3d41a1c98c83bc3025124  # v3.1.0
+
+      - name: "Run: build dependencies for the integration test environment image"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          # Cache is sharded per-architecture
+          arch=${{ env.RUNNER_ARCH == 'ARM64' && 'arm64' || 'amd64' }}
+          docker buildx create --name with-gha --use
+          # Honor old containerd if requested
+          args=()
+          if [ "${{ inputs.containerd-version }}" != "" ]; then
+            args=(--build-arg CONTAINERD_VERSION=${{ inputs.containerd-version }})
+          fi
+          docker buildx build \
+            --secret id=github_token,env=GITHUB_TOKEN \
+            --cache-to type=gha,compression=zstd,mode=max,scope=test-integration-dependencies-"$arch" \
+            --cache-from type=gha,scope=test-integration-dependencies-"$arch" \
+            --target build-dependencies "${args[@]}" .

.github/workflows/job-test-in-container.yml

@@ -0,0 +1,181 @@
+# This job runs integration tests inside a container, for all supported variants (ipv6, canary, etc)
+# Note that it is linux and nerdctl (+/- gomodjail) only.
+name: job-test-in-container
+
+on:
+  workflow_call:
+    inputs:
+      timeout:
+        required: true
+        type: number
+      runner:
+        required: true
+        type: string
+      canary:
+        required: false
+        default: false
+        type: boolean
+      target:
+        required: false
+        default: ''
+        type: string
+      binary:
+        required: false
+        default: nerdctl
+        type: string
+      containerd-version:
+        required: false
+        default: ''
+        type: string
+      rootlesskit-version:
+        required: false
+        default: ''
+        type: string
+      ipv6:
+        required: false
+        default: false
+        type: boolean
+
+env:
+  GOTOOLCHAIN: local
+
+jobs:
+  test:
+    name: |
+      ${{ inputs.binary != 'nerdctl' && format('{0} < ', inputs.binary) || '' }}
+      ${{ inputs.target }}
+      ${{ contains(inputs.runner, 'arm') && '(arm)' || '' }}
+      ${{ contains(inputs.runner, '22.04') && '(old ubuntu)' || '' }}
+      ${{ inputs.ipv6 && ' (ipv6)' || '' }}
+      ${{ inputs.canary && ' (canary)' || '' }}
+      ${{ inputs.containerd-version && format(' (ctd: {0})', inputs.containerd-version) || '' }}
+      ${{ inputs.rootlesskit-version && format(' (rlk: {0})', inputs.rootlesskit-version) || '' }}
+    timeout-minutes: ${{ inputs.timeout }}
+    runs-on: ${{ inputs.runner }}
+    defaults:
+      run:
+        shell: bash
+
+    env:
+      # https://github.com/containerd/nerdctl/issues/622
+      # The only case when rootlesskit-version is force-specified is when we downgrade explicitly to v1
+      WORKAROUND_ISSUE_622: ${{ inputs.rootlesskit-version }}
+
+    steps:
+      - name: "Init: checkout"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          fetch-depth: 1
+
+      - name: "Init: expose GitHub Runtime variables for gha"
+        uses: crazy-max/ghaction-github-runtime@3cb05d89e1f492524af3d41a1c98c83bc3025124  # v3.1.0
+
+      - name: "Init: register QEMU (tonistiigi/binfmt)"
+        run: |
+          # `--install all` will only install emulation for architectures that cannot be natively executed
+          # Since some arm64 platforms do provide native fallback execution for 32 bits,
+          # armv7 emulation may or may not be installed, causing variance in the result of `uname -m`.
+          # To avoid that, we explicitly list the architectures we do want emulation for.
+          docker run --privileged --rm tonistiigi/binfmt --install linux/amd64
+          docker run --privileged --rm tonistiigi/binfmt --install linux/arm64
+          docker run --privileged --rm tonistiigi/binfmt --install linux/arm/v7
+      - if: ${{ inputs.canary }}
+        name: "Init (canary): prepare updated test image"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          . ./hack/build-integration-canary.sh
+          canary::build::integration
+      - if: ${{ ! inputs.canary }}
+        name: "Init: prepare test image"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          buildargs=()
+          # If the runner is old, use old ubuntu inside the container as well
+          [ "${{ contains(inputs.runner, '22.04') }}" != "true" ] || buildargs=(--build-arg UBUNTU_VERSION=22.04)
+          # Honor if we want old containerd
+          [ "${{ inputs.containerd-version }}" == "" ] || buildargs+=(--build-arg CONTAINERD_VERSION=${{ inputs.containerd-version }})
+          # Honor custom targets and if we want old rootlesskit
+          target=test-integration
+          if [ "${{ inputs.target }}" != "rootful" ]; then
+            target+=-${{ inputs.target }}
+            if [ "${{ inputs.rootlesskit-version }}" != "" ]; then
+              buildargs+=(--build-arg ROOTLESSKIT_VERSION=${{ inputs.rootlesskit-version }})
+            fi
+          fi
+          # Cache is sharded per-architecture
+          arch=${{ env.RUNNER_ARCH == 'ARM64' && 'arm64' || 'amd64' }}
+          docker buildx create --name with-gha --use
+          docker buildx build \
+            --secret id=github_token,env=GITHUB_TOKEN \
+            --output=type=docker \
+            --cache-from type=gha,scope=test-integration-dependencies-"$arch" \
+            -t "$target" --target "$target" \
+            "${buildargs[@]}" \
+            .
+      # Rootful needs to disable snap
+      - if: ${{ inputs.target == 'rootful' }}
+        name: "Init: remove snap loopback devices (conflicts with our loopback devices in TestRunDevice)"
+        run: |
+          sudo systemctl disable --now snapd.service snapd.socket
+          sudo apt-get purge -qq snapd
+          sudo losetup -Dv
+          sudo losetup -lv
+      # Rootless on modern ubuntu wants apparmor
+      - if: ${{ inputs.target != 'rootful' && ! contains(inputs.runner, '22.04') }}
+        name: "Init: prepare apparmor for rootless + ubuntu 24+"
+        run: |
+          cat <<EOT | sudo tee "/etc/apparmor.d/usr.local.bin.rootlesskit"
+          abi <abi/4.0>,
+          include <tunables/global>
+          /usr/local/bin/rootlesskit flags=(unconfined) {
+            userns,
+            # Site-specific additions and overrides. See local/README for details.
+            include if exists <local/usr.local.bin.rootlesskit>
+          }
+          EOT
+          sudo systemctl restart apparmor.service
+      # ipv6 wants... ipv6
+      - if: ${{ inputs.ipv6 }}
+        name: "Init: ipv6"
+        run: |
+          # Enable ipv4 and ipv6 forwarding
+          sudo sysctl -w net.ipv6.conf.all.forwarding=1
+          sudo sysctl -w net.ipv4.ip_forward=1
+          # Enable IPv6 for Docker, and configure docker to use containerd for gha
+          sudo mkdir -p /etc/docker
+          echo '{"ipv6": true, "fixed-cidr-v6": "2001:db8:1::/64", "experimental": true, "ip6tables": true}' | sudo tee /etc/docker/daemon.json
+          sudo systemctl restart docker
+      - name: "Run: integration tests"
+        run: |
+          . ./hack/github/action-helpers.sh
+          github::md::h2 "non-flaky" >> "$GITHUB_STEP_SUMMARY"
+
+          # IPV6 note: nested IPv6 network inside docker and qemu is complex and needs a bunch of sysctl config.
+          # Therefore, it's hard to debug why the IPv6 tests fail in such an isolation layer.
+          # On the other side, using the host network is easier at configuration.
+          # Besides, each job is running on a different instance, which means using host network here
+          # is safe and has no side effects on others.
+          [ "${{ inputs.target }}" == "rootful" ] \
+            && args=(test-integration ./hack/test-integration.sh -test.allow-modify-users=true) \
+            || args=(test-integration-${{ inputs.target }} /test-integration-rootless.sh ./hack/test-integration.sh)
+          if [ "${{ inputs.ipv6 }}" == true ]; then
+            docker run --network host -t --rm --privileged -e GITHUB_STEP_SUMMARY="$GITHUB_STEP_SUMMARY" -v "$GITHUB_STEP_SUMMARY":"$GITHUB_STEP_SUMMARY" -e WORKAROUND_ISSUE_622=${WORKAROUND_ISSUE_622:-} "${args[@]}" -test.only-flaky=false -test.only-ipv6 -test.target=${{ inputs.binary }}
+          else
+            docker run -t --rm --privileged -e GITHUB_STEP_SUMMARY="$GITHUB_STEP_SUMMARY" -v "$GITHUB_STEP_SUMMARY":"$GITHUB_STEP_SUMMARY" -e WORKAROUND_ISSUE_622=${WORKAROUND_ISSUE_622:-} "${args[@]}" -test.only-flaky=false -test.target=${{ inputs.binary }}
+          fi
+      # FIXME: this NEEDS to go away
+      - name: "Run: integration tests (flaky)"
+        run: |
+          . ./hack/github/action-helpers.sh
+          github::md::h2 "flaky" >> "$GITHUB_STEP_SUMMARY"
+
+          [ "${{ inputs.target }}" == "rootful" ] \
+            && args=(test-integration ./hack/test-integration.sh) \
+            || args=(test-integration-${{ inputs.target }} /test-integration-rootless.sh ./hack/test-integration.sh)
+          if [ "${{ inputs.ipv6 }}" == true ]; then
+            docker run --network host -t --rm --privileged -e GITHUB_STEP_SUMMARY="$GITHUB_STEP_SUMMARY" -v "$GITHUB_STEP_SUMMARY":"$GITHUB_STEP_SUMMARY" -e WORKAROUND_ISSUE_622=${WORKAROUND_ISSUE_622:-} "${args[@]}" -test.only-flaky=true -test.only-ipv6 -test.target=${{ inputs.binary }}
+          else
+            docker run -t --rm --privileged -e GITHUB_STEP_SUMMARY="$GITHUB_STEP_SUMMARY" -v "$GITHUB_STEP_SUMMARY":"$GITHUB_STEP_SUMMARY" -e WORKAROUND_ISSUE_622=${WORKAROUND_ISSUE_622:-} "${args[@]}" -test.only-flaky=true -test.target=${{ inputs.binary }}
+          fi

.github/workflows/job-test-in-host.yml

@@ -0,0 +1,210 @@
+# This currently test docker and nerdctl on windows (w/o canary)
+# Structure is in to allow testing nerdctl on linux as well, though more work is required to make it functional.
+name: job-test-in-host
+
+on:
+  workflow_call:
+    inputs:
+      timeout:
+        required: true
+        type: number
+      runner:
+        required: true
+        type: string
+      canary:
+        required: false
+        default: false
+        type: boolean
+      binary:
+        required: false
+        default: nerdctl
+        type: string
+      go-version:
+        required: true
+        type: string
+      docker-version:
+        required: true
+        type: string
+      containerd-version:
+        required: true
+        type: string
+      containerd-sha:
+        required: true
+        type: string
+      containerd-service-sha:
+        required: true
+        type: string
+      windows-cni-version:
+        required: true
+        type: string
+      linux-cni-version:
+        required: true
+        type: string
+      linux-cni-sha:
+        required: true
+        type: string
+
+env:
+  GOTOOLCHAIN: local
+
+jobs:
+  test:
+    name: |
+      ${{ inputs.binary != 'nerdctl' && format('{0} < ', inputs.binary) || '' }}
+      ${{ contains(inputs.runner, 'ubuntu') && ' linux' || ' windows' }}
+      ${{ contains(inputs.runner, 'arm') && '(arm)' || '' }}
+      ${{ contains(inputs.runner, '22.04') && '(old ubuntu)' || '' }}
+      ${{ inputs.canary && ' (canary)' || '' }}
+    timeout-minutes: ${{ inputs.timeout }}
+    runs-on: "${{ inputs.runner }}"
+    defaults:
+      run:
+        shell: bash
+
+    env:
+      SHOULD_RUN: "yes"
+      GO_VERSION: ${{ inputs.go-version }}
+      # Both Docker and nerdctl on linux need rootful right now
+      WITH_SUDO: ${{ contains(inputs.runner, 'ubuntu') }}
+      CONTAINERD_VERSION: ${{ inputs.containerd-version }}
+      CONTAINERD_SHA: ${{ inputs.containerd-sha }}
+
+    steps:
+      - name: "Init: checkout"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          fetch-depth: 1
+
+      - if: ${{ inputs.canary }}
+        name: "Init (canary): retrieve latest go and containerd"
+        run: |
+          latest_go="$(. ./hack/provisioning/version/fetch.sh; go::canary::for::go-setup)"
+          latest_containerd="$(. ./hack/provisioning/version/fetch.sh; github::project::latest "containerd/containerd")"
+
+          [ "$latest_go" == "" ] || \
+            printf "GO_VERSION=%s\n" "$latest_go" >> "$GITHUB_ENV"
+          [ "${latest_containerd:1}" == "$CONTAINERD_VERSION" ] || {
+            printf "CONTAINERD_VERSION=%s\n" "${latest_containerd:1}" >> "$GITHUB_ENV"
+            printf "CONTAINERD_SHA=canary is volatile and I accept the risk\n" >> "$GITHUB_ENV"
+          }
+          if [ "$latest_go" == "" ] && [ "${latest_containerd:1}" == "$CONTAINERD_VERSION" ]; then
+            echo "::warning title=No canary::There is currently no canary versions to test. Steps will not run.";
+            printf "SHOULD_RUN=no\n" >> "$GITHUB_ENV"
+          fi
+
+      - if: ${{ env.SHOULD_RUN == 'yes' }}
+        name: "Init: install go"
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5  # v5.5.0
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          check-latest: true
+
+      # XXX RUNNER_OS and generally env is too unreliable
+      # - if: ${{ env.RUNNER_OS == 'Linux' }}
+      - if: ${{ contains(inputs.runner, 'ubuntu') && env.SHOULD_RUN == 'yes' }}
+        name: "Init (linux): prepare host"
+        run: |
+          if [ "${{ contains(inputs.binary, 'docker') }}" == true ]; then
+            echo "::group:: configure cdi for docker"
+            sudo mkdir -p /etc/docker
+            sudo jq '.features.cdi = true' /etc/docker/daemon.json | sudo tee /etc/docker/daemon.json.tmp && sudo mv /etc/docker/daemon.json.tmp /etc/docker/daemon.json
+            echo "::endgroup::"
+            echo "::group:: downgrade docker to the specific version we want to test (${{ inputs.docker-version }})"
+            sudo apt-get update -qq
+            sudo apt-get install -qq ca-certificates curl
+            sudo install -m 0755 -d /etc/apt/keyrings
+            sudo cp ./hack/provisioning/gpg/docker /etc/apt/keyrings/docker.asc
+            sudo chmod a+r /etc/apt/keyrings/docker.asc
+            echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
+              $(. /etc/os-release && echo "${UBUNTU_CODENAME:-$VERSION_CODENAME}") stable" \
+              | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
+            sudo apt-get update -qq
+            sudo apt-get install -qq --allow-downgrades docker-ce=${{ inputs.docker-version }} docker-ce-cli=${{ inputs.docker-version }}
+            echo "::endgroup::"
+          else
+            # FIXME: this is missing runc (see top level workflow note about the state of this)
+            echo "::group:: install dependencies"
+            sudo ./hack/provisioning/linux/containerd.sh uninstall
+            ./hack/provisioning/linux/containerd.sh rootful "$CONTAINERD_VERSION" "amd64" "$CONTAINERD_SHA" "${{ inputs.containerd-service-sha }}"
+            sudo ./hack/provisioning/linux/cni.sh uninstall
+            ./hack/provisioning/linux/cni.sh install "${{ inputs.linux-cni-version }}" "amd64" "${{ inputs.linux-cni-sha }}"
+            echo "::endgroup::"
+
+            echo "::group:: build nerctl"
+            go install ./cmd/nerdctl
+            echo "$HOME/go/bin" >> "$GITHUB_PATH"
+            # Since tests are going to run root, we need nerdctl to be in a PATH that will survive `sudo`
+            sudo cp "$(which nerdctl)" /usr/local/bin
+            echo "::endgroup::"
+          fi
+
+          # Register QEMU (tonistiigi/binfmt)
+          # `--install all` will only install emulation for architectures that cannot be natively executed
+          # Since some arm64 platforms do provide native fallback execution for 32 bits,
+          # armv7 emulation may or may not be installed, causing variance in the result of `uname -m`.
+          # To avoid that, we explicitly list the architectures we do want emulation for.
+          echo "::group:: install binfmt"
+          docker run --quiet --privileged --rm tonistiigi/binfmt --install linux/amd64
+          docker run --quiet --privileged --rm tonistiigi/binfmt --install linux/arm64
+          docker run --quiet --privileged --rm tonistiigi/binfmt --install linux/arm/v7
+          echo "::endgroup::"
+
+          # FIXME: remove expect when we are done removing unbuffer from tests
+          echo "::group:: installing test dependencies"
+          sudo apt-get install -qq expect
+          echo "::endgroup::"
+
+      - if: ${{ contains(inputs.runner, 'windows') && env.SHOULD_RUN == 'yes' }}
+        name: "Init (windows): prepare host"
+        env:
+          ctrdVersion: ${{ env.CONTAINERD_VERSION }}
+        run: |
+          # Install WinCNI
+          echo "::group:: install wincni"
+          GOPATH=$(go env GOPATH) WINCNI_VERSION=${{ inputs.windows-cni-version }} ./hack/provisioning/windows/cni.sh
+          echo "::endgroup::"
+
+          # Install containerd
+          echo "::group:: install containerd"
+          powershell hack/provisioning/windows/containerd.ps1
+          echo "::endgroup::"
+
+          # Install nerdctl
+          echo "::group:: build nerctl"
+          go install ./cmd/nerdctl
+          echo "::endgroup::"
+
+          choco install jq
+
+      - if: ${{ env.SHOULD_RUN == 'yes' }}
+        name: "Init: install dev tools"
+        run: |
+          echo "::group:: make install-dev-tools"
+          make install-dev-tools
+          echo "::endgroup::"
+
+      # ipv6 is tested only on linux
+      - if: ${{ contains(inputs.runner, 'ubuntu') && env.SHOULD_RUN == 'yes' }}
+        name: "Run (linux): integration tests (IPv6)"
+        run: |
+          . ./hack/github/action-helpers.sh
+          github::md::h2 "ipv6" >> "$GITHUB_STEP_SUMMARY"
+
+          ./hack/test-integration.sh -test.target=${{ inputs.binary }} -test.only-ipv6
+
+      - if: ${{ env.SHOULD_RUN == 'yes' }}
+        name: "Run: integration tests"
+        run: |
+          . ./hack/github/action-helpers.sh
+          github::md::h2 "non-flaky" >> "$GITHUB_STEP_SUMMARY"
+
+          ./hack/test-integration.sh -test.target=${{ inputs.binary }} -test.only-flaky=false
+
+      # FIXME: this must go
+      - if: ${{ env.SHOULD_RUN == 'yes' }}
+        name: "Run: integration tests (flaky)"
+        run: |
+          . ./hack/github/action-helpers.sh
+          github::md::h2 "flaky" >> "$GITHUB_STEP_SUMMARY"
+
+          ./hack/test-integration.sh -test.target=${{ inputs.binary }} -test.only-flaky=true

.github/workflows/job-test-in-lima.yml

@@ -0,0 +1,121 @@
+# Currently, Lima job test only for EL, though in the future it could be used to also test FreeBSD or other linux-es
+name: job-test-in-lima
+
+on:
+  workflow_call:
+    inputs:
+      timeout:
+        required: true
+        type: number
+      runner:
+        required: true
+        type: string
+      target:
+        required: true
+        type: string
+      guest:
+        required: true
+        type: string
+
+jobs:
+  test:
+    name: "${{ inputs.guest }} ${{ inputs.target }}"
+    timeout-minutes: ${{ inputs.timeout }}
+    runs-on: "${{ inputs.runner }}"
+    env:
+      TARGET: ${{ inputs.target }}
+    steps:
+      - name: "Init: checkout"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          fetch-depth: 1
+
+      - name: "Init: lima"
+        uses: lima-vm/lima-actions/setup@03b96d61959e83b2c737e44162c3088e81de0886  # v1.0.1
+        id: lima-actions-setup
+
+      - name: "Init: Cache"
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684  # v4.2.3
+        with:
+          path: ~/.cache/lima
+          key: lima-${{ steps.lima-actions-setup.outputs.version }}
+
+      - name: "Init: start the guest VM"
+        run: |
+          set -eux
+          # containerd=none is set because the built-in containerd support conflicts with Docker
+          limactl start \
+            --name=default \
+            --cpus=4 \
+            --memory=12 \
+            --containerd=none \
+            --set '.mounts=null | .portForwards=[{"guestSocket":"/var/run/docker.sock","hostSocket":"{{.Dir}}/sock/docker.sock"}]' \
+            template://${{ inputs.guest }}
+
+      # FIXME: the tests should be directly executed in the VM without nesting Docker inside it
+      # https://github.com/containerd/nerdctl/issues/3858
+      - name: "Init: install dockerd in the guest VM"
+        run: |
+          set -eux
+          lima sudo mkdir -p /etc/systemd/system/docker.socket.d
+          cat <<-EOF | lima sudo tee /etc/systemd/system/docker.socket.d/override.conf
+          [Socket]
+          SocketUser=$(whoami)
+          EOF
+          lima sudo dnf config-manager --add-repo=https://download.docker.com/linux/centos/docker-ce.repo
+          lima sudo dnf -q -y install docker-ce --nobest
+          lima sudo systemctl enable --now docker
+
+      - name: "Init: configure the host to use dockerd in the guest VM"
+        run: |
+          set -eux
+          sudo systemctl disable --now docker.service docker.socket
+          export DOCKER_HOST="unix://$(limactl ls --format '{{.Dir}}/sock/docker.sock' default)"
+          echo "DOCKER_HOST=${DOCKER_HOST}" >>$GITHUB_ENV
+          docker info
+          docker version
+
+      - name: "Init: expose GitHub Runtime variables for gha"
+        uses: crazy-max/ghaction-github-runtime@3cb05d89e1f492524af3d41a1c98c83bc3025124  # v3.1.0
+
+      - name: "Init: prepare integration tests"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -eux
+
+          sudo losetup -Dv
+          sudo losetup -lv
+
+          [ "$TARGET" = "rootless" ] && TARGET=test-integration-rootless || TARGET=test-integration
+          docker buildx create --name with-gha --use
+          docker buildx build \
+            --secret id=github_token,env=GITHUB_TOKEN \
+            --output=type=docker \
+            --cache-from type=gha,scope=test-integration-dependencies-amd64 \
+            -t test-integration --target "${TARGET}" \
+            .
+
+      - name: "Run integration tests"
+        # Presumably, something is broken with the way docker exposes /dev to the container, as it appears to only
+        # randomly work. Mounting /dev does workaround the issue.
+        # This might be due to the old kernel shipped with Alma (4.18), or something else between centos/docker.
+        run: |
+          set -eux
+          if [ "$TARGET" = "rootless" ]; then
+            echo "rootless"
+            docker run -t -v /dev:/dev --rm --privileged test-integration /test-integration-rootless.sh ./hack/test-integration.sh -test.only-flaky=false
+          else
+            echo "rootful"
+            docker run -t -v /dev:/dev --rm --privileged test-integration ./hack/test-integration.sh -test.only-flaky=false
+          fi
+      - name: "Run: integration tests (flaky)"
+        run: |
+          set -eux
+          if [ "$TARGET" = "rootless" ]; then
+            echo "rootless"
+            docker run -t -v /dev:/dev --rm --privileged test-integration /test-integration-rootless.sh ./hack/test-integration.sh -test.only-flaky=true
+          else
+            echo "rootful"
+            docker run -t -v /dev:/dev --rm --privileged test-integration ./hack/test-integration.sh -test.only-flaky=true
+          fi

.github/workflows/job-test-in-vagrant.yml

@@ -0,0 +1,60 @@
+# Right now, this is testing solely FreeBSD, but could be used to test other targets.
+# Alternatively, this might get replaced entirely by Lima eventually.
+name: job-test-in-vagrant
+
+on:
+  workflow_call:
+    inputs:
+      timeout:
+        required: true
+        type: number
+      runner:
+        required: true
+        type: string
+
+jobs:
+  test:
+    # Will appear as freebsd / 14 in GitHub UI
+    name: "14"
+    timeout-minutes: ${{ inputs.timeout }}
+    runs-on: "${{ inputs.runner }}"
+    steps:
+      - name: "Init: checkout"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          fetch-depth: 1
+
+      - name: "Init: setup cache"
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684  # v4.2.3
+        with:
+          path: /root/.vagrant.d
+          key: vagrant
+
+      - name: "Init: set up vagrant"
+        run: |
+          # from https://github.com/containerd/containerd/blob/v2.0.2/.github/workflows/ci.yml#L583-L596
+          # which is based on https://github.com/opencontainers/runc/blob/v1.1.8/.cirrus.yml#L41-L49
+          # FIXME: https://github.com/containerd/nerdctl/issues/4163
+          cat ./hack/provisioning/gpg/hashicorp | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
+          echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
+          sudo sed -i 's/^Types: deb$/Types: deb deb-src/' /etc/apt/sources.list.d/ubuntu.sources
+          sudo apt-get update -qq
+          sudo apt-get install -qq libvirt-daemon libvirt-daemon-system vagrant ovmf
+          # https://github.com/vagrant-libvirt/vagrant-libvirt/issues/1725#issuecomment-1454058646
+          sudo cp /usr/share/OVMF/OVMF_VARS_4M.fd /var/lib/libvirt/qemu/nvram/
+          sudo systemctl enable --now libvirtd
+          sudo apt-get build-dep -qq ruby-libvirt
+          sudo apt-get install -qq --no-install-recommends libxslt-dev libxml2-dev libvirt-dev ruby-bundler ruby-dev zlib1g-dev
+          # Disable strict dependency enforcement to bypass gem version conflicts during the installation of the vagrant-libvirt plugin.
+          sudo env VAGRANT_DISABLE_STRICT_DEPENDENCY_ENFORCEMENT=1 vagrant plugin install vagrant-libvirt
+
+      - name: "Init: boot VM"
+        run: |
+          ln -sf Vagrantfile.freebsd Vagrantfile
+          sudo vagrant up --no-tty
+
+      - name: "Run: test-unit"
+        run: sudo vagrant up --provision-with=test-unit
+
+      - name: "Run: test-integration"
+        run: sudo vagrant up --provision-with=test-integration

.github/workflows/job-test-unit.yml

@@ -0,0 +1,88 @@
+# Note: freebsd tests are not ran here (see integration instead)
+name: job-test-unit
+
+on:
+  workflow_call:
+    inputs:
+      timeout:
+        required: true
+        type: number
+      go-version:
+        required: true
+        type: string
+      runner:
+        required: true
+        type: string
+      canary:
+        required: false
+        default: false
+        type: boolean
+      windows-cni-version:
+        required: true
+        type: string
+      linux-cni-version:
+        required: true
+        type: string
+      linux-cni-sha:
+        required: true
+        type: string
+
+env:
+  GOTOOLCHAIN: local
+  # Windows fails without this
+  CGO_ENABLED: 0
+
+jobs:
+  test-unit:
+    name: ${{ format('{0}{1}', inputs.runner, inputs.canary && ' (go canary)' || '') }}
+    timeout-minutes: ${{ inputs.timeout }}
+    runs-on: "${{ inputs.runner }}"
+    defaults:
+      run:
+        shell: bash
+
+    env:
+      GO_VERSION: ${{ inputs.go-version }}
+
+    steps:
+      - name: "Init: checkout"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          fetch-depth: 1
+
+      # If canary is requested, check for the latest unstable release
+      - if: ${{ inputs.canary }}
+        name: "Init (canary): retrieve GO_VERSION"
+        run: |
+          latest_go="$(. ./hack/provisioning/version/fetch.sh; go::canary::for::go-setup)"
+          printf "GO_VERSION=%s\n" "$latest_go" >> "$GITHUB_ENV"
+          [ "$latest_go" != "" ] || \
+            echo "::warning title=No canary go::There is currently no canary go version to test. Following steps will not run."
+
+      - if: ${{ env.GO_VERSION != '' }}
+        name: "Init: install go"
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5  # v5.5.0
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          check-latest: true
+
+      # Install CNI
+      - if: ${{ env.GO_VERSION != '' }}
+        name: "Init: set up CNI"
+        run: |
+          if [ "$RUNNER_OS" == "Windows" ]; then
+            GOPATH=$(go env GOPATH) WINCNI_VERSION=${{ inputs.windows-cni-version }} ./hack/provisioning/windows/cni.sh
+          elif [ "$RUNNER_OS" == "Linux" ]; then
+            ./hack/provisioning/linux/cni.sh install "${{ inputs.linux-cni-version }}" "amd64" "${{ inputs.linux-cni-sha }}"
+          fi
+
+      - if: ${{ env.GO_VERSION != '' }}
+        name: "Run"
+        run: |
+          make test-unit
+
+      # On linux, also run with root
+      - if: ${{ env.GO_VERSION != '' && env.RUNNER_OS == 'Linux' }}
+        name: "Run: with root"
+        run: |
+          sudo make test-unit

.github/workflows/lint.yml

@@ -1,78 +0,0 @@
-name: lint
-
-on:
-  push:
-    branches:
-      - main
-      - 'release/**'
-  pull_request:
-
-env:
-  GO_VERSION: 1.23.x
-
-jobs:
-  go:
-    timeout-minutes: 5
-    name: "go | ${{ matrix.goos }} | ${{ matrix.canary }}"
-    runs-on: "${{ matrix.os }}"
-    defaults:
-      run:
-        shell: bash
-    strategy:
-      matrix:
-        include:
-          - os: ubuntu-24.04
-            goos: linux
-          - os: ubuntu-24.04
-            goos: freebsd
-          # FIXME: this is currently failing in a non-sensical way, so, running on linux instead...
-          # - os: windows-2022
-          - os: ubuntu-24.04
-            goos: windows
-          - os: ubuntu-24.04
-            goos: linux
-            # This allows the canary script to select any upcoming golang alpha/beta/RC
-            canary: go-canary
-    env:
-      GOOS: "${{ matrix.goos }}"
-    steps:
-      - uses: actions/checkout@v4.2.2
-        with:
-          fetch-depth: 1
-      - name: Set GO env
-        run: |
-          # If canary is specified, get the latest available golang pre-release instead of the major version
-          if [ "$canary" != "" ]; then
-            . ./hack/build-integration-canary.sh
-            canary::golang::latest
-          fi
-      - uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          check-latest: true
-          cache: true
-      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v6
-        with:
-          args: --verbose
-  other:
-    timeout-minutes: 5
-    name: yaml | shell | imports order
-    runs-on: ubuntu-24.04
-    steps:
-      - uses: actions/checkout@v4.2.2
-        with:
-          fetch-depth: 1
-      - uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          check-latest: true
-          cache: true
-      - name: yaml
-        run: make lint-yaml
-      - name: shell
-        run: make lint-shell
-      - name: go imports ordering
-        run: |
-          go install -v github.com/incu6us/goimports-reviser/v3@latest
-          make lint-imports

.github/workflows/project.yml

@@ -1,31 +0,0 @@
-name: project
-
-on:
-  push:
-    branches:
-      - main
-      - 'release/**'
-  pull_request:
-
-jobs:
-  project:
-    name: checks
-    runs-on: ubuntu-24.04
-    timeout-minutes: 20
-    steps:
-      - uses: actions/checkout@v4.2.2
-        with:
-          path: src/github.com/containerd/nerdctl
-          fetch-depth: 100
-      - uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: src/github.com/containerd/nerdctl
-      - uses: containerd/project-checks@v1.1.0
-        with:
-          working-directory: src/github.com/containerd/nerdctl
-          repo-access-token: ${{ secrets.GITHUB_TOKEN }}
-      - run: ./hack/verify-no-patent.sh
-        working-directory: src/github.com/containerd/nerdctl
-      - run: ./hack/verify-pkg-isolation.sh
-        working-directory: src/github.com/containerd/nerdctl

.github/workflows/release.yml

@@ -5,16 +5,36 @@ on:
     tags:
     - 'v*'
     - 'test-action-release-*'
+  pull_request:
+    paths-ignore:
+    - '**.md'
+
+env:
+  GOTOOLCHAIN: local
+
 jobs:
   release:
     runs-on: ubuntu-24.04
     timeout-minutes: 40
+    # The maximum access is "read" for PRs from public forked repos
+    # https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
+    permissions:
+      contents: write  # for releases
+      id-token: write  # for provenances
+      attestations: write  # for provenances
     steps:
-    - uses: actions/checkout@v4.2.2
-    - uses: actions/setup-go@v5
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+    # FIXME: setup-qemu-action is depended by `gomodjail pack`
+    - name: "Set up QEMU"
+      uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392  # v3.6.0
+    - name: "Install go"
+      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5  # v5.5.0
       with:
-        go-version: 1.23.x
+        go-version: "1.24"
+        check-latest: true
     - name: "Compile binaries"
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       run: make artifacts
     - name: "SHA256SUMS"
       run: |
@@ -35,7 +55,13 @@ jobs:
         - - -
         Release manager: [ADD YOUR NAME HERE] (@[ADD YOUR GITHUB ID HERE])
         EOF
+    - name: "Generate artifact attestation"
+      uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be  # v2.4.0
+      if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
+      with:
+        subject-path: _output/*
     - name: "Create release"
+      if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       run: |

.github/workflows/test-canary.yml

@@ -1,99 +0,0 @@
-# This pipeline purpose is solely meant to run a subset of our test suites against upcoming or unreleased dependencies versions
-name: canary
-
-on:
-  push:
-    branches:
-      - main
-      - 'release/**'
-  pull_request:
-    paths-ignore:
-      - '**.md'
-
-env:
-  UBUNTU_VERSION: "24.04"
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-jobs:
-  linux:
-    runs-on: "ubuntu-24.04"
-    timeout-minutes: 40
-    steps:
-      - uses: actions/checkout@v4.2.2
-        with:
-          fetch-depth: 1
-      - name: "Prepare integration test environment"
-        run: |
-          . ./hack/build-integration-canary.sh
-          canary::build::integration
-      - name: "Remove snap loopback devices (conflicts with our loopback devices in TestRunDevice)"
-        run: |
-          sudo systemctl disable --now snapd.service snapd.socket
-          sudo apt-get purge -y snapd
-          sudo losetup -Dv
-          sudo losetup -lv
-      - name: "Register QEMU (tonistiigi/binfmt)"
-        run: |
-          # `--install all` will only install emulation for architectures that cannot be natively executed
-          # Since some arm64 platforms do provide native fallback execution for 32 bits,
-          # armv7 emulation may or may not be installed, causing variance in the result of `uname -m`.
-          # To avoid that, we explicitly list the architectures we do want emulation for.
-          docker run --privileged --rm tonistiigi/binfmt --install linux/amd64
-          docker run --privileged --rm tonistiigi/binfmt --install linux/arm64
-          docker run --privileged --rm tonistiigi/binfmt --install linux/arm/v7
-      - name: "Run unit tests"
-        run: go test -v ./pkg/...
-      - name: "Run integration tests"
-        run: docker run -t --rm --privileged test-integration ./hack/test-integration.sh -test.only-flaky=false
-      - name: "Run integration tests (flaky)"
-        run: docker run -t --rm --privileged test-integration ./hack/test-integration.sh -test.only-flaky=true
-
-  windows:
-    timeout-minutes: 30
-    runs-on: windows-latest
-    defaults:
-      run:
-        shell: bash
-    steps:
-      - uses: actions/checkout@v4.2.2
-        with:
-          fetch-depth: 1
-      - name: Set GO env
-        run: |
-          # Get latest containerd
-          args=(curl --proto '=https' --tlsv1.2 -fsSL -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28")
-          [ "${GITHUB_TOKEN:-}" == "" ] && {
-            >&2 printf "GITHUB_TOKEN is not set - you might face rate limitations with the Github API\n"
-          } || args+=(-H "Authorization: Bearer $GITHUB_TOKEN")
-          ctd_v="$("${args[@]}" https://api.github.com/repos/containerd/containerd/tags | jq -rc .[0].name)"
-          echo "CONTAINERD_VERSION=${ctd_v:1}" >> "$GITHUB_ENV"
-
-          . ./hack/build-integration-canary.sh
-          canary::golang::latest
-      - uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          cache: true
-          check-latest: true
-      - run: go install ./cmd/nerdctl
-      - run: go install -v gotest.tools/gotestsum@v1
-      # This here is solely to get the cni install script, which has not been modified in 3+ years.
-      # There is little to no reason to update this to latest containerd
-      - uses: actions/checkout@v4.2.2
-        with:
-          repository: containerd/containerd
-          ref: "v1.7.23"
-          path: containerd
-          fetch-depth: 1
-      - name: "Set up CNI"
-        working-directory: containerd
-        run: GOPATH=$(go env GOPATH) script/setup/install-cni-windows
-      # Windows setup script can only use released versions
-      - name: "Set up containerd"
-        env:
-          ctrdVersion: ${{ env.CONTAINERD_VERSION }}
-        run: powershell hack/configure-windows-ci.ps1
-      - name: "Run integration tests"
-        run: ./hack/test-integration.sh -test.only-flaky=false
-      - name: "Run integration tests (flaky)"
-        run: ./hack/test-integration.sh -test.only-flaky=true

.github/workflows/test-kube.yml

@@ -1,27 +0,0 @@
-# This pipeline purpose is solely meant to run a subset of our test suites against a kubernetes cluster
-name: kubernetes
-
-on:
-  push:
-    branches:
-      - main
-      - 'release/**'
-  pull_request:
-    paths-ignore:
-      - '**.md'
-
-jobs:
-  linux:
-    runs-on: "ubuntu-24.04"
-    timeout-minutes: 40
-    env:
-      ROOTFUL: true
-    steps:
-      - uses: actions/checkout@v4.2.2
-        with:
-          fetch-depth: 1
-      - name: "Run Kubernetes integration tests"
-        # See https://github.com/containerd/nerdctl/blob/main/docs/testing/README.md#about-parallelization
-        run: |
-          ./hack/build-integration-kubernetes.sh
-          sudo ./_output/nerdctl exec nerdctl-test-control-plane bash -c -- 'export TMPDIR="$HOME"/tmp; mkdir -p "$TMPDIR"; cd /nerdctl-source; /usr/local/go/bin/go test -p 1 ./cmd/nerdctl/... -test.only-kubernetes'

.github/workflows/test.yml

@@ -1,350 +0,0 @@
-name: test
-
-on:
-  push:
-    branches:
-      - main
-      - 'release/**'
-  pull_request:
-    paths-ignore:
-      - '**.md'
-
-env:
-  GO_VERSION: 1.23.x
-  SHORT_TIMEOUT: 5
-  LONG_TIMEOUT: 60
-
-jobs:
-  test-unit:
-    # Supposed to work: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/evaluate-expressions-in-workflows-and-actions#example-returning-a-json-data-type
-    # Apparently does not
-    # timeout-minutes: ${{ fromJSON(env.SHORT_TIMEOUT) }}
-    timeout-minutes: 5
-    name: unit | ${{ matrix.goos }}
-    runs-on: "${{ matrix.os }}"
-    defaults:
-      run:
-        shell: bash
-    strategy:
-      matrix:
-        include:
-          - os: windows-2022
-            goos: windows
-          - os: ubuntu-24.04
-            goos: linux
-    steps:
-      - uses: actions/checkout@v4.2.2
-        with:
-          fetch-depth: 1
-      - uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          check-latest: true
-          cache: true
-      - if: ${{ matrix.goos=='windows' }}
-        uses: actions/checkout@v4.2.2
-        with:
-          repository: containerd/containerd
-          ref: v1.7.23
-          path: containerd
-          fetch-depth: 1
-      - if: ${{ matrix.goos=='windows' }}
-        name: "Set up CNI"
-        working-directory: containerd
-        run: GOPATH=$(go env GOPATH) script/setup/install-cni-windows
-      - name: "Run unit tests"
-        run: make test-unit
-
-  test-integration:
-    timeout-minutes: 60
-    name: rootful | ${{ matrix.containerd }} | ${{ matrix.runner }}
-    runs-on: "${{ matrix.runner }}"
-    strategy:
-      fail-fast: false
-      matrix:
-        # ubuntu-20.04: cgroup v1, ubuntu-22.04 and later: cgroup v2
-        include:
-          - ubuntu: 20.04
-            containerd: v1.6.36
-            runner: "ubuntu-20.04"
-          - ubuntu: 22.04
-            containerd: v1.7.23
-            runner: "ubuntu-22.04"
-          - ubuntu: 24.04
-            containerd: v2.0.0-rc.5
-            runner: "ubuntu-24.04"
-          - ubuntu: 24.04
-            containerd: v2.0.0-rc.5
-            runner: github-arm64-2c-8gb
-    env:
-      UBUNTU_VERSION: "${{ matrix.ubuntu }}"
-      CONTAINERD_VERSION: "${{ matrix.containerd }}"
-    steps:
-      - uses: actions/checkout@v4.2.2
-        with:
-          fetch-depth: 1
-      - name: "Prepare integration test environment"
-        run: docker build -t test-integration --target test-integration --build-arg UBUNTU_VERSION=${UBUNTU_VERSION} --build-arg CONTAINERD_VERSION=${CONTAINERD_VERSION} .
-      - name: "Remove snap loopback devices (conflicts with our loopback devices in TestRunDevice)"
-        run: |
-          sudo systemctl disable --now snapd.service snapd.socket
-          sudo apt-get purge -y snapd
-          sudo losetup -Dv
-          sudo losetup -lv
-      - name: "Register QEMU (tonistiigi/binfmt)"
-        run: |
-          # `--install all` will only install emulation for architectures that cannot be natively executed
-          # Since some arm64 platforms do provide native fallback execution for 32 bits,
-          # armv7 emulation may or may not be installed, causing variance in the result of `uname -m`.
-          # To avoid that, we explicitly list the architectures we do want emulation for.
-          docker run --privileged --rm tonistiigi/binfmt --install linux/amd64
-          docker run --privileged --rm tonistiigi/binfmt --install linux/arm64
-          docker run --privileged --rm tonistiigi/binfmt --install linux/arm/v7
-      - name: "Run integration tests"
-        run: docker run -t --rm --privileged test-integration ./hack/test-integration.sh -test.only-flaky=false
-      - name: "Run integration tests (flaky)"
-        run: docker run -t --rm --privileged test-integration ./hack/test-integration.sh -test.only-flaky=true
-
-  test-integration-ipv6:
-    timeout-minutes: 60
-    name: ipv6 | ${{ matrix.containerd }} | ${{ matrix.ubuntu }}
-    runs-on: "ubuntu-${{ matrix.ubuntu }}"
-    strategy:
-      fail-fast: false
-      matrix:
-        # ubuntu-20.04: cgroup v1, ubuntu-22.04 and later: cgroup v2
-        include:
-          - ubuntu: 24.04
-            containerd: v2.0.0-rc.5
-    env:
-      UBUNTU_VERSION: "${{ matrix.ubuntu }}"
-      CONTAINERD_VERSION: "${{ matrix.containerd }}"
-    steps:
-      - uses: actions/checkout@v4.2.2
-        with:
-          fetch-depth: 1
-      - name: Enable ipv4 and ipv6 forwarding
-        run: |
-          sudo sysctl -w net.ipv6.conf.all.forwarding=1
-          sudo sysctl -w net.ipv4.ip_forward=1
-      - name: Enable IPv6 for Docker
-        run: |
-          sudo mkdir -p /etc/docker
-          echo '{"ipv6": true, "fixed-cidr-v6": "2001:db8:1::/64", "experimental": true, "ip6tables": true}' | sudo tee /etc/docker/daemon.json
-          sudo systemctl restart docker
-      - name: "Prepare integration test environment"
-        run: docker build -t test-integration --target test-integration --build-arg UBUNTU_VERSION=${UBUNTU_VERSION} --build-arg CONTAINERD_VERSION=${CONTAINERD_VERSION} .
-      - name: "Remove snap loopback devices (conflicts with our loopback devices in TestRunDevice)"
-        run: |
-          sudo systemctl disable --now snapd.service snapd.socket
-          sudo apt-get purge -y snapd
-          sudo losetup -Dv
-          sudo losetup -lv
-      - name: "Register QEMU (tonistiigi/binfmt)"
-        run: |
-          # `--install all` will only install emulation for architectures that cannot be natively executed
-          # Since some arm64 platforms do provide native fallback execution for 32 bits,
-          # armv7 emulation may or may not be installed, causing variance in the result of `uname -m`.
-          # To avoid that, we explicitly list the architectures we do want emulation for.
-          docker run --privileged --rm tonistiigi/binfmt --install linux/amd64
-          docker run --privileged --rm tonistiigi/binfmt --install linux/arm64
-          docker run --privileged --rm tonistiigi/binfmt --install linux/arm/v7
-      - name: "Run integration tests"
-        # The nested IPv6 network inside docker and qemu is complex and needs a bunch of sysctl config.
-        # Therefore, it's hard to debug why the IPv6 tests fail in such an isolation layer.
-        # On the other side, using the host network is easier at configuration.
-        # Besides, each job is running on a different instance, which means using host network here
-        # is safe and has no side effects on others.
-        run: docker run --network host -t --rm --privileged test-integration ./hack/test-integration.sh -test.only-ipv6
-
-  test-integration-rootless:
-    timeout-minutes: 60
-    name: "${{ matrix.target }} | ${{ matrix.containerd }} | ${{ matrix.rootlesskit }} | ${{ matrix.ubuntu }}"
-    runs-on: "ubuntu-${{ matrix.ubuntu }}"
-    strategy:
-      fail-fast: false
-      matrix:
-        # ubuntu-20.04: cgroup v1, ubuntu-22.04 and later: cgroup v2
-        include:
-          - ubuntu: 20.04
-            containerd: v1.6.36
-            rootlesskit: v1.1.1  # Deprecated
-            target: rootless
-          - ubuntu: 22.04
-            containerd: v1.7.23
-            rootlesskit: v2.3.1
-            target: rootless
-          - ubuntu: 24.04
-            containerd: v2.0.0-rc.5
-            rootlesskit: v2.3.1
-            target: rootless
-          - ubuntu: 24.04
-            containerd: v1.7.23
-            rootlesskit: v2.3.1
-            target: rootless-port-slirp4netns
-    env:
-      UBUNTU_VERSION: "${{ matrix.ubuntu }}"
-      CONTAINERD_VERSION: "${{ matrix.containerd }}"
-      ROOTLESSKIT_VERSION: "${{ matrix.rootlesskit }}"
-      TEST_TARGET: "test-integration-${{ matrix.target }}"
-    steps:
-      - name: "Set up AppArmor"
-        if: matrix.ubuntu == '24.04'
-        run: |
-          cat <<EOT | sudo tee "/etc/apparmor.d/usr.local.bin.rootlesskit"
-          abi <abi/4.0>,
-          include <tunables/global>
-
-          /usr/local/bin/rootlesskit flags=(unconfined) {
-            userns,
-
-            # Site-specific additions and overrides. See local/README for details.
-            include if exists <local/usr.local.bin.rootlesskit>
-          }
-          EOT
-          sudo systemctl restart apparmor.service
-      - uses: actions/checkout@v4.2.2
-        with:
-          fetch-depth: 1
-      - name: "Register QEMU (tonistiigi/binfmt)"
-        run: |
-          # `--install all` will only install emulation for architectures that cannot be natively executed
-          # Since some arm64 platforms do provide native fallback execution for 32 bits,
-          # armv7 emulation may or may not be installed, causing variance in the result of `uname -m`.
-          # To avoid that, we explicitly list the architectures we do want emulation for.
-          docker run --privileged --rm tonistiigi/binfmt --install linux/amd64
-          docker run --privileged --rm tonistiigi/binfmt --install linux/arm64
-          docker run --privileged --rm tonistiigi/binfmt --install linux/arm/v7
-      - name: "Prepare (network driver=slirp4netns, port driver=builtin)"
-        run: docker build -t ${TEST_TARGET} --target ${TEST_TARGET} --build-arg UBUNTU_VERSION=${UBUNTU_VERSION} --build-arg CONTAINERD_VERSION=${CONTAINERD_VERSION} --build-arg ROOTLESSKIT_VERSION=${ROOTLESSKIT_VERSION} .
-      - name: "Disable BuildKit for RootlessKit v1 (workaround for issue #622)"
-        run: |
-          # https://github.com/containerd/nerdctl/issues/622
-          WORKAROUND_ISSUE_622=
-          if echo "${ROOTLESSKIT_VERSION}" | grep -q v1; then
-            WORKAROUND_ISSUE_622=1
-          fi
-          echo "WORKAROUND_ISSUE_622=${WORKAROUND_ISSUE_622}" >> "$GITHUB_ENV"
-      - name: "Test (network driver=slirp4netns, port driver=builtin)"
-        run: docker run -t --rm --privileged -e WORKAROUND_ISSUE_622=${WORKAROUND_ISSUE_622} ${TEST_TARGET} /test-integration-rootless.sh ./hack/test-integration.sh -test.only-flaky=false
-      - name: "Test (network driver=slirp4netns, port driver=builtin) (flaky)"
-        run: docker run -t --rm --privileged -e WORKAROUND_ISSUE_622=${WORKAROUND_ISSUE_622} ${TEST_TARGET} /test-integration-rootless.sh ./hack/test-integration.sh -test.only-flaky=true
-
-  build:
-    timeout-minutes: 5
-    name: "build | ${{ matrix.go-version }}"
-    runs-on: ubuntu-24.04
-    strategy:
-      matrix:
-        go-version: ["1.22.x", "1.23.x"]
-    steps:
-      - uses: actions/checkout@v4.2.2
-        with:
-          fetch-depth: 1
-      - uses: actions/setup-go@v5
-        with:
-          go-version: ${{ matrix.go-version }}
-          cache: true
-          check-latest: true
-      - name: "build"
-        run: GO_VERSION="$(echo ${{ matrix.go-version }} | sed -e s/.x//)" make binaries
-
-  test-integration-docker-compatibility:
-    timeout-minutes: 60
-    name: docker
-    runs-on: ubuntu-24.04
-    steps:
-      - uses: actions/checkout@v4.2.2
-        with:
-          fetch-depth: 1
-      - uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          cache: true
-          check-latest: true
-      - name: "Print docker info"
-        run: |
-          set -eux -o pipefail
-          docker info
-          docker version
-      - name: "Register QEMU (tonistiigi/binfmt)"
-        run: |
-          # `--install all` will only install emulation for architectures that cannot be natively executed
-          # Since some arm64 platforms do provide native fallback execution for 32 bits,
-          # armv7 emulation may or may not be installed, causing variance in the result of `uname -m`.
-          # To avoid that, we explicitly list the architectures we do want emulation for.
-          docker run --privileged --rm tonistiigi/binfmt --install linux/amd64
-          docker run --privileged --rm tonistiigi/binfmt --install linux/arm64
-          docker run --privileged --rm tonistiigi/binfmt --install linux/arm/v7
-      - name: "Prepare integration test environment"
-        run: |
-          sudo apt-get install -y expect
-          go install -v gotest.tools/gotestsum@v1
-      - name: "Ensure that the integration test suite is compatible with Docker"
-        run: WITH_SUDO=true ./hack/test-integration.sh -test.target=docker
-      - name: "Ensure that the IPv6 integration test suite is compatible with Docker"
-        run: WITH_SUDO=true ./hack/test-integration.sh -test.target=docker -test.only-ipv6
-      - name: "Ensure that the integration test suite is compatible with Docker (flaky only)"
-        run: WITH_SUDO=true ./hack/test-integration.sh -test.target=docker -test.only-flaky
-
-  test-integration-windows:
-    timeout-minutes: 30
-    name: windows
-    runs-on: windows-2022
-    defaults:
-      run:
-        shell: bash
-    steps:
-      - uses: actions/checkout@v4.2.2
-        with:
-          fetch-depth: 1
-      - uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          cache: true
-          check-latest: true
-      - run: go install ./cmd/nerdctl
-      - run: go install -v gotest.tools/gotestsum@v1
-      - uses: actions/checkout@v4.2.2
-        with:
-          repository: containerd/containerd
-          ref: v1.7.23
-          path: containerd
-          fetch-depth: 1
-      - name: "Set up CNI"
-        working-directory: containerd
-        run: GOPATH=$(go env GOPATH) script/setup/install-cni-windows
-      - name: "Set up containerd"
-        env:
-          ctrdVersion: 1.7.23
-        run: powershell hack/configure-windows-ci.ps1
-      - name: "Run integration tests"
-        run: ./hack/test-integration.sh -test.only-flaky=false
-      - name: "Run integration tests (flaky)"
-        run: ./hack/test-integration.sh -test.only-flaky=true
-
-  test-integration-freebsd:
-    timeout-minutes: 60
-    name: FreeBSD
-    # ubuntu-24.04 lacks the vagrant package
-    runs-on: ubuntu-22.04
-
-    steps:
-      - uses: actions/checkout@v4.2.2
-      - uses: actions/cache@v4
-        with:
-          path: /root/.vagrant.d
-          key: vagrant-${{ matrix.box }}
-      - name: Set up vagrant
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y libvirt-daemon libvirt-daemon-system vagrant vagrant-libvirt
-          sudo systemctl enable --now libvirtd
-      - name: Boot VM
-        run: |
-          ln -sf Vagrantfile.freebsd Vagrantfile
-          sudo vagrant up --no-tty
-      - name: test-unit
-        run: sudo vagrant up --provision-with=test-unit
-      - name: test-integration
-        run: sudo vagrant up --provision-with=test-integration

.github/workflows/workflow-flaky.yml

@@ -0,0 +1,56 @@
+# This workflow puts together all known "flaky" and experimental targets
+name: "[flaky, see #3988]"
+
+on:
+  push:
+    branches:
+      - main
+      - 'release/**'
+  pull_request:
+    paths-ignore:
+      - '**.md'
+
+jobs:
+  test-integration-el:
+    name: "EL${{ inputs.hack }}"
+    uses: ./.github/workflows/job-test-in-lima.yml
+    strategy:
+      fail-fast: false
+      # EL8 is used for testing compatibility with cgroup v1.
+      # Unfortunately, EL8 is hard to debug for M1 users (as Lima+M1+EL8 is not runnable because of page size),
+      # and it currently shows numerous issues.
+      # Thus, EL9 is also added as target (for a limited time?) so that we can figure out which issues are EL8 specific,
+      # and which issues could be reproduced on EL9 as well (which would be easier to debug).
+      matrix:
+        guest: ["almalinux-8", "almalinux-9"]
+        target: ["rootful", "rootless"]
+    with:
+      timeout: 60
+      runner: ubuntu-24.04
+      guest: ${{ matrix.guest }}
+      target: ${{ matrix.target }}
+
+  test-integration-freebsd:
+    name: "FreeBSD"
+    uses: ./.github/workflows/job-test-in-vagrant.yml
+    with:
+      timeout: 15
+      runner: ubuntu-24.04
+
+  kube:
+    name: "kubernetes"
+    runs-on: ubuntu-24.04
+    timeout-minutes: 15
+    env:
+      ROOTFUL: true
+    steps:
+      - name: "Init: checkout"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          fetch-depth: 1
+      - name: "Run"
+        run: |
+          # FIXME: this should be a bit more elegant to use.
+          ./hack/provisioning/kube/kind.sh
+          # See https://github.com/containerd/nerdctl/blob/main/docs/testing/README.md#about-parallelization
+          sudo ./_output/nerdctl exec nerdctl-test-control-plane bash -c -- 'export TMPDIR="$HOME"/tmp; mkdir -p "$TMPDIR"; cd /nerdctl-source; /usr/local/go/bin/go test -p 1 ./cmd/nerdctl/... -test.only-kubernetes'

.github/workflows/workflow-lint.yml

@@ -0,0 +1,80 @@
+name: lint
+
+on:
+  push:
+    branches:
+      - main
+      - 'release/**'
+  pull_request:
+
+jobs:
+  # Runs golangci to ensure that:
+  # 1. the tooling is working on the target platform
+  # 2. the linter is happy
+  # 3. for canary (if there is a canary go version), does lint for all supported goos
+  lint-go:
+    name: "go${{ inputs.hack }}"
+    uses: ./.github/workflows/job-lint-go.yml
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - runner: ubuntu-24.04
+            goos: linux
+          - runner: ubuntu-24.04
+            goos: freebsd
+          - runner: macos-15
+            goos: darwin
+          # FIXME: this is currently failing in a nonsensical way, so, running on linux instead...
+          # - runner: windows-2022
+          - runner: ubuntu-24.04
+            goos: windows
+          # Additionally lint for canary
+          - runner: ubuntu-24.04
+            goos: linux
+            canary: true
+    with:
+      timeout: 5
+      go-version: "1.24"
+      runner: ubuntu-24.04
+      # Note: in GitHub yaml world, if `matrix.canary` is undefined, and is passed to `inputs.canary`, the job
+      # will not run. However, if you test it, it will coerce to `false`, hence:
+      canary: ${{ matrix.canary && true || false }}
+      goos: ${{ matrix.goos }}
+
+  # Run common project checks (commits, licenses, etc)
+  lint-project-checks:
+    name: "project checks"
+    uses: ./.github/workflows/job-lint-project.yml
+    with:
+      timeout: 5
+      go-version: "1.24"
+      runner: ubuntu-24.04
+
+  # Lint for shell and yaml files
+  lint-other:
+    name: "other"
+    uses: ./.github/workflows/job-lint-other.yml
+    with:
+      timeout: 5
+      runner: ubuntu-24.04
+
+  # Verify we can actually build on all supported platforms, and a bunch of architectures
+  build-for-go:
+    name: "build for${{ inputs.hack }}"
+    uses: ./.github/workflows/job-build.yml
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          # Build for both old and stable go
+          - go-version: "1.23"
+          - go-version: "1.24"
+          # Additionally build for canary
+          - go-version: "1.24"
+            canary: true
+    with:
+      timeout: 10
+      go-version: ${{ matrix.go-version }}
+      runner: ubuntu-24.04
+      canary: ${{ matrix.canary && true || false }}

.github/workflows/workflow-test.yml

@@ -0,0 +1,149 @@
+name: test
+
+on:
+  push:
+    branches:
+      - main
+      - 'release/**'
+  pull_request:
+    paths-ignore:
+      - '**.md'
+
+jobs:
+  test-unit:
+    # Note: inputs.hack is undefined - its purpose is to prevent GitHub Actions from displaying all matrix variants as part of the name.
+    name: "unit${{ inputs.hack }}"
+    uses: ./.github/workflows/job-test-unit.yml
+    strategy:
+      fail-fast: false
+      matrix:
+        # Run on all supported platforms but freebsd
+        # Additionally run on canary for linux
+        include:
+          - runner: "ubuntu-24.04"
+          - runner: "macos-15"
+          - runner: "windows-2025"
+          - runner: "ubuntu-24.04"
+            canary: true
+    with:
+      runner: ${{ matrix.runner }}
+      canary: ${{ matrix.canary && true || false }}
+      # Windows routinely go over 5 minutes
+      timeout: 10
+      go-version: 1.24
+      windows-cni-version: v0.3.1
+      linux-cni-version: v1.7.1
+      linux-cni-sha: 1a28a0506bfe5bcdc981caf1a49eeab7e72da8321f1119b7be85f22621013098
+
+  # This job builds the dependency target of the test-image for all supported architectures and cache it in GHA
+  build-dependencies:
+    name: "dependencies${{ inputs.hack }}"
+    uses: ./.github/workflows/job-test-dependencies.yml
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          # Build for arm & amd, current containerd
+          - runner: ubuntu-24.04
+          - runner: ubuntu-24.04-arm
+          # Additionally build for old containerd on amd
+          - runner: ubuntu-24.04
+            containerd-version: v1.6.38
+    with:
+      runner: ${{ matrix.runner }}
+      containerd-version: ${{ matrix.containerd-version }}
+      timeout: 20
+
+  test-integration-container:
+    name: "in-container${{ inputs.hack }}"
+    uses: ./.github/workflows/job-test-in-container.yml
+    needs: build-dependencies
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          ###### Rootless
+          # amd64
+          - runner: ubuntu-24.04
+            target: rootless
+          # arm64
+          - runner: ubuntu-24.04-arm
+            target: rootless
+          # port-slirp4netns
+          - runner: ubuntu-24.04
+            target: rootless-port-slirp4netns
+          # old containerd + old ubuntu + old rootlesskit
+          - runner: ubuntu-22.04
+            target: rootless
+            containerd-version: v1.6.38
+            rootlesskit-version: v1.1.1
+          # gomodjail
+          - runner: ubuntu-24.04
+            target: rootless
+            binary: "nerdctl.gomodjail"
+          ###### Rootful
+          # amd64
+          - runner: ubuntu-24.04
+            target: rootful
+          # arm64
+          - runner: ubuntu-24.04-arm
+            target: rootful
+          # old containerd + old ubuntu
+          - runner: ubuntu-22.04
+            target: rootful
+            containerd-version: v1.6.38
+          # ipv6
+          - runner: ubuntu-24.04
+            target: rootful
+            ipv6: true
+          # all canary
+          - runner: ubuntu-24.04
+            target: rootful
+            canary: true
+
+    with:
+      timeout: 60
+      runner: ${{ matrix.runner }}
+      target: ${{ matrix.target }}
+      binary: ${{ matrix.binary && matrix.binary || 'nerdctl' }}
+      containerd-version: ${{ matrix.containerd-version }}
+      rootlesskit-version: ${{ matrix.rootlesskit-version }}
+      ipv6: ${{ matrix.ipv6 && true || false }}
+      canary: ${{ matrix.canary && true || false }}
+
+  test-integration-host:
+    name: "in-host${{ inputs.hack }}"
+    uses: ./.github/workflows/job-test-in-host.yml
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          # Test on windows w/o canary
+          - runner: windows-2022
+          - runner: windows-2025
+            canary: true
+          # Test docker on linux
+          - runner: ubuntu-24.04
+            binary: docker
+
+          # FIXME: running nerdctl on the host is work in progress
+          # (we miss runc to be installed on the host - and obviously other deps)
+          # Plan is to pause this for now and first consolidate dependencies management (wrt Dockerfile vs. host-testing CI)
+          # before we can really start testing linux nerdctl on the host.
+          # - runner: ubuntu-24.04
+          # - runner: ubuntu-24.04
+          #  canary: true
+    with:
+      timeout: 45
+      runner: ${{ matrix.runner }}
+      binary: ${{ matrix.binary != '' && matrix.binary || 'nerdctl' }}
+      canary: ${{ matrix.canary && true || false }}
+      go-version: 1.24
+      windows-cni-version: v0.3.1
+      docker-version: 5:28.0.4-1~ubuntu.24.04~noble
+      containerd-version: 2.1.3
+      # Note: these as for amd64
+      containerd-sha: 436cc160c33b37ec25b89fb5c72fc879ab2b3416df5d7af240c3e9c2f4065d3c
+      containerd-service-sha: 1941362cbaa89dd591b99c32b050d82c583d3cd2e5fa63085d7017457ec5fca8
+      linux-cni-version: v1.7.1
+      linux-cni-sha: 1a28a0506bfe5bcdc981caf1a49eeab7e72da8321f1119b7be85f22621013098

.github/workflows/workflow-tigron.yml

@@ -0,0 +1,95 @@
+name: tigron
+
+on:
+  push:
+    branches:
+      - main
+      - 'release/**'
+  pull_request:
+    paths: 'mod/tigron/**'
+
+env:
+  GO_VERSION: "1.24"
+  GOTOOLCHAIN: local
+
+jobs:
+  lint:
+    timeout-minutes: 15
+    name: "${{ matrix.goos }} ${{ matrix.runner }} | go ${{ matrix.canary }}"
+    runs-on: ${{ matrix.runner }}
+    defaults:
+      run:
+        shell: bash
+    strategy:
+      matrix:
+        include:
+          - runner: ubuntu-24.04
+          - runner: macos-15
+          - runner: windows-2022
+          - runner: ubuntu-24.04
+            goos: freebsd
+          - runner: ubuntu-24.04
+            canary: go-canary
+    steps:
+      - name: "Checkout project"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          fetch-depth: 100
+      - if: ${{ matrix.canary }}
+        name: "Init (canary): retrieve GO_VERSION"
+        run: |
+          latest_go="$(. ./hack/provisioning/version/fetch.sh; go::canary::for::go-setup)"
+          printf "GO_VERSION=%s\n" "$latest_go" >> "$GITHUB_ENV"
+          [ "$latest_go" != "" ] || \
+            echo "::warning title=No canary go::There is currently no canary go version to test. Steps will not run."
+      - if: ${{ env.GO_VERSION != '' }}
+        name: "Install go"
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5  # v5.5.0
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          check-latest: true
+      - if: ${{ env.GO_VERSION != '' }}
+        name: "Install tools"
+        run: |
+          cd mod/tigron
+          echo "::group:: make install-dev-tools"
+          make install-dev-tools
+          if [ "$RUNNER_OS" == macOS ]; then
+            brew install yamllint shellcheck
+          fi
+          echo "::endgroup::"
+      - if: ${{ env.GO_VERSION != '' && matrix.goos == '' }}
+        name: "lint"
+        env:
+          NO_COLOR: true
+        run: |
+          if [ "$RUNNER_OS" == Linux ]; then
+            echo "::group:: lint"
+            cd mod/tigron
+            export LINT_COMMIT_RANGE="$(jq -r '.after + "..HEAD"' ${GITHUB_EVENT_PATH})"
+            make lint
+            echo "::endgroup::"
+          else
+            echo "Lint is disabled on $RUNNER_OS"
+          fi
+      - if: ${{ env.GO_VERSION != '' }}
+        name: "test-unit"
+        run: |
+          echo "::group:: unit test"
+          cd mod/tigron
+          make test-unit
+          echo "::endgroup::"
+      - if: ${{ env.GO_VERSION != '' }}
+        name: "test-unit-race"
+        run: |
+          echo "::group:: race test"
+          cd mod/tigron
+          make test-unit-race
+          echo "::endgroup::"
+      - if: ${{ env.GO_VERSION != '' }}
+        name: "test-unit-bench"
+        run: |
+          echo "::group:: bench"
+          cd mod/tigron
+          make test-unit-bench
+          echo "::endgroup::"

.gitignore

@@ -1,6 +1,7 @@
 # artifacts
 /nerdctl
 _output
+*.gomodjail
 
 # golangci-lint
 /build

.golangci.yml

@@ -1,142 +1,275 @@
----
+version: "2"
+
 run:
-  concurrency: 6
-  timeout: 5m
-linters:
-  disable-all: true
-  enable:
-    # - depguard
-    - gofmt
-    - goimports
-    - govet
-    - ineffassign
-    - misspell
-    - nakedret
-    - prealloc
-    - typecheck
-    # - asciicheck
-    # - bodyclose
-    # - dogsled
-    # - dupl
-    # - errcheck
-    # - errorlint
-    # - exhaustive
-    # - exhaustivestruct
-    # - exportloopref
-    # - funlen
-    # - gci
-    # - gochecknoglobals
-    # - gochecknoinits
-    # - gocognit
-    # - goconst
-    # - gocritic
-    # - gocyclo
-    # - godot
-    # - godox
-    # - goerr113
-    # - gofumpt
-    # - goheader
-    # - golint
-    # - gomnd
-    # - gomodguard
-    # - goprintffuncname
-    # - gosec (gas)
-    - gosimple  # (megacheck)
-    # - interfacer
-    # - lll
-    # - maligned
-    # - nestif
-    # - nlreturn
-    # - noctx
-    # - nolintlint
-    - revive
-    # - rowserrcheck
-    # - scopelint
-    # - sqlclosecheck
-    - staticcheck
-    - stylecheck
-    # - testpackage
-    # - tparallel
-    - unconvert
-    # - unparam
-    - unused
-    # - whitespace
-    # - wrapcheck
-    # - wsl
-linters-settings:
-  gocritic:
-    enabled-checks:
-      # Diagnostic
-      - appendAssign
-      - argOrder
-      - badCond
-      - caseOrder
-      - codegenComment
-      - commentedOutCode
-      - deprecatedComment
-      - dupArg
-      - dupBranchBody
-      - dupCase
-      - dupSubExpr
-      - exitAfterDefer
-      - flagDeref
-      - flagName
-      - nilValReturn
-      - offBy1
-      - sloppyReassign
-      - weakCond
-      - octalLiteral
-
-      # Performance
-      - appendCombine
-      - equalFold
-      - hugeParam
-      - indexAlloc
-      - rangeExprCopy
-      - rangeValCopy
-
-      # Style
-      - assignOp
-      - boolExprSimplify
-      - captLocal
-      - commentFormatting
-      - commentedOutImport
-      - defaultCaseOrder
-      - docStub
-      - elseif
-      - emptyFallthrough
-      - emptyStringTest
-      - hexLiteral
-      - ifElseChain
-      - methodExprCall
-      - regexpMust
-      - singleCaseSwitch
-      - sloppyLen
-      - stringXbytes
-      - switchTrue
-      - typeAssertChain
-      - typeSwitchVar
-      - underef
-      - unlabelStmt
-      - unlambda
-      - unslice
-      - valSwap
-      - wrapperFunc
-      - yodaStyleExpr
-
-      # Opinionated
-      - builtinShadow
-      - importShadow
-      - initClause
-      - nestingReduce
-      - paramTypeCombine
-      - ptrToRefParam
-      - typeUnparen
-      - unnamedResult
-      - unnecessaryBlock
+  modules-download-mode: readonly
 
 issues:
-  exclude-rules:
-    - linters:
-        - revive
-      text: "unused-parameter"
+  max-issues-per-linter: 0
+  max-same-issues: 0
+
+linters:
+  default: none
+  enable:
+    # 1. This is the default enabled set of golanci
+
+    # We should consider enabling errcheck
+    # - errcheck
+    - govet
+    - ineffassign
+    - staticcheck
+    - unused
+
+    # 2. These are not part of the default set
+
+    # Important to prevent import of certain packages
+    - depguard
+    # Removes unnecessary conversions
+    - unconvert
+    # Flag common typos
+    - misspell
+    # A meta-linter seen as a good replacement for golint
+    - revive
+    # Gocritic
+    - gocritic
+    - forbidigo
+
+    # 3. We used to use these, but have now removed them
+
+    # Use of prealloc is generally premature optimization and performance profiling should be done instead
+    # https://golangci-lint.run/usage/linters/#prealloc
+    # - prealloc
+    # Provided by revive in a better way
+    # - nakedret
+
+  settings:
+    forbidigo:
+      forbid:
+        # FIXME: there are still calls to os.WriteFile in tests under `cmd`
+        - pattern: ^os\.WriteFile.*$
+          pkg: github.com/containerd/nerdctl/v2/pkg
+          msg: os.WriteFile is neither atomic nor durable - use nerdctl filesystem.WriteFile instead
+        - pattern: ^os\.ReadFile.*$
+          pkg: github.com/containerd/nerdctl/v2/pkg
+          msg: use filesystem.ReadFile instead of os.ReadFile
+    staticcheck:
+      checks:
+        # Below is the default set
+        - "all"
+        - "-ST1000"
+        - "-ST1003"
+        - "-ST1016"
+        - "-ST1020"
+        - "-ST1021"
+        - "-ST1022"
+
+        ##### TODO: fix and enable these
+        # 6 occurrences.
+        # Apply De Morgan’s law https://staticcheck.dev/docs/checks#QF1001
+        - "-QF1001"
+        # 10 occurrences.
+        # Convert if/else-if chain to tagged switch https://staticcheck.dev/docs/checks#QF1003
+        - "-QF1003"
+
+        ##### These have been vetted to be disabled.
+        # 55 occurrences. Omit embedded fields from selector expression https://staticcheck.dev/docs/checks#QF1008
+        # Usefulness is questionable.
+        - "-QF1008"
+
+    revive:
+      enable-all-rules: true
+      rules:
+        # See https://revive.run/r
+
+        ##### P0: we should do it ASAP.
+        - name: max-control-nesting
+          # 10 occurences (at default 5). Deep nesting hurts readibility.
+          arguments: [7]
+        - name: deep-exit
+          # 11 occurrences. Do not exit in random places.
+          disabled: true
+        - name: unchecked-type-assertion
+          # 14 occurrences. This is generally risky and encourages bad coding for newcomers.
+          disabled: true
+        - name: bare-return
+          # 31 occurrences. Bare returns are just evil, very unfriendly, and make reading and editing much harder.
+          disabled: true
+        - name: import-shadowing
+          # 44 occurrences. Shadowing makes things prone to errors / confusing to read.
+          disabled: true
+        - name: use-errors-new
+          # 84 occurrences. Improves error testing.
+          disabled: true
+
+        ##### P1: consider making a dent on these, but not critical.
+        - name: argument-limit
+          # 4 occurrences (at default 8). Long windy arguments list for functions are hard to read. Use structs instead.
+          arguments: [12]
+        - name: unnecessary-stmt
+          # 5 occurrences. Increase readability.
+          disabled: true
+        - name: defer
+          # 7 occurrences. Confusing to read for newbies.
+          disabled: true
+        - name: confusing-naming
+          # 10 occurrences. Hurts readability.
+          disabled: true
+        - name: early-return
+          # 10 occurrences. Would improve readability.
+          disabled: true
+        - name: function-result-limit
+          # 12 occurrences (at default 3). A function returning many results is probably too big.
+          arguments: [7]
+        - name: function-length
+          # 155 occurrences (at default 0, 75). Really long functions should really be broken up in most cases.
+          arguments: [0, 500]
+        - name: cyclomatic
+          # 204 occurrences (at default 10)
+          arguments: [100]
+        - name: unhandled-error
+          # 222 occurrences. Could indicate failure to handle broken conditions.
+          disabled: true
+        - name: cognitive-complexity
+          arguments: [205]
+          # 441 occurrences (at default 7). We should try to lower it (involves significant refactoring).
+
+        ##### P2: nice to have.
+        - name: max-public-structs
+          # 7 occurrences (at default 5). Might indicate overcrowding of public API.
+          arguments: [25]
+        - name: confusing-results
+          # 13 occurrences. Have named returns when the type stutters.
+          # Makes it a bit easier to figure out function behavior just looking at signature.
+          disabled: true
+        - name: comment-spacings
+          # 50 occurrences. Makes code look less wonky / ease readability.
+          disabled: true
+        - name: use-any
+          # 30 occurrences. `any` instead of `interface{}`. Cosmetic.
+          disabled: true
+        - name: empty-lines
+          # 85 occurrences. Makes code look less wonky / ease readability.
+          disabled: true
+        - name: package-comments
+          # 100 occurrences. Better for documentation...
+          disabled: true
+        - name: exported
+          # 577 occurrences. Forces documentation of any exported symbol.
+          disabled: true
+
+        ###### Permanently disabled. Below have been reviewed and vetted to be unnecessary.
+        - name: line-length-limit
+          # Formatter `golines` takes care of this.
+          disabled: true
+        - name: nested-structs
+          # 5 occurrences. Trivial. This is not that hard to read.
+          disabled: true
+        - name: flag-parameter
+          # 52 occurrences. Not sure if this is valuable.
+          disabled: true
+        - name: unused-parameter
+          # 505 occurrences. A lot of work for a marginal improvement.
+          disabled: true
+        - name: unused-receiver
+          # 31 occurrences. Ibid.
+          disabled: true
+        - name: add-constant
+          # 2605 occurrences. Kind of useful in itself, but unacceptable amount of effort to fix
+          disabled: true
+
+    depguard:
+      rules:
+        no-patent:
+          # do not link in golang-lru anywhere (problematic patent)
+          deny:
+            - pkg: github.com/hashicorp/golang-lru/arc/v2
+              desc: patented (https://github.com/hashicorp/golang-lru/blob/arc/v2.0.7/arc/arc.go#L18)
+        pkg:
+          # pkg files must not depend on cobra nor anything in cmd
+          files:
+            - '**/pkg/**/*.go'
+          deny:
+            - pkg: github.com/spf13/cobra
+              desc: pkg must not depend on cobra
+            - pkg: github.com/spf13/pflag
+              desc: pkg must not depend on pflag
+            - pkg: github.com/spf13/viper
+              desc: pkg must not depend on viper
+            - pkg: github.com/containerd/nerdctl/v2/cmd
+              desc: pkg must not depend on any cmd files
+    gocritic:
+      disabled-checks:
+        # Below are normally enabled by default, but we do not pass
+        - appendAssign
+        - ifElseChain
+        - unslice
+        - badCall
+        - assignOp
+        - commentFormatting
+        - captLocal
+        - singleCaseSwitch
+        - wrapperFunc
+        - elseif
+        - regexpMust
+      enabled-checks:
+        # Below used to be enabled, but we do not pass anymore
+        # - paramTypeCombine
+        # - octalLiteral
+        # - unnamedResult
+        # - equalFold
+        # - sloppyReassign
+        # - emptyStringTest
+        # - hugeParam
+        # - appendCombine
+        # - stringXbytes
+        # - ptrToRefParam
+        # - commentedOutCode
+        # - rangeValCopy
+        # - methodExprCall
+        # - yodaStyleExpr
+        # - typeUnparen
+
+        # We enabled these and we pass
+        - nilValReturn
+        - weakCond
+        - indexAlloc
+        - rangeExprCopy
+        - boolExprSimplify
+        - commentedOutImport
+        - docStub
+        - emptyFallthrough
+        - hexLiteral
+        - typeAssertChain
+        - unlabelStmt
+        - builtinShadow
+        - importShadow
+        - initClause
+        - nestingReduce
+        - unnecessaryBlock
+  exclusions:
+    generated: disable
+
+formatters:
+  settings:
+    gci:
+      sections:
+        - standard
+        - default
+        - prefix(github.com/containerd)
+        - localmodule
+      no-inline-comments: true
+      no-prefix-comments: true
+      custom-order: true
+    gofumpt:
+      extra-rules: true
+    golines:
+      max-len: 500
+      tab-len: 4
+      shorten-comments: true
+  enable:
+    - gci
+    - gofmt
+    # We might consider enabling the following:
+    #    - gofumpt
+    - golines
+  exclusions:
+    generated: disable

BUILDING.md

@@ -0,0 +1,22 @@
+# Building nerdctl
+
+To build nerdctl, use `make`:
+
+```bash
+make
+sudo make install
+```
+
+Alternatively, nerdctl can be also built with `go build ./cmd/nerdctl`.
+However, this is not recommended as it does not populate the version string (`nerdctl -v`).
+
+## Customization
+
+To specify build tags, set the `BUILDTAGS` variable as follows:
+
+```bash
+BUILDTAGS=no_ipfs make
+```
+
+The following build tags are supported:
+* `no_ipfs` (since v2.1.3): Disable IPFS

Dockerfile

@@ -15,136 +15,145 @@
 # -----------------------------------------------------------------------------
 # Usage: `docker run -it --privileged <IMAGE>`. Make sure to add `-t` and `--privileged`.
 
-# TODO: verify commit hash
-
 # Basic deps
-ARG CONTAINERD_VERSION=v2.0.0-rc.6
-ARG RUNC_VERSION=v1.2.0
-ARG CNI_PLUGINS_VERSION=v1.6.0
+# @BINARY: the binary checksums are verified via Dockerfile.d/SHA256SUMS.d/<COMPONENT>-<VERSION>
+ARG CONTAINERD_VERSION=v2.1.3@c787fb98911740dd3ff2d0e45ce88cdf01410486
+ARG RUNC_VERSION=v1.3.0@4ca628d1d4c974f92d24daccb901aa078aad748e
+ARG CNI_PLUGINS_VERSION=v1.7.1@BINARY
 
 # Extra deps: Build
-ARG BUILDKIT_VERSION=v0.16.0
+ARG BUILDKIT_VERSION=v0.23.2@BINARY
 # Extra deps: Lazy-pulling
-ARG STARGZ_SNAPSHOTTER_VERSION=v0.15.1
+ARG STARGZ_SNAPSHOTTER_VERSION=v0.16.3@BINARY
 # Extra deps: Encryption
-ARG IMGCRYPT_VERSION=v1.1.11
+ARG IMGCRYPT_VERSION=v2.0.1@c377ec98ff79ec9205eabf555ebd2ea784738c6c
 # Extra deps: Rootless
-ARG ROOTLESSKIT_VERSION=v2.3.1
-ARG SLIRP4NETNS_VERSION=v1.3.1
+ARG ROOTLESSKIT_VERSION=v2.3.5@BINARY
+ARG SLIRP4NETNS_VERSION=v1.3.3@BINARY
 # Extra deps: bypass4netns
-ARG BYPASS4NETNS_VERSION=v0.4.1
+ARG BYPASS4NETNS_VERSION=v0.4.2@aa04bd3dcc48c6dae6d7327ba219bda8fe2a4634
 # Extra deps: FUSE-OverlayFS
-ARG FUSE_OVERLAYFS_VERSION=v1.14
-ARG CONTAINERD_FUSE_OVERLAYFS_VERSION=v1.0.8
+ARG FUSE_OVERLAYFS_VERSION=v1.15@BINARY
+ARG CONTAINERD_FUSE_OVERLAYFS_VERSION=v2.1.6@BINARY
 # Extra deps: Init
-ARG TINI_VERSION=v0.19.0
+ARG TINI_VERSION=v0.19.0@BINARY
 # Extra deps: Debug
-ARG BUILDG_VERSION=v0.4.1
+ARG BUILDG_VERSION=v0.5.3@BINARY
+# Extra deps: gomodjail
+ARG GOMODJAIL_VERSION=v0.1.2@0a86b34442a491fa8f5e4565e9c846fce310239c
 
 # Test deps
-ARG GO_VERSION=1.23
+# Currently, the Docker Official Images and the test deps are not pinned by the hash
+ARG GO_VERSION=1.24
 ARG UBUNTU_VERSION=24.04
 ARG CONTAINERIZED_SYSTEMD_VERSION=v0.1.1
-ARG GOTESTSUM_VERSION=v1.12.0
-ARG NYDUS_VERSION=v2.3.0
-ARG SOCI_SNAPSHOTTER_VERSION=0.7.0
-ARG KUBO_VERSION=v0.31.0
+ARG GOTESTSUM_VERSION=v1.12.3
+ARG NYDUS_VERSION=v2.3.2
+ARG SOCI_SNAPSHOTTER_VERSION=0.11.1
+ARG KUBO_VERSION=v0.35.0
 
-FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.5.0 AS xx
+FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.6.1@sha256:923441d7c25f1e2eb5789f82d987693c47b8ed987c4ab3b075d6ed2b5d6779a3 AS xx
 
 
-FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-bookworm AS build-base-debian
+FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-bookworm AS build-base
 COPY --from=xx / /
 ENV DEBIAN_FRONTEND=noninteractive
 RUN apt-get update -qq && apt-get install -qq --no-install-recommends \
-    git \
-    dpkg-dev
+  make \
+  git \
+  jq \
+  curl \
+  dpkg-dev
 ARG TARGETARCH
 # libbtrfs: for containerd
 # libseccomp: for runc and bypass4netns
 RUN xx-apt-get update -qq && xx-apt-get install -qq --no-install-recommends \
-    binutils \
-    gcc \
-    libc6-dev \
-    libbtrfs-dev \
-    libseccomp-dev \
-    pkg-config
+  binutils \
+  gcc \
+  libc6-dev \
+  libbtrfs-dev \
+  libseccomp-dev \
+  pkg-config
+RUN git config --global advice.detachedHead false
+ADD hack/git-checkout-tag-with-hash.sh /usr/local/bin/
+ADD hack/scripts/lib.sh /usr/local/bin/http::helper
 
-FROM build-base-debian AS build-containerd
+FROM build-base AS build-containerd
 ARG TARGETARCH
 ARG CONTAINERD_VERSION
-RUN git clone https://github.com/containerd/containerd.git /go/src/github.com/containerd/containerd
+RUN git clone --quiet --depth 1 --branch "${CONTAINERD_VERSION%%@*}" https://github.com/containerd/containerd.git /go/src/github.com/containerd/containerd
 WORKDIR /go/src/github.com/containerd/containerd
-RUN git checkout ${CONTAINERD_VERSION} && \
+RUN git-checkout-tag-with-hash.sh ${CONTAINERD_VERSION} && \
   mkdir -p /out /out/$TARGETARCH && \
   cp -a containerd.service /out
 RUN GO=xx-go make STATIC=1 && \
   cp -a bin/containerd bin/containerd-shim-runc-v2 bin/ctr /out/$TARGETARCH
 
-FROM build-base-debian AS build-runc
+FROM build-base AS build-runc
 ARG RUNC_VERSION
 ARG TARGETARCH
-RUN git clone https://github.com/opencontainers/runc.git /go/src/github.com/opencontainers/runc
+RUN git clone --quiet --depth 1 --branch "${RUNC_VERSION%%@*}" https://github.com/opencontainers/runc.git /go/src/github.com/opencontainers/runc
 WORKDIR /go/src/github.com/opencontainers/runc
-RUN git checkout ${RUNC_VERSION} && \
+RUN git-checkout-tag-with-hash.sh ${RUNC_VERSION} && \
   mkdir -p /out
 ENV CGO_ENABLED=1
 RUN GO=xx-go CC=$(xx-info)-gcc STRIP=$(xx-info)-strip make static && \
   xx-verify --static runc && cp -v -a runc /out/runc.${TARGETARCH}
 
-FROM build-base-debian AS build-bypass4netns
+FROM build-base AS build-bypass4netns
 ARG BYPASS4NETNS_VERSION
 ARG TARGETARCH
-RUN git clone https://github.com/rootless-containers/bypass4netns.git /go/src/github.com/rootless-containers/bypass4netns
+RUN git clone --quiet --depth 1 --branch "${BYPASS4NETNS_VERSION%%@*}" https://github.com/rootless-containers/bypass4netns.git /go/src/github.com/rootless-containers/bypass4netns
 WORKDIR /go/src/github.com/rootless-containers/bypass4netns
-RUN git checkout ${BYPASS4NETNS_VERSION} && \
+RUN git-checkout-tag-with-hash.sh ${BYPASS4NETNS_VERSION} && \
   mkdir -p /out/${TARGETARCH}
 ENV CGO_ENABLED=1
 RUN GO=xx-go make static && \
   xx-verify --static bypass4netns && cp -a bypass4netns bypass4netnsd /out/${TARGETARCH}
 
-FROM build-base-debian AS build-kubo
+FROM build-base AS build-gomodjail
+ARG GOMODJAIL_VERSION
+ARG TARGETARCH
+RUN git clone --quiet --depth 1 --branch "${GOMODJAIL_VERSION%%@*}" https://github.com/AkihiroSuda/gomodjail.git /go/src/github.com/AkihiroSuda/gomodjail
+WORKDIR /go/src/github.com/AkihiroSuda/gomodjail
+RUN git-checkout-tag-with-hash.sh ${GOMODJAIL_VERSION} && \
+  mkdir -p /out/${TARGETARCH}
+RUN GO=xx-go make STATIC=1 && \
+  xx-verify --static _output/bin/gomodjail && cp -a _output/bin/gomodjail /out/${TARGETARCH}
+
+FROM build-base AS build-kubo
 ARG KUBO_VERSION
 ARG TARGETARCH
-RUN git clone https://github.com/ipfs/kubo.git /go/src/github.com/ipfs/kubo
+RUN git clone --quiet --depth 1 --branch "${KUBO_VERSION%%@*}" https://github.com/ipfs/kubo.git /go/src/github.com/ipfs/kubo
 WORKDIR /go/src/github.com/ipfs/kubo
-RUN git checkout ${KUBO_VERSION} && \
+RUN git-checkout-tag-with-hash.sh ${KUBO_VERSION} && \
   mkdir -p /out/${TARGETARCH}
 ENV CGO_ENABLED=0
 RUN xx-go --wrap && \
   make build && \
   xx-verify --static cmd/ipfs/ipfs && cp -a cmd/ipfs/ipfs /out/${TARGETARCH}
 
-FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine AS build-base
-RUN apk add --no-cache make git curl
-COPY . /go/src/github.com/containerd/nerdctl
-WORKDIR /go/src/github.com/containerd/nerdctl
-
 FROM build-base AS build-minimal
 RUN BINDIR=/out/bin make binaries install
 # We do not set CMD to `go test` here, because it requires systemd
 
-FROM build-base AS build-full
+FROM build-base AS build-dependencies
 ARG TARGETARCH
 ENV GOARCH=${TARGETARCH}
-RUN BINDIR=/out/bin make binaries install
-WORKDIR /nowhere
 COPY ./Dockerfile.d/SHA256SUMS.d/ /SHA256SUMS.d
-COPY README.md /out/share/doc/nerdctl/
-COPY docs /out/share/doc/nerdctl/docs
+WORKDIR /nowhere
 RUN echo "${TARGETARCH:-amd64}" | sed -e s/amd64/x86_64/ -e s/arm64/aarch64/ | tee /target_uname_m
-RUN mkdir -p /out/share/doc/nerdctl-full && \
-  echo "# nerdctl (full distribution)" > /out/share/doc/nerdctl-full/README.md && \
-  echo "- nerdctl: $(cd /go/src/github.com/containerd/nerdctl && git describe --tags)" >> /out/share/doc/nerdctl-full/README.md
+RUN mkdir -p /out/share/doc/nerdctl-full && touch /out/share/doc/nerdctl-full/README.md
 ARG CONTAINERD_VERSION
 COPY --from=build-containerd /out/${TARGETARCH:-amd64}/* /out/bin/
 COPY --from=build-containerd /out/containerd.service /out/lib/systemd/system/containerd.service
-RUN echo "- containerd: ${CONTAINERD_VERSION}" >> /out/share/doc/nerdctl-full/README.md
+RUN echo "- containerd: ${CONTAINERD_VERSION%%@*}" >> /out/share/doc/nerdctl-full/README.md
 ARG RUNC_VERSION
 COPY --from=build-runc /out/runc.${TARGETARCH:-amd64} /out/bin/runc
-RUN echo "- runc: ${RUNC_VERSION}" >> /out/share/doc/nerdctl-full/README.md
+RUN echo "- runc: ${RUNC_VERSION%%@*}" >> /out/share/doc/nerdctl-full/README.md
 ARG CNI_PLUGINS_VERSION
-RUN fname="cni-plugins-${TARGETOS:-linux}-${TARGETARCH:-amd64}-${CNI_PLUGINS_VERSION}.tgz" && \
+RUN CNI_PLUGINS_VERSION=${CNI_PLUGINS_VERSION%%@*}; \
+  fname="cni-plugins-${TARGETOS:-linux}-${TARGETARCH:-amd64}-${CNI_PLUGINS_VERSION}.tgz" && \
   curl -o "${fname}" -fsSL --proto '=https' --tlsv1.2 "https://github.com/containernetworking/plugins/releases/download/${CNI_PLUGINS_VERSION}/${fname}" && \
   grep "${fname}" "/SHA256SUMS.d/cni-plugins-${CNI_PLUGINS_VERSION}" | sha256sum -c && \
   mkdir -p /out/libexec/cni && \
@@ -152,7 +161,8 @@ RUN fname="cni-plugins-${TARGETOS:-linux}-${TARGETARCH:-amd64}-${CNI_PLUGINS_VER
   rm -f "${fname}" && \
   echo "- CNI plugins: ${CNI_PLUGINS_VERSION}" >> /out/share/doc/nerdctl-full/README.md
 ARG BUILDKIT_VERSION
-RUN fname="buildkit-${BUILDKIT_VERSION}.${TARGETOS:-linux}-${TARGETARCH:-amd64}.tar.gz" && \
+RUN BUILDKIT_VERSION=${BUILDKIT_VERSION%%@*}; \
+  fname="buildkit-${BUILDKIT_VERSION}.${TARGETOS:-linux}-${TARGETARCH:-amd64}.tar.gz" && \
   curl -o "${fname}" -fsSL --proto '=https' --tlsv1.2 "https://github.com/moby/buildkit/releases/download/${BUILDKIT_VERSION}/${fname}" && \
   grep "${fname}" "/SHA256SUMS.d/buildkit-${BUILDKIT_VERSION}" | sha256sum -c && \
   tar xzf "${fname}" -C /out && \
@@ -166,9 +176,11 @@ RUN cd /out/lib/systemd/system && \
   echo "" >> buildkit.service && \
   echo "# This file was converted from containerd.service, with \`sed -E '${sedcomm}'\`" >> buildkit.service
 ARG STARGZ_SNAPSHOTTER_VERSION
-RUN fname="stargz-snapshotter-${STARGZ_SNAPSHOTTER_VERSION}-${TARGETOS:-linux}-${TARGETARCH:-amd64}.tar.gz" && \
+RUN --mount=type=secret,id=github_token,env=GITHUB_TOKEN \
+  STARGZ_SNAPSHOTTER_VERSION=${STARGZ_SNAPSHOTTER_VERSION%%@*}; \
+  fname="stargz-snapshotter-${STARGZ_SNAPSHOTTER_VERSION}-${TARGETOS:-linux}-${TARGETARCH:-amd64}.tar.gz" && \
   curl -o "${fname}" -fsSL --proto '=https' --tlsv1.2 "https://github.com/containerd/stargz-snapshotter/releases/download/${STARGZ_SNAPSHOTTER_VERSION}/${fname}" && \
-  curl -o "stargz-snapshotter.service" -fsSL --proto '=https' --tlsv1.2 "https://raw.githubusercontent.com/containerd/stargz-snapshotter/${STARGZ_SNAPSHOTTER_VERSION}/script/config/etc/systemd/system/stargz-snapshotter.service" && \
+  http::helper github::file containerd/stargz-snapshotter script/config/etc/systemd/system/stargz-snapshotter.service "${STARGZ_SNAPSHOTTER_VERSION}" > "stargz-snapshotter.service" && \
   grep "${fname}" "/SHA256SUMS.d/stargz-snapshotter-${STARGZ_SNAPSHOTTER_VERSION}" | sha256sum -c - && \
   grep "stargz-snapshotter.service" "/SHA256SUMS.d/stargz-snapshotter-${STARGZ_SNAPSHOTTER_VERSION}" | sha256sum -c - && \
   tar xzf "${fname}" -C /out/bin && \
@@ -176,20 +188,14 @@ RUN fname="stargz-snapshotter-${STARGZ_SNAPSHOTTER_VERSION}-${TARGETOS:-linux}-$
   mv stargz-snapshotter.service /out/lib/systemd/system/stargz-snapshotter.service && \
   echo "- Stargz Snapshotter: ${STARGZ_SNAPSHOTTER_VERSION}" >> /out/share/doc/nerdctl-full/README.md
 ARG IMGCRYPT_VERSION
-RUN git clone https://github.com/containerd/imgcrypt.git /go/src/github.com/containerd/imgcrypt && \
+RUN git clone --quiet --depth 1 --branch "${IMGCRYPT_VERSION%%@*}" https://github.com/containerd/imgcrypt.git /go/src/github.com/containerd/imgcrypt && \
   cd /go/src/github.com/containerd/imgcrypt && \
-  git checkout "${IMGCRYPT_VERSION}" && \
+  git-checkout-tag-with-hash.sh "${IMGCRYPT_VERSION}" && \
   CGO_ENABLED=0 make && DESTDIR=/out make install && \
-  echo "- imgcrypt: ${IMGCRYPT_VERSION}" >> /out/share/doc/nerdctl-full/README.md
-ARG ROOTLESSKIT_VERSION
-RUN fname="rootlesskit-$(cat /target_uname_m).tar.gz" && \
-  curl -o "${fname}" -fsSL --proto '=https' --tlsv1.2 "https://github.com/rootless-containers/rootlesskit/releases/download/${ROOTLESSKIT_VERSION}/${fname}" && \
-  grep "${fname}" "/SHA256SUMS.d/rootlesskit-${ROOTLESSKIT_VERSION}" | sha256sum -c && \
-  tar xzf "${fname}" -C /out/bin && \
-  rm -f "${fname}" /out/bin/rootlesskit-docker-proxy && \
-  echo "- RootlessKit: ${ROOTLESSKIT_VERSION}" >> /out/share/doc/nerdctl-full/README.md
+  echo "- imgcrypt: ${IMGCRYPT_VERSION%%@*}" >> /out/share/doc/nerdctl-full/README.md
 ARG SLIRP4NETNS_VERSION
-RUN fname="slirp4netns-$(cat /target_uname_m)" && \
+RUN SLIRP4NETNS_VERSION=${SLIRP4NETNS_VERSION%%@*}; \
+  fname="slirp4netns-$(cat /target_uname_m)" && \
   curl -o "${fname}" -fsSL --proto '=https' --tlsv1.2 "https://github.com/rootless-containers/slirp4netns/releases/download/${SLIRP4NETNS_VERSION}/${fname}" && \
   grep "${fname}" "/SHA256SUMS.d/slirp4netns-${SLIRP4NETNS_VERSION}" | sha256sum -c && \
   mv "${fname}" /out/bin/slirp4netns && \
@@ -197,43 +203,76 @@ RUN fname="slirp4netns-$(cat /target_uname_m)" && \
   echo "- slirp4netns: ${SLIRP4NETNS_VERSION}" >> /out/share/doc/nerdctl-full/README.md
 ARG BYPASS4NETNS_VERSION
 COPY --from=build-bypass4netns /out/${TARGETARCH:-amd64}/* /out/bin/
-RUN echo "- bypass4netns: ${BYPASS4NETNS_VERSION}" >> /out/share/doc/nerdctl-full/README.md
+RUN echo "- bypass4netns: ${BYPASS4NETNS_VERSION%%@*}" >> /out/share/doc/nerdctl-full/README.md
 ARG FUSE_OVERLAYFS_VERSION
-RUN fname="fuse-overlayfs-$(cat /target_uname_m)" && \
+RUN FUSE_OVERLAYFS_VERSION=${FUSE_OVERLAYFS_VERSION%%@*}; \
+  fname="fuse-overlayfs-$(cat /target_uname_m)" && \
   curl -o "${fname}" -fsSL --proto '=https' --tlsv1.2 "https://github.com/containers/fuse-overlayfs/releases/download/${FUSE_OVERLAYFS_VERSION}/${fname}" && \
   grep "${fname}" "/SHA256SUMS.d/fuse-overlayfs-${FUSE_OVERLAYFS_VERSION}" | sha256sum -c && \
   mv "${fname}" /out/bin/fuse-overlayfs && \
   chmod +x /out/bin/fuse-overlayfs && \
   echo "- fuse-overlayfs: ${FUSE_OVERLAYFS_VERSION}" >> /out/share/doc/nerdctl-full/README.md
 ARG CONTAINERD_FUSE_OVERLAYFS_VERSION
-RUN fname="containerd-fuse-overlayfs-${CONTAINERD_FUSE_OVERLAYFS_VERSION/v}-${TARGETOS:-linux}-${TARGETARCH:-amd64}.tar.gz" && \
+RUN CONTAINERD_FUSE_OVERLAYFS_VERSION=${CONTAINERD_FUSE_OVERLAYFS_VERSION%%@*}; \
+  fname="containerd-fuse-overlayfs-${CONTAINERD_FUSE_OVERLAYFS_VERSION##*v}-${TARGETOS:-linux}-${TARGETARCH:-amd64}.tar.gz" && \
   curl -o "${fname}" -fsSL --proto '=https' --tlsv1.2 "https://github.com/containerd/fuse-overlayfs-snapshotter/releases/download/${CONTAINERD_FUSE_OVERLAYFS_VERSION}/${fname}" && \
   grep "${fname}" "/SHA256SUMS.d/containerd-fuse-overlayfs-${CONTAINERD_FUSE_OVERLAYFS_VERSION}" | sha256sum -c && \
   tar xzf "${fname}" -C /out/bin && \
   rm -f "${fname}" && \
   echo "- containerd-fuse-overlayfs: ${CONTAINERD_FUSE_OVERLAYFS_VERSION}" >> /out/share/doc/nerdctl-full/README.md
 ARG TINI_VERSION
-RUN fname="tini-static-${TARGETARCH:-amd64}" && \
+RUN TINI_VERSION=${TINI_VERSION%%@*}; \
+  fname="tini-static-${TARGETARCH:-amd64}" && \
   curl -o "${fname}" -fsSL --proto '=https' --tlsv1.2 "https://github.com/krallin/tini/releases/download/${TINI_VERSION}/${fname}" && \
   grep "${fname}" "/SHA256SUMS.d/tini-${TINI_VERSION}" | sha256sum -c && \
   cp -a "${fname}" /out/bin/tini && chmod +x /out/bin/tini && \
   echo "- Tini: ${TINI_VERSION}" >> /out/share/doc/nerdctl-full/README.md
 ARG BUILDG_VERSION
-RUN fname="buildg-${BUILDG_VERSION}-${TARGETOS:-linux}-${TARGETARCH:-amd64}.tar.gz" && \
+# FIXME: this is a mildly-confusing approach. Buildkit will perform some "smart" replacement at build time and output
+# confusing debugging information, eg: BUILDG_VERSION will appear as if the original ARG value was used.
+RUN BUILDG_VERSION=${BUILDG_VERSION%%@*}; \
+  fname="buildg-${BUILDG_VERSION}-${TARGETOS:-linux}-${TARGETARCH:-amd64}.tar.gz" && \
   curl -o "${fname}" -fsSL --proto '=https' --tlsv1.2 "https://github.com/ktock/buildg/releases/download/${BUILDG_VERSION}/${fname}" && \
   grep "${fname}" "/SHA256SUMS.d/buildg-${BUILDG_VERSION}" | sha256sum -c && \
   tar xzf "${fname}" -C /out/bin && \
   rm -f "${fname}" && \
   echo "- buildg: ${BUILDG_VERSION}" >> /out/share/doc/nerdctl-full/README.md
+ARG ROOTLESSKIT_VERSION
+RUN ROOTLESSKIT_VERSION=${ROOTLESSKIT_VERSION%%@*}; \
+  fname="rootlesskit-$(cat /target_uname_m).tar.gz" && \
+  curl -o "${fname}" -fsSL --proto '=https' --tlsv1.2 "https://github.com/rootless-containers/rootlesskit/releases/download/${ROOTLESSKIT_VERSION}/${fname}" && \
+  grep "${fname}" "/SHA256SUMS.d/rootlesskit-${ROOTLESSKIT_VERSION}" | sha256sum -c && \
+  tar xzf "${fname}" -C /out/bin && \
+  rm -f "${fname}" /out/bin/rootlesskit-docker-proxy && \
+  echo "- RootlessKit: ${ROOTLESSKIT_VERSION}" >> /out/share/doc/nerdctl-full/README.md
+ARG GOMODJAIL_VERSION
+COPY --from=build-gomodjail /out/${TARGETARCH:-amd64}/* /out/bin/
+RUN echo "- gomodjail: ${GOMODJAIL_VERSION}" >> /out/share/doc/nerdctl-full/README.md
+ARG CONTAINERIZED_SYSTEMD_VERSION
+RUN --mount=type=secret,id=github_token,env=GITHUB_TOKEN \
+  http::helper github::file AkihiroSuda/containerized-systemd docker-entrypoint.sh "${CONTAINERIZED_SYSTEMD_VERSION}" > /docker-entrypoint.sh && \
+  chmod +x /docker-entrypoint.sh
 
 RUN echo "" >> /out/share/doc/nerdctl-full/README.md && \
   echo "## License" >> /out/share/doc/nerdctl-full/README.md && \
-  echo "- bin/slirp4netns:    [GNU GENERAL PUBLIC LICENSE, Version 2](https://github.com/rootless-containers/slirp4netns/blob/${SLIRP4NETNS_VERSION}/COPYING)" >> /out/share/doc/nerdctl-full/README.md && \
-  echo "- bin/fuse-overlayfs: [GNU GENERAL PUBLIC LICENSE, Version 2](https://github.com/containers/fuse-overlayfs/blob/${FUSE_OVERLAYFS_VERSION}/COPYING)" >> /out/share/doc/nerdctl-full/README.md && \
+  echo "- bin/slirp4netns:    [GNU GENERAL PUBLIC LICENSE, Version 2](https://github.com/rootless-containers/slirp4netns/blob/${SLIRP4NETNS_VERSION%%@*}/COPYING)" >> /out/share/doc/nerdctl-full/README.md && \
+  echo "- bin/fuse-overlayfs: [GNU GENERAL PUBLIC LICENSE, Version 2](https://github.com/containers/fuse-overlayfs/blob/${FUSE_OVERLAYFS_VERSION%%@*}/COPYING)" >> /out/share/doc/nerdctl-full/README.md && \
   echo "- bin/{runc,bypass4netns,bypass4netnsd}: Apache License 2.0, statically linked with libseccomp ([LGPL 2.1](https://github.com/seccomp/libseccomp/blob/main/LICENSE), source code available at https://github.com/seccomp/libseccomp/)" >> /out/share/doc/nerdctl-full/README.md && \
-  echo "- bin/tini: [MIT License](https://github.com/krallin/tini/blob/${TINI_VERSION}/LICENSE)" >> /out/share/doc/nerdctl-full/README.md && \
-  echo "- Other files: [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0)" >> /out/share/doc/nerdctl-full/README.md && \
-  (cd /out && find ! -type d | sort | xargs sha256sum > /tmp/SHA256SUMS ) && \
+  echo "- bin/tini: [MIT License](https://github.com/krallin/tini/blob/${TINI_VERSION%%@*}/LICENSE)" >> /out/share/doc/nerdctl-full/README.md && \
+  echo "- Other files: [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0)" >> /out/share/doc/nerdctl-full/README.md
+
+FROM build-dependencies AS build-full
+COPY . /go/src/github.com/containerd/nerdctl
+RUN { echo "# nerdctl (full distribution)"; echo "- nerdctl: $(cd /go/src/github.com/containerd/nerdctl && git describe --tags)"; cat /out/share/doc/nerdctl-full/README.md; } > /out/share/doc/nerdctl-full/README.md.new; mv /out/share/doc/nerdctl-full/README.md.new /out/share/doc/nerdctl-full/README.md
+WORKDIR /go/src/github.com/containerd/nerdctl
+RUN BINDIR=/out/bin make binaries install
+# FIXME: `gomodjail pack` depends on QEMU for non-native architecture
+# TODO: gomodjail should provide a plain shell script that utilizes `zip(1)` for packing the self-extract archive, without running `gomodjail pack`..
+RUN /out/bin/gomodjail pack --go-mod=/go/src/github.com/containerd/nerdctl/go.mod /out/bin/nerdctl && \
+  cp -a nerdctl.gomodjail /out/bin/
+COPY README.md /out/share/doc/nerdctl/
+COPY docs /out/share/doc/nerdctl/docs
+RUN (cd /out && find ! -type d | sort | xargs sha256sum > /tmp/SHA256SUMS ) && \
   mv /tmp/SHA256SUMS /out/share/doc/nerdctl-full/SHA256SUMS && \
   chown -R 0:0 /out
 
@@ -243,15 +282,13 @@ COPY --from=build-full /out /
 FROM ubuntu:${UBUNTU_VERSION} AS base
 # fuse3 is required by stargz snapshotter
 RUN apt-get update -qq && apt-get install -qq -y --no-install-recommends \
-    apparmor \
-    bash-completion \
-    ca-certificates curl \
-    iproute2 iptables \
-    dbus dbus-user-session systemd systemd-sysv \
-    fuse3
-ARG CONTAINERIZED_SYSTEMD_VERSION
-RUN curl -o /docker-entrypoint.sh -fsSL --proto '=https' --tlsv1.2 https://raw.githubusercontent.com/AkihiroSuda/containerized-systemd/${CONTAINERIZED_SYSTEMD_VERSION}/docker-entrypoint.sh && \
-  chmod +x /docker-entrypoint.sh
+  apparmor \
+  bash-completion \
+  ca-certificates curl \
+  iproute2 iptables \
+  dbus dbus-user-session systemd systemd-sysv \
+  fuse3
+COPY --from=build-full /docker-entrypoint.sh /docker-entrypoint.sh
 COPY --from=out-full / /usr/local/
 RUN perl -pi -e 's/multi-user.target/docker-entrypoint.target/g' /usr/local/lib/systemd/system/*.service && \
   systemctl enable containerd buildkit stargz-snapshotter && \
@@ -267,20 +304,18 @@ VOLUME /var/lib/nerdctl
 ENTRYPOINT ["/docker-entrypoint.sh"]
 CMD ["bash", "--login", "-i"]
 
-# convert GO_VERSION=1.16 to the latest release such as "go1.16.1"
-FROM golang:${GO_VERSION}-alpine AS goversion
-RUN go env GOVERSION > /GOVERSION
-
 FROM base AS test-integration
 ARG DEBIAN_FRONTEND=noninteractive
 # `expect` package contains `unbuffer(1)`, which is used for emulating TTY for testing
+# `jq` is required to generate test summaries
 RUN apt-get update -qq && apt-get install -qq --no-install-recommends \
-    expect \
-    git \
-    make
-COPY --from=goversion /GOVERSION /GOVERSION
+  expect \
+  jq \
+  git \
+  make
+# We wouldn't need this if Docker Hub could have "golang:${GO_VERSION}-ubuntu"
+COPY --from=build-base /usr/local/go /usr/local/go
 ARG TARGETARCH
-RUN curl -fsSL --proto '=https' --tlsv1.2 https://golang.org/dl/$(cat /GOVERSION).linux-${TARGETARCH:-amd64}.tar.gz | tar xzvC /usr/local
 ENV PATH=/usr/local/go/bin:$PATH
 ARG GOTESTSUM_VERSION
 RUN GOBIN=/usr/local/bin go install gotest.tools/gotestsum@${GOTESTSUM_VERSION}
@@ -294,7 +329,10 @@ COPY --from=ghcr.io/sigstore/cosign/cosign:v2.2.3@sha256:8fc9cad121611e8479f65f7
 ARG SOCI_SNAPSHOTTER_VERSION
 RUN fname="soci-snapshotter-${SOCI_SNAPSHOTTER_VERSION}-${TARGETOS:-linux}-${TARGETARCH:-amd64}.tar.gz" && \
   curl -o "${fname}" -fsSL --proto '=https' --tlsv1.2 "https://github.com/awslabs/soci-snapshotter/releases/download/v${SOCI_SNAPSHOTTER_VERSION}/${fname}" && \
-  tar -C /usr/local/bin -xvf "${fname}" soci soci-snapshotter-grpc
+  tar -C /usr/local/bin -xvf "${fname}" soci soci-snapshotter-grpc && \
+  mkdir -p /etc/soci-snapshotter-grpc && \
+  touch /etc/soci-snapshotter-grpc/config.toml && \
+  echo "\n[pull_modes]\n  [pull_modes.soci_v1]\n    enable = true" >> /etc/soci-snapshotter-grpc/config.toml
 # enable offline ipfs for integration test
 COPY --from=build-kubo /out/${TARGETARCH:-amd64}/* /usr/local/bin/
 COPY ./Dockerfile.d/test-integration-etc_containerd-stargz-grpc_config.toml /etc/containerd-stargz-grpc/config.toml
@@ -322,9 +360,9 @@ FROM test-integration AS test-integration-rootless
 # (`sudo` does not work for this purpose,
 #  OTOH `machinectl shell` can create the session but does not propagate exit code)
 RUN apt-get update -qq && apt-get install -qq --no-install-recommends \
-    uidmap \
-    openssh-server \
-    openssh-client
+  uidmap \
+  openssh-server \
+  openssh-client
 # TODO: update containerized-systemd to enable sshd by default, or allow `systemctl wants <TARGET> ssh` here
 RUN ssh-keygen -q -t rsa -f /root/.ssh/id_rsa -N '' && \
   useradd -m -s /bin/bash rootless && \

Dockerfile.d/SHA256SUMS.d/buildg-v0.4.1

@@ -1,2 +0,0 @@
-87d047c4742b904e9f0f48427aec5cd157dc96ea97cd89e3ff5b1db171c6eb5e  buildg-v0.4.1-linux-amd64.tar.gz
-44ab3251cef95f0e79e94f54113be962dacf197ad8d5c5b455aa4a6b8d566111  buildg-v0.4.1-linux-arm64.tar.gz

Dockerfile.d/SHA256SUMS.d/buildg-v0.5.3

@@ -0,0 +1,4 @@
+cf4c40c58ca795eeb6e75e2c6a0e5bb3a6a9c0623d51bc3b85163e5d483eeade  buildg-full-v0.5.3-linux-amd64.tar.gz
+47c479f2e5150c9c76294fa93a03ad20e5928f4315bf52ca8432bfb6707d4276  buildg-full-v0.5.3-linux-arm64.tar.gz
+c289a454ae8673ff99acf56dec9ba97274c20d2015e80f7ac3b8eb8e4f77888f  buildg-v0.5.3-linux-amd64.tar.gz
+b2e244250ce7ea5c090388f2025a9c546557861d25bba7b0666aa512f01fa6cd  buildg-v0.5.3-linux-arm64.tar.gz

Dockerfile.d/SHA256SUMS.d/buildkit-v0.16.0

@@ -1,2 +0,0 @@
-a07a01da821d39bdb6e03a2f98ee407bb861cc61ece2e69e2ea4d61b3a4ab7f1  buildkit-v0.16.0.linux-amd64.tar.gz
-1b70bb7955ddda66537d4bf9aa540e79e79e19aa989901613da58f5f133a53ef  buildkit-v0.16.0.linux-arm64.tar.gz

Dockerfile.d/SHA256SUMS.d/buildkit-v0.23.2

@@ -0,0 +1,2 @@
+2771c3403e3a1f75a83cde387a05365794d3b900c355e864772a36c3ce541f82  buildkit-v0.23.2.linux-amd64.tar.gz
+6385ff70b2fb4134b50ac3183eea3a0b06c6f6129173940d73178ae0477368f1  buildkit-v0.23.2.linux-arm64.tar.gz

Dockerfile.d/SHA256SUMS.d/cni-plugins-v1.6.0

@@ -1,2 +0,0 @@
-682b49ff8933a997a52107161f1745f8312364b4c7f605ccdf7a77499130d89d  cni-plugins-linux-amd64-v1.6.0.tgz
-db09ab057ecf60b05ba05cbec38d55b95cc139c7f1078e2e4857cc13af158cee  cni-plugins-linux-arm64-v1.6.0.tgz

Dockerfile.d/SHA256SUMS.d/cni-plugins-v1.7.1

@@ -0,0 +1,2 @@
+1a28a0506bfe5bcdc981caf1a49eeab7e72da8321f1119b7be85f22621013098  cni-plugins-linux-amd64-v1.7.1.tgz
+119fcb508d1ac2149e49a550752f9cd64d023a1d70e189b59c476e4d2bf7c497  cni-plugins-linux-arm64-v1.7.1.tgz

Dockerfile.d/SHA256SUMS.d/containerd-fuse-overlayfs-v1.0.8

@@ -1,6 +0,0 @@
-a831f236299007bd1078e49df2e45ad0aeee47c5ed099852ad5f6791b091d536  containerd-fuse-overlayfs-1.0.8-linux-amd64.tar.gz
-d0fd1fd92ee9ef03050aa759f197b50c46bca81a75bed65b4433b6213a145022  containerd-fuse-overlayfs-1.0.8-linux-arm-v7.tar.gz
-17a3a83ae92002dce8ebe41e6a10877ac5d417550d63939c74fc22b0be6ca04a  containerd-fuse-overlayfs-1.0.8-linux-arm64.tar.gz
-dddaea552594166eb4edef8adabe765b2fae099574b7afe47657fc87674c81db  containerd-fuse-overlayfs-1.0.8-linux-ppc64le.tar.gz
-d6846b4bf1500cc2dbd29e382ba8b1f2268bdbfc5358a48d17131b8108f97aa9  containerd-fuse-overlayfs-1.0.8-linux-riscv64.tar.gz
-492ce81ed25a9b8b3c64d807d3e0f7de6011e70dc11915df8aef64a77fa67fb9  containerd-fuse-overlayfs-1.0.8-linux-s390x.tar.gz

Dockerfile.d/SHA256SUMS.d/containerd-fuse-overlayfs-v2.1.6

@@ -0,0 +1,6 @@
+8a768e4c953251d32b5e5d748d17593f7150834caaba403b483cf83f5856fea3  containerd-fuse-overlayfs-2.1.6-linux-amd64.tar.gz
+a3af866a12e913cd1d4dda8e41c08345eca928a15ac1d466fdb2b00b013e14ee  containerd-fuse-overlayfs-2.1.6-linux-arm-v7.tar.gz
+417ca0c838e43e446f498b384d73f7caaeb00dc4c1c0fe4b0ecfdd36fd355daa  containerd-fuse-overlayfs-2.1.6-linux-arm64.tar.gz
+5fdebd9fb7b50473318f0410bc3ab46f3388ac8aa586b45c91a314af9ce6569c  containerd-fuse-overlayfs-2.1.6-linux-ppc64le.tar.gz
+7e1a9d2ba68ff31a8dfb53bf6e71b2879063b13c759922c8cff3013893829bca  containerd-fuse-overlayfs-2.1.6-linux-riscv64.tar.gz
+3c022651cdaff666e88996d5d9c7e776bf59419a03d7d718a28aa708036419f9  containerd-fuse-overlayfs-2.1.6-linux-s390x.tar.gz

Dockerfile.d/SHA256SUMS.d/fuse-overlayfs-v1.14

@@ -1,2 +0,0 @@
-bf2c19b80e68afe1f53bae7a08cc9e7fb2f1b49bfdb9e5b49ab87cbe80b97cd1  fuse-overlayfs-aarch64
-4817a8896a9e6f0433080f88f5b71dec931e8829a89d64c71af94b0630ccb4a9  fuse-overlayfs-x86_64

Dockerfile.d/SHA256SUMS.d/fuse-overlayfs-v1.15

@@ -0,0 +1,6 @@
+a62829baa7a7d39d0a9a784d51ebd528efe226192c0a86ba6667d0fcae9129c3  fuse-overlayfs-aarch64
+7ad67a810100bebf63c41fbb621df3d552531db94d600a94f5f701b1e9f8aa5a  fuse-overlayfs-armv7l
+9778e1f0da1429469bcc65ea90a7504e63f0a258089b9bb1ae65105330e61808  fuse-overlayfs-ppc64le
+f7a2852983b3d0a8f15c31084c215b4965d5b62b9ce1014708283dd2dd909b28  fuse-overlayfs-riscv64
+89a410a67822002c20ff21d8a9e5353ebda00d3a2f79fd99f26fb47533e253a5  fuse-overlayfs-s390x
+1cd97f5ca7ac52fa192c94c1e605713cfb27d3dc417c0bef4dcfb9fb20e01e81  fuse-overlayfs-x86_64

Dockerfile.d/SHA256SUMS.d/rootlesskit-v2.3.1

@@ -1,6 +0,0 @@
-57bc67f71b8043961417325be13528d4f1e8ec90876cd34c38064431f457070f  rootlesskit-aarch64.tar.gz
-5154542509736957738478e3624b53865a875c396f978db5adea513d7507dee6  rootlesskit-armv7l.tar.gz
-983642556dd3dcbe2c9b764d577882016ad1ca960815ffa13ca76d7da518504f  rootlesskit-ppc64le.tar.gz
-83c40bb8938828eb15837a4900ba825a1f52227631195c22df85f2e8f7f73546  rootlesskit-riscv64.tar.gz
-dd6c8bc7e1c9b5d8c775efcf40854ef1d25205060294f0654a77d996a7f4e172  rootlesskit-s390x.tar.gz
-caafdce18e0959f078b4b478d4f352ebf3d556e373265fc7831f1a6d70219ee0  rootlesskit-x86_64.tar.gz

Dockerfile.d/SHA256SUMS.d/rootlesskit-v2.3.5

@@ -0,0 +1,6 @@
+478c14c3195bf989cd9a8e6bd129d227d5d88f1c11418967ffdc84a0072cc7a2  rootlesskit-aarch64.tar.gz
+0622e52952a848219b86b902c9bdb96e1ebe575a3015c05e7da02569e83b3a61  rootlesskit-armv7l.tar.gz
+b1ec12321c54860230c5d0bbbc6d651a746ac49bce7eeb36fd1ad1e0f0048d58  rootlesskit-ppc64le.tar.gz
+8ee59e518cdb5770afab49307b400f585598ed2c06b4ffc81f7c36fbeea422d6  rootlesskit-riscv64.tar.gz
+2a3198947cf322357106557c58a8d5f29a664961edf290ea305c94b03521f6c8  rootlesskit-s390x.tar.gz
+118208e25becd144ee7317c172fc9decce7b16174d5c1bbf80f1d1d0eacc6b5f  rootlesskit-x86_64.tar.gz

Dockerfile.d/SHA256SUMS.d/slirp4netns-v1.3.1

@@ -1,6 +0,0 @@
-2dd9aac6c2e3203e53cb7b6e4b9fc7123e4e4a9716c8bb1d95951853059a6af5  slirp4netns-aarch64
-ed618c0f2c74014bb736e9e427e18c8791ad9d68311872a41b06fac0d7cb9ef2  slirp4netns-armv7l
-a10f70209cee0dd0532fea0e8b6bfde5d16dec5206fd4b3387d861721456de66  slirp4netns-ppc64le
-38209015c2f3f4619d9fc46610852887910f33c7a0b96f7d2aa835a7bbc73f31  slirp4netns-riscv64
-9f42718455b1f9cf4b6f0efee314b78e860b8c36dbbb6290f09c8fbedda9ff8a  slirp4netns-s390x
-4bc5d6c311f9fa7ae00ce54aefe10c2afaf0800fe9e99f32616a964ed804a9e1  slirp4netns-x86_64

Dockerfile.d/SHA256SUMS.d/slirp4netns-v1.3.3

@@ -0,0 +1,7 @@
+d0e6a13342efbedb8b7454629a0e9ce9b7a937c261034c85f46ed81af76307d8  SOURCE_DATE_EPOCH
+1ca9d2f5f1fb4beb91f354653e5dad35b95c049afb264268d99a96ff2a10d903  slirp4netns-aarch64
+3e209d1c56fccbe627a038d311b233c15e8d914b30f9b981b5ed78b98e836859  slirp4netns-armv7l
+4d1003a98103ee170c0fcd4aad8a5e0ba7aa2e70fbca883cbb6a39f40447c8da  slirp4netns-ppc64le
+06a13b398d88120097b20dace966d7dd5e2fbfd284b95a086347808df392200e  slirp4netns-riscv64
+23d4a206edd6d3fc9c86f8b05c0881ff77a607b8d471f20964ad9f9c3f3176b1  slirp4netns-s390x
+5618887b671a30a2f7548f2bdf7fba98a53981abc80cfd3183cd28b4dc8b2b97  slirp4netns-x86_64

Dockerfile.d/SHA256SUMS.d/stargz-snapshotter-v0.15.1

@@ -1,3 +0,0 @@
-7f25b570f5e954a33df695d41fdf60d060a3096066f1668236fb5e1b4c7b7753  stargz-snapshotter-v0.15.1-linux-amd64.tar.gz
-4bd1ac3331501e14d87f5f8c3cde82cb08971d9b55643eb80155f74261e82a5a  stargz-snapshotter-v0.15.1-linux-arm64.tar.gz
-f1cf855870af16a653d8acb9daa3edf84687c2c05323cb958f078fb148af3eec  stargz-snapshotter.service

Dockerfile.d/SHA256SUMS.d/stargz-snapshotter-v0.16.3

@@ -0,0 +1,3 @@
+516984d13e10396f7f6090c51e4e42cc1af9a0d4b16aa81837bcdb1d5a5608d6  stargz-snapshotter-v0.16.3-linux-amd64.tar.gz
+d3ac8215603cfd002901c88c568ff5c0685d6953c012fa6ff709deb50f90b023  stargz-snapshotter-v0.16.3-linux-arm64.tar.gz
+f1cf855870af16a653d8acb9daa3edf84687c2c05323cb958f078fb148af3eec  stargz-snapshotter.service

Dockerfile.d/test-integration-ipfs-offline.service

@@ -3,6 +3,7 @@ Description=ipfs daemon for integration test (offline)
 
 [Service]
 ExecStart=ipfs daemon --init --offline
+Environment=IPFS_PATH="%h/.ipfs"
 
 [Install]
 WantedBy=docker-entrypoint.target

Dockerfile.d/test-integration-rootless.sh

@@ -16,13 +16,17 @@
 
 set -eux -o pipefail
 if [[ "$(id -u)" = "0" ]]; then
+  # Ensure securityfs is mounted for apparmor to work
+  if ! mountpoint -q /sys/kernel/security; then
+    mount -tsecurityfs securityfs /sys/kernel/security
+  fi
 	if [ -e /sys/kernel/security/apparmor/profiles ]; then
 		# Load the "nerdctl-default" profile for TestRunApparmor
 		nerdctl apparmor load
 	fi
 
 	: "${WORKAROUND_ISSUE_622:=}"
-	if [[ "$WORKAROUND_ISSUE_622" = "1" ]]; then
+	if [[ "$WORKAROUND_ISSUE_622" != "" ]]; then
 		touch /workaround-issue-622
 	fi
 

MAINTAINERS

@@ -22,6 +22,7 @@
 # GitHub ID, Name, Email address, GPG fingerprint
 "jsturtevant","James Sturtevant","jstur@microsoft.com",""
 "manugupt1", "Manu Gupta", "manugupt1@gmail.com","FCA9 504A 4118 EA5C F466 CC30 A5C3 A8F4 E7FE 9E10"
+"Shubhranshu153","Shubharanshu Mahapatra","shubhum@amazon.com",""
 
 # EMERITUS
 # See EMERITUS.md

Makefile

@@ -18,95 +18,252 @@
 # Licensed under the Apache License, Version 2.0
 # -----------------------------------------------------------------------------
 
+##########################
+# Configuration
+##########################
+PACKAGE := "github.com/containerd/nerdctl/v2"
+
 DOCKER ?= docker
 GO ?= go
 GOOS ?= $(shell $(GO) env GOOS)
+GOARCH ?= $(shell $(GO) env GOARCH)
 ifeq ($(GOOS),windows)
 	BIN_EXT := .exe
 endif
 
-PACKAGE := github.com/containerd/nerdctl/v2
-
-# distro builders might wanna override these
+# distro builders might want to override these
 PREFIX  ?= /usr/local
 BINDIR  ?= $(PREFIX)/bin
 DATADIR ?= $(PREFIX)/share
 DOCDIR  ?= $(DATADIR)/doc
 
+BINARY ?= "nerdctl"
 MAKEFILE_DIR := $(patsubst %/,%,$(dir $(abspath $(lastword $(MAKEFILE_LIST)))))
-VERSION ?= $(shell git -C $(MAKEFILE_DIR) describe --match 'v[0-9]*' --dirty='.m' --always --tags)
+VERSION ?= $(shell git -C $(MAKEFILE_DIR) describe --match 'v[0-9]*' --dirty='.m' --always --tags 2>/dev/null || echo no_git_information)
 VERSION_TRIMMED := $(VERSION:v%=%)
-REVISION ?= $(shell git -C $(MAKEFILE_DIR) rev-parse HEAD)$(shell if ! git -C $(MAKEFILE_DIR) diff --no-ext-diff --quiet --exit-code; then echo .m; fi)
+REVISION ?= $(shell git -C $(MAKEFILE_DIR) rev-parse HEAD 2>/dev/null || echo no_git_information)$(shell if ! git -C $(MAKEFILE_DIR) diff --no-ext-diff --quiet --exit-code 2>/dev/null; then echo .m; fi)
+LINT_COMMIT_RANGE ?= main..HEAD
+GO_BUILD_LDFLAGS ?= -s -w
+GO_BUILD_FLAGS ?=
 
+BUILDTAGS ?=
+GO_TAGS=$(if $(BUILDTAGS),-tags "$(strip $(BUILDTAGS))",)
+
+##########################
+# Helpers
+##########################
 ifdef VERBOSE
 	VERBOSE_FLAG := -v
 	VERBOSE_FLAG_LONG := --verbose
 endif
 
-GO_BUILD_LDFLAGS ?= -s -w
-GO_BUILD_FLAGS ?=
-export GO_BUILD=CGO_ENABLED=0 GOOS=$(GOOS) $(GO) -C $(MAKEFILE_DIR) build -ldflags "$(GO_BUILD_LDFLAGS) $(VERBOSE_FLAG) -X $(PACKAGE)/pkg/version.Version=$(VERSION) -X $(PACKAGE)/pkg/version.Revision=$(REVISION)"
+export GO_BUILD=CGO_ENABLED=0 GOOS=$(GOOS) $(GO) -C $(MAKEFILE_DIR) build $(GO_TAGS) -ldflags "$(GO_BUILD_LDFLAGS) $(VERBOSE_FLAG) -X $(PACKAGE)/pkg/version.Version=$(VERSION) -X $(PACKAGE)/pkg/version.Revision=$(REVISION)"
+
+ifndef NO_COLOR
+    NC := \033[0m
+    GREEN := \033[1;32m
+    ORANGE := \033[1;33m
+endif
 
 recursive_wildcard=$(wildcard $1$2) $(foreach e,$(wildcard $1*),$(call recursive_wildcard,$e/,$2))
 
+define title
+	@printf "$(GREEN)____________________________________________________________________________________________________\n"
+	@printf "$(GREEN)%*s\n" $$(( ( $(shell echo "🤓$(1) 🤓" | wc -c ) + 100 ) / 2 )) "🤓$(1) 🤓"
+	@printf "$(GREEN)____________________________________________________________________________________________________\n$(ORANGE)"
+endef
+
+define footer
+	@printf "$(GREEN)> %s: done!\n" "$(1)"
+	@printf "$(GREEN)____________________________________________________________________________________________________\n$(NC)"
+endef
+
+##########################
+# High-level tasks definitions
+##########################
 all: binaries
 
+lint: lint-go-all lint-yaml lint-shell lint-commits lint-mod lint-licenses-all
+
+fix: fix-mod fix-go-all
+
+# TODO: fix race task and add it
+test: test-unit # test-unit-race test-unit-bench
+
 help:
 	@echo "Usage: make <target>"
 	@echo
-	@echo " * 'install' - Install binaries to system locations."
+	@echo " * 'lint' - Run linters against codebase."
+	@echo " * 'fix' - Automatically fixes imports, modules, and simple formatting."
+	@echo " * 'test' - Run basic unit testing."
 	@echo " * 'binaries' - Build nerdctl."
+	@echo " * 'install' - Install binaries to system locations."
 	@echo " * 'clean' - Clean artifacts."
-	@echo " * 'lint' - Run various linters."
 
-nerdctl:
-	$(GO_BUILD) $(GO_BUILD_FLAGS) $(VERBOSE_FLAG) -o $(CURDIR)/_output/nerdctl$(BIN_EXT) ./cmd/nerdctl
+##########################
+# Building and installation tasks
+##########################
+binaries: $(CURDIR)/_output/$(BINARY)$(BIN_EXT)
 
-clean:
-	find . -name \*~ -delete
-	find . -name \#\* -delete
-	rm -rf $(CURDIR)/_output/* $(MAKEFILE_DIR)/vendor
-
-lint: lint-go lint-imports lint-yaml lint-shell
-
-lint-go:
-	cd $(MAKEFILE_DIR) && GOOS=linux golangci-lint run $(VERBOSE_FLAG_LONG) ./... && \
-		GOOS=windows golangci-lint run $(VERBOSE_FLAG_LONG) ./... && \
-		GOOS=freebsd golangci-lint run $(VERBOSE_FLAG_LONG) ./...
-
-lint-imports:
-	cd $(MAKEFILE_DIR) && ./hack/lint-imports.sh
-
-lint-fix-imports:
-	cd $(MAKEFILE_DIR) && goimports-reviser -company-prefixes "github.com/containerd" ./...
-
-lint-yaml:
-	cd $(MAKEFILE_DIR) && yamllint .
-
-lint-shell: $(call recursive_wildcard,$(MAKEFILE_DIR)/,*.sh)
-	shellcheck -a -x $^
-
-test-unit:
-	go test -v $(MAKEFILE_DIR)/pkg/...
-
-binaries: nerdctl
+$(CURDIR)/_output/$(BINARY)$(BIN_EXT):
+	$(call title, $@: $(GOOS)/$(GOARCH))
+	$(GO_BUILD) $(GO_BUILD_FLAGS) $(VERBOSE_FLAG) -o $(CURDIR)/_output/$(BINARY)$(BIN_EXT) ./cmd/nerdctl
+	$(call footer, $@)
 
 install:
-	install -D -m 755 $(CURDIR)/_output/nerdctl $(DESTDIR)$(BINDIR)/nerdctl
+	$(call title, $@)
+	install -D -m 755 $(CURDIR)/_output/$(BINARY) $(DESTDIR)$(BINDIR)/$(BINARY)
 	install -D -m 755 $(MAKEFILE_DIR)/extras/rootless/containerd-rootless.sh $(DESTDIR)$(BINDIR)/containerd-rootless.sh
 	install -D -m 755 $(MAKEFILE_DIR)/extras/rootless/containerd-rootless-setuptool.sh $(DESTDIR)$(BINDIR)/containerd-rootless-setuptool.sh
 	install -D -m 644 -t $(DESTDIR)$(DOCDIR)/nerdctl $(MAKEFILE_DIR)/docs/*.md
+	$(call footer, $@)
 
+clean:
+	$(call title, $@)
+	find . -name \*~ -delete
+	find . -name \#\* -delete
+	rm -rf $(CURDIR)/_output/* $(MAKEFILE_DIR)/vendor
+	$(call footer, $@)
+
+##########################
+# Linting tasks
+##########################
+lint-go:
+	$(call title, $@: $(GOOS))
+	@cd $(MAKEFILE_DIR) \
+		&& golangci-lint run $(VERBOSE_FLAG_LONG) ./...
+	$(call footer, $@)
+
+lint-go-all:
+	$(call title, $@)
+	@cd $(MAKEFILE_DIR) \
+		&& GOOS=linux make lint-go \
+		&& GOOS=windows make lint-go \
+		&& GOOS=freebsd make lint-go \
+		&& GOOS=darwin make lint-go
+	$(call footer, $@)
+
+lint-yaml:
+	$(call title, $@)
+	cd $(MAKEFILE_DIR) \
+		&& yamllint .
+	$(call footer, $@)
+
+lint-shell: $(call recursive_wildcard,$(MAKEFILE_DIR)/,*.sh)
+	$(call title, $@)
+	shellcheck -a -x $^
+	$(call footer, $@)
+
+lint-commits:
+	$(call title, $@)
+	@cd $(MAKEFILE_DIR) \
+		&& git-validation $(VERBOSE_FLAG) -run DCO,short-subject,dangling-whitespace -range "$(LINT_COMMIT_RANGE)"
+	$(call footer, $@)
+
+lint-mod:
+	$(call title, $@)
+	@cd $(MAKEFILE_DIR) \
+		&& go mod tidy --diff
+	$(call footer, $@)
+
+# FIXME: go-licenses cannot find LICENSE from root of repo when submodule is imported:
+# https://github.com/google/go-licenses/issues/186
+# This is impacting gotest.tools
+# FIXME: go-base36 is multi-license (MIT/Apache), using a custom boilerplate file that go-licenses fails to understand
+lint-licenses:
+	$(call title, $@: $(GOOS))
+	@cd $(MAKEFILE_DIR) \
+		&& go-licenses check --include_tests --allowed_licenses=Apache-2.0,BSD-2-Clause,BSD-2-Clause-FreeBSD,BSD-3-Clause,MIT,ISC,Python-2.0,PostgreSQL,X11,Zlib \
+		  --ignore gotest.tools \
+		  --ignore github.com/multiformats/go-base36 \
+		  ./...
+	$(call footer, $@)
+
+lint-licenses-all:
+	$(call title, $@)
+	@cd $(MAKEFILE_DIR) \
+		&& GOOS=linux make lint-licenses \
+		&& GOOS=windows make lint-licenses \
+		&& GOOS=freebsd make lint-licenses \
+		&& GOOS=darwin make lint-licenses
+	$(call footer, $@)
+
+##########################
+# Automated fixing tasks
+##########################
+fix-go:
+	$(call title, $@: $(GOOS))
+	@cd $(MAKEFILE_DIR) \
+		&& golangci-lint run --fix
+	$(call footer, $@)
+
+fix-go-all:
+	$(call title, $@)
+	@cd $(MAKEFILE_DIR) \
+		&& GOOS=linux make fix-go \
+		&& GOOS=windows make fix-go \
+		&& GOOS=freebsd make fix-go \
+		&& GOOS=darwin make fix-go
+	$(call footer, $@)
+
+fix-mod:
+	$(call title, $@)
+	@cd $(MAKEFILE_DIR) \
+		&& go mod tidy
+	$(call footer, $@)
+
+##########################
+# Development tools installation
+##########################
+install-dev-tools:
+	$(call title, $@)
+	# golangci: v2.0.2 (2024-03-26)
+	# git-validation: main (2025-02-25)
+	# ltag: main (2025-03-04)
+	# go-licenses: v2.0.0-alpha.1 (2024-06-27)
+	# stubbing go-licenses with dependency upgrade due to non-compatibility with golang 1.25rc1
+	# Issue: https://github.com/google/go-licenses/issues/312
+	@cd $(MAKEFILE_DIR) \
+	        && go install github.com/Shubhranshu153/go-licenses/v2@f8c503d1357dffb6c97ed3b94e912ab294dde24a \
+		&& go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@2b224c2cf4c9f261c22a16af7f8ca6408467f338 \
+		&& go install github.com/vbatts/git-validation@7b60e35b055dd2eab5844202ffffad51d9c93922 \
+		&& go install github.com/containerd/ltag@66e6a514664ee2d11a470735519fa22b1a9eaabd \
+		&& go install gotest.tools/gotestsum@0d9599e513d70e5792bb9334869f82f6e8b53d4d
+	@echo "Remember to add \$$HOME/go/bin to your path"
+	$(call footer, $@)
+
+##########################
+# Testing tasks
+##########################
+test-unit:
+	$(call title, $@)
+	@go test $(VERBOSE_FLAG) $(MAKEFILE_DIR)/pkg/...
+	$(call footer, $@)
+
+test-unit-bench:
+	$(call title, $@)
+	@go test $(VERBOSE_FLAG) $(MAKEFILE_DIR)/pkg/... -bench=.
+	$(call footer, $@)
+
+test-unit-race:
+	$(call title, $@)
+	@go test $(VERBOSE_FLAG) $(MAKEFILE_DIR)/pkg/... -race
+	$(call footer, $@)
+
+##########################
+# Release tasks
+##########################
 # Note that these options will not work on macOS - unless you use gnu-tar instead of tar
 TAR_OWNER0_FLAGS=--owner=0 --group=0
 TAR_FLATTEN_FLAGS=--transform 's/.*\///g'
 
 define make_artifact_full_linux
-	$(DOCKER) build --output type=tar,dest=$(CURDIR)/_output/nerdctl-full-$(VERSION_TRIMMED)-linux-$(1).tar --target out-full --platform $(1) --build-arg GO_VERSION -f $(MAKEFILE_DIR)/Dockerfile $(MAKEFILE_DIR)
+	$(DOCKER) build --secret id=github_token,env=GITHUB_TOKEN --output type=tar,dest=$(CURDIR)/_output/nerdctl-full-$(VERSION_TRIMMED)-linux-$(1).tar --target out-full --platform $(1) --build-arg GO_VERSION -f $(MAKEFILE_DIR)/Dockerfile $(MAKEFILE_DIR)
 	gzip -9 $(CURDIR)/_output/nerdctl-full-$(VERSION_TRIMMED)-linux-$(1).tar
 endef
 
 artifacts: clean
+	$(call title, $@)
 	GOOS=linux GOARCH=amd64       make -C $(CURDIR) -f $(MAKEFILE_DIR)/Makefile binaries
 	tar $(TAR_OWNER0_FLAGS) $(TAR_FLATTEN_FLAGS) -czvf $(CURDIR)/_output/nerdctl-$(VERSION_TRIMMED)-linux-amd64.tar.gz   $(CURDIR)/_output/nerdctl $(MAKEFILE_DIR)/extras/rootless/*
 
@@ -116,6 +273,9 @@ artifacts: clean
 	GOOS=linux GOARCH=arm GOARM=7 make -C $(CURDIR) -f $(MAKEFILE_DIR)/Makefile binaries
 	tar $(TAR_OWNER0_FLAGS) $(TAR_FLATTEN_FLAGS) -czvf $(CURDIR)/_output/nerdctl-$(VERSION_TRIMMED)-linux-arm-v7.tar.gz  $(CURDIR)/_output/nerdctl $(MAKEFILE_DIR)/extras/rootless/*
 
+	GOOS=linux GOARCH=loong64     make -C $(CURDIR) -f $(MAKEFILE_DIR)/Makefile binaries
+	tar $(TAR_OWNER0_FLAGS) $(TAR_FLATTEN_FLAGS) -czvf $(CURDIR)/_output/nerdctl-$(VERSION_TRIMMED)-linux-loong64.tar.gz   $(CURDIR)/_output/nerdctl $(MAKEFILE_DIR)/extras/rootless/*
+
 	GOOS=linux GOARCH=ppc64le     make -C $(CURDIR) -f $(MAKEFILE_DIR)/Makefile binaries
 	tar $(TAR_OWNER0_FLAGS) $(TAR_FLATTEN_FLAGS) -czvf $(CURDIR)/_output/nerdctl-$(VERSION_TRIMMED)-linux-ppc64le.tar.gz $(CURDIR)/_output/nerdctl $(MAKEFILE_DIR)/extras/rootless/*
 
@@ -138,15 +298,19 @@ artifacts: clean
 
 	$(GO) -C $(MAKEFILE_DIR) mod vendor
 	tar $(TAR_OWNER0_FLAGS) -czf $(CURDIR)/_output/nerdctl-$(VERSION_TRIMMED)-go-mod-vendor.tar.gz $(MAKEFILE_DIR)/go.mod $(MAKEFILE_DIR)/go.sum $(MAKEFILE_DIR)/vendor
+	$(call footer, $@)
 
 .PHONY: \
+	all \
+	lint \
+	fix \
+	test \
 	help \
-	nerdctl \
-	clean \
 	binaries \
 	install \
+	clean \
+	lint-go lint-go-all lint-yaml lint-shell lint-commits lint-mod lint-licenses lint-licenses-all \
+	fix-go fix-go-all fix-mod \
+	install-dev-tools \
+	test-unit test-unit-race test-unit-bench \
 	artifacts
-	lint \
-	lint-yaml \
-	lint-go \
-	lint-shell

Vagrantfile.freebsd

@@ -36,6 +36,10 @@ Vagrant.configure("2") do |config|
     sh.inline = <<~SHELL
         #!/usr/bin/env bash
         set -eux -o pipefail
+        freebsd-version -kru
+        # switching to "release_2" ensures compatibility with the current Vagrant box
+        # https://github.com/moby/buildkit/pull/5893
+        sed -i '' 's/latest/release_2/' /usr/local/etc/pkg/repos/FreeBSD.conf
         # `pkg install go` still installs Go 1.20 (March 2024)
         pkg install -y go122 containerd runj
         ln -s go122 /usr/local/bin/go
@@ -59,7 +63,7 @@ Vagrant.configure("2") do |config|
         set -eux -o pipefail
         daemon -o containerd.out containerd
         sleep 3
-        /root/go/bin/nerdctl run --rm --net=none dougrabson/freebsd-minimal:13 echo "Nerdctl is up and running."
+        CONTAINERD_ADDRESS=/run/containerd/containerd.sock /root/go/bin/nerdctl run --rm --quiet --net=none dougrabson/freebsd-minimal:13 echo "Nerdctl is up and running."
     SHELL
   end
 

cmd/nerdctl/apparmor/apparmor_inspect_linux.go

@@ -26,19 +26,19 @@ import (
 	"github.com/containerd/nerdctl/v2/pkg/defaults"
 )
 
-func newApparmorInspectCommand() *cobra.Command {
+func inspectCommand() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:           "inspect",
 		Short:         fmt.Sprintf("Display the default AppArmor profile %q. Other profiles cannot be displayed with this command.", defaults.AppArmorProfileName),
 		Args:          cobra.NoArgs,
-		RunE:          apparmorInspectAction,
+		RunE:          inspectAction,
 		SilenceUsage:  true,
 		SilenceErrors: true,
 	}
 	return cmd
 }
 
-func apparmorInspectAction(cmd *cobra.Command, args []string) error {
+func inspectAction(cmd *cobra.Command, args []string) error {
 	return apparmor.Inspect(types.ApparmorInspectOptions{
 		Stdout: cmd.OutOrStdout(),
 	})

cmd/nerdctl/apparmor/apparmor_linux.go

@@ -22,7 +22,7 @@ import (
 	"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers"
 )
 
-func NewApparmorCommand() *cobra.Command {
+func Command() *cobra.Command {
 	cmd := &cobra.Command{
 		Annotations:   map[string]string{helpers.Category: helpers.Management},
 		Use:           "apparmor",
@@ -32,10 +32,10 @@ func NewApparmorCommand() *cobra.Command {
 		SilenceErrors: true,
 	}
 	cmd.AddCommand(
-		newApparmorLsCommand(),
-		newApparmorInspectCommand(),
-		newApparmorLoadCommand(),
-		newApparmorUnloadCommand(),
+		listCommand(),
+		inspectCommand(),
+		loadCommand(),
+		unloadCommand(),
 	)
 	return cmd
 }

cmd/nerdctl/apparmor/apparmor_list_linux.go

@@ -23,13 +23,13 @@ import (
 	"github.com/containerd/nerdctl/v2/pkg/cmd/apparmor"
 )
 
-func newApparmorLsCommand() *cobra.Command {
+func listCommand() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:           "ls",
 		Aliases:       []string{"list"},
 		Short:         "List the loaded AppArmor profiles",
 		Args:          cobra.NoArgs,
-		RunE:          apparmorLsAction,
+		RunE:          listAction,
 		SilenceUsage:  true,
 		SilenceErrors: true,
 	}
@@ -42,7 +42,7 @@ func newApparmorLsCommand() *cobra.Command {
 	return cmd
 }
 
-func processApparmorListOptions(cmd *cobra.Command) (types.ApparmorListOptions, error) {
+func listOptions(cmd *cobra.Command) (types.ApparmorListOptions, error) {
 	quiet, err := cmd.Flags().GetBool("quiet")
 	if err != nil {
 		return types.ApparmorListOptions{}, err
@@ -58,8 +58,8 @@ func processApparmorListOptions(cmd *cobra.Command) (types.ApparmorListOptions,
 	}, nil
 }
 
-func apparmorLsAction(cmd *cobra.Command, args []string) error {
-	options, err := processApparmorListOptions(cmd)
+func listAction(cmd *cobra.Command, args []string) error {
+	options, err := listOptions(cmd)
 	if err != nil {
 		return err
 	}

cmd/nerdctl/apparmor/apparmor_load_linux.go

@@ -25,18 +25,18 @@ import (
 	"github.com/containerd/nerdctl/v2/pkg/defaults"
 )
 
-func newApparmorLoadCommand() *cobra.Command {
+func loadCommand() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:           "load",
 		Short:         fmt.Sprintf("Load the default AppArmor profile %q. Requires root.", defaults.AppArmorProfileName),
 		Args:          cobra.NoArgs,
-		RunE:          apparmorLoadAction,
+		RunE:          loadAction,
 		SilenceUsage:  true,
 		SilenceErrors: true,
 	}
 	return cmd
 }
 
-func apparmorLoadAction(cmd *cobra.Command, args []string) error {
+func loadAction(cmd *cobra.Command, args []string) error {
 	return apparmor.Load()
 }

cmd/nerdctl/apparmor/apparmor_unload_linux.go

@@ -26,20 +26,20 @@ import (
 	"github.com/containerd/nerdctl/v2/pkg/defaults"
 )
 
-func newApparmorUnloadCommand() *cobra.Command {
+func unloadCommand() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:               "unload [PROFILE]",
 		Short:             fmt.Sprintf("Unload an AppArmor profile. The target profile name defaults to %q. Requires root.", defaults.AppArmorProfileName),
 		Args:              cobra.MaximumNArgs(1),
-		RunE:              apparmorUnloadAction,
-		ValidArgsFunction: apparmorUnloadShellComplete,
+		RunE:              unloadAction,
+		ValidArgsFunction: unloadShellComplete,
 		SilenceUsage:      true,
 		SilenceErrors:     true,
 	}
 	return cmd
 }
 
-func apparmorUnloadAction(cmd *cobra.Command, args []string) error {
+func unloadAction(cmd *cobra.Command, args []string) error {
 	target := defaults.AppArmorProfileName
 	if len(args) > 0 {
 		target = args[0]
@@ -47,6 +47,6 @@ func apparmorUnloadAction(cmd *cobra.Command, args []string) error {
 	return apparmor.Unload(target)
 }
 
-func apparmorUnloadShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+func unloadShellComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 	return completion.ApparmorProfiles(cmd)
 }

cmd/nerdctl/builder/builder.go

@@ -21,6 +21,7 @@ import (
 	"os"
 	"os/exec"
 	"strings"
+	"time"
 
 	"github.com/docker/go-units"
 	"github.com/spf13/cobra"
@@ -30,8 +31,8 @@ import (
 	"github.com/containerd/nerdctl/v2/pkg/cmd/builder"
 )
 
-func NewBuilderCommand() *cobra.Command {
-	var builderCommand = &cobra.Command{
+func Command() *cobra.Command {
+	var cmd = &cobra.Command{
 		Annotations:   map[string]string{helpers.Category: helpers.Management},
 		Use:           "builder",
 		Short:         "Manage builds",
@@ -39,34 +40,33 @@ func NewBuilderCommand() *cobra.Command {
 		SilenceUsage:  true,
 		SilenceErrors: true,
 	}
-	builderCommand.AddCommand(
-		NewBuildCommand(),
-		newBuilderPruneCommand(),
-		newBuilderDebugCommand(),
+	cmd.AddCommand(
+		BuildCommand(),
+		pruneCommand(),
+		debugCommand(),
 	)
-	return builderCommand
+	return cmd
 }
 
-func newBuilderPruneCommand() *cobra.Command {
+func pruneCommand() *cobra.Command {
 	shortHelp := `Clean up BuildKit build cache`
-	var buildPruneCommand = &cobra.Command{
+	var cmd = &cobra.Command{
 		Use:           "prune",
 		Args:          cobra.NoArgs,
 		Short:         shortHelp,
-		RunE:          builderPruneAction,
+		RunE:          pruneAction,
 		SilenceUsage:  true,
 		SilenceErrors: true,
 	}
 
-	helpers.AddStringFlag(buildPruneCommand, "buildkit-host", nil, "", "BUILDKIT_HOST", "BuildKit address")
-
-	buildPruneCommand.Flags().BoolP("all", "a", false, "Remove all unused build cache, not just dangling ones")
-	buildPruneCommand.Flags().BoolP("force", "f", false, "Do not prompt for confirmation")
-	return buildPruneCommand
+	cmd.Flags().String("buildkit-host", "", "BuildKit address")
+	cmd.Flags().BoolP("all", "a", false, "Remove all unused build cache, not just dangling ones")
+	cmd.Flags().BoolP("force", "f", false, "Do not prompt for confirmation")
+	return cmd
 }
 
-func builderPruneAction(cmd *cobra.Command, _ []string) error {
-	options, err := processBuilderPruneOptions(cmd)
+func pruneAction(cmd *cobra.Command, _ []string) error {
+	options, err := pruneOptions(cmd)
 	if err != nil {
 		return err
 	}
@@ -101,7 +101,7 @@ func builderPruneAction(cmd *cobra.Command, _ []string) error {
 	return nil
 }
 
-func processBuilderPruneOptions(cmd *cobra.Command) (types.BuilderPruneOptions, error) {
+func pruneOptions(cmd *cobra.Command) (types.BuilderPruneOptions, error) {
 	globalOptions, err := helpers.ProcessRootCmdFlags(cmd)
 	if err != nil {
 		return types.BuilderPruneOptions{}, err
@@ -131,26 +131,27 @@ func processBuilderPruneOptions(cmd *cobra.Command) (types.BuilderPruneOptions,
 	}, nil
 }
 
-func newBuilderDebugCommand() *cobra.Command {
+func debugCommand() *cobra.Command {
 	shortHelp := `Debug Dockerfile`
-	var buildDebugCommand = &cobra.Command{
+	var cmd = &cobra.Command{
 		Use:           "debug",
 		Short:         shortHelp,
 		PreRunE:       helpers.CheckExperimental("`nerdctl builder debug`"),
-		RunE:          builderDebugAction,
+		RunE:          debugAction,
 		SilenceUsage:  true,
 		SilenceErrors: true,
 	}
-	buildDebugCommand.Flags().StringP("file", "f", "", "Name of the Dockerfile")
-	buildDebugCommand.Flags().String("target", "", "Set the target build stage to build")
-	buildDebugCommand.Flags().StringArray("build-arg", nil, "Set build-time variables")
-	buildDebugCommand.Flags().String("image", "", "Image to use for debugging stage")
-	buildDebugCommand.Flags().StringArray("ssh", nil, "Allow forwarding SSH agent to the build. Format: default|<id>[=<socket>|<key>[,<key>]]")
-	buildDebugCommand.Flags().StringArray("secret", nil, "Expose secret value to the build. Format: id=secretname,src=filepath")
-	return buildDebugCommand
+	cmd.Flags().StringP("file", "f", "", "Name of the Dockerfile")
+	cmd.Flags().String("target", "", "Set the target build stage to build")
+	cmd.Flags().StringArray("build-arg", nil, "Set build-time variables")
+	cmd.Flags().String("image", "", "Image to use for debugging stage")
+	cmd.Flags().StringArray("ssh", nil, "Allow forwarding SSH agent to the build. Format: default|<id>[=<socket>|<key>[,<key>]]")
+	cmd.Flags().StringArray("secret", nil, "Expose secret value to the build. Format: id=secretname,src=filepath")
+	helpers.AddDurationFlag(cmd, "buildg-startup-timeout", nil, 1*time.Minute, "", "Timeout for starting up buildg")
+	return cmd
 }
 
-func builderDebugAction(cmd *cobra.Command, args []string) error {
+func debugAction(cmd *cobra.Command, args []string) error {
 	globalOptions, err := helpers.ProcessRootCmdFlags(cmd)
 	if err != nil {
 		return err
@@ -168,6 +169,12 @@ func builderDebugAction(cmd *cobra.Command, args []string) error {
 		buildgArgs = append([]string{"--debug"}, buildgArgs...)
 	}
 
+	startupTimeout, err := cmd.Flags().GetDuration("buildg-startup-timeout")
+	if err != nil {
+		return err
+	}
+	buildgArgs = append(buildgArgs, "--startup-timeout="+startupTimeout.String())
+
 	if file, err := cmd.Flags().GetString("file"); err != nil {
 		return err
 	} else if file != "" {

cmd/nerdctl/builder/builder_build.go

@@ -19,12 +19,13 @@ package builder
 import (
 	"errors"
 	"fmt"
-	"os"
 	"strconv"
 	"strings"
 
 	"github.com/spf13/cobra"
 
+	"github.com/containerd/log"
+
 	"github.com/containerd/nerdctl/v2/cmd/nerdctl/completion"
 	"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers"
 	"github.com/containerd/nerdctl/v2/pkg/api/types"
@@ -34,8 +35,8 @@ import (
 	"github.com/containerd/nerdctl/v2/pkg/strutil"
 )
 
-func NewBuildCommand() *cobra.Command {
-	var buildCommand = &cobra.Command{
+func BuildCommand() *cobra.Command {
+	var cmd = &cobra.Command{
 		Use:   "build [flags] PATH",
 		Short: "Build an image from a Dockerfile. Needs buildkitd to be running.",
 		Long: `Build an image from a Dockerfile. Needs buildkitd to be running.
@@ -44,43 +45,44 @@ If Dockerfile is not present and -f is not specified, it will look for Container
 		SilenceUsage:  true,
 		SilenceErrors: true,
 	}
-	helpers.AddStringFlag(buildCommand, "buildkit-host", nil, "", "BUILDKIT_HOST", "BuildKit address")
-	buildCommand.Flags().StringArrayP("tag", "t", nil, "Name and optionally a tag in the 'name:tag' format")
-	buildCommand.Flags().StringP("file", "f", "", "Name of the Dockerfile")
-	buildCommand.Flags().String("target", "", "Set the target build stage to build")
-	buildCommand.Flags().StringArray("build-arg", nil, "Set build-time variables")
-	buildCommand.Flags().Bool("no-cache", false, "Do not use cache when building the image")
-	buildCommand.Flags().StringP("output", "o", "", "Output destination (format: type=local,dest=path)")
-	buildCommand.Flags().String("progress", "auto", "Set type of progress output (auto, plain, tty). Use plain to show container output")
-	buildCommand.Flags().String("provenance", "", "Shorthand for \"--attest=type=provenance\"")
-	buildCommand.Flags().Bool("pull", false, "On true, always attempt to pull latest image version from remote. Default uses buildkit's default.")
-	buildCommand.Flags().StringArray("secret", nil, "Secret file to expose to the build: id=mysecret,src=/local/secret")
-	buildCommand.Flags().StringArray("allow", nil, "Allow extra privileged entitlement, e.g. network.host, security.insecure")
-	buildCommand.RegisterFlagCompletionFunc("allow", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+	cmd.Flags().String("buildkit-host", "", "BuildKit address")
+	cmd.Flags().StringArray("add-host", nil, "Add a custom host-to-IP mapping (format: \"host:ip\")")
+	cmd.Flags().StringArrayP("tag", "t", nil, "Name and optionally a tag in the 'name:tag' format")
+	cmd.Flags().StringP("file", "f", "", "Name of the Dockerfile")
+	cmd.Flags().String("target", "", "Set the target build stage to build")
+	cmd.Flags().StringArray("build-arg", nil, "Set build-time variables")
+	cmd.Flags().Bool("no-cache", false, "Do not use cache when building the image")
+	cmd.Flags().StringP("output", "o", "", "Output destination (format: type=local,dest=path)")
+	cmd.Flags().String("progress", "auto", "Set type of progress output (auto, plain, tty). Use plain to show container output")
+	cmd.Flags().String("provenance", "", "Shorthand for \"--attest=type=provenance\"")
+	cmd.Flags().Bool("pull", false, "On true, always attempt to pull latest image version from remote. Default uses buildkit's default.")
+	cmd.Flags().StringArray("secret", nil, "Secret file to expose to the build: id=mysecret,src=/local/secret")
+	cmd.Flags().StringArray("allow", nil, "Allow extra privileged entitlement, e.g. network.host, security.insecure")
+	cmd.RegisterFlagCompletionFunc("allow", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 		return []string{"network.host", "security.insecure"}, cobra.ShellCompDirectiveNoFileComp
 	})
-	buildCommand.Flags().StringArray("attest", nil, "Attestation parameters (format: \"type=sbom,generator=image\")")
-	buildCommand.Flags().StringArray("ssh", nil, "SSH agent socket or keys to expose to the build (format: default|<id>[=<socket>|<key>[,<key>]])")
-	buildCommand.Flags().BoolP("quiet", "q", false, "Suppress the build output and print image ID on success")
-	buildCommand.Flags().String("sbom", "", "Shorthand for \"--attest=type=sbom\"")
-	buildCommand.Flags().StringArray("cache-from", nil, "External cache sources (eg. user/app:cache, type=local,src=path/to/dir)")
-	buildCommand.Flags().StringArray("cache-to", nil, "Cache export destinations (eg. user/app:cache, type=local,dest=path/to/dir)")
-	buildCommand.Flags().Bool("rm", true, "Remove intermediate containers after a successful build")
-	buildCommand.Flags().String("network", "default", "Set type of network for build (format:network=default|none|host)")
-	buildCommand.RegisterFlagCompletionFunc("network", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+	cmd.Flags().StringArray("attest", nil, "Attestation parameters (format: \"type=sbom,generator=image\")")
+	cmd.Flags().StringArray("ssh", nil, "SSH agent socket or keys to expose to the build (format: default|<id>[=<socket>|<key>[,<key>]])")
+	cmd.Flags().BoolP("quiet", "q", false, "Suppress the build output and print image ID on success")
+	cmd.Flags().String("sbom", "", "Shorthand for \"--attest=type=sbom\"")
+	cmd.Flags().StringArray("cache-from", nil, "External cache sources (eg. user/app:cache, type=local,src=path/to/dir)")
+	cmd.Flags().StringArray("cache-to", nil, "Cache export destinations (eg. user/app:cache, type=local,dest=path/to/dir)")
+	cmd.Flags().Bool("rm", true, "Remove intermediate containers after a successful build")
+	cmd.Flags().String("network", "default", "Set type of network for build (format:network=default|none|host)")
+	cmd.RegisterFlagCompletionFunc("network", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 		return []string{"default", "host", "none"}, cobra.ShellCompDirectiveNoFileComp
 	})
 	// #region platform flags
 	// platform is defined as StringSlice, not StringArray, to allow specifying "--platform=amd64,arm64"
-	buildCommand.Flags().StringSlice("platform", []string{}, "Set target platform for build (e.g., \"amd64\", \"arm64\")")
-	buildCommand.RegisterFlagCompletionFunc("platform", completion.Platforms)
-	buildCommand.Flags().StringArray("build-context", []string{}, "Additional build contexts (e.g., name=path)")
+	cmd.Flags().StringSlice("platform", []string{}, "Set target platform for build (e.g., \"amd64\", \"arm64\")")
+	cmd.RegisterFlagCompletionFunc("platform", completion.Platforms)
+	cmd.Flags().StringArray("build-context", []string{}, "Additional build contexts (e.g., name=path)")
 	// #endregion
 
-	buildCommand.Flags().String("iidfile", "", "Write the image ID to the file")
-	buildCommand.Flags().StringArray("label", nil, "Set metadata for an image")
+	cmd.Flags().String("iidfile", "", "Write the image ID to the file")
+	cmd.Flags().StringArray("label", nil, "Set metadata for an image")
 
-	return buildCommand
+	return cmd
 }
 
 func processBuildCommandFlag(cmd *cobra.Command, args []string) (types.BuilderBuildOptions, error) {
@@ -92,6 +94,10 @@ func processBuildCommandFlag(cmd *cobra.Command, args []string) (types.BuilderBu
 	if err != nil {
 		return types.BuilderBuildOptions{}, err
 	}
+	extraHosts, err := cmd.Flags().GetStringArray("add-host")
+	if err != nil {
+		return types.BuilderBuildOptions{}, err
+	}
 	platform, err := cmd.Flags().GetStringSlice("platform")
 	if err != nil {
 		return types.BuilderBuildOptions{}, err
@@ -204,6 +210,13 @@ func processBuildCommandFlag(cmd *cobra.Command, args []string) (types.BuilderBu
 		return types.BuilderBuildOptions{}, err
 	}
 
+	usernsRemap, err := cmd.Flags().GetString("userns-remap")
+	if err != nil {
+		return types.BuilderBuildOptions{}, err
+	} else if usernsRemap != "" {
+		log.L.Warn("userns remap is not supported with nerdctl build. dropping the config.")
+	}
+
 	return types.BuilderBuildOptions{
 		GOptions:             globalOptions,
 		BuildKitHost:         buildKitHost,
@@ -232,11 +245,12 @@ func processBuildCommandFlag(cmd *cobra.Command, args []string) (types.BuilderBu
 		Stdin:                cmd.InOrStdin(),
 		NetworkMode:          network,
 		ExtendedBuildContext: extendedBuildCtx,
+		ExtraHosts:           extraHosts,
 	}, nil
 }
 
 func GetBuildkitHost(cmd *cobra.Command, namespace string) (string, error) {
-	if cmd.Flags().Changed("buildkit-host") || os.Getenv("BUILDKIT_HOST") != "" {
+	if cmd.Flags().Changed("buildkit-host") {
 		// If address is explicitly specified, use it.
 		buildkitHost, err := cmd.Flags().GetString("buildkit-host")
 		if err != nil {
@@ -247,6 +261,7 @@ func GetBuildkitHost(cmd *cobra.Command, namespace string) (string, error) {
 		}
 		return buildkitHost, nil
 	}
+
 	return buildkitutil.GetBuildkitHost(namespace)
 }
 

cmd/nerdctl/builder/builder_build_oci_layout_test.go

@@ -18,16 +18,19 @@ package builder
 
 import (
 	"fmt"
-	"os"
 	"path/filepath"
 	"strings"
 	"testing"
 
 	"gotest.tools/v3/assert"
 
+	"github.com/containerd/nerdctl/mod/tigron/expect"
+	"github.com/containerd/nerdctl/mod/tigron/require"
+	"github.com/containerd/nerdctl/mod/tigron/test"
+	"github.com/containerd/nerdctl/mod/tigron/tig"
+
 	"github.com/containerd/nerdctl/v2/pkg/testutil"
 	"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest"
-	"github.com/containerd/nerdctl/v2/pkg/testutil/test"
 )
 
 func TestBuildContextWithOCILayout(t *testing.T) {
@@ -36,23 +39,23 @@ func TestBuildContextWithOCILayout(t *testing.T) {
 	var dockerBuilderArgs []string
 
 	testCase := &test.Case{
-		Require: test.Require(
+		Require: require.All(
 			nerdtest.Build,
-			test.Not(test.Windows),
+			require.Not(require.Windows),
 		),
 		Cleanup: func(data test.Data, helpers test.Helpers) {
 			if nerdtest.IsDocker() {
-				helpers.Anyhow("buildx", "stop", data.Identifier("-container"))
-				helpers.Anyhow("buildx", "rm", "--force", data.Identifier("-container"))
+				helpers.Anyhow("buildx", "stop", data.Identifier("container"))
+				helpers.Anyhow("buildx", "rm", "--force", data.Identifier("container"))
 			}
-			helpers.Anyhow("rmi", "-f", data.Identifier("-parent"))
-			helpers.Anyhow("rmi", "-f", data.Identifier("-child"))
+			helpers.Anyhow("rmi", "-f", data.Identifier("parent"))
+			helpers.Anyhow("rmi", "-f", data.Identifier("child"))
 		},
 		Setup: func(data test.Data, helpers test.Helpers) {
 			// Default docker driver does not support OCI exporter.
 			// Reference: https://docs.docker.com/build/exporters/oci-docker/
 			if nerdtest.IsDocker() {
-				name := data.Identifier("-container")
+				name := data.Identifier("container")
 				helpers.Ensure("buildx", "create", "--name", name, "--driver=docker-container")
 				dockerBuilderArgs = []string{"buildx", "--builder", name}
 			}
@@ -61,25 +64,21 @@ func TestBuildContextWithOCILayout(t *testing.T) {
 LABEL layer=oci-layout-parent
 CMD ["echo", "test-nerdctl-build-context-oci-layout-parent"]`, testutil.CommonImage)
 
-			buildCtx := data.TempDir()
-			err := os.WriteFile(filepath.Join(buildCtx, "Dockerfile"), []byte(dockerfile), 0o600)
-			assert.NilError(helpers.T(), err)
+			data.Temp().Save(dockerfile, "Dockerfile")
+			dest := data.Temp().Dir("parent")
+			tarPath := data.Temp().Path("parent.tar")
 
-			tarPath := filepath.Join(buildCtx, "parent.tar")
-			dest := filepath.Join(buildCtx, "parent")
-			assert.NilError(helpers.T(), os.MkdirAll(dest, 0o700))
-			helpers.Ensure("build", buildCtx, "--tag", data.Identifier("-parent"))
-			helpers.Ensure("image", "save", "--output", tarPath, data.Identifier("-parent"))
-			helpers.Custom("tar", "Cxf", dest, tarPath).Run(&test.Expected{})
+			helpers.Ensure("build", data.Temp().Path(), "--tag", data.Identifier("parent"))
+			helpers.Ensure("image", "save", "--output", tarPath, data.Identifier("parent"))
+			helpers.Custom("tar", "Cxf", dest, tarPath).Run(&test.Expected{
+				ExitCode: expect.ExitCodeSuccess,
+			})
 		},
 
 		Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
 			dockerfile := `FROM parent
 CMD ["echo", "test-nerdctl-build-context-oci-layout"]`
-
-			buildCtx := data.TempDir()
-			err := os.WriteFile(filepath.Join(buildCtx, "Dockerfile"), []byte(dockerfile), 0o600)
-			assert.NilError(helpers.T(), err)
+			data.Temp().Save(dockerfile, "Dockerfile")
 
 			var cmd test.TestableCommand
 			if nerdtest.IsDocker() {
@@ -87,7 +86,13 @@ CMD ["echo", "test-nerdctl-build-context-oci-layout"]`
 			} else {
 				cmd = helpers.Command()
 			}
-			cmd.WithArgs("build", buildCtx, fmt.Sprintf("--build-context=parent=oci-layout://%s", filepath.Join(buildCtx, "parent")), "--tag", data.Identifier("-child"))
+			cmd.WithArgs(
+				"build",
+				data.Temp().Path(),
+				fmt.Sprintf("--build-context=parent=oci-layout://%s", filepath.Join(data.Temp().Path(), "parent")),
+				"--tag",
+				data.Identifier("child"),
+			)
 			if nerdtest.IsDocker() {
 				// Need to load the container image from the builder to be able to run it.
 				cmd.WithArgs("--load")
@@ -96,8 +101,14 @@ CMD ["echo", "test-nerdctl-build-context-oci-layout"]`
 		},
 		Expected: func(data test.Data, helpers test.Helpers) *test.Expected {
 			return &test.Expected{
-				Output: func(stdout string, info string, t *testing.T) {
-					assert.Assert(t, strings.Contains(helpers.Capture("run", "--rm", data.Identifier("-child")), "test-nerdctl-build-context-oci-layout"), info)
+				Output: func(stdout string, t tig.T) {
+					assert.Assert(
+						t,
+						strings.Contains(
+							helpers.Capture("run", "--rm", data.Identifier("child")),
+							"test-nerdctl-build-context-oci-layout",
+						),
+					)
 				},
 			}
 		},

cmd/nerdctl/builder/builder_builder_test.go

@@ -17,18 +17,22 @@
 package builder
 
 import (
-	"bytes"
 	"errors"
 	"fmt"
-	"os"
 	"path/filepath"
+	"strings"
 	"testing"
 
 	"gotest.tools/v3/assert"
 
+	"github.com/containerd/nerdctl/mod/tigron/expect"
+	"github.com/containerd/nerdctl/mod/tigron/require"
+	"github.com/containerd/nerdctl/mod/tigron/test"
+
+	"github.com/containerd/nerdctl/v2/pkg/buildkitutil"
+	"github.com/containerd/nerdctl/v2/pkg/referenceutil"
 	"github.com/containerd/nerdctl/v2/pkg/testutil"
 	"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest"
-	"github.com/containerd/nerdctl/v2/pkg/testutil/test"
 )
 
 func TestBuilder(t *testing.T) {
@@ -36,9 +40,9 @@ func TestBuilder(t *testing.T) {
 
 	testCase := &test.Case{
 		NoParallel: true,
-		Require: test.Require(
+		Require: require.All(
 			nerdtest.Build,
-			test.Not(test.Windows),
+			require.Not(require.Windows),
 		),
 		SubTests: []*test.Case{
 			{
@@ -47,10 +51,8 @@ func TestBuilder(t *testing.T) {
 				Setup: func(data test.Data, helpers test.Helpers) {
 					dockerfile := fmt.Sprintf(`FROM %s
 CMD ["echo", "nerdctl-test-builder-prune"]`, testutil.CommonImage)
-					buildCtx := data.TempDir()
-					err := os.WriteFile(filepath.Join(buildCtx, "Dockerfile"), []byte(dockerfile), 0o600)
-					assert.NilError(helpers.T(), err)
-					helpers.Ensure("build", buildCtx)
+					data.Temp().Save(dockerfile, "Dockerfile")
+					helpers.Ensure("build", data.Temp().Path())
 				},
 				Command:  test.Command("builder", "prune", "--force"),
 				Expected: test.Expects(0, nil, nil),
@@ -61,61 +63,127 @@ CMD ["echo", "nerdctl-test-builder-prune"]`, testutil.CommonImage)
 				Setup: func(data test.Data, helpers test.Helpers) {
 					dockerfile := fmt.Sprintf(`FROM %s
 CMD ["echo", "nerdctl-test-builder-prune"]`, testutil.CommonImage)
-					buildCtx := data.TempDir()
-					err := os.WriteFile(filepath.Join(buildCtx, "Dockerfile"), []byte(dockerfile), 0o600)
-					assert.NilError(helpers.T(), err)
-					helpers.Ensure("build", buildCtx)
+					data.Temp().Save(dockerfile, "Dockerfile")
+					helpers.Ensure("build", data.Temp().Path())
 				},
 				Command:  test.Command("builder", "prune", "--force", "--all"),
 				Expected: test.Expects(0, nil, nil),
 			},
 			{
-				Description: "Debug",
+				Description: "builder with buildkit-host",
 				NoParallel:  true,
+				Require:     require.Not(nerdtest.Docker),
+				Setup: func(data test.Data, helpers test.Helpers) {
+					// Get BuildkitAddr
+					buildkitAddr, err := buildkitutil.GetBuildkitHost(testutil.Namespace)
+					assert.NilError(helpers.T(), err)
+					buildkitAddr = strings.TrimPrefix(buildkitAddr, "unix://")
+
+					// Symlink the buildkit Socket for testing
+					symlinkedBuildkitAddr := filepath.Join(data.Temp().Path(), "buildkit.sock")
+					data.Labels().Set("symlinkedBuildkitAddr", symlinkedBuildkitAddr)
+
+					// Do a negative test to check the setup
+					helpers.Fail("builder", "prune", "--force", "--buildkit-host", fmt.Sprintf("unix://%s", symlinkedBuildkitAddr))
+
+					// Test build with the symlinked socket
+					cmd := helpers.Custom("ln", "-s", buildkitAddr, symlinkedBuildkitAddr)
+					cmd.Run(&test.Expected{
+						ExitCode: 0,
+					})
+
+				},
+				Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+					return helpers.Command("builder", "prune", "--force", "--buildkit-host", fmt.Sprintf("unix://%s", data.Labels().Get("symlinkedBuildkitAddr")))
+				},
+				Expected: test.Expects(0, nil, nil),
+			},
+			{
+				Description: "builder with env",
+				NoParallel:  true,
+				Require:     require.Not(nerdtest.Docker),
+				Setup: func(data test.Data, helpers test.Helpers) {
+					// Get BuildkitAddr
+					buildkitAddr, err := buildkitutil.GetBuildkitHost(testutil.Namespace)
+					assert.NilError(helpers.T(), err)
+					buildkitAddr = strings.TrimPrefix(buildkitAddr, "unix://")
+
+					// Symlink the buildkit Socket for testing
+					symlinkedBuildkitAddr := filepath.Join(data.Temp().Path(), "buildkit-env.sock")
+					data.Labels().Set("symlinkedBuildkitAddr", symlinkedBuildkitAddr)
+
+					// Do a negative test to ensure setting up the env variable is effective
+					cmd := helpers.Command("builder", "prune", "--force")
+					cmd.Setenv("BUILDKIT_HOST", fmt.Sprintf("unix://%s", symlinkedBuildkitAddr))
+					cmd.Run(&test.Expected{ExitCode: expect.ExitCodeGenericFail})
+
+					// Symlink the buildkit socket for testing
+					cmd = helpers.Custom("ln", "-s", buildkitAddr, symlinkedBuildkitAddr)
+					cmd.Run(&test.Expected{
+						ExitCode: 0,
+					})
+				},
+				Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+					symlinkedBuildkitAddr := data.Labels().Get("symlinkedBuildkitAddr")
+					cmd := helpers.Command("builder", "prune", "--force")
+					cmd.Setenv("BUILDKIT_HOST", fmt.Sprintf("unix://%s", symlinkedBuildkitAddr))
+					return cmd
+				},
+				Expected: test.Expects(0, nil, nil),
+			},
+			{
+				Description: "Debug",
+				// `nerdctl builder debug` is currently incompatible with `docker buildx debug`.
+				Require:    require.All(require.Not(nerdtest.Docker)),
+				NoParallel: true,
 				Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
 					dockerfile := fmt.Sprintf(`FROM %s
 CMD ["echo", "nerdctl-builder-debug-test-string"]`, testutil.CommonImage)
-					buildCtx := data.TempDir()
-					err := os.WriteFile(filepath.Join(buildCtx, "Dockerfile"), []byte(dockerfile), 0o600)
-					assert.NilError(helpers.T(), err)
-					cmd := helpers.Command("builder", "debug", buildCtx)
-					cmd.WithStdin(bytes.NewReader([]byte("c\n")))
+					data.Temp().Save(dockerfile, "Dockerfile")
+					cmd := helpers.Command("builder", "debug", data.Temp().Path())
+					cmd.Feed(strings.NewReader("c\n"))
 					return cmd
 				},
 				Expected: test.Expects(0, nil, nil),
 			},
 			{
 				Description: "WithPull",
+				NoParallel:  true,
 				Setup: func(data test.Data, helpers test.Helpers) {
 					// FIXME: this test should be rewritten to dynamically retrieve the ids, and use images
 					// available on all platforms
 					oldImage := testutil.BusyboxImage
-					oldImageSha := "141c253bc4c3fd0a201d32dc1f493bcf3fff003b6df416dea4f41046e0f37d47"
+					parsedOldImage, err := referenceutil.Parse(oldImage)
+					assert.NilError(helpers.T(), err)
+					oldImageSha := parsedOldImage.Digest.String()
+
 					newImage := testutil.AlpineImage
-					newImageSha := "ec14c7992a97fc11425907e908340c6c3d6ff602f5f13d899e6b7027c9b4133a"
+					parsedNewImage, err := referenceutil.Parse(newImage)
+					assert.NilError(helpers.T(), err)
+					newImageSha := parsedNewImage.Digest.String()
 
 					helpers.Ensure("pull", "--quiet", oldImage)
-					helpers.Ensure("tag", oldImage, newImage)
+					helpers.Ensure("tag", oldImage, parsedNewImage.Domain+"/"+parsedNewImage.Path+":"+parsedNewImage.Tag)
 
-					dockerfile := fmt.Sprintf(`FROM %s`, newImage)
-					buildCtx := data.TempDir()
-					err := os.WriteFile(filepath.Join(buildCtx, "Dockerfile"), []byte(dockerfile), 0o600)
-					assert.NilError(helpers.T(), err)
-
-					data.Set("buildCtx", buildCtx)
-					data.Set("oldImageSha", oldImageSha)
-					data.Set("newImageSha", newImageSha)
+					dockerfile := fmt.Sprintf(`FROM %s`, parsedNewImage.Domain+"/"+parsedNewImage.Path+":"+parsedNewImage.Tag)
+					data.Temp().Save(dockerfile, "Dockerfile")
+					data.Labels().Set("oldImageSha", oldImageSha)
+					data.Labels().Set("newImageSha", newImageSha)
+					data.Labels().Set("base", data.Temp().Dir())
+				},
+				Cleanup: func(data test.Data, helpers test.Helpers) {
+					helpers.Anyhow("rmi", testutil.AlpineImage)
 				},
 				SubTests: []*test.Case{
 					{
 						Description: "pull false",
 						NoParallel:  true,
 						Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
-							return helpers.Command("build", data.Get("buildCtx"), "--pull=false")
+							return helpers.Command("build", data.Labels().Get("base"), "--pull=false")
 						},
 						Expected: func(data test.Data, helpers test.Helpers) *test.Expected {
 							return &test.Expected{
-								Errors: []error{errors.New(data.Get("oldImageSha"))},
+								Errors: []error{errors.New(data.Labels().Get("oldImageSha"))},
 							}
 						},
 					},
@@ -123,11 +191,11 @@ CMD ["echo", "nerdctl-builder-debug-test-string"]`, testutil.CommonImage)
 						Description: "pull true",
 						NoParallel:  true,
 						Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
-							return helpers.Command("build", data.Get("buildCtx"), "--pull=true")
+							return helpers.Command("build", data.Labels().Get("base"), "--pull=true")
 						},
 						Expected: func(data test.Data, helpers test.Helpers) *test.Expected {
 							return &test.Expected{
-								Errors: []error{errors.New(data.Get("newImageSha"))},
+								Errors: []error{errors.New(data.Labels().Get("newImageSha"))},
 							}
 						},
 					},
@@ -135,11 +203,11 @@ CMD ["echo", "nerdctl-builder-debug-test-string"]`, testutil.CommonImage)
 						Description: "no pull",
 						NoParallel:  true,
 						Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
-							return helpers.Command("build", data.Get("buildCtx"))
+							return helpers.Command("build", data.Labels().Get("base"))
 						},
 						Expected: func(data test.Data, helpers test.Helpers) *test.Expected {
 							return &test.Expected{
-								Errors: []error{errors.New(data.Get("newImageSha"))},
+								Errors: []error{errors.New(data.Labels().Get("newImageSha"))},
 							}
 						},
 					},

cmd/nerdctl/completion/completion.go

@@ -164,6 +164,7 @@ func Platforms(cmd *cobra.Command, args []string, toComplete string) ([]string,
 		"riscv64",
 		"ppc64le",
 		"s390x",
+		"loong64",
 		"386",
 		"arm",          // alias of "linux/arm/v7"
 		"linux/arm/v6", // "arm/v6" is invalid (interpreted as OS="arm", Arch="v7")

cmd/nerdctl/completion/completion_test.go

@@ -17,11 +17,15 @@
 package completion
 
 import (
+	"os/exec"
 	"testing"
 
+	"github.com/containerd/nerdctl/mod/tigron/expect"
+	"github.com/containerd/nerdctl/mod/tigron/require"
+	"github.com/containerd/nerdctl/mod/tigron/test"
+
 	"github.com/containerd/nerdctl/v2/pkg/testutil"
 	"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest"
-	"github.com/containerd/nerdctl/v2/pkg/testutil/test"
 )
 
 func TestMain(m *testing.M) {
@@ -31,65 +35,69 @@ func TestMain(m *testing.M) {
 func TestCompletion(t *testing.T) {
 	nerdtest.Setup()
 
+	// Note: some functions need to be tested without the automatic --namespace nerdctl-test argument, so we need
+	// to retrieve the binary name.
+	// Note that we know this works already, so no need to assert err.
+	bin, _ := exec.LookPath(testutil.GetTarget())
+
 	testCase := &test.Case{
-		Require: test.Not(nerdtest.Docker),
+		Require: require.Not(nerdtest.Docker),
 		Setup: func(data test.Data, helpers test.Helpers) {
+			identifier := data.Identifier()
 			helpers.Ensure("pull", "--quiet", testutil.CommonImage)
-			helpers.Ensure("network", "create", data.Identifier())
-			helpers.Ensure("volume", "create", data.Identifier())
-			data.Set("identifier", data.Identifier())
+			helpers.Ensure("network", "create", identifier)
+			helpers.Ensure("volume", "create", identifier)
+			data.Labels().Set("identifier", identifier)
 		},
 		Cleanup: func(data test.Data, helpers test.Helpers) {
-			helpers.Anyhow("network", "rm", data.Identifier())
-			helpers.Anyhow("volume", "rm", data.Identifier())
+			identifier := data.Identifier()
+			helpers.Anyhow("network", "rm", identifier)
+			helpers.Anyhow("volume", "rm", identifier)
 		},
 		SubTests: []*test.Case{
 			{
 				Description: "--cgroup-manager",
-				Require:     test.Not(test.Windows),
+				Require:     require.Not(require.Windows),
 				Command:     test.Command("__complete", "--cgroup-manager", ""),
-				Expected:    test.Expects(0, nil, test.Contains("cgroupfs\n")),
+				Expected:    test.Expects(0, nil, expect.Contains("cgroupfs\n")),
 			},
 			{
 				Description: "--snapshotter",
-				Require:     test.Not(test.Windows),
+				Require:     require.Not(require.Windows),
 				Command:     test.Command("__complete", "--snapshotter", ""),
-				Expected:    test.Expects(0, nil, test.Contains("native\n")),
+				Expected:    test.Expects(0, nil, expect.Contains("native\n")),
 			},
 			{
 				Description: "empty",
 				Command:     test.Command("__complete", ""),
-				Expected:    test.Expects(0, nil, test.Contains("run\t")),
+				Expected:    test.Expects(0, nil, expect.Contains("run\t")),
 			},
 			{
 				Description: "build --network",
 				Command:     test.Command("__complete", "build", "--network", ""),
-				Expected:    test.Expects(0, nil, test.Contains("default\n")),
+				Expected:    test.Expects(0, nil, expect.Contains("default\n")),
 			},
 			{
 				Description: "run -",
 				Command:     test.Command("__complete", "run", "-"),
-				Expected:    test.Expects(0, nil, test.Contains("--network\t")),
+				Expected:    test.Expects(0, nil, expect.Contains("--network\t")),
 			},
 			{
 				Description: "run --n",
 				Command:     test.Command("__complete", "run", "--n"),
-				Expected:    test.Expects(0, nil, test.Contains("--network\t")),
+				Expected:    test.Expects(0, nil, expect.Contains("--network\t")),
 			},
 			{
 				Description: "run --ne",
 				Command:     test.Command("__complete", "run", "--ne"),
-				Expected:    test.Expects(0, nil, test.Contains("--network\t")),
+				Expected:    test.Expects(0, nil, expect.Contains("--network\t")),
 			},
 			{
 				Description: "run --net",
 				Command:     test.Command("__complete", "run", "--net", ""),
 				Expected: func(data test.Data, helpers test.Helpers) *test.Expected {
 					return &test.Expected{
-						Output: test.All(
-							test.Contains("host\n"),
-							test.Contains(data.Get("identifier")+"\n"),
-						),
+						Output: expect.Contains("host\n", data.Labels().Get("identifier")+"\n"),
 					}
 				},
 			},
@@ -98,10 +106,7 @@ func TestCompletion(t *testing.T) {
 				Command:     test.Command("__complete", "run", "-it", "--net", ""),
 				Expected: func(data test.Data, helpers test.Helpers) *test.Expected {
 					return &test.Expected{
-						Output: test.All(
-							test.Contains("host\n"),
-							test.Contains(data.Get("identifier")+"\n"),
-						),
+						Output: expect.Contains("host\n", data.Labels().Get("identifier")+"\n"),
 					}
 				},
 			},
@@ -110,37 +115,34 @@ func TestCompletion(t *testing.T) {
 				Command:     test.Command("__complete", "run", "-it", "--rm", "--net", ""),
 				Expected: func(data test.Data, helpers test.Helpers) *test.Expected {
 					return &test.Expected{
-						Output: test.All(
-							test.Contains("host\n"),
-							test.Contains(data.Get("identifier")+"\n"),
-						),
+						Output: expect.Contains("host\n", data.Labels().Get("identifier")+"\n"),
 					}
 				},
 			},
 			{
 				Description: "run --restart",
 				Command:     test.Command("__complete", "run", "--restart", ""),
-				Expected:    test.Expects(0, nil, test.Contains("always\n")),
+				Expected:    test.Expects(0, nil, expect.Contains("always\n")),
 			},
 			{
 				Description: "network --rm",
 				Command:     test.Command("__complete", "network", "rm", ""),
 				Expected: func(data test.Data, helpers test.Helpers) *test.Expected {
 					return &test.Expected{
-						Output: test.All(
-							test.DoesNotContain("host\n"),
-							test.Contains(data.Get("identifier")+"\n"),
+						Output: expect.All(
+							expect.DoesNotContain("host\n"),
+							expect.Contains(data.Labels().Get("identifier")+"\n"),
 						),
 					}
 				},
 			},
 			{
 				Description: "run --cap-add",
-				Require:     test.Not(test.Windows),
+				Require:     require.Not(require.Windows),
 				Command:     test.Command("__complete", "run", "--cap-add", ""),
-				Expected: test.Expects(0, nil, test.All(
-					test.Contains("sys_admin\n"),
-					test.DoesNotContain("CAP_SYS_ADMIN\n"),
+				Expected: test.Expects(0, nil, expect.All(
+					expect.Contains("sys_admin\n"),
+					expect.DoesNotContain("CAP_SYS_ADMIN\n"),
 				)),
 			},
 			{
@@ -148,7 +150,7 @@ func TestCompletion(t *testing.T) {
 				Command:     test.Command("__complete", "volume", "inspect", ""),
 				Expected: func(data test.Data, helpers test.Helpers) *test.Expected {
 					return &test.Expected{
-						Output: test.Contains(data.Get("identifier") + "\n"),
+						Output: expect.Contains(data.Labels().Get("identifier") + "\n"),
 					}
 				},
 			},
@@ -157,55 +159,55 @@ func TestCompletion(t *testing.T) {
 				Command:     test.Command("__complete", "volume", "rm", ""),
 				Expected: func(data test.Data, helpers test.Helpers) *test.Expected {
 					return &test.Expected{
-						Output: test.Contains(data.Get("identifier") + "\n"),
+						Output: expect.Contains(data.Labels().Get("identifier") + "\n"),
 					}
 				},
 			},
 			{
-				Description: "no namespace --cgroup-manager",
-				Require:     test.Not(test.Windows),
+				Description: "--cgroup-manager",
+				Require:     require.Not(require.Windows),
 				Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
-					return helpers.Custom("nerdctl", "__complete", "--cgroup-manager", "")
+					return helpers.Command("__complete", "--cgroup-manager", "")
 				},
-				Expected: test.Expects(0, nil, test.Contains("cgroupfs\n")),
+				Expected: test.Expects(0, nil, expect.Contains("cgroupfs\n")),
 			},
 			{
-				Description: "no namespace empty",
+				Description: "empty",
 				Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
-					return helpers.Custom("nerdctl", "__complete", "")
+					return helpers.Command("__complete", "")
 				},
-				Expected: test.Expects(0, nil, test.Contains("run\t")),
+				Expected: test.Expects(0, nil, expect.Contains("run\t")),
 			},
 			{
 				Description: "namespace space empty",
 				Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
 					// mind {"--namespace=nerdctl-test"} vs {"--namespace", "nerdctl-test"}
-					return helpers.Custom("nerdctl", "__complete", "--namespace", string(helpers.Read(nerdtest.Namespace)), "")
+					return helpers.Custom(bin, "__complete", "--namespace", string(helpers.Read(nerdtest.Namespace)), "")
 				},
-				Expected: test.Expects(0, nil, test.Contains("run\t")),
+				Expected: test.Expects(0, nil, expect.Contains("run\t")),
 			},
 			{
 				Description: "run -i",
 				Command:     test.Command("__complete", "run", "-i", ""),
-				Expected:    test.Expects(0, nil, test.Contains(testutil.CommonImage)),
+				Expected:    test.Expects(0, nil, expect.Contains(testutil.CommonImage)),
 			},
 			{
 				Description: "run -it",
 				Command:     test.Command("__complete", "run", "-it", ""),
-				Expected:    test.Expects(0, nil, test.Contains(testutil.CommonImage)),
+				Expected:    test.Expects(0, nil, expect.Contains(testutil.CommonImage)),
 			},
 			{
 				Description: "run -it --rm",
 				Command:     test.Command("__complete", "run", "-it", "--rm", ""),
-				Expected:    test.Expects(0, nil, test.Contains(testutil.CommonImage)),
+				Expected:    test.Expects(0, nil, expect.Contains(testutil.CommonImage)),
 			},
 			{
 				Description: "namespace run -i",
 				Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
 					// mind {"--namespace=nerdctl-test"} vs {"--namespace", "nerdctl-test"}
-					return helpers.Custom("nerdctl", "__complete", "--namespace", string(helpers.Read(nerdtest.Namespace)), "run", "-i", "")
+					return helpers.Custom(bin, "__complete", "--namespace", string(helpers.Read(nerdtest.Namespace)), "run", "-i", "")
 				},
-				Expected: test.Expects(0, nil, test.Contains(testutil.CommonImage+"\n")),
+				Expected: test.Expects(0, nil, expect.Contains(testutil.CommonImage+"\n")),
 			},
 		},
 	}

cmd/nerdctl/completion/completion_unix.go

@@ -38,6 +38,49 @@ func IPAMDrivers(cmd *cobra.Command, args []string, toComplete string) ([]string
 	return []string{"default", "host-local", "dhcp"}, cobra.ShellCompDirectiveNoFileComp
 }
 
+func NetworkOptions(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+	driver, _ := cmd.Flags().GetString("driver")
+	if driver == "" {
+		driver = "bridge"
+	}
+
+	var candidates []string
+	switch driver {
+	case "bridge":
+		candidates = []string{
+			"mtu=",
+			"com.docker.network.driver.mtu=",
+			"ip-masq=",
+			"com.docker.network.bridge.enable_ip_masquerade=",
+		}
+	case "macvlan":
+		candidates = []string{
+			"mtu=",
+			"com.docker.network.driver.mtu=",
+			"mode=bridge",
+			"macvlan_mode=bridge",
+			"parent=",
+		}
+	case "ipvlan":
+		candidates = []string{
+			"mtu=",
+			"com.docker.network.driver.mtu=",
+			"mode=l2",
+			"mode=l3",
+			"ipvlan_mode=l2",
+			"ipvlan_mode=l3",
+			"parent=",
+		}
+	default:
+		candidates = []string{
+			"mtu=",
+			"com.docker.network.driver.mtu=",
+			"parent=",
+		}
+	}
+	return candidates, cobra.ShellCompDirectiveNoSpace
+}
+
 func NamespaceNames(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 	globalOptions, err := helpers.ProcessRootCmdFlags(cmd)
 	if err != nil {

cmd/nerdctl/completion/completion_unix_nolinux.go

@@ -1,3 +1,5 @@
+//go:build unix && !linux
+
 /*
    Copyright The containerd Authors.
 

cmd/nerdctl/completion/completion_windows.go

@@ -38,3 +38,25 @@ func NetworkDrivers(cmd *cobra.Command, args []string, toComplete string) ([]str
 func IPAMDrivers(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 	return []string{"default"}, cobra.ShellCompDirectiveNoFileComp
 }
+
+func NetworkOptions(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+	driver, _ := cmd.Flags().GetString("driver")
+	if driver == "" {
+		driver = "nat"
+	}
+
+	var candidates []string
+	switch driver {
+	case "nat":
+		candidates = []string{
+			"mtu=",
+			"com.docker.network.driver.mtu=",
+		}
+	default:
+		candidates = []string{
+			"mtu=",
+			"com.docker.network.driver.mtu=",
+		}
+	}
+	return candidates, cobra.ShellCompDirectiveNoSpace
+}

cmd/nerdctl/compose/compose.go

@@ -23,8 +23,8 @@ import (
 	"github.com/containerd/nerdctl/v2/pkg/composer"
 )
 
-func NewComposeCommand() *cobra.Command {
-	var composeCommand = &cobra.Command{
+func Command() *cobra.Command {
+	var cmd = &cobra.Command{
 		Use:              "compose [flags] COMMAND",
 		Short:            "Compose",
 		RunE:             helpers.UnknownSubcommandAction,
@@ -33,40 +33,40 @@ func NewComposeCommand() *cobra.Command {
 		TraverseChildren: true, // required for global short hands like -f
 	}
 	// `-f` is a nonPersistentAlias, as it conflicts with `nerdctl compose logs --follow`
-	helpers.AddPersistentStringArrayFlag(composeCommand, "file", nil, []string{"f"}, nil, "", "Specify an alternate compose file")
-	composeCommand.PersistentFlags().String("project-directory", "", "Specify an alternate working directory")
-	composeCommand.PersistentFlags().StringP("project-name", "p", "", "Specify an alternate project name")
-	composeCommand.PersistentFlags().String("env-file", "", "Specify an alternate environment file")
-	composeCommand.PersistentFlags().String("ipfs-address", "", "multiaddr of IPFS API (default uses $IPFS_PATH env variable if defined or local directory ~/.ipfs)")
-	composeCommand.PersistentFlags().StringArray("profile", []string{}, "Specify a profile to enable")
+	helpers.AddPersistentStringArrayFlag(cmd, "file", nil, []string{"f"}, nil, "", "Specify an alternate compose file")
+	cmd.PersistentFlags().String("project-directory", "", "Specify an alternate working directory")
+	cmd.PersistentFlags().StringP("project-name", "p", "", "Specify an alternate project name")
+	cmd.PersistentFlags().String("env-file", "", "Specify an alternate environment file")
+	cmd.PersistentFlags().String("ipfs-address", "", "multiaddr of IPFS API (default uses $IPFS_PATH env variable if defined or local directory ~/.ipfs)")
+	cmd.PersistentFlags().StringArray("profile", []string{}, "Specify a profile to enable")
 
-	composeCommand.AddCommand(
-		newComposeUpCommand(),
-		newComposeLogsCommand(),
-		newComposeConfigCommand(),
-		newComposeCopyCommand(),
-		newComposeBuildCommand(),
-		newComposeExecCommand(),
-		newComposeImagesCommand(),
-		newComposePortCommand(),
-		newComposePushCommand(),
-		newComposePullCommand(),
-		newComposeDownCommand(),
-		newComposePsCommand(),
-		newComposeKillCommand(),
-		newComposeRestartCommand(),
-		newComposeRemoveCommand(),
-		newComposeRunCommand(),
-		newComposeVersionCommand(),
-		newComposeStartCommand(),
-		newComposeStopCommand(),
-		newComposePauseCommand(),
-		newComposeUnpauseCommand(),
-		newComposeTopCommand(),
-		newComposeCreateCommand(),
+	cmd.AddCommand(
+		upCommand(),
+		logsCommand(),
+		configCommand(),
+		copyCommand(),
+		buildCommand(),
+		execCommand(),
+		imagesCommand(),
+		portCommand(),
+		pushCommand(),
+		pullCommand(),
+		downCommand(),
+		psCommand(),
+		killCommand(),
+		restartCommand(),
+		removeCommand(),
+		runCommand(),
+		versionCommand(),
+		startCommand(),
+		stopCommand(),
+		pauseCommand(),
+		unpauseCommand(),
+		topCommand(),
+		createCommand(),
 	)
 
-	return composeCommand
+	return cmd
 }
 
 func getComposeOptions(cmd *cobra.Command, debugFull, experimental bool) (composer.Options, error) {

cmd/nerdctl/compose/compose_build.go

@@ -25,22 +25,22 @@ import (
 	"github.com/containerd/nerdctl/v2/pkg/composer"
 )
 
-func newComposeBuildCommand() *cobra.Command {
-	var composeBuildCommand = &cobra.Command{
+func buildCommand() *cobra.Command {
+	var cmd = &cobra.Command{
 		Use:           "build [flags] [SERVICE...]",
 		Short:         "Build or rebuild services",
-		RunE:          composeBuildAction,
+		RunE:          buildAction,
 		SilenceUsage:  true,
 		SilenceErrors: true,
 	}
-	composeBuildCommand.Flags().StringArray("build-arg", nil, "Set build-time variables for services.")
-	composeBuildCommand.Flags().Bool("no-cache", false, "Do not use cache when building the image.")
-	composeBuildCommand.Flags().String("progress", "", "Set type of progress output (auto, plain, tty). Use plain to show container output")
+	cmd.Flags().StringArray("build-arg", nil, "Set build-time variables for services.")
+	cmd.Flags().Bool("no-cache", false, "Do not use cache when building the image.")
+	cmd.Flags().String("progress", "", "Set type of progress output (auto, plain, tty). Use plain to show container output")
 
-	return composeBuildCommand
+	return cmd
 }
 
-func composeBuildAction(cmd *cobra.Command, args []string) error {
+func buildAction(cmd *cobra.Command, args []string) error {
 	globalOptions, err := helpers.ProcessRootCmdFlags(cmd)
 	if err != nil {
 		return err

cmd/nerdctl/compose/compose_build_linux_test.go

@@ -17,57 +17,114 @@
 package compose
 
 import (
+	"errors"
 	"fmt"
 	"testing"
 
+	"github.com/containerd/nerdctl/mod/tigron/expect"
+	"github.com/containerd/nerdctl/mod/tigron/test"
+
 	"github.com/containerd/nerdctl/v2/pkg/testutil"
+	"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest"
 )
 
 func TestComposeBuild(t *testing.T) {
-	const imageSvc0 = "composebuild_svc0"
-	const imageSvc1 = "composebuild_svc1"
+	dockerfile := "FROM " + testutil.CommonImage
 
-	dockerComposeYAML := fmt.Sprintf(`
+	testCase := nerdtest.Setup()
+
+	testCase.Require = nerdtest.Build
+
+	testCase.Setup = func(data test.Data, helpers test.Helpers) {
+		// Make sure we shard the image name to something unique to the test to avoid conflicts with other tests
+		imageSvc0 := data.Identifier("svc0")
+		imageSvc1 := data.Identifier("svc1")
+
+		// We are not going to run them, so, ports conflicts should not matter here
+		dockerComposeYAML := fmt.Sprintf(`
 services:
   svc0:
     build: .
     image: %s
-    ports:
-    - 8080:80
     depends_on:
     - svc1
   svc1:
     build: .
     image: %s
-    ports:
-    - 8081:80
 `, imageSvc0, imageSvc1)
 
-	dockerfile := fmt.Sprintf(`FROM %s`, testutil.AlpineImage)
+		data.Temp().Save(dockerComposeYAML, "compose.yaml")
+		data.Temp().Save(dockerfile, "Dockerfile")
 
-	testutil.RequiresBuild(t)
-	testutil.RegisterBuildCacheCleanup(t)
-	base := testutil.NewBase(t)
+		data.Labels().Set("composeYaml", data.Temp().Path("compose.yaml"))
+		data.Labels().Set("imageSvc0", imageSvc0)
+		data.Labels().Set("imageSvc1", imageSvc1)
+	}
 
-	comp := testutil.NewComposeDir(t, dockerComposeYAML)
-	defer comp.CleanUp()
-	comp.WriteFile("Dockerfile", dockerfile)
-	projectName := comp.ProjectName()
-	t.Logf("projectName=%q", projectName)
+	testCase.SubTests = []*test.Case{
+		{
+			Description: "build svc0",
+			NoParallel:  true,
+			Setup: func(data test.Data, helpers test.Helpers) {
+				helpers.Ensure("compose", "-f", data.Labels().Get("composeYaml"), "build", "svc0")
+			},
 
-	defer base.Cmd("rmi", imageSvc0).Run()
-	defer base.Cmd("rmi", imageSvc1).Run()
+			Command: test.Command("images"),
 
-	// 1. build only 1 service without triggering the dependency service build
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "build", "svc0").AssertOK()
-	base.Cmd("images").AssertOutContains(imageSvc0)
-	base.Cmd("images").AssertOutNotContains(imageSvc1)
-	// 2. build multiple services
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "build", "svc0", "svc1").AssertOK()
-	base.Cmd("images").AssertOutContains(imageSvc0)
-	base.Cmd("images").AssertOutContains(imageSvc1)
-	// 3. build all if no args are given
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "build").AssertOK()
-	// 4. fail if some services args not exist in compose.yml
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "build", "svc0", "svc100").AssertFail()
+			Expected: func(data test.Data, helpers test.Helpers) *test.Expected {
+				return &test.Expected{
+					Output: expect.All(
+						expect.Contains(data.Labels().Get("imageSvc0")),
+						expect.DoesNotContain(data.Labels().Get("imageSvc1")),
+					),
+				}
+			},
+		},
+		{
+			Description: "build svc0 and svc1",
+			NoParallel:  true,
+			Setup: func(data test.Data, helpers test.Helpers) {
+				helpers.Ensure("compose", "-f", data.Labels().Get("composeYaml"), "build", "svc0", "svc1")
+			},
+
+			Command: test.Command("images"),
+
+			Expected: func(data test.Data, helpers test.Helpers) *test.Expected {
+				return &test.Expected{
+					Output: expect.Contains(data.Labels().Get("imageSvc0"), data.Labels().Get("imageSvc1")),
+				}
+			},
+		},
+		{
+			Description: "build no arg",
+			Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+				return helpers.Command("compose", "-f", data.Labels().Get("composeYaml"), "build")
+			},
+
+			Expected: test.Expects(expect.ExitCodeSuccess, nil, nil),
+		},
+		{
+			Description: "build bogus",
+			Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+				return helpers.Command(
+					"compose",
+					"-f",
+					data.Labels().Get("composeYaml"),
+					"build",
+					"svc0",
+					"svc100",
+				)
+			},
+
+			Expected: test.Expects(1, []error{errors.New("no such service: svc100")}, nil),
+		},
+	}
+
+	testCase.Cleanup = func(data test.Data, helpers test.Helpers) {
+		if data.Labels().Get("imageSvc0") != "" {
+			helpers.Anyhow("rmi", data.Labels().Get("imageSvc0"), data.Labels().Get("imageSvc1"))
+		}
+	}
+
+	testCase.Run(t)
 }

cmd/nerdctl/compose/compose_config.go

@@ -27,25 +27,25 @@ import (
 	"github.com/containerd/nerdctl/v2/pkg/composer"
 )
 
-func newComposeConfigCommand() *cobra.Command {
-	var composeConfigCommand = &cobra.Command{
+func configCommand() *cobra.Command {
+	var cmd = &cobra.Command{
 		Use:           "config",
 		Short:         "Validate and view the Compose file",
-		RunE:          composeConfigAction,
+		RunE:          configAction,
 		SilenceUsage:  true,
 		SilenceErrors: true,
 	}
-	composeConfigCommand.Flags().BoolP("quiet", "q", false, "Only validate the configuration, don't print anything.")
-	composeConfigCommand.Flags().Bool("services", false, "Print the service names, one per line.")
-	composeConfigCommand.Flags().Bool("volumes", false, "Print the volume names, one per line.")
-	composeConfigCommand.Flags().String("hash", "", "Print the service config hash, one per line.")
-	composeConfigCommand.RegisterFlagCompletionFunc("hash", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+	cmd.Flags().BoolP("quiet", "q", false, "Only validate the configuration, don't print anything.")
+	cmd.Flags().Bool("services", false, "Print the service names, one per line.")
+	cmd.Flags().Bool("volumes", false, "Print the volume names, one per line.")
+	cmd.Flags().String("hash", "", "Print the service config hash, one per line.")
+	cmd.RegisterFlagCompletionFunc("hash", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 		return []string{"\"*\""}, cobra.ShellCompDirectiveNoFileComp
 	})
-	return composeConfigCommand
+	return cmd
 }
 
-func composeConfigAction(cmd *cobra.Command, args []string) error {
+func configAction(cmd *cobra.Command, args []string) error {
 	globalOptions, err := helpers.ProcessRootCmdFlags(cmd)
 	if err != nil {
 		return err

cmd/nerdctl/compose/compose_config_test.go

@@ -18,141 +18,275 @@ package compose
 
 import (
 	"fmt"
-	"os"
-	"path/filepath"
 	"testing"
 
 	"gotest.tools/v3/assert"
 
+	"github.com/containerd/nerdctl/mod/tigron/expect"
+	"github.com/containerd/nerdctl/mod/tigron/test"
+	"github.com/containerd/nerdctl/mod/tigron/tig"
+
 	"github.com/containerd/nerdctl/v2/pkg/testutil"
+	"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest"
 )
 
 func TestComposeConfig(t *testing.T) {
-	base := testutil.NewBase(t)
-
-	var dockerComposeYAML = `
+	dockerComposeYAML := fmt.Sprintf(`
 services:
   hello:
-    image: alpine:3.13
-`
+    image: %s
+`, testutil.CommonImage)
 
-	comp := testutil.NewComposeDir(t, dockerComposeYAML)
-	defer comp.CleanUp()
+	testCase := nerdtest.Setup()
 
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "config").AssertOutContains("hello:")
-}
+	testCase.Setup = func(data test.Data, helpers test.Helpers) {
+		data.Temp().Save(dockerComposeYAML, "compose.yaml")
+		data.Labels().Set("composeYaml", data.Temp().Path("compose.yaml"))
+	}
 
-func TestComposeConfigWithPrintService(t *testing.T) {
-	base := testutil.NewBase(t)
+	testCase.SubTests = []*test.Case{
+		{
+			Description: "config contains service name",
+			Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+				return helpers.Command("compose", "-f", data.Labels().Get("composeYaml"), "config")
+			},
+			Expected: test.Expects(expect.ExitCodeSuccess, nil, expect.Contains("hello:")),
+		},
+		{
+			Description: "config --services is exactly service name",
+			Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+				return helpers.Command(
+					"compose",
+					"-f",
+					data.Labels().Get("composeYaml"),
+					"config",
+					"--services",
+				)
+			},
+			Expected: test.Expects(expect.ExitCodeSuccess, nil, expect.Equals("hello\n")),
+		},
+		{
+			Description: "config --hash=* contains service name",
+			Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+				return helpers.Command("compose", "-f", data.Labels().Get("composeYaml"), "config", "--hash=*")
+			},
+			Expected: test.Expects(expect.ExitCodeSuccess, nil, expect.Contains("hello")),
+		},
+	}
 
-	var dockerComposeYAML = `
-services:
-  hello1:
-    image: alpine:3.13
-`
-
-	comp := testutil.NewComposeDir(t, dockerComposeYAML)
-	defer comp.CleanUp()
-
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "config", "--services").AssertOutExactly("hello1\n")
+	testCase.Run(t)
 }
 
 func TestComposeConfigWithPrintServiceHash(t *testing.T) {
-	base := testutil.NewBase(t)
-
-	var dockerComposeYAML = `
+	const dockerComposeYAML = `
 services:
-  hello1:
+  hello:
     image: alpine:%s
 `
+	testCase := nerdtest.Setup()
 
-	comp := testutil.NewComposeDir(t, fmt.Sprintf(dockerComposeYAML, "3.13"))
-	defer comp.CleanUp()
+	testCase.Setup = func(data test.Data, helpers test.Helpers) {
+		data.Temp().Save(fmt.Sprintf(dockerComposeYAML, "3.13"), "compose.yaml")
 
-	// `--hash=*` is broken in Docker Compose v2.23.0: https://github.com/docker/compose/issues/11145
-	if base.Target == testutil.Nerdctl {
-		base.ComposeCmd("-f", comp.YAMLFullPath(), "config", "--hash=*").AssertOutContains("hello1")
+		hash := helpers.Capture(
+			"compose",
+			"-f",
+			data.Temp().Path("compose.yaml"),
+			"config",
+			"--hash=hello",
+		)
+
+		data.Labels().Set("hash", hash)
+
+		data.Temp().Save(fmt.Sprintf(dockerComposeYAML, "3.14"), "compose.yaml")
 	}
 
-	hash := base.ComposeCmd("-f", comp.YAMLFullPath(), "config", "--hash=hello1").Out()
+	testCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {
+		return helpers.Command(
+			"compose",
+			"-f",
+			data.Temp().Path("compose.yaml"),
+			"config",
+			"--hash=hello",
+		)
+	}
 
-	newComp := testutil.NewComposeDir(t, fmt.Sprintf(dockerComposeYAML, "3.14"))
-	defer newComp.CleanUp()
+	testCase.Expected = func(data test.Data, helpers test.Helpers) *test.Expected {
+		return &test.Expected{
+			ExitCode: 0,
+			Output: func(stdout string, t tig.T) {
+				assert.Assert(t, data.Labels().Get("hash") != stdout, "hash should be different")
+			},
+		}
+	}
 
-	newHash := base.ComposeCmd("-f", newComp.YAMLFullPath(), "config", "--hash=hello1").Out()
-	assert.Assert(t, hash != newHash)
+	testCase.Run(t)
 }
 
 func TestComposeConfigWithMultipleFile(t *testing.T) {
-	base := testutil.NewBase(t)
-
-	var dockerComposeYAML = `
+	const dockerComposeBase = `
 services:
   hello1:
     image: alpine:3.13
 `
 
-	comp := testutil.NewComposeDir(t, dockerComposeYAML)
-	defer comp.CleanUp()
-
-	comp.WriteFile("docker-compose.test.yml", `
+	const dockerComposeTest = `
 services:
   hello2:
     image: alpine:3.14
-`)
-	comp.WriteFile("docker-compose.override.yml", `
+`
+
+	const dockerComposeOverride = `
 services:
   hello1:
     image: alpine:3.14
-`)
+`
 
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "-f", filepath.Join(comp.Dir(), "docker-compose.test.yml"), "config").AssertOutContains("alpine:3.14")
-	base.ComposeCmd("--project-directory", comp.Dir(), "config", "--services").AssertOutExactly("hello1\n")
-	base.ComposeCmd("--project-directory", comp.Dir(), "config").AssertOutContains("alpine:3.14")
+	testCase := nerdtest.Setup()
+
+	testCase.Setup = func(data test.Data, helpers test.Helpers) {
+		data.Temp().Save(dockerComposeBase, "compose.yaml")
+		data.Temp().Save(dockerComposeTest, "docker-compose.test.yml")
+		data.Temp().Save(dockerComposeOverride, "docker-compose.override.yml")
+
+		data.Labels().Set("composeDir", data.Temp().Path())
+		data.Labels().Set("composeYaml", data.Temp().Path("compose.yaml"))
+		data.Labels().Set("composeYamlTest", data.Temp().Path("docker-compose.test.yml"))
+	}
+
+	testCase.SubTests = []*test.Case{
+		{
+			Description: "config override",
+			Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+				return helpers.Command(
+					"compose",
+					"-f", data.Labels().Get("composeYaml"),
+					"-f", data.Labels().Get("composeYamlTest"),
+					"config",
+				)
+			},
+			Expected: test.Expects(
+				expect.ExitCodeSuccess,
+				nil,
+				expect.Contains("alpine:3.13", "alpine:3.14", "hello1", "hello2"),
+			),
+		},
+		{
+			Description: "project dir",
+			Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+				return helpers.Command(
+					"compose",
+					"--project-directory", data.Labels().Get("composeDir"), "config",
+				)
+			},
+			Expected: test.Expects(expect.ExitCodeSuccess, nil, expect.Contains("alpine:3.14")),
+		},
+		{
+			Description: "project dir services",
+			Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+				return helpers.Command(
+					"compose",
+					"--project-directory", data.Labels().Get("composeDir"), "config", "--services",
+				)
+			},
+			Expected: test.Expects(expect.ExitCodeSuccess, nil, expect.Equals("hello1\n")),
+		},
+	}
+
+	testCase.Run(t)
 }
 
 func TestComposeConfigWithComposeFileEnv(t *testing.T) {
-	base := testutil.NewBase(t)
-
-	var dockerComposeYAML = `
+	const dockerComposeBase = `
 services:
   hello1:
     image: alpine:3.13
 `
 
-	comp := testutil.NewComposeDir(t, dockerComposeYAML)
-	defer comp.CleanUp()
-
-	comp.WriteFile("docker-compose.test.yml", `
+	const dockerComposeTest = `
 services:
   hello2:
     image: alpine:3.14
-`)
+`
 
-	base.Env = append(base.Env, "COMPOSE_FILE="+comp.YAMLFullPath()+","+filepath.Join(comp.Dir(), "docker-compose.test.yml"), "COMPOSE_PATH_SEPARATOR=,")
+	testCase := nerdtest.Setup()
 
-	base.ComposeCmd("config").AssertOutContains("alpine:3.14")
-	base.ComposeCmd("--project-directory", comp.Dir(), "config", "--services").AssertOutContainsAll("hello1\n", "hello2\n")
-	base.ComposeCmd("--project-directory", comp.Dir(), "config").AssertOutContains("alpine:3.14")
+	testCase.Setup = func(data test.Data, helpers test.Helpers) {
+		data.Temp().Save(dockerComposeBase, "compose.yaml")
+		data.Temp().Save(dockerComposeTest, "docker-compose.test.yml")
+
+		data.Labels().Set("composeDir", data.Temp().Path())
+		data.Labels().Set("composeYaml", data.Temp().Path("compose.yaml"))
+		data.Labels().Set("composeYamlTest", data.Temp().Path("docker-compose.test.yml"))
+	}
+
+	testCase.SubTests = []*test.Case{
+		{
+			Description: "env config",
+			Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+				cmd := helpers.Command(
+					"compose",
+					"config",
+				)
+				cmd.Setenv("COMPOSE_FILE", data.Labels().Get("composeYaml")+","+data.Labels().Get("composeYamlTest"))
+				cmd.Setenv("COMPOSE_PATH_SEPARATOR", ",")
+				return cmd
+			},
+			Expected: test.Expects(
+				expect.ExitCodeSuccess,
+				nil,
+				expect.Contains("alpine:3.13", "alpine:3.14", "hello1", "hello2"),
+			),
+		},
+		{
+			Description: "env with project dir",
+			Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+				cmd := helpers.Command(
+					"compose",
+					"--project-directory", data.Labels().Get("composeDir"),
+					"config",
+				)
+				cmd.Setenv("COMPOSE_FILE", data.Labels().Get("composeYaml")+","+data.Labels().Get("composeYamlTest"))
+				cmd.Setenv("COMPOSE_PATH_SEPARATOR", ",")
+				return cmd
+			},
+			Expected: test.Expects(
+				expect.ExitCodeSuccess,
+				nil,
+				expect.Contains("alpine:3.13", "alpine:3.14", "hello1", "hello2"),
+			),
+		},
+	}
+
+	testCase.Run(t)
 }
 
 func TestComposeConfigWithEnvFile(t *testing.T) {
-	base := testutil.NewBase(t)
-
 	const dockerComposeYAML = `
 services:
   hello:
     image: ${image}
 `
-
-	comp := testutil.NewComposeDir(t, dockerComposeYAML)
-	defer comp.CleanUp()
-
-	envFile := filepath.Join(comp.Dir(), "env")
 	const envFileContent = `
 image: hello-world
 `
-	assert.NilError(t, os.WriteFile(envFile, []byte(envFileContent), 0644))
 
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "--env-file", envFile, "config").AssertOutContains("image: hello-world")
+	testCase := nerdtest.Setup()
+
+	testCase.Setup = func(data test.Data, helpers test.Helpers) {
+		data.Temp().Save(dockerComposeYAML, "compose.yaml")
+		data.Temp().Save(envFileContent, "env")
+	}
+
+	testCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {
+		return helpers.Command("compose",
+			"-f", data.Temp().Path("compose.yaml"),
+			"--env-file", data.Temp().Path("env"),
+			"config",
+		)
+	}
+
+	testCase.Expected = test.Expects(expect.ExitCodeSuccess, nil, expect.Contains("image: hello-world"))
+
+	testCase.Run(t)
 }

cmd/nerdctl/compose/compose_cp.go

@@ -28,24 +28,24 @@ import (
 	"github.com/containerd/nerdctl/v2/pkg/rootlessutil"
 )
 
-func newComposeCopyCommand() *cobra.Command {
+func copyCommand() *cobra.Command {
 	usage := `cp [OPTIONS] SERVICE:SRC_PATH DEST_PATH|-
        nerdctl compose cp [OPTIONS] SRC_PATH|- SERVICE:DEST_PATH`
-	var composeCpCommand = &cobra.Command{
+	var cmd = &cobra.Command{
 		Use:           usage,
 		Short:         "Copy files/folders between a service container and the local filesystem",
 		Args:          cobra.ExactArgs(2),
-		RunE:          composeCopyAction,
+		RunE:          copyAction,
 		SilenceUsage:  true,
 		SilenceErrors: true,
 	}
-	composeCpCommand.Flags().Bool("dry-run", false, "Execute command in dry run mode")
-	composeCpCommand.Flags().BoolP("follow-link", "L", false, "Always follow symbol link in SRC_PATH")
-	composeCpCommand.Flags().Int("index", 0, "index of the container if service has multiple replicas")
-	return composeCpCommand
+	cmd.Flags().Bool("dry-run", false, "Execute command in dry run mode")
+	cmd.Flags().BoolP("follow-link", "L", false, "Always follow symbol link in SRC_PATH")
+	cmd.Flags().Int("index", 0, "index of the container if service has multiple replicas")
+	return cmd
 }
 
-func composeCopyAction(cmd *cobra.Command, args []string) error {
+func copyAction(cmd *cobra.Command, args []string) error {
 	globalOptions, err := helpers.ProcessRootCmdFlags(cmd)
 	if err != nil {
 		return err
@@ -71,15 +71,15 @@ func composeCopyAction(cmd *cobra.Command, args []string) error {
 	if err != nil {
 		return err
 	}
-	address := globalOptions.Address
+
 	// rootless cp runs in the host namespaces, so the address is different
 	if rootlessutil.IsRootless() {
-		address, err = rootlessutil.RootlessContainredSockAddress()
+		globalOptions.Address, err = rootlessutil.RootlessContainredSockAddress()
 		if err != nil {
 			return err
 		}
 	}
-	client, ctx, cancel, err := clientutil.NewClient(cmd.Context(), globalOptions.Namespace, address)
+	client, ctx, cancel, err := clientutil.NewClient(cmd.Context(), globalOptions.Namespace, globalOptions.Address)
 	if err != nil {
 		return err
 	}

cmd/nerdctl/compose/compose_cp_linux_test.go

@@ -18,52 +18,74 @@ package compose
 
 import (
 	"fmt"
-	"os"
-	"path/filepath"
 	"testing"
 
 	"gotest.tools/v3/assert"
 
+	"github.com/containerd/nerdctl/mod/tigron/expect"
+	"github.com/containerd/nerdctl/mod/tigron/test"
+	"github.com/containerd/nerdctl/mod/tigron/tig"
+
 	"github.com/containerd/nerdctl/v2/pkg/testutil"
+	"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest"
 )
 
 func TestComposeCopy(t *testing.T) {
-	base := testutil.NewBase(t)
-
 	var dockerComposeYAML = fmt.Sprintf(`
-version: '3.1'
-
 services:
   svc0:
     image: %s
     command: "sleep infinity"
 `, testutil.CommonImage)
 
-	comp := testutil.NewComposeDir(t, dockerComposeYAML)
-	defer comp.CleanUp()
-	projectName := comp.ProjectName()
-	t.Logf("projectName=%q", projectName)
+	const testFileContent = "test-file-content"
 
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "up", "-d").AssertOK()
-	defer base.ComposeCmd("-f", comp.YAMLFullPath(), "down", "-v").AssertOK()
+	testCase := nerdtest.Setup()
 
-	// gernetate test file
-	srcDir := t.TempDir()
-	srcFile := filepath.Join(srcDir, "test-file")
-	srcFileContent := []byte("test-file-content")
-	err := os.WriteFile(srcFile, srcFileContent, 0o644)
-	assert.NilError(t, err)
+	testCase.Setup = func(data test.Data, helpers test.Helpers) {
+		compYamlPath := data.Temp().Save(dockerComposeYAML, "compose.yaml")
+		helpers.Ensure("compose", "-f", compYamlPath, "up", "-d")
 
-	// test copy to service
-	destPath := "/dest-no-exist-no-slash"
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "cp", srcFile, "svc0:"+destPath).AssertOK()
+		srcFilePath := data.Temp().Save(testFileContent, "test-file")
 
-	// test copy from service
-	destFile := filepath.Join(srcDir, "test-file2")
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "cp", "svc0:"+destPath, destFile).AssertOK()
+		data.Labels().Set("composeYaml", compYamlPath)
+		data.Labels().Set("srcFile", srcFilePath)
+	}
 
-	destFileContent, err := os.ReadFile(destFile)
-	assert.NilError(t, err)
-	assert.DeepEqual(t, srcFileContent, destFileContent)
+	testCase.Cleanup = func(data test.Data, helpers test.Helpers) {
+		helpers.Anyhow("compose", "-f", data.Temp().Path("compose.yaml"), "down", "-v")
+	}
 
+	testCase.SubTests = []*test.Case{
+		{
+			Description: "test copy to service /dest-no-exist-no-slash",
+			// These are expected to run in sequence
+			NoParallel: true,
+			Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+				return helpers.Command("compose",
+					"-f", data.Labels().Get("composeYaml"),
+					"cp", data.Labels().Get("srcFile"), "svc0:/dest-no-exist-no-slash")
+			},
+			Expected: test.Expects(expect.ExitCodeSuccess, nil, nil),
+		},
+		{
+			Description: "test copy from service test-file2",
+			NoParallel:  true,
+			Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+				return helpers.Command("compose",
+					"-f", data.Labels().Get("composeYaml"),
+					"cp", "svc0:/dest-no-exist-no-slash", data.Temp().Path("test-file2"))
+			},
+			Expected: func(data test.Data, helpers test.Helpers) *test.Expected {
+				return &test.Expected{
+					Output: func(stdout string, t tig.T) {
+						copied := data.Temp().Load("test-file2")
+						assert.Equal(t, copied, testFileContent)
+					},
+				}
+			},
+		},
+	}
+
+	testCase.Run(t)
 }

cmd/nerdctl/compose/compose_create.go

@@ -27,23 +27,23 @@ import (
 	"github.com/containerd/nerdctl/v2/pkg/composer"
 )
 
-func newComposeCreateCommand() *cobra.Command {
-	var composeCreateCommand = &cobra.Command{
+func createCommand() *cobra.Command {
+	var cmd = &cobra.Command{
 		Use:           "create [flags] [SERVICE...]",
 		Short:         "Creates containers for one or more services",
-		RunE:          composeCreateAction,
+		RunE:          createAction,
 		SilenceUsage:  true,
 		SilenceErrors: true,
 	}
-	composeCreateCommand.Flags().Bool("build", false, "Build images before starting containers.")
-	composeCreateCommand.Flags().Bool("no-build", false, "Don't build an image even if it's missing, conflict with --build.")
-	composeCreateCommand.Flags().Bool("force-recreate", false, "Recreate containers even if their configuration and image haven't changed.")
-	composeCreateCommand.Flags().Bool("no-recreate", false, "Don't recreate containers if they exist, conflict with --force-recreate.")
-	composeCreateCommand.Flags().String("pull", "missing", "Pull images before running. (support always|missing|never)")
-	return composeCreateCommand
+	cmd.Flags().Bool("build", false, "Build images before starting containers.")
+	cmd.Flags().Bool("no-build", false, "Don't build an image even if it's missing, conflict with --build.")
+	cmd.Flags().Bool("force-recreate", false, "Recreate containers even if their configuration and image haven't changed.")
+	cmd.Flags().Bool("no-recreate", false, "Don't recreate containers if they exist, conflict with --force-recreate.")
+	cmd.Flags().String("pull", "missing", "Pull images before running. (support always|missing|never)")
+	return cmd
 }
 
-func composeCreateAction(cmd *cobra.Command, args []string) error {
+func createAction(cmd *cobra.Command, args []string) error {
 	globalOptions, err := helpers.ProcessRootCmdFlags(cmd)
 	if err != nil {
 		return err
@@ -65,7 +65,7 @@ func composeCreateAction(cmd *cobra.Command, args []string) error {
 	}
 	noRecreate, err := cmd.Flags().GetBool("no-recreate")
 	if err != nil {
-		return nil
+		return err
 	}
 	if forceRecreate && noRecreate {
 		return errors.New("flag --force-recreate and --no-recreate cannot be specified together")

cmd/nerdctl/compose/compose_create_linux_test.go

@@ -18,40 +18,74 @@ package compose
 
 import (
 	"fmt"
+	"strings"
 	"testing"
 
+	"gotest.tools/v3/assert"
+
+	"github.com/containerd/nerdctl/mod/tigron/expect"
+	"github.com/containerd/nerdctl/mod/tigron/test"
+	"github.com/containerd/nerdctl/mod/tigron/tig"
+
 	"github.com/containerd/nerdctl/v2/pkg/testutil"
+	"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest"
 )
 
 func TestComposeCreate(t *testing.T) {
-	base := testutil.NewBase(t)
 	var dockerComposeYAML = fmt.Sprintf(`
-version: '3.1'
-
 services:
   svc0:
     image: %s
-`, testutil.AlpineImage)
+`, testutil.CommonImage)
 
-	comp := testutil.NewComposeDir(t, dockerComposeYAML)
-	defer comp.CleanUp()
-	projectName := comp.ProjectName()
-	t.Logf("projectName=%q", projectName)
+	testCase := nerdtest.Setup()
 
-	defer base.ComposeCmd("-f", comp.YAMLFullPath(), "down", "-v").AssertOK()
+	testCase.Setup = func(data test.Data, helpers test.Helpers) {
+		compYamlPath := data.Temp().Save(dockerComposeYAML, "compose.yaml")
+		data.Labels().Set("composeYaml", compYamlPath)
+	}
 
-	// 1.1 `compose create` should create service container (in `created` status)
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "create").AssertOK()
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "ps", "svc0", "-a").AssertOutContainsAny("Created", "created")
-	// 1.2 created container can be started by `compose start`
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "start").AssertOK()
+	testCase.Cleanup = func(data test.Data, helpers test.Helpers) {
+		helpers.Anyhow("compose", "-f", data.Temp().Path("compose.yaml"), "down", "-v")
+	}
+
+	testCase.SubTests = []*test.Case{
+		{
+			Description: "`compose create` should work",
+			// These are sequential
+			NoParallel: true,
+			Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+				return helpers.Command("compose", "-f", data.Labels().Get("composeYaml"), "create")
+			},
+			Expected: test.Expects(expect.ExitCodeSuccess, nil, nil),
+		},
+		{
+			Description: "`compose create` should have created service container (in `created` status)",
+			NoParallel:  true,
+			Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+				return helpers.Command("compose", "-f", data.Labels().Get("composeYaml"), "ps", "svc0", "-a")
+			},
+			Expected: test.Expects(expect.ExitCodeSuccess, nil, func(stdout string, t tig.T) {
+				assert.Assert(t,
+					strings.Contains(stdout, "created") || strings.Contains(stdout, "Created"),
+					"stdout should contain `created`")
+			}),
+		},
+		{
+			Description: "`created container can be started by `compose start`",
+			NoParallel:  true,
+			Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+				return helpers.Command("compose", "-f", data.Labels().Get("composeYaml"), "start")
+			},
+			Expected: test.Expects(expect.ExitCodeSuccess, nil, nil),
+		},
+	}
+
+	testCase.Run(t)
 }
 
 func TestComposeCreateDependency(t *testing.T) {
-	base := testutil.NewBase(t)
 	var dockerComposeYAML = fmt.Sprintf(`
-version: '3.1'
-
 services:
   svc0:
     image: %s
@@ -61,29 +95,64 @@ services:
     image: %s
 `, testutil.CommonImage, testutil.CommonImage)
 
-	comp := testutil.NewComposeDir(t, dockerComposeYAML)
-	defer comp.CleanUp()
-	projectName := comp.ProjectName()
-	t.Logf("projectName=%q", projectName)
+	testCase := nerdtest.Setup()
 
-	defer base.ComposeCmd("-f", comp.YAMLFullPath(), "down", "-v").AssertOK()
+	testCase.Setup = func(data test.Data, helpers test.Helpers) {
+		compYamlPath := data.Temp().Save(dockerComposeYAML, "compose.yaml")
+		data.Labels().Set("composeYaml", compYamlPath)
+	}
 
-	// `compose create` should create containers for both services and their dependencies
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "create", "svc0").AssertOK()
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "ps", "svc0", "-a").AssertOutContainsAny("Created", "created")
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "ps", "svc1", "-a").AssertOutContainsAny("Created", "created")
+	testCase.Cleanup = func(data test.Data, helpers test.Helpers) {
+		helpers.Anyhow("compose", "-f", data.Temp().Path("compose.yaml"), "down", "-v")
+	}
+
+	testCase.SubTests = []*test.Case{
+		{
+			Description: "`compose create` should work",
+			// These are sequential
+			NoParallel: true,
+			Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+				return helpers.Command("compose", "-f", data.Labels().Get("composeYaml"), "create")
+			},
+			Expected: test.Expects(expect.ExitCodeSuccess, nil, nil),
+		},
+		{
+			Description: "`compose create` should have created svc0 (in `created` status)",
+			NoParallel:  true,
+			Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+				return helpers.Command("compose", "-f", data.Labels().Get("composeYaml"), "ps", "svc0", "-a")
+			},
+			Expected: test.Expects(expect.ExitCodeSuccess, nil, func(stdout string, t tig.T) {
+				assert.Assert(t,
+					strings.Contains(stdout, "created") || strings.Contains(stdout, "Created"),
+					"stdout should contain `created`")
+			}),
+		},
+		{
+			Description: "`compose create` should have created svc1 (in `created` status)",
+			NoParallel:  true,
+			Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+				return helpers.Command("compose", "-f", data.Labels().Get("composeYaml"), "ps", "svc1", "-a")
+			},
+			Expected: test.Expects(expect.ExitCodeSuccess, nil, func(stdout string, t tig.T) {
+				assert.Assert(t,
+					strings.Contains(stdout, "created") || strings.Contains(stdout, "Created"),
+					"stdout should contain `created`")
+			}),
+		},
+	}
+
+	testCase.Run(t)
 }
 
 func TestComposeCreatePull(t *testing.T) {
 
 	base := testutil.NewBase(t)
 	var dockerComposeYAML = fmt.Sprintf(`
-version: '3.1'
-
 services:
   svc0:
     image: %s
-`, testutil.AlpineImage)
+`, testutil.CommonImage)
 
 	comp := testutil.NewComposeDir(t, dockerComposeYAML)
 	defer comp.CleanUp()
@@ -93,12 +162,12 @@ services:
 	defer base.ComposeCmd("-f", comp.YAMLFullPath(), "down", "-v").AssertOK()
 
 	// `compose create --pull never` should fail: no such image
-	base.Cmd("rmi", "-f", testutil.AlpineImage).Run()
+	base.Cmd("rmi", "-f", testutil.CommonImage).Run()
 	base.ComposeCmd("-f", comp.YAMLFullPath(), "create", "--pull", "never").AssertFail()
 	// `compose create --pull missing(default)|always` should succeed: image is pulled and container is created
-	base.Cmd("rmi", "-f", testutil.AlpineImage).Run()
+	base.Cmd("rmi", "-f", testutil.CommonImage).Run()
 	base.ComposeCmd("-f", comp.YAMLFullPath(), "create").AssertOK()
-	base.Cmd("rmi", "-f", testutil.AlpineImage).Run()
+	base.Cmd("rmi", "-f", testutil.CommonImage).Run()
 	base.ComposeCmd("-f", comp.YAMLFullPath(), "create", "--pull", "always").AssertOK()
 	base.ComposeCmd("-f", comp.YAMLFullPath(), "ps", "svc0", "-a").AssertOutContainsAny("Created", "created")
 }
@@ -113,7 +182,7 @@ services:
     image: %s
 `, imageSvc0)
 
-	dockerfile := fmt.Sprintf(`FROM %s`, testutil.AlpineImage)
+	dockerfile := fmt.Sprintf(`FROM %s`, testutil.CommonImage)
 
 	testutil.RequiresBuild(t)
 	testutil.RegisterBuildCacheCleanup(t)

cmd/nerdctl/compose/compose_down.go

@@ -25,21 +25,21 @@ import (
 	"github.com/containerd/nerdctl/v2/pkg/composer"
 )
 
-func newComposeDownCommand() *cobra.Command {
-	var composeDownCommand = &cobra.Command{
+func downCommand() *cobra.Command {
+	var cmd = &cobra.Command{
 		Use:           "down",
 		Short:         "Remove containers and associated resources",
 		Args:          cobra.NoArgs,
-		RunE:          composeDownAction,
+		RunE:          downAction,
 		SilenceUsage:  true,
 		SilenceErrors: true,
 	}
-	composeDownCommand.Flags().BoolP("volumes", "v", false, "Remove named volumes declared in the `volumes` section of the Compose file and anonymous volumes attached to containers.")
-	composeDownCommand.Flags().Bool("remove-orphans", false, "Remove containers for services not defined in the Compose file.")
-	return composeDownCommand
+	cmd.Flags().BoolP("volumes", "v", false, "Remove named volumes declared in the `volumes` section of the Compose file and anonymous volumes attached to containers.")
+	cmd.Flags().Bool("remove-orphans", false, "Remove containers for services not defined in the Compose file.")
+	return cmd
 }
 
-func composeDownAction(cmd *cobra.Command, args []string) error {
+func downAction(cmd *cobra.Command, args []string) error {
 	globalOptions, err := helpers.ProcessRootCmdFlags(cmd)
 	if err != nil {
 		return err

cmd/nerdctl/compose/compose_down_linux_test.go

@@ -30,20 +30,18 @@ func TestComposeDownRemoveUsedNetwork(t *testing.T) {
 
 	var (
 		dockerComposeYAMLOrphan = fmt.Sprintf(`
-version: '3.1'
-
 services:
   test:
     image: %s
     command: "sleep infinity"
-`, testutil.AlpineImage)
+`, testutil.CommonImage)
 
 		dockerComposeYAMLFull = fmt.Sprintf(`
 %s
   orphan:
     image: %s
     command: "sleep infinity"
-`, dockerComposeYAMLOrphan, testutil.AlpineImage)
+`, dockerComposeYAMLOrphan, testutil.CommonImage)
 	)
 
 	compOrphan := testutil.NewComposeDir(t, dockerComposeYAMLOrphan)
@@ -66,20 +64,18 @@ func TestComposeDownRemoveOrphans(t *testing.T) {
 
 	var (
 		dockerComposeYAMLOrphan = fmt.Sprintf(`
-version: '3.1'
-
 services:
   test:
     image: %s
     command: "sleep infinity"
-`, testutil.AlpineImage)
+`, testutil.CommonImage)
 
 		dockerComposeYAMLFull = fmt.Sprintf(`
 %s
   orphan:
     image: %s
     command: "sleep infinity"
-`, dockerComposeYAMLOrphan, testutil.AlpineImage)
+`, dockerComposeYAMLOrphan, testutil.CommonImage)
 	)
 
 	compOrphan := testutil.NewComposeDir(t, dockerComposeYAMLOrphan)

cmd/nerdctl/compose/compose_exec.go

@@ -29,39 +29,39 @@ import (
 	"github.com/containerd/nerdctl/v2/pkg/composer"
 )
 
-func newComposeExecCommand() *cobra.Command {
-	var composeExecCommand = &cobra.Command{
+func execCommand() *cobra.Command {
+	var cmd = &cobra.Command{
 		Use:           "exec [flags] SERVICE COMMAND [ARGS...]",
 		Short:         "Execute a command in a running container of the service",
 		Args:          cobra.MinimumNArgs(2),
-		RunE:          composeExecAction,
+		RunE:          execAction,
 		SilenceUsage:  true,
 		SilenceErrors: true,
 	}
-	composeExecCommand.Flags().SetInterspersed(false)
+	cmd.Flags().SetInterspersed(false)
 
 	_, isTerminal := term.GetFdInfo(os.Stdout)
-	composeExecCommand.Flags().BoolP("no-TTY", "T", !isTerminal, "Disable pseudo-TTY allocation. By default nerdctl compose exec allocates a TTY.")
-	composeExecCommand.Flags().BoolP("detach", "d", false, "Detached mode: Run containers in the background")
-	composeExecCommand.Flags().StringP("workdir", "w", "", "Working directory inside the container")
+	cmd.Flags().BoolP("no-TTY", "T", !isTerminal, "Disable pseudo-TTY allocation. By default nerdctl compose exec allocates a TTY.")
+	cmd.Flags().BoolP("detach", "d", false, "Detached mode: Run containers in the background")
+	cmd.Flags().StringP("workdir", "w", "", "Working directory inside the container")
 	// env needs to be StringArray, not StringSlice, to prevent "FOO=foo1,foo2" from being split to {"FOO=foo1", "foo2"}
-	composeExecCommand.Flags().StringArrayP("env", "e", nil, "Set environment variables")
-	composeExecCommand.Flags().Bool("privileged", false, "Give extended privileges to the command")
-	composeExecCommand.Flags().StringP("user", "u", "", "Username or UID (format: <name|uid>[:<group|gid>])")
-	composeExecCommand.Flags().Int("index", 1, "index of the container if the service has multiple instances.")
+	cmd.Flags().StringArrayP("env", "e", nil, "Set environment variables")
+	cmd.Flags().Bool("privileged", false, "Give extended privileges to the command")
+	cmd.Flags().StringP("user", "u", "", "Username or UID (format: <name|uid>[:<group|gid>])")
+	cmd.Flags().Int("index", 1, "index of the container if the service has multiple instances.")
 
-	composeExecCommand.Flags().BoolP("interactive", "i", true, "Keep STDIN open even if not attached")
-	composeExecCommand.Flags().MarkHidden("interactive")
+	cmd.Flags().BoolP("interactive", "i", true, "Keep STDIN open even if not attached")
+	cmd.Flags().MarkHidden("interactive")
 	// The -t does not has effect to keep the compatibility with docker.
 	// The proposal of -t is to keep "muscle memory" with compose v1: https://github.com/docker/compose/issues/9207
 	// FYI: https://github.com/docker/compose/blob/v2.23.1/cmd/compose/exec.go#L77
-	composeExecCommand.Flags().BoolP("tty", "t", true, "Allocate a pseudo-TTY")
-	composeExecCommand.Flags().MarkHidden("tty")
+	cmd.Flags().BoolP("tty", "t", true, "Allocate a pseudo-TTY")
+	cmd.Flags().MarkHidden("tty")
 
-	return composeExecCommand
+	return cmd
 }
 
-func composeExecAction(cmd *cobra.Command, args []string) error {
+func execAction(cmd *cobra.Command, args []string) error {
 	globalOptions, err := helpers.ProcessRootCmdFlags(cmd)
 	if err != nil {
 		return err

cmd/nerdctl/compose/compose_exec_linux_test.go

@@ -17,22 +17,23 @@
 package compose
 
 import (
-	"errors"
 	"fmt"
 	"net"
+	"path/filepath"
 	"strings"
 	"testing"
 
 	"gotest.tools/v3/assert"
 
+	"github.com/containerd/nerdctl/mod/tigron/expect"
+	"github.com/containerd/nerdctl/mod/tigron/test"
+
 	"github.com/containerd/nerdctl/v2/pkg/testutil"
+	"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest"
 )
 
 func TestComposeExec(t *testing.T) {
-	base := testutil.NewBase(t)
-	var dockerComposeYAML = fmt.Sprintf(`
-version: '3.1'
-
+	dockerComposeYAML := fmt.Sprintf(`
 services:
   svc0:
     image: %s
@@ -42,107 +43,109 @@ services:
     command: "sleep infinity"
 `, testutil.CommonImage, testutil.CommonImage)
 
-	comp := testutil.NewComposeDir(t, dockerComposeYAML)
-	defer comp.CleanUp()
-	projectName := comp.ProjectName()
-	t.Logf("projectName=%q", projectName)
+	testCase := nerdtest.Setup()
 
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "up", "-d", "svc0").AssertOK()
-	defer base.ComposeCmd("-f", comp.YAMLFullPath(), "down", "-v").AssertOK()
+	testCase.Setup = func(data test.Data, helpers test.Helpers) {
+		yamlPath := data.Temp().Save(dockerComposeYAML, "compose.yaml")
+		data.Labels().Set("YAMLPath", yamlPath)
+		helpers.Ensure("compose", "-f", yamlPath, "up", "-d", "svc0")
+	}
 
-	// test basic functionality and `--workdir` flag
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "exec", "-i=false", "--no-TTY", "svc0", "echo", "success").AssertOutExactly("success\n")
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "exec", "-i=false", "--no-TTY", "--workdir", "/tmp", "svc0", "pwd").AssertOutExactly("/tmp\n")
-	// cannot `exec` on non-running service
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "exec", "svc1", "echo", "success").AssertFail()
-}
+	testCase.Cleanup = func(data test.Data, helpers test.Helpers) {
+		helpers.Anyhow("compose", "-f", data.Temp().Path("compose.yaml"), "down", "-v")
+	}
 
-func TestComposeExecWithEnv(t *testing.T) {
-	base := testutil.NewBase(t)
-	var dockerComposeYAML = fmt.Sprintf(`
-version: '3.1'
+	testCase.SubTests = []*test.Case{
+		{
+			Description: "exec no tty",
+			Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+				return helpers.Command(
+					"compose",
+					"-f",
+					data.Labels().Get("YAMLPath"),
+					"exec",
+					"-i=false",
+					"--no-TTY",
+					"svc0",
+					"echo",
+					"success",
+				)
+			},
+			Expected: test.Expects(expect.ExitCodeSuccess, nil, expect.Equals("success\n")),
+		},
+		{
+			Description: "exec no tty with workdir",
+			Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+				return helpers.Command(
+					"compose",
+					"-f",
+					data.Labels().Get("YAMLPath"),
+					"exec",
+					"-i=false",
+					"--no-TTY",
+					"--workdir",
+					"/tmp",
+					"svc0",
+					"pwd",
+				)
+			},
+			Expected: test.Expects(expect.ExitCodeSuccess, nil, expect.Equals("/tmp\n")),
+		},
+		{
+			Description: "cannot exec on non-running service",
+			Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+				return helpers.Command("compose", "-f", data.Labels().Get("YAMLPath"), "exec", "svc1", "echo", "success")
+			},
+			Expected: test.Expects(expect.ExitCodeGenericFail, nil, nil),
+		},
+		{
+			Description: "with env",
+			Env: map[string]string{
+				"CORGE":  "corge-value-in-host",
+				"GARPLY": "garply-value-in-host",
+			},
+			Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+				return helpers.Command(
+					"compose",
+					"-f",
+					data.Labels().Get("YAMLPath"),
+					"exec",
+					"-i=false",
+					"--no-TTY",
+					"--env", "FOO=foo1,foo2",
+					"--env", "BAR=bar1 bar2",
+					"--env", "BAZ=",
+					"--env", "QUX", // not exported in OS
+					"--env", "QUUX=quux1",
+					"--env", "QUUX=quux2",
+					"--env", "CORGE", // OS exported
+					"--env", "GRAULT=grault_key=grault_value", // value contains `=` char
+					"--env", "GARPLY=", // OS exported
+					"--env", "WALDO=", // not exported in OS
+					"svc0",
+					"env")
+			},
+			Expected: test.Expects(expect.ExitCodeSuccess, nil, expect.All(
+				expect.Contains(
+					"\nFOO=foo1,foo2\n",
+					"\nBAR=bar1 bar2\n",
+					"\nBAZ=\n",
+					"\nQUUX=quux2\n",
+					"\nCORGE=corge-value-in-host\n",
+					"\nGRAULT=grault_key=grault_value\n",
+					"\nGARPLY=\n",
+					"\nWALDO=\n"),
+				expect.DoesNotContain("QUX"),
+			)),
+		},
+	}
 
-services:
-  svc0:
-    image: %s
-    command: "sleep infinity"
-`, testutil.CommonImage)
+	userSubTest := &test.Case{
+		Description: "with user",
+		SubTests:    []*test.Case{},
+	}
 
-	comp := testutil.NewComposeDir(t, dockerComposeYAML)
-	defer comp.CleanUp()
-	projectName := comp.ProjectName()
-	t.Logf("projectName=%q", projectName)
-
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "up", "-d").AssertOK()
-	defer base.ComposeCmd("-f", comp.YAMLFullPath(), "down", "-v").AssertOK()
-
-	// FYI: https://github.com/containerd/nerdctl/blob/e4b2b6da56555dc29ed66d0fd8e7094ff2bc002d/cmd/nerdctl/run_test.go#L177
-	base.Env = append(base.Env, "CORGE=corge-value-in-host", "GARPLY=garply-value-in-host")
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "exec", "-i=false", "--no-TTY",
-		"--env", "FOO=foo1,foo2",
-		"--env", "BAR=bar1 bar2",
-		"--env", "BAZ=",
-		"--env", "QUX", // not exported in OS
-		"--env", "QUUX=quux1",
-		"--env", "QUUX=quux2",
-		"--env", "CORGE", // OS exported
-		"--env", "GRAULT=grault_key=grault_value", // value contains `=` char
-		"--env", "GARPLY=", // OS exported
-		"--env", "WALDO=", // not exported in OS
-
-		"svc0", "env").AssertOutWithFunc(func(stdout string) error {
-		if !strings.Contains(stdout, "\nFOO=foo1,foo2\n") {
-			return errors.New("got bad FOO")
-		}
-		if !strings.Contains(stdout, "\nBAR=bar1 bar2\n") {
-			return errors.New("got bad BAR")
-		}
-		if !strings.Contains(stdout, "\nBAZ=\n") {
-			return errors.New("got bad BAZ")
-		}
-		if strings.Contains(stdout, "QUX") {
-			return errors.New("got bad QUX (should not be set)")
-		}
-		if !strings.Contains(stdout, "\nQUUX=quux2\n") {
-			return errors.New("got bad QUUX")
-		}
-		if !strings.Contains(stdout, "\nCORGE=corge-value-in-host\n") {
-			return errors.New("got bad CORGE")
-		}
-		if !strings.Contains(stdout, "\nGRAULT=grault_key=grault_value\n") {
-			return errors.New("got bad GRAULT")
-		}
-		if !strings.Contains(stdout, "\nGARPLY=\n") {
-			return errors.New("got bad GARPLY")
-		}
-		if !strings.Contains(stdout, "\nWALDO=\n") {
-			return errors.New("got bad WALDO")
-		}
-
-		return nil
-	})
-}
-
-func TestComposeExecWithUser(t *testing.T) {
-	base := testutil.NewBase(t)
-	var dockerComposeYAML = fmt.Sprintf(`
-version: '3.1'
-
-services:
-  svc0:
-    image: %s
-    command: "sleep infinity"
-`, testutil.CommonImage)
-
-	comp := testutil.NewComposeDir(t, dockerComposeYAML)
-	defer comp.CleanUp()
-	projectName := comp.ProjectName()
-	t.Logf("projectName=%q", projectName)
-
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "up", "-d").AssertOK()
-	defer base.ComposeCmd("-f", comp.YAMLFullPath(), "down", "-v").AssertOK()
-
-	testCases := map[string]string{
+	userCasesMap := map[string]string{
 		"":             "uid=0(root) gid=0(root)",
 		"1000":         "uid=1000 gid=0(root)",
 		"1000:users":   "uid=1000 gid=100(users)",
@@ -151,26 +154,29 @@ services:
 		"nobody:users": "uid=65534(nobody) gid=100(users)",
 	}
 
-	for userStr, expected := range testCases {
-		args := []string{"-f", comp.YAMLFullPath(), "exec", "-i=false", "--no-TTY"}
-		if userStr != "" {
-			args = append(args, "--user", userStr)
-		}
-		args = append(args, "svc0", "id")
-		base.ComposeCmd(args...).AssertOutContains(expected)
+	for k, v := range userCasesMap {
+		userSubTest.SubTests = append(userSubTest.SubTests, &test.Case{
+			Description: k + " " + v,
+			Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+				args := []string{"compose", "-f", data.Labels().Get("YAMLPath"), "exec", "-i=false", "--no-TTY"}
+				if k != "" {
+					args = append(args, "--user", k)
+				}
+				args = append(args, "svc0", "id")
+				return helpers.Command(args...)
+			},
+			Expected: test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(v)),
+		})
 	}
+
+	testCase.SubTests = append(testCase.SubTests, userSubTest)
+
+	testCase.Run(t)
 }
 
 func TestComposeExecTTY(t *testing.T) {
-	// `-i` in `compose run & exec` is only supported in compose v2.
-	base := testutil.NewBase(t)
-	if testutil.GetTarget() == testutil.Nerdctl {
-		testutil.RequireDaemonVersion(base, ">= 1.6.0-0")
-	}
-
-	var dockerComposeYAML = fmt.Sprintf(`
-version: '3.1'
-
+	const expectedOutput = "speed 38400 baud"
+	dockerComposeYAML := fmt.Sprintf(`
 services:
   svc0:
     image: %s
@@ -178,31 +184,85 @@ services:
     image: %s
 `, testutil.CommonImage, testutil.CommonImage)
 
-	comp := testutil.NewComposeDir(t, dockerComposeYAML)
-	defer comp.CleanUp()
-	projectName := comp.ProjectName()
-	t.Logf("projectName=%q", projectName)
+	testCase := nerdtest.Setup()
 
-	testContainer := testutil.Identifier(t)
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "run", "-d", "-i=false", "--name", testContainer, "svc0", "sleep", "1h").AssertOK()
-	defer base.ComposeCmd("-f", comp.YAMLFullPath(), "down", "-v").AssertOK()
-	base.EnsureContainerStarted(testContainer)
+	testCase.Setup = func(data test.Data, helpers test.Helpers) {
+		yamlPath := data.Temp().Save(dockerComposeYAML, "compose.yaml")
+		data.Labels().Set("YAMLPath", yamlPath)
+		helpers.Ensure(
+			"compose",
+			"-f",
+			yamlPath,
+			"run",
+			"-d",
+			"-i=false",
+			"--name",
+			data.Identifier(),
+			"svc0",
+			"sleep",
+			"1h",
+		)
+	}
 
-	const sttyPartialOutput = "speed 38400 baud"
-	// unbuffer(1) emulates tty, which is required by `nerdctl run -t`.
-	// unbuffer(1) can be installed with `apt-get install expect`.
-	unbuffer := []string{"unbuffer"}
-	base.ComposeCmdWithHelper(unbuffer, "-f", comp.YAMLFullPath(), "exec", "svc0", "stty").AssertOutContains(sttyPartialOutput)             // `-it`
-	base.ComposeCmdWithHelper(unbuffer, "-f", comp.YAMLFullPath(), "exec", "-i=false", "svc0", "stty").AssertOutContains(sttyPartialOutput) // `-t`
-	base.ComposeCmdWithHelper(unbuffer, "-f", comp.YAMLFullPath(), "exec", "--no-TTY", "svc0", "stty").AssertFail()                         // `-i`
-	base.ComposeCmdWithHelper(unbuffer, "-f", comp.YAMLFullPath(), "exec", "-i=false", "--no-TTY", "svc0", "stty").AssertFail()
+	testCase.Cleanup = func(data test.Data, helpers test.Helpers) {
+		// FIXME?
+		// similar, other test does *also* remove the container
+		helpers.Anyhow("compose", "-f", data.Labels().Get("YAMLPath"), "down", "-v")
+	}
+
+	testCase.SubTests = []*test.Case{
+		{
+			Description: "stty exec",
+			Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+				cmd := helpers.Command("compose", "-f", data.Labels().Get("YAMLPath"), "exec", "svc0", "stty")
+				cmd.WithPseudoTTY()
+				return cmd
+			},
+			Expected: test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(expectedOutput)),
+		},
+		{
+			Description: "-i=false stty exec",
+			Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+				cmd := helpers.Command("compose", "-f", data.Labels().Get("YAMLPath"), "exec", "-i=false", "svc0", "stty")
+				cmd.WithPseudoTTY()
+				return cmd
+			},
+			Expected: test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(expectedOutput)),
+		},
+		{
+			Description: "--no-TTY stty exec",
+			Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+				cmd := helpers.Command("compose", "-f", data.Labels().Get("YAMLPath"), "exec", "--no-TTY", "svc0", "stty")
+				cmd.WithPseudoTTY()
+				return cmd
+			},
+			Expected: test.Expects(expect.ExitCodeGenericFail, nil, nil),
+		},
+		{
+			Description: "-i=false --no-TTY stty exec",
+			Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+				cmd := helpers.Command(
+					"compose",
+					"-f",
+					data.Labels().Get("YAMLPath"),
+					"exec",
+					"-i=false",
+					"--no-TTY",
+					"svc0",
+					"stty",
+				)
+				cmd.WithPseudoTTY()
+				return cmd
+			},
+			Expected: test.Expects(expect.ExitCodeGenericFail, nil, nil),
+		},
+	}
+
+	testCase.Run(t)
 }
 
 func TestComposeExecWithIndex(t *testing.T) {
-	base := testutil.NewBase(t)
-	var dockerComposeYAML = fmt.Sprintf(`
-version: '3.1'
-
+	dockerComposeYAML := fmt.Sprintf(`
 services:
   svc0:
     image: %s
@@ -211,39 +271,57 @@ services:
       replicas: 3
 `, testutil.CommonImage)
 
-	comp := testutil.NewComposeDir(t, dockerComposeYAML)
-	t.Cleanup(func() {
-		comp.CleanUp()
-	})
-	projectName := comp.ProjectName()
-	t.Logf("projectName=%q", projectName)
+	testCase := nerdtest.Setup()
 
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "up", "-d", "svc0").AssertOK()
-	t.Cleanup(func() {
-		base.ComposeCmd("-f", comp.YAMLFullPath(), "down", "-v").AssertOK()
-	})
+	testCase.Setup = func(data test.Data, helpers test.Helpers) {
+		yamlPath := data.Temp().Save(dockerComposeYAML, "compose.yaml")
+		data.Labels().Set("YAMLPath", yamlPath)
+		data.Labels().Set("projectName", strings.ToLower(filepath.Base(data.Temp().Dir())))
 
-	// try 5 times to ensure that results are stable
-	for i := 0; i < 5; i++ {
-		for _, j := range []string{"1", "2", "3"} {
-			name := fmt.Sprintf("%s-svc0-%s", projectName, j)
-			host := fmt.Sprintf("%s.%s_default", name, projectName)
-			var (
-				expectIP string
-				realIP   string
-			)
-			//  docker and nerdctl have different DNS resolution behaviors.
-			// it uses the ID in the /etc/hosts file, so we need to fetch the ID first.
-			if testutil.GetTarget() == testutil.Docker {
-				base.Cmd("ps", "--filter", fmt.Sprintf("name=%s", name), "--format", "{{.ID}}").AssertOutWithFunc(func(stdout string) error {
-					host = strings.TrimSpace(stdout)
-					return nil
-				})
-			}
-			cmds := []string{"-f", comp.YAMLFullPath(), "exec", "-i=false", "--no-TTY", "--index", j, "svc0"}
-			base.ComposeCmd(append(cmds, "cat", "/etc/hosts")...).
-				AssertOutWithFunc(func(stdout string) error {
-					lines := strings.Split(stdout, "\n")
+		helpers.Ensure("compose", "-f", yamlPath, "up", "-d", "svc0")
+
+		// Make sure all containers are started so that /etc/hosts is consistent.
+		for _, index := range []string{"1", "2", "3"} {
+			nerdtest.EnsureContainerStarted(helpers, fmt.Sprintf("%s-svc0-%s", data.Labels().Get("projectName"), index))
+		}
+	}
+
+	testCase.Cleanup = func(data test.Data, helpers test.Helpers) {
+		helpers.Anyhow("compose", "-f", data.Temp().Path("compose.yaml"), "down", "-v")
+	}
+
+	for _, index := range []string{"1", "2", "3"} {
+		testCase.SubTests = append(testCase.SubTests, &test.Case{
+			Description: index,
+			Setup: func(data test.Data, helpers test.Helpers) {
+				// try 5 times to ensure that results are stable
+				for range 5 {
+					cmds := []string{
+						"compose",
+						"-f",
+						data.Labels().Get("YAMLPath"),
+						"exec",
+						"-i=false",
+						"--no-TTY",
+						"--index",
+						index,
+						"svc0",
+					}
+
+					hsts := helpers.Capture(append(cmds, "cat", "/etc/hosts")...)
+					ips := helpers.Capture(append(cmds, "ip", "addr", "show", "dev", "eth0")...)
+
+					var (
+						expectIP string
+						realIP   string
+					)
+					name := fmt.Sprintf("%s-svc0-%s", data.Labels().Get("projectName"), index)
+					host := fmt.Sprintf("%s.%s_default", name, data.Labels().Get("projectName"))
+					if nerdtest.IsDocker() {
+						host = strings.TrimSpace(helpers.Capture("ps", "--filter", "name="+name, "--format", "{{.ID}}"))
+					}
+
+					lines := strings.Split(hsts, "\n")
 					for _, line := range lines {
 						if !strings.Contains(line, host) {
 							continue
@@ -253,37 +331,32 @@ services:
 							continue
 						}
 						expectIP = fields[0]
-						return nil
 					}
-					return errors.New("fail to get the expected ip address")
-				})
-			base.ComposeCmd(append(cmds, "ip", "addr", "show", "dev", "eth0")...).
-				AssertOutWithFunc(func(stdout string) error {
-					ip := findIP(stdout)
-					if ip == nil {
-						return errors.New("fail to get the real ip address")
-					}
-					realIP = ip.String()
-					return nil
-				})
-			assert.Equal(t, realIP, expectIP)
-		}
-	}
-}
 
-func findIP(output string) net.IP {
-	var ip string
-	lines := strings.Split(output, "\n")
-	for _, line := range lines {
-		if !strings.Contains(line, "inet ") {
-			continue
-		}
-		fields := strings.Fields(line)
-		if len(fields) <= 1 {
-			continue
-		}
-		ip = strings.Split(fields[1], "/")[0]
-		break
+					var ip string
+					lines = strings.Split(ips, "\n")
+					for _, line := range lines {
+						if !strings.Contains(line, "inet ") {
+							continue
+						}
+						fields := strings.Fields(line)
+						if len(fields) <= 1 {
+							continue
+						}
+						ip = strings.Split(fields[1], "/")[0]
+						break
+					}
+
+					pip := net.ParseIP(ip)
+
+					assert.Assert(helpers.T(), pip != nil, "fail to get the real ip address")
+					realIP = pip.String()
+
+					assert.Equal(helpers.T(), realIP, expectIP)
+				}
+			},
+		})
 	}
-	return net.ParseIP(ip)
+
+	testCase.Run(t)
 }

cmd/nerdctl/compose/compose_images.go

@@ -38,20 +38,20 @@ import (
 	"github.com/containerd/nerdctl/v2/pkg/strutil"
 )
 
-func newComposeImagesCommand() *cobra.Command {
-	var composeImagesCommand = &cobra.Command{
+func imagesCommand() *cobra.Command {
+	var cmd = &cobra.Command{
 		Use:           "images [flags] [SERVICE...]",
 		Short:         "List images used by created containers in services",
-		RunE:          composeImagesAction,
+		RunE:          imagesAction,
 		SilenceUsage:  true,
 		SilenceErrors: true,
 	}
-	composeImagesCommand.Flags().String("format", "", "Format the output. Supported values: [json]")
-	composeImagesCommand.Flags().BoolP("quiet", "q", false, "Only show numeric image IDs")
-	return composeImagesCommand
+	cmd.Flags().String("format", "", "Format the output. Supported values: [json]")
+	cmd.Flags().BoolP("quiet", "q", false, "Only show numeric image IDs")
+	return cmd
 }
 
-func composeImagesAction(cmd *cobra.Command, args []string) error {
+func imagesAction(cmd *cobra.Command, args []string) error {
 	globalOptions, err := helpers.ProcessRootCmdFlags(cmd)
 	if err != nil {
 		return err

cmd/nerdctl/compose/compose_images_linux_test.go

@@ -17,77 +17,26 @@
 package compose
 
 import (
-	"encoding/json"
 	"fmt"
-	"strings"
 	"testing"
 
+	"gotest.tools/v3/assert"
+
+	"github.com/containerd/nerdctl/mod/tigron/expect"
+	"github.com/containerd/nerdctl/mod/tigron/test"
+	"github.com/containerd/nerdctl/mod/tigron/tig"
+
+	"github.com/containerd/nerdctl/v2/pkg/referenceutil"
 	"github.com/containerd/nerdctl/v2/pkg/testutil"
+	"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest"
 )
 
 func TestComposeImages(t *testing.T) {
-	base := testutil.NewBase(t)
 	var dockerComposeYAML = fmt.Sprintf(`
-version: '3.1'
-
-services:
-  wordpress:
-    image: %s
-    ports:
-      - 8080:80
-    environment:
-      WORDPRESS_DB_HOST: db
-      WORDPRESS_DB_USER: exampleuser
-      WORDPRESS_DB_PASSWORD: examplepass
-      WORDPRESS_DB_NAME: exampledb
-    volumes:
-      - wordpress:/var/www/html
-  db:
-    image: %s
-    environment:
-      MYSQL_DATABASE: exampledb
-      MYSQL_USER: exampleuser
-      MYSQL_PASSWORD: examplepass
-      MYSQL_RANDOM_ROOT_PASSWORD: '1'
-    volumes:
-      - db:/var/lib/mysql
-
-volumes:
-  wordpress:
-  db:
-`, testutil.WordpressImage, testutil.MariaDBImage)
-
-	comp := testutil.NewComposeDir(t, dockerComposeYAML)
-	defer comp.CleanUp()
-	projectName := comp.ProjectName()
-	t.Logf("projectName=%q", projectName)
-
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "up", "-d").AssertOK()
-	defer base.ComposeCmd("-f", comp.YAMLFullPath(), "down", "-v").Run()
-
-	wordpressImageName := strings.Split(testutil.WordpressImage, ":")[0]
-	dbImageName := strings.Split(testutil.MariaDBImage, ":")[0]
-
-	// check one service image
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "images", "db").AssertOutContains(dbImageName)
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "images", "db").AssertOutNotContains(wordpressImageName)
-
-	// check all service images
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "images").AssertOutContains(dbImageName)
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "images").AssertOutContains(wordpressImageName)
-}
-
-func TestComposeImagesJson(t *testing.T) {
-	base := testutil.NewBase(t)
-	var dockerComposeYAML = fmt.Sprintf(`
-version: '3.1'
-
 services:
   wordpress:
     image: %s
     container_name: wordpress
-    ports:
-      - 8080:80
     environment:
       WORDPRESS_DB_HOST: db
       WORDPRESS_DB_USER: exampleuser
@@ -111,41 +60,71 @@ volumes:
   db:
 `, testutil.WordpressImage, testutil.MariaDBImage)
 
-	comp := testutil.NewComposeDir(t, dockerComposeYAML)
-	defer comp.CleanUp()
-	projectName := comp.ProjectName()
-	t.Logf("projectName=%q", projectName)
+	wordpressImageName, _ := referenceutil.Parse(testutil.WordpressImage)
+	dbImageName, _ := referenceutil.Parse(testutil.MariaDBImage)
 
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "up", "-d").AssertOK()
-	defer base.ComposeCmd("-f", comp.YAMLFullPath(), "down", "-v").Run()
+	testCase := nerdtest.Setup()
 
-	assertHandler := func(svc string, count int, fields ...string) func(stdout string) error {
-		return func(stdout string) error {
-			// 1. check json output can be unmarshalled back to printables.
-			var printables []composeContainerPrintable
-			if err := json.Unmarshal([]byte(stdout), &printables); err != nil {
-				return fmt.Errorf("[service: %s]failed to unmarshal json output from `compose images`: %s", svc, stdout)
-			}
-			// 2. check #printables matches expected count.
-			if len(printables) != count {
-				return fmt.Errorf("[service: %s]unmarshal generates %d printables, expected %d: %s", svc, len(printables), count, stdout)
-			}
-			// 3. check marshalled json string has all expected substrings.
-			for _, field := range fields {
-				if !strings.Contains(stdout, field) {
-					return fmt.Errorf("[service: %s]marshalled json output doesn't have expected string (%s): %s", svc, field, stdout)
-				}
-			}
-			return nil
-		}
+	testCase.Setup = func(data test.Data, helpers test.Helpers) {
+		data.Temp().Save(dockerComposeYAML, "compose.yaml")
+		data.Labels().Set("composeYaml", data.Temp().Path("compose.yaml"))
+		helpers.Ensure("compose", "-f", data.Temp().Path("compose.yaml"), "up", "-d")
 	}
 
-	// check other formats are not supported
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "images", "--format", "yaml").AssertFail()
-	// check all services are up (can be marshalled and unmarshalled)
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "images", "--format", "json").
-		AssertOutWithFunc(assertHandler("all", 2, `"ContainerName":"wordpress"`, `"ContainerName":"db"`))
+	testCase.Cleanup = func(data test.Data, helpers test.Helpers) {
+		helpers.Anyhow("compose", "-f", data.Temp().Path("compose.yaml"), "down")
+	}
 
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "images", "--format", "json", "wordpress").
-		AssertOutWithFunc(assertHandler("wordpress", 1, `"ContainerName":"wordpress"`))
+	testCase.SubTests = []*test.Case{
+		{
+			Description: "images db",
+			Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+				return helpers.Command("compose", "-f", data.Labels().Get("composeYaml"), "images", "db")
+			},
+			Expected: test.Expects(expect.ExitCodeSuccess, nil, expect.All(
+				expect.Contains(dbImageName.Name()),
+				expect.DoesNotContain(wordpressImageName.Name()),
+			)),
+		},
+		{
+			Description: "images",
+			Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+				return helpers.Command("compose", "-f", data.Labels().Get("composeYaml"), "images")
+			},
+			Expected: test.Expects(expect.ExitCodeSuccess, nil, expect.Contains(dbImageName.Name(), wordpressImageName.Name())),
+		},
+		{
+			Description: "images --format yaml",
+			Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+				return helpers.Command("compose", "-f", data.Labels().Get("composeYaml"), "images", "--format", "yaml")
+			},
+			Expected: test.Expects(expect.ExitCodeGenericFail, nil, nil),
+		},
+		{
+			Description: "images --format json",
+			Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+				return helpers.Command("compose", "-f", data.Labels().Get("composeYaml"), "images", "--format", "json")
+			},
+			Expected: test.Expects(expect.ExitCodeSuccess, nil, expect.All(
+				expect.JSON([]composeContainerPrintable{}, func(printables []composeContainerPrintable, t tig.T) {
+					assert.Equal(t, len(printables), 2)
+				}),
+				expect.Contains(`"ContainerName":"wordpress"`, `"ContainerName":"db"`),
+			)),
+		},
+		{
+			Description: "images --format json wordpress",
+			Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+				return helpers.Command("compose", "-f", data.Labels().Get("composeYaml"), "images", "--format", "json", "wordpress")
+			},
+			Expected: test.Expects(expect.ExitCodeSuccess, nil, expect.All(
+				expect.JSON([]composeContainerPrintable{}, func(printables []composeContainerPrintable, t tig.T) {
+					assert.Equal(t, len(printables), 1)
+				}),
+				expect.Contains(`"ContainerName":"wordpress"`),
+			)),
+		},
+	}
+
+	testCase.Run(t)
 }

cmd/nerdctl/compose/compose_kill.go

@@ -25,19 +25,19 @@ import (
 	"github.com/containerd/nerdctl/v2/pkg/composer"
 )
 
-func newComposeKillCommand() *cobra.Command {
-	var composeKillCommand = &cobra.Command{
+func killCommand() *cobra.Command {
+	var cmd = &cobra.Command{
 		Use:           "kill [flags] [SERVICE...]",
 		Short:         "Force stop service containers",
-		RunE:          composeKillAction,
+		RunE:          killAction,
 		SilenceUsage:  true,
 		SilenceErrors: true,
 	}
-	composeKillCommand.Flags().StringP("signal", "s", "SIGKILL", "SIGNAL to send to the container.")
-	return composeKillCommand
+	cmd.Flags().StringP("signal", "s", "SIGKILL", "SIGNAL to send to the container.")
+	return cmd
 }
 
-func composeKillAction(cmd *cobra.Command, args []string) error {
+func killAction(cmd *cobra.Command, args []string) error {
 	globalOptions, err := helpers.ProcessRootCmdFlags(cmd)
 	if err != nil {
 		return err

cmd/nerdctl/compose/compose_kill_linux_test.go

@@ -27,14 +27,10 @@ import (
 func TestComposeKill(t *testing.T) {
 	base := testutil.NewBase(t)
 	var dockerComposeYAML = fmt.Sprintf(`
-version: '3.1'
-
 services:
 
   wordpress:
     image: %s
-    ports:
-      - 8080:80
     environment:
       WORDPRESS_DB_HOST: db
       WORDPRESS_DB_USER: exampleuser

cmd/nerdctl/compose/compose_logs.go

@@ -25,23 +25,23 @@ import (
 	"github.com/containerd/nerdctl/v2/pkg/composer"
 )
 
-func newComposeLogsCommand() *cobra.Command {
-	var composeLogsCommand = &cobra.Command{
+func logsCommand() *cobra.Command {
+	var cmd = &cobra.Command{
 		Use:           "logs [flags] [SERVICE...]",
 		Short:         "Show logs of running containers",
-		RunE:          composeLogsAction,
+		RunE:          logsAction,
 		SilenceUsage:  true,
 		SilenceErrors: true,
 	}
-	composeLogsCommand.Flags().BoolP("follow", "f", false, "Follow log output.")
-	composeLogsCommand.Flags().BoolP("timestamps", "t", false, "Show timestamps")
-	composeLogsCommand.Flags().String("tail", "all", "Number of lines to show from the end of the logs")
-	composeLogsCommand.Flags().Bool("no-color", false, "Produce monochrome output")
-	composeLogsCommand.Flags().Bool("no-log-prefix", false, "Don't print prefix in logs")
-	return composeLogsCommand
+	cmd.Flags().BoolP("follow", "f", false, "Follow log output.")
+	cmd.Flags().BoolP("timestamps", "t", false, "Show timestamps")
+	cmd.Flags().String("tail", "all", "Number of lines to show from the end of the logs")
+	cmd.Flags().Bool("no-color", false, "Produce monochrome output")
+	cmd.Flags().Bool("no-log-prefix", false, "Don't print prefix in logs")
+	return cmd
 }
 
-func composeLogsAction(cmd *cobra.Command, args []string) error {
+func logsAction(cmd *cobra.Command, args []string) error {
 	globalOptions, err := helpers.ProcessRootCmdFlags(cmd)
 	if err != nil {
 		return err

cmd/nerdctl/compose/compose_pause.go

@@ -24,19 +24,19 @@ import (
 	"github.com/containerd/nerdctl/v2/pkg/cmd/compose"
 )
 
-func newComposePauseCommand() *cobra.Command {
-	var composePauseCommand = &cobra.Command{
+func pauseCommand() *cobra.Command {
+	var cmd = &cobra.Command{
 		Use:                   "pause [SERVICE...]",
 		Short:                 "Pause all processes within containers of service(s). They can be unpaused with nerdctl compose unpause",
-		RunE:                  composePauseAction,
+		RunE:                  pauseAction,
 		SilenceUsage:          true,
 		SilenceErrors:         true,
 		DisableFlagsInUseLine: true,
 	}
-	return composePauseCommand
+	return cmd
 }
 
-func composePauseAction(cmd *cobra.Command, args []string) error {
+func pauseAction(cmd *cobra.Command, args []string) error {
 	globalOptions, err := helpers.ProcessRootCmdFlags(cmd)
 	if err != nil {
 		return err
@@ -59,19 +59,19 @@ func composePauseAction(cmd *cobra.Command, args []string) error {
 	return c.Pause(ctx, args, cmd.OutOrStdout())
 }
 
-func newComposeUnpauseCommand() *cobra.Command {
-	var composeUnpauseCommand = &cobra.Command{
+func unpauseCommand() *cobra.Command {
+	var cmd = &cobra.Command{
 		Use:                   "unpause [SERVICE...]",
 		Short:                 "Unpause all processes within containers of service(s).",
-		RunE:                  composeUnpauseAction,
+		RunE:                  unpauseAction,
 		SilenceUsage:          true,
 		SilenceErrors:         true,
 		DisableFlagsInUseLine: true,
 	}
-	return composeUnpauseCommand
+	return cmd
 }
 
-func composeUnpauseAction(cmd *cobra.Command, args []string) error {
+func unpauseAction(cmd *cobra.Command, args []string) error {
 	globalOptions, err := helpers.ProcessRootCmdFlags(cmd)
 	if err != nil {
 		return err

cmd/nerdctl/compose/compose_pause_linux_test.go

@@ -31,8 +31,6 @@ func TestComposePauseAndUnpause(t *testing.T) {
 	}
 
 	var dockerComposeYAML = fmt.Sprintf(`
-version: '3.1'
-
 services:
   svc0:
     image: %s

cmd/nerdctl/compose/compose_port.go

@@ -28,22 +28,22 @@ import (
 	"github.com/containerd/nerdctl/v2/pkg/composer"
 )
 
-func newComposePortCommand() *cobra.Command {
-	var composePortCommand = &cobra.Command{
+func portCommand() *cobra.Command {
+	var cmd = &cobra.Command{
 		Use:           "port [flags] SERVICE PRIVATE_PORT",
 		Short:         "Print the public port for a port binding",
 		Args:          cobra.ExactArgs(2),
-		RunE:          composePortAction,
+		RunE:          portAction,
 		SilenceUsage:  true,
 		SilenceErrors: true,
 	}
-	composePortCommand.Flags().Int("index", 1, "index of the container if the service has multiple instances.")
-	composePortCommand.Flags().String("protocol", "tcp", "protocol of the port (tcp|udp)")
+	cmd.Flags().Int("index", 1, "index of the container if the service has multiple instances.")
+	cmd.Flags().String("protocol", "tcp", "protocol of the port (tcp|udp)")
 
-	return composePortCommand
+	return cmd
 }
 
-func composePortAction(cmd *cobra.Command, args []string) error {
+func portAction(cmd *cobra.Command, args []string) error {
 	globalOptions, err := helpers.ProcessRootCmdFlags(cmd)
 	if err != nil {
 		return err
@@ -88,11 +88,18 @@ func composePortAction(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
+	dataStore, err := clientutil.DataStore(globalOptions.DataRoot, globalOptions.Address)
+	if err != nil {
+		return err
+	}
+
 	po := composer.PortOptions{
 		ServiceName: args[0],
 		Index:       index,
 		Port:        port,
 		Protocol:    protocol,
+		DataStore:   dataStore,
+		Namespace:   globalOptions.Namespace,
 	}
 
 	return c.Port(ctx, cmd.OutOrStdout(), po)

cmd/nerdctl/compose/compose_port_linux_test.go

@@ -20,15 +20,17 @@ import (
 	"fmt"
 	"testing"
 
+	"github.com/containerd/nerdctl/mod/tigron/expect"
+	"github.com/containerd/nerdctl/mod/tigron/test"
+
 	"github.com/containerd/nerdctl/v2/pkg/testutil"
+	"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest"
 )
 
 func TestComposePort(t *testing.T) {
 	base := testutil.NewBase(t)
 
 	var dockerComposeYAML = fmt.Sprintf(`
-version: '3.1'
-
 services:
   svc0:
     image: %s
@@ -55,8 +57,6 @@ func TestComposePortFailure(t *testing.T) {
 	base := testutil.NewBase(t)
 
 	var dockerComposeYAML = fmt.Sprintf(`
-version: '3.1'
-
 services:
   svc0:
     image: %s
@@ -79,3 +79,42 @@ services:
 	base.ComposeCmd("-f", comp.YAMLFullPath(), "port", "--protocol", "udp", "svc0", "10000").AssertFail()
 	base.ComposeCmd("-f", comp.YAMLFullPath(), "port", "--protocol", "tcp", "svc0", "10001").AssertFail()
 }
+
+// TestComposeMultiplePorts tests whether it is possible to allocate a large
+// number of ports. (https://github.com/containerd/nerdctl/issues/4027)
+func TestComposeMultiplePorts(t *testing.T) {
+	var dockerComposeYAML = fmt.Sprintf(`
+services:
+  svc0:
+    image: %s
+    command: "sleep infinity"
+    ports:
+    - '32000-32060:32000-32060'
+`, testutil.AlpineImage)
+
+	testCase := nerdtest.Setup()
+
+	testCase.Setup = func(data test.Data, helpers test.Helpers) {
+		compYamlPath := data.Temp().Save(dockerComposeYAML, "compose.yaml")
+		data.Labels().Set("composeYaml", compYamlPath)
+
+		helpers.Ensure("compose", "-f", compYamlPath, "up", "-d")
+	}
+
+	testCase.Cleanup = func(data test.Data, helpers test.Helpers) {
+		helpers.Anyhow("compose", "-f", data.Temp().Path("compose.yaml"), "down", "-v")
+	}
+
+	testCase.SubTests = []*test.Case{
+		{
+			Description: "Issue #4027 - Allocate a large number of ports.",
+			NoParallel:  true,
+			Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+				return helpers.Command("compose", "-f", data.Labels().Get("composeYaml"), "port", "svc0", "32000")
+			},
+			Expected: test.Expects(expect.ExitCodeSuccess, nil, expect.Contains("0.0.0.0:32000")),
+		},
+	}
+
+	testCase.Run(t)
+}

cmd/nerdctl/compose/compose_ps.go

@@ -21,7 +21,6 @@ import (
 	"fmt"
 	"strings"
 	"text/tabwriter"
-	"time"
 
 	"github.com/spf13/cobra"
 	"golang.org/x/sync/errgroup"
@@ -29,10 +28,10 @@ import (
 	containerd "github.com/containerd/containerd/v2/client"
 	"github.com/containerd/containerd/v2/core/runtime/restart"
 	"github.com/containerd/errdefs"
-	gocni "github.com/containerd/go-cni"
-	"github.com/containerd/log"
+	"github.com/containerd/go-cni"
 
 	"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers"
+	"github.com/containerd/nerdctl/v2/pkg/api/types"
 	"github.com/containerd/nerdctl/v2/pkg/clientutil"
 	"github.com/containerd/nerdctl/v2/pkg/cmd/compose"
 	"github.com/containerd/nerdctl/v2/pkg/containerutil"
@@ -41,21 +40,21 @@ import (
 	"github.com/containerd/nerdctl/v2/pkg/portutil"
 )
 
-func newComposePsCommand() *cobra.Command {
-	var composePsCommand = &cobra.Command{
+func psCommand() *cobra.Command {
+	var cmd = &cobra.Command{
 		Use:           "ps [flags] [SERVICE...]",
 		Short:         "List containers of services",
-		RunE:          composePsAction,
+		RunE:          psAction,
 		SilenceUsage:  true,
 		SilenceErrors: true,
 	}
-	composePsCommand.Flags().String("format", "table", "Format the output. Supported values: [table|json]")
-	composePsCommand.Flags().String("filter", "", "Filter matches containers based on given conditions")
-	composePsCommand.Flags().StringArray("status", []string{}, "Filter services by status. Values: [paused | restarting | removing | running | dead | created | exited]")
-	composePsCommand.Flags().BoolP("quiet", "q", false, "Only display container IDs")
-	composePsCommand.Flags().Bool("services", false, "Display services")
-	composePsCommand.Flags().BoolP("all", "a", false, "Show all containers (default shows just running)")
-	return composePsCommand
+	cmd.Flags().String("format", "table", "Format the output. Supported values: [table|json]")
+	cmd.Flags().String("filter", "", "Filter matches containers based on given conditions")
+	cmd.Flags().StringArray("status", []string{}, "Filter services by status. Values: [paused | restarting | removing | running | dead | created | exited]")
+	cmd.Flags().BoolP("quiet", "q", false, "Only display container IDs")
+	cmd.Flags().Bool("services", false, "Display services")
+	cmd.Flags().BoolP("all", "a", false, "Show all containers (default shows just running)")
+	return cmd
 }
 
 type composeContainerPrintable struct {
@@ -74,7 +73,7 @@ type composeContainerPrintable struct {
 	Ports      string `json:"-"`
 }
 
-func composePsAction(cmd *cobra.Command, args []string) error {
+func psAction(cmd *cobra.Command, args []string) error {
 	globalOptions, err := helpers.ProcessRootCmdFlags(cmd)
 	if err != nil {
 		return err
@@ -184,9 +183,9 @@ func composePsAction(cmd *cobra.Command, args []string) error {
 			var p composeContainerPrintable
 			var err error
 			if format == "json" {
-				p, err = composeContainerPrintableJSON(ctx, container)
+				p, err = composeContainerPrintableJSON(ctx, container, globalOptions)
 			} else {
-				p, err = composeContainerPrintableTab(ctx, container)
+				p, err = composeContainerPrintableTab(ctx, container, globalOptions)
 			}
 			if err != nil {
 				return err
@@ -235,7 +234,7 @@ func composePsAction(cmd *cobra.Command, args []string) error {
 
 // composeContainerPrintableTab constructs composeContainerPrintable with fields
 // only for console output.
-func composeContainerPrintableTab(ctx context.Context, container containerd.Container) (composeContainerPrintable, error) {
+func composeContainerPrintableTab(ctx context.Context, container containerd.Container, gOptions types.GlobalCommandOptions) (composeContainerPrintable, error) {
 	info, err := container.Info(ctx, containerd.WithoutRefreshedMetadata)
 	if err != nil {
 		return composeContainerPrintable{}, err
@@ -252,6 +251,18 @@ func composeContainerPrintableTab(ctx context.Context, container containerd.Cont
 	if err != nil {
 		return composeContainerPrintable{}, err
 	}
+	dataStore, err := clientutil.DataStore(gOptions.DataRoot, gOptions.Address)
+	if err != nil {
+		return composeContainerPrintable{}, err
+	}
+	containerLabels, err := container.Labels(ctx)
+	if err != nil {
+		return composeContainerPrintable{}, err
+	}
+	ports, err := portutil.LoadPortMappings(dataStore, gOptions.Namespace, info.ID, containerLabels)
+	if err != nil {
+		return composeContainerPrintable{}, err
+	}
 
 	return composeContainerPrintable{
 		Name:    info.Labels[labels.Name],
@@ -259,13 +270,13 @@ func composeContainerPrintableTab(ctx context.Context, container containerd.Cont
 		Command: formatter.InspectContainerCommandTrunc(spec),
 		Service: info.Labels[labels.ComposeService],
 		State:   status,
-		Ports:   formatter.FormatPorts(info.Labels),
+		Ports:   formatter.FormatPorts(ports),
 	}, nil
 }
 
 // composeContainerPrintableJSON constructs composeContainerPrintable with fields
 // only for json output and compatible docker output.
-func composeContainerPrintableJSON(ctx context.Context, container containerd.Container) (composeContainerPrintable, error) {
+func composeContainerPrintableJSON(ctx context.Context, container containerd.Container, gOptions types.GlobalCommandOptions) (composeContainerPrintable, error) {
 	info, err := container.Info(ctx, containerd.WithoutRefreshedMetadata)
 	if err != nil {
 		return composeContainerPrintable{}, err
@@ -295,6 +306,18 @@ func composeContainerPrintableJSON(ctx context.Context, container containerd.Con
 	if err != nil {
 		return composeContainerPrintable{}, err
 	}
+	dataStore, err := clientutil.DataStore(gOptions.DataRoot, gOptions.Address)
+	if err != nil {
+		return composeContainerPrintable{}, err
+	}
+	containerLabels, err := container.Labels(ctx)
+	if err != nil {
+		return composeContainerPrintable{}, err
+	}
+	portMappings, err := portutil.LoadPortMappings(dataStore, gOptions.Namespace, info.ID, containerLabels)
+	if err != nil {
+		return composeContainerPrintable{}, err
+	}
 
 	return composeContainerPrintable{
 		ID:         container.ID(),
@@ -306,7 +329,7 @@ func composeContainerPrintableJSON(ctx context.Context, container containerd.Con
 		State:      state,
 		Health:     "",
 		ExitCode:   exitCode,
-		Publishers: formatPublishers(info.Labels),
+		Publishers: formatPublishers(portMappings),
 	}, nil
 }
 
@@ -322,8 +345,8 @@ type PortPublisher struct {
 
 // formatPublishers parses and returns docker-compatible []PortPublisher from
 // label map. If an error happens, an empty slice is returned.
-func formatPublishers(labelMap map[string]string) []PortPublisher {
-	mapper := func(pm gocni.PortMapping) PortPublisher {
+func formatPublishers(portMappings []cni.PortMapping) []PortPublisher {
+	mapper := func(pm cni.PortMapping) PortPublisher {
 		return PortPublisher{
 			URL:           pm.HostIP,
 			TargetPort:    int(pm.ContainerPort),
@@ -333,22 +356,14 @@ func formatPublishers(labelMap map[string]string) []PortPublisher {
 	}
 
 	var dockerPorts []PortPublisher
-	if portMappings, err := portutil.ParsePortsLabel(labelMap); err == nil {
-		for _, p := range portMappings {
-			dockerPorts = append(dockerPorts, mapper(p))
-		}
-	} else {
-		log.L.Error(err.Error())
+	for _, p := range portMappings {
+		dockerPorts = append(dockerPorts, mapper(p))
 	}
 	return dockerPorts
 }
 
 // statusForFilter returns the status value to be matched with the 'status' filter
 func statusForFilter(ctx context.Context, c containerd.Container) string {
-	// Just in case, there is something wrong in server.
-	ctx, cancel := context.WithTimeout(ctx, 5*time.Second)
-	defer cancel()
-
 	task, err := c.Task(ctx, nil)
 	if err != nil {
 		// NOTE: NotFound doesn't mean that container hasn't started.

cmd/nerdctl/compose/compose_ps_linux_test.go

@@ -32,14 +32,10 @@ import (
 func TestComposePs(t *testing.T) {
 	base := testutil.NewBase(t)
 	var dockerComposeYAML = fmt.Sprintf(`
-version: '3.1'
-
 services:
   wordpress:
     image: %s
     container_name: wordpress_container
-    ports:
-      - 8080:80
     environment:
       WORDPRESS_DB_HOST: db
       WORDPRESS_DB_USER: exampleuser
@@ -64,7 +60,7 @@ services:
 volumes:
   wordpress:
   db:
-`, testutil.WordpressImage, testutil.MariaDBImage, testutil.AlpineImage)
+`, testutil.WordpressImage, testutil.MariaDBImage, testutil.CommonImage)
 	comp := testutil.NewComposeDir(t, dockerComposeYAML)
 	defer comp.CleanUp()
 	projectName := comp.ProjectName()
@@ -100,9 +96,9 @@ volumes:
 	time.Sleep(3 * time.Second)
 	base.ComposeCmd("-f", comp.YAMLFullPath(), "ps", "wordpress").AssertOutWithFunc(assertHandler("wordpress_container", testutil.WordpressImage))
 	base.ComposeCmd("-f", comp.YAMLFullPath(), "ps", "db").AssertOutWithFunc(assertHandler("db_container", testutil.MariaDBImage))
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "ps").AssertOutNotContains(testutil.AlpineImage)
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "ps", "alpine", "-a").AssertOutWithFunc(assertHandler("alpine_container", testutil.AlpineImage))
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "ps", "-a", "--filter", "status=exited").AssertOutWithFunc(assertHandler("alpine_container", testutil.AlpineImage))
+	base.ComposeCmd("-f", comp.YAMLFullPath(), "ps").AssertOutNotContains(testutil.CommonImage)
+	base.ComposeCmd("-f", comp.YAMLFullPath(), "ps", "alpine", "-a").AssertOutWithFunc(assertHandler("alpine_container", testutil.CommonImage))
+	base.ComposeCmd("-f", comp.YAMLFullPath(), "ps", "-a", "--filter", "status=exited").AssertOutWithFunc(assertHandler("alpine_container", testutil.CommonImage))
 	base.ComposeCmd("-f", comp.YAMLFullPath(), "ps", "--services", "-a").AssertOutContainsAll("wordpress\n", "db\n", "alpine\n")
 }
 
@@ -112,8 +108,6 @@ func TestComposePsJSON(t *testing.T) {
 
 	base := testutil.NewBase(t)
 	var dockerComposeYAML = fmt.Sprintf(`
-version: '3.1'
-
 services:
   wordpress:
     image: %s

cmd/nerdctl/compose/compose_pull.go

@@ -25,19 +25,19 @@ import (
 	"github.com/containerd/nerdctl/v2/pkg/composer"
 )
 
-func newComposePullCommand() *cobra.Command {
-	var composePullCommand = &cobra.Command{
+func pullCommand() *cobra.Command {
+	var cmd = &cobra.Command{
 		Use:           "pull [flags] [SERVICE...]",
 		Short:         "Pull service images",
-		RunE:          composePullAction,
+		RunE:          pullAction,
 		SilenceUsage:  true,
 		SilenceErrors: true,
 	}
-	composePullCommand.Flags().BoolP("quiet", "q", false, "Pull without printing progress information")
-	return composePullCommand
+	cmd.Flags().BoolP("quiet", "q", false, "Pull without printing progress information")
+	return cmd
 }
 
-func composePullAction(cmd *cobra.Command, args []string) error {
+func pullAction(cmd *cobra.Command, args []string) error {
 	globalOptions, err := helpers.ProcessRootCmdFlags(cmd)
 	if err != nil {
 		return err

cmd/nerdctl/compose/compose_pull_linux_test.go

@@ -26,14 +26,10 @@ import (
 func TestComposePullWithService(t *testing.T) {
 	base := testutil.NewBase(t)
 	var dockerComposeYAML = fmt.Sprintf(`
-version: '3.1'
-
 services:
 
   wordpress:
     image: %s
-    ports:
-      - 8080:80
     environment:
       WORDPRESS_DB_HOST: db
       WORDPRESS_DB_USER: exampleuser

cmd/nerdctl/compose/compose_push.go

@@ -25,18 +25,18 @@ import (
 	"github.com/containerd/nerdctl/v2/pkg/composer"
 )
 
-func newComposePushCommand() *cobra.Command {
-	var composePushCommand = &cobra.Command{
+func pushCommand() *cobra.Command {
+	var cmd = &cobra.Command{
 		Use:           "push [flags] [SERVICE...]",
 		Short:         "Push service images",
-		RunE:          composePushAction,
+		RunE:          pushAction,
 		SilenceUsage:  true,
 		SilenceErrors: true,
 	}
-	return composePushCommand
+	return cmd
 }
 
-func composePushAction(cmd *cobra.Command, args []string) error {
+func pushAction(cmd *cobra.Command, args []string) error {
 	globalOptions, err := helpers.ProcessRootCmdFlags(cmd)
 	if err != nil {
 		return err

cmd/nerdctl/compose/compose_restart.go

@@ -25,19 +25,19 @@ import (
 	"github.com/containerd/nerdctl/v2/pkg/composer"
 )
 
-func newComposeRestartCommand() *cobra.Command {
-	var composeRestartCommand = &cobra.Command{
+func restartCommand() *cobra.Command {
+	var cmd = &cobra.Command{
 		Use:           "restart [flags] [SERVICE...]",
 		Short:         "Restart containers of given (or all) services",
-		RunE:          composeRestartAction,
+		RunE:          restartAction,
 		SilenceUsage:  true,
 		SilenceErrors: true,
 	}
-	composeRestartCommand.Flags().UintP("timeout", "t", 10, "Seconds to wait before restarting them")
-	return composeRestartCommand
+	cmd.Flags().UintP("timeout", "t", 10, "Seconds to wait before restarting them")
+	return cmd
 }
 
-func composeRestartAction(cmd *cobra.Command, args []string) error {
+func restartAction(cmd *cobra.Command, args []string) error {
 	globalOptions, err := helpers.ProcessRootCmdFlags(cmd)
 	if err != nil {
 		return err

cmd/nerdctl/compose/compose_restart_linux_test.go

@@ -26,13 +26,9 @@ import (
 func TestComposeRestart(t *testing.T) {
 	base := testutil.NewBase(t)
 	var dockerComposeYAML = fmt.Sprintf(`
-version: '3.1'
-
 services:
   wordpress:
     image: %s
-    ports:
-      - 8080:80
     environment:
       WORDPRESS_DB_HOST: db
       WORDPRESS_DB_USER: exampleuser

cmd/nerdctl/compose/compose_rm.go

@@ -28,21 +28,21 @@ import (
 	"github.com/containerd/nerdctl/v2/pkg/composer"
 )
 
-func newComposeRemoveCommand() *cobra.Command {
-	var composeRemoveCommand = &cobra.Command{
+func removeCommand() *cobra.Command {
+	var cmd = &cobra.Command{
 		Use:           "rm [flags] [SERVICE...]",
 		Short:         "Remove stopped service containers",
-		RunE:          composeRemoveAction,
+		RunE:          removeAction,
 		SilenceUsage:  true,
 		SilenceErrors: true,
 	}
-	composeRemoveCommand.Flags().BoolP("force", "f", false, "Do not prompt for confirmation")
-	composeRemoveCommand.Flags().BoolP("stop", "s", false, "Stop containers before removing")
-	composeRemoveCommand.Flags().BoolP("volumes", "v", false, "Remove anonymous volumes associated with containers")
-	return composeRemoveCommand
+	cmd.Flags().BoolP("force", "f", false, "Do not prompt for confirmation")
+	cmd.Flags().BoolP("stop", "s", false, "Stop containers before removing")
+	cmd.Flags().BoolP("volumes", "v", false, "Remove anonymous volumes associated with containers")
+	return cmd
 }
 
-func composeRemoveAction(cmd *cobra.Command, args []string) error {
+func removeAction(cmd *cobra.Command, args []string) error {
 	globalOptions, err := helpers.ProcessRootCmdFlags(cmd)
 	if err != nil {
 		return err

cmd/nerdctl/compose/compose_rm_linux_test.go

@@ -18,23 +18,23 @@ package compose
 
 import (
 	"fmt"
+	"regexp"
 	"testing"
-	"time"
+
+	"github.com/containerd/nerdctl/mod/tigron/expect"
+	"github.com/containerd/nerdctl/mod/tigron/test"
+	"github.com/containerd/nerdctl/mod/tigron/tig"
 
 	"github.com/containerd/nerdctl/v2/pkg/testutil"
+	"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest"
 )
 
 func TestComposeRemove(t *testing.T) {
-	base := testutil.NewBase(t)
 	var dockerComposeYAML = fmt.Sprintf(`
-version: '3.1'
-
 services:
 
   wordpress:
     image: %s
-    ports:
-      - 8080:80
     environment:
       WORDPRESS_DB_HOST: db
       WORDPRESS_DB_USER: exampleuser
@@ -58,27 +58,71 @@ volumes:
   db:
 `, testutil.WordpressImage, testutil.MariaDBImage)
 
-	comp := testutil.NewComposeDir(t, dockerComposeYAML)
-	defer comp.CleanUp()
-	projectName := comp.ProjectName()
-	t.Logf("projectName=%q", projectName)
+	testCase := nerdtest.Setup()
 
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "up", "-d").AssertOK()
-	defer base.ComposeCmd("-f", comp.YAMLFullPath(), "down", "-v").Run()
+	testCase.Cleanup = func(data test.Data, helpers test.Helpers) {
+		helpers.Anyhow("compose", "-f", data.Temp().Path("compose.yaml"), "down")
+	}
 
-	// no stopped containers
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "rm", "-f").AssertOK()
-	time.Sleep(3 * time.Second)
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "ps", "wordpress").AssertOutContainsAny("Up", "running")
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "ps", "db").AssertOutContainsAny("Up", "running")
-	// remove one stopped service
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "stop", "wordpress").AssertOK()
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "rm", "-f", "wordpress").AssertOK()
-	time.Sleep(3 * time.Second)
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "ps", "wordpress").AssertOutNotContains("wordpress")
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "ps", "db").AssertOutContainsAny("Up", "running")
-	// remove all services with `--stop`
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "rm", "-f", "-s").AssertOK()
-	time.Sleep(3 * time.Second)
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "ps", "db").AssertOutNotContains("db")
+	testCase.Setup = func(data test.Data, helpers test.Helpers) {
+		data.Temp().Save(dockerComposeYAML, "compose.yaml")
+		helpers.Ensure("compose", "-f", data.Temp().Path("compose.yaml"), "up", "-d")
+		data.Labels().Set("yamlPath", data.Temp().Path("compose.yaml"))
+	}
+
+	testCase.SubTests = []*test.Case{
+		{
+			Description: "All services are still up",
+			NoParallel:  true,
+			Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+				return helpers.Command("compose", "-f", data.Labels().Get("yamlPath"), "rm", "-f")
+			},
+			Expected: func(data test.Data, helpers test.Helpers) *test.Expected {
+				return &test.Expected{
+					Output: func(stdout string, t tig.T) {
+						wp := helpers.Capture("compose", "-f", data.Labels().Get("yamlPath"), "ps", "wordpress")
+						db := helpers.Capture("compose", "-f", data.Labels().Get("yamlPath"), "ps", "db")
+						comp := expect.Match(regexp.MustCompile("Up|running"))
+						comp(wp, t)
+						comp(db, t)
+					},
+				}
+			},
+		},
+		{
+			Description: "Remove stopped service",
+			NoParallel:  true,
+			Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+				helpers.Ensure("compose", "-f", data.Labels().Get("yamlPath"), "stop", "wordpress")
+				return helpers.Command("compose", "-f", data.Labels().Get("yamlPath"), "rm", "-f")
+			},
+			Expected: func(data test.Data, helpers test.Helpers) *test.Expected {
+				return &test.Expected{
+					Output: func(stdout string, t tig.T) {
+						wp := helpers.Capture("compose", "-f", data.Labels().Get("yamlPath"), "ps", "wordpress")
+						db := helpers.Capture("compose", "-f", data.Labels().Get("yamlPath"), "ps", "db")
+						expect.DoesNotContain("wordpress")(wp, t)
+						expect.Match(regexp.MustCompile("Up|running"))(db, t)
+					},
+				}
+			},
+		},
+		{
+			Description: "Remove all services with stop",
+			NoParallel:  true,
+			Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+				return helpers.Command("compose", "-f", data.Labels().Get("yamlPath"), "rm", "-f", "-s")
+			},
+			Expected: func(data test.Data, helpers test.Helpers) *test.Expected {
+				return &test.Expected{
+					Output: func(stdout string, t tig.T) {
+						db := helpers.Capture("compose", "-f", data.Labels().Get("yamlPath"), "ps", "db")
+						expect.DoesNotContain("db")(db, t)
+					},
+				}
+			},
+		},
+	}
+
+	testCase.Run(t)
 }

cmd/nerdctl/compose/compose_run.go

@@ -28,48 +28,48 @@ import (
 	"github.com/containerd/nerdctl/v2/pkg/composer"
 )
 
-func newComposeRunCommand() *cobra.Command {
-	var composeRunCommand = &cobra.Command{
+func runCommand() *cobra.Command {
+	var cmd = &cobra.Command{
 		Use:                   "run [flags] SERVICE [COMMAND] [ARGS...]",
 		Short:                 "Run a one-off command on a service",
 		Args:                  cobra.MinimumNArgs(1),
-		RunE:                  composeRunAction,
+		RunE:                  runAction,
 		SilenceUsage:          true,
 		SilenceErrors:         true,
 		DisableFlagsInUseLine: true,
 	}
-	composeRunCommand.Flags().SetInterspersed(false)
-	composeRunCommand.Flags().BoolP("detach", "d", false, "Detached mode: Run containers in the background")
-	composeRunCommand.Flags().Bool("no-build", false, "Don't build an image, even if it's missing.")
-	composeRunCommand.Flags().Bool("no-color", false, "Produce monochrome output")
-	composeRunCommand.Flags().Bool("no-log-prefix", false, "Don't print prefix in logs")
-	composeRunCommand.Flags().Bool("build", false, "Build images before starting containers.")
-	composeRunCommand.Flags().Bool("quiet-pull", false, "Pull without printing progress information")
-	composeRunCommand.Flags().Bool("remove-orphans", false, "Remove containers for services not defined in the Compose file.")
+	cmd.Flags().SetInterspersed(false)
+	cmd.Flags().BoolP("detach", "d", false, "Detached mode: Run containers in the background")
+	cmd.Flags().Bool("no-build", false, "Don't build an image, even if it's missing.")
+	cmd.Flags().Bool("no-color", false, "Produce monochrome output")
+	cmd.Flags().Bool("no-log-prefix", false, "Don't print prefix in logs")
+	cmd.Flags().Bool("build", false, "Build images before starting containers.")
+	cmd.Flags().Bool("quiet-pull", false, "Pull without printing progress information")
+	cmd.Flags().Bool("remove-orphans", false, "Remove containers for services not defined in the Compose file.")
 
-	composeRunCommand.Flags().String("name", "", "Assign a name to the container")
-	composeRunCommand.Flags().Bool("no-deps", false, "Don't start dependencies")
+	cmd.Flags().String("name", "", "Assign a name to the container")
+	cmd.Flags().Bool("no-deps", false, "Don't start dependencies")
 	// TODO: no-TTY flag
 	//       In docker-compose's documentation, no-TTY is automatically detected
 	//       But, it follows `-i` flag because currently `run` command needs `-it` simultaneously.
-	composeRunCommand.Flags().BoolP("interactive", "i", true, "Keep STDIN open even if not attached")
-	composeRunCommand.Flags().Bool("rm", false, "Automatically remove the container when it exits")
-	composeRunCommand.Flags().StringP("user", "u", "", "Username or UID (format: <name|uid>[:<group|gid>])")
-	composeRunCommand.Flags().StringArrayP("volume", "v", nil, "Bind mount a volume")
-	composeRunCommand.Flags().StringArray("entrypoint", nil, "Overwrite the default ENTRYPOINT of the image")
-	composeRunCommand.Flags().StringArrayP("env", "e", nil, "Set environment variables")
-	composeRunCommand.Flags().StringArrayP("label", "l", nil, "Set metadata on container")
-	composeRunCommand.Flags().StringP("workdir", "w", "", "Working directory inside the container")
+	cmd.Flags().BoolP("interactive", "i", true, "Keep STDIN open even if not attached")
+	cmd.Flags().Bool("rm", false, "Automatically remove the container when it exits")
+	cmd.Flags().StringP("user", "u", "", "Username or UID (format: <name|uid>[:<group|gid>])")
+	cmd.Flags().StringArrayP("volume", "v", nil, "Bind mount a volume")
+	cmd.Flags().StringArray("entrypoint", nil, "Overwrite the default ENTRYPOINT of the image")
+	cmd.Flags().StringArrayP("env", "e", nil, "Set environment variables")
+	cmd.Flags().StringArrayP("label", "l", nil, "Set metadata on container")
+	cmd.Flags().StringP("workdir", "w", "", "Working directory inside the container")
 	// FIXME: `-p` conflicts with the `--project-name` in PersistentFlags of parent command `compose`
 	//        For docker compatibility, it should be fixed.
-	composeRunCommand.Flags().StringSlice("publish", nil, "Publish a container's port(s) to the host")
-	composeRunCommand.Flags().Bool("service-ports", false, "Run command with the service's ports enabled and mapped to the host")
+	cmd.Flags().StringSlice("publish", nil, "Publish a container's port(s) to the host")
+	cmd.Flags().Bool("service-ports", false, "Run command with the service's ports enabled and mapped to the host")
 	// TODO: use-aliases
 
-	return composeRunCommand
+	return cmd
 }
 
-func composeRunAction(cmd *cobra.Command, args []string) error {
+func runAction(cmd *cobra.Command, args []string) error {
 	globalOptions, err := helpers.ProcessRootCmdFlags(cmd)
 	if err != nil {
 		return err

cmd/nerdctl/compose/compose_run_linux_test.go

@@ -26,81 +26,90 @@ import (
 	"gotest.tools/v3/assert"
 
 	"github.com/containerd/log"
+	"github.com/containerd/nerdctl/mod/tigron/expect"
+	"github.com/containerd/nerdctl/mod/tigron/test"
 
 	"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers"
 	"github.com/containerd/nerdctl/v2/pkg/testutil"
+	"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest"
 	"github.com/containerd/nerdctl/v2/pkg/testutil/nettestutil"
 	"github.com/containerd/nerdctl/v2/pkg/testutil/testregistry"
 )
 
 func TestComposeRun(t *testing.T) {
-	base := testutil.NewBase(t)
-	// specify the name of container in order to remove
-	// TODO: when `compose rm` is implemented, replace it.
-	containerName := testutil.Identifier(t)
+	const expectedOutput = "speed 38400 baud"
 
 	dockerComposeYAML := fmt.Sprintf(`
-version: '3.1'
 services:
   alpine:
     image: %s
     entrypoint:
       - stty
-`, testutil.AlpineImage)
+`, testutil.CommonImage)
 
-	comp := testutil.NewComposeDir(t, dockerComposeYAML)
-	defer comp.CleanUp()
-	projectName := comp.ProjectName()
-	t.Logf("projectName=%q", projectName)
-	defer base.ComposeCmd("-f", comp.YAMLFullPath(), "down", "-v").Run()
+	testCase := nerdtest.Setup()
 
-	defer base.Cmd("rm", "-f", "-v", containerName).Run()
-	const sttyPartialOutput = "speed 38400 baud"
-	// unbuffer(1) emulates tty, which is required by `nerdctl run -t`.
-	// unbuffer(1) can be installed with `apt-get install expect`.
-	unbuffer := []string{"unbuffer"}
-	base.ComposeCmdWithHelper(unbuffer, "-f", comp.YAMLFullPath(),
-		"run", "--name", containerName, "alpine").AssertOutContains(sttyPartialOutput)
-}
+	testCase.SubTests = []*test.Case{
+		{
+			Description: "pty run",
+			Setup: func(data test.Data, helpers test.Helpers) {
+				data.Temp().Save(dockerComposeYAML, "compose.yaml")
+			},
+			Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+				cmd := helpers.Command(
+					"compose",
+					"-f",
+					data.Temp().Path("compose.yaml"),
+					"run",
+					"--name",
+					data.Identifier(),
+					"alpine",
+				)
+				cmd.WithPseudoTTY()
+				return cmd
+			},
+			Expected: test.Expects(0, nil, expect.Contains(expectedOutput)),
+			Cleanup: func(data test.Data, helpers test.Helpers) {
+				helpers.Anyhow("rm", "-f", "-v", data.Identifier())
+				helpers.Anyhow("compose", "-f", data.Temp().Path("compose.yaml"), "down", "-v")
+			},
+		},
+		{
+			Description: "pty run with --rm",
+			Setup: func(data test.Data, helpers test.Helpers) {
+				data.Temp().Save(dockerComposeYAML, "compose.yaml")
+			},
+			Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+				cmd := helpers.Command(
+					"compose",
+					"-f",
+					data.Temp().Path("compose.yaml"),
+					"run",
+					"--name",
+					data.Identifier(),
+					"--rm",
+					"alpine",
+				)
+				cmd.WithPseudoTTY()
+				return cmd
+			},
+			Expected: func(data test.Data, helpers test.Helpers) *test.Expected {
+				// Ensure the container has been removed
+				capt := helpers.Capture("ps", "-a", "--format=\"{{.Names}}\"")
+				assert.Assert(t, !strings.Contains(capt, data.Identifier()), capt)
 
-func TestComposeRunWithRM(t *testing.T) {
-	base := testutil.NewBase(t)
-	// specify the name of container in order to remove
-	// TODO: when `compose rm` is implemented, replace it.
-	containerName := testutil.Identifier(t)
-
-	dockerComposeYAML := fmt.Sprintf(`
-version: '3.1'
-services:
-  alpine:
-    image: %s
-    entrypoint:
-      - stty
-`, testutil.AlpineImage)
-
-	comp := testutil.NewComposeDir(t, dockerComposeYAML)
-	defer comp.CleanUp()
-	projectName := comp.ProjectName()
-	t.Logf("projectName=%q", projectName)
-	defer base.ComposeCmd("-f", comp.YAMLFullPath(), "down", "-v").Run()
-
-	defer base.Cmd("rm", "-f", "-v", containerName).Run()
-	const sttyPartialOutput = "speed 38400 baud"
-	// unbuffer(1) emulates tty, which is required by `nerdctl run -t`.
-	// unbuffer(1) can be installed with `apt-get install expect`.
-	unbuffer := []string{"unbuffer"}
-	base.ComposeCmdWithHelper(unbuffer, "-f", comp.YAMLFullPath(),
-		"run", "--name", containerName, "--rm", "alpine").AssertOutContains(sttyPartialOutput)
-
-	psCmd := base.Cmd("ps", "-a", "--format=\"{{.Names}}\"")
-	result := psCmd.Run()
-	stdoutContent := result.Stdout() + result.Stderr()
-	assert.Assert(psCmd.Base.T, result.ExitCode == 0, stdoutContent)
-	if strings.Contains(stdoutContent, containerName) {
-		log.L.Errorf("test failed, the container %s is not removed", stdoutContent)
-		t.Fail()
-		return
+				return &test.Expected{
+					Output: expect.Contains(expectedOutput),
+				}
+			},
+			Cleanup: func(data test.Data, helpers test.Helpers) {
+				helpers.Anyhow("rm", "-f", "-v", data.Identifier())
+				helpers.Anyhow("compose", "-f", data.Temp().Path("compose.yaml"), "down", "-v")
+			},
+		},
 	}
+
+	testCase.Run(t)
 }
 
 func TestComposeRunWithServicePorts(t *testing.T) {
@@ -110,7 +119,6 @@ func TestComposeRunWithServicePorts(t *testing.T) {
 	containerName := testutil.Identifier(t)
 
 	dockerComposeYAML := fmt.Sprintf(`
-version: '3.1'
 services:
   web:
     image: %s
@@ -134,7 +142,7 @@ services:
 	}()
 
 	checkNginx := func() error {
-		resp, err := nettestutil.HTTPGet("http://127.0.0.1:8080", 10, false)
+		resp, err := nettestutil.HTTPGet("http://127.0.0.1:8080", 5, false)
 		if err != nil {
 			return err
 		}
@@ -172,7 +180,6 @@ func TestComposeRunWithPublish(t *testing.T) {
 	containerName := testutil.Identifier(t)
 
 	dockerComposeYAML := fmt.Sprintf(`
-version: '3.1'
 services:
   web:
     image: %s
@@ -194,7 +201,7 @@ services:
 	}()
 
 	checkNginx := func() error {
-		resp, err := nettestutil.HTTPGet("http://127.0.0.1:8080", 10, false)
+		resp, err := nettestutil.HTTPGet("http://127.0.0.1:8080", 5, false)
 		if err != nil {
 			return err
 		}
@@ -232,7 +239,6 @@ func TestComposeRunWithEnv(t *testing.T) {
 	containerName := testutil.Identifier(t)
 
 	dockerComposeYAML := fmt.Sprintf(`
-version: '3.1'
 services:
   alpine:
     image: %s
@@ -240,7 +246,7 @@ services:
       - sh
       - -c
       - "echo $$FOO"
-`, testutil.AlpineImage)
+`, testutil.CommonImage)
 
 	comp := testutil.NewComposeDir(t, dockerComposeYAML)
 	defer comp.CleanUp()
@@ -264,14 +270,13 @@ func TestComposeRunWithUser(t *testing.T) {
 	containerName := testutil.Identifier(t)
 
 	dockerComposeYAML := fmt.Sprintf(`
-version: '3.1'
 services:
   alpine:
     image: %s
     entrypoint:
       - id
       - -u
-`, testutil.AlpineImage)
+`, testutil.CommonImage)
 
 	comp := testutil.NewComposeDir(t, dockerComposeYAML)
 	defer comp.CleanUp()
@@ -293,7 +298,6 @@ func TestComposeRunWithLabel(t *testing.T) {
 	containerName := testutil.Identifier(t)
 
 	dockerComposeYAML := fmt.Sprintf(`
-version: '3.1'
 services:
   alpine:
     image: %s
@@ -302,7 +306,7 @@ services:
       - "dummy log"
     labels:
       - "foo=bar"
-`, testutil.AlpineImage)
+`, testutil.CommonImage)
 
 	comp := testutil.NewComposeDir(t, dockerComposeYAML)
 	defer comp.CleanUp()
@@ -331,13 +335,12 @@ func TestComposeRunWithArgs(t *testing.T) {
 	containerName := testutil.Identifier(t)
 
 	dockerComposeYAML := fmt.Sprintf(`
-version: '3.1'
 services:
   alpine:
     image: %s
     entrypoint:
       - echo
-`, testutil.AlpineImage)
+`, testutil.CommonImage)
 
 	comp := testutil.NewComposeDir(t, dockerComposeYAML)
 	defer comp.CleanUp()
@@ -361,13 +364,12 @@ func TestComposeRunWithEntrypoint(t *testing.T) {
 	containerName := testutil.Identifier(t)
 
 	dockerComposeYAML := fmt.Sprintf(`
-version: '3.1'
 services:
   alpine:
     image: %s
     entrypoint:
       - stty # should be changed
-`, testutil.AlpineImage)
+`, testutil.CommonImage)
 
 	comp := testutil.NewComposeDir(t, dockerComposeYAML)
 	defer comp.CleanUp()
@@ -389,13 +391,12 @@ func TestComposeRunWithVolume(t *testing.T) {
 	containerName := testutil.Identifier(t)
 
 	dockerComposeYAML := fmt.Sprintf(`
-version: '3.1'
 services:
   alpine:
     image: %s
     entrypoint:
     - stty # no meaning, just put any command
-`, testutil.AlpineImage)
+`, testutil.CommonImage)
 
 	comp := testutil.NewComposeDir(t, dockerComposeYAML)
 	defer comp.CleanUp()
@@ -479,7 +480,7 @@ services:
 `, imageSvc0, keyPair.PublicKey, keyPair.PrivateKey,
 		imageSvc1, keyPair.PrivateKey, imageSvc2)
 
-	dockerfile := fmt.Sprintf(`FROM %s`, testutil.AlpineImage)
+	dockerfile := fmt.Sprintf(`FROM %s`, testutil.CommonImage)
 
 	comp := testutil.NewComposeDir(t, dockerComposeYAML)
 	defer comp.CleanUp()

cmd/nerdctl/compose/compose_start.go

@@ -34,19 +34,19 @@ import (
 	"github.com/containerd/nerdctl/v2/pkg/labels"
 )
 
-func newComposeStartCommand() *cobra.Command {
-	var composeRestartCommand = &cobra.Command{
+func startCommand() *cobra.Command {
+	var cmd = &cobra.Command{
 		Use:                   "start [SERVICE...]",
 		Short:                 "Start existing containers for service(s)",
-		RunE:                  composeStartAction,
+		RunE:                  startAction,
 		SilenceUsage:          true,
 		SilenceErrors:         true,
 		DisableFlagsInUseLine: true,
 	}
-	return composeRestartCommand
+	return cmd
 }
 
-func composeStartAction(cmd *cobra.Command, args []string) error {
+func startAction(cmd *cobra.Command, args []string) error {
 	globalOptions, err := helpers.ProcessRootCmdFlags(cmd)
 	if err != nil {
 		return err
@@ -112,7 +112,7 @@ func startContainers(ctx context.Context, client *containerd.Client, containers
 			}
 
 			// in compose, always disable attach
-			if err := containerutil.Start(ctx, c, false, client, ""); err != nil {
+			if err := containerutil.Start(ctx, c, false, false, client, ""); err != nil {
 				return err
 			}
 			info, err := c.Info(ctx, containerd.WithoutRefreshedMetadata)

cmd/nerdctl/compose/compose_start_linux_test.go

@@ -18,16 +18,19 @@ package compose
 
 import (
 	"fmt"
+	"regexp"
 	"testing"
 
+	"github.com/containerd/nerdctl/mod/tigron/expect"
+	"github.com/containerd/nerdctl/mod/tigron/test"
+	"github.com/containerd/nerdctl/mod/tigron/tig"
+
 	"github.com/containerd/nerdctl/v2/pkg/testutil"
+	"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest"
 )
 
 func TestComposeStart(t *testing.T) {
-	base := testutil.NewBase(t)
 	var dockerComposeYAML = fmt.Sprintf(`
-version: '3.1'
-
 services:
   svc0:
     image: %s
@@ -37,50 +40,68 @@ services:
     command: "sleep infinity"
 `, testutil.CommonImage, testutil.CommonImage)
 
-	comp := testutil.NewComposeDir(t, dockerComposeYAML)
-	defer comp.CleanUp()
-	projectName := comp.ProjectName()
-	t.Logf("projectName=%q", projectName)
+	testCase := nerdtest.Setup()
 
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "up", "-d").AssertOK()
-	defer base.ComposeCmd("-f", comp.YAMLFullPath(), "down", "-v").AssertOK()
+	testCase.Cleanup = func(data test.Data, helpers test.Helpers) {
+		helpers.Anyhow("compose", "-f", data.Temp().Path("compose.yaml"), "down")
+	}
 
-	// calling `compose start` after all services up has no effect.
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "start").AssertOK()
+	testCase.Setup = func(data test.Data, helpers test.Helpers) {
+		data.Temp().Save(dockerComposeYAML, "compose.yaml")
+		helpers.Ensure("compose", "-f", data.Temp().Path("compose.yaml"), "up", "-d")
+		helpers.Ensure("compose", "-f", data.Temp().Path("compose.yaml"), "start")
+		helpers.Ensure("compose", "-f", data.Temp().Path("compose.yaml"), "stop", "--timeout", "1", "svc0")
+		helpers.Ensure("compose", "-f", data.Temp().Path("compose.yaml"), "kill", "svc1")
+	}
 
-	// `compose start`` can start a stopped/killed service container
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "stop", "--timeout", "1", "svc0").AssertOK()
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "kill", "svc1").AssertOK()
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "start").AssertOK()
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "ps", "svc0").AssertOutContainsAny("Up", "running")
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "ps", "svc1").AssertOutContainsAny("Up", "running")
+	testCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {
+		return helpers.Command("compose", "-f", data.Temp().Path("compose.yaml"), "start")
+	}
+
+	testCase.Expected = func(data test.Data, helpers test.Helpers) *test.Expected {
+		return &test.Expected{
+			ExitCode: 0,
+			Errors:   nil,
+			Output: func(stdout string, t tig.T) {
+				svc0 := helpers.Capture("compose", "-f", data.Temp().Path("compose.yaml"), "ps", "svc0")
+				svc1 := helpers.Capture("compose", "-f", data.Temp().Path("compose.yaml"), "ps", "svc1")
+				comp := expect.Match(regexp.MustCompile("Up|running"))
+				comp(svc0, t)
+				comp(svc1, t)
+			},
+		}
+	}
+
+	testCase.Run(t)
 }
 
 func TestComposeStartFailWhenServicePause(t *testing.T) {
-	base := testutil.NewBase(t)
-	switch base.Info().CgroupDriver {
-	case "none", "":
-		t.Skip("requires cgroup (for pausing)")
-	}
-
 	var dockerComposeYAML = fmt.Sprintf(`
-version: '3.1'
-
 services:
   svc0:
     image: %s
     command: "sleep infinity"
 `, testutil.CommonImage)
 
-	comp := testutil.NewComposeDir(t, dockerComposeYAML)
-	defer comp.CleanUp()
-	projectName := comp.ProjectName()
-	t.Logf("projectName=%q", projectName)
+	testCase := nerdtest.Setup()
 
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "up", "-d").AssertOK()
-	defer base.ComposeCmd("-f", comp.YAMLFullPath(), "down", "-v").AssertOK()
+	testCase.Require = nerdtest.CGroup
 
-	// `compose start` cannot start a paused service container
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "pause", "svc0").AssertOK()
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "start").AssertFail()
+	testCase.Cleanup = func(data test.Data, helpers test.Helpers) {
+		helpers.Anyhow("compose", "-f", data.Temp().Path("compose.yaml"), "down")
+	}
+
+	testCase.Setup = func(data test.Data, helpers test.Helpers) {
+		data.Temp().Save(dockerComposeYAML, "compose.yaml")
+		helpers.Ensure("compose", "-f", data.Temp().Path("compose.yaml"), "up", "-d")
+		helpers.Ensure("compose", "-f", data.Temp().Path("compose.yaml"), "pause", "svc0")
+	}
+
+	testCase.Command = func(data test.Data, helpers test.Helpers) test.TestableCommand {
+		return helpers.Command("compose", "-f", data.Temp().Path("compose.yaml"), "start")
+	}
+
+	testCase.Expected = test.Expects(expect.ExitCodeGenericFail, nil, nil)
+
+	testCase.Run(t)
 }

cmd/nerdctl/compose/compose_stop.go

@@ -25,19 +25,19 @@ import (
 	"github.com/containerd/nerdctl/v2/pkg/composer"
 )
 
-func newComposeStopCommand() *cobra.Command {
-	var composeStopCommand = &cobra.Command{
+func stopCommand() *cobra.Command {
+	var cmd = &cobra.Command{
 		Use:           "stop [flags] [SERVICE...]",
 		Short:         "Stop running containers without removing them.",
-		RunE:          composeStopAction,
+		RunE:          stopAction,
 		SilenceUsage:  true,
 		SilenceErrors: true,
 	}
-	composeStopCommand.Flags().UintP("timeout", "t", 10, "Seconds to wait for stop before killing them")
-	return composeStopCommand
+	cmd.Flags().UintP("timeout", "t", 10, "Seconds to wait for stop before killing them")
+	return cmd
 }
 
-func composeStopAction(cmd *cobra.Command, args []string) error {
+func stopAction(cmd *cobra.Command, args []string) error {
 	globalOptions, err := helpers.ProcessRootCmdFlags(cmd)
 	if err != nil {
 		return err

cmd/nerdctl/compose/compose_stop_linux_test.go

@@ -18,22 +18,22 @@ package compose
 
 import (
 	"fmt"
+	"regexp"
 	"testing"
 
+	"github.com/containerd/nerdctl/mod/tigron/expect"
+	"github.com/containerd/nerdctl/mod/tigron/test"
+
 	"github.com/containerd/nerdctl/v2/pkg/testutil"
+	"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest"
 )
 
 func TestComposeStop(t *testing.T) {
-	base := testutil.NewBase(t)
 	var dockerComposeYAML = fmt.Sprintf(`
-version: '3.1'
-
 services:
 
   wordpress:
     image: %s
-    ports:
-      - 8080:80
     environment:
       WORDPRESS_DB_HOST: db
       WORDPRESS_DB_USER: exampleuser
@@ -57,21 +57,50 @@ volumes:
   db:
 `, testutil.WordpressImage, testutil.MariaDBImage)
 
-	comp := testutil.NewComposeDir(t, dockerComposeYAML)
-	defer comp.CleanUp()
-	projectName := comp.ProjectName()
-	t.Logf("projectName=%q", projectName)
+	testCase := nerdtest.Setup()
 
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "up", "-d").AssertOK()
-	defer base.ComposeCmd("-f", comp.YAMLFullPath(), "down", "-v").Run()
+	testCase.Setup = func(data test.Data, helpers test.Helpers) {
+		data.Temp().Save(dockerComposeYAML, "compose.yaml")
+		helpers.Ensure("compose", "-f", data.Temp().Path("compose.yaml"), "up", "-d")
+		data.Labels().Set("yamlPath", data.Temp().Path("compose.yaml"))
+	}
 
-	// stop should (only) stop the given service.
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "stop", "db").AssertOK()
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "ps", "db", "-a").AssertOutContainsAny("Exit", "exited")
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "ps", "wordpress").AssertOutContainsAny("Up", "running")
+	testCase.Cleanup = func(data test.Data, helpers test.Helpers) {
+		helpers.Anyhow("compose", "-f", data.Temp().Path("compose.yaml"), "down")
+	}
 
-	// `--timeout` arg should work properly.
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "stop", "--timeout", "5", "wordpress").AssertOK()
-	base.ComposeCmd("-f", comp.YAMLFullPath(), "ps", "wordpress", "-a").AssertOutContainsAny("Exit", "exited")
+	testCase.SubTests = []*test.Case{
+		{
+			Description: "stop db",
+			NoParallel:  true,
+			Setup: func(data test.Data, helpers test.Helpers) {
+				helpers.Ensure("compose", "-f", data.Labels().Get("yamlPath"), "stop", "db")
+			},
+			Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+				return helpers.Command("compose", "-f", data.Labels().Get("yamlPath"), "ps", "db", "-a")
+			},
+			Expected: test.Expects(0, nil, expect.Match(regexp.MustCompile("Exit|exited"))),
+		},
+		{
+			Description: "wordpress is still running",
+			NoParallel:  true,
+			Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+				return helpers.Command("compose", "-f", data.Labels().Get("yamlPath"), "ps", "wordpress")
+			},
+			Expected: test.Expects(0, nil, expect.Match(regexp.MustCompile("Up|running"))),
+		},
+		{
+			Description: "stop wordpress",
+			NoParallel:  true,
+			Setup: func(data test.Data, helpers test.Helpers) {
+				helpers.Ensure("compose", "-f", data.Labels().Get("yamlPath"), "stop", "--timeout", "5", "wordpress")
+			},
+			Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+				return helpers.Command("compose", "-f", data.Labels().Get("yamlPath"), "ps", "wordpress", "-a")
+			},
+			Expected: test.Expects(0, nil, expect.Match(regexp.MustCompile("Exit|exited"))),
+		},
+	}
 
+	testCase.Run(t)
 }

cmd/nerdctl/compose/compose_top.go

@@ -32,19 +32,19 @@ import (
 	"github.com/containerd/nerdctl/v2/pkg/labels"
 )
 
-func newComposeTopCommand() *cobra.Command {
-	var composeTopCommand = &cobra.Command{
+func topCommand() *cobra.Command {
+	var cmd = &cobra.Command{
 		Use:                   "top [SERVICE...]",
 		Short:                 "Display the running processes of service containers",
-		RunE:                  composeTopAction,
+		RunE:                  topAction,
 		SilenceUsage:          true,
 		SilenceErrors:         true,
 		DisableFlagsInUseLine: true,
 	}
-	return composeTopCommand
+	return cmd
 }
 
-func composeTopAction(cmd *cobra.Command, args []string) error {
+func topAction(cmd *cobra.Command, args []string) error {
 	globalOptions, err := helpers.ProcessRootCmdFlags(cmd)
 	if err != nil {
 		return err