Merge pull request #6208 from thaJeztah/bump_moby

vendor: github.com/docker/docker master

vendor.mod

@@ -21,7 +21,7 @@ require (
 	github.com/distribution/reference v0.6.0
 	github.com/docker/cli-docs-tool v0.10.0
 	github.com/docker/distribution v2.8.3+incompatible
-	github.com/docker/docker v28.2.3-0.20250722205935-c55a16352354+incompatible // master (v29.0-dev)
+	github.com/docker/docker v28.2.3-0.20250724140036-49306c607b72+incompatible // master (v29.0-dev)
 	github.com/docker/docker-credential-helpers v0.9.3
 	github.com/docker/go-connections v0.5.0
 	github.com/docker/go-units v0.5.0

vendor.sum

@@ -57,8 +57,8 @@ github.com/docker/cli-docs-tool v0.10.0/go.mod h1:5EM5zPnT2E7yCLERZmrDA234Vwn09f
 github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
 github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v28.2.3-0.20250722205935-c55a16352354+incompatible h1:/US2sfszh6RjbwhG7saJBx2R7S8FfwUoHjsFyi+1bG4=
+github.com/docker/docker v28.2.3-0.20250724140036-49306c607b72+incompatible h1:jDPHkJMR6wCbKJhFijK8GfnbpesQFzzIxRnlQ9urO+s=
-github.com/docker/docker v28.2.3-0.20250722205935-c55a16352354+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v28.2.3-0.20250724140036-49306c607b72+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.9.3 h1:gAm/VtF9wgqJMoxzT3Gj5p4AqIjCBS4wrsOh9yRqcz8=
 github.com/docker/docker-credential-helpers v0.9.3/go.mod h1:x+4Gbw9aGmChi3qTLZj8Dfn0TD20M/fuWy0E5+WDeCo=
 github.com/docker/go v1.5.1-1.0.20160303222718-d30aec9fd63c h1:lzqkGL9b3znc+ZUgi7FlLnqjQhcXxkNM/quxIjBVMD0=

vendor/github.com/docker/docker/registry/auth.go

@@ -40,9 +40,9 @@ type staticCredentialStore struct {
 
 // NewStaticCredentialStore returns a credential store
 // which always returns the same credential values.
-func NewStaticCredentialStore(auth *registry.AuthConfig) auth.CredentialStore {
+func NewStaticCredentialStore(ac *registry.AuthConfig) auth.CredentialStore {
 	return staticCredentialStore{
-		auth: auth,
+		auth: ac,
 	}
 }
 
@@ -60,7 +60,7 @@ func (scs staticCredentialStore) RefreshToken(*url.URL, string) string {
 	return scs.auth.IdentityToken
 }
 
-func (scs staticCredentialStore) SetRefreshToken(*url.URL, string, string) {
+func (staticCredentialStore) SetRefreshToken(*url.URL, string, string) {
 }
 
 // loginV2 tries to login to the v2 registry server. The given registry
@@ -131,12 +131,15 @@ func v2AuthHTTPClient(endpoint *url.URL, authTransport http.RoundTripper, modifi
 // to just its hostname. It is used to match credentials, which may be either
 // stored as hostname or as hostname including scheme (in legacy configuration
 // files).
-func ConvertToHostname(url string) string {
+func ConvertToHostname(maybeURL string) string {
-	stripped := url
+	stripped := maybeURL
-	if strings.HasPrefix(stripped, "http://") {
+	if scheme, remainder, ok := strings.Cut(stripped, "://"); ok {
-		stripped = strings.TrimPrefix(stripped, "http://")
+		switch scheme {
-	} else if strings.HasPrefix(stripped, "https://") {
+		case "http", "https":
-		stripped = strings.TrimPrefix(stripped, "https://")
+			stripped = remainder
+		default:
+			// unknown, or no scheme; doing nothing for now, as we never did.
+		}
 	}
 	stripped, _, _ = strings.Cut(stripped, "/")
 	return stripped
@@ -175,9 +178,9 @@ func (err PingResponseError) Error() string {
 // PingV2Registry attempts to ping a v2 registry and on success return a
 // challenge manager for the supported authentication types.
 // If a response is received but cannot be interpreted, a PingResponseError will be returned.
-func PingV2Registry(endpoint *url.URL, transport http.RoundTripper) (challenge.Manager, error) {
+func PingV2Registry(endpoint *url.URL, authTransport http.RoundTripper) (challenge.Manager, error) {
 	pingClient := &http.Client{
-		Transport: transport,
+		Transport: authTransport,
 		Timeout:   15 * time.Second,
 	}
 	endpointStr := strings.TrimRight(endpoint.String(), "/") + "/v2/"

vendor/github.com/docker/docker/registry/config.go

@@ -168,14 +168,15 @@ skip:
 		if _, err := ValidateIndexName(r); err != nil {
 			return err
 		}
-		if strings.HasPrefix(strings.ToLower(r), "http://") {
+		if scheme, host, ok := strings.Cut(r, "://"); ok {
-			log.G(context.TODO()).Warnf("insecure registry %s should not contain 'http://' and 'http://' has been removed from the insecure registry config", r)
+			switch strings.ToLower(scheme) {
-			r = r[7:]
+			case "http", "https":
-		} else if strings.HasPrefix(strings.ToLower(r), "https://") {
+				log.G(context.TODO()).Warnf("insecure registry %[1]s should not contain '%[2]s' and '%[2]ss' has been removed from the insecure registry config", r, scheme)
-			log.G(context.TODO()).Warnf("insecure registry %s should not contain 'https://' and 'https://' has been removed from the insecure registry config", r)
+				r = host
-			r = r[8:]
+			default:
-		} else if hasScheme(r) {
+				// unsupported scheme
-			return invalidParamf("insecure registry %s should not contain '://'", r)
+				return invalidParamf("insecure registry %s should not contain '://'", r)
+			}
 		}
 		// Check if CIDR was passed to --insecure-registry
 		_, ipnet, err := net.ParseCIDR(r)
@@ -240,18 +241,18 @@ func (config *serviceConfig) isSecureIndex(indexName string) bool {
 // for mocking in unit tests.
 var lookupIP = net.LookupIP
 
-// isCIDRMatch returns true if URLHost matches an element of cidrs. URLHost is a URL.Host (`host:port` or `host`)
+// isCIDRMatch returns true if urlHost matches an element of cidrs. urlHost is a URL.Host ("host:port" or "host")
 // where the `host` part can be either a domain name or an IP address. If it is a domain name, then it will be
 // resolved to IP addresses for matching. If resolution fails, false is returned.
-func isCIDRMatch(cidrs []*registry.NetIPNet, URLHost string) bool {
+func isCIDRMatch(cidrs []*registry.NetIPNet, urlHost string) bool {
 	if len(cidrs) == 0 {
 		return false
 	}
 
-	host, _, err := net.SplitHostPort(URLHost)
+	host, _, err := net.SplitHostPort(urlHost)
 	if err != nil {
-		// Assume URLHost is a host without port and go on.
+		// Assume urlHost is a host without port and go on.
-		host = URLHost
+		host = urlHost
 	}
 
 	var addresses []net.IP
@@ -396,7 +397,6 @@ func ParseRepositoryInfo(reposName reference.Named) (*RepositoryInfo, error) {
 				Secure:   true,
 				Official: true,
 			},
-			Official: !strings.ContainsRune(reference.FamiliarName(reposName), '/'),
 		}, nil
 	}
 

vendor/github.com/docker/docker/registry/errors.go

@@ -8,17 +8,13 @@ import (
 )
 
 func translateV2AuthError(err error) error {
-	switch e := err.(type) {
+	var e *url.Error
-	case *url.Error:
+	if errors.As(err, &e) {
-		switch e2 := e.Err.(type) {
+		var e2 errcode.Error
-		case errcode.Error:
+		if errors.As(e, &e2) && errors.Is(e2.Code, errcode.ErrorCodeUnauthorized) {
-			switch e2.Code {
+			return unauthorizedErr{err}
-			case errcode.ErrorCodeUnauthorized:
-				return unauthorizedErr{err}
-			}
 		}
 	}
-
 	return err
 }
 

vendor/github.com/docker/docker/registry/search_endpoint_v1.go

@@ -5,6 +5,7 @@ import (
 	"crypto/tls"
 	"encoding/json"
 	"errors"
+	"fmt"
 	"net/http"
 	"net/url"
 	"strings"
@@ -58,7 +59,12 @@ func newV1Endpoint(ctx context.Context, index *registry.IndexInfo, headers http.
 		if endpoint.IsSecure {
 			// If registry is secure and HTTPS failed, show user the error and tell them about `--insecure-registry`
 			// in case that's what they need. DO NOT accept unknown CA certificates, and DO NOT fall back to HTTP.
-			return nil, invalidParamf("invalid registry endpoint %s: %v. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry %s` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/%s/ca.crt", endpoint, err, endpoint.URL.Host, endpoint.URL.Host)
+			hint := fmt.Sprintf(
+				". If this private registry supports only HTTP or HTTPS with an unknown CA certificate, add `--insecure-registry %[1]s` to the daemon's arguments. "+
+					"In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; place the CA certificate at /etc/docker/certs.d/%[1]s/ca.crt",
+				endpoint.URL.Host,
+			)
+			return nil, invalidParamf("invalid registry endpoint %s: %v%s", endpoint, err, hint)
 		}
 
 		// registry is insecure and HTTPS failed, fallback to HTTP.
@@ -163,9 +169,9 @@ func (e *v1Endpoint) ping(ctx context.Context) (v1PingResult, error) {
 
 // httpClient returns an HTTP client structure which uses the given transport
 // and contains the necessary headers for redirected requests
-func httpClient(transport http.RoundTripper) *http.Client {
+func httpClient(tr http.RoundTripper) *http.Client {
 	return &http.Client{
-		Transport:     transport,
+		Transport:     tr,
 		CheckRedirect: addRequiredHeadersToRedirectedRequests,
 	}
 }

vendor/github.com/docker/docker/registry/search_session.go

@@ -10,6 +10,7 @@ import (
 	"net/http"
 	"net/http/cookiejar"
 	"net/url"
+	"strconv"
 	"strings"
 	"sync"
 
@@ -219,7 +220,7 @@ func (r *session) searchRepositories(ctx context.Context, term string, limit int
 	if limit < 1 || limit > 100 {
 		return nil, invalidParamf("limit %d is outside the range of [1, 100]", limit)
 	}
-	u := r.indexEndpoint.String() + "search?q=" + url.QueryEscape(term) + "&n=" + url.QueryEscape(fmt.Sprintf("%d", limit))
+	u := r.indexEndpoint.String() + "search?q=" + url.QueryEscape(term) + "&n=" + url.QueryEscape(strconv.Itoa(limit))
 	log.G(ctx).WithField("url", u).Debug("searchRepositories")
 
 	req, err := http.NewRequestWithContext(ctx, http.MethodGet, u, http.NoBody)
@@ -236,7 +237,7 @@ func (r *session) searchRepositories(ctx context.Context, term string, limit int
 	if res.StatusCode != http.StatusOK {
 		// TODO(thaJeztah): return upstream response body for errors (see https://github.com/moby/moby/issues/27286).
 		// TODO(thaJeztah): handle other status-codes to return correct error-type
-		return nil, errUnknown{fmt.Errorf("Unexpected status code %d", res.StatusCode)}
+		return nil, errUnknown{fmt.Errorf("unexpected status code %d", res.StatusCode)}
 	}
 	result := &registry.SearchResults{}
 	err = json.NewDecoder(res.Body).Decode(result)

vendor/github.com/docker/docker/registry/types.go

@@ -10,15 +10,4 @@ type RepositoryInfo struct {
 	Name reference.Named
 	// Index points to registry information
 	Index *registry.IndexInfo
-	// Official indicates whether the repository is considered official.
-	// If the registry is official, and the normalized name does not
-	// contain a '/' (e.g. "foo"), then it is considered an official repo.
-	//
-	// Deprecated: this field is no longer used and will be removed in the next release. The information captured in this field can be obtained from the [Name] field instead.
-	Official bool
-	// Class represents the class of the repository, such as "plugin"
-	// or "image".
-	//
-	// Deprecated: this field is no longer used, and will be removed in the next release.
-	Class string
 }

vendor/modules.txt

@@ -65,7 +65,7 @@ github.com/docker/distribution/registry/client/transport
 github.com/docker/distribution/registry/storage/cache
 github.com/docker/distribution/registry/storage/cache/memory
 github.com/docker/distribution/uuid
-# github.com/docker/docker v28.2.3-0.20250722205935-c55a16352354+incompatible
+# github.com/docker/docker v28.2.3-0.20250724140036-49306c607b72+incompatible
 ## explicit
 github.com/docker/docker/pkg/jsonmessage
 github.com/docker/docker/pkg/process