docker v19.03.9

Signed-off-by: Yoan Blanc <yoan@dosimple.ch>

vendor/github.com/docker/docker/pkg/archive/archive.go

@@ -442,7 +442,7 @@ func newTarAppender(idMapping *idtools.IdentityMapping, writer io.Writer, chownO
 }
 
 // canonicalTarName provides a platform-independent and consistent posix-style
-// path for files and directories to be archived regardless of the platform.
+//path for files and directories to be archived regardless of the platform.
 func canonicalTarName(name string, isDir bool) string {
 	name = CanonicalTarNameForPath(name)
 
@@ -495,13 +495,13 @@ func (ta *tarAppender) addTarFile(path, name string) error {
 		}
 	}
 
-	// check whether the file is overlayfs whiteout
-	// if yes, skip re-mapping container ID mappings.
+	//check whether the file is overlayfs whiteout
+	//if yes, skip re-mapping container ID mappings.
 	isOverlayWhiteout := fi.Mode()&os.ModeCharDevice != 0 && hdr.Devmajor == 0 && hdr.Devminor == 0
 
-	// handle re-mapping container ID mappings back to host ID mappings before
-	// writing tar headers/files. We skip whiteout files because they were written
-	// by the kernel and already have proper ownership relative to the host
+	//handle re-mapping container ID mappings back to host ID mappings before
+	//writing tar headers/files. We skip whiteout files because they were written
+	//by the kernel and already have proper ownership relative to the host
 	if !isOverlayWhiteout && !strings.HasPrefix(filepath.Base(hdr.Name), WhiteoutPrefix) && !ta.IdentityMapping.Empty() {
 		fileIDPair, err := getFileUIDGID(fi.Sys())
 		if err != nil {
@@ -1134,7 +1134,7 @@ func (archiver *Archiver) CopyFileWithTar(src, dst string) (err error) {
 		dst = filepath.Join(dst, filepath.Base(src))
 	}
 	// Create the holding directory if necessary
-	if err := system.MkdirAll(filepath.Dir(dst), 0700); err != nil {
+	if err := system.MkdirAll(filepath.Dir(dst), 0700, ""); err != nil {
 		return err
 	}
 
@@ -1218,9 +1218,6 @@ func cmdStream(cmd *exec.Cmd, input io.Reader) (io.ReadCloser, error) {
 		return nil, err
 	}
 
-	// Ensure the command has exited before we clean anything up
-	done := make(chan struct{})
-
 	// Copy stdout to the returned pipe
 	go func() {
 		if err := cmd.Wait(); err != nil {
@@ -1228,16 +1225,9 @@ func cmdStream(cmd *exec.Cmd, input io.Reader) (io.ReadCloser, error) {
 		} else {
 			pipeW.Close()
 		}
-		close(done)
 	}()
 
-	return ioutils.NewReadCloserWrapper(pipeR, func() error {
-		// Close pipeR, and then wait for the command to complete before returning. We have to close pipeR first, as
-		// cmd.Wait waits for any non-file stdout/stderr/stdin to close.
-		err := pipeR.Close()
-		<-done
-		return err
-	}), nil
+	return pipeR, nil
 }
 
 // NewTempArchive reads the content of src into a temporary file, and returns the contents

vendor/github.com/docker/docker/pkg/archive/archive_linux.go

@@ -10,7 +10,6 @@ import (
 	"syscall"
 
 	"github.com/containerd/continuity/fs"
-	"github.com/docker/docker/pkg/mount"
 	"github.com/docker/docker/pkg/system"
 	"github.com/pkg/errors"
 	"golang.org/x/sys/unix"
@@ -152,9 +151,12 @@ func mknodChar0Overlay(cleansedOriginalPath string) error {
 	if err := ioutil.WriteFile(lowerDummy, []byte{}, 0600); err != nil {
 		return errors.Wrapf(err, "failed to create a dummy lower file %s", lowerDummy)
 	}
-	mOpts := fmt.Sprintf("lowerdir=%s,upperdir=%s,workdir=%s", lower, upper, work)
-	if err := mount.Mount("overlay", merged, "overlay", mOpts); err != nil {
-		return err
+	// lowerdir needs ":" to be escaped: https://github.com/moby/moby/issues/40939#issuecomment-627098286
+	lowerEscaped := strings.ReplaceAll(lower, ":", "\\:")
+	mOpts := fmt.Sprintf("lowerdir=%s,upperdir=%s,workdir=%s", lowerEscaped, upper, work)
+	// docker/pkg/mount.Mount() requires procfs to be mounted. So we use syscall.Mount() directly instead.
+	if err := syscall.Mount("overlay", merged, "overlay", uintptr(0), mOpts); err != nil {
+		return errors.Wrapf(err, "failed to mount overlay (%s) on %s", mOpts, merged)
 	}
 	mergedDummy := filepath.Join(merged, dummyBase)
 	if err := os.Remove(mergedDummy); err != nil {
@@ -236,9 +238,12 @@ func createDirWithOverlayOpaque(tmp string) (string, error) {
 	if err := os.MkdirAll(lowerDummy, 0700); err != nil {
 		return "", errors.Wrapf(err, "failed to create a dummy lower directory %s", lowerDummy)
 	}
-	mOpts := fmt.Sprintf("lowerdir=%s,upperdir=%s,workdir=%s", lower, upper, work)
-	if err := mount.Mount("overlay", merged, "overlay", mOpts); err != nil {
-		return "", err
+	// lowerdir needs ":" to be escaped: https://github.com/moby/moby/issues/40939#issuecomment-627098286
+	lowerEscaped := strings.ReplaceAll(lower, ":", "\\:")
+	mOpts := fmt.Sprintf("lowerdir=%s,upperdir=%s,workdir=%s", lowerEscaped, upper, work)
+	// docker/pkg/mount.Mount() requires procfs to be mounted. So we use syscall.Mount() directly instead.
+	if err := syscall.Mount("overlay", merged, "overlay", uintptr(0), mOpts); err != nil {
+		return "", errors.Wrapf(err, "failed to mount overlay (%s) on %s", mOpts, merged)
 	}
 	mergedDummy := filepath.Join(merged, dummyBase)
 	if err := os.Remove(mergedDummy); err != nil {

vendor/github.com/docker/docker/pkg/archive/archive_windows.go

@@ -31,7 +31,7 @@ func CanonicalTarNameForPath(p string) string {
 // chmodTarEntry is used to adjust the file permissions used in tar header based
 // on the platform the archival is done.
 func chmodTarEntry(perm os.FileMode) os.FileMode {
-	// perm &= 0755 // this 0-ed out tar flags (like link, regular file, directory marker etc.)
+	//perm &= 0755 // this 0-ed out tar flags (like link, regular file, directory marker etc.)
 	permPart := perm & os.ModePerm
 	noPermPart := perm &^ os.ModePerm
 	// Add the x bit: make everything +x from windows

vendor/github.com/docker/docker/pkg/archive/diff.go

@@ -84,7 +84,7 @@ func UnpackLayer(dest string, layer io.Reader, options *TarOptions) (size int64,
 			parentPath := filepath.Join(dest, parent)
 
 			if _, err := os.Lstat(parentPath); err != nil && os.IsNotExist(err) {
-				err = system.MkdirAll(parentPath, 0600)
+				err = system.MkdirAll(parentPath, 0600, "")
 				if err != nil {
 					return 0, err
 				}
@@ -196,7 +196,7 @@ func UnpackLayer(dest string, layer io.Reader, options *TarOptions) (size int64,
 				return 0, err
 			}
 
-			if err := createTarFile(path, dest, srcHdr, srcData, !options.NoLchown, nil, options.InUserNS); err != nil {
+			if err := createTarFile(path, dest, srcHdr, srcData, true, nil, options.InUserNS); err != nil {
 				return 0, err
 			}
 

vendor/github.com/docker/docker/pkg/idtools/idtools_unix.go

@@ -59,7 +59,7 @@ func mkdirAs(path string, mode os.FileMode, owner Identity, mkAll, chownExisting
 				paths = append(paths, dirPath)
 			}
 		}
-		if err := system.MkdirAll(path, mode); err != nil {
+		if err := system.MkdirAll(path, mode, ""); err != nil {
 			return err
 		}
 	} else {

vendor/github.com/docker/docker/pkg/idtools/idtools_windows.go

@@ -11,7 +11,7 @@ import (
 // Ownership is handled elsewhere, but in the future could be support here
 // too.
 func mkdirAs(path string, mode os.FileMode, owner Identity, mkAll, chownExisting bool) error {
-	if err := system.MkdirAll(path, mode); err != nil {
+	if err := system.MkdirAll(path, mode, ""); err != nil {
 		return err
 	}
 	return nil

vendor/github.com/docker/docker/pkg/idtools/utils_unix.go

@@ -18,8 +18,8 @@ func resolveBinary(binname string) (string, error) {
 	if err != nil {
 		return "", err
 	}
-	// only return no error if the final resolved binary basename
-	// matches what was searched for
+	//only return no error if the final resolved binary basename
+	//matches what was searched for
 	if filepath.Base(resolvedPath) == binname {
 		return resolvedPath, nil
 	}

vendor/github.com/docker/docker/pkg/system/chtimes_unix.go

@@ -6,9 +6,9 @@ import (
 	"time"
 )
 
-// setCTime will set the create time on a file. On Unix, the create
-// time is updated as a side effect of setting the modified time, so
-// no action is required.
+//setCTime will set the create time on a file. On Unix, the create
+//time is updated as a side effect of setting the modified time, so
+//no action is required.
 func setCTime(path string, ctime time.Time) error {
 	return nil
 }

vendor/github.com/docker/docker/pkg/system/chtimes_windows.go

@@ -6,8 +6,8 @@ import (
 	"golang.org/x/sys/windows"
 )
 
-// setCTime will set the create time on a file. On Windows, this requires
-// calling SetFileTime and explicitly including the create time.
+//setCTime will set the create time on a file. On Windows, this requires
+//calling SetFileTime and explicitly including the create time.
 func setCTime(path string, ctime time.Time) error {
 	ctimespec := windows.NsecToTimespec(ctime.UnixNano())
 	pathp, e := windows.UTF16PtrFromString(path)

vendor/github.com/docker/docker/pkg/system/filesys.go

@@ -8,14 +8,14 @@ import (
 	"path/filepath"
 )
 
-// MkdirAllWithACL is a wrapper for os.MkdirAll on unix systems.
+// MkdirAllWithACL is a wrapper for MkdirAll on unix systems.
 func MkdirAllWithACL(path string, perm os.FileMode, sddl string) error {
-	return os.MkdirAll(path, perm)
+	return MkdirAll(path, perm, sddl)
 }
 
 // MkdirAll creates a directory named path along with any necessary parents,
 // with permission specified by attribute perm for all dir created.
-func MkdirAll(path string, perm os.FileMode) error {
+func MkdirAll(path string, perm os.FileMode, sddl string) error {
 	return os.MkdirAll(path, perm)
 }
 

vendor/github.com/docker/docker/pkg/system/filesys_windows.go

@@ -11,6 +11,7 @@ import (
 	"time"
 	"unsafe"
 
+	winio "github.com/Microsoft/go-winio"
 	"golang.org/x/sys/windows"
 )
 
@@ -25,10 +26,9 @@ func MkdirAllWithACL(path string, perm os.FileMode, sddl string) error {
 	return mkdirall(path, true, sddl)
 }
 
-// MkdirAll implementation that is volume path aware for Windows. It can be used
-// as a drop-in replacement for os.MkdirAll()
-func MkdirAll(path string, _ os.FileMode) error {
-	return mkdirall(path, false, "")
+// MkdirAll implementation that is volume path aware for Windows.
+func MkdirAll(path string, _ os.FileMode, sddl string) error {
+	return mkdirall(path, false, sddl)
 }
 
 // mkdirall is a custom version of os.MkdirAll modified for use on Windows
@@ -102,13 +102,13 @@ func mkdirall(path string, applyACL bool, sddl string) error {
 // and Local System.
 func mkdirWithACL(name string, sddl string) error {
 	sa := windows.SecurityAttributes{Length: 0}
-	sd, err := windows.SecurityDescriptorFromString(sddl)
+	sd, err := winio.SddlToSecurityDescriptor(sddl)
 	if err != nil {
 		return &os.PathError{Op: "mkdir", Path: name, Err: err}
 	}
 	sa.Length = uint32(unsafe.Sizeof(sa))
 	sa.InheritHandle = 1
-	sa.SecurityDescriptor = sd
+	sa.SecurityDescriptor = uintptr(unsafe.Pointer(&sd[0]))
 
 	namep, err := windows.UTF16PtrFromString(name)
 	if err != nil {
@@ -130,10 +130,12 @@ func mkdirWithACL(name string, sddl string) error {
 // by the daemon. This SHOULD be treated as absolute from a docker processing
 // perspective.
 func IsAbs(path string) bool {
-	if filepath.IsAbs(path) || strings.HasPrefix(path, string(os.PathSeparator)) {
-		return true
+	if !filepath.IsAbs(path) {
+		if !strings.HasPrefix(path, string(os.PathSeparator)) {
+			return false
+		}
 	}
-	return false
+	return true
 }
 
 // The origin of the functions below here are the golang OS and windows packages,
@@ -233,7 +235,7 @@ func windowsOpenSequential(path string, mode int, _ uint32) (fd windows.Handle,
 		createmode = windows.OPEN_EXISTING
 	}
 	// Use FILE_FLAG_SEQUENTIAL_SCAN rather than FILE_ATTRIBUTE_NORMAL as implemented in golang.
-	// https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858(v=vs.85).aspx
+	//https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858(v=vs.85).aspx
 	const fileFlagSequentialScan = 0x08000000 // FILE_FLAG_SEQUENTIAL_SCAN
 	h, e := windows.CreateFile(pathp, access, sharemode, sa, createmode, fileFlagSequentialScan, 0)
 	return h, e

vendor/github.com/docker/docker/pkg/system/init_windows.go

@@ -18,7 +18,8 @@ var (
 
 // InitLCOW sets whether LCOW is supported or not. Requires RS5+
 func InitLCOW(experimental bool) {
-	if experimental && osversion.Build() >= osversion.RS5 {
+	v := GetOSVersion()
+	if experimental && v.Build >= osversion.RS5 {
 		lcowSupported = true
 	}
 }

vendor/github.com/docker/docker/pkg/system/meminfo_linux.go

@@ -7,7 +7,7 @@ import (
 	"strconv"
 	"strings"
 
-	units "github.com/docker/go-units"
+	"github.com/docker/go-units"
 )
 
 // ReadMemInfo retrieves memory statistics of the host system and returns a
@@ -27,7 +27,6 @@ func ReadMemInfo() (*MemInfo, error) {
 func parseMemInfo(reader io.Reader) (*MemInfo, error) {
 	meminfo := &MemInfo{}
 	scanner := bufio.NewScanner(reader)
-	memAvailable := int64(-1)
 	for scanner.Scan() {
 		// Expected format: ["MemTotal:", "1234", "kB"]
 		parts := strings.Fields(scanner.Text())
@@ -49,8 +48,6 @@ func parseMemInfo(reader io.Reader) (*MemInfo, error) {
 			meminfo.MemTotal = bytes
 		case "MemFree:":
 			meminfo.MemFree = bytes
-		case "MemAvailable:":
-			memAvailable = bytes
 		case "SwapTotal:":
 			meminfo.SwapTotal = bytes
 		case "SwapFree:":
@@ -58,9 +55,6 @@ func parseMemInfo(reader io.Reader) (*MemInfo, error) {
 		}
 
 	}
-	if memAvailable != -1 {
-		meminfo.MemFree = memAvailable
-	}
 
 	// Handle errors that may have occurred during the reading of the file.
 	if err := scanner.Err(); err != nil {

vendor/github.com/docker/docker/pkg/system/path.go

@@ -5,6 +5,8 @@ import (
 	"path/filepath"
 	"runtime"
 	"strings"
+
+	"github.com/containerd/continuity/pathdriver"
 )
 
 const defaultUnixPathEnv = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
@@ -25,12 +27,6 @@ func DefaultPathEnv(os string) string {
 
 }
 
-// PathVerifier defines the subset of a PathDriver that CheckSystemDriveAndRemoveDriveLetter
-// actually uses in order to avoid system depending on containerd/continuity.
-type PathVerifier interface {
-	IsAbs(string) bool
-}
-
 // CheckSystemDriveAndRemoveDriveLetter verifies that a path, if it includes a drive letter,
 // is the system drive.
 // On Linux: this is a no-op.
@@ -46,7 +42,7 @@ type PathVerifier interface {
 // a			--> a
 // /a			--> \a
 // d:\			--> Fail
-func CheckSystemDriveAndRemoveDriveLetter(path string, driver PathVerifier) (string, error) {
+func CheckSystemDriveAndRemoveDriveLetter(path string, driver pathdriver.PathDriver) (string, error) {
 	if runtime.GOOS != "windows" || LCOWSupported() {
 		return path, nil
 	}

vendor/github.com/docker/docker/pkg/system/path_windows.go

@@ -1,27 +1,24 @@
 package system // import "github.com/docker/docker/pkg/system"
 
-import "golang.org/x/sys/windows"
+import "syscall"
 
 // GetLongPathName converts Windows short pathnames to full pathnames.
 // For example C:\Users\ADMIN~1 --> C:\Users\Administrator.
 // It is a no-op on non-Windows platforms
 func GetLongPathName(path string) (string, error) {
 	// See https://groups.google.com/forum/#!topic/golang-dev/1tufzkruoTg
-	p, err := windows.UTF16FromString(path)
-	if err != nil {
-		return "", err
-	}
+	p := syscall.StringToUTF16(path)
 	b := p // GetLongPathName says we can reuse buffer
-	n, err := windows.GetLongPathName(&p[0], &b[0], uint32(len(b)))
+	n, err := syscall.GetLongPathName(&p[0], &b[0], uint32(len(b)))
 	if err != nil {
 		return "", err
 	}
 	if n > uint32(len(b)) {
 		b = make([]uint16, n)
-		_, err = windows.GetLongPathName(&p[0], &b[0], uint32(len(b)))
+		_, err = syscall.GetLongPathName(&p[0], &b[0], uint32(len(b)))
 		if err != nil {
 			return "", err
 		}
 	}
-	return windows.UTF16ToString(b), nil
+	return syscall.UTF16ToString(b), nil
 }

vendor/github.com/docker/docker/pkg/system/process_windows.go

@@ -13,6 +13,6 @@ func IsProcessAlive(pid int) bool {
 func KillProcess(pid int) {
 	p, err := os.FindProcess(pid)
 	if err == nil {
-		_ = p.Kill()
+		p.Kill()
 	}
 }

vendor/github.com/docker/docker/pkg/system/rm.go

@@ -63,8 +63,12 @@ func EnsureRemoveAll(dir string) error {
 			return err
 		}
 
-		if e := mount.Unmount(pe.Path); e != nil {
-			return errors.Wrapf(e, "error while removing %s", dir)
+		if mounted, _ := mount.Mounted(pe.Path); mounted {
+			if e := mount.Unmount(pe.Path); e != nil {
+				if mounted, _ := mount.Mounted(pe.Path); mounted {
+					return errors.Wrapf(e, "error while removing %s", dir)
+				}
+			}
 		}
 
 		if exitOnErr[pe.Path] == maxRetry {

vendor/github.com/docker/docker/pkg/system/stat_solaris.go

@@ -0,0 +1,13 @@
+package system // import "github.com/docker/docker/pkg/system"
+
+import "syscall"
+
+// fromStatT converts a syscall.Stat_t type to a system.Stat_t type
+func fromStatT(s *syscall.Stat_t) (*StatT, error) {
+	return &StatT{size: s.Size,
+		mode: uint32(s.Mode),
+		uid:  s.Uid,
+		gid:  s.Gid,
+		rdev: uint64(s.Rdev),
+		mtim: s.Mtim}, nil
+}

vendor/github.com/docker/docker/pkg/system/syscall_unix.go

@@ -9,3 +9,9 @@ import "golang.org/x/sys/unix"
 func Unmount(dest string) error {
 	return unix.Unmount(dest, 0)
 }
+
+// CommandLineToArgv should not be used on Unix.
+// It simply returns commandLine in the only element in the returned array.
+func CommandLineToArgv(commandLine string) ([]string, error) {
+	return []string{commandLine}, nil
+}

vendor/github.com/docker/docker/pkg/system/syscall_windows.go

@@ -1,45 +1,45 @@
 package system // import "github.com/docker/docker/pkg/system"
 
 import (
+	"fmt"
 	"syscall"
 	"unsafe"
 
-	"github.com/Microsoft/hcsshim/osversion"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/sys/windows"
 )
 
 const (
-	OWNER_SECURITY_INFORMATION               = windows.OWNER_SECURITY_INFORMATION     // Deprecated: use golang.org/x/sys/windows.OWNER_SECURITY_INFORMATION
-	GROUP_SECURITY_INFORMATION               = windows.GROUP_SECURITY_INFORMATION     // Deprecated: use golang.org/x/sys/windows.GROUP_SECURITY_INFORMATION
-	DACL_SECURITY_INFORMATION                = windows.DACL_SECURITY_INFORMATION      // Deprecated: use golang.org/x/sys/windows.DACL_SECURITY_INFORMATION
-	SACL_SECURITY_INFORMATION                = windows.SACL_SECURITY_INFORMATION      // Deprecated: use golang.org/x/sys/windows.SACL_SECURITY_INFORMATION
-	LABEL_SECURITY_INFORMATION               = windows.LABEL_SECURITY_INFORMATION     // Deprecated: use golang.org/x/sys/windows.LABEL_SECURITY_INFORMATION
-	ATTRIBUTE_SECURITY_INFORMATION           = windows.ATTRIBUTE_SECURITY_INFORMATION // Deprecated: use golang.org/x/sys/windows.ATTRIBUTE_SECURITY_INFORMATION
-	SCOPE_SECURITY_INFORMATION               = windows.SCOPE_SECURITY_INFORMATION     // Deprecated: use golang.org/x/sys/windows.SCOPE_SECURITY_INFORMATION
+	OWNER_SECURITY_INFORMATION               = 0x00000001
+	GROUP_SECURITY_INFORMATION               = 0x00000002
+	DACL_SECURITY_INFORMATION                = 0x00000004
+	SACL_SECURITY_INFORMATION                = 0x00000008
+	LABEL_SECURITY_INFORMATION               = 0x00000010
+	ATTRIBUTE_SECURITY_INFORMATION           = 0x00000020
+	SCOPE_SECURITY_INFORMATION               = 0x00000040
 	PROCESS_TRUST_LABEL_SECURITY_INFORMATION = 0x00000080
 	ACCESS_FILTER_SECURITY_INFORMATION       = 0x00000100
-	BACKUP_SECURITY_INFORMATION              = windows.BACKUP_SECURITY_INFORMATION           // Deprecated: use golang.org/x/sys/windows.BACKUP_SECURITY_INFORMATION
-	PROTECTED_DACL_SECURITY_INFORMATION      = windows.PROTECTED_DACL_SECURITY_INFORMATION   // Deprecated: use golang.org/x/sys/windows.PROTECTED_DACL_SECURITY_INFORMATION
-	PROTECTED_SACL_SECURITY_INFORMATION      = windows.PROTECTED_SACL_SECURITY_INFORMATION   // Deprecated: use golang.org/x/sys/windows.PROTECTED_SACL_SECURITY_INFORMATION
-	UNPROTECTED_DACL_SECURITY_INFORMATION    = windows.UNPROTECTED_DACL_SECURITY_INFORMATION // Deprecated: use golang.org/x/sys/windows.UNPROTECTED_DACL_SECURITY_INFORMATION
-	UNPROTECTED_SACL_SECURITY_INFORMATION    = windows.UNPROTECTED_SACL_SECURITY_INFORMATION // Deprecated: use golang.org/x/sys/windows.UNPROTECTED_SACL_SECURITY_INFORMATION
+	BACKUP_SECURITY_INFORMATION              = 0x00010000
+	PROTECTED_DACL_SECURITY_INFORMATION      = 0x80000000
+	PROTECTED_SACL_SECURITY_INFORMATION      = 0x40000000
+	UNPROTECTED_DACL_SECURITY_INFORMATION    = 0x20000000
+	UNPROTECTED_SACL_SECURITY_INFORMATION    = 0x10000000
 )
 
 const (
-	SE_UNKNOWN_OBJECT_TYPE     = windows.SE_UNKNOWN_OBJECT_TYPE     // Deprecated: use golang.org/x/sys/windows.SE_UNKNOWN_OBJECT_TYPE
-	SE_FILE_OBJECT             = windows.SE_FILE_OBJECT             // Deprecated: use golang.org/x/sys/windows.SE_FILE_OBJECT
-	SE_SERVICE                 = windows.SE_SERVICE                 // Deprecated: use golang.org/x/sys/windows.SE_SERVICE
-	SE_PRINTER                 = windows.SE_PRINTER                 // Deprecated: use golang.org/x/sys/windows.SE_PRINTER
-	SE_REGISTRY_KEY            = windows.SE_REGISTRY_KEY            // Deprecated: use golang.org/x/sys/windows.SE_REGISTRY_KEY
-	SE_LMSHARE                 = windows.SE_LMSHARE                 // Deprecated: use golang.org/x/sys/windows.SE_LMSHARE
-	SE_KERNEL_OBJECT           = windows.SE_KERNEL_OBJECT           // Deprecated: use golang.org/x/sys/windows.SE_KERNEL_OBJECT
-	SE_WINDOW_OBJECT           = windows.SE_WINDOW_OBJECT           // Deprecated: use golang.org/x/sys/windows.SE_WINDOW_OBJECT
-	SE_DS_OBJECT               = windows.SE_DS_OBJECT               // Deprecated: use golang.org/x/sys/windows.SE_DS_OBJECT
-	SE_DS_OBJECT_ALL           = windows.SE_DS_OBJECT_ALL           // Deprecated: use golang.org/x/sys/windows.SE_DS_OBJECT_ALL
-	SE_PROVIDER_DEFINED_OBJECT = windows.SE_PROVIDER_DEFINED_OBJECT // Deprecated: use golang.org/x/sys/windows.SE_PROVIDER_DEFINED_OBJECT
-	SE_WMIGUID_OBJECT          = windows.SE_WMIGUID_OBJECT          // Deprecated: use golang.org/x/sys/windows.SE_WMIGUID_OBJECT
-	SE_REGISTRY_WOW64_32KEY    = windows.SE_REGISTRY_WOW64_32KEY    // Deprecated: use golang.org/x/sys/windows.SE_REGISTRY_WOW64_32KEY
+	SE_UNKNOWN_OBJECT_TYPE = iota
+	SE_FILE_OBJECT
+	SE_SERVICE
+	SE_PRINTER
+	SE_REGISTRY_KEY
+	SE_LMSHARE
+	SE_KERNEL_OBJECT
+	SE_WINDOW_OBJECT
+	SE_DS_OBJECT
+	SE_DS_OBJECT_ALL
+	SE_PROVIDER_DEFINED_OBJECT
+	SE_WMIGUID_OBJECT
+	SE_REGISTRY_WOW64_32KEY
 )
 
 const (
@@ -55,16 +55,21 @@ var (
 	ntuserApiset                  = windows.NewLazyDLL("ext-ms-win-ntuser-window-l1-1-0")
 	modadvapi32                   = windows.NewLazySystemDLL("advapi32.dll")
 	procGetVersionExW             = modkernel32.NewProc("GetVersionExW")
+	procGetProductInfo            = modkernel32.NewProc("GetProductInfo")
 	procSetNamedSecurityInfo      = modadvapi32.NewProc("SetNamedSecurityInfoW")
 	procGetSecurityDescriptorDacl = modadvapi32.NewProc("GetSecurityDescriptorDacl")
 )
 
 // OSVersion is a wrapper for Windows version information
 // https://msdn.microsoft.com/en-us/library/windows/desktop/ms724439(v=vs.85).aspx
-type OSVersion = osversion.OSVersion
+type OSVersion struct {
+	Version      uint32
+	MajorVersion uint8
+	MinorVersion uint8
+	Build        uint16
+}
 
 // https://msdn.microsoft.com/en-us/library/windows/desktop/ms724833(v=vs.85).aspx
-// TODO: use golang.org/x/sys/windows.OsVersionInfoEx (needs OSVersionInfoSize to be exported)
 type osVersionInfoEx struct {
 	OSVersionInfoSize uint32
 	MajorVersion      uint32
@@ -80,13 +85,28 @@ type osVersionInfoEx struct {
 }
 
 // GetOSVersion gets the operating system version on Windows. Note that
-// dockerd.exe must be manifested to get the correct version information.
-// Deprecated: use github.com/Microsoft/hcsshim/osversion.Get() instead
+// docker.exe must be manifested to get the correct version information.
 func GetOSVersion() OSVersion {
-	return osversion.Get()
+	var err error
+	osv := OSVersion{}
+	osv.Version, err = windows.GetVersion()
+	if err != nil {
+		// GetVersion never fails.
+		panic(err)
+	}
+	osv.MajorVersion = uint8(osv.Version & 0xFF)
+	osv.MinorVersion = uint8(osv.Version >> 8 & 0xFF)
+	osv.Build = uint16(osv.Version >> 16)
+	return osv
+}
+
+func (osv OSVersion) ToString() string {
+	return fmt.Sprintf("%d.%d.%d", osv.MajorVersion, osv.MinorVersion, osv.Build)
 }
 
 // IsWindowsClient returns true if the SKU is client
+// @engine maintainers - this function should not be removed or modified as it
+// is used to enforce licensing restrictions on Windows.
 func IsWindowsClient() bool {
 	osviex := &osVersionInfoEx{OSVersionInfoSize: 284}
 	r1, _, err := procGetVersionExW.Call(uintptr(unsafe.Pointer(osviex)))
@@ -98,12 +118,51 @@ func IsWindowsClient() bool {
 	return osviex.ProductType == verNTWorkstation
 }
 
+// IsIoTCore returns true if the currently running image is based off of
+// Windows 10 IoT Core.
+// @engine maintainers - this function should not be removed or modified as it
+// is used to enforce licensing restrictions on Windows.
+func IsIoTCore() bool {
+	var returnedProductType uint32
+	r1, _, err := procGetProductInfo.Call(6, 1, 0, 0, uintptr(unsafe.Pointer(&returnedProductType)))
+	if r1 == 0 {
+		logrus.Warnf("GetProductInfo failed - assuming this is not IoT: %v", err)
+		return false
+	}
+	const productIoTUAP = 0x0000007B
+	const productIoTUAPCommercial = 0x00000083
+	return returnedProductType == productIoTUAP || returnedProductType == productIoTUAPCommercial
+}
+
 // Unmount is a platform-specific helper function to call
 // the unmount syscall. Not supported on Windows
-func Unmount(_ string) error {
+func Unmount(dest string) error {
 	return nil
 }
 
+// CommandLineToArgv wraps the Windows syscall to turn a commandline into an argument array.
+func CommandLineToArgv(commandLine string) ([]string, error) {
+	var argc int32
+
+	argsPtr, err := windows.UTF16PtrFromString(commandLine)
+	if err != nil {
+		return nil, err
+	}
+
+	argv, err := windows.CommandLineToArgv(argsPtr, &argc)
+	if err != nil {
+		return nil, err
+	}
+	defer windows.LocalFree(windows.Handle(uintptr(unsafe.Pointer(argv))))
+
+	newArgs := make([]string, argc)
+	for i, v := range (*argv)[:argc] {
+		newArgs[i] = string(windows.UTF16ToString((*v)[:]))
+	}
+
+	return newArgs, nil
+}
+
 // HasWin32KSupport determines whether containers that depend on win32k can
 // run on this machine. Win32k is the driver used to implement windowing.
 func HasWin32KSupport() bool {
@@ -125,7 +184,7 @@ func GetSecurityDescriptorDacl(securityDescriptor *byte, daclPresent *uint32, da
 	r1, _, e1 := syscall.Syscall6(procGetSecurityDescriptorDacl.Addr(), 4, uintptr(unsafe.Pointer(securityDescriptor)), uintptr(unsafe.Pointer(daclPresent)), uintptr(unsafe.Pointer(dacl)), uintptr(unsafe.Pointer(daclDefaulted)), 0, 0)
 	if r1 == 0 {
 		if e1 != 0 {
-			result = e1
+			result = syscall.Errno(e1)
 		} else {
 			result = syscall.EINVAL
 		}

vendor/github.com/docker/docker/pkg/system/utimes_freebsd.go

@@ -1,9 +1,8 @@
-// +build linux freebsd
-
 package system // import "github.com/docker/docker/pkg/system"
 
 import (
 	"syscall"
+	"unsafe"
 
 	"golang.org/x/sys/unix"
 )
@@ -11,12 +10,13 @@ import (
 // LUtimesNano is used to change access and modification time of the specified path.
 // It's used for symbol link file because unix.UtimesNano doesn't support a NOFOLLOW flag atm.
 func LUtimesNano(path string, ts []syscall.Timespec) error {
-	uts := []unix.Timespec{
-		unix.NsecToTimespec(syscall.TimespecToNsec(ts[0])),
-		unix.NsecToTimespec(syscall.TimespecToNsec(ts[1])),
+	var _path *byte
+	_path, err := unix.BytePtrFromString(path)
+	if err != nil {
+		return err
 	}
-	err := unix.UtimesNanoAt(unix.AT_FDCWD, path, uts, unix.AT_SYMLINK_NOFOLLOW)
-	if err != nil && err != unix.ENOSYS {
+
+	if _, _, err := unix.Syscall(unix.SYS_LUTIMES, uintptr(unsafe.Pointer(_path)), uintptr(unsafe.Pointer(&ts[0])), 0); err != 0 && err != unix.ENOSYS {
 		return err
 	}
 

vendor/github.com/docker/docker/pkg/system/utimes_linux.go

@@ -0,0 +1,25 @@
+package system // import "github.com/docker/docker/pkg/system"
+
+import (
+	"syscall"
+	"unsafe"
+
+	"golang.org/x/sys/unix"
+)
+
+// LUtimesNano is used to change access and modification time of the specified path.
+// It's used for symbol link file because unix.UtimesNano doesn't support a NOFOLLOW flag atm.
+func LUtimesNano(path string, ts []syscall.Timespec) error {
+	atFdCwd := unix.AT_FDCWD
+
+	var _path *byte
+	_path, err := unix.BytePtrFromString(path)
+	if err != nil {
+		return err
+	}
+	if _, _, err := unix.Syscall6(unix.SYS_UTIMENSAT, uintptr(atFdCwd), uintptr(unsafe.Pointer(_path)), uintptr(unsafe.Pointer(&ts[0])), unix.AT_SYMLINK_NOFOLLOW, 0, 0); err != 0 && err != unix.ENOSYS {
+		return err
+	}
+
+	return nil
+}

vendor/github.com/docker/docker/pkg/system/xattrs_linux.go

@@ -10,23 +10,24 @@ func Lgetxattr(path string, attr string) ([]byte, error) {
 	dest := make([]byte, 128)
 	sz, errno := unix.Lgetxattr(path, attr, dest)
 
-	for errno == unix.ERANGE {
-		// Buffer too small, use zero-sized buffer to get the actual size
+	switch {
+	case errno == unix.ENODATA:
+		return nil, nil
+	case errno == unix.ERANGE:
+		// 128 byte array might just not be good enough. A dummy buffer is used
+		// to get the real size of the xattrs on disk
 		sz, errno = unix.Lgetxattr(path, attr, []byte{})
 		if errno != nil {
 			return nil, errno
 		}
 		dest = make([]byte, sz)
 		sz, errno = unix.Lgetxattr(path, attr, dest)
-	}
-
-	switch {
-	case errno == unix.ENODATA:
-		return nil, nil
+		if errno != nil {
+			return nil, errno
+		}
 	case errno != nil:
 		return nil, errno
 	}
-
 	return dest[:sz], nil
 }
 

vendor/github.com/docker/docker/volume/mounts/mounts.go

@@ -113,7 +113,7 @@ func (m *MountPoint) Setup(mountLabel string, rootIDs idtools.Identity, checkFun
 			return
 		}
 		err = label.Relabel(sourcePath, mountLabel, label.IsShared(m.Mode))
-		if err == syscall.ENOTSUP {
+		if errors.Is(err, syscall.ENOTSUP) {
 			err = nil
 		}
 		if err != nil {