Bump github.com/docker/docker from 26.1.4+incompatible to 27.0.0+inco…

…mpatible (#817)

Bumps [github.com/docker/docker](https://github.com/docker/docker) from
26.1.4+incompatible to 27.0.0+incompatible.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/docker/docker/releases">github.com/docker/docker's
releases</a>.</em></p>
<blockquote>
<h2>v27.0.0-rc.1</h2>
<h2>27.0.0-rc.1</h2>
<p>For a full list of pull requests and changes in this release, refer
to the relevant GitHub milestones:</p>
<ul>
<li><a
href="https://github.com/docker/cli/issues?q=is%3Aclosed+milestone%3A27.0.0">docker/cli,
27.0.0 milestone</a></li>
<li><a
href="https://github.com/moby/moby/issues?q=is%3Aclosed+milestone%3A27.0.0">moby/moby,
27.0.0 milestone</a></li>
<li>Deprecated and removed features, see <a
href="https://github.com/docker/cli/blob/v27.0.0-rc.1/docs/deprecated.md">Deprecated
Features</a>.</li>
<li>Changes to the Engine API, see <a
href="https://github.com/moby/moby/blob/v27.0.0-rc.1/docs/api/version-history.md">API
version history</a>.</li>
</ul>
<h3>New</h3>
<ul>
<li>Add support to <code>docker stack deploy</code> for
<code>driver_opts</code> in a service's networks. <a
href="https://redirect.github.com/docker/cli/pull/5125">docker/cli#5125</a></li>
<li>containerd image store: Add <code>--platform</code> flag to
<code>docker image push</code> and improve the default behavior when not
all platforms of the multi-platform image are available locally. <a
href="https://redirect.github.com/docker/cli/pull/4984">docker/cli#4984</a>,
<a
href="https://redirect.github.com/moby/moby/pull/47679">moby/moby#47679</a></li>
</ul>
<h3>Bug fixes and enhancements</h3>
<ul>
<li>Fix a bug causing the docker CLI to leak UNIX sockets in
<code>$TMPDIR</code> in some cases. <a
href="https://redirect.github.com/docker/cli/pull/5146">docker/cli#5146</a></li>
<li>Don't ignore a custom seccomp profile when used in conjunction with
<code>--privileged</code> <a
href="https://redirect.github.com/moby/moby/pull/47500">moby/moby#47500</a></li>
<li>rootless: overlay2: support native overlay diff when using
rootless-mode in kernel 5.11 and above <a
href="https://redirect.github.com/moby/moby/pull/47605">moby/moby#47605</a></li>
<li>Fix the <code>StartInterval</code> default value of healthcheck to
reflect the documented value of 5s. <a
href="https://redirect.github.com/moby/moby/pull/47799">moby/moby#47799</a></li>
<li>Allow sysctls to be set per-interface during container creation and
network connection. <a
href="https://redirect.github.com/moby/moby/pull/47686">moby/moby#47686</a></li>
<li>A ULA base prefix is automatically added to
<code>default-address-pools</code> if this parameter wasn't manually
configured, or if it contains no IPv6 prefixes. This ULA prefix is
derived from the Engine host ID such that it's unique across hosts and
over time. <a
href="https://redirect.github.com/moby/moby/pull/47853">moby/moby#47853</a></li>
<li>Enable <code>ip6tables</code> by default, it is no longer
<code>--experimental</code>. <a
href="https://redirect.github.com/moby/moby/pull/47747">moby/moby#47747</a></li>
<li>Introduce a new subnet allocator that can deal with IPv6 address
pools of any size <a
href="https://redirect.github.com/moby/moby/pull/47768">moby/moby#47768</a></li>
<li>For IPv6-enabled bridge networks, do not attempt to replace the
bridge's kernel-assigned link local address with <code>fe80::1</code>.
<a
href="https://redirect.github.com/moby/moby/pull/47787">moby/moby#47787</a></li>
<li>Fix <code>docker save</code> and <code>docker load</code> not ending
on the daemon side when the operation was cancelled (eg. Ctrl+C) <a
href="https://redirect.github.com/moby/moby/pull/47629">moby/moby#47629</a></li>
<li>Container's <code>StartedAt</code> property is now recorded before
container startup, guaranteeing that the <code>StartedAt</code> is
always before <code>FinishedAt</code>. <a
href="https://redirect.github.com/moby/moby/pull/47003">moby/moby#47003</a></li>
<li>Run an internal resolver on the default bridge network to forward
DNS requests to external resolvers, even if they are on localhost
addresses, or IPv6 addresses when the default bridge does not have IPv6
connectivity. To preserve existing behavior, the internal resolver on
the default bridge will not resolve container names, unlike the resolver
on user-defined networks. Do not use Google's DNS servers as a fallback
when no external DNS servers are supplied in configuration via
<code>--dns</code> or available from the host's
<code>resolv.conf</code>. <a
href="https://redirect.github.com/moby/moby/pull/47602">moby/moby#47602</a></li>
<li>If firewalld is running on the host, create policy
<code>docker-forwarding</code> to allow forwarding from any zone to the
<code>docker</code> zone. This makes it possible to configure a bridge
network with a routable IPv6 address, and no masquerading. <a
href="https://redirect.github.com/moby/moby/pull/47745">moby/moby#47745</a></li>
<li>IPv6 can now be enabled by default on all custom networks using
<code>dockerd
--default-network-opt=bridge=com.docker.network.enable_ipv6=true</code>
(and the matching json option). <a
href="https://redirect.github.com/moby/moby/pull/47867">moby/moby#47867</a></li>
<li>The internal DNS resolver used by Windows containers on Windows will
now forward requests to external DNS servers by-default, this enables
<code>nslookup</code> to resolve external hostnames. This behaviour can
be disabled via <code>daemon.json</code>, using
<code>&quot;features&quot;: { &quot;windows-dns-proxy&quot;: false
}</code>, the feature flag will be removed in a future release. <a
href="https://redirect.github.com/moby/moby/pull/47826">moby/moby#47826</a></li>
<li>Document the use of <code>driver-opt</code> in the CLI for setting
per-interface sysctls. <a
href="https://redirect.github.com/docker/cli/pull/4994">docker/cli#4994</a></li>
<li>Print a warning when the CLI does not have permissions to read the
configuration file. <a
href="https://redirect.github.com/docker/cli/pull/5077">docker/cli#5077</a></li>
</ul>
<h3>API</h3>
<ul>
<li>containerd image store: <code>POST /images/{name}/push</code> now
supports a <code>platform</code> parameter (JSON encoded OCI Platform
type) that allows selecting a specific platform-manifest from the
multi-platform image. This is experimental and may change in future API
versions. <a
href="https://redirect.github.com/moby/moby/pull/47679">moby/moby#47679</a></li>
<li><code>ContainerList</code> api returns container annotations. <a
href="https://redirect.github.com/moby/moby/pull/47866">moby/moby#47866</a></li>
<li>Deprecate the daemon flag <code>--api-cors-header</code> and the
corresponding daemon.json config param. These will be removed in the
next major release. <a
href="https://redirect.github.com/moby/moby/pull/45313">moby/moby#45313</a></li>
<li>Client API callback functions
<code>client.RequestPrivilegeFunc</code>,
<code>client.ImageSearchOptions.AcceptPermissionsFunc</code> and
<code>image.ImportOptions.PrivilegeFunc</code> now require a context
parameter. <a
href="https://redirect.github.com/moby/moby/pull/47536">moby/moby#47536</a></li>
<li>Remove deprecated <code>ImageImportOptions</code>,
<code>ImageCreateOptions</code>, <code>ImagePullOptions</code>,
<code>ImagePushOptions</code>, <code>ImageListOptions</code>,
<code>ImageRemoveOptions</code> aliases for Image types. <a
href="https://redirect.github.com/moby/moby/pull/47900">moby/moby#47900</a></li>
<li>Move <code>ExecConfig</code>, <code>ContainerExecInspect</code>,
<code>ContainersPruneReport</code>, <code>ContainerPathStat</code>,
<code>CopyToContainerOptions</code>, <code>ExecStartCheck</code> and
<code>ContainerStats</code> to api/types/container;
<code>ImagesPruneReport</code>, <code>ImageImportSource</code> and
<code>ImageLoadResponse</code> to api/types/image;
<code>ExecStartOptions</code> to api/types/backend;
<code>VolumesPruneReport</code> to api/types/volume;
<code>EventsOptions</code> to api/types/events;
<code>ImageSearchOptions</code> to api/types/registry. <a
href="https://redirect.github.com/moby/moby/pull/47936">moby/moby#47936</a></li>
<li>Deprecate non-standard (config) fields in image inspect output. The
<code>Config</code> field returned by this endpoint (used for
&quot;image inspect&quot;) returned additional fields that are not part
of the image's configuration and not part of the [Docker Image Spec] and
the [OCI Image Spec]. These fields are never set (and always return the
default value for the type), but are not omitted in the response when
left empty. As these fields were not intended to be part of the image
configuration response, they are deprecated, and will be removed in the
future API versions.
The following fields are currently included in the API response, but are
not part of the underlying image's Config, and deprecated:
<ul>
<li><code>Hostname</code></li>
</ul>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/docker/docker/commits">compare view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/docker/docker&package-manager=go_modules&previous-version=26.1.4+incompatible&new-version=27.0.0+incompatible)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Hilmar Falkenberg <[email protected]>

flake.nix

@@ -35,7 +35,7 @@
             state = if (self ? rev) then "clean" else "dirty";
 
             # This vendorHash represents a dervative of all go.mod dependancies and needs to be adjusted with every change
-            vendorHash = "sha256-cxB5awTUWgKFdexwSNyjuU//f4iKgHYFC1u907AVRKY=";
+            vendorHash = "sha256-jhgO8W6iMa+0aexOgUdPffObyxlGUNg8rQ0sSCGO2ZU=";
 
             src = ./.;
 

go.mod

@@ -20,8 +20,8 @@ require (
 	github.com/containers/image/v5 v5.31.1
 	github.com/cyberphone/json-canonicalization v0.0.0-20231217050601-ba74d44ecf5f
 	github.com/distribution/reference v0.6.0
-	github.com/docker/cli v26.1.4+incompatible
-	github.com/docker/docker v26.1.4+incompatible
+	github.com/docker/cli v27.0.1+incompatible
+	github.com/docker/docker v27.0.1+incompatible
 	github.com/docker/go-connections v0.5.0
 	github.com/drone/envsubst v1.0.3
 	github.com/fluxcd/cli-utils v0.36.0-flux.7

go.sum

@@ -316,13 +316,13 @@ github.com/distribution/distribution/v3 v3.0.0-20221208165359-362910506bc2 h1:aB
 github.com/distribution/distribution/v3 v3.0.0-20221208165359-362910506bc2/go.mod h1:WHNsWjnIn2V1LYOrME7e8KxSeKunYHsxEm4am0BUtcI=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
-github.com/docker/cli v26.1.4+incompatible h1:I8PHdc0MtxEADqYJZvhBrW9bo8gawKwwenxRM7/rLu8=
-github.com/docker/cli v26.1.4+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v27.0.1+incompatible h1:d/OrlblkOTkhJ1IaAGD1bLgUBtFQC/oP0VjkFMIN+B0=
+github.com/docker/cli v27.0.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
 github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v26.1.4+incompatible h1:vuTpXDuoga+Z38m1OZHzl7NKisKWaWlhjQk7IDPSLsU=
-github.com/docker/docker v26.1.4+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v27.0.1+incompatible h1:AbszR+lCnR3f297p/g0arbQoyhAkImxQOR/XO9YZeIg=
+github.com/docker/docker v27.0.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.8.1 h1:j/eKUktUltBtMzKqmfLB0PAgqYyMHOp5vfsD1807oKo=
 github.com/docker/docker-credential-helpers v0.8.1/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M=
 github.com/docker/go v1.5.1-1.0.20160303222718-d30aec9fd63c h1:lzqkGL9b3znc+ZUgi7FlLnqjQhcXxkNM/quxIjBVMD0=

pkg/toi/drivers/docker/driver.go

@@ -207,7 +207,10 @@ func (d *Driver) initializeDockerCli() (command.Cli, error) {
 	}
 
 	if d.config[OptionQuiet] == "1" {
-		cli.Apply(command.WithCombinedStreams(io.Discard))
+		err = cli.Apply(command.WithCombinedStreams(io.Discard))
+		if err != nil {
+			return nil, err
+		}
 	}
 
 	d.dockerCli = cli
@@ -259,7 +262,7 @@ func (d *Driver) Exec(op *install.Operation) (*install.OperationResult, error) {
 	if err != nil {
 		return nil, fmt.Errorf("error staging files: %w", err)
 	}
-	options := types.CopyToContainerOptions{
+	options := container.CopyToContainerOptions{
 		AllowOverwriteDirWithFile: false,
 	}
 	// This copies the tar to the root of the container. The tar has been assembled using the