Update to use github.com/moby/go-archive

Update use of idtools to moby/user for archive and other deprecated uses

Signed-off-by: Derek McGowan <derek@mcg.dev>

api/server/router/container/backend.go

@@ -8,7 +8,7 @@ import (
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/filters"
 	containerpkg "github.com/docker/docker/container"
-	"github.com/docker/docker/pkg/archive"
+	"github.com/moby/go-archive"
 )
 
 // execBackend includes functions to implement to provide exec functionality.

builder/builder-next/adapters/snapshot/snapshot.go

@@ -18,6 +18,7 @@ import (
 	"github.com/moby/buildkit/snapshot"
 	"github.com/moby/buildkit/util/leaseutil"
 	"github.com/moby/locker"
+	"github.com/moby/sys/user"
 	"github.com/opencontainers/go-digest"
 	"github.com/pkg/errors"
 	bolt "go.etcd.io/bbolt"
@@ -36,7 +37,7 @@ type Opt struct {
 	GraphDriver     graphdriver.Driver
 	LayerStore      layer.Store
 	Root            string
-	IdentityMapping idtools.IdentityMapping
+	IdentityMapping user.IdentityMapping
 }
 
 type graphIDRegistrar interface {
@@ -112,7 +113,9 @@ func (s *snapshotter) IdentityMapping() *idtools.IdentityMapping {
 	if s.opt.IdentityMapping.Empty() {
 		return nil
 	}
-	return &s.opt.IdentityMapping
+	// TODO: Update this once BuildKit switches from idtools
+	idMap := idtools.FromUserIdentityMapping(s.opt.IdentityMapping)
+	return &idMap
 }
 
 func (s *snapshotter) Prepare(ctx context.Context, key, parent string, opts ...snapshots.Opt) error {
@@ -494,7 +497,7 @@ type mountable struct {
 	acquire  func() ([]mount.Mount, func() error, error)
 	release  func() error
 	refCount int
-	idmap    idtools.IdentityMapping
+	idmap    user.IdentityMapping
 }
 
 func (m *mountable) Mount() ([]mount.Mount, func() error, error) {
@@ -544,5 +547,7 @@ func (m *mountable) IdentityMapping() *idtools.IdentityMapping {
 	if m.idmap.Empty() {
 		return nil
 	}
-	return &m.idmap
+	// TODO: Update this once BuildKit switches from idtools
+	idtoolsMap := idtools.FromUserIdentityMapping(m.idmap)
+	return &idtoolsMap
 }

builder/builder-next/builder.go

@@ -26,7 +26,6 @@ import (
 	"github.com/docker/docker/errdefs"
 	"github.com/docker/docker/libnetwork"
 	"github.com/docker/docker/opts"
-	"github.com/docker/docker/pkg/idtools"
 	"github.com/docker/docker/pkg/streamformatter"
 	controlapi "github.com/moby/buildkit/api/services/control"
 	"github.com/moby/buildkit/client"
@@ -35,6 +34,7 @@ import (
 	"github.com/moby/buildkit/session"
 	"github.com/moby/buildkit/util/entitlements"
 	"github.com/moby/buildkit/util/tracing"
+	"github.com/moby/sys/user"
 	"github.com/pkg/errors"
 	"golang.org/x/sync/errgroup"
 	"google.golang.org/grpc"
@@ -89,7 +89,7 @@ type Opt struct {
 	RegistryHosts       docker.RegistryHosts
 	BuilderConfig       config.BuilderConfig
 	Rootless            bool
-	IdentityMapping     idtools.IdentityMapping
+	IdentityMapping     user.IdentityMapping
 	DNSConfig           config.DNSConfig
 	ApparmorProfile     string
 	UseSnapshotter      bool

builder/builder-next/executor_linux.go

@@ -22,12 +22,13 @@ import (
 	"github.com/moby/buildkit/solver/llbsolver/cdidevices"
 	"github.com/moby/buildkit/solver/pb"
 	"github.com/moby/buildkit/util/network"
+	"github.com/moby/sys/user"
 	"github.com/opencontainers/runtime-spec/specs-go"
 )
 
 const networkName = "bridge"
 
-func newExecutor(root, cgroupParent string, net *libnetwork.Controller, dnsConfig *oci.DNSConfig, rootless bool, idmap idtools.IdentityMapping, apparmorProfile string, cdiManager *cdidevices.Manager) (executor.Executor, error) {
+func newExecutor(root, cgroupParent string, net *libnetwork.Controller, dnsConfig *oci.DNSConfig, rootless bool, idmap user.IdentityMapping, apparmorProfile string, cdiManager *cdidevices.Manager) (executor.Executor, error) {
 	netRoot := filepath.Join(root, "net")
 	networkProviders := map[pb.NetMode]network.Provider{
 		pb.NetMode_UNSET: &bridgeProvider{Controller: net, Root: netRoot},
@@ -48,7 +49,9 @@ func newExecutor(root, cgroupParent string, net *libnetwork.Controller, dnsConfi
 
 	// Returning a non-nil but empty *IdentityMapping breaks BuildKit:
 	// https://github.com/moby/moby/pull/39444
-	pidmap := &idmap
+	// TODO: Remove conversion once buildkit updates
+	idtoolsMap := idtools.FromUserIdentityMapping(idmap)
+	pidmap := &idtoolsMap
 	if idmap.Empty() {
 		pidmap = nil
 	}

builder/builder-next/executor_nolinux.go

@@ -9,14 +9,14 @@ import (
 
 	"github.com/docker/docker/daemon/config"
 	"github.com/docker/docker/libnetwork"
-	"github.com/docker/docker/pkg/idtools"
 	"github.com/moby/buildkit/executor"
 	"github.com/moby/buildkit/executor/oci"
 	resourcetypes "github.com/moby/buildkit/executor/resources/types"
 	"github.com/moby/buildkit/solver/llbsolver/cdidevices"
+	"github.com/moby/sys/user"
 )
 
-func newExecutor(_, _ string, _ *libnetwork.Controller, _ *oci.DNSConfig, _ bool, _ idtools.IdentityMapping, _ string, _ *cdidevices.Manager) (executor.Executor, error) {
+func newExecutor(_, _ string, _ *libnetwork.Controller, _ *oci.DNSConfig, _ bool, _ user.IdentityMapping, _ string, _ *cdidevices.Manager) (executor.Executor, error) {
 	return &stubExecutor{}, nil
 }
 

builder/dockerfile/builder.go

@@ -16,12 +16,12 @@ import (
 	"github.com/docker/docker/builder"
 	"github.com/docker/docker/builder/remotecontext"
 	"github.com/docker/docker/errdefs"
-	"github.com/docker/docker/pkg/idtools"
 	"github.com/docker/docker/pkg/streamformatter"
 	"github.com/docker/docker/pkg/stringid"
 	"github.com/moby/buildkit/frontend/dockerfile/instructions"
 	"github.com/moby/buildkit/frontend/dockerfile/parser"
 	"github.com/moby/buildkit/frontend/dockerfile/shell"
+	"github.com/moby/sys/user"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
 	"golang.org/x/sync/syncmap"
@@ -47,13 +47,13 @@ const (
 
 // BuildManager is shared across all Builder objects
 type BuildManager struct {
-	idMapping idtools.IdentityMapping
+	idMapping user.IdentityMapping
 	backend   builder.Backend
 	pathCache pathCache // TODO: make this persistent
 }
 
 // NewBuildManager creates a BuildManager
-func NewBuildManager(b builder.Backend, identityMapping idtools.IdentityMapping) (*BuildManager, error) {
+func NewBuildManager(b builder.Backend, identityMapping user.IdentityMapping) (*BuildManager, error) {
 	bm := &BuildManager{
 		backend:   b,
 		pathCache: &syncmap.Map{},
@@ -103,7 +103,7 @@ type builderOptions struct {
 	Backend        builder.Backend
 	ProgressWriter backend.ProgressWriter
 	PathCache      pathCache
-	IDMapping      idtools.IdentityMapping
+	IDMapping      user.IdentityMapping
 }
 
 // Builder is a Dockerfile builder
@@ -118,7 +118,7 @@ type Builder struct {
 
 	docker builder.Backend
 
-	idMapping        idtools.IdentityMapping
+	idMapping        user.IdentityMapping
 	disableCommit    bool
 	imageSources     *imageSources
 	pathCache        pathCache

builder/dockerfile/copy.go

@@ -17,14 +17,14 @@ import (
 	"github.com/docker/docker/builder"
 	"github.com/docker/docker/builder/remotecontext"
 	"github.com/docker/docker/builder/remotecontext/urlutil"
-	"github.com/docker/docker/pkg/archive"
-	"github.com/docker/docker/pkg/idtools"
 	"github.com/docker/docker/pkg/longpath"
 	"github.com/docker/docker/pkg/progress"
 	"github.com/docker/docker/pkg/streamformatter"
 	"github.com/docker/docker/pkg/system"
 	"github.com/moby/buildkit/frontend/dockerfile/instructions"
+	"github.com/moby/go-archive"
 	"github.com/moby/sys/symlink"
+	"github.com/moby/sys/user"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
 )
@@ -446,9 +446,15 @@ func downloadSource(output io.Writer, stdout io.Writer, srcURL string) (remote b
 	return lc, filename, err
 }
 
+type identity struct {
+	UID int
+	GID int
+	SID string
+}
+
 type copyFileOptions struct {
 	decompress bool
-	identity   *idtools.Identity
+	identity   *identity
 	archiver   *archive.Archiver
 }
 
@@ -498,7 +504,7 @@ func performCopyForInfo(dest copyInfo, source copyInfo, options copyFileOptions)
 	return copyFile(archiver, srcPath, destPath, options.identity)
 }
 
-func copyDirectory(archiver *archive.Archiver, source, dest string, identity *idtools.Identity) error {
+func copyDirectory(archiver *archive.Archiver, source, dest string, identity *identity) error {
 	destExists, err := isExistingDirectory(dest)
 	if err != nil {
 		return errors.Wrapf(err, "failed to query destination path")
@@ -513,13 +519,13 @@ func copyDirectory(archiver *archive.Archiver, source, dest string, identity *id
 	return nil
 }
 
-func copyFile(archiver *archive.Archiver, source, dest string, identity *idtools.Identity) error {
+func copyFile(archiver *archive.Archiver, source, dest string, identity *identity) error {
 	if identity == nil {
 		if err := os.MkdirAll(filepath.Dir(dest), 0o755); err != nil {
 			return err
 		}
 	} else {
-		if err := idtools.MkdirAllAndChownNew(filepath.Dir(dest), 0o755, *identity); err != nil {
+		if err := user.MkdirAllAndChown(filepath.Dir(dest), 0o755, identity.UID, identity.GID, user.WithOnlyNew); err != nil {
 			return errors.Wrapf(err, "failed to create new directory")
 		}
 	}

builder/dockerfile/copy_unix.go

@@ -7,11 +7,9 @@ import (
 	"path"
 	"path/filepath"
 	"strings"
-
-	"github.com/docker/docker/pkg/idtools"
 )
 
-func fixPermissions(source, destination string, identity idtools.Identity, overrideSkip bool) error {
+func fixPermissions(source, destination string, id identity, overrideSkip bool) error {
 	var (
 		skipChownRoot bool
 		err           error
@@ -39,7 +37,7 @@ func fixPermissions(source, destination string, identity idtools.Identity, overr
 		}
 
 		fullpath = filepath.Join(destination, cleaned)
-		return os.Lchown(fullpath, identity.UID, identity.GID)
+		return os.Lchown(fullpath, id.UID, id.GID)
 	})
 }
 

builder/dockerfile/copy_windows.go

@@ -8,7 +8,6 @@ import (
 
 	winio "github.com/Microsoft/go-winio"
 	"github.com/docker/docker/internal/usergroup"
-	"github.com/docker/docker/pkg/idtools"
 	"github.com/docker/docker/pkg/system"
 	"github.com/moby/sys/reexec"
 	"github.com/pkg/errors"
@@ -24,12 +23,12 @@ func init() {
 	reexec.Register("windows-fix-permissions", fixPermissionsReexec)
 }
 
-func fixPermissions(source, destination string, identity idtools.Identity, _ bool) error {
-	if identity.SID == "" {
+func fixPermissions(source, destination string, id identity, _ bool) error {
+	if id.SID == "" {
 		return nil
 	}
 
-	cmd := reexec.Command("windows-fix-permissions", source, destination, identity.SID)
+	cmd := reexec.Command("windows-fix-permissions", source, destination, id.SID)
 	output, err := cmd.CombinedOutput()
 
 	return errors.Wrapf(err, "failed to exec windows-fix-permissions: %s", output)

builder/dockerfile/evaluator_test.go

@@ -7,8 +7,8 @@ import (
 	"testing"
 
 	"github.com/docker/docker/builder/remotecontext"
-	"github.com/docker/docker/pkg/archive"
 	"github.com/moby/buildkit/frontend/dockerfile/instructions"
+	"github.com/moby/go-archive"
 	"github.com/moby/sys/reexec"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"

builder/dockerfile/internals.go

@@ -19,10 +19,10 @@ import (
 	"github.com/docker/docker/builder"
 	networkSettings "github.com/docker/docker/daemon/network"
 	"github.com/docker/docker/image"
-	"github.com/docker/docker/pkg/archive"
-	"github.com/docker/docker/pkg/chrootarchive"
 	"github.com/docker/docker/pkg/stringid"
 	"github.com/docker/go-connections/nat"
+	"github.com/moby/go-archive"
+	"github.com/moby/go-archive/chrootarchive"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
 )
@@ -152,12 +152,13 @@ func (b *Builder) performCopy(ctx context.Context, req dispatchRequest, inst cop
 		return err
 	}
 
-	identity := b.idMapping.RootPair()
+	uid, gid := b.idMapping.RootPair()
+	id := identity{UID: uid, GID: gid}
 	// if a chown was requested, perform the steps to get the uid, gid
 	// translated (if necessary because of user namespaces), and replace
 	// the root pair with the chown pair for copy operations
 	if inst.chownStr != "" {
-		identity, err = parseChownFlag(ctx, b, state, inst.chownStr, destInfo.root, b.idMapping)
+		id, err = parseChownFlag(ctx, b, state, inst.chownStr, destInfo.root, b.idMapping)
 		if err != nil {
 			if b.options.Platform != "windows" {
 				return errors.Wrapf(err, "unable to convert uid/gid chown string to host mapping")
@@ -173,7 +174,7 @@ func (b *Builder) performCopy(ctx context.Context, req dispatchRequest, inst cop
 			archiver:   b.getArchiver(),
 		}
 		if !inst.preserveOwnership {
-			opts.identity = &identity
+			opts.identity = &id
 		}
 		if err := performCopyForInfo(destInfo, info, opts); err != nil {
 			return errors.Wrapf(err, "failed to copy files")

builder/dockerfile/internals_linux.go

@@ -6,17 +6,16 @@ import (
 	"strconv"
 	"strings"
 
-	"github.com/docker/docker/pkg/idtools"
 	"github.com/moby/sys/symlink"
 	"github.com/moby/sys/user"
 	"github.com/pkg/errors"
 )
 
-func parseChownFlag(ctx context.Context, builder *Builder, state *dispatchState, chown, ctrRootPath string, identityMapping idtools.IdentityMapping) (idtools.Identity, error) {
+func parseChownFlag(ctx context.Context, builder *Builder, state *dispatchState, chown, ctrRootPath string, identityMapping user.IdentityMapping) (identity, error) {
 	var userStr, grpStr string
 	parts := strings.Split(chown, ":")
 	if len(parts) > 2 {
-		return idtools.Identity{}, errors.New("invalid chown string format: " + chown)
+		return identity{}, errors.New("invalid chown string format: " + chown)
 	}
 	if len(parts) == 1 {
 		// if no group specified, use the user spec as group as well
@@ -27,27 +26,27 @@ func parseChownFlag(ctx context.Context, builder *Builder, state *dispatchState,
 
 	passwdPath, err := symlink.FollowSymlinkInScope(filepath.Join(ctrRootPath, "etc", "passwd"), ctrRootPath)
 	if err != nil {
-		return idtools.Identity{}, errors.Wrap(err, "can't resolve /etc/passwd path in container rootfs")
+		return identity{}, errors.Wrap(err, "can't resolve /etc/passwd path in container rootfs")
 	}
 	groupPath, err := symlink.FollowSymlinkInScope(filepath.Join(ctrRootPath, "etc", "group"), ctrRootPath)
 	if err != nil {
-		return idtools.Identity{}, errors.Wrap(err, "can't resolve /etc/group path in container rootfs")
+		return identity{}, errors.Wrap(err, "can't resolve /etc/group path in container rootfs")
 	}
 	uid, err := lookupUser(userStr, passwdPath)
 	if err != nil {
-		return idtools.Identity{}, errors.Wrap(err, "can't find uid for user "+userStr)
+		return identity{}, errors.Wrap(err, "can't find uid for user "+userStr)
 	}
 	gid, err := lookupGroup(grpStr, groupPath)
 	if err != nil {
-		return idtools.Identity{}, errors.Wrap(err, "can't find gid for group "+grpStr)
+		return identity{}, errors.Wrap(err, "can't find gid for group "+grpStr)
 	}
 
 	// convert as necessary because of user namespaces
-	chownPair, err := identityMapping.ToHost(idtools.Identity{UID: uid, GID: gid})
+	uid, gid, err = identityMapping.ToHost(uid, gid)
 	if err != nil {
-		return idtools.Identity{}, errors.Wrap(err, "unable to convert uid/gid to host mapping")
+		return identity{}, errors.Wrap(err, "unable to convert uid/gid to host mapping")
 	}
-	return chownPair, nil
+	return identity{UID: uid, GID: gid}, nil
 }
 
 func lookupUser(userStr, filepath string) (int, error) {

builder/dockerfile/internals_linux_test.go

@@ -7,7 +7,7 @@ import (
 	"testing"
 
 	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/pkg/idtools"
+	"github.com/moby/sys/user"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
 )
@@ -28,15 +28,15 @@ othergrp:x:6666:
 		`,
 	}
 	// test mappings for validating use of maps
-	idMaps := []idtools.IDMap{
+	idMaps := []user.IDMap{
 		{
-			ContainerID: 0,
-			HostID:      100000,
-			Size:        65536,
+			ID:       0,
+			ParentID: 100000,
+			Count:    65536,
 		},
 	}
-	remapped := idtools.IdentityMapping{UIDMaps: idMaps, GIDMaps: idMaps}
-	unmapped := idtools.IdentityMapping{}
+	remapped := user.IdentityMapping{UIDMaps: idMaps, GIDMaps: idMaps}
+	unmapped := user.IdentityMapping{}
 
 	contextDir, cleanup := createTestTempDir(t, "", "builder-chown-parse-test")
 	defer cleanup()
@@ -54,9 +54,9 @@ othergrp:x:6666:
 		builder   *Builder
 		name      string
 		chownStr  string
-		idMapping idtools.IdentityMapping
+		idMapping user.IdentityMapping
 		state     *dispatchState
-		expected  idtools.Identity
+		expected  identity
 	}{
 		{
 			builder:   &Builder{options: &types.ImageBuildOptions{Platform: "linux"}},
@@ -64,7 +64,7 @@ othergrp:x:6666:
 			chownStr:  "1",
 			idMapping: unmapped,
 			state:     &dispatchState{},
-			expected:  idtools.Identity{UID: 1, GID: 1},
+			expected:  identity{UID: 1, GID: 1},
 		},
 		{
 			builder:   &Builder{options: &types.ImageBuildOptions{Platform: "linux"}},
@@ -72,7 +72,7 @@ othergrp:x:6666:
 			chownStr:  "0:1",
 			idMapping: unmapped,
 			state:     &dispatchState{},
-			expected:  idtools.Identity{UID: 0, GID: 1},
+			expected:  identity{UID: 0, GID: 1},
 		},
 		{
 			builder:   &Builder{options: &types.ImageBuildOptions{Platform: "linux"}},
@@ -80,7 +80,7 @@ othergrp:x:6666:
 			chownStr:  "0",
 			idMapping: remapped,
 			state:     &dispatchState{},
-			expected:  idtools.Identity{UID: 100000, GID: 100000},
+			expected:  identity{UID: 100000, GID: 100000},
 		},
 		{
 			builder:   &Builder{options: &types.ImageBuildOptions{Platform: "linux"}},
@@ -88,7 +88,7 @@ othergrp:x:6666:
 			chownStr:  "1:33",
 			idMapping: remapped,
 			state:     &dispatchState{},
-			expected:  idtools.Identity{UID: 100001, GID: 100033},
+			expected:  identity{UID: 100001, GID: 100033},
 		},
 		{
 			builder:   &Builder{options: &types.ImageBuildOptions{Platform: "linux"}},
@@ -96,7 +96,7 @@ othergrp:x:6666:
 			chownStr:  "bin:5555",
 			idMapping: unmapped,
 			state:     &dispatchState{},
-			expected:  idtools.Identity{UID: 1, GID: 5555},
+			expected:  identity{UID: 1, GID: 5555},
 		},
 		{
 			builder:   &Builder{options: &types.ImageBuildOptions{Platform: "linux"}},
@@ -104,7 +104,7 @@ othergrp:x:6666:
 			chownStr:  "0:unicorn",
 			idMapping: remapped,
 			state:     &dispatchState{},
-			expected:  idtools.Identity{UID: 100000, GID: 101002},
+			expected:  identity{UID: 100000, GID: 101002},
 		},
 		{
 			builder:   &Builder{options: &types.ImageBuildOptions{Platform: "linux"}},
@@ -112,7 +112,7 @@ othergrp:x:6666:
 			chownStr:  "unicorn",
 			idMapping: remapped,
 			state:     &dispatchState{},
-			expected:  idtools.Identity{UID: 101001, GID: 101002},
+			expected:  identity{UID: 101001, GID: 101002},
 		},
 	} {
 		t.Run(testcase.name, func(t *testing.T) {
@@ -127,7 +127,7 @@ othergrp:x:6666:
 		builder   *Builder
 		name      string
 		chownStr  string
-		idMapping idtools.IdentityMapping
+		idMapping user.IdentityMapping
 		state     *dispatchState
 		descr     string
 	}{

builder/dockerfile/internals_test.go

@@ -14,8 +14,8 @@ import (
 	"github.com/docker/docker/builder/remotecontext"
 	"github.com/docker/docker/image"
 	"github.com/docker/docker/layer"
-	"github.com/docker/docker/pkg/archive"
 	"github.com/docker/go-connections/nat"
+	"github.com/moby/go-archive"
 	"github.com/opencontainers/go-digest"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"

builder/dockerfile/internals_windows.go

@@ -12,27 +12,28 @@ import (
 	"github.com/docker/docker/api/types/mount"
 	"github.com/docker/docker/errdefs"
 	"github.com/docker/docker/internal/usergroup"
-	"github.com/docker/docker/pkg/idtools"
 	"github.com/docker/docker/pkg/jsonmessage"
+	"github.com/moby/sys/user"
 	"golang.org/x/sys/windows"
 )
 
-func parseChownFlag(ctx context.Context, builder *Builder, state *dispatchState, chown, ctrRootPath string, identityMapping idtools.IdentityMapping) (idtools.Identity, error) {
+func parseChownFlag(ctx context.Context, builder *Builder, state *dispatchState, chown, ctrRootPath string, identityMapping user.IdentityMapping) (identity, error) {
 	if builder.options.Platform == "windows" {
 		return getAccountIdentity(ctx, builder, chown, ctrRootPath, state)
 	}
 
-	return identityMapping.RootPair(), nil
+	uid, gid := identityMapping.RootPair()
+	return identity{UID: uid, GID: gid}, nil
 }
 
-func getAccountIdentity(ctx context.Context, builder *Builder, accountName string, ctrRootPath string, state *dispatchState) (idtools.Identity, error) {
+func getAccountIdentity(ctx context.Context, builder *Builder, accountName string, ctrRootPath string, state *dispatchState) (identity, error) {
 	// If this is potentially a string SID then attempt to convert it to verify
 	// this, otherwise continue looking for the account.
 	if strings.HasPrefix(accountName, "S-") || strings.HasPrefix(accountName, "s-") {
 		sid, err := windows.StringToSid(accountName)
 
 		if err == nil {
-			return idtools.Identity{SID: sid.String()}, nil
+			return identity{SID: sid.String()}, nil
 		}
 	}
 
@@ -41,14 +42,14 @@ func getAccountIdentity(ctx context.Context, builder *Builder, accountName strin
 
 	// If this is a SID that is built-in and hence the same across all systems then use that.
 	if err == nil && (accType == windows.SidTypeAlias || accType == windows.SidTypeWellKnownGroup) {
-		return idtools.Identity{SID: sid.String()}, nil
+		return identity{SID: sid.String()}, nil
 	}
 
 	// Check if the account name is one unique to containers.
 	if strings.EqualFold(accountName, "ContainerAdministrator") {
-		return idtools.Identity{SID: usergroup.ContainerAdministratorSidString}, nil
+		return identity{SID: usergroup.ContainerAdministratorSidString}, nil
 	} else if strings.EqualFold(accountName, "ContainerUser") {
-		return idtools.Identity{SID: usergroup.ContainerUserSidString}, nil
+		return identity{SID: usergroup.ContainerUserSidString}, nil
 	}
 
 	// All other lookups failed, so therefore determine if the account in
@@ -56,7 +57,7 @@ func getAccountIdentity(ctx context.Context, builder *Builder, accountName strin
 	return lookupNTAccount(ctx, builder, accountName, state)
 }
 
-func lookupNTAccount(ctx context.Context, builder *Builder, accountName string, state *dispatchState) (idtools.Identity, error) {
+func lookupNTAccount(ctx context.Context, builder *Builder, accountName string, state *dispatchState) (identity, error) {
 	source, _ := filepath.Split(os.Args[0])
 
 	target := "C:\\Docker"
@@ -64,7 +65,7 @@ func lookupNTAccount(ctx context.Context, builder *Builder, accountName string,
 
 	optionsPlatform, err := platforms.Parse(builder.options.Platform)
 	if err != nil {
-		return idtools.Identity{}, errdefs.InvalidParameter(err)
+		return identity{}, errdefs.InvalidParameter(err)
 	}
 
 	runConfig := copyRunConfig(state.runConfig,
@@ -85,7 +86,7 @@ func lookupNTAccount(ctx context.Context, builder *Builder, accountName string,
 
 	container, err := builder.containerManager.Create(ctx, runConfig, hostConfig)
 	if err != nil {
-		return idtools.Identity{}, err
+		return identity{}, err
 	}
 
 	stdout := new(bytes.Buffer)
@@ -93,15 +94,15 @@ func lookupNTAccount(ctx context.Context, builder *Builder, accountName string,
 
 	if err := builder.containerManager.Run(ctx, container.ID, stdout, stderr); err != nil {
 		if err, ok := err.(*statusCodeError); ok {
-			return idtools.Identity{}, &jsonmessage.JSONError{
+			return identity{}, &jsonmessage.JSONError{
 				Message: stderr.String(),
 				Code:    err.StatusCode(),
 			}
 		}
-		return idtools.Identity{}, err
+		return identity{}, err
 	}
 
 	accountSid := stdout.String()
 
-	return idtools.Identity{SID: accountSid}, nil
+	return identity{SID: accountSid}, nil
 }

builder/remotecontext/archive.go

@@ -6,11 +6,11 @@ import (
 	"path/filepath"
 
 	"github.com/docker/docker/builder"
-	"github.com/docker/docker/pkg/archive"
-	"github.com/docker/docker/pkg/chrootarchive"
 	"github.com/docker/docker/pkg/longpath"
 	"github.com/docker/docker/pkg/system"
 	"github.com/docker/docker/pkg/tarsum"
+	"github.com/moby/go-archive"
+	"github.com/moby/go-archive/chrootarchive"
 	"github.com/moby/sys/symlink"
 	"github.com/pkg/errors"
 )

builder/remotecontext/filehash.go

@@ -6,8 +6,8 @@ import (
 	"hash"
 	"os"
 
-	"github.com/docker/docker/pkg/archive"
 	"github.com/docker/docker/pkg/tarsum"
+	"github.com/moby/go-archive"
 )
 
 // NewFileHash returns new hash that is used for the builder cache keys

builder/remotecontext/git.go

@@ -7,7 +7,7 @@ import (
 	"github.com/containerd/log"
 	"github.com/docker/docker/builder"
 	"github.com/docker/docker/builder/remotecontext/git"
-	"github.com/docker/docker/pkg/archive"
+	"github.com/moby/go-archive"
 )
 
 // MakeGitContext returns a Context from gitURL that is cloned in a temporary directory.

builder/remotecontext/tarsum_test.go

@@ -6,7 +6,7 @@ import (
 	"testing"
 
 	"github.com/docker/docker/builder"
-	"github.com/docker/docker/pkg/archive"
+	"github.com/moby/go-archive"
 	"github.com/moby/sys/reexec"
 	"github.com/pkg/errors"
 	"gotest.tools/v3/skip"

container/archive_windows.go

@@ -5,7 +5,7 @@ import (
 	"path/filepath"
 
 	containertypes "github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/pkg/archive"
+	"github.com/moby/go-archive"
 	"github.com/pkg/errors"
 )
 

daemon/archive_tarcopyoptions.go

@@ -1,8 +1,7 @@
 package daemon // import "github.com/docker/docker/daemon"
 
 import (
-	"github.com/docker/docker/pkg/archive"
-	"github.com/docker/docker/pkg/idtools"
+	"github.com/moby/go-archive"
 )
 
 // defaultTarCopyOptions is the setting that is used when unpacking an archive
@@ -10,6 +9,6 @@ import (
 func (daemon *Daemon) defaultTarCopyOptions(noOverwriteDirNonDir bool) *archive.TarOptions {
 	return &archive.TarOptions{
 		NoOverwriteDirNonDir: noOverwriteDirNonDir,
-		IDMap:                idtools.FromUserIdentityMapping(daemon.idMapping),
+		IDMap:                daemon.idMapping,
 	}
 }

daemon/archive_tarcopyoptions_unix.go

@@ -10,8 +10,7 @@ import (
 
 	"github.com/docker/docker/container"
 	"github.com/docker/docker/errdefs"
-	"github.com/docker/docker/pkg/archive"
-	"github.com/docker/docker/pkg/idtools"
+	"github.com/moby/go-archive"
 	"github.com/moby/sys/user"
 )
 
@@ -27,7 +26,7 @@ func (daemon *Daemon) tarCopyOptions(ctr *container.Container, noOverwriteDirNon
 
 	return &archive.TarOptions{
 		NoOverwriteDirNonDir: noOverwriteDirNonDir,
-		ChownOpts:            &idtools.Identity{UID: uid, GID: gid},
+		ChownOpts:            &archive.ChownOpts{UID: uid, GID: gid},
 	}, nil
 }
 

daemon/archive_unix.go

@@ -12,9 +12,9 @@ import (
 	"github.com/docker/docker/api/types/events"
 	"github.com/docker/docker/container"
 	"github.com/docker/docker/errdefs"
-	"github.com/docker/docker/pkg/archive"
 	"github.com/docker/docker/pkg/ioutils"
 	volumemounts "github.com/docker/docker/volume/mounts"
+	"github.com/moby/go-archive"
 	"github.com/pkg/errors"
 )
 

daemon/archive_windows.go

@@ -10,9 +10,9 @@ import (
 	"github.com/docker/docker/api/types/events"
 	"github.com/docker/docker/container"
 	"github.com/docker/docker/errdefs"
-	"github.com/docker/docker/pkg/archive"
-	"github.com/docker/docker/pkg/chrootarchive"
 	"github.com/docker/docker/pkg/ioutils"
+	"github.com/moby/go-archive"
+	"github.com/moby/go-archive/chrootarchive"
 )
 
 // containerStatPath stats the filesystem resource at the specified path in this

daemon/changes.go

@@ -6,7 +6,7 @@ import (
 	"time"
 
 	"github.com/docker/docker/internal/metrics"
-	"github.com/docker/docker/pkg/archive"
+	"github.com/moby/go-archive"
 )
 
 // ContainerChanges returns a list of container fs changes

daemon/container_operations_unix.go

@@ -19,7 +19,6 @@ import (
 	"github.com/docker/docker/errdefs"
 	"github.com/docker/docker/libnetwork"
 	"github.com/docker/docker/libnetwork/drivers/bridge"
-	"github.com/docker/docker/pkg/idtools"
 	"github.com/docker/docker/pkg/process"
 	"github.com/docker/docker/pkg/stringid"
 	"github.com/moby/sys/mount"
@@ -578,5 +577,6 @@ func (daemon *Daemon) setupContainerMountsRoot(ctr *container.Container) error {
 	if err != nil {
 		return err
 	}
-	return idtools.MkdirAllAndChown(p, 0o710, idtools.Identity{UID: idtools.CurrentIdentity().UID, GID: daemon.IdentityMapping().RootPair().GID})
+	_, gid := daemon.IdentityMapping().RootPair()
+	return user.MkdirAllAndChown(p, 0o710, os.Getuid(), gid)
 }

daemon/containerd/image_builder.go

@@ -30,11 +30,11 @@ import (
 	"github.com/docker/docker/image"
 	dimage "github.com/docker/docker/image"
 	"github.com/docker/docker/layer"
-	"github.com/docker/docker/pkg/archive"
 	"github.com/docker/docker/pkg/progress"
 	"github.com/docker/docker/pkg/streamformatter"
 	"github.com/docker/docker/pkg/stringid"
 	imagespec "github.com/moby/docker-image-spec/specs-go/v1"
+	"github.com/moby/go-archive"
 	"github.com/opencontainers/go-digest"
 	"github.com/opencontainers/image-spec/identity"
 	"github.com/opencontainers/image-spec/specs-go"

daemon/containerd/image_changes.go

@@ -7,8 +7,8 @@ import (
 	"github.com/containerd/containerd/v2/core/mount"
 	"github.com/containerd/log"
 	"github.com/docker/docker/container"
-	"github.com/docker/docker/pkg/archive"
 	"github.com/docker/docker/pkg/stringid"
+	"github.com/moby/go-archive"
 )
 
 func (i *ImageService) Changes(ctx context.Context, ctr *container.Container) ([]archive.Change, error) {

daemon/containerd/image_commit.go

@@ -18,8 +18,8 @@ import (
 	"github.com/containerd/log"
 	"github.com/docker/docker/api/types/backend"
 	"github.com/docker/docker/image"
-	"github.com/docker/docker/pkg/archive"
 	imagespec "github.com/moby/docker-image-spec/specs-go/v1"
+	"github.com/moby/go-archive"
 	"github.com/opencontainers/go-digest"
 	"github.com/opencontainers/image-spec/identity"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
@@ -152,8 +152,8 @@ func (i *ImageService) createDiff(ctx context.Context, name string, sn snapshots
 	if !i.idMapping.Empty() {
 		// The rootfs of the container is remapped if an id mapping exists, we
 		// need to "unremap" it before committing the snapshot
-		rootPair := i.idMapping.RootPair()
-		usernsID := fmt.Sprintf("%s-%d-%d-%s", name, rootPair.UID, rootPair.GID, uniquePart())
+		uid, gid := i.idMapping.RootPair()
+		usernsID := fmt.Sprintf("%s-%d-%d-%s", name, uid, gid, uniquePart())
 		remappedID := usernsID + remapSuffix
 		baseName := name
 

daemon/containerd/image_exporter.go

@@ -18,8 +18,8 @@ import (
 	"github.com/docker/docker/api/types/events"
 	"github.com/docker/docker/daemon/images"
 	"github.com/docker/docker/errdefs"
-	dockerarchive "github.com/docker/docker/pkg/archive"
 	"github.com/docker/docker/pkg/streamformatter"
+	dockerarchive "github.com/moby/go-archive"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
 )

daemon/containerd/image_import.go

@@ -20,10 +20,10 @@ import (
 	"github.com/docker/docker/builder/dockerfile"
 	"github.com/docker/docker/errdefs"
 	"github.com/docker/docker/image"
-	"github.com/docker/docker/pkg/archive"
 	"github.com/docker/docker/pkg/pools"
 	"github.com/google/uuid"
 	imagespec "github.com/moby/docker-image-spec/specs-go/v1"
+	"github.com/moby/go-archive"
 	"github.com/opencontainers/go-digest"
 	"github.com/opencontainers/image-spec/specs-go"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"

daemon/containerd/image_load_test.go

@@ -14,7 +14,7 @@ import (
 	"github.com/containerd/platforms"
 	"github.com/docker/docker/errdefs"
 	"github.com/docker/docker/internal/testutils/specialimage"
-	"github.com/docker/docker/pkg/archive"
+	"github.com/moby/go-archive"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"

daemon/containerd/image_snapshot_unix.go

@@ -13,7 +13,6 @@ import (
 	"github.com/containerd/containerd/v2/core/snapshots"
 	"github.com/containerd/continuity/fs"
 	"github.com/containerd/continuity/sysx"
-	"github.com/docker/docker/pkg/idtools"
 )
 
 const (
@@ -54,12 +53,12 @@ func (i *ImageService) remapRootFS(ctx context.Context, mounts []mount.Mount) er
 				return fmt.Errorf("cannot get underlying data for %s", path)
 			}
 
-			ids, err := i.idMapping.ToHost(idtools.Identity{UID: int(stat.Uid), GID: int(stat.Gid)})
+			uid, gid, err := i.idMapping.ToHost(int(stat.Uid), int(stat.Gid))
 			if err != nil {
 				return err
 			}
 
-			return chownWithCaps(path, ids.UID, ids.GID)
+			return chownWithCaps(path, uid, gid)
 		})
 	})
 }
@@ -82,7 +81,7 @@ func (i *ImageService) copyAndUnremapRootFS(ctx context.Context, dst, src []moun
 					return fmt.Errorf("cannot get underlying data for %s", path)
 				}
 
-				uid, gid, err := i.idMapping.ToContainer(idtools.Identity{UID: int(stat.Uid), GID: int(stat.Gid)})
+				uid, gid, err := i.idMapping.ToContainer(int(stat.Uid), int(stat.Gid))
 				if err != nil {
 					return err
 				}
@@ -105,7 +104,7 @@ func (i *ImageService) unremapRootFS(ctx context.Context, mounts []mount.Mount)
 				return fmt.Errorf("cannot get underlying data for %s", path)
 			}
 
-			uid, gid, err := i.idMapping.ToContainer(idtools.Identity{UID: int(stat.Uid), GID: int(stat.Gid)})
+			uid, gid, err := i.idMapping.ToContainer(int(stat.Uid), int(stat.Gid))
 			if err != nil {
 				return err
 			}

daemon/containerd/service.go

@@ -20,7 +20,7 @@ import (
 	"github.com/docker/docker/daemon/snapshotter"
 	"github.com/docker/docker/distribution"
 	"github.com/docker/docker/errdefs"
-	"github.com/docker/docker/pkg/idtools"
+	"github.com/moby/sys/user"
 	"github.com/pkg/errors"
 )
 
@@ -37,7 +37,7 @@ type ImageService struct {
 	eventsService       *daemonevents.Events
 	pruneRunning        atomic.Bool
 	refCountMounter     snapshotter.Mounter
-	idMapping           idtools.IdentityMapping
+	idMapping           user.IdentityMapping
 
 	// defaultPlatformOverride is used in tests to override the host platform.
 	defaultPlatformOverride platforms.MatchComparer
@@ -51,7 +51,7 @@ type ImageServiceConfig struct {
 	Registry        distribution.RegistryResolver
 	EventsService   *daemonevents.Events
 	RefCountMounter snapshotter.Mounter
-	IDMapping       idtools.IdentityMapping
+	IDMapping       user.IdentityMapping
 }
 
 // NewService creates a new ImageService.

daemon/create.go

@@ -3,6 +3,7 @@ package daemon // import "github.com/docker/docker/daemon"
 import (
 	"context"
 	"fmt"
+	"os"
 	"strings"
 	"time"
 
@@ -19,8 +20,8 @@ import (
 	"github.com/docker/docker/image"
 	"github.com/docker/docker/internal/metrics"
 	"github.com/docker/docker/internal/multierror"
-	"github.com/docker/docker/pkg/idtools"
 	"github.com/docker/docker/runconfig"
+	"github.com/moby/sys/user"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/opencontainers/selinux/go-selinux"
 	"github.com/tonistiigi/go-archvariant"
@@ -192,11 +193,12 @@ func (daemon *Daemon) create(ctx context.Context, daemonCfg *config.Config, opts
 	}
 	ctr.RWLayer = rwLayer
 
-	current := idtools.CurrentIdentity()
-	if err := idtools.MkdirAndChown(ctr.Root, 0o710, idtools.Identity{UID: current.UID, GID: daemon.IdentityMapping().RootPair().GID}); err != nil {
+	cuid := os.Getuid()
+	_, gid := daemon.IdentityMapping().RootPair()
+	if err := user.MkdirAndChown(ctr.Root, 0o710, cuid, gid); err != nil {
 		return nil, err
 	}
-	if err := idtools.MkdirAndChown(ctr.CheckpointDir(), 0o700, current); err != nil {
+	if err := user.MkdirAndChown(ctr.CheckpointDir(), 0o700, cuid, os.Getegid()); err != nil {
 		return nil, err
 	}
 

daemon/daemon.go

@@ -1072,15 +1072,15 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
 			RegistryHosts:   d.RegistryHosts,
 			Registry:        d.registryService,
 			EventsService:   d.EventsService,
-			IDMapping:       idtools.FromUserIdentityMapping(idMapping),
-			RefCountMounter: snapshotter.NewMounter(config.Root, driverName, idtools.FromUserIdentityMapping(idMapping)),
+			IDMapping:       idMapping,
+			RefCountMounter: snapshotter.NewMounter(config.Root, driverName, idMapping),
 		})
 	} else {
 		layerStore, err := layer.NewStoreFromOptions(layer.StoreOptions{
 			Root:               cfgStore.Root,
 			GraphDriver:        driverName,
 			GraphDriverOptions: cfgStore.GraphOptions,
-			IDMapping:          idtools.FromUserIdentityMapping(idMapping),
+			IDMapping:          idMapping,
 		})
 		if err != nil {
 			return nil, err
@@ -1599,8 +1599,8 @@ func (daemon *Daemon) GetAttachmentStore() *network.AttachmentStore {
 }
 
 // IdentityMapping returns uid/gid mapping or a SID (in the case of Windows) for the builder
-func (daemon *Daemon) IdentityMapping() idtools.IdentityMapping {
-	return idtools.FromUserIdentityMapping(daemon.idMapping)
+func (daemon *Daemon) IdentityMapping() user.IdentityMapping {
+	return daemon.idMapping
 }
 
 // ImageService returns the Daemon's ImageService

daemon/export.go

@@ -9,9 +9,8 @@ import (
 	"github.com/docker/docker/api/types/events"
 	"github.com/docker/docker/container"
 	"github.com/docker/docker/errdefs"
-	"github.com/docker/docker/pkg/archive"
-	"github.com/docker/docker/pkg/chrootarchive"
-	"github.com/docker/docker/pkg/idtools"
+	"github.com/moby/go-archive"
+	"github.com/moby/go-archive/chrootarchive"
 )
 
 // ContainerExport writes the contents of the container to the given
@@ -66,7 +65,7 @@ func (daemon *Daemon) containerExport(ctx context.Context, ctr *container.Contai
 
 	archv, err := chrootarchive.Tar(basefs, &archive.TarOptions{
 		Compression: archive.Uncompressed,
-		IDMap:       idtools.FromUserIdentityMapping(daemon.idMapping),
+		IDMap:       daemon.idMapping,
 	}, basefs)
 	if err != nil {
 		return err

daemon/graphdriver/btrfs/btrfs.go

@@ -38,9 +38,9 @@ import (
 	"github.com/docker/docker/daemon/graphdriver"
 	"github.com/docker/docker/daemon/internal/fstype"
 	"github.com/docker/docker/internal/containerfs"
-	"github.com/docker/docker/pkg/idtools"
 	"github.com/docker/go-units"
 	"github.com/moby/sys/mount"
+	"github.com/moby/sys/user"
 	"github.com/moby/sys/userns"
 	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/pkg/errors"
@@ -58,7 +58,7 @@ type btrfsOptions struct {
 
 // Init returns a new BTRFS driver.
 // An error is returned if BTRFS is not supported.
-func Init(home string, options []string, idMap idtools.IdentityMapping) (graphdriver.Driver, error) {
+func Init(home string, options []string, idMap user.IdentityMapping) (graphdriver.Driver, error) {
 	// Perform feature detection on /var/lib/docker/btrfs if it's an existing directory.
 	// This covers situations where /var/lib/docker/btrfs is a mount, and on a different
 	// filesystem than /var/lib/docker.
@@ -77,13 +77,8 @@ func Init(home string, options []string, idMap idtools.IdentityMapping) (graphdr
 		return nil, graphdriver.ErrPrerequisites
 	}
 
-	currentID := idtools.CurrentIdentity()
-	dirID := idtools.Identity{
-		UID: currentID.UID,
-		GID: idMap.RootPair().GID,
-	}
-
-	if err := idtools.MkdirAllAndChown(home, 0o710, dirID); err != nil {
+	_, gid := idMap.RootPair()
+	if err := user.MkdirAllAndChown(home, 0o710, os.Getuid(), gid); err != nil {
 		return nil, err
 	}
 
@@ -144,7 +139,7 @@ func parseOptions(opt []string) (btrfsOptions, bool, error) {
 type Driver struct {
 	// root of the file system
 	home         string
-	idMap        idtools.IdentityMapping
+	idMap        user.IdentityMapping
 	options      btrfsOptions
 	quotaEnabled bool
 	once         sync.Once
@@ -487,15 +482,9 @@ func (d *Driver) CreateReadWrite(id, parent string, opts *graphdriver.CreateOpts
 func (d *Driver) Create(id, parent string, opts *graphdriver.CreateOpts) error {
 	quotas := path.Join(d.home, "quotas")
 	subvolumes := path.Join(d.home, "subvolumes")
-	root := d.idMap.RootPair()
 
-	currentID := idtools.CurrentIdentity()
-	dirID := idtools.Identity{
-		UID: currentID.UID,
-		GID: root.GID,
-	}
-
-	if err := idtools.MkdirAllAndChown(subvolumes, 0o710, dirID); err != nil {
+	uid, gid := d.idMap.RootPair()
+	if err := user.MkdirAllAndChown(subvolumes, 0o710, os.Getuid(), gid); err != nil {
 		return err
 	}
 	if parent == "" {
@@ -530,7 +519,7 @@ func (d *Driver) Create(id, parent string, opts *graphdriver.CreateOpts) error {
 		if err := d.setStorageSize(path.Join(subvolumes, id), driver); err != nil {
 			return err
 		}
-		if err := idtools.MkdirAllAndChown(quotas, 0o700, idtools.CurrentIdentity()); err != nil {
+		if err := user.MkdirAllAndChown(quotas, 0o700, os.Getuid(), os.Getegid()); err != nil {
 			return err
 		}
 		if err := os.WriteFile(path.Join(quotas, id), []byte(fmt.Sprint(driver.options.size)), 0o644); err != nil {
@@ -540,8 +529,8 @@ func (d *Driver) Create(id, parent string, opts *graphdriver.CreateOpts) error {
 
 	// if we have a remapped root (user namespaces enabled), change the created snapshot
 	// dir ownership to match
-	if root.UID != 0 || root.GID != 0 {
-		if err := root.Chown(path.Join(subvolumes, id)); err != nil {
+	if uid != 0 || gid != 0 {
+		if err := os.Chown(path.Join(subvolumes, id), uid, gid); err != nil {
 			return err
 		}
 	}

daemon/graphdriver/driver.go

@@ -9,8 +9,8 @@ import (
 	"strings"
 
 	"github.com/containerd/log"
-	"github.com/docker/docker/pkg/archive"
-	"github.com/docker/docker/pkg/idtools"
+	"github.com/moby/go-archive"
+	"github.com/moby/sys/user"
 	"github.com/pkg/errors"
 	"github.com/vbatts/tar-split/tar/storage"
 )
@@ -26,7 +26,7 @@ type CreateOpts struct {
 }
 
 // InitFunc initializes the storage driver.
-type InitFunc func(root string, options []string, idMap idtools.IdentityMapping) (Driver, error)
+type InitFunc func(root string, options []string, idMap user.IdentityMapping) (Driver, error)
 
 // ProtoDriver defines the basic capabilities of a driver.
 // This interface exists solely to be a minimum set of methods
@@ -151,7 +151,7 @@ func getDriver(name string, config Options) (Driver, error) {
 type Options struct {
 	Root                string
 	DriverOptions       []string
-	IDMap               idtools.IdentityMapping
+	IDMap               user.IdentityMapping
 	ExperimentalEnabled bool
 }
 

daemon/graphdriver/fsdiff.go

@@ -6,10 +6,10 @@ import (
 	"time"
 
 	"github.com/containerd/log"
-	"github.com/docker/docker/pkg/archive"
-	"github.com/docker/docker/pkg/chrootarchive"
-	"github.com/docker/docker/pkg/idtools"
 	"github.com/docker/docker/pkg/ioutils"
+	"github.com/moby/go-archive"
+	"github.com/moby/go-archive/chrootarchive"
+	"github.com/moby/sys/user"
 )
 
 // ApplyUncompressedLayer defines the unpack method used by the graph
@@ -22,7 +22,7 @@ var ApplyUncompressedLayer = chrootarchive.ApplyUncompressedLayer
 // on the exported NewNaiveDiffDriver function below.
 type NaiveDiffDriver struct {
 	ProtoDriver
-	IDMap idtools.IdentityMapping
+	IDMap user.IdentityMapping
 	// If true, allow ApplyDiff to succeed in spite of failures to set
 	// extended attributes on the unpacked files due to the destination
 	// filesystem not supporting them or a lack of permissions. The
@@ -38,7 +38,7 @@ type NaiveDiffDriver struct {
 //	Changes(id, parent string) ([]archive.Change, error)
 //	ApplyDiff(id, parent string, diff archive.Reader) (size int64, err error)
 //	DiffSize(id, parent string) (size int64, err error)
-func NewNaiveDiffDriver(driver ProtoDriver, idMap idtools.IdentityMapping) Driver {
+func NewNaiveDiffDriver(driver ProtoDriver, idMap user.IdentityMapping) Driver {
 	return &NaiveDiffDriver{
 		ProtoDriver: driver,
 		IDMap:       idMap,

daemon/graphdriver/fuse-overlayfs/fuseoverlayfs.go

@@ -20,12 +20,12 @@ import (
 	"github.com/docker/docker/daemon/internal/mountref"
 	"github.com/docker/docker/internal/containerfs"
 	"github.com/docker/docker/internal/directory"
-	"github.com/docker/docker/pkg/archive"
-	"github.com/docker/docker/pkg/chrootarchive"
-	"github.com/docker/docker/pkg/idtools"
 	"github.com/docker/docker/pkg/parsers/kernel"
+	"github.com/moby/go-archive"
+	"github.com/moby/go-archive/chrootarchive"
 	"github.com/moby/locker"
 	"github.com/moby/sys/mount"
+	"github.com/moby/sys/user"
 	"github.com/moby/sys/userns"
 	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/pkg/errors"
@@ -59,7 +59,7 @@ const (
 // mounts that are created using this driver.
 type Driver struct {
 	home      string
-	idMap     idtools.IdentityMapping
+	idMap     user.IdentityMapping
 	ctr       *mountref.Counter
 	naiveDiff graphdriver.DiffDriver
 	locker    *locker.Locker
@@ -74,7 +74,7 @@ func init() {
 // Init returns the naive diff driver for fuse-overlayfs.
 // If fuse-overlayfs is not supported on the host, the error
 // graphdriver.ErrNotSupported is returned.
-func Init(home string, options []string, idMap idtools.IdentityMapping) (graphdriver.Driver, error) {
+func Init(home string, options []string, idMap user.IdentityMapping) (graphdriver.Driver, error) {
 	if _, err := exec.LookPath(binary); err != nil {
 		logger.Error(err)
 		return nil, graphdriver.ErrNotSupported
@@ -83,16 +83,12 @@ func Init(home string, options []string, idMap idtools.IdentityMapping) (graphdr
 		return nil, graphdriver.ErrNotSupported
 	}
 
-	currentID := idtools.CurrentIdentity()
-	dirID := idtools.Identity{
-		UID: currentID.UID,
-		GID: idMap.RootPair().GID,
-	}
-
-	if err := idtools.MkdirAllAndChown(home, 0o710, dirID); err != nil {
+	cuid := os.Getuid()
+	_, gid := idMap.RootPair()
+	if err := user.MkdirAllAndChown(home, 0o710, cuid, gid); err != nil {
 		return nil, err
 	}
-	if err := idtools.MkdirAllAndChown(path.Join(home, linkDir), 0o700, currentID); err != nil {
+	if err := user.MkdirAllAndChown(path.Join(home, linkDir), 0o700, cuid, os.Getegid()); err != nil {
 		return nil, err
 	}
 
@@ -175,12 +171,12 @@ func (d *Driver) Create(id, parent string, opts *graphdriver.CreateOpts) (retErr
 
 func (d *Driver) create(id, parent string, opts *graphdriver.CreateOpts) (retErr error) {
 	dir := d.dir(id)
-	root := d.idMap.RootPair()
+	uid, gid := d.idMap.RootPair()
 
-	if err := idtools.MkdirAllAndChown(path.Dir(dir), 0o710, root); err != nil {
+	if err := user.MkdirAllAndChown(path.Dir(dir), 0o710, uid, gid); err != nil {
 		return err
 	}
-	if err := idtools.MkdirAndChown(dir, 0o710, root); err != nil {
+	if err := user.MkdirAndChown(dir, 0o710, uid, gid); err != nil {
 		return err
 	}
 
@@ -195,7 +191,7 @@ func (d *Driver) create(id, parent string, opts *graphdriver.CreateOpts) (retErr
 		return fmt.Errorf("--storage-opt is not supported")
 	}
 
-	if err := idtools.MkdirAndChown(path.Join(dir, diffDirName), 0o755, root); err != nil {
+	if err := user.MkdirAndChown(path.Join(dir, diffDirName), 0o755, uid, gid); err != nil {
 		return err
 	}
 
@@ -214,7 +210,7 @@ func (d *Driver) create(id, parent string, opts *graphdriver.CreateOpts) (retErr
 		return nil
 	}
 
-	if err := idtools.MkdirAndChown(path.Join(dir, workDirName), 0o710, root); err != nil {
+	if err := user.MkdirAndChown(path.Join(dir, workDirName), 0o710, uid, gid); err != nil {
 		return err
 	}
 
@@ -367,7 +363,8 @@ func (d *Driver) Get(id, mountLabel string) (_ string, retErr error) {
 	mountData := label.FormatMountLabel(opts, mountLabel)
 	mountTarget := mergedDir
 
-	if err := idtools.MkdirAndChown(mergedDir, 0o700, d.idMap.RootPair()); err != nil {
+	uid, gid := d.idMap.RootPair()
+	if err := user.MkdirAndChown(mergedDir, 0o700, uid, gid); err != nil {
 		return "", err
 	}
 

daemon/graphdriver/fuse-overlayfs/fuseoverlayfs_test.go

@@ -7,7 +7,7 @@ import (
 
 	"github.com/docker/docker/daemon/graphdriver"
 	"github.com/docker/docker/daemon/graphdriver/graphtest"
-	"github.com/docker/docker/pkg/archive"
+	"github.com/moby/go-archive"
 )
 
 func init() {

daemon/graphdriver/graphtest/testutil.go

@@ -10,8 +10,8 @@ import (
 	"sort"
 
 	"github.com/docker/docker/daemon/graphdriver"
-	"github.com/docker/docker/pkg/archive"
 	"github.com/docker/docker/pkg/stringid"
+	"github.com/moby/go-archive"
 )
 
 func randomContent(size int, seed int64) []byte {

daemon/graphdriver/overlay2/overlay.go

@@ -22,14 +22,14 @@ import (
 	"github.com/docker/docker/daemon/internal/mountref"
 	"github.com/docker/docker/internal/containerfs"
 	"github.com/docker/docker/internal/directory"
-	"github.com/docker/docker/pkg/archive"
-	"github.com/docker/docker/pkg/chrootarchive"
-	"github.com/docker/docker/pkg/idtools"
 	"github.com/docker/docker/quota"
 	"github.com/docker/go-units"
+	"github.com/moby/go-archive"
+	"github.com/moby/go-archive/chrootarchive"
 	"github.com/moby/locker"
 	"github.com/moby/sys/atomicwriter"
 	"github.com/moby/sys/mount"
+	"github.com/moby/sys/user"
 	"github.com/moby/sys/userns"
 	"github.com/opencontainers/selinux/go-selinux/label"
 	"golang.org/x/sys/unix"
@@ -92,7 +92,7 @@ type overlayOptions struct {
 // mounts that are created using this driver.
 type Driver struct {
 	home          string
-	idMap         idtools.IdentityMapping
+	idMap         user.IdentityMapping
 	ctr           *mountref.Counter
 	quotaCtl      *quota.Control
 	options       overlayOptions
@@ -123,7 +123,7 @@ func init() {
 // graphdriver.ErrNotSupported is returned.
 // If an overlay filesystem is not supported over an existing filesystem then
 // the error graphdriver.ErrIncompatibleFS is returned.
-func Init(home string, options []string, idMap idtools.IdentityMapping) (graphdriver.Driver, error) {
+func Init(home string, options []string, idMap user.IdentityMapping) (graphdriver.Driver, error) {
 	opts, err := parseOptions(options)
 	if err != nil {
 		return nil, err
@@ -164,15 +164,12 @@ func Init(home string, options []string, idMap idtools.IdentityMapping) (graphdr
 		return nil, err
 	}
 
-	cur := idtools.CurrentIdentity()
-	dirID := idtools.Identity{
-		UID: cur.UID,
-		GID: idMap.RootPair().GID,
-	}
-	if err := idtools.MkdirAllAndChown(home, 0o710, dirID); err != nil {
+	cuid := os.Getuid()
+	_, gid := idMap.RootPair()
+	if err := user.MkdirAllAndChown(home, 0o710, cuid, gid); err != nil {
 		return nil, err
 	}
-	if err := idtools.MkdirAllAndChown(path.Join(home, linkDir), 0o700, cur); err != nil {
+	if err := user.MkdirAllAndChown(path.Join(home, linkDir), 0o700, cuid, os.Getegid()); err != nil {
 		return nil, err
 	}
 
@@ -348,16 +345,12 @@ func (d *Driver) Create(id, parent string, opts *graphdriver.CreateOpts) (retErr
 func (d *Driver) create(id, parent string, opts *graphdriver.CreateOpts) (retErr error) {
 	dir := d.dir(id)
 
-	root := d.idMap.RootPair()
-	dirID := idtools.Identity{
-		UID: idtools.CurrentIdentity().UID,
-		GID: root.GID,
-	}
-
-	if err := idtools.MkdirAllAndChown(path.Dir(dir), 0o710, dirID); err != nil {
+	cuid := os.Getuid()
+	uid, gid := d.idMap.RootPair()
+	if err := user.MkdirAllAndChown(path.Dir(dir), 0o710, cuid, gid); err != nil {
 		return err
 	}
-	if err := idtools.MkdirAndChown(dir, 0o710, dirID); err != nil {
+	if err := user.MkdirAndChown(dir, 0o710, cuid, gid); err != nil {
 		return err
 	}
 
@@ -382,7 +375,7 @@ func (d *Driver) create(id, parent string, opts *graphdriver.CreateOpts) (retErr
 		}
 	}
 
-	if err := idtools.MkdirAndChown(path.Join(dir, diffDirName), 0o755, root); err != nil {
+	if err := user.MkdirAndChown(path.Join(dir, diffDirName), 0o755, uid, gid); err != nil {
 		return err
 	}
 
@@ -401,7 +394,7 @@ func (d *Driver) create(id, parent string, opts *graphdriver.CreateOpts) (retErr
 		return nil
 	}
 
-	if err := idtools.MkdirAndChown(path.Join(dir, workDirName), 0o700, root); err != nil {
+	if err := user.MkdirAndChown(path.Join(dir, workDirName), 0o700, uid, gid); err != nil {
 		return err
 	}
 
@@ -573,8 +566,8 @@ func (d *Driver) Get(id, mountLabel string) (_ string, retErr error) {
 	mount := unix.Mount
 	mountTarget := mergedDir
 
-	root := d.idMap.RootPair()
-	if err := idtools.MkdirAndChown(mergedDir, 0o700, root); err != nil {
+	uid, gid := d.idMap.RootPair()
+	if err := user.MkdirAndChown(mergedDir, 0o700, uid, gid); err != nil {
 		return "", err
 	}
 
@@ -608,7 +601,7 @@ func (d *Driver) Get(id, mountLabel string) (_ string, retErr error) {
 	if !readonly {
 		// chown "workdir/work" to the remapped root UID/GID. Overlay fs inside a
 		// user namespace requires this to move a directory from lower to upper.
-		if err := root.Chown(path.Join(workDir, workDirName)); err != nil {
+		if err := os.Chown(path.Join(workDir, workDirName), uid, gid); err != nil {
 			return "", err
 		}
 	}

daemon/graphdriver/overlay2/overlay_test.go

@@ -8,7 +8,7 @@ import (
 
 	"github.com/docker/docker/daemon/graphdriver"
 	"github.com/docker/docker/daemon/graphdriver/graphtest"
-	"github.com/docker/docker/pkg/archive"
+	"github.com/moby/go-archive"
 )
 
 func init() {

daemon/graphdriver/vfs/copy_unsupported.go

@@ -3,10 +3,10 @@
 package vfs // import "github.com/docker/docker/daemon/graphdriver/vfs"
 
 import (
-	"github.com/docker/docker/pkg/chrootarchive"
-	"github.com/docker/docker/pkg/idtools"
+	"github.com/moby/go-archive/chrootarchive"
+	"github.com/moby/sys/user"
 )
 
 func dirCopy(srcDir, dstDir string) error {
-	return chrootarchive.NewArchiver(idtools.IdentityMapping{}).CopyWithTar(srcDir, dstDir)
+	return chrootarchive.NewArchiver(user.IdentityMapping{}).CopyWithTar(srcDir, dstDir)
 }

daemon/graphdriver/vfs/driver.go

@@ -8,9 +8,9 @@ import (
 	"github.com/docker/docker/daemon/graphdriver"
 	"github.com/docker/docker/errdefs"
 	"github.com/docker/docker/internal/containerfs"
-	"github.com/docker/docker/pkg/idtools"
 	"github.com/docker/docker/quota"
 	"github.com/docker/go-units"
+	"github.com/moby/sys/user"
 	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/pkg/errors"
 )
@@ -29,7 +29,7 @@ func init() {
 
 // Init returns a new VFS driver.
 // This sets the home directory for the driver and returns NaiveDiffDriver.
-func Init(home string, options []string, idMap idtools.IdentityMapping) (graphdriver.Driver, error) {
+func Init(home string, options []string, idMap user.IdentityMapping) (graphdriver.Driver, error) {
 	d := &Driver{
 		home:      home,
 		idMapping: idMap,
@@ -39,11 +39,8 @@ func Init(home string, options []string, idMap idtools.IdentityMapping) (graphdr
 		return nil, err
 	}
 
-	dirID := idtools.Identity{
-		UID: idtools.CurrentIdentity().UID,
-		GID: d.idMapping.RootPair().GID,
-	}
-	if err := idtools.MkdirAllAndChown(home, 0o710, dirID); err != nil {
+	_, gid := d.idMapping.RootPair()
+	if err := user.MkdirAllAndChown(home, 0o710, os.Getuid(), gid); err != nil {
 		return nil, err
 	}
 
@@ -67,7 +64,7 @@ func Init(home string, options []string, idMap idtools.IdentityMapping) (graphdr
 type Driver struct {
 	driverQuota
 	home             string
-	idMapping        idtools.IdentityMapping
+	idMapping        user.IdentityMapping
 	bestEffortXattrs bool
 }
 
@@ -161,16 +158,12 @@ func (d *Driver) Create(id, parent string, opts *graphdriver.CreateOpts) error {
 
 func (d *Driver) create(id, parent string, size uint64) error {
 	dir := d.dir(id)
-	rootIDs := d.idMapping.RootPair()
+	uid, gid := d.idMapping.RootPair()
 
-	dirID := idtools.Identity{
-		UID: idtools.CurrentIdentity().UID,
-		GID: rootIDs.GID,
-	}
-	if err := idtools.MkdirAllAndChown(filepath.Dir(dir), 0o710, dirID); err != nil {
+	if err := user.MkdirAllAndChown(filepath.Dir(dir), 0o710, os.Getuid(), gid); err != nil {
 		return err
 	}
-	if err := idtools.MkdirAndChown(dir, 0o755, rootIDs); err != nil {
+	if err := user.MkdirAndChown(dir, 0o755, uid, gid); err != nil {
 		return err
 	}
 

daemon/graphdriver/windows/windows.go

@@ -27,12 +27,12 @@ import (
 	"github.com/containerd/log"
 	"github.com/docker/docker/daemon/graphdriver"
 	"github.com/docker/docker/daemon/internal/mountref"
-	"github.com/docker/docker/pkg/archive"
-	"github.com/docker/docker/pkg/idtools"
 	"github.com/docker/docker/pkg/ioutils"
 	"github.com/docker/docker/pkg/longpath"
 	"github.com/docker/go-units"
+	"github.com/moby/go-archive"
 	"github.com/moby/sys/reexec"
+	"github.com/moby/sys/user"
 	"github.com/pkg/errors"
 	"golang.org/x/sys/windows"
 )
@@ -89,7 +89,7 @@ type Driver struct {
 }
 
 // InitFilter returns a new Windows storage filter driver.
-func InitFilter(home string, options []string, _ idtools.IdentityMapping) (graphdriver.Driver, error) {
+func InitFilter(home string, options []string, _ user.IdentityMapping) (graphdriver.Driver, error) {
 	log.G(context.TODO()).Debugf("WindowsGraphDriver InitFilter at %s", home)
 
 	fsType, err := winiofs.GetFileSystemType(home)

daemon/graphdriver/zfs/zfs.go

@@ -16,11 +16,11 @@ import (
 	"github.com/containerd/log"
 	"github.com/docker/docker/daemon/graphdriver"
 	"github.com/docker/docker/daemon/internal/mountref"
-	"github.com/docker/docker/pkg/idtools"
 	zfs "github.com/mistifyio/go-zfs/v3"
 	"github.com/moby/locker"
 	"github.com/moby/sys/mount"
 	"github.com/moby/sys/mountinfo"
+	"github.com/moby/sys/user"
 	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/pkg/errors"
 	"golang.org/x/sys/unix"
@@ -46,7 +46,7 @@ func (*Logger) Log(cmd []string) {
 // Init returns a new ZFS driver.
 // It takes base mount path and an array of options which are represented as key value pairs.
 // Each option is in the for key=value. 'zfs.fsname' is expected to be a valid key in the options.
-func Init(base string, opt []string, idMap idtools.IdentityMapping) (graphdriver.Driver, error) {
+func Init(base string, opt []string, idMap user.IdentityMapping) (graphdriver.Driver, error) {
 	var err error
 
 	logger := log.G(context.TODO()).WithField("storage-driver", "zfs")
@@ -105,11 +105,8 @@ func Init(base string, opt []string, idMap idtools.IdentityMapping) (graphdriver
 		return nil, fmt.Errorf("BUG: zfs get all -t filesystem -rHp '%s' should contain '%s'", options.fsName, options.fsName)
 	}
 
-	dirID := idtools.Identity{
-		UID: idtools.CurrentIdentity().UID,
-		GID: idMap.RootPair().GID,
-	}
-	if err := idtools.MkdirAllAndChown(base, 0o710, dirID); err != nil {
+	_, gid := idMap.RootPair()
+	if err := user.MkdirAllAndChown(base, 0o710, os.Getuid(), gid); err != nil {
 		return nil, fmt.Errorf("Failed to create '%s': %v", base, err)
 	}
 
@@ -181,7 +178,7 @@ type Driver struct {
 	options          zfsOptions
 	sync.Mutex       // protects filesystem cache against concurrent access
 	filesystemsCache map[string]bool
-	idMap            idtools.IdentityMapping
+	idMap            user.IdentityMapping
 	ctr              *mountref.Counter
 	locker           *locker.Locker
 }
@@ -404,9 +401,9 @@ func (d *Driver) Get(id, mountLabel string) (_ string, retErr error) {
 	options := label.FormatMountLabel("", mountLabel)
 	log.G(context.TODO()).WithField("storage-driver", "zfs").Debugf(`mount("%s", "%s", "%s")`, filesystem, mountpoint, options)
 
-	root := d.idMap.RootPair()
+	uid, gid := d.idMap.RootPair()
 	// Create the target directories if they don't exist
-	if err := idtools.MkdirAllAndChown(mountpoint, 0o755, root); err != nil {
+	if err := user.MkdirAllAndChown(mountpoint, 0o755, uid, gid); err != nil {
 		return "", err
 	}
 
@@ -416,7 +413,7 @@ func (d *Driver) Get(id, mountLabel string) (_ string, retErr error) {
 
 	// this could be our first mount after creation of the filesystem, and the root dir may still have root
 	// permissions instead of the remapped root uid:gid (if user namespaces are enabled):
-	if err := root.Chown(mountpoint); err != nil {
+	if err := os.Chown(mountpoint, uid, gid); err != nil {
 		return "", fmt.Errorf("error modifying zfs mountpoint (%s) directory ownership: %v", mountpoint, err)
 	}
 

daemon/image_service.go

@@ -15,7 +15,7 @@ import (
 	"github.com/docker/docker/daemon/images"
 	"github.com/docker/docker/image"
 	"github.com/docker/docker/layer"
-	"github.com/docker/docker/pkg/archive"
+	"github.com/moby/go-archive"
 	"github.com/opencontainers/go-digest"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 )

daemon/images/image_changes.go

@@ -7,7 +7,7 @@ import (
 
 	"github.com/docker/docker/container"
 	"github.com/docker/docker/layer"
-	"github.com/docker/docker/pkg/archive"
+	"github.com/moby/go-archive"
 )
 
 func (i *ImageService) Changes(ctx context.Context, container *container.Container) ([]archive.Change, error) {

daemon/images/image_import.go

@@ -15,7 +15,7 @@ import (
 	"github.com/docker/docker/errdefs"
 	"github.com/docker/docker/image"
 	"github.com/docker/docker/layer"
-	"github.com/docker/docker/pkg/archive"
+	"github.com/moby/go-archive"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 )
 

daemon/snapshotter/mount.go

@@ -8,9 +8,9 @@ import (
 	"github.com/containerd/containerd/v2/core/mount"
 	"github.com/containerd/log"
 	"github.com/docker/docker/daemon/internal/mountref"
-	"github.com/docker/docker/pkg/idtools"
 	"github.com/moby/locker"
 	"github.com/moby/sys/mountinfo"
+	"github.com/moby/sys/user"
 )
 
 // Mounter handles mounting/unmounting things coming in from a snapshotter
@@ -25,7 +25,7 @@ type Mounter interface {
 }
 
 // NewMounter creates a new mounter for the provided snapshotter
-func NewMounter(home string, snapshotter string, idMap idtools.IdentityMapping) *refCountMounter {
+func NewMounter(home string, snapshotter string, idMap user.IdentityMapping) *refCountMounter {
 	return &refCountMounter{
 		base: mounter{
 			home:        home,
@@ -113,20 +113,17 @@ func (m *refCountMounter) Mounted(containerID string) (string, error) {
 type mounter struct {
 	home        string
 	snapshotter string
-	idMap       idtools.IdentityMapping
+	idMap       user.IdentityMapping
 }
 
 func (m mounter) Mount(mounts []mount.Mount, containerID string) (string, error) {
 	target := m.target(containerID)
 
-	root := m.idMap.RootPair()
-	if err := idtools.MkdirAllAndChown(filepath.Dir(target), 0o710, idtools.Identity{
-		UID: idtools.CurrentIdentity().UID,
-		GID: root.GID,
-	}); err != nil {
+	uid, gid := m.idMap.RootPair()
+	if err := user.MkdirAllAndChown(filepath.Dir(target), 0o710, os.Getuid(), gid); err != nil {
 		return "", err
 	}
-	if err := idtools.MkdirAllAndChown(target, 0o710, root); err != nil {
+	if err := user.MkdirAllAndChown(target, 0o710, uid, gid); err != nil {
 		return "", err
 	}
 

distribution/xfer/download.go

@@ -11,9 +11,9 @@ import (
 	"github.com/docker/distribution"
 	"github.com/docker/docker/image"
 	"github.com/docker/docker/layer"
-	"github.com/docker/docker/pkg/archive"
 	"github.com/docker/docker/pkg/ioutils"
 	"github.com/docker/docker/pkg/progress"
+	"github.com/moby/go-archive"
 )
 
 const maxDownloadAttempts = 5

image/tarexport/load.go

@@ -20,11 +20,11 @@ import (
 	v1 "github.com/docker/docker/image/v1"
 	"github.com/docker/docker/internal/ioutils"
 	"github.com/docker/docker/layer"
-	"github.com/docker/docker/pkg/archive"
-	"github.com/docker/docker/pkg/chrootarchive"
 	"github.com/docker/docker/pkg/progress"
 	"github.com/docker/docker/pkg/streamformatter"
 	"github.com/docker/docker/pkg/stringid"
+	"github.com/moby/go-archive"
+	"github.com/moby/go-archive/chrootarchive"
 	"github.com/moby/sys/sequential"
 	"github.com/moby/sys/symlink"
 	"github.com/opencontainers/go-digest"

image/tarexport/save.go

@@ -21,8 +21,8 @@ import (
 	v1 "github.com/docker/docker/image/v1"
 	"github.com/docker/docker/internal/ioutils"
 	"github.com/docker/docker/layer"
-	"github.com/docker/docker/pkg/archive"
 	"github.com/docker/docker/pkg/system"
+	"github.com/moby/go-archive"
 	"github.com/moby/sys/sequential"
 	"github.com/opencontainers/go-digest"
 	"github.com/opencontainers/image-spec/specs-go"

integration-cli/docker_cli_build_test.go

@@ -20,12 +20,12 @@ import (
 	"github.com/docker/docker/api/types/versions"
 	"github.com/docker/docker/integration-cli/cli"
 	"github.com/docker/docker/integration-cli/cli/build"
-	"github.com/docker/docker/pkg/archive"
 	"github.com/docker/docker/testutil"
 	"github.com/docker/docker/testutil/fakecontext"
 	"github.com/docker/docker/testutil/fakegit"
 	"github.com/docker/docker/testutil/fakestorage"
 	"github.com/moby/buildkit/frontend/dockerfile/command"
+	"github.com/moby/go-archive"
 	"github.com/opencontainers/go-digest"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"

integration-cli/docker_cli_cp_utils_test.go

@@ -12,7 +12,7 @@ import (
 	"testing"
 
 	"github.com/docker/docker/integration-cli/cli"
-	"github.com/docker/docker/pkg/archive"
+	"github.com/moby/go-archive"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
 )

integration-cli/docker_utils_test.go

@@ -20,8 +20,8 @@ import (
 	"github.com/docker/docker/integration-cli/cli"
 	"github.com/docker/docker/integration-cli/daemon"
 	"github.com/docker/docker/internal/testutils/specialimage"
-	"github.com/docker/docker/pkg/archive"
 	"github.com/docker/docker/testutil"
+	"github.com/moby/go-archive"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
 	"gotest.tools/v3/icmd"

integration/container/copy_test.go

@@ -15,9 +15,9 @@ import (
 	containertypes "github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/errdefs"
 	"github.com/docker/docker/integration/internal/container"
-	"github.com/docker/docker/pkg/archive"
 	"github.com/docker/docker/pkg/jsonmessage"
 	"github.com/docker/docker/testutil/fakecontext"
+	"github.com/moby/go-archive"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
 	"gotest.tools/v3/skip"

integration/container/overlayfs_linux_test.go

@@ -7,7 +7,7 @@ import (
 
 	containertypes "github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/integration/internal/container"
-	"github.com/docker/docker/pkg/archive"
+	"github.com/moby/go-archive"
 	"golang.org/x/sys/unix"
 	"gotest.tools/v3/assert"
 	"gotest.tools/v3/skip"

integration/image/save_test.go

@@ -22,8 +22,8 @@ import (
 	"github.com/docker/docker/integration/internal/container"
 	"github.com/docker/docker/internal/testutils"
 	"github.com/docker/docker/internal/testutils/specialimage"
-	"github.com/docker/docker/pkg/archive"
 	"github.com/docker/docker/testutil/fakecontext"
+	"github.com/moby/go-archive"
 	"github.com/opencontainers/go-digest"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"gotest.tools/v3/assert"

integration/plugin/authz/authz_plugin_test.go

@@ -21,10 +21,10 @@ import (
 	"github.com/docker/docker/api/types/image"
 	"github.com/docker/docker/client"
 	"github.com/docker/docker/integration/internal/container"
-	"github.com/docker/docker/pkg/archive"
 	"github.com/docker/docker/pkg/authorization"
 	"github.com/docker/docker/testutil/environment"
 	"github.com/docker/go-connections/sockets"
+	"github.com/moby/go-archive"
 	"gotest.tools/v3/assert"
 	"gotest.tools/v3/skip"
 )

internal/testutils/archive.go

@@ -3,7 +3,7 @@ package testutils
 import (
 	"io"
 
-	"github.com/docker/docker/pkg/archive"
+	"github.com/moby/go-archive"
 	"github.com/opencontainers/go-digest"
 )
 

internal/testutils/specialimage/load.go

@@ -10,8 +10,8 @@ import (
 	"testing"
 
 	"github.com/docker/docker/client"
-	"github.com/docker/docker/pkg/archive"
 	"github.com/docker/docker/pkg/jsonmessage"
+	"github.com/moby/go-archive"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"gotest.tools/v3/assert"
 )

internal/testutils/specialimage/multilayer.go

@@ -9,8 +9,8 @@ import (
 
 	"github.com/containerd/platforms"
 	"github.com/distribution/reference"
-	"github.com/docker/docker/pkg/archive"
 	"github.com/google/uuid"
+	"github.com/moby/go-archive"
 	"github.com/opencontainers/go-digest"
 	"github.com/opencontainers/image-spec/specs-go"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"

layer/layer.go

@@ -16,7 +16,7 @@ import (
 
 	"github.com/containerd/log"
 	"github.com/docker/distribution"
-	"github.com/docker/docker/pkg/archive"
+	"github.com/moby/go-archive"
 	"github.com/opencontainers/go-digest"
 )
 

layer/layer_store.go

@@ -12,9 +12,9 @@ import (
 	"github.com/containerd/log"
 	"github.com/docker/distribution"
 	"github.com/docker/docker/daemon/graphdriver"
-	"github.com/docker/docker/pkg/idtools"
 	"github.com/docker/docker/pkg/stringid"
 	"github.com/moby/locker"
+	"github.com/moby/sys/user"
 	"github.com/opencontainers/go-digest"
 	"github.com/vbatts/tar-split/tar/asm"
 	"github.com/vbatts/tar-split/tar/storage"
@@ -46,7 +46,7 @@ type StoreOptions struct {
 	Root               string
 	GraphDriver        string
 	GraphDriverOptions []string
-	IDMapping          idtools.IdentityMapping
+	IDMapping          user.IdentityMapping
 }
 
 // NewStoreFromOptions creates a new Store instance

layer/layer_test.go

@@ -13,9 +13,9 @@ import (
 	"github.com/containerd/continuity/driver"
 	"github.com/docker/docker/daemon/graphdriver"
 	"github.com/docker/docker/daemon/graphdriver/vfs"
-	"github.com/docker/docker/pkg/archive"
-	"github.com/docker/docker/pkg/idtools"
 	"github.com/docker/docker/pkg/stringid"
+	"github.com/moby/go-archive"
+	"github.com/moby/sys/user"
 	"github.com/opencontainers/go-digest"
 )
 
@@ -28,16 +28,16 @@ func init() {
 func newVFSGraphDriver(td string) (graphdriver.Driver, error) {
 	return graphdriver.New("vfs", graphdriver.Options{
 		Root: td,
-		IDMap: idtools.IdentityMapping{
-			UIDMaps: []idtools.IDMap{{
-				ContainerID: 0,
-				HostID:      os.Getuid(),
-				Size:        1,
+		IDMap: user.IdentityMapping{
+			UIDMaps: []user.IDMap{{
+				ID:       0,
+				ParentID: int64(os.Getuid()),
+				Count:    1,
 			}},
-			GIDMaps: []idtools.IDMap{{
-				ContainerID: 0,
-				HostID:      os.Getgid(),
-				Size:        1,
+			GIDMaps: []user.IDMap{{
+				ID:       0,
+				ParentID: int64(os.Getgid()),
+				Count:    1,
 			}},
 		},
 	})

layer/mount_test.go

@@ -9,7 +9,7 @@ import (
 	"testing"
 
 	"github.com/containerd/continuity/driver"
-	"github.com/docker/docker/pkg/archive"
+	"github.com/moby/go-archive"
 )
 
 func TestMountInit(t *testing.T) {

layer/mounted_layer.go

@@ -4,7 +4,7 @@ import (
 	"io"
 	"sync"
 
-	"github.com/docker/docker/pkg/archive"
+	"github.com/moby/go-archive"
 )
 
 type mountedLayer struct {

libnetwork/drivers/windows/overlay/overlay.pb.go

@@ -2,13 +2,15 @@
 // source: drivers/windows/overlay/overlay.proto
 
 /*
-	Package overlay is a generated protocol buffer package.
+Package overlay is a generated protocol buffer package.
 
-	It is generated from these files:
-		drivers/windows/overlay/overlay.proto
+It is generated from these files:
 
-	It has these top-level messages:
-		PeerRecord
+	drivers/windows/overlay/overlay.proto
+
+It has these top-level messages:
+
+	PeerRecord
 */
 package overlay
 

plugin/backend_linux.go

@@ -31,11 +31,11 @@ import (
 	"github.com/docker/docker/errdefs"
 	"github.com/docker/docker/internal/containerfs"
 	"github.com/docker/docker/pkg/authorization"
-	"github.com/docker/docker/pkg/chrootarchive"
 	"github.com/docker/docker/pkg/pools"
 	"github.com/docker/docker/pkg/progress"
 	"github.com/docker/docker/pkg/stringid"
 	v2 "github.com/docker/docker/plugin/v2"
+	"github.com/moby/go-archive/chrootarchive"
 	"github.com/moby/sys/mount"
 	"github.com/opencontainers/go-digest"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"

plugin/fetch_linux.go

@@ -15,10 +15,10 @@ import (
 	"github.com/distribution/reference"
 	"github.com/docker/docker/api/types/registry"
 	progressutils "github.com/docker/docker/distribution/utils"
-	"github.com/docker/docker/pkg/chrootarchive"
 	"github.com/docker/docker/pkg/ioutils"
 	"github.com/docker/docker/pkg/progress"
 	"github.com/docker/docker/pkg/stringid"
+	"github.com/moby/go-archive/chrootarchive"
 	"github.com/opencontainers/go-digest"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"

testutil/fakecontext/context.go

@@ -7,7 +7,7 @@ import (
 	"path/filepath"
 	"testing"
 
-	"github.com/docker/docker/pkg/archive"
+	"github.com/moby/go-archive"
 )
 
 // New creates a fake build context

testutil/fakestorage/fixtures.go

@@ -10,7 +10,7 @@ import (
 	"testing"
 
 	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/pkg/archive"
+	"github.com/moby/go-archive"
 	"gotest.tools/v3/assert"
 )
 

testutil/fixtures/plugin/plugin.go

@@ -12,9 +12,9 @@ import (
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/events"
 	"github.com/docker/docker/api/types/registry"
-	"github.com/docker/docker/pkg/archive"
 	"github.com/docker/docker/plugin"
 	registrypkg "github.com/docker/docker/registry"
+	"github.com/moby/go-archive"
 	"github.com/pkg/errors"
 )