vendor: containerd/cri 92cb4ed978

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-03-12 23:15:45 +01:00 · 2020-03-12 23:15:45 +01:00 · c00cf9a670
commit c00cf9a670
parent 62083eeed2
71 changed files with 249 additions and 2523 deletions
--- a/vendor.conf
+++ b/vendor.conf
@ -56,10 +56,10 @@ gotest.tools/v3                                     bb0d8a963040ea5048dcef1a14d8
 github.com/cilium/ebpf                              60c3aa43f488292fe2ee50fb8b833b383ca8ebbb
 # cri dependencies
-github.com/containerd/cri                           1a00c068864a59835ff442e0dddfa5a254be6bb3 # master
+github.com/containerd/cri                           92cb4ed9786a6cd271152ba1f862183d84701003 # master
 github.com/davecgh/go-spew                          8991bc29aa16c548c550c7ff78260e27b9ab7c73 # v1.1.1
 github.com/docker/distribution                      0d3efadf0154c2b8a4e7b6621fff9809655cc580
-github.com/docker/docker                            d1d5f6476656c6aad457e2a91d3436e66b6f2251
+github.com/docker/docker                            4634ce647cf2ce2c6031129ccd109e557244986f
 github.com/docker/spdystream                        449fdfce4d962303d702fec724ef0ad181c92528
 github.com/emicklei/go-restful                      b993709ae1a4f6dd19cfa475232614441b11c9d5 # v2.9.5
 github.com/google/gofuzz                            db92cf7ae75e4a7a28abc005addab2b394362888 # v1.1.0
--- a/vendor/github.com/containerd/cri/pkg/server/container_create_unix.go
+++ b/vendor/github.com/containerd/cri/pkg/server/container_create_unix.go
@ -225,9 +225,10 @@ func (c *criService) containerSpec(id string, sandboxID string, sandboxPid uint3
 		customopts.WithAnnotation(annotations.SandboxID, sandboxID),
 	)
 	// cgroupns is used for hiding /sys/fs/cgroup from containers.
-	// For compatibility, cgroupns is not used when running in cgroup v1 mode.
+	// For compatibility, cgroupns is not used when running in cgroup v1 mode or in privileged.
 	// https://github.com/containers/libpod/issues/4363
-	if cgroups.Mode() == cgroups.Unified {
+	// https://github.com/kubernetes/enhancements/blob/0e409b47497e398b369c281074485c8de129694f/keps/sig-node/20191118-cgroups-v2.md#cgroup-namespace
 	if cgroups.Mode() == cgroups.Unified && !securityContext.GetPrivileged() {
 		specOpts = append(specOpts, oci.WithLinuxNamespace(
 			runtimespec.LinuxNamespace{
 				Type: runtimespec.CgroupNamespace,
--- a/vendor/github.com/containerd/cri/pkg/server/container_remove.go
+++ b/vendor/github.com/containerd/cri/pkg/server/container_remove.go
@ -20,7 +20,6 @@ import (
 	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/errdefs"
 	"github.com/containerd/containerd/log"
 	"github.com/docker/docker/pkg/system"
 	"github.com/pkg/errors"
 	"golang.org/x/net/context"
 	runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
@ -76,12 +75,12 @@ func (c *criService) RemoveContainer(ctx context.Context, r *runtime.RemoveConta
 	}
 	containerRootDir := c.getContainerRootDir(id)
-	if err := system.EnsureRemoveAll(containerRootDir); err != nil {
+	if err := ensureRemoveAll(ctx, containerRootDir); err != nil {
 		return nil, errors.Wrapf(err, "failed to remove container root directory %q",
 			containerRootDir)
 	}
 	volatileContainerRootDir := c.getVolatileContainerRootDir(id)
-	if err := system.EnsureRemoveAll(volatileContainerRootDir); err != nil {
+	if err := ensureRemoveAll(ctx, volatileContainerRootDir); err != nil {
 		return nil, errors.Wrapf(err, "failed to remove volatile container root directory %q",
 			volatileContainerRootDir)
 	}
--- a/vendor/github.com/containerd/cri/pkg/server/helpers_unix.go
+++ b/vendor/github.com/containerd/cri/pkg/server/helpers_unix.go
@ -19,17 +19,24 @@ limitations under the License.
 package server
 import (
 	"context"
 	"fmt"
 	"os"
 	"path"
 	"path/filepath"
 	"regexp"
 	"sort"
 	"strings"
 	"syscall"
 	"time"
 	"github.com/containerd/containerd/log"
 	"github.com/containerd/containerd/mount"
 	runcapparmor "github.com/opencontainers/runc/libcontainer/apparmor"
 	runcseccomp "github.com/opencontainers/runc/libcontainer/seccomp"
 	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/pkg/errors"
 	"golang.org/x/sys/unix"
 	runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
 )
@ -141,3 +148,106 @@ func (c *criService) seccompEnabled() bool {
 func openLogFile(path string) (*os.File, error) {
 	return os.OpenFile(path, os.O_CREATE|os.O_APPEND|os.O_WRONLY, 0640)
 }
 // unmountRecursive unmounts the target and all mounts underneath, starting with
 // the deepest mount first.
 func unmountRecursive(ctx context.Context, target string) error {
 	mounts, err := mount.Self()
 	if err != nil {
 		return err
 	}
 	var toUnmount []string
 	for _, m := range mounts {
 		p, err := filepath.Rel(target, m.Mountpoint)
 		if err != nil {
 			return err
 		}
 		if !strings.HasPrefix(p, "..") {
 			toUnmount = append(toUnmount, m.Mountpoint)
 		}
 	}
 	// Make the deepest mount be first
 	sort.Slice(toUnmount, func(i, j int) bool {
 		return len(toUnmount[i]) > len(toUnmount[j])
 	})
 	for i, mountPath := range toUnmount {
 		if err := mount.UnmountAll(mountPath, unix.MNT_DETACH); err != nil {
 			if i == len(toUnmount)-1 { // last mount
 				return err
 			}
 			// This is some submount, we can ignore this error for now, the final unmount will fail if this is a real problem
 			log.G(ctx).WithError(err).Debugf("failed to unmount submount %s", mountPath)
 		}
 	}
 	return nil
 }
 // ensureRemoveAll wraps `os.RemoveAll` to check for specific errors that can
 // often be remedied.
 // Only use `ensureRemoveAll` if you really want to make every effort to remove
 // a directory.
 //
 // Because of the way `os.Remove` (and by extension `os.RemoveAll`) works, there
 // can be a race between reading directory entries and then actually attempting
 // to remove everything in the directory.
 // These types of errors do not need to be returned since it's ok for the dir to
 // be gone we can just retry the remove operation.
 //
 // This should not return a `os.ErrNotExist` kind of error under any circumstances
 func ensureRemoveAll(ctx context.Context, dir string) error {
 	notExistErr := make(map[string]bool)
 	// track retries
 	exitOnErr := make(map[string]int)
 	maxRetry := 50
 	// Attempt to unmount anything beneath this dir first.
 	if err := unmountRecursive(ctx, dir); err != nil {
 		log.G(ctx).WithError(err).Debugf("failed to do initial unmount of %s", dir)
 	}
 	for {
 		err := os.RemoveAll(dir)
 		if err == nil {
 			return nil
 		}
 		pe, ok := err.(*os.PathError)
 		if !ok {
 			return err
 		}
 		if os.IsNotExist(err) {
 			if notExistErr[pe.Path] {
 				return err
 			}
 			notExistErr[pe.Path] = true
 			// There is a race where some subdir can be removed but after the
 			// parent dir entries have been read.
 			// So the path could be from `os.Remove(subdir)`
 			// If the reported non-existent path is not the passed in `dir` we
 			// should just retry, but otherwise return with no error.
 			if pe.Path == dir {
 				return nil
 			}
 			continue
 		}
 		if pe.Err != syscall.EBUSY {
 			return err
 		}
 		if e := mount.Unmount(pe.Path, unix.MNT_DETACH); e != nil {
 			return errors.Wrapf(e, "error while removing %s", dir)
 		}
 		if exitOnErr[pe.Path] == maxRetry {
 			return err
 		}
 		exitOnErr[pe.Path]++
 		time.Sleep(100 * time.Millisecond)
 	}
 }
--- a/vendor/github.com/containerd/cri/pkg/server/helpers_windows.go
+++ b/vendor/github.com/containerd/cri/pkg/server/helpers_windows.go
@ -19,9 +19,11 @@ limitations under the License.
 package server
 import (
 	"context"
 	"os"
 	"path/filepath"
 	"syscall"
 	"time"
 )
 // openLogFile opens/creates a container log file.
@ -156,3 +158,62 @@ func fixLongPath(path string) string {
 	}
 	return string(pathbuf[:w])
 }
 // ensureRemoveAll wraps `os.RemoveAll` to check for specific errors that can
 // often be remedied.
 // Only use `ensureRemoveAll` if you really want to make every effort to remove
 // a directory.
 //
 // Because of the way `os.Remove` (and by extension `os.RemoveAll`) works, there
 // can be a race between reading directory entries and then actually attempting
 // to remove everything in the directory.
 // These types of errors do not need to be returned since it's ok for the dir to
 // be gone we can just retry the remove operation.
 //
 // This should not return a `os.ErrNotExist` kind of error under any circumstances
 func ensureRemoveAll(_ context.Context, dir string) error {
 	notExistErr := make(map[string]bool)
 	// track retries
 	exitOnErr := make(map[string]int)
 	maxRetry := 50
 	for {
 		err := os.RemoveAll(dir)
 		if err == nil {
 			return nil
 		}
 		pe, ok := err.(*os.PathError)
 		if !ok {
 			return err
 		}
 		if os.IsNotExist(err) {
 			if notExistErr[pe.Path] {
 				return err
 			}
 			notExistErr[pe.Path] = true
 			// There is a race where some subdir can be removed but after the
 			// parent dir entries have been read.
 			// So the path could be from `os.Remove(subdir)`
 			// If the reported non-existent path is not the passed in `dir` we
 			// should just retry, but otherwise return with no error.
 			if pe.Path == dir {
 				return nil
 			}
 			continue
 		}
 		if pe.Err != syscall.EBUSY {
 			return err
 		}
 		if exitOnErr[pe.Path] == maxRetry {
 			return err
 		}
 		exitOnErr[pe.Path]++
 		time.Sleep(100 * time.Millisecond)
 	}
 }
--- a/vendor/github.com/containerd/cri/pkg/server/restart.go
+++ b/vendor/github.com/containerd/cri/pkg/server/restart.go
@ -30,7 +30,6 @@ import (
 	"github.com/containerd/containerd/log"
 	"github.com/containerd/containerd/platforms"
 	"github.com/containerd/typeurl"
 	"github.com/docker/docker/pkg/system"
 	"github.com/pkg/errors"
 	"golang.org/x/net/context"
 	runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
@ -474,7 +473,7 @@ func cleanupOrphanedIDDirs(ctx context.Context, cntrs []containerd.Container, ba
 			continue
 		}
 		dir := filepath.Join(base, d.Name())
-		if err := system.EnsureRemoveAll(dir); err != nil {
+		if err := ensureRemoveAll(ctx, dir); err != nil {
 			log.G(ctx).WithError(err).Warnf("Failed to remove id directory %q", dir)
 		} else {
 			log.G(ctx).Debugf("Cleanup orphaned id directory %q", dir)
--- a/vendor/github.com/containerd/cri/pkg/server/sandbox_remove.go
+++ b/vendor/github.com/containerd/cri/pkg/server/sandbox_remove.go
@ -20,7 +20,6 @@ import (
 	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/errdefs"
 	"github.com/containerd/containerd/log"
 	"github.com/docker/docker/pkg/system"
 	"github.com/pkg/errors"
 	"golang.org/x/net/context"
 	runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
@ -80,12 +79,12 @@ func (c *criService) RemovePodSandbox(ctx context.Context, r *runtime.RemovePodS
 	// Cleanup the sandbox root directories.
 	sandboxRootDir := c.getSandboxRootDir(id)
-	if err := system.EnsureRemoveAll(sandboxRootDir); err != nil {
+	if err := ensureRemoveAll(ctx, sandboxRootDir); err != nil {
 		return nil, errors.Wrapf(err, "failed to remove sandbox root directory %q",
 			sandboxRootDir)
 	}
 	volatileSandboxRootDir := c.getVolatileSandboxRootDir(id)
-	if err := system.EnsureRemoveAll(volatileSandboxRootDir); err != nil {
+	if err := ensureRemoveAll(ctx, volatileSandboxRootDir); err != nil {
 		return nil, errors.Wrapf(err, "failed to remove volatile sandbox root directory %q",
 			volatileSandboxRootDir)
 	}
--- a/vendor/github.com/containerd/cri/vendor.conf
+++ b/vendor/github.com/containerd/cri/vendor.conf
@ -1,6 +1,6 @@
 # cri dependencies
 github.com/docker/distribution                      0d3efadf0154c2b8a4e7b6621fff9809655cc580
-github.com/docker/docker                            d1d5f6476656c6aad457e2a91d3436e66b6f2251
+github.com/docker/docker                            4634ce647cf2ce2c6031129ccd109e557244986f
 github.com/opencontainers/selinux                   31f70552238c5e017d78c3f1ba65e85f593f48e0 # v1.3.3
 github.com/tchap/go-patricia                        666120de432aea38ab06bd5c818f04f4129882c9 # v2.2.6
--- a/vendor/github.com/docker/docker/pkg/longpath/longpath.go
+++ b/vendor/github.com/docker/docker/pkg/longpath/longpath.go
@ -1,26 +0,0 @@
 // longpath introduces some constants and helper functions for handling long paths
 // in Windows, which are expected to be prepended with `\\?\` and followed by either
 // a drive letter, a UNC server\share, or a volume identifier.
 package longpath // import "github.com/docker/docker/pkg/longpath"
 import (
 	"strings"
 )
 // Prefix is the longpath prefix for Windows file paths.
 const Prefix = `\\?\`
 // AddPrefix will add the Windows long path prefix to the path provided if
 // it does not already have it.
 func AddPrefix(path string) string {
 	if !strings.HasPrefix(path, Prefix) {
 		if strings.HasPrefix(path, `\\`) {
 			// This is a UNC path, so we need to add 'UNC' to the path as well.
 			path = Prefix + `UNC` + path[1:]
 		} else {
 			path = Prefix + path
 		}
 	}
 	return path
 }
--- a/vendor/github.com/docker/docker/pkg/mount/flags.go
+++ b/vendor/github.com/docker/docker/pkg/mount/flags.go
@ -1,137 +0,0 @@
 package mount // import "github.com/docker/docker/pkg/mount"
 import (
 	"fmt"
 	"strings"
 )
 var flags = map[string]struct {
 	clear bool
 	flag  int
 }{
 	"defaults":      {false, 0},
 	"ro":            {false, RDONLY},
 	"rw":            {true, RDONLY},
 	"suid":          {true, NOSUID},
 	"nosuid":        {false, NOSUID},
 	"dev":           {true, NODEV},
 	"nodev":         {false, NODEV},
 	"exec":          {true, NOEXEC},
 	"noexec":        {false, NOEXEC},
 	"sync":          {false, SYNCHRONOUS},
 	"async":         {true, SYNCHRONOUS},
 	"dirsync":       {false, DIRSYNC},
 	"remount":       {false, REMOUNT},
 	"mand":          {false, MANDLOCK},
 	"nomand":        {true, MANDLOCK},
 	"atime":         {true, NOATIME},
 	"noatime":       {false, NOATIME},
 	"diratime":      {true, NODIRATIME},
 	"nodiratime":    {false, NODIRATIME},
 	"bind":          {false, BIND},
 	"rbind":         {false, RBIND},
 	"unbindable":    {false, UNBINDABLE},
 	"runbindable":   {false, RUNBINDABLE},
 	"private":       {false, PRIVATE},
 	"rprivate":      {false, RPRIVATE},
 	"shared":        {false, SHARED},
 	"rshared":       {false, RSHARED},
 	"slave":         {false, SLAVE},
 	"rslave":        {false, RSLAVE},
 	"relatime":      {false, RELATIME},
 	"norelatime":    {true, RELATIME},
 	"strictatime":   {false, STRICTATIME},
 	"nostrictatime": {true, STRICTATIME},
 }
 var validFlags = map[string]bool{
 	"":          true,
 	"size":      true,
 	"mode":      true,
 	"uid":       true,
 	"gid":       true,
 	"nr_inodes": true,
 	"nr_blocks": true,
 	"mpol":      true,
 }
 var propagationFlags = map[string]bool{
 	"bind":        true,
 	"rbind":       true,
 	"unbindable":  true,
 	"runbindable": true,
 	"private":     true,
 	"rprivate":    true,
 	"shared":      true,
 	"rshared":     true,
 	"slave":       true,
 	"rslave":      true,
 }
 // MergeTmpfsOptions merge mount options to make sure there is no duplicate.
 func MergeTmpfsOptions(options []string) ([]string, error) {
 	// We use collisions maps to remove duplicates.
 	// For flag, the key is the flag value (the key for propagation flag is -1)
 	// For data=value, the key is the data
 	flagCollisions := map[int]bool{}
 	dataCollisions := map[string]bool{}
 	var newOptions []string
 	// We process in reverse order
 	for i := len(options) - 1; i >= 0; i-- {
 		option := options[i]
 		if option == "defaults" {
 			continue
 		}
 		if f, ok := flags[option]; ok && f.flag != 0 {
 			// There is only one propagation mode
 			key := f.flag
 			if propagationFlags[option] {
 				key = -1
 			}
 			// Check to see if there is collision for flag
 			if !flagCollisions[key] {
 				// We prepend the option and add to collision map
 				newOptions = append([]string{option}, newOptions...)
 				flagCollisions[key] = true
 			}
 			continue
 		}
 		opt := strings.SplitN(option, "=", 2)
 		if len(opt) != 2 || !validFlags[opt[0]] {
 			return nil, fmt.Errorf("Invalid tmpfs option %q", opt)
 		}
 		if !dataCollisions[opt[0]] {
 			// We prepend the option and add to collision map
 			newOptions = append([]string{option}, newOptions...)
 			dataCollisions[opt[0]] = true
 		}
 	}
 	return newOptions, nil
 }
 // Parse fstab type mount options into mount() flags
 // and device specific data
 func parseOptions(options string) (int, string) {
 	var (
 		flag int
 		data []string
 	)
 	for _, o := range strings.Split(options, ",") {
 		// If the option does not exist in the flags table or the flag
 		// is not supported on the platform,
 		// then it is a data value for a specific fs type
 		if f, exists := flags[o]; exists && f.flag != 0 {
 			if f.clear {
 				flag &= ^f.flag
 			} else {
 				flag |= f.flag
 			}
 		} else {
 			data = append(data, o)
 		}
 	}
 	return flag, strings.Join(data, ",")
 }
--- a/vendor/github.com/docker/docker/pkg/mount/flags_freebsd.go
+++ b/vendor/github.com/docker/docker/pkg/mount/flags_freebsd.go
@ -1,49 +0,0 @@
 // +build freebsd,cgo
 package mount // import "github.com/docker/docker/pkg/mount"
 /*
 #include <sys/mount.h>
 */
 import "C"
 const (
 	// RDONLY will mount the filesystem as read-only.
 	RDONLY = C.MNT_RDONLY
 	// NOSUID will not allow set-user-identifier or set-group-identifier bits to
 	// take effect.
 	NOSUID = C.MNT_NOSUID
 	// NOEXEC will not allow execution of any binaries on the mounted file system.
 	NOEXEC = C.MNT_NOEXEC
 	// SYNCHRONOUS will allow any I/O to the file system to be done synchronously.
 	SYNCHRONOUS = C.MNT_SYNCHRONOUS
 	// NOATIME will not update the file access time when reading from a file.
 	NOATIME = C.MNT_NOATIME
 )
 // These flags are unsupported.
 const (
 	BIND        = 0
 	DIRSYNC     = 0
 	MANDLOCK    = 0
 	NODEV       = 0
 	NODIRATIME  = 0
 	UNBINDABLE  = 0
 	RUNBINDABLE = 0
 	PRIVATE     = 0
 	RPRIVATE    = 0
 	SHARED      = 0
 	RSHARED     = 0
 	SLAVE       = 0
 	RSLAVE      = 0
 	RBIND       = 0
 	RELATIVE    = 0
 	RELATIME    = 0
 	REMOUNT     = 0
 	STRICTATIME = 0
 	mntDetach   = 0
 )
--- a/vendor/github.com/docker/docker/pkg/mount/flags_linux.go
+++ b/vendor/github.com/docker/docker/pkg/mount/flags_linux.go
@ -1,87 +0,0 @@
 package mount // import "github.com/docker/docker/pkg/mount"
 import (
 	"golang.org/x/sys/unix"
 )
 const (
 	// RDONLY will mount the file system read-only.
 	RDONLY = unix.MS_RDONLY
 	// NOSUID will not allow set-user-identifier or set-group-identifier bits to
 	// take effect.
 	NOSUID = unix.MS_NOSUID
 	// NODEV will not interpret character or block special devices on the file
 	// system.
 	NODEV = unix.MS_NODEV
 	// NOEXEC will not allow execution of any binaries on the mounted file system.
 	NOEXEC = unix.MS_NOEXEC
 	// SYNCHRONOUS will allow I/O to the file system to be done synchronously.
 	SYNCHRONOUS = unix.MS_SYNCHRONOUS
 	// DIRSYNC will force all directory updates within the file system to be done
 	// synchronously. This affects the following system calls: create, link,
 	// unlink, symlink, mkdir, rmdir, mknod and rename.
 	DIRSYNC = unix.MS_DIRSYNC
 	// REMOUNT will attempt to remount an already-mounted file system. This is
 	// commonly used to change the mount flags for a file system, especially to
 	// make a readonly file system writeable. It does not change device or mount
 	// point.
 	REMOUNT = unix.MS_REMOUNT
 	// MANDLOCK will force mandatory locks on a filesystem.
 	MANDLOCK = unix.MS_MANDLOCK
 	// NOATIME will not update the file access time when reading from a file.
 	NOATIME = unix.MS_NOATIME
 	// NODIRATIME will not update the directory access time.
 	NODIRATIME = unix.MS_NODIRATIME
 	// BIND remounts a subtree somewhere else.
 	BIND = unix.MS_BIND
 	// RBIND remounts a subtree and all possible submounts somewhere else.
 	RBIND = unix.MS_BIND | unix.MS_REC
 	// UNBINDABLE creates a mount which cannot be cloned through a bind operation.
 	UNBINDABLE = unix.MS_UNBINDABLE
 	// RUNBINDABLE marks the entire mount tree as UNBINDABLE.
 	RUNBINDABLE = unix.MS_UNBINDABLE | unix.MS_REC
 	// PRIVATE creates a mount which carries no propagation abilities.
 	PRIVATE = unix.MS_PRIVATE
 	// RPRIVATE marks the entire mount tree as PRIVATE.
 	RPRIVATE = unix.MS_PRIVATE | unix.MS_REC
 	// SLAVE creates a mount which receives propagation from its master, but not
 	// vice versa.
 	SLAVE = unix.MS_SLAVE
 	// RSLAVE marks the entire mount tree as SLAVE.
 	RSLAVE = unix.MS_SLAVE | unix.MS_REC
 	// SHARED creates a mount which provides the ability to create mirrors of
 	// that mount such that mounts and unmounts within any of the mirrors
 	// propagate to the other mirrors.
 	SHARED = unix.MS_SHARED
 	// RSHARED marks the entire mount tree as SHARED.
 	RSHARED = unix.MS_SHARED | unix.MS_REC
 	// RELATIME updates inode access times relative to modify or change time.
 	RELATIME = unix.MS_RELATIME
 	// STRICTATIME allows to explicitly request full atime updates.  This makes
 	// it possible for the kernel to default to relatime or noatime but still
 	// allow userspace to override it.
 	STRICTATIME = unix.MS_STRICTATIME
 	mntDetach = unix.MNT_DETACH
 )
--- a/vendor/github.com/docker/docker/pkg/mount/flags_unsupported.go
+++ b/vendor/github.com/docker/docker/pkg/mount/flags_unsupported.go
@ -1,31 +0,0 @@
 // +build !linux,!freebsd freebsd,!cgo
 package mount // import "github.com/docker/docker/pkg/mount"
 // These flags are unsupported.
 const (
 	BIND        = 0
 	DIRSYNC     = 0
 	MANDLOCK    = 0
 	NOATIME     = 0
 	NODEV       = 0
 	NODIRATIME  = 0
 	NOEXEC      = 0
 	NOSUID      = 0
 	UNBINDABLE  = 0
 	RUNBINDABLE = 0
 	PRIVATE     = 0
 	RPRIVATE    = 0
 	SHARED      = 0
 	RSHARED     = 0
 	SLAVE       = 0
 	RSLAVE      = 0
 	RBIND       = 0
 	RELATIME    = 0
 	RELATIVE    = 0
 	REMOUNT     = 0
 	STRICTATIME = 0
 	SYNCHRONOUS = 0
 	RDONLY      = 0
 	mntDetach   = 0
 )
--- a/vendor/github.com/docker/docker/pkg/mount/mount.go
+++ b/vendor/github.com/docker/docker/pkg/mount/mount.go
@ -1,159 +0,0 @@
 package mount // import "github.com/docker/docker/pkg/mount"
 import (
 	"sort"
 	"strconv"
 	"strings"
 	"github.com/sirupsen/logrus"
 )
 // mountError records an error from mount or unmount operation
 type mountError struct {
 	op             string
 	source, target string
 	flags          uintptr
 	data           string
 	err            error
 }
 func (e *mountError) Error() string {
 	out := e.op + " "
 	if e.source != "" {
 		out += e.source + ":" + e.target
 	} else {
 		out += e.target
 	}
 	if e.flags != uintptr(0) {
 		out += ", flags: 0x" + strconv.FormatUint(uint64(e.flags), 16)
 	}
 	if e.data != "" {
 		out += ", data: " + e.data
 	}
 	out += ": " + e.err.Error()
 	return out
 }
 // Cause returns the underlying cause of the error
 func (e *mountError) Cause() error {
 	return e.err
 }
 // FilterFunc is a type defining a callback function
 // to filter out unwanted entries. It takes a pointer
 // to an Info struct (not fully populated, currently
 // only Mountpoint is filled in), and returns two booleans:
 //  - skip: true if the entry should be skipped
 //  - stop: true if parsing should be stopped after the entry
 type FilterFunc func(*Info) (skip, stop bool)
 // PrefixFilter discards all entries whose mount points
 // do not start with a prefix specified
 func PrefixFilter(prefix string) FilterFunc {
 	return func(m *Info) (bool, bool) {
 		skip := !strings.HasPrefix(m.Mountpoint, prefix)
 		return skip, false
 	}
 }
 // SingleEntryFilter looks for a specific entry
 func SingleEntryFilter(mp string) FilterFunc {
 	return func(m *Info) (bool, bool) {
 		if m.Mountpoint == mp {
 			return false, true // don't skip, stop now
 		}
 		return true, false // skip, keep going
 	}
 }
 // ParentsFilter returns all entries whose mount points
 // can be parents of a path specified, discarding others.
 // For example, given `/var/lib/docker/something`, entries
 // like `/var/lib/docker`, `/var` and `/` are returned.
 func ParentsFilter(path string) FilterFunc {
 	return func(m *Info) (bool, bool) {
 		skip := !strings.HasPrefix(path, m.Mountpoint)
 		return skip, false
 	}
 }
 // GetMounts retrieves a list of mounts for the current running process,
 // with an optional filter applied (use nil for no filter).
 func GetMounts(f FilterFunc) ([]*Info, error) {
 	return parseMountTable(f)
 }
 // Mounted determines if a specified mountpoint has been mounted.
 // On Linux it looks at /proc/self/mountinfo.
 func Mounted(mountpoint string) (bool, error) {
 	entries, err := GetMounts(SingleEntryFilter(mountpoint))
 	if err != nil {
 		return false, err
 	}
 	return len(entries) > 0, nil
 }
 // Mount will mount filesystem according to the specified configuration, on the
 // condition that the target path is *not* already mounted. Options must be
 // specified like the mount or fstab unix commands: "opt1=val1,opt2=val2". See
 // flags.go for supported option flags.
 func Mount(device, target, mType, options string) error {
 	flag, data := parseOptions(options)
 	if flag&REMOUNT != REMOUNT {
 		if mounted, err := Mounted(target); err != nil || mounted {
 			return err
 		}
 	}
 	return mount(device, target, mType, uintptr(flag), data)
 }
 // ForceMount will mount a filesystem according to the specified configuration,
 // *regardless* if the target path is not already mounted. Options must be
 // specified like the mount or fstab unix commands: "opt1=val1,opt2=val2". See
 // flags.go for supported option flags.
 func ForceMount(device, target, mType, options string) error {
 	flag, data := parseOptions(options)
 	return mount(device, target, mType, uintptr(flag), data)
 }
 // Unmount lazily unmounts a filesystem on supported platforms, otherwise
 // does a normal unmount.
 func Unmount(target string) error {
 	return unmount(target, mntDetach)
 }
 // RecursiveUnmount unmounts the target and all mounts underneath, starting with
 // the deepsest mount first.
 func RecursiveUnmount(target string) error {
 	mounts, err := parseMountTable(PrefixFilter(target))
 	if err != nil {
 		return err
 	}
 	// Make the deepest mount be first
 	sort.Slice(mounts, func(i, j int) bool {
 		return len(mounts[i].Mountpoint) > len(mounts[j].Mountpoint)
 	})
 	for i, m := range mounts {
 		logrus.Debugf("Trying to unmount %s", m.Mountpoint)
 		err = unmount(m.Mountpoint, mntDetach)
 		if err != nil {
 			if i == len(mounts)-1 { // last mount
 				if mounted, e := Mounted(m.Mountpoint); e != nil || mounted {
 					return err
 				}
 			} else {
 				// This is some submount, we can ignore this error for now, the final unmount will fail if this is a real problem
 				logrus.WithError(err).Warnf("Failed to unmount submount %s", m.Mountpoint)
 			}
 		}
 		logrus.Debugf("Unmounted %s", m.Mountpoint)
 	}
 	return nil
 }
--- a/vendor/github.com/docker/docker/pkg/mount/mounter_freebsd.go
+++ b/vendor/github.com/docker/docker/pkg/mount/mounter_freebsd.go
@ -1,59 +0,0 @@
 package mount // import "github.com/docker/docker/pkg/mount"
 /*
 #include <errno.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/_iovec.h>
 #include <sys/mount.h>
 #include <sys/param.h>
 */
 import "C"
 import (
 	"strings"
 	"syscall"
 	"unsafe"
 )
 func allocateIOVecs(options []string) []C.struct_iovec {
 	out := make([]C.struct_iovec, len(options))
 	for i, option := range options {
 		out[i].iov_base = unsafe.Pointer(C.CString(option))
 		out[i].iov_len = C.size_t(len(option) + 1)
 	}
 	return out
 }
 func mount(device, target, mType string, flag uintptr, data string) error {
 	isNullFS := false
 	xs := strings.Split(data, ",")
 	for _, x := range xs {
 		if x == "bind" {
 			isNullFS = true
 		}
 	}
 	options := []string{"fspath", target}
 	if isNullFS {
 		options = append(options, "fstype", "nullfs", "target", device)
 	} else {
 		options = append(options, "fstype", mType, "from", device)
 	}
 	rawOptions := allocateIOVecs(options)
 	for _, rawOption := range rawOptions {
 		defer C.free(rawOption.iov_base)
 	}
 	if errno := C.nmount(&rawOptions[0], C.uint(len(options)), C.int(flag)); errno != 0 {
 		return &mountError{
 			op:     "mount",
 			source: device,
 			target: target,
 			flags:  flag,
 			err:    syscall.Errno(errno),
 		}
 	}
 	return nil
 }
--- a/vendor/github.com/docker/docker/pkg/mount/mounter_linux.go
+++ b/vendor/github.com/docker/docker/pkg/mount/mounter_linux.go
@ -1,73 +0,0 @@
 package mount // import "github.com/docker/docker/pkg/mount"
 import (
 	"golang.org/x/sys/unix"
 )
 const (
 	// ptypes is the set propagation types.
 	ptypes = unix.MS_SHARED | unix.MS_PRIVATE | unix.MS_SLAVE | unix.MS_UNBINDABLE
 	// pflags is the full set valid flags for a change propagation call.
 	pflags = ptypes | unix.MS_REC | unix.MS_SILENT
 	// broflags is the combination of bind and read only
 	broflags = unix.MS_BIND | unix.MS_RDONLY
 )
 // isremount returns true if either device name or flags identify a remount request, false otherwise.
 func isremount(device string, flags uintptr) bool {
 	switch {
 	// We treat device "" and "none" as a remount request to provide compatibility with
 	// requests that don't explicitly set MS_REMOUNT such as those manipulating bind mounts.
 	case flags&unix.MS_REMOUNT != 0, device == "", device == "none":
 		return true
 	default:
 		return false
 	}
 }
 func mount(device, target, mType string, flags uintptr, data string) error {
 	oflags := flags &^ ptypes
 	if !isremount(device, flags) || data != "" {
 		// Initial call applying all non-propagation flags for mount
 		// or remount with changed data
 		if err := unix.Mount(device, target, mType, oflags, data); err != nil {
 			return &mountError{
 				op:     "mount",
 				source: device,
 				target: target,
 				flags:  oflags,
 				data:   data,
 				err:    err,
 			}
 		}
 	}
 	if flags&ptypes != 0 {
 		// Change the propagation type.
 		if err := unix.Mount("", target, "", flags&pflags, ""); err != nil {
 			return &mountError{
 				op:     "remount",
 				target: target,
 				flags:  flags & pflags,
 				err:    err,
 			}
 		}
 	}
 	if oflags&broflags == broflags {
 		// Remount the bind to apply read only.
 		if err := unix.Mount("", target, "", oflags|unix.MS_REMOUNT, ""); err != nil {
 			return &mountError{
 				op:     "remount-ro",
 				target: target,
 				flags:  oflags | unix.MS_REMOUNT,
 				err:    err,
 			}
 		}
 	}
 	return nil
 }
--- a/vendor/github.com/docker/docker/pkg/mount/mounter_unsupported.go
+++ b/vendor/github.com/docker/docker/pkg/mount/mounter_unsupported.go
@ -1,7 +0,0 @@
 // +build !linux,!freebsd freebsd,!cgo
 package mount // import "github.com/docker/docker/pkg/mount"
 func mount(device, target, mType string, flag uintptr, data string) error {
 	panic("Not implemented")
 }
--- a/vendor/github.com/docker/docker/pkg/mount/mountinfo.go
+++ b/vendor/github.com/docker/docker/pkg/mount/mountinfo.go
@ -1,40 +0,0 @@
 package mount // import "github.com/docker/docker/pkg/mount"
 // Info reveals information about a particular mounted filesystem. This
 // struct is populated from the content in the /proc/<pid>/mountinfo file.
 type Info struct {
 	// ID is a unique identifier of the mount (may be reused after umount).
 	ID int
 	// Parent indicates the ID of the mount parent (or of self for the top of the
 	// mount tree).
 	Parent int
 	// Major indicates one half of the device ID which identifies the device class.
 	Major int
 	// Minor indicates one half of the device ID which identifies a specific
 	// instance of device.
 	Minor int
 	// Root of the mount within the filesystem.
 	Root string
 	// Mountpoint indicates the mount point relative to the process's root.
 	Mountpoint string
 	// Opts represents mount-specific options.
 	Opts string
 	// Optional represents optional fields.
 	Optional string
 	// Fstype indicates the type of filesystem, such as EXT3.
 	Fstype string
 	// Source indicates filesystem specific information or "none".
 	Source string
 	// VfsOpts represents per super block options.
 	VfsOpts string
 }
--- a/vendor/github.com/docker/docker/pkg/mount/mountinfo_freebsd.go
+++ b/vendor/github.com/docker/docker/pkg/mount/mountinfo_freebsd.go
@ -1,54 +0,0 @@
 package mount // import "github.com/docker/docker/pkg/mount"
 /*
 #include <sys/param.h>
 #include <sys/ucred.h>
 #include <sys/mount.h>
 */
 import "C"
 import (
 	"fmt"
 	"reflect"
 	"unsafe"
 )
 //parseMountTable returns information about mounted filesystems
 func parseMountTable(filter FilterFunc) ([]*Info, error) {
 	var rawEntries *C.struct_statfs
 	count := int(C.getmntinfo(&rawEntries, C.MNT_WAIT))
 	if count == 0 {
 		return nil, fmt.Errorf("Failed to call getmntinfo")
 	}
 	var entries []C.struct_statfs
 	header := (*reflect.SliceHeader)(unsafe.Pointer(&entries))
 	header.Cap = count
 	header.Len = count
 	header.Data = uintptr(unsafe.Pointer(rawEntries))
 	var out []*Info
 	for _, entry := range entries {
 		var mountinfo Info
 		var skip, stop bool
 		mountinfo.Mountpoint = C.GoString(&entry.f_mntonname[0])
 		if filter != nil {
 			// filter out entries we're not interested in
 			skip, stop = filter(&mountinfo)
 			if skip {
 				continue
 			}
 		}
 		mountinfo.Source = C.GoString(&entry.f_mntfromname[0])
 		mountinfo.Fstype = C.GoString(&entry.f_fstypename[0])
 		out = append(out, &mountinfo)
 		if stop {
 			break
 		}
 	}
 	return out, nil
 }
--- a/vendor/github.com/docker/docker/pkg/mount/mountinfo_linux.go
+++ b/vendor/github.com/docker/docker/pkg/mount/mountinfo_linux.go
@ -1,143 +0,0 @@
 package mount // import "github.com/docker/docker/pkg/mount"
 import (
 	"bufio"
 	"fmt"
 	"io"
 	"os"
 	"strconv"
 	"strings"
 	"github.com/pkg/errors"
 )
 func parseInfoFile(r io.Reader, filter FilterFunc) ([]*Info, error) {
 	s := bufio.NewScanner(r)
 	out := []*Info{}
 	var err error
 	for s.Scan() {
 		if err = s.Err(); err != nil {
 			return nil, err
 		}
 		/*
 		   See http://man7.org/linux/man-pages/man5/proc.5.html
 		   36 35 98:0 /mnt1 /mnt2 rw,noatime master:1 - ext3 /dev/root rw,errors=continue
 		   (1)(2)(3)   (4)   (5)      (6)      (7)   (8) (9)   (10)         (11)
 		   (1) mount ID:  unique identifier of the mount (may be reused after umount)
 		   (2) parent ID:  ID of parent (or of self for the top of the mount tree)
 		   (3) major:minor:  value of st_dev for files on filesystem
 		   (4) root:  root of the mount within the filesystem
 		   (5) mount point:  mount point relative to the process's root
 		   (6) mount options:  per mount options
 		   (7) optional fields:  zero or more fields of the form "tag[:value]"
 		   (8) separator:  marks the end of the optional fields
 		   (9) filesystem type:  name of filesystem of the form "type[.subtype]"
 		   (10) mount source:  filesystem specific information or "none"
 		   (11) super options:  per super block options
 		*/
 		text := s.Text()
 		fields := strings.Split(text, " ")
 		numFields := len(fields)
 		if numFields < 10 {
 			// should be at least 10 fields
 			return nil, fmt.Errorf("Parsing '%s' failed: not enough fields (%d)", text, numFields)
 		}
 		p := &Info{}
 		// ignore any numbers parsing errors, as there should not be any
 		p.ID, _ = strconv.Atoi(fields[0])
 		p.Parent, _ = strconv.Atoi(fields[1])
 		mm := strings.Split(fields[2], ":")
 		if len(mm) != 2 {
 			return nil, fmt.Errorf("Parsing '%s' failed: unexpected minor:major pair %s", text, mm)
 		}
 		p.Major, _ = strconv.Atoi(mm[0])
 		p.Minor, _ = strconv.Atoi(mm[1])
 		p.Root, err = strconv.Unquote(`"` + fields[3] + `"`)
 		if err != nil {
 			return nil, errors.Wrapf(err, "Parsing '%s' failed: unable to unquote root field", fields[3])
 		}
 		p.Mountpoint, err = strconv.Unquote(`"` + fields[4] + `"`)
 		if err != nil {
 			return nil, errors.Wrapf(err, "Parsing '%s' failed: unable to unquote mount point field", fields[4])
 		}
 		p.Opts = fields[5]
 		var skip, stop bool
 		if filter != nil {
 			// filter out entries we're not interested in
 			skip, stop = filter(p)
 			if skip {
 				continue
 			}
 		}
 		// one or more optional fields, when a separator (-)
 		i := 6
 		for ; i < numFields && fields[i] != "-"; i++ {
 			switch i {
 			case 6:
 				p.Optional = fields[6]
 			default:
 				/* NOTE there might be more optional fields before the such as
 				   fields[7]...fields[N] (where N < sepIndex), although
 				   as of Linux kernel 4.15 the only known ones are
 				   mount propagation flags in fields[6]. The correct
 				   behavior is to ignore any unknown optional fields.
 				*/
 			}
 		}
 		if i == numFields {
 			return nil, fmt.Errorf("Parsing '%s' failed: missing separator ('-')", text)
 		}
 		// There should be 3 fields after the separator...
 		if i+4 > numFields {
 			return nil, fmt.Errorf("Parsing '%s' failed: not enough fields after a separator", text)
 		}
 		// ... but in Linux <= 3.9 mounting a cifs with spaces in a share name
 		// (like "//serv/My Documents") _may_ end up having a space in the last field
 		// of mountinfo (like "unc=//serv/My Documents"). Since kernel 3.10-rc1, cifs
 		// option unc= is ignored,  so a space should not appear. In here we ignore
 		// those "extra" fields caused by extra spaces.
 		p.Fstype = fields[i+1]
 		p.Source = fields[i+2]
 		p.VfsOpts = fields[i+3]
 		out = append(out, p)
 		if stop {
 			break
 		}
 	}
 	return out, nil
 }
 // Parse /proc/self/mountinfo because comparing Dev and ino does not work from
 // bind mounts
 func parseMountTable(filter FilterFunc) ([]*Info, error) {
 	f, err := os.Open("/proc/self/mountinfo")
 	if err != nil {
 		return nil, err
 	}
 	defer f.Close()
 	return parseInfoFile(f, filter)
 }
 // PidMountInfo collects the mounts for a specific process ID. If the process
 // ID is unknown, it is better to use `GetMounts` which will inspect
 // "/proc/self/mountinfo" instead.
 func PidMountInfo(pid int) ([]*Info, error) {
 	f, err := os.Open(fmt.Sprintf("/proc/%d/mountinfo", pid))
 	if err != nil {
 		return nil, err
 	}
 	defer f.Close()
 	return parseInfoFile(f, nil)
 }
--- a/vendor/github.com/docker/docker/pkg/mount/mountinfo_unsupported.go
+++ b/vendor/github.com/docker/docker/pkg/mount/mountinfo_unsupported.go
@ -1,12 +0,0 @@
 // +build !windows,!linux,!freebsd freebsd,!cgo
 package mount // import "github.com/docker/docker/pkg/mount"
 import (
 	"fmt"
 	"runtime"
 )
 func parseMountTable(f FilterFunc) ([]*Info, error) {
 	return nil, fmt.Errorf("mount.parseMountTable is not implemented on %s/%s", runtime.GOOS, runtime.GOARCH)
 }
--- a/vendor/github.com/docker/docker/pkg/mount/mountinfo_windows.go
+++ b/vendor/github.com/docker/docker/pkg/mount/mountinfo_windows.go
@ -1,6 +0,0 @@
 package mount // import "github.com/docker/docker/pkg/mount"
 func parseMountTable(f FilterFunc) ([]*Info, error) {
 	// Do NOT return an error!
 	return nil, nil
 }
--- a/vendor/github.com/docker/docker/pkg/mount/sharedsubtree_linux.go
+++ b/vendor/github.com/docker/docker/pkg/mount/sharedsubtree_linux.go
@ -1,71 +0,0 @@
 package mount // import "github.com/docker/docker/pkg/mount"
 // MakeShared ensures a mounted filesystem has the SHARED mount option enabled.
 // See the supported options in flags.go for further reference.
 func MakeShared(mountPoint string) error {
 	return ensureMountedAs(mountPoint, SHARED)
 }
 // MakeRShared ensures a mounted filesystem has the RSHARED mount option enabled.
 // See the supported options in flags.go for further reference.
 func MakeRShared(mountPoint string) error {
 	return ensureMountedAs(mountPoint, RSHARED)
 }
 // MakePrivate ensures a mounted filesystem has the PRIVATE mount option enabled.
 // See the supported options in flags.go for further reference.
 func MakePrivate(mountPoint string) error {
 	return ensureMountedAs(mountPoint, PRIVATE)
 }
 // MakeRPrivate ensures a mounted filesystem has the RPRIVATE mount option
 // enabled. See the supported options in flags.go for further reference.
 func MakeRPrivate(mountPoint string) error {
 	return ensureMountedAs(mountPoint, RPRIVATE)
 }
 // MakeSlave ensures a mounted filesystem has the SLAVE mount option enabled.
 // See the supported options in flags.go for further reference.
 func MakeSlave(mountPoint string) error {
 	return ensureMountedAs(mountPoint, SLAVE)
 }
 // MakeRSlave ensures a mounted filesystem has the RSLAVE mount option enabled.
 // See the supported options in flags.go for further reference.
 func MakeRSlave(mountPoint string) error {
 	return ensureMountedAs(mountPoint, RSLAVE)
 }
 // MakeUnbindable ensures a mounted filesystem has the UNBINDABLE mount option
 // enabled. See the supported options in flags.go for further reference.
 func MakeUnbindable(mountPoint string) error {
 	return ensureMountedAs(mountPoint, UNBINDABLE)
 }
 // MakeRUnbindable ensures a mounted filesystem has the RUNBINDABLE mount
 // option enabled. See the supported options in flags.go for further reference.
 func MakeRUnbindable(mountPoint string) error {
 	return ensureMountedAs(mountPoint, RUNBINDABLE)
 }
 // MakeMount ensures that the file or directory given is a mount point,
 // bind mounting it to itself it case it is not.
 func MakeMount(mnt string) error {
 	mounted, err := Mounted(mnt)
 	if err != nil {
 		return err
 	}
 	if mounted {
 		return nil
 	}
 	return mount(mnt, mnt, "none", uintptr(BIND), "")
 }
 func ensureMountedAs(mnt string, flags int) error {
 	if err := MakeMount(mnt); err != nil {
 		return err
 	}
 	return mount("", mnt, "none", uintptr(flags), "")
 }
--- a/vendor/github.com/docker/docker/pkg/mount/unmount_unix.go
+++ b/vendor/github.com/docker/docker/pkg/mount/unmount_unix.go
@ -1,22 +0,0 @@
 // +build !windows
 package mount // import "github.com/docker/docker/pkg/mount"
 import "golang.org/x/sys/unix"
 func unmount(target string, flags int) error {
 	err := unix.Unmount(target, flags)
 	if err == nil || err == unix.EINVAL {
 		// Ignore "not mounted" error here. Note the same error
 		// can be returned if flags are invalid, so this code
 		// assumes that the flags value is always correct.
 		return nil
 	}
 	return &mountError{
 		op:     "umount",
 		target: target,
 		flags:  uintptr(flags),
 		err:    err,
 	}
 }
--- a/vendor/github.com/docker/docker/pkg/mount/unmount_unsupported.go
+++ b/vendor/github.com/docker/docker/pkg/mount/unmount_unsupported.go
@ -1,7 +0,0 @@
 // +build windows
 package mount // import "github.com/docker/docker/pkg/mount"
 func unmount(target string, flag int) error {
 	panic("Not implemented")
 }
--- a/vendor/github.com/docker/docker/pkg/symlink/fs.go
+++ b/vendor/github.com/docker/docker/pkg/symlink/fs.go
@ -12,8 +12,6 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
 	"github.com/docker/docker/pkg/system"
 )
 // FollowSymlinkInScope is a wrapper around evalSymlinksInScope that returns an
@ -123,7 +121,7 @@ func evalSymlinksInScope(path, root string) (string, error) {
 		if err != nil {
 			return "", err
 		}
-		if system.IsAbs(dest) {
+		if isAbs(dest) {
 			b.Reset()
 		}
 		path = dest + string(filepath.Separator) + path
--- a/vendor/github.com/docker/docker/pkg/symlink/fs_unix.go
+++ b/vendor/github.com/docker/docker/pkg/symlink/fs_unix.go
@ -13,3 +13,5 @@ func evalSymlinks(path string) (string, error) {
 func isDriveOrRoot(p string) bool {
 	return p == string(filepath.Separator)
 }
 var isAbs = filepath.IsAbs
--- a/vendor/github.com/docker/docker/pkg/symlink/fs_windows.go
+++ b/vendor/github.com/docker/docker/pkg/symlink/fs_windows.go
@ -7,7 +7,6 @@ import (
 	"path/filepath"
 	"strings"
 	"github.com/docker/docker/pkg/longpath"
 	"golang.org/x/sys/windows"
 )
@ -77,7 +76,10 @@ func evalSymlinks(path string) (string, error) {
 	return filepath.Clean(p), nil
 }
-const utf8RuneSelf = 0x80
+const (
 	utf8RuneSelf   = 0x80
 	longPathPrefix = `\\?\`
 )
 func walkSymlinks(path string) (string, error) {
 	const maxIter = 255
@ -92,8 +94,8 @@ func walkSymlinks(path string) (string, error) {
 		// A path beginning with `\\?\` represents the root, so automatically
 		// skip that part and begin processing the next segment.
-		if strings.HasPrefix(path, longpath.Prefix) {
+		if strings.HasPrefix(path, longPathPrefix) {
-			b.WriteString(longpath.Prefix)
+			b.WriteString(longPathPrefix)
 			path = path[4:]
 			continue
 		}
@ -123,7 +125,7 @@ func walkSymlinks(path string) (string, error) {
 		// If this is the first segment after the long path prefix, accept the
 		// current segment as a volume root or UNC share and move on to the next.
-		if b.String() == longpath.Prefix {
+		if b.String() == longPathPrefix {
 			b.WriteString(p)
 			b.WriteRune(filepath.Separator)
 			continue
@ -146,7 +148,7 @@ func walkSymlinks(path string) (string, error) {
 		if err != nil {
 			return "", err
 		}
-		if filepath.IsAbs(dest) || os.IsPathSeparator(dest[0]) {
+		if isAbs(dest) {
 			b.Reset()
 		}
 		path = dest + string(filepath.Separator) + path
@ -167,3 +169,17 @@ func isDriveOrRoot(p string) bool {
 	}
 	return false
 }
 // isAbs is a platform-specific wrapper for filepath.IsAbs. On Windows,
 // golang filepath.IsAbs does not consider a path \windows\system32 as absolute
 // as it doesn't start with a drive-letter/colon combination. However, in
 // docker we need to verify things such as WORKDIR /windows/system32 in
 // a Dockerfile (which gets translated to \windows\system32 when being processed
 // by the daemon. This SHOULD be treated as absolute from a docker processing
 // perspective.
 func isAbs(path string) bool {
 	if filepath.IsAbs(path) || strings.HasPrefix(path, string(os.PathSeparator)) {
 		return true
 	}
 	return false
 }
--- a/vendor/github.com/docker/docker/pkg/system/args_windows.go
+++ b/vendor/github.com/docker/docker/pkg/system/args_windows.go
@ -1,16 +0,0 @@
 package system // import "github.com/docker/docker/pkg/system"
 import (
 	"strings"
 	"golang.org/x/sys/windows"
 )
 // EscapeArgs makes a Windows-style escaped command line from a set of arguments
 func EscapeArgs(args []string) string {
 	escapedArgs := make([]string, len(args))
 	for i, a := range args {
 		escapedArgs[i] = windows.EscapeArg(a)
 	}
 	return strings.Join(escapedArgs, " ")
 }
--- a/vendor/github.com/docker/docker/pkg/system/chtimes.go
+++ b/vendor/github.com/docker/docker/pkg/system/chtimes.go
@ -1,31 +0,0 @@
 package system // import "github.com/docker/docker/pkg/system"
 import (
 	"os"
 	"time"
 )
 // Chtimes changes the access time and modified time of a file at the given path
 func Chtimes(name string, atime time.Time, mtime time.Time) error {
 	unixMinTime := time.Unix(0, 0)
 	unixMaxTime := maxTime
 	// If the modified time is prior to the Unix Epoch, or after the
 	// end of Unix Time, os.Chtimes has undefined behavior
 	// default to Unix Epoch in this case, just in case
 	if atime.Before(unixMinTime) || atime.After(unixMaxTime) {
 		atime = unixMinTime
 	}
 	if mtime.Before(unixMinTime) || mtime.After(unixMaxTime) {
 		mtime = unixMinTime
 	}
 	if err := os.Chtimes(name, atime, mtime); err != nil {
 		return err
 	}
 	// Take platform specific action for setting create time.
 	return setCTime(name, mtime)
 }
--- a/vendor/github.com/docker/docker/pkg/system/chtimes_unix.go
+++ b/vendor/github.com/docker/docker/pkg/system/chtimes_unix.go
@ -1,14 +0,0 @@
 // +build !windows
 package system // import "github.com/docker/docker/pkg/system"
 import (
 	"time"
 )
 //setCTime will set the create time on a file. On Unix, the create
 //time is updated as a side effect of setting the modified time, so
 //no action is required.
 func setCTime(path string, ctime time.Time) error {
 	return nil
 }
--- a/vendor/github.com/docker/docker/pkg/system/chtimes_windows.go
+++ b/vendor/github.com/docker/docker/pkg/system/chtimes_windows.go
@ -1,26 +0,0 @@
 package system // import "github.com/docker/docker/pkg/system"
 import (
 	"time"
 	"golang.org/x/sys/windows"
 )
 //setCTime will set the create time on a file. On Windows, this requires
 //calling SetFileTime and explicitly including the create time.
 func setCTime(path string, ctime time.Time) error {
 	ctimespec := windows.NsecToTimespec(ctime.UnixNano())
 	pathp, e := windows.UTF16PtrFromString(path)
 	if e != nil {
 		return e
 	}
 	h, e := windows.CreateFile(pathp,
 		windows.FILE_WRITE_ATTRIBUTES, windows.FILE_SHARE_WRITE, nil,
 		windows.OPEN_EXISTING, windows.FILE_FLAG_BACKUP_SEMANTICS, 0)
 	if e != nil {
 		return e
 	}
 	defer windows.Close(h)
 	c := windows.NsecToFiletime(windows.TimespecToNsec(ctimespec))
 	return windows.SetFileTime(h, &c, nil, nil)
 }
--- a/vendor/github.com/docker/docker/pkg/system/errors.go
+++ b/vendor/github.com/docker/docker/pkg/system/errors.go
@ -1,13 +0,0 @@
 package system // import "github.com/docker/docker/pkg/system"
 import (
 	"errors"
 )
 var (
 	// ErrNotSupportedPlatform means the platform is not supported.
 	ErrNotSupportedPlatform = errors.New("platform and architecture is not supported")
 	// ErrNotSupportedOperatingSystem means the operating system is not supported.
 	ErrNotSupportedOperatingSystem = errors.New("operating system is not supported")
 )
--- a/vendor/github.com/docker/docker/pkg/system/exitcode.go
+++ b/vendor/github.com/docker/docker/pkg/system/exitcode.go
@ -1,19 +0,0 @@
 package system // import "github.com/docker/docker/pkg/system"
 import (
 	"fmt"
 	"os/exec"
 	"syscall"
 )
 // GetExitCode returns the ExitStatus of the specified error if its type is
 // exec.ExitError, returns 0 and an error otherwise.
 func GetExitCode(err error) (int, error) {
 	exitCode := 0
 	if exiterr, ok := err.(*exec.ExitError); ok {
 		if procExit, ok := exiterr.Sys().(syscall.WaitStatus); ok {
 			return procExit.ExitStatus(), nil
 		}
 	}
 	return exitCode, fmt.Errorf("failed to get exit code")
 }
--- a/vendor/github.com/docker/docker/pkg/system/filesys_unix.go
+++ b/vendor/github.com/docker/docker/pkg/system/filesys_unix.go
@ -1,67 +0,0 @@
 // +build !windows
 package system // import "github.com/docker/docker/pkg/system"
 import (
 	"io/ioutil"
 	"os"
 	"path/filepath"
 )
 // MkdirAllWithACL is a wrapper for os.MkdirAll on unix systems.
 func MkdirAllWithACL(path string, perm os.FileMode, sddl string) error {
 	return os.MkdirAll(path, perm)
 }
 // MkdirAll creates a directory named path along with any necessary parents,
 // with permission specified by attribute perm for all dir created.
 func MkdirAll(path string, perm os.FileMode) error {
 	return os.MkdirAll(path, perm)
 }
 // IsAbs is a platform-specific wrapper for filepath.IsAbs.
 func IsAbs(path string) bool {
 	return filepath.IsAbs(path)
 }
 // The functions below here are wrappers for the equivalents in the os and ioutils packages.
 // They are passthrough on Unix platforms, and only relevant on Windows.
 // CreateSequential creates the named file with mode 0666 (before umask), truncating
 // it if it already exists. If successful, methods on the returned
 // File can be used for I/O; the associated file descriptor has mode
 // O_RDWR.
 // If there is an error, it will be of type *PathError.
 func CreateSequential(name string) (*os.File, error) {
 	return os.Create(name)
 }
 // OpenSequential opens the named file for reading. If successful, methods on
 // the returned file can be used for reading; the associated file
 // descriptor has mode O_RDONLY.
 // If there is an error, it will be of type *PathError.
 func OpenSequential(name string) (*os.File, error) {
 	return os.Open(name)
 }
 // OpenFileSequential is the generalized open call; most users will use Open
 // or Create instead. It opens the named file with specified flag
 // (O_RDONLY etc.) and perm, (0666 etc.) if applicable. If successful,
 // methods on the returned File can be used for I/O.
 // If there is an error, it will be of type *PathError.
 func OpenFileSequential(name string, flag int, perm os.FileMode) (*os.File, error) {
 	return os.OpenFile(name, flag, perm)
 }
 // TempFileSequential creates a new temporary file in the directory dir
 // with a name beginning with prefix, opens the file for reading
 // and writing, and returns the resulting *os.File.
 // If dir is the empty string, TempFile uses the default directory
 // for temporary files (see os.TempDir).
 // Multiple programs calling TempFile simultaneously
 // will not choose the same file. The caller can use f.Name()
 // to find the pathname of the file. It is the caller's responsibility
 // to remove the file when no longer needed.
 func TempFileSequential(dir, prefix string) (f *os.File, err error) {
 	return ioutil.TempFile(dir, prefix)
 }
--- a/vendor/github.com/docker/docker/pkg/system/filesys_windows.go
+++ b/vendor/github.com/docker/docker/pkg/system/filesys_windows.go
@ -1,294 +0,0 @@
 package system // import "github.com/docker/docker/pkg/system"
 import (
 	"os"
 	"path/filepath"
 	"regexp"
 	"strconv"
 	"strings"
 	"sync"
 	"syscall"
 	"time"
 	"unsafe"
 	"golang.org/x/sys/windows"
 )
 const (
 	// SddlAdministratorsLocalSystem is local administrators plus NT AUTHORITY\System
 	SddlAdministratorsLocalSystem = "D:P(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)"
 )
 // MkdirAllWithACL is a wrapper for MkdirAll that creates a directory
 // with an appropriate SDDL defined ACL.
 func MkdirAllWithACL(path string, perm os.FileMode, sddl string) error {
 	return mkdirall(path, true, sddl)
 }
 // MkdirAll implementation that is volume path aware for Windows. It can be used
 // as a drop-in replacement for os.MkdirAll()
 func MkdirAll(path string, _ os.FileMode) error {
 	return mkdirall(path, false, "")
 }
 // mkdirall is a custom version of os.MkdirAll modified for use on Windows
 // so that it is both volume path aware, and can create a directory with
 // a DACL.
 func mkdirall(path string, applyACL bool, sddl string) error {
 	if re := regexp.MustCompile(`^\\\\\?\\Volume{[a-z0-9-]+}$`); re.MatchString(path) {
 		return nil
 	}
 	// The rest of this method is largely copied from os.MkdirAll and should be kept
 	// as-is to ensure compatibility.
 	// Fast path: if we can tell whether path is a directory or file, stop with success or error.
 	dir, err := os.Stat(path)
 	if err == nil {
 		if dir.IsDir() {
 			return nil
 		}
 		return &os.PathError{
 			Op:   "mkdir",
 			Path: path,
 			Err:  syscall.ENOTDIR,
 		}
 	}
 	// Slow path: make sure parent exists and then call Mkdir for path.
 	i := len(path)
 	for i > 0 && os.IsPathSeparator(path[i-1]) { // Skip trailing path separator.
 		i--
 	}
 	j := i
 	for j > 0 && !os.IsPathSeparator(path[j-1]) { // Scan backward over element.
 		j--
 	}
 	if j > 1 {
 		// Create parent
 		err = mkdirall(path[0:j-1], false, sddl)
 		if err != nil {
 			return err
 		}
 	}
 	// Parent now exists; invoke os.Mkdir or mkdirWithACL and use its result.
 	if applyACL {
 		err = mkdirWithACL(path, sddl)
 	} else {
 		err = os.Mkdir(path, 0)
 	}
 	if err != nil {
 		// Handle arguments like "foo/." by
 		// double-checking that directory doesn't exist.
 		dir, err1 := os.Lstat(path)
 		if err1 == nil && dir.IsDir() {
 			return nil
 		}
 		return err
 	}
 	return nil
 }
 // mkdirWithACL creates a new directory. If there is an error, it will be of
 // type *PathError. .
 //
 // This is a modified and combined version of os.Mkdir and windows.Mkdir
 // in golang to cater for creating a directory am ACL permitting full
 // access, with inheritance, to any subfolder/file for Built-in Administrators
 // and Local System.
 func mkdirWithACL(name string, sddl string) error {
 	sa := windows.SecurityAttributes{Length: 0}
 	sd, err := windows.SecurityDescriptorFromString(sddl)
 	if err != nil {
 		return &os.PathError{Op: "mkdir", Path: name, Err: err}
 	}
 	sa.Length = uint32(unsafe.Sizeof(sa))
 	sa.InheritHandle = 1
 	sa.SecurityDescriptor = sd
 	namep, err := windows.UTF16PtrFromString(name)
 	if err != nil {
 		return &os.PathError{Op: "mkdir", Path: name, Err: err}
 	}
 	e := windows.CreateDirectory(namep, &sa)
 	if e != nil {
 		return &os.PathError{Op: "mkdir", Path: name, Err: e}
 	}
 	return nil
 }
 // IsAbs is a platform-specific wrapper for filepath.IsAbs. On Windows,
 // golang filepath.IsAbs does not consider a path \windows\system32 as absolute
 // as it doesn't start with a drive-letter/colon combination. However, in
 // docker we need to verify things such as WORKDIR /windows/system32 in
 // a Dockerfile (which gets translated to \windows\system32 when being processed
 // by the daemon. This SHOULD be treated as absolute from a docker processing
 // perspective.
 func IsAbs(path string) bool {
 	if !filepath.IsAbs(path) {
 		if !strings.HasPrefix(path, string(os.PathSeparator)) {
 			return false
 		}
 	}
 	return true
 }
 // The origin of the functions below here are the golang OS and windows packages,
 // slightly modified to only cope with files, not directories due to the
 // specific use case.
 //
 // The alteration is to allow a file on Windows to be opened with
 // FILE_FLAG_SEQUENTIAL_SCAN (particular for docker load), to avoid eating
 // the standby list, particularly when accessing large files such as layer.tar.
 // CreateSequential creates the named file with mode 0666 (before umask), truncating
 // it if it already exists. If successful, methods on the returned
 // File can be used for I/O; the associated file descriptor has mode
 // O_RDWR.
 // If there is an error, it will be of type *PathError.
 func CreateSequential(name string) (*os.File, error) {
 	return OpenFileSequential(name, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0)
 }
 // OpenSequential opens the named file for reading. If successful, methods on
 // the returned file can be used for reading; the associated file
 // descriptor has mode O_RDONLY.
 // If there is an error, it will be of type *PathError.
 func OpenSequential(name string) (*os.File, error) {
 	return OpenFileSequential(name, os.O_RDONLY, 0)
 }
 // OpenFileSequential is the generalized open call; most users will use Open
 // or Create instead.
 // If there is an error, it will be of type *PathError.
 func OpenFileSequential(name string, flag int, _ os.FileMode) (*os.File, error) {
 	if name == "" {
 		return nil, &os.PathError{Op: "open", Path: name, Err: syscall.ENOENT}
 	}
 	r, errf := windowsOpenFileSequential(name, flag, 0)
 	if errf == nil {
 		return r, nil
 	}
 	return nil, &os.PathError{Op: "open", Path: name, Err: errf}
 }
 func windowsOpenFileSequential(name string, flag int, _ os.FileMode) (file *os.File, err error) {
 	r, e := windowsOpenSequential(name, flag|windows.O_CLOEXEC, 0)
 	if e != nil {
 		return nil, e
 	}
 	return os.NewFile(uintptr(r), name), nil
 }
 func makeInheritSa() *windows.SecurityAttributes {
 	var sa windows.SecurityAttributes
 	sa.Length = uint32(unsafe.Sizeof(sa))
 	sa.InheritHandle = 1
 	return &sa
 }
 func windowsOpenSequential(path string, mode int, _ uint32) (fd windows.Handle, err error) {
 	if len(path) == 0 {
 		return windows.InvalidHandle, windows.ERROR_FILE_NOT_FOUND
 	}
 	pathp, err := windows.UTF16PtrFromString(path)
 	if err != nil {
 		return windows.InvalidHandle, err
 	}
 	var access uint32
 	switch mode & (windows.O_RDONLY | windows.O_WRONLY | windows.O_RDWR) {
 	case windows.O_RDONLY:
 		access = windows.GENERIC_READ
 	case windows.O_WRONLY:
 		access = windows.GENERIC_WRITE
 	case windows.O_RDWR:
 		access = windows.GENERIC_READ | windows.GENERIC_WRITE
 	}
 	if mode&windows.O_CREAT != 0 {
 		access |= windows.GENERIC_WRITE
 	}
 	if mode&windows.O_APPEND != 0 {
 		access &^= windows.GENERIC_WRITE
 		access |= windows.FILE_APPEND_DATA
 	}
 	sharemode := uint32(windows.FILE_SHARE_READ | windows.FILE_SHARE_WRITE)
 	var sa *windows.SecurityAttributes
 	if mode&windows.O_CLOEXEC == 0 {
 		sa = makeInheritSa()
 	}
 	var createmode uint32
 	switch {
 	case mode&(windows.O_CREAT|windows.O_EXCL) == (windows.O_CREAT | windows.O_EXCL):
 		createmode = windows.CREATE_NEW
 	case mode&(windows.O_CREAT|windows.O_TRUNC) == (windows.O_CREAT | windows.O_TRUNC):
 		createmode = windows.CREATE_ALWAYS
 	case mode&windows.O_CREAT == windows.O_CREAT:
 		createmode = windows.OPEN_ALWAYS
 	case mode&windows.O_TRUNC == windows.O_TRUNC:
 		createmode = windows.TRUNCATE_EXISTING
 	default:
 		createmode = windows.OPEN_EXISTING
 	}
 	// Use FILE_FLAG_SEQUENTIAL_SCAN rather than FILE_ATTRIBUTE_NORMAL as implemented in golang.
 	//https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858(v=vs.85).aspx
 	const fileFlagSequentialScan = 0x08000000 // FILE_FLAG_SEQUENTIAL_SCAN
 	h, e := windows.CreateFile(pathp, access, sharemode, sa, createmode, fileFlagSequentialScan, 0)
 	return h, e
 }
 // Helpers for TempFileSequential
 var rand uint32
 var randmu sync.Mutex
 func reseed() uint32 {
 	return uint32(time.Now().UnixNano() + int64(os.Getpid()))
 }
 func nextSuffix() string {
 	randmu.Lock()
 	r := rand
 	if r == 0 {
 		r = reseed()
 	}
 	r = r*1664525 + 1013904223 // constants from Numerical Recipes
 	rand = r
 	randmu.Unlock()
 	return strconv.Itoa(int(1e9 + r%1e9))[1:]
 }
 // TempFileSequential is a copy of ioutil.TempFile, modified to use sequential
 // file access. Below is the original comment from golang:
 // TempFile creates a new temporary file in the directory dir
 // with a name beginning with prefix, opens the file for reading
 // and writing, and returns the resulting *os.File.
 // If dir is the empty string, TempFile uses the default directory
 // for temporary files (see os.TempDir).
 // Multiple programs calling TempFile simultaneously
 // will not choose the same file. The caller can use f.Name()
 // to find the pathname of the file. It is the caller's responsibility
 // to remove the file when no longer needed.
 func TempFileSequential(dir, prefix string) (f *os.File, err error) {
 	if dir == "" {
 		dir = os.TempDir()
 	}
 	nconflict := 0
 	for i := 0; i < 10000; i++ {
 		name := filepath.Join(dir, prefix+nextSuffix())
 		f, err = OpenFileSequential(name, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0600)
 		if os.IsExist(err) {
 			if nconflict++; nconflict > 10 {
 				randmu.Lock()
 				rand = reseed()
 				randmu.Unlock()
 			}
 			continue
 		}
 		break
 	}
 	return
 }
--- a/vendor/github.com/docker/docker/pkg/system/init.go
+++ b/vendor/github.com/docker/docker/pkg/system/init.go
@ -1,22 +0,0 @@
 package system // import "github.com/docker/docker/pkg/system"
 import (
 	"syscall"
 	"time"
 	"unsafe"
 )
 // Used by chtimes
 var maxTime time.Time
 func init() {
 	// chtimes initialization
 	if unsafe.Sizeof(syscall.Timespec{}.Nsec) == 8 {
 		// This is a 64 bit timespec
 		// os.Chtimes limits time to the following
 		maxTime = time.Unix(0, 1<<63-1)
 	} else {
 		// This is a 32 bit timespec
 		maxTime = time.Unix(1<<31-1, 0)
 	}
 }
--- a/vendor/github.com/docker/docker/pkg/system/init_unix.go
+++ b/vendor/github.com/docker/docker/pkg/system/init_unix.go
@ -1,12 +0,0 @@
 // +build !windows
 package system // import "github.com/docker/docker/pkg/system"
 // InitLCOW does nothing since LCOW is a windows only feature
 func InitLCOW(experimental bool) {
 }
 // ContainerdRuntimeSupported returns true if the use of ContainerD runtime is supported.
 func ContainerdRuntimeSupported(_ bool, _ string) bool {
 	return true
 }
--- a/vendor/github.com/docker/docker/pkg/system/init_windows.go
+++ b/vendor/github.com/docker/docker/pkg/system/init_windows.go
@ -1,40 +0,0 @@
 package system // import "github.com/docker/docker/pkg/system"
 import (
 	"os"
 	"github.com/Microsoft/hcsshim/osversion"
 	"github.com/sirupsen/logrus"
 )
 var (
 	// lcowSupported determines if Linux Containers on Windows are supported.
 	lcowSupported = false
 	// containerdRuntimeSupported determines if ContainerD should be the runtime.
 	// As of March 2019, this is an experimental feature.
 	containerdRuntimeSupported = false
 )
 // InitLCOW sets whether LCOW is supported or not. Requires RS5+
 func InitLCOW(experimental bool) {
 	if experimental && osversion.Build() >= osversion.RS5 {
 		lcowSupported = true
 	}
 }
 // InitContainerdRuntime sets whether to use ContainerD for runtime
 // on Windows. This is an experimental feature still in development, and
 // also requires an environment variable to be set (so as not to turn the
 // feature on from simply experimental which would also mean LCOW.
 func InitContainerdRuntime(experimental bool, cdPath string) {
 	if experimental && len(cdPath) > 0 && len(os.Getenv("DOCKER_WINDOWS_CONTAINERD_RUNTIME")) > 0 {
 		logrus.Warnf("Using ContainerD runtime. This feature is experimental")
 		containerdRuntimeSupported = true
 	}
 }
 // ContainerdRuntimeSupported returns true if the use of ContainerD runtime is supported.
 func ContainerdRuntimeSupported() bool {
 	return containerdRuntimeSupported
 }
--- a/vendor/github.com/docker/docker/pkg/system/lcow.go
+++ b/vendor/github.com/docker/docker/pkg/system/lcow.go
@ -1,32 +0,0 @@
 package system // import "github.com/docker/docker/pkg/system"
 import (
 	"runtime"
 	"strings"
 	specs "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
 )
 // IsOSSupported determines if an operating system is supported by the host
 func IsOSSupported(os string) bool {
 	if strings.EqualFold(runtime.GOOS, os) {
 		return true
 	}
 	if LCOWSupported() && strings.EqualFold(os, "linux") {
 		return true
 	}
 	return false
 }
 // ValidatePlatform determines if a platform structure is valid.
 // TODO This is a temporary windows-only function, should be replaced by
 // comparison of worker capabilities
 func ValidatePlatform(platform specs.Platform) error {
 	if runtime.GOOS == "windows" {
 		if !(platform.OS == runtime.GOOS || (LCOWSupported() && platform.OS == "linux")) {
 			return errors.Errorf("unsupported os %s", platform.OS)
 		}
 	}
 	return nil
 }
--- a/vendor/github.com/docker/docker/pkg/system/lcow_unix.go
+++ b/vendor/github.com/docker/docker/pkg/system/lcow_unix.go
@ -1,8 +0,0 @@
 // +build !windows
 package system // import "github.com/docker/docker/pkg/system"
 // LCOWSupported returns true if Linux containers on Windows are supported.
 func LCOWSupported() bool {
 	return false
 }
--- a/vendor/github.com/docker/docker/pkg/system/lcow_windows.go
+++ b/vendor/github.com/docker/docker/pkg/system/lcow_windows.go
@ -1,6 +0,0 @@
 package system // import "github.com/docker/docker/pkg/system"
 // LCOWSupported returns true if Linux containers on Windows are supported.
 func LCOWSupported() bool {
 	return lcowSupported
 }
--- a/vendor/github.com/docker/docker/pkg/system/lstat_unix.go
+++ b/vendor/github.com/docker/docker/pkg/system/lstat_unix.go
@ -1,20 +0,0 @@
 // +build !windows
 package system // import "github.com/docker/docker/pkg/system"
 import (
 	"os"
 	"syscall"
 )
 // Lstat takes a path to a file and returns
 // a system.StatT type pertaining to that file.
 //
 // Throws an error if the file does not exist
 func Lstat(path string) (*StatT, error) {
 	s := &syscall.Stat_t{}
 	if err := syscall.Lstat(path, s); err != nil {
 		return nil, &os.PathError{Op: "Lstat", Path: path, Err: err}
 	}
 	return fromStatT(s)
 }
--- a/vendor/github.com/docker/docker/pkg/system/lstat_windows.go
+++ b/vendor/github.com/docker/docker/pkg/system/lstat_windows.go
@ -1,14 +0,0 @@
 package system // import "github.com/docker/docker/pkg/system"
 import "os"
 // Lstat calls os.Lstat to get a fileinfo interface back.
 // This is then copied into our own locally defined structure.
 func Lstat(path string) (*StatT, error) {
 	fi, err := os.Lstat(path)
 	if err != nil {
 		return nil, err
 	}
 	return fromStatT(&fi)
 }
--- a/vendor/github.com/docker/docker/pkg/system/meminfo.go
+++ b/vendor/github.com/docker/docker/pkg/system/meminfo.go
@ -1,17 +0,0 @@
 package system // import "github.com/docker/docker/pkg/system"
 // MemInfo contains memory statistics of the host system.
 type MemInfo struct {
 	// Total usable RAM (i.e. physical RAM minus a few reserved bits and the
 	// kernel binary code).
 	MemTotal int64
 	// Amount of free memory.
 	MemFree int64
 	// Total amount of swap space available.
 	SwapTotal int64
 	// Amount of swap space that is currently unused.
 	SwapFree int64
 }
--- a/vendor/github.com/docker/docker/pkg/system/meminfo_linux.go
+++ b/vendor/github.com/docker/docker/pkg/system/meminfo_linux.go
@ -1,71 +0,0 @@
 package system // import "github.com/docker/docker/pkg/system"
 import (
 	"bufio"
 	"io"
 	"os"
 	"strconv"
 	"strings"
 	units "github.com/docker/go-units"
 )
 // ReadMemInfo retrieves memory statistics of the host system and returns a
 // MemInfo type.
 func ReadMemInfo() (*MemInfo, error) {
 	file, err := os.Open("/proc/meminfo")
 	if err != nil {
 		return nil, err
 	}
 	defer file.Close()
 	return parseMemInfo(file)
 }
 // parseMemInfo parses the /proc/meminfo file into
 // a MemInfo object given an io.Reader to the file.
 // Throws error if there are problems reading from the file
 func parseMemInfo(reader io.Reader) (*MemInfo, error) {
 	meminfo := &MemInfo{}
 	scanner := bufio.NewScanner(reader)
 	memAvailable := int64(-1)
 	for scanner.Scan() {
 		// Expected format: ["MemTotal:", "1234", "kB"]
 		parts := strings.Fields(scanner.Text())
 		// Sanity checks: Skip malformed entries.
 		if len(parts) < 3 || parts[2] != "kB" {
 			continue
 		}
 		// Convert to bytes.
 		size, err := strconv.Atoi(parts[1])
 		if err != nil {
 			continue
 		}
 		bytes := int64(size) * units.KiB
 		switch parts[0] {
 		case "MemTotal:":
 			meminfo.MemTotal = bytes
 		case "MemFree:":
 			meminfo.MemFree = bytes
 		case "MemAvailable:":
 			memAvailable = bytes
 		case "SwapTotal:":
 			meminfo.SwapTotal = bytes
 		case "SwapFree:":
 			meminfo.SwapFree = bytes
 		}
 	}
 	if memAvailable != -1 {
 		meminfo.MemFree = memAvailable
 	}
 	// Handle errors that may have occurred during the reading of the file.
 	if err := scanner.Err(); err != nil {
 		return nil, err
 	}
 	return meminfo, nil
 }
--- a/vendor/github.com/docker/docker/pkg/system/meminfo_unsupported.go
+++ b/vendor/github.com/docker/docker/pkg/system/meminfo_unsupported.go
@ -1,8 +0,0 @@
 // +build !linux,!windows
 package system // import "github.com/docker/docker/pkg/system"
 // ReadMemInfo is not supported on platforms other than linux and windows.
 func ReadMemInfo() (*MemInfo, error) {
 	return nil, ErrNotSupportedPlatform
 }
--- a/vendor/github.com/docker/docker/pkg/system/meminfo_windows.go
+++ b/vendor/github.com/docker/docker/pkg/system/meminfo_windows.go
@ -1,45 +0,0 @@
 package system // import "github.com/docker/docker/pkg/system"
 import (
 	"unsafe"
 	"golang.org/x/sys/windows"
 )
 var (
 	modkernel32 = windows.NewLazySystemDLL("kernel32.dll")
 	procGlobalMemoryStatusEx = modkernel32.NewProc("GlobalMemoryStatusEx")
 )
 // https://msdn.microsoft.com/en-us/library/windows/desktop/aa366589(v=vs.85).aspx
 // https://msdn.microsoft.com/en-us/library/windows/desktop/aa366770(v=vs.85).aspx
 type memorystatusex struct {
 	dwLength                uint32
 	dwMemoryLoad            uint32
 	ullTotalPhys            uint64
 	ullAvailPhys            uint64
 	ullTotalPageFile        uint64
 	ullAvailPageFile        uint64
 	ullTotalVirtual         uint64
 	ullAvailVirtual         uint64
 	ullAvailExtendedVirtual uint64
 }
 // ReadMemInfo retrieves memory statistics of the host system and returns a
 //  MemInfo type.
 func ReadMemInfo() (*MemInfo, error) {
 	msi := &memorystatusex{
 		dwLength: 64,
 	}
 	r1, _, _ := procGlobalMemoryStatusEx.Call(uintptr(unsafe.Pointer(msi)))
 	if r1 == 0 {
 		return &MemInfo{}, nil
 	}
 	return &MemInfo{
 		MemTotal:  int64(msi.ullTotalPhys),
 		MemFree:   int64(msi.ullAvailPhys),
 		SwapTotal: int64(msi.ullTotalPageFile),
 		SwapFree:  int64(msi.ullAvailPageFile),
 	}, nil
 }
--- a/vendor/github.com/docker/docker/pkg/system/mknod.go
+++ b/vendor/github.com/docker/docker/pkg/system/mknod.go
@ -1,22 +0,0 @@
 // +build !windows
 package system // import "github.com/docker/docker/pkg/system"
 import (
 	"golang.org/x/sys/unix"
 )
 // Mknod creates a filesystem node (file, device special file or named pipe) named path
 // with attributes specified by mode and dev.
 func Mknod(path string, mode uint32, dev int) error {
 	return unix.Mknod(path, mode, dev)
 }
 // Mkdev is used to build the value of linux devices (in /dev/) which specifies major
 // and minor number of the newly created device special file.
 // Linux device nodes are a bit weird due to backwards compat with 16 bit device nodes.
 // They are, from low to high: the lower 8 bits of the minor, then 12 bits of the major,
 // then the top 12 bits of the minor.
 func Mkdev(major int64, minor int64) uint32 {
 	return uint32(unix.Mkdev(uint32(major), uint32(minor)))
 }
--- a/vendor/github.com/docker/docker/pkg/system/mknod_windows.go
+++ b/vendor/github.com/docker/docker/pkg/system/mknod_windows.go
@ -1,11 +0,0 @@
 package system // import "github.com/docker/docker/pkg/system"
 // Mknod is not implemented on Windows.
 func Mknod(path string, mode uint32, dev int) error {
 	return ErrNotSupportedPlatform
 }
 // Mkdev is not implemented on Windows.
 func Mkdev(major int64, minor int64) uint32 {
 	panic("Mkdev not implemented on Windows.")
 }
--- a/vendor/github.com/docker/docker/pkg/system/path.go
+++ b/vendor/github.com/docker/docker/pkg/system/path.go
@ -1,64 +0,0 @@
 package system // import "github.com/docker/docker/pkg/system"
 import (
 	"fmt"
 	"path/filepath"
 	"runtime"
 	"strings"
 )
 const defaultUnixPathEnv = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 // DefaultPathEnv is unix style list of directories to search for
 // executables. Each directory is separated from the next by a colon
 // ':' character .
 func DefaultPathEnv(os string) string {
 	if runtime.GOOS == "windows" {
 		if os != runtime.GOOS {
 			return defaultUnixPathEnv
 		}
 		// Deliberately empty on Windows containers on Windows as the default path will be set by
 		// the container. Docker has no context of what the default path should be.
 		return ""
 	}
 	return defaultUnixPathEnv
 }
 // PathVerifier defines the subset of a PathDriver that CheckSystemDriveAndRemoveDriveLetter
 // actually uses in order to avoid system depending on containerd/continuity.
 type PathVerifier interface {
 	IsAbs(string) bool
 }
 // CheckSystemDriveAndRemoveDriveLetter verifies that a path, if it includes a drive letter,
 // is the system drive.
 // On Linux: this is a no-op.
 // On Windows: this does the following>
 // CheckSystemDriveAndRemoveDriveLetter verifies and manipulates a Windows path.
 // This is used, for example, when validating a user provided path in docker cp.
 // If a drive letter is supplied, it must be the system drive. The drive letter
 // is always removed. Also, it translates it to OS semantics (IOW / to \). We
 // need the path in this syntax so that it can ultimately be concatenated with
 // a Windows long-path which doesn't support drive-letters. Examples:
 // C:			--> Fail
 // C:\			--> \
 // a			--> a
 // /a			--> \a
 // d:\			--> Fail
 func CheckSystemDriveAndRemoveDriveLetter(path string, driver PathVerifier) (string, error) {
 	if runtime.GOOS != "windows" || LCOWSupported() {
 		return path, nil
 	}
 	if len(path) == 2 && string(path[1]) == ":" {
 		return "", fmt.Errorf("No relative path specified in %q", path)
 	}
 	if !driver.IsAbs(path) || len(path) < 2 {
 		return filepath.FromSlash(path), nil
 	}
 	if string(path[1]) == ":" && !strings.EqualFold(string(path[0]), "c") {
 		return "", fmt.Errorf("The specified path is not on the system drive (C:)")
 	}
 	return filepath.FromSlash(path[2:]), nil
 }
--- a/vendor/github.com/docker/docker/pkg/system/path_unix.go
+++ b/vendor/github.com/docker/docker/pkg/system/path_unix.go
@ -1,10 +0,0 @@
 // +build !windows
 package system // import "github.com/docker/docker/pkg/system"
 // GetLongPathName converts Windows short pathnames to full pathnames.
 // For example C:\Users\ADMIN~1 --> C:\Users\Administrator.
 // It is a no-op on non-Windows platforms
 func GetLongPathName(path string) (string, error) {
 	return path, nil
 }
--- a/vendor/github.com/docker/docker/pkg/system/path_windows.go
+++ b/vendor/github.com/docker/docker/pkg/system/path_windows.go
@ -1,24 +0,0 @@
 package system // import "github.com/docker/docker/pkg/system"
 import "syscall"
 // GetLongPathName converts Windows short pathnames to full pathnames.
 // For example C:\Users\ADMIN~1 --> C:\Users\Administrator.
 // It is a no-op on non-Windows platforms
 func GetLongPathName(path string) (string, error) {
 	// See https://groups.google.com/forum/#!topic/golang-dev/1tufzkruoTg
 	p := syscall.StringToUTF16(path)
 	b := p // GetLongPathName says we can reuse buffer
 	n, err := syscall.GetLongPathName(&p[0], &b[0], uint32(len(b)))
 	if err != nil {
 		return "", err
 	}
 	if n > uint32(len(b)) {
 		b = make([]uint16, n)
 		_, err = syscall.GetLongPathName(&p[0], &b[0], uint32(len(b)))
 		if err != nil {
 			return "", err
 		}
 	}
 	return syscall.UTF16ToString(b), nil
 }
--- a/vendor/github.com/docker/docker/pkg/system/process_unix.go
+++ b/vendor/github.com/docker/docker/pkg/system/process_unix.go
@ -1,24 +0,0 @@
 // +build linux freebsd darwin
 package system // import "github.com/docker/docker/pkg/system"
 import (
 	"syscall"
 	"golang.org/x/sys/unix"
 )
 // IsProcessAlive returns true if process with a given pid is running.
 func IsProcessAlive(pid int) bool {
 	err := unix.Kill(pid, syscall.Signal(0))
 	if err == nil || err == unix.EPERM {
 		return true
 	}
 	return false
 }
 // KillProcess force-stops a process.
 func KillProcess(pid int) {
 	unix.Kill(pid, unix.SIGKILL)
 }
--- a/vendor/github.com/docker/docker/pkg/system/process_windows.go
+++ b/vendor/github.com/docker/docker/pkg/system/process_windows.go
@ -1,18 +0,0 @@
 package system // import "github.com/docker/docker/pkg/system"
 import "os"
 // IsProcessAlive returns true if process with a given pid is running.
 func IsProcessAlive(pid int) bool {
 	_, err := os.FindProcess(pid)
 	return err == nil
 }
 // KillProcess force-stops a process.
 func KillProcess(pid int) {
 	p, err := os.FindProcess(pid)
 	if err == nil {
 		p.Kill()
 	}
 }
--- a/vendor/github.com/docker/docker/pkg/system/rm.go
+++ b/vendor/github.com/docker/docker/pkg/system/rm.go
@ -1,80 +0,0 @@
 package system // import "github.com/docker/docker/pkg/system"
 import (
 	"os"
 	"syscall"
 	"time"
 	"github.com/docker/docker/pkg/mount"
 	"github.com/pkg/errors"
 )
 // EnsureRemoveAll wraps `os.RemoveAll` to check for specific errors that can
 // often be remedied.
 // Only use `EnsureRemoveAll` if you really want to make every effort to remove
 // a directory.
 //
 // Because of the way `os.Remove` (and by extension `os.RemoveAll`) works, there
 // can be a race between reading directory entries and then actually attempting
 // to remove everything in the directory.
 // These types of errors do not need to be returned since it's ok for the dir to
 // be gone we can just retry the remove operation.
 //
 // This should not return a `os.ErrNotExist` kind of error under any circumstances
 func EnsureRemoveAll(dir string) error {
 	notExistErr := make(map[string]bool)
 	// track retries
 	exitOnErr := make(map[string]int)
 	maxRetry := 50
 	// Attempt to unmount anything beneath this dir first
 	mount.RecursiveUnmount(dir)
 	for {
 		err := os.RemoveAll(dir)
 		if err == nil {
 			return nil
 		}
 		pe, ok := err.(*os.PathError)
 		if !ok {
 			return err
 		}
 		if os.IsNotExist(err) {
 			if notExistErr[pe.Path] {
 				return err
 			}
 			notExistErr[pe.Path] = true
 			// There is a race where some subdir can be removed but after the parent
 			//   dir entries have been read.
 			// So the path could be from `os.Remove(subdir)`
 			// If the reported non-existent path is not the passed in `dir` we
 			// should just retry, but otherwise return with no error.
 			if pe.Path == dir {
 				return nil
 			}
 			continue
 		}
 		if pe.Err != syscall.EBUSY {
 			return err
 		}
 		if mounted, _ := mount.Mounted(pe.Path); mounted {
 			if e := mount.Unmount(pe.Path); e != nil {
 				if mounted, _ := mount.Mounted(pe.Path); mounted {
 					return errors.Wrapf(e, "error while removing %s", dir)
 				}
 			}
 		}
 		if exitOnErr[pe.Path] == maxRetry {
 			return err
 		}
 		exitOnErr[pe.Path]++
 		time.Sleep(100 * time.Millisecond)
 	}
 }
--- a/vendor/github.com/docker/docker/pkg/system/stat_darwin.go
+++ b/vendor/github.com/docker/docker/pkg/system/stat_darwin.go
@ -1,13 +0,0 @@
 package system // import "github.com/docker/docker/pkg/system"
 import "syscall"
 // fromStatT converts a syscall.Stat_t type to a system.Stat_t type
 func fromStatT(s *syscall.Stat_t) (*StatT, error) {
 	return &StatT{size: s.Size,
 		mode: uint32(s.Mode),
 		uid:  s.Uid,
 		gid:  s.Gid,
 		rdev: uint64(s.Rdev),
 		mtim: s.Mtimespec}, nil
 }
--- a/vendor/github.com/docker/docker/pkg/system/stat_freebsd.go
+++ b/vendor/github.com/docker/docker/pkg/system/stat_freebsd.go
@ -1,13 +0,0 @@
 package system // import "github.com/docker/docker/pkg/system"
 import "syscall"
 // fromStatT converts a syscall.Stat_t type to a system.Stat_t type
 func fromStatT(s *syscall.Stat_t) (*StatT, error) {
 	return &StatT{size: s.Size,
 		mode: uint32(s.Mode),
 		uid:  s.Uid,
 		gid:  s.Gid,
 		rdev: uint64(s.Rdev),
 		mtim: s.Mtimespec}, nil
 }
--- a/vendor/github.com/docker/docker/pkg/system/stat_linux.go
+++ b/vendor/github.com/docker/docker/pkg/system/stat_linux.go
@ -1,20 +0,0 @@
 package system // import "github.com/docker/docker/pkg/system"
 import "syscall"
 // fromStatT converts a syscall.Stat_t type to a system.Stat_t type
 func fromStatT(s *syscall.Stat_t) (*StatT, error) {
 	return &StatT{size: s.Size,
 		mode: s.Mode,
 		uid:  s.Uid,
 		gid:  s.Gid,
 		// the type is 32bit on mips
 		rdev: uint64(s.Rdev), // nolint: unconvert
 		mtim: s.Mtim}, nil
 }
 // FromStatT converts a syscall.Stat_t type to a system.Stat_t type
 // This is exposed on Linux as pkg/archive/changes uses it.
 func FromStatT(s *syscall.Stat_t) (*StatT, error) {
 	return fromStatT(s)
 }
--- a/vendor/github.com/docker/docker/pkg/system/stat_openbsd.go
+++ b/vendor/github.com/docker/docker/pkg/system/stat_openbsd.go
@ -1,13 +0,0 @@
 package system // import "github.com/docker/docker/pkg/system"
 import "syscall"
 // fromStatT converts a syscall.Stat_t type to a system.Stat_t type
 func fromStatT(s *syscall.Stat_t) (*StatT, error) {
 	return &StatT{size: s.Size,
 		mode: uint32(s.Mode),
 		uid:  s.Uid,
 		gid:  s.Gid,
 		rdev: uint64(s.Rdev),
 		mtim: s.Mtim}, nil
 }
--- a/vendor/github.com/docker/docker/pkg/system/stat_unix.go
+++ b/vendor/github.com/docker/docker/pkg/system/stat_unix.go
@ -1,66 +0,0 @@
 // +build !windows
 package system // import "github.com/docker/docker/pkg/system"
 import (
 	"os"
 	"syscall"
 )
 // StatT type contains status of a file. It contains metadata
 // like permission, owner, group, size, etc about a file.
 type StatT struct {
 	mode uint32
 	uid  uint32
 	gid  uint32
 	rdev uint64
 	size int64
 	mtim syscall.Timespec
 }
 // Mode returns file's permission mode.
 func (s StatT) Mode() uint32 {
 	return s.mode
 }
 // UID returns file's user id of owner.
 func (s StatT) UID() uint32 {
 	return s.uid
 }
 // GID returns file's group id of owner.
 func (s StatT) GID() uint32 {
 	return s.gid
 }
 // Rdev returns file's device ID (if it's special file).
 func (s StatT) Rdev() uint64 {
 	return s.rdev
 }
 // Size returns file's size.
 func (s StatT) Size() int64 {
 	return s.size
 }
 // Mtim returns file's last modification time.
 func (s StatT) Mtim() syscall.Timespec {
 	return s.mtim
 }
 // IsDir reports whether s describes a directory.
 func (s StatT) IsDir() bool {
 	return s.mode&syscall.S_IFDIR != 0
 }
 // Stat takes a path to a file and returns
 // a system.StatT type pertaining to that file.
 //
 // Throws an error if the file does not exist
 func Stat(path string) (*StatT, error) {
 	s := &syscall.Stat_t{}
 	if err := syscall.Stat(path, s); err != nil {
 		return nil, &os.PathError{Op: "Stat", Path: path, Err: err}
 	}
 	return fromStatT(s)
 }
--- a/vendor/github.com/docker/docker/pkg/system/stat_windows.go
+++ b/vendor/github.com/docker/docker/pkg/system/stat_windows.go
@ -1,49 +0,0 @@
 package system // import "github.com/docker/docker/pkg/system"
 import (
 	"os"
 	"time"
 )
 // StatT type contains status of a file. It contains metadata
 // like permission, size, etc about a file.
 type StatT struct {
 	mode os.FileMode
 	size int64
 	mtim time.Time
 }
 // Size returns file's size.
 func (s StatT) Size() int64 {
 	return s.size
 }
 // Mode returns file's permission mode.
 func (s StatT) Mode() os.FileMode {
 	return os.FileMode(s.mode)
 }
 // Mtim returns file's last modification time.
 func (s StatT) Mtim() time.Time {
 	return time.Time(s.mtim)
 }
 // Stat takes a path to a file and returns
 // a system.StatT type pertaining to that file.
 //
 // Throws an error if the file does not exist
 func Stat(path string) (*StatT, error) {
 	fi, err := os.Stat(path)
 	if err != nil {
 		return nil, err
 	}
 	return fromStatT(&fi)
 }
 // fromStatT converts a os.FileInfo type to a system.StatT type
 func fromStatT(fi *os.FileInfo) (*StatT, error) {
 	return &StatT{
 		size: (*fi).Size(),
 		mode: (*fi).Mode(),
 		mtim: (*fi).ModTime()}, nil
 }
--- a/vendor/github.com/docker/docker/pkg/system/syscall_unix.go
+++ b/vendor/github.com/docker/docker/pkg/system/syscall_unix.go
@ -1,17 +0,0 @@
 // +build linux freebsd
 package system // import "github.com/docker/docker/pkg/system"
 import "golang.org/x/sys/unix"
 // Unmount is a platform-specific helper function to call
 // the unmount syscall.
 func Unmount(dest string) error {
 	return unix.Unmount(dest, 0)
 }
 // CommandLineToArgv should not be used on Unix.
 // It simply returns commandLine in the only element in the returned array.
 func CommandLineToArgv(commandLine string) ([]string, error) {
 	return []string{commandLine}, nil
 }
--- a/vendor/github.com/docker/docker/pkg/system/syscall_windows.go
+++ b/vendor/github.com/docker/docker/pkg/system/syscall_windows.go
@ -1,163 +0,0 @@
 package system // import "github.com/docker/docker/pkg/system"
 import (
 	"fmt"
 	"syscall"
 	"unsafe"
 	"github.com/Microsoft/hcsshim/osversion"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/sys/windows"
 )
 const (
 	OWNER_SECURITY_INFORMATION               = 0x00000001
 	GROUP_SECURITY_INFORMATION               = 0x00000002
 	DACL_SECURITY_INFORMATION                = 0x00000004
 	SACL_SECURITY_INFORMATION                = 0x00000008
 	LABEL_SECURITY_INFORMATION               = 0x00000010
 	ATTRIBUTE_SECURITY_INFORMATION           = 0x00000020
 	SCOPE_SECURITY_INFORMATION               = 0x00000040
 	PROCESS_TRUST_LABEL_SECURITY_INFORMATION = 0x00000080
 	ACCESS_FILTER_SECURITY_INFORMATION       = 0x00000100
 	BACKUP_SECURITY_INFORMATION              = 0x00010000
 	PROTECTED_DACL_SECURITY_INFORMATION      = 0x80000000
 	PROTECTED_SACL_SECURITY_INFORMATION      = 0x40000000
 	UNPROTECTED_DACL_SECURITY_INFORMATION    = 0x20000000
 	UNPROTECTED_SACL_SECURITY_INFORMATION    = 0x10000000
 )
 const (
 	SE_UNKNOWN_OBJECT_TYPE = iota
 	SE_FILE_OBJECT
 	SE_SERVICE
 	SE_PRINTER
 	SE_REGISTRY_KEY
 	SE_LMSHARE
 	SE_KERNEL_OBJECT
 	SE_WINDOW_OBJECT
 	SE_DS_OBJECT
 	SE_DS_OBJECT_ALL
 	SE_PROVIDER_DEFINED_OBJECT
 	SE_WMIGUID_OBJECT
 	SE_REGISTRY_WOW64_32KEY
 )
 const (
 	SeTakeOwnershipPrivilege = "SeTakeOwnershipPrivilege"
 )
 const (
 	ContainerAdministratorSidString = "S-1-5-93-2-1"
 	ContainerUserSidString          = "S-1-5-93-2-2"
 )
 var (
 	ntuserApiset                  = windows.NewLazyDLL("ext-ms-win-ntuser-window-l1-1-0")
 	modadvapi32                   = windows.NewLazySystemDLL("advapi32.dll")
 	procGetVersionExW             = modkernel32.NewProc("GetVersionExW")
 	procSetNamedSecurityInfo      = modadvapi32.NewProc("SetNamedSecurityInfoW")
 	procGetSecurityDescriptorDacl = modadvapi32.NewProc("GetSecurityDescriptorDacl")
 )
 // OSVersion is a wrapper for Windows version information
 // https://msdn.microsoft.com/en-us/library/windows/desktop/ms724439(v=vs.85).aspx
 type OSVersion osversion.OSVersion
 // https://msdn.microsoft.com/en-us/library/windows/desktop/ms724833(v=vs.85).aspx
 type osVersionInfoEx struct {
 	OSVersionInfoSize uint32
 	MajorVersion      uint32
 	MinorVersion      uint32
 	BuildNumber       uint32
 	PlatformID        uint32
 	CSDVersion        [128]uint16
 	ServicePackMajor  uint16
 	ServicePackMinor  uint16
 	SuiteMask         uint16
 	ProductType       byte
 	Reserve           byte
 }
 // GetOSVersion gets the operating system version on Windows. Note that
 // dockerd.exe must be manifested to get the correct version information.
 // Deprecated: use github.com/Microsoft/hcsshim/osversion.Get() instead
 func GetOSVersion() OSVersion {
 	return OSVersion(osversion.Get())
 }
 func (osv OSVersion) ToString() string {
 	return fmt.Sprintf("%d.%d.%d", osv.MajorVersion, osv.MinorVersion, osv.Build)
 }
 // IsWindowsClient returns true if the SKU is client
 // @engine maintainers - this function should not be removed or modified as it
 // is used to enforce licensing restrictions on Windows.
 func IsWindowsClient() bool {
 	osviex := &osVersionInfoEx{OSVersionInfoSize: 284}
 	r1, _, err := procGetVersionExW.Call(uintptr(unsafe.Pointer(osviex)))
 	if r1 == 0 {
 		logrus.Warnf("GetVersionExW failed - assuming server SKU: %v", err)
 		return false
 	}
 	const verNTWorkstation = 0x00000001
 	return osviex.ProductType == verNTWorkstation
 }
 // Unmount is a platform-specific helper function to call
 // the unmount syscall. Not supported on Windows
 func Unmount(dest string) error {
 	return nil
 }
 // CommandLineToArgv wraps the Windows syscall to turn a commandline into an argument array.
 func CommandLineToArgv(commandLine string) ([]string, error) {
 	var argc int32
 	argsPtr, err := windows.UTF16PtrFromString(commandLine)
 	if err != nil {
 		return nil, err
 	}
 	argv, err := windows.CommandLineToArgv(argsPtr, &argc)
 	if err != nil {
 		return nil, err
 	}
 	defer windows.LocalFree(windows.Handle(uintptr(unsafe.Pointer(argv))))
 	newArgs := make([]string, argc)
 	for i, v := range (*argv)[:argc] {
 		newArgs[i] = string(windows.UTF16ToString((*v)[:]))
 	}
 	return newArgs, nil
 }
 // HasWin32KSupport determines whether containers that depend on win32k can
 // run on this machine. Win32k is the driver used to implement windowing.
 func HasWin32KSupport() bool {
 	// For now, check for ntuser API support on the host. In the future, a host
 	// may support win32k in containers even if the host does not support ntuser
 	// APIs.
 	return ntuserApiset.Load() == nil
 }
 func SetNamedSecurityInfo(objectName *uint16, objectType uint32, securityInformation uint32, sidOwner *windows.SID, sidGroup *windows.SID, dacl *byte, sacl *byte) (result error) {
 	r0, _, _ := syscall.Syscall9(procSetNamedSecurityInfo.Addr(), 7, uintptr(unsafe.Pointer(objectName)), uintptr(objectType), uintptr(securityInformation), uintptr(unsafe.Pointer(sidOwner)), uintptr(unsafe.Pointer(sidGroup)), uintptr(unsafe.Pointer(dacl)), uintptr(unsafe.Pointer(sacl)), 0, 0)
 	if r0 != 0 {
 		result = syscall.Errno(r0)
 	}
 	return
 }
 func GetSecurityDescriptorDacl(securityDescriptor *byte, daclPresent *uint32, dacl **byte, daclDefaulted *uint32) (result error) {
 	r1, _, e1 := syscall.Syscall6(procGetSecurityDescriptorDacl.Addr(), 4, uintptr(unsafe.Pointer(securityDescriptor)), uintptr(unsafe.Pointer(daclPresent)), uintptr(unsafe.Pointer(dacl)), uintptr(unsafe.Pointer(daclDefaulted)), 0, 0)
 	if r1 == 0 {
 		if e1 != 0 {
 			result = syscall.Errno(e1)
 		} else {
 			result = syscall.EINVAL
 		}
 	}
 	return
 }
--- a/vendor/github.com/docker/docker/pkg/system/umask.go
+++ b/vendor/github.com/docker/docker/pkg/system/umask.go
@ -1,13 +0,0 @@
 // +build !windows
 package system // import "github.com/docker/docker/pkg/system"
 import (
 	"golang.org/x/sys/unix"
 )
 // Umask sets current process's file mode creation mask to newmask
 // and returns oldmask.
 func Umask(newmask int) (oldmask int, err error) {
 	return unix.Umask(newmask), nil
 }
--- a/vendor/github.com/docker/docker/pkg/system/umask_windows.go
+++ b/vendor/github.com/docker/docker/pkg/system/umask_windows.go
@ -1,7 +0,0 @@
 package system // import "github.com/docker/docker/pkg/system"
 // Umask is not supported on the windows platform.
 func Umask(newmask int) (oldmask int, err error) {
 	// should not be called on cli code path
 	return 0, ErrNotSupportedPlatform
 }
--- a/vendor/github.com/docker/docker/pkg/system/utimes_unix.go
+++ b/vendor/github.com/docker/docker/pkg/system/utimes_unix.go
@ -1,24 +0,0 @@
 // +build linux freebsd
 package system // import "github.com/docker/docker/pkg/system"
 import (
 	"syscall"
 	"golang.org/x/sys/unix"
 )
 // LUtimesNano is used to change access and modification time of the specified path.
 // It's used for symbol link file because unix.UtimesNano doesn't support a NOFOLLOW flag atm.
 func LUtimesNano(path string, ts []syscall.Timespec) error {
 	uts := []unix.Timespec{
 		unix.NsecToTimespec(syscall.TimespecToNsec(ts[0])),
 		unix.NsecToTimespec(syscall.TimespecToNsec(ts[1])),
 	}
 	err := unix.UtimesNanoAt(unix.AT_FDCWD, path, uts, unix.AT_SYMLINK_NOFOLLOW)
 	if err != nil && err != unix.ENOSYS {
 		return err
 	}
 	return nil
 }
--- a/vendor/github.com/docker/docker/pkg/system/utimes_unsupported.go
+++ b/vendor/github.com/docker/docker/pkg/system/utimes_unsupported.go
@ -1,10 +0,0 @@
 // +build !linux,!freebsd
 package system // import "github.com/docker/docker/pkg/system"
 import "syscall"
 // LUtimesNano is only supported on linux and freebsd.
 func LUtimesNano(path string, ts []syscall.Timespec) error {
 	return ErrNotSupportedPlatform
 }
--- a/vendor/github.com/docker/docker/pkg/system/xattrs_linux.go
+++ b/vendor/github.com/docker/docker/pkg/system/xattrs_linux.go
@ -1,29 +0,0 @@
 package system // import "github.com/docker/docker/pkg/system"
 import "golang.org/x/sys/unix"
 // Lgetxattr retrieves the value of the extended attribute identified by attr
 // and associated with the given path in the file system.
 // It will returns a nil slice and nil error if the xattr is not set.
 func Lgetxattr(path string, attr string) ([]byte, error) {
 	dest := make([]byte, 128)
 	sz, errno := unix.Lgetxattr(path, attr, dest)
 	if errno == unix.ENODATA {
 		return nil, nil
 	}
 	if errno == unix.ERANGE {
 		dest = make([]byte, sz)
 		sz, errno = unix.Lgetxattr(path, attr, dest)
 	}
 	if errno != nil {
 		return nil, errno
 	}
 	return dest[:sz], nil
 }
 // Lsetxattr sets the value of the extended attribute identified by attr
 // and associated with the given path in the file system.
 func Lsetxattr(path string, attr string, data []byte, flags int) error {
 	return unix.Lsetxattr(path, attr, data, flags)
 }
--- a/vendor/github.com/docker/docker/pkg/system/xattrs_unsupported.go
+++ b/vendor/github.com/docker/docker/pkg/system/xattrs_unsupported.go
@ -1,13 +0,0 @@
 // +build !linux
 package system // import "github.com/docker/docker/pkg/system"
 // Lgetxattr is not supported on platforms other than linux.
 func Lgetxattr(path string, attr string) ([]byte, error) {
 	return nil, ErrNotSupportedPlatform
 }
 // Lsetxattr is not supported on platforms other than linux.
 func Lsetxattr(path string, attr string, data []byte, flags int) error {
 	return ErrNotSupportedPlatform
 }
--- a/vendor/github.com/docker/docker/vendor.conf
+++ b/vendor/github.com/docker/docker/vendor.conf
@ -1,5 +1,5 @@
 github.com/Azure/go-ansiterm                        d6e3b3328b783f23731bc4d058875b0371ff8109
-github.com/Microsoft/hcsshim                        2226e083fc390003ae5aa8325c3c92789afa0e7a
+github.com/Microsoft/hcsshim                        b3f49c06ffaeef24d09c6c08ec8ec8425a0303e2 # v0.8.7
 github.com/Microsoft/go-winio                       6c72808b55902eae4c5943626030429ff20f3b63 # v0.4.14
 github.com/docker/libtrust                          9cbd2a1374f46905c68a4eb3694a130610adc62a
 github.com/golang/gddo                              72a348e765d293ed6d1ded7b699591f14d6cd921
@ -12,25 +12,25 @@ github.com/konsorten/go-windows-terminal-sequences  f55edac94c9bbba5d6182a4be46d
 github.com/mattn/go-shellwords                      36a9b3c57cb5caa559ff63fb7e9b585f1c00df75 # v1.0.6
 github.com/sirupsen/logrus                          839c75faf7f98a33d445d181f3018b5c3409a45e # v1.4.2
 github.com/tchap/go-patricia                        a7f0089c6f496e8e70402f61733606daa326cac5 # v2.3.0
-golang.org/x/net                                    f3200d17e092c607f615320ecaad13d87ad9a2b3
+golang.org/x/net                                    0de0cce0169b09b364e001f108dc0399ea8630b3
-golang.org/x/sys                                    c990c680b611ac1aeb7d8f2af94a825f98d69720
+golang.org/x/sys                                    d5e6a3e2c0ae16fc7480523ebcb7fd4dd3215489
 github.com/docker/go-units                          519db1ee28dcc9fd2474ae59fca29a810482bfb1 # v0.4.0
 github.com/docker/go-connections                    7395e3f8aa162843a74ed6d48e79627d9792ac55 # v0.4.0
-golang.org/x/text                                   f21a4dfb5e38f5895301dc265a8def02365cc3d0 # v0.3.0
+golang.org/x/text                                   342b2e1fbaa52c93f31447ad2c6abc048c63e475 # v0.3.2
-gotest.tools                                        1083505acf35a0bd8a696b26837e1fb3187a7a83 # v2.3.0
+gotest.tools/v3                                     bb0d8a963040ea5048dcef1a14d8f8b58a33d4b3 # v3.0.2
 github.com/google/go-cmp                            3af367b6b30c263d47e8895973edcca9a49cf029 # v0.2.0
 github.com/syndtr/gocapability                      d98352740cb2c55f81556b63d4a1ec64c5a319c2
 github.com/RackSec/srslog                           a4725f04ec91af1a91b380da679d6e0c2f061e59
 github.com/imdario/mergo                            1afb36080aec31e0d1528973ebe6721b191b0369 # v0.3.8
-golang.org/x/sync                                   e225da77a7e68af35c70ccbf71af2b83e6acac3c
+golang.org/x/sync                                   cd5d95a43a6e21273425c7ae415d3df9ea832eeb
 # buildkit
-github.com/moby/buildkit                            f7042823e340d38d1746aa675b83d1aca431cee3
+github.com/moby/buildkit                            4d8d91bf49c769b8458e9aa84746c842b4a0e39a
-github.com/tonistiigi/fsutil                        3bbb99cdbd76619ab717299830c60f6f2a533a6b
+github.com/tonistiigi/fsutil                        013a9fe6aee2d1658457075bf9e688bc8c0be2e0
 github.com/grpc-ecosystem/grpc-opentracing          8e809c8a86450a29b90dcc9efbf062d0fe6d9746
 github.com/opentracing/opentracing-go               1361b9cd60be79c4c3a7fa9841b3c132e40066a7
-github.com/google/shlex                             6f45313302b9c56850fc17f99e40caebce98c716
+github.com/google/shlex                             e7afc7fbc51079733e9468cdfd1efcd7d196cd1d
 github.com/opentracing-contrib/go-stdlib            b1a47cfbdd7543e70e9ef3e73d0802ad306cc1cc
 github.com/mitchellh/hashstructure                  2bca23e0e452137f789efbc8610126fd8b94f73b
 github.com/gofrs/flock                              392e7fae8f1b0bdbd67dad7237d23f618feb6dbb # v0.7.1
@ -38,7 +38,7 @@ github.com/gofrs/flock                              392e7fae8f1b0bdbd67dad7237d2
 # libnetwork
 # When updating, also update LIBNETWORK_COMMIT in hack/dockerfile/install/proxy.installer accordingly
-github.com/docker/libnetwork                        90afbb01e1d8acacb505a092744ea42b9f167377
+github.com/docker/libnetwork                        bf2bd42abc0a3734f12b5ec724e571434e42c669
 github.com/docker/go-events                         9461782956ad83b30282bf90e31fa6a70c255ba9
 github.com/armon/go-radix                           e39d623f12e8e41c7b5529e9a9dd67a1e2261f80
 github.com/armon/go-metrics                         eb0af217e5e9747e41dd5303755356b62d28e3ec
@ -61,7 +61,7 @@ github.com/coreos/etcd                              d57e8b8d97adfc4a6c224fe11671
 github.com/coreos/go-semver                         8ab6407b697782a06568d4b7f1db25550ec2e4c6 # v0.2.0
 github.com/ugorji/go                                b4c50a2b199d93b13dc15e78929cfb23bfdf21ab # v1.1.1
 github.com/hashicorp/consul                         9a9cc9341bb487651a0399e3fc5e1e8a42e62dd9 # v0.5.2
-github.com/miekg/dns                                e57bf427e68187a27e22adceac868350d7a7079b # v1.0.7
+github.com/miekg/dns                                6c0c4e6581f8e173cc562c8b3363ab984e4ae071 # v1.1.27
 github.com/ishidawataru/sctp                        6e2cb1366111dcf547c13531e3a263a067715847
 go.etcd.io/bbolt                                    a0458a2b35708eef59eb5f620ceb3cd1c01a824d # v1.3.3
@ -73,21 +73,23 @@ github.com/opencontainers/go-digest                 279bed98673dd5bef374d3b6e4b0
 # get go-zfs packages
 github.com/mistifyio/go-zfs                         f784269be439d704d3dfa1906f45dd848fed2beb
-google.golang.org/grpc                              6eaf6f47437a6b4e2153a190160ef39a92c7eceb # v1.23.0
+google.golang.org/grpc                              f495f5b15ae7ccda3b38c53a1bfcde4c1a58a2bc # v1.27.1
 # The version of runc should match the version that is used by the containerd
 # version that is used. If you need to update runc, open a pull request in
 # the containerd project first, and update both after that is merged.
 # This commit does not need to match RUNC_COMMIT as it is used for helper
 # packages but should be newer or equal.
-github.com/opencontainers/runc                      3e425f80a8c931f88e6d94a8c831b9d5aa481657 # v1.0.0-rc8-92-g84373aaa
+github.com/opencontainers/runc                      dc9208a3303feef5b3839f4323d9beb36df0a9dd # v1.0.0-rc10
 github.com/opencontainers/runtime-spec              29686dbc5559d93fb1ef402eeda3e35c38d75af4 # v1.0.1-59-g29686db
 github.com/opencontainers/image-spec                d60099175f88c47cd379c4738d158884749ed235 # v1.0.1
 github.com/seccomp/libseccomp-golang                689e3c1541a84461afc49c1c87352a6cedf72e9c # v0.9.1
 # systemd integration (journald, daemon/listeners, containerd/cgroups)
 github.com/coreos/go-systemd/v22                    2d78030078ef61b3cae27f42ad6d0e46db51b339 # v22.0.0
 github.com/godbus/dbus/v5                           37bf87eef99d69c4f1d3528bd66e3a87dc201472 # v5.0.3
 # go-systemd v17 is required by github.com/coreos/pkg/capnslog/journald_formatter.go
 github.com/coreos/go-systemd                        39ca1b05acc7ad1220e09f133283b8859a8b71ab # v17
 github.com/godbus/dbus                              5f6efc7ef2759c81b7ba876593971bfce311eab3 # v4.0.0
 # gelf logging driver deps
 github.com/Graylog2/go-gelf                         1550ee647df0510058c9d67a45c56f18911d80b8 # v2 branch
@ -101,41 +103,40 @@ github.com/tinylib/msgp                             af6442a0fcf6e2a1b824f70dd0c7
 github.com/fsnotify/fsnotify                        1485a34d5d5723fea214f5710708e19a831720e4 # v1.4.7-11-g1485a34
 # awslogs deps
-github.com/aws/aws-sdk-go                           9ed0c8de252f04ac45a65358377103d5a1aa2d92 # v1.12.66
+github.com/aws/aws-sdk-go                           2590bc875c54c9fda225d8e4e56a9d28d90c6a47 # v1.28.11
-github.com/go-ini/ini                               300e940a926eb277d3901b20bdfcc54928ad3642 # v1.25.4
+github.com/jmespath/go-jmespath                     c2b33e8439af944379acbdd9c3a5fe0bc44bd8a5 # see https://github.com/aws/aws-sdk-go/blob/2590bc875c54c9fda225d8e4e56a9d28d90c6a47/Gopkg.toml#L42
 github.com/jmespath/go-jmespath                     0b12d6b521d83fc7f755e7cfc1b1fbdd35a01a74
 # logentries
 github.com/bsphere/le_go                            7a984a84b5492ae539b79b62fb4a10afc63c7bcf
 # gcplogs deps
-golang.org/x/oauth2                                 ec22f46f877b4505e0117eeaab541714644fdd28
+golang.org/x/oauth2                                 bf48bf16ab8d622ce64ec6ce98d2c98f916b6303
 google.golang.org/api                               de943baf05a022a8f921b544b7827bacaba1aed5
 go.opencensus.io                                    c3ed530f775d85e577ca652cb052a52c078aad26 # v0.11.0
 cloud.google.com/go                                 0fd7230b2a7505833d5f69b75cbd6c9582401479 # v0.23.0
 github.com/googleapis/gax-go                        317e0006254c44a0ac427cc52a0e083ff0b9622f # v2.0.0
-google.golang.org/genproto                          694d95ba50e67b2e363f3483057db5d4910c18f9
+google.golang.org/genproto                          3f1135a288c9a07e340ae8ba4cc6c7065a3160e8
 # containerd
-github.com/containerd/containerd                    36cf5b690dcc00ff0f34ff7799209050c3d0c59a # v1.3.0
+github.com/containerd/containerd                    4d242818bf55542e5d7876ca276fea83029e803c
-github.com/containerd/fifo                          bda0ff6ed73c67bfb5e62bc9c697f146b7fd7f13
+github.com/containerd/fifo                          ff969a566b00877c63489baf6e8c35d60af6142c
-github.com/containerd/continuity                    f2a389ac0a02ce21c09edd7344677a601970f41c
+github.com/containerd/continuity                    26c1120b8d4107d2471b93ad78ef7ce1fc84c4c4
-github.com/containerd/cgroups                       5fbad35c2a7e855762d3c60f2e474ffcad0d470a
+github.com/containerd/cgroups                       44306b6a1d46985d916b48b4199f93a378af314f
-github.com/containerd/console                       0650fd9eeb50bab4fc99dceb9f2e14cf58f36e7f
+github.com/containerd/console                       8375c3424e4d7b114e8a90a4a40c8e1b40d1d4e6
-github.com/containerd/go-runc                       e029b79d8cda8374981c64eba71f28ec38e5526f
+github.com/containerd/go-runc                       7016d3ce2328dd2cb1192b2076ebd565c4e8df0c
-github.com/containerd/typeurl                       2a93cfde8c20b23de8eb84a5adbc234ddf7a9e8d
+github.com/containerd/typeurl                       b45ef1f1f737e10bd45b25b669df25f0da8b9ba0
-github.com/containerd/ttrpc                         92c8520ef9f86600c650dd540266a007bf03670f
+github.com/containerd/ttrpc                         0be804eadb152bc3b3c20c5edc314c4633833398
-github.com/gogo/googleapis                          d31c731455cb061f42baff3bda55bad0118b126b # v1.2.0
+github.com/gogo/googleapis                          01e0f9cca9b92166042241267ee2a5cdf5cff46c # v1.3.2
 # cluster
-github.com/docker/swarmkit                          7dded76ec532741c1ad9736cd2bb6d6661f0a386
+github.com/docker/swarmkit                          49e35619b18200845c9365c1e953440c28868002
-github.com/gogo/protobuf                            ba06b47c162d49f2af050fb4c75bcbc86a159d5c # v1.2.1
+github.com/gogo/protobuf                            5628607bb4c51c3157aacc3a50f0ab707582b805 # v1.3.1
-github.com/golang/protobuf                          aa810b61a9c79d51363740d207bb46cf8e620ed5 # v1.2.0
+github.com/golang/protobuf                          d23c5127dc24889085f8ccea5c9d560a57a879d8 # v1.3.3
 github.com/cloudflare/cfssl                         5d63dbd981b5c408effbb58c442d54761ff94fbd # 1.3.2
 github.com/fernet/fernet-go                         9eac43b88a5efb8651d24de9b68e87567e029736
 github.com/google/certificate-transparency-go       37a384cd035e722ea46e55029093e26687138edf # v1.0.20
-golang.org/x/crypto                                 88737f569e3a9c7ab309cdc09a07fe7fc87233c3
+golang.org/x/crypto                                 2aa609cf4a9d7d1126360de73b55b6002f9e052a
-golang.org/x/time                                   fbb02b2291d28baffd63558aa44b4b56f178d650
+golang.org/x/time                                   555d28b269f0569763d25dbe1a237ae74c6bcc82
 github.com/hashicorp/go-memdb                       cb9a474f84cc5e41b273b20c6927680b2a8776ad
 github.com/hashicorp/go-immutable-radix             826af9ccf0feeee615d546d69b11f8e98da8c8f1 git://github.com/tonistiigi/go-immutable-radix.git
 github.com/hashicorp/golang-lru                     7f827b33c0f158ec5dfbba01bb0b14a4541fd81d # v0.5.3
@ -143,14 +144,15 @@ github.com/coreos/pkg                               3ac0863d7acf3bc44daf49afef89
 code.cloudfoundry.org/clock                         02e53af36e6c978af692887ed449b74026d76fec
 # prometheus
-github.com/prometheus/client_golang                 c5b7fccd204277076155f10851dad72b76a49317 # v0.8.0
+github.com/prometheus/client_golang                 c42bebe5a5cddfc6b28cd639103369d8a75dfa89 # v1.3.0
-github.com/beorn7/perks                             e7f67b54abbeac9c40a31de0f81159e4cafebd6a
+github.com/beorn7/perks                             37c8de3658fcb183f997c4e13e8337516ab753e6 # v1.0.1
-github.com/prometheus/client_model                  6f3806018612930941127f2a7c6c453ba2c527d2
+github.com/prometheus/client_model                  d1d2010b5beead3fa1c5f271a5cf626e40b3ad6e # v0.1.0
-github.com/prometheus/common                        7600349dcfe1abd18d72d3a1770870d9800a7801
+github.com/prometheus/common                        287d3e634a1e550c9e463dd7e5a75a422c614505 # v0.7.0
-github.com/prometheus/procfs                        7d6f385de8bea29190f15ba9931442a0eaef9af7
+github.com/prometheus/procfs                        6d489fc7f1d9cd890a250f3ea3431b1744b9623f # v0.0.8
 github.com/matttproud/golang_protobuf_extensions    c12348ce28de40eed0136aa2b644d0ee0650e56c # v1.0.1
 github.com/pkg/errors                               ba968bfe8b2f7e042a574c888954fccecfa385b4 # v0.8.1
 github.com/grpc-ecosystem/go-grpc-prometheus        c225b8c3b01faf2899099b768856a9e916e5087b # v1.2.0
 github.com/cespare/xxhash/v2                        d7df74196a9e781ede915320c11c378c1b2f3a1f # v2.1.1
 # cli
 github.com/spf13/cobra                              ef82de70bb3f60c65fb8eebacbb2d122ef517385 # v0.0.3
@ -159,8 +161,8 @@ github.com/inconshreveable/mousetrap                76626ae9c91c4f2a10f34cad8ce8
 github.com/morikuni/aec                             39771216ff4c63d11f5e604076f9c45e8be1067b
 # metrics
-github.com/docker/go-metrics                        d466d4f6fd960e01820085bd7e1a24426ee7ef18
+github.com/docker/go-metrics                        b619b3592b65de4f087d9f16863a7e6ff905973c # v0.0.1
-github.com/opencontainers/selinux                   3a1f366feb7aecbf7a0e71ac4cea88b31597de9e # v1.2.2
+github.com/opencontainers/selinux                   31f70552238c5e017d78c3f1ba65e85f593f48e0 # v1.3.3
 # DO NOT EDIT BELOW THIS LINE -------- reserved for downstream projects --------