Skip to content

Migrate pkg/runtimes/docker/ to moby/moby/client for Docker SDK v29 #1671

Description

@iwilltry42

Background

The Docker Engine SDK split at v29. v28.x is the final release that publishes Go modules at github.com/docker/docker and github.com/docker/cli. From v29 onwards, the client and types live in two new modules:

  • github.com/moby/moby/client — client implementation
  • github.com/moby/moby/api — API types

github.com/docker/cli@v29.x exists but no longer imports github.com/docker/docker — it uses the new modules. github.com/docker/docker has no v29 published.

Impact

This leaves the following Dependabot alerts unresolved as long as k3d stays on docker/docker@v28.x:

  • CVE-2026-34040 (HIGH, Moby AuthZ plugin bypass — engine fix v29.3.1)
  • CVE-2025-15558 (HIGH Windows, Docker CLI uncontrolled search path — fix docker/cli@v29.2.0)

Plus any future Moby/Docker fixes that land in v29+ only.

Scope of work

Migrate the runtime layer to the new module paths. Surface area in k3d:

  • pkg/runtimes/docker/ — ~9 files, 24+ imports of docker/docker / docker/docker/client / docker/docker/api/types/*
  • tools/cmd/image.go (and friends) — smaller surface

Likely changes:

  • import "github.com/docker/docker/client"import "github.com/moby/moby/client"
  • import "github.com/docker/docker/api/types/container"import "github.com/moby/moby/api/types/container" (similar for network, image, volume, etc.)
  • Some types moved between subpackages between v28 and v29 — call sites may need small adjustments.

Notes

  • v5.9.0 ships with docker/docker@v28.5.2. The version-bump PR (chore(deps): refresh deps + base images for v5.9.0 #1670) explicitly defers this migration.
  • The runtime container engine on the host can be any version; this is purely a Go SDK module bump for what k3d uses to talk to Docker.
  • E2E coverage in DIND should catch behavior regressions.

Acceptance criteria

  • All pkg/runtimes/docker/ files migrated to moby/moby/client + moby/moby/api
  • All tools/cmd/ files migrated similarly
  • make check, make test, make build-cross, make build-helper-images green
  • E2E green in CI
  • Dependabot alerts for CVE-2026-34040 and CVE-2025-15558 close after merge

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions