Dockerfile: use TARGETPLATFORM to build Docker

Better support for cross compilation so we can fully rely
on `--platform` flag of buildx for a seamless integration.

This removes unnecessary extra cross logic in the Dockerfile,
DOCKER_CROSSPLATFORMS and CROSS vars and some hack scripts as well.

Non-sandboxed build invocation is still supported and dev stages
in the Dockerfile have been updated accordingly.

Bake definition and GitHub Actions workflows have been updated
accordingly as well.

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>

.github/workflows/ci.yml

@@ -54,23 +54,36 @@ jobs:
           if-no-files-found: error
           retention-days: 7
 
+  prepare-cross:
+    runs-on: ubuntu-latest
+    needs:
+      - validate-dco
+    outputs:
+      matrix: ${{ steps.platforms.outputs.matrix }}
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Create matrix
+        id: platforms
+        run: |
+          matrix="$(docker buildx bake binary-cross --print | jq -cr '.target."binary-cross".platforms')"
+          echo "matrix=$matrix" >> $GITHUB_OUTPUT
+      -
+        name: Show matrix
+        run: |
+          echo ${{ steps.platforms.outputs.matrix }}
+
   cross:
     runs-on: ubuntu-20.04
     needs:
       - validate-dco
+      - prepare-cross
     strategy:
       fail-fast: false
       matrix:
-        platform:
-          - linux/amd64
-          - linux/arm/v5
-          - linux/arm/v6
-          - linux/arm/v7
-          - linux/arm64
-          - linux/ppc64le
-          - linux/s390x
-          - windows/amd64
-          - windows/arm64
+        platform: ${{ fromJson(needs.prepare-cross.outputs.matrix) }}
     steps:
       -
         name: Checkout
@@ -89,9 +102,9 @@ jobs:
         name: Build
         uses: docker/bake-action@v2
         with:
-          targets: cross
-        env:
-          DOCKER_CROSSPLATFORMS: ${{ matrix.platform }}
+          targets: binary
+          set: |
+            *.platform=${{ matrix.platform }}
       -
         name: Upload artifacts
         uses: actions/upload-artifact@v3

Dockerfile

@@ -8,7 +8,6 @@ ARG XX_VERSION=1.1.2
 ARG VPNKIT_VERSION=0.5.0
 ARG DOCKERCLI_VERSION=v17.06.2-ce
 
-ARG CROSS="false"
 ARG SYSTEMD="false"
 ARG DEBIAN_FRONTEND=noninteractive
 ARG DOCKER_STATIC=1
@@ -128,60 +127,6 @@ RUN /download-frozen-image-v2.sh /build \
         hello-world:latest@sha256:d58e752213a51785838f9eed2b7a498ffa1cb3aa7f946dda11af39286c3db9a9 \
         arm32v7/hello-world:latest@sha256:50b8560ad574c779908da71f7ce370c0a2471c098d44d1c8f6b513c5a55eeeb1
 
-FROM base AS cross-false
-
-FROM --platform=linux/amd64 base AS cross-true
-ARG DEBIAN_FRONTEND
-RUN dpkg --add-architecture arm64
-RUN dpkg --add-architecture armel
-RUN dpkg --add-architecture armhf
-RUN dpkg --add-architecture ppc64el
-RUN dpkg --add-architecture s390x
-RUN --mount=type=cache,sharing=locked,id=moby-cross-true-aptlib,target=/var/lib/apt \
-    --mount=type=cache,sharing=locked,id=moby-cross-true-aptcache,target=/var/cache/apt \
-        apt-get update && apt-get install -y --no-install-recommends \
-            crossbuild-essential-arm64 \
-            crossbuild-essential-armel \
-            crossbuild-essential-armhf \
-            crossbuild-essential-ppc64el \
-            crossbuild-essential-s390x
-
-FROM cross-${CROSS} AS dev-base
-
-FROM dev-base AS runtime-dev-cross-false
-ARG DEBIAN_FRONTEND
-RUN --mount=type=cache,sharing=locked,id=moby-cross-false-aptlib,target=/var/lib/apt \
-    --mount=type=cache,sharing=locked,id=moby-cross-false-aptcache,target=/var/cache/apt \
-        apt-get update && apt-get install -y --no-install-recommends \
-            binutils-mingw-w64 \
-            g++-mingw-w64-x86-64 \
-            libapparmor-dev \
-            libbtrfs-dev \
-            libdevmapper-dev \
-            libseccomp-dev \
-            libsystemd-dev \
-            libudev-dev
-
-FROM --platform=linux/amd64 runtime-dev-cross-false AS runtime-dev-cross-true
-ARG DEBIAN_FRONTEND
-# These crossbuild packages rely on gcc-<arch>, but this doesn't want to install
-# on non-amd64 systems, so other architectures cannot crossbuild amd64.
-RUN --mount=type=cache,sharing=locked,id=moby-cross-true-aptlib,target=/var/lib/apt \
-    --mount=type=cache,sharing=locked,id=moby-cross-true-aptcache,target=/var/cache/apt \
-        apt-get update && apt-get install -y --no-install-recommends \
-            libapparmor-dev:arm64 \
-            libapparmor-dev:armel \
-            libapparmor-dev:armhf \
-            libapparmor-dev:ppc64el \
-            libapparmor-dev:s390x \
-            libseccomp-dev:arm64 \
-            libseccomp-dev:armel \
-            libseccomp-dev:armhf \
-            libseccomp-dev:ppc64el \
-            libseccomp-dev:s390x
-
-FROM runtime-dev-cross-${CROSS} AS runtime-dev
-
 # delve
 FROM base AS delve-src
 WORKDIR /usr/src/delve
@@ -494,8 +439,44 @@ FROM containerutil-build AS containerutil-windows-amd64
 FROM containerutil-windows-${TARGETARCH} AS containerutil-windows
 FROM containerutil-${TARGETOS} AS containerutil
 
-# TODO: Some of this is only really needed for testing, it would be nice to split this up
-FROM runtime-dev AS dev-systemd-false
+FROM base AS dev-systemd-false
+COPY --from=dockercli     /build/ /usr/local/cli
+COPY --from=frozen-images /build/ /docker-frozen-images
+COPY --from=swagger       /build/ /usr/local/bin/
+COPY --from=delve         /build/ /usr/local/bin/
+COPY --from=tomll         /build/ /usr/local/bin/
+COPY --from=gowinres      /build/ /usr/local/bin/
+COPY --from=tini          /build/ /usr/local/bin/
+COPY --from=registry      /build/ /usr/local/bin/
+COPY --from=criu          /build/ /usr/local/bin/
+COPY --from=gotestsum     /build/ /usr/local/bin/
+COPY --from=golangci_lint /build/ /usr/local/bin/
+COPY --from=shfmt         /build/ /usr/local/bin/
+COPY --from=runc          /build/ /usr/local/bin/
+COPY --from=containerd    /build/ /usr/local/bin/
+COPY --from=rootlesskit   /build/ /usr/local/bin/
+COPY --from=vpnkit        /       /usr/local/bin/
+COPY --from=containerutil /build/ /usr/local/bin/
+COPY --from=crun          /build/ /usr/local/bin/
+COPY hack/dockerfile/etc/docker/  /etc/docker/
+ENV PATH=/usr/local/cli:$PATH
+WORKDIR /go/src/github.com/docker/docker
+VOLUME /var/lib/docker
+VOLUME /home/unprivilegeduser/.local/share/docker
+# Wrap all commands in the "docker-in-docker" script to allow nested containers
+ENTRYPOINT ["hack/dind"]
+
+FROM dev-systemd-false AS dev-systemd-true
+RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
+    --mount=type=cache,sharing=locked,id=moby-dev-aptcache,target=/var/cache/apt \
+        apt-get update && apt-get install -y --no-install-recommends \
+            dbus \
+            dbus-user-session \
+            systemd \
+            systemd-sysv
+ENTRYPOINT ["hack/dind-systemd"]
+
+FROM dev-systemd-${SYSTEMD} AS dev
 ARG DEBIAN_FRONTEND
 RUN groupadd -r docker
 RUN useradd --create-home --gid docker unprivilegeduser \
@@ -540,115 +521,84 @@ RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
             xz-utils \
             zip \
             zstd
-
-
 # Switch to use iptables instead of nftables (to match the CI hosts)
 # TODO use some kind of runtime auto-detection instead if/when nftables is supported (https://github.com/moby/moby/issues/26824)
 RUN update-alternatives --set iptables  /usr/sbin/iptables-legacy  || true \
  && update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy || true \
  && update-alternatives --set arptables /usr/sbin/arptables-legacy || true
-
 ARG YAMLLINT_VERSION=1.27.1
 RUN pip3 install yamllint==${YAMLLINT_VERSION}
-
-COPY --from=dockercli     /build/ /usr/local/cli
-COPY --from=frozen-images /build/ /docker-frozen-images
-COPY --from=swagger       /build/ /usr/local/bin/
-COPY --from=delve         /build/ /usr/local/bin/
-COPY --from=tomll         /build/ /usr/local/bin/
-COPY --from=gowinres      /build/ /usr/local/bin/
-COPY --from=tini          /build/ /usr/local/bin/
-COPY --from=registry      /build/ /usr/local/bin/
-COPY --from=criu          /build/ /usr/local/bin/
-COPY --from=gotestsum     /build/ /usr/local/bin/
-COPY --from=golangci_lint /build/ /usr/local/bin/
-COPY --from=shfmt         /build/ /usr/local/bin/
-COPY --from=runc          /build/ /usr/local/bin/
-COPY --from=containerd    /build/ /usr/local/bin/
-COPY --from=rootlesskit   /build/ /usr/local/bin/
-COPY --from=vpnkit        /       /usr/local/bin/
-COPY --from=containerutil /build/ /usr/local/bin/
-COPY --from=crun          /build/ /usr/local/bin/
-COPY hack/dockerfile/etc/docker/  /etc/docker/
-ENV PATH=/usr/local/cli:$PATH
-ARG DOCKER_BUILDTAGS
-ENV DOCKER_BUILDTAGS="${DOCKER_BUILDTAGS}"
-WORKDIR /go/src/github.com/docker/docker
-VOLUME /var/lib/docker
-VOLUME /home/unprivilegeduser/.local/share/docker
-# Wrap all commands in the "docker-in-docker" script to allow nested containers
-ENTRYPOINT ["hack/dind"]
-
-FROM dev-systemd-false AS dev-systemd-true
 RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
     --mount=type=cache,sharing=locked,id=moby-dev-aptcache,target=/var/cache/apt \
-        apt-get update && apt-get install -y --no-install-recommends \
-            dbus \
-            dbus-user-session \
-            systemd \
-            systemd-sysv
-ENTRYPOINT ["hack/dind-systemd"]
-
-FROM dev-systemd-${SYSTEMD} AS dev
+        apt-get update && apt-get install --no-install-recommends -y \
+            gcc \
+            pkg-config \
+            dpkg-dev \
+            libapparmor-dev \
+            libbtrfs-dev \
+            libdevmapper-dev \
+            libseccomp-dev \
+            libsecret-1-dev \
+            libsystemd-dev \
+            libudev-dev
 
-FROM runtime-dev AS binary-base
+FROM base AS build
+COPY --from=gowinres /build/ /usr/local/bin/
+WORKDIR /go/src/github.com/docker/docker
+ENV GO111MODULE=off
+ENV CGO_ENABLED=1
+ARG DEBIAN_FRONTEND
+ARG TARGETPLATFORM
+RUN --mount=type=cache,sharing=locked,id=moby-build-aptlib,target=/var/lib/apt \
+    --mount=type=cache,sharing=locked,id=moby-build-aptcache,target=/var/cache/apt \
+        xx-apt-get install --no-install-recommends -y \
+            gcc \
+            libapparmor-dev \
+            libbtrfs-dev \
+            libc6-dev \
+            libdevmapper-dev \
+            libseccomp-dev \
+            libsecret-1-dev \
+            libsystemd-dev \
+            libudev-dev
+ARG DOCKER_BUILDTAGS
+ARG DOCKER_DEBUG
 ARG DOCKER_GITCOMMIT=HEAD
-ENV DOCKER_GITCOMMIT=${DOCKER_GITCOMMIT}
+ARG DOCKER_LDFLAGS
+ARG DOCKER_STATIC
 ARG VERSION
-ENV VERSION=${VERSION}
 ARG PLATFORM
-ENV PLATFORM=${PLATFORM}
 ARG PRODUCT
-ENV PRODUCT=${PRODUCT}
 ARG DEFAULT_PRODUCT_LICENSE
-ENV DEFAULT_PRODUCT_LICENSE=${DEFAULT_PRODUCT_LICENSE}
 ARG PACKAGER_NAME
-ENV PACKAGER_NAME=${PACKAGER_NAME}
-ARG DOCKER_BUILDTAGS
-ENV DOCKER_BUILDTAGS="${DOCKER_BUILDTAGS}"
-ENV PREFIX=/build
-# TODO: This is here because hack/make.sh binary copies these extras binaries
-# from $PATH into the bundles dir.
-# It would be nice to handle this in a different way.
-COPY --from=tini          /build/ /usr/local/bin/
-COPY --from=runc          /build/ /usr/local/bin/
-COPY --from=containerd    /build/ /usr/local/bin/
-COPY --from=rootlesskit   /build/ /usr/local/bin/
-COPY --from=vpnkit        /       /usr/local/bin/
-COPY --from=containerutil /build/ /usr/local/bin/
-COPY --from=gowinres      /build/ /usr/local/bin/
-WORKDIR /go/src/github.com/docker/docker
-
-FROM binary-base AS build-binary
-RUN --mount=type=cache,target=/root/.cache \
-    --mount=type=bind,target=.,ro \
-    --mount=type=tmpfs,target=cli/winresources/dockerd \
-    --mount=type=tmpfs,target=cli/winresources/docker-proxy \
-        hack/make.sh binary
-
-FROM binary-base AS build-dynbinary
-RUN --mount=type=cache,target=/root/.cache \
-    --mount=type=bind,target=.,ro \
-    --mount=type=tmpfs,target=cli/winresources/dockerd \
-    --mount=type=tmpfs,target=cli/winresources/docker-proxy \
-        hack/make.sh dynbinary
-
-FROM binary-base AS build-cross
-ARG DOCKER_CROSSPLATFORMS
-RUN --mount=type=cache,target=/root/.cache \
-    --mount=type=bind,target=.,ro \
+# PREFIX overrides DEST dir in make.sh script otherwise it fails because of
+# read only mount in current work dir
+ENV PREFIX=/tmp
+RUN --mount=type=bind,target=. \
     --mount=type=tmpfs,target=cli/winresources/dockerd \
     --mount=type=tmpfs,target=cli/winresources/docker-proxy \
-        hack/make.sh cross
+    --mount=type=cache,target=/root/.cache/go-build,id=moby-build-$TARGETPLATFORM <<EOT
+  set -e
+  target=$([ "$DOCKER_STATIC" = "1" ] && echo "binary" || echo "dynbinary")
+  xx-go --wrap
+  ./hack/make.sh $target
+  xx-verify /tmp/bundles/${target}-daemon/dockerd$([ "$(xx-info os)" = "windows" ] && echo ".exe")
+  xx-verify /tmp/bundles/${target}-daemon/docker-proxy$([ "$(xx-info os)" = "windows" ] && echo ".exe")
+  mkdir /build
+  mv /tmp/bundles/${target}-daemon/* /build/
+EOT
 
+# usage:
+# > docker buildx bake binary
+# > DOCKER_STATIC=0 docker buildx bake binary
+# or
+# > make binary
+# > make dynbinary
 FROM scratch AS binary
-COPY --from=build-binary /build/bundles/ /
-
-FROM scratch AS dynbinary
-COPY --from=build-dynbinary /build/bundles/ /
-
-FROM scratch AS cross
-COPY --from=build-cross /build/bundles/ /
+COPY --from=build /build/ /
 
+# usage:
+# > make shell
+# > SYSTEMD=true make shell
 FROM dev AS final
-COPY . /go/src/github.com/docker/docker
+COPY . .

Makefile

@@ -31,7 +31,6 @@ export VALIDATE_ORIGIN_BRANCH
 # make DOCKER_LDFLAGS="-X github.com/docker/docker/daemon/graphdriver.priority=overlay2,devicemapper" dynbinary
 #
 DOCKER_ENVS := \
-	-e DOCKER_CROSSPLATFORMS \
 	-e BUILD_APT_MIRROR \
 	-e BUILDFLAGS \
 	-e KEEPBUNDLE \
@@ -143,17 +142,7 @@ endif
 
 BUILD_OPTS := ${BUILD_APT_MIRROR} ${DOCKER_BUILD_ARGS} ${DOCKER_BUILD_OPTS} -f "$(DOCKERFILE)"
 BUILD_CMD := $(BUILDX) build
-
-# This is used for the legacy "build" target and anything still depending on it
-BUILD_CROSS =
-ifdef DOCKER_CROSS
-BUILD_CROSS = --build-arg CROSS=$(DOCKER_CROSS)
-endif
-ifdef DOCKER_CROSSPLATFORMS
-BUILD_CROSS = --build-arg CROSS=true
-endif
-
-VERSION_AUTOGEN_ARGS = --build-arg VERSION --build-arg DOCKER_GITCOMMIT --build-arg PRODUCT --build-arg PLATFORM --build-arg DEFAULT_PRODUCT_LICENSE --build-arg PACKAGER_NAME
+BAKE_CMD := $(BUILDX) bake
 
 default: binary
 
@@ -161,14 +150,13 @@ all: build ## validate all checks, build linux binaries, run all tests,\ncross b
 	$(DOCKER_RUN_DOCKER) bash -c 'hack/validate/default && hack/make.sh'
 
 binary: bundles ## build statically linked linux binaries
-	$(BUILD_CMD) $(BUILD_OPTS) --output=bundles/ --target=$@ $(VERSION_AUTOGEN_ARGS) .
+	$(BAKE_CMD) binary
 
 dynbinary: bundles ## build dynamically linked linux binaries
-	$(BUILD_CMD) $(BUILD_OPTS) --output=bundles/ --target=$@ $(VERSION_AUTOGEN_ARGS) .
+	$(BAKE_CMD) dynbinary
 
-cross: BUILD_OPTS += --build-arg CROSS=true --build-arg DOCKER_CROSSPLATFORMS
-cross: bundles ## cross build the binaries for darwin, freebsd and\nwindows
-	$(BUILD_CMD) $(BUILD_OPTS) --output=bundles/ --target=$@ $(VERSION_AUTOGEN_ARGS) .
+cross: bundles ## cross build the binaries
+	$(BAKE_CMD) binary-cross
 
 bundles:
 	mkdir bundles
@@ -196,13 +184,13 @@ else
 build: shell_target := --target=final
 endif
 build: bundles
-	$(BUILD_CMD) $(BUILD_OPTS) $(shell_target) --load $(BUILD_CROSS) -t "$(DOCKER_IMAGE)" .
+	$(BUILD_CMD) $(BUILD_OPTS) $(shell_target) --load -t "$(DOCKER_IMAGE)" .
 
 shell: build  ## start a shell inside the build env
 	$(DOCKER_RUN_DOCKER) bash
 
 test: build test-unit ## run the unit, integration and docker-py tests
-	$(DOCKER_RUN_DOCKER) hack/make.sh dynbinary cross test-integration test-docker-py
+	$(DOCKER_RUN_DOCKER) hack/make.sh dynbinary test-integration test-docker-py
 
 test-docker-py: build ## run the docker-py tests
 	$(DOCKER_RUN_DOCKER) hack/make.sh dynbinary test-docker-py
@@ -229,8 +217,8 @@ validate: build ## validate DCO, Seccomp profile generation, gofmt,\n./pkg/ isol
 validate-%: build ## validate specific check
 	$(DOCKER_RUN_DOCKER) hack/validate/$*
 
-win: build ## cross build the binary for windows
-	$(DOCKER_RUN_DOCKER) DOCKER_CROSSPLATFORMS=windows/amd64 hack/make.sh cross
+win: bundles ## cross build the binary for windows
+	$(BAKE_CMD) --set *.platform=windows/amd64 binary
 
 .PHONY: swagger-gen
 swagger-gen:

docker-bake.hcl

@@ -4,9 +4,6 @@ variable "BUNDLES_OUTPUT" {
 variable "DOCKER_STATIC" {
   default = "1"
 }
-variable "DOCKER_CROSSPLATFORMS" {
-  default = ""
-}
 
 target "_common" {
   args = {
@@ -20,6 +17,23 @@ group "default" {
   targets = ["binary"]
 }
 
+target "_platforms" {
+  platforms = [
+    "linux/amd64",
+    "linux/arm/v5",
+    "linux/arm/v6",
+    "linux/arm/v7",
+    "linux/arm64",
+    "linux/ppc64le",
+    "linux/s390x",
+    "windows/amd64"
+  ]
+}
+
+#
+# build dockerd and docker-proxy
+#
+
 target "binary" {
   inherits = ["_common"]
   target = "binary"
@@ -27,17 +41,14 @@ target "binary" {
 }
 
 target "dynbinary" {
-  inherits = ["binary"]
-  target = "dynbinary"
-}
-
-target "cross" {
   inherits = ["binary"]
   args = {
-    CROSS = "true"
-    DOCKER_CROSSPLATFORMS = DOCKER_CROSSPLATFORMS
+    DOCKER_STATIC = "0"
   }
-  target = "cross"
+}
+
+target "binary-cross" {
+  inherits = ["binary", "_platforms"]
 }
 
 #

docs/contributing/set-up-dev-env.md

@@ -150,10 +150,10 @@ can take over 15 minutes to complete.
    Removing bundles/
 
    ---> Making bundle: binary (in bundles/binary)
-   Building: bundles/binary-daemon/dockerd-17.06.0-dev
-   Created binary: bundles/binary-daemon/dockerd-17.06.0-dev
-   Copying nested executables into bundles/binary-daemon
-
+   Building bundles/binary-daemon/dockerd (linux/amd64)...
+   Created binary: bundles/binary-daemon/dockerd
+   Building bundles/binary-daemon/docker-proxy (linux/amd64)...
+   Created binary:bundles/binary-daemon/docker-proxy
    ```
 
 7. Run `make install`, which copies the binary to the container's

docs/contributing/test.md

@@ -123,7 +123,7 @@ Try this now.
 4.  Run the tests using the `hack/make.sh` script.
 
     ```bash
-    # hack/make.sh dynbinary binary cross test-integration test-docker-py
+    # hack/make.sh dynbinary binary test-integration test-docker-py
     ```
 
     The tests run just as they did within your local host.
@@ -132,11 +132,11 @@ Try this now.
     just the integration tests:
 
     ```bash
-    # hack/make.sh dynbinary binary cross test-integration
+    # hack/make.sh dynbinary binary test-integration
     ```
 
     Most test targets require that you build these precursor targets first:
-    `dynbinary binary cross`
+    `dynbinary binary`
 
 
 ## Run unit tests

hack/README.md

@@ -44,7 +44,7 @@ all of the tests.
 - When running inside a Docker development container, `hack/make.sh` does
 not have a single target that runs all the tests. You need to provide a
 single command line with multiple targets that performs the same thing.
-An example referenced from [Run targets inside a development container](https://docs.docker.com/opensource/project/test-and-docs/#run-targets-inside-a-development-container): `root@5f8630b873fe:/go/src/github.com/moby/moby# hack/make.sh dynbinary binary cross test-unit test-integration test-docker-py`
+An example referenced from [Run targets inside a development container](https://docs.docker.com/opensource/project/test-and-docs/#run-targets-inside-a-development-container): `root@5f8630b873fe:/go/src/github.com/moby/moby# hack/make.sh dynbinary binary test-unit test-integration test-docker-py`
 - For more information related to testing outside the scope of this README,
 refer to
 [Run tests and test documentation](https://docs.docker.com/opensource/project/test-and-docs/)

hack/make.sh

@@ -36,7 +36,6 @@ DEFAULT_BUNDLES=(
 	dynbinary
 	test-integration
 	test-docker-py
-	cross
 )
 
 VERSION=${VERSION:-dev}

hack/make/.binary

@@ -16,56 +16,59 @@ source "${MAKEDIR}/.go-autogen"
 (
 	export GOGC=${DOCKER_BUILD_GOGC:-1000}
 
-	if [ "$(go env GOOS)/$(go env GOARCH)" != "$(go env GOHOSTOS)/$(go env GOHOSTARCH)" ]; then
-		# must be cross-compiling!
-		case "$(go env GOOS)/$(go env GOARCH)" in
-			windows/amd64)
-				export CC="${CC:-x86_64-w64-mingw32-gcc}"
-				export CGO_ENABLED=1
-				;;
-			linux/arm)
-				case "${GOARM}" in
-					5)
-						export CC="${CC:-arm-linux-gnueabi-gcc}"
-						export CGO_ENABLED=1
-						export CGO_CFLAGS="-march=armv5t"
-						export CGO_CXXFLAGS="-march=armv5t"
-						;;
-					6)
-						export CC="${CC:-arm-linux-gnueabi-gcc}"
-						export CGO_ENABLED=1
-						export CGO_CFLAGS="-march=armv6"
-						export CGO_CXXFLAGS="-march=armv6"
-						;;
-					7)
-						export CC="${CC:-arm-linux-gnueabihf-gcc}"
-						export CGO_ENABLED=1
-						export CGO_CFLAGS="-march=armv7-a"
-						export CGO_CXXFLAGS="-march=armv7-a"
-						;;
-					*)
-						export CC="${CC:-arm-linux-gnueabihf-gcc}"
-						export CGO_ENABLED=1
-						;;
-				esac
-				;;
-			linux/arm64)
-				export CC="${CC:-aarch64-linux-gnu-gcc}"
-				export CGO_ENABLED=1
-				;;
-			linux/amd64)
-				export CC="${CC:-x86_64-linux-gnu-gcc}"
-				export CGO_ENABLED=1
-				;;
-			linux/ppc64le)
-				export CC="${CC:-powerpc64le-linux-gnu-gcc}"
-				export CGO_ENABLED=1
-				;;
-			linux/s390x)
-				export CC="${CC:-s390x-linux-gnu-gcc}"
-				export CGO_ENABLED=1
-				;;
-		esac
+	# for non-sandboxed invocation
+	if ! command -v xx-go > /dev/null 2>&1; then
+		if [ "$(go env GOOS)/$(go env GOARCH)" != "$(go env GOHOSTOS)/$(go env GOHOSTARCH)" ]; then
+			# must be cross-compiling!
+			case "$(go env GOOS)/$(go env GOARCH)" in
+				windows/amd64)
+					export CC="${CC:-x86_64-w64-mingw32-gcc}"
+					export CGO_ENABLED=1
+					;;
+				linux/arm)
+					case "${GOARM}" in
+						5)
+							export CC="${CC:-arm-linux-gnueabi-gcc}"
+							export CGO_ENABLED=1
+							export CGO_CFLAGS="-march=armv5t"
+							export CGO_CXXFLAGS="-march=armv5t"
+							;;
+						6)
+							export CC="${CC:-arm-linux-gnueabi-gcc}"
+							export CGO_ENABLED=1
+							export CGO_CFLAGS="-march=armv6"
+							export CGO_CXXFLAGS="-march=armv6"
+							;;
+						7)
+							export CC="${CC:-arm-linux-gnueabihf-gcc}"
+							export CGO_ENABLED=1
+							export CGO_CFLAGS="-march=armv7-a"
+							export CGO_CXXFLAGS="-march=armv7-a"
+							;;
+						*)
+							export CC="${CC:-arm-linux-gnueabihf-gcc}"
+							export CGO_ENABLED=1
+							;;
+					esac
+					;;
+				linux/arm64)
+					export CC="${CC:-aarch64-linux-gnu-gcc}"
+					export CGO_ENABLED=1
+					;;
+				linux/amd64)
+					export CC="${CC:-x86_64-linux-gnu-gcc}"
+					export CGO_ENABLED=1
+					;;
+				linux/ppc64le)
+					export CC="${CC:-powerpc64le-linux-gnu-gcc}"
+					export CGO_ENABLED=1
+					;;
+				linux/s390x)
+					export CC="${CC:-s390x-linux-gnu-gcc}"
+					export CGO_ENABLED=1
+					;;
+			esac
+		fi
 	fi
 
 	# -buildmode=pie is not supported on Windows and Linux on mips, riscv64 and ppc64be.
@@ -80,8 +83,18 @@ source "${MAKEDIR}/.go-autogen"
 			;;
 	esac
 
-	echo "Building: $DEST/$BINARY_FULLNAME"
-	echo "GOOS=\"${GOOS}\" GOARCH=\"${GOARCH}\" GOARM=\"${GOARM}\""
+	# only necessary for non-sandboxed invocation where TARGETPLATFORM is empty
+	PLATFORM_NAME=$TARGETPLATFORM
+	if [ -z "$PLATFORM_NAME" ]; then
+		PLATFORM_NAME="$(go env GOOS)/$(go env GOARCH)"
+		if [ -n "$(go env GOARM)" ]; then
+			PLATFORM_NAME+="/$(go env GOARM)"
+		elif [ -n "$(go env GOAMD64)" ] && [ "$(go env GOAMD64)" != "v1" ]; then
+			PLATFORM_NAME+="/$(go env GOAMD64)"
+		fi
+	fi
+
+	echo "Building $DEST/$BINARY_FULLNAME ($PLATFORM_NAME)..."
 	go build \
 		-o "$DEST/$BINARY_FULLNAME" \
 		"${BUILDFLAGS[@]}" \

hack/make/binary-daemon

@@ -1,35 +1,10 @@
 #!/usr/bin/env bash
 set -e
 
-copy_binaries() {
-	local dir="$1"
-
-	# Add nested executables to bundle dir so we have complete set of
-	# them available, but only if the native OS/ARCH is the same as the
-	# OS/ARCH of the build target
-	if [ "$(go env GOOS)/$(go env GOARCH)" != "$(go env GOHOSTOS)/$(go env GOHOSTARCH)" ]; then
-		return
-	fi
-	if [ ! -x /usr/local/bin/runc ]; then
-		return
-	fi
-	echo "Copying nested executables into $dir"
-	for file in containerd containerd-shim-runc-v2 ctr runc docker-init rootlesskit rootlesskit-docker-proxy dockerd-rootless.sh dockerd-rootless-setuptool.sh; do
-		cp -f "$(command -v "$file")" "$dir/"
-	done
-	# vpnkit might not be available for the target platform, see vpnkit stage in
-	# the Dockerfile for more information.
-	if command -v vpnkit > /dev/null 2>&1; then
-		cp -f "$(command -v vpnkit)" "$dir/"
-	fi
-}
-
 [ -z "$KEEPDEST" ] && rm -rf "$DEST"
 
 (
 	GO_PACKAGE='github.com/docker/docker/cmd/dockerd'
 	BINARY_NAME='dockerd'
-
 	source "${MAKEDIR}/.binary"
-	copy_binaries "$DEST"
 )

hack/make/cross

@@ -1,37 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-# if we have our linux/amd64 version compiled, let's symlink it in
-if [ -x "${DEST}/../binary-daemon/dockerd" ]; then
-	arch=$(go env GOHOSTARCH)
-	mkdir -p "$DEST/linux/${arch}"
-	(
-		cd "${DEST}/linux/${arch}"
-		ln -sf ../../../binary-daemon/* ./
-	)
-	echo "Created symlinks:" "${DEST}/linux/${arch}/"*
-fi
-
-DOCKER_CROSSPLATFORMS=${DOCKER_CROSSPLATFORMS:-"linux/amd64 windows/amd64 linux/ppc64le linux/s390x"}
-
-for platform in ${DOCKER_CROSSPLATFORMS}; do
-	(
-		export KEEPDEST=1
-		export DEST="${DEST}/${platform}" # bundles/VERSION/cross/GOOS/GOARCH/docker-VERSION
-		export GOOS=${platform%%/*}
-		export GOARCH=${platform#*/}
-
-		if [[ "${GOARCH}" = "arm/"* ]]; then
-			GOARM=${GOARCH##*/v}
-			GOARCH=${GOARCH%/v*}
-			export GOARM
-		fi
-
-		echo "Cross building: ${DEST}"
-		mkdir -p "${DEST}"
-		ABS_DEST="$(cd "${DEST}" && pwd -P)"
-		source "${MAKEDIR}/binary"
-
-		source "${MAKEDIR}/cross-platform-dependent"
-	)
-done

hack/make/cross-platform-dependent

@@ -1,6 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-if [ ${platform} == "windows/amd64" ]; then
-	source "${MAKEDIR}/containerutility"
-fi