@@ -1,12 +1,17 @@

 package httputils // import "github.com/docker/docker/api/server/httputils"

 import (

+	"encoding/json"

 	"fmt"

 	"net/http"

 	"strconv"

 	"strings"

 	"github.com/distribution/reference"

+	"github.com/docker/docker/errdefs"

+	"github.com/pkg/errors"

+

+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"

 )

 // BoolValue transforms a form value in different formats into a boolean type.

@@ -109,3 +114,24 @@ func ArchiveFormValues(r *http.Request, vars map[string]string) (ArchiveOptions,

 	}

 	return ArchiveOptions{name, path}, nil

 }

+

+// DecodePlatform decodes the OCI platform JSON string into a Platform struct.

+func DecodePlatform(platformJSON string) (*ocispec.Platform, error) {

+	var p ocispec.Platform

+

+	if err := json.Unmarshal([]byte(platformJSON), &p); err != nil {

+		return nil, errdefs.InvalidParameter(errors.Wrap(err, "failed to parse platform"))

+	}

+

+	hasAnyOptional := (p.Variant != "" || p.OSVersion != "" || len(p.OSFeatures) > 0)

+

+	if p.OS == "" && p.Architecture == "" && hasAnyOptional {

+		return nil, errdefs.InvalidParameter(errors.New("optional platform fields provided, but OS and Architecture are missing"))

+	}

+

+	if p.OS == "" || p.Architecture == "" {

+		return nil, errdefs.InvalidParameter(errors.New("both OS and Architecture must be provided"))

+	}

+

+	return &p, nil

+}

@@ -1,9 +1,16 @@

 package httputils // import "github.com/docker/docker/api/server/httputils"

 import (

+	"encoding/json"

 	"net/http"

 	"net/url"

 	"testing"

+

+	"github.com/containerd/containerd/platforms"

+	"github.com/docker/docker/errdefs"

+

+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"

+	"gotest.tools/v3/assert"

 )

 func TestBoolValue(t *testing.T) {

@@ -103,3 +110,23 @@ func TestInt64ValueOrDefaultWithError(t *testing.T) {

 		t.Fatal("Expected an error.")

 	}

 }

+

+func TestParsePlatformInvalid(t *testing.T) {

+	for _, tc := range []ocispec.Platform{

+		{

+			OSVersion:  "1.2.3",

+			OSFeatures: []string{"a", "b"},

+		},

+		{OSVersion: "12.0"},

+		{OS: "linux"},

+		{Architecture: "amd64"},

+	} {

+		t.Run(platforms.Format(tc), func(t *testing.T) {

+			js, err := json.Marshal(tc)

+			assert.NilError(t, err)

+

+			_, err = DecodePlatform(string(js))

+			assert.Check(t, errdefs.IsInvalidParameter(err))

+		})

+	}

+}

@@ -39,7 +39,7 @@ type importExportBackend interface {

 type registryBackend interface {

 	PullImage(ctx context.Context, ref reference.Named, platform *ocispec.Platform, metaHeaders map[string][]string, authConfig *registry.AuthConfig, outStream io.Writer) error

-	PushImage(ctx context.Context, ref reference.Named, metaHeaders map[string][]string, authConfig *registry.AuthConfig, outStream io.Writer) error

+	PushImage(ctx context.Context, ref reference.Named, platform *ocispec.Platform, metaHeaders map[string][]string, authConfig *registry.AuthConfig, outStream io.Writer) error

 }

 type Searcher interface {

@@ -205,7 +205,21 @@ func (ir *imageRouter) postImagesPush(ctx context.Context, w http.ResponseWriter

 		ref = r

 	}

-	if err := ir.backend.PushImage(ctx, ref, metaHeaders, authConfig, output); err != nil {

+	var platform *ocispec.Platform

+	if formPlatform := r.Form.Get("platform"); formPlatform != "" {

+		if versions.LessThan(httputils.VersionFromContext(ctx), "1.46") {

+			return errdefs.InvalidParameter(errors.New("selecting platform is not supported in API version < 1.46"))

+		}

+

+		p, err := httputils.DecodePlatform(formPlatform)

+		if err != nil {

+			return err

+		}

+

+		platform = p

+	}

+

+	if err := ir.backend.PushImage(ctx, ref, platform, metaHeaders, authConfig, output); err != nil {

 		if !output.Flushed() {

 			return err

 		}

@@ -8752,6 +8752,11 @@ paths:

             details.

           type: "string"

           required: true

+        - name: "platform"

+          in: "query"

+          description: "Select a platform-specific manifest to be pushed. OCI platform (JSON encoded)"

+          type: "string"

+          x-nullable: true

       tags: ["Image"]

   /images/{name}/tag:

     post:

@@ -4,6 +4,7 @@ import (

 	"context"

 	"github.com/docker/docker/api/types/filters"

+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"

 )

 // ImportOptions holds information to import images from the client host.

@@ -36,7 +37,23 @@ type PullOptions struct {

 }

 // PushOptions holds information to push images.

-type PushOptions PullOptions

+type PushOptions struct {

+	All          bool

+	RegistryAuth string // RegistryAuth is the base64 encoded credentials for the registry

+

+	// PrivilegeFunc is a function that clients can supply to retry operations

+	// after getting an authorization error. This function returns the registry

+	// authentication header value in base64 encoded format, or an error if the

+	// privilege request fails.

+	//

+	// Also see [github.com/docker/docker/api/types.RequestPrivilegeFunc].

+	PrivilegeFunc func(context.Context) (string, error)

+

+	// Platform is an optional field that selects a specific platform to push

+	// when the image is a multi-platform image.

+	// Using this will only push a single platform-specific manifest.

+	Platform *ocispec.Platform `json:",omitempty"`

+}

 // ListOptions holds parameters to list images with.

 type ListOptions struct {

@@ -2,7 +2,9 @@ package client // import "github.com/docker/docker/client"

 import (

 	"context"

+	"encoding/json"

 	"errors"

+	"fmt"

 	"io"

 	"net/http"

 	"net/url"

@@ -36,6 +38,20 @@ func (cli *Client) ImagePush(ctx context.Context, image string, options image.Pu

 		}

 	}

+	if options.Platform != nil {

+		if err := cli.NewVersionError(ctx, "1.46", "platform"); err != nil {

+			return nil, err

+		}

+

+		p := *options.Platform

+		pJson, err := json.Marshal(p)

+		if err != nil {

+			return nil, fmt.Errorf("invalid platform: %v", err)

+		}

+

+		query.Set("platform", string(pJson))

+	}

+

 	resp, err := cli.tryImagePush(ctx, name, query, options.RegistryAuth)

 	if errdefs.IsUnauthorized(err) && options.PrivilegeFunc != nil {

 		newAuthHeader, privilegeErr := options.PrivilegeFunc(ctx)

@@ -41,7 +41,7 @@ import (

 // pointing to the new target repository. This will allow subsequent pushes

 // to perform cross-repo mounts of the shared content when pushing to a different

 // repository on the same registry.

-func (i *ImageService) PushImage(ctx context.Context, sourceRef reference.Named, metaHeaders map[string][]string, authConfig *registry.AuthConfig, outStream io.Writer) (retErr error) {

+func (i *ImageService) PushImage(ctx context.Context, sourceRef reference.Named, platform *ocispec.Platform, metaHeaders map[string][]string, authConfig *registry.AuthConfig, outStream io.Writer) (retErr error) {

 	start := time.Now()

 	defer func() {

 		if retErr == nil {

@@ -76,7 +76,7 @@ func (i *ImageService) PushImage(ctx context.Context, sourceRef reference.Named,

 					continue

 				}

-				if err := i.pushRef(ctx, named, metaHeaders, authConfig, out); err != nil {

+				if err := i.pushRef(ctx, named, platform, metaHeaders, authConfig, out); err != nil {

 					return err

 				}

 			}

@@ -85,10 +85,10 @@ func (i *ImageService) PushImage(ctx context.Context, sourceRef reference.Named,

 		}

 	}

-	return i.pushRef(ctx, sourceRef, metaHeaders, authConfig, out)

+	return i.pushRef(ctx, sourceRef, platform, metaHeaders, authConfig, out)

 }

-func (i *ImageService) pushRef(ctx context.Context, targetRef reference.Named, metaHeaders map[string][]string, authConfig *registry.AuthConfig, out progress.Output) (retErr error) {

+func (i *ImageService) pushRef(ctx context.Context, targetRef reference.Named, platform *ocispec.Platform, metaHeaders map[string][]string, authConfig *registry.AuthConfig, out progress.Output) (retErr error) {

 	leasedCtx, release, err := i.client.WithLease(ctx)

 	if err != nil {

 		return err

@@ -104,12 +104,18 @@ func (i *ImageService) pushRef(ctx context.Context, targetRef reference.Named, m

 		if cerrdefs.IsNotFound(err) {

 			return errdefs.NotFound(fmt.Errorf("tag does not exist: %s", reference.FamiliarString(targetRef)))

 		}

-		return errdefs.NotFound(err)

+		return errdefs.System(err)

 	}

 	target := img.Target

-	store := i.content

+	if platform != nil {

+		target, err = i.getPushDescriptor(ctx, img, platform)

+		if err != nil {

+			return err

+		}

+	}

+	store := i.content

 	resolver, tracker := i.newResolverFromAuthConfig(ctx, authConfig, targetRef)

 	pp := pushProgress{Tracker: tracker}

 	jobsQueue := newJobs()

@@ -121,7 +127,7 @@ func (i *ImageService) pushRef(ctx context.Context, targetRef reference.Named, m

 		finishProgress()

 		if retErr == nil {

 			if tagged, ok := targetRef.(reference.Tagged); ok {

-				progress.Messagef(out, "", "%s: digest: %s size: %d", tagged.Tag(), target.Digest, img.Target.Size)

+				progress.Messagef(out, "", "%s: digest: %s size: %d", tagged.Tag(), target.Digest, target.Size)

 			}

 		}

 	}()

@@ -164,16 +170,44 @@ func (i *ImageService) pushRef(ctx context.Context, targetRef reference.Named, m

 	err = remotes.PushContent(ctx, pusher, target, store, limiter, platforms.All, handlerWrapper)

 	if err != nil {

-		if containerdimages.IsIndexType(target.MediaType) && cerrdefs.IsNotFound(err) {

+		// If push failed because of a missing content, no specific platform was requested

+		// and the target is an index, select a platform-specific manifest to push instead.

+		if cerrdefs.IsNotFound(err) && containerdimages.IsIndexType(target.MediaType) && platform == nil {

+			var newTarget ocispec.Descriptor

+			newTarget, err = i.getPushDescriptor(ctx, img, nil)

+			if err != nil {

+				return err

+			}

+

+			// Retry only if the new push candidate is different from the previous one.

+			if newTarget.Digest != target.Digest {

+				target = newTarget

+				pp.TurnNotStartedIntoUnavailable()

+				err = remotes.PushContent(ctx, pusher, target, store, limiter, platforms.All, handlerWrapper)

+

+				if err == nil {

+					progress.Aux(out, map[string]string{

+						"Stripped": "true",

+						"Index":    img.Target.Digest.String(),

+						"Manifest": target.Digest.String(),

+					})

+				}

+			}

+		}

+

+		if err != nil {

+			if !cerrdefs.IsNotFound(err) {

+				return errdefs.System(err)

+			}

 			return errdefs.NotFound(fmt.Errorf(

 				"missing content: %w\n"+

 					"Note: You're trying to push a manifest list/index which "+

 					"references multiple platform specific manifests, but not all of them are available locally "+

-					"or available to the remote repository.\n"+

-					"Make sure you have all the referenced content and try again.",

+					"or available to the remote repository.\n\n"+

+					"Make sure you have all the referenced content and try again.\n"+

+					"You can also push only a single platform specific manifest directly by specifying the platform you want to push.",

 				err))

 		}

-		return err

 	}

 	appendDistributionSourceLabel(ctx, realStore, targetRef, target)

@@ -183,6 +217,97 @@ func (i *ImageService) pushRef(ctx context.Context, targetRef reference.Named, m

 	return nil

 }

+func (i *ImageService) getPushDescriptor(ctx context.Context, img containerdimages.Image, platform *ocispec.Platform) (ocispec.Descriptor, error) {

+	// Allow to override the host platform for testing purposes.

+	hostPlatform := i.defaultPlatformOverride

+	if hostPlatform == nil {

+		hostPlatform = platforms.Default()

+	}

+

+	pm := matchAllWithPreference(hostPlatform)

+	if platform != nil {

+		pm = platforms.OnlyStrict(*platform)

+	}

+

+	anyMissing := false

+

+	var bestMatchPlatform ocispec.Platform

+	var bestMatch *ImageManifest

+	var presentMatchingManifests []*ImageManifest

+	err := i.walkReachableImageManifests(ctx, img, func(im *ImageManifest) error {

+		available, err := im.CheckContentAvailable(ctx)

+		if err != nil {

+			return fmt.Errorf("failed to determine availability of image manifest %s: %w", im.Target().Digest, err)

+		}

+

+		if !available {

+			anyMissing = true

+			return nil

+		}

+

+		if im.IsAttestation() {

+			return nil

+		}

+

+		imgPlatform, err := im.ImagePlatform(ctx)

+		if err != nil {

+			return fmt.Errorf("failed to determine platform of image %s: %w", img.Name, err)

+		}

+

+		if !pm.Match(imgPlatform) {

+			return nil

+		}

+

+		presentMatchingManifests = append(presentMatchingManifests, im)

+		if bestMatch == nil || pm.Less(imgPlatform, bestMatchPlatform) {

+			bestMatchPlatform = imgPlatform

+			bestMatch = im

+		}

+

+		return nil

+	})

+	if err != nil {

+		return ocispec.Descriptor{}, err

+	}

+

+	switch len(presentMatchingManifests) {

+	case 0:

+		return ocispec.Descriptor{}, errdefs.NotFound(fmt.Errorf("no suitable image manifest found for platform %s", *platform))

+	case 1:

+		// Only one manifest is available AND matching the requested platform.

+

+		if platform != nil {

+			// Explicit platform was requested

+			return presentMatchingManifests[0].Target(), nil

+		}

+

+		// No specific platform was requested, but only one manifest is available.

+		if anyMissing {

+			return presentMatchingManifests[0].Target(), nil

+		}

+

+		// Index has only one manifest anyway, select the full index.

+		return img.Target, nil

+	default:

+		if platform == nil {

+			if !anyMissing {

+				// No specific platform requested, and all manifests are available, select the full index.

+				return img.Target, nil

+			}

+

+			// No specific platform requested and not all manifests are available.

+			// Select the manifest that matches the host platform the best.

+			if bestMatch != nil && hostPlatform.Match(bestMatchPlatform) {

+				return bestMatch.Target(), nil

+			}

+

+			return ocispec.Descriptor{}, errdefs.Conflict(errors.Errorf("multiple matching manifests found but no specific platform requested"))

+		}

+

+		return ocispec.Descriptor{}, errdefs.Conflict(errors.Errorf("multiple manifests found for platform %s", *platform))

+	}

+}

+

 func appendDistributionSourceLabel(ctx context.Context, realStore content.Store, targetRef reference.Named, target ocispec.Descriptor) {

 	appendSource, err := docker.AppendDistributionSourceLabel(realStore, targetRef.String())

 	if err != nil {

new file mode 100644

@@ -0,0 +1,288 @@

+// FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:

+//go:build go1.19

+

+package containerd

+

+import (

+	"context"

+	"fmt"

+	"path/filepath"

+	"testing"

+

+	containerdimages "github.com/containerd/containerd/images"

+	"github.com/containerd/containerd/namespaces"

+	"github.com/containerd/containerd/platforms"

+	"github.com/docker/docker/errdefs"

+	"github.com/docker/docker/internal/testutils/specialimage"

+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"

+	"golang.org/x/exp/slices"

+	"gotest.tools/v3/assert"

+	is "gotest.tools/v3/assert/cmp"

+)

+

+type pushTestCase struct {

+	name               string

+	indexPlatforms     []platforms.Platform // all platforms supported by the image

+	availablePlatforms []platforms.Platform // platforms available locally

+	requestPlatform    *platforms.Platform  // platform requested by the client (not the platform selected for push!)

+	check              func(t *testing.T, img containerdimages.Image, pushDescriptor ocispec.Descriptor, err error)

+	daemonPlatform     *platforms.Platform

+}

+

+func TestImagePushIndex(t *testing.T) {

+	ctx := namespaces.WithNamespace(context.TODO(), "testing-"+t.Name())

+

+	csDir := t.TempDir()

+	store := &blobsDirContentStore{blobs: filepath.Join(csDir, "blobs/sha256")}

+

+	linuxAmd64 := platforms.MustParse("linux/amd64")

+	darwinArm64 := platforms.MustParse("darwin/arm64")

+	windowsAmd64 := platforms.MustParse("windows/amd64")

+

+	linuxArm64 := platforms.MustParse("linux/arm64")

+	linuxArmv5 := platforms.MustParse("linux/arm/v5")

+	linuxArmv7 := platforms.MustParse("linux/arm/v7")

+

+	// Image service will have the daemon host platform mocked to linux/amd64.

+	// Unless test cases specify a different platform.

+	defaultDaemonPlatform := linuxAmd64

+

+	for _, tc := range []pushTestCase{

+		// No explicit platform requested

+		{

+			name: "none requested, all present",

+

+			indexPlatforms:     []platforms.Platform{linuxAmd64, darwinArm64, windowsAmd64},

+			availablePlatforms: []platforms.Platform{linuxAmd64, darwinArm64, windowsAmd64},

+			check:              wholeIndexSelected,

+		},

+		{

+			name: "none requested, one present",

+

+			indexPlatforms:     []platforms.Platform{linuxAmd64, darwinArm64, windowsAmd64},

+			availablePlatforms: []platforms.Platform{linuxAmd64},

+			check:              singleManifestSelected(linuxAmd64),

+		},

+		{

+			name: "none requested, two present, daemon platform available",

+

+			indexPlatforms:     []platforms.Platform{linuxAmd64, darwinArm64, windowsAmd64},

+			availablePlatforms: []platforms.Platform{linuxAmd64, darwinArm64},

+			check:              singleManifestSelected(linuxAmd64),

+		},

+		{

+			name: "none requested, two present, daemon platform NOT available",

+

+			indexPlatforms:     []platforms.Platform{linuxAmd64, darwinArm64, windowsAmd64},

+			availablePlatforms: []platforms.Platform{darwinArm64, windowsAmd64},

+			check:              multipleCandidates,

+		},

+

+		// Specific platform requested

+		{

+			name: "linux/amd64 requested, all present",

+

+			indexPlatforms:     []platforms.Platform{linuxAmd64, darwinArm64, windowsAmd64},

+			availablePlatforms: []platforms.Platform{linuxAmd64, darwinArm64, windowsAmd64},

+			requestPlatform:    &linuxAmd64,

+			check:              singleManifestSelected(linuxAmd64),

+		},

+		{

+			name: "linux/amd64 requested, but not present",

+

+			indexPlatforms:     []platforms.Platform{linuxAmd64, darwinArm64, windowsAmd64},

+			availablePlatforms: []platforms.Platform{darwinArm64, windowsAmd64},

+			requestPlatform:    &linuxAmd64,

+			check:              candidateNotFound,

+		},

+

+		// Variant tests

+		{

+			name: "linux/arm/v5 requested, but not in index",

+

+			indexPlatforms:     []platforms.Platform{linuxAmd64, linuxArmv7},

+			availablePlatforms: []platforms.Platform{linuxAmd64, linuxArmv7},

+			requestPlatform:    &linuxArmv5,

+			check:              candidateNotFound,

+		},

+		{

+			name: "linux/arm/v5 requested, but not available",

+

+			indexPlatforms:     []platforms.Platform{linuxArm64, linuxArmv7, linuxArmv5},

+			availablePlatforms: []platforms.Platform{linuxArm64, linuxArmv7},

+			requestPlatform:    &linuxArmv5,

+			check:              candidateNotFound,

+		},

+		{

+			name: "linux/arm/v7 requested, but not available",

+

+			indexPlatforms:     []platforms.Platform{linuxArm64, linuxArmv7, linuxArmv5},

+			availablePlatforms: []platforms.Platform{linuxArm64, linuxArmv5},

+			requestPlatform:    &linuxArmv7,

+			check:              candidateNotFound,

+		},

+		{

+			name: "linux/arm/v7 requested on v7 daemon, but not available",

+

+			indexPlatforms:     []platforms.Platform{linuxArm64, linuxArmv7, linuxArmv5},

+			availablePlatforms: []platforms.Platform{linuxArm64, linuxArmv5},

+			daemonPlatform:     &linuxArmv7,

+			requestPlatform:    &linuxArmv7,

+			check:              candidateNotFound,

+		},

+		{

+			name: "linux/arm/v7 requested on v5 daemon, all available",

+

+			indexPlatforms:     []platforms.Platform{linuxArm64, linuxArmv7, linuxArmv5},

+			availablePlatforms: []platforms.Platform{linuxArm64, linuxArmv7, linuxArmv5},

+			daemonPlatform:     &linuxArmv5,

+			requestPlatform:    &linuxArmv7,

+			check:              singleManifestSelected(linuxArmv7),

+		},

+		{

+			name: "linux/arm/v5 requested on v7 daemon, all available",

+

+			indexPlatforms:     []platforms.Platform{linuxArm64, linuxArmv7, linuxArmv5},

+			availablePlatforms: []platforms.Platform{linuxArm64, linuxArmv7, linuxArmv5},

+			daemonPlatform:     &linuxArmv7,

+			requestPlatform:    &linuxArmv5,

+			check:              singleManifestSelected(linuxArmv5),

+		},

+		{

+			name: "none requested on v5 daemon, arm64 not available",

+

+			indexPlatforms:     []platforms.Platform{linuxArm64, linuxArmv7, linuxArmv5},

+			availablePlatforms: []platforms.Platform{linuxArmv7, linuxArmv5},

+			daemonPlatform:     &linuxArmv5,

+			requestPlatform:    nil,

+			check:              singleManifestSelected(linuxArmv5),

+		},

+		{

+			name: "none requested on v7 daemon, arm64 not available",

+

+			indexPlatforms:     []platforms.Platform{linuxArm64, linuxArmv7, linuxArmv5},

+			availablePlatforms: []platforms.Platform{linuxArmv7, linuxArmv5},

+			daemonPlatform:     &linuxArmv7,

+			requestPlatform:    nil,

+			check:              singleManifestSelected(linuxArmv7),

+		},

+		{

+			name: "none requested on v7 daemon, v7 not available",

+

+			indexPlatforms:     []platforms.Platform{linuxArm64, linuxArmv7, linuxArmv5},

+			availablePlatforms: []platforms.Platform{linuxArm64, linuxArmv5},

+			daemonPlatform:     &linuxArmv7,

+			requestPlatform:    nil,

+			check:              singleManifestSelected(linuxArmv5), // Should it fail, because v5 can't be pushed?

+		},

+

+		{

+			name: "none requested on v7 daemon, v5 in index but not v7, all present",

+

+			indexPlatforms:     []platforms.Platform{linuxArm64, linuxArmv5},

+			availablePlatforms: []platforms.Platform{linuxArm64, linuxArmv5},

+			daemonPlatform:     &linuxArmv7,

+			requestPlatform:    nil,

+			check:              wholeIndexSelected,

+		},

+		{

+			name: "none requested on v7 daemon, v5 in index but not v7, v5 present",

+

+			indexPlatforms:     []platforms.Platform{linuxArm64, linuxArmv5},

+			availablePlatforms: []platforms.Platform{linuxArmv5},

+			daemonPlatform:     &linuxArmv7,

+			requestPlatform:    nil,

+			check:              singleManifestSelected(linuxArmv5),

+		},

+	} {

+		t.Run(tc.name, func(t *testing.T) {

+			imgSvc := fakeImageService(t, ctx, store)

+			// Mock the daemon platform.

+			if tc.daemonPlatform != nil {

+				imgSvc.defaultPlatformOverride = platforms.Only(*tc.daemonPlatform)

+			} else {

+				imgSvc.defaultPlatformOverride = platforms.Only(defaultDaemonPlatform)

+			}

+

+			idx, err := specialimage.MultiPlatform(csDir, "multiplatform:latest", tc.indexPlatforms)

+			assert.NilError(t, err)

+

+			imgs := imagesFromIndex(idx)

+			assert.Assert(t, is.Len(imgs, 1))

+

+			img := imgs[0]

+			_, err = imgSvc.images.Create(ctx, img)

+			assert.NilError(t, err)

+

+			for _, platform := range tc.indexPlatforms {

+				if slices.ContainsFunc(tc.availablePlatforms, platforms.OnlyStrict(platform).Match) {

+					continue

+				}

+				assert.NilError(t, deletePlatform(ctx, imgSvc, img, platform))

+			}

+

+			desc, err := imgSvc.getPushDescriptor(ctx, img, tc.requestPlatform)

+

+			tc.check(t, img, desc, err)

+		})

+	}

+}

+

+func deletePlatform(ctx context.Context, imgSvc *ImageService, img containerdimages.Image, platform platforms.Platform) error {

+	var blobs []ocispec.Descriptor

+	pm := platforms.OnlyStrict(platform)

+	err := imgSvc.walkImageManifests(ctx, img, func(im *ImageManifest) error {

+		imPlatform, err := im.ImagePlatform(ctx)

+		if err != nil {

+			return fmt.Errorf("failed to determine platform of image manifest %v: %w", im.Target(), err)

+		}

+

+		if !pm.Match(imPlatform) {

+			return nil

+		}

+

+		return imgSvc.walkPresentChildren(ctx, im.Target(), func(ctx context.Context, d ocispec.Descriptor) error {

+			blobs = append(blobs, d)

+			return nil

+		})

+	})

+	if err != nil {

+		return fmt.Errorf("failed to walk image manifests: %w", err)

+	}

+

+	for _, d := range blobs {

+		err := imgSvc.content.Delete(ctx, d.Digest)

+		if err != nil {

+			return fmt.Errorf("failed to delete blob %v: %w", d.Digest, err)

+		}

+	}

+

+	return nil

+}

+

+// wholeIndexSelected asserts that the push descriptor candidate is for the whole index.

+func wholeIndexSelected(t *testing.T, img containerdimages.Image, pushDescriptor ocispec.Descriptor, err error) {

+	assert.NilError(t, err)

+	assert.Check(t, is.Equal(pushDescriptor.Digest, img.Target.Digest))

+}

+

+// singleManifestSelected asserts that the push descriptor candidate is for a single platform-specific manifest.

+func singleManifestSelected(platform ocispec.Platform) func(t *testing.T, img containerdimages.Image, pushDescriptor ocispec.Descriptor, err error) {

+	pm := platforms.OnlyStrict(platform)

+	return func(t *testing.T, img containerdimages.Image, pushDescriptor ocispec.Descriptor, err error) {

+		assert.NilError(t, err)

+		assert.Assert(t, is.Equal(pushDescriptor.MediaType, ocispec.MediaTypeImageManifest), "the push descriptor isn't for a manifest")

+		assert.Assert(t, pushDescriptor.Platform != nil, "the push descriptor doesn't have a platform")

+		assert.Assert(t, pm.Match(*pushDescriptor.Platform), "the push descriptor isn't for the selected platform")

+	}

+}

+

+// candidateNotFound asserts that the no matching candidate was found.

+func candidateNotFound(t *testing.T, _ containerdimages.Image, desc ocispec.Descriptor, err error) {

+	assert.Check(t, errdefs.IsNotFound(err), "expected NotFound error, got %v, candidate: %v", err, desc.Platform)

+}

+

+// multipleCandidates asserts that multiple matching candidates were found and no decision could be made.

+func multipleCandidates(t *testing.T, _ containerdimages.Image, desc ocispec.Descriptor, err error) {

+	assert.Check(t, errdefs.IsConflict(err), "expected Conflict error, got %v, candidate: %v", err, desc.Platform)

+}

@@ -4,6 +4,7 @@ import (

 	"context"

 	"errors"

 	"sync"

+	"sync/atomic"

 	"time"

 	"github.com/containerd/containerd/content"

@@ -174,7 +175,13 @@ func (p pullProgress) UpdateProgress(ctx context.Context, ongoing *jobs, out pro

 }

 type pushProgress struct {

-	Tracker docker.StatusTracker

+	Tracker                         docker.StatusTracker

+	notStartedWaitingAreUnavailable atomic.Bool

+}

+

+// TurnNotStartedIntoUnavailable will mark all not started layers as "Unavailable" instead of "Waiting".

+func (p *pushProgress) TurnNotStartedIntoUnavailable() {

+	p.notStartedWaitingAreUnavailable.Store(true)

 }

 func (p *pushProgress) UpdateProgress(ctx context.Context, ongoing *jobs, out progress.Output, start time.Time) error {

@@ -183,7 +190,14 @@ func (p *pushProgress) UpdateProgress(ctx context.Context, ongoing *jobs, out pr

 		id := stringid.TruncateID(j.Digest.Encoded())

 		status, err := p.Tracker.GetStatus(key)

-		if err != nil {

+

+		notStarted := (status.Total > 0 && status.Offset == 0)

+		if err != nil || notStarted {

+			if p.notStartedWaitingAreUnavailable.Load() {

+				progress.Update(out, id, "Unavailable")

+				ongoing.Remove(j)

+				continue

+			}

 			if cerrdefs.IsNotFound(err) {

 				progress.Update(out, id, "Waiting")

 				continue

@@ -8,6 +8,7 @@ import (

 	"github.com/containerd/containerd"

 	"github.com/containerd/containerd/content"

 	"github.com/containerd/containerd/images"

+	"github.com/containerd/containerd/platforms"

 	"github.com/containerd/containerd/plugin"

 	"github.com/containerd/containerd/remotes/docker"

 	"github.com/containerd/containerd/snapshots"

@@ -39,6 +40,9 @@ type ImageService struct {

 	pruneRunning        atomic.Bool

 	refCountMounter     snapshotter.Mounter

 	idMapping           idtools.IdentityMapping

+

+	// defaultPlatformOverride is used in tests to override the host platform.

+	defaultPlatformOverride platforms.MatchComparer

 }

 type registryResolver interface {

@@ -28,7 +28,7 @@ type ImageService interface {

 	// Images

 	PullImage(ctx context.Context, ref reference.Named, platform *ocispec.Platform, metaHeaders map[string][]string, authConfig *registry.AuthConfig, outStream io.Writer) error

-	PushImage(ctx context.Context, ref reference.Named, metaHeaders map[string][]string, authConfig *registry.AuthConfig, outStream io.Writer) error

+	PushImage(ctx context.Context, ref reference.Named, platform *ocispec.Platform, metaHeaders map[string][]string, authConfig *registry.AuthConfig, outStream io.Writer) error

 	CreateImage(ctx context.Context, config []byte, parent string, contentStoreDigest digest.Digest) (builder.Image, error)

 	ImageDelete(ctx context.Context, imageRef string, force, prune bool) ([]imagetype.DeleteResponse, error)

 	ExportImage(ctx context.Context, names []string, outStream io.Writer) error

@@ -2,19 +2,30 @@ package images // import "github.com/docker/docker/daemon/images"

 import (

 	"context"

+	"errors"

 	"io"

 	"time"

 	"github.com/distribution/reference"

 	"github.com/docker/distribution/manifest/schema2"

+	"github.com/docker/docker/api/types/backend"

 	"github.com/docker/docker/api/types/registry"

 	"github.com/docker/docker/distribution"

 	progressutils "github.com/docker/docker/distribution/utils"

+	"github.com/docker/docker/errdefs"

 	"github.com/docker/docker/pkg/progress"

+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"

 )

 // PushImage initiates a push operation on the repository named localName.

-func (i *ImageService) PushImage(ctx context.Context, ref reference.Named, metaHeaders map[string][]string, authConfig *registry.AuthConfig, outStream io.Writer) error {

+func (i *ImageService) PushImage(ctx context.Context, ref reference.Named, platform *ocispec.Platform, metaHeaders map[string][]string, authConfig *registry.AuthConfig, outStream io.Writer) error {

+	if platform != nil {

+		// Check if the image is actually the platform we want to push.

+		_, err := i.GetImage(ctx, ref.String(), backend.GetImageOpts{Platform: platform})

+		if err != nil {

+			return errdefs.InvalidParameter(errors.New("graphdriver backed image store doesn't support multiplatform images"))

+		}

+	}

 	start := time.Now()

 	// Include a buffer so that slow client connections don't affect

 	// transfer performance.

@@ -26,8 +26,10 @@ keywords: "API, Docker, rcli, REST, documentation"

   `net.ipv4.config.IFNAME.log_martians=1`. In API versions up-to 1.46, top level

   `--sysctl` settings for `eth0` will be migrated to `DriverOpts` when possible. 

   This automatic migration will be removed for API versions 1.47 and greater.

-

 * `GET /containers/json` now returns the annotations of containers.

+* `POST /images/{name}/push` now supports a `platform` parameter (JSON encoded

+  OCI Platform type) that allows selecting a specific platform manifest from

+  the multi-platform image.

 ## v1.45 API changes

@@ -99,6 +99,7 @@ require (

 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.21.0

 	go.opentelemetry.io/otel/sdk v1.21.0

 	go.opentelemetry.io/otel/trace v1.21.0

+	golang.org/x/exp v0.0.0-20231006140011-7918f672742d

 	golang.org/x/mod v0.17.0

 	golang.org/x/net v0.23.0

 	golang.org/x/sync v0.5.0

@@ -216,7 +217,6 @@ require (

 	go.uber.org/multierr v1.8.0 // indirect

 	go.uber.org/zap v1.21.0 // indirect

 	golang.org/x/crypto v0.21.0 // indirect

-	golang.org/x/exp v0.0.0-20231006140011-7918f672742d // indirect

 	golang.org/x/oauth2 v0.11.0 // indirect

 	golang.org/x/tools v0.16.0 // indirect

 	google.golang.org/api v0.128.0 // indirect