@@ -30,13 +30,13 @@ import (

 	"github.com/docker/docker/image"

 	libcontainerdtypes "github.com/docker/docker/libcontainerd/types"

 	"github.com/docker/docker/oci"

-	"github.com/docker/docker/pkg/atomicwriter"

 	"github.com/docker/docker/pkg/idtools"

 	"github.com/docker/docker/restartmanager"

 	"github.com/docker/docker/volume"

 	volumemounts "github.com/docker/docker/volume/mounts"

 	"github.com/docker/go-units"

 	agentexec "github.com/moby/swarmkit/v2/agent/exec"

+	"github.com/moby/sys/atomicwriter"

 	"github.com/moby/sys/signal"

 	"github.com/moby/sys/symlink"

 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"

@@ -6,7 +6,7 @@ import (

 	"path/filepath"

 	"strings"

-	"github.com/docker/docker/pkg/atomicwriter"

+	"github.com/moby/sys/atomicwriter"

 )

 // convertKVStringsToMap converts ["key=value"] to {"key":"value"}

@@ -23,12 +23,12 @@ import (

 	"github.com/docker/docker/internal/containerfs"

 	"github.com/docker/docker/internal/directory"

 	"github.com/docker/docker/pkg/archive"

-	"github.com/docker/docker/pkg/atomicwriter"

 	"github.com/docker/docker/pkg/chrootarchive"

 	"github.com/docker/docker/pkg/idtools"

 	"github.com/docker/docker/quota"

 	"github.com/docker/go-units"

 	"github.com/moby/locker"

+	"github.com/moby/sys/atomicwriter"

 	"github.com/moby/sys/mount"

 	"github.com/moby/sys/userns"

 	"github.com/opencontainers/selinux/go-selinux/label"

@@ -4,8 +4,8 @@ import (

 	"os"

 	"path/filepath"

-	"github.com/docker/docker/pkg/atomicwriter"

 	"github.com/google/uuid"

+	"github.com/moby/sys/atomicwriter"

 	"github.com/pkg/errors"

 )

@@ -21,7 +21,7 @@ import (

 	"github.com/docker/docker/daemon/config"

 	"github.com/docker/docker/errdefs"

 	"github.com/docker/docker/libcontainerd/shimopts"

-	"github.com/docker/docker/pkg/atomicwriter"

+	"github.com/moby/sys/atomicwriter"

 	"github.com/opencontainers/runtime-spec/specs-go/features"

 	"github.com/pkg/errors"

 )

@@ -5,7 +5,7 @@ import (

 	"path/filepath"

 	"sync"

-	"github.com/docker/docker/pkg/atomicwriter"

+	"github.com/moby/sys/atomicwriter"

 )

 // Store implements a K/V store for mapping distribution-related IDs

@@ -8,7 +8,7 @@ import (

 	"sync"

 	"github.com/containerd/log"

-	"github.com/docker/docker/pkg/atomicwriter"

+	"github.com/moby/sys/atomicwriter"

 	"github.com/opencontainers/go-digest"

 	"github.com/pkg/errors"

 )

@@ -12,8 +12,8 @@ import (

 	"github.com/containerd/log"

 	"github.com/docker/distribution"

-	"github.com/docker/docker/pkg/atomicwriter"

 	"github.com/docker/docker/pkg/ioutils"

+	"github.com/moby/sys/atomicwriter"

 	"github.com/opencontainers/go-digest"

 	"github.com/pkg/errors"

 )

@@ -31,7 +31,7 @@ import (

 	"text/template"

 	"github.com/containerd/log"

-	"github.com/docker/docker/pkg/atomicwriter"

+	"github.com/moby/sys/atomicwriter"

 	"github.com/opencontainers/go-digest"

 	"github.com/pkg/errors"

 )

deleted file mode 100644

@@ -1,245 +0,0 @@

-// Package atomicwriter provides utilities to perform atomic writes to a

-// file or set of files.

-package atomicwriter

-

-import (

-	"errors"

-	"fmt"

-	"io"

-	"os"

-	"path/filepath"

-	"syscall"

-

-	"github.com/moby/sys/sequential"

-)

-

-func validateDestination(fileName string) error {

-	if fileName == "" {

-		return errors.New("file name is empty")

-	}

-	if dir := filepath.Dir(fileName); dir != "" && dir != "." && dir != ".." {

-		di, err := os.Stat(dir)

-		if err != nil {

-			return fmt.Errorf("invalid output path: %w", err)

-		}

-		if !di.IsDir() {

-			return fmt.Errorf("invalid output path: %w", &os.PathError{Op: "stat", Path: dir, Err: syscall.ENOTDIR})

-		}

-	}

-

-	// Deliberately using Lstat here to match the behavior of [os.Rename],

-	// which is used when completing the write and does not resolve symlinks.

-	fi, err := os.Lstat(fileName)

-	if err != nil {

-		if os.IsNotExist(err) {

-			return nil

-		}

-		return fmt.Errorf("failed to stat output path: %w", err)

-	}

-

-	switch mode := fi.Mode(); {

-	case mode.IsRegular():

-		return nil // Regular file

-	case mode&os.ModeDir != 0:

-		return errors.New("cannot write to a directory")

-	case mode&os.ModeSymlink != 0:

-		return errors.New("cannot write to a symbolic link directly")

-	case mode&os.ModeNamedPipe != 0:

-		return errors.New("cannot write to a named pipe (FIFO)")

-	case mode&os.ModeSocket != 0:

-		return errors.New("cannot write to a socket")

-	case mode&os.ModeDevice != 0:

-		if mode&os.ModeCharDevice != 0 {

-			return errors.New("cannot write to a character device file")

-		}

-		return errors.New("cannot write to a block device file")

-	case mode&os.ModeSetuid != 0:

-		return errors.New("cannot write to a setuid file")

-	case mode&os.ModeSetgid != 0:

-		return errors.New("cannot write to a setgid file")

-	case mode&os.ModeSticky != 0:

-		return errors.New("cannot write to a sticky bit file")

-	default:

-		return fmt.Errorf("unknown file mode: %[1]s (%#[1]o)", mode)

-	}

-}

-

-// New returns a WriteCloser so that writing to it writes to a

-// temporary file and closing it atomically changes the temporary file to

-// destination path. Writing and closing concurrently is not allowed.

-// NOTE: umask is not considered for the file's permissions.

-//

-// New uses [sequential.CreateTemp] to use sequential file access on Windows,

-// avoiding depleting the standby list un-necessarily. On Linux, this equates to

-// a regular [os.CreateTemp]. Refer to the [Win32 API documentation] for details

-// on sequential file access.

-//

-// [Win32 API documentation]: https://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilea#FILE_FLAG_SEQUENTIAL_SCAN

-func New(filename string, perm os.FileMode) (io.WriteCloser, error) {

-	if err := validateDestination(filename); err != nil {

-		return nil, err

-	}

-	abspath, err := filepath.Abs(filename)

-	if err != nil {

-		return nil, err

-	}

-

-	f, err := sequential.CreateTemp(filepath.Dir(abspath), ".tmp-"+filepath.Base(filename))

-	if err != nil {

-		return nil, err

-	}

-	return &atomicFileWriter{

-		f:    f,

-		fn:   abspath,

-		perm: perm,

-	}, nil

-}

-

-// WriteFile atomically writes data to a file named by filename and with the

-// specified permission bits. The given filename is created if it does not exist,

-// but the destination directory must exist. It can be used as a drop-in replacement

-// for [os.WriteFile], but currently does not allow the destination path to be

-// a symlink. WriteFile is implemented using [New] for its implementation.

-//

-// NOTE: umask is not considered for the file's permissions.

-func WriteFile(filename string, data []byte, perm os.FileMode) error {

-	f, err := New(filename, perm)

-	if err != nil {

-		return err

-	}

-	n, err := f.Write(data)

-	if err == nil && n < len(data) {

-		err = io.ErrShortWrite

-		f.(*atomicFileWriter).writeErr = err

-	}

-	if err1 := f.Close(); err == nil {

-		err = err1

-	}

-	return err

-}

-

-type atomicFileWriter struct {

-	f        *os.File

-	fn       string

-	writeErr error

-	written  bool

-	perm     os.FileMode

-}

-

-func (w *atomicFileWriter) Write(dt []byte) (int, error) {

-	w.written = true

-	n, err := w.f.Write(dt)

-	if err != nil {

-		w.writeErr = err

-	}

-	return n, err

-}

-

-func (w *atomicFileWriter) Close() (retErr error) {

-	defer func() {

-		if err := os.Remove(w.f.Name()); !errors.Is(err, os.ErrNotExist) && retErr == nil {

-			retErr = err

-		}

-	}()

-	if err := w.f.Sync(); err != nil {

-		_ = w.f.Close()

-		return err

-	}

-	if err := w.f.Close(); err != nil {

-		return err

-	}

-	if err := os.Chmod(w.f.Name(), w.perm); err != nil {

-		return err

-	}

-	if w.writeErr == nil && w.written {

-		return os.Rename(w.f.Name(), w.fn)

-	}

-	return nil

-}

-

-// WriteSet is used to atomically write a set

-// of files and ensure they are visible at the same time.

-// Must be committed to a new directory.

-type WriteSet struct {

-	root string

-}

-

-// NewWriteSet creates a new atomic write set to

-// atomically create a set of files. The given directory

-// is used as the base directory for storing files before

-// commit. If no temporary directory is given the system

-// default is used.

-func NewWriteSet(tmpDir string) (*WriteSet, error) {

-	td, err := os.MkdirTemp(tmpDir, "write-set-")

-	if err != nil {

-		return nil, err

-	}

-

-	return &WriteSet{

-		root: td,

-	}, nil

-}

-

-// WriteFile writes a file to the set, guaranteeing the file

-// has been synced.

-func (ws *WriteSet) WriteFile(filename string, data []byte, perm os.FileMode) error {

-	f, err := ws.FileWriter(filename, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, perm)

-	if err != nil {

-		return err

-	}

-	n, err := f.Write(data)

-	if err == nil && n < len(data) {

-		err = io.ErrShortWrite

-	}

-	if err1 := f.Close(); err == nil {

-		err = err1

-	}

-	return err

-}

-

-type syncFileCloser struct {

-	*os.File

-}

-

-func (w syncFileCloser) Close() error {

-	err := w.File.Sync()

-	if err1 := w.File.Close(); err == nil {

-		err = err1

-	}

-	return err

-}

-

-// FileWriter opens a file writer inside the set. The file

-// should be synced and closed before calling commit.

-//

-// FileWriter uses [sequential.OpenFile] to use sequential file access on Windows,

-// avoiding depleting the standby list un-necessarily. On Linux, this equates to

-// a regular [os.OpenFile]. Refer to the [Win32 API documentation] for details

-// on sequential file access.

-//

-// [Win32 API documentation]: https://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilea#FILE_FLAG_SEQUENTIAL_SCAN

-func (ws *WriteSet) FileWriter(name string, flag int, perm os.FileMode) (io.WriteCloser, error) {

-	f, err := sequential.OpenFile(filepath.Join(ws.root, name), flag, perm)

-	if err != nil {

-		return nil, err

-	}

-	return syncFileCloser{f}, nil

-}

-

-// Cancel cancels the set and removes all temporary data

-// created in the set.

-func (ws *WriteSet) Cancel() error {

-	return os.RemoveAll(ws.root)

-}

-

-// Commit moves all created files to the target directory. The

-// target directory must not exist and the parent of the target

-// directory must exist.

-func (ws *WriteSet) Commit(target string) error {

-	return os.Rename(ws.root, target)

-}

-

-// String returns the location the set is writing to.

-func (ws *WriteSet) String() string {

-	return ws.root

-}

new file mode 100644

@@ -0,0 +1,56 @@

+package atomicwriter

+

+import (

+	"io"

+	"os"

+

+	"github.com/moby/sys/atomicwriter"

+)

+

+// New returns a WriteCloser so that writing to it writes to a

+// temporary file and closing it atomically changes the temporary file to

+// destination path. Writing and closing concurrently is not allowed.

+// NOTE: umask is not considered for the file's permissions.

+//

+// New uses [sequential.CreateTemp] to use sequential file access on Windows,

+// avoiding depleting the standby list un-necessarily. On Linux, this equates to

+// a regular [os.CreateTemp]. Refer to the [Win32 API documentation] for details

+// on sequential file access.

+//

+// Deprecated: use [atomicwriter.New] instead.

+//

+// [Win32 API documentation]: https://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilea#FILE_FLAG_SEQUENTIAL_SCAN

+func New(filename string, perm os.FileMode) (io.WriteCloser, error) {

+	return atomicwriter.New(filename, perm)

+}

+

+// WriteFile atomically writes data to a file named by filename and with the

+// specified permission bits. The given filename is created if it does not exist,

+// but the destination directory must exist. It can be used as a drop-in replacement

+// for [os.WriteFile], but currently does not allow the destination path to be

+// a symlink. WriteFile is implemented using [New] for its implementation.

+//

+// NOTE: umask is not considered for the file's permissions.

+//

+// Deprecated: use [atomicwriter.WriteFile] instead.

+func WriteFile(filename string, data []byte, perm os.FileMode) error {

+	return atomicwriter.WriteFile(filename, data, perm)

+}

+

+// WriteSet is used to atomically write a set

+// of files and ensure they are visible at the same time.

+// Must be committed to a new directory.

+//

+// Deprecated: use [atomicwriter.WriteSet] instead.

+type WriteSet = atomicwriter.WriteSet

+

+// NewWriteSet creates a new atomic write set to

+// atomically create a set of files. The given directory

+// is used as the base directory for storing files before

+// commit. If no temporary directory is given the system

+// default is used.

+//

+// Deprecated: use [atomicwriter.NewWriteSet] instead.

+func NewWriteSet(tmpDir string) (*atomicwriter.WriteSet, error) {

+	return atomicwriter.NewWriteSet(tmpDir)

+}

deleted file mode 100644

@@ -1,325 +0,0 @@

-package atomicwriter

-

-import (

-	"bytes"

-	"errors"

-	"os"

-	"path/filepath"

-	"runtime"

-	"strings"

-	"syscall"

-	"testing"

-)

-

-// testMode returns the file-mode to use in tests, accounting for Windows

-// not supporting full Linux file mode.

-func testMode() os.FileMode {

-	if runtime.GOOS == "windows" {

-		return 0o666

-	}

-	return 0o640

-}

-

-// assertFile asserts the given fileName to exist, and to have the expected

-// content and mode.

-func assertFile(t *testing.T, fileName string, fileContent []byte, expectedMode os.FileMode) {

-	t.Helper()

-	actual, err := os.ReadFile(fileName)

-	if err != nil {

-		t.Fatalf("Error reading from file: %v", err)

-	}

-

-	if !bytes.Equal(actual, fileContent) {

-		t.Errorf("Data mismatch, expected %q, got %q", fileContent, actual)

-	}

-

-	st, err := os.Stat(fileName)

-	if err != nil {

-		t.Fatalf("Error statting file: %v", err)

-	}

-	if st.Mode() != expectedMode {

-		t.Errorf("Mode mismatched, expected %o, got %o", expectedMode, st.Mode())

-	}

-}

-

-// assertFileCount asserts the given directory has the expected number

-// of files, and returns the list of files found.

-func assertFileCount(t *testing.T, directory string, expected int) []os.DirEntry {

-	t.Helper()

-	files, err := os.ReadDir(directory)

-	if err != nil {

-		t.Fatalf("Error reading dir: %v", err)

-	}

-	if len(files) != expected {

-		t.Errorf("Expected %d files, got %d: %v", expected, len(files), files)

-	}

-	return files

-}

-

-func TestNew(t *testing.T) {

-	for _, tc := range []string{"normal", "symlinked"} {

-		tmpDir := t.TempDir()

-		parentDir := tmpDir

-		actualParentDir := parentDir

-		if tc == "symlinked" {

-			actualParentDir = filepath.Join(tmpDir, "parent-dir")

-			if err := os.Mkdir(actualParentDir, 0o700); err != nil {

-				t.Fatal(err)

-			}

-			parentDir = filepath.Join(tmpDir, "parent-dir-symlink")

-			if err := os.Symlink(actualParentDir, parentDir); err != nil {

-				t.Fatal(err)

-			}

-		}

-		t.Run(tc, func(t *testing.T) {

-			for _, tc := range []string{"new-file", "existing-file"} {

-				t.Run(tc, func(t *testing.T) {

-					fileName := filepath.Join(parentDir, "test.txt")

-					var origFileCount int

-					if tc == "existing-file" {

-						if err := os.WriteFile(fileName, []byte("original content"), testMode()); err != nil {

-							t.Fatalf("Error writing file: %v", err)

-						}

-						origFileCount = 1

-					}

-					writer, err := New(fileName, testMode())

-					if writer == nil {

-						t.Errorf("Writer is nil")

-					}

-					if err != nil {

-						t.Fatalf("Error creating new atomicwriter: %v", err)

-					}

-					files := assertFileCount(t, actualParentDir, origFileCount+1)

-					if tmpFileName := files[0].Name(); !strings.HasPrefix(tmpFileName, ".tmp-test.txt") {

-						t.Errorf("Unexpected file name for temp-file: %s", tmpFileName)

-					}

-

-					// Closing the writer without writing should clean up the temp-file,

-					// and should not replace the destination file.

-					if err = writer.Close(); err != nil {

-						t.Errorf("Error closing writer: %v", err)

-					}

-					assertFileCount(t, actualParentDir, origFileCount)

-					if tc == "existing-file" {

-						assertFile(t, fileName, []byte("original content"), testMode())

-					}

-				})

-			}

-		})

-	}

-}

-

-func TestNewInvalid(t *testing.T) {

-	t.Run("missing target dir", func(t *testing.T) {

-		tmpDir := t.TempDir()

-		fileName := filepath.Join(tmpDir, "missing-dir", "test.txt")

-		writer, err := New(fileName, testMode())

-		if writer != nil {

-			t.Errorf("Should not have created writer")

-		}

-		if !errors.Is(err, os.ErrNotExist) {

-			t.Errorf("Should produce a 'not found' error, but got %[1]T (%[1]v)", err)

-		}

-	})

-	t.Run("target dir is not a directory", func(t *testing.T) {

-		tmpDir := t.TempDir()

-		parentPath := filepath.Join(tmpDir, "not-a-dir")

-		err := os.WriteFile(parentPath, nil, testMode())

-		if err != nil {

-			t.Fatalf("Error writing file: %v", err)

-		}

-		fileName := filepath.Join(parentPath, "new-file.txt")

-		writer, err := New(fileName, testMode())

-		if writer != nil {

-			t.Errorf("Should not have created writer")

-		}

-		// This should match the behavior of os.WriteFile, which returns a [os.PathError] with [syscall.ENOTDIR].

-		if !errors.Is(err, syscall.ENOTDIR) {

-			t.Errorf("Should produce a 'not a directory' error, but got %[1]T (%[1]v)", err)

-		}

-	})

-	t.Run("empty filename", func(t *testing.T) {

-		writer, err := New("", testMode())

-		if writer != nil {

-			t.Errorf("Should not have created writer")

-		}

-		if err == nil || err.Error() != "file name is empty" {

-			t.Errorf("Should produce a 'file name is empty' error, but got %[1]T (%[1]v)", err)

-		}

-	})

-	t.Run("directory", func(t *testing.T) {

-		tmpDir := t.TempDir()

-		writer, err := New(tmpDir, testMode())

-		if writer != nil {

-			t.Errorf("Should not have created writer")

-		}

-		if err == nil || err.Error() != "cannot write to a directory" {

-			t.Errorf("Should produce a 'cannot write to a directory' error, but got %[1]T (%[1]v)", err)

-		}

-	})

-	t.Run("symlinked file", func(t *testing.T) {

-		tmpDir := t.TempDir()

-		linkTarget := filepath.Join(tmpDir, "symlink-target")

-		if err := os.WriteFile(linkTarget, []byte("orig content"), testMode()); err != nil {

-			t.Fatal(err)

-		}

-		fileName := filepath.Join(tmpDir, "symlinked-file")

-		if err := os.Symlink(linkTarget, fileName); err != nil {

-			t.Fatal(err)

-		}

-		writer, err := New(fileName, testMode())

-		if writer != nil {

-			t.Errorf("Should not have created writer")

-		}

-		if err == nil || err.Error() != "cannot write to a symbolic link directly" {

-			t.Errorf("Should produce a 'cannot write to a symbolic link directly' error, but got %[1]T (%[1]v)", err)

-		}

-	})

-}

-

-func TestWriteFile(t *testing.T) {

-	t.Run("empty filename", func(t *testing.T) {

-		err := WriteFile("", nil, testMode())

-		if err == nil || err.Error() != "file name is empty" {

-			t.Errorf("Should produce a 'file name is empty' error, but got %[1]T (%[1]v)", err)

-		}

-	})

-	t.Run("write to directory", func(t *testing.T) {

-		err := WriteFile(t.TempDir(), nil, testMode())

-		if err == nil || err.Error() != "cannot write to a directory" {

-			t.Errorf("Should produce a 'cannot write to a directory' error, but got %[1]T (%[1]v)", err)

-		}

-	})

-	t.Run("write to file", func(t *testing.T) {

-		tmpDir := t.TempDir()

-		fileName := filepath.Join(tmpDir, "test.txt")

-		fileContent := []byte("file content")

-		fileMode := testMode()

-		if err := WriteFile(fileName, fileContent, fileMode); err != nil {

-			t.Fatalf("Error writing to file: %v", err)

-		}

-		assertFile(t, fileName, fileContent, fileMode)

-		assertFileCount(t, tmpDir, 1)

-	})

-	t.Run("missing parent directory", func(t *testing.T) {

-		tmpDir := t.TempDir()

-		fileName := filepath.Join(tmpDir, "missing-dir", "test.txt")

-		fileContent := []byte("file content")

-		fileMode := testMode()

-		if err := WriteFile(fileName, fileContent, fileMode); !errors.Is(err, os.ErrNotExist) {

-			t.Errorf("Should produce a 'not found' error, but got %[1]T (%[1]v)", err)

-		}

-		assertFileCount(t, tmpDir, 0)

-	})

-	t.Run("symlinked file", func(t *testing.T) {

-		tmpDir := t.TempDir()

-		linkTarget := filepath.Join(tmpDir, "symlink-target")

-		originalContent := []byte("original content")

-		fileMode := testMode()

-		if err := os.WriteFile(linkTarget, originalContent, fileMode); err != nil {

-			t.Fatal(err)

-		}

-		if err := os.Symlink(linkTarget, filepath.Join(tmpDir, "symlinked-file")); err != nil {

-			t.Fatal(err)

-		}

-		origFileCount := 2

-		assertFileCount(t, tmpDir, origFileCount)

-

-		fileName := filepath.Join(tmpDir, "symlinked-file")

-		err := WriteFile(fileName, []byte("new content"), testMode())

-		if err == nil || err.Error() != "cannot write to a symbolic link directly" {

-			t.Errorf("Should produce a 'cannot write to a symbolic link directly' error, but got %[1]T (%[1]v)", err)

-		}

-		assertFile(t, linkTarget, originalContent, fileMode)

-		assertFileCount(t, tmpDir, origFileCount)

-	})

-	t.Run("symlinked directory", func(t *testing.T) {

-		tmpDir := t.TempDir()

-		actualParentDir := filepath.Join(tmpDir, "parent-dir")

-		if err := os.Mkdir(actualParentDir, 0o700); err != nil {

-			t.Fatal(err)

-		}

-		actualTargetFile := filepath.Join(actualParentDir, "target-file")

-		if err := os.WriteFile(actualTargetFile, []byte("orig content"), testMode()); err != nil {

-			t.Fatal(err)

-		}

-		parentDir := filepath.Join(tmpDir, "parent-dir-symlink")

-		if err := os.Symlink(actualParentDir, parentDir); err != nil {

-			t.Fatal(err)

-		}

-		origFileCount := 1

-		assertFileCount(t, actualParentDir, origFileCount)

-

-		fileName := filepath.Join(parentDir, "target-file")

-		fileContent := []byte("new content")

-		fileMode := testMode()

-		if err := WriteFile(fileName, fileContent, fileMode); err != nil {

-			t.Fatalf("Error writing to file: %v", err)

-		}

-		assertFile(t, fileName, fileContent, fileMode)

-		assertFile(t, actualTargetFile, fileContent, fileMode)

-		assertFileCount(t, actualParentDir, origFileCount)

-	})

-}

-

-func TestWriteSetCommit(t *testing.T) {

-	tmpDir := t.TempDir()

-

-	if err := os.Mkdir(filepath.Join(tmpDir, "tmp"), 0o700); err != nil {

-		t.Fatalf("Error creating tmp directory: %s", err)

-	}

-

-	targetDir := filepath.Join(tmpDir, "target")

-	ws, err := NewWriteSet(filepath.Join(tmpDir, "tmp"))

-	if err != nil {

-		t.Fatalf("Error creating atomic write set: %s", err)

-	}

-

-	fileContent := []byte("file content")

-	fileMode := testMode()

-

-	if err := ws.WriteFile("foo", fileContent, fileMode); err != nil {

-		t.Fatalf("Error writing to file: %v", err)

-	}

-

-	if _, err := os.ReadFile(filepath.Join(targetDir, "foo")); err == nil {

-		t.Fatalf("Expected error reading file where should not exist")

-	}

-

-	if err := ws.Commit(targetDir); err != nil {

-		t.Fatalf("Error committing file: %s", err)

-	}

-

-	assertFile(t, filepath.Join(targetDir, "foo"), fileContent, fileMode)

-	assertFileCount(t, targetDir, 1)

-}

-

-func TestWriteSetCancel(t *testing.T) {

-	tmpDir := t.TempDir()

-

-	if err := os.Mkdir(filepath.Join(tmpDir, "tmp"), 0o700); err != nil {

-		t.Fatalf("Error creating tmp directory: %s", err)

-	}

-

-	ws, err := NewWriteSet(filepath.Join(tmpDir, "tmp"))

-	if err != nil {

-		t.Fatalf("Error creating atomic write set: %s", err)

-	}

-

-	fileContent := []byte("file content")

-	fileMode := testMode()

-	if err := ws.WriteFile("foo", fileContent, fileMode); err != nil {

-		t.Fatalf("Error writing to file: %v", err)

-	}

-

-	if err := ws.Cancel(); err != nil {

-		t.Fatalf("Error committing file: %s", err)

-	}

-

-	if _, err := os.ReadFile(filepath.Join(tmpDir, "target", "foo")); err == nil {

-		t.Fatalf("Expected error reading file where should not exist")

-	} else if !errors.Is(err, os.ErrNotExist) {

-		t.Fatalf("Unexpected error reading file: %s", err)

-	}

-	assertFileCount(t, filepath.Join(tmpDir, "tmp"), 0)

-}

@@ -4,7 +4,7 @@ import (

 	"io"

 	"os"

-	"github.com/docker/docker/pkg/atomicwriter"

+	"github.com/moby/sys/atomicwriter"

 )

 // NewAtomicFileWriter returns WriteCloser so that writing to it writes to a

@@ -19,11 +19,11 @@ import (

 	"github.com/docker/docker/api/types/events"

 	"github.com/docker/docker/internal/containerfs"

 	"github.com/docker/docker/internal/lazyregexp"

-	"github.com/docker/docker/pkg/atomicwriter"

 	"github.com/docker/docker/pkg/authorization"

 	v2 "github.com/docker/docker/plugin/v2"

 	"github.com/docker/docker/registry"

 	"github.com/moby/pubsub"

+	"github.com/moby/sys/atomicwriter"

 	"github.com/opencontainers/go-digest"

 	"github.com/opencontainers/runtime-spec/specs-go"

 	"github.com/pkg/errors"

@@ -9,7 +9,7 @@ import (

 	"sync"

 	"github.com/distribution/reference"

-	"github.com/docker/docker/pkg/atomicwriter"

+	"github.com/moby/sys/atomicwriter"

 	"github.com/opencontainers/go-digest"

 	"github.com/pkg/errors"

 )

@@ -70,6 +70,7 @@ require (

 	github.com/moby/patternmatcher v0.6.0

 	github.com/moby/pubsub v1.0.0

 	github.com/moby/swarmkit/v2 v2.0.0-20250103191802-8c1959736554

+	github.com/moby/sys/atomicwriter v0.0.0-20250404210502-6e2523cbf3a1

 	github.com/moby/sys/mount v0.3.4

 	github.com/moby/sys/mountinfo v0.7.2

 	github.com/moby/sys/reexec v0.1.0

@@ -397,6 +397,8 @@ github.com/moby/pubsub v1.0.0 h1:jkp/imWsmJz2f6LyFsk7EkVeN2HxR/HTTOY8kHrsxfA=

 github.com/moby/pubsub v1.0.0/go.mod h1:bXSO+3h5MNXXCaEG+6/NlAIk7MMZbySZlnB+cUQhKKc=

 github.com/moby/swarmkit/v2 v2.0.0-20250103191802-8c1959736554 h1:DMHJbgyNZWyrPKYjCYt2IxEO7KA0eSd4fo6KQsv2W84=

 github.com/moby/swarmkit/v2 v2.0.0-20250103191802-8c1959736554/go.mod h1:mTTGIAz/59OGZR5Qe+QByIe3Nxc+sSuJkrsStFhr6Lg=

+github.com/moby/sys/atomicwriter v0.0.0-20250404210502-6e2523cbf3a1 h1:RfsCoQh4+GdgY8QQ7y05leVCa8niO1Phmy5CF3YiSgo=

+github.com/moby/sys/atomicwriter v0.0.0-20250404210502-6e2523cbf3a1/go.mod h1:Ul8oqv2ZMNHOceF643P6FKPXeCmYtlQMvpizfsSoaWs=

 github.com/moby/sys/mount v0.3.4 h1:yn5jq4STPztkkzSKpZkLcmjue+bZJ0u2AuQY1iNI1Ww=

 github.com/moby/sys/mount v0.3.4/go.mod h1:KcQJMbQdJHPlq5lcYT+/CjatWM4PuxKe+XLSVS4J6Os=

 github.com/moby/sys/mountinfo v0.7.2 h1:1shs6aH5s4o5H2zQLn796ADW1wMrIwHsyJ2v9KouLrg=

new file mode 100644

@@ -0,0 +1,202 @@

+

+                                 Apache License

+                           Version 2.0, January 2004

+                        http://www.apache.org/licenses/

+

+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

+

+   1. Definitions.

+

+      "License" shall mean the terms and conditions for use, reproduction,

+      and distribution as defined by Sections 1 through 9 of this document.

+

+      "Licensor" shall mean the copyright owner or entity authorized by

+      the copyright owner that is granting the License.

+

+      "Legal Entity" shall mean the union of the acting entity and all

+      other entities that control, are controlled by, or are under common

+      control with that entity. For the purposes of this definition,

+      "control" means (i) the power, direct or indirect, to cause the

+      direction or management of such entity, whether by contract or

+      otherwise, or (ii) ownership of fifty percent (50%) or more of the

+      outstanding shares, or (iii) beneficial ownership of such entity.

+

+      "You" (or "Your") shall mean an individual or Legal Entity

+      exercising permissions granted by this License.

+

+      "Source" form shall mean the preferred form for making modifications,

+      including but not limited to software source code, documentation

+      source, and configuration files.

+

+      "Object" form shall mean any form resulting from mechanical

+      transformation or translation of a Source form, including but

+      not limited to compiled object code, generated documentation,

+      and conversions to other media types.

+

+      "Work" shall mean the work of authorship, whether in Source or

+      Object form, made available under the License, as indicated by a

+      copyright notice that is included in or attached to the work

+      (an example is provided in the Appendix below).

+

+      "Derivative Works" shall mean any work, whether in Source or Object

+      form, that is based on (or derived from) the Work and for which the

+      editorial revisions, annotations, elaborations, or other modifications

+      represent, as a whole, an original work of authorship. For the purposes

+      of this License, Derivative Works shall not include works that remain

+      separable from, or merely link (or bind by name) to the interfaces of,

+      the Work and Derivative Works thereof.

+

+      "Contribution" shall mean any work of authorship, including

+      the original version of the Work and any modifications or additions

+      to that Work or Derivative Works thereof, that is intentionally

+      submitted to Licensor for inclusion in the Work by the copyright owner

+      or by an individual or Legal Entity authorized to submit on behalf of

+      the copyright owner. For the purposes of this definition, "submitted"

+      means any form of electronic, verbal, or written communication sent

+      to the Licensor or its representatives, including but not limited to

+      communication on electronic mailing lists, source code control systems,

+      and issue tracking systems that are managed by, or on behalf of, the

+      Licensor for the purpose of discussing and improving the Work, but

+      excluding communication that is conspicuously marked or otherwise

+      designated in writing by the copyright owner as "Not a Contribution."

+

+      "Contributor" shall mean Licensor and any individual or Legal Entity

+      on behalf of whom a Contribution has been received by Licensor and

+      subsequently incorporated within the Work.

+

+   2. Grant of Copyright License. Subject to the terms and conditions of

+      this License, each Contributor hereby grants to You a perpetual,

+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable

+      copyright license to reproduce, prepare Derivative Works of,

+      publicly display, publicly perform, sublicense, and distribute the

+      Work and such Derivative Works in Source or Object form.

+

+   3. Grant of Patent License. Subject to the terms and conditions of

+      this License, each Contributor hereby grants to You a perpetual,

+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable

+      (except as stated in this section) patent license to make, have made,

+      use, offer to sell, sell, import, and otherwise transfer the Work,

+      where such license applies only to those patent claims licensable

+      by such Contributor that are necessarily infringed by their