@@ -12,8 +12,6 @@ import (

 const (

 	// defaultShutdownTimeout is the default shutdown timeout for the daemon

 	defaultShutdownTimeout = 15

-	// defaultTrustKeyFile is the default filename for the trust key

-	defaultTrustKeyFile = "key.json"

 )

 // installCommonConfigFlags adds flags to the pflag.FlagSet to configure the daemon

@@ -83,13 +81,6 @@ func installCommonConfigFlags(conf *config.Config, flags *pflag.FlagSet) error {

 	flags.IntVar(&conf.NetworkControlPlaneMTU, "network-control-plane-mtu", config.DefaultNetworkMtu, "Network Control plane MTU")

-	// "--deprecated-key-path" is to allow configuration of the key used

-	// for the daemon ID and the deprecated image signing. It was never

-	// exposed as a command line option but is added here to allow

-	// overriding the default path in configuration.

-	flags.Var(opts.NewQuotedString(&conf.TrustKeyPath), "deprecated-key-path", "Path to key file for ID and image signing")

-	flags.MarkHidden("deprecated-key-path")

-

 	conf.MaxConcurrentDownloads = &maxConcurrentDownloads

 	conf.MaxConcurrentUploads = &maxConcurrentUploads

 	return nil

@@ -103,10 +94,4 @@ func installRegistryServiceFlags(options *registry.ServiceOptions, flags *pflag.

 	flags.Var(ana, "allow-nondistributable-artifacts", "Allow push of nondistributable artifacts to registry")

 	flags.Var(mirrors, "registry-mirror", "Preferred Docker registry mirror")

 	flags.Var(insecureRegistries, "insecure-registry", "Enable insecure registry communication")

-

-	if runtime.GOOS != "windows" {

-		// TODO: Remove this flag after 3 release cycles (18.03)

-		flags.BoolVar(&options.V2Only, "disable-legacy-registry", true, "Disable contacting legacy registries")

-		flags.MarkHidden("disable-legacy-registry")

-	}

 }

@@ -432,14 +432,6 @@ func loadDaemonCliConfig(opts *daemonOptions) (*config.Config, error) {

 		conf.CommonTLSOptions.KeyFile = opts.TLSOptions.KeyFile

 	}

-	if conf.TrustKeyPath == "" {

-		daemonConfDir, err := getDaemonConfDir(conf.Root)

-		if err != nil {

-			return nil, err

-		}

-		conf.TrustKeyPath = filepath.Join(daemonConfDir, defaultTrustKeyFile)

-	}

-

 	if flags.Changed("graph") && flags.Changed("data-root") {

 		return nil, errors.New(`cannot specify both "--graph" and "--data-root" option`)

 	}

@@ -462,17 +454,6 @@ func loadDaemonCliConfig(opts *daemonOptions) (*config.Config, error) {

 		return nil, err

 	}

-	if runtime.GOOS != "windows" {

-		if flags.Changed("disable-legacy-registry") {

-			// TODO: Remove this error after 3 release cycles (18.03)

-			return nil, errors.New("ERROR: The '--disable-legacy-registry' flag has been removed. Interacting with legacy (v1) registries is no longer supported")

-		}

-		if !conf.V2Only {

-			// TODO: Remove this error after 3 release cycles (18.03)

-			return nil, errors.New("ERROR: The 'disable-legacy-registry' configuration option has been removed. Interacting with legacy (v1) registries is no longer supported")

-		}

-	}

-

 	if flags.Changed("graph") {

 		logrus.Warnf(`The "-g / --graph" flag is deprecated. Please use "--data-root" instead`)

 	}

@@ -55,10 +55,6 @@ func setDefaultUmask() error {

 	return nil

 }

-func getDaemonConfDir(_ string) (string, error) {

-	return getDefaultDaemonConfigDir()

-}

-

 func (cli *DaemonCli) getPlatformContainerdDaemonOpts() ([]supervisor.DaemonOpt, error) {

 	opts := []supervisor.DaemonOpt{

 		supervisor.WithOOMScore(cli.Config.OOMScoreAdjust),

@@ -4,7 +4,6 @@ import (

 	"fmt"

 	"net"

 	"os"

-	"path/filepath"

 	"github.com/docker/docker/daemon/config"

 	"github.com/docker/docker/libcontainerd/supervisor"

@@ -21,10 +20,6 @@ func setDefaultUmask() error {

 	return nil

 }

-func getDaemonConfDir(root string) (string, error) {

-	return filepath.Join(root, `\config`), nil

-}

-

 // preNotifySystem sends a message to the host when the API is active, but before the daemon is

 func preNotifySystem() {

 	// start the service now to prevent timeouts waiting for daemon to start

@@ -8,7 +8,6 @@ import (

 	"io/ioutil"

 	"os"

 	"reflect"

-	"runtime"

 	"strings"

 	"sync"

@@ -135,12 +134,6 @@ type CommonConfig struct {

 	SocketGroup           string                    `json:"group,omitempty"`

 	CorsHeaders           string                    `json:"api-cors-header,omitempty"`

-	// TrustKeyPath is used to generate the daemon ID and for signing schema 1 manifests

-	// when pushing to a registry which does not support schema 2. This field is marked as

-	// deprecated because schema 1 manifests are deprecated in favor of schema 2 and the

-	// daemon ID will use a dedicated identifier not shared with exported signatures.

-	TrustKeyPath string `json:"deprecated-key-path,omitempty"`

-

 	// LiveRestoreEnabled determines whether we should keep containers

 	// alive upon daemon shutdown/start

 	LiveRestoreEnabled bool `json:"live-restore,omitempty"`

@@ -247,9 +240,6 @@ func New() *Config {

 	config.LogConfig.Config = make(map[string]string)

 	config.ClusterOpts = make(map[string]string)

-	if runtime.GOOS != "linux" {

-		config.V2Only = true

-	}

 	return &config

 }

@@ -953,7 +953,7 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S

 		return nil, err

 	}

-	trustKey, err := loadOrCreateTrustKey(config.TrustKeyPath)

+	uuid, err := loadOrCreateUUID(filepath.Join(config.Root, "engine_uuid"))

 	if err != nil {

 		return nil, err

 	}

@@ -998,7 +998,7 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S

 		return nil, errors.New("Devices cgroup isn't mounted")

 	}

-	d.ID = trustKey.PublicKey().KeyID()

+	d.ID = uuid

 	d.repository = daemonRepo

 	d.containers = container.NewMemoryStore()

 	if d.containersReplica, err = container.NewViewDB(); err != nil {

@@ -1029,7 +1029,6 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S

 		MaxConcurrentUploads:      *config.MaxConcurrentUploads,

 		ReferenceStore:            rs,

 		RegistryService:           registryService,

-		TrustKey:                  trustKey,

 	})

 	go d.execCommandGC()

@@ -54,7 +54,6 @@ func (i *ImageService) PushImage(ctx context.Context, image, tag string, metaHea

 		},

 		ConfigMediaType: schema2.MediaTypeImageConfig,

 		LayerStores:     distribution.NewLayerProvidersFromStores(i.layerStores),

-		TrustKey:        i.trustKey,

 		UploadManager:   i.uploadManager,

 	}

@@ -14,7 +14,6 @@ import (

 	"github.com/docker/docker/layer"

 	dockerreference "github.com/docker/docker/reference"

 	"github.com/docker/docker/registry"

-	"github.com/docker/libtrust"

 	"github.com/opencontainers/go-digest"

 	"github.com/pkg/errors"

 	"github.com/sirupsen/logrus"

@@ -40,7 +39,6 @@ type ImageServiceConfig struct {

 	MaxConcurrentUploads      int

 	ReferenceStore            dockerreference.Store

 	RegistryService           registry.Service

-	TrustKey                  libtrust.PrivateKey

 }

 // NewImageService returns a new ImageService from a configuration

@@ -56,7 +54,6 @@ func NewImageService(config ImageServiceConfig) *ImageService {

 		layerStores:               config.LayerStores,

 		referenceStore:            config.ReferenceStore,

 		registryService:           config.RegistryService,

-		trustKey:                  config.TrustKey,

 		uploadManager:             xfer.NewLayerUploadManager(config.MaxConcurrentUploads),

 	}

 }

@@ -72,7 +69,6 @@ type ImageService struct {

 	pruneRunning              int32

 	referenceStore            dockerreference.Store

 	registryService           registry.Service

-	trustKey                  libtrust.PrivateKey

 	uploadManager             *xfer.LayerUploadManager

 }

deleted file mode 100644

@@ -1,57 +0,0 @@

-package daemon // import "github.com/docker/docker/daemon"

-

-import (

-	"encoding/json"

-	"encoding/pem"

-	"fmt"

-	"os"

-	"path/filepath"

-

-	"github.com/docker/docker/pkg/ioutils"

-	"github.com/docker/docker/pkg/system"

-	"github.com/docker/libtrust"

-)

-

-// LoadOrCreateTrustKey attempts to load the libtrust key at the given path,

-// otherwise generates a new one

-// TODO: this should use more of libtrust.LoadOrCreateTrustKey which may need

-// a refactor or this function to be moved into libtrust

-func loadOrCreateTrustKey(trustKeyPath string) (libtrust.PrivateKey, error) {

-	err := system.MkdirAll(filepath.Dir(trustKeyPath), 0755, "")

-	if err != nil {

-		return nil, err

-	}

-	trustKey, err := libtrust.LoadKeyFile(trustKeyPath)

-	if err == libtrust.ErrKeyFileDoesNotExist {

-		trustKey, err = libtrust.GenerateECP256PrivateKey()

-		if err != nil {

-			return nil, fmt.Errorf("Error generating key: %s", err)

-		}

-		encodedKey, err := serializePrivateKey(trustKey, filepath.Ext(trustKeyPath))

-		if err != nil {

-			return nil, fmt.Errorf("Error serializing key: %s", err)

-		}

-		if err := ioutils.AtomicWriteFile(trustKeyPath, encodedKey, os.FileMode(0600)); err != nil {

-			return nil, fmt.Errorf("Error saving key file: %s", err)

-		}

-	} else if err != nil {

-		return nil, fmt.Errorf("Error loading key file %s: %s", trustKeyPath, err)

-	}

-	return trustKey, nil

-}

-

-func serializePrivateKey(key libtrust.PrivateKey, ext string) (encoded []byte, err error) {

-	if ext == ".json" || ext == ".jwk" {

-		encoded, err = json.Marshal(key)

-		if err != nil {

-			return nil, fmt.Errorf("unable to encode private key JWK: %s", err)

-		}

-	} else {

-		pemBlock, err := key.PEMBlock()

-		if err != nil {

-			return nil, fmt.Errorf("unable to encode private key PEM: %s", err)

-		}

-		encoded = pem.EncodeToMemory(pemBlock)

-	}

-	return

-}

deleted file mode 100644

@@ -1,71 +0,0 @@

-package daemon // import "github.com/docker/docker/daemon"

-

-import (

-	"io/ioutil"

-	"os"

-	"path/filepath"

-	"testing"

-

-	"gotest.tools/assert"

-	is "gotest.tools/assert/cmp"

-	"gotest.tools/fs"

-)

-

-// LoadOrCreateTrustKey

-func TestLoadOrCreateTrustKeyInvalidKeyFile(t *testing.T) {

-	tmpKeyFolderPath, err := ioutil.TempDir("", "api-trustkey-test")

-	assert.NilError(t, err)

-	defer os.RemoveAll(tmpKeyFolderPath)

-

-	tmpKeyFile, err := ioutil.TempFile(tmpKeyFolderPath, "keyfile")

-	assert.NilError(t, err)

-

-	_, err = loadOrCreateTrustKey(tmpKeyFile.Name())

-	assert.Check(t, is.ErrorContains(err, "Error loading key file"))

-}

-

-func TestLoadOrCreateTrustKeyCreateKeyWhenFileDoesNotExist(t *testing.T) {

-	tmpKeyFolderPath := fs.NewDir(t, "api-trustkey-test")

-	defer tmpKeyFolderPath.Remove()

-

-	// Without the need to create the folder hierarchy

-	tmpKeyFile := tmpKeyFolderPath.Join("keyfile")

-

-	key, err := loadOrCreateTrustKey(tmpKeyFile)

-	assert.NilError(t, err)

-	assert.Check(t, key != nil)

-

-	_, err = os.Stat(tmpKeyFile)

-	assert.NilError(t, err, "key file doesn't exist")

-}

-

-func TestLoadOrCreateTrustKeyCreateKeyWhenDirectoryDoesNotExist(t *testing.T) {

-	tmpKeyFolderPath := fs.NewDir(t, "api-trustkey-test")

-	defer tmpKeyFolderPath.Remove()

-	tmpKeyFile := tmpKeyFolderPath.Join("folder/hierarchy/keyfile")

-

-	key, err := loadOrCreateTrustKey(tmpKeyFile)

-	assert.NilError(t, err)

-	assert.Check(t, key != nil)

-

-	_, err = os.Stat(tmpKeyFile)

-	assert.NilError(t, err, "key file doesn't exist")

-}

-

-func TestLoadOrCreateTrustKeyCreateKeyNoPath(t *testing.T) {

-	defer os.Remove("keyfile")

-	key, err := loadOrCreateTrustKey("keyfile")

-	assert.NilError(t, err)

-	assert.Check(t, key != nil)

-

-	_, err = os.Stat("keyfile")

-	assert.NilError(t, err, "key file doesn't exist")

-}

-

-func TestLoadOrCreateTrustKeyLoadValidKey(t *testing.T) {

-	tmpKeyFile := filepath.Join("testdata", "keyfile")

-	key, err := loadOrCreateTrustKey(tmpKeyFile)

-	assert.NilError(t, err)

-	expected := "AWX2:I27X:WQFX:IOMK:CNAK:O7PW:VYNB:ZLKC:CVAE:YJP2:SI4A:XXAY"

-	assert.Check(t, is.Contains(key.String(), expected))

-}

new file mode 100644

@@ -0,0 +1,28 @@

+package daemon // import "github.com/docker/docker/daemon"

+

+import (

+	"fmt"

+	"io/ioutil"

+	"os"

+	"path/filepath"

+

+	"github.com/docker/docker/pkg/ioutils"

+	"github.com/pborman/uuid"

+)

+

+func loadOrCreateUUID(path string) (string, error) {

+	err := os.MkdirAll(filepath.Dir(path), 0755)

+	if err != nil {

+		return "", err

+	}

+	id, err := ioutil.ReadFile(path)

+	if os.IsNotExist(err) {

+		id = []byte(uuid.New())

+		if err := ioutils.AtomicWriteFile(path, id, os.FileMode(0600)); err != nil {

+			return "", fmt.Errorf("Error saving uuid file: %s", err)

+		}

+	} else if err != nil {

+		return "", fmt.Errorf("Error loading uuid file %s: %s", path, err)

+	}

+	return string(id), nil

+}

@@ -18,7 +18,6 @@ import (

 	"github.com/docker/docker/pkg/system"

 	refstore "github.com/docker/docker/reference"

 	"github.com/docker/docker/registry"

-	"github.com/docker/libtrust"

 	"github.com/opencontainers/go-digest"

 	specs "github.com/opencontainers/image-spec/specs-go/v1"

 )

@@ -73,9 +72,6 @@ type ImagePushConfig struct {

 	ConfigMediaType string

 	// LayerStores (indexed by operating system) manages layers.

 	LayerStores map[string]PushLayerProvider

-	// TrustKey is the private key for legacy signatures. This is typically

-	// an ephemeral key, since these signatures are no longer verified.

-	TrustKey libtrust.PrivateKey

 	// UploadManager dispatches uploads.

 	UploadManager *xfer.LayerUploadManager

 }

@@ -5,7 +5,6 @@ import (

 	"errors"

 	"fmt"

 	"io"

-	"runtime"

 	"sort"

 	"strings"

 	"sync"

@@ -181,26 +180,8 @@ func (p *v2Pusher) pushV2Tag(ctx context.Context, ref reference.NamedTagged, id

 	putOptions := []distribution.ManifestServiceOption{distribution.WithTag(ref.Tag())}

 	if _, err = manSvc.Put(ctx, manifest, putOptions...); err != nil {

-		if runtime.GOOS == "windows" || p.config.TrustKey == nil || p.config.RequireSchema2 {

-			logrus.Warnf("failed to upload schema2 manifest: %v", err)

-			return err

-		}

-

-		logrus.Warnf("failed to upload schema2 manifest: %v - falling back to schema1", err)

-

-		manifestRef, err := reference.WithTag(p.repo.Named(), ref.Tag())

-		if err != nil {

-			return err

-		}

-		builder = schema1.NewConfigManifestBuilder(p.repo.Blobs(ctx), p.config.TrustKey, manifestRef, imgConfig)

-		manifest, err = manifestFromBuilder(ctx, builder, descriptors)

-		if err != nil {

-			return err

-		}

-

-		if _, err = manSvc.Put(ctx, manifest, putOptions...); err != nil {

-			return err

-		}

+		logrus.Warnf("failed to upload schema2 manifest: %v", err)

+		return err

 	}

 	var canonicalManifest []byte

@@ -18,6 +18,7 @@ import (

 	"path"

 	"path/filepath"

 	"regexp"

+	"runtime"

 	"strconv"

 	"strings"

 	"sync"

@@ -35,7 +36,6 @@ import (

 	"github.com/docker/docker/pkg/mount"

 	"github.com/docker/go-units"

 	"github.com/docker/libnetwork/iptables"

-	"github.com/docker/libtrust"

 	"github.com/go-check/check"

 	"github.com/kr/pty"

 	"golang.org/x/sys/unix"

@@ -551,20 +551,23 @@ func (s *DockerDaemonSuite) TestDaemonAllocatesListeningPort(c *check.C) {

 	}

 }

-func (s *DockerDaemonSuite) TestDaemonKeyGeneration(c *check.C) {

-	// TODO: skip or update for Windows daemon

-	os.Remove("/etc/docker/key.json")

+func (s *DockerDaemonSuite) TestDaemonUUIDGeneration(c *check.C) {

+	dir := "/var/lib/docker"

+	if runtime.GOOS == "windows" {

+		dir = filepath.Join(os.Getenv("programdata"), "docker")

+	}

+	file := filepath.Join(dir, "engine_uuid")

+	os.Remove(file)

 	s.d.Start(c)

 	s.d.Stop(c)

-	k, err := libtrust.LoadKeyFile("/etc/docker/key.json")

+	fi, err := os.Stat(file)

 	if err != nil {

-		c.Fatalf("Error opening key file")

+		c.Fatalf("Error opening uuid file")

 	}

-	kid := k.KeyID()

-	// Test Key ID is a valid fingerprint (e.g. QQXN:JY5W:TBXI:MK3X:GX6P:PD5D:F56N:NHCS:LVRZ:JA46:R24J:XEFF)

-	if len(kid) != 59 {

-		c.Fatalf("Bad key ID: %s", kid)

+	// Test for uuid length

+	if fi.Size() != 36 {

+		c.Fatalf("Bad UUID size %d", fi.Size())

 	}

 }

@@ -92,7 +92,7 @@ func CreateInRegistry(ctx context.Context, repo string, auth *types.AuthConfig,

 		return nil, nil

 	}

-	regService, err := registry.NewService(registry.ServiceOptions{V2Only: true})

+	regService, err := registry.NewService(registry.ServiceOptions{})

 	if err != nil {

 		return err

 	}

@@ -19,16 +19,11 @@ type ServiceOptions struct {

 	AllowNondistributableArtifacts []string `json:"allow-nondistributable-artifacts,omitempty"`

 	Mirrors                        []string `json:"registry-mirrors,omitempty"`

 	InsecureRegistries             []string `json:"insecure-registries,omitempty"`

-

-	// V2Only controls access to legacy registries.  If it is set to true via the

-	// command line flag the daemon will not attempt to contact v1 legacy registries

-	V2Only bool `json:"disable-legacy-registry,omitempty"`

 }

 // serviceConfig holds daemon configuration for the registry service.

 type serviceConfig struct {

 	registrytypes.ServiceConfig

-	V2Only bool

 }

 var (

@@ -76,7 +71,6 @@ func newServiceConfig(options ServiceOptions) (*serviceConfig, error) {

 			// Hack: Bypass setting the mirrors to IndexConfigs since they are going away

 			// and Mirrors are only for the official registry anyways.

 		},

-		V2Only: options.V2Only,

 	}

 	if err := config.LoadAllowNondistributableArtifacts(options.AllowNondistributableArtifacts); err != nil {

 		return nil, err

@@ -309,20 +309,5 @@ func (s *DefaultService) LookupPushEndpoints(hostname string) (endpoints []APIEn

 }

 func (s *DefaultService) lookupEndpoints(hostname string) (endpoints []APIEndpoint, err error) {

-	endpoints, err = s.lookupV2Endpoints(hostname)

-	if err != nil {

-		return nil, err

-	}

-

-	if s.config.V2Only {

-		return endpoints, nil

-	}

-

-	legacyEndpoints, err := s.lookupV1Endpoints(hostname)

-	if err != nil {

-		return nil, err

-	}

-	endpoints = append(endpoints, legacyEndpoints...)

-

-	return endpoints, nil

+	return s.lookupV2Endpoints(hostname)

 }