diff --git a/anda/docker/containerd/.gitignore b/anda/docker/containerd/.gitignore
new file mode 100644
index 0000000000..cd976ef07f
--- /dev/null
+++ b/anda/docker/containerd/.gitignore
@@ -0,0 +1,2 @@
+containerd-*.tar.gz
+clog
diff --git a/anda/docker/containerd/0001-Add-reaper-StartLocked.patch b/anda/docker/containerd/0001-Add-reaper-StartLocked.patch
new file mode 100644
index 0000000000..610ec0005d
--- /dev/null
+++ b/anda/docker/containerd/0001-Add-reaper-StartLocked.patch
@@ -0,0 +1,33 @@
+From 788f2f928c1d0099d3861553bf82e83169811a29 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Robert-Andr=C3=A9=20Mauchin?= <zebob.m@gmail.com>
+Date: Tue, 1 Nov 2022 22:09:38 +0100
+Subject: [PATCH] Add reaper StartLocked
+
+---
+ sys/reaper/reaper_unix.go | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/sys/reaper/reaper_unix.go b/sys/reaper/reaper_unix.go
+index 6c4f13b90..a6d6a1e77 100644
+--- a/sys/reaper/reaper_unix.go
++++ b/sys/reaper/reaper_unix.go
+@@ -101,6 +101,16 @@ func (m *Monitor) Start(c *exec.Cmd) (chan runc.Exit, error) {
+ 	return ec, nil
+ }
+ 
++// StartLocked starts the command a registers the process with the reaper
++func (m *Monitor) StartLocked(c *exec.Cmd) (chan runc.Exit, error) {
++	ec := m.Subscribe()
++	if err := c.Start(); err != nil {
++		m.Unsubscribe(ec)
++		return nil, err
++	}
++	return ec, nil
++}
++
+ // Wait blocks until a process is signal as dead.
+ // User should rely on the value of the exit status to determine if the
+ // command was successful or not.
+-- 
+2.38.1
+
diff --git a/anda/docker/containerd/0001-Revert-commit-for-Windows-metrics.patch b/anda/docker/containerd/0001-Revert-commit-for-Windows-metrics.patch
new file mode 100644
index 0000000000..568f98ff13
--- /dev/null
+++ b/anda/docker/containerd/0001-Revert-commit-for-Windows-metrics.patch
@@ -0,0 +1,157 @@
+From beb23ffb0624b40b2ee1bc56730e54943bd3020f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Robert-Andr=C3=A9=20Mauchin?= <zebob.m@gmail.com>
+Date: Thu, 1 Oct 2020 07:19:45 +0200
+Subject: [PATCH] Revert commit for Windows metrics
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Robert-André Mauchin <zebob.m@gmail.com>
+---
+ cmd/ctr/commands/tasks/metrics.go | 113 ------------------------------
+ 1 file changed, 113 deletions(-)
+
+diff --git a/cmd/ctr/commands/tasks/metrics.go b/cmd/ctr/commands/tasks/metrics.go
+index a83e45ef..f8371401 100644
+--- a/cmd/ctr/commands/tasks/metrics.go
++++ b/cmd/ctr/commands/tasks/metrics.go
+@@ -23,9 +23,6 @@ import (
+ 	"os"
+ 	"text/tabwriter"
+ 
+-	wstats "github.com/Microsoft/hcsshim/cmd/containerd-shim-runhcs-v1/stats"
+-	v1 "github.com/containerd/cgroups/stats/v1"
+-	v2 "github.com/containerd/cgroups/v2/stats"
+ 	"github.com/containerd/containerd/cmd/ctr/commands"
+ 	"github.com/containerd/typeurl"
+ 	"github.com/urfave/cli"
+@@ -77,42 +74,12 @@ var metricsCommand = cli.Command{
+ 		if err != nil {
+ 			return err
+ 		}
+-		var (
+-			data         *v1.Metrics
+-			data2        *v2.Metrics
+-			windowsStats *wstats.Statistics
+-		)
+-		switch v := anydata.(type) {
+-		case *v1.Metrics:
+-			data = v
+-		case *v2.Metrics:
+-			data2 = v
+-		case *wstats.Statistics:
+-			windowsStats = v
+-		default:
+-			return errors.New("cannot convert metric data to cgroups.Metrics or windows.Statistics")
+-		}
+ 
+ 		switch context.String(formatFlag) {
+ 		case formatTable:
+ 			w := tabwriter.NewWriter(os.Stdout, 1, 8, 4, ' ', 0)
+ 			fmt.Fprintf(w, "ID\tTIMESTAMP\t\n")
+ 			fmt.Fprintf(w, "%s\t%s\t\n\n", metric.ID, metric.Timestamp)
+-			if data != nil {
+-				printCgroupMetricsTable(w, data)
+-			} else if data2 != nil {
+-				printCgroup2MetricsTable(w, data2)
+-			} else {
+-				if windowsStats.GetLinux() != nil {
+-					printCgroupMetricsTable(w, windowsStats.GetLinux())
+-				} else if windowsStats.GetWindows() != nil {
+-					printWindowsContainerStatistics(w, windowsStats.GetWindows())
+-				}
+-				// Print VM stats if its isolated
+-				if windowsStats.VM != nil {
+-					printWindowsVMStatistics(w, windowsStats.VM)
+-				}
+-			}
+ 			return w.Flush()
+ 		case formatJSON:
+ 			marshaledJSON, err := json.MarshalIndent(anydata, "", "  ")
+@@ -126,83 +93,3 @@ var metricsCommand = cli.Command{
+ 		}
+ 	},
+ }
+-
+-func printCgroupMetricsTable(w *tabwriter.Writer, data *v1.Metrics) {
+-	fmt.Fprintf(w, "METRIC\tVALUE\t\n")
+-	if data.Memory != nil {
+-		fmt.Fprintf(w, "memory.usage_in_bytes\t%d\t\n", data.Memory.Usage.Usage)
+-		fmt.Fprintf(w, "memory.limit_in_bytes\t%d\t\n", data.Memory.Usage.Limit)
+-		fmt.Fprintf(w, "memory.stat.cache\t%d\t\n", data.Memory.TotalCache)
+-	}
+-	if data.CPU != nil {
+-		fmt.Fprintf(w, "cpuacct.usage\t%d\t\n", data.CPU.Usage.Total)
+-		fmt.Fprintf(w, "cpuacct.usage_percpu\t%v\t\n", data.CPU.Usage.PerCPU)
+-	}
+-	if data.Pids != nil {
+-		fmt.Fprintf(w, "pids.current\t%v\t\n", data.Pids.Current)
+-		fmt.Fprintf(w, "pids.limit\t%v\t\n", data.Pids.Limit)
+-	}
+-}
+-
+-func printCgroup2MetricsTable(w *tabwriter.Writer, data *v2.Metrics) {
+-	fmt.Fprintf(w, "METRIC\tVALUE\t\n")
+-	if data.Pids != nil {
+-		fmt.Fprintf(w, "pids.current\t%v\t\n", data.Pids.Current)
+-		fmt.Fprintf(w, "pids.limit\t%v\t\n", data.Pids.Limit)
+-	}
+-	if data.CPU != nil {
+-		fmt.Fprintf(w, "cpu.usage_usec\t%v\t\n", data.CPU.UsageUsec)
+-		fmt.Fprintf(w, "cpu.user_usec\t%v\t\n", data.CPU.UserUsec)
+-		fmt.Fprintf(w, "cpu.system_usec\t%v\t\n", data.CPU.SystemUsec)
+-		fmt.Fprintf(w, "cpu.nr_periods\t%v\t\n", data.CPU.NrPeriods)
+-		fmt.Fprintf(w, "cpu.nr_throttled\t%v\t\n", data.CPU.NrThrottled)
+-		fmt.Fprintf(w, "cpu.throttled_usec\t%v\t\n", data.CPU.ThrottledUsec)
+-	}
+-	if data.Memory != nil {
+-		fmt.Fprintf(w, "memory.usage\t%v\t\n", data.Memory.Usage)
+-		fmt.Fprintf(w, "memory.usage_limit\t%v\t\n", data.Memory.UsageLimit)
+-		fmt.Fprintf(w, "memory.swap_usage\t%v\t\n", data.Memory.SwapUsage)
+-		fmt.Fprintf(w, "memory.swap_limit\t%v\t\n", data.Memory.SwapLimit)
+-	}
+-}
+-
+-func printWindowsContainerStatistics(w *tabwriter.Writer, stats *wstats.WindowsContainerStatistics) {
+-	fmt.Fprintf(w, "METRIC\tVALUE\t\n")
+-	fmt.Fprintf(w, "timestamp\t%s\t\n", stats.Timestamp)
+-	fmt.Fprintf(w, "start_time\t%s\t\n", stats.ContainerStartTime)
+-	fmt.Fprintf(w, "uptime_ns\t%d\t\n", stats.UptimeNS)
+-	if stats.Processor != nil {
+-		fmt.Fprintf(w, "cpu.total_runtime_ns\t%d\t\n", stats.Processor.TotalRuntimeNS)
+-		fmt.Fprintf(w, "cpu.runtime_user_ns\t%d\t\n", stats.Processor.RuntimeUserNS)
+-		fmt.Fprintf(w, "cpu.runtime_kernel_ns\t%d\t\n", stats.Processor.RuntimeKernelNS)
+-	}
+-	if stats.Memory != nil {
+-		fmt.Fprintf(w, "memory.commit_bytes\t%d\t\n", stats.Memory.MemoryUsageCommitBytes)
+-		fmt.Fprintf(w, "memory.commit_peak_bytes\t%d\t\n", stats.Memory.MemoryUsageCommitPeakBytes)
+-		fmt.Fprintf(w, "memory.private_working_set_bytes\t%d\t\n", stats.Memory.MemoryUsagePrivateWorkingSetBytes)
+-	}
+-	if stats.Storage != nil {
+-		fmt.Fprintf(w, "storage.read_count_normalized\t%d\t\n", stats.Storage.ReadCountNormalized)
+-		fmt.Fprintf(w, "storage.read_size_bytes\t%d\t\n", stats.Storage.ReadSizeBytes)
+-		fmt.Fprintf(w, "storage.write_count_normalized\t%d\t\n", stats.Storage.WriteCountNormalized)
+-		fmt.Fprintf(w, "storage.write_size_bytes\t%d\t\n", stats.Storage.WriteSizeBytes)
+-	}
+-}
+-
+-func printWindowsVMStatistics(w *tabwriter.Writer, stats *wstats.VirtualMachineStatistics) {
+-	fmt.Fprintf(w, "METRIC\tVALUE\t\n")
+-	if stats.Processor != nil {
+-		fmt.Fprintf(w, "vm.cpu.total_runtime_ns\t%d\t\n", stats.Processor.TotalRuntimeNS)
+-	}
+-	if stats.Memory != nil {
+-		fmt.Fprintf(w, "vm.memory.working_set_bytes\t%d\t\n", stats.Memory.WorkingSetBytes)
+-		fmt.Fprintf(w, "vm.memory.virtual_node_count\t%d\t\n", stats.Memory.VirtualNodeCount)
+-		fmt.Fprintf(w, "vm.memory.available\t%d\t\n", stats.Memory.VmMemory.AvailableMemory)
+-		fmt.Fprintf(w, "vm.memory.available_buffer\t%d\t\n", stats.Memory.VmMemory.AvailableMemoryBuffer)
+-		fmt.Fprintf(w, "vm.memory.reserved\t%d\t\n", stats.Memory.VmMemory.ReservedMemory)
+-		fmt.Fprintf(w, "vm.memory.assigned\t%d\t\n", stats.Memory.VmMemory.AssignedMemory)
+-		fmt.Fprintf(w, "vm.memory.slp_active\t%t\t\n", stats.Memory.VmMemory.SlpActive)
+-		fmt.Fprintf(w, "vm.memory.balancing_enabled\t%t\t\n", stats.Memory.VmMemory.BalancingEnabled)
+-		fmt.Fprintf(w, "vm.memory.dm_operation_in_progress\t%t\t\n", stats.Memory.VmMemory.DmOperationInProgress)
+-	}
+-}
+-- 
+2.28.0
+
diff --git a/anda/docker/containerd/0001-Use-typeurl.Any-instead-of-github.com-gogo-protobuf-.patch b/anda/docker/containerd/0001-Use-typeurl.Any-instead-of-github.com-gogo-protobuf-.patch
new file mode 100644
index 0000000000..5577569579
--- /dev/null
+++ b/anda/docker/containerd/0001-Use-typeurl.Any-instead-of-github.com-gogo-protobuf-.patch
@@ -0,0 +1,1467 @@
+From 92d2d9b8ed28b3918ad902219245b6c737e9dee4 Mon Sep 17 00:00:00 2001
+From: Davanum Srinivas <davanum@gmail.com>
+Date: Fri, 25 Aug 2023 11:11:35 -0400
+Subject: [PATCH] [PATCH] Use typeurl.Any instead of
+ github.com/gogo/protobuf/types.Any
+
+This commit upgrades github.com/containerd/typeurl to use typeurl.Any.
+The interface hides gogo/protobuf/types.Any from containerd's Go client.
+
+Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
+Signed-off-by: Davanum Srinivas <davanum@gmail.com>
+---
+ cmd/containerd-shim/main_unix.go          |  4 +-
+ cmd/ctr/commands/containers/containers.go |  2 +-
+ container.go                              | 10 +--
+ container_checkpoint_opts.go              |  8 +--
+ container_opts.go                         | 10 +--
+ containers/containers.go                  |  8 +--
+ containerstore.go                         | 19 ++++--
+ events.go                                 |  5 +-
+ events/events.go                          |  3 +-
+ events/exchange/exchange.go               |  8 +--
+ go.mod                                    |  2 +-
+ go.sum                                    |  3 +-
+ integration/client/container_test.go      |  8 +--
+ integration/client/go.mod                 |  2 +-
+ integration/client/go.sum                 |  3 +-
+ metadata/boltutil/helpers.go              | 21 +++---
+ metadata/containers.go                    |  3 +-
+ metadata/containers_test.go               | 83 ++++++++++++++---------
+ metrics/cgroups/metrics_test.go           |  6 +-
+ pkg/cri/server/events.go                  |  3 +-
+ pkg/cri/server/helpers.go                 |  5 +-
+ pkg/cri/server/helpers_test.go            | 13 ++++
+ pkg/cri/server/restart.go                 |  4 +-
+ protobuf/any.go                           | 47 +++++++++++++
+ protobuf/any_test.go                      | 26 +++++++
+ runtime/runtime.go                        |  8 +--
+ runtime/v1/linux/runtime.go               |  9 +--
+ runtime/v1/linux/task.go                  |  4 +-
+ runtime/v1/shim/service.go                |  3 +-
+ runtime/v2/manager.go                     |  7 +-
+ runtime/v2/runc/container.go              |  6 +-
+ runtime/v2/runc/task/service.go           |  5 +-
+ runtime/v2/runc/v1/service.go             |  5 +-
+ runtime/v2/shim.go                        |  5 +-
+ runtime/v2/shim/publisher.go              |  4 +-
+ services/containers/helpers.go            | 20 ++++--
+ services/events/service.go                |  3 +-
+ services/tasks/local.go                   |  5 +-
+ task.go                                   |  7 +-
+ 39 files changed, 270 insertions(+), 127 deletions(-)
+ create mode 100644 protobuf/any.go
+ create mode 100644 protobuf/any_test.go
+
+diff --git a/cmd/containerd-shim/main_unix.go b/cmd/containerd-shim/main_unix.go
+index 024611bf3bdf..ef32ae38bb51 100644
+--- a/cmd/containerd-shim/main_unix.go
++++ b/cmd/containerd-shim/main_unix.go
+@@ -38,12 +38,12 @@ import (
+ 	"github.com/containerd/containerd/events"
+ 	"github.com/containerd/containerd/namespaces"
+ 	"github.com/containerd/containerd/pkg/process"
++	"github.com/containerd/containerd/protobuf"
+ 	shimlog "github.com/containerd/containerd/runtime/v1"
+ 	"github.com/containerd/containerd/runtime/v1/shim"
+ 	shimapi "github.com/containerd/containerd/runtime/v1/shim/v1"
+ 	"github.com/containerd/containerd/sys/reaper"
+ 	"github.com/containerd/ttrpc"
+-	"github.com/containerd/typeurl"
+ 	ptypes "github.com/gogo/protobuf/types"
+ 	"github.com/sirupsen/logrus"
+ 	exec "golang.org/x/sys/execabs"
+@@ -286,7 +286,7 @@ type remoteEventsPublisher struct {
+ 
+ func (l *remoteEventsPublisher) Publish(ctx context.Context, topic string, event events.Event) error {
+ 	ns, _ := namespaces.Namespace(ctx)
+-	encoded, err := typeurl.MarshalAny(event)
++	encoded, err := protobuf.MarshalAnyToProto(event)
+ 	if err != nil {
+ 		return err
+ 	}
+diff --git a/cmd/ctr/commands/containers/containers.go b/cmd/ctr/commands/containers/containers.go
+index d1025344e0a0..3f2d55d6c10c 100644
+--- a/cmd/ctr/commands/containers/containers.go
++++ b/cmd/ctr/commands/containers/containers.go
+@@ -280,7 +280,7 @@ var infoCommand = cli.Command{
+ 			return nil
+ 		}
+ 
+-		if info.Spec != nil && info.Spec.Value != nil {
++		if info.Spec != nil && info.Spec.GetValue() != nil {
+ 			v, err := typeurl.UnmarshalAny(info.Spec)
+ 			if err != nil {
+ 				return err
+diff --git a/container.go b/container.go
+index 2cf15666f132..8511d863dc1c 100644
+--- a/container.go
++++ b/container.go
+@@ -32,10 +32,10 @@ import (
+ 	"github.com/containerd/containerd/errdefs"
+ 	"github.com/containerd/containerd/images"
+ 	"github.com/containerd/containerd/oci"
++	"github.com/containerd/containerd/protobuf"
+ 	"github.com/containerd/containerd/runtime/v2/runc/options"
+ 	"github.com/containerd/fifo"
+ 	"github.com/containerd/typeurl"
+-	prototypes "github.com/gogo/protobuf/types"
+ 	ver "github.com/opencontainers/image-spec/specs-go"
+ 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+ 	"github.com/opencontainers/selinux/go-selinux/label"
+@@ -74,7 +74,7 @@ type Container interface {
+ 	// SetLabels sets the provided labels for the container and returns the final label set
+ 	SetLabels(context.Context, map[string]string) (map[string]string, error)
+ 	// Extensions returns the extensions set on the container
+-	Extensions(context.Context) (map[string]prototypes.Any, error)
++	Extensions(context.Context) (map[string]typeurl.Any, error)
+ 	// Update a container
+ 	Update(context.Context, ...UpdateContainerOpts) error
+ 	// Checkpoint creates a checkpoint image of the current container
+@@ -120,7 +120,7 @@ func (c *container) Info(ctx context.Context, opts ...InfoOpts) (containers.Cont
+ 	return c.metadata, nil
+ }
+ 
+-func (c *container) Extensions(ctx context.Context) (map[string]prototypes.Any, error) {
++func (c *container) Extensions(ctx context.Context) (map[string]typeurl.Any, error) {
+ 	r, err := c.get(ctx)
+ 	if err != nil {
+ 		return nil, err
+@@ -163,7 +163,7 @@ func (c *container) Spec(ctx context.Context) (*oci.Spec, error) {
+ 		return nil, err
+ 	}
+ 	var s oci.Spec
+-	if err := json.Unmarshal(r.Spec.Value, &s); err != nil {
++	if err := json.Unmarshal(r.Spec.GetValue(), &s); err != nil {
+ 		return nil, err
+ 	}
+ 	return &s, nil
+@@ -285,7 +285,7 @@ func (c *container) NewTask(ctx context.Context, ioCreate cio.Creator, opts ...N
+ 		if err != nil {
+ 			return nil, err
+ 		}
+-		request.Options = any
++		request.Options = protobuf.FromAny(any)
+ 	}
+ 	t := &task{
+ 		client: c.client,
+diff --git a/container_checkpoint_opts.go b/container_checkpoint_opts.go
+index a64ef618ba62..ee2fa1b977eb 100644
+--- a/container_checkpoint_opts.go
++++ b/container_checkpoint_opts.go
+@@ -28,9 +28,9 @@ import (
+ 	"github.com/containerd/containerd/diff"
+ 	"github.com/containerd/containerd/images"
+ 	"github.com/containerd/containerd/platforms"
++	"github.com/containerd/containerd/protobuf"
+ 	"github.com/containerd/containerd/rootfs"
+ 	"github.com/containerd/containerd/runtime/v2/runc/options"
+-	"github.com/containerd/typeurl"
+ 	imagespec "github.com/opencontainers/image-spec/specs-go/v1"
+ )
+ 
+@@ -56,7 +56,7 @@ func WithCheckpointImage(ctx context.Context, client *Client, c *containers.Cont
+ 
+ // WithCheckpointTask includes the running task
+ func WithCheckpointTask(ctx context.Context, client *Client, c *containers.Container, index *imagespec.Index, copts *options.CheckpointOptions) error {
+-	any, err := typeurl.MarshalAny(copts)
++	any, err := protobuf.MarshalAnyToProto(copts)
+ 	if err != nil {
+ 		return nil
+ 	}
+@@ -97,8 +97,8 @@ func WithCheckpointTask(ctx context.Context, client *Client, c *containers.Conta
+ 
+ // WithCheckpointRuntime includes the container runtime info
+ func WithCheckpointRuntime(ctx context.Context, client *Client, c *containers.Container, index *imagespec.Index, copts *options.CheckpointOptions) error {
+-	if c.Runtime.Options != nil {
+-		data, err := c.Runtime.Options.Marshal()
++	if c.Runtime.Options != nil && c.Runtime.Options.GetValue() != nil {
++		data, err := protobuf.FromAny(c.Runtime.Options).Marshal()
+ 		if err != nil {
+ 			return err
+ 		}
+diff --git a/container_opts.go b/container_opts.go
+index 4d630ea6c9d2..f005fe1c7730 100644
+--- a/container_opts.go
++++ b/container_opts.go
+@@ -27,9 +27,9 @@ import (
+ 	"github.com/containerd/containerd/errdefs"
+ 	"github.com/containerd/containerd/images"
+ 	"github.com/containerd/containerd/oci"
++	"github.com/containerd/containerd/protobuf"
+ 	"github.com/containerd/containerd/snapshots"
+ 	"github.com/containerd/typeurl"
+-	"github.com/gogo/protobuf/types"
+ 	"github.com/opencontainers/image-spec/identity"
+ 	v1 "github.com/opencontainers/image-spec/specs-go/v1"
+ )
+@@ -57,7 +57,7 @@ type InfoConfig struct {
+ func WithRuntime(name string, options interface{}) NewContainerOpts {
+ 	return func(ctx context.Context, client *Client, c *containers.Container) error {
+ 		var (
+-			any *types.Any
++			any typeurl.Any
+ 			err error
+ 		)
+ 		if options != nil {
+@@ -288,9 +288,9 @@ func WithContainerExtension(name string, extension interface{}) NewContainerOpts
+ 		}
+ 
+ 		if c.Extensions == nil {
+-			c.Extensions = make(map[string]types.Any)
++			c.Extensions = make(map[string]typeurl.Any)
+ 		}
+-		c.Extensions[name] = *any
++		c.Extensions[name] = any
+ 		return nil
+ 	}
+ }
+@@ -315,7 +315,7 @@ func WithSpec(s *oci.Spec, opts ...oci.SpecOpts) NewContainerOpts {
+ 		}
+ 
+ 		var err error
+-		c.Spec, err = typeurl.MarshalAny(s)
++		c.Spec, err = protobuf.MarshalAnyToProto(s)
+ 		return err
+ 	}
+ }
+diff --git a/containers/containers.go b/containers/containers.go
+index 7174bbd6aa6f..275f8069ea12 100644
+--- a/containers/containers.go
++++ b/containers/containers.go
+@@ -20,7 +20,7 @@ import (
+ 	"context"
+ 	"time"
+ 
+-	"github.com/gogo/protobuf/types"
++	"github.com/containerd/typeurl"
+ )
+ 
+ // Container represents the set of data pinned by a container. Unless otherwise
+@@ -53,7 +53,7 @@ type Container struct {
+ 	// container.
+ 	//
+ 	// This field is required but mutable.
+-	Spec *types.Any
++	Spec typeurl.Any
+ 
+ 	// SnapshotKey specifies the snapshot key to use for the container's root
+ 	// filesystem. When starting a task from this container, a caller should
+@@ -75,13 +75,13 @@ type Container struct {
+ 	UpdatedAt time.Time
+ 
+ 	// Extensions stores client-specified metadata
+-	Extensions map[string]types.Any
++	Extensions map[string]typeurl.Any
+ }
+ 
+ // RuntimeInfo holds runtime specific information
+ type RuntimeInfo struct {
+ 	Name    string
+-	Options *types.Any
++	Options typeurl.Any
+ }
+ 
+ // Store interacts with the underlying container storage
+diff --git a/containerstore.go b/containerstore.go
+index bdd1c6066a79..2a154e26590d 100644
+--- a/containerstore.go
++++ b/containerstore.go
+@@ -24,6 +24,8 @@ import (
+ 	containersapi "github.com/containerd/containerd/api/services/containers/v1"
+ 	"github.com/containerd/containerd/containers"
+ 	"github.com/containerd/containerd/errdefs"
++	"github.com/containerd/containerd/protobuf"
++	"github.com/containerd/typeurl"
+ 	ptypes "github.com/gogo/protobuf/types"
+ 	"google.golang.org/grpc/codes"
+ 	"google.golang.org/grpc/status"
+@@ -148,18 +150,22 @@ func (r *remoteContainers) Delete(ctx context.Context, id string) error {
+ }
+ 
+ func containerToProto(container *containers.Container) containersapi.Container {
++	extensions := make(map[string]ptypes.Any)
++	for k, v := range container.Extensions {
++		extensions[k] = *protobuf.FromAny(v)
++	}
+ 	return containersapi.Container{
+ 		ID:     container.ID,
+ 		Labels: container.Labels,
+ 		Image:  container.Image,
+ 		Runtime: &containersapi.Container_Runtime{
+ 			Name:    container.Runtime.Name,
+-			Options: container.Runtime.Options,
++			Options: protobuf.FromAny(container.Runtime.Options),
+ 		},
+-		Spec:        container.Spec,
++		Spec:        protobuf.FromAny(container.Spec),
+ 		Snapshotter: container.Snapshotter,
+ 		SnapshotKey: container.SnapshotKey,
+-		Extensions:  container.Extensions,
++		Extensions:  extensions,
+ 	}
+ }
+ 
+@@ -171,6 +177,11 @@ func containerFromProto(containerpb *containersapi.Container) containers.Contain
+ 			Options: containerpb.Runtime.Options,
+ 		}
+ 	}
++	extensions := make(map[string]typeurl.Any)
++	for k, v := range containerpb.Extensions {
++		v := v
++		extensions[k] = &v
++	}
+ 	return containers.Container{
+ 		ID:          containerpb.ID,
+ 		Labels:      containerpb.Labels,
+@@ -181,7 +192,7 @@ func containerFromProto(containerpb *containersapi.Container) containers.Contain
+ 		SnapshotKey: containerpb.SnapshotKey,
+ 		CreatedAt:   containerpb.CreatedAt,
+ 		UpdatedAt:   containerpb.UpdatedAt,
+-		Extensions:  containerpb.Extensions,
++		Extensions:  extensions,
+ 	}
+ }
+ 
+diff --git a/events.go b/events.go
+index 3577b7c3a9fc..d6499ad3b3a8 100644
+--- a/events.go
++++ b/events.go
+@@ -22,6 +22,7 @@ import (
+ 	eventsapi "github.com/containerd/containerd/api/services/events/v1"
+ 	"github.com/containerd/containerd/errdefs"
+ 	"github.com/containerd/containerd/events"
++	"github.com/containerd/containerd/protobuf"
+ 	"github.com/containerd/typeurl"
+ )
+ 
+@@ -51,7 +52,7 @@ func (e *eventRemote) Publish(ctx context.Context, topic string, event events.Ev
+ 	}
+ 	req := &eventsapi.PublishRequest{
+ 		Topic: topic,
+-		Event: any,
++		Event: protobuf.FromAny(any),
+ 	}
+ 	if _, err := e.client.Publish(ctx, req); err != nil {
+ 		return errdefs.FromGRPC(err)
+@@ -65,7 +66,7 @@ func (e *eventRemote) Forward(ctx context.Context, envelope *events.Envelope) er
+ 			Timestamp: envelope.Timestamp,
+ 			Namespace: envelope.Namespace,
+ 			Topic:     envelope.Topic,
+-			Event:     envelope.Event,
++			Event:     protobuf.FromAny(envelope.Event),
+ 		},
+ 	}
+ 	if _, err := e.client.Forward(ctx, req); err != nil {
+diff --git a/events/events.go b/events/events.go
+index b7eb86f1eb65..8af0ec03a483 100644
+--- a/events/events.go
++++ b/events/events.go
+@@ -21,7 +21,6 @@ import (
+ 	"time"
+ 
+ 	"github.com/containerd/typeurl"
+-	"github.com/gogo/protobuf/types"
+ )
+ 
+ // Envelope provides the packaging for an event.
+@@ -29,7 +28,7 @@ type Envelope struct {
+ 	Timestamp time.Time
+ 	Namespace string
+ 	Topic     string
+-	Event     *types.Any
++	Event     typeurl.Any
+ }
+ 
+ // Field returns the value for the given fieldpath as a string, if defined.
+diff --git a/events/exchange/exchange.go b/events/exchange/exchange.go
+index a1f385d7abd3..7f085dc91774 100644
+--- a/events/exchange/exchange.go
++++ b/events/exchange/exchange.go
+@@ -30,7 +30,6 @@ import (
+ 	"github.com/containerd/containerd/namespaces"
+ 	"github.com/containerd/typeurl"
+ 	goevents "github.com/docker/go-events"
+-	"github.com/gogo/protobuf/types"
+ 	"github.com/sirupsen/logrus"
+ )
+ 
+@@ -63,7 +62,7 @@ func (e *Exchange) Forward(ctx context.Context, envelope *events.Envelope) (err
+ 		logger := log.G(ctx).WithFields(logrus.Fields{
+ 			"topic": envelope.Topic,
+ 			"ns":    envelope.Namespace,
+-			"type":  envelope.Event.TypeUrl,
++			"type":  envelope.Event.GetTypeUrl(),
+ 		})
+ 
+ 		if err != nil {
+@@ -82,7 +81,6 @@ func (e *Exchange) Forward(ctx context.Context, envelope *events.Envelope) (err
+ func (e *Exchange) Publish(ctx context.Context, topic string, event events.Event) (err error) {
+ 	var (
+ 		namespace string
+-		encoded   *types.Any
+ 		envelope  events.Envelope
+ 	)
+ 
+@@ -94,7 +92,7 @@ func (e *Exchange) Publish(ctx context.Context, topic string, event events.Event
+ 		return fmt.Errorf("envelope topic %q: %w", topic, err)
+ 	}
+ 
+-	encoded, err = typeurl.MarshalAny(event)
++	encoded, err := typeurl.MarshalAny(event)
+ 	if err != nil {
+ 		return err
+ 	}
+@@ -108,7 +106,7 @@ func (e *Exchange) Publish(ctx context.Context, topic string, event events.Event
+ 		logger := log.G(ctx).WithFields(logrus.Fields{
+ 			"topic": envelope.Topic,
+ 			"ns":    envelope.Namespace,
+-			"type":  envelope.Event.TypeUrl,
++			"type":  envelope.Event.GetTypeUrl(),
+ 		})
+ 
+ 		if err != nil {
+diff --git a/go.mod b/go.mod
+index 26b0ae08bcc9..fc5ebe10e783 100644
+--- a/go.mod
++++ b/go.mod
+@@ -17,7 +17,7 @@ require (
+ 	github.com/containerd/imgcrypt v1.1.4
+ 	github.com/containerd/nri v0.1.0
+ 	github.com/containerd/ttrpc v1.1.2
+-	github.com/containerd/typeurl v1.0.2
++	github.com/containerd/typeurl v1.0.3-0.20220324183432-6193a0e03259
+ 	github.com/containerd/zfs v1.1.0
+ 	github.com/containernetworking/cni v1.1.1
+ 	github.com/containernetworking/plugins v1.1.1
+diff --git a/go.sum b/go.sum
+index 7f42e83a3b68..0bf0cb6c63e1 100644
+--- a/go.sum
++++ b/go.sum
+@@ -260,8 +260,9 @@ github.com/containerd/ttrpc v1.1.2/go.mod h1:XX4ZTnoOId4HklF4edwc4DcqskFZuvXB1Ev
+ github.com/containerd/typeurl v0.0.0-20180627222232-a93fcdb778cd/go.mod h1:Cm3kwCdlkCfMSHURc+r6fwoGH6/F1hH3S4sg0rLFWPc=
+ github.com/containerd/typeurl v0.0.0-20190911142611-5eb25027c9fd/go.mod h1:GeKYzf2pQcqv7tJ0AoCuuhtnqhva5LNU3U+OyKxxJpk=
+ github.com/containerd/typeurl v1.0.1/go.mod h1:TB1hUtrpaiO88KEK56ijojHS1+NeF0izUACaJW2mdXg=
+-github.com/containerd/typeurl v1.0.2 h1:Chlt8zIieDbzQFzXzAeBEF92KhExuE4p9p92/QmY7aY=
+ github.com/containerd/typeurl v1.0.2/go.mod h1:9trJWW2sRlGub4wZJRTW83VtbOLS6hwcDZXTn6oPz9s=
++github.com/containerd/typeurl v1.0.3-0.20220324183432-6193a0e03259 h1:bJv9qgjarrsdd4XIIczeRdYXON88Fgn3GdXVfnQjcSo=
++github.com/containerd/typeurl v1.0.3-0.20220324183432-6193a0e03259/go.mod h1:HDkcKOXRnX6yKnXv3P0QrogFi0DoiauK/LpQi961f0A=
+ github.com/containerd/zfs v0.0.0-20200918131355-0a33824f23a2/go.mod h1:8IgZOBdv8fAgXddBT4dBXJPtxyRsejFIpXoklgxgEjw=
+ github.com/containerd/zfs v0.0.0-20210301145711-11e8f1707f62/go.mod h1:A9zfAbMlQwE+/is6hi0Xw8ktpL+6glmqZYtevJgaB8Y=
+ github.com/containerd/zfs v0.0.0-20210315114300-dde8f0fda960/go.mod h1:m+m51S1DvAP6r3FcmYCp54bQ34pyOwTieQDNRIRHsFY=
+diff --git a/integration/client/container_test.go b/integration/client/container_test.go
+index 53cffb6874d1..cdf3c1fd0296 100644
+--- a/integration/client/container_test.go
++++ b/integration/client/container_test.go
+@@ -1570,11 +1570,11 @@ func TestContainerExtensions(t *testing.T) {
+ 		if len(cExts) != 1 {
+ 			t.Errorf("expected 1 container extension")
+ 		}
+-		if cExts["hello"].TypeUrl != ext.TypeUrl {
+-			t.Errorf("got unexpected type url for extension: %s", cExts["hello"].TypeUrl)
++		if actual := cExts["hello"].GetTypeUrl(); actual != ext.TypeUrl {
++			t.Errorf("got unexpected type url for extension: %s", actual)
+ 		}
+-		if !bytes.Equal(cExts["hello"].Value, ext.Value) {
+-			t.Errorf("expected extension value %q, got: %q", ext.Value, cExts["hello"].Value)
++		if actual := cExts["hello"].GetValue(); !bytes.Equal(actual, ext.Value) {
++			t.Errorf("expected extension value %q, got: %q", ext.Value, actual)
+ 		}
+ 	}
+ 
+diff --git a/integration/client/go.mod b/integration/client/go.mod
+index f5defa51018c..fcbbdee846ee 100644
+--- a/integration/client/go.mod
++++ b/integration/client/go.mod
+@@ -11,7 +11,7 @@ require (
+ 	github.com/containerd/continuity v0.3.0
+ 	github.com/containerd/go-runc v1.0.0
+ 	github.com/containerd/ttrpc v1.1.2
+-	github.com/containerd/typeurl v1.0.2
++	github.com/containerd/typeurl v1.0.3-0.20220324183432-6193a0e03259
+ 	github.com/gogo/protobuf v1.3.2
+ 	github.com/opencontainers/go-digest v1.0.0
+ 	github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b
+diff --git a/integration/client/go.sum b/integration/client/go.sum
+index 5e37298cff45..8c3099b3f5f6 100644
+--- a/integration/client/go.sum
++++ b/integration/client/go.sum
+@@ -148,8 +148,9 @@ github.com/containerd/ttrpc v1.1.0/go.mod h1:XX4ZTnoOId4HklF4edwc4DcqskFZuvXB1Ev
+ github.com/containerd/ttrpc v1.1.2 h1:4jH6OQDQqjfVD2b5TJS5TxmGuLGmp5WW7KtW2TWOP7c=
+ github.com/containerd/ttrpc v1.1.2/go.mod h1:XX4ZTnoOId4HklF4edwc4DcqskFZuvXB1Evzy5KFQpQ=
+ github.com/containerd/typeurl v1.0.1/go.mod h1:TB1hUtrpaiO88KEK56ijojHS1+NeF0izUACaJW2mdXg=
+-github.com/containerd/typeurl v1.0.2 h1:Chlt8zIieDbzQFzXzAeBEF92KhExuE4p9p92/QmY7aY=
+ github.com/containerd/typeurl v1.0.2/go.mod h1:9trJWW2sRlGub4wZJRTW83VtbOLS6hwcDZXTn6oPz9s=
++github.com/containerd/typeurl v1.0.3-0.20220324183432-6193a0e03259 h1:bJv9qgjarrsdd4XIIczeRdYXON88Fgn3GdXVfnQjcSo=
++github.com/containerd/typeurl v1.0.3-0.20220324183432-6193a0e03259/go.mod h1:HDkcKOXRnX6yKnXv3P0QrogFi0DoiauK/LpQi961f0A=
+ github.com/containerd/zfs v1.1.0/go.mod h1:oZF9wBnrnQjpWLaPKEinrx3TQ9a+W/RJO7Zb41d8YLE=
+ github.com/containernetworking/cni v1.0.1/go.mod h1:AKuhXbN5EzmD4yTNtfSsX3tPcmtrBI6QcRV0NiNt15Y=
+ github.com/containernetworking/cni v1.1.1/go.mod h1:sDpYKmGVENF3s6uvMvGgldDWeG8dMxakj/u+i9ht9vw=
+diff --git a/metadata/boltutil/helpers.go b/metadata/boltutil/helpers.go
+index 4201d7ba9ee1..2b2b0ad1e523 100644
+--- a/metadata/boltutil/helpers.go
++++ b/metadata/boltutil/helpers.go
+@@ -20,6 +20,8 @@ import (
+ 	"fmt"
+ 	"time"
+ 
++	"github.com/containerd/containerd/protobuf"
++	"github.com/containerd/typeurl"
+ 	"github.com/gogo/protobuf/proto"
+ 	"github.com/gogo/protobuf/types"
+ 	bolt "go.etcd.io/bbolt"
+@@ -151,7 +153,7 @@ func WriteTimestamps(bkt *bolt.Bucket, created, updated time.Time) error {
+ 
+ // WriteExtensions will write a KV map to the given bucket,
+ // where `K` is a string key and `V` is a protobuf's Any type that represents a generic extension.
+-func WriteExtensions(bkt *bolt.Bucket, extensions map[string]types.Any) error {
++func WriteExtensions(bkt *bolt.Bucket, extensions map[string]typeurl.Any) error {
+ 	if len(extensions) == 0 {
+ 		return nil
+ 	}
+@@ -162,8 +164,8 @@ func WriteExtensions(bkt *bolt.Bucket, extensions map[string]types.Any) error {
+ 	}
+ 
+ 	for name, ext := range extensions {
+-		ext := ext
+-		p, err := proto.Marshal(&ext)
++		ext := protobuf.FromAny(ext)
++		p, err := proto.Marshal(ext)
+ 		if err != nil {
+ 			return err
+ 		}
+@@ -177,9 +179,9 @@ func WriteExtensions(bkt *bolt.Bucket, extensions map[string]types.Any) error {
+ }
+ 
+ // ReadExtensions will read back a map of extensions from the given bucket, previously written by WriteExtensions
+-func ReadExtensions(bkt *bolt.Bucket) (map[string]types.Any, error) {
++func ReadExtensions(bkt *bolt.Bucket) (map[string]typeurl.Any, error) {
+ 	var (
+-		extensions = make(map[string]types.Any)
++		extensions = make(map[string]typeurl.Any)
+ 		ebkt       = bkt.Bucket(bucketKeyExtensions)
+ 	)
+ 
+@@ -193,7 +195,7 @@ func ReadExtensions(bkt *bolt.Bucket) (map[string]types.Any, error) {
+ 			return err
+ 		}
+ 
+-		extensions[string(k)] = t
++		extensions[string(k)] = &t
+ 		return nil
+ 	}); err != nil {
+ 		return nil, err
+@@ -203,12 +205,13 @@ func ReadExtensions(bkt *bolt.Bucket) (map[string]types.Any, error) {
+ }
+ 
+ // WriteAny write a protobuf's Any type to the bucket
+-func WriteAny(bkt *bolt.Bucket, name []byte, any *types.Any) error {
+-	if any == nil {
++func WriteAny(bkt *bolt.Bucket, name []byte, any typeurl.Any) error {
++	pbany := protobuf.FromAny(any)
++	if pbany == nil {
+ 		return nil
+ 	}
+ 
+-	data, err := proto.Marshal(any)
++	data, err := proto.Marshal(pbany)
+ 	if err != nil {
+ 		return err
+ 	}
+diff --git a/metadata/containers.go b/metadata/containers.go
+index 97002e5886e1..b27dc0f87208 100644
+--- a/metadata/containers.go
++++ b/metadata/containers.go
+@@ -30,6 +30,7 @@ import (
+ 	"github.com/containerd/containerd/labels"
+ 	"github.com/containerd/containerd/metadata/boltutil"
+ 	"github.com/containerd/containerd/namespaces"
++	"github.com/containerd/typeurl"
+ 	"github.com/gogo/protobuf/proto"
+ 	"github.com/gogo/protobuf/types"
+ 	bolt "go.etcd.io/bbolt"
+@@ -211,7 +212,7 @@ func (s *containerStore) Update(ctx context.Context, container containers.Contai
+ 
+ 			if strings.HasPrefix(path, "extensions.") {
+ 				if updated.Extensions == nil {
+-					updated.Extensions = map[string]types.Any{}
++					updated.Extensions = map[string]typeurl.Any{}
+ 				}
+ 				key := strings.TrimPrefix(path, "extensions.")
+ 				updated.Extensions[key] = container.Extensions[key]
+diff --git a/metadata/containers_test.go b/metadata/containers_test.go
+index b45d54cf5234..409bd8478763 100644
+--- a/metadata/containers_test.go
++++ b/metadata/containers_test.go
+@@ -31,10 +31,13 @@ import (
+ 	"github.com/containerd/containerd/filters"
+ 	"github.com/containerd/containerd/log/logtest"
+ 	"github.com/containerd/containerd/namespaces"
++	"github.com/containerd/containerd/protobuf"
+ 	"github.com/containerd/typeurl"
+ 	"github.com/gogo/protobuf/types"
++	"github.com/google/go-cmp/cmp"
+ 	specs "github.com/opencontainers/runtime-spec/specs-go"
+ 	bolt "go.etcd.io/bbolt"
++	"gotest.tools/v3/assert"
+ )
+ 
+ func init() {
+@@ -48,7 +51,7 @@ func TestContainersList(t *testing.T) {
+ 	store := NewContainerStore(NewDB(db, nil, nil))
+ 
+ 	spec := &specs.Spec{}
+-	encoded, err := typeurl.MarshalAny(spec)
++	encoded, err := protobuf.MarshalAnyToProto(spec)
+ 	if err != nil {
+ 		t.Fatal(err)
+ 	}
+@@ -180,13 +183,13 @@ func TestContainersCreateUpdateDelete(t *testing.T) {
+ 	store := NewContainerStore(NewDB(db, nil, nil))
+ 
+ 	spec := &specs.Spec{}
+-	encoded, err := typeurl.MarshalAny(spec)
++	encoded, err := protobuf.MarshalAnyToProto(spec)
+ 	if err != nil {
+ 		t.Fatal(err)
+ 	}
+ 
+ 	spec.Annotations = map[string]string{"updated": "true"}
+-	encodedUpdated, err := typeurl.MarshalAny(spec)
++	encodedUpdated, err := protobuf.MarshalAnyToProto(spec)
+ 	if err != nil {
+ 		t.Fatal(err)
+ 	}
+@@ -468,8 +471,8 @@ func TestContainersCreateUpdateDelete(t *testing.T) {
+ 				Runtime: containers.RuntimeInfo{
+ 					Name: "testruntime",
+ 				},
+-				Extensions: map[string]types.Any{
+-					"hello": {
++				Extensions: map[string]typeurl.Any{
++					"hello": &types.Any{
+ 						TypeUrl: "test.update.extensions",
+ 						Value:   []byte("hello"),
+ 					},
+@@ -480,8 +483,8 @@ func TestContainersCreateUpdateDelete(t *testing.T) {
+ 				Runtime: containers.RuntimeInfo{
+ 					Name: "testruntime",
+ 				},
+-				Extensions: map[string]types.Any{
+-					"hello": {
++				Extensions: map[string]typeurl.Any{
++					"hello": &types.Any{
+ 						TypeUrl: "test.update.extensions",
+ 						Value:   []byte("world"),
+ 					},
+@@ -492,8 +495,8 @@ func TestContainersCreateUpdateDelete(t *testing.T) {
+ 				Runtime: containers.RuntimeInfo{
+ 					Name: "testruntime",
+ 				},
+-				Extensions: map[string]types.Any{
+-					"hello": {
++				Extensions: map[string]typeurl.Any{
++					"hello": &types.Any{
+ 						TypeUrl: "test.update.extensions",
+ 						Value:   []byte("world"),
+ 					},
+@@ -507,8 +510,8 @@ func TestContainersCreateUpdateDelete(t *testing.T) {
+ 				Runtime: containers.RuntimeInfo{
+ 					Name: "testruntime",
+ 				},
+-				Extensions: map[string]types.Any{
+-					"hello": {
++				Extensions: map[string]typeurl.Any{
++					"hello": &types.Any{
+ 						TypeUrl: "test.update.extensions",
+ 						Value:   []byte("hello"),
+ 					},
+@@ -519,8 +522,8 @@ func TestContainersCreateUpdateDelete(t *testing.T) {
+ 				Runtime: containers.RuntimeInfo{
+ 					Name: "testruntime",
+ 				},
+-				Extensions: map[string]types.Any{
+-					"hello": {
++				Extensions: map[string]typeurl.Any{
++					"hello": &types.Any{
+ 						TypeUrl: "test.update.extensions",
+ 						Value:   []byte("world"),
+ 					},
+@@ -532,8 +535,8 @@ func TestContainersCreateUpdateDelete(t *testing.T) {
+ 				Runtime: containers.RuntimeInfo{
+ 					Name: "testruntime",
+ 				},
+-				Extensions: map[string]types.Any{
+-					"hello": {
++				Extensions: map[string]typeurl.Any{
++					"hello": &types.Any{
+ 						TypeUrl: "test.update.extensions",
+ 						Value:   []byte("hello"),
+ 					},
+@@ -547,8 +550,8 @@ func TestContainersCreateUpdateDelete(t *testing.T) {
+ 				Runtime: containers.RuntimeInfo{
+ 					Name: "testruntime",
+ 				},
+-				Extensions: map[string]types.Any{
+-					"hello": {
++				Extensions: map[string]typeurl.Any{
++					"hello": &types.Any{
+ 						TypeUrl: "test.update.extensions",
+ 						Value:   []byte("hello"),
+ 					},
+@@ -558,8 +561,8 @@ func TestContainersCreateUpdateDelete(t *testing.T) {
+ 				Labels: map[string]string{
+ 					"foo": "one",
+ 				},
+-				Extensions: map[string]types.Any{
+-					"hello": {
++				Extensions: map[string]typeurl.Any{
++					"hello": &types.Any{
+ 						TypeUrl: "test.update.extensions",
+ 						Value:   []byte("world"),
+ 					},
+@@ -571,8 +574,8 @@ func TestContainersCreateUpdateDelete(t *testing.T) {
+ 				Runtime: containers.RuntimeInfo{
+ 					Name: "testruntime",
+ 				},
+-				Extensions: map[string]types.Any{
+-					"hello": {
++				Extensions: map[string]typeurl.Any{
++					"hello": &types.Any{
+ 						TypeUrl: "test.update.extensions",
+ 						Value:   []byte("world"),
+ 					},
+@@ -586,21 +589,21 @@ func TestContainersCreateUpdateDelete(t *testing.T) {
+ 				Runtime: containers.RuntimeInfo{
+ 					Name: "testruntime",
+ 				},
+-				Extensions: map[string]types.Any{
++				Extensions: map[string]typeurl.Any{
+ 					// leaves hello in place.
+-					"hello": {
++					"hello": &types.Any{
+ 						TypeUrl: "test.update.extensions",
+ 						Value:   []byte("hello"),
+ 					},
+ 				},
+ 			},
+ 			input: containers.Container{
+-				Extensions: map[string]types.Any{
+-					"hello": {
++				Extensions: map[string]typeurl.Any{
++					"hello": &types.Any{
+ 						TypeUrl: "test.update.extensions",
+ 						Value:   []byte("universe"), // this will be ignored
+ 					},
+-					"bar": {
++					"bar": &types.Any{
+ 						TypeUrl: "test.update.extensions",
+ 						Value:   []byte("foo"), // this will be added
+ 					},
+@@ -612,12 +615,12 @@ func TestContainersCreateUpdateDelete(t *testing.T) {
+ 				Runtime: containers.RuntimeInfo{
+ 					Name: "testruntime",
+ 				},
+-				Extensions: map[string]types.Any{
+-					"hello": {
++				Extensions: map[string]typeurl.Any{
++					"hello": &types.Any{
+ 						TypeUrl: "test.update.extensions",
+ 						Value:   []byte("hello"), // remains as world
+ 					},
+-					"bar": {
++					"bar": &types.Any{
+ 						TypeUrl: "test.update.extensions",
+ 						Value:   []byte("foo"), // this will be added
+ 					},
+@@ -708,10 +711,26 @@ func checkContainerTimestamps(t *testing.T, c *containers.Container, now time.Ti
+ 	}
+ }
+ 
+-func checkContainersEqual(t *testing.T, a, b *containers.Container, format string, args ...interface{}) {
+-	if !reflect.DeepEqual(a, b) {
+-		t.Fatalf("containers not equal \n\t%v != \n\t%v: "+format, append([]interface{}{a, b}, args...)...)
++// isNil returns true if the given parameter is nil or typed nil.
++func isNil(x interface{}) bool {
++	if x == nil {
++		return true
+ 	}
++	v := reflect.ValueOf(x)
++	return v.Kind() == reflect.Ptr && v.IsNil()
++}
++
++func checkContainersEqual(t *testing.T, a, b *containers.Container, format string, args ...interface{}) {
++	// Ignore the difference of nil and typed nil.
++	opt := cmp.FilterValues(
++		func(x, y interface{}) bool {
++			return isNil(x) && isNil(y)
++		},
++		cmp.Comparer(func(_, _ interface{}) bool {
++			return true
++		}),
++	)
++	assert.DeepEqual(t, a, b, opt)
+ }
+ 
+ func testEnv(t *testing.T) (context.Context, *bolt.DB, func()) {
+diff --git a/metrics/cgroups/metrics_test.go b/metrics/cgroups/metrics_test.go
+index c71ea60a523a..c362ea3b9d65 100644
+--- a/metrics/cgroups/metrics_test.go
++++ b/metrics/cgroups/metrics_test.go
+@@ -32,7 +32,7 @@ import (
+ 	v2 "github.com/containerd/containerd/metrics/cgroups/v2"
+ 	v1types "github.com/containerd/containerd/metrics/types/v1"
+ 	v2types "github.com/containerd/containerd/metrics/types/v2"
+-	"github.com/containerd/typeurl"
++	"github.com/containerd/containerd/protobuf"
+ 	"github.com/prometheus/client_golang/prometheus"
+ 
+ 	metrics "github.com/docker/go-metrics"
+@@ -152,7 +152,7 @@ func (t *mockStatT) Namespace() string {
+ 
+ func (t *mockStatT) Stats(context.Context) (*types.Any, error) {
+ 	if t.isV1 {
+-		return typeurl.MarshalAny(&v1types.Metrics{})
++		return protobuf.MarshalAnyToProto(&v1types.Metrics{})
+ 	}
+-	return typeurl.MarshalAny(&v2types.Metrics{})
++	return protobuf.MarshalAnyToProto(&v2types.Metrics{})
+ }
+diff --git a/pkg/cri/server/events.go b/pkg/cri/server/events.go
+index c8ffdadbfd21..fbecb29a049a 100644
+--- a/pkg/cri/server/events.go
++++ b/pkg/cri/server/events.go
+@@ -32,7 +32,6 @@ import (
+ 	sandboxstore "github.com/containerd/containerd/pkg/cri/store/sandbox"
+ 	ctrdutil "github.com/containerd/containerd/pkg/cri/util"
+ 	"github.com/containerd/typeurl"
+-	gogotypes "github.com/gogo/protobuf/types"
+ 	"github.com/sirupsen/logrus"
+ 	"golang.org/x/net/context"
+ 	"k8s.io/utils/clock"
+@@ -207,7 +206,7 @@ func (em *eventMonitor) startContainerExitMonitor(ctx context.Context, id string
+ 	return stopCh
+ }
+ 
+-func convertEvent(e *gogotypes.Any) (string, interface{}, error) {
++func convertEvent(e typeurl.Any) (string, interface{}, error) {
+ 	id := ""
+ 	evt, err := typeurl.UnmarshalAny(e)
+ 	if err != nil {
+diff --git a/pkg/cri/server/helpers.go b/pkg/cri/server/helpers.go
+index 4ee0ae8ffc12..8937739540a5 100644
+--- a/pkg/cri/server/helpers.go
++++ b/pkg/cri/server/helpers.go
+@@ -371,10 +371,11 @@ func getRuntimeOptionsType(t string) interface{} {
+ 
+ // getRuntimeOptions get runtime options from container metadata.
+ func getRuntimeOptions(c containers.Container) (interface{}, error) {
+-	if c.Runtime.Options == nil {
++	from := c.Runtime.Options
++	if from == nil || from.GetValue() == nil {
+ 		return nil, nil
+ 	}
+-	opts, err := typeurl.UnmarshalAny(c.Runtime.Options)
++	opts, err := typeurl.UnmarshalAny(from)
+ 	if err != nil {
+ 		return nil, err
+ 	}
+diff --git a/pkg/cri/server/helpers_test.go b/pkg/cri/server/helpers_test.go
+index f73e174dcc47..8fa9af8c1767 100644
+--- a/pkg/cri/server/helpers_test.go
++++ b/pkg/cri/server/helpers_test.go
+@@ -23,6 +23,7 @@ import (
+ 	"testing"
+ 	"time"
+ 
++	"github.com/containerd/containerd/containers"
+ 	"github.com/containerd/containerd/errdefs"
+ 	"github.com/containerd/containerd/oci"
+ 	criconfig "github.com/containerd/containerd/pkg/cri/config"
+@@ -32,6 +33,8 @@ import (
+ 	"github.com/containerd/containerd/reference/docker"
+ 	"github.com/containerd/containerd/runtime/linux/runctypes"
+ 	runcoptions "github.com/containerd/containerd/runtime/v2/runc/options"
++	"github.com/containerd/typeurl"
++	"github.com/gogo/protobuf/types"
+ 
+ 	imagedigest "github.com/opencontainers/go-digest"
+ 	runtimespec "github.com/opencontainers/runtime-spec/specs-go"
+@@ -599,3 +602,13 @@ func TestValidateTargetContainer(t *testing.T) {
+ 	}
+ 
+ }
++
++func TestGetRuntimeOptions(t *testing.T) {
++	_, err := getRuntimeOptions(containers.Container{})
++	require.NoError(t, err)
++
++	var pbany *types.Any               // This is nil.
++	var typeurlAny typeurl.Any = pbany // This is typed nil.
++	_, err = getRuntimeOptions(containers.Container{Runtime: containers.RuntimeInfo{Options: typeurlAny}})
++	require.NoError(t, err)
++}
+diff --git a/pkg/cri/server/restart.go b/pkg/cri/server/restart.go
+index f5f3e5083e2c..f7db3f7b3064 100644
+--- a/pkg/cri/server/restart.go
++++ b/pkg/cri/server/restart.go
+@@ -166,7 +166,7 @@ func (c *criService) loadContainer(ctx context.Context, cntr containerd.Containe
+ 	if !ok {
+ 		return container, fmt.Errorf("metadata extension %q not found", containerMetadataExtension)
+ 	}
+-	data, err := typeurl.UnmarshalAny(&ext)
++	data, err := typeurl.UnmarshalAny(ext)
+ 	if err != nil {
+ 		return container, fmt.Errorf("failed to unmarshal metadata extension %q: %w", ext, err)
+ 	}
+@@ -335,7 +335,7 @@ func (c *criService) loadSandbox(ctx context.Context, cntr containerd.Container)
+ 	if !ok {
+ 		return sandbox, fmt.Errorf("metadata extension %q not found", sandboxMetadataExtension)
+ 	}
+-	data, err := typeurl.UnmarshalAny(&ext)
++	data, err := typeurl.UnmarshalAny(ext)
+ 	if err != nil {
+ 		return sandbox, fmt.Errorf("failed to unmarshal metadata extension %q: %w", ext, err)
+ 	}
+diff --git a/protobuf/any.go b/protobuf/any.go
+new file mode 100644
+index 000000000000..0f667176502e
+--- /dev/null
++++ b/protobuf/any.go
+@@ -0,0 +1,47 @@
++/*
++   Copyright The containerd Authors.
++
++   Licensed under the Apache License, Version 2.0 (the "License");
++   you may not use this file except in compliance with the License.
++   You may obtain a copy of the License at
++
++       http://www.apache.org/licenses/LICENSE-2.0
++
++   Unless required by applicable law or agreed to in writing, software
++   distributed under the License is distributed on an "AS IS" BASIS,
++   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++   See the License for the specific language governing permissions and
++   limitations under the License.
++*/
++
++package protobuf
++
++import (
++	"github.com/containerd/typeurl"
++	"github.com/gogo/protobuf/types"
++)
++
++// FromAny converts typeurl.Any to github.com/gogo/protobuf/types.Any.
++func FromAny(from typeurl.Any) *types.Any {
++	if from == nil {
++		return nil
++	}
++
++	if pbany, ok := from.(*types.Any); ok {
++		return pbany
++	}
++
++	return &types.Any{
++		TypeUrl: from.GetTypeUrl(),
++		Value:   from.GetValue(),
++	}
++}
++
++// FromAny converts an arbitrary interface to github.com/gogo/protobuf/types.Any.
++func MarshalAnyToProto(from interface{}) (*types.Any, error) {
++	any, err := typeurl.MarshalAny(from)
++	if err != nil {
++		return nil, err
++	}
++	return FromAny(any), nil
++}
+diff --git a/protobuf/any_test.go b/protobuf/any_test.go
+new file mode 100644
+index 000000000000..7a74ec16c28b
+--- /dev/null
++++ b/protobuf/any_test.go
+@@ -0,0 +1,26 @@
++/*
++   Copyright The containerd Authors.
++
++   Licensed under the Apache License, Version 2.0 (the "License");
++   you may not use this file except in compliance with the License.
++   You may obtain a copy of the License at
++
++       http://www.apache.org/licenses/LICENSE-2.0
++
++   Unless required by applicable law or agreed to in writing, software
++   distributed under the License is distributed on an "AS IS" BASIS,
++   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++   See the License for the specific language governing permissions and
++   limitations under the License.
++*/
++
++package protobuf
++
++import "testing"
++
++func TestFromAny(t *testing.T) {
++	actual := FromAny(nil)
++	if actual != nil {
++		t.Fatalf("expected nil, got %v", actual)
++	}
++}
+diff --git a/runtime/runtime.go b/runtime/runtime.go
+index 84aaa8ac67f5..1ca22ee2bccc 100644
+--- a/runtime/runtime.go
++++ b/runtime/runtime.go
+@@ -21,7 +21,7 @@ import (
+ 	"time"
+ 
+ 	"github.com/containerd/containerd/mount"
+-	"github.com/gogo/protobuf/types"
++	"github.com/containerd/typeurl"
+ )
+ 
+ // IO holds process IO information
+@@ -35,7 +35,7 @@ type IO struct {
+ // CreateOpts contains task creation data
+ type CreateOpts struct {
+ 	// Spec is the OCI runtime spec
+-	Spec *types.Any
++	Spec typeurl.Any
+ 	// Rootfs mounts to perform to gain access to the container's filesystem
+ 	Rootfs []mount.Mount
+ 	// IO for the container's main process
+@@ -43,9 +43,9 @@ type CreateOpts struct {
+ 	// Checkpoint digest to restore container state
+ 	Checkpoint string
+ 	// RuntimeOptions for the runtime
+-	RuntimeOptions *types.Any
++	RuntimeOptions typeurl.Any
+ 	// TaskOptions received for the task
+-	TaskOptions *types.Any
++	TaskOptions typeurl.Any
+ 	// Runtime name to use (e.g. `io.containerd.NAME.VERSION`).
+ 	// As an alternative full abs path to binary may be specified instead.
+ 	Runtime string
+diff --git a/runtime/v1/linux/runtime.go b/runtime/v1/linux/runtime.go
+index b6d53820a859..ad7a0b67ec0b 100644
+--- a/runtime/v1/linux/runtime.go
++++ b/runtime/v1/linux/runtime.go
+@@ -41,6 +41,7 @@ import (
+ 	"github.com/containerd/containerd/pkg/process"
+ 	"github.com/containerd/containerd/platforms"
+ 	"github.com/containerd/containerd/plugin"
++	"github.com/containerd/containerd/protobuf"
+ 	"github.com/containerd/containerd/runtime"
+ 	"github.com/containerd/containerd/runtime/linux/runctypes"
+ 	v1 "github.com/containerd/containerd/runtime/v1"
+@@ -178,7 +179,7 @@ func (r *Runtime) Create(ctx context.Context, id string, opts runtime.CreateOpts
+ 	bundle, err := newBundle(id,
+ 		filepath.Join(r.state, namespace),
+ 		filepath.Join(r.root, namespace),
+-		opts.Spec.Value)
++		opts.Spec.GetValue())
+ 	if err != nil {
+ 		return nil, err
+ 	}
+@@ -191,7 +192,7 @@ func (r *Runtime) Create(ctx context.Context, id string, opts runtime.CreateOpts
+ 	shimopt := ShimLocal(r.config, r.events)
+ 	if !r.config.NoShim {
+ 		var cgroup string
+-		if opts.TaskOptions != nil {
++		if opts.TaskOptions != nil && opts.TaskOptions.GetValue() != nil {
+ 			v, err := typeurl.UnmarshalAny(opts.TaskOptions)
+ 			if err != nil {
+ 				return nil, err
+@@ -244,7 +245,7 @@ func (r *Runtime) Create(ctx context.Context, id string, opts runtime.CreateOpts
+ 		Stderr:     opts.IO.Stderr,
+ 		Terminal:   opts.IO.Terminal,
+ 		Checkpoint: opts.Checkpoint,
+-		Options:    opts.TaskOptions,
++		Options:    protobuf.FromAny(opts.TaskOptions),
+ 	}
+ 	for _, m := range opts.Rootfs {
+ 		sopts.Rootfs = append(sopts.Rootfs, &types.Mount{
+@@ -537,7 +538,7 @@ func (r *Runtime) getRuncOptions(ctx context.Context, id string) (*runctypes.Run
+ 		return nil, err
+ 	}
+ 
+-	if container.Runtime.Options != nil {
++	if container.Runtime.Options != nil && container.Runtime.Options.GetValue() != nil {
+ 		v, err := typeurl.UnmarshalAny(container.Runtime.Options)
+ 		if err != nil {
+ 			return nil, err
+diff --git a/runtime/v1/linux/task.go b/runtime/v1/linux/task.go
+index 3ac7839ff02b..44c89e5c27c2 100644
+--- a/runtime/v1/linux/task.go
++++ b/runtime/v1/linux/task.go
+@@ -32,11 +32,11 @@ import (
+ 	"github.com/containerd/containerd/events/exchange"
+ 	"github.com/containerd/containerd/identifiers"
+ 	"github.com/containerd/containerd/log"
++	"github.com/containerd/containerd/protobuf"
+ 	"github.com/containerd/containerd/runtime"
+ 	"github.com/containerd/containerd/runtime/v1/shim/client"
+ 	"github.com/containerd/containerd/runtime/v1/shim/v1"
+ 	"github.com/containerd/ttrpc"
+-	"github.com/containerd/typeurl"
+ 	"github.com/gogo/protobuf/types"
+ )
+ 
+@@ -340,7 +340,7 @@ func (t *Task) Stats(ctx context.Context) (*types.Any, error) {
+ 	if err != nil {
+ 		return nil, err
+ 	}
+-	return typeurl.MarshalAny(stats)
++	return protobuf.MarshalAnyToProto(stats)
+ }
+ 
+ // Cgroup returns the underlying cgroup for a linux task
+diff --git a/runtime/v1/shim/service.go b/runtime/v1/shim/service.go
+index a08757d0a7b9..926134821d38 100644
+--- a/runtime/v1/shim/service.go
++++ b/runtime/v1/shim/service.go
+@@ -37,6 +37,7 @@ import (
+ 	"github.com/containerd/containerd/namespaces"
+ 	"github.com/containerd/containerd/pkg/process"
+ 	"github.com/containerd/containerd/pkg/stdio"
++	"github.com/containerd/containerd/protobuf"
+ 	"github.com/containerd/containerd/runtime"
+ 	"github.com/containerd/containerd/runtime/linux/runctypes"
+ 	shimapi "github.com/containerd/containerd/runtime/v1/shim/v1"
+@@ -412,7 +413,7 @@ func (s *Service) ListPids(ctx context.Context, r *shimapi.ListPidsRequest) (*sh
+ 				if err != nil {
+ 					return nil, fmt.Errorf("failed to marshal process %d info: %w", pid, err)
+ 				}
+-				pInfo.Info = a
++				pInfo.Info = protobuf.FromAny(a)
+ 				break
+ 			}
+ 		}
+diff --git a/runtime/v2/manager.go b/runtime/v2/manager.go
+index 1927cbb3f0c3..505d5d896995 100644
+--- a/runtime/v2/manager.go
++++ b/runtime/v2/manager.go
+@@ -33,6 +33,7 @@ import (
+ 	"github.com/containerd/containerd/pkg/timeout"
+ 	"github.com/containerd/containerd/platforms"
+ 	"github.com/containerd/containerd/plugin"
++	"github.com/containerd/containerd/protobuf"
+ 	"github.com/containerd/containerd/runtime"
+ 	shimbinary "github.com/containerd/containerd/runtime/v2/shim"
+ 	"github.com/containerd/containerd/runtime/v2/task"
+@@ -156,7 +157,7 @@ func (m *ShimManager) ID() string {
+ 
+ // Start launches a new shim instance
+ func (m *ShimManager) Start(ctx context.Context, id string, opts runtime.CreateOpts) (_ ShimProcess, retErr error) {
+-	bundle, err := NewBundle(ctx, m.root, m.state, id, opts.Spec.Value)
++	bundle, err := NewBundle(ctx, m.root, m.state, id, opts.Spec.GetValue())
+ 	if err != nil {
+ 		return nil, err
+ 	}
+@@ -197,7 +198,7 @@ func (m *ShimManager) startShim(ctx context.Context, bundle *Bundle, id string,
+ 	}
+ 
+ 	topts := opts.TaskOptions
+-	if topts == nil {
++	if topts == nil || topts.GetValue() == nil {
+ 		topts = opts.RuntimeOptions
+ 	}
+ 
+@@ -212,7 +213,7 @@ func (m *ShimManager) startShim(ctx context.Context, bundle *Bundle, id string,
+ 		ttrpcAddress: m.containerdTTRPCAddress,
+ 		schedCore:    m.schedCore,
+ 	})
+-	shim, err := b.Start(ctx, topts, func() {
++	shim, err := b.Start(ctx, protobuf.FromAny(topts), func() {
+ 		log.G(ctx).WithField("id", id).Info("shim disconnected")
+ 
+ 		cleanupAfterDeadShim(context.Background(), id, ns, m.shims, m.events, b)
+diff --git a/runtime/v2/runc/container.go b/runtime/v2/runc/container.go
+index aac9dad7e916..c7e82b610695 100644
+--- a/runtime/v2/runc/container.go
++++ b/runtime/v2/runc/container.go
+@@ -49,12 +49,14 @@ func NewContainer(ctx context.Context, platform stdio.Platform, r *task.CreateTa
+ 	}
+ 
+ 	var opts options.Options
+-	if r.Options != nil && r.Options.GetTypeUrl() != "" {
++	if r.Options.GetValue() != nil {
+ 		v, err := typeurl.UnmarshalAny(r.Options)
+ 		if err != nil {
+ 			return nil, err
+ 		}
+-		opts = *v.(*options.Options)
++		if v != nil {
++			opts = *v.(*options.Options)
++		}
+ 	}
+ 
+ 	var mounts []process.Mount
+diff --git a/runtime/v2/runc/task/service.go b/runtime/v2/runc/task/service.go
+index d6af20fb03f0..25ec6d1f9df5 100644
+--- a/runtime/v2/runc/task/service.go
++++ b/runtime/v2/runc/task/service.go
+@@ -38,6 +38,7 @@ import (
+ 	"github.com/containerd/containerd/pkg/shutdown"
+ 	"github.com/containerd/containerd/pkg/stdio"
+ 	"github.com/containerd/containerd/pkg/userns"
++	"github.com/containerd/containerd/protobuf"
+ 	"github.com/containerd/containerd/runtime/v2/runc"
+ 	"github.com/containerd/containerd/runtime/v2/runc/options"
+ 	"github.com/containerd/containerd/runtime/v2/shim"
+@@ -475,7 +476,7 @@ func (s *service) Pids(ctx context.Context, r *taskAPI.PidsRequest) (*taskAPI.Pi
+ 				d := &options.ProcessDetails{
+ 					ExecID: p.ID(),
+ 				}
+-				a, err := typeurl.MarshalAny(d)
++				a, err := protobuf.MarshalAnyToProto(d)
+ 				if err != nil {
+ 					return nil, fmt.Errorf("failed to marshal process %d info: %w", pid, err)
+ 				}
+@@ -603,7 +604,7 @@ func (s *service) Stats(ctx context.Context, r *taskAPI.StatsRequest) (*taskAPI.
+ 		return nil, err
+ 	}
+ 	return &taskAPI.StatsResponse{
+-		Stats: data,
++		Stats: protobuf.FromAny(data),
+ 	}, nil
+ }
+ 
+diff --git a/runtime/v2/runc/v1/service.go b/runtime/v2/runc/v1/service.go
+index 8c473430e218..8fdac3f8a2fd 100644
+--- a/runtime/v2/runc/v1/service.go
++++ b/runtime/v2/runc/v1/service.go
+@@ -41,6 +41,7 @@ import (
+ 	"github.com/containerd/containerd/pkg/process"
+ 	"github.com/containerd/containerd/pkg/schedcore"
+ 	"github.com/containerd/containerd/pkg/stdio"
++	"github.com/containerd/containerd/protobuf"
+ 	"github.com/containerd/containerd/runtime/v2/runc"
+ 	"github.com/containerd/containerd/runtime/v2/runc/options"
+ 	"github.com/containerd/containerd/runtime/v2/shim"
+@@ -507,7 +508,7 @@ func (s *service) Pids(ctx context.Context, r *taskAPI.PidsRequest) (*taskAPI.Pi
+ 				d := &options.ProcessDetails{
+ 					ExecID: p.ID(),
+ 				}
+-				a, err := typeurl.MarshalAny(d)
++				a, err := protobuf.MarshalAnyToProto(d)
+ 				if err != nil {
+ 					return nil, fmt.Errorf("failed to marshal process %d info: %w", pid, err)
+ 				}
+@@ -621,7 +622,7 @@ func (s *service) Stats(ctx context.Context, r *taskAPI.StatsRequest) (*taskAPI.
+ 		return nil, err
+ 	}
+ 	return &taskAPI.StatsResponse{
+-		Stats: data,
++		Stats: protobuf.FromAny(data),
+ 	}, nil
+ }
+ 
+diff --git a/runtime/v2/shim.go b/runtime/v2/shim.go
+index 456ffb4409bd..18cc9a0ed6cc 100644
+--- a/runtime/v2/shim.go
++++ b/runtime/v2/shim.go
+@@ -34,6 +34,7 @@ import (
+ 	"github.com/containerd/containerd/log"
+ 	"github.com/containerd/containerd/namespaces"
+ 	"github.com/containerd/containerd/pkg/timeout"
++	"github.com/containerd/containerd/protobuf"
+ 	"github.com/containerd/containerd/runtime"
+ 	client "github.com/containerd/containerd/runtime/v2/shim"
+ 	"github.com/containerd/containerd/runtime/v2/task"
+@@ -324,7 +325,7 @@ func (s *shimTask) delete(ctx context.Context, removeTask func(ctx context.Conte
+ 
+ func (s *shimTask) Create(ctx context.Context, opts runtime.CreateOpts) (runtime.Task, error) {
+ 	topts := opts.TaskOptions
+-	if topts == nil {
++	if topts == nil || topts.GetValue() == nil {
+ 		topts = opts.RuntimeOptions
+ 	}
+ 	request := &task.CreateTaskRequest{
+@@ -335,7 +336,7 @@ func (s *shimTask) Create(ctx context.Context, opts runtime.CreateOpts) (runtime
+ 		Stderr:     opts.IO.Stderr,
+ 		Terminal:   opts.IO.Terminal,
+ 		Checkpoint: opts.Checkpoint,
+-		Options:    topts,
++		Options:    protobuf.FromAny(topts),
+ 	}
+ 	for _, m := range opts.Rootfs {
+ 		request.Rootfs = append(request.Rootfs, &types.Mount{
+diff --git a/runtime/v2/shim/publisher.go b/runtime/v2/shim/publisher.go
+index ed1ebdd58b9c..20856f115bd6 100644
+--- a/runtime/v2/shim/publisher.go
++++ b/runtime/v2/shim/publisher.go
+@@ -25,8 +25,8 @@ import (
+ 	"github.com/containerd/containerd/events"
+ 	"github.com/containerd/containerd/namespaces"
+ 	"github.com/containerd/containerd/pkg/ttrpcutil"
++	"github.com/containerd/containerd/protobuf"
+ 	"github.com/containerd/ttrpc"
+-	"github.com/containerd/typeurl"
+ 	"github.com/sirupsen/logrus"
+ )
+ 
+@@ -110,7 +110,7 @@ func (l *RemoteEventsPublisher) Publish(ctx context.Context, topic string, event
+ 	if err != nil {
+ 		return err
+ 	}
+-	any, err := typeurl.MarshalAny(event)
++	any, err := protobuf.MarshalAnyToProto(event)
+ 	if err != nil {
+ 		return err
+ 	}
+diff --git a/services/containers/helpers.go b/services/containers/helpers.go
+index aece9ca41471..a75d5d62bbc0 100644
+--- a/services/containers/helpers.go
++++ b/services/containers/helpers.go
+@@ -19,6 +19,9 @@ package containers
+ import (
+ 	api "github.com/containerd/containerd/api/services/containers/v1"
+ 	"github.com/containerd/containerd/containers"
++	"github.com/containerd/containerd/protobuf"
++	"github.com/containerd/typeurl"
++	"github.com/gogo/protobuf/types"
+ )
+ 
+ func containersToProto(containers []containers.Container) []api.Container {
+@@ -33,20 +36,24 @@ func containersToProto(containers []containers.Container) []api.Container {
+ }
+ 
+ func containerToProto(container *containers.Container) api.Container {
++	extensions := make(map[string]types.Any)
++	for k, v := range container.Extensions {
++		extensions[k] = *protobuf.FromAny(v)
++	}
+ 	return api.Container{
+ 		ID:     container.ID,
+ 		Labels: container.Labels,
+ 		Image:  container.Image,
+ 		Runtime: &api.Container_Runtime{
+ 			Name:    container.Runtime.Name,
+-			Options: container.Runtime.Options,
++			Options: protobuf.FromAny(container.Runtime.Options),
+ 		},
+-		Spec:        container.Spec,
++		Spec:        protobuf.FromAny(container.Spec),
+ 		Snapshotter: container.Snapshotter,
+ 		SnapshotKey: container.SnapshotKey,
+ 		CreatedAt:   container.CreatedAt,
+ 		UpdatedAt:   container.UpdatedAt,
+-		Extensions:  container.Extensions,
++		Extensions:  extensions,
+ 	}
+ }
+ 
+@@ -58,6 +65,11 @@ func containerFromProto(containerpb *api.Container) containers.Container {
+ 			Options: containerpb.Runtime.Options,
+ 		}
+ 	}
++	extensions := make(map[string]typeurl.Any)
++	for k, v := range containerpb.Extensions {
++		v := v
++		extensions[k] = &v
++	}
+ 	return containers.Container{
+ 		ID:          containerpb.ID,
+ 		Labels:      containerpb.Labels,
+@@ -66,6 +78,6 @@ func containerFromProto(containerpb *api.Container) containers.Container {
+ 		Spec:        containerpb.Spec,
+ 		Snapshotter: containerpb.Snapshotter,
+ 		SnapshotKey: containerpb.SnapshotKey,
+-		Extensions:  containerpb.Extensions,
++		Extensions:  extensions,
+ 	}
+ }
+diff --git a/services/events/service.go b/services/events/service.go
+index 3b5f811382b7..b1992a1ab716 100644
+--- a/services/events/service.go
++++ b/services/events/service.go
+@@ -26,6 +26,7 @@ import (
+ 	"github.com/containerd/containerd/events"
+ 	"github.com/containerd/containerd/events/exchange"
+ 	"github.com/containerd/containerd/plugin"
++	"github.com/containerd/containerd/protobuf"
+ 	"github.com/containerd/ttrpc"
+ 	ptypes "github.com/gogo/protobuf/types"
+ 	"google.golang.org/grpc"
+@@ -115,7 +116,7 @@ func toProto(env *events.Envelope) *api.Envelope {
+ 		Timestamp: env.Timestamp,
+ 		Namespace: env.Namespace,
+ 		Topic:     env.Topic,
+-		Event:     env.Event,
++		Event:     protobuf.FromAny(env.Event),
+ 	}
+ }
+ 
+diff --git a/services/tasks/local.go b/services/tasks/local.go
+index 96ed36ca4a34..34cb23d1672c 100644
+--- a/services/tasks/local.go
++++ b/services/tasks/local.go
+@@ -41,6 +41,7 @@ import (
+ 	"github.com/containerd/containerd/mount"
+ 	"github.com/containerd/containerd/pkg/timeout"
+ 	"github.com/containerd/containerd/plugin"
++	"github.com/containerd/containerd/protobuf"
+ 	"github.com/containerd/containerd/runtime"
+ 	"github.com/containerd/containerd/runtime/linux/runctypes"
+ 	"github.com/containerd/containerd/runtime/v2/runc/options"
+@@ -461,7 +462,7 @@ func (l *local) ListPids(ctx context.Context, r *api.ListPidsRequest, _ ...grpc.
+ 			Pid: p.Pid,
+ 		}
+ 		if p.Info != nil {
+-			a, err := typeurl.MarshalAny(p.Info)
++			a, err := protobuf.MarshalAnyToProto(p.Info)
+ 			if err != nil {
+ 				return nil, fmt.Errorf("failed to marshal process %d info: %w", p.Pid, err)
+ 			}
+@@ -576,7 +577,7 @@ func (l *local) Checkpoint(ctx context.Context, r *api.CheckpointTaskRequest, _
+ 		return nil, err
+ 	}
+ 	// write the config to the content store
+-	data, err := container.Spec.Marshal()
++	data, err := protobuf.FromAny(container.Spec).Marshal()
+ 	if err != nil {
+ 		return nil, err
+ 	}
+diff --git a/task.go b/task.go
+index ef8cd44942cf..bcb522c52e30 100644
+--- a/task.go
++++ b/task.go
+@@ -38,6 +38,7 @@ import (
+ 	"github.com/containerd/containerd/mount"
+ 	"github.com/containerd/containerd/oci"
+ 	"github.com/containerd/containerd/plugin"
++	"github.com/containerd/containerd/protobuf"
+ 	"github.com/containerd/containerd/rootfs"
+ 	"github.com/containerd/containerd/runtime/linux/runctypes"
+ 	"github.com/containerd/containerd/runtime/v2/runc/options"
+@@ -365,7 +366,7 @@ func (t *task) Exec(ctx context.Context, id string, spec *specs.Process, ioCreat
+ 			i.Close()
+ 		}
+ 	}()
+-	any, err := typeurl.MarshalAny(spec)
++	any, err := protobuf.MarshalAnyToProto(spec)
+ 	if err != nil {
+ 		return nil, err
+ 	}
+@@ -465,7 +466,7 @@ func (t *task) Checkpoint(ctx context.Context, opts ...CheckpointTaskOpts) (Imag
+ 	}
+ 	request.ParentCheckpoint = i.ParentCheckpoint
+ 	if i.Options != nil {
+-		any, err := typeurl.MarshalAny(i.Options)
++		any, err := protobuf.MarshalAnyToProto(i.Options)
+ 		if err != nil {
+ 			return nil, err
+ 		}
+@@ -554,7 +555,7 @@ func (t *task) Update(ctx context.Context, opts ...UpdateTaskOpts) error {
+ 		if err != nil {
+ 			return err
+ 		}
+-		request.Resources = any
++		request.Resources = protobuf.FromAny(any)
+ 	}
+ 	if i.Annotations != nil {
+ 		request.Annotations = i.Annotations
+-- 
+2.41.0
+
diff --git a/anda/docker/containerd/0001-opencontainers-image-spec-v1.1.0-rc3.patch b/anda/docker/containerd/0001-opencontainers-image-spec-v1.1.0-rc3.patch
new file mode 100644
index 0000000000..dafb32e536
--- /dev/null
+++ b/anda/docker/containerd/0001-opencontainers-image-spec-v1.1.0-rc3.patch
@@ -0,0 +1,162 @@
+From 4347fc8bc2ac225117a3280c0445e855ca7a69f3 Mon Sep 17 00:00:00 2001
+From: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
+Date: Tue, 9 May 2023 22:24:47 +0900
+Subject: [PATCH] go.mod: github.com/opencontainers/image-spec v1.1.0-rc3
+
+Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
+---
+ go.mod                                        |  2 +-
+ go.sum                                        |  4 +--
+ images/converter/default.go                   |  4 +--
+ images/converter/uncompress/uncompress.go     |  6 ++--
+ images/diffid.go                              |  2 +-
+ images/mediatypes.go                          |  2 +-
+ integration/client/go.mod                     |  2 +-
+ integration/client/go.sum                     |  4 +--
+ integration/client/import_test.go             |  8 +++--
+ oci/spec_opts.go                              |  1 +
+ pkg/cri/opts/spec_windows.go                  |  4 +--
+ remotes/handlers_test.go                      |  1 +
+ .../image-spec/specs-go/v1/annotations.go     |  3 --
+ .../image-spec/specs-go/v1/artifact.go        | 34 -------------------
+ .../image-spec/specs-go/v1/config.go          | 34 ++++++-------------
+ .../image-spec/specs-go/v1/manifest.go        | 11 ++++++
+ .../image-spec/specs-go/v1/mediatype.go       | 19 +++++++++--
+ .../image-spec/specs-go/version.go            |  2 +-
+ vendor/modules.txt                            |  4 +--
+ 19 files changed, 64 insertions(+), 83 deletions(-)
+ delete mode 100644 vendor/github.com/opencontainers/image-spec/specs-go/v1/artifact.go
+
+diff --git a/images/converter/default.go b/images/converter/default.go
+index c67617e4ccfc..4a887242ce40 100644
+--- a/images/converter/default.go
++++ b/images/converter/default.go
+@@ -431,11 +431,11 @@ func ConvertDockerMediaTypeToOCI(mt stri
+ 	case images.MediaTypeDockerSchema2LayerGzip:
+ 		return ocispec.MediaTypeImageLayerGzip
+ 	case images.MediaTypeDockerSchema2LayerForeignGzip:
+-		return ocispec.MediaTypeImageLayerNonDistributableGzip
++		return ocispec.MediaTypeImageLayerNonDistributableGzip //nolint:staticcheck // deprecated
+ 	case images.MediaTypeDockerSchema2Layer:
+ 		return ocispec.MediaTypeImageLayer
+ 	case images.MediaTypeDockerSchema2LayerForeign:
+-		return ocispec.MediaTypeImageLayerNonDistributable
++		return ocispec.MediaTypeImageLayerNonDistributable //nolint:staticcheck // deprecated
+ 	case images.MediaTypeDockerSchema2Config:
+ 		return ocispec.MediaTypeImageConfig
+ 	default:
+diff --git a/images/converter/uncompress/uncompress.go b/images/converter/uncompress/uncompress.go
+index 30ae02cf5ef9..ceb998fb8ff6 100644
+--- a/images/converter/uncompress/uncompress.go
++++ b/images/converter/uncompress/uncompress.go
+@@ -99,7 +99,7 @@ func IsUncompressedType(mt string) bool
+ 		images.MediaTypeDockerSchema2Layer,
+ 		images.MediaTypeDockerSchema2LayerForeign,
+ 		ocispec.MediaTypeImageLayer,
+-		ocispec.MediaTypeImageLayerNonDistributable:
++		ocispec.MediaTypeImageLayerNonDistributable: //nolint:staticcheck // deprecated
+ 		return true
+ 	default:
+ 		return false
+@@ -114,8 +114,8 @@ func convertMediaType(mt string) string
+ 		return images.MediaTypeDockerSchema2LayerForeign
+ 	case ocispec.MediaTypeImageLayerGzip, ocispec.MediaTypeImageLayerZstd:
+ 		return ocispec.MediaTypeImageLayer
+-	case ocispec.MediaTypeImageLayerNonDistributableGzip, ocispec.MediaTypeImageLayerNonDistributableZstd:
+-		return ocispec.MediaTypeImageLayerNonDistributable
++	case ocispec.MediaTypeImageLayerNonDistributableGzip, ocispec.MediaTypeImageLayerNonDistributableZstd: //nolint:staticcheck // deprecated
++		return ocispec.MediaTypeImageLayerNonDistributable //nolint:staticcheck // deprecated
+ 	default:
+ 		return mt
+ 	}
+diff --git a/images/diffid.go b/images/diffid.go
+index 1bd5256e2b37..c031f8e36377 100644
+--- a/images/diffid.go
++++ b/images/diffid.go
+@@ -36,7 +36,7 @@ func GetDiffID(ctx context.Context, cs c
+ 		MediaTypeDockerSchema2Layer,
+ 		ocispec.MediaTypeImageLayer,
+ 		MediaTypeDockerSchema2LayerForeign,
+-		ocispec.MediaTypeImageLayerNonDistributable:
++		ocispec.MediaTypeImageLayerNonDistributable: //nolint:staticcheck // deprecated
+ 		return desc.Digest, nil
+ 	}
+ 	info, err := cs.Info(ctx, desc.Digest)
+diff --git a/images/mediatypes.go b/images/mediatypes.go
+index 067963babba1..d3b28d42dc61 100644
+--- a/images/mediatypes.go
++++ b/images/mediatypes.go
+@@ -76,7 +76,7 @@ func DiffCompression(ctx context.Context
+ 			return "", nil
+ 		}
+ 		return "gzip", nil
+-	case ocispec.MediaTypeImageLayer, ocispec.MediaTypeImageLayerNonDistributable:
++	case ocispec.MediaTypeImageLayer, ocispec.MediaTypeImageLayerNonDistributable: //nolint:staticcheck // Non-distributable layers are deprecated
+ 		if len(ext) > 0 {
+ 			switch ext[len(ext)-1] {
+ 			case "gzip":
+diff --git a/integration/client/import_test.go b/integration/client/import_test.go
+index f2ba3db35f89..9f2cc46e624e 100644
+--- a/integration/client/import_test.go
++++ b/integration/client/import_test.go
+@@ -370,9 +370,11 @@ func createContent(size int64, seed int6
+
+ func createConfig(osName, archName string) ([]byte, digest.Digest) {
+ 	image := ocispec.Image{
+-		OS:           osName,
+-		Architecture: archName,
+-		Author:       "test",
++		Platform: ocispec.Platform{
++			OS:           osName,
++			Architecture: archName,
++		},
++		Author: author,
+ 	}
+ 	b, _ := json.Marshal(image)
+
+diff --git a/oci/spec_opts.go b/oci/spec_opts.go
+index f38828988577..8c4abd0bd876 100644
+--- a/oci/spec_opts.go
++++ b/oci/spec_opts.go
+@@ -446,6 +446,7 @@ func WithImageConfigArgs(image Image, ar
+ 				return errors.New("no arguments specified")
+ 			}
+
++			//nolint:staticcheck // ArgsEscaped is deprecated
+ 			if config.ArgsEscaped && (len(config.Entrypoint) > 0 || cmdFromImage) {
+ 				s.Process.Args = nil
+ 				s.Process.CommandLine = cmd[0]
+diff --git a/pkg/cri/opts/spec_windows.go b/pkg/cri/opts/spec_windows.go
+index 0964084ca107..0f7307bd0a6f 100644
+--- a/pkg/cri/opts/spec_windows.go
++++ b/pkg/cri/opts/spec_windows.go
+@@ -260,7 +260,7 @@ func escapeAndCombineArgsWindows(args []
+ // If image.ArgsEscaped field is set, this function sets the process command line and if not, it sets the
+ // process args field
+ func WithProcessCommandLineOrArgsForWindows(config *runtime.ContainerConfig, image *imagespec.ImageConfig) oci.SpecOpts {
+-	if image.ArgsEscaped {
++	if image.ArgsEscaped { //nolint:staticcheck // ArgsEscaped is deprecated
+ 		return func(ctx context.Context, client oci.Client, c *containers.Container, s *runtimespec.Spec) (err error) {
+ 			// firstArgFromImg is a flag that is returned to indicate that the first arg in the slice comes from either the
+ 			// image Entrypoint or Cmd. If the first arg instead comes from the container config (e.g. overriding the image values),
+@@ -273,7 +273,7 @@ func WithProcessCommandLineOrArgsForWind
+ 			}
+
+ 			var cmdLine string
+-			if image.ArgsEscaped && firstArgFromImg {
++			if image.ArgsEscaped && firstArgFromImg { //nolint:staticcheck // ArgsEscaped is deprecated
+ 				cmdLine = args[0]
+ 				if len(args) > 1 {
+ 					cmdLine += " " + escapeAndCombineArgsWindows(args[1:])
+diff --git a/remotes/handlers_test.go b/remotes/handlers_test.go
+index c0446e1a52e6..9acf54680bf3 100644
+--- a/remotes/handlers_test.go
++++ b/remotes/handlers_test.go
+@@ -78,6 +78,7 @@ func TestContextCustomKeyPrefix(t *testi
+ 	})
+ }
+
++//nolint:staticcheck // Non-distributable layers are deprecated
+ func TestSkipNonDistributableBlobs(t *testing.T) {
+ 	ctx := context.Background()
+
diff --git a/anda/docker/containerd/0002-Remove-windows-only-dep.patch b/anda/docker/containerd/0002-Remove-windows-only-dep.patch
new file mode 100644
index 0000000000..92a2856cfb
--- /dev/null
+++ b/anda/docker/containerd/0002-Remove-windows-only-dep.patch
@@ -0,0 +1,24 @@
+diff --git a/pkg/cri/server/helpers.go b/pkg/cri/server/helpers.go
+index a8498116d..3682be668 100644
+--- a/pkg/cri/server/helpers.go
++++ b/pkg/cri/server/helpers.go
+@@ -40,7 +40,7 @@ import (
+ 	runtimespec "github.com/opencontainers/runtime-spec/specs-go"
+ 	"github.com/sirupsen/logrus"
+ 
+-	runhcsoptions "github.com/Microsoft/hcsshim/cmd/containerd-shim-runhcs-v1/options"
++	// runhcsoptions "github.com/Microsoft/hcsshim/cmd/containerd-shim-runhcs-v1/options"
+ 	imagedigest "github.com/opencontainers/go-digest"
+ 	"github.com/pelletier/go-toml"
+ 	"golang.org/x/net/context"
+@@ -366,8 +366,8 @@ func getRuntimeOptionsType(t string) interface{} {
+ 		return &runcoptions.Options{}
+ 	case plugin.RuntimeLinuxV1:
+ 		return &runctypes.RuncOptions{}
+-	case runtimeRunhcsV1:
+-		return &runhcsoptions.Options{}
++	// case runtimeRunhcsV1:
++	//	return &runhcsoptions.Options{}
+ 	default:
+ 		return &runtimeoptions.Options{}
+ 	}
diff --git a/anda/docker/containerd/anda.hcl b/anda/docker/containerd/anda.hcl
new file mode 100644
index 0000000000..595cb36095
--- /dev/null
+++ b/anda/docker/containerd/anda.hcl
@@ -0,0 +1,5 @@
+project "pkg" {
+    rpm {
+        spec = "containerd.spec"
+    }
+}
\ No newline at end of file
diff --git a/anda/docker/containerd/changelog b/anda/docker/containerd/changelog
new file mode 100644
index 0000000000..eef50d4496
--- /dev/null
+++ b/anda/docker/containerd/changelog
@@ -0,0 +1,167 @@
+* Mon Jun 06 2022 Maxwell G <gotmax@e.email> 1.6.6-1
+- Update to 1.6.6.
+- Mitigates GHSA-5ffw-gxpp-mxpf / CVE-2022-31030.
+
+* Sun Jun 05 2022 Maxwell G <gotmax@e.email> 1.6.5-2
+- Bump release
+
+* Sat Jun 04 2022 Maxwell G <gotmax@e.email> 1.6.5-1
+- Update to 1.6.5. Fixes rhbz#2093608.
+
+* Wed May 11 2022 Maxwell G <gotmax@e.email> 1.6.4-1
+- Update to 1.6.4. Fixes rhbz#079050 and rhbz#2079779.
+
+* Sat Apr 16 2022 Fabio Alessandro Locati <me@fale.io> 1.6.2-2
+- Rebuilt for CVE-2022-27191
+
+* Sun Apr 03 2022 Maxwell G <gotmax@e.email> 1.6.2-1
+- Update to 1.6.2 (rhbz#2068277). Mitigates CVE-2022-24769 /
+  GHSA-c9cp-9c75-9v8c.
+
+* Sat Mar 12 2022 Maxwell G <gotmax@e.email> 1.6.1-1
+- Update to 1.6.1 (rhbz#2060228). Mitigates CVE-2022-23648.
+
+* Thu Feb 17 2022 Maxwell G <gotmax@e.email> 1.6.0-1
+- Update to 1.6.0 (rhbz#2054935). Use unbundled deps.
+
+* Sun Feb 06 2022 Robert-André Mauchin <zebob.m@gmail.com> 1.6.0~rc.2-2
+- Disable platform tests
+
+* Sat Feb 05 2022 Robert-André Mauchin <zebob.m@gmail.com> 1.6.0~rc.2-1
+- Update to 1.6.0~rc.2 Close: rhbz#1731597 Close: rhbz#1798419
+
+* Mon Jan 31 2022 Maxwell G <gotmax@e.email> - 1.5.9-1
+- Update to 1.5.9. Fixes FTBFS. Closes rhbz#2045277.
+- Mitigates CVE-2021-43816. Closes rhbz#2044434. Closes rhbz#2044436.
+- Temporarily build using vendored dependencies.
+
+* Wed Jan 19 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.5.8-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Mon Nov 22 2021 Olivier Lemasle <o.lemasle@gmail.com> - 1.5.8-1
+- Update to upstream 1.5.8 (fixes rhbz#2013807)
+- Mitigate CVE-2021-41190 (fixes GHSA-5j5w-g665-5m35, fixes rhbz#2024941)
+
+* Sun Oct 10 2021 Olivier Lemasle <o.lemasle@gmail.com> - 1.5.7-1
+- Update to upstream 1.5.7 (fixes rhbz#2009149)
+- Fixes CVE-2021-41103 (fixes rhbz#2011014, rhbz#2011007)
+
+* Sun Aug 15 2021 Olivier Lemasle <o.lemasle@gmail.com> - 1.5.5-1
+- Update to upstream 1.5.5 (fixes rhbz#1983820)
+- Fixes CVE-2021-32760 (rhbz#1983932)
+
+* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.5.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Wed Jul 14 11:28:54 CEST 2021 Olivier Lemasle <o.lemasle@gmail.com> - 1.5.3-1
+- Update to upstream 1.5.3 (fixes rhbz#1956638)
+
+* Tue May 04 2021 Olivier Lemasle <o.lemasle@gmail.com> - 1.5.0-1
+- Update to upstream 1.5.0 (#1956638)
+
+* Mon Apr 19 2021 Olivier Lemasle <o.lemasle@gmail.com> - 1.5.0~rc.1-1
+- Update to 1.5.0~rc.1 (#1948041)
+
+* Wed Mar 17 2021 Olivier Lemasle <o.lemasle@gmail.com> - 1.5.0~beta.4-1
+- Update to upstream 1.5.0-beta.4
+
+* Sat Mar 06 2021 Olivier Lemasle <o.lemasle@gmail.com> - 1.5.0~beta.3-1
+- Update to upstream 1.5.0-beta.3
+
+* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 1.5.0~beta.0-2
+- Rebuilt for updated systemd-rpm-macros
+  See https://pagure.io/fesco/issue/2583.
+
+* Thu Jan 28 2021 Olivier Lemasle <o.lemasle@gmail.com> 1.5.0~beta.0-1
+- Update to 1.5.0~beta.0 (#1918993)
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Tue Dec 01 2020 Olivier Lemasle <o.lemasle@gmail.com> - 1.4.3-1
+- Fix CVE-2020-15257 (#1903050)
+- Update to latest upstream - 1.4.3 (#1901908)
+
+* Mon Nov  2 23:23:57 CET 2020 Olivier Lemasle <o.lemasle@gmail.com> - 1.4.1-2
+- Fix man pages
+
+* Wed Sep 30 2020 Robert-André Mauchin <zebob.m@gmail.com> - 1.4.1-1
+- Update to 1.4.1
+
+* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.3-3
+- Second attempt - Rebuilt for
+  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Apr 01 2020 Olivier Lemasle <o.lemasle@gmail.com> - 1.3.3-1
+- Update to 1.3.3
+
+* Sun Mar 22 2020 Olivier Lemasle <o.lemasle@gmail.com> - 1.2.13-2
+- Remove version requirement on golang-github-containerd-cri
+
+* Sun Mar 22 2020 Olivier Lemasle <o.lemasle@gmail.com> - 1.2.13-1
+- Exclude failing integration tests
+- Update to containerd 1.2.13
+
+* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.6-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Wed May 01 15:33:19 CEST 2019 Robert-André Mauchin <zebob.m@gmail.com> - 1.2.6-1.20190501gitd68b593
+- Release 1.2.6, commit d68b593de4ab10bb8b4fd64560e10d43c7156db2
+
+* Tue Feb 26 2019 Carl George <carl@george.computer> - 1.2.4-1
+- Latest upstream
+
+* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Thu Jan 03 2019 Carl George <carl@george.computer> - 1.2.1-1
+- Latest upstream
+- Run test suite (except on el7 or %%arm)
+
+* Thu Oct 25 2018 Carl George <carl@george.computer> - 1.2.0-1
+- Latest upstream
+
+* Mon Aug 13 2018 Carl George <carl@george.computer> - 1.1.2-1
+- Latest upstream
+
+* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Thu Apr 26 2018 Carl George <carl@george.computer> - 1.1.0-1
+- Latest upstream
+- Build and include man pages
+
+* Wed Apr 04 2018 Carl George <carl@george.computer> - 1.0.3-1
+- Latest upstream
+
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Mon Jan 22 2018 Carl George <carl@george.computer> - 1.0.1-1
+- Latest upstream
+
+* Wed Dec 06 2017 Carl George <carl@george.computer> - 1.0.0-1
+- Latest upstream
+
+* Fri Nov 10 2017 Carl George <carl@george.computer> - 1.0.0-0.5.beta.3
+- Latest upstream
+
+* Thu Oct 19 2017 Carl George <carl@george.computer> - 1.0.0-0.4.beta.2
+- Own /etc/containerd
+
+* Thu Oct 12 2017 Carl George <carl@george.computer> - 1.0.0-0.3.beta.2
+- Latest upstream
+- Require runc 1.0.0 https://github.com/containerd/containerd/issues/1508#issuecomment-335566293
+
+* Mon Oct 09 2017 Carl George <carl@george.computer> - 1.0.0-0.2.beta.1
+- Add provides for vendored dependencies
+- Add ctr command
+
+* Wed Oct 04 2017 Carl George <carl@george.computer> - 1.0.0-0.1.beta.1
+- Initial package
diff --git a/anda/docker/containerd/containerd.spec b/anda/docker/containerd/containerd.spec
new file mode 100644
index 0000000000..428f436020
--- /dev/null
+++ b/anda/docker/containerd/containerd.spec
@@ -0,0 +1,127 @@
+# This is a simplified version of the containerd.spec file from Fedora
+# designed to build from upstream containerd, not Fedora
+
+# Created due to https://bugzilla.redhat.com/show_bug.cgi?id=2237396
+
+%global debug_package %{nil}
+
+# https://github.com/containerd/containerd
+%global goipath         github.com/containerd/containerd
+Version:                1.7.9
+
+%gometa
+
+%global goname          containerd
+%global godevelname     containerd-devel
+
+%global common_description %{expand:
+Containerd is an industry-standard container runtime with an emphasis on
+simplicity, robustness and portability. It is available as a daemon for Linux
+and Windows, which can manage the complete container lifecycle of its host
+system: image transfer and storage, container execution and supervision,
+low-level storage and network attachments, etc.}
+
+%global golicenses      LICENSE NOTICE
+%global godocs          docs ROADMAP.md SCOPE.md code-of-conduct.md\\\
+                        BUILDING.md README.md RELEASES.md
+
+Name:           %{goname}
+Release:        %autorelease
+Summary:        Open and reliable container runtime
+
+License:        Apache-2.0
+URL:            https://github.com/containerd/containerd
+Source0:        %{url}/archive/refs/tags/v%{version}.tar.gz#/containerd-%{version}.tar.gz
+Source2:        containerd.toml
+# Carve out code requiring github.com/Microsoft/hcsshim
+#Patch0:         0001-Revert-commit-for-Windows-metrics.patch
+#Patch1:         0002-Remove-windows-only-dep.patch
+# Backport for github.com/containerd/typeurl update
+#Patch2:         0001-Use-typeurl.Any-instead-of-github.com-gogo-protobuf-.patch
+# To use with latest go-runc
+#Patch3:         0001-Add-reaper-StartLocked.patch
+# To use with latest opencontainers/image-spec
+#Patch4:         0001-opencontainers-image-spec-v1.1.0-rc3.patch
+
+BuildRequires:  btrfs-progs-devel
+BuildRequires:  go-md2man
+BuildRequires:  systemd-rpm-macros
+BuildRequires:  git-core
+
+Requires:       runc
+
+%description
+%{common_description}
+
+%package devel
+Summary:        Development files for %{name}
+Requires:       %{name}%{?_isa} = %{version}-%{release}
+
+
+%description devel
+%{common_description}
+
+This package contains library source intended for
+building other packages which use import path with
+%{goname} prefix.
+
+%prep
+%autosetup -p1 -n %{goname}-%{version}
+# Used only for generation:
+#rm -rf cmd/protoc-gen-gogoctrd
+# Replace default bin directory
+sed -i "s|/usr/local/bin/containerd|/usr/bin/containerd|" containerd.service
+
+%build
+#pushd containerd
+export GOFLAGS="-buildmode=pie -v -x"
+%make_build
+mkdir _man
+go-md2man -in docs/man/containerd-config.8.md -out _man/containerd-config.8
+go-md2man -in docs/man/containerd-config.toml.5.md -out _man/containerd-config.toml.5
+go run cmd/gen-manpages/main.go containerd.8 _man
+go run cmd/gen-manpages/main.go ctr.8 _man
+
+%install
+export GOFLAGS="-buildmode=pie -v -x"
+%make_install PREFIX=%{_prefix} DESTDIR=%{buildroot}
+
+	
+	
+install -D -p -m 0644 _man/containerd.8 %{buildroot}%{_mandir}/man8/containerd.8	
+install -D -p -m 0644 _man/containerd-config.8 %{buildroot}%{_mandir}/man8/containerd-config.8
+install -D -p -m 0644 _man/ctr.8 %{buildroot}%{_mandir}/man8/ctr.8
+install -D -p -m 0644 _man/containerd-config.toml.5 %{buildroot}%{_mandir}/man5/containerd-config.toml.5
+install -D -p -m 0644 containerd.service %{buildroot}%{_unitdir}/containerd.service
+install -D -p -m 0644 %{S:2} %{buildroot}%{_sysconfdir}/containerd/config.toml
+mkdir -p %{buildroot}%{_sharedstatedir}/containerd/opt
+
+%post
+%systemd_post containerd.service
+
+%preun
+%systemd_preun containerd.service
+
+%postun
+%systemd_postun_with_restart containerd.service
+
+
+
+%files
+%license LICENSE NOTICE
+%doc docs ROADMAP.md SCOPE.md code-of-conduct.md BUILDING.md
+%doc README.md RELEASES.md
+%{_bindir}/*
+%{_mandir}/man8/containerd.8*
+%{_mandir}/man8/containerd-config.8*
+%{_mandir}/man8/ctr.8*
+%{_mandir}/man5/containerd-config.toml.5*
+%{_unitdir}/containerd.service
+%dir %{_sysconfdir}/containerd
+%config(noreplace) %{_sysconfdir}/containerd/config.toml
+%dir %{_sharedstatedir}/containerd
+%dir %{_sharedstatedir}/containerd/opt
+
+
+%changelog
+%autochangelog
diff --git a/anda/docker/containerd/containerd.toml b/anda/docker/containerd/containerd.toml
new file mode 100644
index 0000000000..4a76ac46c2
--- /dev/null
+++ b/anda/docker/containerd/containerd.toml
@@ -0,0 +1,9 @@
+version = 2
+
+[plugins]
+  [plugins."io.containerd.grpc.v1.cri"]
+    [plugins."io.containerd.grpc.v1.cri".cni]
+      bin_dir = "/usr/libexec/cni/"
+      conf_dir = "/etc/cni/net.d"
+  [plugins."io.containerd.internal.v1.opt"]
+    path = "/var/lib/containerd/opt"
diff --git a/anda/moby-extras/moby-buildx/anda.hcl b/anda/docker/moby-buildx/anda.hcl
similarity index 100%
rename from anda/moby-extras/moby-buildx/anda.hcl
rename to anda/docker/moby-buildx/anda.hcl
diff --git a/anda/moby-extras/moby-buildx/moby-buildx.spec b/anda/docker/moby-buildx/moby-buildx.spec
similarity index 100%
rename from anda/moby-extras/moby-buildx/moby-buildx.spec
rename to anda/docker/moby-buildx/moby-buildx.spec
diff --git a/anda/moby-extras/moby-buildx/update.rhai b/anda/docker/moby-buildx/update.rhai
similarity index 100%
rename from anda/moby-extras/moby-buildx/update.rhai
rename to anda/docker/moby-buildx/update.rhai
diff --git a/anda/moby-extras/moby-compose/anda.hcl b/anda/docker/moby-compose/anda.hcl
similarity index 100%
rename from anda/moby-extras/moby-compose/anda.hcl
rename to anda/docker/moby-compose/anda.hcl
diff --git a/anda/moby-extras/moby-compose/moby-compose.spec b/anda/docker/moby-compose/moby-compose.spec
similarity index 100%
rename from anda/moby-extras/moby-compose/moby-compose.spec
rename to anda/docker/moby-compose/moby-compose.spec
diff --git a/anda/moby-extras/moby-compose/update.rhai b/anda/docker/moby-compose/update.rhai
similarity index 100%
rename from anda/moby-extras/moby-compose/update.rhai
rename to anda/docker/moby-compose/update.rhai
diff --git a/anda/docker/moby-engine/.gitignore b/anda/docker/moby-engine/.gitignore
new file mode 100644
index 0000000000..d310b090e3
--- /dev/null
+++ b/anda/docker/moby-engine/.gitignore
@@ -0,0 +1,59 @@
+/2d0083d657f82c47044c8d3948ba434b622fe2fd.tar.gz
+/425e105d5a03fabd737a126ad93d62a9eeede87f.tar.gz
+/894b81a4b802e4eb2a91d1ce216b8817763c29fb.tar.gz
+/e7933d41e7b206756115aa9df5e0599fc5169742.tar.gz
+/fec3683b971d9c3ef73f284f176672c44b448662.tar.gz
+/0dd43dd87fd530113bf44c9bba9ad8b20ce4637f.tar.gz
+/7141c199a2edb2a90b778175f836f9dd2a22c95a.tar.gz
+/264bffcb88c1b6b7471c04e3c6b3f301233a544b.tar.gz
+/afacb8b7f0d8d4f9d2a8e8736e9c993e672b41f3.tar.gz
+/bf2bd42abc0a3734f12b5ec724e571434e42c669.tar.gz
+/2e24aed516bd5c836e11378bb457dd612aa868ed.tar.gz
+/42e35e61f352e527082521280d5ea3761f0dee50.tar.gz
+/4484c46d9d1a2d10b8fc662923ad586daeedb04f.tar.gz
+/026aabaa659832804b01754aaadd2c0f420c68b6.tar.gz
+/de40ad007797e0dcd8b7126f27bb87401d224240.tar.gz
+/moby-v20.10.5.tar.gz
+/cli-v20.10.5.tar.gz
+/moby-v20.10.6.tar.gz
+/cli-v20.10.6.tar.gz
+/moby-v20.10.7.tar.gz
+/cli-v20.10.7.tar.gz
+/cli-v20.10.8.tar.gz
+/moby-v20.10.8.tar.gz
+/cli-v20.10.9.tar.gz
+/moby-v20.10.9.tar.gz
+/cli-v20.10.10.tar.gz
+moby-v20.10.10.tar.gz
+/cli-v20.10.11.tar.gz
+/moby-v20.10.11.tar.gz
+/cli-v20.10.12.tar.gz
+/moby-v20.10.12.tar.gz
+/cli-20.10.12.tar.gz
+/moby-20.10.12.tar.gz
+/tini-de40ad0.tar.gz
+/cli-20.10.14.tar.gz
+/moby-20.10.14.tar.gz
+/cli-20.10.15.tar.gz
+/moby-20.10.15.tar.gz
+/cli-20.10.16.tar.gz
+/moby-20.10.16.tar.gz
+/cli-20.10.17.tar.gz
+/moby-20.10.17.tar.gz
+/cli-20.10.18.tar.gz
+/moby-20.10.18.tar.gz
+/cli-20.10.19.tar.gz
+/moby-20.10.19.tar.gz
+/cli-20.10.20.tar.gz
+/moby-20.10.20.tar.gz
+/cli-20.10.21.tar.gz
+/moby-20.10.21.tar.gz
+/cli-20.10.22.tar.gz
+/moby-20.10.22.tar.gz
+/moby-20.10.23.tar.gz
+/cli-20.10.23.tar.gz
+/moby-23.0.4.tar.gz
+/cli-23.0.4.tar.gz
+/tini-0b44d36.tar.gz
+/cli-24.0.5.tar.gz
+/moby-24.0.5.tar.gz
diff --git a/anda/docker/moby-engine/README.md b/anda/docker/moby-engine/README.md
new file mode 100644
index 0000000000..57607ed02e
--- /dev/null
+++ b/anda/docker/moby-engine/README.md
@@ -0,0 +1,3 @@
+# moby-engine
+
+The moby-engine package
\ No newline at end of file
diff --git a/anda/docker/moby-engine/anda.hcl b/anda/docker/moby-engine/anda.hcl
new file mode 100644
index 0000000000..be47166b46
--- /dev/null
+++ b/anda/docker/moby-engine/anda.hcl
@@ -0,0 +1,5 @@
+project "pkg" {
+    rpm {
+        spec = "moby-engine.spec"
+    }
+}
\ No newline at end of file
diff --git a/anda/docker/moby-engine/docker.service b/anda/docker/moby-engine/docker.service
new file mode 100644
index 0000000000..41cb0e397e
--- /dev/null
+++ b/anda/docker/moby-engine/docker.service
@@ -0,0 +1,38 @@
+[Unit]
+Description=Docker Application Container Engine
+Documentation=https://docs.docker.com
+After=docker.socket network-online.target firewalld.service
+Requires=docker.socket
+Wants=network-online.target
+
+[Service]
+Type=notify
+EnvironmentFile=-/etc/sysconfig/docker
+# the default is not to use systemd for cgroups because the delegate issues still
+# exists and systemd currently does not support the cgroup feature set required
+# for containers run by docker
+ExecStart=/usr/bin/dockerd \
+          --host=fd:// \
+          --exec-opt native.cgroupdriver=systemd \
+          $OPTIONS
+ExecReload=/bin/kill -s HUP $MAINPID
+# Having non-zero Limit*s causes performance problems due to accounting overhead
+# in the kernel. We recommend using cgroups to do container-local accounting.
+LimitNOFILE=infinity
+LimitNPROC=infinity
+LimitCORE=infinity
+# Uncomment TasksMax if your systemd version supports it.
+# Only systemd 226 and above support this version.
+#TasksMax=infinity
+TimeoutStartSec=0
+# set delegate yes so that systemd does not reset the cgroups of docker containers
+#Delegate=yes
+# kill only the docker process, not all processes in the cgroup
+KillMode=process
+# restart the docker process if it exits prematurely
+Restart=on-failure
+StartLimitBurst=3
+StartLimitInterval=60s
+
+[Install]
+WantedBy=multi-user.target
diff --git a/anda/docker/moby-engine/docker.sysconfig b/anda/docker/moby-engine/docker.sysconfig
new file mode 100644
index 0000000000..6ba9fd7e8c
--- /dev/null
+++ b/anda/docker/moby-engine/docker.sysconfig
@@ -0,0 +1,10 @@
+# /etc/sysconfig/docker
+
+# Modify these options if you want to change the way the docker daemon runs
+OPTIONS="--selinux-enabled \
+  --log-driver=journald \
+  --live-restore \
+  --default-ulimit nofile=1024:1024 \
+  --init-path /usr/libexec/docker/docker-init \
+  --userland-proxy-path /usr/libexec/docker/docker-proxy \
+"
diff --git a/anda/docker/moby-engine/generate-docs.sh b/anda/docker/moby-engine/generate-docs.sh
new file mode 100644
index 0000000000..09fb5cb7bd
--- /dev/null
+++ b/anda/docker/moby-engine/generate-docs.sh
@@ -0,0 +1,12 @@
+cd man
+for FILE in *.md; do
+    base="$(basename "$FILE")"
+    name="${base%.md}"
+    num="${name##*.}"
+    if [ -z "$num" ] || [ "$name" = "$num" ]; then
+    # skip files that aren't of the format xxxx.N.md (like README.md)
+        continue
+    fi
+    mkdir -p "./man${num}"
+    (set -x ;go-md2man -in "$FILE" -out "./man${num}/${name}")
+done
diff --git a/anda/docker/moby-engine/moby-engine-systemd-sysusers.conf b/anda/docker/moby-engine/moby-engine-systemd-sysusers.conf
new file mode 100644
index 0000000000..fafc51244a
--- /dev/null
+++ b/anda/docker/moby-engine/moby-engine-systemd-sysusers.conf
@@ -0,0 +1,2 @@
+#Type Name   ID
+g     docker -
diff --git a/anda/docker/moby-engine/moby-engine.spec b/anda/docker/moby-engine/moby-engine.spec
new file mode 100644
index 0000000000..3dfaa45ece
--- /dev/null
+++ b/anda/docker/moby-engine/moby-engine.spec
@@ -0,0 +1,559 @@
+# This specfile is licensed under:
+# SPDX-License-Identifier: MIT
+# SPDX-FileCopyrightText: Fedora Project Authors
+# SPDX-FileCopyrightText: 2022 Maxwell G <gotmax@e.email>
+# See %%{name}.spec.license for the full license text.
+
+# disable debuginfo for now
+%global debug_package %{nil}
+
+# moby
+%global goipath_moby github.com/docker/docker
+%global git_moby https://%%{goipath_moby}
+#%%global commit_moby 9fdeb9c3de2f2d9f5799be373f27b2f9df44609d
+#%%global shortcommit_moby %%(c=%%{commit_moby}; echo ${c:0:7})
+
+# cli
+%global goipath_cli github.com/docker/cli
+%global git_cli https://%%{goipath_cli}
+#%%global commit_cli baeda1f82a10204ec5708d5fbba130ad76cfee49
+#%%global shortcommit_cli %%(c=%%{commit_cli}; echo ${c:0:7})
+
+# tini
+%global git_tini https://github.com/krallin/tini
+%global commit_tini 0b44d3665869e46ccbac7414241b8256d6234dc4
+%global shortcommit_tini %(c=%{commit_tini}; echo ${c:0:7})
+
+%global anda_go_build go build -buildmode=pie -v -x
+
+Name:           moby-engine
+Version:        24.0.5
+Release:        1%{?dist}
+Summary:        The open-source application container engine
+License:        Apache-2.0
+Source0:        %{git_moby}/archive/v%{version}/moby-%{version}.tar.gz
+Source1:        %{git_cli}/archive/v%{version}/cli-%{version}.tar.gz
+Source2:        %{git_tini}/archive/%{commit_tini}/tini-%{shortcommit_tini}.tar.gz
+Source3:        docker.service
+Source4:        docker.sysconfig
+Source5:        moby-engine-systemd-sysusers.conf
+Source6:        generate-docs.sh
+
+# Seperate file containing virtual provides for bundled deps that's %%include'd in the specfile.
+#Source100:      provides.spec.inc
+# Specfile license
+Source200:      moby-engine.spec.license
+
+URL:            https://www.docker.com
+
+ExclusiveArch:  %{golang_arches}
+
+BuildRequires:  pkgconfig(libbtrfsutil)
+BuildRequires:  pkgconfig(devmapper)
+BuildRequires:  golang
+BuildRequires:  go-rpm-macros
+BuildRequires:  go-md2man
+BuildRequires:  pkgconfig(libseccomp) >= 2.3.0
+BuildRequires:  make
+BuildRequires:  pkgconfig(audit)
+BuildRequires:  pkgconfig(systemd)
+BuildRequires:  systemd-rpm-macros
+BuildRequires:  firewalld-filesystem
+
+# Build dependencies for tini
+BuildRequires:  cmake
+BuildRequires:  glibc-static
+
+# required packages on install
+Requires:       container-selinux
+Requires:       containerd
+Requires:       iptables
+Requires:       pigz
+Requires:       runc
+Requires:       systemd
+Requires:       tar
+Requires:       xz
+
+# Resolves: rhbz#1165615
+Requires:       device-mapper-libs >= 1.02.90-1
+
+# Replace the old Docker packages
+Provides:       docker = %{version}-%{release}
+Provides:       docker-latest = %{version}-%{release}
+
+# conflicting packages
+Conflicts:      docker-ce
+Conflicts:      docker-ce-cli
+Conflicts:      docker-common
+Conflicts:      docker-ee
+Conflicts:      docker-engine-cs
+Conflicts:      docker-io
+Conflicts:      podman-docker
+
+%description
+Docker is an open source project to build, ship and run any application as a
+lightweight container.
+
+Docker containers are both hardware-agnostic and platform-agnostic. This means
+they can run anywhere, from your laptop to the largest EC2 compute instance and
+everything in between - and they don't require you to use a particular
+language, framework or packaging system. That makes them great building blocks
+for deploying and scaling web apps, databases, and backend services without
+depending on a particular stack or provider.
+
+%package fish-completion
+Summary:        Fish completion files for %{name}
+BuildArch:      noarch
+Requires:       %{name} = %{version}-%{release}
+Requires:       fish
+Provides:       docker-fish-completion = %{version}-%{release}
+
+%description fish-completion
+This package installs %{summary}.
+
+%package zsh-completion
+Summary:        Zsh completion files for %{name}
+BuildArch:      noarch
+Requires:       %{name} = %{version}-%{release}
+Requires:       zsh
+Provides:       docker-zsh-completion = %{version}-%{release}
+
+%description zsh-completion
+This package installs %{summary}.
+
+%package nano
+Summary:        GNU nano syntax highlighting files for Moby
+BuildArch:      noarch
+Requires:       %{name} = %{version}-%{release}
+Requires:       nano
+
+%description nano
+This package installs %{summary}.
+
+%prep
+%setup -q -a 1 -a 2 -n moby-%{version}
+ln -s vendor.mod go.mod
+#export GOPATH="$PWD"
+#go get -x
+#go mod vendor
+# correct rpmlint errors for bash completion
+sed -i '/env bash/d' cli-%{version}/contrib/completion/bash/docker
+cp %{SOURCE6} cli-%{version}/scripts/docs/generate-man.sh
+%build
+mkdir -p _build/bin
+export CGO_ENABLED=1
+
+export DISABLE_WARN_OUTSIDE_CONTAINER=1
+
+#go mod download
+
+
+# build docker-proxy / libnetwork
+(
+
+        # Link source and vendored deps into local GOPATH.
+        #ln -fns ../../.. src/%{goipath_moby}
+        #export GOPATH="${PWD}"
+        %anda_go_build -o _build/bin/docker-proxy github.com/docker/docker/cmd/docker-proxy
+)
+
+# build tini (installed as docker-init)
+(
+        cd tini-%{commit_tini}
+        %cmake
+        make tini-static -C "%{__cmake_builddir}"
+)
+
+%global buildtime %(date --utc --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +"%Y-%m-%dT%H:%M:%SZ")
+# build engine
+(
+        mkdir -p src/github.com/docker
+        # Link source and vendored deps into local GOPATH.
+        ln -fns ../../.. src/%{goipath_moby}
+        # Build using source and vendored deps in local GOPATH.
+        export GOPATH="${PWD}"
+        export GO111MODULE=off
+        export LDFLAGS="-w"
+        export LDFLAGS+=" -X github.com/docker/docker/dockerversion.Version=%{version}"
+        export LDFLAGS+=" -X github.com/docker/docker/dockerversion.GitCommit=%{shortcommit_moby}"
+        export LDFLAGS+=" -X github.com/docker/docker/dockerversion.IAmStatic=false"
+        export LDFLAGS+=" -X 'github.com/docker/docker/dockerversion.BuildTime=%{buildtime}'"
+        export DOCKER_BUILDTAGS="seccomp selinux journald"
+        export BUILDTAGS="${DOCKER_BUILDTAGS}"
+        export GOBUILDTAGS="${BUILDTAGS}"
+        %anda_go_build -o _build/bin/dockerd %{goipath_moby}/cmd/dockerd
+        # VERSION=%%{version} DOCKER_GITCOMMIT=%%{shortcommit_moby} bash sh dynbinary
+        # mv bundles/dynbinary-daemon/dockerd-%%{version} _build/bin/dockerd
+)
+
+# build cli
+(
+        cd cli-%{version}
+        mkdir -p src/github.com/docker
+        # Link source and vendored deps into local GOPATH.
+        ln -fns ../../.. src/%{goipath_cli}
+        # export DISABLE_WARN_OUTSIDE_CONTAINER=1
+        # Build using source and vendored deps in local GOPATH.
+        export GOPATH="${PWD}"
+        export GO111MODULE=off
+        export LDFLAGS="\
+            -w \
+            -X \"github.com/docker/cli/cli/version.GitCommit=%{shortcommit_cli}\" \
+            -X \"github.com/docker/cli/cli/version.BuildTime=%{buildtime}\" \
+            -X \"github.com/docker/cli/cli/version.Version=%{version}\" \
+    "
+        export BUILDTAGS="pkcs11"
+        export GOBUILDTAGS="${BUILDTAGS}"
+        %anda_go_build -o ../_build/bin/docker %{goipath_cli}/cmd/docker
+        # make VERSION=%%{version} GITCOMMIT=%%{shortcommit_cli} dynbinary
+
+	scripts/docs/generate-man.sh
+)
+
+%install
+# install binary
+install -Dpm 755 _build/bin/docker _build/bin/dockerd -t %{buildroot}%{_bindir}/
+
+# install proxy
+install -Dpm 755 _build/bin/docker-proxy -t %{buildroot}%{_libexecdir}/docker/
+
+# install tini
+install -Dpm 755 tini-%{commit_tini}/%{__cmake_builddir}/tini-static %{buildroot}%{_libexecdir}/docker/docker-init
+
+# install udev rules
+install -Dpm 644 contrib/udev/80-docker.rules -t %{buildroot}%{_usr}/lib/udev/rules.d/
+
+# add init scripts
+install -Dpm 644 %{SOURCE3} contrib/init/systemd/docker.socket -t %{buildroot}%{_unitdir}/
+
+# for additional args
+install -Dpm 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/docker
+
+# Install sysusers configuration
+install -Dpm 0644 %{SOURCE5} %{buildroot}%{_sysusersdir}/moby-engine.conf
+
+# add bash, zsh, and fish completions
+install -Dpm 644 cli-%{version}/contrib/completion/bash/docker -t %{buildroot}%{_datadir}/bash-completion/completions/
+install -Dpm 644 cli-%{version}/contrib/completion/zsh/_docker -t %{buildroot}%{_datadir}/zsh/site-functions/
+install -Dpm 644 cli-%{version}/contrib/completion/fish/docker.fish -t %{buildroot}%{_datadir}/fish/vendor_completions.d/
+
+# install manpages
+install -Dpm 644 cli-%{version}/man/man1/*.1 -t %{buildroot}%{_mandir}/man1/
+install -Dpm 644 cli-%{version}/man/man5/*.5 -t %{buildroot}%{_mandir}/man5/
+install -Dpm 644 cli-%{version}/man/man8/*.8 -t %{buildroot}%{_mandir}/man8/
+
+# add nano files
+install -Dpm 644 contrib/syntax/nano/Dockerfile.nanorc -t %{buildroot}%{_datadir}/nano/
+
+for cli_file in LICENSE MAINTAINERS NOTICE README.md; do
+    cp "cli-%{version}/$cli_file" "cli-$cli_file"
+done
+
+%pre
+%sysusers_create_compat %{SOURCE5}
+
+%post
+%systemd_post docker.service docker.socket
+%firewalld_reload
+
+%preun
+%systemd_preun docker.service docker.socket
+
+%postun
+%systemd_postun_with_restart docker.service
+
+%files
+%license LICENSE cli-LICENSE
+%doc AUTHORS CONTRIBUTING.md MAINTAINERS NOTICE README.md
+%doc cli-MAINTAINERS cli-NOTICE cli-README.md
+%config(noreplace) %{_sysconfdir}/sysconfig/docker
+%{_bindir}/docker
+%{_bindir}/dockerd
+%dir %{_libexecdir}/docker/
+%{_libexecdir}/docker/docker-proxy
+%{_libexecdir}/docker/docker-init
+%{_usr}/lib/udev/rules.d/80-docker.rules
+%{_unitdir}/docker.service
+%{_unitdir}/docker.socket
+%{_sysusersdir}/moby-engine.conf
+%{_datadir}/bash-completion/completions/docker
+%{_mandir}/man1/docker*.1*
+%{_mandir}/man5/{Dockerfile,docker-config-json}.5*
+%{_mandir}/man8/dockerd.8*
+
+%files zsh-completion
+%{_datadir}/zsh/site-functions/_docker
+
+%files fish-completion
+%{_datadir}/fish/vendor_completions.d/docker.fish
+
+%files nano
+%dir %{_datadir}/nano
+%{_datadir}/nano/Dockerfile.nanorc
+
+%changelog
+* Wed Aug 23 2023 LuK1337 <priv.luk@gmail.com> - 24.0.5-1
+- Update moby-engine to 24.0.5
+
+* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org>
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Sun Jan 29 2023 John Ghatas <john@johnghatas.com>
+- Update moby-engine to 23.0.4
+
+* Sun Jan 29 2023 Sérgio Basto <sergio@serjux.com>
+- Update moby-engine to 20.10.23
+
+* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org>
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Sun Jan 01 2023 Sérgio Basto <sergio@serjux.com>
+- Update moby-engine to 20.10.22
+
+* Wed Dec 14 2022 Dan Čermák <dan.cermak@cgc-instruments.com> - 20.10.21-1
+- Update to 20.10.21
+- Fix build, use libnetwork from golang-github-docker-0:22.06.0~beta
+
+* Thu Oct 20 2022 Jan Kuparinen <copperi@fedoraproject.org> - 20.10.20-1
+- Update to 20.10.20.
+- Mitigates CVE-2022-39253
+
+* Tue Oct 18 2022 Jan Kuparinen <copperi@fedoraproject.org> - 20.10.19-1
+- Update to 20.10.19.
+
+* Sat Sep 10 2022 Maxwell G <gotmax@e.email> - 20.10.18-1
+- Update to 20.10.18.
+- Mitigates CVE-2022-36109 / GHSA-rc4r-wh2q-q6c4
+
+* Tue Aug 30 2022 Luca BRUNO <lucab@lucabruno.net> - 20.10.17-8
+- Move 'docker' group creation logic to a sysusers.d fragment
+  Resolves: rhbz#1745936
+
+* Fri Aug 05 2022 Maxwell G <gotmax@e.email> - 20.10.17-7
+- Migrate to SPDX license identifiers
+- Generate debuginfo
+- Specfile improvements
+
+* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org>
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Tue Jul 19 2022 Maxwell G <gotmax@e.email> - 20.10.17-5
+- Rebuild for CVE-2022-{1705,32148,30631,30633,28131,30635,30632,30630,1962} in
+  golang
+
+* Mon Jul 04 2022 Maxwell G <gotmax@e.email> - 20.10.17-4
+- Only build on %%golang_arches (i.e. where golang is available).
+
+* Sun Jun 19 2022 Maxwell G <gotmax@e.email> - 20.10.17-3
+- Rebuilt for CVE-2022-1996, CVE-2022-24675, CVE-2022-28327, CVE-2022-27191,
+  CVE-2022-29526, CVE-2022-30629.
+
+* Sat Jun 11 2022 Maxwell G <gotmax@e.email> - 20.10.17-2
+- Rebuild for new golang-github-docker-libnetwork
+
+* Fri Jun 10 2022 Maxwell G <gotmax@e.email> - 20.10.17-1
+- Update to 20.10.17. Fixes rhbz#2095714.
+
+* Fri May 13 2022 Maxwell G <gotmax@e.email> - 20.10.16-1
+- Update to 20.10.16.
+
+* Sat May 07 2022 Maxwell G <gotmax@e.email> - 20.10.15-1
+- Update to 20.10.15 (rhbz#2082501).
+- Fix BUILDTAGS (rhbz#2082924).
+- Make non-binary subpackages noarch.
+
+* Mon Apr 11 2022 Maxwell G <gotmax@e.email> - 20.10.14-1
+- Update to 20.10.14. Fixes rhbz#2063052.
+- Mitigate CVE-2022-24769.
+
+* Mon Jan 31 2022 Maxwell G <gotmax@e.email> - 20.10.12-3
+- Fixes FTBFS. Closes rhbz#2046748.
+- Use %%anda_go_build instead of Makefile to build binaries
+- Add explanatory comments.
+- Normalize install commands
+- Make compliant with SourceURL Guidelines
+- Remove no longer necessary `ExcludeArch: ppc64`.
+
+* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 20.10.12-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Tue Jan 11 2022 Maxwell G <gotmax@e.email> - 20.10.12-1
+- Update to 20.10.12. Fixes rhbz#2032534.
+- Install zsh completions to the correct directory. Fixes rhbz#2038888.
+
+* Mon Nov 22 2021 Olivier Lemasle <o.lemasle@gmail.com> - 20.10-11-1
+- Update to upstream 20.10.11 (fixes rhbz#2024384)
+- Mitigates CVE-2021-41190 (fixes rhbz#2024940)
+
+* Fri Oct 29 2021 Maxwell G <gotmax@e.email> - 20.10.10-1
+- Update to 20.10.10 (fixes rhbz#2015385)
+- Update virtual provides
+
+* Fri Oct 08 2021 Maxwell G <gotmax@e.email> - 20.10.9-1
+- Update to 20.10.9 (fixes rhbz#2010508)
+- Patch seccomp policy to fix clone3() issue (fixes rhbz#2011523 and rhbz#1988199)
+
+* Sun Aug 15 2021 Olivier Lemasle <o.lemasle@gmail.com> - 20.10.8-1
+- Update to upstream 20.10.8 (fixes rhbz#1990148)
+- Fix seccomp support (fixes rhbz#1986092)
+
+* Sun Aug 15 2021 Dusty Mabe <dusty@dustymabe.com> - 20.10.7-3
+- Remove `Requires(post)` on firewalld-filesystem.
+
+* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 20.10.7-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Fri Jul 16 2021 Olivier Lemasle <o.lemasle@gmail.com> - 20.10.7-1
+- Update to upstream 20.10.7 (fixes rhbz#1967390)
+
+* Tue May 04 2021 Olivier Lemasle <o.lemasle@gmail.com> - 20.10.6-2
+- Add conflict with podman-docker
+
+* Tue Apr 20 2021 Olivier Lemasle <o.lemasle@gmail.com> - 20.10.6-1
+- Update to upstream 20.10.6 (#1948605)
+- Re-bundle moby dependencies to fix gRPC issues with Swarm
+  (https://github.com/coreos/fedora-coreos-tracker/issues/793)
+
+* Sun Mar 14 2021 Olivier Lemasle <o.lemasle@gmail.com> - 20.10.5-1
+- Update to latest upstream 20.10.5 - fixes #1903426
+- Upstream brings compatibility with cgroups v2 - fixes #1746355
+- Remove package moby-engine-vim (dockerfile.vim has been merged in upstream vim)
+- Remove firewalld docker zone, since dockerd can now communicate with firewalld - fixes #1852680
+- Build dockerd and docker-proxy from unbundled source packages
+- Remove fixed storage-driver (cf. https://src.fedoraproject.org/rpms/moby-engine/pull-request/6)
+
+* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 19.03.13-3.ce.git4484c46
+- Rebuilt for updated systemd-rpm-macros
+  See https://pagure.io/fesco/issue/2583.
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 19.03.13-2.ce.git4484c46
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Fri Oct 02 2020 Olivier Lemasle <o.lemasle@gmail.com> - 19.03.13-1.ce.git4484c46
+- Update to upstream 19.03.13 (#1837641)
+
+* Fri Oct 02 2020 Olivier Lemasle <o.lemasle@gmail.com> - 19.03.11-4.ce.git42e35e6
+- Fix FTBFS: adapt to change to CMake builds (#1864160)
+
+* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 19.03.11-3.ce.git42e35e6
+- Second attempt - Rebuilt for
+  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 19.03.11-2.ce.git42e35e6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Sun Jun 07 2020 Olivier Lemasle <o.lemasle@gmail.com> - 19.03.11-1.ce.git42e35e6
+- Update to upstream 19.03.11 to prevent CVE-2020-13401
+
+* Thu May 07 2020 Olivier Lemasle <o.lemasle@gmail.com> - 19.03.8-2.ce.gitafacb8b
+- Configure storage-driver explicitely (fixes #1832301)
+- Add firewalld zone: trust interface docker0, as firewalld now uses nftables
+  by default and docker communicates with iptables (fixes #1817022)
+
+* Mon Mar 16 2020 Olivier Lemasle <o.lemasle@gmail.com> - 19.03.8-1.ce.gitafacb8b
+- Update to latest upstream release - Docker CE 19.03.8
+- Prune unused BuildRequires
+
+* Sun Mar 8 2020 Olivier Lemasle <o.lemasle@gmail.com> - 19.03.7-2.ce.git7141c19
+- Add Conflicts with docker-ce-cli and Obsoletes docker-common
+
+* Sat Mar 7 2020 Olivier Lemasle <o.lemasle@gmail.com> - 19.03.7-1.ce.git7141c19
+- Update to latest upstream release - Docker CE 19.03.7
+- Add Epoch: 2 to Obsoletes for docker and docker-latest
+
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 18.09.8-3.ce.git0dd43dd
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 18.09.8-2.ce.git0dd43dd
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Thu Jul 18 2019 Olivier Lemasle <o.lemasle@gmail.com> - 18.09.8-1.ce.git0dd43dd
+- Update to latest upstream release - Docker CE 18.09.8
+
+* Sat Jul 13 2019 Olivier Lemasle <o.lemasle@gmail.com> - 18.09.7-5.ce.git2d0083d
+- Move docker-init and docker-proxy to /usr/libexec/docker
+- Update moby-engine-nano summary to follow guidelines
+
+* Sat Jul 13 2019 Olivier Lemasle <o.lemasle@gmail.com> - 18.09.7-4.ce.git2d0083d
+- Add nofile ulimit to default docker daemon options (#1715254, #1708115)
+
+* Fri Jul 12 2019 Olivier Lemasle <o.lemasle@gmail.com> - 18.09.7-3.ce.git2d0083d
+- rebuilt
+
+* Fri Jul 12 2019 Olivier Lemasle <o.lemasle@gmail.com> - 18.09.7-2.ce.git2d0083d
+- Depend on packaged versions "runc" and "containerd" instead of building them.
+
+* Thu Jun 27 2019 David Michael <dm0@redhat.com> - 18.09.7-1.ce.git2d0083d
+- Update docker-ce to commit 2d0083d (version 18.09.7).
+- Update runc to commit 425e105.
+- Update containerd to commit 894b81a (1.2.6).
+- Update docker-proxy to commit e7933d4.
+
+* Tue May 14 2019 David Michael <dm0@redhat.com> - 18.09.6-1.ce.git481bc77
+- Update docker-ce to commit 481bc77 (version 18.09.6).
+- Update docker-proxy to commit 872f0a8.
+- Obsolete and provide the docker and docker-latest packages. (#1700006)
+
+* Thu Apr 11 2019 David Michael <dm0@redhat.com> - 18.09.5-1.ce.gite8ff056
+- Update docker-ce to commit e8ff056 (version 18.09.5).
+- Update docker-runc to commit 2b18fe1.
+- Update docker-containerd to commit bb71b10 (version 1.2.5).
+- Update docker-proxy to commit 4725f21.
+- Report the correct engine version.
+- Install symlinks to unprefixed runc/containerd program names.
+
+* Thu Mar 28 2019 David Michael <dm0@redhat.com> - 18.06.3-2.ce.gitd7080c1
+- Conflict with docker-common. (#1693397)
+
+* Thu Feb 21 2019 David Michael <dm0@redhat.com> - 18.06.3-1.ce.gitd7080c1
+- Update docker-ce to commit d7080c1 (version 18.06.3).
+
+* Tue Feb 12 2019 David Michael <dm0@redhat.com> - 18.06.2-1.ce.git6d37f41
+- Update docker-ce to commit 6d37f41 (version 18.06.2).
+- Update docker-runc to commit a592beb.
+
+* Mon Feb 11 2019 David Michael <dm0@redhat.com> - 18.06.1-3.ce.gite68fc7a
+- Apply a runc patch for CVE-2019-5736.
+
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 18.06.1-2.ce.gite68fc7a
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Thu Nov 29 2018 David Michael <dm0@redhat.com> - 18.06.1-1.ce.gite68fc7a
+- Update docker-ce to commit e68fc7a (version 18.06.1).
+- Update docker-runc to commit 69663f0.
+- Update docker-containerd to commit 468a545 (version 1.1.2).
+- Update docker-proxy to commit 3ac297b.
+- Backport a fix for mounting named volumes.
+- Create a "docker" group for non-root Docker access.
+- Support systemd socket-activation.
+- Make runc and containerd commit IDs match their expected values.
+- Preserve containerd debuginfo.
+
+* Mon Nov 12 2018 Marcin Skarbek <rpm@skarbek.name> - 18.06.0-2.ce.git0ffa825
+- add configuration file
+- update service file
+
+* Sat Aug 18 2018 Lokesh Mandvekar <lsm5@fedoraproject.org> - 18.06.0-1.ce.git0ffa825
+- Resolves: #1539161 - first upload to Fedora
+- built docker-ce commit 0ffa825
+- built docker-runc commit ad0f5255
+- built docker-containerd commit a88b631
+- built docker-proxy commit a79d368
+- built docker-init commit fec3683
+
+* Tue Mar 20 2018 Lokesh Mandvekar <lsm5@fedoraproject.org> - 17.03.2-4.ce.gitf5ec1e2
+- correct some rpmlint errors
+
+* Wed Feb 21 2018 Lokesh Mandvekar <lsm5@fedoraproject.org> - 17.03.2-3.ce
+- docker-* symlinks to moby-* (RE: gh PR 34226)
+
+* Wed Feb 21 2018 Lokesh Mandvekar <lsm5@fedoraproject.org> - 17.03.2-2.ce
+- rename binaries as per upstream gh PR 34226
+
+* Fri Jan 26 2018 Lokesh Mandvekar <lsm5@fedoraproject.org> - 17.03.2-1
+- initial build
+- built moby commit f5ec1e2
+- built cli commit 4b61f56
+- built docker-runc commit 2d41c047
+- built docker-containerd commit 3addd84
+- built docker-proxy commit 7b2b1fe
diff --git a/anda/docker/moby-engine/moby-engine.spec.license b/anda/docker/moby-engine/moby-engine.spec.license
new file mode 100644
index 0000000000..2071b23b0e
--- /dev/null
+++ b/anda/docker/moby-engine/moby-engine.spec.license
@@ -0,0 +1,9 @@
+MIT License
+
+Copyright (c) <year> <copyright holders>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/anda/docker/moby-engine/provides.spec.inc b/anda/docker/moby-engine/provides.spec.inc
new file mode 100644
index 0000000000..847f007ed0
--- /dev/null
+++ b/anda/docker/moby-engine/provides.spec.inc
@@ -0,0 +1,108 @@
+# Bundled dependencies
+Provides:       bundled(tini-static)
+Provides:       bundled(golang(github.com/docker/docker))
+Provides:       bundled(golang(github.com/docker/cli))
+# grep -v -e '^$' -e '^#' cli-24.0.5/vendor/github.com/docker/distribution/vendor.conf | sort | awk '{print "Provides:       bundled(golang("$1")) = "$2}'
+Provides:       bundled(golang(github.com/aws/aws-sdk-go)) = f831d5a0822a1ad72420ab18c6269bca1ddaf490
+Provides:       bundled(golang(github.com/Azure/azure-sdk-for-go)) = 4650843026a7fdec254a8d9cf893693a254edd0b
+Provides:       bundled(golang(github.com/Azure/go-autorest)) = eaa7994b2278094c904d31993d26f56324db3052
+Provides:       bundled(golang(github.com/beorn7/perks)) = 4c0e84591b9aa9e6dcfdf3e020114cd81f89d5f9
+Provides:       bundled(golang(github.com/bshuster-repo/logrus-logstash-hook)) = d2c0ecc1836d91814e15e23bb5dc309c3ef51f4a
+Provides:       bundled(golang(github.com/bugsnag/bugsnag-go)) = b1d153021fcd90ca3f080db36bec96dc690fb274
+Provides:       bundled(golang(github.com/bugsnag/osext)) = 0dd3f918b21bec95ace9dc86c7e70266cfc5c702
+Provides:       bundled(golang(github.com/bugsnag/panicwrap)) = e2c28503fcd0675329da73bf48b33404db873782
+Provides:       bundled(golang(github.com/denverdino/aliyungo)) = afedced274aa9a7fcdd47ac97018f0f8db4e5de2
+Provides:       bundled(golang(github.com/dgrijalva/jwt-go)) = 4bbdd8ac624fc7a9ef7aec841c43d99b5fe65a29
+Provides:       bundled(golang(github.com/docker/go-metrics)) = 399ea8c73916000c64c2c76e8da00ca82f8387ab
+Provides:       bundled(golang(github.com/docker/libtrust)) = fa567046d9b14f6aa788882a950d69651d230b21
+Provides:       bundled(golang(github.com/garyburd/redigo)) = 535138d7bcd717d6531c701ef5933d98b1866257
+Provides:       bundled(golang(github.com/go-ini/ini)) = 2ba15ac2dc9cdf88c110ec2dc0ced7fa45f5678c
+Provides:       bundled(golang(github.com/golang/protobuf)) = 8d92cf5fc15a4382f8964b08e1f42a75c0591aa3
+Provides:       bundled(golang(github.com/gorilla/handlers)) = 60c7bfde3e33c201519a200a4507a158cc03a17b
+Provides:       bundled(golang(github.com/gorilla/mux)) = 599cba5e7b6137d46ddf58fb1765f5d928e69604
+Provides:       bundled(golang(github.com/inconshreveable/mousetrap)) = 76626ae9c91c4f2a10f34cad8ce83ea42c93bb75
+Provides:       bundled(golang(github.com/jmespath/go-jmespath)) = bd40a432e4c76585ef6b72d3fd96fb9b6dc7b68d
+Provides:       bundled(golang(github.com/marstr/guid)) = 8bd9a64bf37eb297b492a4101fb28e80ac0b290f
+Provides:       bundled(golang(github.com/matttproud/golang_protobuf_extensions)) = c12348ce28de40eed0136aa2b644d0ee0650e56c
+Provides:       bundled(golang(github.com/miekg/dns)) = 271c58e0c14f552178ea321a545ff9af38930f39
+Provides:       bundled(golang(github.com/mitchellh/mapstructure)) = 482a9fd5fa83e8c4e7817413b80f3eb8feec03ef
+Provides:       bundled(golang(github.com/ncw/swift)) = a0320860b16212c2b59b4912bb6508cda1d7cee6
+Provides:       bundled(golang(github.com/opencontainers/go-digest)) = a6d0ee40d4207ea02364bd3b9e8e77b9159ba1eb
+Provides:       bundled(golang(github.com/opencontainers/image-spec)) = 67d2d5658fe0476ab9bf414cec164077ebff3920
+Provides:       bundled(golang(github.com/prometheus/client_golang)) = c332b6f63c0658a65eca15c0e5247ded801cf564
+Provides:       bundled(golang(github.com/prometheus/client_model)) = 99fa1f4be8e564e8a6b613da7fa6f46c9edafc6c
+Provides:       bundled(golang(github.com/prometheus/common)) = 89604d197083d4781071d3c65855d24ecfb0a563
+Provides:       bundled(golang(github.com/prometheus/procfs)) = cb4147076ac75738c9a7d279075a253c0cc5acbd
+Provides:       bundled(golang(github.com/satori/go.uuid)) = f58768cc1a7a7e77a3bd49e98cdd21419399b6a3
+Provides:       bundled(golang(github.com/Shopify/logrus-bugsnag)) = 577dee27f20dd8f1a529f82210094af593be12bd
+Provides:       bundled(golang(github.com/sirupsen/logrus)) = 3d4380f53a34dcdc95f0c1db702615992b38d9a4
+Provides:       bundled(golang(github.com/spf13/cobra)) = 312092086bed4968099259622145a0c9ae280064
+Provides:       bundled(golang(github.com/spf13/pflag)) = 5644820622454e71517561946e3d94b9f9db6842
+Provides:       bundled(golang(github.com/xenolf/lego)) = a9d8cec0e6563575e5868a005359ac97911b5985
+Provides:       bundled(golang(github.com/yvasiyarov/go-metrics)) = 57bccd1ccd43f94bb17fdd8bf3007059b802f85e
+Provides:       bundled(golang(github.com/yvasiyarov/gorelic)) = a9bba5b9ab508a086f9a12b8c51fab68478e2128
+Provides:       bundled(golang(github.com/yvasiyarov/newrelic_platform_go)) = b21fdbd4370f3717f3bbd2bf41c223bc273068e6
+Provides:       bundled(golang(golang.org/x/crypto)) = c10c31b5e94b6f7a0283272dc2bb27163dcea24b
+Provides:       bundled(golang(golang.org/x/net)) = 4876518f9e71663000c348837735820161a42df7
+Provides:       bundled(golang(golang.org/x/oauth2)) = 045497edb6234273d67dbc25da3f2ddbc4c4cacf
+Provides:       bundled(golang(golang.org/x/time)) = a4bde12657593d5e90d0533a3e4fd95e635124cb
+Provides:       bundled(golang(google.golang.org/api)) = 9bf6e6e569ff057f75d9604a46c52928f17d2b54
+Provides:       bundled(golang(google.golang.org/appengine)) = 12d5545dc1cfa6047a286d5e853841b6471f4c19
+Provides:       bundled(golang(google.golang.org/cloud)) = 975617b05ea8a58727e6c1a06b6161ff4185a9f2
+Provides:       bundled(golang(google.golang.org/grpc)) = d3ddb4469d5a1b949fc7a7da7c1d6a0d1b6de994
+Provides:       bundled(golang(gopkg.in/check.v1)) = 64131543e7896d5bcc6bd5a76287eb75ea96c673
+Provides:       bundled(golang(gopkg.in/square/go-jose.v1)) = 40d457b439244b546f023d056628e5184136899b
+Provides:       bundled(golang(gopkg.in/yaml.v2)) = v2.2.1
+Provides:       bundled(golang(rsc.io/letsencrypt)) = e770c10b0f1a64775ae91d240407ce00d1a5bdeb
+# grep -v -e '^$' -e '^#' moby-24.0.5/vendor/github.com/docker/distribution/vendor.conf | sort | awk '{print "Provides:       bundled(golang("$1")) = "$2}'
+Provides:       bundled(golang(github.com/aws/aws-sdk-go)) = f831d5a0822a1ad72420ab18c6269bca1ddaf490
+Provides:       bundled(golang(github.com/Azure/azure-sdk-for-go)) = 4650843026a7fdec254a8d9cf893693a254edd0b
+Provides:       bundled(golang(github.com/Azure/go-autorest)) = eaa7994b2278094c904d31993d26f56324db3052
+Provides:       bundled(golang(github.com/beorn7/perks)) = 4c0e84591b9aa9e6dcfdf3e020114cd81f89d5f9
+Provides:       bundled(golang(github.com/bshuster-repo/logrus-logstash-hook)) = d2c0ecc1836d91814e15e23bb5dc309c3ef51f4a
+Provides:       bundled(golang(github.com/bugsnag/bugsnag-go)) = b1d153021fcd90ca3f080db36bec96dc690fb274
+Provides:       bundled(golang(github.com/bugsnag/osext)) = 0dd3f918b21bec95ace9dc86c7e70266cfc5c702
+Provides:       bundled(golang(github.com/bugsnag/panicwrap)) = e2c28503fcd0675329da73bf48b33404db873782
+Provides:       bundled(golang(github.com/denverdino/aliyungo)) = afedced274aa9a7fcdd47ac97018f0f8db4e5de2
+Provides:       bundled(golang(github.com/dgrijalva/jwt-go)) = 4bbdd8ac624fc7a9ef7aec841c43d99b5fe65a29
+Provides:       bundled(golang(github.com/docker/go-metrics)) = 399ea8c73916000c64c2c76e8da00ca82f8387ab
+Provides:       bundled(golang(github.com/docker/libtrust)) = fa567046d9b14f6aa788882a950d69651d230b21
+Provides:       bundled(golang(github.com/garyburd/redigo)) = 535138d7bcd717d6531c701ef5933d98b1866257
+Provides:       bundled(golang(github.com/go-ini/ini)) = 2ba15ac2dc9cdf88c110ec2dc0ced7fa45f5678c
+Provides:       bundled(golang(github.com/golang/protobuf)) = 8d92cf5fc15a4382f8964b08e1f42a75c0591aa3
+Provides:       bundled(golang(github.com/gorilla/handlers)) = 60c7bfde3e33c201519a200a4507a158cc03a17b
+Provides:       bundled(golang(github.com/gorilla/mux)) = 599cba5e7b6137d46ddf58fb1765f5d928e69604
+Provides:       bundled(golang(github.com/inconshreveable/mousetrap)) = 76626ae9c91c4f2a10f34cad8ce83ea42c93bb75
+Provides:       bundled(golang(github.com/jmespath/go-jmespath)) = bd40a432e4c76585ef6b72d3fd96fb9b6dc7b68d
+Provides:       bundled(golang(github.com/marstr/guid)) = 8bd9a64bf37eb297b492a4101fb28e80ac0b290f
+Provides:       bundled(golang(github.com/matttproud/golang_protobuf_extensions)) = c12348ce28de40eed0136aa2b644d0ee0650e56c
+Provides:       bundled(golang(github.com/miekg/dns)) = 271c58e0c14f552178ea321a545ff9af38930f39
+Provides:       bundled(golang(github.com/mitchellh/mapstructure)) = 482a9fd5fa83e8c4e7817413b80f3eb8feec03ef
+Provides:       bundled(golang(github.com/ncw/swift)) = a0320860b16212c2b59b4912bb6508cda1d7cee6
+Provides:       bundled(golang(github.com/opencontainers/go-digest)) = a6d0ee40d4207ea02364bd3b9e8e77b9159ba1eb
+Provides:       bundled(golang(github.com/opencontainers/image-spec)) = 67d2d5658fe0476ab9bf414cec164077ebff3920
+Provides:       bundled(golang(github.com/prometheus/client_golang)) = c332b6f63c0658a65eca15c0e5247ded801cf564
+Provides:       bundled(golang(github.com/prometheus/client_model)) = 99fa1f4be8e564e8a6b613da7fa6f46c9edafc6c
+Provides:       bundled(golang(github.com/prometheus/common)) = 89604d197083d4781071d3c65855d24ecfb0a563
+Provides:       bundled(golang(github.com/prometheus/procfs)) = cb4147076ac75738c9a7d279075a253c0cc5acbd
+Provides:       bundled(golang(github.com/satori/go.uuid)) = f58768cc1a7a7e77a3bd49e98cdd21419399b6a3
+Provides:       bundled(golang(github.com/Shopify/logrus-bugsnag)) = 577dee27f20dd8f1a529f82210094af593be12bd
+Provides:       bundled(golang(github.com/sirupsen/logrus)) = 3d4380f53a34dcdc95f0c1db702615992b38d9a4
+Provides:       bundled(golang(github.com/spf13/cobra)) = 312092086bed4968099259622145a0c9ae280064
+Provides:       bundled(golang(github.com/spf13/pflag)) = 5644820622454e71517561946e3d94b9f9db6842
+Provides:       bundled(golang(github.com/xenolf/lego)) = a9d8cec0e6563575e5868a005359ac97911b5985
+Provides:       bundled(golang(github.com/yvasiyarov/go-metrics)) = 57bccd1ccd43f94bb17fdd8bf3007059b802f85e
+Provides:       bundled(golang(github.com/yvasiyarov/gorelic)) = a9bba5b9ab508a086f9a12b8c51fab68478e2128
+Provides:       bundled(golang(github.com/yvasiyarov/newrelic_platform_go)) = b21fdbd4370f3717f3bbd2bf41c223bc273068e6
+Provides:       bundled(golang(golang.org/x/crypto)) = c10c31b5e94b6f7a0283272dc2bb27163dcea24b
+Provides:       bundled(golang(golang.org/x/net)) = 4876518f9e71663000c348837735820161a42df7
+Provides:       bundled(golang(golang.org/x/oauth2)) = 045497edb6234273d67dbc25da3f2ddbc4c4cacf
+Provides:       bundled(golang(golang.org/x/time)) = a4bde12657593d5e90d0533a3e4fd95e635124cb
+Provides:       bundled(golang(google.golang.org/api)) = 9bf6e6e569ff057f75d9604a46c52928f17d2b54
+Provides:       bundled(golang(google.golang.org/appengine)) = 12d5545dc1cfa6047a286d5e853841b6471f4c19
+Provides:       bundled(golang(google.golang.org/cloud)) = 975617b05ea8a58727e6c1a06b6161ff4185a9f2
+Provides:       bundled(golang(google.golang.org/grpc)) = d3ddb4469d5a1b949fc7a7da7c1d6a0d1b6de994
+Provides:       bundled(golang(gopkg.in/check.v1)) = 64131543e7896d5bcc6bd5a76287eb75ea96c673
+Provides:       bundled(golang(gopkg.in/square/go-jose.v1)) = 40d457b439244b546f023d056628e5184136899b
+Provides:       bundled(golang(gopkg.in/yaml.v2)) = v2.2.1
+Provides:       bundled(golang(rsc.io/letsencrypt)) = e770c10b0f1a64775ae91d240407ce00d1a5bdeb
diff --git a/anda/docker/moby-engine/sources b/anda/docker/moby-engine/sources
new file mode 100644
index 0000000000..185f3bb5a2
--- /dev/null
+++ b/anda/docker/moby-engine/sources
@@ -0,0 +1,3 @@
+SHA512 (cli-24.0.5.tar.gz) = 765c67634d91d248b156d3e407398b98b7a0a89507bbac0310d4a68b95aa1a05e3af43c8b90bc10166748749d8cc36670619fc9efca110beefbdcd4385dc96be
+SHA512 (moby-24.0.5.tar.gz) = cde2e47e7658b153399ee29154ec21eebf54b292185e07d43b968895dcfdfead95e4507fefb713859a4540f21d8007116d3ebeaa1fb7ba305fb2a0449ba1bee6
+SHA512 (tini-0b44d36.tar.gz) = 5294e877c369177b09c2a34f759e911f612f6977e960a63d46b6e5ebea790455dad972e91ca10c478693da637a5479d4e0b904efcfb5ae291e87e7e66674c752
diff --git a/anda/docker/moby-engine/update.sh b/anda/docker/moby-engine/update.sh
new file mode 100755
index 0000000000..3089ca4027
--- /dev/null
+++ b/anda/docker/moby-engine/update.sh
@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+# SPDX-FileCopyrightText: 2022 Maxwell G (@gotmax23)
+# SPDX-License-Identifier: MIT
+
+# USAGE: After bumping the version in moby-engine.spec and downloading the new
+# sources, run this script in moby-engine's distgit repository to update the
+# package's virtual Provides.
+
+set -euo pipefail
+
+# Note(gotmax23): I have a separate update.sh script in my $PATH.
+# When that exists, this script will run that first.
+# You can ignore this.
+if command -v update.sh && [ "$#" -gt 0 ]; then
+    update.sh "$@"
+fi
+
+spectool -g moby-engine.spec --define "_sourcedir ."
+fedpkg prep
+
+version="$(rpmspec -D '_sourcedir %(pwd)' -q --srpm --qf '%{version}\n' *.spec)"
+
+cat << EOF > provides.spec.inc
+# Bundled dependencies
+Provides:       bundled(tini-static)
+Provides:       bundled(golang(github.com/docker/docker))
+Provides:       bundled(golang(github.com/docker/cli))
+# grep -v -e '^$' -e '^#' cli-${version}/vendor/github.com/docker/distribution/vendor.conf | sort | awk '{print "Provides:       bundled(golang("\$1")) = "\$2}'
+EOF
+
+grep -v -e '^$' -e '^#' "moby-${version}/cli-${version}/vendor/github.com/docker/distribution/vendor.conf" | sort | awk '{print "Provides:       bundled(golang("$1")) = "$2}' >> provides.spec.inc
+
+cat << EOF >> provides.spec.inc
+# grep -v -e '^$' -e '^#' moby-${version}/vendor/github.com/docker/distribution/vendor.conf | sort | awk '{print "Provides:       bundled(golang("\$1")) = "\$2}'
+EOF
+
+grep -v -e '^$' -e '^#' "moby-${version}/vendor/github.com/docker/distribution/vendor.conf" | sort | awk '{print "Provides:       bundled(golang("$1")) = "$2}' >> provides.spec.inc
+
+# Note(gotmax23): Ignore this also. My script commits the specfile,
+# and then this ammends that commit to add the updated provides.spec.inc.
+if command -v update.sh && [ "$#" -gt 0 ]; then
+    git add provides.spec.inc
+    git commit --gpg-sign --amend --no-edit
+fi