Sync from SUSE:ALP:Source:Standard:1.0 docker revision 5d9c6ff2bc4d1d6e8e39aa4e42167fb8

Adrian Schröter 2025-01-06 13:59:27 +01:00
parent 28da6e001e
commit 939bc3c78b
19 changed files with 869 additions and 3693 deletions


@ -1,4 +1,4 @@
From fc318bf73243e653e34252db10d8216fbe0fc17a Mon Sep 17 00:00:00 2001 From ec53ee338835c4c1dc583695ac166f36bf3bac5c Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de> From: Aleksa Sarai <asarai@suse.de>
Date: Wed, 8 Mar 2017 12:41:54 +1100 Date: Wed, 8 Mar 2017 12:41:54 +1100
Subject: [PATCH 1/7] SECRETS: daemon: allow directory creation in /run/secrets Subject: [PATCH 1/7] SECRETS: daemon: allow directory creation in /run/secrets
@ -14,7 +14,7 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
1 file changed, 20 insertions(+), 3 deletions(-) 1 file changed, 20 insertions(+), 3 deletions(-)
diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go
index e9be1b4e72e2..bf6af24c303c 100644 index 4dedc1b21c87..b7c310493e79 100644
--- a/daemon/container_operations_unix.go --- a/daemon/container_operations_unix.go
+++ b/daemon/container_operations_unix.go +++ b/daemon/container_operations_unix.go
@@ -3,6 +3,7 @@ @@ -3,6 +3,7 @@
@ -33,7 +33,7 @@ index e9be1b4e72e2..bf6af24c303c 100644
"github.com/docker/docker/pkg/idtools" "github.com/docker/docker/pkg/idtools"
"github.com/docker/docker/pkg/process" "github.com/docker/docker/pkg/process"
"github.com/docker/docker/pkg/stringid" "github.com/docker/docker/pkg/stringid"
@@ -201,9 +203,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) { @@ -240,9 +242,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
if err != nil { if err != nil {
return errors.Wrap(err, "unable to get secret from secret store") return errors.Wrap(err, "unable to get secret from secret store")
} }
@ -43,7 +43,7 @@ index e9be1b4e72e2..bf6af24c303c 100644
uid, err := strconv.Atoi(s.File.UID) uid, err := strconv.Atoi(s.File.UID)
if err != nil { if err != nil {
@@ -214,6 +213,24 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) { @@ -253,6 +252,24 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
return err return err
} }


@ -1,4 +1,4 @@
From 530aa9ea84a85817b747a2cb4ae3c5c029eea48c Mon Sep 17 00:00:00 2001 From 7ab9590b94925a03e0f16285492a73dbc231800c Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de> From: Aleksa Sarai <asarai@suse.de>
Date: Wed, 8 Mar 2017 11:43:29 +1100 Date: Wed, 8 Mar 2017 11:43:29 +1100
Subject: [PATCH 2/7] SECRETS: SUSE: implement SUSE container secrets Subject: [PATCH 2/7] SECRETS: SUSE: implement SUSE container secrets
@ -6,40 +6,44 @@ Subject: [PATCH 2/7] SECRETS: SUSE: implement SUSE container secrets
This allows for us to pass in host credentials to a container, allowing This allows for us to pass in host credentials to a container, allowing
for SUSEConnect to work with containers. for SUSEConnect to work with containers.
Users can disable this by setting DOCKER_SUSE_SECRETS_ENABLE=0 in
/etc/sysconfig/docker or by adding that setting to docker.service's
Environment using a drop-in file.
THIS PATCH IS NOT TO BE UPSTREAMED, DUE TO THE FACT THAT IT IS THIS PATCH IS NOT TO BE UPSTREAMED, DUE TO THE FACT THAT IT IS
SUSE-SPECIFIC, AND UPSTREAM DOES NOT APPROVE OF THIS CONCEPT BECAUSE IT SUSE-SPECIFIC, AND UPSTREAM DOES NOT APPROVE OF THIS CONCEPT BECAUSE IT
MAKES BUILDS NOT ENTIRELY REPRODUCIBLE. MAKES BUILDS NOT ENTIRELY REPRODUCIBLE.
SUSE-Bugs: bsc#1065609 bsc#1057743 bsc#1055676 bsc#1030702 SUSE-Bugs: bsc#1065609 bsc#1057743 bsc#1055676 bsc#1030702 bsc#1231348
Signed-off-by: Aleksa Sarai <asarai@suse.de> Signed-off-by: Aleksa Sarai <asarai@suse.de>
--- ---
daemon/start.go | 5 + daemon/start.go | 5 +
daemon/suse_secrets.go | 415 +++++++++++++++++++++++++++++++++++++++++ daemon/suse_secrets.go | 461 +++++++++++++++++++++++++++++++++++++++++
2 files changed, 420 insertions(+) 2 files changed, 466 insertions(+)
create mode 100644 daemon/suse_secrets.go create mode 100644 daemon/suse_secrets.go
diff --git a/daemon/start.go b/daemon/start.go diff --git a/daemon/start.go b/daemon/start.go
index 86321bc5d017..5d4c1280608d 100644 index b967947af2ce..e1a1218eb016 100644
--- a/daemon/start.go --- a/daemon/start.go
+++ b/daemon/start.go +++ b/daemon/start.go
@@ -159,6 +159,11 @@ func (daemon *Daemon) containerStart(ctx context.Context, daemonCfg *configStore @@ -118,6 +118,11 @@ func (daemon *Daemon) containerStart(ctx context.Context, daemonCfg *configStore
return err return err
} }
+ // SUSE:secrets -- inject the SUSE secret store + // SUSE:secrets -- inject the SUSE secret store
+ if err := daemon.injectSuseSecretStore(container); err != nil { + if err := daemon.injectSuseSecretStore(container); err != nil {
+ return errdefs.System(err) + return err
+ } + }
+ +
spec, err := daemon.createSpec(ctx, daemonCfg, container) mnts, err := daemon.setupContainerDirs(container)
if err != nil { if err != nil {
// Any error that occurs while creating the spec, even if it's the return err
diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go
new file mode 100644 new file mode 100644
index 000000000000..32b0ece91b59 index 000000000000..85b37bf46544
--- /dev/null --- /dev/null
+++ b/daemon/suse_secrets.go +++ b/daemon/suse_secrets.go
@@ -0,0 +1,415 @@ @@ -0,0 +1,461 @@
+/* +/*
+ * suse-secrets: patch for Docker to implement SUSE secrets + * suse-secrets: patch for Docker to implement SUSE secrets
+ * Copyright (C) 2017-2021 SUSE LLC. + * Copyright (C) 2017-2021 SUSE LLC.
@ -82,9 +86,47 @@ index 000000000000..32b0ece91b59
+ "github.com/sirupsen/logrus" + "github.com/sirupsen/logrus"
+) +)
+ +
+const suseSecretsTogglePath = "/etc/docker/suse-secrets-enable"
+
+// parseEnableFile parses a file that can only contain "0" or "1" (with some
+// whitespace).
+func parseEnableFile(path string) (bool, error) {
+ data, err := os.ReadFile(path)
+ if err != nil {
+ return false, err
+ }
+ data = bytes.TrimSpace(data)
+
+ switch value := string(data); value {
+ case "1":
+ return true, nil
+ case "0", "":
+ return false, nil
+ default:
+ return false, fmt.Errorf("invalid value %q (must be 0 to disable or 1 to enable)", value)
+ }
+}
+
+func isSuseSecretsEnabled() bool {
+ value, err := parseEnableFile(suseSecretsTogglePath)
+ if err != nil {
+ logrus.Warnf("SUSE:secrets :: error parsing %s: %v -- disabling SUSE secrets", suseSecretsTogglePath, err)
+ value = false
+ }
+ return value
+}
+
+var suseSecretsEnabled = true
+
+func init() { +func init() {
+ // Output to tell us in logs that SUSE:secrets is enabled. + // Make this entire feature toggle-able so that users can disable it if
+ logrus.Infof("SUSE:secrets :: enabled") + // they run into issues like bsc#1231348.
+ suseSecretsEnabled = isSuseSecretsEnabled()
+ if suseSecretsEnabled {
+ logrus.Infof("SUSE:secrets :: SUSEConnect support enabled (set %s to 0 to disable)", suseSecretsTogglePath)
+ } else {
+ logrus.Infof("SUSE:secrets :: SUSEConnect support disabled by %s", suseSecretsTogglePath)
+ }
+} +}
+ +
+// Creating a fake file. +// Creating a fake file.
@ -400,7 +442,7 @@ index 000000000000..32b0ece91b59
+ var without []*swarmtypes.SecretReference + var without []*swarmtypes.SecretReference
+ for _, secret := range c.SecretReferences { + for _, secret := range c.SecretReferences {
+ if strings.HasPrefix(secret.SecretID, "suse") { + if strings.HasPrefix(secret.SecretID, "suse") {
+ logrus.Warnf("SUSE:secrets :: removing 'old' suse secret %q from container %q", secret.SecretID, c.ID) + logrus.Debugf("SUSE:secrets :: removing 'old' suse secret %q from container %q", secret.SecretID, c.ID)
+ continue + continue
+ } + }
+ without = append(without, secret) + without = append(without, secret)
@ -409,6 +451,20 @@ index 000000000000..32b0ece91b59
+} +}
+ +
+func (daemon *Daemon) injectSuseSecretStore(c *container.Container) error { +func (daemon *Daemon) injectSuseSecretStore(c *container.Container) error {
+ // We drop any "old" SUSE secrets, as it appears that old containers (when
+ // restarted) could still have references to old secrets. The .id() of all
+ // secrets have a prefix of "suse" so this is much easier. See bsc#1057743
+ // for details on why this could cause issues.
+ removeSuseSecrets(c)
+
+ // Don't inject anything if the administrator has disabled suse secrets.
+ // However, for previous existing containers we need to remove old secrets
+ // (see above), otherwise they will still have old secret data.
+ if !suseSecretsEnabled {
+ logrus.Debugf("SUSE:secrets :: skipping injection of secrets into container %q because of %s", c.ID, suseSecretsTogglePath)
+ return nil
+ }
+
+ newDependencyStore := &suseDependencyStore{ + newDependencyStore := &suseDependencyStore{
+ dfl: c.DependencyStore, + dfl: c.DependencyStore,
+ secrets: make(map[string]*swarmapi.Secret), + secrets: make(map[string]*swarmapi.Secret),
@ -418,12 +474,6 @@ index 000000000000..32b0ece91b59
+ newDependencyStore.dfl = emptyStore + newDependencyStore.dfl = emptyStore
+ } + }
+ +
+ // We drop any "old" SUSE secrets, as it appears that old containers (when
+ // restarted) could still have references to old secrets. The .id() of all
+ // secrets have a prefix of "suse" so this is much easier. See bsc#1057743
+ // for details on why this could cause issues.
+ removeSuseSecrets(c)
+
+ secrets, err := getHostSuseSecretData() + secrets, err := getHostSuseSecretData()
+ if err != nil { + if err != nil {
+ return err + return err
@ -456,5 +506,5 @@ index 000000000000..32b0ece91b59
+ return nil + return nil
+} +}
-- --
2.45.2 2.47.1
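Review bot: The patch description on the new side tells administrators to disable the feature with `DOCKER_SUSE_SECRETS_ENABLE=0` in /etc/sysconfig/docker, but the code added in daemon/suse_secrets.go decides only from the file `/etc/docker/suse-secrets-enable`, read by `parseEnableFile` once in `init()`; no visible line reads that environment variable. Only parts of suse_secrets.go are shown here, so the variable may be translated into the file elsewhere in the package, but if it is not, an administrator following the description would still have host credentials injected into containers. The description should name the mechanism the code actually uses, and `isSuseSecretsEnabled` deserves a doc comment such as `// isSuseSecretsEnabled reports whether suseSecretsTogglePath contains "1"; a missing, unreadable or malformed file disables injection.` It is also worth stating next to `suseSecretsEnabled` that the value is fixed at daemon start, so editing the file has no effect until the daemon is restarted.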


@ -1,4 +1,4 @@
From dfa9e392bf1360144c80d62e01c297dc7aa52827 Mon Sep 17 00:00:00 2001 From 983a57fd37dc8e42e9c4e4dfc72eb346a4385948 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de> From: Aleksa Sarai <asarai@suse.de>
Date: Mon, 22 May 2023 15:44:54 +1000 Date: Mon, 22 May 2023 15:44:54 +1000
Subject: [PATCH 3/7] BUILD: SLE12: revert "graphdriver/btrfs: use kernel UAPI Subject: [PATCH 3/7] BUILD: SLE12: revert "graphdriver/btrfs: use kernel UAPI


@ -1,4 +1,4 @@
From 208a9ba144d7ab21b9717d669a577e2dbbf7ab2e Mon Sep 17 00:00:00 2001 From 8829bb8ec53399fd41dd6f46e2bad64e773e8eaa Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de> From: Aleksa Sarai <asarai@suse.de>
Date: Fri, 29 Jun 2018 17:59:30 +1000 Date: Fri, 29 Jun 2018 17:59:30 +1000
Subject: [PATCH 4/7] bsc1073877: apparmor: clobber docker-default profile on Subject: [PATCH 4/7] bsc1073877: apparmor: clobber docker-default profile on
@ -69,10 +69,10 @@ index be4938f5b61a..2b326fea5829 100644
return nil return nil
} }
diff --git a/daemon/daemon.go b/daemon/daemon.go diff --git a/daemon/daemon.go b/daemon/daemon.go
index c28e3063d576..c3228a084cb1 100644 index e7ca77d8cbfc..13b39538fb00 100644
--- a/daemon/daemon.go --- a/daemon/daemon.go
+++ b/daemon/daemon.go +++ b/daemon/daemon.go
@@ -900,8 +900,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S @@ -916,8 +916,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
log.G(ctx).Warnf("Failed to configure golang's threads limit: %v", err) log.G(ctx).Warnf("Failed to configure golang's threads limit: %v", err)
} }


@ -1,4 +1,4 @@
From 3dd554c3bdb8a01c28651b6b8a405a5d735d02d9 Mon Sep 17 00:00:00 2001 From 24173cd6a2643e5e680e84920864f42ed43b6f28 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de> From: Aleksa Sarai <asarai@suse.de>
Date: Wed, 11 Oct 2023 21:19:12 +1100 Date: Wed, 11 Oct 2023 21:19:12 +1100
Subject: [PATCH 5/7] SLE12: revert "apparmor: remove version-conditionals from Subject: [PATCH 5/7] SLE12: revert "apparmor: remove version-conditionals from
@ -249,7 +249,7 @@ index 000000000000..89b48b2dba58
+ return numericVersion, nil + return numericVersion, nil
+} +}
diff --git a/profiles/apparmor/apparmor.go b/profiles/apparmor/apparmor.go diff --git a/profiles/apparmor/apparmor.go b/profiles/apparmor/apparmor.go
index 1edfc5300235..0d23b940bdf4 100644 index 277c853ebe1f..d1aad80cbfd2 100644
--- a/profiles/apparmor/apparmor.go --- a/profiles/apparmor/apparmor.go
+++ b/profiles/apparmor/apparmor.go +++ b/profiles/apparmor/apparmor.go
@@ -11,10 +11,14 @@ import ( @@ -11,10 +11,14 @@ import (

File diff suppressed because it is too large Load Diff


@ -1,4 +1,4 @@
From a60ba6a7cae1bfc679e5a34646ffe1d4702d91e0 Mon Sep 17 00:00:00 2001 From 62035ba22a45bde6bed2da321e7ad954f5b461b4 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <cyphar@cyphar.com> From: Aleksa Sarai <cyphar@cyphar.com>
Date: Wed, 19 Jun 2024 16:30:49 +1000 Date: Wed, 19 Jun 2024 16:30:49 +1000
Subject: [PATCH 7/7] bsc1214855: volume: use AtomicWriteFile to save volume Subject: [PATCH 7/7] bsc1214855: volume: use AtomicWriteFile to save volume


@ -3,19 +3,26 @@
<param name="url">https://github.com/moby/moby.git</param> <param name="url">https://github.com/moby/moby.git</param>
<param name="scm">git</param> <param name="scm">git</param>
<param name="exclude">.git</param> <param name="exclude">.git</param>
<param name="versionformat">25.0.6_ce_%h</param> <param name="versionformat">26.1.5_ce_%h</param>
<param name="revision">v25.0.6</param> <param name="revision">v26.1.5</param>
<param name="filename">docker</param> <param name="filename">docker</param>
</service> </service>
<service name="tar_scm" mode="manual"> <service name="tar_scm" mode="manual">
<param name="url">https://github.com/docker/cli.git</param> <param name="url">https://github.com/docker/cli.git</param>
<param name="scm">git</param> <param name="scm">git</param>
<param name="exclude">.git</param> <param name="exclude">.git</param>
<param name="versionformat">25.0.6_ce</param> <param name="versionformat">26.1.5_ce</param>
<!-- They didn't release a version of docker-cli for this update. --> <param name="revision">v26.1.5</param>
<param name="revision">v25.0.5</param>
<param name="filename">docker-cli</param> <param name="filename">docker-cli</param>
</service> </service>
<service name="tar_scm" mode="manual">
<param name="url">https://github.com/docker/buildx.git</param>
<param name="scm">git</param>
<param name="exclude">.git</param>
<param name="versionformat">0.19.2</param>
<param name="revision">v0.19.2</param>
<param name="filename">docker-buildx</param>
</service>
<service name="recompress" mode="manual"> <service name="recompress" mode="manual">
<param name="file">docker-*.tar</param> <param name="file">docker-*.tar</param>
<param name="compression">xz</param> <param name="compression">xz</param>
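Review bot: The new docker-buildx `tar_scm` service takes its source from the tag `v0.19.2` and its `versionformat` is the bare `0.19.2`, so nothing in the service file or the tarball name records which commit was actually fetched; the docker-cli service has the same shape. A tag can be moved upstream, whereas the docker service's `versionformat` ends in `%h` and so ties the archive name to the resolved commit. Consider the same here, e.g. `<param name="versionformat">0.19.2_%h</param>`, or set `revision` to the full commit id with the tag in a comment; the spec file would need the matching archive name, which is not visible on this page.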


@ -1,7 +1,7 @@
From 7d5055e48910d7c368d315c22c5b1603cee0aa1f Mon Sep 17 00:00:00 2001 From 3701285f1cf678dda730e3f9a4860d74ca54057d Mon Sep 17 00:00:00 2001
From: danishprakash <danish.prakash@suse.com> From: danishprakash <danish.prakash@suse.com>
Date: Mon, 12 Feb 2024 18:07:06 +0530 Date: Mon, 12 Feb 2024 18:07:06 +0530
Subject: [PATCH] [PATCH] docs: include required tools in source tree Subject: [PATCH] docs: include required tools in source tree
In order to be able to build the documentation without internet access In order to be able to build the documentation without internet access
(as is required by some distribution build systems), all of the source (as is required by some distribution build systems), all of the source
@ -370,53 +370,53 @@ index 0d67c5e5bb09..7d98e161df5d 100755
mkdir -p docs/yaml mkdir -p docs/yaml
set -x set -x
diff --git a/vendor.mod b/vendor.mod diff --git a/vendor.mod b/vendor.mod
index cb538723603a..ba34bb097a32 100644 index 3bc5ce327f0f..a654f78703d6 100644
--- a/vendor.mod --- a/vendor.mod
+++ b/vendor.mod +++ b/vendor.mod
@@ -11,6 +11,7 @@ require ( @@ -11,6 +11,7 @@ require (
github.com/containerd/containerd v1.7.12 github.com/containerd/platforms v0.2.0
github.com/creack/pty v1.1.21 github.com/creack/pty v1.1.21
github.com/distribution/reference v0.5.0 github.com/distribution/reference v0.5.0
+ github.com/docker/cli-docs-tool v0.6.0 + github.com/docker/cli-docs-tool v0.6.0
github.com/docker/distribution v2.8.3+incompatible github.com/docker/distribution v2.8.3+incompatible
github.com/docker/docker v25.0.5-0.20240319141229-e63daec8672d+incompatible // 25.0 branch (v25.0.5-dev) github.com/docker/docker v26.1.4-0.20240605103321-de5c9cf0b96e+incompatible // 26.1 branch (v26.1.4-dev)
github.com/docker/docker-credential-helpers v0.8.1 github.com/docker/docker-credential-helpers v0.8.1
@@ -46,6 +47,8 @@ require ( @@ -53,6 +54,8 @@ require (
tags.cncf.io/container-device-interface v0.6.2 tags.cncf.io/container-device-interface v0.7.2
) )
+require github.com/cpuguy83/go-md2man/v2 v2.0.3 +require github.com/cpuguy83/go-md2man/v2 v2.0.3
+ +
require ( require (
github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
github.com/Microsoft/go-winio v0.6.1 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect
@@ -72,6 +75,7 @@ require ( @@ -83,6 +86,7 @@ require (
github.com/prometheus/common v0.42.0 // indirect github.com/prometheus/common v0.44.0 // indirect
github.com/prometheus/procfs v0.9.0 // indirect github.com/prometheus/procfs v0.12.0 // indirect
github.com/rivo/uniseg v0.2.0 // indirect github.com/rivo/uniseg v0.2.0 // indirect
+ github.com/russross/blackfriday/v2 v2.1.0 // indirect + github.com/russross/blackfriday/v2 v2.1.0 // indirect
github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
go.etcd.io/etcd/raft/v3 v3.5.6 // indirect go.etcd.io/etcd/raft/v3 v3.5.6 // indirect
@@ -87,4 +91,5 @@ require ( @@ -96,4 +100,5 @@ require (
google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20231016165738-49dd2c1f3d0b // indirect
google.golang.org/grpc v1.58.3 // indirect google.golang.org/grpc v1.60.1 // indirect
google.golang.org/protobuf v1.31.0 // indirect google.golang.org/protobuf v1.33.0 // indirect
+ gopkg.in/yaml.v3 v3.0.1 // indirect + gopkg.in/yaml.v3 v3.0.1 // indirect
) )
diff --git a/vendor.sum b/vendor.sum diff --git a/vendor.sum b/vendor.sum
index 064239b2fa8f..ca83ab55f00a 100644 index 6a31c9b2cf62..a0905e657c37 100644
--- a/vendor.sum --- a/vendor.sum
+++ b/vendor.sum +++ b/vendor.sum
@@ -41,6 +41,7 @@ github.com/containerd/containerd v1.7.12/go.mod h1:/5OMpE1p0ylxtEUGY8kuCYkDRzJm9 @@ -46,6 +46,7 @@ github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3
github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I= github.com/containerd/platforms v0.2.0 h1:clGNvVIcY3k39VJSYdFGohI1b3bP/eeBUVR5+XA28oo=
github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo= github.com/containerd/platforms v0.2.0/go.mod h1:XOM2BS6kN6gXafPLg80V6y/QUib+xoLyC3qVmHzibko=
github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
+github.com/cpuguy83/go-md2man/v2 v2.0.3 h1:qMCsGGgs+MAzDFyp9LpAe1Lqy/fY/qCovCm0qnXZOBM= +github.com/cpuguy83/go-md2man/v2 v2.0.3 h1:qMCsGGgs+MAzDFyp9LpAe1Lqy/fY/qCovCm0qnXZOBM=
github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
github.com/creack/pty v1.1.21 h1:1/QdRyBaHHJP61QkWMXlOIBfsgdDeeKfK8SYVUWJKf0= github.com/creack/pty v1.1.21 h1:1/QdRyBaHHJP61QkWMXlOIBfsgdDeeKfK8SYVUWJKf0=
@@ -51,6 +52,8 @@ github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs @@ -56,6 +57,8 @@ github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
github.com/denisenkom/go-mssqldb v0.0.0-20191128021309-1d7a30a10f73/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU= github.com/denisenkom/go-mssqldb v0.0.0-20191128021309-1d7a30a10f73/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU=
github.com/distribution/reference v0.5.0 h1:/FUIFXtfc/x2gpa5/VGfiGLuOIdYa1t65IKK2OFGvA0= github.com/distribution/reference v0.5.0 h1:/FUIFXtfc/x2gpa5/VGfiGLuOIdYa1t65IKK2OFGvA0=
github.com/distribution/reference v0.5.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= github.com/distribution/reference v0.5.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
@ -425,10 +425,10 @@ index 064239b2fa8f..ca83ab55f00a 100644
github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
@@ -227,6 +230,7 @@ github.com/prometheus/procfs v0.9.0 h1:wzCHvIvM5SxWqYvwgVL7yJY8Lz3PKn49KQtpgMYJf @@ -241,6 +244,7 @@ github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY=
github.com/prometheus/procfs v0.9.0/go.mod h1:+pB4zwohETzFnmlpe6yd2lSc+0/46IYZRB/chUwxUZY=
github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY=
github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
+github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= +github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
github.com/sirupsen/logrus v1.0.6/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc= github.com/sirupsen/logrus v1.0.6/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc=
@ -23326,13 +23326,13 @@ index 000000000000..e88f9c54aecb
+ +
+} +}
diff --git a/vendor/modules.txt b/vendor/modules.txt diff --git a/vendor/modules.txt b/vendor/modules.txt
index 7764f1a73540..f64e8d9e6f78 100644 index 4e0448570ce9..577e9de880c6 100644
--- a/vendor/modules.txt --- a/vendor/modules.txt
+++ b/vendor/modules.txt +++ b/vendor/modules.txt
@@ -30,12 +30,20 @@ github.com/containerd/containerd/platforms @@ -33,12 +33,20 @@ github.com/containerd/log
# github.com/containerd/log v0.1.0 # github.com/containerd/platforms v0.2.0
## explicit; go 1.20 ## explicit; go 1.20
github.com/containerd/log github.com/containerd/platforms
+# github.com/cpuguy83/go-md2man/v2 v2.0.3 +# github.com/cpuguy83/go-md2man/v2 v2.0.3
+## explicit; go 1.11 +## explicit; go 1.11
+github.com/cpuguy83/go-md2man/v2 +github.com/cpuguy83/go-md2man/v2
@ -23350,7 +23350,7 @@ index 7764f1a73540..f64e8d9e6f78 100644
# github.com/docker/distribution v2.8.3+incompatible # github.com/docker/distribution v2.8.3+incompatible
## explicit ## explicit
github.com/docker/distribution github.com/docker/distribution
@@ -242,12 +250,16 @@ github.com/prometheus/procfs/internal/util @@ -252,12 +260,16 @@ github.com/prometheus/procfs/internal/util
# github.com/rivo/uniseg v0.2.0 # github.com/rivo/uniseg v0.2.0
## explicit; go 1.12 ## explicit; go 1.12
github.com/rivo/uniseg github.com/rivo/uniseg
@ -23367,7 +23367,7 @@ index 7764f1a73540..f64e8d9e6f78 100644
# github.com/spf13/pflag v1.0.5 # github.com/spf13/pflag v1.0.5
## explicit; go 1.12 ## explicit; go 1.12
github.com/spf13/pflag github.com/spf13/pflag
@@ -452,6 +464,9 @@ google.golang.org/protobuf/types/known/timestamppb @@ -498,6 +510,9 @@ google.golang.org/protobuf/types/known/wrapperspb
# gopkg.in/yaml.v2 v2.4.0 # gopkg.in/yaml.v2 v2.4.0
## explicit; go 1.15 ## explicit; go 1.15
gopkg.in/yaml.v2 gopkg.in/yaml.v2
@ -23378,5 +23378,5 @@ index 7764f1a73540..f64e8d9e6f78 100644
## explicit; go 1.17 ## explicit; go 1.17
gotest.tools/v3/assert gotest.tools/v3/assert
-- --
2.44.0 2.45.2

BIN
docker-25.0.6_ce_b08a51fe16ee.tar.xz (Stored with Git LFS)

Binary file not shown.

BIN
docker-26.1.5_ce_411e817ddf71.tar.xz (Stored with Git LFS) Normal file

Binary file not shown.

BIN
docker-buildx-0.19.2.tar.xz (Stored with Git LFS) Normal file

Binary file not shown.

BIN
docker-cli-25.0.6_ce.tar.xz (Stored with Git LFS)

Binary file not shown.

BIN
docker-cli-26.1.5_ce.tar.xz (Stored with Git LFS) Normal file

Binary file not shown.

291
docker-integration.sh Normal file

@ -0,0 +1,291 @@
#!/bin/bash
# docker-integration: run Docker's integration tests
# Copyright (C) 2024 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -Eeuo pipefail
TESTDIR=/usr/src/docker-test
TEST_SRCDIR="$TESTDIR/src"
TEST_BINDIR="$TESTDIR/bin"
TMPROOT="$(mktemp --tmpdir -d docker-integration-tmpdir.XXXXXX)"
TMPDIR="$TMPROOT/tmp"
DEST="$TMPROOT/dest"
mkdir -p "$TMPDIR" "$TEST_BINDIR" "$DEST"
chmod 1777 "$TMPDIR"
chmod 777 "$TMPROOT"
function usage() {
cat >&2 <<-EOF
docker-integration.sh [-Av] [-r TestName] [-t timeout] [<test-suites>...]
Arguments:
-A
Run all tests (do not fail on first suite failure).
-v
Run tests in verbose mode (go test -v).
-r
Only run tests that match the given regular expression (go test -run).
-t <timeout=$timeout>
Set the per-suite timeout to <timeout> (go test -timeout).
<test-suites>...
Only run the given test suites in /usr/src/docker-test. The
default is to run all test suites
Examples:
Run the build and network integration tests with a 60 minute timeout:
./docker-integration.sh -t 60m integration/build integration/network
Run all of the tests in verbose mode with a 6 hour timeout:
./docker-integration.sh -Av -t 360m
This script is maintained by openSUSE in the Virtualization:containers
project, and is only intended to be used by openSUSE developers.
EOF
exit "${1:-1}"
}
fail_fast=1
verbose=
filter=
timeout=20m
while getopts "Ahr:t:v" opt; do
case "$opt" in
A)
fail_fast=
;;
v)
verbose=1
;;
r)
filter="$OPTARG"
;;
t)
timeout="$OPTARG"
;;
h)
usage 0
;;
:)
echo "Missing argument: -$OPTARG" >&2
usage 1
;;
\?)
echo "Invalid option: -$OPTARG" >&2
usage 1
;;
esac
done
pushd "$TEST_SRCDIR"
if [ "$OPTIND" -le "$#" ]; then
SUITES=("${@:$OPTIND:$(($#+1))}")
else
readarray -t SUITES <<<"$(find . -type f -name test.main -printf "%h\n")"
fi
echo "Planning to run suites {${SUITES[@]}}."
# Download the frozen images.
if ! [ -d /docker-frozen-images ]; then
# TODO: Get the hashes from /usr/src/docker-test/Dockerfile...
contrib/download-frozen-image-v2.sh "$TMPDIR/docker-frozen-images" \
busybox:latest@sha256:95cf004f559831017cdf4628aaf1bb30133677be8702a8c5f2994629f637a209 \
busybox:glibc@sha256:1f81263701cddf6402afe9f33fca0266d9fff379e59b1748f33d3072da71ee85 \
debian:bookworm-slim@sha256:2bc5c236e9b262645a323e9088dfa3bb1ecb16cc75811daf40a23a824d665be9 \
hello-world:latest@sha256:d58e752213a51785838f9eed2b7a498ffa1cb3aa7f946dda11af39286c3db9a9 \
arm32v7/hello-world:latest@sha256:50b8560ad574c779908da71f7ce370c0a2471c098d44d1c8f6b513c5a55eeeb1
sudo cp -r "$TMPDIR/docker-frozen-images" /
fi
# Create binaries in $TEST_BINDIR.
if ! [ -e "$TEST_BINDIR/docker-basic-plugin" ]; then
(
pushd "$TEST_SRCDIR/testutil/fixtures/plugin/basic"
go mod init docker-basic-plugin
go build -o "$TEST_BINDIR/docker-basic-plugin" .
)
fi
if ! [ -e "$TEST_BINDIR/registry-v2" ]; then
# The v2.x tags of Docker registry don't use go.mod, and pre-date the move
# to github.com/distribution, so we need to create a fake GOPATH with the
# old github.com/docker/distribution import path.
(
export GOPATH="$(mktemp -d -p "$TMPROOT" distribution-build-gopath.XXXXXX)"
pushd "$GOPATH"
git clone \
--depth=1 --branch=v2.8.3 \
https://github.com/distribution/distribution.git \
src/github.com/docker/distribution
pushd src/github.com/docker/distribution
GO111MODULE=off go build -o "$TEST_BINDIR/registry-v2" ./cmd/registry
)
fi
if ! [ -e "$TEST_BINDIR/ctr" ]; then
containerd-ctr --help >/dev/null
ln -sf "$(which containerd-ctr)" "$TEST_BINDIR/ctr"
fi
if ! [ -e "$TEST_BINDIR/docker" ]; then
# The integration-cli tests require a Docker 17.06.2 client (from 2017).
# This is mainly because the tests are all based on the specific output the
# client gives, and some tests fail on modern client versions.
(
export GOPATH="$(mktemp -d -p "$TMPROOT" distribution-build-gopath.XXXXXX)"
pushd "$GOPATH"
# This tag also comes from the time when this was called
# github.com/docker/docker-ce-packaging, so we need to work around this
# by moving the cli component into the right path...
git clone \
--depth=1 --branch=v17.06.2-ce \
https://github.com/docker/cli.git \
src/github.com/docker/docker-ce-packaging
mv \
src/github.com/docker/docker-ce-packaging/components/cli \
src/github.com/docker/cli
pushd src/github.com/docker/cli
GO111MODULE=off go build -o "$TEST_BINDIR/docker" ./cmd/docker
)
fi
# Create an unprivilegeduser account for tests.
if ! ( grep unprivilegeduser /etc/passwd &>/dev/null ); then
useradd --create-home --gid docker unprivilegeduser
fi
# Disable SUSE secrets for tests, as some tests (TestDiff from
# integration/container) will fail if we have secrets injected.
[ -e /etc/docker/suse-secrets-enable ] && \
mv -nv /etc/docker/suse-secrets-enable{,-DISABLED}
sudo systemctl restart docker
# Make sure docker-buildx is disabled.
[ -e /usr/lib/docker/cli-plugins/docker-buildx ] && \
mv -nv /usr/lib/docker/cli-plugins/docker-buildx{,-DISABLED}
# Disable any daemon configurations.
[ -e /etc/docker/daemon.json ] && \
mv -nv /etc/docker/daemon.json{,.DISABLED}
set -x
# In order for< gotest.tools/v3/assert> to parse the source and give us useful
# error messages, we have to create a fake source directory that points at
# $TEST_SRCDIR. This path is replaced with %{docker_builddir} during the
# docker.spec build.
__DOCKER_BUILDIR="@@docker_builddir@@"
DOCKER_BUILDDIR="${DOCKER_BUILDDIR:-$__DOCKER_BUILDIR}"
sudo rm -rvf "$DOCKER_BUILDDIR"
sudo mkdir -p "$(dirname "$DOCKER_BUILDDIR")"
sudo ln -svf "$TEST_SRCDIR" "$DOCKER_BUILDDIR"
# Clean up any old containers/images/networks/volumes before running the tests.
# We need to do this *BEFORE* we set PATH, as the outdated $TEST_BINDIR/docker
# doesn't support some of these commands.
docker container prune -f
docker image prune -af
#docker buildx prune -af
docker network prune -f
docker volume prune -af
[ -z "$(docker plugin ls -q)" ] || docker plugin ls -q | xargs docker plugin rm -f
docker system prune -af
export DOCKERFILE="$TEST_SRCDIR/Dockerfile"
export TMPDIR="$TMPDIR"
export TEMP="$TMPDIR"
export HOME="$TMPDIR/fake-home"
export DEST="$TEST_SRCDIR/bundles"
export ABS_DEST="$DEST"
export PATH="$TEST_BINDIR:$PATH"
export TZ=UTC
export DOCKER_INTEGRATION_DAEMON_DEST="$ABS_DEST"
export DOCKER_HOST=unix:///run/docker.sock
export DOCKER_GRAPHDRIVER=overlay2
export DOCKER_USERLANDPROXY=true
export DOCKER_REMAP_ROOT="${DOCKER_REMAP_ROOT:-}"
export DOCKER_TMPDIR="$TMPDIR"
export DOCKER_SUSE_SECRETS_ENABLE=0
set +x
# Make sure that we have a dummy "destination" directory for tests.
rm -rf "$DOCKER_INTEGRATION_DAEMON_DEST"
mkdir -p "$DOCKER_INTEGRATION_DAEMON_DEST"
# Install the emptyfs images.
sh ./hack/make/.build-empty-images
ls -la "$TMPROOT"
success=0
failed_suites=()
for suite_name in "${SUITES[@]}"; do
suite_name="${suite_name#*./}"
pushd "$TEST_SRCDIR/$suite_name"
test_flags=()
[ -n "$verbose" ] && test_flags+=("-test.v")
[ -n "$filter" ] && test_flags+=("-test.run" "$filter")
if [[ "$suite_name" == "integration-cli" ]]; then
# We need to disable docker-buildx for the integration-cli tests
# because otherwise the "docker build" command will use the wrong
# builder and the output won't match what the tests expect.
timeout=360m
fi
test_flags+=("-test.timeout" "$timeout")
echo "Running suite $suite_name (${test_flags[@]}) [success=$success fail=${#failed_suites[@]}]"
set -x +e
sudo -E HOME="$HOME" TMPDIR="$TMPDIR" PATH="$PATH" \
./test.main "${test_flags[@]}"
err="$?"
if (( $err != 0 )); then
[ -z "$fail_fast" ] || exit "$err"
failed_suites+=("$suite_name")
else
(( success++ ))
fi
set +x -e
popd
done
[ -e /usr/lib/docker/cli-plugins/docker-buildx-DISABLED ] && \
mv -nv /usr/lib/docker/cli-plugins/docker-buildx{-DISABLED,}
[ -e /etc/docker/suse-secrets-enable-DISABLED ] && \
mv -nv /etc/docker/suse-secrets-enable{-DISABLED,}
[ -e /etc/docker/daemon.json.DISABLED ] && \
mv -nv /etc/docker/daemon.json{.DISABLED,}
echo "Suite results: $success success(es) ${#failed_suites[@]} failure(s)."
if (( ${#failed_suites[@]} > 0 )); then
echo "Failed suites:"
printf " - %s\n" "${failed_suites[@]}"
exit 1
fi


@ -1,2 +1,7 @@
addFilter("^docker-bash-completion.noarch: (E|W): non-executable-script /usr/share/bash-completion/completions/docker") addFilter("^docker-(stable-)?bash-completion.noarch: (E|W): non-executable-script /usr/share/bash-completion/completions/docker")
addFilter("^docker-zsh-completion.noarch: W: non-conffile-in-etc /etc/zsh_completion.d/_docker") addFilter("^docker-(stable-)?zsh-completion.noarch: W: non-conffile-in-etc /etc/zsh_completion.d/_docker")
# The docker-integration-tests-devel package contains all of the source code of
# Docker, which causes a bunch of warnings. Note that
# docker-integration-tests-devel is used internally and isn't actually shipped.
addFilter("^docker-(stable-)?integration-tests-devel\..*: (E|W): .*")
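Review bot: The last filter, `addFilter("^docker-(stable-)?integration-tests-devel\..*: (E|W): .*")`, silences every rpmlint error and warning for that subpackage, so findings about file modes or unexpected privileged binaries in the installed source tree and test binaries would be hidden along with the expected noise. Since the comment says the package is internal only, a narrower filter listing just the check names that actually fire in the build log would keep the output quiet without losing those. If the blanket form stays, the comment above it should say so, for example `# Blanket filter: this also hides permission-related findings; re-check by hand when the test layout changes.` As a style point, the two filters above leave the `.` in `.noarch` unescaped while this one writes `\.`; using `\.` throughout would be consistent.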


@ -1,3 +1,111 @@
-------------------------------------------------------------------
Wed Dec 11 10:14:56 UTC 2024 - Aleksa Sarai <asarai@suse.com>
- Update docker-buildx to v0.19.2. See upstream changelog online at
<https://github.com/docker/buildx/releases/tag/v0.19.2>.
Some notable changelogs from the last update:
* <https://github.com/docker/buildx/releases/tag/v0.19.0>
* <https://github.com/docker/buildx/releases/tag/v0.18.0>
- Update to Go 1.22.
-------------------------------------------------------------------
Wed Dec 11 05:39:42 UTC 2024 - Aleksa Sarai <asarai@suse.com>
- Add a new toggle file /etc/docker/suse-secrets-enable which allows users to
disable the SUSEConnect integration with Docker (which creates special mounts
in /run/secrets to allow container-suseconnect to authenticate containers
with registries on registered hosts). bsc#1231348 bsc#1232999
In order to disable these mounts, just do
echo 0 > /etc/docker/suse-secrets-enable
and restart Docker. In order to re-enable them, just do
echo 1 > /etc/docker/suse-secrets-enable
and restart Docker. Docker will output information on startup to tell you
whether the SUSE secrets feature is enabled or not.
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
-------------------------------------------------------------------
Wed Nov 27 12:10:42 UTC 2024 - Aleksa Sarai <asarai@suse.com>
- Disable docker-buildx builds for SLES. It turns out that build containers
with docker-buildx don't currently get the SUSE secrets mounts applied,
meaning that container-suseconnect doesn't work when building images.
bsc#1233819
-------------------------------------------------------------------
Wed Nov 20 05:34:38 UTC 2024 - Aleksa Sarai <asarai@suse.com>
- Add docker-integration-tests-devel subpackage for building and running the
upstream Docker integration tests on machines to test that Docker works
properly. Users should not install this package.
- docker-rpmlintrc updated to include allow-list for all of the integration
tests package, since it contains a bunch of stuff that wouldn't normally be
allowed.
-------------------------------------------------------------------
Tue Nov 12 06:34:28 UTC 2024 - Aleksa Sarai <asarai@suse.com>
- Remove DOCKER_NETWORK_OPTS from docker.service. This was removed from
sysconfig a long time ago, and apparently this causes issues with systemd in
some cases.
-------------------------------------------------------------------
Wed Oct 16 22:24:52 UTC 2024 - Aleksa Sarai <asarai@suse.com>
- Further merge docker and docker-stable specfiles to minimise the differences.
The main thing is that we now include both halves of the
Conflicts/Provides/Obsoletes dance in both specfiles.
-------------------------------------------------------------------
Wed Oct 16 05:37:14 UTC 2024 - Aleksa Sarai <asarai@suse.com>
- Update to docker-buildx v0.17.1 to match standalone docker-buildx package we
are replacing. See upstream changelog online at
<https://github.com/docker/buildx/releases/tag/v0.17.1>
-------------------------------------------------------------------
Wed Sep 18 13:47:45 UTC 2024 - Ana Guerrero <ana.guerrero@suse.com>
- Add %{_sysconfdir}/audit/rules.d to filelist.
-------------------------------------------------------------------
Sat Sep 7 06:07:50 UTC 2024 - Aleksa Sarai <asarai@suse.com>
- Mark docker-buildx as required since classic "docker build" has been
deprecated since Docker 23.0. bsc#1230331
- Import docker-buildx v0.16.2 as a subpackage. Previously this was a separate
package, but with docker-stable it will be necessary to maintain the packages
together and it makes more sense to have them live in the same OBS package.
bsc#1230333
- Make some minor name macro updates to help with the docker-stable package
fork.
-------------------------------------------------------------------
Wed Jul 31 05:28:09 UTC 2024 - Aleksa Sarai <asarai@suse.com>
- Update to Docker 26.1.5-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/26.1/#2615>
bsc#1230294
- This update includes fixes for:
* CVE-2024-41110. bsc#1228324
* CVE-2023-47108. bsc#1217070
* CVE-2023-45142. bsc#1228553
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
* 0006-bsc1221916-update-to-patched-buildkit-version-to-fix.patch
* 0007-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch
* cli-0001-docs-include-required-tools-in-source-tree.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Jul 31 04:58:15 UTC 2024 - Aleksa Sarai <asarai@suse.com> Wed Jul 31 04:58:15 UTC 2024 - Aleksa Sarai <asarai@suse.com>
@ -5,7 +113,10 @@ Wed Jul 31 04:58:15 UTC 2024 - Aleksa Sarai <asarai@suse.com>
- Update to Docker 25.0.6-ce. See upstream changelog online at - Update to Docker 25.0.6-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/25.0/#2506> <https://docs.docker.com/engine/release-notes/25.0/#2506>
- This update includes a fix for CVE-2024-41110. bsc#1228324 - This update includes fixes for:
* CVE-2024-41110. bsc#1228324
* CVE-2023-47108. bsc#1217070 bsc#1229806
* CVE-2023-45142. bsc#1228553 bsc#1229806
- Rebase patches: - Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
@ -33,6 +144,41 @@ Mon Jun 24 08:15:24 UTC 2024 - Aleksa Sarai <asarai@suse.com>
<https://github.com/moby/moby/pull/48034>. bsc#1214855 <https://github.com/moby/moby/pull/48034>. bsc#1214855
+ 0007-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch + 0007-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch
-------------------------------------------------------------------
Thu Jun 6 04:17:23 UTC 2024 - Aleksa Sarai <asarai@suse.com>
- Update to Docker 26.1.4-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/26.1/#2614>
- Rebase patches:
* cli-0001-docs-include-required-tools-in-source-tree.patch
-------------------------------------------------------------------
Wed Apr 24 13:43:30 UTC 2024 - Aleksa Sarai <asarai@suse.com>
- Update to Docker 26.1.0-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/26.1/#2610>
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
* cli-0001-docs-include-required-tools-in-source-tree.patch
-------------------------------------------------------------------
Thu Apr 18 07:46:18 UTC 2024 - Aleksa Sarai <asarai@suse.com>
- Update to Docker 26.0.1-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/26.0/#2601>
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
* cli-0001-docs-include-required-tools-in-source-tree.patch
- Update --add-runtime to point to correct binary path.
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Mar 25 12:34:56 UTC 2024 - Aleksa Sarai <asarai@suse.com> Mon Mar 25 12:34:56 UTC 2024 - Aleksa Sarai <asarai@suse.com>


@ -16,7 +16,7 @@ EnvironmentFile=/etc/sysconfig/docker
# enabled by default because enabling socket activation means that on boot your # enabled by default because enabling socket activation means that on boot your
# containers won't start until someone tries to administer the Docker daemon. # containers won't start until someone tries to administer the Docker daemon.
Type=notify Type=notify
ExecStart=/usr/bin/dockerd --add-runtime oci=/usr/sbin/runc $DOCKER_NETWORK_OPTIONS $DOCKER_OPTS ExecStart=/usr/bin/dockerd --add-runtime oci=/usr/sbin/runc $DOCKER_OPTS
ExecReload=/bin/kill -s HUP $MAINPID ExecReload=/bin/kill -s HUP $MAINPID
# Having non-zero Limit*s causes performance problems due to accounting overhead # Having non-zero Limit*s causes performance problems due to accounting overhead
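Review bot: Dropping `$DOCKER_NETWORK_OPTIONS` from `ExecStart` means a host whose `/etc/sysconfig/docker` still sets that variable will start dockerd without those flags and without any message; if the variable carried network-restricting options, that is a silent loss of configuration. The unit still loads the file through `EnvironmentFile=`, so nothing flags the now-unused variable. A comment next to `ExecStart` such as `# DOCKER_NETWORK_OPTIONS is no longer read; put daemon flags in DOCKER_OPTS.` would document this for administrators. An upgrade-time notice would make it more visible, but whether the package emits one is not shown in this section.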


@ -1,7 +1,7 @@
# #
# spec file for package docker # spec file for package docker
# #
# Copyright (c) 2023 SUSE LLC # Copyright (c) 2024 SUSE LLC
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -16,38 +16,69 @@
# #
# nodebuginfo # nodebuginfo
%bcond_without apparmor
%bcond_without apparmor
# This subpackage is only used for testing by developers, and shouldn't be
# built for actual users.
%bcond_with integration_tests
%if 0%{?is_opensuse} == 0
# SUSEConnect support ("SUSE secrets") only makes sense for SLES hosts.
%bcond_without suseconnect
# There is currently a known bug between buildx and SUSE secrets, so we don't
# package docker-buildx for SLES. bsc#1233819
%bcond_with buildx
%else
%bcond_with suseconnect
%bcond_without buildx
%endif
# The flavour is defined with a macro to try to keep docker and docker-stable
# as similar as possible, to make maintenance a little easier.
%define flavour %{nil}
# Where important update information will be stored, such that an administrator # Where important update information will be stored, such that an administrator
# is guaranteed to see the relevant warning. # is guaranteed to see the relevant warning.
%define update_messages %{_localstatedir}/adm/update-messages/%{name}-%{version}-%{release} %define update_messages %{_localstatedir}/adm/update-messages/%{name}-%{version}-%{release}
# Test binaries.
%define testdir /usr/src/docker-test
#Compat macro for new _fillupdir macro introduced in Nov 2017 #Compat macro for new _fillupdir macro introduced in Nov 2017
%if ! %{defined _fillupdir} %if ! %{defined _fillupdir}
%define _fillupdir /var/adm/fillup-templates %define _fillupdir /var/adm/fillup-templates
%endif %endif
# MANUAL: This needs to be updated with every docker update.
%define docker_real_version 26.1.5
%define docker_git_version 411e817ddf71
%define docker_version %{docker_real_version}_ce
# This "nice version" is so that docker --version gives a result that can be
# parsed by other people. boo#1182476
%define docker_nice_version %{docker_real_version}-ce
%if %{with buildx}
# MANUAL: This needs to be updated with every docker-buildx update.
%define buildx_version 0.19.2
%endif
# Used when generating the "build" information for Docker version. The value of # Used when generating the "build" information for Docker version. The value of
# git_commit_epoch is unused here (we use SOURCE_DATE_EPOCH, which rpm # git_commit_epoch is unused here (we use SOURCE_DATE_EPOCH, which rpm
# helpfully injects into our build environment from the changelog). If you want # helpfully injects into our build environment from the changelog). If you want
# to generate a new git_commit_epoch, use this: # to generate a new git_commit_epoch, use this:
# $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s' # $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s'
%define real_version 25.0.6 %define git_commit_epoch 1721763388
%define git_version b08a51fe16ee
%define git_commit_epoch 1721861837
Name: docker Name: docker%{flavour}
Version: %{real_version}_ce Version: %{docker_version}
# This "nice version" is so that docker --version gives a result that can be
# parsed by other people. boo#1182476
%define nice_version %{real_version}-ce
Release: 0 Release: 0
Summary: The Moby-project Linux container runtime Summary: The Moby-project Linux container runtime
License: Apache-2.0 License: Apache-2.0
Group: System/Management Group: System/Management
URL: http://www.docker.io URL: http://www.docker.io
Source: %{name}-%{version}_%{git_version}.tar.xz Source: docker-%{docker_version}_%{docker_git_version}.tar.xz
Source1: %{name}-cli-%{version}.tar.xz Source1: docker-cli-%{docker_version}.tar.xz
Source3: docker-rpmlintrc Source3: docker-rpmlintrc
# TODO: Move these source files to somewhere nicer. # TODO: Move these source files to somewhere nicer.
Source100: docker.service Source100: docker.service
@ -58,6 +89,8 @@ Source130: README_SUSE.md
Source140: docker-audit.rules Source140: docker-audit.rules
Source150: docker-daemon.json Source150: docker-daemon.json
Source160: docker.sysusers Source160: docker.sysusers
# docker-integration-tests-devel
Source900: docker-integration.sh
# NOTE: All of these patches are maintained in <https://github.com/suse/docker> # NOTE: All of these patches are maintained in <https://github.com/suse/docker>
# in the suse-v<version> branch. Make sure you update the patches in that # in the suse-v<version> branch. Make sure you update the patches in that
# branch and then git-format-patch the patch here. # branch and then git-format-patch the patch here.
@ -86,18 +119,18 @@ BuildRequires: fdupes
%if %{with apparmor} %if %{with apparmor}
BuildRequires: libapparmor-devel BuildRequires: libapparmor-devel
%endif %endif
BuildRequires: fish
BuildRequires: go-go-md2man
BuildRequires: libbtrfs-devel >= 3.8 BuildRequires: libbtrfs-devel >= 3.8
BuildRequires: libseccomp-devel >= 2.2 BuildRequires: libseccomp-devel >= 2.2
BuildRequires: libtool BuildRequires: libtool
BuildRequires: linux-glibc-devel BuildRequires: linux-glibc-devel
BuildRequires: procps BuildRequires: procps
BuildRequires: sqlite3-devel BuildRequires: sqlite3-devel
BuildRequires: zsh
BuildRequires: fish
BuildRequires: go-go-md2man
BuildRequires: pkgconfig(libsystemd)
BuildRequires: sysuser-tools BuildRequires: sysuser-tools
BuildRequires: golang(API) = 1.21 BuildRequires: zsh
BuildRequires: golang(API) = 1.22
BuildRequires: pkgconfig(libsystemd)
%if %{with apparmor} %if %{with apparmor}
%if 0%{?sle_version} >= 150000 %if 0%{?sle_version} >= 150000
# This conditional only works on rpm>=4.13, which SLE 12 doesn't have. But we # This conditional only works on rpm>=4.13, which SLE 12 doesn't have. But we
@ -119,7 +152,15 @@ Requires: ca-certificates-mozilla
# The docker-proxy binary used to be in a separate package. We obsolete it, # The docker-proxy binary used to be in a separate package. We obsolete it,
# since now docker-proxy is maintained as part of this package. # since now docker-proxy is maintained as part of this package.
Obsoletes: docker-libnetwork < 0.7.0.2 Obsoletes: docker-libnetwork < 0.7.0.2
Provides: docker-libnetwork = 0.7.0.2.%{version} Provides: docker-libnetwork = 0.7.0.2.%{docker_version}
# docker-stable cannot be used alongside docker.
%if "%{name}" == "docker-stable"
Provides: docker = %{docker_version}
Obsoletes: docker < %{docker_version}
Conflicts: docker
%else
Conflicts: docker-stable
%endif
# Required to actually run containers. We require the minimum version that is # Required to actually run containers. We require the minimum version that is
# pinned by Docker, but in order to avoid headaches we allow for updates. # pinned by Docker, but in order to avoid headaches we allow for updates.
Requires: runc >= 1.1.9 Requires: runc >= 1.1.9
@ -134,6 +175,11 @@ Requires: iptables >= 1.4
Requires: procps Requires: procps
Requires: tar >= 1.26 Requires: tar >= 1.26
Requires: xz >= 4.9 Requires: xz >= 4.9
%if %{with buildx}
# Standard docker-build is deprecated, so require docker-buildx to avoid users
# hitting bugs that have long since been fixed by docker-buildx. bsc#1230331
Requires: %{name}-buildx
%endif
%?sysusers_requires %?sysusers_requires
Requires(post): %fillup_prereq Requires(post): %fillup_prereq
Requires(post): udev Requires(post): udev
@ -142,10 +188,8 @@ Requires(post): shadow
# configured to use lvm and the user doesn't explicitly provide a # configured to use lvm and the user doesn't explicitly provide a
# different storage-driver than devicemapper # different storage-driver than devicemapper
Recommends: lvm2 >= 2.2.89 Recommends: lvm2 >= 2.2.89
Recommends: git-core >= 1.7
# Required for "docker buildx" support.
Recommends: %{name}-buildx
Recommends: %{name}-rootless-extras Recommends: %{name}-rootless-extras
Recommends: git-core >= 1.7
ExcludeArch: s390 ppc ExcludeArch: s390 ppc
%description %description
@ -157,27 +201,95 @@ Docker is a great building block for automating distributed systems: large-scale
web deployments, database clusters, continuous deployment systems, private PaaS, web deployments, database clusters, continuous deployment systems, private PaaS,
service-oriented architectures, etc. service-oriented architectures, etc.
%if %{with buildx}
%package buildx
Version: %{buildx_version}
Summary: Docker CLI plugin for extended build capabilities with BuildKit
License: Apache-2.0
URL: https://github.com/docker/buildx
Source500: docker-buildx-%{buildx_version}.tar.xz
Group: System/Management
Requires: %{name} >= 19.03.0_ce
# docker-stable cannot be used alongside docker.
%if "%{name}" == "docker-stable"
Provides: docker-buildx = %{buildx_version}
Obsoletes: docker-buildx < %{buildx_version}
Conflicts: docker-buildx
%else
Conflicts: docker-stable-buildx
%endif
%description buildx
buildx is a Docker CLI plugin for extended build capabilities with BuildKit.
Key features:
- Familiar UI from docker build
- Full BuildKit capabilities with container driver
- Multiple builder instance support
- Multi-node builds for cross-platform images
- Compose build support
- High-level build constructs (bake)
- In-container driver support (both Docker and Kubernetes)
%endif
%package rootless-extras %package rootless-extras
Summary: Rootless support for Docker Summary: Rootless support for Docker
Group: System/Management Group: System/Management
Requires: %{name} = %{version} Requires: %{name} = %{docker_version}
Requires: slirp4netns >= 0.4
Requires: fuse-overlayfs >= 0.7 Requires: fuse-overlayfs >= 0.7
Requires: rootlesskit Requires: rootlesskit
Requires: slirp4netns >= 0.4
BuildArch: noarch BuildArch: noarch
# docker-stable cannot be used alongside docker.
%if "%{name}" == "docker-stable"
Provides: docker-rootless-extras = %{docker_version}
Obsoletes: docker-rootless-extras < %{docker_version}
Conflicts: docker-rootless-extras
%else
Conflicts: docker-stable-rootless-extras
%endif
%description rootless-extras %description rootless-extras
Rootless support for Docker. Rootless support for Docker.
Use dockerd-rootless.sh to run the daemon. Use dockerd-rootless.sh to run the daemon.
Use dockerd-rootless-setuptool.sh to setup systemd for dockerd-rootless.sh. Use dockerd-rootless-setuptool.sh to setup systemd for dockerd-rootless.sh.
%if %{with integration_tests}
%package integration-tests-devel
Summary: Rootless support for Docker
Group: TestSuite
Requires: %{name} = %{docker_version}
Requires: containerd-ctr
Requires: curl
Requires: gcc
Requires: git
Requires: glibc-devel-static
Requires: go
Requires: jq
Requires: libcap-progs
%description integration-tests-devel
Integration testing binaries for Docker.
THIS PACKAGE SHOULD NOT BE INSTALLED BY END-USERS, IT IS ONLY INTENDED FOR
INTERNAL DEVELOPMENT OF THE DOCKER PACKAGE FOR (OPEN)SUSE.
%endif
%package bash-completion %package bash-completion
Summary: Bash Completion for %{name} Summary: Bash Completion for %{name}
Group: System/Shells Group: System/Shells
Requires: %{name} = %{version} Requires: %{name} = %{docker_version}
Requires: bash-completion Requires: bash-completion
Supplements: packageand(%{name}:bash-completion) Supplements: packageand(%{name}:bash-completion)
BuildArch: noarch BuildArch: noarch
# docker-stable cannot be used alongside docker.
%if "%{name}" == "docker-stable"
Provides: docker-bash-completion = %{docker_version}
Obsoletes: docker-bash-completion < %{docker_version}
Conflicts: docker-bash-completion
%else
Conflicts: docker-stable-bash-completion
%endif
%description bash-completion %description bash-completion
Bash command line completion support for %{name}. Bash command line completion support for %{name}.
@ -185,10 +297,18 @@ Bash command line completion support for %{name}.
%package zsh-completion %package zsh-completion
Summary: Zsh Completion for %{name} Summary: Zsh Completion for %{name}
Group: System/Shells Group: System/Shells
Requires: %{name} = %{version} Requires: %{name} = %{docker_version}
Requires: zsh Requires: zsh
Supplements: packageand(%{name}:zsh) Supplements: packageand(%{name}:zsh)
BuildArch: noarch BuildArch: noarch
# docker-stable cannot be used alongside docker.
%if "%{name}" == "docker-stable"
Provides: docker-zsh-completion = %{docker_version}
Obsoletes: docker-zsh-completion < %{docker_version}
Conflicts: docker-zsh-completion
%else
Conflicts: docker-stable-zsh-completion
%endif
%description zsh-completion %description zsh-completion
Zsh command line completion support for %{name}. Zsh command line completion support for %{name}.
@ -196,30 +316,45 @@ Zsh command line completion support for %{name}.
%package fish-completion %package fish-completion
Summary: Fish completion for %{name} Summary: Fish completion for %{name}
Group: System/Shells Group: System/Shells
Requires: %{name} = %{version} Requires: %{name} = %{docker_version}
Requires: fish Requires: fish
Supplements: packageand(%{name}:fish) Supplements: packageand(%{name}:fish)
BuildArch: noarch BuildArch: noarch
# docker-stable cannot be used alongside docker.
%if "%{name}" == "docker-stable"
Provides: docker-fish-completion = %{docker_version}
Obsoletes: docker-fish-completion < %{docker_version}
Conflicts: docker-fish-completion
%else
Conflicts: docker-stable-fish-completion
%endif
%description fish-completion %description fish-completion
Fish command line completion support for %{name}. Fish command line completion support for %{name}.
%prep %prep
# docker-cli # docker-cli
%define cli_builddir %{_builddir}/%{name}-cli-%{version} %define cli_builddir %{_builddir}/docker-cli-%{docker_version}
%setup -q -T -b 1 -n %{name}-cli-%{version} %setup -q -T -b 1 -n docker-cli-%{docker_version}
[ "%{cli_builddir}" = "$PWD" ] [ "%{cli_builddir}" = "$PWD" ]
# offline manpages # offline manpages
%patch -P900 -p1 %patch -P900 -p1
%if %{with buildx}
# docker-buildx
%define buildx_builddir %{_builddir}/docker-buildx-%{buildx_version}
%setup -q -T -b 500 -n docker-buildx-%{buildx_version}
[ "%{buildx_builddir}" = "$PWD" ]
%endif
# docker # docker
%define docker_builddir %{_builddir}/%{name}-%{version}_%{git_version} %define docker_builddir %{_builddir}/docker-%{docker_version}_%{docker_git_version}
%setup -q -n %{name}-%{version}_%{git_version} %setup -q -n docker-%{docker_version}_%{docker_git_version}
[ "%{docker_builddir}" = "$PWD" ] [ "%{docker_builddir}" = "$PWD" ]
# README_SUSE.md for documentation. # README_SUSE.md for documentation.
cp %{SOURCE130} . cp %{SOURCE130} .
%if 0%{?is_opensuse} == 0 %if %{with suseconnect}
# PATCH-SUSE: Secrets patches. # PATCH-SUSE: Secrets patches.
%patch -P100 -p1 %patch -P100 -p1
%patch -P101 -p1 %patch -P101 -p1
@ -238,7 +373,7 @@ cp %{SOURCE130} .
%patch -P204 -p1 %patch -P204 -p1
%build %build
%sysusers_generate_pre %{SOURCE160} %{name} %{name}.conf %sysusers_generate_pre %{SOURCE160} %{name} docker.conf
BUILDTAGS="exclude_graphdriver_aufs apparmor selinux seccomp pkcs11" BUILDTAGS="exclude_graphdriver_aufs apparmor selinux seccomp pkcs11"
%if 0%{?sle_version} == 120000 %if 0%{?sle_version} == 120000
@ -255,9 +390,9 @@ export BUILDFLAGS="-buildmode=pie"
# Specify all of the versioning information. We use SOURCE_DATE_EPOCH if it's # Specify all of the versioning information. We use SOURCE_DATE_EPOCH if it's
# been injected by rpmbuild, otherwise we use the hardcoded git_commit_epoch # been injected by rpmbuild, otherwise we use the hardcoded git_commit_epoch
# generated above. boo#1064781 # generated above. boo#1064781
export VERSION="%{nice_version}" export VERSION="%{docker_nice_version}"
export DOCKER_GITCOMMIT="%{git_version}" export DOCKER_GITCOMMIT="%{docker_git_version}"
export GITCOMMIT="%{git_version}" export GITCOMMIT="%{docker_git_version}"
export SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-%{git_commit_epoch}}" export SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-%{git_commit_epoch}}"
export BUILDTIME="$(date -u -d "@$SOURCE_DATE_EPOCH" --rfc-3339 ns 2>/dev/null | sed -e 's/ /T/')" export BUILDTIME="$(date -u -d "@$SOURCE_DATE_EPOCH" --rfc-3339 ns 2>/dev/null | sed -e 's/ /T/')"
@ -270,6 +405,21 @@ pushd "%{docker_builddir}"
ln -s {vendor,go}.mod ln -s {vendor,go}.mod
ln -s {vendor,go}.sum ln -s {vendor,go}.sum
./hack/make.sh dynbinary ./hack/make.sh dynbinary
%if %{with integration_tests}
# build test binaries for integration tests
readarray -t integration_dirs \
<<<"$(go list -test -f '{{- if ne .ForTest "" -}}{{- .Dir -}}{{- end -}}' ./integration/... ./integration-cli/...)"
for dir in "${integration_dirs[@]}"
do
pushd "$dir"
go test -c -buildmode=pie -tags "$BUILDTAGS" -o test.main .
popd
done
# Update __DOCKER_BUILDIR in the integration testing script.
sed -i 's|^__DOCKER_BUILDIR=.*|__DOCKER_BUILDIR=%{docker_builddir}|g' "%{SOURCE900}"
%endif
popd popd
################### ###################
@ -283,6 +433,21 @@ ln -s {vendor,go}.sum
make DISABLE_WARN_OUTSIDE_CONTAINER=1 dynbinary manpages make DISABLE_WARN_OUTSIDE_CONTAINER=1 dynbinary manpages
popd popd
%if %{with buildx}
###################
## DOCKER BUILDX ##
###################
pushd "%{buildx_builddir}"
make \
CGO_ENABLED=1 \
VERSION="%{buildx_version}" \
REVISION="v%{buildx_version}" \
GO_EXTRA_FLAGS="-buildmode=pie" \
build
popd
%endif
%install %install
install -Dd -m0755 \ install -Dd -m0755 \
%{buildroot}%{_sysconfdir}/init.d \ %{buildroot}%{_sysconfdir}/init.d \
@ -296,29 +461,37 @@ install -D -m0755 %{docker_builddir}/bundles/dynbinary-daemon/docker-proxy %{bui
# cli-plugins/ # cli-plugins/
install -d %{buildroot}/usr/lib/docker/cli-plugins install -d %{buildroot}/usr/lib/docker/cli-plugins
%if %{with buildx}
# buildx plugin
install -D -m0755 %{buildx_builddir}/bin/build/docker-buildx %{buildroot}/usr/lib/docker/cli-plugins/docker-buildx
%endif
# /var/lib/docker # /var/lib/docker
install -d %{buildroot}/%{_localstatedir}/lib/docker install -d %{buildroot}/%{_localstatedir}/lib/docker
# daemon.json config file # daemon.json config file
install -D -m0644 %{SOURCE150} %{buildroot}%{_sysconfdir}/docker/daemon.json install -D -m0644 %{SOURCE150} %{buildroot}%{_sysconfdir}/docker/daemon.json
%if %{with suseconnect}
# SUSE-specific config file
echo 1 > %{buildroot}%{_sysconfdir}/docker/suse-secrets-enable
%endif
# docker cli # docker cli
install -D -m0755 %{cli_builddir}/build/docker %{buildroot}/%{_bindir}/docker install -D -m0755 %{cli_builddir}/build/docker %{buildroot}/%{_bindir}/docker
install -D -m0644 %{cli_builddir}/contrib/completion/bash/docker "%{buildroot}%{_datarootdir}/bash-completion/completions/%{name}" install -D -m0644 %{cli_builddir}/contrib/completion/bash/docker "%{buildroot}%{_datarootdir}/bash-completion/completions/docker"
install -D -m0644 %{cli_builddir}/contrib/completion/zsh/_docker "%{buildroot}%{_sysconfdir}/zsh_completion.d/_%{name}" install -D -m0644 %{cli_builddir}/contrib/completion/zsh/_docker "%{buildroot}%{_sysconfdir}/zsh_completion.d/_docker"
install -D -m0644 %{cli_builddir}/contrib/completion/fish/docker.fish "%{buildroot}/%{_datadir}/fish/vendor_completions.d/%{name}.fish" install -D -m0644 %{cli_builddir}/contrib/completion/fish/docker.fish "%{buildroot}/%{_datadir}/fish/vendor_completions.d/docker.fish"
# systemd service # systemd service
install -D -m0644 %{SOURCE100} %{buildroot}%{_unitdir}/%{name}.service install -D -m0644 %{SOURCE100} %{buildroot}%{_unitdir}/docker.service
install -D -m0644 %{SOURCE101} %{buildroot}%{_unitdir}/%{name}.socket install -D -m0644 %{SOURCE101} %{buildroot}%{_unitdir}/docker.socket
ln -sf service %{buildroot}%{_sbindir}/rcdocker ln -sf service %{buildroot}%{_sbindir}/rcdocker
# udev rules that prevents dolphin to show all docker devices and slows down # udev rules that prevents dolphin to show all docker devices and slows down
# upstream report https://bugs.kde.org/show_bug.cgi?id=329930 # upstream report https://bugs.kde.org/show_bug.cgi?id=329930
install -D -m0644 %{SOURCE110} %{buildroot}%{_udevrulesdir}/80-%{name}.rules install -D -m0644 %{SOURCE110} %{buildroot}%{_udevrulesdir}/80-docker.rules
# audit rules # audit rules
install -D -m0640 %{SOURCE140} %{buildroot}%{_sysconfdir}/audit/rules.d/%{name}.rules install -D -m0640 %{SOURCE140} %{buildroot}%{_sysconfdir}/audit/rules.d/docker.rules
# sysconfig file # sysconfig file
install -D -m0644 %{SOURCE120} %{buildroot}%{_fillupdir}/sysconfig.docker install -D -m0644 %{SOURCE120} %{buildroot}%{_fillupdir}/sysconfig.docker
@ -332,12 +505,22 @@ install -d %{buildroot}%{_mandir}/man8
install -p -m0644 %{cli_builddir}/man/man8/*.8 %{buildroot}%{_mandir}/man8 install -p -m0644 %{cli_builddir}/man/man8/*.8 %{buildroot}%{_mandir}/man8
# sysusers.d # sysusers.d
install -D -m0644 %{SOURCE160} %{buildroot}%{_sysusersdir}/%{name}.conf install -D -m0644 %{SOURCE160} %{buildroot}%{_sysusersdir}/docker.conf
# rootless extras # rootless extras
install -D -p -m 0755 contrib/dockerd-rootless.sh %{buildroot}/%{_bindir}/dockerd-rootless.sh install -D -p -m 0755 contrib/dockerd-rootless.sh %{buildroot}/%{_bindir}/dockerd-rootless.sh
install -D -p -m 0755 contrib/dockerd-rootless-setuptool.sh %{buildroot}/%{_bindir}/dockerd-rootless-setuptool.sh install -D -p -m 0755 contrib/dockerd-rootless-setuptool.sh %{buildroot}/%{_bindir}/dockerd-rootless-setuptool.sh
%if %{with integration_tests}
# integration tests
install -d %{buildroot}%{testdir}
cp -ar %{docker_builddir} %{buildroot}%{testdir}/src
install -d %{buildroot}%{testdir}/bin
install -D -p -m 0755 %{SOURCE900} %{buildroot}%{testdir}/docker-integration.sh
# remove all of the non-test binaries in bundles/
rm -rfv %{buildroot}%{testdir}/src/bundles/
%endif
%fdupes %{buildroot} %fdupes %{buildroot}
%pre -f %{name}.pre %pre -f %{name}.pre
@ -356,17 +539,17 @@ grep -q '^dockremap:' /etc/subgid || \
usermod -w 100000000-200000000 dockremap &>/dev/null || \ usermod -w 100000000-200000000 dockremap &>/dev/null || \
echo "dockremap:100000000:100000001" >>/etc/subgid ||: echo "dockremap:100000000:100000001" >>/etc/subgid ||:
%service_add_pre %{name}.service %{name}.socket %service_add_pre docker.service docker.socket
%post %post
%service_add_post %{name}.service %{name}.socket %service_add_post docker.service docker.socket
%{fillup_only -n docker} %{fillup_only -n docker}
%preun %preun
%service_del_preun %{name}.service %{name}.socket %service_del_preun docker.service docker.socket
%postun %postun
%service_del_postun %{name}.service %{name}.socket %service_del_postun docker.service docker.socket
%files %files
%defattr(-,root,root) %defattr(-,root,root)
@ -381,37 +564,53 @@ grep -q '^dockremap:' /etc/subgid || \
%dir /usr/lib/docker %dir /usr/lib/docker
%dir /usr/lib/docker/cli-plugins %dir /usr/lib/docker/cli-plugins
%{_unitdir}/%{name}.service %{_unitdir}/docker.service
%{_unitdir}/%{name}.socket %{_unitdir}/docker.socket
%{_sysusersdir}/%{name}.conf %{_sysusersdir}/docker.conf
%dir %{_sysconfdir}/docker %dir %{_sysconfdir}/docker
%config(noreplace) %{_sysconfdir}/docker/daemon.json %config(noreplace) %{_sysconfdir}/docker/daemon.json
%if %{with suseconnect}
%config(noreplace) %{_sysconfdir}/docker/suse-secrets-enable
%endif
%{_fillupdir}/sysconfig.docker %{_fillupdir}/sysconfig.docker
%config %{_sysconfdir}/audit/rules.d/%{name}.rules %dir %attr(750,root,root) %{_sysconfdir}/audit/rules.d
%{_udevrulesdir}/80-%{name}.rules %config %{_sysconfdir}/audit/rules.d/docker.rules
%{_udevrulesdir}/80-docker.rules
%{_mandir}/man1/docker-*.1%{ext_man} %{_mandir}/man1/docker-*.1%{ext_man}
%{_mandir}/man1/docker.1%{ext_man} %{_mandir}/man1/docker.1%{ext_man}
%{_mandir}/man5/Dockerfile.5%{ext_man} %{_mandir}/man5/Dockerfile.5%{ext_man}
%{_mandir}/man8/dockerd.8%{ext_man} %{_mandir}/man8/dockerd.8%{ext_man}
%files bash-completion %if %{with buildx}
%files buildx
%defattr(-,root,root) %defattr(-,root,root)
%{_datarootdir}/bash-completion/completions/%{name} /usr/lib/docker/cli-plugins/docker-buildx
%endif
%files zsh-completion
%defattr(-,root,root)
%{_sysconfdir}/zsh_completion.d/_%{name}
%files fish-completion
%defattr(-,root,root)
%{_datadir}/fish/vendor_completions.d/%{name}.fish
%files rootless-extras %files rootless-extras
%defattr(-,root,root) %defattr(-,root,root)
%{_bindir}/dockerd-rootless.sh %{_bindir}/dockerd-rootless.sh
%{_bindir}/dockerd-rootless-setuptool.sh %{_bindir}/dockerd-rootless-setuptool.sh
%if %{with integration_tests}
%files integration-tests-devel
%defattr(-,root,root)
%{testdir}
%endif
%files bash-completion
%defattr(-,root,root)
%{_datarootdir}/bash-completion/completions/docker
%files zsh-completion
%defattr(-,root,root)
%{_sysconfdir}/zsh_completion.d/_docker
%files fish-completion
%defattr(-,root,root)
%{_datadir}/fish/vendor_completions.d/docker.fish
%changelog %changelog