Sync from SUSE:SLFO:Main docker revision e260d6f52ee14184644ab5aee8ba8343

.gitattributes

@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text

0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch

@@ -0,0 +1,73 @@
+From 678e0f470c01dcf849d42d4f3f38e97b8d7ba841 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <asarai@suse.de>
+Date: Wed, 8 Mar 2017 12:41:54 +1100
+Subject: [PATCH 1/6] SECRETS: daemon: allow directory creation in /run/secrets
+
+Since FileMode can have the directory bit set, allow a SecretStore
+implementation to return secrets that are actually directories. This is
+useful for creating directories and subdirectories of secrets.
+
+Signed-off-by: Antonio Murdaca <runcom@redhat.com>
+Signed-off-by: Aleksa Sarai <asarai@suse.de>
+---
+ daemon/container_operations_unix.go | 23 ++++++++++++++++++++---
+ 1 file changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go
+index 290ec59a34..b7013fb89c 100644
+--- a/daemon/container_operations_unix.go
++++ b/daemon/container_operations_unix.go
+@@ -4,6 +4,7 @@
+ package daemon // import "github.com/docker/docker/daemon"
+ 
+ import (
++	"bytes"
+ 	"fmt"
+ 	"os"
+ 	"path/filepath"
+@@ -14,6 +15,7 @@ import (
+ 	"github.com/docker/docker/daemon/links"
+ 	"github.com/docker/docker/errdefs"
+ 	"github.com/docker/docker/libnetwork"
++	"github.com/docker/docker/pkg/archive"
+ 	"github.com/docker/docker/pkg/idtools"
+ 	"github.com/docker/docker/pkg/process"
+ 	"github.com/docker/docker/pkg/stringid"
+@@ -206,9 +208,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
+ 		if err != nil {
+ 			return errors.Wrap(err, "unable to get secret from secret store")
+ 		}
+-		if err := os.WriteFile(fPath, secret.Spec.Data, s.File.Mode); err != nil {
+-			return errors.Wrap(err, "error injecting secret")
+-		}
+ 
+ 		uid, err := strconv.Atoi(s.File.UID)
+ 		if err != nil {
+@@ -219,6 +218,24 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
+ 			return err
+ 		}
+ 
++		if s.File.Mode.IsDir() {
++			if err := os.Mkdir(fPath, s.File.Mode); err != nil {
++				return errors.Wrap(err, "error creating secretdir")
++			}
++			if secret.Spec.Data != nil {
++				// If the "file" is a directory, then s.File.Data is actually a tar
++				// archive of the directory. So we just do a tar extraction here.
++				if err := archive.UntarUncompressed(bytes.NewBuffer(secret.Spec.Data), fPath, &archive.TarOptions{
++					IDMap: daemon.idMapping,
++				}); err != nil {
++					return errors.Wrap(err, "error injecting secretdir")
++				}
++			}
++		} else {
++			if err := os.WriteFile(fPath, secret.Spec.Data, s.File.Mode); err != nil {
++				return errors.Wrap(err, "error injecting secret")
++			}
++		}
+ 		if err := os.Chown(fPath, rootIDs.UID+uid, rootIDs.GID+gid); err != nil {
+ 			return errors.Wrap(err, "error setting ownership for secret")
+ 		}
+-- 
+2.43.0
+

0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch

@@ -0,0 +1,460 @@
+From 4f2462c67f8aa24d08648c2494a83a10e1578079 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <asarai@suse.de>
+Date: Wed, 8 Mar 2017 11:43:29 +1100
+Subject: [PATCH 2/6] SECRETS: SUSE: implement SUSE container secrets
+
+This allows for us to pass in host credentials to a container, allowing
+for SUSEConnect to work with containers.
+
+THIS PATCH IS NOT TO BE UPSTREAMED, DUE TO THE FACT THAT IT IS
+SUSE-SPECIFIC, AND UPSTREAM DOES NOT APPROVE OF THIS CONCEPT BECAUSE IT
+MAKES BUILDS NOT ENTIRELY REPRODUCIBLE.
+
+SUSE-Bugs: bsc#1065609 bsc#1057743 bsc#1055676 bsc#1030702
+Signed-off-by: Aleksa Sarai <asarai@suse.de>
+---
+ daemon/start.go        |   5 +
+ daemon/suse_secrets.go | 415 +++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 420 insertions(+)
+ create mode 100644 daemon/suse_secrets.go
+
+diff --git a/daemon/start.go b/daemon/start.go
+index 2e0b9e6be8..dca0448688 100644
+--- a/daemon/start.go
++++ b/daemon/start.go
+@@ -151,6 +151,11 @@ func (daemon *Daemon) containerStart(ctx context.Context, container *container.C
+ 		return err
+ 	}
+ 
++	// SUSE:secrets -- inject the SUSE secret store
++	if err := daemon.injectSuseSecretStore(container); err != nil {
++		return errdefs.System(err)
++	}
++
+ 	spec, err := daemon.createSpec(ctx, container)
+ 	if err != nil {
+ 		return errdefs.System(err)
+diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go
+new file mode 100644
+index 0000000000..32b0ece91b
+--- /dev/null
++++ b/daemon/suse_secrets.go
+@@ -0,0 +1,415 @@
++/*
++ * suse-secrets: patch for Docker to implement SUSE secrets
++ * Copyright (C) 2017-2021 SUSE LLC.
++ *
++ * Licensed under the Apache License, Version 2.0 (the "License");
++ * you may not use this file except in compliance with the License.
++ * You may obtain a copy of the License at
++ *
++ *    http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++
++package daemon
++
++import (
++	"archive/tar"
++	"bytes"
++	"fmt"
++	"io"
++	"io/ioutil"
++	"os"
++	"path/filepath"
++	"strings"
++	"syscall"
++
++	"github.com/docker/docker/container"
++	"github.com/docker/docker/pkg/archive"
++	"github.com/docker/docker/pkg/idtools"
++
++	swarmtypes "github.com/docker/docker/api/types/swarm"
++	swarmexec "github.com/moby/swarmkit/v2/agent/exec"
++	swarmapi "github.com/moby/swarmkit/v2/api"
++
++	"github.com/opencontainers/go-digest"
++	"github.com/sirupsen/logrus"
++)
++
++func init() {
++	// Output to tell us in logs that SUSE:secrets is enabled.
++	logrus.Infof("SUSE:secrets :: enabled")
++}
++
++// Creating a fake file.
++type SuseFakeFile struct {
++	Path string
++	Uid  int
++	Gid  int
++	Mode os.FileMode
++	Data []byte
++}
++
++func (s SuseFakeFile) id() string {
++	// NOTE: It is _very_ important that this string always has a prefix of
++	//       "suse". This is how we can ensure that we can operate on
++	//       SecretReferences with a confidence that it was made by us.
++	return fmt.Sprintf("suse_%s_%s", digest.FromBytes(s.Data).Hex(), s.Path)
++}
++
++func (s SuseFakeFile) toSecret() *swarmapi.Secret {
++	return &swarmapi.Secret{
++		ID:       s.id(),
++		Internal: true,
++		Spec: swarmapi.SecretSpec{
++			Data: s.Data,
++		},
++	}
++}
++
++func (s SuseFakeFile) toSecretReference(idMaps idtools.IdentityMapping) *swarmtypes.SecretReference {
++	// Figure out the host-facing {uid,gid} based on the provided maps. Fall
++	// back to root if the UID/GID don't match (we are guaranteed that root is
++	// mapped).
++	ctrUser := idtools.Identity{UID: s.Uid, GID: s.Gid}
++	hostUser := idMaps.RootPair()
++	if user, err := idMaps.ToHost(ctrUser); err == nil {
++		hostUser = user
++	}
++
++	// Return the secret reference as a file target.
++	return &swarmtypes.SecretReference{
++		SecretID:   s.id(),
++		SecretName: s.id(),
++		File: &swarmtypes.SecretReferenceFileTarget{
++			Name: s.Path,
++			UID:  fmt.Sprintf("%d", hostUser.UID),
++			GID:  fmt.Sprintf("%d", hostUser.GID),
++			Mode: s.Mode,
++		},
++	}
++}
++
++// readDir will recurse into a directory prefix/dir, and return the set of
++// secrets in that directory (as a tar archive that is packed inside the "data"
++// field). The Path attribute of each has the prefix stripped. Symlinks are
++// dereferenced.
++func readDir(prefix, dir string) ([]*SuseFakeFile, error) {
++	var suseFiles []*SuseFakeFile
++
++	path := filepath.Join(prefix, dir)
++	fi, err := os.Stat(path)
++	if err != nil {
++		// Ignore missing files.
++		if os.IsNotExist(err) {
++			// If the path itself exists it was a dangling symlink so give a
++			// warning about the symlink dangling.
++			_, err2 := os.Lstat(path)
++			if !os.IsNotExist(err2) {
++				logrus.Warnf("SUSE:secrets :: ignoring dangling symlink: %s", path)
++			}
++			return nil, nil
++		}
++		return nil, err
++	} else if !fi.IsDir() {
++		// Just to be safe.
++		logrus.Infof("SUSE:secrets :: expected %q to be a directory, but was a file", path)
++		return readFile(prefix, dir)
++	}
++	path, err = filepath.EvalSymlinks(path)
++	if err != nil {
++		return nil, err
++	}
++
++	// Construct a tar archive of the source directory. We tar up the prefix
++	// directory and add dir as an IncludeFiles specifically so that we
++	// preserve the name of the directory itself.
++	tarStream, err := archive.TarWithOptions(path, &archive.TarOptions{
++		Compression:      archive.Uncompressed,
++		IncludeSourceDir: true,
++	})
++	if err != nil {
++		return nil, fmt.Errorf("SUSE:secrets :: failed to tar source directory %q: %v", path, err)
++	}
++	tarStreamBytes, err := ioutil.ReadAll(tarStream)
++	if err != nil {
++		return nil, fmt.Errorf("SUSE:secrets :: failed to read full tar archive: %v", err)
++	}
++
++	// Get a list of the symlinks in the tar archive.
++	var symlinks []string
++	tmpTr := tar.NewReader(bytes.NewBuffer(tarStreamBytes))
++	for {
++		hdr, err := tmpTr.Next()
++		if err == io.EOF {
++			break
++		}
++		if err != nil {
++			return nil, fmt.Errorf("SUSE:secrets :: failed to read through tar reader: %v", err)
++		}
++		if hdr.Typeflag == tar.TypeSymlink {
++			symlinks = append(symlinks, hdr.Name)
++		}
++	}
++
++	// Symlinks aren't dereferenced in the above archive, so we explicitly do a
++	// rewrite of the tar archive to include all symlinks to files. We cannot
++	// do directories here, but lower-level directory symlinks aren't supported
++	// by zypper so this isn't an issue.
++	symlinkModifyMap := map[string]archive.TarModifierFunc{}
++	for _, sym := range symlinks {
++		logrus.Debugf("SUSE:secrets: archive(%q) %q is a need-to-rewrite symlink", path, sym)
++		symlinkModifyMap[sym] = func(tarPath string, hdr *tar.Header, r io.Reader) (*tar.Header, []byte, error) {
++			logrus.Debugf("SUSE:secrets: archive(%q) mapping for symlink %q", path, tarPath)
++			tarFullPath := filepath.Join(path, tarPath)
++
++			// Get a copy of the original byte stream.
++			oldContent, err := ioutil.ReadAll(r)
++			if err != nil {
++				return nil, nil, fmt.Errorf("suse_rewrite: failed to read archive entry %q: %v", tarPath, err)
++			}
++
++			// Check that the file actually exists.
++			fi, err := os.Stat(tarFullPath)
++			if err != nil {
++				logrus.Warnf("suse_rewrite: failed to stat archive entry %q: %v", tarFullPath, err)
++				return hdr, oldContent, nil
++			}
++
++			// Read the actual contents.
++			content, err := ioutil.ReadFile(tarFullPath)
++			if err != nil {
++				logrus.Warnf("suse_rewrite: failed to read %q: %v", tarFullPath, err)
++				return hdr, oldContent, nil
++			}
++
++			newHdr, err := tar.FileInfoHeader(fi, "")
++			if err != nil {
++				// Fake the header.
++				newHdr = &tar.Header{
++					Typeflag: tar.TypeReg,
++					Mode:     0644,
++				}
++			}
++
++			// Update the key fields.
++			hdr.Typeflag = newHdr.Typeflag
++			hdr.Mode = newHdr.Mode
++			hdr.Linkname = ""
++			return hdr, content, nil
++		}
++	}
++
++	// Create the rewritten tar stream.
++	tarStream = archive.ReplaceFileTarWrapper(ioutil.NopCloser(bytes.NewBuffer(tarStreamBytes)), symlinkModifyMap)
++	tarStreamBytes, err = ioutil.ReadAll(tarStream)
++	if err != nil {
++		return nil, fmt.Errorf("SUSE:secrets :: failed to read rewritten archive: %v", err)
++	}
++
++	// Add the tar stream as a "file".
++	suseFiles = append(suseFiles, &SuseFakeFile{
++		Path: dir,
++		Mode: fi.Mode(),
++		Data: tarStreamBytes,
++	})
++	return suseFiles, nil
++}
++
++// readFile returns a secret given a file under a given prefix.
++func readFile(prefix, file string) ([]*SuseFakeFile, error) {
++	path := filepath.Join(prefix, file)
++	fi, err := os.Stat(path)
++	if err != nil {
++		// Ignore missing files.
++		if os.IsNotExist(err) {
++			// If the path itself exists it was a dangling symlink so give a
++			// warning about the symlink dangling.
++			_, err2 := os.Lstat(path)
++			if !os.IsNotExist(err2) {
++				logrus.Warnf("SUSE:secrets :: ignoring dangling symlink: %s", path)
++			}
++			return nil, nil
++		}
++		return nil, err
++	} else if fi.IsDir() {
++		// Just to be safe.
++		logrus.Infof("SUSE:secrets :: expected %q to be a file, but was a directory", path)
++		return readDir(prefix, file)
++	}
++
++	var uid, gid int
++	if stat, ok := fi.Sys().(*syscall.Stat_t); ok {
++		uid, gid = int(stat.Uid), int(stat.Gid)
++	} else {
++		logrus.Warnf("SUSE:secrets :: failed to cast file stat_t: defaulting to owned by root:root: %s", path)
++		uid, gid = 0, 0
++	}
++
++	bytes, err := ioutil.ReadFile(path)
++	if err != nil {
++		return nil, err
++	}
++
++	var suseFiles []*SuseFakeFile
++	suseFiles = append(suseFiles, &SuseFakeFile{
++		Path: file,
++		Uid:  uid,
++		Gid:  gid,
++		Mode: fi.Mode(),
++		Data: bytes,
++	})
++	return suseFiles, nil
++}
++
++// getHostSuseSecretData returns the list of SuseFakeFiles the need to be added
++// as SUSE secrets.
++func getHostSuseSecretData() ([]*SuseFakeFile, error) {
++	secrets := []*SuseFakeFile{}
++
++	credentials, err := readDir("/etc/zypp", "credentials.d")
++	if err != nil {
++		if os.IsNotExist(err) {
++			credentials = []*SuseFakeFile{}
++		} else {
++			logrus.Errorf("SUSE:secrets :: error while reading zypp credentials: %s", err)
++			return nil, err
++		}
++	}
++	secrets = append(secrets, credentials...)
++
++	suseConnect, err := readFile("/etc", "SUSEConnect")
++	if err != nil {
++		if os.IsNotExist(err) {
++			suseConnect = []*SuseFakeFile{}
++		} else {
++			logrus.Errorf("SUSE:secrets :: error while reading /etc/SUSEConnect: %s", err)
++			return nil, err
++		}
++	}
++	secrets = append(secrets, suseConnect...)
++
++	return secrets, nil
++}
++
++// To fake an empty store, in the case where we are operating on a container
++// that was created pre-swarmkit. Otherwise segfaults and other fun things
++// happen. See bsc#1057743.
++type (
++	suseEmptyStore  struct{}
++	suseEmptySecret struct{}
++	suseEmptyConfig struct{}
++	suseEmptyVolume struct{}
++)
++
++// In order to reduce the amount of code touched outside of this file, we
++// implement the swarm API for DependencyGetter. This asserts that this
++// requirement will always be matched. In addition, for the case of the *empty*
++// getters this reduces memory usage by having a global instance.
++var (
++	_           swarmexec.DependencyGetter = &suseDependencyStore{}
++	emptyStore  swarmexec.DependencyGetter = suseEmptyStore{}
++	emptySecret swarmexec.SecretGetter     = suseEmptySecret{}
++	emptyConfig swarmexec.ConfigGetter     = suseEmptyConfig{}
++	emptyVolume swarmexec.VolumeGetter     = suseEmptyVolume{}
++)
++
++var errSuseEmptyStore = fmt.Errorf("SUSE:secrets :: tried to get a resource from empty store [this is a bug]")
++
++func (_ suseEmptyConfig) Get(_ string) (*swarmapi.Config, error) { return nil, errSuseEmptyStore }
++func (_ suseEmptySecret) Get(_ string) (*swarmapi.Secret, error) { return nil, errSuseEmptyStore }
++func (_ suseEmptyVolume) Get(_ string) (string, error)           { return "", errSuseEmptyStore }
++func (_ suseEmptyStore) Secrets() swarmexec.SecretGetter         { return emptySecret }
++func (_ suseEmptyStore) Configs() swarmexec.ConfigGetter         { return emptyConfig }
++func (_ suseEmptyStore) Volumes() swarmexec.VolumeGetter         { return emptyVolume }
++
++type suseDependencyStore struct {
++	dfl     swarmexec.DependencyGetter
++	secrets map[string]*swarmapi.Secret
++}
++
++// The following are effectively dumb wrappers that return ourselves, or the
++// default.
++func (s *suseDependencyStore) Secrets() swarmexec.SecretGetter { return s }
++func (s *suseDependencyStore) Volumes() swarmexec.VolumeGetter { return emptyVolume }
++func (s *suseDependencyStore) Configs() swarmexec.ConfigGetter { return s.dfl.Configs() }
++
++// Get overrides the underlying DependencyGetter with our own secrets (falling
++// through to the underlying DependencyGetter if the secret isn't present).
++func (s *suseDependencyStore) Get(id string) (*swarmapi.Secret, error) {
++	logrus.Debugf("SUSE:secrets :: id=%s requested from suseDependencyGetter", id)
++
++	secret, ok := s.secrets[id]
++	if !ok {
++		// fallthrough
++		return s.dfl.Secrets().Get(id)
++	}
++	return secret, nil
++}
++
++// removeSuseSecrets removes any SecretReferences which were added by us
++// explicitly (this is detected by checking that the prefix has a 'suse'
++// prefix). See bsc#1057743.
++func removeSuseSecrets(c *container.Container) {
++	var without []*swarmtypes.SecretReference
++	for _, secret := range c.SecretReferences {
++		if strings.HasPrefix(secret.SecretID, "suse") {
++			logrus.Warnf("SUSE:secrets :: removing 'old' suse secret %q from container %q", secret.SecretID, c.ID)
++			continue
++		}
++		without = append(without, secret)
++	}
++	c.SecretReferences = without
++}
++
++func (daemon *Daemon) injectSuseSecretStore(c *container.Container) error {
++	newDependencyStore := &suseDependencyStore{
++		dfl:     c.DependencyStore,
++		secrets: make(map[string]*swarmapi.Secret),
++	}
++	// Handle old containers. See bsc#1057743.
++	if newDependencyStore.dfl == nil {
++		newDependencyStore.dfl = emptyStore
++	}
++
++	// We drop any "old" SUSE secrets, as it appears that old containers (when
++	// restarted) could still have references to old secrets. The .id() of all
++	// secrets have a prefix of "suse" so this is much easier. See bsc#1057743
++	// for details on why this could cause issues.
++	removeSuseSecrets(c)
++
++	secrets, err := getHostSuseSecretData()
++	if err != nil {
++		return err
++	}
++
++	idMaps := daemon.idMapping
++	for _, secret := range secrets {
++		newDependencyStore.secrets[secret.id()] = secret.toSecret()
++		c.SecretReferences = append(c.SecretReferences, secret.toSecretReference(idMaps))
++	}
++
++	c.DependencyStore = newDependencyStore
++
++	// bsc#1057743 -- In older versions of Docker we added volumes explicitly
++	// to the mount list. This causes clashes because of duplicate namespaces.
++	// If we see an existing mount that will clash with the in-built secrets
++	// mount we assume it's our fault.
++	intendedMounts, err := c.SecretMounts()
++	if err != nil {
++		logrus.Warnf("SUSE:secrets :: fetching old secret mounts: %v", err)
++		return err
++	}
++	for _, intendedMount := range intendedMounts {
++		mountPath := intendedMount.Destination
++		if volume, ok := c.MountPoints[mountPath]; ok {
++			logrus.Debugf("SUSE:secrets :: removing pre-existing %q mount: %#v", mountPath, volume)
++			delete(c.MountPoints, mountPath)
++		}
++	}
++	return nil
++}
+-- 
+2.43.0
+

0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch

@@ -0,0 +1,46 @@
+From 4b6edb887a878a9637e9b3f434fa3f905543e1d1 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <asarai@suse.de>
+Date: Mon, 22 May 2023 15:44:54 +1000
+Subject: [PATCH 3/6] BUILD: SLE12: revert "graphdriver/btrfs: use kernel UAPI
+ headers"
+
+This reverts commit 3208dcabdc8997340b255f5b880fef4e3f54580d.
+
+On SLE 12, our UAPI headers are too old, resulting in us being unable to
+build the btrfs driver with the new headers. This patch is only needed
+for SLE-12.
+
+Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
+---
+ daemon/graphdriver/btrfs/btrfs.go | 13 ++++---------
+ 1 file changed, 4 insertions(+), 9 deletions(-)
+
+diff --git a/daemon/graphdriver/btrfs/btrfs.go b/daemon/graphdriver/btrfs/btrfs.go
+index d88efc4be2..4e976aa689 100644
+--- a/daemon/graphdriver/btrfs/btrfs.go
++++ b/daemon/graphdriver/btrfs/btrfs.go
+@@ -5,17 +5,12 @@ package btrfs // import "github.com/docker/docker/daemon/graphdriver/btrfs"
+ 
+ /*
+ #include <stdlib.h>
+-#include <stdio.h>
+ #include <dirent.h>
+ 
+-#include <linux/version.h>
+-#if LINUX_VERSION_CODE < KERNEL_VERSION(4,12,0)
+-    #error "Headers from kernel >= 4.12 are required to build with Btrfs support."
+-    #error "HINT: Set 'DOCKER_BUILDTAGS=exclude_graphdriver_btrfs' to build without Btrfs."
+-#endif
+-
+-#include <linux/btrfs.h>
+-#include <linux/btrfs_tree.h>
++// keep struct field name compatible with btrfs-progs < 6.1.
++#define max_referenced max_rfer
++#include <btrfs/ioctl.h>
++#include <btrfs/ctree.h>
+ 
+ static void set_name_btrfs_ioctl_vol_args_v2(struct btrfs_ioctl_vol_args_v2* btrfs_struct, const char* value) {
+     snprintf(btrfs_struct->name, BTRFS_SUBVOL_NAME_MAX, "%s", value);
+-- 
+2.43.0
+

0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch

@@ -0,0 +1,89 @@
+From a309d7e57c351a5f81a0cf9a342205ab790f60ba Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <asarai@suse.de>
+Date: Fri, 29 Jun 2018 17:59:30 +1000
+Subject: [PATCH 4/6] bsc1073877: apparmor: clobber docker-default profile on
+ start
+
+In the process of making docker-default reloading far less expensive,
+567ef8e7858c ("daemon: switch to 'ensure' workflow for AppArmor
+profiles") mistakenly made the initial profile load at dockerd start-up
+lazy. As a result, if you have a running Docker daemon and upgrade it to
+a new one with an updated AppArmor profile the new profile will not take
+effect (because the old one is still loaded). The fix for this is quite
+trivial, and just requires us to clobber the profile on start-up.
+
+Fixes: 567ef8e7858c ("daemon: switch to 'ensure' workflow for AppArmor profiles")
+SUSE-Bugs: bsc#1099277
+Signed-off-by: Aleksa Sarai <asarai@suse.de>
+---
+ daemon/apparmor_default.go             | 14 ++++++++++----
+ daemon/apparmor_default_unsupported.go |  4 ++++
+ daemon/daemon.go                       |  5 +++--
+ 3 files changed, 17 insertions(+), 6 deletions(-)
+
+diff --git a/daemon/apparmor_default.go b/daemon/apparmor_default.go
+index 6376001613..5fde21a4af 100644
+--- a/daemon/apparmor_default.go
++++ b/daemon/apparmor_default.go
+@@ -24,6 +24,15 @@ func DefaultApparmorProfile() string {
+ 	return ""
+ }
+ 
++func clobberDefaultAppArmorProfile() error {
++	if apparmor.HostSupports() {
++		if err := aaprofile.InstallDefault(defaultAppArmorProfile); err != nil {
++			return fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded: %s", defaultAppArmorProfile, err)
++		}
++	}
++	return nil
++}
++
+ func ensureDefaultAppArmorProfile() error {
+ 	if apparmor.HostSupports() {
+ 		loaded, err := aaprofile.IsLoaded(defaultAppArmorProfile)
+@@ -37,10 +46,7 @@ func ensureDefaultAppArmorProfile() error {
+ 		}
+ 
+ 		// Load the profile.
+-		if err := aaprofile.InstallDefault(defaultAppArmorProfile); err != nil {
+-			return fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded: %s", defaultAppArmorProfile, err)
+-		}
++		return clobberDefaultAppArmorProfile()
+ 	}
+-
+ 	return nil
+ }
+diff --git a/daemon/apparmor_default_unsupported.go b/daemon/apparmor_default_unsupported.go
+index e3dc18b32b..9c77230562 100644
+--- a/daemon/apparmor_default_unsupported.go
++++ b/daemon/apparmor_default_unsupported.go
+@@ -3,6 +3,10 @@
+ 
+ package daemon // import "github.com/docker/docker/daemon"
+ 
++func clobberDefaultAppArmorProfile() error {
++	return nil
++}
++
+ func ensureDefaultAppArmorProfile() error {
+ 	return nil
+ }
+diff --git a/daemon/daemon.go b/daemon/daemon.go
+index 4d76c57988..15c95b50c4 100644
+--- a/daemon/daemon.go
++++ b/daemon/daemon.go
+@@ -839,8 +839,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
+ 		logrus.Warnf("Failed to configure golang's threads limit: %v", err)
+ 	}
+ 
+-	// ensureDefaultAppArmorProfile does nothing if apparmor is disabled
+-	if err := ensureDefaultAppArmorProfile(); err != nil {
++	// Make sure we clobber any pre-existing docker-default profile to ensure
++	// that upgrades to the profile actually work smoothly.
++	if err := clobberDefaultAppArmorProfile(); err != nil {
+ 		logrus.Errorf(err.Error())
+ 	}
+ 
+-- 
+2.43.0
+

0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch

@@ -0,0 +1,241 @@
+From e4c2b3e6b168e815ec7248aea696afe807153cb6 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <asarai@suse.de>
+Date: Wed, 11 Oct 2023 21:19:12 +1100
+Subject: [PATCH 5/6] SLE12: revert "apparmor: remove version-conditionals from
+ template"
+
+This reverts the following commits:
+
+ * 7008a514493a ("profiles/apparmor: remove version-conditional constraints (< 2.8.96)")
+ * 2e19a4d56bf2 ("contrib/apparmor: remove version-conditionals (< 2.9) from template")
+ * d169a5730649 ("contrib/apparmor: remove remaining version-conditionals (< 2.9) from template")
+ * ecaab085db4b ("profiles/apparmor: remove use of aaparser.GetVersion()")
+ * e3e715666f95 ("pkg/aaparser: deprecate GetVersion, as it's no longer used")
+
+These version conditionals are still required on SLE 12, where our
+apparmor_parser version is quite old.
+
+Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
+---
+ contrib/apparmor/main.go      | 16 ++++++++++++++--
+ contrib/apparmor/template.go  | 16 ++++++++++++++++
+ pkg/aaparser/aaparser.go      |  2 --
+ profiles/apparmor/apparmor.go | 14 ++++++++++++--
+ profiles/apparmor/template.go |  4 ++++
+ 5 files changed, 46 insertions(+), 6 deletions(-)
+
+diff --git a/contrib/apparmor/main.go b/contrib/apparmor/main.go
+index d67890d265..f4a2978b86 100644
+--- a/contrib/apparmor/main.go
++++ b/contrib/apparmor/main.go
+@@ -6,9 +6,13 @@ import (
+ 	"os"
+ 	"path"
+ 	"text/template"
++
++	"github.com/docker/docker/pkg/aaparser"
+ )
+ 
+-type profileData struct{}
++type profileData struct {
++	Version int
++}
+ 
+ func main() {
+ 	if len(os.Args) < 2 {
+@@ -18,6 +22,15 @@ func main() {
+ 	// parse the arg
+ 	apparmorProfilePath := os.Args[1]
+ 
++	version, err := aaparser.GetVersion()
++	if err != nil {
++		log.Fatal(err)
++	}
++	data := profileData{
++		Version: version,
++	}
++	fmt.Printf("apparmor_parser is of version %+v\n", data)
++
+ 	// parse the template
+ 	compiled, err := template.New("apparmor_profile").Parse(dockerProfileTemplate)
+ 	if err != nil {
+@@ -35,7 +48,6 @@ func main() {
+ 	}
+ 	defer f.Close()
+ 
+-	data := profileData{}
+ 	if err := compiled.Execute(f, data); err != nil {
+ 		log.Fatalf("executing template failed: %v", err)
+ 	}
+diff --git a/contrib/apparmor/template.go b/contrib/apparmor/template.go
+index 58afcbe845..e6d0b6d37c 100644
+--- a/contrib/apparmor/template.go
++++ b/contrib/apparmor/template.go
+@@ -20,9 +20,11 @@ profile /usr/bin/docker (attach_disconnected, complain) {
+ 
+   umount,
+   pivot_root,
++{{if ge .Version 209000}}
+   signal (receive) peer=@{profile_name},
+   signal (receive) peer=unconfined,
+   signal (send),
++{{end}}
+   network,
+   capability,
+   owner /** rw,
+@@ -45,10 +47,12 @@ profile /usr/bin/docker (attach_disconnected, complain) {
+   /etc/ld.so.cache r,
+   /etc/passwd r,
+ 
++{{if ge .Version 209000}}
+   ptrace peer=@{profile_name},
+   ptrace (read) peer=docker-default,
+   deny ptrace (trace) peer=docker-default,
+   deny ptrace peer=/usr/bin/docker///bin/ps,
++{{end}}
+ 
+   /usr/lib/** rm,
+   /lib/** rm,
+@@ -69,9 +73,11 @@ profile /usr/bin/docker (attach_disconnected, complain) {
+   /sbin/zfs rCx,
+   /sbin/apparmor_parser rCx,
+ 
++{{if ge .Version 209000}}
+   # Transitions
+   change_profile -> docker-*,
+   change_profile -> unconfined,
++{{end}}
+ 
+   profile /bin/cat (complain) {
+     /etc/ld.so.cache r,
+@@ -93,8 +99,10 @@ profile /usr/bin/docker (attach_disconnected, complain) {
+     /dev/null rw,
+     /bin/ps mr,
+ 
++{{if ge .Version 209000}}
+     # We don't need ptrace so we'll deny and ignore the error.
+     deny ptrace (read, trace),
++{{end}}
+ 
+     # Quiet dac_override denials
+     deny capability dac_override,
+@@ -112,11 +120,15 @@ profile /usr/bin/docker (attach_disconnected, complain) {
+     /proc/tty/drivers r,
+   }
+   profile /sbin/iptables (complain) {
++{{if ge .Version 209000}}
+     signal (receive) peer=/usr/bin/docker,
++{{end}}
+     capability net_admin,
+   }
+   profile /sbin/auplink flags=(attach_disconnected, complain) {
++{{if ge .Version 209000}}
+     signal (receive) peer=/usr/bin/docker,
++{{end}}
+     capability sys_admin,
+     capability dac_override,
+ 
+@@ -135,7 +147,9 @@ profile /usr/bin/docker (attach_disconnected, complain) {
+     /proc/[0-9]*/mounts rw,
+   }
+   profile /sbin/modprobe /bin/kmod (complain) {
++{{if ge .Version 209000}}
+     signal (receive) peer=/usr/bin/docker,
++{{end}}
+     capability sys_module,
+     /etc/ld.so.cache r,
+     /lib/** rm,
+@@ -149,7 +163,9 @@ profile /usr/bin/docker (attach_disconnected, complain) {
+   }
+   # xz works via pipes, so we do not need access to the filesystem.
+   profile /usr/bin/xz (complain) {
++{{if ge .Version 209000}}
+     signal (receive) peer=/usr/bin/docker,
++{{end}}
+     /etc/ld.so.cache r,
+     /lib/** rm,
+     /usr/bin/xz rm,
+diff --git a/pkg/aaparser/aaparser.go b/pkg/aaparser/aaparser.go
+index 3d7c2c5a97..2b5a2605f9 100644
+--- a/pkg/aaparser/aaparser.go
++++ b/pkg/aaparser/aaparser.go
+@@ -13,8 +13,6 @@ const (
+ )
+ 
+ // GetVersion returns the major and minor version of apparmor_parser.
+-//
+-// Deprecated: no longer used, and will be removed in the next release.
+ func GetVersion() (int, error) {
+ 	output, err := cmd("", "--version")
+ 	if err != nil {
+diff --git a/profiles/apparmor/apparmor.go b/profiles/apparmor/apparmor.go
+index d0f2361605..b3566b2f73 100644
+--- a/profiles/apparmor/apparmor.go
++++ b/profiles/apparmor/apparmor.go
+@@ -14,8 +14,10 @@ import (
+ 	"github.com/docker/docker/pkg/aaparser"
+ )
+ 
+-// profileDirectory is the file store for apparmor profiles and macros.
+-const profileDirectory = "/etc/apparmor.d"
++var (
++	// profileDirectory is the file store for apparmor profiles and macros.
++	profileDirectory = "/etc/apparmor.d"
++)
+ 
+ // profileData holds information about the given profile for generation.
+ type profileData struct {
+@@ -27,6 +29,8 @@ type profileData struct {
+ 	Imports []string
+ 	// InnerImports defines the apparmor functions to import in the profile.
+ 	InnerImports []string
++	// Version is the {major, minor, patch} version of apparmor_parser as a single number.
++	Version int
+ }
+ 
+ // generateDefault creates an apparmor profile from ProfileData.
+@@ -46,6 +50,12 @@ func (p *profileData) generateDefault(out io.Writer) error {
+ 		p.InnerImports = append(p.InnerImports, "#include <abstractions/base>")
+ 	}
+ 
++	ver, err := aaparser.GetVersion()
++	if err != nil {
++		return err
++	}
++	p.Version = ver
++
+ 	return compiled.Execute(out, p)
+ }
+ 
+diff --git a/profiles/apparmor/template.go b/profiles/apparmor/template.go
+index 9f207e2014..626e5f6789 100644
+--- a/profiles/apparmor/template.go
++++ b/profiles/apparmor/template.go
+@@ -24,12 +24,14 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
+   capability,
+   file,
+   umount,
++{{if ge .Version 208096}}
+   # Host (privileged) processes may send signals to container processes.
+   signal (receive) peer=unconfined,
+   # dockerd may send signals to container processes (for "docker kill").
+   signal (receive) peer={{.DaemonProfile}},
+   # Container processes may send signals amongst themselves.
+   signal (send,receive) peer={{.Name}},
++{{end}}
+ 
+   deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a subdir)
+   # deny write to files not in /proc/<number>/** or /proc/sys/**
+@@ -50,7 +52,9 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
+   deny /sys/devices/virtual/powercap/** rwklx,
+   deny /sys/kernel/security/** rwklx,
+ 
++{{if ge .Version 208095}}
+   # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
+   ptrace (trace,read,tracedby,readby) peer={{.Name}},
++{{end}}
+ }
+ `
+-- 
+2.43.0
+

80-docker.rules

@@ -0,0 +1,5 @@
+# hide docker's loopback devices from udisks, and thus from user desktops
+SUBSYSTEM=="block", ENV{DM_NAME}=="docker-*", ENV{UDISKS_PRESENTATION_HIDE}="1", ENV{UDISKS_IGNORE}="1"
+SUBSYSTEM=="block", DEVPATH=="/devices/virtual/block/loop*", ATTR{loop/backing_file}=="/var/lib/docker/*", ENV{UDISKS_PRESENTATION_HIDE}="1", ENV{UDISKS_IGNORE}="1"
+
+

README_SUSE.md

@@ -0,0 +1,230 @@
+# Abstract
+
+Docker is a lightweight "virtualization" method to run multiple virtual units
+(containers, akin to “chroot”) simultaneously on a single control host.
+Containers are isolated with Kernel Control Groups (cgroups) and Kernel Namespaces.
+
+Docker provides an operating system-level virtualization where the Kernel
+controls the isolated containers. With other full virtualization solutions
+like Xen, KVM, or libvirt the processor simulates a complete hardware
+environment and controls its virtual machines.
+
+# Terminology
+
+## chroot
+
+A change root (chroot, or change root jail) is a section in the file system
+which is isolated from the rest of the file system. For this purpose, the chroot
+command is used to change the root of the file system. A program which is
+executed in such a “chroot jail” cannot access files outside the designated
+directory tree.
+
+## cgroups
+
+Kernel Control Groups (commonly referred to as just “cgroups”) are a Kernel
+feature that allows aggregating or partitioning tasks (processes) and all their
+children into hierarchical organized groups to isolate resources.
+
+## Image
+
+A "virtual machine" on the host server that can run any Linux system, for
+example openSUSE, SUSE Linux Enterprise Desktop, or SUSE Linux Enterprise Server.
+
+A Docker image is made by a series of layers built one over the other. Each layer
+corresponds to a permanent change committed from a container to the image.
+
+For more details checkout [Docker's official documentation](http://docs.docker.com/terms/image/).
+
+## Image Name
+
+A name that refers to an image. The name is used by the docker commands.
+
+## Container
+
+A running Docker Image.
+
+## Container ID
+
+A ID that refers to a container. The ID is used by the docker commands.
+
+## TAG
+
+A string associated to a Image. It commonly used to identify a specific version
+of a Image (like tags in version control systems). It is also possible to refer
+the same Image with different TAGs.
+
+## Kernel Namespaces
+
+A Kernel feature to isolate some resources like network, users, and others for
+a group of processes.
+
+## Docker Host Server
+
+The system that runs the Docker daemon, provides the images, and the management
+control capabilities through cgroups.
+
+
+# Overview
+
+Docker is a platform that allows developers and sysadmins to manage the complete
+lifecycle of images.
+
+Docker makes incredibly easy to build, ship and run images containing
+applications.
+
+Benefits of Docker:
+
+  * Isolating applications and operating systems through containers.
+  * Providing nearly native performance as Docker manages allocation of resources
+    in real-time.
+  * Controlling network interfaces and applying resources inside containers through cgroups. 
+  * Versioning of images.
+  * Building images based on existing ones.
+  * Sharining/storing on [public](http://docs.docker.com/docker-hub/) or
+    [private](http://docs.docker.com/userguide/dockerrepos/#private-repositories)
+    repositories.
+
+Limitations of Docker:
+
+  * All Docker containers are running inside the host system's Kernel and not with
+    a different Kernel.
+  * Only allows Linux "guest" operating systems.
+  * Docker is not a full virtualization stack like Xen, KVM, or libvirt.
+  * Security depends on the host system. Refer to the [official documentation](http://docs.docker.com/articles/security/)
+    for more details.
+
+## Container drivers
+
+Docker has different backend drivers to handle the containers. The recommended
+on is [libcontainer](https://github.com/docker/libcontainer), which is also the
+default choice. This driver provides direct access with cgroups.
+
+The Docker packages ships also a LXC driver which handles containers using the
+LXC tools.
+
+At the time of writing, upstream is working on a `libvirt-lxc` driver.
+
+## Storage drivers
+
+Docker supports different storage drivers:
+
+  * `vfs`: this driver is automatically used when the Docker host filesystem
+    does not support copy-on-write. This is a simple driver which does not offer
+    some of the advantages of Docker (like sharing layers, more on that in the
+    next sections). It is highly reliable but also slow.
+  * `devicemapper`: this driver relies on the device-mapper thin provisioning
+    module. It supports copy-on-write, hence it offers all the advantages of
+    Docker.
+  * `btrfs`: this driver relies on Btrfs to provide all the features required
+    by Docker. To use this driver the `/var/lib/docker` directory must be on a
+    btrfs filesystem.
+  * `AUFS`: this driver relies on AUFS union filesystem. Neither the upstream
+    kernel nor the SUSE one supports this filesystem. Hence the AUFS driver is
+    not built into the SUSE Docker package.
+
+It is possible to specify which driver to use by changing the value of the
+`DOCKER_OPTS` variable defined inside of the `/etc/sysconfig/docker` file.
+This can be done either manually or using &yast; by browsing to:
+  * System
+  * /etc/sysconfig Editor
+  * System
+  * Management
+  * DOCKER_OPTS
+menu and entering the `-s storage_driver` string.
+
+For example, to force the usage of the `devicemapper` driver
+enter the following text:
+```
+DOCKER_OPTS="-s devicemapper
+```
+
+It is recommended to have `/var/lib/docker` mounted on a different filesystem
+to not affect the Docker host OS in case of a filesystem corruption.
+
+# Setting up a Docker host
+
+Prepare the host:
+
+  1. Install the `docker` package.
+  2. Automatically start the Docker daemon at boot:
+     `sudo systemctl enable docker`
+  3. Start the Docker daemon:
+     `sudo systemctl start docker`
+
+The Docker daemon listens on a local socket which is accessible only by the `root`
+user and by the members of the `docker` group.
+
+The `docker` group is automatically created at package installation time. To
+allow a certain user to connect to the local Docker daemon use the following
+command:
+
+```
+sudo /usr/sbin/usermod -aG docker <username>
+```
+
+The user will be able to communicate with the local Docker daemon upon his next
+login.
+
+## Networking
+
+If you want your containers to be able to access the external network you must
+enable the `net.ipv4.ip_forward` rule.
+This can be done using YaST by browsing to the
+`Network Devices -> Network Settings -> Routing` menu and ensuring that the
+`Enable IPv4 Forwarding` box is checked.
+
+This option cannot be changed when networking is handled by the Network Manager.
+In such cases the `/etc/sysconfig/SuSEfirewall2` file needs to be edited by
+hand to ensure the `FW_ROUTE` flag is set to `yes` like so:
+
+```
+    FW_ROUTE="yes"
+```
+
+
+# Basic Docker operations
+
+Images can be pulled from [Docker's central index](http://index.docker.io) using
+the following command:
+
+```
+docker pull <image name>
+```
+
+Containers can be started using the `docker run` command.
+
+Please refer to the [official documentation](http://docs.docker.com/)
+for more details.
+
+
+# Building Docker containers using KIWI
+
+Starting from version 5.06.8 KIWI can be used to build Docker images.
+Please refer to KIWI's [official documentation](https://doc.opensuse.org/projects/kiwi/doc/#chap.lxc).
+The official `kiwi-doc` package contains examples of Docker images.
+
+## Docker build system versus KIWI
+
+Docker has an [internal build system](http://docs.docker.com/reference/builder/)
+which makes incredibly easy to create new images based on existing ones.
+
+Some users might be confused about what to use. The right approach is to build
+the [base images](http://docs.docker.com/terms/image/#base-image-def) using KIWI
+and then use them as foundation blocks inside of your Docker's build system.
+
+That two advantages:
+
+  1. Be able to use docker specific directives (like `ENTRYPOINT`, `EXPOSE`, ...).
+  2. Be able to reuse already existing layers.
+
+Sharing the common layers between different images makes possible to:
+
+  * Use less disk space on the Docker hosts.
+  * Make the deployments faster: only the requested layers are sent over the
+    network (it is like upgrading installed packages using delta rpms).
+  * Take full advantage of caching while building Docker images: this will result
+    in faster executions of `docker build` command.
+
+To recap: KIWI is not to be intended as a replacement for Docker's build system.
+It rather complements with it.
+

_service

@@ -0,0 +1,22 @@
+<services>
+  <service name="tar_scm" mode="manual">
+    <param name="url">https://github.com/moby/moby.git</param>
+    <param name="scm">git</param>
+    <param name="exclude">.git</param>
+    <param name="versionformat">24.0.7_ce_%h</param>
+    <param name="revision">v24.0.7</param>
+    <param name="filename">docker</param>
+  </service>
+  <service name="tar_scm" mode="manual">
+    <param name="url">https://github.com/docker/cli.git</param>
+    <param name="scm">git</param>
+    <param name="exclude">.git</param>
+    <param name="versionformat">24.0.7_ce</param>
+    <param name="revision">v24.0.7</param>
+    <param name="filename">docker-cli</param>
+  </service>
+  <service name="recompress" mode="manual">
+    <param name="file">docker-*.tar</param>
+    <param name="compression">xz</param>
+  </service>
+</services>

docker-audit.rules

@@ -0,0 +1,27 @@
+##
+# Audit rules based on CIS Docker 1.6 Benchmark v1.0.0
+# https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf
+# Not all of these apply to SUSE.
+# 1.8 Audit docker daemon
+-w /usr/bin/docker -k docker
+# 1.9 Audit Docker files and directories
+-w /var/lib/docker -k docker
+# 1.10 Audit /etc/docker
+-w /etc/docker -k docker
+# 1.11 Audit Docker files and directories - docker-registry.service
+-w /usr/lib/systemd/system/docker-registry.service -k docker
+# 1.12 Audit Docker files and directories - docker.service
+-w /usr/lib/systemd/system/docker.service -k docker
+# 1.13 Audit Docker files and directories - /var/run/docker.sock
+-w /var/run/docker.sock -k docker
+# 1.14 Audit Docker files and directories - /etc/sysconfig/docker
+-w /etc/sysconfig/docker -k docker
+# 1.15 Audit Docker files and directories - /etc/sysconfig/docker-network
+-w /etc/sysconfig/docker-network -k docker
+# 1.16 Audit Docker files and directories - /etc/sysconfig/docker-registry
+-w /etc/sysconfig/docker-registry -k docker
+# 1.17 Audit Docker files and directories - /etc/sysconfig/docker-storage
+-w /etc/sysconfig/docker-storage -k docker
+# 1.18 Audit Docker files and directories - /etc/default/docker
+-w /etc/default/docker -k docker
+## end docker audit rules

docker-daemon.json

@@ -0,0 +1,8 @@
+{
+  "log-level": "warn",
+  "log-driver": "json-file",
+  "log-opts": {
+    "max-size": "10m",
+    "max-file": "5"
+  }
+}

docker-rpmlintrc

@@ -0,0 +1,2 @@
+addFilter("^docker-bash-completion.noarch: (E|W): non-executable-script /usr/share/bash-completion/completions/docker")
+addFilter("^docker-zsh-completion.noarch: W: non-conffile-in-etc /etc/zsh_completion.d/_docker")

docker.service

@@ -0,0 +1,45 @@
+[Unit]
+Description=Docker Application Container Engine
+Documentation=http://docs.docker.com
+After=network.target lvm2-monitor.service firewalld.service
+# We don't use the docker socket activation, but doing this ensures that the
+# docker.socket unit is alive while Docker is (docker.socket has BindsTo, so we
+# only need a weak requirement to make sure starting docker.service also
+# "starts" the socket service). Forcefully stopping docker.socket will not
+# cause docker to die, but there's no nice workaround for that.
+Wants=docker.socket
+
+[Service]
+EnvironmentFile=/etc/sysconfig/docker
+
+# While Docker has support for socket activation (-H fd://), this is not
+# enabled by default because enabling socket activation means that on boot your
+# containers won't start until someone tries to administer the Docker daemon.
+Type=notify
+ExecStart=/usr/bin/dockerd --add-runtime oci=/usr/sbin/docker-runc $DOCKER_NETWORK_OPTIONS $DOCKER_OPTS
+ExecReload=/bin/kill -s HUP $MAINPID
+
+# Having non-zero Limit*s causes performance problems due to accounting overhead
+# in the kernel. We recommend using cgroups to do container-local accounting.
+LimitNOFILE=1048576
+LimitNPROC=infinity
+LimitCORE=infinity
+
+# Uncomment TasksMax if your systemd version supports it.
+# Only systemd 226 and above support this property.
+TasksMax=infinity
+
+# Set delegate yes so that systemd does not reset the cgroups of docker containers
+# Only systemd 218 and above support this property.
+Delegate=yes
+
+# Kill only the docker process, not all processes in the cgroup.
+KillMode=process
+
+# Restart the docker process if it exits prematurely.
+Restart=on-failure
+StartLimitBurst=3
+StartLimitInterval=60s
+
+[Install]
+WantedBy=multi-user.target

docker.socket

@@ -0,0 +1,18 @@
+[Unit]
+Description=Docker Socket for the API
+# We use BindsTo in order to make sure that you cannot use socket-activation
+# with Docker (Docker must always start at boot if enabled, otherwise
+# containers will not run until some administrator interacts with Docker).
+BindsTo=docker.service
+
+[Socket]
+# If /var/run is not implemented as a symlink to /run, you may need to
+# specify ListenStream=/var/run/docker.sock instead.
+ListenStream=/run/docker.sock
+SocketMode=0660
+SocketUser=root
+SocketGroup=docker
+
+[Install]
+WantedBy=sockets.target
+

docker.spec

@@ -0,0 +1,415 @@
+#
+# spec file for package docker
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+# nodebuginfo
+
+%bcond_without apparmor
+
+# Where important update information will be stored, such that an administrator
+# is guaranteed to see the relevant warning.
+%define update_messages %{_localstatedir}/adm/update-messages/%{name}-%{version}-%{release}
+
+#Compat macro for new _fillupdir macro introduced in Nov 2017
+%if ! %{defined _fillupdir}
+  %define _fillupdir /var/adm/fillup-templates
+%endif
+
+# Used when generating the "build" information for Docker version. The value of
+# git_commit_epoch is unused here (we use SOURCE_DATE_EPOCH, which rpm
+# helpfully injects into our build environment from the changelog). If you want
+# to generate a new git_commit_epoch, use this:
+#  $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s'
+%define real_version 24.0.7
+%define git_version 311b9ff0aa93
+%define git_commit_epoch 1698306665
+
+Name:           docker
+Version:        %{real_version}_ce
+# This "nice version" is so that docker --version gives a result that can be
+# parsed by other people. boo#1182476
+%define nice_version %{real_version}-ce
+Release:        0
+Summary:        The Moby-project Linux container runtime
+License:        Apache-2.0
+Group:          System/Management
+URL:            http://www.docker.io
+Source:         %{name}-%{version}_%{git_version}.tar.xz
+Source1:        %{name}-cli-%{version}.tar.xz
+Source3:        docker-rpmlintrc
+# TODO: Move these source files to somewhere nicer.
+Source100:      docker.service
+Source101:      docker.socket
+Source110:      80-docker.rules
+Source120:      sysconfig.docker
+Source130:      README_SUSE.md
+Source140:      docker-audit.rules
+Source150:      docker-daemon.json
+Source160:      docker.sysusers
+# NOTE: All of these patches are maintained in <https://github.com/suse/docker>
+#       in the suse-v<version> branch. Make sure you update the patches in that
+#       branch and then git-format-patch the patch here.
+# SUSE-FEATURE: Adds the /run/secrets mountpoint inside all Docker containers
+#               which is not snapshotted when images are committed.
+Patch100:       0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+Patch101:       0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+# UPSTREAM: Revert of upstream patch to keep SLE-12 build working.
+Patch200:       0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
+# UPSTREAM: Backport of <https://github.com/moby/moby/pull/41954>.
+Patch201:       0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+# UPSTREAM: Revert of upstream patches to make apparmor work on SLE 12.
+Patch202:       0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
+# UPSTREAM: Backport of <https://github.com/docker/cli/pull/4228>.
+Patch900:       cli-0001-docs-include-required-tools-in-source-tree.patch
+# bugfix for:
+# bsc#1219438: CVE-2024-23653
+# bsc#1219268: CVE-2024-23652
+# bsc#1219267: CVE-2024-23651
+Patch901:       0006-Vendor-in-latest-buildkit-v0.11-branch-including-CVE.patch
+BuildRequires:  audit
+BuildRequires:  bash-completion
+BuildRequires:  ca-certificates
+BuildRequires:  device-mapper-devel >= 1.2.68
+BuildRequires:  fdupes
+%if %{with apparmor}
+BuildRequires:  libapparmor-devel
+%endif
+BuildRequires:  libbtrfs-devel >= 3.8
+BuildRequires:  libseccomp-devel >= 2.2
+BuildRequires:  libtool
+BuildRequires:  linux-glibc-devel
+BuildRequires:  procps
+BuildRequires:  sqlite3-devel
+BuildRequires:  zsh
+BuildRequires:  fish
+BuildRequires:  go-go-md2man
+BuildRequires:  pkgconfig(libsystemd)
+BuildRequires:  sysuser-tools
+BuildRequires:  golang(API) = 1.20
+%if %{with apparmor}
+%if 0%{?sle_version} >= 150000
+# This conditional only works on rpm>=4.13, which SLE 12 doesn't have. But we
+# don't need to support Docker+selinux for SLE 12 anyway.
+Requires:       (apparmor-parser or container-selinux)
+# This recommends is added to make sure that even if you have container-selinux
+# installed you will still be prompted to install apparmor-parser which Docker
+# requires to apply AppArmor profiles (for SELinux systems this doesn't matter
+# but if you switch back to AppArmor on reboot this would result in insecure
+# containers).
+Recommends:     apparmor-parser
+%else
+Requires:       apparmor-parser
+%endif
+%else
+Requires:       container-selinux
+%endif
+Requires:       ca-certificates-mozilla
+# The docker-proxy binary used to be in a separate package. We obsolete it,
+# since now docker-proxy is maintained as part of this package.
+Obsoletes:      docker-libnetwork < 0.7.0.2
+Provides:       docker-libnetwork = 0.7.0.2.%{version}
+# Required to actually run containers. We require the minimum version that is
+# pinned by Docker, but in order to avoid headaches we allow for updates.
+Requires:       runc >= 1.1.9
+Requires:       containerd >= 1.7.3
+# Needed for --init support. We don't use "tini", we use our own implementation
+# which handles edge-cases better.
+Requires:       catatonit
+# Provides mkfs.ext4 - used by Docker when devicemapper storage driver is used
+Requires:       e2fsprogs
+Requires:       iproute2 >= 3.5
+Requires:       iptables >= 1.4
+Requires:       procps
+Requires:       tar >= 1.26
+Requires:       xz >= 4.9
+%?sysusers_requires
+Requires(post): %fillup_prereq
+Requires(post): udev
+Requires(post): shadow
+# Not necessary, but must be installed when the underlying system is
+# configured to use lvm and the user doesn't explicitly provide a
+# different storage-driver than devicemapper
+Recommends:     lvm2 >= 2.2.89
+Recommends:     git-core >= 1.7
+# Required for "docker buildx" support.
+Recommends:     %{name}-buildx
+Recommends:     %{name}-rootless-extras
+ExcludeArch:    s390 ppc
+
+%description
+Docker complements LXC with a high-level API which operates at the process
+level. It runs unix processes with strong guarantees of isolation and
+repeatability across servers.
+
+Docker is a great building block for automating distributed systems: large-scale
+web deployments, database clusters, continuous deployment systems, private PaaS,
+service-oriented architectures, etc.
+
+%package rootless-extras
+Summary:        Rootless support for Docker
+Group:          System/Management
+Requires:       %{name} = %{version}
+Requires:       slirp4netns >= 0.4
+Requires:       fuse-overlayfs >= 0.7
+Requires:       rootlesskit
+BuildArch:      noarch
+
+%description rootless-extras
+Rootless support for Docker.
+Use dockerd-rootless.sh to run the daemon.
+Use dockerd-rootless-setuptool.sh to setup systemd for dockerd-rootless.sh.
+
+%package bash-completion
+Summary:        Bash Completion for %{name}
+Group:          System/Shells
+Requires:       %{name} = %{version}
+Requires:       bash-completion
+Supplements:    packageand(%{name}:bash-completion)
+BuildArch:      noarch
+
+%description bash-completion
+Bash command line completion support for %{name}.
+
+%package zsh-completion
+Summary:        Zsh Completion for %{name}
+Group:          System/Shells
+Requires:       %{name} = %{version}
+Requires:       zsh
+Supplements:    packageand(%{name}:zsh)
+BuildArch:      noarch
+
+%description zsh-completion
+Zsh command line completion support for %{name}.
+
+%package fish-completion
+Summary:        Fish completion for %{name}
+Group:          System/Shells
+Requires:       %{name} = %{version}
+Requires:       fish
+Supplements:    packageand(%{name}:fish)
+BuildArch:      noarch
+
+%description fish-completion
+Fish command line completion support for %{name}.
+
+%prep
+# docker-cli
+%define cli_builddir %{_builddir}/%{name}-cli-%{version}
+%setup -q -T -b 1 -n %{name}-cli-%{version}
+[ "%{cli_builddir}" = "$PWD" ]
+# offline manpages
+%patch -P900 -p1
+
+# docker
+%define docker_builddir %{_builddir}/%{name}-%{version}_%{git_version}
+%setup -q -n %{name}-%{version}_%{git_version}
+[ "%{docker_builddir}" = "$PWD" ]
+# README_SUSE.md for documentation.
+cp %{SOURCE130} .
+
+%if 0%{?is_opensuse} == 0
+# PATCH-SUSE: Secrets patches.
+%patch -P100 -p1
+%patch -P101 -p1
+%endif
+%if 0%{?sle_version} == 120000
+# Patches to build on SLE-12.
+%patch -P200 -p1
+%endif
+# bsc#1099277
+%patch -P201 -p1
+# Solves apparmor issues on SLE-12, but okay for newer SLE versions too.
+%patch -P202 -p1
+# temporary buildkit bugfixes
+%patch -P901 -p1
+
+%build
+%sysusers_generate_pre %{SOURCE160} %{name} %{name}.conf
+
+BUILDTAGS="exclude_graphdriver_aufs apparmor selinux seccomp pkcs11"
+%if 0%{?sle_version} == 120000
+	# Allow us to build with older distros but still have deferred removal
+	# support at runtime. We only use this when building on SLE12, because
+	# later openSUSE/SLE versions have a new enough libdevicemapper to not
+	# require the runtime checking.
+	BUILDTAGS="libdm_dlsym_deferred_remove $BUILDTAGS"
+%endif
+
+export AUTO_GOPATH=1
+# Make sure we always build PIC code. bsc#1048046
+export BUILDFLAGS="-buildmode=pie"
+# Specify all of the versioning information. We use SOURCE_DATE_EPOCH if it's
+# been injected by rpmbuild, otherwise we use the hardcoded git_commit_epoch
+# generated above. boo#1064781
+export VERSION="%{nice_version}"
+export DOCKER_GITCOMMIT="%{git_version}"
+export GITCOMMIT="%{git_version}"
+export SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-%{git_commit_epoch}}"
+export BUILDTIME="$(date -u -d "@$SOURCE_DATE_EPOCH" --rfc-3339 ns 2>/dev/null | sed -e 's/ /T/')"
+
+###################
+## DOCKER ENGINE ##
+###################
+
+pushd "%{docker_builddir}"
+# use go module for build
+ln -s {vendor,go}.mod
+ln -s {vendor,go}.sum
+./hack/make.sh dynbinary
+popd
+
+###################
+## DOCKER CLIENT ##
+###################
+
+pushd "%{cli_builddir}"
+# use go module for build
+ln -s {vendor,go}.mod
+ln -s {vendor,go}.sum
+make DISABLE_WARN_OUTSIDE_CONTAINER=1 dynbinary manpages
+popd
+
+%install
+install -Dd -m0755 \
+	%{buildroot}%{_sysconfdir}/init.d \
+	%{buildroot}%{_bindir} \
+	%{buildroot}%{_sbindir}
+
+# docker daemon
+install -D -m0755 %{docker_builddir}/bundles/dynbinary-daemon/dockerd %{buildroot}/%{_bindir}/dockerd
+# docker proxy
+install -D -m0755 %{docker_builddir}/bundles/dynbinary-daemon/docker-proxy %{buildroot}/%{_bindir}/docker-proxy
+
+# cli-plugins/
+install -d %{buildroot}/usr/lib/docker/cli-plugins
+
+# /var/lib/docker
+install -d %{buildroot}/%{_localstatedir}/lib/docker
+# daemon.json config file
+install -D -m0644 %{SOURCE150} %{buildroot}%{_sysconfdir}/docker/daemon.json
+
+# docker cli
+install -D -m0755 %{cli_builddir}/build/docker %{buildroot}/%{_bindir}/docker
+install -D -m0644 %{cli_builddir}/contrib/completion/bash/docker "%{buildroot}%{_datarootdir}/bash-completion/completions/%{name}"
+install -D -m0644 %{cli_builddir}/contrib/completion/zsh/_docker "%{buildroot}%{_sysconfdir}/zsh_completion.d/_%{name}"
+install -D -m0644 %{cli_builddir}/contrib/completion/fish/docker.fish "%{buildroot}/%{_datadir}/fish/vendor_completions.d/%{name}.fish"
+
+# systemd service
+install -D -m0644 %{SOURCE100} %{buildroot}%{_unitdir}/%{name}.service
+install -D -m0644 %{SOURCE101} %{buildroot}%{_unitdir}/%{name}.socket
+ln -sf service %{buildroot}%{_sbindir}/rcdocker
+
+# udev rules that prevents dolphin to show all docker devices and slows down
+# upstream report https://bugs.kde.org/show_bug.cgi?id=329930
+install -D -m0644 %{SOURCE110} %{buildroot}%{_udevrulesdir}/80-%{name}.rules
+
+# audit rules
+install -D -m0640 %{SOURCE140} %{buildroot}%{_sysconfdir}/audit/rules.d/%{name}.rules
+
+# sysconfig file
+install -D -m0644 %{SOURCE120} %{buildroot}%{_fillupdir}/sysconfig.docker
+
+# install manpages (using the ones from the engine)
+install -d %{buildroot}%{_mandir}/man1
+install -p -m0644 %{cli_builddir}/man/man1/*.1 %{buildroot}%{_mandir}/man1
+install -d %{buildroot}%{_mandir}/man5
+install -p -m0644 %{cli_builddir}/man/man5/Dockerfile.5 %{buildroot}%{_mandir}/man5
+install -d %{buildroot}%{_mandir}/man8
+install -p -m0644 %{cli_builddir}/man/man8/*.8 %{buildroot}%{_mandir}/man8
+
+# sysusers.d
+install -D -m0644 %{SOURCE160} %{buildroot}%{_sysusersdir}/%{name}.conf
+
+# rootless extras
+install -D -p -m 0755 contrib/dockerd-rootless.sh %{buildroot}/%{_bindir}/dockerd-rootless.sh
+install -D -p -m 0755 contrib/dockerd-rootless-setuptool.sh %{buildroot}/%{_bindir}/dockerd-rootless-setuptool.sh
+
+%fdupes %{buildroot}
+
+%pre -f %{name}.pre
+# /etc/sub[ug]id should exist already (it's part of shadow-utils), but older
+# distros don't have it. Docker just parses it and doesn't need any special
+# shadow-utils helpers.
+touch /etc/subuid /etc/subgid ||:
+
+# "useradd -r" doesn't add sub[ug]ids so we manually add some. Hopefully there
+# aren't any conflicts here, because usermod doesn't provide the same "get
+# unusued range" feature that dockremap does.
+grep -q '^dockremap:' /etc/subuid || \
+	usermod -v 100000000-200000000 dockremap &>/dev/null || \
+	echo "dockremap:100000000:100000001" >>/etc/subuid ||:
+grep -q '^dockremap:' /etc/subgid || \
+	usermod -w 100000000-200000000 dockremap &>/dev/null || \
+	echo "dockremap:100000000:100000001" >>/etc/subgid ||:
+
+%service_add_pre %{name}.service %{name}.socket
+
+%post
+%service_add_post %{name}.service %{name}.socket
+%{fillup_only -n docker}
+
+%preun
+%service_del_preun %{name}.service %{name}.socket
+
+%postun
+%service_del_postun %{name}.service %{name}.socket
+
+%files
+%defattr(-,root,root)
+%doc README.md README_SUSE.md
+%license LICENSE
+%{_bindir}/docker
+%{_bindir}/dockerd
+%{_bindir}/docker-proxy
+%{_sbindir}/rcdocker
+%dir %{_localstatedir}/lib/docker/
+
+%dir /usr/lib/docker
+%dir /usr/lib/docker/cli-plugins
+
+%{_unitdir}/%{name}.service
+%{_unitdir}/%{name}.socket
+%{_sysusersdir}/%{name}.conf
+
+%dir %{_sysconfdir}/docker
+%config(noreplace) %{_sysconfdir}/docker/daemon.json
+%{_fillupdir}/sysconfig.docker
+
+%config %{_sysconfdir}/audit/rules.d/%{name}.rules
+%{_udevrulesdir}/80-%{name}.rules
+
+%{_mandir}/man1/docker-*.1%{ext_man}
+%{_mandir}/man1/docker.1%{ext_man}
+%{_mandir}/man5/Dockerfile.5%{ext_man}
+%{_mandir}/man8/dockerd.8%{ext_man}
+
+%files bash-completion
+%defattr(-,root,root)
+%{_datarootdir}/bash-completion/completions/%{name}
+
+%files zsh-completion
+%defattr(-,root,root)
+%{_sysconfdir}/zsh_completion.d/_%{name}
+
+%files fish-completion
+%defattr(-,root,root)
+%{_datadir}/fish/vendor_completions.d/%{name}.fish
+
+%files rootless-extras
+%defattr(-,root,root)
+%{_bindir}/dockerd-rootless.sh
+%{_bindir}/dockerd-rootless-setuptool.sh
+
+%changelog

docker.sysusers

@@ -0,0 +1,3 @@
+#Type Name      ID GECOS                           Home directory Shell
+g     docker    -  -                               -              -
+u     dockremap -  'docker --userns-remap=default' -              -

sysconfig.docker

@@ -0,0 +1,8 @@
+
+## Path           : System/Management
+## Description    : Extra cli switches for docker daemon
+## Type           : string
+## Default        : ""
+## ServiceRestart : docker
+#
+DOCKER_OPTS=""