Sync from SUSE:SLFO:1.1 docker revision 11880ddb21cbbc979c6f3318f4ee3f68

0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch

@@ -0,0 +1,106 @@
+From 6984023c043bec71b44665a55ab4abec6f549ed5 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <cyphar@cyphar.com>
+Date: Wed, 4 Jun 2025 15:01:37 +1000
+Subject: [PATCH 1/6] SECRETS: SUSE: always clear our internal secrets
+
+In the future SUSEConnect support patch, we will add swarm secrets with
+the ID suse_* containing credentials pertinent to SUSEConnect.
+Unfortunately, secret references (but not the secrets themselves) are
+persisted in the container configuration.
+
+Our secrets patch would clear old secrets to avoid having duplicates
+(see bsc#1057743) but now that SLE16 will no longer use this patch,
+containers migrated to the new system will fail to start because the
+secret store is not initialised (and the secret reference IDs don't
+exist anyway).
+
+The solution is to always clear any secrets with the suse_* prefix, and
+this patch will be applied to all builds (even those with SUSEConnect
+support disabled).
+
+THIS PATCH IS NOT TO BE UPSTREAMED, DUE TO THE FACT THAT IT IS
+SUSE-SPECIFIC, AND UPSTREAM DOES NOT APPROVE OF THIS CONCEPT BECAUSE IT
+MAKES BUILDS NOT ENTIRELY REPRODUCIBLE.
+
+SUSE-Bugs: bsc#1244035 bsc#1057743
+Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
+---
+ daemon/start.go        | 10 ++++++++++
+ daemon/suse_secrets.go | 44 ++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 54 insertions(+)
+ create mode 100644 daemon/suse_secrets.go
+
+diff --git a/daemon/start.go b/daemon/start.go
+index a914a0fe3145..0930ff91d1a2 100644
+--- a/daemon/start.go
++++ b/daemon/start.go
+@@ -146,6 +146,16 @@ func (daemon *Daemon) containerStart(ctx context.Context, daemonCfg *configStore
+ 		}
+ 	}()
+ 
++	// SUSE:secrets -- Drop any "old" SUSE secrets referenced by this container
++	// (even if this daemon is not compiled with injectSuseSecretStore
++	// enabled). This is necessary because containers secret references are
++	// somewhat permanently associated with containers, so if you were to
++	// restart the container with a different Docker daemon you may end up with
++	// duplicate secrets causing errors (bsc#1057743) or the secret reference
++	// might not be resolveable if you switched to a Docker without the
++	// SUSEConnect patch enabled (bsc#1244035).
++	daemon.clearSuseSecrets(container)
++
+ 	mnts, err := daemon.setupContainerDirs(container)
+ 	if err != nil {
+ 		return err
+diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go
+new file mode 100644
+index 000000000000..b8f3d9f9c094
+--- /dev/null
++++ b/daemon/suse_secrets.go
+@@ -0,0 +1,44 @@
++/*
++ * suse-secrets: patch for Docker to implement SUSE secrets
++ * Copyright (C) 2017-2021 SUSE LLC.
++ *
++ * Licensed under the Apache License, Version 2.0 (the "License");
++ * you may not use this file except in compliance with the License.
++ * You may obtain a copy of the License at
++ *
++ *    http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++
++package daemon
++
++import (
++	"strings"
++
++	"github.com/docker/docker/container"
++
++	swarmtypes "github.com/docker/docker/api/types/swarm"
++
++	"github.com/sirupsen/logrus"
++)
++
++// clearSuseSecrets removes any SecretReferences which were added by us
++// explicitly (this is detected by checking that the prefix has a 'suse_'
++// prefix, which is a prefix that cannot exist for normal swarm secrets). See
++// bsc#1057743 and bsc#1244035.
++func (daemon *Daemon) clearSuseSecrets(c *container.Container) {
++	var without []*swarmtypes.SecretReference
++	for _, secret := range c.SecretReferences {
++		if strings.HasPrefix(secret.SecretID, "suse_") {
++			logrus.Debugf("SUSE:secrets :: removing 'old' suse secret %q from container %q", secret.SecretID, c.ID)
++			continue
++		}
++		without = append(without, secret)
++	}
++	c.SecretReferences = without
++}
+-- 
+2.50.0
+

0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch

@@ -1,7 +1,7 @@
-From f839b3ae9ba6e379fc7141987bf423cd66e353e3 Mon Sep 17 00:00:00 2001
+From a37bdf794549f1bd238d222801f87c223efc92dc Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Wed, 8 Mar 2017 12:41:54 +1100
-Subject: [PATCH 1/5] SECRETS: daemon: allow directory creation in /run/secrets
+Subject: [PATCH 2/6] SECRETS: daemon: allow directory creation in /run/secrets
 
 Since FileMode can have the directory bit set, allow a SecretStore
 implementation to return secrets that are actually directories. This is
@@ -14,26 +14,26 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
  1 file changed, 20 insertions(+), 3 deletions(-)
 
 diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go
-index f572e0d8a865..88573559d537 100644
+index f6d9449609b7..520b7f80f162 100644
 --- a/daemon/container_operations_unix.go
 +++ b/daemon/container_operations_unix.go
 @@ -3,6 +3,7 @@
- package daemon // import "github.com/docker/docker/daemon"
+ package daemon
  
  import (
 +	"bytes"
  	"context"
  	"fmt"
  	"os"
-@@ -17,6 +18,7 @@ import (
- 	"github.com/docker/docker/daemon/network"
- 	"github.com/docker/docker/errdefs"
- 	"github.com/docker/docker/libnetwork"
-+	"github.com/docker/docker/pkg/archive"
- 	"github.com/docker/docker/pkg/idtools"
+@@ -21,6 +22,7 @@ import (
+ 	"github.com/docker/docker/libnetwork/drivers/bridge"
  	"github.com/docker/docker/pkg/process"
  	"github.com/docker/docker/pkg/stringid"
-@@ -240,9 +242,6 @@ func (daemon *Daemon) setupSecretDir(ctr *container.Container) (setupErr error)
++	"github.com/moby/go-archive"
+ 	"github.com/moby/sys/mount"
+ 	"github.com/moby/sys/user"
+ 	"github.com/opencontainers/selinux/go-selinux/label"
+@@ -325,9 +327,6 @@ func (daemon *Daemon) setupSecretDir(ctr *container.Container) (setupErr error)
  		if err != nil {
  			return errors.Wrap(err, "unable to get secret from secret store")
  		}
@@ -43,7 +43,7 @@ index f572e0d8a865..88573559d537 100644
  
  		uid, err := strconv.Atoi(s.File.UID)
  		if err != nil {
-@@ -253,6 +252,24 @@ func (daemon *Daemon) setupSecretDir(ctr *container.Container) (setupErr error)
+@@ -338,6 +337,24 @@ func (daemon *Daemon) setupSecretDir(ctr *container.Container) (setupErr error)
  			return err
  		}
  
@@ -65,9 +65,9 @@ index f572e0d8a865..88573559d537 100644
 +				return errors.Wrap(err, "error injecting secret")
 +			}
 +		}
- 		if err := os.Chown(fPath, rootIDs.UID+uid, rootIDs.GID+gid); err != nil {
+ 		if err := os.Chown(fPath, ruid+uid, rgid+gid); err != nil {
  			return errors.Wrap(err, "error setting ownership for secret")
  		}
 -- 
-2.48.1
+2.50.0
 

0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch

@@ -1,7 +1,7 @@
-From 2dae295a69ce4cc345ec144abeb6ffd936fd639a Mon Sep 17 00:00:00 2001
+From b2580007548917ca214a8f40f6888a3285c63b1f Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Wed, 8 Mar 2017 11:43:29 +1100
-Subject: [PATCH 2/5] SECRETS: SUSE: implement SUSE container secrets
+Subject: [PATCH 3/6] SECRETS: SUSE: implement SUSE container secrets
 
 This allows for us to pass in host credentials to a container, allowing
 for SUSEConnect to work with containers.
@@ -14,23 +14,22 @@ THIS PATCH IS NOT TO BE UPSTREAMED, DUE TO THE FACT THAT IT IS
 SUSE-SPECIFIC, AND UPSTREAM DOES NOT APPROVE OF THIS CONCEPT BECAUSE IT
 MAKES BUILDS NOT ENTIRELY REPRODUCIBLE.
 
-SUSE-Bugs: bsc#1065609 bsc#1057743 bsc#1055676 bsc#1030702 bsc#1231348
+SUSE-Bugs: bsc#1065609 bsc#1057743 bsc#1055676 bsc#1030702 bsc#1231348 bsc#1240150
 Signed-off-by: Aleksa Sarai <asarai@suse.de>
 ---
  daemon/start.go        |   5 +
- daemon/suse_secrets.go | 461 +++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 466 insertions(+)
- create mode 100644 daemon/suse_secrets.go
+ daemon/suse_secrets.go | 438 +++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 443 insertions(+)
 
 diff --git a/daemon/start.go b/daemon/start.go
-index 027f08a6dc07..d8545f8cb46a 100644
+index 0930ff91d1a2..02d2f8429c19 100644
 --- a/daemon/start.go
 +++ b/daemon/start.go
-@@ -128,6 +128,11 @@ func (daemon *Daemon) containerStart(ctx context.Context, daemonCfg *configStore
- 		return err
- 	}
+@@ -156,6 +156,11 @@ func (daemon *Daemon) containerStart(ctx context.Context, daemonCfg *configStore
+ 	// SUSEConnect patch enabled (bsc#1244035).
+ 	daemon.clearSuseSecrets(container)
  
-+	// SUSE:secrets -- inject the SUSE secret store
++	// SUSE:secrets -- Inject the SUSE secret store.
 +	if err := daemon.injectSuseSecretStore(container); err != nil {
 +		return err
 +	}
@@ -39,53 +38,37 @@ index 027f08a6dc07..d8545f8cb46a 100644
  	if err != nil {
  		return err
 diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go
-new file mode 100644
-index 000000000000..85b37bf46544
---- /dev/null
+index b8f3d9f9c094..5ab96651080b 100644
+--- a/daemon/suse_secrets.go
 +++ b/daemon/suse_secrets.go
-@@ -0,0 +1,461 @@
-+/*
-+ * suse-secrets: patch for Docker to implement SUSE secrets
-+ * Copyright (C) 2017-2021 SUSE LLC.
-+ *
-+ * Licensed under the Apache License, Version 2.0 (the "License");
-+ * you may not use this file except in compliance with the License.
-+ * You may obtain a copy of the License at
-+ *
-+ *    http://www.apache.org/licenses/LICENSE-2.0
-+ *
-+ * Unless required by applicable law or agreed to in writing, software
-+ * distributed under the License is distributed on an "AS IS" BASIS,
-+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-+ * See the License for the specific language governing permissions and
-+ * limitations under the License.
-+ */
-+
-+package daemon
-+
-+import (
+@@ -18,15 +18,378 @@
+ package daemon
+ 
+ import (
 +	"archive/tar"
 +	"bytes"
++	"errors"
 +	"fmt"
 +	"io"
 +	"io/ioutil"
 +	"os"
 +	"path/filepath"
-+	"strings"
+ 	"strings"
 +	"syscall"
-+
-+	"github.com/docker/docker/container"
-+	"github.com/docker/docker/pkg/archive"
-+	"github.com/docker/docker/pkg/idtools"
-+
-+	swarmtypes "github.com/docker/docker/api/types/swarm"
+ 
+ 	"github.com/docker/docker/container"
++	"github.com/docker/docker/pkg/rootless"
+ 
+ 	swarmtypes "github.com/docker/docker/api/types/swarm"
++	"github.com/moby/go-archive"
 +	swarmexec "github.com/moby/swarmkit/v2/agent/exec"
 +	swarmapi "github.com/moby/swarmkit/v2/api"
-+
++	"github.com/moby/sys/user"
+ 
 +	"github.com/opencontainers/go-digest"
-+	"github.com/sirupsen/logrus"
-+)
-+
+ 	"github.com/sirupsen/logrus"
+ )
+ 
 +const suseSecretsTogglePath = "/etc/docker/suse-secrets-enable"
 +
 +// parseEnableFile parses a file that can only contain "0" or "1" (with some
@@ -155,14 +138,13 @@ index 000000000000..85b37bf46544
 +	}
 +}
 +
-+func (s SuseFakeFile) toSecretReference(idMaps idtools.IdentityMapping) *swarmtypes.SecretReference {
++func (s SuseFakeFile) toSecretReference(idMaps user.IdentityMapping) *swarmtypes.SecretReference {
 +	// Figure out the host-facing {uid,gid} based on the provided maps. Fall
 +	// back to root if the UID/GID don't match (we are guaranteed that root is
 +	// mapped).
-+	ctrUser := idtools.Identity{UID: s.Uid, GID: s.Gid}
-+	hostUser := idMaps.RootPair()
-+	if user, err := idMaps.ToHost(ctrUser); err == nil {
-+		hostUser = user
++	hostUID, hostGID := idMaps.RootPair()
++	if uid, gid, err := idMaps.ToHost(s.Uid, s.Gid); err == nil {
++		hostUID, hostGID = uid, gid
 +	}
 +
 +	// Return the secret reference as a file target.
@@ -171,8 +153,8 @@ index 000000000000..85b37bf46544
 +		SecretName: s.id(),
 +		File: &swarmtypes.SecretReferenceFileTarget{
 +			Name: s.Path,
-+			UID:  fmt.Sprintf("%d", hostUser.UID),
-+			GID:  fmt.Sprintf("%d", hostUser.GID),
++			UID:  fmt.Sprintf("%d", hostUID),
++			GID:  fmt.Sprintf("%d", hostGID),
 +			Mode: s.Mode,
 +		},
 +	}
@@ -217,11 +199,11 @@ index 000000000000..85b37bf46544
 +		IncludeSourceDir: true,
 +	})
 +	if err != nil {
-+		return nil, fmt.Errorf("SUSE:secrets :: failed to tar source directory %q: %v", path, err)
++		return nil, fmt.Errorf("SUSE:secrets :: failed to tar source directory %q: %w", path, err)
 +	}
 +	tarStreamBytes, err := ioutil.ReadAll(tarStream)
 +	if err != nil {
-+		return nil, fmt.Errorf("SUSE:secrets :: failed to read full tar archive: %v", err)
++		return nil, fmt.Errorf("SUSE:secrets :: failed to read full tar archive: %w", err)
 +	}
 +
 +	// Get a list of the symlinks in the tar archive.
@@ -233,7 +215,7 @@ index 000000000000..85b37bf46544
 +			break
 +		}
 +		if err != nil {
-+			return nil, fmt.Errorf("SUSE:secrets :: failed to read through tar reader: %v", err)
++			return nil, fmt.Errorf("SUSE:secrets :: failed to read through tar reader: %w", err)
 +		}
 +		if hdr.Typeflag == tar.TypeSymlink {
 +			symlinks = append(symlinks, hdr.Name)
@@ -254,7 +236,7 @@ index 000000000000..85b37bf46544
 +			// Get a copy of the original byte stream.
 +			oldContent, err := ioutil.ReadAll(r)
 +			if err != nil {
-+				return nil, nil, fmt.Errorf("suse_rewrite: failed to read archive entry %q: %v", tarPath, err)
++				return nil, nil, fmt.Errorf("suse_rewrite: failed to read archive entry %q: %w", tarPath, err)
 +			}
 +
 +			// Check that the file actually exists.
@@ -292,7 +274,7 @@ index 000000000000..85b37bf46544
 +	tarStream = archive.ReplaceFileTarWrapper(ioutil.NopCloser(bytes.NewBuffer(tarStreamBytes)), symlinkModifyMap)
 +	tarStreamBytes, err = ioutil.ReadAll(tarStream)
 +	if err != nil {
-+		return nil, fmt.Errorf("SUSE:secrets :: failed to read rewritten archive: %v", err)
++		return nil, fmt.Errorf("SUSE:secrets :: failed to read rewritten archive: %w", err)
 +	}
 +
 +	// Add the tar stream as a "file".
@@ -435,19 +417,17 @@ index 000000000000..85b37bf46544
 +	return secret, nil
 +}
 +
-+// removeSuseSecrets removes any SecretReferences which were added by us
-+// explicitly (this is detected by checking that the prefix has a 'suse'
-+// prefix). See bsc#1057743.
-+func removeSuseSecrets(c *container.Container) {
-+	var without []*swarmtypes.SecretReference
-+	for _, secret := range c.SecretReferences {
-+		if strings.HasPrefix(secret.SecretID, "suse") {
-+			logrus.Debugf("SUSE:secrets :: removing 'old' suse secret %q from container %q", secret.SecretID, c.ID)
-+			continue
-+		}
-+		without = append(without, secret)
-+	}
-+	c.SecretReferences = without
+ // clearSuseSecrets removes any SecretReferences which were added by us
+ // explicitly (this is detected by checking that the prefix has a 'suse_'
+ // prefix, which is a prefix that cannot exist for normal swarm secrets). See
+@@ -42,3 +405,78 @@ func (daemon *Daemon) clearSuseSecrets(c *container.Container) {
+ 	}
+ 	c.SecretReferences = without
+ }
++
++func (daemon *Daemon) isRootless() bool {
++	cfg := daemon.Config()
++	return os.Geteuid() != 0 || Rootless(&cfg) || rootless.RunningWithRootlessKit()
 +}
 +
 +func (daemon *Daemon) injectSuseSecretStore(c *container.Container) error {
@@ -455,7 +435,7 @@ index 000000000000..85b37bf46544
 +	// restarted) could still have references to old secrets. The .id() of all
 +	// secrets have a prefix of "suse" so this is much easier. See bsc#1057743
 +	// for details on why this could cause issues.
-+	removeSuseSecrets(c)
++	daemon.clearSuseSecrets(c)
 +
 +	// Don't inject anything if the administrator has disabled suse secrets.
 +	// However, for previous existing containers we need to remove old secrets
@@ -464,6 +444,13 @@ index 000000000000..85b37bf46544
 +		logrus.Debugf("SUSE:secrets :: skipping injection of secrets into container %q because of %s", c.ID, suseSecretsTogglePath)
 +		return nil
 +	}
++	// Unprivileged users (or Docker in rootless mode, in a user namespace)
++	// cannot access host zypper credentials so there is no real point even
++	// trying to inject them into the container. bsc#1240150
++	if daemon.isRootless() {
++		logrus.Debugf("SUSE:secrets :: skipping injection of secrets into container in rootless mode")
++		return nil
++	}
 +
 +	newDependencyStore := &suseDependencyStore{
 +		dfl:     c.DependencyStore,
@@ -475,6 +462,13 @@ index 000000000000..85b37bf46544
 +	}
 +
 +	secrets, err := getHostSuseSecretData()
++	if errors.Is(err, os.ErrPermission) {
++		// This should only ever really happen for rootless Docker (which we
++		// already handled above), but ignore permission errors here just in
++		// case. bsc#1240150
++		logrus.Debugf("SUSE:secrets :: skipping injection of secrets into container because of permission error while loading host data")
++		return nil
++	}
 +	if err != nil {
 +		return err
 +	}
@@ -506,5 +500,5 @@ index 000000000000..85b37bf46544
 +	return nil
 +}
 -- 
-2.48.1
+2.50.0
 

0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch

@@ -1,7 +1,7 @@
-From d3a0ce85a41282135e0eea96dd04a4c82effea1d Mon Sep 17 00:00:00 2001
+From faaf452a0ced139a10a76cdb4dba04ba39d2e948 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Mon, 22 May 2023 15:44:54 +1000
-Subject: [PATCH 3/5] BUILD: SLE12: revert "graphdriver/btrfs: use kernel UAPI
+Subject: [PATCH 4/6] BUILD: SLE12: revert "graphdriver/btrfs: use kernel UAPI
  headers"
 
 This reverts commit 3208dcabdc8997340b255f5b880fef4e3f54580d.
@@ -16,10 +16,10 @@ Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
  1 file changed, 4 insertions(+), 9 deletions(-)
 
 diff --git a/daemon/graphdriver/btrfs/btrfs.go b/daemon/graphdriver/btrfs/btrfs.go
-index 73652ed853ba..c31e1c542253 100644
+index fa0cb3ed25d8..871f6b3f8c1f 100644
 --- a/daemon/graphdriver/btrfs/btrfs.go
 +++ b/daemon/graphdriver/btrfs/btrfs.go
-@@ -4,17 +4,12 @@ package btrfs // import "github.com/docker/docker/daemon/graphdriver/btrfs"
+@@ -4,17 +4,12 @@ package btrfs
  
  /*
  #include <stdlib.h>
@@ -42,5 +42,5 @@ index 73652ed853ba..c31e1c542253 100644
  static void set_name_btrfs_ioctl_vol_args_v2(struct btrfs_ioctl_vol_args_v2* btrfs_struct, const char* value) {
      snprintf(btrfs_struct->name, BTRFS_SUBVOL_NAME_MAX, "%s", value);
 -- 
-2.48.1
+2.50.0
 

0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch

@@ -1,7 +1,7 @@
-From d14bce9bafde35ad958f38f608bf3e0481d98ad7 Mon Sep 17 00:00:00 2001
+From 1d73fe8e91b3f27e93affe5e8257b79627587875 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Fri, 29 Jun 2018 17:59:30 +1000
-Subject: [PATCH 4/5] bsc1073877: apparmor: clobber docker-default profile on
+Subject: [PATCH 5/6] bsc1073877: apparmor: clobber docker-default profile on
  start
 
 In the process of making docker-default reloading far less expensive,
@@ -22,7 +22,7 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
  3 files changed, 17 insertions(+), 6 deletions(-)
 
 diff --git a/daemon/apparmor_default.go b/daemon/apparmor_default.go
-index 81e10b6cbec0..e695667a190f 100644
+index d5737e5a75a3..d77c714d266b 100644
 --- a/daemon/apparmor_default.go
 +++ b/daemon/apparmor_default.go
 @@ -23,6 +23,15 @@ func DefaultApparmorProfile() string {
@@ -54,12 +54,12 @@ index 81e10b6cbec0..e695667a190f 100644
  	return nil
  }
 diff --git a/daemon/apparmor_default_unsupported.go b/daemon/apparmor_default_unsupported.go
-index be4938f5b61a..2b326fea5829 100644
+index 37974bbb9778..095aa728a7a8 100644
 --- a/daemon/apparmor_default_unsupported.go
 +++ b/daemon/apparmor_default_unsupported.go
 @@ -2,6 +2,10 @@
  
- package daemon // import "github.com/docker/docker/daemon"
+ package daemon
  
 +func clobberDefaultAppArmorProfile() error {
 +	return nil
@@ -69,10 +69,10 @@ index be4938f5b61a..2b326fea5829 100644
  	return nil
  }
 diff --git a/daemon/daemon.go b/daemon/daemon.go
-index f152685e6026..dee4c33471d5 100644
+index 2e0a36eb102b..f28c6e061fa9 100644
 --- a/daemon/daemon.go
 +++ b/daemon/daemon.go
-@@ -941,8 +941,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
+@@ -878,8 +878,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
  		log.G(ctx).Warnf("Failed to configure golang's threads limit: %v", err)
  	}
  
@@ -85,5 +85,5 @@ index f152685e6026..dee4c33471d5 100644
  	}
  
 -- 
-2.48.1
+2.50.0
 

0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch

@@ -1,7 +1,7 @@
-From 7a52b3d815482a14646e07319d5c0b7a59d1994d Mon Sep 17 00:00:00 2001
+From 993356d0603739961b62a8010d96f412e56b9196 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Wed, 11 Oct 2023 21:19:12 +1100
-Subject: [PATCH 5/5] SLE12: revert "apparmor: remove version-conditionals from
+Subject: [PATCH 6/6] SLE12: revert "apparmor: remove version-conditionals from
  template"
 
 This reverts the following commits:
@@ -249,7 +249,7 @@ index 000000000000..89b48b2dba58
 +	return numericVersion, nil
 +}
 diff --git a/profiles/apparmor/apparmor.go b/profiles/apparmor/apparmor.go
-index 277c853ebe1f..d1aad80cbfd2 100644
+index 445eed64e979..871b1f7d63c2 100644
 --- a/profiles/apparmor/apparmor.go
 +++ b/profiles/apparmor/apparmor.go
 @@ -11,10 +11,14 @@ import (
@@ -292,7 +292,7 @@ index 277c853ebe1f..d1aad80cbfd2 100644
  }
  
 diff --git a/profiles/apparmor/template.go b/profiles/apparmor/template.go
-index 8dbc1b610288..2062aab1ac99 100644
+index 35c75300f8f0..b7a0299af2b8 100644
 --- a/profiles/apparmor/template.go
 +++ b/profiles/apparmor/template.go
 @@ -23,6 +23,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
@@ -322,5 +322,5 @@ index 8dbc1b610288..2062aab1ac99 100644
  }
  `
 -- 
-2.48.1
+2.50.0
 

_service

@@ -3,24 +3,24 @@
     <param name="url">https://github.com/moby/moby.git</param>
     <param name="scm">git</param>
     <param name="exclude">.git</param>
-    <param name="versionformat">27.5.1_ce_%h</param>
-    <param name="revision">v27.5.1</param>
+    <param name="versionformat">28.3.2_ce_%h</param>
+    <param name="revision">v28.3.2</param>
     <param name="filename">docker</param>
   </service>
   <service name="tar_scm" mode="manual">
     <param name="url">https://github.com/docker/cli.git</param>
     <param name="scm">git</param>
     <param name="exclude">.git</param>
-    <param name="versionformat">27.5.1_ce</param>
-    <param name="revision">v27.5.1</param>
+    <param name="versionformat">28.3.2_ce</param>
+    <param name="revision">v28.3.2</param>
     <param name="filename">docker-cli</param>
   </service>
   <service name="tar_scm" mode="manual">
     <param name="url">https://github.com/docker/buildx.git</param>
     <param name="scm">git</param>
     <param name="exclude">.git</param>
-    <param name="versionformat">0.20.1</param>
-    <param name="revision">v0.20.1</param>
+    <param name="versionformat">0.25.0</param>
+    <param name="revision">v0.25.0</param>
     <param name="filename">docker-buildx</param>
   </service>
   <service name="recompress" mode="manual">

docker.changes

@@ -1,3 +1,255 @@
+-------------------------------------------------------------------
+Thu Jul 17 04:32:55 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to Go 1.24 for builds, to match upstream.
+
+-------------------------------------------------------------------
+Wed Jul  9 19:54:47 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to Docker 28.3.2-ce. See upstream changelog online at
+  <https://docs.docker.com/engine/release-notes/28/#2832>
+
+-------------------------------------------------------------------
+Thu Jul  3 01:24:33 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to Docker 28.3.1-ce. See upstream changelog online at
+  <https://docs.docker.com/engine/release-notes/28/#2831>
+
+-------------------------------------------------------------------
+Wed Jun 25 15:33:36 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to Docker 28.3.0-ce. See upstream changelog online at
+  <https://docs.docker.com/engine/release-notes/28/#2830>
+  bsc#1246556
+- Rebase patches:
+ * 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
+ * 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+ * 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+ * 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
+ * 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+ * 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
+
+-------------------------------------------------------------------
+Mon Jun 23 12:46:53 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+[ This update is a no-op, only needed to work around unfortunate automated
+  packaging script behaviour on SLES. ]
+
+- The following patches were removed in openSUSE in the Docker 28.1.1-ce
+  update, but the patch names were later renamed in a SLES-only update before
+  Docker 28.1.1-ce was submitted to SLES.
+
+  This causes the SLES build scripts to refuse the update because the patches
+  are not referenced in the changelog. There is no obvious place to put the
+  patch removals (the 28.1.1-ce update removing the patches chronologically
+  predates their renaming in SLES), so they are included here a dummy changelog
+  entry to work around the issue.
+
+  - 0007-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch
+  - 0008-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
+
+-------------------------------------------------------------------
+Wed Jun 18 06:22:56 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to docker-buildx v0.25.0. Upstream changelog:
+  <https://github.com/docker/buildx/releases/tag/v0.25.0>
+
+-------------------------------------------------------------------
+Thu Jun  5 16:12:14 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Do not try to inject SUSEConnect secrets when in Rootless Docker mode, as
+  Docker does not have permission to access the host zypper credentials in this
+  mode (and unprivileged users cannot disable the feature using
+  /etc/docker/suse-secrets-enable.) bsc#1240150
+
+  * 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+
+- Rebase patches:
+  * 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
+  * 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+  * 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
+  * 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+  * 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
+
+-------------------------------------------------------------------
+Wed Jun  4 05:21:19 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Always clear SUSEConnect suse_* secrets when starting containers regardless
+  of whether the daemon was built with SUSEConnect support. Not doing this
+  causes containers from SUSEConnect-enabled daemons to fail to start when
+  running with SUSEConnect-disabled (i.e. upstream) daemons.
+
+  This was a long-standing issue with our secrets support but until recently
+  this would've required migrating from SLE packages to openSUSE packages
+  (which wasn't supported). However, as SLE Micro 6.x and SLES 16 will move
+  away from in-built SUSEConnect support, this is now a practical issue users
+  will run into. bsc#1244035
+
+  + 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
+
+- Rearrange patches:
+  - 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+  + 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+  - 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+  + 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+  - 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
+  + 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
+  - 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+  + 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+  - 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
+  + 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
+
+-------------------------------------------------------------------
+Wed Jun  4 05:21:18 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+[NOTE: This update was only ever released in SLES and Leap.]
+
+- Always clear SUSEConnect suse_* secrets when starting containers regardless
+  of whether the daemon was built with SUSEConnect support. Not doing this
+  causes containers from SUSEConnect-enabled daemons to fail to start when
+  running with SUSEConnect-disabled (i.e. upstream) daemons.
+
+  This was a long-standing issue with our secrets support but until recently
+  this would've required migrating from SLE packages to openSUSE packages
+  (which wasn't supported). However, as SLE Micro 6.x and SLES 16 will move
+  away from in-built SUSEConnect support, this is now a practical issue users
+  will run into. bsc#1244035
+
+  + 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
+
+- Rearrange patches:
+  - 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+  + 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+  - 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+  + 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+  - 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
+  + 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
+  - 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+  + 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+  - 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
+  + 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
+  - 0006-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch
+  + 0007-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch
+  - 0007-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
+  + 0008-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
+
+-------------------------------------------------------------------
+Fri May 30 17:55:22 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to Docker 28.2.2-ce. See upstream changelog online at
+  <https://docs.docker.com/engine/release-notes/28/#2822>
+- Rebase patches:
+ * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+ * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+ * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
+ * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+ * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
+
+-------------------------------------------------------------------
+Fri May 30 09:26:40 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to Docker 28.2.1-ce. See upstream changelog online at
+  <https://docs.docker.com/engine/release-notes/28/#2820> bsc#1243833
+  <https://github.com/moby/moby/releases/tag/v28.2.1>
+- Rebase patches:
+ * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+ * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+ * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
+ * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+ * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
+
+-------------------------------------------------------------------
+Thu May 22 12:48:59 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to docker-buildx v0.24.0. Upstream changelog:
+  <https://github.com/docker/buildx/releases/tag/v0.24.0>
+
+-------------------------------------------------------------------
+Thu May  1 16:27:28 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to Docker 28.1.1-ce. See upstream changelog online at
+  <https://docs.docker.com/engine/release-notes/28/#2811> bsc#1242114
+  Includes upstream fixes:
+   - CVE-2025-22872 bsc#1241830
+- Remove long-outdated build handling for deprecated and unsupported
+  devicemapper and AUFS storage drivers. AUFS was removed in v24, and
+  devicemapper was removed in v25.
+  <https://docs.docker.com/engine/deprecated/#aufs-storage-driver>
+- Rebase patches:
+ * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+ * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+ * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
+ * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+ * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
+- Remove upstreamed patches:
+ - 0006-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch
+ - 0007-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
+ - cli-0001-docs-include-required-tools-in-source-tree.patch
+
+-------------------------------------------------------------------
+Mon Apr 28 18:22:47 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to docker-buildx v0.23.0. Upstream changelog:
+  <https://github.com/docker/buildx/releases/tag/v0.23.0>
+
+-------------------------------------------------------------------
+Thu Apr 10 03:18:42 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to docker-buildx v0.22.0. Upstream changelog:
+  <https://github.com/docker/buildx/releases/tag/v0.22.0>
+  * Includes fixes for CVE-2025-0495. bsc#1239765
+
+-------------------------------------------------------------------
+Thu Apr 10 03:09:38 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Disable transparent SUSEConnect support for SLE-16. PED-12534
+
+  When this patchset was first added in 2013 (and rewritten over the years),
+  there was no upstream way to easily provide SLE customers with a way to build
+  container images based on SLE using the host subscription. However, with
+  docker-buildx you can now define secrets for builds (this is not entirely
+  transparent, but we can easily document this new requirement for SLE-16).
+
+  Users should use
+
+    RUN --mount=type=secret,id=SCCcredentials zypper -n ...
+
+  in their Dockerfiles, and
+
+    docker buildx build --secret id=SCCcredentials,src=/etc/zypp/credentials.d/SCCcredentials,type=file .
+
+  when doing their builds.
+
+- Now that the only blocker for docker-buildx support was removed for SLE-16,
+  enable docker-buildx for SLE-16 as well. PED-8905
+
+-------------------------------------------------------------------
+Wed Mar 26 02:36:16 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Don't use the new container-selinux conditional requires on SLE-12, as the
+  RPM version there doesn't support it. Arguably the change itself is a bit
+  suspect but we can fix that later. bsc#1237367
+
+-------------------------------------------------------------------
+Tue Mar 25 01:11:54 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Add backport for golang.org/x/oauth2 CVE-2025-22868 fix. bsc#1239185
+  + 0006-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch
+- Add backport for golang.org/x/crypto CVE-2025-22869 fix. bsc#1239322
+  + 0007-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
+- Refresh patches:
+  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
+  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+  * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
+
+-------------------------------------------------------------------
+Thu Mar 20 16:09:49 UTC 2025 - Fabian Vogt <fvogt@suse.com>
+
+- Make container-selinux requirement conditional on selinux-policy
+  (bsc#1237367)
+
 -------------------------------------------------------------------
 Wed Feb 19 04:28:34 UTC 2025 - Aleksa Sarai <asarai@suse.com>
 

docker.spec

@@ -23,11 +23,11 @@
 # built for actual users.
 %bcond_with     integration_tests
 
-%if 0%{?is_opensuse} == 0
+%if 0%{?is_opensuse} == 0 && 0%{?suse_version} < 1600
 # SUSEConnect support ("SUSE secrets") only makes sense for SLES hosts.
 %bcond_without  suseconnect
 # There is currently a known bug between buildx and SUSE secrets, so we don't
-# package docker-buildx for SLES. bsc#1233819
+# package docker-buildx for SLES<16. bsc#1233819
 %bcond_with     buildx
 %else
 %bcond_with     suseconnect
@@ -51,8 +51,8 @@
 %endif
 
 # MANUAL: This needs to be updated with every docker update.
-%define docker_real_version 27.5.1
-%define docker_git_version 4c9b3b011ae4
+%define docker_real_version 28.3.2
+%define docker_git_version e77ff99ed
 %define docker_version %{docker_real_version}_ce
 # This "nice version" is so that docker --version gives a result that can be
 # parsed by other people. boo#1182476
@@ -60,7 +60,7 @@
 
 %if %{with buildx}
 # MANUAL: This needs to be updated with every docker-buildx update.
-%define buildx_version 0.20.1
+%define buildx_version 0.25.0
 %endif
 
 # Used when generating the "build" information for Docker version. The value of
@@ -68,7 +68,7 @@
 # helpfully injects into our build environment from the changelog). If you want
 # to generate a new git_commit_epoch, use this:
 #  $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s'
-%define git_commit_epoch 1737503210
+%define git_commit_epoch 1752057183
 
 Name:           docker%{flavour}
 Version:        %{docker_version}
@@ -96,20 +96,18 @@ Source900:      docker-integration.sh
 #       branch and then git-format-patch the patch here.
 # SUSE-FEATURE: Adds the /run/secrets mountpoint inside all Docker containers
 #               which is not snapshotted when images are committed.
-Patch100:       0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
-Patch101:       0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+Patch100:       0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
+Patch101:       0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+Patch102:       0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
 # UPSTREAM: Revert of upstream patch to keep SLE-12 build working.
-Patch200:       0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
+Patch200:       0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
 # UPSTREAM: Backport of <https://github.com/moby/moby/pull/41954>.
-Patch201:       0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+Patch201:       0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
 # UPSTREAM: Revert of upstream patches to make apparmor work on SLE 12.
-Patch202:       0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
-# UPSTREAM: Backport of <https://github.com/docker/cli/pull/4228>.
-Patch900:       cli-0001-docs-include-required-tools-in-source-tree.patch
+Patch202:       0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
 BuildRequires:  audit
 BuildRequires:  bash-completion
 BuildRequires:  ca-certificates
-BuildRequires:  device-mapper-devel >= 1.2.68
 BuildRequires:  fdupes
 %if %{with apparmor}
 BuildRequires:  libapparmor-devel
@@ -124,10 +122,10 @@ BuildRequires:  procps
 BuildRequires:  sqlite3-devel
 BuildRequires:  sysuser-tools
 BuildRequires:  zsh
-BuildRequires:  golang(API) = 1.22
+BuildRequires:  golang(API) = 1.24
 BuildRequires:  pkgconfig(libsystemd)
 %if %{with apparmor}
-%if 0%{?sle_version} >= 150000
+%if 0%{?suse_version} >= 1500
 # This conditional only works on rpm>=4.13, which SLE 12 doesn't have. But we
 # don't need to support Docker+selinux for SLE 12 anyway.
 Requires:       (apparmor-parser or container-selinux)
@@ -141,8 +139,14 @@ Recommends:     apparmor-parser
 Requires:       apparmor-parser
 %endif
 %else
+%if 0%{?suse_version} >= 1500
+# This conditional only works on rpm>=4.13, which SLE 12 doesn't have. But we
+# don't need to support Docker+selinux for SLE 12 anyway.
+Requires:       (container-selinux if selinux-policy)
+%else
 Requires:       container-selinux
 %endif
+%endif
 Requires:       ca-certificates-mozilla
 # The docker-proxy binary used to be in a separate package. We obsolete it,
 # since now docker-proxy is maintained as part of this package.
@@ -163,8 +167,6 @@ Requires:       containerd >= 1.7.3
 # Needed for --init support. We don't use "tini", we use our own implementation
 # which handles edge-cases better.
 Requires:       catatonit
-# Provides mkfs.ext4 - used by Docker when devicemapper storage driver is used
-Requires:       e2fsprogs
 Requires:       iproute2 >= 3.5
 Requires:       iptables >= 1.4
 Requires:       procps
@@ -179,10 +181,6 @@ Requires:       %{name}-buildx
 Requires(post): %fillup_prereq
 Requires(post): udev
 Requires(post): shadow
-# Not necessary, but must be installed when the underlying system is
-# configured to use lvm and the user doesn't explicitly provide a
-# different storage-driver than devicemapper
-Recommends:     lvm2 >= 2.2.89
 Recommends:     %{name}-rootless-extras
 Recommends:     git-core >= 1.7
 ExcludeArch:    s390 ppc
@@ -332,8 +330,6 @@ Fish command line completion support for %{name}.
 %define cli_builddir %{_builddir}/docker-cli-%{docker_version}
 %setup -q -T -b 1 -n docker-cli-%{docker_version}
 [ "%{cli_builddir}" = "$PWD" ]
-# offline manpages
-%patch -P900 -p1
 
 %if %{with buildx}
 # docker-buildx
@@ -349,10 +345,12 @@ Fish command line completion support for %{name}.
 # README_SUSE.md for documentation.
 cp %{SOURCE130} .
 
+# bsc#1244035 (secrets patch to remove unreferenced secrets -- always applies).
+%patch -P100 -p1
 %if %{with suseconnect}
 # PATCH-SUSE: Secrets patches.
-%patch -P100 -p1
 %patch -P101 -p1
+%patch -P102 -p1
 %endif
 %if 0%{?sle_version} == 120000
 # Patches to build on SLE-12.
@@ -366,14 +364,7 @@ cp %{SOURCE130} .
 %build
 %sysusers_generate_pre %{SOURCE160} %{name} docker.conf
 
-BUILDTAGS="exclude_graphdriver_aufs apparmor selinux seccomp pkcs11"
-%if 0%{?sle_version} == 120000
-	# Allow us to build with older distros but still have deferred removal
-	# support at runtime. We only use this when building on SLE12, because
-	# later openSUSE/SLE versions have a new enough libdevicemapper to not
-	# require the runtime checking.
-	BUILDTAGS="libdm_dlsym_deferred_remove $BUILDTAGS"
-%endif
+BUILDTAGS="apparmor selinux seccomp pkcs11"
 
 export AUTO_GOPATH=1
 # Make sure we always build PIC code. bsc#1048046
@@ -396,6 +387,8 @@ pushd "%{docker_builddir}"
 cp {vendor,go}.mod
 cp {vendor,go}.sum
 ./hack/make.sh dynbinary
+# dockerd man page
+GO_MD2MAN=go-md2man make -C ./man/
 
 %if %{with integration_tests}
 # build test binaries for integration tests
@@ -488,12 +481,12 @@ install -D -m0640 %{SOURCE140} %{buildroot}%{_sysconfdir}/audit/rules.d/docker.r
 install -D -m0644 %{SOURCE120} %{buildroot}%{_fillupdir}/sysconfig.docker
 
 # install manpages (using the ones from the engine)
-install -d %{buildroot}%{_mandir}/man1
-install -p -m0644 %{cli_builddir}/man/man1/*.1 %{buildroot}%{_mandir}/man1
-install -d %{buildroot}%{_mandir}/man5
-install -p -m0644 %{cli_builddir}/man/man5/Dockerfile.5 %{buildroot}%{_mandir}/man5
-install -d %{buildroot}%{_mandir}/man8
-install -p -m0644 %{cli_builddir}/man/man8/*.8 %{buildroot}%{_mandir}/man8
+for mansrcdir in %{cli_builddir}/man/man[1-9] %{docker_builddir}/man/man[1-9]
+do
+	section="$(basename $mansrcdir)"
+	install -d %{buildroot}%{_mandir}/$section
+	install -p -m0644 $mansrcdir/* %{buildroot}%{_mandir}/$section
+done
 
 # sysusers.d
 install -D -m0644 %{SOURCE160} %{buildroot}%{_sysusersdir}/docker.conf
@@ -570,10 +563,7 @@ grep -q '^dockremap:' /etc/subgid || \
 %config %{_sysconfdir}/audit/rules.d/docker.rules
 %{_udevrulesdir}/80-docker.rules
 
-%{_mandir}/man1/docker-*.1%{ext_man}
-%{_mandir}/man1/docker.1%{ext_man}
-%{_mandir}/man5/Dockerfile.5%{ext_man}
-%{_mandir}/man8/dockerd.8%{ext_man}
+%{_mandir}/man*/*%{ext_man}
 
 %if %{with buildx}
 %files buildx