Accepting request 1230150 from Virtualization:containers

OBS-URL: https://build.opensuse.org/request/show/1230150
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/docker-stable?expand=0&rev=4
This commit is contained in:
Ana Guerrero 2024-12-12 20:17:51 +00:00 committed by Git OBS Bridge
commit 0b754a6ceb
17 changed files with 591 additions and 84 deletions


@ -1,7 +1,8 @@
From 947743a263df2f482db763db568f39aab2970b2d Mon Sep 17 00:00:00 2001 From a94378d92f7ef523b17aa399ce83b27f7986980f Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de> From: Aleksa Sarai <asarai@suse.de>
Date: Wed, 8 Mar 2017 12:41:54 +1100 Date: Wed, 8 Mar 2017 12:41:54 +1100
Subject: [PATCH 1/9] SECRETS: daemon: allow directory creation in /run/secrets Subject: [PATCH 01/13] SECRETS: daemon: allow directory creation in
/run/secrets
Since FileMode can have the directory bit set, allow a SecretStore Since FileMode can have the directory bit set, allow a SecretStore
implementation to return secrets that are actually directories. This is implementation to return secrets that are actually directories. This is
@ -69,5 +70,5 @@ index 290ec59a34a7..b7013fb89c83 100644
return errors.Wrap(err, "error setting ownership for secret") return errors.Wrap(err, "error setting ownership for secret")
} }
-- --
2.46.0 2.47.0


@ -1,7 +1,7 @@
From 24afdcdb967fbb6e108b452d2e05e917d29cb184 Mon Sep 17 00:00:00 2001 From 009cad241857541779baa2a9fae8291597dc85f8 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de> From: Aleksa Sarai <asarai@suse.de>
Date: Wed, 8 Mar 2017 11:43:29 +1100 Date: Wed, 8 Mar 2017 11:43:29 +1100
Subject: [PATCH 2/9] SECRETS: SUSE: implement SUSE container secrets Subject: [PATCH 02/10] SECRETS: SUSE: implement SUSE container secrets
This allows for us to pass in host credentials to a container, allowing This allows for us to pass in host credentials to a container, allowing
for SUSEConnect to work with containers. for SUSEConnect to work with containers.
@ -14,12 +14,12 @@ THIS PATCH IS NOT TO BE UPSTREAMED, DUE TO THE FACT THAT IT IS
SUSE-SPECIFIC, AND UPSTREAM DOES NOT APPROVE OF THIS CONCEPT BECAUSE IT SUSE-SPECIFIC, AND UPSTREAM DOES NOT APPROVE OF THIS CONCEPT BECAUSE IT
MAKES BUILDS NOT ENTIRELY REPRODUCIBLE. MAKES BUILDS NOT ENTIRELY REPRODUCIBLE.
SUSE-Bugs: bsc#1065609 bsc#1057743 bsc#1055676 bsc#1030702 SUSE-Bugs: bsc#1065609 bsc#1057743 bsc#1055676 bsc#1030702 bsc#1231348
Signed-off-by: Aleksa Sarai <asarai@suse.de> Signed-off-by: Aleksa Sarai <asarai@suse.de>
--- ---
daemon/start.go | 5 + daemon/start.go | 5 +
daemon/suse_secrets.go | 439 +++++++++++++++++++++++++++++++++++++++++ daemon/suse_secrets.go | 461 +++++++++++++++++++++++++++++++++++++++++
2 files changed, 444 insertions(+) 2 files changed, 466 insertions(+)
create mode 100644 daemon/suse_secrets.go create mode 100644 daemon/suse_secrets.go
diff --git a/daemon/start.go b/daemon/start.go diff --git a/daemon/start.go b/daemon/start.go
@ -40,10 +40,10 @@ index 2e0b9e6be847..dca04486888f 100644
return errdefs.System(err) return errdefs.System(err)
diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go
new file mode 100644 new file mode 100644
index 000000000000..f003299522df index 000000000000..85b37bf46544
--- /dev/null --- /dev/null
+++ b/daemon/suse_secrets.go +++ b/daemon/suse_secrets.go
@@ -0,0 +1,439 @@ @@ -0,0 +1,461 @@
+/* +/*
+ * suse-secrets: patch for Docker to implement SUSE secrets + * suse-secrets: patch for Docker to implement SUSE secrets
+ * Copyright (C) 2017-2021 SUSE LLC. + * Copyright (C) 2017-2021 SUSE LLC.
@ -86,12 +86,46 @@ index 000000000000..f003299522df
+ "github.com/sirupsen/logrus" + "github.com/sirupsen/logrus"
+) +)
+ +
+const suseSecretsTogglePath = "/etc/docker/suse-secrets-enable"
+
+// parseEnableFile parses a file that can only contain "0" or "1" (with some
+// whitespace).
+func parseEnableFile(path string) (bool, error) {
+ data, err := os.ReadFile(path)
+ if err != nil {
+ return false, err
+ }
+ data = bytes.TrimSpace(data)
+
+ switch value := string(data); value {
+ case "1":
+ return true, nil
+ case "0", "":
+ return false, nil
+ default:
+ return false, fmt.Errorf("invalid value %q (must be 0 to disable or 1 to enable)", value)
+ }
+}
+
+func isSuseSecretsEnabled() bool {
+ value, err := parseEnableFile(suseSecretsTogglePath)
+ if err != nil {
+ logrus.Warnf("SUSE:secrets :: error parsing %s: %v -- disabling SUSE secrets", suseSecretsTogglePath, err)
+ value = false
+ }
+ return value
+}
+
+var suseSecretsEnabled = true
+
+func init() { +func init() {
+ // Output to tell us in logs that SUSE:secrets is enabled. + // Make this entire feature toggle-able so that users can disable it if
+ if isSuseSecretEnabled() { + // they run into issues like bsc#1231348.
+ logrus.Infof("SUSE:secrets :: enabled") + suseSecretsEnabled = isSuseSecretsEnabled()
+ if suseSecretsEnabled {
+ logrus.Infof("SUSE:secrets :: SUSEConnect support enabled (set %s to 0 to disable)", suseSecretsTogglePath)
+ } else { + } else {
+ logrus.Infof("SUSE:secrets :: disabled by DOCKER_SUSE_SECRETS_ENABLE=0") + logrus.Infof("SUSE:secrets :: SUSEConnect support disabled by %s", suseSecretsTogglePath)
+ } + }
+} +}
+ +
@ -408,7 +442,7 @@ index 000000000000..f003299522df
+ var without []*swarmtypes.SecretReference + var without []*swarmtypes.SecretReference
+ for _, secret := range c.SecretReferences { + for _, secret := range c.SecretReferences {
+ if strings.HasPrefix(secret.SecretID, "suse") { + if strings.HasPrefix(secret.SecretID, "suse") {
+ logrus.Warnf("SUSE:secrets :: removing 'old' suse secret %q from container %q", secret.SecretID, c.ID) + logrus.Debugf("SUSE:secrets :: removing 'old' suse secret %q from container %q", secret.SecretID, c.ID)
+ continue + continue
+ } + }
+ without = append(without, secret) + without = append(without, secret)
@ -416,24 +450,18 @@ index 000000000000..f003299522df
+ c.SecretReferences = without + c.SecretReferences = without
+} +}
+ +
+func isSuseSecretEnabled() bool {
+ env := os.Getenv("DOCKER_SUSE_SECRETS_ENABLE")
+ switch env {
+ case "0", "no":
+ return false
+ default:
+ logrus.Errorf("SUSE:secrets :: DOCKER_SUSE_SECRETS_ENABLE=%q is an invalid value, keeping SUSE secrets enabled", env)
+ fallthrough
+ case "", "1", "yes":
+ return true
+ }
+}
+
+func (daemon *Daemon) injectSuseSecretStore(c *container.Container) error { +func (daemon *Daemon) injectSuseSecretStore(c *container.Container) error {
+ // Allow users to disable SUSE secrets in cases where they don't need it + // We drop any "old" SUSE secrets, as it appears that old containers (when
+ // (in principle you only really need containers-suseconnect when you're + // restarted) could still have references to old secrets. The .id() of all
+ // building images). bsc#1231348 + // secrets have a prefix of "suse" so this is much easier. See bsc#1057743
+ if !isSuseSecretEnabled() { + // for details on why this could cause issues.
+ removeSuseSecrets(c)
+
+ // Don't inject anything if the administrator has disabled suse secrets.
+ // However, for previous existing containers we need to remove old secrets
+ // (see above), otherwise they will still have old secret data.
+ if !suseSecretsEnabled {
+ logrus.Debugf("SUSE:secrets :: skipping injection of secrets into container %q because of %s", c.ID, suseSecretsTogglePath)
+ return nil + return nil
+ } + }
+ +
@ -446,12 +474,6 @@ index 000000000000..f003299522df
+ newDependencyStore.dfl = emptyStore + newDependencyStore.dfl = emptyStore
+ } + }
+ +
+ // We drop any "old" SUSE secrets, as it appears that old containers (when
+ // restarted) could still have references to old secrets. The .id() of all
+ // secrets have a prefix of "suse" so this is much easier. See bsc#1057743
+ // for details on why this could cause issues.
+ removeSuseSecrets(c)
+
+ secrets, err := getHostSuseSecretData() + secrets, err := getHostSuseSecretData()
+ if err != nil { + if err != nil {
+ return err + return err
@ -484,5 +506,5 @@ index 000000000000..f003299522df
+ return nil + return nil
+} +}
-- --
2.47.0 2.47.1
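Review bot: In the suse_secrets.go hunk, `isSuseSecretsEnabled` cannot tell an absent /etc/docker/suse-secrets-enable from a malformed one: `parseEnableFile` passes the raw `os.ReadFile` error through, so a missing file disables the feature (the right fail-closed default for host credentials) but is logged at Warn level as an "error parsing", which is precisely how docker-integration.sh in this same commit disables secrets, by renaming the file. Checking `errors.Is(err, os.ErrNotExist)` first and logging that case at Info keeps the warning for genuinely bad content (the `errors` import is outside the hunk, so confirm it is available). The `var suseSecretsEnabled = true` initialiser is overwritten unconditionally by init(), so it suggests an enabled-by-default that only holds if the package ships the file containing 1, which this hunk cannot show; a comment on the var saying the effective default is decided by init() would avoid that reading. The previous revision of this patch honoured `DOCKER_SUSE_SECRETS_ENABLE` and the new code ignores it silently; a one-line `logrus.Warnf` in init() when that variable is set would tell administrators why their sysconfig setting no longer has any effect. `injectSuseSecretStore` continues outside the hunk.
```go
func isSuseSecretsEnabled() bool {
	value, err := parseEnableFile(suseSecretsTogglePath)
	if errors.Is(err, os.ErrNotExist) {
		// An absent toggle file is an intentional "disabled", not a parse error.
		logrus.Infof("SUSE:secrets :: %s does not exist -- disabling SUSE secrets", suseSecretsTogglePath)
		return false
	}
	if err != nil {
		logrus.Warnf("SUSE:secrets :: error parsing %s: %v -- disabling SUSE secrets", suseSecretsTogglePath, err)
		return false
	}
	return value
}
```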


@ -1,8 +1,8 @@
From c1889321c8c598a177f076d52319c6fbd2fe8e1b Mon Sep 17 00:00:00 2001 From 7824330a0012e6b1d9b00db40a7c58b42d6adbfd Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de> From: Aleksa Sarai <asarai@suse.de>
Date: Mon, 22 May 2023 15:44:54 +1000 Date: Mon, 22 May 2023 15:44:54 +1000
Subject: [PATCH 3/9] BUILD: SLE12: revert "graphdriver/btrfs: use kernel UAPI Subject: [PATCH 03/13] BUILD: SLE12: revert "graphdriver/btrfs: use kernel
headers" UAPI headers"
This reverts commit 3208dcabdc8997340b255f5b880fef4e3f54580d. This reverts commit 3208dcabdc8997340b255f5b880fef4e3f54580d.
@ -42,5 +42,5 @@ index d88efc4be2bb..4e976aa689cd 100644
static void set_name_btrfs_ioctl_vol_args_v2(struct btrfs_ioctl_vol_args_v2* btrfs_struct, const char* value) { static void set_name_btrfs_ioctl_vol_args_v2(struct btrfs_ioctl_vol_args_v2* btrfs_struct, const char* value) {
snprintf(btrfs_struct->name, BTRFS_SUBVOL_NAME_MAX, "%s", value); snprintf(btrfs_struct->name, BTRFS_SUBVOL_NAME_MAX, "%s", value);
-- --
2.46.0 2.47.0


@ -1,7 +1,7 @@
From d653a55bf541f5a12927a981c59c4134614e8bc0 Mon Sep 17 00:00:00 2001 From 5deaa3fad88f7a6d8d5d342e23d3e2027571b9e2 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de> From: Aleksa Sarai <asarai@suse.de>
Date: Fri, 29 Jun 2018 17:59:30 +1000 Date: Fri, 29 Jun 2018 17:59:30 +1000
Subject: [PATCH 4/9] bsc1073877: apparmor: clobber docker-default profile on Subject: [PATCH 04/13] bsc1073877: apparmor: clobber docker-default profile on
start start
In the process of making docker-default reloading far less expensive, In the process of making docker-default reloading far less expensive,
@ -85,5 +85,5 @@ index 585d85086f8d..6e4c6ad1ac01 100644
} }
-- --
2.46.0 2.47.0


@ -1,8 +1,8 @@
From 700e0e1fb127504d2524bbea962b07430dab2df2 Mon Sep 17 00:00:00 2001 From 6e3d78c8d9f569ed7142994a802e2bce988b59bf Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de> From: Aleksa Sarai <asarai@suse.de>
Date: Wed, 11 Oct 2023 21:19:12 +1100 Date: Wed, 11 Oct 2023 21:19:12 +1100
Subject: [PATCH 5/9] SLE12: revert "apparmor: remove version-conditionals from Subject: [PATCH 05/13] SLE12: revert "apparmor: remove version-conditionals
template" from template"
This reverts the following commits: This reverts the following commits:
@ -237,5 +237,5 @@ index 9f207e2014a8..626e5f6789a3 100644
} }
` `
-- --
2.46.0 2.47.0


@ -1,7 +1,7 @@
From fe759bf0da0b91a65aeb7e11fd86ee087a7d23d5 Mon Sep 17 00:00:00 2001 From d3d04b94a209b056c30bec37ce9dd42f646ebd54 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dcermak@suse.com> From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dcermak@suse.com>
Date: Tue, 13 Feb 2024 16:57:32 +0100 Date: Tue, 13 Feb 2024 16:57:32 +0100
Subject: [PATCH 6/9] CVE-2024-23653: update buildkit to include CVE patches Subject: [PATCH 06/13] CVE-2024-23653: update buildkit to include CVE patches
MIME-Version: 1.0 MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8 Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit Content-Transfer-Encoding: 8bit
@ -3146,5 +3146,5 @@ index dd3fb54fefd2..2a3b597c5858 100644
resenje.org/singleflight resenje.org/singleflight
+# github.com/moby/buildkit => github.com/cyphar/buildkit v0.0.0-20240814025459-5d3afed3f7b4 +# github.com/moby/buildkit => github.com/cyphar/buildkit v0.0.0-20240814025459-5d3afed3f7b4
-- --
2.46.0 2.47.0


@ -1,7 +1,7 @@
From 9c6101a7e554d6e09983ec59d631390568c664d1 Mon Sep 17 00:00:00 2001 From 7719675180f785c4e92df7efc25df9adc882b289 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <cyphar@cyphar.com> From: Aleksa Sarai <cyphar@cyphar.com>
Date: Thu, 2 May 2024 22:50:23 +1000 Date: Thu, 2 May 2024 22:50:23 +1000
Subject: [PATCH 7/9] bsc1221916: update to patched buildkit version to fix Subject: [PATCH 07/13] bsc1221916: update to patched buildkit version to fix
symlink resolution symlink resolution
SUSE-Bugs: https://bugzilla.suse.com/show_bug.cgi?id=1221916 SUSE-Bugs: https://bugzilla.suse.com/show_bug.cgi?id=1221916
@ -894,5 +894,5 @@ index 2a3b597c5858..335c85392288 100644
-# github.com/moby/buildkit => github.com/cyphar/buildkit v0.0.0-20240814025459-5d3afed3f7b4 -# github.com/moby/buildkit => github.com/cyphar/buildkit v0.0.0-20240814025459-5d3afed3f7b4
+# github.com/moby/buildkit => github.com/cyphar/buildkit v0.0.0-20240814030244-ea1ca9670261 +# github.com/moby/buildkit => github.com/cyphar/buildkit v0.0.0-20240814030244-ea1ca9670261
-- --
2.46.0 2.47.0


@ -1,7 +1,7 @@
From b50a8d343af0323ad2e615b652d8a653a14b2232 Mon Sep 17 00:00:00 2001 From b6213c77313f15ac74a551b9a03670fce06280fb Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <cyphar@cyphar.com> From: Aleksa Sarai <cyphar@cyphar.com>
Date: Wed, 19 Jun 2024 16:30:49 +1000 Date: Wed, 19 Jun 2024 16:30:49 +1000
Subject: [PATCH 8/9] bsc1214855: volume: use AtomicWriteFile to save volume Subject: [PATCH 08/13] bsc1214855: volume: use AtomicWriteFile to save volume
options options
If the system (or Docker) crashes while saivng the volume options, on If the system (or Docker) crashes while saivng the volume options, on
@ -49,5 +49,5 @@ index b4f3a3669a84..077b26f1b813 100644
return errdefs.System(errors.Wrap(err, "error while persisting volume options")) return errdefs.System(errors.Wrap(err, "error while persisting volume options"))
} }
-- --
2.46.0 2.47.0


@ -1,7 +1,7 @@
From c005f7c2a1ec8061d15ba0e3d4db23c3fa9838e5 Mon Sep 17 00:00:00 2001 From 989f5ae4dea1619b7e1d7ec7f9cac8d64b3a2209 Mon Sep 17 00:00:00 2001
From: Jameson Hyde <jameson.hyde@docker.com> From: Jameson Hyde <jameson.hyde@docker.com>
Date: Mon, 26 Nov 2018 14:15:22 -0500 Date: Mon, 26 Nov 2018 14:15:22 -0500
Subject: [PATCH 9/9] CVE-2024-41110: AuthZ plugin securty fixes Subject: [PATCH 09/13] CVE-2024-41110: AuthZ plugin securty fixes
MIME-Version: 1.0 MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8 Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit Content-Transfer-Encoding: 8bit
@ -205,5 +205,5 @@ index 835cb703839b..8bfe44e1a840 100644
} }
} }
-- --
2.46.0 2.47.0


@ -0,0 +1,65 @@
From 971d5a3b8431c9263060b12c6b131ebb8158a389 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <cyphar@cyphar.com>
Date: Thu, 21 Nov 2024 20:00:07 +1100
Subject: [PATCH 10/10] TESTS: backport fixes for integration tests
We need a couple of patches to make the tests work on SLES:
* 143b3b2ef3d0 ("test: update registry version to latest")
* 1a453abfb172 ("integration-cli: don't skip AppArmor tests on SLES")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
---
Dockerfile | 2 +-
integration-cli/requirements_test.go | 3 ---
testutil/registry/registry.go | 4 +++-
3 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 463d5cfc1a86..7a23962af09b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -59,7 +59,7 @@ WORKDIR /go/src/github.com/docker/distribution
# from the https://github.com/docker/distribution repository. This version of
# the registry is used to test both schema 1 and schema 2 manifests. Generally,
# the version specified here should match a current release.
-ARG REGISTRY_VERSION=v2.3.0
+ARG REGISTRY_VERSION=v2.8.2
# REGISTRY_VERSION_SCHEMA1 specifies the version of the registry to build and
# install from the https://github.com/docker/distribution repository. This is
# an older (pre v2.3.0) version of the registry that only supports schema1
diff --git a/integration-cli/requirements_test.go b/integration-cli/requirements_test.go
index 2313272d7704..e5f72397e1bc 100644
--- a/integration-cli/requirements_test.go
+++ b/integration-cli/requirements_test.go
@@ -85,9 +85,6 @@ func Network() bool {
}
func Apparmor() bool {
- if strings.HasPrefix(testEnv.DaemonInfo.OperatingSystem, "SUSE Linux Enterprise Server ") {
- return false
- }
buf, err := os.ReadFile("/sys/module/apparmor/parameters/enabled")
return err == nil && len(buf) > 1 && buf[0] == 'Y'
}
diff --git a/testutil/registry/registry.go b/testutil/registry/registry.go
index 9213db2ba21a..d8bfe17678a4 100644
--- a/testutil/registry/registry.go
+++ b/testutil/registry/registry.go
@@ -107,10 +107,12 @@ http:
}
binary := V2binary
+ args := []string{"serve", confPath}
if c.schema1 {
binary = V2binarySchema1
+ args = []string{confPath}
}
- cmd := exec.Command(binary, confPath)
+ cmd := exec.Command(binary, args...)
cmd.Stdout = c.stdout
cmd.Stderr = c.stderr
if err := cmd.Start(); err != nil {
--
2.47.1
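Review bot: The testutil/registry/registry.go hunk gives the v2 binary a `serve` subcommand while the schema1 binary keeps the bare config path, with nothing in the code saying why the two differ; a comment on `args := []string{"serve", confPath}` such as `// the registry built from REGISTRY_VERSION takes "serve <config>"; the schema1 build only takes "<config>"` would record the coupling to the Dockerfile's REGISTRY_VERSION bump in the same patch. Note too that docker-integration.sh in this commit builds its `registry-v2` from the v2.8.3 tag while the Dockerfile pins v2.8.2, so the two test environments exercise different registry versions unless that is intentional. The enclosing function in registry.go starts and ends outside the hunk.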


@ -19,8 +19,8 @@
<param name="url">https://github.com/docker/buildx.git</param> <param name="url">https://github.com/docker/buildx.git</param>
<param name="scm">git</param> <param name="scm">git</param>
<param name="exclude">.git</param> <param name="exclude">.git</param>
<param name="versionformat">0.17.1</param> <param name="versionformat">0.19.2</param>
<param name="revision">v0.17.1</param> <param name="revision">v0.19.2</param>
<param name="filename">docker-buildx</param> <param name="filename">docker-buildx</param>
</service> </service>
<service name="recompress" mode="manual"> <service name="recompress" mode="manual">


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:fd0f81752a02e20b611f95a35718bdc44eb1e203e0fd80d7afb87dfd8135c300
size 6445376

docker-buildx-0.19.2.tar.xz (Stored with Git LFS) Normal file


docker-integration.sh Normal file

@ -0,0 +1,294 @@
#!/bin/bash
# docker-integration: run Docker's integration tests
# Copyright (C) 2024 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -Eeuo pipefail
TESTDIR=/usr/src/docker-test
TEST_SRCDIR="$TESTDIR/src"
TEST_BINDIR="$TESTDIR/bin"
TMPROOT="$(mktemp --tmpdir -d docker-integration-tmpdir.XXXXXX)"
TMPDIR="$TMPROOT/tmp"
DEST="$TMPROOT/dest"
mkdir -p "$TMPDIR" "$TEST_BINDIR" "$DEST"
chmod 1777 "$TMPDIR"
chmod 777 "$TMPROOT"
function usage() {
cat >&2 <<-EOF
docker-integration.sh [-Av] [-r TestName] [-t timeout] [<test-suites>...]
Arguments:
-A
Run all tests (do not fail on first suite failure).
-v
Run tests in verbose mode (go test -v).
-r
Only run tests that match the given regular expression (go test -run).
-t <timeout=$timeout>
Set the per-suite timeout to <timeout> (go test -timeout).
<test-suites>...
Only run the given test suites in /usr/src/docker-test. The
default is to run all test suites
Examples:
Run the build and network integration tests with a 60 minute timeout:
./docker-integration.sh -t 60m integration/build integration/network
Run all of the tests in verbose mode with a 6 hour timeout:
./docker-integration.sh -Av -t 360m
This script is maintained by openSUSE in the Virtualization:containers
project, and is only intended to be used by openSUSE developers.
EOF
exit "${1:-1}"
}
fail_fast=1
verbose=
filter=
timeout=20m
while getopts "Ahr:t:v" opt; do
case "$opt" in
A)
fail_fast=
;;
v)
verbose=1
;;
r)
filter="$OPTARG"
;;
t)
timeout="$OPTARG"
;;
h)
usage 0
;;
:)
echo "Missing argument: -$OPTARG" >&2
usage 1
;;
\?)
echo "Invalid option: -$OPTARG" >&2
usage 1
;;
esac
done
pushd "$TEST_SRCDIR"
if [ "$OPTIND" -le "$#" ]; then
SUITES=("${@:$OPTIND:$(($#+1))}")
else
readarray -t SUITES <<<"$(find . -type f -name test.main -printf "%h\n")"
fi
echo "Planning to run suites {${SUITES[*]}}."
# Download the frozen images.
if ! [ -d /docker-frozen-images ]; then
# TODO: Get the hashes from /usr/src/docker-test/Dockerfile...
contrib/download-frozen-image-v2.sh "$TMPDIR/docker-frozen-images" \
busybox:latest@sha256:95cf004f559831017cdf4628aaf1bb30133677be8702a8c5f2994629f637a209 \
busybox:glibc@sha256:1f81263701cddf6402afe9f33fca0266d9fff379e59b1748f33d3072da71ee85 \
debian:bookworm-slim@sha256:2bc5c236e9b262645a323e9088dfa3bb1ecb16cc75811daf40a23a824d665be9 \
hello-world:latest@sha256:d58e752213a51785838f9eed2b7a498ffa1cb3aa7f946dda11af39286c3db9a9 \
arm32v7/hello-world:latest@sha256:50b8560ad574c779908da71f7ce370c0a2471c098d44d1c8f6b513c5a55eeeb1
sudo cp -r "$TMPDIR/docker-frozen-images" /
fi
# Create binaries in $TEST_BINDIR.
if ! [ -e "$TEST_BINDIR/docker-basic-plugin" ]; then
(
pushd "$TEST_SRCDIR/testutil/fixtures/plugin/basic"
[ -f go.mod ] || go mod init docker-basic-plugin
go build -o "$TEST_BINDIR/docker-basic-plugin" .
)
fi
if ! [ -e "$TEST_BINDIR/registry-v2" ]; then
# The v2.x tags of Docker registry don't use go.mod, and pre-date the move
# to github.com/distribution, so we need to create a fake GOPATH with the
# old github.com/docker/distribution import path.
(
# shellcheck disable=SC2030
GOPATH="$(mktemp -d -p "$TMPROOT" distribution-build-gopath.XXXXXX)"
export GOPATH
pushd "$GOPATH"
git clone \
--depth=1 --branch=v2.8.3 \
https://github.com/distribution/distribution.git \
src/github.com/docker/distribution
pushd src/github.com/docker/distribution
GO111MODULE=off go build -o "$TEST_BINDIR/registry-v2" ./cmd/registry
)
fi
if ! [ -e "$TEST_BINDIR/ctr" ]; then
containerd-ctr --help >/dev/null
ln -sf "$(which containerd-ctr)" "$TEST_BINDIR/ctr"
fi
if ! [ -e "$TEST_BINDIR/docker" ]; then
# The integration-cli tests require a Docker 17.06.2 client (from 2017).
# This is mainly because the tests are all based on the specific output the
# client gives, and some tests fail on modern client versions.
(
# shellcheck disable=SC2030
GOPATH="$(mktemp -d -p "$TMPROOT" docker-cli-build-gopath.XXXXXX)"
export GOPATH
pushd "$GOPATH"
# This tag also comes from the time when this was called
# github.com/docker/docker-ce-packaging, so we need to work around this
# by moving the cli component into the right path...
git clone \
--depth=1 --branch=v17.06.2-ce \
https://github.com/docker/cli.git \
src/github.com/docker/docker-ce-packaging
mv \
src/github.com/docker/docker-ce-packaging/components/cli \
src/github.com/docker/cli
pushd src/github.com/docker/cli
GO111MODULE=off go build -o "$TEST_BINDIR/docker" ./cmd/docker
)
fi
# Create an unprivilegeduser account for tests.
if ! ( grep unprivilegeduser /etc/passwd &>/dev/null ); then
useradd --create-home --gid docker unprivilegeduser
fi
# Disable SUSE secrets for tests, as some tests (TestDiff from
# integration/container) will fail if we have secrets injected.
[ -e /etc/docker/suse-secrets-enable ] && \
mv -nv /etc/docker/suse-secrets-enable{,-DISABLED}
sudo systemctl restart docker
# Make sure docker-buildx is disabled.
[ -e /usr/lib/docker/cli-plugins/docker-buildx ] && \
mv -nv /usr/lib/docker/cli-plugins/docker-buildx{,-DISABLED}
# Disable any daemon configurations.
[ -e /etc/docker/daemon.json ] && \
mv -nv /etc/docker/daemon.json{,.DISABLED}
set -x
# In order for< gotest.tools/v3/assert> to parse the source and give us useful
# error messages, we have to create a fake source directory that points at
# $TEST_SRCDIR. This path is replaced with %{docker_builddir} during the
# docker.spec build.
__DOCKER_BUILDIR="@@docker_builddir@@"
DOCKER_BUILDDIR="${DOCKER_BUILDDIR:-$__DOCKER_BUILDIR}"
sudo rm -rvf "$DOCKER_BUILDDIR"
sudo mkdir -p "$(dirname "$DOCKER_BUILDDIR")"
sudo ln -svf "$TEST_SRCDIR" "$DOCKER_BUILDDIR"
# Clean up any old containers/images/networks/volumes before running the tests.
# We need to do this *BEFORE* we set PATH, as the outdated $TEST_BINDIR/docker
# doesn't support some of these commands.
docker container prune -f
docker image prune -af
#docker buildx prune -af
docker network prune -f
docker volume prune -af
[ -z "$(docker plugin ls -q)" ] || docker plugin ls -q | xargs docker plugin rm -f
docker system prune -af
export DOCKERFILE="$TEST_SRCDIR/Dockerfile"
export TMPDIR="$TMPDIR"
export TEMP="$TMPDIR"
export HOME="$TMPDIR/fake-home"
export DEST="$TEST_SRCDIR/bundles/dummy-dir"
export ABS_DEST="$DEST"
export PATH="$TEST_BINDIR:$PATH"
export TZ=UTC
export DOCKER_INTEGRATION_DAEMON_DEST="$ABS_DEST"
export DOCKER_HOST=unix:///run/docker.sock
export DOCKER_GRAPHDRIVER=overlay2
export DOCKER_USERLANDPROXY=true
export DOCKER_REMAP_ROOT="${DOCKER_REMAP_ROOT:-}"
export DOCKER_TMPDIR="$TMPDIR"
set +x
# Make sure that we have a dummy "destination" directory for tests.
rm -rf "$DOCKER_INTEGRATION_DAEMON_DEST"
mkdir -p "$DOCKER_INTEGRATION_DAEMON_DEST"
# Install the emptyfs images.
sh ./hack/make/.build-empty-images
ls -la "$TMPROOT"
success=0
failed_suites=()
for suite_name in "${SUITES[@]}"; do
suite_name="${suite_name#*./}"
pushd "$TEST_SRCDIR/$suite_name"
test_flags=()
[ -n "$verbose" ] && test_flags+=("-test.v")
[ -n "$filter" ] && test_flags+=("-test.run" "$filter")
if [[ "$suite_name" == "integration-cli" ]]; then
# We need to disable docker-buildx for the integration-cli tests
# because otherwise the "docker build" command will use the wrong
# builder and the output won't match what the tests expect.
timeout=360m
fi
test_flags+=("-test.timeout" "$timeout")
echo "Running suite $suite_name (${test_flags[*]}) [success=$success fail=${#failed_suites[@]}]"
set -x +e
sudo -E HOME="$HOME" TMPDIR="$TMPDIR" PATH="$PATH" \
./test.main "${test_flags[@]}"
err="$?"
if (( err != 0 )); then
[ -z "$fail_fast" ] || exit "$err"
failed_suites+=("$suite_name")
else
(( success++ ))
fi
set +x -e
popd
done
[ -e /usr/lib/docker/cli-plugins/docker-buildx-DISABLED ] && \
mv -nv /usr/lib/docker/cli-plugins/docker-buildx{-DISABLED,}
[ -e /etc/docker/suse-secrets-enable-DISABLED ] && \
mv -nv /etc/docker/suse-secrets-enable{-DISABLED,}
[ -e /etc/docker/daemon.json.DISABLED ] && \
mv -nv /etc/docker/daemon.json{.DISABLED,}
echo "Suite results: $success success(es) ${#failed_suites[*]} failure(s)."
if (( ${#failed_suites[@]} > 0 )); then
echo "Failed suites:"
printf " - %s\n" "${failed_suites[@]}"
exit 1
fi
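Review bot: The host-configuration changes around `mv -nv /etc/docker/suse-secrets-enable{,-DISABLED}` (and the buildx and daemon.json renames next to it) are only reverted by the three `mv` commands near the end of the script, so any command failing under `set -Eeuo pipefail`, or the `exit "$err"` fail-fast path, leaves the host with SUSEConnect secrets disabled, the buildx plugin hidden and its daemon.json removed. Even on the happy path `sudo systemctl restart docker` runs only after the toggle file is moved away and never after it is restored, so the running daemon keeps secrets disabled until the next restart. Moving the restores into a function installed with `trap … EXIT` and restarting the daemon from it fixes both; the rewrite below replaces the trailing `mv` lines and goes in before the first rename. Separately, `timeout=360m` for integration-cli is assigned to the loop-wide variable and never reset, so every suite listed after integration-cli also runs with the 6-hour timeout instead of the `-t` value, and the comment above that line talks about disabling buildx rather than the timeout it actually sets. `sudo rm -rvf "$DOCKER_BUILDDIR"` would also benefit from a guard that refuses to run while the `@@docker_builddir@@` placeholder is unsubstituted.
```bash
# Restore the host configuration hidden below even if a suite fails or the
# script aborts under set -e, and restart the daemon so the restored toggle
# file and daemon.json take effect again.
function restore_host_config() {
	[ -e /usr/lib/docker/cli-plugins/docker-buildx-DISABLED ] && \
		mv -nv /usr/lib/docker/cli-plugins/docker-buildx{-DISABLED,}
	[ -e /etc/docker/suse-secrets-enable-DISABLED ] && \
		mv -nv /etc/docker/suse-secrets-enable{-DISABLED,}
	[ -e /etc/docker/daemon.json.DISABLED ] && \
		mv -nv /etc/docker/daemon.json{.DISABLED,}
	sudo systemctl restart docker
}
trap restore_host_config EXIT
# … unchanged: suse-secrets-enable / docker-buildx / daemon.json renames, daemon restart, environment setup …
for suite_name in "${SUITES[@]}"; do
	# … unchanged: pushd, -test.v / -test.run flags …
	suite_timeout="$timeout"
	if [[ "$suite_name" == "integration-cli" ]]; then
		# integration-cli is by far the largest suite, so it gets a longer
		# per-suite timeout; keep $timeout itself for the remaining suites.
		suite_timeout=360m
	fi
	test_flags+=("-test.timeout" "$suite_timeout")
	# … unchanged: running ./test.main and bookkeeping …
done
# … unchanged: summary output (the three trailing mv lines are now in restore_host_config) …
```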


@ -1,6 +1,7 @@
# The #! comes from upstream. addFilter("^docker-(stable-)?bash-completion.noarch: (E|W): non-executable-script /usr/share/bash-completion/completions/docker")
addFilter ("^docker-bash-completion.noarch: W: sourced-script-with-shebang /etc/bash_completion.d/docker bash") addFilter("^docker-(stable-)?zsh-completion.noarch: W: non-conffile-in-etc /etc/zsh_completion.d/_docker")
addFilter ("^docker-zsh-completion.noarch: W: sourced-script-with-shebang /etc/zsh_completion.d/docker zsh")
# -test is something that is used internally and isn't actually shipped -- it's a pseduo-source package. # The docker-integration-tests-devel package contains all of the source code of
addFilter ("^docker-test.*") # Docker, which causes a bunch of warnings. Note that
# docker-integration-tests-devel is used internally and isn't actually shipped.
addFilter("^docker-(stable-)?integration-tests-devel\..*: (E|W): .*")


@ -1,13 +1,65 @@
-------------------------------------------------------------------
Wed Dec 11 10:14:56 UTC 2024 - Aleksa Sarai <asarai@suse.com>
- Update docker-buildx to v0.19.2. See upstream changelog online at
<https://github.com/docker/buildx/releases/tag/v0.19.2>.
Some notable changelogs from the last update:
* <https://github.com/docker/buildx/releases/tag/v0.19.0>
* <https://github.com/docker/buildx/releases/tag/v0.18.0>
- Update to Go 1.22.
-------------------------------------------------------------------
Wed Dec 11 05:39:42 UTC 2024 - Aleksa Sarai <asarai@suse.com>
- Add a new toggle file /etc/docker/suse-secrets-enable which allows users to
disable the SUSEConnect integration with Docker (which creates special mounts
in /run/secrets to allow container-suseconnect to authenticate containers
with registries on registered hosts). bsc#1231348 bsc#1232999
In order to disable these mounts, just do
echo 0 > /etc/docker/suse-secrets-enable
and restart Docker. In order to re-enable them, just do
echo 1 > /etc/docker/suse-secrets-enable
and restart Docker. Docker will output information on startup to tell you
whether the SUSE secrets feature is enabled or not.
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Nov 27 12:10:42 UTC 2024 - Aleksa Sarai <asarai@suse.com> Wed Nov 27 12:10:42 UTC 2024 - Aleksa Sarai <asarai@suse.com>
[NOTE: This update was only ever released in SLES and Leap.]
- Disable docker-buildx builds for SLES. It turns out that build containers - Disable docker-buildx builds for SLES. It turns out that build containers
with docker-buildx don't currently get the SUSE secrets mounts applied, with docker-buildx don't currently get the SUSE secrets mounts applied,
meaning that container-suseconnect doesn't work when building images. meaning that container-suseconnect doesn't work when building images.
bsc#1233819 bsc#1233819
-------------------------------------------------------------------
Wed Nov 20 05:34:38 UTC 2024 - Aleksa Sarai <asarai@suse.com>
- Add docker-integration-tests-devel subpackage for building and running the
upstream Docker integration tests on machines to test that Docker works
properly. Users should not install this package.
- docker-rpmlintrc updated to include allow-list for all of the integration
tests package, since it contains a bunch of stuff that wouldn't normally be
allowed.
- Rebased patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
* 0006-CVE-2024-23653-update-buildkit-to-include-CVE-patche.patch
* 0007-bsc1221916-update-to-patched-buildkit-version-to-fix.patch
* 0008-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch
* 0009-CVE-2024-41110-AuthZ-plugin-securty-fixes.patch
- Added patches:
+ 0010-TESTS-backport-fixes-for-integration-tests.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Nov 12 06:34:28 UTC 2024 - Aleksa Sarai <asarai@suse.com> Tue Nov 12 06:34:28 UTC 2024 - Aleksa Sarai <asarai@suse.com>
@ -30,12 +82,6 @@ Wed Oct 16 05:37:14 UTC 2024 - Aleksa Sarai <asarai@suse.com>
are replacing. See upstream changelog online at are replacing. See upstream changelog online at
<https://github.com/docker/buildx/releases/tag/v0.17.1> <https://github.com/docker/buildx/releases/tag/v0.17.1>
-------------------------------------------------------------------
Tue Oct 15 04:58:46 UTC 2024 - Aleksa Sarai <asarai@suse.com>
- Allow users to disable SUSE secrets support by setting
DOCKER_SUSE_SECRETS_ENABLE=0 in /etc/sysconfig/docker. bsc#1231348
------------------------------------------------------------------- -------------------------------------------------------------------
Sat Sep 7 13:10:30 UTC 2024 - Aleksa Sarai <asarai@suse.com> Sat Sep 7 13:10:30 UTC 2024 - Aleksa Sarai <asarai@suse.com>


@ -19,11 +19,18 @@
%bcond_without apparmor %bcond_without apparmor
# This subpackage is only used for testing by developers, and shouldn't be
# built for actual users.
%bcond_with integration_tests
%if 0%{?is_opensuse} == 0
# SUSEConnect support ("SUSE secrets") only makes sense for SLES hosts.
%bcond_without suseconnect
# There is currently a known bug between buildx and SUSE secrets, so we don't # There is currently a known bug between buildx and SUSE secrets, so we don't
# package docker-buildx for SLES. bsc#1233819 # package docker-buildx for SLES. bsc#1233819
%if 0%{?is_opensuse} == 0
%bcond_with buildx %bcond_with buildx
%else %else
%bcond_with suseconnect
%bcond_without buildx %bcond_without buildx
%endif %endif
@ -35,6 +42,9 @@
# is guaranteed to see the relevant warning. # is guaranteed to see the relevant warning.
%define update_messages %{_localstatedir}/adm/update-messages/%{name}-%{version}-%{release} %define update_messages %{_localstatedir}/adm/update-messages/%{name}-%{version}-%{release}
# Test binaries.
%define testdir /usr/src/docker-test
#Compat macro for new _fillupdir macro introduced in Nov 2017 #Compat macro for new _fillupdir macro introduced in Nov 2017
%if ! %{defined _fillupdir} %if ! %{defined _fillupdir}
%define _fillupdir /var/adm/fillup-templates %define _fillupdir /var/adm/fillup-templates
@ -50,7 +60,7 @@
%if %{with buildx} %if %{with buildx}
# MANUAL: This needs to be updated with every docker-buildx update. # MANUAL: This needs to be updated with every docker-buildx update.
%define buildx_version 0.17.1 %define buildx_version 0.19.2
%endif %endif
# Used when generating the "build" information for Docker version. The value of # Used when generating the "build" information for Docker version. The value of
@ -87,6 +97,8 @@ Source130: README_SUSE.md
Source140: docker-audit.rules Source140: docker-audit.rules
Source150: docker-daemon.json Source150: docker-daemon.json
Source160: docker.sysusers Source160: docker.sysusers
# docker-integration-tests-devel
Source900: docker-integration.sh
# NOTE: All of these patches are maintained in <https://github.com/suse/docker> # NOTE: All of these patches are maintained in <https://github.com/suse/docker>
# in the suse-v<version> branch. Make sure you update the patches in that # in the suse-v<version> branch. Make sure you update the patches in that
# branch and then git-format-patch the patch here. # branch and then git-format-patch the patch here.
@ -113,6 +125,9 @@ Patch205: 0008-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch
# UPSTREAM: Backport of <https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq> # UPSTREAM: Backport of <https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq>
# fix. CVE-2024-41110 # fix. CVE-2024-41110
Patch206: 0009-CVE-2024-41110-AuthZ-plugin-securty-fixes.patch Patch206: 0009-CVE-2024-41110-AuthZ-plugin-securty-fixes.patch
# UPSTREAM: Backport of <https://github.com/moby/moby/pull/46307> and
# <https://github.com/moby/moby/pull/49061>.
Patch299: 0010-TESTS-backport-fixes-for-integration-tests.patch
# UPSTREAM: Backport of <https://github.com/docker/cli/pull/4228>. # UPSTREAM: Backport of <https://github.com/docker/cli/pull/4228>.
Patch900: cli-0001-docs-include-required-tools-in-source-tree.patch Patch900: cli-0001-docs-include-required-tools-in-source-tree.patch
BuildRequires: audit BuildRequires: audit
@ -133,7 +148,7 @@ BuildRequires: procps
BuildRequires: sqlite3-devel BuildRequires: sqlite3-devel
BuildRequires: sysuser-tools BuildRequires: sysuser-tools
BuildRequires: zsh BuildRequires: zsh
BuildRequires: golang(API) = 1.21 BuildRequires: golang(API) = 1.22
BuildRequires: pkgconfig(libsystemd) BuildRequires: pkgconfig(libsystemd)
%if %{with apparmor} %if %{with apparmor}
%if 0%{?sle_version} >= 150000 %if 0%{?sle_version} >= 150000
@ -258,6 +273,27 @@ Rootless support for Docker.
Use dockerd-rootless.sh to run the daemon. Use dockerd-rootless.sh to run the daemon.
Use dockerd-rootless-setuptool.sh to setup systemd for dockerd-rootless.sh. Use dockerd-rootless-setuptool.sh to setup systemd for dockerd-rootless.sh.
%if %{with integration_tests}
%package integration-tests-devel
Summary: Rootless support for Docker
Group: TestSuite
Requires: %{name} = %{docker_version}
Requires: containerd-ctr
Requires: curl
Requires: gcc
Requires: git
Requires: glibc-devel-static
Requires: go
Requires: jq
Requires: libcap-progs
%description integration-tests-devel
Integration testing binaries for Docker.
THIS PACKAGE SHOULD NOT BE INSTALLED BY END-USERS, IT IS ONLY INTENDED FOR
INTERNAL DEVELOPMENT OF THE DOCKER PACKAGE FOR (OPEN)SUSE.
%endif
%package bash-completion %package bash-completion
Summary: Bash Completion for %{name} Summary: Bash Completion for %{name}
Group: System/Shells Group: System/Shells
@ -337,7 +373,7 @@ Fish command line completion support for %{name}.
# README_SUSE.md for documentation. # README_SUSE.md for documentation.
cp %{SOURCE130} . cp %{SOURCE130} .
%if 0%{?is_opensuse} == 0 %if %{with suseconnect}
# PATCH-SUSE: Secrets patches. # PATCH-SUSE: Secrets patches.
%patch -P100 -p1 %patch -P100 -p1
%patch -P101 -p1 %patch -P101 -p1
@ -358,6 +394,10 @@ cp %{SOURCE130} .
%patch -P205 -p1 %patch -P205 -p1
# CVE-2024-41110 # CVE-2024-41110
%patch -P206 -p1 %patch -P206 -p1
%if %{with integration_tests}
# integration-tests patches
%patch -P299 -p1
%endif
%build %build
%sysusers_generate_pre %{SOURCE160} %{name} docker.conf %sysusers_generate_pre %{SOURCE160} %{name} docker.conf
@ -392,6 +432,21 @@ pushd "%{docker_builddir}"
ln -s {vendor,go}.mod ln -s {vendor,go}.mod
ln -s {vendor,go}.sum ln -s {vendor,go}.sum
./hack/make.sh dynbinary ./hack/make.sh dynbinary
%if %{with integration_tests}
# build test binaries for integration tests
readarray -t integration_dirs \
<<<"$(go list -test -f '{{- if ne .ForTest "" -}}{{- .Dir -}}{{- end -}}' ./integration/... ./integration-cli/...)"
for dir in "${integration_dirs[@]}"
do
pushd "$dir"
go test -c -buildmode=pie -tags "$BUILDTAGS" -o test.main .
popd
done
# Update __DOCKER_BUILDIR in the integration testing script.
sed -i 's|^__DOCKER_BUILDIR=.*|__DOCKER_BUILDIR=%{docker_builddir}|g' "%{SOURCE900}"
%endif
popd popd
################### ###################
@ -442,6 +497,10 @@ install -D -m0755 %{buildx_builddir}/bin/build/docker-buildx %{buildroot}/usr/li
install -d %{buildroot}/%{_localstatedir}/lib/docker install -d %{buildroot}/%{_localstatedir}/lib/docker
# daemon.json config file # daemon.json config file
install -D -m0644 %{SOURCE150} %{buildroot}%{_sysconfdir}/docker/daemon.json install -D -m0644 %{SOURCE150} %{buildroot}%{_sysconfdir}/docker/daemon.json
%if %{with suseconnect}
# SUSE-specific config file
echo 1 > %{buildroot}%{_sysconfdir}/docker/suse-secrets-enable
%endif
# docker cli # docker cli
install -D -m0755 %{cli_builddir}/build/docker %{buildroot}/%{_bindir}/docker install -D -m0755 %{cli_builddir}/build/docker %{buildroot}/%{_bindir}/docker
@ -479,6 +538,16 @@ install -D -m0644 %{SOURCE160} %{buildroot}%{_sysusersdir}/docker.conf
install -D -p -m 0755 contrib/dockerd-rootless.sh %{buildroot}/%{_bindir}/dockerd-rootless.sh install -D -p -m 0755 contrib/dockerd-rootless.sh %{buildroot}/%{_bindir}/dockerd-rootless.sh
install -D -p -m 0755 contrib/dockerd-rootless-setuptool.sh %{buildroot}/%{_bindir}/dockerd-rootless-setuptool.sh install -D -p -m 0755 contrib/dockerd-rootless-setuptool.sh %{buildroot}/%{_bindir}/dockerd-rootless-setuptool.sh
%if %{with integration_tests}
# integration tests
install -d %{buildroot}%{testdir}
cp -ar %{docker_builddir} %{buildroot}%{testdir}/src
install -d %{buildroot}%{testdir}/bin
install -D -p -m 0755 %{SOURCE900} %{buildroot}%{testdir}/docker-integration.sh
# remove all of the non-test binaries in bundles/
rm -rfv %{buildroot}%{testdir}/src/bundles/
%endif
%fdupes %{buildroot} %fdupes %{buildroot}
%pre -f %{name}.pre %pre -f %{name}.pre
@ -528,6 +597,9 @@ grep -q '^dockremap:' /etc/subgid || \
%dir %{_sysconfdir}/docker %dir %{_sysconfdir}/docker
%config(noreplace) %{_sysconfdir}/docker/daemon.json %config(noreplace) %{_sysconfdir}/docker/daemon.json
%if %{with suseconnect}
%config(noreplace) %{_sysconfdir}/docker/suse-secrets-enable
%endif
%{_fillupdir}/sysconfig.docker %{_fillupdir}/sysconfig.docker
%dir %attr(750,root,root) %{_sysconfdir}/audit/rules.d %dir %attr(750,root,root) %{_sysconfdir}/audit/rules.d
@ -550,6 +622,12 @@ grep -q '^dockremap:' /etc/subgid || \
%{_bindir}/dockerd-rootless.sh %{_bindir}/dockerd-rootless.sh
%{_bindir}/dockerd-rootless-setuptool.sh %{_bindir}/dockerd-rootless-setuptool.sh
%if %{with integration_tests}
%files integration-tests-devel
%defattr(-,root,root)
%{testdir}
%endif
%files bash-completion %files bash-completion
%defattr(-,root,root) %defattr(-,root,root)
%{_datarootdir}/bash-completion/completions/docker %{_datarootdir}/bash-completion/completions/docker
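Review bot: The Summary of the new `integration-tests-devel` subpackage is copied from the rootless package ("Rootless support for Docker") and does not describe what it ships; `Summary:        Integration test binaries for Docker` would match the `%description` below it. The `suse-secrets-enable` file created in the install hunk is a one-character toggle for a feature that mounts host SUSEConnect credentials into containers, but the spec says neither what consumes it nor how it relates to the `DOCKER_SUSE_SECRETS_ENABLE` sysconfig variable from the earlier changelog entry; a comment above the `echo 1 >` line such as `# Default-enable SUSE secrets on SLES; shipped as %config(noreplace) so admins can turn it off — see the daemon secrets patches for how it is read` would help, and writing it via `install -D -m0644` from a file would give it a deterministic mode rather than one inherited from the build umask. Separately, the build hunk's `sed -i` edits `%{SOURCE900}` in place, so the source file itself is mutated during `%build`; copying it into `%{docker_builddir}` first and editing the copy avoids that. The `readarray` over `go list` also yields a single empty element when the list is empty, which would make the following `pushd ""` fail, though in the current tree that presumably never happens.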