Accepting request 632984 from Virtualization:containers

OBS-URL: https://build.opensuse.org/request/show/632984 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/docker?expand=0&rev=80
2018-09-05 11:46:40 +00:00 · 2018-09-05 11:46:40 +00:00 · 4e61c95de6
commit 4e61c95de6
parent 7ee280ecaf 1754fa7fc7
19 changed files with 1573 additions and 464 deletions
--- a/3
+++ b/3
@ -0,0 +1,3 @@
 <multibuild>
 	<package>kubic</package>
 </multibuild>
--- a/4
+++ b/4
@ -3,8 +3,8 @@
    <param name="url">https://github.com/docker/docker-ce.git</param>
    <param name="scm">git</param>
    <param name="exclude">.git</param>
-    <param name="versionformat">17.09.1_ce</param>
+    <param name="versionformat">18.06.1_ce</param>
-    <param name="revision">v17.09.1-ce</param>
+    <param name="revision">v18.06.1-ce</param>
    <param name="filename">docker</param>
  </service>
  <service name="recompress" mode="disabled">
--- a/bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch
+++ b/bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch
@ -1,243 +0,0 @@
 From e57d7270deb50c31ac1f732d8f28812e5b809062 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Thu, 16 Nov 2017 17:09:16 +1100
 Subject: [PATCH] pkg: devmapper: dynamically load dm_task_deferred_remove
 dm_task_deferred_remove is not supported by all distributions, due to
 out-dated versions of devicemapper. However, in the case where the
 devicemapper library was updated without rebuilding Docker (which can
 happen in some distributions) then we should attempt to dynamically load
 the relevant object rather than try to link to it.
 This can only be done if Docker was built dynamically, for obvious
 reasons.
 In order to avoid having issues arise when dlsym(3) was unnecessary,
 gate the whole dlsym(3) logic behind a buildflag that we disable by
 default (libdm_dlsym_deferred_remove).
 SUSE-Bugs: bsc#1021227 bsc#1029320 bsc#1058173
 Signed-off-by: Aleksa Sarai <asarai@suse.de>
 ---
 components/engine/hack/make.sh                     |  12 +-
 ...> devmapper_wrapper_dynamic_deferred_remove.go} |  10 +-
 ...mapper_wrapper_dynamic_dlsym_deferred_remove.go | 128 +++++++++++++++++++++
 .../devmapper_wrapper_no_deferred_remove.go        |   6 +-
 4 files changed, 149 insertions(+), 7 deletions(-)
 rename components/engine/pkg/devicemapper/{devmapper_wrapper_deferred_remove.go => devmapper_wrapper_dynamic_deferred_remove.go} (78%)
 create mode 100644 components/engine/pkg/devicemapper/devmapper_wrapper_dynamic_dlsym_deferred_remove.go
 diff --git a/components/engine/hack/make.sh b/components/engine/hack/make.sh
 index 58e0d8cd628a..3b78ddef30b0 100755
 --- a/components/engine/hack/make.sh
 +++ b/components/engine/hack/make.sh
@@ -112,6 +112,12 @@ if [ ! "$GOPATH" ]; then
 	exit 1
 fi
 +# Adds $1_$2 to DOCKER_BUILDTAGS unless it already
 +# contains a word starting from $1_
 +add_buildtag() {
 +	[[ " $DOCKER_BUILDTAGS" == *" $1_"* ]] || DOCKER_BUILDTAGS+=" $1_$2"
 +}
 +
 if ${PKG_CONFIG} 'libsystemd >= 209' 2> /dev/null ; then
 	DOCKER_BUILDTAGS+=" journald"
 elif ${PKG_CONFIG} 'libsystemd-journal' 2> /dev/null ; then
@@ -127,12 +133,14 @@ if \
 fi
 # test whether "libdevmapper.h" is new enough to support deferred remove
 -# functionality.
 +# functionality. We favour libdm_dlsym_deferred_remove over
 +# libdm_no_deferred_remove in dynamic cases because the binary could be shipped
 +# with a newer libdevmapper than the one it was built wih.
 if \
 	command -v gcc &> /dev/null \
 	&& ! ( echo -e  '#include <libdevmapper.h>\nint main() { dm_task_deferred_remove(NULL); }'| gcc -xc - -o /dev/null $(pkg-config --libs devmapper) &> /dev/null ) \
 ; then
 -	DOCKER_BUILDTAGS+=' libdm_no_deferred_remove'
 +	add_buildtag libdm dlsym_deferred_remove
 fi
 # Use these flags when compiling the tests and final binary
 diff --git a/components/engine/pkg/devicemapper/devmapper_wrapper_deferred_remove.go b/components/engine/pkg/devicemapper/devmapper_wrapper_dynamic_deferred_remove.go
 similarity index 78%
 rename from components/engine/pkg/devicemapper/devmapper_wrapper_deferred_remove.go
 rename to components/engine/pkg/devicemapper/devmapper_wrapper_dynamic_deferred_remove.go
 index 7f793c270868..bf57371ff4cf 100644
 --- a/components/engine/pkg/devicemapper/devmapper_wrapper_deferred_remove.go
 +++ b/components/engine/pkg/devicemapper/devmapper_wrapper_dynamic_deferred_remove.go
@@ -1,11 +1,15 @@
 -// +build linux,cgo,!libdm_no_deferred_remove
 +// +build linux,cgo,!static_build
 +// +build !libdm_dlsym_deferred_remove,!libdm_no_deferred_remove
 package devicemapper
 -// #include <libdevmapper.h>
 +/*
 +#include <libdevmapper.h>
 +*/
 import "C"
 -// LibraryDeferredRemovalSupport tells if the feature is enabled in the build
 +// LibraryDeferredRemovalSupport tells if the feature is supported by the
 +// current Docker invocation.
 const LibraryDeferredRemovalSupport = true
 func dmTaskDeferredRemoveFct(task *cdmTask) int {
 diff --git a/components/engine/pkg/devicemapper/devmapper_wrapper_dynamic_dlsym_deferred_remove.go b/components/engine/pkg/devicemapper/devmapper_wrapper_dynamic_dlsym_deferred_remove.go
 new file mode 100644
 index 000000000000..5dfb369f1ff8
 --- /dev/null
 +++ b/components/engine/pkg/devicemapper/devmapper_wrapper_dynamic_dlsym_deferred_remove.go
@@ -0,0 +1,128 @@
 +// +build linux,cgo,!static_build
 +// +build libdm_dlsym_deferred_remove,!libdm_no_deferred_remove
 +
 +package devicemapper
 +
 +/*
 +#cgo LDFLAGS: -ldl
 +#include <stdlib.h>
 +#include <dlfcn.h>
 +#include <libdevmapper.h>
 +
 +// Yes, I know this looks scary. In order to be able to fill our own internal
 +// dm_info with deferred_remove we need to have a struct definition that is
 +// correct (regardless of the version of libdm that was used to compile it). To
 +// this end, we define struct_backport_dm_info. This code comes from lvm2, and
 +// I have verified that the structure has only ever had elements *appended* to
 +// it (since 2001).
 +//
 +// It is also important that this structure be _larger_ than the dm_info that
 +// libdevmapper expected. Otherwise libdm might try to write to memory it
 +// shouldn't (they don't have a "known size" API).
 +struct backport_dm_info {
 +	int exists;
 +	int suspended;
 +	int live_table;
 +	int inactive_table;
 +	int32_t open_count;
 +	uint32_t event_nr;
 +	uint32_t major;
 +	uint32_t minor;
 +	int read_only;
 +
 +	int32_t target_count;
 +
 +	int deferred_remove;
 +	int internal_suspend;
 +
 +	// Padding, purely for our own safety. This is to avoid cases where libdm
 +	// was updated underneath us and we call into dm_task_get_info() with too
 +	// small of a buffer.
 +	char _[512];
 +};
 +
 +// We have to wrap this in CGo, because Go really doesn't like function pointers.
 +int call_dm_task_deferred_remove(void *fn, struct dm_task *task)
 +{
 +	int (*_dm_task_deferred_remove)(struct dm_task *task) = fn;
 +	return _dm_task_deferred_remove(task);
 +}
 +*/
 +import "C"
 +
 +import (
 +	"unsafe"
 +
 +	"github.com/sirupsen/logrus"
 +)
 +
 +// dm_task_deferred_remove is not supported by all distributions, due to
 +// out-dated versions of devicemapper. However, in the case where the
 +// devicemapper library was updated without rebuilding Docker (which can happen
 +// in some distributions) then we should attempt to dynamically load the
 +// relevant object rather than try to link to it.
 +
 +// dmTaskDeferredRemoveFct is a "bound" version of dm_task_deferred_remove.
 +// It is nil if dm_task_deferred_remove was not found in the libdevmapper that
 +// is currently loaded.
 +var dmTaskDeferredRemovePtr unsafe.Pointer
 +
 +// LibraryDeferredRemovalSupport tells if the feature is supported by the
 +// current Docker invocation. This value is fixed during init.
 +var LibraryDeferredRemovalSupport bool
 +
 +func init() {
 +	// Clear any errors.
 +	var err *C.char
 +	C.dlerror()
 +
 +	// The symbol we want to fetch.
 +	symName := C.CString("dm_task_deferred_remove")
 +	defer C.free(unsafe.Pointer(symName))
 +
 +	// See if we can find dm_task_deferred_remove. Since we already are linked
 +	// to libdevmapper, we can search our own address space (rather than trying
 +	// to guess what libdevmapper is called). We use NULL here, as RTLD_DEFAULT
 +	// is not available in CGO (even if you set _GNU_SOURCE for some reason).
 +	// The semantics are identical on glibc.
 +	sym := C.dlsym(nil, symName)
 +	err = C.dlerror()
 +	if err != nil {
 +		logrus.Debugf("devmapper: could not load dm_task_deferred_remove: %s", C.GoString(err))
 +		return
 +	}
 +
 +	logrus.Debugf("devmapper: found dm_task_deferred_remove at %x", uintptr(sym))
 +	dmTaskDeferredRemovePtr = sym
 +	LibraryDeferredRemovalSupport = true
 +}
 +
 +func dmTaskDeferredRemoveFct(task *cdmTask) int {
 +	sym := dmTaskDeferredRemovePtr
 +	if sym == nil || !LibraryDeferredRemovalSupport {
 +		return -1
 +	}
 +	return int(C.call_dm_task_deferred_remove(sym, (*C.struct_dm_task)(task)))
 +}
 +
 +func dmTaskGetInfoWithDeferredFct(task *cdmTask, info *Info) int {
 +	if !LibraryDeferredRemovalSupport {
 +		return -1
 +	}
 +
 +	Cinfo := C.struct_backport_dm_info{}
 +	defer func() {
 +		info.Exists = int(Cinfo.exists)
 +		info.Suspended = int(Cinfo.suspended)
 +		info.LiveTable = int(Cinfo.live_table)
 +		info.InactiveTable = int(Cinfo.inactive_table)
 +		info.OpenCount = int32(Cinfo.open_count)
 +		info.EventNr = uint32(Cinfo.event_nr)
 +		info.Major = uint32(Cinfo.major)
 +		info.Minor = uint32(Cinfo.minor)
 +		info.ReadOnly = int(Cinfo.read_only)
 +		info.TargetCount = int32(Cinfo.target_count)
 +		info.DeferredRemove = int(Cinfo.deferred_remove)
 +	}()
 +	return int(C.dm_task_get_info((*C.struct_dm_task)(task), (*C.struct_dm_info)(unsafe.Pointer(&Cinfo))))
 +}
 diff --git a/components/engine/pkg/devicemapper/devmapper_wrapper_no_deferred_remove.go b/components/engine/pkg/devicemapper/devmapper_wrapper_no_deferred_remove.go
 index a880fec8c499..80b034b3ff17 100644
 --- a/components/engine/pkg/devicemapper/devmapper_wrapper_no_deferred_remove.go
 +++ b/components/engine/pkg/devicemapper/devmapper_wrapper_no_deferred_remove.go
@@ -1,8 +1,10 @@
 -// +build linux,cgo,libdm_no_deferred_remove
 +// +build linux,cgo
 +// +build !libdm_dlsym_deferred_remove,libdm_no_deferred_remove
 package devicemapper
 -// LibraryDeferredRemovalSupport tells if the feature is enabled in the build
 +// LibraryDeferredRemovalSupport tells if the feature is supported by the
 +// current Docker invocation.
 const LibraryDeferredRemovalSupport = false
 func dmTaskDeferredRemoveFct(task *cdmTask) int {
 -- 
 2.16.1
--- a/bsc1047218-0001-man-obey-SOURCE_DATE_EPOCH-when-generating-man-pages.patch
+++ b/bsc1047218-0001-man-obey-SOURCE_DATE_EPOCH-when-generating-man-pages.patch
@ -0,0 +1,58 @@
 From d84d2f13c475bf5ff0ce7b080b759b0239d5d345 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Thu, 23 Aug 2018 19:53:55 +1000
 Subject: [PATCH] man: obey SOURCE_DATE_EPOCH when generating man pages
 Previously our man pages included the current time each time they were
 generated. This causes an issue for reproducible builds, since each
 re-build of a package that includes the man pages will have different
 times listed in the man pages.
 To fix this, add support for SOURCE_DATE_EPOCH (which is a standardised
 packaging environment variable, designed to be used specifically for
 this purpose[1]). spf13/cobra doesn't support this natively yet (though
 I will push a patch for that as well), but it's simpler to fix it
 directly in docker/cli.
 [1]: https://reproducible-builds.org/specs/source-date-epoch/
 SUSE-Bugs: boo#1047218
 Signed-off-by: Aleksa Sarai <asarai@suse.de>
 ---
 components/cli/man/generate.go | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 diff --git a/components/cli/man/generate.go b/components/cli/man/generate.go
 index 4197558a2225..4a3e98fb22c1 100644
 --- a/components/cli/man/generate.go
 +++ b/components/cli/man/generate.go
@@ -6,6 +6,8 @@ import (
 	"log"
 	"os"
 	"path/filepath"
 +	"strconv"
 +	"time"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/commands"
@@ -24,6 +26,17 @@ func generateManPages(opts *options) error {
 		Source:  "Docker Community",
 	}
 +	// If SOURCE_DATE_EPOCH is set, in order to allow reproducible package
 +	// builds, we explicitly set the build time to SOURCE_DATE_EPOCH.
 +	if epoch := os.Getenv("SOURCE_DATE_EPOCH"); epoch != "" {
 +		unixEpoch, err := strconv.ParseInt(epoch, 10, 64)
 +		if err != nil {
 +			return fmt.Errorf("invalid SOURCE_DATE_EPOCH: %v", err)
 +		}
 +		now := time.Unix(unixEpoch, 0)
 +		header.Date = &now
 +	}
 +
 	stdin, stdout, stderr := term.StdStreams()
 	dockerCli := command.NewDockerCli(stdin, stdout, stderr, false)
 	cmd := &cobra.Command{Use: "docker"}
 -- 
 2.18.0
--- a/bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch
+++ b/bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch
@ -1,95 +0,0 @@
 From ff7b94c76f343931463b5916fb3fbd2610869a1a Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Sun, 15 Oct 2017 17:06:20 +1100
 Subject: [PATCH] daemon: oci: obey CL_UNPRIVILEGED for user namespaced daemon
 When runc is bind-mounting a particular path "with options", it has to
 do so by first creating a bind-mount and the modifying the options of
 said bind-mount via remount. However, in a user namespace, there are
 restrictions on which flags you can change with a remount (due to
 CL_UNPRIVILEGED being set in this instance). Docker historically has
 ignored this, and as a result, internal Docker mounts (such as secrets)
 haven't worked with --userns-remap. Fix this by preserving
 CL_UNPRIVILEGED mount flags when Docker is spawning containers with user
 namespaces enabled.
 SUSE-Bug: https://bugzilla.suse.com/show_bug.cgi?id=1055676
 Signed-off-by: Aleksa Sarai <asarai@suse.de>
 ---
 components/engine/daemon/oci_linux.go | 46 +++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)
 diff --git a/components/engine/daemon/oci_linux.go b/components/engine/daemon/oci_linux.go
 index 6917b4841429..936cb8f998ca 100644
 --- a/components/engine/daemon/oci_linux.go
 +++ b/components/engine/daemon/oci_linux.go
@@ -27,6 +27,7 @@ import (
 	"github.com/opencontainers/runc/libcontainer/user"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/sirupsen/logrus"
 +	"golang.org/x/sys/unix"
 )
 var (
@@ -469,6 +470,38 @@ func ensureSharedOrSlave(path string) error {
 	return nil
 }
 +// Get the set of mount flags that are set on the mount that contains the given
 +// path and are locked by CL_UNPRIVILEGED. This is necessary to ensure that
 +// bind-mounting "with options" will not fail with user namespaces, due to
 +// kernel restrictions that require user namespace mounts to preserve
 +// CL_UNPRIVILEGED locked flags.
 +func getUnprivilegedMountFlags(path string) ([]string, error) {
 +	var statfs unix.Statfs_t
 +	if err := unix.Statfs(path, &statfs); err != nil {
 +		return nil, err
 +	}
 +
 +	// The set of keys come from https://github.com/torvalds/linux/blob/v4.13/fs/namespace.c#L1034-L1048.
 +	unprivilegedFlags := map[uint64]string{
 +		unix.MS_RDONLY:     "ro",
 +		unix.MS_NODEV:      "nodev",
 +		unix.MS_NOEXEC:     "noexec",
 +		unix.MS_NOSUID:     "nosuid",
 +		unix.MS_NOATIME:    "noatime",
 +		unix.MS_RELATIME:   "relatime",
 +		unix.MS_NODIRATIME: "nodiratime",
 +	}
 +
 +	var flags []string
 +	for mask, flag := range unprivilegedFlags {
 +		if uint64(statfs.Flags)&mask == mask {
 +			flags = append(flags, flag)
 +		}
 +	}
 +
 +	return flags, nil
 +}
 +
 var (
 	mountPropagationMap = map[string]int{
 		"private":  mount.PRIVATE,
@@ -586,6 +619,19 @@ func setMounts(daemon *Daemon, s *specs.Spec, c *container.Container, mounts []c
 			opts = append(opts, mountPropagationReverseMap[pFlag])
 		}
 +		// If we are using user namespaces, then we must make sure that we
 +		// don't drop any of the CL_UNPRIVILEGED "locked" flags of the source
 +		// "mount" when we bind-mount. The reason for this is that at the point
 +		// when runc sets up the root filesystem, it is already inside a user
 +		// namespace, and thus cannot change any flags that are locked.
 +		if daemon.configStore.RemappedRoot != "" {
 +			unprivOpts, err := getUnprivilegedMountFlags(m.Source)
 +			if err != nil {
 +				return err
 +			}
 +			opts = append(opts, unprivOpts...)
 +		}
 +
 		mt.Options = opts
 		s.Mounts = append(s.Mounts, mt)
 	}
 -- 
 2.16.1
--- a/bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
+++ b/bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
@ -1,4 +1,4 @@
-From 2cc9da975798847cd0a37d1571d8a0f1d72b522d Mon Sep 17 00:00:00 2001
+From 3464bd58d266b0640774952e825558044ffc64e2 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Sun, 8 Apr 2018 20:21:30 +1000
 Subject: [PATCH 1/2] apparmor: allow receiving of signals from 'docker kill'
@ -15,7 +15,7 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
 1 file changed, 6 insertions(+)
 diff --git a/components/engine/profiles/apparmor/template.go b/components/engine/profiles/apparmor/template.go
-index c5ea4584de6b..082638e85903 100644
+index c00a3f70e993..772c4a4873f6 100644
 --- a/components/engine/profiles/apparmor/template.go
 +++ b/components/engine/profiles/apparmor/template.go
@@ -17,6 +17,12 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
@ -32,5 +32,5 @@ index c5ea4584de6b..082638e85903 100644
   deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a subdir)
   # deny write to files not in /proc/<number>/** or /proc/sys/**
 -- 
-2.17.1
+2.18.0
--- a/bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch
+++ b/bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch
@ -1,4 +1,4 @@
-From 8edc54753ab5ea9294c55ec32b49c9eb7cdf3892 Mon Sep 17 00:00:00 2001
+From 0954810e947abf0b4e5d8f6c78598c5d66b43952 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Fri, 29 Jun 2018 17:59:30 +1000
 Subject: [PATCH 2/2] apparmor: clobber docker-default profile on start
@ -21,7 +21,7 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
 3 files changed, 17 insertions(+), 5 deletions(-)
 diff --git a/components/engine/daemon/apparmor_default.go b/components/engine/daemon/apparmor_default.go
-index 2a418b25c241..c3e271ee4774 100644
+index 461f5c7f96b2..8f21c5c0c566 100644
 --- a/components/engine/daemon/apparmor_default.go
 +++ b/components/engine/daemon/apparmor_default.go
@@ -14,6 +14,15 @@ const (
@ -53,12 +53,12 @@ index 2a418b25c241..c3e271ee4774 100644
 	return nil
 }
 diff --git a/components/engine/daemon/apparmor_default_unsupported.go b/components/engine/daemon/apparmor_default_unsupported.go
-index cd2dd9702ef2..17584063c711 100644
+index 51f9c526b350..97d7758442ee 100644
 --- a/components/engine/daemon/apparmor_default_unsupported.go
 +++ b/components/engine/daemon/apparmor_default_unsupported.go
@@ -2,6 +2,10 @@
- package daemon
+ package daemon // import "github.com/docker/docker/daemon"
 +func clobberDefaultAppArmorProfile() error {
 +	return nil
@ -68,10 +68,10 @@ index cd2dd9702ef2..17584063c711 100644
 	return nil
 }
 diff --git a/components/engine/daemon/daemon.go b/components/engine/daemon/daemon.go
-index a11a1f8691cc..6f8846b19f57 100644
+index 5e5f586ae085..6ca6a7aaa268 100644
 --- a/components/engine/daemon/daemon.go
 +++ b/components/engine/daemon/daemon.go
-@@ -594,7 +594,9 @@ func NewDaemon(config *config.Config, registryService registry.Service, containe
+@@ -660,7 +660,9 @@ func NewDaemon(config *config.Config, registryService registry.Service, containe
 		logrus.Warnf("Failed to configure golang's threads limit: %v", err)
 	}
@ -83,5 +83,5 @@ index a11a1f8691cc..6f8846b19f57 100644
 	}
 -- 
-2.17.1
+2.18.0
--- a/bsc1100727-0001-build-add-buildmode-pie.patch
+++ b/bsc1100727-0001-build-add-buildmode-pie.patch
@ -1,4 +1,4 @@
-From d39172ffc6b245f02da1898793ccaef20bb6858a Mon Sep 17 00:00:00 2001
+From 547870ff2904a75fa3e0ee96fa264d53a81d4c01 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Mon, 30 Jul 2018 19:34:01 +1000
 Subject: [PATCH] build: add -buildmode=pie
@ -7,6 +7,7 @@ Make all dynbinary builds be position-independent (this adds both
 security benefits and can help with flaky builds on POWER
 architectures).
 SUSE-Bugs: bsc#1100727
 Signed-off-by: Aleksa Sarai <asarai@suse.de>
 ---
 components/cli/scripts/build/dynbinary | 2 +-
--- a/docker-17.09.1_ce.tar.xz
+++ b/docker-17.09.1_ce.tar.xz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:dd19ad9900aaabb9eb5870be6271262aebbd4f86fa12f7c59677d47876492bf9
 size 6237800
--- a/docker-18.06.1_ce.tar.xz
+++ b/docker-18.06.1_ce.tar.xz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:061ae523be13dbe05ff5377626113a299327cc39fc145f801cd674c67b8c7fe0
 size 8561132
--- a/docker-kubic-service.conf
+++ b/docker-kubic-service.conf
@ -0,0 +1,4 @@
 [Service]
 # Put docker under the podruntime slice. This the recommended
 # deployment to allow fine resource control on Kubernetes.
 Slice=podruntime.slice
--- a/16
+++ b/16
@ -1,7 +1,9 @@
-addFilter ("^docker.x86_64: W: statically-linked-binary /usr/lib64/docker/dockerinit")
+# This is intentional, since we use _multibuild for the flavours.
-addFilter ("^docker-bash-completion.noarch: W: sourced-script-with-shebang /etc/bash_completion.d/docker bash")
+addFilter ("^docker-kubic.src: W: invalid-spec-name")
-addFilter ("^docker.x86_64: W: statically-linked-binary /usr/lib/docker/dockerinit")
+
-addFilter ("^docker.x86_64: W: unstripped-binary-or-object /usr/lib/docker/dockerinit")
+# The #! comes from upstream.
-addFilter ("^docker.x86_64: W: no-manual-page-for-binary docker")
+addFilter ("^docker(-kubic)?-bash-completion.noarch: W: sourced-script-with-shebang /etc/bash_completion.d/docker bash")
-addFilter ("^docker.x86_64: W: no-manual-page-for-binary nsinit")
+addFilter ("^docker(-kubic)?-zsh-completion.noarch: W: sourced-script-with-shebang /etc/zsh_completion.d/docker zsh")
-addFilter ("^docker-test.*")
+
 # -test is something that is used internally and isn't actually shipped -- it's a pseduo-source package.
 addFilter ("^docker(-kubic)?-test.*")
--- a/docker.changes
+++ b/docker.changes
@ -1,3 +1,76 @@
 -------------------------------------------------------------------
 Tue Sep  4 08:32:43 UTC 2018 - rbrown@suse.com
 - ExcludeArch i586 for entire docker-kubic flavour 
 -------------------------------------------------------------------
 Tue Sep  4 07:32:47 UTC 2018 - rbrown@suse.com
 - ExcludeArch i586 for docker-kubic-kubeadm-criconfig subpackage 
 -------------------------------------------------------------------
 Fri Aug 24 08:17:41 UTC 2018 - asarai@suse.com
 - Add patch to make package reproducible, which is a backport of
  https://github.com/docker/cli/pull/1306. boo#1047218
  + bsc1047218-0001-man-obey-SOURCE_DATE_EPOCH-when-generating-man-pages.patch
 -------------------------------------------------------------------
 Wed Aug 22 09:54:57 UTC 2018 - asarai@suse.com
 - Upgrade to docker-ce v18.06.1-ce. Upstream changelog:
  https://github.com/docker/docker-ce/releases/tag/v18.06.1-ce bsc#1102522
 - Remove patches that were merged upstream:
  - bsc1102522-0001-18.06-disable-containerd-CRI-plugin.patch
 -------------------------------------------------------------------
 Tue Aug 21 09:50:01 UTC 2018 - asarai@suse.com
 - Add a backport of https://github.com/docker/engine/pull/29 for the 18.06.0-ce
  upgrade. This is a potential security issue (the CRI plugin was enabled by
  default, which listens on a TCP port bound to 0.0.0.0) that will be fixed
  upstream in the 18.06.1-ce upgrade. bsc#1102522
  + bsc1102522-0001-18.06-disable-containerd-CRI-plugin.patch
 -------------------------------------------------------------------
 Tue Aug 21 09:39:57 UTC 2018 - rbrown@suse.com
 - Kubic: Make crio default, docker as alternative runtime
  (boo#1104821)
 - Provide kubernetes CRI config with docker-kubic-kubeadm-criconfig
  subpackage
 -------------------------------------------------------------------
 Thu Aug 16 02:00:31 UTC 2018 - asarai@suse.com
 - Merge -kubic packages back into the main Virtualization:containers packages.
  This is done using _multibuild to add a "kubic" flavour, which is then used
  to conditionally compile patches and other kubic-specific features.
  bsc#1105000
 - Rework docker-rpmlintrc with the new _multibuild setup.
 -------------------------------------------------------------------
 Wed Aug  1 09:40:59 UTC 2018 - asarai@suse.com
 - Enable seccomp support on SLE12, since libseccomp is now a new enough vintage
  to work with Docker and containerd. fate#325877
 -------------------------------------------------------------------
 Tue Jul 31 09:48:16 UTC 2018 - asarai@suse.com
 - Upgrade to docker-ce v18.06.0-ce. bsc#1102522
 - Remove systemd-service dependency on containerd, which is now being started
  by dockerd to align with upstream defaults.
 - Removed the following patches as they are merged upstream:
  - bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch
  - bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch
 - Rebased the following patches:
  * bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
  * bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch
  * bsc1100727-0001-build-add-buildmode-pie.patch
  * secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
  * secrets-0002-SUSE-implement-SUSE-container-secrets.patch
 -------------------------------------------------------------------
 Mon Jul 30 09:44:47 UTC 2018 - asarai@suse.com
@ -14,11 +87,6 @@ Fri Jun 29 08:35:56 UTC 2018 - asarai@suse.com
  * bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
  + bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch
 -------------------------------------------------------------------
 Wed Jun 13 10:19:23 UTC 2018 - dcassany@suse.com
 - Make use of %license macro
 -------------------------------------------------------------------
 Tue Jun  5 11:24:35 UTC 2018 - asarai@suse.com
@ -26,6 +94,11 @@ Tue Jun  5 11:24:35 UTC 2018 - asarai@suse.com
  between in-container processes. bsc#1073877
  * bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
 -------------------------------------------------------------------
 Tue Jun  5 08:41:07 UTC 2018 - dcassany@suse.com
 - Make use of %license macro
 -------------------------------------------------------------------
 Tue Jun  5 06:38:40 UTC 2018 - asarai@suse.com
@ -41,6 +114,18 @@ Tue May 29 08:10:48 UTC 2018 - asarai@suse.com
  * secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
  * secrets-0002-SUSE-implement-SUSE-container-secrets.patch
 -------------------------------------------------------------------
 Wed May 16 10:12:56 UTC 2018 - jmassaguerpla@suse.com
 - Review Obsoletes to fix bsc#1080978
 -------------------------------------------------------------------
 Thu Apr 12 12:49:25 UTC 2018 - fcastelli@suse.com
 - Put docker under the podruntime slice. This the recommended
  deployment to allow fine resource control on Kubernetes.
  bsc#1086185
 -------------------------------------------------------------------
 Tue Apr 10 09:25:43 UTC 2018 - mmeister@suse.com
@ -66,6 +151,13 @@ Tue Mar 27 10:13:41 UTC 2018 - asarai@suse.com
 - Add requirement for catatonit, which provides a docker-init implementation.
  fate#324652 bsc#1085380
 -------------------------------------------------------------------
 Thu Mar  8 13:14:54 UTC 2018 - vrothberg@suse.com
 - Fix private-registry-0001-Add-private-registry-mirror-support.patch to
  deal corretly with TLS configs of 3rd party registries.
  fix bsc#1084533
 -------------------------------------------------------------------
 Tue Feb 13 10:45:58 UTC 2018 - asarai@suse.com
@ -75,9 +167,40 @@ Tue Feb 13 10:45:58 UTC 2018 - asarai@suse.com
  patch maintenance is much simpler.
  * bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch
  * bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch
  * private-registry-0001-Add-private-registry-mirror-support.patch
  * secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
  * secrets-0002-SUSE-implement-SUSE-container-secrets.patch
 -------------------------------------------------------------------
 Mon Feb 12 10:52:33 UTC 2018 - rbrown@suse.com
 - Add ${version} to equivalent non-kubic package provides
 -------------------------------------------------------------------
 Thu Feb  8 12:34:51 UTC 2018 - rbrown@suse.com
 - Add Provides for equivalent non-kubic packages
 -------------------------------------------------------------------
 Tue Jan 30 12:27:44 UTC 2018 - vrothberg@suse.com
 - Disable all tests for docker/client and docker/pkg/discovery.  The unit tests
  of those packages broke reproducibly the builds in IBS.
 -------------------------------------------------------------------
 Mon Jan 29 14:39:02 UTC 2018 - vrothberg@suse.com
 - Disable flaky tests github.com/docker/docker/pkg/discovery/kv.
 -------------------------------------------------------------------
 Fri Jan 26 07:15:53 UTC 2018 - vrothberg@suse.com
 - Add patch to support mirroring of private/non-upstream registries. As soon as
  the upstream PR (https://github.com/moby/moby/pull/34319) is merged, this
  patch will be replaced by the backported one from upstream.
  + private-registry-0001-Add-private-registry-mirror-support.patch
  fix bsc#1074971
 -------------------------------------------------------------------
 Fri Jan 19 14:12:32 UTC 2018 - asarai@suse.com
--- a/docker.service
+++ b/docker.service
@ -1,8 +1,7 @@
 [Unit]
 Description=Docker Application Container Engine
 Documentation=http://docs.docker.com
-After=network.target containerd.socket containerd.service lvm2-monitor.service SuSEfirewall2.service
+After=network.target lvm2-monitor.service SuSEfirewall2.service
 Requires=containerd.socket containerd.service
 [Service]
 EnvironmentFile=/etc/sysconfig/docker
@ -11,7 +10,7 @@ EnvironmentFile=/etc/sysconfig/docker
 # enabled by default because enabling socket activation means that on boot your
 # containers won't start until someone tries to administer the Docker daemon.
 Type=notify
-ExecStart=/usr/bin/dockerd --containerd /run/containerd/containerd.sock --add-runtime oci=/usr/sbin/docker-runc $DOCKER_NETWORK_OPTIONS $DOCKER_OPTS
+ExecStart=/usr/bin/dockerd --add-runtime oci=/usr/sbin/docker-runc $DOCKER_NETWORK_OPTIONS $DOCKER_OPTS
 ExecReload=/bin/kill -s HUP $MAINPID
 # Having non-zero Limit*s causes performance problems due to accounting overhead
--- a/docker.spec
+++ b/docker.spec
@ -26,32 +26,46 @@
  %define _fillupdir /var/adm/fillup-templates
 %endif
 # Handle _multibuild magic.
 %define flavour @BUILD_FLAVOR@%{nil}
 # We split the Name: into "realname" and "name_suffix".
 %define realname docker
 %if "%flavour" == ""
 %define name_suffix %{nil}
 %else
 %define name_suffix -%{flavour}
 %endif
 # Used when generating the "build" information for Docker version. The value of
 # git_commit_epoch is unused here (we use SOURCE_DATE_EPOCH, which rpm
 # helpfully injects into our build environment from the changelog). If you want
 # to generate a new git_commit_epoch, use this:
 #  $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s'
-%define git_version f4ffd2511ce9
+%define git_version e68fc7a215d7
-%define git_commit_epoch 1508606827
+%define git_commit_epoch 1534871791
 # These are the git commits required. We verify them against the source to make
 # sure we didn't miss anything important when doing upgrades.
-%define required_containerd 06b9cb35161009dcb7123345749fef02f7cea8e0
+%define required_containerd 468a545b9edcd5932818eb9de8e72413e616e86e
-%define required_dockerrunc 3f2f8b84a77f73d38244dd690525642a72156c64
+%define required_dockerrunc 69663f0bd4b60df09991c08812a60108003fa340
-%define required_libnetwork 7b2b1feb1de4817d522cc372af149ff48d25028e
+%define required_libnetwork 3ac297bc7fd0afec9051bbb47024c9bc1d75bf5b
-Name:           docker
+Name:           %{realname}%{name_suffix}
-Version:        17.09.1_ce
+Version:        18.06.1_ce
 Release:        0
 Summary:        The Linux container runtime
 License:        Apache-2.0
 Group:          System/Management
 Url:            http://www.docker.io
 # TODO(VR): check those SOURCE files below
-Source:         %{name}-%{version}.tar.xz
+Source:         %{realname}-%{version}.tar.xz
 Source1:        docker.service
 # bsc#1086185 -- but we only apply this on Kubic.
 Source2:        docker-kubic-service.conf
 Source3:        80-docker.rules
 Source4:        sysconfig.docker
 Source5:        kubelet.env
 Source6:        docker-rpmlintrc
 Source7:        README_SUSE.md
 Source8:        docker-audit.rules
@ -62,16 +76,17 @@ Source9:        tests.sh
 # branch in http://github.com/suse/docker.mirror.
 Patch200:       secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
 Patch201:       secrets-0002-SUSE-implement-SUSE-container-secrets.patch
 # SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35205. bsc#1055676
 Patch400:       bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch
 # SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35518. bsc#1021227 bsc#1029320 bsc#1058173
 Patch401:       bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch
 # SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/36822. bsc#1073877
-Patch402:       bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
+Patch400:       bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
 # SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/37353. bsc#1099277
-Patch403:       bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch
+Patch401:       bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch
 # SUSE-BACKPORT: Backport of https://github.com/docker/cli/pull/1242. bsc#1100727
-Patch404:       bsc1100727-0001-build-add-buildmode-pie.patch
+Patch402:       bsc1100727-0001-build-add-buildmode-pie.patch
 # SUSE-BACKPORT: Backport of https://github.com/docker/cli/pull/1306. boo#1047218
 Patch403:       bsc1047218-0001-man-obey-SOURCE_DATE_EPOCH-when-generating-man-pages.patch
 # SUSE-FEATURE: Add support to mirror inofficial/private registries
 #               (https://github.com/moby/moby/pull/34319)
 Patch500:       private-registry-0001-Add-private-registry-mirror-support.patch
 BuildRequires:  audit
 BuildRequires:  bash-completion
 BuildRequires:  ca-certificates
@ -79,21 +94,7 @@ BuildRequires:  device-mapper-devel >= 1.2.68
 BuildRequires:  glibc-devel-static
 BuildRequires:  libapparmor-devel
 BuildRequires:  libbtrfs-devel >= 3.8
-# enable libseccomp for sle >= sle12sp2
+BuildRequires:  libseccomp-devel >= 2.2
 %if 0%{?sle_version} >= 120200
 %define with_libseccomp 1
 %endif
 # enable libseccomp for leap >= 42.2
 %if 0%{?leap_version} >= 420200
 %define with_libseccomp 1
 %endif
 # enable libseccomp for Factory
 %if 0%{?suse_version} > 1320
 %define with_libseccomp 1
 %endif
 %if 0%{?with_libseccomp}
 BuildRequires:  libseccomp-devel
 %endif
 BuildRequires:  libtool
 BuildRequires:  procps
 BuildRequires:  sqlite3-devel
@ -104,14 +105,14 @@ Requires:       ca-certificates-mozilla
 # Required in order for networking to work. fix_bsc_1057743 is a work-around
 # for some old packaging issues (where rpm would delete a binary that was
 # installed by docker-libnetwork). See bsc#1057743 for more details.
-Requires:       docker-libnetwork-git = %{required_libnetwork}
+Requires:       docker-libnetwork%{name_suffix}-git = %{required_libnetwork}
 Requires:       fix_bsc_1057743
 # Containerd and runC are required as they are the only currently supported
 # execdrivers of Docker. NOTE: The version pinning here matches upstream's
 # vendor.conf to ensure that we don't use a slightly incompatible version of
 # runC or containerd (which would be bad).
-Requires:       containerd-git  = %{required_containerd}
+Requires:       containerd%{name_suffix}-git  = %{required_containerd}
-Requires:       docker-runc-git = %{required_dockerrunc}
+Requires:       docker-runc%{name_suffix}-git = %{required_dockerrunc}
 # Needed for --init support. We don't use "tini", we use our own implementation
 # which handles edge-cases better.
 Requires:       catatonit
@ -134,11 +135,26 @@ Obsoletes:      docker-image-migrator
 # different storage-driver than devicemapper
 Recommends:     lvm2 >= 2.2.89
 Conflicts:      lxc < 1.0
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 ExcludeArch:    s390 ppc
-# Make sure we build with go 1.8
+# Make sure we build with go 1.10
 BuildRequires:  go-go-md2man
-BuildRequires:  golang(API) = 1.8
+BuildRequires:  golang(API) = 1.10
 # KUBIC-SPECIFIC: This was required when upgrading from the original kubic
 #                 packaging, when everything was renamed to -kubic. It also is
 #                 used to ensure that nothing complains too much when using
 #                 -kubic packages. Hopfully it can be removed one day.
 %if "%flavour" == "kubic"
 # Obsolete old packege without the -kubic suffix
 Obsoletes:      %{realname} = 1.12.6
 Obsoletes:      %{realname}_1_12_6
 # Conflict with non-kubic package, and provide equivalent
 Conflicts:      %{realname}
 Provides:       %{realname} = %{version}
 # Kubernetes requires cri-runtime, which should be provided only by the -kubic flavour of this package
 Provides:       cri-runtime
 # No i586 Kubernetes, so docker-kubic must not be built for i586 also
 ExcludeArch:    i586
 %endif
 %description
 Docker complements LXC with a high-level API which operates at the process
@ -153,8 +169,19 @@ service-oriented architectures, etc.
 Summary:        Bash Completion for %{name}
 Group:          System/Management
 Requires:       %{name} = %{version}
-Supplements:    packageand(docker:bash-completion)
+Supplements:    packageand(%{name}:bash-completion)
 BuildArch:      noarch
 # KUBIC-SPECIFIC: This was required when upgrading from the original kubic
 #                 packaging, when everything was renamed to -kubic. It also is
 #                 used to ensure that nothing complains too much when using
 #                 -kubic packages. Hopfully it can be removed one day.
 %if "%flavour" == "kubic"
 # Obsolete old packege without the -kubic suffix
 Obsoletes:      %{realname}-bash-completion = 1.12.6
 # Conflict with non-kubic package, and provide equivalent
 Conflicts:      %{realname}-bash-completion > 1.12.6
 Provides:       %{realname}-bash-completion = %{version}
 %endif
 %description bash-completion
 Bash command line completion support for %{name}.
@ -163,8 +190,19 @@ Bash command line completion support for %{name}.
 Summary:        Zsh Completion for %{name}
 Group:          System/Management
 Requires:       %{name} = %{version}
-Supplements:    packageand(docker:zsh)
+Supplements:    packageand(%{name}:zsh)
 BuildArch:      noarch
 # KUBIC-SPECIFIC: This was required when upgrading from the original kubic
 #                 packaging, when everything was renamed to -kubic. It also is
 #                 used to ensure that nothing complains too much when using
 #                 -kubic packages. Hopfully it can be removed one day.
 %if "%flavour" == "kubic"
 # Obsolete old packege without the -kubic suffix
 Obsoletes:      %{realname}-zsh-completion = 1.12.6
 # Conflict with non-kubic package, and provide equivalent
 Conflicts:      %{realname}-zsh-completion > 1.12.6
 Provides:       %{realname}-zsh-completion = %{version}
 %endif
 %description zsh-completion
 Zsh command line completion support for %{name}.
@ -183,12 +221,37 @@ Requires:       libbtrfs-devel >= 3.8
 Requires:       procps
 Requires:       sqlite3-devel
 Requires:       golang(API) = 1.8
 # KUBIC-SPECIFIC: This was required when upgrading from the original kubic
 #                 packaging, when everything was renamed to -kubic. It also is
 #                 used to ensure that nothing complains too much when using
 #                 -kubic packages. Hopfully it can be removed one day.
 %if "%flavour" == "kubic"
 # Obsolete old packege without the -kubic suffix
 Obsoletes:      %{realname}-test = 1.12.6
 # Conflict with non-kubic package, and provide equivalent
 Conflicts:      %{realname}-test > 1.12.6
 Provides:       %{realname}-test = %{version}
 %endif
 %description test
 Test package for docker. It contains the source code and the tests.
 %if "%flavour" == "kubic"
 %package kubeadm-criconfig
 Summary:        docker container runtime configuration for kubeadm
 Group:          System/Management
 Requires:       kubernetes-kubeadm
 Requires(post): %fillup_prereq
 Supplements:    docker-kubic
 Provides:       kubernetes-kubeadm-criconfig
 Conflicts:      cri-o-kubeadm-criconfig
 %description kubeadm-criconfig
 docker container runtime configuration for kubeadm
 %endif
 %prep
-%setup -q
+%setup -q -n %{realname}-%{version}
 %if 0%{?is_opensuse}
 # nothing
 %else
@ -196,25 +259,24 @@ Test package for docker. It contains the source code and the tests.
 %patch200 -p1
 %patch201 -p1
 %endif
 # bsc#1055676
 %patch400 -p1
 # bsc#1021227 bsc#1029320 bsc#1058173
 %patch401 -p1
 # bsc#1073877
-%patch402 -p1
+%patch400 -p1
 # bsc#1099277
-%patch403 -p1
+%patch401 -p1
 # bsc#1100727
-%patch404 -p1
+%patch402 -p1
 # boo#1047218
 %patch403 -p1
 %if "%flavour" == "kubic"
 # PATCH-SUSE: Mirror patch.
 %patch500 -p1
 %endif
 cp %{SOURCE7} .
 cp %{SOURCE9} .
 %build
-BUILDTAGS="exclude_graphdriver_aufs apparmor selinux pkcs11"
+BUILDTAGS="exclude_graphdriver_aufs apparmor selinux seccomp pkcs11"
 %if 0%{?with_libseccomp}
 BUILDTAGS="seccomp $BUILDTAGS"
 %endif
 %if 0%{?sle_version} == 120000
 	# Provided by patch406, to allow us to build with older distros but still
 	# have deferred removal support at runtime. We only use this when building
@ -279,9 +341,9 @@ cd ../..
 # of the upstream vendoring scripts. This is done on-build to make sure that
 # someone doing an update didn't miss anything.
 cd components/engine
-grep 'RUNC_COMMIT=%{required_dockerrunc}'       hack/dockerfile/binaries-commits
+grep 'RUNC_COMMIT=%{required_dockerrunc}'       hack/dockerfile/install/runc.installer
-grep 'CONTAINERD_COMMIT=%{required_containerd}' hack/dockerfile/binaries-commits
+grep 'CONTAINERD_COMMIT=%{required_containerd}' hack/dockerfile/install/containerd.installer
-grep 'LIBNETWORK_COMMIT=%{required_libnetwork}' hack/dockerfile/binaries-commits
+grep 'LIBNETWORK_COMMIT=%{required_libnetwork}' hack/dockerfile/install/proxy.installer
 %install
 install -d %{buildroot}%{go_contribdir}
@ -293,8 +355,8 @@ install -Dd -m 0755 \
 	%{buildroot}%{_sysconfdir}/init.d \
 	%{buildroot}%{_sbindir}
-install -D -m0644 components/cli/contrib/completion/bash/docker "%{buildroot}%{_sysconfdir}/bash_completion.d/%{name}"
+install -D -m0644 components/cli/contrib/completion/bash/docker "%{buildroot}%{_sysconfdir}/bash_completion.d/%{realname}"
-install -D -m0644 components/cli/contrib/completion/zsh/_docker "%{buildroot}%{_sysconfdir}/zsh_completion.d/%{name}"
+install -D -m0644 components/cli/contrib/completion/zsh/_docker "%{buildroot}%{_sysconfdir}/zsh_completion.d/%{realname}"
 # copy all for the test package
 install -d %{buildroot}%{_prefix}/src/docker/
 cp -a components/engine/. %{buildroot}%{_prefix}/src/docker/engine
@ -303,17 +365,20 @@ cp -a components/cli/. %{buildroot}%{_prefix}/src/docker/cli
 #
 # systemd service
 #
-install -D -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/%{name}.service
+install -D -m0644 %{SOURCE1} %{buildroot}%{_unitdir}/%{realname}.service
 %if "%flavour" == "kubic"
 install -D -m0644 %{SOURCE2} %{buildroot}%{_unitdir}/%{realname}.service.d/90-kubic.conf
 %endif
 ln -sf service %{buildroot}%{_sbindir}/rcdocker
 #
 # udev rules that prevents dolphin to show all docker devices and slows down
 # upstream report https://bugs.kde.org/show_bug.cgi?id=329930
 #
-install -D -m 0644 %{SOURCE3} %{buildroot}%{_udevrulesdir}/80-%{name}.rules
+install -D -m 0644 %{SOURCE3} %{buildroot}%{_udevrulesdir}/80-%{realname}.rules
 # audit rules
-install -D -m 0640 %{SOURCE8} %{buildroot}%{_sysconfdir}/audit/rules.d/%{name}.rules
+install -D -m 0640 %{SOURCE8} %{buildroot}%{_sysconfdir}/audit/rules.d/%{realname}.rules
 # sysconfig file
 install -D -m 644 %{SOURCE4} %{buildroot}%{_fillupdir}/sysconfig.docker
@ -326,21 +391,42 @@ install -p -m 644 components/cli/man/man5/Dockerfile.5 %{buildroot}%{_mandir}/ma
 install -d %{buildroot}%{_mandir}/man8
 install -p -m 644 components/cli/man/man8/*.8 %{buildroot}%{_mandir}/man8
 %if "%flavour" == "kubic"
 # place kubelet.env in fillupdir (for kubeadm-criconfig)
 install -D -m 0644 %{SOURCE5} %{buildroot}%{_fillupdir}/sysconfig.kubelet
 %endif
 %fdupes %{buildroot}
 %pre
 getent group docker >/dev/null || groupadd -r docker
-%service_add_pre %{name}.service
+%service_add_pre %{realname}.service
 %post
-%service_add_post %{name}.service
+%service_add_post %{realname}.service
 %{fillup_only -n docker}
 # NOTE: This is a pretty hacky way of getting around the fact we've removed
 #       containerd.service and now everything is spawned underneath Docker. In
 #       order to force containerd.service to be stopped on the upgrade we need
 #       to trick the systemd macros into thinking that this is an "uninstall".
 #       Hopefully we can remove this soon.
 (
 	FIRST_ARG=0
 	%service_del_preun containerd.service containerd.socket
 	%service_del_postun containerd.service containerd.socket
 )
 %if "%flavour" == "kubic"
 %post kubeadm-criconfig
 %fillup_only -n kubelet
 %endif
 %preun
-%service_del_preun %{name}.service
+%service_del_preun %{realname}.service
 %postun
-%service_del_postun %{name}.service
+%service_del_postun %{realname}.service
 %files
 %defattr(-,root,root)
@ -349,9 +435,13 @@ getent group docker >/dev/null || groupadd -r docker
 %{_bindir}/docker
 %{_bindir}/dockerd
 %{_sbindir}/rcdocker
-%{_unitdir}/%{name}.service
+%{_unitdir}/%{realname}.service
-%config %{_sysconfdir}/audit/rules.d/%{name}.rules
+%if "%flavour" == "kubic"
-%{_udevrulesdir}/80-%{name}.rules
+%dir %{_unitdir}/%{realname}.service.d/
 %{_unitdir}/%{realname}.service.d/90-kubic.conf
 %endif
 %config %{_sysconfdir}/audit/rules.d/%{realname}.rules
 %{_udevrulesdir}/80-%{realname}.rules
 %{_fillupdir}/sysconfig.docker
 %dir %{_localstatedir}/lib/docker/
 %{_mandir}/man1/docker-*.1%{ext_man}
@ -361,11 +451,11 @@ getent group docker >/dev/null || groupadd -r docker
 %files bash-completion
 %defattr(-,root,root)
-%config %{_sysconfdir}/bash_completion.d/%{name}
+%config %{_sysconfdir}/bash_completion.d/%{realname}
 %files zsh-completion
 %defattr(-,root,root)
-%config %{_sysconfdir}/zsh_completion.d/%{name}
+%config %{_sysconfdir}/zsh_completion.d/%{realname}
 %files test
 %defattr(-,root,root)
@ -379,4 +469,10 @@ getent group docker >/dev/null || groupadd -r docker
 %exclude %{_prefix}/src/docker/engine/contrib/init/sysvinit-redhat
 %exclude %{_prefix}/src/docker/engine/contrib/init/upstart
 %if "%flavour" == "kubic"
 %files kubeadm-criconfig
 %defattr(-,root,root)
 %{_fillupdir}/sysconfig.kubelet
 %endif
 %changelog
--- a/kubelet.env
+++ b/kubelet.env
@ -0,0 +1 @@
 KUBELET_EXTRA_ARGS="--cni-bin-dir=/usr/lib/cni"
--- a/private-registry-0001-Add-private-registry-mirror-support.patch
+++ b/private-registry-0001-Add-private-registry-mirror-support.patch
--- a/secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
+++ b/secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
@ -1,4 +1,4 @@
-From c607825b73e5f850b3804a10e9f3c8684cb29d16 Mon Sep 17 00:00:00 2001
+From 95a40e4f18c80cce91f16c6dff08e13642de54da Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Wed, 8 Mar 2017 12:41:54 +1100
 Subject: [PATCH 1/2] daemon: allow directory creation in /run/secrets
@ -14,26 +14,26 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
 1 file changed, 21 insertions(+), 3 deletions(-)
 diff --git a/components/engine/daemon/container_operations_unix.go b/components/engine/daemon/container_operations_unix.go
-index 954c194ea836..3ef1e0262edc 100644
+index bc7ee452332b..d34129dfd80b 100644
 --- a/components/engine/daemon/container_operations_unix.go
 +++ b/components/engine/daemon/container_operations_unix.go
@@ -3,6 +3,7 @@
- package daemon
+ package daemon // import "github.com/docker/docker/daemon"
 import (
 +	"bytes"
 	"context"
 	"fmt"
 	"io/ioutil"
-@@ -13,6 +14,7 @@ import (
+@@ -14,6 +15,7 @@ import (
 	"github.com/docker/docker/container"
 	"github.com/docker/docker/daemon/links"
 	"github.com/docker/docker/errdefs"
 +	"github.com/docker/docker/pkg/archive"
 	"github.com/docker/docker/pkg/idtools"
 	"github.com/docker/docker/pkg/mount"
 	"github.com/docker/docker/pkg/stringid"
-@@ -216,9 +218,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
+@@ -206,9 +208,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
 		if err != nil {
 			return errors.Wrap(err, "unable to get secret from secret store")
 		}
@ -43,7 +43,7 @@ index 954c194ea836..3ef1e0262edc 100644
 		uid, err := strconv.Atoi(s.File.UID)
 		if err != nil {
-@@ -229,6 +228,25 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
+@@ -219,6 +218,25 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
 			return err
 		}
@ -70,5 +70,5 @@ index 954c194ea836..3ef1e0262edc 100644
 			return errors.Wrap(err, "error setting ownership for secret")
 		}
 -- 
-2.17.0
+2.18.0
--- a/secrets-0002-SUSE-implement-SUSE-container-secrets.patch
+++ b/secrets-0002-SUSE-implement-SUSE-container-secrets.patch
@ -1,4 +1,4 @@
-From a7533a3084e925eb478148ef30bec0d1f1b81ae3 Mon Sep 17 00:00:00 2001
+From f178392f98b42bf36ff8d8c6a23c8caab9ac10f7 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Wed, 8 Mar 2017 11:43:29 +1100
 Subject: [PATCH 2/2] SUSE: implement SUSE container secrets
@ -10,36 +10,36 @@ THIS PATCH IS NOT TO BE UPSTREAMED, DUE TO THE FACT THAT IT IS
 SUSE-SPECIFIC, AND UPSTREAM DOES NOT APPROVE OF THIS CONCEPT BECAUSE IT
 MAKES BUILDS NOT ENTIRELY REPRODUCIBLE.
-SUSE-Bugs: bsc#1065609 bsc#1057743 bsc#1055676 bsc#1030702
+SUSE-Bugs: bsc#1057743 bsc#1055676 bsc#1030702
 Signed-off-by: Aleksa Sarai <asarai@suse.de>
 ---
 components/engine/daemon/start.go        |   5 +
- components/engine/daemon/suse_secrets.go | 399 +++++++++++++++++++++++
+ components/engine/daemon/suse_secrets.go | 396 +++++++++++++++++++++++
- 2 files changed, 404 insertions(+)
+ 2 files changed, 401 insertions(+)
 create mode 100644 components/engine/daemon/suse_secrets.go
 diff --git a/components/engine/daemon/start.go b/components/engine/daemon/start.go
-index 55438cf2c45f..7dfa6cd1d055 100644
+index c00bd9ceb22b..aa705888df39 100644
 --- a/components/engine/daemon/start.go
 +++ b/components/engine/daemon/start.go
-@@ -147,6 +147,11 @@ func (daemon *Daemon) containerStart(container *container.Container, checkpoint
+@@ -151,6 +151,11 @@ func (daemon *Daemon) containerStart(container *container.Container, checkpoint
 		return err
 	}
 +	// SUSE:secrets -- inject the SUSE secret store
 +	if err := daemon.injectSuseSecretStore(container); err != nil {
-+		return err
+		return errdefs.System(err)
 +	}
 +
 	spec, err := daemon.createSpec(container)
 	if err != nil {
- 		return systemError{err}
+ 		return errdefs.System(err)
 diff --git a/components/engine/daemon/suse_secrets.go b/components/engine/daemon/suse_secrets.go
 new file mode 100644
-index 000000000000..00e485368b47
+index 000000000000..817cd5561023
 --- /dev/null
 +++ b/components/engine/daemon/suse_secrets.go
-@@ -0,0 +1,399 @@
+@@ -0,0 +1,396 @@
 +/*
 + * suse-secrets: patch for Docker to implement SUSE secrets
 + * Copyright (C) 2017 SUSE LLC.
@ -143,10 +143,6 @@ index 000000000000..00e485368b47
 +	var suseFiles []*SuseFakeFile
 +
 +	path := filepath.Join(prefix, dir)
 +	if _, err := os.Lstat(path); err != nil && os.IsNotExist(err) {
 +		// If the path doesn't exist at all we don't inject anything.
 +		return nil, nil
 +	}
 +	fi, err := os.Stat(path)
 +	if err != nil {
 +		// Ignore dangling symlinks.
@ -263,10 +259,6 @@ index 000000000000..00e485368b47
 +// readFile returns a secret given a file under a given prefix.
 +func readFile(prefix, file string) ([]*SuseFakeFile, error) {
 +	path := filepath.Join(prefix, file)
 +	if _, err := os.Lstat(path); err != nil && os.IsNotExist(err) {
 +		// If the path doesn't exist at all we don't inject anything.
 +		return nil, nil
 +	}
 +	fi, err := os.Stat(path)
 +	if err != nil {
 +		// Ignore dangling symlinks.
@ -430,7 +422,12 @@ index 000000000000..00e485368b47
 +	// to the mount list. This causes clashes because of duplicate namespaces.
 +	// If we see an existing mount that will clash with the in-built secrets
 +	// mount we assume it's our fault.
-+	for _, intendedMount := range c.SecretMounts() {
+	intendedMounts, err := c.SecretMounts()
 +	if err != nil {
 +		logrus.Warnf("SUSE:secrets :: fetching old secret mounts: %v", err)
 +		return err
 +	}
 +	for _, intendedMount := range intendedMounts {
 +		mountPath := intendedMount.Destination
 +		if volume, ok := c.MountPoints[mountPath]; ok {
 +			logrus.Debugf("SUSE:secrets :: removing pre-existing %q mount: %#v", mountPath, volume)
@ -440,5 +437,5 @@ index 000000000000..00e485368b47
 +	return nil
 +}
 -- 
-2.17.0
+2.18.0
		`@ -0,0 +1 @@`
							`KUBELET_EXTRA_ARGS="--cni-bin-dir=/usr/lib/cni"`