Accepting request 1230151 from Virtualization:containers

OBS-URL: https://build.opensuse.org/request/show/1230151
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/docker?expand=0&rev=157

0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch

@@ -1,4 +1,4 @@
-From c804f6484cb59db827d2b6be6f343a3ca9213a22 Mon Sep 17 00:00:00 2001
+From 7ab9590b94925a03e0f16285492a73dbc231800c Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Wed, 8 Mar 2017 11:43:29 +1100
 Subject: [PATCH 2/7] SECRETS: SUSE: implement SUSE container secrets
@@ -14,12 +14,12 @@ THIS PATCH IS NOT TO BE UPSTREAMED, DUE TO THE FACT THAT IT IS
 SUSE-SPECIFIC, AND UPSTREAM DOES NOT APPROVE OF THIS CONCEPT BECAUSE IT
 MAKES BUILDS NOT ENTIRELY REPRODUCIBLE.
 
-SUSE-Bugs: bsc#1065609 bsc#1057743 bsc#1055676 bsc#1030702
+SUSE-Bugs: bsc#1065609 bsc#1057743 bsc#1055676 bsc#1030702 bsc#1231348
 Signed-off-by: Aleksa Sarai <asarai@suse.de>
 ---
  daemon/start.go        |   5 +
- daemon/suse_secrets.go | 439 +++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 444 insertions(+)
+ daemon/suse_secrets.go | 461 +++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 466 insertions(+)
  create mode 100644 daemon/suse_secrets.go
 
 diff --git a/daemon/start.go b/daemon/start.go
@@ -40,10 +40,10 @@ index b967947af2ce..e1a1218eb016 100644
  		return err
 diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go
 new file mode 100644
-index 000000000000..f003299522df
+index 000000000000..85b37bf46544
 --- /dev/null
 +++ b/daemon/suse_secrets.go
-@@ -0,0 +1,439 @@
+@@ -0,0 +1,461 @@
 +/*
 + * suse-secrets: patch for Docker to implement SUSE secrets
 + * Copyright (C) 2017-2021 SUSE LLC.
@@ -86,12 +86,46 @@ index 000000000000..f003299522df
 +	"github.com/sirupsen/logrus"
 +)
 +
++const suseSecretsTogglePath = "/etc/docker/suse-secrets-enable"
++
++// parseEnableFile parses a file that can only contain "0" or "1" (with some
++// whitespace).
++func parseEnableFile(path string) (bool, error) {
++	data, err := os.ReadFile(path)
++	if err != nil {
++		return false, err
++	}
++	data = bytes.TrimSpace(data)
++
++	switch value := string(data); value {
++	case "1":
++		return true, nil
++	case "0", "":
++		return false, nil
++	default:
++		return false, fmt.Errorf("invalid value %q (must be 0 to disable or 1 to enable)", value)
++	}
++}
++
++func isSuseSecretsEnabled() bool {
++	value, err := parseEnableFile(suseSecretsTogglePath)
++	if err != nil {
++		logrus.Warnf("SUSE:secrets :: error parsing %s: %v -- disabling SUSE secrets", suseSecretsTogglePath, err)
++		value = false
++	}
++	return value
++}
++
++var suseSecretsEnabled = true
++
 +func init() {
-+	// Output to tell us in logs that SUSE:secrets is enabled.
-+	if isSuseSecretEnabled() {
-+		logrus.Infof("SUSE:secrets :: enabled")
++	// Make this entire feature toggle-able so that users can disable it if
++	// they run into issues like bsc#1231348.
++	suseSecretsEnabled = isSuseSecretsEnabled()
++	if suseSecretsEnabled {
++		logrus.Infof("SUSE:secrets :: SUSEConnect support enabled (set %s to 0 to disable)", suseSecretsTogglePath)
 +	} else {
-+		logrus.Infof("SUSE:secrets :: disabled by DOCKER_SUSE_SECRETS_ENABLE=0")
++		logrus.Infof("SUSE:secrets :: SUSEConnect support disabled by %s", suseSecretsTogglePath)
 +	}
 +}
 +
@@ -408,7 +442,7 @@ index 000000000000..f003299522df
 +	var without []*swarmtypes.SecretReference
 +	for _, secret := range c.SecretReferences {
 +		if strings.HasPrefix(secret.SecretID, "suse") {
-+			logrus.Warnf("SUSE:secrets :: removing 'old' suse secret %q from container %q", secret.SecretID, c.ID)
++			logrus.Debugf("SUSE:secrets :: removing 'old' suse secret %q from container %q", secret.SecretID, c.ID)
 +			continue
 +		}
 +		without = append(without, secret)
@@ -416,24 +450,18 @@ index 000000000000..f003299522df
 +	c.SecretReferences = without
 +}
 +
-+func isSuseSecretEnabled() bool {
-+	env := os.Getenv("DOCKER_SUSE_SECRETS_ENABLE")
-+	switch env {
-+	case "0", "no":
-+		return false
-+	default:
-+		logrus.Errorf("SUSE:secrets :: DOCKER_SUSE_SECRETS_ENABLE=%q is an invalid value, keeping SUSE secrets enabled", env)
-+		fallthrough
-+	case "", "1", "yes":
-+		return true
-+	}
-+}
-+
 +func (daemon *Daemon) injectSuseSecretStore(c *container.Container) error {
-+	// Allow users to disable SUSE secrets in cases where they don't need it
-+	// (in principle you only really need containers-suseconnect when you're
-+	// building images). bsc#1231348
-+	if !isSuseSecretEnabled() {
++	// We drop any "old" SUSE secrets, as it appears that old containers (when
++	// restarted) could still have references to old secrets. The .id() of all
++	// secrets have a prefix of "suse" so this is much easier. See bsc#1057743
++	// for details on why this could cause issues.
++	removeSuseSecrets(c)
++
++	// Don't inject anything if the administrator has disabled suse secrets.
++	// However, for previous existing containers we need to remove old secrets
++	// (see above), otherwise they will still have old secret data.
++	if !suseSecretsEnabled {
++		logrus.Debugf("SUSE:secrets :: skipping injection of secrets into container %q because of %s", c.ID, suseSecretsTogglePath)
 +		return nil
 +	}
 +
@@ -446,12 +474,6 @@ index 000000000000..f003299522df
 +		newDependencyStore.dfl = emptyStore
 +	}
 +
-+	// We drop any "old" SUSE secrets, as it appears that old containers (when
-+	// restarted) could still have references to old secrets. The .id() of all
-+	// secrets have a prefix of "suse" so this is much easier. See bsc#1057743
-+	// for details on why this could cause issues.
-+	removeSuseSecrets(c)
-+
 +	secrets, err := getHostSuseSecretData()
 +	if err != nil {
 +		return err
@@ -484,5 +506,5 @@ index 000000000000..f003299522df
 +	return nil
 +}
 -- 
-2.47.0
+2.47.1
 

_service

@@ -19,8 +19,8 @@
     <param name="url">https://github.com/docker/buildx.git</param>
     <param name="scm">git</param>
     <param name="exclude">.git</param>
-    <param name="versionformat">0.17.1</param>
-    <param name="revision">v0.17.1</param>
+    <param name="versionformat">0.19.2</param>
+    <param name="revision">v0.19.2</param>
     <param name="filename">docker-buildx</param>
   </service>
   <service name="recompress" mode="manual">

docker-buildx-0.17.1.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:fd0f81752a02e20b611f95a35718bdc44eb1e203e0fd80d7afb87dfd8135c300
-size 6445376

docker-buildx-0.19.2.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d915e0d1a81e1ec04bd2d37223e46d8e0438d326d713cde9d059ff2e809bf5b2
+size 6479440

docker-integration.sh

@@ -0,0 +1,291 @@
+#!/bin/bash
+# docker-integration: run Docker's integration tests
+# Copyright (C) 2024 SUSE LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -Eeuo pipefail
+
+TESTDIR=/usr/src/docker-test
+TEST_SRCDIR="$TESTDIR/src"
+TEST_BINDIR="$TESTDIR/bin"
+
+TMPROOT="$(mktemp --tmpdir -d docker-integration-tmpdir.XXXXXX)"
+TMPDIR="$TMPROOT/tmp"
+DEST="$TMPROOT/dest"
+
+mkdir -p "$TMPDIR" "$TEST_BINDIR" "$DEST"
+chmod 1777 "$TMPDIR"
+chmod 777 "$TMPROOT"
+
+function usage() {
+	cat >&2 <<-EOF
+	docker-integration.sh [-Av] [-r TestName] [-t timeout] [<test-suites>...]
+
+	Arguments:
+	  -A
+	         Run all tests (do not fail on first suite failure).
+	  -v
+	         Run tests in verbose mode (go test -v).
+	  -r
+	         Only run tests that match the given regular expression (go test -run).
+	  -t <timeout=$timeout>
+	         Set the per-suite timeout to <timeout> (go test -timeout).
+	  <test-suites>...
+	         Only run the given test suites in /usr/src/docker-test. The
+	         default is to run all test suites
+
+	Examples:
+
+	  Run the build and network integration tests with a 60 minute timeout:
+
+	    ./docker-integration.sh -t 60m integration/build integration/network
+
+	  Run all of the tests in verbose mode with a 6 hour timeout:
+
+	    ./docker-integration.sh -Av -t 360m
+
+	This script is maintained by openSUSE in the Virtualization:containers
+	project, and is only intended to be used by openSUSE developers.
+	EOF
+	exit "${1:-1}"
+}
+
+fail_fast=1
+verbose=
+filter=
+timeout=20m
+while getopts "Ahr:t:v" opt; do
+	case "$opt" in
+	A)
+		fail_fast=
+		;;
+	v)
+		verbose=1
+		;;
+	r)
+		filter="$OPTARG"
+		;;
+	t)
+		timeout="$OPTARG"
+		;;
+	h)
+		usage 0
+		;;
+	:)
+		echo "Missing argument: -$OPTARG" >&2
+		usage 1
+		;;
+	\?)
+		echo "Invalid option: -$OPTARG" >&2
+		usage 1
+		;;
+	esac
+done
+
+pushd "$TEST_SRCDIR"
+
+if [ "$OPTIND" -le "$#" ]; then
+	SUITES=("${@:$OPTIND:$(($#+1))}")
+else
+	readarray -t SUITES <<<"$(find . -type f -name test.main -printf "%h\n")"
+fi
+echo "Planning to run suites {${SUITES[@]}}."
+
+# Download the frozen images.
+if ! [ -d /docker-frozen-images ]; then
+	# TODO: Get the hashes from /usr/src/docker-test/Dockerfile...
+	contrib/download-frozen-image-v2.sh "$TMPDIR/docker-frozen-images" \
+		busybox:latest@sha256:95cf004f559831017cdf4628aaf1bb30133677be8702a8c5f2994629f637a209 \
+		busybox:glibc@sha256:1f81263701cddf6402afe9f33fca0266d9fff379e59b1748f33d3072da71ee85 \
+		debian:bookworm-slim@sha256:2bc5c236e9b262645a323e9088dfa3bb1ecb16cc75811daf40a23a824d665be9 \
+		hello-world:latest@sha256:d58e752213a51785838f9eed2b7a498ffa1cb3aa7f946dda11af39286c3db9a9 \
+		arm32v7/hello-world:latest@sha256:50b8560ad574c779908da71f7ce370c0a2471c098d44d1c8f6b513c5a55eeeb1
+	sudo cp -r "$TMPDIR/docker-frozen-images" /
+fi
+
+# Create binaries in $TEST_BINDIR.
+if ! [ -e "$TEST_BINDIR/docker-basic-plugin" ]; then
+	(
+		pushd "$TEST_SRCDIR/testutil/fixtures/plugin/basic"
+
+		go mod init docker-basic-plugin
+		go build -o "$TEST_BINDIR/docker-basic-plugin" .
+	)
+fi
+if ! [ -e "$TEST_BINDIR/registry-v2" ]; then
+	# The v2.x tags of Docker registry don't use go.mod, and pre-date the move
+	# to github.com/distribution, so we need to create a fake GOPATH with the
+	# old github.com/docker/distribution import path.
+	(
+		export GOPATH="$(mktemp -d -p "$TMPROOT" distribution-build-gopath.XXXXXX)"
+		pushd "$GOPATH"
+
+		git clone \
+			--depth=1 --branch=v2.8.3 \
+			https://github.com/distribution/distribution.git \
+			src/github.com/docker/distribution
+
+		pushd src/github.com/docker/distribution
+
+		GO111MODULE=off go build -o "$TEST_BINDIR/registry-v2" ./cmd/registry
+	)
+fi
+if ! [ -e "$TEST_BINDIR/ctr" ]; then
+	containerd-ctr --help >/dev/null
+	ln -sf "$(which containerd-ctr)" "$TEST_BINDIR/ctr"
+fi
+if ! [ -e "$TEST_BINDIR/docker" ]; then
+	# The integration-cli tests require a Docker 17.06.2 client (from 2017).
+	# This is mainly because the tests are all based on the specific output the
+	# client gives, and some tests fail on modern client versions.
+	(
+		export GOPATH="$(mktemp -d -p "$TMPROOT" distribution-build-gopath.XXXXXX)"
+		pushd "$GOPATH"
+
+		# This tag also comes from the time when this was called
+		# github.com/docker/docker-ce-packaging, so we need to work around this
+		# by moving the cli component into the right path...
+		git clone \
+			--depth=1 --branch=v17.06.2-ce \
+			https://github.com/docker/cli.git \
+			src/github.com/docker/docker-ce-packaging
+		mv \
+			src/github.com/docker/docker-ce-packaging/components/cli \
+			src/github.com/docker/cli
+
+		pushd src/github.com/docker/cli
+		GO111MODULE=off go build -o "$TEST_BINDIR/docker" ./cmd/docker
+	)
+fi
+
+# Create an unprivilegeduser account for tests.
+if ! ( grep unprivilegeduser /etc/passwd &>/dev/null ); then
+	useradd --create-home --gid docker unprivilegeduser
+fi
+
+# Disable SUSE secrets for tests, as some tests (TestDiff from
+# integration/container) will fail if we have secrets injected.
+[ -e /etc/docker/suse-secrets-enable ] && \
+	mv -nv /etc/docker/suse-secrets-enable{,-DISABLED}
+sudo systemctl restart docker
+
+# Make sure docker-buildx is disabled.
+[ -e /usr/lib/docker/cli-plugins/docker-buildx ] && \
+	mv -nv /usr/lib/docker/cli-plugins/docker-buildx{,-DISABLED}
+
+# Disable any daemon configurations.
+[ -e /etc/docker/daemon.json ] && \
+	mv -nv /etc/docker/daemon.json{,.DISABLED}
+
+set -x
+
+# In order for< gotest.tools/v3/assert> to parse the source and give us useful
+# error messages, we have to create a fake source directory that points at
+# $TEST_SRCDIR. This path is replaced with %{docker_builddir} during the
+# docker.spec build.
+__DOCKER_BUILDIR="@@docker_builddir@@"
+DOCKER_BUILDDIR="${DOCKER_BUILDDIR:-$__DOCKER_BUILDIR}"
+sudo rm -rvf "$DOCKER_BUILDDIR"
+sudo mkdir -p "$(dirname "$DOCKER_BUILDDIR")"
+sudo ln -svf "$TEST_SRCDIR" "$DOCKER_BUILDDIR"
+
+# Clean up any old containers/images/networks/volumes before running the tests.
+# We need to do this *BEFORE* we set PATH, as the outdated $TEST_BINDIR/docker
+# doesn't support some of these commands.
+docker container prune -f
+docker image prune -af
+#docker buildx prune -af
+docker network prune -f
+docker volume prune -af
+[ -z "$(docker plugin ls -q)" ] || docker plugin ls -q | xargs docker plugin rm -f
+docker system prune -af
+
+export DOCKERFILE="$TEST_SRCDIR/Dockerfile"
+export TMPDIR="$TMPDIR"
+export TEMP="$TMPDIR"
+export HOME="$TMPDIR/fake-home"
+export DEST="$TEST_SRCDIR/bundles"
+export ABS_DEST="$DEST"
+export PATH="$TEST_BINDIR:$PATH"
+
+export TZ=UTC
+export DOCKER_INTEGRATION_DAEMON_DEST="$ABS_DEST"
+export DOCKER_HOST=unix:///run/docker.sock
+export DOCKER_GRAPHDRIVER=overlay2
+export DOCKER_USERLANDPROXY=true
+export DOCKER_REMAP_ROOT="${DOCKER_REMAP_ROOT:-}"
+export DOCKER_TMPDIR="$TMPDIR"
+export DOCKER_SUSE_SECRETS_ENABLE=0
+
+set +x
+
+# Make sure that we have a dummy "destination" directory for tests.
+rm -rf "$DOCKER_INTEGRATION_DAEMON_DEST"
+mkdir -p "$DOCKER_INTEGRATION_DAEMON_DEST"
+
+# Install the emptyfs images.
+sh ./hack/make/.build-empty-images
+
+ls -la "$TMPROOT"
+
+success=0
+failed_suites=()
+for suite_name in "${SUITES[@]}"; do
+	suite_name="${suite_name#*./}"
+	pushd "$TEST_SRCDIR/$suite_name"
+
+	test_flags=()
+	[ -n "$verbose" ] && test_flags+=("-test.v")
+	[ -n "$filter" ] && test_flags+=("-test.run" "$filter")
+
+	if [[ "$suite_name" == "integration-cli" ]]; then
+		# We need to disable docker-buildx for the integration-cli tests
+		# because otherwise the "docker build" command will use the wrong
+		# builder and the output won't match what the tests expect.
+		timeout=360m
+	fi
+	test_flags+=("-test.timeout" "$timeout")
+
+	echo "Running suite $suite_name (${test_flags[@]}) [success=$success fail=${#failed_suites[@]}]"
+
+	set -x +e
+	sudo -E HOME="$HOME" TMPDIR="$TMPDIR" PATH="$PATH" \
+		./test.main "${test_flags[@]}"
+	err="$?"
+	if (( $err != 0 )); then
+		[ -z "$fail_fast" ] || exit "$err"
+		failed_suites+=("$suite_name")
+	else
+		(( success++ ))
+	fi
+	set +x -e
+
+	popd
+done
+
+[ -e /usr/lib/docker/cli-plugins/docker-buildx-DISABLED ] && \
+	mv -nv /usr/lib/docker/cli-plugins/docker-buildx{-DISABLED,}
+
+[ -e /etc/docker/suse-secrets-enable-DISABLED ] && \
+	mv -nv /etc/docker/suse-secrets-enable{-DISABLED,}
+
+[ -e /etc/docker/daemon.json.DISABLED ] && \
+	mv -nv /etc/docker/daemon.json{.DISABLED,}
+
+echo "Suite results: $success success(es) ${#failed_suites[@]} failure(s)."
+if (( ${#failed_suites[@]} > 0 )); then
+	echo "Failed suites:"
+	printf " - %s\n" "${failed_suites[@]}"
+	exit 1
+fi

docker-rpmlintrc

@@ -1,2 +1,7 @@
-addFilter("^docker-bash-completion.noarch: (E|W): non-executable-script /usr/share/bash-completion/completions/docker")
-addFilter("^docker-zsh-completion.noarch: W: non-conffile-in-etc /etc/zsh_completion.d/_docker")
+addFilter("^docker-(stable-)?bash-completion.noarch: (E|W): non-executable-script /usr/share/bash-completion/completions/docker")
+addFilter("^docker-(stable-)?zsh-completion.noarch: W: non-conffile-in-etc /etc/zsh_completion.d/_docker")
+
+# The docker-integration-tests-devel package contains all of the source code of
+# Docker, which causes a bunch of warnings. Note that
+# docker-integration-tests-devel is used internally and isn't actually shipped.
+addFilter("^docker-(stable-)?integration-tests-devel\..*: (E|W): .*")

docker.changes

@@ -1,13 +1,53 @@
+-------------------------------------------------------------------
+Wed Dec 11 10:14:56 UTC 2024 - Aleksa Sarai <asarai@suse.com>
+
+- Update docker-buildx to v0.19.2. See upstream changelog online at
+  <https://github.com/docker/buildx/releases/tag/v0.19.2>.
+
+  Some notable changelogs from the last update:
+    * <https://github.com/docker/buildx/releases/tag/v0.19.0>
+	* <https://github.com/docker/buildx/releases/tag/v0.18.0>
+- Update to Go 1.22.
+
+-------------------------------------------------------------------
+Wed Dec 11 05:39:42 UTC 2024 - Aleksa Sarai <asarai@suse.com>
+
+- Add a new toggle file /etc/docker/suse-secrets-enable which allows users to
+  disable the SUSEConnect integration with Docker (which creates special mounts
+  in /run/secrets to allow container-suseconnect to authenticate containers
+  with registries on registered hosts). bsc#1231348 bsc#1232999
+
+  In order to disable these mounts, just do
+
+    echo 0 > /etc/docker/suse-secrets-enable
+
+  and restart Docker. In order to re-enable them, just do
+
+    echo 1 > /etc/docker/suse-secrets-enable
+
+  and restart Docker. Docker will output information on startup to tell you
+  whether the SUSE secrets feature is enabled or not.
+
+  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+
 -------------------------------------------------------------------
 Wed Nov 27 12:10:42 UTC 2024 - Aleksa Sarai <asarai@suse.com>
 
-[NOTE: This update was only ever released in SLES and Leap.]
-
 - Disable docker-buildx builds for SLES. It turns out that build containers
   with docker-buildx don't currently get the SUSE secrets mounts applied,
   meaning that container-suseconnect doesn't work when building images.
   bsc#1233819
 
+-------------------------------------------------------------------
+Wed Nov 20 05:34:38 UTC 2024 - Aleksa Sarai <asarai@suse.com>
+
+- Add docker-integration-tests-devel subpackage for building and running the
+  upstream Docker integration tests on machines to test that Docker works
+  properly. Users should not install this package.
+- docker-rpmlintrc updated to include allow-list for all of the integration
+  tests package, since it contains a bunch of stuff that wouldn't normally be
+  allowed.
+
 -------------------------------------------------------------------
 Tue Nov 12 06:34:28 UTC 2024 - Aleksa Sarai <asarai@suse.com>
 
@@ -29,13 +69,6 @@ Wed Oct 16 05:37:14 UTC 2024 - Aleksa Sarai <asarai@suse.com>
   are replacing. See upstream changelog online at
   <https://github.com/docker/buildx/releases/tag/v0.17.1>
 
--------------------------------------------------------------------
-Tue Oct 15 04:58:46 UTC 2024 - Aleksa Sarai <asarai@suse.com>
-
-- Allow users to disable SUSE secrets support by setting
-  DOCKER_SUSE_SECRETS_ENABLE=0 in /etc/sysconfig/docker. bsc#1231348
-  bsc#1232999
-
 -------------------------------------------------------------------
 Wed Sep 18 13:47:45 UTC 2024 - Ana Guerrero <ana.guerrero@suse.com>
 

docker.spec

@@ -19,11 +19,18 @@
 
 %bcond_without  apparmor
 
+# This subpackage is only used for testing by developers, and shouldn't be
+# built for actual users.
+%bcond_with     integration_tests
+
+%if 0%{?is_opensuse} == 0
+# SUSEConnect support ("SUSE secrets") only makes sense for SLES hosts.
+%bcond_without  suseconnect
 # There is currently a known bug between buildx and SUSE secrets, so we don't
 # package docker-buildx for SLES. bsc#1233819
-%if 0%{?is_opensuse} == 0
 %bcond_with     buildx
 %else
+%bcond_with     suseconnect
 %bcond_without  buildx
 %endif
 
@@ -35,6 +42,9 @@
 # is guaranteed to see the relevant warning.
 %define update_messages %{_localstatedir}/adm/update-messages/%{name}-%{version}-%{release}
 
+# Test binaries.
+%define testdir /usr/src/docker-test
+
 #Compat macro for new _fillupdir macro introduced in Nov 2017
 %if ! %{defined _fillupdir}
   %define _fillupdir /var/adm/fillup-templates
@@ -50,7 +60,7 @@
 
 %if %{with buildx}
 # MANUAL: This needs to be updated with every docker-buildx update.
-%define buildx_version 0.17.1
+%define buildx_version 0.19.2
 %endif
 
 # Used when generating the "build" information for Docker version. The value of
@@ -79,6 +89,8 @@ Source130:      README_SUSE.md
 Source140:      docker-audit.rules
 Source150:      docker-daemon.json
 Source160:      docker.sysusers
+# docker-integration-tests-devel
+Source900:      docker-integration.sh
 # NOTE: All of these patches are maintained in <https://github.com/suse/docker>
 #       in the suse-v<version> branch. Make sure you update the patches in that
 #       branch and then git-format-patch the patch here.
@@ -117,7 +129,7 @@ BuildRequires:  procps
 BuildRequires:  sqlite3-devel
 BuildRequires:  sysuser-tools
 BuildRequires:  zsh
-BuildRequires:  golang(API) = 1.21
+BuildRequires:  golang(API) = 1.22
 BuildRequires:  pkgconfig(libsystemd)
 %if %{with apparmor}
 %if 0%{?sle_version} >= 150000
@@ -242,6 +254,27 @@ Rootless support for Docker.
 Use dockerd-rootless.sh to run the daemon.
 Use dockerd-rootless-setuptool.sh to setup systemd for dockerd-rootless.sh.
 
+%if %{with integration_tests}
+%package integration-tests-devel
+Summary:        Rootless support for Docker
+Group:          TestSuite
+Requires:       %{name} = %{docker_version}
+Requires:       containerd-ctr
+Requires:       curl
+Requires:       gcc
+Requires:       git
+Requires:       glibc-devel-static
+Requires:       go
+Requires:       jq
+Requires:       libcap-progs
+
+%description integration-tests-devel
+Integration testing binaries for Docker.
+
+THIS PACKAGE SHOULD NOT BE INSTALLED BY END-USERS, IT IS ONLY INTENDED FOR
+INTERNAL DEVELOPMENT OF THE DOCKER PACKAGE FOR (OPEN)SUSE.
+%endif
+
 %package bash-completion
 Summary:        Bash Completion for %{name}
 Group:          System/Shells
@@ -321,7 +354,7 @@ Fish command line completion support for %{name}.
 # README_SUSE.md for documentation.
 cp %{SOURCE130} .
 
-%if 0%{?is_opensuse} == 0
+%if %{with suseconnect}
 # PATCH-SUSE: Secrets patches.
 %patch -P100 -p1
 %patch -P101 -p1
@@ -372,6 +405,21 @@ pushd "%{docker_builddir}"
 ln -s {vendor,go}.mod
 ln -s {vendor,go}.sum
 ./hack/make.sh dynbinary
+
+%if %{with integration_tests}
+# build test binaries for integration tests
+readarray -t integration_dirs \
+	<<<"$(go list -test -f '{{- if ne .ForTest "" -}}{{- .Dir -}}{{- end -}}' ./integration/... ./integration-cli/...)"
+for dir in "${integration_dirs[@]}"
+do
+	pushd "$dir"
+	go test -c -buildmode=pie -tags "$BUILDTAGS" -o test.main .
+	popd
+done
+# Update __DOCKER_BUILDIR in the integration testing script.
+sed -i 's|^__DOCKER_BUILDIR=.*|__DOCKER_BUILDIR=%{docker_builddir}|g' "%{SOURCE900}"
+%endif
+
 popd
 
 ###################
@@ -422,6 +470,10 @@ install -D -m0755 %{buildx_builddir}/bin/build/docker-buildx %{buildroot}/usr/li
 install -d %{buildroot}/%{_localstatedir}/lib/docker
 # daemon.json config file
 install -D -m0644 %{SOURCE150} %{buildroot}%{_sysconfdir}/docker/daemon.json
+%if %{with suseconnect}
+# SUSE-specific config file
+echo 1 > %{buildroot}%{_sysconfdir}/docker/suse-secrets-enable
+%endif
 
 # docker cli
 install -D -m0755 %{cli_builddir}/build/docker %{buildroot}/%{_bindir}/docker
@@ -459,6 +511,16 @@ install -D -m0644 %{SOURCE160} %{buildroot}%{_sysusersdir}/docker.conf
 install -D -p -m 0755 contrib/dockerd-rootless.sh %{buildroot}/%{_bindir}/dockerd-rootless.sh
 install -D -p -m 0755 contrib/dockerd-rootless-setuptool.sh %{buildroot}/%{_bindir}/dockerd-rootless-setuptool.sh
 
+%if %{with integration_tests}
+# integration tests
+install -d %{buildroot}%{testdir}
+cp -ar %{docker_builddir} %{buildroot}%{testdir}/src
+install -d %{buildroot}%{testdir}/bin
+install -D -p -m 0755 %{SOURCE900} %{buildroot}%{testdir}/docker-integration.sh
+# remove all of the non-test binaries in bundles/
+rm -rfv %{buildroot}%{testdir}/src/bundles/
+%endif
+
 %fdupes %{buildroot}
 
 %pre -f %{name}.pre
@@ -508,6 +570,9 @@ grep -q '^dockremap:' /etc/subgid || \
 
 %dir %{_sysconfdir}/docker
 %config(noreplace) %{_sysconfdir}/docker/daemon.json
+%if %{with suseconnect}
+%config(noreplace) %{_sysconfdir}/docker/suse-secrets-enable
+%endif
 %{_fillupdir}/sysconfig.docker
 
 %dir %attr(750,root,root) %{_sysconfdir}/audit/rules.d
@@ -530,6 +595,12 @@ grep -q '^dockremap:' /etc/subgid || \
 %{_bindir}/dockerd-rootless.sh
 %{_bindir}/dockerd-rootless-setuptool.sh
 
+%if %{with integration_tests}
+%files integration-tests-devel
+%defattr(-,root,root)
+%{testdir}
+%endif
+
 %files bash-completion
 %defattr(-,root,root)
 %{_datarootdir}/bash-completion/completions/docker