- Update to Docker 20.10.3-ce. See upstream changelog in the packaged

/usr/share/doc/packages/docker/CHANGELOG.md. CVE-2021-21285 CVE-2021-21284 - Drop docker-runc, docker-test and docker-libnetwork packages. We now just use the upstream runc package (it's stable enough and Docker no longer pins git versions). docker-libnetwork is so unstable that it doesn't have any versioning scheme and so it really doesn't make sense to maintain the project as a separate package. bsc#1181641 bsc#1181677 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=354
2021-02-02 22:19:52 +00:00 · 2021-02-02 22:19:52 +00:00 · cb6967cb97
commit cb6967cb97
parent de3596b770
14 changed files with 151 additions and 481 deletions
--- a/0001-PACKAGING-revert-Remove-docker-prefix-for-containerd.patch
+++ b/0001-PACKAGING-revert-Remove-docker-prefix-for-containerd.patch
@ -1,110 +0,0 @@
 From 9961826453fee3b52244ba920359b9e2f9ad137c Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Thu, 29 Nov 2018 20:53:16 +1100
 Subject: [PATCH 1/5] PACKAGING: revert "Remove 'docker-' prefix for containerd
 and runc binaries"
 This reverts commit 34eede0296bce6a9c335cb429f10728ae3f4252d, as it
 would significantly break openSUSE's packaging (as well as causing
 conflicts between the very-outdated runc that Docker uses and the more
 up-to-date one available for Podman).
 Signed-off-by: Aleksa Sarai <asarai@suse.de>
 ---
 builder/builder-next/executor_unix.go             | 2 +-
 daemon/daemon_unix.go                             | 8 ++++++--
 libcontainerd/supervisor/remote_daemon.go         | 4 ++--
 libcontainerd/supervisor/remote_daemon_linux.go   | 4 ++--
 libcontainerd/supervisor/remote_daemon_windows.go | 4 ++--
 5 files changed, 13 insertions(+), 9 deletions(-)
 diff --git a/builder/builder-next/executor_unix.go b/builder/builder-next/executor_unix.go
 index c052ec707fec..d1caf53f5023 100644
 --- a/builder/builder-next/executor_unix.go
 +++ b/builder/builder-next/executor_unix.go
@@ -32,7 +32,7 @@ func newExecutor(root, cgroupParent string, net libnetwork.NetworkController, dn
 	}
 	return runcexecutor.New(runcexecutor.Opt{
 		Root:                filepath.Join(root, "executor"),
 -		CommandCandidates:   []string{"runc"},
 +		CommandCandidates:   []string{"docker-runc", "runc"},
 		DefaultCgroupParent: cgroupParent,
 		Rootless:            rootless,
 		NoPivot:             os.Getenv("DOCKER_RAMDISK") != "",
 diff --git a/daemon/daemon_unix.go b/daemon/daemon_unix.go
 index 5fa688dff4c7..f610fdb01d27 100644
 --- a/daemon/daemon_unix.go
 +++ b/daemon/daemon_unix.go
@@ -58,11 +58,11 @@ const (
 	// DefaultShimBinary is the default shim to be used by containerd if none
 	// is specified
 -	DefaultShimBinary = "containerd-shim"
 +	DefaultShimBinary = "docker-containerd-shim"
 	// DefaultRuntimeBinary is the default runtime to be used by
 	// containerd if none is specified
 -	DefaultRuntimeBinary = "runc"
 +	DefaultRuntimeBinary = "docker-runc"
 	// See https://git.kernel.org/cgit/linux/kernel/git/tip/tip.git/tree/kernel/sched/sched.h?id=8cd9234c64c584432f6992fe944ca9e46ca8ea76#n269
 	linuxMinCPUShares = 2
@@ -78,6 +78,10 @@ const (
 	cgroupFsDriver      = "cgroupfs"
 	cgroupSystemdDriver = "systemd"
 	cgroupNoneDriver    = "none"
 +
 +	// DefaultRuntimeName is the default runtime to be used by
 +	// containerd if none is specified
 +	DefaultRuntimeName = "docker-runc"
 )
 type containerGetter interface {
 diff --git a/libcontainerd/supervisor/remote_daemon.go b/libcontainerd/supervisor/remote_daemon.go
 index 3538612246f4..f17868a7e1f8 100644
 --- a/libcontainerd/supervisor/remote_daemon.go
 +++ b/libcontainerd/supervisor/remote_daemon.go
@@ -27,8 +27,8 @@ const (
 	shutdownTimeout         = 15 * time.Second
 	startupTimeout          = 15 * time.Second
 	configFile              = "containerd.toml"
 -	binaryName              = "containerd"
 -	pidFile                 = "containerd.pid"
 +	binaryName              = "docker-containerd"
 +	pidFile                 = "docker-containerd.pid"
 )
 type pluginConfigs struct {
 diff --git a/libcontainerd/supervisor/remote_daemon_linux.go b/libcontainerd/supervisor/remote_daemon_linux.go
 index d229881a62b3..da93fc45371d 100644
 --- a/libcontainerd/supervisor/remote_daemon_linux.go
 +++ b/libcontainerd/supervisor/remote_daemon_linux.go
@@ -11,8 +11,8 @@ import (
 )
 const (
 -	sockFile      = "containerd.sock"
 -	debugSockFile = "containerd-debug.sock"
 +	sockFile      = "docker-containerd.sock"
 +	debugSockFile = "docker-containerd-debug.sock"
 )
 func (r *remote) setDefaults() {
 diff --git a/libcontainerd/supervisor/remote_daemon_windows.go b/libcontainerd/supervisor/remote_daemon_windows.go
 index 9b254ef58a0a..bcdc9529e0f7 100644
 --- a/libcontainerd/supervisor/remote_daemon_windows.go
 +++ b/libcontainerd/supervisor/remote_daemon_windows.go
@@ -7,8 +7,8 @@ import (
 )
 const (
 -	grpcPipeName  = `\\.\pipe\containerd-containerd`
 -	debugPipeName = `\\.\pipe\containerd-debug`
 +	grpcPipeName  = `\\.\pipe\docker-containerd-containerd`
 +	debugPipeName = `\\.\pipe\docker-containerd-debug`
 )
 func (r *remote) setDefaults() {
 -- 
 2.30.0
--- a/0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+++ b/0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
@ -1,7 +1,7 @@
-From e24062ca12b575bc417fea2f46544ccd18e5f1eb Mon Sep 17 00:00:00 2001
+From 1edf7a140c843cc6db85cdea298db19fee316dcb Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Wed, 8 Mar 2017 12:41:54 +1100
-Subject: [PATCH 2/5] SECRETS: daemon: allow directory creation in /run/secrets
+Subject: [PATCH 1/4] SECRETS: daemon: allow directory creation in /run/secrets
 Since FileMode can have the directory bit set, allow a SecretStore
 implementation to return secrets that are actually directories. This is
@ -14,7 +14,7 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
 1 file changed, 21 insertions(+), 3 deletions(-)
 diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go
-index f4f1bd2c0b6a..f18f522485ee 100644
+index 5521adbd2749..c103d9349c51 100644
 --- a/daemon/container_operations_unix.go
 +++ b/daemon/container_operations_unix.go
@@ -3,6 +3,7 @@
--- a/0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+++ b/0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
@ -1,7 +1,7 @@
-From 3469fd3b7da0477ba781d95b02bd698c770916f6 Mon Sep 17 00:00:00 2001
+From b7419429d17675d8db949bd7c35812308684254a Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Wed, 8 Mar 2017 11:43:29 +1100
-Subject: [PATCH 3/5] SECRETS: SUSE: implement SUSE container secrets
+Subject: [PATCH 2/4] SECRETS: SUSE: implement SUSE container secrets
 This allows for us to pass in host credentials to a container, allowing
 for SUSEConnect to work with containers.
--- a/0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
+++ b/0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
@ -1,7 +1,7 @@
-From 3e63781e1bf40affdb884ddd83b82fc51c54d88a Mon Sep 17 00:00:00 2001
+From aa173dd56730552524ab35d74acbe61709c732e2 Mon Sep 17 00:00:00 2001
 From: Valentin Rothberg <vrothberg@suse.com>
 Date: Mon, 2 Jul 2018 13:37:34 +0200
-Subject: [PATCH 4/5] PRIVATE-REGISTRY: add private-registry mirror support
+Subject: [PATCH 3/4] PRIVATE-REGISTRY: add private-registry mirror support
 NOTE: This is a backport/downstream patch of the upstream pull-request
      for Moby, which is still subject to changes.  Please visit
@ -444,7 +444,7 @@ index c8ddd4c5cfcd..b17e9d25d6c2 100644
 		return err
 	}
 diff --git a/distribution/pull_v2.go b/distribution/pull_v2.go
-index 12497ea890e7..926e02f851fd 100644
+index 023ee2e71efd..e14cdd16b410 100644
 --- a/distribution/pull_v2.go
 +++ b/distribution/pull_v2.go
@@ -431,7 +431,7 @@ func (p *v2Puller) pullV2Tag(ctx context.Context, ref reference.Named, platform
--- a/0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+++ b/0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
@ -1,7 +1,7 @@
-From 4d134a69323ba490b1f8976394cdd9fe0c278b3d Mon Sep 17 00:00:00 2001
+From eb4e0b351b4bb229bfd5fd3ed57d3c35040265e0 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Fri, 29 Jun 2018 17:59:30 +1000
-Subject: [PATCH 5/5] bsc1073877: apparmor: clobber docker-default profile on
+Subject: [PATCH 4/4] bsc1073877: apparmor: clobber docker-default profile on
 start
 In the process of making docker-default reloading far less expensive,
@ -22,12 +22,12 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
 3 files changed, 17 insertions(+), 6 deletions(-)
 diff --git a/daemon/apparmor_default.go b/daemon/apparmor_default.go
-index 2045412a7966..0c1fd0f0c940 100644
+index a7cc3a5ef412..1a952953da8f 100644
 --- a/daemon/apparmor_default.go
 +++ b/daemon/apparmor_default.go
-@@ -15,6 +15,15 @@ const (
+@@ -23,6 +23,15 @@ func DefaultApparmorProfile() string {
- 	defaultAppArmorProfile    = "docker-default"
+ 	return ""
- )
+ }
 +func clobberDefaultAppArmorProfile() error {
 +	if apparmor.IsEnabled() {
@ -41,7 +41,7 @@ index 2045412a7966..0c1fd0f0c940 100644
 func ensureDefaultAppArmorProfile() error {
 	if apparmor.IsEnabled() {
 		loaded, err := aaprofile.IsLoaded(defaultAppArmorProfile)
-@@ -28,10 +37,7 @@ func ensureDefaultAppArmorProfile() error {
+@@ -36,10 +45,7 @@ func ensureDefaultAppArmorProfile() error {
 		}
 		// Load the profile.
@ -54,7 +54,7 @@ index 2045412a7966..0c1fd0f0c940 100644
 	return nil
 }
 diff --git a/daemon/apparmor_default_unsupported.go b/daemon/apparmor_default_unsupported.go
-index 51f9c526b350..97d7758442ee 100644
+index dd581dc7dadb..5b14979cd4a3 100644
 --- a/daemon/apparmor_default_unsupported.go
 +++ b/daemon/apparmor_default_unsupported.go
@@ -2,6 +2,10 @@
@ -69,7 +69,7 @@ index 51f9c526b350..97d7758442ee 100644
 	return nil
 }
 diff --git a/daemon/daemon.go b/daemon/daemon.go
-index 3e86ab5c8721..4a574da030da 100644
+index 794ff9712d08..f9e727b348c5 100644
 --- a/daemon/daemon.go
 +++ b/daemon/daemon.go
@@ -855,8 +855,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
--- a/18
+++ b/18
@ -1,20 +1,28 @@
 <services>
  <service name="tar_scm" mode="disabled">
-    <param name="url">https://github.com/docker/docker.git</param>
+    <param name="url">https://github.com/moby/moby.git</param>
    <param name="scm">git</param>
    <param name="exclude">.git</param>
-    <param name="versionformat">20.10.2_ce_%h</param>
+    <param name="versionformat">20.10.3_ce_%h</param>
-    <param name="revision">v20.10.2</param>
+    <param name="revision">v20.10.3</param>
    <param name="filename">docker</param>
  </service>
  <service name="tar_scm" mode="disabled">
    <param name="url">https://github.com/docker/cli.git</param>
    <param name="scm">git</param>
    <param name="exclude">.git</param>
-    <param name="versionformat">20.10.2_ce</param>
+    <param name="versionformat">20.10.3_ce</param>
-    <param name="revision">v20.10.2</param>
+    <param name="revision">v20.10.3</param>
    <param name="filename">docker-cli</param>
  </service>
  <service name="tar_scm" mode="disabled">
    <param name="url">https://github.com/docker/libnetwork.git</param>
    <param name="scm">git</param>
    <param name="exclude">.git</param>
    <param name="versionformat">%H</param>
    <param name="revision">fa125a3512ee0f6187721c88582bf8c4378bd4d7</param>
    <param name="filename">docker-libnetwork</param>
  </service>
  <service name="recompress" mode="disabled">
    <param name="file">docker-*.tar</param>
    <param name="compression">xz</param>
--- a/docker-20.10.2_ce_8891c58a433a.tar.xz
+++ b/docker-20.10.2_ce_8891c58a433a.tar.xz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:8f38527e3b117ca42b0b702a3a8a2a3d73cb629d170730d7d741115e72da8171
 size 6463700
--- a/docker-20.10.3_ce_46229ca1d815.tar.xz
+++ b/docker-20.10.3_ce_46229ca1d815.tar.xz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:84fcc9d36db90c8b87a0b19d5846ade17e8dc4586e998e071c843fd8d43a0bef
 size 6481288
--- a/docker-cli-20.10.2_ce.tar.xz
+++ b/docker-cli-20.10.2_ce.tar.xz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:83f9812b3d0fda73d6645d82577b0e3c7d603c042be6ee80119d0d5a48d73866
 size 4432320
--- a/docker-cli-20.10.3_ce.tar.xz
+++ b/docker-cli-20.10.3_ce.tar.xz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:a8526bdb466209ffd1c3ef41fcfccb9588b67d507d4444701398d6f7987f5f16
 size 4450316
--- a/docker-libnetwork-fa125a3512ee0f6187721c88582bf8c4378bd4d7.tar.xz
+++ b/docker-libnetwork-fa125a3512ee0f6187721c88582bf8c4378bd4d7.tar.xz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:a50f42e391a98ab204eaa93e2269981be36f619c68b2bbfc3224263fbd30c4a8
 size 1982676
--- a/docker.changes
+++ b/docker.changes
@ -1,3 +1,30 @@
 -------------------------------------------------------------------
 Tue Feb  2 13:06:17 UTC 2021 - Aleksa Sarai <asarai@suse.com>
 - Update to Docker 20.10.3-ce. See upstream changelog in the packaged
  /usr/share/doc/packages/docker/CHANGELOG.md. CVE-2021-21285 CVE-2021-21284
 - Rebase patches on top of 20.10.3-ce.
  - 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  + 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  - 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  + 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  - 0004-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
  + 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
  - 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  + 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
 -------------------------------------------------------------------
 Tue Feb  2 05:28:01 UTC 2021 - Aleksa Sarai <asarai@suse.com>
 - Drop docker-runc, docker-test and docker-libnetwork packages. We now just use
  the upstream runc package (it's stable enough and Docker no longer pins git
  versions). docker-libnetwork is so unstable that it doesn't have any
  versioning scheme and so it really doesn't make sense to maintain the project
  as a separate package. bsc#1181641 bsc#1181677
 - Remove no-longer-needed patch for packaging now that we've dropped
  docker-runc and docker-libnetwork.
  - 0001-PACKAGING-revert-Remove-docker-prefix-for-containerd.patch
 -------------------------------------------------------------------
 Fri Jan 29 22:55:48 UTC 2021 - Aleksa Sarai <asarai@suse.com>
--- a/docker.spec
+++ b/docker.spec
@ -42,17 +42,21 @@
 # helpfully injects into our build environment from the changelog). If you want
 # to generate a new git_commit_epoch, use this:
 #  $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s'
-%define git_version 8891c58a433a
+%define git_version 46229ca1d815
-%define git_commit_epoch 1608908869
+%define git_commit_epoch 1611869592
-# These are the git commits required. We verify them against the source to make
+# We require a specific pin of libnetwork because it doesn't really do
-# sure we didn't miss anything important when doing upgrades.
+# versioning and minor version mismatches in libnetwork can break Docker
-%define required_containerd 269548fa27e0089a8b8278fc4fc781d7f65a939b
+# networking. All other key runtime dependencies (containerd, runc) are stable
-%define required_dockerrunc ff819c7e9184c13b7c2607fe6c30ae19403a7aff
+# enough that this isn't necessary.
-%define required_libnetwork fa125a3512ee0f6187721c88582bf8c4378bd4d7
+%define libnetwork_version fa125a3512ee0f6187721c88582bf8c4378bd4d7
 %define dist_builddir  %{_builddir}/dist-suse
 %define cli_builddir   %{dist_builddir}/src/github.com/docker/cli
 %define proxy_builddir %{dist_builddir}/src/github.com/docker/libnetwork
 Name:           %{realname}%{name_suffix}
-Version:        20.10.2_ce
+Version:        20.10.3_ce
 Release:        0
 Summary:        The Moby-project Linux container runtime
 License:        Apache-2.0
@ -60,15 +64,15 @@ Group:          System/Management
 URL:            http://www.docker.io
 Source:         %{realname}-%{version}_%{git_version}.tar.xz
 Source1:        %{realname}-cli-%{version}.tar.xz
-Source2:        docker-rpmlintrc
+Source2:        %{realname}-libnetwork-%{libnetwork_version}.tar.xz
 Source3:        docker-rpmlintrc
 # TODO: Move these source files to somewhere nicer.
 Source100:      docker.service
 Source101:      80-docker.rules
 Source102:      sysconfig.docker
 Source103:      README_SUSE.md
 Source104:      docker-audit.rules
-Source105:      tests.sh
+Source105:      docker-daemon.json
 Source106:      docker-daemon.json
 # Kubelet-specific sources.
 # bsc#1086185 -- but we only apply this on Kubic.
 Source900:      docker-kubic-service.conf
@ -78,17 +82,15 @@ Source901:      kubelet.env
 #       branch and then git-format-patch the patch here.
 # SUSE-FEATURE: Adds the /run/secrets mountpoint inside all Docker containers
 #               which is not snapshotted when images are committed.
-Patch100:       0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+Patch100:       0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
-Patch101:       0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+Patch101:       0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
 # SUSE-FEATURE: Add support to mirror unofficial/private registries
 #               <https://github.com/docker/docker/pull/34319>.
-Patch200:       0004-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
+Patch200:       0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
 # SUSE-ISSUE: Revert of <https://github.com/docker/docker/pull/37907>.
 Patch300:       0001-PACKAGING-revert-Remove-docker-prefix-for-containerd.patch
 # SUSE-BACKPORT: Backport of https://github.com/docker/docker/pull/37353. bsc#1073877 bsc#1099277
-Patch301:       0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+Patch300:       0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
 # SUSE-BACKPORT: Backport of https://github.com/docker/cli/pull/2888.
-Patch302:       cli-0001-Rename-bin-md2man-to-bin-go-md2man.patch
+Patch301:       cli-0001-Rename-bin-md2man-to-bin-go-md2man.patch
 BuildRequires:  audit
 BuildRequires:  bash-completion
 BuildRequires:  ca-certificates
@ -102,23 +104,21 @@ BuildRequires:  procps
 BuildRequires:  sqlite3-devel
 BuildRequires:  zsh
 BuildRequires:  fish
 BuildRequires:  go-go-md2man
 # We cannot use Go 1.14 because it breaks io.Copy (among other things) by
 # returning -EINTR from I/O syscalls much more often.
 BuildRequires:  go1.13
 BuildRequires:  pkgconfig(libsystemd)
 Requires:       apparmor-parser
 Requires:       ca-certificates-mozilla
-# Required in order for networking to work. fix_bsc_1057743 is a work-around
+# The docker-proxy binary used to be in a separate package. We obsolete it,
-# for some old packaging issues (where rpm would delete a binary that was
+# since now docker-proxy is maintained as part of this package.
-# installed by docker-libnetwork). See bsc#1057743 for more details.
+Obsoletes:      docker-libnetwork%{name_suffix} < 0.7.0.2
-BuildRequires:  docker-libnetwork%{name_suffix}-git = %{required_libnetwork}
+Provides:       docker-libnetwork%{name_suffix} = 0.7.0.2.%{version}
-Requires:       docker-libnetwork%{name_suffix}-git = %{required_libnetwork}
+# Required to actually run containers. We require the minimum version that is
-Requires:       fix_bsc_1057743
+# pinned by Docker, but in order to avoid headaches we allow for updates.
-# Containerd and runC are required as they are the only currently supported
+Requires:       runc >= 1.0.0~rc92
-# execdrivers of Docker. NOTE: The version pinning here matches upstream's
+Requires:       containerd >= 1.4.3
 # vendor.conf to ensure that we don't use a slightly incompatible version of
 # runC or containerd (which would be bad).
 BuildRequires:  containerd%{name_suffix}-git  = %{required_containerd}
 Requires:       containerd%{name_suffix}-git = %{required_containerd}
 BuildRequires:  docker-runc%{name_suffix}-git = %{required_dockerrunc}
 Requires:       docker-runc%{name_suffix}-git = %{required_dockerrunc}
 # Needed for --init support. We don't use "tini", we use our own implementation
 # which handles edge-cases better.
 Requires:       catatonit
@ -132,20 +132,13 @@ Requires:       xz >= 4.9
 Requires(post): %fillup_prereq
 Requires(post): udev
 Requires(post): shadow
 # We used to have a migration tool for the upgrade from v1.9.x to v1.10.x.
 # It is no longer useful, so we obsolete it. bsc#1069758
 Obsoletes:      docker-image-migrator
 # Not necessary, but must be installed when the underlying system is
 # configured to use lvm and the user doesn't explicitly provide a
 # different storage-driver than devicemapper
 Recommends:     lvm2 >= 2.2.89
 Recommends:     git-core >= 1.7
 Conflicts:      lxc < 1.0
 ExcludeArch:    s390 ppc
-BuildRequires:  go-go-md2man
+
 # We cannot use Go 1.14 because it breaks io.Copy (among other things) by
 # returning -EINTR from I/O syscalls much more often.
 BuildRequires:  go1.13
 # KUBIC-SPECIFIC: This was required when upgrading from the original kubic
 #                 packaging, when everything was renamed to -kubic. It also is
 #                 used to ensure that nothing complains too much when using
@ -233,31 +226,6 @@ Provides:       %{realname}-fish-completion = %{version}
 %description fish-completion
 Fish command line completion support for %{name}.
 %package test
 %global __requires_exclude ^libgo.so.*$
 Summary:        Test package for docker
 # Needed for test-suite.
 Group:          System/Management
 Requires:       curl
 Requires:       go
 Requires:       iputils
 Requires:       jq
 Requires:       net-tools-deprecated
 # KUBIC-SPECIFIC: This was required when upgrading from the original kubic
 #                 packaging, when everything was renamed to -kubic. It also is
 #                 used to ensure that nothing complains too much when using
 #                 -kubic packages. Hopfully it can be removed one day.
 %if "%flavour" == "kubic"
 # Obsolete old packege without the -kubic suffix
 Obsoletes:      %{realname}-test = 1.12.6
 # Conflict with non-kubic package, and provide equivalent
 Conflicts:      %{realname}-test > 1.12.6
 Provides:       %{realname}-test = %{version}
 %endif
 %description test
 Test package for docker. It contains the source code and the tests.
 %if "%flavour" == "kubic"
 %package kubeadm-criconfig
 Summary:        docker container runtime configuration for kubeadm
@ -286,23 +254,29 @@ docker container runtime configuration for kubeadm
 # PATCH-SUSE: Mirror patch.
 %patch200 -p1
 %endif
 # packaging
 %patch300 -p1
 # bsc#1099277
-%patch301 -p1
+%patch300 -p1
 # README_SUSE.md for documentation.
 cp %{SOURCE103} .
-# Fill the CLI sources in a subdir.
+# Extract the docker-cli source in a subdir.
-mkdir -p dist-suse/cli
+mkdir -p %{cli_builddir}
-pushd dist-suse/cli/
+pushd %{cli_builddir}
 xz -dc %{SOURCE1} | tar -xof - --strip-components=1
 # https://github.com/docker/cli/pull/2888
-%patch302 -p1
+%patch301 -p1
 popd
 # Extract the docker-libnetwork source in a subdir.
 mkdir -p %{proxy_builddir}
 pushd %{proxy_builddir}
 xz -dc %{SOURCE2} | tar -xof - --strip-components=1
 popd
 %build
 echo "$PWD -- $PWD -- $PWD"
 BUILDTAGS="exclude_graphdriver_aufs apparmor selinux seccomp pkcs11"
 %if 0%{?sle_version} == 120000
 	# Allow us to build with older distros but still have deferred removal
@ -334,8 +308,8 @@ EOF
 # Preparing GOPATH so that the client is visible to the compiler
 mkdir -p src/github.com/docker/
-ln -s $(pwd)/dist-suse/cli $(pwd)/src/github.com/docker/cli
+ln -s "%{cli_builddir}" "$PWD/src/github.com/docker/cli"
-export GOPATH=$GOPATH:$(pwd)
+export GOPATH="$GOPATH:$PWD"
 ###################
 ## DOCKER ENGINE ##
@ -344,106 +318,82 @@ export GOPATH=$GOPATH:$(pwd)
 # Ignore the warning that we compile outside a Docker container.
 ./hack/make.sh dynbinary
 # Build test binaries (integration-cli and integration/*). They are all stored
 # within the testdir -- we will only end up installing these test files for
 # docker-test.
 for testdir in {integration-cli,integration/*/}
 do
 	( find "$testdir" -name '*_test.go' | grep -q '.' ) || continue
 	GOPATH=$(pwd)/vendor:$(pwd)/.gopath/ go test -c \
 		-o "$testdir/tests.main" -buildmode=pie \
 		-tags "$DOCKER_BUILDTAGS daemon" \
 		"github.com/docker/docker/$testdir"
 done
 ###################
 ## DOCKER CLIENT ##
 ###################
-pushd dist-suse/cli/
+pushd %{cli_builddir}
 ./scripts/build/dynbinary
 mkdir -p ./man/man1
 go build -buildmode=pie -o gen-manpages github.com/docker/cli/man
-./gen-manpages --root "$(pwd)" --target "$(pwd)/man/man1"
+./gen-manpages --root "$PWD" --target "$PWD/man/man1"
 ./man/md2man-all.sh
 popd
-%check
+##################
-# We used to run 'go test' here, however we found that this actually didn't
+## DOCKER PROXY ##
-# catch any issues that were caught by smoke testing, and %check would
+##################
 # continually cause package builds to fail due to flaky tests. If you ever need
 # to know how the testing was done, you can always look in the package history.
 # boo#1095817
-# We verify that all of our -git requires are correct, and match the contents
+pushd %{proxy_builddir}
-# of the upstream vendoring scripts. This is done on-build to make sure that
+GOPATH="%{dist_builddir}" \
-# someone doing an update didn't miss anything.
+	go build -buildmode=pie -o docker-proxy github.com/docker/libnetwork/cmd/proxy
-grep 'RUNC_COMMIT:=%{required_dockerrunc}'       hack/dockerfile/install/runc.installer
+popd
-grep 'CONTAINERD_COMMIT:=%{required_containerd}' hack/dockerfile/install/containerd.installer
+
-grep 'LIBNETWORK_COMMIT:=%{required_libnetwork}' hack/dockerfile/install/proxy.installer
+# We verify that our libnetwork source is the correct version. This is done
 # on-build to make sure that someone doing an update didn't miss anything.
 grep 'LIBNETWORK_COMMIT:=%{libnetwork_version}' hack/dockerfile/install/proxy.installer
 %install
-install -d %{buildroot}%{_bindir}
+install -Dd -m0755 \
 install -D -m755 dist-suse/cli/build/docker %{buildroot}/%{_bindir}/docker
 install -D -m755 bundles/dynbinary-daemon/dockerd %{buildroot}/%{_bindir}/dockerd
 install -d %{buildroot}/%{_localstatedir}/lib/docker
 install -Dd -m 0755 \
 	%{buildroot}%{_sysconfdir}/init.d \
 	%{buildroot}%{_bindir} \
 	%{buildroot}%{_sbindir}
-install -D -m0644 dist-suse/cli/contrib/completion/bash/docker "%{buildroot}%{_datarootdir}/bash-completion/completions/%{realname}"
+# docker daemon
-install -D -m0644 dist-suse/cli/contrib/completion/zsh/_docker "%{buildroot}%{_sysconfdir}/zsh_completion.d/_%{realname}"
+install -D -m0755 bundles/dynbinary-daemon/dockerd %{buildroot}/%{_bindir}/dockerd
-install -D -m0644 dist-suse/cli/contrib/completion/fish/docker.fish "%{buildroot}/%{_datadir}/fish/vendor_completions.d/%{realname}.fish"
+install -d %{buildroot}/%{_localstatedir}/lib/docker
 # daemon.json config file
 install -D -m0644 %{SOURCE105} %{buildroot}%{_sysconfdir}/docker/daemon.json
 # docker cli
 install -D -m0755 %{cli_builddir}/build/docker %{buildroot}/%{_bindir}/docker
 install -D -m0644 %{cli_builddir}/contrib/completion/bash/docker "%{buildroot}%{_datarootdir}/bash-completion/completions/%{realname}"
 install -D -m0644 %{cli_builddir}/contrib/completion/zsh/_docker "%{buildroot}%{_sysconfdir}/zsh_completion.d/_%{realname}"
 install -D -m0644 %{cli_builddir}/contrib/completion/fish/docker.fish "%{buildroot}/%{_datadir}/fish/vendor_completions.d/%{realname}.fish"
 # docker proxy
 install -D -m0755 %{proxy_builddir}/docker-proxy %{buildroot}/%{_bindir}/docker-proxy
 #
 # systemd service
 #
 install -D -m0644 %{SOURCE100} %{buildroot}%{_unitdir}/%{realname}.service
 %if "%flavour" == "kubic"
 install -D -m0644 %{SOURCE900} %{buildroot}%{_unitdir}/%{realname}.service.d/90-kubic.conf
 %endif
 ln -sf service %{buildroot}%{_sbindir}/rcdocker
 #
 # udev rules that prevents dolphin to show all docker devices and slows down
 # upstream report https://bugs.kde.org/show_bug.cgi?id=329930
-#
+install -D -m0644 %{SOURCE101} %{buildroot}%{_udevrulesdir}/80-%{realname}.rules
 install -D -m 0644 %{SOURCE101} %{buildroot}%{_udevrulesdir}/80-%{realname}.rules
 # audit rules
-install -D -m 0640 %{SOURCE104} %{buildroot}%{_sysconfdir}/audit/rules.d/%{realname}.rules
+install -D -m0640 %{SOURCE104} %{buildroot}%{_sysconfdir}/audit/rules.d/%{realname}.rules
 # sysconfig file
-install -D -m 644 %{SOURCE102} %{buildroot}%{_fillupdir}/sysconfig.docker
+install -D -m0644 %{SOURCE102} %{buildroot}%{_fillupdir}/sysconfig.docker
 # install docker config file
 install -D -m 644 %{SOURCE106} %{buildroot}%{_sysconfdir}/docker/daemon.json
 # install manpages (using the ones from the engine)
 install -d %{buildroot}%{_mandir}/man1
-install -p -m 644 dist-suse/cli/man/man1/*.1 %{buildroot}%{_mandir}/man1
+install -p -m0644 %{cli_builddir}/man/man1/*.1 %{buildroot}%{_mandir}/man1
 install -d %{buildroot}%{_mandir}/man5
-install -p -m 644 dist-suse/cli/man/man5/Dockerfile.5 %{buildroot}%{_mandir}/man5
+install -p -m0644 %{cli_builddir}/man/man5/Dockerfile.5 %{buildroot}%{_mandir}/man5
 install -d %{buildroot}%{_mandir}/man8
-install -p -m 644 dist-suse/cli/man/man8/*.8 %{buildroot}%{_mandir}/man8
+install -p -m0644 %{cli_builddir}/man/man8/*.8 %{buildroot}%{_mandir}/man8
 # install docker-test files -- we want to avoid installing the entire source tree.
 install -d %{buildroot}%{_prefix}/src/docker/
 install -D -m0755 %{SOURCE105} %{buildroot}%{_prefix}/src/docker/tests.sh
 # We need hack/, contrib/, profiles/, and the integration*/ trees.
 cp -a {hack,contrib,profiles,integration{,-cli}} %{buildroot}%{_prefix}/src/docker/
 echo "%{version}" > %{buildroot}%{_prefix}/src/docker/VERSION
 # And now we can remove all *_test.go files -- since we already have test
 # binaries. Due to a lot of hacks within the Docker integration tests, we can't
 # really do a bigger cleanup than this.
 find %{buildroot}%{_prefix}/src/docker \
 	-type f -name '*_test.go' -delete
 %if "%flavour" == "kubic"
 # place kubelet.env in fillupdir (for kubeadm-criconfig)
 sed -e 's-@LIBEXECDIR@-%{_libexecdir}-g' -i %{SOURCE901}
-install -D -m 0644 %{SOURCE901} %{buildroot}%{_fillupdir}/sysconfig.kubelet
+install -D -m0644 %{SOURCE901} %{buildroot}%{_fillupdir}/sysconfig.kubelet
 %endif
 %fdupes %{buildroot}
@ -494,6 +444,7 @@ grep -q '^dockremap:' /etc/subgid || \
 %license LICENSE
 %{_bindir}/docker
 %{_bindir}/dockerd
 %{_bindir}/docker-proxy
 %{_sbindir}/rcdocker
 %dir %{_localstatedir}/lib/docker/
@ -527,10 +478,6 @@ grep -q '^dockremap:' /etc/subgid || \
 %defattr(-,root,root)
 %{_datadir}/fish/vendor_completions.d/%{realname}.fish
 %files test
 %defattr(-,root,root)
 %{_prefix}/src/docker/
 %if "%flavour" == "kubic"
 %files kubeadm-criconfig
 %defattr(-,root,root)
--- a/tests.sh
+++ b/tests.sh
@ -1,205 +0,0 @@
 #!/bin/bash
 #
 # Script for launching the Docker integration tests
 # XXX: We currently only support running integration-cli.
 #
 set -Eeuo pipefail
 DOCKER_DIR=/usr/src/docker
 SCRIPTS_DIR="$DOCKER_DIR/hack"
 VERSION="$(cat "$DOCKER_DIR/VERSION")"
 # working dirs
 FROZEN_IMAGES_DIR="/tmp/docker-frozen-images"
 FROZEN_IMAGES_LINK=/docker-frozen-images
 readarray -t TESTS < <(find "$DOCKER_DIR/integration-cli" -type f -executable -name 'tests.main')
 CHECK_TIMEOUT="${CHECK_TIMEOUT:-15m}"
 TEST_TIMEOUT="${TEST_TIMEOUT:-0}"
 TEST_ARGS=("-check.v" "-check.timeout=${CHECK_TIMEOUT}" "-test.timeout=${TEST_TIMEOUT}")
 TEST_SELECT=
 TEST_LOG=/tmp/docker-tests.log
 KEEPBUNDLE="${KEEPBUNDLE:-}"
 # the config file for Docker
 CFG_DOCKER=/etc/docker/daemon.json
 ################################################################################
 log()   { echo ">>> $@" ; }
 warn()  { log "WARNING: $@" ; }
 error() { log "ERROR: $@" ; }
 abort() { log "FATAL: $@" ; exit 1 ; }
 usage() { echo "$USAGE" ; }
 abort_usage() { usage ; abort "$@" ; }
 bundle() {
 	local bundle="$1"; shift
 	log "Making bundle: $(basename "$bundle") (in $PWD)"
 	local oldFlags="$-"
 	set +Eeu
 	source "$SCRIPTS_DIR/make/$bundle" "$@"
 	set "-$oldFlags"
 }
 save_backup() {
 	for x in $@ ; do
 		if [ ! -f "$x" ] ; then
 			touch "$x.nbak"
 		elif [ -f "$x.bak" ] ; then
 			warn "$x.bak already exists: no backup will be done"
 		else
 			cp -f "$x" "$x.bak"
 		fi
 	done
 }
 restore_backup() {
 	for x in $@ ; do
 		if [ -f "$x.nbak" ] ; then
 			rm -f "$x.nbak"
 		elif [ -f "$x.bak" ] ; then
 			mv -f "$x.bak" "$x"
 		fi
 	done
 }
 require_go()  { go version  >/dev/null 2>&1 ; }
 require_git() { git version >/dev/null 2>&1 ; }
 ################################################################################
 [ "${#TESTS[@]}" -gt 0 ] || abort "integration tests executable not found in $DOCKER_DIR"
 [ "$EUID" -eq 0 ]        || abort "this script must be run as root"
 [ -n "$VERSION" ]        || abort "could not obtain version"
 if [ "$#" -gt 0 ] ; then
 	# run only some specific tests
 	TEST_ARGS+=( "-check.f=$(echo $@ | tr ' ' '|')" )
 fi
 # tests require this user and group
 /usr/sbin/groupadd -r docker >/dev/null 2>&1 || /bin/true
 /usr/sbin/useradd --create-home --gid docker unprivilegeduser >/dev/null 2>&1 || /bin/true
 export DOCKER_TEST_HOST="tcp://127.0.0.1:2375"
 export PATH="/usr/local/bin:$PATH"
 export TZ=utc
 export DOCKER_GRAPHDRIVER="${DOCKER_GRAPHDRIVER:-vfs}"
 export DOCKER_USERLANDPROXY="${DOCKER_USERLANDPROXY:-true}"
 export DOCKER_STORAGE_OPTS="${DOCKER_STORAGE_OPTS:-}"
 export DOCKER_REMAP_ROOT="${DOCKER_REMAP_ROOT:-}" # "default" uses dockremap
 # Example usage: DOCKER_STORAGE_OPTS="dm.basesize=20G,dm.loopdatasize=200G".
 storage_opts=()
 if [ -n "$DOCKER_STORAGE_OPTS" ]; then
 	IFS=','
 	for i in ${DOCKER_STORAGE_OPTS}; do
 		storage_opts+=("$i")
 	done
 	unset IFS
 fi
 # deal with remapping
 save_backup /etc/subuid /etc/subgid
 echo "dockremap:500000:65536"  >/etc/subuid
 echo "dockremap:500000:65536"  >/etc/subgid
 groupadd dockremap             >/dev/null 2>&1 || /bin/true
 useradd -g dockremap dockremap >/dev/null 2>&1 || /bin/true
 # make sure Docker is stopped, set our config file and then start again
 save_backup "$CFG_DOCKER"
 cat <<CFG_DOCKER_EOF >"$CFG_DOCKER"
 {
 	"log-level": "debug",
 	"log-driver": "json-file",
 	"log-opts": {
 		"max-size": "50m",
 		"max-file": "5"
 	},
 	"userns-remap": "$DOCKER_REMAP_ROOT",
 	"hosts": [
 		"tcp://127.0.0.1:2375"
 	],
 	"storage-driver": "$DOCKER_GRAPHDRIVER",
 	"storage-opts": [
 		$(printf '"%s",' "${storage_opts[@]}" | sed 's/"",//g;$s/,$//')
 	],
 	"userland-proxy": $DOCKER_USERLANDPROXY
 }
 CFG_DOCKER_EOF
 systemctl restart docker.service
 cleanup() {
 	log "Restoring configuration files..."
 	restore_backup /etc/subuid /etc/subgid "$CFG_DOCKER"
 	rm -f "$FROZEN_IMAGES_LINK"
 	log "Removing images and containers..."
 	export DOCKER_HOST="$DOCKER_TEST_HOST"
 	docker ps -aq    | xargs docker rm  -f &>/dev/null || :
 	docker images -q | xargs docker rmi -f &>/dev/null || :
 	log "Restarting the Docker service in a pristine state..."
 	systemctl restart docker.service
 }
 trap cleanup EXIT
 cd "$DOCKER_DIR"
 export MAKEDIR="$SCRIPTS_DIR/make"
 export DOCKER_HOST="$DOCKER_TEST_HOST"
 # Clean up all images on the host -- this is key to avoid test run failures.
 log "Cleaning the environment..."
 docker ps -aq    | xargs docker rm  -f &>/dev/null || :
 docker images -q | xargs docker rmi -f &>/dev/null || :
 log "Preparing the environment..."
 bundle .integration-daemon-setup
 # XXX: Really this should be sourced from the Dockerfile but this is good
 #      enough for now. This comes from the Docker 18.09.1-ce Dockerfile.
 log "Downlading frozen images..."
 mkdir -p "$FROZEN_IMAGES_DIR"
 ln -sf "$FROZEN_IMAGES_DIR" "$FROZEN_IMAGES_LINK"
 "$DOCKER_DIR/contrib/download-frozen-image-v2.sh" "$FROZEN_IMAGES_DIR" \
 	buildpack-deps:jessie@sha256:dd86dced7c9cd2a724e779730f0a53f93b7ef42228d4344b25ce9a42a1486251 \
 	busybox:latest@sha256:bbc3a03235220b170ba48a157dd097dd1379299370e1ed99ce976df0355d24f0 \
 	busybox:glibc@sha256:0b55a30394294ab23b9afd58fab94e61a923f5834fba7ddbae7f8e0c11ba85e6 \
 	debian:jessie@sha256:287a20c5f73087ab406e6b364833e3fb7b3ae63ca0eb3486555dc27ed32c6e60 \
 	hello-world:latest@sha256:be0cd392e45be79ffeffa6b05338b98ebb16c87b255f48e297ec7f98e123905c
 # The code within integration-cli which handles building *-test images doesn't
 # appear to work within our setup, not to mention we don't want to Require: a
 # bunch of build tools so we just use the provided Dockerfile and
 # buildpack-deps.
 tar -cC "$FROZEN_IMAGES_DIR" . | docker load
 for dir in "$DOCKER_DIR"/contrib/*-test
 do
 	log "Building *-test images ($dir)..."
 	docker build -t "$(basename "$dir")" "$dir"
 done
 # For some reason, dockerd appears to put the containerd.sock in the wrong
 # place under systemd. So we just manually add a symlink for it.
 [ -e "/var/run/docker/containerd/containerd.sock" ] || \
 	ln -s docker-containerd.sock /var/run/docker/containerd/containerd.sock
 # And there appears to be an issue with daemon.json as a configuration format,
 # so we need to hide our generated configuration. The original will be restored
 # in cleanup().
 rm -f "$CFG_DOCKER"
 # Run all of our tests.
 rm -f "$TEST_LOG"
 for TEST in "${TESTS[@]}"
 do
 	cd "$(dirname "$TEST")"
 	log "Running integration test ($TEST)..." | tee -a "$TEST_LOG"
 	"$TEST" "${TEST_ARGS[@]}" 2>&1 | tee -a "$TEST_LOG" || :
 done
 export -n DOCKER_HOST