Accepting request 1302771 from Virtualization:containers

OBS-URL: https://build.opensuse.org/request/show/1302771
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/docker?expand=0&rev=175

0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch

@@ -1,4 +1,4 @@
-From 6984023c043bec71b44665a55ab4abec6f549ed5 Mon Sep 17 00:00:00 2001
+From 4ae999e2bf6cea95845ce16baf262193947028c3 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <cyphar@cyphar.com>
 Date: Wed, 4 Jun 2025 15:01:37 +1000
 Subject: [PATCH 1/6] SECRETS: SUSE: always clear our internal secrets
@@ -102,5 +102,5 @@ index 000000000000..b8f3d9f9c094
 +	c.SecretReferences = without
 +}
 -- 
-2.50.0
+2.51.0
 

0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch

@@ -1,4 +1,4 @@
-From a37bdf794549f1bd238d222801f87c223efc92dc Mon Sep 17 00:00:00 2001
+From 6f03d8d6c52c95823d5d730416b2b8b111a9f2a3 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Wed, 8 Mar 2017 12:41:54 +1100
 Subject: [PATCH 2/6] SECRETS: daemon: allow directory creation in /run/secrets
@@ -69,5 +69,5 @@ index f6d9449609b7..520b7f80f162 100644
  			return errors.Wrap(err, "error setting ownership for secret")
  		}
 -- 
-2.50.0
+2.51.0
 

0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch

@@ -1,4 +1,4 @@
-From b2580007548917ca214a8f40f6888a3285c63b1f Mon Sep 17 00:00:00 2001
+From 12c87ffce6cea19c87213e9a0174f5cc31ac3891 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Wed, 8 Mar 2017 11:43:29 +1100
 Subject: [PATCH 3/6] SECRETS: SUSE: implement SUSE container secrets
@@ -500,5 +500,5 @@ index b8f3d9f9c094..5ab96651080b 100644
 +	return nil
 +}
 -- 
-2.50.0
+2.51.0
 

0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch

@@ -1,4 +1,4 @@
-From faaf452a0ced139a10a76cdb4dba04ba39d2e948 Mon Sep 17 00:00:00 2001
+From be344f919f392cad31c96f53615d0010d7c1bab8 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Mon, 22 May 2023 15:44:54 +1000
 Subject: [PATCH 4/6] BUILD: SLE12: revert "graphdriver/btrfs: use kernel UAPI
@@ -42,5 +42,5 @@ index fa0cb3ed25d8..871f6b3f8c1f 100644
  static void set_name_btrfs_ioctl_vol_args_v2(struct btrfs_ioctl_vol_args_v2* btrfs_struct, const char* value) {
      snprintf(btrfs_struct->name, BTRFS_SUBVOL_NAME_MAX, "%s", value);
 -- 
-2.50.0
+2.51.0
 

0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch

@@ -1,4 +1,4 @@
-From 1d73fe8e91b3f27e93affe5e8257b79627587875 Mon Sep 17 00:00:00 2001
+From f6e33b35f540cc1ac3c7cc6403916e23239fdb23 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Fri, 29 Jun 2018 17:59:30 +1000
 Subject: [PATCH 5/6] bsc1073877: apparmor: clobber docker-default profile on
@@ -22,7 +22,7 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
  3 files changed, 17 insertions(+), 6 deletions(-)
 
 diff --git a/daemon/apparmor_default.go b/daemon/apparmor_default.go
-index d5737e5a75a3..d77c714d266b 100644
+index a1048e303c1e..e087f6b9265f 100644
 --- a/daemon/apparmor_default.go
 +++ b/daemon/apparmor_default.go
 @@ -23,6 +23,15 @@ func DefaultApparmorProfile() string {
@@ -85,5 +85,5 @@ index 2e0a36eb102b..f28c6e061fa9 100644
  	}
  
 -- 
-2.50.0
+2.51.0
 

0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch

@@ -1,4 +1,4 @@
-From 993356d0603739961b62a8010d96f412e56b9196 Mon Sep 17 00:00:00 2001
+From 7bd32fa91ed29b32d42991304b9a55a1f7db2ece Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Wed, 11 Oct 2023 21:19:12 +1100
 Subject: [PATCH 6/6] SLE12: revert "apparmor: remove version-conditionals from
@@ -17,11 +17,11 @@ apparmor_parser version is quite old.
 
 Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
 ---
- contrib/apparmor/main.go      | 16 ++++++-
- contrib/apparmor/template.go  | 16 +++++++
- pkg/aaparser/aaparser.go      | 86 +++++++++++++++++++++++++++++++++++
- profiles/apparmor/apparmor.go | 16 ++++++-
- profiles/apparmor/template.go |  4 ++
+ contrib/apparmor/main.go                      | 16 +++-
+ contrib/apparmor/template.go                  | 16 ++++
+ pkg/aaparser/aaparser.go                      | 86 +++++++++++++++++++
+ .../moby/profiles/apparmor/apparmor.go        | 16 +++-
+ .../moby/profiles/apparmor/template.go        |  4 +
  5 files changed, 134 insertions(+), 4 deletions(-)
  create mode 100644 pkg/aaparser/aaparser.go
 
@@ -248,10 +248,10 @@ index 000000000000..89b48b2dba58
 +	numericVersion := majorVersion*1e5 + minorVersion*1e3 + patchLevel
 +	return numericVersion, nil
 +}
-diff --git a/profiles/apparmor/apparmor.go b/profiles/apparmor/apparmor.go
+diff --git a/vendor/github.com/moby/profiles/apparmor/apparmor.go b/vendor/github.com/moby/profiles/apparmor/apparmor.go
 index 445eed64e979..871b1f7d63c2 100644
---- a/profiles/apparmor/apparmor.go
-+++ b/profiles/apparmor/apparmor.go
+--- a/vendor/github.com/moby/profiles/apparmor/apparmor.go
++++ b/vendor/github.com/moby/profiles/apparmor/apparmor.go
 @@ -11,10 +11,14 @@ import (
  	"path"
  	"strings"
@@ -291,11 +291,11 @@ index 445eed64e979..871b1f7d63c2 100644
  	return compiled.Execute(out, p)
  }
  
-diff --git a/profiles/apparmor/template.go b/profiles/apparmor/template.go
-index 35c75300f8f0..b7a0299af2b8 100644
---- a/profiles/apparmor/template.go
-+++ b/profiles/apparmor/template.go
-@@ -23,6 +23,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
+diff --git a/vendor/github.com/moby/profiles/apparmor/template.go b/vendor/github.com/moby/profiles/apparmor/template.go
+index 2ebcc218a702..682425f71e64 100644
+--- a/vendor/github.com/moby/profiles/apparmor/template.go
++++ b/vendor/github.com/moby/profiles/apparmor/template.go
+@@ -22,6 +22,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
    capability,
    file,
    umount,
@@ -303,7 +303,7 @@ index 35c75300f8f0..b7a0299af2b8 100644
    # Host (privileged) processes may send signals to container processes.
    signal (receive) peer=unconfined,
    # runc may send signals to container processes (for "docker stop").
-@@ -33,6 +34,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
+@@ -32,6 +33,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
    signal (receive) peer={{.DaemonProfile}},
    # Container processes may send signals amongst themselves.
    signal (send,receive) peer={{.Name}},
@@ -311,7 +311,7 @@ index 35c75300f8f0..b7a0299af2b8 100644
  
    deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a subdir)
    # deny write to files not in /proc/<number>/** or /proc/sys/**
-@@ -53,7 +55,9 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
+@@ -52,7 +54,9 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
    deny /sys/devices/virtual/powercap/** rwklx,
    deny /sys/kernel/security/** rwklx,
  
@@ -322,5 +322,5 @@ index 35c75300f8f0..b7a0299af2b8 100644
  }
  `
 -- 
-2.50.0
+2.51.0
 

_service

@@ -3,24 +3,24 @@
     <param name="url">https://github.com/moby/moby.git</param>
     <param name="scm">git</param>
     <param name="exclude">.git</param>
-    <param name="versionformat">28.3.2_ce_%h</param>
-    <param name="revision">v28.3.2</param>
+    <param name="versionformat">28.4.0_ce_%h</param>
+    <param name="revision">v28.4.0</param>
     <param name="filename">docker</param>
   </service>
   <service name="tar_scm" mode="manual">
     <param name="url">https://github.com/docker/cli.git</param>
     <param name="scm">git</param>
     <param name="exclude">.git</param>
-    <param name="versionformat">28.3.2_ce</param>
-    <param name="revision">v28.3.2</param>
+    <param name="versionformat">28.4.0_ce</param>
+    <param name="revision">v28.4.0</param>
     <param name="filename">docker-cli</param>
   </service>
   <service name="tar_scm" mode="manual">
     <param name="url">https://github.com/docker/buildx.git</param>
     <param name="scm">git</param>
     <param name="exclude">.git</param>
-    <param name="versionformat">0.25.0</param>
-    <param name="revision">v0.25.0</param>
+    <param name="versionformat">0.28.0</param>
+    <param name="revision">v0.28.0</param>
     <param name="filename">docker-buildx</param>
   </service>
   <service name="recompress" mode="manual">

cli-0001-openSUSE-point-users-to-docker-buildx-package.patch

@@ -0,0 +1,44 @@
+From 02b49739668ea5ffb0b240c2a264eb9bb378f56f Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <cyphar@cyphar.com>
+Date: Mon, 1 Sep 2025 16:05:24 +1000
+Subject: [PATCH 1/2] openSUSE: point users to docker-buildx package
+
+The reference to a "buildx component" is a little confusing in the
+context of (open)SUSE packaging and might confuse users, as they just
+need to install the "docker-buildx" package.
+
+Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
+---
+ cmd/docker/builder.go | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/cmd/docker/builder.go b/cmd/docker/builder.go
+index 00fc1b40f1ab..ff3becd1c9e7 100644
+--- a/cmd/docker/builder.go
++++ b/cmd/docker/builder.go
+@@ -20,7 +20,7 @@
+ const (
+ 	builderDefaultPlugin = "buildx"
+ 	buildxMissingWarning = `DEPRECATED: The legacy builder is deprecated and will be removed in a future release.
+-            Install the buildx component to build images with BuildKit:
++            Install the docker-buildx package to build images with BuildKit:
+             https://docs.docker.com/go/buildx/`
+ 
+ 	buildkitDisabledWarning = `DEPRECATED: The legacy builder is deprecated and will be removed in a future release.
+@@ -28,11 +28,11 @@
+             environment-variable.`
+ 
+ 	buildxMissingError = `ERROR: BuildKit is enabled but the buildx component is missing or broken.
+-       Install the buildx component to build images with BuildKit:
++       Install the docker-buildx package to build images with BuildKit:
+        https://docs.docker.com/go/buildx/`
+ 
+ 	bakeMissingError = `ERROR: docker bake requires the buildx component but it is missing or broken.
+-       Install the buildx component to use bake:
++       Install the docker-buildx package to use bake:
+        https://docs.docker.com/go/buildx/`
+ )
+ 
+-- 
+2.51.0
+

cli-0002-SECRETS-SUSE-default-to-DOCKER_BUILDKIT-0-for-docker.patch

@@ -0,0 +1,98 @@
+From b7fb811f2c032bdd42b914aa00dc2a793ddb003f Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <cyphar@cyphar.com>
+Date: Fri, 15 Aug 2025 19:55:53 +1000
+Subject: [PATCH 2/2] SECRETS: SUSE: default to DOCKER_BUILDKIT=0 for "docker
+ build"
+
+For systems with SUSEConnect auto-injection enabled, docker-buildx does
+not include our injected secrets. For SLE15 and earlier, enabling
+"docker build" to auto-switch to "docker buildx build" would thus break
+existing users of the feature.
+
+So, make DOCKER_BUILDKIT=0 the default. Users can still opt-in to using
+BuildKit with DOCKER_BUILDKIT=1 or using subcommands like "docker bake"
+or "docker buildx $foo", but existing users won't be broken by the
+change.
+
+Users that do switch BuildKit can inject SCC credentials in a far more
+deliberate (and thus more secure) manner by using
+
+  RUN --mount=type=secret,id=SCCcredentials zypper -n ...
+
+in their Dockerfiles, and then using
+
+  docker buildx build --secret id=SCCcredentials,src=/etc/zypp/credentials.d/SCCcredentials,type=file .
+
+for their builds.
+
+SUSE-Bug: https://jira.suse.com/browse/PED-12534
+SUSE-Bug: https://jira.suse.com/browse/PED-8905
+SUSE-Bug: https://bugzilla.suse.com/show_bug.cgi?id=1247594
+Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
+---
+ cmd/docker/builder.go | 28 +++++++++++++++++++++++-----
+ 1 file changed, 23 insertions(+), 5 deletions(-)
+
+diff --git a/cmd/docker/builder.go b/cmd/docker/builder.go
+index ff3becd1c9e7..61306cc6785e 100644
+--- a/cmd/docker/builder.go
++++ b/cmd/docker/builder.go
+@@ -23,9 +23,19 @@
+             Install the docker-buildx package to build images with BuildKit:
+             https://docs.docker.com/go/buildx/`
+ 
+-	buildkitDisabledWarning = `DEPRECATED: The legacy builder is deprecated and will be removed in a future release.
+-            BuildKit is currently disabled; enable it by removing the DOCKER_BUILDKIT=0
+-            environment-variable.`
++	buildkitDisabledWarning = `INFORMATION: This version of Docker has been patched by SUSE.
++        These patches allow for automatic access to the host SUSE subscription
++        inside containers, allowing for customers to create derived images with
++        "docker build" using SUSE packages. However, this feature is
++        incompatible with BuildKit and so "docker build" will use the legacy
++        builder by default. In order to disable this message and continue using
++        the legacy builder, set the DOCKER_BUILDKIT=0 environment-variable.
++
++        In order to opt-in to using BuildKit, set the DOCKER_BUILDKIT=1
++        environment-variable. See the SLE16 documentation for information on
++        how to switch to BuildKit while still maintaining access to SCC
++        credentials. In order to use BuildKit, you must have the docker-buildx
++        package installed.`
+ 
+ 	buildxMissingError = `ERROR: BuildKit is enabled but the buildx component is missing or broken.
+        Install the docker-buildx package to build images with BuildKit:
+@@ -48,7 +58,7 @@ func newBuilderError(errorMsg string, pluginLoadErr error) error {
+ 
+ //nolint:gocyclo
+ func processBuilder(dockerCli command.Cli, cmd *cobra.Command, args, osargs []string) ([]string, []string, []string, error) {
+-	var buildKitDisabled, useBuilder, useAlias bool
++	var buildKitDisabled, showDisabledWarning, useBuilder, useAlias bool
+ 	var envs []string
+ 
+ 	// check DOCKER_BUILDKIT env var is not empty
+@@ -63,6 +73,14 @@ func processBuilder(dockerCli command.Cli, cmd *cobra.Command, args, osargs []st
+ 		} else {
+ 			useBuilder = true
+ 		}
++	} else {
++		// SUSE: Disable automatic usage of docker-buildx if unspecified (for
++		// pre-SLE16) to maintain support for SUSEConnect auto-injection. If a
++		// user specifies DOCKER_BUILDKIT=1 manually, that's up to them.
++		buildKitDisabled = true
++		// Only show the disabled "warning" when the user hasn't explicitly
++		// opted into DOCKER_BUILDKIT=0.
++		showDisabledWarning = true
+ 	}
+ 	// docker bake always requires buildkit; ignore "DOCKER_BUILDKIT=0".
+ 	if buildKitDisabled && len(args) > 0 && args[0] == "bake" {
+@@ -102,7 +120,7 @@ func processBuilder(dockerCli command.Cli, cmd *cobra.Command, args, osargs []st
+ 		// is deprecated. For Windows / WCOW, BuildKit is still experimental,
+ 		// so we don't print this warning, even if the daemon advertised that
+ 		// it supports BuildKit.
+-		if dockerCli.ServerInfo().OSType != "windows" {
++		if showDisabledWarning && dockerCli.ServerInfo().OSType != "windows" {
+ 			_, _ = fmt.Fprintf(dockerCli.Err(), "%s\n\n", buildkitDisabledWarning)
+ 		}
+ 		return args, osargs, nil, nil
+-- 
+2.51.0
+

docker-28.4.0_ce_249d679a6.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:73bf3e1c1b73100b35d428e65eb9ddbb5eba630ca1903ec122313539ff81c282
+size 10671788

docker-buildx-0.28.0.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d9f918d63e74fea28bfc9d4766982611b63525fff08aee99bb9096541354eb2c
+size 8071860

docker-cli-28.4.0_ce.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4ef957ca985d14dfcd65ca125e035b917da61cd664ebc3816411e1ecc8815379
+size 4280768

docker.changes

@@ -1,3 +1,70 @@
+-------------------------------------------------------------------
+Thu Sep  4 08:37:24 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to docker-buildx v0.28.0. Upstream changelog:
+  <https://github.com/docker/buildx/releases/tag/v0.28.0>
+- Update to Docker 28.4.0-ce. See upstream changelog online at
+  <https://docs.docker.com/engine/release-notes/28/#2840>
+- Rebased patches:
+  * 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
+  * 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+  * 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+  * 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
+  * 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+  * 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
+  * cli-0001-openSUSE-point-users-to-docker-buildx-package.patch
+  * cli-0002-SECRETS-SUSE-default-to-DOCKER_BUILDKIT-0-for-docker.patch
+
+-------------------------------------------------------------------
+Mon Sep  1 05:48:29 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update warnings and errors related to "docker buildx ..." so that they
+  reference our openSUSE docker-buildx packages.
+  + cli-0001-openSUSE-point-users-to-docker-buildx-package.patch
+- Enable building docker-buildx for SLE15 systems with SUSEConnect secret
+  injection enabled. PED-12534 PED-8905 bsc#1247594
+
+  As docker-buildx does not support our SUSEConnect secret injection (and some
+  users depend "docker build" working transparently), patch the docker CLI so
+  that "docker build" will no longer automatically call "docker buildx build",
+  effectively making DOCKER_BUILDKIT=0 the default configuration. Users can
+  manually use "docker buildx ..." commands or set DOCKER_BUILDKIT=1 in order
+  to opt-in to using docker-buildx.
+
+  Users can silence the "docker build" warning by setting DOCKER_BUILDKIT=0
+  explicitly.
+
+  In order to inject SCC credentials with docker-buildx, users should use
+
+    RUN --mount=type=secret,id=SCCcredentials zypper -n ...
+
+  in their Dockerfiles, and
+
+    docker buildx build --secret id=SCCcredentials,src=/etc/zypp/credentials.d/SCCcredentials,type=file .
+
+  when doing their builds.
+
+  + cli-0002-SECRETS-SUSE-default-to-DOCKER_BUILDKIT-0-for-docker.patch
+
+-------------------------------------------------------------------
+Tue Jul 29 14:44:44 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to Docker 28.3.3-ce. See upstream changelog online at
+  <https://docs.docker.com/engine/release-notes/28/#2833>
+  CVE-2025-54388 bsc#1247367
+
+-------------------------------------------------------------------
+Wed Jul 23 04:23:57 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to docker-buildx v0.26.1. Upstream changelog:
+  <https://github.com/docker/buildx/releases/tag/v0.26.1>
+
+-------------------------------------------------------------------
+Mon Jul 21 21:53:38 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to docker-buildx v0.26.0. Upstream changelog:
+  <https://github.com/docker/buildx/releases/tag/v0.26.0>
+
 -------------------------------------------------------------------
 Thu Jul 17 04:32:55 UTC 2025 - Aleksa Sarai <asarai@suse.com>
 

docker.spec

@@ -26,12 +26,14 @@
 %if 0%{?is_opensuse} == 0 && 0%{?suse_version} < 1600
 # SUSEConnect support ("SUSE secrets") only makes sense for SLES hosts.
 %bcond_without  suseconnect
-# There is currently a known bug between buildx and SUSE secrets, so we don't
-# package docker-buildx for SLES<16. bsc#1233819
-%bcond_with     buildx
 %else
 %bcond_with     suseconnect
+%endif
+# BuildKit (docker-buildx) is only provided for SLE >= 15 and openSUSE.
+%if 0%{?is_opensuse} || 0%{?suse_version} >= 1500
 %bcond_without  buildx
+%else
+%bcond_with     buildx
 %endif
 
 # The flavour is defined with a macro to try to keep docker and docker-stable
@@ -51,8 +53,8 @@
 %endif
 
 # MANUAL: This needs to be updated with every docker update.
-%define docker_real_version 28.3.2
-%define docker_git_version e77ff99ed
+%define docker_real_version 28.4.0
+%define docker_git_version 249d679a6
 %define docker_version %{docker_real_version}_ce
 # This "nice version" is so that docker --version gives a result that can be
 # parsed by other people. boo#1182476
@@ -60,7 +62,7 @@
 
 %if %{with buildx}
 # MANUAL: This needs to be updated with every docker-buildx update.
-%define buildx_version 0.25.0
+%define buildx_version 0.28.0
 %endif
 
 # Used when generating the "build" information for Docker version. The value of
@@ -68,7 +70,7 @@
 # helpfully injects into our build environment from the changelog). If you want
 # to generate a new git_commit_epoch, use this:
 #  $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s'
-%define git_commit_epoch 1752057183
+%define git_commit_epoch 1756931329
 
 Name:           docker%{flavour}
 Version:        %{docker_version}
@@ -99,6 +101,8 @@ Source900:      docker-integration.sh
 Patch100:       0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
 Patch101:       0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
 Patch102:       0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+Patch901:       cli-0001-openSUSE-point-users-to-docker-buildx-package.patch
+Patch902:       cli-0002-SECRETS-SUSE-default-to-DOCKER_BUILDKIT-0-for-docker.patch
 # UPSTREAM: Revert of upstream patch to keep SLE-12 build working.
 Patch200:       0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
 # UPSTREAM: Backport of <https://github.com/moby/moby/pull/41954>.
@@ -330,6 +334,13 @@ Fish command line completion support for %{name}.
 %define cli_builddir %{_builddir}/docker-cli-%{docker_version}
 %setup -q -T -b 1 -n docker-cli-%{docker_version}
 [ "%{cli_builddir}" = "$PWD" ]
+%if %{with buildx}
+%patch -P901 -p1
+%if %{with suseconnect}
+# PATCH-SUSE: Secrets patch for docker-build.
+%patch -P902 -p1
+%endif
+%endif
 
 %if %{with buildx}
 # docker-buildx