Docker v18.06 upgrade.

OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=258

_service

@@ -3,8 +3,8 @@
     <param name="url">https://github.com/docker/docker-ce.git</param>
     <param name="scm">git</param>
     <param name="exclude">.git</param>
-    <param name="versionformat">17.09.1_ce</param>
-    <param name="revision">v17.09.1-ce</param>
+    <param name="versionformat">18.06.0_ce</param>
+    <param name="revision">v18.06.0-ce</param>
     <param name="filename">docker</param>
   </service>
   <service name="recompress" mode="disabled">

bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch

@@ -1,243 +0,0 @@
-From e57d7270deb50c31ac1f732d8f28812e5b809062 Mon Sep 17 00:00:00 2001
-From: Aleksa Sarai <asarai@suse.de>
-Date: Thu, 16 Nov 2017 17:09:16 +1100
-Subject: [PATCH] pkg: devmapper: dynamically load dm_task_deferred_remove
-
-dm_task_deferred_remove is not supported by all distributions, due to
-out-dated versions of devicemapper. However, in the case where the
-devicemapper library was updated without rebuilding Docker (which can
-happen in some distributions) then we should attempt to dynamically load
-the relevant object rather than try to link to it.
-
-This can only be done if Docker was built dynamically, for obvious
-reasons.
-
-In order to avoid having issues arise when dlsym(3) was unnecessary,
-gate the whole dlsym(3) logic behind a buildflag that we disable by
-default (libdm_dlsym_deferred_remove).
-
-SUSE-Bugs: bsc#1021227 bsc#1029320 bsc#1058173
-Signed-off-by: Aleksa Sarai <asarai@suse.de>
----
- components/engine/hack/make.sh                     |  12 +-
- ...> devmapper_wrapper_dynamic_deferred_remove.go} |  10 +-
- ...mapper_wrapper_dynamic_dlsym_deferred_remove.go | 128 +++++++++++++++++++++
- .../devmapper_wrapper_no_deferred_remove.go        |   6 +-
- 4 files changed, 149 insertions(+), 7 deletions(-)
- rename components/engine/pkg/devicemapper/{devmapper_wrapper_deferred_remove.go => devmapper_wrapper_dynamic_deferred_remove.go} (78%)
- create mode 100644 components/engine/pkg/devicemapper/devmapper_wrapper_dynamic_dlsym_deferred_remove.go
-
-diff --git a/components/engine/hack/make.sh b/components/engine/hack/make.sh
-index 58e0d8cd628a..3b78ddef30b0 100755
---- a/components/engine/hack/make.sh
-+++ b/components/engine/hack/make.sh
-@@ -112,6 +112,12 @@ if [ ! "$GOPATH" ]; then
- 	exit 1
- fi
- 
-+# Adds $1_$2 to DOCKER_BUILDTAGS unless it already
-+# contains a word starting from $1_
-+add_buildtag() {
-+	[[ " $DOCKER_BUILDTAGS" == *" $1_"* ]] || DOCKER_BUILDTAGS+=" $1_$2"
-+}
-+
- if ${PKG_CONFIG} 'libsystemd >= 209' 2> /dev/null ; then
- 	DOCKER_BUILDTAGS+=" journald"
- elif ${PKG_CONFIG} 'libsystemd-journal' 2> /dev/null ; then
-@@ -127,12 +133,14 @@ if \
- fi
- 
- # test whether "libdevmapper.h" is new enough to support deferred remove
--# functionality.
-+# functionality. We favour libdm_dlsym_deferred_remove over
-+# libdm_no_deferred_remove in dynamic cases because the binary could be shipped
-+# with a newer libdevmapper than the one it was built wih.
- if \
- 	command -v gcc &> /dev/null \
- 	&& ! ( echo -e  '#include <libdevmapper.h>\nint main() { dm_task_deferred_remove(NULL); }'| gcc -xc - -o /dev/null $(pkg-config --libs devmapper) &> /dev/null ) \
- ; then
--	DOCKER_BUILDTAGS+=' libdm_no_deferred_remove'
-+	add_buildtag libdm dlsym_deferred_remove
- fi
- 
- # Use these flags when compiling the tests and final binary
-diff --git a/components/engine/pkg/devicemapper/devmapper_wrapper_deferred_remove.go b/components/engine/pkg/devicemapper/devmapper_wrapper_dynamic_deferred_remove.go
-similarity index 78%
-rename from components/engine/pkg/devicemapper/devmapper_wrapper_deferred_remove.go
-rename to components/engine/pkg/devicemapper/devmapper_wrapper_dynamic_deferred_remove.go
-index 7f793c270868..bf57371ff4cf 100644
---- a/components/engine/pkg/devicemapper/devmapper_wrapper_deferred_remove.go
-+++ b/components/engine/pkg/devicemapper/devmapper_wrapper_dynamic_deferred_remove.go
-@@ -1,11 +1,15 @@
--// +build linux,cgo,!libdm_no_deferred_remove
-+// +build linux,cgo,!static_build
-+// +build !libdm_dlsym_deferred_remove,!libdm_no_deferred_remove
- 
- package devicemapper
- 
--// #include <libdevmapper.h>
-+/*
-+#include <libdevmapper.h>
-+*/
- import "C"
- 
--// LibraryDeferredRemovalSupport tells if the feature is enabled in the build
-+// LibraryDeferredRemovalSupport tells if the feature is supported by the
-+// current Docker invocation.
- const LibraryDeferredRemovalSupport = true
- 
- func dmTaskDeferredRemoveFct(task *cdmTask) int {
-diff --git a/components/engine/pkg/devicemapper/devmapper_wrapper_dynamic_dlsym_deferred_remove.go b/components/engine/pkg/devicemapper/devmapper_wrapper_dynamic_dlsym_deferred_remove.go
-new file mode 100644
-index 000000000000..5dfb369f1ff8
---- /dev/null
-+++ b/components/engine/pkg/devicemapper/devmapper_wrapper_dynamic_dlsym_deferred_remove.go
-@@ -0,0 +1,128 @@
-+// +build linux,cgo,!static_build
-+// +build libdm_dlsym_deferred_remove,!libdm_no_deferred_remove
-+
-+package devicemapper
-+
-+/*
-+#cgo LDFLAGS: -ldl
-+#include <stdlib.h>
-+#include <dlfcn.h>
-+#include <libdevmapper.h>
-+
-+// Yes, I know this looks scary. In order to be able to fill our own internal
-+// dm_info with deferred_remove we need to have a struct definition that is
-+// correct (regardless of the version of libdm that was used to compile it). To
-+// this end, we define struct_backport_dm_info. This code comes from lvm2, and
-+// I have verified that the structure has only ever had elements *appended* to
-+// it (since 2001).
-+//
-+// It is also important that this structure be _larger_ than the dm_info that
-+// libdevmapper expected. Otherwise libdm might try to write to memory it
-+// shouldn't (they don't have a "known size" API).
-+struct backport_dm_info {
-+	int exists;
-+	int suspended;
-+	int live_table;
-+	int inactive_table;
-+	int32_t open_count;
-+	uint32_t event_nr;
-+	uint32_t major;
-+	uint32_t minor;
-+	int read_only;
-+
-+	int32_t target_count;
-+
-+	int deferred_remove;
-+	int internal_suspend;
-+
-+	// Padding, purely for our own safety. This is to avoid cases where libdm
-+	// was updated underneath us and we call into dm_task_get_info() with too
-+	// small of a buffer.
-+	char _[512];
-+};
-+
-+// We have to wrap this in CGo, because Go really doesn't like function pointers.
-+int call_dm_task_deferred_remove(void *fn, struct dm_task *task)
-+{
-+	int (*_dm_task_deferred_remove)(struct dm_task *task) = fn;
-+	return _dm_task_deferred_remove(task);
-+}
-+*/
-+import "C"
-+
-+import (
-+	"unsafe"
-+
-+	"github.com/sirupsen/logrus"
-+)
-+
-+// dm_task_deferred_remove is not supported by all distributions, due to
-+// out-dated versions of devicemapper. However, in the case where the
-+// devicemapper library was updated without rebuilding Docker (which can happen
-+// in some distributions) then we should attempt to dynamically load the
-+// relevant object rather than try to link to it.
-+
-+// dmTaskDeferredRemoveFct is a "bound" version of dm_task_deferred_remove.
-+// It is nil if dm_task_deferred_remove was not found in the libdevmapper that
-+// is currently loaded.
-+var dmTaskDeferredRemovePtr unsafe.Pointer
-+
-+// LibraryDeferredRemovalSupport tells if the feature is supported by the
-+// current Docker invocation. This value is fixed during init.
-+var LibraryDeferredRemovalSupport bool
-+
-+func init() {
-+	// Clear any errors.
-+	var err *C.char
-+	C.dlerror()
-+
-+	// The symbol we want to fetch.
-+	symName := C.CString("dm_task_deferred_remove")
-+	defer C.free(unsafe.Pointer(symName))
-+
-+	// See if we can find dm_task_deferred_remove. Since we already are linked
-+	// to libdevmapper, we can search our own address space (rather than trying
-+	// to guess what libdevmapper is called). We use NULL here, as RTLD_DEFAULT
-+	// is not available in CGO (even if you set _GNU_SOURCE for some reason).
-+	// The semantics are identical on glibc.
-+	sym := C.dlsym(nil, symName)
-+	err = C.dlerror()
-+	if err != nil {
-+		logrus.Debugf("devmapper: could not load dm_task_deferred_remove: %s", C.GoString(err))
-+		return
-+	}
-+
-+	logrus.Debugf("devmapper: found dm_task_deferred_remove at %x", uintptr(sym))
-+	dmTaskDeferredRemovePtr = sym
-+	LibraryDeferredRemovalSupport = true
-+}
-+
-+func dmTaskDeferredRemoveFct(task *cdmTask) int {
-+	sym := dmTaskDeferredRemovePtr
-+	if sym == nil || !LibraryDeferredRemovalSupport {
-+		return -1
-+	}
-+	return int(C.call_dm_task_deferred_remove(sym, (*C.struct_dm_task)(task)))
-+}
-+
-+func dmTaskGetInfoWithDeferredFct(task *cdmTask, info *Info) int {
-+	if !LibraryDeferredRemovalSupport {
-+		return -1
-+	}
-+
-+	Cinfo := C.struct_backport_dm_info{}
-+	defer func() {
-+		info.Exists = int(Cinfo.exists)
-+		info.Suspended = int(Cinfo.suspended)
-+		info.LiveTable = int(Cinfo.live_table)
-+		info.InactiveTable = int(Cinfo.inactive_table)
-+		info.OpenCount = int32(Cinfo.open_count)
-+		info.EventNr = uint32(Cinfo.event_nr)
-+		info.Major = uint32(Cinfo.major)
-+		info.Minor = uint32(Cinfo.minor)
-+		info.ReadOnly = int(Cinfo.read_only)
-+		info.TargetCount = int32(Cinfo.target_count)
-+		info.DeferredRemove = int(Cinfo.deferred_remove)
-+	}()
-+	return int(C.dm_task_get_info((*C.struct_dm_task)(task), (*C.struct_dm_info)(unsafe.Pointer(&Cinfo))))
-+}
-diff --git a/components/engine/pkg/devicemapper/devmapper_wrapper_no_deferred_remove.go b/components/engine/pkg/devicemapper/devmapper_wrapper_no_deferred_remove.go
-index a880fec8c499..80b034b3ff17 100644
---- a/components/engine/pkg/devicemapper/devmapper_wrapper_no_deferred_remove.go
-+++ b/components/engine/pkg/devicemapper/devmapper_wrapper_no_deferred_remove.go
-@@ -1,8 +1,10 @@
--// +build linux,cgo,libdm_no_deferred_remove
-+// +build linux,cgo
-+// +build !libdm_dlsym_deferred_remove,libdm_no_deferred_remove
- 
- package devicemapper
- 
--// LibraryDeferredRemovalSupport tells if the feature is enabled in the build
-+// LibraryDeferredRemovalSupport tells if the feature is supported by the
-+// current Docker invocation.
- const LibraryDeferredRemovalSupport = false
- 
- func dmTaskDeferredRemoveFct(task *cdmTask) int {
--- 
-2.16.1
-

bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch

@@ -1,95 +0,0 @@
-From ff7b94c76f343931463b5916fb3fbd2610869a1a Mon Sep 17 00:00:00 2001
-From: Aleksa Sarai <asarai@suse.de>
-Date: Sun, 15 Oct 2017 17:06:20 +1100
-Subject: [PATCH] daemon: oci: obey CL_UNPRIVILEGED for user namespaced daemon
-
-When runc is bind-mounting a particular path "with options", it has to
-do so by first creating a bind-mount and the modifying the options of
-said bind-mount via remount. However, in a user namespace, there are
-restrictions on which flags you can change with a remount (due to
-CL_UNPRIVILEGED being set in this instance). Docker historically has
-ignored this, and as a result, internal Docker mounts (such as secrets)
-haven't worked with --userns-remap. Fix this by preserving
-CL_UNPRIVILEGED mount flags when Docker is spawning containers with user
-namespaces enabled.
-
-SUSE-Bug: https://bugzilla.suse.com/show_bug.cgi?id=1055676
-Signed-off-by: Aleksa Sarai <asarai@suse.de>
----
- components/engine/daemon/oci_linux.go | 46 +++++++++++++++++++++++++++++++++++
- 1 file changed, 46 insertions(+)
-
-diff --git a/components/engine/daemon/oci_linux.go b/components/engine/daemon/oci_linux.go
-index 6917b4841429..936cb8f998ca 100644
---- a/components/engine/daemon/oci_linux.go
-+++ b/components/engine/daemon/oci_linux.go
-@@ -27,6 +27,7 @@ import (
- 	"github.com/opencontainers/runc/libcontainer/user"
- 	specs "github.com/opencontainers/runtime-spec/specs-go"
- 	"github.com/sirupsen/logrus"
-+	"golang.org/x/sys/unix"
- )
- 
- var (
-@@ -469,6 +470,38 @@ func ensureSharedOrSlave(path string) error {
- 	return nil
- }
- 
-+// Get the set of mount flags that are set on the mount that contains the given
-+// path and are locked by CL_UNPRIVILEGED. This is necessary to ensure that
-+// bind-mounting "with options" will not fail with user namespaces, due to
-+// kernel restrictions that require user namespace mounts to preserve
-+// CL_UNPRIVILEGED locked flags.
-+func getUnprivilegedMountFlags(path string) ([]string, error) {
-+	var statfs unix.Statfs_t
-+	if err := unix.Statfs(path, &statfs); err != nil {
-+		return nil, err
-+	}
-+
-+	// The set of keys come from https://github.com/torvalds/linux/blob/v4.13/fs/namespace.c#L1034-L1048.
-+	unprivilegedFlags := map[uint64]string{
-+		unix.MS_RDONLY:     "ro",
-+		unix.MS_NODEV:      "nodev",
-+		unix.MS_NOEXEC:     "noexec",
-+		unix.MS_NOSUID:     "nosuid",
-+		unix.MS_NOATIME:    "noatime",
-+		unix.MS_RELATIME:   "relatime",
-+		unix.MS_NODIRATIME: "nodiratime",
-+	}
-+
-+	var flags []string
-+	for mask, flag := range unprivilegedFlags {
-+		if uint64(statfs.Flags)&mask == mask {
-+			flags = append(flags, flag)
-+		}
-+	}
-+
-+	return flags, nil
-+}
-+
- var (
- 	mountPropagationMap = map[string]int{
- 		"private":  mount.PRIVATE,
-@@ -586,6 +619,19 @@ func setMounts(daemon *Daemon, s *specs.Spec, c *container.Container, mounts []c
- 			opts = append(opts, mountPropagationReverseMap[pFlag])
- 		}
- 
-+		// If we are using user namespaces, then we must make sure that we
-+		// don't drop any of the CL_UNPRIVILEGED "locked" flags of the source
-+		// "mount" when we bind-mount. The reason for this is that at the point
-+		// when runc sets up the root filesystem, it is already inside a user
-+		// namespace, and thus cannot change any flags that are locked.
-+		if daemon.configStore.RemappedRoot != "" {
-+			unprivOpts, err := getUnprivilegedMountFlags(m.Source)
-+			if err != nil {
-+				return err
-+			}
-+			opts = append(opts, unprivOpts...)
-+		}
-+
- 		mt.Options = opts
- 		s.Mounts = append(s.Mounts, mt)
- 	}
--- 
-2.16.1
-

bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch

@@ -1,4 +1,4 @@
-From 2cc9da975798847cd0a37d1571d8a0f1d72b522d Mon Sep 17 00:00:00 2001
+From 690b89f58f34dc03333988577d49bae04a11a27c Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Sun, 8 Apr 2018 20:21:30 +1000
 Subject: [PATCH 1/2] apparmor: allow receiving of signals from 'docker kill'
@@ -15,7 +15,7 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
  1 file changed, 6 insertions(+)
 
 diff --git a/components/engine/profiles/apparmor/template.go b/components/engine/profiles/apparmor/template.go
-index c5ea4584de6b..082638e85903 100644
+index c00a3f70e993..772c4a4873f6 100644
 --- a/components/engine/profiles/apparmor/template.go
 +++ b/components/engine/profiles/apparmor/template.go
 @@ -17,6 +17,12 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
@@ -32,5 +32,5 @@ index c5ea4584de6b..082638e85903 100644
    deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a subdir)
    # deny write to files not in /proc/<number>/** or /proc/sys/**
 -- 
-2.17.1
+2.18.0
 

bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch

@@ -1,4 +1,4 @@
-From 8edc54753ab5ea9294c55ec32b49c9eb7cdf3892 Mon Sep 17 00:00:00 2001
+From 45d68c6f85da51dc6e292ce09855e79794fd8984 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Fri, 29 Jun 2018 17:59:30 +1000
 Subject: [PATCH 2/2] apparmor: clobber docker-default profile on start
@@ -21,7 +21,7 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
  3 files changed, 17 insertions(+), 5 deletions(-)
 
 diff --git a/components/engine/daemon/apparmor_default.go b/components/engine/daemon/apparmor_default.go
-index 2a418b25c241..c3e271ee4774 100644
+index 461f5c7f96b2..8f21c5c0c566 100644
 --- a/components/engine/daemon/apparmor_default.go
 +++ b/components/engine/daemon/apparmor_default.go
 @@ -14,6 +14,15 @@ const (
@@ -53,12 +53,12 @@ index 2a418b25c241..c3e271ee4774 100644
  	return nil
  }
 diff --git a/components/engine/daemon/apparmor_default_unsupported.go b/components/engine/daemon/apparmor_default_unsupported.go
-index cd2dd9702ef2..17584063c711 100644
+index 51f9c526b350..97d7758442ee 100644
 --- a/components/engine/daemon/apparmor_default_unsupported.go
 +++ b/components/engine/daemon/apparmor_default_unsupported.go
 @@ -2,6 +2,10 @@
  
- package daemon
+ package daemon // import "github.com/docker/docker/daemon"
  
 +func clobberDefaultAppArmorProfile() error {
 +	return nil
@@ -68,10 +68,10 @@ index cd2dd9702ef2..17584063c711 100644
  	return nil
  }
 diff --git a/components/engine/daemon/daemon.go b/components/engine/daemon/daemon.go
-index a11a1f8691cc..6f8846b19f57 100644
+index 5e5f586ae085..6ca6a7aaa268 100644
 --- a/components/engine/daemon/daemon.go
 +++ b/components/engine/daemon/daemon.go
-@@ -594,7 +594,9 @@ func NewDaemon(config *config.Config, registryService registry.Service, containe
+@@ -660,7 +660,9 @@ func NewDaemon(config *config.Config, registryService registry.Service, containe
  		logrus.Warnf("Failed to configure golang's threads limit: %v", err)
  	}
  
@@ -83,5 +83,5 @@ index a11a1f8691cc..6f8846b19f57 100644
  	}
  
 -- 
-2.17.1
+2.18.0
 

bsc1100727-0001-build-add-buildmode-pie.patch

@@ -1,4 +1,4 @@
-From d39172ffc6b245f02da1898793ccaef20bb6858a Mon Sep 17 00:00:00 2001
+From 6cba061d6d42e2e40267dbf8628480ec0c5d376a Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Mon, 30 Jul 2018 19:34:01 +1000
 Subject: [PATCH] build: add -buildmode=pie
@@ -7,6 +7,7 @@ Make all dynbinary builds be position-independent (this adds both
 security benefits and can help with flaky builds on POWER
 architectures).
 
+SUSE-Bugs: bsc#1100727
 Signed-off-by: Aleksa Sarai <asarai@suse.de>
 ---
  components/cli/scripts/build/dynbinary | 2 +-

docker-17.09.1_ce.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:dd19ad9900aaabb9eb5870be6271262aebbd4f86fa12f7c59677d47876492bf9
-size 6237800

docker-18.06.0_ce.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:df4b5d33d8a1d17c4707fe9610a33bd8a1618ae7a7d3a0fa0b8c38ed1d1d53e1
+size 8550432

docker.changes

@@ -1,3 +1,25 @@
+-------------------------------------------------------------------
+Wed Aug  1 09:40:59 UTC 2018 - asarai@suse.com
+
+- Enable seccomp support on SLE12, since libseccomp is now a new enough vintage
+  to work with Docker and containerd. fate#325877
+
+-------------------------------------------------------------------
+Tue Jul 31 09:48:16 UTC 2018 - asarai@suse.com
+
+- Upgrade to docker-ce v18.06.0-ce. bsc#1102522
+- Remove systemd-service dependency on containerd, which is now being started
+  by dockerd to align with upstream defaults.
+- Removed the following patches as they are merged upstream:
+  - bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch
+  - bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch
+- Rebased the following patches:
+  * bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
+  * bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch
+  * bsc1100727-0001-build-add-buildmode-pie.patch
+  * secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
+  * secrets-0002-SUSE-implement-SUSE-container-secrets.patch
+
 -------------------------------------------------------------------
 Mon Jul 30 09:44:47 UTC 2018 - asarai@suse.com
 

docker.service

@@ -1,8 +1,7 @@
 [Unit]
 Description=Docker Application Container Engine
 Documentation=http://docs.docker.com
-After=network.target containerd.socket containerd.service lvm2-monitor.service SuSEfirewall2.service
-Requires=containerd.socket containerd.service
+After=network.target lvm2-monitor.service SuSEfirewall2.service
 
 [Service]
 EnvironmentFile=/etc/sysconfig/docker
@@ -11,7 +10,7 @@ EnvironmentFile=/etc/sysconfig/docker
 # enabled by default because enabling socket activation means that on boot your
 # containers won't start until someone tries to administer the Docker daemon.
 Type=notify
-ExecStart=/usr/bin/dockerd --containerd /run/containerd/containerd.sock --add-runtime oci=/usr/sbin/docker-runc $DOCKER_NETWORK_OPTIONS $DOCKER_OPTS
+ExecStart=/usr/bin/dockerd --add-runtime oci=/usr/sbin/docker-runc $DOCKER_NETWORK_OPTIONS $DOCKER_OPTS
 ExecReload=/bin/kill -s HUP $MAINPID
 
 # Having non-zero Limit*s causes performance problems due to accounting overhead

docker.spec

@@ -36,12 +36,12 @@
 
 # These are the git commits required. We verify them against the source to make
 # sure we didn't miss anything important when doing upgrades.
-%define required_containerd 06b9cb35161009dcb7123345749fef02f7cea8e0
-%define required_dockerrunc 3f2f8b84a77f73d38244dd690525642a72156c64
-%define required_libnetwork 7b2b1feb1de4817d522cc372af149ff48d25028e
+%define required_containerd d64c661f1d51c48782c9cec8fda7604785f93587
+%define required_dockerrunc 69663f0bd4b60df09991c08812a60108003fa340
+%define required_libnetwork 3ac297bc7fd0afec9051bbb47024c9bc1d75bf5b
 
 Name:           docker
-Version:        17.09.1_ce
+Version:        18.06.0_ce
 Release:        0
 Summary:        The Linux container runtime
 License:        Apache-2.0
@@ -62,16 +62,12 @@ Source9:        tests.sh
 # branch in http://github.com/suse/docker.mirror.
 Patch200:       secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
 Patch201:       secrets-0002-SUSE-implement-SUSE-container-secrets.patch
-# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35205. bsc#1055676
-Patch400:       bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch
-# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35518. bsc#1021227 bsc#1029320 bsc#1058173
-Patch401:       bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch
 # SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/36822. bsc#1073877
-Patch402:       bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
+Patch400:       bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
 # SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/37353. bsc#1099277
-Patch403:       bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch
+Patch401:       bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch
 # SUSE-BACKPORT: Backport of https://github.com/docker/cli/pull/1242. bsc#1100727
-Patch404:       bsc1100727-0001-build-add-buildmode-pie.patch
+Patch402:       bsc1100727-0001-build-add-buildmode-pie.patch
 BuildRequires:  audit
 BuildRequires:  bash-completion
 BuildRequires:  ca-certificates
@@ -79,21 +75,7 @@ BuildRequires:  device-mapper-devel >= 1.2.68
 BuildRequires:  glibc-devel-static
 BuildRequires:  libapparmor-devel
 BuildRequires:  libbtrfs-devel >= 3.8
-# enable libseccomp for sle >= sle12sp2
-%if 0%{?sle_version} >= 120200
-%define with_libseccomp 1
-%endif
-# enable libseccomp for leap >= 42.2
-%if 0%{?leap_version} >= 420200
-%define with_libseccomp 1
-%endif
-# enable libseccomp for Factory
-%if 0%{?suse_version} > 1320
-%define with_libseccomp 1
-%endif
-%if 0%{?with_libseccomp}
-BuildRequires:  libseccomp-devel
-%endif
+BuildRequires:  libseccomp-devel >= 2.2
 BuildRequires:  libtool
 BuildRequires:  procps
 BuildRequires:  sqlite3-devel
@@ -136,9 +118,9 @@ Recommends:     lvm2 >= 2.2.89
 Conflicts:      lxc < 1.0
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 ExcludeArch:    s390 ppc
-# Make sure we build with go 1.8
+# Make sure we build with go 1.10
 BuildRequires:  go-go-md2man
-BuildRequires:  golang(API) = 1.8
+BuildRequires:  golang(API) = 1.10
 
 %description
 Docker complements LXC with a high-level API which operates at the process
@@ -196,25 +178,18 @@ Test package for docker. It contains the source code and the tests.
 %patch200 -p1
 %patch201 -p1
 %endif
-# bsc#1055676
-%patch400 -p1
-# bsc#1021227 bsc#1029320 bsc#1058173
-%patch401 -p1
 # bsc#1073877
-%patch402 -p1
+%patch400 -p1
 # bsc#1099277
-%patch403 -p1
+%patch401 -p1
 # bsc#1100727
-%patch404 -p1
+%patch402 -p1
 
 cp %{SOURCE7} .
 cp %{SOURCE9} .
 
 %build
-BUILDTAGS="exclude_graphdriver_aufs apparmor selinux pkcs11"
-%if 0%{?with_libseccomp}
-BUILDTAGS="seccomp $BUILDTAGS"
-%endif
+BUILDTAGS="exclude_graphdriver_aufs apparmor selinux seccomp pkcs11"
 %if 0%{?sle_version} == 120000
 	# Provided by patch406, to allow us to build with older distros but still
 	# have deferred removal support at runtime. We only use this when building
@@ -279,9 +254,9 @@ cd ../..
 # of the upstream vendoring scripts. This is done on-build to make sure that
 # someone doing an update didn't miss anything.
 cd components/engine
-grep 'RUNC_COMMIT=%{required_dockerrunc}'       hack/dockerfile/binaries-commits
-grep 'CONTAINERD_COMMIT=%{required_containerd}' hack/dockerfile/binaries-commits
-grep 'LIBNETWORK_COMMIT=%{required_libnetwork}' hack/dockerfile/binaries-commits
+grep 'RUNC_COMMIT=%{required_dockerrunc}'       hack/dockerfile/install/runc.installer
+grep 'CONTAINERD_COMMIT=%{required_containerd}' hack/dockerfile/install/containerd.installer
+grep 'LIBNETWORK_COMMIT=%{required_libnetwork}' hack/dockerfile/install/proxy.installer
 
 %install
 install -d %{buildroot}%{go_contribdir}
@@ -336,6 +311,17 @@ getent group docker >/dev/null || groupadd -r docker
 %service_add_post %{name}.service
 %{fillup_only -n docker}
 
+# NOTE: This is a pretty hacky way of getting around the fact we've removed
+#       containerd.service and now everything is spawned underneath Docker. In
+#       order to force containerd.service to be stopped on the upgrade we need
+#       to trick the systemd macros into thinking that this is an "uninstall".
+#       Hopefully we can remove this soon.
+(
+	FIRST_ARG=0
+	%service_del_preun containerd.service containerd.socket
+	%service_del_postun containerd.service containerd.socket
+)
+
 %preun
 %service_del_preun %{name}.service
 

secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch

@@ -1,4 +1,4 @@
-From c607825b73e5f850b3804a10e9f3c8684cb29d16 Mon Sep 17 00:00:00 2001
+From 72ca29ce89146ac0c9a47881ebfc10883ed8ed39 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Wed, 8 Mar 2017 12:41:54 +1100
 Subject: [PATCH 1/2] daemon: allow directory creation in /run/secrets
@@ -14,26 +14,26 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
  1 file changed, 21 insertions(+), 3 deletions(-)
 
 diff --git a/components/engine/daemon/container_operations_unix.go b/components/engine/daemon/container_operations_unix.go
-index 954c194ea836..3ef1e0262edc 100644
+index bc7ee452332b..d34129dfd80b 100644
 --- a/components/engine/daemon/container_operations_unix.go
 +++ b/components/engine/daemon/container_operations_unix.go
 @@ -3,6 +3,7 @@
- package daemon
+ package daemon // import "github.com/docker/docker/daemon"
  
  import (
 +	"bytes"
  	"context"
  	"fmt"
  	"io/ioutil"
-@@ -13,6 +14,7 @@ import (
- 
+@@ -14,6 +15,7 @@ import (
  	"github.com/docker/docker/container"
  	"github.com/docker/docker/daemon/links"
+ 	"github.com/docker/docker/errdefs"
 +	"github.com/docker/docker/pkg/archive"
  	"github.com/docker/docker/pkg/idtools"
  	"github.com/docker/docker/pkg/mount"
  	"github.com/docker/docker/pkg/stringid"
-@@ -216,9 +218,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
+@@ -206,9 +208,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
  		if err != nil {
  			return errors.Wrap(err, "unable to get secret from secret store")
  		}
@@ -43,7 +43,7 @@ index 954c194ea836..3ef1e0262edc 100644
  
  		uid, err := strconv.Atoi(s.File.UID)
  		if err != nil {
-@@ -229,6 +228,25 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
+@@ -219,6 +218,25 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
  			return err
  		}
  
@@ -70,5 +70,5 @@ index 954c194ea836..3ef1e0262edc 100644
  			return errors.Wrap(err, "error setting ownership for secret")
  		}
 -- 
-2.17.0
+2.18.0
 

secrets-0002-SUSE-implement-SUSE-container-secrets.patch

@@ -1,4 +1,4 @@
-From a7533a3084e925eb478148ef30bec0d1f1b81ae3 Mon Sep 17 00:00:00 2001
+From 4b300d3fabe2c8fa7292967c63a83eb82a30925a Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Wed, 8 Mar 2017 11:43:29 +1100
 Subject: [PATCH 2/2] SUSE: implement SUSE container secrets
@@ -10,36 +10,36 @@ THIS PATCH IS NOT TO BE UPSTREAMED, DUE TO THE FACT THAT IT IS
 SUSE-SPECIFIC, AND UPSTREAM DOES NOT APPROVE OF THIS CONCEPT BECAUSE IT
 MAKES BUILDS NOT ENTIRELY REPRODUCIBLE.
 
-SUSE-Bugs: bsc#1065609 bsc#1057743 bsc#1055676 bsc#1030702
+SUSE-Bugs: bsc#1057743 bsc#1055676 bsc#1030702
 Signed-off-by: Aleksa Sarai <asarai@suse.de>
 ---
  components/engine/daemon/start.go        |   5 +
- components/engine/daemon/suse_secrets.go | 399 +++++++++++++++++++++++
- 2 files changed, 404 insertions(+)
+ components/engine/daemon/suse_secrets.go | 396 +++++++++++++++++++++++
+ 2 files changed, 401 insertions(+)
  create mode 100644 components/engine/daemon/suse_secrets.go
 
 diff --git a/components/engine/daemon/start.go b/components/engine/daemon/start.go
-index 55438cf2c45f..7dfa6cd1d055 100644
+index c00bd9ceb22b..aa705888df39 100644
 --- a/components/engine/daemon/start.go
 +++ b/components/engine/daemon/start.go
-@@ -147,6 +147,11 @@ func (daemon *Daemon) containerStart(container *container.Container, checkpoint
+@@ -151,6 +151,11 @@ func (daemon *Daemon) containerStart(container *container.Container, checkpoint
  		return err
  	}
  
 +	// SUSE:secrets -- inject the SUSE secret store
 +	if err := daemon.injectSuseSecretStore(container); err != nil {
-+		return err
++		return errdefs.System(err)
 +	}
 +
  	spec, err := daemon.createSpec(container)
  	if err != nil {
- 		return systemError{err}
+ 		return errdefs.System(err)
 diff --git a/components/engine/daemon/suse_secrets.go b/components/engine/daemon/suse_secrets.go
 new file mode 100644
-index 000000000000..00e485368b47
+index 000000000000..817cd5561023
 --- /dev/null
 +++ b/components/engine/daemon/suse_secrets.go
-@@ -0,0 +1,399 @@
+@@ -0,0 +1,396 @@
 +/*
 + * suse-secrets: patch for Docker to implement SUSE secrets
 + * Copyright (C) 2017 SUSE LLC.
@@ -143,10 +143,6 @@ index 000000000000..00e485368b47
 +	var suseFiles []*SuseFakeFile
 +
 +	path := filepath.Join(prefix, dir)
-+	if _, err := os.Lstat(path); err != nil && os.IsNotExist(err) {
-+		// If the path doesn't exist at all we don't inject anything.
-+		return nil, nil
-+	}
 +	fi, err := os.Stat(path)
 +	if err != nil {
 +		// Ignore dangling symlinks.
@@ -263,10 +259,6 @@ index 000000000000..00e485368b47
 +// readFile returns a secret given a file under a given prefix.
 +func readFile(prefix, file string) ([]*SuseFakeFile, error) {
 +	path := filepath.Join(prefix, file)
-+	if _, err := os.Lstat(path); err != nil && os.IsNotExist(err) {
-+		// If the path doesn't exist at all we don't inject anything.
-+		return nil, nil
-+	}
 +	fi, err := os.Stat(path)
 +	if err != nil {
 +		// Ignore dangling symlinks.
@@ -430,7 +422,12 @@ index 000000000000..00e485368b47
 +	// to the mount list. This causes clashes because of duplicate namespaces.
 +	// If we see an existing mount that will clash with the in-built secrets
 +	// mount we assume it's our fault.
-+	for _, intendedMount := range c.SecretMounts() {
++	intendedMounts, err := c.SecretMounts()
++	if err != nil {
++		logrus.Warnf("SUSE:secrets :: fetching old secret mounts: %v", err)
++		return err
++	}
++	for _, intendedMount := range intendedMounts {
 +		mountPath := intendedMount.Destination
 +		if volume, ok := c.MountPoints[mountPath]; ok {
 +			logrus.Debugf("SUSE:secrets :: removing pre-existing %q mount: %#v", mountPath, volume)
@@ -440,5 +437,5 @@ index 000000000000..00e485368b47
 +	return nil
 +}
 -- 
-2.17.0
+2.18.0