
Accepting request 868782 from Virtualization:containers

- Update to Docker 20.10.3-ce. See upstream changelog in the packaged
  /usr/share/doc/packages/docker/CHANGELOG.md. CVE-2021-21285 CVE-2021-21284
- Drop docker-runc, docker-test and docker-libnetwork packages. We now just use
  the upstream runc package (it's stable enough and Docker no longer pins git
  versions). docker-libnetwork is so unstable that it doesn't have any
  versioning scheme and so it really doesn't make sense to maintain the project
  as a separate package. bsc#1181641 bsc#1181677

OBS-URL: https://build.opensuse.org/request/show/868782
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/docker?expand=0&rev=109
Dominique Leuenberger 2021-02-04 19:22:48 +00:00 committed by Git OBS Bridge
commit 8155465191
16 changed files with 492 additions and 977 deletions


@ -1,7 +1,7 @@
From 47b241f184e61474957c4ffb8a3dcbaa543eadb9 Mon Sep 17 00:00:00 2001 From 1edf7a140c843cc6db85cdea298db19fee316dcb Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de> From: Aleksa Sarai <asarai@suse.de>
Date: Wed, 8 Mar 2017 12:41:54 +1100 Date: Wed, 8 Mar 2017 12:41:54 +1100
Subject: [PATCH 1/2] daemon: allow directory creation in /run/secrets Subject: [PATCH 1/4] SECRETS: daemon: allow directory creation in /run/secrets
Since FileMode can have the directory bit set, allow a SecretStore Since FileMode can have the directory bit set, allow a SecretStore
implementation to return secrets that are actually directories. This is implementation to return secrets that are actually directories. This is
@ -10,13 +10,13 @@ useful for creating directories and subdirectories of secrets.
Signed-off-by: Antonio Murdaca <runcom@redhat.com> Signed-off-by: Antonio Murdaca <runcom@redhat.com>
Signed-off-by: Aleksa Sarai <asarai@suse.de> Signed-off-by: Aleksa Sarai <asarai@suse.de>
--- ---
.../daemon/container_operations_unix.go | 24 ++++++++++++++++--- daemon/container_operations_unix.go | 24 +++++++++++++++++++++---
1 file changed, 21 insertions(+), 3 deletions(-) 1 file changed, 21 insertions(+), 3 deletions(-)
diff --git a/components/engine/daemon/container_operations_unix.go b/components/engine/daemon/container_operations_unix.go diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go
index 3fcdc1913bed..4920def81a7e 100644 index 5521adbd2749..c103d9349c51 100644
--- a/components/engine/daemon/container_operations_unix.go --- a/daemon/container_operations_unix.go
+++ b/components/engine/daemon/container_operations_unix.go +++ b/daemon/container_operations_unix.go
@@ -3,6 +3,7 @@ @@ -3,6 +3,7 @@
package daemon // import "github.com/docker/docker/daemon" package daemon // import "github.com/docker/docker/daemon"
@ -31,9 +31,9 @@ index 3fcdc1913bed..4920def81a7e 100644
"github.com/docker/docker/errdefs" "github.com/docker/docker/errdefs"
+ "github.com/docker/docker/pkg/archive" + "github.com/docker/docker/pkg/archive"
"github.com/docker/docker/pkg/idtools" "github.com/docker/docker/pkg/idtools"
"github.com/docker/docker/pkg/mount"
"github.com/docker/docker/pkg/stringid" "github.com/docker/docker/pkg/stringid"
@@ -206,9 +208,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) { "github.com/docker/docker/pkg/system"
@@ -207,9 +209,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
if err != nil { if err != nil {
return errors.Wrap(err, "unable to get secret from secret store") return errors.Wrap(err, "unable to get secret from secret store")
} }
@ -43,7 +43,7 @@ index 3fcdc1913bed..4920def81a7e 100644
uid, err := strconv.Atoi(s.File.UID) uid, err := strconv.Atoi(s.File.UID)
if err != nil { if err != nil {
@@ -219,6 +218,25 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) { @@ -220,6 +219,25 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
return err return err
} }
@ -70,5 +70,5 @@ index 3fcdc1913bed..4920def81a7e 100644
return errors.Wrap(err, "error setting ownership for secret") return errors.Wrap(err, "error setting ownership for secret")
} }
-- --
2.22.0 2.30.0


@ -1,7 +1,7 @@
From 80072183953f8cf6fcef6b5e65e609e833dd9fb8 Mon Sep 17 00:00:00 2001 From b7419429d17675d8db949bd7c35812308684254a Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de> From: Aleksa Sarai <asarai@suse.de>
Date: Wed, 8 Mar 2017 11:43:29 +1100 Date: Wed, 8 Mar 2017 11:43:29 +1100
Subject: [PATCH 2/2] SUSE: implement SUSE container secrets Subject: [PATCH 2/4] SECRETS: SUSE: implement SUSE container secrets
This allows for us to pass in host credentials to a container, allowing This allows for us to pass in host credentials to a container, allowing
for SUSEConnect to work with containers. for SUSEConnect to work with containers.
@ -10,19 +10,19 @@ THIS PATCH IS NOT TO BE UPSTREAMED, DUE TO THE FACT THAT IT IS
SUSE-SPECIFIC, AND UPSTREAM DOES NOT APPROVE OF THIS CONCEPT BECAUSE IT SUSE-SPECIFIC, AND UPSTREAM DOES NOT APPROVE OF THIS CONCEPT BECAUSE IT
MAKES BUILDS NOT ENTIRELY REPRODUCIBLE. MAKES BUILDS NOT ENTIRELY REPRODUCIBLE.
SUSE-Bugs: bsc#1057743 bsc#1055676 bsc#1030702 SUSE-Bugs: bsc#1065609 bsc#1057743 bsc#1055676 bsc#1030702
Signed-off-by: Aleksa Sarai <asarai@suse.de> Signed-off-by: Aleksa Sarai <asarai@suse.de>
--- ---
components/engine/daemon/start.go | 5 + daemon/start.go | 5 +
components/engine/daemon/suse_secrets.go | 396 +++++++++++++++++++++++ daemon/suse_secrets.go | 410 +++++++++++++++++++++++++++++++++++++++++
2 files changed, 401 insertions(+) 2 files changed, 415 insertions(+)
create mode 100644 components/engine/daemon/suse_secrets.go create mode 100644 daemon/suse_secrets.go
diff --git a/components/engine/daemon/start.go b/components/engine/daemon/start.go diff --git a/daemon/start.go b/daemon/start.go
index 57a7267b7cbb..46c3a603554f 100644 index d9bc082b1078..091dae2ae65e 100644
--- a/components/engine/daemon/start.go --- a/daemon/start.go
+++ b/components/engine/daemon/start.go +++ b/daemon/start.go
@@ -151,6 +151,11 @@ func (daemon *Daemon) containerStart(container *container.Container, checkpoint @@ -150,6 +150,11 @@ func (daemon *Daemon) containerStart(container *container.Container, checkpoint
return err return err
} }
@ -34,15 +34,15 @@ index 57a7267b7cbb..46c3a603554f 100644
spec, err := daemon.createSpec(container) spec, err := daemon.createSpec(container)
if err != nil { if err != nil {
return errdefs.System(err) return errdefs.System(err)
diff --git a/components/engine/daemon/suse_secrets.go b/components/engine/daemon/suse_secrets.go diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go
new file mode 100644 new file mode 100644
index 000000000000..087c877015a7 index 000000000000..177efcb22295
--- /dev/null --- /dev/null
+++ b/components/engine/daemon/suse_secrets.go +++ b/daemon/suse_secrets.go
@@ -0,0 +1,396 @@ @@ -0,0 +1,410 @@
+/* +/*
+ * suse-secrets: patch for Docker to implement SUSE secrets + * suse-secrets: patch for Docker to implement SUSE secrets
+ * Copyright (C) 2017 SUSE LLC. + * Copyright (C) 2017-2021 SUSE LLC.
+ * + *
+ * Licensed under the Apache License, Version 2.0 (the "License"); + * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License. + * you may not use this file except in compliance with the License.
@ -68,17 +68,18 @@ index 000000000000..087c877015a7
+ "os" + "os"
+ "path/filepath" + "path/filepath"
+ "strings" + "strings"
+ "syscall"
+ +
+ "github.com/docker/docker/container" + "github.com/docker/docker/container"
+ "github.com/docker/docker/pkg/archive" + "github.com/docker/docker/pkg/archive"
+ "github.com/docker/docker/pkg/idtools" + "github.com/docker/docker/pkg/idtools"
+ "github.com/opencontainers/go-digest"
+ "github.com/sirupsen/logrus"
+ +
+ swarmtypes "github.com/docker/docker/api/types/swarm" + swarmtypes "github.com/docker/docker/api/types/swarm"
+ swarmexec "github.com/docker/swarmkit/agent/exec" + swarmexec "github.com/docker/swarmkit/agent/exec"
+ swarmapi "github.com/docker/swarmkit/api" + swarmapi "github.com/docker/swarmkit/api"
+
+ "github.com/opencontainers/go-digest"
+ "github.com/sirupsen/logrus"
+ "golang.org/x/sys/unix"
+) +)
+ +
+func init() { +func init() {
@ -145,15 +146,20 @@ index 000000000000..087c877015a7
+ path := filepath.Join(prefix, dir) + path := filepath.Join(prefix, dir)
+ fi, err := os.Stat(path) + fi, err := os.Stat(path)
+ if err != nil { + if err != nil {
+ // Ignore dangling symlinks. + // Ignore missing files.
+ if os.IsNotExist(err) { + if os.IsNotExist(err) {
+ logrus.Warnf("SUSE:secrets :: dangling symlink: %s", path) + // If the path itself exists it was a dangling symlink so give a
+ // warning about the symlink dangling.
+ _, err2 := os.Lstat(path)
+ if !os.IsNotExist(err2) {
+ logrus.Warnf("SUSE:secrets :: ignoring dangling symlink: %s", path)
+ }
+ return nil, nil + return nil, nil
+ } + }
+ return nil, err + return nil, err
+ } else if !fi.IsDir() { + } else if !fi.IsDir() {
+ // Just to be safe. + // Just to be safe.
+ logrus.Warnf("SUSE:secrets :: expected %q to be a directory, but was a file", path) + logrus.Infof("SUSE:secrets :: expected %q to be a directory, but was a file", path)
+ return readFile(prefix, dir) + return readFile(prefix, dir)
+ } + }
+ path, err = filepath.EvalSymlinks(path) + path, err = filepath.EvalSymlinks(path)
@ -261,21 +267,29 @@ index 000000000000..087c877015a7
+ path := filepath.Join(prefix, file) + path := filepath.Join(prefix, file)
+ fi, err := os.Stat(path) + fi, err := os.Stat(path)
+ if err != nil { + if err != nil {
+ // Ignore dangling symlinks. + // Ignore missing files.
+ if os.IsNotExist(err) { + if os.IsNotExist(err) {
+ logrus.Warnf("SUSE:secrets :: dangling symlink: %s", path) + // If the path itself exists it was a dangling symlink so give a
+ // warning about the symlink dangling.
+ _, err2 := os.Lstat(path)
+ if !os.IsNotExist(err2) {
+ logrus.Warnf("SUSE:secrets :: ignoring dangling symlink: %s", path)
+ }
+ return nil, nil + return nil, nil
+ } + }
+ return nil, err + return nil, err
+ } else if fi.IsDir() { + } else if fi.IsDir() {
+ // Just to be safe. + // Just to be safe.
+ logrus.Warnf("SUSE:secrets :: expected %q to be a file, but was a directory", path) + logrus.Infof("SUSE:secrets :: expected %q to be a file, but was a directory", path)
+ return readDir(prefix, file) + return readDir(prefix, file)
+ } + }
+ +
+ stat, ok := fi.Sys().(*syscall.Stat_t) + var uid, gid int
+ if !ok { + if stat, ok := fi.Sys().(*unix.Stat_t); ok {
+ uid, gid = int(stat.Uid), int(stat.Gid)
+ } else {
+ logrus.Warnf("SUSE:secrets :: failed to cast file stat_t: defaulting to owned by root:root: %s", path) + logrus.Warnf("SUSE:secrets :: failed to cast file stat_t: defaulting to owned by root:root: %s", path)
+ uid, gid = 0, 0
+ } + }
+ +
+ bytes, err := ioutil.ReadFile(path) + bytes, err := ioutil.ReadFile(path)
@ -286,8 +300,8 @@ index 000000000000..087c877015a7
+ var suseFiles []*SuseFakeFile + var suseFiles []*SuseFakeFile
+ suseFiles = append(suseFiles, &SuseFakeFile{ + suseFiles = append(suseFiles, &SuseFakeFile{
+ Path: file, + Path: file,
+ Uid: int(stat.Uid), + Uid: uid,
+ Gid: int(stat.Gid), + Gid: gid,
+ Mode: fi.Mode(), + Mode: fi.Mode(),
+ Data: bytes, + Data: bytes,
+ }) + })
@ -437,5 +451,5 @@ index 000000000000..087c877015a7
+ return nil + return nil
+} +}
-- --
2.22.0 2.30.0
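Review bot: The rewritten ownership lookup in readFile (the `var uid, gid int` block in the suse_secrets.go hunk) asserts `fi.Sys().(*unix.Stat_t)`, but on Linux os.FileInfo.Sys() carries a `*syscall.Stat_t`, and golang.org/x/sys/unix.Stat_t is a distinct named type, so as far as I can tell the assertion can never succeed and every secret takes the else branch: one "failed to cast file stat_t" warning per file and ownership forced to root:root regardless of the host file's owner. Because the mode is still copied from the host, that silently changes which users inside the container can read the injected credentials; a daemon log full of that warning on every container start is the symptom to watch for. The nil-dereference the patch removes (the old code used `stat.Uid` even when `ok` was false) is worth keeping fixed, so keep the new structure but assert the type the standard library actually returns, `if stat, ok := fi.Sys().(*syscall.Stat_t); ok {`, and restore the `"syscall"` import that this revision drops. readDir's body is only partly shown here; if it carries the same cast it needs the same change.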


@ -1,11 +1,11 @@
From 69d43a9550cdedf86b0d4b29e9d737af90221109 Mon Sep 17 00:00:00 2001 From aa173dd56730552524ab35d74acbe61709c732e2 Mon Sep 17 00:00:00 2001
From: Valentin Rothberg <vrothberg@suse.com> From: Valentin Rothberg <vrothberg@suse.com>
Date: Mon, 2 Jul 2018 13:37:34 +0200 Date: Mon, 2 Jul 2018 13:37:34 +0200
Subject: [PATCH] Add private-registry mirror support Subject: [PATCH 3/4] PRIVATE-REGISTRY: add private-registry mirror support
NOTE: This is a backport/downstream patch of the upstream pull-request NOTE: This is a backport/downstream patch of the upstream pull-request
for Moby, which is still subject to changes. Please visit for Moby, which is still subject to changes. Please visit
https://github.com/moby/moby/pull/34319 for the current status. <https://github.com/moby/moby/pull/34319> for the current status.
Add support for mirroring private registries. The daemon.json config Add support for mirroring private registries. The daemon.json config
can now be configured as exemplified below: can now be configured as exemplified below:
@ -65,24 +65,24 @@ Signed-off-by: Flavio Castelli <fcastelli@suse.com>
Signed-off-by: Valentin Rothberg <vrothberg@suse.com> Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
Signed-off-by: Aleksa Sarai <asarai@suse.de> Signed-off-by: Aleksa Sarai <asarai@suse.de>
--- ---
.../engine/api/types/registry/registry.go | 144 ++++++++++++++++++ api/types/registry/registry.go | 144 +++++++++++++++++++++++++++++++++
components/engine/daemon/config/config.go | 4 + daemon/config/config.go | 4 +
components/engine/daemon/reload.go | 33 ++++ daemon/reload.go | 33 ++++++++
components/engine/daemon/reload_test.go | 95 ++++++++++++ daemon/reload_test.go | 95 ++++++++++++++++++++++
components/engine/distribution/pull.go | 2 +- distribution/pull.go | 2 +-
components/engine/distribution/pull_v2.go | 2 +- distribution/pull_v2.go | 2 +-
components/engine/distribution/push.go | 2 +- distribution/push.go | 2 +-
components/engine/registry/config.go | 124 ++++++++++++++- registry/config.go | 126 ++++++++++++++++++++++++++++-
components/engine/registry/config_test.go | 136 +++++++++++++++++ registry/config_test.go | 142 ++++++++++++++++++++++++++++++++
components/engine/registry/registry_test.go | 91 ++++++++++- registry/registry_test.go | 99 ++++++++++++++++++++---
components/engine/registry/service.go | 45 ++++-- registry/service.go | 43 +++++++---
components/engine/registry/service_v2.go | 66 +++++--- registry/service_v2.go | 64 +++++++++++----
12 files changed, 697 insertions(+), 47 deletions(-) 12 files changed, 710 insertions(+), 46 deletions(-)
diff --git a/components/engine/api/types/registry/registry.go b/components/engine/api/types/registry/registry.go diff --git a/api/types/registry/registry.go b/api/types/registry/registry.go
index 8789ad3b3210..c663fec7d881 100644 index 53e47084c8d5..b4bb9ef805d3 100644
--- a/components/engine/api/types/registry/registry.go --- a/api/types/registry/registry.go
+++ b/components/engine/api/types/registry/registry.go +++ b/api/types/registry/registry.go
@@ -2,7 +2,10 @@ package registry // import "github.com/docker/docker/api/types/registry" @@ -2,7 +2,10 @@ package registry // import "github.com/docker/docker/api/types/registry"
import ( import (
@ -92,7 +92,7 @@ index 8789ad3b3210..c663fec7d881 100644
+ "net/url" + "net/url"
+ "strings" + "strings"
"github.com/opencontainers/image-spec/specs-go/v1" v1 "github.com/opencontainers/image-spec/specs-go/v1"
) )
@@ -14,6 +17,147 @@ type ServiceConfig struct { @@ -14,6 +17,147 @@ type ServiceConfig struct {
InsecureRegistryCIDRs []*NetIPNet `json:"InsecureRegistryCIDRs"` InsecureRegistryCIDRs []*NetIPNet `json:"InsecureRegistryCIDRs"`
@ -242,11 +242,11 @@ index 8789ad3b3210..c663fec7d881 100644
} }
// NetIPNet is the net.IPNet type, which can be marshalled and // NetIPNet is the net.IPNet type, which can be marshalled and
diff --git a/components/engine/daemon/config/config.go b/components/engine/daemon/config/config.go diff --git a/daemon/config/config.go b/daemon/config/config.go
index 80ecbbd9550d..8ce69714d9bf 100644 index 4990727597c9..f3a53c692d73 100644
--- a/components/engine/daemon/config/config.go --- a/daemon/config/config.go
+++ b/components/engine/daemon/config/config.go +++ b/daemon/config/config.go
@@ -467,6 +467,10 @@ func findConfigurationConflicts(config map[string]interface{}, flags *pflag.Flag @@ -482,6 +482,10 @@ func findConfigurationConflicts(config map[string]interface{}, flags *pflag.Flag
// 1. Search keys from the file that we don't recognize as flags. // 1. Search keys from the file that we don't recognize as flags.
unknownKeys := make(map[string]interface{}) unknownKeys := make(map[string]interface{})
for key, value := range config { for key, value := range config {
@ -257,11 +257,11 @@ index 80ecbbd9550d..8ce69714d9bf 100644
if flag := flags.Lookup(key); flag == nil && !skipValidateOptions[key] { if flag := flags.Lookup(key); flag == nil && !skipValidateOptions[key] {
unknownKeys[key] = value unknownKeys[key] = value
} }
diff --git a/components/engine/daemon/reload.go b/components/engine/daemon/reload.go diff --git a/daemon/reload.go b/daemon/reload.go
index a31dd0cb87c1..99cc4a65a79d 100644 index 72379c054ef6..1e4afe9b3b03 100644
--- a/components/engine/daemon/reload.go --- a/daemon/reload.go
+++ b/components/engine/daemon/reload.go +++ b/daemon/reload.go
@@ -21,8 +21,14 @@ import ( @@ -22,8 +22,14 @@ import (
// - Daemon labels // - Daemon labels
// - Insecure registries // - Insecure registries
// - Registry mirrors // - Registry mirrors
@ -276,7 +276,7 @@ index a31dd0cb87c1..99cc4a65a79d 100644
daemon.configStore.Lock() daemon.configStore.Lock()
attributes := map[string]string{} attributes := map[string]string{}
@@ -65,6 +71,9 @@ func (daemon *Daemon) Reload(conf *config.Config) (err error) { @@ -69,6 +75,9 @@ func (daemon *Daemon) Reload(conf *config.Config) (err error) {
if err := daemon.reloadLiveRestore(conf, attributes); err != nil { if err := daemon.reloadLiveRestore(conf, attributes); err != nil {
return err return err
} }
@ -286,7 +286,7 @@ index a31dd0cb87c1..99cc4a65a79d 100644
return daemon.reloadNetworkDiagnosticPort(conf, attributes) return daemon.reloadNetworkDiagnosticPort(conf, attributes)
} }
@@ -295,6 +304,30 @@ func (daemon *Daemon) reloadRegistryMirrors(conf *config.Config, attributes map[ @@ -320,6 +329,30 @@ func (daemon *Daemon) reloadRegistryMirrors(conf *config.Config, attributes map[
return nil return nil
} }
@ -317,10 +317,10 @@ index a31dd0cb87c1..99cc4a65a79d 100644
// reloadLiveRestore updates configuration with live restore option // reloadLiveRestore updates configuration with live restore option
// and updates the passed attributes // and updates the passed attributes
func (daemon *Daemon) reloadLiveRestore(conf *config.Config, attributes map[string]string) error { func (daemon *Daemon) reloadLiveRestore(conf *config.Config, attributes map[string]string) error {
diff --git a/components/engine/daemon/reload_test.go b/components/engine/daemon/reload_test.go diff --git a/daemon/reload_test.go b/daemon/reload_test.go
index ffad297f71b7..21733c3f1e33 100644 index 4a8466616dee..46664f4b1eda 100644
--- a/components/engine/daemon/reload_test.go --- a/daemon/reload_test.go
+++ b/components/engine/daemon/reload_test.go +++ b/daemon/reload_test.go
@@ -7,6 +7,7 @@ import ( @@ -7,6 +7,7 @@ import (
"testing" "testing"
"time" "time"
@ -329,7 +329,7 @@ index ffad297f71b7..21733c3f1e33 100644
"github.com/docker/docker/daemon/config" "github.com/docker/docker/daemon/config"
"github.com/docker/docker/daemon/images" "github.com/docker/docker/daemon/images"
"github.com/docker/docker/pkg/discovery" "github.com/docker/docker/pkg/discovery"
@@ -201,6 +202,100 @@ func TestDaemonReloadMirrors(t *testing.T) { @@ -211,6 +212,100 @@ func TestDaemonReloadMirrors(t *testing.T) {
} }
} }
@ -430,11 +430,11 @@ index ffad297f71b7..21733c3f1e33 100644
func TestDaemonReloadInsecureRegistries(t *testing.T) { func TestDaemonReloadInsecureRegistries(t *testing.T) {
daemon := &Daemon{ daemon := &Daemon{
imageService: images.NewImageService(images.ImageServiceConfig{}), imageService: images.NewImageService(images.ImageServiceConfig{}),
diff --git a/components/engine/distribution/pull.go b/components/engine/distribution/pull.go diff --git a/distribution/pull.go b/distribution/pull.go
index be366ce4a99b..49e0d0352778 100644 index c8ddd4c5cfcd..b17e9d25d6c2 100644
--- a/components/engine/distribution/pull.go --- a/distribution/pull.go
+++ b/components/engine/distribution/pull.go +++ b/distribution/pull.go
@@ -58,7 +58,7 @@ func Pull(ctx context.Context, ref reference.Named, imagePullConfig *ImagePullCo @@ -61,7 +61,7 @@ func Pull(ctx context.Context, ref reference.Named, imagePullConfig *ImagePullCo
return err return err
} }
@ -443,11 +443,11 @@ index be366ce4a99b..49e0d0352778 100644
if err != nil { if err != nil {
return err return err
} }
diff --git a/components/engine/distribution/pull_v2.go b/components/engine/distribution/pull_v2.go diff --git a/distribution/pull_v2.go b/distribution/pull_v2.go
index dd91ff2157b1..2640f6134e5d 100644 index 023ee2e71efd..e14cdd16b410 100644
--- a/components/engine/distribution/pull_v2.go --- a/distribution/pull_v2.go
+++ b/components/engine/distribution/pull_v2.go +++ b/distribution/pull_v2.go
@@ -379,7 +379,7 @@ func (p *v2Puller) pullV2Tag(ctx context.Context, ref reference.Named, platform @@ -431,7 +431,7 @@ func (p *v2Puller) pullV2Tag(ctx context.Context, ref reference.Named, platform
// the other side speaks the v2 protocol. // the other side speaks the v2 protocol.
p.confirmedV2 = true p.confirmedV2 = true
@ -456,10 +456,10 @@ index dd91ff2157b1..2640f6134e5d 100644
progress.Message(p.config.ProgressOutput, tagOrDigest, "Pulling from "+reference.FamiliarName(p.repo.Named())) progress.Message(p.config.ProgressOutput, tagOrDigest, "Pulling from "+reference.FamiliarName(p.repo.Named()))
var ( var (
diff --git a/components/engine/distribution/push.go b/components/engine/distribution/push.go diff --git a/distribution/push.go b/distribution/push.go
index 5617a4c95f49..0a24aebed968 100644 index 5617a4c95f49..0a24aebed968 100644
--- a/components/engine/distribution/push.go --- a/distribution/push.go
+++ b/components/engine/distribution/push.go +++ b/distribution/push.go
@@ -58,7 +58,7 @@ func Push(ctx context.Context, ref reference.Named, imagePushConfig *ImagePushCo @@ -58,7 +58,7 @@ func Push(ctx context.Context, ref reference.Named, imagePushConfig *ImagePushCo
return err return err
} }
@ -469,10 +469,10 @@ index 5617a4c95f49..0a24aebed968 100644
if err != nil { if err != nil {
return err return err
} }
diff --git a/components/engine/registry/config.go b/components/engine/registry/config.go diff --git a/registry/config.go b/registry/config.go
index 6bb9258c9b6f..f1945237d235 100644 index 54b83fa40aab..e1ba24b83bdd 100644
--- a/components/engine/registry/config.go --- a/registry/config.go
+++ b/components/engine/registry/config.go +++ b/registry/config.go
@@ -14,11 +14,12 @@ import ( @@ -14,11 +14,12 @@ import (
"github.com/sirupsen/logrus" "github.com/sirupsen/logrus"
) )
@ -490,9 +490,9 @@ index 6bb9258c9b6f..f1945237d235 100644
} }
// serviceConfig holds daemon configuration for the registry service. // serviceConfig holds daemon configuration for the registry service.
@@ -62,8 +63,21 @@ var ( @@ -59,8 +60,21 @@ var (
// for mocking in unit tests lookupIP = net.LookupIP
var lookupIP = net.LookupIP )
+// CompatCheck performs some compatibility checks among the config options and +// CompatCheck performs some compatibility checks among the config options and
+// returns an error in case of conflicts. +// returns an error in case of conflicts.
@ -512,7 +512,7 @@ index 6bb9258c9b6f..f1945237d235 100644
config := &serviceConfig{ config := &serviceConfig{
ServiceConfig: registrytypes.ServiceConfig{ ServiceConfig: registrytypes.ServiceConfig{
InsecureRegistryCIDRs: make([]*registrytypes.NetIPNet, 0), InsecureRegistryCIDRs: make([]*registrytypes.NetIPNet, 0),
@@ -81,10 +95,104 @@ func newServiceConfig(options ServiceOptions) (*serviceConfig, error) { @@ -78,10 +92,106 @@ func newServiceConfig(options ServiceOptions) (*serviceConfig, error) {
if err := config.LoadInsecureRegistries(options.InsecureRegistries); err != nil { if err := config.LoadInsecureRegistries(options.InsecureRegistries); err != nil {
return nil, err return nil, err
} }
@ -546,7 +546,9 @@ index 6bb9258c9b6f..f1945237d235 100644
+ inUse[mirror.URL.Host()] = reg.URL.Host() + inUse[mirror.URL.Host()] = reg.URL.Host()
+ // also warnf if seucurity levels differ + // also warnf if seucurity levels differ
+ if reg.URL.IsSecure() != mirror.URL.IsSecure() { + if reg.URL.IsSecure() != mirror.URL.IsSecure() {
+ logrus.Warnf("registry '%s' and mirror '%s' have different security levels", reg.URL.URL(), mirror.URL.URL()) + regURL := reg.URL.URL()
+ mirrorURL := mirror.URL.URL()
+ logrus.Warnf("registry '%s' and mirror '%s' have different security levels", &regURL, &mirrorURL)
+ } + }
+ } + }
+ if reg.URL.IsSecure() && len(reg.Mirrors) == 0 { + if reg.URL.IsSecure() && len(reg.Mirrors) == 0 {
@ -617,7 +619,7 @@ index 6bb9258c9b6f..f1945237d235 100644
// LoadAllowNondistributableArtifacts loads allow-nondistributable-artifacts registries into config. // LoadAllowNondistributableArtifacts loads allow-nondistributable-artifacts registries into config.
func (config *serviceConfig) LoadAllowNondistributableArtifacts(registries []string) error { func (config *serviceConfig) LoadAllowNondistributableArtifacts(registries []string) error {
cidrs := map[string]*registrytypes.NetIPNet{} cidrs := map[string]*registrytypes.NetIPNet{}
@@ -125,6 +233,10 @@ func (config *serviceConfig) LoadAllowNondistributableArtifacts(registries []str @@ -122,6 +232,10 @@ func (config *serviceConfig) LoadAllowNondistributableArtifacts(registries []str
// LoadMirrors loads mirrors to config, after removing duplicates. // LoadMirrors loads mirrors to config, after removing duplicates.
// Returns an error if mirrors contains an invalid mirror. // Returns an error if mirrors contains an invalid mirror.
func (config *serviceConfig) LoadMirrors(mirrors []string) error { func (config *serviceConfig) LoadMirrors(mirrors []string) error {
@ -628,7 +630,7 @@ index 6bb9258c9b6f..f1945237d235 100644
mMap := map[string]struct{}{} mMap := map[string]struct{}{}
unique := []string{} unique := []string{}
@@ -154,6 +266,10 @@ func (config *serviceConfig) LoadMirrors(mirrors []string) error { @@ -151,6 +265,10 @@ func (config *serviceConfig) LoadMirrors(mirrors []string) error {
// LoadInsecureRegistries loads insecure registries to config // LoadInsecureRegistries loads insecure registries to config
func (config *serviceConfig) LoadInsecureRegistries(registries []string) error { func (config *serviceConfig) LoadInsecureRegistries(registries []string) error {
@ -639,17 +641,17 @@ index 6bb9258c9b6f..f1945237d235 100644
// Localhost is by default considered as an insecure registry // Localhost is by default considered as an insecure registry
// This is a stop-gap for people who are running a private registry on localhost (especially on Boot2docker). // This is a stop-gap for people who are running a private registry on localhost (especially on Boot2docker).
// //
diff --git a/components/engine/registry/config_test.go b/components/engine/registry/config_test.go diff --git a/registry/config_test.go b/registry/config_test.go
index 30a257e32556..78a4fadd733f 100644 index ae8cb23f94b6..7f31b1eb2bf4 100644
--- a/components/engine/registry/config_test.go --- a/registry/config_test.go
+++ b/components/engine/registry/config_test.go +++ b/registry/config_test.go
@@ -6,10 +6,146 @@ import ( @@ -6,10 +6,152 @@ import (
"strings" "strings"
"testing" "testing"
+ registrytypes "github.com/docker/docker/api/types/registry" + registrytypes "github.com/docker/docker/api/types/registry"
"gotest.tools/assert" "gotest.tools/v3/assert"
is "gotest.tools/assert/cmp" is "gotest.tools/v3/assert/cmp"
) )
+func TestLoadValidRegistries(t *testing.T) { +func TestLoadValidRegistries(t *testing.T) {
@ -682,11 +684,14 @@ index 30a257e32556..78a4fadd733f 100644
+ officialMirrors := []string{"https://official.mirror1.com", "https://official.mirror2.com"} + officialMirrors := []string{"https://official.mirror1.com", "https://official.mirror2.com"}
+ +
+ // create serciveConfig + // create serciveConfig
+ config = newServiceConfig( + config, err = newServiceConfig(
+ ServiceOptions{ + ServiceOptions{
+ Mirrors: officialMirrors, + Mirrors: officialMirrors,
+ Registries: []registrytypes.Registry{secReg, insecReg}, + Registries: []registrytypes.Registry{secReg, insecReg},
+ }) + })
+ if err != nil {
+ t.Fatal(err)
+ }
+ +
+ // now test if the config looks as expected + // now test if the config looks as expected
+ getMirrors := func(reg registrytypes.Registry) []string { + getMirrors := func(reg registrytypes.Registry) []string {
@ -760,53 +765,56 @@ index 30a257e32556..78a4fadd733f 100644
+ } + }
+ +
+ // create serciveConfig + // create serciveConfig
+ config = newServiceConfig( + config, err = newServiceConfig(
+ ServiceOptions{ + ServiceOptions{
+ Registries: []registrytypes.Registry{regA, regB}, + Registries: []registrytypes.Registry{regA, regB},
+ }) + })
+ if err != nil {
+ t.Fatal(err)
+ }
+ +
+ // no match -> nil + // no match -> nil
+ reg := config.FindRegistry("foo") + reg := config.FindRegistry("foo")
+ assert.Nil(t, reg) + assert.Assert(t, is.Nil(reg))
+ +
+ // prefix match -> registry + // prefix match -> registry
+ reg = config.FindRegistry("registry-a.com/my-prefix/image:latest") + reg = config.FindRegistry("registry-a.com/my-prefix/image:latest")
+ assert.NotNil(t, reg) + assert.Assert(t, reg != nil)
+ assert.Equal(t, "registry-a.com", reg.URL.Host()) + assert.Equal(t, "registry-a.com", reg.URL.Host())
+ // no prefix match -> nil + // no prefix match -> nil
+ reg = config.FindRegistry("registry-a.com/not-my-prefix/image:42") + reg = config.FindRegistry("registry-a.com/not-my-prefix/image:42")
+ assert.Nil(t, reg) + assert.Assert(t, is.Nil(reg))
+ +
+ // prefix match -> registry + // prefix match -> registry
+ reg = config.FindRegistry("registry-b.com/image:latest") + reg = config.FindRegistry("registry-b.com/image:latest")
+ assert.NotNil(t, reg) + assert.Assert(t, reg != nil)
+ assert.Equal(t, "registry-b.com", reg.URL.Host()) + assert.Equal(t, "registry-b.com", reg.URL.Host())
+ // prefix match -> registry + // prefix match -> registry
+ reg = config.FindRegistry("registry-b.com/also-in-namespaces/image:latest") + reg = config.FindRegistry("registry-b.com/also-in-namespaces/image:latest")
+ assert.NotNil(t, reg) + assert.Assert(t, reg != nil)
+ assert.Equal(t, "registry-b.com", reg.URL.Host()) + assert.Equal(t, "registry-b.com", reg.URL.Host())
+} +}
+ +
func TestLoadAllowNondistributableArtifacts(t *testing.T) { func TestLoadAllowNondistributableArtifacts(t *testing.T) {
testCases := []struct { testCases := []struct {
registries []string registries []string
diff --git a/components/engine/registry/registry_test.go b/components/engine/registry/registry_test.go diff --git a/registry/registry_test.go b/registry/registry_test.go
index b7459471b3f6..1e0d53e7dc21 100644 index 417c9574bc5d..b3a978474ec1 100644
--- a/components/engine/registry/registry_test.go --- a/registry/registry_test.go
+++ b/components/engine/registry/registry_test.go +++ b/registry/registry_test.go
@@ -665,7 +665,32 @@ func TestNewIndexInfo(t *testing.T) { @@ -507,40 +507,119 @@ func TestNewIndexInfo(t *testing.T) {
} }
func TestMirrorEndpointLookup(t *testing.T) { func TestMirrorEndpointLookup(t *testing.T) {
- skip.If(t, os.Getuid() != 0, "skipping test that requires root")
- containsMirror := func(endpoints []APIEndpoint) bool {
+ var ( + var (
+ registries []registrytypes.Registry
+ secReg registrytypes.Registry + secReg registrytypes.Registry
+ config *serviceConfig
+ pushAPIEndpoints []APIEndpoint + pushAPIEndpoints []APIEndpoint
+ pullAPIEndpoints []APIEndpoint + pullAPIEndpoints []APIEndpoint
+ err error + err error
+ ) + )
+
skip.If(t, os.Getuid() != 0, "skipping test that requires root")
+ +
+ // secure with mirrors + // secure with mirrors
+ secReg, err = registrytypes.NewRegistry("https://secure.registry.com/test-prefix/") + secReg, err = registrytypes.NewRegistry("https://secure.registry.com/test-prefix/")
@ -820,19 +828,25 @@ index b7459471b3f6..1e0d53e7dc21 100644
+ if err := secReg.AddMirror(secMirrors[1]); err != nil { + if err := secReg.AddMirror(secMirrors[1]); err != nil {
+ t.Fatal(err) + t.Fatal(err)
+ } + }
+ registries = append(registries, secReg)
+ +
+ // docker.io mirrors to test backwards compatibility + // docker.io mirrors to test backwards compatibility
+ officialMirrors := []string{"https://official.mirror1.com/", "https://official.mirror2.com/"} + officialMirrors := []string{"https://official.mirror1.com/", "https://official.mirror2.com/"}
+ +
containsMirror := func(endpoints []APIEndpoint) bool { + containsMirror := func(needle string, endpoints []APIEndpoint) bool {
for _, pe := range endpoints { for _, pe := range endpoints {
if pe.URL.Host == "my.mirror" { - if pe.URL.Host == "my.mirror" {
@@ -674,31 +699,83 @@ func TestMirrorEndpointLookup(t *testing.T) { + if pe.URL.String() == needle {
return true
}
} }
return false return false
} }
- cfg, err := makeServiceConfig([]string{"https://my.mirror"}, nil) - cfg, err := makeServiceConfig([]string{"https://my.mirror"}, nil)
+ cfg, err := makeServiceConfig(officialMirrors, nil) + cfg, err := newServiceConfig(ServiceOptions{
+ Mirrors: officialMirrors,
+ Registries: registries,
+ })
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
@ -848,20 +862,19 @@ index b7459471b3f6..1e0d53e7dc21 100644
+ } + }
+ if containsMirror(officialMirrors[0], pushAPIEndpoints) { + if containsMirror(officialMirrors[0], pushAPIEndpoints) {
+ t.Fatal("Push endpoint should not contain mirror") + t.Fatal("Push endpoint should not contain mirror")
} + }
- pushAPIEndpoints, err := s.LookupPushEndpoints(reference.Domain(imageName))
+ if containsMirror(officialMirrors[1], pushAPIEndpoints) { + if containsMirror(officialMirrors[1], pushAPIEndpoints) {
+ t.Fatal("Push endpoint should not contain mirror") + t.Fatal("Push endpoint should not contain mirror")
+ } + }
+ +
+ pullAPIEndpoints, err = s.LookupPullEndpoints(officialRef) + pullAPIEndpoints, err = s.LookupPullEndpoints(officialRef)
if err != nil { + if err != nil {
t.Fatal(err) + t.Fatal(err)
} + }
- if containsMirror(pushAPIEndpoints) {
+ if !containsMirror(officialMirrors[0], pullAPIEndpoints) { + if !containsMirror(officialMirrors[0], pullAPIEndpoints) {
+ t.Fatal("Pull endpoint should contain mirror") + t.Fatal("Pull endpoint should contain mirror")
+ } }
- pushAPIEndpoints, err := s.LookupPushEndpoints(reference.Domain(imageName))
+ if !containsMirror(officialMirrors[1], pullAPIEndpoints) { + if !containsMirror(officialMirrors[1], pullAPIEndpoints) {
+ t.Fatal("Pull endpoint should contain mirror") + t.Fatal("Pull endpoint should contain mirror")
+ } + }
@ -869,9 +882,10 @@ index b7459471b3f6..1e0d53e7dc21 100644
+ // prefix lookups + // prefix lookups
+ prefixRef := "secure.registry.com/test-prefix/foo:latest" + prefixRef := "secure.registry.com/test-prefix/foo:latest"
+ pushAPIEndpoints, err = s.LookupPushEndpoints(prefixRef) + pushAPIEndpoints, err = s.LookupPushEndpoints(prefixRef)
+ if err != nil { if err != nil {
+ t.Fatal(err) t.Fatal(err)
+ } }
- if containsMirror(pushAPIEndpoints) {
+ if containsMirror(secMirrors[0], pushAPIEndpoints) { + if containsMirror(secMirrors[0], pushAPIEndpoints) {
+ t.Fatal("Push endpoint should not contain mirror") + t.Fatal("Push endpoint should not contain mirror")
+ } + }
@ -917,11 +931,11 @@ index b7459471b3f6..1e0d53e7dc21 100644
+ } + }
} }
func TestPushRegistryTag(t *testing.T) { func TestSearchRepositories(t *testing.T) {
diff --git a/components/engine/registry/service.go b/components/engine/registry/service.go diff --git a/registry/service.go b/registry/service.go
index 08f5c7a4e12c..ee0c97a8a21b 100644 index 3b08e39da2c2..62556ba1ba70 100644
--- a/components/engine/registry/service.go --- a/registry/service.go
+++ b/components/engine/registry/service.go +++ b/registry/service.go
@@ -8,7 +8,7 @@ import ( @@ -8,7 +8,7 @@ import (
"strings" "strings"
"sync" "sync"
@ -984,7 +998,7 @@ index 08f5c7a4e12c..ee0c97a8a21b 100644
// Auth contacts the public registry with the provided credentials, // Auth contacts the public registry with the provided credentials,
// and returns OK if authentication was successful. // and returns OK if authentication was successful.
// It can be used to verify the validity of a client's credentials. // It can be used to verify the validity of a client's credentials.
@@ -241,7 +255,7 @@ func (s *DefaultService) Search(ctx context.Context, term string, limit int, aut @@ -230,7 +244,7 @@ func (s *DefaultService) Search(ctx context.Context, term string, limit int, aut
// ResolveRepository splits a repository name into its components // ResolveRepository splits a repository name into its components
// and configuration of the associated registry. // and configuration of the associated registry.
@ -993,13 +1007,12 @@ index 08f5c7a4e12c..ee0c97a8a21b 100644
s.mu.Lock() s.mu.Lock()
defer s.mu.Unlock() defer s.mu.Unlock()
return newRepositoryInfo(s.config, name) return newRepositoryInfo(s.config, name)
@@ -280,24 +294,25 @@ func (s *DefaultService) tlsConfigForMirror(mirrorURL *url.URL) (*tls.Config, er @@ -270,22 +284,25 @@ func (s *DefaultService) tlsConfigForMirror(mirrorURL *url.URL) (*tls.Config, er
return s.tlsConfig(mirrorURL.Host) return s.tlsConfig(mirrorURL.Host)
} }
-// LookupPullEndpoints creates a list of endpoints to try to pull from, in order of preference. -// LookupPullEndpoints creates a list of v2 endpoints to try to pull from, in order of preference.
-// It gives preference to v2 endpoints over v1, mirrors over the actual -// It gives preference to mirrors over the actual registry, and HTTPS over plain HTTP.
-// registry, and HTTPS over plain HTTP.
-func (s *DefaultService) LookupPullEndpoints(hostname string) (endpoints []APIEndpoint, err error) { -func (s *DefaultService) LookupPullEndpoints(hostname string) (endpoints []APIEndpoint, err error) {
+// LookupPullEndpoints creates a list of endpoints based on the provided +// LookupPullEndpoints creates a list of endpoints based on the provided
+// reference to try to pull from, in order of preference. It gives preference +// reference to try to pull from, in order of preference. It gives preference
@ -1009,13 +1022,12 @@ index 08f5c7a4e12c..ee0c97a8a21b 100644
s.mu.Lock() s.mu.Lock()
defer s.mu.Unlock() defer s.mu.Unlock()
- return s.lookupEndpoints(hostname) - return s.lookupV2Endpoints(hostname)
+ return s.lookupEndpoints(reference) + return s.lookupV2Endpoints(reference)
} }
-// LookupPushEndpoints creates a list of endpoints to try to push to, in order of preference. -// LookupPushEndpoints creates a list of v2 endpoints to try to push to, in order of preference.
-// It gives preference to v2 endpoints over v1, and HTTPS over plain HTTP. -// It gives preference to HTTPS over plain HTTP. Mirrors are not included.
-// Mirrors are not included.
-func (s *DefaultService) LookupPushEndpoints(hostname string) (endpoints []APIEndpoint, err error) { -func (s *DefaultService) LookupPushEndpoints(hostname string) (endpoints []APIEndpoint, err error) {
+// LookupPushEndpoints creates a list of endpoints based on the provided +// LookupPushEndpoints creates a list of endpoints based on the provided
+// reference to try to push to, in order of preference. It gives preference to +// reference to try to push to, in order of preference. It gives preference to
@ -1024,16 +1036,16 @@ index 08f5c7a4e12c..ee0c97a8a21b 100644
s.mu.Lock() s.mu.Lock()
defer s.mu.Unlock() defer s.mu.Unlock()
- allEndpoints, err := s.lookupEndpoints(hostname) - allEndpoints, err := s.lookupV2Endpoints(hostname)
+ allEndpoints, err := s.lookupEndpoints(reference) + allEndpoints, err := s.lookupV2Endpoints(reference)
if err == nil { if err == nil {
for _, endpoint := range allEndpoints { for _, endpoint := range allEndpoints {
if !endpoint.Mirror { if !endpoint.Mirror {
diff --git a/components/engine/registry/service_v2.go b/components/engine/registry/service_v2.go diff --git a/registry/service_v2.go b/registry/service_v2.go
index 1a4c9e310547..efebb4f41486 100644 index 3e3a5b41ffbd..451a6f874bc1 100644
--- a/components/engine/registry/service_v2.go --- a/registry/service_v2.go
+++ b/components/engine/registry/service_v2.go +++ b/registry/service_v2.go
@@ -1,30 +1,51 @@ @@ -1,39 +1,71 @@
package registry // import "github.com/docker/docker/registry" package registry // import "github.com/docker/docker/registry"
import ( import (
@ -1049,7 +1061,6 @@ index 1a4c9e310547..efebb4f41486 100644
+func (s *DefaultService) lookupV2Endpoints(reference string) (endpoints []APIEndpoint, err error) { +func (s *DefaultService) lookupV2Endpoints(reference string) (endpoints []APIEndpoint, err error) {
tlsConfig := tlsconfig.ServerDefault() tlsConfig := tlsconfig.ServerDefault()
- if hostname == DefaultNamespace || hostname == IndexHostname { - if hostname == DefaultNamespace || hostname == IndexHostname {
- // v2 mirrors
- for _, mirror := range s.config.Mirrors { - for _, mirror := range s.config.Mirrors {
- if !strings.HasPrefix(mirror, "http://") && !strings.HasPrefix(mirror, "https://") { - if !strings.HasPrefix(mirror, "http://") && !strings.HasPrefix(mirror, "https://") {
- mirror = "https://" + mirror - mirror = "https://" + mirror
@ -1094,16 +1105,14 @@ index 1a4c9e310547..efebb4f41486 100644
+ return nil, fmt.Errorf("SUSE PATCH [lookupV2Endpoints]: %s", err) + return nil, fmt.Errorf("SUSE PATCH [lookupV2Endpoints]: %s", err)
} }
endpoints = append(endpoints, APIEndpoint{ endpoints = append(endpoints, APIEndpoint{
- URL: mirrorURL, - URL: mirrorURL,
+ URL: &mURL, + URL: &mURL,
// guess mirrors are v2
Version: APIVersion2, Version: APIVersion2,
Mirror: true, Mirror: true,
@@ -32,11 +53,20 @@ func (s *DefaultService) lookupV2Endpoints(hostname string) (endpoints []APIEndp TrimHostname: true,
TLSConfig: mirrorTLSConfig, TLSConfig: mirrorTLSConfig,
}) })
} }
- // v2 registry
+ // add the registry + // add the registry
+ var endpointURL *url.URL + var endpointURL *url.URL
+ if official { + if official {
@ -1123,7 +1132,7 @@ index 1a4c9e310547..efebb4f41486 100644
TrimHostname: true, TrimHostname: true,
TLSConfig: tlsConfig, TLSConfig: tlsConfig,
}) })
@@ -48,7 +78,7 @@ func (s *DefaultService) lookupV2Endpoints(hostname string) (endpoints []APIEndp @@ -45,7 +77,7 @@ func (s *DefaultService) lookupV2Endpoints(hostname string) (endpoints []APIEndp
tlsConfig, err = s.tlsConfig(hostname) tlsConfig, err = s.tlsConfig(hostname)
if err != nil { if err != nil {
@ -1133,5 +1142,5 @@ index 1a4c9e310547..efebb4f41486 100644
endpoints = []APIEndpoint{ endpoints = []APIEndpoint{
-- --
2.22.0 2.30.0


@ -1,7 +1,8 @@
From a67925f5d977db2b5a1b0162149cbd0de2b20598 Mon Sep 17 00:00:00 2001 From eb4e0b351b4bb229bfd5fd3ed57d3c35040265e0 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de> From: Aleksa Sarai <asarai@suse.de>
Date: Fri, 29 Jun 2018 17:59:30 +1000 Date: Fri, 29 Jun 2018 17:59:30 +1000
Subject: [PATCH] apparmor: clobber docker-default profile on start Subject: [PATCH 4/4] bsc1073877: apparmor: clobber docker-default profile on
start
In the process of making docker-default reloading far less expensive, In the process of making docker-default reloading far less expensive,
567ef8e7858c ("daemon: switch to 'ensure' workflow for AppArmor 567ef8e7858c ("daemon: switch to 'ensure' workflow for AppArmor
@ -15,23 +16,23 @@ Fixes: 567ef8e7858c ("daemon: switch to 'ensure' workflow for AppArmor profiles"
SUSE-Bugs: bsc#1099277 SUSE-Bugs: bsc#1099277
Signed-off-by: Aleksa Sarai <asarai@suse.de> Signed-off-by: Aleksa Sarai <asarai@suse.de>
--- ---
components/engine/daemon/apparmor_default.go | 14 ++++++++++---- daemon/apparmor_default.go | 14 ++++++++++----
.../engine/daemon/apparmor_default_unsupported.go | 4 ++++ daemon/apparmor_default_unsupported.go | 4 ++++
components/engine/daemon/daemon.go | 5 +++-- daemon/daemon.go | 5 +++--
3 files changed, 17 insertions(+), 6 deletions(-) 3 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/components/engine/daemon/apparmor_default.go b/components/engine/daemon/apparmor_default.go diff --git a/daemon/apparmor_default.go b/daemon/apparmor_default.go
index 461f5c7f96b2..8f21c5c0c566 100644 index a7cc3a5ef412..1a952953da8f 100644
--- a/components/engine/daemon/apparmor_default.go --- a/daemon/apparmor_default.go
+++ b/components/engine/daemon/apparmor_default.go +++ b/daemon/apparmor_default.go
@@ -14,6 +14,15 @@ const ( @@ -23,6 +23,15 @@ func DefaultApparmorProfile() string {
defaultApparmorProfile = "docker-default" return ""
) }
+func clobberDefaultAppArmorProfile() error { +func clobberDefaultAppArmorProfile() error {
+ if apparmor.IsEnabled() { + if apparmor.IsEnabled() {
+ if err := aaprofile.InstallDefault(defaultApparmorProfile); err != nil { + if err := aaprofile.InstallDefault(defaultAppArmorProfile); err != nil {
+ return fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded: %s", defaultApparmorProfile, err) + return fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded: %s", defaultAppArmorProfile, err)
+ } + }
+ } + }
+ return nil + return nil
@ -39,23 +40,23 @@ index 461f5c7f96b2..8f21c5c0c566 100644
+ +
func ensureDefaultAppArmorProfile() error { func ensureDefaultAppArmorProfile() error {
if apparmor.IsEnabled() { if apparmor.IsEnabled() {
loaded, err := aaprofile.IsLoaded(defaultApparmorProfile) loaded, err := aaprofile.IsLoaded(defaultAppArmorProfile)
@@ -27,10 +36,7 @@ func ensureDefaultAppArmorProfile() error { @@ -36,10 +45,7 @@ func ensureDefaultAppArmorProfile() error {
} }
// Load the profile. // Load the profile.
- if err := aaprofile.InstallDefault(defaultApparmorProfile); err != nil { - if err := aaprofile.InstallDefault(defaultAppArmorProfile); err != nil {
- return fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded: %s", defaultApparmorProfile, err) - return fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded: %s", defaultAppArmorProfile, err)
- } - }
+ return clobberDefaultAppArmorProfile() + return clobberDefaultAppArmorProfile()
} }
- -
return nil return nil
} }
diff --git a/components/engine/daemon/apparmor_default_unsupported.go b/components/engine/daemon/apparmor_default_unsupported.go diff --git a/daemon/apparmor_default_unsupported.go b/daemon/apparmor_default_unsupported.go
index 51f9c526b350..97d7758442ee 100644 index dd581dc7dadb..5b14979cd4a3 100644
--- a/components/engine/daemon/apparmor_default_unsupported.go --- a/daemon/apparmor_default_unsupported.go
+++ b/components/engine/daemon/apparmor_default_unsupported.go +++ b/daemon/apparmor_default_unsupported.go
@@ -2,6 +2,10 @@ @@ -2,6 +2,10 @@
package daemon // import "github.com/docker/docker/daemon" package daemon // import "github.com/docker/docker/daemon"
@ -67,11 +68,11 @@ index 51f9c526b350..97d7758442ee 100644
func ensureDefaultAppArmorProfile() error { func ensureDefaultAppArmorProfile() error {
return nil return nil
} }
diff --git a/components/engine/daemon/daemon.go b/components/engine/daemon/daemon.go diff --git a/daemon/daemon.go b/daemon/daemon.go
index f049b0d2a41f..7bd89e76b32f 100644 index 794ff9712d08..f9e727b348c5 100644
--- a/components/engine/daemon/daemon.go --- a/daemon/daemon.go
+++ b/components/engine/daemon/daemon.go +++ b/daemon/daemon.go
@@ -807,8 +807,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S @@ -855,8 +855,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
logrus.Warnf("Failed to configure golang's threads limit: %v", err) logrus.Warnf("Failed to configure golang's threads limit: %v", err)
} }
@ -84,5 +85,5 @@ index f049b0d2a41f..7bd89e76b32f 100644
} }
-- --
2.22.0 2.30.0


@ -1,12 +1,28 @@
<services> <services>
<service name="tar_scm" mode="disabled"> <service name="tar_scm" mode="disabled">
<param name="url">https://github.com/docker/docker-ce.git</param> <param name="url">https://github.com/moby/moby.git</param>
<param name="scm">git</param> <param name="scm">git</param>
<param name="exclude">.git</param> <param name="exclude">.git</param>
<param name="versionformat">19.03.14_ce_%h</param> <param name="versionformat">20.10.3_ce_%h</param>
<param name="revision">v19.03.14</param> <param name="revision">v20.10.3</param>
<param name="filename">docker</param> <param name="filename">docker</param>
</service> </service>
<service name="tar_scm" mode="disabled">
<param name="url">https://github.com/docker/cli.git</param>
<param name="scm">git</param>
<param name="exclude">.git</param>
<param name="versionformat">20.10.3_ce</param>
<param name="revision">v20.10.3</param>
<param name="filename">docker-cli</param>
</service>
<service name="tar_scm" mode="disabled">
<param name="url">https://github.com/docker/libnetwork.git</param>
<param name="scm">git</param>
<param name="exclude">.git</param>
<param name="versionformat">%H</param>
<param name="revision">fa125a3512ee0f6187721c88582bf8c4378bd4d7</param>
<param name="filename">docker-libnetwork</param>
</service>
<service name="recompress" mode="disabled"> <service name="recompress" mode="disabled">
<param name="file">docker-*.tar</param> <param name="file">docker-*.tar</param>
<param name="compression">xz</param> <param name="compression">xz</param>
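Review bot: The new docker-cli service fetches by the mutable tag `v20.10.3` and its `versionformat` is `20.10.3_ce` without `%h`, so unlike the docker (moby/moby) entry, whose format is `20.10.3_ce_%h`, and the libnetwork entry, which pins `revision` to a full commit hash, the CLI tarball carries no commit identity that a later build step could check. A tag can be moved or re-created upstream, so only a fixed commit makes the fetched source reproducible and verifiable. Consider `<param name="versionformat">20.10.3_ce_%h</param>` for docker-cli, or pinning its `revision` to the tag's commit as the libnetwork entry does. The spec's `git_version` define appears to cover only the moby checkout; whether an equivalent check exists for the CLI is not visible here.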


@ -1,230 +0,0 @@
From ea920fbc29225a71c9e07ffeeba00bc71423d839 Mon Sep 17 00:00:00 2001
From: Arko Dasgupta <arko.dasgupta@docker.com>
Date: Mon, 4 May 2020 13:51:42 -0700
Subject: [PATCH] Add docker interfaces to firewalld docker zone
If firewalld is running, create a new docker zone and
add the docker interfaces to the docker zone to allow
container networking for distros with firewalld enabled
Fixes: https://github.com/moby/libnetwork/issues/2496
Signed-off-by: Arko Dasgupta <arko.dasgupta@docker.com>
(cherry picked from commit 7a7209221542dc99b316748c97608dfc276c40f6)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
---
.../docker/libnetwork/iptables/firewalld.go | 136 ++++++++++++++++--
.../docker/libnetwork/iptables/iptables.go | 13 ++
2 files changed, 139 insertions(+), 10 deletions(-)
diff --git a/components/engine/vendor/github.com/docker/libnetwork/iptables/firewalld.go b/components/engine/vendor/github.com/docker/libnetwork/iptables/firewalld.go
index 8f13c86448..33eb749ab0 100644
--- a/components/engine/vendor/github.com/docker/libnetwork/iptables/firewalld.go
+++ b/components/engine/vendor/github.com/docker/libnetwork/iptables/firewalld.go
@@ -19,20 +19,46 @@ const (
// Ebtables point to bridge table
Ebtables IPV = "eb"
)
+
const (
- dbusInterface = "org.fedoraproject.FirewallD1"
- dbusPath = "/org/fedoraproject/FirewallD1"
+ dbusInterface = "org.fedoraproject.FirewallD1"
+ dbusPath = "/org/fedoraproject/FirewallD1"
+ dbusConfigPath = "/org/fedoraproject/FirewallD1/config"
+ dockerZone = "docker"
)
// Conn is a connection to firewalld dbus endpoint.
type Conn struct {
- sysconn *dbus.Conn
- sysobj dbus.BusObject
- signal chan *dbus.Signal
+ sysconn *dbus.Conn
+ sysObj dbus.BusObject
+ sysConfObj dbus.BusObject
+ signal chan *dbus.Signal
+}
+
+// ZoneSettings holds the firewalld zone settings, documented in
+// https://firewalld.org/documentation/man-pages/firewalld.dbus.html
+type ZoneSettings struct {
+ version string
+ name string
+ description string
+ unused bool
+ target string
+ services []string
+ ports [][]interface{}
+ icmpBlocks []string
+ masquerade bool
+ forwardPorts [][]interface{}
+ interfaces []string
+ sourceAddresses []string
+ richRules []string
+ protocols []string
+ sourcePorts [][]interface{}
+ icmpBlockInversion bool
}
var (
- connection *Conn
+ connection *Conn
+
firewalldRunning bool // is Firewalld service running
onReloaded []*func() // callbacks when Firewalld has been reloaded
)
@@ -51,6 +77,9 @@ func FirewalldInit() error {
}
if connection != nil {
go signalHandler()
+ if err := setupDockerZone(); err != nil {
+ return err
+ }
}
return nil
@@ -76,8 +105,8 @@ func (c *Conn) initConnection() error {
}
// This never fails, even if the service is not running atm.
- c.sysobj = c.sysconn.Object(dbusInterface, dbus.ObjectPath(dbusPath))
-
+ c.sysObj = c.sysconn.Object(dbusInterface, dbus.ObjectPath(dbusPath))
+ c.sysConfObj = c.sysconn.Object(dbusInterface, dbus.ObjectPath(dbusConfigPath))
rule := fmt.Sprintf("type='signal',path='%s',interface='%s',sender='%s',member='Reloaded'",
dbusPath, dbusInterface, dbusInterface)
c.sysconn.BusObject().Call("org.freedesktop.DBus.AddMatch", 0, rule)
@@ -150,7 +179,7 @@ func checkRunning() bool {
var err error
if connection != nil {
- err = connection.sysobj.Call(dbusInterface+".getDefaultZone", 0).Store(&zone)
+ err = connection.sysObj.Call(dbusInterface+".getDefaultZone", 0).Store(&zone)
return err == nil
}
return false
@@ -160,8 +189,95 @@ func checkRunning() bool {
func Passthrough(ipv IPV, args ...string) ([]byte, error) {
var output string
logrus.Debugf("Firewalld passthrough: %s, %s", ipv, args)
- if err := connection.sysobj.Call(dbusInterface+".direct.passthrough", 0, ipv, args).Store(&output); err != nil {
+ if err := connection.sysObj.Call(dbusInterface+".direct.passthrough", 0, ipv, args).Store(&output); err != nil {
return nil, err
}
return []byte(output), nil
}
+
+// getDockerZoneSettings converts the ZoneSettings struct into a interface slice
+func getDockerZoneSettings() map[string]string {
+ return map[string]string{
+ "version": "1.0",
+ "name": dockerZone,
+ "description": "zone for docker bridge network interfaces",
+ "target": "ACCEPT",
+ }
+}
+
+// setupDockerZone creates a zone called docker in firewalld which includes docker interfaces to allow
+// container networking
+func setupDockerZone() error {
+ var zones []string
+ // Check if zone exists
+ if err := connection.sysObj.Call(dbusInterface+".zone.getZones", 0).Store(&zones); err != nil {
+ return err
+ }
+ if contains(zones, dockerZone) {
+ logrus.Infof("Firewalld: %s zone already exists, returning", dockerZone)
+ return nil
+ }
+ logrus.Debugf("Firewalld: creating %s zone", dockerZone)
+
+ settings := getDockerZoneSettings()
+ // Permanent
+ if err := connection.sysConfObj.Call(dbusInterface+".config.addZone", 0, dockerZone, settings).Err; err != nil {
+ return err
+ }
+ // Reload for change to take effect
+ if err := connection.sysObj.Call(dbusInterface+".reload", 0).Err; err != nil {
+ return err
+ }
+
+ return nil
+}
+
+// AddInterfaceFirewalld adds the interface to the trusted zone
+func AddInterfaceFirewalld(intf string) error {
+ var intfs []string
+ // Check if interface is already added to the zone
+ if err := connection.sysObj.Call(dbusInterface+".zone.getInterfaces", 0, dockerZone).Store(&intfs); err != nil {
+ return err
+ }
+ // Return if interface is already part of the zone
+ if contains(intfs, intf) {
+ logrus.Infof("Firewalld: interface %s already part of %s zone, returning", intf, dockerZone)
+ return nil
+ }
+
+ logrus.Debugf("Firewalld: adding %s interface to %s zone", intf, dockerZone)
+ // Runtime
+ if err := connection.sysObj.Call(dbusInterface+".zone.addInterface", 0, dockerZone, intf).Err; err != nil {
+ return err
+ }
+ return nil
+}
+
+// DelInterfaceFirewalld removes the interface from the trusted zone
+func DelInterfaceFirewalld(intf string) error {
+ var intfs []string
+ // Check if interface is part of the zone
+ if err := connection.sysObj.Call(dbusInterface+".zone.getInterfaces", 0, dockerZone).Store(&intfs); err != nil {
+ return err
+ }
+ // Remove interface if it exists
+ if !contains(intfs, intf) {
+ return fmt.Errorf("Firewalld: unable to find interface %s in %s zone", intf, dockerZone)
+ }
+
+ logrus.Debugf("Firewalld: removing %s interface from %s zone", intf, dockerZone)
+ // Runtime
+ if err := connection.sysObj.Call(dbusInterface+".zone.removeInterface", 0, dockerZone, intf).Err; err != nil {
+ return err
+ }
+ return nil
+}
+
+func contains(list []string, val string) bool {
+ for _, v := range list {
+ if v == val {
+ return true
+ }
+ }
+ return false
+}
diff --git a/components/engine/vendor/github.com/docker/libnetwork/iptables/iptables.go b/components/engine/vendor/github.com/docker/libnetwork/iptables/iptables.go
index 5523c4858c..bd262eb86c 100644
--- a/components/engine/vendor/github.com/docker/libnetwork/iptables/iptables.go
+++ b/components/engine/vendor/github.com/docker/libnetwork/iptables/iptables.go
@@ -146,6 +146,19 @@ func ProgramChain(c *ChainInfo, bridgeName string, hairpinMode, enable bool) err
return errors.New("Could not program chain, missing chain name")
}
+ // Either add or remove the interface from the firewalld zone
+ if firewalldRunning {
+ if enable {
+ if err := AddInterfaceFirewalld(bridgeName); err != nil {
+ return err
+ }
+ } else {
+ if err := DelInterfaceFirewalld(bridgeName); err != nil {
+ return err
+ }
+ }
+ }
+
switch c.Table {
case Nat:
preroute := []string{
--
2.29.2


@ -1,40 +0,0 @@
From cb676052272ed4f6f3b901dbc21510fabf742860 Mon Sep 17 00:00:00 2001
From: Goldwyn Rodrigues <rgoldwyn@suse.com>
Date: Mon, 22 Apr 2019 09:08:28 -0500
Subject: [PATCH] apparmor: allow readby and tracedby
Fixes audit errors such as:
type=AVC msg=audit(1550236803.810:143):
apparmor="DENIED" operation="ptrace" profile="docker-default"
pid=3181 comm="ps" requested_mask="readby" denied_mask="readby"
peer="docker-default"
audit(1550236375.918:3): apparmor="DENIED" operation="ptrace"
profile="docker-default" pid=2267 comm="ps"
requested_mask="tracedby" denied_mask="tracedby"
peer="docker-default"
SUSE-Bugs: bsc#1122469
Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
---
components/engine/profiles/apparmor/template.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/components/engine/profiles/apparmor/template.go b/components/engine/profiles/apparmor/template.go
index 400b3bd50a11..d8db0ee2fb36 100644
--- a/components/engine/profiles/apparmor/template.go
+++ b/components/engine/profiles/apparmor/template.go
@@ -44,7 +44,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
{{if ge .Version 208095}}
# suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
- ptrace (trace,read) peer={{.Name}},
+ ptrace (trace,read,tracedby,readby) peer={{.Name}},
{{end}}
}
`
--
2.24.0


@ -0,0 +1,59 @@
From 6e2607c6a68ecf1a7378133f22cb7192e2eb9d5b Mon Sep 17 00:00:00 2001
From: Arnaud Rebillout <elboulangero@gmail.com>
Date: Wed, 16 Dec 2020 10:19:43 +0700
Subject: [PATCH] Rename bin/md2man to bin/go-md2man
In the recent PR !2877, some code was added to check if md2man is
already installed in the build environment. This is to cater to the
needs of Linux distributions.
However it turns out that Linux distributions install md2man as
bin/go-md2man instead of bin/md2man, hence the PR !2877 doesn't help
much.
This commit fixes it by settling on using the binary name go-md2man.
For reference, here the file list of the package go-md2man in several
distributions:
- Debian: <https://packages.debian.org/sid/amd64/go-md2man/filelist>
- Ubuntu: <https://packages.ubuntu.com/hirsute/amd64/go-md2man/filelist>
- Fedora: <https://fedora.pkgs.org/31/fedora-x86_64/golang-github-cpuguy83-md2man-2.0.0-0.4.20190624gitf79a8a8.fc31.x86_64.rpm.html>
- ArchLinux: <https://www.archlinux.org/packages/community/x86_64/go-md2man/>
Signed-off-by: Arnaud Rebillout <elboulangero@gmail.com>
---
man/md2man-all.sh | 2 +-
scripts/docs/generate-man.sh | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/man/md2man-all.sh b/man/md2man-all.sh
index eb0bc6366a27..46c7b8f08eae 100755
--- a/man/md2man-all.sh
+++ b/man/md2man-all.sh
@@ -18,5 +18,5 @@ for FILE in *.md; do
continue
fi
mkdir -p "./man${num}"
- md2man -in "$FILE" -out "./man${num}/${name}"
+ go-md2man -in "$FILE" -out "./man${num}/${name}"
done
diff --git a/scripts/docs/generate-man.sh b/scripts/docs/generate-man.sh
index 136ed1e00094..e312c87dd321 100755
--- a/scripts/docs/generate-man.sh
+++ b/scripts/docs/generate-man.sh
@@ -4,9 +4,9 @@ set -eu -o pipefail
mkdir -p ./man/man1
-if ! command -v md2man &> /dev/null; then
+if ! command -v go-md2man &> /dev/null; then
# yay, go install creates a binary named "v2" ¯\_(ツ)_/¯
- go build -o "/go/bin/md2man" ./vendor/github.com/cpuguy83/go-md2man/v2
+ go build -o "/go/bin/go-md2man" ./vendor/github.com/cpuguy83/go-md2man/v2
fi
# Generate man pages from cobra commands
--
2.30.0
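Review bot: The guard on the new line `if ! command -v go-md2man &> /dev/null; then` resolves through PATH, but the fallback builds into the hard-coded `/go/bin/go-md2man`, so on a builder where `/go/bin` is not on PATH the subsequent `go-md2man` invocation (outside this hunk) presumably still fails to resolve. `go build -o "$(go env GOPATH)/bin/go-md2man" ./vendor/github.com/cpuguy83/go-md2man/v2` would keep the guard and the fallback consistent, or the script could call the built binary by its full path. Since this is an upstream cherry-pick, it may be preferable to carry it unchanged and raise the point upstream.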


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:5bf99fd416c9a282dc97ac3568da541d378ea1c003a5680c07f11f91115d984d
size 10421676


@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:84fcc9d36db90c8b87a0b19d5846ade17e8dc4586e998e071c843fd8d43a0bef
size 6481288


@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a8526bdb466209ffd1c3ef41fcfccb9588b67d507d4444701398d6f7987f5f16
size 4450316


@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a50f42e391a98ab204eaa93e2269981be36f619c68b2bbfc3224263fbd30c4a8
size 1982676


@ -1,3 +1,62 @@
-------------------------------------------------------------------
Tue Feb 2 13:06:17 UTC 2021 - Aleksa Sarai <asarai@suse.com>
- Update to Docker 20.10.3-ce. See upstream changelog in the packaged
/usr/share/doc/packages/docker/CHANGELOG.md. CVE-2021-21285 CVE-2021-21284
- Rebase patches on top of 20.10.3-ce.
- 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+ 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
- 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+ 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
- 0004-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
+ 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
- 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+ 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
-------------------------------------------------------------------
Tue Feb 2 05:28:01 UTC 2021 - Aleksa Sarai <asarai@suse.com>
- Drop docker-runc, docker-test and docker-libnetwork packages. We now just use
the upstream runc package (it's stable enough and Docker no longer pins git
versions). docker-libnetwork is so unstable that it doesn't have any
versioning scheme and so it really doesn't make sense to maintain the project
as a separate package. bsc#1181641 bsc#1181677
- Remove no-longer-needed patch for packaging now that we've dropped
docker-runc and docker-libnetwork.
- 0001-PACKAGING-revert-Remove-docker-prefix-for-containerd.patch
-------------------------------------------------------------------
Fri Jan 29 22:55:48 UTC 2021 - Aleksa Sarai <asarai@suse.com>
- Update to Docker 20.10.2-ce. See upstream changelog in the packaged
/usr/share/doc/packages/docker/CHANGELOG.md. bsc#1181594
- Remove upstreamed patches:
- bsc1122469-0001-apparmor-allow-readby-and-tracedby.patch
- boo1178801-0001-Add-docker-interfaces-to-firewalld-docker-zone.patch
- Add patches to fix build:
+ cli-0001-Rename-bin-md2man-to-bin-go-md2man.patch
- Since upstream has changed their source repo (again) we have to rebase all of
our patches. While doing this, I've collapsed all patches into one branch
per-release and thus all the patches are now just one series:
- packaging-0001-revert-Remove-docker-prefix-for-containerd-and-runc-.patch
+ 0001-PACKAGING-revert-Remove-docker-prefix-for-containerd.patch
- secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
+ 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
- secrets-0002-SUSE-implement-SUSE-container-secrets.patch
+ 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
- private-registry-0001-Add-private-registry-mirror-support.patch
+ 0004-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
- bsc1073877-0001-apparmor-clobber-docker-default-profile-on-start.patch
+ 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
-------------------------------------------------------------------
Fri Jan 29 11:54:53 UTC 2021 - Aleksa Sarai <asarai@suse.com>
- Re-apply secrets fix for bsc#1065609 which appears to have been lost after it
was fixed.
* secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
* secrets-0002-SUSE-implement-SUSE-container-secrets.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Dec 23 06:40:46 UTC 2020 - Aleksa Sarai <asarai@suse.com> Wed Dec 23 06:40:46 UTC 2020 - Aleksa Sarai <asarai@suse.com>


@ -1,7 +1,7 @@
# #
# spec file for package docker # spec file for package docker
# #
# Copyright (c) 2020 SUSE LLC # Copyright (c) 2021 SUSE LLC
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -42,52 +42,55 @@
# helpfully injects into our build environment from the changelog). If you want # helpfully injects into our build environment from the changelog). If you want
# to generate a new git_commit_epoch, use this: # to generate a new git_commit_epoch, use this:
# $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s' # $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s'
%define git_version 5eb3275d4006 %define git_version 46229ca1d815
%define git_commit_epoch 1606849828 %define git_commit_epoch 1611869592
# These are the git commits required. We verify them against the source to make # We require a specific pin of libnetwork because it doesn't really do
# sure we didn't miss anything important when doing upgrades. # versioning and minor version mismatches in libnetwork can break Docker
%define required_containerd ea765aba0d05254012b0b9e595e995c09186427f # networking. All other key runtime dependencies (containerd, runc) are stable
%define required_dockerrunc dc9208a3303feef5b3839f4323d9beb36df0a9dd # enough that this isn't necessary.
%define required_libnetwork 55e924b8a84231a065879156c0de95aefc5f5435 %define libnetwork_version fa125a3512ee0f6187721c88582bf8c4378bd4d7
%define dist_builddir %{_builddir}/dist-suse
%define cli_builddir %{dist_builddir}/src/github.com/docker/cli
%define proxy_builddir %{dist_builddir}/src/github.com/docker/libnetwork
Name: %{realname}%{name_suffix} Name: %{realname}%{name_suffix}
Version: 19.03.14_ce Version: 20.10.3_ce
Release: 0 Release: 0
Summary: The Moby-project Linux container runtime Summary: The Moby-project Linux container runtime
License: Apache-2.0 License: Apache-2.0
Group: System/Management Group: System/Management
URL: http://www.docker.io URL: http://www.docker.io
# TODO(VR): check those SOURCE files below
Source: %{realname}-%{version}_%{git_version}.tar.xz Source: %{realname}-%{version}_%{git_version}.tar.xz
Source1: docker.service Source1: %{realname}-cli-%{version}.tar.xz
Source2: %{realname}-libnetwork-%{libnetwork_version}.tar.xz
Source3: docker-rpmlintrc
# TODO: Move these source files to somewhere nicer.
Source100: docker.service
Source101: 80-docker.rules
Source102: sysconfig.docker
Source103: README_SUSE.md
Source104: docker-audit.rules
Source105: docker-daemon.json
# Kubelet-specific sources.
# bsc#1086185 -- but we only apply this on Kubic. # bsc#1086185 -- but we only apply this on Kubic.
Source2: docker-kubic-service.conf Source900: docker-kubic-service.conf
Source3: 80-docker.rules Source901: kubelet.env
Source4: sysconfig.docker # NOTE: All of these patches are maintained in <https://github.com/suse/docker>
Source5: kubelet.env # in the suse-<version> branch. Make sure you update the patches in that
Source6: docker-rpmlintrc # branch and then git-format-patch the patch here.
Source7: README_SUSE.md
Source8: docker-audit.rules
Source9: tests.sh
Source10: docker-daemon.json
# SUSE-FEATURE: Adds the /run/secrets mountpoint inside all Docker containers # SUSE-FEATURE: Adds the /run/secrets mountpoint inside all Docker containers
# which is not snapshotted when images are committed. Note that if you modify # which is not snapshotted when images are committed.
# this patch, please also modify the patch in the suse-secrets-v<version> Patch100: 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
# branch in http://github.com/suse/docker.mirror. Patch101: 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
Patch200: secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch # SUSE-FEATURE: Add support to mirror unofficial/private registries
Patch201: secrets-0002-SUSE-implement-SUSE-container-secrets.patch # <https://github.com/docker/docker/pull/34319>.
# SUSE-ISSUE: Revert of https://github.com/docker/docker/pull/37907. Patch200: 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
Patch300: packaging-0001-revert-Remove-docker-prefix-for-containerd-and-runc-.patch # SUSE-BACKPORT: Backport of https://github.com/docker/docker/pull/37353. bsc#1073877 bsc#1099277
# SUSE-BACKPORT: Backport of https://github.com/docker/docker/pull/37353. bsc#1099277 Patch300: 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
Patch401: bsc1073877-0001-apparmor-clobber-docker-default-profile-on-start.patch # SUSE-BACKPORT: Backport of https://github.com/docker/cli/pull/2888.
# SUSE-BACKPORT: Backport of https://github.com/docker/docker/pull/39121. bsc#1122469 Patch301: cli-0001-Rename-bin-md2man-to-bin-go-md2man.patch
Patch402: bsc1122469-0001-apparmor-allow-readby-and-tracedby.patch
# SUSE-BACKPORT: Backport of https://github.com/moby/libnetwork/pull/2548. boo#1178801, SLE-16460
Patch403: boo1178801-0001-Add-docker-interfaces-to-firewalld-docker-zone.patch
# SUSE-FEATURE: Add support to mirror inofficial/private registries
# (https://github.com/docker/docker/pull/34319)
Patch500: private-registry-0001-Add-private-registry-mirror-support.patch
BuildRequires: audit BuildRequires: audit
BuildRequires: bash-completion BuildRequires: bash-completion
BuildRequires: ca-certificates BuildRequires: ca-certificates
@ -101,23 +104,21 @@ BuildRequires: procps
BuildRequires: sqlite3-devel BuildRequires: sqlite3-devel
BuildRequires: zsh BuildRequires: zsh
BuildRequires: fish BuildRequires: fish
BuildRequires: go-go-md2man
# We cannot use Go 1.14 because it breaks io.Copy (among other things) by
# returning -EINTR from I/O syscalls much more often.
BuildRequires: go1.13
BuildRequires: pkgconfig(libsystemd) BuildRequires: pkgconfig(libsystemd)
Requires: apparmor-parser Requires: apparmor-parser
Requires: ca-certificates-mozilla Requires: ca-certificates-mozilla
# Required in order for networking to work. fix_bsc_1057743 is a work-around # The docker-proxy binary used to be in a separate package. We obsolete it,
# for some old packaging issues (where rpm would delete a binary that was # since now docker-proxy is maintained as part of this package.
# installed by docker-libnetwork). See bsc#1057743 for more details. Obsoletes: docker-libnetwork%{name_suffix} < 0.7.0.2
BuildRequires: docker-libnetwork%{name_suffix}-git = %{required_libnetwork} Provides: docker-libnetwork%{name_suffix} = 0.7.0.2.%{version}
Requires: docker-libnetwork%{name_suffix}-git = %{required_libnetwork} # Required to actually run containers. We require the minimum version that is
Requires: fix_bsc_1057743 # pinned by Docker, but in order to avoid headaches we allow for updates.
# Containerd and runC are required as they are the only currently supported Requires: runc >= 1.0.0~rc92
# execdrivers of Docker. NOTE: The version pinning here matches upstream's Requires: containerd >= 1.4.3
# vendor.conf to ensure that we don't use a slightly incompatible version of
# runC or containerd (which would be bad).
BuildRequires: containerd%{name_suffix}-git = %{required_containerd}
Requires: containerd%{name_suffix}-git = %{required_containerd}
BuildRequires: docker-runc%{name_suffix}-git = %{required_dockerrunc}
Requires: docker-runc%{name_suffix}-git = %{required_dockerrunc}
# Needed for --init support. We don't use "tini", we use our own implementation # Needed for --init support. We don't use "tini", we use our own implementation
# which handles edge-cases better. # which handles edge-cases better.
Requires: catatonit Requires: catatonit
@ -131,20 +132,13 @@ Requires: xz >= 4.9
Requires(post): %fillup_prereq Requires(post): %fillup_prereq
Requires(post): udev Requires(post): udev
Requires(post): shadow Requires(post): shadow
# We used to have a migration tool for the upgrade from v1.9.x to v1.10.x.
# It is no longer useful, so we obsolete it. bsc#1069758
Obsoletes: docker-image-migrator
# Not necessary, but must be installed when the underlying system is # Not necessary, but must be installed when the underlying system is
# configured to use lvm and the user doesn't explicitly provide a # configured to use lvm and the user doesn't explicitly provide a
# different storage-driver than devicemapper # different storage-driver than devicemapper
Recommends: lvm2 >= 2.2.89 Recommends: lvm2 >= 2.2.89
Recommends: git-core >= 1.7 Recommends: git-core >= 1.7
Conflicts: lxc < 1.0
ExcludeArch: s390 ppc ExcludeArch: s390 ppc
BuildRequires: go-go-md2man
# We cannot use Go 1.14 because it breaks io.Copy (among other things) by
# returning -EINTR from I/O syscalls much more often.
BuildRequires: go1.13
# KUBIC-SPECIFIC: This was required when upgrading from the original kubic # KUBIC-SPECIFIC: This was required when upgrading from the original kubic
# packaging, when everything was renamed to -kubic. It also is # packaging, when everything was renamed to -kubic. It also is
# used to ensure that nothing complains too much when using # used to ensure that nothing complains too much when using
@ -232,31 +226,6 @@ Provides: %{realname}-fish-completion = %{version}
%description fish-completion %description fish-completion
Fish command line completion support for %{name}. Fish command line completion support for %{name}.
%package test
%global __requires_exclude ^libgo.so.*$
Summary: Test package for docker
# Needed for test-suite.
Group: System/Management
Requires: curl
Requires: go
Requires: iputils
Requires: jq
Requires: net-tools-deprecated
# KUBIC-SPECIFIC: This was required when upgrading from the original kubic
# packaging, when everything was renamed to -kubic. It also is
# used to ensure that nothing complains too much when using
# -kubic packages. Hopfully it can be removed one day.
%if "%flavour" == "kubic"
# Obsolete old packege without the -kubic suffix
Obsoletes: %{realname}-test = 1.12.6
# Conflict with non-kubic package, and provide equivalent
Conflicts: %{realname}-test > 1.12.6
Provides: %{realname}-test = %{version}
%endif
%description test
Test package for docker. It contains the source code and the tests.
%if "%flavour" == "kubic" %if "%flavour" == "kubic"
%package kubeadm-criconfig %package kubeadm-criconfig
Summary: docker container runtime configuration for kubeadm Summary: docker container runtime configuration for kubeadm
@ -273,34 +242,47 @@ docker container runtime configuration for kubeadm
%prep %prep
%setup -q -n %{realname}-%{version}_%{git_version} %setup -q -n %{realname}-%{version}_%{git_version}
%if 0%{?is_opensuse} %if 0%{?is_opensuse}
# nothing # nothing
%else %else
# PATCH-SUSE: Secrets patches. # PATCH-SUSE: Secrets patches.
%patch200 -p1 %patch100 -p1
%patch201 -p1 %patch101 -p1
%endif %endif
# revert upstream
%patch300 -p1
# bsc#1099277
%patch401 -p1
# bsc#1122469
%patch402 -p1
# boo#1178801, SLE-16460
%patch403 -p1
%if "%flavour" == "kubic" %if "%flavour" == "kubic"
# PATCH-SUSE: Mirror patch. # PATCH-SUSE: Mirror patch.
%patch500 -p1 %patch200 -p1
%endif %endif
# bsc#1099277
%patch300 -p1
cp %{SOURCE7} . # README_SUSE.md for documentation.
cp %{SOURCE103} .
# Extract the docker-cli source in a subdir.
mkdir -p %{cli_builddir}
pushd %{cli_builddir}
xz -dc %{SOURCE1} | tar -xof - --strip-components=1
# https://github.com/docker/cli/pull/2888
%patch301 -p1
popd
# Extract the docker-libnetwork source in a subdir.
mkdir -p %{proxy_builddir}
pushd %{proxy_builddir}
xz -dc %{SOURCE2} | tar -xof - --strip-components=1
popd
%build %build
echo "$PWD -- $PWD -- $PWD"
BUILDTAGS="exclude_graphdriver_aufs apparmor selinux seccomp pkcs11" BUILDTAGS="exclude_graphdriver_aufs apparmor selinux seccomp pkcs11"
%if 0%{?sle_version} == 120000 %if 0%{?sle_version} == 120000
# Provided by patch406, to allow us to build with older distros but still # Allow us to build with older distros but still have deferred removal
# have deferred removal support at runtime. We only use this when building # support at runtime. We only use this when building on SLE12, because
# on SLE12. # later openSUSE/SLE versions have a new enough libdevicemapper to not
# require the runtime checking.
BUILDTAGS="libdm_dlsym_deferred_remove $BUILDTAGS" BUILDTAGS="libdm_dlsym_deferred_remove $BUILDTAGS"
%endif %endif
@ -326,119 +308,92 @@ EOF
# Preparing GOPATH so that the client is visible to the compiler # Preparing GOPATH so that the client is visible to the compiler
mkdir -p src/github.com/docker/ mkdir -p src/github.com/docker/
ln -s $(pwd)/components/cli $(pwd)/src/github.com/docker/cli ln -s "%{cli_builddir}" "$PWD/src/github.com/docker/cli"
export GOPATH=$GOPATH:$(pwd) export GOPATH="$GOPATH:$PWD"
################### ###################
## DOCKER ENGINE ## ## DOCKER ENGINE ##
################### ###################
pushd components/engine/
# Ignore the warning that we compile outside a Docker container. # Ignore the warning that we compile outside a Docker container.
./hack/make.sh dynbinary ./hack/make.sh dynbinary
# Build test binaries (integration-cli and integration/*). They are all stored
# within the testdir -- we will only end up installing these test files for
# docker-test.
for testdir in {integration-cli,integration/*/}
do
( find "$testdir" -name '*_test.go' | grep -q '.' ) || continue
GOPATH=$(pwd)/vendor:$(pwd)/.gopath/ go test \
-buildmode=pie \
-tags "$DOCKER_BUILDTAGS daemon autogen" \
-c "github.com/docker/docker/$testdir" -o "$testdir/tests.main"
done
popd
################### ###################
## DOCKER CLIENT ## ## DOCKER CLIENT ##
################### ###################
pushd components/cli/ pushd %{cli_builddir}
./scripts/build/dynbinary ./scripts/build/dynbinary
mkdir -p ./man/man1 mkdir -p ./man/man1
go build -buildmode=pie -o gen-manpages github.com/docker/cli/man go build -buildmode=pie -o gen-manpages github.com/docker/cli/man
./gen-manpages --root "$(pwd)" --target "$(pwd)/man/man1" ./gen-manpages --root "$PWD" --target "$PWD/man/man1"
./man/md2man-all.sh ./man/md2man-all.sh
popd popd
%check ##################
# We used to run 'go test' here, however we found that this actually didn't ## DOCKER PROXY ##
# catch any issues that were caught by smoke testing, and %check would ##################
# continually cause package builds to fail due to flaky tests. If you ever need
# to know how the testing was done, you can always look in the package history.
# boo#1095817
# We verify that all of our -git requires are correct, and match the contents pushd %{proxy_builddir}
# of the upstream vendoring scripts. This is done on-build to make sure that GOPATH="%{dist_builddir}" \
# someone doing an update didn't miss anything. go build -buildmode=pie -o docker-proxy github.com/docker/libnetwork/cmd/proxy
cd components/engine popd
grep 'RUNC_COMMIT:=%{required_dockerrunc}' hack/dockerfile/install/runc.installer
grep 'CONTAINERD_COMMIT:=%{required_containerd}' hack/dockerfile/install/containerd.installer # We verify that our libnetwork source is the correct version. This is done
grep 'LIBNETWORK_COMMIT:=%{required_libnetwork}' hack/dockerfile/install/proxy.installer # on-build to make sure that someone doing an update didn't miss anything.
grep 'LIBNETWORK_COMMIT:=%{libnetwork_version}' hack/dockerfile/install/proxy.installer
%install %install
install -d %{buildroot}%{_bindir} install -Dd -m0755 \
install -D -m755 components/cli/build/docker %{buildroot}/%{_bindir}/docker
install -D -m755 components/engine/bundles/dynbinary-daemon/dockerd %{buildroot}/%{_bindir}/dockerd
install -d %{buildroot}/%{_localstatedir}/lib/docker
install -Dd -m 0755 \
%{buildroot}%{_sysconfdir}/init.d \ %{buildroot}%{_sysconfdir}/init.d \
%{buildroot}%{_bindir} \
%{buildroot}%{_sbindir} %{buildroot}%{_sbindir}
install -D -m0644 components/cli/contrib/completion/bash/docker "%{buildroot}%{_datarootdir}/bash-completion/completions/%{realname}" # docker daemon
install -D -m0644 components/cli/contrib/completion/zsh/_docker "%{buildroot}%{_sysconfdir}/zsh_completion.d/_%{realname}" install -D -m0755 bundles/dynbinary-daemon/dockerd %{buildroot}/%{_bindir}/dockerd
install -D -m0644 components/cli/contrib/completion/fish/docker.fish "%{buildroot}/%{_datadir}/fish/vendor_completions.d/%{realname}.fish" install -d %{buildroot}/%{_localstatedir}/lib/docker
# daemon.json config file
install -D -m0644 %{SOURCE105} %{buildroot}%{_sysconfdir}/docker/daemon.json
# docker cli
install -D -m0755 %{cli_builddir}/build/docker %{buildroot}/%{_bindir}/docker
install -D -m0644 %{cli_builddir}/contrib/completion/bash/docker "%{buildroot}%{_datarootdir}/bash-completion/completions/%{realname}"
install -D -m0644 %{cli_builddir}/contrib/completion/zsh/_docker "%{buildroot}%{_sysconfdir}/zsh_completion.d/_%{realname}"
install -D -m0644 %{cli_builddir}/contrib/completion/fish/docker.fish "%{buildroot}/%{_datadir}/fish/vendor_completions.d/%{realname}.fish"
# docker proxy
install -D -m0755 %{proxy_builddir}/docker-proxy %{buildroot}/%{_bindir}/docker-proxy
#
# systemd service # systemd service
# install -D -m0644 %{SOURCE100} %{buildroot}%{_unitdir}/%{realname}.service
install -D -m0644 %{SOURCE1} %{buildroot}%{_unitdir}/%{realname}.service
%if "%flavour" == "kubic" %if "%flavour" == "kubic"
install -D -m0644 %{SOURCE2} %{buildroot}%{_unitdir}/%{realname}.service.d/90-kubic.conf install -D -m0644 %{SOURCE900} %{buildroot}%{_unitdir}/%{realname}.service.d/90-kubic.conf
%endif %endif
ln -sf service %{buildroot}%{_sbindir}/rcdocker ln -sf service %{buildroot}%{_sbindir}/rcdocker
#
# udev rules that prevents dolphin to show all docker devices and slows down # udev rules that prevents dolphin to show all docker devices and slows down
# upstream report https://bugs.kde.org/show_bug.cgi?id=329930 # upstream report https://bugs.kde.org/show_bug.cgi?id=329930
# install -D -m0644 %{SOURCE101} %{buildroot}%{_udevrulesdir}/80-%{realname}.rules
install -D -m 0644 %{SOURCE3} %{buildroot}%{_udevrulesdir}/80-%{realname}.rules
# audit rules # audit rules
install -D -m 0640 %{SOURCE8} %{buildroot}%{_sysconfdir}/audit/rules.d/%{realname}.rules install -D -m0640 %{SOURCE104} %{buildroot}%{_sysconfdir}/audit/rules.d/%{realname}.rules
# sysconfig file # sysconfig file
install -D -m 644 %{SOURCE4} %{buildroot}%{_fillupdir}/sysconfig.docker install -D -m0644 %{SOURCE102} %{buildroot}%{_fillupdir}/sysconfig.docker
# install docker config file
install -D -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/docker/daemon.json
# install manpages (using the ones from the engine) # install manpages (using the ones from the engine)
install -d %{buildroot}%{_mandir}/man1 install -d %{buildroot}%{_mandir}/man1
install -p -m 644 components/cli/man/man1/*.1 %{buildroot}%{_mandir}/man1 install -p -m0644 %{cli_builddir}/man/man1/*.1 %{buildroot}%{_mandir}/man1
install -d %{buildroot}%{_mandir}/man5 install -d %{buildroot}%{_mandir}/man5
install -p -m 644 components/cli/man/man5/Dockerfile.5 %{buildroot}%{_mandir}/man5 install -p -m0644 %{cli_builddir}/man/man5/Dockerfile.5 %{buildroot}%{_mandir}/man5
install -d %{buildroot}%{_mandir}/man8 install -d %{buildroot}%{_mandir}/man8
install -p -m 644 components/cli/man/man8/*.8 %{buildroot}%{_mandir}/man8 install -p -m0644 %{cli_builddir}/man/man8/*.8 %{buildroot}%{_mandir}/man8
# install docker-test files -- we want to avoid installing the entire source tree.
install -d %{buildroot}%{_prefix}/src/docker/
install -D -m0755 %{SOURCE9} %{buildroot}%{_prefix}/src/docker/tests.sh
# We need hack/, contrib/, profiles/, and the integration*/ trees.
cp -a components/engine/{hack,contrib,profiles,integration{,-cli}} %{buildroot}%{_prefix}/src/docker/
echo "%{version}" > %{buildroot}%{_prefix}/src/docker/VERSION
# And now we can remove all *_test.go files -- since we already have test
# binaries. Due to a lot of hacks within the Docker integration tests, we can't
# really do a bigger cleanup than this.
find %{buildroot}%{_prefix}/src/docker \
-type f -name '*_test.go' -delete
%if "%flavour" == "kubic" %if "%flavour" == "kubic"
# place kubelet.env in fillupdir (for kubeadm-criconfig) # place kubelet.env in fillupdir (for kubeadm-criconfig)
sed -e 's-@LIBEXECDIR@-%{_libexecdir}-g' -i %{SOURCE5} sed -e 's-@LIBEXECDIR@-%{_libexecdir}-g' -i %{SOURCE901}
install -D -m 0644 %{SOURCE5} %{buildroot}%{_fillupdir}/sysconfig.kubelet install -D -m0644 %{SOURCE901} %{buildroot}%{_fillupdir}/sysconfig.kubelet
%endif %endif
%fdupes %{buildroot} %fdupes %{buildroot}
@ -485,10 +440,11 @@ grep -q '^dockremap:' /etc/subgid || \
%files %files
%defattr(-,root,root) %defattr(-,root,root)
%doc components/engine/README.md README_SUSE.md CHANGELOG.md %doc README.md README_SUSE.md CHANGELOG.md
%license components/engine/LICENSE %license LICENSE
%{_bindir}/docker %{_bindir}/docker
%{_bindir}/dockerd %{_bindir}/dockerd
%{_bindir}/docker-proxy
%{_sbindir}/rcdocker %{_sbindir}/rcdocker
%dir %{_localstatedir}/lib/docker/ %dir %{_localstatedir}/lib/docker/
@ -522,10 +478,6 @@ grep -q '^dockremap:' /etc/subgid || \
%defattr(-,root,root) %defattr(-,root,root)
%{_datadir}/fish/vendor_completions.d/%{realname}.fish %{_datadir}/fish/vendor_completions.d/%{realname}.fish
%files test
%defattr(-,root,root)
%{_prefix}/src/docker/
%if "%flavour" == "kubic" %if "%flavour" == "kubic"
%files kubeadm-criconfig %files kubeadm-criconfig
%defattr(-,root,root) %defattr(-,root,root)
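Review bot: The rewritten dependency block (`Requires: runc >= 1.0.0~rc92`, `Requires: containerd >= 1.4.3`) replaces exact `-git` pins with floor versions, and the build-time verification the old `%check` did against `hack/dockerfile/install/runc.installer` and `containerd.installer` is dropped, leaving only the libnetwork grep (`grep 'LIBNETWORK_COMMIT:=%{libnetwork_version}' hack/dockerfile/install/proxy.installer`). Nothing now ties those two minimums to what upstream actually vendors, so a later version bump can silently leave them below the runc/containerd release Docker was tested with, and those are the components where container-isolation fixes land. Consider adding `%define`s for the expected runc/containerd versions and grepping the corresponding installer files next to the libnetwork check, so a stale floor fails the build instead of shipping; from the rendered section it is also not clear whether that grep still sits under `%check` or has moved into `%build`. Separately, `echo "$PWD -- $PWD -- $PWD"` at the top of `%build` looks like leftover debugging and should be removed.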


@ -1,126 +0,0 @@
From 33d18d20a806e2541292acb55338dea2065d2501 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Thu, 29 Nov 2018 20:53:16 +1100
Subject: [PATCH] revert "Remove 'docker-' prefix for containerd and runc
binaries"
This reverts commit 34eede0296bce6a9c335cb429f10728ae3f4252d, as it
would significantly break openSUSE's packaging (as well as causing
conflicts between the very-outdated runc that Docker uses and the more
up-to-date one available for Podman).
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
components/engine/api/swagger.yaml | 4 ++--
components/engine/builder/builder-next/executor_unix.go | 2 +-
components/engine/daemon/daemon_unix.go | 6 +++---
components/engine/libcontainerd/supervisor/remote_daemon.go | 4 ++--
.../engine/libcontainerd/supervisor/remote_daemon_linux.go | 4 ++--
.../libcontainerd/supervisor/remote_daemon_windows.go | 4 ++--
6 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/components/engine/api/swagger.yaml b/components/engine/api/swagger.yaml
index 6e0bc25b52d6..58f860d22a49 100644
--- a/components/engine/api/swagger.yaml
+++ b/components/engine/api/swagger.yaml
@@ -3980,10 +3980,10 @@ definitions:
$ref: "#/definitions/Runtime"
default:
runc:
- path: "runc"
+ path: "docker-runc"
example:
runc:
- path: "runc"
+ path: "docker-runc"
runc-master:
path: "/go/bin/runc"
custom:
diff --git a/components/engine/builder/builder-next/executor_unix.go b/components/engine/builder/builder-next/executor_unix.go
index 620ffb401de7..dd63779a27d2 100644
--- a/components/engine/builder/builder-next/executor_unix.go
+++ b/components/engine/builder/builder-next/executor_unix.go
@@ -28,7 +28,7 @@ func newExecutor(root, cgroupParent string, net libnetwork.NetworkController, ro
}
return runcexecutor.New(runcexecutor.Opt{
Root: filepath.Join(root, "executor"),
- CommandCandidates: []string{"runc"},
+ CommandCandidates: []string{"docker-runc", "runc"},
DefaultCgroupParent: cgroupParent,
Rootless: rootless,
NoPivot: os.Getenv("DOCKER_RAMDISK") != "",
diff --git a/components/engine/daemon/daemon_unix.go b/components/engine/daemon/daemon_unix.go
index df64de6edf13..fa9bfb528414 100644
--- a/components/engine/daemon/daemon_unix.go
+++ b/components/engine/daemon/daemon_unix.go
@@ -54,11 +54,11 @@ import (
const (
// DefaultShimBinary is the default shim to be used by containerd if none
// is specified
- DefaultShimBinary = "containerd-shim"
+ DefaultShimBinary = "docker-containerd-shim"
// DefaultRuntimeBinary is the default runtime to be used by
// containerd if none is specified
- DefaultRuntimeBinary = "runc"
+ DefaultRuntimeBinary = "docker-runc"
// See https://git.kernel.org/cgit/linux/kernel/git/tip/tip.git/tree/kernel/sched/sched.h?id=8cd9234c64c584432f6992fe944ca9e46ca8ea76#n269
linuxMinCPUShares = 2
@@ -77,7 +77,7 @@ const (
// DefaultRuntimeName is the default runtime to be used by
// containerd if none is specified
- DefaultRuntimeName = "runc"
+ DefaultRuntimeName = "docker-runc"
)
type containerGetter interface {
diff --git a/components/engine/libcontainerd/supervisor/remote_daemon.go b/components/engine/libcontainerd/supervisor/remote_daemon.go
index 31b93f11f0b1..5fba7f29eff9 100644
--- a/components/engine/libcontainerd/supervisor/remote_daemon.go
+++ b/components/engine/libcontainerd/supervisor/remote_daemon.go
@@ -27,8 +27,8 @@ const (
shutdownTimeout = 15 * time.Second
startupTimeout = 15 * time.Second
configFile = "containerd.toml"
- binaryName = "containerd"
- pidFile = "containerd.pid"
+ binaryName = "docker-containerd"
+ pidFile = "docker-containerd.pid"
)
type pluginConfigs struct {
diff --git a/components/engine/libcontainerd/supervisor/remote_daemon_linux.go b/components/engine/libcontainerd/supervisor/remote_daemon_linux.go
index 799399c07bc5..1ea91d2b5d0b 100644
--- a/components/engine/libcontainerd/supervisor/remote_daemon_linux.go
+++ b/components/engine/libcontainerd/supervisor/remote_daemon_linux.go
@@ -11,8 +11,8 @@ import (
)
const (
- sockFile = "containerd.sock"
- debugSockFile = "containerd-debug.sock"
+ sockFile = "docker-containerd.sock"
+ debugSockFile = "docker-containerd-debug.sock"
)
func (r *remote) setDefaults() {
diff --git a/components/engine/libcontainerd/supervisor/remote_daemon_windows.go b/components/engine/libcontainerd/supervisor/remote_daemon_windows.go
index 9b254ef58a0a..bcdc9529e0f7 100644
--- a/components/engine/libcontainerd/supervisor/remote_daemon_windows.go
+++ b/components/engine/libcontainerd/supervisor/remote_daemon_windows.go
@@ -7,8 +7,8 @@ import (
)
const (
- grpcPipeName = `\\.\pipe\containerd-containerd`
- debugPipeName = `\\.\pipe\containerd-debug`
+ grpcPipeName = `\\.\pipe\docker-containerd-containerd`
+ debugPipeName = `\\.\pipe\docker-containerd-debug`
)
func (r *remote) setDefaults() {
--
2.22.0

205
tests.sh

@ -1,205 +0,0 @@
#!/bin/bash
#
# Script for launching the Docker integration tests
# XXX: We currently only support running integration-cli.
#
set -Eeuo pipefail
DOCKER_DIR=/usr/src/docker
SCRIPTS_DIR="$DOCKER_DIR/hack"
VERSION="$(cat "$DOCKER_DIR/VERSION")"
# working dirs
FROZEN_IMAGES_DIR="/tmp/docker-frozen-images"
FROZEN_IMAGES_LINK=/docker-frozen-images
readarray -t TESTS < <(find "$DOCKER_DIR/integration-cli" -type f -executable -name 'tests.main')
CHECK_TIMEOUT="${CHECK_TIMEOUT:-15m}"
TEST_TIMEOUT="${TEST_TIMEOUT:-0}"
TEST_ARGS=("-check.v" "-check.timeout=${CHECK_TIMEOUT}" "-test.timeout=${TEST_TIMEOUT}")
TEST_SELECT=
TEST_LOG=/tmp/docker-tests.log
KEEPBUNDLE="${KEEPBUNDLE:-}"
# the config file for Docker
CFG_DOCKER=/etc/docker/daemon.json
################################################################################
log() { echo ">>> $@" ; }
warn() { log "WARNING: $@" ; }
error() { log "ERROR: $@" ; }
abort() { log "FATAL: $@" ; exit 1 ; }
usage() { echo "$USAGE" ; }
abort_usage() { usage ; abort "$@" ; }
bundle() {
local bundle="$1"; shift
log "Making bundle: $(basename "$bundle") (in $PWD)"
local oldFlags="$-"
set +Eeu
source "$SCRIPTS_DIR/make/$bundle" "$@"
set "-$oldFlags"
}
save_backup() {
for x in $@ ; do
if [ ! -f "$x" ] ; then
touch "$x.nbak"
elif [ -f "$x.bak" ] ; then
warn "$x.bak already exists: no backup will be done"
else
cp -f "$x" "$x.bak"
fi
done
}
restore_backup() {
for x in $@ ; do
if [ -f "$x.nbak" ] ; then
rm -f "$x.nbak"
elif [ -f "$x.bak" ] ; then
mv -f "$x.bak" "$x"
fi
done
}
require_go() { go version >/dev/null 2>&1 ; }
require_git() { git version >/dev/null 2>&1 ; }
################################################################################
[ "${#TESTS[@]}" -gt 0 ] || abort "integration tests executable not found in $DOCKER_DIR"
[ "$EUID" -eq 0 ] || abort "this script must be run as root"
[ -n "$VERSION" ] || abort "could not obtain version"
if [ "$#" -gt 0 ] ; then
# run only some specific tests
TEST_ARGS+=( "-check.f=$(echo $@ | tr ' ' '|')" )
fi
# tests require this user and group
/usr/sbin/groupadd -r docker >/dev/null 2>&1 || /bin/true
/usr/sbin/useradd --create-home --gid docker unprivilegeduser >/dev/null 2>&1 || /bin/true
export DOCKER_TEST_HOST="tcp://127.0.0.1:2375"
export PATH="/usr/local/bin:$PATH"
export TZ=utc
export DOCKER_GRAPHDRIVER="${DOCKER_GRAPHDRIVER:-vfs}"
export DOCKER_USERLANDPROXY="${DOCKER_USERLANDPROXY:-true}"
export DOCKER_STORAGE_OPTS="${DOCKER_STORAGE_OPTS:-}"
export DOCKER_REMAP_ROOT="${DOCKER_REMAP_ROOT:-}" # "default" uses dockremap
# Example usage: DOCKER_STORAGE_OPTS="dm.basesize=20G,dm.loopdatasize=200G".
storage_opts=()
if [ -n "$DOCKER_STORAGE_OPTS" ]; then
IFS=','
for i in ${DOCKER_STORAGE_OPTS}; do
storage_opts+=("$i")
done
unset IFS
fi
# deal with remapping
save_backup /etc/subuid /etc/subgid
echo "dockremap:500000:65536" >/etc/subuid
echo "dockremap:500000:65536" >/etc/subgid
groupadd dockremap >/dev/null 2>&1 || /bin/true
useradd -g dockremap dockremap >/dev/null 2>&1 || /bin/true
# make sure Docker is stopped, set our config file and then start again
save_backup "$CFG_DOCKER"
cat <<CFG_DOCKER_EOF >"$CFG_DOCKER"
{
"log-level": "debug",
"log-driver": "json-file",
"log-opts": {
"max-size": "50m",
"max-file": "5"
},
"userns-remap": "$DOCKER_REMAP_ROOT",
"hosts": [
"tcp://127.0.0.1:2375"
],
"storage-driver": "$DOCKER_GRAPHDRIVER",
"storage-opts": [
$(printf '"%s",' "${storage_opts[@]}" | sed 's/"",//g;$s/,$//')
],
"userland-proxy": $DOCKER_USERLANDPROXY
}
CFG_DOCKER_EOF
systemctl restart docker.service
cleanup() {
log "Restoring configuration files..."
restore_backup /etc/subuid /etc/subgid "$CFG_DOCKER"
rm -f "$FROZEN_IMAGES_LINK"
log "Removing images and containers..."
export DOCKER_HOST="$DOCKER_TEST_HOST"
docker ps -aq | xargs docker rm -f &>/dev/null || :
docker images -q | xargs docker rmi -f &>/dev/null || :
log "Restarting the Docker service in a pristine state..."
systemctl restart docker.service
}
trap cleanup EXIT
cd "$DOCKER_DIR"
export MAKEDIR="$SCRIPTS_DIR/make"
export DOCKER_HOST="$DOCKER_TEST_HOST"
# Clean up all images on the host -- this is key to avoid test run failures.
log "Cleaning the environment..."
docker ps -aq | xargs docker rm -f &>/dev/null || :
docker images -q | xargs docker rmi -f &>/dev/null || :
log "Preparing the environment..."
bundle .integration-daemon-setup
# XXX: Really this should be sourced from the Dockerfile but this is good
# enough for now. This comes from the Docker 18.09.1-ce Dockerfile.
log "Downlading frozen images..."
mkdir -p "$FROZEN_IMAGES_DIR"
ln -sf "$FROZEN_IMAGES_DIR" "$FROZEN_IMAGES_LINK"
"$DOCKER_DIR/contrib/download-frozen-image-v2.sh" "$FROZEN_IMAGES_DIR" \
buildpack-deps:jessie@sha256:dd86dced7c9cd2a724e779730f0a53f93b7ef42228d4344b25ce9a42a1486251 \
busybox:latest@sha256:bbc3a03235220b170ba48a157dd097dd1379299370e1ed99ce976df0355d24f0 \
busybox:glibc@sha256:0b55a30394294ab23b9afd58fab94e61a923f5834fba7ddbae7f8e0c11ba85e6 \
debian:jessie@sha256:287a20c5f73087ab406e6b364833e3fb7b3ae63ca0eb3486555dc27ed32c6e60 \
hello-world:latest@sha256:be0cd392e45be79ffeffa6b05338b98ebb16c87b255f48e297ec7f98e123905c
# The code within integration-cli which handles building *-test images doesn't
# appear to work within our setup, not to mention we don't want to Require: a
# bunch of build tools so we just use the provided Dockerfile and
# buildpack-deps.
tar -cC "$FROZEN_IMAGES_DIR" . | docker load
for dir in "$DOCKER_DIR"/contrib/*-test
do
log "Building *-test images ($dir)..."
docker build -t "$(basename "$dir")" "$dir"
done
# For some reason, dockerd appears to put the containerd.sock in the wrong
# place under systemd. So we just manually add a symlink for it.
[ -e "/var/run/docker/containerd/containerd.sock" ] || \
ln -s docker-containerd.sock /var/run/docker/containerd/containerd.sock
# And there appears to be an issue with daemon.json as a configuration format,
# so we need to hide our generated configuration. The original will be restored
# in cleanup().
rm -f "$CFG_DOCKER"
# Run all of our tests.
rm -f "$TEST_LOG"
for TEST in "${TESTS[@]}"
do
cd "$(dirname "$TEST")"
log "Running integration test ($TEST)..." | tee -a "$TEST_LOG"
"$TEST" "${TEST_ARGS[@]}" 2>&1 | tee -a "$TEST_LOG" || :
done
export -n DOCKER_HOST