Accepting request 1302771 from Virtualization:containers

OBS-URL: https://build.opensuse.org/request/show/1302771
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/docker?expand=0&rev=175

0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch

@@ -0,0 +1,106 @@
+From 4ae999e2bf6cea95845ce16baf262193947028c3 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <cyphar@cyphar.com>
+Date: Wed, 4 Jun 2025 15:01:37 +1000
+Subject: [PATCH 1/6] SECRETS: SUSE: always clear our internal secrets
+
+In the future SUSEConnect support patch, we will add swarm secrets with
+the ID suse_* containing credentials pertinent to SUSEConnect.
+Unfortunately, secret references (but not the secrets themselves) are
+persisted in the container configuration.
+
+Our secrets patch would clear old secrets to avoid having duplicates
+(see bsc#1057743) but now that SLE16 will no longer use this patch,
+containers migrated to the new system will fail to start because the
+secret store is not initialised (and the secret reference IDs don't
+exist anyway).
+
+The solution is to always clear any secrets with the suse_* prefix, and
+this patch will be applied to all builds (even those with SUSEConnect
+support disabled).
+
+THIS PATCH IS NOT TO BE UPSTREAMED, DUE TO THE FACT THAT IT IS
+SUSE-SPECIFIC, AND UPSTREAM DOES NOT APPROVE OF THIS CONCEPT BECAUSE IT
+MAKES BUILDS NOT ENTIRELY REPRODUCIBLE.
+
+SUSE-Bugs: bsc#1244035 bsc#1057743
+Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
+---
+ daemon/start.go        | 10 ++++++++++
+ daemon/suse_secrets.go | 44 ++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 54 insertions(+)
+ create mode 100644 daemon/suse_secrets.go
+
+diff --git a/daemon/start.go b/daemon/start.go
+index a914a0fe3145..0930ff91d1a2 100644
+--- a/daemon/start.go
++++ b/daemon/start.go
+@@ -146,6 +146,16 @@ func (daemon *Daemon) containerStart(ctx context.Context, daemonCfg *configStore
+ 		}
+ 	}()
+ 
++	// SUSE:secrets -- Drop any "old" SUSE secrets referenced by this container
++	// (even if this daemon is not compiled with injectSuseSecretStore
++	// enabled). This is necessary because containers secret references are
++	// somewhat permanently associated with containers, so if you were to
++	// restart the container with a different Docker daemon you may end up with
++	// duplicate secrets causing errors (bsc#1057743) or the secret reference
++	// might not be resolveable if you switched to a Docker without the
++	// SUSEConnect patch enabled (bsc#1244035).
++	daemon.clearSuseSecrets(container)
++
+ 	mnts, err := daemon.setupContainerDirs(container)
+ 	if err != nil {
+ 		return err
+diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go
+new file mode 100644
+index 000000000000..b8f3d9f9c094
+--- /dev/null
++++ b/daemon/suse_secrets.go
+@@ -0,0 +1,44 @@
++/*
++ * suse-secrets: patch for Docker to implement SUSE secrets
++ * Copyright (C) 2017-2021 SUSE LLC.
++ *
++ * Licensed under the Apache License, Version 2.0 (the "License");
++ * you may not use this file except in compliance with the License.
++ * You may obtain a copy of the License at
++ *
++ *    http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++
++package daemon
++
++import (
++	"strings"
++
++	"github.com/docker/docker/container"
++
++	swarmtypes "github.com/docker/docker/api/types/swarm"
++
++	"github.com/sirupsen/logrus"
++)
++
++// clearSuseSecrets removes any SecretReferences which were added by us
++// explicitly (this is detected by checking that the prefix has a 'suse_'
++// prefix, which is a prefix that cannot exist for normal swarm secrets). See
++// bsc#1057743 and bsc#1244035.
++func (daemon *Daemon) clearSuseSecrets(c *container.Container) {
++	var without []*swarmtypes.SecretReference
++	for _, secret := range c.SecretReferences {
++		if strings.HasPrefix(secret.SecretID, "suse_") {
++			logrus.Debugf("SUSE:secrets :: removing 'old' suse secret %q from container %q", secret.SecretID, c.ID)
++			continue
++		}
++		without = append(without, secret)
++	}
++	c.SecretReferences = without
++}
+-- 
+2.51.0
+

0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch

@@ -1,7 +1,7 @@
-From ec53ee338835c4c1dc583695ac166f36bf3bac5c Mon Sep 17 00:00:00 2001
+From 6f03d8d6c52c95823d5d730416b2b8b111a9f2a3 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Wed, 8 Mar 2017 12:41:54 +1100
-Subject: [PATCH 1/7] SECRETS: daemon: allow directory creation in /run/secrets
+Subject: [PATCH 2/6] SECRETS: daemon: allow directory creation in /run/secrets
 
 Since FileMode can have the directory bit set, allow a SecretStore
 implementation to return secrets that are actually directories. This is
@@ -14,26 +14,26 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
  1 file changed, 20 insertions(+), 3 deletions(-)
 
 diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go
-index 4dedc1b21c87..b7c310493e79 100644
+index f6d9449609b7..520b7f80f162 100644
 --- a/daemon/container_operations_unix.go
 +++ b/daemon/container_operations_unix.go
 @@ -3,6 +3,7 @@
- package daemon // import "github.com/docker/docker/daemon"
+ package daemon
  
  import (
 +	"bytes"
  	"context"
  	"fmt"
  	"os"
-@@ -16,6 +17,7 @@ import (
+@@ -21,6 +22,7 @@ import (
- 	"github.com/docker/docker/daemon/links"
+ 	"github.com/docker/docker/libnetwork/drivers/bridge"
- 	"github.com/docker/docker/errdefs"
- 	"github.com/docker/docker/libnetwork"
-+	"github.com/docker/docker/pkg/archive"
- 	"github.com/docker/docker/pkg/idtools"
  	"github.com/docker/docker/pkg/process"
  	"github.com/docker/docker/pkg/stringid"
-@@ -240,9 +242,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
++	"github.com/moby/go-archive"
+ 	"github.com/moby/sys/mount"
+ 	"github.com/moby/sys/user"
+ 	"github.com/opencontainers/selinux/go-selinux/label"
+@@ -325,9 +327,6 @@ func (daemon *Daemon) setupSecretDir(ctr *container.Container) (setupErr error)
  		if err != nil {
  			return errors.Wrap(err, "unable to get secret from secret store")
  		}
@@ -43,7 +43,7 @@ index 4dedc1b21c87..b7c310493e79 100644
  
  		uid, err := strconv.Atoi(s.File.UID)
  		if err != nil {
-@@ -253,6 +252,24 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
+@@ -338,6 +337,24 @@ func (daemon *Daemon) setupSecretDir(ctr *container.Container) (setupErr error)
  			return err
  		}
  
@@ -65,9 +65,9 @@ index 4dedc1b21c87..b7c310493e79 100644
 +				return errors.Wrap(err, "error injecting secret")
 +			}
 +		}
- 		if err := os.Chown(fPath, rootIDs.UID+uid, rootIDs.GID+gid); err != nil {
+ 		if err := os.Chown(fPath, ruid+uid, rgid+gid); err != nil {
  			return errors.Wrap(err, "error setting ownership for secret")
  		}
 -- 
-2.45.2
+2.51.0
 

0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch

@@ -1,90 +1,115 @@
-From 759482e941bde2b67d39b52c803e3390555ff9e9 Mon Sep 17 00:00:00 2001
+From 12c87ffce6cea19c87213e9a0174f5cc31ac3891 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Wed, 8 Mar 2017 11:43:29 +1100
-Subject: [PATCH 2/7] SECRETS: SUSE: implement SUSE container secrets
+Subject: [PATCH 3/6] SECRETS: SUSE: implement SUSE container secrets
 
 This allows for us to pass in host credentials to a container, allowing
 for SUSEConnect to work with containers.
 
+Users can disable this by setting DOCKER_SUSE_SECRETS_ENABLE=0 in
+/etc/sysconfig/docker or by adding that setting to docker.service's
+Environment using a drop-in file.
+
 THIS PATCH IS NOT TO BE UPSTREAMED, DUE TO THE FACT THAT IT IS
 SUSE-SPECIFIC, AND UPSTREAM DOES NOT APPROVE OF THIS CONCEPT BECAUSE IT
 MAKES BUILDS NOT ENTIRELY REPRODUCIBLE.
 
-SUSE-Bugs: bsc#1065609 bsc#1057743 bsc#1055676 bsc#1030702
+SUSE-Bugs: bsc#1065609 bsc#1057743 bsc#1055676 bsc#1030702 bsc#1231348 bsc#1240150
 Signed-off-by: Aleksa Sarai <asarai@suse.de>
 ---
  daemon/start.go        |   5 +
- daemon/suse_secrets.go | 415 +++++++++++++++++++++++++++++++++++++++++
+ daemon/suse_secrets.go | 438 +++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 420 insertions(+)
+ 2 files changed, 443 insertions(+)
- create mode 100644 daemon/suse_secrets.go
 
 diff --git a/daemon/start.go b/daemon/start.go
-index b967947af2ce..09e79e410310 100644
+index 0930ff91d1a2..02d2f8429c19 100644
 --- a/daemon/start.go
 +++ b/daemon/start.go
-@@ -123,6 +123,11 @@ func (daemon *Daemon) containerStart(ctx context.Context, daemonCfg *configStore
+@@ -156,6 +156,11 @@ func (daemon *Daemon) containerStart(ctx context.Context, daemonCfg *configStore
- 		return err
+ 	// SUSEConnect patch enabled (bsc#1244035).
- 	}
+ 	daemon.clearSuseSecrets(container)
  
-+	// SUSE:secrets -- inject the SUSE secret store
++	// SUSE:secrets -- Inject the SUSE secret store.
 +	if err := daemon.injectSuseSecretStore(container); err != nil {
 +		return err
 +	}
 +
- 	m, cleanup, err := daemon.setupMounts(ctx, container)
+ 	mnts, err := daemon.setupContainerDirs(container)
  	if err != nil {
  		return err
 diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go
-new file mode 100644
+index b8f3d9f9c094..5ab96651080b 100644
-index 000000000000..32b0ece91b59
+--- a/daemon/suse_secrets.go
---- /dev/null
 +++ b/daemon/suse_secrets.go
-@@ -0,0 +1,415 @@
+@@ -18,15 +18,378 @@
-+/*
+ package daemon
-+ * suse-secrets: patch for Docker to implement SUSE secrets
+ 
-+ * Copyright (C) 2017-2021 SUSE LLC.
+ import (
-+ *
-+ * Licensed under the Apache License, Version 2.0 (the "License");
-+ * you may not use this file except in compliance with the License.
-+ * You may obtain a copy of the License at
-+ *
-+ *    http://www.apache.org/licenses/LICENSE-2.0
-+ *
-+ * Unless required by applicable law or agreed to in writing, software
-+ * distributed under the License is distributed on an "AS IS" BASIS,
-+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-+ * See the License for the specific language governing permissions and
-+ * limitations under the License.
-+ */
-+
-+package daemon
-+
-+import (
 +	"archive/tar"
 +	"bytes"
++	"errors"
 +	"fmt"
 +	"io"
 +	"io/ioutil"
 +	"os"
 +	"path/filepath"
-+	"strings"
+ 	"strings"
 +	"syscall"
-+
+ 
-+	"github.com/docker/docker/container"
+ 	"github.com/docker/docker/container"
-+	"github.com/docker/docker/pkg/archive"
++	"github.com/docker/docker/pkg/rootless"
-+	"github.com/docker/docker/pkg/idtools"
+ 
-+
+ 	swarmtypes "github.com/docker/docker/api/types/swarm"
-+	swarmtypes "github.com/docker/docker/api/types/swarm"
++	"github.com/moby/go-archive"
 +	swarmexec "github.com/moby/swarmkit/v2/agent/exec"
 +	swarmapi "github.com/moby/swarmkit/v2/api"
-+
++	"github.com/moby/sys/user"
+ 
 +	"github.com/opencontainers/go-digest"
-+	"github.com/sirupsen/logrus"
+ 	"github.com/sirupsen/logrus"
-+)
+ )
+ 
++const suseSecretsTogglePath = "/etc/docker/suse-secrets-enable"
++
++// parseEnableFile parses a file that can only contain "0" or "1" (with some
++// whitespace).
++func parseEnableFile(path string) (bool, error) {
++	data, err := os.ReadFile(path)
++	if err != nil {
++		return false, err
++	}
++	data = bytes.TrimSpace(data)
++
++	switch value := string(data); value {
++	case "1":
++		return true, nil
++	case "0", "":
++		return false, nil
++	default:
++		return false, fmt.Errorf("invalid value %q (must be 0 to disable or 1 to enable)", value)
++	}
++}
++
++func isSuseSecretsEnabled() bool {
++	value, err := parseEnableFile(suseSecretsTogglePath)
++	if err != nil {
++		logrus.Warnf("SUSE:secrets :: error parsing %s: %v -- disabling SUSE secrets", suseSecretsTogglePath, err)
++		value = false
++	}
++	return value
++}
++
++var suseSecretsEnabled = true
 +
 +func init() {
-+	// Output to tell us in logs that SUSE:secrets is enabled.
++	// Make this entire feature toggle-able so that users can disable it if
-+	logrus.Infof("SUSE:secrets :: enabled")
++	// they run into issues like bsc#1231348.
++	suseSecretsEnabled = isSuseSecretsEnabled()
++	if suseSecretsEnabled {
++		logrus.Infof("SUSE:secrets :: SUSEConnect support enabled (set %s to 0 to disable)", suseSecretsTogglePath)
++	} else {
++		logrus.Infof("SUSE:secrets :: SUSEConnect support disabled by %s", suseSecretsTogglePath)
++	}
 +}
 +
 +// Creating a fake file.
@@ -113,14 +138,13 @@ index 000000000000..32b0ece91b59
 +	}
 +}
 +
-+func (s SuseFakeFile) toSecretReference(idMaps idtools.IdentityMapping) *swarmtypes.SecretReference {
++func (s SuseFakeFile) toSecretReference(idMaps user.IdentityMapping) *swarmtypes.SecretReference {
 +	// Figure out the host-facing {uid,gid} based on the provided maps. Fall
 +	// back to root if the UID/GID don't match (we are guaranteed that root is
 +	// mapped).
-+	ctrUser := idtools.Identity{UID: s.Uid, GID: s.Gid}
++	hostUID, hostGID := idMaps.RootPair()
-+	hostUser := idMaps.RootPair()
++	if uid, gid, err := idMaps.ToHost(s.Uid, s.Gid); err == nil {
-+	if user, err := idMaps.ToHost(ctrUser); err == nil {
++		hostUID, hostGID = uid, gid
-+		hostUser = user
 +	}
 +
 +	// Return the secret reference as a file target.
@@ -129,8 +153,8 @@ index 000000000000..32b0ece91b59
 +		SecretName: s.id(),
 +		File: &swarmtypes.SecretReferenceFileTarget{
 +			Name: s.Path,
-+			UID:  fmt.Sprintf("%d", hostUser.UID),
++			UID:  fmt.Sprintf("%d", hostUID),
-+			GID:  fmt.Sprintf("%d", hostUser.GID),
++			GID:  fmt.Sprintf("%d", hostGID),
 +			Mode: s.Mode,
 +		},
 +	}
@@ -175,11 +199,11 @@ index 000000000000..32b0ece91b59
 +		IncludeSourceDir: true,
 +	})
 +	if err != nil {
-+		return nil, fmt.Errorf("SUSE:secrets :: failed to tar source directory %q: %v", path, err)
++		return nil, fmt.Errorf("SUSE:secrets :: failed to tar source directory %q: %w", path, err)
 +	}
 +	tarStreamBytes, err := ioutil.ReadAll(tarStream)
 +	if err != nil {
-+		return nil, fmt.Errorf("SUSE:secrets :: failed to read full tar archive: %v", err)
++		return nil, fmt.Errorf("SUSE:secrets :: failed to read full tar archive: %w", err)
 +	}
 +
 +	// Get a list of the symlinks in the tar archive.
@@ -191,7 +215,7 @@ index 000000000000..32b0ece91b59
 +			break
 +		}
 +		if err != nil {
-+			return nil, fmt.Errorf("SUSE:secrets :: failed to read through tar reader: %v", err)
++			return nil, fmt.Errorf("SUSE:secrets :: failed to read through tar reader: %w", err)
 +		}
 +		if hdr.Typeflag == tar.TypeSymlink {
 +			symlinks = append(symlinks, hdr.Name)
@@ -212,7 +236,7 @@ index 000000000000..32b0ece91b59
 +			// Get a copy of the original byte stream.
 +			oldContent, err := ioutil.ReadAll(r)
 +			if err != nil {
-+				return nil, nil, fmt.Errorf("suse_rewrite: failed to read archive entry %q: %v", tarPath, err)
++				return nil, nil, fmt.Errorf("suse_rewrite: failed to read archive entry %q: %w", tarPath, err)
 +			}
 +
 +			// Check that the file actually exists.
@@ -250,7 +274,7 @@ index 000000000000..32b0ece91b59
 +	tarStream = archive.ReplaceFileTarWrapper(ioutil.NopCloser(bytes.NewBuffer(tarStreamBytes)), symlinkModifyMap)
 +	tarStreamBytes, err = ioutil.ReadAll(tarStream)
 +	if err != nil {
-+		return nil, fmt.Errorf("SUSE:secrets :: failed to read rewritten archive: %v", err)
++		return nil, fmt.Errorf("SUSE:secrets :: failed to read rewritten archive: %w", err)
 +	}
 +
 +	// Add the tar stream as a "file".
@@ -393,22 +417,41 @@ index 000000000000..32b0ece91b59
 +	return secret, nil
 +}
 +
-+// removeSuseSecrets removes any SecretReferences which were added by us
+ // clearSuseSecrets removes any SecretReferences which were added by us
-+// explicitly (this is detected by checking that the prefix has a 'suse'
+ // explicitly (this is detected by checking that the prefix has a 'suse_'
-+// prefix). See bsc#1057743.
+ // prefix, which is a prefix that cannot exist for normal swarm secrets). See
-+func removeSuseSecrets(c *container.Container) {
+@@ -42,3 +405,78 @@ func (daemon *Daemon) clearSuseSecrets(c *container.Container) {
-+	var without []*swarmtypes.SecretReference
+ 	}
-+	for _, secret := range c.SecretReferences {
+ 	c.SecretReferences = without
-+		if strings.HasPrefix(secret.SecretID, "suse") {
+ }
-+			logrus.Warnf("SUSE:secrets :: removing 'old' suse secret %q from container %q", secret.SecretID, c.ID)
++
-+			continue
++func (daemon *Daemon) isRootless() bool {
-+		}
++	cfg := daemon.Config()
-+		without = append(without, secret)
++	return os.Geteuid() != 0 || Rootless(&cfg) || rootless.RunningWithRootlessKit()
-+	}
-+	c.SecretReferences = without
 +}
 +
 +func (daemon *Daemon) injectSuseSecretStore(c *container.Container) error {
++	// We drop any "old" SUSE secrets, as it appears that old containers (when
++	// restarted) could still have references to old secrets. The .id() of all
++	// secrets have a prefix of "suse" so this is much easier. See bsc#1057743
++	// for details on why this could cause issues.
++	daemon.clearSuseSecrets(c)
++
++	// Don't inject anything if the administrator has disabled suse secrets.
++	// However, for previous existing containers we need to remove old secrets
++	// (see above), otherwise they will still have old secret data.
++	if !suseSecretsEnabled {
++		logrus.Debugf("SUSE:secrets :: skipping injection of secrets into container %q because of %s", c.ID, suseSecretsTogglePath)
++		return nil
++	}
++	// Unprivileged users (or Docker in rootless mode, in a user namespace)
++	// cannot access host zypper credentials so there is no real point even
++	// trying to inject them into the container. bsc#1240150
++	if daemon.isRootless() {
++		logrus.Debugf("SUSE:secrets :: skipping injection of secrets into container in rootless mode")
++		return nil
++	}
++
 +	newDependencyStore := &suseDependencyStore{
 +		dfl:     c.DependencyStore,
 +		secrets: make(map[string]*swarmapi.Secret),
@@ -418,13 +461,14 @@ index 000000000000..32b0ece91b59
 +		newDependencyStore.dfl = emptyStore
 +	}
 +
-+	// We drop any "old" SUSE secrets, as it appears that old containers (when
-+	// restarted) could still have references to old secrets. The .id() of all
-+	// secrets have a prefix of "suse" so this is much easier. See bsc#1057743
-+	// for details on why this could cause issues.
-+	removeSuseSecrets(c)
-+
 +	secrets, err := getHostSuseSecretData()
++	if errors.Is(err, os.ErrPermission) {
++		// This should only ever really happen for rootless Docker (which we
++		// already handled above), but ignore permission errors here just in
++		// case. bsc#1240150
++		logrus.Debugf("SUSE:secrets :: skipping injection of secrets into container because of permission error while loading host data")
++		return nil
++	}
 +	if err != nil {
 +		return err
 +	}
@@ -456,5 +500,5 @@ index 000000000000..32b0ece91b59
 +	return nil
 +}
 -- 
-2.45.2
+2.51.0
 

0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch

@@ -1,7 +1,7 @@
-From 983a57fd37dc8e42e9c4e4dfc72eb346a4385948 Mon Sep 17 00:00:00 2001
+From be344f919f392cad31c96f53615d0010d7c1bab8 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Mon, 22 May 2023 15:44:54 +1000
-Subject: [PATCH 3/7] BUILD: SLE12: revert "graphdriver/btrfs: use kernel UAPI
+Subject: [PATCH 4/6] BUILD: SLE12: revert "graphdriver/btrfs: use kernel UAPI
  headers"
 
 This reverts commit 3208dcabdc8997340b255f5b880fef4e3f54580d.
@@ -16,10 +16,10 @@ Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
  1 file changed, 4 insertions(+), 9 deletions(-)
 
 diff --git a/daemon/graphdriver/btrfs/btrfs.go b/daemon/graphdriver/btrfs/btrfs.go
-index 6aaa33cf7622..7264d4036427 100644
+index fa0cb3ed25d8..871f6b3f8c1f 100644
 --- a/daemon/graphdriver/btrfs/btrfs.go
 +++ b/daemon/graphdriver/btrfs/btrfs.go
-@@ -4,17 +4,12 @@ package btrfs // import "github.com/docker/docker/daemon/graphdriver/btrfs"
+@@ -4,17 +4,12 @@ package btrfs
  
  /*
  #include <stdlib.h>
@@ -42,5 +42,5 @@ index 6aaa33cf7622..7264d4036427 100644
  static void set_name_btrfs_ioctl_vol_args_v2(struct btrfs_ioctl_vol_args_v2* btrfs_struct, const char* value) {
      snprintf(btrfs_struct->name, BTRFS_SUBVOL_NAME_MAX, "%s", value);
 -- 
-2.45.2
+2.51.0
 

0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch

@@ -1,7 +1,7 @@
-From 8829bb8ec53399fd41dd6f46e2bad64e773e8eaa Mon Sep 17 00:00:00 2001
+From f6e33b35f540cc1ac3c7cc6403916e23239fdb23 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Fri, 29 Jun 2018 17:59:30 +1000
-Subject: [PATCH 4/7] bsc1073877: apparmor: clobber docker-default profile on
+Subject: [PATCH 5/6] bsc1073877: apparmor: clobber docker-default profile on
  start
 
 In the process of making docker-default reloading far less expensive,
@@ -22,7 +22,7 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
  3 files changed, 17 insertions(+), 6 deletions(-)
 
 diff --git a/daemon/apparmor_default.go b/daemon/apparmor_default.go
-index 81e10b6cbec0..e695667a190f 100644
+index a1048e303c1e..e087f6b9265f 100644
 --- a/daemon/apparmor_default.go
 +++ b/daemon/apparmor_default.go
 @@ -23,6 +23,15 @@ func DefaultApparmorProfile() string {
@@ -54,12 +54,12 @@ index 81e10b6cbec0..e695667a190f 100644
  	return nil
  }
 diff --git a/daemon/apparmor_default_unsupported.go b/daemon/apparmor_default_unsupported.go
-index be4938f5b61a..2b326fea5829 100644
+index 37974bbb9778..095aa728a7a8 100644
 --- a/daemon/apparmor_default_unsupported.go
 +++ b/daemon/apparmor_default_unsupported.go
 @@ -2,6 +2,10 @@
  
- package daemon // import "github.com/docker/docker/daemon"
+ package daemon
  
 +func clobberDefaultAppArmorProfile() error {
 +	return nil
@@ -69,10 +69,10 @@ index be4938f5b61a..2b326fea5829 100644
  	return nil
  }
 diff --git a/daemon/daemon.go b/daemon/daemon.go
-index e7ca77d8cbfc..13b39538fb00 100644
+index 2e0a36eb102b..f28c6e061fa9 100644
 --- a/daemon/daemon.go
 +++ b/daemon/daemon.go
-@@ -916,8 +916,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
+@@ -878,8 +878,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
  		log.G(ctx).Warnf("Failed to configure golang's threads limit: %v", err)
  	}
  
@@ -81,9 +81,9 @@ index e7ca77d8cbfc..13b39538fb00 100644
 +	// Make sure we clobber any pre-existing docker-default profile to ensure
 +	// that upgrades to the profile actually work smoothly.
 +	if err := clobberDefaultAppArmorProfile(); err != nil {
- 		log.G(ctx).Errorf(err.Error())
+ 		log.G(ctx).WithError(err).Error("Failed to ensure default apparmor profile is loaded")
  	}
  
 -- 
-2.45.2
+2.51.0
 

0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch

@@ -1,7 +1,7 @@
-From 24173cd6a2643e5e680e84920864f42ed43b6f28 Mon Sep 17 00:00:00 2001
+From 7bd32fa91ed29b32d42991304b9a55a1f7db2ece Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Wed, 11 Oct 2023 21:19:12 +1100
-Subject: [PATCH 5/7] SLE12: revert "apparmor: remove version-conditionals from
+Subject: [PATCH 6/6] SLE12: revert "apparmor: remove version-conditionals from
  template"
 
 This reverts the following commits:
@@ -17,11 +17,11 @@ apparmor_parser version is quite old.
 
 Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
 ---
- contrib/apparmor/main.go      | 16 ++++++-
+ contrib/apparmor/main.go                      | 16 +++-
- contrib/apparmor/template.go  | 16 +++++++
+ contrib/apparmor/template.go                  | 16 ++++
- pkg/aaparser/aaparser.go      | 86 +++++++++++++++++++++++++++++++++++
+ pkg/aaparser/aaparser.go                      | 86 +++++++++++++++++++
- profiles/apparmor/apparmor.go | 16 ++++++-
+ .../moby/profiles/apparmor/apparmor.go        | 16 +++-
- profiles/apparmor/template.go |  4 ++
+ .../moby/profiles/apparmor/template.go        |  4 +
  5 files changed, 134 insertions(+), 4 deletions(-)
  create mode 100644 pkg/aaparser/aaparser.go
 
@@ -248,10 +248,10 @@ index 000000000000..89b48b2dba58
 +	numericVersion := majorVersion*1e5 + minorVersion*1e3 + patchLevel
 +	return numericVersion, nil
 +}
-diff --git a/profiles/apparmor/apparmor.go b/profiles/apparmor/apparmor.go
+diff --git a/vendor/github.com/moby/profiles/apparmor/apparmor.go b/vendor/github.com/moby/profiles/apparmor/apparmor.go
-index 277c853ebe1f..d1aad80cbfd2 100644
+index 445eed64e979..871b1f7d63c2 100644
---- a/profiles/apparmor/apparmor.go
+--- a/vendor/github.com/moby/profiles/apparmor/apparmor.go
-+++ b/profiles/apparmor/apparmor.go
++++ b/vendor/github.com/moby/profiles/apparmor/apparmor.go
 @@ -11,10 +11,14 @@ import (
  	"path"
  	"strings"
@@ -291,11 +291,11 @@ index 277c853ebe1f..d1aad80cbfd2 100644
  	return compiled.Execute(out, p)
  }
  
-diff --git a/profiles/apparmor/template.go b/profiles/apparmor/template.go
+diff --git a/vendor/github.com/moby/profiles/apparmor/template.go b/vendor/github.com/moby/profiles/apparmor/template.go
-index 8dbc1b610288..2062aab1ac99 100644
+index 2ebcc218a702..682425f71e64 100644
---- a/profiles/apparmor/template.go
+--- a/vendor/github.com/moby/profiles/apparmor/template.go
-+++ b/profiles/apparmor/template.go
++++ b/vendor/github.com/moby/profiles/apparmor/template.go
-@@ -23,6 +23,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
+@@ -22,6 +22,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
    capability,
    file,
    umount,
@@ -303,7 +303,7 @@ index 8dbc1b610288..2062aab1ac99 100644
    # Host (privileged) processes may send signals to container processes.
    signal (receive) peer=unconfined,
    # runc may send signals to container processes (for "docker stop").
-@@ -33,6 +34,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
+@@ -32,6 +33,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
    signal (receive) peer={{.DaemonProfile}},
    # Container processes may send signals amongst themselves.
    signal (send,receive) peer={{.Name}},
@@ -311,7 +311,7 @@ index 8dbc1b610288..2062aab1ac99 100644
  
    deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a subdir)
    # deny write to files not in /proc/<number>/** or /proc/sys/**
-@@ -53,7 +55,9 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
+@@ -52,7 +54,9 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
    deny /sys/devices/virtual/powercap/** rwklx,
    deny /sys/kernel/security/** rwklx,
  
@@ -322,5 +322,5 @@ index 8dbc1b610288..2062aab1ac99 100644
  }
  `
 -- 
-2.45.2
+2.51.0
 

0006-bsc1221916-update-to-patched-buildkit-version-to-fix.patch

@@ -1,890 +0,0 @@
-From dd16d113b9215bf5b0b56c409e7272ce07525836 Mon Sep 17 00:00:00 2001
-From: Aleksa Sarai <cyphar@cyphar.com>
-Date: Tue, 7 May 2024 01:51:25 +1000
-Subject: [PATCH 6/7] bsc1221916: update to patched buildkit version to fix
- symlink resolution
-
-SUSE-Bugs: https://bugzilla.suse.com/show_bug.cgi?id=1221916
-Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
----
- vendor.mod                                    |   2 +
- vendor.sum                                    |   4 +-
- .../buildkit/cache/contenthash/checksum.go    | 393 ++++++++++--------
- .../moby/buildkit/cache/contenthash/path.go   | 161 +++----
- vendor/modules.txt                            |   3 +-
- 5 files changed, 314 insertions(+), 249 deletions(-)
-
-diff --git a/vendor.mod b/vendor.mod
-index d69d2aa9f87f..5c42a653b91b 100644
---- a/vendor.mod
-+++ b/vendor.mod
-@@ -114,6 +114,8 @@ require (
- 	tags.cncf.io/container-device-interface v0.7.2
- )
- 
-+replace github.com/moby/buildkit => github.com/cyphar/buildkit v0.0.0-20240624075140-0db2d2345b94
-+
- require (
- 	cloud.google.com/go v0.110.8 // indirect
- 	cloud.google.com/go/compute v1.23.1 // indirect
-diff --git a/vendor.sum b/vendor.sum
-index 7a5bd6b4077b..f2aba7f8d3eb 100644
---- a/vendor.sum
-+++ b/vendor.sum
-@@ -199,6 +199,8 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3
- github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
- github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=
- github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
-+github.com/cyphar/buildkit v0.0.0-20240624075140-0db2d2345b94 h1:xBwPT+ap0LDYsQJh1VKm9NNEKF5A7e/P3TRjnbTqZUE=
-+github.com/cyphar/buildkit v0.0.0-20240624075140-0db2d2345b94/go.mod h1:2cyVOv9NoHM7arphK9ZfHIWKn9YVZRFd1wXB8kKmEzY=
- github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
- github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
- github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-@@ -480,8 +482,6 @@ github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh
- github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
- github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
- github.com/mndrix/tap-go v0.0.0-20171203230836-629fa407e90b/go.mod h1:pzzDgJWZ34fGzaAZGFW22KVZDfyrYW+QABMrWnJBnSs=
--github.com/moby/buildkit v0.13.2 h1:nXNszM4qD9E7QtG7bFWPnDI1teUQFQglBzon/IU3SzI=
--github.com/moby/buildkit v0.13.2/go.mod h1:2cyVOv9NoHM7arphK9ZfHIWKn9YVZRFd1wXB8kKmEzY=
- github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
- github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
- github.com/moby/ipvs v1.1.0 h1:ONN4pGaZQgAx+1Scz5RvWV4Q7Gb+mvfRh3NsPS+1XQQ=
-diff --git a/vendor/github.com/moby/buildkit/cache/contenthash/checksum.go b/vendor/github.com/moby/buildkit/cache/contenthash/checksum.go
-index e0f58d57b3db..ec649f69b5e0 100644
---- a/vendor/github.com/moby/buildkit/cache/contenthash/checksum.go
-+++ b/vendor/github.com/moby/buildkit/cache/contenthash/checksum.go
-@@ -10,6 +10,7 @@ import (
- 	"path/filepath"
- 	"strings"
- 	"sync"
-+	"sync/atomic"
- 
- 	iradix "github.com/hashicorp/go-immutable-radix"
- 	"github.com/hashicorp/golang-lru/simplelru"
-@@ -290,7 +291,7 @@ func keyPath(p string) string {
- // HandleChange notifies the source about a modification operation
- func (cc *cacheContext) HandleChange(kind fsutil.ChangeKind, p string, fi os.FileInfo, err error) (retErr error) {
- 	p = keyPath(p)
--	k := convertPathToKey([]byte(p))
-+	k := convertPathToKey(p)
- 
- 	deleteDir := func(cr *CacheRecord) {
- 		if cr.Type == CacheRecordTypeDir {
-@@ -369,7 +370,7 @@ func (cc *cacheContext) HandleChange(kind fsutil.ChangeKind, p string, fi os.Fil
- 	// note that the source may be called later because data writing is async
- 	if fi.Mode()&os.ModeSymlink == 0 && stat.Linkname != "" {
- 		ln := path.Join("/", filepath.ToSlash(stat.Linkname))
--		v, ok := cc.txn.Get(convertPathToKey([]byte(ln)))
-+		v, ok := cc.txn.Get(convertPathToKey(ln))
- 		if ok {
- 			cp := *v.(*CacheRecord)
- 			cr = &cp
-@@ -407,7 +408,7 @@ func (cc *cacheContext) Checksum(ctx context.Context, mountable cache.Mountable,
- 	defer m.clean()
- 
- 	if !opts.Wildcard && len(opts.IncludePatterns) == 0 && len(opts.ExcludePatterns) == 0 {
--		return cc.checksumFollow(ctx, m, p, opts.FollowLinks)
-+		return cc.lazyChecksum(ctx, m, p, opts.FollowLinks)
- 	}
- 
- 	includedPaths, err := cc.includedPaths(ctx, m, p, opts)
-@@ -418,7 +419,7 @@ func (cc *cacheContext) Checksum(ctx context.Context, mountable cache.Mountable,
- 	if opts.FollowLinks {
- 		for i, w := range includedPaths {
- 			if w.record.Type == CacheRecordTypeSymlink {
--				dgst, err := cc.checksumFollow(ctx, m, w.path, opts.FollowLinks)
-+				dgst, err := cc.lazyChecksum(ctx, m, w.path, opts.FollowLinks)
- 				if err != nil {
- 					return "", err
- 				}
-@@ -445,30 +446,6 @@ func (cc *cacheContext) Checksum(ctx context.Context, mountable cache.Mountable,
- 	return digester.Digest(), nil
- }
- 
--func (cc *cacheContext) checksumFollow(ctx context.Context, m *mount, p string, follow bool) (digest.Digest, error) {
--	const maxSymlinkLimit = 255
--	i := 0
--	for {
--		if i > maxSymlinkLimit {
--			return "", errors.Errorf("too many symlinks: %s", p)
--		}
--		cr, err := cc.checksumNoFollow(ctx, m, p)
--		if err != nil {
--			return "", err
--		}
--		if cr.Type == CacheRecordTypeSymlink && follow {
--			link := cr.Linkname
--			if !path.IsAbs(cr.Linkname) {
--				link = path.Join(path.Dir(p), link)
--			}
--			i++
--			p = link
--		} else {
--			return cr.Digest, nil
--		}
--	}
--}
--
- func (cc *cacheContext) includedPaths(ctx context.Context, m *mount, p string, opts ChecksumOpts) ([]*includedPath, error) {
- 	cc.mu.Lock()
- 	defer cc.mu.Unlock()
-@@ -478,12 +455,12 @@ func (cc *cacheContext) includedPaths(ctx context.Context, m *mount, p string, o
- 	}
- 
- 	root := cc.tree.Root()
--	scan, err := cc.needsScan(root, "")
-+	scan, err := cc.needsScan(root, "", false)
- 	if err != nil {
- 		return nil, err
- 	}
- 	if scan {
--		if err := cc.scanPath(ctx, m, ""); err != nil {
-+		if err := cc.scanPath(ctx, m, "", false); err != nil {
- 			return nil, err
- 		}
- 	}
-@@ -536,13 +513,13 @@ func (cc *cacheContext) includedPaths(ctx context.Context, m *mount, p string, o
- 		}
- 	} else {
- 		origPrefix = p
--		k = convertPathToKey([]byte(origPrefix))
-+		k = convertPathToKey(origPrefix)
- 
- 		// We need to resolve symlinks here, in case the base path
- 		// involves a symlink. That will match fsutil behavior of
- 		// calling functions such as stat and walk.
- 		var cr *CacheRecord
--		k, cr, err = getFollowLinks(root, k, true)
-+		k, cr, err = getFollowLinks(root, k, false)
- 		if err != nil {
- 			return nil, err
- 		}
-@@ -554,7 +531,7 @@ func (cc *cacheContext) includedPaths(ctx context.Context, m *mount, p string, o
- 			iter.SeekLowerBound(append(append([]byte{}, k...), 0))
- 		}
- 
--		resolvedPrefix = string(convertKeyToPath(k))
-+		resolvedPrefix = convertKeyToPath(k)
- 	} else {
- 		k, _, keyOk = iter.Next()
- 	}
-@@ -565,7 +542,7 @@ func (cc *cacheContext) includedPaths(ctx context.Context, m *mount, p string, o
- 	)
- 
- 	for keyOk {
--		fn := string(convertKeyToPath(k))
-+		fn := convertKeyToPath(k)
- 
- 		// Convert the path prefix from what we found in the prefix
- 		// tree to what the argument specified.
-@@ -751,36 +728,12 @@ func wildcardPrefix(root *iradix.Node, p string) (string, []byte, bool, error) {
- 		return "", nil, false, nil
- 	}
- 
--	linksWalked := 0
--	k, cr, err := getFollowLinksWalk(root, convertPathToKey([]byte(d1)), true, &linksWalked)
-+	// Only resolve the final symlink component if there are components in the
-+	// wildcard segment.
-+	k, cr, err := getFollowLinks(root, convertPathToKey(d1), d2 != "")
- 	if err != nil {
- 		return "", k, false, err
- 	}
--
--	if d2 != "" && cr != nil && cr.Type == CacheRecordTypeSymlink {
--		// getFollowLinks only handles symlinks in path
--		// components before the last component, so
--		// handle last component in d1 specially.
--		resolved := string(convertKeyToPath(k))
--		for {
--			v, ok := root.Get(k)
--
--			if !ok {
--				return d1, k, false, nil
--			}
--			if v.(*CacheRecord).Type != CacheRecordTypeSymlink {
--				break
--			}
--
--			linksWalked++
--			if linksWalked > 255 {
--				return "", k, false, errors.Errorf("too many links")
--			}
--
--			resolved := cleanLink(resolved, v.(*CacheRecord).Linkname)
--			k = convertPathToKey([]byte(resolved))
--		}
--	}
- 	return d1, k, cr != nil, nil
- }
- 
-@@ -816,19 +769,22 @@ func containsWildcards(name string) bool {
- 	return false
- }
- 
--func (cc *cacheContext) checksumNoFollow(ctx context.Context, m *mount, p string) (*CacheRecord, error) {
-+func (cc *cacheContext) lazyChecksum(ctx context.Context, m *mount, p string, followTrailing bool) (digest.Digest, error) {
- 	p = keyPath(p)
-+	k := convertPathToKey(p)
- 
-+	// Try to look up the path directly without doing a scan.
- 	cc.mu.RLock()
- 	if cc.txn == nil {
- 		root := cc.tree.Root()
- 		cc.mu.RUnlock()
--		v, ok := root.Get(convertPathToKey([]byte(p)))
--		if ok {
--			cr := v.(*CacheRecord)
--			if cr.Digest != "" {
--				return cr, nil
--			}
-+
-+		_, cr, err := getFollowLinks(root, k, followTrailing)
-+		if err != nil {
-+			return "", err
-+		}
-+		if cr != nil && cr.Digest != "" {
-+			return cr.Digest, nil
- 		}
- 	} else {
- 		cc.mu.RUnlock()
-@@ -848,7 +804,11 @@ func (cc *cacheContext) checksumNoFollow(ctx context.Context, m *mount, p string
- 		}
- 	}()
- 
--	return cc.lazyChecksum(ctx, m, p)
-+	cr, err := cc.scanChecksum(ctx, m, p, followTrailing)
-+	if err != nil {
-+		return "", err
-+	}
-+	return cr.Digest, nil
- }
- 
- func (cc *cacheContext) commitActiveTransaction() {
-@@ -856,7 +816,7 @@ func (cc *cacheContext) commitActiveTransaction() {
- 		addParentToMap(d, cc.dirtyMap)
- 	}
- 	for d := range cc.dirtyMap {
--		k := convertPathToKey([]byte(d))
-+		k := convertPathToKey(d)
- 		if _, ok := cc.txn.Get(k); ok {
- 			cc.txn.Insert(k, &CacheRecord{Type: CacheRecordTypeDir})
- 		}
-@@ -867,21 +827,21 @@ func (cc *cacheContext) commitActiveTransaction() {
- 	cc.txn = nil
- }
- 
--func (cc *cacheContext) lazyChecksum(ctx context.Context, m *mount, p string) (*CacheRecord, error) {
-+func (cc *cacheContext) scanChecksum(ctx context.Context, m *mount, p string, followTrailing bool) (*CacheRecord, error) {
- 	root := cc.tree.Root()
--	scan, err := cc.needsScan(root, p)
-+	scan, err := cc.needsScan(root, p, followTrailing)
- 	if err != nil {
- 		return nil, err
- 	}
- 	if scan {
--		if err := cc.scanPath(ctx, m, p); err != nil {
-+		if err := cc.scanPath(ctx, m, p, followTrailing); err != nil {
- 			return nil, err
- 		}
- 	}
--	k := convertPathToKey([]byte(p))
-+	k := convertPathToKey(p)
- 	txn := cc.tree.Txn()
- 	root = txn.Root()
--	cr, updated, err := cc.checksum(ctx, root, txn, m, k, true)
-+	cr, updated, err := cc.checksum(ctx, root, txn, m, k, followTrailing)
- 	if err != nil {
- 		return nil, err
- 	}
-@@ -890,9 +850,9 @@ func (cc *cacheContext) lazyChecksum(ctx context.Context, m *mount, p string) (*
- 	return cr, err
- }
- 
--func (cc *cacheContext) checksum(ctx context.Context, root *iradix.Node, txn *iradix.Txn, m *mount, k []byte, follow bool) (*CacheRecord, bool, error) {
-+func (cc *cacheContext) checksum(ctx context.Context, root *iradix.Node, txn *iradix.Txn, m *mount, k []byte, followTrailing bool) (*CacheRecord, bool, error) {
- 	origk := k
--	k, cr, err := getFollowLinks(root, k, follow)
-+	k, cr, err := getFollowLinks(root, k, followTrailing)
- 	if err != nil {
- 		return nil, false, err
- 	}
-@@ -918,7 +878,9 @@ func (cc *cacheContext) checksum(ctx context.Context, root *iradix.Node, txn *ir
- 			}
- 			h.Write(bytes.TrimPrefix(subk, k))
- 
--			subcr, _, err := cc.checksum(ctx, root, txn, m, subk, true)
-+			// We do not follow trailing links when checksumming a directory's
-+			// contents.
-+			subcr, _, err := cc.checksum(ctx, root, txn, m, subk, false)
- 			if err != nil {
- 				return nil, false, err
- 			}
-@@ -935,7 +897,7 @@ func (cc *cacheContext) checksum(ctx context.Context, root *iradix.Node, txn *ir
- 		dgst = digest.NewDigest(digest.SHA256, h)
- 
- 	default:
--		p := string(convertKeyToPath(bytes.TrimSuffix(k, []byte{0})))
-+		p := convertKeyToPath(bytes.TrimSuffix(k, []byte{0}))
- 
- 		target, err := m.mount(ctx)
- 		if err != nil {
-@@ -967,42 +929,82 @@ func (cc *cacheContext) checksum(ctx context.Context, root *iradix.Node, txn *ir
- 	return cr2, true, nil
- }
- 
--// needsScan returns false if path is in the tree or a parent path is in tree
--// and subpath is missing
--func (cc *cacheContext) needsScan(root *iradix.Node, p string) (bool, error) {
--	var linksWalked int
--	return cc.needsScanFollow(root, p, &linksWalked)
-+// pathSet is a set of path prefixes that can be used to see if a given path is
-+// lexically a child of any path in the set. All paths provided to this set
-+// MUST be absolute and use / as the separator.
-+type pathSet struct {
-+	// prefixes contains paths of the form "/a/b/", so that we correctly detect
-+	// /a/b as being a parent of /a/b/c but not /a/bc.
-+	prefixes []string
- }
- 
--func (cc *cacheContext) needsScanFollow(root *iradix.Node, p string, linksWalked *int) (bool, error) {
--	if p == "/" {
--		p = ""
--	}
--	v, ok := root.Get(convertPathToKey([]byte(p)))
--	if !ok {
--		if p == "" {
--			return true, nil
-+// add a path to the set. This is a no-op if includes(path) == true.
-+func (s *pathSet) add(p string) {
-+	// Ensure the path is absolute and clean.
-+	p = path.Join("/", p)
-+	if !s.includes(p) {
-+		if p != "/" {
-+			p += "/"
- 		}
--		return cc.needsScanFollow(root, path.Clean(path.Dir(p)), linksWalked)
-+		s.prefixes = append(s.prefixes, p)
-+	}
-+}
-+
-+// includes returns true iff there is a path in the pathSet which is a lexical
-+// parent of the given path. The provided path MUST be an absolute path and
-+// MUST NOT contain any ".." components, as they will be path.Clean'd.
-+func (s pathSet) includes(p string) bool {
-+	// Ensure the path is absolute and clean.
-+	p = path.Join("/", p)
-+	if p != "/" {
-+		p += "/"
- 	}
--	cr := v.(*CacheRecord)
--	if cr.Type == CacheRecordTypeSymlink {
--		if *linksWalked > 255 {
--			return false, errTooManyLinks
-+	for _, prefix := range s.prefixes {
-+		if strings.HasPrefix(p, prefix) {
-+			return true
- 		}
--		*linksWalked++
--		link := path.Clean(cr.Linkname)
--		if !path.IsAbs(cr.Linkname) {
--			link = path.Join("/", path.Dir(p), link)
-+	}
-+	return false
-+}
-+
-+// needsScan returns false if path is in the tree or a parent path is in tree
-+// and subpath is missing.
-+func (cc *cacheContext) needsScan(root *iradix.Node, path string, followTrailing bool) (bool, error) {
-+	var (
-+		goodPaths       pathSet
-+		hasParentInTree bool
-+	)
-+	k := convertPathToKey(path)
-+	_, cr, err := getFollowLinksCallback(root, k, followTrailing, func(subpath string, cr *CacheRecord) error {
-+		// If we found a path that exists in the cache, add it to the set of
-+		// known-scanned paths. Otherwise, verify whether the not-found subpath
-+		// is inside a known-scanned path (we might have hit a "..", taking us
-+		// out of the scanned paths, or we might hit a non-existent path inside
-+		// a scanned path). getFollowLinksCallback iterates left-to-right, so
-+		// we will always hit ancestors first.
-+		if cr != nil {
-+			hasParentInTree = cr.Type != CacheRecordTypeSymlink
-+			goodPaths.add(subpath)
-+		} else {
-+			hasParentInTree = goodPaths.includes(subpath)
- 		}
--		return cc.needsScanFollow(root, link, linksWalked)
-+		return nil
-+	})
-+	if err != nil {
-+		return false, err
- 	}
--	return false, nil
-+	return cr == nil && !hasParentInTree, nil
- }
- 
--func (cc *cacheContext) scanPath(ctx context.Context, m *mount, p string) (retErr error) {
-+// Only used by TestNeedScanChecksumRegression to make sure scanPath is not
-+// called for paths we have already scanned.
-+var (
-+	scanCounterEnable bool
-+	scanCounter       atomic.Uint64
-+)
-+
-+func (cc *cacheContext) scanPath(ctx context.Context, m *mount, p string, followTrailing bool) (retErr error) {
- 	p = path.Join("/", p)
--	d, _ := path.Split(p)
- 
- 	mp, err := m.mount(ctx)
- 	if err != nil {
-@@ -1012,33 +1014,42 @@ func (cc *cacheContext) scanPath(ctx context.Context, m *mount, p string) (retEr
- 	n := cc.tree.Root()
- 	txn := cc.tree.Txn()
- 
--	parentPath, err := rootPath(mp, filepath.FromSlash(d), func(p, link string) error {
-+	resolvedPath, err := rootPath(mp, filepath.FromSlash(p), followTrailing, func(p, link string) error {
- 		cr := &CacheRecord{
- 			Type:     CacheRecordTypeSymlink,
- 			Linkname: filepath.ToSlash(link),
- 		}
--		k := []byte(path.Join("/", filepath.ToSlash(p)))
--		k = convertPathToKey(k)
--		txn.Insert(k, cr)
-+		p = path.Join("/", filepath.ToSlash(p))
-+		txn.Insert(convertPathToKey(p), cr)
- 		return nil
- 	})
- 	if err != nil {
- 		return err
- 	}
- 
--	err = filepath.Walk(parentPath, func(itemPath string, fi os.FileInfo, err error) error {
-+	// Scan the parent directory of the path we resolved, unless we're at the
-+	// root (in which case we scan the root).
-+	scanPath := filepath.Dir(resolvedPath)
-+	if !strings.HasPrefix(filepath.ToSlash(scanPath)+"/", filepath.ToSlash(mp)+"/") {
-+		scanPath = resolvedPath
-+	}
-+
-+	err = filepath.Walk(scanPath, func(itemPath string, fi os.FileInfo, err error) error {
-+		if scanCounterEnable {
-+			scanCounter.Add(1)
-+		}
- 		if err != nil {
-+			// If the root doesn't exist, ignore the error.
-+			if itemPath == scanPath && errors.Is(err, os.ErrNotExist) {
-+				return nil
-+			}
- 			return errors.Wrapf(err, "failed to walk %s", itemPath)
- 		}
- 		rel, err := filepath.Rel(mp, itemPath)
- 		if err != nil {
- 			return err
- 		}
--		k := []byte(path.Join("/", filepath.ToSlash(rel)))
--		if string(k) == "/" {
--			k = []byte{}
--		}
--		k = convertPathToKey(k)
-+		k := convertPathToKey(keyPath(rel))
- 		if _, ok := n.Get(k); !ok {
- 			cr := &CacheRecord{
- 				Type: CacheRecordTypeFile,
-@@ -1071,55 +1082,118 @@ func (cc *cacheContext) scanPath(ctx context.Context, m *mount, p string) (retEr
- 	return nil
- }
- 
--func getFollowLinks(root *iradix.Node, k []byte, follow bool) ([]byte, *CacheRecord, error) {
--	var linksWalked int
--	return getFollowLinksWalk(root, k, follow, &linksWalked)
-+// followLinksCallback is called after we try to resolve each element. If the
-+// path was not found, cr is nil.
-+type followLinksCallback func(path string, cr *CacheRecord) error
-+
-+// getFollowLinks is shorthand for getFollowLinksCallback(..., nil).
-+func getFollowLinks(root *iradix.Node, k []byte, followTrailing bool) ([]byte, *CacheRecord, error) {
-+	return getFollowLinksCallback(root, k, followTrailing, nil)
- }
- 
--func getFollowLinksWalk(root *iradix.Node, k []byte, follow bool, linksWalked *int) ([]byte, *CacheRecord, error) {
-+// getFollowLinksCallback looks up the requested key, fully resolving any
-+// symlink components encountered. The implementation is heavily based on
-+// <https://github.com/cyphar/filepath-securejoin>.
-+//
-+// followTrailing indicates whether the *final component* of the path should be
-+// resolved (effectively O_PATH|O_NOFOLLOW). Note that (in contrast to some
-+// Linux APIs), followTrailing is obeyed even if the key has a trailing slash
-+// (though paths like "foo/link/." will cause the link to be resolved).
-+//
-+// cb is a callback that is called for each path component encountered during
-+// path resolution (after the path component is looked up in the cache). This
-+// means for a path like /a/b/c, the callback will be called for at least
-+//
-+//	{/, /a, /a/b, /a/b/c}
-+//
-+// Note that if any of the components are symlinks, the paths will depend on
-+// the symlink contents and there will be more callbacks. If the requested key
-+// has a trailing slash, the callback will also be called for the final
-+// trailing-slash lookup (/a/b/c/ in the above example). Note that
-+// getFollowLinksCallback will try to look up the original key directly first
-+// and the callback is not called for this first lookup.
-+func getFollowLinksCallback(root *iradix.Node, k []byte, followTrailing bool, cb followLinksCallback) ([]byte, *CacheRecord, error) {
- 	v, ok := root.Get(k)
--	if ok {
-+	if ok && (!followTrailing || v.(*CacheRecord).Type != CacheRecordTypeSymlink) {
- 		return k, v.(*CacheRecord), nil
- 	}
--	if !follow || len(k) == 0 {
-+	if len(k) == 0 {
- 		return k, nil, nil
- 	}
- 
--	dir, file := splitKey(k)
-+	var (
-+		currentPath   = "/"
-+		remainingPath = convertKeyToPath(k)
-+		linksWalked   int
-+		cr            *CacheRecord
-+	)
-+	// Trailing slashes are significant for the cache, but path.Clean strips
-+	// them. We only care about the slash for the final lookup.
-+	remainingPath, hadTrailingSlash := strings.CutSuffix(remainingPath, "/")
-+	for remainingPath != "" {
-+		// Get next component.
-+		var part string
-+		if i := strings.IndexRune(remainingPath, '/'); i == -1 {
-+			part, remainingPath = remainingPath, ""
-+		} else {
-+			part, remainingPath = remainingPath[:i], remainingPath[i+1:]
-+		}
- 
--	k, parent, err := getFollowLinksWalk(root, dir, follow, linksWalked)
--	if err != nil {
--		return nil, nil, err
--	}
--	if parent != nil {
--		if parent.Type == CacheRecordTypeSymlink {
--			*linksWalked++
--			if *linksWalked > 255 {
--				return nil, nil, errors.Errorf("too many links")
-+		// Apply the component to the path. Since it is a single component, and
-+		// our current path contains no symlinks, we can just apply it
-+		// leixically.
-+		nextPath := keyPath(path.Join("/", currentPath, part))
-+		// In contrast to rootPath, we don't skip lookups for no-op components
-+		// or / because we need to call the callback for every path component
-+		// we hit (including /) and we need to make sure that the CacheRecord
-+		// we return is correct after every iteration.
-+
-+		cr = nil
-+		v, ok := root.Get(convertPathToKey(nextPath))
-+		if ok {
-+			cr = v.(*CacheRecord)
-+		}
-+		if cb != nil {
-+			if err := cb(nextPath, cr); err != nil {
-+				return nil, nil, err
- 			}
-+		}
-+		if !ok || cr.Type != CacheRecordTypeSymlink {
-+			currentPath = nextPath
-+			continue
-+		}
-+		if !followTrailing && remainingPath == "" {
-+			currentPath = nextPath
-+			break
-+		}
- 
--			link := cleanLink(string(convertKeyToPath(dir)), parent.Linkname)
--			return getFollowLinksWalk(root, append(convertPathToKey([]byte(link)), file...), follow, linksWalked)
-+		linksWalked++
-+		if linksWalked > maxSymlinkLimit {
-+			return nil, nil, errTooManyLinks
- 		}
--	}
--	k = append(k, file...)
--	v, ok = root.Get(k)
--	if ok {
--		return k, v.(*CacheRecord), nil
--	}
--	return k, nil, nil
--}
- 
--func cleanLink(dir, linkname string) string {
--	dirPath := path.Clean(dir)
--	if dirPath == "." || dirPath == "/" {
--		dirPath = ""
-+		remainingPath = cr.Linkname + "/" + remainingPath
-+		if path.IsAbs(cr.Linkname) {
-+			currentPath = "/"
-+		}
- 	}
--	link := path.Clean(linkname)
--	if !path.IsAbs(link) {
--		return path.Join("/", path.Join(path.Dir(dirPath), link))
-+	// We've already looked up the final component. However, if there was a
-+	// trailing slash in the original path, we need to do the lookup again with
-+	// the slash applied.
-+	if hadTrailingSlash {
-+		cr = nil
-+		currentPath += "/"
-+		v, ok := root.Get(convertPathToKey(currentPath))
-+		if ok {
-+			cr = v.(*CacheRecord)
-+		}
-+		if cb != nil {
-+			if err := cb(currentPath, cr); err != nil {
-+				return nil, nil, err
-+			}
-+		}
- 	}
--	return link
-+	return convertPathToKey(currentPath), cr, nil
- }
- 
- func prepareDigest(fp, p string, fi os.FileInfo) (digest.Digest, error) {
-@@ -1176,25 +1250,10 @@ func poolsCopy(dst io.Writer, src io.Reader) (written int64, err error) {
- 	return
- }
- 
--func convertPathToKey(p []byte) []byte {
-+func convertPathToKey(p string) []byte {
- 	return bytes.Replace([]byte(p), []byte("/"), []byte{0}, -1)
- }
- 
--func convertKeyToPath(p []byte) []byte {
--	return bytes.Replace([]byte(p), []byte{0}, []byte("/"), -1)
--}
--
--func splitKey(k []byte) ([]byte, []byte) {
--	foundBytes := false
--	i := len(k) - 1
--	for {
--		if i <= 0 || foundBytes && k[i] == 0 {
--			break
--		}
--		if k[i] != 0 {
--			foundBytes = true
--		}
--		i--
--	}
--	return append([]byte{}, k[:i]...), k[i:]
-+func convertKeyToPath(p []byte) string {
-+	return string(bytes.Replace(p, []byte{0}, []byte("/"), -1))
- }
-diff --git a/vendor/github.com/moby/buildkit/cache/contenthash/path.go b/vendor/github.com/moby/buildkit/cache/contenthash/path.go
-index 42b7fd8349c7..ae950f713241 100644
---- a/vendor/github.com/moby/buildkit/cache/contenthash/path.go
-+++ b/vendor/github.com/moby/buildkit/cache/contenthash/path.go
-@@ -1,108 +1,111 @@
-+// This code mostly comes from <https://github.com/cyphar/filepath-securejoin>.
-+
-+// Copyright (C) 2014-2015 Docker Inc & Go Authors. All rights reserved.
-+// Copyright (C) 2017-2024 SUSE LLC. All rights reserved.
-+// Use of this source code is governed by a BSD-style
-+// license that can be found in the LICENSE file.
-+
- package contenthash
- 
- import (
- 	"os"
- 	"path/filepath"
-+	"strings"
- 
- 	"github.com/pkg/errors"
- )
- 
--var (
--	errTooManyLinks = errors.New("too many links")
--)
-+var errTooManyLinks = errors.New("too many links")
-+
-+const maxSymlinkLimit = 255
- 
- type onSymlinkFunc func(string, string) error
- 
--// rootPath joins a path with a root, evaluating and bounding any
--// symlink to the root directory.
--// This is containerd/continuity/fs RootPath implementation with a callback on
--// resolving the symlink.
--func rootPath(root, path string, cb onSymlinkFunc) (string, error) {
--	if path == "" {
-+// rootPath joins a path with a root, evaluating and bounding any symlink to
-+// the root directory. This is a slightly modified version of SecureJoin from
-+// github.com/cyphar/filepath-securejoin, with a callback which we call after
-+// each symlink resolution.
-+func rootPath(root, unsafePath string, followTrailing bool, cb onSymlinkFunc) (string, error) {
-+	if unsafePath == "" {
- 		return root, nil
- 	}
--	var linksWalked int // to protect against cycles
--	for {
--		i := linksWalked
--		newpath, err := walkLinks(root, path, &linksWalked, cb)
--		if err != nil {
--			return "", err
--		}
--		path = newpath
--		if i == linksWalked {
--			newpath = filepath.Join("/", newpath)
--			if path == newpath {
--				return filepath.Join(root, newpath), nil
--			}
--			path = newpath
--		}
--	}
--}
- 
--func walkLink(root, path string, linksWalked *int, cb onSymlinkFunc) (newpath string, islink bool, err error) {
--	if *linksWalked > 255 {
--		return "", false, errTooManyLinks
--	}
-+	unsafePath = filepath.FromSlash(unsafePath)
-+	var (
-+		currentPath string
-+		linksWalked int
-+	)
-+	for unsafePath != "" {
-+		// Windows-specific: remove any drive letters from the path.
-+		if v := filepath.VolumeName(unsafePath); v != "" {
-+			unsafePath = unsafePath[len(v):]
-+		}
- 
--	path = filepath.Join("/", path)
--	if path == "/" {
--		return path, false, nil
--	}
--	realPath := filepath.Join(root, path)
-+		// Remove any unnecessary trailing slashes.
-+		unsafePath = strings.TrimSuffix(unsafePath, string(filepath.Separator))
- 
--	fi, err := os.Lstat(realPath)
--	if err != nil {
--		// If path does not yet exist, treat as non-symlink
--		if errors.Is(err, os.ErrNotExist) {
--			return path, false, nil
-+		// Get the next path component.
-+		var part string
-+		if i := strings.IndexRune(unsafePath, filepath.Separator); i == -1 {
-+			part, unsafePath = unsafePath, ""
-+		} else {
-+			part, unsafePath = unsafePath[:i], unsafePath[i+1:]
- 		}
--		return "", false, err
--	}
--	if fi.Mode()&os.ModeSymlink == 0 {
--		return path, false, nil
--	}
--	newpath, err = os.Readlink(realPath)
--	if err != nil {
--		return "", false, err
--	}
--	if cb != nil {
--		if err := cb(path, newpath); err != nil {
--			return "", false, err
--		}
--	}
--	*linksWalked++
--	return newpath, true, nil
--}
- 
--func walkLinks(root, path string, linksWalked *int, cb onSymlinkFunc) (string, error) {
--	switch dir, file := filepath.Split(path); {
--	case dir == "":
--		newpath, _, err := walkLink(root, file, linksWalked, cb)
--		return newpath, err
--	case file == "":
--		if os.IsPathSeparator(dir[len(dir)-1]) {
--			if dir == "/" {
--				return dir, nil
--			}
--			return walkLinks(root, dir[:len(dir)-1], linksWalked, cb)
-+		// Apply the component lexically to the path we are building. path does
-+		// not contain any symlinks, and we are lexically dealing with a single
-+		// component, so it's okay to do filepath.Clean here.
-+		nextPath := filepath.Join(string(filepath.Separator), currentPath, part)
-+		if nextPath == string(filepath.Separator) {
-+			// If we end up back at the root, we don't need to re-evaluate /.
-+			currentPath = ""
-+			continue
- 		}
--		newpath, _, err := walkLink(root, dir, linksWalked, cb)
--		return newpath, err
--	default:
--		newdir, err := walkLinks(root, dir, linksWalked, cb)
--		if err != nil {
-+		fullPath := root + string(filepath.Separator) + nextPath
-+
-+		// Figure out whether the path is a symlink.
-+		fi, err := os.Lstat(fullPath)
-+		if err != nil && !errors.Is(err, os.ErrNotExist) {
- 			return "", err
- 		}
--		newpath, islink, err := walkLink(root, filepath.Join(newdir, file), linksWalked, cb)
-+		// Treat non-existent path components the same as non-symlinks (we
-+		// can't do any better here).
-+		if errors.Is(err, os.ErrNotExist) || fi.Mode()&os.ModeSymlink == 0 {
-+			currentPath = nextPath
-+			continue
-+		}
-+		// Don't resolve the final component with !followTrailing.
-+		if !followTrailing && unsafePath == "" {
-+			currentPath = nextPath
-+			break
-+		}
-+
-+		// It's a symlink, so get its contents and expand it by prepending it
-+		// to the yet-unparsed path.
-+		linksWalked++
-+		if linksWalked > maxSymlinkLimit {
-+			return "", errTooManyLinks
-+		}
-+
-+		dest, err := os.Readlink(fullPath)
- 		if err != nil {
- 			return "", err
- 		}
--		if !islink {
--			return newpath, nil
-+		if cb != nil {
-+			if err := cb(nextPath, dest); err != nil {
-+				return "", err
-+			}
- 		}
--		if filepath.IsAbs(newpath) {
--			return newpath, nil
-+
-+		unsafePath = dest + string(filepath.Separator) + unsafePath
-+		// Absolute symlinks reset any work we've already done.
-+		if filepath.IsAbs(dest) {
-+			currentPath = ""
- 		}
--		return filepath.Join(newdir, newpath), nil
- 	}
-+
-+	// There should be no lexical components left in path here, but just for
-+	// safety do a filepath.Clean before the join.
-+	finalPath := filepath.Join(string(filepath.Separator), currentPath)
-+	return filepath.Join(root, finalPath), nil
- }
-diff --git a/vendor/modules.txt b/vendor/modules.txt
-index 7f3e6497785d..247f49f3518e 100644
---- a/vendor/modules.txt
-+++ b/vendor/modules.txt
-@@ -711,7 +711,7 @@ github.com/mitchellh/hashstructure/v2
- # github.com/mitchellh/reflectwalk v1.0.2
- ## explicit
- github.com/mitchellh/reflectwalk
--# github.com/moby/buildkit v0.13.2
-+# github.com/moby/buildkit v0.13.2 => github.com/cyphar/buildkit v0.0.0-20240624075140-0db2d2345b94
- ## explicit; go 1.21
- github.com/moby/buildkit/api/services/control
- github.com/moby/buildkit/api/types
-@@ -1610,3 +1610,4 @@ tags.cncf.io/container-device-interface/pkg/parser
- # tags.cncf.io/container-device-interface/specs-go v0.7.0
- ## explicit; go 1.19
- tags.cncf.io/container-device-interface/specs-go
-+# github.com/moby/buildkit => github.com/cyphar/buildkit v0.0.0-20240624075140-0db2d2345b94
--- 
-2.45.2
-

0007-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch

@@ -1,53 +0,0 @@
-From 62035ba22a45bde6bed2da321e7ad954f5b461b4 Mon Sep 17 00:00:00 2001
-From: Aleksa Sarai <cyphar@cyphar.com>
-Date: Wed, 19 Jun 2024 16:30:49 +1000
-Subject: [PATCH 7/7] bsc1214855: volume: use AtomicWriteFile to save volume
- options
-
-If the system (or Docker) crashes while saivng the volume options, on
-restart the daemon will error out when trying to read the options file
-because it doesn't contain valid JSON.
-
-In such a crash scenario, the new volume will be treated as though it
-has the default options configuration. This is not ideal, but volumes
-created on very old Docker versions (pre-1.11[1], circa 2016) do not
-have opts.json and so doing some kind of cleanup when loading the volume
-store (even if we take care to only delete empty volumes) could delete
-existing volumes carried over from very old Docker versions that users
-would not expect to disappear.
-
-Ultimately, if a user creates a volume and the system crashes, a volume
-that has the wrong config is better than Docker not being able to start.
-
-[1]: commit b05b2370757d ("Support mount opts for `local` volume driver")
-
-SUSE-Bugs: https://bugzilla.suse.com/show_bug.cgi?id=1214855
-Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
----
- volume/local/local.go | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/volume/local/local.go b/volume/local/local.go
-index 6e96aeea4189..4412f34a3da9 100644
---- a/volume/local/local.go
-+++ b/volume/local/local.go
-@@ -17,6 +17,7 @@ import (
- 	"github.com/docker/docker/daemon/names"
- 	"github.com/docker/docker/errdefs"
- 	"github.com/docker/docker/pkg/idtools"
-+	"github.com/docker/docker/pkg/ioutils"
- 	"github.com/docker/docker/quota"
- 	"github.com/docker/docker/volume"
- 	"github.com/pkg/errors"
-@@ -388,7 +389,7 @@ func (v *localVolume) saveOpts() error {
- 	if err != nil {
- 		return err
- 	}
--	err = os.WriteFile(filepath.Join(v.rootPath, "opts.json"), b, 0o600)
-+	err = ioutils.AtomicWriteFile(filepath.Join(v.rootPath, "opts.json"), b, 0o600)
- 	if err != nil {
- 		return errdefs.System(errors.Wrap(err, "error while persisting volume options"))
- 	}
--- 
-2.45.2
-

_service

@@ -3,18 +3,26 @@
     <param name="url">https://github.com/moby/moby.git</param>
     <param name="scm">git</param>
     <param name="exclude">.git</param>
-    <param name="versionformat">26.1.5_ce_%h</param>
+    <param name="versionformat">28.4.0_ce_%h</param>
-    <param name="revision">v26.1.5</param>
+    <param name="revision">v28.4.0</param>
     <param name="filename">docker</param>
   </service>
   <service name="tar_scm" mode="manual">
     <param name="url">https://github.com/docker/cli.git</param>
     <param name="scm">git</param>
     <param name="exclude">.git</param>
-    <param name="versionformat">26.1.5_ce</param>
+    <param name="versionformat">28.4.0_ce</param>
-    <param name="revision">v26.1.5</param>
+    <param name="revision">v28.4.0</param>
     <param name="filename">docker-cli</param>
   </service>
+  <service name="tar_scm" mode="manual">
+    <param name="url">https://github.com/docker/buildx.git</param>
+    <param name="scm">git</param>
+    <param name="exclude">.git</param>
+    <param name="versionformat">0.28.0</param>
+    <param name="revision">v0.28.0</param>
+    <param name="filename">docker-buildx</param>
+  </service>
   <service name="recompress" mode="manual">
     <param name="file">docker-*.tar</param>
     <param name="compression">xz</param>

cli-0001-openSUSE-point-users-to-docker-buildx-package.patch

@@ -0,0 +1,44 @@
+From 02b49739668ea5ffb0b240c2a264eb9bb378f56f Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <cyphar@cyphar.com>
+Date: Mon, 1 Sep 2025 16:05:24 +1000
+Subject: [PATCH 1/2] openSUSE: point users to docker-buildx package
+
+The reference to a "buildx component" is a little confusing in the
+context of (open)SUSE packaging and might confuse users, as they just
+need to install the "docker-buildx" package.
+
+Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
+---
+ cmd/docker/builder.go | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/cmd/docker/builder.go b/cmd/docker/builder.go
+index 00fc1b40f1ab..ff3becd1c9e7 100644
+--- a/cmd/docker/builder.go
++++ b/cmd/docker/builder.go
+@@ -20,7 +20,7 @@
+ const (
+ 	builderDefaultPlugin = "buildx"
+ 	buildxMissingWarning = `DEPRECATED: The legacy builder is deprecated and will be removed in a future release.
+-            Install the buildx component to build images with BuildKit:
++            Install the docker-buildx package to build images with BuildKit:
+             https://docs.docker.com/go/buildx/`
+ 
+ 	buildkitDisabledWarning = `DEPRECATED: The legacy builder is deprecated and will be removed in a future release.
+@@ -28,11 +28,11 @@
+             environment-variable.`
+ 
+ 	buildxMissingError = `ERROR: BuildKit is enabled but the buildx component is missing or broken.
+-       Install the buildx component to build images with BuildKit:
++       Install the docker-buildx package to build images with BuildKit:
+        https://docs.docker.com/go/buildx/`
+ 
+ 	bakeMissingError = `ERROR: docker bake requires the buildx component but it is missing or broken.
+-       Install the buildx component to use bake:
++       Install the docker-buildx package to use bake:
+        https://docs.docker.com/go/buildx/`
+ )
+ 
+-- 
+2.51.0
+

cli-0002-SECRETS-SUSE-default-to-DOCKER_BUILDKIT-0-for-docker.patch

@@ -0,0 +1,98 @@
+From b7fb811f2c032bdd42b914aa00dc2a793ddb003f Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <cyphar@cyphar.com>
+Date: Fri, 15 Aug 2025 19:55:53 +1000
+Subject: [PATCH 2/2] SECRETS: SUSE: default to DOCKER_BUILDKIT=0 for "docker
+ build"
+
+For systems with SUSEConnect auto-injection enabled, docker-buildx does
+not include our injected secrets. For SLE15 and earlier, enabling
+"docker build" to auto-switch to "docker buildx build" would thus break
+existing users of the feature.
+
+So, make DOCKER_BUILDKIT=0 the default. Users can still opt-in to using
+BuildKit with DOCKER_BUILDKIT=1 or using subcommands like "docker bake"
+or "docker buildx $foo", but existing users won't be broken by the
+change.
+
+Users that do switch BuildKit can inject SCC credentials in a far more
+deliberate (and thus more secure) manner by using
+
+  RUN --mount=type=secret,id=SCCcredentials zypper -n ...
+
+in their Dockerfiles, and then using
+
+  docker buildx build --secret id=SCCcredentials,src=/etc/zypp/credentials.d/SCCcredentials,type=file .
+
+for their builds.
+
+SUSE-Bug: https://jira.suse.com/browse/PED-12534
+SUSE-Bug: https://jira.suse.com/browse/PED-8905
+SUSE-Bug: https://bugzilla.suse.com/show_bug.cgi?id=1247594
+Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
+---
+ cmd/docker/builder.go | 28 +++++++++++++++++++++++-----
+ 1 file changed, 23 insertions(+), 5 deletions(-)
+
+diff --git a/cmd/docker/builder.go b/cmd/docker/builder.go
+index ff3becd1c9e7..61306cc6785e 100644
+--- a/cmd/docker/builder.go
++++ b/cmd/docker/builder.go
+@@ -23,9 +23,19 @@
+             Install the docker-buildx package to build images with BuildKit:
+             https://docs.docker.com/go/buildx/`
+ 
+-	buildkitDisabledWarning = `DEPRECATED: The legacy builder is deprecated and will be removed in a future release.
+-            BuildKit is currently disabled; enable it by removing the DOCKER_BUILDKIT=0
+-            environment-variable.`
++	buildkitDisabledWarning = `INFORMATION: This version of Docker has been patched by SUSE.
++        These patches allow for automatic access to the host SUSE subscription
++        inside containers, allowing for customers to create derived images with
++        "docker build" using SUSE packages. However, this feature is
++        incompatible with BuildKit and so "docker build" will use the legacy
++        builder by default. In order to disable this message and continue using
++        the legacy builder, set the DOCKER_BUILDKIT=0 environment-variable.
++
++        In order to opt-in to using BuildKit, set the DOCKER_BUILDKIT=1
++        environment-variable. See the SLE16 documentation for information on
++        how to switch to BuildKit while still maintaining access to SCC
++        credentials. In order to use BuildKit, you must have the docker-buildx
++        package installed.`
+ 
+ 	buildxMissingError = `ERROR: BuildKit is enabled but the buildx component is missing or broken.
+        Install the docker-buildx package to build images with BuildKit:
+@@ -48,7 +58,7 @@ func newBuilderError(errorMsg string, pluginLoadErr error) error {
+ 
+ //nolint:gocyclo
+ func processBuilder(dockerCli command.Cli, cmd *cobra.Command, args, osargs []string) ([]string, []string, []string, error) {
+-	var buildKitDisabled, useBuilder, useAlias bool
++	var buildKitDisabled, showDisabledWarning, useBuilder, useAlias bool
+ 	var envs []string
+ 
+ 	// check DOCKER_BUILDKIT env var is not empty
+@@ -63,6 +73,14 @@ func processBuilder(dockerCli command.Cli, cmd *cobra.Command, args, osargs []st
+ 		} else {
+ 			useBuilder = true
+ 		}
++	} else {
++		// SUSE: Disable automatic usage of docker-buildx if unspecified (for
++		// pre-SLE16) to maintain support for SUSEConnect auto-injection. If a
++		// user specifies DOCKER_BUILDKIT=1 manually, that's up to them.
++		buildKitDisabled = true
++		// Only show the disabled "warning" when the user hasn't explicitly
++		// opted into DOCKER_BUILDKIT=0.
++		showDisabledWarning = true
+ 	}
+ 	// docker bake always requires buildkit; ignore "DOCKER_BUILDKIT=0".
+ 	if buildKitDisabled && len(args) > 0 && args[0] == "bake" {
+@@ -102,7 +120,7 @@ func processBuilder(dockerCli command.Cli, cmd *cobra.Command, args, osargs []st
+ 		// is deprecated. For Windows / WCOW, BuildKit is still experimental,
+ 		// so we don't print this warning, even if the daemon advertised that
+ 		// it supports BuildKit.
+-		if dockerCli.ServerInfo().OSType != "windows" {
++		if showDisabledWarning && dockerCli.ServerInfo().OSType != "windows" {
+ 			_, _ = fmt.Fprintf(dockerCli.Err(), "%s\n\n", buildkitDisabledWarning)
+ 		}
+ 		return args, osargs, nil, nil
+-- 
+2.51.0
+

docker-28.4.0_ce_249d679a6.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:73bf3e1c1b73100b35d428e65eb9ddbb5eba630ca1903ec122313539ff81c282
+size 10671788

docker-buildx-0.28.0.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d9f918d63e74fea28bfc9d4766982611b63525fff08aee99bb9096541354eb2c
+size 8071860

docker-cli-28.4.0_ce.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4ef957ca985d14dfcd65ca125e035b917da61cd664ebc3816411e1ecc8815379
+size 4280768

docker-integration.sh

@@ -0,0 +1,291 @@
+#!/bin/bash
+# docker-integration: run Docker's integration tests
+# Copyright (C) 2024 SUSE LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -Eeuo pipefail
+
+TESTDIR=/usr/src/docker-test
+TEST_SRCDIR="$TESTDIR/src"
+TEST_BINDIR="$TESTDIR/bin"
+
+TMPROOT="$(mktemp --tmpdir -d docker-integration-tmpdir.XXXXXX)"
+TMPDIR="$TMPROOT/tmp"
+DEST="$TMPROOT/dest"
+
+mkdir -p "$TMPDIR" "$TEST_BINDIR" "$DEST"
+chmod 1777 "$TMPDIR"
+chmod 777 "$TMPROOT"
+
+function usage() {
+	cat >&2 <<-EOF
+	docker-integration.sh [-Av] [-r TestName] [-t timeout] [<test-suites>...]
+
+	Arguments:
+	  -A
+	         Run all tests (do not fail on first suite failure).
+	  -v
+	         Run tests in verbose mode (go test -v).
+	  -r
+	         Only run tests that match the given regular expression (go test -run).
+	  -t <timeout=$timeout>
+	         Set the per-suite timeout to <timeout> (go test -timeout).
+	  <test-suites>...
+	         Only run the given test suites in /usr/src/docker-test. The
+	         default is to run all test suites
+
+	Examples:
+
+	  Run the build and network integration tests with a 60 minute timeout:
+
+	    ./docker-integration.sh -t 60m integration/build integration/network
+
+	  Run all of the tests in verbose mode with a 6 hour timeout:
+
+	    ./docker-integration.sh -Av -t 360m
+
+	This script is maintained by openSUSE in the Virtualization:containers
+	project, and is only intended to be used by openSUSE developers.
+	EOF
+	exit "${1:-1}"
+}
+
+fail_fast=1
+verbose=
+filter=
+timeout=20m
+while getopts "Ahr:t:v" opt; do
+	case "$opt" in
+	A)
+		fail_fast=
+		;;
+	v)
+		verbose=1
+		;;
+	r)
+		filter="$OPTARG"
+		;;
+	t)
+		timeout="$OPTARG"
+		;;
+	h)
+		usage 0
+		;;
+	:)
+		echo "Missing argument: -$OPTARG" >&2
+		usage 1
+		;;
+	\?)
+		echo "Invalid option: -$OPTARG" >&2
+		usage 1
+		;;
+	esac
+done
+
+pushd "$TEST_SRCDIR"
+
+if [ "$OPTIND" -le "$#" ]; then
+	SUITES=("${@:$OPTIND:$(($#+1))}")
+else
+	readarray -t SUITES <<<"$(find . -type f -name test.main -printf "%h\n")"
+fi
+echo "Planning to run suites {${SUITES[@]}}."
+
+# Download the frozen images.
+if ! [ -d /docker-frozen-images ]; then
+	# TODO: Get the hashes from /usr/src/docker-test/Dockerfile...
+	contrib/download-frozen-image-v2.sh "$TMPDIR/docker-frozen-images" \
+		busybox:latest@sha256:95cf004f559831017cdf4628aaf1bb30133677be8702a8c5f2994629f637a209 \
+		busybox:glibc@sha256:1f81263701cddf6402afe9f33fca0266d9fff379e59b1748f33d3072da71ee85 \
+		debian:bookworm-slim@sha256:2bc5c236e9b262645a323e9088dfa3bb1ecb16cc75811daf40a23a824d665be9 \
+		hello-world:latest@sha256:d58e752213a51785838f9eed2b7a498ffa1cb3aa7f946dda11af39286c3db9a9 \
+		arm32v7/hello-world:latest@sha256:50b8560ad574c779908da71f7ce370c0a2471c098d44d1c8f6b513c5a55eeeb1
+	sudo cp -r "$TMPDIR/docker-frozen-images" /
+fi
+
+# Create binaries in $TEST_BINDIR.
+if ! [ -e "$TEST_BINDIR/docker-basic-plugin" ]; then
+	(
+		pushd "$TEST_SRCDIR/testutil/fixtures/plugin/basic"
+
+		go mod init docker-basic-plugin
+		go build -o "$TEST_BINDIR/docker-basic-plugin" .
+	)
+fi
+if ! [ -e "$TEST_BINDIR/registry-v2" ]; then
+	# The v2.x tags of Docker registry don't use go.mod, and pre-date the move
+	# to github.com/distribution, so we need to create a fake GOPATH with the
+	# old github.com/docker/distribution import path.
+	(
+		export GOPATH="$(mktemp -d -p "$TMPROOT" distribution-build-gopath.XXXXXX)"
+		pushd "$GOPATH"
+
+		git clone \
+			--depth=1 --branch=v2.8.3 \
+			https://github.com/distribution/distribution.git \
+			src/github.com/docker/distribution
+
+		pushd src/github.com/docker/distribution
+
+		GO111MODULE=off go build -o "$TEST_BINDIR/registry-v2" ./cmd/registry
+	)
+fi
+if ! [ -e "$TEST_BINDIR/ctr" ]; then
+	containerd-ctr --help >/dev/null
+	ln -sf "$(which containerd-ctr)" "$TEST_BINDIR/ctr"
+fi
+if ! [ -e "$TEST_BINDIR/docker" ]; then
+	# The integration-cli tests require a Docker 17.06.2 client (from 2017).
+	# This is mainly because the tests are all based on the specific output the
+	# client gives, and some tests fail on modern client versions.
+	(
+		export GOPATH="$(mktemp -d -p "$TMPROOT" distribution-build-gopath.XXXXXX)"
+		pushd "$GOPATH"
+
+		# This tag also comes from the time when this was called
+		# github.com/docker/docker-ce-packaging, so we need to work around this
+		# by moving the cli component into the right path...
+		git clone \
+			--depth=1 --branch=v17.06.2-ce \
+			https://github.com/docker/cli.git \
+			src/github.com/docker/docker-ce-packaging
+		mv \
+			src/github.com/docker/docker-ce-packaging/components/cli \
+			src/github.com/docker/cli
+
+		pushd src/github.com/docker/cli
+		GO111MODULE=off go build -o "$TEST_BINDIR/docker" ./cmd/docker
+	)
+fi
+
+# Create an unprivilegeduser account for tests.
+if ! ( grep unprivilegeduser /etc/passwd &>/dev/null ); then
+	useradd --create-home --gid docker unprivilegeduser
+fi
+
+# Disable SUSE secrets for tests, as some tests (TestDiff from
+# integration/container) will fail if we have secrets injected.
+[ -e /etc/docker/suse-secrets-enable ] && \
+	mv -nv /etc/docker/suse-secrets-enable{,-DISABLED}
+sudo systemctl restart docker
+
+# Make sure docker-buildx is disabled.
+[ -e /usr/lib/docker/cli-plugins/docker-buildx ] && \
+	mv -nv /usr/lib/docker/cli-plugins/docker-buildx{,-DISABLED}
+
+# Disable any daemon configurations.
+[ -e /etc/docker/daemon.json ] && \
+	mv -nv /etc/docker/daemon.json{,.DISABLED}
+
+set -x
+
+# In order for< gotest.tools/v3/assert> to parse the source and give us useful
+# error messages, we have to create a fake source directory that points at
+# $TEST_SRCDIR. This path is replaced with %{docker_builddir} during the
+# docker.spec build.
+__DOCKER_BUILDIR="@@docker_builddir@@"
+DOCKER_BUILDDIR="${DOCKER_BUILDDIR:-$__DOCKER_BUILDIR}"
+sudo rm -rvf "$DOCKER_BUILDDIR"
+sudo mkdir -p "$(dirname "$DOCKER_BUILDDIR")"
+sudo ln -svf "$TEST_SRCDIR" "$DOCKER_BUILDDIR"
+
+# Clean up any old containers/images/networks/volumes before running the tests.
+# We need to do this *BEFORE* we set PATH, as the outdated $TEST_BINDIR/docker
+# doesn't support some of these commands.
+docker container prune -f
+docker image prune -af
+#docker buildx prune -af
+docker network prune -f
+docker volume prune -af
+[ -z "$(docker plugin ls -q)" ] || docker plugin ls -q | xargs docker plugin rm -f
+docker system prune -af
+
+export DOCKERFILE="$TEST_SRCDIR/Dockerfile"
+export TMPDIR="$TMPDIR"
+export TEMP="$TMPDIR"
+export HOME="$TMPDIR/fake-home"
+export DEST="$TEST_SRCDIR/bundles"
+export ABS_DEST="$DEST"
+export PATH="$TEST_BINDIR:$PATH"
+
+export TZ=UTC
+export DOCKER_INTEGRATION_DAEMON_DEST="$ABS_DEST"
+export DOCKER_HOST=unix:///run/docker.sock
+export DOCKER_GRAPHDRIVER=overlay2
+export DOCKER_USERLANDPROXY=true
+export DOCKER_REMAP_ROOT="${DOCKER_REMAP_ROOT:-}"
+export DOCKER_TMPDIR="$TMPDIR"
+export DOCKER_SUSE_SECRETS_ENABLE=0
+
+set +x
+
+# Make sure that we have a dummy "destination" directory for tests.
+rm -rf "$DOCKER_INTEGRATION_DAEMON_DEST"
+mkdir -p "$DOCKER_INTEGRATION_DAEMON_DEST"
+
+# Install the emptyfs images.
+sh ./hack/make/.build-empty-images
+
+ls -la "$TMPROOT"
+
+success=0
+failed_suites=()
+for suite_name in "${SUITES[@]}"; do
+	suite_name="${suite_name#*./}"
+	pushd "$TEST_SRCDIR/$suite_name"
+
+	test_flags=()
+	[ -n "$verbose" ] && test_flags+=("-test.v")
+	[ -n "$filter" ] && test_flags+=("-test.run" "$filter")
+
+	if [[ "$suite_name" == "integration-cli" ]]; then
+		# We need to disable docker-buildx for the integration-cli tests
+		# because otherwise the "docker build" command will use the wrong
+		# builder and the output won't match what the tests expect.
+		timeout=360m
+	fi
+	test_flags+=("-test.timeout" "$timeout")
+
+	echo "Running suite $suite_name (${test_flags[@]}) [success=$success fail=${#failed_suites[@]}]"
+
+	set -x +e
+	sudo -E HOME="$HOME" TMPDIR="$TMPDIR" PATH="$PATH" \
+		./test.main "${test_flags[@]}"
+	err="$?"
+	if (( $err != 0 )); then
+		[ -z "$fail_fast" ] || exit "$err"
+		failed_suites+=("$suite_name")
+	else
+		(( success++ ))
+	fi
+	set +x -e
+
+	popd
+done
+
+[ -e /usr/lib/docker/cli-plugins/docker-buildx-DISABLED ] && \
+	mv -nv /usr/lib/docker/cli-plugins/docker-buildx{-DISABLED,}
+
+[ -e /etc/docker/suse-secrets-enable-DISABLED ] && \
+	mv -nv /etc/docker/suse-secrets-enable{-DISABLED,}
+
+[ -e /etc/docker/daemon.json.DISABLED ] && \
+	mv -nv /etc/docker/daemon.json{.DISABLED,}
+
+echo "Suite results: $success success(es) ${#failed_suites[@]} failure(s)."
+if (( ${#failed_suites[@]} > 0 )); then
+	echo "Failed suites:"
+	printf " - %s\n" "${failed_suites[@]}"
+	exit 1
+fi

docker-rpmlintrc

@@ -1,2 +1,7 @@
-addFilter("^docker-bash-completion.noarch: (E|W): non-executable-script /usr/share/bash-completion/completions/docker")
+addFilter("^docker-(stable-)?bash-completion.noarch: (E|W): non-executable-script /usr/share/bash-completion/completions/docker")
-addFilter("^docker-zsh-completion.noarch: W: non-conffile-in-etc /etc/zsh_completion.d/_docker")
+addFilter("^docker-(stable-)?zsh-completion.noarch: W: non-conffile-in-etc /etc/zsh_completion.d/_docker")
+
+# The docker-integration-tests-devel package contains all of the source code of
+# Docker, which causes a bunch of warnings. Note that
+# docker-integration-tests-devel is used internally and isn't actually shipped.
+addFilter("^docker-(stable-)?integration-tests-devel\..*: (E|W): .*")

docker.changes

@@ -1,3 +1,460 @@
+-------------------------------------------------------------------
+Thu Sep  4 08:37:24 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to docker-buildx v0.28.0. Upstream changelog:
+  <https://github.com/docker/buildx/releases/tag/v0.28.0>
+- Update to Docker 28.4.0-ce. See upstream changelog online at
+  <https://docs.docker.com/engine/release-notes/28/#2840>
+- Rebased patches:
+  * 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
+  * 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+  * 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+  * 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
+  * 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+  * 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
+  * cli-0001-openSUSE-point-users-to-docker-buildx-package.patch
+  * cli-0002-SECRETS-SUSE-default-to-DOCKER_BUILDKIT-0-for-docker.patch
+
+-------------------------------------------------------------------
+Mon Sep  1 05:48:29 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update warnings and errors related to "docker buildx ..." so that they
+  reference our openSUSE docker-buildx packages.
+  + cli-0001-openSUSE-point-users-to-docker-buildx-package.patch
+- Enable building docker-buildx for SLE15 systems with SUSEConnect secret
+  injection enabled. PED-12534 PED-8905 bsc#1247594
+
+  As docker-buildx does not support our SUSEConnect secret injection (and some
+  users depend "docker build" working transparently), patch the docker CLI so
+  that "docker build" will no longer automatically call "docker buildx build",
+  effectively making DOCKER_BUILDKIT=0 the default configuration. Users can
+  manually use "docker buildx ..." commands or set DOCKER_BUILDKIT=1 in order
+  to opt-in to using docker-buildx.
+
+  Users can silence the "docker build" warning by setting DOCKER_BUILDKIT=0
+  explicitly.
+
+  In order to inject SCC credentials with docker-buildx, users should use
+
+    RUN --mount=type=secret,id=SCCcredentials zypper -n ...
+
+  in their Dockerfiles, and
+
+    docker buildx build --secret id=SCCcredentials,src=/etc/zypp/credentials.d/SCCcredentials,type=file .
+
+  when doing their builds.
+
+  + cli-0002-SECRETS-SUSE-default-to-DOCKER_BUILDKIT-0-for-docker.patch
+
+-------------------------------------------------------------------
+Tue Jul 29 14:44:44 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to Docker 28.3.3-ce. See upstream changelog online at
+  <https://docs.docker.com/engine/release-notes/28/#2833>
+  CVE-2025-54388 bsc#1247367
+
+-------------------------------------------------------------------
+Wed Jul 23 04:23:57 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to docker-buildx v0.26.1. Upstream changelog:
+  <https://github.com/docker/buildx/releases/tag/v0.26.1>
+
+-------------------------------------------------------------------
+Mon Jul 21 21:53:38 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to docker-buildx v0.26.0. Upstream changelog:
+  <https://github.com/docker/buildx/releases/tag/v0.26.0>
+
+-------------------------------------------------------------------
+Thu Jul 17 04:32:55 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to Go 1.24 for builds, to match upstream.
+
+-------------------------------------------------------------------
+Wed Jul  9 19:54:47 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to Docker 28.3.2-ce. See upstream changelog online at
+  <https://docs.docker.com/engine/release-notes/28/#2832>
+
+-------------------------------------------------------------------
+Thu Jul  3 01:24:33 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to Docker 28.3.1-ce. See upstream changelog online at
+  <https://docs.docker.com/engine/release-notes/28/#2831>
+
+-------------------------------------------------------------------
+Wed Jun 25 15:33:36 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to Docker 28.3.0-ce. See upstream changelog online at
+  <https://docs.docker.com/engine/release-notes/28/#2830>
+  bsc#1246556
+- Rebase patches:
+ * 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
+ * 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+ * 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+ * 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
+ * 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+ * 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
+
+-------------------------------------------------------------------
+Mon Jun 23 12:46:53 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+[ This update is a no-op, only needed to work around unfortunate automated
+  packaging script behaviour on SLES. ]
+
+- The following patches were removed in openSUSE in the Docker 28.1.1-ce
+  update, but the patch names were later renamed in a SLES-only update before
+  Docker 28.1.1-ce was submitted to SLES.
+
+  This causes the SLES build scripts to refuse the update because the patches
+  are not referenced in the changelog. There is no obvious place to put the
+  patch removals (the 28.1.1-ce update removing the patches chronologically
+  predates their renaming in SLES), so they are included here a dummy changelog
+  entry to work around the issue.
+
+  - 0007-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch
+  - 0008-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
+
+-------------------------------------------------------------------
+Wed Jun 18 06:22:56 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to docker-buildx v0.25.0. Upstream changelog:
+  <https://github.com/docker/buildx/releases/tag/v0.25.0>
+
+-------------------------------------------------------------------
+Thu Jun  5 16:12:14 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Do not try to inject SUSEConnect secrets when in Rootless Docker mode, as
+  Docker does not have permission to access the host zypper credentials in this
+  mode (and unprivileged users cannot disable the feature using
+  /etc/docker/suse-secrets-enable.) bsc#1240150
+
+  * 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+
+- Rebase patches:
+  * 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
+  * 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+  * 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
+  * 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+  * 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
+
+-------------------------------------------------------------------
+Wed Jun  4 05:21:19 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Always clear SUSEConnect suse_* secrets when starting containers regardless
+  of whether the daemon was built with SUSEConnect support. Not doing this
+  causes containers from SUSEConnect-enabled daemons to fail to start when
+  running with SUSEConnect-disabled (i.e. upstream) daemons.
+
+  This was a long-standing issue with our secrets support but until recently
+  this would've required migrating from SLE packages to openSUSE packages
+  (which wasn't supported). However, as SLE Micro 6.x and SLES 16 will move
+  away from in-built SUSEConnect support, this is now a practical issue users
+  will run into. bsc#1244035
+
+  + 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
+
+- Rearrange patches:
+  - 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+  + 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+  - 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+  + 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+  - 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
+  + 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
+  - 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+  + 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+  - 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
+  + 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
+
+-------------------------------------------------------------------
+Wed Jun  4 05:21:18 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+[NOTE: This update was only ever released in SLES and Leap.]
+
+- Always clear SUSEConnect suse_* secrets when starting containers regardless
+  of whether the daemon was built with SUSEConnect support. Not doing this
+  causes containers from SUSEConnect-enabled daemons to fail to start when
+  running with SUSEConnect-disabled (i.e. upstream) daemons.
+
+  This was a long-standing issue with our secrets support but until recently
+  this would've required migrating from SLE packages to openSUSE packages
+  (which wasn't supported). However, as SLE Micro 6.x and SLES 16 will move
+  away from in-built SUSEConnect support, this is now a practical issue users
+  will run into. bsc#1244035
+
+  + 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
+
+- Rearrange patches:
+  - 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+  + 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+  - 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+  + 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+  - 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
+  + 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
+  - 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+  + 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+  - 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
+  + 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
+  - 0006-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch
+  + 0007-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch
+  - 0007-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
+  + 0008-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
+
+-------------------------------------------------------------------
+Fri May 30 17:55:22 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to Docker 28.2.2-ce. See upstream changelog online at
+  <https://docs.docker.com/engine/release-notes/28/#2822>
+- Rebase patches:
+ * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+ * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+ * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
+ * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+ * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
+
+-------------------------------------------------------------------
+Fri May 30 09:26:40 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to Docker 28.2.1-ce. See upstream changelog online at
+  <https://docs.docker.com/engine/release-notes/28/#2820> bsc#1243833
+  <https://github.com/moby/moby/releases/tag/v28.2.1>
+- Rebase patches:
+ * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+ * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+ * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
+ * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+ * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
+
+-------------------------------------------------------------------
+Thu May 22 12:48:59 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to docker-buildx v0.24.0. Upstream changelog:
+  <https://github.com/docker/buildx/releases/tag/v0.24.0>
+
+-------------------------------------------------------------------
+Thu May  1 16:27:28 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to Docker 28.1.1-ce. See upstream changelog online at
+  <https://docs.docker.com/engine/release-notes/28/#2811> bsc#1242114
+  Includes upstream fixes:
+   - CVE-2025-22872 bsc#1241830
+- Remove long-outdated build handling for deprecated and unsupported
+  devicemapper and AUFS storage drivers. AUFS was removed in v24, and
+  devicemapper was removed in v25.
+  <https://docs.docker.com/engine/deprecated/#aufs-storage-driver>
+- Rebase patches:
+ * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+ * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+ * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
+ * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+ * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
+- Remove upstreamed patches:
+ - 0006-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch
+ - 0007-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
+ - cli-0001-docs-include-required-tools-in-source-tree.patch
+
+-------------------------------------------------------------------
+Mon Apr 28 18:22:47 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to docker-buildx v0.23.0. Upstream changelog:
+  <https://github.com/docker/buildx/releases/tag/v0.23.0>
+
+-------------------------------------------------------------------
+Thu Apr 10 03:18:42 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to docker-buildx v0.22.0. Upstream changelog:
+  <https://github.com/docker/buildx/releases/tag/v0.22.0>
+  * Includes fixes for CVE-2025-0495. bsc#1239765
+
+-------------------------------------------------------------------
+Thu Apr 10 03:09:38 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Disable transparent SUSEConnect support for SLE-16. PED-12534
+
+  When this patchset was first added in 2013 (and rewritten over the years),
+  there was no upstream way to easily provide SLE customers with a way to build
+  container images based on SLE using the host subscription. However, with
+  docker-buildx you can now define secrets for builds (this is not entirely
+  transparent, but we can easily document this new requirement for SLE-16).
+
+  Users should use
+
+    RUN --mount=type=secret,id=SCCcredentials zypper -n ...
+
+  in their Dockerfiles, and
+
+    docker buildx build --secret id=SCCcredentials,src=/etc/zypp/credentials.d/SCCcredentials,type=file .
+
+  when doing their builds.
+
+- Now that the only blocker for docker-buildx support was removed for SLE-16,
+  enable docker-buildx for SLE-16 as well. PED-8905
+
+-------------------------------------------------------------------
+Wed Mar 26 02:36:16 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Don't use the new container-selinux conditional requires on SLE-12, as the
+  RPM version there doesn't support it. Arguably the change itself is a bit
+  suspect but we can fix that later. bsc#1237367
+
+-------------------------------------------------------------------
+Tue Mar 25 01:11:54 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Add backport for golang.org/x/oauth2 CVE-2025-22868 fix. bsc#1239185
+  + 0006-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch
+- Add backport for golang.org/x/crypto CVE-2025-22869 fix. bsc#1239322
+  + 0007-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
+- Refresh patches:
+  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
+  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+  * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
+
+-------------------------------------------------------------------
+Thu Mar 20 16:09:49 UTC 2025 - Fabian Vogt <fvogt@suse.com>
+
+- Make container-selinux requirement conditional on selinux-policy
+  (bsc#1237367)
+
+-------------------------------------------------------------------
+Wed Feb 19 04:28:34 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to Docker 27.5.1-ce. See upstream changelog online at
+  <https://docs.docker.com/engine/release-notes/27/#2741> bsc#1237335
+- Rebase patches:
+  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
+  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+  * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
+  * cli-0001-docs-include-required-tools-in-source-tree.patch
+- Update to docker-buildx 0.20.1. See upstream changelog online at
+  <https://github.com/docker/buildx/releases/tag/v0.20.1>
+
+-------------------------------------------------------------------
+Wed Dec 18 12:29:07 UTC 2024 - Aleksa Sarai <asarai@suse.com>
+
+- Update to Docker 27.4.1-ce. See upstream changelog online at
+  <https://docs.docker.com/engine/release-notes/27/#2741>
+- Rebase patches:
+  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
+  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+  * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
+  * cli-0001-docs-include-required-tools-in-source-tree.patch
+
+-------------------------------------------------------------------
+Tue Dec 17 13:20:39 UTC 2024 - Aleksa Sarai <asarai@suse.com>
+
+- Update to docker-buildx 0.19.3. See upstream changelog online at
+  <https://github.com/docker/buildx/releases/tag/v0.19.3>
+
+-------------------------------------------------------------------
+Fri Dec 13 06:12:25 UTC 2024 - Aleksa Sarai <asarai@suse.com>
+
+- Update to Docker 27.4.0-ce. See upstream changelog online at
+  <https://docs.docker.com/engine/release-notes/27/#274>
+- Rebase patches:
+  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
+  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+  * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
+  * cli-0001-docs-include-required-tools-in-source-tree.patch
+- Remove upstreamed patches:
+  - 0006-bsc1221916-update-to-patched-buildkit-version-to-fix.patch
+  - 0007-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch
+
+-------------------------------------------------------------------
+Wed Dec 11 10:14:56 UTC 2024 - Aleksa Sarai <asarai@suse.com>
+
+- Update docker-buildx to v0.19.2. See upstream changelog online at
+  <https://github.com/docker/buildx/releases/tag/v0.19.2>.
+
+  Some notable changelogs from the last update:
+    * <https://github.com/docker/buildx/releases/tag/v0.19.0>
+    * <https://github.com/docker/buildx/releases/tag/v0.18.0>
+- Update to Go 1.22.
+
+-------------------------------------------------------------------
+Wed Dec 11 05:39:42 UTC 2024 - Aleksa Sarai <asarai@suse.com>
+
+- Add a new toggle file /etc/docker/suse-secrets-enable which allows users to
+  disable the SUSEConnect integration with Docker (which creates special mounts
+  in /run/secrets to allow container-suseconnect to authenticate containers
+  with registries on registered hosts). bsc#1231348 bsc#1232999
+
+  In order to disable these mounts, just do
+
+    echo 0 > /etc/docker/suse-secrets-enable
+
+  and restart Docker. In order to re-enable them, just do
+
+    echo 1 > /etc/docker/suse-secrets-enable
+
+  and restart Docker. Docker will output information on startup to tell you
+  whether the SUSE secrets feature is enabled or not.
+
+  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+
+-------------------------------------------------------------------
+Wed Nov 27 12:10:42 UTC 2024 - Aleksa Sarai <asarai@suse.com>
+
+- Disable docker-buildx builds for SLES. It turns out that build containers
+  with docker-buildx don't currently get the SUSE secrets mounts applied,
+  meaning that container-suseconnect doesn't work when building images.
+  bsc#1233819
+
+-------------------------------------------------------------------
+Wed Nov 20 05:34:38 UTC 2024 - Aleksa Sarai <asarai@suse.com>
+
+- Add docker-integration-tests-devel subpackage for building and running the
+  upstream Docker integration tests on machines to test that Docker works
+  properly. Users should not install this package.
+- docker-rpmlintrc updated to include allow-list for all of the integration
+  tests package, since it contains a bunch of stuff that wouldn't normally be
+  allowed.
+
+-------------------------------------------------------------------
+Tue Nov 12 06:34:28 UTC 2024 - Aleksa Sarai <asarai@suse.com>
+
+- Remove DOCKER_NETWORK_OPTS from docker.service. This was removed from
+  sysconfig a long time ago, and apparently this causes issues with systemd in
+  some cases.
+
+-------------------------------------------------------------------
+Wed Oct 16 22:24:52 UTC 2024 - Aleksa Sarai <asarai@suse.com>
+
+- Further merge docker and docker-stable specfiles to minimise the differences.
+  The main thing is that we now include both halves of the
+  Conflicts/Provides/Obsoletes dance in both specfiles.
+
+-------------------------------------------------------------------
+Wed Oct 16 05:37:14 UTC 2024 - Aleksa Sarai <asarai@suse.com>
+
+- Update to docker-buildx v0.17.1 to match standalone docker-buildx package we
+  are replacing. See upstream changelog online at
+  <https://github.com/docker/buildx/releases/tag/v0.17.1>
+
+-------------------------------------------------------------------
+Wed Sep 18 13:47:45 UTC 2024 - Ana Guerrero <ana.guerrero@suse.com>
+
+- Add %{_sysconfdir}/audit/rules.d to filelist.
+
+-------------------------------------------------------------------
+Sat Sep  7 06:07:50 UTC 2024 - Aleksa Sarai <asarai@suse.com>
+
+- Mark docker-buildx as required since classic "docker build" has been
+  deprecated since Docker 23.0. bsc#1230331
+- Import docker-buildx v0.16.2 as a subpackage. Previously this was a separate
+  package, but with docker-stable it will be necessary to maintain the packages
+  together and it makes more sense to have them live in the same OBS package.
+  bsc#1230333
+- Make some minor name macro updates to help with the docker-stable package
+  fork.
+
 -------------------------------------------------------------------
 Wed Jul 31 05:28:09 UTC 2024 - Aleksa Sarai <asarai@suse.com>
 
@@ -27,8 +484,8 @@ Wed Jul 31 04:58:15 UTC 2024 - Aleksa Sarai <asarai@suse.com>
   <https://docs.docker.com/engine/release-notes/25.0/#2506>
 - This update includes fixes for:
   * CVE-2024-41110. bsc#1228324
-  * CVE-2023-47108. bsc#1217070
+  * CVE-2023-47108. bsc#1217070 bsc#1229806
-  * CVE-2023-45142. bsc#1228553
+  * CVE-2023-45142. bsc#1228553 bsc#1229806
 - Rebase patches:
   * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
   * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
@@ -98,6 +555,7 @@ Mon Mar 25 12:34:56 UTC 2024 - Aleksa Sarai <asarai@suse.com>
 
 - Update to Docker 25.0.5-ce. See upstream changelog online at
   <https://docs.docker.com/engine/release-notes/25.0/#2505> bsc#1223409
+  bsc#1234089 CVE-2024-29018
 - Rebase patches:
   * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
   * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch

docker.service

@@ -16,7 +16,7 @@ EnvironmentFile=/etc/sysconfig/docker
 # enabled by default because enabling socket activation means that on boot your
 # containers won't start until someone tries to administer the Docker daemon.
 Type=notify
-ExecStart=/usr/bin/dockerd --add-runtime oci=/usr/sbin/runc $DOCKER_NETWORK_OPTIONS $DOCKER_OPTS
+ExecStart=/usr/bin/dockerd --add-runtime oci=/usr/sbin/runc $DOCKER_OPTS
 ExecReload=/bin/kill -s HUP $MAINPID
 
 # Having non-zero Limit*s causes performance problems due to accounting overhead

docker.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package docker
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,38 +16,71 @@
 #
 # nodebuginfo
 
+
 %bcond_without  apparmor
 
+# This subpackage is only used for testing by developers, and shouldn't be
+# built for actual users.
+%bcond_with     integration_tests
+
+%if 0%{?is_opensuse} == 0 && 0%{?suse_version} < 1600
+# SUSEConnect support ("SUSE secrets") only makes sense for SLES hosts.
+%bcond_without  suseconnect
+%else
+%bcond_with     suseconnect
+%endif
+# BuildKit (docker-buildx) is only provided for SLE >= 15 and openSUSE.
+%if 0%{?is_opensuse} || 0%{?suse_version} >= 1500
+%bcond_without  buildx
+%else
+%bcond_with     buildx
+%endif
+
+# The flavour is defined with a macro to try to keep docker and docker-stable
+# as similar as possible, to make maintenance a little easier.
+%define flavour %{nil}
+
 # Where important update information will be stored, such that an administrator
 # is guaranteed to see the relevant warning.
 %define update_messages %{_localstatedir}/adm/update-messages/%{name}-%{version}-%{release}
 
+# Test binaries.
+%define testdir /usr/src/docker-test
+
 #Compat macro for new _fillupdir macro introduced in Nov 2017
 %if ! %{defined _fillupdir}
   %define _fillupdir /var/adm/fillup-templates
 %endif
 
+# MANUAL: This needs to be updated with every docker update.
+%define docker_real_version 28.4.0
+%define docker_git_version 249d679a6
+%define docker_version %{docker_real_version}_ce
+# This "nice version" is so that docker --version gives a result that can be
+# parsed by other people. boo#1182476
+%define docker_nice_version %{docker_real_version}-ce
+
+%if %{with buildx}
+# MANUAL: This needs to be updated with every docker-buildx update.
+%define buildx_version 0.28.0
+%endif
+
 # Used when generating the "build" information for Docker version. The value of
 # git_commit_epoch is unused here (we use SOURCE_DATE_EPOCH, which rpm
 # helpfully injects into our build environment from the changelog). If you want
 # to generate a new git_commit_epoch, use this:
 #  $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s'
-%define real_version 26.1.5
+%define git_commit_epoch 1756931329
-%define git_version 411e817ddf71
-%define git_commit_epoch 1721763388
 
-Name:           docker
+Name:           docker%{flavour}
-Version:        %{real_version}_ce
+Version:        %{docker_version}
-# This "nice version" is so that docker --version gives a result that can be
-# parsed by other people. boo#1182476
-%define nice_version %{real_version}-ce
 Release:        0
 Summary:        The Moby-project Linux container runtime
 License:        Apache-2.0
 Group:          System/Management
 URL:            http://www.docker.io
-Source:         %{name}-%{version}_%{git_version}.tar.xz
+Source:         docker-%{docker_version}_%{docker_git_version}.tar.xz
-Source1:        %{name}-cli-%{version}.tar.xz
+Source1:        docker-cli-%{docker_version}.tar.xz
 Source3:        docker-rpmlintrc
 # TODO: Move these source files to somewhere nicer.
 Source100:      docker.service
@@ -58,48 +91,45 @@ Source130:      README_SUSE.md
 Source140:      docker-audit.rules
 Source150:      docker-daemon.json
 Source160:      docker.sysusers
+# docker-integration-tests-devel
+Source900:      docker-integration.sh
 # NOTE: All of these patches are maintained in <https://github.com/suse/docker>
 #       in the suse-v<version> branch. Make sure you update the patches in that
 #       branch and then git-format-patch the patch here.
 # SUSE-FEATURE: Adds the /run/secrets mountpoint inside all Docker containers
 #               which is not snapshotted when images are committed.
-Patch100:       0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+Patch100:       0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
-Patch101:       0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+Patch101:       0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+Patch102:       0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+Patch901:       cli-0001-openSUSE-point-users-to-docker-buildx-package.patch
+Patch902:       cli-0002-SECRETS-SUSE-default-to-DOCKER_BUILDKIT-0-for-docker.patch
 # UPSTREAM: Revert of upstream patch to keep SLE-12 build working.
-Patch200:       0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
+Patch200:       0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
 # UPSTREAM: Backport of <https://github.com/moby/moby/pull/41954>.
-Patch201:       0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+Patch201:       0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
 # UPSTREAM: Revert of upstream patches to make apparmor work on SLE 12.
-Patch202:       0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
+Patch202:       0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
-# UPSTREAM: Backport of <https://github.com/moby/buildkit/pull/4896> and
-#           <https://github.com/moby/buildkit/pull/5060>.
-Patch203:       0006-bsc1221916-update-to-patched-buildkit-version-to-fix.patch
-# UPSTREAM: Backport of <https://github.com/moby/moby/pull/48034>.
-Patch204:       0007-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch
-# UPSTREAM: Backport of <https://github.com/docker/cli/pull/4228>.
-Patch900:       cli-0001-docs-include-required-tools-in-source-tree.patch
 BuildRequires:  audit
 BuildRequires:  bash-completion
 BuildRequires:  ca-certificates
-BuildRequires:  device-mapper-devel >= 1.2.68
 BuildRequires:  fdupes
 %if %{with apparmor}
 BuildRequires:  libapparmor-devel
 %endif
+BuildRequires:  fish
+BuildRequires:  go-go-md2man
 BuildRequires:  libbtrfs-devel >= 3.8
 BuildRequires:  libseccomp-devel >= 2.2
 BuildRequires:  libtool
 BuildRequires:  linux-glibc-devel
 BuildRequires:  procps
 BuildRequires:  sqlite3-devel
-BuildRequires:  zsh
-BuildRequires:  fish
-BuildRequires:  go-go-md2man
-BuildRequires:  pkgconfig(libsystemd)
 BuildRequires:  sysuser-tools
-BuildRequires:  golang(API) = 1.21
+BuildRequires:  zsh
+BuildRequires:  golang(API) = 1.24
+BuildRequires:  pkgconfig(libsystemd)
 %if %{with apparmor}
-%if 0%{?sle_version} >= 150000
+%if 0%{?suse_version} >= 1500
 # This conditional only works on rpm>=4.13, which SLE 12 doesn't have. But we
 # don't need to support Docker+selinux for SLE 12 anyway.
 Requires:       (apparmor-parser or container-selinux)
@@ -113,13 +143,27 @@ Recommends:     apparmor-parser
 Requires:       apparmor-parser
 %endif
 %else
+%if 0%{?suse_version} >= 1500
+# This conditional only works on rpm>=4.13, which SLE 12 doesn't have. But we
+# don't need to support Docker+selinux for SLE 12 anyway.
+Requires:       (container-selinux if selinux-policy)
+%else
 Requires:       container-selinux
 %endif
+%endif
 Requires:       ca-certificates-mozilla
 # The docker-proxy binary used to be in a separate package. We obsolete it,
 # since now docker-proxy is maintained as part of this package.
 Obsoletes:      docker-libnetwork < 0.7.0.2
-Provides:       docker-libnetwork = 0.7.0.2.%{version}
+Provides:       docker-libnetwork = 0.7.0.2.%{docker_version}
+# docker-stable cannot be used alongside docker.
+%if "%{name}" == "docker-stable"
+Provides:       docker = %{docker_version}
+Obsoletes:      docker < %{docker_version}
+Conflicts:      docker
+%else
+Conflicts:      docker-stable
+%endif
 # Required to actually run containers. We require the minimum version that is
 # pinned by Docker, but in order to avoid headaches we allow for updates.
 Requires:       runc >= 1.1.9
@@ -127,25 +171,22 @@ Requires:       containerd >= 1.7.3
 # Needed for --init support. We don't use "tini", we use our own implementation
 # which handles edge-cases better.
 Requires:       catatonit
-# Provides mkfs.ext4 - used by Docker when devicemapper storage driver is used
-Requires:       e2fsprogs
 Requires:       iproute2 >= 3.5
 Requires:       iptables >= 1.4
 Requires:       procps
 Requires:       tar >= 1.26
 Requires:       xz >= 4.9
+%if %{with buildx}
+# Standard docker-build is deprecated, so require docker-buildx to avoid users
+# hitting bugs that have long since been fixed by docker-buildx. bsc#1230331
+Requires:       %{name}-buildx
+%endif
 %?sysusers_requires
 Requires(post): %fillup_prereq
 Requires(post): udev
 Requires(post): shadow
-# Not necessary, but must be installed when the underlying system is
-# configured to use lvm and the user doesn't explicitly provide a
-# different storage-driver than devicemapper
-Recommends:     lvm2 >= 2.2.89
-Recommends:     git-core >= 1.7
-# Required for "docker buildx" support.
-Recommends:     %{name}-buildx
 Recommends:     %{name}-rootless-extras
+Recommends:     git-core >= 1.7
 ExcludeArch:    s390 ppc
 
 %description
@@ -157,27 +198,95 @@ Docker is a great building block for automating distributed systems: large-scale
 web deployments, database clusters, continuous deployment systems, private PaaS,
 service-oriented architectures, etc.
 
+%if %{with buildx}
+%package buildx
+Version:        %{buildx_version}
+Summary:        Docker CLI plugin for extended build capabilities with BuildKit
+License:        Apache-2.0
+URL:            https://github.com/docker/buildx
+Source500:      docker-buildx-%{buildx_version}.tar.xz
+Group:          System/Management
+Requires:       %{name} >= 19.03.0_ce
+# docker-stable cannot be used alongside docker.
+%if "%{name}" == "docker-stable"
+Provides:       docker-buildx = %{buildx_version}
+Obsoletes:      docker-buildx < %{buildx_version}
+Conflicts:      docker-buildx
+%else
+Conflicts:      docker-stable-buildx
+%endif
+
+%description buildx
+buildx is a Docker CLI plugin for extended build capabilities with BuildKit.
+
+Key features:
+- Familiar UI from docker build
+- Full BuildKit capabilities with container driver
+- Multiple builder instance support
+- Multi-node builds for cross-platform images
+- Compose build support
+- High-level build constructs (bake)
+- In-container driver support (both Docker and Kubernetes)
+%endif
+
 %package rootless-extras
 Summary:        Rootless support for Docker
 Group:          System/Management
-Requires:       %{name} = %{version}
+Requires:       %{name} = %{docker_version}
-Requires:       slirp4netns >= 0.4
 Requires:       fuse-overlayfs >= 0.7
 Requires:       rootlesskit
+Requires:       slirp4netns >= 0.4
 BuildArch:      noarch
+# docker-stable cannot be used alongside docker.
+%if "%{name}" == "docker-stable"
+Provides:       docker-rootless-extras = %{docker_version}
+Obsoletes:      docker-rootless-extras < %{docker_version}
+Conflicts:      docker-rootless-extras
+%else
+Conflicts:      docker-stable-rootless-extras
+%endif
 
 %description rootless-extras
 Rootless support for Docker.
 Use dockerd-rootless.sh to run the daemon.
 Use dockerd-rootless-setuptool.sh to setup systemd for dockerd-rootless.sh.
 
+%if %{with integration_tests}
+%package integration-tests-devel
+Summary:        Rootless support for Docker
+Group:          TestSuite
+Requires:       %{name} = %{docker_version}
+Requires:       containerd-ctr
+Requires:       curl
+Requires:       gcc
+Requires:       git
+Requires:       glibc-devel-static
+Requires:       go
+Requires:       jq
+Requires:       libcap-progs
+
+%description integration-tests-devel
+Integration testing binaries for Docker.
+
+THIS PACKAGE SHOULD NOT BE INSTALLED BY END-USERS, IT IS ONLY INTENDED FOR
+INTERNAL DEVELOPMENT OF THE DOCKER PACKAGE FOR (OPEN)SUSE.
+%endif
+
 %package bash-completion
 Summary:        Bash Completion for %{name}
 Group:          System/Shells
-Requires:       %{name} = %{version}
+Requires:       %{name} = %{docker_version}
 Requires:       bash-completion
 Supplements:    packageand(%{name}:bash-completion)
 BuildArch:      noarch
+# docker-stable cannot be used alongside docker.
+%if "%{name}" == "docker-stable"
+Provides:       docker-bash-completion = %{docker_version}
+Obsoletes:      docker-bash-completion < %{docker_version}
+Conflicts:      docker-bash-completion
+%else
+Conflicts:      docker-stable-bash-completion
+%endif
 
 %description bash-completion
 Bash command line completion support for %{name}.
@@ -185,10 +294,18 @@ Bash command line completion support for %{name}.
 %package zsh-completion
 Summary:        Zsh Completion for %{name}
 Group:          System/Shells
-Requires:       %{name} = %{version}
+Requires:       %{name} = %{docker_version}
 Requires:       zsh
 Supplements:    packageand(%{name}:zsh)
 BuildArch:      noarch
+# docker-stable cannot be used alongside docker.
+%if "%{name}" == "docker-stable"
+Provides:       docker-zsh-completion = %{docker_version}
+Obsoletes:      docker-zsh-completion < %{docker_version}
+Conflicts:      docker-zsh-completion
+%else
+Conflicts:      docker-stable-zsh-completion
+%endif
 
 %description zsh-completion
 Zsh command line completion support for %{name}.
@@ -196,33 +313,55 @@ Zsh command line completion support for %{name}.
 %package fish-completion
 Summary:        Fish completion for %{name}
 Group:          System/Shells
-Requires:       %{name} = %{version}
+Requires:       %{name} = %{docker_version}
 Requires:       fish
 Supplements:    packageand(%{name}:fish)
 BuildArch:      noarch
+# docker-stable cannot be used alongside docker.
+%if "%{name}" == "docker-stable"
+Provides:       docker-fish-completion = %{docker_version}
+Obsoletes:      docker-fish-completion < %{docker_version}
+Conflicts:      docker-fish-completion
+%else
+Conflicts:      docker-stable-fish-completion
+%endif
 
 %description fish-completion
 Fish command line completion support for %{name}.
 
 %prep
 # docker-cli
-%define cli_builddir %{_builddir}/%{name}-cli-%{version}
+%define cli_builddir %{_builddir}/docker-cli-%{docker_version}
-%setup -q -T -b 1 -n %{name}-cli-%{version}
+%setup -q -T -b 1 -n docker-cli-%{docker_version}
 [ "%{cli_builddir}" = "$PWD" ]
-# offline manpages
+%if %{with buildx}
-%patch -P900 -p1
+%patch -P901 -p1
+%if %{with suseconnect}
+# PATCH-SUSE: Secrets patch for docker-build.
+%patch -P902 -p1
+%endif
+%endif
+
+%if %{with buildx}
+# docker-buildx
+%define buildx_builddir %{_builddir}/docker-buildx-%{buildx_version}
+%setup -q -T -b 500 -n docker-buildx-%{buildx_version}
+[ "%{buildx_builddir}" = "$PWD" ]
+%endif
 
 # docker
-%define docker_builddir %{_builddir}/%{name}-%{version}_%{git_version}
+%define docker_builddir %{_builddir}/docker-%{docker_version}_%{docker_git_version}
-%setup -q -n %{name}-%{version}_%{git_version}
+%setup -q -n docker-%{docker_version}_%{docker_git_version}
 [ "%{docker_builddir}" = "$PWD" ]
 # README_SUSE.md for documentation.
 cp %{SOURCE130} .
 
-%if 0%{?is_opensuse} == 0
+# bsc#1244035 (secrets patch to remove unreferenced secrets -- always applies).
-# PATCH-SUSE: Secrets patches.
 %patch -P100 -p1
+%if %{with suseconnect}
+# PATCH-SUSE: Secrets patches.
 %patch -P101 -p1
+%patch -P102 -p1
 %endif
 %if 0%{?sle_version} == 120000
 # Patches to build on SLE-12.
@@ -232,22 +371,11 @@ cp %{SOURCE130} .
 %patch -P201 -p1
 # Solves apparmor issues on SLE-12, but okay for newer SLE versions too.
 %patch -P202 -p1
-# bsc#1221916
-%patch -P203 -p1
-# bsc#1214855
-%patch -P204 -p1
 
 %build
-%sysusers_generate_pre %{SOURCE160} %{name} %{name}.conf
+%sysusers_generate_pre %{SOURCE160} %{name} docker.conf
 
-BUILDTAGS="exclude_graphdriver_aufs apparmor selinux seccomp pkcs11"
+BUILDTAGS="apparmor selinux seccomp pkcs11"
-%if 0%{?sle_version} == 120000
-	# Allow us to build with older distros but still have deferred removal
-	# support at runtime. We only use this when building on SLE12, because
-	# later openSUSE/SLE versions have a new enough libdevicemapper to not
-	# require the runtime checking.
-	BUILDTAGS="libdm_dlsym_deferred_remove $BUILDTAGS"
-%endif
 
 export AUTO_GOPATH=1
 # Make sure we always build PIC code. bsc#1048046
@@ -255,9 +383,9 @@ export BUILDFLAGS="-buildmode=pie"
 # Specify all of the versioning information. We use SOURCE_DATE_EPOCH if it's
 # been injected by rpmbuild, otherwise we use the hardcoded git_commit_epoch
 # generated above. boo#1064781
-export VERSION="%{nice_version}"
+export VERSION="%{docker_nice_version}"
-export DOCKER_GITCOMMIT="%{git_version}"
+export DOCKER_GITCOMMIT="%{docker_git_version}"
-export GITCOMMIT="%{git_version}"
+export GITCOMMIT="%{docker_git_version}"
 export SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-%{git_commit_epoch}}"
 export BUILDTIME="$(date -u -d "@$SOURCE_DATE_EPOCH" --rfc-3339 ns 2>/dev/null | sed -e 's/ /T/')"
 
@@ -267,9 +395,26 @@ export BUILDTIME="$(date -u -d "@$SOURCE_DATE_EPOCH" --rfc-3339 ns 2>/dev/null |
 
 pushd "%{docker_builddir}"
 # use go module for build
-ln -s {vendor,go}.mod
+cp {vendor,go}.mod
-ln -s {vendor,go}.sum
+cp {vendor,go}.sum
 ./hack/make.sh dynbinary
+# dockerd man page
+GO_MD2MAN=go-md2man make -C ./man/
+
+%if %{with integration_tests}
+# build test binaries for integration tests
+readarray -t integration_dirs \
+	<<<"$(go list -test -f '{{- if ne .ForTest "" -}}{{- .Dir -}}{{- end -}}' ./integration/... ./integration-cli/...)"
+for dir in "${integration_dirs[@]}"
+do
+	pushd "$dir"
+	go test -c -buildmode=pie -tags "$BUILDTAGS" -o test.main .
+	popd
+done
+# Update __DOCKER_BUILDIR in the integration testing script.
+sed -i 's|^__DOCKER_BUILDIR=.*|__DOCKER_BUILDIR=%{docker_builddir}|g' "%{SOURCE900}"
+%endif
+
 popd
 
 ###################
@@ -278,11 +423,26 @@ popd
 
 pushd "%{cli_builddir}"
 # use go module for build
-ln -s {vendor,go}.mod
+cp {vendor,go}.mod
-ln -s {vendor,go}.sum
+cp {vendor,go}.sum
 make DISABLE_WARN_OUTSIDE_CONTAINER=1 dynbinary manpages
 popd
 
+%if %{with buildx}
+###################
+## DOCKER BUILDX ##
+###################
+
+pushd "%{buildx_builddir}"
+make \
+	CGO_ENABLED=1 \
+	VERSION="%{buildx_version}" \
+	REVISION="v%{buildx_version}" \
+	GO_EXTRA_FLAGS="-buildmode=pie" \
+	build
+popd
+%endif
+
 %install
 install -Dd -m0755 \
 	%{buildroot}%{_sysconfdir}/init.d \
@@ -296,48 +456,66 @@ install -D -m0755 %{docker_builddir}/bundles/dynbinary-daemon/docker-proxy %{bui
 
 # cli-plugins/
 install -d %{buildroot}/usr/lib/docker/cli-plugins
+%if %{with buildx}
+# buildx plugin
+install -D -m0755 %{buildx_builddir}/bin/build/docker-buildx %{buildroot}/usr/lib/docker/cli-plugins/docker-buildx
+%endif
 
 # /var/lib/docker
 install -d %{buildroot}/%{_localstatedir}/lib/docker
 # daemon.json config file
 install -D -m0644 %{SOURCE150} %{buildroot}%{_sysconfdir}/docker/daemon.json
+%if %{with suseconnect}
+# SUSE-specific config file
+echo 1 > %{buildroot}%{_sysconfdir}/docker/suse-secrets-enable
+%endif
 
 # docker cli
 install -D -m0755 %{cli_builddir}/build/docker %{buildroot}/%{_bindir}/docker
-install -D -m0644 %{cli_builddir}/contrib/completion/bash/docker "%{buildroot}%{_datarootdir}/bash-completion/completions/%{name}"
+install -D -m0644 %{cli_builddir}/contrib/completion/bash/docker "%{buildroot}%{_datarootdir}/bash-completion/completions/docker"
-install -D -m0644 %{cli_builddir}/contrib/completion/zsh/_docker "%{buildroot}%{_sysconfdir}/zsh_completion.d/_%{name}"
+install -D -m0644 %{cli_builddir}/contrib/completion/zsh/_docker "%{buildroot}%{_sysconfdir}/zsh_completion.d/_docker"
-install -D -m0644 %{cli_builddir}/contrib/completion/fish/docker.fish "%{buildroot}/%{_datadir}/fish/vendor_completions.d/%{name}.fish"
+install -D -m0644 %{cli_builddir}/contrib/completion/fish/docker.fish "%{buildroot}/%{_datadir}/fish/vendor_completions.d/docker.fish"
 
 # systemd service
-install -D -m0644 %{SOURCE100} %{buildroot}%{_unitdir}/%{name}.service
+install -D -m0644 %{SOURCE100} %{buildroot}%{_unitdir}/docker.service
-install -D -m0644 %{SOURCE101} %{buildroot}%{_unitdir}/%{name}.socket
+install -D -m0644 %{SOURCE101} %{buildroot}%{_unitdir}/docker.socket
 ln -sf service %{buildroot}%{_sbindir}/rcdocker
 
 # udev rules that prevents dolphin to show all docker devices and slows down
 # upstream report https://bugs.kde.org/show_bug.cgi?id=329930
-install -D -m0644 %{SOURCE110} %{buildroot}%{_udevrulesdir}/80-%{name}.rules
+install -D -m0644 %{SOURCE110} %{buildroot}%{_udevrulesdir}/80-docker.rules
 
 # audit rules
-install -D -m0640 %{SOURCE140} %{buildroot}%{_sysconfdir}/audit/rules.d/%{name}.rules
+install -D -m0640 %{SOURCE140} %{buildroot}%{_sysconfdir}/audit/rules.d/docker.rules
 
 # sysconfig file
 install -D -m0644 %{SOURCE120} %{buildroot}%{_fillupdir}/sysconfig.docker
 
 # install manpages (using the ones from the engine)
-install -d %{buildroot}%{_mandir}/man1
+for mansrcdir in %{cli_builddir}/man/man[1-9] %{docker_builddir}/man/man[1-9]
-install -p -m0644 %{cli_builddir}/man/man1/*.1 %{buildroot}%{_mandir}/man1
+do
-install -d %{buildroot}%{_mandir}/man5
+	section="$(basename $mansrcdir)"
-install -p -m0644 %{cli_builddir}/man/man5/Dockerfile.5 %{buildroot}%{_mandir}/man5
+	install -d %{buildroot}%{_mandir}/$section
-install -d %{buildroot}%{_mandir}/man8
+	install -p -m0644 $mansrcdir/* %{buildroot}%{_mandir}/$section
-install -p -m0644 %{cli_builddir}/man/man8/*.8 %{buildroot}%{_mandir}/man8
+done
 
 # sysusers.d
-install -D -m0644 %{SOURCE160} %{buildroot}%{_sysusersdir}/%{name}.conf
+install -D -m0644 %{SOURCE160} %{buildroot}%{_sysusersdir}/docker.conf
 
 # rootless extras
 install -D -p -m 0755 contrib/dockerd-rootless.sh %{buildroot}/%{_bindir}/dockerd-rootless.sh
 install -D -p -m 0755 contrib/dockerd-rootless-setuptool.sh %{buildroot}/%{_bindir}/dockerd-rootless-setuptool.sh
 
+%if %{with integration_tests}
+# integration tests
+install -d %{buildroot}%{testdir}
+cp -ar %{docker_builddir} %{buildroot}%{testdir}/src
+install -d %{buildroot}%{testdir}/bin
+install -D -p -m 0755 %{SOURCE900} %{buildroot}%{testdir}/docker-integration.sh
+# remove all of the non-test binaries in bundles/
+rm -rfv %{buildroot}%{testdir}/src/bundles/
+%endif
+
 %fdupes %{buildroot}
 
 %pre -f %{name}.pre
@@ -356,17 +534,17 @@ grep -q '^dockremap:' /etc/subgid || \
 	usermod -w 100000000-200000000 dockremap &>/dev/null || \
 	echo "dockremap:100000000:100000001" >>/etc/subgid ||:
 
-%service_add_pre %{name}.service %{name}.socket
+%service_add_pre docker.service docker.socket
 
 %post
-%service_add_post %{name}.service %{name}.socket
+%service_add_post docker.service docker.socket
 %{fillup_only -n docker}
 
 %preun
-%service_del_preun %{name}.service %{name}.socket
+%service_del_preun docker.service docker.socket
 
 %postun
-%service_del_postun %{name}.service %{name}.socket
+%service_del_postun docker.service docker.socket
 
 %files
 %defattr(-,root,root)
@@ -381,37 +559,50 @@ grep -q '^dockremap:' /etc/subgid || \
 %dir /usr/lib/docker
 %dir /usr/lib/docker/cli-plugins
 
-%{_unitdir}/%{name}.service
+%{_unitdir}/docker.service
-%{_unitdir}/%{name}.socket
+%{_unitdir}/docker.socket
-%{_sysusersdir}/%{name}.conf
+%{_sysusersdir}/docker.conf
 
 %dir %{_sysconfdir}/docker
 %config(noreplace) %{_sysconfdir}/docker/daemon.json
+%if %{with suseconnect}
+%config(noreplace) %{_sysconfdir}/docker/suse-secrets-enable
+%endif
 %{_fillupdir}/sysconfig.docker
 
-%config %{_sysconfdir}/audit/rules.d/%{name}.rules
+%dir %attr(750,root,root) %{_sysconfdir}/audit/rules.d
-%{_udevrulesdir}/80-%{name}.rules
+%config %{_sysconfdir}/audit/rules.d/docker.rules
+%{_udevrulesdir}/80-docker.rules
 
-%{_mandir}/man1/docker-*.1%{ext_man}
+%{_mandir}/man*/*%{ext_man}
-%{_mandir}/man1/docker.1%{ext_man}
+
-%{_mandir}/man5/Dockerfile.5%{ext_man}
+%if %{with buildx}
-%{_mandir}/man8/dockerd.8%{ext_man}
+%files buildx
+%defattr(-,root,root)
+/usr/lib/docker/cli-plugins/docker-buildx
+%endif
 
 %files rootless-extras
 %defattr(-,root,root)
 %{_bindir}/dockerd-rootless.sh
 %{_bindir}/dockerd-rootless-setuptool.sh
 
+%if %{with integration_tests}
+%files integration-tests-devel
+%defattr(-,root,root)
+%{testdir}
+%endif
+
 %files bash-completion
 %defattr(-,root,root)
-%{_datarootdir}/bash-completion/completions/%{name}
+%{_datarootdir}/bash-completion/completions/docker
 
 %files zsh-completion
 %defattr(-,root,root)
-%{_sysconfdir}/zsh_completion.d/_%{name}
+%{_sysconfdir}/zsh_completion.d/_docker
 
 %files fish-completion
 %defattr(-,root,root)
-%{_datadir}/fish/vendor_completions.d/%{name}.fish
+%{_datadir}/fish/vendor_completions.d/docker.fish
 
 %changelog