File cli-0002-SECRETS-SUSE-default-to-DOCKER_BUILDKIT-0-for-docker.patch of Package docker

From b7fb811f2c032bdd42b914aa00dc2a793ddb003f Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <cyphar@cyphar.com>
Date: Fri, 15 Aug 2025 19:55:53 +1000
Subject: [PATCH 2/2] SECRETS: SUSE: default to DOCKER_BUILDKIT=0 for "docker
 build"

For systems with SUSEConnect auto-injection enabled, docker-buildx does
not include our injected secrets. For SLE15 and earlier, enabling
"docker build" to auto-switch to "docker buildx build" would thus break
existing users of the feature.

So, make DOCKER_BUILDKIT=0 the default. Users can still opt-in to using
BuildKit with DOCKER_BUILDKIT=1 or using subcommands like "docker bake"
or "docker buildx $foo", but existing users won't be broken by the
change.

Users that do switch to BuildKit can inject SCC credentials in a far more
deliberate (and thus more secure) manner by using

  RUN --mount=type=secret,id=SCCcredentials zypper -n ...

in their Dockerfiles, and then using

  docker buildx build --secret id=SCCcredentials,src=/etc/zypp/credentials.d/SCCcredentials,type=file .

for their builds.

SUSE-Bug: https://jira.suse.com/browse/PED-12534
SUSE-Bug: https://jira.suse.com/browse/PED-8905
SUSE-Bug: https://bugzilla.suse.com/show_bug.cgi?id=1247594
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
---
 cmd/docker/builder.go | 28 +++++++++++++++++++++++-----
 1 file changed, 23 insertions(+), 5 deletions(-)

diff --git a/cmd/docker/builder.go b/cmd/docker/builder.go
index ff3becd1c9e7..61306cc6785e 100644
--- a/cmd/docker/builder.go
+++ b/cmd/docker/builder.go
@@ -23,9 +23,19 @@
             Install the docker-buildx package to build images with BuildKit:
             https://docs.docker.com/go/buildx/`
 
-	buildkitDisabledWarning = `DEPRECATED: The legacy builder is deprecated and will be removed in a future release.
-            BuildKit is currently disabled; enable it by removing the DOCKER_BUILDKIT=0
-            environment-variable.`
+	buildkitDisabledWarning = `INFORMATION: This version of Docker has been patched by SUSE.
+        These patches allow for automatic access to the host SUSE subscription
+        inside containers, allowing for customers to create derived images with
+        "docker build" using SUSE packages. However, this feature is
+        incompatible with BuildKit and so "docker build" will use the legacy
+        builder by default. In order to disable this message and continue using
+        the legacy builder, set the DOCKER_BUILDKIT=0 environment-variable.
+
+        In order to opt-in to using BuildKit, set the DOCKER_BUILDKIT=1
+        environment-variable. See the SLE16 documentation for information on
+        how to switch to BuildKit while still maintaining access to SCC
+        credentials. In order to use BuildKit, you must have the docker-buildx
+        package installed.`
 
 	buildxMissingError = `ERROR: BuildKit is enabled but the buildx component is missing or broken.
        Install the docker-buildx package to build images with BuildKit:
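Review bot: the replacement `buildkitDisabledWarning` text drops the upstream DEPRECATED notice entirely, so a user who follows the message's own advice and sets DOCKER_BUILDKIT=0 is never told that the legacy builder is slated for removal; consider keeping one sentence of the old text ("The legacy builder is deprecated and will be removed in a future release.") next to the SUSE information. Two smaller points in the same string: "See the SLE16 documentation" gives no URL, whereas the neighbouring `buildxMissingError` links https://docs.docker.com/go/buildx/, and "environment-variable" (three occurrences, one inherited from the old text) should read "environment variable".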
@@ -48,7 +58,7 @@ func newBuilderError(errorMsg string, pluginLoadErr error) error {
 
 //nolint:gocyclo
 func processBuilder(dockerCli command.Cli, cmd *cobra.Command, args, osargs []string) ([]string, []string, []string, error) {
-	var buildKitDisabled, useBuilder, useAlias bool
+	var buildKitDisabled, showDisabledWarning, useBuilder, useAlias bool
 	var envs []string
 
 	// check DOCKER_BUILDKIT env var is not empty
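Review bot: naming point on the new `showDisabledWarning` variable: from the later hunks it is set only in the branch where DOCKER_BUILDKIT is unset, so what it really records is "the user made no explicit choice"; either a name that says that (for example `buildKitUnset`) or a one-line comment at this declaration would make the later `if showDisabledWarning && ...` condition self-explanatory without reading the assignment site.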
@@ -63,6 +73,14 @@ func processBuilder(dockerCli command.Cli, cmd *cobra.Command, args, osargs []st
 		} else {
 			useBuilder = true
 		}
+	} else {
+		// SUSE: Disable automatic usage of docker-buildx if unspecified (for
+		// pre-SLE16) to maintain support for SUSEConnect auto-injection. If a
+		// user specifies DOCKER_BUILDKIT=1 manually, that's up to them.
+		buildKitDisabled = true
+		// Only show the disabled "warning" when the user hasn't explicitly
+		// opted into DOCKER_BUILDKIT=0.
+		showDisabledWarning = true
 	}
 	// docker bake always requires buildkit; ignore "DOCKER_BUILDKIT=0".
 	if buildKitDisabled && len(args) > 0 && args[0] == "bake" {
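Review bot: the comment in the new `else` branch says the default is disabled "(for pre-SLE16)", but the code is unconditional: nothing here checks the product version or whether SUSEConnect auto-injection is actually configured, so the legacy builder becomes the default on every build of this patched package. Either reword the comment to say that the patch itself is only carried for pre-SLE16 packages, or gate `buildKitDisabled = true` on a build tag or runtime condition. Worth one more line in the comment: the `bake` exception immediately below still forces BuildKit, so `docker bake` users lose the auto-injected credentials silently, which matches the commit message but is not obvious from the code.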
@@ -102,7 +120,7 @@ func processBuilder(dockerCli command.Cli, cmd *cobra.Command, args, osargs []st
 		// is deprecated. For Windows / WCOW, BuildKit is still experimental,
 		// so we don't print this warning, even if the daemon advertised that
 		// it supports BuildKit.
-		if dockerCli.ServerInfo().OSType != "windows" {
+		if showDisabledWarning && dockerCli.ServerInfo().OSType != "windows" {
 			_, _ = fmt.Fprintf(dockerCli.Err(), "%s\n\n", buildkitDisabledWarning)
 		}
 		return args, osargs, nil, nil
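Review bot: the unchanged comment immediately above the modified `if` still describes the message as a deprecation warning ("is deprecated ... so we don't print this warning"), but the text printed here is now an informational notice about SUSE credential injection; update the comment to match. The `OSType != "windows"` exclusion also now means WCOW users of a patched build get neither the SUSE notice nor any hint that DOCKER_BUILDKIT defaults to 0 (the `buildKitDisabled = true` default applies regardless of OS); if that is intentional, say so in the comment.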
-- 
2.51.0
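The commit message describes the BuildKit-native way of passing SCC credentials (a `RUN --mount=type=secret` step plus `docker buildx build --secret ...`) as the deliberate, more secure alternative to auto-injection. The following is an added example, not part of the SUSE patch or of the docker project: it writes such a Dockerfile, prints the matching build command, and adds a small lint that a CI job can run to confirm the credential file is consumed through a secret mount rather than copied into an image layer. The base image name and the package installed are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example (not the SUSE patch's or docker's own code). Shows the
# secret-mount workflow from the commit message and a lint for Dockerfiles.
set -eu

# Write a Dockerfile that consumes SCC credentials via a BuildKit secret mount.
# The secret is visible only to that RUN step and is not stored in any layer.
# Base image and package are assumed values for the example.
write_secret_dockerfile() {
  cat > "$1" <<'EOF'
FROM registry.suse.com/suse/sle15
RUN --mount=type=secret,id=SCCcredentials zypper -n install vim
EOF
}

# The build command that supplies the secret from the host credentials file
# (path as given in the commit message). Printed rather than executed so the
# example runs without a Docker daemon.
secret_build_cmd() {
  printf '%s\n' 'docker buildx build --secret id=SCCcredentials,src=/etc/zypp/credentials.d/SCCcredentials,type=file .'
}

# Lint: return 1 if the Dockerfile bakes SCCcredentials into a layer via
# COPY/ADD, 0 if it uses a secret mount, 2 if it does not reference the
# credentials at all (nothing to check).
lint_dockerfile() {
  f="$1"
  if grep -Eq '^[[:space:]]*(COPY|ADD)[[:space:]].*SCCcredentials' "$f"; then
    echo "BAD: $f copies SCCcredentials into an image layer" >&2
    return 1
  fi
  if grep -Eq '^[[:space:]]*RUN[[:space:]]+--mount=type=secret,id=SCCcredentials' "$f"; then
    echo "OK: $f consumes SCCcredentials through a BuildKit secret mount"
    return 0
  fi
  echo "INFO: $f does not reference SCCcredentials" >&2
  return 2
}
```

Run `lint_dockerfile path/to/Dockerfile` in CI before `docker buildx build`; a non-zero result on a file that mentions the credentials means the build would leave them in the image history, which is exactly what the secret mount avoids.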
