File docker.spec of Package docker
```
#
# spec file for package docker
#
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
# nodebuginfo
%bcond_without apparmor
# This subpackage is only used for testing by developers, and shouldn't be
# built for actual users.
%bcond_with integration_tests
%if 0%{?is_opensuse} == 0 && 0%{?suse_version} < 1600
# SUSEConnect support ("SUSE secrets") only makes sense for SLES hosts.
%bcond_without suseconnect
%else
%bcond_with suseconnect
%endif
# BuildKit (docker-buildx) is only provided for SLE >= 15 and openSUSE.
%if 0%{?is_opensuse} || 0%{?suse_version} >= 1500
%bcond_without buildx
%else
%bcond_with buildx
%endif
# The flavour is defined with a macro to try to keep docker and docker-stable
# as similar as possible, to make maintenance a little easier.
%define flavour %{nil}
# Where important update information will be stored, such that an administrator
# is guaranteed to see the relevant warning.
%define update_messages %{_localstatedir}/adm/update-messages/%{name}-%{version}-%{release}
# Test binaries.
%define testdir /usr/src/docker-test
#Compat macro for new _fillupdir macro introduced in Nov 2017
%if ! %{defined _fillupdir}
%define _fillupdir /var/adm/fillup-templates
%endif
# MANUAL: This needs to be updated with every docker update.
%define docker_real_version 29.2.1
%define docker_git_version 6bc6209b88
%define docker_version %{docker_real_version}_ce
# This "nice version" is so that docker --version gives a result that can be
# parsed by other people. boo#1182476
%define docker_nice_version %{docker_real_version}-ce
%if %{with buildx}
# MANUAL: This needs to be updated with every docker-buildx update.
%define buildx_version 0.31.1
%endif
# Used when generating the "build" information for Docker version. The value of
# git_commit_epoch is unused here (we use SOURCE_DATE_EPOCH, which rpm
# helpfully injects into our build environment from the changelog). If you want
# to generate a new git_commit_epoch, use this:
# $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s'
%define git_commit_epoch 1770050380
Name: docker%{flavour}
Version: %{docker_version}
Release: 0
Summary: The Moby-project Linux container runtime
License: Apache-2.0
Group: System/Management
URL: http://www.docker.io
Source: docker-%{docker_version}_%{docker_git_version}.tar.xz
Source1: docker-cli-%{docker_version}.tar.xz
Source3: docker-rpmlintrc
# TODO: Move these source files to somewhere nicer.
Source100: docker.service
Source101: docker.socket
Source110: 80-docker.rules
Source120: sysconfig.docker
Source130: README_SUSE.md
Source140: docker-audit.rules
Source150: docker-daemon.json
Source160: docker.sysusers
%if 0%{?suse_version} >= 1500
Source170: docker.tmpfiles
%endif
# docker-integration-tests-devel
Source900: docker-integration.sh
# NOTE: All of these patches are maintained in <https://github.com/suse/docker>
# in the suse-v<version> branch. Make sure you update the patches in that
# branch and then git-format-patch the patch here.
# SUSE-FEATURE: Adds the /run/secrets mountpoint inside all Docker containers
# which is not snapshotted when images are committed.
Patch100: 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
Patch101: 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
Patch102: 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
Patch901: cli-0001-openSUSE-point-users-to-docker-buildx-package.patch
Patch902: cli-0002-SECRETS-SUSE-default-to-DOCKER_BUILDKIT-0-for-docker.patch
# UPSTREAM: Revert of upstream patch to keep SLE-12 build working.
Patch200: 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
# UPSTREAM: Backport of <https://github.com/moby/moby/pull/41954>.
Patch201: 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
# UPSTREAM: Revert of upstream patches to make apparmor work on SLE 12.
Patch202: 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
Patch300: CVE-2024-24557-moby-cache-poisoning.patch
BuildRequires: audit
BuildRequires: bash-completion
BuildRequires: ca-certificates
BuildRequires: fdupes
%if %{with apparmor}
BuildRequires: libapparmor-devel
%endif
BuildRequires: fish
BuildRequires: go-go-md2man
BuildRequires: libbtrfs-devel >= 3.8
BuildRequires: libseccomp-devel >= 2.2
BuildRequires: libtool
BuildRequires: linux-glibc-devel
BuildRequires: procps
BuildRequires: sqlite3-devel
BuildRequires: sysuser-tools
BuildRequires: zsh
BuildRequires: golang(API) >= 1.25
BuildRequires: pkgconfig(libsystemd)
BuildRequires: pkgconfig(libnftables)
%if %{with apparmor}
%if 0%{?suse_version} >= 1500
# This conditional only works on rpm>=4.13, which SLE 12 doesn't have. But we
# don't need to support Docker+selinux for SLE 12 anyway.
Requires: (container-selinux if selinux-policy)
Requires: (apparmor-parser or container-selinux)
# This recommends is added to make sure that even if you have container-selinux
# installed you will still be prompted to install apparmor-parser which Docker
# requires to apply AppArmor profiles (for SELinux systems this doesn't matter
# but if you switch back to AppArmor on reboot this would result in insecure
# containers).
Recommends: apparmor-parser
%else
Requires: apparmor-parser
%endif
%else
%if 0%{?suse_version} >= 1500
# This conditional only works on rpm>=4.13, which SLE 12 doesn't have. But we
# don't need to support Docker+selinux for SLE 12 anyway.
Requires: (container-selinux if selinux-policy)
%else
Requires: container-selinux
%endif
%endif
Requires: ca-certificates-mozilla
# The docker-proxy binary used to be in a separate package. We obsolete it,
# since now docker-proxy is maintained as part of this package.
Obsoletes: docker-libnetwork < 0.7.0.2
Provides: docker-libnetwork = 0.7.0.2.%{docker_version}
# docker-stable cannot be used alongside docker.
%if "%{name}" == "docker-stable"
Provides: docker = %{docker_version}
Obsoletes: docker < %{docker_version}
Conflicts: docker
%else
Conflicts: docker-stable
%endif
# Required to actually run containers. We require the minimum version that is
# pinned by Docker, but in order to avoid headaches we allow for updates.
Requires: runc >= 1.1.9
Requires: containerd >= 1.7.3
# Needed for --init support. We don't use "tini", we use our own implementation
# which handles edge-cases better.
Requires: catatonit
Requires: iproute2 >= 3.5
Requires: iptables >= 1.4
Requires: procps
Requires: tar >= 1.26
Requires: xz >= 4.9
%if %{with buildx}
# Standard docker-build is deprecated, so require docker-buildx to avoid users
# hitting bugs that have long since been fixed by docker-buildx. bsc#1230331
Requires: %{name}-buildx
%endif
%?sysusers_requires
Requires(post): %fillup_prereq
Requires(post): udev
Requires(post): shadow
Recommends: %{name}-rootless-extras
ExcludeArch: s390 ppc
%description
Docker complements LXC with a high-level API which operates at the process
level. It runs unix processes with strong guarantees of isolation and
repeatability across servers.
Docker is a great building block for automating distributed systems: large-scale
web deployments, database clusters, continuous deployment systems, private PaaS,
service-oriented architectures, etc.
%if %{with buildx}
%package buildx
Version: %{buildx_version}
Summary: Docker CLI plugin for extended build capabilities with BuildKit
License: Apache-2.0
URL: https://github.com/docker/buildx
Source500: docker-buildx-%{buildx_version}.tar.xz
Group: System/Management
Requires: %{name} >= 19.03.0_ce
# docker-stable cannot be used alongside docker.
%if "%{name}" == "docker-stable"
Provides: docker-buildx = %{buildx_version}
Obsoletes: docker-buildx < %{buildx_version}
Conflicts: docker-buildx
%else
Conflicts: docker-stable-buildx
%endif
%description buildx
buildx is a Docker CLI plugin for extended build capabilities with BuildKit.
Key features:
- Familiar UI from docker build
- Full BuildKit capabilities with container driver
- Multiple builder instance support
- Multi-node builds for cross-platform images
- Compose build support
- High-level build constructs (bake)
- In-container driver support (both Docker and Kubernetes)
%endif
%package rootless-extras
Summary: Rootless support for Docker
Group: System/Management
Requires: %{name} = %{docker_version}
Requires: fuse-overlayfs >= 0.7
Requires: rootlesskit
Requires: slirp4netns >= 0.4
BuildArch: noarch
# docker-stable cannot be used alongside docker.
%if "%{name}" == "docker-stable"
Provides: docker-rootless-extras = %{docker_version}
Obsoletes: docker-rootless-extras < %{docker_version}
Conflicts: docker-rootless-extras
%else
Conflicts: docker-stable-rootless-extras
%endif
%description rootless-extras
Rootless support for Docker.
Use dockerd-rootless.sh to run the daemon.
Use dockerd-rootless-setuptool.sh to setup systemd for dockerd-rootless.sh.
%if %{with integration_tests}
%package integration-tests-devel
Summary: Rootless support for Docker
Group: TestSuite
Requires: %{name} = %{docker_version}
Requires: containerd-ctr
Requires: curl
Requires: gcc
Requires: git
Requires: glibc-devel-static
Requires: go
Requires: jq
Requires: libcap-progs
%description integration-tests-devel
Integration testing binaries for Docker.
THIS PACKAGE SHOULD NOT BE INSTALLED BY END-USERS, IT IS ONLY INTENDED FOR
INTERNAL DEVELOPMENT OF THE DOCKER PACKAGE FOR (OPEN)SUSE.
%endif
%package bash-completion
Summary: Bash Completion for %{name}
Group: System/Shells
Requires: %{name} = %{docker_version}
Requires: bash-completion
#obsolete packageand (see https://en.opensuse.org/RPM_Boolean_Dependencies)
%if 0%{?suse_version} && 0%{?suse_version} < 1500
Supplements: packageand(%{name}:bash-completion)
%else
Supplements: (%{name} and bash-completion)
%endif
BuildArch: noarch
# docker-stable cannot be used alongside docker.
%if "%{name}" == "docker-stable"
Provides: docker-bash-completion = %{docker_version}
Obsoletes: docker-bash-completion < %{docker_version}
Conflicts: docker-bash-completion
%else
Conflicts: docker-stable-bash-completion
%endif
%description bash-completion
Bash command line completion support for %{name}.
%package zsh-completion
Summary: Zsh Completion for %{name}
Group: System/Shells
Requires: %{name} = %{docker_version}
Requires: zsh
#obsolete packageand (see https://en.opensuse.org/RPM_Boolean_Dependencies)
%if 0%{?suse_version} && 0%{?suse_version} < 1500
Supplements: packageand(%{name}:zsh)
%else
Supplements: (%{name} and zsh)
%endif
BuildArch: noarch
# docker-stable cannot be used alongside docker.
%if "%{name}" == "docker-stable"
Provides: docker-zsh-completion = %{docker_version}
Obsoletes: docker-zsh-completion < %{docker_version}
Conflicts: docker-zsh-completion
%else
Conflicts: docker-stable-zsh-completion
%endif
%description zsh-completion
Zsh command line completion support for %{name}.
%package fish-completion
Summary: Fish completion for %{name}
Group: System/Shells
Requires: %{name} = %{docker_version}
Requires: fish
#obsolete packageand (see https://en.opensuse.org/RPM_Boolean_Dependencies)
%if 0%{?suse_version} && 0%{?suse_version} < 1500
Supplements: packageand(%{name}:fish)
%else
Supplements: (%{name} and fish)
%endif
BuildArch: noarch
# docker-stable cannot be used alongside docker.
%if "%{name}" == "docker-stable"
Provides: docker-fish-completion = %{docker_version}
Obsoletes: docker-fish-completion < %{docker_version}
Conflicts: docker-fish-completion
%else
Conflicts: docker-stable-fish-completion
%endif
%description fish-completion
Fish command line completion support for %{name}.
%prep
# docker-cli
%define cli_builddir %{_builddir}/docker-cli-%{docker_version}
%setup -q -T -b 1 -n docker-cli-%{docker_version}
[ "%{cli_builddir}" = "$PWD" ]
%if %{with buildx}
%patch -P901 -p1
%if %{with suseconnect}
# PATCH-SUSE: Secrets patch for docker-build.
%patch -P902 -p1
%endif
%endif
%if %{with buildx}
# docker-buildx
%define buildx_builddir %{_builddir}/docker-buildx-%{buildx_version}
%setup -q -T -b 500 -n docker-buildx-%{buildx_version}
[ "%{buildx_builddir}" = "$PWD" ]
%endif
# docker
%define docker_builddir %{_builddir}/docker-%{docker_version}_%{docker_git_version}
%setup -q -n docker-%{docker_version}_%{docker_git_version}
%patch300 -p1
[ "%{docker_builddir}" = "$PWD" ]
# README_SUSE.md for documentation.
cp %{SOURCE130} .
# bsc#1244035 (secrets patch to remove unreferenced secrets -- always applies).
%patch -P100 -p1
%if %{with suseconnect}
# PATCH-SUSE: Secrets patches.
%patch -P101 -p1
%patch -P102 -p1
%endif
%if 0%{?sle_version} == 120000
# Patches to build on SLE-12.
%patch -P200 -p1
%endif
# bsc#1099277
%patch -P201 -p1
# Solves apparmor issues on SLE-12, but okay for newer SLE versions too.
%patch -P202 -p1
%build
%sysusers_generate_pre %{SOURCE160} %{name} docker.conf
BUILDTAGS="apparmor selinux seccomp pkcs11"
export AUTO_GOPATH=1
# Make sure we always build PIC code. bsc#1048046
export BUILDFLAGS="-buildmode=pie"
# Specify all of the versioning information. We use SOURCE_DATE_EPOCH if it's
# been injected by rpmbuild, otherwise we use the hardcoded git_commit_epoch
# generated above. boo#1064781
export VERSION="%{docker_nice_version}"
export DOCKER_GITCOMMIT="%{docker_git_version}"
