Merge pull request #1239 from glours/bump-compose-v2.39.2

bump Compose to version v2.39.2

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,30 @@
+<!--
+Please make sure you've read and understood our contributing guidelines;
+https://github.com/docker/cli/blob/master/CONTRIBUTING.md
+
+** Make sure all your commits include a signature generated with `git commit -s` **
+
+For additional information on our contributing process, read our contributing
+guide https://docs.docker.com/opensource/code/
+
+If this is a bug fix, make sure your description includes "fixes #xxxx", or
+"closes #xxxx"
+
+Please provide the following information:
+-->
+
+**- What I did**
+
+
+**- Description for the changelog**
+<!--
+Write a short (one line) summary that describes the changes in this
+pull request for inclusion in the changelog.
+It must be placed inside the below triple backticks section.
+
+NOTE: Only fill this section if changes introduced in this PR are user-facing.
+The PR must have a relevant impact/ label.
+-->
+```markdown changelog
+
+```

.github/workflows/ci.yml

@@ -0,0 +1,58 @@
+name: ci
+
+# Default to 'contents: read', which grants actions to read commits.
+#
+# If any permission is set, any permission not included in the list is
+# implicitly set to "none".
+#
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - 'master'
+      - '[0-9]+.[0-9]{2}'
+    tags:
+      - 'v*'
+  pull_request:
+
+jobs:
+  generate-matrix:
+    runs-on: ubuntu-24.04
+    outputs:
+      targets: ${{ steps.get-targets.outputs.targets }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Get targets
+        id: get-targets
+        run: |
+          echo "targets=$(jq -c '[to_entries[] | .key as $distro | .value.arches[] | {distro: $distro, arch: .}]' distros.json)" >> $GITHUB_OUTPUT
+
+  build:
+    needs:
+      - generate-matrix
+    runs-on: ${{ matrix.target.arch != 'amd64' && 'ubuntu-24.04-arm' || 'ubuntu-24.04' }}
+    timeout-minutes: 60 # guardrails timeout for the whole job
+    strategy:
+      fail-fast: false
+      matrix:
+        target: ${{ fromJson(needs.generate-matrix.outputs.targets) }}
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      -
+        name: Build
+        run: |
+          make ARCH=${{ matrix.target.arch }} ${{ matrix.target.distro }}

.gitignore

@@ -1,8 +1,6 @@
 build
 debbuild
 rpmbuild
-tmp
-artifacts
 sources
+src
 *.tar
-image-linux*

.unir.yml

@@ -1,9 +1,10 @@
 # The list of people who can trigger an auto-merge with approvals
 whitelist:
-    - seemethere
-    - andrewhsu
-    - jose-bigio
-    - corbin-coleman
+  - andrewhsu
+  - silvin-lubecki
+  - StefanScherer
+  - thaJeztah
+  - zelahi
 
 # At least 2 approvals are needed for auto-merging
 approvals_needed: 2

Jenkinsfile

@@ -1,72 +1,131 @@
 #!groovy
 
-
-def genBranch(String arch) {
-	return [
-		"${arch}": { ->
-			stage("Build engine image on ${arch}") {
-				wrappedNode(label: "linux&&${arch}", cleanWorkspace: true) {
-					try {
-						checkout scm
-						sh("git clone https://github.com/docker/engine.git engine")
-						sh('make ENGINE_DIR=$(pwd)/engine image')
-					} finally {
-						sh('make ENGINE_DIR=$(pwd)/engine clean-image clean-engine')
-					}
-				}
-		}
-	}]
-}
-
 def branch = env.CHANGE_TARGET ?: env.BRANCH_NAME
 
-test_steps = [
-	'deb': { ->
-		stage('Ubuntu Xenial Debian Package') {
-			wrappedNode(label: 'ubuntu && x86_64', cleanWorkspace: true) {
-				checkout scm
-				sh('git clone https://github.com/docker/cli.git')
-				sh("git -C cli checkout $branch")
-				sh('git clone https://github.com/docker/engine.git')
-				sh("git -C engine checkout $branch")
-				sh('make VERSION=0.0.1-dev DOCKER_BUILD_PKGS=ubuntu-xenial ENGINE_DIR=$(pwd)/engine CLI_DIR=$(pwd)/cli deb')
-			}
-		}
-	},
-	'rpm': { ->
-		stage('Centos 7 RPM Package') {
-			wrappedNode(label: 'ubuntu && x86_64', cleanWorkspace: true) {
-				checkout scm
-				sh('git clone https://github.com/docker/cli.git')
-				sh("git -C cli checkout $branch")
-				sh('git clone https://github.com/docker/engine.git')
-				sh("git -C engine checkout $branch")
-				sh('make VERSION=0.0.1-dev DOCKER_BUILD_PKGS=centos-7 ENGINE_DIR=$(pwd)/engine CLI_DIR=$(pwd)/cli rpm')
-			}
-		}
-	},
-	'static': { ->
-		stage('Static Linux Binaries') {
-			wrappedNode(label: 'ubuntu && x86_64', cleanWorkspace: true) {
-				checkout scm
-				sh('git clone https://github.com/docker/cli.git')
-				sh("git -C cli checkout $branch")
-				sh('git clone https://github.com/docker/engine.git')
-				sh("git -C engine checkout $branch")
-				sh('make VERSION=0.0.1-dev DOCKER_BUILD_PKGS=static-linux ENGINE_DIR=$(pwd)/engine CLI_DIR=$(pwd)/cli static')
-			}
-		}
-	},
+def pkgs = [
+    [target: "centos-9",                 image: "quay.io/centos/centos:stream9",          arches: ["amd64", "aarch64"]],
+    [target: "centos-10",                image: "quay.io/centos/centos:stream10",         arches: ["amd64", "aarch64"]],          // CentOS Stream 10 (EOL: 2030)
+    [target: "debian-bullseye",          image: "debian:bullseye",                        arches: ["amd64", "aarch64", "armhf"]], // Debian 11 (oldstable, EOL: 2024-08-14, EOL (LTS): 2026-08-31)
+    [target: "debian-bookworm",          image: "debian:bookworm",                        arches: ["amd64", "aarch64", "armhf"]], // Debian 12 (stable, EOL: 2026-06-10, EOL (LTS): 2028-06-30)
+    [target: "debian-trixie",            image: "debian:trixie",                          arches: ["amd64", "aarch64", "armhf"]], // Debian 13 (testing)
+    [target: "fedora-41",                image: "fedora:41",                              arches: ["amd64", "aarch64"]],          // EOL: November 19, 2025
+    [target: "fedora-42",                image: "fedora:42",                              arches: ["amd64", "aarch64"]],          // EOL: May 13, 2026
+    [target: "raspbian-bullseye",        image: "balenalib/rpi-raspbian:bullseye",        arches: ["armhf"]],                     // Debian/Raspbian 11 (stable)
+    [target: "raspbian-bookworm",        image: "balenalib/rpi-raspbian:bookworm",        arches: ["armhf"]],                     // Debian/Raspbian 12 (next stable)
+    [target: "ubuntu-jammy",             image: "ubuntu:jammy",                           arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 22.04 LTS (End of support: June,  2027. EOL: April, 2032)
+    [target: "ubuntu-noble",             image: "ubuntu:noble",                           arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 24.04 LTS (End of support: June,  2029. EOL: April, 2034)
+    [target: "ubuntu-oracular",          image: "ubuntu:oracular",                        arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 24.10 (EOL: July, 2025)
+    [target: "ubuntu-plucky",            image: "ubuntu:plucky",                          arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 25.04 (EOL: January, 2026)
 ]
 
-arches = [
-	"x86_64",
-	"aarch64",
-	"armhf"
-]
+def genBuildStep(LinkedHashMap pkg, String arch) {
+    def nodeLabel = "linux&&${arch}"
+    def platform = ""
+    def branch = env.CHANGE_TARGET ?: env.BRANCH_NAME
 
-arches.each {
-	test_steps << genBranch(it)
+    if (arch == 'armhf') {
+        // Running armhf builds on EC2 requires --platform parameter
+        // Otherwise it accidentally pulls armel images which then breaks the verify step
+        platform = "--platform=linux/${arch}"
+        nodeLabel = "${nodeLabel}&&ubuntu"
+    } else {
+        nodeLabel = "${nodeLabel}&&ubuntu-2204"
+    }
+    return { ->
+        wrappedNode(label: nodeLabel, cleanWorkspace: true) {
+            stage("${pkg.target}-${arch}") {
+                // This is just a "dummy" stage to make the distro/arch visible
+                // in Jenkins' BlueOcean view, which truncates names....
+                sh 'echo starting...'
+            }
+            stage("info") {
+                sh 'docker version'
+                sh 'docker info'
+            }
+            stage("build") {
+                checkout scm
+                sh "make clean"
+                sh "make REF=$branch ARCH=${arch} ${pkg.target}"
+            }
+            stage("verify") {
+                sh "make IMAGE=${pkg.image} ARCH=${arch} verify"
+            }
+        }
+    }
 }
 
-parallel(test_steps)
+def build_package_steps = [
+    'static-linux': { ->
+        wrappedNode(label: 'ubuntu-2204 && x86_64', cleanWorkspace: true) {
+            stage("static-linux") {
+                // This is just a "dummy" stage to make the distro/arch visible
+                // in Jenkins' BlueOcean view, which truncates names....
+                sh 'echo starting...'
+            }
+            stage("info") {
+                sh 'docker version'
+                sh 'docker info'
+            }
+            stage("build") {
+                try {
+                    checkout scm
+                    sh "make REF=$branch DOCKER_BUILD_PKGS='static-linux' static"
+                } finally {
+                    sh "make clean"
+                }
+            }
+        }
+    },
+    'cross-mac': { ->
+        wrappedNode(label: 'ubuntu-2204 && x86_64', cleanWorkspace: true) {
+            stage("cross-mac") {
+                // This is just a "dummy" stage to make the distro/arch visible
+                // in Jenkins' BlueOcean view, which truncates names....
+                sh 'echo starting...'
+            }
+            stage("info") {
+                sh 'docker version'
+                sh 'docker info'
+            }
+            stage("build") {
+                try {
+                    checkout scm
+                    sh "make REF=$branch DOCKER_BUILD_PKGS='cross-mac' static"
+                } finally {
+                    sh "make clean"
+                }
+            }
+        }
+    },
+    'cross-win': { ->
+        wrappedNode(label: 'ubuntu-2204 && x86_64', cleanWorkspace: true) {
+            stage("cross-win") {
+                // This is just a "dummy" stage to make the distro/arch visible
+                // in Jenkins' BlueOcean view, which truncates names....
+                sh 'echo starting...'
+            }
+            stage("info") {
+                sh 'docker version'
+                sh 'docker info'
+            }
+            stage("build") {
+                try {
+                    checkout scm
+                    sh "make REF=$branch DOCKER_BUILD_PKGS='cross-win' static"
+                } finally {
+                    sh "make clean"
+                }
+            }
+        }
+    },
+]
+
+def genPackageSteps(opts) {
+    return opts.arches.collectEntries {
+        ["${opts.image}-${it}": genBuildStep(opts, it)]
+    }
+}
+
+build_package_steps << pkgs.collectEntries { genPackageSteps(it) }
+
+parallel(build_package_steps)

LICENSE

@@ -0,0 +1,191 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        https://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   Copyright 2013-2017 Docker, Inc.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       https://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

Makefile

@@ -1,17 +1,6 @@
-SHELL:=/bin/bash
-ENGINE_DIR:=$(CURDIR)/../engine
-CLI_DIR:=$(CURDIR)/../cli
-VERSION?=0.0.0-dev
-DOCKER_GITCOMMIT:=abcdefg
-ARCH=$(shell uname -m)
-STATIC_VERSION=$(shell static/gen-static-ver $(ENGINE_DIR) $(VERSION))
-GO_VERSION:=1.12.4
-DEFAULT_PRODUCT_LICENSE:=Community Engine
-PLATFORM=Docker Engine - Community
-BUILDTIME=$(shell date -u -d "@$${SOURCE_DATE_EPOCH:-$$(date +%s)}" --rfc-3339 ns 2> /dev/null | sed -e 's/ /T/')
-export DEFAULT_PRODUCT_LICENSE
-export PLATFORM
-export BUILDTIME
+include common.mk
+
+STATIC_VERSION=$(shell static/gen-static-ver $(realpath $(CURDIR)/src/github.com/docker/docker) $(VERSION))
 
 # Taken from: https://www.cmcrossroads.com/article/printing-value-makefile-variable
 print-%  : ; @echo $($*)
@@ -20,53 +9,100 @@ print-%  : ; @echo $($*)
 help: ## show make targets
 	@awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z_-]+:.*?## / {sub("\\\\n",sprintf("\n%22c"," "), $$2);printf " \033[36m%-20s\033[0m  %s\n", $$1, $$2}' $(MAKEFILE_LIST)
 
-.PHONY: clean-engine
-clean-engine:
-	rm -rf $(ENGINE_DIR)
+.PHONY: clean-src
+clean-src:
+	[ ! -d src ] || $(CHOWN) -R $(shell id -u):$(shell id -g) src
+	$(RM) -r src
 
-.PHONY: clean-image
-clean-image:
-	$(MAKE) ENGINE_DIR=$(ENGINE_DIR) -C image clean
+.PHONY: src
+src: src/github.com/docker/cli src/github.com/docker/docker src/github.com/docker/buildx src/github.com/docker/compose src/github.com/docker/model-cli ## clone source
 
+ifdef CLI_DIR
+src/github.com/docker/cli:
+	mkdir -p "$(@D)"
+	cp -r "$(CLI_DIR)" $@
+else
+src/github.com/docker/cli:
+	git init $@
+	git -C $@ remote add origin "$(DOCKER_CLI_REPO)"
+endif
+
+ifdef ENGINE_DIR
+src/github.com/docker/docker:
+	mkdir -p "$(@D)"
+	cp -r "$(ENGINE_DIR)" $@
+else
+src/github.com/docker/docker:
+	git init $@
+	git -C $@ remote add origin "$(DOCKER_ENGINE_REPO)"
+endif
+
+src/github.com/docker/buildx:
+	git init $@
+	git -C $@ remote add origin "$(DOCKER_BUILDX_REPO)"
+
+src/github.com/docker/compose:
+	git init $@
+	git -C $@ remote add origin "$(DOCKER_COMPOSE_REPO)"
+
+src/github.com/docker/model-cli:
+	git init $@
+	git -C $@ remote add origin "$(DOCKER_MODEL_REPO)"
+
+.PHONY: checkout-cli
+checkout-cli: src/github.com/docker/cli
+	./scripts/checkout.sh src/github.com/docker/cli "$(DOCKER_CLI_REF)"
+
+.PHONY: checkout-docker
+checkout-docker: src/github.com/docker/docker
+	./scripts/checkout.sh src/github.com/docker/docker "$(DOCKER_ENGINE_REF)"
+
+.PHONY: checkout-buildx
+checkout-buildx: src/github.com/docker/buildx
+	./scripts/checkout.sh src/github.com/docker/buildx "$(DOCKER_BUILDX_REF)"
+
+.PHONY: checkout-compose
+checkout-compose: src/github.com/docker/compose
+	./scripts/checkout.sh src/github.com/docker/compose "$(DOCKER_COMPOSE_REF)"
+
+.PHONY: checkout-model
+checkout-model: src/github.com/docker/model-cli
+	./scripts/checkout.sh src/github.com/docker/model-cli "$(DOCKER_MODEL_REF)"
+
+.PHONY: checkout
+checkout: checkout-cli checkout-docker checkout-buildx checkout-compose checkout-model ## checkout source at the given reference(s)
 
 .PHONY: clean
-clean: clean-image ## remove build artifacts
+clean: clean-src ## remove build artifacts
 	$(MAKE) -C rpm clean
 	$(MAKE) -C deb clean
 	$(MAKE) -C static clean
 
-.PHONY: rpm
-rpm: DOCKER_BUILD_PKGS:=$(shell find rpm -type d | grep ".*-.*" | sed 's/^rpm\///')
-rpm: ## build rpm packages
-	for p in $(DOCKER_BUILD_PKGS); do \
-		$(MAKE) -C $@ VERSION=$(VERSION) ENGINE_DIR=$(ENGINE_DIR) CLI_DIR=$(CLI_DIR) GO_VERSION=$(GO_VERSION) $${p}; \
-	done
+.PHONY: deb rpm
+deb rpm: checkout ## build rpm/deb packages
+	$(MAKE) -C $@ VERSION=$(VERSION) GO_VERSION=$(GO_VERSION) $@
 
-.PHONY: deb
-deb: DOCKER_BUILD_PKGS:=$(shell find deb -type d | grep ".*-.*" | sed 's/^deb\///')
-deb: ## build deb packages
-	for p in $(DOCKER_BUILD_PKGS); do \
-		$(MAKE) -C $@ VERSION=$(VERSION) ENGINE_DIR=$(ENGINE_DIR) CLI_DIR=$(CLI_DIR) GO_VERSION=$(GO_VERSION) $${p}; \
-	done
+.PHONY: centos-% fedora-% rhel-%
+centos-% fedora-% rhel-%: checkout ## build rpm packages for the specified distro
+	$(MAKE) -C rpm VERSION=$(VERSION) GO_VERSION=$(GO_VERSION) $@
+
+.PHONY: debian-% raspbian-% ubuntu-%
+debian-% raspbian-% ubuntu-%: checkout ## build deb packages for the specified distro
+	$(MAKE) -C deb VERSION=$(VERSION) GO_VERSION=$(GO_VERSION) $@
 
 .PHONY: static
 static: DOCKER_BUILD_PKGS:=static-linux cross-mac cross-win cross-arm
-static: ## build static-compiled packages
+static: checkout ## build static-compiled packages
 	for p in $(DOCKER_BUILD_PKGS); do \
-		$(MAKE) -C $@ VERSION=$(VERSION) ENGINE_DIR=$(ENGINE_DIR) CLI_DIR=$(CLI_DIR) GO_VERSION=$(GO_VERSION) $${p}; \
+		$(MAKE) -C $@ VERSION=$(VERSION) GO_VERSION=$(GO_VERSION) TARGETPLATFORM=$(TARGETPLATFORM) CONTAINERD_VERSION=$(CONTAINERD_VERSION) RUNC_VERSION=$(RUNC_VERSION) $${p}; \
 	done
 
-# TODO - figure out multi-arch
-.PHONY: image
-image: DOCKER_BUILD_PKGS:=image-linux
-image: ## build static-compiled packages
-	for p in $(DOCKER_BUILD_PKGS); do \
-		$(MAKE) -C $@ VERSION=$(VERSION) ENGINE_DIR=$(ENGINE_DIR) CLI_DIR=$(CLI_DIR) GO_VERSION=$(GO_VERSION) $${p}; \
-	done
-
-engine-$(ARCH).tar:
-	$(MAKE) -C image $@
-
-.PHONY: release
-release:
-	$(MAKE) -C image $@
+.PHONY: verify
+verify: ## verify installation of packages
+# to verify using packages from staging, use: make VERIFY_PACKAGE_REPO=stage IMAGE=ubuntu:noble verify
+	docker run $(VERIFY_PLATFORM) --rm -i \
+		-v "$$(pwd):/v" \
+		-e DEBIAN_FRONTEND=noninteractive \
+		-e PACKAGE_REPO=$(VERIFY_PACKAGE_REPO) \
+		-w /v \
+		$(IMAGE) ./verify

README.md

@@ -1,17 +1,16 @@
 # Docker CE Packaging
 
-This repo contains the open source scripts for packaging
-[Docker CE products](https://store.docker.com/search?offering=community&q=&type=edition).
+This repo contains the open source scripts for packaging the
+[Docker Engine](https://docs.docker.com/engine/), the Docker CLI, CLI plugins,
+and rootless-extras packages.
 
-This repository is solely maintained by Docker, Inc.
+The repository contains Dockerfiles to build packages for various distributions,
+which can be found in the "rpm" and "deb" subdirectories, as well as scripts to
+build static binaries.
 
-The scripts will build for this list of packages types:
-
-* DEB packages for Ubuntu 18.04 Bionic
-* DEB packages for Ubuntu 16.04 Xenial
-* DEB packages for Debian 10 Buster
-* DEB packages for Debian 9 Stretch
-* RPM packages for Fedora 28
-* RPM packages for Fedora 27
-* RPM packages for CentOS 7
-* TGZ and ZIP files with static binaries
+Docker uses these recipes to build and release packages that are available on the
+https://download.docker.com package repositories. We welcome contributions to
+this repository, including the addition of new distros or distro-versions. Note,
+however, that Docker makes a subselection of distros and architectures for release,
+and not all distros available in this repository may be released to download.docker.com,
+but you can use these scripts to build your own packages.

common.mk

@@ -0,0 +1,62 @@
+ARCH=$(shell uname -m)
+
+# These are the architecture formats as used in release-packaging Jenkinsfile
+# This is an ugly chimera, nobody uses this combination of dpkg and uname formats
+# Why don't we pick one format and stick with it? Because at the time of writing
+# it was deemed too risky/involving too many changes across repos to change architecture
+# formats in release-packaging Jenkinsfile. But someone please do it.
+# Why do we need to list this here? Because I haven't been able to figure out how
+# to do Makefile rules with multiple patterns. (See how it's used in {deb,rpm}/Makefile)
+# Adding new architectures or changing the format in release-packaging will prevent make
+# from finding the corresponding rule unless this list is updated.
+# Or Jenkinsfiles/Makefiles removed (🎵 Gotta have faith-a-faith-a-faith... 🎵)
+ARCHES:=amd64 aarch64 armhf armel s390x ppc64le
+
+BUILDTIME=$(shell date -u -d "@$${SOURCE_DATE_EPOCH:-$$(date +%s)}" --rfc-3339 ns 2> /dev/null | sed -e 's/ /T/')
+CHOWN:=docker run --rm -v $(CURDIR):/v -w /v alpine chown
+DEFAULT_PRODUCT_LICENSE:=Community Engine
+PACKAGER_NAME?=
+DOCKER_GITCOMMIT:=abcdefg
+GO_VERSION:=1.24.6
+PLATFORM=Docker Engine - Community
+SHELL:=/bin/bash
+VERSION?=0.0.1-dev
+
+# DOCKER_CLI_REPO and DOCKER_ENGINE_REPO define the source repositories to clone
+# the source from. These can be overridden to build from a fork.
+DOCKER_CLI_REPO     ?= https://github.com/docker/cli.git
+DOCKER_ENGINE_REPO  ?= https://github.com/docker/docker.git
+DOCKER_COMPOSE_REPO ?= https://github.com/docker/compose.git
+DOCKER_BUILDX_REPO  ?= https://github.com/docker/buildx.git
+DOCKER_MODEL_REPO   ?= https://github.com/docker/model-cli.git
+
+# REF can be used to specify the same branch or tag to use for *both* the CLI
+# and Engine source code. This can be useful if both the CLI and Engine have a
+# release branch with the same name (e.g. "19.03"), or of both repositories have
+# tagged a release with the same version.
+#
+# For other situations, specify DOCKER_CLI_REF and/or DOCKER_ENGINE_REF separately.
+REF                ?= HEAD
+DOCKER_CLI_REF     ?= $(REF)
+DOCKER_ENGINE_REF  ?= $(REF)
+# DOCKER_COMPOSE_REF is the version of compose to package. It usually is a tag,
+# but can be a valid git reference in DOCKER_COMPOSE_REPO.
+DOCKER_COMPOSE_REF ?= v2.39.2
+# DOCKER_BUILDX_REF is the version of compose to package. It usually is a tag,
+# but can be a valid git reference in DOCKER_BUILDX_REPO.
+DOCKER_BUILDX_REF  ?= v0.26.1
+# DOCKER_MODEL_REF is the version of model to package. It is usually a tag,
+# but can be a valid git reference in DOCKER_MODEL_REPO.
+DOCKER_MODEL_REF   ?= v0.1.36
+
+# Use "stage" to install dependencies from download-stage.docker.com during the
+# verify step. Leave empty or use any other value to install from download.docker.com
+VERIFY_PACKAGE_REPO ?= prod
+
+# Optional flags like --platform=linux/armhf
+VERIFY_PLATFORM ?=
+
+export BUILDTIME
+export DEFAULT_PRODUCT_LICENSE
+export PACKAGER_NAME
+export PLATFORM

common/dockerd.json

@@ -1,11 +0,0 @@
-{
-    "image": "docker.io/${ENGINE_IMAGE}",
-    "imagePath": "/var/lib/docker-engine/engine.tar",
-    "namespace":"docker",
-    "args": [
-        "--containerd", "/run/containerd/containerd.sock",
-        "--default-runtime", "containerd",
-        "--add-runtime", "containerd=runc"
-    ],
-    "scope": "${ENGINE_SCOPE}"
-}

containerd.mk

@@ -1,17 +0,0 @@
-# Common things for containerd functionality
-
-CONTAINERD_PROXY_COMMIT=35c543bd887878714213cf61ee14038499fd25b7
-CONTAINERD_SHIM_PROCESS_IMAGE=docker.io/docker/containerd-shim-process:ff98a47
-
-# If containerd is running use that socket instead
-ifeq ("$(shell systemctl is-active containerd)", "active")
-CONTAINERD_SOCK:=/var/run/containerd/containerd.sock
-else
-CONTAINERD_SOCK:=/var/run/docker/containerd/docker-containerd.sock
-endif
-CTR=docker run \
-	--rm -i \
-	-v $(CONTAINERD_SOCK):/ours/containerd.sock \
-	-v $(CURDIR)/artifacts:/artifacts \
-	docker:18.06.0-ce \
-	docker-containerd-ctr -a /ours/containerd.sock

deb/Makefile

@@ -1,44 +1,62 @@
-include ../containerd.mk
+include ../common.mk
 
-SHELL:=/bin/bash
-ARCH:=$(shell uname -m)
-CLI_DIR:=$(CURDIR)/../../cli
-ENGINE_DIR:=$(CURDIR)/../../engine
-GITCOMMIT?=$(shell cd $(CLI_DIR) && git rev-parse --short HEAD)
-VERSION?=0.0.0-dev
-STATIC_VERSION=$(shell ../static/gen-static-ver $(ENGINE_DIR) $(VERSION))
+PLUGINS_DIR=$(realpath $(CURDIR)/../plugins)
 GO_BASE_IMAGE=golang
-GO_VERSION:=1.12.4
-GO_IMAGE=$(GO_BASE_IMAGE):$(GO_VERSION)
-DEB_VERSION=$(shell ./gen-deb-ver $(CLI_DIR) "$(VERSION)")
-CHOWN:=docker run --rm -v $(CURDIR):/v -w /v alpine chown
+GO_IMAGE?=$(GO_BASE_IMAGE):$(GO_VERSION)-bookworm
 EPOCH?=5
+GEN_DEB_VER=$(shell ./gen-deb-ver $(realpath $(CURDIR)/../src/github.com/docker/cli) "$(VERSION)")
+GEN_BUILDX_DEB_VER=$(shell ./gen-deb-ver $(realpath $(CURDIR)/../src/github.com/docker/buildx) "$(DOCKER_BUILDX_REF)")
+GEN_COMPOSE_DEB_VER=$(shell ./gen-deb-ver $(realpath $(CURDIR)/../src/github.com/docker/compose) "$(DOCKER_COMPOSE_REF)")
+GEN_MODEL_DEB_VER=$(shell ./gen-deb-ver $(realpath $(CURDIR)/../src/github.com/docker/model-cli) "$(DOCKER_MODEL_REF)")
+CLI_GITCOMMIT?=$(shell cd $(realpath $(CURDIR)/../src/github.com/docker/cli) && git rev-parse --short HEAD)
+ENGINE_GITCOMMIT?=$(shell cd $(realpath $(CURDIR)/../src/github.com/docker/docker) && git rev-parse --short HEAD)
+BUILDX_GITCOMMIT?=$(shell cd $(realpath $(CURDIR)/../src/github.com/docker/buildx) && git rev-parse --short HEAD)
 
 ifdef BUILD_IMAGE
 	BUILD_IMAGE_FLAG=--build-arg $(BUILD_IMAGE)
 endif
 
 COMMON_FILES=common
-BUILD?=docker build \
+BUILD?=DOCKER_BUILDKIT=1 \
+	docker build \
 	$(BUILD_IMAGE_FLAG) \
 	--build-arg GO_IMAGE=$(GO_IMAGE) \
 	--build-arg COMMON_FILES=$(COMMON_FILES) \
 	-t debbuild-$@/$(ARCH) \
-	-f $(CURDIR)/$@/Dockerfile .
+	--platform linux/$(ARCH) \
+	-f $@/Dockerfile \
+	.
+
 # Additional flags may be necessary at some point
 RUN_FLAGS=
-RUN=docker run --rm -i \
-	-e EPOCH='$(EPOCH)' \
-	-e DEB_VERSION=$(word 1, $(DEB_VERSION)) \
-	-e VERSION=$(word 2, $(DEB_VERSION)) \
-	-e DOCKER_GITCOMMIT=$(GITCOMMIT) \
+
+# FIXME(thaJeztah): disabling seccomp to handle (armhf) tar "chown / chmod" failing
+# when running in a Ubuntu 24.04 container on a Ubuntu 20.04.6 host (kernel 5.15.0-1053-aws);
+# see https://github.com/docker/docker-ce-packaging/pull/1006#issuecomment-2006878743
+RUN?=docker run --rm \
+	--security-opt seccomp=unconfined \
+	--platform linux/$(ARCH) \
 	-e PLATFORM \
+	-e EPOCH='$(EPOCH)' \
+	-e DEB_VERSION=$(word 1, $(GEN_DEB_VER)) \
+	-e VERSION=$(word 2, $(GEN_DEB_VER)) \
+	-e CLI_GITCOMMIT=$(CLI_GITCOMMIT) \
+	-e ENGINE_GITCOMMIT=$(ENGINE_GITCOMMIT) \
+	-e BUILDX_VERSION=$(DOCKER_BUILDX_REF) \
+	-e BUILDX_DEB_VERSION=$(word 1, $(GEN_BUILDX_DEB_VER)) \
+	-e BUILDX_GITCOMMIT=$(BUILDX_GITCOMMIT) \
+	-e COMPOSE_VERSION=$(DOCKER_COMPOSE_REF) \
+	-e COMPOSE_DEB_VERSION=$(word 1, $(GEN_COMPOSE_DEB_VER)) \
+	-e MODEL_VERSION=$(DOCKER_MODEL_REF) \
+	-e MODEL_DEB_VERSION=$(word 1, $(GEN_MODEL_DEB_VER)) \
 	-v $(CURDIR)/debbuild/$@:/build \
 	$(RUN_FLAGS) \
 	debbuild-$@/$(ARCH)
 
-SOURCE_FILES=engine-image cli.tgz engine.tgz docker.service docker.socket distribution_based_engine.json plugin-installers.tgz
-SOURCES=$(addprefix sources/, $(SOURCE_FILES))
+DEBIAN_VERSIONS ?= debian-bullseye debian-bookworm debian-trixie
+UBUNTU_VERSIONS ?= ubuntu-jammy ubuntu-noble ubuntu-oracular ubuntu-plucky
+RASPBIAN_VERSIONS ?= raspbian-bullseye raspbian-bookworm
+DISTROS := $(DEBIAN_VERSIONS) $(UBUNTU_VERSIONS) $(RASPBIAN_VERSIONS)
 
 .PHONY: help
 help: ## show make targets
@@ -50,91 +68,73 @@ clean: ## remove build artifacts
 	$(RM) -r debbuild
 	[ ! -d sources ] || $(CHOWN) -R $(shell id -u):$(shell id -g) sources
 	$(RM) -r sources
-	$(RM) engine-image
-
-engine-$(ARCH).tar:
-	$(MAKE) -C ../image image-linux
-	docker save -o $@ $$(cat ../image/image-linux)
+	-docker builder prune -f --filter until=24h
 
 .PHONY: deb
-deb: ubuntu debian raspbian ## build all deb packages
+deb: ubuntu debian ## build all deb packages except for raspbian
 
 .PHONY: ubuntu
-ubuntu: ubuntu-bionic ubuntu-xenial ## build all ubuntu deb packages
+ubuntu: $(UBUNTU_VERSIONS) ## build all ubuntu deb packages
 
 .PHONY: debian
-debian: debian-stretch ## build all debian deb packages
+debian: $(DEBIAN_VERSIONS) ## build all debian deb packages
 
 .PHONY: raspbian
-raspbian: raspbian-stretch ## build all raspbian deb packages
+raspbian: $(RASPBIAN_VERSIONS) ## build all raspbian deb packages
 
-.PHONY: ubuntu-%
-ubuntu-%: ## build ubuntu deb packages
-ubuntu-%: $(SOURCES)
+.PHONY: $(DISTROS)
+$(DISTROS): sources
+	@echo "== Building packages for $@ =="
+	mkdir -p "debbuild/$@"
 	$(BUILD)
 	$(RUN)
-	$(CHOWN) -R $(shell id -u):$(shell id -g) debbuild/$@
+	$(CHOWN) -R $(shell id -u):$(shell id -g) "debbuild/$@"
 
-.PHONY: debian-buster
-debian-buster: ## build debian buster deb packages
-debian-buster: $(SOURCES)
-	$(BUILD)
-	$(RUN)
-	$(CHOWN) -R $(shell id -u):$(shell id -g) debbuild/$@
-
-.PHONY: debian-stretch
-debian-stretch: ## build debian stretch deb packages
-debian-stretch: $(SOURCES)
-	$(BUILD)
-	$(RUN)
-	$(CHOWN) -R $(shell id -u):$(shell id -g) debbuild/$@
-
-.PHONY: raspbian-stretch
-raspbian-stretch: ## build raspbian stretch deb packages
-raspbian-stretch: $(SOURCES)
-	$(BUILD)
-	$(RUN)
-	$(CHOWN) -R $(shell id -u):$(shell id -g) debbuild/$@
+.PHONY: sources
+sources: sources/cli.tgz sources/engine.tgz sources/buildx.tgz sources/compose.tgz sources/model.tgz
 
 sources/engine.tgz:
 	mkdir -p $(@D)
-	docker run --rm -i -w /v \
-		-v $(ENGINE_DIR):/engine \
+	docker run --rm -w /v \
+		-v $(realpath $(CURDIR)/../src/github.com/docker/docker):/engine \
 		-v $(CURDIR)/$(@D):/v \
 		alpine \
 		tar -C / -c -z -f /v/engine.tgz --exclude .git engine
 
 sources/cli.tgz:
 	mkdir -p $(@D)
-	docker run --rm -i -w /v \
-		-v $(CLI_DIR):/cli \
+	docker run --rm -w /v \
+		-v $(realpath $(CURDIR)/../src/github.com/docker/cli):/cli \
 		-v $(CURDIR)/$(@D):/v \
 		alpine \
 		tar -C / -c -z -f /v/cli.tgz --exclude .git cli
 
-sources/docker.service: ../systemd/docker.service
+sources/buildx.tgz:
 	mkdir -p $(@D)
-	cp $< $@
-
-sources/docker.socket: ../systemd/docker.socket
-	mkdir -p $(@D)
-	cp $< $@
-
-# TODO: Figure out how to decouple this
-# TODO: These might just end up being static files that are hardcoded
-# TODO: FROM HERE <=====================
-sources/distribution_based_engine.json: sources/engine-image
-	mkdir -p $(@D)
-	echo '{"platform":"Docker Engine - Community","engine_image":"engine-community","containerd_min_version":"1.2.0-beta.1","runtime":"host_install"}' > $@
-
-sources/engine-image:
-	mkdir -p $(@D)
-	echo "docker.io/dockereng/engine-community:$(STATIC_VERSION)" > $@
-# TODO: TO HERE <=====================
-
-sources/plugin-installers.tgz: $(wildcard ../plugins/*)
-	docker run --rm -i -w /v \
-		-v $(shell readlink -e ../plugins):/plugins \
-		-v $(CURDIR)/sources:/v \
+	docker run --rm -w /v \
+		-v $(realpath $(CURDIR)/../src/github.com/docker/buildx):/buildx \
+		-v $(CURDIR)/$(@D):/v \
 		alpine \
-		tar -C / -c -z -f /v/plugin-installers.tgz --exclude .git plugins
+		tar -C / -c -z -f /v/buildx.tgz --exclude .git buildx
+
+sources/compose.tgz:
+	mkdir -p $(@D)
+	docker run --rm -w /v \
+		-v $(realpath $(CURDIR)/../src/github.com/docker/compose):/compose \
+		-v $(CURDIR)/$(@D):/v \
+		alpine \
+		tar -C / -c -z -f /v/compose.tgz --exclude .git compose
+
+sources/model.tgz:
+	mkdir -p $(@D)
+	docker run --rm -w /v \
+		-v $(realpath $(CURDIR)/../src/github.com/docker/model-cli):/model \
+		-v $(CURDIR)/$(@D):/v \
+		alpine \
+		tar -C / -c -z -f /v/model.tgz --exclude .git model
+
+# See ARCHES in common.mk. Could not figure out how to match both distro and arch.
+BUNDLES:=$(addsuffix .tar.gz,$(addprefix debbuild/bundles-ce-%-,$(ARCHES)))
+
+$(BUNDLES): %
+	tar czf $@ --transform="s|^debbuild/\(.*\)|bundles/$(VERSION)/build-deb/\1|" debbuild/$*

deb/README.md

@@ -3,30 +3,37 @@
 `.deb` packages can be built from this directory with the following syntax
 
 ```shell
-make ENGINE_DIR=/path/to/engine CLI_DIR=/path/to/cli deb
+make deb
 ```
 
 Artifacts will be located in `debbuild` under the following directory structure:
 `debbuild/$distro-$distro_version/`
 
-### NOTES:
+### Building from local source
+
+Specify the location of the source repositories for the engine and cli when
+building packages
+
 * `ENGINE_DIR` -> Specifies the directory where the engine code is located, eg: `$GOPATH/src/github.com/docker/docker`
 * `CLI_DIR` -> Specifies the directory where the cli code is located, eg: `$GOPATH/src/github.com/docker/cli`
 
+```shell
+make ENGINE_DIR=/path/to/engine CLI_DIR=/path/to/cli deb
+```
+
 ## Specifying a specific distro
 
 ```shell
-make ENGINE_DIR=/path/to/engine CLI_DIR=/path/to/cli ubuntu
+make ubuntu
 ```
 
 ## Specifying a specific distro version
 ```shell
-make ENGINE_DIR=/path/to/engine CLI_DIR=/path/to/cli ubuntu-xenial
+make ubuntu-noble
 ```
 
-## Building the latest docker-ce
+## Building the for all distros
 
 ```shell
-git clone https://github.com/docker/docker-ce.git
-make ENGINE_DIR=docker-ce/components/engine CLI_DIR=docker-ce/components/cli deb
+make deb
 ```

deb/build-deb

@@ -6,27 +6,36 @@ set -e
 mkdir -p /root/build-deb/engine
 tar -C /root/build-deb -xzf /sources/engine.tgz
 mkdir -p /root/build-deb/cli
-tar  -C /root/build-deb -xzf /sources/cli.tgz
+tar -C /root/build-deb -xzf /sources/cli.tgz
+mkdir -p /root/build-deb/buildx
+tar -C /root/build-deb -xzf /sources/buildx.tgz
+mkdir -p /root/build-deb/compose
+tar -C /root/build-deb -xzf /sources/compose.tgz
+mkdir -p /root/build-deb/model
+tar -C /root/build-deb -xzf /sources/model.tgz
 
 # link them to their canonical path
 mkdir -p /go/src/github.com/docker
 ln -snf /root/build-deb/engine /go/src/github.com/docker/docker
 ln -snf /root/build-deb/cli /go/src/github.com/docker/cli
+ln -snf /root/build-deb/buildx /go/src/github.com/docker/buildx
+ln -snf /root/build-deb/compose /go/src/github.com/docker/compose
+ln -snf /root/build-deb/model /go/src/github.com/docker/model-cli
 
 EPOCH="${EPOCH:-}"
 EPOCH_SEP=""
 if [[ ! -z "$EPOCH" ]]; then
-    EPOCH_SEP=":"
+	EPOCH_SEP=":"
 fi
 
 if [[ -z "$DEB_VERSION" ]]; then
-    echo "DEB_VERSION is required to build deb packages"
-    exit 1
+	echo "DEB_VERSION is required to build deb packages"
+	exit 1
 fi
 
 echo VERSION AAA $VERSION
 
-VERSION=${VERSION:-$( cat cli/VERSION )}
+VERSION=${VERSION:-$(cat cli/VERSION)}
 
 echo VERSION bbb $VERSION
 
@@ -34,15 +43,47 @@ debSource="$(awk -F ': ' '$1 == "Source" { print $2; exit }' debian/control)"
 debMaintainer="$(awk -F ': ' '$1 == "Maintainer" { print $2; exit }' debian/control)"
 debDate="$(date --rfc-2822)"
 
+# Include an extra `1` in the version, in case we ever would have to re-build an
+# already published release with a packaging-only change.
+pkgRevision=1
+
+# Generate changelog. The version/name of the generated packages are based on this.
+#
+# Resulting packages are formatted as;
+#
+# - name of the package (e.g., "docker-ce")
+# - version (e.g., "23.0.0~beta.0")
+# - pkgRevision (usually "-0", see above), which allows updating packages with
+#   packaging-only changes (without a corresponding release of the software
+#   that's packaged).
+# - distro (e.g., "ubuntu")
+# - VERSION_ID (e.g. "22.04" or "11") this must be "sortable" to make sure that
+#   packages are upgraded when upgrading to a newer distro version ("codename"
+#   cannot be used for this, as they're not sorted)
+# - SUITE ("codename"), e.g. "jammy" or "bullseye". This is mostly for convenience,
+#   because some places refer to distro versions by codename, others by version.
+#   we prefix the codename with a tilde (~), which effectively excludes it from
+#   version comparison.
+#
+# Note that while the `${EPOCH}${EPOCH_SEP}` is part of the version, it is not
+# included in the package's *filename*. (And if you're wondering: we needed the
+# EPOCH because of our use of CalVer, which made version comparing not work in
+# some cases).
+#
+# Examples:
+#
+# docker-ce_23.0.0~beta.0-1~debian.11~bullseye_amd64.deb
+# docker-ce_23.0.0~beta.0-1~ubuntu.22.04~jammy_amd64.deb
 cat > "debian/changelog" <<-EOF
-$debSource (${EPOCH}${EPOCH_SEP}${DEB_VERSION}-0~${DISTRO}-${SUITE}) $SUITE; urgency=low
+$debSource (${EPOCH}${EPOCH_SEP}${DEB_VERSION}-${pkgRevision}~${DISTRO}.${VERSION_ID}~${SUITE}) $SUITE; urgency=low
   * Version: $VERSION
  -- $debMaintainer  $debDate
 EOF
 # The space above at the start of the line for the debMaintainer is very important
 
 # Give the script a git commit because it wants it
-export DOCKER_GITCOMMIT=${DOCKER_GITCOMMIT-$(cd cli; $GIT_COMMAND rev-parse --short HEAD)}
+export CLI_GITCOMMIT=${CLI_GITCOMMIT-$(cd cli; $GIT_COMMAND rev-parse --short HEAD)}
+export ENGINE_GITCOMMIT=${ENGINE_GITCOMMIT-$(cd engine; $GIT_COMMAND rev-parse --short HEAD)}
 
 echo VERSION BBB $VERSION
 dpkg-buildpackage -uc -us -I.git

deb/common/compat

@@ -1 +0,0 @@
-9

deb/common/control

@@ -4,18 +4,13 @@ Priority: optional
 Maintainer: Docker <support@docker.com>
 Build-Depends: bash,
                bash-completion,
-               libbtrfs-dev | btrfs-tools,
                ca-certificates,
                cmake,
                dh-apparmor,
-               dh-systemd,
+               debhelper-compat (= 12),
                gcc,
                git,
                libc-dev,
-               libdevmapper-dev,
-               libltdl-dev,
-               libseccomp-dev,
-               libseccomp2,
                libsystemd-dev,
                libtool,
                make,
@@ -27,24 +22,32 @@ Vcs-Git: git://github.com/docker/docker.git
 
 Package: docker-ce
 Architecture: linux-any
-Depends: docker-ce-cli, containerd.io, iptables, libseccomp2 (>= 2.3.0), ${shlibs:Depends}
-Recommends: aufs-tools,
+Pre-Depends: init-system-helpers (>= 1.54~)
+Depends: containerd.io (>= 1.7.27),
+         docker-ce-cli,
+         iptables,
+         ${shlibs:Depends}
+Recommends: apparmor,
             ca-certificates,
-            cgroupfs-mount | cgroup-lite,
+            docker-ce-rootless-extras,
             git,
             pigz,
-            xz-utils,
-            libltdl7,
-            ${apparmor:Recommends}
-Conflicts: docker (<< 1.5~), docker.io, lxc-docker, lxc-docker-virtual-package, docker-engine, docker-engine-cs
-Replaces: docker-engine
+            procps,
+            xz-utils
+Suggests: cgroupfs-mount | cgroup-lite,
+            kmod,
+Conflicts: docker (<< 1.5~),
+           docker-engine,
+           docker.io
+Replaces: docker-engine,
+          docker-ce-cli (<< 5:28.0.0)
 Description: Docker: the open-source application container engine
  Docker is a product for you to build, ship and run any application as a
  lightweight container
  .
  Docker containers are both hardware-agnostic and platform-agnostic. This means
- they can run anywhere, from your laptop to the largest cloud compute instance and
- everything in between - and they don't require you to use a particular
+ they can run anywhere, from your laptop to the largest cloud compute instance
+ and everything in between - and they don't require you to use a particular
  language, framework or packaging system. That makes them great building blocks
  for deploying and scaling web apps, databases, and backend services without
  depending on a particular stack or provider.
@@ -52,7 +55,12 @@ Description: Docker: the open-source application container engine
 Package: docker-ce-cli
 Architecture: linux-any
 Depends: ${shlibs:Depends}
-Conflicts: docker (<< 1.5~), docker.io, lxc-docker, lxc-docker-virtual-package, docker-engine, docker-engine-cs
+Recommends: docker-buildx-plugin,
+            docker-compose-plugin
+Suggests: docker-model-plugin
+Conflicts: docker (<< 1.5~),
+           docker-engine,
+           docker.io
 Replaces: docker-ce (<< 5:0)
 Breaks: docker-ce (<< 5:0)
 Description: Docker CLI: the open-source application container engine
@@ -60,8 +68,56 @@ Description: Docker CLI: the open-source application container engine
  lightweight container
  .
  Docker containers are both hardware-agnostic and platform-agnostic. This means
- they can run anywhere, from your laptop to the largest cloud compute instance and
- everything in between - and they don't require you to use a particular
+ they can run anywhere, from your laptop to the largest cloud compute instance
+ and everything in between - and they don't require you to use a particular
  language, framework or packaging system. That makes them great building blocks
  for deploying and scaling web apps, databases, and backend services without
  depending on a particular stack or provider.
+
+Package: docker-ce-rootless-extras
+Architecture: linux-any
+Depends: dbus-user-session,
+         ${shlibs:Depends}
+Enhances: docker-ce
+Conflicts: rootlesskit
+Replaces: rootlesskit
+Breaks: rootlesskit
+# slirp4netns (>= 0.4.0) is available in Debian since 11 and Ubuntu since 19.10
+Recommends: slirp4netns (>= 0.4.0)
+# Unlike RPM, DEB packages do not contain "Recommends: fuse-overlayfs (>= 0.7.0)" here,
+# because Debian (since 10) and Ubuntu support the kernel-mode rootless overlayfs.
+Description: Rootless support for Docker.
+ Use dockerd-rootless.sh to run the daemon.
+ Use dockerd-rootless-setuptool.sh to setup systemd for dockerd-rootless.sh.
+ This package contains RootlessKit, but does not contain VPNKit.
+ Either VPNKit or slirp4netns (>= 0.4.0) needs to be installed separately.
+Homepage: https://docs.docker.com/engine/security/rootless/
+
+Package: docker-buildx-plugin
+Priority: optional
+Replaces: docker-ce-cli
+Architecture: linux-any
+Enhances: docker-ce-cli
+Description: Docker Buildx cli plugin.
+ This plugin provides the 'docker buildx' subcommand.
+Homepage: https://github.com/docker/buildx
+
+Package: docker-compose-plugin
+Priority: optional
+Architecture: linux-any
+Recommends: docker-buildx-plugin
+Enhances: docker-ce-cli
+Description: Docker Compose (V2) plugin for the Docker CLI.
+ This plugin provides the 'docker compose' subcommand.
+ .
+ The binary can also be run standalone as a direct replacement for
+ Docker Compose V1 ('docker-compose').
+Homepage: https://github.com/docker/compose
+
+Package: docker-model-plugin
+Priority: optional
+Architecture: linux-any
+Enhances: docker-ce-cli
+Description: Docker Model Runner plugin for the Docker CLI.
+ This plugin provides the 'docker model' subcommand.
+Homepage: https://docs.docker.com/model-runner/

deb/common/docker-ce-cli.bash-completion

@@ -1 +0,0 @@
-cli/contrib/completion/bash/docker

deb/common/docker-ce.dirs

@@ -0,0 +1 @@
+/etc/docker

deb/common/docker-ce.docker.default

@@ -1,20 +0,0 @@
-# Docker Upstart and SysVinit configuration file
-
-#
-# THIS FILE DOES NOT APPLY TO SYSTEMD
-#
-#   Please see the documentation for "systemd drop-ins":
-#   https://docs.docker.com/engine/admin/systemd/
-#
-
-# Customize location of Docker binary (especially for development testing).
-#DOCKERD="/usr/local/bin/dockerd"
-
-# Use DOCKER_OPTS to modify the daemon startup options.
-#DOCKER_OPTS="--dns 8.8.8.8 --dns 8.8.4.4"
-
-# If you need Docker to use an HTTP proxy, it can also be specified here.
-#export http_proxy="http://127.0.0.1:3128/"
-
-# This is also a handy place to tweak where Docker's temporary files go.
-#export DOCKER_TMPDIR="/mnt/bigdrive/docker-tmp"

deb/common/docker-ce.docker.default

@@ -0,0 +1 @@
+../engine/contrib/init/sysvinit-debian/docker.default

deb/common/docker-ce.docker.init

@@ -1,156 +0,0 @@
-#!/bin/sh
-set -e
-
-### BEGIN INIT INFO
-# Provides:           docker
-# Required-Start:     $syslog $remote_fs
-# Required-Stop:      $syslog $remote_fs
-# Should-Start:       cgroupfs-mount cgroup-lite
-# Should-Stop:        cgroupfs-mount cgroup-lite
-# Default-Start:      2 3 4 5
-# Default-Stop:       0 1 6
-# Short-Description:  Create lightweight, portable, self-sufficient containers.
-# Description:
-#  Docker is an open-source project to easily create lightweight, portable,
-#  self-sufficient containers from any application. The same container that a
-#  developer builds and tests on a laptop can run at scale, in production, on
-#  VMs, bare metal, OpenStack clusters, public clouds and more.
-### END INIT INFO
-
-export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
-
-BASE=docker
-
-# modify these in /etc/default/$BASE (/etc/default/docker)
-DOCKERD=/usr/bin/dockerd
-# This is the pid file managed by docker itself
-DOCKER_PIDFILE=/var/run/$BASE.pid
-# This is the pid file created/managed by start-stop-daemon
-DOCKER_SSD_PIDFILE=/var/run/$BASE-ssd.pid
-DOCKER_LOGFILE=/var/log/$BASE.log
-DOCKER_OPTS=
-DOCKER_DESC="Docker"
-
-# Get lsb functions
-. /lib/lsb/init-functions
-
-if [ -f /etc/default/$BASE ]; then
-	. /etc/default/$BASE
-fi
-
-# Check docker is present
-if [ ! -x $DOCKERD ]; then
-	log_failure_msg "$DOCKERD not present or not executable"
-	exit 1
-fi
-
-check_init() {
-	# see also init_is_upstart in /lib/lsb/init-functions (which isn't available in Ubuntu 12.04, or we'd use it directly)
-	if [ -x /sbin/initctl ] && /sbin/initctl version 2>/dev/null | grep -q upstart; then
-		log_failure_msg "$DOCKER_DESC is managed via upstart, try using service $BASE $1"
-		exit 1
-	fi
-}
-
-fail_unless_root() {
-	if [ "$(id -u)" != '0' ]; then
-		log_failure_msg "$DOCKER_DESC must be run as root"
-		exit 1
-	fi
-}
-
-cgroupfs_mount() {
-	# see also https://github.com/tianon/cgroupfs-mount/blob/master/cgroupfs-mount
-	if grep -v '^#' /etc/fstab | grep -q cgroup \
-		|| [ ! -e /proc/cgroups ] \
-		|| [ ! -d /sys/fs/cgroup ]; then
-		return
-	fi
-	if ! mountpoint -q /sys/fs/cgroup; then
-		mount -t tmpfs -o uid=0,gid=0,mode=0755 cgroup /sys/fs/cgroup
-	fi
-	(
-		cd /sys/fs/cgroup
-		for sys in $(awk '!/^#/ { if ($4 == 1) print $1 }' /proc/cgroups); do
-			mkdir -p $sys
-			if ! mountpoint -q $sys; then
-				if ! mount -n -t cgroup -o $sys cgroup $sys; then
-					rmdir $sys || true
-				fi
-			fi
-		done
-	)
-}
-
-case "$1" in
-	start)
-		check_init
-		
-		fail_unless_root
-
-		cgroupfs_mount
-
-		touch "$DOCKER_LOGFILE"
-		chgrp docker "$DOCKER_LOGFILE"
-
-		ulimit -n 1048576
-
-		# Having non-zero limits causes performance problems due to accounting overhead
-		# in the kernel. We recommend using cgroups to do container-local accounting.
-		if [ "$BASH" ]; then
-			ulimit -u unlimited
-		else
-			ulimit -p unlimited
-		fi
-
-		log_begin_msg "Starting $DOCKER_DESC: $BASE"
-		start-stop-daemon --start --background \
-			--no-close \
-			--exec "$DOCKERD" \
-			--pidfile "$DOCKER_SSD_PIDFILE" \
-			--make-pidfile \
-			-- \
-				-p "$DOCKER_PIDFILE" \
-				$DOCKER_OPTS \
-					>> "$DOCKER_LOGFILE" 2>&1
-		log_end_msg $?
-		;;
-
-	stop)
-		check_init
-		fail_unless_root
-		if [ -f "$DOCKER_SSD_PIDFILE" ]; then
-			log_begin_msg "Stopping $DOCKER_DESC: $BASE"
-			start-stop-daemon --stop --pidfile "$DOCKER_SSD_PIDFILE" --retry 10
-			log_end_msg $?
-		else
-			log_warning_msg "Docker already stopped - file $DOCKER_SSD_PIDFILE not found."
-		fi
-		;;
-
-	restart)
-		check_init
-		fail_unless_root
-		docker_pid=`cat "$DOCKER_SSD_PIDFILE" 2>/dev/null`
-		[ -n "$docker_pid" ] \
-			&& ps -p $docker_pid > /dev/null 2>&1 \
-			&& $0 stop
-		$0 start
-		;;
-
-	force-reload)
-		check_init
-		fail_unless_root
-		$0 restart
-		;;
-
-	status)
-		check_init
-		status_of_proc -p "$DOCKER_SSD_PIDFILE" "$DOCKERD" "$DOCKER_DESC"
-		;;
-
-	*)
-		echo "Usage: service docker {start|stop|restart|status}"
-		exit 1
-		;;
-esac

deb/common/docker-ce.docker.init

@@ -0,0 +1 @@
+../engine/contrib/init/sysvinit-debian/docker

deb/common/docker-ce.docker.service

@@ -0,0 +1 @@
+../engine/contrib/init/systemd/docker.service

deb/common/docker-ce.docker.socket

@@ -0,0 +1 @@
+../engine/contrib/init/systemd/docker.socket

deb/common/docker-ce.docker.upstart

@@ -1,72 +0,0 @@
-description "Docker daemon"
-
-start on (filesystem and net-device-up IFACE!=lo)
-stop on runlevel [!2345]
-
-limit nofile 524288 1048576
-
-# Having non-zero limits causes performance problems due to accounting overhead
-# in the kernel. We recommend using cgroups to do container-local accounting.
-limit nproc unlimited unlimited
-
-respawn
-
-kill timeout 20
-
-pre-start script
-	# see also https://github.com/tianon/cgroupfs-mount/blob/master/cgroupfs-mount
-	if grep -v '^#' /etc/fstab | grep -q cgroup \
-		|| [ ! -e /proc/cgroups ] \
-		|| [ ! -d /sys/fs/cgroup ]; then
-		exit 0
-	fi
-	if ! mountpoint -q /sys/fs/cgroup; then
-		mount -t tmpfs -o uid=0,gid=0,mode=0755 cgroup /sys/fs/cgroup
-	fi
-	(
-		cd /sys/fs/cgroup
-		for sys in $(awk '!/^#/ { if ($4 == 1) print $1 }' /proc/cgroups); do
-			mkdir -p $sys
-			if ! mountpoint -q $sys; then
-				if ! mount -n -t cgroup -o $sys cgroup $sys; then
-					rmdir $sys || true
-				fi
-			fi
-		done
-	)
-end script
-
-script
-	# modify these in /etc/default/$UPSTART_JOB (/etc/default/docker)
-	DOCKERD=/usr/bin/dockerd
-	DOCKER_OPTS=
-	if [ -f /etc/default/$UPSTART_JOB ]; then
-		. /etc/default/$UPSTART_JOB
-	fi
-	exec "$DOCKERD" $DOCKER_OPTS --raw-logs
-end script
-
-# Don't emit "started" event until docker.sock is ready.
-# See https://github.com/docker/docker/issues/6647
-post-start script
-	DOCKER_OPTS=
-	DOCKER_SOCKET=
-	if [ -f /etc/default/$UPSTART_JOB ]; then
-		. /etc/default/$UPSTART_JOB
-	fi
-
-	if ! printf "%s" "$DOCKER_OPTS" | grep -qE -e '-H|--host'; then
-		DOCKER_SOCKET=/var/run/docker.sock
-	else
-		DOCKER_SOCKET=$(printf "%s" "$DOCKER_OPTS" | grep -oP -e '(-H|--host)\W*unix://\K(\S+)' | sed 1q)
-	fi
-
-	if [ -n "$DOCKER_SOCKET" ]; then
-		while ! [ -e "$DOCKER_SOCKET" ]; do
-			initctl status $UPSTART_JOB | grep -qE "(stop|respawn)/" && exit 1
-			echo "Waiting for $DOCKER_SOCKET"
-			sleep 0.1
-		done
-		echo "$DOCKER_SOCKET is up"
-	fi
-end script

deb/common/docker-ce.maintscript

@@ -0,0 +1 @@
+rm_conffile /etc/init/docker.conf 5:24.0.5-1~

deb/common/docker-ce.manpages

@@ -0,0 +1 @@
+engine/man/man*/*

deb/common/rules

@@ -1,60 +1,149 @@
 #!/usr/bin/make -f
 
+# Include default Makefile variables.
+include /usr/share/dpkg/default.mk
+
+# Build all armhf binaries as ARMv6 with hard float, to support both
+# Debian armhf and Raspbian armhf.
+ifeq ($(DEB_TARGET_ARCH),armhf)
+	export CFLAGS += -marm -march=armv6+fp
+	export GOARM := 6
+endif
+
 VERSION ?= $(shell cat engine/VERSION)
-DOCKER_GOPATH := /go/src/github.com/docker
+# TODO(thaJeztah): allow passing this version when building.
+PKG_REVISION ?= 1
+export PKG_REVISION
 
-override_dh_gencontrol:
-	# if we're on Ubuntu, we need to Recommends: apparmor
-	echo 'apparmor:Recommends=$(shell dpkg-vendor --is Ubuntu && echo apparmor)' >> debian/docker-ce.substvars
-	dh_gencontrol
+# force packages to be built with xz compression, as Ubuntu 21.10 and up use
+# zstd compression, which is non-standard, and breaks 'dpkg-sig --verify'
+override_dh_builddeb:
+	dh_builddeb -- -Zxz
 
+# Determine the Go module mode based on the presence of vendor.mod or go.mod
+override_dh_auto_build: GOMOD := $(if $(wildcard engine/vendor.mod),off,$(if $(wildcard engine/go.mod),on,$(error "No go.mod or vendor.mod found in engine directory")))
+# Override the default dh_auto_build target
 override_dh_auto_build:
 	# Build the daemon and dependencies
-	cd engine && PRODUCT=docker ./hack/make.sh dynbinary
+	cd engine && GO111MODULE=$(GOMOD) DOCKER_GITCOMMIT=$(ENGINE_GITCOMMIT) PRODUCT=docker ./hack/make.sh dynbinary
 	cd engine && TMP_GOPATH="/go" hack/dockerfile/install/install.sh tini
-	cd engine && TMP_GOPATH="/go" hack/dockerfile/install/install.sh proxy dynamic
+	cd engine && TMP_GOPATH="/go" hack/dockerfile/install/install.sh rootlesskit dynamic
+
+	#  build  man-pages
+	make -C engine/man
+
 	# Build the CLI
-	cd /go/src/github.com/docker/cli && \
-		LDFLAGS='' DISABLE_WARN_OUTSIDE_CONTAINER=1 make VERSION=$(VERSION) GITCOMMIT=$(DOCKER_GITCOMMIT) dynbinary manpages
-	# Build the CLI plugins
-	# Make sure to set LDFLAGS="" since, dpkg-buildflags sets it to some weird values
-	set -e;cd /sources && \
-		tar xzf plugin-installers.tgz; \
-		for installer in plugins/*.installer; do \
-			LDFLAGS='' bash $${installer} build; \
-		done
+	make -C /go/src/github.com/docker/cli DISABLE_WARN_OUTSIDE_CONTAINER=1 VERSION=$(VERSION) GITCOMMIT=$(CLI_GITCOMMIT) LDFLAGS='' dynbinary manpages shell-completion
+
+	# Build buildx plugin
+	cd /go/src/github.com/docker/buildx \
+	&& mkdir -p /usr/libexec/docker/cli-plugins/ \
+	&& GO111MODULE=on \
+		CGO_ENABLED=0 \
+			go build \
+				-mod=vendor \
+				-trimpath \
+				-ldflags "-w -X github.com/docker/buildx/version.Version=$(BUILDX_VERSION) -X github.com/docker/buildx/version.Revision=$(BUILDX_GITCOMMIT) -X github.com/docker/buildx/version.Package=github.com/docker/buildx" \
+				-o "/usr/libexec/docker/cli-plugins/docker-buildx" \
+				./cmd/buildx
+
+	# Build the compose plugin
+	make -C /go/src/github.com/docker/compose VERSION=$(COMPOSE_VERSION) DESTDIR=/usr/libexec/docker/cli-plugins build
+
+	# Build the model plugin
+	GO111MODULE=on make -C /go/src/github.com/docker/model-cli VERSION=$(MODEL_VERSION) ce-release \
+	&& mv /go/src/github.com/docker/model-cli/dist/docker-model /usr/libexec/docker/cli-plugins/docker-model
 
 override_dh_auto_test:
-	./engine/bundles/dynbinary-daemon/dockerd -v
-	./cli/build/docker -v
+	ver="$$(engine/bundles/dynbinary-daemon/dockerd --version)"; \
+		test "$$ver" = "Docker version $(VERSION), build $(ENGINE_GITCOMMIT)" && echo "PASS: daemon version OK" || (echo "FAIL: daemon version ($$ver) did not match" && exit 1)
+
+	ver="$$(cli/build/docker --version)"; \
+		test "$$ver" = "Docker version $(VERSION), build $(CLI_GITCOMMIT)" && echo "PASS: cli version OK" || (echo "FAIL: cli version ($$ver) did not match" && exit 1)
+
+	ver="$$(/usr/libexec/docker/cli-plugins/docker-buildx docker-cli-plugin-metadata | awk '{ gsub(/[",:]/,"")}; $$1 == "Version" { print $$2 }')"; \
+		test "$$ver" = "$(BUILDX_VERSION)" && echo "PASS: docker-buildx version OK" || (echo "FAIL: docker-buildx version ($$ver) did not match" && exit 1)
+
+	ver="$$(/usr/libexec/docker/cli-plugins/docker-compose docker-cli-plugin-metadata | awk '{ gsub(/[",:]/,"")}; $$1 == "Version" { print $$2 }')"; \
+		test "$$ver" = "$(COMPOSE_VERSION)" && echo "PASS: docker-compose version OK" || (echo "FAIL: docker-compose version ($$ver) did not match" && exit 1)
+
+	ver="$$(/usr/libexec/docker/cli-plugins/docker-model docker-cli-plugin-metadata | awk '{ gsub(/[",:]/,"")}; $$1 == "Version" { print $$2 }')"; \
+		test "$$ver" = "$(MODEL_VERSION)" && echo "PASS: docker-model version OK" || (echo "FAIL: docker-model version ($$ver) did not match" && exit 1)
 
 override_dh_strip:
 	# Go has lots of problems with stripping, so just don't
 
+# http://manpages.debian.org/dh_dwz
+override_dh_dwz:
+	# dh_dwz in debhelper versions less than 13 has issues with files that are missing debug symbols (once we update to debhelper-compat 13+ this can be removed)
+	@# https://packages.debian.org/debhelper
+	@# https://packages.ubuntu.com/debhelper
+
 override_dh_auto_install:
 	# docker-ce-cli install
-	install -D -m 0644 /go/src/github.com/docker/cli/contrib/completion/fish/docker.fish debian/docker-ce-cli/usr/share/fish/vendor_completions.d/docker.fish
-	install -D -m 0644 /go/src/github.com/docker/cli/contrib/completion/zsh/_docker debian/docker-ce-cli/usr/share/zsh/vendor-completions/_docker
-	install -D -m 0755 /go/src/github.com/docker/cli/build/docker debian/docker-ce-cli/usr/bin/docker
-	set -e;cd /sources && \
-		tar xzf plugin-installers.tgz; \
-		for installer in plugins/*.installer; do \
-			DESTDIR=/root/build-deb/debian/docker-ce-cli \
-			PREFIX=/usr/libexec/docker/cli-plugins \
-				bash $${installer} install_plugin; \
-		done
+	install -D -p -m 0755 cli/build/docker debian/docker-ce-cli/usr/bin/docker
+
+	# docker-ce-cli shell-completion
+	#
+	# We are manually installing bash completions instead of using the "dh_bash-completion"
+	# debhelper (see [1]); dh_bash-completion only supports bash, and none of the other shells,
+	# which meant that we had to install 2 out of 3 manually, which was confusing ("what about
+	# Bash?"). Given that locations to install these completion scripts are well-known, we
+	# can safely use the manual approach for installing  them.
+	#
+	# In future, can consider using "dh_shell_completions" (see [2]), which supports bash, zsh
+	# and fish. However, "dh_shell_completions" is still really premature, and not available
+	# in stable releases. So, currently, adding it as build-dependency, especially since
+	# these are well-known, may not be a good choice, but we can revisit that in future
+	# if things mature in this area.
+	#
+	# Observant readers may notice that we don't include PowerShell completion in
+	# this list (even though Cobra provides them, and PowerShell *can* be installed
+	# oon Linux). The short story is that there's no well-defined location, nor
+	# a well-defined approach for this.
+	#
+	# The PowerShell maintainers (see [3]) considering that no completion scripts
+	# are needed for anything following the PowerShell specifications, and for
+	# anything else, PowerShell is capable enough to use zsh and bash completions.
+	#
+	# All of the above taken into account; it's fuzzy enough to just leave it as
+	# an exercise for the user to decide what to do.
+	#
+	# [1]: https://manpages.debian.org/bookworm/bash-completion/dh_bash-completion.1.en.html
+	# [2]: https://manpages.debian.org/testing/dh-shell-completions/dh_shell_completions.1.en.html
+	# [3]: https://github.com/PowerShell/PowerShell/issues/17582
+	install -D -p -m 0644 cli/build/completion/bash/docker debian/docker-ce-cli/usr/share/bash-completion/completions/docker
+	install -D -p -m 0644 cli/build/completion/fish/docker.fish debian/docker-ce-cli/usr/share/fish/vendor_completions.d/docker.fish
+	install -D -p -m 0644 cli/build/completion/zsh/_docker debian/docker-ce-cli/usr/share/zsh/vendor-completions/_docker
+
 	# docker-ce install
-	install -D -m 0644 /sources/docker.service debian/docker-ce/lib/systemd/system/docker.service
-	install -D -m 0644 /sources/docker.socket debian/docker-ce/lib/systemd/system/docker.socket
-	install -D -m 0755 $(shell readlink -e engine/bundles/dynbinary-daemon/dockerd) debian/docker-ce/usr/bin/dockerd
-	install -D -m 0755 /usr/local/bin/docker-proxy debian/docker-ce/usr/bin/docker-proxy
-	install -D -m 0755 /usr/local/bin/docker-init debian/docker-ce/usr/bin/docker-init
-	install -D -m 0644 /sources/distribution_based_engine.json debian/docker-ce/var/lib/docker-engine/distribution_based_engine.json
+	install -D -p -m 0755 $(shell readlink -e engine/bundles/dynbinary-daemon/dockerd) debian/docker-ce/usr/bin/dockerd
+	install -D -p -m 0755 $(shell readlink -e engine/bundles/dynbinary-daemon/docker-proxy) debian/docker-ce/usr/bin/docker-proxy
+	install -D -p -m 0755 /usr/local/bin/docker-init debian/docker-ce/usr/libexec/docker/docker-init
+
+	# docker-buildx-plugin install
+	install -D -p -m 0755 /usr/libexec/docker/cli-plugins/docker-buildx debian/docker-buildx-plugin/usr/libexec/docker/cli-plugins/docker-buildx
+
+	# docker-compose-plugin install
+	install -D -p -m 0755 /usr/libexec/docker/cli-plugins/docker-compose debian/docker-compose-plugin/usr/libexec/docker/cli-plugins/docker-compose
+
+	# docker-model-plugin install
+	install -D -p -m 0755 /usr/libexec/docker/cli-plugins/docker-model debian/docker-model-plugin/usr/libexec/docker/cli-plugins/docker-model
+
+	# docker-ce-rootless-extras install
+	install -D -p -m 0755 /usr/local/bin/rootlesskit debian/docker-ce-rootless-extras/usr/bin/rootlesskit
+	install -D -p -m 0755 engine/contrib/dockerd-rootless.sh debian/docker-ce-rootless-extras/usr/bin/dockerd-rootless.sh
+	install -D -p -m 0755 engine/contrib/dockerd-rootless-setuptool.sh debian/docker-ce-rootless-extras/usr/bin/dockerd-rootless-setuptool.sh
+	# TODO: how can we install vpnkit?
 
 override_dh_installinit:
 	# use "docker" as our service name, not "docker-ce"
 	dh_installinit --name=docker
 
+override_dh_installsystemd:
+	# use "docker" as our service name, not "docker-ce"
+	dh_installsystemd --name=docker
+
 override_dh_shlibdeps:
 	dh_shlibdeps --dpkg-shlibdeps-params=--ignore-missing-info
 
@@ -63,5 +152,20 @@ override_dh_install:
 	# TODO Can we do this from within our container?
 	dh_apparmor --profile-name=docker-ce -pdocker-ce
 
+override_dh_gencontrol:
+	# Use separate version for the buildx-plugin package, then generate the other control files as usual
+	# TODO override "Source" field in control as well (to point to buildx, as it doesn't match the package name)
+	dh_gencontrol -pdocker-buildx-plugin -- -v$${BUILDX_DEB_VERSION#v}-$${PKG_REVISION}~$${DISTRO}.$${VERSION_ID}~$${SUITE}
+
+	# Use separate version for the compose-plugin package, then generate the other control files as usual
+	# TODO override "Source" field in control as well (to point to compose, as it doesn't match the package name)
+	dh_gencontrol -pdocker-compose-plugin -- -v$${COMPOSE_DEB_VERSION#v}-$${PKG_REVISION}~$${DISTRO}.$${VERSION_ID}~$${SUITE}
+
+	# Use separate version for the model-plugin package, then generate the other control files as usual
+	# TODO override "Source" field in control as well (to point to model, as it doesn't match the package name)
+	dh_gencontrol -pdocker-model-plugin -- -v$${MODEL_DEB_VERSION#v}-$${PKG_REVISION}~$${DISTRO}.$${VERSION_ID}~$${SUITE}
+
+	dh_gencontrol --remaining-packages
+
 %:
-	dh $@ --with=bash-completion $(shell command -v dh_systemd_enable > /dev/null 2>&1 && echo --with=systemd)
+	dh $@ --with=bash-completion

deb/common/source/format

@@ -0,0 +1 @@
+1.0

deb/debian-bookworm/Dockerfile

@@ -0,0 +1,40 @@
+# syntax=docker/dockerfile:1
+
+ARG GO_IMAGE=golang:latest
+ARG DISTRO=debian
+ARG SUITE=bookworm
+ARG VERSION_ID=12
+ARG BUILD_IMAGE=${DISTRO}:${SUITE}
+
+FROM ${GO_IMAGE} AS golang
+
+FROM ${BUILD_IMAGE}
+
+ARG DEBIAN_FRONTEND=noninteractive
+RUN apt-get update && apt-get install -y curl devscripts equivs git
+
+ENV GOPROXY=https://proxy.golang.org|direct
+ENV GO111MODULE=on
+ENV GOPATH=/go
+ENV GOTOOLCHAIN=local
+ENV PATH=$PATH:/usr/local/go/bin:$GOPATH/bin
+
+ARG COMMON_FILES
+COPY --link ${COMMON_FILES} /root/build-deb/debian
+RUN apt-get update \
+ && mk-build-deps -t "apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends -y" -i /root/build-deb/debian/control
+
+COPY --link sources/ /sources
+ARG DISTRO
+ARG SUITE
+ARG VERSION_ID
+ENV DISTRO=${DISTRO}
+ENV SUITE=${SUITE}
+ENV VERSION_ID=${VERSION_ID}
+
+COPY --link --from=golang /usr/local/go /usr/local/go
+
+WORKDIR /root/build-deb
+COPY build-deb /root/build-deb/build-deb
+
+ENTRYPOINT ["/root/build-deb/build-deb"]

deb/debian-bullseye/Dockerfile

@@ -0,0 +1,40 @@
+# syntax=docker/dockerfile:1
+
+ARG GO_IMAGE=golang:latest
+ARG DISTRO=debian
+ARG SUITE=bullseye
+ARG VERSION_ID=11
+ARG BUILD_IMAGE=${DISTRO}:${SUITE}
+
+FROM ${GO_IMAGE} AS golang
+
+FROM ${BUILD_IMAGE}
+
+ARG DEBIAN_FRONTEND=noninteractive
+RUN apt-get update && apt-get install -y curl devscripts equivs git
+
+ENV GOPROXY=https://proxy.golang.org|direct
+ENV GO111MODULE=on
+ENV GOPATH=/go
+ENV GOTOOLCHAIN=local
+ENV PATH=$PATH:/usr/local/go/bin:$GOPATH/bin
+
+ARG COMMON_FILES
+COPY --link ${COMMON_FILES} /root/build-deb/debian
+RUN apt-get update \
+ && mk-build-deps -t "apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends -y" -i /root/build-deb/debian/control
+
+COPY --link sources/ /sources
+ARG DISTRO
+ARG SUITE
+ARG VERSION_ID
+ENV DISTRO=${DISTRO}
+ENV SUITE=${SUITE}
+ENV VERSION_ID=${VERSION_ID}
+
+COPY --link --from=golang /usr/local/go /usr/local/go
+
+WORKDIR /root/build-deb
+COPY build-deb /root/build-deb/build-deb
+
+ENTRYPOINT ["/root/build-deb/build-deb"]

deb/debian-buster/Dockerfile

@@ -1,29 +0,0 @@
-ARG GO_IMAGE
-ARG BUILD_IMAGE=debian:buster
-FROM ${GO_IMAGE} as golang
-
-FROM ${BUILD_IMAGE}
-
-RUN apt-get update && apt-get install -y curl devscripts equivs git
-
-ARG GO_VERSION
-ENV GOPATH /go
-ENV PATH $PATH:/usr/local/go/bin:$GOPATH/bin
-ENV DOCKER_BUILDTAGS apparmor seccomp selinux
-ENV RUNC_BUILDTAGS apparmor seccomp selinux
-
-ARG COMMON_FILES
-COPY ${COMMON_FILES} /root/build-deb/debian
-RUN mk-build-deps -t "apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends -y" -i /root/build-deb/debian/control
-
-COPY sources/ /sources
-
-ENV DISTRO debian
-ENV SUITE buster
-
-COPY --from=golang /usr/local/go /usr/local/go
-
-WORKDIR /root/build-deb
-COPY build-deb /root/build-deb/build-deb
-
-ENTRYPOINT ["/root/build-deb/build-deb"]

deb/debian-stretch/Dockerfile

@@ -1,29 +0,0 @@
-ARG GO_IMAGE
-ARG BUILD_IMAGE=debian:stretch
-FROM ${GO_IMAGE} as golang
-
-FROM ${BUILD_IMAGE}
-
-RUN apt-get update && apt-get install -y curl devscripts equivs git
-
-ARG GO_VERSION
-ENV GOPATH /go
-ENV PATH $PATH:/usr/local/go/bin:$GOPATH/bin
-ENV DOCKER_BUILDTAGS apparmor seccomp selinux
-ENV RUNC_BUILDTAGS apparmor seccomp selinux
-
-ARG COMMON_FILES
-COPY ${COMMON_FILES} /root/build-deb/debian
-RUN mk-build-deps -t "apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends -y" -i /root/build-deb/debian/control
-
-COPY sources/ /sources
-
-ENV DISTRO debian
-ENV SUITE stretch
-
-COPY --from=golang /usr/local/go /usr/local/go
-
-WORKDIR /root/build-deb
-COPY build-deb /root/build-deb/build-deb
-
-ENTRYPOINT ["/root/build-deb/build-deb"]

deb/debian-trixie/Dockerfile

@@ -0,0 +1,40 @@
+# syntax=docker/dockerfile:1
+
+ARG GO_IMAGE=golang:latest
+ARG DISTRO=debian
+ARG SUITE=trixie
+ARG VERSION_ID=13
+ARG BUILD_IMAGE=${DISTRO}:${SUITE}
+
+FROM ${GO_IMAGE} AS golang
+
+FROM ${BUILD_IMAGE}
+
+ARG DEBIAN_FRONTEND=noninteractive
+RUN apt-get update && apt-get install -y curl devscripts equivs git
+
+ENV GOPROXY=https://proxy.golang.org|direct
+ENV GO111MODULE=on
+ENV GOPATH=/go
+ENV GOTOOLCHAIN=local
+ENV PATH=$PATH:/usr/local/go/bin:$GOPATH/bin
+
+ARG COMMON_FILES
+COPY --link ${COMMON_FILES} /root/build-deb/debian
+RUN apt-get update \
+ && mk-build-deps -t "apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends -y" -i /root/build-deb/debian/control
+
+COPY --link sources/ /sources
+ARG DISTRO
+ARG SUITE
+ARG VERSION_ID
+ENV DISTRO=${DISTRO}
+ENV SUITE=${SUITE}
+ENV VERSION_ID=${VERSION_ID}
+
+COPY --link --from=golang /usr/local/go /usr/local/go
+
+WORKDIR /root/build-deb
+COPY build-deb /root/build-deb/build-deb
+
+ENTRYPOINT ["/root/build-deb/build-deb"]

deb/gen-deb-ver

@@ -1,87 +1,79 @@
 #!/usr/bin/env bash
 
-ENGINE_DIR="$1"
+REPO_DIR="$1"
 VERSION="$2"
-origVersion=$VERSION
 
-[[ $# < 2 ]] && echo 'not enough args' && exit 1
-
-DATE_COMMAND="date"
-if [[ $(uname) -eq "Darwin" ]]; then
-    DATE_COMMAND="docker run --rm alpine date"
+if [ -z "$REPO_DIR" ] || [ -z "$VERSION" ]; then
+	# shellcheck disable=SC2016
+	echo 'usage: ./gen-deb-ver ${REPO_DIR} ${VERSION}'
+	exit 1
 fi
 
-gen_deb_version() {
-    # Adds an increment to the deb version to get proper order
-    # 18.01.0-tp1   -> 18.01.0-0.1-tp1
-    # 18.01.0-beta1 -> 18.01.0-1.1-beta1
-    # 18.01.0-rc1   -> 18.01.0-2.1-rc1
-    # 18.01.0       -> 18.01.0-3
-    fullVersion="$1"
-    pattern="$2"
-    increment="$3"
-    testVersion="${fullVersion#*-$pattern}"
-    baseVersion="${fullVersion%-"$pattern"*}"
-    echo "$baseVersion-$increment.$testVersion.$pattern$testVersion"
-}
+GIT_COMMAND="git -C $REPO_DIR"
+origVersion="$VERSION"
+debVersion="${VERSION#v}"
 
-case "$VERSION" in
-    *-dev)
-        debVersion="$VERSION"
-        ;;
-    *-tp[0-9]*)
-        debVersion="$(gen_deb_version "$VERSION" tp 0)"
-        ;;
-    *-beta[0-9]*)
-        debVersion="$(gen_deb_version "$VERSION" beta 1)"
-        ;;
-    *-rc[0-9]*)
-        debVersion="$(gen_deb_version "$VERSION" rc 2)"
-        ;;
-    *)
-        debVersion="$VERSION-3"
-        ;;
-esac
+# deb packages require a tilde (~) instead of a hyphen (-) as separator between
+# the version # and pre-release suffixes, otherwise pre-releases are sorted AFTER
+# non-pre-release versions, which would prevent users from updating from a pre-
+# release version to the "ga" version.
+#
+# For details, see this thread on the Debian mailing list:
+# https://lists.debian.org/debian-policy/1998/06/msg00099.html
+#
+# The code below replaces hyphens with tildes. Note that an intermediate $tilde
+# variable is needed to make this work on all versions of Bash. In some versions
+# of Bash, the tilde would be substituted with $HOME (even when escaped (\~) or
+# quoted ('~').
+tilde='~'
+debVersion="${debVersion//-/$tilde}"
 
-export TZ=UTC
+# if we have a "-dev" suffix or have change in Git, this is a nightly build, and
+# we'll create a pseudo version based on commit-date and -sha.
+if [[ "$VERSION" == *-dev ]] || [ -n "$($GIT_COMMAND status --porcelain)" ]; then
+	export TZ=UTC
 
-tilde='~' # ouch Bash 4.2 vs 4.3, you keel me
-# git running in different directories, backwards compatible too
-GIT_COMMAND="git -C $ENGINE_DIR"
-debVersion="${debVersion//-/$tilde}" # using \~ or '~' here works in 4.3, but not 4.2; just ~ causes $HOME to be inserted, hence the $tilde
-# if we have a "-dev" suffix or have change in Git, let's make this package version more complex so it works better
-if [[ "$VERSION" == *-dev ]]; then
-    # based on golang's pseudo-version: https://groups.google.com/forum/#!topic/golang-dev/a5PqQuBljF4
-    #
-    # using a "pseudo-version" of the form v0.0.0-yyyymmddhhmmss-abcdefabcdef,
-    # where the time is the commit time in UTC and the final suffix is the prefix
-    # of the commit hash. The time portion ensures that two pseudo-versions can
-    # be compared to determine which happened later, the commit hash identifes
-    # the underlying commit, and the v0.0.0- prefix identifies the pseudo-version
-    # as a pre-release before version v0.0.0, so that the go command prefers any
-    # tagged release over any pseudo-version.
-    gitUnix="$($GIT_COMMAND log -1 --pretty='%ct')"
-    gitDate="$($DATE_COMMAND --utc --date "@$gitUnix" +'%Y%m%d%H%M%S')"
-    gitCommit="$($GIT_COMMAND log -1 --pretty='%h')"
-    debVersion="0.0.0-${gitDate}-${gitCommit}"
-    origVersion=$debVersion
+	# based on golang's pseudo-version: https://groups.google.com/forum/#!topic/golang-dev/a5PqQuBljF4
+	#
+	# using a "pseudo-version" of the form v0.0.0-yyyymmddhhmmss-abcdefabcdef,
+	# where the time is the commit time in UTC and the final suffix is the prefix
+	# of the commit hash. The time portion ensures that two pseudo-versions can
+	# be compared to determine which happened later, the commit hash identifes
+	# the underlying commit, and the v0.0.0- prefix identifies the pseudo-version
+	# as a pre-release before version v0.0.0, so that the go command prefers any
+	# tagged release over any pseudo-version.
+	gitUnix="$($GIT_COMMAND log -1 --pretty='%ct')"
 
-    # verify that nightly builds are always < actual releases
-    #
-    # $ dpkg --compare-versions 1.5.0 gt 1.5.0~rc1 && echo true || echo false
-    # true
-    # $ dpkg --compare-versions 1.5.0~rc1 gt 0.0.0-20180719213347-5daff5a && echo true || echo false
-    # true
-    # $ dpkg --compare-versions 18.06.0-ce-rc3 gt 18.06.0-ce-rc2  && echo true || echo false
-    # true
-    # $ dpkg --compare-versions 18.06.0-ce gt 18.06.0-ce-rc2  && echo true || echo false
-    # false
-    # $ dpkg --compare-versions 18.06.0-ce-rc3 gt 0.0.0-20180719213347-5daff5a  && echo true || echo false
-    # true
-    # $ dpkg --compare-versions 18.06.0-ce gt 0.0.0-20180719213347-5daff5a  && echo true || echo false
-    # true
-    # $ dpkg --compare-versions 0.0.0-20180719213702-cd5e2db gt 0.0.0-20180719213347-5daff5a && echo true || echo false
-    # true
+	if [ "$(uname)" = "Darwin" ]; then
+		# Using BSD date (macOS), which doesn't support the --date option
+		# date -jf "<input format>" "<input value>" +"<output format>" (https://unix.stackexchange.com/a/86510)
+		gitDate="$(TZ=UTC date -u -jf "%s" "$gitUnix" +'%Y%m%d%H%M%S')"
+	else
+		# Using GNU date (Linux)
+		gitDate="$(TZ=UTC date -u --date "@$gitUnix" +'%Y%m%d%H%M%S')"
+	fi
+
+	gitCommit="$($GIT_COMMAND log -1 --pretty='%h')"
+	# generated version is now something like '0.0.0-20180719213702-cd5e2db'
+	origVersion="0.0.0-${gitDate}-${gitCommit}" # (using hyphens)
+	debVersion="0.0.0~${gitDate}.${gitCommit}"  # (using tilde and periods)
+
+	# verify that nightly builds are always < actual releases
+	#
+	# $ dpkg --compare-versions 1.5.0 gt 1.5.0~rc1 && echo true || echo false
+	# true
+	# $ dpkg --compare-versions 1.5.0~rc1 gt 0.0.0-20180719213347-5daff5a && echo true || echo false
+	# true
+	# $ dpkg --compare-versions 18.06.0-ce-rc3 gt 18.06.0-ce-rc2  && echo true || echo false
+	# true
+	# $ dpkg --compare-versions 18.06.0-ce gt 18.06.0-ce-rc2  && echo true || echo false
+	# false
+	# $ dpkg --compare-versions 18.06.0-ce-rc3 gt 0.0.0-20180719213347-5daff5a  && echo true || echo false
+	# true
+	# $ dpkg --compare-versions 18.06.0-ce gt 0.0.0-20180719213347-5daff5a  && echo true || echo false
+	# true
+	# $ dpkg --compare-versions 0.0.0-20180719213702-cd5e2db gt 0.0.0-20180719213347-5daff5a && echo true || echo false
+	# true
 fi
 
 echo "$debVersion" "$origVersion"

deb/raspbian-bookworm/Dockerfile

@@ -0,0 +1,40 @@
+# syntax=docker/dockerfile:1
+
+ARG GO_IMAGE=golang:latest
+ARG DISTRO=raspbian
+ARG SUITE=bookworm
+ARG VERSION_ID=12
+ARG BUILD_IMAGE=balenalib/rpi-raspbian:${SUITE}
+
+FROM ${GO_IMAGE} AS golang
+
+FROM ${BUILD_IMAGE}
+
+ARG DEBIAN_FRONTEND=noninteractive
+RUN apt-get update && apt-get install -y curl devscripts equivs git
+
+ENV GOPROXY=https://proxy.golang.org|direct
+ENV GO111MODULE=on
+ENV GOPATH=/go
+ENV GOTOOLCHAIN=local
+ENV PATH=$PATH:/usr/local/go/bin:$GOPATH/bin
+
+ARG COMMON_FILES
+COPY --link ${COMMON_FILES} /root/build-deb/debian
+RUN apt-get update \
+ && mk-build-deps -t "apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends -y" -i /root/build-deb/debian/control
+
+COPY --link sources/ /sources
+ARG DISTRO
+ARG SUITE
+ARG VERSION_ID
+ENV DISTRO=${DISTRO}
+ENV SUITE=${SUITE}
+ENV VERSION_ID=${VERSION_ID}
+
+COPY --link --from=golang /usr/local/go /usr/local/go
+
+WORKDIR /root/build-deb
+COPY build-deb /root/build-deb/build-deb
+
+ENTRYPOINT ["/root/build-deb/build-deb"]

deb/raspbian-bullseye/Dockerfile

@@ -0,0 +1,40 @@
+# syntax=docker/dockerfile:1
+
+ARG GO_IMAGE=golang:latest
+ARG DISTRO=raspbian
+ARG SUITE=bullseye
+ARG VERSION_ID=11
+ARG BUILD_IMAGE=balenalib/rpi-raspbian:${SUITE}
+
+FROM ${GO_IMAGE} AS golang
+
+FROM ${BUILD_IMAGE}
+
+ARG DEBIAN_FRONTEND=noninteractive
+RUN apt-get update && apt-get install -y curl devscripts equivs git
+
+ENV GOPROXY=https://proxy.golang.org|direct
+ENV GO111MODULE=on
+ENV GOPATH=/go
+ENV GOTOOLCHAIN=local
+ENV PATH=$PATH:/usr/local/go/bin:$GOPATH/bin
+
+ARG COMMON_FILES
+COPY --link ${COMMON_FILES} /root/build-deb/debian
+RUN apt-get update \
+ && mk-build-deps -t "apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends -y" -i /root/build-deb/debian/control
+
+COPY --link sources/ /sources
+ARG DISTRO
+ARG SUITE
+ARG VERSION_ID
+ENV DISTRO=${DISTRO}
+ENV SUITE=${SUITE}
+ENV VERSION_ID=${VERSION_ID}
+
+COPY --link --from=golang /usr/local/go /usr/local/go
+
+WORKDIR /root/build-deb
+COPY build-deb /root/build-deb/build-deb
+
+ENTRYPOINT ["/root/build-deb/build-deb"]

deb/raspbian-stretch/Dockerfile

@@ -1,29 +0,0 @@
-ARG GO_IMAGE
-ARG BUILD_IMAGE=resin/rpi-raspbian:stretch
-FROM ${GO_IMAGE} as golang
-
-FROM ${BUILD_IMAGE}
-
-RUN apt-get update && apt-get install -y curl devscripts equivs git
-
-ARG GO_VERSION
-ENV GOPATH /go
-ENV PATH $PATH:/usr/local/go/bin:$GOPATH/bin
-ENV DOCKER_BUILDTAGS apparmor seccomp selinux
-ENV RUNC_BUILDTAGS apparmor seccomp selinux
-
-ARG COMMON_FILES
-COPY ${COMMON_FILES} /root/build-deb/debian
-RUN mk-build-deps -t "apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends -y" -i /root/build-deb/debian/control
-
-COPY sources/ /sources
-
-ENV DISTRO raspbian
-ENV SUITE stretch
-
-COPY --from=golang /usr/local/go /usr/local/go
-
-WORKDIR /root/build-deb
-COPY build-deb /root/build-deb/build-deb
-
-ENTRYPOINT ["/root/build-deb/build-deb"]

deb/ubuntu-bionic/Dockerfile

@@ -1,29 +0,0 @@
-ARG GO_IMAGE
-ARG BUILD_IMAGE=ubuntu:bionic
-FROM ${GO_IMAGE} as golang
-
-FROM ${BUILD_IMAGE}
-
-RUN apt-get update && apt-get install -y curl devscripts equivs git
-
-ARG GO_VERSION
-ENV GOPATH /go
-ENV PATH $PATH:/usr/local/go/bin:$GOPATH/bin
-ENV DOCKER_BUILDTAGS apparmor seccomp selinux
-ENV RUNC_BUILDTAGS apparmor seccomp selinux
-
-ARG COMMON_FILES
-COPY ${COMMON_FILES} /root/build-deb/debian
-RUN mk-build-deps -t "apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends -y" -i /root/build-deb/debian/control
-
-COPY sources/ /sources
-
-ENV DISTRO ubuntu
-ENV SUITE bionic
-
-COPY --from=golang /usr/local/go /usr/local/go
-
-WORKDIR /root/build-deb
-COPY build-deb /root/build-deb/build-deb
-
-ENTRYPOINT ["/root/build-deb/build-deb"]

deb/ubuntu-cosmic/Dockerfile

@@ -1,29 +0,0 @@
-ARG GO_IMAGE
-ARG BUILD_IMAGE=ubuntu:cosmic
-FROM ${GO_IMAGE} as golang
-
-FROM ${BUILD_IMAGE}
-
-RUN apt-get update && apt-get install -y curl devscripts equivs git
-
-ARG GO_VERSION
-ENV GOPATH /go
-ENV PATH $PATH:/usr/local/go/bin:$GOPATH/bin
-ENV DOCKER_BUILDTAGS apparmor seccomp selinux
-ENV RUNC_BUILDTAGS apparmor seccomp selinux
-
-ARG COMMON_FILES
-COPY ${COMMON_FILES} /root/build-deb/debian
-RUN mk-build-deps -t "apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends -y" -i /root/build-deb/debian/control
-
-COPY sources/ /sources
-
-ENV DISTRO ubuntu
-ENV SUITE cosmic
-
-COPY --from=golang /usr/local/go /usr/local/go
-
-WORKDIR /root/build-deb
-COPY build-deb /root/build-deb/build-deb
-
-ENTRYPOINT ["/root/build-deb/build-deb"]

deb/ubuntu-disco/Dockerfile

@@ -1,29 +0,0 @@
-ARG GO_IMAGE
-ARG BUILD_IMAGE=ubuntu:disco
-FROM ${GO_IMAGE} as golang
-
-FROM ${BUILD_IMAGE}
-
-RUN apt-get update && apt-get install -y curl devscripts equivs git
-
-ARG GO_VERSION
-ENV GOPATH /go
-ENV PATH $PATH:/usr/local/go/bin:$GOPATH/bin
-ENV DOCKER_BUILDTAGS apparmor seccomp selinux
-ENV RUNC_BUILDTAGS apparmor seccomp selinux
-
-ARG COMMON_FILES
-COPY ${COMMON_FILES} /root/build-deb/debian
-RUN mk-build-deps -t "apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends -y" -i /root/build-deb/debian/control
-
-COPY sources/ /sources
-
-ENV DISTRO ubuntu
-ENV SUITE disco
-
-COPY --from=golang /usr/local/go /usr/local/go
-
-WORKDIR /root/build-deb
-COPY build-deb /root/build-deb/build-deb
-
-ENTRYPOINT ["/root/build-deb/build-deb"]

deb/ubuntu-jammy/Dockerfile

@@ -0,0 +1,46 @@
+# syntax=docker/dockerfile:1
+
+ARG GO_IMAGE=golang:latest
+ARG DISTRO=ubuntu
+ARG SUITE=jammy
+ARG VERSION_ID=22.04
+ARG BUILD_IMAGE=${DISTRO}:${SUITE}
+
+FROM ${GO_IMAGE} AS golang
+
+FROM ${BUILD_IMAGE}
+
+# Remove diverted man binary to prevent man-pages being replaced with "minimized" message. See docker/for-linux#639
+RUN if  [ "$(dpkg-divert --truename /usr/bin/man)" = "/usr/bin/man.REAL" ]; then \
+        rm -f /usr/bin/man; \
+        dpkg-divert --quiet --remove --rename /usr/bin/man; \
+    fi
+
+ARG DEBIAN_FRONTEND=noninteractive
+RUN apt-get update && apt-get install -y curl devscripts equivs git
+
+ENV GOPROXY=https://proxy.golang.org|direct
+ENV GO111MODULE=on
+ENV GOPATH=/go
+ENV GOTOOLCHAIN=local
+ENV PATH=$PATH:/usr/local/go/bin:$GOPATH/bin
+
+ARG COMMON_FILES
+COPY --link ${COMMON_FILES} /root/build-deb/debian
+RUN apt-get update \
+ && mk-build-deps -t "apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends -y" -i /root/build-deb/debian/control
+
+COPY --link sources/ /sources
+ARG DISTRO
+ARG SUITE
+ARG VERSION_ID
+ENV DISTRO=${DISTRO}
+ENV SUITE=${SUITE}
+ENV VERSION_ID=${VERSION_ID}
+
+COPY --link --from=golang /usr/local/go /usr/local/go
+
+WORKDIR /root/build-deb
+COPY build-deb /root/build-deb/build-deb
+
+ENTRYPOINT ["/root/build-deb/build-deb"]

deb/ubuntu-noble/Dockerfile

@@ -0,0 +1,46 @@
+# syntax=docker/dockerfile:1
+
+ARG GO_IMAGE=golang:latest
+ARG DISTRO=ubuntu
+ARG SUITE=noble
+ARG VERSION_ID=24.04
+ARG BUILD_IMAGE=${DISTRO}:${SUITE}
+
+FROM ${GO_IMAGE} AS golang
+
+FROM ${BUILD_IMAGE}
+
+# Remove diverted man binary to prevent man-pages being replaced with "minimized" message. See docker/for-linux#639
+RUN if  [ "$(dpkg-divert --truename /usr/bin/man)" = "/usr/bin/man.REAL" ]; then \
+        rm -f /usr/bin/man; \
+        dpkg-divert --quiet --remove --rename /usr/bin/man; \
+    fi
+
+ARG DEBIAN_FRONTEND=noninteractive
+RUN apt-get update && apt-get install -y curl devscripts equivs git
+
+ENV GOPROXY=https://proxy.golang.org|direct
+ENV GO111MODULE=on
+ENV GOPATH=/go
+ENV GOTOOLCHAIN=local
+ENV PATH=$PATH:/usr/local/go/bin:$GOPATH/bin
+
+ARG COMMON_FILES
+COPY --link ${COMMON_FILES} /root/build-deb/debian
+RUN apt-get update \
+ && mk-build-deps -t "apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends -y" -i /root/build-deb/debian/control
+
+COPY --link sources/ /sources
+ARG DISTRO
+ARG SUITE
+ARG VERSION_ID
+ENV DISTRO=${DISTRO}
+ENV SUITE=${SUITE}
+ENV VERSION_ID=${VERSION_ID}
+
+COPY --link --from=golang /usr/local/go /usr/local/go
+
+WORKDIR /root/build-deb
+COPY build-deb /root/build-deb/build-deb
+
+ENTRYPOINT ["/root/build-deb/build-deb"]

deb/ubuntu-oracular/Dockerfile

@@ -0,0 +1,46 @@
+# syntax=docker/dockerfile:1
+
+ARG GO_IMAGE=golang:latest
+ARG DISTRO=ubuntu
+ARG SUITE=oracular
+ARG VERSION_ID=24.10
+ARG BUILD_IMAGE=${DISTRO}:${SUITE}
+
+FROM ${GO_IMAGE} AS golang
+
+FROM ${BUILD_IMAGE}
+
+# Remove diverted man binary to prevent man-pages being replaced with "minimized" message. See docker/for-linux#639
+RUN if  [ "$(dpkg-divert --truename /usr/bin/man)" = "/usr/bin/man.REAL" ]; then \
+        rm -f /usr/bin/man; \
+        dpkg-divert --quiet --remove --rename /usr/bin/man; \
+    fi
+
+ARG DEBIAN_FRONTEND=noninteractive
+RUN apt-get update && apt-get install -y curl devscripts equivs git
+
+ENV GOPROXY=https://proxy.golang.org|direct
+ENV GO111MODULE=on
+ENV GOPATH=/go
+ENV GOTOOLCHAIN=local
+ENV PATH=$PATH:/usr/local/go/bin:$GOPATH/bin
+
+ARG COMMON_FILES
+COPY --link ${COMMON_FILES} /root/build-deb/debian
+RUN apt-get update \
+ && mk-build-deps -t "apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends -y" -i /root/build-deb/debian/control
+
+COPY --link sources/ /sources
+ARG DISTRO
+ARG SUITE
+ARG VERSION_ID
+ENV DISTRO=${DISTRO}
+ENV SUITE=${SUITE}
+ENV VERSION_ID=${VERSION_ID}
+
+COPY --link --from=golang /usr/local/go /usr/local/go
+
+WORKDIR /root/build-deb
+COPY build-deb /root/build-deb/build-deb
+
+ENTRYPOINT ["/root/build-deb/build-deb"]

deb/ubuntu-plucky/Dockerfile

@@ -0,0 +1,46 @@
+# syntax=docker/dockerfile:1
+
+ARG GO_IMAGE=golang:latest
+ARG DISTRO=ubuntu
+ARG SUITE=plucky
+ARG VERSION_ID=25.04
+ARG BUILD_IMAGE=${DISTRO}:${SUITE}
+
+FROM ${GO_IMAGE} AS golang
+
+FROM ${BUILD_IMAGE}
+
+# Remove diverted man binary to prevent man-pages being replaced with "minimized" message. See docker/for-linux#639
+RUN if  [ "$(dpkg-divert --truename /usr/bin/man)" = "/usr/bin/man.REAL" ]; then \
+        rm -f /usr/bin/man; \
+        dpkg-divert --quiet --remove --rename /usr/bin/man; \
+    fi
+
+ARG DEBIAN_FRONTEND=noninteractive
+RUN apt-get update && apt-get install -y curl devscripts equivs git
+
+ENV GOPROXY=https://proxy.golang.org|direct
+ENV GO111MODULE=on
+ENV GOPATH=/go
+ENV GOTOOLCHAIN=local
+ENV PATH=$PATH:/usr/local/go/bin:$GOPATH/bin
+
+ARG COMMON_FILES
+COPY --link ${COMMON_FILES} /root/build-deb/debian
+RUN apt-get update \
+ && mk-build-deps -t "apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends -y" -i /root/build-deb/debian/control
+
+COPY --link sources/ /sources
+ARG DISTRO
+ARG SUITE
+ARG VERSION_ID
+ENV DISTRO=${DISTRO}
+ENV SUITE=${SUITE}
+ENV VERSION_ID=${VERSION_ID}
+
+COPY --link --from=golang /usr/local/go /usr/local/go
+
+WORKDIR /root/build-deb
+COPY build-deb /root/build-deb/build-deb
+
+ENTRYPOINT ["/root/build-deb/build-deb"]

deb/ubuntu-xenial/Dockerfile

@@ -1,29 +0,0 @@
-ARG GO_IMAGE
-ARG BUILD_IMAGE=ubuntu:xenial
-FROM ${GO_IMAGE} as golang
-
-FROM ${BUILD_IMAGE}
-
-RUN apt-get update && apt-get install -y curl devscripts equivs git
-
-ARG GO_VERSION
-ENV GOPATH /go
-ENV PATH $PATH:/usr/local/go/bin:$GOPATH/bin
-ENV DOCKER_BUILDTAGS apparmor seccomp selinux
-ENV RUNC_BUILDTAGS apparmor seccomp selinux
-
-ARG COMMON_FILES
-COPY ${COMMON_FILES} /root/build-deb/debian
-RUN mk-build-deps -t "apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends -y" -i /root/build-deb/debian/control
-
-COPY sources/ /sources
-
-ENV DISTRO ubuntu
-ENV SUITE xenial
-
-COPY --from=golang /usr/local/go /usr/local/go
-
-WORKDIR /root/build-deb
-COPY build-deb /root/build-deb/build-deb
-
-ENTRYPOINT ["/root/build-deb/build-deb"]

distros.json

@@ -0,0 +1,141 @@
+{
+    "centos-9": {
+        "image": "quay.io/centos/centos:stream9",
+        "arches": [
+            "amd64",
+            "aarch64"
+        ],
+        "description": "CentOS Stream 9",
+        "end_of_life": "2027"
+    },
+    "centos-10": {
+        "image": "quay.io/centos/centos:stream10",
+        "arches": [
+            "amd64",
+            "aarch64"
+        ],
+        "description": "CentOS Stream 10",
+        "end_of_life": "2030"
+    },
+    "debian-bullseye": {
+        "image": "debian:bullseye",
+        "arches": [
+            "amd64",
+            "aarch64",
+            "armhf"
+        ],
+        "description": "Debian 11 (oldstable)"
+    },
+    "debian-bookworm": {
+        "image": "debian:bookworm",
+        "arches": [
+            "amd64",
+            "aarch64",
+            "armhf"
+        ],
+        "description": "Debian 12 (stable)"
+    },
+    "debian-trixie": {
+        "image": "debian:trixie",
+        "arches": [
+            "amd64",
+            "aarch64",
+            "armhf"
+        ],
+        "description": "Debian 13 (Next stable)"
+    },
+    "fedora-41": {
+        "image": "fedora:41",
+        "arches": [
+            "amd64",
+            "aarch64"
+        ],
+        "end_of_life": "November, 2025"
+    },
+    "fedora-42": {
+        "image": "fedora:42",
+        "arches": [
+            "amd64",
+            "aarch64"
+        ],
+        "end_of_life": "November, 2025"
+    },
+    "raspbian-bullseye": {
+        "image": "balenalib/rpi-raspbian:bullseye",
+        "arches": [
+            "armhf"
+        ],
+        "description": "Debian/Raspbian 11 (stable)"
+    },
+    "raspbian-bookworm": {
+        "image": "balenalib/rpi-raspbian:bookworm",
+        "arches": [
+            "armhf"
+        ],
+        "description": "Debian/Raspbian 12 (next stable)"
+    },
+    "ubuntu-jammy": {
+        "image": "ubuntu:jammy",
+        "arches": [
+            "amd64",
+            "aarch64",
+            "armhf"
+        ],
+        "description": "Ubuntu 22.04 LTS",
+        "end_of_life": "04-2032",
+        "end_of_support": "04-2027"
+    },
+    "ubuntu-noble": {
+        "image": "ubuntu:noble",
+        "arches": [
+            "amd64",
+            "aarch64",
+            "armhf"
+        ],
+        "description": "Ubuntu 24.04 LTS",
+        "end_of_life": "04-2034",
+        "end_of_support": "06-2029"
+    },
+    "ubuntu-oracular": {
+        "image": "ubuntu:oracular",
+        "arches": [
+            "amd64",
+            "aarch64",
+            "armhf"
+        ],
+        "description": "Ubuntu 24.10",
+        "end_of_life": "07-2025",
+        "end_of_support": "07-2025"
+    },
+    "ubuntu-plucky": {
+        "image": "ubuntu:plucky",
+        "arches": [
+            "amd64",
+            "aarch64",
+            "armhf"
+        ],
+        "description": "Ubuntu 25.04",
+        "end_of_life": "01-2026",
+        "end_of_support": "01-2026"
+    },
+    "rhel-8": {
+        "image": "registry.access.redhat.com/ubi8/ubi",
+        "arches": [
+            "amd64",
+            "aarch64"
+        ],
+        "description": "Red Hat Enterprise Linux 8",
+        "end_of_life": "05-2029",
+        "end_of_support": "05-2024"
+    },
+    "rhel-9": {
+        "image": "registry.access.redhat.com/ubi9/ubi",
+        "arches": [
+            "amd64",
+            "aarch64"
+        ],
+        "description": "Red Hat Enterprise Linux 9",
+        "end_of_life": "05-2032",
+        "end_of_support": "05-2027"
+    }
+}

image/Dockerfile.engine

@@ -1,101 +0,0 @@
-# Common builder
-ARG GO_IMAGE
-FROM ${GO_IMAGE} as builder
-
-COPY hack/dockerfile/install/tini.installer /
-COPY hack/dockerfile/install/proxy.installer /
-RUN apt-get update && apt-get install -y \
-    bash \
-    btrfs-tools \
-    ca-certificates \
-    cmake \
-    gcc \
-    git \
-    libc-dev \
-    libgcc-6-dev \
-    libltdl-dev \
-    libseccomp-dev \
-    libtool \
-    make
-RUN grep "_COMMIT=" /*.installer  |cut -f2- -d: > /binaries-commits
-
-# dockerd
-FROM builder as dockerd-builder
-RUN apt-get install -y \
-    libsystemd-dev
-WORKDIR /go/src/github.com/docker/docker
-COPY . /go/src/github.com/docker/docker
-ARG VERSION
-ARG GITCOMMIT
-ARG BUILDTIME
-ARG PLATFORM
-ARG PRODUCT
-ARG DEFAULT_PRODUCT_LICENSE
-ENV VERSION ${VERSION}
-ENV GITCOMMIT ${GITCOMMIT}
-ENV BUILDTIME ${BUILDTIME}
-ENV PLATFORM ${PLATFORM}
-ENV PRODUCT ${PRODUCT}
-ENV DEFAULT_PRODUCT_LICENSE ${DEFAULT_PRODUCT_LICENSE}
-# TODO The way we set the version could easily be simplified not to depend on hack/...
-RUN bash ./hack/make/.go-autogen
-RUN go build -o /sbin/dockerd \
-    -tags 'autogen apparmor seccomp selinux journald exclude_graphdriver_devicemapper' \
-    -i \
-    -buildmode=pie \
-    -a -ldflags '-w'\
-    github.com/docker/docker/cmd/dockerd
-
-# docker-proxy
-# TODO if libnetwork folds into the docker tree this can be combined above
-FROM builder as proxy-builder
-RUN git clone https://github.com/docker/libnetwork.git /go/src/github.com/docker/libnetwork
-WORKDIR /go/src/github.com/docker/libnetwork
-RUN . /binaries-commits && \
-    git checkout -q "$LIBNETWORK_COMMIT" && \
-    CGO_ENABLED=0 go build -buildmode=pie -ldflags="$PROXY_LDFLAGS" \
-        -o /sbin/docker-proxy \
-        github.com/docker/libnetwork/cmd/proxy
-
-# docker-init - TODO move this out, last time we bumped was 2016!
-FROM builder as init-builder
-RUN git clone https://github.com/krallin/tini.git /tini
-WORKDIR /tini
-RUN . /binaries-commits && \
-    git checkout -q "$TINI_COMMIT" && \
-    cmake . && make tini-static && \
-    cp tini-static /sbin/docker-init
-
-# runc
-FROM builder as runc-builder
-RUN apt-get install -y libseccomp-dev
-RUN git clone https://github.com/opencontainers/runc.git /go/src/github.com/opencontainers/runc
-WORKDIR /go/src/github.com/opencontainers/runc
-RUN . /binaries-commits && \
-    git checkout -q "$RUNC_COMMIT" && \
-    make BUILDTAGS='seccomp apparmor' static && make install
-
-# Final docker image
-FROM scratch
-ARG VERSION
-ARG GITCOMMIT
-ARG BUILDTIME
-ARG PLATFORM
-ARG ENGINE_IMAGE
-COPY --from=dockerd-builder /sbin/dockerd /bin/
-COPY --from=proxy-builder /sbin/docker-proxy /bin/
-COPY --from=init-builder /sbin/docker-init /bin/
-COPY --from=runc-builder /usr/local/sbin/runc /bin/
-
-LABEL \
-    org.opencontainers.image.authors="Docker Inc." \
-    org.opencontainers.image.created="${BUILDTIME}" \
-    org.opencontainers.image.documentation="https://docs.docker.com/" \
-    org.opencontainers.image.licenses="Apache-2.0" \
-    org.opencontainers.image.revision="${GITCOMMIT}" \
-    org.opencontainers.image.url="https://www.docker.com/products/docker-engine" \
-    org.opencontainers.image.vendor="Docker Inc." \
-    org.opencontainers.image.version="${VERSION}" \
-    com.docker.distribution_based_engine="{\"platform\":\"${PLATFORM}\",\"engine_image\":\"${ENGINE_IMAGE}\",\"containerd_min_version\":\"1.2.0-beta.1\",\"runtime\":\"host_install\"}"
-
-ENTRYPOINT ["/bin/dockerd"]

image/Dockerfile.engine-dm

@@ -1,97 +0,0 @@
-# Common builder
-ARG GO_IMAGE
-ARG BASE_IMAGE=centos:7
-FROM ${GO_IMAGE} as golang
-
-FROM ${BASE_IMAGE} as builder
-ENV GOPATH=/go
-ENV PATH $PATH:/usr/local/go/bin:$GOPATH/bin
-ENV AUTO_GOPATH 1
-COPY --from=golang /usr/local/go /usr/local/go
-COPY hack/dockerfile/install/tini.installer /
-COPY hack/dockerfile/install/proxy.installer /
-RUN yum install -y \
-    bash \
-    ca-certificates \
-    cmake \
-    gcc \
-    git \
-    glibc-static \
-    libtool \
-    make
-RUN grep "_COMMIT=" /*.installer  |cut -f2- -d: > /binaries-commits
-
-# dockerd
-FROM builder as dockerd-builder
-RUN yum install -y \
-    btrfs-progs-devel \
-    device-mapper-devel \
-    libseccomp-devel \
-    selinux-policy-devel \
-    systemd-devel
-WORKDIR /go/src/github.com/docker/docker
-COPY . /go/src/github.com/docker/docker
-ARG VERSION
-ARG GITCOMMIT
-ARG BUILDTIME
-ARG PLATFORM
-ARG PRODUCT
-ARG DEFAULT_PRODUCT_LICENSE
-ENV VERSION ${VERSION}
-ENV GITCOMMIT ${GITCOMMIT}
-ENV BUILDTIME ${BUILDTIME}
-ENV PLATFORM ${PLATFORM}
-ENV PRODUCT ${PRODUCT}
-ENV DEFAULT_PRODUCT_LICENSE ${DEFAULT_PRODUCT_LICENSE}
-# TODO The way we set the version could easily be simplified not to depend on hack/...
-RUN bash ./hack/make/.go-autogen
-RUN go build -o /dockerd \
-    -tags 'autogen apparmor seccomp selinux journald' \
-    -i \
-    -buildmode=pie \
-    -a -ldflags '-w'\
-    github.com/docker/docker/cmd/dockerd
-
-# docker-proxy
-# TODO if libnetwork folds into the docker tree this can be combined above
-FROM builder as proxy-builder
-RUN git clone https://github.com/docker/libnetwork.git /go/src/github.com/docker/libnetwork
-WORKDIR /go/src/github.com/docker/libnetwork
-RUN . /binaries-commits && \
-    git checkout -q "$LIBNETWORK_COMMIT" && \
-    go build -buildmode=pie -ldflags="-w" \
-        -o /docker-proxy \
-        github.com/docker/libnetwork/cmd/proxy
-
-# docker-init - TODO move this out, last time we bumped was 2016!
-FROM builder as init-builder
-RUN git clone https://github.com/krallin/tini.git /tini
-WORKDIR /tini
-RUN . /binaries-commits && \
-    git checkout -q "$TINI_COMMIT" && \
-    cmake . && make tini-static && \
-    cp tini-static /docker-init
-
-# Final docker image
-FROM scratch
-ARG VERSION
-ARG GITCOMMIT
-ARG BUILDTIME
-ARG PLATFORM
-ARG ENGINE_IMAGE
-COPY --from=dockerd-builder /dockerd /bin/
-COPY --from=proxy-builder /docker-proxy /bin/
-COPY --from=init-builder /docker-init /bin/
-
-LABEL \
-    org.opencontainers.image.authors="Docker Inc." \
-    org.opencontainers.image.created="${BUILDTIME}" \
-    org.opencontainers.image.documentation="https://docs.docker.com/" \
-    org.opencontainers.image.licenses="Apache-2.0" \
-    org.opencontainers.image.revision="${GITCOMMIT}" \
-    org.opencontainers.image.url="https://www.docker.com/products/docker-engine" \
-    org.opencontainers.image.vendor="Docker Inc." \
-    org.opencontainers.image.version="${VERSION}" \
-    com.docker.distribution_based_engine="{\"platform\":\"${PLATFORM}\",\"engine_image\":\"${ENGINE_IMAGE}\",\"containerd_min_version\":\"1.2.0-beta.1\",\"runtime\":\"host_install\"}"
-
-ENTRYPOINT ["/bin/dockerd"]

image/Makefile

@@ -1,90 +0,0 @@
-SHELL:=/bin/bash
-ENGINE_DIR:=$(CURDIR)/../../engine
-CLI_DIR:=$(CURDIR)/../../cli
-VERSION?=0.0.0-dev
-GO_BASE_IMAGE=golang
-GO_VERSION:=1.12.4
-ENGINE_GO_IMAGE=$(GO_BASE_IMAGE):$(GO_VERSION)
-STATIC_VERSION=$(shell ../static/gen-static-ver $(ENGINE_DIR) $(VERSION))
-DOCKER_HUB_ORG?=dockereng
-ARCH=$(shell uname -m)
-ENGINE_IMAGE?=engine-community
-CHOWN:=docker run --rm -v $(CURDIR):/v -w /v alpine chown
-DEFAULT_PRODUCT_LICENSE?=Community Engine
-PLATFORM?=Docker Engine - Community
-BUILDTIME?=$(shell date -u -d "@$${SOURCE_DATE_EPOCH:-$$(date +%s)}" --rfc-3339 ns 2> /dev/null | sed -e 's/ /T/')
-IMAGE_WITH_TAG=$(DOCKER_HUB_ORG)/$(ENGINE_IMAGE):$(STATIC_VERSION)
-ifdef BASE_IMAGE
-	# TODO: Clean this up to only set ENGINE_GO_IMAGE
-	BASE_IMAGE_FLAG=--build-arg BASE_IMAGE=$(BASE_IMAGE)
-	ENGINE_GO_IMAGE=$(BASE_IMAGE)
-endif
-IMAGE_BUILD?=docker build -t  $(IMAGE_WITH_TAG) \
-	--build-arg GO_IMAGE="$(ENGINE_GO_IMAGE)" \
-	--build-arg VERSION="$(STATIC_VERSION)" \
-	--build-arg GITCOMMIT="$$(cd $(ENGINE_DIR) && git rev-parse --short=7 HEAD)" \
-	--build-arg BUILDTIME="$(BUILDTIME)" \
-	--build-arg PLATFORM="$(PLATFORM)" \
-	--build-arg PRODUCT="$(PRODUCT)" \
-	--build-arg ENGINE_IMAGE="$(ENGINE_IMAGE)" \
-	--build-arg DEFAULT_PRODUCT_LICENSE="$(DEFAULT_PRODUCT_LICENSE)" \
-	$(BASE_IMAGE_FLAG) \
-	--file $< $(ENGINE_DIR)
-
-.PHONY: help
-help: ## show make targets
-	@awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z_-]+:.*?## / {sub("\\\\n",sprintf("\n%22c"," "), $$2);printf " \033[36m%-20s\033[0m  %s\n", $$1, $$2}' $(MAKEFILE_LIST)
-
-.PHONY: clean
-clean: ## remove build artifacts
-	-$(RM) $(ENGINE_DIR)/Dockerfile.engine
-	-$(RM) $(ENGINE_DIR)/Dockerfile.engine-dm
-	-docker rmi $(IMAGE_WITH_TAG)
-	-docker rmi $(IMAGE_WITH_TAG)-dm
-	-rm -f image-linux
-	-$(RM) -r artifacts
-	-$(RM) *.tar
-
-.PHONY: image
-image: image-linux
-
-$(ENGINE_DIR)/Dockerfile.%: Dockerfile.%
-	cp $< $@
-
-DOCKER2OCI=artifacts/docker2oci
-$(DOCKER2OCI):
-	-$(CHOWN) -R $(shell id -u):$(shell id -g) $(@D)
-	docker run --name docker2oci $(ENGINE_GO_IMAGE) sh -c 'go get github.com/coolljt0725/docker2oci'
-	mkdir -p $(@D)
-	docker cp docker2oci:/go/bin/docker2oci "$@"
-	docker rm -f docker2oci
-	$(CHOWN) -R $(shell id -u):$(shell id -g) $(@D)
-
-# builds across multiple archs because the base images
-# utilize manifests
-image-linux: $(ENGINE_DIR)/Dockerfile.engine
-	$(IMAGE_BUILD)
-	echo $(IMAGE_WITH_TAG) > $@
-
-engine-$(ARCH).tar: engine-$(ARCH)-docker-compat.tar $(DOCKER2OCI)
-	mkdir -p artifacts
-	./$(DOCKER2OCI) -i $< artifacts/engine-image
-	mkdir -p $(@D)
-	tar c -C artifacts/engine-image . > $@
-
-engine-$(ARCH)-docker-compat.tar: image-linux
-	docker save -o $@ $$(cat $<)
-
-image-linux-dm: ENGINE_IMAGE:=$(ENGINE_IMAGE)-dm
-image-linux-dm: $(ENGINE_DIR)/Dockerfile.engine-dm
-	$(IMAGE_BUILD)
-	echo $(IMAGE_WITH_TAG) > $@
-
-engine-$(ARCH)-dm.tar: engine-$(ARCH)-dm-docker-compat.tar $(DOCKER2OCI)
-	mkdir -p artifacts
-	./$(DOCKER2OCI) -i $< artifacts/engine-image
-	mkdir -p $(@D)
-	tar c -C artifacts/engine-image . > $@
-
-engine-$(ARCH)-dm-docker-compat.tar: image-linux-dm
-	docker save -o $@ $$(cat $<)

install-containerd-helpers

@@ -0,0 +1,85 @@
+#!/usr/bin/env bash
+
+###
+# Script Name:  install-containerd-helpers
+#
+# Description: A library that containers helpers to install containerd on different
+#              distributions based on a package manager
+###
+set -x extglob
+
+# Steps taken from: https://docs.docker.com/install/linux/docker-ce/centos/
+function install_rpm_containerd() {
+	if [ "${PACKAGE_REPO}" = "stage" ]; then
+		REPO_URL="https://download-stage.docker.com/linux/${DIST_ID}/docker-ce-staging.repo"
+	else
+		REPO_URL="https://download.docker.com/linux/${DIST_ID}/docker-ce.repo"
+	fi
+
+	# Install containerd dependency for non-zypper dependecies
+	echo "[DEBUG] Installing engine dependencies from ${REPO_URL}"
+
+	# Note: we enable test channel to be able to test non-stable containerd packages as well.
+	# Once a containerd package becomes stable it will also be available in the test channel,
+	# so this logic works for both cases.
+	# (See also same logic in install_debian_containerd)
+
+	if command -v dnf5; then
+		dnf --version
+
+		# FIXME(thaJeztah); strip empty lines as workaround for https://github.com/rpm-software-management/dnf5/issues/1603
+		TMP_REPO_FILE="$(mktemp --dry-run)"
+		curl -fsSL "${REPO_URL}" | tr -s '\n' > "${TMP_REPO_FILE}"
+		dnf config-manager addrepo --save-filename=docker-ce.repo  --overwrite --from-repofile="${TMP_REPO_FILE}"
+		rm -f "${TMP_REPO_FILE}"
+		# dnf config-manager addrepo --save-filename=docker-ce.repo --from-repofile="${REPO_URL}"
+		dnf config-manager setopt 'docker-ce-*.enabled=0'
+		dnf config-manager setopt 'docker-ce-test.enabled=1'
+		dnf makecache
+	elif command -v dnf; then
+		dnf --version
+
+		dnf config-manager --add-repo "${REPO_URL}"
+		dnf config-manager --set-disabled 'docker-ce-*'
+		dnf config-manager --set-enabled 'docker-ce-test'
+		dnf makecache
+	else
+		yum-config-manager --add-repo "${REPO_URL}"
+		yum-config-manager --disable 'docker-ce-*'
+		yum-config-manager --enable 'docker-ce-test'
+		yum makecache
+	fi
+}
+
+# Steps taken from: https://docs.docker.com/install/linux/docker-ce/ubuntu/
+function install_debian_containerd() {
+	if [ "${PACKAGE_REPO}" = "stage" ]; then
+		REPO_URL="https://download-stage.docker.com/linux/${DIST_ID}"
+	else
+		REPO_URL="https://download.docker.com/linux/${DIST_ID}"
+	fi
+
+	echo "[DEBUG] Installing engine dependencies from ${REPO_URL}"
+
+	#TODO include this step in the get.docker.com installation script
+	# Make sure ca-certificates are up-to-date
+	update-ca-certificates -f
+
+	install -m 0755 -d /etc/apt/keyrings
+	curl -fsSL "${REPO_URL}/gpg" | tee /etc/apt/keyrings/docker.asc
+	chmod a+r /etc/apt/keyrings/docker.asc
+
+	if [ "${DIST_VERSION}" = "sid" ]; then
+		echo 'Debian sid ("unstable") cannot be used for packaging: replace with the actual codename'
+		exit 1
+	fi
+	ARCH=$(dpkg --print-architecture)
+
+	# Note: we enable test channel to be able to test non-stable containerd packages as well.
+	# Once a containerd package becomes stable it will also be available in the test channel,
+	# so this logic works for both cases.
+	# (See also same logic in install_rpm_containerd)
+	echo "deb [arch=${ARCH} signed-by=/etc/apt/keyrings/docker.asc] ${REPO_URL} ${DIST_VERSION} test" > /etc/apt/sources.list.d/docker.list
+
+	apt-get update
+}

plugins/.common

@@ -1,37 +0,0 @@
-#!/usr/bin/env bash
-
-DESTDIR=${DESTDIR:-}
-PREFIX=${PREFIX:-/usr/local}
-
-add_github_ssh_host() {
-    # You're not able to clone from github unless you add to known_hosts
-    if ! grep ~/.ssh/known_hosts "github.com" >/dev/null 2>/dev/null; then
-        mkdir -p ~/.ssh
-        ssh-keyscan github.com >> ~/.ssh/known_hosts
-    fi
-}
-
-install_binary() {
-    for binary in "$@"; do
-        mkdir -p "${DESTDIR}${PREFIX}"
-        install -p -m 755 "${binary}" "${DESTDIR}${PREFIX}"
-    done
-}
-
-build_or_install() {
-    case $1 in
-        build)
-            build
-            ;;
-        build_mac)
-            build_mac
-            ;;
-        install_plugin)
-            install_plugin
-            ;;
-        *)
-            echo "Are you sure that's a command? o.O"
-            exit 1
-            ;;
-    esac
-}

plugins/app.installer

@@ -1,32 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-
-source "$(dirname "$0")/.common"
-
-GOPATH=$(go env GOPATH)
-REPO=https://github.com/docker/app.git
-COMMIT=v0.8.0-beta1
-DEST=${GOPATH}/src/github.com/docker/app
-
-build() {
-    if [ ! -d "${DEST}" ]; then
-        git clone "${REPO}" "${DEST}"
-    fi
-    (
-        cd "${DEST}"
-        git fetch --all
-        git checkout -q "${COMMIT}"
-        # There's no real versions yet, but this'll just leave it blank
-        make dynamic
-    )
-}
-
-install_plugin() {
-    (
-        cd "${DEST}"
-        install_binary bin/docker-app
-    )
-}
-
-build_or_install "$@"

rpm/Makefile

@@ -1,48 +1,75 @@
-include ../containerd.mk
+include ../common.mk
 
-ARCH=$(shell uname -m)
-ENGINE_DIR:=$(CURDIR)/../../engine
-CLI_DIR:=$(CURDIR)/../../cli
-GITCOMMIT=$(shell cd $(ENGINE_DIR) && git rev-parse --short HEAD)
-VERSION?=0.0.0-dev
-STATIC_VERSION=$(shell ../static/gen-static-ver $(ENGINE_DIR) $(VERSION))
+PLUGINS_DIR=$(realpath $(CURDIR)/../plugins)
 GO_BASE_IMAGE=golang
-GO_VERSION:=1.12.4
-GO_IMAGE?=$(GO_BASE_IMAGE):$(GO_VERSION)
-GEN_RPM_VER=$(shell ./gen-rpm-ver $(CLI_DIR) $(VERSION))
-CHOWN=docker run --rm -i -v $(CURDIR):/v -w /v alpine chown
+GO_IMAGE?=$(GO_BASE_IMAGE):$(GO_VERSION)-bookworm
+GEN_RPM_VER=$(shell ./gen-rpm-ver $(realpath $(CURDIR)/../src/github.com/docker/cli) "$(VERSION)")
+GEN_BUILDX_RPM_VER=$(shell ./gen-rpm-ver $(realpath $(CURDIR)/../src/github.com/docker/buildx) "$(DOCKER_BUILDX_REF)")
+GEN_COMPOSE_RPM_VER=$(shell ./gen-rpm-ver $(realpath $(CURDIR)/../src/github.com/docker/compose) "$(DOCKER_COMPOSE_REF)")
+GEN_MODEL_RPM_VER=$(shell ./gen-rpm-ver $(realpath $(CURDIR)/../src/github.com/docker/model-cli) "$(DOCKER_MODEL_REF)")
+CLI_GITCOMMIT?=$(shell cd $(realpath $(CURDIR)/../src/github.com/docker/cli) && git rev-parse --short HEAD)
+ENGINE_GITCOMMIT?=$(shell cd $(realpath $(CURDIR)/../src/github.com/docker/docker) && git rev-parse --short HEAD)
+BUILDX_GITCOMMIT?=$(shell cd $(realpath $(CURDIR)/../src/github.com/docker/buildx) && git rev-parse --short HEAD)
 
-DOCKERFILE=Dockerfile
-ifdef NEEDS_ARCH_SPECIFIC
-	DOCKERFILE=Dockerfile.$(ARCH)
+ifdef RH_USER
+	RH_FLAGS=--secret id=rh-user,env=RH_USER --secret id=rh-pass,env=RH_PASS
 endif
 ifdef BUILD_IMAGE
 	BUILD_IMAGE_FLAG=--build-arg $(BUILD_IMAGE)
 endif
-BUILD?=docker build \
+BUILD?=DOCKER_BUILDKIT=1 \
+	docker build \
+	$(RH_FLAGS) \
 	$(BUILD_IMAGE_FLAG) \
 	--build-arg GO_IMAGE=$(GO_IMAGE) \
 	-t rpmbuild-$@/$(ARCH) \
-	-f $@/$(DOCKERFILE) \
+	--platform linux/$(ARCH) \
+	-f $@/Dockerfile \
 	.
 
-SPEC_FILES?=docker-ce.spec docker-ce-cli.spec
+
+SPEC_FILES?=docker-ce.spec docker-ce-cli.spec docker-ce-rootless-extras.spec docker-buildx-plugin.spec docker-compose-plugin.spec docker-model-plugin.spec
+
 SPECS?=$(addprefix SPECS/, $(SPEC_FILES))
-RPMBUILD=docker run --privileged --rm -i \
-	-e PLATFORM \
-	-v $(CURDIR)/rpmbuild/SOURCES:/root/rpmbuild/SOURCES \
-	-v $(CURDIR)/rpmbuild/RPMS:/root/rpmbuild/RPMS \
-	-v $(CURDIR)/rpmbuild/SRPMS:/root/rpmbuild/SRPMS
 RPMBUILD_FLAGS?=-ba\
-	--define '_gitcommit $(word 3,$(GEN_RPM_VER))' \
+	--define '_gitcommit_cli $(CLI_GITCOMMIT)' \
+	--define '_gitcommit_engine $(ENGINE_GITCOMMIT)' \
 	--define '_release $(word 2,$(GEN_RPM_VER))' \
 	--define '_version $(word 1,$(GEN_RPM_VER))' \
 	--define '_origversion $(word 4, $(GEN_RPM_VER))' \
+	--define '_buildx_rpm_version $(word 1,$(GEN_BUILDX_RPM_VER))' \
+	--define '_buildx_version $(word 4,$(GEN_BUILDX_RPM_VER))' \
+	--define '_buildx_gitcommit $(BUILDX_GITCOMMIT)' \
+	--define '_compose_rpm_version $(word 1,$(GEN_COMPOSE_RPM_VER))' \
+	--define '_compose_version $(word 4,$(GEN_COMPOSE_RPM_VER))' \
+	--define '_model_rpm_version $(word 1,$(GEN_MODEL_RPM_VER))' \
+	--define '_model_version $(word 4,$(GEN_MODEL_RPM_VER))' \
+	$(RPMBUILD_EXTRA_FLAGS) \
 	$(SPECS)
-RUN?=$(RPMBUILD) rpmbuild-$@/$(ARCH) $(RPMBUILD_FLAGS)
 
-SOURCE_FILES=engine-image engine.tgz cli.tgz docker.service docker.socket distribution_based_engine.json plugin-installers.tgz
-SOURCES=$(addprefix rpmbuild/SOURCES/, $(SOURCE_FILES))
+# Additional flags may be necessary at some point
+RUN_FLAGS=
+
+# FIXME(thaJeztah): disabling seccomp to handle (ppc64le) tar "chown / chmod"
+# failing when running in a Fedora 40 container on a Debian bookworm host;
+# see https://github.com/docker/docker-ce-packaging/issues/1012 and
+# https://github.com/docker/docker-ce-packaging/pull/1006#issuecomment-2006878743
+RUN?=docker run --rm \
+	--security-opt seccomp=unconfined \
+	--platform linux/$(ARCH) \
+	-e PLATFORM \
+	-v $(CURDIR)/rpmbuild/SOURCES:/root/rpmbuild/SOURCES:ro \
+	-v $(CURDIR)/rpmbuild/$@/RPMS:/root/rpmbuild/RPMS \
+	-v $(CURDIR)/rpmbuild/$@/SRPMS:/root/rpmbuild/SRPMS \
+	$(RUN_FLAGS) \
+	rpmbuild-$@/$(ARCH) $(RPMBUILD_FLAGS)
+
+FEDORA_RELEASES ?= fedora-41 fedora-42
+CENTOS_RELEASES ?= centos-9 centos-10
+RHEL_RELEASES ?= rhel-8 rhel-9
+
+DISTROS := $(FEDORA_RELEASES) $(CENTOS_RELEASES) $(RHEL_RELEASES)
+BUNDLES := $(patsubst %,rpmbuild/bundles-ce-%-$(DPKG_ARCH).tar.gz,$(DISTROS))
 
 .PHONY: help
 help: ## show make targets
@@ -52,77 +79,73 @@ help: ## show make targets
 clean: ## remove build artifacts
 	[ ! -d rpmbuild ] || $(CHOWN) -R $(shell id -u):$(shell id -g) rpmbuild
 	$(RM) -r rpmbuild/
-	[ ! -d artifacts ] || $(CHOWN) -R $(shell id -u):$(shell id -g) artifacts
-	$(RM) -r artifacts/
-	[ ! -d tmp ] || $(CHOWN) -R $(shell id -u):$(shell id -g) tmp
-	$(RM) -r tmp/
-	-docker rm docker2oci
-	$(MAKE) -C ../image clean
+	-docker builder prune -f --filter until=24h
 
 .PHONY: rpm
 rpm: fedora centos ## build all rpm packages
 
 .PHONY: fedora
-fedora: fedora-30 fedora-29 fedora-28 ## build all fedora rpm packages
+fedora: $(FEDORA_RELEASES) ## build all fedora rpm packages
 
 .PHONY: centos
-centos: centos-7 ## build all centos rpm packages
+centos: $(CENTOS_RELEASES) ## build all centos rpm packages
 
-.PHONY: fedora-%
-fedora-%: ## build fedora rpm packages
-fedora-%: $(SOURCES)
-	$(CHOWN) -R root:root rpmbuild
+.PHONY: rhel
+rhel: $(RHEL_RELEASES) ## build all rhel rpm packages
+
+.PHONY: $(DISTROS)
+$(DISTROS): sources
+	@echo "== Building packages for $@ =="
+	mkdir -p "rpmbuild/$@"
 	$(BUILD)
 	$(RUN)
-	$(CHOWN) -R $(shell id -u):$(shell id -g) rpmbuild
+	$(CHOWN) -R $(shell id -u):$(shell id -g) "rpmbuild/$@"
 
-.PHONY: centos-7
-centos-7: ## build centos-7 rpm packages
-centos-7: $(SOURCES)
-	$(CHOWN) -R root:root rpmbuild
-	$(BUILD)
-	$(RUN)
-	$(CHOWN) -R $(shell id -u):$(shell id -g) rpmbuild
+.PHONY: sources
+sources: rpmbuild/SOURCES/engine.tgz rpmbuild/SOURCES/cli.tgz rpmbuild/SOURCES/buildx.tgz rpmbuild/SOURCES/compose.tgz rpmbuild/SOURCES/model.tgz
 
 rpmbuild/SOURCES/engine.tgz:
-	mkdir -p rpmbuild/SOURCES
-	docker run --rm -i -w /v \
-		-v $(ENGINE_DIR):/engine \
-		-v $(CURDIR)/rpmbuild/SOURCES:/v \
+	mkdir -p $(@D)
+	docker run --rm -w /v \
+		-v $(realpath $(CURDIR)/../src/github.com/docker/docker):/engine \
+		-v $(CURDIR)/$(@D):/v \
 		alpine \
 		tar -C / -c -z -f /v/engine.tgz --exclude .git engine
 
 rpmbuild/SOURCES/cli.tgz:
-	mkdir -p rpmbuild/SOURCES
-	docker run --rm -i -w /v \
-		-v $(CLI_DIR):/cli \
-		-v $(CURDIR)/rpmbuild/SOURCES:/v \
+	mkdir -p $(@D)
+	docker run --rm -w /v \
+		-v $(realpath $(CURDIR)/../src/github.com/docker/cli):/cli \
+		-v $(CURDIR)/$(@D):/v \
 		alpine \
 		tar -C / -c -z -f /v/cli.tgz --exclude .git cli
 
-rpmbuild/SOURCES/docker.service: ../systemd/docker.service
+rpmbuild/SOURCES/buildx.tgz:
 	mkdir -p $(@D)
-	cp $< $@
-
-rpmbuild/SOURCES/docker.socket: ../systemd/docker.socket
-	mkdir -p $(@D)
-	cp $< $@
-
-# TODO: Figure out how to decouple this
-# TODO: These might just end up being static files that are hardcoded
-# TODO: FROM HERE <=====================
-rpmbuild/SOURCES/engine-image:
-	mkdir -p $(@D)
-	echo "docker.io/dockereng/engine-community-dm:$(STATIC_VERSION)" > $@
-
-rpmbuild/SOURCES/distribution_based_engine.json: rpmbuild/SOURCES/engine-image
-	mkdir -p $(@D)
-	echo '{"platform":"Docker Engine - Community","engine_image":"engine-community-dm","containerd_min_version":"1.2.0-beta.1","runtime":"host_install"}' > $@
-# TODO: TO HERE <=====================
-
-rpmbuild/SOURCES/plugin-installers.tgz: $(wildcard ../plugins/*)
-	docker run --rm -i -w /v \
-		-v $(shell readlink -e ../plugins):/plugins \
-		-v $(CURDIR)/rpmbuild/SOURCES:/v \
+	docker run --rm -w /v \
+		-v $(realpath $(CURDIR)/../src/github.com/docker/buildx):/buildx \
+		-v $(CURDIR)/$(@D):/v \
 		alpine \
-		tar -C / -c -z -f /v/plugin-installers.tgz --exclude .git plugins
+		tar -C / -c -z -f /v/buildx.tgz --exclude .git buildx
+
+rpmbuild/SOURCES/compose.tgz:
+	mkdir -p $(@D)
+	docker run --rm -w /v \
+		-v $(realpath $(CURDIR)/../src/github.com/docker/compose):/compose \
+		-v $(CURDIR)/$(@D):/v \
+		alpine \
+		tar -C / -c -z -f /v/compose.tgz --exclude .git compose
+
+rpmbuild/SOURCES/model.tgz:
+	mkdir -p $(@D)
+	docker run --rm -w /v \
+		-v $(realpath $(CURDIR)/../src/github.com/docker/model-cli):/model \
+		-v $(CURDIR)/$(@D):/v \
+		alpine \
+		tar -C / -c -z -f /v/model.tgz --exclude .git model
+
+# See ARCHES in common.mk. Could not figure out how to match both distro and arch.
+BUNDLES:=$(addsuffix .tar.gz,$(addprefix rpmbuild/bundles-ce-%-,$(ARCHES)))
+
+$(BUNDLES): %
+	tar czf $@ --transform="s|^rpmbuild/\(.*\)|bundles/$(VERSION)/build-rpm/\1|" rpmbuild/$*

rpm/README.md

@@ -3,30 +3,37 @@
 `.rpm` packages can be built from this directory with the following syntax
 
 ```shell
-make ENGINE_DIR=/path/to/engine CLI_DIR=/path/to/cli rpm
+make rpm
 ```
 
 Artifacts will be located in `rpmbuild` under the following directory structure:
 `rpmbuild/$distro-$distro_version/`
 
-### NOTES:
+### Building from local source
+
+Specify the location of the source repositories for the engine and cli when
+building packages
+
 * `ENGINE_DIR` -> Specifies the directory where the engine code is located, eg: `$GOPATH/src/github.com/docker/docker`
 * `CLI_DIR` -> Specifies the directory where the cli code is located, eg: `$GOPATH/src/github.com/docker/cli`
 
+```shell
+make ENGINE_DIR=/path/to/engine CLI_DIR=/path/to/cli rpm
+```
+
 ## Specifying a specific distro
 
 ```shell
-make ENGINE_DIR=/path/to/engine CLI_DIR=/path/to/cli fedora
+make centos
 ```
 
 ## Specifying a specific distro version
 ```shell
-make ENGINE_DIR=/path/to/engine CLI_DIR=/path/to/cli fedora-25
+make centos-9
 ```
 
-## Building the latest docker-ce
+## Building the for all distros
 
 ```shell
-git clone https://github.com/docker/docker-ce.git
-make ENGINE_DIR=docker-ce/components/engine CLI_DIR=docker-ce/components/cli rpm
+make rpm
 ```

rpm/SPECS/docker-buildx-plugin.spec

@@ -0,0 +1,51 @@
+%global debug_package %{nil}
+
+Name: docker-buildx-plugin
+Version: %{_buildx_rpm_version}
+Release: %{_release}%{?dist}
+Epoch: 0
+Source0: buildx.tgz
+Summary: Docker Buildx plugin for the Docker CLI
+Group: Tools/Docker
+License: Apache-2.0
+URL: https://github.com/docker/buildx
+Vendor: Docker
+Packager: Docker <support@docker.com>
+
+BuildRequires: bash
+
+%description
+Docker Buildx plugin for the Docker CLI.
+
+%prep
+%setup -q -c -n src -a 0
+
+%build
+pushd ${RPM_BUILD_DIR}/src/buildx
+	GO111MODULE=on \
+	CGO_ENABLED=0 \
+		go build \
+			-mod=vendor \
+			-trimpath \
+			-ldflags="-w -X github.com/docker/buildx/version.Version=%{_buildx_version} -X github.com/docker/buildx/version.Revision=%{_buildx_gitcommit} -X github.com/docker/buildx/version.Package=github.com/docker/buildx" \
+			-o "bin/docker-buildx" \
+			./cmd/buildx
+popd
+
+%check
+ver="$(${RPM_BUILD_ROOT}%{_libexecdir}/docker/cli-plugins/docker-buildx docker-cli-plugin-metadata | awk '{ gsub(/[",:]/,"")}; $1 == "Version" { print $2 }')"; \
+	test "$ver" = "%{_buildx_version}" && echo "PASS: docker-buildx version OK" || (echo "FAIL: docker-buildx version ($ver) did not match" && exit 1)
+
+%install
+install -D -p -m 0755 ${RPM_BUILD_DIR}/src/buildx/bin/docker-buildx ${RPM_BUILD_ROOT}%{_libexecdir}/docker/cli-plugins/docker-buildx
+
+%files
+%{_libexecdir}/docker/cli-plugins/docker-buildx
+
+%post
+
+%preun
+
+%postun
+
+%changelog

rpm/SPECS/docker-ce-cli.spec

@@ -6,24 +6,27 @@ Release: %{_release}%{?dist}
 Epoch: 1
 Summary: The open-source application container engine
 Group: Tools/Docker
-License: ASL 2.0
+License: Apache-2.0
 Source0: cli.tgz
-Source1: plugin-installers.tgz
 URL: https://www.docker.com
 Vendor: Docker
 Packager: Docker <support@docker.com>
 
 # required packages on install
 Requires: /bin/sh
+Requires: /usr/sbin/groupadd
+
+Recommends: docker-buildx-plugin
+Recommends: docker-compose-plugin
+
+Suggests: docker-model-plugin
 
 BuildRequires: make
-BuildRequires: libtool-ltdl-devel
 BuildRequires: git
 
 # conflicting packages
 Conflicts: docker
 Conflicts: docker-io
-Conflicts: docker-engine-cs
 Conflicts: docker-ee
 Conflicts: docker-ee-cli
 
@@ -32,81 +35,56 @@ Docker is is a product for you to build, ship and run any application as a
 lightweight container.
 
 Docker containers are both hardware-agnostic and platform-agnostic. This means
-they can run anywhere, from your laptop to the largest cloud compute instance and
-everything in between - and they don't require you to use a particular
+they can run anywhere, from your laptop to the largest cloud compute instance
+and everything in between - and they don't require you to use a particular
 language, framework or packaging system. That makes them great building blocks
 for deploying and scaling web apps, databases, and backend services without
 depending on a particular stack or provider.
 
 %prep
-%setup -q -c -n src -a 1
+%setup -q -c -n src -a 0
 
 %build
 mkdir -p /go/src/github.com/docker
 rm -f /go/src/github.com/docker/cli
-ln -s /root/rpmbuild/BUILD/src/cli /go/src/github.com/docker/cli
-pushd /go/src/github.com/docker/cli
-DISABLE_WARN_OUTSIDE_CONTAINER=1 make VERSION=%{_origversion} GITCOMMIT=%{_gitcommit} dynbinary manpages # cli
-popd
+ln -snf ${RPM_BUILD_DIR}/src/cli /go/src/github.com/docker/cli
+make -C /go/src/github.com/docker/cli DISABLE_WARN_OUTSIDE_CONTAINER=1 VERSION=%{_origversion} GITCOMMIT=%{_gitcommit_cli} dynbinary manpages shell-completion
 
-# Build all associated plugins
-pushd /root/rpmbuild/BUILD/src/plugins
-for installer in *.installer; do
-    bash ${installer} build
-done
-popd
-
-
-# %check
-# cli/build/docker -v
+%check
+ver="$(cli/build/docker --version)"; \
+    test "$ver" = "Docker version %{_origversion}, build %{_gitcommit_cli}" && echo "PASS: cli version OK" || (echo "FAIL: cli version ($ver) did not match" && exit 1)
 
 %install
 # install binary
-install -d $RPM_BUILD_ROOT/%{_bindir}
-install -p -m 755 cli/build/docker $RPM_BUILD_ROOT/%{_bindir}/docker
-
-# install plugins
-pushd /root/rpmbuild/BUILD/src/plugins
-for installer in *.installer; do
-    DESTDIR=$RPM_BUILD_ROOT \
-        PREFIX=/usr/libexec/docker/cli-plugins \
-        bash ${installer} install_plugin
-done
-popd
+install -D -p -m 755 cli/build/docker ${RPM_BUILD_ROOT}%{_bindir}/docker
 
 # add bash, zsh, and fish completions
-install -d $RPM_BUILD_ROOT/usr/share/bash-completion/completions
-install -d $RPM_BUILD_ROOT/usr/share/zsh/vendor-completions
-install -d $RPM_BUILD_ROOT/usr/share/fish/vendor_completions.d
-install -p -m 644 cli/contrib/completion/bash/docker $RPM_BUILD_ROOT/usr/share/bash-completion/completions/docker
-install -p -m 644 cli/contrib/completion/zsh/_docker $RPM_BUILD_ROOT/usr/share/zsh/vendor-completions/_docker
-install -p -m 644 cli/contrib/completion/fish/docker.fish $RPM_BUILD_ROOT/usr/share/fish/vendor_completions.d/docker.fish
+install -D -p -m 644 cli/build/completion/bash/docker ${RPM_BUILD_ROOT}%{_datadir}/bash-completion/completions/docker
+install -D -p -m 644 cli/build/completion/zsh/_docker ${RPM_BUILD_ROOT}%{_datadir}/zsh/vendor-completions/_docker
+install -D -p -m 644 cli/build/completion/fish/docker.fish ${RPM_BUILD_ROOT}%{_datadir}/fish/vendor_completions.d/docker.fish
 
-# install manpages
-install -d %{buildroot}%{_mandir}/man1
-install -p -m 644 cli/man/man1/*.1 $RPM_BUILD_ROOT/%{_mandir}/man1
-install -d %{buildroot}%{_mandir}/man5
-install -p -m 644 cli/man/man5/*.5 $RPM_BUILD_ROOT/%{_mandir}/man5
-install -d %{buildroot}%{_mandir}/man8
-install -p -m 644 cli/man/man8/*.8 $RPM_BUILD_ROOT/%{_mandir}/man8
+# install man-pages
+for sec in $(seq 1 9); do
+    if [ -d "cli/man/man${sec}" ]; then
+        # Note: we need to create destination dirs first (instead "install -D") due to wildcards used.
+        install -d ${RPM_BUILD_ROOT}%{_mandir}/man${sec} && \
+        install -p -m 644 cli/man/man${sec}/*.${sec} ${RPM_BUILD_ROOT}%{_mandir}/man${sec};
+    fi
+done
 
 mkdir -p build-docs
 for cli_file in LICENSE MAINTAINERS NOTICE README.md; do
-    cp "cli/$cli_file" "build-docs/$cli_file"
+    install -D -p -m 644 "cli/$cli_file" "build-docs/$cli_file"
 done
 
 # list files owned by the package here
 %files
 %doc build-docs/LICENSE build-docs/MAINTAINERS build-docs/NOTICE build-docs/README.md
-/%{_bindir}/docker
-/usr/libexec/docker/cli-plugins/*
-/usr/share/bash-completion/completions/docker
-/usr/share/zsh/vendor-completions/_docker
-/usr/share/fish/vendor_completions.d/docker.fish
-%doc
-/%{_mandir}/man1/*
-/%{_mandir}/man5/*
-/%{_mandir}/man8/*
+%{_bindir}/docker
+%{_datadir}/bash-completion/completions/docker
+%{_datadir}/zsh/vendor-completions/_docker
+%{_datadir}/fish/vendor_completions.d/docker.fish
+%{_mandir}/man*/*
 
 
 %post

rpm/SPECS/docker-ce-rootless-extras.spec

@@ -0,0 +1,63 @@
+%global debug_package %{nil}
+
+Name: docker-ce-rootless-extras
+Version: %{_version}
+Release: %{_release}%{?dist}
+Epoch: 0
+Source0: engine.tgz
+Summary: Rootless support for Docker
+Group: Tools/Docker
+License: Apache-2.0
+URL: https://docs.docker.com/engine/security/rootless/
+Vendor: Docker
+Packager: Docker <support@docker.com>
+
+Requires: docker-ce
+# TODO: conditionally add `Requires: dbus-daemon` for Fedora and CentOS 8
+# slirp4netns >= 0.4 is available in the all supported versions of CentOS and Fedora.
+Requires: slirp4netns >= 0.4
+# fuse-overlayfs >= 0.7 is available in the all supported versions of CentOS and Fedora.
+Requires: fuse-overlayfs >= 0.7
+
+BuildRequires: bash
+
+# conflicting packages
+Conflicts: rootlesskit
+
+%description
+Rootless support for Docker.
+Use dockerd-rootless.sh to run the daemon.
+Use dockerd-rootless-setuptool.sh to setup systemd for dockerd-rootless.sh .
+This package contains RootlessKit, but does not contain VPNKit.
+Either VPNKit or slirp4netns (>= 0.4.0) needs to be installed separately.
+
+%prep
+%setup -q -c -n src -a 0
+
+%build
+
+export DOCKER_GITCOMMIT=%{_gitcommit_engine}
+mkdir -p /go/src/github.com/docker
+ln -snf ${RPM_BUILD_DIR}/src/engine /go/src/github.com/docker/docker
+TMP_GOPATH="/go" ${RPM_BUILD_DIR}/src/engine/hack/dockerfile/install/install.sh rootlesskit dynamic
+
+%check
+/usr/local/bin/rootlesskit -v
+
+%install
+install -D -p -m 0755 engine/contrib/dockerd-rootless.sh ${RPM_BUILD_ROOT}%{_bindir}/dockerd-rootless.sh
+install -D -p -m 0755 engine/contrib/dockerd-rootless-setuptool.sh ${RPM_BUILD_ROOT}%{_bindir}/dockerd-rootless-setuptool.sh
+install -D -p -m 0755 /usr/local/bin/rootlesskit ${RPM_BUILD_ROOT}%{_bindir}/rootlesskit
+
+%files
+%{_bindir}/dockerd-rootless.sh
+%{_bindir}/dockerd-rootless-setuptool.sh
+%{_bindir}/rootlesskit
+
+%post
+
+%preun
+
+%postun
+
+%changelog

rpm/SPECS/docker-ce.spec

@@ -1,71 +1,58 @@
 %global debug_package %{nil}
 
-
 Name: docker-ce
 Version: %{_version}
 Release: %{_release}%{?dist}
 Epoch: 3
 Source0: engine.tgz
-Source1: docker.service
-Source2: docker.socket
 Summary: The open-source application container engine
 Group: Tools/Docker
-License: ASL 2.0
+License: Apache-2.0
 URL: https://www.docker.com
 Vendor: Docker
 Packager: Docker <support@docker.com>
 
+Requires: /usr/sbin/groupadd
+# Provides modprobe, which we use to load br_netfilter if not loaded.
+Suggests: kmod
 Requires: docker-ce-cli
-Requires: container-selinux >= 2.9
-Requires: libseccomp >= 2.3
-Requires: systemd-units
+Recommends: docker-ce-rootless-extras
+Requires: container-selinux
+Requires: systemd
 Requires: iptables
+%if %{undefined rhel} || 0%{?rhel} < 9
+# Libcgroup is no longer available in RHEL/CentOS >= 9 distros.
 Requires: libcgroup
-Requires: containerd.io
+%endif
+Requires: containerd.io >= 1.7.27
 Requires: tar
 Requires: xz
 
-# Resolves: rhbz#1165615
-Requires: device-mapper-libs >= 1.02.90-1
-
 BuildRequires: bash
-BuildRequires: btrfs-progs-devel
 BuildRequires: ca-certificates
 BuildRequires: cmake
-BuildRequires: device-mapper-devel
 BuildRequires: gcc
 BuildRequires: git
 BuildRequires: glibc-static
-BuildRequires: libseccomp-devel
-BuildRequires: libselinux-devel
 BuildRequires: libtool
-BuildRequires: libtool-ltdl-devel
 BuildRequires: make
 BuildRequires: pkgconfig
 BuildRequires: pkgconfig(systemd)
-BuildRequires: selinux-policy-devel
 BuildRequires: systemd-devel
 BuildRequires: tar
-BuildRequires: which
 
 # conflicting packages
 Conflicts: docker
 Conflicts: docker-io
-Conflicts: docker-engine-cs
 Conflicts: docker-ee
 
-# Obsolete packages
-Obsoletes: docker-ce-selinux
-Obsoletes: docker-engine-selinux
-Obsoletes: docker-engine
-
 %description
-Docker is is a product for you to build, ship and run any application as a
+Docker is a product for you to build, ship and run any application as a
 lightweight container.
 
 Docker containers are both hardware-agnostic and platform-agnostic. This means
-they can run anywhere, from your laptop to the largest cloud compute instance and
-everything in between - and they don't require you to use a particular
+they can run anywhere, from your laptop to the largest cloud compute instance
+and everything in between - and they don't require you to use a particular
 language, framework or packaging system. That makes them great building blocks
 for deploying and scaling web apps, databases, and backend services without
 depending on a particular stack or provider.
@@ -74,81 +61,67 @@ depending on a particular stack or provider.
 %setup -q -c -n src -a 0
 
 %build
-export DOCKER_GITCOMMIT=%{_gitcommit}
-mkdir -p /go/src/github.com/docker
-ln -s /root/rpmbuild/BUILD/src/engine /go/src/github.com/docker/docker
 
-pushd engine
-for component in tini "proxy dynamic";do
-    TMP_GOPATH="/go" hack/dockerfile/install/install.sh $component
-done
-VERSION=%{_origversion} PRODUCT=docker hack/make.sh dynbinary
+export DOCKER_GITCOMMIT=%{_gitcommit_engine}
+mkdir -p /go/src/github.com/docker
+ln -snf ${RPM_BUILD_DIR}/src/engine /go/src/github.com/docker/docker
+
+pushd ${RPM_BUILD_DIR}/src/engine
+TMP_GOPATH="/go" hack/dockerfile/install/install.sh tini
+
+# Determine Go module mode based on file presence
+if [ -f vendor.mod ]; then
+    GOMOD=off
+elif [ -f go.mod ]; then
+    GOMOD=on
+else
+    echo "No go.mod or vendor.mod found in engine directory"
+    exit 1
+fi
+GO111MODULE=$GOMOD VERSION=%{_origversion} PRODUCT=docker hack/make.sh dynbinary
 popd
 
+#  build  man-pages
+make -C ${RPM_BUILD_DIR}/src/engine/man
+
 %check
-engine/bundles/dynbinary-daemon/dockerd -v
+ver="$(engine/bundles/dynbinary-daemon/dockerd --version)"; \
+    test "$ver" = "Docker version %{_origversion}, build %{_gitcommit_engine}" && echo "PASS: daemon version OK" || (echo "FAIL: daemon version ($ver) did not match" && exit 1)
 
 %install
-# install daemon binary
-install -D -p -m 0755 $(readlink -f engine/bundles/dynbinary-daemon/dockerd) $RPM_BUILD_ROOT/%{_bindir}/dockerd
-
-# install proxy
-install -D -p -m 0755 /usr/local/bin/docker-proxy $RPM_BUILD_ROOT/%{_bindir}/docker-proxy
-
-# install tini
-install -D -p -m 755 /usr/local/bin/docker-init $RPM_BUILD_ROOT/%{_bindir}/docker-init
+install -D -p -m 0755 $(readlink -f engine/bundles/dynbinary-daemon/dockerd) ${RPM_BUILD_ROOT}%{_bindir}/dockerd
+install -D -p -m 0755 $(readlink -f engine/bundles/dynbinary-daemon/docker-proxy) ${RPM_BUILD_ROOT}%{_bindir}/docker-proxy
+install -D -p -m 0755 /usr/local/bin/docker-init ${RPM_BUILD_ROOT}%{_libexecdir}/docker/docker-init
 
 # install systemd scripts
-install -D -m 0644 %{_topdir}/SOURCES/docker.service $RPM_BUILD_ROOT/%{_unitdir}/docker.service
-install -D -m 0644 %{_topdir}/SOURCES/docker.socket $RPM_BUILD_ROOT/%{_unitdir}/docker.socket
+install -D -p -m 0644 engine/contrib/init/systemd/docker.service ${RPM_BUILD_ROOT}%{_unitdir}/docker.service
+install -D -p -m 0644 engine/contrib/init/systemd/docker.socket ${RPM_BUILD_ROOT}%{_unitdir}/docker.socket
 
-# install json for docker engine activate / upgrade
-install -D -m 0644 %{_topdir}/SOURCES/distribution_based_engine.json $RPM_BUILD_ROOT/var/lib/docker-engine/distribution_based_engine-ce.json
+# install manpages
+make -C ${RPM_BUILD_DIR}/src/engine/man DESTDIR=${RPM_BUILD_ROOT} mandir=%{_mandir} install
+
+# create the config directory
+mkdir -p ${RPM_BUILD_ROOT}/etc/docker
 
 %files
-/%{_bindir}/dockerd
-/%{_bindir}/docker-proxy
-/%{_bindir}/docker-init
-/%{_unitdir}/docker.service
-/%{_unitdir}/docker.socket
-/var/lib/docker-engine/distribution_based_engine-ce.json
-
-%pre
-if [ $1 -gt 0 ] ; then
-    # package upgrade scenario, before new files are installed
-
-    # clear any old state
-    rm -f %{_localstatedir}/lib/rpm-state/docker-is-active > /dev/null 2>&1 || :
-
-    # check if docker service is running
-    if systemctl is-active docker > /dev/null 2>&1; then
-        systemctl stop docker > /dev/null 2>&1 || :
-        touch %{_localstatedir}/lib/rpm-state/docker-is-active > /dev/null 2>&1 || :
-    fi
-fi
+%{_bindir}/dockerd
+%{_bindir}/docker-proxy
+%{_libexecdir}/docker/docker-init
+%{_unitdir}/docker.service
+%{_unitdir}/docker.socket
+%{_mandir}/man*/*
+%dir /etc/docker
 
 %post
-%systemd_post docker
+%systemd_post docker.service
 if ! getent group docker > /dev/null; then
     groupadd --system docker
 fi
 
-
 %preun
-%systemd_preun docker
+%systemd_preun docker.service docker.socket
 
 %postun
-%systemd_postun_with_restart docker
-
-%posttrans
-if [ $1 -ge 0 ] ; then
-    # package upgrade scenario, after new files are installed
-
-    # check if docker was running before upgrade
-    if [ -f %{_localstatedir}/lib/rpm-state/docker-is-active ]; then
-        systemctl start docker > /dev/null 2>&1 || :
-        rm -f %{_localstatedir}/lib/rpm-state/docker-is-active > /dev/null 2>&1 || :
-    fi
-fi
+%systemd_postun_with_restart docker.service
 
 %changelog

rpm/SPECS/docker-compose-plugin.spec

@@ -0,0 +1,57 @@
+%global debug_package %{nil}
+
+Name: docker-compose-plugin
+Version: %{_compose_rpm_version}
+Release: %{_release}%{?dist}
+Epoch: 0
+Source0: compose.tgz
+Summary: Docker Compose (V2) plugin for the Docker CLI
+Group: Tools/Docker
+License: Apache-2.0
+URL: https://github.com/docker/compose/
+Vendor: Docker
+Packager: Docker <support@docker.com>
+
+Enhances: docker-ce-cli
+Recommends: docker-buildx-plugin
+
+BuildRequires: bash
+
+%description
+Docker Compose (V2) plugin for the Docker CLI.
+
+This plugin provides the 'docker compose' subcommand.
+
+The binary can also be run standalone as a direct replacement for
+Docker Compose V1 ('docker-compose').
+
+%prep
+%setup -q -c -n src -a 0
+
+%build
+make -C ${RPM_BUILD_DIR}/src/compose VERSION=%{_compose_version} DESTDIR=./bin build
+
+%check
+ver="$(${RPM_BUILD_ROOT}%{_libexecdir}/docker/cli-plugins/docker-compose docker-cli-plugin-metadata | awk '{ gsub(/[",:]/,"")}; $1 == "Version" { print $2 }')"; \
+    test "$ver" = "%{_compose_version}" && echo "PASS: docker-compose version OK" || (echo "FAIL: docker-compose version ($ver) did not match" && exit 1)
+
+%install
+install -D -p -m 0755 ${RPM_BUILD_DIR}/src/compose/bin/docker-compose ${RPM_BUILD_ROOT}%{_libexecdir}/docker/cli-plugins/docker-compose
+
+for f in LICENSE MAINTAINERS NOTICE README.md; do
+    install -D -p -m 0644 "${RPM_BUILD_DIR}/src/compose/$f" "docker-compose-plugin-docs/$f"
+done
+
+%files
+%doc docker-compose-plugin-docs/*
+%license docker-compose-plugin-docs/LICENSE
+%license docker-compose-plugin-docs/NOTICE
+%{_libexecdir}/docker/cli-plugins/docker-compose
+
+%post
+
+%preun
+
+%postun
+
+%changelog

rpm/SPECS/docker-model-plugin.spec

@@ -0,0 +1,52 @@
+%global debug_package %{nil}
+
+Name: docker-model-plugin
+Version: %{_model_rpm_version}
+Release: %{_release}%{?dist}
+Epoch: 0
+Source0: model.tgz
+Summary: Docker Model Runner plugin for the Docker CLI
+Group: Tools/Docker
+License: Apache-2.0
+URL: https://docs.docker.com/model-runner/
+Vendor: Docker
+Packager: Docker <support@docker.com>
+
+Enhances: docker-ce-cli
+
+BuildRequires: bash
+
+%description
+Docker Model Runner plugin for the Docker CLI.
+
+This plugin provides the 'docker model' subcommand.
+
+%prep
+%setup -q -c -n src -a 0
+
+%build
+GO111MODULE=on make -C ${RPM_BUILD_DIR}/src/model VERSION=%{_model_version} ce-release
+
+%check
+ver="$(${RPM_BUILD_ROOT}%{_libexecdir}/docker/cli-plugins/docker-model docker-cli-plugin-metadata | awk '{ gsub(/[",:]/,"")}; $1 == "Version" { print $2 }')"; \
+    test "$ver" = "%{_model_version}" && echo "PASS: docker-model version OK" || (echo "FAIL: docker-model version ($ver) did not match" && exit 1)
+
+%install
+install -D -p -m 0755 ${RPM_BUILD_DIR}/src/model/dist/docker-model ${RPM_BUILD_ROOT}%{_libexecdir}/docker/cli-plugins/docker-model
+
+for f in LICENSE; do
+    install -D -p -m 0644 "${RPM_BUILD_DIR}/src/model/$f" "docker-model-plugin-docs/$f"
+done
+
+%files
+%doc docker-model-plugin-docs/*
+%license docker-model-plugin-docs/LICENSE
+%{_libexecdir}/docker/cli-plugins/docker-model
+
+%post
+
+%preun
+
+%postun
+
+%changelog

rpm/centos-10/Dockerfile

@@ -0,0 +1,35 @@
+# syntax=docker/dockerfile:1
+
+ARG GO_IMAGE=golang:latest
+ARG DISTRO=centos
+ARG SUITE=10
+ARG BUILD_IMAGE=quay.io/centos/${DISTRO}:stream${SUITE}
+
+FROM ${GO_IMAGE} AS golang
+
+FROM ${BUILD_IMAGE}
+ENV GOPROXY=https://proxy.golang.org|direct
+ENV GO111MODULE=on
+ENV GOPATH=/go
+ENV GOTOOLCHAIN=local
+ENV PATH=$PATH:/usr/local/go/bin:$GOPATH/bin
+ENV AUTO_GOPATH=1
+ENV DOCKER_BUILDTAGS=exclude_graphdriver_btrfs
+ARG DISTRO
+ARG SUITE
+ENV DISTRO=${DISTRO}
+ENV SUITE=${SUITE}
+
+# RHEL8 / CentOS 8 changed behavior and no longer "rpm --import" or
+# "rpmkeys --import"as part of rpm package's %post scriplet. See
+# https://forums.centos.org/viewtopic.php?f=54&t=72574, and
+# https://access.redhat.com/solutions/3720351
+RUN rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial-SHA256
+RUN dnf install -y rpm-build dnf-plugins-core
+RUN dnf config-manager --set-enabled crb
+
+COPY --link SPECS /root/rpmbuild/SPECS
+RUN dnf builddep -y /root/rpmbuild/SPECS/*.spec
+COPY --link --from=golang /usr/local/go /usr/local/go
+WORKDIR /root/rpmbuild
+ENTRYPOINT ["/bin/rpmbuild"]

rpm/centos-7/Dockerfile

@@ -1,20 +0,0 @@
-ARG GO_IMAGE
-ARG BUILD_IMAGE=centos:7
-FROM ${GO_IMAGE} as golang
-
-FROM ${BUILD_IMAGE}
-ENV DISTRO centos
-ENV SUITE 7
-ENV GOPATH=/go
-ENV PATH $PATH:/usr/local/go/bin:$GOPATH/bin
-ENV AUTO_GOPATH 1
-ENV DOCKER_BUILDTAGS seccomp selinux
-ENV RUNC_BUILDTAGS seccomp selinux
-RUN yum install -y rpm-build rpmlint
-COPY SPECS /root/rpmbuild/SPECS
-# Overwrite repo that was failing on aarch64
-RUN sed -i 's/altarch/centos/g' /etc/yum.repos.d/CentOS-Sources.repo
-RUN yum-builddep -y /root/rpmbuild/SPECS/*.spec
-COPY --from=golang /usr/local/go /usr/local/go
-WORKDIR /root/rpmbuild
-ENTRYPOINT ["/bin/rpmbuild"]

rpm/centos-9/Dockerfile

@@ -0,0 +1,35 @@
+# syntax=docker/dockerfile:1
+
+ARG GO_IMAGE=golang:latest
+ARG DISTRO=centos
+ARG SUITE=9
+ARG BUILD_IMAGE=quay.io/centos/${DISTRO}:stream${SUITE}
+
+FROM ${GO_IMAGE} AS golang
+
+FROM ${BUILD_IMAGE}
+ENV GOPROXY=https://proxy.golang.org|direct
+ENV GO111MODULE=on
+ENV GOPATH=/go
+ENV GOTOOLCHAIN=local
+ENV PATH=$PATH:/usr/local/go/bin:$GOPATH/bin
+ENV AUTO_GOPATH=1
+ENV DOCKER_BUILDTAGS=exclude_graphdriver_btrfs
+ARG DISTRO
+ARG SUITE
+ENV DISTRO=${DISTRO}
+ENV SUITE=${SUITE}
+
+# RHEL8 / CentOS 8 changed behavior and no longer "rpm --import" or
+# "rpmkeys --import"as part of rpm package's %post scriplet. See
+# https://forums.centos.org/viewtopic.php?f=54&t=72574, and
+# https://access.redhat.com/solutions/3720351
+RUN rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
+RUN dnf install -y rpm-build dnf-plugins-core
+RUN dnf config-manager --set-enabled crb
+
+COPY --link SPECS /root/rpmbuild/SPECS
+RUN dnf builddep -y /root/rpmbuild/SPECS/*.spec
+COPY --link --from=golang /usr/local/go /usr/local/go
+WORKDIR /root/rpmbuild
+ENTRYPOINT ["/bin/rpmbuild"]

rpm/fedora-28/Dockerfile

@@ -1,18 +0,0 @@
-ARG GO_IMAGE
-ARG BUILD_IMAGE=fedora:28
-FROM ${GO_IMAGE} as golang
-
-FROM ${BUILD_IMAGE}
-ENV DISTRO fedora
-ENV SUITE 28
-ENV GOPATH /go
-ENV PATH $PATH:/usr/local/go/bin:$GOPATH/bin
-ENV AUTO_GOPATH 1
-ENV DOCKER_BUILDTAGS seccomp selinux
-ENV RUNC_BUILDTAGS seccomp selinux
-RUN dnf install -y rpm-build rpmlint dnf-plugins-core
-COPY SPECS /root/rpmbuild/SPECS
-RUN dnf builddep -y /root/rpmbuild/SPECS/*.spec
-COPY --from=golang /usr/local/go /usr/local/go
-WORKDIR /root/rpmbuild
-ENTRYPOINT ["/bin/rpmbuild"]

rpm/fedora-29/Dockerfile

@@ -1,18 +0,0 @@
-ARG GO_IMAGE
-ARG BUILD_IMAGE=fedora:29
-FROM ${GO_IMAGE} as golang
-
-FROM ${BUILD_IMAGE}
-ENV DISTRO fedora
-ENV SUITE 29
-ENV GOPATH /go
-ENV PATH $PATH:/usr/local/go/bin:$GOPATH/bin
-ENV AUTO_GOPATH 1
-ENV DOCKER_BUILDTAGS seccomp selinux
-ENV RUNC_BUILDTAGS seccomp selinux
-RUN dnf install -y rpm-build rpmlint dnf-plugins-core
-COPY SPECS /root/rpmbuild/SPECS
-RUN dnf builddep -y /root/rpmbuild/SPECS/*.spec
-COPY --from=golang /usr/local/go /usr/local/go
-WORKDIR /root/rpmbuild
-ENTRYPOINT ["/bin/rpmbuild"]

rpm/fedora-30/Dockerfile

@@ -1,18 +0,0 @@
-ARG GO_IMAGE
-ARG BUILD_IMAGE=fedora:30
-FROM ${GO_IMAGE} as golang
-
-FROM ${BUILD_IMAGE}
-ENV DISTRO fedora
-ENV SUITE 30
-ENV GOPATH /go
-ENV PATH $PATH:/usr/local/go/bin:$GOPATH/bin
-ENV AUTO_GOPATH 1
-ENV DOCKER_BUILDTAGS seccomp selinux
-ENV RUNC_BUILDTAGS seccomp selinux
-RUN dnf install -y rpm-build rpmlint dnf-plugins-core
-COPY SPECS /root/rpmbuild/SPECS
-RUN dnf builddep -y /root/rpmbuild/SPECS/*.spec
-COPY --from=golang /usr/local/go /usr/local/go
-WORKDIR /root/rpmbuild
-ENTRYPOINT ["/bin/rpmbuild"]

rpm/fedora-41/Dockerfile

@@ -0,0 +1,50 @@
+# syntax=docker/dockerfile:1
+
+ARG GO_IMAGE=golang:latest
+ARG DISTRO=fedora
+ARG SUITE=41
+ARG BUILD_IMAGE=${DISTRO}:${SUITE}
+
+FROM ${GO_IMAGE} AS golang
+
+FROM ${BUILD_IMAGE}
+ENV GOPROXY=https://proxy.golang.org|direct
+ENV GO111MODULE=on
+ENV GOPATH=/go
+ENV GOTOOLCHAIN=local
+ENV PATH=$PATH:/usr/local/go/bin:$GOPATH/bin
+ENV AUTO_GOPATH=1
+ARG DISTRO
+ARG SUITE
+ENV DISTRO=${DISTRO}
+ENV SUITE=${SUITE}
+RUN dnf install -y rpm-build dnf-plugins-core
+# FIXME(thaJeztah): workaround for building on Fedora 41 on arm64
+#
+# This is the equivalent of https://github.com/docker/containerd-packaging/pull/390
+# for containerd packages, but unlike for containerd packages, we currently do
+# not run into this issue when building docker-ce packages. We're installing
+# this as a precaution, but perhaps it's not needed.
+#
+# go1.21 and up have a patch that enforces the use of ld.gold to work around
+# a bug in GNU binutils. See;
+# - https://github.com/golang/go/issues/22040.
+# - https://github.com/golang/go/commit/cd77738198ffe0c4a1db58352c89f9b2d2a4e85e
+#
+# Fedora 41 and up has a fixed version of binutils, and no longer requires that
+# patch, but may fail without ld.gold installed;
+#
+#   /usr/bin/gcc -Wl,-z,now -Wl,-z,nocopyreloc -fuse-ld=gold -o $WORK/b001/exe/a.out -rdynamic /tmp/go-link-1738353519/go.o /tmp/go-link-1738353519/000000.o /tmp/go-link-1738353519/000001.o /tmp/go-link-1738353519/000002.o /tmp/go-link-1738353519/000003.o /tmp/go-link-1738353519/000004.o /tmp/go-link-1738353519/000005.o /tmp/go-link-1738353519/000006.o /tmp/go-link-1738353519/000007.o /tmp/go-link-1738353519/000008.o /tmp/go-link-1738353519/000009.o /tmp/go-link-1738353519/000010.o /tmp/go-link-1738353519/000011.o /tmp/go-link-1738353519/000012.o /tmp/go-link-1738353519/000013.o /tmp/go-link-1738353519/000014.o /tmp/go-link-1738353519/000015.o /tmp/go-link-1738353519/000016.o /tmp/go-link-1738353519/000017.o /tmp/go-link-1738353519/000018.o /tmp/go-link-1738353519/000019.o /tmp/go-link-1738353519/000020.o /tmp/go-link-1738353519/000021.o /tmp/go-link-1738353519/000022.o /tmp/go-link-1738353519/000023.o /tmp/go-link-1738353519/000024.o -O2 -g -lresolv -O2 -g -lpthread -O2 -g -ldl -O2 -g
+#   collect2: fatal error: cannot find 'ld'
+#
+# Fedora's build of Go carries a patch for that, but it's not (yet) in upstream;
+# - https://src.fedoraproject.org/rpms/golang/blob/a867bd88a656c1d6e91e7b18bab696dc3fcf1e77/f/0006-Default-to-ld.bfd-on-ARM64.patch
+# - https://src.fedoraproject.org/rpms/golang/c/a867bd88a656c1d6e91e7b18bab696dc3fcf1e77?branch=rawhide
+#
+# As a workaround; install binutils-gold
+RUN if [ "$(arch)" = 'aarch64' ]; then dnf -y install binutils-gold; fi
+COPY --link SPECS /root/rpmbuild/SPECS
+RUN dnf builddep -y /root/rpmbuild/SPECS/*.spec
+COPY --link --from=golang /usr/local/go /usr/local/go
+WORKDIR /root/rpmbuild
+ENTRYPOINT ["/bin/rpmbuild"]

rpm/fedora-42/Dockerfile

@@ -0,0 +1,51 @@
+# syntax=docker/dockerfile:1
+
+ARG GO_IMAGE=golang:latest
+ARG DISTRO=fedora
+ARG SUITE=42
+ARG BUILD_IMAGE=${DISTRO}:${SUITE}
+
+FROM ${GO_IMAGE} AS golang
+
+FROM ${BUILD_IMAGE}
+ENV GOPROXY=https://proxy.golang.org|direct
+ENV GO111MODULE=on
+ENV GOPATH=/go
+ENV GOTOOLCHAIN=local
+ENV PATH=$PATH:/usr/local/go/bin:$GOPATH/bin
+ENV AUTO_GOPATH=1
+ARG DISTRO
+ARG SUITE
+ENV DISTRO=${DISTRO}
+ENV SUITE=${SUITE}
+RUN dnf install -y rpm-build dnf-plugins-core
+# FIXME(thaJeztah): workaround for building on Fedora 41 and up on arm64
+#
+# This is the equivalent of https://github.com/docker/containerd-packaging/pull/390
+# for containerd packages, but unlike for containerd packages, we currently do
+# not run into this issue when building docker-ce packages. We're installing
+# this as a precaution, but perhaps it's not needed.
+#
+# go1.21 and up have a patch that enforces the use of ld.gold to work around
+# a bug in GNU binutils. See;
+# - https://github.com/golang/go/issues/22040.
+# - https://github.com/golang/go/commit/cd77738198ffe0c4a1db58352c89f9b2d2a4e85e
+#
+# Fedora 41 and up has a fixed version of binutils, and no longer requires that
+# patch, but may fail without ld.gold installed;
+#
+#   /usr/bin/gcc -Wl,-z,now -Wl,-z,nocopyreloc -fuse-ld=gold -o $WORK/b001/exe/a.out -rdynamic /tmp/go-link-1738353519/go.o /tmp/go-link-1738353519/000000.o /tmp/go-link-1738353519/000001.o /tmp/go-link-1738353519/000002.o /tmp/go-link-1738353519/000003.o /tmp/go-link-1738353519/000004.o /tmp/go-link-1738353519/000005.o /tmp/go-link-1738353519/000006.o /tmp/go-link-1738353519/000007.o /tmp/go-link-1738353519/000008.o /tmp/go-link-1738353519/000009.o /tmp/go-link-1738353519/000010.o /tmp/go-link-1738353519/000011.o /tmp/go-link-1738353519/000012.o /tmp/go-link-1738353519/000013.o /tmp/go-link-1738353519/000014.o /tmp/go-link-1738353519/000015.o /tmp/go-link-1738353519/000016.o /tmp/go-link-1738353519/000017.o /tmp/go-link-1738353519/000018.o /tmp/go-link-1738353519/000019.o /tmp/go-link-1738353519/000020.o /tmp/go-link-1738353519/000021.o /tmp/go-link-1738353519/000022.o /tmp/go-link-1738353519/000023.o /tmp/go-link-1738353519/000024.o -O2 -g -lresolv -O2 -g -lpthread -O2 -g -ldl -O2 -g
+#   collect2: fatal error: cannot find 'ld'
+#
+# Fedora's build of Go carries a patch for that, but it's not (yet) in upstream;
+# - https://src.fedoraproject.org/rpms/golang/blob/a867bd88a656c1d6e91e7b18bab696dc3fcf1e77/f/0006-Default-to-ld.bfd-on-ARM64.patch
+# - https://src.fedoraproject.org/rpms/golang/c/a867bd88a656c1d6e91e7b18bab696dc3fcf1e77?branch=rawhide
+#
+# As a workaround; install binutils-gold
+RUN if [ "$(rpm --query --queryformat='%{ARCH}' rpm)" = 'aarch64' ] && ! command -v ld.gold; then dnf -y install binutils-gold; fi
+
+COPY --link SPECS /root/rpmbuild/SPECS
+RUN dnf builddep -y /root/rpmbuild/SPECS/*.spec
+COPY --link --from=golang /usr/local/go /usr/local/go
+WORKDIR /root/rpmbuild
+ENTRYPOINT ["/bin/rpmbuild"]

rpm/gen-rpm-ver

@@ -1,68 +1,115 @@
 #!/usr/bin/env bash
 
-ENGINE_DIR=$1
-VERSION=$2
+REPO_DIR="$1"
+VERSION="$2"
 
-[[ $# < 2 ]] && echo 'not enough args' && exit 1
-
-DATE_COMMAND="date"
-if [[ $(uname) -eq "Darwin" ]]; then
-    DATE_COMMAND="docker run --rm alpine date"
+if [ -z "$REPO_DIR" ] || [ -z "$VERSION" ]; then
+	# shellcheck disable=SC2016
+	echo 'usage: ./gen-rpm-ver ${REPO_DIR} ${VERSION}'
+	exit 1
 fi
 
-GIT_COMMAND="git -C $ENGINE_DIR"
+GIT_COMMAND="git -C $REPO_DIR"
 origVersion="$VERSION"
-rpmVersion="$VERSION"
-rpmRelease=3
+rpmVersion="${VERSION#v}"
 
-# rpmRelease versioning is as follows
-# Docker 18.01.0-ce:  version=18.01.0.ce, release=3
-# Docker 18.01.0-ce-tp1: version=18.01.0.ce, release=0.1.tp1
-# Docker 18.01.0-ce-beta1: version=18.01.0.ce, release=1.1.beta1
-# Docker 18.01.0-ce-rc1: version=18.01.0.ce, release=2.1.rc1
-# Docker 18.01.0-ce-cs1: version=18.01.0.ce.cs1, release=1
-# Docker 18.01.0-ce-cs1-rc1: version=18.01.0.ce.cs1, release=0.1.rc1
-# Docker 18.01.0-ce-dev nightly: version=18.01.0.ce, release=0.0.YYYYMMDD.HHMMSS.gitHASH
+# rpm "Release:" field ($rpmRelease) is used to set the "_release" macro, which
+# is an incremental number for builds of the same release (Version: / #rpmVersion).
+#
+# This field can be:
+#
+# - Version: 0   : Package was built, but no matching upstream release (e.g., can be used for "nightly" builds)
+# - Version: 1   : Package was built for an upstream (pre)release version
+# - Version: > 1 : Only to be used for packaging-only changes (new package built for a version for which a package was already built/released)
+#
+# For details, see the Fedora packaging guide:
+# https://docs.fedoraproject.org/en-US/packaging-guidelines/Versioning/#_complex_versioning_with_a_reasonable_upstream
+#
+# Note that older versions of the rpm spec allowed more traditional information
+# in this field, which is still allowed, but considered deprecated; see
+# https://docs.fedoraproject.org/en-US/packaging-guidelines/Versioning/#_complex_versioning_with_a_reasonable_upstream
+#
+# In our case, this means that all releases, except for "nightly" builds should
+# use "Version: 1". Only in an exceptional case, where we need to publish a new
+# package (build) for an existing release, "Version: 2" should be used; this script
+# does not currently account for that situation.
+#
+# Assuming all tagged version of rpmRelease correspond with an upstream release,
+# this means that versioning is as follows:
+#
+# Docker 23.0.0:         version=23.0.0, release=1
+# Docker 23.0.0-alpha.1: version=23.0.0, release=1
+# Docker 23.0.0-beta.1:  version=23.0.0, release=1
+# Docker 23.0.0-rc.1:    version=23.0.0, release=1
+# Docker 23.0.0-dev:     version=0.0.0~YYYYMMDDHHMMSS.gitHASH, release=0
+rpmRelease=1
 
-if [[ "$rpmVersion" =~ .*-tp[0-9]+$ ]]; then
-    tpVersion=${rpmVersion#*-tp}
-    rpmVersion=${rpmVersion%-tp*}
-    rpmRelease="0.${tpVersion}.tp${tpVersion}"
-elif [[ "$rpmVersion" =~ .*-beta[0-9]+$ ]]; then
-    betaVersion=${rpmVersion#*-beta}
-    rpmVersion=${rpmVersion%-beta*}
-    rpmRelease="1.${betaVersion}.beta${betaVersion}"
-elif [[ "$rpmVersion" =~ .*-rc[0-9]+$ ]]; then
-    rcVersion=${rpmVersion#*-rc}
-    rpmVersion=${rpmVersion%-rc*}
-    rpmRelease="2.${rcVersion}.rc${rcVersion}"
-fi
+# rpm packages require a tilde (~) instead of a hyphen (-) as separator between
+# the version # and pre-release suffixes, otherwise pre-releases are sorted AFTER
+# non-pre-release versions, which would prevent users from updating from a pre-
+# release version to the "ga" version.
+#
+# For details, see the Fedora packaging guide:
+# https://docs.fedoraproject.org/en-US/packaging-guidelines/Versioning/#_handling_non_sorting_versions_with_tilde_dot_and_caret
+#
+# > The tilde symbol (‘~’) is used before a version component which must sort
+# > earlier than any non-tilde component. It is used for any pre-release versions
+# > which wouldn’t otherwise sort appropriately.
+# >
+# > For example, with upstream releases 0.4.0, 0.4.1, 0.5.0-rc1, 0.5.0-rc2, 0.5.0,
+# > the two "release candidates" should use 0.5.0~rc1 and 0.5.0~rc2 in the Version:
+# > field. Bugfix or "patchlevel" releases that some upstream make should be handled
+# > using simple versioning. The separator used by upstream may need to be replaced
+# > by a dot or dropped.
+# >
+# > For example, if the same upstream released 0.5.0-post1 as a bugfix version,
+# > this "post-release" should use 0.5.0.post1 in the Version: field. Note that
+# > 0.5.0.post1 sorts lower than both 0.5.1 and 0.5.0.1.
+#
+# The code below replaces hyphens with tildes. Note that an intermediate $tilde
+# variable is needed to make this work on all versions of Bash. In some versions
+# of Bash, the tilde would be substituted with $HOME (even when escaped (\~) or
+# quoted ('~').
+tilde='~'
+rpmVersion="${rpmVersion//-/$tilde}"
 
 DOCKER_GITCOMMIT=$($GIT_COMMAND rev-parse --short HEAD)
 if [ -n "$($GIT_COMMAND status --porcelain --untracked-files=no)" ]; then
-    DOCKER_GITCOMMIT="$DOCKER_GITCOMMIT-unsupported"
+	DOCKER_GITCOMMIT="$DOCKER_GITCOMMIT-unsupported"
 fi
 
-# if we have a "-dev" suffix or have change in Git, let's make this package version more complex so it works better
-if [[ "$rpmVersion" == *-dev ]] || [ -n "$($GIT_COMMAND status --porcelain)" ]; then
-    # based on golang's pseudo-version: https://groups.google.com/forum/#!topic/golang-dev/a5PqQuBljF4
-    #
-    # using a "pseudo-version" of the form v0.0.0-yyyymmddhhmmss-abcdefabcdef,
-    # where the time is the commit time in UTC and the final suffix is the prefix
-    # of the commit hash. The time portion ensures that two pseudo-versions can
-    # be compared to determine which happened later, the commit hash identifes
-    # the underlying commit, and the v0.0.0- prefix identifies the pseudo-version
-    # as a pre-release before version v0.0.0, so that the go command prefers any
-    # tagged release over any pseudo-version.
-    gitUnix="$($GIT_COMMAND log -1 --pretty='%ct')"
-    gitDate="$($DATE_COMMAND --utc --date "@$gitUnix" +'%Y%m%d%H%M%S')"
-    gitCommit="$($GIT_COMMAND log -1 --pretty='%h')"
-    # rpmVersion is now something like '0.0.0-20180719213702-cd5e2db'
-    rpmVersion="0.0.0-${gitDate}-${gitCommit}"
-    rpmRelease="0"
-    origVersion=$rpmVersion
+# if we have a "-dev" suffix or have change in Git, this is a nightly build, and
+# we'll create a pseudo version based on commit-date and -sha.
+if [[ "$VERSION" == *-dev ]] || [ -n "$($GIT_COMMAND status --porcelain)" ]; then
+	export TZ=UTC
+
+	# based on golang's pseudo-version: https://groups.google.com/forum/#!topic/golang-dev/a5PqQuBljF4
+	#
+	# using a "pseudo-version" of the form v0.0.0-yyyymmddhhmmss-abcdefabcdef,
+	# where the time is the commit time in UTC and the final suffix is the prefix
+	# of the commit hash. The time portion ensures that two pseudo-versions can
+	# be compared to determine which happened later, the commit hash identifes
+	# the underlying commit, and the v0.0.0- prefix identifies the pseudo-version
+	# as a pre-release before version v0.0.0, so that the go command prefers any
+	# tagged release over any pseudo-version.
+	gitUnix="$($GIT_COMMAND log -1 --pretty='%ct')"
+
+	if [ "$(uname)" = "Darwin" ]; then
+		# Using BSD date (macOS), which doesn't support the --date option
+		# date -jf "<input format>" "<input value>" +"<output format>" (https://unix.stackexchange.com/a/86510)
+		gitDate="$(TZ=UTC date -u -jf "%s" "$gitUnix" +'%Y%m%d%H%M%S')"
+	else
+		# Using GNU date (Linux)
+		gitDate="$(TZ=UTC date -u --date "@$gitUnix" +'%Y%m%d%H%M%S')"
+	fi
+
+	gitCommit="$($GIT_COMMAND log -1 --pretty='%h')"
+	# generated version is now something like '0.0.0-20180719213702-cd5e2db'
+	origVersion="0.0.0-${gitDate}-${gitCommit}" # (using hyphens)
+	rpmVersion="0.0.0~${gitDate}.${gitCommit}"  # (using tilde and periods)
+	rpmRelease=0
 fi
 
-# Replace any other dashes with periods
+# Replace any remaining dashes with periods
 rpmVersion="${rpmVersion//-/.}"
-echo $rpmVersion $rpmRelease $DOCKER_GITCOMMIT $origVersion
+echo "$rpmVersion $rpmRelease $DOCKER_GITCOMMIT $origVersion"

rpm/rhel-8/Dockerfile

@@ -0,0 +1,45 @@
+# syntax=docker/dockerfile:1
+
+ARG GO_IMAGE=golang:latest
+ARG DISTRO=rhel
+ARG SUITE=8
+ARG BUILD_IMAGE=registry.access.redhat.com/ubi8/ubi
+
+FROM ${GO_IMAGE} AS golang
+
+FROM ${BUILD_IMAGE} AS subscribed-image
+RUN --mount=type=secret,id=rh-user --mount=type=secret,id=rh-pass <<-EOT
+	rm -f /etc/rhsm-host
+
+	if [ ! -f /run/secrets/rh-user ] || [ ! -f /run/secrets/rh-pass ]; then
+		echo "Either RH_USER or RH_PASS is not set. Running build without subscription."
+	else
+		subscription-manager register \
+			--username="$(cat /run/secrets/rh-user)" \
+			--password="$(cat /run/secrets/rh-pass)"
+
+		subscription-manager repos --enable codeready-builder-for-rhel-8-$(arch)-rpms
+		# dnf config-manager --set-enabled codeready-builder-for-rhel-8-$(arch)-rpms
+	fi
+EOT
+
+FROM subscribed-image
+
+ENV GOPROXY=https://proxy.golang.org|direct
+ENV GO111MODULE=on
+ENV GOPATH=/go
+ENV GOTOOLCHAIN=local
+ENV PATH=$PATH:/usr/local/go/bin:$GOPATH/bin
+ENV AUTO_GOPATH=1
+ENV DOCKER_BUILDTAGS=exclude_graphdriver_btrfs
+ARG DISTRO
+ARG SUITE
+ENV DISTRO=${DISTRO}
+ENV SUITE=${SUITE}
+
+RUN dnf install -y rpm-build
+COPY --link SPECS /root/rpmbuild/SPECS
+RUN dnf builddep -y /root/rpmbuild/SPECS/*.spec
+COPY --link --from=golang /usr/local/go /usr/local/go
+WORKDIR /root/rpmbuild
+ENTRYPOINT ["/bin/rpmbuild"]

rpm/rhel-9/Dockerfile

@@ -0,0 +1,45 @@
+# syntax=docker/dockerfile:1
+
+ARG GO_IMAGE=golang:latest
+ARG DISTRO=rhel
+ARG SUITE=9
+ARG BUILD_IMAGE=registry.access.redhat.com/ubi9/ubi
+
+FROM ${GO_IMAGE} AS golang
+
+FROM ${BUILD_IMAGE} AS subscribed-image
+RUN --mount=type=secret,id=rh-user --mount=type=secret,id=rh-pass <<-EOT
+	rm -f /etc/rhsm-host
+
+	if [ ! -f /run/secrets/rh-user ] || [ ! -f /run/secrets/rh-pass ]; then
+		echo "Either RH_USER or RH_PASS is not set. Running build without subscription."
+	else
+		subscription-manager register \
+			--username="$(cat /run/secrets/rh-user)" \
+			--password="$(cat /run/secrets/rh-pass)"
+
+		subscription-manager repos --enable codeready-builder-for-rhel-9-$(arch)-rpms
+		# dnf config-manager --set-enabled codeready-builder-for-rhel-9-$(arch)-rpms
+	fi
+EOT
+
+FROM subscribed-image
+
+ENV GOPROXY=https://proxy.golang.org|direct
+ENV GO111MODULE=on
+ENV GOPATH=/go
+ENV GOTOOLCHAIN=local
+ENV PATH=$PATH:/usr/local/go/bin:$GOPATH/bin
+ENV AUTO_GOPATH=1
+ENV DOCKER_BUILDTAGS=exclude_graphdriver_btrfs
+ARG DISTRO
+ARG SUITE
+ENV DISTRO=${DISTRO}
+ENV SUITE=${SUITE}
+
+RUN dnf install -y rpm-build
+COPY --link SPECS /root/rpmbuild/SPECS
+RUN dnf builddep -y /root/rpmbuild/SPECS/*.spec
+COPY --link --from=golang /usr/local/go /usr/local/go
+WORKDIR /root/rpmbuild
+ENTRYPOINT ["/bin/rpmbuild"]

scripts/checkout.sh

@@ -0,0 +1,39 @@
+#!/usr/bin/env sh
+
+#   Copyright 2018-2020 Docker Inc.
+
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+
+#       http://www.apache.org/licenses/LICENSE-2.0
+
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+
+checkout() (
+	set -ex
+	SRC="$1"
+	REF="$2"
+	REF_FETCH="$REF"
+	# if ref is branch or tag, retrieve its canonical form
+	REF=$(git -C "$SRC" ls-remote --refs --heads --tags origin "$REF" | awk '{print $2}')
+	if [ -n "$REF" ]; then
+		# if branch or tag then create it locally too
+		REF_FETCH="$REF:$REF"
+	else
+		REF="FETCH_HEAD"
+	fi
+	git -C "$SRC" fetch --update-head-ok --depth 1 origin "$REF_FETCH"
+	git -C "$SRC" checkout -q "$REF"
+)
+
+
+# Only execute checkout function above if this file is executed, not sourced from another script
+prog=checkout.sh # needs to be in sync with this file's name
+if [ "$(basename -- $0)" = "$prog" ]; then
+	checkout $*
+fi

static/Makefile

@@ -1,14 +1,30 @@
-SHELL:=/bin/bash
-ENGINE_DIR:=$(CURDIR)/../../engine
-CLI_DIR:=$(CURDIR)/../../cli
-VERSION?=0.0.0-dev
-STATIC_VERSION=$(shell ./gen-static-ver $(ENGINE_DIR) $(VERSION))
-CHOWN=docker run --rm -v $(CURDIR):/v -w /v alpine chown
+include ../common.mk
+
+CLI_DIR=$(realpath $(CURDIR)/../src/github.com/docker/cli)
+ENGINE_DIR=$(realpath $(CURDIR)/../src/github.com/docker/docker)
+BUILDX_DIR=$(realpath $(CURDIR)/../src/github.com/docker/buildx)
+
+ENGINE_GITCOMMIT?=$(shell cd $(realpath $(CURDIR)/../src/github.com/docker/docker) && git rev-parse --short HEAD)
+
+GEN_STATIC_VER=$(shell ./gen-static-ver $(CLI_DIR) $(VERSION))
 HASH_CMD=docker run -v $(CURDIR):/sum -w /sum debian:jessie bash hash_files
 DIR_TO_HASH:=build/linux
-DEFAULT_PRODUCT_LICENSE?=Community Engine
+DOCKER_CLI_GOLANG_IMG=golang:$(GO_VERSION)
 
-DOCKER_CLI_GOLANG_IMG=$(shell awk '$$1=="FROM"{split($$2,a,"-");print a[1];exit}' $(CLI_DIR)/dockerfiles/Dockerfile.dev)
+DOCKER_BUILD_OPTS=
+
+ifneq ($(strip $(CONTAINERD_VERSION)),)
+# Set custom build-args to override the containerd version to build for static
+# packages.
+DOCKER_BUILD_OPTS +=--build-arg=CONTAINERD_VERSION=$(CONTAINERD_VERSION)
+endif
+
+ifneq ($(strip $(RUNC_VERSION)),)
+# Set custom build-args to override the runc version to build for static packages.
+DOCKER_BUILD_OPTS +=--build-arg=RUNC_VERSION=$(RUNC_VERSION)
+endif
+
+ENGINE_BUILD_OPTS=--build-arg VERSION=$(GEN_STATIC_VER) --build-arg DOCKER_GITCOMMIT=$(ENGINE_GITCOMMIT) --build-arg DEFAULT_PRODUCT_LICENSE --build-arg PACKAGER_NAME --build-arg PLATFORM $(DOCKER_BUILD_OPTS)
 
 .PHONY: help
 help: ## show make targets
@@ -18,88 +34,82 @@ help: ## show make targets
 clean: ## remove build artifacts
 	[ ! -d build ] || $(CHOWN) -R $(shell id -u):$(shell id -g) build
 	$(RM) -r build
+	-docker builder prune -f --filter until=24h
 
 .PHONY: static
 static: static-linux cross-mac cross-win cross-arm ## create all static packages
 
 .PHONY: static-linux
-static-linux: static-cli static-engine ## create tgz with linux x86_64 client and server
+static-linux: static-cli static-engine static-buildx-plugin ## create tgz
 	mkdir -p build/linux/docker
 	cp $(CLI_DIR)/build/docker build/linux/docker/
-	for f in dockerd containerd ctr containerd-shim docker-init docker-proxy runc; do \
-		cp -L $(ENGINE_DIR)/bundles/binary-daemon/$$f build/linux/docker/$$f; \
+	for f in dockerd containerd ctr containerd-shim containerd-shim-runc-v2 docker-init docker-proxy runc; do \
+		cp -L $(ENGINE_DIR)/bundles/binary/$$f build/linux/docker/$$f; \
 	done
-	tar -C build/linux -c -z -f build/linux/docker-$(STATIC_VERSION).tgz docker
+	tar -C build/linux -c -z -f build/linux/docker-$(GEN_STATIC_VER).tgz docker
 
 	# extra binaries for running rootless
 	mkdir -p build/linux/docker-rootless-extras
-	for f in rootlesskit rootlesskit-docker-proxy dockerd-rootless.sh vpnkit; do \
-		if [ -f $(ENGINE_DIR)/bundles/binary-daemon/$$f ]; then \
-			cp -L $(ENGINE_DIR)/bundles/binary-daemon/$$f build/linux/docker-rootless-extras/$$f; \
+	for f in rootlesskit dockerd-rootless.sh dockerd-rootless-setuptool.sh vpnkit; do \
+		if [ -f $(ENGINE_DIR)/bundles/binary/$$f ]; then \
+			cp -L $(ENGINE_DIR)/bundles/binary/$$f build/linux/docker-rootless-extras/$$f; \
 		fi \
 	done
-	tar -C build/linux -c -z -f build/linux/docker-rootless-extras-$(STATIC_VERSION).tgz docker-rootless-extras
+	tar -C build/linux -c -z -f build/linux/docker-rootless-extras-$(GEN_STATIC_VER).tgz docker-rootless-extras
+
+	# buildx
+	tar -C $(BUILDX_DIR)/bin -c -z -f build/linux/docker-buildx-plugin-$(DOCKER_BUILDX_REF:v%=%).tgz docker-buildx
 
 .PHONY: hash_files
 hash_files:
 	@echo "Hashing directory $(DIR_TO_HASH)"
 	$(HASH_CMD) "$(DIR_TO_HASH)"
 
+.PHONY: buildx
+buildx:
+	docker buildx inspect | grep -q 'Driver: docker-container' || docker buildx create --use
+
 .PHONY: cross-mac
-cross-mac: cross-all-cli cross-mac-plugins ## create tgz with darwin x86_64 client only
-	mkdir -p build/mac/docker
-	cp $(CLI_DIR)/build/docker-darwin-amd64 build/mac/docker/docker
-	tar -C build/mac -c -z -f build/mac/docker-$(STATIC_VERSION).tgz docker
+cross-mac: buildx
+	cd $(CLI_DIR) && VERSION=$(GEN_STATIC_VER) docker buildx bake --set binary.platform=darwin/amd64,darwin/arm64 binary
+	dest=$$PWD/build/mac; cd $(CLI_DIR)/build && for platform in *; do \
+		arch=$$(echo $$platform | cut -d_ -f2); \
+		mkdir -p $$dest/$$arch/docker; \
+		cp $$platform/docker-darwin-* $$dest/$$arch/docker/docker && \
+		tar -C $$dest/$$arch -c -z -f $$dest/$$arch/docker-$(GEN_STATIC_VER).tgz docker; \
+	done
 
 .PHONY: cross-win
-cross-win: cross-all-cli cross-win-engine cross-win-plugins ## create zip file with windows x86_64 client and server
-	mkdir -p build/win/docker
-	cp $(CLI_DIR)/build/docker-windows-amd64 build/win/docker/docker.exe
-	cp $(ENGINE_DIR)/bundles/cross/windows/amd64/dockerd-$(STATIC_VERSION).exe build/win/docker/dockerd.exe
-	docker run --rm -v $(CURDIR)/build/win:/v -w /v alpine sh -c 'apk update&&apk add zip&&zip -r docker-$(STATIC_VERSION).zip docker'
+cross-win: cross-win-engine
+	cd $(CLI_DIR) && VERSION=$(GEN_STATIC_VER) docker buildx bake --set binary.platform=windows/amd64 binary
+	mkdir -p build/win/amd64/docker
+	cp $(CLI_DIR)/build/docker-windows-amd64.exe build/win/amd64/docker/docker.exe
+	cp $(ENGINE_DIR)/bundles/cross/win/dockerd.exe build/win/amd64/docker/dockerd.exe
+	docker run --rm -v $(CURDIR)/build/win/amd64:/v -w /v alpine sh -c 'apk update&&apk add zip&&zip -r docker-$(GEN_STATIC_VER).zip docker'
 	$(CHOWN) -R $(shell id -u):$(shell id -g) build
 
 .PHONY: cross-arm
 cross-arm: cross-all-cli ## create tgz with linux armhf client only
 	mkdir -p build/arm/docker
 	cp $(CLI_DIR)/build/docker-linux-arm build/arm/docker/docker
-	tar -C build/arm -c -z -f build/arm/docker-$(STATIC_VERSION).tgz docker
+	tar -C build/arm -c -z -f build/arm/docker-$(GEN_STATIC_VER).tgz docker
 
 .PHONY: static-cli
 static-cli:
-	$(MAKE) -C $(CLI_DIR) -f docker.Makefile VERSION=$(STATIC_VERSION) build
+	cd $(CLI_DIR) && VERSION=$(GEN_STATIC_VER) docker buildx bake --set binary.platform=$(TARGETPLATFORM) --set binary.args.CGO_ENABLED=$(CGO_ENABLED) binary
 
 .PHONY: static-engine
 static-engine:
-	$(MAKE) -C $(ENGINE_DIR) VERSION=$(STATIC_VERSION) binary
+	cd $(ENGINE_DIR) && docker buildx build --target all $(ENGINE_BUILD_OPTS) --output "./bundles/binary" .
+
+.PHONY: static-buildx-plugin
+static-buildx-plugin:
+	cd $(BUILDX_DIR) && docker buildx bake --set binaries.platform=$(TARGETPLATFORM) binaries && mv ./bin/build/buildx ./bin/docker-buildx
 
 .PHONY: cross-all-cli
 cross-all-cli:
-	$(MAKE) -C $(CLI_DIR) -f docker.Makefile VERSION=$(STATIC_VERSION) cross
+	$(MAKE) -C $(CLI_DIR) -f docker.Makefile VERSION=$(GEN_STATIC_VER) cross
 
 .PHONY: cross-win-engine
 cross-win-engine:
-	$(MAKE) -C $(ENGINE_DIR) VERSION=$(STATIC_VERSION) DOCKER_CROSSPLATFORMS=windows/amd64 cross
-
-BUILD_PLUGIN_RUN_VARS = --rm -i \
-	-e GOOS=$(SPOOF_GOOS) \
-	-v "$(CURDIR)/build/$(CLI_BUILD_DIR)/docker/cli-plugins":/out \
-	-v "$(CURDIR)/../plugins":/plugins:ro \
-	-v "$(CURDIR)/scripts/build-cli-plugins":/build:ro
-
-.PHONY: cross-mac-plugins
-cross-mac-plugins: SPOOF_GOOS := darwin
-cross-mac-plugins: CLI_BUILD_DIR := mac
-cross-mac-plugins:
-	mkdir -p build/$(CLI_BUILD_DIR)/docker
-	docker run $(BUILD_PLUGIN_RUN_VARS) $(DOCKER_CLI_GOLANG_IMG) /build
-	$(CHOWN) -R $(shell id -u):$(shell id -g) build
-
-.PHONY: cross-win-plugins
-cross-win-plugins: SPOOF_GOOS := windows
-cross-win-plugins: CLI_BUILD_DIR := win
-cross-win-plugins:
-	mkdir -p build/$(CLI_BUILD_DIR)/docker/cli-plugins
-	docker run $(BUILD_PLUGIN_RUN_VARS) $(DOCKER_CLI_GOLANG_IMG) /build
-	$(CHOWN) -R $(shell id -u):$(shell id -g) build
-	find build/$(CLI_BUILD_DIR)/docker -type f -not -name "*.exe" -exec mv {} {}.exe \;
+	cd $(ENGINE_DIR) && docker buildx build --target binary $(ENGINE_BUILD_OPTS) --platform windows/amd64 --output "./bundles/cross/win" .

static/gen-static-ver

@@ -1,35 +1,46 @@
 #!/usr/bin/env bash
 
-ENGINE_DIR=$1
-VERSION=$2
+REPO_DIR="$1"
+VERSION="$2"
 
-if [ -z "$ENGINE_DIR" ] || [ -z "$VERSION" ]; then
-    echo 'usage: ./gen-static-ver ${ENGINE_DIR} ${VERSION}'
-    exit 1
+if [ -z "$REPO_DIR" ] || [ -z "$VERSION" ]; then
+	# shellcheck disable=SC2016
+	echo 'usage: ./gen-static-ver ${REPO_DIR} ${VERSION}'
+	exit 1
 fi
 
-DATE_COMMAND="date"
-if [[ $(uname) -eq "Darwin" ]]; then
-    DATE_COMMAND="docker run --rm alpine date"
-fi
-GIT_COMMAND="git -C $ENGINE_DIR"
+GIT_COMMAND="git -C $REPO_DIR"
 
-staticVersion="$VERSION"
-if [[ "$VERSION" == *-dev ]]; then
-    # based on golang's pseudo-version: https://groups.google.com/forum/#!topic/golang-dev/a5PqQuBljF4
-    #
-    # using a "pseudo-version" of the form v0.0.0-yyyymmddhhmmss-abcdefabcdef,
-    # where the time is the commit time in UTC and the final suffix is the prefix
-    # of the commit hash. The time portion ensures that two pseudo-versions can
-    # be compared to determine which happened later, the commit hash identifes
-    # the underlying commit, and the v0.0.0- prefix identifies the pseudo-version
-    # as a pre-release before version v0.0.0, so that the go command prefers any
-    # tagged release over any pseudo-version.
-    gitUnix="$($GIT_COMMAND log -1 --pretty='%ct')"
-    gitDate="$($DATE_COMMAND --utc --date "@$gitUnix" +'%Y%m%d%H%M%S')"
-    gitCommit="$($GIT_COMMAND log -1 --pretty='%h')"
-    # staticVersion is now something like '0.0.0-20180719213702-cd5e2db'
-    staticVersion="0.0.0-${gitDate}-${gitCommit}"
+staticVersion="${VERSION#v}"
+
+# if we have a "-dev" suffix or have change in Git, this is a nightly build, and
+# we'll create a pseudo version based on commit-date and -sha.
+if [[ "$VERSION" == *-dev ]] || [ -n "$($GIT_COMMAND status --porcelain)" ]; then
+	export TZ=UTC
+
+	# based on golang's pseudo-version: https://groups.google.com/forum/#!topic/golang-dev/a5PqQuBljF4
+	#
+	# using a "pseudo-version" of the form v0.0.0-yyyymmddhhmmss-abcdefabcdef,
+	# where the time is the commit time in UTC and the final suffix is the prefix
+	# of the commit hash. The time portion ensures that two pseudo-versions can
+	# be compared to determine which happened later, the commit hash identifes
+	# the underlying commit, and the v0.0.0- prefix identifies the pseudo-version
+	# as a pre-release before version v0.0.0, so that the go command prefers any
+	# tagged release over any pseudo-version.
+	gitUnix="$($GIT_COMMAND log -1 --pretty='%ct')"
+
+	if [ "$(uname)" = "Darwin" ]; then
+		# Using BSD date (macOS), which doesn't support the --date option
+		# date -jf "<input format>" "<input value>" +"<output format>" (https://unix.stackexchange.com/a/86510)
+		gitDate="$(TZ=UTC date -u -jf "%s" "$gitUnix" +'%Y%m%d%H%M%S')"
+	else
+		# Using GNU date (Linux)
+		gitDate="$(TZ=UTC date -u --date "@$gitUnix" +'%Y%m%d%H%M%S')"
+	fi
+
+	gitCommit="$($GIT_COMMAND log -1 --pretty='%h')"
+	# generated version is now something like '0.0.0-20180719213702-cd5e2db'
+	staticVersion="0.0.0-${gitDate}-${gitCommit}" # (using hyphens)
 fi
 
 echo "$staticVersion"

static/hash_files

@@ -5,7 +5,7 @@
 DIR_TO_LOOK_IN=${1:-build/linux}
 
 for f in $(find "$DIR_TO_LOOK_IN" -type f); do
-    for hash_algo in md5 sha256; do
-        "${hash_algo}sum" "$f" > "$f.$hash_algo"
-    done
+	for hash_algo in md5 sha256; do
+		"${hash_algo}sum" "$f" >"$f.$hash_algo"
+	done
 done

static/scripts/build-cli-plugins

@@ -1,12 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-
-shopt -s globstar
-
-# /plugins should be volume mounted from root plugins dir
-# /out should also be volume mounted from static/out/
-for installer in /plugins/*.installer; do
-    bash "${installer}" build
-    DESTDIR='/out' PREFIX="/" bash "${installer}" install_plugin
-done

systemd/docker.service

@@ -1,47 +0,0 @@
-[Unit]
-Description=Docker Application Container Engine
-Documentation=https://docs.docker.com
-BindsTo=containerd.service
-After=network-online.target firewalld.service containerd.service
-Wants=network-online.target
-Requires=docker.socket
-
-[Service]
-Type=notify
-# the default is not to use systemd for cgroups because the delegate issues still
-# exists and systemd currently does not support the cgroup feature set required
-# for containers run by docker
-ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
-ExecReload=/bin/kill -s HUP $MAINPID
-TimeoutSec=0
-RestartSec=2
-Restart=always
-
-# Note that StartLimit* options were moved from "Service" to "Unit" in systemd 229.
-# Both the old, and new location are accepted by systemd 229 and up, so using the old location
-# to make them work for either version of systemd.
-StartLimitBurst=3
-
-# Note that StartLimitInterval was renamed to StartLimitIntervalSec in systemd 230.
-# Both the old, and new name are accepted by systemd 230 and up, so using the old name to make
-# this option work for either version of systemd.
-StartLimitInterval=60s
-
-# Having non-zero Limit*s causes performance problems due to accounting overhead
-# in the kernel. We recommend using cgroups to do container-local accounting.
-LimitNOFILE=infinity
-LimitNPROC=infinity
-LimitCORE=infinity
-
-# Comment TasksMax if your systemd version does not support it.
-# Only systemd 226 and above support this option.
-TasksMax=infinity
-
-# set delegate yes so that systemd does not reset the cgroups of docker containers
-Delegate=yes
-
-# kill only the docker process, not all processes in the cgroup
-KillMode=process
-
-[Install]
-WantedBy=multi-user.target

systemd/docker.socket

@@ -1,12 +0,0 @@
-[Unit]
-Description=Docker Socket for the API
-PartOf=docker.service
-
-[Socket]
-ListenStream=/var/run/docker.sock
-SocketMode=0660
-SocketUser=root
-SocketGroup=docker
-
-[Install]
-WantedBy=sockets.target

verify

@@ -0,0 +1,149 @@
+#!/usr/bin/env bash
+
+###
+# Script Name:  verify
+#
+# Description: This runs a smoke test to verify that the packages can be installed corrected
+###
+
+# build/${DIST_ID}/${DIST_VERSION}/${ARCH} - location of all packages
+# Manually Testing: docker run --rm -it -v $(pwd):/v -w /v "centos:7" ./verify
+
+set -e
+
+source install-containerd-helpers
+
+function verify() {
+	if dpkg --version >/dev/null 2>/dev/null; then
+		verify_deb
+	elif rpm --version >/dev/null 2>/dev/null; then
+		verify_rpm
+	else
+		echo "[ERROR] Unable to determine base os:"
+		cat /etc/os-release
+		exit 1
+	fi
+}
+
+function verify_binaries() {
+	docker --version
+	docker buildx version
+	docker compose version
+	docker model version
+	dockerd --version
+	docker-proxy --version
+	containerd --version
+	ctr --version
+	containerd-shim -v
+	containerd-shim-runc-v1 -v
+	containerd-shim-runc-v2 -v
+	runc --version
+}
+
+function verify_deb() {
+	# First install prerequisites for our script and dpkg and apt to run correctly.
+	# This list SHOULD NOT include dependencies of docker itself, otherwise we would
+	# not be able to verify that our packages specify all the required dependencies.
+	apt-get update
+	apt-get -y install --no-install-recommends \
+		apt-transport-https \
+		ca-certificates \
+		curl \
+		gnupg2 \
+		lsb-release
+
+	DIST_ID=$(source /etc/os-release; echo "$ID")
+	DIST_VERSION=$(lsb_release -sc)
+	if [ "${DIST_VERSION}" = "sid" ]; then
+		echo 'Debian sid ("unstable") cannot be used for packaging: replace with the actual codename'
+		exit 1
+	fi
+
+	install_debian_containerd
+
+	packages=$(find "deb/debbuild/${DIST_ID}-${DIST_VERSION}/" -type f -name "*.deb")
+	# All local packages need to be prefixed with `./` or else apt-get doesn't understand where to pull from
+	packages=$(echo "${packages}" | awk '$0="./"$0' | xargs)
+
+	(
+		set -x
+		# Install the locally built packages using 'dpkg' because installing with
+		# 'apt-get' would attempt to install dependency packages (such as the CLI)
+		# from download.docker.com instead of the locally built CLI package. Given
+		# that 'dpkg -i' does not install any dependency (but will fail if depen-
+		# dencies are missing), we use the '--ignore-depends' option to ignore
+		# packages we know to be missing at this stage, and '--force-depends' to
+		# only warn about any other missing dependency.
+		#
+		# shellcheck disable=SC2086
+		dpkg \
+			--ignore-depends=containerd.io,iptables,libdevmapper,libdevmapper1.02.1 \
+			--force-depends \
+			-i ${packages}
+
+		# After installing the local packages, we run 'apt-get install' with the
+		# '--fix-broken' option to trigger installation of the dependencies, which
+		# should succeed successfully. This step is to verify that not only the
+		# packages can be installed, but also that all dependencies (including
+		# containerd.io) can be resolved correctly for the distro that we built for,
+		# before going through the whole pipeline and publishing the packages.
+		#
+		# The '--no-upgrade' option is set to prevent apt from attempting to install
+		# packages from download(-stage).docker.com that we already installed using
+		# the local packages above. Without this, installing (e.g.) ./docker-ce-cli
+		# would result in apt installing "docker-ce" from the package repository and
+		# produce a "the following packages will be DOWNGRADED" error.
+		#
+		# shellcheck disable=SC2086
+		apt-get -y install --no-install-recommends --no-upgrade --fix-broken ${packages}
+	)
+
+	verify_binaries
+}
+
+function verify_rpm() {
+	DIST_ID=$(. /etc/os-release; echo "${ID}")
+	DIST_VERSION=$(. /etc/os-release; echo "${VERSION_ID}" | cut -d'.' -f1)
+
+	pkg_manager="yum"
+	pkg_config_manager="yum-config-manager"
+	if dnf --version; then
+		pkg_manager="dnf"
+		pkg_config_manager="dnf config-manager"
+		dnf clean all
+		${pkg_manager} install -y 'dnf-command(config-manager)'
+	fi
+
+	case ${DIST_ID}:${DIST_VERSION} in
+	ol:7*)
+		# Needed for container-selinux
+		${pkg_config_manager} --enable ol7_addons
+		;;
+	fedora*)
+		dnf install -y findutils
+		;;
+	esac
+
+	install_rpm_containerd
+
+	# find all rpm packages, exclude src package
+	echo "[DEBUG] Installing engine rpms"
+	packages=$(find "rpm/rpmbuild/${DIST_ID}-${DIST_VERSION}/RPMS/" -type f -name "*.rpm" | sed '/src/d')
+
+	# install all non-source packages
+	(
+		set -x
+		product_version=$(source /etc/os-release; echo "${REDHAT_SUPPORT_PRODUCT_VERSION:-}")
+		if [ "$product_version" = 'rawhide' ]; then
+				# force $releasever to account for Fedora pre-release images, as they
+				# may still be using "rawhide", which is not present on our package
+				# repositories on download.docker.com.
+				export DNF_VAR_releasever="$DIST_VERSION"
+		fi
+		${pkg_manager} install -y ${packages}
+	)
+
+	verify_binaries
+}
+
+verify