Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package docker for openSUSE:Factory checked in at 2025-09-01 17:16:51 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/docker (Old) and /work/SRC/openSUSE:Factory/.docker.new.1977 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "docker" Mon Sep 1 17:16:51 2025 rev:174 rq:1302148 version:unknown Changes: -------- --- /work/SRC/openSUSE:Factory/docker/docker.changes 2025-08-06 18:41:24.184938009 +0200 +++ /work/SRC/openSUSE:Factory/.docker.new.1977/docker.changes 2025-09-01 17:17:01.271970881 +0200 
@@ -1,0 +2,31 @@ +Mon Sep 1 05:48:29 UTC 2025 - Aleksa Sarai <[email protected]> + +- Update warnings and errors related to "docker buildx ..." so that they + reference our openSUSE docker-buildx packages. + + cli-0001-openSUSE-point-users-to-docker-buildx-package.patch +- Enable building docker-buildx for SLE systems with SUSEConnect secret + injection enabled (i.e., SLE15 and earlier). PED-12534 PED-8905 bsc#1247594 + + As docker-buildx does not support our SUSEConnect secret injection (and some + users depend "docker build" working transparently), patch the docker CLI so + that "docker build" will no longer automatically call "docker buildx build", + effectively making DOCKER_BUILDKIT=0 the default configuration. Users can + manually use "docker buildx ..." commands or set DOCKER_BUILDKIT=1 in order + to opt-in to using docker-buildx. + + Users can silence the "docker build" warning by setting DOCKER_BUILDKIT=0 + explicitly. + + In order to inject SCC credentials with docker-buildx, users should use + + RUN --mount=type=secret,id=SCCcredentials zypper -n ... + + in their Dockerfiles, and + + docker buildx build --secret id=SCCcredentials,src=/etc/zypp/credentials.d/SCCcredentials,type=file . + + when doing their builds. + + + cli-0002-SECRETS-SUSE-default-to-DOCKER_BUILDKIT-0-for-docker.patch + +------------------------------------------------------------------- New: ---- cli-0001-openSUSE-point-users-to-docker-buildx-package.patch cli-0002-SECRETS-SUSE-default-to-DOCKER_BUILDKIT-0-for-docker.patch ----------(New B)---------- New: reference our openSUSE docker-buildx packages. 
+ cli-0001-openSUSE-point-users-to-docker-buildx-package.patch - Enable building docker-buildx for SLE systems with SUSEConnect secret New: + cli-0002-SECRETS-SUSE-default-to-DOCKER_BUILDKIT-0-for-docker.patch ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ docker.spec ++++++ --- /var/tmp/diff_new_pack.5nzQcJ/_old 2025-09-01 17:17:02.020002552 +0200 +++ /var/tmp/diff_new_pack.5nzQcJ/_new 2025-09-01 17:17:02.024002722 +0200 @@ -26,12 +26,14 @@ %if 0%{?is_opensuse} == 0 && 0%{?suse_version} < 1600 # SUSEConnect support ("SUSE secrets") only makes sense for SLES hosts. %bcond_without suseconnect -# There is currently a known bug between buildx and SUSE secrets, so we don't -# package docker-buildx for SLES<16. bsc#1233819 -%bcond_with buildx %else %bcond_with suseconnect +%endif +# BuildKit (docker-buildx) is only provided for SLE >= 15 and openSUSE. +%if 0%{?is_opensuse} || 0%{?suse_version} >= 1500 %bcond_without buildx +%else +%bcond_with buildx %endif # The flavour is defined with a macro to try to keep docker and docker-stable @@ -99,6 +101,8 @@ Patch100: 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch Patch101: 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch Patch102: 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch +Patch901: cli-0001-openSUSE-point-users-to-docker-buildx-package.patch +Patch902: cli-0002-SECRETS-SUSE-default-to-DOCKER_BUILDKIT-0-for-docker.patch # UPSTREAM: Revert of upstream patch to keep SLE-12 build working. Patch200: 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch # UPSTREAM: Backport of <https://github.com/moby/moby/pull/41954>. 
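Review bot: The rewritten bcond block in the `@@ -26,12 +26,14 @@` hunk drops the comment that explained why buildx and SUSE secrets were kept apart (bsc#1233819), and nothing replaces it to say why the combination is now acceptable. With the new conditions a SLE 15 build enables both `suseconnect` and `buildx`, and the only thing keeping `docker build` from bypassing secret injection is Patch902, applied later in `%prep`. A comment next to the new `%if` would record that dependency, for example `# With suseconnect enabled, buildx relies on Patch902 keeping "docker build" on the legacy builder (bsc#1247594).` The `Patch901`/`Patch902` lines in the `@@ -99,6 +101,8 @@` hunk could likewise get a one-line description, as Patch200 below them has.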
@@ -330,6 +334,13 @@ %define cli_builddir %{_builddir}/docker-cli-%{docker_version} %setup -q -T -b 1 -n docker-cli-%{docker_version} [ "%{cli_builddir}" = "$PWD" ] +%if %{with buildx} +%patch -P901 -p1 +%if %{with suseconnect} +# PATCH-SUSE: Secrets patch for docker-build. +%patch -P902 -p1 +%endif +%endif %if %{with buildx} # docker-buildx ++++++ cli-0001-openSUSE-point-users-to-docker-buildx-package.patch ++++++ >From bc7d40e1e670f81b252a8c8d62a4aecc936ff339 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai <[email protected]> Date: Mon, 1 Sep 2025 16:05:24 +1000 Subject: [PATCH 1/2] openSUSE: point users to docker-buildx package The reference to a "buildx component" is a little confusing in the context of (open)SUSE packaging and might confuse users, as they just need to install the "docker-buildx" package. Signed-off-by: Aleksa Sarai <[email protected]> --- cmd/docker/builder.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cmd/docker/builder.go b/cmd/docker/builder.go index cccae304fe5e..cc597f0fd5a7 100644 --- a/cmd/docker/builder.go +++ b/cmd/docker/builder.go @@ -19,7 +19,7 @@ const ( builderDefaultPlugin = "buildx" buildxMissingWarning = `DEPRECATED: The legacy builder is deprecated and will be removed in a future release. - Install the buildx component to build images with BuildKit: + Install the docker-buildx package to build images with BuildKit: https://docs.docker.com/go/buildx/` buildkitDisabledWarning = `DEPRECATED: The legacy builder is deprecated and will be removed in a future release. 
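Review bot: Patch902 is applied only inside `%if %{with buildx}` in the `@@ -330,6 +334,13 @@` hunk, so a `suseconnect` build without the buildx bcond (suse_version below 1500, per the conditions earlier in this spec) keeps the upstream default for `docker build`. On such a host a buildx plugin that the user installed by hand would presumably still be picked up automatically, and builds would then run without the injected SUSEConnect secrets, which is the breakage the patch is meant to prevent. If that case matters, the outer guard could be widened to `%if %{with buildx} || %{with suseconnect}` with the inner suseconnect check left as is. Both patches have to apply together because 902 is generated on top of 901 (its index line starts from `cc597f0fd5a7`). The second `%if %{with buildx}` after the added `%endif` opens a block that continues outside this hunk.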
@@ -27,11 +27,11 @@ environment-variable.` buildxMissingError = `ERROR: BuildKit is enabled but the buildx component is missing or broken. - Install the buildx component to build images with BuildKit: + Install the docker-buildx package to build images with BuildKit: https://docs.docker.com/go/buildx/` bakeMissingError = `ERROR: docker bake requires the buildx component but it is missing or broken. - Install the buildx component to use bake: + Install the docker-buildx package to use bake: https://docs.docker.com/go/buildx/` ) -- 2.51.0 ++++++ cli-0002-SECRETS-SUSE-default-to-DOCKER_BUILDKIT-0-for-docker.patch ++++++ >From 7b786d5a84add65f1da629c2184dc0d5d2c812ff Mon Sep 17 00:00:00 2001 From: Aleksa Sarai <[email protected]> Date: Fri, 15 Aug 2025 19:55:53 +1000 Subject: [PATCH 2/2] SECRETS: SUSE: default to DOCKER_BUILDKIT=0 for "docker build" For systems with SUSEConnect auto-injection enabled, docker-buildx does not include our injected secrets. For SLE15 and earlier, enabling "docker build" to auto-switch to "docker buildx build" would thus break existing users of the feature. So, make DOCKER_BUILDKIT=0 the default. Users can still opt-in to using BuildKit with DOCKER_BUILDKIT=1 or using subcommands like "docker bake" or "docker buildx $foo", but existing users won't be broken by the change. Users that do switch BuildKit can inject SCC credentials in a far more deliberate (and thus more secure) manner by using RUN --mount=type=secret,id=SCCcredentials zypper -n ... in their Dockerfiles, and then using docker buildx build --secret id=SCCcredentials,src=/etc/zypp/credentials.d/SCCcredentials,type=file . for their builds. SUSE-Bug: https://jira.suse.com/browse/PED-12534 SUSE-Bug: https://jira.suse.com/browse/PED-8905 SUSE-Bug: https://bugzilla.suse.com/show_bug.cgi?id=1247594 Signed-off-by: Aleksa Sarai <[email protected]> --- cmd/docker/builder.go | 28 +++++++++++++++++++++++----- 1 file changed, 23 insertions(+), 5 deletions(-) 
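Review bot: In `buildxMissingError` and `bakeMissingError` (the `@@ -27,11 +27,11 @@` hunk of the first patch) only the second line of each message was reworded, so the text now uses two names for the same thing. The first lines still say `the buildx component is missing or broken` and `requires the buildx component`, while the next line tells the user to install the docker-buildx package. Suggest `ERROR: BuildKit is enabled but the docker-buildx package is missing or broken.` and `ERROR: docker bake requires the docker-buildx package but it is missing or broken.` The unchanged `https://docs.docker.com/go/buildx/` link presumably describes the upstream installation route rather than the distribution package, so it may deserve a check as well. The `const (` block begins before this hunk.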
diff --git a/cmd/docker/builder.go b/cmd/docker/builder.go index cc597f0fd5a7..65c798e057ee 100644 --- a/cmd/docker/builder.go +++ b/cmd/docker/builder.go @@ -22,9 +22,19 @@ Install the docker-buildx package to build images with BuildKit: https://docs.docker.com/go/buildx/` - buildkitDisabledWarning = `DEPRECATED: The legacy builder is deprecated and will be removed in a future release. - BuildKit is currently disabled; enable it by removing the DOCKER_BUILDKIT=0 - environment-variable.` + buildkitDisabledWarning = `INFORMATION: This version of Docker has been patched by SUSE. + These patches allow for automatic access to the host SUSE subscription + inside containers, allowing for customers to create derived images with + "docker build" using SUSE packages. However, this feature is + incompatible with BuildKit and so "docker build" will use the legacy + builder by default. In order to disable this message and continue using + the legacy builder, set the DOCKER_BUILDKIT=0 environment-variable. + + In order to opt-in to using BuildKit, set the DOCKER_BUILDKIT=1 + environment-variable. See the SLE16 documentation for information on + how to switch to BuildKit while still maintaining access to SCC + credentials. In order to use BuildKit, you must have the docker-buildx + package installed.` buildxMissingError = `ERROR: BuildKit is enabled but the buildx component is missing or broken. Install the docker-buildx package to build images with BuildKit: @@ -47,7 +57,7 @@ func newBuilderError(errorMsg string, pluginLoadErr error) error { //nolint:gocyclo func processBuilder(dockerCli command.Cli, cmd *cobra.Command, args, osargs []string) ([]string, []string, []string, error) { - var buildKitDisabled, useBuilder, useAlias bool + var buildKitDisabled, showDisabledWarning, useBuilder, useAlias bool var envs []string // check DOCKER_BUILDKIT env var is not empty 
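Review bot: The new `buildkitDisabledWarning` text in the `@@ -22,9 +22,19 @@` hunk tells users to set DOCKER_BUILDKIT=1 to opt in, but it does not say that doing so ends the automatic injection of SCC credentials. It only points to "the SLE16 documentation", without a link. The commit message already carries the exact replacement procedure (the `RUN --mount=type=secret,id=SCCcredentials` line for the Dockerfile and the `docker buildx build --secret id=SCCcredentials,...` invocation), and this message is what a user reads at the moment of deciding. Consider adding a sentence such as `With DOCKER_BUILDKIT=1 the SCC credentials are no longer injected automatically and must be passed with "--secret".` The `const (` block that holds this string starts outside the hunk.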
@@ -62,6 +72,14 @@ func processBuilder(dockerCli command.Cli, cmd *cobra.Command, args, osargs []st } else { useBuilder = true } + } else { + // SUSE: Disable automatic usage of docker-buildx if unspecified (for + // pre-SLE16) to maintain support for SUSEConnect auto-injection. If a + // user specifies DOCKER_BUILDKIT=1 manually, that's up to them. + buildKitDisabled = true + // Only show the disabled "warning" when the user hasn't explicitly + // opted into DOCKER_BUILDKIT=0. + showDisabledWarning = true } // docker bake always requires buildkit; ignore "DOCKER_BUILDKIT=0". if buildKitDisabled && len(args) > 0 && args[0] == "bake" { @@ -101,7 +119,7 @@ func processBuilder(dockerCli command.Cli, cmd *cobra.Command, args, osargs []st // is deprecated. For Windows / WCOW, BuildKit is still experimental, // so we don't print this warning, even if the daemon advertised that // it supports BuildKit. - if dockerCli.ServerInfo().OSType != "windows" { + if showDisabledWarning && dockerCli.ServerInfo().OSType != "windows" { _, _ = fmt.Fprintf(dockerCli.Err(), "%s\n\n", buildkitDisabledWarning) } return args, osargs, nil, nil -- 2.51.0
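Review bot: The `else` branch added in the `@@ -62,6 +72,14 @@` hunk changes the default for every `docker build` run with DOCKER_BUILDKIT unset or empty, yet the patch touches only cmd/docker/builder.go and adds no test for it. Two tests would pin the behaviours this patch introduces: one that calls `processBuilder` with the variable unset and checks that the build is not forwarded, and one with DOCKER_BUILDKIT=0 that checks nothing is written to `dockerCli.Err()`. It is also worth confirming how this interacts with a builder alias from the CLI config, if the function honours one later on (that code is outside this hunk). `buildKitDisabled = true` is set here before anything else runs, so a user who had opted in through such an alias may be moved back to the legacy builder. processBuilder starts before and continues after the hunk.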
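Review bot: The comment whose tail is visible above the changed condition in the `@@ -101,7 +119,7 @@` hunk ("... is deprecated. For Windows / WCOW, BuildKit is still experimental, so we don't print this warning") still describes the upstream behaviour. With `showDisabledWarning &&` nothing is printed for an explicit DOCKER_BUILDKIT=0, and the text printed otherwise is the SUSE notice rather than a deprecation warning. Suggest adding a line such as `// SUSE: only print the notice when the legacy builder was selected by default, not by an explicit DOCKER_BUILDKIT=0.` The enclosing `if` block and the start of the comment are outside the hunk.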
