move docker stuff here

base/containerd/config.toml

@@ -0,0 +1,15 @@
+#root = "/var/lib/containerd"
+#state = "/run/containerd"
+#subreaper = true
+#oom_score = 0
+
+#[grpc]
+#  address = "/run/containerd/containerd.sock"
+#  uid = 0
+#  gid = 0
+
+#[debug]
+#  address = "/run/containerd/debug.sock"
+#  uid = 0
+#  gid = 0
+#  level = "info"

base/containerd/containerd-1.4.0-Update-path-to-use-packaged-daemon-executable-in-ser.patch

@@ -0,0 +1,26 @@
+From b5190a190d133660b3bba2187c6b5186a1655224 Mon Sep 17 00:00:00 2001
+From: Jamie Anderson <jamieand@amazon.com>
+Date: Tue, 15 Sep 2020 17:40:30 +0000
+Subject: [PATCH] Update path to use packaged daemon executable in service unit
+
+Signed-off-by: Jamie Anderson <jamieand@amazon.com>
+---
+ containerd.service | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/containerd.service b/containerd.service
+index 38a345945..4e262acb3 100644
+--- a/containerd.service
++++ b/containerd.service
+@@ -21,7 +21,7 @@ After=network.target local-fs.target
+ #uncomment to enable the experimental sbservice (sandboxed) version of containerd/cri integration
+ #Environment="ENABLE_CRI_SANDBOXES=sandboxed"
+ ExecStartPre=-/sbin/modprobe overlay
+-ExecStart=/usr/local/bin/containerd
++ExecStart=/usr/bin/containerd
+ 
+ Type=notify
+ Delegate=yes
+-- 
+2.40.1
+

base/containerd/containerd.spec

@@ -0,0 +1,308 @@
+%bcond_with btrfs
+%bcond_without seccomp
+%bcond_without systemd
+
+%define golang_set_gopath(d:) \
+export GOPATH="%{-d:%{-d*}}%{!-d:$(pwd -P)}"; \
+export PATH="$PATH:$GOPATH/bin"; \
+export GO111MODULE=off
+
+%define golang_init_gopath(d:) \
+%{golang_set_gopath} \
+rm -rf "${GOPATH}/"{src,pkg,bin} \
+install -d "${GOPATH}"/{src,pkg,bin}
+
+%define golang_src_path(p:) ${GOPATH:-.}/src/%{-p*}
+%define gobuilddir %{golang_src_path}
+
+%define golang_prep(p:s:S:) \
+install -d "$GOPATH/src/%{-p*}" && \
+tar -x %{-S:--strip-components=%{-S*}} -C "%{golang_src_path -p %{-p*}}" -f %{-s*}
+
+%define golang_install(p:s:S:) %{golang_prep}\
+go install %{-p*}
+
+%define containerd_release 1.7.2
+%define containerd_commit  0cae528dd6cb557f7201036e9f43420650207b58
+%global containerd_short_sha %(c=%containerd_commit; echo ${c:0:7})
+%define containerd_package github.com/containerd/containerd
+%define containerd_src %{golang_src_path -p %containerd_package}
+
+## Pre/Post release VCS metadata, for NVR when unmatched with a
+## release tag.
+# Update date to datestamp when containerd upstream data is bumped.
+%global containerd_rpm_snapshot_date 20210617
+%global containerd_rpm_snapshot_vcs git%{containerd_short_sha}
+# Get the version bits before the dash or plus.
+%global containerd_rpm_version %(r=%containerd_release; echo ${r%%%%-*})
+# Pre/Post release suffix with VCS info embedded into release.
+%global containerd_rpm_release_suffix .%{containerd_rpm_snapshot_date}.%{containerd_rpm_snapshot_vcs}
+
+%global containerd_buildtags %{?containerd_buildtags} selinux
+%if %{with btrfs}
+%global containerd_buildtags %{?containerd_buildtags} btrfs
+%else
+%global containerd_buildtags %{?containerd_buildtags} no_btrfs
+%endif
+%if %{with seccomp}
+%global containerd_buildtags %{?containerd_buildtags} seccomp
+%endif
+
+Name: containerd
+Version: %{containerd_rpm_version}
+Release: 1%{?dist}
+# Upstream license specification: Apache-2.0
+License: ASL 2.0
+Summary: An industry-standard container runtime with an emphasis on simplicity, robustness and portability
+
+Source0: https://%{containerd_package}/archive/%{containerd_commit}/containerd-%{containerd_release}-%{containerd_short_sha}.tar.gz
+Source1: config.toml
+
+Patch1000: containerd-1.4.0-Update-path-to-use-packaged-daemon-executable-in-ser.patch
+
+# Runtime requirements
+Requires: runc
+%if %{with seccomp}
+# Require the version of seccomp that we were built against.
+%global seccomp_version %(pkg-config --modversion libseccomp 2>/dev/null || echo 0)
+Requires: libseccomp%{?_isa} >= %{seccomp_version}
+%endif
+# container-selinux 2.120.0 adds necessary support for containerd-cri
+Conflicts: container-selinux < 2.120.0
+
+# Compilation requirements
+BuildRequires: golang >= 1.18.3
+BuildRequires: kernel-headers
+BuildRequires: libselinux-devel
+BuildRequires: go-rpm-macros
+BuildRequires: systemd-rpm-macros
+BuildRequires: go-md2man
+%if %{with btrfs}
+BuildRequires: btrfs-progs-devel
+%endif
+%if %{with seccomp}
+BuildRequires: libseccomp-devel
+%endif
+
+%description
+containerd is an industry-standard container runtime with an emphasis
+on simplicity, robustness and portability. It is available as a daemon
+for Linux and Windows, which can manage the complete container
+lifecycle of its host system: image transfer and storage, container
+execution and supervision, low-level storage and network attachments,
+etc.
+
+%package stress
+License: ASL 2.0
+Summary: stress test a containerd daemon
+Requires: %{name} = %{version}-%{release}
+
+%description stress
+%{summary}.
+
+%prep
+%setup -c -T -n %{name}-%{version}-%{release}
+%golang_init_gopath
+
+%golang_prep -p %{containerd_package} -s %SOURCE0 -S 1
+
+cd "%containerd_src"
+%patch1000 -p1
+
+%build
+%golang_set_gopath
+cd "%containerd_src"
+export LDFLAGS="-X %{containerd_package}/version.Version=%{version} -X %{containerd_package}/version.Revision=%{containerd_commit} "
+export BUILDTAGS="%{containerd_buildtags}"
+for cmd in containerd  containerd-shim  containerd-shim-runc-v1  containerd-shim-runc-v2  containerd-stress  ctr  gen-manpages ; do
+  %gobuild -o %{gobuilddir}/bin/$cmd %{containerd_src}/cmd/$cmd
+done
+mkdir _man
+go-md2man -in docs/man/containerd-config.8.md -out _man/containerd-config.8
+go-md2man -in docs/man/containerd-config.toml.5.md -out _man/containerd-config.toml.5
+%{gobuilddir}/bin/gen-manpages containerd.8 _man
+%{gobuilddir}/bin/gen-manpages ctr.8 _man
+rm %{gobuilddir}/bin/gen-manpages
+
+%check
+%golang_set_gopath
+export BUILDTAGS="%{containerd_buildtags}"
+# Run scoped unit tests - skips some if not running as root.
+%if %{without btrfs}
+# We want to build/run tests the same way we build the binaries
+export EXTRA_TESTFLAGS="-tags='%{containerd_buildtags}'"
+%endif
+make -C %{containerd_src} test
+
+%install
+%golang_set_gopath
+
+# Install containerd binaries
+install -d %{buildroot}%{_bindir}
+install -p %{gobuilddir}/bin/* %{buildroot}%{_bindir}/
+install -d %{buildroot}%{_mandir}/man{5,8}
+install -p -m 644 %{containerd_src}/_man/*.5 %{buildroot}%{_mandir}/man5/
+install -p -m 644 %{containerd_src}/_man/*.8 %{buildroot}%{_mandir}/man8/
+install -D -p -m 0644 %{S:1} %{buildroot}%{_sysconfdir}/containerd/config.toml
+
+%if %{with systemd}
+install -D -p -m 644 %{containerd_src}/containerd.service %{buildroot}%{_unitdir}/containerd.service
+%endif
+install -d %{buildroot}%{_localstatedir}/lib/containerd
+
+%if 0%{?amzn} == 2
+# On a fresh install of container-selinux, or updating from selinux-policy in
+# amzn2-core to one that more closely tracks upstream, we need to relabel critical
+# files to pick up changes to file_contexts introduced by those packages.
+%define selinux_relabel_paths %{_bindir}/ctr %{_bindir}/containerd %{_bindir}/containerd-shim* %{_sysconfdir}/containerd/config.toml %{_localstatedir}/lib/containerd
+%define do_selinux_relabel() /usr/sbin/selinuxenabled && /usr/sbin/restorecon -r %*
+
+%triggerin -- container-selinux
+if [ $1 -eq 1 ]; then # new install, not update
+  %{do_selinux_relabel} %{selinux_relabel_paths} ||:
+fi
+
+%triggerun -- selinux-policy < 3.13.1-266
+if [ $1 -eq 1 ]; then # update, not uninstall
+  %{do_selinux_relabel} %{selinux_relabel_paths} ||:
+fi
+
+%triggerin stress -- container-selinux
+if [ $1 -eq 1 ]; then # new install, not update
+  %{do_selinux_relabel} %{_bindir}/containerd-stress ||:
+fi
+
+%triggerun stress -- selinux-policy < 3.13.1-266
+if [ $1 -eq 1 ]; then # update, not uninstall
+  %{do_selinux_relabel} %{_bindir}/containerd-stress ||:
+fi
+%endif
+
+%files
+%license src/github.com/containerd/containerd/LICENSE
+%doc src/github.com/containerd/containerd/README.md
+%{_bindir}/ctr
+%{_bindir}/containerd
+%{_bindir}/containerd-shim
+%{_bindir}/containerd-shim-runc-v1
+%{_bindir}/containerd-shim-runc-v2
+%config(noreplace) %{_sysconfdir}/containerd/config.toml
+%dir %{_localstatedir}/lib/containerd
+%if %{with systemd}
+%{_unitdir}/containerd.service
+%endif
+%{_mandir}/man5/containerd-config.toml.5*
+%{_mandir}/man8/containerd-config.8*
+%{_mandir}/man8/containerd.8*
+%{_mandir}/man8/ctr.8*
+
+%files stress
+%{_bindir}/containerd-stress
+
+%post
+%if %{with systemd}
+%systemd_post containerd
+%endif
+
+%preun
+%if %{with systemd}
+%systemd_preun containerd
+%endif
+
+%postun
+%if %{with systemd}
+%systemd_postun_with_restart containerd
+%endif
+
+%changelog
+* Thu Jul 06 2023 Lucas Meneghel <lmr@amazon.com> - 1.7.2-1.amzn2023.0.1
+- containerd: Update to upstream 1.7.2
+- Dropped patches that are included with the new version
+
+* Fri Mar 17 2023 Sonia Xu <sonix@amazon.com> - 1.6.19-1.amzn2023.0.1
+- Update to v1.6.19
+- Update patch to apply properly
+
+* Tue Mar 14 2023 Sai Harsha <ssuryad@amazon.com> - 1.6.8-2.amzn2023.0.4
+- Fix CVE-2022-1996
+
+* Mon Jan 30 2023 Stewart Smith <trawets@amazon.com> - 1.6.8-2.amzn2023.0.3
+- Mass rebuild for AL2023
+
+* Tue Dec 20 2022 Chanchal Mathew <chancham@amazon.com> - 1.6.8-2.amzn2022.0.2
+- Rebuild for CVE-2022-2879, CVE-2022-41715, CVE-2022-41716 in golang
+
+* Tue Oct 11 2022 Chanchal Mathew <chancham@amazon.com> - 1.6.8-2
+- Fix FTBFS
+
+* Tue Oct 04 2022 Chanchal Mathew <chancham@amazon.com> - 1.6.8-1
+- Update to 1.6.8 from upstream
+
+* Mon Oct 03 2022 Stewart Smith <trawets@amazon.com> - 1.6.6-1.amzn2022.0.3
+- AL2022 pre-GA mass rebuild
+
+* Wed Sep 28 2022 Mansi Jaitly <mjaitly@amazon.com> - 1.6.6-1.amzn2022.0.2
+- Rebuild due to golang-1.19.1-1.amzn2022.0.1 update
+
+* Fri Jul 22 2022 Stewart Smith <trawets@amazon.com> - 1.6.6-1.amzn2022.0.1
+- build without btrfs on Amazon Linux
+
+* Mon Jun 20 2022 Sai Harsha <ssuryad@amazon.com> - 1.6.6-1
+- Update to 1.6.6 from upstream
+- Remove patches included upstream since 1.4.13
+
+* Tue May 31 2022 Sai Harsha <ssuryad@amazon.com> - 1.4.13-3
+- Limit the response size of ExecSync
+
+* Tue Mar 29 2022 Malcolm Inglis <miinglis@amazon.com> - 1.4.13-2
+- Apply patch for CVE-2022-24769
+
+* Tue Mar 29 2022 Malcolm Inglis <miinglis@amazon.com> - 1.4.13-1
+- Update to 1.4.13 from upstream
+- Update golang BuildRequires to 1.16.15
+- Remove patches included upstream since 1.4.6
+
+* Thu Feb 24 2022 Malcolm Inglis <miinglis@amazon.com> - 1.4.6-9
+- Apply patch for CVE-2022-23648
+
+* Wed Dec 08 2021 Paul Ezvan <paulezva@amazon.fr> - 1.4.6-8
+- Build for AL2022
+
+* Wed Nov 17 2021 Jamie Anderson <jamieand@amazon.com> - 1.4.6-7
+- CVE-2021-41190
+
+* Tue Nov 02 2021 Jamie Anderson <jamieand@amazon.com> - 1.4.6-5
+- Fix typo in container-selinux Conflicts:
+
+* Fri Oct 29 2021 Jamie Anderson <jamieand@amazon.com> - 1.4.6-4
+- Add selinux to buildtags
+- Conflict with container-selinux versions that don't have containerd-cri support
+
+* Fri Sep 24 2021 Jamie Anderson <jamieand@amazon.com> - 1.4.6-3
+- Apply patches for CVE-2021-41103
+
+* Mon Jul 12 2021 Jamie Anderson <jamieand@amazon.com> - 1.4.6-2
+- Apply patch for CVE-2021-32760
+
+* Thu Jun 17 2021 Jamie Anderson <jamieand@amazon.com> - 1.4.6-1
+- Update to 1.4.6 from upstream
+
+* Thu Feb 25 2021 Jamie Anderson <jamieand@amazon.com> - 1.4.4-1
+- Update to 1.4.4 from upstream
+
+* Tue Nov 17 2020 Samuel Karp <skarp@amazon.com> - 1.4.1-2
+- Apply patch for CVE-2020-15257
+
+* Fri Nov 13 2020 Jamie Anderson <jamieand@amazon.com> - 1.4.1
+- Update to 1.4.1 from upstream
+
+* Wed Sep 23 2020 Jamie Anderson <jamieand@amazon.com> - 1.4.0
+- Update to 1.4.0 from upstream
+- Add triggers to relabel after container-selinux install
+
+* Mon Feb 10 2020 Jamie Anderson <jamieand@amazon.com> - 1.3.2
+- Update to 1.3.2 from upstream
+
+* Mon May 13 2019 Jacob Vallejo <jakeev@amazon.com> - 1.2.6-1
+- Initial packaging
+

base/docker/README-docker-runtimes.d

@@ -0,0 +1,7 @@
+Users can add runtimes (in addition to runc) to Docker by adding executable
+files in /etc/docker-runtimes.d.
+
+The name of the file becomes the name of the runtime.
+
+To disable an installed runtime file without RPM clobbering it and re-enabling
+it on an update, remove the executable bits (chmod a-x).

base/docker/docker-20.10.17-Skip-kubeconfig-and-loadcontext-tests-that-require-root.patch

@@ -0,0 +1,54 @@
+From 4c4d58519541008ef8982e1fcffe76c60e1389f5 Mon Sep 17 00:00:00 2001
+From: Sai Harsha <ssuryad@amazon.com>
+Date: Tue, 14 Jun 2022 06:39:31 +0000
+Subject: [PATCH 1/1] Skip TestSaveLoadContexts and TestExportKubeconfig
+
+Skipping TestExportKubeconfig and TestSaveLoadContexts tests which require root access
+
+---
+ cli/command/context/export-import_test.go | 2 ++
+ cli/context/kubernetes/endpoint_test.go   | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/cli/command/context/export-import_test.go b/cli/command/context/export-import_test.go
+index bf0cd88..6be9384 100644
+--- a/cli/command/context/export-import_test.go
++++ b/cli/command/context/export-import_test.go
+@@ -8,6 +8,7 @@ import (
+ 	"path/filepath"
+ 	"testing"
+ 
++	"github.com/docker/docker/testutil"
+ 	"github.com/docker/cli/cli/streams"
+ 	"gotest.tools/v3/assert"
+ )
+@@ -71,6 +72,7 @@ func TestExportImportPipe(t *testing.T) {
+ }
+ 
+ func TestExportKubeconfig(t *testing.T) {
++	testutil.RequiresRoot(t)
+	contextFile := filepath.Join(t.TempDir(), "exported")
+	cli := makeFakeCli(t)
+	createTestContextWithKube(t, cli)
+diff --git a/cli/context/kubernetes/endpoint_test.go b/cli/context/kubernetes/endpoint_test.go
+index 89eeb9d..700e21e 100644
+--- a/cli/context/kubernetes/endpoint_test.go
++++ b/cli/context/kubernetes/endpoint_test.go
+@@ -5,6 +5,7 @@ import (
+ 	"os"
+ 	"testing"
+ 
++	"github.com/docker/docker/testutil"
+ 	"github.com/docker/cli/cli/context"
+ 	"github.com/docker/cli/cli/context/store"
+ 	"gotest.tools/v3/assert"
+@@ -41,6 +42,7 @@ var testStoreCfg = store.NewConfig(
+ )
+ 
+ func TestSaveLoadContexts(t *testing.T) {
++	testutil.RequiresRoot(t)
+	store := store.New(t.TempDir(), testStoreCfg)
+	assert.NilError(t, save(store, testEndpoint("https://test", "test", nil, nil, nil, false), "raw-notls"))
+	assert.NilError(t, save(store, testEndpoint("https://test", "test", nil, nil, nil, true), "raw-notls-skip"))
+-- 
+2.32.0

base/docker/docker-20.10.4-Limit-logger-errors-logged-into-daemon-logs.patch

@@ -0,0 +1,112 @@
+From fb5a9ec741c4a2246624b694d88db2e5fabc9118 Mon Sep 17 00:00:00 2001
+From: Angel Velazquez <angelcar@amazon.com>
+Date: Thu, 20 May 2021 16:59:30 -0700
+Subject: [PATCH] Limit the rate at which logger errors are logged into daemon
+ logs
+
+Logging to daemon logs every time there's an error with a log driver can be
+problematic since daemon logs can grow rapidly, potentially exhausting disk
+space.
+
+Instead, it's preferable to limit the rate at which log driver errors are allowed
+to be written. By default, this limit is 333 entries per second max.
+
+Signed-off-by: Angel Velazquez <angelcar@amazon.com>
+---
+ daemon/logger/copier.go       |  6 ++----
+ daemon/logger/logger_error.go | 24 ++++++++++++++++++++++++
+ daemon/logger/ring.go         | 12 ++----------
+ 3 files changed, 28 insertions(+), 14 deletions(-)
+ create mode 100644 daemon/logger/logger_error.go
+
+diff --git a/daemon/logger/copier.go b/daemon/logger/copier.go
+index e2ee36c0987e..30c68ea364d2 100644
+--- a/daemon/logger/copier.go
++++ b/daemon/logger/copier.go
+@@ -126,8 +126,7 @@ func (c *Copier) copySrc(name string, src io.Reader) {
+ 					}
+ 
+ 					if logErr := c.dst.Log(msg); logErr != nil {
+-						logWritesFailedCount.Inc(1)
+-						logrus.Errorf("Failed to log msg %q for logger %s: %s", msg.Line, c.dst.Name(), logErr)
++						logDriverError(c.dst.Name(), string(msg.Line), logErr)
+ 					}
+ 				}
+ 				p += q + 1
+@@ -159,8 +158,7 @@ func (c *Copier) copySrc(name string, src io.Reader) {
+ 					hasMorePartial = true
+ 
+ 					if logErr := c.dst.Log(msg); logErr != nil {
+-						logWritesFailedCount.Inc(1)
+-						logrus.Errorf("Failed to log msg %q for logger %s: %s", msg.Line, c.dst.Name(), logErr)
++						logDriverError(c.dst.Name(), string(msg.Line), logErr)
+ 					}
+ 					p = 0
+ 					n = 0
+diff --git a/daemon/logger/logger_error.go b/daemon/logger/logger_error.go
+new file mode 100644
+index 000000000000..70f4311979c4
+--- /dev/null
++++ b/daemon/logger/logger_error.go
+@@ -0,0 +1,24 @@
++package logger
++
++import (
++	"github.com/sirupsen/logrus"
++	"golang.org/x/time/rate"
++)
++
++// Rates based on journald defaults of 10,000 messages in 30s.
++// reference: https://www.freedesktop.org/software/systemd/man/journald.conf.html#RateLimitIntervalSec=
++var logErrorLimiter = rate.NewLimiter(333, 333)
++
++// logDriverError logs errors produced by log drivers to the daemon logs. It also increments the logWritesFailedCount
++// metric.
++// Logging to the daemon logs is limited to 333 operations per second at most. If this limit is exceeded, the
++// logWritesFailedCount is still counted, but logging to the daemon logs is omitted in order to prevent disk saturation.
++func logDriverError(loggerName, msgLine string, logErr error) {
++	logWritesFailedCount.Inc(1)
++	if logErrorLimiter.Allow() {
++		logrus.WithError(logErr).
++			WithField("driver", loggerName).
++			WithField("message", msgLine).
++			Errorf("Error writing log message")
++	}
++}
+diff --git a/daemon/logger/ring.go b/daemon/logger/ring.go
+index b6432aed36f7..3b2652af63c1 100644
+--- a/daemon/logger/ring.go
++++ b/daemon/logger/ring.go
+@@ -4,8 +4,6 @@ import (
+ 	"errors"
+ 	"sync"
+ 	"sync/atomic"
+-
+-	"github.com/sirupsen/logrus"
+ )
+ 
+ const (
+@@ -104,10 +102,7 @@ func (r *RingLogger) Close() error {
+ 		}
+ 
+ 		if err := r.l.Log(msg); err != nil {
+-			logrus.WithField("driver", r.l.Name()).
+-				WithField("container", r.logInfo.ContainerID).
+-				WithError(err).
+-				Errorf("Error writing log message")
++			logDriverError(r.l.Name(), string(msg.Line), err)
+ 			logErr = true
+ 		}
+ 	}
+@@ -128,10 +123,7 @@ func (r *RingLogger) run() {
+ 			return
+ 		}
+ 		if err := r.l.Log(msg); err != nil {
+-			logrus.WithField("driver", r.l.Name()).
+-				WithField("container", r.logInfo.ContainerID).
+-				WithError(err).
+-				Errorf("Error writing log message")
++			logDriverError(r.l.Name(), string(msg.Line), err)
+ 		}
+ 	}
+ }

base/docker/docker-20.10.4-Restore-containerd-dependency-restart-policy-and-nof.patch

@@ -0,0 +1,47 @@
+From e2d3dd827bcca6cba9e0f2b869d872af07ff2999 Mon Sep 17 00:00:00 2001
+From: Jamie Anderson <jamieand@amazon.com>
+Date: Mon, 22 Mar 2021 20:33:57 +0000
+Subject: [PATCH] Restore containerd dependency, restart policy, and nofile
+ settings to service file
+
+Signed-off-by: Jamie Anderson <jamieand@amazon.com>
+---
+ contrib/init/systemd/docker.service | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/contrib/init/systemd/docker.service b/contrib/init/systemd/docker.service
+index 7e87245..1654f0b 100644
+--- a/contrib/init/systemd/docker.service
++++ b/contrib/init/systemd/docker.service
+@@ -1,7 +1,8 @@
+ [Unit]
+ Description=Docker Application Container Engine
+ Documentation=https://docs.docker.com
+-After=network-online.target docker.socket firewalld.service
++BindsTo=containerd.service
++After=network-online.target docker.socket firewalld.service containerd.service
+ Wants=network-online.target
+ Requires=docker.socket
+ 
+@@ -17,7 +18,7 @@ ExecStartPre=/usr/libexec/docker/docker-setup-runtimes.sh
+ # for containers run by docker
+ ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock $OPTIONS $DOCKER_STORAGE_OPTIONS $DOCKER_ADD_RUNTIMES
+ ExecReload=/bin/kill -s HUP $MAINPID
+-LimitNOFILE=1048576
++LimitNOFILE=infinity
+ # Having non-zero Limit*s causes performance problems due to accounting overhead
+ # in the kernel. We recommend using cgroups to do container-local accounting.
+ LimitNPROC=infinity
+@@ -31,7 +32,8 @@ Delegate=yes
+ # kill only the docker process, not all processes in the cgroup
+ KillMode=process
+ # restart the docker process if it exits prematurely
+-Restart=on-failure
++RestartSec=2
++Restart=always
+ StartLimitBurst=3
+ StartLimitInterval=60s
+ 
+-- 
+2.31.0.rc2
+

base/docker/docker-20.10.4-Skip-auth-middleware-test.patch

@@ -0,0 +1,33 @@
+From ff6ad03b4a9774b2a87c12445b31f54078c06b55 Mon Sep 17 00:00:00 2001
+From: Jamie Anderson <jamieand@amazon.com>
+Date: Thu, 4 Mar 2021 17:48:05 +0000
+Subject: [PATCH] Skip auth/middleware test that creates sockets
+
+Signed-off-by: Jamie Anderson <jamieand@amazon.com>
+---
+ pkg/authorization/middleware_unix_test.go | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/pkg/authorization/middleware_unix_test.go b/pkg/authorization/middleware_unix_test.go
+index 468cb59..b5e26ac 100644
+--- a/pkg/authorization/middleware_unix_test.go
++++ b/pkg/authorization/middleware_unix_test.go
+@@ -7,6 +7,7 @@ import (
+ 	"net/http"
+ 	"net/http/httptest"
+ 	"testing"
++	"github.com/docker/docker/testutil"
+ 
+ 	"github.com/docker/docker/pkg/plugingetter"
+ 	"gotest.tools/v3/assert"
+@@ -14,6 +15,7 @@ import (
+ )
+ 
+ func TestMiddlewareWrapHandler(t *testing.T) {
++	testutil.RequiresRoot(t)
+ 	server := authZPluginTestServer{t: t}
+ 	server.start()
+ 	defer server.stop()
+-- 
+2.25.0.24.gbc7a3d4
+

base/docker/docker-20.10.4-Skip-btrfs-graphdriver-tests-if-not-root.patch

@@ -0,0 +1,53 @@
+From 4d116f8caee01d47e344571c0fe4b805ae44e8d8 Mon Sep 17 00:00:00 2001
+From: Jamie Anderson <jamieand@amazon.com>
+Date: Fri, 19 Mar 2021 20:59:20 +0000
+Subject: [PATCH] Skip btrfs graphdriver tests if not root
+
+Signed-off-by: Jamie Anderson <jamieand@amazon.com>
+---
+ daemon/graphdriver/btrfs/btrfs_test.go | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/daemon/graphdriver/btrfs/btrfs_test.go b/daemon/graphdriver/btrfs/btrfs_test.go
+index b70e93b..c75960b 100644
+--- a/daemon/graphdriver/btrfs/btrfs_test.go
++++ b/daemon/graphdriver/btrfs/btrfs_test.go
+@@ -6,6 +6,7 @@ import (
+ 	"os"
+ 	"path"
+ 	"testing"
++	"github.com/docker/docker/testutil"
+ 
+ 	"github.com/docker/docker/daemon/graphdriver/graphtest"
+ )
+@@ -13,22 +14,27 @@ import (
+ // This avoids creating a new driver for each test if all tests are run
+ // Make sure to put new tests between TestBtrfsSetup and TestBtrfsTeardown
+ func TestBtrfsSetup(t *testing.T) {
++	testutil.RequiresRoot(t)
+ 	graphtest.GetDriver(t, "btrfs")
+ }
+ 
+ func TestBtrfsCreateEmpty(t *testing.T) {
++	testutil.RequiresRoot(t)
+ 	graphtest.DriverTestCreateEmpty(t, "btrfs")
+ }
+ 
+ func TestBtrfsCreateBase(t *testing.T) {
++	testutil.RequiresRoot(t)
+ 	graphtest.DriverTestCreateBase(t, "btrfs")
+ }
+ 
+ func TestBtrfsCreateSnap(t *testing.T) {
++	testutil.RequiresRoot(t)
+ 	graphtest.DriverTestCreateSnap(t, "btrfs")
+ }
+ 
+ func TestBtrfsSubvolDelete(t *testing.T) {
++	testutil.RequiresRoot(t)
+ 	d := graphtest.GetDriver(t, "btrfs")
+ 	if err := d.CreateReadWrite("test", "", nil); err != nil {
+ 		t.Fatal(err)
+-- 
+2.31.0.rc2
+

base/docker/docker-20.10.4-Skip-builder-tests-that-require-root.patch

@@ -0,0 +1,102 @@
+From 1f8ac5f2a45ccbedb0904f6ac938f94ea655c49a Mon Sep 17 00:00:00 2001
+From: Jamie Anderson <jamieand@amazon.com>
+Date: Wed, 3 Mar 2021 22:00:57 +0000
+Subject: [PATCH] Skip builder tests that require root
+
+Signed-off-by: Jamie Anderson <jamieand@amazon.com>
+---
+ builder/dockerfile/internals_test.go | 5 +++++
+ builder/remotecontext/tarsum_test.go | 5 +++++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/builder/dockerfile/internals_test.go b/builder/dockerfile/internals_test.go
+index 5353167..5a68a39 100644
+--- a/builder/dockerfile/internals_test.go
++++ b/builder/dockerfile/internals_test.go
+@@ -5,6 +5,7 @@ import (
+ 	"os"
+ 	"runtime"
+ 	"testing"
++	"github.com/docker/docker/testutil"
+ 
+ 	"github.com/docker/docker/api/types"
+ 	"github.com/docker/docker/api/types/backend"
+@@ -23,6 +24,7 @@ import (
+ )
+ 
+ func TestEmptyDockerfile(t *testing.T) {
++	testutil.RequiresRoot(t)
+ 	contextDir, cleanup := createTestTempDir(t, "", "builder-dockerfile-test")
+ 	defer cleanup()
+ 
+@@ -32,6 +34,7 @@ func TestEmptyDockerfile(t *testing.T) {
+ }
+ 
+ func TestSymlinkDockerfile(t *testing.T) {
++	testutil.RequiresRoot(t)
+ 	contextDir, cleanup := createTestTempDir(t, "", "builder-dockerfile-test")
+ 	defer cleanup()
+ 
+@@ -47,6 +50,7 @@ func TestSymlinkDockerfile(t *testing.T) {
+ }
+ 
+ func TestDockerfileOutsideTheBuildContext(t *testing.T) {
++	testutil.RequiresRoot(t)
+ 	contextDir, cleanup := createTestTempDir(t, "", "builder-dockerfile-test")
+ 	defer cleanup()
+ 
+@@ -59,6 +63,7 @@ func TestDockerfileOutsideTheBuildContext(t *testing.T) {
+ }
+ 
+ func TestNonExistingDockerfile(t *testing.T) {
++	testutil.RequiresRoot(t)
+ 	contextDir, cleanup := createTestTempDir(t, "", "builder-dockerfile-test")
+ 	defer cleanup()
+ 
+diff --git a/builder/remotecontext/tarsum_test.go b/builder/remotecontext/tarsum_test.go
+index c6a417d..93643a5 100644
+--- a/builder/remotecontext/tarsum_test.go
++++ b/builder/remotecontext/tarsum_test.go
+@@ -5,6 +5,7 @@ import (
+ 	"os"
+ 	"path/filepath"
+ 	"testing"
++	"github.com/docker/docker/testutil"
+ 
+ 	"github.com/docker/docker/builder"
+ 	"github.com/docker/docker/pkg/archive"
+@@ -23,6 +24,7 @@ func init() {
+ }
+ 
+ func TestCloseRootDirectory(t *testing.T) {
++	testutil.RequiresRoot(t)
+	contextDir, err := os.MkdirTemp("", "builder-tarsum-test")
+ 	defer os.RemoveAll(contextDir)
+ 	if err != nil {
+@@ -44,6 +46,7 @@ func TestCloseRootDirectory(t *testing.T) {
+ }
+ 
+ func TestHashFile(t *testing.T) {
++	testutil.RequiresRoot(t)
+ 	contextDir, cleanup := createTestTempDir(t, "", "builder-tarsum-test")
+ 	defer cleanup()
+ 
+@@ -69,6 +72,7 @@ func TestHashFile(t *testing.T) {
+ }
+ 
+ func TestHashSubdir(t *testing.T) {
++	testutil.RequiresRoot(t)
+ 	contextDir, cleanup := createTestTempDir(t, "", "builder-tarsum-test")
+ 	defer cleanup()
+ 
+@@ -106,6 +110,7 @@ func TestHashSubdir(t *testing.T) {
+ }
+ 
+ func TestRemoveDirectory(t *testing.T) {
++	testutil.RequiresRoot(t)
+ 	contextDir, cleanup := createTestTempDir(t, "", "builder-tarsum-test")
+ 	defer cleanup()
+ 
+-- 
+2.25.0.24.gbc7a3d4
+

base/docker/docker-20.10.4-Skip-cli-tests-that-require-network.patch

@@ -0,0 +1,54 @@
+From 29cf333688cf38c615f6a2c4dfc8a1fddbbbb4aa Mon Sep 17 00:00:00 2001
+From: Jamie Anderson <jamieand@amazon.com>
+Date: Wed, 3 Mar 2021 23:02:57 +0000
+Subject: [PATCH] Skip cli tests that require network
+
+Signed-off-by: Jamie Anderson <jamieand@amazon.com>
+---
+ cli/command/image/pull_test.go | 2 ++
+ cli/command/image/push_test.go | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/cli/command/image/pull_test.go b/cli/command/image/pull_test.go
+index b9d4970..bb7ce0e 100644
+--- a/cli/command/image/pull_test.go
++++ b/cli/command/image/pull_test.go
+@@ -6,6 +6,7 @@ import (
+	"io"
+ 	"strings"
+ 	"testing"
++	"github.com/docker/cli/testutil"
+ 
+ 	"github.com/docker/cli/internal/test"
+ 	"github.com/docker/cli/internal/test/notary"
+@@ -16,6 +17,7 @@ import (
+ )
+ 
+ func TestNewPullCommandErrors(t *testing.T) {
++	testutil.SkipIfBuildroot(t)
+ 	testCases := []struct {
+ 		name          string
+ 		args          []string
+diff --git a/cli/command/image/push_test.go b/cli/command/image/push_test.go
+index 9636369..14bfbd2 100644
+--- a/cli/command/image/push_test.go
++++ b/cli/command/image/push_test.go
+@@ -5,6 +5,7 @@ import (
+	"io"
+ 	"strings"
+ 	"testing"
++	"github.com/docker/cli/testutil"
+ 
+ 	"github.com/docker/cli/internal/test"
+ 	"github.com/docker/docker/api/types"
+@@ -13,6 +14,7 @@ import (
+ )
+ 
+ func TestNewPushCommandErrors(t *testing.T) {
++	testutil.SkipIfBuildroot(t)
+ 	testCases := []struct {
+ 		name          string
+ 		args          []string
+-- 
+2.25.0.24.gbc7a3d4
+

base/docker/docker-20.10.4-Skip-compression-tests-that-require-root.patch

@@ -0,0 +1,46 @@
+From 4622551eb4d29bee8fb30290368a4cce5af56737 Mon Sep 17 00:00:00 2001
+From: Jamie Anderson <jamieand@amazon.com>
+Date: Fri, 19 Mar 2021 20:10:01 +0000
+Subject: [PATCH] Skip compression tests that require root
+
+Signed-off-by: Jamie Anderson <jamieand@amazon.com>
+---
+ cli/command/image/build/context_test.go | 2 ++
+ cli/command/image/build_test.go         | 1 +
+ 2 files changed, 3 insertions(+)
+
+diff --git a/cli/command/image/build/context_test.go b/cli/command/image/build/context_test.go
+index f216978..1dbea0b 100644
+--- a/cli/command/image/build/context_test.go
++++ b/cli/command/image/build/context_test.go
+@@ -10,6 +10,7 @@ import (
+ 	"runtime"
+ 	"strings"
+ 	"testing"
++	"github.com/docker/cli/testutil"
+ 
+ 	"github.com/docker/docker/pkg/archive"
+ 	"github.com/docker/docker/pkg/fileutils"
+@@ -173,6 +174,7 @@ func TestGetContextFromReaderString(t *testing.T) {
+ }
+ 
+ func TestGetContextFromReaderTar(t *testing.T) {
++	testutil.RequiresRoot(t)
+	contextDir := createTestTempDir(t)
+	createTestTempFile(t, contextDir, DefaultDockerfileName, dockerfileContents)
+ 
+diff --git a/cli/command/image/build_test.go b/cli/command/image/build_test.go
+index cef80a3..34014dd 100644
+--- a/cli/command/image/build_test.go
++++ b/cli/command/image/build_test.go
+@@ -27,6 +27,7 @@ import (
+ )
+ 
+ func TestRunBuildDockerfileFromStdinWithCompress(t *testing.T) {
++	testutil.RequiresRoot(t)
+ 	defer env.Patch(t, "DOCKER_BUILDKIT", "0")()
+ 	buffer := new(bytes.Buffer)
+ 	fakeBuild := newFakeBuild()
+-- 
+2.31.0.rc2
+

base/docker/docker-20.10.4-Skip-devmapper-tests-that-don-t-work-in-a-buildroot.patch

@@ -0,0 +1,85 @@
+From 00faa3a1652a57c9f8f6ceeb930020680d3d5295 Mon Sep 17 00:00:00 2001
+From: Jamie Anderson <jamieand@amazon.com>
+Date: Tue, 2 Mar 2021 19:11:09 +0000
+Subject: [PATCH] Skip devmapper tests that don't work in a buildroot
+
+Signed-off-by: Jamie Anderson <jamieand@amazon.com>
+---
+ daemon/graphdriver/devmapper/devmapper_test.go | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/daemon/graphdriver/devmapper/devmapper_test.go b/daemon/graphdriver/devmapper/devmapper_test.go
+index afd6c5b..dc59dc5 100644
+--- a/daemon/graphdriver/devmapper/devmapper_test.go
++++ b/daemon/graphdriver/devmapper/devmapper_test.go
+@@ -8,6 +8,7 @@ import (
+ 	"os/exec"
+ 	"syscall"
+ 	"testing"
++	"github.com/docker/docker/testutil"
+ 	"time"
+ 
+ 	"github.com/docker/docker/daemon/graphdriver"
+@@ -17,6 +18,10 @@ import (
+ )
+ 
+ func init() {
++	if _, err := os.Stat("/.initialized"); err == nil {
++		// Don't try to call initLoopbacks() in a buildroot
++		return nil
++	}
+ 	// Reduce the size of the base fs and loopback for the tests
+ 	defaultDataLoopbackSize = 300 * 1024 * 1024
+ 	defaultMetaDataLoopbackSize = 200 * 1024 * 1024
+@@ -71,26 +76,32 @@ func getBaseLoopStats() (*syscall.Stat_t, error) {
+ // This avoids creating a new driver for each test if all tests are run
+ // Make sure to put new tests between TestDevmapperSetup and TestDevmapperTeardown
+ func TestDevmapperSetup(t *testing.T) {
++	testutil.SkipIfBuildroot(t)
+ 	graphtest.GetDriver(t, "devicemapper")
+ }
+ 
+ func TestDevmapperCreateEmpty(t *testing.T) {
++	testutil.SkipIfBuildroot(t)
+ 	graphtest.DriverTestCreateEmpty(t, "devicemapper")
+ }
+ 
+ func TestDevmapperCreateBase(t *testing.T) {
++	testutil.SkipIfBuildroot(t)
+ 	graphtest.DriverTestCreateBase(t, "devicemapper")
+ }
+ 
+ func TestDevmapperCreateSnap(t *testing.T) {
++	testutil.SkipIfBuildroot(t)
+ 	graphtest.DriverTestCreateSnap(t, "devicemapper")
+ }
+ 
+ func TestDevmapperTeardown(t *testing.T) {
++	testutil.SkipIfBuildroot(t)
+ 	graphtest.PutDriver(t)
+ }
+ 
+ func TestDevmapperReduceLoopBackSize(t *testing.T) {
++	testutil.SkipIfBuildroot(t)
+ 	tenMB := int64(10 * 1024 * 1024)
+ 	testChangeLoopBackSize(t, -tenMB, defaultDataLoopbackSize, defaultMetaDataLoopbackSize)
+ }
+@@ -101,6 +112,7 @@ func TestDevmapperIncreaseLoopBackSize(t *testing.T) {
+ }
+ 
+ func testChangeLoopBackSize(t *testing.T, delta, expectDataSize, expectMetaDataSize int64) {
++	testutil.SkipIfBuildroot(t)
+ 	driver := graphtest.GetDriver(t, "devicemapper").(*graphtest.Driver).Driver.(*graphdriver.NaiveDiffDriver).ProtoDriver.(*Driver)
+ 	defer graphtest.PutDriver(t)
+ 	// make sure data or metadata loopback size are the default size
+@@ -129,6 +141,7 @@ func testChangeLoopBackSize(t *testing.T, delta, expectDataSize, expectMetaDataS
+ 
+ // Make sure devices.Lock() has been release upon return from cleanupDeletedDevices() function
+ func TestDevmapperLockReleasedDeviceDeletion(t *testing.T) {
++	testutil.SkipIfBuildroot(t)
+ 	driver := graphtest.GetDriver(t, "devicemapper").(*graphtest.Driver).Driver.(*graphdriver.NaiveDiffDriver).ProtoDriver.(*Driver)
+ 	defer graphtest.PutDriver(t)
+ 
+-- 
+2.25.0.24.gbc7a3d4
+

base/docker/docker-20.10.4-Skip-distribution-tests-that-network.patch

@@ -0,0 +1,32 @@
+From e880fb184cc9147cc9dd3387752c1ef8b3d20be2 Mon Sep 17 00:00:00 2001
+From: Jamie Anderson <jamieand@amazon.com>
+Date: Wed, 3 Mar 2021 21:20:24 +0000
+Subject: [PATCH] Skip distribution tests that network
+
+Signed-off-by: Jamie Anderson <jamieand@amazon.com>
+---
+ distribution/xfer/transfer_test.go | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/distribution/xfer/transfer_test.go b/distribution/xfer/transfer_test.go
+index f8f8e96..6764f17 100644
+--- a/distribution/xfer/transfer_test.go
++++ b/distribution/xfer/transfer_test.go
+@@ -3,12 +3,14 @@ package xfer // import "github.com/docker/docker/distribution/xfer"
+ import (
+ 	"sync/atomic"
+ 	"testing"
++	"github.com/docker/docker/testutil"
+ 	"time"
+ 
+ 	"github.com/docker/docker/pkg/progress"
+ )
+ 
+ func TestTransfer(t *testing.T) {
++	testutil.SkipIfBuildroot(t)
+ 	makeXferFunc := func(id string) DoFunc {
+ 		return func(progressChan chan<- progress.Progress, start <-chan struct{}, _ chan<- struct{}) Transfer {
+ 			select {
+-- 
+2.25.0.24.gbc7a3d4
+

base/docker/docker-20.10.4-Skip-engine-layer-tests.patch

@@ -0,0 +1,160 @@
+From bad779d02c86a9cf6bdd3b376920093da9441739 Mon Sep 17 00:00:00 2001
+From: Jamie Anderson <jamieand@amazon.com>
+Date: Mon, 8 Mar 2021 19:27:36 +0000
+Subject: [PATCH] Skip layer tests that require root
+
+Signed-off-by: Jamie Anderson <jamieand@amazon.com>
+---
+ layer/layer_test.go      | 7 +++++++
+ layer/layer_unix_test.go | 2 ++
+ layer/migration_test.go  | 3 +++
+ layer/mount_test.go      | 4 ++++
+ 4 files changed, 16 insertions(+)
+
+diff --git a/layer/layer_test.go b/layer/layer_test.go
+index 9199b9c..abd6bde 100644
+--- a/layer/layer_test.go
++++ b/layer/layer_test.go
+@@ -9,6 +9,7 @@ import (
+ 	"runtime"
+ 	"strings"
+ 	"testing"
++	"github.com/docker/docker/testutil"
+ 
+ 	"github.com/containerd/continuity/driver"
+ 	"github.com/docker/docker/daemon/graphdriver"
+@@ -258,6 +259,7 @@ func assertLayerEqual(t *testing.T, l1, l2 Layer) {
+ }
+ 
+ func TestMountAndRegister(t *testing.T) {
++	testutil.RequiresRoot(t)
+ 	ls, _, cleanup := newTestStore(t)
+ 	defer cleanup()
+ 
+@@ -299,6 +301,7 @@ func TestMountAndRegister(t *testing.T) {
+ }
+ 
+ func TestLayerRelease(t *testing.T) {
++	testutil.RequiresRoot(t)
+ 	// TODO Windows: Figure out why this is failing
+ 	if runtime.GOOS == "windows" {
+ 		t.Skip("Failing on Windows")
+@@ -348,6 +351,7 @@ func TestLayerRelease(t *testing.T) {
+ }
+ 
+ func TestStoreRestore(t *testing.T) {
++	testutil.RequiresRoot(t)
+ 	// TODO Windows: Figure out why this is failing
+ 	if runtime.GOOS == "windows" {
+ 		t.Skip("Failing on Windows")
+@@ -463,6 +467,7 @@ func TestStoreRestore(t *testing.T) {
+ }
+ 
+ func TestTarStreamStability(t *testing.T) {
++	testutil.RequiresRoot(t)
+ 	// TODO Windows: Figure out why this is failing
+ 	if runtime.GOOS == "windows" {
+ 		t.Skip("Failing on Windows")
+@@ -656,6 +661,7 @@ func assertReferences(t *testing.T, references ...Layer) {
+ }
+ 
+ func TestRegisterExistingLayer(t *testing.T) {
++	testutil.RequiresRoot(t)
+ 	ls, _, cleanup := newTestStore(t)
+ 	defer cleanup()
+ 
+@@ -692,6 +698,7 @@ func TestRegisterExistingLayer(t *testing.T) {
+ }
+ 
+ func TestTarStreamVerification(t *testing.T) {
++	testutil.RequiresRoot(t)
+ 	// TODO Windows: Figure out why this is failing
+ 	if runtime.GOOS == "windows" {
+ 		t.Skip("Failing on Windows")
+diff --git a/layer/layer_unix_test.go b/layer/layer_unix_test.go
+index 6830158..fc12af7 100644
+--- a/layer/layer_unix_test.go
++++ b/layer/layer_unix_test.go
+@@ -4,6 +4,7 @@ package layer // import "github.com/docker/docker/layer"
+ 
+ import (
+ 	"testing"
++	"github.com/docker/docker/testutil"
+ )
+ 
+ func graphDiffSize(ls Store, l Layer) (int64, error) {
+@@ -18,6 +19,7 @@ func graphDiffSize(ls Store, l Layer) (int64, error) {
+ // Unix as Windows graph driver does not support Changes which is indirectly
+ // invoked by calling DiffSize on the driver
+ func TestLayerSize(t *testing.T) {
++	testutil.RequiresRoot(t)
+ 	ls, _, cleanup := newTestStore(t)
+ 	defer cleanup()
+ 
+diff --git a/layer/migration_test.go b/layer/migration_test.go
+index 2b5c330..1cb6d0d 100644
+--- a/layer/migration_test.go
++++ b/layer/migration_test.go
+@@ -9,6 +9,7 @@ import (
+ 	"path/filepath"
+ 	"runtime"
+ 	"testing"
++	"github.com/docker/docker/testutil"
+ 
+ 	"github.com/docker/docker/daemon/graphdriver"
+ 	"github.com/docker/docker/pkg/stringid"
+@@ -41,6 +42,7 @@ func writeTarSplitFile(name string, tarContent []byte) error {
+ }
+ 
+ func TestLayerMigration(t *testing.T) {
++	testutil.RequiresRoot(t)
+ 	// TODO Windows: Figure out why this is failing
+ 	if runtime.GOOS == "windows" {
+ 		t.Skip("Failing on Windows")
+@@ -177,6 +179,7 @@ func tarFromFilesInGraph(graph graphdriver.Driver, graphID, parentID string, fil
+ }
+ 
+ func TestLayerMigrationNoTarsplit(t *testing.T) {
++	testutil.RequiresRoot(t)
+ 	// TODO Windows: Figure out why this is failing
+ 	if runtime.GOOS == "windows" {
+ 		t.Skip("Failing on Windows")
+diff --git a/layer/mount_test.go b/layer/mount_test.go
+index 3c868b2..c2ea782 100644
+--- a/layer/mount_test.go
++++ b/layer/mount_test.go
+@@ -5,6 +5,7 @@ import (
+ 	"runtime"
+ 	"sort"
+ 	"testing"
++	"github.com/docker/docker/testutil"
+ 
+ 	"github.com/containerd/continuity/driver"
+ 	"github.com/docker/docker/pkg/archive"
+@@ -12,6 +13,7 @@ import (
+ )
+ 
+ func TestMountInit(t *testing.T) {
++	testutil.RequiresRoot(t)
+ 	// TODO Windows: Figure out why this is failing
+ 	if runtime.GOOS == "windows" {
+ 		t.Skip("Failing on Windows")
+@@ -71,6 +73,7 @@ func TestMountInit(t *testing.T) {
+ }
+ 
+ func TestMountSize(t *testing.T) {
++	testutil.RequiresRoot(t)
+ 	// TODO Windows: Figure out why this is failing
+ 	if runtime.GOOS == "windows" {
+ 		t.Skip("Failing on Windows")
+@@ -120,6 +123,7 @@ func TestMountSize(t *testing.T) {
+ }
+ 
+ func TestMountChanges(t *testing.T) {
++	testutil.RequiresRoot(t)
+ 	// TODO Windows: Figure out why this is failing
+ 	if runtime.GOOS == "windows" {
+ 		t.Skip("Failing on Windows")
+-- 
+2.25.0.24.gbc7a3d4
+

base/docker/docker-20.10.4-Skip-get-source-mount.patch

@@ -0,0 +1,33 @@
+From a7a12b2fcec36a5d60e60f87dc6808bdf012f4d8 Mon Sep 17 00:00:00 2001
+From: Jamie Anderson <jamieand@amazon.com>
+Date: Thu, 11 Mar 2021 21:40:57 +0000
+Subject: [PATCH] Skip daemon/TestGetSourceMount in buildroot
+
+Signed-off-by: Jamie Anderson <jamieand@amazon.com>
+---
+ daemon/oci_linux_test.go | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/daemon/oci_linux_test.go b/daemon/oci_linux_test.go
+index 890875a..f814dbc 100644
+--- a/daemon/oci_linux_test.go
++++ b/daemon/oci_linux_test.go
+@@ -5,6 +5,7 @@ import (
+ 	"os"
+ 	"path/filepath"
+ 	"testing"
++	"github.com/docker/docker/testutil"
+ 
+ 	containertypes "github.com/docker/docker/api/types/container"
+ 	"github.com/docker/docker/container"
+@@ -180,6 +181,7 @@ func TestSysctlOverrideHost(t *testing.T) {
+ }
+ 
+ func TestGetSourceMount(t *testing.T) {
++	testutil.SkipIfBuildroot(t)
+ 	// must be able to find source mount for /
+ 	mnt, _, err := getSourceMount("/")
+ 	assert.NilError(t, err)
+-- 
+2.31.0.rc2
+

base/docker/docker-20.10.4-Skip-git-tests.patch

@@ -0,0 +1,35 @@
+From 41d73e0b128e30ea17f5e319906846a9da2fcdd5 Mon Sep 17 00:00:00 2001
+From: Jamie Anderson <jamieand@amazon.com>
+Date: Fri, 19 Mar 2021 18:34:30 +0000
+Subject: [PATCH] Skip git tests
+
+These tests fail in a buildroot because they try to talk to GitHub
+
+Signed-off-by: Jamie Anderson <jamieand@amazon.com>
+---
+ cli/command/image/build_test.go | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/cli/command/image/build_test.go b/cli/command/image/build_test.go
+index 4317a74..cef80a3 100644
+--- a/cli/command/image/build_test.go
++++ b/cli/command/image/build_test.go
+@@ -12,6 +12,7 @@ import (
+ 	"path/filepath"
+ 	"sort"
+ 	"testing"
++	"github.com/docker/cli/testutil"
+ 
+ 	"github.com/docker/cli/cli/streams"
+ 	"github.com/docker/cli/internal/test"
+@@ -126,6 +127,7 @@ COPY data /data
+ // TODO: test "context selection" logic directly when runBuild is refactored
+ // to support testing (ex: docker/cli#294)
+ func TestRunBuildFromGitHubSpecialCase(t *testing.T) {
++	testutil.SkipIfBuildroot(t)
+ 	defer env.Patch(t, "DOCKER_BUILDKIT", "0")()
+ 	cmd := NewBuildCommand(test.NewFakeCli(&fakeClient{}))
+ 	// Clone a small repo that exists so git doesn't prompt for credentials
+-- 
+2.31.0.rc2
+

base/docker/docker-20.10.4-Skip-mutating-vfs-tests.patch

@@ -0,0 +1,57 @@
+From 29304ba81dd3a600454c017d7720a608143d87a0 Mon Sep 17 00:00:00 2001
+From: Jamie Anderson <jamieand@amazon.com>
+Date: Tue, 2 Mar 2021 19:26:37 +0000
+Subject: [PATCH] Skip mutating vfs tests
+
+Signed-off-by: Jamie Anderson <jamieand@amazon.com>
+---
+ daemon/graphdriver/vfs/vfs_test.go | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/daemon/graphdriver/vfs/vfs_test.go b/daemon/graphdriver/vfs/vfs_test.go
+index 7c59ec3..9562959 100644
+--- a/daemon/graphdriver/vfs/vfs_test.go
++++ b/daemon/graphdriver/vfs/vfs_test.go
+@@ -4,6 +4,7 @@ package vfs // import "github.com/docker/docker/daemon/graphdriver/vfs"
+ 
+ import (
+ 	"testing"
++	"github.com/docker/docker/testutil"
+ 
+ 	"github.com/docker/docker/daemon/graphdriver/graphtest"
+ 
+@@ -17,25 +18,31 @@ func init() {
+ // This avoids creating a new driver for each test if all tests are run
+ // Make sure to put new tests between TestVfsSetup and TestVfsTeardown
+ func TestVfsSetup(t *testing.T) {
++	testutil.SkipIfBuildroot(t)
+ 	graphtest.GetDriver(t, "vfs")
+ }
+ 
+ func TestVfsCreateEmpty(t *testing.T) {
++	testutil.SkipIfBuildroot(t)
+ 	graphtest.DriverTestCreateEmpty(t, "vfs")
+ }
+ 
+ func TestVfsCreateBase(t *testing.T) {
++	testutil.SkipIfBuildroot(t)
+ 	graphtest.DriverTestCreateBase(t, "vfs")
+ }
+ 
+ func TestVfsCreateSnap(t *testing.T) {
++	testutil.SkipIfBuildroot(t)
+ 	graphtest.DriverTestCreateSnap(t, "vfs")
+ }
+ 
+ func TestVfsSetQuota(t *testing.T) {
++	testutil.SkipIfBuildroot(t)
+ 	graphtest.DriverTestSetQuota(t, "vfs", false)
+ }
+ 
+ func TestVfsTeardown(t *testing.T) {
++	testutil.SkipIfBuildroot(t)
+ 	graphtest.PutDriver(t)
+ }
+-- 
+2.25.0.24.gbc7a3d4
+

base/docker/docker-20.10.4-Skip-mutating-volume-local-tests.patch

@@ -0,0 +1,57 @@
+From cdaa60828f12a4e3f122e2120e57c6508456cb4d Mon Sep 17 00:00:00 2001
+From: Jamie Anderson <jamieand@amazon.com>
+Date: Wed, 3 Mar 2021 17:55:10 +0000
+Subject: [PATCH] Skip mutating volume/local tests
+
+Signed-off-by: Jamie Anderson <jamieand@amazon.com>
+---
+ volume/local/local_test.go | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/volume/local/local_test.go b/volume/local/local_test.go
+index 8045e87..12bc7d8 100644
+--- a/volume/local/local_test.go
++++ b/volume/local/local_test.go
+@@ -8,6 +8,7 @@ import (
+ 	"runtime"
+ 	"strings"
+ 	"testing"
++	"github.com/docker/docker/testutil"
+ 
+ 	"github.com/docker/docker/pkg/idtools"
+ 	"github.com/moby/sys/mountinfo"
+@@ -31,6 +32,7 @@ func TestGetAddress(t *testing.T) {
+ }
+ 
+ func TestRemove(t *testing.T) {
++	testutil.RequiresRoot(t)
+ 	skip.If(t, runtime.GOOS == "windows", "FIXME: investigate why this test fails on CI")
+	rootDir, err := os.MkdirTemp("", "local-volume-test")
+ 	if err != nil {
+@@ -74,6 +76,7 @@ func TestRemove(t *testing.T) {
+ }
+ 
+ func TestInitializeWithVolumes(t *testing.T) {
++	testutil.RequiresRoot(t)
+	rootDir, err := os.MkdirTemp("", "local-volume-test")
+ 	if err != nil {
+ 		t.Fatal(err)
+@@ -106,6 +109,7 @@ func TestInitializeWithVolumes(t *testing.T) {
+ }
+ 
+ func TestCreate(t *testing.T) {
++	testutil.RequiresRoot(t)
+	rootDir, err := os.MkdirTemp("", "local-volume-test")
+ 	if err != nil {
+ 		t.Fatal(err)
+@@ -277,6 +281,7 @@ func TestCreateWithOpts(t *testing.T) {
+ }
+ 
+ func TestRelaodNoOpts(t *testing.T) {
++	testutil.RequiresRoot(t)
+	rootDir, err := os.MkdirTemp("", "volume-test-reload-no-opts")
+ 	if err != nil {
+ 		t.Fatal(err)
+-- 
+2.25.0.24.gbc7a3d4
+

base/docker/docker-20.10.4-Skip-pkg-authorization-tests-that-create-sockets.patch

@@ -0,0 +1,49 @@
+From 56221d3508e4e82f4fc51c17836609eb031af670 Mon Sep 17 00:00:00 2001
+From: Jamie Anderson <jamieand@amazon.com>
+Date: Wed, 3 Mar 2021 18:19:29 +0000
+Subject: [PATCH] Skip pkg/authorization tests that create sockets
+
+Signed-off-by: Jamie Anderson <jamieand@amazon.com>
+---
+ pkg/authorization/authz_unix_test.go | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/pkg/authorization/authz_unix_test.go b/pkg/authorization/authz_unix_test.go
+index 9b48986..0ac5e92 100644
+--- a/pkg/authorization/authz_unix_test.go
++++ b/pkg/authorization/authz_unix_test.go
+@@ -17,6 +17,7 @@ import (
+ 	"reflect"
+ 	"strings"
+ 	"testing"
++	"github.com/docker/docker/testutil"
+ 
+ 	"github.com/docker/docker/pkg/plugins"
+ 	"github.com/docker/go-connections/tlsconfig"
+@@ -28,6 +29,7 @@ const (
+ )
+ 
+ func TestAuthZRequestPluginError(t *testing.T) {
++	testutil.RequiresRoot(t)
+ 	server := authZPluginTestServer{t: t}
+ 	server.start()
+ 	defer server.stop()
+@@ -59,6 +61,7 @@ func TestAuthZRequestPluginError(t *testing.T) {
+ }
+ 
+ func TestAuthZRequestPlugin(t *testing.T) {
++	testutil.RequiresRoot(t)
+ 	server := authZPluginTestServer{t: t}
+ 	server.start()
+ 	defer server.stop()
+@@ -91,6 +94,7 @@ func TestAuthZRequestPlugin(t *testing.T) {
+ }
+ 
+ func TestAuthZResponsePlugin(t *testing.T) {
++	testutil.RequiresRoot(t)
+ 	server := authZPluginTestServer{t: t}
+ 	server.start()
+ 	defer server.stop()
+-- 
+2.25.0.24.gbc7a3d4
+

base/docker/docker-20.10.4-Skip-pkg-idtools-tests-that-require-root.patch

@@ -0,0 +1,20 @@
+Index: docker-ce-17.11.0-ce/pkg/idtools/idtools_unix_test.go
+===================================================================
+--- docker-ce-17.11.0-ce.orig/pkg/idtools/idtools_unix_test.go
++++ docker-ce-17.11.0-ce/pkg/idtools/idtools_unix_test.go
+@@ -239,6 +239,7 @@ func delUser(t *testing.T, name string) 
+ }
+ 
+ func TestParseSubidFileWithNewlinesAndComments(t *testing.T) {
++	RequiresRoot(t)
+	tmpDir, err := os.MkdirTemp("", "parsesubid")
+ 	if err != nil {
+ 		t.Fatal(err)
+@@ -267,6 +268,7 @@ dockremap:231072:65536`
+ }
+ 
+ func TestGetRootUIDGID(t *testing.T) {
++	RequiresRoot(t)
+ 	uidMap := []IDMap{
+ 		{
+ 			ContainerID: 0,

base/docker/docker-20.10.4-Skip-pkg-sysinfo-tests-that-require-root.patch

@@ -0,0 +1,32 @@
+From 34f63b7d07c0a1c9a8986c896ebbdf6ae131629f Mon Sep 17 00:00:00 2001
+From: Jamie Anderson <jamieand@amazon.com>
+Date: Wed, 3 Mar 2021 17:45:43 +0000
+Subject: [PATCH] Skip pkg/sysinfo tests that require root
+
+Signed-off-by: Jamie Anderson <jamieand@amazon.com>
+---
+ pkg/sysinfo/sysinfo_linux_test.go | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/pkg/sysinfo/sysinfo_linux_test.go b/pkg/sysinfo/sysinfo_linux_test.go
+index aa557c9..ffb4b70 100644
+--- a/pkg/sysinfo/sysinfo_linux_test.go
++++ b/pkg/sysinfo/sysinfo_linux_test.go
+@@ -6,12 +6,14 @@ import (
+ 	"path"
+ 	"path/filepath"
+ 	"testing"
++	"github.com/docker/docker/testutil"
+ 
+ 	"golang.org/x/sys/unix"
+ 	"gotest.tools/v3/assert"
+ )
+ 
+ func TestReadProcBool(t *testing.T) {
++	testutil.RequiresRoot(t)
+	tmpDir, err := os.MkdirTemp("", "test-sysinfo-proc")
+ 	assert.NilError(t, err)
+ 	defer os.RemoveAll(tmpDir)
+-- 
+2.25.0.24.gbc7a3d4
+

base/docker/docker-20.10.4-Skip-quota-tests.patch

@@ -0,0 +1,33 @@
+From 6ff01f51e73537015d6ec9a182f6b740cea16e76 Mon Sep 17 00:00:00 2001
+From: Jamie Anderson <jamieand@amazon.com>
+Date: Thu, 4 Mar 2021 18:11:39 +0000
+Subject: [PATCH] Skip quota tests that try to manage block devices
+
+Signed-off-by: Jamie Anderson <jamieand@amazon.com>
+---
+ quota/projectquota_test.go | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/quota/projectquota_test.go b/quota/projectquota_test.go
+index 9bf5c29..4e1e9c2 100644
+--- a/quota/projectquota_test.go
++++ b/quota/projectquota_test.go
+@@ -8,6 +8,7 @@ import (
+ 	"os"
+ 	"path/filepath"
+ 	"testing"
++	"github.com/docker/docker/testutil"
+ 
+ 	"gotest.tools/v3/assert"
+ 	is "gotest.tools/v3/assert/cmp"
+@@ -17,6 +18,7 @@ import (
+ const testQuotaSize = 10 * 1024 * 1024
+ 
+ func TestBlockDev(t *testing.T) {
++	testutil.SkipIfBuildroot(t)
+ 	if msg, ok := CanTestQuota(); !ok {
+ 		t.Skip(msg)
+ 	}
+-- 
+2.25.0.24.gbc7a3d4
+

base/docker/docker-20.10.4-Skip-volume-store-tests.patch

@@ -0,0 +1,41 @@
+From de0a19b6da6b704d63e4c36586f120a6ee6b262a Mon Sep 17 00:00:00 2001
+From: Jamie Anderson <jamieand@amazon.com>
+Date: Wed, 10 Mar 2021 19:12:49 +0000
+Subject: [PATCH] Skip volume store tests that require root
+
+Signed-off-by: Jamie Anderson <jamieand@amazon.com>
+---
+ volume/service/store_test.go | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/volume/service/store_test.go b/volume/service/store_test.go
+index 5442f45..ef044d0 100644
+--- a/volume/service/store_test.go
++++ b/volume/service/store_test.go
+@@ -9,6 +9,7 @@ import (
+ 	"os"
+ 	"strings"
+ 	"testing"
++	"github.com/docker/docker/testutil"
+ 
+ 	"github.com/docker/docker/volume"
+ 	volumedrivers "github.com/docker/docker/volume/drivers"
+@@ -288,6 +289,7 @@ func TestDefererencePluginOnCreateError(t *testing.T) {
+ }
+ 
+ func TestRefDerefRemove(t *testing.T) {
++	testutil.RequiresRoot(t)
+ 	t.Parallel()
+ 
+ 	driverName := "test-ref-deref-remove"
+@@ -309,6 +311,7 @@ func TestRefDerefRemove(t *testing.T) {
+ }
+ 
+ func TestGet(t *testing.T) {
++	testutil.RequiresRoot(t)
+ 	t.Parallel()
+ 
+ 	driverName := "test-get"
+-- 
+2.31.0.rc2
+

base/docker/docker-20.10.4-fix-TestTarUntarWithXattr-failure-on-4.14+-kernel.patch

@@ -0,0 +1,22 @@
+diff --git a/pkg/archive/archive_unix_test.go b/pkg/archive/archive_unix_test.go
+index dc4e1fd..6fb8895 100644
+--- a/pkg/archive/archive_unix_test.go
++++ b/pkg/archive/archive_unix_test.go
+@@ -241,7 +241,7 @@ func TestTarUntarWithXattr(t *testing.T) {
+	err = os.WriteFile(filepath.Join(origin, "3"), []byte("will be ignored"), 0700)
+ 	assert.NilError(t, err)
+ 	// there is no known Go implementation of setcap/getcap with support for v3 file capability
+-	out, err := exec.Command("setcap", "cap_block_suspend+ep", filepath.Join(origin, "2")).CombinedOutput()
++	out, err := exec.Command("setcap", "cap_sys_nice+ep", filepath.Join(origin, "2")).CombinedOutput()
+ 	assert.NilError(t, err, string(out))
+ 
+ 	for _, c := range []Compression{
+@@ -262,7 +262,7 @@ func TestTarUntarWithXattr(t *testing.T) {
+ 		}
+ 		out, err := exec.Command("getcap", filepath.Join(origin, "2")).CombinedOutput()
+ 		assert.NilError(t, err, string(out))
+-		assert.Check(t, is.Contains(string(out), "cap_block_suspend=ep"), "untar should have kept the 'security.capability' xattr")
++		assert.Check(t, is.Contains(string(out), "cap_sys_nice+ep"), "untar should have kept the 'security.capability' xattr")
+ 	}
+ }
+ 

base/docker/docker-20.10.4-systemd-unit-runtimes.d.patch

@@ -0,0 +1,43 @@
+From 414e5fb4ca7f14fae5ff57c4fb1fd64b77e9b733 Mon Sep 17 00:00:00 2001
+From: Jamie Anderson <jamieand@amazon.com>
+Date: Fri, 12 Mar 2021 17:10:08 +0000
+Subject: [PATCH] Support /etc/docker-runtimes.d
+
+Reworked for docker 20.10.4
+Original patch message:
+  From 77efbceb6f074900c72855af903b63685803bc59 Mon Sep 17 00:00:00 2001
+  From: Jacob Vallejo <jakeev@amazon.com>
+  Date: Mon, 23 Sep 2019 15:58:38 -0700
+  Subject: [PATCH] Support /etc/docker-runtimes.d
+
+  Use additional configured runtimes by evaluating their configs and
+  subsequently providing any necessary configuration flags to the docker
+  daemon at startup.
+
+Signed-off-by: Jamie Anderson <jamieand@amazon.com>
+---
+ contrib/init/systemd/docker.service | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/contrib/init/systemd/docker.service b/contrib/init/systemd/docker.service
+index d76aee3..7e87245 100644
+--- a/contrib/init/systemd/docker.service
++++ b/contrib/init/systemd/docker.service
+@@ -9,10 +9,13 @@ Requires=docker.socket
+ Type=notify
+ EnvironmentFile=-/etc/sysconfig/docker
+ EnvironmentFile=-/etc/sysconfig/docker-storage
++EnvironmentFile=-/run/docker/runtimes.env
++ExecStartPre=/bin/mkdir -p /run/docker
++ExecStartPre=/usr/libexec/docker/docker-setup-runtimes.sh
+ # the default is not to use systemd for cgroups because the delegate issues still
+ # exists and systemd currently does not support the cgroup feature set required
+ # for containers run by docker
+-ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock $OPTIONS $DOCKER_STORAGE_OPTIONS
++ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock $OPTIONS $DOCKER_STORAGE_OPTIONS $DOCKER_ADD_RUNTIMES
+ ExecReload=/bin/kill -s HUP $MAINPID
+ LimitNOFILE=1048576
+ # Having non-zero Limit*s causes performance problems due to accounting overhead
+-- 
+2.31.0.rc2
+

base/docker/docker-20.10.4-systemd-unit-sysconfig.patch

@@ -0,0 +1,40 @@
+From 863e370fa7b6abffe839ba405b72f409116ad677 Mon Sep 17 00:00:00 2001
+From: Jamie Anderson <jamieand@amazon.com>
+Date: Wed, 10 Mar 2021 19:25:02 +0000
+Subject: [PATCH] Support the use of sysconfig envvars in unit
+
+Reworked for 20.10.4
+Original patch message:
+  From: Jacob Vallejo <jakeev@amazon.com>
+  Date: Mon, 23 Sep 2019 15:55:53 -0700
+  Subject: [PATCH] Support the use of sysconfig envvars in unit
+
+  Environment variables may be conventionally configured here and are
+  wired up into the startup of docker if they are provided.
+
+Signed-off-by: Jamie Anderson <jamieand@amazon.com>
+---
+ contrib/init/systemd/docker.service | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/contrib/init/systemd/docker.service b/contrib/init/systemd/docker.service
+index 5174631..a92685e 100644
+--- a/contrib/init/systemd/docker.service
++++ b/contrib/init/systemd/docker.service
+@@ -7,10 +7,12 @@ Requires=docker.socket
+ 
+ [Service]
+ Type=notify
++EnvironmentFile=-/etc/sysconfig/docker
++EnvironmentFile=-/etc/sysconfig/docker-storage
+ # the default is not to use systemd for cgroups because the delegate issues still
+ # exists and systemd currently does not support the cgroup feature set required
+ # for containers run by docker
+-ExecStart=/usr/bin/dockerd -H fd://
++ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock $OPTIONS $DOCKER_STORAGE_OPTIONS
+ ExecReload=/bin/kill -s HUP $MAINPID
+ LimitNOFILE=1048576
+ # Having non-zero Limit*s causes performance problems due to accounting overhead
+-- 
+2.31.0.rc2
+

base/docker/docker-20.10.4-sysvinit-add-storage-opts.patch

@@ -0,0 +1,29 @@
+Index: docker-20.10.4/contrib/init/sysvinit-redhat/docker
+===================================================================
+--- docker-20.10.4.orig/contrib/init/sysvinit-redhat/docker
++++ docker-20.10.4/contrib/init/sysvinit-redhat/docker
+@@ -30,6 +30,15 @@ lockfile="/var/lock/subsys/$prog"
+ logfile="/var/log/$prog"
+ 
+ [ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog
++[ -e /etc/sysconfig/${prog}-storage ] && . /etc/sysconfig/${prog}-storage
++
++# Additional start options for the Docker daemon can
++# be defined in the $OPTIONS variable in /etc/sysconfig/docker,
++# which is also the variable name referenced by the systemd unit.
++# If $OPTIONS is not defined, we set it to the value of $other_args,
++# which is the variable name expected by the upstream sysvinit script.
++OPTIONS="${OPTIONS:-${other_args}}"
++
+ 
+ prestart() {
+ 	service cgconfig status > /dev/null
+@@ -56,7 +65,7 @@ start() {
+ 		prestart
+ 		printf "Starting $prog:\t"
+ 		echo "\n$(date)\n" >> $logfile
+-		"$unshare" -m -- nohup $exec $other_args >> $logfile 2>&1 &
++		"$unshare" -m -- nohup $exec ${OPTIONS} ${DOCKER_STORAGE_OPTIONS} >> $logfile 2>&1 &
+ 		pid=$!
+ 		touch $lockfile
+ 		# wait up to 10 seconds for the pidfile to exist.  see

base/docker/docker-20.10.4-sysvinit-configurable-start-timeout.patch

@@ -0,0 +1,26 @@
+Index: docker-20.10.4/contrib/init/sysvinit-redhat/docker
+===================================================================
+--- docker-20.10.4.orig/contrib/init/sysvinit-redhat/docker
++++ docker-20.10.4/contrib/init/sysvinit-redhat/docker
+@@ -41,6 +41,9 @@ logfile="/var/log/$prog"
+ # which is the variable name expected by the upstream sysvinit script.
+ OPTIONS="${OPTIONS:-${other_args}}"
+ 
++# How many seconds to wait for the pidfile to appear after starting the daemon.
++# The default value from upstream is 10.
++DAEMON_PIDFILE_TIMEOUT="${DAEMON_PIDFILE_TIMEOUT:-10}"
+ 
+ prestart() {
+ 	service cgconfig status > /dev/null
+@@ -70,10 +73,8 @@ start() {
+ 		"$unshare" -m -- nohup $exec ${OPTIONS} ${DOCKER_STORAGE_OPTIONS} >> $logfile 2>&1 &
+ 		pid=$!
+ 		touch $lockfile
+-		# wait up to 10 seconds for the pidfile to exist.  see
+-		# https://github.com/docker/docker/issues/5359
+ 		tries=0
+-		while [ ! -f $pidfile -a $tries -lt 10 ]; do
++		while [ ! -f $pidfile -a $tries -lt ${DAEMON_PIDFILE_TIMEOUT} ]; do
+ 			sleep 1
+ 			tries=$((tries + 1))
+ 			echo -n '.'

base/docker/docker-20.10.4-sysvinit-increase-daemon-maxfiles.patch

@@ -0,0 +1,13 @@
+Index: docker-20.10.4/contrib/init/sysvinit-redhat/docker
+===================================================================
+--- docker-20.10.4.orig/contrib/init/sysvinit-redhat/docker
++++ docker-20.10.4/contrib/init/sysvinit-redhat/docker
+@@ -32,6 +32,8 @@ logfile="/var/log/$prog"
+ [ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog
+ [ -e /etc/sysconfig/${prog}-storage ] && . /etc/sysconfig/${prog}-storage
+ 
++[ -n "${DAEMON_MAXFILES}" ] && ulimit -n "${DAEMON_MAXFILES}"
++
+ # Additional start options for the Docker daemon can
+ # be defined in the $OPTIONS variable in /etc/sysconfig/docker,
+ # which is also the variable name referenced by the systemd unit.

base/docker/docker-20.10.4-sysvinit-stop-before-network.patch

@@ -0,0 +1,13 @@
+Index: docker-20.10.4/contrib/init/sysvinit-redhat/docker
+===================================================================
+--- docker-20.10.4.orig/contrib/init/sysvinit-redhat/docker
++++ docker-20.10.4/contrib/init/sysvinit-redhat/docker
+@@ -4,7 +4,7 @@
+ #
+ #       Daemon for docker.com
+ #
+-# chkconfig:   2345 95 95
++# chkconfig:   2345 95 05
+ # description: Daemon for docker.com
+ 
+ ### BEGIN INIT INFO

base/docker/docker-20.10.4-sysvinit-use-nohup.patch

@@ -0,0 +1,13 @@
+Index: docker-20.10.4/contrib/init/sysvinit-redhat/docker
+===================================================================
+--- docker-20.10.4.orig/contrib/init/sysvinit-redhat/docker
++++ docker-20.10.4/contrib/init/sysvinit-redhat/docker
+@@ -56,7 +56,7 @@ start() {
+ 		prestart
+ 		printf "Starting $prog:\t"
+ 		echo "\n$(date)\n" >> $logfile
+-		"$unshare" -m -- $exec $other_args >> $logfile 2>&1 &
++		"$unshare" -m -- nohup $exec $other_args >> $logfile 2>&1 &
+ 		pid=$!
+ 		touch $lockfile
+ 		# wait up to 10 seconds for the pidfile to exist.  see

base/docker/docker-20.10.7-Add-test-skip-helpers-to-cli.patch

@@ -0,0 +1,96 @@
+From f8f7e0d380488665cb77d8213d816bfdeeb7a252 Mon Sep 17 00:00:00 2001
+From: Jamie Anderson <jamieand@amazon.com>
+Date: Wed, 18 Aug 2021 22:33:15 +0000
+Subject: [PATCH] Add test skip helpers to cli/testutil
+
+Signed-off-by: Jamie Anderson <jamieand@amazon.com>
+---
+ testutil/helpers.go         | 14 ++++++++++++++
+ testutil/helpers_unix.go    | 34 ++++++++++++++++++++++++++++++++++
+ testutil/helpers_windows.go | 12 ++++++++++++
+ 3 files changed, 60 insertions(+)
+ create mode 100644 testutil/helpers.go
+ create mode 100644 testutil/helpers_unix.go
+ create mode 100644 testutil/helpers_windows.go
+
+diff --git a/testutil/helpers.go b/testutil/helpers.go
+new file mode 100644
+index 0000000..0eeff25
+--- /dev/null
++++ b/testutil/helpers.go
+@@ -0,0 +1,14 @@
++package testutil // import "github.com/docker/cli/testutil"
++
++import (
++	"flag"
++)
++
++// This variable and the init() function copied from
++// https://github.com/containerd/containerd/blob/master/pkg/testutil/helpers.go
++// Original Copyright The Containerd Authors.  Licensed under the Apache License, Version 2.0.
++var rootEnabled bool
++
++func init() {
++	flag.BoolVar(&rootEnabled, "test.root", false, "enable tests that require root")
++}
+diff --git a/testutil/helpers_unix.go b/testutil/helpers_unix.go
+new file mode 100644
+index 0000000..c846775
+--- /dev/null
++++ b/testutil/helpers_unix.go
+@@ -0,0 +1,34 @@
++// +build !windows
++
++package testutil
++
++import (
++	"os"
++	"testing"
++
++	"gotest.tools/v3/assert"
++)
++
++// This function was copied from
++// https://github.com/containerd/containerd/blob/master/pkg/testutil/helpers_unix.go
++// Original Copyright The Containerd Authors.  Licensed under the Apache License, Version 2.0.
++// RequiresRoot skips tests that require root, unless the test.root flag has
++// been set
++func RequiresRoot(t testing.TB) {
++	if !rootEnabled {
++		t.Skip("skipping test that requires root")
++	}
++	assert.Equal(t, 0, os.Getuid(), "This test must be run as root.")
++}
++
++// This function is adapted from a previous patch applied by Amazon
++// The existence of /.initialized or /builddir is a marker that we're in a build chroot
++// Tests that perform filesystem operations, generate non-localhost network traffic,
++// and possibly other things, are likely to not work correctly
++func SkipIfBuildroot(t testing.TB) {
++	if _, err := os.Stat("/.initialized"); err == nil {
++		t.Skip("not appropriate for a buildroot environment")
++	} else if _, err := os.Stat("/builddir"); err == nil {
++		t.Skip("not appropriate for a buildroot environment")
++	}
++}
+diff --git a/testutil/helpers_windows.go b/testutil/helpers_windows.go
+new file mode 100644
+index 0000000..aefeca0
+--- /dev/null
++++ b/testutil/helpers_windows.go
+@@ -0,0 +1,12 @@
++// +build windows
++
++package testutil
++
++import "testing"
++
++func RequiresRoot(t testing.TB) {
++}
++
++func SkipIfBuildroot(t testing.TB) {
++}
++
+-- 
+2.31.0.rc2
+

base/docker/docker-20.10.7-Add-test-skip-helpers-to-testutil.patch

@@ -0,0 +1,99 @@
+From 021e33a5b2c3384243e3ae76444bb90006214f5a Mon Sep 17 00:00:00 2001
+From: Jamie Anderson <jamieand@amazon.com>
+Date: Wed, 18 Aug 2021 22:17:52 +0000
+Subject: [PATCH] Add test skip helpers to testutil
+
+Signed-off-by: Jamie Anderson <jamieand@amazon.com>
+---
+ testutil/helpers.go         | 10 ++++++++++
+ testutil/helpers_unix.go    | 34 ++++++++++++++++++++++++++++++++++
+ testutil/helpers_windows.go | 12 ++++++++++++
+ 3 files changed, 56 insertions(+)
+ create mode 100644 testutil/helpers_unix.go
+ create mode 100644 testutil/helpers_windows.go
+
+diff --git a/testutil/helpers.go b/testutil/helpers.go
+index e522b5a..6de9de5 100644
+--- a/testutil/helpers.go
++++ b/testutil/helpers.go
+@@ -1,9 +1,19 @@
+ package testutil // import "github.com/docker/docker/testutil"
+ 
+ import (
++	"flag"
+ 	"io"
+ )
+ 
++// This variable and the init() function copied from
++// https://github.com/containerd/containerd/blob/master/pkg/testutil/helpers.go
++// Original Copyright The Containerd Authors.  Licensed under the Apache License, Version 2.0.
++var rootEnabled bool
++
++func init() {
++	flag.BoolVar(&rootEnabled, "test.root", false, "enable tests that require root")
++}
++
+ // DevZero acts like /dev/zero but in an OS-independent fashion.
+ var DevZero io.Reader = devZero{}
+ 
+diff --git a/testutil/helpers_unix.go b/testutil/helpers_unix.go
+new file mode 100644
+index 0000000..c846775
+--- /dev/null
++++ b/testutil/helpers_unix.go
+@@ -0,0 +1,34 @@
++// +build !windows
++
++package testutil
++
++import (
++	"os"
++	"testing"
++
++	"gotest.tools/v3/assert"
++)
++
++// This function was copied from
++// https://github.com/containerd/containerd/blob/master/pkg/testutil/helpers_unix.go
++// Original Copyright The Containerd Authors.  Licensed under the Apache License, Version 2.0.
++// RequiresRoot skips tests that require root, unless the test.root flag has
++// been set
++func RequiresRoot(t testing.TB) {
++	if !rootEnabled {
++		t.Skip("skipping test that requires root")
++	}
++	assert.Equal(t, 0, os.Getuid(), "This test must be run as root.")
++}
++
++// This function is adapted from a previous patch applied by Amazon
++// The existence of /.initialized or /builddir is a marker that we're in a build chroot
++// Tests that perform filesystem operations, generate non-localhost network traffic,
++// and possibly other things, are likely to not work correctly
++func SkipIfBuildroot(t testing.TB) {
++	if _, err := os.Stat("/.initialized"); err == nil {
++		t.Skip("not appropriate for a buildroot environment")
++	} else if _, err := os.Stat("/builddir"); err == nil {
++		t.Skip("not appropriate for a buildroot environment")
++	}
++}
+diff --git a/testutil/helpers_windows.go b/testutil/helpers_windows.go
+new file mode 100644
+index 0000000..aefeca0
+--- /dev/null
++++ b/testutil/helpers_windows.go
+@@ -0,0 +1,12 @@
++// +build windows
++
++package testutil
++
++import "testing"
++
++func RequiresRoot(t testing.TB) {
++}
++
++func SkipIfBuildroot(t testing.TB) {
++}
++
+-- 
+2.31.0.rc2
+

base/docker/docker-20.10.7-Skip-overlay-tar-untar-test.patch

@@ -0,0 +1,41 @@
+From fc8490a29aa87f81ad4a58c5b759317acb77876e Mon Sep 17 00:00:00 2001
+From: Jamie Anderson <jamieand@amazon.com>
+Date: Mon, 16 Aug 2021 17:21:38 +0000
+Subject: [PATCH] Skip overlay/tar/untar test
+
+Signed-off-by: Jamie Anderson <jamieand@amazon.com>
+---
+ pkg/archive/archive_linux_test.go | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/pkg/archive/archive_linux_test.go b/pkg/archive/archive_linux_test.go
+index 800fda6..08a196b 100644
+--- a/pkg/archive/archive_linux_test.go
++++ b/pkg/archive/archive_linux_test.go
+@@ -9,6 +9,7 @@ import (
+ 
+ 	"github.com/containerd/containerd/sys"
+ 	"github.com/docker/docker/pkg/system"
++	"github.com/docker/docker/testutil"
+ 	"golang.org/x/sys/unix"
+ 	"gotest.tools/v3/assert"
+ 	"gotest.tools/v3/skip"
+@@ -87,6 +88,7 @@ func checkFileMode(t *testing.T, path string, perm os.FileMode) {
+ }
+ 
+ func TestOverlayTarUntar(t *testing.T) {
++	testutil.RequiresRoot(t)
+ 	oldmask, err := system.Umask(0)
+ 	assert.NilError(t, err)
+ 	defer system.Umask(oldmask)
+@@ -126,6 +128,7 @@ func TestOverlayTarUntar(t *testing.T) {
+ }
+ 
+ func TestOverlayTarAUFSUntar(t *testing.T) {
++	testutil.RequiresRoot(t)
+ 	oldmask, err := system.Umask(0)
+ 	assert.NilError(t, err)
+ 	defer system.Umask(oldmask)
+-- 
+2.31.0.rc2
+

base/docker/docker-20.10.7-Skip-pkg-archive-tests-that-require-root.patch

@@ -0,0 +1,33 @@
+From d099d78e4ac135ff2fcf24e08ad7573067b37a5a Mon Sep 17 00:00:00 2001
+From: Jamie Anderson <jamieand@amazon.com>
+Date: Mon, 16 Aug 2021 17:31:32 +0000
+Subject: [PATCH] Skip pkg/archive tests that require root
+
+Signed-off-by: Jamie Anderson <jamieand@amazon.com>
+---
+ pkg/archive/changes_test.go | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/pkg/archive/changes_test.go b/pkg/archive/changes_test.go
+index 0a2689d..490af6d 100644
+--- a/pkg/archive/changes_test.go
++++ b/pkg/archive/changes_test.go
+@@ -13,6 +13,7 @@ import (
+ 	"time"
+ 
+ 	"github.com/docker/docker/pkg/system"
++	"github.com/docker/docker/testutil"
+ 	"gotest.tools/v3/assert"
+ 	"gotest.tools/v3/skip"
+ )
+@@ -187,6 +188,7 @@ func TestChangesWithChanges(t *testing.T) {
+ 
+ // See https://github.com/docker/docker/pull/13590
+ func TestChangesWithChangesGH13590(t *testing.T) {
++	testutil.RequiresRoot(t)
+ 	// TODO Windows. Needs further investigation to identify the failure
+ 	if runtime.GOOS == "windows" {
+ 		t.Skip("needs more investigation")
+-- 
+2.31.0.rc2
+

base/docker/docker-setup-runtimes.sh

@@ -0,0 +1,8 @@
+#!/bin/sh
+{
+    echo -n "DOCKER_ADD_RUNTIMES=\""
+    for file in /etc/docker-runtimes.d/*; do
+        [ -f "$file" ] && [ -x "$file" ] && echo -n "--add-runtime $(basename "$file")=$file "
+    done
+    echo "\""
+} > /run/docker/runtimes.env

base/docker/docker-storage.sysconfig

@@ -0,0 +1,14 @@
+# This file may be automatically generated by an installation program.
+
+# By default, Docker uses a loopback-mounted sparse file in
+# /var/lib/docker.  The loopback makes it slower, and there are some
+# restrictive defaults, such as 100GB max storage.
+
+# If your installation did not set a custom storage for Docker, you
+# may do it below.
+
+# Example: Use a custom pair of raw logical volumes (one for metadata,
+# one for data).
+# DOCKER_STORAGE_OPTIONS="--storage-opt dm.metadatadev=/dev/myvg/my-docker-metadata --storage-opt dm.datadev=/dev/myvg/my-docker-data"
+
+DOCKER_STORAGE_OPTIONS=

base/docker/docker.sysconfig

@@ -0,0 +1,13 @@
+# The max number of open files for the daemon itself, and all
+# running containers.  The default value of 1048576 mirrors the value
+# used by the systemd service unit.
+DAEMON_MAXFILES=1048576
+
+# Additional startup options for the Docker daemon, for example:
+# OPTIONS="--ip-forward=true --iptables=true"
+# By default we limit the number of open files per container
+OPTIONS="--default-ulimit nofile=32768:65536"
+
+# How many seconds the sysvinit script waits for the pidfile to appear
+# when starting the daemon.
+DAEMON_PIDFILE_TIMEOUT=10

base/docker/no-private-mnt-namespace.patch

@@ -0,0 +1,13 @@
+Index: docker-20.10.4/contrib/init/sysvinit-redhat/docker
+===================================================================
+--- docker-20.10.4.orig/contrib/init/sysvinit-redhat/docker
++++ docker-20.10.4/contrib/init/sysvinit-redhat/docker
+@@ -70,7 +70,7 @@ start() {
+ 		prestart
+ 		printf "Starting $prog:\t"
+ 		echo "\n$(date)\n" >> $logfile
+-		"$unshare" -m -- nohup $exec ${OPTIONS} ${DOCKER_STORAGE_OPTIONS} >> $logfile 2>&1 &
++		nohup $exec ${OPTIONS} ${DOCKER_STORAGE_OPTIONS} >> $logfile 2>&1 &
+ 		pid=$!
+ 		touch $lockfile
+ 		tries=0

base/docker/runc-allow-git-sha-override.patch

@@ -0,0 +1,19 @@
+Index: docker-ce-17.11.0-ce/components/engine/runc-69663f0bd4b60df09991c08812a60108003fa340/Makefile
+===================================================================
+--- docker-ce-17.11.0-ce.orig/components/engine/runc-69663f0bd4b60df09991c08812a60108003fa340/Makefile
++++ docker-ce-17.11.0-ce/components/engine/runc-69663f0bd4b60df09991c08812a60108003fa340/Makefile
+@@ -12,8 +12,12 @@ GIT_BRANCH_CLEAN := $(shell echo $(GIT_B
+ RUNC_IMAGE := runc_dev$(if $(GIT_BRANCH_CLEAN),:$(GIT_BRANCH_CLEAN))
+ PROJECT := github.com/opencontainers/runc
+ BUILDTAGS := seccomp
+-COMMIT_NO := $(shell git rev-parse HEAD 2> /dev/null || true)
+-COMMIT := $(if $(shell git status --porcelain --untracked-files=no),"${COMMIT_NO}-dirty","${COMMIT_NO}")
++ifeq ($(GIT_COMMIT_OVERRIDE),)
++	COMMIT_NO := $(shell git rev-parse HEAD 2> /dev/null || true)
++	COMMIT := $(if $(shell git status --porcelain --untracked-files=no),"${COMMIT_NO}-dirty","${COMMIT_NO}")
++else
++	COMMIT := $(GIT_COMMIT_OVERRIDE)
++endif
+ 
+ MAN_DIR := $(CURDIR)/man/man8
+ MAN_PAGES = $(shell ls $(MAN_DIR)/*.8)

base/docker/tini-allow-git-sha-override.patch

@@ -0,0 +1,55 @@
+Index: tini/CMakeLists.txt
+===================================================================
+--- a/tini/CMakeLists.txt
++++ b/tini/CMakeLists.txt
+@@ -13,27 +13,32 @@ if(MINIMAL)
+ 	add_definitions(-DTINI_MINIMAL=1)
+ endif()
+ 
+-# Extract git version and dirty-ness
+-execute_process (
+-  COMMAND git --git-dir "${PROJECT_SOURCE_DIR}/.git" --work-tree "${PROJECT_SOURCE_DIR}" log -n 1 --date=local --pretty=format:%h
+-  WORKING_DIRECTORY "${PROJECT_SOURCE_DIR}"
+-  RESULT_VARIABLE git_version_check_ret
+-  OUTPUT_VARIABLE tini_VERSION_GIT
+-)
+-
+-execute_process(
+-  COMMAND git --git-dir "${PROJECT_SOURCE_DIR}/.git" --work-tree "${PROJECT_SOURCE_DIR}" status --porcelain --untracked-files=no
+-  WORKING_DIRECTORY "${PROJECT_SOURCE_DIR}"
+-  OUTPUT_VARIABLE git_dirty_check_out
+-)
++if("$ENV{GIT_COMMIT_OVERRIDE}" EQUAL "")
+ 
+-if("${git_version_check_ret}" EQUAL 0)
+-  set(tini_VERSION_GIT " - git.${tini_VERSION_GIT}")
+-  if(NOT "${git_dirty_check_out}" STREQUAL "")
+-    set(tini_VERSION_GIT "${tini_VERSION_GIT}-dirty")
++  # Extract git version and dirty-ness
++  execute_process (
++    COMMAND git --git-dir "${PROJECT_SOURCE_DIR}/.git" --work-tree "${PROJECT_SOURCE_DIR}" log -n 1 --date=local --pretty=format:%h
++    WORKING_DIRECTORY "${PROJECT_SOURCE_DIR}"
++    RESULT_VARIABLE git_version_check_ret
++    OUTPUT_VARIABLE tini_VERSION_GIT
++  )
++
++  execute_process(
++    COMMAND git --git-dir "${PROJECT_SOURCE_DIR}/.git" --work-tree "${PROJECT_SOURCE_DIR}" status --porcelain --untracked-files=no
++    WORKING_DIRECTORY "${PROJECT_SOURCE_DIR}"
++    OUTPUT_VARIABLE git_dirty_check_out
++  )
++
++  if("${git_version_check_ret}" EQUAL 0)
++    set(tini_VERSION_GIT " - git.${tini_VERSION_GIT}")
++    if(NOT "${git_dirty_check_out}" STREQUAL "")
++      set(tini_VERSION_GIT "${tini_VERSION_GIT}-dirty")
++    endif()
++  else()
++    set(tini_VERSION_GIT "")
+   endif()
+ else()
+-  set(tini_VERSION_GIT "")
++  set(tini_VERSION_GIT " - git.$ENV{GIT_COMMIT_OVERRIDE}")
+ endif()
+ 
+ # Flags

base/libseccomp/libseccomp.spec

@@ -0,0 +1,248 @@
+Name:           libseccomp
+Version:        2.5.3
+Release:        1%{?dist}
+Summary:        Enhanced seccomp library
+License:        LGPLv2
+URL:            https://github.com/seccomp/libseccomp
+Source0:        %{url}/releases/download/v%{version}/%{name}-%{version}.tar.gz
+
+BuildRequires:  gcc
+BuildRequires:  gperf
+BuildRequires:  make
+
+%ifnarch riscv64 s390
+# Versions prior to 3.13.0-4 do not work on ARM with newer glibc 2.25.0-6
+# See https://bugzilla.redhat.com/show_bug.cgi?id=1466017
+BuildRequires:  valgrind >= 1:3.13.0-4
+%endif
+
+%description
+The libseccomp library provides an easy to use interface to the Linux Kernel's
+syscall filtering mechanism, seccomp.  The libseccomp API allows an application
+to specify which syscalls, and optionally which syscall arguments, the
+application is allowed to execute, all of which are enforced by the Linux
+Kernel.
+
+%package devel
+Summary:        Development files used to build applications with libseccomp support
+Requires:       %{name}%{?_isa} = %{version}-%{release}
+
+%description devel
+The libseccomp library provides an easy to use interface to the Linux Kernel's
+syscall filtering mechanism, seccomp.  The libseccomp API allows an application
+to specify which syscalls, and optionally which syscall arguments, the
+application is allowed to execute, all of which are enforced by the Linux
+Kernel.
+
+%package static
+Summary:        Enhanced seccomp static library
+Requires:       %{name}-devel%{?_isa} = %{version}-%{release}
+
+%description static
+The libseccomp library provides an easy to use interface to the Linux Kernel's
+syscall filtering mechanism, seccomp.  The libseccomp API allows an application
+to specify which syscalls, and optionally which syscall arguments, the
+application is allowed to execute, all of which are enforced by the Linux
+Kernel.
+
+%prep
+%autosetup -p1
+
+%build
+%configure
+%make_build
+
+%install
+mkdir -p %{buildroot}/%{_libdir}
+mkdir -p %{buildroot}/%{_includedir}
+mkdir -p %{buildroot}/%{_mandir}
+
+%make_install
+
+rm -f %{buildroot}/%{_libdir}/libseccomp.la
+
+%check
+%make_build check
+
+
+%files
+%license LICENSE
+%doc CREDITS README.md CHANGELOG CONTRIBUTING.md
+%{_libdir}/libseccomp.so.*
+
+%files devel
+%{_includedir}/seccomp.h
+%{_includedir}/seccomp-syscalls.h
+%{_libdir}/libseccomp.so
+%{_libdir}/pkgconfig/libseccomp.pc
+%{_bindir}/scmp_sys_resolver
+%{_mandir}/man1/*
+%{_mandir}/man3/*
+
+%files static
+%{_libdir}/libseccomp.a
+
+%changelog
+* Wed Feb 01 2023 Stewart Smith <trawets@amazon.com> - 2.5.3-1.amzn2023.0.2
+- Mass rebuild for AL2023
+
+* Sat Oct 01 2022 Stewart Smith <trawets@amazon.com> - 2.5.3-1.amzn2022.0.1
+- AL2022 pre-GA mass rebuild
+
+* Sat Nov 06 2021 Neal Gompa <ngompa@fedoraproject.org> - 2.5.3-1
+- New upstream version (#2020824)
+
+* Wed Nov 03 2021 Debarshi Ray <rishi@fedoraproject.org> - 2.5.2-1
+- New upstream version (#1900097)
+
+* Wed Nov 03 2021 Debarshi Ray <rishi@fedoraproject.org> - 2.5.1-1
+- New upstream version (#1900097)
+
+* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Wed Aug 05 2020 Neal Gompa <ngompa13@gmail.com> - 2.5.0-3
+- Apply fixes to change internal handling of the notification fd (#1865802)
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Fri Jul 24 2020 Neal Gompa <ngompa13@gmail.com> - 2.5.0-1
+- New upstream version (#1858965)
+
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Mon Dec 16 2019 Neal Gompa <ngompa13@gmail.com> - 2.4.2-2
+- Modernize spec
+- Backport fix for missing __SNR_ppoll symbol (#1777889)
+- Refresh patch to build on aarch64 with upstream version
+
+* Wed Nov 20 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 2.4.2-1
+- New upstream version (#1765314)
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.1-1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Wed Apr 17 2019 Paul Moore <paul@paul-moore.com> - 2.4.1-0
+- New upstream version
+
+* Thu Mar 14 2019 Paul Moore <paul@paul-moore.com> - 2.4.0-0
+- New upstream version
+- Added a hack to workaround test failures (see %%check above)
+
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.3-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Wed Nov 07 2018 Paul Moore <paul@paul-moore.com> - 2.3.3-4
+- Remove ldconfig scriptlet, thanks to James Antill (RHBZ #1644074)
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Wed Jan 10 2018 Paul Moore <pmoore@redhat.com> - 2.3.3-1
+- New upstream version
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.2-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.2-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Thu Jun 29 2017 Stephen Gallagher <sgallagh@redhat.com> - 2.3.2-3
+- Re-enable valgrind-based tests on ARMv7
+
+* Thu Jun 29 2017 Stephen Gallagher <sgallagh@redhat.com> - 2.3.2-2
+- Disable running valgrind-based tests on ARMv7 due to glibc/valgrind bug (RHBZ #1466017)
+
+* Wed Mar 01 2017 Paul Moore <pmoore@redhat.com> -2.3.2-1
+- New upstream version
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Wed Apr 20 2016 Paul Moore <pmoore@redhat.com> - 2.3.1-1
+- Cleanup the changelog whitespace and escape the macros to make rpmlint happy
+
+* Wed Apr 20 2016 Paul Moore <pmoore@redhat.com> - 2.3.1-0
+- New upstream version
+
+* Tue Mar  1 2016 Peter Robinson <pbrobinson@fedoraproject.org> 2.3.0-1
+- No valgrind on s390
+
+* Mon Feb 29 2016 Paul Moore <pmoore@redhat.com> - 2.3.0-0
+- New upstream version
+
+* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.3-1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Wed Jul 08 2015 Paul Moore <pmoore@redhat.com> - 2.2.3-0
+- New upstream version
+
+* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.2.1-1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Wed May 13 2015 Paul Moore <pmoore@redhat.com> - 2.2.1-0
+- New upstream version
+
+* Thu Feb 12 2015 Paul Moore <pmoore@redhat.com> - 2.2.0-0
+- New upstream version
+- Added aarch64 support
+- Added a static build
+
+* Thu Sep 18 2014 Paul Moore <pmoore@redhat.com> - 2.1.1-6
+- Fully builds on i686, x86_64, and armv7hl (RHBZ #1106071)
+
+* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.1-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Fri Jul 18 2014 Tom Callaway <spot@fedoraproject.org> - 2.1.1-4
+- fix license handling
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Thu Feb 27 2014 Paul Moore <pmoore@redhat.com> - 2.1.1-2
+- Build with CFLAGS="${optflags}"
+
+* Mon Feb 17 2014 Paul Moore <pmoore@redhat.com> - 2.1.1-1
+- Removed the kernel dependency (RHBZ #1065572)
+
+* Thu Oct 31 2013 Paul Moore <pmoore@redhat.com> - 2.1.1-0
+- New upstream version
+- Added a %%check procedure for self-test during build
+
+* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.0-1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Tue Jun 11 2013 Paul Moore <pmoore@redhat.com> - 2.1.0-0
+- New upstream version
+- Added support for the ARM architecture
+- Added the scmp_sys_resolver tool
+
+* Mon Jan 28 2013 Paul Moore <pmoore@redhat.com> - 2.0.0-0
+- New upstream version
+
+* Tue Nov 13 2012 Paul Moore <pmoore@redhat.com> - 1.0.1-0
+- New upstream version with several important fixes
+
+* Tue Jul 31 2012 Paul Moore <pmoore@redhat.com> - 1.0.0-0
+- New upstream version
+- Remove verbose build patch as it is no longer needed
+- Enable _smp_mflags during build stage
+
+* Thu Jul 19 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.1.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Tue Jul 10 2012 Paul Moore <pmoore@redhat.com> - 0.1.0-1
+- Limit package to x86/x86_64 platforms (RHBZ #837888)
+
+* Tue Jun 12 2012 Paul Moore <pmoore@redhat.com> - 0.1.0-0
+- Initial version
+