Import Debian changes 20.10.16-ok1

docker.io (20.10.16-ok1) yangtze; urgency=medium

  * Initial release.

debian/NEWS

@@ -0,0 +1,41 @@
+docker.io (20.10.2-0ubuntu2) hirsute; urgency=medium
+
+  As of version 20.10.2-0ubuntu2, upgrading the docker.io package will fail if
+  any containers are still using AUFS. It will be necessary to take some
+  measures to move existing containers away from aufs and delete the directory
+  /var/lib/docker/aufs before upgrading can succeed. See the previous NEWS
+  entry for instructions on moving away from AUFS.
+
+  Note: Option 3 from the previous NEWS entry is no longer going to be a valid
+        option moving forward. Users will have to either migrate their
+        containers to a supported storage driver or maintain their own kernel
+        builds with AUFS support.
+
+ -- William 'jawn-smith' Wilson <william.wilson@canonical.com>  Wed, 24 Feb 2021 16:06:03 -0600
+
+docker.io (1.8.3~ds1-3) unstable; urgency=medium
+
+  As of src:linux 4.0+ (specifically, >= 3.18-1~exp1), AUFS support is no longer
+  included in official Debian-compiled kernels.  What this means to Docker users
+  is that if your existing images are stored within the "AUFS" graph driver that
+  once you update your kernel, your images (and containers) will become
+  inaccessible (due to the kernel not having the necessary aufs modules to mount
+  them).  To recover from this, there are a couple options (detailed below).
+
+  1. Use the included nuke script to blow away your existing "/var/lib/docker"
+     contents and start fresh with Linux 4.0+:
+
+       service docker stop
+       /usr/share/docker.io/contrib/nuke-graph-directory.sh /var/lib/docker
+       service docker start
+
+  2. Use "docker save" (see "docker help save" for usage) before booting 4.0+ to
+     preserve your images on-disk as tar files, then follow the nuke step from
+     the previous option followed by using "docker load" to re-load your images.
+
+  3. Update to src:linux >= 4.1.1-1~exp1 ("aufs: Apply patches to enable
+     building aufs out-of-tree"), and then compile the aufs modules out-of-tree
+     (a package for doing this module compilation automatically doesn't yet
+     exist at the time of this writing, but might in the future).
+
+ -- Tianon Gravi <tianon@debian.org>  Tue, 01 Dec 2015 01:02:44 -0800

debian/README.Debian

@@ -0,0 +1,47 @@
+Docker on Debian
+================
+
+To enable docker memory limitation, the kernel needs to be loaded with
+boot parameters: cgroup_enable=memory swapaccount=1.
+
+This is because enabling memory cgroup support has some run-time overhead,
+and kernel maintainers don't want to slow down systems unnecessarily.
+
+http://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg764104.html
+https://github.com/docker/docker/issues/396
+
+To instruct the kernel to enable memory cgroup support, edit
+/etc/default/grub and extend GRUB_CMDLINE_LINUX_DEFAULT like:
+
+GRUB_CMDLINE_LINUX_DEFAULT="cgroup_enable=memory swapaccount=1"
+
+Then run update-grub, and reboot.
+
+
+It's worth pointing out that upstream maintains a "check-config.sh" script for
+verifying not only proper kernel configuration (which isn't terribly relevant in
+the Debian context), but also the host system configuration, especially and
+including whether a properly mounted cgroup hierarchy can be found.  If you're
+using cgroupfs-mount or systemd, chances are very high that you have one, but if
+not, you're likely to see strange behavior.
+
+In the docker.io package, one can find the "check-config.sh" script under
+"/usr/share/docker.io/contrib/check-config.sh", which when run (does NOT require
+root/sudo) will report on problems with your installation/configuration.
+
+
+As noted in the upstream documentation (https://docs.docker.io), Docker will
+allow non-root users in the "docker" group to access "docker.sock" and thus
+communicate with the daemon.  To add yourself to the "docker" group, use
+something like:
+
+adduser YOURUSER docker
+
+As also noted in the upstream documentation, the "docker" group (and any other
+means of accessing the Docker API) is root-equivalent.  If you don't trust a
+user with root on your box, you shouldn't trust them with Docker either.
+If you are interested in further information about the security aspects of
+Docker, please be sure to read the "Docker Security" article in the
+upstream documentation:
+
+    https://docs.docker.com/engine/security/security/

debian/changelog

@@ -0,0 +1,5 @@
+docker.io (20.10.16-ok1) yangtze; urgency=medium
+
+  * Initial release.
+
+ -- Luoyaoming <luoyaoming@kylinos.cn>  Fri, 16 Dec 2022 10:05:31 +0800

debian/clean

@@ -0,0 +1,8 @@
+.gocache/
+.gopath/
+cli/build/
+cli/man/man*/
+engine/bundles/
+engine/dockerversion/*_autogen*.go
+libnetwork/docker-proxy
+tini/build/

debian/compat

@@ -0,0 +1 @@
+11

debian/control

@@ -0,0 +1,127 @@
+Source: docker.io
+Section: admin
+Priority: optional
+Maintainer: Openkylin Developers <packaging@lists.openkylin.top>
+XSBC-Original-Maintainer: Paul Tagliamonte <paultag@debian.org>
+Uploaders: Openkylin Developers <packaging@lists.openkylin.top>
+Build-Conflicts: golang-github-docker-docker-dev
+Build-Depends: bash-completion,
+               ca-certificates,
+               cmake,
+               debconf (>= 0.5),
+               debhelper (>= 11),
+               dh-apparmor,
+               dh-exec,
+               dh-golang,
+               git,
+               golang-go,
+               libapparmor-dev,
+               libbtrfs-dev | btrfs-progs (<< 4.16.1~),
+               libdevmapper-dev (>= 2:1.02.68~),
+               libltdl-dev,
+               libseccomp-dev,
+               libsystemd-dev (>= 209~),
+               pkg-config,
+               procps,
+               tzdata
+Standards-Version: 3.9.8
+Homepage: https://www.docker.com/community-edition
+Vcs-Git: https://gitee.com/openkylin/docker.io.git
+Vcs-Browser: https://gitee.com/openkylin/docker.io
+XS-Go-Import-Path: github.com/docker/docker
+
+Package: docker.io
+Architecture: amd64 arm64 armhf i386 ppc64el riscv64 s390x
+Depends: adduser,
+         containerd (>= 1.2.6-0),
+         iptables,
+         ${misc:Depends},
+         ${shlibs:Depends}
+Recommends: ca-certificates,
+            git,
+            pigz,
+            ubuntu-fan,
+            xz-utils,
+            ${apparmor:Recommends}
+Replaces: docker (<< 1.5~)
+Breaks: docker (<< 1.5~)
+Suggests: aufs-tools,
+          btrfs-progs,
+          cgroupfs-mount | cgroup-lite,
+          debootstrap,
+          docker-doc,
+          rinse,
+          zfs-fuse | zfsutils
+Built-Using: ${libc:Built-Using}, ${misc:Built-Using}
+Description: Linux container runtime
+ Docker complements kernel namespacing with a high-level API which operates at
+ the process level. It runs unix processes with strong guarantees of isolation
+ and repeatability across servers.
+ .
+ Docker is a great building block for automating distributed systems:
+ large-scale web deployments, database clusters, continuous deployment systems,
+ private PaaS, service-oriented architectures, etc.
+ .
+ This package contains the daemon and client. Using docker.io on non-amd64 hosts
+ is not supported at this time. Please be careful when using it on anything
+ besides amd64.
+ .
+ Also, note that kernel version 3.8 or above is required for proper operation of
+ the daemon process, and that any lower versions may have subtle and/or glaring
+ issues.
+
+Package: vim-syntax-docker
+Architecture: all
+Depends: vim, ${misc:Depends}
+Recommends: vim-addon-manager
+Suggests: docker.io
+Description: Docker container engine - Vim highlighting syntax files
+ This package provides syntax files for the Vim editor for editing Dockerfiles
+ from the Docker container engine.
+
+Package: golang-github-docker-docker-dev
+Architecture: all
+Depends: golang-github-ishidawataru-sctp-dev,
+         golang-github-docker-docker-credential-helpers-dev,
+         golang-github-seccomp-libseccomp-golang-dev,
+         ${misc:Depends}
+Replaces: golang-docker-dev (<< 1.8.2~ds1-0)
+Breaks: golang-docker-dev (<< 1.8.2~ds1-0)
+Provides: golang-docker-dev
+Description: Externally reusable Go packages included with Docker
+ These packages are intentionally developed by upstream in such a way that they
+ are reusable to projects outside Docker and only rely on each other or other
+ external dependencies to be built.
+
+Package: golang-docker-dev
+Section: oldlibs
+Priority: optional
+Architecture: all
+Depends: golang-github-docker-docker-dev, ${misc:Depends}
+Description: Transitional package for golang-github-docker-docker-dev
+ This is a transitional package to ease upgrades to the
+ golang-github-docker-docker-dev package. It can safely be removed.
+
+Package: docker-doc
+Provides: docker.io-doc
+Section: doc
+Architecture: all
+Depends: ${misc:Depends}
+Description: Linux container runtime -- documentation
+ Docker complements kernel namespacing with a high-level API which operates at
+ the process level. It runs unix processes with strong guarantees of isolation
+ and repeatability across servers.
+ .
+ Docker is a great building block for automating distributed systems:
+ large-scale web deployments, database clusters, continuous deployment systems,
+ private PaaS, service-oriented architectures, etc.
+ .
+ This package contains the daemon and client. Using docker.io on non-amd64 hosts
+ is not supported at this time. Please be careful when using it on anything
+ besides amd64.
+ .
+ Also, note that kernel version 3.8 or above is required for proper operation of
+ the daemon process, and that any lower versions may have subtle and/or glaring
+ issues.
+ .
+ This package provides documentation for Docker.

debian/docker-doc.docs

@@ -0,0 +1,2 @@
+cli/docs/*
+engine/docs/*

debian/docker.io.bash-completion

@@ -0,0 +1 @@
+cli/contrib/completion/bash/docker

debian/docker.io.dirs

@@ -0,0 +1 @@
+etc/docker

debian/docker.io.docker.service

@@ -0,0 +1,48 @@
+[Unit]
+Description=Docker Application Container Engine
+Documentation=https://docs.docker.com
+After=network-online.target firewalld.service containerd.service
+Wants=network-online.target
+Requires=docker.socket
+Wants=containerd.service
+
+[Service]
+Type=notify
+# the default is not to use systemd for cgroups because the delegate issues still
+# exists and systemd currently does not support the cgroup feature set required
+# for containers run by docker
+ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
+ExecReload=/bin/kill -s HUP $MAINPID
+TimeoutSec=0
+RestartSec=2
+Restart=always
+
+# Note that StartLimit* options were moved from "Service" to "Unit" in systemd 229.
+# Both the old, and new location are accepted by systemd 229 and up, so using the old location
+# to make them work for either version of systemd.
+StartLimitBurst=3
+
+# Note that StartLimitInterval was renamed to StartLimitIntervalSec in systemd 230.
+# Both the old, and new name are accepted by systemd 230 and up, so using the old name to make
+# this option work for either version of systemd.
+StartLimitInterval=60s
+
+# Having non-zero Limit*s causes performance problems due to accounting overhead
+# in the kernel. We recommend using cgroups to do container-local accounting.
+LimitNOFILE=infinity
+LimitNPROC=infinity
+LimitCORE=infinity
+
+# Comment TasksMax if your systemd version does not support it.
+# Only systemd 226 and above support this option.
+TasksMax=infinity
+
+# set delegate yes so that systemd does not reset the cgroups of docker containers
+Delegate=yes
+
+# kill only the docker process, not all processes in the cgroup
+KillMode=process
+OOMScoreAdjust=-500
+
+[Install]
+WantedBy=multi-user.target

debian/docker.io.docker.socket

@@ -0,0 +1,11 @@
+[Unit]
+Description=Docker Socket for the API
+
+[Socket]
+ListenStream=/var/run/docker.sock
+SocketMode=0660
+SocketUser=root
+SocketGroup=docker
+
+[Install]
+WantedBy=sockets.target

debian/docker.io.docs

@@ -0,0 +1 @@
+engine/README.md

debian/docker.io.install

@@ -0,0 +1,11 @@
+#!/usr/bin/dh-exec
+
+# https://github.com/docker/docker-ce/blob/v19.03.2/components/packaging/deb/common/rules#L36
+cli/build/docker => usr/bin/docker
+engine/bundles/dynbinary-daemon/dockerd => usr/bin/dockerd
+libnetwork/docker-proxy => usr/bin/docker-proxy
+tini/build/tini-static => usr/bin/docker-init
+
+cli/contrib/completion/zsh/_docker usr/share/zsh/vendor-completions/
+engine/contrib/check-config.sh usr/share/docker.io/contrib/
+engine/contrib/nuke-graph-directory.sh usr/share/docker.io/contrib/

debian/docker.io.maintscript

@@ -0,0 +1,5 @@
+mv_conffile /etc/bash_completion.d/docker.io /etc/bash_completion.d/docker 1.2.0~
+mv_conffile /etc/default/docker.io /etc/default/docker 1.2.0~
+mv_conffile /etc/init.d/docker.io /etc/init.d/docker 1.2.0~
+mv_conffile /etc/init/docker.io.conf /etc/init/docker.conf 1.2.0~
+rm_conffile /etc/bash_completion.d/docker 1.11.2~

debian/docker.io.manpages

@@ -0,0 +1 @@
+cli/man/man*/*

debian/docker.io.postinst

@@ -0,0 +1,109 @@
+#!/bin/sh
+set -e
+
+. /usr/share/debconf/confmodule
+
+case "$1" in
+	configure)
+		if [ -z "$2" ]; then
+			# make sure the "docker" system group exists for "docker.socket" to apply it as the group on "docker.sock"
+			if ! getent group docker > /dev/null 2>&1; then
+				addgroup --system docker
+			fi
+		fi
+
+		# Ensure config directory permissions
+		#  On a fresh install, $2 = '' and dpkg "le-nl" treat that as a
+		#  greater version, so the body is not executed.
+		if dpkg --compare-versions "$2" le-nl '1.11.2~ds1-1'; then
+			if [ "$(stat -c '%a' /etc/docker)" = '700' ]; then
+				chmod 0755 /etc/docker
+			fi
+		fi
+
+		# ZFS handling: create a dedicated ZFS docker dataset to handle all children containers in a single,
+		# persistent, place.
+		# Also check if zfs executable exists and if it is in $PATH.
+		# The zfs command is provided by zfs-fuse | zfsutils and they
+		# are runtime Suggested dependencies which means they are not
+		# necessarily available during configuration time (LP: #1910133).
+		if [ -x "$(command -v zfs)" ] && modinfo zfs >/dev/null 2>&1; then
+			# if there is no mountpoint /var/lib/docker:
+			# 1: create <currentpool>/var/lib/docker if doesn’t exist (zfs mount?)
+			# /var/lib with canmount off if doesn’t exist
+			# /var with canmount off if doesn’t exist
+			rpool="$(zfs mount | awk '$2=="/" {print $1}'|  cut -d/ -f1)"
+
+			if [ -n "$rpool" ]; then
+				dockermnt="$(findmnt -n -o SOURCE /var/lib/docker || true)"
+
+				# Create <currentpool>/var/lib/docker if doesn’t exist
+				if echo "$dockermnt" | grep -qE '^$|/ROOT/'; then
+					zfs create -o canmount=off "$rpool"/var 2>/dev/null || true
+					zfs create -o canmount=off "$rpool"/var/lib 2>/dev/null || true
+					if dpkg --compare-versions "$2" le-nl '19.03.8-0ubuntu2'; then
+						invoke-rc.d docker stop || true
+						mv /var/lib/docker /var/lib/docker.migrating
+					fi
+					zfs create "$rpool"/var/lib/docker 2>/dev/null || true
+					dockermnt="$rpool"/var/lib/docker
+				fi
+
+				if dpkg --compare-versions "$2" le-nl '19.03.8-0ubuntu2'; then
+					mv /var/lib/docker.migrating/* /var/lib/docker/
+					rmdir /var/lib/docker.migrating/
+					# Migrate datasets
+					for dataset in $(zfs list -H -t filesystem -o name,mountpoint,canmount -r "$rpool"/ROOT | grep -E "/var/lib/[0-9a-f]{64}(-init)?\slegacy\son" | cut -f1); do
+						dockerid=${dataset##*/}
+						zfs rename "$dataset" "$dockermnt/$dockerid" || true
+					done
+					# Purge their zsys history datasets
+					for dataset in $(zfs list -H -t snapshot -o name -r "$rpool"/var/lib/docker | grep "@autozsys_"); do
+						zfs destroy -R "$dataset" || true
+					done
+					invoke-rc.d docker start || true
+				fi
+			fi
+		fi
+
+		;;
+	abort-*)
+		# How'd we get here??
+		exit 1
+		;;
+	*)
+		;;
+esac
+
+# restart Docker if it's running (thus this is an upgrade) and the user (via debconf) tells us they're OK with that
+db_version 2.0
+db_fset docker.io/restart seen false
+if [ -n "$2" ] && [ "$1" = 'configure' ] && {
+	# either:
+	#   - we're doing "dpkg-reconfigure" (and thus need to "db_input" to make sure users can change their answer between installs/upgrades)
+	#   - we're doing install/upgrade and Docker is running (and thus it matters whether or not the user wants us to restart Docker for them)
+	[ -n "${DEBCONF_RECONFIGURE:-}" ] \
+	|| invoke-rc.d --disclose-deny docker status > /dev/null 2>&1
+}; then
+	db_input high docker.io/restart || :
+	db_go || :
+	if [ -z "${DEBCONF_RECONFIGURE:-}" ]; then
+		# only perform the actual restart if we're doing install/upgrade (not during interactive "dpkg-reconfigure")
+		db_get docker.io/restart
+		if [ "$RET" = 'true' ]; then
+			# Docker daemon appears to be running and should be restarted
+			invoke-rc.d docker restart || :
+		fi
+	fi
+fi
+db_stop
+
+#DEBHELPER#
+
+# because we had to use "dh_installinit --no-start", we get to make sure the daemon is started on first install (and upgrades thereafter, if it isn't running)
+# (this is adapted from debhelper's "autoscripts/postinst-init")
+if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ]; then
+	if [ -z "${DEBCONF_RECONFIGURE:-}" ] && ! invoke-rc.d docker status > /dev/null 2>&1 ; then
+		invoke-rc.d docker start || :
+	fi
+fi

debian/docker.io.postrm

@@ -0,0 +1,17 @@
+#!/bin/sh
+set -e
+
+#DEBHELPER#
+
+case "$1" in
+	purge)
+		# if we have our saved "nuke-graph-directory.sh", let's use it
+		# see also docker.io.prerm
+		if [ -x /var/lib/docker/nuke-graph-directory.sh ]; then
+			/var/lib/docker/nuke-graph-directory.sh /var/lib/docker
+		fi
+		;;
+
+	*)
+		;;
+esac

debian/docker.io.preinst

@@ -0,0 +1,10 @@
+#!/bin/sh
+set -e
+
+if [ -e "/var/lib/docker/aufs" ]; then
+	echo "The aufs storage-driver is no longer supported."
+	echo "Please ensure that none of your containers are"
+	echo "using the aufs storage driver, remove the directory"
+	echo "/var/lib/docker/aufs and try again."
+	exit 1
+fi

debian/docker.io.prerm

@@ -0,0 +1,29 @@
+#!/bin/sh
+set -e
+
+case "$1" in
+	remove)
+		# if we're removing, we need to save "nuke-graph-directory.sh" so that
+		# we can still purge "/var/lib/docker" later if necessary
+		# see also docker.io.postrm
+		if \
+			[ -d /var/lib/docker ] \
+			&& [ -x /usr/share/docker.io/contrib/nuke-graph-directory.sh ] \
+		; then
+			if cp -v /usr/share/docker.io/contrib/nuke-graph-directory.sh /var/lib/docker/; then
+				chmod +x /var/lib/docker/nuke-graph-directory.sh || :
+			fi
+		fi
+		;;
+
+	*)
+		;;
+esac
+
+#DEBHELPER#
+
+# because we had to use "dh_installinit --no-start", we get to make sure the daemon is stopped on uninstall
+# (this is adapted from debhelper's "autoscripts/prerm-init-norestart")
+if [ "$1" = remove ]; then
+	invoke-rc.d docker stop
+fi

debian/docker.io.templates

@@ -0,0 +1,14 @@
+Template: docker.io/restart
+Type: boolean
+Default: false
+Description: Automatically restart Docker daemon?
+ If Docker is upgraded without restarting the Docker daemon, Docker will often
+ have trouble starting new containers, and in some cases even maintaining the
+ containers it is currently running. See https://launchpad.net/bugs/1658691 for
+ an example of this breakage.
+ .
+ Normally, upgrading the package would simply restart the associated daemon(s).
+ In the case of the Docker daemon, that would also imply stopping all running
+ containers (which will only be restarted if they're part of a "service", have
+ an appropriate restart policy configured, or have some other means of being
+ restarted such as an external systemd unit).

debian/gbp.conf

@@ -0,0 +1,15 @@
+[DEFAULT]
+cleaner = fakeroot debian/rules clean
+pristine-tar = True
+merge = False
+debian-tag = %(version)s
+
+[git-buildpackage]
+export-dir = ../build-area/
+tarball-dir = ../tarballs/
+
+[dch]
+id-length = 0
+meta = True
+auto = True
+full = True

debian/golang-github-docker-docker-dev.install

@@ -0,0 +1,23 @@
+#!/usr/bin/dh-exec
+
+engine/api usr/share/gocode/src/github.com/docker/docker/
+engine/client usr/share/gocode/src/github.com/docker/docker/
+engine/dockerversion usr/share/gocode/src/github.com/docker/docker/
+engine/errdefs usr/share/gocode/src/github.com/docker/docker/
+engine/image usr/share/gocode/src/github.com/docker/docker/
+engine/oci usr/share/gocode/src/github.com/docker/docker/
+engine/opts usr/share/gocode/src/github.com/docker/docker/
+engine/pkg usr/share/gocode/src/github.com/docker/docker/
+engine/registry usr/share/gocode/src/github.com/docker/docker/
+engine/rootless usr/share/gocode/src/github.com/docker/docker/
+engine/vendor usr/share/gocode/src/github.com/docker/docker/
+cli/cli usr/share/gocode/src/github.com/docker/cli/
+cli/opts usr/share/gocode/src/github.com/docker/cli/
+libnetwork/datastore usr/share/gocode/src/github.com/docker/libnetwork/
+libnetwork/discoverapi usr/share/gocode/src/github.com/docker/libnetwork/
+libnetwork/ipamutils usr/share/gocode/src/github.com/docker/libnetwork/
+libnetwork/ns usr/share/gocode/src/github.com/docker/libnetwork/
+libnetwork/options usr/share/gocode/src/github.com/docker/libnetwork/
+libnetwork/resolvconf usr/share/gocode/src/github.com/docker/libnetwork/
+libnetwork/testutils usr/share/gocode/src/github.com/docker/libnetwork/
+libnetwork/types usr/share/gocode/src/github.com/docker/libnetwork/

debian/rules

@@ -0,0 +1,133 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+
+include /usr/share/dpkg/pkg-info.mk
+
+export VERSION := $(DEB_VERSION_UPSTREAM)
+
+export DOCKER_GITCOMMIT := $(DEB_VERSION)
+
+# temporary build path (see http://golang.org/doc/code.html#GOPATH)
+OUR_GOPATH := $(CURDIR)/.gopath
+export GOPATH := $(OUR_GOPATH)
+export GOCACHE := $(CURDIR)/.gocache
+
+# https://blog.golang.org/go116-module-changes (TODO figure out a new solution for Go 1.17+)
+export GO111MODULE := auto
+
+# AppArmor can be optionally used in Debian and is there by default in Ubuntu, so we need support for it compiled into our binary
+# same story with SELinux
+export DOCKER_BUILDTAGS := apparmor seccomp selinux
+
+ifneq (,$(filter parallel=%, $(DEB_BUILD_OPTIONS)))
+	NUMJOBS := $(patsubst parallel=%, %, $(filter parallel=%, $(DEB_BUILD_OPTIONS)))
+	MAKEFLAGS += -j '$(NUMJOBS)'
+endif
+
+override_dh_gencontrol:
+	# if we're on Ubuntu, we need to Recommends: apparmor
+	echo 'apparmor:Recommends=$(shell dpkg-vendor --is Ubuntu && echo apparmor)' >> debian/docker.io.substvars
+	echo 'libc:Built-Using=$(shell dpkg-query -f '$${source:Package} (= $${source:Version})' -W libc-dev-bin)' >> debian/docker.io.substvars
+	# use "dh_golang" to generate "misc:Built-Using" (via "go list")
+	DH_GOLANG_BUILDPKG=' \
+		-tags "$(DOCKER_BUILDTAGS)" \
+		github.com/docker/docker/cmd/dockerd \
+		github.com/docker/cli/cmd/docker \
+		github.com/docker/libnetwork/cmd/proxy \
+	' dh_golang --builddirectory='$(OUR_GOPATH:$(CURDIR)/%=%)'
+	dh_gencontrol
+
+override_dh_auto_configure:
+	# set up GOPATH symlink farm
+	# libnetwork
+	mkdir -p '$(OUR_GOPATH)/src/github.com/docker'
+	ln -sfT '$(CURDIR)/libnetwork' '$(OUR_GOPATH)/src/github.com/docker/libnetwork'
+	# cli
+	mkdir -p '$(OUR_GOPATH)/src/github.com/docker'
+	ln -sfT '$(CURDIR)/cli' '$(OUR_GOPATH)/src/github.com/docker/cli'
+	# engine
+	mkdir -p '$(OUR_GOPATH)/src/github.com/docker'
+	ln -sfT '$(CURDIR)/engine' '$(OUR_GOPATH)/src/github.com/docker/docker'
+
+override_dh_auto_build: _build-tini _build-proxy _build-cli _build-manpages _build-engine
+	@#
+
+# several "supporting binaries" need to be built and installed
+# (https://github.com/docker/docker-ce/tree/v19.03.6/components/engine/hack/dockerfile/install)
+
+_build-tini: # (docker-init)
+	mkdir -p tini/build
+	cd tini/build \
+		&& cmake .. \
+		&& make tini-static
+
+_build-proxy: # (from libnetwork)
+	go build -o libnetwork/docker-proxy github.com/docker/libnetwork/cmd/proxy
+
+_build-cli:
+	DISABLE_WARN_OUTSIDE_CONTAINER=1 \
+		make -C cli \
+			LDFLAGS='' \
+			VERSION='$(VERSION)' \
+			GITCOMMIT='$(DOCKER_GITCOMMIT)' \
+			dynbinary
+
+# https://github.com/docker/docker-ce/blob/v19.03.6/components/cli/scripts/docs/generate-man.sh
+# (replacing hard-coded "/tmp/gen-manpages" with "debian/tmp/gen-manpages")
+_build-manpages:
+	cd '$(OUR_GOPATH)/src/github.com/docker/cli' \
+		&& export PATH='$(OUR_GOPATH)/bin':"$$PATH" \
+		&& sed 's!/tmp/gen-manpages!$(CURDIR)/debian/tmp/gen-manpages!g' scripts/docs/generate-man.sh \
+		&& sed 's!/go/bin/go-md2man!$(OUR_GOPATH)/bin/go-md2man!g' scripts/docs/generate-man.sh \
+			| bash
+
+_build-engine:
+	cd engine \
+		&& PRODUCT=docker ./hack/make.sh dynbinary
+
+# basic smoke test to ensure binaries built successfully
+# (especially since their actual tests are *really* involved)
+override_dh_auto_test:
+	# tini
+	./tini/build/tini-static --version
+	# cli
+	./cli/build/docker --version
+	# engine
+	./engine/bundles/dynbinary-daemon/dockerd --version
+
+override_dh_strip:
+	# Go has lots of problems with stripping, so just don't
+
+override_dh_auto_install:
+	# we use dh_install / dh-exec for installing files where they need to be
+
+# "--no-start" because we have a debconf prompt to determine whether to restart during upgrades
+# (which means we get to handle both "start" and "stop" ourselves too)
+override_dh_installinit:
+	dh_installinit --name=docker --no-start
+
+override_dh_installsystemd:
+	# We take care of determining whether the docker.io service should be
+	# restarted during upgrades or not ourselves, based on the debconf
+	# choice made by the user during installation.  For this reason, we
+	# invoke dh_installsystemd with "--no-stop-on-upgrade" in order
+	# to avoid indiscriminately stopping the service during upgrades.
+	dh_installsystemd --name=docker --no-start -pdocker.io --no-stop-on-upgrade docker.service
+	dh_installsystemd --name=docker --no-start -pdocker.io --no-stop-on-upgrade docker.socket
+
+override_dh_installudev:
+	# use priority z80 to match the upstream priority of 80
+	dh_installudev --priority=z80
+
+override_dh_install:
+	dh_install
+	dh_apparmor --profile-name=docker.io -pdocker.io
+
+override_dh_shlibdeps:
+	dh_shlibdeps --dpkg-shlibdeps-params=--ignore-missing-info
+
+override_dh_auto_clean:
+	@# stop debhelper from doing "make clean"
+
+%:
+	dh $@ --with=bash-completion

debian/source/format

@@ -0,0 +1 @@
+3.0 (quilt)

debian/source/options

@@ -0,0 +1 @@
+create-empty-orig

debian/tests/basic-smoke

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+. debian/tests/common
+
+defer 'journalctl -u docker | tail'
+
+# make sure Docker itself is working before we go too deep down the rabbit hole
+docker version
+
+debootstrap \
+	--variant=minbase \
+	stable \
+	"$tempDir" \
+	http://httpredir.debian.org/debian
+
+tar -cC "$tempDir" . | docker import - debian
+defer 'docker rmi debian'
+
+docker run --name test debian true
+defer 'docker rm -f test'

debian/tests/common

@@ -0,0 +1,16 @@
+set -eux
+set -o pipefail
+
+exitTraps=( 'true' )
+doExit() {
+	for exitTrap in "${exitTraps[@]}"; do
+		eval "$exitTrap" || true
+	done
+}
+trap 'doExit' EXIT
+defer() {
+	exitTraps=( "$@" "${exitTraps[@]}" )
+}
+
+tempDir="$(mktemp -d)"
+defer "rm -rf '$tempDir'"

debian/tests/control

@@ -0,0 +1,11 @@
+Tests: basic-smoke
+Depends: debian-archive-keyring, debootstrap, @
+Restrictions: allow-stderr isolation-machine needs-root
+
+Tests: docker-in-lxd
+Depends: dctrl-tools, lxd
+Restrictions: allow-stderr isolation-machine needs-root
+
+#Tests: integration
+#Depends: ca-certificates, curl, git, golang-check.v1-dev, jq, @, @builddeps@
+#Restrictions: allow-stderr isolation-machine needs-root rw-build-tree

debian/tests/docker-in-lxd

@@ -0,0 +1,219 @@
+#!/bin/bash
+
+. debian/tests/common
+
+arch=$(dpkg --print-architecture)
+release=$(lsb_release -rs)
+suite=$(lsb_release -cs)
+
+if [ "$arch" = "i386" -a "$release" \> "19.04" ]; then
+    exit 0
+fi
+
+# This stolen from lxd's debconf magic.
+random_ipv4() {
+  while :; do
+    SUBNET="10.$(shuf -i 1-255 -n 1).$(shuf -i 0-255 -n 1)"
+
+    # Check if well known
+    if [ "${SUBNET}" = "10.10.10" ]; then
+      continue
+    fi
+
+    # Check if used locally
+    if ip -4 route show | grep -q ${SUBNET}; then
+      continue
+    fi
+
+    # Attempt to see if used behind the gateway
+    if ping -n -q ${SUBNET}.1 -c 1 -W 1 >/dev/null 2>&1; then
+      continue
+    fi
+
+    if ping -n -q ${SUBNET}.254 -c 1 -W 1 >/dev/null 2>&1; then
+      continue
+    fi
+
+    break
+  done
+
+  echo ${SUBNET}
+}
+
+# Detect LXD API extensions
+lxd_extension() {
+  lxc info | grep -q "^\- ${1}$"
+}
+
+# Copy the local apt package archive over to the lxd container.
+# This function assumes that the container is named "docker".
+copy_local_apt_files() {
+  for local_source in $(apt-get indextargets | grep-dctrl -F URI -e '^file:/' -sURI); do
+    local_source=${local_source#file:}
+    local_dir=$(dirname "${local_source}")
+    lxc exec docker -- mkdir -p "${local_dir}"
+    tar -cC "${local_dir}" . | lxc exec docker -- tar -xC "${local_dir}"
+  done
+}
+
+time lxd waitready --timeout 600
+
+# Attempt to auto-configure ipv4, but only when really running under
+# autopkgtest.
+if [ -n "${AUTOPKGTEST_TMP:-}" ]; then
+    lxd init --auto
+    if lxd_extension "network"; then
+        if ! lxc profile device list default | grep -q eth0; then
+            lxc network create adt-br0
+            lxc network attach-profile adt-br0 default eth0
+        fi
+    else
+        sleep 10
+        systemctl stop lxd-bridge
+        SUBNET=$(random_ipv4)
+        cat <<EOF > /etc/default/lxd-bridge
+USE_LXD_BRIDGE="true"
+LXD_BRIDGE="lxdbr0"
+UPDATE_PROFILE="true"
+LXD_IPV4_ADDR="${SUBNET}.1"
+LXD_IPV4_NETMASK="255.255.255.0"
+LXD_IPV4_NETWORK="${SUBNET}.1/24"
+LXD_IPV4_DHCP_RANGE="${SUBNET}.2,${SUBNET}.254"
+LXD_IPV4_DHCP_MAX="252"
+LXD_IPV4_NAT="true"
+LXD_IPV6_ADDR=""
+LXD_IPV6_MASK=""
+LXD_IPV6_NETWORK=""
+LXD_IPV6_NAT="false"
+LXD_IPV6_PROXY="false"
+EOF
+        systemctl start lxd-bridge
+    fi
+fi
+
+if [ -n "${http_proxy:-}" ]; then
+    lxc config set core.proxy_http $http_proxy
+fi
+if [ -n "${https_proxy:-}" ]; then
+    lxc config set core.proxy_https $https_proxy
+fi
+if [ -n "${noproxy:-}" ]; then
+    lxc config set core.proxy_ignore_hosts $noproxy
+fi
+
+lxc launch ubuntu-daily:${suite}/${arch} docker -c security.nesting=true
+
+defer 'lxc delete --force docker'
+
+# autopkgtest will have done some complicated things to ensure that "apt
+# install docker.io" installs the version that should be tested in the
+# host. But we want to test that version of docker in the container, so
+# replace the entire apt configuration of the container with that of the host
+# (after waiting for cloud-init to avoid racing with its attempts to rewrite
+# the apt config).
+lxc exec docker -- cloud-init status --wait
+lxc exec docker -- rm -rf /etc/apt
+lxc exec docker -- mkdir /etc/apt
+tar -cC /etc/apt . | lxc exec docker -- tar -xC /etc/apt
+
+copy_local_apt_files
+
+if [ -n "${http_proxy:-}" ]; then
+    lxc exec docker -- mkdir -p /etc/systemd/system/docker.service.d
+    cat <<EOF | lxc file push - docker/etc/systemd/system/docker.service.d/http-proxy.conf
+[Service]
+Environment="HTTP_PROXY=$http_proxy"
+EOF
+fi
+if [ -n "${https_proxy:-}" ]; then
+    lxc exec docker -- mkdir -p /etc/systemd/system/docker.service.d
+    cat <<EOF | lxc file push - docker/etc/systemd/system/docker.service.d/https-proxy.conf
+[Service]
+Environment="HTTPS_PROXY=$https_proxy"
+EOF
+fi
+if [ -n "${no_proxy:-}" ]; then
+    lxc exec docker -- mkdir -p /etc/systemd/system/docker.service.d
+    cat <<EOF | lxc file push - docker/etc/systemd/system/docker.service.d/no-proxy.conf
+[Service]
+Environment="NO_PROXY=$no_proxy"
+EOF
+fi
+
+attempts=0
+while ! lxc exec docker -- grep -q ^nameserver /etc/resolv.conf; do
+    sleep 1
+    attempts=$((attempts+1))
+    if [ $attempts -gt 30 ]; then
+        echo "Network failed to come up after 30 seconds"
+        exit 1
+    fi
+done
+if ! lxc exec docker -- sh -c 'grep ^nameserver /etc/resolv.conf | grep -qv 127.0.0.53'
+then
+    echo "systemd-resolved"
+    while ! lxc exec docker -- sh -c 'grep -v fe80 /run/systemd/resolve/resolv.conf | grep -q ^nameserver'; do
+        sleep 1
+        attempts=$((attempts+1))
+        if [ $attempts -gt 30 ]; then
+            echo "Network failed to come up after 30 seconds"
+            exit 1
+        fi
+    done
+fi
+
+# Perform a full upgrade and restart the container before attempting
+# to install docker.io.  See
+# https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1942276 for
+# more details.
+lxc exec docker -- apt-get update
+lxc exec docker --env DEBIAN_FRONTEND=noninteractive -- apt-get full-upgrade -y
+lxc restart docker
+sleep 5
+
+# We call this again here because if the local apt repository lived
+# under /tmp, it won't be available anymore after a container restart.
+copy_local_apt_files
+lxc exec docker -- apt-get update
+
+lxc exec docker --env DEBIAN_FRONTEND=noninteractive -- apt-get install docker.io -y
+
+# Now basically run the simplest possible test inside the container.
+
+case ${arch} in
+    amd64|i386|s390x)
+        image_hello_world=${arch}/hello-world
+        image_ubuntu="${arch}/ubuntu:devel";;
+    armhf)
+        image_hello_world=arm32v7/hello-world
+        image_ubuntu=arm32v7/ubuntu:devel;;
+    ppc64el)
+        image_hello_world=ppc64le/hello-world
+        image_ubuntu=ppc64le/ubuntu:devel;;
+    arm64)
+        image_hello_world=arm64v8/hello-world
+        image_ubuntu=arm64v8/ubuntu:devel;;
+    *)
+        echo "unknown arch: ${arch}"
+        exit 2;;
+esac
+
+lxc exec docker -- docker run "${image_hello_world}"
+
+ubuntu_devel_suite=$(lxc exec docker -- docker run --rm "${image_ubuntu}" \
+                         /bin/bash -c 'source /etc/lsb-release && echo "$DISTRIB_CODENAME"')
+
+# We also need to run some commands inside an ubuntu:devel container,
+# to make sure that docker.io can work correctly with the latest
+# glibc.
+#
+# It's also important to make sure the docker container is using the
+# same apt configuration from the lxd container, which itself is the
+# same apt configuration from the host.
+#
+# We just want to perform this test when the docker.io package is
+# being tested against the development release of Ubuntu.
+if [ "${ubuntu_devel_suite}" = "${suite}" ]; then
+  lxc exec docker -- docker run -v /etc/apt:/etc/apt "${image_ubuntu}" \
+      /bin/bash -c 'apt-get update; apt-get full-upgrade -y && apt-get install -y hello'
+fi

debian/tests/integration

@@ -0,0 +1,41 @@
+#!/bin/bash
+set -e
+
+# apply patches
+dpkg-source --before-build .
+
+# prepare the environment
+./debian/rules dh_configure
+export GOPATH="$PWD/.gopath"
+export DOCKER_GITCOMMIT="foo"
+
+# docker's tests need an unprivileged user available at this username
+useradd --system --gid docker --comment 'Docker Test Suite Unprivileged User' unprivilegeduser
+
+# https://github.com/docker/docker/blob/7307998a44237a8943792c279b81ff5a387a86fa/builder/dockerfile/builder.go#L34-L44
+proxyArgs=(
+	http_proxy
+	https_proxy
+	ftp_proxy
+	no_proxy
+)
+DOCKER_BUILD_ARGS=
+for proxyArgBase in "${proxyArgs[@]}"; do
+	for proxyArg in "${proxyArgBase^^}" "$proxyArgBase"; do
+		if [ -n "${!proxyArg}" ]; then
+			[ -z "$DOCKER_BUILD_ARGS" ] || DOCKER_BUILD_ARGS+=' '
+			DOCKER_BUILD_ARGS+="--build-arg ${proxyArg}=${!proxyArg}"
+		fi
+	done
+done
+export DOCKER_BUILD_ARGS
+
+# run the tests
+./hack/make.sh test-integration-cli
+
+# clean up cruft we've created
+./debian/rules clean
+userdel --force unprivilegeduser
+
+# unapply patches
+dpkg-source --after-build .

debian/vim-syntax-docker.install

@@ -0,0 +1 @@
+debian/vim-syntax-docker.yaml /usr/share/vim/registry/

debian/vim-syntax-docker.yaml

@@ -0,0 +1,6 @@
+addon: dockerfile
+description: "Addon to highlight Docker's Dockerfiles"
+files:
+  - doc/dockerfile.txt
+  - ftdetect/dockerfile.vim
+  - syntax/dockerfile.vim

debian/watch

@@ -0,0 +1,31 @@
+version=4
+
+# github's ".../tags" paginates too soon, so we lose historical versions too early for tianon's tastes (hence uscan.tianon.xyz)
+#  https://github.com/docker/docker/tags
+
+opts=\
+component=engine,\
+dversionmangle=s/[+~](debian|dfsg|ds|deb)\d*$//,\
+uversionmangle=s/(\d)[_\.\-\+]?((RC|rc|pre|dev|beta|alpha)\d*)$/$1~$2/,\
+filenamemangle=s/.+\/v(\d\S*)\.tar\.gz/docker.io_$1.orig-engine.tar.gz/ \
+  https://github.com/moby/moby/tags .*/archive/.*v(\d\S*).tar.gz
+
+opts=\
+component=cli,\
+uversionmangle=s/(\d)[_\.\-\+]?((RC|rc|pre|dev|beta|alpha)\d*)$/$1~$2/,\
+filenamemangle=s/.+\/v(\d\S*)\.tar\.gz/docker.io_$1.orig-cli.tar.gz/ \
+  https://github.com/docker/cli/tags .*/archive/.*v(\d\S*).tar.gz
+
+opts=\
+component=libnetwork,\
+uversionmangle=s/(\d)[_\.\-\+]?((RC|rc|pre|dev|beta|alpha)\d*)$/$1~$2/,\
+filenamemangle=s/.+\/docker-(\d\S*)\.tar\.gz/docker.io_$1.orig-libnetwork.tar.gz/ \
+  https://uscan.tianon.xyz/github.com/tianon/docker-libnetwork-tags \
+  https://github.com/.*/docker-(\d\S*)\.tar\.gz
+
+opts=\
+component=tini,\
+uversionmangle=s/(\d)[_\.\-\+]?((RC|rc|pre|dev|beta|alpha)\d*)$/$1~$2/,\
+filenamemangle=s/.+\/docker-(\d\S*)\.tar\.gz/docker.io_$1.orig-tini.tar.gz/ \
+  https://uscan.tianon.xyz/github.com/tianon/docker-tini-tags \
+  https://github.com/.*/docker-(\d\S*)\.tar\.gz