Diffstat (limited to 'app-containers/docker')
-rw-r--r--app-containers/docker/Manifest9
-rw-r--r--app-containers/docker/docker-24.0.5-r1.ebuild (renamed from app-containers/docker/docker-20.10.12-r1.ebuild)263
-rw-r--r--app-containers/docker/docker-24.0.6.ebuild (renamed from app-containers/docker/docker-20.10.16.ebuild)261
-rw-r--r--app-containers/docker/docker-24.0.7-r1.ebuild (renamed from app-containers/docker/docker-20.10.14.ebuild)263
-rw-r--r--app-containers/docker/docker-25.0.1.ebuild318
-rw-r--r--app-containers/docker/docker-25.0.4.ebuild318
-rw-r--r--app-containers/docker/docker-26.1.0-r1.ebuild322
-rw-r--r--app-containers/docker/files/0001-Openrc-Depend-on-containerd-init-script.patch28
-rw-r--r--app-containers/docker/files/docker-24.0.5-automagic-systemd.patch13
-rw-r--r--app-containers/docker/files/docker-26.1.0-automagic-systemd.patch13
-rw-r--r--app-containers/docker/files/etcd-F_OFD_GETLK-fix.patch28
-rw-r--r--app-containers/docker/files/ppc64-buildmode.patch30
-rw-r--r--app-containers/docker/metadata.xml18
13 files changed, 1493 insertions, 391 deletions
diff --git a/app-containers/docker/Manifest b/app-containers/docker/Manifest
index 93e6aa676e60..bd1c7e1ad7a7 100644
--- a/app-containers/docker/Manifest
+++ b/app-containers/docker/Manifest
@@ -1,3 +1,6 @@
-DIST docker-20.10.12.tar.gz 11091999 BLAKE2B e3b1c40d2dcd2df9b158942759e035d53481dbd63c0fda188ec8564b0249402f5eff5f25fcb1a53c5d9af5b4c49f0919fc07f1f52d0b7333044c0a9c12631c21 SHA512 f4122c8cbc67e6b7703856dc76d6f15d7fab1b2001d4916b89958d5319c16d8b8445881841ef4804e8d47d64694184aec1be93e22d7baceb021c4a99c2c03753
-DIST docker-20.10.14.tar.gz 10989937 BLAKE2B 4b510408c8cf2aef3a9777996aadd024e61df519c6c83d8c59e066058fb082f72ee14405b011731cb3663abdf0759d8f005b3336f6e9b6430270a2e1ba337436 SHA512 94ee555337aaf96bb95ce8cbe8fe1d9c8b87fcd4f256d2af5082fc47915f7576882929c1211ef7fba0c754097bdef5e6df59abbdf77456d3babe139f4353ed21
-DIST docker-20.10.16.tar.gz 11182324 BLAKE2B 8d6676a24b3b53f9155a53eb55a1b5074c5724788102356cae8ead55dbf2f2c2875ea4a0a9eaee4a7720d8f11671b2f748eb8c61b67b81992342d1171feaaaa7 SHA512 5fdf87f98a951af87a334a5a403e36b975ff6c4647d0656dde2bd763d27562c620346f3746adafa1439c205869c721a3bef750f8302734499423ca789218f85d
+DIST docker-24.0.5.tar.gz 14456089 BLAKE2B be13a4256787152cb35ddb96d80e97a5e5b587094f1c61d18158737a037c4e81b88c186098ba7416eb7778022ece07bc31ee55af13d3e3da8e0bbd5452ad027f SHA512 cde2e47e7658b153399ee29154ec21eebf54b292185e07d43b968895dcfdfead95e4507fefb713859a4540f21d8007116d3ebeaa1fb7ba305fb2a0449ba1bee6
+DIST docker-24.0.6.tar.gz 14462378 BLAKE2B bced8e687abac59254a9969df46f323a835627a724889e5966bea08df8766b4291914442001d1b573280c45ac4d357a673e98e8fba2b8d116a1dbd65424ccf78 SHA512 d9bf0ba756b1ebe69a44819d7c6aa5d66dad8db5bcc41233e2bfce8131334a2fe1af3972de7f602b7911231288d29aaea797b7a05b335c2d7214a613b27c4b63
+DIST docker-24.0.7.tar.gz 14658649 BLAKE2B 73bad494640ef8cad2b9b991f94414d8bec4dd88b120b0f8238f74d01269c445270f45410ac2c78af074356c3ba60a7c550ab28f5da5924bdc6d8b99e85a1360 SHA512 08f22fcbce163c3ba8eb21302fd38ff04fd3f27067f5715a3c527ba2efe67f694fac80bfe6d6b5e22d06d98917e1685a9d3d9b58991f221354f637f4a8bdc526
+DIST docker-25.0.1.tar.gz 15936052 BLAKE2B 32b24893c9b098b218b16548be074588ad98ed31c8b87ab3fa467f79e33e96ce94f694b86f2920b1166e64c153b1c2482cb602117f673d23f0fc5ccc9b28ae92 SHA512 816c888925cf609e7caa6e491b45614f69fdd7df5ed4f783d8a77cf86d9f46f4f457a95a943aa75ecddf99d080daf78bc0dba55e9648960dc539b1ae62052361
+DIST docker-25.0.4.tar.gz 15953567 BLAKE2B 85398de80b14f21d611822a1714ac987d919cf6a2a8059d8a6d41c9b63fd63a04013e47e01021eccdbd107f1a3f8ee55dc1ecbc4b6c9cc20ff2854434e3b6af7 SHA512 07e724de305def32a1e32a724a8041be193745c4f0d549708723cf5d14b840f74648e83e790fd526e00a6c6fdb7e487ee4e5ed0752fbe172d673ab86fe8819d2
+DIST docker-26.1.0.tar.gz 16390376 BLAKE2B 6703e9b153c430bc28aed2e7de7bada0203353d61f0a2ce3d49ddbd017eab196a685dd1ab1e719a6b287813eb5fa4f2c612e2cf1ab95789d6e79ebe5dac7ace3 SHA512 47b6b9af9947016884614b6bc25977e1db281da95c9b8b34c753c21c664a737a893f9fa65d92cbb897735aae3893567e106e6bababb5507e069b1e0981e48d50
diff --git a/app-containers/docker/docker-20.10.12-r1.ebuild b/app-containers/docker/docker-24.0.5-r1.ebuild
index 95c508dbb975..2421fd8dd3eb 100644
--- a/app-containers/docker/docker-20.10.12-r1.ebuild
+++ b/app-containers/docker/docker-24.0.5-r1.ebuild
@@ -1,11 +1,11 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
EGO_PN=github.com/docker/docker
MY_PV=${PV/_/-}
-GIT_COMMIT=459d0dfbbb
inherit linux-info systemd udev golang-vcs-snapshot
+GIT_COMMIT=4ffc61430bbe6d3d405bdf357b766bf303ff3cc5
DESCRIPTION="The core functions you need to create Docker images and run Docker containers"
HOMEPAGE="https://www.docker.com/"
@@ -14,7 +14,7 @@ SRC_URI="https://github.com/moby/moby/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
LICENSE="Apache-2.0"
SLOT="0"
KEYWORDS="amd64 ~arm arm64 ppc64 ~riscv ~x86"
-IUSE="apparmor aufs btrfs +cli +container-init device-mapper hardened overlay seccomp"
+IUSE="apparmor btrfs +container-init device-mapper overlay seccomp selinux systemd"
DEPEND="
acct-group/docker
@@ -23,13 +23,11 @@ DEPEND="
btrfs? ( >=sys-fs/btrfs-progs-3.16.1 )
device-mapper? ( >=sys-fs/lvm2-2.02.89[thin] )
seccomp? ( >=sys-libs/libseccomp-2.2.1 )
+ systemd? ( sys-apps/systemd )
"
# https://github.com/moby/moby/blob/master/project/PACKAGERS.md#runtime-dependencies
# https://github.com/moby/moby/blob/master/project/PACKAGERS.md#optional-dependencies
-# https://github.com/moby/moby/tree/master//hack/dockerfile/install
-# make sure docker-proxy is pinned to exact version from ^,
-# for appropriate branch/version of course
RDEPEND="
${DEPEND}
>=net-firewall/iptables-1.4
@@ -37,10 +35,10 @@ RDEPEND="
>=dev-vcs/git-1.7
>=app-arch/xz-utils-4.9
dev-libs/libltdl
- >=app-containers/containerd-1.4.12[apparmor?,btrfs?,device-mapper?,seccomp?]
- ~app-containers/docker-proxy-0.8.0_p20210525
- cli? ( ~app-containers/docker-cli-${PV} )
+ >=app-containers/containerd-1.7.1[apparmor?,btrfs?,device-mapper?,seccomp?]
+ !app-containers/docker-proxy
container-init? ( >=sys-process/tini-0.19.0[static] )
+ selinux? ( sec-policy/selinux-docker )
"
# https://github.com/docker/docker/blob/master/project/PACKAGERS.md#build-dependencies
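Review bot: RDEPEND for docker-24.0.5-r1 raises the containerd floor to `>=app-containers/containerd-1.7.1[...]` but sets no floor for runc, although the docker-24.0.6 and docker-24.0.7-r1 sections of this commit add `>=app-containers/runc-1.1.9[apparmor?,seccomp?]` right after the containerd atom. No runc atom is visible in this hunk, so the runtime that src_install symlinks as /usr/bin/docker-runc is presumably pulled in only through containerd, with whatever version and apparmor/seccomp USE state it happens to have. Adding the same line here (or the floor that matches 24.0.5) keeps the container runtime's version and its seccomp/AppArmor support tied to the daemon's flags. The RDEPEND assignment starts in the previous hunk.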
@@ -56,98 +54,173 @@ S="${WORKDIR}/${P}/src/${EGO_PN}"
# https://bugs.gentoo.org/748984 https://github.com/etcd-io/etcd/pull/12552
PATCHES=(
- "${FILESDIR}/etcd-F_OFD_GETLK-fix.patch"
- "${FILESDIR}/ppc64-buildmode.patch"
+ "${FILESDIR}/0001-Openrc-Depend-on-containerd-init-script.patch"
+ "${FILESDIR}/docker-24.0.5-automagic-systemd.patch"
)
-# see "contrib/check-config.sh" from upstream's sources
-CONFIG_CHECK="
- ~NAMESPACES ~NET_NS ~PID_NS ~IPC_NS ~UTS_NS
- ~CGROUPS ~CGROUP_CPUACCT ~CGROUP_DEVICE ~CGROUP_FREEZER ~CGROUP_SCHED ~CPUSETS ~MEMCG
- ~CGROUP_NET_PRIO
- ~KEYS
- ~VETH ~BRIDGE ~BRIDGE_NETFILTER
- ~IP_NF_FILTER ~IP_NF_TARGET_MASQUERADE ~NETFILTER_XT_MARK
- ~NETFILTER_NETLINK ~NETFILTER_XT_MATCH_ADDRTYPE ~NETFILTER_XT_MATCH_CONNTRACK ~NETFILTER_XT_MATCH_IPVS
- ~IP_NF_NAT ~NF_NAT
- ~POSIX_MQUEUE
-
- ~USER_NS
- ~SECCOMP
- ~CGROUP_PIDS
- ~MEMCG_SWAP
-
- ~BLK_CGROUP ~BLK_DEV_THROTTLING
- ~CGROUP_PERF
- ~CGROUP_HUGETLB
- ~NET_CLS_CGROUP
- ~CFS_BANDWIDTH ~FAIR_GROUP_SCHED
- ~IP_VS ~IP_VS_PROTO_TCP ~IP_VS_PROTO_UDP ~IP_VS_NFCT ~IP_VS_RR
-
- ~VXLAN
- ~CRYPTO ~CRYPTO_AEAD ~CRYPTO_GCM ~CRYPTO_SEQIV ~CRYPTO_GHASH ~XFRM_ALGO ~XFRM_USER
- ~IPVLAN
- ~MACVLAN ~DUMMY
-
- ~OVERLAY_FS ~!OVERLAY_FS_REDIRECT_DIR
- ~EXT4_FS_SECURITY
- ~EXT4_FS_POSIX_ACL
-"
-
-ERROR_KEYS="CONFIG_KEYS: is mandatory"
-ERROR_MEMCG_SWAP="CONFIG_MEMCG_SWAP: is required if you wish to limit swap usage of containers"
-ERROR_RESOURCE_COUNTERS="CONFIG_RESOURCE_COUNTERS: is optional for container statistics gathering"
-
-ERROR_BLK_CGROUP="CONFIG_BLK_CGROUP: is optional for container statistics gathering"
-ERROR_IOSCHED_CFQ="CONFIG_IOSCHED_CFQ: is optional for container statistics gathering"
-ERROR_CGROUP_PERF="CONFIG_CGROUP_PERF: is optional for container statistics gathering"
-ERROR_CFS_BANDWIDTH="CONFIG_CFS_BANDWIDTH: is optional for container statistics gathering"
-ERROR_XFRM_ALGO="CONFIG_XFRM_ALGO: is optional for secure networks"
-ERROR_XFRM_USER="CONFIG_XFRM_USER: is optional for secure networks"
-
pkg_setup() {
+ # this is based on "contrib/check-config.sh" from upstream's sources
+ # required features.
+ CONFIG_CHECK="
+ ~NAMESPACES ~NET_NS ~PID_NS ~IPC_NS ~UTS_NS
+ ~CGROUPS ~CGROUP_CPUACCT ~CGROUP_DEVICE ~CGROUP_FREEZER ~CGROUP_SCHED ~CPUSETS ~MEMCG
+ ~KEYS
+ ~VETH ~BRIDGE ~BRIDGE_NETFILTER
+ ~IP_NF_FILTER ~IP_NF_TARGET_MASQUERADE
+ ~NETFILTER_XT_MATCH_ADDRTYPE
+ ~NETFILTER_XT_MATCH_CONNTRACK
+ ~NETFILTER_XT_MATCH_IPVS
+ ~NETFILTER_XT_MARK
+ ~IP_NF_NAT ~NF_NAT
+ ~POSIX_MQUEUE
+ "
+ WARNING_POSIX_MQUEUE="CONFIG_POSIX_MQUEUE: is required for bind-mounting /dev/mqueue into containers"
+
+ if kernel_is lt 4 8; then
+ CONFIG_CHECK+="
+ ~DEVPTS_MULTIPLE_INSTANCES
+ "
+ fi
- if kernel_is lt 4 5; then
+ if kernel_is le 5 1; then
CONFIG_CHECK+="
- ~MEMCG_KMEM
+ ~NF_NAT_IPV4
"
- ERROR_MEMCG_KMEM="CONFIG_MEMCG_KMEM: is optional"
fi
- if kernel_is lt 4 7; then
+ if kernel_is le 5 2; then
CONFIG_CHECK+="
- ~DEVPTS_MULTIPLE_INSTANCES
+ ~NF_NAT_NEEDED
"
fi
- if kernel_is lt 5 1; then
+ if kernel_is ge 4 15; then
CONFIG_CHECK+="
- ~NF_NAT_IPV4
- ~IOSCHED_CFQ
- ~CFQ_GROUP_IOSCHED
+ ~CGROUP_BPF
"
fi
- if kernel_is lt 5 2; then
+ # optional features
+ CONFIG_CHECK+="
+ ~USER_NS
+ "
+
+ if use seccomp; then
CONFIG_CHECK+="
- ~NF_NAT_NEEDED
+ ~SECCOMP ~SECCOMP_FILTER
"
fi
- if kernel_is lt 5 8; then
+ CONFIG_CHECK+="
+ ~CGROUP_PIDS
+ "
+
+ if kernel_is lt 6 1; then
+ CONFIG_CHECK+="
+ ~MEMCG_SWAP
+ "
+ fi
+
+ if kernel_is le 5 8; then
CONFIG_CHECK+="
~MEMCG_SWAP_ENABLED
"
fi
- if use aufs; then
+ CONFIG_CHECK+="
+ ~!LEGACY_VSYSCALL_NATIVE
+ "
+ if kernel_is lt 5 19; then
+ CONFIG_CHECK+="
+ ~LEGACY_VSYSCALL_EMULATE
+ "
+ fi
+ CONFIG_CHECK+="
+ ~!LEGACY_VSYSCALL_NONE
+ "
+ WARNING_LEGACY_VSYSCALL_NONE="CONFIG_LEGACY_VSYSCALL_NONE enabled: \
+ Containers with <=glibc-2.13 will not work"
+
+ if kernel_is le 4 5; then
CONFIG_CHECK+="
- ~AUFS_FS
- ~EXT4_FS_POSIX_ACL ~EXT4_FS_SECURITY
+ ~MEMCG_KMEM
"
- ERROR_AUFS_FS="CONFIG_AUFS_FS: is required to be set if and only if aufs is patched to kernel instead of using standalone"
fi
+ if kernel_is lt 5; then
+ CONFIG_CHECK+="
+ ~IOSCHED_CFQ ~CFQ_GROUP_IOSCHED
+ "
+ fi
+
+ CONFIG_CHECK+="
+ ~BLK_CGROUP ~BLK_DEV_THROTTLING
+ ~CGROUP_PERF
+ ~CGROUP_HUGETLB
+ ~NET_CLS_CGROUP ~CGROUP_NET_PRIO
+ ~CFS_BANDWIDTH ~FAIR_GROUP_SCHED
+ ~IP_NF_TARGET_REDIRECT
+ ~IP_VS
+ ~IP_VS_NFCT
+ ~IP_VS_PROTO_TCP
+ ~IP_VS_PROTO_UDP
+ ~IP_VS_RR
+ "
+
+ if use selinux; then
+ CONFIG_CHECK+="
+ ~SECURITY_SELINUX
+ "
+ fi
+
+ if use apparmor; then
+ CONFIG_CHECK+="
+ ~SECURITY_APPARMOR
+ "
+ fi
+
+ # if ! is_set EXT4_USE_FOR_EXT2; then
+ # check_flags EXT3_FS EXT3_FS_XATTR EXT3_FS_POSIX_ACL EXT3_FS_SECURITY
+ # if ! is_set EXT3_FS || ! is_set EXT3_FS_XATTR || ! is_set EXT3_FS_POSIX_ACL || ! is_set EXT3_FS_SECURITY; then
+ # echo " $(wrap_color '(enable these ext3 configs if you are using ext3 as backing filesystem)' bold black)"
+ # fi
+ # fi
+
+ CONFIG_CHECK+="
+ ~EXT4_FS ~EXT4_FS_POSIX_ACL ~EXT4_FS_SECURITY
+ "
+
+ # if ! is_set EXT4_FS || ! is_set EXT4_FS_POSIX_ACL || ! is_set EXT4_FS_SECURITY; then
+ # if is_set EXT4_USE_FOR_EXT2; then
+ # echo " $(wrap_color 'enable these ext4 configs if you are using ext3 or ext4 as backing filesystem' bold black)"
+ # else
+ # echo " $(wrap_color 'enable these ext4 configs if you are using ext4 as backing filesystem' bold black)"
+ # fi
+ # fi
+
+ # network drivers
+ CONFIG_CHECK+="
+ ~VXLAN ~BRIDGE_VLAN_FILTERING
+ ~CRYPTO ~CRYPTO_AEAD ~CRYPTO_GCM ~CRYPTO_SEQIV ~CRYPTO_GHASH
+ ~XFRM ~XFRM_USER ~XFRM_ALGO ~INET_ESP
+ "
+ if kernel_is le 5 3; then
+ CONFIG_CHECK+="
+ ~INET_XFRM_MODE_TRANSPORT
+ "
+ fi
+
+ CONFIG_CHECK+="
+ ~IPVLAN
+ "
+ CONFIG_CHECK+="
+ ~MACVLAN ~DUMMY
+ "
+ CONFIG_CHECK+="
+ ~NF_NAT_FTP ~NF_CONNTRACK_FTP ~NF_NAT_TFTP ~NF_CONNTRACK_TFTP
+ "
+
+ # storage drivers
if use btrfs; then
CONFIG_CHECK+="
~BTRFS_FS
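Review bot: The isolation-related checks that pkg_setup now builds (`~USER_NS`, `~SECCOMP ~SECCOMP_FILTER`, `~SECURITY_SELINUX`, `~SECURITY_APPARMOR`) have no `WARNING_<option>` text, while the same hunk defines one for POSIX_MQUEUE and LEGACY_VSYSCALL_NONE and deletes the old `ERROR_KEYS` / `ERROR_XFRM_*` explanations. A user whose kernel lacks one of them gets only the generic linux-info line and no hint that a confinement layer selected by USE flag may be unavailable at run time; a line such as `WARNING_SECCOMP_FILTER="CONFIG_SECCOMP_FILTER: is required to apply seccomp profiles to containers"` next to each check would say so. The context comment `# https://bugs.gentoo.org/748984 https://github.com/etcd-io/etcd/pull/12552` above PATCHES now appears stale, since etcd-F_OFD_GETLK-fix.patch is removed from the array. The matching hunks of docker-24.0.6.ebuild and docker-24.0.7-r1.ebuild have the same two points; pkg_setup continues past the end of this hunk.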
@@ -157,10 +230,14 @@ pkg_setup() {
if use device-mapper; then
CONFIG_CHECK+="
- ~BLK_DEV_DM ~DM_THIN_PROVISIONING ~EXT4_FS ~EXT4_FS_POSIX_ACL ~EXT4_FS_SECURITY
+ ~BLK_DEV_DM ~DM_THIN_PROVISIONING
"
fi
+ CONFIG_CHECK+="
+ ~OVERLAY_FS
+ "
+
linux-info_pkg_setup
}
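Review bot: `~OVERLAY_FS` is appended unconditionally at the end of pkg_setup, while the btrfs and device-mapper checks just above it are wrapped in `if use btrfs` / `if use device-mapper`, and `overlay` is still an IUSE flag that the src_compile loop turns into `exclude_graphdriver_overlay`. With USE=-overlay the user is warned about a kernel option for a driver that is compiled out; wrapping the block in `if use overlay; then` … `fi` would match the other storage drivers. The old global list also checked `~!OVERLAY_FS_REDIRECT_DIR`, which is dropped in the previous hunk without a comment; if that is intentional, a one-line note under `# storage drivers` would record why. The same hunk appears in docker-24.0.6.ebuild and docker-24.0.7-r1.ebuild, and pkg_setup starts before this hunk.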
@@ -176,7 +253,7 @@ src_compile() {
# let's set up some optional features :)
export DOCKER_BUILDTAGS=''
- for gd in aufs btrfs device-mapper overlay; do
+ for gd in btrfs device-mapper overlay; do
if ! use $gd; then
DOCKER_BUILDTAGS+=" exclude_graphdriver_${gd//-/}"
fi
@@ -188,15 +265,9 @@ src_compile() {
fi
done
- if use hardened; then
- sed -i "s/EXTLDFLAGS_STATIC='/&-fno-PIC /" hack/make.sh || die
- grep -q -- '-fno-PIC' hack/make.sh || die 'hardened sed failed'
- sed "s/LDFLAGS_STATIC_DOCKER='/&-extldflags -fno-PIC /" \
- -i hack/make/dynbinary-daemon || die
- grep -q -- '-fno-PIC' hack/make/dynbinary-daemon || die 'hardened sed failed'
- fi
+ export SYSTEMD=$(usex systemd 1 0)
- # build daemon
+ # build binaries
./hack/make.sh dynbinary || die 'dynbinary failed'
}
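Review bot: `export SYSTEMD=$(usex systemd 1 0)` puts a very generic variable name into the build environment with no comment on what reads it. Presumably it is consumed by the build scripts once docker-24.0.5-automagic-systemd.patch is applied, but that patch is not shown here; if so, a comment such as `# SYSTEMD is read by the patched build scripts (see docker-24.0.5-automagic-systemd.patch)` would make the coupling visible, so the export is not left behind when the patch is dropped. src_compile starts before this hunk, and docker-24.0.7-r1.ebuild has the same line.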
@@ -205,7 +276,8 @@ src_install() {
dosym containerd-shim /usr/bin/docker-containerd-shim
dosym runc /usr/bin/docker-runc
use container-init && dosym tini /usr/bin/docker-init
- newbin bundles/dynbinary-daemon/dockerd dockerd
+ dobin bundles/dynbinary-daemon/dockerd
+ dobin bundles/dynbinary-daemon/docker-proxy
newinitd contrib/init/openrc/docker.initd docker
newconfd contrib/init/openrc/docker.confd docker
@@ -214,7 +286,7 @@ src_install() {
udev_dorules contrib/udev/*.rules
- dodoc AUTHORS CONTRIBUTING.md CHANGELOG.md NOTICE README.md
+ dodoc AUTHORS CONTRIBUTING.md NOTICE README.md
dodoc -r docs/*
# note: intentionally not using "doins" so that we preserve +x bits
@@ -255,25 +327,8 @@ pkg_postinst() {
elog " Check https://docs.docker.com/storage/storagedriver/zfs-driver for more info"
elog
fi
+}
- if use cli; then
- ewarn "Starting with docker 20.10.2, docker has been split into"
- ewarn "two packages upstream, so Gentoo has followed suit."
- ewarn
- ewarn "app-containers/docker contains the daemon and"
- ewarn "app-containers/docker-cli contains the docker command."
- ewarn
- ewarn "docker currently installs docker-cli using the cli use flag."
- ewarn
- ewarn "This use flag is temporary, so you need to take the"
- ewarn "following actions:"
- ewarn
- ewarn "First, disable the cli use flag for app-containers/docker"
- ewarn
- ewarn "Then, if you need docker-cli and docker on the same machine,"
- ewarn "run the following command:"
- ewarn
- ewarn "# emerge --noreplace docker-cli"
- ewarn
- fi
+pkg_postrm() {
+ udev_reload
}
diff --git a/app-containers/docker/docker-20.10.16.ebuild b/app-containers/docker/docker-24.0.6.ebuild
index 58fd7b5b426c..6a8cc58fd1f6 100644
--- a/app-containers/docker/docker-20.10.16.ebuild
+++ b/app-containers/docker/docker-24.0.6.ebuild
@@ -1,11 +1,11 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
EGO_PN=github.com/docker/docker
MY_PV=${PV/_/-}
-GIT_COMMIT=f756502055
inherit linux-info systemd udev golang-vcs-snapshot
+GIT_COMMIT=1a7969545d73537545645f5cd2c79b7a77e7d39f
DESCRIPTION="The core functions you need to create Docker images and run Docker containers"
HOMEPAGE="https://www.docker.com/"
@@ -14,8 +14,7 @@ SRC_URI="https://github.com/moby/moby/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
LICENSE="Apache-2.0"
SLOT="0"
KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
-IUSE="apparmor aufs btrfs +cli +container-init device-mapper hardened
-overlay seccomp selinux"
+IUSE="apparmor btrfs +container-init device-mapper overlay seccomp selinux"
DEPEND="
acct-group/docker
@@ -28,9 +27,6 @@ DEPEND="
# https://github.com/moby/moby/blob/master/project/PACKAGERS.md#runtime-dependencies
# https://github.com/moby/moby/blob/master/project/PACKAGERS.md#optional-dependencies
-# https://github.com/moby/moby/tree/master//hack/dockerfile/install
-# make sure docker-proxy is pinned to exact version from ^,
-# for appropriate branchch/version of course
RDEPEND="
${DEPEND}
>=net-firewall/iptables-1.4
@@ -38,9 +34,9 @@ RDEPEND="
>=dev-vcs/git-1.7
>=app-arch/xz-utils-4.9
dev-libs/libltdl
- >=app-containers/containerd-1.6.4[apparmor?,btrfs?,device-mapper?,seccomp?]
- ~app-containers/docker-proxy-0.8.0_p20220315
- cli? ( ~app-containers/docker-cli-${PV} )
+ >=app-containers/containerd-1.7.3[apparmor?,btrfs?,device-mapper?,seccomp?]
+ >=app-containers/runc-1.1.9[apparmor?,seccomp?]
+ !app-containers/docker-proxy
container-init? ( >=sys-process/tini-0.19.0[static] )
selinux? ( sec-policy/selinux-docker )
"
@@ -58,97 +54,172 @@ S="${WORKDIR}/${P}/src/${EGO_PN}"
# https://bugs.gentoo.org/748984 https://github.com/etcd-io/etcd/pull/12552
PATCHES=(
- "${FILESDIR}/ppc64-buildmode.patch"
+ "${FILESDIR}/0001-Openrc-Depend-on-containerd-init-script.patch"
)
-# see "contrib/check-config.sh" from upstream's sources
-CONFIG_CHECK="
- ~NAMESPACES ~NET_NS ~PID_NS ~IPC_NS ~UTS_NS
- ~CGROUPS ~CGROUP_CPUACCT ~CGROUP_DEVICE ~CGROUP_FREEZER ~CGROUP_SCHED ~CPUSETS ~MEMCG
- ~CGROUP_NET_PRIO
- ~KEYS
- ~VETH ~BRIDGE ~BRIDGE_NETFILTER
- ~IP_NF_FILTER ~IP_NF_TARGET_MASQUERADE ~NETFILTER_XT_MARK
- ~NETFILTER_NETLINK ~NETFILTER_XT_MATCH_ADDRTYPE ~NETFILTER_XT_MATCH_CONNTRACK ~NETFILTER_XT_MATCH_IPVS
- ~IP_NF_NAT ~NF_NAT
- ~POSIX_MQUEUE
-
- ~USER_NS
- ~SECCOMP
- ~CGROUP_PIDS
- ~MEMCG_SWAP
-
- ~BLK_CGROUP ~BLK_DEV_THROTTLING
- ~CGROUP_PERF
- ~CGROUP_HUGETLB
- ~NET_CLS_CGROUP
- ~CFS_BANDWIDTH ~FAIR_GROUP_SCHED
- ~IP_VS ~IP_VS_PROTO_TCP ~IP_VS_PROTO_UDP ~IP_VS_NFCT ~IP_VS_RR
-
- ~VXLAN
- ~CRYPTO ~CRYPTO_AEAD ~CRYPTO_GCM ~CRYPTO_SEQIV ~CRYPTO_GHASH ~XFRM_ALGO ~XFRM_USER
- ~IPVLAN
- ~MACVLAN ~DUMMY
-
- ~OVERLAY_FS ~!OVERLAY_FS_REDIRECT_DIR
- ~EXT4_FS_SECURITY
- ~EXT4_FS_POSIX_ACL
-"
-
-ERROR_KEYS="CONFIG_KEYS: is mandatory"
-ERROR_MEMCG_SWAP="CONFIG_MEMCG_SWAP: is required if you wish to limit swap usage of containers"
-ERROR_RESOURCE_COUNTERS="CONFIG_RESOURCE_COUNTERS: is optional for container statistics gathering"
-
-ERROR_BLK_CGROUP="CONFIG_BLK_CGROUP: is optional for container statistics gathering"
-ERROR_IOSCHED_CFQ="CONFIG_IOSCHED_CFQ: is optional for container statistics gathering"
-ERROR_CGROUP_PERF="CONFIG_CGROUP_PERF: is optional for container statistics gathering"
-ERROR_CFS_BANDWIDTH="CONFIG_CFS_BANDWIDTH: is optional for container statistics gathering"
-ERROR_XFRM_ALGO="CONFIG_XFRM_ALGO: is optional for secure networks"
-ERROR_XFRM_USER="CONFIG_XFRM_USER: is optional for secure networks"
-
pkg_setup() {
+ # this is based on "contrib/check-config.sh" from upstream's sources
+ # required features.
+ CONFIG_CHECK="
+ ~NAMESPACES ~NET_NS ~PID_NS ~IPC_NS ~UTS_NS
+ ~CGROUPS ~CGROUP_CPUACCT ~CGROUP_DEVICE ~CGROUP_FREEZER ~CGROUP_SCHED ~CPUSETS ~MEMCG
+ ~KEYS
+ ~VETH ~BRIDGE ~BRIDGE_NETFILTER
+ ~IP_NF_FILTER ~IP_NF_TARGET_MASQUERADE
+ ~NETFILTER_XT_MATCH_ADDRTYPE
+ ~NETFILTER_XT_MATCH_CONNTRACK
+ ~NETFILTER_XT_MATCH_IPVS
+ ~NETFILTER_XT_MARK
+ ~IP_NF_NAT ~NF_NAT
+ ~POSIX_MQUEUE
+ "
+ WARNING_POSIX_MQUEUE="CONFIG_POSIX_MQUEUE: is required for bind-mounting /dev/mqueue into containers"
+
+ if kernel_is lt 4 8; then
+ CONFIG_CHECK+="
+ ~DEVPTS_MULTIPLE_INSTANCES
+ "
+ fi
- if kernel_is lt 4 5; then
+ if kernel_is le 5 1; then
CONFIG_CHECK+="
- ~MEMCG_KMEM
+ ~NF_NAT_IPV4
"
- ERROR_MEMCG_KMEM="CONFIG_MEMCG_KMEM: is optional"
fi
- if kernel_is lt 4 7; then
+ if kernel_is le 5 2; then
CONFIG_CHECK+="
- ~DEVPTS_MULTIPLE_INSTANCES
+ ~NF_NAT_NEEDED
"
fi
- if kernel_is lt 5 1; then
+ if kernel_is ge 4 15; then
CONFIG_CHECK+="
- ~NF_NAT_IPV4
- ~IOSCHED_CFQ
- ~CFQ_GROUP_IOSCHED
+ ~CGROUP_BPF
"
fi
- if kernel_is lt 5 2; then
+ # optional features
+ CONFIG_CHECK+="
+ ~USER_NS
+ "
+
+ if use seccomp; then
CONFIG_CHECK+="
- ~NF_NAT_NEEDED
+ ~SECCOMP ~SECCOMP_FILTER
"
fi
- if kernel_is lt 5 8; then
+ CONFIG_CHECK+="
+ ~CGROUP_PIDS
+ "
+
+ if kernel_is lt 6 1; then
+ CONFIG_CHECK+="
+ ~MEMCG_SWAP
+ "
+ fi
+
+ if kernel_is le 5 8; then
CONFIG_CHECK+="
~MEMCG_SWAP_ENABLED
"
fi
- if use aufs; then
+ CONFIG_CHECK+="
+ ~!LEGACY_VSYSCALL_NATIVE
+ "
+ if kernel_is lt 5 19; then
+ CONFIG_CHECK+="
+ ~LEGACY_VSYSCALL_EMULATE
+ "
+ fi
+ CONFIG_CHECK+="
+ ~!LEGACY_VSYSCALL_NONE
+ "
+ WARNING_LEGACY_VSYSCALL_NONE="CONFIG_LEGACY_VSYSCALL_NONE enabled: \
+ Containers with <=glibc-2.13 will not work"
+
+ if kernel_is le 4 5; then
+ CONFIG_CHECK+="
+ ~MEMCG_KMEM
+ "
+ fi
+
+ if kernel_is lt 5; then
CONFIG_CHECK+="
- ~AUFS_FS
- ~EXT4_FS_POSIX_ACL ~EXT4_FS_SECURITY
+ ~IOSCHED_CFQ ~CFQ_GROUP_IOSCHED
"
- ERROR_AUFS_FS="CONFIG_AUFS_FS: is required to be set if and only if aufs is patched to kernel instead of using standalone"
fi
+ CONFIG_CHECK+="
+ ~BLK_CGROUP ~BLK_DEV_THROTTLING
+ ~CGROUP_PERF
+ ~CGROUP_HUGETLB
+ ~NET_CLS_CGROUP ~CGROUP_NET_PRIO
+ ~CFS_BANDWIDTH ~FAIR_GROUP_SCHED
+ ~IP_NF_TARGET_REDIRECT
+ ~IP_VS
+ ~IP_VS_NFCT
+ ~IP_VS_PROTO_TCP
+ ~IP_VS_PROTO_UDP
+ ~IP_VS_RR
+ "
+
+ if use selinux; then
+ CONFIG_CHECK+="
+ ~SECURITY_SELINUX
+ "
+ fi
+
+ if use apparmor; then
+ CONFIG_CHECK+="
+ ~SECURITY_APPARMOR
+ "
+ fi
+
+ # if ! is_set EXT4_USE_FOR_EXT2; then
+ # check_flags EXT3_FS EXT3_FS_XATTR EXT3_FS_POSIX_ACL EXT3_FS_SECURITY
+ # if ! is_set EXT3_FS || ! is_set EXT3_FS_XATTR || ! is_set EXT3_FS_POSIX_ACL || ! is_set EXT3_FS_SECURITY; then
+ # echo " $(wrap_color '(enable these ext3 configs if you are using ext3 as backing filesystem)' bold black)"
+ # fi
+ # fi
+
+ CONFIG_CHECK+="
+ ~EXT4_FS ~EXT4_FS_POSIX_ACL ~EXT4_FS_SECURITY
+ "
+
+ # if ! is_set EXT4_FS || ! is_set EXT4_FS_POSIX_ACL || ! is_set EXT4_FS_SECURITY; then
+ # if is_set EXT4_USE_FOR_EXT2; then
+ # echo " $(wrap_color 'enable these ext4 configs if you are using ext3 or ext4 as backing filesystem' bold black)"
+ # else
+ # echo " $(wrap_color 'enable these ext4 configs if you are using ext4 as backing filesystem' bold black)"
+ # fi
+ # fi
+
+ # network drivers
+ CONFIG_CHECK+="
+ ~VXLAN ~BRIDGE_VLAN_FILTERING
+ ~CRYPTO ~CRYPTO_AEAD ~CRYPTO_GCM ~CRYPTO_SEQIV ~CRYPTO_GHASH
+ ~XFRM ~XFRM_USER ~XFRM_ALGO ~INET_ESP
+ "
+ if kernel_is le 5 3; then
+ CONFIG_CHECK+="
+ ~INET_XFRM_MODE_TRANSPORT
+ "
+ fi
+
+ CONFIG_CHECK+="
+ ~IPVLAN
+ "
+ CONFIG_CHECK+="
+ ~MACVLAN ~DUMMY
+ "
+ CONFIG_CHECK+="
+ ~NF_NAT_FTP ~NF_CONNTRACK_FTP ~NF_NAT_TFTP ~NF_CONNTRACK_TFTP
+ "
+
+ # storage drivers
if use btrfs; then
CONFIG_CHECK+="
~BTRFS_FS
@@ -158,10 +229,14 @@ pkg_setup() {
if use device-mapper; then
CONFIG_CHECK+="
- ~BLK_DEV_DM ~DM_THIN_PROVISIONING ~EXT4_FS ~EXT4_FS_POSIX_ACL ~EXT4_FS_SECURITY
+ ~BLK_DEV_DM ~DM_THIN_PROVISIONING
"
fi
+ CONFIG_CHECK+="
+ ~OVERLAY_FS
+ "
+
linux-info_pkg_setup
}
@@ -177,7 +252,7 @@ src_compile() {
# let's set up some optional features :)
export DOCKER_BUILDTAGS=''
- for gd in aufs btrfs device-mapper overlay; do
+ for gd in btrfs device-mapper overlay; do
if ! use $gd; then
DOCKER_BUILDTAGS+=" exclude_graphdriver_${gd//-/}"
fi
@@ -189,15 +264,7 @@ src_compile() {
fi
done
- if use hardened; then
- sed -i "s/EXTLDFLAGS_STATIC='/&-fno-PIC /" hack/make.sh || die
- grep -q -- '-fno-PIC' hack/make.sh || die 'hardened sed failed'
- sed "s/LDFLAGS_STATIC_DOCKER='/&-extldflags -fno-PIC /" \
- -i hack/make/dynbinary-daemon || die
- grep -q -- '-fno-PIC' hack/make/dynbinary-daemon || die 'hardened sed failed'
- fi
-
- # build daemon
+ # build binaries
./hack/make.sh dynbinary || die 'dynbinary failed'
}
@@ -206,7 +273,8 @@ src_install() {
dosym containerd-shim /usr/bin/docker-containerd-shim
dosym runc /usr/bin/docker-runc
use container-init && dosym tini /usr/bin/docker-init
- newbin bundles/dynbinary-daemon/dockerd dockerd
+ dobin bundles/dynbinary-daemon/dockerd
+ dobin bundles/dynbinary-daemon/docker-proxy
newinitd contrib/init/openrc/docker.initd docker
newconfd contrib/init/openrc/docker.confd docker
@@ -215,7 +283,7 @@ src_install() {
udev_dorules contrib/udev/*.rules
- dodoc AUTHORS CONTRIBUTING.md CHANGELOG.md NOTICE README.md
+ dodoc AUTHORS CONTRIBUTING.md NOTICE README.md
dodoc -r docs/*
# note: intentionally not using "doins" so that we preserve +x bits
@@ -256,25 +324,8 @@ pkg_postinst() {
elog " Check https://docs.docker.com/storage/storagedriver/zfs-driver for more info"
elog
fi
+}
- if use cli; then
- ewarn "Starting with docker 20.10.2, docker has been split into"
- ewarn "two packages upstream, so Gentoo has followed suit."
- ewarn
- ewarn "app-containers/docker contains the daemon and"
- ewarn "app-containers/docker-cli contains the docker command."
- ewarn
- ewarn "docker currently installs docker-cli using the cli use flag."
- ewarn
- ewarn "This use flag is temporary, so you need to take the"
- ewarn "following actions:"
- ewarn
- ewarn "First, disable the cli use flag for app-containers/docker"
- ewarn
- ewarn "Then, if you need docker-cli and docker on the same machine,"
- ewarn "run the following command:"
- ewarn
- ewarn "# emerge --noreplace docker-cli"
- ewarn
- fi
+pkg_postrm() {
+ udev_reload
}
diff --git a/app-containers/docker/docker-20.10.14.ebuild b/app-containers/docker/docker-24.0.7-r1.ebuild
index d57cbbed264c..ad913c3d0c3b 100644
--- a/app-containers/docker/docker-20.10.14.ebuild
+++ b/app-containers/docker/docker-24.0.7-r1.ebuild
@@ -1,11 +1,11 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
EGO_PN=github.com/docker/docker
MY_PV=${PV/_/-}
-GIT_COMMIT=87a90dc786
inherit linux-info systemd udev golang-vcs-snapshot
+GIT_COMMIT=311b9ff0aa93aa55880e1e5f8871c4fb69583426
DESCRIPTION="The core functions you need to create Docker images and run Docker containers"
HOMEPAGE="https://www.docker.com/"
@@ -14,8 +14,7 @@ SRC_URI="https://github.com/moby/moby/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
LICENSE="Apache-2.0"
SLOT="0"
KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
-IUSE="apparmor aufs btrfs +cli +container-init device-mapper hardened
-overlay seccomp selinux"
+IUSE="apparmor btrfs +container-init device-mapper overlay seccomp selinux systemd"
DEPEND="
acct-group/docker
@@ -24,13 +23,11 @@ DEPEND="
btrfs? ( >=sys-fs/btrfs-progs-3.16.1 )
device-mapper? ( >=sys-fs/lvm2-2.02.89[thin] )
seccomp? ( >=sys-libs/libseccomp-2.2.1 )
+ systemd? ( sys-apps/systemd )
"
# https://github.com/moby/moby/blob/master/project/PACKAGERS.md#runtime-dependencies
# https://github.com/moby/moby/blob/master/project/PACKAGERS.md#optional-dependencies
-# https://github.com/moby/moby/tree/master//hack/dockerfile/install
-# make sure docker-proxy is pinned to exact version from ^,
-# for appropriate branchch/version of course
RDEPEND="
${DEPEND}
>=net-firewall/iptables-1.4
@@ -38,9 +35,9 @@ RDEPEND="
>=dev-vcs/git-1.7
>=app-arch/xz-utils-4.9
dev-libs/libltdl
- >=app-containers/containerd-1.4.12[apparmor?,btrfs?,device-mapper?,seccomp?]
- ~app-containers/docker-proxy-0.8.0_p20210525
- cli? ( ~app-containers/docker-cli-${PV} )
+ >=app-containers/containerd-1.7.3[apparmor?,btrfs?,device-mapper?,seccomp?]
+ >=app-containers/runc-1.1.9[apparmor?,seccomp?]
+ !app-containers/docker-proxy
container-init? ( >=sys-process/tini-0.19.0[static] )
selinux? ( sec-policy/selinux-docker )
"
@@ -58,97 +55,173 @@ S="${WORKDIR}/${P}/src/${EGO_PN}"
# https://bugs.gentoo.org/748984 https://github.com/etcd-io/etcd/pull/12552
PATCHES=(
- "${FILESDIR}/ppc64-buildmode.patch"
+ "${FILESDIR}/0001-Openrc-Depend-on-containerd-init-script.patch"
+ "${FILESDIR}/docker-24.0.5-automagic-systemd.patch"
)
-# see "contrib/check-config.sh" from upstream's sources
-CONFIG_CHECK="
- ~NAMESPACES ~NET_NS ~PID_NS ~IPC_NS ~UTS_NS
- ~CGROUPS ~CGROUP_CPUACCT ~CGROUP_DEVICE ~CGROUP_FREEZER ~CGROUP_SCHED ~CPUSETS ~MEMCG
- ~CGROUP_NET_PRIO
- ~KEYS
- ~VETH ~BRIDGE ~BRIDGE_NETFILTER
- ~IP_NF_FILTER ~IP_NF_TARGET_MASQUERADE ~NETFILTER_XT_MARK
- ~NETFILTER_NETLINK ~NETFILTER_XT_MATCH_ADDRTYPE ~NETFILTER_XT_MATCH_CONNTRACK ~NETFILTER_XT_MATCH_IPVS
- ~IP_NF_NAT ~NF_NAT
- ~POSIX_MQUEUE
-
- ~USER_NS
- ~SECCOMP
- ~CGROUP_PIDS
- ~MEMCG_SWAP
-
- ~BLK_CGROUP ~BLK_DEV_THROTTLING
- ~CGROUP_PERF
- ~CGROUP_HUGETLB
- ~NET_CLS_CGROUP
- ~CFS_BANDWIDTH ~FAIR_GROUP_SCHED
- ~IP_VS ~IP_VS_PROTO_TCP ~IP_VS_PROTO_UDP ~IP_VS_NFCT ~IP_VS_RR
-
- ~VXLAN
- ~CRYPTO ~CRYPTO_AEAD ~CRYPTO_GCM ~CRYPTO_SEQIV ~CRYPTO_GHASH ~XFRM_ALGO ~XFRM_USER
- ~IPVLAN
- ~MACVLAN ~DUMMY
-
- ~OVERLAY_FS ~!OVERLAY_FS_REDIRECT_DIR
- ~EXT4_FS_SECURITY
- ~EXT4_FS_POSIX_ACL
-"
-
-ERROR_KEYS="CONFIG_KEYS: is mandatory"
-ERROR_MEMCG_SWAP="CONFIG_MEMCG_SWAP: is required if you wish to limit swap usage of containers"
-ERROR_RESOURCE_COUNTERS="CONFIG_RESOURCE_COUNTERS: is optional for container statistics gathering"
-
-ERROR_BLK_CGROUP="CONFIG_BLK_CGROUP: is optional for container statistics gathering"
-ERROR_IOSCHED_CFQ="CONFIG_IOSCHED_CFQ: is optional for container statistics gathering"
-ERROR_CGROUP_PERF="CONFIG_CGROUP_PERF: is optional for container statistics gathering"
-ERROR_CFS_BANDWIDTH="CONFIG_CFS_BANDWIDTH: is optional for container statistics gathering"
-ERROR_XFRM_ALGO="CONFIG_XFRM_ALGO: is optional for secure networks"
-ERROR_XFRM_USER="CONFIG_XFRM_USER: is optional for secure networks"
-
pkg_setup() {
+ # this is based on "contrib/check-config.sh" from upstream's sources
+ # required features.
+ CONFIG_CHECK="
+ ~NAMESPACES ~NET_NS ~PID_NS ~IPC_NS ~UTS_NS
+ ~CGROUPS ~CGROUP_CPUACCT ~CGROUP_DEVICE ~CGROUP_FREEZER ~CGROUP_SCHED ~CPUSETS ~MEMCG
+ ~KEYS
+ ~VETH ~BRIDGE ~BRIDGE_NETFILTER
+ ~IP_NF_FILTER ~IP_NF_TARGET_MASQUERADE
+ ~NETFILTER_XT_MATCH_ADDRTYPE
+ ~NETFILTER_XT_MATCH_CONNTRACK
+ ~NETFILTER_XT_MATCH_IPVS
+ ~NETFILTER_XT_MARK
+ ~IP_NF_NAT ~NF_NAT
+ ~POSIX_MQUEUE
+ "
+ WARNING_POSIX_MQUEUE="CONFIG_POSIX_MQUEUE: is required for bind-mounting /dev/mqueue into containers"
+
+ if kernel_is lt 4 8; then
+ CONFIG_CHECK+="
+ ~DEVPTS_MULTIPLE_INSTANCES
+ "
+ fi
- if kernel_is lt 4 5; then
+ if kernel_is le 5 1; then
CONFIG_CHECK+="
- ~MEMCG_KMEM
+ ~NF_NAT_IPV4
"
- ERROR_MEMCG_KMEM="CONFIG_MEMCG_KMEM: is optional"
fi
- if kernel_is lt 4 7; then
+ if kernel_is le 5 2; then
CONFIG_CHECK+="
- ~DEVPTS_MULTIPLE_INSTANCES
+ ~NF_NAT_NEEDED
"
fi
- if kernel_is lt 5 1; then
+ if kernel_is ge 4 15; then
CONFIG_CHECK+="
- ~NF_NAT_IPV4
- ~IOSCHED_CFQ
- ~CFQ_GROUP_IOSCHED
+ ~CGROUP_BPF
"
fi
- if kernel_is lt 5 2; then
+ # optional features
+ CONFIG_CHECK+="
+ ~USER_NS
+ "
+
+ if use seccomp; then
CONFIG_CHECK+="
- ~NF_NAT_NEEDED
+ ~SECCOMP ~SECCOMP_FILTER
"
fi
- if kernel_is lt 5 8; then
+ CONFIG_CHECK+="
+ ~CGROUP_PIDS
+ "
+
+ if kernel_is lt 6 1; then
+ CONFIG_CHECK+="
+ ~MEMCG_SWAP
+ "
+ fi
+
+ if kernel_is le 5 8; then
CONFIG_CHECK+="
~MEMCG_SWAP_ENABLED
"
fi
- if use aufs; then
+ CONFIG_CHECK+="
+ ~!LEGACY_VSYSCALL_NATIVE
+ "
+ if kernel_is lt 5 19; then
+ CONFIG_CHECK+="
+ ~LEGACY_VSYSCALL_EMULATE
+ "
+ fi
+ CONFIG_CHECK+="
+ ~!LEGACY_VSYSCALL_NONE
+ "
+ WARNING_LEGACY_VSYSCALL_NONE="CONFIG_LEGACY_VSYSCALL_NONE enabled: \
+ Containers with <=glibc-2.13 will not work"
+
+ if kernel_is le 4 5; then
CONFIG_CHECK+="
- ~AUFS_FS
- ~EXT4_FS_POSIX_ACL ~EXT4_FS_SECURITY
+ ~MEMCG_KMEM
"
- ERROR_AUFS_FS="CONFIG_AUFS_FS: is required to be set if and only if aufs is patched to kernel instead of using standalone"
fi
+ if kernel_is lt 5; then
+ CONFIG_CHECK+="
+ ~IOSCHED_CFQ ~CFQ_GROUP_IOSCHED
+ "
+ fi
+
+ CONFIG_CHECK+="
+ ~BLK_CGROUP ~BLK_DEV_THROTTLING
+ ~CGROUP_PERF
+ ~CGROUP_HUGETLB
+ ~NET_CLS_CGROUP ~CGROUP_NET_PRIO
+ ~CFS_BANDWIDTH ~FAIR_GROUP_SCHED
+ ~IP_NF_TARGET_REDIRECT
+ ~IP_VS
+ ~IP_VS_NFCT
+ ~IP_VS_PROTO_TCP
+ ~IP_VS_PROTO_UDP
+ ~IP_VS_RR
+ "
+
+ if use selinux; then
+ CONFIG_CHECK+="
+ ~SECURITY_SELINUX
+ "
+ fi
+
+ if use apparmor; then
+ CONFIG_CHECK+="
+ ~SECURITY_APPARMOR
+ "
+ fi
+
+ # if ! is_set EXT4_USE_FOR_EXT2; then
+ # check_flags EXT3_FS EXT3_FS_XATTR EXT3_FS_POSIX_ACL EXT3_FS_SECURITY
+ # if ! is_set EXT3_FS || ! is_set EXT3_FS_XATTR || ! is_set EXT3_FS_POSIX_ACL || ! is_set EXT3_FS_SECURITY; then
+ # echo " $(wrap_color '(enable these ext3 configs if you are using ext3 as backing filesystem)' bold black)"
+ # fi
+ # fi
+
+ CONFIG_CHECK+="
+ ~EXT4_FS ~EXT4_FS_POSIX_ACL ~EXT4_FS_SECURITY
+ "
+
+ # if ! is_set EXT4_FS || ! is_set EXT4_FS_POSIX_ACL || ! is_set EXT4_FS_SECURITY; then
+ # if is_set EXT4_USE_FOR_EXT2; then
+ # echo " $(wrap_color 'enable these ext4 configs if you are using ext3 or ext4 as backing filesystem' bold black)"
+ # else
+ # echo " $(wrap_color 'enable these ext4 configs if you are using ext4 as backing filesystem' bold black)"
+ # fi
+ # fi
+
+ # network drivers
+ CONFIG_CHECK+="
+ ~VXLAN ~BRIDGE_VLAN_FILTERING
+ ~CRYPTO ~CRYPTO_AEAD ~CRYPTO_GCM ~CRYPTO_SEQIV ~CRYPTO_GHASH
+ ~XFRM ~XFRM_USER ~XFRM_ALGO ~INET_ESP
+ "
+ if kernel_is le 5 3; then
+ CONFIG_CHECK+="
+ ~INET_XFRM_MODE_TRANSPORT
+ "
+ fi
+
+ CONFIG_CHECK+="
+ ~IPVLAN
+ "
+ CONFIG_CHECK+="
+ ~MACVLAN ~DUMMY
+ "
+ CONFIG_CHECK+="
+ ~NF_NAT_FTP ~NF_CONNTRACK_FTP ~NF_NAT_TFTP ~NF_CONNTRACK_TFTP
+ "
+
+ # storage drivers
if use btrfs; then
CONFIG_CHECK+="
~BTRFS_FS
@@ -158,10 +231,14 @@ pkg_setup() {
if use device-mapper; then
CONFIG_CHECK+="
- ~BLK_DEV_DM ~DM_THIN_PROVISIONING ~EXT4_FS ~EXT4_FS_POSIX_ACL ~EXT4_FS_SECURITY
+ ~BLK_DEV_DM ~DM_THIN_PROVISIONING
"
fi
+ CONFIG_CHECK+="
+ ~OVERLAY_FS
+ "
+
linux-info_pkg_setup
}
@@ -177,7 +254,7 @@ src_compile() {
# let's set up some optional features :)
export DOCKER_BUILDTAGS=''
- for gd in aufs btrfs device-mapper overlay; do
+ for gd in btrfs device-mapper overlay; do
if ! use $gd; then
DOCKER_BUILDTAGS+=" exclude_graphdriver_${gd//-/}"
fi
@@ -189,15 +266,9 @@ src_compile() {
fi
done
- if use hardened; then
- sed -i "s/EXTLDFLAGS_STATIC='/&-fno-PIC /" hack/make.sh || die
- grep -q -- '-fno-PIC' hack/make.sh || die 'hardened sed failed'
- sed "s/LDFLAGS_STATIC_DOCKER='/&-extldflags -fno-PIC /" \
- -i hack/make/dynbinary-daemon || die
- grep -q -- '-fno-PIC' hack/make/dynbinary-daemon || die 'hardened sed failed'
- fi
+ export SYSTEMD=$(usex systemd 1 0)
- # build daemon
+ # build binaries
./hack/make.sh dynbinary || die 'dynbinary failed'
}
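Review bot: The added `export SYSTEMD=$(usex systemd 1 0)` has no comment saying who reads it, and nothing else visible in src_compile refers to that variable. Judging by the automagic-systemd patches later in this commit, the patched `hack/make.sh` reads it to decide whether the `journald` build tag is added. A line such as `# read by the automagic-systemd patch to hack/make.sh, bug #914076` above the export would make that link explicit. src_compile starts outside this hunk, so it cannot be confirmed from here that this ebuild has `systemd` in IUSE and the patch in PATCHES.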
@@ -206,7 +277,8 @@ src_install() {
dosym containerd-shim /usr/bin/docker-containerd-shim
dosym runc /usr/bin/docker-runc
use container-init && dosym tini /usr/bin/docker-init
- newbin bundles/dynbinary-daemon/dockerd dockerd
+ dobin bundles/dynbinary-daemon/dockerd
+ dobin bundles/dynbinary-daemon/docker-proxy
newinitd contrib/init/openrc/docker.initd docker
newconfd contrib/init/openrc/docker.confd docker
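Review bot: The new `dobin bundles/dynbinary-daemon/docker-proxy` installs /usr/bin/docker-proxy, a path the separate app-containers/docker-proxy package presumably also owns. The new-file ebuilds in this commit carry `!app-containers/docker-proxy` in RDEPEND, but this hunk does not show the dependency block of the renamed ebuild. Confirm the same blocker is present there, otherwise the merge would end in a file collision. src_install begins and ends outside the hunk.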
@@ -215,7 +287,7 @@ src_install() {
udev_dorules contrib/udev/*.rules
- dodoc AUTHORS CONTRIBUTING.md CHANGELOG.md NOTICE README.md
+ dodoc AUTHORS CONTRIBUTING.md NOTICE README.md
dodoc -r docs/*
# note: intentionally not using "doins" so that we preserve +x bits
@@ -256,25 +328,8 @@ pkg_postinst() {
elog " Check https://docs.docker.com/storage/storagedriver/zfs-driver for more info"
elog
fi
+}
- if use cli; then
- ewarn "Starting with docker 20.10.2, docker has been split into"
- ewarn "two packages upstream, so Gentoo has followed suit."
- ewarn
- ewarn "app-containers/docker contains the daemon and"
- ewarn "app-containers/docker-cli contains the docker command."
- ewarn
- ewarn "docker currently installs docker-cli using the cli use flag."
- ewarn
- ewarn "This use flag is temporary, so you need to take the"
- ewarn "following actions:"
- ewarn
- ewarn "First, disable the cli use flag for app-containers/docker"
- ewarn
- ewarn "Then, if you need docker-cli and docker on the same machine,"
- ewarn "run the following command:"
- ewarn
- ewarn "# emerge --noreplace docker-cli"
- ewarn
- fi
+pkg_postrm() {
+ udev_reload
}
diff --git a/app-containers/docker/docker-25.0.1.ebuild b/app-containers/docker/docker-25.0.1.ebuild
new file mode 100644
index 000000000000..92c7e31beb2d
--- /dev/null
+++ b/app-containers/docker/docker-25.0.1.ebuild
@@ -0,0 +1,318 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+EGO_PN=github.com/docker/docker
+MY_PV=${PV/_/-}
+inherit linux-info systemd udev golang-vcs-snapshot
+GIT_COMMIT=71fa3ab079ec13d17257f86fa92db8d7f24802f1
+
+DESCRIPTION="The core functions you need to create Docker images and run Docker containers"
+HOMEPAGE="https://www.docker.com/"
+SRC_URI="https://github.com/moby/moby/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
+IUSE="apparmor btrfs +container-init overlay seccomp selinux"
+
+DEPEND="
+ acct-group/docker
+ >=dev-db/sqlite-3.7.9:3
+ apparmor? ( sys-libs/libapparmor )
+ btrfs? ( >=sys-fs/btrfs-progs-3.16.1 )
+ seccomp? ( >=sys-libs/libseccomp-2.2.1 )
+"
+
+# https://github.com/moby/moby/blob/master/project/PACKAGERS.md#runtime-dependencies
+# https://github.com/moby/moby/blob/master/project/PACKAGERS.md#optional-dependencies
+RDEPEND="
+ ${DEPEND}
+ >=net-firewall/iptables-1.4
+ sys-process/procps
+ >=dev-vcs/git-1.7
+ >=app-arch/xz-utils-4.9
+ dev-libs/libltdl
+ >=app-containers/containerd-1.7.3[apparmor?,btrfs?,seccomp?]
+ >=app-containers/runc-1.1.9[apparmor?,seccomp?]
+ !app-containers/docker-proxy
+ container-init? ( >=sys-process/tini-0.19.0[static] )
+ selinux? ( sec-policy/selinux-docker )
+"
+
+# https://github.com/docker/docker/blob/master/project/PACKAGERS.md#build-dependencies
+BDEPEND="
+ >=dev-lang/go-1.16.12
+ dev-go/go-md2man
+ virtual/pkgconfig
+"
+# tests require running dockerd as root and downloading containers
+RESTRICT="installsources strip test"
+
+S="${WORKDIR}/${P}/src/${EGO_PN}"
+
+# https://bugs.gentoo.org/748984 https://github.com/etcd-io/etcd/pull/12552
+PATCHES=(
+ "${FILESDIR}/0001-Openrc-Depend-on-containerd-init-script.patch"
+)
+
+pkg_setup() {
+ # this is based on "contrib/check-config.sh" from upstream's sources
+ # required features.
+ CONFIG_CHECK="
+ ~NAMESPACES ~NET_NS ~PID_NS ~IPC_NS ~UTS_NS
+ ~CGROUPS ~CGROUP_CPUACCT ~CGROUP_DEVICE ~CGROUP_FREEZER ~CGROUP_SCHED ~CPUSETS ~MEMCG
+ ~KEYS
+ ~VETH ~BRIDGE ~BRIDGE_NETFILTER
+ ~IP_NF_FILTER ~IP_NF_TARGET_MASQUERADE
+ ~NETFILTER_XT_MATCH_ADDRTYPE
+ ~NETFILTER_XT_MATCH_CONNTRACK
+ ~NETFILTER_XT_MATCH_IPVS
+ ~NETFILTER_XT_MARK
+ ~IP_NF_NAT ~NF_NAT
+ ~POSIX_MQUEUE
+ "
+ WARNING_POSIX_MQUEUE="CONFIG_POSIX_MQUEUE: is required for bind-mounting /dev/mqueue into containers"
+
+ if kernel_is lt 4 8; then
+ CONFIG_CHECK+="
+ ~DEVPTS_MULTIPLE_INSTANCES
+ "
+ fi
+
+ if kernel_is le 5 1; then
+ CONFIG_CHECK+="
+ ~NF_NAT_IPV4
+ "
+ fi
+
+ if kernel_is le 5 2; then
+ CONFIG_CHECK+="
+ ~NF_NAT_NEEDED
+ "
+ fi
+
+ if kernel_is ge 4 15; then
+ CONFIG_CHECK+="
+ ~CGROUP_BPF
+ "
+ fi
+
+ # optional features
+ CONFIG_CHECK+="
+ ~USER_NS
+ "
+
+ if use seccomp; then
+ CONFIG_CHECK+="
+ ~SECCOMP ~SECCOMP_FILTER
+ "
+ fi
+
+ CONFIG_CHECK+="
+ ~CGROUP_PIDS
+ "
+
+ if kernel_is lt 6 1; then
+ CONFIG_CHECK+="
+ ~MEMCG_SWAP
+ "
+ fi
+
+ if kernel_is le 5 8; then
+ CONFIG_CHECK+="
+ ~MEMCG_SWAP_ENABLED
+ "
+ fi
+
+ CONFIG_CHECK+="
+ ~!LEGACY_VSYSCALL_NATIVE
+ "
+ if kernel_is lt 5 19; then
+ CONFIG_CHECK+="
+ ~LEGACY_VSYSCALL_EMULATE
+ "
+ fi
+ CONFIG_CHECK+="
+ ~!LEGACY_VSYSCALL_NONE
+ "
+ WARNING_LEGACY_VSYSCALL_NONE="CONFIG_LEGACY_VSYSCALL_NONE enabled: \
+ Containers with <=glibc-2.13 will not work"
+
+ if kernel_is le 4 5; then
+ CONFIG_CHECK+="
+ ~MEMCG_KMEM
+ "
+ fi
+
+ if kernel_is lt 5; then
+ CONFIG_CHECK+="
+ ~IOSCHED_CFQ ~CFQ_GROUP_IOSCHED
+ "
+ fi
+
+ CONFIG_CHECK+="
+ ~BLK_CGROUP ~BLK_DEV_THROTTLING
+ ~CGROUP_PERF
+ ~CGROUP_HUGETLB
+ ~NET_CLS_CGROUP ~CGROUP_NET_PRIO
+ ~CFS_BANDWIDTH ~FAIR_GROUP_SCHED
+ ~IP_NF_TARGET_REDIRECT
+ ~IP_VS
+ ~IP_VS_NFCT
+ ~IP_VS_PROTO_TCP
+ ~IP_VS_PROTO_UDP
+ ~IP_VS_RR
+ "
+
+ if use selinux; then
+ CONFIG_CHECK+="
+ ~SECURITY_SELINUX
+ "
+ fi
+
+ if use apparmor; then
+ CONFIG_CHECK+="
+ ~SECURITY_APPARMOR
+ "
+ fi
+
+ # if ! is_set EXT4_USE_FOR_EXT2; then
+ # check_flags EXT3_FS EXT3_FS_XATTR EXT3_FS_POSIX_ACL EXT3_FS_SECURITY
+ # if ! is_set EXT3_FS || ! is_set EXT3_FS_XATTR || ! is_set EXT3_FS_POSIX_ACL || ! is_set EXT3_FS_SECURITY; then
+ # echo " $(wrap_color '(enable these ext3 configs if you are using ext3 as backing filesystem)' bold black)"
+ # fi
+ # fi
+
+ CONFIG_CHECK+="
+ ~EXT4_FS ~EXT4_FS_POSIX_ACL ~EXT4_FS_SECURITY
+ "
+
+ # if ! is_set EXT4_FS || ! is_set EXT4_FS_POSIX_ACL || ! is_set EXT4_FS_SECURITY; then
+ # if is_set EXT4_USE_FOR_EXT2; then
+ # echo " $(wrap_color 'enable these ext4 configs if you are using ext3 or ext4 as backing filesystem' bold black)"
+ # else
+ # echo " $(wrap_color 'enable these ext4 configs if you are using ext4 as backing filesystem' bold black)"
+ # fi
+ # fi
+
+ # network drivers
+ CONFIG_CHECK+="
+ ~VXLAN ~BRIDGE_VLAN_FILTERING
+ ~CRYPTO ~CRYPTO_AEAD ~CRYPTO_GCM ~CRYPTO_SEQIV ~CRYPTO_GHASH
+ ~XFRM ~XFRM_USER ~XFRM_ALGO ~INET_ESP
+ "
+ if kernel_is le 5 3; then
+ CONFIG_CHECK+="
+ ~INET_XFRM_MODE_TRANSPORT
+ "
+ fi
+
+ CONFIG_CHECK+="
+ ~IPVLAN
+ "
+ CONFIG_CHECK+="
+ ~MACVLAN ~DUMMY
+ "
+ CONFIG_CHECK+="
+ ~NF_NAT_FTP ~NF_CONNTRACK_FTP ~NF_NAT_TFTP ~NF_CONNTRACK_TFTP
+ "
+
+ # storage drivers
+ if use btrfs; then
+ CONFIG_CHECK+="
+ ~BTRFS_FS
+ ~BTRFS_FS_POSIX_ACL
+ "
+ fi
+
+ CONFIG_CHECK+="
+ ~OVERLAY_FS
+ "
+
+ linux-info_pkg_setup
+}
+
+src_compile() {
+ export DOCKER_GITCOMMIT="${GIT_COMMIT}"
+ export GOPATH="${WORKDIR}/${P}"
+ export VERSION=${PV}
+
+ # setup CFLAGS and LDFLAGS for separate build target
+ # see https://github.com/tianon/docker-overlay/pull/10
+ export CGO_CFLAGS="-I${ESYSROOT}/usr/include"
+ export CGO_LDFLAGS="-L${ESYSROOT}/usr/$(get_libdir)"
+
+ # let's set up some optional features :)
+ export DOCKER_BUILDTAGS=''
+ for gd in btrfs overlay; do
+ if ! use $gd; then
+ DOCKER_BUILDTAGS+=" exclude_graphdriver_${gd//-/}"
+ fi
+ done
+
+ for tag in apparmor seccomp; do
+ if use $tag; then
+ DOCKER_BUILDTAGS+=" $tag"
+ fi
+ done
+
+ # build binaries
+ ./hack/make.sh dynbinary || die 'dynbinary failed'
+}
+
+src_install() {
+ dosym containerd /usr/bin/docker-containerd
+ dosym containerd-shim /usr/bin/docker-containerd-shim
+ dosym runc /usr/bin/docker-runc
+ use container-init && dosym tini /usr/bin/docker-init
+ dobin bundles/dynbinary-daemon/dockerd
+ dobin bundles/dynbinary-daemon/docker-proxy
+
+ newinitd contrib/init/openrc/docker.initd docker
+ newconfd contrib/init/openrc/docker.confd docker
+
+ systemd_dounit contrib/init/systemd/docker.{service,socket}
+
+ udev_dorules contrib/udev/*.rules
+
+ dodoc AUTHORS CONTRIBUTING.md NOTICE README.md
+ dodoc -r docs/*
+
+ # note: intentionally not using "doins" so that we preserve +x bits
+ dodir /usr/share/${PN}/contrib
+ cp -R contrib/* "${ED}/usr/share/${PN}/contrib"
+}
+
+pkg_postinst() {
+ udev_reload
+
+ elog
+ elog "To use Docker, the Docker daemon must be running as root. To automatically"
+ elog "start the Docker daemon at boot:"
+ if systemd_is_booted || has_version sys-apps/systemd; then
+ elog " systemctl enable docker.service"
+ else
+ elog " rc-update add docker default"
+ fi
+ elog
+ elog "To use Docker as a non-root user, add yourself to the 'docker' group:"
+ elog ' usermod -aG docker <youruser>'
+ elog
+
+ if use overlay; then
+ elog " Overlay storage driver/USEflag has been deprecated"
+ elog " in favor of overlay2 (enabled unconditionally)"
+ elog
+ fi
+
+ if has_version sys-fs/zfs; then
+ elog " ZFS storage driver is available"
+ elog " Check https://docs.docker.com/storage/storagedriver/zfs-driver for more info"
+ elog
+ fi
+}
+
+pkg_postrm() {
+ udev_reload
+}
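Review bot: The runtime floors in RDEPEND, `>=app-containers/containerd-1.7.3` and `>=app-containers/runc-1.1.9`, are lower than in docker-25.0.4.ebuild from this same commit, which requires containerd 1.7.12 and runc 1.1.12. As far as I know, runc 1.1.12 is the release that fixed a container-breakout issue in runc, so this floor lets the package manager satisfy docker-25.0.1 with a runtime that predates that fix. Unless 25.0.1 is known to break with the newer runtimes, raise both bounds to match: `>=app-containers/containerd-1.7.12[apparmor?,btrfs?,seccomp?]` and `>=app-containers/runc-1.1.12[apparmor?,seccomp?]`.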
diff --git a/app-containers/docker/docker-25.0.4.ebuild b/app-containers/docker/docker-25.0.4.ebuild
new file mode 100644
index 000000000000..739506d1d063
--- /dev/null
+++ b/app-containers/docker/docker-25.0.4.ebuild
@@ -0,0 +1,318 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+EGO_PN=github.com/docker/docker
+MY_PV=${PV/_/-}
+inherit linux-info systemd udev golang-vcs-snapshot
+GIT_COMMIT=061aa95809be396a6b5542618d8a34b02a21ff77
+
+DESCRIPTION="The core functions you need to create Docker images and run Docker containers"
+HOMEPAGE="https://www.docker.com/"
+SRC_URI="https://github.com/moby/moby/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
+IUSE="apparmor btrfs +container-init overlay seccomp selinux"
+
+DEPEND="
+ acct-group/docker
+ >=dev-db/sqlite-3.7.9:3
+ apparmor? ( sys-libs/libapparmor )
+ btrfs? ( >=sys-fs/btrfs-progs-3.16.1 )
+ seccomp? ( >=sys-libs/libseccomp-2.2.1 )
+"
+
+# https://github.com/moby/moby/blob/master/project/PACKAGERS.md#runtime-dependencies
+# https://github.com/moby/moby/blob/master/project/PACKAGERS.md#optional-dependencies
+RDEPEND="
+ ${DEPEND}
+ >=net-firewall/iptables-1.4
+ sys-process/procps
+ >=dev-vcs/git-1.7
+ >=app-arch/xz-utils-4.9
+ dev-libs/libltdl
+ >=app-containers/containerd-1.7.12[apparmor?,btrfs?,seccomp?]
+ >=app-containers/runc-1.1.12[apparmor?,seccomp?]
+ !app-containers/docker-proxy
+ container-init? ( >=sys-process/tini-0.19.0[static] )
+ selinux? ( sec-policy/selinux-docker )
+"
+
+# https://github.com/docker/docker/blob/master/project/PACKAGERS.md#build-dependencies
+BDEPEND="
+ >=dev-lang/go-1.16.12
+ dev-go/go-md2man
+ virtual/pkgconfig
+"
+# tests require running dockerd as root and downloading containers
+RESTRICT="installsources strip test"
+
+S="${WORKDIR}/${P}/src/${EGO_PN}"
+
+# https://bugs.gentoo.org/748984 https://github.com/etcd-io/etcd/pull/12552
+PATCHES=(
+ "${FILESDIR}/0001-Openrc-Depend-on-containerd-init-script.patch"
+)
+
+pkg_setup() {
+ # this is based on "contrib/check-config.sh" from upstream's sources
+ # required features.
+ CONFIG_CHECK="
+ ~NAMESPACES ~NET_NS ~PID_NS ~IPC_NS ~UTS_NS
+ ~CGROUPS ~CGROUP_CPUACCT ~CGROUP_DEVICE ~CGROUP_FREEZER ~CGROUP_SCHED ~CPUSETS ~MEMCG
+ ~KEYS
+ ~VETH ~BRIDGE ~BRIDGE_NETFILTER
+ ~IP_NF_FILTER ~IP_NF_TARGET_MASQUERADE
+ ~NETFILTER_XT_MATCH_ADDRTYPE
+ ~NETFILTER_XT_MATCH_CONNTRACK
+ ~NETFILTER_XT_MATCH_IPVS
+ ~NETFILTER_XT_MARK
+ ~IP_NF_NAT ~NF_NAT
+ ~POSIX_MQUEUE
+ "
+ WARNING_POSIX_MQUEUE="CONFIG_POSIX_MQUEUE: is required for bind-mounting /dev/mqueue into containers"
+
+ if kernel_is lt 4 8; then
+ CONFIG_CHECK+="
+ ~DEVPTS_MULTIPLE_INSTANCES
+ "
+ fi
+
+ if kernel_is le 5 1; then
+ CONFIG_CHECK+="
+ ~NF_NAT_IPV4
+ "
+ fi
+
+ if kernel_is le 5 2; then
+ CONFIG_CHECK+="
+ ~NF_NAT_NEEDED
+ "
+ fi
+
+ if kernel_is ge 4 15; then
+ CONFIG_CHECK+="
+ ~CGROUP_BPF
+ "
+ fi
+
+ # optional features
+ CONFIG_CHECK+="
+ ~USER_NS
+ "
+
+ if use seccomp; then
+ CONFIG_CHECK+="
+ ~SECCOMP ~SECCOMP_FILTER
+ "
+ fi
+
+ CONFIG_CHECK+="
+ ~CGROUP_PIDS
+ "
+
+ if kernel_is lt 6 1; then
+ CONFIG_CHECK+="
+ ~MEMCG_SWAP
+ "
+ fi
+
+ if kernel_is le 5 8; then
+ CONFIG_CHECK+="
+ ~MEMCG_SWAP_ENABLED
+ "
+ fi
+
+ CONFIG_CHECK+="
+ ~!LEGACY_VSYSCALL_NATIVE
+ "
+ if kernel_is lt 5 19; then
+ CONFIG_CHECK+="
+ ~LEGACY_VSYSCALL_EMULATE
+ "
+ fi
+ CONFIG_CHECK+="
+ ~!LEGACY_VSYSCALL_NONE
+ "
+ WARNING_LEGACY_VSYSCALL_NONE="CONFIG_LEGACY_VSYSCALL_NONE enabled: \
+ Containers with <=glibc-2.13 will not work"
+
+ if kernel_is le 4 5; then
+ CONFIG_CHECK+="
+ ~MEMCG_KMEM
+ "
+ fi
+
+ if kernel_is lt 5; then
+ CONFIG_CHECK+="
+ ~IOSCHED_CFQ ~CFQ_GROUP_IOSCHED
+ "
+ fi
+
+ CONFIG_CHECK+="
+ ~BLK_CGROUP ~BLK_DEV_THROTTLING
+ ~CGROUP_PERF
+ ~CGROUP_HUGETLB
+ ~NET_CLS_CGROUP ~CGROUP_NET_PRIO
+ ~CFS_BANDWIDTH ~FAIR_GROUP_SCHED
+ ~IP_NF_TARGET_REDIRECT
+ ~IP_VS
+ ~IP_VS_NFCT
+ ~IP_VS_PROTO_TCP
+ ~IP_VS_PROTO_UDP
+ ~IP_VS_RR
+ "
+
+ if use selinux; then
+ CONFIG_CHECK+="
+ ~SECURITY_SELINUX
+ "
+ fi
+
+ if use apparmor; then
+ CONFIG_CHECK+="
+ ~SECURITY_APPARMOR
+ "
+ fi
+
+ # if ! is_set EXT4_USE_FOR_EXT2; then
+ # check_flags EXT3_FS EXT3_FS_XATTR EXT3_FS_POSIX_ACL EXT3_FS_SECURITY
+ # if ! is_set EXT3_FS || ! is_set EXT3_FS_XATTR || ! is_set EXT3_FS_POSIX_ACL || ! is_set EXT3_FS_SECURITY; then
+ # echo " $(wrap_color '(enable these ext3 configs if you are using ext3 as backing filesystem)' bold black)"
+ # fi
+ # fi
+
+ CONFIG_CHECK+="
+ ~EXT4_FS ~EXT4_FS_POSIX_ACL ~EXT4_FS_SECURITY
+ "
+
+ # if ! is_set EXT4_FS || ! is_set EXT4_FS_POSIX_ACL || ! is_set EXT4_FS_SECURITY; then
+ # if is_set EXT4_USE_FOR_EXT2; then
+ # echo " $(wrap_color 'enable these ext4 configs if you are using ext3 or ext4 as backing filesystem' bold black)"
+ # else
+ # echo " $(wrap_color 'enable these ext4 configs if you are using ext4 as backing filesystem' bold black)"
+ # fi
+ # fi
+
+ # network drivers
+ CONFIG_CHECK+="
+ ~VXLAN ~BRIDGE_VLAN_FILTERING
+ ~CRYPTO ~CRYPTO_AEAD ~CRYPTO_GCM ~CRYPTO_SEQIV ~CRYPTO_GHASH
+ ~XFRM ~XFRM_USER ~XFRM_ALGO ~INET_ESP
+ "
+ if kernel_is le 5 3; then
+ CONFIG_CHECK+="
+ ~INET_XFRM_MODE_TRANSPORT
+ "
+ fi
+
+ CONFIG_CHECK+="
+ ~IPVLAN
+ "
+ CONFIG_CHECK+="
+ ~MACVLAN ~DUMMY
+ "
+ CONFIG_CHECK+="
+ ~NF_NAT_FTP ~NF_CONNTRACK_FTP ~NF_NAT_TFTP ~NF_CONNTRACK_TFTP
+ "
+
+ # storage drivers
+ if use btrfs; then
+ CONFIG_CHECK+="
+ ~BTRFS_FS
+ ~BTRFS_FS_POSIX_ACL
+ "
+ fi
+
+ CONFIG_CHECK+="
+ ~OVERLAY_FS
+ "
+
+ linux-info_pkg_setup
+}
+
+src_compile() {
+ export DOCKER_GITCOMMIT="${GIT_COMMIT}"
+ export GOPATH="${WORKDIR}/${P}"
+ export VERSION=${PV}
+
+ # setup CFLAGS and LDFLAGS for separate build target
+ # see https://github.com/tianon/docker-overlay/pull/10
+ export CGO_CFLAGS="-I${ESYSROOT}/usr/include"
+ export CGO_LDFLAGS="-L${ESYSROOT}/usr/$(get_libdir)"
+
+ # let's set up some optional features :)
+ export DOCKER_BUILDTAGS=''
+ for gd in btrfs overlay; do
+ if ! use $gd; then
+ DOCKER_BUILDTAGS+=" exclude_graphdriver_${gd//-/}"
+ fi
+ done
+
+ for tag in apparmor seccomp; do
+ if use $tag; then
+ DOCKER_BUILDTAGS+=" $tag"
+ fi
+ done
+
+ # build binaries
+ ./hack/make.sh dynbinary || die 'dynbinary failed'
+}
+
+src_install() {
+ dosym containerd /usr/bin/docker-containerd
+ dosym containerd-shim /usr/bin/docker-containerd-shim
+ dosym runc /usr/bin/docker-runc
+ use container-init && dosym tini /usr/bin/docker-init
+ dobin bundles/dynbinary-daemon/dockerd
+ dobin bundles/dynbinary-daemon/docker-proxy
+
+ newinitd contrib/init/openrc/docker.initd docker
+ newconfd contrib/init/openrc/docker.confd docker
+
+ systemd_dounit contrib/init/systemd/docker.{service,socket}
+
+ udev_dorules contrib/udev/*.rules
+
+ dodoc AUTHORS CONTRIBUTING.md NOTICE README.md
+ dodoc -r docs/*
+
+ # note: intentionally not using "doins" so that we preserve +x bits
+ dodir /usr/share/${PN}/contrib
+ cp -R contrib/* "${ED}/usr/share/${PN}/contrib"
+}
+
+pkg_postinst() {
+ udev_reload
+
+ elog
+ elog "To use Docker, the Docker daemon must be running as root. To automatically"
+ elog "start the Docker daemon at boot:"
+ if systemd_is_booted || has_version sys-apps/systemd; then
+ elog " systemctl enable docker.service"
+ else
+ elog " rc-update add docker default"
+ fi
+ elog
+ elog "To use Docker as a non-root user, add yourself to the 'docker' group:"
+ elog ' usermod -aG docker <youruser>'
+ elog
+
+ if use overlay; then
+ elog " Overlay storage driver/USEflag has been deprecated"
+ elog " in favor of overlay2 (enabled unconditionally)"
+ elog
+ fi
+
+ if has_version sys-fs/zfs; then
+ elog " ZFS storage driver is available"
+ elog " Check https://docs.docker.com/storage/storagedriver/zfs-driver for more info"
+ elog
+ fi
+}
+
+pkg_postrm() {
+ udev_reload
+}
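Review bot: The pkg_postinst hint `usermod -aG docker <youruser>` is printed without saying what the group grants. The message a few lines earlier states that the daemon runs as root, and docker group members can drive that daemon, so membership is effectively root-equivalent on the host. Adding `elog "Note: members of the 'docker' group have root-equivalent access to this host."` after the usermod line would state that. The same text appears in docker-25.0.1.ebuild and docker-26.1.0-r1.ebuild.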
diff --git a/app-containers/docker/docker-26.1.0-r1.ebuild b/app-containers/docker/docker-26.1.0-r1.ebuild
new file mode 100644
index 000000000000..9a1e51a65f67
--- /dev/null
+++ b/app-containers/docker/docker-26.1.0-r1.ebuild
@@ -0,0 +1,322 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+EGO_PN=github.com/docker/docker
+MY_PV=${PV/_/-}
+inherit golang-vcs-snapshot linux-info systemd udev
+GIT_COMMIT=061aa95809be396a6b5542618d8a34b02a21ff77
+
+DESCRIPTION="The core functions you need to create Docker images and run Docker containers"
+HOMEPAGE="https://www.docker.com/"
+SRC_URI="https://github.com/moby/moby/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
+IUSE="apparmor btrfs +container-init overlay seccomp selinux systemd"
+
+DEPEND="
+ acct-group/docker
+ >=dev-db/sqlite-3.7.9:3
+ apparmor? ( sys-libs/libapparmor )
+ btrfs? ( >=sys-fs/btrfs-progs-3.16.1 )
+ seccomp? ( >=sys-libs/libseccomp-2.2.1 )
+ systemd? ( sys-apps/systemd )
+"
+
+# https://github.com/moby/moby/blob/master/project/PACKAGERS.md#runtime-dependencies
+# https://github.com/moby/moby/blob/master/project/PACKAGERS.md#optional-dependencies
+RDEPEND="
+ ${DEPEND}
+ >=net-firewall/iptables-1.4
+ sys-process/procps
+ >=dev-vcs/git-1.7
+ >=app-arch/xz-utils-4.9
+ >=app-containers/containerd-1.7.15[apparmor?,btrfs?,seccomp?]
+ >=app-containers/runc-1.1.12[apparmor?,seccomp?]
+ !app-containers/docker-proxy
+ container-init? ( >=sys-process/tini-0.19.0[static] )
+ selinux? ( sec-policy/selinux-docker )
+"
+
+# https://github.com/docker/docker/blob/master/project/PACKAGERS.md#build-dependencies
+BDEPEND="
+ >=dev-lang/go-1.16.12
+ dev-go/go-md2man
+ virtual/pkgconfig
+"
+# tests require running dockerd as root and downloading containers
+RESTRICT="installsources strip test"
+
+S="${WORKDIR}/${P}/src/${EGO_PN}"
+
+# https://bugs.gentoo.org/748984 https://github.com/etcd-io/etcd/pull/12552
+PATCHES=(
+ "${FILESDIR}/0001-Openrc-Depend-on-containerd-init-script.patch"
+ "${FILESDIR}/docker-26.1.0-automagic-systemd.patch"
+)
+
+pkg_setup() {
+ # this is based on "contrib/check-config.sh" from upstream's sources
+ # required features.
+ CONFIG_CHECK="
+ ~NAMESPACES ~NET_NS ~PID_NS ~IPC_NS ~UTS_NS
+ ~CGROUPS ~CGROUP_CPUACCT ~CGROUP_DEVICE ~CGROUP_FREEZER ~CGROUP_SCHED ~CPUSETS ~MEMCG
+ ~KEYS
+ ~VETH ~BRIDGE ~BRIDGE_NETFILTER
+ ~IP_NF_FILTER ~IP_NF_TARGET_MASQUERADE
+ ~NETFILTER_XT_MATCH_ADDRTYPE
+ ~NETFILTER_XT_MATCH_CONNTRACK
+ ~NETFILTER_XT_MATCH_IPVS
+ ~NETFILTER_XT_MARK
+ ~IP_NF_NAT ~NF_NAT
+ ~POSIX_MQUEUE
+ "
+ WARNING_POSIX_MQUEUE="CONFIG_POSIX_MQUEUE: is required for bind-mounting /dev/mqueue into containers"
+
+ if kernel_is lt 4 8; then
+ CONFIG_CHECK+="
+ ~DEVPTS_MULTIPLE_INSTANCES
+ "
+ fi
+
+ if kernel_is le 5 1; then
+ CONFIG_CHECK+="
+ ~NF_NAT_IPV4
+ "
+ fi
+
+ if kernel_is le 5 2; then
+ CONFIG_CHECK+="
+ ~NF_NAT_NEEDED
+ "
+ fi
+
+ if kernel_is ge 4 15; then
+ CONFIG_CHECK+="
+ ~CGROUP_BPF
+ "
+ fi
+
+ # optional features
+ CONFIG_CHECK+="
+ ~USER_NS
+ "
+
+ if use seccomp; then
+ CONFIG_CHECK+="
+ ~SECCOMP ~SECCOMP_FILTER
+ "
+ fi
+
+ CONFIG_CHECK+="
+ ~CGROUP_PIDS
+ "
+
+ if kernel_is lt 6 1; then
+ CONFIG_CHECK+="
+ ~MEMCG_SWAP
+ "
+ fi
+
+ if kernel_is le 5 8; then
+ CONFIG_CHECK+="
+ ~MEMCG_SWAP_ENABLED
+ "
+ fi
+
+ CONFIG_CHECK+="
+ ~!LEGACY_VSYSCALL_NATIVE
+ "
+ if kernel_is lt 5 19; then
+ CONFIG_CHECK+="
+ ~LEGACY_VSYSCALL_EMULATE
+ "
+ fi
+ CONFIG_CHECK+="
+ ~!LEGACY_VSYSCALL_NONE
+ "
+ WARNING_LEGACY_VSYSCALL_NONE="CONFIG_LEGACY_VSYSCALL_NONE enabled: \
+ Containers with <=glibc-2.13 will not work"
+
+ if kernel_is le 4 5; then
+ CONFIG_CHECK+="
+ ~MEMCG_KMEM
+ "
+ fi
+
+ if kernel_is lt 5; then
+ CONFIG_CHECK+="
+ ~IOSCHED_CFQ ~CFQ_GROUP_IOSCHED
+ "
+ fi
+
+ CONFIG_CHECK+="
+ ~BLK_CGROUP ~BLK_DEV_THROTTLING
+ ~CGROUP_PERF
+ ~CGROUP_HUGETLB
+ ~NET_CLS_CGROUP ~CGROUP_NET_PRIO
+ ~CFS_BANDWIDTH ~FAIR_GROUP_SCHED
+ ~IP_NF_TARGET_REDIRECT
+ ~IP_VS
+ ~IP_VS_NFCT
+ ~IP_VS_PROTO_TCP
+ ~IP_VS_PROTO_UDP
+ ~IP_VS_RR
+ "
+
+ if use selinux; then
+ CONFIG_CHECK+="
+ ~SECURITY_SELINUX
+ "
+ fi
+
+ if use apparmor; then
+ CONFIG_CHECK+="
+ ~SECURITY_APPARMOR
+ "
+ fi
+
+ # if ! is_set EXT4_USE_FOR_EXT2; then
+ # check_flags EXT3_FS EXT3_FS_XATTR EXT3_FS_POSIX_ACL EXT3_FS_SECURITY
+ # if ! is_set EXT3_FS || ! is_set EXT3_FS_XATTR || ! is_set EXT3_FS_POSIX_ACL || ! is_set EXT3_FS_SECURITY; then
+ # echo " $(wrap_color '(enable these ext3 configs if you are using ext3 as backing filesystem)' bold black)"
+ # fi
+ # fi
+
+ CONFIG_CHECK+="
+ ~EXT4_FS ~EXT4_FS_POSIX_ACL ~EXT4_FS_SECURITY
+ "
+
+ # if ! is_set EXT4_FS || ! is_set EXT4_FS_POSIX_ACL || ! is_set EXT4_FS_SECURITY; then
+ # if is_set EXT4_USE_FOR_EXT2; then
+ # echo " $(wrap_color 'enable these ext4 configs if you are using ext3 or ext4 as backing filesystem' bold black)"
+ # else
+ # echo " $(wrap_color 'enable these ext4 configs if you are using ext4 as backing filesystem' bold black)"
+ # fi
+ # fi
+
+ # network drivers
+ CONFIG_CHECK+="
+ ~VXLAN ~BRIDGE_VLAN_FILTERING
+ ~CRYPTO ~CRYPTO_AEAD ~CRYPTO_GCM ~CRYPTO_SEQIV ~CRYPTO_GHASH
+ ~XFRM ~XFRM_USER ~XFRM_ALGO ~INET_ESP
+ "
+ if kernel_is le 5 3; then
+ CONFIG_CHECK+="
+ ~INET_XFRM_MODE_TRANSPORT
+ "
+ fi
+
+ CONFIG_CHECK+="
+ ~IPVLAN
+ "
+ CONFIG_CHECK+="
+ ~MACVLAN ~DUMMY
+ "
+ CONFIG_CHECK+="
+ ~NF_NAT_FTP ~NF_CONNTRACK_FTP ~NF_NAT_TFTP ~NF_CONNTRACK_TFTP
+ "
+
+ # storage drivers
+ if use btrfs; then
+ CONFIG_CHECK+="
+ ~BTRFS_FS
+ ~BTRFS_FS_POSIX_ACL
+ "
+ fi
+
+ CONFIG_CHECK+="
+ ~OVERLAY_FS
+ "
+
+ linux-info_pkg_setup
+}
+
+src_compile() {
+ export DOCKER_GITCOMMIT="${GIT_COMMIT}"
+ export GOPATH="${WORKDIR}/${P}"
+ export VERSION=${PV}
+ tc-export PKG_CONFIG
+
+ # setup CFLAGS and LDFLAGS for separate build target
+ # see https://github.com/tianon/docker-overlay/pull/10
+ export CGO_CFLAGS="-I${ESYSROOT}/usr/include"
+ export CGO_LDFLAGS="-L${ESYSROOT}/usr/$(get_libdir)"
+
+ # let's set up some optional features :)
+ export DOCKER_BUILDTAGS=''
+ for gd in btrfs overlay; do
+ if ! use $gd; then
+ DOCKER_BUILDTAGS+=" exclude_graphdriver_${gd//-/}"
+ fi
+ done
+
+ for tag in apparmor seccomp; do
+ if use $tag; then
+ DOCKER_BUILDTAGS+=" $tag"
+ fi
+ done
+
+ export SYSTEMD=$(usex systemd 1 0)
+
+ # build binaries
+ ./hack/make.sh dynbinary || die 'dynbinary failed'
+}
+
+src_install() {
+ dosym containerd /usr/bin/docker-containerd
+ dosym containerd-shim /usr/bin/docker-containerd-shim
+ dosym runc /usr/bin/docker-runc
+ use container-init && dosym tini /usr/bin/docker-init
+ dobin bundles/dynbinary-daemon/dockerd
+ dobin bundles/dynbinary-daemon/docker-proxy
+
+ newinitd contrib/init/openrc/docker.initd docker
+ newconfd contrib/init/openrc/docker.confd docker
+
+ systemd_dounit contrib/init/systemd/docker.{service,socket}
+
+ udev_dorules contrib/udev/*.rules
+
+ dodoc AUTHORS CONTRIBUTING.md NOTICE README.md
+ dodoc -r docs/*
+
+ # note: intentionally not using "doins" so that we preserve +x bits
+ dodir /usr/share/${PN}/contrib
+ cp -R contrib/* "${ED}/usr/share/${PN}/contrib"
+}
+
+pkg_postinst() {
+ udev_reload
+
+ elog
+ elog "To use Docker, the Docker daemon must be running as root. To automatically"
+ elog "start the Docker daemon at boot:"
+ if systemd_is_booted || has_version sys-apps/systemd; then
+ elog " systemctl enable docker.service"
+ else
+ elog " rc-update add docker default"
+ fi
+ elog
+ elog "To use Docker as a non-root user, add yourself to the 'docker' group:"
+ elog ' usermod -aG docker <youruser>'
+ elog
+
+ if use overlay; then
+ elog " Overlay storage driver/USEflag has been deprecated"
+ elog " in favor of overlay2 (enabled unconditionally)"
+ elog
+ fi
+
+ if has_version sys-fs/zfs; then
+ elog " ZFS storage driver is available"
+ elog " Check https://docs.docker.com/storage/storagedriver/zfs-driver for more info"
+ elog
+ fi
+}
+
+pkg_postrm() {
+ udev_reload
+}
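Review bot: `GIT_COMMIT=061aa95809be396a6b5542618d8a34b02a21ff77` is identical to the value in docker-25.0.4.ebuild, although the two ebuilds fetch different tags through SRC_URI. src_compile exports it as `DOCKER_GITCOMMIT`, so for at least one of the two versions the built daemon would presumably report a commit that does not match its source. That makes it harder to tie an installed binary to upstream's tree when checking whether a fix is included. Most likely the value was carried over from 25.0.4 and should become `GIT_COMMIT=<commit of tag v26.1.0>`.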
diff --git a/app-containers/docker/files/0001-Openrc-Depend-on-containerd-init-script.patch b/app-containers/docker/files/0001-Openrc-Depend-on-containerd-init-script.patch
new file mode 100644
index 000000000000..22aa145f33b8
--- /dev/null
+++ b/app-containers/docker/files/0001-Openrc-Depend-on-containerd-init-script.patch
@@ -0,0 +1,28 @@
+From bb69104381805014eb7675682d204fe460a52388 Mon Sep 17 00:00:00 2001
+From: Jan Breig <git@pygos.space>
+Date: Mon, 16 May 2022 14:58:36 +0200
+Subject: [PATCH] Openrc: Depend on containerd init script
+
+Signed-off-by: Jan Breig <git@pygos.space>
+---
+ contrib/init/openrc/docker.initd | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/contrib/init/openrc/docker.initd b/contrib/init/openrc/docker.initd
+index 3229223bad..57defb8f57 100644
+--- a/contrib/init/openrc/docker.initd
++++ b/contrib/init/openrc/docker.initd
+@@ -17,6 +17,10 @@ rc_ulimit="${DOCKER_ULIMIT:--c unlimited -n 1048576 -u unlimited}"
+
+ retry="${DOCKER_RETRY:-TERM/60/KILL/10}"
+
++depend() {
++ need containerd
++}
++
+ start_pre() {
+ checkpath -f -m 0644 -o root:docker "$DOCKER_LOGFILE"
+ }
+--
+2.35.1
+
diff --git a/app-containers/docker/files/docker-24.0.5-automagic-systemd.patch b/app-containers/docker/files/docker-24.0.5-automagic-systemd.patch
new file mode 100644
index 000000000000..fb764b3b1a99
--- /dev/null
+++ b/app-containers/docker/files/docker-24.0.5-automagic-systemd.patch
@@ -0,0 +1,13 @@
+https://bugs.gentoo.org/914076
+https://github.com/moby/moby/issues/47770
+--- a/hack/make.sh
++++ b/hack/make.sh
+@@ -90,7 +90,7 @@ add_buildtag() {
+ [[ " $DOCKER_BUILDTAGS" == *" $1_"* ]] || DOCKER_BUILDTAGS+=" $1_$2"
+ }
+
+-if ${PKG_CONFIG} 'libsystemd' 2> /dev/null; then
++if [[ -n "$SYSTEMD" ]] && [[ "$SYSTEMD" == 1 ]] && ${PKG_CONFIG} 'libsystemd' 2> /dev/null; then
+ DOCKER_BUILDTAGS+=" journald"
+ fi
+
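Review bot: With `SYSTEMD=1` the patched condition still falls through silently when `${PKG_CONFIG} 'libsystemd'` fails, so a build with the systemd flag enabled can end up without the `journald` tag and nothing reports it. Making the enabled case fatal would close the other half of the automagic problem, for example `if [[ "$SYSTEMD" == 1 ]]; then ${PKG_CONFIG} 'libsystemd' || exit 1; DOCKER_BUILDTAGS+=" journald"; fi`. The `[[ -n "$SYSTEMD" ]]` test is redundant next to the `== 1` comparison. docker-26.1.0-automagic-systemd.patch carries the same line.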
diff --git a/app-containers/docker/files/docker-26.1.0-automagic-systemd.patch b/app-containers/docker/files/docker-26.1.0-automagic-systemd.patch
new file mode 100644
index 000000000000..004dbb9ad3c7
--- /dev/null
+++ b/app-containers/docker/files/docker-26.1.0-automagic-systemd.patch
@@ -0,0 +1,13 @@
+https://bugs.gentoo.org/914076
+https://github.com/moby/moby/issues/47770
+--- a/hack/make.sh
++++ b/hack/make.sh
+@@ -83,7 +83,7 @@ if [ ! "$GOPATH" ]; then
+ exit 1
+ fi
+
+-if ${PKG_CONFIG} 'libsystemd' 2> /dev/null; then
++if [[ -n "$SYSTEMD" ]] && [[ "$SYSTEMD" == 1 ]] && ${PKG_CONFIG} 'libsystemd' 2> /dev/null; then
+ DOCKER_BUILDTAGS+=" journald"
+ fi
+
diff --git a/app-containers/docker/files/etcd-F_OFD_GETLK-fix.patch b/app-containers/docker/files/etcd-F_OFD_GETLK-fix.patch
deleted file mode 100644
index bd574e26f040..000000000000
--- a/app-containers/docker/files/etcd-F_OFD_GETLK-fix.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From ec81adb21605acd56b122bc35c53644b13d3ab7e Mon Sep 17 00:00:00 2001
-From: Moritz Both <mb@aldebaran.de>
-Date: Sun, 1 Nov 2020 23:20:12 +0100
-Subject: [PATCH] pkg/fileutil: fix constant for linux locking
-
-The constant F_OFD_GETLK is 36, not 37, according to
-/usr/include/bits/fcntl-linux.h
-Credits go to joakim-tjernlund who digged deep enough
-to find this.
-
-Fixes #31182
----
- pkg/fileutil/lock_linux.go | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/pkg/fileutil/lock_linux.go b/pkg/fileutil/lock_linux.go
-index 939fea62381..004d35fa23b 100644
---- a/vendor/github.com/coreos/etcd/pkg/fileutil/lock_linux.go
-+++ b/vendor/github.com/coreos/etcd/pkg/fileutil/lock_linux.go
-@@ -29,7 +29,7 @@ import (
- //
- // constants from /usr/include/bits/fcntl-linux.h
- const (
-- F_OFD_GETLK = 37
-+ F_OFD_GETLK = 36
- F_OFD_SETLK = 37
- F_OFD_SETLKW = 38
- )
diff --git a/app-containers/docker/files/ppc64-buildmode.patch b/app-containers/docker/files/ppc64-buildmode.patch
deleted file mode 100644
index f16756e85041..000000000000
--- a/app-containers/docker/files/ppc64-buildmode.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From c4135e37e54a6480abfe18746f227f05cb9269ab Mon Sep 17 00:00:00 2001
-From: Georgy Yakovlev <gyakovlev@gentoo.org>
-Date: Thu, 10 Jun 2021 16:19:22 -0700
-Subject: [PATCH] don't use buildmode=pie on ppc64
-
-It's already omitted for ppc64 in
-hack/dockerfile/install/install.sh
-not using wildcard, because GOARCH=ppc64le supports pie
-
-Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>
----
- hack/make/.binary | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hack/make/.binary b/hack/make/.binary
-index 5ea3e373f2..7a911de15a 100644
---- a/hack/make/.binary
-+++ b/hack/make/.binary
-@@ -70,7 +70,7 @@ hash_files() {
-
- # -buildmode=pie is not supported on Windows and Linux on mips and riscv64.
- case "$(go env GOOS)/$(go env GOARCH)" in
-- windows/* | linux/mips* | linux/riscv*) ;;
-+ windows/* | linux/mips* | linux/riscv* | linux/ppc64) ;;
-
- *)
- BUILDFLAGS+=("-buildmode=pie")
---
-2.32.0
-
diff --git a/app-containers/docker/metadata.xml b/app-containers/docker/metadata.xml
index e58aa2015b46..5c680bb1005b 100644
--- a/app-containers/docker/metadata.xml
+++ b/app-containers/docker/metadata.xml
@@ -12,28 +12,11 @@
<email>williamh@gentoo.org</email>
<name>William Hubbs</name>
</maintainer>
- <maintainer type="person">
- <email>gyakovlev@gentoo.org</email>
- <name>Georgy Yakovlev</name>
- </maintainer>
<use>
- <flag name="aufs">
- Enables dependencies for the "aufs" graph driver, including
- necessary kernel flags.
- </flag>
- <flag name="apparmor">
- Enable AppArmor support.
- </flag>
<flag name="btrfs">
Enables dependencies for the "btrfs" graph driver, including
necessary kernel flags.
</flag>
- <flag name="cli">
- This is a temporary use flag which pulls in
- app-containers/docker-cli, the docker command line client.
- This flag is here to assist in the transition to split packages
- and will be removed in a future release.
- </flag>
<flag name="container-init">
Makes the a staticly-linked init system tini available inside a
container.
@@ -49,5 +32,6 @@
</use>
<upstream>
<remote-id type="github">moby/moby</remote-id>
+ <remote-id type="cpe">cpe:/a:docker:docker</remote-id>
</upstream>
</pkgmetadata>
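Review bot: The added `<remote-id type="cpe">cpe:/a:docker:docker</remote-id>` names only the docker:docker product, while the ebuilds fetch their source from moby/moby. Advisories for the engine appear to be filed in NVD under the mobyproject:moby product as well, so vulnerability matching keyed on this entry alone may miss them. Consider a second line, `<remote-id type="cpe">cpe:/a:mobyproject:moby</remote-id>`, after checking the product name against NVD.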