diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 5f78fbd0..d825166b 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -29,6 +29,7 @@ jobs:
 fail-fast: false
 matrix:
 name:
+ - docker-engine
 - docker-cli
 - buildx
 - compose
diff --git a/common/vars.mk b/common/vars.mk
index 1051cb10..008ac4ab 100644
--- a/common/vars.mk
+++ b/common/vars.mk
@@ -20,11 +20,13 @@ export GO_IMAGE_VARIANT ?= buster
 export PKG_VENDOR ?= Docker
 export PKG_PACKAGER ?= Docker
+export DOCKER_ENGINE_REPO ?= https://github.com/docker/docker.git
 export DOCKER_CLI_REPO ?= https://github.com/docker/cli.git
 export BUILDX_REPO ?= https://github.com/docker/buildx.git
 export COMPOSE_REPO ?= https://github.com/docker/compose.git
 export CREDENTIAL_HELPERS_REPO ?= https://github.com/docker/docker-credential-helpers.git
+export DOCKER_ENGINE_VERSION ?= v20.10.17
 export DOCKER_CLI_VERSION ?= v20.10.17
 export BUILDX_VERSION ?= v0.9.1
 export COMPOSE_VERSION ?= v2.10.2
diff --git a/pkg/docker-engine/.dockerignore b/pkg/docker-engine/.dockerignore
new file mode 100644
index 00000000..5e56e040
--- /dev/null
+++ b/pkg/docker-engine/.dockerignore
@@ -0,0 +1 @@
+/bin
diff --git a/pkg/docker-engine/.gitignore b/pkg/docker-engine/.gitignore
new file mode 100644
index 00000000..5e56e040
--- /dev/null
+++ b/pkg/docker-engine/.gitignore
@@ -0,0 +1 @@
+/bin
diff --git a/pkg/docker-engine/Dockerfile b/pkg/docker-engine/Dockerfile
new file mode 100644
index 00000000..7c374ea6
--- /dev/null
+++ b/pkg/docker-engine/Dockerfile
@@ -0,0 +1,339 @@ +# syntax=docker/dockerfile:1 + +# Copyright 2022 Docker Packaging authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +ARG XX_VERSION="1.1.2" +ARG ALPINE_VERSION="3.16" +ARG DEBIAN_FRONTEND="noninteractive" + +# go +ARG GO_IMAGE="golang" +ARG GO_VERSION="1.18.5" +ARG GO_IMAGE_VARIANT="buster" + +# pkg matrix +ARG PKG_RELEASE="debian11" +ARG PKG_TYPE="deb" +ARG PKG_DISTRO="debian" +ARG PKG_SUITE="bullseye" +ARG PKG_BASE_IMAGE="debian:bullseye" + +# deb specific +ARG PKG_DEB_EPOCH="5" +ARG PKG_DEB_REVISION="0" + +# rpm specific +ARG PKG_RPM_RELEASE="1" + +# cross compilation helper +FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx + +# osxcross contains the MacOSX SDK for xx +FROM dockercore/golang-cross:xx-sdk-extras AS osxsdk + +# go base image to retrieve /usr/local/go +FROM --platform=$BUILDPLATFORM ${GO_IMAGE}:${GO_VERSION}-${GO_IMAGE_VARIANT} AS go + +# dummy stage for unsupported platforms +FROM --platform=$BUILDPLATFORM busybox AS builder-dummy +RUN mkdir -p /out +FROM scratch AS build-dummy +COPY --from=builder-dummy /out /out + +# base stage for fetching sources and create final release +FROM --platform=$BUILDPLATFORM alpine:${ALPINE_VERSION} AS base +RUN apk add --no-cache bash curl file git zip tar + +FROM base AS src +WORKDIR /src +ARG DOCKER_ENGINE_REPO +RUN git init . 
&& git remote add origin "${DOCKER_ENGINE_REPO}" +ARG DOCKER_ENGINE_VERSION +RUN git fetch origin "${DOCKER_ENGINE_VERSION}" +refs/heads/*:refs/remotes/origin/* +refs/tags/*:refs/tags/* && git checkout -q FETCH_HEAD + +FROM base AS src-tgz +RUN --mount=from=src,source=/src,target=/engine \ + mkdir /out && tar -C / -zcf /out/engine.tgz --exclude .git engine + +# deb +FROM --platform=$BUILDPLATFORM ${PKG_BASE_IMAGE} AS build-base-deb +COPY --from=xx / / +ARG DEBIAN_FRONTEND +RUN apt-get update && apt-get install -y bash curl devscripts equivs git +ENV GOPROXY="https://proxy.golang.org|direct" +ENV GOPATH="/go" +ENV GO111MODULE="off" +ENV PATH="$PATH:/usr/local/go/bin:$GOPATH/bin" +ENV DOCKER_BUILDTAGS apparmor seccomp selinux +ENV RUNC_BUILDTAGS apparmor seccomp selinux +ARG PKG_RELEASE +RUN < "debian/changelog" <<-EOF +docker-ce (${PKG_DEB_EPOCH}$([ -n "$PKG_DEB_EPOCH" ] && echo ":")${debVersion}-${PKG_DEB_REVISION}) $PKG_SUITE; urgency=low + * Version: $DOCKER_ENGINE_VERSION + -- $(awk -F ': ' '$1 == "Maintainer" { print $2; exit }' debian/control) $(date --rfc-2822) +EOF + xx-go --wrap + set -x + chmod -x debian/compat debian/control debian/docs + dpkg-buildpackage -us -uc + pkgoutput="/out/${PKG_DISTRO}/${PKG_SUITE}/$(xx-info arch)" + if [ -n "$(xx-info variant)" ]; then + pkgoutput="${pkgoutput}/$(xx-info variant)" + fi + mkdir -p "${pkgoutput}" + cp /root/docker* ${pkgoutput}/ +EOT + +FROM build-dummy AS builder-deb-darwin +FROM build-deb AS builder-deb-linux +FROM build-dummy AS builder-deb-windows +FROM builder-deb-${TARGETOS} AS builder-deb + +# rpm +FROM --platform=$BUILDPLATFORM ${PKG_BASE_IMAGE} AS build-base-rpm +COPY --from=xx / / +ENV GOPROXY="https://proxy.golang.org|direct" +ENV GOPATH="/go" +ENV GO111MODULE="off" +ENV PATH="$PATH:/usr/local/go/bin:$GOPATH/bin" +ENV DOCKER_BUILDTAGS seccomp selinux +ENV RUNC_BUILDTAGS seccomp selinux +ARG PKG_RELEASE +RUN < +Homepage: https://www.docker.com +Vcs-Browser: https://github.com/docker/docker +Vcs-Git: 
git://github.com/docker/docker.git +Standards-Version: 3.9.6 +Build-Depends: bash, + bash-completion, + ca-certificates, + cmake, + dh-apparmor, + debhelper (>= 10~) | dh-systemd, + gcc, + git, + libbtrfs-dev | btrfs-tools, + libc-dev, + libdevmapper-dev, + libltdl-dev, + libseccomp-dev, + libseccomp2, + libsystemd-dev, + libtool, + make, + pkg-config + +Package: docker-ce +Architecture: linux-any +Depends: containerd.io (>= 1.4.1), + docker-ce-cli, + iptables, + libseccomp2 (>= 2.3.0), + ${shlibs:Depends} +Recommends: apparmor, + ca-certificates, + docker-ce-rootless-extras, + git, + libltdl7, + pigz, + procps, + xz-utils +Suggests: aufs-tools [amd64], cgroupfs-mount | cgroup-lite +Conflicts: docker (<< 1.5~), + docker-engine, + docker-engine-cs, + docker.io, + lxc-docker, + lxc-docker-virtual-package +Replaces: docker-engine +Description: Docker: the open-source application container engine + Docker is a product for you to build, ship and run any application as a + lightweight container + . + Docker containers are both hardware-agnostic and platform-agnostic. This means + they can run anywhere, from your laptop to the largest cloud compute instance and + everything in between - and they don't require you to use a particular + language, framework or packaging system. That makes them great building blocks + for deploying and scaling web apps, databases, and backend services without + depending on a particular stack or provider. + +Package: docker-ce-rootless-extras +Architecture: linux-any +Depends: dbus-user-session, + ${shlibs:Depends} +Enhances: docker-ce +Conflicts: rootlesskit +Replaces: rootlesskit +Breaks: rootlesskit +# slirp4netns (>= 0.4.0) is available in Debian since 11 and Ubuntu since 19.10 +Recommends: slirp4netns (>= 0.4.0) +# Unlike RPM, DEB packages do not contain "Recommends: fuse-overlayfs (>= 0.7.0)" here, +# because Debian (since 10) and Ubuntu support the kernel-mode rootless overlayfs. +Description: Rootless support for Docker. 
+ Use dockerd-rootless.sh to run the daemon. + Use dockerd-rootless-setuptool.sh to setup systemd for dockerd-rootless.sh . + This package contains RootlessKit, but does not contain VPNKit. + Either VPNKit or slirp4netns (>= 0.4.0) needs to be installed separately. +Homepage: https://docs.docker.com/engine/security/rootless/ diff --git a/pkg/docker-engine/deb/docker-ce.docker.default b/pkg/docker-engine/deb/docker-ce.docker.default new file mode 100644 index 00000000..c4e93199 --- /dev/null +++ b/pkg/docker-engine/deb/docker-ce.docker.default @@ -0,0 +1,20 @@ +# Docker Upstart and SysVinit configuration file + +# +# THIS FILE DOES NOT APPLY TO SYSTEMD +# +# Please see the documentation for "systemd drop-ins": +# https://docs.docker.com/engine/admin/systemd/ +# + +# Customize location of Docker binary (especially for development testing). +#DOCKERD="/usr/local/bin/dockerd" + +# Use DOCKER_OPTS to modify the daemon startup options. +#DOCKER_OPTS="--dns 8.8.8.8 --dns 8.8.4.4" + +# If you need Docker to use an HTTP proxy, it can also be specified here. +#export http_proxy="http://127.0.0.1:3128/" + +# This is also a handy place to tweak where Docker's temporary files go. +#export DOCKER_TMPDIR="/mnt/bigdrive/docker-tmp" diff --git a/pkg/docker-engine/deb/docker-ce.docker.init b/pkg/docker-engine/deb/docker-ce.docker.init new file mode 100755 index 00000000..9c8fa6be --- /dev/null +++ b/pkg/docker-engine/deb/docker-ce.docker.init 
@@ -0,0 +1,156 @@ +#!/bin/sh +set -e + +### BEGIN INIT INFO +# Provides: docker +# Required-Start: $syslog $remote_fs +# Required-Stop: $syslog $remote_fs +# Should-Start: cgroupfs-mount cgroup-lite +# Should-Stop: cgroupfs-mount cgroup-lite +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Create lightweight, portable, self-sufficient containers. +# Description: +# Docker is an open-source project to easily create lightweight, portable, +# self-sufficient containers from any application. The same container that a +# developer builds and tests on a laptop can run at scale, in production, on +# VMs, bare metal, OpenStack clusters, public clouds and more. +### END INIT INFO + +export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin + +BASE=docker + +# modify these in /etc/default/$BASE (/etc/default/docker) +DOCKERD=/usr/bin/dockerd +# This is the pid file managed by docker itself +DOCKER_PIDFILE=/var/run/$BASE.pid +# This is the pid file created/managed by start-stop-daemon +DOCKER_SSD_PIDFILE=/var/run/$BASE-ssd.pid +DOCKER_LOGFILE=/var/log/$BASE.log +DOCKER_OPTS= +DOCKER_DESC="Docker" + +# Get lsb functions +. /lib/lsb/init-functions + +if [ -f /etc/default/$BASE ]; then + . /etc/default/$BASE +fi + +# Check docker is present +if [ ! -x $DOCKERD ]; then + log_failure_msg "$DOCKERD not present or not executable" + exit 1 +fi + +check_init() { + # see also init_is_upstart in /lib/lsb/init-functions (which isn't available in Ubuntu 12.04, or we'd use it directly) + if [ -x /sbin/initctl ] && /sbin/initctl version 2>/dev/null | grep -q upstart; then + log_failure_msg "$DOCKER_DESC is managed via upstart, try using service $BASE $1" + exit 1 + fi +} + +fail_unless_root() { + if [ "$(id -u)" != '0' ]; then + log_failure_msg "$DOCKER_DESC must be run as root" + exit 1 + fi +} + +cgroupfs_mount() { + # see also https://github.com/tianon/cgroupfs-mount/blob/master/cgroupfs-mount + if grep -v '^#' /etc/fstab | grep -q cgroup \ + || [ ! 
-e /proc/cgroups ] \ + || [ ! -d /sys/fs/cgroup ]; then + return + fi + if ! mountpoint -q /sys/fs/cgroup; then + mount -t tmpfs -o uid=0,gid=0,mode=0755 cgroup /sys/fs/cgroup + fi + ( + cd /sys/fs/cgroup + for sys in $(awk '!/^#/ { if ($4 == 1) print $1 }' /proc/cgroups); do + mkdir -p $sys + if ! mountpoint -q $sys; then + if ! mount -n -t cgroup -o $sys cgroup $sys; then + rmdir $sys || true + fi + fi + done + ) +} + +case "$1" in + start) + check_init + + fail_unless_root + + cgroupfs_mount + + touch "$DOCKER_LOGFILE" + chgrp docker "$DOCKER_LOGFILE" + + ulimit -n 1048576 + + # Having non-zero limits causes performance problems due to accounting overhead + # in the kernel. We recommend using cgroups to do container-local accounting. + if [ "$BASH" ]; then + ulimit -u unlimited + else + ulimit -p unlimited + fi + + log_begin_msg "Starting $DOCKER_DESC: $BASE" + start-stop-daemon --start --background \ + --no-close \ + --exec "$DOCKERD" \ + --pidfile "$DOCKER_SSD_PIDFILE" \ + --make-pidfile \ + -- \ + -p "$DOCKER_PIDFILE" \ + $DOCKER_OPTS \ + >> "$DOCKER_LOGFILE" 2>&1 + log_end_msg $? + ;; + + stop) + check_init + fail_unless_root + if [ -f "$DOCKER_SSD_PIDFILE" ]; then + log_begin_msg "Stopping $DOCKER_DESC: $BASE" + start-stop-daemon --stop --pidfile "$DOCKER_SSD_PIDFILE" --retry 10 + log_end_msg $? + else + log_warning_msg "Docker already stopped - file $DOCKER_SSD_PIDFILE not found." + fi + ;; + + restart) + check_init + fail_unless_root + docker_pid=`cat "$DOCKER_SSD_PIDFILE" 2>/dev/null` + [ -n "$docker_pid" ] \ + && ps -p $docker_pid > /dev/null 2>&1 \ + && $0 stop + $0 start + ;; + + force-reload) + check_init + fail_unless_root + $0 restart + ;; + + status) + check_init + status_of_proc -p "$DOCKER_SSD_PIDFILE" "$DOCKERD" "$DOCKER_DESC" + ;; + + *) + echo "Usage: service docker {start|stop|restart|status}" + exit 1 + ;; +esac 
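Review bot: In the `start)` branch of docker-ce.docker.init the daemon log is created with `touch "$DOCKER_LOGFILE"` and only its group is changed, so its mode is whatever root's umask yields, which is typically world-readable. Daemon output can include image names, registry hosts and error details, so I would set the mode explicitly right after the `chgrp`: `chmod 0640 "$DOCKER_LOGFILE"`. Because the script runs under `set -e`, the `chgrp docker` also aborts `start` when the `docker` group does not exist; a one-line comment stating that dependency on the group created at install time would help the next maintainer.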
diff --git a/pkg/docker-engine/deb/docker-ce.docker.upstart b/pkg/docker-engine/deb/docker-ce.docker.upstart
new file mode 100644
index 00000000..d58f7d6a
--- /dev/null
+++ b/pkg/docker-engine/deb/docker-ce.docker.upstart
@@ -0,0 +1,72 @@
+description "Docker daemon"
+
+start on (filesystem and net-device-up IFACE!=lo)
+stop on runlevel [!2345]
+
+limit nofile 524288 1048576
+
+# Having non-zero limits causes performance problems due to accounting overhead
+# in the kernel. We recommend using cgroups to do container-local accounting.
+limit nproc unlimited unlimited
+
+respawn
+
+kill timeout 20
+
+pre-start script
+ # see also https://github.com/tianon/cgroupfs-mount/blob/master/cgroupfs-mount
+ if grep -v '^#' /etc/fstab | grep -q cgroup \
+ || [ ! -e /proc/cgroups ] \
+ || [ ! -d /sys/fs/cgroup ]; then
+ exit 0
+ fi
+ if ! mountpoint -q /sys/fs/cgroup; then
+ mount -t tmpfs -o uid=0,gid=0,mode=0755 cgroup /sys/fs/cgroup
+ fi
+ (
+ cd /sys/fs/cgroup
+ for sys in $(awk '!/^#/ { if ($4 == 1) print $1 }' /proc/cgroups); do
+ mkdir -p $sys
+ if ! mountpoint -q $sys; then
+ if ! mount -n -t cgroup -o $sys cgroup $sys; then
+ rmdir $sys || true
+ fi
+ fi
+ done
+ )
+end script
+
+script
+ # modify these in /etc/default/$UPSTART_JOB (/etc/default/docker)
+ DOCKERD=/usr/bin/dockerd
+ DOCKER_OPTS=
+ if [ -f /etc/default/$UPSTART_JOB ]; then
+ . /etc/default/$UPSTART_JOB
+ fi
+ exec "$DOCKERD" $DOCKER_OPTS --raw-logs
+end script
+
+# Don't emit "started" event until docker.sock is ready.
+# See https://github.com/docker/docker/issues/6647
+post-start script
+ DOCKER_OPTS=
+ DOCKER_SOCKET=
+ if [ -f /etc/default/$UPSTART_JOB ]; then
+ . /etc/default/$UPSTART_JOB
+ fi
+
+ if ! printf "%s" "$DOCKER_OPTS" | grep -qE -e '-H|--host'; then
+ DOCKER_SOCKET=/var/run/docker.sock
+ else
+ DOCKER_SOCKET=$(printf "%s" "$DOCKER_OPTS" | grep -oP -e '(-H|--host)\W*unix://\K(\S+)' | sed 1q)
+ fi
+
+ if [ -n "$DOCKER_SOCKET" ]; then
+ while ! [ -e "$DOCKER_SOCKET" ]; do
+ initctl status $UPSTART_JOB | grep -qE "(stop|respawn)/" && exit 1
+ echo "Waiting for $DOCKER_SOCKET"
+ sleep 0.1
+ done
+ echo "$DOCKER_SOCKET is up"
+ fi
+end script
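Review bot: The wait loop in `post-start script` has no upper bound: it ends only when `$DOCKER_SOCKET` appears or `initctl status` reports `stop`/`respawn`. A daemon that stays up but listens on a path other than the one parsed out of `DOCKER_OPTS` would keep the job from ever emitting `started`, while printing a line every 0.1 s. A bounded retry count with a non-zero exit on expiry would make that failure visible. I would also test for a socket rather than any file, `while ! [ -S "$DOCKER_SOCKET" ]; do`, so a regular file or directory at that path is not taken for a ready daemon.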
diff --git a/pkg/docker-engine/deb/docker-ce.postinst b/pkg/docker-engine/deb/docker-ce.postinst
new file mode 100755
index 00000000..eeef6ca8
--- /dev/null
+++ b/pkg/docker-engine/deb/docker-ce.postinst
@@ -0,0 +1,20 @@
+#!/bin/sh
+set -e
+
+case "$1" in
+ configure)
+ if [ -z "$2" ]; then
+ if ! getent group docker > /dev/null; then
+ groupadd --system docker
+ fi
+ fi
+ ;;
+ abort-*)
+ # How'd we get here??
+ exit 1
+ ;;
+ *)
+ ;;
+esac
+
+#DEBHELPER#
diff --git a/pkg/docker-engine/deb/docs b/pkg/docker-engine/deb/docs
new file mode 100644
index 00000000..073f189a
--- /dev/null
+++ b/pkg/docker-engine/deb/docs
@@ -0,0 +1 @@
+engine/README.md
diff --git a/pkg/docker-engine/deb/rules b/pkg/docker-engine/deb/rules
new file mode 100755
index 00000000..39b58390
--- /dev/null
+++ b/pkg/docker-engine/deb/rules
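Review bot: In docker-ce.postinst the `docker` group is created only when `$2` is empty, i.e. on a first install, so an upgrade on a system where the group is absent leaves it missing. The rpm `%post` in this same commit creates it on every run, guarded only by `getent`. Since the `getent` check already makes the step idempotent, I would drop the outer `if [ -z "$2" ]; then … fi` and keep only the inner `if ! getent group docker > /dev/null; then` block under `configure)`. The init script in this commit runs `chgrp docker` under `set -e`, so it depends on that group existing.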
@@ -0,0 +1,53 @@ +#!/usr/bin/make -f + +# force packages to be built with xz compression, as Ubuntu 21.10 and up use +# zstd compression, which is non-standard, and breaks 'dpkg-sig --verify' +override_dh_builddeb: + dh_builddeb -- -Zxz + +override_dh_auto_build: + mkdir -p /go/src/github.com/docker + ln -snf $(CURDIR)/engine /go/src/github.com/docker/docker + cd /go/src/github.com/docker/docker && VERSION=$(DOCKER_ENGINE_VERSION) GITCOMMIT=$(DOCKER_ENGINE_REVISION) PRODUCT=docker ./hack/make.sh dynbinary + cd /go/src/github.com/docker/docker && TMP_GOPATH="/go" hack/dockerfile/install/install.sh tini + cd /go/src/github.com/docker/docker && TMP_GOPATH="/go" hack/dockerfile/install/install.sh proxy dynamic + cd /go/src/github.com/docker/docker && TMP_GOPATH="/go" hack/dockerfile/install/install.sh rootlesskit dynamic + +override_dh_auto_test: + ver="$$(engine/bundles/dynbinary-daemon/dockerd --version)"; \ + test "$$ver" = "Docker version $(DOCKER_ENGINE_VERSION), build $(DOCKER_ENGINE_REVISION)" && echo "PASS: daemon version OK" || (echo "FAIL: daemon version ($$ver) did not match" && exit 1) + +override_dh_strip: + # Go has lots of problems with stripping, so just don't + +override_dh_auto_install: + install -D -m 0644 /common/systemd/docker.service debian/docker-ce/lib/systemd/system/docker.service + install -D -m 0644 /common/systemd/docker.socket debian/docker-ce/lib/systemd/system/docker.socket + install -D -m 0755 $(shell readlink -e engine/bundles/dynbinary-daemon/dockerd) debian/docker-ce/usr/bin/dockerd + install -D -m 0755 /usr/local/bin/docker-proxy debian/docker-ce/usr/bin/docker-proxy + install -D -m 0755 /usr/local/bin/docker-init debian/docker-ce/usr/bin/docker-init + + # docker-ce-rootless-extras install + install -D -m 0755 /usr/local/bin/rootlesskit debian/docker-ce-rootless-extras/usr/bin/rootlesskit + install -D -m 0755 /usr/local/bin/rootlesskit-docker-proxy debian/docker-ce-rootless-extras/usr/bin/rootlesskit-docker-proxy + install -D -m 0755 
engine/contrib/dockerd-rootless.sh debian/docker-ce-rootless-extras/usr/bin/dockerd-rootless.sh + install -D -m 0755 engine/contrib/dockerd-rootless-setuptool.sh debian/docker-ce-rootless-extras/usr/bin/dockerd-rootless-setuptool.sh + # TODO: how can we install vpnkit? + +override_dh_installinit: + # use "docker" as our service name, not "docker-ce" + dh_installinit --name=docker + +override_dh_shlibdeps: + dh_shlibdeps --dpkg-shlibdeps-params=--ignore-missing-info + +override_dh_install: + dh_install + # TODO Can we do this from within our container? + dh_apparmor --profile-name=docker-ce -pdocker-ce + +override_dh_gencontrol: + dh_gencontrol --remaining-packages + +%: + dh $@ diff --git a/pkg/docker-engine/deb/source/format b/pkg/docker-engine/deb/source/format new file mode 100644 index 00000000..d3827e75 --- /dev/null +++ b/pkg/docker-engine/deb/source/format @@ -0,0 +1 @@ +1.0 diff --git a/pkg/docker-engine/docker-bake.hcl b/pkg/docker-engine/docker-bake.hcl new file mode 100644 index 00000000..4dfba5fd --- /dev/null +++ b/pkg/docker-engine/docker-bake.hcl 
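Review bot: `override_dh_auto_build` in deb/rules passes the commit to `hack/make.sh` as `GITCOMMIT=$(DOCKER_ENGINE_REVISION)`, while docker-ce.spec in this commit passes `DOCKER_GITCOMMIT=%{_commit}` to the same script, and the two should agree. As far as I recall the script reads `DOCKER_GITCOMMIT` and otherwise falls back to asking git, which would not work on a tree shipped without `.git` (the Dockerfile's `src-tgz` stage packs with `--exclude .git`). Unless `DOCKER_GITCOMMIT` is exported somewhere not visible here, I would change the line to `VERSION=$(DOCKER_ENGINE_VERSION) DOCKER_GITCOMMIT=$(DOCKER_ENGINE_REVISION) PRODUCT=docker ./hack/make.sh dynbinary`. That way the `override_dh_auto_test` version check verifies the commit that was actually requested.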
@@ -0,0 +1,161 @@ +// Copyright 2022 Docker Packaging authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +# Sets the docker engine repo. Will be used to clone the repo at +# DOCKER_ENGINE_VERSION ref to include the README.md and LICENSE for the +# static packages and also create version string. +variable "DOCKER_ENGINE_REPO" { + default = "https://github.com/docker/docker.git" +} + +# Sets the docker engine helpers version to build from source. +variable "DOCKER_ENGINE_VERSION" { + default = "v20.10.17" +} + +# Sets Go image, version and variant to use for building +variable "GO_IMAGE" { + default = "" +} +variable "GO_VERSION" { + default = "" +} +variable "GO_IMAGE_VARIANT" { + default = "" +} + +# Sets the pkg name. +variable "PKG_NAME" { + default = "docker-ce" +} + +# Sets the list of package types to build: apk, deb, rpm or static +variable "PKG_TYPE" { + default = "static" +} + +# Sets release flavor. See packages.hcl and packages.mk for more details. 
+variable "PKG_RELEASE" { + default = "static" +} +target "_pkg-static" { + args = { + PKG_RELEASE = "" + PKG_TYPE = "static" + } +} + +# Sets the vendor/maintainer name (only for linux packages) +variable "PKG_VENDOR" { + default = "Docker" +} + +# Sets the name of the company that produced the package (only for linux packages) +variable "PKG_PACKAGER" { + default = "Docker " +} + +# Include an extra `.0` in the version, in case we ever would have to re-build +# an already published release with a packaging-only change. +variable "PKG_DEB_REVISION" { + default = "0" +} + +# rpm "Release:" field ($rpmRelease) is used to set the "_release" macro, which +# is an incremental number for builds of the same release (Version: / #rpmVersion) +# - Version: 0 : Package was built, but no matching upstream release (e.g., can be used for "nightly" builds) +# - Version: 1 : Package was built for an upstream (pre)release version +# - Version: > 1 : Only to be used for packaging-only changes (new package built for a version for which a package was already built/released) +variable "PKG_RPM_RELEASE" { + default = "1" +} + +# Defines the output folder +variable "DESTDIR" { + default = "" +} +function "bindir" { + params = [defaultdir] + result = DESTDIR != "" ? DESTDIR : "./bin/${defaultdir}" +} + +# Defines cache scope for GitHub Actions cache exporter +variable "BUILD_CACHE_SCOPE" { + default = "" +} + +group "default" { + targets = ["pkg"] +} + +target "_common" { + inherits = ["_pkg-${PKG_RELEASE}"] + args = { + BUILDKIT_MULTI_PLATFORM = 1 + DOCKER_ENGINE_REPO = DOCKER_ENGINE_REPO + DOCKER_ENGINE_VERSION = DOCKER_ENGINE_VERSION + GO_IMAGE = GO_IMAGE + GO_VERSION = GO_VERSION + GO_IMAGE_VARIANT = GO_IMAGE_VARIANT + PKG_NAME = PKG_NAME + PKG_VENDOR = PKG_VENDOR + PKG_PACKAGER = PKG_PACKAGER + PKG_DEB_REVISION = PKG_DEB_REVISION + PKG_RPM_RELEASE = PKG_RPM_RELEASE + } + cache-from = [BUILD_CACHE_SCOPE != "" ? 
"type=gha,scope=${BUILD_CACHE_SCOPE}-${PKG_RELEASE}" : ""] + cache-to = [BUILD_CACHE_SCOPE != "" ? "type=gha,scope=${BUILD_CACHE_SCOPE}-${PKG_RELEASE}" : ""] +} + +target "_platforms" { + platforms = [ + "linux/amd64", + "linux/arm/v7", + "linux/arm64", + "linux/ppc64le", + "linux/s390x", + "windows/amd64" + ] +} + +# $ PKG_RELEASE=debian11 docker buildx bake pkg +# $ docker buildx bake --set *.platform=linux/amd64 --set *.output=./bin pkg +target "pkg" { + inherits = ["_common"] + target = "pkg" + output = [bindir(PKG_RELEASE)] +} + +# Same as pkg but for all supported platforms +target "pkg-cross" { + inherits = ["pkg", "_platforms"] +} + +# Special target: https://github.com/docker/metadata-action#bake-definition +target "meta-helper" { + tags = ["dockereng/packaging:docker-engine-local"] +} + +# Create release image by using ./bin folder as named context. Therefore +# pkg-cross target must be run before using this target: +# $ PKG_RELEASE=debian11 docker buildx bake pkg-cross +# $ docker buildx bake release --push --set *.tags=docker/packaging:docker-engine-v20.10.17 +target "release" { + inherits = ["meta-helper", "_platforms"] + dockerfile = "../../common/release.Dockerfile" + target = "release" + contexts = { + bin-folder = "./bin" + } +} diff --git a/pkg/docker-engine/rpm/docker-ce-rootless-extras.spec b/pkg/docker-engine/rpm/docker-ce-rootless-extras.spec new file mode 100644 index 00000000..8ef78d16 --- /dev/null +++ b/pkg/docker-engine/rpm/docker-ce-rootless-extras.spec 
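Review bot: `DOCKER_ENGINE_VERSION` in docker-bake.hcl defaults to the tag `v20.10.17`, and the Dockerfile's `src` stage fetches that ref and checks out `FETCH_HEAD`, so the packaged source is whatever the tag points to at build time. Nothing visible here records or verifies the resolved commit. I would document the accepted values on the variable, e.g. `# May be a tag, branch or commit SHA; pass a commit SHA for release builds so the source cannot change under a moved tag.`, after confirming the fetch in `src` accepts a SHA. The existing comment also calls it the "docker engine helpers version", which looks like a leftover from another package's bake file.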
@@ -0,0 +1,63 @@ +%global debug_package %{nil} + +Name: docker-ce-rootless-extras +Version: %{_version} +Release: %{_release}%{?dist} +Epoch: 0 +Source0: engine.tgz +Summary: Rootless support for Docker +Group: Tools/Docker +License: ASL 2.0 +URL: https://docs.docker.com/engine/security/rootless/ +Vendor: Docker +Packager: Docker + +Requires: docker-ce +# TODO: conditionally add `Requires: dbus-daemon` for Fedora and CentOS 8 +# slirp4netns >= 0.4 is available in the all supported versions of CentOS and Fedora. +Requires: slirp4netns >= 0.4 +# fuse-overlayfs >= 0.7 is available in the all supported versions of CentOS and Fedora. +Requires: fuse-overlayfs >= 0.7 + +BuildRequires: bash + +# conflicting packages +Conflicts: rootlesskit + +%description +Rootless support for Docker. +Use dockerd-rootless.sh to run the daemon. +Use dockerd-rootless-setuptool.sh to setup systemd for dockerd-rootless.sh . +This package contains RootlessKit, but does not contain VPNKit. +Either VPNKit or slirp4netns (>= 0.4.0) needs to be installed separately. 
+ +%prep +%setup -q -c -n src -a 0 + +%build +mkdir -p /go/src/github.com/docker +ln -snf ${RPM_BUILD_DIR}/src/engine /go/src/github.com/docker/docker +TMP_GOPATH="/go" GITCOMMIT=%{_commit} ${RPM_BUILD_DIR}/src/engine/hack/dockerfile/install/install.sh rootlesskit dynamic + +%check +/usr/local/bin/rootlesskit -v + +%install +install -D -p -m 0755 engine/contrib/dockerd-rootless.sh ${RPM_BUILD_ROOT}%{_bindir}/dockerd-rootless.sh +install -D -p -m 0755 engine/contrib/dockerd-rootless-setuptool.sh ${RPM_BUILD_ROOT}%{_bindir}/dockerd-rootless-setuptool.sh +install -D -p -m 0755 /usr/local/bin/rootlesskit ${RPM_BUILD_ROOT}%{_bindir}/rootlesskit +install -D -p -m 0755 /usr/local/bin/rootlesskit-docker-proxy ${RPM_BUILD_ROOT}%{_bindir}/rootlesskit-docker-proxy + +%files +%{_bindir}/dockerd-rootless.sh +%{_bindir}/dockerd-rootless-setuptool.sh +%{_bindir}/rootlesskit +%{_bindir}/rootlesskit-docker-proxy + +%post + +%preun + +%postun + +%changelog diff --git a/pkg/docker-engine/rpm/docker-ce.spec b/pkg/docker-engine/rpm/docker-ce.spec new file mode 100644 index 00000000..28904262 --- /dev/null +++ b/pkg/docker-engine/rpm/docker-ce.spec 
@@ -0,0 +1,124 @@ +%global debug_package %{nil} + +# BTRFS is enabled by default, but can be disabled by defining _without_btrfs +%if %{undefined _with_btrfs} && %{undefined _without_btrfs} +%define _with_btrfs 1 +%endif + +Name: docker-ce +Version: %{_version} +Release: %{_release}%{?dist} +Epoch: 3 +Source0: engine.tgz +Source1: docker.service +Source2: docker.socket +Summary: The open-source application container engine +Group: Tools/Docker +License: ASL 2.0 +URL: https://www.docker.com +Vendor: Docker +Packager: Docker + +Requires: /usr/sbin/groupadd +Requires: docker-ce-cli +Requires: docker-ce-rootless-extras +Requires: container-selinux >= 2:2.74 +Requires: libseccomp >= 2.3 +Requires: systemd +Requires: iptables +%if %{undefined rhel} || 0%{?rhel} < 9 +# Libcgroup is no longer available in RHEL/CentOS >= 9 distros. +Requires: libcgroup +%endif +Requires: containerd.io >= 1.4.1 +Requires: tar +Requires: xz + +BuildRequires: bash +%{?_with_btrfs:BuildRequires: btrfs-progs-devel} +BuildRequires: ca-certificates +BuildRequires: cmake +BuildRequires: device-mapper-devel +BuildRequires: gcc +BuildRequires: git +BuildRequires: glibc-static +BuildRequires: libarchive +BuildRequires: libseccomp-devel +BuildRequires: libselinux-devel +BuildRequires: libtool +BuildRequires: libtool-ltdl-devel +BuildRequires: make +BuildRequires: pkgconfig +BuildRequires: pkgconfig(systemd) +BuildRequires: selinux-policy-devel +BuildRequires: systemd-devel +BuildRequires: tar +BuildRequires: which + +Conflicts: docker +Conflicts: docker-io +Conflicts: docker-engine-cs +Conflicts: docker-ee + +Obsoletes: docker-ce-selinux +Obsoletes: docker-engine-selinux +Obsoletes: docker-engine + +%description +Docker is a product for you to build, ship and run any application as a +lightweight container. + +Docker containers are both hardware-agnostic and platform-agnostic. 
This means +they can run anywhere, from your laptop to the largest cloud compute instance +and everything in between - and they don't require you to use a particular +language, framework or packaging system. That makes them great building blocks +for deploying and scaling web apps, databases, and backend services without +depending on a particular stack or provider. + +%prep +%setup -q -c -n src -a 0 + +%build +mkdir -p /go/src/github.com/docker +rm -f /go/src/github.com/docker/docker +ln -snf ${RPM_BUILD_DIR}/src/engine /go/src/github.com/docker/docker +pushd /go/src/github.com/docker/docker +TMP_GOPATH="/go" hack/dockerfile/install/install.sh tini +TMP_GOPATH="/go" hack/dockerfile/install/install.sh proxy dynamic +VERSION=%{_origversion} DOCKER_GITCOMMIT=%{_commit} PRODUCT=docker hack/make.sh dynbinary +popd + +%check +ver="$(engine/bundles/dynbinary-daemon/dockerd --version)"; \ + test "$ver" = "Docker version %{_origversion}, build %{_commit}" && echo "PASS: daemon version OK" || (echo "FAIL: daemon version ($ver) did not match" && exit 1) + +%install +# install binaries +install -D -p -m 0755 $(readlink -f engine/bundles/dynbinary-daemon/dockerd) ${RPM_BUILD_ROOT}%{_bindir}/dockerd +install -D -p -m 0755 /usr/local/bin/docker-proxy ${RPM_BUILD_ROOT}%{_bindir}/docker-proxy +install -D -p -m 0755 /usr/local/bin/docker-init ${RPM_BUILD_ROOT}%{_bindir}/docker-init + +# install systemd scripts +install -D -m 0644 engine/contrib/init/systemd/docker.service ${RPM_BUILD_ROOT}%{_unitdir}/docker.service +install -D -m 0644 engine/contrib/init/systemd/docker.socket ${RPM_BUILD_ROOT}%{_unitdir}/docker.socket + +%files +%{_bindir}/dockerd +%{_bindir}/docker-proxy +%{_bindir}/docker-init +%{_unitdir}/docker.service +%{_unitdir}/docker.socket + +%post +%systemd_post docker.service +if ! getent group docker > /dev/null; then + groupadd --system docker +fi + +%preun +%systemd_preun docker.service + +%postun +%systemd_postun_with_restart docker.service + +%changelog
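Review bot: `Source1: docker.service` and `Source2: docker.socket` are declared in docker-ce.spec but never used: `%install` takes both unit files from `engine/contrib/init/systemd/`, while deb/rules in this commit installs them from `/common/systemd/`. The deb and rpm packages can therefore ship different unit files, and a hardening change made to the shared copy would not reach the rpm. If the declared sources are meant to be the shared units, install them with `install -D -m 0644 %{SOURCE1} ${RPM_BUILD_ROOT}%{_unitdir}/docker.service` and `install -D -m 0644 %{SOURCE2} ${RPM_BUILD_ROOT}%{_unitdir}/docker.socket`; otherwise drop the two `Source` lines.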