diff --git a/.abf.yml b/.abf.yml
index e88a466..4095b07 100644
--- a/.abf.yml
+++ b/.abf.yml
@@ -1,6 +1,6 @@
 sources:
-  buildx-0.5.1.tar.gz: 5803fd02093f886beaca35553986216e02bbecec
-  cli-20.10.8.tar.gz: c4cb4c5c215fade682052584179c6de3f0cf0d47
-  libnetwork-master.tar.gz: c1f5f8cc9cb16cf7bda8faf43436cd2f99253262
-  moby-20.10.8.tar.gz: a5bf98362185b34b2cd0e41af30106bebfcd8531
+  buildx-0.10.5.tar.gz: ebfb3eb86e2e7776d90930fa2eef0b22193cddf3
+  cli-24.0.2.tar.gz: a935389283acba305d94897dc64a55d1889f294d
+  libnetwork-master.tar.gz: 8d80f7317377a2b5059d4a5907cc3d0885797a33
+  moby-24.0.2.tar.gz: af6b3c2af980f1643f48de8442560d444799df16
   tini-0.19.0.tar.gz: 2245210bdd29faea02e566a192df4c7df702b264
diff --git a/docker.spec b/docker.spec
index ad267a9..4a326e1 100644
--- a/docker.spec
+++ b/docker.spec
@@ -1,7 +1,7 @@
 # modifying the dockerinit binary breaks the SHA1 sum check by docker
 %global tini_version 0.19.0
-%global buildx_version 0.5.1
+%global buildx_version 0.10.5
 %global project docker
 %global repo %{project}
@@ -11,12 +11,12 @@
 %global gopath %{_libdir}/golang
 %define gosrc %{gopath}/src/pkg/%{import_path}
-%global commit b0f5bc36fea9dfb9672e1e9b1278ebab797b9ee0
+%global commit 659604f9ee60f147020bdd444b26e4b5c636dc28
 %global shortcommit %(c=%{commit}; echo ${c:0:7})
 Summary: Automates deployment of containerized applications
 Name: docker
-Version: 20.10.8
+Version: 24.0.2
 %global moby_version %{version}
 Release: 2
 License: ASL 2.0
@@ -60,7 +60,7 @@ BuildRequires: cmake
 Requires(pre): systemd
 %systemd_requires
 # With docker >= 1.11 you now need containerd (and runC or crun as a dep)
-Requires: containerd >= 0.2.3
+Requires: containerd
 Requires: crun
 # need xz to work with ubuntu images
 # https://bugzilla.redhat.com/show_bug.cgi?id=1045220
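Review bot: `Requires: containerd` in the @@ -60 hunk removes the version floor instead of raising it, so with `Version` now at 24.0.2 a containerd far older than the one moby 24.0.2 vendors still satisfies the dependency at install time, and the mismatch only surfaces when dockerd starts. Keep a minimum alongside the bump, e.g. `Requires: containerd >= <MIN_CONTAINERD_VERSION>`, with the value taken from the containerd dependency that moby 24.0.2 vendors. The `# With docker >= 1.11 ...` comment above it could then say where that floor comes from so the next version bump updates both together.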
@@ -71,7 +71,12 @@ Requires(postun): sed
 # https://bugzilla.redhat.com/show_bug.cgi?id=1034919
 # No longer needed in Fedora because of libcontainer
 Provides: lxc-docker = %{version}
-Provides: docker-swarm = %{version}-%{release}
+Provides: docker-swarm = %{EVRD}
+# compat with Docker repos for RH
+Provides: docker-ce = %{EVRD}
+Recommends: (%{name}-fish-completion if fish)
+Recommends: (%{name}-zsh-completion if zsh)
+Recommends: (%{name}-vim if vim)
 
 %description
 Docker is an open-source engine that automates the deployment of any
@@ -118,23 +123,27 @@ This package installs %{summary}.
 %prep
 %autosetup -p1 -n moby-%{version}
 tar xf %{SOURCE10}
-mv libnetwork-master libnetwork
 tar xf %{SOURCE11}
 mv tini-%{tini_version} tini
 tar xf %{SOURCE12}
 tar xf %{SOURCE13}
 mv buildx-%{buildx_version} buildx
+find . -name "*~" |xargs rm || :
+# Needs to be done after unpacking extra bits, given we may want
+# to patch tini -- so no %%autosetup
+%autopatch -p1
 
 %build
 mkdir -p GO/src/github.com/{docker,krallin}
 ln -s $(pwd)/cli-%{version} GO/src/github.com/docker/cli
-ln -s $(pwd)/libnetwork GO/src/github.com/docker/libnetwork
+ln -s $(pwd)/libnetwork-master GO/src/github.com/docker/libnetwork
 ln -s $(pwd)/tini GO/src/github.com/krallin/tini
 ln -s $(pwd) GO/src/github.com/docker/docker
 export DOCKER_GITCOMMIT="%{shortcommit}"
 export DOCKER_CLI_EXPERIMENTAL=enabled
 export TMP_GOPATH="$(pwd)/GO"
 export GOPATH=%{gopath}:"$(pwd)/GO"
+export GO111MODULE=off
 
 # docker-init
 cd tini
@@ -143,7 +152,6 @@ cd tini
 cd ../..
 
 # dockerd
-export GO111MODULE=off
 DOCKER_BUILDTAGS='selinux seccomp journald' VERSION=%{moby_version} hack/make.sh dynbinary
 
 # docker-proxy
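Review bot: The added `%autopatch -p1` in the @@ -118 hunk applies the patch list a second time, because the `%autosetup -p1 -n moby-%{version}` line above it is kept and %autosetup applies patches unless it is given `-N`; the new comment says "so no %%autosetup" but the macro is still there, so the second application should fail on an already-applied patch. Change the first %prep line to `%autosetup -N -n moby-%{version}` so that only the later `%autopatch -p1`, run after tini is unpacked, applies them. Separately, with `mv libnetwork-master libnetwork` removed and the symlink repointed to `libnetwork-master`, the `install -p -m 755 libnetwork/proxy …` line left as context in hunk @@ -156 still expects a `libnetwork` directory; unless the docker-proxy build step that sits between these hunks creates it, %install will fail. `find . -name "*~" |xargs rm || :` would read more simply, and not need the error mask that also hides real failures, as `find . -name '*~' -delete`.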
@@ -156,12 +164,13 @@ cd cli-%{version}
 DISABLE_WARN_OUTSIDE_CONTAINER=1 make VERSION=%{moby_version} LDFLAGS="-linkmode=external" dynbinary
 cd ..
 
+
 %install
 # install binaries
 install -d %{buildroot}%{_bindir}
 install -p -m 755 cli-%{version}/build/docker-linux-* %{buildroot}%{_bindir}/docker
 install -d %{buildroot}%{_sbindir}
-install -p -m 755 bundles/dynbinary-daemon/dockerd-%{moby_version} %{buildroot}%{_sbindir}/dockerd
+install -p -m 755 bundles/dynbinary-daemon/dockerd %{buildroot}%{_sbindir}/dockerd
 install -p -m 755 libnetwork/proxy %{buildroot}%{_bindir}/docker-proxy
 install -p -m 755 tini/build/tini-static %{buildroot}%{_bindir}/docker-init
diff --git a/docker.sysusers b/docker.sysusers
new file mode 100644
index 0000000..0f62654
--- /dev/null
+++ b/docker.sysusers
@@ -0,0 +1 @@
+g docker - -
diff --git a/nftables-docker.nft b/nftables-docker.nft
new file mode 100644
index 0000000..a485300
--- /dev/null
+++ b/nftables-docker.nft
@@ -0,0 +1,60 @@
+table ip filter {
+	chain INPUT {
+		type filter hook input priority 0; policy accept;
+	}
+
+	chain FORWARD {
+		type filter hook forward priority 0; policy accept;
+		counter jump DOCKER-USER
+		counter jump DOCKER-ISOLATION-STAGE-1
+		oifname "docker0" ct state established,related counter accept
+		oifname "docker0" counter jump DOCKER
+		iifname "docker0" oifname != "docker0" counter accept
+		iifname "docker0" oifname "docker0" counter accept
+	}
+
+	chain OUTPUT {
+		type filter hook output priority 0; policy accept;
+	}
+
+	chain DOCKER {
+	}
+
+	chain DOCKER-ISOLATION-STAGE-1 {
+		iifname "docker0" oifname != "docker0" counter jump DOCKER-ISOLATION-STAGE-2
+		counter return
+	}
+
+	chain DOCKER-ISOLATION-STAGE-2 {
+		oifname "docker0" counter drop
+		counter return
+	}
+
+	chain DOCKER-USER {
+		counter return
+	}
+}
+table ip nat {
+	chain PREROUTING {
+		type nat hook prerouting priority -100; policy accept;
+		fib daddr type local counter jump DOCKER
+	}
+
+	chain INPUT {
+		type nat hook input priority 100; policy accept;
+	}
+
+	chain POSTROUTING {
+		type nat hook postrouting priority 100; policy accept;
+		oifname != "docker0" ip saddr 172.17.0.0/16 counter masquerade
+	}
+
+	chain OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter jump DOCKER
+	}
+
+	chain DOCKER {
+		iifname "docker0" counter return
+	}
+}
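Review bot: `chain FORWARD` is declared with `policy accept;`, whereas the iptables rules dockerd installs itself set the FORWARD policy to DROP; with this file a new inbound packet for `docker0` that the empty `DOCKER` chain does not accept falls through to the accept policy instead of being dropped, so every container port is reachable from anything that can route to the bridge, not only the ones that get explicit accept rules. If the file is meant to mirror dockerd's own ruleset, change the hook line to `type filter hook forward priority 0; policy drop;` — the two `iifname "docker0"` accept rules already carry the bridge's outbound traffic. The `ip saddr 172.17.0.0/16` masquerade rule hard-codes the default bridge subnet, so a host with a custom bridge address or additional networks would not be masqueraded by this file; a comment stating that assumption next to the rule would help. How this file is installed or loaded is not visible in the diff, since the %install hunks shown do not place it.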