vendor: update c/storage and c/image

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

vendor/github.com/containers/image/v5/docker/docker_client.go

@@ -61,8 +61,8 @@ type certPath struct {
 var (
 	homeCertDir     = filepath.FromSlash(".config/containers/certs.d")
 	perHostCertDirs = []certPath{
-		{path: "/etc/containers/certs.d", absolute: true},
-		{path: "/etc/docker/certs.d", absolute: true},
+		{path: etcDir + "/containers/certs.d", absolute: true},
+		{path: etcDir + "/docker/certs.d", absolute: true},
 	}
 
 	defaultUserAgent = "containers/" + version.Version + " (github.com/containers/image)"

vendor/github.com/containers/image/v5/docker/docker_image_src.go

@@ -9,6 +9,7 @@ import (
 	"net/http"
 	"net/url"
 	"os"
+	"regexp"
 	"strconv"
 	"strings"
 	"sync"
@@ -343,12 +344,16 @@ func handle206Response(streams chan io.ReadCloser, errs chan error, body io.Read
 	buffered := makeBufferedNetworkReader(body, 64, 16384)
 	defer buffered.Close()
 	mr := multipart.NewReader(buffered, boundary)
+	parts := 0
 	for {
 		p, err := mr.NextPart()
 		if err != nil {
 			if err != io.EOF {
 				errs <- err
 			}
+			if parts != len(chunks) {
+				errs <- errors.Errorf("invalid number of chunks returned by the server")
+			}
 			return
 		}
 		s := signalCloseReader{
@@ -359,9 +364,34 @@ func handle206Response(streams chan io.ReadCloser, errs chan error, body io.Read
 		// NextPart() cannot be called while the current part
 		// is being read, so wait until it is closed
 		<-s.closed
+		parts++
 	}
 }
 
+var multipartByteRangesRe = regexp.MustCompile("multipart/byteranges; boundary=([A-Za-z-0-9:]+)")
+
+func parseMediaType(contentType string) (string, map[string]string, error) {
+	mediaType, params, err := mime.ParseMediaType(contentType)
+	if err != nil {
+		if err == mime.ErrInvalidMediaParameter {
+			// CloudFront returns an invalid MIME type, that contains an unquoted ":" in the boundary
+			// param, let's handle it here.
+			matches := multipartByteRangesRe.FindStringSubmatch(contentType)
+			if len(matches) == 2 {
+				mediaType = "multipart/byteranges"
+				params = map[string]string{
+					"boundary": matches[1],
+				}
+				err = nil
+			}
+		}
+		if err != nil {
+			return "", nil, err
+		}
+	}
+	return mediaType, params, err
+}
+
 // GetBlobAt returns a sequential channel of readers that contain data for the requested
 // blob chunks, and a channel that might get a single error value.
 // The specified chunks must be not overlapping and sorted by their offset.
@@ -397,7 +427,7 @@ func (s *dockerImageSource) GetBlobAt(ctx context.Context, info types.BlobInfo,
 		go splitHTTP200ResponseToPartial(streams, errs, res.Body, chunks)
 		return streams, errs, nil
 	case http.StatusPartialContent:
-		mediaType, params, err := mime.ParseMediaType(res.Header.Get("Content-Type"))
+		mediaType, params, err := parseMediaType(res.Header.Get("Content-Type"))
 		if err != nil {
 			return nil, nil, err
 		}

vendor/github.com/containers/image/v5/docker/lookaside.go

@@ -25,7 +25,7 @@ var systemRegistriesDirPath = builtinRegistriesDirPath
 
 // builtinRegistriesDirPath is the path to registries.d.
 // DO NOT change this, instead see systemRegistriesDirPath above.
-const builtinRegistriesDirPath = "/etc/containers/registries.d"
+const builtinRegistriesDirPath = etcDir + "/containers/registries.d"
 
 // userRegistriesDirPath is the path to the per user registries.d.
 var userRegistriesDir = filepath.FromSlash(".config/containers/registries.d")

vendor/github.com/containers/image/v5/docker/paths_common.go

@@ -0,0 +1,6 @@
+//go:build !freebsd
+// +build !freebsd
+
+package docker
+
+const etcDir = "/etc"

vendor/github.com/containers/image/v5/docker/paths_freebsd.go

@@ -0,0 +1,6 @@
+//go:build freebsd
+// +build freebsd
+
+package docker
+
+const etcDir = "/usr/local/etc"

vendor/github.com/containers/image/v5/pkg/sysregistriesv2/paths_common.go

@@ -0,0 +1,12 @@
+//go:build !freebsd
+// +build !freebsd
+
+package sysregistriesv2
+
+// builtinRegistriesConfPath is the path to the registry configuration file.
+// DO NOT change this, instead see systemRegistriesConfPath above.
+const builtinRegistriesConfPath = "/etc/containers/registries.conf"
+
+// builtinRegistriesConfDirPath is the path to the registry configuration directory.
+// DO NOT change this, instead see systemRegistriesConfDirectoryPath above.
+const builtinRegistriesConfDirPath = "/etc/containers/registries.conf.d"

vendor/github.com/containers/image/v5/pkg/sysregistriesv2/paths_freebsd.go

@@ -0,0 +1,12 @@
+//go:build freebsd
+// +build freebsd
+
+package sysregistriesv2
+
+// builtinRegistriesConfPath is the path to the registry configuration file.
+// DO NOT change this, instead see systemRegistriesConfPath above.
+const builtinRegistriesConfPath = "/usr/local/etc/containers/registries.conf"
+
+// builtinRegistriesConfDirPath is the path to the registry configuration directory.
+// DO NOT change this, instead see systemRegistriesConfDirectoryPath above.
+const builtinRegistriesConfDirPath = "/usr/local/etc/containers/registries.conf.d"

vendor/github.com/containers/image/v5/pkg/sysregistriesv2/system_registries_v2.go

@@ -25,20 +25,12 @@ import (
 // -ldflags '-X github.com/containers/image/v5/sysregistries.systemRegistriesConfPath=$your_path'
 var systemRegistriesConfPath = builtinRegistriesConfPath
 
-// builtinRegistriesConfPath is the path to the registry configuration file.
-// DO NOT change this, instead see systemRegistriesConfPath above.
-const builtinRegistriesConfPath = "/etc/containers/registries.conf"
-
 // systemRegistriesConfDirPath is the path to the system-wide registry
 // configuration directory and is used to add/subtract potential registries for
 // obtaining images.  You can override this at build time with
 // -ldflags '-X github.com/containers/image/v5/sysregistries.systemRegistriesConfDirectoryPath=$your_path'
 var systemRegistriesConfDirPath = builtinRegistriesConfDirPath
 
-// builtinRegistriesConfDirPath is the path to the registry configuration directory.
-// DO NOT change this, instead see systemRegistriesConfDirectoryPath above.
-const builtinRegistriesConfDirPath = "/etc/containers/registries.conf.d"
-
 // AuthenticationFileHelper is a special key for credential helpers indicating
 // the usage of consulting containers-auth.json files instead of a credential
 // helper.

vendor/github.com/containers/image/v5/signature/policy_config.go

@@ -32,10 +32,6 @@ import (
 // -ldflags '-X github.com/containers/image/v5/signature.systemDefaultPolicyPath=$your_path'
 var systemDefaultPolicyPath = builtinDefaultPolicyPath
 
-// builtinDefaultPolicyPath is the policy path used for DefaultPolicy().
-// DO NOT change this, instead see systemDefaultPolicyPath above.
-const builtinDefaultPolicyPath = "/etc/containers/policy.json"
-
 // userPolicyFile is the path to the per user policy path.
 var userPolicyFile = filepath.FromSlash(".config/containers/policy.json")
 

vendor/github.com/containers/image/v5/signature/policy_paths_common.go

@@ -0,0 +1,8 @@
+//go:build !freebsd
+// +build !freebsd
+
+package signature
+
+// builtinDefaultPolicyPath is the policy path used for DefaultPolicy().
+// DO NOT change this, instead see systemDefaultPolicyPath above.
+const builtinDefaultPolicyPath = "/etc/containers/policy.json"

vendor/github.com/containers/image/v5/signature/policy_paths_freebsd.go

@@ -0,0 +1,8 @@
+//go:build freebsd
+// +build freebsd
+
+package signature
+
+// builtinDefaultPolicyPath is the policy path used for DefaultPolicy().
+// DO NOT change this, instead see systemDefaultPolicyPath above.
+const builtinDefaultPolicyPath = "/usr/local/etc/containers/policy.json"

vendor/github.com/containers/image/v5/version/version.go

@@ -8,10 +8,10 @@ const (
 	// VersionMinor is for functionality in a backwards-compatible manner
 	VersionMinor = 21
 	// VersionPatch is for backwards-compatible bug fixes
-	VersionPatch = 1
+	VersionPatch = 2
 
 	// VersionDev indicates development branch. Releases will be empty string.
-	VersionDev = ""
+	VersionDev = "-dev"
 )
 
 // Version is the specification version that the package types support.

vendor/github.com/containers/storage/Makefile

@@ -59,8 +59,8 @@ binary local-binary: containers-storage
 local-gccgo: ## build using gccgo on the host
 	GCCGO=$(PWD)/hack/gccgo-wrapper.sh $(GO) build $(MOD_VENDOR) -compiler gccgo $(BUILDFLAGS) -o containers-storage.gccgo ./cmd/containers-storage
 
-local-cross: ## cross build the binaries for arm, darwin, and\nfreebsd
-	@for target in linux/amd64 linux/386 linux/arm linux/arm64 linux/ppc64 linux/ppc64le darwin/amd64 windows/amd64 ; do \
+local-cross: ## cross build the binaries for arm, darwin, and freebsd
+	@for target in linux/amd64 linux/386 linux/arm linux/arm64 linux/ppc64 linux/ppc64le darwin/amd64 windows/amd64 freebsd/amd64 freebsd/arm64 ; do \
 		os=`echo $${target} | cut -f1 -d/` ; \
 		arch=`echo $${target} | cut -f2 -d/` ; \
 		suffix=$${os}.$${arch} ; \

vendor/github.com/containers/storage/VERSION

@@ -1 +1 @@
-1.40.2
+1.41.1-dev

vendor/github.com/containers/storage/drivers/overlay/overlay.go

@@ -207,14 +207,18 @@ func checkSupportVolatile(home, runhome string) (bool, error) {
 // checkAndRecordIDMappedSupport checks and stores if the kernel supports mounting overlay on top of a
 // idmapped lower layer.
 func checkAndRecordIDMappedSupport(home, runhome string) (bool, error) {
+	if os.Geteuid() != 0 {
+		return false, nil
+	}
+
 	feature := "idmapped-lower-dir"
 	overlayCacheResult, overlayCacheText, err := cachedFeatureCheck(runhome, feature)
 	if err == nil {
 		if overlayCacheResult {
-			logrus.Debugf("Cached value indicated that overlay is supported")
+			logrus.Debugf("Cached value indicated that idmapped mounts for overlay are supported")
 			return true, nil
 		}
-		logrus.Debugf("Cached value indicated that overlay is not supported")
+		logrus.Debugf("Cached value indicated that idmapped mounts for overlay are not supported")
 		return false, errors.New(overlayCacheText)
 	}
 	supportsIDMappedMounts, err := supportsIdmappedLowerLayers(home)

vendor/github.com/containers/storage/go.mod

@@ -12,7 +12,7 @@ require (
 	github.com/google/go-intervals v0.0.2
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/json-iterator/go v1.1.12
-	github.com/klauspost/compress v1.15.2
+	github.com/klauspost/compress v1.15.4
 	github.com/klauspost/pgzip v1.2.5
 	github.com/mattn/go-shellwords v1.0.12
 	github.com/mistifyio/go-zfs v2.1.2-0.20190413222219-f784269be439+incompatible

vendor/github.com/containers/storage/go.sum

@@ -425,8 +425,8 @@ github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+o
 github.com/klauspost/compress v1.11.3/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
 github.com/klauspost/compress v1.11.13/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
 github.com/klauspost/compress v1.15.1/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk=
-github.com/klauspost/compress v1.15.2 h1:3WH+AG7s2+T8o3nrM/8u2rdqUEcQhmga7smjrT41nAw=
-github.com/klauspost/compress v1.15.2/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU=
+github.com/klauspost/compress v1.15.4 h1:1kn4/7MepF/CHmYub99/nNX8az0IJjfSOU/jbnTVfqQ=
+github.com/klauspost/compress v1.15.4/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU=
 github.com/klauspost/pgzip v1.2.5 h1:qnWYvvKqedOF2ulHpMG72XQol4ILEJ8k2wwRl/Km8oE=
 github.com/klauspost/pgzip v1.2.5/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=

vendor/github.com/containers/storage/pkg/chrootarchive/archive.go

@@ -5,9 +5,7 @@ import (
 	"fmt"
 	"io"
 	"io/ioutil"
-	"net"
 	"os"
-	"os/user"
 	"path/filepath"
 	"sync"
 
@@ -17,13 +15,6 @@ import (
 	"github.com/pkg/errors"
 )
 
-func init() {
-	// initialize nss libraries in Glibc so that the dynamic libraries are loaded in the host
-	// environment not in the chroot from untrusted files.
-	_, _ = user.Lookup("storage")
-	_, _ = net.LookupHost("localhost")
-}
-
 // NewArchiver returns a new Archiver which uses chrootarchive.Untar
 func NewArchiver(idMappings *idtools.IDMappings) *archive.Archiver {
 	archiver := archive.NewArchiver(idMappings)

vendor/github.com/containers/storage/pkg/chrootarchive/chroot_linux.go

@@ -3,7 +3,9 @@ package chrootarchive
 import (
 	"fmt"
 	"io/ioutil"
+	"net"
 	"os"
+	"os/user"
 	"path/filepath"
 
 	"github.com/containers/storage/pkg/mount"
@@ -23,6 +25,11 @@ func chroot(path string) (err error) {
 		return err
 	}
 
+	// initialize nss libraries in Glibc so that the dynamic libraries are loaded in the host
+	// environment not in the chroot from untrusted files.
+	_, _ = user.Lookup("storage")
+	_, _ = net.LookupHost("localhost")
+
 	// if the process doesn't have CAP_SYS_ADMIN, but does have CAP_SYS_CHROOT, we need to use the actual chroot
 	if !caps.Get(capability.EFFECTIVE, capability.CAP_SYS_ADMIN) && caps.Get(capability.EFFECTIVE, capability.CAP_SYS_CHROOT) {
 		return realChroot(path)

vendor/github.com/containers/storage/pkg/chunked/storage_linux.go

@@ -918,6 +918,9 @@ func (c *chunkedDiffer) storeMissingFiles(streams chan io.ReadCloser, errs chan
 			case p := <-streams:
 				part = p
 			case err := <-errs:
+				if err == nil {
+					return errors.New("not enough data returned from the server")
+				}
 				return err
 			}
 			if part == nil {
@@ -1081,12 +1084,18 @@ func mergeMissingChunks(missingParts []missingPart, target int) []missingPart {
 
 func (c *chunkedDiffer) retrieveMissingFiles(dest string, dirfd int, missingParts []missingPart, options *archive.TarOptions) error {
 	var chunksToRequest []ImageSourceChunk
-	for _, c := range missingParts {
-		if c.OriginFile == nil && !c.Hole {
-			chunksToRequest = append(chunksToRequest, *c.SourceChunk)
+
+	calculateChunksToRequest := func() {
+		chunksToRequest = []ImageSourceChunk{}
+		for _, c := range missingParts {
+			if c.OriginFile == nil && !c.Hole {
+				chunksToRequest = append(chunksToRequest, *c.SourceChunk)
+			}
 		}
 	}
 
+	calculateChunksToRequest()
+
 	// There are some missing files.  Prepare a multirange request for the missing chunks.
 	var streams chan io.ReadCloser
 	var err error
@@ -1106,6 +1115,7 @@ func (c *chunkedDiffer) retrieveMissingFiles(dest string, dirfd int, missingPart
 
 			// Merge more chunks to request
 			missingParts = mergeMissingChunks(missingParts, requested/2)
+			calculateChunksToRequest()
 			continue
 		}
 		return err
@@ -1575,6 +1585,8 @@ func (c *chunkedDiffer) ApplyDiff(dest string, options *archive.TarOptions) (gra
 	wg.Wait()
 
 	for _, res := range copyResults[:filesToWaitFor] {
+		r := &mergedEntries[res.index]
+
 		if res.err != nil {
 			return output, res.err
 		}
@@ -1584,8 +1596,6 @@ func (c *chunkedDiffer) ApplyDiff(dest string, options *archive.TarOptions) (gra
 			continue
 		}
 
-		r := &mergedEntries[res.index]
-
 		missingPartsSize += r.Size
 
 		remainingSize := r.Size

vendor/github.com/containers/storage/pkg/mount/mounter_freebsd.go

@@ -1,3 +1,6 @@
+//go:build freebsd && cgo
+// +build freebsd,cgo
+
 package mount
 
 /*

vendor/github.com/containers/storage/pkg/mount/mounter_unsupported.go

@@ -1,4 +1,6 @@
-// +build !linux,!freebsd
+//go:build !linux && !(freebsd && cgo)
+// +build !linux
+// +build !freebsd !cgo
 
 package mount
 

vendor/github.com/containers/storage/storage.conf-freebsd

@@ -5,8 +5,8 @@
 # files.
 #
 #  Note: The storage.conf file overrides other storage.conf files based on this precedence:
-#      /usr/containers/storage.conf
-#      /etc/containers/storage.conf
+#      /usr/local/share/containers/storage.conf
+#      /usr/local/etc/containers/storage.conf
 #      $HOME/.config/containers/storage.conf
 #      $XDG_CONFIG_HOME/containers/storage.conf (If XDG_CONFIG_HOME is set)
 # See man 5 containers-storage.conf for more information

vendor/github.com/containers/storage/store.go

@@ -1195,6 +1195,11 @@ func (s *store) imageTopLayerForMapping(image *Image, ristore ROImageStore, crea
 				if layer == nil {
 					layer = cLayer
 					parentLayer = cParentLayer
+					if store != rlstore {
+						// The layer is in another store, so we cannot
+						// create a mapped version of it to the image.
+						createMappedLayer = false
+					}
 				}
 			}
 		}

vendor/github.com/containers/storage/types/options.go

@@ -25,22 +25,6 @@ type TomlConfig struct {
 	} `toml:"storage"`
 }
 
-const (
-	// these are default path for run and graph root for rootful users
-	// for rootless path is constructed via getRootlessStorageOpts
-	defaultRunRoot   string = "/run/containers/storage"
-	defaultGraphRoot string = "/var/lib/containers/storage"
-)
-
-// defaultConfigFile path to the system wide storage.conf file
-var (
-	defaultConfigFile         = "/usr/share/containers/storage.conf"
-	defaultOverrideConfigFile = "/etc/containers/storage.conf"
-	defaultConfigFileSet      = false
-	// DefaultStoreOptions is a reasonable default set of options.
-	defaultStoreOptions StoreOptions
-)
-
 const (
 	overlayDriver = "overlay"
 	overlay2      = "overlay2"

vendor/github.com/containers/storage/types/options_darwin.go

@@ -0,0 +1,17 @@
+package types
+
+const (
+	// these are default path for run and graph root for rootful users
+	// for rootless path is constructed via getRootlessStorageOpts
+	defaultRunRoot   string = "/run/containers/storage"
+	defaultGraphRoot string = "/var/lib/containers/storage"
+)
+
+// defaultConfigFile path to the system wide storage.conf file
+var (
+	defaultConfigFile         = "/usr/share/containers/storage.conf"
+	defaultOverrideConfigFile = "/etc/containers/storage.conf"
+	defaultConfigFileSet      = false
+	// DefaultStoreOptions is a reasonable default set of options.
+	defaultStoreOptions StoreOptions
+)

vendor/github.com/containers/storage/types/options_freebsd.go

@@ -0,0 +1,17 @@
+package types
+
+const (
+	// these are default path for run and graph root for rootful users
+	// for rootless path is constructed via getRootlessStorageOpts
+	defaultRunRoot   string = "/var/run/containers/storage"
+	defaultGraphRoot string = "/var/db/containers/storage"
+)
+
+// defaultConfigFile path to the system wide storage.conf file
+var (
+	defaultConfigFile         = "/usr/local/share/containers/storage.conf"
+	defaultOverrideConfigFile = "/usr/local/etc/containers/storage.conf"
+	defaultConfigFileSet      = false
+	// DefaultStoreOptions is a reasonable default set of options.
+	defaultStoreOptions StoreOptions
+)

vendor/github.com/containers/storage/types/options_linux.go

@@ -0,0 +1,17 @@
+package types
+
+const (
+	// these are default path for run and graph root for rootful users
+	// for rootless path is constructed via getRootlessStorageOpts
+	defaultRunRoot   string = "/run/containers/storage"
+	defaultGraphRoot string = "/var/lib/containers/storage"
+)
+
+// defaultConfigFile path to the system wide storage.conf file
+var (
+	defaultConfigFile         = "/usr/share/containers/storage.conf"
+	defaultOverrideConfigFile = "/etc/containers/storage.conf"
+	defaultConfigFileSet      = false
+	// DefaultStoreOptions is a reasonable default set of options.
+	defaultStoreOptions StoreOptions
+)

vendor/github.com/containers/storage/types/options_windows.go

@@ -0,0 +1,17 @@
+package types
+
+const (
+	// these are default path for run and graph root for rootful users
+	// for rootless path is constructed via getRootlessStorageOpts
+	defaultRunRoot   string = "/run/containers/storage"
+	defaultGraphRoot string = "/var/lib/containers/storage"
+)
+
+// defaultConfigFile path to the system wide storage.conf file
+var (
+	defaultConfigFile         = "/usr/share/containers/storage.conf"
+	defaultOverrideConfigFile = "/etc/containers/storage.conf"
+	defaultConfigFileSet      = false
+	// DefaultStoreOptions is a reasonable default set of options.
+	defaultStoreOptions StoreOptions
+)