Vendor in latest projectatomic/buildah

buildah fixed its probelm where it was not pulling in
the ENV of the base image. This pulls that change into
libpod as well.

Signed-off-by: umohnani8 <umohnani@redhat.com>

Closes: #832
Approved by: mheon

vendor.conf

@@ -88,7 +88,7 @@ k8s.io/kube-openapi 275e2ce91dec4c05a4094a7b1daee5560b555ac9 https://github.com/
 k8s.io/utils 258e2a2fa64568210fbd6267cf1d8fd87c3cb86e https://github.com/kubernetes/utils
 github.com/mrunalp/fileutils master
 github.com/varlink/go master
-github.com/projectatomic/buildah 40325d3e31cae9b2332a7e61d715c0687b4ce8fa
+github.com/projectatomic/buildah 25f4e8ec639044bff4ab393188d083782f07b61c
 github.com/Nvveen/Gotty master
 github.com/fsouza/go-dockerclient master
 github.com/openshift/imagebuilder master

vendor/github.com/projectatomic/buildah/add.go

@@ -12,6 +12,7 @@ import (
 	"time"
 
 	"github.com/containers/storage/pkg/archive"
+	"github.com/containers/storage/pkg/idtools"
 	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/pkg/errors"
 	"github.com/projectatomic/libpod/pkg/chrootuser"
@@ -26,7 +27,7 @@ type AddAndCopyOptions struct {
 // addURL copies the contents of the source URL to the destination.  This is
 // its own function so that deferred closes happen after we're done pulling
 // down each item of potentially many.
-func addURL(destination, srcurl string) error {
+func addURL(destination, srcurl string, owner idtools.IDPair) error {
 	logrus.Debugf("saving %q to %q", srcurl, destination)
 	resp, err := http.Get(srcurl)
 	if err != nil {
@@ -37,6 +38,9 @@ func addURL(destination, srcurl string) error {
 	if err != nil {
 		return errors.Wrapf(err, "error creating %q", destination)
 	}
+	if err = f.Chown(owner.UID, owner.GID); err != nil {
+		return errors.Wrapf(err, "error setting owner of %q", destination)
+	}
 	if last := resp.Header.Get("Last-Modified"); last != "" {
 		if mtime, err2 := time.Parse(time.RFC1123, last); err2 != nil {
 			logrus.Debugf("error parsing Last-Modified time %q: %v", last, err2)
@@ -80,11 +84,17 @@ func (b *Builder) Add(destination string, extract bool, options AddAndCopyOption
 	if err != nil {
 		return err
 	}
+	containerOwner := idtools.IDPair{UID: int(user.UID), GID: int(user.GID)}
+	hostUID, hostGID, err := getHostIDs(b.IDMappingOptions.UIDMap, b.IDMappingOptions.GIDMap, user.UID, user.GID)
+	if err != nil {
+		return err
+	}
+	hostOwner := idtools.IDPair{UID: int(hostUID), GID: int(hostGID)}
 	dest := mountPoint
 	if destination != "" && filepath.IsAbs(destination) {
 		dest = filepath.Join(dest, destination)
 	} else {
-		if err = ensureDir(filepath.Join(dest, b.WorkDir()), user, 0755); err != nil {
+		if err = idtools.MkdirAllAndChownNew(filepath.Join(dest, b.WorkDir()), 0755, hostOwner); err != nil {
 			return err
 		}
 		dest = filepath.Join(dest, b.WorkDir(), destination)
@@ -93,7 +103,7 @@ func (b *Builder) Add(destination string, extract bool, options AddAndCopyOption
 	// with a '/', create it so that we can be sure that it's a directory,
 	// and any files we're copying will be placed in the directory.
 	if len(destination) > 0 && destination[len(destination)-1] == os.PathSeparator {
-		if err = ensureDir(dest, user, 0755); err != nil {
+		if err = idtools.MkdirAllAndChownNew(dest, 0755, hostOwner); err != nil {
 			return err
 		}
 	}
@@ -112,6 +122,9 @@ func (b *Builder) Add(destination string, extract bool, options AddAndCopyOption
 	if len(source) > 1 && (destfi == nil || !destfi.IsDir()) {
 		return errors.Errorf("destination %q is not a directory", dest)
 	}
+	copyFileWithTar := b.copyFileWithTar(&containerOwner)
+	copyWithTar := b.copyWithTar(&containerOwner)
+	untarPath := b.untarPath(nil)
 	for _, src := range source {
 		if strings.HasPrefix(src, "http://") || strings.HasPrefix(src, "https://") {
 			// We assume that source is a file, and we're copying
@@ -127,10 +140,7 @@ func (b *Builder) Add(destination string, extract bool, options AddAndCopyOption
 			if destfi != nil && destfi.IsDir() {
 				d = filepath.Join(dest, path.Base(url.Path))
 			}
-			if err := addURL(d, src); err != nil {
+			if err := addURL(d, src, hostOwner); err != nil {
-				return err
-			}
-			if err := setOwner("", d, user); err != nil {
 				return err
 			}
 			continue
@@ -153,16 +163,13 @@ func (b *Builder) Add(destination string, extract bool, options AddAndCopyOption
 				// the source directory into the target directory.  Try
 				// to create it first, so that if there's a problem,
 				// we'll discover why that won't work.
-				if err = ensureDir(dest, user, 0755); err != nil {
+				if err = idtools.MkdirAllAndChownNew(dest, 0755, hostOwner); err != nil {
 					return err
 				}
 				logrus.Debugf("copying %q to %q", gsrc+string(os.PathSeparator)+"*", dest+string(os.PathSeparator)+"*")
 				if err := copyWithTar(gsrc, dest); err != nil {
 					return errors.Wrapf(err, "error copying %q to %q", gsrc, dest)
 				}
-				if err := setOwner(gsrc, dest, user); err != nil {
-					return err
-				}
 				continue
 			}
 			if !extract || !archive.IsArchivePath(gsrc) {
@@ -178,9 +185,6 @@ func (b *Builder) Add(destination string, extract bool, options AddAndCopyOption
 				if err := copyFileWithTar(gsrc, d); err != nil {
 					return errors.Wrapf(err, "error copying %q to %q", gsrc, d)
 				}
-				if err := setOwner(gsrc, d, user); err != nil {
-					return err
-				}
 				continue
 			}
 			// We're extracting an archive into the destination directory.
@@ -205,49 +209,16 @@ func (b *Builder) user(mountPoint string, userspec string) (specs.User, error) {
 		GID:      gid,
 		Username: userspec,
 	}
+	if !strings.Contains(userspec, ":") {
+		groups, err2 := chrootuser.GetAdditionalGroupsForUser(mountPoint, uint64(u.UID))
+		if err2 != nil {
+			if errors.Cause(err2) != chrootuser.ErrNoSuchUser && err == nil {
+				err = err2
+			}
+		} else {
+			u.AdditionalGids = groups
+		}
+
+	}
 	return u, err
 }
-
-// setOwner sets the uid and gid owners of a given path.
-func setOwner(src, dest string, user specs.User) error {
-	fid, err := os.Stat(dest)
-	if err != nil {
-		return errors.Wrapf(err, "error reading %q", dest)
-	}
-	if !fid.IsDir() || src == "" {
-		if err := os.Lchown(dest, int(user.UID), int(user.GID)); err != nil {
-			return errors.Wrapf(err, "error setting ownership of %q", dest)
-		}
-		return nil
-	}
-	err = filepath.Walk(src, func(p string, info os.FileInfo, we error) error {
-		relPath, err2 := filepath.Rel(src, p)
-		if err2 != nil {
-			return errors.Wrapf(err2, "error getting relative path of %q to set ownership on destination", p)
-		}
-		if relPath != "." {
-			absPath := filepath.Join(dest, relPath)
-			if err2 := os.Lchown(absPath, int(user.UID), int(user.GID)); err != nil {
-				return errors.Wrapf(err2, "error setting ownership of %q", absPath)
-			}
-		}
-		return nil
-	})
-	if err != nil {
-		return errors.Wrapf(err, "error walking dir %q to set ownership", src)
-	}
-	return nil
-}
-
-// ensureDir creates a directory if it doesn't exist, setting ownership and permissions as passed by user and perm.
-func ensureDir(path string, user specs.User, perm os.FileMode) error {
-	if _, err := os.Stat(path); os.IsNotExist(err) {
-		if err := os.MkdirAll(path, perm); err != nil {
-			return errors.Wrapf(err, "error ensuring directory %q exists", path)
-		}
-		if err := os.Chown(path, int(user.UID), int(user.GID)); err != nil {
-			return errors.Wrapf(err, "error setting ownership of %q", path)
-		}
-	}
-	return nil
-}

vendor/github.com/projectatomic/buildah/buildah.go

@@ -67,6 +67,37 @@ func (p PullPolicy) String() string {
 	return fmt.Sprintf("unrecognized policy %d", p)
 }
 
+// NetworkConfigurationPolicy takes the value NetworkDefault, NetworkDisabled,
+// or NetworkEnabled.
+type NetworkConfigurationPolicy int
+
+const (
+	// NetworkDefault is one of the values that BuilderOptions.ConfigureNetwork
+	// can take, signalling that the default behavior should be used.
+	NetworkDefault NetworkConfigurationPolicy = iota
+	// NetworkDisabled is one of the values that BuilderOptions.ConfigureNetwork
+	// can take, signalling that network interfaces should NOT be configured for
+	// newly-created network namespaces.
+	NetworkDisabled
+	// NetworkEnabled is one of the values that BuilderOptions.ConfigureNetwork
+	// can take, signalling that network interfaces should be configured for
+	// newly-created network namespaces.
+	NetworkEnabled
+)
+
+// String formats a NetworkConfigurationPolicy as a string.
+func (p NetworkConfigurationPolicy) String() string {
+	switch p {
+	case NetworkDefault:
+		return "NetworkDefault"
+	case NetworkDisabled:
+		return "NetworkDisabled"
+	case NetworkEnabled:
+		return "NetworkEnabled"
+	}
+	return fmt.Sprintf("unknown NetworkConfigurationPolicy %d", p)
+}
+
 // Builder objects are used to represent containers which are being used to
 // build images.  They also carry potential updates which will be applied to
 // the image's configuration when the container's contents are used to build an
@@ -116,6 +147,23 @@ type Builder struct {
 	// DefaultMountsFilePath is the file path holding the mounts to be mounted in "host-path:container-path" format.
 	DefaultMountsFilePath string `json:"defaultMountsFilePath,omitempty"`
 
+	// NamespaceOptions controls how we set up the namespaces for processes that we run in the container.
+	NamespaceOptions NamespaceOptions
+	// ConfigureNetwork controls whether or not network interfaces and
+	// routing are configured for a new network namespace (i.e., when not
+	// joining another's namespace and not just using the host's
+	// namespace), effectively deciding whether or not the process has a
+	// usable network.
+	ConfigureNetwork NetworkConfigurationPolicy
+	// CNIPluginPath is the location of CNI plugin helpers, if they should be
+	// run from a location other than the default location.
+	CNIPluginPath string
+	// CNIConfigDir is the location of CNI configuration files, if the files in
+	// the default configuration directory shouldn't be used.
+	CNIConfigDir string
+	// ID mapping options to use when running processes in the container with non-host user namespaces.
+	IDMappingOptions IDMappingOptions
+
 	CommonBuildOpts *CommonBuildOptions
 }
 
@@ -136,6 +184,11 @@ type BuilderInfo struct {
 	OCIv1                 v1.Image
 	Docker                docker.V2Image
 	DefaultMountsFilePath string
+	NamespaceOptions      NamespaceOptions
+	ConfigureNetwork      string
+	CNIPluginPath         string
+	CNIConfigDir          string
+	IDMappingOptions      IDMappingOptions
 }
 
 // GetBuildInfo gets a pointer to a Builder object and returns a BuilderInfo object from it.
@@ -156,6 +209,11 @@ func GetBuildInfo(b *Builder) BuilderInfo {
 		OCIv1:                 b.OCIv1,
 		Docker:                b.Docker,
 		DefaultMountsFilePath: b.DefaultMountsFilePath,
+		NamespaceOptions:      b.NamespaceOptions,
+		ConfigureNetwork:      fmt.Sprintf("%v", b.ConfigureNetwork),
+		CNIPluginPath:         b.CNIPluginPath,
+		CNIConfigDir:          b.CNIConfigDir,
+		IDMappingOptions:      b.IDMappingOptions,
 	}
 }
 
@@ -250,7 +308,25 @@ type BuilderOptions struct {
 	// DefaultMountsFilePath is the file path holding the mounts to be
 	// mounted in "host-path:container-path" format
 	DefaultMountsFilePath string
-	CommonBuildOpts       *CommonBuildOptions
+	// NamespaceOptions controls how we set up namespaces for processes that
+	// we might need to run using the container's root filesystem.
+	NamespaceOptions NamespaceOptions
+	// ConfigureNetwork controls whether or not network interfaces and
+	// routing are configured for a new network namespace (i.e., when not
+	// joining another's namespace and not just using the host's
+	// namespace), effectively deciding whether or not the process has a
+	// usable network.
+	ConfigureNetwork NetworkConfigurationPolicy
+	// CNIPluginPath is the location of CNI plugin helpers, if they should be
+	// run from a location other than the default location.
+	CNIPluginPath string
+	// CNIConfigDir is the location of CNI configuration files, if the files in
+	// the default configuration directory shouldn't be used.
+	CNIConfigDir string
+	// ID mapping options to use if we're setting up our own user namespace.
+	IDMappingOptions *IDMappingOptions
+
+	CommonBuildOpts *CommonBuildOptions
 }
 
 // ImportOptions are used to initialize a Builder from an existing container

vendor/github.com/projectatomic/buildah/image.go

@@ -54,6 +54,7 @@ type containerImageRef struct {
 	preferredManifestType string
 	exporting             bool
 	squash                bool
+	tarPath               func(path string) (io.ReadCloser, error)
 }
 
 type containerImageSource struct {
@@ -132,10 +133,7 @@ func (i *containerImageRef) extractRootfs() (io.ReadCloser, error) {
 	if err != nil {
 		return nil, errors.Wrapf(err, "error extracting container %q", i.containerID)
 	}
-	tarOptions := &archive.TarOptions{
+	rc, err := i.tarPath(mountPoint)
-		Compression: archive.Uncompressed,
-	}
-	rc, err := archive.TarWithOptions(mountPoint, tarOptions)
 	if err != nil {
 		return nil, errors.Wrapf(err, "error extracting container %q", i.containerID)
 	}
@@ -623,6 +621,7 @@ func (b *Builder) makeImageRef(manifestType string, exporting bool, squash bool,
 		preferredManifestType: manifestType,
 		exporting:             exporting,
 		squash:                squash,
+		tarPath:               b.tarPath(),
 	}
 	return ref, nil
 }

vendor/github.com/projectatomic/buildah/imagebuildah/build.go

@@ -107,8 +107,26 @@ type BuildOptions struct {
 	// Accepted values are OCIv1ImageFormat and Dockerv2ImageFormat.
 	OutputFormat string
 	// SystemContext holds parameters used for authentication.
-	SystemContext   *types.SystemContext
+	SystemContext *types.SystemContext
-	CommonBuildOpts *buildah.CommonBuildOptions
+	// NamespaceOptions controls how we set up namespaces processes that we
+	// might need when handling RUN instructions.
+	NamespaceOptions []buildah.NamespaceOption
+	// ConfigureNetwork controls whether or not network interfaces and
+	// routing are configured for a new network namespace (i.e., when not
+	// joining another's namespace and not just using the host's
+	// namespace), effectively deciding whether or not the process has a
+	// usable network.
+	ConfigureNetwork buildah.NetworkConfigurationPolicy
+	// CNIPluginPath is the location of CNI plugin helpers, if they should be
+	// run from a location other than the default location.
+	CNIPluginPath string
+	// CNIConfigDir is the location of CNI configuration files, if the files in
+	// the default configuration directory shouldn't be used.
+	CNIConfigDir string
+	// ID mapping options to use if we're setting up our own user namespace
+	// when handling RUN instructions.
+	IDMappingOptions *buildah.IDMappingOptions
+	CommonBuildOpts  *buildah.CommonBuildOptions
 	// DefaultMountsFilePath is the file path holding the mounts to be mounted in "host-path:container-path" format
 	DefaultMountsFilePath string
 	// IIDFile tells the builder to write the image ID to the specified file
@@ -154,6 +172,11 @@ type Executor struct {
 	volumeCache                    map[string]string
 	volumeCacheInfo                map[string]os.FileInfo
 	reportWriter                   io.Writer
+	namespaceOptions               []buildah.NamespaceOption
+	configureNetwork               buildah.NetworkConfigurationPolicy
+	cniPluginPath                  string
+	cniConfigDir                   string
+	idmappingOptions               *buildah.IDMappingOptions
 	commonBuildOptions             *buildah.CommonBuildOptions
 	defaultMountsFilePath          string
 	iidfile                        string
@@ -413,17 +436,21 @@ func (b *Executor) Run(run imagebuilder.Run, config docker.Config) error {
 		return errors.Errorf("no build container available")
 	}
 	options := buildah.RunOptions{
-		Hostname:        config.Hostname,
+		Hostname:   config.Hostname,
-		Runtime:         b.runtime,
+		Runtime:    b.runtime,
-		Args:            b.runtimeArgs,
+		Args:       b.runtimeArgs,
-		Mounts:          convertMounts(b.transientMounts),
+		Mounts:     convertMounts(b.transientMounts),
-		Env:             config.Env,
+		Env:        config.Env,
-		User:            config.User,
+		User:       config.User,
-		WorkingDir:      config.WorkingDir,
+		WorkingDir: config.WorkingDir,
-		Entrypoint:      config.Entrypoint,
+		Entrypoint: config.Entrypoint,
-		Cmd:             config.Cmd,
+		Cmd:        config.Cmd,
-		NetworkDisabled: config.NetworkDisabled,
+		Quiet:      b.quiet,
-		Quiet:           b.quiet,
+	}
+	if config.NetworkDisabled {
+		options.ConfigureNetwork = buildah.NetworkDisabled
+	} else {
+		options.ConfigureNetwork = buildah.NetworkEnabled
 	}
 
 	args := run.Args
@@ -489,6 +516,11 @@ func NewExecutor(store storage.Store, options BuildOptions) (*Executor, error) {
 		out:                   options.Out,
 		err:                   options.Err,
 		reportWriter:          options.ReportWriter,
+		namespaceOptions:      options.NamespaceOptions,
+		configureNetwork:      options.ConfigureNetwork,
+		cniPluginPath:         options.CNIPluginPath,
+		cniConfigDir:          options.CNIConfigDir,
+		idmappingOptions:      options.IDMappingOptions,
 		commonBuildOptions:    options.CommonBuildOpts,
 		defaultMountsFilePath: options.DefaultMountsFilePath,
 		iidfile:               options.IIDFile,
@@ -537,6 +569,11 @@ func (b *Executor) Prepare(ctx context.Context, ib *imagebuilder.Builder, node *
 		SignaturePolicyPath:   b.signaturePolicyPath,
 		ReportWriter:          b.reportWriter,
 		SystemContext:         b.systemContext,
+		NamespaceOptions:      b.namespaceOptions,
+		ConfigureNetwork:      b.configureNetwork,
+		CNIPluginPath:         b.cniPluginPath,
+		CNIConfigDir:          b.cniConfigDir,
+		IDMappingOptions:      b.idmappingOptions,
 		CommonBuildOpts:       b.commonBuildOptions,
 		DefaultMountsFilePath: b.defaultMountsFilePath,
 	}
@@ -668,7 +705,6 @@ func (b *Executor) Commit(ctx context.Context, ib *imagebuilder.Builder) (err er
 	for p := range config.ExposedPorts {
 		b.builder.SetPort(string(p))
 	}
-	b.builder.ClearEnv()
 	for _, envSpec := range config.Env {
 		spec := strings.SplitN(envSpec, "=", 2)
 		b.builder.SetEnv(spec[0], spec[1])

vendor/github.com/projectatomic/buildah/import.go

@@ -16,6 +16,7 @@ func importBuilderDataFromImage(ctx context.Context, store storage.Store, system
 	manifest := []byte{}
 	config := []byte{}
 	imageName := ""
+	uidmap, gidmap := convertStorageIDMaps(storage.DefaultStoreOptions.UIDMap, storage.DefaultStoreOptions.GIDMap)
 
 	if imageID != "" {
 		ref, err := is.Transport.ParseStoreReference(store, imageID)
@@ -39,6 +40,13 @@ func importBuilderDataFromImage(ctx context.Context, store storage.Store, system
 			if len(img.Names) > 0 {
 				imageName = img.Names[0]
 			}
+			if img.TopLayer != "" {
+				layer, err4 := store.Layer(img.TopLayer)
+				if err4 != nil {
+					return nil, errors.Wrapf(err4, "error reading information about image's top layer")
+				}
+				uidmap, gidmap = convertStorageIDMaps(layer.UIDMap, layer.GIDMap)
+			}
 		}
 	}
 
@@ -53,6 +61,13 @@ func importBuilderDataFromImage(ctx context.Context, store storage.Store, system
 		ContainerID:      containerID,
 		ImageAnnotations: map[string]string{},
 		ImageCreatedBy:   "",
+		NamespaceOptions: DefaultNamespaceOptions(),
+		IDMappingOptions: IDMappingOptions{
+			HostUIDMapping: len(uidmap) == 0,
+			HostGIDMapping: len(uidmap) == 0,
+			UIDMap:         uidmap,
+			GIDMap:         gidmap,
+		},
 	}
 
 	builder.initConfig()
@@ -87,6 +102,7 @@ func importBuilder(ctx context.Context, store storage.Store, options ImportOptio
 	if builder.FromImage != "" {
 		builder.Docker.ContainerConfig.Image = builder.FromImage
 	}
+	builder.IDMappingOptions.UIDMap, builder.IDMappingOptions.GIDMap = convertStorageIDMaps(c.UIDMap, c.GIDMap)
 
 	err = builder.Save()
 	if err != nil {

vendor/github.com/projectatomic/buildah/new.go

@@ -54,7 +54,7 @@ func reserveSELinuxLabels(store storage.Store, id string) error {
 					}
 					return err
 				}
-				// Prevent containers from using same MCS Label
+				// Prevent different containers from using same MCS label
 				if err := label.ReserveLabel(b.ProcessLabel); err != nil {
 					return err
 				}
@@ -133,6 +133,22 @@ func imageManifestAndConfig(ctx context.Context, ref types.ImageReference, syste
 	return nil, nil, nil
 }
 
+func newContainerIDMappingOptions(idmapOptions *IDMappingOptions) storage.IDMappingOptions {
+	var options storage.IDMappingOptions
+	if idmapOptions != nil {
+		options.HostUIDMapping = idmapOptions.HostUIDMapping
+		options.HostGIDMapping = idmapOptions.HostGIDMapping
+		uidmap, gidmap := convertRuntimeIDMaps(idmapOptions.UIDMap, idmapOptions.GIDMap)
+		if len(uidmap) > 0 && len(gidmap) > 0 {
+			options.UIDMap = uidmap
+			options.GIDMap = gidmap
+		} else {
+			options.HostUIDMapping = true
+			options.HostGIDMapping = true
+		}
+	}
+	return options
+}
 func newBuilder(ctx context.Context, store storage.Store, options BuilderOptions) (*Builder, error) {
 	var ref types.ImageReference
 	var img *storage.Image
@@ -258,6 +274,8 @@ func newBuilder(ctx context.Context, store storage.Store, options BuilderOptions
 	}
 
 	coptions := storage.ContainerOptions{}
+	coptions.IDMappingOptions = newContainerIDMappingOptions(options.IDMappingOptions)
+
 	container, err := store.CreateContainer("", []string{name}, imageID, "", "", &coptions)
 	if err != nil {
 		return nil, errors.Wrapf(err, "error creating container")
@@ -278,6 +296,9 @@ func newBuilder(ctx context.Context, store storage.Store, options BuilderOptions
 	if err != nil {
 		return nil, err
 	}
+	uidmap, gidmap := convertStorageIDMaps(container.UIDMap, container.GIDMap)
+	namespaceOptions := DefaultNamespaceOptions()
+	namespaceOptions.AddOrReplace(options.NamespaceOptions...)
 
 	builder := &Builder{
 		store:                 store,
@@ -293,7 +314,17 @@ func newBuilder(ctx context.Context, store storage.Store, options BuilderOptions
 		ProcessLabel:          processLabel,
 		MountLabel:            mountLabel,
 		DefaultMountsFilePath: options.DefaultMountsFilePath,
-		CommonBuildOpts:       options.CommonBuildOpts,
+		NamespaceOptions:      namespaceOptions,
+		ConfigureNetwork:      options.ConfigureNetwork,
+		CNIPluginPath:         options.CNIPluginPath,
+		CNIConfigDir:          options.CNIConfigDir,
+		IDMappingOptions: IDMappingOptions{
+			HostUIDMapping: len(uidmap) == 0,
+			HostGIDMapping: len(uidmap) == 0,
+			UIDMap:         uidmap,
+			GIDMap:         gidmap,
+		},
+		CommonBuildOpts: options.CommonBuildOpts,
 	}
 
 	if options.Mount {

vendor/github.com/projectatomic/buildah/pkg/cli/common.go

@@ -5,11 +5,65 @@ package cli
 // that vendor in this code can use them too.
 
 import (
-	"github.com/projectatomic/buildah/imagebuildah"
+	"github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/projectatomic/buildah"
+	"github.com/projectatomic/buildah/util"
 	"github.com/urfave/cli"
 )
 
 var (
+	usernsFlags = []cli.Flag{
+		cli.StringFlag{
+			Name:  "userns",
+			Usage: "'container', `path` of user namespace to join, or 'host'",
+		},
+		cli.StringSliceFlag{
+			Name:  "userns-uid-map",
+			Usage: "`containerID:hostID:length` UID mapping to use in user namespace",
+		},
+		cli.StringSliceFlag{
+			Name:  "userns-gid-map",
+			Usage: "`containerID:hostID:length` GID mapping to use in user namespace",
+		},
+		cli.StringFlag{
+			Name:  "userns-uid-map-user",
+			Usage: "`name` of entries from /etc/subuid to use to set user namespace UID mapping",
+		},
+		cli.StringFlag{
+			Name:  "userns-gid-map-group",
+			Usage: "`name` of entries from /etc/subgid to use to set user namespace GID mapping",
+		},
+	}
+
+	NamespaceFlags = []cli.Flag{
+		cli.StringFlag{
+			Name:  string(specs.IPCNamespace),
+			Usage: "'container', `path` of IPC namespace to join, or 'host'",
+		},
+		cli.StringFlag{
+			Name:  string(specs.NetworkNamespace) + ", net",
+			Usage: "'container', `path` of network namespace to join, or 'host'",
+		},
+		cli.StringFlag{
+			Name:  "cni-config-dir",
+			Usage: "`directory` of CNI configuration files",
+			Value: util.DefaultCNIConfigDir,
+		},
+		cli.StringFlag{
+			Name:  "cni-plugin-path",
+			Usage: "`path` of CNI network plugins",
+			Value: util.DefaultCNIPluginPath,
+		},
+		cli.StringFlag{
+			Name:  string(specs.PIDNamespace),
+			Usage: "'container', `path` of PID namespace to join, or 'host'",
+		},
+		cli.StringFlag{
+			Name:  string(specs.UTSNamespace),
+			Usage: "'container', `path` of UTS namespace to join, or 'host'",
+		},
+	}
+
 	BudFlags = []cli.Flag{
 		cli.StringSliceFlag{
 			Name:  "annotation",
@@ -55,7 +109,7 @@ var (
 		},
 		cli.StringFlag{
 			Name:  "iidfile",
-			Usage: "Write the image ID to the file",
+			Usage: "`file` to write the image ID to",
 		},
 		cli.StringSliceFlag{
 			Name:  "label",
@@ -84,7 +138,7 @@ var (
 		cli.StringFlag{
 			Name:  "runtime",
 			Usage: "`path` to an alternate runtime",
-			Value: imagebuildah.DefaultRuntime,
+			Value: buildah.DefaultRuntime,
 		},
 		cli.StringSliceFlag{
 			Name:  "runtime-flag",
@@ -100,7 +154,7 @@ var (
 		},
 		cli.StringSliceFlag{
 			Name:  "tag, t",
-			Usage: "`tag` to apply to the built image",
+			Usage: "tagged `name` to apply to the built image",
 		},
 		cli.BoolTFlag{
 			Name:  "tls-verify",
@@ -108,7 +162,7 @@ var (
 		},
 	}
 
-	FromAndBudFlags = []cli.Flag{
+	FromAndBudFlags = append(append([]cli.Flag{
 		cli.StringSliceFlag{
 			Name:  "add-host",
 			Usage: "add a custom host-to-IP mapping (host:ip) (default [])",
@@ -162,5 +216,5 @@ var (
 			Name:  "volume, v",
 			Usage: "bind mount a volume into the container (default [])",
 		},
-	}
+	}, usernsFlags...), NamespaceFlags...)
 )

vendor/github.com/projectatomic/buildah/util.go

@@ -1,15 +1,18 @@
 package buildah
 
 import (
-	"github.com/containers/storage/pkg/chrootarchive"
+	"bufio"
-	"github.com/containers/storage/pkg/reexec"
+	"io"
-)
+	"os"
+	"strconv"
+	"strings"
 
-var (
+	"github.com/containers/storage/pkg/archive"
-	// CopyWithTar defines the copy method to use.
+	"github.com/containers/storage/pkg/chrootarchive"
-	copyWithTar     = chrootarchive.NewArchiver(nil).CopyWithTar
+	"github.com/containers/storage/pkg/idtools"
-	copyFileWithTar = chrootarchive.NewArchiver(nil).CopyFileWithTar
+	"github.com/containers/storage/pkg/reexec"
-	untarPath       = chrootarchive.NewArchiver(nil).UntarPath
+	rspec "github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/pkg/errors"
 )
 
 // InitReexec is a wrapper for reexec.Init().  It should be called at
@@ -32,3 +35,168 @@ func copyStringSlice(s []string) []string {
 	copy(t, s)
 	return t
 }
+
+func stringInSlice(s string, slice []string) bool {
+	for _, v := range slice {
+		if v == s {
+			return true
+		}
+	}
+	return false
+}
+
+func convertStorageIDMaps(UIDMap, GIDMap []idtools.IDMap) ([]rspec.LinuxIDMapping, []rspec.LinuxIDMapping) {
+	uidmap := make([]rspec.LinuxIDMapping, 0, len(UIDMap))
+	gidmap := make([]rspec.LinuxIDMapping, 0, len(GIDMap))
+	for _, m := range UIDMap {
+		uidmap = append(uidmap, rspec.LinuxIDMapping{
+			HostID:      uint32(m.HostID),
+			ContainerID: uint32(m.ContainerID),
+			Size:        uint32(m.Size),
+		})
+	}
+	for _, m := range GIDMap {
+		gidmap = append(gidmap, rspec.LinuxIDMapping{
+			HostID:      uint32(m.HostID),
+			ContainerID: uint32(m.ContainerID),
+			Size:        uint32(m.Size),
+		})
+	}
+	return uidmap, gidmap
+}
+
+func convertRuntimeIDMaps(UIDMap, GIDMap []rspec.LinuxIDMapping) ([]idtools.IDMap, []idtools.IDMap) {
+	uidmap := make([]idtools.IDMap, 0, len(UIDMap))
+	gidmap := make([]idtools.IDMap, 0, len(GIDMap))
+	for _, m := range UIDMap {
+		uidmap = append(uidmap, idtools.IDMap{
+			HostID:      int(m.HostID),
+			ContainerID: int(m.ContainerID),
+			Size:        int(m.Size),
+		})
+	}
+	for _, m := range GIDMap {
+		gidmap = append(gidmap, idtools.IDMap{
+			HostID:      int(m.HostID),
+			ContainerID: int(m.ContainerID),
+			Size:        int(m.Size),
+		})
+	}
+	return uidmap, gidmap
+}
+
+// copyFileWithTar returns a function which copies a single file from outside
+// of any container into our working container, mapping permissions using the
+// container's ID maps, possibly overridden using the passed-in chownOpts
+func (b *Builder) copyFileWithTar(chownOpts *idtools.IDPair) func(src, dest string) error {
+	convertedUIDMap, convertedGIDMap := convertRuntimeIDMaps(b.IDMappingOptions.UIDMap, b.IDMappingOptions.GIDMap)
+	untarMappings := idtools.NewIDMappingsFromMaps(convertedUIDMap, convertedGIDMap)
+	archiver := chrootarchive.NewArchiverWithChown(nil, chownOpts, untarMappings)
+	return archiver.CopyFileWithTar
+}
+
+// copyWithTar returns a function which copies a directory tree from outside of
+// any container into our working container, mapping permissions using the
+// container's ID maps, possibly overridden using the passed-in chownOpts
+func (b *Builder) copyWithTar(chownOpts *idtools.IDPair) func(src, dest string) error {
+	convertedUIDMap, convertedGIDMap := convertRuntimeIDMaps(b.IDMappingOptions.UIDMap, b.IDMappingOptions.GIDMap)
+	untarMappings := idtools.NewIDMappingsFromMaps(convertedUIDMap, convertedGIDMap)
+	archiver := chrootarchive.NewArchiverWithChown(nil, chownOpts, untarMappings)
+	return archiver.CopyWithTar
+}
+
+// untarPath returns a function which extracts an archive in a specified
+// location into our working container, mapping permissions using the
+// container's ID maps, possibly overridden using the passed-in chownOpts
+func (b *Builder) untarPath(chownOpts *idtools.IDPair) func(src, dest string) error {
+	convertedUIDMap, convertedGIDMap := convertRuntimeIDMaps(b.IDMappingOptions.UIDMap, b.IDMappingOptions.GIDMap)
+	untarMappings := idtools.NewIDMappingsFromMaps(convertedUIDMap, convertedGIDMap)
+	archiver := chrootarchive.NewArchiverWithChown(nil, chownOpts, untarMappings)
+	return archiver.UntarPath
+}
+
+// tarPath returns a function which creates an archive of a specified
+// location in the container's filesystem, mapping permissions using the
+// container's ID maps
+func (b *Builder) tarPath() func(path string) (io.ReadCloser, error) {
+	convertedUIDMap, convertedGIDMap := convertRuntimeIDMaps(b.IDMappingOptions.UIDMap, b.IDMappingOptions.GIDMap)
+	tarMappings := idtools.NewIDMappingsFromMaps(convertedUIDMap, convertedGIDMap)
+	return func(path string) (io.ReadCloser, error) {
+		return archive.TarWithOptions(path, &archive.TarOptions{
+			Compression: archive.Uncompressed,
+			UIDMaps:     tarMappings.UIDs(),
+			GIDMaps:     tarMappings.GIDs(),
+		})
+	}
+}
+
+// getProcIDMappings reads mappings from the named node under /proc.
+func getProcIDMappings(path string) ([]rspec.LinuxIDMapping, error) {
+	var mappings []rspec.LinuxIDMapping
+	f, err := os.Open(path)
+	if err != nil {
+		return nil, errors.Wrapf(err, "error reading ID mappings from %q", path)
+	}
+	defer f.Close()
+	scanner := bufio.NewScanner(f)
+	for scanner.Scan() {
+		line := scanner.Text()
+		fields := strings.Fields(line)
+		if len(fields) != 3 {
+			return nil, errors.Errorf("line %q from %q has %d fields, not 3", line, path, len(fields))
+		}
+		cid, err := strconv.ParseUint(fields[0], 10, 32)
+		if err != nil {
+			return nil, errors.Wrapf(err, "error parsing container ID value %q from line %q in %q", fields[0], line, path)
+		}
+		hid, err := strconv.ParseUint(fields[1], 10, 32)
+		if err != nil {
+			return nil, errors.Wrapf(err, "error parsing host ID value %q from line %q in %q", fields[1], line, path)
+		}
+		size, err := strconv.ParseUint(fields[2], 10, 32)
+		if err != nil {
+			return nil, errors.Wrapf(err, "error parsing size value %q from line %q in %q", fields[2], line, path)
+		}
+		mappings = append(mappings, rspec.LinuxIDMapping{ContainerID: uint32(cid), HostID: uint32(hid), Size: uint32(size)})
+	}
+	return mappings, nil
+}
+
+// getHostIDs uses ID mappings to compute the host-level IDs that will
+// correspond to a UID/GID pair in the container.
+func getHostIDs(uidmap, gidmap []rspec.LinuxIDMapping, uid, gid uint32) (uint32, uint32, error) {
+	uidMapped := true
+	for _, m := range uidmap {
+		uidMapped = false
+		if uid >= m.ContainerID && uid < m.ContainerID+m.Size {
+			uid = (uid - m.ContainerID) + m.HostID
+			uidMapped = true
+			break
+		}
+	}
+	if !uidMapped {
+		return 0, 0, errors.Errorf("container uses ID mappings, but doesn't map UID %d", uid)
+	}
+	gidMapped := true
+	for _, m := range gidmap {
+		gidMapped = false
+		if gid >= m.ContainerID && gid < m.ContainerID+m.Size {
+			gid = (gid - m.ContainerID) + m.HostID
+			gidMapped = true
+			break
+		}
+	}
+	if !gidMapped {
+		return 0, 0, errors.Errorf("container uses ID mappings, but doesn't map GID %d", gid)
+	}
+	return uid, gid, nil
+}
+
+// getHostRootIDs uses ID mappings in spec to compute the host-level IDs that will
+// correspond to UID/GID 0/0 in the container.
+func getHostRootIDs(spec *rspec.Spec) (uint32, uint32, error) {
+	if spec.Linux == nil {
+		return 0, 0, nil
+	}
+	return getHostIDs(spec.Linux.UIDMappings, spec.Linux.GIDMappings, 0, 0)
+}

vendor/github.com/projectatomic/buildah/util/types.go

@@ -0,0 +1,10 @@
+package util
+
+const (
+	// DefaultRuntime is the default command to use to run the container.
+	DefaultRuntime = "runc"
+	// DefaultCNIPluginPath is the default location of CNI plugin helpers.
+	DefaultCNIPluginPath = "/usr/libexec/cni:/opt/cni/bin"
+	// DefaultCNIConfigDir is the default location of CNI configuration files.
+	DefaultCNIConfigDir = "/etc/cni/net.d"
+)