Vendor in latest containers/image and contaners/storage

Made necessary changes to functions to include contex.Context wherever needed Signed-off-by: umohnani8 <umohnani@redhat.com> Closes: #640 Approved by: baude
2025-06-26 21:07:02 +08:00 · 2018-04-18 16:48:35 -04:00
parent 6a9dbf3305
commit 27107fdac1
96 changed files with 755 additions and 1299 deletions
--- a/cmd/podman/commit.go
+++ b/cmd/podman/commit.go
@ -100,7 +100,7 @@ func commitCmd(c *cli.Context) error {
 		Changes:       c.StringSlice("change"),
 		Author:        c.String("author"),
 	}
-	newImage, err := ctr.Commit(reference, options)
+	newImage, err := ctr.Commit(getContext(), reference, options)
 	if err != nil {
 		return err
 	}
--- a/cmd/podman/common.go
+++ b/cmd/podman/common.go
@ -1,6 +1,7 @@
 package main
 import (
 	"context"
 	"reflect"
 	"regexp"
 	"strings"
@ -67,6 +68,11 @@ func validateFlags(c *cli.Context, flags []cli.Flag) error {
 	return nil
 }
 // getContext returns a non-nil, empty context
 func getContext() context.Context {
 	return context.TODO()
 }
 // Common flags shared between commands
 var createFlags = []cli.Flag{
 	cli.StringSliceFlag{
--- a/cmd/podman/create.go
+++ b/cmd/podman/create.go
@ -180,12 +180,13 @@ func createCmd(c *cli.Context) error {
 	defer runtime.Shutdown(false)
 	rtc := runtime.GetConfig()
 	ctx := getContext()
-	newImage, err := runtime.ImageRuntime().New(c.Args()[0], rtc.SignaturePolicyPath, "", os.Stderr, nil, image.SigningOptions{}, false, false)
+	newImage, err := runtime.ImageRuntime().New(ctx, c.Args()[0], rtc.SignaturePolicyPath, "", os.Stderr, nil, image.SigningOptions{}, false, false)
 	if err != nil {
 		return err
 	}
-	data, err := newImage.Inspect()
+	data, err := newImage.Inspect(ctx)
 	createConfig, err := parseCreateOpts(c, runtime, newImage.Names()[0], data)
 	if err != nil {
 		return err
@ -209,7 +210,7 @@ func createCmd(c *cli.Context) error {
 	options = append(options, libpod.WithShmDir(createConfig.ShmDir))
 	options = append(options, libpod.WithShmSize(createConfig.Resources.ShmSize))
 	options = append(options, libpod.WithGroups(createConfig.GroupAdd))
-	ctr, err := runtime.NewContainer(runtimeSpec, options...)
+	ctr, err := runtime.NewContainer(ctx, runtimeSpec, options...)
 	if err != nil {
 		return err
 	}
--- a/cmd/podman/history.go
+++ b/cmd/podman/history.go
@ -110,7 +110,7 @@ func historyCmd(c *cli.Context) error {
 		format:  format,
 	}
-	history, layers, err := image.History()
+	history, layers, err := image.History(getContext())
 	if err != nil {
 		return errors.Wrapf(err, "error getting history of image %q", image.InputName)
 	}
--- a/cmd/podman/images.go
+++ b/cmd/podman/images.go
@ -1,6 +1,7 @@
 package main
 import (
 	"context"
 	"reflect"
 	"strings"
 	"time"
@ -105,8 +106,10 @@ func imagesCmd(c *cli.Context) error {
 		return errors.New("'podman images' requires at most 1 argument")
 	}
 	ctx := getContext()
 	if len(c.StringSlice("filter")) > 0 || newImage != nil {
-		filterFuncs, err = CreateFilterFuncs(runtime, c, newImage)
+		filterFuncs, err = CreateFilterFuncs(ctx, runtime, c, newImage)
 		if err != nil {
 			return err
 		}
@ -141,7 +144,7 @@ func imagesCmd(c *cli.Context) error {
 		filteredImages = images
 	}
-	return generateImagesOutput(runtime, filteredImages, opts)
+	return generateImagesOutput(ctx, runtime, filteredImages, opts)
 }
 func (i imagesOptions) setOutputFormat() string {
@ -179,7 +182,7 @@ func imagesToGeneric(templParams []imagesTemplateParams, JSONParams []imagesJSON
 }
 // getImagesTemplateOutput returns the images information to be printed in human readable format
-func getImagesTemplateOutput(runtime *libpod.Runtime, images []*image.Image, opts imagesOptions) (imagesOutput []imagesTemplateParams) {
+func getImagesTemplateOutput(ctx context.Context, runtime *libpod.Runtime, images []*image.Image, opts imagesOptions) (imagesOutput []imagesTemplateParams) {
 	for _, img := range images {
 		createdTime := img.Created()
@ -190,7 +193,7 @@ func getImagesTemplateOutput(runtime *libpod.Runtime, images []*image.Image, opt
 		// get all specified repo:tag pairs and print them separately
 		for repo, tags := range image.ReposToMap(img.Names()) {
 			for _, tag := range tags {
-				size, err := img.Size()
+				size, err := img.Size(ctx)
 				if err != nil {
 					size = nil
 				}
@ -210,9 +213,9 @@ func getImagesTemplateOutput(runtime *libpod.Runtime, images []*image.Image, opt
 }
 // getImagesJSONOutput returns the images information in its raw form
-func getImagesJSONOutput(runtime *libpod.Runtime, images []*image.Image) (imagesOutput []imagesJSONParams) {
+func getImagesJSONOutput(ctx context.Context, runtime *libpod.Runtime, images []*image.Image) (imagesOutput []imagesJSONParams) {
 	for _, img := range images {
-		size, err := img.Size()
+		size, err := img.Size(ctx)
 		if err != nil {
 			size = nil
 		}
@ -230,7 +233,7 @@ func getImagesJSONOutput(runtime *libpod.Runtime, images []*image.Image) (images
 // generateImagesOutput generates the images based on the format provided
-func generateImagesOutput(runtime *libpod.Runtime, images []*image.Image, opts imagesOptions) error {
+func generateImagesOutput(ctx context.Context, runtime *libpod.Runtime, images []*image.Image, opts imagesOptions) error {
 	if len(images) == 0 {
 		return nil
 	}
@ -238,10 +241,10 @@ func generateImagesOutput(runtime *libpod.Runtime, images []*image.Image, opts i
 	switch opts.format {
 	case formats.JSONString:
-		imagesOutput := getImagesJSONOutput(runtime, images)
+		imagesOutput := getImagesJSONOutput(ctx, runtime, images)
 		out = formats.JSONStructArray{Output: imagesToGeneric([]imagesTemplateParams{}, imagesOutput)}
 	default:
-		imagesOutput := getImagesTemplateOutput(runtime, images, opts)
+		imagesOutput := getImagesTemplateOutput(ctx, runtime, images, opts)
 		out = formats.StdoutTemplateArray{Output: imagesToGeneric(imagesOutput, []imagesJSONParams{}), Template: opts.outputformat, Fields: imagesOutput[0].HeaderMap()}
 	}
 	return formats.Writer(out).Out()
@ -266,7 +269,7 @@ func (i *imagesTemplateParams) HeaderMap() map[string]string {
 // CreateFilterFuncs returns an array of filter functions based on the user inputs
 // and is later used to filter images for output
-func CreateFilterFuncs(r *libpod.Runtime, c *cli.Context, img *image.Image) ([]image.ResultFilter, error) {
+func CreateFilterFuncs(ctx context.Context, r *libpod.Runtime, c *cli.Context, img *image.Image) ([]image.ResultFilter, error) {
 	var filterFuncs []image.ResultFilter
 	for _, filter := range c.StringSlice("filter") {
 		splitFilter := strings.Split(filter, "=")
@ -287,7 +290,7 @@ func CreateFilterFuncs(r *libpod.Runtime, c *cli.Context, img *image.Image) ([]i
 			filterFuncs = append(filterFuncs, image.DanglingFilter())
 		case "label":
 			labelFilter := strings.Join(splitFilter[1:], "=")
-			filterFuncs = append(filterFuncs, image.LabelFilter(labelFilter))
+			filterFuncs = append(filterFuncs, image.LabelFilter(ctx, labelFilter))
 		default:
 			return nil, errors.Errorf("invalid filter %s ", splitFilter[0])
 		}
--- a/cmd/podman/import.go
+++ b/cmd/podman/import.go
@ -107,7 +107,7 @@ func importCmd(c *cli.Context) error {
 		source = file
 	}
-	newImage, err := runtime.ImageRuntime().Import(source, reference, writer, image.SigningOptions{}, config)
+	newImage, err := runtime.ImageRuntime().Import(getContext(), source, reference, writer, image.SigningOptions{}, config)
 	if err == nil {
 		fmt.Println(newImage.ID())
 	}
--- a/cmd/podman/inspect.go
+++ b/cmd/podman/inspect.go
@ -1,6 +1,7 @@
 package main
 import (
 	"context"
 	"encoding/json"
 	"strings"
@ -86,7 +87,7 @@ func inspectCmd(c *cli.Context) error {
 		inspectType = inspectTypeContainer
 	}
-	inspectedObjects, iterateErr := iterateInput(c, args, runtime, inspectType)
+	inspectedObjects, iterateErr := iterateInput(getContext(), c, args, runtime, inspectType)
 	var out formats.Writer
 	if outputFormat != "" && outputFormat != formats.JSONString {
@ -102,7 +103,7 @@ func inspectCmd(c *cli.Context) error {
 }
 // func iterateInput iterates the images|containers the user has requested and returns the inspect data and error
-func iterateInput(c *cli.Context, args []string, runtime *libpod.Runtime, inspectType string) ([]interface{}, error) {
+func iterateInput(ctx context.Context, c *cli.Context, args []string, runtime *libpod.Runtime, inspectType string) ([]interface{}, error) {
 	var (
 		data           interface{}
 		inspectedItems []interface{}
@ -133,7 +134,7 @@ func iterateInput(c *cli.Context, args []string, runtime *libpod.Runtime, inspec
 				inspectError = errors.Wrapf(err, "error getting image %q", input)
 				break
 			}
-			data, err = image.Inspect()
+			data, err = image.Inspect(ctx)
 			if err != nil {
 				inspectError = errors.Wrapf(err, "error parsing image data %q", image.ID())
 				break
@ -146,7 +147,7 @@ func iterateInput(c *cli.Context, args []string, runtime *libpod.Runtime, inspec
 					inspectError = errors.Wrapf(err, "error getting image %q", input)
 					break
 				}
-				data, err = image.Inspect()
+				data, err = image.Inspect(ctx)
 				if err != nil {
 					inspectError = errors.Wrapf(err, "error parsing image data %q", image.ID())
 					break
--- a/cmd/podman/load.go
+++ b/cmd/podman/load.go
@ -98,18 +98,20 @@ func loadCmd(c *cli.Context) error {
 		writer = os.Stderr
 	}
 	ctx := getContext()
 	src := libpod.DockerArchive + ":" + input
-	newImage, err := runtime.ImageRuntime().New(src, c.String("signature-policy"), "", writer, &libpodImage.DockerRegistryOptions{}, libpodImage.SigningOptions{}, false, false)
+	newImage, err := runtime.ImageRuntime().New(ctx, src, c.String("signature-policy"), "", writer, &libpodImage.DockerRegistryOptions{}, libpodImage.SigningOptions{}, false, false)
 	if err != nil {
 		// generate full src name with specified image:tag
 		fullSrc := libpod.OCIArchive + ":" + input
 		if image != "" {
 			fullSrc = fullSrc + ":" + image
 		}
-		newImage, err = runtime.ImageRuntime().New(fullSrc, c.String("signature-policy"), "", writer, &libpodImage.DockerRegistryOptions{}, libpodImage.SigningOptions{}, false, false)
+		newImage, err = runtime.ImageRuntime().New(ctx, fullSrc, c.String("signature-policy"), "", writer, &libpodImage.DockerRegistryOptions{}, libpodImage.SigningOptions{}, false, false)
 		if err != nil {
 			src = libpod.DirTransport + ":" + input
-			newImage, err = runtime.ImageRuntime().New(src, c.String("signature-policy"), "", writer, &libpodImage.DockerRegistryOptions{}, libpodImage.SigningOptions{}, false, false)
+			newImage, err = runtime.ImageRuntime().New(ctx, src, c.String("signature-policy"), "", writer, &libpodImage.DockerRegistryOptions{}, libpodImage.SigningOptions{}, false, false)
 			if err != nil {
 				return errors.Wrapf(err, "error pulling %q", src)
 			}
--- a/cmd/podman/pull.go
+++ b/cmd/podman/pull.go
@ -103,7 +103,7 @@ func pullCmd(c *cli.Context) error {
 		forceSecure = c.Bool("tls-verify")
 	}
-	newImage, err := runtime.ImageRuntime().New(image, c.String("signature-policy"), c.String("authfile"), writer, &dockerRegistryOptions, image2.SigningOptions{}, true, forceSecure)
+	newImage, err := runtime.ImageRuntime().New(getContext(), image, c.String("signature-policy"), c.String("authfile"), writer, &dockerRegistryOptions, image2.SigningOptions{}, true, forceSecure)
 	if err != nil {
 		return errors.Wrapf(err, "error pulling image %q", image)
 	}
--- a/cmd/podman/push.go
+++ b/cmd/podman/push.go
@ -151,5 +151,5 @@ func pushCmd(c *cli.Context) error {
 	}
 	//return runtime.PushImage(srcName, destName, options)
-	return newImage.PushImage(destName, manifestType, c.String("authfile"), c.String("signature-policy"), writer, c.Bool("compress"), so, &dockerRegistryOptions)
+	return newImage.PushImage(getContext(), destName, manifestType, c.String("authfile"), c.String("signature-policy"), writer, c.Bool("compress"), so, &dockerRegistryOptions)
 }
--- a/cmd/podman/restart.go
+++ b/cmd/podman/restart.go
@ -105,7 +105,7 @@ func restartCtr(timeout uint, ctr *libpod.Container) error {
 		}
 	}
-	if err := ctr.Start(); err != nil {
+	if err := ctr.Start(getContext()); err != nil {
 		return err
 	}
--- a/cmd/podman/run.go
+++ b/cmd/podman/run.go
@ -58,13 +58,15 @@ func runCmd(c *cli.Context) error {
 		return errors.Errorf("image name or ID is required")
 	}
 	ctx := getContext()
 	rtc := runtime.GetConfig()
-	newImage, err := runtime.ImageRuntime().New(c.Args()[0], rtc.SignaturePolicyPath, "", os.Stderr, nil, image.SigningOptions{}, false, false)
+	newImage, err := runtime.ImageRuntime().New(ctx, c.Args()[0], rtc.SignaturePolicyPath, "", os.Stderr, nil, image.SigningOptions{}, false, false)
 	if err != nil {
 		return errors.Wrapf(err, "unable to find image")
 	}
-	data, err := newImage.Inspect()
+	data, err := newImage.Inspect(ctx)
 	if err != nil {
 		return err
 	}
@ -105,7 +107,7 @@ func runCmd(c *cli.Context) error {
 		options = append(options, libpod.WithCgroupParent(createConfig.CgroupParent))
 	}
-	ctr, err := runtime.NewContainer(runtimeSpec, options...)
+	ctr, err := runtime.NewContainer(ctx, runtimeSpec, options...)
 	if err != nil {
 		return err
 	}
@ -133,7 +135,7 @@ func runCmd(c *cli.Context) error {
 	// Handle detached start
 	if createConfig.Detach {
-		if err := ctr.Start(); err != nil {
+		if err := ctr.Start(ctx); err != nil {
 			// This means the command did not exist
 			exitCode = 127
 			if strings.Index(err.Error(), "permission denied") > -1 {
--- a/cmd/podman/save.go
+++ b/cmd/podman/save.go
@ -117,7 +117,7 @@ func saveCmd(c *cli.Context) error {
 		if err != nil {
 			return err
 		}
-		if err := newImage.PushImage(dest, manifestType, "", "", writer, c.Bool("compress"), libpodImage.SigningOptions{}, &libpodImage.DockerRegistryOptions{}); err != nil {
+		if err := newImage.PushImage(getContext(), dest, manifestType, "", "", writer, c.Bool("compress"), libpodImage.SigningOptions{}, &libpodImage.DockerRegistryOptions{}); err != nil {
 			if err2 := os.Remove(output); err2 != nil {
 				logrus.Errorf("error deleting %q: %v", output, err)
 			}
--- a/cmd/podman/start.go
+++ b/cmd/podman/start.go
@ -121,7 +121,7 @@ func startCmd(c *cli.Context) error {
 			continue
 		}
 		// Handle non-attach start
-		if err := ctr.Start(); err != nil {
+		if err := ctr.Start(getContext()); err != nil {
 			if lastError != nil {
 				fmt.Fprintln(os.Stderr, lastError)
 			}
--- a/cmd/podman/utils.go
+++ b/cmd/podman/utils.go
@ -161,7 +161,7 @@ func startAttachCtr(ctr *libpod.Container, stdout, stderr, stdin *os.File, detac
 		streams.AttachInput = false
 	}
-	attachChan, err := ctr.StartAndAttach(streams, detachKeys, resize)
+	attachChan, err := ctr.StartAndAttach(getContext(), streams, detachKeys, resize)
 	if err != nil {
 		return err
 	}
--- a/libpod/buildah/buildah.go
+++ b/libpod/buildah/buildah.go
@ -1,6 +1,7 @@
 package buildah
 import (
 	"context"
 	"encoding/json"
 	"path/filepath"
@ -128,11 +129,11 @@ type ImportOptions struct {
 // ImportBuilder creates a new build configuration using an already-present
 // container.
-func ImportBuilder(store storage.Store, options ImportOptions) (*Builder, error) {
+func ImportBuilder(ctx context.Context, store storage.Store, options ImportOptions) (*Builder, error) {
-	return importBuilder(store, options)
+	return importBuilder(ctx, store, options)
 }
-func importBuilder(store storage.Store, options ImportOptions) (*Builder, error) {
+func importBuilder(ctx context.Context, store storage.Store, options ImportOptions) (*Builder, error) {
 	if options.Container == "" {
 		return nil, errors.Errorf("container name must be specified")
 	}
@ -144,7 +145,7 @@ func importBuilder(store storage.Store, options ImportOptions) (*Builder, error)
 	systemContext := getSystemContext(&types.SystemContext{}, options.SignaturePolicyPath)
-	builder, err := importBuilderDataFromImage(store, systemContext, c.ImageID, options.Container, c.ID)
+	builder, err := importBuilderDataFromImage(ctx, store, systemContext, c.ImageID, options.Container, c.ID)
 	if err != nil {
 		return nil, err
 	}
@ -168,7 +169,7 @@ func importBuilder(store storage.Store, options ImportOptions) (*Builder, error)
 	return builder, nil
 }
-func importBuilderDataFromImage(store storage.Store, systemContext *types.SystemContext, imageID, containerName, containerID string) (*Builder, error) {
+func importBuilderDataFromImage(ctx context.Context, store storage.Store, systemContext *types.SystemContext, imageID, containerName, containerID string) (*Builder, error) {
 	manifest := []byte{}
 	config := []byte{}
 	imageName := ""
@ -178,16 +179,16 @@ func importBuilderDataFromImage(store storage.Store, systemContext *types.System
 		if err != nil {
 			return nil, errors.Wrapf(err, "no such image %q", imageID)
 		}
-		src, err2 := ref.NewImage(systemContext)
+		src, err2 := ref.NewImage(ctx, systemContext)
 		if err2 != nil {
 			return nil, errors.Wrapf(err2, "error instantiating image")
 		}
 		defer src.Close()
-		config, err = src.ConfigBlob()
+		config, err = src.ConfigBlob(ctx)
 		if err != nil {
 			return nil, errors.Wrapf(err, "error reading image configuration")
 		}
-		manifest, _, err = src.Manifest()
+		manifest, _, err = src.Manifest(ctx)
 		if err != nil {
 			return nil, errors.Wrapf(err, "error reading image manifest")
 		}
--- a/libpod/buildah/commit.go
+++ b/libpod/buildah/commit.go
@ -1,6 +1,7 @@
 package buildah
 import (
 	"context"
 	"fmt"
 	"io"
 	"time"
@ -74,7 +75,7 @@ type PushOptions struct {
 // Commit writes the contents of the container, along with its updated
 // configuration, to a new image in the specified location, and if we know how,
 // add any additional tags that were specified.
-func (b *Builder) Commit(dest types.ImageReference, options CommitOptions) error {
+func (b *Builder) Commit(ctx context.Context, dest types.ImageReference, options CommitOptions) error {
 	policy, err := signature.DefaultPolicy(getSystemContext(options.SystemContext, options.SignaturePolicyPath))
 	if err != nil {
 		return errors.Wrapf(err, "error obtaining default signature policy")
@ -96,7 +97,7 @@ func (b *Builder) Commit(dest types.ImageReference, options CommitOptions) error
 		return errors.Wrapf(err, "error computing layer digests and building metadata")
 	}
 	// "Copy" our image to where it needs to be.
-	err = cp.Image(policyContext, dest, src, getCopyOptions(options.ReportWriter, nil, options.SystemContext, ""))
+	err = cp.Image(ctx, policyContext, dest, src, getCopyOptions(options.ReportWriter, nil, options.SystemContext, ""))
 	if err != nil {
 		return errors.Wrapf(err, "error copying layers and metadata")
 	}
@ -120,7 +121,7 @@ func (b *Builder) Commit(dest types.ImageReference, options CommitOptions) error
 }
 // Push copies the contents of the image to a new location.
-func Push(image string, dest types.ImageReference, options PushOptions) error {
+func Push(ctx context.Context, image string, dest types.ImageReference, options PushOptions) error {
 	systemContext := getSystemContext(options.SystemContext, options.SignaturePolicyPath)
 	policy, err := signature.DefaultPolicy(systemContext)
 	if err != nil {
@ -136,7 +137,7 @@ func Push(image string, dest types.ImageReference, options PushOptions) error {
 		return errors.Wrapf(err, "error parsing reference to image %q", image)
 	}
 	// Copy everything.
-	err = cp.Image(policyContext, dest, src, getCopyOptions(options.ReportWriter, nil, options.SystemContext, options.ManifestType))
+	err = cp.Image(ctx, policyContext, dest, src, getCopyOptions(options.ReportWriter, nil, options.SystemContext, options.ManifestType))
 	if err != nil {
 		return errors.Wrapf(err, "error copying layers and metadata")
 	}
--- a/libpod/buildah/image.go
+++ b/libpod/buildah/image.go
@ -65,12 +65,12 @@ type containerImageSource struct {
 	exporting    bool
 }
-func (i *containerImageRef) NewImage(sc *types.SystemContext) (types.ImageCloser, error) {
+func (i *containerImageRef) NewImage(ctx context.Context, sc *types.SystemContext) (types.ImageCloser, error) {
-	src, err := i.NewImageSource(sc)
+	src, err := i.NewImageSource(ctx, sc)
 	if err != nil {
 		return nil, err
 	}
-	return image.FromSource(sc, src)
+	return image.FromSource(ctx, sc, src)
 }
 func expectedOCIDiffIDs(image v1.Image) int {
@ -93,7 +93,7 @@ func expectedDockerDiffIDs(image docker.V2Image) int {
 	return expected
 }
-func (i *containerImageRef) NewImageSource(sc *types.SystemContext) (src types.ImageSource, err error) {
+func (i *containerImageRef) NewImageSource(ctx context.Context, sc *types.SystemContext) (src types.ImageSource, err error) {
 	// Decide which type of manifest and configuration output we're going to provide.
 	manifestType := i.preferredManifestType
 	// If it's not a format we support, return an error.
@ -392,7 +392,7 @@ func (i *containerImageRef) NewImageSource(sc *types.SystemContext) (src types.I
 	return src, nil
 }
-func (i *containerImageRef) NewImageDestination(sc *types.SystemContext) (types.ImageDestination, error) {
+func (i *containerImageRef) NewImageDestination(ctx context.Context, sc *types.SystemContext) (types.ImageDestination, error) {
 	return nil, errors.Errorf("can't write to a container")
 }
@ -407,7 +407,7 @@ func (i *containerImageRef) StringWithinTransport() string {
 	return ""
 }
-func (i *containerImageRef) DeleteImage(*types.SystemContext) error {
+func (i *containerImageRef) DeleteImage(context.Context, *types.SystemContext) error {
 	// we were never here
 	return nil
 }
@ -443,18 +443,18 @@ func (i *containerImageSource) GetSignatures(ctx context.Context, instanceDigest
 	return nil, nil
 }
-func (i *containerImageSource) GetManifest(instanceDigest *digest.Digest) ([]byte, string, error) {
+func (i *containerImageSource) GetManifest(ctx context.Context, instanceDigest *digest.Digest) ([]byte, string, error) {
 	if instanceDigest != nil && *instanceDigest != digest.FromBytes(i.manifest) {
 		return nil, "", errors.Errorf("TODO")
 	}
 	return i.manifest, i.manifestType, nil
 }
-func (i *containerImageSource) LayerInfosForCopy() ([]types.BlobInfo, error) {
+func (i *containerImageSource) LayerInfosForCopy(context.Context) ([]types.BlobInfo, error) {
 	return nil, nil
 }
-func (i *containerImageSource) GetBlob(blob types.BlobInfo) (reader io.ReadCloser, size int64, err error) {
+func (i *containerImageSource) GetBlob(ctx context.Context, blob types.BlobInfo) (reader io.ReadCloser, size int64, err error) {
 	if blob.Digest == i.configDigest {
 		logrus.Debugf("start reading config")
 		reader := bytes.NewReader(i.config)
--- a/libpod/container_api.go
+++ b/libpod/container_api.go
@ -1,6 +1,7 @@
 package libpod
 import (
 	"context"
 	"io/ioutil"
 	"os"
 	"strconv"
@ -18,7 +19,7 @@ import (
 )
 // Init creates a container in the OCI runtime
-func (c *Container) Init() (err error) {
+func (c *Container) Init(ctx context.Context) (err error) {
 	if !c.batched {
 		c.lock.Lock()
 		defer c.lock.Unlock()
@ -52,7 +53,7 @@ func (c *Container) Init() (err error) {
 		}
 	}()
-	return c.init()
+	return c.init(ctx)
 }
 // Start starts a container
@ -61,7 +62,7 @@ func (c *Container) Init() (err error) {
 // started
 // Stopped containers will be deleted and re-created in runc, undergoing a fresh
 // Init()
-func (c *Container) Start() (err error) {
+func (c *Container) Start(ctx context.Context) (err error) {
 	if !c.batched {
 		c.lock.Lock()
 		defer c.lock.Unlock()
@ -100,12 +101,12 @@ func (c *Container) Start() (err error) {
 	if c.state.State == ContainerStateStopped {
 		// Reinitialize the container if we need to
-		if err := c.reinit(); err != nil {
+		if err := c.reinit(ctx); err != nil {
 			return err
 		}
 	} else if c.state.State == ContainerStateConfigured {
 		// Or initialize it for the first time if necessary
-		if err := c.init(); err != nil {
+		if err := c.init(ctx); err != nil {
 			return err
 		}
 	}
@ -124,7 +125,7 @@ func (c *Container) Start() (err error) {
 // attach call.
 // The channel will be closed automatically after the result of attach has been
 // sent
-func (c *Container) StartAndAttach(streams *AttachStreams, keys string, resize <-chan remotecommand.TerminalSize) (attachResChan <-chan error, err error) {
+func (c *Container) StartAndAttach(ctx context.Context, streams *AttachStreams, keys string, resize <-chan remotecommand.TerminalSize) (attachResChan <-chan error, err error) {
 	if !c.batched {
 		c.lock.Lock()
 		defer c.lock.Unlock()
@ -163,12 +164,12 @@ func (c *Container) StartAndAttach(streams *AttachStreams, keys string, resize <
 	if c.state.State == ContainerStateStopped {
 		// Reinitialize the container if we need to
-		if err := c.reinit(); err != nil {
+		if err := c.reinit(ctx); err != nil {
 			return nil, err
 		}
 	} else if c.state.State == ContainerStateConfigured {
 		// Or initialize it for the first time if necessary
-		if err := c.init(); err != nil {
+		if err := c.init(ctx); err != nil {
 			return nil, err
 		}
 	}
--- a/libpod/container_commit.go
+++ b/libpod/container_commit.go
@ -1,6 +1,7 @@
 package libpod
 import (
 	"context"
 	"strings"
 	is "github.com/containers/image/storage"
@ -24,7 +25,7 @@ type ContainerCommitOptions struct {
 // Commit commits the changes between a container and its image, creating a new
 // image
-func (c *Container) Commit(destImage string, options ContainerCommitOptions) (*image.Image, error) {
+func (c *Container) Commit(ctx context.Context, destImage string, options ContainerCommitOptions) (*image.Image, error) {
 	if !c.batched {
 		c.lock.Lock()
 		defer c.lock.Unlock()
@ -55,7 +56,7 @@ func (c *Container) Commit(destImage string, options ContainerCommitOptions) (*i
 		ReportWriter:        options.ReportWriter,
 		SystemContext:       sc,
 	}
-	importBuilder, err := buildah.ImportBuilder(c.runtime.store, builderOptions)
+	importBuilder, err := buildah.ImportBuilder(ctx, c.runtime.store, builderOptions)
 	if err != nil {
 		return nil, err
 	}
@ -96,7 +97,7 @@ func (c *Container) Commit(destImage string, options ContainerCommitOptions) (*i
 		return nil, err
 	}
-	if err = importBuilder.Commit(imageRef, commitOptions); err != nil {
+	if err = importBuilder.Commit(ctx, imageRef, commitOptions); err != nil {
 		return nil, err
 	}
 	return c.runtime.imageRuntime.NewFromLocal(imageRef.DockerReference().String())
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@ -1,6 +1,7 @@
 package libpod
 import (
 	"context"
 	"encoding/json"
 	"fmt"
 	"io"
@ -176,7 +177,7 @@ func newContainer(rspec *spec.Spec, lockDir string) (*Container, error) {
 }
 // Create container root filesystem for use
-func (c *Container) setupStorage() error {
+func (c *Container) setupStorage(ctx context.Context) error {
 	if !c.valid {
 		return errors.Wrapf(ErrCtrRemoved, "container %s is not valid", c.ID())
 	}
@ -190,7 +191,7 @@ func (c *Container) setupStorage() error {
 		return errors.Wrapf(ErrInvalidArg, "must provide image ID and image name to use an image")
 	}
-	containerInfo, err := c.runtime.storageService.CreateContainerStorage(c.runtime.imageContext, c.config.RootfsImageName, c.config.RootfsImageID, c.config.Name, c.config.ID, c.config.MountLabel)
+	containerInfo, err := c.runtime.storageService.CreateContainerStorage(ctx, c.runtime.imageContext, c.config.RootfsImageName, c.config.RootfsImageID, c.config.Name, c.config.ID, c.config.MountLabel)
 	if err != nil {
 		return errors.Wrapf(err, "error creating container storage")
 	}
@ -412,13 +413,13 @@ func (c *Container) checkDependenciesRunningLocked(depCtrs map[string]*Container
 }
 // Initialize a container, creating it in the runtime
-func (c *Container) init() error {
+func (c *Container) init(ctx context.Context) error {
 	if err := c.makeBindMounts(); err != nil {
 		return err
 	}
 	// Generate the OCI spec
-	spec, err := c.generateSpec()
+	spec, err := c.generateSpec(ctx)
 	if err != nil {
 		return err
 	}
@ -443,7 +444,7 @@ func (c *Container) init() error {
 // Reinitialize a container
 // Deletes and recreates a container in the runtime
 // Should only be done on ContainerStateStopped containers
-func (c *Container) reinit() error {
+func (c *Container) reinit(ctx context.Context) error {
 	logrus.Debugf("Recreating container %s in OCI runtime", c.ID())
 	// If necessary, delete attach and ctl files
@ -468,13 +469,13 @@ func (c *Container) reinit() error {
 	logrus.Debugf("Successfully cleaned up container %s", c.ID())
 	// Initialize the container again
-	return c.init()
+	return c.init(ctx)
 }
 // Initialize (if necessary) and start a container
 // Performs all necessary steps to start a container that is not running
 // Does not lock or check validity
-func (c *Container) initAndStart() (err error) {
+func (c *Container) initAndStart(ctx context.Context) (err error) {
 	// If we are ContainerStateUnknown, throw an error
 	if c.state.State == ContainerStateUnknown {
 		return errors.Wrapf(ErrCtrStateInvalid, "container %s is in an unknown state", c.ID())
@ -527,7 +528,7 @@ func (c *Container) initAndStart() (err error) {
 	// If we are ContainerStateConfigured we need to init()
 	if c.state.State == ContainerStateConfigured {
-		if err := c.init(); err != nil {
+		if err := c.init(ctx); err != nil {
 			return err
 		}
 	}
@ -910,7 +911,7 @@ func (c *Container) generateHosts() (string, error) {
 // Generate spec for a container
 // Accepts a map of the container's dependencies
-func (c *Container) generateSpec() (*spec.Spec, error) {
+func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
 	g := generate.NewFromSpec(c.config.Spec)
 	// If network namespace was requested, add it now
@ -939,7 +940,7 @@ func (c *Container) generateSpec() (*spec.Spec, error) {
 	}
 	// Bind builtin image volumes
 	if c.config.ImageVolumes {
-		if err := c.addImageVolumes(&g); err != nil {
+		if err := c.addImageVolumes(ctx, &g); err != nil {
 			return nil, errors.Wrapf(err, "error mounting image volumes")
 		}
 	}
@ -1059,7 +1060,7 @@ func (c *Container) addNamespaceContainer(g *generate.Generator, ns LinuxNS, ctr
 	return nil
 }
-func (c *Container) addImageVolumes(g *generate.Generator) error {
+func (c *Container) addImageVolumes(ctx context.Context, g *generate.Generator) error {
 	mountPoint := c.state.Mountpoint
 	if !c.state.Mounted {
 		return errors.Wrapf(ErrInternal, "container is not mounted")
@ -1068,7 +1069,7 @@ func (c *Container) addImageVolumes(g *generate.Generator) error {
 	if err != nil {
 		return err
 	}
-	imageData, err := newImage.Inspect()
+	imageData, err := newImage.Inspect(ctx)
 	if err != nil {
 		return err
 	}
--- a/libpod/image/filters.go
+++ b/libpod/image/filters.go
@ -1,6 +1,7 @@
 package image
 import (
 	"context"
 	"strings"
 	"time"
@ -39,7 +40,7 @@ func DanglingFilter() ResultFilter {
 }
 // LabelFilter allows you to filter by images labels key and/or value
-func LabelFilter(labelfilter string) ResultFilter {
+func LabelFilter(ctx context.Context, labelfilter string) ResultFilter {
 	// We need to handle both label=key and label=key=value
 	return func(i *Image) bool {
 		var value string
@ -48,7 +49,7 @@ func LabelFilter(labelfilter string) ResultFilter {
 		if len(splitFilter) > 1 {
 			value = splitFilter[1]
 		}
-		labels, err := i.Labels()
+		labels, err := i.Labels(ctx)
 		if err != nil {
 			return false
 		}
--- a/libpod/image/image.go
+++ b/libpod/image/image.go
@ -1,6 +1,7 @@
 package image
 import (
 	"context"
 	"encoding/json"
 	"fmt"
 	"io"
@ -117,7 +118,7 @@ func (ir *Runtime) NewFromLocal(name string) (*Image, error) {
 // New creates a new image object where the image could be local
 // or remote
-func (ir *Runtime) New(name, signaturePolicyPath, authfile string, writer io.Writer, dockeroptions *DockerRegistryOptions, signingoptions SigningOptions, forcePull, forceSecure bool) (*Image, error) {
+func (ir *Runtime) New(ctx context.Context, name, signaturePolicyPath, authfile string, writer io.Writer, dockeroptions *DockerRegistryOptions, signingoptions SigningOptions, forcePull, forceSecure bool) (*Image, error) {
 	// We don't know if the image is local or not ... check local first
 	newImage := Image{
 		InputName:    name,
@ -137,7 +138,7 @@ func (ir *Runtime) New(name, signaturePolicyPath, authfile string, writer io.Wri
 	if signaturePolicyPath == "" {
 		signaturePolicyPath = ir.SignaturePolicyPath
 	}
-	imageName, err := newImage.pullImage(writer, authfile, signaturePolicyPath, signingoptions, dockeroptions, forceSecure)
+	imageName, err := newImage.pullImage(ctx, writer, authfile, signaturePolicyPath, signingoptions, dockeroptions, forceSecure)
 	if err != nil {
 		return nil, errors.Errorf("unable to pull %s", name)
 	}
@ -254,12 +255,12 @@ func (i *Image) Digest() digest.Digest {
 // Manifest returns the image's manifest as a byte array
 // and manifest type as a string.  The manifest type is
 // MediaTypeImageManifest from ociv1.
-func (i *Image) Manifest() ([]byte, string, error) {
+func (i *Image) Manifest(ctx context.Context) ([]byte, string, error) {
-	imgRef, err := i.toImageRef()
+	imgRef, err := i.toImageRef(ctx)
 	if err != nil {
 		return nil, "", err
 	}
-	return imgRef.Manifest()
+	return imgRef.Manifest(ctx)
 }
 // Names returns a string array of names associated with the image
@ -351,8 +352,8 @@ func (ir *Runtime) GetImages() ([]*Image, error) {
 // getImageDigest creates an image object and uses the hex value of the digest as the image ID
 // for parsing the store reference
-func getImageDigest(src types.ImageReference, ctx *types.SystemContext) (string, error) {
+func getImageDigest(ctx context.Context, src types.ImageReference, sc *types.SystemContext) (string, error) {
-	newImg, err := src.NewImage(ctx)
+	newImg, err := src.NewImage(ctx, sc)
 	if err != nil {
 		return "", err
 	}
@ -408,7 +409,7 @@ func (i *Image) UntagImage(tag string) error {
 }
 // PushImage pushes the given image to a location described by the given path
-func (i *Image) PushImage(destination, manifestMIMEType, authFile, signaturePolicyPath string, writer io.Writer, forceCompress bool, signingOptions SigningOptions, dockerRegistryOptions *DockerRegistryOptions) error {
+func (i *Image) PushImage(ctx context.Context, destination, manifestMIMEType, authFile, signaturePolicyPath string, writer io.Writer, forceCompress bool, signingOptions SigningOptions, dockerRegistryOptions *DockerRegistryOptions) error {
 	if destination == "" {
 		return errors.Wrapf(syscall.EINVAL, "destination image name must be specified")
 	}
@ -444,7 +445,7 @@ func (i *Image) PushImage(destination, manifestMIMEType, authFile, signaturePoli
 	copyOptions := getCopyOptions(writer, signaturePolicyPath, nil, dockerRegistryOptions, signingOptions, authFile, manifestMIMEType, forceCompress)
 	// Copy the image to the remote destination
-	err = cp.Image(policyContext, dest, src, copyOptions)
+	err = cp.Image(ctx, policyContext, dest, src, copyOptions)
 	if err != nil {
 		return errors.Wrapf(err, "Error copying image to the remote destination")
 	}
@ -477,12 +478,12 @@ func (i *Image) toStorageReference() (types.ImageReference, error) {
 // ToImageRef returns an image reference type from an image
 // TODO: Hopefully we can remove this exported function for mheon
-func (i *Image) ToImageRef() (types.Image, error) {
+func (i *Image) ToImageRef(ctx context.Context) (types.Image, error) {
-	return i.toImageRef()
+	return i.toImageRef(ctx)
 }
 // toImageRef returns an Image Reference type from an image
-func (i *Image) toImageRef() (types.Image, error) {
+func (i *Image) toImageRef(ctx context.Context) (types.Image, error) {
 	if i == nil {
 		return nil, errors.Errorf("cannot convert nil image to image reference")
 	}
@ -491,7 +492,7 @@ func (i *Image) toImageRef() (types.Image, error) {
 		if err != nil {
 			return nil, errors.Wrapf(err, "error parsing reference to image %q", i.ID())
 		}
-		imgRef, err := ref.NewImage(nil)
+		imgRef, err := ref.NewImage(ctx, nil)
 		if err != nil {
 			return nil, errors.Wrapf(err, "error reading image %q", i.ID())
 		}
@ -506,13 +507,13 @@ type sizer interface {
 }
 //Size returns the size of the image
-func (i *Image) Size() (*uint64, error) {
+func (i *Image) Size(ctx context.Context) (*uint64, error) {
 	storeRef, err := is.Transport.ParseStoreReference(i.imageruntime.store, i.ID())
 	if err != nil {
 		return nil, err
 	}
 	systemContext := &types.SystemContext{}
-	img, err := storeRef.NewImageSource(systemContext)
+	img, err := storeRef.NewImageSource(ctx, systemContext)
 	if err != nil {
 		return nil, err
 	}
@ -540,12 +541,12 @@ func (i *Image) Layer() (*storage.Layer, error) {
 }
 // History gets the history of an image and information about its layers
-func (i *Image) History() ([]ociv1.History, []types.BlobInfo, error) {
+func (i *Image) History(ctx context.Context) ([]ociv1.History, []types.BlobInfo, error) {
-	img, err := i.toImageRef()
+	img, err := i.toImageRef(ctx)
 	if err != nil {
 		return nil, nil, err
 	}
-	oci, err := img.OCIConfig()
+	oci, err := img.OCIConfig(ctx)
 	if err != nil {
 		return nil, nil, err
 	}
@ -558,8 +559,8 @@ func (i *Image) Dangling() bool {
 }
 // Labels returns the image's labels
-func (i *Image) Labels() (map[string]string, error) {
+func (i *Image) Labels(ctx context.Context) (map[string]string, error) {
-	imgInspect, err := i.imageInspectInfo()
+	imgInspect, err := i.imageInspectInfo(ctx)
 	if err != nil {
 		return nil, nil
 	}
@ -567,8 +568,8 @@ func (i *Image) Labels() (map[string]string, error) {
 }
 // Annotations returns the annotations of an image
-func (i *Image) Annotations() (map[string]string, error) {
+func (i *Image) Annotations(ctx context.Context) (map[string]string, error) {
-	manifest, manifestType, err := i.Manifest()
+	manifest, manifestType, err := i.Manifest(ctx)
 	if err != nil {
 		return nil, err
 	}
@ -587,25 +588,25 @@ func (i *Image) Annotations() (map[string]string, error) {
 // ociv1Image converts and image to an imgref and then an
 // ociv1 image type
-func (i *Image) ociv1Image() (*ociv1.Image, error) {
+func (i *Image) ociv1Image(ctx context.Context) (*ociv1.Image, error) {
-	imgRef, err := i.toImageRef()
+	imgRef, err := i.toImageRef(ctx)
 	if err != nil {
 		return nil, err
 	}
-	return imgRef.OCIConfig()
+	return imgRef.OCIConfig(ctx)
 }
-func (i *Image) imageInspectInfo() (*types.ImageInspectInfo, error) {
+func (i *Image) imageInspectInfo(ctx context.Context) (*types.ImageInspectInfo, error) {
 	if i.inspectInfo == nil {
 		sr, err := i.toStorageReference()
 		if err != nil {
 			return nil, err
 		}
-		ic, err := sr.NewImage(&types.SystemContext{})
+		ic, err := sr.NewImage(ctx, &types.SystemContext{})
 		if err != nil {
 			return nil, err
 		}
-		imgInspect, err := ic.Inspect()
+		imgInspect, err := ic.Inspect(ctx)
 		if err != nil {
 			return nil, err
 		}
@ -615,21 +616,21 @@ func (i *Image) imageInspectInfo() (*types.ImageInspectInfo, error) {
 }
 // Inspect returns an image's inspect data
-func (i *Image) Inspect() (*inspect.ImageData, error) {
+func (i *Image) Inspect(ctx context.Context) (*inspect.ImageData, error) {
-	ociv1Img, err := i.ociv1Image()
+	ociv1Img, err := i.ociv1Image(ctx)
 	if err != nil {
 		return nil, err
 	}
-	info, err := i.imageInspectInfo()
+	info, err := i.imageInspectInfo(ctx)
 	if err != nil {
 		return nil, err
 	}
-	annotations, err := i.Annotations()
+	annotations, err := i.Annotations(ctx)
 	if err != nil {
 		return nil, err
 	}
-	size, err := i.Size()
+	size, err := i.Size(ctx)
 	if err != nil {
 		return nil, err
 	}
@ -670,7 +671,7 @@ func (i *Image) Inspect() (*inspect.ImageData, error) {
 }
 // Import imports and image into the store and returns an image
-func (ir *Runtime) Import(path, reference string, writer io.Writer, signingOptions SigningOptions, imageConfig ociv1.Image) (*Image, error) {
+func (ir *Runtime) Import(ctx context.Context, path, reference string, writer io.Writer, signingOptions SigningOptions, imageConfig ociv1.Image) (*Image, error) {
 	file := TarballTransport + ":" + path
 	src, err := alltransports.ParseImageName(file)
 	if err != nil {
@ -694,7 +695,7 @@ func (ir *Runtime) Import(path, reference string, writer io.Writer, signingOptio
 	// if reference not given, get the image digest
 	if reference == "" {
-		reference, err = getImageDigest(src, sc)
+		reference, err = getImageDigest(ctx, src, sc)
 		if err != nil {
 			return nil, err
 		}
@ -709,7 +710,7 @@ func (ir *Runtime) Import(path, reference string, writer io.Writer, signingOptio
 	if err != nil {
 		errors.Wrapf(err, "error getting image reference for %q", reference)
 	}
-	if err = cp.Image(policyContext, dest, src, copyOptions); err != nil {
+	if err = cp.Image(ctx, policyContext, dest, src, copyOptions); err != nil {
 		return nil, err
 	}
 	return ir.NewFromLocal(reference)
--- a/libpod/image/image_test.go
+++ b/libpod/image/image_test.go
@ -1,6 +1,7 @@
 package image
 import (
 	"context"
 	"fmt"
 	"io"
 	"io/ioutil"
@ -81,9 +82,9 @@ func TestImage_NewFromLocal(t *testing.T) {
 	// Need images to be present for this test
 	ir, err := NewImageRuntimeFromOptions(so)
 	assert.NoError(t, err)
-	bb, err := ir.New("docker.io/library/busybox:latest", "", "", writer, nil, SigningOptions{}, false, false)
+	bb, err := ir.New(context.Background(), "docker.io/library/busybox:latest", "", "", writer, nil, SigningOptions{}, false, false)
 	assert.NoError(t, err)
-	bbglibc, err := ir.New("docker.io/library/busybox:glibc", "", "", writer, nil, SigningOptions{}, false, false)
+	bbglibc, err := ir.New(context.Background(), "docker.io/library/busybox:glibc", "", "", writer, nil, SigningOptions{}, false, false)
 	assert.NoError(t, err)
 	tm, err := makeLocalMatrix(bb, bbglibc)
@ -126,7 +127,7 @@ func TestImage_New(t *testing.T) {
 	// Iterate over the names and delete the image
 	// after the pull
 	for _, img := range names {
-		newImage, err := ir.New(img, "", "", writer, nil, SigningOptions{}, false, false)
+		newImage, err := ir.New(context.Background(), img, "", "", writer, nil, SigningOptions{}, false, false)
 		assert.NoError(t, err)
 		assert.NotEqual(t, newImage.ID(), "")
 		err = newImage.Remove(false)
@ -150,7 +151,7 @@ func TestImage_MatchRepoTag(t *testing.T) {
 	}
 	ir, err := NewImageRuntimeFromOptions(so)
 	assert.NoError(t, err)
-	newImage, err := ir.New("busybox", "", "", os.Stdout, nil, SigningOptions{}, false, false)
+	newImage, err := ir.New(context.Background(), "busybox", "", "", os.Stdout, nil, SigningOptions{}, false, false)
 	assert.NoError(t, err)
 	err = newImage.TagImage("foo:latest")
 	assert.NoError(t, err)
--- a/libpod/image/pull.go
+++ b/libpod/image/pull.go
@ -1,6 +1,7 @@
 package image
 import (
 	"context"
 	"fmt"
 	"io"
 	"os"
@ -70,7 +71,7 @@ func (ir *Runtime) getPullStruct(srcRef types.ImageReference, destName string) (
 }
 // returns a list of pullStruct with the srcRef and DstRef based on the transport being used
-func (ir *Runtime) getPullListFromRef(srcRef types.ImageReference, imgName string, sc *types.SystemContext) ([]*pullStruct, error) {
+func (ir *Runtime) getPullListFromRef(ctx context.Context, srcRef types.ImageReference, imgName string, sc *types.SystemContext) ([]*pullStruct, error) {
 	var pullStructs []*pullStruct
 	splitArr := strings.Split(imgName, ":")
 	archFile := splitArr[len(splitArr)-1]
@ -89,7 +90,7 @@ func (ir *Runtime) getPullListFromRef(srcRef types.ImageReference, imgName strin
 		// to pull the first image stored in the tar file
 		if len(manifest) == 0 {
 			// use the hex of the digest if no manifest is found
-			reference, err := getImageDigest(srcRef, sc)
+			reference, err := getImageDigest(ctx, srcRef, sc)
 			if err != nil {
 				return nil, err
 			}
@ -104,7 +105,7 @@ func (ir *Runtime) getPullListFromRef(srcRef types.ImageReference, imgName strin
 				dest = manifest[0].RepoTags[0]
 			} else {
 				// If the input image has no repotags, we need to feed it a dest anyways
-				dest, err = getImageDigest(srcRef, sc)
+				dest, err = getImageDigest(ctx, srcRef, sc)
 				if err != nil {
 					return nil, err
 				}
@ -155,7 +156,7 @@ func (ir *Runtime) getPullListFromRef(srcRef types.ImageReference, imgName strin
 // pullImage pulls an image from configured registries
 // By default, only the latest tag (or a specific tag if requested) will be
 // pulled.
-func (i *Image) pullImage(writer io.Writer, authfile, signaturePolicyPath string, signingOptions SigningOptions, dockerOptions *DockerRegistryOptions, forceSecure bool) (string, error) {
+func (i *Image) pullImage(ctx context.Context, writer io.Writer, authfile, signaturePolicyPath string, signingOptions SigningOptions, dockerOptions *DockerRegistryOptions, forceSecure bool) (string, error) {
 	// pullImage copies the image from the source to the destination
 	var pullStructs []*pullStruct
 	sc := GetSystemContext(signaturePolicyPath, authfile, false)
@ -167,7 +168,7 @@ func (i *Image) pullImage(writer io.Writer, authfile, signaturePolicyPath string
 			return "", errors.Wrap(err, "error getting default registries to try")
 		}
 	} else {
-		pullStructs, err = i.imageruntime.getPullListFromRef(srcRef, i.InputName, sc)
+		pullStructs, err = i.imageruntime.getPullListFromRef(ctx, srcRef, i.InputName, sc)
 		if err != nil {
 			return "", errors.Wrapf(err, "error getting pullStruct info to pull image %q", i.InputName)
 		}
@ -201,7 +202,7 @@ func (i *Image) pullImage(writer io.Writer, authfile, signaturePolicyPath string
 		if writer != nil && (strings.HasPrefix(DockerTransport, imageInfo.srcRef.Transport().Name()) || imageInfo.srcRef.Transport().Name() == AtomicTransport) {
 			io.WriteString(writer, fmt.Sprintf("Trying to pull %s...", imageInfo.image))
 		}
-		if err = cp.Image(policyContext, imageInfo.dstRef, imageInfo.srcRef, copyOptions); err != nil {
+		if err = cp.Image(ctx, policyContext, imageInfo.dstRef, imageInfo.srcRef, copyOptions); err != nil {
 			if writer != nil {
 				io.WriteString(writer, "Failed\n")
 			}
--- a/libpod/pod.go
+++ b/libpod/pod.go
@ -1,6 +1,7 @@
 package libpod
 import (
 	"context"
 	"path/filepath"
 	"strings"
@ -81,7 +82,7 @@ func newPod(lockDir string, runtime *Runtime) (*Pod, error) {
 // containers. The container ID is mapped to the error encountered. The error is
 // set to ErrCtrExists
 // If both error and the map are nil, all containers were started successfully
-func (p *Pod) Start() (map[string]error, error) {
+func (p *Pod) Start(ctx context.Context) (map[string]error, error) {
 	p.lock.Lock()
 	defer p.lock.Unlock()
@ -111,7 +112,7 @@ func (p *Pod) Start() (map[string]error, error) {
 	// Traverse the graph beginning at nodes with no dependencies
 	for _, node := range graph.noDepNodes {
-		startNode(node, false, ctrErrors, ctrsVisited)
+		startNode(ctx, node, false, ctrErrors, ctrsVisited)
 	}
 	return ctrErrors, nil
@ -119,7 +120,7 @@ func (p *Pod) Start() (map[string]error, error) {
 // Visit a node on a container graph and start the container, or set an error if
 // a dependency failed to start
-func startNode(node *containerNode, setError bool, ctrErrors map[string]error, ctrsVisited map[string]bool) {
+func startNode(ctx context.Context, node *containerNode, setError bool, ctrErrors map[string]error, ctrsVisited map[string]bool) {
 	// First, check if we have already visited the node
 	if ctrsVisited[node.id] {
 		return
@ -134,7 +135,7 @@ func startNode(node *containerNode, setError bool, ctrErrors map[string]error, c
 		// Hit anyone who depends on us, and set errors on them too
 		for _, successor := range node.dependedOn {
-			startNode(successor, true, ctrErrors, ctrsVisited)
+			startNode(ctx, successor, true, ctrErrors, ctrsVisited)
 		}
 		return
@ -187,7 +188,7 @@ func startNode(node *containerNode, setError bool, ctrErrors map[string]error, c
 	// Start the container (only if it is not running)
 	if !ctrErrored && node.container.state.State != ContainerStateRunning {
-		if err := node.container.initAndStart(); err != nil {
+		if err := node.container.initAndStart(ctx); err != nil {
 			ctrErrored = true
 			ctrErrors[node.id] = err
 		}
@ -197,7 +198,7 @@ func startNode(node *containerNode, setError bool, ctrErrors map[string]error, c
 	// Recurse to anyone who depends on us and start them
 	for _, successor := range node.dependedOn {
-		startNode(successor, ctrErrored, ctrErrors, ctrsVisited)
+		startNode(ctx, successor, ctrErrored, ctrErrors, ctrsVisited)
 	}
 	return
--- a/libpod/runtime_ctr.go
+++ b/libpod/runtime_ctr.go
@ -1,6 +1,7 @@
 package libpod
 import (
 	"context"
 	"os"
 	"path/filepath"
 	"strings"
@ -27,7 +28,7 @@ type CtrCreateOption func(*Container) error
 type ContainerFilter func(*Container) bool
 // NewContainer creates a new container from a given OCI config
-func (r *Runtime) NewContainer(rSpec *spec.Spec, options ...CtrCreateOption) (c *Container, err error) {
+func (r *Runtime) NewContainer(ctx context.Context, rSpec *spec.Spec, options ...CtrCreateOption) (c *Container, err error) {
 	r.lock.Lock()
 	defer r.lock.Unlock()
 	if !r.valid {
@ -60,7 +61,7 @@ func (r *Runtime) NewContainer(rSpec *spec.Spec, options ...CtrCreateOption) (c
 	}
 	// Set up storage for the container
-	if err := ctr.setupStorage(); err != nil {
+	if err := ctr.setupStorage(ctx); err != nil {
 		return nil, err
 	}
 	defer func() {
--- a/libpod/storage.go
+++ b/libpod/storage.go
@ -1,6 +1,7 @@
 package libpod
 import (
 	"context"
 	"encoding/json"
 	"time"
@ -56,7 +57,7 @@ func (metadata *RuntimeContainerMetadata) SetMountLabel(mountLabel string) {
 // CreateContainerStorage creates the storage end of things.  We already have the container spec created
 // TO-DO We should be passing in an Image object in the future.
-func (r *storageService) CreateContainerStorage(systemContext *types.SystemContext, imageName, imageID, containerName, containerID, mountLabel string) (ContainerInfo, error) {
+func (r *storageService) CreateContainerStorage(ctx context.Context, systemContext *types.SystemContext, imageName, imageID, containerName, containerID, mountLabel string) (ContainerInfo, error) {
 	var ref types.ImageReference
 	if imageName == "" && imageID == "" {
 		return ContainerInfo{}, ErrEmptyID
@ -74,7 +75,7 @@ func (r *storageService) CreateContainerStorage(systemContext *types.SystemConte
 		return ContainerInfo{}, err
 	}
 	// Pull out a copy of the image's configuration.
-	image, err := ref.NewImage(systemContext)
+	image, err := ref.NewImage(ctx, systemContext)
 	if err != nil {
 		return ContainerInfo{}, err
 	}
--- a/test/bin2img/bin2img.go
+++ b/test/bin2img/bin2img.go
@ -3,6 +3,7 @@ package main
 import (
 	"archive/tar"
 	"bytes"
 	"context"
 	"encoding/json"
 	"io"
 	"os"
@ -148,13 +149,14 @@ func main() {
 			logrus.Errorf("error parsing image name: %v", err)
 			os.Exit(1)
 		}
-		img, err := ref.NewImageDestination(nil)
+		ctx := context.TODO()
 		img, err := ref.NewImageDestination(ctx, nil)
 		if err != nil {
 			logrus.Errorf("error preparing to write image: %v", err)
 			os.Exit(1)
 		}
 		defer img.Close()
-		layer, err := img.PutBlob(layerBuffer, layerInfo, false)
+		layer, err := img.PutBlob(ctx, layerBuffer, layerInfo, false)
 		if err != nil {
 			logrus.Errorf("error preparing to write image: %v", err)
 			os.Exit(1)
@ -182,7 +184,7 @@ func main() {
 			Digest: digest.Canonical.FromBytes(cbytes),
 			Size:   int64(len(cbytes)),
 		}
-		configInfo, err = img.PutBlob(bytes.NewBuffer(cbytes), configInfo, false)
+		configInfo, err = img.PutBlob(ctx, bytes.NewBuffer(cbytes), configInfo, false)
 		if err != nil {
 			logrus.Errorf("error saving configuration: %v", err)
 			os.Exit(1)
@ -207,12 +209,12 @@ func main() {
 			logrus.Errorf("error encoding manifest: %v", err)
 			os.Exit(1)
 		}
-		err = img.PutManifest(mbytes)
+		err = img.PutManifest(ctx, mbytes)
 		if err != nil {
 			logrus.Errorf("error saving manifest: %v", err)
 			os.Exit(1)
 		}
-		err = img.Commit()
+		err = img.Commit(ctx)
 		if err != nil {
 			logrus.Errorf("error committing image: %v", err)
 			os.Exit(1)
--- a/test/copyimg/copyimg.go
+++ b/test/copyimg/copyimg.go
@ -1,6 +1,7 @@
 package main
 import (
 	"context"
 	"os"
 	"github.com/containers/image/copy"
@ -156,9 +157,10 @@ func main() {
 			}
 		}
 		ctx := context.TODO()
 		if imageName != "" {
 			if importFrom != "" {
-				err = copy.Image(policyContext, ref, importRef, options)
+				err = copy.Image(ctx, policyContext, ref, importRef, options)
 				if err != nil {
 					logrus.Errorf("error importing %s: %v", importFrom, err)
 					os.Exit(1)
@ -178,7 +180,7 @@ func main() {
 				}
 			}
 			if exportTo != "" {
-				err = copy.Image(policyContext, exportRef, ref, options)
+				err = copy.Image(ctx, policyContext, exportRef, ref, options)
 				if err != nil {
 					logrus.Errorf("error exporting %s: %v", exportTo, err)
 					os.Exit(1)
@ -186,7 +188,7 @@ func main() {
 			}
 		} else {
 			if importFrom != "" && exportTo != "" {
-				err = copy.Image(policyContext, exportRef, importRef, options)
+				err = copy.Image(ctx, policyContext, exportRef, importRef, options)
 				if err != nil {
 					logrus.Errorf("error copying %s to %s: %v", importFrom, exportTo, err)
 					os.Exit(1)
--- a/test/e2e/libpod_suite_test.go
+++ b/test/e2e/libpod_suite_test.go
@ -1,6 +1,7 @@
 package integration
 import (
 	"context"
 	"fmt"
 	"io/ioutil"
 	"os"
@ -12,6 +13,7 @@ import (
 	"time"
 	"encoding/json"
 	"github.com/containers/image/copy"
 	"github.com/containers/image/signature"
 	"github.com/containers/image/storage"
@ -327,9 +329,7 @@ func (p *PodmanTest) CreateArtifact(image string) error {
 		return errors.Errorf("error parsing image name %v: %v", exportTo, err)
 	}
-	return copy.Image(policyContext, exportRef, importRef, options)
+	return copy.Image(getTestContext(), policyContext, exportRef, importRef, options)
 	return nil
 }
 // RestoreArtifact puts the cached image into our test store
@ -378,7 +378,7 @@ func (p *PodmanTest) RestoreArtifact(image string) error {
 	}()
 	options := &copy.Options{}
-	err = copy.Image(policyContext, ref, importRef, options)
+	err = copy.Image(getTestContext(), policyContext, ref, importRef, options)
 	if err != nil {
 		return errors.Errorf("error importing %s: %v", importFrom, err)
 	}
@ -622,3 +622,7 @@ func IsCommandAvailable(command string) bool {
 	}
 	return true
 }
 func getTestContext() context.Context {
 	return context.Background()
 }
--- a/vendor.conf
+++ b/vendor.conf
@ -10,8 +10,8 @@ github.com/containerd/cgroups 7a5fdd8330119dc70d850260db8f3594d89d6943
 github.com/containerd/continuity master
 github.com/containernetworking/cni v0.4.0
 github.com/containernetworking/plugins master
-github.com/containers/image 54ea27515e713429b1ae1bf5a63002c15c25a206
+github.com/containers/image e51d350816912bbd09a91f690cd394b6225c043d
-github.com/containers/storage 5d52f079f1709f0408a6c086c603d259b0e5da3e
+github.com/containers/storage ce923c1ed9e51c8fe58e41a86abc05be7b824f62
 github.com/coreos/go-systemd v14
 github.com/cri-o/ocicni master
 github.com/cyphar/filepath-securejoin v0.2.1
--- a/vendor/github.com/containerd/continuity/LICENSE
+++ b/vendor/github.com/containerd/continuity/LICENSE
@ -1,202 +0,0 @@
                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/
   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
   1. Definitions.
      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.
      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.
      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.
      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.
      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.
      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.
      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).
      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.
      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."
      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by Licensor and
      subsequently incorporated within the Work.
   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.
   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.
   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:
      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and
      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and
      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and
      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding those notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.
      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.
   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.
   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.
   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.
   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.
   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.
   END OF TERMS AND CONDITIONS
   APPENDIX: How to apply the Apache License to your work.
      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "{}"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. We also recommend that a
      file or class name and description of purpose be included on the
      same "printed page" as the copyright notice for easier
      identification within third-party archives.
   Copyright {yyyy} {name of copyright owner}
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at
       http://www.apache.org/licenses/LICENSE-2.0
   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
--- a/vendor/github.com/containerd/continuity/README.md
+++ b/vendor/github.com/containerd/continuity/README.md
@ -1,74 +0,0 @@
 # continuity
 [![GoDoc](https://godoc.org/github.com/containerd/continuity?status.svg)](https://godoc.org/github.com/containerd/continuity)
 [![Build Status](https://travis-ci.org/containerd/continuity.svg?branch=master)](https://travis-ci.org/containerd/continuity)
 A transport-agnostic, filesystem metadata manifest system
 This project is a staging area for experiments in providing transport agnostic
 metadata storage.
 Please see https://github.com/opencontainers/specs/issues/11 for more details.
 ## Manifest Format
 A continuity manifest encodes filesystem metadata in Protocol Buffers.
 Please refer to [proto/manifest.proto](proto/manifest.proto).
 ## Usage
 Build:
 ```console
 $ make
 ```
 Create a manifest (of this repo itself):
 ```console
 $ ./bin/continuity build . > /tmp/a.pb
 ```
 Dump a manifest:
 ```console
 $ ./bin/continuity ls /tmp/a.pb
 ...
 -rw-rw-r--      270 B   /.gitignore
 -rw-rw-r--      88 B    /.mailmap
 -rw-rw-r--      187 B   /.travis.yml
 -rw-rw-r--      359 B   /AUTHORS
 -rw-rw-r--      11 kB   /LICENSE
 -rw-rw-r--      1.5 kB  /Makefile
 ...
 -rw-rw-r--      986 B   /testutil_test.go
 drwxrwxr-x      0 B     /version
 -rw-rw-r--      478 B   /version/version.go
 ```
 Verify a manifest:
 ```console
 $ ./bin/continuity verify . /tmp/a.pb
 ```
 Break the directory and restore using the manifest:
 ```console
 $ chmod 777 Makefile
 $ ./bin/continuity verify . /tmp/a.pb
 2017/06/23 08:00:34 error verifying manifest: resource "/Makefile" has incorrect mode: -rwxrwxrwx != -rw-rw-r--
 $ ./bin/continuity apply . /tmp/a.pb
 $ stat -c %a Makefile
 664
 $ ./bin/continuity verify . /tmp/a.pb
 ```
 ## Contribution Guide
 ### Building Proto Package
 If you change the proto file you will need to rebuild the generated Go with `go generate`.
 ```console
 $ go generate ./proto
 ```
--- a/vendor/github.com/containerd/continuity/vendor.conf
+++ b/vendor/github.com/containerd/continuity/vendor.conf
@ -1,12 +0,0 @@
 bazil.org/fuse 371fbbdaa8987b715bdd21d6adc4c9b20155f748
 github.com/dustin/go-humanize bb3d318650d48840a39aa21a027c6630e198e626
 github.com/golang/protobuf 1e59b77b52bf8e4b449a57e6f79f21226d571845
 github.com/inconshreveable/mousetrap 76626ae9c91c4f2a10f34cad8ce83ea42c93bb75
 github.com/opencontainers/go-digest 279bed98673dd5bef374d3b6e4b09e2af76183bf
 github.com/pkg/errors f15c970de5b76fac0b59abb32d62c17cc7bed265
 github.com/sirupsen/logrus 89742aefa4b206dcf400792f3bd35b542998eb3b
 github.com/spf13/cobra 2da4a54c5ceefcee7ca5dd0eea1e18a3b6366489
 github.com/spf13/pflag 4c012f6dcd9546820e378d0bdda4d8fc772cdfea
 golang.org/x/crypto 9f005a07e0d31d45e6656d241bb5c0f2efd4bc94
 golang.org/x/net a337091b0525af65de94df2eb7e98bd9962dcbe2
 golang.org/x/sys 665f6529cca930e27b831a0d1dafffbe1c172924
--- a/vendor/github.com/containers/image/copy/copy.go
+++ b/vendor/github.com/containers/image/copy/copy.go
@ -104,7 +104,7 @@ type Options struct {
 // Image copies image from srcRef to destRef, using policyContext to validate
 // source image admissibility.
-func Image(policyContext *signature.PolicyContext, destRef, srcRef types.ImageReference, options *Options) (retErr error) {
+func Image(ctx context.Context, policyContext *signature.PolicyContext, destRef, srcRef types.ImageReference, options *Options) (retErr error) {
 	// NOTE this function uses an output parameter for the error return value.
 	// Setting this and returning is the ideal way to return an error.
 	//
@ -120,7 +120,7 @@ func Image(policyContext *signature.PolicyContext, destRef, srcRef types.ImageRe
 		reportWriter = options.ReportWriter
 	}
-	dest, err := destRef.NewImageDestination(options.DestinationCtx)
+	dest, err := destRef.NewImageDestination(ctx, options.DestinationCtx)
 	if err != nil {
 		return errors.Wrapf(err, "Error initializing destination %s", transports.ImageName(destRef))
 	}
@ -130,7 +130,7 @@ func Image(policyContext *signature.PolicyContext, destRef, srcRef types.ImageRe
 		}
 	}()
-	rawSource, err := srcRef.NewImageSource(options.SourceCtx)
+	rawSource, err := srcRef.NewImageSource(ctx, options.SourceCtx)
 	if err != nil {
 		return errors.Wrapf(err, "Error initializing source %s", transports.ImageName(srcRef))
 	}
@ -151,32 +151,32 @@ func Image(policyContext *signature.PolicyContext, destRef, srcRef types.ImageRe
 	}
 	unparsedToplevel := image.UnparsedInstance(rawSource, nil)
-	multiImage, err := isMultiImage(unparsedToplevel)
+	multiImage, err := isMultiImage(ctx, unparsedToplevel)
 	if err != nil {
 		return errors.Wrapf(err, "Error determining manifest MIME type for %s", transports.ImageName(srcRef))
 	}
 	if !multiImage {
 		// The simple case: Just copy a single image.
-		if err := c.copyOneImage(policyContext, options, unparsedToplevel); err != nil {
+		if err := c.copyOneImage(ctx, policyContext, options, unparsedToplevel); err != nil {
 			return err
 		}
 	} else {
 		// This is a manifest list. Choose a single image and copy it.
 		// FIXME: Copy to destinations which support manifest lists, one image at a time.
-		instanceDigest, err := image.ChooseManifestInstanceFromManifestList(options.SourceCtx, unparsedToplevel)
+		instanceDigest, err := image.ChooseManifestInstanceFromManifestList(ctx, options.SourceCtx, unparsedToplevel)
 		if err != nil {
 			return errors.Wrapf(err, "Error choosing an image from manifest list %s", transports.ImageName(srcRef))
 		}
 		logrus.Debugf("Source is a manifest list; copying (only) instance %s", instanceDigest)
 		unparsedInstance := image.UnparsedInstance(rawSource, &instanceDigest)
-		if err := c.copyOneImage(policyContext, options, unparsedInstance); err != nil {
+		if err := c.copyOneImage(ctx, policyContext, options, unparsedInstance); err != nil {
 			return err
 		}
 	}
-	if err := c.dest.Commit(); err != nil {
+	if err := c.dest.Commit(ctx); err != nil {
 		return errors.Wrap(err, "Error committing the finished image")
 	}
@ -185,10 +185,10 @@ func Image(policyContext *signature.PolicyContext, destRef, srcRef types.ImageRe
 // Image copies a single (on-manifest-list) image unparsedImage, using policyContext to validate
 // source image admissibility.
-func (c *copier) copyOneImage(policyContext *signature.PolicyContext, options *Options, unparsedImage *image.UnparsedImage) (retErr error) {
+func (c *copier) copyOneImage(ctx context.Context, policyContext *signature.PolicyContext, options *Options, unparsedImage *image.UnparsedImage) (retErr error) {
 	// The caller is handling manifest lists; this could happen only if a manifest list contains a manifest list.
 	// Make sure we fail cleanly in such cases.
-	multiImage, err := isMultiImage(unparsedImage)
+	multiImage, err := isMultiImage(ctx, unparsedImage)
 	if err != nil {
 		// FIXME FIXME: How to name a reference for the sub-image?
 		return errors.Wrapf(err, "Error determining manifest MIME type for %s", transports.ImageName(unparsedImage.Reference()))
@ -200,15 +200,15 @@ func (c *copier) copyOneImage(policyContext *signature.PolicyContext, options *O
 	// Please keep this policy check BEFORE reading any other information about the image.
 	// (the multiImage check above only matches the MIME type, which we have received anyway.
 	// Actual parsing of anything should be deferred.)
-	if allowed, err := policyContext.IsRunningImageAllowed(unparsedImage); !allowed || err != nil { // Be paranoid and fail if either return value indicates so.
+	if allowed, err := policyContext.IsRunningImageAllowed(ctx, unparsedImage); !allowed || err != nil { // Be paranoid and fail if either return value indicates so.
 		return errors.Wrap(err, "Source image rejected")
 	}
-	src, err := image.FromUnparsedImage(options.SourceCtx, unparsedImage)
+	src, err := image.FromUnparsedImage(ctx, options.SourceCtx, unparsedImage)
 	if err != nil {
 		return errors.Wrapf(err, "Error initializing image from source %s", transports.ImageName(c.rawSource.Reference()))
 	}
-	if err := checkImageDestinationForCurrentRuntimeOS(options.DestinationCtx, src, c.dest); err != nil {
+	if err := checkImageDestinationForCurrentRuntimeOS(ctx, options.DestinationCtx, src, c.dest); err != nil {
 		return err
 	}
@ -217,7 +217,7 @@ func (c *copier) copyOneImage(policyContext *signature.PolicyContext, options *O
 		sigs = [][]byte{}
 	} else {
 		c.Printf("Getting image source signatures\n")
-		s, err := src.Signatures(context.TODO())
+		s, err := src.Signatures(ctx)
 		if err != nil {
 			return errors.Wrap(err, "Error reading signatures")
 		}
@ -225,7 +225,7 @@ func (c *copier) copyOneImage(policyContext *signature.PolicyContext, options *O
 	}
 	if len(sigs) != 0 {
 		c.Printf("Checking if image destination supports signatures\n")
-		if err := c.dest.SupportsSignatures(); err != nil {
+		if err := c.dest.SupportsSignatures(ctx); err != nil {
 			return errors.Wrap(err, "Can not copy signatures")
 		}
 	}
@ -244,7 +244,7 @@ func (c *copier) copyOneImage(policyContext *signature.PolicyContext, options *O
 	// We compute preferredManifestMIMEType only to show it in error messages.
 	// Without having to add this context in an error message, we would be happy enough to know only that no conversion is needed.
-	preferredManifestMIMEType, otherManifestMIMETypeCandidates, err := ic.determineManifestConversion(c.dest.SupportedManifestMIMETypes(), options.ForceManifestMIMEType)
+	preferredManifestMIMEType, otherManifestMIMETypeCandidates, err := ic.determineManifestConversion(ctx, c.dest.SupportedManifestMIMETypes(), options.ForceManifestMIMEType)
 	if err != nil {
 		return err
 	}
@ -252,7 +252,7 @@ func (c *copier) copyOneImage(policyContext *signature.PolicyContext, options *O
 	// If src.UpdatedImageNeedsLayerDiffIDs(ic.manifestUpdates) will be true, it needs to be true by the time we get here.
 	ic.diffIDsAreNeeded = src.UpdatedImageNeedsLayerDiffIDs(*ic.manifestUpdates)
-	if err := ic.copyLayers(); err != nil {
+	if err := ic.copyLayers(ctx); err != nil {
 		return err
 	}
@ -260,7 +260,7 @@ func (c *copier) copyOneImage(policyContext *signature.PolicyContext, options *O
 	// and at least with the OpenShift registry "acceptschema2" option, there is no way to detect the support
 	// without actually trying to upload something and getting a types.ManifestTypeRejectedError.
 	// So, try the preferred manifest MIME type. If the process succeeds, fine…
-	manifest, err := ic.copyUpdatedConfigAndManifest()
+	manifest, err := ic.copyUpdatedConfigAndManifest(ctx)
 	if err != nil {
 		logrus.Debugf("Writing manifest using preferred type %s failed: %v", preferredManifestMIMEType, err)
 		// … if it fails, _and_ the failure is because the manifest is rejected, we may have other options.
@ -283,7 +283,7 @@ func (c *copier) copyOneImage(policyContext *signature.PolicyContext, options *O
 		for _, manifestMIMEType := range otherManifestMIMETypeCandidates {
 			logrus.Debugf("Trying to use manifest type %s…", manifestMIMEType)
 			ic.manifestUpdates.ManifestMIMEType = manifestMIMEType
-			attemptedManifest, err := ic.copyUpdatedConfigAndManifest()
+			attemptedManifest, err := ic.copyUpdatedConfigAndManifest(ctx)
 			if err != nil {
 				logrus.Debugf("Upload of manifest type %s failed: %v", manifestMIMEType, err)
 				errs = append(errs, fmt.Sprintf("%s(%v)", manifestMIMEType, err))
@ -309,7 +309,7 @@ func (c *copier) copyOneImage(policyContext *signature.PolicyContext, options *O
 	}
 	c.Printf("Storing signatures\n")
-	if err := c.dest.PutSignatures(sigs); err != nil {
+	if err := c.dest.PutSignatures(ctx, sigs); err != nil {
 		return errors.Wrap(err, "Error writing signatures")
 	}
@ -325,13 +325,13 @@ func (c *copier) Printf(format string, a ...interface{}) {
 	fmt.Fprintf(c.reportWriter, format, a...)
 }
-func checkImageDestinationForCurrentRuntimeOS(ctx *types.SystemContext, src types.Image, dest types.ImageDestination) error {
+func checkImageDestinationForCurrentRuntimeOS(ctx context.Context, sys *types.SystemContext, src types.Image, dest types.ImageDestination) error {
 	if dest.MustMatchRuntimeOS() {
 		wantedOS := runtime.GOOS
-		if ctx != nil && ctx.OSChoice != "" {
+		if sys != nil && sys.OSChoice != "" {
-			wantedOS = ctx.OSChoice
+			wantedOS = sys.OSChoice
 		}
-		c, err := src.OCIConfig()
+		c, err := src.OCIConfig(ctx)
 		if err != nil {
 			return errors.Wrapf(err, "Error parsing image configuration")
 		}
@ -364,11 +364,11 @@ func (ic *imageCopier) updateEmbeddedDockerReference() error {
 }
 // copyLayers copies layers from ic.src/ic.c.rawSource to dest, using and updating ic.manifestUpdates if necessary and ic.canModifyManifest.
-func (ic *imageCopier) copyLayers() error {
+func (ic *imageCopier) copyLayers(ctx context.Context) error {
 	srcInfos := ic.src.LayerInfos()
 	destInfos := []types.BlobInfo{}
 	diffIDs := []digest.Digest{}
-	updatedSrcInfos, err := ic.src.LayerInfosForCopy()
+	updatedSrcInfos, err := ic.src.LayerInfosForCopy(ctx)
 	if err != nil {
 		return err
 	}
@ -396,7 +396,7 @@ func (ic *imageCopier) copyLayers() error {
 			destInfo = srcLayer
 			ic.c.Printf("Skipping foreign layer %q copy to %s\n", destInfo.Digest, ic.c.dest.Reference().Transport().Name())
 		} else {
-			destInfo, diffID, err = ic.copyLayer(srcLayer)
+			destInfo, diffID, err = ic.copyLayer(ctx, srcLayer)
 			if err != nil {
 				return err
 			}
@ -429,7 +429,7 @@ func layerDigestsDiffer(a, b []types.BlobInfo) bool {
 // copyUpdatedConfigAndManifest updates the image per ic.manifestUpdates, if necessary,
 // stores the resulting config and manifest to the destination, and returns the stored manifest.
-func (ic *imageCopier) copyUpdatedConfigAndManifest() ([]byte, error) {
+func (ic *imageCopier) copyUpdatedConfigAndManifest(ctx context.Context) ([]byte, error) {
 	pendingImage := ic.src
 	if !reflect.DeepEqual(*ic.manifestUpdates, types.ManifestUpdateOptions{InformationOnly: ic.manifestUpdates.InformationOnly}) {
 		if !ic.canModifyManifest {
@ -444,38 +444,38 @@ func (ic *imageCopier) copyUpdatedConfigAndManifest() ([]byte, error) {
 			// If handling such registries turns out to be necessary, we could compute ic.diffIDsAreNeeded based on the full list of manifest MIME type candidates.
 			return nil, errors.Errorf("Can not convert image to %s, preparing DiffIDs for this case is not supported", ic.manifestUpdates.ManifestMIMEType)
 		}
-		pi, err := ic.src.UpdatedImage(*ic.manifestUpdates)
+		pi, err := ic.src.UpdatedImage(ctx, *ic.manifestUpdates)
 		if err != nil {
 			return nil, errors.Wrap(err, "Error creating an updated image manifest")
 		}
 		pendingImage = pi
 	}
-	manifest, _, err := pendingImage.Manifest()
+	manifest, _, err := pendingImage.Manifest(ctx)
 	if err != nil {
 		return nil, errors.Wrap(err, "Error reading manifest")
 	}
-	if err := ic.c.copyConfig(pendingImage); err != nil {
+	if err := ic.c.copyConfig(ctx, pendingImage); err != nil {
 		return nil, err
 	}
 	ic.c.Printf("Writing manifest to image destination\n")
-	if err := ic.c.dest.PutManifest(manifest); err != nil {
+	if err := ic.c.dest.PutManifest(ctx, manifest); err != nil {
 		return nil, errors.Wrap(err, "Error writing manifest")
 	}
 	return manifest, nil
 }
 // copyConfig copies config.json, if any, from src to dest.
-func (c *copier) copyConfig(src types.Image) error {
+func (c *copier) copyConfig(ctx context.Context, src types.Image) error {
 	srcInfo := src.ConfigInfo()
 	if srcInfo.Digest != "" {
 		c.Printf("Copying config %s\n", srcInfo.Digest)
-		configBlob, err := src.ConfigBlob()
+		configBlob, err := src.ConfigBlob(ctx)
 		if err != nil {
 			return errors.Wrapf(err, "Error reading config blob %s", srcInfo.Digest)
 		}
-		destInfo, err := c.copyBlobFromStream(bytes.NewReader(configBlob), srcInfo, nil, false, true)
+		destInfo, err := c.copyBlobFromStream(ctx, bytes.NewReader(configBlob), srcInfo, nil, false, true)
 		if err != nil {
 			return err
 		}
@ -495,9 +495,9 @@ type diffIDResult struct {
 // copyLayer copies a layer with srcInfo (with known Digest and possibly known Size) in src to dest, perhaps compressing it if canCompress,
 // and returns a complete blobInfo of the copied layer, and a value for LayerDiffIDs if diffIDIsNeeded
-func (ic *imageCopier) copyLayer(srcInfo types.BlobInfo) (types.BlobInfo, digest.Digest, error) {
+func (ic *imageCopier) copyLayer(ctx context.Context, srcInfo types.BlobInfo) (types.BlobInfo, digest.Digest, error) {
 	// Check if we already have a blob with this digest
-	haveBlob, extantBlobSize, err := ic.c.dest.HasBlob(srcInfo)
+	haveBlob, extantBlobSize, err := ic.c.dest.HasBlob(ctx, srcInfo)
 	if err != nil {
 		return types.BlobInfo{}, "", errors.Wrapf(err, "Error checking for blob %s at destination", srcInfo.Digest)
 	}
@ -511,7 +511,7 @@ func (ic *imageCopier) copyLayer(srcInfo types.BlobInfo) (types.BlobInfo, digest
 		}
 		srcInfo.Size = extantBlobSize
 		// Tell the image destination that this blob's delta is being applied again.  For some image destinations, this can be faster than using GetBlob/PutBlob
-		blobinfo, err := ic.c.dest.ReapplyBlob(srcInfo)
+		blobinfo, err := ic.c.dest.ReapplyBlob(ctx, srcInfo)
 		if err != nil {
 			return types.BlobInfo{}, "", errors.Wrapf(err, "Error reapplying blob %s at destination", srcInfo.Digest)
 		}
@ -521,25 +521,29 @@ func (ic *imageCopier) copyLayer(srcInfo types.BlobInfo) (types.BlobInfo, digest
 	// Fallback: copy the layer, computing the diffID if we need to do so
 	ic.c.Printf("Copying blob %s\n", srcInfo.Digest)
-	srcStream, srcBlobSize, err := ic.c.rawSource.GetBlob(srcInfo)
+	srcStream, srcBlobSize, err := ic.c.rawSource.GetBlob(ctx, srcInfo)
 	if err != nil {
 		return types.BlobInfo{}, "", errors.Wrapf(err, "Error reading blob %s", srcInfo.Digest)
 	}
 	defer srcStream.Close()
-	blobInfo, diffIDChan, err := ic.copyLayerFromStream(srcStream, types.BlobInfo{Digest: srcInfo.Digest, Size: srcBlobSize},
+	blobInfo, diffIDChan, err := ic.copyLayerFromStream(ctx, srcStream, types.BlobInfo{Digest: srcInfo.Digest, Size: srcBlobSize},
 		diffIDIsNeeded)
 	if err != nil {
 		return types.BlobInfo{}, "", err
 	}
 	var diffIDResult diffIDResult // = {digest:""}
 	if diffIDIsNeeded {
-		diffIDResult = <-diffIDChan
+		select {
-		if diffIDResult.err != nil {
+		case <-ctx.Done():
-			return types.BlobInfo{}, "", errors.Wrap(diffIDResult.err, "Error computing layer DiffID")
+			return types.BlobInfo{}, "", ctx.Err()
 		case diffIDResult = <-diffIDChan:
 			if diffIDResult.err != nil {
 				return types.BlobInfo{}, "", errors.Wrap(diffIDResult.err, "Error computing layer DiffID")
 			}
 			logrus.Debugf("Computed DiffID %s for layer %s", diffIDResult.digest, srcInfo.Digest)
 			ic.c.cachedDiffIDs[srcInfo.Digest] = diffIDResult.digest
 		}
 		logrus.Debugf("Computed DiffID %s for layer %s", diffIDResult.digest, srcInfo.Digest)
 		ic.c.cachedDiffIDs[srcInfo.Digest] = diffIDResult.digest
 	}
 	return blobInfo, diffIDResult.digest, nil
 }
@ -548,7 +552,7 @@ func (ic *imageCopier) copyLayer(srcInfo types.BlobInfo) (types.BlobInfo, digest
 // it copies a blob with srcInfo (with known Digest and possibly known Size) from srcStream to dest,
 // perhaps compressing the stream if canCompress,
 // and returns a complete blobInfo of the copied blob and perhaps a <-chan diffIDResult if diffIDIsNeeded, to be read by the caller.
-func (ic *imageCopier) copyLayerFromStream(srcStream io.Reader, srcInfo types.BlobInfo,
+func (ic *imageCopier) copyLayerFromStream(ctx context.Context, srcStream io.Reader, srcInfo types.BlobInfo,
 	diffIDIsNeeded bool) (types.BlobInfo, <-chan diffIDResult, error) {
 	var getDiffIDRecorder func(compression.DecompressorFunc) io.Writer // = nil
 	var diffIDChan chan diffIDResult
@ -573,7 +577,7 @@ func (ic *imageCopier) copyLayerFromStream(srcStream io.Reader, srcInfo types.Bl
 			return pipeWriter
 		}
 	}
-	blobInfo, err := ic.c.copyBlobFromStream(srcStream, srcInfo, getDiffIDRecorder, ic.canModifyManifest, false) // Sets err to nil on success
+	blobInfo, err := ic.c.copyBlobFromStream(ctx, srcStream, srcInfo, getDiffIDRecorder, ic.canModifyManifest, false) // Sets err to nil on success
 	return blobInfo, diffIDChan, err
 	// We need the defer … pipeWriter.CloseWithError() to happen HERE so that the caller can block on reading from diffIDChan
 }
@ -607,7 +611,7 @@ func computeDiffID(stream io.Reader, decompressor compression.DecompressorFunc)
 // perhaps sending a copy to an io.Writer if getOriginalLayerCopyWriter != nil,
 // perhaps compressing it if canCompress,
 // and returns a complete blobInfo of the copied blob.
-func (c *copier) copyBlobFromStream(srcStream io.Reader, srcInfo types.BlobInfo,
+func (c *copier) copyBlobFromStream(ctx context.Context, srcStream io.Reader, srcInfo types.BlobInfo,
 	getOriginalLayerCopyWriter func(decompressor compression.DecompressorFunc) io.Writer,
 	canModifyBlob bool, isConfig bool) (types.BlobInfo, error) {
 	// The copying happens through a pipeline of connected io.Readers.
@ -689,7 +693,7 @@ func (c *copier) copyBlobFromStream(srcStream io.Reader, srcInfo types.BlobInfo,
 	}
 	// === Finally, send the layer stream to dest.
-	uploadedInfo, err := c.dest.PutBlob(destStream, inputInfo, isConfig)
+	uploadedInfo, err := c.dest.PutBlob(ctx, destStream, inputInfo, isConfig)
 	if err != nil {
 		return types.BlobInfo{}, errors.Wrap(err, "Error writing blob")
 	}
--- a/vendor/github.com/containers/image/copy/manifest.go
+++ b/vendor/github.com/containers/image/copy/manifest.go
@ -1,6 +1,7 @@
 package copy
 import (
 	"context"
 	"strings"
 	"github.com/containers/image/manifest"
@ -41,8 +42,8 @@ func (os *orderedSet) append(s string) {
 // Note that the conversion will only happen later, through ic.src.UpdatedImage
 // Returns the preferred manifest MIME type (whether we are converting to it or using it unmodified),
 // and a list of other possible alternatives, in order.
-func (ic *imageCopier) determineManifestConversion(destSupportedManifestMIMETypes []string, forceManifestMIMEType string) (string, []string, error) {
+func (ic *imageCopier) determineManifestConversion(ctx context.Context, destSupportedManifestMIMETypes []string, forceManifestMIMEType string) (string, []string, error) {
-	_, srcType, err := ic.src.Manifest()
+	_, srcType, err := ic.src.Manifest(ctx)
 	if err != nil { // This should have been cached?!
 		return "", nil, errors.Wrap(err, "Error reading manifest")
 	}
@ -111,8 +112,8 @@ func (ic *imageCopier) determineManifestConversion(destSupportedManifestMIMEType
 }
 // isMultiImage returns true if img is a list of images
-func isMultiImage(img types.UnparsedImage) (bool, error) {
+func isMultiImage(ctx context.Context, img types.UnparsedImage) (bool, error) {
-	_, mt, err := img.Manifest()
+	_, mt, err := img.Manifest(ctx)
 	if err != nil {
 		return false, err
 	}
--- a/vendor/github.com/containers/image/directory/directory_dest.go
+++ b/vendor/github.com/containers/image/directory/directory_dest.go
@ -1,6 +1,7 @@
 package directory
 import (
 	"context"
 	"io"
 	"io/ioutil"
 	"os"
@ -94,7 +95,7 @@ func (d *dirImageDestination) SupportedManifestMIMETypes() []string {
 // SupportsSignatures returns an error (to be displayed to the user) if the destination certainly can't store signatures.
 // Note: It is still possible for PutSignatures to fail if SupportsSignatures returns nil.
-func (d *dirImageDestination) SupportsSignatures() error {
+func (d *dirImageDestination) SupportsSignatures(ctx context.Context) error {
 	return nil
 }
@ -122,7 +123,7 @@ func (d *dirImageDestination) MustMatchRuntimeOS() bool {
 // WARNING: The contents of stream are being verified on the fly.  Until stream.Read() returns io.EOF, the contents of the data SHOULD NOT be available
 // to any other readers for download using the supplied digest.
 // If stream.Read() at any time, ESPECIALLY at end of input, returns an error, PutBlob MUST 1) fail, and 2) delete any data stored so far.
-func (d *dirImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobInfo, isConfig bool) (types.BlobInfo, error) {
+func (d *dirImageDestination) PutBlob(ctx context.Context, stream io.Reader, inputInfo types.BlobInfo, isConfig bool) (types.BlobInfo, error) {
 	blobFile, err := ioutil.TempFile(d.ref.path, "dir-put-blob")
 	if err != nil {
 		return types.BlobInfo{}, err
@ -138,6 +139,7 @@ func (d *dirImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobInfo
 	digester := digest.Canonical.Digester()
 	tee := io.TeeReader(stream, digester.Hash())
 	// TODO: This can take quite some time, and should ideally be cancellable using ctx.Done().
 	size, err := io.Copy(blobFile, tee)
 	if err != nil {
 		return types.BlobInfo{}, err
@ -164,7 +166,7 @@ func (d *dirImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobInfo
 // Unlike PutBlob, the digest can not be empty.  If HasBlob returns true, the size of the blob must also be returned.
 // If the destination does not contain the blob, or it is unknown, HasBlob ordinarily returns (false, -1, nil);
 // it returns a non-nil error only on an unexpected failure.
-func (d *dirImageDestination) HasBlob(info types.BlobInfo) (bool, int64, error) {
+func (d *dirImageDestination) HasBlob(ctx context.Context, info types.BlobInfo) (bool, int64, error) {
 	if info.Digest == "" {
 		return false, -1, errors.Errorf(`"Can not check for a blob with unknown digest`)
 	}
@ -179,7 +181,7 @@ func (d *dirImageDestination) HasBlob(info types.BlobInfo) (bool, int64, error)
 	return true, finfo.Size(), nil
 }
-func (d *dirImageDestination) ReapplyBlob(info types.BlobInfo) (types.BlobInfo, error) {
+func (d *dirImageDestination) ReapplyBlob(ctx context.Context, info types.BlobInfo) (types.BlobInfo, error) {
 	return info, nil
 }
@ -187,11 +189,11 @@ func (d *dirImageDestination) ReapplyBlob(info types.BlobInfo) (types.BlobInfo,
 // FIXME? This should also receive a MIME type if known, to differentiate between schema versions.
 // If the destination is in principle available, refuses this manifest type (e.g. it does not recognize the schema),
 // but may accept a different manifest type, the returned error must be an ManifestTypeRejectedError.
-func (d *dirImageDestination) PutManifest(manifest []byte) error {
+func (d *dirImageDestination) PutManifest(ctx context.Context, manifest []byte) error {
 	return ioutil.WriteFile(d.ref.manifestPath(), manifest, 0644)
 }
-func (d *dirImageDestination) PutSignatures(signatures [][]byte) error {
+func (d *dirImageDestination) PutSignatures(ctx context.Context, signatures [][]byte) error {
 	for i, sig := range signatures {
 		if err := ioutil.WriteFile(d.ref.signaturePath(i), sig, 0644); err != nil {
 			return err
@ -204,7 +206,7 @@ func (d *dirImageDestination) PutSignatures(signatures [][]byte) error {
 // WARNING: This does not have any transactional semantics:
 // - Uploaded data MAY be visible to others before Commit() is called
 // - Uploaded data MAY be removed or MAY remain around if Close() is called without Commit() (i.e. rollback is allowed but not guaranteed)
-func (d *dirImageDestination) Commit() error {
+func (d *dirImageDestination) Commit(ctx context.Context) error {
 	return nil
 }
--- a/vendor/github.com/containers/image/directory/directory_src.go
+++ b/vendor/github.com/containers/image/directory/directory_src.go
@ -37,7 +37,7 @@ func (s *dirImageSource) Close() error {
 // It may use a remote (= slow) service.
 // If instanceDigest is not nil, it contains a digest of the specific manifest instance to retrieve (when the primary manifest is a manifest list);
 // this never happens if the primary manifest is not a manifest list (e.g. if the source never returns manifest lists).
-func (s *dirImageSource) GetManifest(instanceDigest *digest.Digest) ([]byte, string, error) {
+func (s *dirImageSource) GetManifest(ctx context.Context, instanceDigest *digest.Digest) ([]byte, string, error) {
 	if instanceDigest != nil {
 		return nil, "", errors.Errorf(`Getting target manifest not supported by "dir:"`)
 	}
@ -49,7 +49,7 @@ func (s *dirImageSource) GetManifest(instanceDigest *digest.Digest) ([]byte, str
 }
 // GetBlob returns a stream for the specified blob, and the blob’s size (or -1 if unknown).
-func (s *dirImageSource) GetBlob(info types.BlobInfo) (io.ReadCloser, int64, error) {
+func (s *dirImageSource) GetBlob(ctx context.Context, info types.BlobInfo) (io.ReadCloser, int64, error) {
 	r, err := os.Open(s.ref.layerPath(info.Digest))
 	if err != nil {
 		return nil, -1, err
@ -84,6 +84,6 @@ func (s *dirImageSource) GetSignatures(ctx context.Context, instanceDigest *dige
 }
 // LayerInfosForCopy() returns updated layer info that should be used when copying, in preference to values in the manifest, if specified.
-func (s *dirImageSource) LayerInfosForCopy() ([]types.BlobInfo, error) {
+func (s *dirImageSource) LayerInfosForCopy(ctx context.Context) ([]types.BlobInfo, error) {
 	return nil, nil
 }
--- a/vendor/github.com/containers/image/directory/directory_transport.go
+++ b/vendor/github.com/containers/image/directory/directory_transport.go
@ -1,6 +1,7 @@
 package directory
 import (
 	"context"
 	"fmt"
 	"path/filepath"
 	"strings"
@ -138,29 +139,29 @@ func (ref dirReference) PolicyConfigurationNamespaces() []string {
 // NOTE: If any kind of signature verification should happen, build an UnparsedImage from the value returned by NewImageSource,
 // verify that UnparsedImage, and convert it into a real Image via image.FromUnparsedImage.
 // WARNING: This may not do the right thing for a manifest list, see image.FromSource for details.
-func (ref dirReference) NewImage(ctx *types.SystemContext) (types.ImageCloser, error) {
+func (ref dirReference) NewImage(ctx context.Context, sys *types.SystemContext) (types.ImageCloser, error) {
 	src := newImageSource(ref)
-	return image.FromSource(ctx, src)
+	return image.FromSource(ctx, sys, src)
 }
 // NewImageSource returns a types.ImageSource for this reference.
 // The caller must call .Close() on the returned ImageSource.
-func (ref dirReference) NewImageSource(ctx *types.SystemContext) (types.ImageSource, error) {
+func (ref dirReference) NewImageSource(ctx context.Context, sys *types.SystemContext) (types.ImageSource, error) {
 	return newImageSource(ref), nil
 }
 // NewImageDestination returns a types.ImageDestination for this reference.
 // The caller must call .Close() on the returned ImageDestination.
-func (ref dirReference) NewImageDestination(ctx *types.SystemContext) (types.ImageDestination, error) {
+func (ref dirReference) NewImageDestination(ctx context.Context, sys *types.SystemContext) (types.ImageDestination, error) {
 	compress := false
-	if ctx != nil {
+	if sys != nil {
-		compress = ctx.DirForceCompress
+		compress = sys.DirForceCompress
 	}
 	return newImageDestination(ref, compress)
 }
 // DeleteImage deletes the named image from the registry, if supported.
-func (ref dirReference) DeleteImage(ctx *types.SystemContext) error {
+func (ref dirReference) DeleteImage(ctx context.Context, sys *types.SystemContext) error {
 	return errors.Errorf("Deleting images not implemented for dir: images")
 }
--- a/vendor/github.com/containers/image/docker/archive/dest.go
+++ b/vendor/github.com/containers/image/docker/archive/dest.go
@ -1,6 +1,7 @@
 package archive
 import (
 	"context"
 	"io"
 	"os"
@ -15,7 +16,7 @@ type archiveImageDestination struct {
 	writer               io.Closer
 }
-func newImageDestination(ctx *types.SystemContext, ref archiveReference) (types.ImageDestination, error) {
+func newImageDestination(ref archiveReference) (types.ImageDestination, error) {
 	if ref.destinationRef == nil {
 		return nil, errors.Errorf("docker-archive: destination reference not supplied (must be of form <path>:<reference:tag>)")
 	}
@ -66,6 +67,6 @@ func (d *archiveImageDestination) Close() error {
 // WARNING: This does not have any transactional semantics:
 // - Uploaded data MAY be visible to others before Commit() is called
 // - Uploaded data MAY be removed or MAY remain around if Close() is called without Commit() (i.e. rollback is allowed but not guaranteed)
-func (d *archiveImageDestination) Commit() error {
+func (d *archiveImageDestination) Commit(ctx context.Context) error {
-	return d.Destination.Commit()
+	return d.Destination.Commit(ctx)
 }
--- a/vendor/github.com/containers/image/docker/archive/src.go
+++ b/vendor/github.com/containers/image/docker/archive/src.go
@ -1,6 +1,7 @@
 package archive
 import (
 	"context"
 	"github.com/containers/image/docker/tarfile"
 	"github.com/containers/image/types"
 	"github.com/sirupsen/logrus"
@ -13,7 +14,7 @@ type archiveImageSource struct {
 // newImageSource returns a types.ImageSource for the specified image reference.
 // The caller must call .Close() on the returned ImageSource.
-func newImageSource(ctx *types.SystemContext, ref archiveReference) (types.ImageSource, error) {
+func newImageSource(ctx context.Context, ref archiveReference) (types.ImageSource, error) {
 	if ref.destinationRef != nil {
 		logrus.Warnf("docker-archive: references are not supported for sources (ignoring)")
 	}
@ -34,6 +35,6 @@ func (s *archiveImageSource) Reference() types.ImageReference {
 }
 // LayerInfosForCopy() returns updated layer info that should be used when reading, in preference to values in the manifest, if specified.
-func (s *archiveImageSource) LayerInfosForCopy() ([]types.BlobInfo, error) {
+func (s *archiveImageSource) LayerInfosForCopy(ctx context.Context) ([]types.BlobInfo, error) {
 	return nil, nil
 }
--- a/vendor/github.com/containers/image/docker/archive/transport.go
+++ b/vendor/github.com/containers/image/docker/archive/transport.go
@ -1,6 +1,7 @@
 package archive
 import (
 	"context"
 	"fmt"
 	"strings"
@ -130,28 +131,28 @@ func (ref archiveReference) PolicyConfigurationNamespaces() []string {
 // NOTE: If any kind of signature verification should happen, build an UnparsedImage from the value returned by NewImageSource,
 // verify that UnparsedImage, and convert it into a real Image via image.FromUnparsedImage.
 // WARNING: This may not do the right thing for a manifest list, see image.FromSource for details.
-func (ref archiveReference) NewImage(ctx *types.SystemContext) (types.ImageCloser, error) {
+func (ref archiveReference) NewImage(ctx context.Context, sys *types.SystemContext) (types.ImageCloser, error) {
 	src, err := newImageSource(ctx, ref)
 	if err != nil {
 		return nil, err
 	}
-	return ctrImage.FromSource(ctx, src)
+	return ctrImage.FromSource(ctx, sys, src)
 }
 // NewImageSource returns a types.ImageSource for this reference.
 // The caller must call .Close() on the returned ImageSource.
-func (ref archiveReference) NewImageSource(ctx *types.SystemContext) (types.ImageSource, error) {
+func (ref archiveReference) NewImageSource(ctx context.Context, sys *types.SystemContext) (types.ImageSource, error) {
 	return newImageSource(ctx, ref)
 }
 // NewImageDestination returns a types.ImageDestination for this reference.
 // The caller must call .Close() on the returned ImageDestination.
-func (ref archiveReference) NewImageDestination(ctx *types.SystemContext) (types.ImageDestination, error) {
+func (ref archiveReference) NewImageDestination(ctx context.Context, sys *types.SystemContext) (types.ImageDestination, error) {
-	return newImageDestination(ctx, ref)
+	return newImageDestination(ref)
 }
 // DeleteImage deletes the named image from the registry, if supported.
-func (ref archiveReference) DeleteImage(ctx *types.SystemContext) error {
+func (ref archiveReference) DeleteImage(ctx context.Context, sys *types.SystemContext) error {
 	// Not really supported, for safety reasons.
 	return errors.New("Deleting images not implemented for docker-archive: images")
 }
--- a/vendor/github.com/containers/image/docker/daemon/client.go
+++ b/vendor/github.com/containers/image/docker/daemon/client.go
@ -15,10 +15,10 @@ const (
 )
 // NewDockerClient initializes a new API client based on the passed SystemContext.
-func newDockerClient(ctx *types.SystemContext) (*dockerclient.Client, error) {
+func newDockerClient(sys *types.SystemContext) (*dockerclient.Client, error) {
 	host := dockerclient.DefaultDockerHost
-	if ctx != nil && ctx.DockerDaemonHost != "" {
+	if sys != nil && sys.DockerDaemonHost != "" {
-		host = ctx.DockerDaemonHost
+		host = sys.DockerDaemonHost
 	}
 	// Sadly, unix:// sockets don't work transparently with dockerclient.NewClient.
@ -39,7 +39,7 @@ func newDockerClient(ctx *types.SystemContext) (*dockerclient.Client, error) {
 		if proto == "http" {
 			httpClient = httpConfig()
 		} else {
-			hc, err := tlsConfig(ctx)
+			hc, err := tlsConfig(sys)
 			if err != nil {
 				return nil, err
 			}
@ -50,16 +50,16 @@ func newDockerClient(ctx *types.SystemContext) (*dockerclient.Client, error) {
 	return dockerclient.NewClient(host, defaultAPIVersion, httpClient, nil)
 }
-func tlsConfig(ctx *types.SystemContext) (*http.Client, error) {
+func tlsConfig(sys *types.SystemContext) (*http.Client, error) {
 	options := tlsconfig.Options{}
-	if ctx != nil && ctx.DockerDaemonInsecureSkipTLSVerify {
+	if sys != nil && sys.DockerDaemonInsecureSkipTLSVerify {
 		options.InsecureSkipVerify = true
 	}
-	if ctx != nil && ctx.DockerDaemonCertPath != "" {
+	if sys != nil && sys.DockerDaemonCertPath != "" {
-		options.CAFile = filepath.Join(ctx.DockerDaemonCertPath, "ca.pem")
+		options.CAFile = filepath.Join(sys.DockerDaemonCertPath, "ca.pem")
-		options.CertFile = filepath.Join(ctx.DockerDaemonCertPath, "cert.pem")
+		options.CertFile = filepath.Join(sys.DockerDaemonCertPath, "cert.pem")
-		options.KeyFile = filepath.Join(ctx.DockerDaemonCertPath, "key.pem")
+		options.KeyFile = filepath.Join(sys.DockerDaemonCertPath, "key.pem")
 	}
 	tlsc, err := tlsconfig.Client(options)
--- a/vendor/github.com/containers/image/docker/daemon/daemon_dest.go
+++ b/vendor/github.com/containers/image/docker/daemon/daemon_dest.go
@ -1,6 +1,7 @@
 package daemon
 import (
 	"context"
 	"io"
 	"github.com/containers/image/docker/reference"
@ -9,7 +10,6 @@ import (
 	"github.com/docker/docker/client"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/net/context"
 )
 type daemonImageDestination struct {
@ -25,7 +25,7 @@ type daemonImageDestination struct {
 }
 // newImageDestination returns a types.ImageDestination for the specified image reference.
-func newImageDestination(ctx *types.SystemContext, ref daemonReference) (types.ImageDestination, error) {
+func newImageDestination(ctx context.Context, sys *types.SystemContext, ref daemonReference) (types.ImageDestination, error) {
 	if ref.ref == nil {
 		return nil, errors.Errorf("Invalid destination docker-daemon:%s: a destination must be a name:tag", ref.StringWithinTransport())
 	}
@ -35,11 +35,11 @@ func newImageDestination(ctx *types.SystemContext, ref daemonReference) (types.I
 	}
 	var mustMatchRuntimeOS = true
-	if ctx != nil && ctx.DockerDaemonHost != client.DefaultDockerHost {
+	if sys != nil && sys.DockerDaemonHost != client.DefaultDockerHost {
 		mustMatchRuntimeOS = false
 	}
-	c, err := newDockerClient(ctx)
+	c, err := newDockerClient(sys)
 	if err != nil {
 		return nil, errors.Wrap(err, "Error initializing docker engine client")
 	}
@ -48,7 +48,7 @@ func newImageDestination(ctx *types.SystemContext, ref daemonReference) (types.I
 	// Commit() may never be called, so we may never read from this channel; so, make this buffered to allow imageLoadGoroutine to write status and terminate even if we never read it.
 	statusChannel := make(chan error, 1)
-	goroutineContext, goroutineCancel := context.WithCancel(context.Background())
+	goroutineContext, goroutineCancel := context.WithCancel(ctx)
 	go imageLoadGoroutine(goroutineContext, c, reader, statusChannel)
 	return &daemonImageDestination{
@ -124,9 +124,9 @@ func (d *daemonImageDestination) Reference() types.ImageReference {
 // WARNING: This does not have any transactional semantics:
 // - Uploaded data MAY be visible to others before Commit() is called
 // - Uploaded data MAY be removed or MAY remain around if Close() is called without Commit() (i.e. rollback is allowed but not guaranteed)
-func (d *daemonImageDestination) Commit() error {
+func (d *daemonImageDestination) Commit(ctx context.Context) error {
 	logrus.Debugf("docker-daemon: Closing tar stream")
-	if err := d.Destination.Commit(); err != nil {
+	if err := d.Destination.Commit(ctx); err != nil {
 		return err
 	}
 	if err := d.writer.Close(); err != nil {
@ -135,6 +135,10 @@ func (d *daemonImageDestination) Commit() error {
 	d.committed = true // We may still fail, but we are done sending to imageLoadGoroutine.
 	logrus.Debugf("docker-daemon: Waiting for status")
-	err := <-d.statusChannel
+	select {
-	return err
+	case <-ctx.Done():
 		return ctx.Err()
 	case err := <-d.statusChannel:
 		return err
 	}
 }
--- a/vendor/github.com/containers/image/docker/daemon/daemon_src.go
+++ b/vendor/github.com/containers/image/docker/daemon/daemon_src.go
@ -1,10 +1,11 @@
 package daemon
 import (
 	"context"
 	"github.com/containers/image/docker/tarfile"
 	"github.com/containers/image/types"
 	"github.com/pkg/errors"
 	"golang.org/x/net/context"
 )
 type daemonImageSource struct {
@ -26,14 +27,14 @@ type layerInfo struct {
 // (We could, perhaps, expect an exact sequence, assume that the first plaintext file
 // is the config, and that the following len(RootFS) files are the layers, but that feels
 // way too brittle.)
-func newImageSource(ctx *types.SystemContext, ref daemonReference) (types.ImageSource, error) {
+func newImageSource(ctx context.Context, sys *types.SystemContext, ref daemonReference) (types.ImageSource, error) {
-	c, err := newDockerClient(ctx)
+	c, err := newDockerClient(sys)
 	if err != nil {
 		return nil, errors.Wrap(err, "Error initializing docker engine client")
 	}
 	// Per NewReference(), ref.StringWithinTransport() is either an image ID (config digest), or a !reference.NameOnly() reference.
 	// Either way ImageSave should create a tarball with exactly one image.
-	inputStream, err := c.ImageSave(context.TODO(), []string{ref.StringWithinTransport()})
+	inputStream, err := c.ImageSave(ctx, []string{ref.StringWithinTransport()})
 	if err != nil {
 		return nil, errors.Wrap(err, "Error loading image from docker engine")
 	}
@ -56,6 +57,6 @@ func (s *daemonImageSource) Reference() types.ImageReference {
 }
 // LayerInfosForCopy() returns updated layer info that should be used when reading, in preference to values in the manifest, if specified.
-func (s *daemonImageSource) LayerInfosForCopy() ([]types.BlobInfo, error) {
+func (s *daemonImageSource) LayerInfosForCopy(ctx context.Context) ([]types.BlobInfo, error) {
 	return nil, nil
 }
--- a/vendor/github.com/containers/image/docker/daemon/daemon_transport.go
+++ b/vendor/github.com/containers/image/docker/daemon/daemon_transport.go
@ -1,6 +1,7 @@
 package daemon
 import (
 	"context"
 	"github.com/pkg/errors"
 	"github.com/containers/image/docker/reference"
@ -156,28 +157,28 @@ func (ref daemonReference) PolicyConfigurationNamespaces() []string {
 // NOTE: If any kind of signature verification should happen, build an UnparsedImage from the value returned by NewImageSource,
 // verify that UnparsedImage, and convert it into a real Image via image.FromUnparsedImage.
 // WARNING: This may not do the right thing for a manifest list, see image.FromSource for details.
-func (ref daemonReference) NewImage(ctx *types.SystemContext) (types.ImageCloser, error) {
+func (ref daemonReference) NewImage(ctx context.Context, sys *types.SystemContext) (types.ImageCloser, error) {
-	src, err := newImageSource(ctx, ref)
+	src, err := newImageSource(ctx, sys, ref)
 	if err != nil {
 		return nil, err
 	}
-	return image.FromSource(ctx, src)
+	return image.FromSource(ctx, sys, src)
 }
 // NewImageSource returns a types.ImageSource for this reference.
 // The caller must call .Close() on the returned ImageSource.
-func (ref daemonReference) NewImageSource(ctx *types.SystemContext) (types.ImageSource, error) {
+func (ref daemonReference) NewImageSource(ctx context.Context, sys *types.SystemContext) (types.ImageSource, error) {
-	return newImageSource(ctx, ref)
+	return newImageSource(ctx, sys, ref)
 }
 // NewImageDestination returns a types.ImageDestination for this reference.
 // The caller must call .Close() on the returned ImageDestination.
-func (ref daemonReference) NewImageDestination(ctx *types.SystemContext) (types.ImageDestination, error) {
+func (ref daemonReference) NewImageDestination(ctx context.Context, sys *types.SystemContext) (types.ImageDestination, error) {
-	return newImageDestination(ctx, ref)
+	return newImageDestination(ctx, sys, ref)
 }
 // DeleteImage deletes the named image from the registry, if supported.
-func (ref daemonReference) DeleteImage(ctx *types.SystemContext) error {
+func (ref daemonReference) DeleteImage(ctx context.Context, sys *types.SystemContext) error {
 	// Should this just untag the image? Should this stop running containers?
 	// The semantics is not quite as clear as for remote repositories.
 	// The user can run (docker rmi) directly anyway, so, for now(?), punt instead of trying to guess what the user meant.
--- a/vendor/github.com/containers/image/docker/docker_client.go
+++ b/vendor/github.com/containers/image/docker/docker_client.go
@ -78,7 +78,7 @@ type bearerToken struct {
 // dockerClient is configuration for dealing with a single Docker registry.
 type dockerClient struct {
 	// The following members are set by newDockerClient and do not change afterwards.
-	ctx           *types.SystemContext
+	sys           *types.SystemContext
 	registry      string
 	username      string
 	password      string
@ -131,12 +131,12 @@ func serverDefault() *tls.Config {
 }
 // dockerCertDir returns a path to a directory to be consumed by tlsclientconfig.SetupCertificates() depending on ctx and hostPort.
-func dockerCertDir(ctx *types.SystemContext, hostPort string) (string, error) {
+func dockerCertDir(sys *types.SystemContext, hostPort string) (string, error) {
-	if ctx != nil && ctx.DockerCertPath != "" {
+	if sys != nil && sys.DockerCertPath != "" {
-		return ctx.DockerCertPath, nil
+		return sys.DockerCertPath, nil
 	}
-	if ctx != nil && ctx.DockerPerHostCertDirPath != "" {
+	if sys != nil && sys.DockerPerHostCertDirPath != "" {
-		return filepath.Join(ctx.DockerPerHostCertDirPath, hostPort), nil
+		return filepath.Join(sys.DockerPerHostCertDirPath, hostPort), nil
 	}
 	var (
@ -144,8 +144,8 @@ func dockerCertDir(ctx *types.SystemContext, hostPort string) (string, error) {
 		fullCertDirPath string
 	)
 	for _, systemPerHostCertDirPath := range systemPerHostCertDirPaths {
-		if ctx != nil && ctx.RootForImplicitAbsolutePaths != "" {
+		if sys != nil && sys.RootForImplicitAbsolutePaths != "" {
-			hostCertDir = filepath.Join(ctx.RootForImplicitAbsolutePaths, systemPerHostCertDirPath)
+			hostCertDir = filepath.Join(sys.RootForImplicitAbsolutePaths, systemPerHostCertDirPath)
 		} else {
 			hostCertDir = systemPerHostCertDirPath
 		}
@ -171,23 +171,23 @@ func dockerCertDir(ctx *types.SystemContext, hostPort string) (string, error) {
 // newDockerClientFromRef returns a new dockerClient instance for refHostname (a host a specified in the Docker image reference, not canonicalized to dockerRegistry)
 // “write” specifies whether the client will be used for "write" access (in particular passed to lookaside.go:toplevelFromSection)
-func newDockerClientFromRef(ctx *types.SystemContext, ref dockerReference, write bool, actions string) (*dockerClient, error) {
+func newDockerClientFromRef(sys *types.SystemContext, ref dockerReference, write bool, actions string) (*dockerClient, error) {
 	registry := reference.Domain(ref.ref)
-	username, password, err := config.GetAuthentication(ctx, reference.Domain(ref.ref))
+	username, password, err := config.GetAuthentication(sys, reference.Domain(ref.ref))
 	if err != nil {
 		return nil, errors.Wrapf(err, "error getting username and password")
 	}
-	sigBase, err := configuredSignatureStorageBase(ctx, ref, write)
+	sigBase, err := configuredSignatureStorageBase(sys, ref, write)
 	if err != nil {
 		return nil, err
 	}
 	remoteName := reference.Path(ref.ref)
-	return newDockerClientWithDetails(ctx, registry, username, password, actions, sigBase, remoteName)
+	return newDockerClientWithDetails(sys, registry, username, password, actions, sigBase, remoteName)
 }
 // newDockerClientWithDetails returns a new dockerClient instance for the given parameters
-func newDockerClientWithDetails(ctx *types.SystemContext, registry, username, password, actions string, sigBase signatureStorageBase, remoteName string) (*dockerClient, error) {
+func newDockerClientWithDetails(sys *types.SystemContext, registry, username, password, actions string, sigBase signatureStorageBase, remoteName string) (*dockerClient, error) {
 	hostName := registry
 	if registry == dockerHostname {
 		registry = dockerRegistry
@ -200,7 +200,7 @@ func newDockerClientWithDetails(ctx *types.SystemContext, registry, username, pa
 	// dockerHostname here, because it is more symmetrical to read the configuration in that case as well, and because
 	// generally the UI hides the existence of the different dockerRegistry.  But note that this behavior is
 	// undocumented and may change if docker/docker changes.
-	certDir, err := dockerCertDir(ctx, hostName)
+	certDir, err := dockerCertDir(sys, hostName)
 	if err != nil {
 		return nil, err
 	}
@ -208,12 +208,12 @@ func newDockerClientWithDetails(ctx *types.SystemContext, registry, username, pa
 		return nil, err
 	}
-	if ctx != nil && ctx.DockerInsecureSkipTLSVerify {
+	if sys != nil && sys.DockerInsecureSkipTLSVerify {
 		tr.TLSClientConfig.InsecureSkipVerify = true
 	}
 	return &dockerClient{
-		ctx:           ctx,
+		sys:           sys,
 		registry:      registry,
 		username:      username,
 		password:      password,
@ -228,8 +228,8 @@ func newDockerClientWithDetails(ctx *types.SystemContext, registry, username, pa
 // CheckAuth validates the credentials by attempting to log into the registry
 // returns an error if an error occcured while making the http request or the status code received was 401
-func CheckAuth(ctx context.Context, sCtx *types.SystemContext, username, password, registry string) error {
+func CheckAuth(ctx context.Context, sys *types.SystemContext, username, password, registry string) error {
-	newLoginClient, err := newDockerClientWithDetails(sCtx, registry, username, password, "", nil, "")
+	newLoginClient, err := newDockerClientWithDetails(sys, registry, username, password, "", nil, "")
 	if err != nil {
 		return errors.Wrapf(err, "error creating new docker client")
 	}
@ -268,7 +268,7 @@ type SearchResult struct {
 // The limit is the max number of results desired
 // Note: The limit value doesn't work with all registries
 // for example registry.access.redhat.com returns all the results without limiting it to the limit value
-func SearchRegistry(ctx context.Context, sCtx *types.SystemContext, registry, image string, limit int) ([]SearchResult, error) {
+func SearchRegistry(ctx context.Context, sys *types.SystemContext, registry, image string, limit int) ([]SearchResult, error) {
 	type V2Results struct {
 		// Repositories holds the results returned by the /v2/_catalog endpoint
 		Repositories []string `json:"repositories"`
@ -286,7 +286,7 @@ func SearchRegistry(ctx context.Context, sCtx *types.SystemContext, registry, im
 		registry = dockerV1Hostname
 	}
-	client, err := newDockerClientWithDetails(sCtx, registry, "", "", "", nil, "")
+	client, err := newDockerClientWithDetails(sys, registry, "", "", "", nil, "")
 	if err != nil {
 		return nil, errors.Wrapf(err, "error creating new docker client")
 	}
@ -374,8 +374,8 @@ func (c *dockerClient) makeRequestToResolvedURL(ctx context.Context, method, url
 			req.Header.Add(n, hh)
 		}
 	}
-	if c.ctx != nil && c.ctx.DockerRegistryUserAgent != "" {
+	if c.sys != nil && c.sys.DockerRegistryUserAgent != "" {
-		req.Header.Add("User-Agent", c.ctx.DockerRegistryUserAgent)
+		req.Header.Add("User-Agent", c.sys.DockerRegistryUserAgent)
 	}
 	if sendAuth {
 		if err := c.setupRequestAuth(req); err != nil {
@ -503,12 +503,12 @@ func (c *dockerClient) detectProperties(ctx context.Context) error {
 		return nil
 	}
 	err := ping("https")
-	if err != nil && c.ctx != nil && c.ctx.DockerInsecureSkipTLSVerify {
+	if err != nil && c.sys != nil && c.sys.DockerInsecureSkipTLSVerify {
 		err = ping("http")
 	}
 	if err != nil {
 		err = errors.Wrap(err, "pinging docker registry returned")
-		if c.ctx != nil && c.ctx.DockerDisableV1Ping {
+		if c.sys != nil && c.sys.DockerDisableV1Ping {
 			return err
 		}
 		// best effort to understand if we're talking to a V1 registry
@ -527,7 +527,7 @@ func (c *dockerClient) detectProperties(ctx context.Context) error {
 			return true
 		}
 		isV1 := pingV1("https")
-		if !isV1 && c.ctx != nil && c.ctx.DockerInsecureSkipTLSVerify {
+		if !isV1 && c.sys != nil && c.sys.DockerInsecureSkipTLSVerify {
 			isV1 = pingV1("http")
 		}
 		if isV1 {
--- a/vendor/github.com/containers/image/docker/docker_image.go
+++ b/vendor/github.com/containers/image/docker/docker_image.go
@ -22,12 +22,12 @@ type Image struct {
 // newImage returns a new Image interface type after setting up
 // a client to the registry hosting the given image.
 // The caller must call .Close() on the returned Image.
-func newImage(ctx *types.SystemContext, ref dockerReference) (types.ImageCloser, error) {
+func newImage(ctx context.Context, sys *types.SystemContext, ref dockerReference) (types.ImageCloser, error) {
-	s, err := newImageSource(ctx, ref)
+	s, err := newImageSource(sys, ref)
 	if err != nil {
 		return nil, err
 	}
-	img, err := image.FromSource(ctx, s)
+	img, err := image.FromSource(ctx, sys, s)
 	if err != nil {
 		return nil, err
 	}
@ -40,10 +40,10 @@ func (i *Image) SourceRefFullName() string {
 }
 // GetRepositoryTags list all tags available in the repository. Note that this has no connection with the tag(s) used for this specific image, if any.
-func (i *Image) GetRepositoryTags() ([]string, error) {
+func (i *Image) GetRepositoryTags(ctx context.Context) ([]string, error) {
 	path := fmt.Sprintf(tagsPath, reference.Path(i.src.ref.ref))
 	// FIXME: Pass the context.Context
-	res, err := i.src.c.makeRequest(context.TODO(), "GET", path, nil, nil)
+	res, err := i.src.c.makeRequest(ctx, "GET", path, nil, nil)
 	if err != nil {
 		return nil, err
 	}
--- a/vendor/github.com/containers/image/docker/docker_image_dest.go
+++ b/vendor/github.com/containers/image/docker/docker_image_dest.go
@ -33,8 +33,8 @@ type dockerImageDestination struct {
 }
 // newImageDestination creates a new ImageDestination for the specified image reference.
-func newImageDestination(ctx *types.SystemContext, ref dockerReference) (types.ImageDestination, error) {
+func newImageDestination(sys *types.SystemContext, ref dockerReference) (types.ImageDestination, error) {
-	c, err := newDockerClientFromRef(ctx, ref, true, "pull,push")
+	c, err := newDockerClientFromRef(sys, ref, true, "pull,push")
 	if err != nil {
 		return nil, err
 	}
@ -66,8 +66,8 @@ func (d *dockerImageDestination) SupportedManifestMIMETypes() []string {
 // SupportsSignatures returns an error (to be displayed to the user) if the destination certainly can't store signatures.
 // Note: It is still possible for PutSignatures to fail if SupportsSignatures returns nil.
-func (d *dockerImageDestination) SupportsSignatures() error {
+func (d *dockerImageDestination) SupportsSignatures(ctx context.Context) error {
-	if err := d.c.detectProperties(context.TODO()); err != nil {
+	if err := d.c.detectProperties(ctx); err != nil {
 		return err
 	}
 	switch {
@ -109,9 +109,9 @@ func (c *sizeCounter) Write(p []byte) (n int, err error) {
 // WARNING: The contents of stream are being verified on the fly.  Until stream.Read() returns io.EOF, the contents of the data SHOULD NOT be available
 // to any other readers for download using the supplied digest.
 // If stream.Read() at any time, ESPECIALLY at end of input, returns an error, PutBlob MUST 1) fail, and 2) delete any data stored so far.
-func (d *dockerImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobInfo, isConfig bool) (types.BlobInfo, error) {
+func (d *dockerImageDestination) PutBlob(ctx context.Context, stream io.Reader, inputInfo types.BlobInfo, isConfig bool) (types.BlobInfo, error) {
 	if inputInfo.Digest.String() != "" {
-		haveBlob, size, err := d.HasBlob(inputInfo)
+		haveBlob, size, err := d.HasBlob(ctx, inputInfo)
 		if err != nil {
 			return types.BlobInfo{}, err
 		}
@ -123,7 +123,7 @@ func (d *dockerImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobI
 	// FIXME? Chunked upload, progress reporting, etc.
 	uploadPath := fmt.Sprintf(blobUploadPath, reference.Path(d.ref.ref))
 	logrus.Debugf("Uploading %s", uploadPath)
-	res, err := d.c.makeRequest(context.TODO(), "POST", uploadPath, nil, nil)
+	res, err := d.c.makeRequest(ctx, "POST", uploadPath, nil, nil)
 	if err != nil {
 		return types.BlobInfo{}, err
 	}
@ -140,7 +140,7 @@ func (d *dockerImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobI
 	digester := digest.Canonical.Digester()
 	sizeCounter := &sizeCounter{}
 	tee := io.TeeReader(stream, io.MultiWriter(digester.Hash(), sizeCounter))
-	res, err = d.c.makeRequestToResolvedURL(context.TODO(), "PATCH", uploadLocation.String(), map[string][]string{"Content-Type": {"application/octet-stream"}}, tee, inputInfo.Size, true)
+	res, err = d.c.makeRequestToResolvedURL(ctx, "PATCH", uploadLocation.String(), map[string][]string{"Content-Type": {"application/octet-stream"}}, tee, inputInfo.Size, true)
 	if err != nil {
 		logrus.Debugf("Error uploading layer chunked, response %#v", res)
 		return types.BlobInfo{}, err
@ -159,7 +159,7 @@ func (d *dockerImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobI
 	// TODO: check inputInfo.Digest == computedDigest https://github.com/containers/image/pull/70#discussion_r77646717
 	locationQuery.Set("digest", computedDigest.String())
 	uploadLocation.RawQuery = locationQuery.Encode()
-	res, err = d.c.makeRequestToResolvedURL(context.TODO(), "PUT", uploadLocation.String(), map[string][]string{"Content-Type": {"application/octet-stream"}}, nil, -1, true)
+	res, err = d.c.makeRequestToResolvedURL(ctx, "PUT", uploadLocation.String(), map[string][]string{"Content-Type": {"application/octet-stream"}}, nil, -1, true)
 	if err != nil {
 		return types.BlobInfo{}, err
 	}
@ -177,14 +177,14 @@ func (d *dockerImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobI
 // Unlike PutBlob, the digest can not be empty.  If HasBlob returns true, the size of the blob must also be returned.
 // If the destination does not contain the blob, or it is unknown, HasBlob ordinarily returns (false, -1, nil);
 // it returns a non-nil error only on an unexpected failure.
-func (d *dockerImageDestination) HasBlob(info types.BlobInfo) (bool, int64, error) {
+func (d *dockerImageDestination) HasBlob(ctx context.Context, info types.BlobInfo) (bool, int64, error) {
 	if info.Digest == "" {
 		return false, -1, errors.Errorf(`"Can not check for a blob with unknown digest`)
 	}
 	checkPath := fmt.Sprintf(blobsPath, reference.Path(d.ref.ref), info.Digest.String())
 	logrus.Debugf("Checking %s", checkPath)
-	res, err := d.c.makeRequest(context.TODO(), "HEAD", checkPath, nil, nil)
+	res, err := d.c.makeRequest(ctx, "HEAD", checkPath, nil, nil)
 	if err != nil {
 		return false, -1, err
 	}
@ -204,7 +204,7 @@ func (d *dockerImageDestination) HasBlob(info types.BlobInfo) (bool, int64, erro
 	}
 }
-func (d *dockerImageDestination) ReapplyBlob(info types.BlobInfo) (types.BlobInfo, error) {
+func (d *dockerImageDestination) ReapplyBlob(ctx context.Context, info types.BlobInfo) (types.BlobInfo, error) {
 	return info, nil
 }
@ -212,7 +212,7 @@ func (d *dockerImageDestination) ReapplyBlob(info types.BlobInfo) (types.BlobInf
 // FIXME? This should also receive a MIME type if known, to differentiate between schema versions.
 // If the destination is in principle available, refuses this manifest type (e.g. it does not recognize the schema),
 // but may accept a different manifest type, the returned error must be an ManifestTypeRejectedError.
-func (d *dockerImageDestination) PutManifest(m []byte) error {
+func (d *dockerImageDestination) PutManifest(ctx context.Context, m []byte) error {
 	digest, err := manifest.Digest(m)
 	if err != nil {
 		return err
@ -230,7 +230,7 @@ func (d *dockerImageDestination) PutManifest(m []byte) error {
 	if mimeType != "" {
 		headers["Content-Type"] = []string{mimeType}
 	}
-	res, err := d.c.makeRequest(context.TODO(), "PUT", path, headers, bytes.NewReader(m))
+	res, err := d.c.makeRequest(ctx, "PUT", path, headers, bytes.NewReader(m))
 	if err != nil {
 		return err
 	}
@ -267,19 +267,19 @@ func isManifestInvalidError(err error) bool {
 	return ec.ErrorCode() == v2.ErrorCodeManifestInvalid || ec.ErrorCode() == v2.ErrorCodeTagInvalid
 }
-func (d *dockerImageDestination) PutSignatures(signatures [][]byte) error {
+func (d *dockerImageDestination) PutSignatures(ctx context.Context, signatures [][]byte) error {
 	// Do not fail if we don’t really need to support signatures.
 	if len(signatures) == 0 {
 		return nil
 	}
-	if err := d.c.detectProperties(context.TODO()); err != nil {
+	if err := d.c.detectProperties(ctx); err != nil {
 		return err
 	}
 	switch {
 	case d.c.signatureBase != nil:
 		return d.putSignaturesToLookaside(signatures)
 	case d.c.supportsSignatures:
-		return d.putSignaturesToAPIExtension(signatures)
+		return d.putSignaturesToAPIExtension(ctx, signatures)
 	default:
 		return errors.Errorf("X-Registry-Supports-Signatures extension not supported, and lookaside is not configured")
 	}
@ -378,7 +378,7 @@ func (c *dockerClient) deleteOneSignature(url *url.URL) (missing bool, err error
 }
 // putSignaturesToAPIExtension implements PutSignatures() using the X-Registry-Supports-Signatures API extension.
-func (d *dockerImageDestination) putSignaturesToAPIExtension(signatures [][]byte) error {
+func (d *dockerImageDestination) putSignaturesToAPIExtension(ctx context.Context, signatures [][]byte) error {
 	// Skip dealing with the manifest digest, or reading the old state, if not necessary.
 	if len(signatures) == 0 {
 		return nil
@ -393,7 +393,7 @@ func (d *dockerImageDestination) putSignaturesToAPIExtension(signatures [][]byte
 	// always adds signatures.  Eventually we should also allow removing signatures,
 	// but the X-Registry-Supports-Signatures API extension does not support that yet.
-	existingSignatures, err := d.c.getExtensionsSignatures(context.TODO(), d.ref, d.manifestDigest)
+	existingSignatures, err := d.c.getExtensionsSignatures(ctx, d.ref, d.manifestDigest)
 	if err != nil {
 		return err
 	}
@ -435,7 +435,7 @@ sigExists:
 		}
 		path := fmt.Sprintf(extensionsSignaturePath, reference.Path(d.ref.ref), d.manifestDigest.String())
-		res, err := d.c.makeRequest(context.TODO(), "PUT", path, nil, bytes.NewReader(body))
+		res, err := d.c.makeRequest(ctx, "PUT", path, nil, bytes.NewReader(body))
 		if err != nil {
 			return err
 		}
@ -457,6 +457,6 @@ sigExists:
 // WARNING: This does not have any transactional semantics:
 // - Uploaded data MAY be visible to others before Commit() is called
 // - Uploaded data MAY be removed or MAY remain around if Close() is called without Commit() (i.e. rollback is allowed but not guaranteed)
-func (d *dockerImageDestination) Commit() error {
+func (d *dockerImageDestination) Commit(ctx context.Context) error {
 	return nil
 }
--- a/vendor/github.com/containers/image/docker/docker_image_src.go
+++ b/vendor/github.com/containers/image/docker/docker_image_src.go
@ -30,8 +30,8 @@ type dockerImageSource struct {
 // newImageSource creates a new ImageSource for the specified image reference.
 // The caller must call .Close() on the returned ImageSource.
-func newImageSource(ctx *types.SystemContext, ref dockerReference) (*dockerImageSource, error) {
+func newImageSource(sys *types.SystemContext, ref dockerReference) (*dockerImageSource, error) {
-	c, err := newDockerClientFromRef(ctx, ref, false, "pull")
+	c, err := newDockerClientFromRef(sys, ref, false, "pull")
 	if err != nil {
 		return nil, err
 	}
@ -53,7 +53,7 @@ func (s *dockerImageSource) Close() error {
 }
 // LayerInfosForCopy() returns updated layer info that should be used when reading, in preference to values in the manifest, if specified.
-func (s *dockerImageSource) LayerInfosForCopy() ([]types.BlobInfo, error) {
+func (s *dockerImageSource) LayerInfosForCopy(ctx context.Context) ([]types.BlobInfo, error) {
 	return nil, nil
 }
@ -74,11 +74,11 @@ func simplifyContentType(contentType string) string {
 // It may use a remote (= slow) service.
 // If instanceDigest is not nil, it contains a digest of the specific manifest instance to retrieve (when the primary manifest is a manifest list);
 // this never happens if the primary manifest is not a manifest list (e.g. if the source never returns manifest lists).
-func (s *dockerImageSource) GetManifest(instanceDigest *digest.Digest) ([]byte, string, error) {
+func (s *dockerImageSource) GetManifest(ctx context.Context, instanceDigest *digest.Digest) ([]byte, string, error) {
 	if instanceDigest != nil {
-		return s.fetchManifest(context.TODO(), instanceDigest.String())
+		return s.fetchManifest(ctx, instanceDigest.String())
 	}
-	err := s.ensureManifestIsLoaded(context.TODO())
+	err := s.ensureManifestIsLoaded(ctx)
 	if err != nil {
 		return nil, "", err
 	}
@ -108,7 +108,7 @@ func (s *dockerImageSource) fetchManifest(ctx context.Context, tagOrDigest strin
 //
 // ImageSource implementations are not required or expected to do any caching,
 // but because our signatures are “attached” to the manifest digest,
-// we need to ensure that the digest of the manifest returned by GetManifest(nil)
+// we need to ensure that the digest of the manifest returned by GetManifest(ctx, nil)
 // and used by GetSignatures(ctx, nil) are consistent, otherwise we would get spurious
 // signature verification failures when pulling while a tag is being updated.
 func (s *dockerImageSource) ensureManifestIsLoaded(ctx context.Context) error {
@ -131,13 +131,13 @@ func (s *dockerImageSource) ensureManifestIsLoaded(ctx context.Context) error {
 	return nil
 }
-func (s *dockerImageSource) getExternalBlob(urls []string) (io.ReadCloser, int64, error) {
+func (s *dockerImageSource) getExternalBlob(ctx context.Context, urls []string) (io.ReadCloser, int64, error) {
 	var (
 		resp *http.Response
 		err  error
 	)
 	for _, url := range urls {
-		resp, err = s.c.makeRequestToResolvedURL(context.TODO(), "GET", url, nil, nil, -1, false)
+		resp, err = s.c.makeRequestToResolvedURL(ctx, "GET", url, nil, nil, -1, false)
 		if err == nil {
 			if resp.StatusCode != http.StatusOK {
 				err = errors.Errorf("error fetching external blob from %q: %d", url, resp.StatusCode)
@ -162,14 +162,14 @@ func getBlobSize(resp *http.Response) int64 {
 }
 // GetBlob returns a stream for the specified blob, and the blob’s size (or -1 if unknown).
-func (s *dockerImageSource) GetBlob(info types.BlobInfo) (io.ReadCloser, int64, error) {
+func (s *dockerImageSource) GetBlob(ctx context.Context, info types.BlobInfo) (io.ReadCloser, int64, error) {
 	if len(info.URLs) != 0 {
-		return s.getExternalBlob(info.URLs)
+		return s.getExternalBlob(ctx, info.URLs)
 	}
 	path := fmt.Sprintf(blobsPath, reference.Path(s.ref.ref), info.Digest.String())
 	logrus.Debugf("Downloading %s", path)
-	res, err := s.c.makeRequest(context.TODO(), "GET", path, nil, nil)
+	res, err := s.c.makeRequest(ctx, "GET", path, nil, nil)
 	if err != nil {
 		return nil, 0, err
 	}
@ -309,8 +309,8 @@ func (s *dockerImageSource) getSignaturesFromAPIExtension(ctx context.Context, i
 }
 // deleteImage deletes the named image from the registry, if supported.
-func deleteImage(ctx *types.SystemContext, ref dockerReference) error {
+func deleteImage(ctx context.Context, sys *types.SystemContext, ref dockerReference) error {
-	c, err := newDockerClientFromRef(ctx, ref, true, "push")
+	c, err := newDockerClientFromRef(sys, ref, true, "push")
 	if err != nil {
 		return err
 	}
@ -325,7 +325,7 @@ func deleteImage(ctx *types.SystemContext, ref dockerReference) error {
 		return err
 	}
 	getPath := fmt.Sprintf(manifestPath, reference.Path(ref.ref), refTail)
-	get, err := c.makeRequest(context.TODO(), "GET", getPath, headers, nil)
+	get, err := c.makeRequest(ctx, "GET", getPath, headers, nil)
 	if err != nil {
 		return err
 	}
@ -347,7 +347,7 @@ func deleteImage(ctx *types.SystemContext, ref dockerReference) error {
 	// When retrieving the digest from a registry >= 2.3 use the following header:
 	//   "Accept": "application/vnd.docker.distribution.manifest.v2+json"
-	delete, err := c.makeRequest(context.TODO(), "DELETE", deletePath, headers, nil)
+	delete, err := c.makeRequest(ctx, "DELETE", deletePath, headers, nil)
 	if err != nil {
 		return err
 	}
--- a/vendor/github.com/containers/image/docker/docker_transport.go
+++ b/vendor/github.com/containers/image/docker/docker_transport.go
@ -1,6 +1,7 @@
 package docker
 import (
 	"context"
 	"fmt"
 	"strings"
@ -127,25 +128,25 @@ func (ref dockerReference) PolicyConfigurationNamespaces() []string {
 // NOTE: If any kind of signature verification should happen, build an UnparsedImage from the value returned by NewImageSource,
 // verify that UnparsedImage, and convert it into a real Image via image.FromUnparsedImage.
 // WARNING: This may not do the right thing for a manifest list, see image.FromSource for details.
-func (ref dockerReference) NewImage(ctx *types.SystemContext) (types.ImageCloser, error) {
+func (ref dockerReference) NewImage(ctx context.Context, sys *types.SystemContext) (types.ImageCloser, error) {
-	return newImage(ctx, ref)
+	return newImage(ctx, sys, ref)
 }
 // NewImageSource returns a types.ImageSource for this reference.
 // The caller must call .Close() on the returned ImageSource.
-func (ref dockerReference) NewImageSource(ctx *types.SystemContext) (types.ImageSource, error) {
+func (ref dockerReference) NewImageSource(ctx context.Context, sys *types.SystemContext) (types.ImageSource, error) {
-	return newImageSource(ctx, ref)
+	return newImageSource(sys, ref)
 }
 // NewImageDestination returns a types.ImageDestination for this reference.
 // The caller must call .Close() on the returned ImageDestination.
-func (ref dockerReference) NewImageDestination(ctx *types.SystemContext) (types.ImageDestination, error) {
+func (ref dockerReference) NewImageDestination(ctx context.Context, sys *types.SystemContext) (types.ImageDestination, error) {
-	return newImageDestination(ctx, ref)
+	return newImageDestination(sys, ref)
 }
 // DeleteImage deletes the named image from the registry, if supported.
-func (ref dockerReference) DeleteImage(ctx *types.SystemContext) error {
+func (ref dockerReference) DeleteImage(ctx context.Context, sys *types.SystemContext) error {
-	return deleteImage(ctx, ref)
+	return deleteImage(ctx, sys, ref)
 }
 // tagOrDigest returns a tag or digest from the reference.
--- a/vendor/github.com/containers/image/docker/lookaside.go
+++ b/vendor/github.com/containers/image/docker/lookaside.go
@ -45,9 +45,9 @@ type registryNamespace struct {
 type signatureStorageBase *url.URL // The only documented value is nil, meaning storage is not supported.
 // configuredSignatureStorageBase reads configuration to find an appropriate signature storage URL for ref, for write access if “write”.
-func configuredSignatureStorageBase(ctx *types.SystemContext, ref dockerReference, write bool) (signatureStorageBase, error) {
+func configuredSignatureStorageBase(sys *types.SystemContext, ref dockerReference, write bool) (signatureStorageBase, error) {
 	// FIXME? Loading and parsing the config could be cached across calls.
-	dirPath := registriesDirPath(ctx)
+	dirPath := registriesDirPath(sys)
 	logrus.Debugf(`Using registries.d directory %s for sigstore configuration`, dirPath)
 	config, err := loadAndMergeConfig(dirPath)
 	if err != nil {
@ -74,13 +74,13 @@ func configuredSignatureStorageBase(ctx *types.SystemContext, ref dockerReferenc
 }
 // registriesDirPath returns a path to registries.d
-func registriesDirPath(ctx *types.SystemContext) string {
+func registriesDirPath(sys *types.SystemContext) string {
-	if ctx != nil {
+	if sys != nil {
-		if ctx.RegistriesDirPath != "" {
+		if sys.RegistriesDirPath != "" {
-			return ctx.RegistriesDirPath
+			return sys.RegistriesDirPath
 		}
-		if ctx.RootForImplicitAbsolutePaths != "" {
+		if sys.RootForImplicitAbsolutePaths != "" {
-			return filepath.Join(ctx.RootForImplicitAbsolutePaths, systemRegistriesDirPath)
+			return filepath.Join(sys.RootForImplicitAbsolutePaths, systemRegistriesDirPath)
 		}
 	}
 	return systemRegistriesDirPath
--- a/vendor/github.com/containers/image/docker/tarfile/dest.go
+++ b/vendor/github.com/containers/image/docker/tarfile/dest.go
@ -3,6 +3,7 @@ package tarfile
 import (
 	"archive/tar"
 	"bytes"
 	"context"
 	"encoding/json"
 	"fmt"
 	"io"
@ -50,7 +51,7 @@ func (d *Destination) SupportedManifestMIMETypes() []string {
 // SupportsSignatures returns an error (to be displayed to the user) if the destination certainly can't store signatures.
 // Note: It is still possible for PutSignatures to fail if SupportsSignatures returns nil.
-func (d *Destination) SupportsSignatures() error {
+func (d *Destination) SupportsSignatures(ctx context.Context) error {
 	return errors.Errorf("Storing signatures for docker tar files is not supported")
 }
@ -71,7 +72,7 @@ func (d *Destination) MustMatchRuntimeOS() bool {
 // WARNING: The contents of stream are being verified on the fly.  Until stream.Read() returns io.EOF, the contents of the data SHOULD NOT be available
 // to any other readers for download using the supplied digest.
 // If stream.Read() at any time, ESPECIALLY at end of input, returns an error, PutBlob MUST 1) fail, and 2) delete any data stored so far.
-func (d *Destination) PutBlob(stream io.Reader, inputInfo types.BlobInfo, isConfig bool) (types.BlobInfo, error) {
+func (d *Destination) PutBlob(ctx context.Context, stream io.Reader, inputInfo types.BlobInfo, isConfig bool) (types.BlobInfo, error) {
 	// Ouch, we need to stream the blob into a temporary file just to determine the size.
 	// When the layer is decompressed, we also have to generate the digest on uncompressed datas.
 	if inputInfo.Size == -1 || inputInfo.Digest.String() == "" {
@ -85,6 +86,7 @@ func (d *Destination) PutBlob(stream io.Reader, inputInfo types.BlobInfo, isConf
 		digester := digest.Canonical.Digester()
 		tee := io.TeeReader(stream, digester.Hash())
 		// TODO: This can take quite some time, and should ideally be cancellable using ctx.Done().
 		size, err := io.Copy(streamCopy, tee)
 		if err != nil {
 			return types.BlobInfo{}, err
@ -102,7 +104,7 @@ func (d *Destination) PutBlob(stream io.Reader, inputInfo types.BlobInfo, isConf
 	}
 	// Maybe the blob has been already sent
-	ok, size, err := d.HasBlob(inputInfo)
+	ok, size, err := d.HasBlob(ctx, inputInfo)
 	if err != nil {
 		return types.BlobInfo{}, err
 	}
@ -139,7 +141,7 @@ func (d *Destination) PutBlob(stream io.Reader, inputInfo types.BlobInfo, isConf
 // the blob must also be returned.  If the destination does not contain the
 // blob, or it is unknown, HasBlob ordinarily returns (false, -1, nil); it
 // returns a non-nil error only on an unexpected failure.
-func (d *Destination) HasBlob(info types.BlobInfo) (bool, int64, error) {
+func (d *Destination) HasBlob(ctx context.Context, info types.BlobInfo) (bool, int64, error) {
 	if info.Digest == "" {
 		return false, -1, errors.Errorf("Can not check for a blob with unknown digest")
 	}
@ -154,7 +156,7 @@ func (d *Destination) HasBlob(info types.BlobInfo) (bool, int64, error) {
 // returned false.  Like HasBlob and unlike PutBlob, the digest can not be
 // empty.  If the blob is a filesystem layer, this signifies that the changes
 // it describes need to be applied again when composing a filesystem tree.
-func (d *Destination) ReapplyBlob(info types.BlobInfo) (types.BlobInfo, error) {
+func (d *Destination) ReapplyBlob(ctx context.Context, info types.BlobInfo) (types.BlobInfo, error) {
 	return info, nil
 }
@ -175,7 +177,7 @@ func (d *Destination) createRepositoriesFile(rootLayerID string) error {
 // FIXME? This should also receive a MIME type if known, to differentiate between schema versions.
 // If the destination is in principle available, refuses this manifest type (e.g. it does not recognize the schema),
 // but may accept a different manifest type, the returned error must be an ManifestTypeRejectedError.
-func (d *Destination) PutManifest(m []byte) error {
+func (d *Destination) PutManifest(ctx context.Context, m []byte) error {
 	// We do not bother with types.ManifestTypeRejectedError; our .SupportedManifestMIMETypes() above is already providing only one alternative,
 	// so the caller trying a different manifest kind would be pointless.
 	var man manifest.Schema2
@ -351,6 +353,7 @@ func (d *Destination) sendFile(path string, expectedSize int64, stream io.Reader
 	if err := d.tar.WriteHeader(hdr); err != nil {
 		return err
 	}
 	// TODO: This can take quite some time, and should ideally be cancellable using a context.Context.
 	size, err := io.Copy(d.tar, stream)
 	if err != nil {
 		return err
@ -364,7 +367,7 @@ func (d *Destination) sendFile(path string, expectedSize int64, stream io.Reader
 // PutSignatures adds the given signatures to the docker tarfile (currently not
 // supported). MUST be called after PutManifest (signatures reference manifest
 // contents)
-func (d *Destination) PutSignatures(signatures [][]byte) error {
+func (d *Destination) PutSignatures(ctx context.Context, signatures [][]byte) error {
 	if len(signatures) != 0 {
 		return errors.Errorf("Storing signatures for docker tar files is not supported")
 	}
@ -373,6 +376,6 @@ func (d *Destination) PutSignatures(signatures [][]byte) error {
 // Commit finishes writing data to the underlying io.Writer.
 // It is the caller's responsibility to close it, if necessary.
-func (d *Destination) Commit() error {
+func (d *Destination) Commit(ctx context.Context) error {
 	return d.tar.Close()
 }
--- a/vendor/github.com/containers/image/docker/tarfile/src.go
+++ b/vendor/github.com/containers/image/docker/tarfile/src.go
@ -81,6 +81,7 @@ func NewSourceFromStream(inputStream io.Reader) (*Source, error) {
 		}
 	}()
 	// TODO: This can take quite some time, and should ideally be cancellable using a context.Context.
 	if _, err := io.Copy(tarCopyFile, inputStream); err != nil {
 		return nil, errors.Wrapf(err, "error copying contents to temporary file %q", tarCopyFile.Name())
 	}
@ -306,9 +307,9 @@ func (s *Source) prepareLayerData(tarManifest *ManifestItem, parsedConfig *manif
 // It may use a remote (= slow) service.
 // If instanceDigest is not nil, it contains a digest of the specific manifest instance to retrieve (when the primary manifest is a manifest list);
 // this never happens if the primary manifest is not a manifest list (e.g. if the source never returns manifest lists).
-func (s *Source) GetManifest(instanceDigest *digest.Digest) ([]byte, string, error) {
+func (s *Source) GetManifest(ctx context.Context, instanceDigest *digest.Digest) ([]byte, string, error) {
 	if instanceDigest != nil {
-		// How did we even get here? GetManifest(nil) has returned a manifest.DockerV2Schema2MediaType.
+		// How did we even get here? GetManifest(ctx, nil) has returned a manifest.DockerV2Schema2MediaType.
 		return nil, "", errors.Errorf(`Manifest lists are not supported by "docker-daemon:"`)
 	}
 	if s.generatedManifest == nil {
@ -358,7 +359,7 @@ func (r readCloseWrapper) Close() error {
 }
 // GetBlob returns a stream for the specified blob, and the blob’s size (or -1 if unknown).
-func (s *Source) GetBlob(info types.BlobInfo) (io.ReadCloser, int64, error) {
+func (s *Source) GetBlob(ctx context.Context, info types.BlobInfo) (io.ReadCloser, int64, error) {
 	if err := s.ensureCachedDataIsPresent(); err != nil {
 		return nil, 0, err
 	}
@ -414,7 +415,7 @@ func (s *Source) GetBlob(info types.BlobInfo) (io.ReadCloser, int64, error) {
 // (e.g. if the source never returns manifest lists).
 func (s *Source) GetSignatures(ctx context.Context, instanceDigest *digest.Digest) ([][]byte, error) {
 	if instanceDigest != nil {
-		// How did we even get here? GetManifest(nil) has returned a manifest.DockerV2Schema2MediaType.
+		// How did we even get here? GetManifest(ctx, nil) has returned a manifest.DockerV2Schema2MediaType.
 		return nil, errors.Errorf(`Manifest lists are not supported by "docker-daemon:"`)
 	}
 	return [][]byte{}, nil
--- a/vendor/github.com/containers/image/image/docker_list.go
+++ b/vendor/github.com/containers/image/image/docker_list.go
@ -1,6 +1,7 @@
 package image
 import (
 	"context"
 	"encoding/json"
 	"fmt"
 	"runtime"
@ -34,14 +35,14 @@ type manifestList struct {
 // chooseDigestFromManifestList parses blob as a schema2 manifest list,
 // and returns the digest of the image appropriate for the current environment.
-func chooseDigestFromManifestList(ctx *types.SystemContext, blob []byte) (digest.Digest, error) {
+func chooseDigestFromManifestList(sys *types.SystemContext, blob []byte) (digest.Digest, error) {
 	wantedArch := runtime.GOARCH
-	if ctx != nil && ctx.ArchitectureChoice != "" {
+	if sys != nil && sys.ArchitectureChoice != "" {
-		wantedArch = ctx.ArchitectureChoice
+		wantedArch = sys.ArchitectureChoice
 	}
 	wantedOS := runtime.GOOS
-	if ctx != nil && ctx.OSChoice != "" {
+	if sys != nil && sys.OSChoice != "" {
-		wantedOS = ctx.OSChoice
+		wantedOS = sys.OSChoice
 	}
 	list := manifestList{}
@ -56,12 +57,12 @@ func chooseDigestFromManifestList(ctx *types.SystemContext, blob []byte) (digest
 	return "", fmt.Errorf("no image found in manifest list for architecture %s, OS %s", wantedArch, wantedOS)
 }
-func manifestSchema2FromManifestList(ctx *types.SystemContext, src types.ImageSource, manblob []byte) (genericManifest, error) {
+func manifestSchema2FromManifestList(ctx context.Context, sys *types.SystemContext, src types.ImageSource, manblob []byte) (genericManifest, error) {
-	targetManifestDigest, err := chooseDigestFromManifestList(ctx, manblob)
+	targetManifestDigest, err := chooseDigestFromManifestList(sys, manblob)
 	if err != nil {
 		return nil, err
 	}
-	manblob, mt, err := src.GetManifest(&targetManifestDigest)
+	manblob, mt, err := src.GetManifest(ctx, &targetManifestDigest)
 	if err != nil {
 		return nil, err
 	}
@ -74,20 +75,20 @@ func manifestSchema2FromManifestList(ctx *types.SystemContext, src types.ImageSo
 		return nil, errors.Errorf("Manifest image does not match selected manifest digest %s", targetManifestDigest)
 	}
-	return manifestInstanceFromBlob(ctx, src, manblob, mt)
+	return manifestInstanceFromBlob(ctx, sys, src, manblob, mt)
 }
 // ChooseManifestInstanceFromManifestList returns a digest of a manifest appropriate
 // for the current system from the manifest available from src.
-func ChooseManifestInstanceFromManifestList(ctx *types.SystemContext, src types.UnparsedImage) (digest.Digest, error) {
+func ChooseManifestInstanceFromManifestList(ctx context.Context, sys *types.SystemContext, src types.UnparsedImage) (digest.Digest, error) {
 	// For now this only handles manifest.DockerV2ListMediaType; we can generalize it later,
 	// probably along with manifest list editing.
-	blob, mt, err := src.Manifest()
+	blob, mt, err := src.Manifest(ctx)
 	if err != nil {
 		return "", err
 	}
 	if mt != manifest.DockerV2ListMediaType {
 		return "", fmt.Errorf("Internal error: Trying to select an image from a non-manifest-list manifest type %s", mt)
 	}
-	return chooseDigestFromManifestList(ctx, blob)
+	return chooseDigestFromManifestList(sys, blob)
 }
--- a/vendor/github.com/containers/image/image/docker_schema1.go
+++ b/vendor/github.com/containers/image/image/docker_schema1.go
@ -1,6 +1,7 @@
 package image
 import (
 	"context"
 	"encoding/json"
 	"github.com/containers/image/docker/reference"
@ -44,19 +45,19 @@ func (m *manifestSchema1) ConfigInfo() types.BlobInfo {
 // ConfigBlob returns the blob described by ConfigInfo, iff ConfigInfo().Digest != ""; nil otherwise.
 // The result is cached; it is OK to call this however often you need.
-func (m *manifestSchema1) ConfigBlob() ([]byte, error) {
+func (m *manifestSchema1) ConfigBlob(context.Context) ([]byte, error) {
 	return nil, nil
 }
 // OCIConfig returns the image configuration as per OCI v1 image-spec. Information about
 // layers in the resulting configuration isn't guaranteed to be returned to due how
 // old image manifests work (docker v2s1 especially).
-func (m *manifestSchema1) OCIConfig() (*imgspecv1.Image, error) {
+func (m *manifestSchema1) OCIConfig(ctx context.Context) (*imgspecv1.Image, error) {
 	v2s2, err := m.convertToManifestSchema2(nil, nil)
 	if err != nil {
 		return nil, err
 	}
-	return v2s2.OCIConfig()
+	return v2s2.OCIConfig(ctx)
 }
 // LayerInfos returns a list of BlobInfos of layers referenced by this image, in order (the root layer first, and then successive layered layers).
@ -88,7 +89,7 @@ func (m *manifestSchema1) EmbeddedDockerReferenceConflicts(ref reference.Named)
 }
 // Inspect returns various information for (skopeo inspect) parsed from the manifest and configuration.
-func (m *manifestSchema1) Inspect() (*types.ImageInspectInfo, error) {
+func (m *manifestSchema1) Inspect(context.Context) (*types.ImageInspectInfo, error) {
 	return m.m.Inspect(nil)
 }
@ -101,7 +102,7 @@ func (m *manifestSchema1) UpdatedImageNeedsLayerDiffIDs(options types.ManifestUp
 // UpdatedImage returns a types.Image modified according to options.
 // This does not change the state of the original Image object.
-func (m *manifestSchema1) UpdatedImage(options types.ManifestUpdateOptions) (types.Image, error) {
+func (m *manifestSchema1) UpdatedImage(ctx context.Context, options types.ManifestUpdateOptions) (types.Image, error) {
 	copy := manifestSchema1{m: manifest.Schema1Clone(m.m)}
 	if options.LayerInfos != nil {
 		if err := copy.m.UpdateLayerInfos(options.LayerInfos); err != nil {
@ -134,7 +135,7 @@ func (m *manifestSchema1) UpdatedImage(options types.ManifestUpdateOptions) (typ
 		if err != nil {
 			return nil, err
 		}
-		return m2.UpdatedImage(types.ManifestUpdateOptions{
+		return m2.UpdatedImage(ctx, types.ManifestUpdateOptions{
 			ManifestMIMEType: imgspecv1.MediaTypeImageManifest,
 			InformationOnly:  options.InformationOnly,
 		})
--- a/vendor/github.com/containers/image/image/docker_schema2.go
+++ b/vendor/github.com/containers/image/image/docker_schema2.go
@ -2,6 +2,7 @@ package image
 import (
 	"bytes"
 	"context"
 	"crypto/sha256"
 	"encoding/hex"
 	"encoding/json"
@ -72,8 +73,8 @@ func (m *manifestSchema2) ConfigInfo() types.BlobInfo {
 // OCIConfig returns the image configuration as per OCI v1 image-spec. Information about
 // layers in the resulting configuration isn't guaranteed to be returned to due how
 // old image manifests work (docker v2s1 especially).
-func (m *manifestSchema2) OCIConfig() (*imgspecv1.Image, error) {
+func (m *manifestSchema2) OCIConfig(ctx context.Context) (*imgspecv1.Image, error) {
-	configBlob, err := m.ConfigBlob()
+	configBlob, err := m.ConfigBlob(ctx)
 	if err != nil {
 		return nil, err
 	}
@ -89,12 +90,12 @@ func (m *manifestSchema2) OCIConfig() (*imgspecv1.Image, error) {
 // ConfigBlob returns the blob described by ConfigInfo, iff ConfigInfo().Digest != ""; nil otherwise.
 // The result is cached; it is OK to call this however often you need.
-func (m *manifestSchema2) ConfigBlob() ([]byte, error) {
+func (m *manifestSchema2) ConfigBlob(ctx context.Context) ([]byte, error) {
 	if m.configBlob == nil {
 		if m.src == nil {
 			return nil, errors.Errorf("Internal error: neither src nor configBlob set in manifestSchema2")
 		}
-		stream, _, err := m.src.GetBlob(types.BlobInfo{
+		stream, _, err := m.src.GetBlob(ctx, types.BlobInfo{
 			Digest: m.m.ConfigDescriptor.Digest,
 			Size:   m.m.ConfigDescriptor.Size,
 			URLs:   m.m.ConfigDescriptor.URLs,
@ -131,13 +132,13 @@ func (m *manifestSchema2) EmbeddedDockerReferenceConflicts(ref reference.Named)
 }
 // Inspect returns various information for (skopeo inspect) parsed from the manifest and configuration.
-func (m *manifestSchema2) Inspect() (*types.ImageInspectInfo, error) {
+func (m *manifestSchema2) Inspect(ctx context.Context) (*types.ImageInspectInfo, error) {
 	getter := func(info types.BlobInfo) ([]byte, error) {
 		if info.Digest != m.ConfigInfo().Digest {
 			// Shouldn't ever happen
 			return nil, errors.New("asked for a different config blob")
 		}
-		config, err := m.ConfigBlob()
+		config, err := m.ConfigBlob(ctx)
 		if err != nil {
 			return nil, err
 		}
@ -155,7 +156,7 @@ func (m *manifestSchema2) UpdatedImageNeedsLayerDiffIDs(options types.ManifestUp
 // UpdatedImage returns a types.Image modified according to options.
 // This does not change the state of the original Image object.
-func (m *manifestSchema2) UpdatedImage(options types.ManifestUpdateOptions) (types.Image, error) {
+func (m *manifestSchema2) UpdatedImage(ctx context.Context, options types.ManifestUpdateOptions) (types.Image, error) {
 	copy := manifestSchema2{ // NOTE: This is not a deep copy, it still shares slices etc.
 		src:        m.src,
 		configBlob: m.configBlob,
@ -171,9 +172,9 @@ func (m *manifestSchema2) UpdatedImage(options types.ManifestUpdateOptions) (typ
 	switch options.ManifestMIMEType {
 	case "": // No conversion, OK
 	case manifest.DockerV2Schema1SignedMediaType, manifest.DockerV2Schema1MediaType:
-		return copy.convertToManifestSchema1(options.InformationOnly.Destination)
+		return copy.convertToManifestSchema1(ctx, options.InformationOnly.Destination)
 	case imgspecv1.MediaTypeImageManifest:
-		return copy.convertToManifestOCI1()
+		return copy.convertToManifestOCI1(ctx)
 	default:
 		return nil, errors.Errorf("Conversion of image manifest from %s to %s is not implemented", manifest.DockerV2Schema2MediaType, options.ManifestMIMEType)
 	}
@ -190,8 +191,8 @@ func oci1DescriptorFromSchema2Descriptor(d manifest.Schema2Descriptor) imgspecv1
 	}
 }
-func (m *manifestSchema2) convertToManifestOCI1() (types.Image, error) {
+func (m *manifestSchema2) convertToManifestOCI1(ctx context.Context) (types.Image, error) {
-	configOCI, err := m.OCIConfig()
+	configOCI, err := m.OCIConfig(ctx)
 	if err != nil {
 		return nil, err
 	}
@ -223,8 +224,8 @@ func (m *manifestSchema2) convertToManifestOCI1() (types.Image, error) {
 }
 // Based on docker/distribution/manifest/schema1/config_builder.go
-func (m *manifestSchema2) convertToManifestSchema1(dest types.ImageDestination) (types.Image, error) {
+func (m *manifestSchema2) convertToManifestSchema1(ctx context.Context, dest types.ImageDestination) (types.Image, error) {
-	configBytes, err := m.ConfigBlob()
+	configBytes, err := m.ConfigBlob(ctx)
 	if err != nil {
 		return nil, err
 	}
@ -252,7 +253,7 @@ func (m *manifestSchema2) convertToManifestSchema1(dest types.ImageDestination)
 		if historyEntry.EmptyLayer {
 			if !haveGzippedEmptyLayer {
 				logrus.Debugf("Uploading empty layer during conversion to schema 1")
-				info, err := dest.PutBlob(bytes.NewReader(gzippedEmptyLayer), types.BlobInfo{Digest: gzippedEmptyLayerDigest, Size: int64(len(gzippedEmptyLayer))}, false)
+				info, err := dest.PutBlob(ctx, bytes.NewReader(gzippedEmptyLayer), types.BlobInfo{Digest: gzippedEmptyLayerDigest, Size: int64(len(gzippedEmptyLayer))}, false)
 				if err != nil {
 					return nil, errors.Wrap(err, "Error uploading empty layer")
 				}
--- a/vendor/github.com/containers/image/image/manifest.go
+++ b/vendor/github.com/containers/image/image/manifest.go
@ -1,6 +1,7 @@
 package image
 import (
 	"context"
 	"fmt"
 	"github.com/containers/image/docker/reference"
@ -21,11 +22,11 @@ type genericManifest interface {
 	ConfigInfo() types.BlobInfo
 	// ConfigBlob returns the blob described by ConfigInfo, iff ConfigInfo().Digest != ""; nil otherwise.
 	// The result is cached; it is OK to call this however often you need.
-	ConfigBlob() ([]byte, error)
+	ConfigBlob(context.Context) ([]byte, error)
 	// OCIConfig returns the image configuration as per OCI v1 image-spec. Information about
 	// layers in the resulting configuration isn't guaranteed to be returned to due how
 	// old image manifests work (docker v2s1 especially).
-	OCIConfig() (*imgspecv1.Image, error)
+	OCIConfig(context.Context) (*imgspecv1.Image, error)
 	// LayerInfos returns a list of BlobInfos of layers referenced by this image, in order (the root layer first, and then successive layered layers).
 	// The Digest field is guaranteed to be provided; Size may be -1.
 	// WARNING: The list may contain duplicates, and they are semantically relevant.
@ -35,19 +36,19 @@ type genericManifest interface {
 	// (This embedding unfortunately happens for Docker schema1, please do not add support for this in any new formats.)
 	EmbeddedDockerReferenceConflicts(ref reference.Named) bool
 	// Inspect returns various information for (skopeo inspect) parsed from the manifest and configuration.
-	Inspect() (*types.ImageInspectInfo, error)
+	Inspect(context.Context) (*types.ImageInspectInfo, error)
 	// UpdatedImageNeedsLayerDiffIDs returns true iff UpdatedImage(options) needs InformationOnly.LayerDiffIDs.
 	// This is a horribly specific interface, but computing InformationOnly.LayerDiffIDs can be very expensive to compute
 	// (most importantly it forces us to download the full layers even if they are already present at the destination).
 	UpdatedImageNeedsLayerDiffIDs(options types.ManifestUpdateOptions) bool
 	// UpdatedImage returns a types.Image modified according to options.
 	// This does not change the state of the original Image object.
-	UpdatedImage(options types.ManifestUpdateOptions) (types.Image, error)
+	UpdatedImage(ctx context.Context, options types.ManifestUpdateOptions) (types.Image, error)
 }
 // manifestInstanceFromBlob returns a genericManifest implementation for (manblob, mt) in src.
 // If manblob is a manifest list, it implicitly chooses an appropriate image from the list.
-func manifestInstanceFromBlob(ctx *types.SystemContext, src types.ImageSource, manblob []byte, mt string) (genericManifest, error) {
+func manifestInstanceFromBlob(ctx context.Context, sys *types.SystemContext, src types.ImageSource, manblob []byte, mt string) (genericManifest, error) {
 	switch manifest.NormalizedMIMEType(mt) {
 	case manifest.DockerV2Schema1MediaType, manifest.DockerV2Schema1SignedMediaType:
 		return manifestSchema1FromManifest(manblob)
@ -56,7 +57,7 @@ func manifestInstanceFromBlob(ctx *types.SystemContext, src types.ImageSource, m
 	case manifest.DockerV2Schema2MediaType:
 		return manifestSchema2FromManifest(src, manblob)
 	case manifest.DockerV2ListMediaType:
-		return manifestSchema2FromManifestList(ctx, src, manblob)
+		return manifestSchema2FromManifestList(ctx, sys, src, manblob)
 	default: // Note that this may not be reachable, manifest.NormalizedMIMEType has a default for unknown values.
 		return nil, fmt.Errorf("Unimplemented manifest MIME type %s", mt)
 	}
--- a/vendor/github.com/containers/image/image/memory.go
+++ b/vendor/github.com/containers/image/image/memory.go
@ -39,7 +39,7 @@ func (i *memoryImage) Size() (int64, error) {
 }
 // Manifest is like ImageSource.GetManifest, but the result is cached; it is OK to call this however often you need.
-func (i *memoryImage) Manifest() ([]byte, string, error) {
+func (i *memoryImage) Manifest(ctx context.Context) ([]byte, string, error) {
 	if i.serializedManifest == nil {
 		m, err := i.genericManifest.serialize()
 		if err != nil {
@ -60,6 +60,6 @@ func (i *memoryImage) Signatures(ctx context.Context) ([][]byte, error) {
 // LayerInfosForCopy returns an updated set of layer blob information which may not match the manifest.
 // The Digest field is guaranteed to be provided; Size may be -1.
 // WARNING: The list may contain duplicates, and they are semantically relevant.
-func (i *memoryImage) LayerInfosForCopy() ([]types.BlobInfo, error) {
+func (i *memoryImage) LayerInfosForCopy(ctx context.Context) ([]types.BlobInfo, error) {
 	return nil, nil
 }
--- a/vendor/github.com/containers/image/image/oci.go
+++ b/vendor/github.com/containers/image/image/oci.go
@ -1,6 +1,7 @@
 package image
 import (
 	"context"
 	"encoding/json"
 	"io/ioutil"
@ -54,12 +55,12 @@ func (m *manifestOCI1) ConfigInfo() types.BlobInfo {
 // ConfigBlob returns the blob described by ConfigInfo, iff ConfigInfo().Digest != ""; nil otherwise.
 // The result is cached; it is OK to call this however often you need.
-func (m *manifestOCI1) ConfigBlob() ([]byte, error) {
+func (m *manifestOCI1) ConfigBlob(ctx context.Context) ([]byte, error) {
 	if m.configBlob == nil {
 		if m.src == nil {
 			return nil, errors.Errorf("Internal error: neither src nor configBlob set in manifestOCI1")
 		}
-		stream, _, err := m.src.GetBlob(types.BlobInfo{
+		stream, _, err := m.src.GetBlob(ctx, types.BlobInfo{
 			Digest: m.m.Config.Digest,
 			Size:   m.m.Config.Size,
 			URLs:   m.m.Config.URLs,
@ -84,8 +85,8 @@ func (m *manifestOCI1) ConfigBlob() ([]byte, error) {
 // OCIConfig returns the image configuration as per OCI v1 image-spec. Information about
 // layers in the resulting configuration isn't guaranteed to be returned to due how
 // old image manifests work (docker v2s1 especially).
-func (m *manifestOCI1) OCIConfig() (*imgspecv1.Image, error) {
+func (m *manifestOCI1) OCIConfig(ctx context.Context) (*imgspecv1.Image, error) {
-	cb, err := m.ConfigBlob()
+	cb, err := m.ConfigBlob(ctx)
 	if err != nil {
 		return nil, err
 	}
@ -111,13 +112,13 @@ func (m *manifestOCI1) EmbeddedDockerReferenceConflicts(ref reference.Named) boo
 }
 // Inspect returns various information for (skopeo inspect) parsed from the manifest and configuration.
-func (m *manifestOCI1) Inspect() (*types.ImageInspectInfo, error) {
+func (m *manifestOCI1) Inspect(ctx context.Context) (*types.ImageInspectInfo, error) {
 	getter := func(info types.BlobInfo) ([]byte, error) {
 		if info.Digest != m.ConfigInfo().Digest {
 			// Shouldn't ever happen
 			return nil, errors.New("asked for a different config blob")
 		}
-		config, err := m.ConfigBlob()
+		config, err := m.ConfigBlob(ctx)
 		if err != nil {
 			return nil, err
 		}
@ -135,7 +136,7 @@ func (m *manifestOCI1) UpdatedImageNeedsLayerDiffIDs(options types.ManifestUpdat
 // UpdatedImage returns a types.Image modified according to options.
 // This does not change the state of the original Image object.
-func (m *manifestOCI1) UpdatedImage(options types.ManifestUpdateOptions) (types.Image, error) {
+func (m *manifestOCI1) UpdatedImage(ctx context.Context, options types.ManifestUpdateOptions) (types.Image, error) {
 	copy := manifestOCI1{ // NOTE: This is not a deep copy, it still shares slices etc.
 		src:        m.src,
 		configBlob: m.configBlob,
@ -156,7 +157,7 @@ func (m *manifestOCI1) UpdatedImage(options types.ManifestUpdateOptions) (types.
 		if err != nil {
 			return nil, err
 		}
-		return m2.UpdatedImage(types.ManifestUpdateOptions{
+		return m2.UpdatedImage(ctx, types.ManifestUpdateOptions{
 			ManifestMIMEType: options.ManifestMIMEType,
 			InformationOnly:  options.InformationOnly,
 		})
--- a/vendor/github.com/containers/image/image/sourced.go
+++ b/vendor/github.com/containers/image/image/sourced.go
@ -4,6 +4,7 @@
 package image
 import (
 	"context"
 	"github.com/containers/image/types"
 )
@ -28,8 +29,8 @@ type imageCloser struct {
 //
 // NOTE: If any kind of signature verification should happen, build an UnparsedImage from the value returned by NewImageSource,
 // verify that UnparsedImage, and convert it into a real Image via image.FromUnparsedImage instead of calling this function.
-func FromSource(ctx *types.SystemContext, src types.ImageSource) (types.ImageCloser, error) {
+func FromSource(ctx context.Context, sys *types.SystemContext, src types.ImageSource) (types.ImageCloser, error) {
-	img, err := FromUnparsedImage(ctx, UnparsedInstance(src, nil))
+	img, err := FromUnparsedImage(ctx, sys, UnparsedInstance(src, nil))
 	if err != nil {
 		return nil, err
 	}
@ -63,18 +64,18 @@ type sourcedImage struct {
 // but other methods transparently return data from an appropriate single image.
 //
 // The Image must not be used after the underlying ImageSource is Close()d.
-func FromUnparsedImage(ctx *types.SystemContext, unparsed *UnparsedImage) (types.Image, error) {
+func FromUnparsedImage(ctx context.Context, sys *types.SystemContext, unparsed *UnparsedImage) (types.Image, error) {
 	// Note that the input parameter above is specifically *image.UnparsedImage, not types.UnparsedImage:
 	// we want to be able to use unparsed.src.  We could make that an explicit interface, but, well,
 	// this is the only UnparsedImage implementation around, anyway.
 	// NOTE: It is essential for signature verification that all parsing done in this object happens on the same manifest which is returned by unparsed.Manifest().
-	manifestBlob, manifestMIMEType, err := unparsed.Manifest()
+	manifestBlob, manifestMIMEType, err := unparsed.Manifest(ctx)
 	if err != nil {
 		return nil, err
 	}
-	parsedManifest, err := manifestInstanceFromBlob(ctx, unparsed.src, manifestBlob, manifestMIMEType)
+	parsedManifest, err := manifestInstanceFromBlob(ctx, sys, unparsed.src, manifestBlob, manifestMIMEType)
 	if err != nil {
 		return nil, err
 	}
@ -93,10 +94,10 @@ func (i *sourcedImage) Size() (int64, error) {
 }
 // Manifest overrides the UnparsedImage.Manifest to always use the fields which we have already fetched.
-func (i *sourcedImage) Manifest() ([]byte, string, error) {
+func (i *sourcedImage) Manifest(ctx context.Context) ([]byte, string, error) {
 	return i.manifestBlob, i.manifestMIMEType, nil
 }
-func (i *sourcedImage) LayerInfosForCopy() ([]types.BlobInfo, error) {
+func (i *sourcedImage) LayerInfosForCopy(ctx context.Context) ([]types.BlobInfo, error) {
-	return i.UnparsedImage.src.LayerInfosForCopy()
+	return i.UnparsedImage.src.LayerInfosForCopy(ctx)
 }
--- a/vendor/github.com/containers/image/image/unparsed.go
+++ b/vendor/github.com/containers/image/image/unparsed.go
@ -41,9 +41,9 @@ func (i *UnparsedImage) Reference() types.ImageReference {
 }
 // Manifest is like ImageSource.GetManifest, but the result is cached; it is OK to call this however often you need.
-func (i *UnparsedImage) Manifest() ([]byte, string, error) {
+func (i *UnparsedImage) Manifest(ctx context.Context) ([]byte, string, error) {
 	if i.cachedManifest == nil {
-		m, mt, err := i.src.GetManifest(i.instanceDigest)
+		m, mt, err := i.src.GetManifest(ctx, i.instanceDigest)
 		if err != nil {
 			return nil, "", err
 		}
--- a/vendor/github.com/containers/image/oci/archive/oci_dest.go
+++ b/vendor/github.com/containers/image/oci/archive/oci_dest.go
@ -1,6 +1,7 @@
 package archive
 import (
 	"context"
 	"io"
 	"os"
@ -16,12 +17,12 @@ type ociArchiveImageDestination struct {
 }
 // newImageDestination returns an ImageDestination for writing to an existing directory.
-func newImageDestination(ctx *types.SystemContext, ref ociArchiveReference) (types.ImageDestination, error) {
+func newImageDestination(ctx context.Context, sys *types.SystemContext, ref ociArchiveReference) (types.ImageDestination, error) {
 	tempDirRef, err := createOCIRef(ref.image)
 	if err != nil {
 		return nil, errors.Wrapf(err, "error creating oci reference")
 	}
-	unpackedDest, err := tempDirRef.ociRefExtracted.NewImageDestination(ctx)
+	unpackedDest, err := tempDirRef.ociRefExtracted.NewImageDestination(ctx, sys)
 	if err != nil {
 		if err := tempDirRef.deleteTempDir(); err != nil {
 			return nil, errors.Wrapf(err, "error deleting temp directory", tempDirRef.tempDirectory)
@ -50,8 +51,8 @@ func (d *ociArchiveImageDestination) SupportedManifestMIMETypes() []string {
 }
 // SupportsSignatures returns an error (to be displayed to the user) if the destination certainly can't store signatures
-func (d *ociArchiveImageDestination) SupportsSignatures() error {
+func (d *ociArchiveImageDestination) SupportsSignatures(ctx context.Context) error {
-	return d.unpackedDest.SupportsSignatures()
+	return d.unpackedDest.SupportsSignatures(ctx)
 }
 func (d *ociArchiveImageDestination) DesiredLayerCompression() types.LayerCompression {
@ -72,32 +73,32 @@ func (d *ociArchiveImageDestination) MustMatchRuntimeOS() bool {
 // PutBlob writes contents of stream and returns data representing the result (with all data filled in).
 // inputInfo.Digest can be optionally provided if known; it is not mandatory for the implementation to verify it.
 // inputInfo.Size is the expected length of stream, if known.
-func (d *ociArchiveImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobInfo, isConfig bool) (types.BlobInfo, error) {
+func (d *ociArchiveImageDestination) PutBlob(ctx context.Context, stream io.Reader, inputInfo types.BlobInfo, isConfig bool) (types.BlobInfo, error) {
-	return d.unpackedDest.PutBlob(stream, inputInfo, isConfig)
+	return d.unpackedDest.PutBlob(ctx, stream, inputInfo, isConfig)
 }
 // HasBlob returns true iff the image destination already contains a blob with the matching digest which can be reapplied using ReapplyBlob
-func (d *ociArchiveImageDestination) HasBlob(info types.BlobInfo) (bool, int64, error) {
+func (d *ociArchiveImageDestination) HasBlob(ctx context.Context, info types.BlobInfo) (bool, int64, error) {
-	return d.unpackedDest.HasBlob(info)
+	return d.unpackedDest.HasBlob(ctx, info)
 }
-func (d *ociArchiveImageDestination) ReapplyBlob(info types.BlobInfo) (types.BlobInfo, error) {
+func (d *ociArchiveImageDestination) ReapplyBlob(ctx context.Context, info types.BlobInfo) (types.BlobInfo, error) {
-	return d.unpackedDest.ReapplyBlob(info)
+	return d.unpackedDest.ReapplyBlob(ctx, info)
 }
 // PutManifest writes manifest to the destination
-func (d *ociArchiveImageDestination) PutManifest(m []byte) error {
+func (d *ociArchiveImageDestination) PutManifest(ctx context.Context, m []byte) error {
-	return d.unpackedDest.PutManifest(m)
+	return d.unpackedDest.PutManifest(ctx, m)
 }
-func (d *ociArchiveImageDestination) PutSignatures(signatures [][]byte) error {
+func (d *ociArchiveImageDestination) PutSignatures(ctx context.Context, signatures [][]byte) error {
-	return d.unpackedDest.PutSignatures(signatures)
+	return d.unpackedDest.PutSignatures(ctx, signatures)
 }
 // Commit marks the process of storing the image as successful and asks for the image to be persisted
 // after the directory is made, it is tarred up into a file and the directory is deleted
-func (d *ociArchiveImageDestination) Commit() error {
+func (d *ociArchiveImageDestination) Commit(ctx context.Context) error {
-	if err := d.unpackedDest.Commit(); err != nil {
+	if err := d.unpackedDest.Commit(ctx); err != nil {
 		return errors.Wrapf(err, "error storing image %q", d.ref.image)
 	}
@ -124,6 +125,7 @@ func tarDirectory(src, dst string) error {
 	defer outFile.Close()
 	// copies the contents of the directory to the tar file
 	// TODO: This can take quite some time, and should ideally be cancellable using a context.Context.
 	_, err = io.Copy(outFile, input)
 	return err
--- a/vendor/github.com/containers/image/oci/archive/oci_src.go
+++ b/vendor/github.com/containers/image/oci/archive/oci_src.go
@ -19,13 +19,13 @@ type ociArchiveImageSource struct {
 // newImageSource returns an ImageSource for reading from an existing directory.
 // newImageSource untars the file and saves it in a temp directory
-func newImageSource(ctx *types.SystemContext, ref ociArchiveReference) (types.ImageSource, error) {
+func newImageSource(ctx context.Context, sys *types.SystemContext, ref ociArchiveReference) (types.ImageSource, error) {
 	tempDirRef, err := createUntarTempDir(ref)
 	if err != nil {
 		return nil, errors.Wrap(err, "error creating temp directory")
 	}
-	unpackedSrc, err := tempDirRef.ociRefExtracted.NewImageSource(ctx)
+	unpackedSrc, err := tempDirRef.ociRefExtracted.NewImageSource(ctx, sys)
 	if err != nil {
 		if err := tempDirRef.deleteTempDir(); err != nil {
 			return nil, errors.Wrapf(err, "error deleting temp directory", tempDirRef.tempDirectory)
@ -72,13 +72,13 @@ func (s *ociArchiveImageSource) Close() error {
 // It may use a remote (= slow) service.
 // If instanceDigest is not nil, it contains a digest of the specific manifest instance to retrieve (when the primary manifest is a manifest list);
 // this never happens if the primary manifest is not a manifest list (e.g. if the source never returns manifest lists).
-func (s *ociArchiveImageSource) GetManifest(instanceDigest *digest.Digest) ([]byte, string, error) {
+func (s *ociArchiveImageSource) GetManifest(ctx context.Context, instanceDigest *digest.Digest) ([]byte, string, error) {
-	return s.unpackedSrc.GetManifest(instanceDigest)
+	return s.unpackedSrc.GetManifest(ctx, instanceDigest)
 }
 // GetBlob returns a stream for the specified blob, and the blob's size.
-func (s *ociArchiveImageSource) GetBlob(info types.BlobInfo) (io.ReadCloser, int64, error) {
+func (s *ociArchiveImageSource) GetBlob(ctx context.Context, info types.BlobInfo) (io.ReadCloser, int64, error) {
-	return s.unpackedSrc.GetBlob(info)
+	return s.unpackedSrc.GetBlob(ctx, info)
 }
 // GetSignatures returns the image's signatures.  It may use a remote (= slow) service.
@ -90,6 +90,6 @@ func (s *ociArchiveImageSource) GetSignatures(ctx context.Context, instanceDiges
 }
 // LayerInfosForCopy() returns updated layer info that should be used when reading, in preference to values in the manifest, if specified.
-func (s *ociArchiveImageSource) LayerInfosForCopy() ([]types.BlobInfo, error) {
+func (s *ociArchiveImageSource) LayerInfosForCopy(ctx context.Context) ([]types.BlobInfo, error) {
 	return nil, nil
 }
--- a/vendor/github.com/containers/image/oci/archive/oci_transport.go
+++ b/vendor/github.com/containers/image/oci/archive/oci_transport.go
@ -1,6 +1,7 @@
 package archive
 import (
 	"context"
 	"fmt"
 	"io/ioutil"
 	"os"
@ -121,28 +122,28 @@ func (ref ociArchiveReference) PolicyConfigurationNamespaces() []string {
 // NOTE: If any kind of signature verification should happen, build an UnparsedImage from the value returned by NewImageSource,
 // verify that UnparsedImage, and convert it into a real Image via image.FromUnparsedImage.
 // WARNING: This may not do the right thing for a manifest list, see image.FromSource for details.
-func (ref ociArchiveReference) NewImage(ctx *types.SystemContext) (types.ImageCloser, error) {
+func (ref ociArchiveReference) NewImage(ctx context.Context, sys *types.SystemContext) (types.ImageCloser, error) {
-	src, err := newImageSource(ctx, ref)
+	src, err := newImageSource(ctx, sys, ref)
 	if err != nil {
 		return nil, err
 	}
-	return image.FromSource(ctx, src)
+	return image.FromSource(ctx, sys, src)
 }
 // NewImageSource returns a types.ImageSource for this reference.
 // The caller must call .Close() on the returned ImageSource.
-func (ref ociArchiveReference) NewImageSource(ctx *types.SystemContext) (types.ImageSource, error) {
+func (ref ociArchiveReference) NewImageSource(ctx context.Context, sys *types.SystemContext) (types.ImageSource, error) {
-	return newImageSource(ctx, ref)
+	return newImageSource(ctx, sys, ref)
 }
 // NewImageDestination returns a types.ImageDestination for this reference.
 // The caller must call .Close() on the returned ImageDestination.
-func (ref ociArchiveReference) NewImageDestination(ctx *types.SystemContext) (types.ImageDestination, error) {
+func (ref ociArchiveReference) NewImageDestination(ctx context.Context, sys *types.SystemContext) (types.ImageDestination, error) {
-	return newImageDestination(ctx, ref)
+	return newImageDestination(ctx, sys, ref)
 }
 // DeleteImage deletes the named image from the registry, if supported.
-func (ref ociArchiveReference) DeleteImage(ctx *types.SystemContext) error {
+func (ref ociArchiveReference) DeleteImage(ctx context.Context, sys *types.SystemContext) error {
 	return errors.Errorf("Deleting images not implemented for oci: images")
 }
@ -180,6 +181,7 @@ func createUntarTempDir(ref ociArchiveReference) (tempDirOCIRef, error) {
 	}
 	src := ref.resolvedFile
 	dst := tempDirRef.tempDirectory
 	// TODO: This can take quite some time, and should ideally be cancellable using a context.Context.
 	if err := archive.UntarPath(src, dst); err != nil {
 		if err := tempDirRef.deleteTempDir(); err != nil {
 			return tempDirOCIRef{}, errors.Wrapf(err, "error deleting temp directory %q", tempDirRef.tempDirectory)
--- a/vendor/github.com/containers/image/oci/layout/oci_dest.go
+++ b/vendor/github.com/containers/image/oci/layout/oci_dest.go
@ -1,6 +1,7 @@
 package layout
 import (
 	"context"
 	"encoding/json"
 	"io"
 	"io/ioutil"
@ -8,13 +9,12 @@ import (
 	"path/filepath"
 	"runtime"
 	"github.com/pkg/errors"
 	"github.com/containers/image/manifest"
 	"github.com/containers/image/types"
-	"github.com/opencontainers/go-digest"
+	digest "github.com/opencontainers/go-digest"
 	imgspec "github.com/opencontainers/image-spec/specs-go"
 	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
 )
 type ociImageDestination struct {
@ -24,9 +24,9 @@ type ociImageDestination struct {
 }
 // newImageDestination returns an ImageDestination for writing to an existing directory.
-func newImageDestination(ctx *types.SystemContext, ref ociReference) (types.ImageDestination, error) {
+func newImageDestination(sys *types.SystemContext, ref ociReference) (types.ImageDestination, error) {
 	if ref.image == "" {
-		return nil, errors.Errorf("cannot save image with empty image.ref.name")
+		return nil, errors.Errorf("cannot save image with empty reference name (syntax must be of form <transport>:<path>:<reference>)")
 	}
 	var index *imgspecv1.Index
@ -45,8 +45,8 @@ func newImageDestination(ctx *types.SystemContext, ref ociReference) (types.Imag
 	}
 	d := &ociImageDestination{ref: ref, index: *index}
-	if ctx != nil {
+	if sys != nil {
-		d.sharedBlobDir = ctx.OCISharedBlobDirPath
+		d.sharedBlobDir = sys.OCISharedBlobDirPath
 	}
 	if err := ensureDirectoryExists(d.ref.dir); err != nil {
@ -80,7 +80,7 @@ func (d *ociImageDestination) SupportedManifestMIMETypes() []string {
 // SupportsSignatures returns an error (to be displayed to the user) if the destination certainly can't store signatures.
 // Note: It is still possible for PutSignatures to fail if SupportsSignatures returns nil.
-func (d *ociImageDestination) SupportsSignatures() error {
+func (d *ociImageDestination) SupportsSignatures(ctx context.Context) error {
 	return errors.Errorf("Pushing signatures for OCI images is not supported")
 }
@ -105,7 +105,7 @@ func (d *ociImageDestination) MustMatchRuntimeOS() bool {
 // WARNING: The contents of stream are being verified on the fly.  Until stream.Read() returns io.EOF, the contents of the data SHOULD NOT be available
 // to any other readers for download using the supplied digest.
 // If stream.Read() at any time, ESPECIALLY at end of input, returns an error, PutBlob MUST 1) fail, and 2) delete any data stored so far.
-func (d *ociImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobInfo, isConfig bool) (types.BlobInfo, error) {
+func (d *ociImageDestination) PutBlob(ctx context.Context, stream io.Reader, inputInfo types.BlobInfo, isConfig bool) (types.BlobInfo, error) {
 	blobFile, err := ioutil.TempFile(d.ref.dir, "oci-put-blob")
 	if err != nil {
 		return types.BlobInfo{}, err
@ -124,6 +124,7 @@ func (d *ociImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobInfo
 	digester := digest.Canonical.Digester()
 	tee := io.TeeReader(stream, digester.Hash())
 	// TODO: This can take quite some time, and should ideally be cancellable using ctx.Done().
 	size, err := io.Copy(blobFile, tee)
 	if err != nil {
 		return types.BlobInfo{}, err
@ -168,7 +169,7 @@ func (d *ociImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobInfo
 // Unlike PutBlob, the digest can not be empty.  If HasBlob returns true, the size of the blob must also be returned.
 // If the destination does not contain the blob, or it is unknown, HasBlob ordinarily returns (false, -1, nil);
 // it returns a non-nil error only on an unexpected failure.
-func (d *ociImageDestination) HasBlob(info types.BlobInfo) (bool, int64, error) {
+func (d *ociImageDestination) HasBlob(ctx context.Context, info types.BlobInfo) (bool, int64, error) {
 	if info.Digest == "" {
 		return false, -1, errors.Errorf(`"Can not check for a blob with unknown digest`)
 	}
@ -186,7 +187,7 @@ func (d *ociImageDestination) HasBlob(info types.BlobInfo) (bool, int64, error)
 	return true, finfo.Size(), nil
 }
-func (d *ociImageDestination) ReapplyBlob(info types.BlobInfo) (types.BlobInfo, error) {
+func (d *ociImageDestination) ReapplyBlob(ctx context.Context, info types.BlobInfo) (types.BlobInfo, error) {
 	return info, nil
 }
@ -194,7 +195,7 @@ func (d *ociImageDestination) ReapplyBlob(info types.BlobInfo) (types.BlobInfo,
 // FIXME? This should also receive a MIME type if known, to differentiate between schema versions.
 // If the destination is in principle available, refuses this manifest type (e.g. it does not recognize the schema),
 // but may accept a different manifest type, the returned error must be an ManifestTypeRejectedError.
-func (d *ociImageDestination) PutManifest(m []byte) error {
+func (d *ociImageDestination) PutManifest(ctx context.Context, m []byte) error {
 	digest, err := manifest.Digest(m)
 	if err != nil {
 		return err
@ -243,7 +244,7 @@ func (d *ociImageDestination) addManifest(desc *imgspecv1.Descriptor) {
 	d.index.Manifests = append(d.index.Manifests, *desc)
 }
-func (d *ociImageDestination) PutSignatures(signatures [][]byte) error {
+func (d *ociImageDestination) PutSignatures(ctx context.Context, signatures [][]byte) error {
 	if len(signatures) != 0 {
 		return errors.Errorf("Pushing signatures for OCI images is not supported")
 	}
@ -254,7 +255,7 @@ func (d *ociImageDestination) PutSignatures(signatures [][]byte) error {
 // WARNING: This does not have any transactional semantics:
 // - Uploaded data MAY be visible to others before Commit() is called
 // - Uploaded data MAY be removed or MAY remain around if Close() is called without Commit() (i.e. rollback is allowed but not guaranteed)
-func (d *ociImageDestination) Commit() error {
+func (d *ociImageDestination) Commit(ctx context.Context) error {
 	if err := ioutil.WriteFile(d.ref.ociLayoutPath(), []byte(`{"imageLayoutVersion": "1.0.0"}`), 0644); err != nil {
 		return err
 	}
--- a/vendor/github.com/containers/image/oci/layout/oci_src.go
+++ b/vendor/github.com/containers/image/oci/layout/oci_src.go
@ -24,15 +24,15 @@ type ociImageSource struct {
 }
 // newImageSource returns an ImageSource for reading from an existing directory.
-func newImageSource(ctx *types.SystemContext, ref ociReference) (types.ImageSource, error) {
+func newImageSource(sys *types.SystemContext, ref ociReference) (types.ImageSource, error) {
 	tr := tlsclientconfig.NewTransport()
 	tr.TLSClientConfig = tlsconfig.ServerDefault()
-	if ctx != nil && ctx.OCICertPath != "" {
+	if sys != nil && sys.OCICertPath != "" {
-		if err := tlsclientconfig.SetupCertificates(ctx.OCICertPath, tr.TLSClientConfig); err != nil {
+		if err := tlsclientconfig.SetupCertificates(sys.OCICertPath, tr.TLSClientConfig); err != nil {
 			return nil, err
 		}
-		tr.TLSClientConfig.InsecureSkipVerify = ctx.OCIInsecureSkipTLSVerify
+		tr.TLSClientConfig.InsecureSkipVerify = sys.OCIInsecureSkipTLSVerify
 	}
 	client := &http.Client{}
@ -42,9 +42,9 @@ func newImageSource(ctx *types.SystemContext, ref ociReference) (types.ImageSour
 		return nil, err
 	}
 	d := &ociImageSource{ref: ref, descriptor: descriptor, client: client}
-	if ctx != nil {
+	if sys != nil {
 		// TODO(jonboulle): check dir existence?
-		d.sharedBlobDir = ctx.OCISharedBlobDirPath
+		d.sharedBlobDir = sys.OCISharedBlobDirPath
 	}
 	return d, nil
 }
@ -63,7 +63,7 @@ func (s *ociImageSource) Close() error {
 // It may use a remote (= slow) service.
 // If instanceDigest is not nil, it contains a digest of the specific manifest instance to retrieve (when the primary manifest is a manifest list);
 // this never happens if the primary manifest is not a manifest list (e.g. if the source never returns manifest lists).
-func (s *ociImageSource) GetManifest(instanceDigest *digest.Digest) ([]byte, string, error) {
+func (s *ociImageSource) GetManifest(ctx context.Context, instanceDigest *digest.Digest) ([]byte, string, error) {
 	var dig digest.Digest
 	var mimeType string
 	if instanceDigest == nil {
@ -93,9 +93,9 @@ func (s *ociImageSource) GetManifest(instanceDigest *digest.Digest) ([]byte, str
 }
 // GetBlob returns a stream for the specified blob, and the blob's size.
-func (s *ociImageSource) GetBlob(info types.BlobInfo) (io.ReadCloser, int64, error) {
+func (s *ociImageSource) GetBlob(ctx context.Context, info types.BlobInfo) (io.ReadCloser, int64, error) {
 	if len(info.URLs) != 0 {
-		return s.getExternalBlob(info.URLs)
+		return s.getExternalBlob(ctx, info.URLs)
 	}
 	path, err := s.ref.blobPath(info.Digest, s.sharedBlobDir)
@ -122,10 +122,17 @@ func (s *ociImageSource) GetSignatures(ctx context.Context, instanceDigest *dige
 	return [][]byte{}, nil
 }
-func (s *ociImageSource) getExternalBlob(urls []string) (io.ReadCloser, int64, error) {
+func (s *ociImageSource) getExternalBlob(ctx context.Context, urls []string) (io.ReadCloser, int64, error) {
 	errWrap := errors.New("failed fetching external blob from all urls")
 	for _, url := range urls {
-		resp, err := s.client.Get(url)
+
 		req, err := http.NewRequest("GET", url, nil)
 		if err != nil {
 			errWrap = errors.Wrapf(errWrap, "fetching %s failed %s", url, err.Error())
 			continue
 		}
 		resp, err := s.client.Do(req.WithContext(ctx))
 		if err != nil {
 			errWrap = errors.Wrapf(errWrap, "fetching %s failed %s", url, err.Error())
 			continue
@ -144,7 +151,7 @@ func (s *ociImageSource) getExternalBlob(urls []string) (io.ReadCloser, int64, e
 }
 // LayerInfosForCopy() returns updated layer info that should be used when reading, in preference to values in the manifest, if specified.
-func (s *ociImageSource) LayerInfosForCopy() ([]types.BlobInfo, error) {
+func (s *ociImageSource) LayerInfosForCopy(ctx context.Context) ([]types.BlobInfo, error) {
 	return nil, nil
 }
--- a/vendor/github.com/containers/image/oci/layout/oci_transport.go
+++ b/vendor/github.com/containers/image/oci/layout/oci_transport.go
@ -1,6 +1,7 @@
 package layout
 import (
 	"context"
 	"encoding/json"
 	"fmt"
 	"os"
@ -144,12 +145,12 @@ func (ref ociReference) PolicyConfigurationNamespaces() []string {
 // NOTE: If any kind of signature verification should happen, build an UnparsedImage from the value returned by NewImageSource,
 // verify that UnparsedImage, and convert it into a real Image via image.FromUnparsedImage.
 // WARNING: This may not do the right thing for a manifest list, see image.FromSource for details.
-func (ref ociReference) NewImage(ctx *types.SystemContext) (types.ImageCloser, error) {
+func (ref ociReference) NewImage(ctx context.Context, sys *types.SystemContext) (types.ImageCloser, error) {
-	src, err := newImageSource(ctx, ref)
+	src, err := newImageSource(sys, ref)
 	if err != nil {
 		return nil, err
 	}
-	return image.FromSource(ctx, src)
+	return image.FromSource(ctx, sys, src)
 }
 // getIndex returns a pointer to the index references by this ociReference. If an error occurs opening an index nil is returned together
@ -217,18 +218,18 @@ func LoadManifestDescriptor(imgRef types.ImageReference) (imgspecv1.Descriptor,
 // NewImageSource returns a types.ImageSource for this reference.
 // The caller must call .Close() on the returned ImageSource.
-func (ref ociReference) NewImageSource(ctx *types.SystemContext) (types.ImageSource, error) {
+func (ref ociReference) NewImageSource(ctx context.Context, sys *types.SystemContext) (types.ImageSource, error) {
-	return newImageSource(ctx, ref)
+	return newImageSource(sys, ref)
 }
 // NewImageDestination returns a types.ImageDestination for this reference.
 // The caller must call .Close() on the returned ImageDestination.
-func (ref ociReference) NewImageDestination(ctx *types.SystemContext) (types.ImageDestination, error) {
+func (ref ociReference) NewImageDestination(ctx context.Context, sys *types.SystemContext) (types.ImageDestination, error) {
-	return newImageDestination(ctx, ref)
+	return newImageDestination(sys, ref)
 }
 // DeleteImage deletes the named image from the registry, if supported.
-func (ref ociReference) DeleteImage(ctx *types.SystemContext) error {
+func (ref ociReference) DeleteImage(ctx context.Context, sys *types.SystemContext) error {
 	return errors.Errorf("Deleting images not implemented for oci: images")
 }
--- a/vendor/github.com/containers/image/openshift/openshift.go
+++ b/vendor/github.com/containers/image/openshift/openshift.go
@ -162,7 +162,7 @@ func (c *openshiftClient) convertDockerImageReference(ref string) (string, error
 type openshiftImageSource struct {
 	client *openshiftClient
 	// Values specific to this image
-	ctx *types.SystemContext
+	sys *types.SystemContext
 	// State
 	docker               types.ImageSource // The Docker Registry endpoint, or nil if not resolved yet
 	imageStreamImageName string            // Resolved image identifier, or "" if not known yet
@ -170,7 +170,7 @@ type openshiftImageSource struct {
 // newImageSource creates a new ImageSource for the specified reference.
 // The caller must call .Close() on the returned ImageSource.
-func newImageSource(ctx *types.SystemContext, ref openshiftReference) (types.ImageSource, error) {
+func newImageSource(sys *types.SystemContext, ref openshiftReference) (types.ImageSource, error) {
 	client, err := newOpenshiftClient(ref)
 	if err != nil {
 		return nil, err
@ -178,7 +178,7 @@ func newImageSource(ctx *types.SystemContext, ref openshiftReference) (types.Ima
 	return &openshiftImageSource{
 		client: client,
-		ctx:    ctx,
+		sys:    sys,
 	}, nil
 }
@ -204,19 +204,19 @@ func (s *openshiftImageSource) Close() error {
 // It may use a remote (= slow) service.
 // If instanceDigest is not nil, it contains a digest of the specific manifest instance to retrieve (when the primary manifest is a manifest list);
 // this never happens if the primary manifest is not a manifest list (e.g. if the source never returns manifest lists).
-func (s *openshiftImageSource) GetManifest(instanceDigest *digest.Digest) ([]byte, string, error) {
+func (s *openshiftImageSource) GetManifest(ctx context.Context, instanceDigest *digest.Digest) ([]byte, string, error) {
-	if err := s.ensureImageIsResolved(context.TODO()); err != nil {
+	if err := s.ensureImageIsResolved(ctx); err != nil {
 		return nil, "", err
 	}
-	return s.docker.GetManifest(instanceDigest)
+	return s.docker.GetManifest(ctx, instanceDigest)
 }
 // GetBlob returns a stream for the specified blob, and the blob’s size (or -1 if unknown).
-func (s *openshiftImageSource) GetBlob(info types.BlobInfo) (io.ReadCloser, int64, error) {
+func (s *openshiftImageSource) GetBlob(ctx context.Context, info types.BlobInfo) (io.ReadCloser, int64, error) {
-	if err := s.ensureImageIsResolved(context.TODO()); err != nil {
+	if err := s.ensureImageIsResolved(ctx); err != nil {
 		return nil, 0, err
 	}
-	return s.docker.GetBlob(info)
+	return s.docker.GetBlob(ctx, info)
 }
 // GetSignatures returns the image's signatures.  It may use a remote (= slow) service.
@ -247,7 +247,7 @@ func (s *openshiftImageSource) GetSignatures(ctx context.Context, instanceDigest
 }
 // LayerInfosForCopy() returns updated layer info that should be used when reading, in preference to values in the manifest, if specified.
-func (s *openshiftImageSource) LayerInfosForCopy() ([]types.BlobInfo, error) {
+func (s *openshiftImageSource) LayerInfosForCopy(ctx context.Context) ([]types.BlobInfo, error) {
 	return nil, nil
 }
@ -291,7 +291,7 @@ func (s *openshiftImageSource) ensureImageIsResolved(ctx context.Context) error
 	if err != nil {
 		return err
 	}
-	d, err := dockerRef.NewImageSource(s.ctx)
+	d, err := dockerRef.NewImageSource(ctx, s.sys)
 	if err != nil {
 		return err
 	}
@ -308,7 +308,7 @@ type openshiftImageDestination struct {
 }
 // newImageDestination creates a new ImageDestination for the specified reference.
-func newImageDestination(ctx *types.SystemContext, ref openshiftReference) (types.ImageDestination, error) {
+func newImageDestination(ctx context.Context, sys *types.SystemContext, ref openshiftReference) (types.ImageDestination, error) {
 	client, err := newOpenshiftClient(ref)
 	if err != nil {
 		return nil, err
@ -322,7 +322,7 @@ func newImageDestination(ctx *types.SystemContext, ref openshiftReference) (type
 	if err != nil {
 		return nil, err
 	}
-	docker, err := dockerRef.NewImageDestination(ctx)
+	docker, err := dockerRef.NewImageDestination(ctx, sys)
 	if err != nil {
 		return nil, err
 	}
@ -350,7 +350,7 @@ func (d *openshiftImageDestination) SupportedManifestMIMETypes() []string {
 // SupportsSignatures returns an error (to be displayed to the user) if the destination certainly can't store signatures.
 // Note: It is still possible for PutSignatures to fail if SupportsSignatures returns nil.
-func (d *openshiftImageDestination) SupportsSignatures() error {
+func (d *openshiftImageDestination) SupportsSignatures(ctx context.Context) error {
 	return nil
 }
@ -375,37 +375,37 @@ func (d *openshiftImageDestination) MustMatchRuntimeOS() bool {
 // WARNING: The contents of stream are being verified on the fly.  Until stream.Read() returns io.EOF, the contents of the data SHOULD NOT be available
 // to any other readers for download using the supplied digest.
 // If stream.Read() at any time, ESPECIALLY at end of input, returns an error, PutBlob MUST 1) fail, and 2) delete any data stored so far.
-func (d *openshiftImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobInfo, isConfig bool) (types.BlobInfo, error) {
+func (d *openshiftImageDestination) PutBlob(ctx context.Context, stream io.Reader, inputInfo types.BlobInfo, isConfig bool) (types.BlobInfo, error) {
-	return d.docker.PutBlob(stream, inputInfo, isConfig)
+	return d.docker.PutBlob(ctx, stream, inputInfo, isConfig)
 }
 // HasBlob returns true iff the image destination already contains a blob with the matching digest which can be reapplied using ReapplyBlob.
 // Unlike PutBlob, the digest can not be empty.  If HasBlob returns true, the size of the blob must also be returned.
 // If the destination does not contain the blob, or it is unknown, HasBlob ordinarily returns (false, -1, nil);
 // it returns a non-nil error only on an unexpected failure.
-func (d *openshiftImageDestination) HasBlob(info types.BlobInfo) (bool, int64, error) {
+func (d *openshiftImageDestination) HasBlob(ctx context.Context, info types.BlobInfo) (bool, int64, error) {
-	return d.docker.HasBlob(info)
+	return d.docker.HasBlob(ctx, info)
 }
-func (d *openshiftImageDestination) ReapplyBlob(info types.BlobInfo) (types.BlobInfo, error) {
+func (d *openshiftImageDestination) ReapplyBlob(ctx context.Context, info types.BlobInfo) (types.BlobInfo, error) {
-	return d.docker.ReapplyBlob(info)
+	return d.docker.ReapplyBlob(ctx, info)
 }
 // PutManifest writes manifest to the destination.
 // FIXME? This should also receive a MIME type if known, to differentiate between schema versions.
 // If the destination is in principle available, refuses this manifest type (e.g. it does not recognize the schema),
 // but may accept a different manifest type, the returned error must be an ManifestTypeRejectedError.
-func (d *openshiftImageDestination) PutManifest(m []byte) error {
+func (d *openshiftImageDestination) PutManifest(ctx context.Context, m []byte) error {
 	manifestDigest, err := manifest.Digest(m)
 	if err != nil {
 		return err
 	}
 	d.imageStreamImageName = manifestDigest.String()
-	return d.docker.PutManifest(m)
+	return d.docker.PutManifest(ctx, m)
 }
-func (d *openshiftImageDestination) PutSignatures(signatures [][]byte) error {
+func (d *openshiftImageDestination) PutSignatures(ctx context.Context, signatures [][]byte) error {
 	if d.imageStreamImageName == "" {
 		return errors.Errorf("Internal error: Unknown manifest digest, can't add signatures")
 	}
@ -416,7 +416,7 @@ func (d *openshiftImageDestination) PutSignatures(signatures [][]byte) error {
 		return nil // No need to even read the old state.
 	}
-	image, err := d.client.getImage(context.TODO(), d.imageStreamImageName)
+	image, err := d.client.getImage(ctx, d.imageStreamImageName)
 	if err != nil {
 		return err
 	}
@ -457,7 +457,7 @@ sigExists:
 			Content:    newSig,
 		}
 		body, err := json.Marshal(sig)
-		_, err = d.client.doRequest(context.TODO(), "POST", "/oapi/v1/imagesignatures", body)
+		_, err = d.client.doRequest(ctx, "POST", "/oapi/v1/imagesignatures", body)
 		if err != nil {
 			return err
 		}
@ -470,8 +470,8 @@ sigExists:
 // WARNING: This does not have any transactional semantics:
 // - Uploaded data MAY be visible to others before Commit() is called
 // - Uploaded data MAY be removed or MAY remain around if Close() is called without Commit() (i.e. rollback is allowed but not guaranteed)
-func (d *openshiftImageDestination) Commit() error {
+func (d *openshiftImageDestination) Commit(ctx context.Context) error {
-	return d.docker.Commit()
+	return d.docker.Commit(ctx)
 }
 // These structs are subsets of github.com/openshift/origin/pkg/image/api/v1 and its dependencies.
--- a/vendor/github.com/containers/image/openshift/openshift_transport.go
+++ b/vendor/github.com/containers/image/openshift/openshift_transport.go
@ -1,6 +1,7 @@
 package openshift
 import (
 	"context"
 	"fmt"
 	"regexp"
 	"strings"
@ -130,27 +131,27 @@ func (ref openshiftReference) PolicyConfigurationNamespaces() []string {
 // NOTE: If any kind of signature verification should happen, build an UnparsedImage from the value returned by NewImageSource,
 // verify that UnparsedImage, and convert it into a real Image via image.FromUnparsedImage.
 // WARNING: This may not do the right thing for a manifest list, see image.FromSource for details.
-func (ref openshiftReference) NewImage(ctx *types.SystemContext) (types.ImageCloser, error) {
+func (ref openshiftReference) NewImage(ctx context.Context, sys *types.SystemContext) (types.ImageCloser, error) {
-	src, err := newImageSource(ctx, ref)
+	src, err := newImageSource(sys, ref)
 	if err != nil {
 		return nil, err
 	}
-	return genericImage.FromSource(ctx, src)
+	return genericImage.FromSource(ctx, sys, src)
 }
 // NewImageSource returns a types.ImageSource for this reference.
 // The caller must call .Close() on the returned ImageSource.
-func (ref openshiftReference) NewImageSource(ctx *types.SystemContext) (types.ImageSource, error) {
+func (ref openshiftReference) NewImageSource(ctx context.Context, sys *types.SystemContext) (types.ImageSource, error) {
-	return newImageSource(ctx, ref)
+	return newImageSource(sys, ref)
 }
 // NewImageDestination returns a types.ImageDestination for this reference.
 // The caller must call .Close() on the returned ImageDestination.
-func (ref openshiftReference) NewImageDestination(ctx *types.SystemContext) (types.ImageDestination, error) {
+func (ref openshiftReference) NewImageDestination(ctx context.Context, sys *types.SystemContext) (types.ImageDestination, error) {
-	return newImageDestination(ctx, ref)
+	return newImageDestination(ctx, sys, ref)
 }
 // DeleteImage deletes the named image from the registry, if supported.
-func (ref openshiftReference) DeleteImage(ctx *types.SystemContext) error {
+func (ref openshiftReference) DeleteImage(ctx context.Context, sys *types.SystemContext) error {
 	return errors.Errorf("Deleting images not implemented for atomic: images")
 }
--- a/vendor/github.com/containers/image/ostree/ostree_dest.go
+++ b/vendor/github.com/containers/image/ostree/ostree_dest.go
@ -5,6 +5,7 @@ package ostree
 import (
 	"bytes"
 	"compress/gzip"
 	"context"
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
@ -103,7 +104,7 @@ func (d *ostreeImageDestination) SupportedManifestMIMETypes() []string {
 // SupportsSignatures returns an error (to be displayed to the user) if the destination certainly can't store signatures.
 // Note: It is still possible for PutSignatures to fail if SupportsSignatures returns nil.
-func (d *ostreeImageDestination) SupportsSignatures() error {
+func (d *ostreeImageDestination) SupportsSignatures(ctx context.Context) error {
 	return nil
 }
@ -123,7 +124,7 @@ func (d *ostreeImageDestination) MustMatchRuntimeOS() bool {
 	return true
 }
-func (d *ostreeImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobInfo, isConfig bool) (types.BlobInfo, error) {
+func (d *ostreeImageDestination) PutBlob(ctx context.Context, stream io.Reader, inputInfo types.BlobInfo, isConfig bool) (types.BlobInfo, error) {
 	tmpDir, err := ioutil.TempDir(d.tmpDirPath, "blob")
 	if err != nil {
 		return types.BlobInfo{}, err
@ -139,6 +140,7 @@ func (d *ostreeImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobI
 	digester := digest.Canonical.Digester()
 	tee := io.TeeReader(stream, digester.Hash())
 	// TODO: This can take quite some time, and should ideally be cancellable using ctx.Done().
 	size, err := io.Copy(blobFile, tee)
 	if err != nil {
 		return types.BlobInfo{}, err
@ -263,6 +265,8 @@ func generateTarSplitMetadata(output *bytes.Buffer, file string) (digest.Digest,
 }
 func (d *ostreeImageDestination) importBlob(selinuxHnd *C.struct_selabel_handle, repo *otbuiltin.Repo, blob *blobToImport) error {
 	// TODO: This can take quite some time, and should ideally be cancellable using a context.Context.
 	ostreeBranch := fmt.Sprintf("ociimage/%s", blob.Digest.Hex())
 	destinationPath := filepath.Join(d.tmpDirPath, blob.Digest.Hex(), "root")
 	if err := ensureDirectoryExists(destinationPath); err != nil {
@ -310,7 +314,7 @@ func (d *ostreeImageDestination) importConfig(repo *otbuiltin.Repo, blob *blobTo
 	return d.ostreeCommit(repo, ostreeBranch, destinationPath, []string{fmt.Sprintf("docker.size=%d", blob.Size)})
 }
-func (d *ostreeImageDestination) HasBlob(info types.BlobInfo) (bool, int64, error) {
+func (d *ostreeImageDestination) HasBlob(ctx context.Context, info types.BlobInfo) (bool, int64, error) {
 	if d.repo == nil {
 		repo, err := openRepo(d.ref.repo)
@ -344,7 +348,7 @@ func (d *ostreeImageDestination) HasBlob(info types.BlobInfo) (bool, int64, erro
 	return true, size, nil
 }
-func (d *ostreeImageDestination) ReapplyBlob(info types.BlobInfo) (types.BlobInfo, error) {
+func (d *ostreeImageDestination) ReapplyBlob(ctx context.Context, info types.BlobInfo) (types.BlobInfo, error) {
 	return info, nil
 }
@ -352,7 +356,7 @@ func (d *ostreeImageDestination) ReapplyBlob(info types.BlobInfo) (types.BlobInf
 // FIXME? This should also receive a MIME type if known, to differentiate between schema versions.
 // If the destination is in principle available, refuses this manifest type (e.g. it does not recognize the schema),
 // but may accept a different manifest type, the returned error must be an ManifestTypeRejectedError.
-func (d *ostreeImageDestination) PutManifest(manifestBlob []byte) error {
+func (d *ostreeImageDestination) PutManifest(ctx context.Context, manifestBlob []byte) error {
 	d.manifest = string(manifestBlob)
 	if err := json.Unmarshal(manifestBlob, &d.schema); err != nil {
@ -373,7 +377,7 @@ func (d *ostreeImageDestination) PutManifest(manifestBlob []byte) error {
 	return ioutil.WriteFile(manifestPath, manifestBlob, 0644)
 }
-func (d *ostreeImageDestination) PutSignatures(signatures [][]byte) error {
+func (d *ostreeImageDestination) PutSignatures(ctx context.Context, signatures [][]byte) error {
 	path := filepath.Join(d.tmpDirPath, d.ref.signaturePath(0))
 	if err := ensureParentDirectoryExists(path); err != nil {
 		return err
@ -389,7 +393,7 @@ func (d *ostreeImageDestination) PutSignatures(signatures [][]byte) error {
 	return nil
 }
-func (d *ostreeImageDestination) Commit() error {
+func (d *ostreeImageDestination) Commit(ctx context.Context) error {
 	repo, err := otbuiltin.OpenRepo(d.ref.repo)
 	if err != nil {
 		return err
--- a/vendor/github.com/containers/image/ostree/ostree_src.go
+++ b/vendor/github.com/containers/image/ostree/ostree_src.go
@ -42,7 +42,7 @@ type ostreeImageSource struct {
 }
 // newImageSource returns an ImageSource for reading from an existing directory.
-func newImageSource(ctx *types.SystemContext, tmpDir string, ref ostreeReference) (types.ImageSource, error) {
+func newImageSource(tmpDir string, ref ostreeReference) (types.ImageSource, error) {
 	return &ostreeImageSource{ref: ref, tmpDir: tmpDir, compressed: nil}, nil
 }
@ -92,7 +92,7 @@ func (s *ostreeImageSource) getTarSplitData(blob string) ([]byte, error) {
 // GetManifest returns the image's manifest along with its MIME type (which may be empty when it can't be determined but the manifest is available).
 // It may use a remote (= slow) service.
-func (s *ostreeImageSource) GetManifest(instanceDigest *digest.Digest) ([]byte, string, error) {
+func (s *ostreeImageSource) GetManifest(ctx context.Context, instanceDigest *digest.Digest) ([]byte, string, error) {
 	if instanceDigest != nil {
 		return nil, "", errors.Errorf(`Manifest lists are not supported by "ostree:"`)
 	}
@ -256,13 +256,13 @@ func (s *ostreeImageSource) readSingleFile(commit, path string) (io.ReadCloser,
 }
 // GetBlob returns a stream for the specified blob, and the blob's size.
-func (s *ostreeImageSource) GetBlob(info types.BlobInfo) (io.ReadCloser, int64, error) {
+func (s *ostreeImageSource) GetBlob(ctx context.Context, info types.BlobInfo) (io.ReadCloser, int64, error) {
 	blob := info.Digest.Hex()
 	// Ensure s.compressed is initialized.  It is build by LayerInfosForCopy.
 	if s.compressed == nil {
-		_, err := s.LayerInfosForCopy()
+		_, err := s.LayerInfosForCopy(ctx)
 		if err != nil {
 			return nil, -1, err
 		}
@ -366,9 +366,9 @@ func (s *ostreeImageSource) GetSignatures(ctx context.Context, instanceDigest *d
 // LayerInfosForCopy() returns the list of layer blobs that make up the root filesystem of
 // the image, after they've been decompressed.
-func (s *ostreeImageSource) LayerInfosForCopy() ([]types.BlobInfo, error) {
+func (s *ostreeImageSource) LayerInfosForCopy(ctx context.Context) ([]types.BlobInfo, error) {
 	updatedBlobInfos := []types.BlobInfo{}
-	manifestBlob, manifestType, err := s.GetManifest(nil)
+	manifestBlob, manifestType, err := s.GetManifest(ctx, nil)
 	if err != nil {
 		return nil, err
 	}
--- a/vendor/github.com/containers/image/ostree/ostree_transport.go
+++ b/vendor/github.com/containers/image/ostree/ostree_transport.go
@ -4,6 +4,7 @@ package ostree
 import (
 	"bytes"
 	"context"
 	"fmt"
 	"os"
 	"path/filepath"
@ -181,46 +182,46 @@ func (s *ostreeImageCloser) Size() (int64, error) {
 // The caller must call .Close() on the returned ImageCloser.
 // NOTE: If any kind of signature verification should happen, build an UnparsedImage from the value returned by NewImageSource,
 // verify that UnparsedImage, and convert it into a real Image via image.FromUnparsedImage.
-func (ref ostreeReference) NewImage(ctx *types.SystemContext) (types.ImageCloser, error) {
+func (ref ostreeReference) NewImage(ctx context.Context, sys *types.SystemContext) (types.ImageCloser, error) {
 	var tmpDir string
-	if ctx == nil || ctx.OSTreeTmpDirPath == "" {
+	if sys == nil || sys.OSTreeTmpDirPath == "" {
 		tmpDir = os.TempDir()
 	} else {
-		tmpDir = ctx.OSTreeTmpDirPath
+		tmpDir = sys.OSTreeTmpDirPath
 	}
-	src, err := newImageSource(ctx, tmpDir, ref)
+	src, err := newImageSource(tmpDir, ref)
 	if err != nil {
 		return nil, err
 	}
-	return image.FromSource(ctx, src)
+	return image.FromSource(ctx, sys, src)
 }
 // NewImageSource returns a types.ImageSource for this reference.
 // The caller must call .Close() on the returned ImageSource.
-func (ref ostreeReference) NewImageSource(ctx *types.SystemContext) (types.ImageSource, error) {
+func (ref ostreeReference) NewImageSource(ctx context.Context, sys *types.SystemContext) (types.ImageSource, error) {
 	var tmpDir string
-	if ctx == nil || ctx.OSTreeTmpDirPath == "" {
+	if sys == nil || sys.OSTreeTmpDirPath == "" {
 		tmpDir = os.TempDir()
 	} else {
-		tmpDir = ctx.OSTreeTmpDirPath
+		tmpDir = sys.OSTreeTmpDirPath
 	}
-	return newImageSource(ctx, tmpDir, ref)
+	return newImageSource(tmpDir, ref)
 }
 // NewImageDestination returns a types.ImageDestination for this reference.
 // The caller must call .Close() on the returned ImageDestination.
-func (ref ostreeReference) NewImageDestination(ctx *types.SystemContext) (types.ImageDestination, error) {
+func (ref ostreeReference) NewImageDestination(ctx context.Context, sys *types.SystemContext) (types.ImageDestination, error) {
 	var tmpDir string
-	if ctx == nil || ctx.OSTreeTmpDirPath == "" {
+	if sys == nil || sys.OSTreeTmpDirPath == "" {
 		tmpDir = os.TempDir()
 	} else {
-		tmpDir = ctx.OSTreeTmpDirPath
+		tmpDir = sys.OSTreeTmpDirPath
 	}
 	return newImageDestination(ref, tmpDir)
 }
 // DeleteImage deletes the named image from the registry, if supported.
-func (ref ostreeReference) DeleteImage(ctx *types.SystemContext) error {
+func (ref ostreeReference) DeleteImage(ctx context.Context, sys *types.SystemContext) error {
 	return errors.Errorf("Deleting images not implemented for ostree: images")
 }
--- a/vendor/github.com/containers/image/pkg/docker/config/config.go
+++ b/vendor/github.com/containers/image/pkg/docker/config/config.go
@ -42,8 +42,8 @@ var (
 )
 // SetAuthentication stores the username and password in the auth.json file
-func SetAuthentication(ctx *types.SystemContext, registry, username, password string) error {
+func SetAuthentication(sys *types.SystemContext, registry, username, password string) error {
-	return modifyJSON(ctx, func(auths *dockerConfigFile) (bool, error) {
+	return modifyJSON(sys, func(auths *dockerConfigFile) (bool, error) {
 		if ch, exists := auths.CredHelpers[registry]; exists {
 			return false, setAuthToCredHelper(ch, registry, username, password)
 		}
@ -58,13 +58,13 @@ func SetAuthentication(ctx *types.SystemContext, registry, username, password st
 // GetAuthentication returns the registry credentials stored in
 // either auth.json file or .docker/config.json
 // If an entry is not found empty strings are returned for the username and password
-func GetAuthentication(ctx *types.SystemContext, registry string) (string, string, error) {
+func GetAuthentication(sys *types.SystemContext, registry string) (string, string, error) {
-	if ctx != nil && ctx.DockerAuthConfig != nil {
+	if sys != nil && sys.DockerAuthConfig != nil {
-		return ctx.DockerAuthConfig.Username, ctx.DockerAuthConfig.Password, nil
+		return sys.DockerAuthConfig.Username, sys.DockerAuthConfig.Password, nil
 	}
 	dockerLegacyPath := filepath.Join(homedir.Get(), dockerLegacyCfg)
-	pathToAuth, err := getPathToAuth(ctx)
+	pathToAuth, err := getPathToAuth(sys)
 	if err != nil {
 		return "", "", err
 	}
@ -86,8 +86,8 @@ func GetAuthentication(ctx *types.SystemContext, registry string) (string, strin
 // GetUserLoggedIn returns the username logged in to registry from either
 // auth.json or XDG_RUNTIME_DIR
 // Used to tell the user if someone is logged in to the registry when logging in
-func GetUserLoggedIn(ctx *types.SystemContext, registry string) (string, error) {
+func GetUserLoggedIn(sys *types.SystemContext, registry string) (string, error) {
-	path, err := getPathToAuth(ctx)
+	path, err := getPathToAuth(sys)
 	if err != nil {
 		return "", err
 	}
@ -99,8 +99,8 @@ func GetUserLoggedIn(ctx *types.SystemContext, registry string) (string, error)
 }
 // RemoveAuthentication deletes the credentials stored in auth.json
-func RemoveAuthentication(ctx *types.SystemContext, registry string) error {
+func RemoveAuthentication(sys *types.SystemContext, registry string) error {
-	return modifyJSON(ctx, func(auths *dockerConfigFile) (bool, error) {
+	return modifyJSON(sys, func(auths *dockerConfigFile) (bool, error) {
 		// First try cred helpers.
 		if ch, exists := auths.CredHelpers[registry]; exists {
 			return false, deleteAuthFromCredHelper(ch, registry)
@ -118,8 +118,8 @@ func RemoveAuthentication(ctx *types.SystemContext, registry string) error {
 }
 // RemoveAllAuthentication deletes all the credentials stored in auth.json
-func RemoveAllAuthentication(ctx *types.SystemContext) error {
+func RemoveAllAuthentication(sys *types.SystemContext) error {
-	return modifyJSON(ctx, func(auths *dockerConfigFile) (bool, error) {
+	return modifyJSON(sys, func(auths *dockerConfigFile) (bool, error) {
 		auths.CredHelpers = make(map[string]string)
 		auths.AuthConfigs = make(map[string]dockerAuthConfig)
 		return true, nil
@ -130,13 +130,13 @@ func RemoveAllAuthentication(ctx *types.SystemContext) error {
 // The path can be overriden by the user if the overwrite-path flag is set
 // If the flag is not set and XDG_RUNTIME_DIR is ser, the auth.json file is saved in XDG_RUNTIME_DIR/containers
 // Otherwise, the auth.json file is stored in /run/user/UID/containers
-func getPathToAuth(ctx *types.SystemContext) (string, error) {
+func getPathToAuth(sys *types.SystemContext) (string, error) {
-	if ctx != nil {
+	if sys != nil {
-		if ctx.AuthFilePath != "" {
+		if sys.AuthFilePath != "" {
-			return ctx.AuthFilePath, nil
+			return sys.AuthFilePath, nil
 		}
-		if ctx.RootForImplicitAbsolutePaths != "" {
+		if sys.RootForImplicitAbsolutePaths != "" {
-			return filepath.Join(ctx.RootForImplicitAbsolutePaths, defaultPath, strconv.Itoa(os.Getuid()), authCfg, authCfgFileName), nil
+			return filepath.Join(sys.RootForImplicitAbsolutePaths, defaultPath, strconv.Itoa(os.Getuid()), authCfg, authCfgFileName), nil
 		}
 	}
@ -183,8 +183,8 @@ func readJSONFile(path string, legacyFormat bool) (dockerConfigFile, error) {
 }
 // modifyJSON writes to auth.json if the dockerConfigFile has been updated
-func modifyJSON(ctx *types.SystemContext, editor func(auths *dockerConfigFile) (bool, error)) error {
+func modifyJSON(sys *types.SystemContext, editor func(auths *dockerConfigFile) (bool, error)) error {
-	path, err := getPathToAuth(ctx)
+	path, err := getPathToAuth(sys)
 	if err != nil {
 		return err
 	}
--- a/vendor/github.com/containers/image/pkg/sysregistries/system_registries.go
+++ b/vendor/github.com/containers/image/pkg/sysregistries/system_registries.go
@ -41,13 +41,13 @@ func normalizeRegistries(regs *registries) {
 // Reads the global registry file from the filesystem. Returns
 // a byte array
-func readRegistryConf(ctx *types.SystemContext) ([]byte, error) {
+func readRegistryConf(sys *types.SystemContext) ([]byte, error) {
 	dirPath := systemRegistriesConfPath
-	if ctx != nil {
+	if sys != nil {
-		if ctx.SystemRegistriesConfPath != "" {
+		if sys.SystemRegistriesConfPath != "" {
-			dirPath = ctx.SystemRegistriesConfPath
+			dirPath = sys.SystemRegistriesConfPath
-		} else if ctx.RootForImplicitAbsolutePaths != "" {
+		} else if sys.RootForImplicitAbsolutePaths != "" {
-			dirPath = filepath.Join(ctx.RootForImplicitAbsolutePaths, systemRegistriesConfPath)
+			dirPath = filepath.Join(sys.RootForImplicitAbsolutePaths, systemRegistriesConfPath)
 		}
 	}
 	configBytes, err := ioutil.ReadFile(dirPath)
@ -59,10 +59,10 @@ var readConf = readRegistryConf
 // Loads the registry configuration file from the filesystem and
 // then unmarshals it.  Returns the unmarshalled object.
-func loadRegistryConf(ctx *types.SystemContext) (*tomlConfig, error) {
+func loadRegistryConf(sys *types.SystemContext) (*tomlConfig, error) {
 	config := &tomlConfig{}
-	configBytes, err := readConf(ctx)
+	configBytes, err := readConf(sys)
 	if err != nil {
 		return nil, err
 	}
@ -78,8 +78,8 @@ func loadRegistryConf(ctx *types.SystemContext) (*tomlConfig, error) {
 // of the registries as defined in the system-wide
 // registries file.  it returns an empty array if none are
 // defined
-func GetRegistries(ctx *types.SystemContext) ([]string, error) {
+func GetRegistries(sys *types.SystemContext) ([]string, error) {
-	config, err := loadRegistryConf(ctx)
+	config, err := loadRegistryConf(sys)
 	if err != nil {
 		return nil, err
 	}
@ -90,8 +90,8 @@ func GetRegistries(ctx *types.SystemContext) ([]string, error) {
 // of the insecure registries as defined in the system-wide
 // registries file.  it returns an empty array if none are
 // defined
-func GetInsecureRegistries(ctx *types.SystemContext) ([]string, error) {
+func GetInsecureRegistries(sys *types.SystemContext) ([]string, error) {
-	config, err := loadRegistryConf(ctx)
+	config, err := loadRegistryConf(sys)
 	if err != nil {
 		return nil, err
 	}
--- a/vendor/github.com/containers/image/signature/policy_config.go
+++ b/vendor/github.com/containers/image/signature/policy_config.go
@ -44,21 +44,21 @@ func (err InvalidPolicyFormatError) Error() string {
 // DefaultPolicy returns the default policy of the system.
 // Most applications should be using this method to get the policy configured
 // by the system administrator.
-// ctx should usually be nil, can be set to override the default.
+// sys should usually be nil, can be set to override the default.
 // NOTE: When this function returns an error, report it to the user and abort.
 // DO NOT hard-code fallback policies in your application.
-func DefaultPolicy(ctx *types.SystemContext) (*Policy, error) {
+func DefaultPolicy(sys *types.SystemContext) (*Policy, error) {
-	return NewPolicyFromFile(defaultPolicyPath(ctx))
+	return NewPolicyFromFile(defaultPolicyPath(sys))
 }
 // defaultPolicyPath returns a path to the default policy of the system.
-func defaultPolicyPath(ctx *types.SystemContext) string {
+func defaultPolicyPath(sys *types.SystemContext) string {
-	if ctx != nil {
+	if sys != nil {
-		if ctx.SignaturePolicyPath != "" {
+		if sys.SignaturePolicyPath != "" {
-			return ctx.SignaturePolicyPath
+			return sys.SignaturePolicyPath
 		}
-		if ctx.RootForImplicitAbsolutePaths != "" {
+		if sys.RootForImplicitAbsolutePaths != "" {
-			return filepath.Join(ctx.RootForImplicitAbsolutePaths, systemDefaultPolicyPath)
+			return filepath.Join(sys.RootForImplicitAbsolutePaths, systemDefaultPolicyPath)
 		}
 	}
 	return systemDefaultPolicyPath
--- a/vendor/github.com/containers/image/signature/policy_eval.go
+++ b/vendor/github.com/containers/image/signature/policy_eval.go
@ -55,14 +55,14 @@ type PolicyRequirement interface {
 	//   a container based on this image; use IsRunningImageAllowed instead.
 	// - Just because a signature is accepted does not automatically mean the contents of the
 	//   signature are authorized to run code as root, or to affect system or cluster configuration.
-	isSignatureAuthorAccepted(image types.UnparsedImage, sig []byte) (signatureAcceptanceResult, *Signature, error)
+	isSignatureAuthorAccepted(ctx context.Context, image types.UnparsedImage, sig []byte) (signatureAcceptanceResult, *Signature, error)
 	// isRunningImageAllowed returns true if the requirement allows running an image.
 	// If it returns false, err must be non-nil, and should be an PolicyRequirementError if evaluation
 	// succeeded but the result was rejection.
 	// WARNING: This validates signatures and the manifest, but does not download or validate the
 	// layers. Users must validate that the layers match their expected digests.
-	isRunningImageAllowed(image types.UnparsedImage) (bool, error)
+	isRunningImageAllowed(ctx context.Context, image types.UnparsedImage) (bool, error)
 }
 // PolicyReferenceMatch specifies a set of image identities accepted in PolicyRequirement.
@ -175,7 +175,7 @@ func (pc *PolicyContext) requirementsForImageRef(ref types.ImageReference) Polic
 //   a container based on this image; use IsRunningImageAllowed instead.
 // - Just because a signature is accepted does not automatically mean the contents of the
 //   signature are authorized to run code as root, or to affect system or cluster configuration.
-func (pc *PolicyContext) GetSignaturesWithAcceptedAuthor(image types.UnparsedImage) (sigs []*Signature, finalErr error) {
+func (pc *PolicyContext) GetSignaturesWithAcceptedAuthor(ctx context.Context, image types.UnparsedImage) (sigs []*Signature, finalErr error) {
 	if err := pc.changeState(pcReady, pcInUse); err != nil {
 		return nil, err
 	}
@ -191,7 +191,7 @@ func (pc *PolicyContext) GetSignaturesWithAcceptedAuthor(image types.UnparsedIma
 	// FIXME: rename Signatures to UnverifiedSignatures
 	// FIXME: pass context.Context
-	unverifiedSignatures, err := image.Signatures(context.TODO())
+	unverifiedSignatures, err := image.Signatures(ctx)
 	if err != nil {
 		return nil, err
 	}
@ -206,7 +206,7 @@ func (pc *PolicyContext) GetSignaturesWithAcceptedAuthor(image types.UnparsedIma
 		for reqNumber, req := range reqs {
 			// FIXME: Log the requirement itself? For now, we use just the number.
 			// FIXME: supply state
-			switch res, as, err := req.isSignatureAuthorAccepted(image, sig); res {
+			switch res, as, err := req.isSignatureAuthorAccepted(ctx, image, sig); res {
 			case sarAccepted:
 				if as == nil { // Coverage: this should never happen
 					logrus.Debugf(" Requirement %d: internal inconsistency: sarAccepted but no parsed contents", reqNumber)
@ -256,7 +256,7 @@ func (pc *PolicyContext) GetSignaturesWithAcceptedAuthor(image types.UnparsedIma
 // succeeded but the result was rejection.
 // WARNING: This validates signatures and the manifest, but does not download or validate the
 // layers. Users must validate that the layers match their expected digests.
-func (pc *PolicyContext) IsRunningImageAllowed(image types.UnparsedImage) (res bool, finalErr error) {
+func (pc *PolicyContext) IsRunningImageAllowed(ctx context.Context, image types.UnparsedImage) (res bool, finalErr error) {
 	if err := pc.changeState(pcReady, pcInUse); err != nil {
 		return false, err
 	}
@ -276,7 +276,7 @@ func (pc *PolicyContext) IsRunningImageAllowed(image types.UnparsedImage) (res b
 	for reqNumber, req := range reqs {
 		// FIXME: supply state
-		allowed, err := req.isRunningImageAllowed(image)
+		allowed, err := req.isRunningImageAllowed(ctx, image)
 		if !allowed {
 			logrus.Debugf("Requirement %d: denied, done", reqNumber)
 			return false, err
--- a/vendor/github.com/containers/image/signature/policy_eval_baselayer.go
+++ b/vendor/github.com/containers/image/signature/policy_eval_baselayer.go
@ -3,15 +3,17 @@
 package signature
 import (
 	"context"
 	"github.com/containers/image/types"
 	"github.com/sirupsen/logrus"
 )
-func (pr *prSignedBaseLayer) isSignatureAuthorAccepted(image types.UnparsedImage, sig []byte) (signatureAcceptanceResult, *Signature, error) {
+func (pr *prSignedBaseLayer) isSignatureAuthorAccepted(ctx context.Context, image types.UnparsedImage, sig []byte) (signatureAcceptanceResult, *Signature, error) {
 	return sarUnknown, nil, nil
 }
-func (pr *prSignedBaseLayer) isRunningImageAllowed(image types.UnparsedImage) (bool, error) {
+func (pr *prSignedBaseLayer) isRunningImageAllowed(ctx context.Context, image types.UnparsedImage) (bool, error) {
 	// FIXME? Reject this at policy parsing time already?
 	logrus.Errorf("signedBaseLayer not implemented yet!")
 	return false, PolicyRequirementError("signedBaseLayer not implemented yet!")
--- a/vendor/github.com/containers/image/signature/policy_eval_signedby.go
+++ b/vendor/github.com/containers/image/signature/policy_eval_signedby.go
@ -15,7 +15,7 @@ import (
 	"github.com/opencontainers/go-digest"
 )
-func (pr *prSignedBy) isSignatureAuthorAccepted(image types.UnparsedImage, sig []byte) (signatureAcceptanceResult, *Signature, error) {
+func (pr *prSignedBy) isSignatureAuthorAccepted(ctx context.Context, image types.UnparsedImage, sig []byte) (signatureAcceptanceResult, *Signature, error) {
 	switch pr.KeyType {
 	case SBKeyTypeGPGKeys:
 	case SBKeyTypeSignedByGPGKeys, SBKeyTypeX509Certificates, SBKeyTypeSignedByX509CAs:
@ -69,7 +69,7 @@ func (pr *prSignedBy) isSignatureAuthorAccepted(image types.UnparsedImage, sig [
 			return nil
 		},
 		validateSignedDockerManifestDigest: func(digest digest.Digest) error {
-			m, _, err := image.Manifest()
+			m, _, err := image.Manifest(ctx)
 			if err != nil {
 				return err
 			}
@ -90,16 +90,16 @@ func (pr *prSignedBy) isSignatureAuthorAccepted(image types.UnparsedImage, sig [
 	return sarAccepted, signature, nil
 }
-func (pr *prSignedBy) isRunningImageAllowed(image types.UnparsedImage) (bool, error) {
+func (pr *prSignedBy) isRunningImageAllowed(ctx context.Context, image types.UnparsedImage) (bool, error) {
 	// FIXME: pass context.Context
-	sigs, err := image.Signatures(context.TODO())
+	sigs, err := image.Signatures(ctx)
 	if err != nil {
 		return false, err
 	}
 	var rejections []error
 	for _, s := range sigs {
 		var reason error
-		switch res, _, err := pr.isSignatureAuthorAccepted(image, s); res {
+		switch res, _, err := pr.isSignatureAuthorAccepted(ctx, image, s); res {
 		case sarAccepted:
 			// One accepted signature is enough.
 			return true, nil
--- a/vendor/github.com/containers/image/signature/policy_eval_simple.go
+++ b/vendor/github.com/containers/image/signature/policy_eval_simple.go
@ -3,26 +3,27 @@
 package signature
 import (
 	"context"
 	"fmt"
 	"github.com/containers/image/transports"
 	"github.com/containers/image/types"
 )
-func (pr *prInsecureAcceptAnything) isSignatureAuthorAccepted(image types.UnparsedImage, sig []byte) (signatureAcceptanceResult, *Signature, error) {
+func (pr *prInsecureAcceptAnything) isSignatureAuthorAccepted(ctx context.Context, image types.UnparsedImage, sig []byte) (signatureAcceptanceResult, *Signature, error) {
 	// prInsecureAcceptAnything semantics: Every image is allowed to run,
 	// but this does not consider the signature as verified.
 	return sarUnknown, nil, nil
 }
-func (pr *prInsecureAcceptAnything) isRunningImageAllowed(image types.UnparsedImage) (bool, error) {
+func (pr *prInsecureAcceptAnything) isRunningImageAllowed(ctx context.Context, image types.UnparsedImage) (bool, error) {
 	return true, nil
 }
-func (pr *prReject) isSignatureAuthorAccepted(image types.UnparsedImage, sig []byte) (signatureAcceptanceResult, *Signature, error) {
+func (pr *prReject) isSignatureAuthorAccepted(ctx context.Context, image types.UnparsedImage, sig []byte) (signatureAcceptanceResult, *Signature, error) {
 	return sarRejected, nil, PolicyRequirementError(fmt.Sprintf("Any signatures for image %s are rejected by policy.", transports.ImageName(image.Reference())))
 }
-func (pr *prReject) isRunningImageAllowed(image types.UnparsedImage) (bool, error) {
+func (pr *prReject) isRunningImageAllowed(ctx context.Context, image types.UnparsedImage) (bool, error) {
 	return false, PolicyRequirementError(fmt.Sprintf("Running image %s is rejected by policy.", transports.ImageName(image.Reference())))
 }
--- a/vendor/github.com/containers/image/storage/storage_image.go
+++ b/vendor/github.com/containers/image/storage/storage_image.go
@ -102,7 +102,7 @@ func (s storageImageSource) Close() error {
 }
 // GetBlob reads the data blob or filesystem layer which matches the digest and size, if given.
-func (s *storageImageSource) GetBlob(info types.BlobInfo) (rc io.ReadCloser, n int64, err error) {
+func (s *storageImageSource) GetBlob(ctx context.Context, info types.BlobInfo) (rc io.ReadCloser, n int64, err error) {
 	rc, n, _, err = s.getBlobAndLayerID(info)
 	return rc, n, err
 }
@ -158,7 +158,7 @@ func (s *storageImageSource) getBlobAndLayerID(info types.BlobInfo) (rc io.ReadC
 }
 // GetManifest() reads the image's manifest.
-func (s *storageImageSource) GetManifest(instanceDigest *digest.Digest) (manifestBlob []byte, MIMEType string, err error) {
+func (s *storageImageSource) GetManifest(ctx context.Context, instanceDigest *digest.Digest) (manifestBlob []byte, MIMEType string, err error) {
 	if instanceDigest != nil {
 		return nil, "", ErrNoManifestLists
 	}
@ -175,9 +175,9 @@ func (s *storageImageSource) GetManifest(instanceDigest *digest.Digest) (manifes
 // LayerInfosForCopy() returns the list of layer blobs that make up the root filesystem of
 // the image, after they've been decompressed.
-func (s *storageImageSource) LayerInfosForCopy() ([]types.BlobInfo, error) {
+func (s *storageImageSource) LayerInfosForCopy(ctx context.Context) ([]types.BlobInfo, error) {
 	updatedBlobInfos := []types.BlobInfo{}
-	_, manifestType, err := s.GetManifest(nil)
+	_, manifestType, err := s.GetManifest(ctx, nil)
 	if err != nil {
 		return nil, errors.Wrapf(err, "error reading image manifest for %q", s.image.ID)
 	}
@ -239,7 +239,7 @@ func (s *storageImageSource) GetSignatures(ctx context.Context, instanceDigest *
 // newImageDestination sets us up to write a new image, caching blobs in a temporary directory until
 // it's time to Commit() the image
-func newImageDestination(ctx *types.SystemContext, imageRef storageReference) (*storageImageDestination, error) {
+func newImageDestination(imageRef storageReference) (*storageImageDestination, error) {
 	directory, err := ioutil.TempDir(temporaryDirectoryForBigFiles, "storage")
 	if err != nil {
 		return nil, errors.Wrapf(err, "error creating a temporary directory")
@ -283,7 +283,7 @@ func (s storageImageDestination) DesiredLayerCompression() types.LayerCompressio
 // PutBlob stores a layer or data blob in our temporary directory, checking that any information
 // in the blobinfo matches the incoming data.
-func (s *storageImageDestination) PutBlob(stream io.Reader, blobinfo types.BlobInfo, isConfig bool) (types.BlobInfo, error) {
+func (s *storageImageDestination) PutBlob(ctx context.Context, stream io.Reader, blobinfo types.BlobInfo, isConfig bool) (types.BlobInfo, error) {
 	errorBlobInfo := types.BlobInfo{
 		Digest: "",
 		Size:   -1,
@ -309,6 +309,7 @@ func (s *storageImageDestination) PutBlob(stream io.Reader, blobinfo types.BlobI
 		return errorBlobInfo, errors.Wrap(err, "error setting up to decompress blob")
 	}
 	// Copy the data to the file.
 	// TODO: This can take quite some time, and should ideally be cancellable using ctx.Done().
 	_, err = io.Copy(diffID.Hash(), decompressed)
 	decompressed.Close()
 	if err != nil {
@ -346,7 +347,7 @@ func (s *storageImageDestination) PutBlob(stream io.Reader, blobinfo types.BlobI
 // Unlike PutBlob, the digest can not be empty.  If HasBlob returns true, the size of the blob must also be returned.
 // If the destination does not contain the blob, or it is unknown, HasBlob ordinarily returns (false, -1, nil);
 // it returns a non-nil error only on an unexpected failure.
-func (s *storageImageDestination) HasBlob(blobinfo types.BlobInfo) (bool, int64, error) {
+func (s *storageImageDestination) HasBlob(ctx context.Context, blobinfo types.BlobInfo) (bool, int64, error) {
 	if blobinfo.Digest == "" {
 		return false, -1, errors.Errorf(`Can not check for a blob with unknown digest`)
 	}
@ -383,8 +384,8 @@ func (s *storageImageDestination) HasBlob(blobinfo types.BlobInfo) (bool, int64,
 // ReapplyBlob is now a no-op, assuming HasBlob() says we already have it, since Commit() can just apply the
 // same one when it walks the list in the manifest.
-func (s *storageImageDestination) ReapplyBlob(blobinfo types.BlobInfo) (types.BlobInfo, error) {
+func (s *storageImageDestination) ReapplyBlob(ctx context.Context, blobinfo types.BlobInfo) (types.BlobInfo, error) {
-	present, size, err := s.HasBlob(blobinfo)
+	present, size, err := s.HasBlob(ctx, blobinfo)
 	if !present {
 		return types.BlobInfo{}, errors.Errorf("error reapplying blob %+v: blob was not previously applied", blobinfo)
 	}
@ -459,7 +460,7 @@ func (s *storageImageDestination) getConfigBlob(info types.BlobInfo) ([]byte, er
 	return nil, errors.New("blob not found")
 }
-func (s *storageImageDestination) Commit() error {
+func (s *storageImageDestination) Commit(ctx context.Context) error {
 	// Find the list of layer blobs.
 	if len(s.manifest) == 0 {
 		return errors.New("Internal error: storageImageDestination.Commit() called without PutManifest()")
@ -481,7 +482,7 @@ func (s *storageImageDestination) Commit() error {
 			// Check if it's elsewhere and the caller just forgot to pass it to us in a PutBlob(),
 			// or to even check if we had it.
 			logrus.Debugf("looking for diffID for blob %+v", blob.Digest)
-			has, _, err := s.HasBlob(blob)
+			has, _, err := s.HasBlob(ctx, blob)
 			if err != nil {
 				return errors.Wrapf(err, "error checking for a layer based on blob %q", blob.Digest.String())
 			}
@ -544,6 +545,7 @@ func (s *storageImageDestination) Commit() error {
 			return errors.Errorf("error applying blob %q: content not found", blob.Digest)
 		}
 		// Build the new layer using the diff, regardless of where it came from.
 		// TODO: This can take quite some time, and should ideally be cancellable using ctx.Done().
 		layer, _, err := s.imageRef.transport.store.PutLayer(id, lastLayer, nil, "", false, nil, diff)
 		if err != nil {
 			return errors.Wrapf(err, "error adding layer with blob %q", blob.Digest)
@ -679,7 +681,7 @@ func (s *storageImageDestination) SupportedManifestMIMETypes() []string {
 }
 // PutManifest writes the manifest to the destination.
-func (s *storageImageDestination) PutManifest(manifest []byte) error {
+func (s *storageImageDestination) PutManifest(ctx context.Context, manifest []byte) error {
 	s.manifest = make([]byte, len(manifest))
 	copy(s.manifest, manifest)
 	return nil
@ -687,7 +689,7 @@ func (s *storageImageDestination) PutManifest(manifest []byte) error {
 // SupportsSignatures returns an error if we can't expect GetSignatures() to return data that was
 // previously supplied to PutSignatures().
-func (s *storageImageDestination) SupportsSignatures() error {
+func (s *storageImageDestination) SupportsSignatures(ctx context.Context) error {
 	return nil
 }
@ -703,7 +705,7 @@ func (s *storageImageDestination) MustMatchRuntimeOS() bool {
 }
 // PutSignatures records the image's signatures for committing as a single data blob.
-func (s *storageImageDestination) PutSignatures(signatures [][]byte) error {
+func (s *storageImageDestination) PutSignatures(ctx context.Context, signatures [][]byte) error {
 	sizes := []int{}
 	sigblob := []byte{}
 	for _, sig := range signatures {
@ -769,12 +771,12 @@ func (s *storageImageCloser) Size() (int64, error) {
 }
 // newImage creates an image that also knows its size
-func newImage(ctx *types.SystemContext, s storageReference) (types.ImageCloser, error) {
+func newImage(ctx context.Context, sys *types.SystemContext, s storageReference) (types.ImageCloser, error) {
 	src, err := newImageSource(s)
 	if err != nil {
 		return nil, err
 	}
-	img, err := image.FromSource(ctx, src)
+	img, err := image.FromSource(ctx, sys, src)
 	if err != nil {
 		return nil, err
 	}
--- a/vendor/github.com/containers/image/storage/storage_reference.go
+++ b/vendor/github.com/containers/image/storage/storage_reference.go
@ -3,6 +3,7 @@
 package storage
 import (
 	"context"
 	"strings"
 	"github.com/containers/image/docker/reference"
@ -181,11 +182,11 @@ func (s storageReference) PolicyConfigurationNamespaces() []string {
 // NOTE: If any kind of signature verification should happen, build an UnparsedImage from the value returned by NewImageSource,
 // verify that UnparsedImage, and convert it into a real Image via image.FromUnparsedImage.
 // WARNING: This may not do the right thing for a manifest list, see image.FromSource for details.
-func (s storageReference) NewImage(ctx *types.SystemContext) (types.ImageCloser, error) {
+func (s storageReference) NewImage(ctx context.Context, sys *types.SystemContext) (types.ImageCloser, error) {
-	return newImage(ctx, s)
+	return newImage(ctx, sys, s)
 }
-func (s storageReference) DeleteImage(ctx *types.SystemContext) error {
+func (s storageReference) DeleteImage(ctx context.Context, sys *types.SystemContext) error {
 	img, err := s.resolveImage()
 	if err != nil {
 		return err
@ -200,10 +201,10 @@ func (s storageReference) DeleteImage(ctx *types.SystemContext) error {
 	return err
 }
-func (s storageReference) NewImageSource(ctx *types.SystemContext) (types.ImageSource, error) {
+func (s storageReference) NewImageSource(ctx context.Context, sys *types.SystemContext) (types.ImageSource, error) {
 	return newImageSource(s)
 }
-func (s storageReference) NewImageDestination(ctx *types.SystemContext) (types.ImageDestination, error) {
+func (s storageReference) NewImageDestination(ctx context.Context, sys *types.SystemContext) (types.ImageDestination, error) {
-	return newImageDestination(ctx, s)
+	return newImageDestination(s)
 }
--- a/vendor/github.com/containers/image/tarball/tarball_reference.go
+++ b/vendor/github.com/containers/image/tarball/tarball_reference.go
@ -1,6 +1,7 @@
 package tarball
 import (
 	"context"
 	"fmt"
 	"os"
 	"strings"
@ -66,12 +67,12 @@ func (r *tarballReference) PolicyConfigurationNamespaces() []string {
 // NOTE: If any kind of signature verification should happen, build an UnparsedImage from the value returned by NewImageSource,
 // verify that UnparsedImage, and convert it into a real Image via image.FromUnparsedImage.
 // WARNING: This may not do the right thing for a manifest list, see image.FromSource for details.
-func (r *tarballReference) NewImage(ctx *types.SystemContext) (types.ImageCloser, error) {
+func (r *tarballReference) NewImage(ctx context.Context, sys *types.SystemContext) (types.ImageCloser, error) {
-	src, err := r.NewImageSource(ctx)
+	src, err := r.NewImageSource(ctx, sys)
 	if err != nil {
 		return nil, err
 	}
-	img, err := image.FromSource(ctx, src)
+	img, err := image.FromSource(ctx, sys, src)
 	if err != nil {
 		src.Close()
 		return nil, err
@ -79,7 +80,7 @@ func (r *tarballReference) NewImage(ctx *types.SystemContext) (types.ImageCloser
 	return img, nil
 }
-func (r *tarballReference) DeleteImage(ctx *types.SystemContext) error {
+func (r *tarballReference) DeleteImage(ctx context.Context, sys *types.SystemContext) error {
 	for _, filename := range r.filenames {
 		if err := os.Remove(filename); err != nil && !os.IsNotExist(err) {
 			return fmt.Errorf("error removing %q: %v", filename, err)
@ -88,6 +89,6 @@ func (r *tarballReference) DeleteImage(ctx *types.SystemContext) error {
 	return nil
 }
-func (r *tarballReference) NewImageDestination(ctx *types.SystemContext) (types.ImageDestination, error) {
+func (r *tarballReference) NewImageDestination(ctx context.Context, sys *types.SystemContext) (types.ImageDestination, error) {
 	return nil, fmt.Errorf(`"tarball:" locations can only be read from, not written to`)
 }
--- a/vendor/github.com/containers/image/tarball/tarball_src.go
+++ b/vendor/github.com/containers/image/tarball/tarball_src.go
@ -34,7 +34,7 @@ type tarballImageSource struct {
 	manifest   []byte
 }
-func (r *tarballReference) NewImageSource(ctx *types.SystemContext) (types.ImageSource, error) {
+func (r *tarballReference) NewImageSource(ctx context.Context, sys *types.SystemContext) (types.ImageSource, error) {
 	// Gather up the digests, sizes, and date information for all of the files.
 	filenames := []string{}
 	diffIDs := []digest.Digest{}
@ -87,6 +87,7 @@ func (r *tarballReference) NewImageSource(ctx *types.SystemContext) (types.Image
 			layerType = imgspecv1.MediaTypeImageLayer
 			uncompressed = nil
 		}
 		// TODO: This can take quite some time, and should ideally be cancellable using ctx.Done().
 		n, err := io.Copy(ioutil.Discard, reader)
 		if err != nil {
 			return nil, fmt.Errorf("error reading %q: %v", filename, err)
@ -206,7 +207,7 @@ func (is *tarballImageSource) Close() error {
 	return nil
 }
-func (is *tarballImageSource) GetBlob(blobinfo types.BlobInfo) (io.ReadCloser, int64, error) {
+func (is *tarballImageSource) GetBlob(ctx context.Context, blobinfo types.BlobInfo) (io.ReadCloser, int64, error) {
 	// We should only be asked about things in the manifest.  Maybe the configuration blob.
 	if blobinfo.Digest == is.configID {
 		return ioutil.NopCloser(bytes.NewBuffer(is.config)), is.configSize, nil
@ -232,7 +233,7 @@ func (is *tarballImageSource) GetBlob(blobinfo types.BlobInfo) (io.ReadCloser, i
 // It may use a remote (= slow) service.
 // If instanceDigest is not nil, it contains a digest of the specific manifest instance to retrieve (when the primary manifest is a manifest list);
 // this never happens if the primary manifest is not a manifest list (e.g. if the source never returns manifest lists).
-func (is *tarballImageSource) GetManifest(instanceDigest *digest.Digest) ([]byte, string, error) {
+func (is *tarballImageSource) GetManifest(ctx context.Context, instanceDigest *digest.Digest) ([]byte, string, error) {
 	if instanceDigest != nil {
 		return nil, "", fmt.Errorf("manifest lists are not supported by the %q transport", transportName)
 	}
@ -255,6 +256,6 @@ func (is *tarballImageSource) Reference() types.ImageReference {
 }
 // LayerInfosForCopy() returns updated layer info that should be used when reading, in preference to values in the manifest, if specified.
-func (*tarballImageSource) LayerInfosForCopy() ([]types.BlobInfo, error) {
+func (*tarballImageSource) LayerInfosForCopy(ctx context.Context) ([]types.BlobInfo, error) {
 	return nil, nil
 }
--- a/vendor/github.com/containers/image/types/types.go
+++ b/vendor/github.com/containers/image/types/types.go
@ -78,16 +78,16 @@ type ImageReference interface {
 	// NOTE: If any kind of signature verification should happen, build an UnparsedImage from the value returned by NewImageSource,
 	// verify that UnparsedImage, and convert it into a real Image via image.FromUnparsedImage.
 	// WARNING: This may not do the right thing for a manifest list, see image.FromSource for details.
-	NewImage(ctx *SystemContext) (ImageCloser, error)
+	NewImage(ctx context.Context, sys *SystemContext) (ImageCloser, error)
 	// NewImageSource returns a types.ImageSource for this reference.
 	// The caller must call .Close() on the returned ImageSource.
-	NewImageSource(ctx *SystemContext) (ImageSource, error)
+	NewImageSource(ctx context.Context, sys *SystemContext) (ImageSource, error)
 	// NewImageDestination returns a types.ImageDestination for this reference.
 	// The caller must call .Close() on the returned ImageDestination.
-	NewImageDestination(ctx *SystemContext) (ImageDestination, error)
+	NewImageDestination(ctx context.Context, sys *SystemContext) (ImageDestination, error)
 	// DeleteImage deletes the named image from the registry, if supported.
-	DeleteImage(ctx *SystemContext) error
+	DeleteImage(ctx context.Context, sys *SystemContext) error
 }
 // BlobInfo collects known information about a blob (layer/config).
@ -117,10 +117,10 @@ type ImageSource interface {
 	// It may use a remote (= slow) service.
 	// If instanceDigest is not nil, it contains a digest of the specific manifest instance to retrieve (when the primary manifest is a manifest list);
 	// this never happens if the primary manifest is not a manifest list (e.g. if the source never returns manifest lists).
-	GetManifest(instanceDigest *digest.Digest) ([]byte, string, error)
+	GetManifest(ctx context.Context, instanceDigest *digest.Digest) ([]byte, string, error)
 	// GetBlob returns a stream for the specified blob, and the blob’s size (or -1 if unknown).
 	// The Digest field in BlobInfo is guaranteed to be provided, Size may be -1 and MediaType may be optionally provided.
-	GetBlob(BlobInfo) (io.ReadCloser, int64, error)
+	GetBlob(context.Context, BlobInfo) (io.ReadCloser, int64, error)
 	// GetSignatures returns the image's signatures.  It may use a remote (= slow) service.
 	// If instanceDigest is not nil, it contains a digest of the specific manifest instance to retrieve signatures for
 	// (when the primary manifest is a manifest list); this never happens if the primary manifest is not a manifest list
@ -129,7 +129,7 @@ type ImageSource interface {
 	// LayerInfosForCopy returns either nil (meaning the values in the manifest are fine), or updated values for the layer blobsums that are listed in the image's manifest.
 	// The Digest field is guaranteed to be provided; Size may be -1.
 	// WARNING: The list may contain duplicates, and they are semantically relevant.
-	LayerInfosForCopy() ([]BlobInfo, error)
+	LayerInfosForCopy(ctx context.Context) ([]BlobInfo, error)
 }
 // LayerCompression indicates if layers must be compressed, decompressed or preserved
@ -166,7 +166,7 @@ type ImageDestination interface {
 	SupportedManifestMIMETypes() []string
 	// SupportsSignatures returns an error (to be displayed to the user) if the destination certainly can't store signatures.
 	// Note: It is still possible for PutSignatures to fail if SupportsSignatures returns nil.
-	SupportsSignatures() error
+	SupportsSignatures(ctx context.Context) error
 	// DesiredLayerCompression indicates the kind of compression to apply on layers
 	DesiredLayerCompression() LayerCompression
 	// AcceptsForeignLayerURLs returns false iff foreign layers in manifest should be actually
@ -181,25 +181,25 @@ type ImageDestination interface {
 	// WARNING: The contents of stream are being verified on the fly.  Until stream.Read() returns io.EOF, the contents of the data SHOULD NOT be available
 	// to any other readers for download using the supplied digest.
 	// If stream.Read() at any time, ESPECIALLY at end of input, returns an error, PutBlob MUST 1) fail, and 2) delete any data stored so far.
-	PutBlob(stream io.Reader, inputInfo BlobInfo, isConfig bool) (BlobInfo, error)
+	PutBlob(ctx context.Context, stream io.Reader, inputInfo BlobInfo, isConfig bool) (BlobInfo, error)
 	// HasBlob returns true iff the image destination already contains a blob with the matching digest which can be reapplied using ReapplyBlob.
 	// Unlike PutBlob, the digest can not be empty.  If HasBlob returns true, the size of the blob must also be returned.
 	// If the destination does not contain the blob, or it is unknown, HasBlob ordinarily returns (false, -1, nil);
 	// it returns a non-nil error only on an unexpected failure.
-	HasBlob(info BlobInfo) (bool, int64, error)
+	HasBlob(ctx context.Context, info BlobInfo) (bool, int64, error)
 	// ReapplyBlob informs the image destination that a blob for which HasBlob previously returned true would have been passed to PutBlob if it had returned false.  Like HasBlob and unlike PutBlob, the digest can not be empty.  If the blob is a filesystem layer, this signifies that the changes it describes need to be applied again when composing a filesystem tree.
-	ReapplyBlob(info BlobInfo) (BlobInfo, error)
+	ReapplyBlob(ctx context.Context, info BlobInfo) (BlobInfo, error)
 	// PutManifest writes manifest to the destination.
 	// FIXME? This should also receive a MIME type if known, to differentiate between schema versions.
 	// If the destination is in principle available, refuses this manifest type (e.g. it does not recognize the schema),
 	// but may accept a different manifest type, the returned error must be an ManifestTypeRejectedError.
-	PutManifest(manifest []byte) error
+	PutManifest(ctx context.Context, manifest []byte) error
-	PutSignatures(signatures [][]byte) error
+	PutSignatures(ctx context.Context, signatures [][]byte) error
 	// Commit marks the process of storing the image as successful and asks for the image to be persisted.
 	// WARNING: This does not have any transactional semantics:
 	// - Uploaded data MAY be visible to others before Commit() is called
 	// - Uploaded data MAY be removed or MAY remain around if Close() is called without Commit() (i.e. rollback is allowed but not guaranteed)
-	Commit() error
+	Commit(ctx context.Context) error
 }
 // ManifestTypeRejectedError is returned by ImageDestination.PutManifest if the destination is in principle available,
@ -225,7 +225,7 @@ type UnparsedImage interface {
 	// (not as the image itself, or its underlying storage, claims).  This can be used e.g. to determine which public keys are trusted for this image.
 	Reference() ImageReference
 	// Manifest is like ImageSource.GetManifest, but the result is cached; it is OK to call this however often you need.
-	Manifest() ([]byte, string, error)
+	Manifest(ctx context.Context) ([]byte, string, error)
 	// Signatures is like ImageSource.GetSignatures, but the result is cached; it is OK to call this however often you need.
 	Signatures(ctx context.Context) ([][]byte, error)
 }
@ -242,11 +242,11 @@ type Image interface {
 	ConfigInfo() BlobInfo
 	// ConfigBlob returns the blob described by ConfigInfo, if ConfigInfo().Digest != ""; nil otherwise.
 	// The result is cached; it is OK to call this however often you need.
-	ConfigBlob() ([]byte, error)
+	ConfigBlob(context.Context) ([]byte, error)
 	// OCIConfig returns the image configuration as per OCI v1 image-spec. Information about
 	// layers in the resulting configuration isn't guaranteed to be returned to due how
 	// old image manifests work (docker v2s1 especially).
-	OCIConfig() (*v1.Image, error)
+	OCIConfig(context.Context) (*v1.Image, error)
 	// LayerInfos returns a list of BlobInfos of layers referenced by this image, in order (the root layer first, and then successive layered layers).
 	// The Digest field is guaranteed to be provided, Size may be -1 and MediaType may be optionally provided.
 	// WARNING: The list may contain duplicates, and they are semantically relevant.
@ -254,13 +254,13 @@ type Image interface {
 	// LayerInfosForCopy returns either nil (meaning the values in the manifest are fine), or updated values for the layer blobsums that are listed in the image's manifest.
 	// The Digest field is guaranteed to be provided, Size may be -1 and MediaType may be optionally provided.
 	// WARNING: The list may contain duplicates, and they are semantically relevant.
-	LayerInfosForCopy() ([]BlobInfo, error)
+	LayerInfosForCopy(context.Context) ([]BlobInfo, error)
 	// EmbeddedDockerReferenceConflicts whether a Docker reference embedded in the manifest, if any, conflicts with destination ref.
 	// It returns false if the manifest does not embed a Docker reference.
 	// (This embedding unfortunately happens for Docker schema1, please do not add support for this in any new formats.)
 	EmbeddedDockerReferenceConflicts(ref reference.Named) bool
 	// Inspect returns various information for (skopeo inspect) parsed from the manifest and configuration.
-	Inspect() (*ImageInspectInfo, error)
+	Inspect(context.Context) (*ImageInspectInfo, error)
 	// UpdatedImageNeedsLayerDiffIDs returns true iff UpdatedImage(options) needs InformationOnly.LayerDiffIDs.
 	// This is a horribly specific interface, but computing InformationOnly.LayerDiffIDs can be very expensive to compute
 	// (most importantly it forces us to download the full layers even if they are already present at the destination).
@ -268,7 +268,7 @@ type Image interface {
 	// UpdatedImage returns a types.Image modified according to options.
 	// Everything in options.InformationOnly should be provided, other fields should be set only if a modification is desired.
 	// This does not change the state of the original Image object.
-	UpdatedImage(options ManifestUpdateOptions) (Image, error)
+	UpdatedImage(ctx context.Context, options ManifestUpdateOptions) (Image, error)
 	// Size returns an approximation of the amount of disk space which is consumed by the image in its current
 	// location.  If the size is not known, -1 will be returned.
 	Size() (int64, error)
--- a/vendor/github.com/containers/image/vendor.conf
+++ b/vendor/github.com/containers/image/vendor.conf
@ -1,3 +1,5 @@
 github.com/containers/image
 github.com/sirupsen/logrus v1.0.0
 github.com/containers/storage master
 github.com/davecgh/go-spew 346938d642f2ec3594ed81d874461961cd0faa76
@ -8,11 +10,9 @@ github.com/docker/go-connections 3ede32e2033de7505e6500d6c868c2b9ed9f169d
 github.com/docker/go-units 0dadbb0345b35ec7ef35e228dabb8de89a65bf52
 github.com/docker/libtrust aabc10ec26b754e797f9028f4589c5b7bd90dc20
 github.com/ghodss/yaml 04f313413ffd65ce25f2541bfd2b2ceec5c0908c
 github.com/gorilla/context 08b5f424b9271eedf6f9f0ce86cb9396ed337a42
 github.com/gorilla/mux 94e7d24fd285520f3d12ae998f7fdd6b5393d453
 github.com/imdario/mergo 50d4dbd4eb0e84778abe37cefef140271d96fade
 github.com/mattn/go-runewidth 14207d285c6c197daabb5c9793d63e7af9ab2d50
 github.com/mattn/go-shellwords 005a0944d84452842197c2108bd9168ced206f78
 github.com/mistifyio/go-zfs c0224de804d438efd11ea6e52ada8014537d6062
 github.com/mtrmac/gpgme b2432428689ca58c2b8e8dea9449d3295cf96fc9
 github.com/opencontainers/go-digest aa2ec055abd10d26d539eb630a92241b781ce4bc
--- a/vendor/github.com/containers/storage/pkg/archive/example_changes.go
+++ b/vendor/github.com/containers/storage/pkg/archive/example_changes.go
@ -1,97 +0,0 @@
 // +build ignore
 // Simple tool to create an archive stream from an old and new directory
 //
 // By default it will stream the comparison of two temporary directories with junk files
 package main
 import (
 	"flag"
 	"fmt"
 	"io"
 	"io/ioutil"
 	"os"
 	"path"
 	"github.com/containers/storage/pkg/archive"
 	"github.com/sirupsen/logrus"
 )
 var (
 	flDebug  = flag.Bool("D", false, "debugging output")
 	flNewDir = flag.String("newdir", "", "")
 	flOldDir = flag.String("olddir", "", "")
 	log      = logrus.New()
 )
 func main() {
 	flag.Usage = func() {
 		fmt.Println("Produce a tar from comparing two directory paths. By default a demo tar is created of around 200 files (including hardlinks)")
 		fmt.Printf("%s [OPTIONS]\n", os.Args[0])
 		flag.PrintDefaults()
 	}
 	flag.Parse()
 	log.Out = os.Stderr
 	if (len(os.Getenv("DEBUG")) > 0) || *flDebug {
 		logrus.SetLevel(logrus.DebugLevel)
 	}
 	var newDir, oldDir string
 	if len(*flNewDir) == 0 {
 		var err error
 		newDir, err = ioutil.TempDir("", "storage-test-newDir")
 		if err != nil {
 			log.Fatal(err)
 		}
 		defer os.RemoveAll(newDir)
 		if _, err := prepareUntarSourceDirectory(100, newDir, true); err != nil {
 			log.Fatal(err)
 		}
 	} else {
 		newDir = *flNewDir
 	}
 	if len(*flOldDir) == 0 {
 		oldDir, err := ioutil.TempDir("", "storage-test-oldDir")
 		if err != nil {
 			log.Fatal(err)
 		}
 		defer os.RemoveAll(oldDir)
 	} else {
 		oldDir = *flOldDir
 	}
 	changes, err := archive.ChangesDirs(newDir, oldDir)
 	if err != nil {
 		log.Fatal(err)
 	}
 	a, err := archive.ExportChanges(newDir, changes)
 	if err != nil {
 		log.Fatal(err)
 	}
 	defer a.Close()
 	i, err := io.Copy(os.Stdout, a)
 	if err != nil && err != io.EOF {
 		log.Fatal(err)
 	}
 	fmt.Fprintf(os.Stderr, "wrote archive of %d bytes", i)
 }
 func prepareUntarSourceDirectory(numberOfFiles int, targetPath string, makeLinks bool) (int, error) {
 	fileData := []byte("fooo")
 	for n := 0; n < numberOfFiles; n++ {
 		fileName := fmt.Sprintf("file-%d", n)
 		if err := ioutil.WriteFile(path.Join(targetPath, fileName), fileData, 0700); err != nil {
 			return 0, err
 		}
 		if makeLinks {
 			if err := os.Link(path.Join(targetPath, fileName), path.Join(targetPath, fileName+"-link")); err != nil {
 				return 0, err
 			}
 		}
 	}
 	totalSize := numberOfFiles * len(fileData)
 	return totalSize, nil
 }
--- a/vendor/github.com/containers/storage/store.go
+++ b/vendor/github.com/containers/storage/store.go
@ -173,7 +173,7 @@ type Store interface {
 	// process's main() function needs to import our pkg/reexec package and
 	// should begin with something like this in order to allow us to
 	// properly start that child process:
-	//   if reexec.Init {
+	//   if reexec.Init() {
 	//       return
 	//   }
 	PutLayer(id, parent string, names []string, mountLabel string, writeable bool, options *LayerOptions, diff io.Reader) (*Layer, int64, error)
@ -253,7 +253,7 @@ type Store interface {
 	// process's main() function needs to import our pkg/reexec package and
 	// should begin with something like this in order to allow us to
 	// properly start that child process:
-	//   if reexec.Init {
+	//   if reexec.Init() {
 	//       return
 	//   }
 	Mount(id, mountLabel string) (string, error)
@ -288,7 +288,7 @@ type Store interface {
 	// process's main() function needs to import our pkg/reexec package and
 	// should begin with something like this in order to allow us to
 	// properly start that child process:
-	//   if reexec.Init {
+	//   if reexec.Init() {
 	//       return
 	//   }
 	ApplyDiff(to string, diff io.Reader) (int64, error)
@ -512,6 +512,14 @@ type store struct {
 // These defaults observe environment variables:
 //  * `STORAGE_DRIVER` for the name of the storage driver to attempt to use
 //  * `STORAGE_OPTS` for the string of options to pass to the driver
 //
 // Note that we do some of this work in a child process.  The calling process's
 // main() function needs to import our pkg/reexec package and should begin with
 // something like this in order to allow us to properly start that child
 // process:
 //   if reexec.Init() {
 //       return
 //   }
 func GetStore(options StoreOptions) (Store, error) {
 	if options.RunRoot == "" && options.GraphRoot == "" && options.GraphDriverName == "" && len(options.GraphDriverOptions) == 0 {
 		options = DefaultStoreOptions
--- a/vendor/github.com/cyphar/filepath-securejoin/LICENSE
+++ b/vendor/github.com/cyphar/filepath-securejoin/LICENSE
@ -1,28 +0,0 @@
 Copyright (C) 2014-2015 Docker Inc & Go Authors. All rights reserved.
 Copyright (C) 2017 SUSE LLC. All rights reserved.
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are
 met:
   * Redistributions of source code must retain the above copyright
 notice, this list of conditions and the following disclaimer.
   * Redistributions in binary form must reproduce the above
 copyright notice, this list of conditions and the following disclaimer
 in the documentation and/or other materials provided with the
 distribution.
   * Neither the name of Google Inc. nor the names of its
 contributors may be used to endorse or promote products derived from
 this software without specific prior written permission.
 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--- a/vendor/github.com/cyphar/filepath-securejoin/README.md
+++ b/vendor/github.com/cyphar/filepath-securejoin/README.md
@ -1,65 +0,0 @@
 ## `filepath-securejoin` ##
 [![Build Status](https://travis-ci.org/cyphar/filepath-securejoin.svg?branch=master)](https://travis-ci.org/cyphar/filepath-securejoin)
 An implementation of `SecureJoin`, a [candidate for inclusion in the Go
 standard library][go#20126]. The purpose of this function is to be a "secure"
 alternative to `filepath.Join`, and in particular it provides certain
 guarantees that are not provided by `filepath.Join`.
 This is the function prototype:
 ```go
 func SecureJoin(root, unsafePath string) (string, error)
 ```
 This library **guarantees** the following:
 * If no error is set, the resulting string **must** be a child path of
  `SecureJoin` and will not contain any symlink path components (they will all
  be expanded).
 * When expanding symlinks, all symlink path components **must** be resolved
  relative to the provided root. In particular, this can be considered a
  userspace implementation of how `chroot(2)` operates on file paths. Note that
  these symlinks will **not** be expanded lexically (`filepath.Clean` is not
  called on the input before processing).
 * Non-existant path components are unaffected by `SecureJoin` (similar to
  `filepath.EvalSymlinks`'s semantics).
 * The returned path will always be `filepath.Clean`ed and thus not contain any
  `..` components.
 A (trivial) implementation of this function on GNU/Linux systems could be done
 with the following (note that this requires root privileges and is far more
 opaque than the implementation in this library, and also requires that
 `readlink` is inside the `root` path):
 ```go
 package securejoin
 import (
 	"os/exec"
 	"path/filepath"
 )
 func SecureJoin(root, unsafePath string) (string, error) {
 	unsafePath = string(filepath.Separator) + unsafePath
 	cmd := exec.Command("chroot", root,
 		"readlink", "--canonicalize-missing", "--no-newline", unsafePath)
 	output, err := cmd.CombinedOutput()
 	if err != nil {
 		return "", err
 	}
 	expanded := string(output)
 	return filepath.Join(root, expanded), nil
 }
 ```
 [go#20126]: https://github.com/golang/go/issues/20126
 ### License ###
 The license of this project is the same as Go, which is a BSD 3-clause license
 available in the `LICENSE` file.
--- a/vendor/github.com/cyphar/filepath-securejoin/vendor.conf
+++ b/vendor/github.com/cyphar/filepath-securejoin/vendor.conf
@ -1 +0,0 @@
 github.com/pkg/errors v0.8.0
--- a/vendor/github.com/docker/docker/hack/README.md
+++ b/vendor/github.com/docker/docker/hack/README.md
@ -1,60 +0,0 @@
 ## About
 This directory contains a collection of scripts used to build and manage this
 repository. If there are any issues regarding the intention of a particular
 script (or even part of a certain script), please reach out to us.
 It may help us either refine our current scripts, or add on new ones
 that are appropriate for a given use case.
 ## DinD (dind.sh)
 DinD is a wrapper script which allows Docker to be run inside a Docker
 container. DinD requires the container to
 be run with privileged mode enabled.
 ## Generate Authors (generate-authors.sh)
 Generates AUTHORS; a file with all the names and corresponding emails of
 individual contributors. AUTHORS can be found in the home directory of
 this repository.
 ## Make
 There are two make files, each with different extensions. Neither are supposed
 to be called directly; only invoke `make`. Both scripts run inside a Docker
 container.
 ### make.ps1
 - The Windows native build script that uses PowerShell semantics; it is limited
 unlike `hack\make.sh` since it does not provide support for the full set of
 operations provided by the Linux counterpart, `make.sh`. However, `make.ps1`
 does provide support for local Windows development and Windows to Windows CI.
 More information is found within `make.ps1` by the author, @jhowardmsft
 ### make.sh
 - Referenced via `make test` when running tests on a local machine,
 or directly referenced when running tests inside a Docker development container.  
 - When running on a local machine, `make test` to run all tests found in
 `test`, `test-unit`, `test-integration-cli`, and `test-docker-py` on
 your local machine. The default timeout is set in `make.sh` to 60 minutes
 (`${TIMEOUT:=60m}`), since it currently takes up to an hour to run
 all of the tests.
 - When running inside a Docker development container, `hack/make.sh` does
 not have a single target that runs all the tests. You need to provide a
 single command line with multiple targets that performs the same thing.
 An example referenced from [Run targets inside a development container](https://docs.docker.com/opensource/project/test-and-docs/#run-targets-inside-a-development-container): `root@5f8630b873fe:/go/src/github.com/moby/moby# hack/make.sh dynbinary binary cross test-unit test-integration-cli test-docker-py`
 - For more information related to testing outside the scope of this README,
 refer to
 [Run tests and test documentation](https://docs.docker.com/opensource/project/test-and-docs/)
 ## Release (release.sh)
 Releases any bundles built by `make` on a public AWS S3 bucket.
 For information regarding configuration, please view `release.sh`.
 ## Vendor (vendor.sh)
 A shell script that is a wrapper around Vndr. For information on how to use
 this, please refer to [vndr's README](https://github.com/LK4D4/vndr/blob/master/README.md)
--- a/vendor/github.com/docker/docker/hack/integration-cli-on-swarm/README.md
+++ b/vendor/github.com/docker/docker/hack/integration-cli-on-swarm/README.md
@ -1,69 +0,0 @@
 # Integration Testing on Swarm
 IT on Swarm allows you to execute integration test in parallel across a Docker Swarm cluster
 ## Architecture
 ### Master service
  - Works as a funker caller
  - Calls a worker funker (`-worker-service`) with a chunk of `-check.f` filter strings (passed as a file via `-input` flag, typically `/mnt/input`)
 ### Worker service
  - Works as a funker callee
  - Executes an equivalent of `TESTFLAGS=-check.f TestFoo|TestBar|TestBaz ... make test-integration-cli` using the bind-mounted API socket (`docker.sock`)
 ### Client
  - Controls master and workers via `docker stack`
  - No need to have a local daemon
 Typically, the master and workers are supposed to be running on a cloud environment,
 while the client is supposed to be running on a laptop, e.g. Docker for Mac/Windows.
 ## Requirement
  - Docker daemon 1.13 or later
  - Private registry for distributed execution with multiple nodes
 ## Usage
 ### Step 1: Prepare images
    $ make build-integration-cli-on-swarm
 Following environment variables are known to work in this step:
 - `BUILDFLAGS`
 - `DOCKER_INCREMENTAL_BINARY`
 Note: during the transition into Moby Project, you might need to create a symbolic link `$GOPATH/src/github.com/docker/docker` to `$GOPATH/src/github.com/moby/moby`. 
 ### Step 2: Execute tests
    $ ./hack/integration-cli-on-swarm/integration-cli-on-swarm -replicas 40 -push-worker-image YOUR_REGISTRY.EXAMPLE.COM/integration-cli-worker:latest 
 Following environment variables are known to work in this step:
 - `DOCKER_GRAPHDRIVER`
 - `DOCKER_EXPERIMENTAL`
 #### Flags
 Basic flags:
 - `-replicas N`: the number of worker service replicas. i.e. degree of parallelism.
 - `-chunks N`: the number of chunks. By default, `chunks` == `replicas`.
 - `-push-worker-image REGISTRY/IMAGE:TAG`: push the worker image to the registry. Note that if you have only single node and hence you do not need a private registry, you do not need to specify `-push-worker-image`.
 Experimental flags for mitigating makespan nonuniformity:
 - `-shuffle`: Shuffle the test filter strings
 Flags for debugging IT on Swarm itself:
 - `-rand-seed N`: the random seed. This flag is useful for deterministic replaying. By default(0), the timestamp is used.
 - `-filters-file FILE`: the file contains `-check.f` strings. By default, the file is automatically generated.
 - `-dry-run`: skip the actual workload
 - `keep-executor`: do not auto-remove executor containers, which is used for running privileged programs on Swarm
--- a/vendor/github.com/docker/docker/hack/integration-cli-on-swarm/agent/vendor.conf
+++ b/vendor/github.com/docker/docker/hack/integration-cli-on-swarm/agent/vendor.conf
@ -1,2 +0,0 @@
 # dependencies specific to worker (i.e. github.com/docker/docker/...) are not vendored here
 github.com/bfirsh/funker-go eaa0a2e06f30e72c9a0b7f858951e581e26ef773
--- a/vendor/github.com/docker/docker/profiles/seccomp/generate.go
+++ b/vendor/github.com/docker/docker/profiles/seccomp/generate.go
@ -1,32 +0,0 @@
 // +build ignore
 package main
 import (
 	"encoding/json"
 	"io/ioutil"
 	"os"
 	"path/filepath"
 	"github.com/docker/docker/profiles/seccomp"
 )
 // saves the default seccomp profile as a json file so people can use it as a
 // base for their own custom profiles
 func main() {
 	wd, err := os.Getwd()
 	if err != nil {
 		panic(err)
 	}
 	f := filepath.Join(wd, "default.json")
 	// write the default profile to the file
 	b, err := json.MarshalIndent(seccomp.DefaultProfile(), "", "\t")
 	if err != nil {
 		panic(err)
 	}
 	if err := ioutil.WriteFile(f, b, 0644); err != nil {
 		panic(err)
 	}
 }
		`@ -1,2 +0,0 @@`
			`# dependencies specific to worker (i.e. github.com/docker/docker/...) are not vendored here`
			`github.com/bfirsh/funker-go eaa0a2e06f30e72c9a0b7f858951e581e26ef773`