Bump to Buildah v1.37.0

Bump Buidah to v1.37.0 Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
2025-11-30 18:18:18 +08:00 · 2024-07-29 16:12:07 -04:00
parent d38268062a
commit 286fbf98d1
33 changed files with 798 additions and 280 deletions
--- a/vendor/github.com/containers/buildah/.cirrus.yml
+++ b/vendor/github.com/containers/buildah/.cirrus.yml
@@ -32,7 +32,7 @@ env:
    DEBIAN_NAME: "debian-13"

    # Image identifiers
-    IMAGE_SUFFIX: "c20240620t153000z-f40f39d13"
+    IMAGE_SUFFIX: "c20240708t152000z-f40f39d13"
    FEDORA_CACHE_IMAGE_NAME: "fedora-${IMAGE_SUFFIX}"
    PRIOR_FEDORA_CACHE_IMAGE_NAME: "prior-fedora-${IMAGE_SUFFIX}"
    DEBIAN_CACHE_IMAGE_NAME: "debian-${IMAGE_SUFFIX}"
--- a/vendor/github.com/containers/buildah/CHANGELOG.md
+++ b/vendor/github.com/containers/buildah/CHANGELOG.md
@@ -2,6 +2,78 @@

 # Changelog

+## vv1.37.0 (2024-07-26)
+
+    Bump c/storage, c/image, c/common for v1.37.0
+    "build with basename resolving user arg" tests: correct ARG use
+    bud-multiple-platform-no-run test: correct ARG use
+    imagebuildah: always have default values for $TARGET... args ready
+    bump github.com/openshift/imagebuilder to v1.2.14
+    fix(deps): update module github.com/docker/docker to v27.1.1+incompatible
+    fix(deps): update module github.com/cyphar/filepath-securejoin to v0.3.1
+    fix(deps): update module github.com/docker/docker to v27.1.0+incompatible
+    CI: use local registry, part 2 of 2
+    CI: use local registry, part 1 of 2
+    fix(deps): update module github.com/fsouza/go-dockerclient to v1.11.1
+    Revert "fix(deps): update github.com/containers/image/v5 to v5.31.1"
+    Replace libimage.LookupReferenceFunc with the manifests version
+    conformance tests: enable testing CompatVolumes
+    conformance tests: add a test that tries to chown a volume
+    imagebuildah: make traditional volume handling not the default
+    StageExecutor.prepare(): mark base image volumes for preservation
+    fix(deps): update module github.com/containers/image/v5 to v5.31.1
+    Vendor in latest containers/(common, storage, image)
+    fix(deps): update module golang.org/x/term to v0.22.0
+    fix(deps): update module golang.org/x/sys to v0.22.0
+    fix(deps): update golang.org/x/exp digest to 7f521ea
+    fix(deps): update github.com/containers/luksy digest to a8846e2
+    imagebuildah.StageExecutor.Copy(): reject new flags for now
+    bump github.com/openshift/imagebuilder to v1.2.11
+    Rework parsing of --pull flags
+    fix(deps): update module github.com/containers/image/v5 to v5.31.1
+    imagebuildah.StageExecutor.prepare(): log the --platform flag
+    CI VMs: bump
+    buildah copy: preserve owner info with --from= a container or image
+    conformance tests: enable testing CompatSetParent
+    containerImageRef.NewImageSource(): move the FROM comment to first
+    commit: set "parent" for docker format only when requested
+    Update godoc for Builder.EnsureContainerPathAs
+    fix(deps): update module github.com/spf13/cobra to v1.8.1
+    fix(deps): update module github.com/containernetworking/cni to v1.2.0
+    fix(deps): update module github.com/opencontainers/runc to v1.1.13
+    Change default for podman build to --pull missing
+    fix(deps): update module github.com/containers/common to v0.59.1
+    Clarify definition of --pull options
+    buildah: fix a nil pointer reference on FreeBSD
+    Use /var/tmp for $TMPDIR for vfs conformance jobs
+    Cirrus: run `df` during job setup
+    conformance: use quay.io/libpod/centos:7 instead of centos:8
+    Stop setting "parent" in docker format
+    conformance: check if workdir trims path separator suffixes
+    push integration test: pass password to docker login via stdin
+    Re-enable the "copy with chown" conformance test
+    healthcheck: Add support for `--start-interval`
+    fix(deps): update module github.com/docker/docker to v26.1.4+incompatible
+    fix(deps): update module github.com/containerd/containerd to v1.7.18
+    tests: set _CONTAINERS_USERNS_CONFIGURED=done for libnetwork
+    Cross-build on Fedora
+    Drop copyStringSlice() and copyStringStringMap()
+    fix(deps): update module golang.org/x/crypto to v0.24.0
+    fix(deps): update module github.com/openshift/imagebuilder to v1.2.10
+    Provide an uptime_netbsd.go
+    Spell unix as "!windows"
+    Add netbsd to lists-of-OSes
+    fix(deps): update golang.org/x/exp digest to fd00a4e
+    [skip-ci] Packit: enable c10s downstream sync
+    CI VMs: bump, to debian with cgroups v2
+    Document when BlobDirectory is overridden
+    fix secret mounts for env vars when using chroot isolation
+    Change to take a types.ImageReference arg
+    imagebuildah: Support custom image reference lookup for cache push/pull
+    fix(deps): update module github.com/onsi/ginkgo/v2 to v2.19.0
+    Bump to v1.37.0-dev
+    CI: Clarify Debian use for conformance tests
+
 ## v1.36.0 (2024-05-23)

    build: be more selective about specifying the default OS
--- a/vendor/github.com/containers/buildah/changelog.txt
+++ b/vendor/github.com/containers/buildah/changelog.txt
@@ -1,3 +1,74 @@
+- Changelog for vv1.37.0 (2024-07-26)
+  * Bump c/storage, c/image, c/common for v1.37.0
+  * "build with basename resolving user arg" tests: correct ARG use
+  * bud-multiple-platform-no-run test: correct ARG use
+  * imagebuildah: always have default values for $TARGET... args ready
+  * bump github.com/openshift/imagebuilder to v1.2.14
+  * fix(deps): update module github.com/docker/docker to v27.1.1+incompatible
+  * fix(deps): update module github.com/cyphar/filepath-securejoin to v0.3.1
+  * fix(deps): update module github.com/docker/docker to v27.1.0+incompatible
+  * CI: use local registry, part 2 of 2
+  * CI: use local registry, part 1 of 2
+  * fix(deps): update module github.com/fsouza/go-dockerclient to v1.11.1
+  * Revert "fix(deps): update github.com/containers/image/v5 to v5.31.1"
+  * Replace libimage.LookupReferenceFunc with the manifests version
+  * conformance tests: enable testing CompatVolumes
+  * conformance tests: add a test that tries to chown a volume
+  * imagebuildah: make traditional volume handling not the default
+  * StageExecutor.prepare(): mark base image volumes for preservation
+  * fix(deps): update module github.com/containers/image/v5 to v5.31.1
+  * Vendor in latest containers/(common, storage, image)
+  * fix(deps): update module golang.org/x/term to v0.22.0
+  * fix(deps): update module golang.org/x/sys to v0.22.0
+  * fix(deps): update golang.org/x/exp digest to 7f521ea
+  * fix(deps): update github.com/containers/luksy digest to a8846e2
+  * imagebuildah.StageExecutor.Copy(): reject new flags for now
+  * bump github.com/openshift/imagebuilder to v1.2.11
+  * Rework parsing of --pull flags
+  * fix(deps): update module github.com/containers/image/v5 to v5.31.1
+  * imagebuildah.StageExecutor.prepare(): log the --platform flag
+  * CI VMs: bump
+  * buildah copy: preserve owner info with --from= a container or image
+  * conformance tests: enable testing CompatSetParent
+  * containerImageRef.NewImageSource(): move the FROM comment to first
+  * commit: set "parent" for docker format only when requested
+  * Update godoc for Builder.EnsureContainerPathAs
+  * fix(deps): update module github.com/spf13/cobra to v1.8.1
+  * fix(deps): update module github.com/containernetworking/cni to v1.2.0
+  * fix(deps): update module github.com/opencontainers/runc to v1.1.13
+  * Change default for podman build to --pull missing
+  * fix(deps): update module github.com/containers/common to v0.59.1
+  * Clarify definition of --pull options
+  * buildah: fix a nil pointer reference on FreeBSD
+  * Use /var/tmp for $TMPDIR for vfs conformance jobs
+  * Cirrus: run `df` during job setup
+  * conformance: use quay.io/libpod/centos:7 instead of centos:8
+  * Stop setting "parent" in docker format
+  * conformance: check if workdir trims path separator suffixes
+  * push integration test: pass password to docker login via stdin
+  * Re-enable the "copy with chown" conformance test
+  * healthcheck: Add support for `--start-interval`
+  * fix(deps): update module github.com/docker/docker to v26.1.4+incompatible
+  * fix(deps): update module github.com/containerd/containerd to v1.7.18
+  * tests: set _CONTAINERS_USERNS_CONFIGURED=done for libnetwork
+  * Cross-build on Fedora
+  * Drop copyStringSlice() and copyStringStringMap()
+  * fix(deps): update module golang.org/x/crypto to v0.24.0
+  * fix(deps): update module github.com/openshift/imagebuilder to v1.2.10
+  * Provide an uptime_netbsd.go
+  * Spell unix as "!windows"
+  * Add netbsd to lists-of-OSes
+  * fix(deps): update golang.org/x/exp digest to fd00a4e
+  * [skip-ci] Packit: enable c10s downstream sync
+  * CI VMs: bump, to debian with cgroups v2
+  * Document when BlobDirectory is overridden
+  * fix secret mounts for env vars when using chroot isolation
+  * Change to take a types.ImageReference arg
+  * imagebuildah: Support custom image reference lookup for cache push/pull
+  * fix(deps): update module github.com/onsi/ginkgo/v2 to v2.19.0
+  * Bump to v1.37.0-dev
+  * CI: Clarify Debian use for conformance tests
+
 - Changelog for v1.36.0 (2024-05-23)
  * build: be more selective about specifying the default OS
  * Bump to c/common v0.59.0
--- a/vendor/github.com/containers/buildah/define/build.go
+++ b/vendor/github.com/containers/buildah/define/build.go
@@ -4,7 +4,7 @@ import (
 	"io"
 	"time"

-	"github.com/containers/common/libimage"
+	"github.com/containers/common/libimage/manifests"
 	nettypes "github.com/containers/common/libnetwork/types"
 	"github.com/containers/image/v5/docker/reference"
 	"github.com/containers/image/v5/types"
@@ -349,25 +349,29 @@ type BuildOptions struct {
 	CDIConfigDir string
 	// CachePullSourceLookupReferenceFunc is an optional LookupReferenceFunc
 	// used to look up source references for cache pulls.
-	CachePullSourceLookupReferenceFunc libimage.LookupReferenceFunc
+	CachePullSourceLookupReferenceFunc manifests.LookupReferenceFunc
 	// CachePullDestinationLookupReferenceFunc is an optional generator
 	// function which provides a LookupReferenceFunc used to look up
 	// destination references for cache pulls.
 	//
 	// BlobDirectory will be ignored for cache pulls if this option is set.
-	CachePullDestinationLookupReferenceFunc func(srcRef types.ImageReference) libimage.LookupReferenceFunc
+	CachePullDestinationLookupReferenceFunc func(srcRef types.ImageReference) manifests.LookupReferenceFunc
 	// CachePushSourceLookupReferenceFunc is an optional generator function
 	// which provides a LookupReferenceFunc used to look up source
 	// references for cache pushes.
 	//
 	// BlobDirectory will be ignored for cache pushes if this option is set.
-	CachePushSourceLookupReferenceFunc func(dest types.ImageReference) libimage.LookupReferenceFunc
+	CachePushSourceLookupReferenceFunc func(dest types.ImageReference) manifests.LookupReferenceFunc
 	// CachePushDestinationLookupReferenceFunc is an optional
 	// LookupReferenceFunc used to look up destination references for cache
 	// pushes
-	CachePushDestinationLookupReferenceFunc libimage.LookupReferenceFunc
+	CachePushDestinationLookupReferenceFunc manifests.LookupReferenceFunc
 	// CompatSetParent causes the "parent" field to be set in the image's
 	// configuration when committing in Docker format.  Newer
 	// BuildKit-based docker build doesn't set this field.
 	CompatSetParent types.OptionalBool
+	// CompatVolumes causes the contents of locations marked as volumes in
+	// base images or by a VOLUME instruction to be preserved during RUN
+	// instructions.  Newer BuildKit-based docker build doesn't bother.
+	CompatVolumes types.OptionalBool
 }
--- a/vendor/github.com/containers/buildah/define/types.go
+++ b/vendor/github.com/containers/buildah/define/types.go
@@ -29,7 +29,7 @@ const (
 	// identify working containers.
 	Package = "buildah"
 	// Version for the Package. Also used by .packit.sh for Packit builds.
-	Version = "1.37.0-dev"
+	Version = "1.37.0"

 	// DefaultRuntime if containers.conf fails.
 	DefaultRuntime = "runc"
--- a/vendor/github.com/containers/buildah/imagebuildah/build.go
+++ b/vendor/github.com/containers/buildah/imagebuildah/build.go
@@ -38,6 +38,7 @@ import (
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/openshift/imagebuilder"
 	"github.com/sirupsen/logrus"
+	"golang.org/x/exp/maps"
 	"golang.org/x/exp/slices"
 	"golang.org/x/sync/semaphore"
 )
@@ -204,6 +205,9 @@ func BuildDockerfiles(ctx context.Context, store storage.Store, options define.B
 	if options.SystemContext == nil {
 		options.SystemContext = &types.SystemContext{}
 	}
+	if options.AdditionalBuildContexts == nil {
+		options.AdditionalBuildContexts = make(map[string]*define.AdditionalBuildContext)
+	}

 	if len(options.Platforms) == 0 {
 		options.Platforms = append(options.Platforms, struct{ OS, Arch, Variant string }{
@@ -213,9 +217,6 @@ func BuildDockerfiles(ctx context.Context, store storage.Store, options define.B
 	}

 	if options.AllPlatforms {
-		if options.AdditionalBuildContexts == nil {
-			options.AdditionalBuildContexts = make(map[string]*define.AdditionalBuildContext)
-		}
 		options.Platforms, err = platformsForBaseImages(ctx, logger, paths, files, options.From, options.Args, options.AdditionalBuildContexts, options.SystemContext)
 		if err != nil {
 			return "", nil, err
@@ -251,11 +252,7 @@ func BuildDockerfiles(ctx context.Context, store storage.Store, options define.B
 			logPrefix = "[" + platforms.Format(platformSpec) + "] "
 		}
 		// Deep copy args to prevent concurrent read/writes over Args.
-		argsCopy := make(map[string]string)
-		for key, value := range options.Args {
-			argsCopy[key] = value
-		}
-		platformOptions.Args = argsCopy
+		platformOptions.Args = maps.Clone(options.Args)
 		builds.Go(func() error {
 			loggerPerPlatform := logger
 			if platformOptions.LogFile != "" && platformOptions.LogSplitByPlatform {
@@ -395,36 +392,38 @@ func buildDockerfilesOnce(ctx context.Context, store storage.Store, logger *logr
 	// --platform was explicitly selected for this build
 	// so set correct TARGETPLATFORM in args if it is not
 	// already selected by the user.
+	builtinArgDefaults := make(map[string]string)
 	if options.SystemContext.OSChoice != "" && options.SystemContext.ArchitectureChoice != "" {
 		// os component from --platform string populates TARGETOS
 		// buildkit parity: give priority to user's `--build-arg`
-		if _, ok := options.Args["TARGETOS"]; !ok {
-			options.Args["TARGETOS"] = options.SystemContext.OSChoice
-		}
+		builtinArgDefaults["TARGETOS"] = options.SystemContext.OSChoice
 		// arch component from --platform string populates TARGETARCH
 		// buildkit parity: give priority to user's `--build-arg`
-		if _, ok := options.Args["TARGETARCH"]; !ok {
-			options.Args["TARGETARCH"] = options.SystemContext.ArchitectureChoice
-		}
+		builtinArgDefaults["TARGETARCH"] = options.SystemContext.ArchitectureChoice
 		// variant component from --platform string populates TARGETVARIANT
 		// buildkit parity: give priority to user's `--build-arg`
-		if _, ok := options.Args["TARGETVARIANT"]; !ok {
-			if options.SystemContext.VariantChoice != "" {
-				options.Args["TARGETVARIANT"] = options.SystemContext.VariantChoice
-			}
-		}
+		builtinArgDefaults["TARGETVARIANT"] = options.SystemContext.VariantChoice
 		// buildkit parity: give priority to user's `--build-arg`
-		if _, ok := options.Args["TARGETPLATFORM"]; !ok {
-			// buildkit parity: TARGETPLATFORM should be always created
-			// from SystemContext and not `TARGETOS` and `TARGETARCH` because
-			// users can always override values of `TARGETOS` and `TARGETARCH`
-			// but `TARGETPLATFORM` should be set independent of those values.
-			options.Args["TARGETPLATFORM"] = options.SystemContext.OSChoice + "/" + options.SystemContext.ArchitectureChoice
-			if options.SystemContext.VariantChoice != "" {
-				options.Args["TARGETPLATFORM"] = options.Args["TARGETPLATFORM"] + "/" + options.SystemContext.VariantChoice
-			}
+		// buildkit parity: TARGETPLATFORM should be always created
+		// from SystemContext and not `TARGETOS` and `TARGETARCH` because
+		// users can always override values of `TARGETOS` and `TARGETARCH`
+		// but `TARGETPLATFORM` should be set independent of those values.
+		builtinArgDefaults["TARGETPLATFORM"] = builtinArgDefaults["TARGETOS"] + "/" + builtinArgDefaults["TARGETARCH"]
+		if options.SystemContext.VariantChoice != "" {
+			builtinArgDefaults["TARGETPLATFORM"] += "/" + options.SystemContext.VariantChoice
+		}
+	} else {
+		// fill them in using values for the default platform
+		defaultPlatform := platforms.DefaultSpec()
+		builtinArgDefaults["TARGETOS"] = defaultPlatform.OS
+		builtinArgDefaults["TARGETVARIANT"] = defaultPlatform.Variant
+		builtinArgDefaults["TARGETARCH"] = defaultPlatform.Architecture
+		builtinArgDefaults["TARGETPLATFORM"] = defaultPlatform.OS + "/" + defaultPlatform.Architecture
+		if defaultPlatform.Variant != "" {
+			builtinArgDefaults["TARGETPLATFORM"] += "/" + defaultPlatform.Variant
 		}
 	}
+	delete(options.Args, "TARGETPLATFORM")

 	for i, d := range dockerfilecontents[1:] {
 		additionalNode, err := imagebuilder.ParseDockerfile(bytes.NewReader(d))
@@ -440,6 +439,9 @@ func buildDockerfilesOnce(ctx context.Context, store storage.Store, logger *logr
 		return "", nil, fmt.Errorf("creating build executor: %w", err)
 	}
 	b := imagebuilder.NewBuilder(options.Args)
+	for k, v := range builtinArgDefaults {
+		b.BuiltinArgDefaults[k] = v
+	}
 	defaultContainerConfig, err := config.Default()
 	if err != nil {
 		return "", nil, fmt.Errorf("failed to get container config: %w", err)
--- a/vendor/github.com/containers/buildah/imagebuildah/executor.go
+++ b/vendor/github.com/containers/buildah/imagebuildah/executor.go
@@ -161,6 +161,7 @@ type Executor struct {
 	sbomScanOptions                         []define.SBOMScanOptions
 	cdiConfigDir                            string
 	compatSetParent                         types.OptionalBool
+	compatVolumes                           types.OptionalBool
 }

 type imageTypeAndHistoryAndDiffIDs struct {
@@ -318,6 +319,7 @@ func newExecutor(logger *logrus.Logger, logPrefix string, store storage.Store, o
 		sbomScanOptions:                         options.SBOMScanOptions,
 		cdiConfigDir:                            options.CDIConfigDir,
 		compatSetParent:                         options.CompatSetParent,
+		compatVolumes:                           options.CompatVolumes,
 	}
 	if exec.err == nil {
 		exec.err = os.Stderr
@@ -771,18 +773,19 @@ func (b *Executor) Build(ctx context.Context, stages imagebuilder.Stages) (image
 									base = child.Next.Value
 								}
 							}
+							builtinArgs := argsMapToSlice(stage.Builder.BuiltinArgDefaults)
 							headingArgs := argsMapToSlice(stage.Builder.HeadingArgs)
 							userArgs := argsMapToSlice(stage.Builder.Args)
 							// append heading args so if --build-arg key=value is not
 							// specified but default value is set in Containerfile
 							// via `ARG key=value` so default value can be used.
-							userArgs = append(headingArgs, userArgs...)
+							userArgs = append(builtinArgs, append(userArgs, headingArgs...)...)
 							baseWithArg, err := imagebuilder.ProcessWord(base, userArgs)
 							if err != nil {
 								return "", nil, fmt.Errorf("while replacing arg variables with values for format %q: %w", base, err)
 							}
 							b.baseMap[baseWithArg] = struct{}{}
-							logrus.Debugf("base for stage %d: %q", stageIndex, base)
+							logrus.Debugf("base for stage %d: %q resolves to %q", stageIndex, base, baseWithArg)
 							// Check if selected base is not an additional
 							// build context and if base is a valid stage
 							// add it to current stage's dependency tree.
@@ -809,16 +812,18 @@ func (b *Executor) Build(ctx context.Context, stages imagebuilder.Stages) (image
 							// if following ADD or COPY needs any other
 							// stage.
 							stageName := rootfs
+							builtinArgs := argsMapToSlice(stage.Builder.BuiltinArgDefaults)
 							headingArgs := argsMapToSlice(stage.Builder.HeadingArgs)
 							userArgs := argsMapToSlice(stage.Builder.Args)
 							// append heading args so if --build-arg key=value is not
 							// specified but default value is set in Containerfile
 							// via `ARG key=value` so default value can be used.
-							userArgs = append(headingArgs, userArgs...)
+							userArgs = append(builtinArgs, append(userArgs, headingArgs...)...)
 							baseWithArg, err := imagebuilder.ProcessWord(stageName, userArgs)
 							if err != nil {
 								return "", nil, fmt.Errorf("while replacing arg variables with values for format %q: %w", stageName, err)
 							}
+							logrus.Debugf("stage %d name: %q resolves to %q", stageIndex, stageName, baseWithArg)
 							stageName = baseWithArg
 							// If --from=<index> convert index to name
 							if index, err := strconv.Atoi(stageName); err == nil {
--- a/vendor/github.com/containers/buildah/imagebuildah/stage_executor.go
+++ b/vendor/github.com/containers/buildah/imagebuildah/stage_executor.go
@@ -44,6 +44,7 @@ import (
 	"github.com/openshift/imagebuilder/dockerfile/command"
 	"github.com/openshift/imagebuilder/dockerfile/parser"
 	"github.com/sirupsen/logrus"
+	"golang.org/x/exp/slices"
 )

 // StageExecutor bundles up what we need to know when executing one stage of a
@@ -80,42 +81,22 @@ type StageExecutor struct {
 // Preserve informs the stage executor that from this point on, it needs to
 // ensure that only COPY and ADD instructions can modify the contents of this
 // directory or anything below it.
-// The StageExecutor handles this by caching the contents of directories which
-// have been marked this way before executing a RUN instruction, invalidating
-// that cache when an ADD or COPY instruction sets any location under the
-// directory as the destination, and using the cache to reset the contents of
-// the directory tree after processing each RUN instruction.
+// When CompatVolumes is enabled, the StageExecutor handles this by caching the
+// contents of directories which have been marked this way before executing a
+// RUN instruction, invalidating that cache when an ADD or COPY instruction
+// sets any location under the directory as the destination, and using the
+// cache to reset the contents of the directory tree after processing each RUN
+// instruction.
 // It would be simpler if we could just mark the directory as a read-only bind
 // mount of itself during Run(), but the directory is expected to be remain
 // writeable while the RUN instruction is being handled, even if any changes
 // made within the directory are ultimately discarded.
 func (s *StageExecutor) Preserve(path string) error {
-	logrus.Debugf("PRESERVE %q", path)
-	if s.volumes.Covers(path) {
-		// This path is already a subdirectory of a volume path that
-		// we're already preserving, so there's nothing new to be done
-		// except ensure that it exists.
-		createdDirPerms := os.FileMode(0755)
-		if err := copier.Mkdir(s.mountPoint, filepath.Join(s.mountPoint, path), copier.MkdirOptions{ChmodNew: &createdDirPerms}); err != nil {
-			return fmt.Errorf("ensuring volume path exists: %w", err)
-		}
-		if err := s.volumeCacheInvalidate(path); err != nil {
-			return fmt.Errorf("ensuring volume path %q is preserved: %w", filepath.Join(s.mountPoint, path), err)
-		}
-		return nil
-	}
-	// Figure out where the cache for this volume would be stored.
-	s.preserved++
-	cacheDir, err := s.executor.store.ContainerDirectory(s.builder.ContainerID)
-	if err != nil {
-		return fmt.Errorf("unable to locate temporary directory for container")
-	}
-	cacheFile := filepath.Join(cacheDir, fmt.Sprintf("volume%d.tar", s.preserved))
-	// Save info about the top level of the location that we'll be archiving.
-	var archivedPath string
+	logrus.Debugf("PRESERVE %q in %q", path, s.builder.ContainerID)

 	// Try and resolve the symlink (if one exists)
 	// Set archivedPath and path based on whether a symlink is found or not
+	var archivedPath string
 	if evaluated, err := copier.Eval(s.mountPoint, filepath.Join(s.mountPoint, path), copier.EvalOptions{}); err == nil {
 		symLink, err := filepath.Rel(s.mountPoint, evaluated)
 		if err != nil {
@@ -130,9 +111,55 @@ func (s *StageExecutor) Preserve(path string) error {
 		return fmt.Errorf("evaluating path %q: %w", path, err)
 	}

+	const createdDirPerms = os.FileMode(0o755)
+	if s.executor.compatVolumes != types.OptionalBoolTrue {
+		logrus.Debugf("ensuring volume path %q exists", path)
+		createdDirPerms := createdDirPerms
+		if err := copier.Mkdir(s.mountPoint, archivedPath, copier.MkdirOptions{ChmodNew: &createdDirPerms}); err != nil {
+			return fmt.Errorf("ensuring volume path exists: %w", err)
+		}
+		logrus.Debugf("not doing volume save-and-restore of %q in %q", path, s.builder.ContainerID)
+		return nil
+	}
+
+	if s.volumes.Covers(path) {
+		// This path is a subdirectory of a volume path that we're
+		// already preserving, so there's nothing new to be done except
+		// ensure that it exists.
+		st, err := os.Stat(archivedPath)
+		if errors.Is(err, os.ErrNotExist) {
+			// We do have to create it.  That means it's not in any
+			// cached copy of the path that covers it, so we have
+			// to invalidate such cached copy.
+			logrus.Debugf("have to create volume %q", path)
+			createdDirPerms := createdDirPerms
+			if err := copier.Mkdir(s.mountPoint, filepath.Join(s.mountPoint, path), copier.MkdirOptions{ChmodNew: &createdDirPerms}); err != nil {
+				return fmt.Errorf("ensuring volume path exists: %w", err)
+			}
+			if err := s.volumeCacheInvalidate(path); err != nil {
+				return fmt.Errorf("ensuring volume path %q is preserved: %w", filepath.Join(s.mountPoint, path), err)
+			}
+			if st, err = os.Stat(archivedPath); err != nil {
+				return fmt.Errorf("checking on just-created volume path: %w", err)
+			}
+		}
+		s.volumeCacheInfo[path] = st
+		return nil
+	}
+
+	// Figure out where the cache for this volume would be stored.
+	s.preserved++
+	cacheDir, err := s.executor.store.ContainerDirectory(s.builder.ContainerID)
+	if err != nil {
+		return fmt.Errorf("unable to locate temporary directory for container")
+	}
+	cacheFile := filepath.Join(cacheDir, fmt.Sprintf("volume%d.tar", s.preserved))
+
+	// Save info about the top level of the location that we'll be archiving.
 	st, err := os.Stat(archivedPath)
 	if errors.Is(err, os.ErrNotExist) {
-		createdDirPerms := os.FileMode(0755)
+		logrus.Debugf("have to create volume %q", path)
+		createdDirPerms := os.FileMode(0o755)
 		if err = copier.Mkdir(s.mountPoint, archivedPath, copier.MkdirOptions{ChmodNew: &createdDirPerms}); err != nil {
 			return fmt.Errorf("ensuring volume path exists: %w", err)
 		}
@@ -145,11 +172,13 @@ func (s *StageExecutor) Preserve(path string) error {
 	s.volumeCacheInfo[path] = st
 	if !s.volumes.Add(path) {
 		// This path is not a subdirectory of a volume path that we're
-		// already preserving, so adding it to the list should work.
+		// already preserving, so adding it to the list should have
+		// worked.
 		return fmt.Errorf("adding %q to the volume cache", path)
 	}
 	s.volumeCache[path] = cacheFile
-	// Now prune cache files for volumes that are now supplanted by this one.
+
+	// Now prune cache files for volumes that are newly supplanted by this one.
 	removed := []string{}
 	for cachedPath := range s.volumeCache {
 		// Walk our list of cached volumes, and check that they're
@@ -168,6 +197,7 @@ func (s *StageExecutor) Preserve(path string) error {
 			removed = append(removed, cachedPath)
 		}
 	}
+
 	// Actually remove the caches that we decided to remove.
 	for _, cachedPath := range removed {
 		archivedPath := filepath.Join(s.mountPoint, cachedPath)
@@ -274,7 +304,7 @@ func (s *StageExecutor) volumeCacheRestoreVFS() (err error) {
 		if err := copier.Remove(s.mountPoint, archivedPath, copier.RemoveOptions{All: true}); err != nil {
 			return err
 		}
-		createdDirPerms := os.FileMode(0755)
+		createdDirPerms := os.FileMode(0o755)
 		if err := copier.Mkdir(s.mountPoint, archivedPath, copier.MkdirOptions{ChmodNew: &createdDirPerms}); err != nil {
 			return err
 		}
@@ -772,32 +802,33 @@ func (s *StageExecutor) Run(run imagebuilder.Run, config docker.Config) error {
 	}
 	namespaceOptions := append([]define.NamespaceOption{}, s.executor.namespaceOptions...)
 	options := buildah.RunOptions{
-		Args:             s.executor.runtimeArgs,
-		Cmd:              config.Cmd,
-		ContextDir:       s.executor.contextDir,
-		ConfigureNetwork: s.executor.configureNetwork,
-		Entrypoint:       config.Entrypoint,
-		Env:              config.Env,
-		Hostname:         config.Hostname,
-		Logger:           s.executor.logger,
-		Mounts:           s.executor.transientMounts,
-		NamespaceOptions: namespaceOptions,
-		NoHostname:       s.executor.noHostname,
-		NoHosts:          s.executor.noHosts,
-		NoPivot:          os.Getenv("BUILDAH_NOPIVOT") != "",
-		Quiet:            s.executor.quiet,
-		RunMounts:        run.Mounts,
-		Runtime:          s.executor.runtime,
-		Secrets:          s.executor.secrets,
-		SSHSources:       s.executor.sshsources,
-		StageMountPoints: stageMountPoints,
-		Stderr:           s.executor.err,
-		Stdin:            stdin,
-		Stdout:           s.executor.out,
-		SystemContext:    s.executor.systemContext,
-		Terminal:         buildah.WithoutTerminal,
-		User:             config.User,
-		WorkingDir:       config.WorkingDir,
+		Args:                 s.executor.runtimeArgs,
+		Cmd:                  config.Cmd,
+		ContextDir:           s.executor.contextDir,
+		ConfigureNetwork:     s.executor.configureNetwork,
+		Entrypoint:           config.Entrypoint,
+		Env:                  config.Env,
+		Hostname:             config.Hostname,
+		Logger:               s.executor.logger,
+		Mounts:               slices.Clone(s.executor.transientMounts),
+		NamespaceOptions:     namespaceOptions,
+		NoHostname:           s.executor.noHostname,
+		NoHosts:              s.executor.noHosts,
+		NoPivot:              os.Getenv("BUILDAH_NOPIVOT") != "",
+		Quiet:                s.executor.quiet,
+		CompatBuiltinVolumes: types.OptionalBoolFalse,
+		RunMounts:            run.Mounts,
+		Runtime:              s.executor.runtime,
+		Secrets:              s.executor.secrets,
+		SSHSources:           s.executor.sshsources,
+		StageMountPoints:     stageMountPoints,
+		Stderr:               s.executor.err,
+		Stdin:                stdin,
+		Stdout:               s.executor.out,
+		SystemContext:        s.executor.systemContext,
+		Terminal:             buildah.WithoutTerminal,
+		User:                 config.User,
+		WorkingDir:           config.WorkingDir,
 	}

 	// Honor `RUN --network=<>`.
@@ -824,20 +855,40 @@ func (s *StageExecutor) Run(run imagebuilder.Run, config docker.Config) error {
 			args = append([]string{"/bin/sh", "-c"}, args...)
 		}
 	}
-	mounts, err := s.volumeCacheSave()
-	if err != nil {
-		return err
+
+	if s.executor.compatVolumes == types.OptionalBoolTrue {
+		// Only bother with saving/restoring the contents of volumes if
+		// we've been specifically asked to.
+		mounts, err := s.volumeCacheSave()
+		if err != nil {
+			return err
+		}
+		options.Mounts = append(options.Mounts, mounts...)
 	}
-	options.Mounts = append(options.Mounts, mounts...)
+
+	// The list of built-in volumes isn't passed in via RunOptions, so make
+	// sure the builder's list of built-in volumes includes anything that
+	// the configuration thinks is a built-in volume.
+	s.builder.ClearVolumes()
+	for v := range config.Volumes {
+		s.builder.AddVolume(v)
+	}
+
 	if len(heredocMounts) > 0 {
 		options.Mounts = append(options.Mounts, heredocMounts...)
 	}
 	err = s.builder.Run(args, options)
-	if err2 := s.volumeCacheRestore(); err2 != nil {
-		if err == nil {
-			return err2
+
+	if s.executor.compatVolumes == types.OptionalBoolTrue {
+		// Only bother with saving/restoring the contents of volumes if
+		// we've been specifically asked to.
+		if err2 := s.volumeCacheRestore(); err2 != nil {
+			if err == nil {
+				return err2
+			}
 		}
 	}
+
 	return err
 }

@@ -1027,6 +1078,14 @@ func (s *StageExecutor) prepare(ctx context.Context, from string, initializeIBCo
 		// Make this our "current" working container.
 		s.mountPoint = mountPoint
 		s.builder = builder
+		// Now that the rootfs is mounted, set up handling of volumes from the base image.
+		s.volumeCache = make(map[string]string)
+		s.volumeCacheInfo = make(map[string]os.FileInfo)
+		for _, v := range builder.Volumes() {
+			if err := s.Preserve(v); err != nil {
+				return nil, fmt.Errorf("marking base image volume %q for preservation: %w", v, err)
+			}
+		}
 	}
 	logrus.Debugln("Container ID:", builder.ContainerID)
 	return builder, nil
--- a/vendor/github.com/containers/buildah/pkg/cli/build.go
+++ b/vendor/github.com/containers/buildah/pkg/cli/build.go
@@ -361,6 +361,7 @@ func GenBuildOptions(c *cobra.Command, inputArgs []string, iopts BuildOptions) (
 		CDIConfigDir:            iopts.CDIConfigDir,
 		CNIConfigDir:            iopts.CNIConfigDir,
 		CNIPluginPath:           iopts.CNIPlugInPath,
+		CompatVolumes:           types.NewOptionalBool(iopts.CompatVolumes),
 		ConfidentialWorkload:    confidentialWorkloadOptions,
 		CPPFlags:                iopts.CPPFlags,
 		CommonBuildOpts:         commonOpts,
--- a/vendor/github.com/containers/buildah/pkg/cli/common.go
+++ b/vendor/github.com/containers/buildah/pkg/cli/common.go
@@ -119,6 +119,7 @@ type BudResults struct {
 	OSVersion           string
 	CWOptions           string
 	SBOMOptions         []string
+	CompatVolumes       bool
 }

 // FromAndBugResults represents the results for common flags
@@ -228,6 +229,7 @@ func GetBudFlags(flags *BudResults) pflag.FlagSet {
 	fs.StringVar(&flags.CacheTTL, "cache-ttl", "", "only consider cache images under specified duration.")
 	fs.StringVar(&flags.CertDir, "cert-dir", "", "use certificates at the specified path to access the registry")
 	fs.BoolVar(&flags.Compress, "compress", false, "this is a legacy option, which has no effect on the image")
+	fs.BoolVar(&flags.CompatVolumes, "compat-volumes", false, "preserve the contents of VOLUMEs during RUN instructions")
 	fs.StringArrayVar(&flags.CPPFlags, "cpp-flag", []string{}, "set additional flag to pass to C preprocessor (cpp)")
 	fs.StringVar(&flags.Creds, "creds", "", "use `[username[:password]]` for accessing the registry")
 	fs.StringVarP(&flags.CWOptions, "cw", "", "", "confidential workload `options`")
--- a/vendor/github.com/containers/buildah/run.go
+++ b/vendor/github.com/containers/buildah/run.go
@@ -170,6 +170,12 @@ type RunOptions struct {
 	// CDIConfigDir is the location of CDI configuration files, if the files in
 	// the default configuration locations shouldn't be used.
 	CDIConfigDir string
+	// CompatBuiltinVolumes causes the contents of locations marked as
+	// volumes in the container's configuration to be set up as bind mounts to
+	// directories which are not in the container's rootfs, hiding changes
+	// made to contents of those changes when the container is subsequently
+	// committed.
+	CompatBuiltinVolumes types.OptionalBool
 }

 // RunMountArtifacts are the artifacts created when using a run mount.
--- a/vendor/github.com/containers/buildah/run_common.go
+++ b/vendor/github.com/containers/buildah/run_common.go
@@ -39,6 +39,7 @@ import (
 	netUtil "github.com/containers/common/libnetwork/util"
 	"github.com/containers/common/pkg/config"
 	"github.com/containers/common/pkg/subscriptions"
+	"github.com/containers/image/v5/types"
 	imageTypes "github.com/containers/image/v5/types"
 	"github.com/containers/storage"
 	"github.com/containers/storage/pkg/fileutils"
@@ -1304,7 +1305,7 @@ func init() {
 }

 // If this succeeds, the caller must call cleanupMounts().
-func (b *Builder) setupMounts(mountPoint string, spec *specs.Spec, bundlePath string, optionMounts []specs.Mount, bindFiles map[string]string, builtinVolumes, volumeMounts []string, runFileMounts []string, runMountInfo runMountInfo) (*runMountArtifacts, error) {
+func (b *Builder) setupMounts(mountPoint string, spec *specs.Spec, bundlePath string, optionMounts []specs.Mount, bindFiles map[string]string, builtinVolumes []string, compatBuiltinVolumes types.OptionalBool, volumeMounts []string, runFileMounts []string, runMountInfo runMountInfo) (*runMountArtifacts, error) {
 	// Start building a new list of mounts.
 	var mounts []specs.Mount
 	haveMount := func(destination string) bool {
@@ -1374,7 +1375,7 @@ func (b *Builder) setupMounts(mountPoint string, spec *specs.Spec, bundlePath st
 	}()
 	// Add temporary copies of the contents of volume locations at the
 	// volume locations, unless we already have something there.
-	builtins, err := runSetupBuiltinVolumes(b.MountLabel, mountPoint, cdir, builtinVolumes, int(rootUID), int(rootGID))
+	builtins, err := runSetupBuiltinVolumes(b.MountLabel, mountPoint, cdir, builtinVolumes, compatBuiltinVolumes, int(rootUID), int(rootGID))
 	if err != nil {
 		return nil, err
 	}
@@ -1411,17 +1412,31 @@ func (b *Builder) setupMounts(mountPoint string, spec *specs.Spec, bundlePath st
 	return mountArtifacts, nil
 }

-func runSetupBuiltinVolumes(mountLabel, mountPoint, containerDir string, builtinVolumes []string, rootUID, rootGID int) ([]specs.Mount, error) {
+func runSetupBuiltinVolumes(mountLabel, mountPoint, containerDir string, builtinVolumes []string, compatBuiltinVolumes types.OptionalBool, rootUID, rootGID int) ([]specs.Mount, error) {
 	var mounts []specs.Mount
 	hostOwner := idtools.IDPair{UID: rootUID, GID: rootGID}
 	// Add temporary copies of the contents of volume locations at the
 	// volume locations, unless we already have something there.
 	for _, volume := range builtinVolumes {
-		volumePath := filepath.Join(containerDir, "buildah-volumes", digest.Canonical.FromString(volume).Hex())
-		initializeVolume := false
+		// Make sure the volume exists in the rootfs.
+		createDirPerms := os.FileMode(0o755)
+		err := copier.Mkdir(mountPoint, filepath.Join(mountPoint, volume), copier.MkdirOptions{
+			ChownNew: &hostOwner,
+			ChmodNew: &createDirPerms,
+		})
+		if err != nil {
+			return nil, fmt.Errorf("ensuring volume path %q: %w", filepath.Join(mountPoint, volume), err)
+		}
+		// If we're not being asked to bind mount anonymous volumes
+		// onto the volume paths, we're done here.
+		if compatBuiltinVolumes != types.OptionalBoolTrue {
+			continue
+		}
 		// If we need to, create the directory that we'll use to hold
 		// the volume contents.  If we do need to create it, then we'll
 		// need to populate it, too, so make a note of that.
+		volumePath := filepath.Join(containerDir, "buildah-volumes", digest.Canonical.FromString(volume).Hex())
+		initializeVolume := false
 		if err := fileutils.Exists(volumePath); err != nil {
 			if !errors.Is(err, fs.ErrNotExist) {
 				return nil, err
@@ -1435,15 +1450,7 @@ func runSetupBuiltinVolumes(mountLabel, mountPoint, containerDir string, builtin
 			}
 			initializeVolume = true
 		}
-		// Make sure the volume exists in the rootfs and read its attributes.
-		createDirPerms := os.FileMode(0755)
-		err := copier.Mkdir(mountPoint, filepath.Join(mountPoint, volume), copier.MkdirOptions{
-			ChownNew: &hostOwner,
-			ChmodNew: &createDirPerms,
-		})
-		if err != nil {
-			return nil, fmt.Errorf("ensuring volume path %q: %w", filepath.Join(mountPoint, volume), err)
-		}
+		// Read the attributes of the volume's location in the rootfs.
 		srcPath, err := copier.Eval(mountPoint, filepath.Join(mountPoint, volume), copier.EvalOptions{})
 		if err != nil {
 			return nil, fmt.Errorf("evaluating path %q: %w", srcPath, err)
--- a/vendor/github.com/containers/buildah/run_freebsd.go
+++ b/vendor/github.com/containers/buildah/run_freebsd.go
@@ -259,7 +259,7 @@ func (b *Builder) Run(command []string, options RunOptions) error {
 		SystemContext:    options.SystemContext,
 	}

-	runArtifacts, err := b.setupMounts(mountPoint, spec, path, options.Mounts, bindFiles, volumes, b.CommonBuildOpts.Volumes, options.RunMounts, runMountInfo)
+	runArtifacts, err := b.setupMounts(mountPoint, spec, path, options.Mounts, bindFiles, volumes, options.CompatBuiltinVolumes, b.CommonBuildOpts.Volumes, options.RunMounts, runMountInfo)
 	if err != nil {
 		return fmt.Errorf("resolving mountpoints for container %q: %w", b.ContainerID, err)
 	}
--- a/vendor/github.com/containers/buildah/run_linux.go
+++ b/vendor/github.com/containers/buildah/run_linux.go
@@ -475,7 +475,7 @@ rootless=%d
 		SystemContext:    options.SystemContext,
 	}

-	runArtifacts, err := b.setupMounts(mountPoint, spec, path, options.Mounts, bindFiles, volumes, b.CommonBuildOpts.Volumes, options.RunMounts, runMountInfo)
+	runArtifacts, err := b.setupMounts(mountPoint, spec, path, options.Mounts, bindFiles, volumes, options.CompatBuiltinVolumes, b.CommonBuildOpts.Volumes, options.RunMounts, runMountInfo)
 	if err != nil {
 		return fmt.Errorf("resolving mountpoints for container %q: %w", b.ContainerID, err)
 	}