Vendor in containers/(buildah, common)

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

vendor/github.com/containers/buildah/.cirrus.yml

@@ -32,7 +32,7 @@ env:
     DEBIAN_NAME: "debian-13"
 
     # Image identifiers
-    IMAGE_SUFFIX: "c20240102t212217z-f39f38d13"
+    IMAGE_SUFFIX: "c20240222t143004z-f39f38d13"
     FEDORA_CACHE_IMAGE_NAME: "fedora-${IMAGE_SUFFIX}"
     PRIOR_FEDORA_CACHE_IMAGE_NAME: "prior-fedora-${IMAGE_SUFFIX}"
     DEBIAN_CACHE_IMAGE_NAME: "debian-${IMAGE_SUFFIX}"
@@ -221,6 +221,7 @@ integration_task:
             DISTRO_NV: "${DEBIAN_NAME}"
             IMAGE_NAME: "${DEBIAN_CACHE_IMAGE_NAME}"
             STORAGE_DRIVER: 'vfs'
+            CI_DESIRED_RUNTIME: runc
         # OVERLAY
         - env:
             DISTRO_NV: "${FEDORA_NAME}"
@@ -234,6 +235,7 @@ integration_task:
             DISTRO_NV: "${DEBIAN_NAME}"
             IMAGE_NAME: "${DEBIAN_CACHE_IMAGE_NAME}"
             STORAGE_DRIVER: 'overlay'
+            CI_DESIRED_RUNTIME: runc
 
     gce_instance:
         image_name: "$IMAGE_NAME"
@@ -323,6 +325,8 @@ in_podman_task:
 # set of tasks all passed, and allows confirming that based on the status
 # of this task.
 success_task:
+    # N/B: The prow merge-bot (tide) is sensitized to this exact name, DO NOT CHANGE IT.
+    # Ref: https://github.com/openshift/release/pull/48909
     name: "Total Success"
     alias: success
 

vendor/github.com/containers/buildah/Makefile

@@ -4,6 +4,10 @@ APPARMORTAG := $(shell hack/apparmor_tag.sh)
 STORAGETAGS := exclude_graphdriver_devicemapper $(shell ./btrfs_tag.sh) $(shell ./btrfs_installed_tag.sh) $(shell ./hack/libsubid_tag.sh)
 SECURITYTAGS ?= seccomp $(APPARMORTAG)
 TAGS ?= $(SECURITYTAGS) $(STORAGETAGS) $(shell ./hack/systemd_tag.sh)
+ifeq ($(shell uname -s),FreeBSD)
+# FreeBSD needs CNI until netavark is supported
+TAGS += cni
+endif
 BUILDTAGS += $(TAGS)
 PREFIX := /usr/local
 BINDIR := $(PREFIX)/bin
@@ -87,7 +91,7 @@ endif
 buildah: bin/buildah
 
 ALL_CROSS_TARGETS := $(addprefix bin/buildah.,$(subst /,.,$(shell $(GO) tool dist list)))
-LINUX_CROSS_TARGETS := $(filter bin/buildah.linux.%,$(ALL_CROSS_TARGETS))
+LINUX_CROSS_TARGETS := $(filter-out %.loong64,$(filter bin/buildah.linux.%,$(ALL_CROSS_TARGETS)))
 DARWIN_CROSS_TARGETS := $(filter bin/buildah.darwin.%,$(ALL_CROSS_TARGETS))
 WINDOWS_CROSS_TARGETS := $(addsuffix .exe,$(filter bin/buildah.windows.%,$(ALL_CROSS_TARGETS)))
 FREEBSD_CROSS_TARGETS := $(filter bin/buildah.freebsd.%,$(ALL_CROSS_TARGETS))
@@ -196,7 +200,7 @@ test-unit: tests/testreport/testreport
 	$(GO_TEST) -v -tags "$(STORAGETAGS) $(SECURITYTAGS)" -cover $(RACEFLAGS) ./cmd/buildah -args --root $$tmp/root --runroot $$tmp/runroot --storage-driver vfs --signature-policy $(shell pwd)/tests/policy.json --registries-conf $(shell pwd)/tests/registries.conf
 
 vendor-in-container:
-	podman run --privileged --rm --env HOME=/root -v `pwd`:/src -w /src docker.io/library/golang:1.20 make vendor
+	podman run --privileged --rm --env HOME=/root -v `pwd`:/src -w /src docker.io/library/golang:1.21 make vendor
 
 .PHONY: vendor
 vendor:

vendor/github.com/containers/buildah/bind/mount.go

@@ -11,11 +11,11 @@ import (
 	"syscall"
 
 	"github.com/containers/buildah/util"
-	cutil "github.com/containers/common/pkg/util"
 	"github.com/containers/storage/pkg/idtools"
 	"github.com/containers/storage/pkg/mount"
 	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/sirupsen/logrus"
+	"golang.org/x/exp/slices"
 	"golang.org/x/sys/unix"
 )
 
@@ -192,11 +192,11 @@ func SetupIntermediateMountNamespace(spec *specs.Spec, bundlePath string) (unmou
 // Decide if the mount should not be redirected to an intermediate location first.
 func leaveBindMountAlone(mount specs.Mount) bool {
 	// If we know we shouldn't do a redirection for this mount, skip it.
-	if cutil.StringInSlice(NoBindOption, mount.Options) {
+	if slices.Contains(mount.Options, NoBindOption) {
 		return true
 	}
 	// If we're not bind mounting it in, we don't need to do anything for it.
-	if mount.Type != "bind" && !cutil.StringInSlice("bind", mount.Options) && !cutil.StringInSlice("rbind", mount.Options) {
+	if mount.Type != "bind" && !slices.Contains(mount.Options, "bind") && !slices.Contains(mount.Options, "rbind") {
 		return true
 	}
 	return false
@@ -294,7 +294,7 @@ func UnmountMountpoints(mountpoint string, mountpointsToRemove []string) error {
 			}
 		}
 		// if we're also supposed to remove this thing, do that, too
-		if cutil.StringInSlice(mount.Mountpoint, mountpointsToRemove) {
+		if slices.Contains(mountpointsToRemove, mount.Mountpoint) {
 			if err := os.Remove(mount.Mountpoint); err != nil {
 				return fmt.Errorf("removing %q: %w", mount.Mountpoint, err)
 			}

vendor/github.com/containers/buildah/bind/util.go

@@ -1,8 +1,8 @@
 package bind
 
 import (
-	"github.com/containers/common/pkg/util"
 	"github.com/opencontainers/runtime-spec/specs-go"
+	"golang.org/x/exp/slices"
 )
 
 const (
@@ -14,7 +14,7 @@ const (
 
 func stripNoBindOption(spec *specs.Spec) {
 	for i := range spec.Mounts {
-		if util.StringInSlice(NoBindOption, spec.Mounts[i].Options) {
+		if slices.Contains(spec.Mounts[i].Options, NoBindOption) {
 			prunedOptions := make([]string, 0, len(spec.Mounts[i].Options))
 			for _, option := range spec.Mounts[i].Options {
 				if option != NoBindOption {

vendor/github.com/containers/buildah/chroot/run_common.go

@@ -34,6 +34,8 @@ const (
 	runUsingChrootCommand = "buildah-chroot-runtime"
 	// runUsingChrootExec is a command we use as a key for reexec
 	runUsingChrootExecCommand = "buildah-chroot-exec"
+	// containersConfEnv is an environment variable that we need to pass down except for the command itself
+	containersConfEnv = "CONTAINERS_CONF"
 )
 
 func init() {
@@ -128,6 +130,9 @@ func RunUsingChroot(spec *specs.Spec, bundlePath, homeDir string, stdin io.Reade
 	cmd.Stdin, cmd.Stdout, cmd.Stderr = stdin, stdout, stderr
 	cmd.Dir = "/"
 	cmd.Env = []string{fmt.Sprintf("LOGLEVEL=%d", logrus.GetLevel())}
+	if _, ok := os.LookupEnv(containersConfEnv); ok {
+		cmd.Env = append(cmd.Env, containersConfEnv+"="+os.Getenv(containersConfEnv))
+	}
 
 	interrupted := make(chan os.Signal, 100)
 	cmd.Hook = func(int) error {
@@ -511,6 +516,9 @@ func runUsingChroot(spec *specs.Spec, bundlePath string, ctty *os.File, stdin io
 	cmd.Stdin, cmd.Stdout, cmd.Stderr = stdin, stdout, stderr
 	cmd.Dir = "/"
 	cmd.Env = []string{fmt.Sprintf("LOGLEVEL=%d", logrus.GetLevel())}
+	if _, ok := os.LookupEnv(containersConfEnv); ok {
+		cmd.Env = append(cmd.Env, containersConfEnv+"="+os.Getenv(containersConfEnv))
+	}
 	if ctty != nil {
 		cmd.Setsid = true
 		cmd.Ctty = ctty

vendor/github.com/containers/buildah/config.go

@@ -12,7 +12,6 @@ import (
 	"github.com/containers/buildah/define"
 	"github.com/containers/buildah/docker"
 	internalUtil "github.com/containers/buildah/internal/util"
-	"github.com/containers/common/pkg/util"
 	"github.com/containers/image/v5/manifest"
 	"github.com/containers/image/v5/pkg/compression"
 	"github.com/containers/image/v5/transports"
@@ -20,6 +19,7 @@ import (
 	"github.com/containers/storage/pkg/stringid"
 	ociv1 "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/sirupsen/logrus"
+	"golang.org/x/exp/slices"
 )
 
 // unmarshalConvertedConfig obtains the config blob of img valid for the wantedManifestMIMEType format
@@ -229,10 +229,10 @@ func (b *Builder) OSFeatures() []string {
 // SetOSFeature adds a feature of the OS which the container, or a container
 // built using an image built from this container, depends on the OS supplying.
 func (b *Builder) SetOSFeature(feature string) {
-	if !util.StringInSlice(feature, b.OCIv1.OSFeatures) {
+	if !slices.Contains(b.OCIv1.OSFeatures, feature) {
 		b.OCIv1.OSFeatures = append(b.OCIv1.OSFeatures, feature)
 	}
-	if !util.StringInSlice(feature, b.Docker.OSFeatures) {
+	if !slices.Contains(b.Docker.OSFeatures, feature) {
 		b.Docker.OSFeatures = append(b.Docker.OSFeatures, feature)
 	}
 }
@@ -241,7 +241,7 @@ func (b *Builder) SetOSFeature(feature string) {
 // container built using an image built from this container, depends on the OS
 // supplying.
 func (b *Builder) UnsetOSFeature(feature string) {
-	if util.StringInSlice(feature, b.OCIv1.OSFeatures) {
+	if slices.Contains(b.OCIv1.OSFeatures, feature) {
 		features := make([]string, 0, len(b.OCIv1.OSFeatures))
 		for _, f := range b.OCIv1.OSFeatures {
 			if f != feature {
@@ -250,7 +250,7 @@ func (b *Builder) UnsetOSFeature(feature string) {
 		}
 		b.OCIv1.OSFeatures = features
 	}
-	if util.StringInSlice(feature, b.Docker.OSFeatures) {
+	if slices.Contains(b.Docker.OSFeatures, feature) {
 		features := make([]string, 0, len(b.Docker.OSFeatures))
 		for _, f := range b.Docker.OSFeatures {
 			if f != feature {

vendor/github.com/containers/buildah/define/types.go

@@ -29,7 +29,7 @@ const (
 	// identify working containers.
 	Package = "buildah"
 	// Version for the Package. Also used by .packit.sh for Packit builds.
-	Version = "1.34.1-dev"
+	Version = "1.35.0-dev"
 
 	// DefaultRuntime if containers.conf fails.
 	DefaultRuntime = "runc"
@@ -54,6 +54,9 @@ const (
 	SNP TeeType = "snp"
 )
 
+// DefaultRlimitValue is the value set by default for nofile and nproc
+const RLimitDefaultValue = uint64(1048576)
+
 // TeeType is a supported trusted execution environment type.
 type TeeType string
 

vendor/github.com/containers/buildah/imagebuildah/build.go

@@ -5,6 +5,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	gotypes "go/types"
 	"io"
 	"net/http"
 	"os"
@@ -36,6 +37,7 @@ import (
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/openshift/imagebuilder"
 	"github.com/sirupsen/logrus"
+	"golang.org/x/exp/slices"
 	"golang.org/x/sync/semaphore"
 )
 
@@ -493,6 +495,26 @@ func preprocessContainerfileContents(logger *logrus.Logger, containerfile string
 	return &stdoutBuffer, nil
 }
 
+// platformIsUnknown checks if the platform value indicates that the
+// corresponding index entry is suitable for use as a base image
+func platformIsAcceptable(platform *v1.Platform, logger *logrus.Logger) bool {
+	if platform == nil {
+		logger.Trace("rejecting potential base image with no platform information")
+		return false
+	}
+	if gotypes.SizesFor("gc", platform.Architecture) == nil {
+		// the compiler's never heard of this
+		logger.Tracef("rejecting potential base image architecture %q for which Go has no knowledge of how to do unsafe code", platform.Architecture)
+		return false
+	}
+	if slices.Contains([]string{"", "unknown"}, platform.OS) {
+		// we're hard-wired to reject images with these values
+		logger.Tracef("rejecting potential base image for which the OS value is always-rejected value %q", platform.OS)
+		return false
+	}
+	return true
+}
+
 // platformsForBaseImages resolves the names of base images from the
 // dockerfiles, and if they are all valid references to manifest lists, returns
 // the list of platforms that are supported by all of the base images.
@@ -570,7 +592,10 @@ func platformsForBaseImages(ctx context.Context, logger *logrus.Logger, dockerfi
 		if baseImageIndex == 0 {
 			// populate the list with the first image's normalized platforms
 			for _, instance := range index.Manifests {
-				if instance.Platform == nil {
+				if !platformIsAcceptable(instance.Platform, logger) {
+					continue
+				}
+				if instance.ArtifactType != "" {
 					continue
 				}
 				platform := internalUtil.NormalizePlatform(*instance.Platform)
@@ -581,7 +606,10 @@ func platformsForBaseImages(ctx context.Context, logger *logrus.Logger, dockerfi
 			// prune the list of any normalized platforms this base image doesn't support
 			imagePlatforms := make(map[string]struct{})
 			for _, instance := range index.Manifests {
-				if instance.Platform == nil {
+				if !platformIsAcceptable(instance.Platform, logger) {
+					continue
+				}
+				if instance.ArtifactType != "" {
 					continue
 				}
 				platform := internalUtil.NormalizePlatform(*instance.Platform)

vendor/github.com/containers/buildah/imagebuildah/stage_executor.go

@@ -1217,7 +1217,24 @@ func (s *StageExecutor) Execute(ctx context.Context, base string) (imgID string,
 		}
 		logrus.Debugf("Parsed Step: %+v", *step)
 		if !s.executor.quiet {
-			s.log("%s", step.Original)
+			logMsg := step.Original
+			if len(step.Heredocs) > 0 {
+				summarizeHeredoc := func(doc string) string {
+					doc = strings.TrimSpace(doc)
+					lines := strings.Split(strings.ReplaceAll(doc, "\r\n", "\n"), "\n")
+					summary := lines[0]
+					if len(lines) > 1 {
+						summary += "..."
+					}
+					return summary
+				}
+
+				for _, doc := range node.Heredocs {
+					heredocContent := summarizeHeredoc(doc.Content)
+					logMsg = logMsg + " (" + heredocContent + ")"
+				}
+			}
+			s.log("%s", logMsg)
 		}
 
 		// Check if there's a --from if the step command is COPY.
@@ -1737,11 +1754,15 @@ func (s *StageExecutor) getCreatedBy(node *parser.Node, addedContentSummary stri
 		buildArgs := s.getBuildArgsKey()
 		return "/bin/sh -c #(nop) ARG " + buildArgs
 	case "RUN":
+		shArg := ""
 		buildArgs := s.getBuildArgsResolvedForRun()
-		if buildArgs != "" {
-			return "|" + strconv.Itoa(len(strings.Split(buildArgs, " "))) + " " + buildArgs + " /bin/sh -c " + node.Original[4:]
+		if len(node.Original) > 4 {
+			shArg = node.Original[4:]
 		}
-		result := "/bin/sh -c " + node.Original[4:]
+		if buildArgs != "" {
+			return "|" + strconv.Itoa(len(strings.Split(buildArgs, " "))) + " " + buildArgs + " /bin/sh -c " + shArg
+		}
+		result := "/bin/sh -c " + shArg
 		if len(node.Heredocs) > 0 {
 			for _, doc := range node.Heredocs {
 				heredocContent := strings.TrimSpace(doc.Content)

vendor/github.com/containers/buildah/internal/volumes/volumes.go

@@ -235,11 +235,11 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
 	}
 	// if id is set a new subdirectory with `id` will be created under /host-temp/buildah-build-cache/id
 	id := ""
-	//buidkit parity: cache directory defaults to 755
+	// buildkit parity: cache directory defaults to 755
 	mode = 0o755
-	//buidkit parity: cache directory defaults to uid 0 if not specified
+	// buildkit parity: cache directory defaults to uid 0 if not specified
 	uid := 0
-	//buidkit parity: cache directory defaults to gid 0 if not specified
+	// buildkit parity: cache directory defaults to gid 0 if not specified
 	gid := 0
 	// sharing mode
 	sharing := "shared"
@@ -384,7 +384,7 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
 			UID: uid,
 			GID: gid,
 		}
-		//buildkit parity: change uid and gid if specified otheriwise keep `0`
+		// buildkit parity: change uid and gid if specified otheriwise keep `0`
 		err = idtools.MkdirAllAndChownNew(newMount.Source, os.FileMode(mode), idPair)
 		if err != nil {
 			return newMount, nil, fmt.Errorf("unable to change uid,gid of cache directory: %w", err)
@@ -602,7 +602,7 @@ func GetTmpfsMount(args []string) (specs.Mount, error) {
 			// Alias for "ro"
 			newMount.Options = append(newMount.Options, "ro")
 		case "tmpcopyup":
-			//the path that is shadowed by the tmpfs mount is recursively copied up to the tmpfs itself.
+			// the path that is shadowed by the tmpfs mount is recursively copied up to the tmpfs itself.
 			newMount.Options = append(newMount.Options, argName)
 		case "tmpfs-mode":
 			if !hasArgValue {

vendor/github.com/containers/buildah/pkg/cli/build.go

@@ -19,12 +19,12 @@ import (
 	"github.com/containers/buildah/pkg/parse"
 	"github.com/containers/buildah/pkg/util"
 	"github.com/containers/common/pkg/auth"
-	cutil "github.com/containers/common/pkg/util"
 	"github.com/containers/image/v5/docker/reference"
 	"github.com/containers/image/v5/types"
 	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
+	"golang.org/x/exp/slices"
 )
 
 type BuildOptions struct {
@@ -316,13 +316,6 @@ func GenBuildOptions(c *cobra.Command, inputArgs []string, iopts BuildOptions) (
 			iopts.NoCache = true
 		}
 	}
-	var pullPushRetryDelay time.Duration
-	pullPushRetryDelay, err = time.ParseDuration(iopts.RetryDelay)
-	if err != nil {
-		return options, nil, nil, fmt.Errorf("unable to parse value provided %q as --retry-delay: %w", iopts.RetryDelay, err)
-	}
-	// Following log line is used in integration test.
-	logrus.Debugf("Setting MaxPullPushRetries to %d and PullPushRetryDelay to %v", iopts.Retry, pullPushRetryDelay)
 
 	if c.Flag("network").Changed && c.Flag("isolation").Changed {
 		if isolation == define.IsolationChroot {
@@ -340,7 +333,7 @@ func GenBuildOptions(c *cobra.Command, inputArgs []string, iopts BuildOptions) (
 		if err != nil {
 			return options, nil, nil, err
 		}
-		if !cutil.StringInSlice(contextDir, sbomScanOption.ContextDir) {
+		if !slices.Contains(sbomScanOption.ContextDir, contextDir) {
 			sbomScanOption.ContextDir = append(sbomScanOption.ContextDir, contextDir)
 		}
 		for _, abc := range additionalBuildContext {
@@ -405,7 +398,6 @@ func GenBuildOptions(c *cobra.Command, inputArgs []string, iopts BuildOptions) (
 		OutputFormat:            format,
 		Platforms:               platforms,
 		PullPolicy:              pullPolicy,
-		PullPushRetryDelay:      pullPushRetryDelay,
 		Quiet:                   iopts.Quiet,
 		RemoveIntermediateCtrs:  iopts.Rm,
 		ReportWriter:            reporter,
@@ -424,6 +416,15 @@ func GenBuildOptions(c *cobra.Command, inputArgs []string, iopts BuildOptions) (
 		UnsetEnvs:               iopts.UnsetEnvs,
 		UnsetLabels:             iopts.UnsetLabels,
 	}
+	if iopts.RetryDelay != "" {
+		options.PullPushRetryDelay, err = time.ParseDuration(iopts.RetryDelay)
+		if err != nil {
+			return options, nil, nil, fmt.Errorf("unable to parse value provided %q as --retry-delay: %w", iopts.RetryDelay, err)
+		}
+		// Following log line is used in integration test.
+		logrus.Debugf("Setting MaxPullPushRetries to %d and PullPushRetryDelay to %v", iopts.Retry, options.PullPushRetryDelay)
+	}
+
 	if iopts.Quiet {
 		options.ReportWriter = io.Discard
 	}

vendor/github.com/containers/buildah/pkg/cli/common.go

@@ -367,7 +367,7 @@ func GetFromAndBudFlags(flags *FromAndBudResults, usernsResults *UserNSResults,
 	fs := pflag.FlagSet{}
 	defaultContainerConfig, err := config.Default()
 	if err != nil {
-		return fs, fmt.Errorf("failed to get container config: %w", err)
+		return fs, fmt.Errorf("failed to get default container config: %w", err)
 	}
 
 	fs.StringSliceVar(&flags.AddHost, "add-host", []string{}, "add a custom host-to-IP mapping (`host:ip`) (default [])")
@@ -392,8 +392,8 @@ func GetFromAndBudFlags(flags *FromAndBudResults, usernsResults *UserNSResults,
 	fs.StringVar(&flags.Isolation, "isolation", DefaultIsolation(), "`type` of process isolation to use. Use BUILDAH_ISOLATION environment variable to override.")
 	fs.StringVarP(&flags.Memory, "memory", "m", "", "memory limit (format: <number>[<unit>], where unit = b, k, m or g)")
 	fs.StringVar(&flags.MemorySwap, "memory-swap", "", "swap limit equal to memory plus swap: '-1' to enable unlimited swap")
-	fs.IntVar(&flags.Retry, "retry", MaxPullPushRetries, "number of times to retry in case of failure when performing push/pull")
-	fs.StringVar(&flags.RetryDelay, "retry-delay", PullPushRetryDelay.String(), "delay between retries in case of push/pull failures")
+	fs.IntVar(&flags.Retry, "retry", int(defaultContainerConfig.Engine.Retry), "number of times to retry in case of failure when performing push/pull")
+	fs.StringVar(&flags.RetryDelay, "retry-delay", defaultContainerConfig.Engine.RetryDelay, "delay between retries in case of push/pull failures")
 	fs.String("arch", runtime.GOARCH, "set the ARCH of the image to the provided value instead of the architecture of the host")
 	fs.String("os", runtime.GOOS, "prefer `OS` instead of the running OS when pulling images")
 	fs.StringSlice("platform", []string{parse.DefaultPlatform()}, "set the `OS/ARCH[/VARIANT]` of the image to the provided value instead of the current operating system and architecture of the host (for example \"linux/arm\")")

vendor/github.com/containers/buildah/pkg/parse/parse.go

@@ -491,7 +491,9 @@ func PullPolicyFromFlagSet(flags *pflag.FlagSet, findFlagFunc func(name string)
 	if err != nil {
 		return 0, err
 	}
-	if pullNeverFlagValue || strings.EqualFold(pullFlagValue, "never") {
+	if pullNeverFlagValue ||
+		strings.EqualFold(pullFlagValue, "never") ||
+		strings.EqualFold(pullFlagValue, "false") {
 		pullPolicy = define.PullNever
 	}
 	logrus.Debugf("Pull Policy for pull [%v]", pullPolicy)
@@ -814,8 +816,11 @@ func SBOMScanOptionsFromFlagSet(flags *pflag.FlagSet, findFlagFunc func(name str
 		return nil, fmt.Errorf("invalid value for --sbom-purl-output: %w", err)
 	}
 
-	if options.Image == "" || len(options.Commands) == 0 || (options.SBOMOutput == "" && options.ImageSBOMOutput == "" && options.PURLOutput == "" && options.ImagePURLOutput == "") {
-		return options, fmt.Errorf("sbom configuration missing one or more of (%q, %q, %q, %q, %q or %q)", "--sbom-scanner-imag", "--sbom-scanner-command", "--sbom-output", "--sbom-image-output", "--sbom-purl-output", "--sbom-image-purl-output")
+	if options.Image == "" || len(options.Commands) == 0 {
+		return options, fmt.Errorf("sbom configuration missing one or more of (%q or %q)", "--sbom-scanner-image", "--sbom-scanner-command")
+	}
+	if options.SBOMOutput == "" && options.ImageSBOMOutput == "" && options.PURLOutput == "" && options.ImagePURLOutput == "" {
+		return options, fmt.Errorf("sbom configuration missing one or more of (%q, %q, %q or %q)", "--sbom-output", "--sbom-image-output", "--sbom-purl-output", "--sbom-image-purl-output")
 	}
 	if len(options.Commands) > 1 && options.MergeStrategy == "" {
 		return options, fmt.Errorf("sbom configuration included multiple %q values but no %q value", "--sbom-scanner-command", "--sbom-merge-strategy")

vendor/github.com/containers/buildah/run_freebsd.go

@@ -25,7 +25,6 @@ import (
 	"github.com/containers/common/libnetwork/resolvconf"
 	nettypes "github.com/containers/common/libnetwork/types"
 	"github.com/containers/common/pkg/config"
-	cutil "github.com/containers/common/pkg/util"
 	"github.com/containers/storage/pkg/idtools"
 	"github.com/containers/storage/pkg/lockfile"
 	"github.com/containers/storage/pkg/stringid"
@@ -34,6 +33,7 @@ import (
 	spec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/runtime-tools/generate"
 	"github.com/sirupsen/logrus"
+	"golang.org/x/exp/slices"
 	"golang.org/x/sys/unix"
 )
 
@@ -203,7 +203,7 @@ func (b *Builder) Run(command []string, options RunOptions) error {
 	rootIDPair := &idtools.IDPair{UID: int(rootUID), GID: int(rootGID)}
 
 	hostFile := ""
-	if !options.NoHosts && !cutil.StringInSlice(config.DefaultHostsFile, volumes) && options.ConfigureNetwork != define.NetworkDisabled {
+	if !options.NoHosts && !slices.Contains(volumes, config.DefaultHostsFile) && options.ConfigureNetwork != define.NetworkDisabled {
 		hostFile, err = b.generateHosts(path, rootIDPair, mountPoint, spec)
 		if err != nil {
 			return err
@@ -211,7 +211,7 @@ func (b *Builder) Run(command []string, options RunOptions) error {
 		bindFiles[config.DefaultHostsFile] = hostFile
 	}
 
-	if !cutil.StringInSlice(resolvconf.DefaultResolvConf, volumes) && options.ConfigureNetwork != define.NetworkDisabled && !(len(b.CommonBuildOpts.DNSServers) == 1 && strings.ToLower(b.CommonBuildOpts.DNSServers[0]) == "none") {
+	if !slices.Contains(volumes, resolvconf.DefaultResolvConf) && options.ConfigureNetwork != define.NetworkDisabled && !(len(b.CommonBuildOpts.DNSServers) == 1 && strings.ToLower(b.CommonBuildOpts.DNSServers[0]) == "none") {
 		resolvFile, err := b.addResolvConf(path, rootIDPair, b.CommonBuildOpts.DNSServers, b.CommonBuildOpts.DNSSearch, b.CommonBuildOpts.DNSOptions, nil)
 		if err != nil {
 			return err

vendor/github.com/containers/buildah/run_linux.go

@@ -35,7 +35,6 @@ import (
 	"github.com/containers/common/pkg/config"
 	"github.com/containers/common/pkg/hooks"
 	hooksExec "github.com/containers/common/pkg/hooks/exec"
-	cutil "github.com/containers/common/pkg/util"
 	"github.com/containers/storage/pkg/idtools"
 	"github.com/containers/storage/pkg/ioutils"
 	"github.com/containers/storage/pkg/lockfile"
@@ -45,6 +44,7 @@ import (
 	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/runtime-tools/generate"
 	"github.com/sirupsen/logrus"
+	"golang.org/x/exp/slices"
 	"golang.org/x/sys/unix"
 )
 
@@ -261,7 +261,7 @@ func (b *Builder) Run(command []string, options RunOptions) error {
 	rootIDPair := &idtools.IDPair{UID: int(rootUID), GID: int(rootGID)}
 
 	hostFile := ""
-	if !options.NoHosts && !cutil.StringInSlice(config.DefaultHostsFile, volumes) && options.ConfigureNetwork != define.NetworkDisabled {
+	if !options.NoHosts && !slices.Contains(volumes, config.DefaultHostsFile) && options.ConfigureNetwork != define.NetworkDisabled {
 		hostFile, err = b.generateHosts(path, rootIDPair, mountPoint, spec)
 		if err != nil {
 			return err
@@ -269,7 +269,7 @@ func (b *Builder) Run(command []string, options RunOptions) error {
 		bindFiles[config.DefaultHostsFile] = hostFile
 	}
 
-	if !options.NoHostname && !(cutil.StringInSlice("/etc/hostname", volumes)) {
+	if !options.NoHostname && !(slices.Contains(volumes, "/etc/hostname")) {
 		hostFile, err := b.generateHostname(path, spec.Hostname, rootIDPair)
 		if err != nil {
 			return err
@@ -278,7 +278,7 @@ func (b *Builder) Run(command []string, options RunOptions) error {
 		bindFiles["/etc/hostname"] = hostFile
 	}
 
-	if !cutil.StringInSlice(resolvconf.DefaultResolvConf, volumes) && options.ConfigureNetwork != define.NetworkDisabled && !(len(b.CommonBuildOpts.DNSServers) == 1 && strings.ToLower(b.CommonBuildOpts.DNSServers[0]) == "none") {
+	if !slices.Contains(volumes, resolvconf.DefaultResolvConf) && options.ConfigureNetwork != define.NetworkDisabled && !(len(b.CommonBuildOpts.DNSServers) == 1 && strings.ToLower(b.CommonBuildOpts.DNSServers[0]) == "none") {
 		resolvFile, err := b.addResolvConf(path, rootIDPair, b.CommonBuildOpts.DNSServers, b.CommonBuildOpts.DNSSearch, b.CommonBuildOpts.DNSOptions, spec.Linux.Namespaces)
 		if err != nil {
 			return err
@@ -854,6 +854,9 @@ func addRlimits(ulimit []string, g *generate.Generator, defaultUlimits []string)
 	var (
 		ul  *units.Ulimit
 		err error
+		// setup rlimits
+		nofileSet bool
+		nprocSet  bool
 	)
 
 	ulimit = append(defaultUlimits, ulimit...)
@@ -862,8 +865,39 @@ func addRlimits(ulimit []string, g *generate.Generator, defaultUlimits []string)
 			return fmt.Errorf("ulimit option %q requires name=SOFT:HARD, failed to be parsed: %w", u, err)
 		}
 
+		if strings.ToUpper(ul.Name) == "NOFILE" {
+			nofileSet = true
+		}
+		if strings.ToUpper(ul.Name) == "NPROC" {
+			nprocSet = true
+		}
 		g.AddProcessRlimits("RLIMIT_"+strings.ToUpper(ul.Name), uint64(ul.Hard), uint64(ul.Soft))
 	}
+	if !nofileSet {
+		max := define.RLimitDefaultValue
+		var rlimit unix.Rlimit
+		if err := unix.Getrlimit(unix.RLIMIT_NOFILE, &rlimit); err == nil {
+			if max < rlimit.Max || unshare.IsRootless() {
+				max = rlimit.Max
+			}
+		} else {
+			logrus.Warnf("Failed to return RLIMIT_NOFILE ulimit %q", err)
+		}
+		g.AddProcessRlimits("RLIMIT_NOFILE", max, max)
+	}
+	if !nprocSet {
+		max := define.RLimitDefaultValue
+		var rlimit unix.Rlimit
+		if err := unix.Getrlimit(unix.RLIMIT_NPROC, &rlimit); err == nil {
+			if max < rlimit.Max || unshare.IsRootless() {
+				max = rlimit.Max
+			}
+		} else {
+			logrus.Warnf("Failed to return RLIMIT_NPROC ulimit %q", err)
+		}
+		g.AddProcessRlimits("RLIMIT_NPROC", max, max)
+	}
+
 	return nil
 }
 

vendor/github.com/containers/buildah/scan.go

@@ -10,10 +10,10 @@ import (
 
 	"github.com/containers/buildah/define"
 	"github.com/containers/buildah/internal/sbom"
-	"github.com/containers/common/pkg/util"
 	"github.com/mattn/go-shellwords"
 	rspec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/sirupsen/logrus"
+	"golang.org/x/exp/slices"
 )
 
 func stringSliceReplaceAll(slice []string, replacements map[string]string, important []string) (built []string, replacedAnImportantValue bool) {
@@ -23,7 +23,7 @@ func stringSliceReplaceAll(slice []string, replacements map[string]string, impor
 		for from, to := range replacements {
 			previous := element
 			if element = strings.ReplaceAll(previous, from, to); element != previous {
-				if len(important) == 0 || util.StringInSlice(from, important) {
+				if len(important) == 0 || slices.Contains(important, from) {
 					replacedAnImportantValue = true
 				}
 			}

vendor/github.com/containers/buildah/util/util.go

@@ -15,7 +15,6 @@ import (
 	"github.com/containers/buildah/define"
 	"github.com/containers/common/libimage"
 	"github.com/containers/common/pkg/config"
-	"github.com/containers/common/pkg/util"
 	"github.com/containers/image/v5/docker/reference"
 	"github.com/containers/image/v5/pkg/shortnames"
 	"github.com/containers/image/v5/signature"
@@ -26,6 +25,7 @@ import (
 	"github.com/opencontainers/go-digest"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/sirupsen/logrus"
+	"golang.org/x/exp/slices"
 )
 
 const (
@@ -45,9 +45,9 @@ var (
 	}
 )
 
-// StringInSlice is deprecated, use github.com/containers/common/pkg/util.StringInSlice
+// StringInSlice is deprecated, use golang.org/x/exp/slices.Contains
 func StringInSlice(s string, slice []string) bool {
-	return util.StringInSlice(s, slice)
+	return slices.Contains(slice, s)
 }
 
 // resolveName checks if name is a valid image name, and if that name doesn't
@@ -244,7 +244,7 @@ func Runtime() string {
 
 	conf, err := config.Default()
 	if err != nil {
-		logrus.Warnf("Error loading container config when searching for local runtime: %v", err)
+		logrus.Warnf("Error loading default container config when searching for local runtime: %v", err)
 		return define.DefaultRuntime
 	}
 	return conf.Engine.OCIRuntime