[v5.6] Bump Buildah to v1.41.3

Bump Buildah to v1.41.3 in preparation for Podman v5.6.0. This vendoring also
cures a last minute issue in the Buildah build code.

Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>

go.mod

@@ -11,7 +11,7 @@ require (
 	github.com/checkpoint-restore/checkpointctl v1.3.0
 	github.com/checkpoint-restore/go-criu/v7 v7.2.0
 	github.com/containernetworking/plugins v1.7.1
-	github.com/containers/buildah v1.41.1
+	github.com/containers/buildah v1.41.3
 	github.com/containers/common v0.64.1
 	github.com/containers/conmon v2.0.20+incompatible
 	github.com/containers/gvisor-tap-vsock v0.8.6

go.sum

@@ -62,8 +62,8 @@ github.com/containernetworking/cni v1.3.0 h1:v6EpN8RznAZj9765HhXQrtXgX+ECGebEYEm
 github.com/containernetworking/cni v1.3.0/go.mod h1:Bs8glZjjFfGPHMw6hQu82RUgEPNGEaBb9KS5KtNMnJ4=
 github.com/containernetworking/plugins v1.7.1 h1:CNAR0jviDj6FS5Vg85NTgKWLDzZPfi/lj+VJfhMDTIs=
 github.com/containernetworking/plugins v1.7.1/go.mod h1:xuMdjuio+a1oVQsHKjr/mgzuZ24leAsqUYRnzGoXHy0=
-github.com/containers/buildah v1.41.1 h1:WiFZsxLbnPgo00gAX4pVwFa+e3Kypx0IoC9ubFMlQDs=
-github.com/containers/buildah v1.41.1/go.mod h1:vVIYC6f5gbPNfhprdMZh9lkOJzzM7lta0romUtBFSw0=
+github.com/containers/buildah v1.41.3 h1:L6wyRXGR+Cejx+/LMsEryi1JmuwbAICZEje+tQ7ihMs=
+github.com/containers/buildah v1.41.3/go.mod h1:vVIYC6f5gbPNfhprdMZh9lkOJzzM7lta0romUtBFSw0=
 github.com/containers/common v0.64.1 h1:E8vSiL+B84/UCsyVSb70GoxY9cu+0bseLujm4EKF6GE=
 github.com/containers/common v0.64.1/go.mod h1:CtfQNHoCAZqWeXMwdShcsxmMJSeGRgKKMqAwRKmWrHE=
 github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=

vendor/github.com/containers/buildah/CHANGELOG.md

@@ -2,6 +2,19 @@
 
 # Changelog
 
+## v1.41.3 (2025-08-14)
+
+    Commit: don't depend on MountImage(), because .imagestore
+
+## v1.41.2 (2025-08-13)
+
+    Rework how we decide what to filter out of layer diffs
+    Note that we have to build `true` first for the sake of its tests
+    copier.Stat(): return owner UID and GID if available
+    copier.Get(): ensure that directory entries end in "/"
+    copier.Get(): strip user and group names from entries
+    imagebuildah.Executor/StageExecutor: check numeric --from= values
+
 ## v1.41.1 (2025-08-06)
 
     [release-1.41] Bump Buildah to v1.41.1

vendor/github.com/containers/buildah/changelog.txt

@@ -1,3 +1,14 @@
+- Changelog for v1.41.3 (2025-08-14)
+  * Commit: don't depend on MountImage(), because .imagestore
+
+- Changelog for v1.41.2 (2025-08-13)
+  * Rework how we decide what to filter out of layer diffs
+  * Note that we have to build `true` first for the sake of its tests
+  * copier.Stat(): return owner UID and GID if available
+  * copier.Get(): ensure that directory entries end in "/"
+  * copier.Get(): strip user and group names from entries
+  * imagebuildah.Executor/StageExecutor: check numeric --from= values
+
 - Changelog for v1.41.1 (2025-08-06)
   * [release-1.41] Bump Buildah to v1.41.1
   * [release-1.41] Bump c/* projects and Buildah to v1.41.1

vendor/github.com/containers/buildah/copier/copier.go

@@ -201,7 +201,7 @@ func (req *request) UIDMap() []idtools.IDMap {
 	case requestEval:
 		return nil
 	case requestStat:
-		return nil
+		return req.StatOptions.UIDMap
 	case requestGet:
 		return req.GetOptions.UIDMap
 	case requestPut:
@@ -226,7 +226,7 @@ func (req *request) GIDMap() []idtools.IDMap {
 	case requestEval:
 		return nil
 	case requestStat:
-		return nil
+		return req.StatOptions.GIDMap
 	case requestGet:
 		return req.GetOptions.GIDMap
 	case requestPut:
@@ -284,6 +284,7 @@ type StatForItem struct {
 	Size            int64       // dereferenced value for symlinks
 	Mode            os.FileMode // dereferenced value for symlinks
 	ModTime         time.Time   // dereferenced value for symlinks
+	UID, GID        int64       // usually in the uint32 range, set to -1 if unknown
 	IsSymlink       bool
 	IsDir           bool   // dereferenced value for symlinks
 	IsRegular       bool   // dereferenced value for symlinks
@@ -342,8 +343,9 @@ func Eval(root string, directory string, _ EvalOptions) (string, error) {
 
 // StatOptions controls parts of Stat()'s behavior.
 type StatOptions struct {
-	CheckForArchives bool     // check for and populate the IsArchive bit in returned values
-	Excludes         []string // contents to pretend don't exist, using the OS-specific path separator
+	UIDMap, GIDMap   []idtools.IDMap // map from hostIDs to containerIDs when returning results
+	CheckForArchives bool            // check for and populate the IsArchive bit in returned values
+	Excludes         []string        // contents to pretend don't exist, using the OS-specific path separator
 }
 
 // Stat globs the specified pattern in the specified directory and returns its
@@ -975,7 +977,7 @@ func copierHandler(bulkReader io.Reader, bulkWriter io.Writer, req request) (*re
 		resp := copierHandlerEval(req)
 		return resp, nil, nil
 	case requestStat:
-		resp := copierHandlerStat(req, pm)
+		resp := copierHandlerStat(req, pm, idMappings)
 		return resp, nil, nil
 	case requestGet:
 		return copierHandlerGet(bulkWriter, req, pm, idMappings)
@@ -1102,7 +1104,7 @@ func copierHandlerEval(req request) *response {
 	return &response{Eval: evalResponse{Evaluated: filepath.Join(req.rootPrefix, resolvedTarget)}}
 }
 
-func copierHandlerStat(req request, pm *fileutils.PatternMatcher) *response {
+func copierHandlerStat(req request, pm *fileutils.PatternMatcher, idMappings *idtools.IDMappings) *response {
 	errorResponse := func(fmtspec string, args ...any) *response {
 		return &response{Error: fmt.Sprintf(fmtspec, args...), Stat: statResponse{}}
 	}
@@ -1160,6 +1162,17 @@ func copierHandlerStat(req request, pm *fileutils.PatternMatcher) *response {
 			}
 			result.Size = linfo.Size()
 			result.Mode = linfo.Mode()
+			result.UID, result.GID = -1, -1
+			if uid, gid, err := owner(linfo); err == nil {
+				if idMappings != nil && !idMappings.Empty() {
+					hostPair := idtools.IDPair{UID: uid, GID: gid}
+					uid, gid, err = idMappings.ToContainer(hostPair)
+					if err != nil {
+						return errorResponse("copier: stat: mapping host filesystem owners %#v to container filesystem owners: %w", hostPair, err)
+					}
+				}
+				result.UID, result.GID = int64(uid), int64(gid)
+			}
 			result.ModTime = linfo.ModTime()
 			result.IsDir = linfo.IsDir()
 			result.IsRegular = result.Mode.IsRegular()
@@ -1272,7 +1285,7 @@ func checkLinks(item string, req request, info os.FileInfo) (string, os.FileInfo
 func copierHandlerGet(bulkWriter io.Writer, req request, pm *fileutils.PatternMatcher, idMappings *idtools.IDMappings) (*response, func() error, error) {
 	statRequest := req
 	statRequest.Request = requestStat
-	statResponse := copierHandlerStat(req, pm)
+	statResponse := copierHandlerStat(req, pm, idMappings)
 	errorResponse := func(fmtspec string, args ...any) (*response, func() error, error) {
 		return &response{Error: fmt.Sprintf(fmtspec, args...), Stat: statResponse.Stat, Get: getResponse{}}, nil, nil
 	}
@@ -1591,6 +1604,7 @@ func copierHandlerGetOne(srcfi os.FileInfo, symlinkTarget, name, contentPath str
 	if name != "" {
 		hdr.Name = filepath.ToSlash(name)
 	}
+	hdr.Uname, hdr.Gname = "", ""
 	if options.Rename != nil {
 		hdr.Name = handleRename(options.Rename, hdr.Name)
 	}
@@ -1698,6 +1712,9 @@ func copierHandlerGetOne(srcfi os.FileInfo, symlinkTarget, name, contentPath str
 		if options.ChmodDirs != nil {
 			hdr.Mode = int64(*options.ChmodDirs)
 		}
+		if !strings.HasSuffix(hdr.Name, "/") {
+			hdr.Name += "/"
+		}
 	} else {
 		if options.ChownFiles != nil {
 			hdr.Uid, hdr.Gid = options.ChownFiles.UID, options.ChownFiles.GID
@@ -2266,7 +2283,7 @@ type EnsurePath struct {
 
 // EnsureOptions controls parts of Ensure()'s behavior.
 type EnsureOptions struct {
-	UIDMap, GIDMap []idtools.IDMap // map from hostIDs to containerIDs in the chroot
+	UIDMap, GIDMap []idtools.IDMap // map from containerIDs to hostIDs in the chroot
 	Paths          []EnsurePath
 }
 
@@ -2433,7 +2450,7 @@ type ConditionalRemovePath struct {
 
 // ConditionalRemoveOptions controls parts of ConditionalRemove()'s behavior.
 type ConditionalRemoveOptions struct {
-	UIDMap, GIDMap []idtools.IDMap // map from hostIDs to containerIDs in the chroot
+	UIDMap, GIDMap []idtools.IDMap // map from containerIDs to hostIDs in the chroot
 	Paths          []ConditionalRemovePath
 }
 

vendor/github.com/containers/buildah/define/types.go

@@ -29,7 +29,7 @@ const (
 	// identify working containers.
 	Package = "buildah"
 	// Version for the Package. Also used by .packit.sh for Packit builds.
-	Version = "1.41.1"
+	Version = "1.41.3"
 
 	// DefaultRuntime if containers.conf fails.
 	DefaultRuntime = "runc"

vendor/github.com/containers/buildah/image.go

@@ -107,6 +107,8 @@ type containerImageRef struct {
 	extraImageContent     map[string]string
 	compatSetParent       types.OptionalBool
 	layerExclusions       []copier.ConditionalRemovePath
+	layerMountTargets     []copier.ConditionalRemovePath
+	layerPullUps          []copier.EnsureParentPath
 	unsetAnnotations      []string
 	setAnnotations        []string
 	createdAnnotation     types.OptionalBool
@@ -784,7 +786,73 @@ func (mb *ociManifestBuilder) manifestAndConfig() ([]byte, []byte, error) {
 	return omanifestbytes, oconfig, nil
 }
 
-func (i *containerImageRef) NewImageSource(_ context.Context, _ *types.SystemContext) (src types.ImageSource, err error) {
+// filterExclusionsByImage returns a slice of the members of "exclusions" which are present in the image with the specified ID
+func (i containerImageRef) filterExclusionsByImage(ctx context.Context, exclusions []copier.EnsureParentPath, imageID string) ([]copier.EnsureParentPath, error) {
+	if len(exclusions) == 0 || imageID == "" {
+		return nil, nil
+	}
+	var paths []copier.EnsureParentPath
+	mountPoint, err := i.store.MountImage(imageID, nil, i.mountLabel)
+	cleanup := func() {
+		if _, err := i.store.UnmountImage(imageID, false); err != nil {
+			logrus.Debugf("unmounting image %q: %v", imageID, err)
+		}
+	}
+	if err != nil && errors.Is(err, storage.ErrLayerUnknown) {
+		// if an imagestore is being used, this could be expected
+		if b, err2 := NewBuilder(ctx, i.store, BuilderOptions{
+			FromImage:       imageID,
+			PullPolicy:      define.PullNever,
+			ContainerSuffix: "tmp",
+		}); err2 == nil {
+			mountPoint, err = b.Mount(i.mountLabel)
+			cleanup = func() {
+				cid := b.ContainerID
+				if err := b.Delete(); err != nil {
+					logrus.Debugf("unmounting image %q as container %q: %v", imageID, cid, err)
+				}
+			}
+		}
+	}
+	if err != nil {
+		return nil, fmt.Errorf("mounting image %q to examine its contents: %w", imageID, err)
+	}
+	defer cleanup()
+	globs := make([]string, 0, len(exclusions))
+	for _, exclusion := range exclusions {
+		globs = append(globs, exclusion.Path)
+	}
+	options := copier.StatOptions{}
+	stats, err := copier.Stat(mountPoint, mountPoint, options, globs)
+	if err != nil {
+		return nil, fmt.Errorf("checking for potential exclusion items in image %q: %w", imageID, err)
+	}
+	for _, stat := range stats {
+		for _, exclusion := range exclusions {
+			if stat.Glob != exclusion.Path {
+				continue
+			}
+			for result, stat := range stat.Results {
+				if result != exclusion.Path {
+					continue
+				}
+				if exclusion.ModTime != nil && !exclusion.ModTime.Equal(stat.ModTime) {
+					continue
+				}
+				if exclusion.Mode != nil && *exclusion.Mode != stat.Mode {
+					continue
+				}
+				if exclusion.Owner != nil && (int64(exclusion.Owner.UID) != stat.UID && int64(exclusion.Owner.GID) != stat.GID) {
+					continue
+				}
+				paths = append(paths, exclusion)
+			}
+		}
+	}
+	return paths, nil
+}
+
+func (i *containerImageRef) NewImageSource(ctx context.Context, _ *types.SystemContext) (src types.ImageSource, err error) {
 	// These maps will let us check if a layer ID is part of one group or another.
 	parentLayerIDs := make(map[string]bool)
 	apiLayerIDs := make(map[string]bool)
@@ -948,6 +1016,7 @@ func (i *containerImageRef) NewImageSource(_ context.Context, _ *types.SystemCon
 		}
 		var rc io.ReadCloser
 		var errChan chan error
+		var layerExclusions []copier.ConditionalRemovePath
 		if i.confidentialWorkload.Convert {
 			// Convert the root filesystem into an encrypted disk image.
 			rc, err = i.extractConfidentialWorkloadFS(i.confidentialWorkload)
@@ -980,6 +1049,18 @@ func (i *containerImageRef) NewImageSource(_ context.Context, _ *types.SystemCon
 				if i.emptyLayer && layerID == i.layerID {
 					continue
 				}
+				if layerID == i.layerID {
+					// We need to filter out any mount targets that we created.
+					layerExclusions = append(slices.Clone(i.layerExclusions), i.layerMountTargets...)
+					// And we _might_ need to filter out directories that modified
+					// by creating and removing mount targets, _if_ they were the
+					// same in the base image for this stage.
+					layerPullUps, err := i.filterExclusionsByImage(ctx, i.layerPullUps, i.fromImageID)
+					if err != nil {
+						return nil, fmt.Errorf("checking which exclusions are in base image %q: %w", i.fromImageID, err)
+					}
+					layerExclusions = append(layerExclusions, layerPullUps...)
+				}
 				// Extract this layer, one of possibly many.
 				rc, err = i.store.Diff("", layerID, diffOptions)
 				if err != nil {
@@ -1002,7 +1083,7 @@ func (i *containerImageRef) NewImageSource(_ context.Context, _ *types.SystemCon
 		// At this point, there are multiple ways that can happen.
 		diffBeingAltered := i.compression != archive.Uncompressed
 		diffBeingAltered = diffBeingAltered || i.layerModTime != nil || i.layerLatestModTime != nil
-		diffBeingAltered = diffBeingAltered || len(i.layerExclusions) != 0
+		diffBeingAltered = diffBeingAltered || len(layerExclusions) != 0
 		if diffBeingAltered {
 			destHasher = digest.Canonical.Digester()
 			multiWriter = io.MultiWriter(counter, destHasher.Hash())
@@ -1022,7 +1103,7 @@ func (i *containerImageRef) NewImageSource(_ context.Context, _ *types.SystemCon
 		// Use specified timestamps in the layer, if we're doing that for history
 		// entries.
 		nestedWriteCloser := ioutils.NewWriteCloserWrapper(writer, writeCloser.Close)
-		writeCloser = makeFilteredLayerWriteCloser(nestedWriteCloser, i.layerModTime, i.layerLatestModTime, i.layerExclusions)
+		writeCloser = makeFilteredLayerWriteCloser(nestedWriteCloser, i.layerModTime, i.layerLatestModTime, layerExclusions)
 		writer = writeCloser
 		// Okay, copy from the raw diff through the filter, compressor, and counter and
 		// digesters.
@@ -1443,6 +1524,24 @@ func (b *Builder) makeContainerImageRef(options CommitOptions) (*containerImageR
 		return nil, fmt.Errorf("getting the per-container data directory for %q: %w", b.ContainerID, err)
 	}
 
+	gatherExclusions := func(excludesFiles []string) ([]copier.ConditionalRemovePath, error) {
+		var excludes []copier.ConditionalRemovePath
+		for _, excludesFile := range excludesFiles {
+			if strings.Contains(excludesFile, containerExcludesSubstring) {
+				continue
+			}
+			excludesData, err := os.ReadFile(excludesFile)
+			if err != nil {
+				return nil, fmt.Errorf("reading commit exclusions for %q: %w", b.ContainerID, err)
+			}
+			var theseExcludes []copier.ConditionalRemovePath
+			if err := json.Unmarshal(excludesData, &theseExcludes); err != nil {
+				return nil, fmt.Errorf("parsing commit exclusions for %q: %w", b.ContainerID, err)
+			}
+			excludes = append(excludes, theseExcludes...)
+		}
+		return excludes, nil
+	}
 	mountTargetFiles, err := filepath.Glob(filepath.Join(cdir, containerExcludesDir, "*"))
 	if err != nil {
 		return nil, fmt.Errorf("checking for commit exclusions for %q: %w", b.ContainerID, err)
@@ -1451,29 +1550,27 @@ func (b *Builder) makeContainerImageRef(options CommitOptions) (*containerImageR
 	if err != nil {
 		return nil, fmt.Errorf("checking for commit pulled-up items for %q: %w", b.ContainerID, err)
 	}
-	excludesFiles := slices.Clone(mountTargetFiles)
-	if !options.ConfidentialWorkloadOptions.Convert && !options.Squash {
-		excludesFiles = append(excludesFiles, pulledUpFiles...)
+	layerMountTargets, err := gatherExclusions(mountTargetFiles)
+	if err != nil {
+		return nil, err
+	}
+	if len(layerMountTargets) > 0 {
+		logrus.Debugf("these items were created for use as mount targets: %#v", layerMountTargets)
+	}
+	layerPullUps, err := gatherExclusions(pulledUpFiles)
+	if err != nil {
+		return nil, err
+	}
+	if len(layerPullUps) > 0 {
+		logrus.Debugf("these items appear to have been pulled up: %#v", layerPullUps)
 	}
 	var layerExclusions []copier.ConditionalRemovePath
-	for _, excludesFile := range excludesFiles {
-		if strings.Contains(excludesFile, containerExcludesSubstring) {
-			continue
-		}
-		excludesData, err := os.ReadFile(excludesFile)
-		if err != nil {
-			return nil, fmt.Errorf("reading commit exclusions for %q: %w", b.ContainerID, err)
-		}
-		var excludes []copier.ConditionalRemovePath
-		if err := json.Unmarshal(excludesData, &excludes); err != nil {
-			return nil, fmt.Errorf("parsing commit exclusions for %q: %w", b.ContainerID, err)
-		}
-		layerExclusions = append(layerExclusions, excludes...)
-	}
 	if options.CompatLayerOmissions == types.OptionalBoolTrue {
-		layerExclusions = append(layerExclusions, compatLayerExclusions...)
+		layerExclusions = slices.Clone(compatLayerExclusions)
+	}
+	if len(layerExclusions) > 0 {
+		logrus.Debugf("excluding these items from committed layer: %#v", layerExclusions)
 	}
-	logrus.Debugf("excluding these items from committed layer: %#v", layerExclusions)
 
 	manifestType := options.PreferredManifestType
 	if manifestType == "" {
@@ -1577,6 +1674,8 @@ func (b *Builder) makeContainerImageRef(options CommitOptions) (*containerImageR
 		extraImageContent:     maps.Clone(options.ExtraImageContent),
 		compatSetParent:       options.CompatSetParent,
 		layerExclusions:       layerExclusions,
+		layerMountTargets:     layerMountTargets,
+		layerPullUps:          layerPullUps,
 		createdAnnotation:     options.CreatedAnnotation,
 	}
 	if ref.created != nil {

vendor/github.com/containers/buildah/imagebuildah/executor.go

@@ -862,7 +862,7 @@ func (b *Executor) Build(ctx context.Context, stages imagebuilder.Stages) (image
 							logrus.Debugf("stage %d name: %q resolves to %q", stageIndex, stageName, baseWithArg)
 							stageName = baseWithArg
 							// If --from=<index> convert index to name
-							if index, err := strconv.Atoi(stageName); err == nil {
+							if index, err := strconv.Atoi(stageName); err == nil && index >= 0 && index < stageIndex {
 								stageName = stages[index].Name
 							}
 							// Check if selected base is not an additional

vendor/github.com/containers/buildah/imagebuildah/stage_executor.go

@@ -467,7 +467,7 @@ func (s *StageExecutor) performCopy(excludes []string, copies ...imagebuilder.Co
 				// exists and if stage short_name matches any
 				// additionalContext replace stage with additional
 				// build context.
-				if index, err := strconv.Atoi(from); err == nil {
+				if index, err := strconv.Atoi(from); err == nil && index >= 0 && index < s.index {
 					from = s.stages[index].Name
 				}
 				if foundContext, ok := s.executor.additionalBuildContexts[from]; ok {
@@ -1395,7 +1395,7 @@ func (s *StageExecutor) Execute(ctx context.Context, base string) (imgID string,
 				// also account if the index is given instead
 				// of name so convert index in --from=<index>
 				// to name.
-				if index, err := strconv.Atoi(from); err == nil {
+				if index, err := strconv.Atoi(from); err == nil && index >= 0 && index < s.index {
 					from = s.stages[index].Name
 				}
 				// If additional buildContext contains this

vendor/modules.txt

@@ -108,7 +108,7 @@ github.com/containernetworking/cni/pkg/version
 # github.com/containernetworking/plugins v1.7.1
 ## explicit; go 1.23.0
 github.com/containernetworking/plugins/pkg/ns
-# github.com/containers/buildah v1.41.1
+# github.com/containers/buildah v1.41.3
 ## explicit; go 1.23.3
 github.com/containers/buildah
 github.com/containers/buildah/bind