vendor: update containers/{common,storage,image,buildah}

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

vendor/github.com/containers/buildah/.cirrus.yml

@@ -120,7 +120,7 @@ vendor_task:
 
     # Runs within Cirrus's "community cluster"
     container:
-        image: docker.io/library/golang:1.20
+        image: docker.io/library/golang:latest
         cpu: 1
         memory: 1
 

vendor/github.com/containers/buildah/Makefile

@@ -73,17 +73,16 @@ bin/buildah: $(SOURCES) cmd/buildah/*.go internal/mkcw/embed/entrypoint.gz
 	$(GO_BUILD) $(BUILDAH_LDFLAGS) $(GO_GCFLAGS) "$(GOGCFLAGS)" -o $@ $(BUILDFLAGS) ./cmd/buildah
 
 ifneq ($(shell as --version | grep x86_64),)
+internal/mkcw/embed/entrypoint.gz: internal/mkcw/embed/entrypoint
+	$(RM) $@
+	gzip -k $^
+
 internal/mkcw/embed/entrypoint: internal/mkcw/embed/entrypoint.s
 	$(AS) -o $(patsubst %.s,%.o,$^) $^
 	$(LD) -o $@ $(patsubst %.s,%.o,$^)
 	strip $@
-else
-.PHONY: internal/mkcw/embed/entrypoint
 endif
 
-internal/mkcw/embed/entrypoint.gz: internal/mkcw/embed/entrypoint
-	$(RM) $@
-	gzip -k $^
 
 .PHONY: buildah
 buildah: bin/buildah

vendor/github.com/containers/buildah/define/types.go

@@ -29,7 +29,7 @@ const (
 	// identify working containers.
 	Package = "buildah"
 	// Version for the Package. Also used by .packit.sh for Packit builds.
-	Version = "1.33.1"
+	Version = "1.33.2-dev"
 
 	// DefaultRuntime if containers.conf fails.
 	DefaultRuntime = "runc"

vendor/github.com/containers/buildah/import.go

@@ -22,7 +22,7 @@ func importBuilderDataFromImage(ctx context.Context, store storage.Store, system
 		return nil, errors.New("Internal error: imageID is empty in importBuilderDataFromImage")
 	}
 
-	storeopts, err := storage.DefaultStoreOptions(false, 0)
+	storeopts, err := storage.DefaultStoreOptions()
 	if err != nil {
 		return nil, err
 	}

vendor/github.com/containers/buildah/pkg/jail/jail.go

@@ -4,10 +4,13 @@
 package jail
 
 import (
+	"strconv"
 	"strings"
+	"sync"
 	"syscall"
 	"unsafe"
 
+	"github.com/containers/buildah/pkg/util"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
 )
@@ -28,6 +31,11 @@ type config struct {
 	params map[string]interface{}
 }
 
+var (
+	needVnetJailOnce sync.Once
+	needVnetJail     bool
+)
+
 func NewConfig() *config {
 	return &config{
 		params: make(map[string]interface{}),
@@ -178,3 +186,47 @@ func (j *jail) Set(jconf *config) error {
 	_, err := jailSet(jconf, JAIL_UPDATE)
 	return err
 }
+
+// Return true if its necessary to have a separate jail to own the vnet.  For
+// FreeBSD 13.3 and later, we don't need a separate vnet jail since it is
+// possible to configure the network without either attaching to the container's
+// jail or trusting the ifconfig and route utilities in the container. If for
+// any reason, we fail to parse the OS version, we default to returning true.
+func NeedVnetJail() bool {
+	needVnetJailOnce.Do(func() {
+		needVnetJail = true
+		version, err := util.ReadKernelVersion()
+		if err != nil {
+			logrus.Errorf("failed to determine OS version: %v", err)
+			return
+		}
+		// Expected formats "<major>.<minor>-<RELEASE|STABLE|CURRENT>" optionally
+		// followed by "-<patchlevel>"
+		parts := strings.Split(string(version), "-")
+		if len(parts) < 2 {
+			logrus.Errorf("unexpected OS version: %s", version)
+			return
+		}
+		ver := strings.Split(parts[0], ".")
+		if len(parts) != 2 {
+			logrus.Errorf("unexpected OS version: %s", version)
+			return
+		}
+
+		// FreeBSD 13.3 and later have support for 'ifconfig -j' and 'route -j'
+		major, err := strconv.Atoi(ver[0])
+		if err != nil {
+			logrus.Errorf("unexpected OS version: %s", version)
+			return
+		}
+		minor, err := strconv.Atoi(ver[1])
+		if err != nil {
+			logrus.Errorf("unexpected OS version: %s", version)
+			return
+		}
+		if major > 13 || (major == 13 && minor > 2) {
+			needVnetJail = false
+		}
+	})
+	return needVnetJail
+}

vendor/github.com/containers/buildah/run_freebsd.go

@@ -156,7 +156,11 @@ func (b *Builder) Run(command []string, options RunOptions) error {
 
 	containerName := Package + "-" + filepath.Base(path)
 	if configureNetwork {
-		g.AddAnnotation("org.freebsd.parentJail", containerName+"-vnet")
+		if jail.NeedVnetJail() {
+			g.AddAnnotation("org.freebsd.parentJail", containerName+"-vnet")
+		} else {
+			g.AddAnnotation("org.freebsd.jail.vnet", "new")
+		}
 	}
 
 	homeDir, err := b.configureUIDGID(g, mountPoint, options)
@@ -247,9 +251,11 @@ func (b *Builder) Run(command []string, options RunOptions) error {
 
 	defer b.cleanupTempVolumes()
 
-	// If we are creating a network, make the vnet here so that we
-	// can execute the OCI runtime inside it.
-	if configureNetwork {
+	// If we are creating a network, make the vnet here so that we can
+	// execute the OCI runtime inside it. For FreeBSD-13.3 and later, we can
+	// configure the container network settings from outside the jail, which
+	// removes the need for a separate jail to manage the vnet.
+	if configureNetwork && jail.NeedVnetJail() {
 		mynetns := containerName + "-vnet"
 
 		jconf := jail.NewConfig()
@@ -426,7 +432,12 @@ func (b *Builder) runConfigureNetwork(pid int, isolation define.Isolation, optio
 	}
 	logrus.Debugf("configureNetworks: %v", configureNetworks)
 
-	mynetns := containerName + "-vnet"
+	var mynetns string
+	if jail.NeedVnetJail() {
+		mynetns = containerName + "-vnet"
+	} else {
+		mynetns = containerName
+	}
 
 	networks := make(map[string]nettypes.PerNetworkOptions, len(configureNetworks))
 	for i, network := range configureNetworks {

vendor/github.com/containers/common/libimage/inspect.go

@@ -180,22 +180,26 @@ func (i *Image) Inspect(ctx context.Context, options *InspectOptions) (*ImageDat
 		}
 
 	// Docker image
-	case manifest.DockerV2Schema1MediaType, manifest.DockerV2Schema2MediaType:
+	case manifest.DockerV2Schema2MediaType:
 		rawConfig, err := i.rawConfigBlob(ctx)
 		if err != nil {
 			return nil, err
 		}
-		var dockerManifest manifest.Schema2V1Image
-		if err := json.Unmarshal(rawConfig, &dockerManifest); err != nil {
+		var dockerConfig manifest.Schema2V1Image
+		if err := json.Unmarshal(rawConfig, &dockerConfig); err != nil {
 			return nil, err
 		}
-		data.Comment = dockerManifest.Comment
+		data.Comment = dockerConfig.Comment
 		// NOTE: Health checks may be listed in the container config or
 		// the config.
-		data.HealthCheck = dockerManifest.ContainerConfig.Healthcheck
-		if data.HealthCheck == nil && dockerManifest.Config != nil {
-			data.HealthCheck = dockerManifest.Config.Healthcheck
+		data.HealthCheck = dockerConfig.ContainerConfig.Healthcheck
+		if data.HealthCheck == nil && dockerConfig.Config != nil {
+			data.HealthCheck = dockerConfig.Config.Healthcheck
 		}
+
+	case manifest.DockerV2Schema1MediaType, manifest.DockerV2Schema1SignedMediaType:
+		// There seem to be at least _some_ images with .Healthcheck set in schema1 (possibly just as an artifact
+		// of testing format conversion?), so this could plausibly read these values.
 	}
 
 	if data.Annotations == nil {

vendor/github.com/containers/common/pkg/config/default.go

@@ -13,7 +13,6 @@ import (
 	nettypes "github.com/containers/common/libnetwork/types"
 	"github.com/containers/common/pkg/apparmor"
 	"github.com/containers/common/pkg/cgroupv2"
-	"github.com/containers/common/pkg/util"
 	"github.com/containers/storage/pkg/homedir"
 	"github.com/containers/storage/pkg/unshare"
 	"github.com/containers/storage/types"
@@ -196,7 +195,9 @@ func defaultConfig() (*Config, error) {
 	}
 
 	defaultEngineConfig.SignaturePolicyPath = DefaultSignaturePolicyPath
-	if useUserConfigLocations() {
+	// NOTE: For now we want Windows to use system locations.
+	// GetRootlessUID == -1 on Windows, so exclude negative range
+	if unshare.GetRootlessUID() > 0 {
 		configHome, err := homedir.GetConfigHome()
 		if err != nil {
 			return nil, err
@@ -320,7 +321,7 @@ func defaultEngineConfig() (*EngineConfig, error) {
 			return nil, err
 		}
 	}
-	storeOpts, err := types.DefaultStoreOptions(useUserConfigLocations(), unshare.GetRootlessUID())
+	storeOpts, err := types.DefaultStoreOptions()
 	if err != nil {
 		return nil, err
 	}
@@ -480,11 +481,14 @@ func defaultEngineConfig() (*EngineConfig, error) {
 }
 
 func defaultTmpDir() (string, error) {
-	if !useUserConfigLocations() {
+	// NOTE: For now we want Windows to use system locations.
+	// GetRootlessUID == -1 on Windows, so exclude negative range
+	rootless := unshare.GetRootlessUID() > 0
+	if !rootless {
 		return getLibpodTmpDir(), nil
 	}
 
-	runtimeDir, err := util.GetRuntimeDir()
+	runtimeDir, err := homedir.GetRuntimeDir()
 	if err != nil {
 		return "", err
 	}
@@ -669,12 +673,6 @@ func getDefaultSSHConfig() string {
 	return filepath.Join(dirname, ".ssh", "config")
 }
 
-func useUserConfigLocations() bool {
-	// NOTE: For now we want Windows to use system locations.
-	// GetRootlessUID == -1 on Windows, so exclude negative range
-	return unshare.GetRootlessUID() > 0
-}
-
 // getDefaultImage returns the default machine image stream
 // On Windows this refers to the Fedora major release number
 func getDefaultMachineImage() string {

vendor/github.com/containers/common/pkg/netns/netns_linux.go

@@ -30,7 +30,7 @@ import (
 	"sync"
 
 	"github.com/containernetworking/plugins/pkg/ns"
-	"github.com/containers/common/pkg/util"
+	"github.com/containers/storage/pkg/homedir"
 	"github.com/containers/storage/pkg/unshare"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
@@ -40,7 +40,7 @@ import (
 // rootless, it needs to be at a location writable by user.
 func GetNSRunDir() (string, error) {
 	if unshare.IsRootless() {
-		rootlessDir, err := util.GetRuntimeDir()
+		rootlessDir, err := homedir.GetRuntimeDir()
 		if err != nil {
 			return "", err
 		}

vendor/github.com/containers/common/pkg/util/util_supported.go

@@ -1,91 +0,0 @@
-//go:build linux || darwin || freebsd
-// +build linux darwin freebsd
-
-package util
-
-import (
-	"errors"
-	"fmt"
-	"os"
-	"path/filepath"
-	"sync"
-	"syscall"
-
-	"github.com/containers/storage/pkg/homedir"
-	"github.com/containers/storage/pkg/unshare"
-	"github.com/sirupsen/logrus"
-)
-
-var (
-	rootlessRuntimeDirOnce sync.Once
-	rootlessRuntimeDir     string
-)
-
-// isWriteableOnlyByOwner checks that the specified permission mask allows write
-// access only to the owner.
-func isWriteableOnlyByOwner(perm os.FileMode) bool {
-	return (perm & 0o722) == 0o700
-}
-
-// GetRuntimeDir returns the runtime directory
-func GetRuntimeDir() (string, error) {
-	var rootlessRuntimeDirError error
-
-	rootlessRuntimeDirOnce.Do(func() {
-		runtimeDir, err := homedir.GetRuntimeDir()
-		if err != nil {
-			logrus.Debug(err)
-		}
-		if runtimeDir != "" {
-			st, err := os.Stat(runtimeDir)
-			if err != nil {
-				rootlessRuntimeDirError = err
-				return
-			}
-			if int(st.Sys().(*syscall.Stat_t).Uid) != os.Geteuid() {
-				rootlessRuntimeDirError = fmt.Errorf("XDG_RUNTIME_DIR directory %q is not owned by the current user", runtimeDir)
-				return
-			}
-		}
-		uid := fmt.Sprintf("%d", unshare.GetRootlessUID())
-		if runtimeDir == "" {
-			tmpDir := filepath.Join("/run", "user", uid)
-			if err := os.MkdirAll(tmpDir, 0o700); err != nil {
-				logrus.Debugf("unable to make temp dir: %v", err)
-			}
-			st, err := os.Stat(tmpDir)
-			if err == nil && int(st.Sys().(*syscall.Stat_t).Uid) == os.Geteuid() && isWriteableOnlyByOwner(st.Mode().Perm()) {
-				runtimeDir = tmpDir
-			}
-		}
-		if runtimeDir == "" {
-			tmpDir := filepath.Join(os.TempDir(), fmt.Sprintf("podman-run-%s", uid))
-			if err := os.MkdirAll(tmpDir, 0o700); err != nil {
-				logrus.Debugf("unable to make temp dir %v", err)
-			}
-			st, err := os.Stat(tmpDir)
-			if err == nil && int(st.Sys().(*syscall.Stat_t).Uid) == os.Geteuid() && isWriteableOnlyByOwner(st.Mode().Perm()) {
-				runtimeDir = tmpDir
-			}
-		}
-		if runtimeDir == "" {
-			home := os.Getenv("HOME")
-			if home == "" {
-				rootlessRuntimeDirError = errors.New("neither XDG_RUNTIME_DIR nor HOME was set non-empty")
-				return
-			}
-			resolvedHome, err := filepath.EvalSymlinks(home)
-			if err != nil {
-				rootlessRuntimeDirError = fmt.Errorf("cannot resolve home: %w", err)
-				return
-			}
-			runtimeDir = filepath.Join(resolvedHome, "rundir")
-		}
-		rootlessRuntimeDir = runtimeDir
-	})
-
-	if rootlessRuntimeDirError != nil {
-		return "", rootlessRuntimeDirError
-	}
-	return rootlessRuntimeDir, nil
-}

vendor/github.com/containers/common/pkg/util/util_windows.go

@@ -1,13 +0,0 @@
-//go:build windows
-// +build windows
-
-package util
-
-import (
-	"errors"
-)
-
-// getRuntimeDir returns the runtime directory
-func GetRuntimeDir() (string, error) {
-	return "", errors.New("this function is not implemented for windows")
-}

vendor/github.com/containers/image/v5/storage/storage_transport.go

@@ -213,7 +213,7 @@ func (s *storageTransport) GetStore() (storage.Store, error) {
 	// Return the transport's previously-set store.  If we don't have one
 	// of those, initialize one now.
 	if s.store == nil {
-		options, err := storage.DefaultStoreOptionsAutoDetectUID()
+		options, err := storage.DefaultStoreOptions()
 		if err != nil {
 			return nil, err
 		}

vendor/github.com/containers/image/v5/version/version.go

@@ -8,10 +8,10 @@ const (
 	// VersionMinor is for functionality in a backwards-compatible manner
 	VersionMinor = 29
 	// VersionPatch is for backwards-compatible bug fixes
-	VersionPatch = 0
+	VersionPatch = 1
 
 	// VersionDev indicates development branch. Releases will be empty string.
-	VersionDev = ""
+	VersionDev = "-dev"
 )
 
 // Version is the specification version that the package types support.

vendor/github.com/containers/storage/.cirrus.yml

@@ -23,7 +23,7 @@ env:
     # GCE project where images live
     IMAGE_PROJECT: "libpod-218412"
     # VM Image built in containers/automation_images
-    IMAGE_SUFFIX: "c20231004t194547z-f39f38d13"
+    IMAGE_SUFFIX: "c20231116t174419z-f39f38d13"
     FEDORA_CACHE_IMAGE_NAME: "fedora-${IMAGE_SUFFIX}"
     DEBIAN_CACHE_IMAGE_NAME: "debian-${IMAGE_SUFFIX}"
 

vendor/github.com/containers/storage/VERSION

@@ -1 +1 @@
-1.51.0
+1.51.1-dev

vendor/github.com/containers/storage/pkg/chunked/storage_linux.go

@@ -254,7 +254,7 @@ func convertTarToZstdChunked(destDirectory string, blobSize int64, iss ImageSour
 
 // GetDiffer returns a differ than can be used with ApplyDiffWithDiffer.
 func GetDiffer(ctx context.Context, store storage.Store, blobSize int64, annotations map[string]string, iss ImageSourceSeekable) (graphdriver.Differ, error) {
-	storeOpts, err := types.DefaultStoreOptionsAutoDetectUID()
+	storeOpts, err := types.DefaultStoreOptions()
 	if err != nil {
 		return nil, err
 	}

vendor/github.com/containers/storage/pkg/homedir/homedir.go

@@ -6,21 +6,6 @@ import (
 	"path/filepath"
 )
 
-// GetConfigHome returns XDG_CONFIG_HOME.
-// GetConfigHome returns $HOME/.config and nil error if XDG_CONFIG_HOME is not set.
-//
-// See also https://standards.freedesktop.org/basedir-spec/latest/ar01s03.html
-func GetConfigHome() (string, error) {
-	if xdgConfigHome := os.Getenv("XDG_CONFIG_HOME"); xdgConfigHome != "" {
-		return xdgConfigHome, nil
-	}
-	home := Get()
-	if home == "" {
-		return "", errors.New("could not get either XDG_CONFIG_HOME or HOME")
-	}
-	return filepath.Join(home, ".config"), nil
-}
-
 // GetDataHome returns XDG_DATA_HOME.
 // GetDataHome returns $HOME/.local/share and nil error if XDG_DATA_HOME is not set.
 //

vendor/github.com/containers/storage/pkg/homedir/homedir_others.go

@@ -8,6 +8,8 @@ package homedir
 
 import (
 	"errors"
+	"os"
+	"path/filepath"
 )
 
 // GetRuntimeDir is unsupported on non-linux system.
@@ -19,3 +21,18 @@ func GetRuntimeDir() (string, error) {
 func StickRuntimeDirContents(files []string) ([]string, error) {
 	return nil, errors.New("homedir.StickRuntimeDirContents() is not supported on this system")
 }
+
+// GetConfigHome returns XDG_CONFIG_HOME.
+// GetConfigHome returns $HOME/.config and nil error if XDG_CONFIG_HOME is not set.
+//
+// See also https://standards.freedesktop.org/basedir-spec/latest/ar01s03.html
+func GetConfigHome() (string, error) {
+	if xdgConfigHome := os.Getenv("XDG_CONFIG_HOME"); xdgConfigHome != "" {
+		return xdgConfigHome, nil
+	}
+	home := Get()
+	if home == "" {
+		return "", errors.New("could not get either XDG_CONFIG_HOME or HOME")
+	}
+	return filepath.Join(home, ".config"), nil
+}

vendor/github.com/containers/storage/pkg/homedir/homedir_unix.go

@@ -7,12 +7,16 @@ package homedir
 // NOTE: this package has originally been copied from github.com/docker/docker.
 
 import (
-	"errors"
+	"fmt"
 	"os"
 	"path/filepath"
+	"strconv"
 	"strings"
+	"sync"
+	"syscall"
 
 	"github.com/containers/storage/pkg/unshare"
+	"github.com/sirupsen/logrus"
 )
 
 // Key returns the env var name for the user's home dir based on
@@ -40,18 +44,6 @@ func GetShortcutString() string {
 	return "~"
 }
 
-// GetRuntimeDir returns XDG_RUNTIME_DIR.
-// XDG_RUNTIME_DIR is typically configured via pam_systemd.
-// GetRuntimeDir returns non-nil error if XDG_RUNTIME_DIR is not set.
-//
-// See also https://standards.freedesktop.org/basedir-spec/latest/ar01s03.html
-func GetRuntimeDir() (string, error) {
-	if xdgRuntimeDir := os.Getenv("XDG_RUNTIME_DIR"); xdgRuntimeDir != "" {
-		return filepath.EvalSymlinks(xdgRuntimeDir)
-	}
-	return "", errors.New("could not get XDG_RUNTIME_DIR")
-}
-
 // StickRuntimeDirContents sets the sticky bit on files that are under
 // XDG_RUNTIME_DIR, so that the files won't be periodically removed by the system.
 //
@@ -94,3 +86,95 @@ func stick(f string) error {
 	m |= os.ModeSticky
 	return os.Chmod(f, m)
 }
+
+var (
+	rootlessConfigHomeDirError error
+	rootlessConfigHomeDirOnce  sync.Once
+	rootlessConfigHomeDir      string
+	rootlessRuntimeDirOnce     sync.Once
+	rootlessRuntimeDir         string
+)
+
+// isWriteableOnlyByOwner checks that the specified permission mask allows write
+// access only to the owner.
+func isWriteableOnlyByOwner(perm os.FileMode) bool {
+	return (perm & 0o722) == 0o700
+}
+
+// GetConfigHome returns XDG_CONFIG_HOME.
+// GetConfigHome returns $HOME/.config and nil error if XDG_CONFIG_HOME is not set.
+//
+// See also https://standards.freedesktop.org/basedir-spec/latest/ar01s03.html
+func GetConfigHome() (string, error) {
+	rootlessConfigHomeDirOnce.Do(func() {
+		cfgHomeDir := os.Getenv("XDG_CONFIG_HOME")
+		if cfgHomeDir == "" {
+			home := Get()
+			resolvedHome, err := filepath.EvalSymlinks(home)
+			if err != nil {
+				rootlessConfigHomeDirError = fmt.Errorf("cannot resolve %s: %w", home, err)
+				return
+			}
+			tmpDir := filepath.Join(resolvedHome, ".config")
+			_ = os.MkdirAll(tmpDir, 0o700)
+			st, err := os.Stat(tmpDir)
+			if err == nil && int(st.Sys().(*syscall.Stat_t).Uid) == os.Geteuid() && isWriteableOnlyByOwner(st.Mode().Perm()) {
+				cfgHomeDir = tmpDir
+			} else {
+				rootlessConfigHomeDirError = fmt.Errorf("path %q exists and it is not writeable only by the current user", tmpDir)
+				return
+			}
+		}
+		rootlessConfigHomeDir = cfgHomeDir
+	})
+
+	return rootlessConfigHomeDir, rootlessConfigHomeDirError
+}
+
+// GetRuntimeDir returns a directory suitable to store runtime files.
+// The function will try to use the XDG_RUNTIME_DIR env variable if it is set.
+// XDG_RUNTIME_DIR is typically configured via pam_systemd.
+// If XDG_RUNTIME_DIR is not set, GetRuntimeDir will try to find a suitable
+// directory for the current user.
+//
+// See also https://standards.freedesktop.org/basedir-spec/latest/ar01s03.html
+func GetRuntimeDir() (string, error) {
+	var rootlessRuntimeDirError error
+
+	rootlessRuntimeDirOnce.Do(func() {
+		runtimeDir := os.Getenv("XDG_RUNTIME_DIR")
+
+		if runtimeDir != "" {
+			rootlessRuntimeDir, rootlessRuntimeDirError = filepath.EvalSymlinks(runtimeDir)
+			return
+		}
+
+		uid := strconv.Itoa(unshare.GetRootlessUID())
+		if runtimeDir == "" {
+			tmpDir := filepath.Join("/run", "user", uid)
+			if err := os.MkdirAll(tmpDir, 0o700); err != nil {
+				logrus.Debug(err)
+			}
+			st, err := os.Lstat(tmpDir)
+			if err == nil && int(st.Sys().(*syscall.Stat_t).Uid) == os.Geteuid() && isWriteableOnlyByOwner(st.Mode().Perm()) {
+				runtimeDir = tmpDir
+			}
+		}
+		if runtimeDir == "" {
+			tmpDir := filepath.Join(os.TempDir(), fmt.Sprintf("storage-run-%s", uid))
+			if err := os.MkdirAll(tmpDir, 0o700); err != nil {
+				logrus.Debug(err)
+			}
+			st, err := os.Lstat(tmpDir)
+			if err == nil && int(st.Sys().(*syscall.Stat_t).Uid) == os.Geteuid() && isWriteableOnlyByOwner(st.Mode().Perm()) {
+				runtimeDir = tmpDir
+			} else {
+				rootlessRuntimeDirError = fmt.Errorf("path %q exists and it is not writeable only by the current user", tmpDir)
+				return
+			}
+		}
+		rootlessRuntimeDir = runtimeDir
+	})
+
+	return rootlessRuntimeDir, rootlessRuntimeDirError
+}

vendor/github.com/containers/storage/store.go

@@ -1,6 +1,7 @@
 package storage
 
 import (
+	_ "embed"
 	"encoding/base64"
 	"errors"
 	"fmt"
@@ -2741,7 +2742,13 @@ func (s *store) Status() ([][2]string, error) {
 	return rlstore.Status()
 }
 
+//go:embed VERSION
+var storageVersion string
+
 func (s *store) Version() ([][2]string, error) {
+	if trimmedVersion := strings.TrimSpace(storageVersion); trimmedVersion != "" {
+		return [][2]string{{"Version", trimmedVersion}}, nil
+	}
 	return [][2]string{}, nil
 }
 
@@ -3545,8 +3552,8 @@ func SetDefaultConfigFilePath(path string) {
 }
 
 // DefaultConfigFile returns the path to the storage config file used
-func DefaultConfigFile(rootless bool) (string, error) {
-	return types.DefaultConfigFile(rootless)
+func DefaultConfigFile() (string, error) {
+	return types.DefaultConfigFile()
 }
 
 // ReloadConfigurationFile parses the specified configuration file and overrides

vendor/github.com/containers/storage/types/options.go

@@ -11,7 +11,9 @@ import (
 
 	"github.com/BurntSushi/toml"
 	cfg "github.com/containers/storage/pkg/config"
+	"github.com/containers/storage/pkg/homedir"
 	"github.com/containers/storage/pkg/idtools"
+	"github.com/containers/storage/pkg/unshare"
 	"github.com/sirupsen/logrus"
 )
 
@@ -87,7 +89,7 @@ func loadDefaultStoreOptions() {
 
 	_, err := os.Stat(defaultOverrideConfigFile)
 	if err == nil {
-		// The DefaultConfigFile(rootless) function returns the path
+		// The DefaultConfigFile() function returns the path
 		// of the used storage.conf file, by returning defaultConfigFile
 		// If override exists containers/storage uses it by default.
 		defaultConfigFile = defaultOverrideConfigFile
@@ -109,21 +111,41 @@ func loadDefaultStoreOptions() {
 	setDefaults()
 }
 
-// defaultStoreOptionsIsolated is an internal implementation detail of DefaultStoreOptions to allow testing.
-// Everyone but the tests this is intended for should only call DefaultStoreOptions, never this function.
-func defaultStoreOptionsIsolated(rootless bool, rootlessUID int, storageConf string) (StoreOptions, error) {
+// loadStoreOptions returns the default storage ops for containers
+func loadStoreOptions() (StoreOptions, error) {
+	storageConf, err := DefaultConfigFile()
+	if err != nil {
+		return defaultStoreOptions, err
+	}
+	return loadStoreOptionsFromConfFile(storageConf)
+}
+
+// usePerUserStorage returns whether the user private storage must be used.
+// We cannot simply use the unshare.IsRootless() condition, because
+// that checks only if the current process needs a user namespace to
+// work and it would break cases where the process is already created
+// in a user namespace (e.g. nested Podman/Buildah) and the desired
+// behavior is to use system paths instead of user private paths.
+func usePerUserStorage() bool {
+	return unshare.IsRootless() && unshare.GetRootlessUID() != 0
+}
+
+// loadStoreOptionsFromConfFile is an internal implementation detail of DefaultStoreOptions to allow testing.
+// Everyone but the tests this is intended for should only call loadStoreOptions, never this function.
+func loadStoreOptionsFromConfFile(storageConf string) (StoreOptions, error) {
 	var (
 		defaultRootlessRunRoot   string
 		defaultRootlessGraphRoot string
 		err                      error
 	)
+
 	defaultStoreOptionsOnce.Do(loadDefaultStoreOptions)
 	if loadDefaultStoreOptionsErr != nil {
 		return StoreOptions{}, loadDefaultStoreOptionsErr
 	}
 	storageOpts := defaultStoreOptions
-	if rootless && rootlessUID != 0 {
-		storageOpts, err = getRootlessStorageOpts(rootlessUID, storageOpts)
+	if usePerUserStorage() {
+		storageOpts, err = getRootlessStorageOpts(storageOpts)
 		if err != nil {
 			return storageOpts, err
 		}
@@ -137,7 +159,7 @@ func defaultStoreOptionsIsolated(rootless bool, rootlessUID int, storageConf str
 		defaultRootlessGraphRoot = storageOpts.GraphRoot
 		storageOpts = StoreOptions{}
 		reloadConfigurationFileIfNeeded(storageConf, &storageOpts)
-		if rootless && rootlessUID != 0 {
+		if usePerUserStorage() {
 			// If the file did not specify a graphroot or runroot,
 			// set sane defaults so we don't try and use root-owned
 			// directories
@@ -156,6 +178,7 @@ func defaultStoreOptionsIsolated(rootless bool, rootlessUID int, storageConf str
 	if storageOpts.RunRoot == "" {
 		return storageOpts, fmt.Errorf("runroot must be set")
 	}
+	rootlessUID := unshare.GetRootlessUID()
 	runRoot, err := expandEnvPath(storageOpts.RunRoot, rootlessUID)
 	if err != nil {
 		return storageOpts, err
@@ -186,26 +209,17 @@ func defaultStoreOptionsIsolated(rootless bool, rootlessUID int, storageConf str
 	return storageOpts, nil
 }
 
-// loadStoreOptions returns the default storage ops for containers
-func loadStoreOptions(rootless bool, rootlessUID int) (StoreOptions, error) {
-	storageConf, err := DefaultConfigFile(rootless && rootlessUID != 0)
-	if err != nil {
-		return defaultStoreOptions, err
-	}
-	return defaultStoreOptionsIsolated(rootless, rootlessUID, storageConf)
-}
-
 // UpdateOptions should be called iff container engine received a SIGHUP,
 // otherwise use DefaultStoreOptions
-func UpdateStoreOptions(rootless bool, rootlessUID int) (StoreOptions, error) {
-	storeOptions, storeError = loadStoreOptions(rootless, rootlessUID)
+func UpdateStoreOptions() (StoreOptions, error) {
+	storeOptions, storeError = loadStoreOptions()
 	return storeOptions, storeError
 }
 
 // DefaultStoreOptions returns the default storage ops for containers
-func DefaultStoreOptions(rootless bool, rootlessUID int) (StoreOptions, error) {
+func DefaultStoreOptions() (StoreOptions, error) {
 	once.Do(func() {
-		storeOptions, storeError = loadStoreOptions(rootless, rootlessUID)
+		storeOptions, storeError = loadStoreOptions()
 	})
 	return storeOptions, storeError
 }
@@ -270,14 +284,26 @@ func isRootlessDriver(driver string) bool {
 }
 
 // getRootlessStorageOpts returns the storage opts for containers running as non root
-func getRootlessStorageOpts(rootlessUID int, systemOpts StoreOptions) (StoreOptions, error) {
+func getRootlessStorageOpts(systemOpts StoreOptions) (StoreOptions, error) {
 	var opts StoreOptions
 
-	dataDir, rootlessRuntime, err := getRootlessDirInfo(rootlessUID)
+	rootlessUID := unshare.GetRootlessUID()
+
+	dataDir, err := homedir.GetDataHome()
 	if err != nil {
 		return opts, err
 	}
-	opts.RunRoot = rootlessRuntime
+
+	rootlessRuntime, err := homedir.GetRuntimeDir()
+	if err != nil {
+		return opts, err
+	}
+
+	opts.RunRoot = filepath.Join(rootlessRuntime, "containers")
+	if err := os.MkdirAll(opts.RunRoot, 0o700); err != nil {
+		return opts, fmt.Errorf("unable to make rootless runtime: %w", err)
+	}
+
 	opts.PullOptions = systemOpts.PullOptions
 	if systemOpts.RootlessStoragePath != "" {
 		opts.GraphRoot, err = expandEnvPath(systemOpts.RootlessStoragePath, rootlessUID)
@@ -343,12 +369,6 @@ func getRootlessStorageOpts(rootlessUID int, systemOpts StoreOptions) (StoreOpti
 	return opts, nil
 }
 
-// DefaultStoreOptionsAutoDetectUID returns the default storage ops for containers
-func DefaultStoreOptionsAutoDetectUID() (StoreOptions, error) {
-	uid := getRootlessUID()
-	return DefaultStoreOptions(uid != 0, uid)
-}
-
 var prevReloadConfig = struct {
 	storeOptions *StoreOptions
 	mod          time.Time
@@ -518,8 +538,8 @@ func Options() (StoreOptions, error) {
 }
 
 // Save overwrites the tomlConfig in storage.conf with the given conf
-func Save(conf TomlConfig, rootless bool) error {
-	configFile, err := DefaultConfigFile(rootless)
+func Save(conf TomlConfig) error {
+	configFile, err := DefaultConfigFile()
 	if err != nil {
 		return err
 	}
@@ -537,10 +557,10 @@ func Save(conf TomlConfig, rootless bool) error {
 }
 
 // StorageConfig is used to retrieve the storage.conf toml in order to overwrite it
-func StorageConfig(rootless bool) (*TomlConfig, error) {
+func StorageConfig() (*TomlConfig, error) {
 	config := new(TomlConfig)
 
-	configFile, err := DefaultConfigFile(rootless)
+	configFile, err := DefaultConfigFile()
 	if err != nil {
 		return nil, err
 	}

vendor/github.com/containers/storage/types/utils.go

@@ -2,162 +2,15 @@ package types
 
 import (
 	"errors"
-	"fmt"
 	"os"
 	"path/filepath"
 	"strconv"
 	"strings"
 
 	"github.com/containers/storage/pkg/homedir"
-	"github.com/containers/storage/pkg/system"
 	"github.com/sirupsen/logrus"
 )
 
-// GetRootlessRuntimeDir returns the runtime directory when running as non root
-func GetRootlessRuntimeDir(rootlessUID int) (string, error) {
-	path, err := getRootlessRuntimeDir(rootlessUID)
-	if err != nil {
-		return "", err
-	}
-	path = filepath.Join(path, "containers")
-	if err := os.MkdirAll(path, 0o700); err != nil {
-		return "", fmt.Errorf("unable to make rootless runtime: %w", err)
-	}
-	return path, nil
-}
-
-type rootlessRuntimeDirEnvironment interface {
-	getProcCommandFile() string
-	getRunUserDir() string
-	getTmpPerUserDir() string
-
-	homeDirGetRuntimeDir() (string, error)
-	systemLstat(string) (*system.StatT, error)
-	homedirGet() string
-}
-
-type rootlessRuntimeDirEnvironmentImplementation struct {
-	procCommandFile string
-	runUserDir      string
-	tmpPerUserDir   string
-}
-
-func (env rootlessRuntimeDirEnvironmentImplementation) getProcCommandFile() string {
-	return env.procCommandFile
-}
-
-func (env rootlessRuntimeDirEnvironmentImplementation) getRunUserDir() string {
-	return env.runUserDir
-}
-
-func (env rootlessRuntimeDirEnvironmentImplementation) getTmpPerUserDir() string {
-	return env.tmpPerUserDir
-}
-
-func (rootlessRuntimeDirEnvironmentImplementation) homeDirGetRuntimeDir() (string, error) {
-	return homedir.GetRuntimeDir()
-}
-
-func (rootlessRuntimeDirEnvironmentImplementation) systemLstat(path string) (*system.StatT, error) {
-	return system.Lstat(path)
-}
-
-func (rootlessRuntimeDirEnvironmentImplementation) homedirGet() string {
-	return homedir.Get()
-}
-
-func isRootlessRuntimeDirOwner(dir string, env rootlessRuntimeDirEnvironment) bool {
-	st, err := env.systemLstat(dir)
-	return err == nil && int(st.UID()) == os.Getuid() && st.Mode()&0o700 == 0o700 && st.Mode()&0o066 == 0o000
-}
-
-// getRootlessRuntimeDirIsolated is an internal implementation detail of getRootlessRuntimeDir to allow testing.
-// Everyone but the tests this is intended for should only call getRootlessRuntimeDir, never this function.
-func getRootlessRuntimeDirIsolated(env rootlessRuntimeDirEnvironment) (string, error) {
-	runtimeDir, err := env.homeDirGetRuntimeDir()
-	if err == nil {
-		return runtimeDir, nil
-	}
-
-	initCommand, err := os.ReadFile(env.getProcCommandFile())
-	if err != nil || string(initCommand) == "systemd" {
-		runUserDir := env.getRunUserDir()
-		if isRootlessRuntimeDirOwner(runUserDir, env) {
-			return runUserDir, nil
-		}
-	}
-
-	tmpPerUserDir := env.getTmpPerUserDir()
-	if tmpPerUserDir != "" {
-		if _, err := env.systemLstat(tmpPerUserDir); os.IsNotExist(err) {
-			if err := os.Mkdir(tmpPerUserDir, 0o700); err != nil {
-				logrus.Errorf("Failed to create temp directory for user: %v", err)
-			} else {
-				return tmpPerUserDir, nil
-			}
-		} else if isRootlessRuntimeDirOwner(tmpPerUserDir, env) {
-			return tmpPerUserDir, nil
-		}
-	}
-
-	homeDir := env.homedirGet()
-	if homeDir == "" {
-		return "", errors.New("neither XDG_RUNTIME_DIR nor temp dir nor HOME was set non-empty")
-	}
-	resolvedHomeDir, err := filepath.EvalSymlinks(homeDir)
-	if err != nil {
-		return "", err
-	}
-	return filepath.Join(resolvedHomeDir, "rundir"), nil
-}
-
-func getRootlessRuntimeDir(rootlessUID int) (string, error) {
-	return getRootlessRuntimeDirIsolated(
-		rootlessRuntimeDirEnvironmentImplementation{
-			"/proc/1/comm",
-			fmt.Sprintf("/run/user/%d", rootlessUID),
-			fmt.Sprintf("%s/containers-user-%d", os.TempDir(), rootlessUID),
-		},
-	)
-}
-
-// getRootlessDirInfo returns the parent path of where the storage for containers and
-// volumes will be in rootless mode
-func getRootlessDirInfo(rootlessUID int) (string, string, error) {
-	rootlessRuntime, err := GetRootlessRuntimeDir(rootlessUID)
-	if err != nil {
-		return "", "", err
-	}
-
-	dataDir, err := homedir.GetDataHome()
-	if err == nil {
-		return dataDir, rootlessRuntime, nil
-	}
-
-	home := homedir.Get()
-	if home == "" {
-		return "", "", fmt.Errorf("neither XDG_DATA_HOME nor HOME was set non-empty: %w", err)
-	}
-	// runc doesn't like symlinks in the rootfs path, and at least
-	// on CoreOS /home is a symlink to /var/home, so resolve any symlink.
-	resolvedHome, err := filepath.EvalSymlinks(home)
-	if err != nil {
-		return "", "", err
-	}
-	dataDir = filepath.Join(resolvedHome, ".local", "share")
-
-	return dataDir, rootlessRuntime, nil
-}
-
-func getRootlessUID() int {
-	uidEnv := os.Getenv("_CONTAINERS_ROOTLESS_UID")
-	if uidEnv != "" {
-		u, _ := strconv.Atoi(uidEnv)
-		return u
-	}
-	return os.Geteuid()
-}
-
 func expandEnvPath(path string, rootlessUID int) (string, error) {
 	var err error
 	path = strings.Replace(path, "$UID", strconv.Itoa(rootlessUID), -1)
@@ -169,7 +22,7 @@ func expandEnvPath(path string, rootlessUID int) (string, error) {
 	return newpath, nil
 }
 
-func DefaultConfigFile(rootless bool) (string, error) {
+func DefaultConfigFile() (string, error) {
 	if defaultConfigFileSet {
 		return defaultConfigFile, nil
 	}
@@ -177,7 +30,7 @@ func DefaultConfigFile(rootless bool) (string, error) {
 	if path, ok := os.LookupEnv(storageConfEnv); ok {
 		return path, nil
 	}
-	if !rootless {
+	if !usePerUserStorage() {
 		if _, err := os.Stat(defaultOverrideConfigFile); err == nil {
 			return defaultOverrideConfigFile, nil
 		}

vendor/github.com/containers/storage/utils.go

@@ -11,19 +11,9 @@ func ParseIDMapping(UIDMapSlice, GIDMapSlice []string, subUIDMap, subGIDMap stri
 	return types.ParseIDMapping(UIDMapSlice, GIDMapSlice, subUIDMap, subGIDMap)
 }
 
-// GetRootlessRuntimeDir returns the runtime directory when running as non root
-func GetRootlessRuntimeDir(rootlessUID int) (string, error) {
-	return types.GetRootlessRuntimeDir(rootlessUID)
-}
-
-// DefaultStoreOptionsAutoDetectUID returns the default storage options for containers
-func DefaultStoreOptionsAutoDetectUID() (types.StoreOptions, error) {
-	return types.DefaultStoreOptionsAutoDetectUID()
-}
-
 // DefaultStoreOptions returns the default storage options for containers
-func DefaultStoreOptions(rootless bool, rootlessUID int) (types.StoreOptions, error) {
-	return types.DefaultStoreOptions(rootless, rootlessUID)
+func DefaultStoreOptions() (types.StoreOptions, error) {
+	return types.DefaultStoreOptions()
 }
 
 func validateMountOptions(mountOptions []string) error {