vendor: update containers/{common,storage,image,buildah}

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

vendor/github.com/containers/buildah/.cirrus.yml

@@ -120,7 +120,7 @@ vendor_task:
 
     # Runs within Cirrus's "community cluster"
     container:
-        image: docker.io/library/golang:1.20
+        image: docker.io/library/golang:latest
         cpu: 1
         memory: 1
 

vendor/github.com/containers/buildah/Makefile

@@ -73,17 +73,16 @@ bin/buildah: $(SOURCES) cmd/buildah/*.go internal/mkcw/embed/entrypoint.gz
 	$(GO_BUILD) $(BUILDAH_LDFLAGS) $(GO_GCFLAGS) "$(GOGCFLAGS)" -o $@ $(BUILDFLAGS) ./cmd/buildah
 
 ifneq ($(shell as --version | grep x86_64),)
+internal/mkcw/embed/entrypoint.gz: internal/mkcw/embed/entrypoint
+	$(RM) $@
+	gzip -k $^
+
 internal/mkcw/embed/entrypoint: internal/mkcw/embed/entrypoint.s
 	$(AS) -o $(patsubst %.s,%.o,$^) $^
 	$(LD) -o $@ $(patsubst %.s,%.o,$^)
 	strip $@
-else
-.PHONY: internal/mkcw/embed/entrypoint
 endif
 
-internal/mkcw/embed/entrypoint.gz: internal/mkcw/embed/entrypoint
-	$(RM) $@
-	gzip -k $^
 
 .PHONY: buildah
 buildah: bin/buildah

vendor/github.com/containers/buildah/define/types.go

@@ -29,7 +29,7 @@ const (
 	// identify working containers.
 	Package = "buildah"
 	// Version for the Package. Also used by .packit.sh for Packit builds.
-	Version = "1.33.1"
+	Version = "1.33.2-dev"
 
 	// DefaultRuntime if containers.conf fails.
 	DefaultRuntime = "runc"

vendor/github.com/containers/buildah/import.go

@@ -22,7 +22,7 @@ func importBuilderDataFromImage(ctx context.Context, store storage.Store, system
 		return nil, errors.New("Internal error: imageID is empty in importBuilderDataFromImage")
 	}
 
-	storeopts, err := storage.DefaultStoreOptions(false, 0)
+	storeopts, err := storage.DefaultStoreOptions()
 	if err != nil {
 		return nil, err
 	}

vendor/github.com/containers/buildah/pkg/jail/jail.go

@@ -4,10 +4,13 @@
 package jail
 
 import (
+	"strconv"
 	"strings"
+	"sync"
 	"syscall"
 	"unsafe"
 
+	"github.com/containers/buildah/pkg/util"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
 )
@@ -28,6 +31,11 @@ type config struct {
 	params map[string]interface{}
 }
 
+var (
+	needVnetJailOnce sync.Once
+	needVnetJail     bool
+)
+
 func NewConfig() *config {
 	return &config{
 		params: make(map[string]interface{}),
@@ -178,3 +186,47 @@ func (j *jail) Set(jconf *config) error {
 	_, err := jailSet(jconf, JAIL_UPDATE)
 	return err
 }
+
+// Return true if its necessary to have a separate jail to own the vnet.  For
+// FreeBSD 13.3 and later, we don't need a separate vnet jail since it is
+// possible to configure the network without either attaching to the container's
+// jail or trusting the ifconfig and route utilities in the container. If for
+// any reason, we fail to parse the OS version, we default to returning true.
+func NeedVnetJail() bool {
+	needVnetJailOnce.Do(func() {
+		needVnetJail = true
+		version, err := util.ReadKernelVersion()
+		if err != nil {
+			logrus.Errorf("failed to determine OS version: %v", err)
+			return
+		}
+		// Expected formats "<major>.<minor>-<RELEASE|STABLE|CURRENT>" optionally
+		// followed by "-<patchlevel>"
+		parts := strings.Split(string(version), "-")
+		if len(parts) < 2 {
+			logrus.Errorf("unexpected OS version: %s", version)
+			return
+		}
+		ver := strings.Split(parts[0], ".")
+		if len(parts) != 2 {
+			logrus.Errorf("unexpected OS version: %s", version)
+			return
+		}
+
+		// FreeBSD 13.3 and later have support for 'ifconfig -j' and 'route -j'
+		major, err := strconv.Atoi(ver[0])
+		if err != nil {
+			logrus.Errorf("unexpected OS version: %s", version)
+			return
+		}
+		minor, err := strconv.Atoi(ver[1])
+		if err != nil {
+			logrus.Errorf("unexpected OS version: %s", version)
+			return
+		}
+		if major > 13 || (major == 13 && minor > 2) {
+			needVnetJail = false
+		}
+	})
+	return needVnetJail
+}

vendor/github.com/containers/buildah/run_freebsd.go

@@ -156,7 +156,11 @@ func (b *Builder) Run(command []string, options RunOptions) error {
 
 	containerName := Package + "-" + filepath.Base(path)
 	if configureNetwork {
-		g.AddAnnotation("org.freebsd.parentJail", containerName+"-vnet")
+		if jail.NeedVnetJail() {
+			g.AddAnnotation("org.freebsd.parentJail", containerName+"-vnet")
+		} else {
+			g.AddAnnotation("org.freebsd.jail.vnet", "new")
+		}
 	}
 
 	homeDir, err := b.configureUIDGID(g, mountPoint, options)
@@ -247,9 +251,11 @@ func (b *Builder) Run(command []string, options RunOptions) error {
 
 	defer b.cleanupTempVolumes()
 
-	// If we are creating a network, make the vnet here so that we
-	// can execute the OCI runtime inside it.
-	if configureNetwork {
+	// If we are creating a network, make the vnet here so that we can
+	// execute the OCI runtime inside it. For FreeBSD-13.3 and later, we can
+	// configure the container network settings from outside the jail, which
+	// removes the need for a separate jail to manage the vnet.
+	if configureNetwork && jail.NeedVnetJail() {
 		mynetns := containerName + "-vnet"
 
 		jconf := jail.NewConfig()
@@ -426,7 +432,12 @@ func (b *Builder) runConfigureNetwork(pid int, isolation define.Isolation, optio
 	}
 	logrus.Debugf("configureNetworks: %v", configureNetworks)
 
-	mynetns := containerName + "-vnet"
+	var mynetns string
+	if jail.NeedVnetJail() {
+		mynetns = containerName + "-vnet"
+	} else {
+		mynetns = containerName
+	}
 
 	networks := make(map[string]nettypes.PerNetworkOptions, len(configureNetworks))
 	for i, network := range configureNetworks {