Bump Buildah to v1.24.0

Bumps Buildah to v1.24.0 and adopts the new values for pull:
true, false, never, and always.  The pull-never and pull-always options
for the build command are still usable, but they have been removed from
the man page documentation with this change.

Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>

vendor/github.com/containers/common/libnetwork/cni/config.go

@@ -60,7 +60,7 @@ func (n *cniNetwork) networkCreate(newNetwork *types.Network, defaultNet bool) (
 	// Therefore the next podman command tries to create the default net again and it would
 	// fail because it thinks the network is used on the host.
 	var usedNetworks []*net.IPNet
-	if !defaultNet {
+	if !defaultNet && newNetwork.Driver == types.BridgeNetworkDriver {
 		usedNetworks, err = internalutil.GetUsedSubnets(n)
 		if err != nil {
 			return nil, err

vendor/github.com/containers/common/libnetwork/netavark/config.go

@@ -74,7 +74,7 @@ func (n *netavarkNetwork) networkCreate(newNetwork *types.Network, defaultNet bo
 	// Therefore the next podman command tries to create the default net again and it would
 	// fail because it thinks the network is used on the host.
 	var usedNetworks []*net.IPNet
-	if !defaultNet {
+	if !defaultNet && newNetwork.Driver == types.BridgeNetworkDriver {
 		usedNetworks, err = internalutil.GetUsedSubnets(n)
 		if err != nil {
 			return nil, err

vendor/github.com/containers/common/libnetwork/netavark/exec.go

@@ -107,7 +107,7 @@ func (n *netavarkNetwork) execNetavark(args []string, stdin, result interface{})
 		logWriter = io.MultiWriter(logWriter, &logrusNetavarkWriter{})
 	}
 
-	cmd := exec.Command(n.netavarkBinary, args...)
+	cmd := exec.Command(n.netavarkBinary, append(n.getCommonNetavarkOptions(), args...)...)
 	// connect the pipes to stdin and stdout
 	cmd.Stdin = stdinR
 	cmd.Stdout = stdoutW

vendor/github.com/containers/common/libnetwork/netavark/network.go

@@ -25,11 +25,13 @@ type netavarkNetwork struct {
 	// networkRunDir is where temporary files are stored, i.e.the ipam db, aardvark config etc
 	networkRunDir string
 
-	// tells netavark wheather this is rootless mode or rootfull, "true" or "false"
+	// tells netavark whether this is rootless mode or rootfull, "true" or "false"
 	networkRootless bool
 
 	// netavarkBinary is the path to the netavark binary.
 	netavarkBinary string
+	// aardvarkBinary is the path to the aardvark binary.
+	aardvarkBinary string
 
 	// defaultNetwork is the name for the default network.
 	defaultNetwork string
@@ -59,6 +61,8 @@ type InitConfig struct {
 
 	// NetavarkBinary is the path to the netavark binary.
 	NetavarkBinary string
+	// AardvarkBinary is the path to the aardvark binary.
+	AardvarkBinary string
 
 	// NetworkRunDir is where temporary files are stored, i.e.the ipam db, aardvark config
 	NetworkRunDir string
@@ -108,6 +112,7 @@ func NewNetworkInterface(conf *InitConfig) (types.ContainerNetwork, error) {
 		networkConfigDir: conf.NetworkConfigDir,
 		networkRunDir:    conf.NetworkRunDir,
 		netavarkBinary:   conf.NetavarkBinary,
+		aardvarkBinary:   conf.AardvarkBinary,
 		networkRootless:  unshare.IsRootless(),
 		ipamDBPath:       filepath.Join(conf.NetworkRunDir, "ipam.db"),
 		defaultNetwork:   defaultNetworkName,

vendor/github.com/containers/common/libnetwork/netavark/run.go

@@ -55,7 +55,7 @@ func (n *netavarkNetwork) Setup(namespacePath string, options types.SetupOptions
 	}
 
 	result := map[string]types.StatusBlock{}
-	err = n.execNetavark([]string{"--config", n.networkRunDir, "--rootless=" + strconv.FormatBool(n.networkRootless), "setup", namespacePath}, netavarkOpts, &result)
+	err = n.execNetavark([]string{"setup", namespacePath}, netavarkOpts, &result)
 	if err != nil {
 		// lets dealloc ips to prevent leaking
 		if err := n.deallocIPs(&options.NetworkOptions); err != nil {
@@ -95,7 +95,7 @@ func (n *netavarkNetwork) Teardown(namespacePath string, options types.TeardownO
 		return errors.Wrap(err, "failed to convert net opts")
 	}
 
-	retErr := n.execNetavark([]string{"--config", n.networkRunDir, "--rootless=" + strconv.FormatBool(n.networkRootless), "teardown", namespacePath}, netavarkOpts, nil)
+	retErr := n.execNetavark([]string{"teardown", namespacePath}, netavarkOpts, nil)
 
 	// when netavark returned an error we still free the used ips
 	// otherwise we could end up in a state where block the ips forever
@@ -111,6 +111,10 @@ func (n *netavarkNetwork) Teardown(namespacePath string, options types.TeardownO
 	return retErr
 }
 
+func (n *netavarkNetwork) getCommonNetavarkOptions() []string {
+	return []string{"--config", n.networkRunDir, "--rootless=" + strconv.FormatBool(n.networkRootless), "--aardvark-binary=" + n.aardvarkBinary}
+}
+
 func (n *netavarkNetwork) convertNetOpts(opts types.NetworkOptions) (*netavarkOptions, error) {
 	netavarkOptions := netavarkOptions{
 		NetworkOptions: opts,

vendor/github.com/containers/common/libnetwork/network/interface.go

@@ -31,6 +31,11 @@ const (
 	netavarkConfigDir = "/etc/containers/networks"
 	// netavarkRunDir is the run directory for the rootful temporary network files such as the ipam db
 	netavarkRunDir = "/run/containers/networks"
+
+	// netavarkBinary is the name of the netavark binary
+	netavarkBinary = "netavark"
+	// aardvarkBinary is the name of the aardvark binary
+	aardvarkBinary = "aardvark-dns"
 )
 
 // NetworkBackend returns the network backend name and interface
@@ -51,11 +56,17 @@ func NetworkBackend(store storage.Store, conf *config.Config, syslog bool) (type
 
 	switch backend {
 	case types.Netavark:
-		netavarkBin, err := conf.FindHelperBinary("netavark", false)
+		netavarkBin, err := conf.FindHelperBinary(netavarkBinary, false)
 		if err != nil {
 			return "", nil, err
 		}
 
+		aardvarkBin, err := conf.FindHelperBinary(aardvarkBinary, false)
+		if err != nil {
+			// this is not a fatal error we can still use netavark without dns
+			logrus.Warnf("%s binary not found, container dns will not be enabled", aardvarkBin)
+		}
+
 		confDir := conf.Network.NetworkConfigDir
 		if confDir == "" {
 			confDir = getDefaultNetavarkConfigDir(store)
@@ -74,6 +85,7 @@ func NetworkBackend(store storage.Store, conf *config.Config, syslog bool) (type
 			NetworkConfigDir: confDir,
 			NetworkRunDir:    runDir,
 			NetavarkBinary:   netavarkBin,
+			AardvarkBinary:   aardvarkBin,
 			DefaultNetwork:   conf.Network.DefaultNetwork,
 			DefaultSubnet:    conf.Network.DefaultSubnet,
 			Syslog:           syslog,

vendor/github.com/containers/common/pkg/config/config.go

@@ -181,11 +181,6 @@ type ContainersConfig struct {
 	// performance implications.
 	PrepareVolumeOnCreate bool `toml:"prepare_volume_on_create,omitempty"`
 
-	// RootlessNetworking depicts the "kind" of networking for rootless
-	// containers.  Valid options are `slirp4netns` and `cni`. Default is
-	// `slirp4netns` on Linux, and `cni` on non-Linux OSes.
-	RootlessNetworking string `toml:"rootless_networking,omitempty"`
-
 	// SeccompProfile is the seccomp.json profile path which is used as the
 	// default for the runtime.
 	SeccompProfile string `toml:"seccomp_profile,omitempty"`
@@ -1193,7 +1188,7 @@ func (c *Config) FindHelperBinary(name string, searchPATH bool) (string, error)
 	return "", errors.Errorf("could not find %q in one of %v.  %s", name, c.Engine.HelperBinariesDir, configHint)
 }
 
-// ImageCopyTmpDir default directory to store tempory image files during copy
+// ImageCopyTmpDir default directory to store temporary image files during copy
 func (c *Config) ImageCopyTmpDir() (string, error) {
 	if path, found := os.LookupEnv("TMPDIR"); found {
 		return path, nil

vendor/github.com/containers/common/pkg/config/containers.conf

@@ -197,10 +197,6 @@ default_sysctls = [
 #
 #prepare_volume_on_create = false
 
-# Indicates the networking to be used for rootless containers
-#
-#rootless_networking = "slirp4netns"
-
 # Path to the seccomp.json profile which is used as the default seccomp profile
 # for the runtime.
 #

vendor/github.com/containers/common/pkg/config/default.go

@@ -177,23 +177,22 @@ func DefaultConfig() (*Config, error) {
 				"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
 				"TERM=xterm",
 			},
-			EnvHost:            false,
-			HTTPProxy:          true,
-			Init:               false,
-			InitPath:           "",
-			IPCNS:              "private",
-			LogDriver:          defaultLogDriver(),
-			LogSizeMax:         DefaultLogSizeMax,
-			NetNS:              "private",
-			NoHosts:            false,
-			PidsLimit:          DefaultPidsLimit,
-			PidNS:              "private",
-			RootlessNetworking: getDefaultRootlessNetwork(),
-			ShmSize:            DefaultShmSize,
-			TZ:                 "",
-			Umask:              "0022",
-			UTSNS:              "private",
-			UserNSSize:         DefaultUserNSSize,
+			EnvHost:    false,
+			HTTPProxy:  true,
+			Init:       false,
+			InitPath:   "",
+			IPCNS:      "private",
+			LogDriver:  defaultLogDriver(),
+			LogSizeMax: DefaultLogSizeMax,
+			NetNS:      "private",
+			NoHosts:    false,
+			PidsLimit:  DefaultPidsLimit,
+			PidNS:      "private",
+			ShmSize:    DefaultShmSize,
+			TZ:         "",
+			Umask:      "0022",
+			UTSNS:      "private",
+			UserNSSize: DefaultUserNSSize,
 		},
 		Network: NetworkConfig{
 			DefaultNetwork: "podman",
@@ -566,9 +565,3 @@ func (c *Config) LogDriver() string {
 func (c *Config) MachineEnabled() bool {
 	return c.Engine.MachineEnabled
 }
-
-// RootlessNetworking returns the "kind" of networking
-// rootless containers should use
-func (c *Config) RootlessNetworking() string {
-	return c.Containers.RootlessNetworking
-}

vendor/github.com/containers/common/pkg/config/default_linux.go

@@ -24,12 +24,6 @@ func getDefaultMachineUser() string {
 	return "core"
 }
 
-// getDefaultRootlessNetwork returns the default rootless network configuration.
-// It is "slirp4netns" for Linux.
-func getDefaultRootlessNetwork() string {
-	return "slirp4netns"
-}
-
 // getDefaultProcessLimits returns the nproc for the current process in ulimits format
 // Note that nfile sometimes cannot be set to unlimited, and the limit is hardcoded
 // to (oldMaxSize) 1048576 (2^20), see: http://stackoverflow.com/a/1213069/1811501

vendor/github.com/containers/common/pkg/config/default_unsupported.go

@@ -13,12 +13,6 @@ func getDefaultMachineUser() string {
 	return "core"
 }
 
-// getDefaultRootlessNetwork returns the default rootless network configuration.
-// It is "cni" for non-Linux OSes (to better support `podman-machine` usecases).
-func getDefaultRootlessNetwork() string {
-	return "cni"
-}
-
 // isCgroup2UnifiedMode returns whether we are running in cgroup2 mode.
 func isCgroup2UnifiedMode() (isUnified bool, isUnifiedErr error) {
 	return false, nil

vendor/github.com/containers/common/pkg/config/default_windows.go

@@ -11,12 +11,6 @@ func getDefaultMachineUser() string {
 	return "user"
 }
 
-// getDefaultRootlessNetwork returns the default rootless network configuration.
-// It is "cni" for non-Linux OSes (to better support `podman-machine` usecases).
-func getDefaultRootlessNetwork() string {
-	return "cni"
-}
-
 // isCgroup2UnifiedMode returns whether we are running in cgroup2 mode.
 func isCgroup2UnifiedMode() (isUnified bool, isUnifiedErr error) {
 	return false, nil

vendor/github.com/containers/common/pkg/flag/flag.go

@@ -95,7 +95,7 @@ func (os *OptionalString) Value() string {
 // newoptionalString
 type optionalStringValue OptionalString
 
-// NewOptionalStringValue returns a pflag.Value fo the string.
+// NewOptionalStringValue returns a pflag.Value for the string.
 func NewOptionalStringValue(p *OptionalString) pflag.Value {
 	p.present = false
 	return (*optionalStringValue)(p)

vendor/github.com/containers/common/pkg/secrets/shelldriver/shelldriver.go

@@ -36,7 +36,7 @@ type driverConfig struct {
 	LookupCommand string `mapstructure:"lookup"`
 	// StoreCommand contains a shell command that stores a secret.
 	// The secret id is provided as environment variable SECRET_ID
-	// The secret value itself is provied over stdin
+	// The secret value itself is provided over stdin
 	StoreCommand string `mapstructure:"store"`
 }
 

vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go

@@ -149,14 +149,15 @@ func getMountsMap(path string) (string, string, error) { //nolint
 
 // MountsWithUIDGID copies, adds, and mounts the subscriptions to the container root filesystem
 // mountLabel: MAC/SELinux label for container content
-// containerWorkingDir: Private data for storing subscriptions on the host mounted in container.
+// containerRunDir: Private data for storing subscriptions on the host mounted in container.
 // mountFile: Additional mount points required for the container.
-// mountPoint: Container image mountpoint
+// mountPoint: Container image mountpoint, or the directory from the hosts perspective that
+//   corresponds to `/` in the container.
 // uid: to assign to content created for subscriptions
 // gid: to assign to content created for subscriptions
 // rootless: indicates whether container is running in rootless mode
 // disableFips: indicates whether system should ignore fips mode
-func MountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPoint string, uid, gid int, rootless, disableFips bool) []rspec.Mount {
+func MountsWithUIDGID(mountLabel, containerRunDir, mountFile, mountPoint string, uid, gid int, rootless, disableFips bool) []rspec.Mount {
 	var (
 		subscriptionMounts []rspec.Mount
 		mountFiles         []string
@@ -174,7 +175,7 @@ func MountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPoint str
 	}
 	for _, file := range mountFiles {
 		if _, err := os.Stat(file); err == nil {
-			mounts, err := addSubscriptionsFromMountsFile(file, mountLabel, containerWorkingDir, uid, gid)
+			mounts, err := addSubscriptionsFromMountsFile(file, mountLabel, containerRunDir, uid, gid)
 			if err != nil {
 				logrus.Warnf("Failed to mount subscriptions, skipping entry in %s: %v", file, err)
 			}
@@ -191,7 +192,7 @@ func MountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPoint str
 	_, err := os.Stat("/etc/system-fips")
 	switch {
 	case err == nil:
-		if err := addFIPSModeSubscription(&subscriptionMounts, containerWorkingDir, mountPoint, mountLabel, uid, gid); err != nil {
+		if err := addFIPSModeSubscription(&subscriptionMounts, containerRunDir, mountPoint, mountLabel, uid, gid); err != nil {
 			logrus.Errorf("Adding FIPS mode subscription to container: %v", err)
 		}
 	case os.IsNotExist(err):
@@ -210,7 +211,7 @@ func rchown(chowndir string, uid, gid int) error {
 
 // addSubscriptionsFromMountsFile copies the contents of host directory to container directory
 // and returns a list of mounts
-func addSubscriptionsFromMountsFile(filePath, mountLabel, containerWorkingDir string, uid, gid int) ([]rspec.Mount, error) {
+func addSubscriptionsFromMountsFile(filePath, mountLabel, containerRunDir string, uid, gid int) ([]rspec.Mount, error) {
 	var mounts []rspec.Mount
 	defaultMountsPaths := getMounts(filePath)
 	for _, path := range defaultMountsPaths {
@@ -228,7 +229,7 @@ func addSubscriptionsFromMountsFile(filePath, mountLabel, containerWorkingDir st
 			return nil, err
 		}
 
-		ctrDirOrFileOnHost := filepath.Join(containerWorkingDir, ctrDirOrFile)
+		ctrDirOrFileOnHost := filepath.Join(containerRunDir, ctrDirOrFile)
 
 		// In the event of a restart, don't want to copy subscriptions over again as they already would exist in ctrDirOrFileOnHost
 		_, err = os.Stat(ctrDirOrFileOnHost)
@@ -300,13 +301,17 @@ func addSubscriptionsFromMountsFile(filePath, mountLabel, containerWorkingDir st
 	return mounts, nil
 }
 
-// addFIPSModeSubscription creates /run/secrets/system-fips in the container
-// root filesystem if /etc/system-fips exists on hosts.
-// This enables the container to be FIPS compliant and run openssl in
-// FIPS mode as the host is also in FIPS mode.
-func addFIPSModeSubscription(mounts *[]rspec.Mount, containerWorkingDir, mountPoint, mountLabel string, uid, gid int) error {
+// addFIPSModeSubscription adds mounts to the `mounts` slice that are needed for the container to run openssl in FIPs mode
+// (i.e: be FIPs compliant).
+// It should only be called if /etc/system-fips exists on host.
+// It primarily does two things:
+// - creates /run/secrets/system-fips in the container root filesystem, and adds it to the `mounts` slice.
+// - If `/etc/crypto-policies/back-ends` already exists inside of the container, it creates
+//   `/usr/share/crypto-policies/back-ends/FIPS` inside the container as well.
+//   It is done from within the container to ensure to avoid policy incompatibility between the container and host.
+func addFIPSModeSubscription(mounts *[]rspec.Mount, containerRunDir, mountPoint, mountLabel string, uid, gid int) error {
 	subscriptionsDir := "/run/secrets"
-	ctrDirOnHost := filepath.Join(containerWorkingDir, subscriptionsDir)
+	ctrDirOnHost := filepath.Join(containerRunDir, subscriptionsDir)
 	if _, err := os.Stat(ctrDirOnHost); os.IsNotExist(err) {
 		if err = idtools.MkdirAllAs(ctrDirOnHost, 0755, uid, gid); err != nil { //nolint
 			return err
@@ -322,7 +327,7 @@ func addFIPSModeSubscription(mounts *[]rspec.Mount, containerWorkingDir, mountPo
 		if err != nil {
 			return errors.Wrap(err, "creating system-fips file in container for FIPS mode")
 		}
-		defer file.Close()
+		file.Close()
 	}
 
 	if !mountExists(*mounts, subscriptionsDir) {

vendor/github.com/containers/common/version/version.go

@@ -1,4 +1,4 @@
 package version
 
 // Version is the version of the build.
-const Version = "0.46.1-dev"
+const Version = "0.47.1"