[v5.5] Bump buildah from v1.40.0 to v1.40.1

Bump the version of buildah that we use from v1.40.0 to v1.40.1. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2025-10-09 23:15:39 +08:00 · 2025-06-04 13:58:46 -04:00
parent b1938316c3
commit 4ef6a8715c
16 changed files with 160 additions and 59 deletions
--- a/go.mod
+++ b/go.mod
@ -12,7 +12,7 @@ require (
 	github.com/checkpoint-restore/checkpointctl v1.3.0
 	github.com/checkpoint-restore/go-criu/v7 v7.2.0
 	github.com/containernetworking/plugins v1.6.2
-	github.com/containers/buildah v1.40.0
+	github.com/containers/buildah v1.40.1
 	github.com/containers/common v0.63.1
 	github.com/containers/conmon v2.0.20+incompatible
 	github.com/containers/gvisor-tap-vsock v0.8.6
--- a/go.sum
+++ b/go.sum
@ -66,8 +66,8 @@ github.com/containernetworking/cni v1.3.0 h1:v6EpN8RznAZj9765HhXQrtXgX+ECGebEYEm
 github.com/containernetworking/cni v1.3.0/go.mod h1:Bs8glZjjFfGPHMw6hQu82RUgEPNGEaBb9KS5KtNMnJ4=
 github.com/containernetworking/plugins v1.6.2 h1:pqP8Mq923TLyef5g97XfJ/xpDeVek4yF8A4mzy9Tc4U=
 github.com/containernetworking/plugins v1.6.2/go.mod h1:SP5UG3jDO9LtmfbBJdP+nl3A1atOtbj2MBOYsnaxy64=
-github.com/containers/buildah v1.40.0 h1:qCHTKnL/UEutxT6ZS8Zvhy7QUpe719jEIeGMSlcN3j4=
-github.com/containers/buildah v1.40.0/go.mod h1:U6qj0nseq6t97T2kkNpjgo0WBVRYIXASIOlS5eWvlhM=
+github.com/containers/buildah v1.40.1 h1:RW+Fbelwblzg1mJfKfyGZPS4Nbc5QtT866fJ9pYFtYo=
+github.com/containers/buildah v1.40.1/go.mod h1:1UCQBc3LZrT4u5R/u7igGgUQxeDlJmn/OyYDQ9mumFk=
 github.com/containers/common v0.63.1 h1:6g02gbW34PaRVH4Heb2Pk11x0SdbQ+8AfeKKeQGqYBE=
 github.com/containers/common v0.63.1/go.mod h1:+3GCotSqNdIqM3sPs152VvW7m5+Mg8Kk+PExT3G9hZw=
 github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
--- a/vendor/github.com/containers/buildah/.cirrus.yml
+++ b/vendor/github.com/containers/buildah/.cirrus.yml
@ -6,7 +6,7 @@ env:
    #### Global variables used for all tasks
    ####
    # Name of the ultimate destination branch for this CI run, PR or post-merge.
-    DEST_BRANCH: "main"
+    DEST_BRANCH: "release-1.40"
    GOPATH: "/var/tmp/go"
    GOSRC: "${GOPATH}/src/github.com/containers/buildah"
    GOCACHE: "/tmp/go-build"
@ -22,18 +22,20 @@ env:
    IN_PODMAN: 'false'
    # root or rootless
    PRIV_NAME: root
+    # default "mention the $BUILDAH_RUNTIME in the task alias, with initial whitespace" value
+    RUNTIME_N: ""

    ####
    #### Cache-image names to test with
    ####
    # GCE project where images live
    IMAGE_PROJECT: "libpod-218412"
-    FEDORA_NAME: "fedora-41"
-    PRIOR_FEDORA_NAME: "fedora-40"
+    FEDORA_NAME: "fedora-42"
+    PRIOR_FEDORA_NAME: "fedora-41"
    DEBIAN_NAME: "debian-13"

    # Image identifiers
-    IMAGE_SUFFIX: "c20250324t111922z-f41f40d13"
+    IMAGE_SUFFIX: "c20250422t130822z-f42f41d13"
    FEDORA_CACHE_IMAGE_NAME: "fedora-${IMAGE_SUFFIX}"
    PRIOR_FEDORA_CACHE_IMAGE_NAME: "prior-fedora-${IMAGE_SUFFIX}"
    DEBIAN_CACHE_IMAGE_NAME: "debian-${IMAGE_SUFFIX}"
@ -122,7 +124,7 @@ vendor_task:

    # Runs within Cirrus's "community cluster"
    container:
-        image: docker.io/library/golang:1.23
+        image: docker.io/library/golang:1.23.3
        cpu: 1
        memory: 1

@ -196,7 +198,7 @@ conformance_task:


 integration_task:
-    name: "Integration $DISTRO_NV w/ $STORAGE_DRIVER"
+    name: "Integration $DISTRO_NV$RUNTIME_N w/ $STORAGE_DRIVER"
    alias: integration
    skip: *not_build_docs
    depends_on: *smoke_vendor
@ -207,11 +209,26 @@ integration_task:
            DISTRO_NV: "${FEDORA_NAME}"
            IMAGE_NAME: "${FEDORA_CACHE_IMAGE_NAME}"
            STORAGE_DRIVER: 'vfs'
-        # Disabled until we update to f41/42 as f40 does not have go 1.22
-        # - env:
-        #     DISTRO_NV: "${PRIOR_FEDORA_NAME}"
-        #     IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}"
-        #     STORAGE_DRIVER: 'vfs'
+            BUILDAH_RUNTIME: crun
+            RUNTIME_N: " using crun"
+        - env:
+            DISTRO_NV: "${FEDORA_NAME}"
+            IMAGE_NAME: "${FEDORA_CACHE_IMAGE_NAME}"
+            STORAGE_DRIVER: 'vfs'
+            BUILDAH_RUNTIME: runc
+            RUNTIME_N: " using runc"
+        - env:
+            DISTRO_NV: "${PRIOR_FEDORA_NAME}"
+            IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}"
+            STORAGE_DRIVER: 'vfs'
+            BUILDAH_RUNTIME: crun
+            RUNTIME_N: " using crun"
+        - env:
+            DISTRO_NV: "${PRIOR_FEDORA_NAME}"
+            IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}"
+            STORAGE_DRIVER: 'vfs'
+            BUILDAH_RUNTIME: runc
+            RUNTIME_N: " using runc"
        - env:
            DISTRO_NV: "${DEBIAN_NAME}"
            IMAGE_NAME: "${DEBIAN_CACHE_IMAGE_NAME}"
@ -221,11 +238,26 @@ integration_task:
            DISTRO_NV: "${FEDORA_NAME}"
            IMAGE_NAME: "${FEDORA_CACHE_IMAGE_NAME}"
            STORAGE_DRIVER: 'overlay'
-        # Disabled until we update to f41/42 as f40 does not have go 1.22
-        # - env:
-        #     DISTRO_NV: "${PRIOR_FEDORA_NAME}"
-        #     IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}"
-        #     STORAGE_DRIVER: 'overlay'
+            BUILDAH_RUNTIME: crun
+            RUNTIME_N: " using crun"
+        - env:
+            DISTRO_NV: "${FEDORA_NAME}"
+            IMAGE_NAME: "${FEDORA_CACHE_IMAGE_NAME}"
+            STORAGE_DRIVER: 'overlay'
+            BUILDAH_RUNTIME: runc
+            RUNTIME_N: " using runc"
+        - env:
+            DISTRO_NV: "${PRIOR_FEDORA_NAME}"
+            IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}"
+            STORAGE_DRIVER: 'overlay'
+            BUILDAH_RUNTIME: crun
+            RUNTIME_N: " using crun"
+        - env:
+            DISTRO_NV: "${PRIOR_FEDORA_NAME}"
+            IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}"
+            STORAGE_DRIVER: 'overlay'
+            BUILDAH_RUNTIME: runc
+            RUNTIME_N: " using runc"
        - env:
            DISTRO_NV: "${DEBIAN_NAME}"
            IMAGE_NAME: "${DEBIAN_CACHE_IMAGE_NAME}"
@ -255,7 +287,7 @@ integration_task:
        golang_version_script: '$GOSRC/$SCRIPT_BASE/logcollector.sh golang'

 integration_rootless_task:
-    name: "Integration rootless $DISTRO_NV w/ $STORAGE_DRIVER"
+    name: "Integration rootless $DISTRO_NV$RUNTIME_N w/ $STORAGE_DRIVER"
    alias: integration_rootless
    skip: *not_build_docs
    depends_on: *smoke_vendor
@ -268,12 +300,29 @@ integration_rootless_task:
            IMAGE_NAME: "${FEDORA_CACHE_IMAGE_NAME}"
            STORAGE_DRIVER: 'overlay'
            PRIV_NAME: rootless
-        # Disabled until we update to f40/41 as f39 does not have go 1.22
-        # - env:
-        #     DISTRO_NV: "${PRIOR_FEDORA_NAME}"
-        #     IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}"
-        #     STORAGE_DRIVER: 'overlay'
-        #     PRIV_NAME: rootless
+            BUILDAH_RUNTIME: runc
+            RUNTIME_N: " using runc"
+        - env:
+            DISTRO_NV: "${FEDORA_NAME}"
+            IMAGE_NAME: "${FEDORA_CACHE_IMAGE_NAME}"
+            STORAGE_DRIVER: 'overlay'
+            PRIV_NAME: rootless
+            BUILDAH_RUNTIME: crun
+            RUNTIME_N: " using crun"
+        - env:
+            DISTRO_NV: "${PRIOR_FEDORA_NAME}"
+            IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}"
+            STORAGE_DRIVER: 'overlay'
+            PRIV_NAME: rootless
+            BUILDAH_RUNTIME: runc
+            RUNTIME_N: " using runc"
+        - env:
+            DISTRO_NV: "${PRIOR_FEDORA_NAME}"
+            IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}"
+            STORAGE_DRIVER: 'overlay'
+            PRIV_NAME: rootless
+            BUILDAH_RUNTIME: crun
+            RUNTIME_N: " using crun"
        - env:
            DISTRO_NV: "${DEBIAN_NAME}"
            IMAGE_NAME: "${DEBIAN_CACHE_IMAGE_NAME}"
--- a/vendor/github.com/containers/buildah/CHANGELOG.md
+++ b/vendor/github.com/containers/buildah/CHANGELOG.md
@ -2,6 +2,16 @@

 # Changelog

+## v1.40.1 (2025-06-04)
+
+    vendor: update c/common to v0.63.1
+    CI: run integration tests on Fedora with both crun and runc
+    buildah-build(1): clarify that --cgroup-parent affects RUN instructions
+    runUsingRuntime: use named constants for runtime states
+    Add a dummy "runtime" that just dumps its config file
+    run: handle relabeling bind mounts ourselves
+    Tweak our handling of variant values, again
+
 ## v1.40.0 (2025-04-17)

    Bump c/storage to v1.58.0, c/image v5.35.0, c/common v0.63.0
--- a/vendor/github.com/containers/buildah/Makefile
+++ b/vendor/github.com/containers/buildah/Makefile
@ -59,7 +59,7 @@ export GOLANGCI_LINT_VERSION := 2.1.0
 #     Note: Uses the -N -l go compiler options to disable compiler optimizations
 #           and inlining. Using these build options allows you to subsequently
 #           use source debugging tools like delve.
-all: bin/buildah bin/imgtype bin/copy bin/inet bin/tutorial docs
+all: bin/buildah bin/imgtype bin/copy bin/inet bin/tutorial bin/dumpspec docs

 # Update nix/nixpkgs.json its latest stable commit
 .PHONY: nixpkgs
@ -107,6 +107,9 @@ bin/buildah.%: $(SOURCES)
 	mkdir -p ./bin
 	GOOS=$(word 2,$(subst ., ,$@)) GOARCH=$(word 3,$(subst ., ,$@)) $(GO_BUILD) $(BUILDAH_LDFLAGS) -o $@ -tags "containers_image_openpgp" ./cmd/buildah

+bin/dumpspec: $(SOURCES)
+	$(GO_BUILD) $(BUILDAH_LDFLAGS) -o $@ $(BUILDFLAGS) ./tests/dumpspec
+
 bin/imgtype: $(SOURCES)
 	$(GO_BUILD) $(BUILDAH_LDFLAGS) -o $@ $(BUILDFLAGS) ./tests/imgtype/imgtype.go

--- a/vendor/github.com/containers/buildah/changelog.txt
+++ b/vendor/github.com/containers/buildah/changelog.txt
@ -1,3 +1,12 @@
+- Changelog for v1.40.1 (2025-06-04)
+  * vendor: update c/common to v0.63.1
+  * CI: run integration tests on Fedora with both crun and runc
+  * buildah-build(1): clarify that --cgroup-parent affects RUN instructions
+  * runUsingRuntime: use named constants for runtime states
+  * Add a dummy "runtime" that just dumps its config file
+  * run: handle relabeling bind mounts ourselves
+  * Tweak our handling of variant values, again
+
 - Changelog for v1.40.0 (2025-04-17)
  * Bump c/storage to v1.58.0, c/image v5.35.0, c/common v0.63.0
  * fix(deps): update module github.com/docker/docker to v28.1.0+incompatible
--- a/vendor/github.com/containers/buildah/chroot/pty_unsupported.go
+++ b/vendor/github.com/containers/buildah/chroot/pty_unsupported.go
@ -1,11 +0,0 @@
-//go:build !linux && !(freebsd && cgo)
-
-package chroot
-
-import (
-	"errors"
-)
-
-func getPtyDescriptors() (int, int, error) {
-	return -1, -1, errors.New("getPtyDescriptors not supported on this platform")
-}
--- a/vendor/github.com/containers/buildah/chroot/run_common.go
+++ b/vendor/github.com/containers/buildah/chroot/run_common.go
@ -18,6 +18,7 @@ import (
 	"syscall"

 	"github.com/containers/buildah/bind"
+	"github.com/containers/buildah/internal/pty"
 	"github.com/containers/buildah/util"
 	"github.com/containers/storage/pkg/ioutils"
 	"github.com/containers/storage/pkg/reexec"
@ -217,7 +218,7 @@ func runUsingChrootMain() {
 	var stderr io.Writer
 	fdDesc := make(map[int]string)
 	if options.Spec.Process.Terminal {
-		ptyMasterFd, ptyFd, err := getPtyDescriptors()
+		ptyMasterFd, ptyFd, err := pty.GetPtyDescriptors()
 		if err != nil {
 			logrus.Errorf("error opening PTY descriptors: %v", err)
 			os.Exit(1)
--- a/vendor/github.com/containers/buildah/config.go
+++ b/vendor/github.com/containers/buildah/config.go
@ -146,18 +146,9 @@ func (b *Builder) fixupConfig(sys *types.SystemContext) {
 	if b.Architecture() == "" {
 		if sys != nil && sys.ArchitectureChoice != "" {
 			b.SetArchitecture(sys.ArchitectureChoice)
-		} else {
-			b.SetArchitecture(currentPlatformSpecification.Architecture)
-		}
-		// in case the arch string we started with was shorthand for a known arch+variant pair, normalize it
-		ps := internalUtil.NormalizePlatform(ociv1.Platform{OS: b.OS(), Architecture: b.Architecture(), Variant: b.Variant()})
-		b.SetArchitecture(ps.Architecture)
-		b.SetVariant(ps.Variant)
-	}
-	if b.Variant() == "" {
-		if sys != nil && sys.VariantChoice != "" {
 			b.SetVariant(sys.VariantChoice)
 		} else {
+			b.SetArchitecture(currentPlatformSpecification.Architecture)
 			b.SetVariant(currentPlatformSpecification.Variant)
 		}
 		// in case the arch string we started with was shorthand for a known arch+variant pair, normalize it
--- a/vendor/github.com/containers/buildah/define/types.go
+++ b/vendor/github.com/containers/buildah/define/types.go
@ -29,7 +29,7 @@ const (
 	// identify working containers.
 	Package = "buildah"
 	// Version for the Package. Also used by .packit.sh for Packit builds.
-	Version = "1.40.0"
+	Version = "1.40.1"

 	// DefaultRuntime if containers.conf fails.
 	DefaultRuntime = "runc"
--- a/vendor/github.com/containers/buildah/internal/pty/pty_posix.go
+++ b/vendor/github.com/containers/buildah/internal/pty/pty_posix.go
@ -1,6 +1,6 @@
 //go:build freebsd && cgo

-package chroot
+package pty

 // #include <fcntl.h>
 // #include <stdlib.h>
@ -37,7 +37,9 @@ func unlockpt(fd int) error {
 	return nil
 }

-func getPtyDescriptors() (int, int, error) {
+// GetPtyDescriptors allocates a new pseudoterminal and returns the control and
+// pseudoterminal file descriptors.
+func GetPtyDescriptors() (int, int, error) {
 	// Create a pseudo-terminal and open the control side
 	controlFd, err := openpt()
 	if err != nil {
--- a/vendor/github.com/containers/buildah/internal/pty/pty_ptmx.go
+++ b/vendor/github.com/containers/buildah/internal/pty/pty_ptmx.go
@ -1,6 +1,6 @@
 //go:build linux

-package chroot
+package pty

 import (
 	"fmt"
@ -11,9 +11,11 @@ import (
 	"golang.org/x/sys/unix"
 )

-// Open a PTY using the /dev/ptmx device. The main advantage of using
-// this instead of posix_openpt is that it avoids cgo.
-func getPtyDescriptors() (int, int, error) {
+// GetPtyDescriptors allocates a new pseudoterminal and returns the control and
+// pseudoterminal file descriptors.  This implementation uses the /dev/ptmx
+// device. The main advantage of using this instead of posix_openpt is that it
+// avoids cgo.
+func GetPtyDescriptors() (int, int, error) {
 	// Create a pseudo-terminal -- open a copy of the master side.
 	controlFd, err := unix.Open("/dev/ptmx", os.O_RDWR, 0o600)
 	if err != nil {
--- a/vendor/github.com/containers/buildah/internal/pty/pty_unsupported.go
+++ b/vendor/github.com/containers/buildah/internal/pty/pty_unsupported.go
@ -0,0 +1,13 @@
+//go:build !linux && !(freebsd && cgo)
+
+package pty
+
+import (
+	"errors"
+)
+
+// GetPtyDescriptors would allocate a new pseudoterminal and return the control and
+// pseudoterminal file descriptors, if only it could.
+func GetPtyDescriptors() (int, int, error) {
+	return -1, -1, errors.New("GetPtyDescriptors not supported on this platform")
+}
--- a/vendor/github.com/containers/buildah/run_common.go
+++ b/vendor/github.com/containers/buildah/run_common.go
@ -696,8 +696,9 @@ func runUsingRuntime(options RunOptions, configureNetwork bool, moreCreateArgs [
 			return 1, fmt.Errorf("parsing container state %q from %s: %w", string(stateOutput), runtime, err)
 		}
 		switch state.Status {
-		case "running":
-		case "stopped":
+		case specs.StateCreating, specs.StateCreated, specs.StateRunning:
+			// all fine
+		case specs.StateStopped:
 			atomic.StoreUint32(&stopped, 1)
 		default:
 			return 1, fmt.Errorf("container status unexpectedly changed to %q", state.Status)
--- a/vendor/github.com/containers/buildah/run_linux.go
+++ b/vendor/github.com/containers/buildah/run_linux.go
@ -543,6 +543,33 @@ rootless=%d

 	defer b.cleanupTempVolumes()

+	// Handle mount flags that request that the source locations for "bind" mountpoints be
+	// relabeled, and filter those flags out of the list of mount options we pass to the
+	// runtime.
+	for i := range spec.Mounts {
+		switch spec.Mounts[i].Type {
+		default:
+			continue
+		case "bind", "rbind":
+			// all good, keep going
+		}
+		zflag := ""
+		for _, opt := range spec.Mounts[i].Options {
+			if opt == "z" || opt == "Z" {
+				zflag = opt
+			}
+		}
+		if zflag == "" {
+			continue
+		}
+		spec.Mounts[i].Options = slices.DeleteFunc(spec.Mounts[i].Options, func(opt string) bool {
+			return opt == "z" || opt == "Z"
+		})
+		if err := relabel(spec.Mounts[i].Source, b.MountLabel, zflag == "z"); err != nil {
+			return fmt.Errorf("setting file label %q on %q: %w", b.MountLabel, spec.Mounts[i].Source, err)
+		}
+	}
+
 	switch isolation {
 	case define.IsolationOCI:
 		var moreCreateArgs []string
@ -1139,16 +1166,19 @@ func (b *Builder) runSetupVolumeMounts(mountLabel string, volumeMounts []string,
 			if err := relabel(host, mountLabel, true); err != nil {
 				return specs.Mount{}, err
 			}
+			options = slices.DeleteFunc(options, func(o string) bool { return o == "z" })
 		}
 		if foundZ {
 			if err := relabel(host, mountLabel, false); err != nil {
 				return specs.Mount{}, err
 			}
+			options = slices.DeleteFunc(options, func(o string) bool { return o == "Z" })
 		}
 		if foundU {
 			if err := chown.ChangeHostPathOwnership(host, true, idMaps.processUID, idMaps.processGID); err != nil {
 				return specs.Mount{}, err
 			}
+			options = slices.DeleteFunc(options, func(o string) bool { return o == "U" })
 		}
 		if foundO {
 			if (upperDir != "" && workDir == "") || (workDir != "" && upperDir == "") {
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@ -110,7 +110,7 @@ github.com/containernetworking/cni/pkg/version
 # github.com/containernetworking/plugins v1.6.2
 ## explicit; go 1.23
 github.com/containernetworking/plugins/pkg/ns
-# github.com/containers/buildah v1.40.0
+# github.com/containers/buildah v1.40.1
 ## explicit; go 1.23.3
 github.com/containers/buildah
 github.com/containers/buildah/bind
@ -125,6 +125,7 @@ github.com/containers/buildah/internal/mkcw
 github.com/containers/buildah/internal/mkcw/types
 github.com/containers/buildah/internal/open
 github.com/containers/buildah/internal/parse
+github.com/containers/buildah/internal/pty
 github.com/containers/buildah/internal/sbom
 github.com/containers/buildah/internal/tmpdir
 github.com/containers/buildah/internal/util