Merge pull request #19079 from containers/renovate/github.com-containers-buildah-1.x

fix(deps): update module github.com/containers/buildah to v1.31.0

go.mod

@@ -12,14 +12,14 @@ require (
 	github.com/container-orchestrated-devices/container-device-interface v0.5.4
 	github.com/containernetworking/cni v1.1.2
 	github.com/containernetworking/plugins v1.3.0
-	github.com/containers/buildah v1.30.1-0.20230627110136-33b7088fec7b
+	github.com/containers/buildah v1.31.0
-	github.com/containers/common v0.54.0
+	github.com/containers/common v0.55.1
 	github.com/containers/conmon v2.0.20+incompatible
-	github.com/containers/image/v5 v5.26.0
+	github.com/containers/image/v5 v5.26.1
 	github.com/containers/libhvee v0.2.0
 	github.com/containers/ocicrypt v1.1.7
 	github.com/containers/psgo v1.8.0
-	github.com/containers/storage v1.47.0
+	github.com/containers/storage v1.48.0
 	github.com/coreos/go-systemd/v22 v22.5.0
 	github.com/coreos/stream-metadata-go v0.4.3
 	github.com/crc-org/vfkit v0.0.5-0.20230602131541-3d57f09010c9

go.sum

@@ -239,14 +239,14 @@ github.com/containernetworking/plugins v0.8.6/go.mod h1:qnw5mN19D8fIwkqW7oHHYDHV
 github.com/containernetworking/plugins v0.9.1/go.mod h1:xP/idU2ldlzN6m4p5LmGiwRDjeJr6FLK6vuiUwoH7P8=
 github.com/containernetworking/plugins v1.3.0 h1:QVNXMT6XloyMUoO2wUOqWTC1hWFV62Q6mVDp5H1HnjM=
 github.com/containernetworking/plugins v1.3.0/go.mod h1:Pc2wcedTQQCVuROOOaLBPPxrEXqqXBFt3cZ+/yVg6l0=
-github.com/containers/buildah v1.30.1-0.20230627110136-33b7088fec7b h1:cTb0Sxu/tIQ9uPIchFmkYs+uOtylhyO+0h2+i3XzisQ=
+github.com/containers/buildah v1.31.0 h1:NgVtEyTsR7e/XLTSJElbInnGPjdDGNHqLKADPHzaUGg=
-github.com/containers/buildah v1.30.1-0.20230627110136-33b7088fec7b/go.mod h1:O2jiDd5+569W8cwqyLnRKiqAHOPTi/Kj+oDlFNsFg24=
+github.com/containers/buildah v1.31.0/go.mod h1:tcgXcGhqw3kw49RapUS7tskEhxKLG4eVFJKA/QzgwNU=
-github.com/containers/common v0.54.0 h1:jJ2QVuliTa/40QxyDe1ZS1U/7BsDea7qdBeZE0VPu3E=
+github.com/containers/common v0.55.1 h1:sOlcIxEYXoR3OSHufew7CuSeOWr7a2jHGYw3r+xKA1k=
-github.com/containers/common v0.54.0/go.mod h1:xbA3bUfth8p2xmqSg01oxHNDRJA71SAVUCqhyEISKic=
+github.com/containers/common v0.55.1/go.mod h1:ZKPllYOZ2xj2rgWRdnHHVvWg6ru4BT28En8mO8DMMPk=
 github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
 github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
-github.com/containers/image/v5 v5.26.0 h1:P9H4+N/7fTTClnFthIWgJU+0LBkhGlW2tCWR+UNG0Vs=
+github.com/containers/image/v5 v5.26.1 h1:8y3xq8GO/6y8FR+nAedHPsAFiAtOrab9qHTBpbqaX8g=
-github.com/containers/image/v5 v5.26.0/go.mod h1:QSW67adLL/B4eYsFPG6TjH5Ye4LiLazPAGWk5oQnUdQ=
+github.com/containers/image/v5 v5.26.1/go.mod h1:IwlOGzTkGnmfirXxt0hZeJlzv1zVukE03WZQ203Z9GA=
 github.com/containers/libhvee v0.2.0 h1:6h7LdSvBt176oIdMXKkgxdoT/IVP+o/gkwgyjWzvEAo=
 github.com/containers/libhvee v0.2.0/go.mod h1:Zr2Qhnl5THW/HQjF1o8HmxXWjvHfJb8fvd0ThTzHMys=
 github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 h1:Qzk5C6cYglewc+UyGf6lc8Mj2UaPTHy/iF2De0/77CA=
@@ -259,8 +259,8 @@ github.com/containers/ocicrypt v1.1.7/go.mod h1:7CAhjcj2H8AYp5YvEie7oVSK2AhBY8Ns
 github.com/containers/psgo v1.8.0 h1:2loGekmGAxM9ir5OsXWEfGwFxorMPYnc6gEDsGFQvhY=
 github.com/containers/psgo v1.8.0/go.mod h1:T8ZxnX3Ur4RvnhxFJ7t8xJ1F48RhiZB4rSrOaR/qGHc=
 github.com/containers/storage v1.43.0/go.mod h1:uZ147thiIFGdVTjMmIw19knttQnUCl3y9zjreHrg11s=
-github.com/containers/storage v1.47.0 h1:Tl/onL8yE/4QABc2kfPDaTSYijk3QrmXGrO21KXkj58=
+github.com/containers/storage v1.48.0 h1:wiPs8J2xiFoOEAhxHDRtP6A90Jzj57VqzLRXOqeizns=
-github.com/containers/storage v1.47.0/go.mod h1:pRp3lkRo2qodb/ltpnudoXggrviRmaCmU5a5GhTBae0=
+github.com/containers/storage v1.48.0/go.mod h1:pRp3lkRo2qodb/ltpnudoXggrviRmaCmU5a5GhTBae0=
 github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
 github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/go-iptables v0.4.5/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU=

vendor/github.com/containers/buildah/.cirrus.yml

@@ -27,12 +27,12 @@ env:
     ####
     # GCE project where images live
     IMAGE_PROJECT: "libpod-218412"
-    FEDORA_NAME: "fedora-37"
+    FEDORA_NAME: "fedora-38"
-    PRIOR_FEDORA_NAME: "fedora-36"
+    PRIOR_FEDORA_NAME: "fedora-37"
-    DEBIAN_NAME: "debian-12"
+    DEBIAN_NAME: "debian-13"
 
     # Image identifiers
-    IMAGE_SUFFIX: "c20230405t152256z-f37f36d12"
+    IMAGE_SUFFIX: "c20230614t132754z-f38f37d13"
     FEDORA_CACHE_IMAGE_NAME: "fedora-${IMAGE_SUFFIX}"
     PRIOR_FEDORA_CACHE_IMAGE_NAME: "prior-fedora-${IMAGE_SUFFIX}"
     DEBIAN_CACHE_IMAGE_NAME: "debian-${IMAGE_SUFFIX}"

vendor/github.com/containers/buildah/CHANGELOG.md

@@ -2,6 +2,92 @@
 
 # Changelog
 
+## v1.31.0 (2023-06-30)
+
+    Bump c/common to 0.55.1 and c/image to 5.26.1
+    Bump c/image to 5.26.0 and c/common to 0.54.0
+    vendor: update c/{common,image,storage} to latest
+    chore: pkg imported more than once
+    buildah: add pasta(1) support
+    use slirp4netns package from c/common
+    update c/common to latest
+    add hostname to /etc/hosts when running with host network
+    vendor: update c/common to latest
+    [CI:BUILD] Packit: add jobs for downstream Fedora package builds
+    fix(deps): update module golang.org/x/sync to v0.3.0
+    fix(deps): update module golang.org/x/crypto to v0.10.0
+    Add smoke tests for encryption CLI helpers
+    fix(deps): update module golang.org/x/term to v0.9.0
+    fix(deps): update module github.com/opencontainers/runtime-spec to v1.1.0-rc.3
+    Remove device mapper support
+    Remove use of deprecated tar.TypeRegA
+    Update tooling to support newer golangci-lint
+    Make cli.EncryptConfig,DecryptConfig, GetFormat public
+    Don't decrypt images by default
+    fix(deps): update module github.com/onsi/gomega to v1.27.8
+    fix(deps): update github.com/containers/storage digest to 3f3fb2f
+    Renovate: Don't touch fragile test stuffs
+    [CI:DOCS] Update comment to remove ambiguity
+    fix(deps): update github.com/containers/image/v5 digest to abe5133
+    fix(deps): update module github.com/sirupsen/logrus to v1.9.3
+    fix(deps): update module github.com/containerd/containerd to v1.7.2
+    Explicitly ref. quay images for CI
+    At startup, log the effective capabilities for debugging
+    parse: use GetTempDir from internal utils
+    GetTmpDir: honor image_copy_tmp_dir from containers.conf
+    docs/Makefile: don't show sed invocations
+    CI: Support testing w/ podman-next COPR packages
+    intermediate-images inherit-label test: make it debuggable
+    fix(deps): update github.com/containers/common digest to 462ccdd
+    Add a warning to `--secret` docs
+    vendor: bump c/storage to v1.46.2-0.20230526114421-55ee2d19292f
+    executor: apply label to only final stage
+    remove registry.centos.org
+    Go back to setting SysProcAttr.Pdeathsig for child processes
+    Fix auth.json path (validated on Fedora 38) wq Signed-off-by: Andreas Mack <andreas.mack@gmail.com>
+    fix(deps): update module github.com/stretchr/testify to v1.8.3
+    CI: fix test broken by renovatebot
+    chore(deps): update quay.io/libpod/testimage docker tag to v20221018
+    fix(deps): update module github.com/onsi/gomega to v1.27.7
+    test: use debian instead of docker.io/library/debian:testing-slim
+    vendor: bump logrus to 1.9.2
+    [skip-ci] Update tim-actions/get-pr-commits action to v1.3.0
+    Revert "Proof of concept: nightly dependency treadmill"
+    fix(deps): update module github.com/sirupsen/logrus to v1.9.1
+    vendor in containers/(common,storage,image)
+    fix(deps): update module github.com/docker/distribution to v2.8.2+incompatible
+    run: drop Pdeathsig
+    chroot: lock thread before setPdeathsig
+    tests: add a case for required=false
+    fix(deps): update module github.com/openshift/imagebuilder to v1.2.5
+    build: validate volumes on backend
+    secret: accept required flag w/o value
+    fix(deps): update module github.com/containerd/containerd to v1.7.1
+    fix(deps): update module golang.org/x/crypto to v0.9.0
+    Update the demos README file to fix minor typos
+    fix(deps): update module golang.org/x/sync to v0.2.0
+    fix(deps): update module golang.org/x/term to v0.8.0
+    manifest, push: use source as destination if not specified
+    run,mount: remove path only if they didnt pre-exist
+    Cirrus: Fix meta task failing to find commit
+    parse: filter edge-case for podman-remote
+    fix(deps): update module github.com/opencontainers/runc to v1.1.7
+    fix(deps): update module github.com/docker/docker to v23.0.5+incompatible
+    build: --platform must accept only arch
+    fix(deps): update module github.com/containers/common to v0.53.0
+    makefile: increase conformance timeout
+    Cap suffixDigitsModulo to a 9-digits suffix.
+    Rename conflict to suffixDigitsModulo
+    fix(deps): update module github.com/opencontainers/runtime-spec to v1.1.0-rc.2
+    fix(deps): update module github.com/opencontainers/runc to v1.1.6
+    chore(deps): update centos docker tag to v8
+    Clarify the need for qemu-user-static package
+    chore(deps): update quay.io/centos/centos docker tag to v8
+    Renovate: Ensure test/tools/go.mod is managed
+    Revert "buildah image should not enable fuse-overlayfs for rootful mode"
+    Bump to v1.31.0-dev
+    parse: add support for relabel bind mount option
+
 ## v1.30.0 (2023-04-06)
 
     fix(deps): update module github.com/opencontainers/runc to v1.1.5

vendor/github.com/containers/buildah/Makefile

@@ -179,7 +179,8 @@ tests/testreport/testreport: tests/testreport/testreport.go
 
 .PHONY: test-unit
 test-unit: tests/testreport/testreport
-	$(GO_TEST) -v -tags "$(STORAGETAGS) $(SECURITYTAGS)" -cover $(RACEFLAGS) $(shell $(GO) list ./... | grep -v vendor | grep -v tests | grep -v cmd) -timeout 45m
+	$(GO_TEST) -v -tags "$(STORAGETAGS) $(SECURITYTAGS)" -cover $(RACEFLAGS) $(shell $(GO) list ./... | grep -v vendor | grep -v tests | grep -v cmd | grep -v chroot | grep -v copier) -timeout 45m
+	$(GO_TEST) -v -tags "$(STORAGETAGS) $(SECURITYTAGS)"        $(RACEFLAGS) ./chroot ./copier -timeout 45m
 	tmp=$(shell mktemp -d) ; \
 	mkdir -p $$tmp/root $$tmp/runroot; \
 	$(GO_TEST) -v -tags "$(STORAGETAGS) $(SECURITYTAGS)" -cover $(RACEFLAGS) ./cmd/buildah -args --root $$tmp/root --runroot $$tmp/runroot --storage-driver vfs --signature-policy $(shell pwd)/tests/policy.json --registries-conf $(shell pwd)/tests/registries.conf

vendor/github.com/containers/buildah/changelog.txt

@@ -1,3 +1,88 @@
+- Changelog for v1.31.0 (2023-06-30)
+  * Bump c/common to 0.55.1 and c/image to 5.26.1
+  * Bump c/image to 5.26.0 and c/common to 0.54.0
+  * vendor: update c/{common,image,storage} to latest
+  * chore: pkg imported more than once
+  * buildah: add pasta(1) support
+  * use slirp4netns package from c/common
+  * update c/common to latest
+  * add hostname to /etc/hosts when running with host network
+  * vendor: update c/common to latest
+  * [CI:BUILD] Packit: add jobs for downstream Fedora package builds
+  * fix(deps): update module golang.org/x/sync to v0.3.0
+  * fix(deps): update module golang.org/x/crypto to v0.10.0
+  * Add smoke tests for encryption CLI helpers
+  * fix(deps): update module golang.org/x/term to v0.9.0
+  * fix(deps): update module github.com/opencontainers/runtime-spec to v1.1.0-rc.3
+  * Remove device mapper support
+  * Remove use of deprecated tar.TypeRegA
+  * Update tooling to support newer golangci-lint
+  * Make cli.EncryptConfig,DecryptConfig, GetFormat public
+  * Don't decrypt images by default
+  * fix(deps): update module github.com/onsi/gomega to v1.27.8
+  * fix(deps): update github.com/containers/storage digest to 3f3fb2f
+  * Renovate: Don't touch fragile test stuffs
+  * [CI:DOCS] Update comment to remove ambiguity
+  * fix(deps): update github.com/containers/image/v5 digest to abe5133
+  * fix(deps): update module github.com/sirupsen/logrus to v1.9.3
+  * fix(deps): update module github.com/containerd/containerd to v1.7.2
+  * Explicitly ref. quay images for CI
+  * At startup, log the effective capabilities for debugging
+  * parse: use GetTempDir from internal utils
+  * GetTmpDir: honor image_copy_tmp_dir from containers.conf
+  * docs/Makefile: don't show sed invocations
+  * CI: Support testing w/ podman-next COPR packages
+  * intermediate-images inherit-label test: make it debuggable
+  * fix(deps): update github.com/containers/common digest to 462ccdd
+  * Add a warning to `--secret` docs
+  * vendor: bump c/storage to v1.46.2-0.20230526114421-55ee2d19292f
+  * executor: apply label to only final stage
+  * remove registry.centos.org
+  * Go back to setting SysProcAttr.Pdeathsig for child processes
+  * Fix auth.json path (validated on Fedora 38) wq Signed-off-by: Andreas Mack <andreas.mack@gmail.com>
+  * fix(deps): update module github.com/stretchr/testify to v1.8.3
+  * CI: fix test broken by renovatebot
+  * chore(deps): update quay.io/libpod/testimage docker tag to v20221018
+  * fix(deps): update module github.com/onsi/gomega to v1.27.7
+  * test: use debian instead of docker.io/library/debian:testing-slim
+  * vendor: bump logrus to 1.9.2
+  * [skip-ci] Update tim-actions/get-pr-commits action to v1.3.0
+  * Revert "Proof of concept: nightly dependency treadmill"
+  * fix(deps): update module github.com/sirupsen/logrus to v1.9.1
+  * vendor in containers/(common,storage,image)
+  * fix(deps): update module github.com/docker/distribution to v2.8.2+incompatible
+  * run: drop Pdeathsig
+  * chroot: lock thread before setPdeathsig
+  * tests: add a case for required=false
+  * fix(deps): update module github.com/openshift/imagebuilder to v1.2.5
+  * build: validate volumes on backend
+  * secret: accept required flag w/o value
+  * fix(deps): update module github.com/containerd/containerd to v1.7.1
+  * fix(deps): update module golang.org/x/crypto to v0.9.0
+  * Update the demos README file to fix minor typos
+  * fix(deps): update module golang.org/x/sync to v0.2.0
+  * fix(deps): update module golang.org/x/term to v0.8.0
+  * manifest, push: use source as destination if not specified
+  * run,mount: remove path only if they didnt pre-exist
+  * Cirrus: Fix meta task failing to find commit
+  * parse: filter edge-case for podman-remote
+  * fix(deps): update module github.com/opencontainers/runc to v1.1.7
+  * fix(deps): update module github.com/docker/docker to v23.0.5+incompatible
+  * build: --platform must accept only arch
+  * fix(deps): update module github.com/containers/common to v0.53.0
+  * makefile: increase conformance timeout
+  * Cap suffixDigitsModulo to a 9-digits suffix.
+  * Rename conflict to suffixDigitsModulo
+  * fix(deps): update module github.com/opencontainers/runtime-spec to v1.1.0-rc.2
+  * fix(deps): update module github.com/opencontainers/runc to v1.1.6
+  * chore(deps): update centos docker tag to v8
+  * Clarify the need for qemu-user-static package
+  * chore(deps): update quay.io/centos/centos docker tag to v8
+  * Renovate: Ensure test/tools/go.mod is managed
+  * Revert "buildah image should not enable fuse-overlayfs for rootful mode"
+  * Bump to v1.31.0-dev
+  * parse: add support for relabel bind mount option
+
 - Changelog for v1.30.0 (2023-04-06)
   * fix(deps): update module github.com/opencontainers/runc to v1.1.5
   * fix(deps): update module github.com/fsouza/go-dockerclient to v1.9.7

vendor/github.com/containers/buildah/define/types.go

@@ -29,7 +29,7 @@ const (
 	// identify working containers.
 	Package = "buildah"
 	// Version for the Package. Also used by .packit.sh for Packit builds.
-	Version = "1.31.0-dev"
+	Version = "1.31.0"
 
 	// DefaultRuntime if containers.conf fails.
 	DefaultRuntime = "runc"

vendor/github.com/containers/buildah/imagebuildah/executor.go

@@ -22,7 +22,6 @@ import (
 	"github.com/containers/common/pkg/config"
 	"github.com/containers/image/v5/docker/reference"
 	"github.com/containers/image/v5/manifest"
-	is "github.com/containers/image/v5/storage"
 	storageTransport "github.com/containers/image/v5/storage"
 	"github.com/containers/image/v5/transports"
 	"github.com/containers/image/v5/transports/alltransports"
@@ -424,7 +423,7 @@ func (b *Executor) getImageTypeAndHistoryAndDiffIDs(ctx context.Context, imageID
 	if ok {
 		return imageInfo.manifestType, imageInfo.history, imageInfo.diffIDs, imageInfo.err
 	}
-	imageRef, err := is.Transport.ParseStoreReference(b.store, "@"+imageID)
+	imageRef, err := storageTransport.Transport.ParseStoreReference(b.store, "@"+imageID)
 	if err != nil {
 		return "", nil, nil, fmt.Errorf("getting image reference %q: %w", imageID, err)
 	}
@@ -992,8 +991,8 @@ func (b *Executor) Build(ctx context.Context, stages imagebuilder.Stages) (image
 	// Add additional tags and print image names recorded in storage
 	if dest, err := b.resolveNameToImageRef(b.output); err == nil {
 		switch dest.Transport().Name() {
-		case is.Transport.Name():
+		case storageTransport.Transport.Name():
-			img, err := is.Transport.GetStoreImage(b.store, dest)
+			img, err := storageTransport.Transport.GetStoreImage(b.store, dest)
 			if err != nil {
 				return imageID, ref, fmt.Errorf("locating just-written image %q: %w", transports.ImageName(dest), err)
 			}
@@ -1004,7 +1003,7 @@ func (b *Executor) Build(ctx context.Context, stages imagebuilder.Stages) (image
 				logrus.Debugf("assigned names %v to image %q", img.Names, img.ID)
 			}
 			// Report back the caller the tags applied, if any.
-			img, err = is.Transport.GetStoreImage(b.store, dest)
+			img, err = storageTransport.Transport.GetStoreImage(b.store, dest)
 			if err != nil {
 				return imageID, ref, fmt.Errorf("locating just-written image %q: %w", transports.ImageName(dest), err)
 			}

vendor/github.com/containers/buildah/run.go

@@ -10,7 +10,6 @@ import (
 	"github.com/containers/image/v5/types"
 	"github.com/containers/storage/pkg/lockfile"
 	"github.com/opencontainers/runtime-spec/specs-go"
-	spec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/sirupsen/logrus"
 )
 
@@ -199,8 +198,8 @@ type runMountInfo struct {
 
 // IDMaps are the UIDs, GID, and maps for the run
 type IDMaps struct {
-	uidmap     []spec.LinuxIDMapping
+	uidmap     []specs.LinuxIDMapping
-	gidmap     []spec.LinuxIDMapping
+	gidmap     []specs.LinuxIDMapping
 	rootUID    int
 	rootGID    int
 	processUID int

vendor/github.com/containers/buildah/run_common.go

@@ -48,7 +48,6 @@ import (
 	storageTypes "github.com/containers/storage/types"
 	"github.com/opencontainers/go-digest"
 	"github.com/opencontainers/runtime-spec/specs-go"
-	spec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/runtime-tools/generate"
 	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/sirupsen/logrus"
@@ -118,7 +117,7 @@ func (b *Builder) addResolvConf(rdir string, chownOpts *idtools.IDPair, dnsServe
 }
 
 // generateHosts creates a containers hosts file
-func (b *Builder) generateHosts(rdir string, chownOpts *idtools.IDPair, imageRoot string, spec *spec.Spec) (string, error) {
+func (b *Builder) generateHosts(rdir string, chownOpts *idtools.IDPair, imageRoot string, spec *specs.Spec) (string, error) {
 	conf, err := config.Default()
 	if err != nil {
 		return "", err
@@ -1468,7 +1467,7 @@ func runSetupBuiltinVolumes(mountLabel, mountPoint, containerDir string, builtin
 }
 
 // Destinations which can be cleaned up after every RUN
-func cleanableDestinationListFromMounts(mounts []spec.Mount) []string {
+func cleanableDestinationListFromMounts(mounts []specs.Mount) []string {
 	mountDest := []string{}
 	for _, mount := range mounts {
 		// Add all destination to mountArtifacts so that they can be cleaned up later
@@ -1509,7 +1508,7 @@ func checkIfMountDestinationPreExists(root string, dest string) (bool, error) {
 // runSetupRunMounts sets up mounts that exist only in this RUN, not in subsequent runs
 //
 // If this function succeeds, the caller must unlock runMountArtifacts.TargetLocks (when??)
-func (b *Builder) runSetupRunMounts(mountPoint string, mounts []string, sources runMountInfo, idMaps IDMaps) ([]spec.Mount, *runMountArtifacts, error) {
+func (b *Builder) runSetupRunMounts(mountPoint string, mounts []string, sources runMountInfo, idMaps IDMaps) ([]specs.Mount, *runMountArtifacts, error) {
 	// If `type` is not set default to TypeBind
 	mountType := define.TypeBind
 	mountTargets := make([]string, 0, 10)
@@ -1527,7 +1526,7 @@ func (b *Builder) runSetupRunMounts(mountPoint string, mounts []string, sources
 		}
 	}()
 	for _, mount := range mounts {
-		var mountSpec *spec.Mount
+		var mountSpec *specs.Mount
 		var err error
 		var envFile, image string
 		var agent *sshagent.AgentServer
@@ -1622,7 +1621,7 @@ func (b *Builder) runSetupRunMounts(mountPoint string, mounts []string, sources
 	return finalMounts, artifacts, nil
 }
 
-func (b *Builder) getBindMount(tokens []string, context *imageTypes.SystemContext, contextDir string, stageMountPoints map[string]internal.StageMountDetails, idMaps IDMaps, workDir string) (*spec.Mount, string, error) {
+func (b *Builder) getBindMount(tokens []string, context *imageTypes.SystemContext, contextDir string, stageMountPoints map[string]internal.StageMountDetails, idMaps IDMaps, workDir string) (*specs.Mount, string, error) {
 	if contextDir == "" {
 		return nil, "", errors.New("Context Directory for current run invocation is not configured")
 	}
@@ -1639,7 +1638,7 @@ func (b *Builder) getBindMount(tokens []string, context *imageTypes.SystemContex
 	return &volumes[0], image, nil
 }
 
-func (b *Builder) getTmpfsMount(tokens []string, idMaps IDMaps) (*spec.Mount, error) {
+func (b *Builder) getTmpfsMount(tokens []string, idMaps IDMaps) (*specs.Mount, error) {
 	var optionMounts []specs.Mount
 	mount, err := internalParse.GetTmpfsMount(tokens)
 	if err != nil {
@@ -1653,7 +1652,7 @@ func (b *Builder) getTmpfsMount(tokens []string, idMaps IDMaps) (*spec.Mount, er
 	return &volumes[0], nil
 }
 
-func (b *Builder) getSecretMount(tokens []string, secrets map[string]define.Secret, idMaps IDMaps, workdir string) (*spec.Mount, string, error) {
+func (b *Builder) getSecretMount(tokens []string, secrets map[string]define.Secret, idMaps IDMaps, workdir string) (*specs.Mount, string, error) {
 	errInvalidSyntax := errors.New("secret should have syntax id=id[,target=path,required=bool,mode=uint,uid=uint,gid=uint")
 	if len(tokens) == 0 {
 		return nil, "", errInvalidSyntax
@@ -1781,7 +1780,7 @@ func (b *Builder) getSecretMount(tokens []string, secrets map[string]define.Secr
 }
 
 // getSSHMount parses the --mount type=ssh flag in the Containerfile, checks if there's an ssh source provided, and creates and starts an ssh-agent to be forwarded into the container
-func (b *Builder) getSSHMount(tokens []string, count int, sshsources map[string]*sshagent.Source, idMaps IDMaps) (*spec.Mount, *sshagent.AgentServer, error) {
+func (b *Builder) getSSHMount(tokens []string, count int, sshsources map[string]*sshagent.Source, idMaps IDMaps) (*specs.Mount, *sshagent.AgentServer, error) {
 	errInvalidSyntax := errors.New("ssh should have syntax id=id[,target=path,required=bool,mode=uint,uid=uint,gid=uint")
 
 	var err error

vendor/github.com/containers/buildah/run_linux.go

@@ -40,7 +40,6 @@ import (
 	"github.com/containers/storage/pkg/unshare"
 	"github.com/docker/go-units"
 	"github.com/opencontainers/runtime-spec/specs-go"
-	spec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/runtime-tools/generate"
 	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/sirupsen/logrus"
@@ -157,7 +156,7 @@ func (b *Builder) Run(command []string, options RunOptions) error {
 		for _, m := range g.Mounts() {
 			mounts[m.Destination] = true
 		}
-		newMounts := []spec.Mount{}
+		newMounts := []specs.Mount{}
 		for _, d := range b.Devices {
 			// Default permission is read-only.
 			perm := "ro"
@@ -166,7 +165,7 @@ func (b *Builder) Run(command []string, options RunOptions) error {
 			if strings.Contains(string(d.Rule.Permissions), "w") {
 				perm = "rw"
 			}
-			devMnt := spec.Mount{
+			devMnt := specs.Mount{
 				Destination: d.Destination,
 				Type:        parse.TypeBind,
 				Source:      d.Source,
@@ -185,7 +184,7 @@ func (b *Builder) Run(command []string, options RunOptions) error {
 		g.Config.Mounts = append(newMounts, g.Config.Mounts...)
 	} else {
 		for _, d := range b.Devices {
-			sDev := spec.LinuxDevice{
+			sDev := specs.LinuxDevice{
 				Type:     string(d.Type),
 				Path:     d.Path,
 				Major:    d.Major,
@@ -380,8 +379,8 @@ rootless=%d
 	return err
 }
 
-func (b *Builder) setupOCIHooks(config *spec.Spec, hasVolumes bool) (map[string][]spec.Hook, error) {
+func (b *Builder) setupOCIHooks(config *specs.Spec, hasVolumes bool) (map[string][]specs.Hook, error) {
-	allHooks := make(map[string][]spec.Hook)
+	allHooks := make(map[string][]specs.Hook)
 	if len(b.CommonBuildOpts.OCIHooksDir) == 0 {
 		if unshare.IsRootless() {
 			return nil, nil
@@ -472,17 +471,13 @@ func addCommonOptsToSpec(commonOpts *define.CommonBuildOptions, g *generate.Gene
 	return nil
 }
 
-func setupSlirp4netnsNetwork(netns, cid string, options []string) (func(), map[string]nettypes.StatusBlock, error) {
+func setupSlirp4netnsNetwork(config *config.Config, netns, cid string, options []string) (func(), map[string]nettypes.StatusBlock, error) {
-	defConfig, err := config.Default()
-	if err != nil {
-		return nil, nil, fmt.Errorf("failed to get container config: %w", err)
-	}
 	// we need the TmpDir for the slirp4netns code
-	if err := os.MkdirAll(defConfig.Engine.TmpDir, 0o751); err != nil {
+	if err := os.MkdirAll(config.Engine.TmpDir, 0o751); err != nil {
 		return nil, nil, fmt.Errorf("failed to create tempdir: %w", err)
 	}
 	res, err := slirp4netns.Setup(&slirp4netns.SetupOptions{
-		Config:       defConfig,
+		Config:       config,
 		ContainerID:  cid,
 		Netns:        netns,
 		ExtraOptions: options,
@@ -519,14 +514,9 @@ func setupSlirp4netnsNetwork(netns, cid string, options []string) (func(), map[s
 	}, netStatus, nil
 }
 
-func setupPasta(netns string, options []string) (func(), map[string]nettypes.StatusBlock, error) {
+func setupPasta(config *config.Config, netns string, options []string) (func(), map[string]nettypes.StatusBlock, error) {
-	defConfig, err := config.Default()
+	err := pasta.Setup(&pasta.SetupOptions{
-	if err != nil {
+		Config:       config,
-		return nil, nil, fmt.Errorf("failed to get container config: %w", err)
-	}
-
-	err = pasta.Setup(&pasta.SetupOptions{
-		Config:       defConfig,
 		Netns:        netns,
 		ExtraOptions: options,
 	})
@@ -565,18 +555,33 @@ func setupPasta(netns string, options []string) (func(), map[string]nettypes.Sta
 func (b *Builder) runConfigureNetwork(pid int, isolation define.Isolation, options RunOptions, network, containerName string) (teardown func(), netStatus map[string]nettypes.StatusBlock, err error) {
 	netns := fmt.Sprintf("/proc/%d/ns/net", pid)
 	var configureNetworks []string
+	defConfig, err := config.Default()
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to get container config: %w", err)
+	}
 
 	name, networkOpts, hasOpts := strings.Cut(network, ":")
 	var netOpts []string
 	if hasOpts {
 		netOpts = strings.Split(networkOpts, ",")
 	}
+	if isolation == IsolationOCIRootless && name == "" {
+		switch defConfig.Network.DefaultRootlessNetworkCmd {
+		case slirp4netns.BinaryName, "":
+			name = slirp4netns.BinaryName
+		case pasta.BinaryName:
+			name = pasta.BinaryName
+		default:
+			return nil, nil, fmt.Errorf("invalid default_rootless_network_cmd option %q",
+				defConfig.Network.DefaultRootlessNetworkCmd)
+		}
+	}
+
 	switch {
-	case name == slirp4netns.BinaryName,
+	case name == slirp4netns.BinaryName:
-		isolation == IsolationOCIRootless && name == "":
+		return setupSlirp4netnsNetwork(defConfig, netns, containerName, netOpts)
-		return setupSlirp4netnsNetwork(netns, containerName, netOpts)
 	case name == pasta.BinaryName:
-		return setupPasta(netns, netOpts)
+		return setupPasta(defConfig, netns, netOpts)
 
 	// Basically default case except we make sure to not split an empty
 	// name as this would return a slice with one empty string which is
@@ -1107,7 +1112,7 @@ func setupCapabilities(g *generate.Generator, defaultCapabilities, adds, drops [
 	return setupCapDrop(g, drops...)
 }
 
-func addOrReplaceMount(mounts []specs.Mount, mount specs.Mount) []spec.Mount {
+func addOrReplaceMount(mounts []specs.Mount, mount specs.Mount) []specs.Mount {
 	for i := range mounts {
 		if mounts[i].Destination == mount.Destination {
 			mounts[i] = mount
@@ -1120,7 +1125,7 @@ func addOrReplaceMount(mounts []specs.Mount, mount specs.Mount) []spec.Mount {
 // setupSpecialMountSpecChanges creates special mounts for depending on the namespaces
 // logic taken from podman and adapted for buildah
 // https://github.com/containers/podman/blob/4ba71f955a944790edda6e007e6d074009d437a7/pkg/specgen/generate/oci.go#L178
-func setupSpecialMountSpecChanges(spec *spec.Spec, shmSize string) ([]specs.Mount, error) {
+func setupSpecialMountSpecChanges(spec *specs.Spec, shmSize string) ([]specs.Mount, error) {
 	mounts := spec.Mounts
 	isRootless := unshare.IsRootless()
 	isNewUserns := false
@@ -1236,7 +1241,7 @@ func setupSpecialMountSpecChanges(spec *spec.Spec, shmSize string) ([]specs.Moun
 	return mounts, nil
 }
 
-func checkIdsGreaterThan5(ids []spec.LinuxIDMapping) bool {
+func checkIdsGreaterThan5(ids []specs.LinuxIDMapping) bool {
 	for _, r := range ids {
 		if r.ContainerID <= 5 && 5 < r.ContainerID+r.Size {
 			return true
@@ -1246,7 +1251,7 @@ func checkIdsGreaterThan5(ids []spec.LinuxIDMapping) bool {
 }
 
 // If this function succeeds and returns a non-nil *lockfile.LockFile, the caller must unlock it (when??).
-func (b *Builder) getCacheMount(tokens []string, stageMountPoints map[string]internal.StageMountDetails, idMaps IDMaps, workDir string) (*spec.Mount, *lockfile.LockFile, error) {
+func (b *Builder) getCacheMount(tokens []string, stageMountPoints map[string]internal.StageMountDetails, idMaps IDMaps, workDir string) (*specs.Mount, *lockfile.LockFile, error) {
 	var optionMounts []specs.Mount
 	mount, targetLock, err := internalParse.GetCacheMount(tokens, b.store, b.MountLabel, stageMountPoints, workDir)
 	if err != nil {

vendor/github.com/containers/common/pkg/secrets/secrets.go

@@ -50,7 +50,7 @@ var errDataSize = errors.New("secret data must be larger than 0 and less than 51
 var secretsFile = "secrets.json"
 
 // secretNameRegexp matches valid secret names
-// Allowed: 64 [a-zA-Z0-9-_.] characters, and the start and end character must be [a-zA-Z0-9]
+// Allowed: 253 [a-zA-Z0-9-_.] characters, and the start and end character must be [a-zA-Z0-9]
 var secretNameRegexp = regexp.Delayed(`^[a-zA-Z0-9][a-zA-Z0-9_.-]*$`)
 
 // SecretsManager holds information on handling secrets
@@ -144,12 +144,7 @@ func NewManager(rootPath string) (*SecretsManager, error) {
 	return manager, nil
 }
 
-func (s *SecretsManager) newSecret(name string) (*Secret, error) {
+func (s *SecretsManager) newID() (string, error) {
-	secr := new(Secret)
-	secr.Name = name
-	secr.CreatedAt = time.Now()
-	secr.UpdatedAt = secr.CreatedAt
-
 	for {
 		newID := stringid.GenerateNonCryptoID()
 		// GenerateNonCryptoID() gives 64 characters, so we truncate to correct length
@@ -157,13 +152,11 @@ func (s *SecretsManager) newSecret(name string) (*Secret, error) {
 		_, err := s.lookupSecret(newID)
 		if err != nil {
 			if errors.Is(err, ErrNoSuchSecret) {
-				secr.ID = newID
+				return newID, nil
-				break
 			}
-			return nil, err
+			return "", err
 		}
 	}
-	return secr, nil
 }
 
 // Store takes a name, creates a secret and stores the secret metadata and the secret payload.
@@ -197,13 +190,10 @@ func (s *SecretsManager) Store(name string, data []byte, driverType string, opti
 		}
 		secr.UpdatedAt = time.Now()
 	} else {
-		if options.Replace {
+		secr = new(Secret)
-			return "", fmt.Errorf("%s: %w", name, ErrNoSuchSecret)
+		secr.Name = name
-		}
+		secr.CreatedAt = time.Now()
-		secr, err = s.newSecret(name)
+		secr.UpdatedAt = secr.CreatedAt
-		if err != nil {
-			return "", err
-		}
 	}
 
 	if options.Metadata == nil {
@@ -225,6 +215,7 @@ func (s *SecretsManager) Store(name string, data []byte, driverType string, opti
 	if err != nil {
 		return "", err
 	}
+
 	if options.Replace {
 		err = driver.Delete(secr.ID)
 		if err != nil {
@@ -232,6 +223,11 @@ func (s *SecretsManager) Store(name string, data []byte, driverType string, opti
 		}
 	}
 
+	secr.ID, err = s.newID()
+	if err != nil {
+		return "", err
+	}
+
 	err = driver.Store(secr.ID, data)
 	if err != nil {
 		return "", fmt.Errorf("creating secret %s: %w", name, err)
@@ -326,8 +322,8 @@ func (s *SecretsManager) LookupSecretData(nameOrID string) (*Secret, []byte, err
 
 // validateSecretName checks if the secret name is valid.
 func validateSecretName(name string) error {
-	if !secretNameRegexp.MatchString(name) || len(name) > 64 || strings.HasSuffix(name, "-") || strings.HasSuffix(name, ".") {
+	if !secretNameRegexp.MatchString(name) || len(name) > 253 || strings.HasSuffix(name, "-") || strings.HasSuffix(name, ".") {
-		return fmt.Errorf("only 64 [a-zA-Z0-9-_.] characters allowed, and the start and end character must be [a-zA-Z0-9]: %s: %w", name, errInvalidSecretName)
+		return fmt.Errorf("only 253 [a-zA-Z0-9-_.] characters allowed, and the start and end character must be [a-zA-Z0-9]: %s: %w", name, errInvalidSecretName)
 	}
 	return nil
 }

vendor/github.com/containers/common/pkg/servicereaper/service.go

@@ -1,5 +1,5 @@
-//go:build linux
+//go:build linux || freebsd
-// +build linux
+// +build linux freebsd
 
 package servicereaper
 

vendor/github.com/containers/common/version/version.go

@@ -1,4 +1,4 @@
 package version
 
 // Version is the version of the build.
-const Version = "0.54.0"
+const Version = "0.55.1"

vendor/github.com/containers/image/v5/version/version.go

@@ -8,7 +8,7 @@ const (
 	// VersionMinor is for functionality in a backwards-compatible manner
 	VersionMinor = 26
 	// VersionPatch is for backwards-compatible bug fixes
-	VersionPatch = 0
+	VersionPatch = 1
 
 	// VersionDev indicates development branch. Releases will be empty string.
 	VersionDev = ""

vendor/github.com/containers/storage/VERSION

@@ -1 +1 @@
-1.47.0
+1.48.0

vendor/github.com/containers/storage/pkg/archive/archive.go

@@ -131,16 +131,6 @@ const (
 	OverlayWhiteoutFormat
 )
 
-const (
-	modeISDIR  = 0o40000  // Directory
-	modeISFIFO = 0o10000  // FIFO
-	modeISREG  = 0o100000 // Regular file
-	modeISLNK  = 0o120000 // Symbolic link
-	modeISBLK  = 0o60000  // Block special file
-	modeISCHR  = 0o20000  // Character special file
-	modeISSOCK = 0o140000 // Socket
-)
-
 // IsArchivePath checks if the (possibly compressed) file at the given path
 // starts with a tar file header.
 func IsArchivePath(path string) bool {
@@ -358,7 +348,7 @@ func FileInfoHeader(name string, fi os.FileInfo, link string) (*tar.Header, erro
 	if err != nil {
 		return nil, err
 	}
-	hdr.Mode = fillGo18FileTypeBits(int64(chmodTarEntry(os.FileMode(hdr.Mode))), fi)
+	hdr.Mode = int64(chmodTarEntry(os.FileMode(hdr.Mode)))
 	name, err = canonicalTarName(name, fi.IsDir())
 	if err != nil {
 		return nil, fmt.Errorf("tar: cannot canonicalize path: %w", err)
@@ -370,31 +360,6 @@ func FileInfoHeader(name string, fi os.FileInfo, link string) (*tar.Header, erro
 	return hdr, nil
 }
 
-// fillGo18FileTypeBits fills type bits which have been removed on Go 1.9 archive/tar
-// https://github.com/golang/go/commit/66b5a2f
-func fillGo18FileTypeBits(mode int64, fi os.FileInfo) int64 {
-	fm := fi.Mode()
-	switch {
-	case fm.IsRegular():
-		mode |= modeISREG
-	case fi.IsDir():
-		mode |= modeISDIR
-	case fm&os.ModeSymlink != 0:
-		mode |= modeISLNK
-	case fm&os.ModeDevice != 0:
-		if fm&os.ModeCharDevice != 0 {
-			mode |= modeISCHR
-		} else {
-			mode |= modeISBLK
-		}
-	case fm&os.ModeNamedPipe != 0:
-		mode |= modeISFIFO
-	case fm&os.ModeSocket != 0:
-		mode |= modeISSOCK
-	}
-	return mode
-}
-
 // ReadSecurityXattrToTarHeader reads security.capability, security,image
 // xattrs from filesystem to a tar header
 func ReadSecurityXattrToTarHeader(path string, hdr *tar.Header) error {

vendor/github.com/containers/storage/pkg/regexp/regexp.go

@@ -10,7 +10,9 @@ import (
 // used as global variables. Using this structure helps speed the startup time
 // of apps that want to use global regex variables. This library initializes them on
 // first use as opposed to the start of the executable.
-type Regexp = *regexpStruct
+type Regexp struct {
+	*regexpStruct
+}
 
 type regexpStruct struct {
 	_      noCopy
@@ -26,7 +28,7 @@ func Delayed(val string) Regexp {
 	if precompile {
 		re.regexp = regexp.MustCompile(re.val)
 	}
-	return re
+	return Regexp{re}
 }
 
 func (re *regexpStruct) compile() {

vendor/github.com/containers/storage/pkg/unshare/unshare_freebsd.go

@@ -59,7 +59,7 @@ func (c *Cmd) Start() error {
 	if err != nil {
 		pidRead.Close()
 		pidWrite.Close()
-		return fmt.Errorf("creating pid pipe: %w", err)
+		return fmt.Errorf("creating continue read/write pipe: %w", err)
 	}
 	c.Env = append(c.Env, fmt.Sprintf("_Containers-continue-pipe=%d", len(c.ExtraFiles)+3))
 	c.ExtraFiles = append(c.ExtraFiles, continueRead)

vendor/github.com/containers/storage/pkg/unshare/unshare_linux.go

@@ -129,7 +129,7 @@ func (c *Cmd) Start() error {
 	if err != nil {
 		pidRead.Close()
 		pidWrite.Close()
-		return fmt.Errorf("creating pid pipe: %w", err)
+		return fmt.Errorf("creating continue read/write pipe: %w", err)
 	}
 	c.Env = append(c.Env, fmt.Sprintf("_Containers-continue-pipe=%d", len(c.ExtraFiles)+3))
 	c.ExtraFiles = append(c.ExtraFiles, continueRead)

vendor/modules.txt

@@ -105,7 +105,7 @@ github.com/containernetworking/cni/pkg/version
 # github.com/containernetworking/plugins v1.3.0
 ## explicit; go 1.20
 github.com/containernetworking/plugins/pkg/ns
-# github.com/containers/buildah v1.30.1-0.20230627110136-33b7088fec7b
+# github.com/containers/buildah v1.31.0
 ## explicit; go 1.18
 github.com/containers/buildah
 github.com/containers/buildah/bind
@@ -128,7 +128,7 @@ github.com/containers/buildah/pkg/rusage
 github.com/containers/buildah/pkg/sshagent
 github.com/containers/buildah/pkg/util
 github.com/containers/buildah/util
-# github.com/containers/common v0.54.0
+# github.com/containers/common v0.55.1
 ## explicit; go 1.18
 github.com/containers/common/libimage
 github.com/containers/common/libimage/define
@@ -186,7 +186,7 @@ github.com/containers/common/version
 # github.com/containers/conmon v2.0.20+incompatible
 ## explicit
 github.com/containers/conmon/runner/config
-# github.com/containers/image/v5 v5.26.0
+# github.com/containers/image/v5 v5.26.1
 ## explicit; go 1.18
 github.com/containers/image/v5/copy
 github.com/containers/image/v5/directory
@@ -293,7 +293,7 @@ github.com/containers/psgo/internal/dev
 github.com/containers/psgo/internal/host
 github.com/containers/psgo/internal/proc
 github.com/containers/psgo/internal/process
-# github.com/containers/storage v1.47.0
+# github.com/containers/storage v1.48.0
 ## explicit; go 1.19
 github.com/containers/storage
 github.com/containers/storage/drivers