new "image" mount type

Add a new "image" mount type to `--mount`.  The source of the mount is
the name or ID of an image.  The destination is the path inside the
container.  Image mounts further support an optional `rw,readwrite`
parameter which if set to "true" will yield the mount writable inside
the container.  Note that no changes are propagated to the image mount
on the host (which in any case is read only).

Mounts are overlay mounts.  To support read-only overlay mounts, vendor
a non-release version of Buildah.

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>

pkg/specgen/specgen.go

@@ -214,6 +214,9 @@ type ContainerStorageConfig struct {
 	// Overlay volumes are named volumes that will be added to the container.
 	// Optional.
 	OverlayVolumes []*OverlayVolume `json:"overlay_volumes,omitempty"`
+	// Image volumes bind-mount a container-image mount into the container.
+	// Optional.
+	ImageVolumes []*ImageVolume `json:"image_volumes,omitempty"`
 	// Devices are devices that will be added to the container.
 	// Optional.
 	Devices []spec.LinuxDevice `json:"devices,omitempty"`
@@ -476,6 +479,19 @@ type OverlayVolume struct {
 	Source string `json:"source,omitempty"`
 }
 
+// ImageVolume is a volume based on a container image.  The container image is
+// first mounted on the host and is then bind-mounted into the container.  An
+// ImageVolume is always mounted read only.
+type ImageVolume struct {
+	// Source is the source of the image volume.  The image can be referred
+	// to by name and by ID.
+	Source string
+	// Destination is the absolute path of the mount in the container.
+	Destination string
+	// ReadWrite sets the volume writable.
+	ReadWrite bool
+}
+
 // PortMapping is one or more ports that will be mapped into the container.
 type PortMapping struct {
 	// HostIP is the IP that we will bind to on the host.