new "image" mount type

Add a new "image" mount type to `--mount`.  The source of the mount is
the name or ID of an image.  The destination is the path inside the
container.  Image mounts further support an optional `rw,readwrite`
parameter which if set to "true" will yield the mount writable inside
the container.  Note that no changes are propagated to the image mount
on the host (which in any case is read only).

Mounts are overlay mounts.  To support read-only overlay mounts, vendor
a non-release version of Buildah.

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>

vendor/github.com/containers/buildah/commit.go

@@ -167,17 +167,17 @@ var (
 // variable, if it's set.  The contents are expected to be a JSON-encoded
 // github.com/openshift/api/config/v1.Image, set by an OpenShift build
 // controller that arranged for us to be run in a container.
-func checkRegistrySourcesAllows(forWhat string, dest types.ImageReference) error {
+func checkRegistrySourcesAllows(forWhat string, dest types.ImageReference) (insecure bool, err error) {
 	transport := dest.Transport()
 	if transport == nil {
-		return nil
+		return false, nil
 	}
 	if transport.Name() != docker.Transport.Name() {
-		return nil
+		return false, nil
 	}
 	dref := dest.DockerReference()
 	if dref == nil || reference.Domain(dref) == "" {
-		return nil
+		return false, nil
 	}
 
 	if registrySources, ok := os.LookupEnv("BUILD_REGISTRY_SOURCES"); ok && len(registrySources) > 0 {
@@ -188,7 +188,7 @@ func checkRegistrySourcesAllows(forWhat string, dest types.ImageReference) error
 			AllowedRegistries  []string `json:"allowedRegistries,omitempty"`
 		}
 		if err := json.Unmarshal([]byte(registrySources), &sources); err != nil {
-			return errors.Wrapf(err, "error parsing $BUILD_REGISTRY_SOURCES (%q) as JSON", registrySources)
+			return false, errors.Wrapf(err, "error parsing $BUILD_REGISTRY_SOURCES (%q) as JSON", registrySources)
 		}
 		blocked := false
 		if len(sources.BlockedRegistries) > 0 {
@@ -199,7 +199,7 @@ func checkRegistrySourcesAllows(forWhat string, dest types.ImageReference) error
 			}
 		}
 		if blocked {
-			return errors.Errorf("%s registry at %q denied by policy: it is in the blocked registries list", forWhat, reference.Domain(dref))
+			return false, errors.Errorf("%s registry at %q denied by policy: it is in the blocked registries list", forWhat, reference.Domain(dref))
 		}
 		allowed := true
 		if len(sources.AllowedRegistries) > 0 {
@@ -211,10 +211,13 @@ func checkRegistrySourcesAllows(forWhat string, dest types.ImageReference) error
 			}
 		}
 		if !allowed {
-			return errors.Errorf("%s registry at %q denied by policy: not in allowed registries list", forWhat, reference.Domain(dref))
+			return false, errors.Errorf("%s registry at %q denied by policy: not in allowed registries list", forWhat, reference.Domain(dref))
+		}
+		if len(sources.InsecureRegistries) > 0 {
+			return true, nil
 		}
 	}
-	return nil
+	return false, nil
 }
 
 // Commit writes the contents of the container, along with its updated
@@ -278,9 +281,18 @@ func (b *Builder) Commit(ctx context.Context, dest types.ImageReference, options
 	}()
 
 	// Check if the commit is blocked by $BUILDER_REGISTRY_SOURCES.
-	if err := checkRegistrySourcesAllows("commit to", dest); err != nil {
+	insecure, err := checkRegistrySourcesAllows("commit to", dest)
+	if err != nil {
 		return imgID, nil, "", err
 	}
+	if insecure {
+		if systemContext.DockerInsecureSkipTLSVerify == types.OptionalBoolFalse {
+			return imgID, nil, "", errors.Errorf("can't require tls verification on an insecured registry")
+		}
+		systemContext.DockerInsecureSkipTLSVerify = types.OptionalBoolTrue
+		systemContext.OCIInsecureSkipTLSVerify = true
+		systemContext.DockerDaemonInsecureSkipTLSVerify = true
+	}
 	if len(options.AdditionalTags) > 0 {
 		names, err := util.ExpandNames(options.AdditionalTags, "", systemContext, b.store)
 		if err != nil {
@@ -291,9 +303,18 @@ func (b *Builder) Commit(ctx context.Context, dest types.ImageReference, options
 			if err != nil {
 				return imgID, nil, "", errors.Wrapf(err, "error parsing image name %q as an image reference", name)
 			}
-			if err := checkRegistrySourcesAllows("commit to", additionalDest); err != nil {
+			insecure, err := checkRegistrySourcesAllows("commit to", additionalDest)
+			if err != nil {
 				return imgID, nil, "", err
 			}
+			if insecure {
+				if systemContext.DockerInsecureSkipTLSVerify == types.OptionalBoolFalse {
+					return imgID, nil, "", errors.Errorf("can't require tls verification on an insecured registry")
+				}
+				systemContext.DockerInsecureSkipTLSVerify = types.OptionalBoolTrue
+				systemContext.OCIInsecureSkipTLSVerify = true
+				systemContext.DockerDaemonInsecureSkipTLSVerify = true
+			}
 		}
 	}
 	logrus.Debugf("committing image with reference %q is allowed by policy", transports.ImageName(dest))
@@ -398,7 +419,7 @@ func (b *Builder) Commit(ctx context.Context, dest types.ImageReference, options
 		}
 		if options.IIDFile != "" {
 			if err = ioutil.WriteFile(options.IIDFile, []byte(img.ID), 0644); err != nil {
-				return imgID, nil, "", errors.Wrapf(err, "failed to write image ID to file %q", options.IIDFile)
+				return imgID, nil, "", err
 			}
 		}
 	}
@@ -471,9 +492,18 @@ func Push(ctx context.Context, image string, dest types.ImageReference, options
 	}
 
 	// Check if the push is blocked by $BUILDER_REGISTRY_SOURCES.
-	if err := checkRegistrySourcesAllows("push to", dest); err != nil {
+	insecure, err := checkRegistrySourcesAllows("push to", dest)
+	if err != nil {
 		return nil, "", err
 	}
+	if insecure {
+		if systemContext.DockerInsecureSkipTLSVerify == types.OptionalBoolFalse {
+			return nil, "", errors.Errorf("can't require tls verification on an insecured registry")
+		}
+		systemContext.DockerInsecureSkipTLSVerify = types.OptionalBoolTrue
+		systemContext.OCIInsecureSkipTLSVerify = true
+		systemContext.DockerDaemonInsecureSkipTLSVerify = true
+	}
 	logrus.Debugf("pushing image to reference %q is allowed by policy", transports.ImageName(dest))
 
 	// Copy everything.