[v5.4-rhel] Bump Buildah to v1.39.4

Bump Buildah to v1.39.4.  This will fix a DDIF issue as noted in: https://issues.redhat.com/browse/RHEL-85212 and https://github.com/containers/podman/issues/25593.

This also addresesses an Image Mode issue when tweaking mount variables
as noted in: https://issues.redhat.com/browse/RHEL-79560

Fixes: https://issues.redhat.com/browse/RHEL-85218,
https://issues.redhat.com/browse/RHEL-85219,
https://issues.redhat.com/browse/RHEL-85116,
https://issues.redhat.com/browse/RHEL-85117

Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>

go.mod

@@ -13,11 +13,11 @@ require (
 	github.com/checkpoint-restore/checkpointctl v1.3.0
 	github.com/checkpoint-restore/go-criu/v7 v7.2.0
 	github.com/containernetworking/plugins v1.5.1
-	github.com/containers/buildah v1.39.3
+	github.com/containers/buildah v1.39.4
-	github.com/containers/common v0.62.2
+	github.com/containers/common v0.62.3
 	github.com/containers/conmon v2.0.20+incompatible
 	github.com/containers/gvisor-tap-vsock v0.8.3
-	github.com/containers/image/v5 v5.34.2
+	github.com/containers/image/v5 v5.34.3
 	github.com/containers/libhvee v0.9.0
 	github.com/containers/ocicrypt v1.2.1
 	github.com/containers/psgo v1.9.0

go.sum

@@ -76,16 +76,16 @@ github.com/containernetworking/cni v1.2.3 h1:hhOcjNVUQTnzdRJ6alC5XF+wd9mfGIUaj8F
 github.com/containernetworking/cni v1.2.3/go.mod h1:DuLgF+aPd3DzcTQTtp/Nvl1Kim23oFKdm2okJzBQA5M=
 github.com/containernetworking/plugins v1.5.1 h1:T5ji+LPYjjgW0QM+KyrigZbLsZ8jaX+E5J/EcKOE4gQ=
 github.com/containernetworking/plugins v1.5.1/go.mod h1:MIQfgMayGuHYs0XdNudf31cLLAC+i242hNm6KuDGqCM=
-github.com/containers/buildah v1.39.3 h1:JAIbtTblL6XIdhfH+/5ndSR++0yonF2409jlQ+rD8SE=
+github.com/containers/buildah v1.39.4 h1:XTL1+N9wJcSAqXUl4ReFK286QWLTIGp44jBqs9Qd2y0=
-github.com/containers/buildah v1.39.3/go.mod h1:WtjZt6kqSVzibr7AVkW9QlLok6pB0jlLe2LedgmL4+s=
+github.com/containers/buildah v1.39.4/go.mod h1:EPFAYD/27eXceT8shzWxKg+asgorc8nzrjiG9qFCqTk=
-github.com/containers/common v0.62.2 h1:xO45OOoeq17EZMIDZoSyRqg7GXGcRHa9sXlrr75zH+U=
+github.com/containers/common v0.62.3 h1:aOGryqXfW6aKBbHbqOveH7zB+ihavUN03X/2pUSvWFI=
-github.com/containers/common v0.62.2/go.mod h1:veFiR9iq2j3CHXtB4YnPHuOkSRdhIQ3bAY8AFMP/5bE=
+github.com/containers/common v0.62.3/go.mod h1:3R8kDox2prC9uj/a2hmXj/YjZz5sBEUNrcDiw51S0Lo=
 github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
 github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
 github.com/containers/gvisor-tap-vsock v0.8.3 h1:Am3VdjXTn8Mn+dNhgkiRcCFOTSM8u9aWKLW3KTHOGjk=
 github.com/containers/gvisor-tap-vsock v0.8.3/go.mod h1:46MvrqNuRNbjV4ZsZ3mHVJjR2Eh+fpyRh72EvWWFFjU=
-github.com/containers/image/v5 v5.34.2 h1:3r1etun4uJYq5197tcymUcI1h6+zyzKS9PtRtBlEKMI=
+github.com/containers/image/v5 v5.34.3 h1:/cMgfyA4Y7ILH7nzWP/kqpkE5Df35Ek4bp5ZPvJOVmI=
-github.com/containers/image/v5 v5.34.2/go.mod h1:MG++slvQSZVq5ejAcLdu4APGsKGMb0YHHnAo7X28fdE=
+github.com/containers/image/v5 v5.34.3/go.mod h1:MG++slvQSZVq5ejAcLdu4APGsKGMb0YHHnAo7X28fdE=
 github.com/containers/libhvee v0.9.0 h1:5UxJMka1lDfxTeITA25Pd8QVVttJAG43eQS1Getw1tc=
 github.com/containers/libhvee v0.9.0/go.mod h1:p44VJd8jMIx3SRN1eM6PxfCEwXQE0lJ0dQppCAlzjPQ=
 github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 h1:Qzk5C6cYglewc+UyGf6lc8Mj2UaPTHy/iF2De0/77CA=

vendor/github.com/containers/buildah/CHANGELOG.md

@@ -2,6 +2,11 @@
 
 # Changelog
 
+## v1.39.4 (2025-03-27)
+
+    [release-1.39] Bump c/image to v5.34.3, c/common v0.62.3
+    createPlatformContainer: drop MS_REMOUNT|MS_BIND
+
 ## v1.39.3 (2025-03-12)
 
     [release-1.39] Bump c/storage to v1.57.2, c/image v5.34.2, c/common v0.62.2

vendor/github.com/containers/buildah/changelog.txt

@@ -1,3 +1,7 @@
+- Changelog for v1.39.4 (2025-03-27)
+  * [release-1.39] Bump c/image to v5.34.3, c/common v0.62.3
+  * createPlatformContainer: drop MS_REMOUNT|MS_BIND
+
 - Changelog for v1.39.3 (2025-03-12)
   * [release-1.39] Bump c/storage to v1.57.2, c/image v5.34.2, c/common v0.62.2
 

vendor/github.com/containers/buildah/chroot/run_linux.go

@@ -263,7 +263,7 @@ func createPlatformContainer(options runUsingChrootExecSubprocOptions) error {
 		return fmt.Errorf("changing to host root directory: %w", err)
 	}
 	// make sure we only unmount things under this tree
-	if err := unix.Mount(".", ".", "bind", unix.MS_REMOUNT|unix.MS_BIND|unix.MS_SLAVE|unix.MS_REC, ""); err != nil {
+	if err := unix.Mount(".", ".", "", unix.MS_SLAVE|unix.MS_REC, ""); err != nil {
 		return fmt.Errorf("tweaking mount flags on host root directory before unmounting from mount namespace: %w", err)
 	}
 	// detach this (unnamed?) old directory

vendor/github.com/containers/buildah/define/types.go

@@ -29,7 +29,7 @@ const (
 	// identify working containers.
 	Package = "buildah"
 	// Version for the Package. Also used by .packit.sh for Packit builds.
-	Version = "1.39.3"
+	Version = "1.39.4"
 
 	// DefaultRuntime if containers.conf fails.
 	DefaultRuntime = "runc"

vendor/github.com/containers/common/version/version.go

@@ -1,4 +1,4 @@
 package version
 
 // Version is the version of the build.
-const Version = "0.62.2"
+const Version = "0.62.3"

vendor/github.com/containers/image/v5/tarball/tarball_src.go

@@ -14,8 +14,9 @@ import (
 
 	"github.com/containers/image/v5/internal/imagesource/impl"
 	"github.com/containers/image/v5/internal/imagesource/stubs"
+	"github.com/containers/image/v5/pkg/compression"
+	compressionTypes "github.com/containers/image/v5/pkg/compression/types"
 	"github.com/containers/image/v5/types"
-	"github.com/klauspost/pgzip"
 	digest "github.com/opencontainers/go-digest"
 	imgspecs "github.com/opencontainers/image-spec/specs-go"
 	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
@@ -82,31 +83,47 @@ func (r *tarballReference) NewImageSource(ctx context.Context, sys *types.System
 			}
 		}
 
-		// Default to assuming the layer is compressed.
-		layerType := imgspecv1.MediaTypeImageLayerGzip
-
 		// Set up to digest the file as it is.
 		blobIDdigester := digest.Canonical.Digester()
 		reader = io.TeeReader(reader, blobIDdigester.Hash())
 
-		// Set up to digest the file after we maybe decompress it.
+		var layerType string
-		diffIDdigester := digest.Canonical.Digester()
+		var diffIDdigester digest.Digester
-		uncompressed, err := pgzip.NewReader(reader)
+		// If necessary, digest the file after we decompress it.
-		if err == nil {
+		if err := func() error { // A scope for defer
-			// It is compressed, so the diffID is the digest of the uncompressed version
+			format, decompressor, reader, err := compression.DetectCompressionFormat(reader)
-			reader = io.TeeReader(uncompressed, diffIDdigester.Hash())
+			if err != nil {
-		} else {
+				return err
-			// It is not compressed, so the diffID and the blobID are going to be the same
+			}
-			diffIDdigester = blobIDdigester
+			if decompressor != nil {
-			layerType = imgspecv1.MediaTypeImageLayer
+				uncompressed, err := decompressor(reader)
-			uncompressed = nil
+				if err != nil {
-		}
+					return err
-		// TODO: This can take quite some time, and should ideally be cancellable using ctx.Done().
+				}
-		if _, err := io.Copy(io.Discard, reader); err != nil {
+				defer uncompressed.Close()
-			return nil, fmt.Errorf("error reading %q: %w", filename, err)
+				// It is compressed, so the diffID is the digest of the uncompressed version
-		}
+				diffIDdigester = digest.Canonical.Digester()
-		if uncompressed != nil {
+				reader = io.TeeReader(uncompressed, diffIDdigester.Hash())
-			uncompressed.Close()
+				switch format.Name() {
+				case compressionTypes.GzipAlgorithmName:
+					layerType = imgspecv1.MediaTypeImageLayerGzip
+				case compressionTypes.ZstdAlgorithmName:
+					layerType = imgspecv1.MediaTypeImageLayerZstd
+				default: // This is incorrect, but we have no good options, and it is what this transport was historically doing.
+					layerType = imgspecv1.MediaTypeImageLayerGzip
+				}
+			} else {
+				// It is not compressed, so the diffID and the blobID are going to be the same
+				diffIDdigester = blobIDdigester
+				layerType = imgspecv1.MediaTypeImageLayer
+			}
+			// TODO: This can take quite some time, and should ideally be cancellable using ctx.Done().
+			if _, err := io.Copy(io.Discard, reader); err != nil {
+				return fmt.Errorf("error reading %q: %w", filename, err)
+			}
+			return nil
+		}(); err != nil {
+			return nil, err
 		}
 
 		// Grab our uncompressed and possibly-compressed digests and sizes.

vendor/github.com/containers/image/v5/version/version.go

@@ -8,7 +8,7 @@ const (
 	// VersionMinor is for functionality in a backwards-compatible manner
 	VersionMinor = 34
 	// VersionPatch is for backwards-compatible bug fixes
-	VersionPatch = 2
+	VersionPatch = 3
 
 	// VersionDev indicates development branch. Releases will be empty string.
 	VersionDev = ""

vendor/modules.txt

@@ -147,7 +147,7 @@ github.com/containernetworking/cni/pkg/version
 # github.com/containernetworking/plugins v1.5.1
 ## explicit; go 1.20
 github.com/containernetworking/plugins/pkg/ns
-# github.com/containers/buildah v1.39.3
+# github.com/containers/buildah v1.39.4
 ## explicit; go 1.22.8
 github.com/containers/buildah
 github.com/containers/buildah/bind
@@ -179,7 +179,7 @@ github.com/containers/buildah/pkg/sshagent
 github.com/containers/buildah/pkg/util
 github.com/containers/buildah/pkg/volumes
 github.com/containers/buildah/util
-# github.com/containers/common v0.62.2
+# github.com/containers/common v0.62.3
 ## explicit; go 1.22.8
 github.com/containers/common/internal
 github.com/containers/common/internal/attributedstring
@@ -252,7 +252,7 @@ github.com/containers/conmon/runner/config
 # github.com/containers/gvisor-tap-vsock v0.8.3
 ## explicit; go 1.22.0
 github.com/containers/gvisor-tap-vsock/pkg/types
-# github.com/containers/image/v5 v5.34.2
+# github.com/containers/image/v5 v5.34.3
 ## explicit; go 1.22.8
 github.com/containers/image/v5/copy
 github.com/containers/image/v5/directory