Vendor in latest containers/storage and containers/image

Update container/image to address a commit error when copying layers and metadata.
This change may require users to recreate containers.

container/storage added some new lock protection to prevent possible deadlock and
data corruption.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Closes: #1381
Approved by: mheon

vendor/github.com/containers/image/README.md

@@ -25,7 +25,7 @@ them as necessary, and to sign and verify images.
 The containers/image project is only a library with no user interface;
 you can either incorporate it into your Go programs, or use the `skopeo` tool:
 
-The [skopeo](https://github.com/projectatomic/skopeo) tool uses the
+The [skopeo](https://github.com/containers/skopeo) tool uses the
 containers/image library and takes advantage of many of its features,
 e.g. `skopeo copy` exposes the `containers/image/copy.Image` functionality.
 
@@ -42,7 +42,7 @@ What this project tests against dependencies-wise is located
 ## Building
 
 If you want to see what the library can do, or an example of how it is called,
-consider starting with the [skopeo](https://github.com/projectatomic/skopeo) tool
+consider starting with the [skopeo](https://github.com/containers/skopeo) tool
 instead.
 
 To integrate this library into your project, put it into `$GOPATH` or use
@@ -73,7 +73,9 @@ When developing this library, please use `make` (or `make … BUILDTAGS=…`) to
 
 ## License
 
-ASL 2.0
+Apache License 2.0
+
+SPDX-License-Identifier: Apache-2.0
 
 ## Contact
 

vendor/github.com/containers/image/copy/copy.go

@@ -71,7 +71,6 @@ func (d *digestingReader) Read(p []byte) (int, error) {
 // copier allows us to keep track of diffID values for blobs, and other
 // data shared across one or more images in a possible manifest list.
 type copier struct {
-	copiedBlobs      map[digest.Digest]digest.Digest
 	cachedDiffIDs    map[digest.Digest]digest.Digest
 	dest             types.ImageDestination
 	rawSource        types.ImageSource
@@ -141,7 +140,6 @@ func Image(ctx context.Context, policyContext *signature.PolicyContext, destRef,
 	}()
 
 	c := &copier{
-		copiedBlobs:      make(map[digest.Digest]digest.Digest),
 		cachedDiffIDs:    make(map[digest.Digest]digest.Digest),
 		dest:             dest,
 		rawSource:        rawSource,

vendor/github.com/containers/image/docker/docker_client.go

@@ -462,6 +462,7 @@ func (c *dockerClient) getBearerToken(ctx context.Context, realm, service, scope
 	if c.username != "" && c.password != "" {
 		authReq.SetBasicAuth(c.username, c.password)
 	}
+	logrus.Debugf("%s %s", authReq.Method, authReq.URL.String())
 	tr := tlsclientconfig.NewTransport()
 	// TODO(runcom): insecure for now to contact the external token service
 	tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
@@ -497,8 +498,8 @@ func (c *dockerClient) detectProperties(ctx context.Context) error {
 	ping := func(scheme string) error {
 		url := fmt.Sprintf(resolvedPingV2URL, scheme, c.registry)
 		resp, err := c.makeRequestToResolvedURL(ctx, "GET", url, nil, nil, -1, true)
-		logrus.Debugf("Ping %s err %#v", url, err)
 		if err != nil {
+			logrus.Debugf("Ping %s err %#v", url, err)
 			return err
 		}
 		defer resp.Body.Close()

vendor/github.com/containers/image/docker/docker_image_src.go

@@ -310,7 +310,14 @@ func (s *dockerImageSource) getSignaturesFromAPIExtension(ctx context.Context, i
 
 // deleteImage deletes the named image from the registry, if supported.
 func deleteImage(ctx context.Context, sys *types.SystemContext, ref dockerReference) error {
-	c, err := newDockerClientFromRef(sys, ref, true, "push")
+	// docker/distribution does not document what action should be used for deleting images.
+	//
+	// Current docker/distribution requires "pull" for reading the manifest and "delete" for deleting it.
+	// quay.io requires "push" (an explicit "pull" is unnecessary), does not grant any token (fails parsing the request) if "delete" is included.
+	// OpenShift ignores the action string (both the password and the token is an OpenShift API token identifying a user).
+	//
+	// We have to hard-code a single string, luckily both docker/distribution and quay.io support "*" to mean "everything".
+	c, err := newDockerClientFromRef(sys, ref, true, "*")
 	if err != nil {
 		return err
 	}

vendor/github.com/containers/image/manifest/docker_schema2.go

@@ -57,8 +57,9 @@ type Schema2HealthConfig struct {
 	Test []string `json:",omitempty"`
 
 	// Zero means to inherit. Durations are expressed as integer nanoseconds.
-	Interval time.Duration `json:",omitempty"` // Interval is the time to wait between checks.
-	Timeout  time.Duration `json:",omitempty"` // Timeout is the time to wait before considering the check to have hung.
+	StartPeriod time.Duration `json:",omitempty"` // StartPeriod is the time to wait after starting before running the first check.
+	Interval    time.Duration `json:",omitempty"` // Interval is the time to wait between checks.
+	Timeout     time.Duration `json:",omitempty"` // Timeout is the time to wait before considering the check to have hung.
 
 	// Retries is the number of consecutive failures needed to consider a container as unhealthy.
 	// Zero means inherit.

vendor/github.com/containers/image/pkg/tlsclientconfig/tlsclientconfig.go

@@ -34,11 +34,13 @@ func SetupCertificates(dir string, tlsc *tls.Config) error {
 	for _, f := range fs {
 		fullPath := filepath.Join(dir, f.Name())
 		if strings.HasSuffix(f.Name(), ".crt") {
-			systemPool, err := tlsconfig.SystemCertPool()
-			if err != nil {
-				return errors.Wrap(err, "unable to get system cert pool")
+			if tlsc.RootCAs == nil {
+				systemPool, err := tlsconfig.SystemCertPool()
+				if err != nil {
+					return errors.Wrap(err, "unable to get system cert pool")
+				}
+				tlsc.RootCAs = systemPool
 			}
-			tlsc.RootCAs = systemPool
 			logrus.Debugf(" crt: %s", fullPath)
 			data, err := ioutil.ReadFile(fullPath)
 			if err != nil {