vendor: update docker v28 and c/{common,image}

Update to the latest c/{common,image} which inclused an update to
docker v28, that update is NOT backwards compatible so I had to fix a
few types.

NOTE: handler.ExecCreateConfig is used directly by the bindings. Thus
this is an API break for pkg/bindings. Including docker types as part of
any stable pkg/bindings API was a very bad idea.

I see no way to avoid that unless we never want to docker v28, which is
not easy as the update comes in from c/image and maybe other packages.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>

vendor/github.com/containers/common/internal/deepcopy.go

@@ -1,10 +1,10 @@
 package internal
 
 import (
+	"maps"
 	"slices"
 
 	v1 "github.com/opencontainers/image-spec/specs-go/v1"
-	"golang.org/x/exp/maps"
 )
 
 // DeepCopyDescriptor copies a Descriptor, deeply copying its contents

vendor/github.com/containers/common/libimage/image.go

@@ -14,6 +14,7 @@ import (
 	"github.com/containerd/platforms"
 	"github.com/containers/common/libimage/platform"
 	"github.com/containers/image/v5/docker/reference"
+	"github.com/containers/image/v5/image"
 	"github.com/containers/image/v5/manifest"
 	storageTransport "github.com/containers/image/v5/storage"
 	"github.com/containers/image/v5/types"
@@ -1002,7 +1003,7 @@ func (i *Image) Manifest(ctx context.Context) (rawManifest []byte, mimeType stri
 	if err != nil {
 		return nil, "", err
 	}
-	return src.GetManifest(ctx, nil)
+	return image.UnparsedInstance(src, nil).Manifest(ctx)
 }
 
 // getImageID creates an image object and uses the hex value of the config

vendor/github.com/containers/common/libimage/inspect.go

@@ -6,6 +6,7 @@ import (
 	"context"
 	"time"
 
+	"github.com/containers/image/v5/image"
 	"github.com/containers/image/v5/manifest"
 	"github.com/containers/image/v5/types"
 	"github.com/opencontainers/go-digest"
@@ -159,7 +160,7 @@ func (i *Image) Inspect(ctx context.Context, options *InspectOptions) (*ImageDat
 	if err != nil {
 		return nil, err
 	}
-	manifestRaw, manifestType, err := src.GetManifest(ctx, nil)
+	manifestRaw, manifestType, err := image.UnparsedInstance(src, nil).Manifest(ctx)
 	if err != nil {
 		return nil, err
 	}

vendor/github.com/containers/common/libimage/manifest_list.go

@@ -18,6 +18,7 @@ import (
 	"github.com/containers/common/pkg/supplemented"
 	imageCopy "github.com/containers/image/v5/copy"
 	"github.com/containers/image/v5/docker"
+	"github.com/containers/image/v5/image"
 	"github.com/containers/image/v5/manifest"
 	"github.com/containers/image/v5/oci/layout"
 	"github.com/containers/image/v5/signature"
@@ -370,11 +371,12 @@ func (i *Image) IsManifestList(ctx context.Context) (bool, error) {
 	if err != nil {
 		return false, err
 	}
-	imgRef, err := ref.NewImageSource(ctx, i.runtime.systemContextCopy())
+	imgSrc, err := ref.NewImageSource(ctx, i.runtime.systemContextCopy())
 	if err != nil {
 		return false, err
 	}
-	_, manifestType, err := imgRef.GetManifest(ctx, nil)
+	defer imgSrc.Close()
+	_, manifestType, err := image.UnparsedInstance(imgSrc, nil).Manifest(ctx)
 	if err != nil {
 		return false, err
 	}
@@ -717,7 +719,7 @@ func (m *ManifestList) AnnotateInstance(d digest.Digest, options *ManifestListAn
 			return err
 		}
 		defer src.Close()
-		subjectManifestBytes, subjectManifestType, err := src.GetManifest(ctx, nil)
+		subjectManifestBytes, subjectManifestType, err := image.UnparsedInstance(src, nil).Manifest(ctx)
 		if err != nil {
 			return err
 		}

vendor/github.com/containers/common/libimage/manifests/manifests.go

@@ -526,7 +526,7 @@ func (l *list) Add(ctx context.Context, sys *types.SystemContext, ref types.Imag
 	var instanceInfos []instanceInfo
 	var manifestDigest digest.Digest
 
-	primaryManifestBytes, primaryManifestType, err := src.GetManifest(ctx, nil)
+	primaryManifestBytes, primaryManifestType, err := image.UnparsedInstance(src, nil).Manifest(ctx)
 	if err != nil {
 		return "", fmt.Errorf("reading manifest from %q: %w", transports.ImageName(ref), err)
 	}
@@ -613,7 +613,8 @@ func (l *list) Add(ctx context.Context, sys *types.SystemContext, ref types.Imag
 
 	knownConfigTypes := []string{manifest.DockerV2Schema2ConfigMediaType, v1.MediaTypeImageConfig}
 	for _, instanceInfo := range instanceInfos {
-		manifestBytes, manifestType, err := src.GetManifest(ctx, instanceInfo.instanceDigest)
+		unparsedInstance := image.UnparsedInstance(src, instanceInfo.instanceDigest)
+		manifestBytes, manifestType, err := unparsedInstance.Manifest(ctx)
 		if err != nil {
 			return "", fmt.Errorf("reading manifest from %q, instance %q: %w", transports.ImageName(ref), instanceInfo.instanceDigest, err)
 		}
@@ -625,7 +626,7 @@ func (l *list) Add(ctx context.Context, sys *types.SystemContext, ref types.Imag
 		hasPlatformConfig := instanceInfo.ArtifactType == "" && slices.Contains(knownConfigTypes, instanceInfo.ConfigInfo.MediaType)
 		needToParsePlatformConfig := (instanceInfo.OS == "" || instanceInfo.Architecture == "")
 		if hasPlatformConfig && needToParsePlatformConfig {
-			img, err := image.FromUnparsedImage(ctx, sys, image.UnparsedInstance(src, instanceInfo.instanceDigest))
+			img, err := image.FromUnparsedImage(ctx, sys, unparsedInstance)
 			if err != nil {
 				return "", fmt.Errorf("reading configuration blob from %q: %w", transports.ImageName(ref), err)
 			}
@@ -712,12 +713,12 @@ func (l *list) AddArtifact(ctx context.Context, sys *types.SystemContext, option
 	// reason.
 	var subject *v1.Descriptor
 	if options.SubjectReference != nil {
-		subjectReference, err := options.SubjectReference.NewImageSource(ctx, sys)
+		subjectSource, err := options.SubjectReference.NewImageSource(ctx, sys)
 		if err != nil {
 			return "", fmt.Errorf("setting up to read manifest and configuration from subject %q: %w", transports.ImageName(options.SubjectReference), err)
 		}
-		defer subjectReference.Close()
-		subjectManifestBytes, subjectManifestType, err := subjectReference.GetManifest(ctx, nil)
+		defer subjectSource.Close()
+		subjectManifestBytes, subjectManifestType, err := image.UnparsedInstance(subjectSource, nil).Manifest(ctx)
 		if err != nil {
 			return "", fmt.Errorf("reading manifest from subject %q: %w", transports.ImageName(options.SubjectReference), err)
 		}

vendor/github.com/containers/common/libnetwork/netavark/run.go

@@ -26,7 +26,7 @@ func (n *netavarkNetwork) execUpdate(networkName string, networkDNSServers []str
 
 // Setup will setup the container network namespace. It returns
 // a map of StatusBlocks, the key is the network name.
-func (n *netavarkNetwork) Setup(namespacePath string, options types.SetupOptions) (map[string]types.StatusBlock, error) {
+func (n *netavarkNetwork) Setup(namespacePath string, options types.SetupOptions) (_ map[string]types.StatusBlock, retErr error) {
 	n.lock.Lock()
 	defer n.lock.Unlock()
 	err := n.loadNetworks()
@@ -44,6 +44,15 @@ func (n *netavarkNetwork) Setup(namespacePath string, options types.SetupOptions
 	if err != nil {
 		return nil, err
 	}
+	defer func() {
+		// In case the setup failed for whatever reason podman will not start the
+		// container so we must free the allocated ips again to not leak them.
+		if retErr != nil {
+			if err := n.deallocIPs(&options.NetworkOptions); err != nil {
+				logrus.Error(err)
+			}
+		}
+	}()
 
 	netavarkOpts, needPlugin, err := n.convertNetOpts(options.NetworkOptions)
 	if err != nil {
@@ -72,15 +81,7 @@ func (n *netavarkNetwork) Setup(namespacePath string, options types.SetupOptions
 
 	result := map[string]types.StatusBlock{}
 	setup := func() error {
-		err := n.execNetavark([]string{"setup", namespacePath}, needPlugin, netavarkOpts, &result)
-		if err != nil {
-			// lets dealloc ips to prevent leaking
-			if err := n.deallocIPs(&options.NetworkOptions); err != nil {
-				logrus.Error(err)
-			}
-			return err
-		}
-		return nil
+		return n.execNetavark([]string{"setup", namespacePath}, needPlugin, netavarkOpts, &result)
 	}
 
 	if n.rootlessNetns != nil {

vendor/github.com/containers/common/libnetwork/slirp4netns/slirp4netns.go

@@ -685,6 +685,10 @@ func openSlirp4netnsPort(apiSocket, proto, hostip string, hostport, guestport ui
 	if _, err := conn.Write([]byte(fmt.Sprintf("%s\n", data))); err != nil {
 		return fmt.Errorf("cannot write to control socket %s: %w", apiSocket, err)
 	}
+	//nolint:errcheck // This cast should never fail, if it does we get a interface
+	// conversion panic and a stack trace on how we ended up here which is more
+	// valuable than returning a human friendly error test as we don't know how it
+	// happened.
 	if err := conn.(*net.UnixConn).CloseWrite(); err != nil {
 		return fmt.Errorf("cannot shutdown the socket %s: %w", apiSocket, err)
 	}

vendor/github.com/containers/common/pkg/apparmor/apparmor_linux_template.go

@@ -24,7 +24,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
   # Allow certain signals from OCI runtimes (podman, runc and crun)
   signal (receive) peer={/usr/bin/,/usr/sbin/,}runc,
   signal (receive) peer={/usr/bin/,/usr/sbin/,}crun*,
-  signal (receive) set=(int, quit, kill, term) peer={/usr/bin/,/usr/sbin/,}podman,
+  signal (receive) peer={/usr/bin/,/usr/sbin/,}podman,
 {{end}}
 
   deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a subdir)

vendor/github.com/containers/common/pkg/cgroups/cgroups_linux.go

@@ -843,11 +843,16 @@ func UserOwnsCurrentSystemdCgroup() (bool, error) {
 		if err != nil {
 			return false, err
 		}
+
 		s := st.Sys()
 		if s == nil {
-			return false, fmt.Errorf("stat cgroup path %s", cgroupPath)
+			return false, fmt.Errorf("stat cgroup path is nil %s", cgroupPath)
 		}
 
+		//nolint:errcheck // This cast should never fail, if it does we get a interface
+		// conversion panic and a stack trace on how we ended up here which is more
+		// valuable than returning a human friendly error test as we don't know how it
+		// happened.
 		if int(s.(*syscall.Stat_t).Uid) != uid {
 			return false, nil
 		}

vendor/github.com/containers/common/pkg/chown/chown_unix.go

@@ -29,9 +29,11 @@ func ChangeHostPathOwnership(path string, recursive bool, uid, gid int) error {
 				return err
 			}
 
+			//nolint:errcheck
+			stat := f.Sys().(*syscall.Stat_t)
 			// Get current ownership
-			currentUID := int(f.Sys().(*syscall.Stat_t).Uid)
-			currentGID := int(f.Sys().(*syscall.Stat_t).Gid)
+			currentUID := int(stat.Uid)
+			currentGID := int(stat.Gid)
 
 			if uid != currentUID || gid != currentGID {
 				return os.Lchown(filePath, uid, gid)
@@ -49,9 +51,11 @@ func ChangeHostPathOwnership(path string, recursive bool, uid, gid int) error {
 			return fmt.Errorf("failed to get host path information: %w", err)
 		}
 
+		//nolint:errcheck
+		stat := f.Sys().(*syscall.Stat_t)
 		// Get current ownership
-		currentUID := int(f.Sys().(*syscall.Stat_t).Uid)
-		currentGID := int(f.Sys().(*syscall.Stat_t).Gid)
+		currentUID := int(stat.Uid)
+		currentGID := int(stat.Gid)
 
 		if uid != currentUID || gid != currentGID {
 			if err := os.Lchown(path, uid, gid); err != nil {

vendor/github.com/containers/common/pkg/config/config.go

@@ -12,7 +12,6 @@ import (
 
 	"github.com/containers/common/internal/attributedstring"
 	"github.com/containers/common/libnetwork/types"
-	"github.com/containers/common/pkg/capabilities"
 	"github.com/containers/storage/pkg/fileutils"
 	"github.com/containers/storage/pkg/homedir"
 	"github.com/containers/storage/pkg/unshare"
@@ -979,24 +978,6 @@ func (c *Config) GetDefaultEnvEx(envHost, httpProxy bool) []string {
 	return append(env, c.Containers.Env.Get()...)
 }
 
-// Capabilities returns the capabilities parses the Add and Drop capability
-// list from the default capabilities for the container
-func (c *Config) Capabilities(user string, addCapabilities, dropCapabilities []string) ([]string, error) {
-	userNotRoot := func(user string) bool {
-		if user == "" || user == "root" || user == "0" {
-			return false
-		}
-		return true
-	}
-
-	defaultCapabilities := c.Containers.DefaultCapabilities.Get()
-	if userNotRoot(user) {
-		defaultCapabilities = []string{}
-	}
-
-	return capabilities.MergeCapabilities(defaultCapabilities, addCapabilities, dropCapabilities)
-}
-
 // Device parses device mapping string to a src, dest & permissions string
 // Valid values for device looklike:
 //

vendor/github.com/containers/common/pkg/config/config_linux.go

@@ -1,6 +1,7 @@
 package config
 
 import (
+	"github.com/containers/common/pkg/capabilities"
 	selinux "github.com/opencontainers/selinux/go-selinux"
 )
 
@@ -26,3 +27,21 @@ var defaultHelperBinariesDir = []string{
 	"/usr/libexec/podman",
 	"/usr/lib/podman",
 }
+
+// Capabilities returns the capabilities parses the Add and Drop capability
+// list from the default capabilities for the container
+func (c *Config) Capabilities(user string, addCapabilities, dropCapabilities []string) ([]string, error) {
+	userNotRoot := func(user string) bool {
+		if user == "" || user == "root" || user == "0" {
+			return false
+		}
+		return true
+	}
+
+	defaultCapabilities := c.Containers.DefaultCapabilities.Get()
+	if userNotRoot(user) {
+		defaultCapabilities = []string{}
+	}
+
+	return capabilities.MergeCapabilities(defaultCapabilities, addCapabilities, dropCapabilities)
+}

vendor/github.com/containers/common/pkg/config/config_local.go

@@ -6,7 +6,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
-	"regexp"
+	"strconv"
 	"strings"
 
 	"github.com/containers/storage/pkg/fileutils"
@@ -97,8 +97,9 @@ func (c *ContainersConfig) validateTZ() error {
 }
 
 func (c *ContainersConfig) validateUmask() error {
-	validUmask := regexp.MustCompile(`^[0-7]{1,4}$`)
-	if !validUmask.MatchString(c.Umask) {
+	// Valid values are 0 to 7777 octal.
+	_, err := strconv.ParseUint(c.Umask, 8, 12)
+	if err != nil {
 		return fmt.Errorf("not a valid umask %s", c.Umask)
 	}
 	return nil

vendor/github.com/containers/common/pkg/config/config_unsupported.go

@@ -5,3 +5,9 @@ package config
 func selinuxEnabled() bool {
 	return false
 }
+
+// Capabilities returns the capabilities parses the Add and Drop capability
+// list from the default capabilities for the container
+func (c *Config) Capabilities(user string, addCapabilities, dropCapabilities []string) ([]string, error) {
+	return nil, nil
+}

vendor/github.com/containers/common/pkg/config/default.go

@@ -539,7 +539,7 @@ func (c *Config) NetNS() string {
 	return c.Containers.NetNS
 }
 
-func (c EngineConfig) EventsLogMaxSize() uint64 {
+func (c *EngineConfig) EventsLogMaxSize() uint64 {
 	return uint64(c.EventsLogFileMaxSize)
 }
 

vendor/github.com/containers/common/pkg/secrets/secrets.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"strings"
 	"time"
 
 	"github.com/containers/common/pkg/secrets/define"
@@ -12,7 +13,6 @@ import (
 	"github.com/containers/common/pkg/secrets/passdriver"
 	"github.com/containers/common/pkg/secrets/shelldriver"
 	"github.com/containers/storage/pkg/lockfile"
-	"github.com/containers/storage/pkg/regexp"
 	"github.com/containers/storage/pkg/stringid"
 	"golang.org/x/exp/maps"
 )
@@ -50,10 +50,6 @@ var errDataSize = errors.New("secret data must be larger than 0 and less than 51
 // secretsFile is the name of the file that the secrets database will be stored in
 var secretsFile = "secrets.json"
 
-// secretNameRegexp matches valid secret names
-// Allowed: 253 characters, excluding ,/=\0
-var secretNameRegexp = regexp.Delayed("^[^,/=\000]+$")
-
 // SecretsManager holds information on handling secrets
 //
 // revive does not like the name because the package is already called secrets
@@ -320,9 +316,7 @@ func (s *SecretsManager) LookupSecretData(nameOrID string) (*Secret, []byte, err
 
 // validateSecretName checks if the secret name is valid.
 func validateSecretName(name string) error {
-	if len(name) == 0 ||
-		len(name) > 253 ||
-		!secretNameRegexp.MatchString(name) {
+	if len(name) == 0 || len(name) > 253 || strings.ContainsAny(name, ",/=\000") {
 		return fmt.Errorf("secret name %q can not include '=', '/', ',', or the '\\0' (NULL) and be between 1 and 253 characters: %w", name, errInvalidSecretName)
 	}
 	return nil

vendor/github.com/containers/common/pkg/supplemented/supplemented.go

@@ -205,7 +205,7 @@ func (s *supplementedImageReference) NewImageSource(ctx context.Context, sys *ty
 		}
 
 		// Read the default manifest for the image.
-		manifestBytes, manifestType, err := src.GetManifest(ctx, nil)
+		manifestBytes, manifestType, err := image.UnparsedInstance(src, nil).Manifest(ctx)
 		if err != nil {
 			return nil, fmt.Errorf("reading default manifest from image %q: %w", transports.ImageName(ref), err)
 		}
@@ -261,7 +261,7 @@ func (s *supplementedImageReference) NewImageSource(ctx context.Context, sys *ty
 		}
 
 		// Read the instance's manifest.
-		manifestBytes, manifestType, err := manifestToRead.src.GetManifest(ctx, manifestToRead.instance)
+		manifestBytes, manifestType, err := image.UnparsedInstance(manifestToRead.src, manifestToRead.instance).Manifest(ctx)
 		if err != nil {
 			// if errors.Is(err, storage.ErrImageUnknown) || errors.Is(err, os.ErrNotExist) {
 			// Trust that we either don't need it, or that it's in another reference.

vendor/github.com/containers/common/pkg/sysinfo/sysinfo.go

@@ -1,6 +1,6 @@
 package sysinfo
 
-import "github.com/docker/docker/pkg/parsers"
+import "github.com/containers/storage/pkg/parsers"
 
 // SysInfo stores information about which features a kernel supports.
 // TODO Windows: Factor out platform specific capabilities.

vendor/github.com/containers/common/version/version.go

@@ -1,4 +1,4 @@
 package version
 
 // Version is the version of the build.
-const Version = "0.62.1"
+const Version = "0.63.0-dev"