fix(deps): update module github.com/containers/buildah to v1.31.0

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-11-30 10:07:33 +08:00 · 2023-07-01 00:26:07 +00:00
parent 82af41cf2a
commit d0359fccaa
21 changed files with 270 additions and 133 deletions
--- a/vendor/github.com/containers/buildah/.cirrus.yml
+++ b/vendor/github.com/containers/buildah/.cirrus.yml
@@ -27,12 +27,12 @@ env:
    ####
    # GCE project where images live
    IMAGE_PROJECT: "libpod-218412"
-    FEDORA_NAME: "fedora-37"
-    PRIOR_FEDORA_NAME: "fedora-36"
-    DEBIAN_NAME: "debian-12"
+    FEDORA_NAME: "fedora-38"
+    PRIOR_FEDORA_NAME: "fedora-37"
+    DEBIAN_NAME: "debian-13"

    # Image identifiers
-    IMAGE_SUFFIX: "c20230405t152256z-f37f36d12"
+    IMAGE_SUFFIX: "c20230614t132754z-f38f37d13"
    FEDORA_CACHE_IMAGE_NAME: "fedora-${IMAGE_SUFFIX}"
    PRIOR_FEDORA_CACHE_IMAGE_NAME: "prior-fedora-${IMAGE_SUFFIX}"
    DEBIAN_CACHE_IMAGE_NAME: "debian-${IMAGE_SUFFIX}"
--- a/vendor/github.com/containers/buildah/CHANGELOG.md
+++ b/vendor/github.com/containers/buildah/CHANGELOG.md
@@ -2,6 +2,92 @@

 # Changelog

+## v1.31.0 (2023-06-30)
+
+    Bump c/common to 0.55.1 and c/image to 5.26.1
+    Bump c/image to 5.26.0 and c/common to 0.54.0
+    vendor: update c/{common,image,storage} to latest
+    chore: pkg imported more than once
+    buildah: add pasta(1) support
+    use slirp4netns package from c/common
+    update c/common to latest
+    add hostname to /etc/hosts when running with host network
+    vendor: update c/common to latest
+    [CI:BUILD] Packit: add jobs for downstream Fedora package builds
+    fix(deps): update module golang.org/x/sync to v0.3.0
+    fix(deps): update module golang.org/x/crypto to v0.10.0
+    Add smoke tests for encryption CLI helpers
+    fix(deps): update module golang.org/x/term to v0.9.0
+    fix(deps): update module github.com/opencontainers/runtime-spec to v1.1.0-rc.3
+    Remove device mapper support
+    Remove use of deprecated tar.TypeRegA
+    Update tooling to support newer golangci-lint
+    Make cli.EncryptConfig,DecryptConfig, GetFormat public
+    Don't decrypt images by default
+    fix(deps): update module github.com/onsi/gomega to v1.27.8
+    fix(deps): update github.com/containers/storage digest to 3f3fb2f
+    Renovate: Don't touch fragile test stuffs
+    [CI:DOCS] Update comment to remove ambiguity
+    fix(deps): update github.com/containers/image/v5 digest to abe5133
+    fix(deps): update module github.com/sirupsen/logrus to v1.9.3
+    fix(deps): update module github.com/containerd/containerd to v1.7.2
+    Explicitly ref. quay images for CI
+    At startup, log the effective capabilities for debugging
+    parse: use GetTempDir from internal utils
+    GetTmpDir: honor image_copy_tmp_dir from containers.conf
+    docs/Makefile: don't show sed invocations
+    CI: Support testing w/ podman-next COPR packages
+    intermediate-images inherit-label test: make it debuggable
+    fix(deps): update github.com/containers/common digest to 462ccdd
+    Add a warning to `--secret` docs
+    vendor: bump c/storage to v1.46.2-0.20230526114421-55ee2d19292f
+    executor: apply label to only final stage
+    remove registry.centos.org
+    Go back to setting SysProcAttr.Pdeathsig for child processes
+    Fix auth.json path (validated on Fedora 38) wq Signed-off-by: Andreas Mack <andreas.mack@gmail.com>
+    fix(deps): update module github.com/stretchr/testify to v1.8.3
+    CI: fix test broken by renovatebot
+    chore(deps): update quay.io/libpod/testimage docker tag to v20221018
+    fix(deps): update module github.com/onsi/gomega to v1.27.7
+    test: use debian instead of docker.io/library/debian:testing-slim
+    vendor: bump logrus to 1.9.2
+    [skip-ci] Update tim-actions/get-pr-commits action to v1.3.0
+    Revert "Proof of concept: nightly dependency treadmill"
+    fix(deps): update module github.com/sirupsen/logrus to v1.9.1
+    vendor in containers/(common,storage,image)
+    fix(deps): update module github.com/docker/distribution to v2.8.2+incompatible
+    run: drop Pdeathsig
+    chroot: lock thread before setPdeathsig
+    tests: add a case for required=false
+    fix(deps): update module github.com/openshift/imagebuilder to v1.2.5
+    build: validate volumes on backend
+    secret: accept required flag w/o value
+    fix(deps): update module github.com/containerd/containerd to v1.7.1
+    fix(deps): update module golang.org/x/crypto to v0.9.0
+    Update the demos README file to fix minor typos
+    fix(deps): update module golang.org/x/sync to v0.2.0
+    fix(deps): update module golang.org/x/term to v0.8.0
+    manifest, push: use source as destination if not specified
+    run,mount: remove path only if they didnt pre-exist
+    Cirrus: Fix meta task failing to find commit
+    parse: filter edge-case for podman-remote
+    fix(deps): update module github.com/opencontainers/runc to v1.1.7
+    fix(deps): update module github.com/docker/docker to v23.0.5+incompatible
+    build: --platform must accept only arch
+    fix(deps): update module github.com/containers/common to v0.53.0
+    makefile: increase conformance timeout
+    Cap suffixDigitsModulo to a 9-digits suffix.
+    Rename conflict to suffixDigitsModulo
+    fix(deps): update module github.com/opencontainers/runtime-spec to v1.1.0-rc.2
+    fix(deps): update module github.com/opencontainers/runc to v1.1.6
+    chore(deps): update centos docker tag to v8
+    Clarify the need for qemu-user-static package
+    chore(deps): update quay.io/centos/centos docker tag to v8
+    Renovate: Ensure test/tools/go.mod is managed
+    Revert "buildah image should not enable fuse-overlayfs for rootful mode"
+    Bump to v1.31.0-dev
+    parse: add support for relabel bind mount option
+
 ## v1.30.0 (2023-04-06)

    fix(deps): update module github.com/opencontainers/runc to v1.1.5
--- a/vendor/github.com/containers/buildah/Makefile
+++ b/vendor/github.com/containers/buildah/Makefile
@@ -179,7 +179,8 @@ tests/testreport/testreport: tests/testreport/testreport.go

 .PHONY: test-unit
 test-unit: tests/testreport/testreport
-	$(GO_TEST) -v -tags "$(STORAGETAGS) $(SECURITYTAGS)" -cover $(RACEFLAGS) $(shell $(GO) list ./... | grep -v vendor | grep -v tests | grep -v cmd) -timeout 45m
+	$(GO_TEST) -v -tags "$(STORAGETAGS) $(SECURITYTAGS)" -cover $(RACEFLAGS) $(shell $(GO) list ./... | grep -v vendor | grep -v tests | grep -v cmd | grep -v chroot | grep -v copier) -timeout 45m
+	$(GO_TEST) -v -tags "$(STORAGETAGS) $(SECURITYTAGS)"        $(RACEFLAGS) ./chroot ./copier -timeout 45m
 	tmp=$(shell mktemp -d) ; \
 	mkdir -p $$tmp/root $$tmp/runroot; \
 	$(GO_TEST) -v -tags "$(STORAGETAGS) $(SECURITYTAGS)" -cover $(RACEFLAGS) ./cmd/buildah -args --root $$tmp/root --runroot $$tmp/runroot --storage-driver vfs --signature-policy $(shell pwd)/tests/policy.json --registries-conf $(shell pwd)/tests/registries.conf
--- a/vendor/github.com/containers/buildah/changelog.txt
+++ b/vendor/github.com/containers/buildah/changelog.txt
@@ -1,3 +1,88 @@
+- Changelog for v1.31.0 (2023-06-30)
+  * Bump c/common to 0.55.1 and c/image to 5.26.1
+  * Bump c/image to 5.26.0 and c/common to 0.54.0
+  * vendor: update c/{common,image,storage} to latest
+  * chore: pkg imported more than once
+  * buildah: add pasta(1) support
+  * use slirp4netns package from c/common
+  * update c/common to latest
+  * add hostname to /etc/hosts when running with host network
+  * vendor: update c/common to latest
+  * [CI:BUILD] Packit: add jobs for downstream Fedora package builds
+  * fix(deps): update module golang.org/x/sync to v0.3.0
+  * fix(deps): update module golang.org/x/crypto to v0.10.0
+  * Add smoke tests for encryption CLI helpers
+  * fix(deps): update module golang.org/x/term to v0.9.0
+  * fix(deps): update module github.com/opencontainers/runtime-spec to v1.1.0-rc.3
+  * Remove device mapper support
+  * Remove use of deprecated tar.TypeRegA
+  * Update tooling to support newer golangci-lint
+  * Make cli.EncryptConfig,DecryptConfig, GetFormat public
+  * Don't decrypt images by default
+  * fix(deps): update module github.com/onsi/gomega to v1.27.8
+  * fix(deps): update github.com/containers/storage digest to 3f3fb2f
+  * Renovate: Don't touch fragile test stuffs
+  * [CI:DOCS] Update comment to remove ambiguity
+  * fix(deps): update github.com/containers/image/v5 digest to abe5133
+  * fix(deps): update module github.com/sirupsen/logrus to v1.9.3
+  * fix(deps): update module github.com/containerd/containerd to v1.7.2
+  * Explicitly ref. quay images for CI
+  * At startup, log the effective capabilities for debugging
+  * parse: use GetTempDir from internal utils
+  * GetTmpDir: honor image_copy_tmp_dir from containers.conf
+  * docs/Makefile: don't show sed invocations
+  * CI: Support testing w/ podman-next COPR packages
+  * intermediate-images inherit-label test: make it debuggable
+  * fix(deps): update github.com/containers/common digest to 462ccdd
+  * Add a warning to `--secret` docs
+  * vendor: bump c/storage to v1.46.2-0.20230526114421-55ee2d19292f
+  * executor: apply label to only final stage
+  * remove registry.centos.org
+  * Go back to setting SysProcAttr.Pdeathsig for child processes
+  * Fix auth.json path (validated on Fedora 38) wq Signed-off-by: Andreas Mack <andreas.mack@gmail.com>
+  * fix(deps): update module github.com/stretchr/testify to v1.8.3
+  * CI: fix test broken by renovatebot
+  * chore(deps): update quay.io/libpod/testimage docker tag to v20221018
+  * fix(deps): update module github.com/onsi/gomega to v1.27.7
+  * test: use debian instead of docker.io/library/debian:testing-slim
+  * vendor: bump logrus to 1.9.2
+  * [skip-ci] Update tim-actions/get-pr-commits action to v1.3.0
+  * Revert "Proof of concept: nightly dependency treadmill"
+  * fix(deps): update module github.com/sirupsen/logrus to v1.9.1
+  * vendor in containers/(common,storage,image)
+  * fix(deps): update module github.com/docker/distribution to v2.8.2+incompatible
+  * run: drop Pdeathsig
+  * chroot: lock thread before setPdeathsig
+  * tests: add a case for required=false
+  * fix(deps): update module github.com/openshift/imagebuilder to v1.2.5
+  * build: validate volumes on backend
+  * secret: accept required flag w/o value
+  * fix(deps): update module github.com/containerd/containerd to v1.7.1
+  * fix(deps): update module golang.org/x/crypto to v0.9.0
+  * Update the demos README file to fix minor typos
+  * fix(deps): update module golang.org/x/sync to v0.2.0
+  * fix(deps): update module golang.org/x/term to v0.8.0
+  * manifest, push: use source as destination if not specified
+  * run,mount: remove path only if they didnt pre-exist
+  * Cirrus: Fix meta task failing to find commit
+  * parse: filter edge-case for podman-remote
+  * fix(deps): update module github.com/opencontainers/runc to v1.1.7
+  * fix(deps): update module github.com/docker/docker to v23.0.5+incompatible
+  * build: --platform must accept only arch
+  * fix(deps): update module github.com/containers/common to v0.53.0
+  * makefile: increase conformance timeout
+  * Cap suffixDigitsModulo to a 9-digits suffix.
+  * Rename conflict to suffixDigitsModulo
+  * fix(deps): update module github.com/opencontainers/runtime-spec to v1.1.0-rc.2
+  * fix(deps): update module github.com/opencontainers/runc to v1.1.6
+  * chore(deps): update centos docker tag to v8
+  * Clarify the need for qemu-user-static package
+  * chore(deps): update quay.io/centos/centos docker tag to v8
+  * Renovate: Ensure test/tools/go.mod is managed
+  * Revert "buildah image should not enable fuse-overlayfs for rootful mode"
+  * Bump to v1.31.0-dev
+  * parse: add support for relabel bind mount option
+
 - Changelog for v1.30.0 (2023-04-06)
  * fix(deps): update module github.com/opencontainers/runc to v1.1.5
  * fix(deps): update module github.com/fsouza/go-dockerclient to v1.9.7
--- a/vendor/github.com/containers/buildah/define/types.go
+++ b/vendor/github.com/containers/buildah/define/types.go
@@ -29,7 +29,7 @@ const (
 	// identify working containers.
 	Package = "buildah"
 	// Version for the Package. Also used by .packit.sh for Packit builds.
-	Version = "1.31.0-dev"
+	Version = "1.31.0"

 	// DefaultRuntime if containers.conf fails.
 	DefaultRuntime = "runc"
--- a/vendor/github.com/containers/buildah/imagebuildah/executor.go
+++ b/vendor/github.com/containers/buildah/imagebuildah/executor.go
@@ -22,7 +22,6 @@ import (
 	"github.com/containers/common/pkg/config"
 	"github.com/containers/image/v5/docker/reference"
 	"github.com/containers/image/v5/manifest"
-	is "github.com/containers/image/v5/storage"
 	storageTransport "github.com/containers/image/v5/storage"
 	"github.com/containers/image/v5/transports"
 	"github.com/containers/image/v5/transports/alltransports"
@@ -424,7 +423,7 @@ func (b *Executor) getImageTypeAndHistoryAndDiffIDs(ctx context.Context, imageID
 	if ok {
 		return imageInfo.manifestType, imageInfo.history, imageInfo.diffIDs, imageInfo.err
 	}
-	imageRef, err := is.Transport.ParseStoreReference(b.store, "@"+imageID)
+	imageRef, err := storageTransport.Transport.ParseStoreReference(b.store, "@"+imageID)
 	if err != nil {
 		return "", nil, nil, fmt.Errorf("getting image reference %q: %w", imageID, err)
 	}
@@ -992,8 +991,8 @@ func (b *Executor) Build(ctx context.Context, stages imagebuilder.Stages) (image
 	// Add additional tags and print image names recorded in storage
 	if dest, err := b.resolveNameToImageRef(b.output); err == nil {
 		switch dest.Transport().Name() {
-		case is.Transport.Name():
-			img, err := is.Transport.GetStoreImage(b.store, dest)
+		case storageTransport.Transport.Name():
+			img, err := storageTransport.Transport.GetStoreImage(b.store, dest)
 			if err != nil {
 				return imageID, ref, fmt.Errorf("locating just-written image %q: %w", transports.ImageName(dest), err)
 			}
@@ -1004,7 +1003,7 @@ func (b *Executor) Build(ctx context.Context, stages imagebuilder.Stages) (image
 				logrus.Debugf("assigned names %v to image %q", img.Names, img.ID)
 			}
 			// Report back the caller the tags applied, if any.
-			img, err = is.Transport.GetStoreImage(b.store, dest)
+			img, err = storageTransport.Transport.GetStoreImage(b.store, dest)
 			if err != nil {
 				return imageID, ref, fmt.Errorf("locating just-written image %q: %w", transports.ImageName(dest), err)
 			}
--- a/vendor/github.com/containers/buildah/run.go
+++ b/vendor/github.com/containers/buildah/run.go
@@ -10,7 +10,6 @@ import (
 	"github.com/containers/image/v5/types"
 	"github.com/containers/storage/pkg/lockfile"
 	"github.com/opencontainers/runtime-spec/specs-go"
-	spec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/sirupsen/logrus"
 )

@@ -199,8 +198,8 @@ type runMountInfo struct {

 // IDMaps are the UIDs, GID, and maps for the run
 type IDMaps struct {
-	uidmap     []spec.LinuxIDMapping
-	gidmap     []spec.LinuxIDMapping
+	uidmap     []specs.LinuxIDMapping
+	gidmap     []specs.LinuxIDMapping
 	rootUID    int
 	rootGID    int
 	processUID int
--- a/vendor/github.com/containers/buildah/run_common.go
+++ b/vendor/github.com/containers/buildah/run_common.go
@@ -48,7 +48,6 @@ import (
 	storageTypes "github.com/containers/storage/types"
 	"github.com/opencontainers/go-digest"
 	"github.com/opencontainers/runtime-spec/specs-go"
-	spec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/runtime-tools/generate"
 	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/sirupsen/logrus"
@@ -118,7 +117,7 @@ func (b *Builder) addResolvConf(rdir string, chownOpts *idtools.IDPair, dnsServe
 }

 // generateHosts creates a containers hosts file
-func (b *Builder) generateHosts(rdir string, chownOpts *idtools.IDPair, imageRoot string, spec *spec.Spec) (string, error) {
+func (b *Builder) generateHosts(rdir string, chownOpts *idtools.IDPair, imageRoot string, spec *specs.Spec) (string, error) {
 	conf, err := config.Default()
 	if err != nil {
 		return "", err
@@ -1468,7 +1467,7 @@ func runSetupBuiltinVolumes(mountLabel, mountPoint, containerDir string, builtin
 }

 // Destinations which can be cleaned up after every RUN
-func cleanableDestinationListFromMounts(mounts []spec.Mount) []string {
+func cleanableDestinationListFromMounts(mounts []specs.Mount) []string {
 	mountDest := []string{}
 	for _, mount := range mounts {
 		// Add all destination to mountArtifacts so that they can be cleaned up later
@@ -1509,7 +1508,7 @@ func checkIfMountDestinationPreExists(root string, dest string) (bool, error) {
 // runSetupRunMounts sets up mounts that exist only in this RUN, not in subsequent runs
 //
 // If this function succeeds, the caller must unlock runMountArtifacts.TargetLocks (when??)
-func (b *Builder) runSetupRunMounts(mountPoint string, mounts []string, sources runMountInfo, idMaps IDMaps) ([]spec.Mount, *runMountArtifacts, error) {
+func (b *Builder) runSetupRunMounts(mountPoint string, mounts []string, sources runMountInfo, idMaps IDMaps) ([]specs.Mount, *runMountArtifacts, error) {
 	// If `type` is not set default to TypeBind
 	mountType := define.TypeBind
 	mountTargets := make([]string, 0, 10)
@@ -1527,7 +1526,7 @@ func (b *Builder) runSetupRunMounts(mountPoint string, mounts []string, sources
 		}
 	}()
 	for _, mount := range mounts {
-		var mountSpec *spec.Mount
+		var mountSpec *specs.Mount
 		var err error
 		var envFile, image string
 		var agent *sshagent.AgentServer
@@ -1622,7 +1621,7 @@ func (b *Builder) runSetupRunMounts(mountPoint string, mounts []string, sources
 	return finalMounts, artifacts, nil
 }

-func (b *Builder) getBindMount(tokens []string, context *imageTypes.SystemContext, contextDir string, stageMountPoints map[string]internal.StageMountDetails, idMaps IDMaps, workDir string) (*spec.Mount, string, error) {
+func (b *Builder) getBindMount(tokens []string, context *imageTypes.SystemContext, contextDir string, stageMountPoints map[string]internal.StageMountDetails, idMaps IDMaps, workDir string) (*specs.Mount, string, error) {
 	if contextDir == "" {
 		return nil, "", errors.New("Context Directory for current run invocation is not configured")
 	}
@@ -1639,7 +1638,7 @@ func (b *Builder) getBindMount(tokens []string, context *imageTypes.SystemContex
 	return &volumes[0], image, nil
 }

-func (b *Builder) getTmpfsMount(tokens []string, idMaps IDMaps) (*spec.Mount, error) {
+func (b *Builder) getTmpfsMount(tokens []string, idMaps IDMaps) (*specs.Mount, error) {
 	var optionMounts []specs.Mount
 	mount, err := internalParse.GetTmpfsMount(tokens)
 	if err != nil {
@@ -1653,7 +1652,7 @@ func (b *Builder) getTmpfsMount(tokens []string, idMaps IDMaps) (*spec.Mount, er
 	return &volumes[0], nil
 }

-func (b *Builder) getSecretMount(tokens []string, secrets map[string]define.Secret, idMaps IDMaps, workdir string) (*spec.Mount, string, error) {
+func (b *Builder) getSecretMount(tokens []string, secrets map[string]define.Secret, idMaps IDMaps, workdir string) (*specs.Mount, string, error) {
 	errInvalidSyntax := errors.New("secret should have syntax id=id[,target=path,required=bool,mode=uint,uid=uint,gid=uint")
 	if len(tokens) == 0 {
 		return nil, "", errInvalidSyntax
@@ -1781,7 +1780,7 @@ func (b *Builder) getSecretMount(tokens []string, secrets map[string]define.Secr
 }

 // getSSHMount parses the --mount type=ssh flag in the Containerfile, checks if there's an ssh source provided, and creates and starts an ssh-agent to be forwarded into the container
-func (b *Builder) getSSHMount(tokens []string, count int, sshsources map[string]*sshagent.Source, idMaps IDMaps) (*spec.Mount, *sshagent.AgentServer, error) {
+func (b *Builder) getSSHMount(tokens []string, count int, sshsources map[string]*sshagent.Source, idMaps IDMaps) (*specs.Mount, *sshagent.AgentServer, error) {
 	errInvalidSyntax := errors.New("ssh should have syntax id=id[,target=path,required=bool,mode=uint,uid=uint,gid=uint")

 	var err error
--- a/vendor/github.com/containers/buildah/run_linux.go
+++ b/vendor/github.com/containers/buildah/run_linux.go
@@ -40,7 +40,6 @@ import (
 	"github.com/containers/storage/pkg/unshare"
 	"github.com/docker/go-units"
 	"github.com/opencontainers/runtime-spec/specs-go"
-	spec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/runtime-tools/generate"
 	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/sirupsen/logrus"
@@ -157,7 +156,7 @@ func (b *Builder) Run(command []string, options RunOptions) error {
 		for _, m := range g.Mounts() {
 			mounts[m.Destination] = true
 		}
-		newMounts := []spec.Mount{}
+		newMounts := []specs.Mount{}
 		for _, d := range b.Devices {
 			// Default permission is read-only.
 			perm := "ro"
@@ -166,7 +165,7 @@ func (b *Builder) Run(command []string, options RunOptions) error {
 			if strings.Contains(string(d.Rule.Permissions), "w") {
 				perm = "rw"
 			}
-			devMnt := spec.Mount{
+			devMnt := specs.Mount{
 				Destination: d.Destination,
 				Type:        parse.TypeBind,
 				Source:      d.Source,
@@ -185,7 +184,7 @@ func (b *Builder) Run(command []string, options RunOptions) error {
 		g.Config.Mounts = append(newMounts, g.Config.Mounts...)
 	} else {
 		for _, d := range b.Devices {
-			sDev := spec.LinuxDevice{
+			sDev := specs.LinuxDevice{
 				Type:     string(d.Type),
 				Path:     d.Path,
 				Major:    d.Major,
@@ -380,8 +379,8 @@ rootless=%d
 	return err
 }

-func (b *Builder) setupOCIHooks(config *spec.Spec, hasVolumes bool) (map[string][]spec.Hook, error) {
-	allHooks := make(map[string][]spec.Hook)
+func (b *Builder) setupOCIHooks(config *specs.Spec, hasVolumes bool) (map[string][]specs.Hook, error) {
+	allHooks := make(map[string][]specs.Hook)
 	if len(b.CommonBuildOpts.OCIHooksDir) == 0 {
 		if unshare.IsRootless() {
 			return nil, nil
@@ -472,17 +471,13 @@ func addCommonOptsToSpec(commonOpts *define.CommonBuildOptions, g *generate.Gene
 	return nil
 }

-func setupSlirp4netnsNetwork(netns, cid string, options []string) (func(), map[string]nettypes.StatusBlock, error) {
-	defConfig, err := config.Default()
-	if err != nil {
-		return nil, nil, fmt.Errorf("failed to get container config: %w", err)
-	}
+func setupSlirp4netnsNetwork(config *config.Config, netns, cid string, options []string) (func(), map[string]nettypes.StatusBlock, error) {
 	// we need the TmpDir for the slirp4netns code
-	if err := os.MkdirAll(defConfig.Engine.TmpDir, 0o751); err != nil {
+	if err := os.MkdirAll(config.Engine.TmpDir, 0o751); err != nil {
 		return nil, nil, fmt.Errorf("failed to create tempdir: %w", err)
 	}
 	res, err := slirp4netns.Setup(&slirp4netns.SetupOptions{
-		Config:       defConfig,
+		Config:       config,
 		ContainerID:  cid,
 		Netns:        netns,
 		ExtraOptions: options,
@@ -519,14 +514,9 @@ func setupSlirp4netnsNetwork(netns, cid string, options []string) (func(), map[s
 	}, netStatus, nil
 }

-func setupPasta(netns string, options []string) (func(), map[string]nettypes.StatusBlock, error) {
-	defConfig, err := config.Default()
-	if err != nil {
-		return nil, nil, fmt.Errorf("failed to get container config: %w", err)
-	}
-
-	err = pasta.Setup(&pasta.SetupOptions{
-		Config:       defConfig,
+func setupPasta(config *config.Config, netns string, options []string) (func(), map[string]nettypes.StatusBlock, error) {
+	err := pasta.Setup(&pasta.SetupOptions{
+		Config:       config,
 		Netns:        netns,
 		ExtraOptions: options,
 	})
@@ -565,18 +555,33 @@ func setupPasta(netns string, options []string) (func(), map[string]nettypes.Sta
 func (b *Builder) runConfigureNetwork(pid int, isolation define.Isolation, options RunOptions, network, containerName string) (teardown func(), netStatus map[string]nettypes.StatusBlock, err error) {
 	netns := fmt.Sprintf("/proc/%d/ns/net", pid)
 	var configureNetworks []string
+	defConfig, err := config.Default()
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to get container config: %w", err)
+	}

 	name, networkOpts, hasOpts := strings.Cut(network, ":")
 	var netOpts []string
 	if hasOpts {
 		netOpts = strings.Split(networkOpts, ",")
 	}
+	if isolation == IsolationOCIRootless && name == "" {
+		switch defConfig.Network.DefaultRootlessNetworkCmd {
+		case slirp4netns.BinaryName, "":
+			name = slirp4netns.BinaryName
+		case pasta.BinaryName:
+			name = pasta.BinaryName
+		default:
+			return nil, nil, fmt.Errorf("invalid default_rootless_network_cmd option %q",
+				defConfig.Network.DefaultRootlessNetworkCmd)
+		}
+	}
+
 	switch {
-	case name == slirp4netns.BinaryName,
-		isolation == IsolationOCIRootless && name == "":
-		return setupSlirp4netnsNetwork(netns, containerName, netOpts)
+	case name == slirp4netns.BinaryName:
+		return setupSlirp4netnsNetwork(defConfig, netns, containerName, netOpts)
 	case name == pasta.BinaryName:
-		return setupPasta(netns, netOpts)
+		return setupPasta(defConfig, netns, netOpts)

 	// Basically default case except we make sure to not split an empty
 	// name as this would return a slice with one empty string which is
@@ -1107,7 +1112,7 @@ func setupCapabilities(g *generate.Generator, defaultCapabilities, adds, drops [
 	return setupCapDrop(g, drops...)
 }

-func addOrReplaceMount(mounts []specs.Mount, mount specs.Mount) []spec.Mount {
+func addOrReplaceMount(mounts []specs.Mount, mount specs.Mount) []specs.Mount {
 	for i := range mounts {
 		if mounts[i].Destination == mount.Destination {
 			mounts[i] = mount
@@ -1120,7 +1125,7 @@ func addOrReplaceMount(mounts []specs.Mount, mount specs.Mount) []spec.Mount {
 // setupSpecialMountSpecChanges creates special mounts for depending on the namespaces
 // logic taken from podman and adapted for buildah
 // https://github.com/containers/podman/blob/4ba71f955a944790edda6e007e6d074009d437a7/pkg/specgen/generate/oci.go#L178
-func setupSpecialMountSpecChanges(spec *spec.Spec, shmSize string) ([]specs.Mount, error) {
+func setupSpecialMountSpecChanges(spec *specs.Spec, shmSize string) ([]specs.Mount, error) {
 	mounts := spec.Mounts
 	isRootless := unshare.IsRootless()
 	isNewUserns := false
@@ -1236,7 +1241,7 @@ func setupSpecialMountSpecChanges(spec *spec.Spec, shmSize string) ([]specs.Moun
 	return mounts, nil
 }

-func checkIdsGreaterThan5(ids []spec.LinuxIDMapping) bool {
+func checkIdsGreaterThan5(ids []specs.LinuxIDMapping) bool {
 	for _, r := range ids {
 		if r.ContainerID <= 5 && 5 < r.ContainerID+r.Size {
 			return true
@@ -1246,7 +1251,7 @@ func checkIdsGreaterThan5(ids []spec.LinuxIDMapping) bool {
 }

 // If this function succeeds and returns a non-nil *lockfile.LockFile, the caller must unlock it (when??).
-func (b *Builder) getCacheMount(tokens []string, stageMountPoints map[string]internal.StageMountDetails, idMaps IDMaps, workDir string) (*spec.Mount, *lockfile.LockFile, error) {
+func (b *Builder) getCacheMount(tokens []string, stageMountPoints map[string]internal.StageMountDetails, idMaps IDMaps, workDir string) (*specs.Mount, *lockfile.LockFile, error) {
 	var optionMounts []specs.Mount
 	mount, targetLock, err := internalParse.GetCacheMount(tokens, b.store, b.MountLabel, stageMountPoints, workDir)
 	if err != nil {