Merge pull request #21260 from umohnani8/img-filters

Fix image filters parsing

go.mod

@@ -11,14 +11,14 @@ require (
 	github.com/checkpoint-restore/go-criu/v7 v7.0.0
 	github.com/containernetworking/plugins v1.4.0
 	github.com/containers/buildah v1.33.2-0.20231121195905-d1a1c53c8e1c
-	github.com/containers/common v0.57.1-0.20231206135104-b647eb3a5eea
+	github.com/containers/common v0.57.1-0.20240124083822-167512e3cfc4
 	github.com/containers/conmon v2.0.20+incompatible
 	github.com/containers/gvisor-tap-vsock v0.7.2
-	github.com/containers/image/v5 v5.29.1-0.20231214202217-8eabe0f6b3eb
+	github.com/containers/image/v5 v5.29.1-0.20231221164234-1b221d4a9c28
 	github.com/containers/libhvee v0.6.0
 	github.com/containers/ocicrypt v1.1.9
 	github.com/containers/psgo v1.8.0
-	github.com/containers/storage v1.51.1-0.20231205203947-fe005407c7d5
+	github.com/containers/storage v1.51.1-0.20231221151421-1020ab61b4e5
 	github.com/coreos/go-systemd/v22 v22.5.1-0.20231103132048-7d375ecc2b09
 	github.com/coreos/stream-metadata-go v0.4.4
 	github.com/crc-org/vfkit v0.5.0
@@ -49,7 +49,7 @@ require (
 	github.com/onsi/gomega v1.31.1
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.1.0-rc6
-	github.com/opencontainers/runc v1.1.10
+	github.com/opencontainers/runc v1.1.11
 	github.com/opencontainers/runtime-spec v1.1.1-0.20230823135140-4fec88fd00a4
 	github.com/opencontainers/runtime-tools v0.9.1-0.20230914150019-408c51e934dc
 	github.com/opencontainers/selinux v1.11.0
@@ -82,7 +82,7 @@ require (
 require (
 	dario.cat/mergo v1.0.0 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
-	github.com/Microsoft/hcsshim v0.12.0-rc.1 // indirect
+	github.com/Microsoft/hcsshim v0.12.0-rc.2 // indirect
 	github.com/VividCortex/ewma v1.2.0 // indirect
 	github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d // indirect
 	github.com/aead/serpent v0.0.0-20160714141033-fba169763ea6 // indirect
@@ -92,14 +92,14 @@ require (
 	github.com/chenzhuoyu/iasm v0.9.0 // indirect
 	github.com/chzyer/readline v1.5.1 // indirect
 	github.com/containerd/cgroups/v3 v3.0.2 // indirect
-	github.com/containerd/containerd v1.7.11 // indirect
+	github.com/containerd/containerd v1.7.12 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect
 	github.com/containerd/typeurl/v2 v2.1.1 // indirect
 	github.com/containernetworking/cni v1.1.2 // indirect
 	github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 // indirect
 	github.com/containers/luksy v0.0.0-20231030195837-b5a7f79da98b // indirect
-	github.com/coreos/go-oidc/v3 v3.7.0 // indirect
+	github.com/coreos/go-oidc/v3 v3.9.0 // indirect
 	github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f // indirect
 	github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
@@ -118,14 +118,14 @@ require (
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
 	github.com/go-openapi/analysis v0.21.4 // indirect
-	github.com/go-openapi/errors v0.20.4 // indirect
+	github.com/go-openapi/errors v0.21.0 // indirect
 	github.com/go-openapi/jsonpointer v0.19.6 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/loads v0.21.2 // indirect
 	github.com/go-openapi/runtime v0.26.0 // indirect
 	github.com/go-openapi/spec v0.20.9 // indirect
-	github.com/go-openapi/strfmt v0.21.9 // indirect
-	github.com/go-openapi/swag v0.22.4 // indirect
+	github.com/go-openapi/strfmt v0.21.10 // indirect
+	github.com/go-openapi/swag v0.22.5 // indirect
 	github.com/go-openapi/validate v0.22.1 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
@@ -136,7 +136,7 @@ require (
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
-	github.com/google/go-containerregistry v0.16.1 // indirect
+	github.com/google/go-containerregistry v0.17.0 // indirect
 	github.com/google/go-intervals v0.0.2 // indirect
 	github.com/google/pprof v0.0.0-20230323073829-e72429f035bd // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
@@ -150,7 +150,7 @@ require (
 	github.com/klauspost/pgzip v1.2.6 // indirect
 	github.com/kr/fs v0.1.0 // indirect
 	github.com/leodido/go-urn v1.2.4 // indirect
-	github.com/letsencrypt/boulder v0.0.0-20230213213521-fdfea0d469b6 // indirect
+	github.com/letsencrypt/boulder v0.0.0-20230907030200-6d76a0f91e1e // indirect
 	github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/manifoldco/promptui v0.9.0 // indirect
@@ -179,15 +179,15 @@ require (
 	github.com/proglottis/gpgme v0.1.3 // indirect
 	github.com/rivo/uniseg v0.4.4 // indirect
 	github.com/seccomp/libseccomp-golang v0.10.0 // indirect
-	github.com/secure-systems-lab/go-securesystemslib v0.7.0 // indirect
+	github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect
 	github.com/segmentio/ksuid v1.0.4 // indirect
 	github.com/shoenig/go-m1cpu v0.1.6 // indirect
 	github.com/sigstore/fulcio v1.4.3 // indirect
 	github.com/sigstore/rekor v1.2.2 // indirect
-	github.com/sigstore/sigstore v1.7.6 // indirect
+	github.com/sigstore/sigstore v1.8.0 // indirect
 	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
 	github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980 // indirect
-	github.com/sylabs/sif/v2 v2.15.0 // indirect
+	github.com/sylabs/sif/v2 v2.15.1 // indirect
 	github.com/tchap/go-patricia/v2 v2.3.1 // indirect
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
 	github.com/tklauser/go-sysconf v0.3.12 // indirect
@@ -213,7 +213,7 @@ require (
 	golang.org/x/tools v0.16.1 // indirect
 	google.golang.org/appengine v1.6.8 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20230920204549-e6e6cdab5c13 // indirect
-	google.golang.org/grpc v1.58.3 // indirect
+	google.golang.org/grpc v1.59.0 // indirect
 	gopkg.in/go-jose/go-jose.v2 v2.6.1 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect

go.sum

@@ -67,8 +67,8 @@ github.com/Microsoft/hcsshim v0.8.15/go.mod h1:x38A4YbHbdxJtc0sF6oIz+RG0npwSCAvn
 github.com/Microsoft/hcsshim v0.8.16/go.mod h1:o5/SZqmR7x9JNKsW3pu+nqHm0MF8vbA+VxGOoXdC600=
 github.com/Microsoft/hcsshim v0.8.21/go.mod h1:+w2gRZ5ReXQhFOrvSQeNfhrYB/dg3oDwTOcER2fw4I4=
 github.com/Microsoft/hcsshim v0.9.4/go.mod h1:7pLA8lDk46WKDWlVsENo92gC0XFa8rbKfyFRBqxEbCc=
-github.com/Microsoft/hcsshim v0.12.0-rc.1 h1:Hy+xzYujv7urO5wrgcG58SPMOXNLrj4WCJbySs2XX/A=
-github.com/Microsoft/hcsshim v0.12.0-rc.1/go.mod h1:Y1a1S0QlYp1mBpyvGiuEdOfZqnao+0uX5AWHXQ5NhZU=
+github.com/Microsoft/hcsshim v0.12.0-rc.2 h1:gfKebjq3Mq17Ys+4cjE8vc2h6tZVeqCGb9a7vBVqpAk=
+github.com/Microsoft/hcsshim v0.12.0-rc.2/go.mod h1:G2TZhBED5frlh/hsuxV5CDh/ylkSFknPAMPpQg9owQw=
 github.com/Microsoft/hcsshim/test v0.0.0-20201218223536-d3e5debf77da/go.mod h1:5hlzMzRKMLyo42nCZ9oml8AdTlq/0cvIaBv6tK1RehU=
 github.com/Microsoft/hcsshim/test v0.0.0-20210227013316-43a75bb4edd3/go.mod h1:mw7qgWloBUl75W/gVH3cQszUg1+gUITj7D6NY7ywVnY=
 github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
@@ -194,8 +194,8 @@ github.com/containerd/containerd v1.5.0-beta.4/go.mod h1:GmdgZd2zA2GYIBZ0w09Zvgq
 github.com/containerd/containerd v1.5.0-rc.0/go.mod h1:V/IXoMqNGgBlabz3tHD2TWDoTJseu1FGOKuoA4nNb2s=
 github.com/containerd/containerd v1.5.1/go.mod h1:0DOxVqwDy2iZvrZp2JUx/E+hS0UNTVn7dJnIOwtYR4g=
 github.com/containerd/containerd v1.5.7/go.mod h1:gyvv6+ugqY25TiXxcZC3L5yOeYgEw0QMhscqVp1AR9c=
-github.com/containerd/containerd v1.7.11 h1:lfGKw3eU35sjV0aG2eYZTiwFEY1pCzxdzicHP3SZILw=
-github.com/containerd/containerd v1.7.11/go.mod h1:5UluHxHTX2rdvYuZ5OJTC5m/KJNs0Zs9wVoJm9zf5ZE=
+github.com/containerd/containerd v1.7.12 h1:+KQsnv4VnzyxWcfO9mlxxELaoztsDEjOuCMPAuPqgU0=
+github.com/containerd/containerd v1.7.12/go.mod h1:/5OMpE1p0ylxtEUGY8kuCYkDRzJm9NO1TFMWjUpdevk=
 github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
 github.com/containerd/continuity v0.0.0-20190815185530-f2a389ac0a02/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
 github.com/containerd/continuity v0.0.0-20191127005431-f65d91d395eb/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
@@ -257,14 +257,14 @@ github.com/containernetworking/plugins v1.4.0 h1:+w22VPYgk7nQHw7KT92lsRmuToHvb7w
 github.com/containernetworking/plugins v1.4.0/go.mod h1:UYhcOyjefnrQvKvmmyEKsUA+M9Nfn7tqULPpH0Pkcj0=
 github.com/containers/buildah v1.33.2-0.20231121195905-d1a1c53c8e1c h1:E7nxvH3N3kpyson0waJv1X+eY9hAs+x2zQswsK+//yY=
 github.com/containers/buildah v1.33.2-0.20231121195905-d1a1c53c8e1c/go.mod h1:oMNfVrZGEfWVOxXTNOYPMdZzDfSo2umURK/TO0d8TRk=
-github.com/containers/common v0.57.1-0.20231206135104-b647eb3a5eea h1:PI6EWt76Df+v4KrZ6Wn1Fvz/zQvbAYO+2gAQeBGzj3s=
-github.com/containers/common v0.57.1-0.20231206135104-b647eb3a5eea/go.mod h1:WbO7Tl8eLCt/+b35lsuc1NkWy7cZsdgF84EJ7VKhgOU=
+github.com/containers/common v0.57.1-0.20240124083822-167512e3cfc4 h1:gX7CDGPna9aj5J5UXLfzX8F0rwVHVWwAS6wXGATMMUc=
+github.com/containers/common v0.57.1-0.20240124083822-167512e3cfc4/go.mod h1:3V+lxqRPM/HhF3Vizml1m698IAC08xCVM3waMWX4E/Q=
 github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
 github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
 github.com/containers/gvisor-tap-vsock v0.7.2 h1:6CyU5D85C0/DciRRd7W0bPljK4FAS+DPrrHEQMHfZKY=
 github.com/containers/gvisor-tap-vsock v0.7.2/go.mod h1:6NiTxh2GCVxZQLPzfuEB78/Osp2Usd9uf6nLdd6PiUY=
-github.com/containers/image/v5 v5.29.1-0.20231214202217-8eabe0f6b3eb h1:lCFjLpNX0BXdset9e5T5lp/MnPh4FmulIP3gkrntFts=
-github.com/containers/image/v5 v5.29.1-0.20231214202217-8eabe0f6b3eb/go.mod h1:OVejSoGky0FNBvFris29zLQs7bcVWtGM/cZwQ6e38Ik=
+github.com/containers/image/v5 v5.29.1-0.20231221164234-1b221d4a9c28 h1:dI4/9x4Oh8SWEKIP8KcwoCFUWDO8jHbbfLhaFr20R/Y=
+github.com/containers/image/v5 v5.29.1-0.20231221164234-1b221d4a9c28/go.mod h1:LC9m+8ED9+Vuw2WSd/mgvrHbi/44WJj/XBDNdiZC0AY=
 github.com/containers/libhvee v0.6.0 h1:tUzwSz8R0GjR6IctgDnkTMjdtCk5Mxhpai4Vyv6UeF4=
 github.com/containers/libhvee v0.6.0/go.mod h1:f/q1wCdQqOLiK3IZqqBfOD7exMZYBU5pDYsrMa/pSFg=
 github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 h1:Qzk5C6cYglewc+UyGf6lc8Mj2UaPTHy/iF2De0/77CA=
@@ -279,15 +279,15 @@ github.com/containers/ocicrypt v1.1.9/go.mod h1:dTKx1918d8TDkxXvarscpNVY+lyPakPN
 github.com/containers/psgo v1.8.0 h1:2loGekmGAxM9ir5OsXWEfGwFxorMPYnc6gEDsGFQvhY=
 github.com/containers/psgo v1.8.0/go.mod h1:T8ZxnX3Ur4RvnhxFJ7t8xJ1F48RhiZB4rSrOaR/qGHc=
 github.com/containers/storage v1.43.0/go.mod h1:uZ147thiIFGdVTjMmIw19knttQnUCl3y9zjreHrg11s=
-github.com/containers/storage v1.51.1-0.20231205203947-fe005407c7d5 h1:eiCkAt+i9BYRjR7KEKPI3iORCSABhY+spM/w8BkI2lo=
-github.com/containers/storage v1.51.1-0.20231205203947-fe005407c7d5/go.mod h1:pMhG1O3eMGlQKpuEuv7ves+K3BsK8/UJs8ctV5fEaoI=
+github.com/containers/storage v1.51.1-0.20231221151421-1020ab61b4e5 h1:HzlHfy8C02EMrA9YUMUxAAgL9G1XCD0saMU9Lwg4Gfg=
+github.com/containers/storage v1.51.1-0.20231221151421-1020ab61b4e5/go.mod h1:s37+wxZpGp2eh4vzBKZl9vil/s+j6KhcrdgdMoWZGCg=
 github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
 github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/go-iptables v0.4.5/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU=
 github.com/coreos/go-iptables v0.5.0/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU=
 github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
-github.com/coreos/go-oidc/v3 v3.7.0 h1:FTdj0uexT4diYIPlF4yoFVI5MRO1r5+SEcIpEw9vC0o=
-github.com/coreos/go-oidc/v3 v3.7.0/go.mod h1:yQzSCqBnK3e6Fs5l+f5i0F8Kwf0zpH9bPEsbY00KanM=
+github.com/coreos/go-oidc/v3 v3.9.0 h1:0J/ogVOd4y8P0f0xUh8l9t07xRP/d8tccvjHl2dcsSo=
+github.com/coreos/go-oidc/v3 v3.9.0/go.mod h1:rTKz2PYwftcrtoCzV5g5kvfJoWcm0Mk8AF8y1iAQro4=
 github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-systemd v0.0.0-20161114122254-48702e0da86b/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
@@ -381,9 +381,6 @@ github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.m
 github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
-github.com/facebookgo/clock v0.0.0-20150410010913-600d898af40a h1:yDWHCSQ40h88yih2JAcL6Ls/kVkSE8GFACTGVnMPruw=
-github.com/facebookgo/limitgroup v0.0.0-20150612190941-6abd8d71ec01 h1:IeaD1VDVBPlx3viJT9Md8if8IxxJnO+x0JCGb054heg=
-github.com/facebookgo/muster v0.0.0-20150708232844-fd3d7953fd52 h1:a4DFiKFJiDRGFD1qIcqGLX/WlUMD9dyLSLDt+9QZgt8=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk=
 github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
@@ -433,8 +430,8 @@ github.com/go-openapi/analysis v0.21.4/go.mod h1:4zQ35W4neeZTqh3ol0rv/O8JBbka9Qy
 github.com/go-openapi/errors v0.19.8/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M=
 github.com/go-openapi/errors v0.19.9/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M=
 github.com/go-openapi/errors v0.20.2/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M=
-github.com/go-openapi/errors v0.20.4 h1:unTcVm6PispJsMECE3zWgvG4xTiKda1LIR5rCRWLG6M=
-github.com/go-openapi/errors v0.20.4/go.mod h1:Z3FlZ4I8jEGxjUK+bugx3on2mIAk4txuAOhlsB1FSgk=
+github.com/go-openapi/errors v0.21.0 h1:FhChC/duCnfoLj1gZ0BgaBmzhJC2SL/sJr8a2vAobSY=
+github.com/go-openapi/errors v0.21.0/go.mod h1:jxNTMUxRCKj65yb/okJGEtahVd7uvWnuWfj53bse4ho=
 github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0=
 github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg=
 github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
@@ -462,16 +459,16 @@ github.com/go-openapi/spec v0.20.9/go.mod h1:2OpW+JddWPrpXSCIX8eOx7lZ5iyuWj3RYR6
 github.com/go-openapi/strfmt v0.21.0/go.mod h1:ZRQ409bWMj+SOgXofQAGTIo2Ebu72Gs+WaRADcS5iNg=
 github.com/go-openapi/strfmt v0.21.1/go.mod h1:I/XVKeLc5+MM5oPNN7P6urMOpuLXEcNrCX/rPGuWb0k=
 github.com/go-openapi/strfmt v0.21.3/go.mod h1:k+RzNO0Da+k3FrrynSNN8F7n/peCmQQqbbXjtDfvmGg=
-github.com/go-openapi/strfmt v0.21.9 h1:LnEGOO9qyEC1v22Bzr323M98G13paIUGPU7yeJtG9Xs=
-github.com/go-openapi/strfmt v0.21.9/go.mod h1:0k3v301mglEaZRJdDDGSlN6Npq4VMVU69DE0LUyf7uA=
+github.com/go-openapi/strfmt v0.21.10 h1:JIsly3KXZB/Qf4UzvzJpg4OELH/0ASDQsyk//TTBDDk=
+github.com/go-openapi/strfmt v0.21.10/go.mod h1:vNDMwbilnl7xKiO/Ve/8H8Bb2JIInBnH+lqiw6QWgis=
 github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I=
 github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
 github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
 github.com/go-openapi/swag v0.19.15/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ=
 github.com/go-openapi/swag v0.21.1/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ=
 github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
-github.com/go-openapi/swag v0.22.4 h1:QLMzNJnMGPRNDCbySlcj1x01tzU8/9LTTL9hZZZogBU=
-github.com/go-openapi/swag v0.22.4/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
+github.com/go-openapi/swag v0.22.5 h1:fVS63IE3M0lsuWRzuom3RLwUMVI2peDH01s6M70ugys=
+github.com/go-openapi/swag v0.22.5/go.mod h1:Gl91UqO+btAM0plGGxHqJcQZ1ZTy6jbmridBTsDy8A0=
 github.com/go-openapi/validate v0.22.1 h1:G+c2ub6q47kfX1sOBLwIQwzBVt8qmOAARyo/9Fqs9NU=
 github.com/go-openapi/validate v0.22.1/go.mod h1:rjnrwK57VJ7A8xqfpAOEKRH8yQSGUriMu5/zuPSQ1hg=
 github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s=
@@ -582,8 +579,8 @@ github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-containerregistry v0.5.1/go.mod h1:Ct15B4yir3PLOP5jsy0GNeYVaIZs/MK/Jz5any1wFW0=
-github.com/google/go-containerregistry v0.16.1 h1:rUEt426sR6nyrL3gt+18ibRcvYpKYdpsa5ZW7MA08dQ=
-github.com/google/go-containerregistry v0.16.1/go.mod h1:u0qB2l7mvtWVR5kNcbFIhFY1hLbf8eeGapA+vbFDCtQ=
+github.com/google/go-containerregistry v0.17.0 h1:5p+zYs/R4VGHkhyvgWurWrpJ2hW4Vv9fQI+GzdcwXLk=
+github.com/google/go-containerregistry v0.17.0/go.mod h1:u0qB2l7mvtWVR5kNcbFIhFY1hLbf8eeGapA+vbFDCtQ=
 github.com/google/go-intervals v0.0.2 h1:FGrVEiUnTRKR8yE04qzXYaJMtnIYqobR5QbblK3ixcM=
 github.com/google/go-intervals v0.0.2/go.mod h1:MkaR3LNRfeKLPmqgJYs4E66z5InYjmCjbbr4TQlcT6Y=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
@@ -652,8 +649,6 @@ github.com/hashicorp/go-retryablehttp v0.7.5/go.mod h1:Jy/gPYAdjqffZ/yFGCFV2doI5
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
-github.com/honeycombio/beeline-go v1.10.0 h1:cUDe555oqvw8oD76BQJ8alk7FP0JZ/M/zXpNvOEDLDc=
-github.com/honeycombio/libhoney-go v1.16.0 h1:kPpqoz6vbOzgp7jC6SR7SkNj7rua7rgxvznI6M3KdHc=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/hugelgupf/p9 v0.3.1-0.20230822151754-54f5c5530921 h1:cfYGdNpXGZobTSSDFB+wx2FRfWptM7sCkScJgVx0Tkk=
 github.com/hugelgupf/p9 v0.3.1-0.20230822151754-54f5c5530921/go.mod h1:nMr69J6AmirlSvzeVLK7gj4DUY1oYtSwcSiSJ7BBb0A=
@@ -675,7 +670,7 @@ github.com/jinzhu/copier v0.4.0 h1:w3ciUoD19shMCRargcpm0cm91ytaBhDvuRpz1ODO/U8=
 github.com/jinzhu/copier v0.4.0/go.mod h1:DfbEm0FYsaqBcKcFuvmOZb218JkPGtvSHsKg8S8hyyg=
 github.com/jmespath/go-jmespath v0.0.0-20160202185014-0b12d6b521d8/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
 github.com/jmespath/go-jmespath v0.0.0-20160803190731-bd40a432e4c7/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
-github.com/jmhodges/clock v0.0.0-20160418191101-880ee4c33548 h1:dYTbLf4m0a5u0KLmPfB6mgxbcV7588bOCx79hxa5Sr4=
+github.com/jmhodges/clock v1.2.0 h1:eq4kys+NI0PLngzaHEe7AmPT90XMGIEySD1JfV1PDIs=
 github.com/joefitzgerald/rainbow-reporter v0.1.0/go.mod h1:481CNgqmVHQZzdIbN52CupLJyoVwB10FQ/IQlF1pdL8=
 github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg=
 github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
@@ -730,8 +725,8 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/leodido/go-urn v1.2.4 h1:XlAE/cm/ms7TE/VMVoduSpNBoyc2dOxHs5MZSwAN63Q=
 github.com/leodido/go-urn v1.2.4/go.mod h1:7ZrI8mTSeBSHl/UaRyKQW1qZeMgak41ANeCNaVckg+4=
-github.com/letsencrypt/boulder v0.0.0-20230213213521-fdfea0d469b6 h1:unJdfS94Y3k85TKy+mvKzjW5R9rIC+Lv4KGbE7uNu0I=
-github.com/letsencrypt/boulder v0.0.0-20230213213521-fdfea0d469b6/go.mod h1:PUgW5vI9ANEaV6qv9a6EKu8gAySgwf0xrzG9xIB/CK0=
+github.com/letsencrypt/boulder v0.0.0-20230907030200-6d76a0f91e1e h1:RLTpX495BXToqxpM90Ws4hXEo4Wfh81jr9DX1n/4WOo=
+github.com/letsencrypt/boulder v0.0.0-20230907030200-6d76a0f91e1e/go.mod h1:EAuqr9VFWxBi9nD5jc/EA2MT1RFty9288TF6zdtYoCU=
 github.com/linuxkit/virtsock v0.0.0-20201010232012-f8cee7dfc7a3/go.mod h1:3r6x7q95whyfWQpmGZTu3gk3v2YkMi05HEzl7Tf7YEo=
 github.com/linuxkit/virtsock v0.0.0-20220523201153-1a23e78aa7a2 h1:DZMFueDbfz6PNc1GwDRA8+6lBx1TB9UnxDQliCqR73Y=
 github.com/linuxkit/virtsock v0.0.0-20220523201153-1a23e78aa7a2/go.mod h1:SWzULI85WerrFt3u+nIm5F9l7EvxZTKQvd0InF3nmgM=
@@ -964,8 +959,8 @@ github.com/sclevine/spec v1.2.0/go.mod h1:W4J29eT/Kzv7/b9IWLB055Z+qvVC9vt0Arko24
 github.com/sebdah/goldie/v2 v2.5.3 h1:9ES/mNN+HNUbNWpVAlrzuZ7jE+Nrczbj8uFRjM7624Y=
 github.com/seccomp/libseccomp-golang v0.10.0 h1:aA4bp+/Zzi0BnWZ2F1wgNBs5gTpm+na2rWM6M9YjLpY=
 github.com/seccomp/libseccomp-golang v0.10.0/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg=
-github.com/secure-systems-lab/go-securesystemslib v0.7.0 h1:OwvJ5jQf9LnIAS83waAjPbcMsODrTQUpJ02eNLUoxBg=
-github.com/secure-systems-lab/go-securesystemslib v0.7.0/go.mod h1:/2gYnlnHVQ6xeGtfIqFy7Do03K4cdCY0A/GlJLDKLHI=
+github.com/secure-systems-lab/go-securesystemslib v0.8.0 h1:mr5An6X45Kb2nddcFlbmfHkLguCE9laoZCUzEEpIZXA=
+github.com/secure-systems-lab/go-securesystemslib v0.8.0/go.mod h1:UH2VZVuJfCYR8WgMlCU1uFsOUU+KeyrTWcSS73NBOzU=
 github.com/segmentio/ksuid v1.0.4 h1:sBo2BdShXjmcugAMwjugoGUdUV0pcxY5mW4xKRn3v4c=
 github.com/segmentio/ksuid v1.0.4/go.mod h1:/XUiZBD3kVx5SmUOl55voK5yeAbBNNIed+2O73XgrPE=
 github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ=
@@ -980,8 +975,8 @@ github.com/sigstore/fulcio v1.4.3 h1:9JcUCZjjVhRF9fmhVuz6i1RyhCc/EGCD7MOl+iqCJLQ
 github.com/sigstore/fulcio v1.4.3/go.mod h1:BQPWo7cfxmJwgaHlphUHUpFkp5+YxeJes82oo39m5og=
 github.com/sigstore/rekor v1.2.2 h1:5JK/zKZvcQpL/jBmHvmFj3YbpDMBQnJQ6ygp8xdF3bY=
 github.com/sigstore/rekor v1.2.2/go.mod h1:FGnWBGWzeNceJnp0x9eDFd41mI8aQqCjj+Zp0IEs0Qg=
-github.com/sigstore/sigstore v1.7.6 h1:zB0woXx+3Bp7dk7AjklHF1VhXBdCs84VXkZbp0IHLv8=
-github.com/sigstore/sigstore v1.7.6/go.mod h1:FJE+NpEZIs4QKqZl4B2RtaVLVDcDtocAwTiNlexeBkY=
+github.com/sigstore/sigstore v1.8.0 h1:sSRWXv1JiDsK4T2wNWVYcvKCgxcSrhQ/QUJxsfCO4OM=
+github.com/sigstore/sigstore v1.8.0/go.mod h1:l12B1gFlLIpBIVeqk/q1Lb+6YSOGNuN3xLExIjYH+qc=
 github.com/sirupsen/logrus v1.0.4-0.20170822132746-89742aefa4b2/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc=
 github.com/sirupsen/logrus v1.0.6/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
@@ -1038,8 +1033,8 @@ github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o
 github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
-github.com/sylabs/sif/v2 v2.15.0 h1:Nv0tzksFnoQiQ2eUwpAis9nVqEu4c3RcNSxX8P3Cecw=
-github.com/sylabs/sif/v2 v2.15.0/go.mod h1:X1H7eaPz6BAxA84POMESXoXfTqgAnLQkujyF/CQFWTc=
+github.com/sylabs/sif/v2 v2.15.1 h1:75BcunPOY11fVhe02/WHuNLTfDd3OHH0ex0MuuNMYX0=
+github.com/sylabs/sif/v2 v2.15.1/go.mod h1:YiwCUdZOhiohnPbyxuxvCZa+03HwAaiC+vfAKZPR8nQ=
 github.com/syndtr/gocapability v0.0.0-20170704070218-db04d3cc01c8/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 h1:kdXcSzyDtseVEc4yCz2qF8ZrQvIDBJLl4S1c3GCXmoI=
@@ -1090,8 +1085,6 @@ github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17
 github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
 github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1YX8=
 github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
-github.com/vmihailenco/msgpack/v5 v5.3.5 h1:5gO0H1iULLWGhs2H5tbAHIZTV8/cYafcFOr9znI5mJU=
-github.com/vmihailenco/tagparser/v2 v2.0.0 h1:y09buUbR+b5aycVFQs/g70pqKVZNBmxwAhO7/IwNM9g=
 github.com/willf/bitset v1.1.11-0.20200630133818-d5bec3311243/go.mod h1:RjeCKbqT1RxIR/KWY6phxZiaY1IyutSBfGjNPySAYV4=
 github.com/willf/bitset v1.1.11/go.mod h1:83CECat5yLh5zVOf4P1ErAgKA5UDvKtgyUABdr3+MjI=
 github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI=
@@ -1552,8 +1545,8 @@ google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTp
 google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
 google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
 google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
-google.golang.org/grpc v1.58.3 h1:BjnpXut1btbtgN/6sp+brB2Kbm2LjNXnidYujAVbSoQ=
-google.golang.org/grpc v1.58.3/go.mod h1:tgX3ZQDlNJGU96V6yHh1T/JeoBQ2TXdr43YbYSsCJk0=
+google.golang.org/grpc v1.59.0 h1:Z5Iec2pjwb+LEOqzpB2MR12/eKFhDPhuqW91O+4bwUk=
+google.golang.org/grpc v1.59.0/go.mod h1:aUPDwccQo6OTjy7Hct4AfBPD1GptF4fyUjIkQ9YtF98=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -1572,7 +1565,6 @@ google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs
 google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
-gopkg.in/alexcesaro/statsd.v2 v2.0.0 h1:FXkZSCZIH17vLCO5sO2UucTHsH9pc+17F6pl3JVCwMc=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20141024133853-64131543e789/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

pkg/autoupdate/autoupdate.go

@@ -316,7 +316,7 @@ func (t *task) localUpdateAvailable() (bool, error) {
 	if err != nil {
 		return false, err
 	}
-	return localImg.Digest().String() != t.image.Digest().String(), nil
+	return localImg.ID() != t.image.ID(), nil
 }
 
 // rollbackImage rolls back the task's image to the previous version before the update.

pkg/domain/infra/tunnel/images.go

@@ -37,8 +37,8 @@ func (ir *ImageEngine) Remove(ctx context.Context, imagesArg []string, opts enti
 func (ir *ImageEngine) List(ctx context.Context, opts entities.ImageListOptions) ([]*entities.ImageSummary, error) {
 	filters := make(map[string][]string, len(opts.Filter))
 	for _, filter := range opts.Filter {
-		f := strings.Split(filter, "=")
-		filters[f[0]] = f[1:]
+		f := strings.SplitN(filter, "=", 2)
+		filters[f[0]] = append(filters[f[0]], f[1])
 	}
 	options := new(images.ListOptions).WithAll(opts.All).WithFilters(filters)
 	psImages, err := images.List(ir.ClientCtx, options)

test/e2e/images_test.go

@@ -496,4 +496,53 @@ RUN > file2
 
 	})
 
+	It("podman images filter should be AND logic", func() {
+		dockerfile := `FROM quay.io/libpod/alpine:latest
+LABEL abc=""
+LABEL xyz=""
+`
+		podmanTest.BuildImage(dockerfile, "test-abc-xyz", "true")
+
+		dockerfile2 := `FROM quay.io/libpod/alpine:latest
+LABEL xyz="bar"
+`
+		podmanTest.BuildImage(dockerfile2, "test-xyz", "true")
+
+		session := podmanTest.Podman([]string{"images", "-f", "label=xyz"})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(ExitCleanly())
+		Expect(session.OutputToStringArray()).To(HaveLen(3))
+		Expect(session.OutputToString()).To(ContainSubstring("test-abc-xyz"))
+		Expect(session.OutputToString()).To(ContainSubstring("test-xyz"))
+
+		session = podmanTest.Podman([]string{"images", "-f", "label=xyz=bar"})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(ExitCleanly())
+		Expect(session.OutputToStringArray()).To(HaveLen(2))
+		Expect(session.OutputToString()).To(ContainSubstring("test-xyz"))
+
+		session = podmanTest.Podman([]string{"images", "-f", "label=abc"})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(ExitCleanly())
+		Expect(session.OutputToStringArray()).To(HaveLen(2))
+		Expect(session.OutputToString()).To(ContainSubstring("test-abc-xyz"))
+
+		session = podmanTest.Podman([]string{"images", "-f", "label=abc", "-f", "label=xyz"})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(ExitCleanly())
+		Expect(session.OutputToStringArray()).To(HaveLen(2))
+		Expect(session.OutputToString()).To(ContainSubstring("test-abc-xyz"))
+
+		session = podmanTest.Podman([]string{"images", "-f", "label=xyz=bar", "-f", "label=abc"})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(ExitCleanly())
+		Expect(session.OutputToStringArray()).To(HaveLen(1))
+
+		session = podmanTest.Podman([]string{"images", "-f", "label=xyz", "-f", "reference=test-abc-xyz"})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(ExitCleanly())
+		Expect(session.OutputToStringArray()).To(HaveLen(2))
+		Expect(session.OutputToString()).To(ContainSubstring("test-abc-xyz"))
+	})
+
 })

test/system/030-run.bats

@@ -629,12 +629,16 @@ json-file | f
 @test "podman inspect includes image data" {
     randomname=$(random_string 30)
 
-    run_podman inspect $IMAGE --format "{{.ID}} {{.Digest}}"
+    run_podman inspect $IMAGE --format "{{.ID}}"
     expected="$IMAGE $output"
+    run_podman inspect $IMAGE --format "{{.RepoDigests}}"
+    expectedDigests="$output"
 
     run_podman run --name $randomname $IMAGE true
-    run_podman container inspect $randomname --format "{{.ImageName}} {{.Image}} {{.ImageDigest}}"
+    run_podman container inspect $randomname --format "{{.ImageName}} {{.Image}}"
     is "$output" "$expected"
+    run_podman container inspect $randomname --format "{{.ImageDigest}}"
+    assert "$output" =~ "$expectedDigests"
     run_podman rm -f -t0 $randomname
 }
 

test/system/120-load.bats

@@ -109,8 +109,8 @@ verify_iid_and_name() {
     _sudo true || skip "cannot sudo to $notme"
 
     # Preserve digest of original image; we will compare against it later
-    run_podman image inspect --format '{{.Digest}}' $IMAGE
-    src_digest=$output
+    run_podman image inspect --format '{{.RepoDigests}}' $IMAGE
+    src_digests=$output
 
     # image name that is not likely to exist in the destination
     newname=foo.bar/nonesuch/c_$(random_string 10 | tr A-Z a-z):mytag
@@ -132,14 +132,14 @@ verify_iid_and_name() {
 
     # Confirm that we have it, and that its digest matches our original
     run_podman image inspect --format '{{.Digest}}' $newname
-    is "$output" "$src_digest" "Digest of re-fetched image matches original"
+    assert "$output" =~ "$src_digests" "Digest of re-fetched image is in list of original image digests"
 
     # test tagging capability
     run_podman untag $IMAGE $newname
     run_podman image scp ${notme}@localhost::$newname foobar:123
 
     run_podman image inspect --format '{{.Digest}}' foobar:123
-    is "$output" "$src_digest" "Digest of re-fetched image matches original"
+    assert "$output" =~ "$src_digest" "Digest of re-fetched image is in list of original image digests"
 
     # remove root img for transfer back with another name
     _sudo $PODMAN image rm $newname

vendor/github.com/Microsoft/hcsshim/.golangci.yml

@@ -20,6 +20,7 @@ linters:
     # - typecheck
     # - unused
 
+    - errorlint # error wrapping (eg, not using `errors.Is`, using `%s` instead of `%w` in `fmt.Errorf`)
     - gofmt # whether code was gofmt-ed
     - govet # enabled by default, but just to be sure
     - nolintlint # ill-formed or insufficient nolint directives
@@ -53,6 +54,12 @@ issues:
       text: "^ST1003: should not use underscores in package names$"
       source: "^package cri_containerd$"
 
+    # don't bother with propper error wrapping in test code
+    - path: cri-containerd
+      linters:
+        - errorlint
+      text: "non-wrapping format verb for fmt.Errorf"
+
     # This repo has a LOT of generated schema files, operating system bindings, and other
     # things that ST1003 from stylecheck won't like (screaming case Windows api constants for example).
     # There's also some structs that we *could* change the initialisms to be Go friendly

vendor/github.com/Microsoft/hcsshim/README.md

@@ -9,15 +9,18 @@ It is primarily used in the [Moby](https://github.com/moby/moby) and [Containerd
 ## Building
 
 While this repository can be used as a library of sorts to call the HCS apis, there are a couple binaries built out of the repository as well. The main ones being the Linux guest agent, and an implementation of the [runtime v2 containerd shim api](https://github.com/containerd/containerd/blob/master/runtime/v2/README.md).
+
 ### Linux Hyper-V Container Guest Agent
 
 To build the Linux guest agent itself all that's needed is to set your GOOS to "Linux" and build out of ./cmd/gcs.
+
 ```powershell
 C:\> $env:GOOS="linux"
 C:\> go build .\cmd\gcs\
 ```
 
 or on a Linux machine
+
 ```sh
 > go build ./cmd/gcs
 ```
@@ -33,13 +36,15 @@ make all
 ```
 
 If the build is successful, in the `./out` folder you should see:
+
 ```sh
 > ls ./out/
 delta.tar.gz  initrd.img  rootfs.tar.gz
 ```
 
 ### Containerd Shim
-For info on the Runtime V2 API: https://github.com/containerd/containerd/blob/master/runtime/v2/README.md.
+
+For info on the [Runtime V2 API](https://github.com/containerd/containerd/blob/master/runtime/v2/README.md).
 
 Contrary to the typical Linux architecture of shim -> runc, the runhcs shim is used both to launch and manage the lifetime of containers.
 
@@ -48,7 +53,9 @@ C:\> $env:GOOS="windows"
 C:\> go build .\cmd\containerd-shim-runhcs-v1
 ```
 
-Then place the binary in the same directory that Containerd is located at in your environment. A default Containerd configuration file can be generated by running:
+Then place the binary in the same directory that Containerd is located at in your environment.
+A default Containerd configuration file can be generated by running:
+
 ```powershell
 .\containerd.exe config default | Out-File "C:\Program Files\containerd\config.toml" -Encoding ascii
 ```
@@ -56,6 +63,7 @@ Then place the binary in the same directory that Containerd is located at in you
 This config file will already have the shim set as the default runtime for cri interactions.
 
 To trial using the shim out with ctr.exe:
+
 ```powershell
 C:\> ctr.exe run --runtime io.containerd.runhcs.v1 --rm mcr.microsoft.com/windows/nanoserver:2004 windows-test cmd /c "echo Hello World!"
 ```
@@ -64,16 +72,69 @@ C:\> ctr.exe run --runtime io.containerd.runhcs.v1 --rm mcr.microsoft.com/window
 
 This project welcomes contributions and suggestions. Most contributions require you to agree to a
 Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us
-the rights to use your contribution. For details, visit https://cla.microsoft.com.
+the rights to use your contribution. For details, visit [Microsoft CLA](https://cla.microsoft.com).
 
 When you submit a pull request, a CLA-bot will automatically determine whether you need to provide
 a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions
 provided by the bot. You will only need to do this once across all repos using our CLA.
 
-We also require that contributors [sign their commits](https://git-scm.com/docs/git-commit) using `git commit -s` or `git commit --signoff` to
-certify they either authored the work themselves or otherwise have permission to use it in this project. Please see https://developercertificate.org/ for
-more info, as well as to make sure that you can attest to the rules listed. Our CI uses the [DCO Github app](https://github.com/apps/dco) to ensure
-that all commits in a given PR are signed-off.
+We require that contributors sign their commits
+to certify they either authored the work themselves or otherwise have permission to use it in this project.
+
+We also require that contributors sign their commits using  using [`git commit --signoff`][git-commit-s]
+to certify they either authored the work themselves or otherwise have permission to use it in this project.
+A range of commits can be signed off using [`git rebase --signoff`][git-rebase-s].
+
+Please see  [the developer certificate](https://developercertificate.org) for more info,
+as well as to make sure that you can attest to the rules listed.
+Our CI uses the [DCO Github app](https://github.com/apps/dco) to ensure that all commits in a given PR are signed-off.
+
+### Linting
+
+Code must pass a linting stage, which uses [`golangci-lint`][lint].
+Since `./test` is a separate Go module, the linter is run from both the root and the
+`test` directories. Additionally, the linter is run with `GOOS` set to both `windows` and
+`linux`.
+
+The linting settings are stored in [`.golangci.yaml`](./.golangci.yaml), and can be run
+automatically with VSCode by adding the following to your workspace or folder settings:
+
+```json
+    "go.lintTool": "golangci-lint",
+    "go.lintOnSave": "package",
+```
+
+Additional editor [integrations options are also available][lint-ide].
+
+Alternatively, `golangci-lint` can be [installed][lint-install] and run locally:
+
+```shell
+# use . or specify a path to only lint a package
+# to show all lint errors, use flags "--max-issues-per-linter=0 --max-same-issues=0"
+> golangci-lint run
+```
+
+To run across the entire repo for both `GOOS=windows` and `linux`:
+
+```powershell
+> foreach ( $goos in ('windows', 'linux') ) {
+    foreach ( $repo in ('.', 'test') ) {
+        pwsh -Command "cd $repo && go env -w GOOS=$goos && golangci-lint.exe run --verbose"
+    }
+}
+```
+
+### Go Generate
+
+The pipeline checks that auto-generated code, via `go generate`, are up to date.
+Similar to the [linting stage](#linting), `go generate` is run in both the root and test Go modules.
+
+This can be done via:
+
+```shell
+> go generate ./...
+> cd test && go generate ./...
+```
 
 ## Code of Conduct
 
@@ -83,7 +144,7 @@ contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additio
 
 ## Dependencies
 
-This project requires Golang 1.17 or newer to build.
+This project requires Golang 1.18 or newer to build.
 
 For system requirements to run this project, see the Microsoft docs on [Windows Container requirements](https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/system-requirements).
 
@@ -100,3 +161,10 @@ For additional details, see [Report a Computer Security Vulnerability](https://t
 
 ---------------
 Copyright (c) 2018 Microsoft Corp.  All rights reserved.
+
+[lint]: https://golangci-lint.run/
+[lint-ide]: https://golangci-lint.run/usage/integrations/#editor-integration
+[lint-install]: https://golangci-lint.run/usage/install/#local-installation
+
+[git-commit-s]: https://git-scm.com/docs/git-commit#Documentation/git-commit.txt--s
+[git-rebase-s]: https://git-scm.com/docs/git-rebase#Documentation/git-rebase.txt---signoff

vendor/github.com/Microsoft/hcsshim/computestorage/attach.go

@@ -38,3 +38,31 @@ func AttachLayerStorageFilter(ctx context.Context, layerPath string, layerData L
 	}
 	return nil
 }
+
+// AttachOverlayFilter sets up a filter of the given type on a writable container layer.  Currently the only
+// supported filter types are WCIFS & UnionFS (defined in internal/hcs/schema2/layer.go)
+//
+// `volumePath` is volume path at which writable layer is mounted. If the
+// path does not end in a `\` the platform will append it automatically.
+//
+// `layerData` is the parent read-only layer data.
+func AttachOverlayFilter(ctx context.Context, volumePath string, layerData LayerData) (err error) {
+	title := "hcsshim::AttachOverlayFilter"
+	ctx, span := oc.StartSpan(ctx, title) //nolint:ineffassign,staticcheck
+	defer span.End()
+	defer func() { oc.SetSpanStatus(span, err) }()
+	span.AddAttributes(
+		trace.StringAttribute("volumePath", volumePath),
+	)
+
+	bytes, err := json.Marshal(layerData)
+	if err != nil {
+		return err
+	}
+
+	err = hcsAttachOverlayFilter(volumePath, string(bytes))
+	if err != nil {
+		return errors.Wrap(err, "failed to attach overlay filter")
+	}
+	return nil
+}

vendor/github.com/Microsoft/hcsshim/computestorage/detach.go

@@ -4,7 +4,9 @@ package computestorage
 
 import (
 	"context"
+	"encoding/json"
 
+	hcsschema "github.com/Microsoft/hcsshim/internal/hcs/schema2"
 	"github.com/Microsoft/hcsshim/internal/oc"
 	"github.com/pkg/errors"
 	"go.opencensus.io/trace"
@@ -26,3 +28,27 @@ func DetachLayerStorageFilter(ctx context.Context, layerPath string) (err error)
 	}
 	return nil
 }
+
+// DetachOverlayFilter detaches the filter on a writable container layer.
+//
+// `volumePath` is a path to writable container volume.
+func DetachOverlayFilter(ctx context.Context, volumePath string, filterType hcsschema.FileSystemFilterType) (err error) {
+	title := "hcsshim::DetachOverlayFilter"
+	ctx, span := oc.StartSpan(ctx, title) //nolint:ineffassign,staticcheck
+	defer span.End()
+	defer func() { oc.SetSpanStatus(span, err) }()
+	span.AddAttributes(trace.StringAttribute("volumePath", volumePath))
+
+	layerData := LayerData{}
+	layerData.FilterType = filterType
+	bytes, err := json.Marshal(layerData)
+	if err != nil {
+		return err
+	}
+
+	err = hcsDetachOverlayFilter(volumePath, string(bytes))
+	if err != nil {
+		return errors.Wrap(err, "failed to detach overlay filter")
+	}
+	return nil
+}

vendor/github.com/Microsoft/hcsshim/computestorage/storage.go

@@ -19,14 +19,17 @@ import (
 //sys hcsFormatWritableLayerVhd(handle windows.Handle) (hr error) = computestorage.HcsFormatWritableLayerVhd?
 //sys hcsGetLayerVhdMountPath(vhdHandle windows.Handle, mountPath **uint16) (hr error) = computestorage.HcsGetLayerVhdMountPath?
 //sys hcsSetupBaseOSVolume(layerPath string, volumePath string, options string) (hr error) = computestorage.HcsSetupBaseOSVolume?
+//sys hcsAttachOverlayFilter(volumePath string, layerData string) (hr error) = computestorage.HcsAttachOverlayFilter?
+//sys hcsDetachOverlayFilter(volumePath string, layerData string) (hr error) = computestorage.HcsDetachOverlayFilter?
 
 type Version = hcsschema.Version
 type Layer = hcsschema.Layer
 
 // LayerData is the data used to describe parent layer information.
 type LayerData struct {
-	SchemaVersion Version `json:"SchemaVersion,omitempty"`
-	Layers        []Layer `json:"Layers,omitempty"`
+	SchemaVersion Version                        `json:"SchemaVersion,omitempty"`
+	Layers        []Layer                        `json:"Layers,omitempty"`
+	FilterType    hcsschema.FileSystemFilterType `json:"FilterType,omitempty"`
 }
 
 // ExportLayerOptions are the set of options that are used with the `computestorage.HcsExportLayer` syscall.

vendor/github.com/Microsoft/hcsshim/computestorage/zsyscall_windows.go

@@ -43,8 +43,10 @@ var (
 	modcomputestorage = windows.NewLazySystemDLL("computestorage.dll")
 
 	procHcsAttachLayerStorageFilter = modcomputestorage.NewProc("HcsAttachLayerStorageFilter")
+	procHcsAttachOverlayFilter      = modcomputestorage.NewProc("HcsAttachOverlayFilter")
 	procHcsDestroyLayer             = modcomputestorage.NewProc("HcsDestroyLayer")
 	procHcsDetachLayerStorageFilter = modcomputestorage.NewProc("HcsDetachLayerStorageFilter")
+	procHcsDetachOverlayFilter      = modcomputestorage.NewProc("HcsDetachOverlayFilter")
 	procHcsExportLayer              = modcomputestorage.NewProc("HcsExportLayer")
 	procHcsFormatWritableLayerVhd   = modcomputestorage.NewProc("HcsFormatWritableLayerVhd")
 	procHcsGetLayerVhdMountPath     = modcomputestorage.NewProc("HcsGetLayerVhdMountPath")
@@ -83,6 +85,35 @@ func _hcsAttachLayerStorageFilter(layerPath *uint16, layerData *uint16) (hr erro
 	return
 }
 
+func hcsAttachOverlayFilter(volumePath string, layerData string) (hr error) {
+	var _p0 *uint16
+	_p0, hr = syscall.UTF16PtrFromString(volumePath)
+	if hr != nil {
+		return
+	}
+	var _p1 *uint16
+	_p1, hr = syscall.UTF16PtrFromString(layerData)
+	if hr != nil {
+		return
+	}
+	return _hcsAttachOverlayFilter(_p0, _p1)
+}
+
+func _hcsAttachOverlayFilter(volumePath *uint16, layerData *uint16) (hr error) {
+	hr = procHcsAttachOverlayFilter.Find()
+	if hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall(procHcsAttachOverlayFilter.Addr(), 2, uintptr(unsafe.Pointer(volumePath)), uintptr(unsafe.Pointer(layerData)), 0)
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
 func hcsDestroyLayer(layerPath string) (hr error) {
 	var _p0 *uint16
 	_p0, hr = syscall.UTF16PtrFromString(layerPath)
@@ -131,6 +162,35 @@ func _hcsDetachLayerStorageFilter(layerPath *uint16) (hr error) {
 	return
 }
 
+func hcsDetachOverlayFilter(volumePath string, layerData string) (hr error) {
+	var _p0 *uint16
+	_p0, hr = syscall.UTF16PtrFromString(volumePath)
+	if hr != nil {
+		return
+	}
+	var _p1 *uint16
+	_p1, hr = syscall.UTF16PtrFromString(layerData)
+	if hr != nil {
+		return
+	}
+	return _hcsDetachOverlayFilter(_p0, _p1)
+}
+
+func _hcsDetachOverlayFilter(volumePath *uint16, layerData *uint16) (hr error) {
+	hr = procHcsDetachOverlayFilter.Find()
+	if hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall(procHcsDetachOverlayFilter.Addr(), 2, uintptr(unsafe.Pointer(volumePath)), uintptr(unsafe.Pointer(layerData)), 0)
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
 func hcsExportLayer(layerPath string, exportFolderPath string, layerData string, options string) (hr error) {
 	var _p0 *uint16
 	_p0, hr = syscall.UTF16PtrFromString(layerPath)

vendor/github.com/Microsoft/hcsshim/container.go

@@ -75,7 +75,7 @@ func init() {
 func CreateContainer(id string, c *ContainerConfig) (Container, error) {
 	fullConfig, err := mergemaps.MergeJSON(c, createContainerAdditionalJSON)
 	if err != nil {
-		return nil, fmt.Errorf("failed to merge additional JSON '%s': %s", createContainerAdditionalJSON, err)
+		return nil, fmt.Errorf("failed to merge additional JSON '%s': %w", createContainerAdditionalJSON, err)
 	}
 
 	system, err := hcs.CreateComputeSystem(context.Background(), id, fullConfig)

vendor/github.com/Microsoft/hcsshim/errors.go

@@ -115,6 +115,7 @@ func (e *ContainerError) Error() string {
 		s += " encountered an error during " + e.Operation
 	}
 
+	//nolint:errorlint // legacy code
 	switch e.Err.(type) {
 	case nil:
 		break
@@ -145,6 +146,7 @@ func (e *ProcessError) Error() string {
 		s += " encountered an error during " + e.Operation
 	}
 
+	//nolint:errorlint // legacy code
 	switch e.Err.(type) {
 	case nil:
 		break
@@ -166,10 +168,10 @@ func (e *ProcessError) Error() string {
 // already exited, or does not exist. Both IsAlreadyStopped and IsNotExist
 // will currently return true when the error is ErrElementNotFound.
 func IsNotExist(err error) bool {
-	if _, ok := err.(EndpointNotFoundError); ok {
+	if _, ok := err.(EndpointNotFoundError); ok { //nolint:errorlint // legacy code
 		return true
 	}
-	if _, ok := err.(NetworkNotFoundError); ok {
+	if _, ok := err.(NetworkNotFoundError); ok { //nolint:errorlint // legacy code
 		return true
 	}
 	return hcs.IsNotExist(getInnerError(err))
@@ -224,6 +226,7 @@ func IsAccessIsDenied(err error) bool {
 }
 
 func getInnerError(err error) error {
+	//nolint:errorlint // legacy code
 	switch pe := err.(type) {
 	case nil:
 		return nil
@@ -236,14 +239,14 @@ func getInnerError(err error) error {
 }
 
 func convertSystemError(err error, c *container) error {
-	if serr, ok := err.(*hcs.SystemError); ok {
+	if serr, ok := err.(*hcs.SystemError); ok { //nolint:errorlint // legacy code
 		return &ContainerError{Container: c, Operation: serr.Op, Err: serr.Err, Events: serr.Events}
 	}
 	return err
 }
 
 func convertProcessError(err error, p *process) error {
-	if perr, ok := err.(*hcs.ProcessError); ok {
+	if perr, ok := err.(*hcs.ProcessError); ok { //nolint:errorlint // legacy code
 		return &ProcessError{Process: p, Operation: perr.Op, Err: perr.Err, Events: perr.Events}
 	}
 	return err

vendor/github.com/Microsoft/hcsshim/internal/hcs/process.go

@@ -63,7 +63,7 @@ func (process *Process) SystemID() string {
 }
 
 func (process *Process) processSignalResult(ctx context.Context, err error) (bool, error) {
-	switch err {
+	switch err { //nolint:errorlint
 	case nil:
 		return true, nil
 	case ErrVmcomputeOperationInvalidState, ErrComputeSystemDoesNotExist, ErrElementNotFound:

vendor/github.com/Microsoft/hcsshim/internal/hcs/schema2/layer.go

@@ -9,6 +9,13 @@
 
 package hcsschema
 
+type FileSystemFilterType string
+
+const (
+	UnionFS FileSystemFilterType = "UnionFS"
+	WCIFS   FileSystemFilterType = "WCIFS"
+)
+
 type Layer struct {
 	Id string `json:"Id,omitempty"`
 

vendor/github.com/Microsoft/hcsshim/internal/hcs/schema2/registry_hive.go

@@ -0,0 +1,13 @@
+package hcsschema
+
+// NOTE: manually added
+
+type RegistryHive string
+
+// List of RegistryHive
+const (
+	RegistryHive_SYSTEM   RegistryHive = "System"
+	RegistryHive_SOFTWARE RegistryHive = "Software"
+	RegistryHive_SECURITY RegistryHive = "Security"
+	RegistryHive_SAM      RegistryHive = "Sam"
+)

vendor/github.com/Microsoft/hcsshim/internal/hcs/schema2/registry_key.go

@@ -10,7 +10,7 @@
 package hcsschema
 
 type RegistryKey struct {
-	Hive string `json:"Hive,omitempty"`
+	Hive RegistryHive `json:"Hive,omitempty"`
 
 	Name string `json:"Name,omitempty"`
 

vendor/github.com/Microsoft/hcsshim/internal/hcs/schema2/registry_value.go

@@ -14,7 +14,7 @@ type RegistryValue struct {
 
 	Name string `json:"Name,omitempty"`
 
-	Type_ string `json:"Type,omitempty"`
+	Type_ RegistryValueType `json:"Type,omitempty"`
 
 	//  One and only one value type must be set.
 	StringValue string `json:"StringValue,omitempty"`

vendor/github.com/Microsoft/hcsshim/internal/hcs/schema2/registry_value_type.go

@@ -0,0 +1,17 @@
+package hcsschema
+
+// NOTE: manually added
+
+type RegistryValueType string
+
+// List of RegistryValueType
+const (
+	RegistryValueType_NONE            RegistryValueType = "None"
+	RegistryValueType_STRING          RegistryValueType = "String"
+	RegistryValueType_EXPANDED_STRING RegistryValueType = "ExpandedString"
+	RegistryValueType_MULTI_STRING    RegistryValueType = "MultiString"
+	RegistryValueType_BINARY          RegistryValueType = "Binary"
+	RegistryValueType_D_WORD          RegistryValueType = "DWord"
+	RegistryValueType_Q_WORD          RegistryValueType = "QWord"
+	RegistryValueType_CUSTOM_TYPE     RegistryValueType = "CustomType"
+)

vendor/github.com/Microsoft/hcsshim/internal/hcs/system.go

@@ -97,7 +97,7 @@ func CreateComputeSystem(ctx context.Context, id string, hcsDocumentInterface in
 	events, err := processAsyncHcsResult(ctx, createError, resultJSON, computeSystem.callbackNumber,
 		hcsNotificationSystemCreateCompleted, &timeout.SystemCreate)
 	if err != nil {
-		if err == ErrTimeout {
+		if errors.Is(err, ErrTimeout) {
 			// Terminate the compute system if it still exists. We're okay to
 			// ignore a failure here.
 			_ = computeSystem.Terminate(ctx)
@@ -238,7 +238,7 @@ func (computeSystem *System) Shutdown(ctx context.Context) error {
 
 	resultJSON, err := vmcompute.HcsShutdownComputeSystem(ctx, computeSystem.handle, "")
 	events := processHcsResult(ctx, resultJSON)
-	switch err {
+	switch err { //nolint:errorlint
 	case nil, ErrVmcomputeAlreadyStopped, ErrComputeSystemDoesNotExist, ErrVmcomputeOperationPending:
 	default:
 		return makeSystemError(computeSystem, operation, err, events)
@@ -259,7 +259,7 @@ func (computeSystem *System) Terminate(ctx context.Context) error {
 
 	resultJSON, err := vmcompute.HcsTerminateComputeSystem(ctx, computeSystem.handle, "")
 	events := processHcsResult(ctx, resultJSON)
-	switch err {
+	switch err { //nolint:errorlint
 	case nil, ErrVmcomputeAlreadyStopped, ErrComputeSystemDoesNotExist, ErrVmcomputeOperationPending:
 	default:
 		return makeSystemError(computeSystem, operation, err, events)
@@ -279,7 +279,7 @@ func (computeSystem *System) waitBackground() {
 	span.AddAttributes(trace.StringAttribute("cid", computeSystem.id))
 
 	err := waitForNotification(ctx, computeSystem.callbackNumber, hcsNotificationSystemExited, nil)
-	switch err {
+	switch err { //nolint:errorlint
 	case nil:
 		log.G(ctx).Debug("system exited")
 	case ErrVmcomputeUnexpectedExit:

vendor/github.com/Microsoft/hcsshim/internal/hns/hnsfuncs.go

@@ -31,7 +31,7 @@ func hnsCallRawResponse(method, path, request string) (*hnsResponse, error) {
 func hnsCall(method, path, request string, returnResponse interface{}) error {
 	hnsresponse, err := hnsCallRawResponse(method, path, request)
 	if err != nil {
-		return fmt.Errorf("failed during hnsCallRawResponse: %v", err)
+		return fmt.Errorf("failed during hnsCallRawResponse: %w", err)
 	}
 	if !hnsresponse.Success {
 		return fmt.Errorf("hns failed with error : %s", hnsresponse.Error)

vendor/github.com/Microsoft/hcsshim/internal/hns/namespace.go

@@ -56,7 +56,7 @@ func issueNamespaceRequest(id *string, method, subpath string, request interface
 		if strings.Contains(err.Error(), "Element not found.") {
 			return nil, os.ErrNotExist
 		}
-		return nil, fmt.Errorf("%s %s: %s", method, hnspath, err)
+		return nil, fmt.Errorf("%s %s: %w", method, hnspath, err)
 	}
 	return &ns, err
 }
@@ -86,7 +86,7 @@ func GetNamespaceEndpoints(id string) ([]string, error) {
 			var endpoint namespaceEndpointRequest
 			err = json.Unmarshal(rsrc.Data, &endpoint)
 			if err != nil {
-				return nil, fmt.Errorf("unmarshal endpoint: %s", err)
+				return nil, fmt.Errorf("unmarshal endpoint: %w", err)
 			}
 			endpoints = append(endpoints, endpoint.ID)
 		}

vendor/github.com/Microsoft/hcsshim/internal/jobobject/iocp.go

@@ -4,6 +4,7 @@ package jobobject
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"sync"
 	"unsafe"
@@ -59,7 +60,7 @@ func pollIOCP(ctx context.Context, iocpHandle windows.Handle) {
 				}).Warn("failed to parse job object message")
 				continue
 			}
-			if err := msq.Enqueue(notification); err == queue.ErrQueueClosed {
+			if err := msq.Enqueue(notification); errors.Is(err, queue.ErrQueueClosed) {
 				// Write will only return an error when the queue is closed.
 				// The only time a queue would ever be closed is when we call `Close` on
 				// the job it belongs to which also removes it from the jobMap, so something

vendor/github.com/Microsoft/hcsshim/internal/jobobject/jobobject.go

@@ -374,7 +374,7 @@ func (job *JobObject) Pids() ([]uint32, error) {
 		return []uint32{}, nil
 	}
 
-	if err != winapi.ERROR_MORE_DATA {
+	if err != winapi.ERROR_MORE_DATA { //nolint:errorlint
 		return nil, fmt.Errorf("failed initial query for PIDs in job object: %w", err)
 	}
 

vendor/github.com/Microsoft/hcsshim/internal/jobobject/limits.go

@@ -143,6 +143,13 @@ func (job *JobObject) SetCPUAffinity(affinityBitMask uint64) error {
 		return err
 	}
 	info.BasicLimitInformation.LimitFlags |= uint32(windows.JOB_OBJECT_LIMIT_AFFINITY)
+
+	// We really, really shouldn't be running on 32 bit, but just in case (and to satisfy CodeQL) ...
+	const maxUintptr = ^uintptr(0)
+	if affinityBitMask > uint64(maxUintptr) {
+		return fmt.Errorf("affinity bitmask (%d) exceeds max allowable value (%d)", affinityBitMask, maxUintptr)
+	}
+
 	info.BasicLimitInformation.Affinity = uintptr(affinityBitMask)
 	return job.setExtendedInformation(info)
 }

vendor/github.com/Microsoft/hcsshim/internal/log/format.go

@@ -104,6 +104,7 @@ func encode(v interface{}) (_ []byte, err error) {
 	if jErr := enc.Encode(v); jErr != nil {
 		if err != nil {
 			// TODO (go1.20): use multierror via fmt.Errorf("...: %w; ...: %w", ...)
+			//nolint:errorlint // non-wrapping format verb for fmt.Errorf
 			return nil, fmt.Errorf("protojson encoding: %v; json encoding: %w", err, jErr)
 		}
 		return nil, fmt.Errorf("json encoding: %w", jErr)

vendor/github.com/Microsoft/hcsshim/internal/logfields/fields.go

@@ -46,6 +46,7 @@ const (
 
 	ExpectedType = "expected-type"
 	Bool         = "bool"
+	Int32        = "int32"
 	Uint32       = "uint32"
 	Uint64       = "uint64"
 

vendor/github.com/Microsoft/hcsshim/internal/memory/pool.go

@@ -126,7 +126,7 @@ func (pa *PoolAllocator) Allocate(size uint64) (MappedRegion, error) {
 	// this means that there are no more regions for the current class, try expanding
 	if nextCls != memCls {
 		if err := pa.split(memCls); err != nil {
-			if err == ErrInvalidMemoryClass {
+			if errors.Is(err, ErrInvalidMemoryClass) {
 				return nil, ErrNotEnoughSpace
 			}
 			return nil, err
@@ -147,7 +147,7 @@ func (pa *PoolAllocator) Allocate(size uint64) (MappedRegion, error) {
 }
 
 // Release marks a memory region of class `memCls` and offset `offset` as free and tries to merge smaller regions into
-// a bigger one
+// a bigger one.
 func (pa *PoolAllocator) Release(reg MappedRegion) error {
 	mp := pa.pools[reg.Type()]
 	if mp == nil {
@@ -164,7 +164,7 @@ func (pa *PoolAllocator) Release(reg MappedRegion) error {
 		return ErrNotAllocated
 	}
 	if err := pa.merge(n.parent); err != nil {
-		if err != ErrEarlyMerge {
+		if !errors.Is(err, ErrEarlyMerge) {
 			return err
 		}
 	}

vendor/github.com/Microsoft/hcsshim/internal/safefile/safeopen.go

@@ -243,7 +243,7 @@ func RemoveRelative(path string, root *os.File) error {
 	if err == nil {
 		defer f.Close()
 		err = deleteOnClose(f)
-		if err == syscall.ERROR_ACCESS_DENIED {
+		if err == syscall.ERROR_ACCESS_DENIED { //nolint:errorlint
 			// Maybe the file is marked readonly. Clear the bit and retry.
 			_ = clearReadOnly(f)
 			err = deleteOnClose(f)

vendor/github.com/Microsoft/hcsshim/internal/vmcompute/vmcompute.go

@@ -104,7 +104,7 @@ func execute(ctx gcontext.Context, timeout time.Duration, f func() error) error
 	}()
 	select {
 	case <-ctx.Done():
-		if ctx.Err() == gcontext.DeadlineExceeded {
+		if ctx.Err() == gcontext.DeadlineExceeded { //nolint:errorlint
 			log.G(ctx).WithField(logfields.Timeout, trueTimeout).
 				Warning("Syscall did not complete within operation timeout. This may indicate a platform issue. " +
 					"If it appears to be making no forward progress, obtain the stacks and see if there is a syscall " +
@@ -150,7 +150,7 @@ func HcsCreateComputeSystem(ctx gcontext.Context, id string, configuration strin
 		if result != "" {
 			span.AddAttributes(trace.StringAttribute("result", result))
 		}
-		if hr != errVmcomputeOperationPending {
+		if hr != errVmcomputeOperationPending { //nolint:errorlint // explicitly returned
 			oc.SetSpanStatus(span, hr)
 		}
 	}()
@@ -205,7 +205,7 @@ func HcsStartComputeSystem(ctx gcontext.Context, computeSystem HcsSystem, option
 		if result != "" {
 			span.AddAttributes(trace.StringAttribute("result", result))
 		}
-		if hr != errVmcomputeOperationPending {
+		if hr != errVmcomputeOperationPending { //nolint:errorlint // explicitly returned
 			oc.SetSpanStatus(span, hr)
 		}
 	}()
@@ -228,7 +228,7 @@ func HcsShutdownComputeSystem(ctx gcontext.Context, computeSystem HcsSystem, opt
 		if result != "" {
 			span.AddAttributes(trace.StringAttribute("result", result))
 		}
-		if hr != errVmcomputeOperationPending {
+		if hr != errVmcomputeOperationPending { //nolint:errorlint // explicitly returned
 			oc.SetSpanStatus(span, hr)
 		}
 	}()
@@ -251,7 +251,7 @@ func HcsTerminateComputeSystem(ctx gcontext.Context, computeSystem HcsSystem, op
 		if result != "" {
 			span.AddAttributes(trace.StringAttribute("result", result))
 		}
-		if hr != errVmcomputeOperationPending {
+		if hr != errVmcomputeOperationPending { //nolint:errorlint // explicitly returned
 			oc.SetSpanStatus(span, hr)
 		}
 	}()
@@ -274,7 +274,7 @@ func HcsPauseComputeSystem(ctx gcontext.Context, computeSystem HcsSystem, option
 		if result != "" {
 			span.AddAttributes(trace.StringAttribute("result", result))
 		}
-		if hr != errVmcomputeOperationPending {
+		if hr != errVmcomputeOperationPending { //nolint:errorlint // explicitly returned
 			oc.SetSpanStatus(span, hr)
 		}
 	}()
@@ -297,7 +297,7 @@ func HcsResumeComputeSystem(ctx gcontext.Context, computeSystem HcsSystem, optio
 		if result != "" {
 			span.AddAttributes(trace.StringAttribute("result", result))
 		}
-		if hr != errVmcomputeOperationPending {
+		if hr != errVmcomputeOperationPending { //nolint:errorlint // explicitly returned
 			oc.SetSpanStatus(span, hr)
 		}
 	}()
@@ -621,7 +621,7 @@ func HcsSaveComputeSystem(ctx gcontext.Context, computeSystem HcsSystem, options
 		if result != "" {
 			span.AddAttributes(trace.StringAttribute("result", result))
 		}
-		if hr != errVmcomputeOperationPending {
+		if hr != errVmcomputeOperationPending { //nolint:errorlint // explicitly returned
 			oc.SetSpanStatus(span, hr)
 		}
 	}()

vendor/github.com/Microsoft/hcsshim/internal/wclayer/baselayerreader.go

@@ -1,3 +1,5 @@
+//go:build windows
+
 package wclayer
 
 import (
@@ -64,7 +66,7 @@ func (r *baseLayerReader) walkUntilCancelled() error {
 		return nil
 	})
 
-	if err == errorIterationCanceled {
+	if err == errorIterationCanceled { //nolint:errorlint // explicitly returned
 		return nil
 	}
 
@@ -103,7 +105,7 @@ func (r *baseLayerReader) walkUntilCancelled() error {
 		return nil
 	})
 
-	if err == errorIterationCanceled {
+	if err == errorIterationCanceled { //nolint:errorlint // explicitly returned
 		return nil
 	}
 

vendor/github.com/Microsoft/hcsshim/internal/wclayer/converttobaselayer.go

@@ -1,3 +1,5 @@
+//go:build windows
+
 package wclayer
 
 import (

vendor/github.com/Microsoft/hcsshim/internal/wclayer/expandscratchsize.go

@@ -11,7 +11,6 @@ import (
 
 	"github.com/Microsoft/hcsshim/internal/hcserror"
 	"github.com/Microsoft/hcsshim/internal/oc"
-	"github.com/Microsoft/hcsshim/osversion"
 	"go.opencensus.io/trace"
 )
 
@@ -30,14 +29,17 @@ func ExpandScratchSize(ctx context.Context, path string, size uint64) (err error
 		return hcserror.New(err, title, "")
 	}
 
-	// Manually expand the volume now in order to work around bugs in 19H1 and
-	// prerelease versions of Vb. Remove once this is fixed in Windows.
-	if build := osversion.Build(); build >= osversion.V19H1 && build < 19020 {
-		err = expandSandboxVolume(ctx, path)
-		if err != nil {
-			return err
-		}
+	// Always expand the volume too. In case of legacy layers not expanding the volume here works because
+	// the PrepareLayer call internally handles the expansion. However, in other cases (like CimFS) we
+	// don't call PrepareLayer and so the volume will never be expanded.  This also means in case of
+	// legacy layers, we might have a small perf hit because the VHD is mounted twice for expansion (once
+	// here and once during the PrepareLayer call). But as long as the perf hit is minimal, we should be
+	// okay.
+	err = expandSandboxVolume(ctx, path)
+	if err != nil {
+		return err
 	}
+
 	return nil
 }
 

vendor/github.com/Microsoft/hcsshim/internal/wclayer/legacy.go

@@ -154,7 +154,7 @@ func (r *legacyLayerReader) walkUntilCancelled() error {
 		}
 		return nil
 	})
-	if err == errorIterationCanceled {
+	if err == errorIterationCanceled { //nolint:errorlint // explicitly returned
 		return nil
 	}
 	if err == nil {
@@ -196,7 +196,7 @@ func findBackupStreamSize(r io.Reader) (int64, error) {
 	for {
 		hdr, err := br.Next()
 		if err != nil {
-			if err == io.EOF {
+			if errors.Is(err, io.EOF) {
 				err = nil
 			}
 			return 0, err
@@ -428,7 +428,7 @@ func (w *legacyLayerWriter) initUtilityVM() error {
 		// immutable.
 		err = cloneTree(w.parentRoots[0], w.destRoot, UtilityVMFilesPath, mutatedUtilityVMFiles)
 		if err != nil {
-			return fmt.Errorf("cloning the parent utility VM image failed: %s", err)
+			return fmt.Errorf("cloning the parent utility VM image failed: %w", err)
 		}
 		w.HasUtilityVM = true
 	}
@@ -451,7 +451,7 @@ func (w *legacyLayerWriter) reset() error {
 
 		for {
 			bhdr, err := br.Next()
-			if err == io.EOF {
+			if errors.Is(err, io.EOF) {
 				// end of backupstream data
 				break
 			}

vendor/github.com/Microsoft/hcsshim/internal/winapi/cimfs.go

@@ -1,3 +1,5 @@
+//go:build windows
+
 package winapi
 
 import (
@@ -34,7 +36,7 @@ type CimFsFileMetadata struct {
 //sys CimDismountImage(volumeID *g) (hr error) = cimfs.CimDismountImage?
 
 //sys CimCreateImage(imagePath string, oldFSName *uint16, newFSName *uint16, cimFSHandle *FsHandle) (hr error) = cimfs.CimCreateImage?
-//sys CimCloseImage(cimFSHandle FsHandle) (hr error) = cimfs.CimCloseImage?
+//sys CimCloseImage(cimFSHandle FsHandle) = cimfs.CimCloseImage?
 //sys CimCommitImage(cimFSHandle FsHandle) (hr error) = cimfs.CimCommitImage?
 
 //sys CimCreateFile(cimFSHandle FsHandle, path string, file *CimFsFileMetadata, cimStreamHandle *StreamHandle) (hr error) = cimfs.CimCreateFile?

vendor/github.com/Microsoft/hcsshim/internal/winapi/zsyscall_windows.go

@@ -184,18 +184,12 @@ func _CMLocateDevNode(pdnDevInst *uint32, pDeviceID *uint16, uFlags uint32) (hr
 	return
 }
 
-func CimCloseImage(cimFSHandle FsHandle) (hr error) {
-	hr = procCimCloseImage.Find()
-	if hr != nil {
+func CimCloseImage(cimFSHandle FsHandle) (err error) {
+	err = procCimCloseImage.Find()
+	if err != nil {
 		return
 	}
-	r0, _, _ := syscall.Syscall(procCimCloseImage.Addr(), 1, uintptr(cimFSHandle), 0, 0)
-	if int32(r0) < 0 {
-		if r0&0x1fff0000 == 0x00070000 {
-			r0 &= 0xffff
-		}
-		hr = syscall.Errno(r0)
-	}
+	syscall.Syscall(procCimCloseImage.Addr(), 1, uintptr(cimFSHandle), 0, 0)
 	return
 }
 

vendor/github.com/containers/common/internal/attributedstring/slice.go

@@ -42,8 +42,8 @@ func (a *Slice) Set(values []string) {
 }
 
 // UnmarshalTOML is the custom unmarshal method for Slice.
-func (a *Slice) UnmarshalTOML(data interface{}) error {
-	iFaceSlice, ok := data.([]interface{})
+func (a *Slice) UnmarshalTOML(data any) error {
+	iFaceSlice, ok := data.([]any)
 	if !ok {
 		return fmt.Errorf("unable to cast to interface array: %v", data)
 	}
@@ -53,7 +53,7 @@ func (a *Slice) UnmarshalTOML(data interface{}) error {
 		switch val := x.(type) {
 		case string: // Strings are directly appended to the slice.
 			loadedStrings = append(loadedStrings, val)
-		case map[string]interface{}: // The attribute struct is represented as a map.
+		case map[string]any: // The attribute struct is represented as a map.
 			for k, v := range val { // Iterate over all _supported_ keys.
 				switch k {
 				case "append":
@@ -81,16 +81,15 @@ func (a *Slice) UnmarshalTOML(data interface{}) error {
 
 // MarshalTOML is the custom marshal method for Slice.
 func (a *Slice) MarshalTOML() ([]byte, error) {
-	iFaceSlice := make([]interface{}, 0, len(a.Values))
+	iFaceSlice := make([]any, 0, len(a.Values))
 
 	for _, x := range a.Values {
 		iFaceSlice = append(iFaceSlice, x)
 	}
 
 	if a.Attributes.Append != nil {
-		Attributes := make(map[string]any)
-		Attributes["append"] = *a.Attributes.Append
-		iFaceSlice = append(iFaceSlice, Attributes)
+		attributes := map[string]any{"append": *a.Attributes.Append}
+		iFaceSlice = append(iFaceSlice, attributes)
 	}
 
 	buf := new(bytes.Buffer)

vendor/github.com/containers/common/libimage/copier.go

@@ -1,5 +1,4 @@
 //go:build !remote
-// +build !remote
 
 package libimage
 
@@ -518,8 +517,8 @@ func checkRegistrySourcesAllows(dest types.ImageReference) (insecure *bool, err
 		return nil, fmt.Errorf("registry %q denied by policy: not in allowed registries list (%s)", reference.Domain(dref), registrySources)
 	}
 
-	for _, inseureDomain := range sources.InsecureRegistries {
-		if inseureDomain == reference.Domain(dref) {
+	for _, insecureDomain := range sources.InsecureRegistries {
+		if insecureDomain == reference.Domain(dref) {
 			insecure := true
 			return &insecure, nil
 		}

vendor/github.com/containers/common/libimage/disk_usage.go

@@ -1,5 +1,4 @@
 //go:build !remote
-// +build !remote
 
 package libimage
 
@@ -37,7 +36,7 @@ func (r *Runtime) DiskUsage(ctx context.Context) ([]ImageDiskUsage, int64, error
 		return nil, -1, err
 	}
 
-	layerTree, err := r.layerTree(images)
+	layerTree, err := r.layerTree(ctx, images)
 	if err != nil {
 		return nil, -1, err
 	}
@@ -80,7 +79,7 @@ func (r *Runtime) DiskUsage(ctx context.Context) ([]ImageDiskUsage, int64, error
 
 // diskUsageForImage returns the disk-usage baseistics for the specified image.
 func diskUsageForImage(ctx context.Context, image *Image, tree *layerTree) ([]ImageDiskUsage, error) {
-	if err := image.isCorrupted(""); err != nil {
+	if err := image.isCorrupted(ctx, ""); err != nil {
 		return nil, err
 	}
 

vendor/github.com/containers/common/libimage/events.go

@@ -1,5 +1,4 @@
 //go:build !remote
-// +build !remote
 
 package libimage
 

vendor/github.com/containers/common/libimage/filters.go

@@ -1,5 +1,4 @@
 //go:build !remote
-// +build !remote
 
 package libimage
 
@@ -21,33 +20,28 @@ import (
 // indicates that the image matches the criteria.
 type filterFunc func(*Image) (bool, error)
 
-// Apply the specified filters.  At least one filter of each key must apply.
-func (i *Image) applyFilters(filters map[string][]filterFunc) (bool, error) {
-	matches := false
-	for key := range filters { // and
-		matches = false
-		for _, filter := range filters[key] { // or
-			var err error
-			matches, err = filter(i)
+// Apply the specified filters.  All filters of each key must apply.
+func (i *Image) applyFilters(ctx context.Context, filters map[string][]filterFunc) (bool, error) {
+	for key := range filters {
+		for _, filter := range filters[key] {
+			matches, err := filter(i)
 			if err != nil {
 				// Some images may have been corrupted in the
 				// meantime, so do an extra check and make the
 				// error non-fatal (see containers/podman/issues/12582).
-				if errCorrupted := i.isCorrupted(""); errCorrupted != nil {
+				if errCorrupted := i.isCorrupted(ctx, ""); errCorrupted != nil {
 					logrus.Errorf(errCorrupted.Error())
 					return false, nil
 				}
 				return false, err
 			}
-			if matches {
-				break
+			// If any filter within a group doesn't match, return false
+			if !matches {
+				return false, nil
 			}
 		}
-		if !matches {
-			return false, nil
-		}
 	}
-	return matches, nil
+	return true, nil
 }
 
 // filterImages returns a slice of images which are passing all specified
@@ -63,7 +57,7 @@ func (r *Runtime) filterImages(ctx context.Context, images []*Image, options *Li
 	}
 	result := []*Image{}
 	for i := range images {
-		match, err := images[i].applyFilters(filters)
+		match, err := images[i].applyFilters(ctx, filters)
 		if err != nil {
 			return nil, err
 		}
@@ -84,7 +78,7 @@ func (r *Runtime) compileImageFilters(ctx context.Context, options *ListImagesOp
 	var tree *layerTree
 	getTree := func() (*layerTree, error) {
 		if tree == nil {
-			t, err := r.layerTree(nil)
+			t, err := r.layerTree(ctx, nil)
 			if err != nil {
 				return nil, err
 			}
@@ -93,6 +87,7 @@ func (r *Runtime) compileImageFilters(ctx context.Context, options *ListImagesOp
 		return tree, nil
 	}
 
+	var wantedReferenceMatches, unwantedReferenceMatches []string
 	filters := map[string][]filterFunc{}
 	duplicate := map[string]string{}
 	for _, f := range options.Filters {
@@ -184,7 +179,12 @@ func (r *Runtime) compileImageFilters(ctx context.Context, options *ListImagesOp
 			filter = filterManifest(ctx, manifest)
 
 		case "reference":
-			filter = filterReferences(r, value)
+			if negate {
+				unwantedReferenceMatches = append(unwantedReferenceMatches, value)
+			} else {
+				wantedReferenceMatches = append(wantedReferenceMatches, value)
+			}
+			continue
 
 		case "until":
 			until, err := r.until(value)
@@ -202,6 +202,11 @@ func (r *Runtime) compileImageFilters(ctx context.Context, options *ListImagesOp
 		filters[key] = append(filters[key], filter)
 	}
 
+	// reference filters is a special case as it does an OR for positive matches
+	// and an AND logic for negative matches
+	filter := filterReferences(r, wantedReferenceMatches, unwantedReferenceMatches)
+	filters["reference"] = append(filters["reference"], filter)
+
 	return filters, nil
 }
 
@@ -273,57 +278,99 @@ func filterManifest(ctx context.Context, value bool) filterFunc {
 	}
 }
 
-// filterReferences creates a reference filter for matching the specified value.
-func filterReferences(r *Runtime, value string) filterFunc {
-	lookedUp, _, _ := r.LookupImage(value, nil)
+// filterReferences creates a reference filter for matching the specified wantedReferenceMatches value (OR logic)
+// and for matching the unwantedReferenceMatches values (AND logic)
+func filterReferences(r *Runtime, wantedReferenceMatches, unwantedReferenceMatches []string) filterFunc {
 	return func(img *Image) (bool, error) {
-		if lookedUp != nil {
-			if lookedUp.ID() == img.ID() {
+		// Empty reference filters, return true
+		if len(wantedReferenceMatches) == 0 && len(unwantedReferenceMatches) == 0 {
+			return true, nil
+		}
+
+		unwantedMatched := false
+		// Go through the unwanted matches first
+		for _, value := range unwantedReferenceMatches {
+			matches, err := imageMatchesReferenceFilter(r, img, value)
+			if err != nil {
+				return false, err
+			}
+			if matches {
+				unwantedMatched = true
+			}
+		}
+
+		// If there are no wanted match filters, then return false for the image
+		// that matched the unwanted value otherwise return true
+		if len(wantedReferenceMatches) == 0 {
+			return !unwantedMatched, nil
+		}
+
+		// Go through the wanted matches
+		// If an image matches the wanted filter but it also matches the unwanted
+		// filter, don't add it to the output
+		for _, value := range wantedReferenceMatches {
+			matches, err := imageMatchesReferenceFilter(r, img, value)
+			if err != nil {
+				return false, err
+			}
+			if matches && !unwantedMatched {
 				return true, nil
 			}
 		}
 
-		refs, err := img.NamesReferences()
-		if err != nil {
-			return false, err
-		}
-
-		for _, ref := range refs {
-			refString := ref.String() // FQN with tag/digest
-			candidates := []string{refString}
-
-			// Split the reference into 3 components (twice if digested/tagged):
-			// 1) Fully-qualified reference
-			// 2) Without domain
-			// 3) Without domain and path
-			if named, isNamed := ref.(reference.Named); isNamed {
-				candidates = append(candidates,
-					reference.Path(named),                           // path/name without tag/digest (Path() removes it)
-					refString[strings.LastIndex(refString, "/")+1:]) // name with tag/digest
-
-				trimmedString := reference.TrimNamed(named).String()
-				if refString != trimmedString {
-					tagOrDigest := refString[len(trimmedString):]
-					candidates = append(candidates,
-						trimmedString,                     // FQN without tag/digest
-						reference.Path(named)+tagOrDigest, // path/name with tag/digest
-						trimmedString[strings.LastIndex(trimmedString, "/")+1:]) // name without tag/digest
-				}
-			}
-
-			for _, candidate := range candidates {
-				// path.Match() is also used by Docker's reference.FamiliarMatch().
-				matched, _ := path.Match(value, candidate)
-				if matched {
-					return true, nil
-				}
-			}
-		}
-
 		return false, nil
 	}
 }
 
+// imageMatchesReferenceFilter returns true if an image matches the filter value given
+func imageMatchesReferenceFilter(r *Runtime, img *Image, value string) (bool, error) {
+	lookedUp, _, _ := r.LookupImage(value, nil)
+	if lookedUp != nil {
+		if lookedUp.ID() == img.ID() {
+			return true, nil
+		}
+	}
+
+	refs, err := img.NamesReferences()
+	if err != nil {
+		return false, err
+	}
+
+	for _, ref := range refs {
+		refString := ref.String() // FQN with tag/digest
+		candidates := []string{refString}
+
+		// Split the reference into 3 components (twice if digested/tagged):
+		// 1) Fully-qualified reference
+		// 2) Without domain
+		// 3) Without domain and path
+		if named, isNamed := ref.(reference.Named); isNamed {
+			candidates = append(candidates,
+				reference.Path(named),                           // path/name without tag/digest (Path() removes it)
+				refString[strings.LastIndex(refString, "/")+1:]) // name with tag/digest
+
+			trimmedString := reference.TrimNamed(named).String()
+			if refString != trimmedString {
+				tagOrDigest := refString[len(trimmedString):]
+				candidates = append(candidates,
+					trimmedString,                     // FQN without tag/digest
+					reference.Path(named)+tagOrDigest, // path/name with tag/digest
+					trimmedString[strings.LastIndex(trimmedString, "/")+1:]) // name without tag/digest
+			}
+		}
+
+		for _, candidate := range candidates {
+			// path.Match() is also used by Docker's reference.FamiliarMatch().
+			matched, _ := path.Match(value, candidate)
+			if matched {
+				return true, nil
+			}
+		}
+	}
+
+	return false, nil
+}
+
 // filterLabel creates a label for matching the specified value.
 func filterLabel(ctx context.Context, value string) filterFunc {
 	return func(img *Image) (bool, error) {

vendor/github.com/containers/common/libimage/history.go

@@ -1,5 +1,4 @@
 //go:build !remote
-// +build !remote
 
 package libimage
 
@@ -26,7 +25,7 @@ func (i *Image) History(ctx context.Context) ([]ImageHistory, error) {
 		return nil, err
 	}
 
-	layerTree, err := i.runtime.layerTree(nil)
+	layerTree, err := i.runtime.layerTree(ctx, nil)
 	if err != nil {
 		return nil, err
 	}

vendor/github.com/containers/common/libimage/image.go

@@ -1,5 +1,4 @@
 //go:build !remote
-// +build !remote
 
 package libimage
 
@@ -67,7 +66,7 @@ type Image struct {
 	}
 }
 
-// reload the image and pessimitically clear all cached data.
+// reload the image and pessimistically clear all cached data.
 func (i *Image) reload() error {
 	logrus.Tracef("Reloading image %s", i.ID())
 	img, err := i.runtime.store.Image(i.ID())
@@ -85,7 +84,7 @@ func (i *Image) reload() error {
 }
 
 // isCorrupted returns an error if the image may be corrupted.
-func (i *Image) isCorrupted(name string) error {
+func (i *Image) isCorrupted(ctx context.Context, name string) error {
 	// If it's a manifest list, we're good for now.
 	if _, err := i.getManifestList(); err == nil {
 		return nil
@@ -96,7 +95,7 @@ func (i *Image) isCorrupted(name string) error {
 		return err
 	}
 
-	img, err := ref.NewImage(context.Background(), nil)
+	img, err := ref.NewImage(ctx, nil)
 	if err != nil {
 		if name == "" {
 			name = i.ID()[:12]
@@ -258,7 +257,7 @@ func (i *Image) TopLayer() string {
 
 // Parent returns the parent image or nil if there is none
 func (i *Image) Parent(ctx context.Context) (*Image, error) {
-	tree, err := i.runtime.layerTree(nil)
+	tree, err := i.runtime.layerTree(ctx, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -292,7 +291,7 @@ func (i *Image) Children(ctx context.Context) ([]*Image, error) {
 // created for this invocation only.
 func (i *Image) getChildren(ctx context.Context, all bool, tree *layerTree) ([]*Image, error) {
 	if tree == nil {
-		t, err := i.runtime.layerTree(nil)
+		t, err := i.runtime.layerTree(ctx, nil)
 		if err != nil {
 			return nil, err
 		}
@@ -611,7 +610,7 @@ func (i *Image) Untag(name string) error {
 	}
 
 	// FIXME: this is breaking Podman CI but must be re-enabled once
-	// c/storage supports alterting the digests of an image.  Then,
+	// c/storage supports altering the digests of an image.  Then,
 	// Podman will do the right thing.
 	//
 	// !!! Also make sure to re-enable the tests !!!
@@ -1031,7 +1030,7 @@ func getImageID(ctx context.Context, src types.ImageReference, sys *types.System
 //   - 2) a bool indicating whether architecture, os or variant were set (some callers need that to decide whether they need to throw an error)
 //   - 3) a fatal error that occurred prior to check for matches (e.g., storage errors etc.)
 func (i *Image) matchesPlatform(ctx context.Context, os, arch, variant string) (error, bool, error) {
-	if err := i.isCorrupted(""); err != nil {
+	if err := i.isCorrupted(ctx, ""); err != nil {
 		return err, false, nil
 	}
 	inspectInfo, err := i.inspectInfo(ctx)

vendor/github.com/containers/common/libimage/image_config.go

@@ -1,5 +1,4 @@
 //go:build !remote
-// +build !remote
 
 package libimage
 

vendor/github.com/containers/common/libimage/image_tree.go

@@ -1,9 +1,9 @@
 //go:build !remote
-// +build !remote
 
 package libimage
 
 import (
+	"context"
 	"fmt"
 	"strings"
 
@@ -38,7 +38,7 @@ func (i *Image) Tree(traverseChildren bool) (string, error) {
 		fmt.Fprintf(sb, "No Image Layers")
 	}
 
-	layerTree, err := i.runtime.layerTree(nil)
+	layerTree, err := i.runtime.layerTree(context.Background(), nil)
 	if err != nil {
 		return "", err
 	}
@@ -53,7 +53,7 @@ func (i *Image) Tree(traverseChildren bool) (string, error) {
 		return tree.Print(), nil
 	}
 
-	// Walk all layers of the image and assemlbe their data.  Note that the
+	// Walk all layers of the image and assemble their data.  Note that the
 	// tree is constructed in reverse order to remain backwards compatible
 	// with Podman.
 	contents := []string{}

vendor/github.com/containers/common/libimage/import.go

@@ -1,5 +1,4 @@
 //go:build !remote
-// +build !remote
 
 package libimage
 

vendor/github.com/containers/common/libimage/inspect.go

@@ -1,5 +1,4 @@
 //go:build !remote
-// +build !remote
 
 package libimage
 

vendor/github.com/containers/common/libimage/layer_tree.go

@@ -1,5 +1,4 @@
 //go:build !remote
-// +build !remote
 
 package libimage
 
@@ -92,14 +91,14 @@ func (l *layerNode) repoTags() ([]string, error) {
 
 // layerTree extracts a layerTree from the layers in the local storage and
 // relates them to the specified images.
-func (r *Runtime) layerTree(images []*Image) (*layerTree, error) {
+func (r *Runtime) layerTree(ctx context.Context, images []*Image) (*layerTree, error) {
 	layers, err := r.store.Layers()
 	if err != nil {
 		return nil, err
 	}
 
 	if images == nil {
-		images, err = r.ListImages(context.Background(), nil, nil)
+		images, err = r.ListImages(ctx, nil, nil)
 		if err != nil {
 			return nil, err
 		}

vendor/github.com/containers/common/libimage/load.go

@@ -1,5 +1,4 @@
 //go:build !remote
-// +build !remote
 
 package libimage
 

vendor/github.com/containers/common/libimage/manifest_list.go

@@ -1,5 +1,4 @@
 //go:build !remote
-// +build !remote
 
 package libimage
 
@@ -314,7 +313,7 @@ func (m *ManifestList) Add(ctx context.Context, name string, options *ManifestLi
 	return newDigest, nil
 }
 
-// Options for annotationg a manifest list.
+// Options for annotating a manifest list.
 type ManifestListAnnotateOptions struct {
 	// Add the specified annotations to the added image.
 	Annotations map[string]string

vendor/github.com/containers/common/libimage/normalize.go

@@ -1,5 +1,4 @@
 //go:build !remote
-// +build !remote
 
 package libimage
 

vendor/github.com/containers/common/libimage/oci.go

@@ -1,5 +1,4 @@
 //go:build !remote
-// +build !remote
 
 package libimage
 

vendor/github.com/containers/common/libimage/platform.go

@@ -1,5 +1,4 @@
 //go:build !remote
-// +build !remote
 
 package libimage
 

vendor/github.com/containers/common/libimage/pull.go

@@ -1,5 +1,4 @@
 //go:build !remote
-// +build !remote
 
 package libimage
 
@@ -31,7 +30,7 @@ import (
 	"github.com/sirupsen/logrus"
 )
 
-// PullOptions allows for custommizing image pulls.
+// PullOptions allows for customizing image pulls.
 type PullOptions struct {
 	CopyOptions
 
@@ -511,7 +510,7 @@ func (r *Runtime) copySingleImageFromRegistry(ctx context.Context, imageName str
 
 	// If the local image is corrupted, we need to repull it.
 	if localImage != nil {
-		if err := localImage.isCorrupted(imageName); err != nil {
+		if err := localImage.isCorrupted(ctx, imageName); err != nil {
 			logrus.Error(err)
 			localImage = nil
 		}

vendor/github.com/containers/common/libimage/push.go

@@ -1,5 +1,4 @@
 //go:build !remote
-// +build !remote
 
 package libimage
 
@@ -13,7 +12,7 @@ import (
 	"github.com/sirupsen/logrus"
 )
 
-// PushOptions allows for custommizing image pushes.
+// PushOptions allows for customizing image pushes.
 type PushOptions struct {
 	CopyOptions
 }

vendor/github.com/containers/common/libimage/runtime.go

@@ -1,5 +1,4 @@
 //go:build !remote
-// +build !remote
 
 package libimage
 
@@ -162,7 +161,7 @@ func (r *Runtime) storageToImage(storageImage *storage.Image, ref types.ImageRef
 	}
 }
 
-// Exists returns true if the specicifed image exists in the local containers
+// Exists returns true if the specified image exists in the local containers
 // storage.  Note that it may return false if an image corrupted.
 func (r *Runtime) Exists(name string) (bool, error) {
 	image, _, err := r.LookupImage(name, nil)
@@ -172,7 +171,7 @@ func (r *Runtime) Exists(name string) (bool, error) {
 	if image == nil {
 		return false, nil
 	}
-	if err := image.isCorrupted(name); err != nil {
+	if err := image.isCorrupted(context.Background(), name); err != nil {
 		logrus.Error(err)
 		return false, nil
 	}
@@ -235,8 +234,12 @@ func (r *Runtime) LookupImage(name string, options *LookupImageOptions) (*Image,
 		if storageRef.Transport().Name() != storageTransport.Transport.Name() {
 			return nil, "", fmt.Errorf("unsupported transport %q for looking up local images", storageRef.Transport().Name())
 		}
-		img, err := storageTransport.Transport.GetStoreImage(r.store, storageRef)
+		_, img, err := storageTransport.ResolveReference(storageRef)
 		if err != nil {
+			if errors.Is(err, storageTransport.ErrNoSuchImage) {
+				// backward compatibility
+				return nil, "", storage.ErrImageUnknown
+			}
 			return nil, "", err
 		}
 		logrus.Debugf("Found image %q in local containers storage (%s)", name, storageRef.StringWithinTransport())
@@ -347,9 +350,9 @@ func (r *Runtime) lookupImageInLocalStorage(name, candidate string, namedCandida
 		if err != nil {
 			return nil, err
 		}
-		img, err = storageTransport.Transport.GetStoreImage(r.store, ref)
+		_, img, err = storageTransport.ResolveReference(ref)
 		if err != nil {
-			if errors.Is(err, storage.ErrImageUnknown) {
+			if errors.Is(err, storageTransport.ErrNoSuchImage) {
 				return nil, nil
 			}
 			return nil, err
@@ -605,7 +608,7 @@ func (r *Runtime) ListImages(ctx context.Context, names []string, options *ListI
 	// as the layer tree will computed once for all instead of once for
 	// each individual image (see containers/podman/issues/17828).
 
-	tree, err := r.layerTree(images)
+	tree, err := r.layerTree(ctx, images)
 	if err != nil {
 		return nil, err
 	}

vendor/github.com/containers/common/libimage/save.go

@@ -1,5 +1,4 @@
 //go:build !remote
-// +build !remote
 
 package libimage
 

vendor/github.com/containers/common/libimage/search.go

@@ -1,5 +1,4 @@
 //go:build !remote
-// +build !remote
 
 package libimage
 

vendor/github.com/containers/common/libnetwork/cni/cni_conversion.go

@@ -1,5 +1,4 @@
 //go:build linux || freebsd
-// +build linux freebsd
 
 package cni
 
@@ -18,8 +17,8 @@ import (
 	internalutil "github.com/containers/common/libnetwork/internal/util"
 	"github.com/containers/common/libnetwork/types"
 	"github.com/containers/common/libnetwork/util"
-	pkgutil "github.com/containers/common/pkg/util"
 	"github.com/sirupsen/logrus"
+	"golang.org/x/exp/slices"
 	"golang.org/x/sys/unix"
 )
 
@@ -32,13 +31,13 @@ func createNetworkFromCNIConfigList(conf *libcni.NetworkConfigList, confPath str
 		IPAMOptions: map[string]string{},
 	}
 
-	cniJSON := make(map[string]interface{})
+	cniJSON := make(map[string]any)
 	err := json.Unmarshal(conf.Bytes, &cniJSON)
 	if err != nil {
 		return nil, fmt.Errorf("failed to unmarshal network config %s: %w", conf.Name, err)
 	}
 	if args, ok := cniJSON["args"]; ok {
-		if key, ok := args.(map[string]interface{}); ok {
+		if key, ok := args.(map[string]any); ok {
 			// read network labels and options from the conf file
 			network.Labels = getNetworkArgsFromConfList(key, podmanLabelKey)
 			network.Options = getNetworkArgsFromConfList(key, podmanOptionsKey)
@@ -215,9 +214,9 @@ func convertIPAMConfToNetwork(network *types.Network, ipam *ipamConfig, confPath
 }
 
 // getNetworkArgsFromConfList returns the map of args in a conflist, argType should be labels or options
-func getNetworkArgsFromConfList(args map[string]interface{}, argType string) map[string]string {
+func getNetworkArgsFromConfList(args map[string]any, argType string) map[string]string {
 	if args, ok := args[argType]; ok {
-		if labels, ok := args.(map[string]interface{}); ok {
+		if labels, ok := args.(map[string]any); ok {
 			result := make(map[string]string, len(labels))
 			for k, v := range labels {
 				if v, ok := v.(string); ok {
@@ -299,7 +298,7 @@ func (n *cniNetwork) createCNIConfigListFromNetwork(network *types.Network, writ
 	// the dnsname plugin also needs to be updated for 1.0.0
 	// TODO change to 1.0.0 when most distros support it
 	ncList := newNcList(network.Name, "0.4.0", network.Labels, network.Options)
-	var plugins []interface{}
+	var plugins []any
 
 	switch network.Driver {
 	case types.BridgeNetworkDriver:
@@ -359,7 +358,7 @@ func convertSpecgenPortsToCNIPorts(ports []types.PortMapping) ([]cniPortMapEntry
 		protocols := strings.Split(port.Protocol, ",")
 
 		for _, protocol := range protocols {
-			if !pkgutil.StringInSlice(protocol, []string{"tcp", "udp", "sctp"}) {
+			if !slices.Contains([]string{"tcp", "udp", "sctp"}, protocol) {
 				return nil, fmt.Errorf("unknown port protocol %s", protocol)
 			}
 			cniPort := cniPortMapEntry{
@@ -421,11 +420,11 @@ func parseOptions(networkOptions map[string]string, networkDriver string) (*opti
 		case types.ModeOption:
 			switch networkDriver {
 			case types.MacVLANNetworkDriver:
-				if !pkgutil.StringInSlice(v, types.ValidMacVLANModes) {
+				if !slices.Contains(types.ValidMacVLANModes, v) {
 					return nil, fmt.Errorf("unknown macvlan mode %q", v)
 				}
 			case types.IPVLANNetworkDriver:
-				if !pkgutil.StringInSlice(v, types.ValidIPVLANModes) {
+				if !slices.Contains(types.ValidIPVLANModes, v) {
 					return nil, fmt.Errorf("unknown ipvlan mode %q", v)
 				}
 			default:

vendor/github.com/containers/common/libnetwork/cni/cni_exec.go

@@ -17,7 +17,6 @@
 // limitations under the License.
 
 //go:build linux || freebsd
-// +build linux freebsd
 
 package cni
 

vendor/github.com/containers/common/libnetwork/cni/cni_types.go

@@ -1,5 +1,4 @@
 //go:build linux || freebsd
-// +build linux freebsd
 
 package cni
 
@@ -116,7 +115,7 @@ type dnsNameConfig struct {
 }
 
 // ncList describes a generic map
-type ncList map[string]interface{}
+type ncList map[string]any
 
 // newNcList creates a generic map of values with string
 // keys and adds in version and network name
@@ -139,8 +138,6 @@ func newNcList(name, version string, labels, options map[string]string) ncList {
 
 // newHostLocalBridge creates a new LocalBridge for host-local
 func newHostLocalBridge(name string, isGateWay, ipMasq bool, mtu, vlan int, ipamConf *ipamConfig) *hostLocalBridge {
-	caps := make(map[string]bool)
-	caps["ips"] = true
 	bridge := hostLocalBridge{
 		PluginType:  "bridge",
 		BrName:      name,
@@ -154,7 +151,7 @@ func newHostLocalBridge(name string, isGateWay, ipMasq bool, mtu, vlan int, ipam
 		bridge.IPAM = *ipamConf
 		// if we use host-local set the ips cap to ensure we can set static ips via runtime config
 		if ipamConf.PluginType == types.HostLocalIPAMDriver {
-			bridge.Capabilities = caps
+			bridge.Capabilities = map[string]bool{"ips": true}
 		}
 	}
 	return &bridge
@@ -216,13 +213,10 @@ func newIPAMDefaultRoute(isIPv6 bool) (ipamRoute, error) {
 // newPortMapPlugin creates a predefined, default portmapping
 // configuration
 func newPortMapPlugin() portMapConfig {
-	caps := make(map[string]bool)
-	caps["portMappings"] = true
-	p := portMapConfig{
+	return portMapConfig{
 		PluginType:   "portmap",
-		Capabilities: caps,
+		Capabilities: map[string]bool{"portMappings": true},
 	}
-	return p
 }
 
 // newFirewallPlugin creates a generic firewall plugin
@@ -246,12 +240,10 @@ func newTuningPlugin() tuningConfig {
 // newDNSNamePlugin creates the dnsname config with a given
 // domainname
 func newDNSNamePlugin(domainName string) dnsNameConfig {
-	caps := make(map[string]bool, 1)
-	caps["aliases"] = true
 	return dnsNameConfig{
 		PluginType:   "dnsname",
 		DomainName:   domainName,
-		Capabilities: caps,
+		Capabilities: map[string]bool{"aliases": true},
 	}
 }
 

vendor/github.com/containers/common/libnetwork/cni/config.go

@@ -1,5 +1,4 @@
 //go:build linux || freebsd
-// +build linux freebsd
 
 package cni
 
@@ -11,8 +10,8 @@ import (
 
 	internalutil "github.com/containers/common/libnetwork/internal/util"
 	"github.com/containers/common/libnetwork/types"
-	pkgutil "github.com/containers/common/pkg/util"
 	"github.com/sirupsen/logrus"
+	"golang.org/x/exp/slices"
 )
 
 func (n *cniNetwork) NetworkUpdate(_ string, _ types.NetworkUpdateOptions) error {
@@ -206,7 +205,7 @@ func createIPMACVLAN(network *types.Network) error {
 		if err != nil {
 			return err
 		}
-		if !pkgutil.StringInSlice(network.NetworkInterface, interfaceNames) {
+		if !slices.Contains(interfaceNames, network.NetworkInterface) {
 			return fmt.Errorf("parent interface %s does not exist", network.NetworkInterface)
 		}
 	}

vendor/github.com/containers/common/libnetwork/cni/config_freebsd.go

@@ -1,5 +1,4 @@
 //go:build freebsd
-// +build freebsd
 
 package cni
 

vendor/github.com/containers/common/libnetwork/cni/config_linux.go

@@ -1,5 +1,4 @@
 //go:build linux
-// +build linux
 
 package cni
 

vendor/github.com/containers/common/libnetwork/cni/network.go

@@ -1,5 +1,4 @@
 //go:build linux || freebsd
-// +build linux freebsd
 
 package cni
 

vendor/github.com/containers/common/libnetwork/cni/run.go

@@ -1,5 +1,4 @@
 //go:build linux || freebsd
-// +build linux freebsd
 
 package cni
 
@@ -70,8 +69,9 @@ func (n *cniNetwork) Setup(namespacePath string, options types.SetupOptions) (ma
 			// If we have more than one static ip we need parse the ips via runtime config,
 			// make sure to add the ips capability to the first plugin otherwise it doesn't get the ips
 			if len(netOpts.StaticIPs) > 0 && !network.cniNet.Plugins[0].Network.Capabilities["ips"] {
-				caps := make(map[string]interface{})
-				caps["capabilities"] = map[string]bool{"ips": true}
+				caps := map[string]any{
+					"capabilities": map[string]bool{"ips": true},
+				}
 				network.cniNet.Plugins[0], retErr = libcni.InjectConf(network.cniNet.Plugins[0], caps)
 				if retErr != nil {
 					return retErr
@@ -174,7 +174,7 @@ func getRuntimeConfig(netns, conName, conID, networkName string, ports []cniPort
 			// Only K8S_POD_NAME is used by dnsname to get the container name.
 			{"K8S_POD_NAME", conName},
 		},
-		CapabilityArgs: map[string]interface{}{},
+		CapabilityArgs: map[string]any{},
 	}
 
 	// Propagate environment CNI_ARGS

vendor/github.com/containers/common/libnetwork/etchosts/hosts.go

@@ -9,7 +9,7 @@ import (
 	"strings"
 
 	"github.com/containers/common/pkg/config"
-	"github.com/containers/common/pkg/util"
+	"golang.org/x/exp/slices"
 )
 
 const (
@@ -220,7 +220,7 @@ func checkIfEntryExists(current HostEntry, entries HostEntries) bool {
 		if current.IP == rm.IP {
 			// it is enough if one of the names match, in this case we remove the full entry
 			for _, name := range current.Names {
-				if util.StringInSlice(name, rm.Names) {
+				if slices.Contains(rm.Names, name) {
 					return true
 				}
 			}

vendor/github.com/containers/common/libnetwork/internal/util/bridge.go

@@ -7,13 +7,13 @@ import (
 	"github.com/containers/common/libnetwork/types"
 	"github.com/containers/common/libnetwork/util"
 	"github.com/containers/common/pkg/config"
-	pkgutil "github.com/containers/common/pkg/util"
+	"golang.org/x/exp/slices"
 )
 
 func CreateBridge(n NetUtil, network *types.Network, usedNetworks []*net.IPNet, subnetPools []config.SubnetPool) error {
 	if network.NetworkInterface != "" {
 		bridges := GetBridgeInterfaceNames(n)
-		if pkgutil.StringInSlice(network.NetworkInterface, bridges) {
+		if slices.Contains(bridges, network.NetworkInterface) {
 			return fmt.Errorf("bridge name %s already in use", network.NetworkInterface)
 		}
 		if !types.NameRegex.MatchString(network.NetworkInterface) {

vendor/github.com/containers/common/libnetwork/internal/util/interface.go

@@ -7,7 +7,7 @@ import "github.com/containers/common/libnetwork/types"
 
 // NetUtil is a helper interface which all network interfaces should implement to allow easy code sharing
 type NetUtil interface {
-	// ForEach eaxecutes the given function for each network
+	// ForEach executes the given function for each network
 	ForEach(func(types.Network))
 	// Len returns the number of networks
 	Len() int

vendor/github.com/containers/common/libnetwork/internal/util/util.go

@@ -7,8 +7,8 @@ import (
 
 	"github.com/containers/common/libnetwork/types"
 	"github.com/containers/common/pkg/config"
-	"github.com/containers/common/pkg/util"
 	"github.com/sirupsen/logrus"
+	"golang.org/x/exp/slices"
 )
 
 // GetBridgeInterfaceNames returns all bridge interface names
@@ -51,7 +51,7 @@ func GetFreeDeviceName(n NetUtil) (string, error) {
 	// Start by 1, 0 is reserved for the default network
 	for i := 1; i < 1000000; i++ {
 		deviceName := fmt.Sprintf("%s%d", n.DefaultInterfaceName(), i)
-		if !util.StringInSlice(deviceName, names) {
+		if !slices.Contains(names, deviceName) {
 			logrus.Debugf("found free device name %s", deviceName)
 			return deviceName, nil
 		}

vendor/github.com/containers/common/libnetwork/netavark/config.go

@@ -1,5 +1,4 @@
 //go:build linux || freebsd
-// +build linux freebsd
 
 package netavark
 
@@ -16,14 +15,14 @@ import (
 
 	internalutil "github.com/containers/common/libnetwork/internal/util"
 	"github.com/containers/common/libnetwork/types"
-	"github.com/containers/common/pkg/util"
 	"github.com/containers/storage/pkg/stringid"
+	"golang.org/x/exp/slices"
 )
 
 func sliceRemoveDuplicates(strList []string) []string {
 	list := make([]string, 0, len(strList))
 	for _, item := range strList {
-		if !util.StringInSlice(item, list) {
+		if !slices.Contains(list, item) {
 			list = append(list, item)
 		}
 	}
@@ -71,7 +70,7 @@ func (n *netavarkNetwork) NetworkUpdate(name string, options types.NetworkUpdate
 	networkDNSServersBefore := network.NetworkDNSServers
 	networkDNSServersAfter := []string{}
 	for _, server := range networkDNSServersBefore {
-		if util.StringInSlice(server, options.RemoveDNSServers) {
+		if slices.Contains(options.RemoveDNSServers, server) {
 			continue
 		}
 		networkDNSServersAfter = append(networkDNSServersAfter, server)
@@ -273,7 +272,7 @@ func createIpvlanOrMacvlan(network *types.Network) error {
 		if err != nil {
 			return err
 		}
-		if !util.StringInSlice(network.NetworkInterface, interfaceNames) {
+		if !slices.Contains(interfaceNames, network.NetworkInterface) {
 			return fmt.Errorf("parent interface %s does not exist", network.NetworkInterface)
 		}
 	}
@@ -319,11 +318,11 @@ func createIpvlanOrMacvlan(network *types.Network) error {
 		switch key {
 		case types.ModeOption:
 			if isMacVlan {
-				if !util.StringInSlice(value, types.ValidMacVLANModes) {
+				if !slices.Contains(types.ValidMacVLANModes, value) {
 					return fmt.Errorf("unknown macvlan mode %q", value)
 				}
 			} else {
-				if !util.StringInSlice(value, types.ValidIPVLANModes) {
+				if !slices.Contains(types.ValidIPVLANModes, value) {
 					return fmt.Errorf("unknown ipvlan mode %q", value)
 				}
 			}
@@ -473,7 +472,7 @@ func getAllPlugins(dirs []string) []string {
 		if err == nil {
 			for _, entry := range entries {
 				name := entry.Name()
-				if !util.StringInSlice(name, plugins) {
+				if !slices.Contains(plugins, name) {
 					plugins = append(plugins, name)
 				}
 			}

vendor/github.com/containers/common/libnetwork/netavark/const.go

@@ -1,5 +1,4 @@
 //go:build linux || freebsd
-// +build linux freebsd
 
 package netavark
 

vendor/github.com/containers/common/libnetwork/netavark/exec.go

@@ -1,5 +1,4 @@
 //go:build linux || freebsd
-// +build linux freebsd
 
 package netavark
 
@@ -77,7 +76,7 @@ func getRustLogEnv() string {
 // used to marshal the netavark output into it. This can be nil.
 // All errors return by this function should be of the type netavarkError
 // to provide a helpful error message.
-func (n *netavarkNetwork) execNetavark(args []string, needPlugin bool, stdin, result interface{}) error {
+func (n *netavarkNetwork) execNetavark(args []string, needPlugin bool, stdin, result any) error {
 	// set the netavark log level to the same as the podman
 	env := append(os.Environ(), getRustLogEnv())
 	// Netavark need access to iptables in $PATH. As it turns out debian doesn't put
@@ -102,11 +101,11 @@ func (n *netavarkNetwork) execNetavark(args []string, needPlugin bool, stdin, re
 	return n.execBinary(n.netavarkBinary, append(n.getCommonNetavarkOptions(needPlugin), args...), stdin, result, env)
 }
 
-func (n *netavarkNetwork) execPlugin(path string, args []string, stdin, result interface{}) error {
+func (n *netavarkNetwork) execPlugin(path string, args []string, stdin, result any) error {
 	return n.execBinary(path, args, stdin, result, nil)
 }
 
-func (n *netavarkNetwork) execBinary(path string, args []string, stdin, result interface{}, env []string) error {
+func (n *netavarkNetwork) execBinary(path string, args []string, stdin, result any, env []string) error {
 	stdinR, stdinW, err := os.Pipe()
 	if err != nil {
 		return newNetavarkError("failed to create stdin pipe", err)

vendor/github.com/containers/common/libnetwork/netavark/ipam.go

@@ -1,5 +1,4 @@
 //go:build linux || freebsd
-// +build linux freebsd
 
 package netavark
 
@@ -48,7 +47,7 @@ func (e *ipamError) Error() string {
 	return msg
 }
 
-func newIPAMError(cause error, msg string, args ...interface{}) *ipamError {
+func newIPAMError(cause error, msg string, args ...any) *ipamError {
 	return &ipamError{
 		msg:   fmt.Sprintf(msg, args...),
 		cause: cause,

vendor/github.com/containers/common/libnetwork/netavark/network.go

@@ -1,5 +1,4 @@
 //go:build linux || freebsd
-// +build linux freebsd
 
 package netavark
 

vendor/github.com/containers/common/libnetwork/netavark/run.go

@@ -1,5 +1,4 @@
 //go:build linux || freebsd
-// +build linux freebsd
 
 package netavark
 
@@ -11,8 +10,8 @@ import (
 
 	"github.com/containers/common/libnetwork/internal/util"
 	"github.com/containers/common/libnetwork/types"
-	pkgutil "github.com/containers/common/pkg/util"
 	"github.com/sirupsen/logrus"
+	"golang.org/x/exp/slices"
 )
 
 type netavarkOptions struct {
@@ -175,7 +174,7 @@ func (n *netavarkNetwork) convertNetOpts(opts types.NetworkOptions) (*netavarkOp
 			return nil, false, err
 		}
 		netavarkOptions.Networks[network] = net
-		if !pkgutil.StringInSlice(net.Driver, builtinDrivers) {
+		if !slices.Contains(builtinDrivers, net.Driver) {
 			needsPlugin = true
 		}
 	}

vendor/github.com/containers/common/libnetwork/network/interface.go

@@ -1,5 +1,4 @@
 //go:build linux || freebsd
-// +build linux freebsd
 
 package network
 

vendor/github.com/containers/common/libnetwork/resolvconf/resolv.go

@@ -7,9 +7,9 @@ import (
 	"path/filepath"
 	"strings"
 
-	"github.com/containers/common/pkg/util"
 	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/sirupsen/logrus"
+	"golang.org/x/exp/slices"
 )
 
 const (
@@ -111,7 +111,7 @@ func getDefaultResolvConf(params *Params) ([]byte, bool, error) {
 
 // unsetSearchDomainsIfNeeded removes the search domain when they contain a single dot as element.
 func unsetSearchDomainsIfNeeded(searches []string) []string {
-	if util.StringInSlice(".", searches) {
+	if slices.Contains(searches, ".") {
 		return nil
 	}
 	return searches
@@ -173,7 +173,7 @@ func Remove(path string, nameservers []string) error {
 	oldNameservers := getNameservers(contents)
 	newNameserver := make([]string, 0, len(oldNameservers))
 	for _, ns := range oldNameservers {
-		if !util.StringInSlice(ns, nameservers) {
+		if !slices.Contains(nameservers, ns) {
 			newNameserver = append(newNameserver, ns)
 		}
 	}

vendor/github.com/containers/common/libnetwork/slirp4netns/slirp4netns.go

@@ -1,5 +1,4 @@
 //go:build linux
-// +build linux
 
 package slirp4netns
 
@@ -706,7 +705,7 @@ func openSlirp4netnsPort(apiSocket, proto, hostip string, hostport, guestport ui
 	}
 	// if there is no 'error' key in the received JSON data, then the operation was
 	// successful.
-	var y map[string]interface{}
+	var y map[string]any
 	if err := json.Unmarshal(buf[0:readLength], &y); err != nil {
 		return fmt.Errorf("parsing error status from slirp4netns: %w", err)
 	}

vendor/github.com/containers/common/libnetwork/util/filters.go

@@ -7,6 +7,7 @@ import (
 	"github.com/containers/common/libnetwork/types"
 	"github.com/containers/common/pkg/filters"
 	"github.com/containers/common/pkg/util"
+	"golang.org/x/exp/slices"
 )
 
 func GenerateNetworkFilters(f map[string][]string) ([]types.FilterFunc, error) {
@@ -32,7 +33,7 @@ func createFilterFuncs(key string, filterValues []string) (types.FilterFunc, err
 	case types.Driver:
 		// matches network driver
 		return func(net types.Network) bool {
-			return util.StringInSlice(net.Driver, filterValues)
+			return slices.Contains(filterValues, net.Driver)
 		}, nil
 
 	case "id":

vendor/github.com/containers/common/pkg/apparmor/apparmor_linux.go

@@ -1,5 +1,4 @@
 //go:build linux && apparmor
-// +build linux,apparmor
 
 package apparmor
 

vendor/github.com/containers/common/pkg/apparmor/apparmor_linux_template.go

@@ -1,5 +1,4 @@
 //go:build linux && apparmor
-// +build linux,apparmor
 
 package apparmor
 

vendor/github.com/containers/common/pkg/apparmor/apparmor_unsupported.go

@@ -1,5 +1,4 @@
 //go:build !linux || !apparmor
-// +build !linux !apparmor
 
 package apparmor
 

vendor/github.com/containers/common/pkg/capabilities/capabilities.go

@@ -13,6 +13,7 @@ import (
 	"sync"
 
 	"github.com/syndtr/gocapability/capability"
+	"golang.org/x/exp/slices"
 )
 
 var (
@@ -54,16 +55,6 @@ func init() {
 	}
 }
 
-// stringInSlice determines if a string is in a string slice, returns bool
-func stringInSlice(s string, sl []string) bool {
-	for _, i := range sl {
-		if i == s {
-			return true
-		}
-	}
-	return false
-}
-
 var (
 	boundingSetOnce sync.Once
 	boundingSetRet  []string
@@ -115,7 +106,7 @@ func NormalizeCapabilities(caps []string) ([]string, error) {
 		if !strings.HasPrefix(c, "CAP_") {
 			c = "CAP_" + c
 		}
-		if !stringInSlice(c, capabilityList) {
+		if !slices.Contains(capabilityList, c) {
 			return nil, fmt.Errorf("%q: %w", c, ErrUnknownCapability)
 		}
 		normalized = append(normalized, c)
@@ -127,7 +118,7 @@ func NormalizeCapabilities(caps []string) ([]string, error) {
 // ValidateCapabilities validates if caps only contains valid capabilities.
 func ValidateCapabilities(caps []string) error {
 	for _, c := range caps {
-		if !stringInSlice(c, capabilityList) {
+		if !slices.Contains(capabilityList, c) {
 			return fmt.Errorf("%q: %w", c, ErrUnknownCapability)
 		}
 	}
@@ -159,8 +150,8 @@ func MergeCapabilities(base, adds, drops []string) ([]string, error) {
 		return nil, err
 	}
 
-	if stringInSlice(All, capDrop) {
-		if stringInSlice(All, capAdd) {
+	if slices.Contains(capDrop, All) {
+		if slices.Contains(capAdd, All) {
 			return nil, errors.New("adding all caps and removing all caps not allowed")
 		}
 		// "Drop" all capabilities; return what's in capAdd instead
@@ -168,7 +159,7 @@ func MergeCapabilities(base, adds, drops []string) ([]string, error) {
 		return capAdd, nil
 	}
 
-	if stringInSlice(All, capAdd) {
+	if slices.Contains(capAdd, All) {
 		base, err = BoundingSet()
 		if err != nil {
 			return nil, err
@@ -176,14 +167,14 @@ func MergeCapabilities(base, adds, drops []string) ([]string, error) {
 		capAdd = []string{}
 	} else {
 		for _, add := range capAdd {
-			if stringInSlice(add, capDrop) {
+			if slices.Contains(capDrop, add) {
 				return nil, fmt.Errorf("capability %q cannot be dropped and added", add)
 			}
 		}
 	}
 
 	for _, drop := range capDrop {
-		if stringInSlice(drop, capAdd) {
+		if slices.Contains(capAdd, drop) {
 			return nil, fmt.Errorf("capability %q cannot be dropped and added", drop)
 		}
 	}
@@ -191,7 +182,7 @@ func MergeCapabilities(base, adds, drops []string) ([]string, error) {
 	caps := make([]string, 0, len(base)+len(capAdd))
 	// Drop any capabilities in capDrop that are in base
 	for _, cap := range base {
-		if stringInSlice(cap, capDrop) {
+		if slices.Contains(capDrop, cap) {
 			continue
 		}
 		caps = append(caps, cap)
@@ -199,7 +190,7 @@ func MergeCapabilities(base, adds, drops []string) ([]string, error) {
 
 	// Add any capabilities in capAdd that are not in base
 	for _, cap := range capAdd {
-		if stringInSlice(cap, base) {
+		if slices.Contains(base, cap) {
 			continue
 		}
 		caps = append(caps, cap)

vendor/github.com/containers/common/pkg/cgroups/blkio_linux.go

@@ -1,5 +1,4 @@
 //go:build linux
-// +build linux
 
 package cgroups
 

vendor/github.com/containers/common/pkg/cgroups/cgroups_linux.go

@@ -1,5 +1,4 @@
 //go:build linux
-// +build linux
 
 package cgroups
 
@@ -22,6 +21,7 @@ import (
 	"github.com/opencontainers/runc/libcontainer/cgroups/fs2"
 	"github.com/opencontainers/runc/libcontainer/configs"
 	"github.com/sirupsen/logrus"
+	"golang.org/x/exp/maps"
 )
 
 var (
@@ -73,12 +73,13 @@ const (
 var handlers map[string]controllerHandler
 
 func init() {
-	handlers = make(map[string]controllerHandler)
-	handlers[CPU] = getCPUHandler()
-	handlers[CPUset] = getCpusetHandler()
-	handlers[Memory] = getMemoryHandler()
-	handlers[Pids] = getPidsHandler()
-	handlers[Blkio] = getBlkioHandler()
+	handlers = map[string]controllerHandler{
+		CPU:    getCPUHandler(),
+		CPUset: getCpusetHandler(),
+		Memory: getMemoryHandler(),
+		Pids:   getPidsHandler(),
+		Blkio:  getBlkioHandler(),
+	}
 }
 
 // getAvailableControllers get the available controllers
@@ -492,10 +493,7 @@ func (c *CgroupControl) AddPid(pid int) error {
 		return fs2.CreateCgroupPath(path, c.config)
 	}
 
-	names := make([]string, 0, len(handlers))
-	for n := range handlers {
-		names = append(names, n)
-	}
+	names := maps.Keys(handlers)
 
 	for _, c := range c.additionalControllers {
 		if !c.symlink {

vendor/github.com/containers/common/pkg/cgroups/cgroups_supported.go

@@ -1,5 +1,4 @@
 //go:build linux
-// +build linux
 
 package cgroups
 

vendor/github.com/containers/common/pkg/cgroups/cgroups_unsupported.go

@@ -1,5 +1,4 @@
 //go:build !linux
-// +build !linux
 
 package cgroups
 

vendor/github.com/containers/common/pkg/cgroups/cpu_linux.go

@@ -1,5 +1,4 @@
 //go:build linux
-// +build linux
 
 package cgroups
 

vendor/github.com/containers/common/pkg/cgroups/cpuset_linux.go

@@ -1,5 +1,4 @@
 //go:build linux
-// +build linux
 
 package cgroups
 

vendor/github.com/containers/common/pkg/cgroups/memory_linux.go

@@ -1,5 +1,4 @@
 //go:build linux
-// +build linux
 
 package cgroups
 

vendor/github.com/containers/common/pkg/cgroups/pids_linux.go

@@ -1,5 +1,4 @@
 //go:build linux
-// +build linux
 
 package cgroups
 

vendor/github.com/containers/common/pkg/cgroups/systemd.go

@@ -1,5 +1,4 @@
 //go:build !linux
-// +build !linux
 
 package cgroups
 

vendor/github.com/containers/common/pkg/cgroups/systemd_linux.go

@@ -1,5 +1,4 @@
 //go:build linux
-// +build linux
 
 package cgroups
 

vendor/github.com/containers/common/pkg/cgroups/utils_linux.go

@@ -1,5 +1,4 @@
 //go:build linux
-// +build linux
 
 package cgroups
 

vendor/github.com/containers/common/pkg/cgroupv2/cgroups_unsupported.go

@@ -1,5 +1,4 @@
 //go:build !linux
-// +build !linux
 
 package cgroupv2
 

vendor/github.com/containers/common/pkg/chown/chown_unix.go

@@ -1,5 +1,4 @@
 //go:build !windows
-// +build !windows
 
 package chown
 

vendor/github.com/containers/common/pkg/config/config.go

@@ -13,12 +13,12 @@ import (
 	"github.com/containers/common/internal/attributedstring"
 	"github.com/containers/common/libnetwork/types"
 	"github.com/containers/common/pkg/capabilities"
-	"github.com/containers/common/pkg/util"
 	"github.com/containers/storage/pkg/ioutils"
 	"github.com/containers/storage/pkg/unshare"
 	units "github.com/docker/go-units"
 	selinux "github.com/opencontainers/selinux/go-selinux"
 	"github.com/sirupsen/logrus"
+	"golang.org/x/exp/slices"
 )
 
 const (
@@ -918,7 +918,7 @@ func (c *Config) GetDefaultEnvEx(envHost, httpProxy bool) []string {
 }
 
 // Capabilities returns the capabilities parses the Add and Drop capability
-// list from the default capabiltiies for the container
+// list from the default capabilities for the container
 func (c *Config) Capabilities(user string, addCapabilities, dropCapabilities []string) ([]string, error) {
 	userNotRoot := func(user string) bool {
 		if user == "" || user == "root" || user == "0" {
@@ -1228,7 +1228,7 @@ func ValidateImageVolumeMode(mode string) error {
 	if mode == "" {
 		return nil
 	}
-	if util.StringInSlice(mode, validImageVolumeModes) {
+	if slices.Contains(validImageVolumeModes, mode) {
 		return nil
 	}
 
@@ -1245,7 +1245,7 @@ func (c *Config) FindInitBinary() (string, error) {
 	if c.Engine.InitPath != "" {
 		return c.Engine.InitPath, nil
 	}
-	// keep old default working to guarantee backwards comapt
+	// keep old default working to guarantee backwards compat
 	if _, err := os.Stat(DefaultInitPath); err == nil {
 		return DefaultInitPath, nil
 	}