Vendor in latest buildah

Signed-off-by: baude <bbaude@redhat.com> Closes: #1007 Approved by: baude
2025-06-24 03:08:13 +08:00 · 2018-06-27 08:55:20 -05:00
parent f6c0fc1aa8
commit e1b47c1507
13 changed files with 247 additions and 63 deletions
--- a/vendor.conf
+++ b/vendor.conf
@ -88,7 +88,7 @@ k8s.io/kube-openapi 275e2ce91dec4c05a4094a7b1daee5560b555ac9 https://github.com/
 k8s.io/utils 258e2a2fa64568210fbd6267cf1d8fd87c3cb86e https://github.com/kubernetes/utils
 github.com/mrunalp/fileutils master
 github.com/varlink/go master
-github.com/projectatomic/buildah 2441ff4f9f6a5e635f85c177892f096a46503d6f
+github.com/projectatomic/buildah e098ef46fd32af5e77c7c65315d454653a36d6dd
 github.com/Nvveen/Gotty master
 github.com/fsouza/go-dockerclient master
 github.com/openshift/imagebuilder master
--- a/vendor/github.com/projectatomic/buildah/bind/mount_unsupported.go
+++ b/vendor/github.com/projectatomic/buildah/bind/mount_unsupported.go
@ -3,23 +3,11 @@
 package bind

 import (
-	"fmt"
-	"os"
-	"path/filepath"
-	"sort"
-	"strings"
-	"syscall"
-
-	"github.com/containers/storage/pkg/idtools"
-	"github.com/containers/storage/pkg/mount"
 	"github.com/opencontainers/runtime-spec/specs-go"
-	"github.com/pkg/errors"
-	"github.com/sirupsen/logrus"
-	"golang.org/x/sys/unix"
 )

 // SetupIntermediateMountNamespace returns a no-op unmountAll() and no error.
 func SetupIntermediateMountNamespace(spec *specs.Spec, bundlePath string) (unmountAll func() error, err error) {
-	stripNoBuildahBindOption(spec)
+	stripNoBindOption(spec)
 	return func() error { return nil }, nil
 }
--- a/vendor/github.com/projectatomic/buildah/buildah.go
+++ b/vendor/github.com/projectatomic/buildah/buildah.go
@ -15,6 +15,7 @@ import (
 	"github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
 	"github.com/projectatomic/buildah/docker"
+	"github.com/projectatomic/buildah/util"
 )

 const (
@ -105,6 +106,8 @@ func (p NetworkConfigurationPolicy) String() string {
 type Builder struct {
 	store storage.Store

+	// Args define variables that users can pass at build-time to the builder
+	Args map[string]string
 	// Type is used to help identify a build container's metadata.  It
 	// should not be modified.
 	Type string `json:"type"`
@ -147,6 +150,8 @@ type Builder struct {
 	// DefaultMountsFilePath is the file path holding the mounts to be mounted in "host-path:container-path" format.
 	DefaultMountsFilePath string `json:"defaultMountsFilePath,omitempty"`

+	// Isolation controls how we handle "RUN" statements and the Run() method.
+	Isolation Isolation
 	// NamespaceOptions controls how we set up the namespaces for processes that we run in the container.
 	NamespaceOptions NamespaceOptions
 	// ConfigureNetwork controls whether or not network interfaces and
@ -193,11 +198,15 @@ type BuilderInfo struct {
 	OCIv1                 v1.Image
 	Docker                docker.V2Image
 	DefaultMountsFilePath string
+	Isolation             string
 	NamespaceOptions      NamespaceOptions
 	ConfigureNetwork      string
 	CNIPluginPath         string
 	CNIConfigDir          string
 	IDMappingOptions      IDMappingOptions
+	DefaultCapabilities   []string
+	AddCapabilities       []string
+	DropCapabilities      []string
 }

 // GetBuildInfo gets a pointer to a Builder object and returns a BuilderInfo object from it.
@ -218,11 +227,15 @@ func GetBuildInfo(b *Builder) BuilderInfo {
 		OCIv1:                 b.OCIv1,
 		Docker:                b.Docker,
 		DefaultMountsFilePath: b.DefaultMountsFilePath,
+		Isolation:             b.Isolation.String(),
 		NamespaceOptions:      b.NamespaceOptions,
 		ConfigureNetwork:      fmt.Sprintf("%v", b.ConfigureNetwork),
 		CNIPluginPath:         b.CNIPluginPath,
 		CNIConfigDir:          b.CNIConfigDir,
 		IDMappingOptions:      b.IDMappingOptions,
+		DefaultCapabilities:   append([]string{}, util.DefaultCapabilities...),
+		AddCapabilities:       append([]string{}, b.AddCapabilities...),
+		DropCapabilities:      append([]string{}, b.DropCapabilities...),
 	}
 }

@ -279,6 +292,9 @@ type CommonBuildOptions struct {

 // BuilderOptions are used to initialize a new Builder.
 type BuilderOptions struct {
+
+	// Args define variables that users can pass at build-time to the builder
+	Args map[string]string
 	// FromImage is the name of the image which should be used as the
 	// starting point for the container.  It can be set to an empty value
 	// or "scratch" to indicate that the container should not be based on
@ -317,6 +333,9 @@ type BuilderOptions struct {
 	// DefaultMountsFilePath is the file path holding the mounts to be
 	// mounted in "host-path:container-path" format
 	DefaultMountsFilePath string
+	// Isolation controls how we handle "RUN" statements and the Run()
+	// method.
+	Isolation Isolation
 	// NamespaceOptions controls how we set up namespaces for processes that
 	// we might need to run using the container's root filesystem.
 	NamespaceOptions NamespaceOptions
--- a/vendor/github.com/projectatomic/buildah/commit.go
+++ b/vendor/github.com/projectatomic/buildah/commit.go
@ -105,10 +105,17 @@ func (b *Builder) Commit(ctx context.Context, dest types.ImageReference, options
 			logrus.Debugf("error destroying signature policy context: %v", err2)
 		}
 	}()
-	// Check if we're keeping everything in local storage.  If so, we can take certain shortcuts.
-	_, destIsStorage := dest.Transport().(is.StoreTransport)
-	exporting := !destIsStorage
-	src, err := b.makeImageRef(options.PreferredManifestType, options.Parent, exporting, options.Squash, options.Compression, options.HistoryTimestamp)
+	// Check if the base image is already in the destination and it's some kind of local
+	// storage.  If so, we can skip recompressing any layers that come from the base image.
+	exportBaseLayers := true
+	if transport, destIsStorage := dest.Transport().(is.StoreTransport); destIsStorage && b.FromImageID != "" {
+		if baseref, err := transport.ParseReference(b.FromImageID); baseref != nil && err == nil {
+			if img, err := transport.GetImage(baseref); img != nil && err == nil {
+				exportBaseLayers = false
+			}
+		}
+	}
+	src, err := b.makeImageRef(options.PreferredManifestType, options.Parent, exportBaseLayers, options.Squash, options.Compression, options.HistoryTimestamp)
 	if err != nil {
 		return imgID, errors.Wrapf(err, "error computing layer digests and building metadata")
 	}
--- a/vendor/github.com/projectatomic/buildah/config_noseccomp.go
+++ b/vendor/github.com/projectatomic/buildah/config_noseccomp.go
@ -0,0 +1,11 @@
+// +build !seccomp
+
+package buildah
+
+import "github.com/opencontainers/runtime-spec/specs-go"
+
+func setupSeccomp(spec *specs.Spec, seccompProfilePath string) error {
+	// If no seccomp is being used, the Seccomp profile in the Linux spec
+	// is not set
+	return nil
+}
--- a/vendor/github.com/projectatomic/buildah/config_seccomp.go
+++ b/vendor/github.com/projectatomic/buildah/config_seccomp.go
@ -0,0 +1,35 @@
+// +build seccomp
+
+package buildah
+
+import (
+	"io/ioutil"
+
+	"github.com/docker/docker/profiles/seccomp"
+	"github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/pkg/errors"
+)
+
+func setupSeccomp(spec *specs.Spec, seccompProfilePath string) error {
+	switch seccompProfilePath {
+	case "unconfined":
+		spec.Linux.Seccomp = nil
+	case "":
+		seccompConfig, err := seccomp.GetDefaultProfile(spec)
+		if err != nil {
+			return errors.Wrapf(err, "loading default seccomp profile failed")
+		}
+		spec.Linux.Seccomp = seccompConfig
+	default:
+		seccompProfile, err := ioutil.ReadFile(seccompProfilePath)
+		if err != nil {
+			return errors.Wrapf(err, "opening seccomp profile (%s) failed", seccompProfilePath)
+		}
+		seccompConfig, err := seccomp.LoadProfile(string(seccompProfile), spec)
+		if err != nil {
+			return errors.Wrapf(err, "loading seccomp profile (%s) failed", seccompProfilePath)
+		}
+		spec.Linux.Seccomp = seccompConfig
+	}
+	return nil
+}
--- a/vendor/github.com/projectatomic/buildah/imagebuildah/build.go
+++ b/vendor/github.com/projectatomic/buildah/imagebuildah/build.go
@ -67,8 +67,11 @@ type BuildOptions struct {
 	IgnoreUnrecognizedInstructions bool
 	// Quiet tells us whether or not to announce steps as we go through them.
 	Quiet bool
-	// Runtime is the name of the command to run for RUN instructions.  It
-	// should accept the same arguments and flags that runc does.
+	// Isolation controls how Run() runs things.
+	Isolation buildah.Isolation
+	// Runtime is the name of the command to run for RUN instructions when
+	// Isolation is either IsolationDefault or IsolationOCI.  It should
+	// accept the same arguments and flags that runc does.
 	Runtime string
 	// RuntimeArgs adds global arguments for the runtime.
 	RuntimeArgs []string
@ -193,6 +196,7 @@ type Executor struct {
 	volumeCache                    map[string]string
 	volumeCacheInfo                map[string]os.FileInfo
 	reportWriter                   io.Writer
+	isolation                      buildah.Isolation
 	namespaceOptions               []buildah.NamespaceOption
 	configureNetwork               buildah.NetworkConfigurationPolicy
 	cniPluginPath                  string
@ -551,6 +555,7 @@ func NewExecutor(store storage.Store, options BuildOptions) (*Executor, error) {
 		out:                     options.Out,
 		err:                     options.Err,
 		reportWriter:            options.ReportWriter,
+		isolation:               options.Isolation,
 		namespaceOptions:        options.NamespaceOptions,
 		configureNetwork:        options.ConfigureNetwork,
 		cniPluginPath:           options.CNIPluginPath,
@ -601,6 +606,7 @@ func (b *Executor) Prepare(ctx context.Context, ib *imagebuilder.Builder, node *
 		b.log("FROM %s", from)
 	}
 	builderOptions := buildah.BuilderOptions{
+		Args:                  ib.Args,
 		FromImage:             from,
 		PullPolicy:            b.pullPolicy,
 		Registry:              b.registry,
@ -608,6 +614,7 @@ func (b *Executor) Prepare(ctx context.Context, ib *imagebuilder.Builder, node *
 		SignaturePolicyPath:   b.signaturePolicyPath,
 		ReportWriter:          b.reportWriter,
 		SystemContext:         b.systemContext,
+		Isolation:             b.isolation,
 		NamespaceOptions:      b.namespaceOptions,
 		ConfigureNetwork:      b.configureNetwork,
 		CNIPluginPath:         b.cniPluginPath,
@ -673,7 +680,7 @@ func (b *Executor) Prepare(ctx context.Context, ib *imagebuilder.Builder, node *
 	}
 	b.mountPoint = mountPoint
 	b.builder = builder
-	// Add the top  layer of this image to b.topLayers so we can keep track of them
+	// Add the top layer of this image to b.topLayers so we can keep track of them
 	// when building with cached images.
 	b.topLayers = append(b.topLayers, builder.TopLayer)
 	return nil
--- a/vendor/github.com/projectatomic/buildah/import.go
+++ b/vendor/github.com/projectatomic/buildah/import.go
@ -43,6 +43,11 @@ func importBuilderDataFromImage(ctx context.Context, store storage.Store, system
 		}
 	}

+	defaultNamespaceOptions, err := DefaultNamespaceOptions()
+	if err != nil {
+		return nil, err
+	}
+
 	builder := &Builder{
 		store:            store,
 		Type:             containerType,
@ -52,7 +57,7 @@ func importBuilderDataFromImage(ctx context.Context, store storage.Store, system
 		ContainerID:      containerID,
 		ImageAnnotations: map[string]string{},
 		ImageCreatedBy:   "",
-		NamespaceOptions: DefaultNamespaceOptions(),
+		NamespaceOptions: defaultNamespaceOptions,
 		IDMappingOptions: IDMappingOptions{
 			HostUIDMapping: len(uidmap) == 0,
 			HostGIDMapping: len(uidmap) == 0,
--- a/vendor/github.com/projectatomic/buildah/new.go
+++ b/vendor/github.com/projectatomic/buildah/new.go
@ -292,7 +292,13 @@ func newBuilder(ctx context.Context, store storage.Store, options BuilderOptions
 		return nil, err
 	}
 	uidmap, gidmap := convertStorageIDMaps(container.UIDMap, container.GIDMap)
-	namespaceOptions := DefaultNamespaceOptions()
+
+	defaultNamespaceOptions, err := DefaultNamespaceOptions()
+	if err != nil {
+		return nil, err
+	}
+
+	namespaceOptions := defaultNamespaceOptions
 	namespaceOptions.AddOrReplace(options.NamespaceOptions...)

 	builder := &Builder{
@ -307,6 +313,7 @@ func newBuilder(ctx context.Context, store storage.Store, options BuilderOptions
 		ProcessLabel:          processLabel,
 		MountLabel:            mountLabel,
 		DefaultMountsFilePath: options.DefaultMountsFilePath,
+		Isolation:             options.Isolation,
 		NamespaceOptions:      namespaceOptions,
 		ConfigureNetwork:      options.ConfigureNetwork,
 		CNIPluginPath:         options.CNIPluginPath,
@ -321,6 +328,7 @@ func newBuilder(ctx context.Context, store storage.Store, options BuilderOptions
 		DropCapabilities: copyStringSlice(options.DropCapabilities),
 		CommonBuildOpts:  options.CommonBuildOpts,
 		TopLayer:         topLayer,
+		Args:             options.Args,
 	}

 	if options.Mount {
--- a/vendor/github.com/projectatomic/buildah/pkg/cli/common.go
+++ b/vendor/github.com/projectatomic/buildah/pkg/cli/common.go
@ -119,6 +119,10 @@ var (
 			Name:  "iidfile",
 			Usage: "`file` to write the image ID to",
 		},
+		cli.StringFlag{
+			Name:  "isolation",
+			Usage: "`type` of process isolation to use",
+		},
 		cli.StringSliceFlag{
 			Name:  "label",
 			Usage: "Set metadata for an image (default [])",
--- a/vendor/github.com/projectatomic/buildah/pkg/parse/parse.go
+++ b/vendor/github.com/projectatomic/buildah/pkg/parse/parse.go
@ -294,6 +294,7 @@ func SystemContextFromOptions(c *cli.Context) (*types.SystemContext, error) {
 	if c.GlobalIsSet("registries-conf-dir") {
 		ctx.RegistriesDirPath = c.GlobalString("registries-conf-dir")
 	}
+	ctx.DockerRegistryUserAgent = fmt.Sprintf("Buildah/%s", buildah.Version)
 	return ctx, nil
 }

@ -529,3 +530,23 @@ func NamespaceOptions(c *cli.Context) (namespaceOptions buildah.NamespaceOptions
 	}
 	return options, policy, nil
 }
+
+func defaultIsolation() buildah.Isolation {
+	isolation := os.Getenv("BUILDAH_ISOLATION")
+	if strings.HasPrefix(strings.ToLower(isolation), "oci") {
+		return buildah.IsolationOCI
+	}
+	return buildah.IsolationDefault
+}
+
+// IsolationOption parses the --isolation flag.
+func IsolationOption(c *cli.Context) (buildah.Isolation, error) {
+	if c.String("isolation") != "" {
+		if strings.HasPrefix(strings.ToLower(c.String("isolation")), "oci") {
+			return buildah.IsolationOCI, nil
+		} else {
+			return buildah.IsolationDefault, errors.Errorf("unrecognized isolation type %q", c.String("isolation"))
+		}
+	}
+	return defaultIsolation(), nil
+}
--- a/vendor/github.com/projectatomic/buildah/run.go
+++ b/vendor/github.com/projectatomic/buildah/run.go
@ -21,7 +21,6 @@ import (
 	"github.com/containernetworking/cni/libcni"
 	"github.com/containers/storage/pkg/ioutils"
 	"github.com/containers/storage/pkg/reexec"
-	"github.com/docker/docker/profiles/seccomp"
 	units "github.com/docker/go-units"
 	digest "github.com/opencontainers/go-digest"
 	"github.com/opencontainers/runtime-spec/specs-go"
@ -103,10 +102,34 @@ type IDMappingOptions struct {
 	GIDMap         []specs.LinuxIDMapping
 }

+// Isolation provides a way to specify whether we're supposed to use a proper
+// OCI runtime, or some other method for running commands.
+type Isolation int
+
+const (
+	// IsolationDefault is whatever we think will work best.
+	IsolationDefault Isolation = iota
+	// IsolationOCI is a proper OCI runtime.
+	IsolationOCI
+)
+
+// String converts a Isolation into a string.
+func (i Isolation) String() string {
+	switch i {
+	case IsolationDefault:
+		return "IsolationDefault"
+	case IsolationOCI:
+		return "IsolationOCI"
+	}
+	return fmt.Sprintf("unrecognized isolation type %d", i)
+}
+
 // RunOptions can be used to alter how a command is run in the container.
 type RunOptions struct {
 	// Hostname is the hostname we set for the running container.
 	Hostname string
+	// Isolation is either IsolationDefault or IsolationOCI.
+	Isolation Isolation
 	// Runtime is the name of the command to run.  It should accept the same arguments
 	// that runc does, and produce similar output.
 	Runtime string
@ -167,7 +190,7 @@ type RunOptions struct {

 // DefaultNamespaceOptions returns the default namespace settings from the
 // runtime-tools generator library.
-func DefaultNamespaceOptions() NamespaceOptions {
+func DefaultNamespaceOptions() (NamespaceOptions, error) {
 	options := NamespaceOptions{
 		{Name: string(specs.CgroupNamespace), Host: true},
 		{Name: string(specs.IPCNamespace), Host: true},
@ -177,8 +200,11 @@ func DefaultNamespaceOptions() NamespaceOptions {
 		{Name: string(specs.UserNamespace), Host: true},
 		{Name: string(specs.UTSNamespace), Host: true},
 	}
-	g := generate.New()
-	spec := g.Spec()
+	g, err := generate.New("linux")
+	if err != nil {
+		return options, err
+	}
+	spec := g.Config
 	if spec.Linux != nil {
 		for _, ns := range spec.Linux.Namespaces {
 			options.AddOrReplace(NamespaceOption{
@ -187,7 +213,7 @@ func DefaultNamespaceOptions() NamespaceOptions {
 			})
 		}
 	}
-	return options
+	return options, nil
 }

 // Find the configuration for the namespace of the given type.  If there are
@ -658,30 +684,6 @@ func setupCapabilities(g *generate.Generator, firstAdds, firstDrops, secondAdds,
 	return nil
 }

-func setupSeccomp(spec *specs.Spec, seccompProfilePath string) error {
-	switch seccompProfilePath {
-	case "unconfined":
-		spec.Linux.Seccomp = nil
-	case "":
-		seccompConfig, err := seccomp.GetDefaultProfile(spec)
-		if err != nil {
-			return errors.Wrapf(err, "loading default seccomp profile failed")
-		}
-		spec.Linux.Seccomp = seccompConfig
-	default:
-		seccompProfile, err := ioutil.ReadFile(seccompProfilePath)
-		if err != nil {
-			return errors.Wrapf(err, "opening seccomp profile (%s) failed", seccompProfilePath)
-		}
-		seccompConfig, err := seccomp.LoadProfile(string(seccompProfile), spec)
-		if err != nil {
-			return errors.Wrapf(err, "loading seccomp profile (%s) failed", seccompProfilePath)
-		}
-		spec.Linux.Seccomp = seccompConfig
-	}
-	return nil
-}
-
 func setupApparmor(spec *specs.Spec, apparmorProfile string) error {
 	spec.Process.ApparmorProfile = apparmorProfile
 	return nil
@ -795,6 +797,53 @@ func setupNamespaces(g *generate.Generator, namespaceOptions NamespaceOptions, i
 	return configureNetwork, configureNetworks, configureUTS, nil
 }

+// Search for a command that isn't given as an absolute path using the $PATH
+// under the rootfs.  We can't resolve absolute symbolic links without
+// chroot()ing, which we may not be able to do, so just accept a link as a
+// valid resolution.
+func runLookupPath(g *generate.Generator, command []string) []string {
+	// Look for the configured $PATH.
+	spec := g.Spec()
+	envPath := ""
+	for i := range spec.Process.Env {
+		if strings.HasPrefix(spec.Process.Env[i], "PATH=") {
+			envPath = spec.Process.Env[i]
+		}
+	}
+	// If there is no configured $PATH, supply one.
+	if envPath == "" {
+		defaultPath := "/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin"
+		envPath = "PATH=" + defaultPath
+		g.AddProcessEnv("PATH", defaultPath)
+	}
+	// No command, nothing to do.
+	if len(command) == 0 {
+		return command
+	}
+	// Command is already an absolute path, use it as-is.
+	if filepath.IsAbs(command[0]) {
+		return command
+	}
+	// For each element in the PATH,
+	for _, pathEntry := range filepath.SplitList(envPath[5:]) {
+		// if it's the empty string, it's ".", which is the Cwd,
+		if pathEntry == "" {
+			pathEntry = spec.Process.Cwd
+		}
+		// build the absolute path which it might be,
+		candidate := filepath.Join(pathEntry, command[0])
+		// check if it's there,
+		if fi, err := os.Lstat(filepath.Join(spec.Root.Path, candidate)); fi != nil && err == nil {
+			// and if it's not a directory, and either a symlink or executable,
+			if !fi.IsDir() && ((fi.Mode()&os.ModeSymlink != 0) || (fi.Mode()&0111 != 0)) {
+				// use that.
+				return append([]string{candidate}, command[1:]...)
+			}
+		}
+	}
+	return command
+}
+
 // Run runs the specified command in the container's root filesystem.
 func (b *Builder) Run(command []string, options RunOptions) error {
 	var user specs.User
@ -814,9 +863,14 @@ func (b *Builder) Run(command []string, options RunOptions) error {
 			logrus.Errorf("error removing %q: %v", path, err2)
 		}
 	}()
-	gp := generate.New()
+	gp, err := generate.New("linux")
+	if err != nil {
+		return err
+	}
+
 	g := &gp

+	g.ClearProcessEnv()
 	for _, envSpec := range append(b.Env(), options.Env...) {
 		env := strings.SplitN(envSpec, "=", 2)
 		if len(env) > 1 {
@ -824,6 +878,10 @@ func (b *Builder) Run(command []string, options RunOptions) error {
 		}
 	}

+	for src, dest := range b.Args {
+		g.AddProcessEnv(src, dest)
+	}
+
 	if b.CommonBuildOpts == nil {
 		return errors.Errorf("Invalid format on container you must recreate the container")
 	}
@ -832,11 +890,6 @@ func (b *Builder) Run(command []string, options RunOptions) error {
 		return err
 	}

-	if len(command) > 0 {
-		g.SetProcessArgs(command)
-	} else {
-		g.SetProcessArgs(nil)
-	}
 	if options.WorkingDir != "" {
 		g.SetProcessCwd(options.WorkingDir)
 	} else if b.WorkDir() != "" {
@ -853,15 +906,25 @@ func (b *Builder) Run(command []string, options RunOptions) error {
 			logrus.Errorf("error unmounting container: %v", err2)
 		}
 	}()
+	g.SetRootPath(mountPoint)
+	if len(command) > 0 {
+		command = runLookupPath(g, command)
+		g.SetProcessArgs(command)
+	} else {
+		g.SetProcessArgs(nil)
+	}

 	setupMaskedPaths(g)
 	setupReadOnlyPaths(g)

-	g.SetRootPath(mountPoint)
-
 	setupTerminal(g, options.Terminal, options.TerminalSize)

-	namespaceOptions := DefaultNamespaceOptions()
+	defaultNamespaceOptions, err := DefaultNamespaceOptions()
+	if err != nil {
+		return err
+	}
+
+	namespaceOptions := defaultNamespaceOptions
 	namespaceOptions.AddOrReplace(b.NamespaceOptions...)
 	namespaceOptions.AddOrReplace(options.NamespaceOptions...)

@ -967,7 +1030,20 @@ func (b *Builder) Run(command []string, options RunOptions) error {
 		}
 	}

-	return b.runUsingRuntimeSubproc(options, configureNetwork, configureNetworks, spec, mountPoint, path, Package+"-"+filepath.Base(path))
+	isolation := options.Isolation
+	if isolation == IsolationDefault {
+		isolation = b.Isolation
+		if isolation == IsolationDefault {
+			isolation = IsolationOCI
+		}
+	}
+	switch isolation {
+	case IsolationOCI:
+		err = b.runUsingRuntimeSubproc(options, configureNetwork, configureNetworks, spec, mountPoint, path, Package+"-"+filepath.Base(path))
+	default:
+		err = errors.Errorf("don't know how to run this command")
+	}
+	return err
 }

 type runUsingRuntimeSubprocOptions struct {
--- a/vendor/github.com/projectatomic/buildah/vendor.conf
+++ b/vendor/github.com/projectatomic/buildah/vendor.conf
@ -1,3 +1,4 @@
+github.com/Azure/go-ansiterm master
 github.com/blang/semver master
 github.com/BurntSushi/toml master
 github.com/containerd/continuity master
@ -23,6 +24,8 @@ github.com/hashicorp/go-multierror master
 github.com/imdario/mergo master
 github.com/mattn/go-runewidth master
 github.com/mattn/go-shellwords master
+github.com/Microsoft/go-winio master
+github.com/Microsoft/hcsshim master
 github.com/mistifyio/go-zfs master
 github.com/moby/moby f8806b18b4b92c5e1980f6e11c917fad201cd73c
 github.com/mtrmac/gpgme master
@ -32,7 +35,7 @@ github.com/opencontainers/image-spec v1.0.0
 github.com/opencontainers/runc master
 github.com/opencontainers/runtime-spec v1.0.0
 github.com/opencontainers/runtime-tools master
-github.com/opencontainers/selinux 6ccd0b50d53ae771fe5259ff7a4039110777aa2d
+github.com/opencontainers/selinux 3b2399ec5682aea5c9160d44fa53387d7e65ccf5
 github.com/openshift/imagebuilder master
 github.com/ostreedev/ostree-go aeb02c6b6aa2889db3ef62f7855650755befd460
 github.com/pborman/uuid master