vendor: update buildah version

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Closes: #1269
Approved by: rhatdan

vendor.conf

@@ -49,7 +49,7 @@ github.com/opencontainers/go-digest v1.0.0-rc0
 github.com/opencontainers/image-spec v1.0.0
 github.com/opencontainers/runc b4e2ecb452d9ee4381137cc0a7e6715b96bed6de
 github.com/opencontainers/runtime-spec v1.0.0
-github.com/opencontainers/runtime-tools 625e2322645b151a7cbb93a8b42920933e72167f
+github.com/opencontainers/runtime-tools master
 github.com/opencontainers/selinux b6fa367ed7f534f9ba25391cc2d467085dbb445a
 github.com/ostreedev/ostree-go master
 github.com/pkg/errors v0.8.0
@@ -90,7 +90,7 @@ k8s.io/kube-openapi 275e2ce91dec4c05a4094a7b1daee5560b555ac9 https://github.com/
 k8s.io/utils 258e2a2fa64568210fbd6267cf1d8fd87c3cb86e https://github.com/kubernetes/utils
 github.com/mrunalp/fileutils master
 github.com/varlink/go master
-github.com/projectatomic/buildah 35a37f36d37bf84397d7f79f6bb8649f728c19f1
+github.com/projectatomic/buildah 308ad3d7fc63ee34ed213c2ffa6b345441600b8f
 github.com/Nvveen/Gotty master
 github.com/fsouza/go-dockerclient master
 github.com/openshift/imagebuilder master

vendor/github.com/opencontainers/runtime-tools/README.md

@@ -69,7 +69,7 @@ validation/linux_cgroups_hugetlb.t .................... 0/1
 
 validation/linux_cgroups_memory.t ..................... 9/9
 validation/linux_rootfs_propagation_shared.t ...... 252/282
-  not ok shared root propogation exposes "/target348456609/mount892511628/example376408222"
+  not ok shared root propagation exposes "/target348456609/mount892511628/example376408222"
 
   Skipped: 29
      /dev/null (default device) has unconfigured permissions

vendor/github.com/projectatomic/buildah/buildah.go

@@ -24,7 +24,7 @@ const (
 	Package = "buildah"
 	// Version for the Package.  Bump version in contrib/rpm/buildah.spec
 	// too.
-	Version = "1.3-dev"
+	Version = "1.4-dev"
 	// The value we use to identify what type of information, currently a
 	// serialized Builder structure, we are using as per-container state.
 	// This should only be changed when we make incompatible changes to

vendor/github.com/projectatomic/buildah/chroot/run.go

@@ -551,9 +551,7 @@ func runUsingChroot(spec *specs.Spec, bundlePath string, ctty *os.File, stdin io
 		cmd.Setsid = true
 		cmd.Ctty = ctty
 	}
-	if spec.Process.OOMScoreAdj != nil {
+	cmd.OOMScoreAdj = spec.Process.OOMScoreAdj
-		cmd.OOMScoreAdj = *spec.Process.OOMScoreAdj
-	}
 	cmd.ExtraFiles = append([]*os.File{preader}, cmd.ExtraFiles...)
 	cmd.Hook = func(int) error {
 		for _, f := range closeOnceRunning {

vendor/github.com/projectatomic/buildah/imagebuildah/build.go

@@ -1203,8 +1203,9 @@ func BuildDockerfiles(ctx context.Context, store storage.Store, options BuildOpt
 			}
 			data = resp.Body
 		} else {
-			if !filepath.IsAbs(dfile) {
+			// If the Dockerfile isn't found try prepending the
-				logrus.Debugf("resolving local Dockerfile %q", dfile)
+			// context directory to it.
+			if _, err := os.Stat(dfile); os.IsNotExist(err) {
 				dfile = filepath.Join(options.ContextDirectory, dfile)
 			}
 			logrus.Debugf("reading local Dockerfile %q", dfile)

vendor/github.com/projectatomic/buildah/pkg/parse/parse.go

@@ -545,6 +545,8 @@ func defaultIsolation() (buildah.Isolation, error) {
 	if isSet {
 		if strings.HasPrefix(strings.ToLower(isolation), "oci") {
 			return buildah.IsolationOCI, nil
+		} else if strings.HasPrefix(strings.ToLower(isolation), "rootless") {
+			return buildah.IsolationOCIRootless, nil
 		} else if strings.HasPrefix(strings.ToLower(isolation), "chroot") {
 			return buildah.IsolationChroot, nil
 		}
@@ -558,6 +560,8 @@ func IsolationOption(c *cli.Context) (buildah.Isolation, error) {
 	if c.String("isolation") != "" {
 		if strings.HasPrefix(strings.ToLower(c.String("isolation")), "oci") {
 			return buildah.IsolationOCI, nil
+		} else if strings.HasPrefix(strings.ToLower(c.String("isolation")), "rootless") {
+			return buildah.IsolationOCIRootless, nil
 		} else if strings.HasPrefix(strings.ToLower(c.String("isolation")), "chroot") {
 			return buildah.IsolationChroot, nil
 		} else {

vendor/github.com/projectatomic/buildah/run.go

@@ -116,6 +116,8 @@ const (
 	// IsolationChroot is a more chroot-like environment: less isolation,
 	// but with fewer requirements.
 	IsolationChroot
+	// IsolationOCIRootless is a proper OCI runtime in rootless mode.
+	IsolationOCIRootless
 )
 
 // String converts a Isolation into a string.
@@ -127,6 +129,8 @@ func (i Isolation) String() string {
 		return "IsolationOCI"
 	case IsolationChroot:
 		return "IsolationChroot"
+	case IsolationOCIRootless:
+		return "IsolationOCIRootless"
 	}
 	return fmt.Sprintf("unrecognized isolation type %d", i)
 }
@@ -135,7 +139,7 @@ func (i Isolation) String() string {
 type RunOptions struct {
 	// Hostname is the hostname we set for the running container.
 	Hostname string
-	// Isolation is either IsolationDefault, IsolationOCI, or IsolationChroot.
+	// Isolation is either IsolationDefault, IsolationOCI, IsolationChroot, or IsolationOCIRootless.
 	Isolation Isolation
 	// Runtime is the name of the runtime to run.  It should accept the
 	// same arguments that runc does, and produce similar output.
@@ -350,6 +354,13 @@ func (b *Builder) setupMounts(mountPoint string, spec *specs.Spec, bundlePath st
 		return false
 	}
 
+	ipc := namespaceOptions.Find(string(specs.IPCNamespace))
+	hostIPC := ipc == nil || ipc.Host
+	net := namespaceOptions.Find(string(specs.NetworkNamespace))
+	hostNetwork := net == nil || net.Host
+	user := namespaceOptions.Find(string(specs.UserNamespace))
+	hostUser := user == nil || user.Host
+
 	// Copy mounts from the generated list.
 	mountCgroups := true
 	specMounts := []specs.Mount{}
@@ -357,9 +368,7 @@ func (b *Builder) setupMounts(mountPoint string, spec *specs.Spec, bundlePath st
 		// Override some of the mounts from the generated list if we're doing different things with namespaces.
 		if specMount.Destination == "/dev/shm" {
 			specMount.Options = []string{"nosuid", "noexec", "nodev", "mode=1777", "size=" + shmSize}
-			user := namespaceOptions.Find(string(specs.UserNamespace))
+			if hostIPC && !hostUser {
-			ipc := namespaceOptions.Find(string(specs.IPCNamespace))
-			if (ipc == nil || ipc.Host) && (user != nil && !user.Host) {
 				if _, err := os.Stat("/dev/shm"); err != nil && os.IsNotExist(err) {
 					continue
 				}
@@ -372,9 +381,7 @@ func (b *Builder) setupMounts(mountPoint string, spec *specs.Spec, bundlePath st
 			}
 		}
 		if specMount.Destination == "/dev/mqueue" {
-			user := namespaceOptions.Find(string(specs.UserNamespace))
+			if hostIPC && !hostUser {
-			ipc := namespaceOptions.Find(string(specs.IPCNamespace))
-			if (ipc == nil || ipc.Host) && (user != nil && !user.Host) {
 				if _, err := os.Stat("/dev/mqueue"); err != nil && os.IsNotExist(err) {
 					continue
 				}
@@ -387,9 +394,7 @@ func (b *Builder) setupMounts(mountPoint string, spec *specs.Spec, bundlePath st
 			}
 		}
 		if specMount.Destination == "/sys" {
-			user := namespaceOptions.Find(string(specs.UserNamespace))
+			if hostNetwork && !hostUser {
-			net := namespaceOptions.Find(string(specs.NetworkNamespace))
-			if (net == nil || net.Host) && (user != nil && !user.Host) {
 				mountCgroups = false
 				if _, err := os.Stat("/sys"); err != nil && os.IsNotExist(err) {
 					continue
@@ -715,7 +720,6 @@ func setupTerminal(g *generate.Generator, terminalPolicy TerminalPolicy, termina
 
 func setupNamespaces(g *generate.Generator, namespaceOptions NamespaceOptions, idmapOptions IDMappingOptions, policy NetworkConfigurationPolicy) (configureNetwork bool, configureNetworks []string, configureUTS bool, err error) {
 	// Set namespace options in the container configuration.
-	hostPidns := false
 	configureUserns := false
 	specifiedNetwork := false
 	for _, namespaceOption := range namespaceOptions {
@@ -725,8 +729,6 @@ func setupNamespaces(g *generate.Generator, namespaceOptions NamespaceOptions, i
 			if !namespaceOption.Host && namespaceOption.Path == "" {
 				configureUserns = true
 			}
-		case string(specs.PIDNamespace):
-			hostPidns = namespaceOption.Host
 		case string(specs.NetworkNamespace):
 			specifiedNetwork = true
 			configureNetwork = false
@@ -754,11 +756,9 @@ func setupNamespaces(g *generate.Generator, namespaceOptions NamespaceOptions, i
 			return false, nil, false, errors.Wrapf(err, "error adding %q namespace %q for run", namespaceOption.Name, namespaceOption.Path)
 		}
 	}
+
 	// If we've got mappings, we're going to have to create a user namespace.
 	if len(idmapOptions.UIDMap) > 0 || len(idmapOptions.GIDMap) > 0 || configureUserns {
-		if hostPidns {
-			return false, nil, false, errors.New("unable to mix host PID namespace with user namespace")
-		}
 		if err := g.AddOrReplaceLinuxNamespace(specs.UserNamespace, ""); err != nil {
 			return false, nil, false, errors.Wrapf(err, "error adding new %q namespace for run", string(specs.UserNamespace))
 		}
@@ -940,25 +940,25 @@ func (b *Builder) Run(command []string, options RunOptions) error {
 			logrus.Errorf("error removing %q: %v", path, err2)
 		}
 	}()
+
 	gp, err := generate.New("linux")
 	if err != nil {
 		return err
 	}
-
 	g := &gp
 
-	b.configureEnvironment(g, options)
+	isolation := options.Isolation
-
+	if isolation == IsolationDefault {
-	if os.Getuid() != 0 {
+		isolation = b.Isolation
-		g.RemoveMount("/dev/pts")
+		if isolation == IsolationDefault {
-		devPts := specs.Mount{
+			isolation = IsolationOCI
-			Destination: "/dev/pts",
-			Type:        "devpts",
-			Source:      "devpts",
-			Options:     []string{"nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620"},
 		}
-		g.AddMount(devPts)
 	}
+	if err := checkAndOverrideIsolationOptions(isolation, &options); err != nil {
+		return err
+	}
+
+	b.configureEnvironment(g, options)
 
 	if b.CommonBuildOpts == nil {
 		return errors.Errorf("Invalid format on container you must recreate the container")
@@ -1070,24 +1070,139 @@ func (b *Builder) Run(command []string, options RunOptions) error {
 		}
 	}
 
-	isolation := options.Isolation
-	if isolation == IsolationDefault {
-		isolation = b.Isolation
-		if isolation == IsolationDefault {
-			isolation = IsolationOCI
-		}
-	}
 	switch isolation {
 	case IsolationOCI:
-		err = b.runUsingRuntimeSubproc(options, configureNetwork, configureNetworks, spec, mountPoint, path, Package+"-"+filepath.Base(path))
+		// The default is --rootless=auto, which makes troubleshooting a bit harder.
+		// rootlessFlag := []string{"--rootless=false"}
+		// for _, arg := range options.Args {
+		// 	if strings.HasPrefix(arg, "--rootless") {
+		// 		rootlessFlag = nil
+		// 	}
+		// }
+		// options.Args = append(options.Args, rootlessFlag...)
+		err = b.runUsingRuntimeSubproc(options, configureNetwork, configureNetworks, nil, spec, mountPoint, path, Package+"-"+filepath.Base(path))
 	case IsolationChroot:
 		err = chroot.RunUsingChroot(spec, path, options.Stdin, options.Stdout, options.Stderr)
+	case IsolationOCIRootless:
+		if err := setupRootlessSpecChanges(spec, path, rootUID, rootGID); err != nil {
+			return err
+		}
+		rootlessFlag := []string{"--rootless=true"}
+		for _, arg := range options.Args {
+			if strings.HasPrefix(arg, "--rootless") {
+				rootlessFlag = nil
+			}
+		}
+		options.Args = append(options.Args, rootlessFlag...)
+		err = b.runUsingRuntimeSubproc(options, configureNetwork, configureNetworks, []string{"--no-new-keyring", "--no-pivot"}, spec, mountPoint, path, Package+"-"+filepath.Base(path))
 	default:
 		err = errors.Errorf("don't know how to run this command")
 	}
 	return err
 }
 
+func checkAndOverrideIsolationOptions(isolation Isolation, options *RunOptions) error {
+	switch isolation {
+	case IsolationOCIRootless:
+		if ns := options.NamespaceOptions.Find(string(specs.IPCNamespace)); ns == nil || ns.Host {
+			logrus.Debugf("Forcing use of an IPC namespace.")
+		}
+		options.NamespaceOptions.AddOrReplace(NamespaceOption{Name: string(specs.IPCNamespace)})
+		if ns := options.NamespaceOptions.Find(string(specs.NetworkNamespace)); ns != nil && !ns.Host {
+			logrus.Debugf("Disabling network namespace.")
+		}
+		options.NamespaceOptions.AddOrReplace(NamespaceOption{Name: string(specs.NetworkNamespace), Host: true})
+		if ns := options.NamespaceOptions.Find(string(specs.PIDNamespace)); ns == nil || ns.Host {
+			logrus.Debugf("Forcing use of a PID namespace.")
+		}
+		options.NamespaceOptions.AddOrReplace(NamespaceOption{Name: string(specs.PIDNamespace), Host: false})
+		if ns := options.NamespaceOptions.Find(string(specs.UserNamespace)); ns == nil || ns.Host {
+			logrus.Debugf("Forcing use of a user namespace.")
+		}
+		options.NamespaceOptions.AddOrReplace(NamespaceOption{Name: string(specs.UserNamespace)})
+		if ns := options.NamespaceOptions.Find(string(specs.UTSNamespace)); ns != nil && !ns.Host {
+			logrus.Debugf("Disabling UTS namespace.")
+		}
+		options.NamespaceOptions.AddOrReplace(NamespaceOption{Name: string(specs.UTSNamespace), Host: true})
+	case IsolationOCI:
+		pidns := options.NamespaceOptions.Find(string(specs.PIDNamespace))
+		userns := options.NamespaceOptions.Find(string(specs.UserNamespace))
+		if (pidns == nil || pidns.Host) && (userns != nil && !userns.Host) {
+			return fmt.Errorf("not allowed to mix host PID namespace with container user namespace")
+		}
+	}
+	return nil
+}
+
+func setupRootlessSpecChanges(spec *specs.Spec, bundleDir string, rootUID, rootGID uint32) error {
+	spec.Hostname = ""
+	spec.Process.User.AdditionalGids = nil
+	spec.Linux.Resources = nil
+
+	emptyDir := filepath.Join(bundleDir, "empty")
+	if err := os.Mkdir(emptyDir, 0); err != nil {
+		return errors.Wrapf(err, "error creating %q", emptyDir)
+	}
+
+	// Replace /sys with a read-only bind mount.
+	mounts := []specs.Mount{
+		{
+			Source:      "/dev",
+			Destination: "/dev",
+			Type:        "tmpfs",
+			Options:     []string{"private", "strictatime", "noexec", "nosuid", "mode=755", "size=65536k"},
+		},
+		{
+			Source:      "mqueue",
+			Destination: "/dev/mqueue",
+			Type:        "mqueue",
+			Options:     []string{"private", "nodev", "noexec", "nosuid"},
+		},
+		{
+			Source:      "pts",
+			Destination: "/dev/pts",
+			Type:        "devpts",
+			Options:     []string{"private", "noexec", "nosuid", "newinstance", "ptmxmode=0666", "mode=0620"},
+		},
+		{
+			Source:      "shm",
+			Destination: "/dev/shm",
+			Type:        "tmpfs",
+			Options:     []string{"private", "nodev", "noexec", "nosuid", "mode=1777", "size=65536k"},
+		},
+		{
+			Source:      "/proc",
+			Destination: "/proc",
+			Type:        "proc",
+			Options:     []string{"private", "nodev", "noexec", "nosuid"},
+		},
+		{
+			Source:      "/sys",
+			Destination: "/sys",
+			Type:        "bind",
+			Options:     []string{bind.NoBindOption, "rbind", "private", "nodev", "noexec", "nosuid", "ro"},
+		},
+	}
+	// Cover up /sys/fs/cgroup and /sys/fs/selinux, if they exist in our source for /sys.
+	if _, err := os.Stat("/sys/fs/cgroup"); err == nil {
+		spec.Linux.MaskedPaths = append(spec.Linux.MaskedPaths, "/sys/fs/cgroup")
+	}
+	if _, err := os.Stat("/sys/fs/selinux"); err == nil {
+		spec.Linux.MaskedPaths = append(spec.Linux.MaskedPaths, "/sys/fs/selinux")
+	}
+	// Keep anything that isn't under /dev, /proc, or /sys.
+	for i := range spec.Mounts {
+		if spec.Mounts[i].Destination == "/dev" || strings.HasPrefix(spec.Mounts[i].Destination, "/dev/") ||
+			spec.Mounts[i].Destination == "/proc" || strings.HasPrefix(spec.Mounts[i].Destination, "/proc/") ||
+			spec.Mounts[i].Destination == "/sys" || strings.HasPrefix(spec.Mounts[i].Destination, "/sys/") {
+			continue
+		}
+		mounts = append(mounts, spec.Mounts[i])
+	}
+	spec.Mounts = mounts
+	return nil
+}
+
 type runUsingRuntimeSubprocOptions struct {
 	Options           RunOptions
 	Spec              *specs.Spec
@@ -1095,10 +1210,11 @@ type runUsingRuntimeSubprocOptions struct {
 	BundlePath        string
 	ConfigureNetwork  bool
 	ConfigureNetworks []string
+	MoreCreateArgs    []string
 	ContainerName     string
 }
 
-func (b *Builder) runUsingRuntimeSubproc(options RunOptions, configureNetwork bool, configureNetworks []string, spec *specs.Spec, rootPath, bundlePath, containerName string) (err error) {
+func (b *Builder) runUsingRuntimeSubproc(options RunOptions, configureNetwork bool, configureNetworks, moreCreateArgs []string, spec *specs.Spec, rootPath, bundlePath, containerName string) (err error) {
 	var confwg sync.WaitGroup
 	config, conferr := json.Marshal(runUsingRuntimeSubprocOptions{
 		Options:           options,
@@ -1107,6 +1223,7 @@ func (b *Builder) runUsingRuntimeSubproc(options RunOptions, configureNetwork bo
 		BundlePath:        bundlePath,
 		ConfigureNetwork:  configureNetwork,
 		ConfigureNetworks: configureNetworks,
+		MoreCreateArgs:    moreCreateArgs,
 		ContainerName:     containerName,
 	})
 	if conferr != nil {
@@ -1177,7 +1294,7 @@ func runUsingRuntimeMain() {
 		os.Exit(1)
 	}
 	// Run the container, start to finish.
-	status, err := runUsingRuntime(options.Options, options.ConfigureNetwork, options.ConfigureNetworks, options.Spec, options.RootPath, options.BundlePath, options.ContainerName)
+	status, err := runUsingRuntime(options.Options, options.ConfigureNetwork, options.ConfigureNetworks, options.MoreCreateArgs, options.Spec, options.RootPath, options.BundlePath, options.ContainerName)
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "error running container: %v\n", err)
 		os.Exit(1)
@@ -1192,7 +1309,7 @@ func runUsingRuntimeMain() {
 	os.Exit(1)
 }
 
-func runUsingRuntime(options RunOptions, configureNetwork bool, configureNetworks []string, spec *specs.Spec, rootPath, bundlePath, containerName string) (wstatus unix.WaitStatus, err error) {
+func runUsingRuntime(options RunOptions, configureNetwork bool, configureNetworks, moreCreateArgs []string, spec *specs.Spec, rootPath, bundlePath, containerName string) (wstatus unix.WaitStatus, err error) {
 	// Lock the caller to a single OS-level thread.
 	runtime.LockOSThread()
 
@@ -1226,8 +1343,6 @@ func runUsingRuntime(options RunOptions, configureNetwork bool, configureNetwork
 		runtime = util.Runtime()
 	}
 
-	// Default to not specifying a console socket location.
-	var moreCreateArgs []string
 	// Default to just passing down our stdio.
 	getCreateStdio := func() (io.ReadCloser, io.WriteCloser, io.WriteCloser) {
 		return os.Stdin, os.Stdout, os.Stderr
@@ -1313,6 +1428,7 @@ func runUsingRuntime(options RunOptions, configureNetwork bool, configureNetwork
 	del.Stderr = os.Stderr
 
 	// Actually create the container.
+	logrus.Debugf("Running %q", create.Args)
 	err = create.Run()
 	if err != nil {
 		return 1, errors.Wrapf(err, "error creating container for %v: %s", spec.Process.Args, runCollectOutput(errorFds, closeBeforeReadingErrorFds))
@@ -1373,6 +1489,7 @@ func runUsingRuntime(options RunOptions, configureNetwork bool, configureNetwork
 	go runCopyStdio(&stdio, copyPipes, stdioPipe, copyConsole, consoleListener, finishCopy, finishedCopy, spec)
 
 	// Start the container.
+	logrus.Debugf("Running %q", start.Args)
 	err = start.Run()
 	if err != nil {
 		return 1, errors.Wrapf(err, "error starting container")

vendor/github.com/projectatomic/buildah/unshare/unshare.go

@@ -33,7 +33,7 @@ type Cmd struct {
 	Setsid                     bool
 	Setpgrp                    bool
 	Ctty                       *os.File
-	OOMScoreAdj                int
+	OOMScoreAdj                *int
 	Hook                       func(pid int) error
 }
 
@@ -234,18 +234,18 @@ func (c *Cmd) Start() error {
 		}
 	}
 
-	// Adjust the process's OOM score.
+	if c.OOMScoreAdj != nil {
-	oomScoreAdj, err := os.OpenFile(fmt.Sprintf("/proc/%s/oom_score_adj", pidString), os.O_TRUNC|os.O_WRONLY, 0)
+		oomScoreAdj, err := os.OpenFile(fmt.Sprintf("/proc/%s/oom_score_adj", pidString), os.O_TRUNC|os.O_WRONLY, 0)
-	if err != nil {
+		if err != nil {
-		fmt.Fprintf(continueWrite, "error opening oom_score_adj: %v", err)
+			fmt.Fprintf(continueWrite, "error opening oom_score_adj: %v", err)
-		return errors.Wrapf(err, "error opening /proc/%s/oom_score_adj", pidString)
+			return errors.Wrapf(err, "error opening /proc/%s/oom_score_adj", pidString)
+		}
+		defer oomScoreAdj.Close()
+		if _, err := fmt.Fprintf(oomScoreAdj, "%d\n", *c.OOMScoreAdj); err != nil {
+			fmt.Fprintf(continueWrite, "error writing \"%d\" to oom_score_adj: %v", c.OOMScoreAdj, err)
+			return errors.Wrapf(err, "error writing \"%d\" to /proc/%s/oom_score_adj", c.OOMScoreAdj, pidString)
+		}
 	}
-	if _, err := fmt.Fprintf(oomScoreAdj, "%d\n", c.OOMScoreAdj); err != nil {
-		fmt.Fprintf(continueWrite, "error writing \"%d\" to oom_score_adj: %v", c.OOMScoreAdj, err)
-		return errors.Wrapf(err, "error writing \"%d\" to /proc/%s/oom_score_adj", c.OOMScoreAdj, pidString)
-	}
-	defer oomScoreAdj.Close()
-
 	// Run any additional setup that we want to do before the child starts running proper.
 	if c.Hook != nil {
 		if err = c.Hook(pid); err != nil {

vendor/github.com/projectatomic/buildah/util.go

@@ -7,7 +7,7 @@ import (
 	"sync"
 
 	"github.com/containers/image/docker/reference"
-	"github.com/containers/image/pkg/sysregistries"
+	"github.com/containers/image/pkg/sysregistriesv2"
 	"github.com/containers/image/types"
 	"github.com/containers/storage/pkg/archive"
 	"github.com/containers/storage/pkg/chrootarchive"
@@ -166,12 +166,18 @@ func (b *Builder) tarPath() func(path string) (io.ReadCloser, error) {
 	}
 }
 
-// getRegistries obtains the list of registries defined in the global registries file.
+// getRegistries obtains the list of search registries defined in the global registries file.
 func getRegistries(sc *types.SystemContext) ([]string, error) {
-	searchRegistries, err := sysregistries.GetRegistries(sc)
+	var searchRegistries []string
+	registries, err := sysregistriesv2.GetRegistries(sc)
 	if err != nil {
 		return nil, errors.Wrapf(err, "unable to parse the registries.conf file")
 	}
+	for _, registry := range sysregistriesv2.FindUnqualifiedSearchRegistries(registries) {
+		if !registry.Blocked {
+			searchRegistries = append(searchRegistries, registry.URL)
+		}
+	}
 	return searchRegistries, nil
 }
 

vendor/github.com/projectatomic/buildah/util/util.go

@@ -15,7 +15,7 @@ import (
 	dockerarchive "github.com/containers/image/docker/archive"
 	"github.com/containers/image/docker/reference"
 	ociarchive "github.com/containers/image/oci/archive"
-	"github.com/containers/image/pkg/sysregistries"
+	"github.com/containers/image/pkg/sysregistriesv2"
 	"github.com/containers/image/signature"
 	is "github.com/containers/image/storage"
 	"github.com/containers/image/tarball"
@@ -114,11 +114,17 @@ func ResolveName(name string, firstRegistry string, sc *types.SystemContext, sto
 	}
 
 	// Figure out the list of registries.
-	registries, err := sysregistries.GetRegistries(sc)
+	var registries []string
+	allRegistries, err := sysregistriesv2.GetRegistries(sc)
 	if err != nil {
 		logrus.Debugf("unable to read configured registries to complete %q: %v", name, err)
 		registries = []string{}
 	}
+	for _, registry := range sysregistriesv2.FindUnqualifiedSearchRegistries(allRegistries) {
+		if !registry.Blocked {
+			registries = append(registries, registry.URL)
+		}
+	}
 
 	// Create all of the combinations.  Some registries need an additional component added, so
 	// use our lookaside map to keep track of them.  If there are no configured registries, we'll

vendor/github.com/projectatomic/buildah/vendor.conf

@@ -4,7 +4,7 @@ github.com/BurntSushi/toml master
 github.com/containerd/continuity master
 github.com/containernetworking/cni v0.6.0
 github.com/seccomp/containers-golang master
-github.com/containers/image 134f99bed228d6297dc01d152804f6f09f185418
+github.com/containers/image 216acb1bcd2c1abef736ee322e17147ee2b7d76c
 github.com/containers/storage 17c7d1fee5603ccf6dd97edc14162fc1510e7e23
 github.com/docker/distribution 5f6282db7d65e6d72ad7c2cc66310724a57be716
 github.com/docker/docker b8571fd81c7d2223c9ecbf799c693e3ef1daaea9