diff --git a/vendor/github.com/projectatomic/buildah/buildah.go b/vendor/github.com/projectatomic/buildah/buildah.go
index 9b55dc320c..da07e37ebb 100644
--- a/vendor/github.com/projectatomic/buildah/buildah.go
+++ b/vendor/github.com/projectatomic/buildah/buildah.go
@@ -89,6 +89,8 @@ type Builder struct {
 	ImageAnnotations map[string]string `json:"annotations,omitempty"`
 	// ImageCreatedBy is a description of how this container was built.
 	ImageCreatedBy string `json:"created-by,omitempty"`
+	// ImageHistoryComment is a description of how our added layers were built.
+	ImageHistoryComment string `json:"history-comment,omitempty"`
 
 	// Image metadata and runtime settings, in multiple formats.
 	OCIv1  v1.Image       `json:"ociv1,omitempty"`
diff --git a/vendor/github.com/projectatomic/buildah/commit.go b/vendor/github.com/projectatomic/buildah/commit.go
index a5b8aaf406..d752473fa5 100644
--- a/vendor/github.com/projectatomic/buildah/commit.go
+++ b/vendor/github.com/projectatomic/buildah/commit.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"time"
 
 	cp "github.com/containers/image/copy"
@@ -46,6 +47,8 @@ type CommitOptions struct {
 	// github.com/containers/image/types SystemContext to hold credentials
 	// and other authentication/authorization information.
 	SystemContext *types.SystemContext
+	// IIDFile tells the builder to write the image ID to the specified file
+	IIDFile string
 }
 
 // PushOptions can be used to alter how an image is copied somewhere.
@@ -121,7 +124,13 @@ func (b *Builder) Commit(ctx context.Context, dest types.ImageReference, options
 
 	img, err := is.Transport.GetStoreImage(b.store, dest)
 	if err == nil {
-		fmt.Printf("%s\n", img.ID)
+		if options.IIDFile != "" {
+			if err := ioutil.WriteFile(options.IIDFile, []byte(img.ID), 0644); err != nil {
+				return errors.Wrapf(err, "failed to write Image ID File %q", options.IIDFile)
+			}
+		} else {
+			fmt.Printf("%s\n", img.ID)
+		}
 	}
 	return nil
 }
diff --git a/vendor/github.com/projectatomic/buildah/config.go b/vendor/github.com/projectatomic/buildah/config.go
index efbb133def..c5fabdec60 100644
--- a/vendor/github.com/projectatomic/buildah/config.go
+++ b/vendor/github.com/projectatomic/buildah/config.go
@@ -588,7 +588,7 @@ func (b *Builder) Comment() string {
 	return b.Docker.Comment
 }
 
-// SetComment sets the Comment which will be set in the container and in
+// SetComment sets the comment which will be set in the container and in
 // containers built using images built from the container.
 // Note: this setting is not present in the OCIv1 image format, so it is
 // discarded when writing images using OCIv1 formats.
@@ -596,6 +596,18 @@ func (b *Builder) SetComment(comment string) {
 	b.Docker.Comment = comment
 }
 
+// HistoryComment returns the comment which will be used in the history item
+// which will describe the latest layer when we commit an image.
+func (b *Builder) HistoryComment() string {
+	return b.ImageHistoryComment
+}
+
+// SetHistoryComment sets the comment which will be used in the history item
+// which will describe the latest layer when we commit an image.
+func (b *Builder) SetHistoryComment(comment string) {
+	b.ImageHistoryComment = comment
+}
+
 // StopSignal returns the signal which will be set in the container and in
 // containers built using images buiilt from the container
 func (b *Builder) StopSignal() string {
diff --git a/vendor/github.com/projectatomic/buildah/image.go b/vendor/github.com/projectatomic/buildah/image.go
index e5a49f1f95..a54643806d 100644
--- a/vendor/github.com/projectatomic/buildah/image.go
+++ b/vendor/github.com/projectatomic/buildah/image.go
@@ -46,6 +46,7 @@ type containerImageRef struct {
 	dconfig               []byte
 	created               time.Time
 	createdBy             string
+	historyComment        string
 	annotations           map[string]string
 	preferredManifestType string
 	exporting             bool
@@ -303,6 +304,7 @@ func (i *containerImageRef) NewImageSource(ctx context.Context, sc *types.System
 		Created:    &i.created,
 		CreatedBy:  i.createdBy,
 		Author:     oimage.Author,
+		Comment:    i.historyComment,
 		EmptyLayer: false,
 	}
 	oimage.History = append(oimage.History, onews)
@@ -310,6 +312,7 @@ func (i *containerImageRef) NewImageSource(ctx context.Context, sc *types.System
 		Created:    i.created,
 		CreatedBy:  i.createdBy,
 		Author:     dimage.Author,
+		Comment:    i.historyComment,
 		EmptyLayer: false,
 	}
 	dimage.History = append(dimage.History, dnews)
@@ -521,6 +524,7 @@ func (b *Builder) makeImageRef(manifestType string, exporting bool, compress arc
 		dconfig:               dconfig,
 		created:               created,
 		createdBy:             b.CreatedBy(),
+		historyComment:        b.HistoryComment(),
 		annotations:           b.Annotations(),
 		preferredManifestType: manifestType,
 		exporting:             exporting,
diff --git a/vendor/github.com/projectatomic/buildah/imagebuildah/build.go b/vendor/github.com/projectatomic/buildah/imagebuildah/build.go
index c477e09965..81e8108a01 100644
--- a/vendor/github.com/projectatomic/buildah/imagebuildah/build.go
+++ b/vendor/github.com/projectatomic/buildah/imagebuildah/build.go
@@ -110,6 +110,8 @@ type BuildOptions struct {
 	CommonBuildOpts *buildah.CommonBuildOptions
 	// DefaultMountsFilePath is the file path holding the mounts to be mounted in "host-path:container-path" format
 	DefaultMountsFilePath string
+	// IIDFile tells the builder to write the image ID to the specified file
+	IIDFile string
 }
 
 // Executor is a buildah-based implementation of the imagebuilder.Executor
@@ -146,6 +148,7 @@ type Executor struct {
 	reportWriter                   io.Writer
 	commonBuildOptions             *buildah.CommonBuildOptions
 	defaultMountsFilePath          string
+	iidfile                        string
 }
 
 // withName creates a new child executor that will be used whenever a COPY statement uses --from=NAME.
@@ -477,6 +480,7 @@ func NewExecutor(store storage.Store, options BuildOptions) (*Executor, error) {
 		reportWriter:          options.ReportWriter,
 		commonBuildOptions:    options.CommonBuildOpts,
 		defaultMountsFilePath: options.DefaultMountsFilePath,
+		iidfile:               options.IIDFile,
 	}
 	if exec.err == nil {
 		exec.err = os.Stderr
@@ -683,6 +687,7 @@ func (b *Executor) Commit(ctx context.Context, ib *imagebuilder.Builder) (err er
 		AdditionalTags:        b.additionalTags,
 		ReportWriter:          b.reportWriter,
 		PreferredManifestType: b.outputFormat,
+		IIDFile:               b.iidfile,
 	}
 	return b.builder.Commit(ctx, imageRef, options)
 }
diff --git a/vendor/github.com/projectatomic/buildah/pkg/cli/common.go b/vendor/github.com/projectatomic/buildah/pkg/cli/common.go
index bead9e6be9..ea91146882 100644
--- a/vendor/github.com/projectatomic/buildah/pkg/cli/common.go
+++ b/vendor/github.com/projectatomic/buildah/pkg/cli/common.go
@@ -24,6 +24,10 @@ var (
 			Value: "",
 			Usage: "use certificates at the specified path to access the registry",
 		},
+		cli.BoolFlag{
+			Name:  "compress",
+			Usage: "This is legacy option, which has no effect on the image",
+		},
 		cli.StringFlag{
 			Name:  "creds",
 			Value: "",
@@ -37,6 +41,10 @@ var (
 			Name:  "format",
 			Usage: "`format` of the built image's manifest and metadata",
 		},
+		cli.StringFlag{
+			Name:  "iidfile",
+			Usage: "Write the image ID to the file",
+		},
 		cli.BoolTFlag{
 			Name:  "pull",
 			Usage: "pull the image if not present",
@@ -49,6 +57,10 @@ var (
 			Name:  "quiet, q",
 			Usage: "refrain from announcing build instructions and image read/write progress",
 		},
+		cli.BoolFlag{
+			Name:  "rm",
+			Usage: "Remove intermediate containers after a successful build.  Buildah does not currently support cacheing so this is a NOOP.",
+		},
 		cli.StringFlag{
 			Name:  "runtime",
 			Usage: "`path` to an alternate runtime",
@@ -62,6 +74,10 @@ var (
 			Name:  "signature-policy",
 			Usage: "`pathname` of signature policy file (not usually used)",
 		},
+		cli.BoolFlag{
+			Name:  "squash",
+			Usage: "Squash newly built layers into a single new layer. Buildah does not currently support cacheing so this is a NOOP.",
+		},
 		cli.StringSliceFlag{
 			Name:  "tag, t",
 			Usage: "`tag` to apply to the built image",
diff --git a/vendor/github.com/projectatomic/buildah/pkg/parse/parse.go b/vendor/github.com/projectatomic/buildah/pkg/parse/parse.go
index f2159d930e..505601f25f 100644
--- a/vendor/github.com/projectatomic/buildah/pkg/parse/parse.go
+++ b/vendor/github.com/projectatomic/buildah/pkg/parse/parse.go
@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"net"
 	"os"
+	"path/filepath"
 	"reflect"
 	"regexp"
 	"strings"
@@ -56,7 +57,7 @@ func ParseCommonBuildOptions(c *cli.Context) (*buildah.CommonBuildOptions, error
 	if _, err := units.FromHumanSize(c.String("shm-size")); err != nil {
 		return nil, errors.Wrapf(err, "invalid --shm-size")
 	}
-	if err := parseVolumes(c.StringSlice("volume")); err != nil {
+	if err := ParseVolumes(c.StringSlice("volume")); err != nil {
 		return nil, err
 	}
 
@@ -122,7 +123,8 @@ func parseSecurityOpts(securityOpts []string, commonOpts *buildah.CommonBuildOpt
 	return nil
 }
 
-func parseVolumes(volumes []string) error {
+// ParseVolumes validates the host and container paths passed in to the --volume flag
+func ParseVolumes(volumes []string) error {
 	if len(volumes) == 0 {
 		return nil
 	}
@@ -147,6 +149,9 @@ func parseVolumes(volumes []string) error {
 }
 
 func validateVolumeHostDir(hostDir string) error {
+	if !filepath.IsAbs(hostDir) {
+		return errors.Errorf("invalid host path, must be an absolute path %q", hostDir)
+	}
 	if _, err := os.Stat(hostDir); err != nil {
 		return errors.Wrapf(err, "error checking path %q", hostDir)
 	}
@@ -154,8 +159,8 @@ func validateVolumeHostDir(hostDir string) error {
 }
 
 func validateVolumeCtrDir(ctrDir string) error {
-	if ctrDir[0] != '/' {
-		return errors.Errorf("invalid container directory path %q", ctrDir)
+	if !filepath.IsAbs(ctrDir) {
+		return errors.Errorf("invalid container path, must be an absolute path %q", ctrDir)
 	}
 	return nil
 }
diff --git a/vendor/github.com/projectatomic/buildah/run.go b/vendor/github.com/projectatomic/buildah/run.go
index 12312f6a49..b45a0e3a6f 100644
--- a/vendor/github.com/projectatomic/buildah/run.go
+++ b/vendor/github.com/projectatomic/buildah/run.go
@@ -19,6 +19,7 @@ import (
 	"github.com/opencontainers/runtime-tools/generate"
 	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/pkg/errors"
+	"github.com/projectatomic/libpod/pkg/secrets"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/crypto/ssh/terminal"
 )
@@ -197,20 +198,14 @@ func (b *Builder) setupMounts(mountPoint string, spec *specs.Spec, optionMounts
 	}
 
 	// Add secrets mounts
-	mountsFiles := []string{OverrideMountsFile, b.DefaultMountsFilePath}
-	for _, file := range mountsFiles {
-		secretMounts, err := secretMounts(file, b.MountLabel, cdir)
-		if err != nil {
-			logrus.Warn("error mounting secrets, skipping...")
+	secretMounts := secrets.SecretMounts(b.MountLabel, cdir, b.DefaultMountsFilePath)
+	for _, mount := range secretMounts {
+		if haveMount(mount.Destination) {
 			continue
 		}
-		for _, mount := range secretMounts {
-			if haveMount(mount.Destination) {
-				continue
-			}
-			mounts = append(mounts, mount)
-		}
+		mounts = append(mounts, mount)
 	}
+
 	// Add temporary copies of the contents of volume locations at the
 	// volume locations, unless we already have something there.
 	for _, volume := range builtinVolumes {
diff --git a/vendor/github.com/projectatomic/buildah/secrets.go b/vendor/github.com/projectatomic/buildah/secrets.go
deleted file mode 100644
index 087bf6ba57..0000000000
--- a/vendor/github.com/projectatomic/buildah/secrets.go
+++ /dev/null
@@ -1,198 +0,0 @@
-package buildah
-
-import (
-	"bufio"
-	"fmt"
-	"io/ioutil"
-	"os"
-	"path/filepath"
-	"strings"
-
-	rspec "github.com/opencontainers/runtime-spec/specs-go"
-	"github.com/opencontainers/selinux/go-selinux/label"
-	"github.com/pkg/errors"
-	"github.com/sirupsen/logrus"
-)
-
-var (
-	// DefaultMountsFile holds the default mount paths in the form
-	// "host_path:container_path"
-	DefaultMountsFile = "/usr/share/containers/mounts.conf"
-	// OverrideMountsFile holds the default mount paths in the form
-	// "host_path:container_path" overriden by the user
-	OverrideMountsFile = "/etc/containers/mounts.conf"
-)
-
-// secretData stores the name of the file and the content read from it
-type secretData struct {
-	name string
-	data []byte
-}
-
-// saveTo saves secret data to given directory
-func (s secretData) saveTo(dir string) error {
-	path := filepath.Join(dir, s.name)
-	if err := os.MkdirAll(filepath.Dir(path), 0700); err != nil && !os.IsExist(err) {
-		return err
-	}
-	return ioutil.WriteFile(path, s.data, 0700)
-}
-
-func readAll(root, prefix string) ([]secretData, error) {
-	path := filepath.Join(root, prefix)
-
-	data := []secretData{}
-
-	files, err := ioutil.ReadDir(path)
-	if err != nil {
-		if os.IsNotExist(err) {
-			return data, nil
-		}
-
-		return nil, err
-	}
-
-	for _, f := range files {
-		fileData, err := readFile(root, filepath.Join(prefix, f.Name()))
-		if err != nil {
-			// If the file did not exist, might be a dangling symlink
-			// Ignore the error
-			if os.IsNotExist(err) {
-				continue
-			}
-			return nil, err
-		}
-		data = append(data, fileData...)
-	}
-
-	return data, nil
-}
-
-func readFile(root, name string) ([]secretData, error) {
-	path := filepath.Join(root, name)
-
-	s, err := os.Stat(path)
-	if err != nil {
-		return nil, err
-	}
-
-	if s.IsDir() {
-		dirData, err := readAll(root, name)
-		if err != nil {
-			return nil, err
-		}
-		return dirData, nil
-	}
-	bytes, err := ioutil.ReadFile(path)
-	if err != nil {
-		return nil, err
-	}
-	return []secretData{{name: name, data: bytes}}, nil
-}
-
-func getHostSecretData(hostDir string) ([]secretData, error) {
-	var allSecrets []secretData
-	hostSecrets, err := readAll(hostDir, "")
-	if err != nil {
-		return nil, errors.Wrapf(err, "failed to read secrets from %q", hostDir)
-	}
-	return append(allSecrets, hostSecrets...), nil
-}
-
-func getMounts(filePath string) []string {
-	file, err := os.Open(filePath)
-	if err != nil {
-		logrus.Warnf("file %q not found, skipping...", filePath)
-		return nil
-	}
-	defer file.Close()
-	scanner := bufio.NewScanner(file)
-	if err = scanner.Err(); err != nil {
-		logrus.Warnf("error reading file %q, skipping...", filePath)
-		return nil
-	}
-	var mounts []string
-	for scanner.Scan() {
-		mounts = append(mounts, scanner.Text())
-	}
-	return mounts
-}
-
-// getHostAndCtrDir separates the host:container paths
-func getMountsMap(path string) (string, string, error) {
-	arr := strings.SplitN(path, ":", 2)
-	if len(arr) == 2 {
-		return arr[0], arr[1], nil
-	}
-	return "", "", errors.Errorf("unable to get host and container dir")
-}
-
-// secretMount copies the contents of host directory to container directory
-// and returns a list of mounts
-func secretMounts(filePath, mountLabel, containerWorkingDir string) ([]rspec.Mount, error) {
-	var mounts []rspec.Mount
-	defaultMountsPaths := getMounts(filePath)
-	for _, path := range defaultMountsPaths {
-		hostDir, ctrDir, err := getMountsMap(path)
-		if err != nil {
-			return nil, err
-		}
-		// skip if the hostDir path doesn't exist
-		if _, err = os.Stat(hostDir); os.IsNotExist(err) {
-			logrus.Warnf("%q doesn't exist, skipping", hostDir)
-			continue
-		}
-
-		ctrDirOnHost := filepath.Join(containerWorkingDir, ctrDir)
-		if err = os.RemoveAll(ctrDirOnHost); err != nil {
-			return nil, fmt.Errorf("remove container directory failed: %v", err)
-		}
-
-		if err = os.MkdirAll(ctrDirOnHost, 0755); err != nil {
-			return nil, fmt.Errorf("making container directory failed: %v", err)
-		}
-
-		hostDir, err = resolveSymbolicLink(hostDir)
-		if err != nil {
-			return nil, err
-		}
-
-		data, err := getHostSecretData(hostDir)
-		if err != nil {
-			return nil, errors.Wrapf(err, "getting host secret data failed")
-		}
-		for _, s := range data {
-			if err := s.saveTo(ctrDirOnHost); err != nil {
-				return nil, errors.Wrapf(err, "error saving data to container filesystem on host %q", ctrDirOnHost)
-			}
-		}
-
-		err = label.Relabel(ctrDirOnHost, mountLabel, false)
-		if err != nil {
-			return nil, errors.Wrap(err, "error applying correct labels")
-		}
-
-		m := rspec.Mount{
-			Source:      ctrDirOnHost,
-			Destination: ctrDir,
-			Type:        "bind",
-			Options:     []string{"bind"},
-		}
-
-		mounts = append(mounts, m)
-	}
-	return mounts, nil
-}
-
-// resolveSymbolicLink resolves a possbile symlink path. If the path is a symlink, returns resolved
-// path; if not, returns the original path.
-func resolveSymbolicLink(path string) (string, error) {
-	info, err := os.Lstat(path)
-	if err != nil {
-		return "", err
-	}
-	if info.Mode()&os.ModeSymlink != os.ModeSymlink {
-		return path, nil
-	}
-	return filepath.EvalSymlinks(path)
-}