update buildah and c/common to latest

also includes bumps for c/storage and c/image

Signed-off-by: Paul Holzinger <pholzing@redhat.com>

go.mod

@@ -11,13 +11,13 @@ require (
 	github.com/container-orchestrated-devices/container-device-interface v0.5.1
 	github.com/containernetworking/cni v1.1.2
 	github.com/containernetworking/plugins v1.1.1
-	github.com/containers/buildah v1.27.0
-	github.com/containers/common v0.49.2-0.20220826180622-c2dcb4e70340
+	github.com/containers/buildah v1.27.1-0.20220907121344-97a52b13bb27
+	github.com/containers/common v0.49.2-0.20220908074553-1a09baf471c4
 	github.com/containers/conmon v2.0.20+incompatible
-	github.com/containers/image/v5 v5.22.0
+	github.com/containers/image/v5 v5.22.1-0.20220907162003-651744379993
 	github.com/containers/ocicrypt v1.1.5
 	github.com/containers/psgo v1.7.3
-	github.com/containers/storage v1.42.0
+	github.com/containers/storage v1.42.1-0.20220909095216-b32188140319
 	github.com/coreos/go-systemd/v22 v22.3.2
 	github.com/coreos/stream-metadata-go v0.0.0-20210225230131-70edb9eb47b3
 	github.com/cyphar/filepath-securejoin v0.2.3
@@ -42,10 +42,10 @@ require (
 	github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6
 	github.com/nxadm/tail v1.4.8
 	github.com/onsi/ginkgo v1.16.5
-	github.com/onsi/gomega v1.20.0
+	github.com/onsi/gomega v1.20.2
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.0.3-0.20220114050600-8b9d41f48198
-	github.com/opencontainers/runc v1.1.3
+	github.com/opencontainers/runc v1.1.4
 	github.com/opencontainers/runtime-spec v1.0.3-0.20211214071223-8958f93039ab
 	github.com/opencontainers/runtime-tools v0.9.1-0.20220714195903-17b3287fafb7
 	github.com/opencontainers/selinux v1.10.1
@@ -61,7 +61,7 @@ require (
 	github.com/vbauerster/mpb/v7 v7.5.2
 	github.com/vishvananda/netlink v1.1.1-0.20220115184804-dd687eb2f2d4
 	go.etcd.io/bbolt v1.3.6
-	golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f
+	golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4
 	golang.org/x/sys v0.0.0-20220823224334-20c2bfdbfe24
 	golang.org/x/term v0.0.0-20220526004731-065cf7ba2467
 	golang.org/x/text v0.3.7

go.sum

@@ -34,6 +34,8 @@ cloud.google.com/go v0.99.0/go.mod h1:w0Xx2nLzqWJPuozYQX+hFfCSI8WioryfRDzkoI/Y2Z
 cloud.google.com/go v0.100.1/go.mod h1:fs4QogzfH5n2pBXBP9vRiU+eCny7lD2vmFZy79Iuw1U=
 cloud.google.com/go v0.100.2/go.mod h1:4Xra9TjzAeYHrl5+oeLlzbM2k3mjVhZh4UqTZ//w99A=
 cloud.google.com/go v0.102.0/go.mod h1:oWcCzKlqJ5zgHQt9YsaeTY9KzIvjyy0ArmiBUgpQ+nc=
+cloud.google.com/go v0.102.1/go.mod h1:XZ77E9qnTEnrgEOvr4xzfdX5TRo7fB4T2F4O6+34hIU=
+cloud.google.com/go v0.103.0/go.mod h1:vwLx1nqLrzLX/fpwSMOXmFIqBOyHsvHbnAdbGSJ+mKk=
 cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
 cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
 cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc=
@@ -65,6 +67,7 @@ cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohl
 cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs=
 cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
 cloud.google.com/go/storage v1.22.1/go.mod h1:S8N1cAStu7BOeFfE8KAQzmyyLkK8p/vmRq6kuBTW58Y=
+cloud.google.com/go/storage v1.23.0/go.mod h1:vOEEDNFnciUMhBeT6hsJIn3ieU5cFRmzeLgDvXzfIXc=
 contrib.go.opencensus.io/exporter/stackdriver v0.13.4/go.mod h1:aXENhDJ1Y4lIg4EUaVTwzvYETVNZk10Pu26tevFKLUc=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 github.com/14rcole/gopopulate v0.0.0-20180821133914-b175b219e774 h1:SCbEWT58NSt7d2mcFdvxC9uyrdcTfvBbPLThhkDmXzg=
@@ -84,10 +87,12 @@ github.com/Azure/go-autorest/autorest v0.11.1/go.mod h1:JFgpikqFJ/MleTTxwepExTKn
 github.com/Azure/go-autorest/autorest v0.11.18/go.mod h1:dSiJPy22c3u0OtOKDNttNgqpNFY/GeWa7GH/Pz56QRA=
 github.com/Azure/go-autorest/autorest v0.11.24/go.mod h1:G6kyRlFnTuSbEYkQGawPfsCswgme4iYf6rfSKUDzbCc=
 github.com/Azure/go-autorest/autorest v0.11.27/go.mod h1:7l8ybrIdUmGqZMTD0sRtAr8NvbHjfofbf8RSP2q7w7U=
+github.com/Azure/go-autorest/autorest v0.11.28/go.mod h1:MrkzG3Y3AH668QyF9KRk5neJnGgmhQ6krbhR8Q5eMvA=
 github.com/Azure/go-autorest/autorest/adal v0.9.0/go.mod h1:/c022QCutn2P7uY+/oQWWNcK9YU+MH96NgK+jErpbcg=
 github.com/Azure/go-autorest/autorest/adal v0.9.5/go.mod h1:B7KF7jKIeC9Mct5spmyCB/A8CG/sEz1vwIRGv/bbw7A=
 github.com/Azure/go-autorest/autorest/adal v0.9.13/go.mod h1:W/MM4U6nLxnIskrw4UwWzlHfGjwUS50aOsc/I3yuU8M=
 github.com/Azure/go-autorest/autorest/adal v0.9.18/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ=
+github.com/Azure/go-autorest/autorest/adal v0.9.20/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ=
 github.com/Azure/go-autorest/autorest/azure/auth v0.5.11/go.mod h1:84w/uV8E37feW2NCJ08uT9VBfjfUHpgLVnG2InYD6cg=
 github.com/Azure/go-autorest/autorest/azure/cli v0.4.5/go.mod h1:ADQAXrkgm7acgWVUNamOgh8YNrv4p27l3Wc55oVfpzg=
 github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74=
@@ -108,11 +113,13 @@ github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym
 github.com/DATA-DOG/go-sqlmock v1.5.0/go.mod h1:f/Ixk793poVmq4qj/V1dPUg2JEAKC73Q5eFN3EC/SaM=
 github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
 github.com/DataDog/zstd v1.4.5/go.mod h1:1jcaCB/ufaK+sKp1NBhlGmpz41jOoPQ35bpF36t7BBo=
+github.com/DataDog/zstd v1.5.0/go.mod h1:g4AWEaM3yOg3HYfnJ3YIawPnVdXJh9QME85blwSAmyw=
 github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24/go.mod h1:4UJr5HIiMZrwgkSPdsjy2uOQExX/WEILpIrO9UPGuXs=
 github.com/Masterminds/goutils v1.1.0/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
 github.com/Masterminds/semver v1.4.2/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
 github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
 github.com/Masterminds/semver/v3 v3.0.3/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs=
+github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs=
 github.com/Masterminds/sprig v2.15.0+incompatible/go.mod h1:y6hNFY5UBTIWBxnzTeuNhlNS5hqE0NB0E6fgfo2Br3o=
 github.com/Masterminds/sprig v2.22.0+incompatible/go.mod h1:y6hNFY5UBTIWBxnzTeuNhlNS5hqE0NB0E6fgfo2Br3o=
 github.com/Microsoft/go-winio v0.4.11/go.mod h1:VhR8bwka0BXejwEJY73c50VrPtXAaKcyvVC4A4RozmA=
@@ -149,6 +156,7 @@ github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMo
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/OpenPeeDeeP/depguard v1.0.1/go.mod h1:xsIw86fROiiwelg+jB2uM9PiKihMMmUx/1V+TNhjQvM=
 github.com/ProtonMail/go-crypto v0.0.0-20220517143526-88bb52951d5b/go.mod h1:z4/9nQmJSSwwds7ejkxaJwO37dru3geImFUdJlaLzQo=
+github.com/ProtonMail/go-crypto v0.0.0-20220824120805-4b6e5c587895/go.mod h1:UBYPn8k0D56RtnR8RFQMjmh4KrZzWJ5o7Z9SYjossQ8=
 github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
 github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
 github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
@@ -178,6 +186,7 @@ github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5
 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
 github.com/armon/go-metrics v0.3.9/go.mod h1:4O98XIr/9W0sxpJ8UaYkvjk10Iff7SnFrb4QAOwNTFc=
 github.com/armon/go-metrics v0.3.10/go.mod h1:4O98XIr/9W0sxpJ8UaYkvjk10Iff7SnFrb4QAOwNTFc=
+github.com/armon/go-metrics v0.4.0/go.mod h1:E6amYzXo6aW1tqzoZGT755KkbgrJsSdpwZ+3JqfkOG4=
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
@@ -188,18 +197,32 @@ github.com/aws/aws-sdk-go v1.23.20/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpi
 github.com/aws/aws-sdk-go v1.25.37/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/aws/aws-sdk-go v1.36.30/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro=
 github.com/aws/aws-sdk-go v1.44.44/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
+github.com/aws/aws-sdk-go v1.44.76/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
 github.com/aws/aws-sdk-go-v2 v1.16.5/go.mod h1:Wh7MEsmEApyL5hrWzpDkba4gwAPc5/piwLVLFnCxp48=
+github.com/aws/aws-sdk-go-v2 v1.16.11/go.mod h1:WTACcleLz6VZTp7fak4EO5b9Q4foxbn+8PIz3PmyKlo=
 github.com/aws/aws-sdk-go-v2/config v1.15.11/go.mod h1:mD5tNFciV7YHNjPpFYqJ6KGpoSfY107oZULvTHIxtbI=
+github.com/aws/aws-sdk-go-v2/config v1.17.0/go.mod h1:4SKzBMiB8lV0fw2w7eDBo/LjQyHFITN4vUUuqpurFmI=
 github.com/aws/aws-sdk-go-v2/credentials v1.12.6/go.mod h1:mQgnRmBPF2S/M01W4T4Obp3ZaZB6o1s/R8cOUda9vtI=
+github.com/aws/aws-sdk-go-v2/credentials v1.12.13/go.mod h1:9fDEemXizwXrxPU1MTzv69LP/9D8HVl5qHAQO9A9ikY=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.6/go.mod h1:ClLMcuQA/wcHPmOIfNzNI4Y1Q0oDbmEkbYhMFOzHDh8=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.12/go.mod h1:aZ4vZnyUuxedC7eD4JyEHpGnCz+O2sHQEx3VvAwklSE=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.12/go.mod h1:Afj/U8svX6sJ77Q+FPWMzabJ9QjbwP32YlopgKALUpg=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.18/go.mod h1:348MLhzV1GSlZSMusdwQpXKbhD7X2gbI/TxwAPKkYZQ=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.6/go.mod h1:FwpAKI+FBPIELJIdmQzlLtRe8LQSOreMcM2wBsPMvvc=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.12/go.mod h1:ckaCVTEdGAxO6KwTGzgskxR1xM+iJW4lxMyDFVda2Fc=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.3.13/go.mod h1:hiM/y1XPp3DoEPhoVEYc/CZcS58dP6RKJRDFp99wdX0=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.3.19/go.mod h1:cVHo8KTuHjShb9V8/VjH3S/8+xPu16qx8fdGwmotJhE=
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.6/go.mod h1:DxAPjquoEHf3rUHh1b9+47RAaXB8/7cB6jkzCt/GOEI=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.12/go.mod h1:1TODGhheLWjpQWSuhYuAUWYTCKwEjx2iblIFKDHjeTc=
 github.com/aws/aws-sdk-go-v2/service/kms v1.17.3/go.mod h1:EKkrWWXwWYf8x3Nrm6Oix3zZP9NRBHqxw5buFGVBHA0=
+github.com/aws/aws-sdk-go-v2/service/kms v1.18.4/go.mod h1:WG8HUJKtDqXJM3+CNZeN+2wvdcJb5vprKo01fr1KQW4=
 github.com/aws/aws-sdk-go-v2/service/sso v1.11.9/go.mod h1:UqRD9bBt15P0ofRyDZX6CfsIqPpzeHOhZKWzgSuAzpo=
+github.com/aws/aws-sdk-go-v2/service/sso v1.11.16/go.mod h1:mS5xqLZc/6kc06IpXn5vRxdLaED+jEuaSRv5BxtnsiY=
 github.com/aws/aws-sdk-go-v2/service/sts v1.16.7/go.mod h1:lVxTdiiSHY3jb1aeg+BBFtDzZGSUCv6qaNOyEGCJ1AY=
+github.com/aws/aws-sdk-go-v2/service/sts v1.16.13/go.mod h1:Ru3QVMLygVs/07UQ3YDur1AQZZp2tUNje8wfloFttC0=
 github.com/aws/smithy-go v1.11.3/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
+github.com/aws/smithy-go v1.12.1/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
+github.com/aymerick/douceur v0.2.0/go.mod h1:wlT5vV2O3h55X9m7iVYN0TBM0NH/MmbLnd30/FjWUq4=
 github.com/beeker1121/goque v1.0.3-0.20191103205551-d618510128af/go.mod h1:84CWnaDz4g1tEVnFLnuBigmGK15oPohy0RfvSN8d4eg=
 github.com/benbjohnson/clock v1.0.3/go.mod h1:bGMdMPoPVvcYyt1gHDf4J2KE153Yf9BuiUKYMaxlTDM=
 github.com/beorn7/perks v0.0.0-20160804104726-4c0e84591b9a/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
@@ -232,6 +255,7 @@ github.com/bugsnag/bugsnag-go v0.0.0-20141110184014-b1d153021fcd/go.mod h1:2oa8n
 github.com/bugsnag/osext v0.0.0-20130617224835-0dd3f918b21b/go.mod h1:obH5gd0BsqsP2LwDJ9aOkm/6J86V6lyAXCoQWGw3K50=
 github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0/go.mod h1:D/8v3kj0zr8ZAKg1AQ6crr+5VwKN5eIywRkfhyM/+dE=
 github.com/butuzov/ireturn v0.1.1/go.mod h1:Wh6Zl3IMtTpaIKbmwzqi6olnM9ptYQxxVacMsOEFPoc=
+github.com/bwesterb/go-ristretto v1.2.0/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
 github.com/cenkalti/backoff/v3 v3.0.0/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs=
 github.com/cenkalti/backoff/v3 v3.2.2/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs=
 github.com/cenkalti/backoff/v4 v4.1.1/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw=
@@ -251,12 +275,15 @@ github.com/checkpoint-restore/checkpointctl v0.0.0-20220321135231-33f4a66335f0/g
 github.com/checkpoint-restore/go-criu/v5 v5.2.0/go.mod h1:E/eQpaFtUKGOOSEBZgmKAcn+zUUwWxqcaKZlF54wK8E=
 github.com/checkpoint-restore/go-criu/v5 v5.3.0 h1:wpFFOoomK3389ue2lAb0Boag6XPht5QYpipxmSNL4d8=
 github.com/checkpoint-restore/go-criu/v5 v5.3.0/go.mod h1:E/eQpaFtUKGOOSEBZgmKAcn+zUUwWxqcaKZlF54wK8E=
-github.com/chzyer/logex v1.1.10 h1:Swpa1K6QvQznwJRcfTfQJmTE72DqScAa40E+fbHEXEE=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
-github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e h1:fY5BOSpyZCqRo5OhCuC+XN+r/bBCmeuuJtjz+bCNIf8=
+github.com/chzyer/logex v1.2.1 h1:XHDu3E6q+gdHgsdTPH6ImJMIp436vR6MPtH8gP05QzM=
+github.com/chzyer/logex v1.2.1/go.mod h1:JLbx6lG2kDbNRFnfkgvh4eRJRPX1QCoOIWomwysCBrQ=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
-github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1 h1:q763qf9huN11kDQavWsoZXJNW3xEE4JJyHa5Q25/sd8=
+github.com/chzyer/readline v1.5.1 h1:upd/6fQk4src78LMRzh5vItIt361/o4uq553V8B5sGI=
+github.com/chzyer/readline v1.5.1/go.mod h1:Eh+b79XXUwfKfcPLepksvw2tcLE/Ct21YObkaSkeBlk=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
+github.com/chzyer/test v1.0.0 h1:p3BQDXSxOhOG0P9z6/hGnII4LGiEPOYBhs8asl/fC04=
+github.com/chzyer/test v1.0.0/go.mod h1:2JlltgoNkt4TW/z9V/IzDdFaMTM2JPIi26O1pF38GC8=
 github.com/cilium/ebpf v0.0.0-20200110133405-4032b1d8aae3/go.mod h1:MA5e5Lr8slmEg9bt0VpxxWqJlO4iwu3FBdHUzV7wQVg=
 github.com/cilium/ebpf v0.0.0-20200702112145-1c8d4c9ef775/go.mod h1:7cR51M8ViRLIdUjrmSXlK9pkrsDlLHbO8jiB8X8JnOc=
 github.com/cilium/ebpf v0.2.0/go.mod h1:To2CFviqOWL/M0gIMsvSMlqe7em/l1ALkX1PyjrX2Qs=
@@ -266,6 +293,7 @@ github.com/cilium/ebpf v0.9.0/go.mod h1:+OhNOIXx/Fnu1IE8bJz2dzOA+VSfyTfdNUVdlQnx
 github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod h1:nmEj6Dob7S7YxXgwXpfOuvO54S+tGdZdw9fuRZt25Ag=
 github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp5jckzBHf4XRpQvBOLI+I=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
+github.com/cloudflare/circl v1.1.0/go.mod h1:prBCrKB9DV4poKZY1l9zBXg2QJY7mvgRvtMxxK7fi4I=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
@@ -297,8 +325,9 @@ github.com/containerd/cgroups v0.0.0-20200710171044-318312a37340/go.mod h1:s5q4S
 github.com/containerd/cgroups v0.0.0-20200824123100-0b889c03f102/go.mod h1:s5q4SojHctfxANBDvMeIaIovkq29IP48TKAxnhYRxvo=
 github.com/containerd/cgroups v0.0.0-20210114181951-8a68de567b68/go.mod h1:ZJeTFisyysqgcCdecO57Dj79RfL0LNeGiFUqLYQRYLE=
 github.com/containerd/cgroups v1.0.1/go.mod h1:0SJrPIenamHDcZhEcJMNBB85rHcUsw4f25ZfBiPYRkU=
-github.com/containerd/cgroups v1.0.3 h1:ADZftAkglvCiD44c77s5YmMqaP2pzVCFZvBmAlBdAP4=
 github.com/containerd/cgroups v1.0.3/go.mod h1:/ofk34relqNjSGyqPrmEULrO4Sc8LJhvJmWbUCUKqj8=
+github.com/containerd/cgroups v1.0.4 h1:jN/mbWBEaz+T1pi5OFtnkQ+8qnmEbAr1Oo1FRm5B0dA=
+github.com/containerd/cgroups v1.0.4/go.mod h1:nLNQtsF7Sl2HxNebu77i1R0oDlhiTG+kO4JTrUzo6IA=
 github.com/containerd/console v0.0.0-20180822173158-c12b1e7919c1/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw=
 github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw=
 github.com/containerd/console v0.0.0-20191206165004-02ecf6a7291e/go.mod h1:8Pf4gM6VEbTNRIT26AyyU7hxdQU3MvAvxVI0sc00XBE=
@@ -392,15 +421,16 @@ github.com/containernetworking/plugins v0.9.1/go.mod h1:xP/idU2ldlzN6m4p5LmGiwRD
 github.com/containernetworking/plugins v1.0.1/go.mod h1:QHCfGpaTwYTbbH+nZXKVTxNBDZcxSOplJT5ico8/FLE=
 github.com/containernetworking/plugins v1.1.1 h1:+AGfFigZ5TiQH00vhR8qPeSatj53eNGz0C1d3wVYlHE=
 github.com/containernetworking/plugins v1.1.1/go.mod h1:Sr5TH/eBsGLXK/h71HeLfX19sZPp3ry5uHSkI4LPxV8=
-github.com/containers/buildah v1.27.0 h1:LJ1ks7vKxwPzJGr5BWVvigbtVL9w7XeHtNEmiIOPJqI=
-github.com/containers/buildah v1.27.0/go.mod h1:anH3ExvDXRNP9zLQCrOc1vWb5CrhqLF/aYFim4tslvA=
+github.com/containers/buildah v1.27.1-0.20220907121344-97a52b13bb27 h1:LRgKJ/JUd6iTocPg/q7oMZ9ilnbew50JXClXgiEoR9Q=
+github.com/containers/buildah v1.27.1-0.20220907121344-97a52b13bb27/go.mod h1:0iWhIkE70dkoVuwpmZy5/DXpBdI3C23iYmBQccTDWMU=
 github.com/containers/common v0.49.1/go.mod h1:ueM5hT0itKqCQvVJDs+EtjornAQtrHYxQJzP2gxeGIg=
-github.com/containers/common v0.49.2-0.20220826180622-c2dcb4e70340 h1:Qg3LBb6sp5clQBF9OPqumvlCJGsMl6N2b5hEDttRbWA=
-github.com/containers/common v0.49.2-0.20220826180622-c2dcb4e70340/go.mod h1:xC4qkLfW9R+YSDknlT9xU+NDNxIw017U8AyohGtr9Ec=
+github.com/containers/common v0.49.2-0.20220908074553-1a09baf471c4 h1:+Z/KvBR34ihTFkliEGuj+kNX+8G/OEv1n8Nv4OiAXkI=
+github.com/containers/common v0.49.2-0.20220908074553-1a09baf471c4/go.mod h1:HaPvle8BvLTyjtY9B4HJoNCl60DpHwCDLA2FsZTWaak=
 github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
 github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
-github.com/containers/image/v5 v5.22.0 h1:KemxPmD4D2YYOFZN2SgoTk7nBFcnwPiPW0MqjYtknSE=
 github.com/containers/image/v5 v5.22.0/go.mod h1:D8Ksv2RNB8qLJ7xe1P3rgJJOSQpahA6amv2Ax++/YO4=
+github.com/containers/image/v5 v5.22.1-0.20220907162003-651744379993 h1:Dsga+pCSq+2JwIaHaxilCWrLpzSQIbBdovTCHb8zPag=
+github.com/containers/image/v5 v5.22.1-0.20220907162003-651744379993/go.mod h1:/Ruurd87C6Ap45t1PWNOD8+SGwiZbk79XCgs1iUTvYA=
 github.com/containers/libtrust v0.0.0-20200511145503-9c3a6c22cd9a h1:spAGlqziZjCJL25C6F1zsQY05tfCKE9F5YwtEWWe6hU=
 github.com/containers/libtrust v0.0.0-20200511145503-9c3a6c22cd9a/go.mod h1:9rfv8iPl1ZP7aqh9YA68wnZv2NUDbXdcdPHVz0pFbPY=
 github.com/containers/ocicrypt v1.0.1/go.mod h1:MeJDzk1RJHv89LjsH0Sp5KTY3ZYkjXO/C+bKAeWFIrc=
@@ -413,8 +443,10 @@ github.com/containers/ocicrypt v1.1.5/go.mod h1:WgjxPWdTJMqYMjf3M6cuIFFA1/MpyyhI
 github.com/containers/psgo v1.7.3 h1:KTNurTMXpZjDJHWmlieVO7k7jgKJ4CR/HpPeSaAKtgc=
 github.com/containers/psgo v1.7.3/go.mod h1:PfaNzzHmMb8M9/blPgyD4BB3ZEj/0ApZIxN6nNtA+t4=
 github.com/containers/storage v1.37.0/go.mod h1:kqeJeS0b7DO2ZT1nVWs0XufrmPFbgV3c+Q/45RlH6r4=
-github.com/containers/storage v1.42.0 h1:zm2AQD4NDeTB3JQ8X+Wo5+VRqNB+b4ocEd7Qj6ylPJA=
 github.com/containers/storage v1.42.0/go.mod h1:JiUJwOgOo1dr2DdOUc1MRe2GCAXABYoYmOdPF8yvH78=
+github.com/containers/storage v1.42.1-0.20220907083030-5aff7f62e8d0/go.mod h1:nj2fW3rgwkr6toBVFzv5OqUYs1kowX+AMiPjgv2UXN0=
+github.com/containers/storage v1.42.1-0.20220909095216-b32188140319 h1:39KnMhYzk3fFH3njZgZogEHPagPQn8JlLZEWIUQQZ1I=
+github.com/containers/storage v1.42.1-0.20220909095216-b32188140319/go.mod h1:nj2fW3rgwkr6toBVFzv5OqUYs1kowX+AMiPjgv2UXN0=
 github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
 github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
@@ -477,6 +509,7 @@ github.com/disiqueira/gotree/v3 v3.0.2/go.mod h1:ZuyjE4+mUQZlbpkI24AmruZKhg3VHEg
 github.com/dnaeon/go-vcr v1.0.1/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyGc8n1E=
 github.com/docker/cli v0.0.0-20191017083524-a8ff7f821017/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/cli v20.10.16+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v20.10.17+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v0.0.0-20190905152932-14b96e55d84c/go.mod h1:0+TTO4EOBfRPhZXAeF1Vu+W3hHZ8eLp8PgKVZlcvtFY=
 github.com/docker/distribution v2.7.1-0.20190205005809-0d3efadf0154+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
@@ -496,7 +529,6 @@ github.com/docker/go-connections v0.4.1-0.20210727194412-58542c764a11/go.mod h1:
 github.com/docker/go-events v0.0.0-20170721190031-9461782956ad/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA=
 github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA=
 github.com/docker/go-metrics v0.0.0-20180209012529-399ea8c73916/go.mod h1:/u0gXw0Gay3ceNrsHubL3BtdOL2fHf93USgMTe0W5dI=
-github.com/docker/go-metrics v0.0.1 h1:AgB/0SvBxihN0X8OR4SjsblXkbMvalQ8cjmtKQ2rQV8=
 github.com/docker/go-metrics v0.0.1/go.mod h1:cG1hvH2utMXtqgqqYE9plW6lDxS3/5ayHzueweSI3Vw=
 github.com/docker/go-plugins-helpers v0.0.0-20211224144127-6eecb7beb651 h1:YcvzLmdrP/b8kLAGJ8GT7bdncgCAiWxJZIlt84D+RJg=
 github.com/docker/go-plugins-helpers v0.0.0-20211224144127-6eecb7beb651/go.mod h1:LFyLie6XcDbyKGeVK6bHe+9aJTYCxWLBg5IrJZOaXKA=
@@ -511,6 +543,7 @@ github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3
 github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/eggsampler/acme/v3 v3.2.1/go.mod h1:/qh0rKC/Dh7Jj+p4So7DbWmFNzC4dpcpK53r226Fhuo=
+github.com/eggsampler/acme/v3 v3.3.0/go.mod h1:/qh0rKC/Dh7Jj+p4So7DbWmFNzC4dpcpK53r226Fhuo=
 github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
 github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
 github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
@@ -547,8 +580,9 @@ github.com/fatih/color v1.10.0/go.mod h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGE
 github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
 github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M=
 github.com/fatih/structtag v1.2.0/go.mod h1:mBJUNpUnHmRKrKlQQlmCrh5PuhftFbNv8Ys4/aAZl94=
-github.com/felixge/httpsnoop v1.0.1 h1:lvB5Jl89CsZtGIWuTcDM1E/vkVs49/Ml7JJe07l8SPQ=
 github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
+github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk=
+github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/flynn/go-docopt v0.0.0-20140912013429-f6dd2ebbb31e/go.mod h1:HyVoz1Mz5Co8TFO8EupIdlcpwShBmY98dkT2xeHkvEI=
 github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
 github.com/form3tech-oss/jwt-go v3.2.3+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
@@ -562,8 +596,8 @@ github.com/fsnotify/fsnotify v1.5.1/go.mod h1:T3375wBYaZdLLcVNkcVbzGHY7f1l/uK5T5
 github.com/fsnotify/fsnotify v1.5.4 h1:jRbGcIw6P2Meqdwuo0H1p6JVLbL5DHKAKlYndzMwVZI=
 github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmVXmkdnm1bU=
 github.com/fsouza/go-dockerclient v1.7.7/go.mod h1:njNCXvoZj3sLPjf3yO0DPHf1mdLdCPDYPc14GskKA4Y=
-github.com/fsouza/go-dockerclient v1.8.1 h1:a27vHYqNSZz88nUAurI1o6W5PgEt63nAWilOI+j63RE=
-github.com/fsouza/go-dockerclient v1.8.1/go.mod h1:zmA2ogSxRnXmbZcy0Aq7yhRoCdP/bDns/qghCK9SWtM=
+github.com/fsouza/go-dockerclient v1.8.3 h1:ckb6sG98D607PNQo012YEhQ8hvuRHx7RISIJM5tjkQM=
+github.com/fsouza/go-dockerclient v1.8.3/go.mod h1:oenNB8JjNKY4o8I/sug4Qah9si/7OxH4MjL+u7oBxP8=
 github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa/go.mod h1:KnogPXtdwXqoenmZCw6S+25EAm2MkxbG0deNDu4cbSA=
 github.com/fullstorydev/grpcurl v1.6.0/go.mod h1:ZQ+ayqbKMJNhzLmbpCiurTVlaK2M/3nqZCxaQ2Ze/sM=
 github.com/fzipp/gocyclo v0.3.1/go.mod h1:DJHO6AUmbdqj2ET4Z9iArSuwWgYDRryYt2wASxc7x3E=
@@ -574,6 +608,7 @@ github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm+fLHvGI=
 github.com/gin-gonic/gin v1.7.1/go.mod h1:jD2toBW3GZUr5UMcdrwQA10I7RuaFOl/SGeDjXkfUtY=
+github.com/gin-gonic/gin v1.7.7/go.mod h1:axIBovoeJpVj8S3BwE0uPMTeReE4+AfFtqpqaZ1qq1U=
 github.com/go-asn1-ber/asn1-ber v1.3.1/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-critic/go-critic v0.6.1/go.mod h1:SdNCfU0yF3UBjtaZGw6586/WocupMOJuiqgom5DsQxM=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
@@ -584,10 +619,12 @@ github.com/go-ini/ini v1.25.4/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3I
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
+github.com/go-kit/log v0.2.0/go.mod h1:NwTd00d/i8cPZ3xOwwiv2PO5MOcx78fFErGNcVmBjv0=
 github.com/go-ldap/ldap/v3 v3.1.10/go.mod h1:5Zun81jBTabRaI8lzN7E1JjyEl1g6zI6u9pd8luAK4Q=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
 github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
+github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs=
 github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
 github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
 github.com/go-logr/logr v0.4.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
@@ -618,7 +655,9 @@ github.com/go-playground/universal-translator v0.17.0/go.mod h1:UkSxE5sNxxRwHyU+
 github.com/go-playground/validator/v10 v10.4.1/go.mod h1:nlOn6nFhuKACm19sB/8EGNn9GlaMV7XkbRSipzJ0Ii4=
 github.com/go-redis/redis v6.15.8+incompatible/go.mod h1:NAIEuMOZ/fxfXJIrKDQDz8wamY7mA7PouImQ2Jvg6kA=
 github.com/go-redis/redis/v8 v8.11.4/go.mod h1:2Z2wHZXdQpCDXEGzqMockDpNyYvi2l4Pxt6RJr792+w=
+github.com/go-redis/redis/v8 v8.11.5/go.mod h1:gREzHqY1hg6oD9ngVRbLStwAWKhA0FEgq8Jd4h5lpwo=
 github.com/go-rod/rod v0.107.3/go.mod h1:4SqYRUrcc4dSr9iT36YRZ4hdUAPg3A0O8RhxAMh0eCQ=
+github.com/go-rod/rod v0.109.1/go.mod h1:GZDtmEs6RpF6kBRYpGCZXxXlKNneKVPiKOjaMbmVVjE=
 github.com/go-sql-driver/mysql v1.4.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
 github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
 github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
@@ -642,27 +681,45 @@ github.com/go-toolsmith/typep v1.0.0/go.mod h1:JSQCQMUPdRlMZFswiq3TGpNp1GMktqkR2
 github.com/go-toolsmith/typep v1.0.2/go.mod h1:JSQCQMUPdRlMZFswiq3TGpNp1GMktqkR2Ns5AIQkATU=
 github.com/go-xmlfmt/xmlfmt v0.0.0-20191208150333-d5b6f63a941b/go.mod h1:aUCEOzzezBEjDBbFBoSiya/gduyIiWYRP6CnSFIV8AM=
 github.com/gobuffalo/attrs v0.1.0/go.mod h1:fmNpaWyHM0tRm8gCZWKx8yY9fvaNLo2PyzBNSrBZ5Hw=
+github.com/gobuffalo/attrs v1.0.1/go.mod h1:qGdnq2RukKtBl4ASJit0OFckc5XGSyTFk98SvRpMFrQ=
 github.com/gobuffalo/envy v1.8.1/go.mod h1:FurDp9+EDPE4aIUS3ZLyD+7/9fpx7YRt/ukY6jIHf0w=
 github.com/gobuffalo/envy v1.9.0/go.mod h1:FurDp9+EDPE4aIUS3ZLyD+7/9fpx7YRt/ukY6jIHf0w=
+github.com/gobuffalo/envy v1.10.1/go.mod h1:AWx4++KnNOW3JOeEvhSaq+mvgAvnMYOY1XSIin4Mago=
 github.com/gobuffalo/fizz v1.10.0/go.mod h1:J2XGPO0AfJ1zKw7+2BA+6FEGAkyEsdCOLvN93WCT2WI=
+github.com/gobuffalo/fizz v1.14.0/go.mod h1:0aF1kAZYCfKqbLM/lmZ3jXFyqqWE/kY/nIOKnNdAYXQ=
 github.com/gobuffalo/flect v0.1.5/go.mod h1:W3K3X9ksuZfir8f/LrfVtWmCDQFfayuylOJ7sz/Fj80=
 github.com/gobuffalo/flect v0.2.0/go.mod h1:W3K3X9ksuZfir8f/LrfVtWmCDQFfayuylOJ7sz/Fj80=
 github.com/gobuffalo/flect v0.2.1/go.mod h1:vmkQwuZYhN5Pc4ljYQZzP+1sq+NEkK+lh20jmEmX3jc=
+github.com/gobuffalo/flect v0.2.4/go.mod h1:1ZyCLIbg0YD7sDkzvFdPoOydPtD8y9JQnrOROolUcM8=
+github.com/gobuffalo/flect v0.2.5/go.mod h1:1ZyCLIbg0YD7sDkzvFdPoOydPtD8y9JQnrOROolUcM8=
 github.com/gobuffalo/genny/v2 v2.0.5/go.mod h1:kRkJuAw9mdI37AiEYjV4Dl+TgkBDYf8HZVjLkqe5eBg=
+github.com/gobuffalo/genny/v2 v2.0.8/go.mod h1:R45scCyQfff2HysNJHNanjrpvPw4Qu+rM1MOMDBB5oU=
+github.com/gobuffalo/genny/v2 v2.0.9/go.mod h1:R45scCyQfff2HysNJHNanjrpvPw4Qu+rM1MOMDBB5oU=
 github.com/gobuffalo/github_flavored_markdown v1.1.0/go.mod h1:TSpTKWcRTI0+v7W3x8dkSKMLJSUpuVitlptCkpeY8ic=
+github.com/gobuffalo/github_flavored_markdown v1.1.1/go.mod h1:yU32Pen+eorS58oxh/bNZx76zUOCJwmvyV5FBrvzOKQ=
 github.com/gobuffalo/helpers v0.6.0/go.mod h1:pncVrer7x/KRvnL5aJABLAuT/RhKRR9klL6dkUOhyv8=
 github.com/gobuffalo/helpers v0.6.1/go.mod h1:wInbDi0vTJKZBviURTLRMFLE4+nF2uRuuL2fnlYo7w4=
+github.com/gobuffalo/helpers v0.6.4/go.mod h1:m2aOKsTl3KB0RUwwpxf3tykaaitujQ3irivqrlNAcJ0=
 github.com/gobuffalo/logger v1.0.3/go.mod h1:SoeejUwldiS7ZsyCBphOGURmWdwUFXs0J7TCjEhjKxM=
+github.com/gobuffalo/logger v1.0.6/go.mod h1:J31TBEHR1QLV2683OXTAItYIg8pv2JMHnF/quuAbMjs=
 github.com/gobuffalo/nulls v0.2.0/go.mod h1:w4q8RoSCEt87Q0K0sRIZWYeIxkxog5mh3eN3C/n+dUc=
+github.com/gobuffalo/nulls v0.4.1/go.mod h1:pp8e1hWTRJZFpMl4fj/CVbSMlaxjeGKkFq4RuBZi3w8=
 github.com/gobuffalo/packd v0.3.0/go.mod h1:zC7QkmNkYVGKPw4tHpBQ+ml7W/3tIebgeo1b36chA3Q=
 github.com/gobuffalo/packd v1.0.0/go.mod h1:6VTc4htmJRFB7u1m/4LeMTWjFoYrUiBkU9Fdec9hrhI=
+github.com/gobuffalo/packd v1.0.1/go.mod h1:PP2POP3p3RXGz7Jh6eYEf93S7vA2za6xM7QT85L4+VY=
 github.com/gobuffalo/packr/v2 v2.8.0/go.mod h1:PDk2k3vGevNE3SwVyVRgQCCXETC9SaONCNSXT1Q8M1g=
 github.com/gobuffalo/plush/v4 v4.0.0/go.mod h1:ErFS3UxKqEb8fpFJT7lYErfN/Nw6vHGiDMTjxpk5bQ0=
+github.com/gobuffalo/plush/v4 v4.1.9/go.mod h1:9OOII9uAM5pZnhWu1OkQnboXJjaWMQ7kcTl3zNcxvTM=
+github.com/gobuffalo/plush/v4 v4.1.11/go.mod h1:9OOII9uAM5pZnhWu1OkQnboXJjaWMQ7kcTl3zNcxvTM=
 github.com/gobuffalo/pop/v5 v5.3.1/go.mod h1:vcEDhh6cJ3WVENqJDFt/6z7zNb7lLnlN8vj3n5G9rYA=
+github.com/gobuffalo/pop/v6 v6.0.0/go.mod h1:5rd3OnViLhjteR8+0i/mT9Q4CzkTzCoR7tm/9mmAic4=
+github.com/gobuffalo/pop/v6 v6.0.4/go.mod h1:dFcrMNPOwk+sl1Oa0lOb/jGbmjv+JV+5CZjMWNYR3KI=
 github.com/gobuffalo/tags/v3 v3.0.2/go.mod h1:ZQeN6TCTiwAFnS0dNcbDtSgZDwNKSpqajvVtt6mlYpA=
 github.com/gobuffalo/tags/v3 v3.1.0/go.mod h1:ZQeN6TCTiwAFnS0dNcbDtSgZDwNKSpqajvVtt6mlYpA=
+github.com/gobuffalo/tags/v3 v3.1.2/go.mod h1:o3ldUfKv50jxWAC8eZHXMm8dnKW3YvyZUMr0xqUcZTI=
 github.com/gobuffalo/validate/v3 v3.0.0/go.mod h1:HFpjq+AIiA2RHoQnQVTFKF/ZpUPXwyw82LgyDPxQ9r0=
 github.com/gobuffalo/validate/v3 v3.1.0/go.mod h1:HFpjq+AIiA2RHoQnQVTFKF/ZpUPXwyw82LgyDPxQ9r0=
+github.com/gobuffalo/validate/v3 v3.3.1/go.mod h1:Ehu8ieNJQuUM4peDDr/0VapzdGA7RgTc3wbe51vHfS0=
 github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
 github.com/godbus/dbus v0.0.0-20151105175453-c7fdd8b5cd55/go.mod h1:/YcGZj5zSblfDWMMoOzV4fas9FZnQYTkDnsGvmh2Grw=
 github.com/godbus/dbus v0.0.0-20180201030542-885f9cc04c9c/go.mod h1:/YcGZj5zSblfDWMMoOzV4fas9FZnQYTkDnsGvmh2Grw=
@@ -675,6 +732,9 @@ github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
 github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gofrs/flock v0.8.1/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU=
 github.com/gofrs/uuid v3.2.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
+github.com/gofrs/uuid v4.0.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
+github.com/gofrs/uuid v4.1.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
+github.com/gofrs/uuid v4.2.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/gogo/googleapis v1.2.0/go.mod h1:Njal3psf3qN6dwBtQfUmBZh2ybovJ0tlu3o/AC7HYjU=
 github.com/gogo/googleapis v1.4.0/go.mod h1:5YRNX2z1oM5gXdAkurHa942MDgEJyk02w4OecKY87+c=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
@@ -684,8 +744,10 @@ github.com/gogo/protobuf v1.3.0/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXP
 github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
 github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
 github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
+github.com/golang-jwt/jwt/v4 v4.4.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -757,8 +819,9 @@ github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8
 github.com/google/go-cmp v0.5.8 h1:e6P7q2lk1O+qJJb4BtCQXlK8vWEO8V1ZeuEdJNOqZyg=
 github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-containerregistry v0.5.1/go.mod h1:Ct15B4yir3PLOP5jsy0GNeYVaIZs/MK/Jz5any1wFW0=
-github.com/google/go-containerregistry v0.10.0 h1:qd/fv2nQajGZJenaNcdaghlwSPjQ0NphN9hzArr2WWg=
 github.com/google/go-containerregistry v0.10.0/go.mod h1:C7uwbB1QUAtvnknyd3ethxJRd4gtEjU/9WLXzckfI1Y=
+github.com/google/go-containerregistry v0.11.0 h1:Xt8x1adcREjFcmDoDK8OdOsjxu90PHkGuwNP8GiHMLM=
+github.com/google/go-containerregistry v0.11.0/go.mod h1:BBaYtsHPHA42uEgAvd/NejvAfPSlz281sJWqupjSxfk=
 github.com/google/go-intervals v0.0.2 h1:FGrVEiUnTRKR8yE04qzXYaJMtnIYqobR5QbblK3ixcM=
 github.com/google/go-intervals v0.0.2/go.mod h1:MkaR3LNRfeKLPmqgJYs4E66z5InYjmCjbbr4TQlcT6Y=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
@@ -814,6 +877,7 @@ github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORR
 github.com/gordonklaus/ineffassign v0.0.0-20200309095847-7953dde2c7bf/go.mod h1:cuNKsD1zp2v6XfE/orVX2QE1LC+i254ceGcVeDT3pTU=
 github.com/gordonklaus/ineffassign v0.0.0-20210225214923-2e10b2664254/go.mod h1:M9mZEtGIsR1oDaZagNPNG9iq9n2HrhZ17dsXk73V3Lw=
 github.com/gorhill/cronexpr v0.0.0-20180427100037-88b0669f7d75/go.mod h1:g2644b03hfBX9Ov0ZBDgXXens4rxSxmqFBbhvKv2yVA=
+github.com/gorilla/css v1.0.0/go.mod h1:Dn721qIggHpt4+EFCcTLTU/vk5ySda2ReITrtgBl60c=
 github.com/gorilla/handlers v0.0.0-20150720190736-60c7bfde3e33/go.mod h1:Qkdc/uu4tH4g6mTK6auzZ766c4CA0Ng8+o/OAirnOIQ=
 github.com/gorilla/handlers v1.5.1 h1:9lRY6j8DEeeBT10CvO9hGW0gmky0BprnvDI5vfhUHH4=
 github.com/gorilla/handlers v1.5.1/go.mod h1:t8XrUpc4KVXb7HGyJ4/cEnwQiaxrX/hz1Zv/4g96P1Q=
@@ -866,6 +930,7 @@ github.com/hashicorp/go-hclog v0.12.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39
 github.com/hashicorp/go-hclog v0.14.1/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ=
 github.com/hashicorp/go-hclog v0.16.2/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ=
 github.com/hashicorp/go-hclog v1.1.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ=
+github.com/hashicorp/go-hclog v1.2.1/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
 github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
 github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
 github.com/hashicorp/go-kms-wrapping/entropy v0.1.0/go.mod h1:d1g9WGtAunDNpek8jUIEJnBlbgKS1N2Q61QkHiZyR1g=
@@ -876,9 +941,11 @@ github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+
 github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
 github.com/hashicorp/go-plugin v1.4.3/go.mod h1:5fGEH17QVwTTcR0zV7yhDPLLmFX9YSZ38b18Udy6vYQ=
+github.com/hashicorp/go-plugin v1.4.4/go.mod h1:viDMjcLJuDui6pXb8U4HVfb8AamCWhHGUjr2IrTF67s=
 github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs=
 github.com/hashicorp/go-retryablehttp v0.6.6/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY=
 github.com/hashicorp/go-retryablehttp v0.7.0/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY=
+github.com/hashicorp/go-retryablehttp v0.7.1/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY=
 github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU=
 github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=
 github.com/hashicorp/go-secure-stdlib/base62 v0.1.1/go.mod h1:EdWO6czbmthiwZ3/PUsDV+UD1D5IRU4ActiaWGwt0Yw=
@@ -896,9 +963,11 @@ github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdv
 github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
+github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/go-version v1.2.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
 github.com/hashicorp/go-version v1.2.1/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
 github.com/hashicorp/go-version v1.4.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
+github.com/hashicorp/go-version v1.6.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
 github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
@@ -913,12 +982,16 @@ github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/J
 github.com/hashicorp/serf v0.9.5/go.mod h1:UWDWwZeL5cuWDJdl0C6wrvrUwEqtQ4ZKBKKENpqIUyk=
 github.com/hashicorp/vault/api v1.7.2/go.mod h1:xbfA+1AvxFseDzxxdWaL0uO99n1+tndus4GCrtouy0M=
 github.com/hashicorp/vault/sdk v0.5.1/go.mod h1:DoGraE9kKGNcVgPmTuX357Fm6WAx1Okvde8Vp3dPDoU=
+github.com/hashicorp/vault/sdk v0.5.3/go.mod h1:DoGraE9kKGNcVgPmTuX357Fm6WAx1Okvde8Vp3dPDoU=
 github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM=
 github.com/hashicorp/yamux v0.0.0-20211028200310-0bc27b27de87/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbgIO0SLnQ=
-github.com/honeycombio/beeline-go v1.1.1 h1:sU8r4ae34uEL3/CguSl8Mr+Asz9DL1nfH9Wwk85Pc7U=
+github.com/hashicorp/yamux v0.1.0/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbgIO0SLnQ=
 github.com/honeycombio/beeline-go v1.1.1/go.mod h1:kN0cfUGBMfA87DyCYbiiLoSzWsnw3bluZvNEWtatHxk=
-github.com/honeycombio/libhoney-go v1.15.2 h1:5NGcjOxZZma13dmzNcl3OtGbF1hECA0XHJNHEb2t2ck=
+github.com/honeycombio/beeline-go v1.9.0 h1:MM/20HBFE2AKno0N9bOgEicSHHiTkTklGdtjdtAEWbk=
+github.com/honeycombio/beeline-go v1.9.0/go.mod h1:/8gmL2gGFbAnIhfldNUj26AFi7+JTdjtTfIujJww6yI=
 github.com/honeycombio/libhoney-go v1.15.2/go.mod h1:JzhRPYgoBCd0rZvudrqmej4Ntx0w7AT3wAJpf5+t1WA=
+github.com/honeycombio/libhoney-go v1.15.8 h1:TECEltZ48K6J4NG1JVYqmi0vCJNnHYooFor83fgKesA=
+github.com/honeycombio/libhoney-go v1.15.8/go.mod h1:+tnL2etFnJmVx30yqmoUkVyQjp7uRJw0a2QGu48lSyY=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/huandu/xstrings v1.0.0/go.mod h1:4qWG/gcEcfX4z/mBDHJ++3ReCw9ibxbsNJbcucJdbSo=
 github.com/huandu/xstrings v1.2.0/go.mod h1:DvyZB1rfVYsBIigL8HwpZgxHwXozlTgGqn63UyNX5k4=
@@ -947,8 +1020,16 @@ github.com/jackc/pgconn v0.0.0-20190824142844-760dd75542eb/go.mod h1:lLjNuW/+OfW
 github.com/jackc/pgconn v0.0.0-20190831204454-2fabfa3c18b7/go.mod h1:ZJKsE/KZfsUgOEh9hBm+xYTstcNHg7UPMVJqRfQxq4s=
 github.com/jackc/pgconn v1.5.0/go.mod h1:QeD3lBfpTFe8WUnPZWN5KY/mB8FGMIYRdd8P8Jr0fAI=
 github.com/jackc/pgconn v1.6.0/go.mod h1:yeseQo4xhQbgyJs2c87RAXOH2i624N0Fh1KSPJya7qo=
+github.com/jackc/pgconn v1.8.0/go.mod h1:1C2Pb36bGIP9QHGBYCjnyhqu7Rv3sGshaQUvmfGIB/o=
+github.com/jackc/pgconn v1.9.0/go.mod h1:YctiPyvzfU11JFxoXokUOOKQXQmDMoJL9vJzHH8/2JY=
+github.com/jackc/pgconn v1.9.1-0.20210724152538-d89c8390a530/go.mod h1:4z2w8XhRbP1hYxkpTuBjTS3ne3J48K83+u0zoyvg2pI=
+github.com/jackc/pgconn v1.10.0/go.mod h1:4z2w8XhRbP1hYxkpTuBjTS3ne3J48K83+u0zoyvg2pI=
+github.com/jackc/pgconn v1.10.1/go.mod h1:4z2w8XhRbP1hYxkpTuBjTS3ne3J48K83+u0zoyvg2pI=
+github.com/jackc/pgconn v1.12.1/go.mod h1:ZkhRC59Llhrq3oSfrikvwQ5NaxYExr6twkdkMLaKono=
 github.com/jackc/pgio v1.0.0/go.mod h1:oP+2QK2wFfUWgr+gxjoBH9KGBb31Eio69xUb0w5bYf8=
 github.com/jackc/pgmock v0.0.0-20190831213851-13a1b77aafa2/go.mod h1:fGZlG77KXmcq05nJLRkk0+p82V8B8Dw8KN2/V9c/OAE=
+github.com/jackc/pgmock v0.0.0-20201204152224-4fe30f7445fd/go.mod h1:hrBW0Enj2AZTNpt/7Y5rr2xe/9Mn757Wtb2xeBzPv2c=
+github.com/jackc/pgmock v0.0.0-20210724152146-4ad1a8207f65/go.mod h1:5R2h2EEX+qri8jOWMbJCtaPWkrrNc7OHwsp2TCqp7ak=
 github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
 github.com/jackc/pgproto3 v1.1.0/go.mod h1:eR5FA3leWg7p9aeAqi37XOTgTIbkABlvcPB3E5rlc78=
 github.com/jackc/pgproto3/v2 v2.0.0-alpha1.0.20190420180111-c116219b62db/go.mod h1:bhq50y+xrl9n5mRYyCBFKkpRVTLYJVWeCc+mEAI3yXA=
@@ -957,23 +1038,41 @@ github.com/jackc/pgproto3/v2 v2.0.0-rc3/go.mod h1:ryONWYqW6dqSg1Lw6vXNMXoBJhpzvW
 github.com/jackc/pgproto3/v2 v2.0.0-rc3.0.20190831210041-4c03ce451f29/go.mod h1:ryONWYqW6dqSg1Lw6vXNMXoBJhpzvWKnT95C46ckYeM=
 github.com/jackc/pgproto3/v2 v2.0.1/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA=
 github.com/jackc/pgproto3/v2 v2.0.2/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA=
+github.com/jackc/pgproto3/v2 v2.0.6/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA=
+github.com/jackc/pgproto3/v2 v2.1.1/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA=
+github.com/jackc/pgproto3/v2 v2.3.0/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA=
 github.com/jackc/pgservicefile v0.0.0-20200307190119-3430c5407db8/go.mod h1:vsD4gTJCa9TptPL8sPkXrLZ+hDuNrZCnj29CQpr4X1E=
+github.com/jackc/pgservicefile v0.0.0-20200714003250-2b9c44734f2b/go.mod h1:vsD4gTJCa9TptPL8sPkXrLZ+hDuNrZCnj29CQpr4X1E=
 github.com/jackc/pgtype v0.0.0-20190421001408-4ed0de4755e0/go.mod h1:hdSHsc1V01CGwFsrv11mJRHWJ6aifDLfdV3aVjFF0zg=
 github.com/jackc/pgtype v0.0.0-20190824184912-ab885b375b90/go.mod h1:KcahbBH1nCMSo2DXpzsoWOAfFkdEtEJpPbVLq8eE+mc=
 github.com/jackc/pgtype v0.0.0-20190828014616-a8802b16cc59/go.mod h1:MWlu30kVJrUS8lot6TQqcg7mtthZ9T0EoIBFiJcmcyw=
 github.com/jackc/pgtype v1.3.0/go.mod h1:b0JqxHvPmljG+HQ5IsvQ0yqeSi4nGcDTVjFoiLDb0Ik=
+github.com/jackc/pgtype v1.8.1-0.20210724151600-32e20a603178/go.mod h1:C516IlIV9NKqfsMCXTdChteoXmwgUceqaLfjg2e3NlM=
+github.com/jackc/pgtype v1.8.1/go.mod h1:LUMuVrfsFfdKGLw+AFFVv6KtHOFMwRgDDzBt76IqCA4=
+github.com/jackc/pgtype v1.11.0/go.mod h1:LUMuVrfsFfdKGLw+AFFVv6KtHOFMwRgDDzBt76IqCA4=
 github.com/jackc/pgx v3.6.2+incompatible/go.mod h1:0ZGrqGqkRlliWnWB4zKnWtjbSWbGkVEFm4TeybAXq+I=
 github.com/jackc/pgx/v4 v4.0.0-20190420224344-cc3461e65d96/go.mod h1:mdxmSJJuR08CZQyj1PVQBHy9XOp5p8/SHH6a0psbY9Y=
 github.com/jackc/pgx/v4 v4.0.0-20190421002000-1b8f0016e912/go.mod h1:no/Y67Jkk/9WuGR0JG/JseM9irFbnEPbuWV2EELPNuM=
 github.com/jackc/pgx/v4 v4.0.0-pre1.0.20190824185557-6972a5742186/go.mod h1:X+GQnOEnf1dqHGpw7JmHqHc1NxDoalibchSk9/RWuDc=
 github.com/jackc/pgx/v4 v4.6.0/go.mod h1:vPh43ZzxijXUVJ+t/EmXBtFmbFVO72cuneCT9oAlxAg=
+github.com/jackc/pgx/v4 v4.12.1-0.20210724153913-640aa07df17c/go.mod h1:1QD0+tgSXP7iUjYm9C1NxKhny7lq6ee99u/z+IHFcgs=
+github.com/jackc/pgx/v4 v4.13.0/go.mod h1:9P4X524sErlaxj0XSGZk7s+LD0eOyu1ZDUrrpznYDF0=
+github.com/jackc/pgx/v4 v4.16.1/go.mod h1:SIhx0D5hoADaiXZVyv+3gSm3LCIIINTVO0PficsvWGQ=
 github.com/jackc/puddle v0.0.0-20190413234325-e4ced69a3a2b/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
 github.com/jackc/puddle v0.0.0-20190608224051-11cab39313c9/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
 github.com/jackc/puddle v1.1.0/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
+github.com/jackc/puddle v1.1.3/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
+github.com/jackc/puddle v1.2.1/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
+github.com/jellydator/ttlcache/v2 v2.11.1/go.mod h1:RtE5Snf0/57e+2cLWFYWCCsLas2Hy3c5Z4n14XmSvTI=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/jgautheron/goconst v1.5.1/go.mod h1:aAosetZ5zaeC/2EfMeRswtxUFBpe2Hr7HzkgX4fanO4=
+github.com/jhump/gopoet v0.0.0-20190322174617-17282ff210b3/go.mod h1:me9yfT6IJSlOL3FCfrg+L6yzUEZ+5jW6WHt4Sk+UPUI=
+github.com/jhump/gopoet v0.1.0/go.mod h1:me9yfT6IJSlOL3FCfrg+L6yzUEZ+5jW6WHt4Sk+UPUI=
+github.com/jhump/goprotoc v0.5.0/go.mod h1:VrbvcYrQOrTi3i0Vf+m+oqQWk9l72mjkJCYo7UvLHRQ=
 github.com/jhump/protoreflect v1.6.0/go.mod h1:eaTn3RZAmMBcV0fifFvlm6VHNz3wSkYyXYWUh7ymB74=
 github.com/jhump/protoreflect v1.6.1/go.mod h1:RZQ/lnuN+zqeRVpQigTwO6o0AJUkxbnSnpuG7toUTG4=
+github.com/jhump/protoreflect v1.11.0/go.mod h1:U7aMIjN0NWq9swDP7xDdoMfRHb35uiuTd3Z9nFXJf5E=
+github.com/jhump/protoreflect v1.12.0/go.mod h1:JytZfP5d0r8pVNLZvai7U/MCuTWITgrI4tTg7puQFKI=
 github.com/jingyugao/rowserrcheck v1.1.1/go.mod h1:4yvlZSDb3IyDTUZJUmpZfm2Hwok+Dtp+nu2qOq+er9c=
 github.com/jinzhu/copier v0.3.5 h1:GlvfUwHk62RokgqVNvYsku0TATCF7bAHVwEXoBh3iJg=
 github.com/jinzhu/copier v0.3.5/go.mod h1:DfbEm0FYsaqBcKcFuvmOZb218JkPGtvSHsKg8S8hyyg=
@@ -987,8 +1086,10 @@ github.com/jmhodges/clock v0.0.0-20160418191101-880ee4c33548 h1:dYTbLf4m0a5u0KLm
 github.com/jmhodges/clock v0.0.0-20160418191101-880ee4c33548/go.mod h1:hGT6jSUVzF6no3QaDSMLGLEHtHSBSefs+MgcDWnmhmo=
 github.com/jmoiron/sqlx v1.2.0/go.mod h1:1FEQNm3xlJgrMD+FBdI9+xvCksHtbpVBBw5dYhBSsks=
 github.com/jmoiron/sqlx v1.3.4/go.mod h1:2BljVx/86SuTyjE+aPYlHCTNvZrnJXghYGpNiXLBMCQ=
+github.com/jmoiron/sqlx v1.3.5/go.mod h1:nRVWtLre0KfCLJvgxzCsLVMogSvQ1zNJtpYr2Ccp0mQ=
 github.com/joefitzgerald/rainbow-reporter v0.1.0/go.mod h1:481CNgqmVHQZzdIbN52CupLJyoVwB10FQ/IQlF1pdL8=
 github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg=
+github.com/joho/godotenv v1.4.0/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
 github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
 github.com/jonboulle/clockwork v0.2.0/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
 github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
@@ -1031,6 +1132,7 @@ github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47e
 github.com/klauspost/compress v1.15.1/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk=
 github.com/klauspost/compress v1.15.4/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU=
 github.com/klauspost/compress v1.15.7/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU=
+github.com/klauspost/compress v1.15.8/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU=
 github.com/klauspost/compress v1.15.9 h1:wKRjX6JRtDdrE9qwa4b/Cip7ACOshUI4smpCQanqjSY=
 github.com/klauspost/compress v1.15.9/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU=
 github.com/klauspost/pgzip v1.2.5 h1:qnWYvvKqedOF2ulHpMG72XQol4ILEJ8k2wwRl/Km8oE=
@@ -1057,12 +1159,15 @@ github.com/kunwardeep/paralleltest v1.0.3/go.mod h1:vLydzomDFpk7yu5UX02RmP0H8QfR
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/kyoh86/exportloopref v0.1.8/go.mod h1:1tUcJeiioIs7VWe5gcOObrux3lb66+sBqGZrRkMwPgg=
 github.com/labstack/echo/v4 v4.3.0/go.mod h1:PvmtTvhVqKDzDQy4d3bWzPjZLzom4iQbAZy2sgZ/qI8=
+github.com/labstack/echo/v4 v4.7.2/go.mod h1:xkCDAdFCIf8jsFQ5NnbK7oqaF/yU1A1X20Ltm0OvSks=
 github.com/labstack/gommon v0.3.0/go.mod h1:MULnywXg0yavhxWKc+lOruYdAhDwPK9wf0OL7NoOu+k=
+github.com/labstack/gommon v0.3.1/go.mod h1:uW6kP17uPlLJsD3ijUYn3/M5bAxtlZhMI6m3MFxTMTM=
 github.com/ldez/gomoddirectives v0.2.2/go.mod h1:cpgBogWITnCfRq2qGoDkKMEVSaarhdBr6g8G04uz6d0=
 github.com/ldez/tagliatelle v0.2.0/go.mod h1:8s6WJQwEYHbKZDsp/LjArytKOG8qaMrKQQ3mFukHs88=
 github.com/leodido/go-urn v1.2.0/go.mod h1:+8+nEpDfqqsY+g338gtMEUOtuK+4dEMhiQEgxpxOKII=
-github.com/letsencrypt/boulder v0.0.0-20220331220046-b23ab962616e h1:1aV3EJ4ZMsc63MFU4rB+ccSEhZvvVD71T9RA4Rqd3hI=
 github.com/letsencrypt/boulder v0.0.0-20220331220046-b23ab962616e/go.mod h1:Bl3mfF2LHYepsU2XfzMceIglyByfPe1IFAXtO+p37Qk=
+github.com/letsencrypt/boulder v0.0.0-20220723181115-27de4befb95e h1:2ba+yBBeT8ZFyZjRLPDKvkqVrWX4CCYAuR6nuJGojD0=
+github.com/letsencrypt/boulder v0.0.0-20220723181115-27de4befb95e/go.mod h1:54WQpg5QI0mpRhxoj9bxysLqA5WJylVsLtXOrb3zAiU=
 github.com/letsencrypt/challtestsrv v1.2.1/go.mod h1:Ur4e4FvELUXLGhkMztHOsPIsvGxD/kzSJninOrkM+zc=
 github.com/letsencrypt/pkcs11key/v4 v4.0.0/go.mod h1:EFUvBDay26dErnNb70Nd0/VW3tJiIbETBPTl9ATXQag=
 github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
@@ -1071,7 +1176,10 @@ github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.3.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.8.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lib/pq v1.9.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
+github.com/lib/pq v1.10.2/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lib/pq v1.10.3/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
+github.com/lib/pq v1.10.4/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
+github.com/lib/pq v1.10.6/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/linuxkit/virtsock v0.0.0-20201010232012-f8cee7dfc7a3/go.mod h1:3r6x7q95whyfWQpmGZTu3gk3v2YkMi05HEzl7Tf7YEo=
 github.com/logrusorgru/aurora v0.0.0-20181002194514-a7b3b318ed4e/go.mod h1:7rIyQOR62GCctdiQpZ/zOJlFyk6y+94wXzv6RNZgaR4=
 github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I=
@@ -1127,6 +1235,7 @@ github.com/mattn/go-shellwords v1.0.12/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lL
 github.com/mattn/go-sqlite3 v1.9.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
 github.com/mattn/go-sqlite3 v1.11.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
 github.com/mattn/go-sqlite3 v1.14.6/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU=
+github.com/mattn/go-sqlite3 v1.14.9/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU=
 github.com/mattn/go-sqlite3 v2.0.3+incompatible/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
 github.com/mattn/goveralls v0.0.2/go.mod h1:8d1ZMHsd7fW6IRPKQh46F2WRpyib5/X4FOpevwGNQEw=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
@@ -1144,11 +1253,13 @@ github.com/mdlayher/raw v0.0.0-20191009151244-50f2db8cc065/go.mod h1:7EpbotpCmVZ
 github.com/mgechev/dots v0.0.0-20210922191527-e955255bf517/go.mod h1:KQ7+USdGKfpPjXk4Ga+5XxQM4Lm4e3gAogrreFAYpOg=
 github.com/mgechev/revive v1.1.2/go.mod h1:bnXsMr+ZTH09V5rssEI+jHAZ4z+ZdyhgO/zsy3EhK+0=
 github.com/microcosm-cc/bluemonday v1.0.2/go.mod h1:iVP4YcDBq+n/5fb23BhYFvIMq/leAFZyRl6bYmGDlGc=
+github.com/microcosm-cc/bluemonday v1.0.16/go.mod h1:Z0r70sCuXHig8YpBzCc5eGHAap2K7e/u082ZUpDRRqM=
 github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
 github.com/miekg/dns v1.1.26/go.mod h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKjuso=
 github.com/miekg/dns v1.1.35/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM=
 github.com/miekg/dns v1.1.43/go.mod h1:+evo5L0630/F6ca/Z9+GAqzhjGyn8/c+TBaOyfEl0V4=
 github.com/miekg/dns v1.1.45/go.mod h1:e3IlAVfNqAllflbibAZEWOXOQ+Ynzk/dDozDxY7XnME=
+github.com/miekg/dns v1.1.50/go.mod h1:e3IlAVfNqAllflbibAZEWOXOQ+Ynzk/dDozDxY7XnME=
 github.com/miekg/pkcs11 v1.0.2/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs=
 github.com/miekg/pkcs11 v1.0.3/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs=
 github.com/miekg/pkcs11 v1.1.1 h1:Ugu9pdy6vAYku5DEpVWVFPYnzV+bxB+iRdbuFSu7TvU=
@@ -1254,8 +1365,9 @@ github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
 github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU=
 github.com/onsi/ginkgo/v2 v2.0.0/go.mod h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c=
 github.com/onsi/ginkgo/v2 v2.1.3/go.mod h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c=
-github.com/onsi/ginkgo/v2 v2.1.4 h1:GNapqRSid3zijZ9H77KrgVG4/8KqiyRsxcSxe+7ApXY=
 github.com/onsi/ginkgo/v2 v2.1.4/go.mod h1:um6tUpWM/cxCK3/FK8BXqEiUMUwRgSM4JXG47RKZmLU=
+github.com/onsi/ginkgo/v2 v2.1.6 h1:Fx2POJZfKRQcM1pH49qSZiYeu319wji004qX+GDovrU=
+github.com/onsi/ginkgo/v2 v2.1.6/go.mod h1:MEH45j8TBi6u9BMogfbp0stKC5cdGjumZj5Y7AG4VIk=
 github.com/onsi/gomega v0.0.0-20151007035656-2152b45fa28a/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
 github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
 github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
@@ -1270,8 +1382,10 @@ github.com/onsi/gomega v1.16.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAl
 github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY=
 github.com/onsi/gomega v1.18.1/go.mod h1:0q+aL8jAiMXy9hbwj2mr5GziHiwhAIQpFmmtT5hitRs=
 github.com/onsi/gomega v1.19.0/go.mod h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro=
-github.com/onsi/gomega v1.20.0 h1:8W0cWlwFkflGPLltQvLRB7ZVD5HuP6ng320w2IS245Q=
 github.com/onsi/gomega v1.20.0/go.mod h1:DtrZpjmvpn2mPm4YWQa0/ALMDj9v4YxLgojwPeREyVo=
+github.com/onsi/gomega v1.20.1/go.mod h1:DtrZpjmvpn2mPm4YWQa0/ALMDj9v4YxLgojwPeREyVo=
+github.com/onsi/gomega v1.20.2 h1:8uQq0zMgLEfa0vRrrBgaJF2gyW9Da9BmfGV+OyUzfkY=
+github.com/onsi/gomega v1.20.2/go.mod h1:iYAIXgPSaDHak0LCMA+AWBpIKBr8WZicMxnE8luStNc=
 github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk=
 github.com/opencontainers/go-digest v0.0.0-20170106003457-a6d0ee40d420/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
 github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
@@ -1331,6 +1445,7 @@ github.com/phayes/checkstyle v0.0.0-20170904204023-bfd46e6a821d/go.mod h1:3OzsM7
 github.com/pierrec/lz4 v2.5.2+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
 github.com/pierrec/lz4 v2.6.1+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
 github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8/go.mod h1:HKlIX3XHQyzLZPlr7++PzdhaXEj94dEiJgZDTsxEqUI=
+github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1-0.20171018195549-f15c970de5b7/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -1358,8 +1473,9 @@ github.com/prometheus/client_golang v1.4.0/go.mod h1:e9GMxYsXl05ICDXkRhurwBS4Q3O
 github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M=
 github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0=
 github.com/prometheus/client_golang v1.11.1/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0=
-github.com/prometheus/client_golang v1.12.1 h1:ZiaPsmm9uiBeaSMRznKsCDNtPCS0T3JVDGF+06gjBzk=
 github.com/prometheus/client_golang v1.12.1/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY=
+github.com/prometheus/client_golang v1.12.2 h1:51L9cDoUHVrXx4zWYlcLQIZ+d+VXHgqnYKkIuq4g/34=
+github.com/prometheus/client_golang v1.12.2/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY=
 github.com/prometheus/client_model v0.0.0-20171117100541-99fa1f4be8e5/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
@@ -1375,8 +1491,9 @@ github.com/prometheus/common v0.9.1/go.mod h1:yhUN8i9wzaXS3w1O07YhxHEBxD+W35wd8b
 github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo=
 github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc=
 github.com/prometheus/common v0.30.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls=
-github.com/prometheus/common v0.32.1 h1:hWIdL3N2HoUx3B8j3YN9mWor0qhY/NlEKZEaXxuIRh4=
 github.com/prometheus/common v0.32.1/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls=
+github.com/prometheus/common v0.37.0 h1:ccBbHCgIiT9uSoFY0vX8H3zsNR5eLt17/RQLUvn8pXE=
+github.com/prometheus/common v0.37.0/go.mod h1:phzohg0JFMnBEFGxTDbfu3QyL5GI8gTQJFhYO5B3mfA=
 github.com/prometheus/procfs v0.0.0-20180125133057-cb4147076ac7/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
@@ -1409,8 +1526,9 @@ github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFR
 github.com/rogpeppe/go-internal v1.3.2/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
 github.com/rogpeppe/go-internal v1.5.2/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
 github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
-github.com/rogpeppe/go-internal v1.6.2 h1:aIihoIOHCiLZHxyoNQ+ABL4NKhFTgKLBdMLyEAh98m0=
 github.com/rogpeppe/go-internal v1.6.2/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
+github.com/rogpeppe/go-internal v1.8.0 h1:FCbCCtXNOY3UtUuHUYaghJg4y7Fd14rXifAYUAtL9R8=
+github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6poM+XZ2dLUbcbE=
 github.com/rootless-containers/rootlesskit v1.0.1 h1:jepqW1txFSowKSMAEkVhWH3Oa1TCY9S400MVYe/6Iro=
 github.com/rootless-containers/rootlesskit v1.0.1/go.mod h1:t2UAiYagxrJ+wmpFAUIZPcqsm4k2B7ve6g7lILKbloc=
 github.com/rs/cors v1.7.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU=
@@ -1449,11 +1567,13 @@ github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNX
 github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c/go.mod h1:/PevMnwAxekIXwN8qQyfc5gl2NlkB3CQlkizAbOkeBs=
 github.com/shirou/gopsutil/v3 v3.21.10/go.mod h1:t75NhzCZ/dYyPQjyQmrAYP6c8+LCdFANeBMdLPCNnew=
 github.com/shopspring/decimal v0.0.0-20180709203117-cd690d0c9e24/go.mod h1:M+9NzErvs504Cn4c5DxATwIqPbtswREoFCre64PpcG4=
+github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
 github.com/shurcooL/go v0.0.0-20180423040247-9e1955d9fb6e/go.mod h1:TDJrrUr11Vxrven61rcy3hJMUqaf/CLWYhHNPmT14Lk=
 github.com/shurcooL/go-goon v0.0.0-20170922171312-37c2f522c041/go.mod h1:N5mDOmsrJOB+vfqUK+7DmDyjhSLIIBnXo9lvZJj3MWQ=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
-github.com/sigstore/sigstore v1.3.1-0.20220629021053-b95fc0d626c1 h1:5TPCWtlOsaCiuAaglfZX7obd+/kuE8lGUhsVQzmQSaI=
 github.com/sigstore/sigstore v1.3.1-0.20220629021053-b95fc0d626c1/go.mod h1:y83NePRM98MJpbGgBgi54UZduhG0aD7lYngAVCx+i/E=
+github.com/sigstore/sigstore v1.4.0 h1:5A3eUhbSQkhiqJNUPi/2UMKdTyb3NKfWcVjaTBkkaJk=
+github.com/sigstore/sigstore v1.4.0/go.mod h1:z3kt1jm2A39M+g7emkQ8jdErL/haCMEjkNxvqTf41/k=
 github.com/sirupsen/logrus v1.0.4-0.20170822132746-89742aefa4b2/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc=
 github.com/sirupsen/logrus v1.0.6/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
@@ -1527,12 +1647,14 @@ github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
 github.com/stretchr/testify v1.7.5/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
-github.com/sylabs/sif/v2 v2.7.1 h1:XXt9AP39sQfsMCGOGQ/XP9H47yqZOvAonalkaCaNIYM=
 github.com/sylabs/sif/v2 v2.7.1/go.mod h1:bBse2nEFd3yHkmq6KmAOFEWQg5LdFYiQUdVcgamxlc8=
+github.com/sylabs/sif/v2 v2.7.2 h1:eCxtl2ub9fPfrO7g2JPagn6HKDhv+Kl92Jz6+ww2Y1Q=
+github.com/sylabs/sif/v2 v2.7.2/go.mod h1:LQOdYXC9a8i7BleTKRw9lohi0rTbXkJOeS9u0ebvgyM=
 github.com/sylvia7788/contextcheck v1.0.4/go.mod h1:vuPKJMQ7MQ91ZTqfdyreNKwZjyUg6KO+IebVyQDedZQ=
 github.com/syndtr/gocapability v0.0.0-20170704070218-db04d3cc01c8/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
@@ -1540,6 +1662,7 @@ github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 h1:kdXcSzyDtse
 github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/syndtr/goleveldb v1.0.0/go.mod h1:ZVVdQEZoIme9iO1Ch2Jdy24qqXrMMOU6lpPAyBWyWuQ=
 github.com/syndtr/goleveldb v1.0.1-0.20210819022825-2ae1ddf74ef7/go.mod h1:q4W45IWZaF22tdD+VEXcAWRA037jwmWEB5VWYORlTpc=
+github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d/go.mod h1:RRCYJbIwD5jmqPI9XoAFR0OcDxqUctll6zUj/+B4S48=
 github.com/tchap/go-patricia v2.2.6+incompatible/go.mod h1:bmLyhP68RS6kStMGxByiQ23RP/odRBOTVjwp2cDyi6I=
 github.com/tchap/go-patricia v2.3.0+incompatible h1:GkY4dP3cEfEASBPPkWd+AmjYxhmDkqO9/zg7R0lSQRs=
 github.com/tchap/go-patricia v2.3.0+incompatible/go.mod h1:bmLyhP68RS6kStMGxByiQ23RP/odRBOTVjwp2cDyi6I=
@@ -1548,8 +1671,9 @@ github.com/tenntenn/modver v1.0.1/go.mod h1:bePIyQPb7UeioSRkw3Q0XeMhYZSMx9B8ePqg
 github.com/tenntenn/text/transform v0.0.0-20200319021203-7eef512accb3/go.mod h1:ON8b8w4BN/kE1EOhwT0o+d62W65a6aPw1nouo9LMgyY=
 github.com/tetafro/godot v1.4.11/go.mod h1:LR3CJpxDVGlYOWn3ZZg1PgNZdTUvzsZWu8xaEohUpn8=
 github.com/theupdateframework/go-tuf v0.3.0/go.mod h1:E5XP0wXitrFUHe4b8cUcAAdxBW4LbfnqF4WXXGLgWNo=
-github.com/theupdateframework/go-tuf v0.3.1 h1:NkjMlCuLcDpHNtsWXY4lTmbbQQ5nOM7JSBbOKEEiI1c=
 github.com/theupdateframework/go-tuf v0.3.1/go.mod h1:lhHZ3Vt2pdAh15h0Cc6gWdlI+Okn2ZznD3q/cNjd5jw=
+github.com/theupdateframework/go-tuf v0.4.0 h1:KTFzOsIdtmMe4KTEOEcDdD68uXYf2hDYq+Bh+hU7yWU=
+github.com/theupdateframework/go-tuf v0.4.0/go.mod h1:kfQTX2LhNeK/cp03OBiZHoua0Pp2l9w4ShRwFtc0oKg=
 github.com/timakin/bodyclose v0.0.0-20200424151742-cb6215831a94/go.mod h1:Qimiffbc6q9tBWlVV6x0P9sat/ao1xEkREYPPj9hphk=
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0=
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs=
@@ -1607,12 +1731,16 @@ github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17
 github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
 github.com/vishvananda/netns v0.0.0-20210104183010-2eb08e3e575f h1:p4VB7kIXpOQvVn1ZaTIVp+3vuYAXFe3OJEvjbUYJLaA=
 github.com/vishvananda/netns v0.0.0-20210104183010-2eb08e3e575f/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
-github.com/vmihailenco/msgpack/v4 v4.3.12 h1:07s4sz9IReOgdikxLTKNbBdqDMLsjPKXwvCazn8G65U=
 github.com/vmihailenco/msgpack/v4 v4.3.12/go.mod h1:gborTTJjAo/GWTqqRjrLCn9pgNN+NXzzngzBKDPIqw4=
+github.com/vmihailenco/msgpack/v5 v5.3.5 h1:5gO0H1iULLWGhs2H5tbAHIZTV8/cYafcFOr9znI5mJU=
+github.com/vmihailenco/msgpack/v5 v5.3.5/go.mod h1:7xyJ9e+0+9SaZT0Wt1RGleJXzli6Q/V5KbhBonMG9jc=
 github.com/vmihailenco/tagparser v0.1.1 h1:quXMXlA39OCbd2wAdTsGDlK9RkOk6Wuw+x37wVyIuWY=
 github.com/vmihailenco/tagparser v0.1.1/go.mod h1:OeAg3pn3UbLjkWt+rN9oFYB6u/cQgqMEUPoW2WPyhdI=
+github.com/vmihailenco/tagparser/v2 v2.0.0 h1:y09buUbR+b5aycVFQs/g70pqKVZNBmxwAhO7/IwNM9g=
+github.com/vmihailenco/tagparser/v2 v2.0.0/go.mod h1:Wri+At7QHww0WTrCBeu4J6bNtoV6mEfg5OIWRZA9qds=
 github.com/weppos/publicsuffix-go v0.15.1-0.20210807195340-dc689ff0bb59/go.mod h1:HYux0V0Zi04bHNwOHy4cXJVz/TQjYonnF6aoYhj+3QE=
 github.com/weppos/publicsuffix-go v0.15.1-0.20220329081811-9a40b608a236/go.mod h1:HYux0V0Zi04bHNwOHy4cXJVz/TQjYonnF6aoYhj+3QE=
+github.com/weppos/publicsuffix-go v0.15.1-0.20220413065649-906f534b73a4/go.mod h1:HYux0V0Zi04bHNwOHy4cXJVz/TQjYonnF6aoYhj+3QE=
 github.com/willf/bitset v1.1.11-0.20200630133818-d5bec3311243/go.mod h1:RjeCKbqT1RxIR/KWY6phxZiaY1IyutSBfGjNPySAYV4=
 github.com/willf/bitset v1.1.11/go.mod h1:83CECat5yLh5zVOf4P1ErAgKA5UDvKtgyUABdr3+MjI=
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
@@ -1629,9 +1757,12 @@ github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:
 github.com/yeya24/promlinter v0.1.0/go.mod h1:rs5vtZzeBHqqMwXqFScncpCF6u06lezhZepno9AB1Oc=
 github.com/ysmood/goob v0.4.0/go.mod h1:u6yx7ZhS4Exf2MwciFr6nIM8knHQIE22lFpWHnfql18=
 github.com/ysmood/got v0.31.2/go.mod h1:pE1l4LOwOBhQg6A/8IAatkGp7uZjnalzrZolnlhhMgY=
+github.com/ysmood/got v0.31.3/go.mod h1:pE1l4LOwOBhQg6A/8IAatkGp7uZjnalzrZolnlhhMgY=
 github.com/ysmood/gotrace v0.6.0/go.mod h1:TzhIG7nHDry5//eYZDYcTzuJLYQIkykJzCRIo4/dzQM=
 github.com/ysmood/gson v0.7.1/go.mod h1:3Kzs5zDl21g5F/BlLTNcuAGAYLKt2lV5G8D1zF3RNmg=
+github.com/ysmood/gson v0.7.2/go.mod h1:3Kzs5zDl21g5F/BlLTNcuAGAYLKt2lV5G8D1zF3RNmg=
 github.com/ysmood/leakless v0.7.0/go.mod h1:R8iAXPRaG97QJwqxs74RdwzcRHT1SWCGTNqY8q0JvMQ=
+github.com/ysmood/leakless v0.8.0/go.mod h1:R8iAXPRaG97QJwqxs74RdwzcRHT1SWCGTNqY8q0JvMQ=
 github.com/yudai/gojsondiff v1.0.0/go.mod h1:AY32+k2cwILAkW1fbgxQ5mUmMiZFgLIV+FBNExI05xg=
 github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82/go.mod h1:lgjkn3NuSvDfVJdfcVVdX+jpBxNmX4rDAzaS45IcYoM=
 github.com/yudai/pp v2.0.1+incompatible/go.mod h1:PuxR/8QJ7cyCkFp/aUDS+JY727OFEZkTdatxwunjIkc=
@@ -1642,6 +1773,7 @@ github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9dec
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yuin/goldmark v1.4.1/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43/go.mod h1:aX5oPXxHm3bOH+xeAttToC8pqch2ScQN/JoXYupl6xs=
 github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50/go.mod h1:NUSPSUX/bi6SeDMUh6brw0nXpxHnc96TguQh0+r/ssA=
 github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f/go.mod h1:GlGEuHIJweS1mbCqG+7vt2nvWLzLLnRHbXz5JKd/Qbg=
@@ -1667,8 +1799,9 @@ go.etcd.io/etcd/pkg/v3 v3.5.0/go.mod h1:UzJGatBQ1lXChBkQF0AuAtkRQMYnHubxAEYIrC3M
 go.etcd.io/etcd/raft/v3 v3.5.0/go.mod h1:UFOHSIvO/nKwd4lhkwabrTD3cqW5yVyYYf/KlD00Szc=
 go.etcd.io/etcd/server/v3 v3.5.0/go.mod h1:3Ah5ruV+M+7RZr0+Y/5mNLwC+eQlni+mQmOVdCRJoS4=
 go.mozilla.org/mozlog v0.0.0-20170222151521-4bb13139d403/go.mod h1:jHoPAGnDrCy6kaI2tAze5Prf0Nr0w/oNkROt2lw3n3o=
-go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1 h1:A/5uWzF44DlIgdm/PQFwfMkW0JX+cIcQi/SwLAmZP5M=
 go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk=
+go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 h1:CCriYyAfq1Br1aIYettdHZTy8mBTIPo7We18TuO/bak=
+go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
@@ -1677,16 +1810,13 @@ go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
 go.opencensus.io v0.23.0 h1:gqCw0LfLxScz8irSi8exQc7fyQ0fKQU/qnC/X8+V/1M=
 go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
-go.opentelemetry.io/contrib v0.20.0 h1:ubFQUn0VCZ0gPwIoJfBJVpeBlyRMxu8Mm/huKWYd9p0=
 go.opentelemetry.io/contrib v0.20.0/go.mod h1:G/EtFaa6qaN7+LxqfIAT3GiZa7Wv5DTBUzl5H4LY0Kc=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.20.0/go.mod h1:oVGt1LRbBOBq1A5BQLlUg9UaU/54aiHw8cgjV3aWZ/E=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.28.0/go.mod h1:vEhqr0m4eTc+DWxfsXoXue2GBgV2uUwVznkGIHW/e5w=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.20.0/go.mod h1:2AboqHi0CiIZU0qwhtUfCYD1GeUzvvIXWNkhDt7ZMG4=
-go.opentelemetry.io/contrib/propagators v0.19.0 h1:HrixVNZYFjUl/Db+Tr3DhqzLsVW9GeVf/Gye+C5dNUY=
 go.opentelemetry.io/contrib/propagators v0.19.0/go.mod h1:4QOdZClXISU5S43xZxk5tYaWcpb+lehqfKtE6PK6msE=
 go.opentelemetry.io/otel v0.19.0/go.mod h1:j9bF567N9EfomkSidSfmMwIwIBuP37AMAIzVW85OxSg=
 go.opentelemetry.io/otel v0.20.0/go.mod h1:Y3ugLH2oa81t5QO+Lty+zXf8zC9L26ax4Nzoxm/dooo=
-go.opentelemetry.io/otel v1.3.0 h1:APxLf0eiBwLl+SOXiJJCVYzA1OOJNyAoV8C5RNRyy7Y=
 go.opentelemetry.io/otel v1.3.0/go.mod h1:PWIKzi6JCp7sM0k9yZ43VX+T345uNbAkDKwHVjb2PTs=
 go.opentelemetry.io/otel/exporters/otlp v0.20.0/go.mod h1:YIieizyaN77rtLJra0buKiNBOm9XQfkPEKBeuhoMwAM=
 go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.3.0/go.mod h1:VpP4/RMn8bv8gNo9uK7/IMY4mtWLELsS+JIP0inH0h4=
@@ -1703,13 +1833,13 @@ go.opentelemetry.io/otel/sdk/export/metric v0.20.0/go.mod h1:h7RBNMsDJ5pmI1zExLi
 go.opentelemetry.io/otel/sdk/metric v0.20.0/go.mod h1:knxiS8Xd4E/N+ZqKmUPf3gTTZ4/0TjTXukfxjzSTpHE=
 go.opentelemetry.io/otel/trace v0.19.0/go.mod h1:4IXiNextNOpPnRlI4ryK69mn5iC84bjBWZQA5DXz/qg=
 go.opentelemetry.io/otel/trace v0.20.0/go.mod h1:6GjCW8zgDjwGHGa6GkyeB8+/5vjT16gUEi0Nf1iBdgw=
-go.opentelemetry.io/otel/trace v1.3.0 h1:doy8Hzb1RJ+I3yFhtDmwNc7tIyw1tNMOIsyPzp1NOGY=
 go.opentelemetry.io/otel/trace v1.3.0/go.mod h1:c/VDhno8888bvQYmbYLqe41/Ldmr/KKunbvWM4/fEjk=
 go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
 go.opentelemetry.io/proto/otlp v0.11.0/go.mod h1:QpEjXPrNQzrFDZgoTo49dgHR9RYRSrg3NAKnUGl9YpQ=
 go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
+go.uber.org/atomic v1.6.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A=
@@ -1717,6 +1847,7 @@ go.uber.org/goleak v1.1.12/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ
 go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
 go.uber.org/multierr v1.3.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4=
 go.uber.org/multierr v1.4.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4=
+go.uber.org/multierr v1.5.0/go.mod h1:FeouvMocqHpRaaGuG9EjoKcStLC43Zu/fmqdUMPcKYU=
 go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
 go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee/go.mod h1:vJERXedbb3MVM5f9Ejo0C68/HhF8uaILCdgjnY+goOA=
 go.uber.org/zap v1.9.1/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
@@ -1745,10 +1876,12 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201124201722-c8d3bf9c5392/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
+golang.org/x/crypto v0.0.0-20201203163018-be400aefbc4c/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
+golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
@@ -1756,8 +1889,9 @@ golang.org/x/crypto v0.0.0-20211117183948-ae814b36b871/go.mod h1:IxCIyHEi3zRg3s0
 golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220131195533-30dcbda58838/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d h1:sK3txAijHtOK88l68nt020reeT1ZdKLIYetKl95FzVY=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa h1:zuSxTR4o9y82ebqCUJYNGJbGPo6sKVl54f/TVDObg1c=
+golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -1796,6 +1930,7 @@ golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.5.0/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
 golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3/go.mod h1:3p9vT2HGsQu2K1YbXdKPJLVgG5VJdoTa1poYQBtP1AY=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/net v0.0.0-20180530234432-1e491301e022/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -1860,6 +1995,7 @@ golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20210510120150-4163338589ed/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210520170846-37e1c6afe023/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20210614182718-04defd469f4e/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210825183410-e898025ed96a/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
@@ -1876,8 +2012,11 @@ golang.org/x/net v0.0.0-20220412020605-290c469a71a5/go.mod h1:CfG3xpIq0wQ8r1q4Su
 golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220524220425-1d687d428aca/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e h1:TsQ7F31D3bUCLeqPT0u+yjp1guoArKaNKmCr22PYgTQ=
+golang.org/x/net v0.0.0-20220617184016-355a448f1bc9/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.0.0-20220708220712-1185a9018129/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b h1:PxfKdU9lEEDYjdIzOtC4qFWgkU2rGHdKlKowJSMN9h0=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1901,6 +2040,7 @@ golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5/go.mod h1:DAh4E804XQdzx2j
 golang.org/x/oauth2 v0.0.0-20220524215830-622c5d57e401/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
 golang.org/x/oauth2 v0.0.0-20220608161450-d0670ef3b1eb/go.mod h1:jaDAt6Dkxork7LmZnYtzbRWj0W47D86a3TGe0YHBvmE=
 golang.org/x/oauth2 v0.0.0-20220622183110-fd043fe589d2/go.mod h1:jaDAt6Dkxork7LmZnYtzbRWj0W47D86a3TGe0YHBvmE=
+golang.org/x/oauth2 v0.0.0-20220718184931-c8730f7fcb92/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -1914,8 +2054,9 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220513210516-0976fa681c29/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f h1:Ax0t5p6N38Ga0dThY21weqDEyz2oklo4IvDkpigvkD8=
 golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 h1:uVc8UZUe6tr40fFVnUP5Oj+veunVezqYl9z7DYw9xzw=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -2041,9 +2182,11 @@ golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210915083310-ed5796bab164/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210917161153-d61c044b1678/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211013075003-97ac67df715c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211019181941-9d821ace8654/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211103235746-7861aae1554b/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211210111614-af8b64212486/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -2052,6 +2195,7 @@ golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220319134239-a9b59b0215f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220328115105-d36c6a25d886/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -2060,8 +2204,10 @@ golang.org/x/sys v0.0.0-20220502124256-b6088ccd6cba/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220624220833-87e55d714810/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220823224334-20c2bfdbfe24 h1:TyKJRhyo17yWxOMCTHKWrc5rddHORMlnZ/j57umaUd8=
 golang.org/x/sys v0.0.0-20220823224334-20c2bfdbfe24/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -2091,8 +2237,9 @@ golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e/go.mod h1:tRJNPiyCQ0inRvYxb
 golang.org/x/time v0.0.0-20201208040808-7e3f01d25324/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11 h1:GZokNIeuVkl3aZHJchRrr13WCsols02MLUcz1U9is6M=
 golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9 h1:ftMN5LMiBFjbzleLqtoBZk7KdJwhuybIU+FckUHgoyQ=
+golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180525024113-a5b4c53f6e8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -2139,6 +2286,7 @@ golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.0.0-20191216052735-49a3e744a425/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200103221440-774c71fcf114/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200117220505-0cba7a3a9ee9/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
@@ -2207,8 +2355,10 @@ golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.6-0.20210726203631-07bc1bf47fb2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.6/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo=
 golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo=
-golang.org/x/tools v0.1.10 h1:QjFRCZxdOhBJ/UNgnBZLbNV13DlbnK0quyivTnXJM20=
 golang.org/x/tools v0.1.10/go.mod h1:Uh6Zz+xoGYZom868N8YTex3t7RhtHDBrE8Gzo9bV56E=
+golang.org/x/tools v0.1.11/go.mod h1:SgwaegtQh8clINPpECJMqnxLv9I09HLqnW3RMqW0CA4=
+golang.org/x/tools v0.1.12 h1:VveCTK38A2rkS8ZqFY25HIDFscX5X9OoEhJd3quQmXU=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20190513163551-3ee3066db522/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -2260,7 +2410,9 @@ google.golang.org/api v0.75.0/go.mod h1:pU9QmyHLnzlpar1Mjt4IbapUCy8J+6HD6GeELN69
 google.golang.org/api v0.78.0/go.mod h1:1Sg78yoMLOhlQTeF+ARBoytAcH1NNyyl390YMy6rKmw=
 google.golang.org/api v0.80.0/go.mod h1:xY3nI94gbvBrE0J6NHXhxOmW97HG7Khjkku6AFB3Hyg=
 google.golang.org/api v0.84.0/go.mod h1:NTsGnUFJMYROtiquksZHBWtHfeMC7iYthki7Eq3pa8o=
+google.golang.org/api v0.85.0/go.mod h1:AqZf8Ep9uZ2pyTvgL+x0D3Zt0eoT9b5E8fmzfu6FO2g=
 google.golang.org/api v0.86.0/go.mod h1:+Sem1dnrKlrXMR/X0bPnMWyluQe4RsNoYfmNLhOIkzw=
+google.golang.org/api v0.92.0/go.mod h1:+Sem1dnrKlrXMR/X0bPnMWyluQe4RsNoYfmNLhOIkzw=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
@@ -2268,7 +2420,6 @@ google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww
 google.golang.org/appengine v1.6.2/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
 google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
-google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
 google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/cloud v0.0.0-20151119220103-975617b05ea8/go.mod h1:0H1ncTHf11KCFhTc/+EFRbzSCOZx+VUbRMk55Yv5MYk=
 google.golang.org/genproto v0.0.0-20170818010345-ee236bd376b0/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
@@ -2360,8 +2511,11 @@ google.golang.org/genproto v0.0.0-20220518221133-4f43b3371335/go.mod h1:RAyBrSAP
 google.golang.org/genproto v0.0.0-20220523171625-347a074981d8/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4=
 google.golang.org/genproto v0.0.0-20220608133413-ed9918b62aac/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
 google.golang.org/genproto v0.0.0-20220616135557-88e70c0c3a90/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
-google.golang.org/genproto v0.0.0-20220624142145-8cd45d7dbd1f h1:hJ/Y5SqPXbarffmAsApliUlcvMU+wScNGfyop4bZm8o=
+google.golang.org/genproto v0.0.0-20220617124728-180714bec0ad/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
 google.golang.org/genproto v0.0.0-20220624142145-8cd45d7dbd1f/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
+google.golang.org/genproto v0.0.0-20220628213854-d9e0b6570c03/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
+google.golang.org/genproto v0.0.0-20220720214146-176da50484ac h1:EOa+Yrhx1C0O+4pHeXeWrCwdI0tWI6IfUU56Vebs9wQ=
+google.golang.org/genproto v0.0.0-20220720214146-176da50484ac/go.mod h1:GkXuJDJ6aQ7lnJcRF+SJVgFdQhypqgl3LB1C9vabdRE=
 google.golang.org/grpc v0.0.0-20160317175043-d3ddb4469d5a/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
 google.golang.org/grpc v1.8.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
@@ -2401,8 +2555,9 @@ google.golang.org/grpc v1.44.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ5
 google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11+0rQ=
 google.golang.org/grpc v1.46.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
 google.golang.org/grpc v1.46.2/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
-google.golang.org/grpc v1.47.0 h1:9n77onPX5F3qfFCqjy9dhn8PbNQsIKeVU04J9G7umt8=
 google.golang.org/grpc v1.47.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
+google.golang.org/grpc v1.48.0 h1:rQOsyJ/8+ufEDJd/Gdsz7HG220Mh9HAhFHRGnIjda0w=
+google.golang.org/grpc v1.48.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=

vendor/github.com/beorn7/perks/LICENSE

@@ -1,20 +0,0 @@
-Copyright (C) 2013 Blake Mizerany
-
-Permission is hereby granted, free of charge, to any person obtaining
-a copy of this software and associated documentation files (the
-"Software"), to deal in the Software without restriction, including
-without limitation the rights to use, copy, modify, merge, publish,
-distribute, sublicense, and/or sell copies of the Software, and to
-permit persons to whom the Software is furnished to do so, subject to
-the following conditions:
-
-The above copyright notice and this permission notice shall be
-included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
-LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
-OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

vendor/github.com/beorn7/perks/quantile/stream.go

@@ -1,316 +0,0 @@
-// Package quantile computes approximate quantiles over an unbounded data
-// stream within low memory and CPU bounds.
-//
-// A small amount of accuracy is traded to achieve the above properties.
-//
-// Multiple streams can be merged before calling Query to generate a single set
-// of results. This is meaningful when the streams represent the same type of
-// data. See Merge and Samples.
-//
-// For more detailed information about the algorithm used, see:
-//
-// Effective Computation of Biased Quantiles over Data Streams
-//
-// http://www.cs.rutgers.edu/~muthu/bquant.pdf
-package quantile
-
-import (
-	"math"
-	"sort"
-)
-
-// Sample holds an observed value and meta information for compression. JSON
-// tags have been added for convenience.
-type Sample struct {
-	Value float64 `json:",string"`
-	Width float64 `json:",string"`
-	Delta float64 `json:",string"`
-}
-
-// Samples represents a slice of samples. It implements sort.Interface.
-type Samples []Sample
-
-func (a Samples) Len() int           { return len(a) }
-func (a Samples) Less(i, j int) bool { return a[i].Value < a[j].Value }
-func (a Samples) Swap(i, j int)      { a[i], a[j] = a[j], a[i] }
-
-type invariant func(s *stream, r float64) float64
-
-// NewLowBiased returns an initialized Stream for low-biased quantiles
-// (e.g. 0.01, 0.1, 0.5) where the needed quantiles are not known a priori, but
-// error guarantees can still be given even for the lower ranks of the data
-// distribution.
-//
-// The provided epsilon is a relative error, i.e. the true quantile of a value
-// returned by a query is guaranteed to be within (1±Epsilon)*Quantile.
-//
-// See http://www.cs.rutgers.edu/~muthu/bquant.pdf for time, space, and error
-// properties.
-func NewLowBiased(epsilon float64) *Stream {
-	ƒ := func(s *stream, r float64) float64 {
-		return 2 * epsilon * r
-	}
-	return newStream(ƒ)
-}
-
-// NewHighBiased returns an initialized Stream for high-biased quantiles
-// (e.g. 0.01, 0.1, 0.5) where the needed quantiles are not known a priori, but
-// error guarantees can still be given even for the higher ranks of the data
-// distribution.
-//
-// The provided epsilon is a relative error, i.e. the true quantile of a value
-// returned by a query is guaranteed to be within 1-(1±Epsilon)*(1-Quantile).
-//
-// See http://www.cs.rutgers.edu/~muthu/bquant.pdf for time, space, and error
-// properties.
-func NewHighBiased(epsilon float64) *Stream {
-	ƒ := func(s *stream, r float64) float64 {
-		return 2 * epsilon * (s.n - r)
-	}
-	return newStream(ƒ)
-}
-
-// NewTargeted returns an initialized Stream concerned with a particular set of
-// quantile values that are supplied a priori. Knowing these a priori reduces
-// space and computation time. The targets map maps the desired quantiles to
-// their absolute errors, i.e. the true quantile of a value returned by a query
-// is guaranteed to be within (Quantile±Epsilon).
-//
-// See http://www.cs.rutgers.edu/~muthu/bquant.pdf for time, space, and error properties.
-func NewTargeted(targetMap map[float64]float64) *Stream {
-	// Convert map to slice to avoid slow iterations on a map.
-	// ƒ is called on the hot path, so converting the map to a slice
-	// beforehand results in significant CPU savings.
-	targets := targetMapToSlice(targetMap)
-
-	ƒ := func(s *stream, r float64) float64 {
-		var m = math.MaxFloat64
-		var f float64
-		for _, t := range targets {
-			if t.quantile*s.n <= r {
-				f = (2 * t.epsilon * r) / t.quantile
-			} else {
-				f = (2 * t.epsilon * (s.n - r)) / (1 - t.quantile)
-			}
-			if f < m {
-				m = f
-			}
-		}
-		return m
-	}
-	return newStream(ƒ)
-}
-
-type target struct {
-	quantile float64
-	epsilon  float64
-}
-
-func targetMapToSlice(targetMap map[float64]float64) []target {
-	targets := make([]target, 0, len(targetMap))
-
-	for quantile, epsilon := range targetMap {
-		t := target{
-			quantile: quantile,
-			epsilon:  epsilon,
-		}
-		targets = append(targets, t)
-	}
-
-	return targets
-}
-
-// Stream computes quantiles for a stream of float64s. It is not thread-safe by
-// design. Take care when using across multiple goroutines.
-type Stream struct {
-	*stream
-	b      Samples
-	sorted bool
-}
-
-func newStream(ƒ invariant) *Stream {
-	x := &stream{ƒ: ƒ}
-	return &Stream{x, make(Samples, 0, 500), true}
-}
-
-// Insert inserts v into the stream.
-func (s *Stream) Insert(v float64) {
-	s.insert(Sample{Value: v, Width: 1})
-}
-
-func (s *Stream) insert(sample Sample) {
-	s.b = append(s.b, sample)
-	s.sorted = false
-	if len(s.b) == cap(s.b) {
-		s.flush()
-	}
-}
-
-// Query returns the computed qth percentiles value. If s was created with
-// NewTargeted, and q is not in the set of quantiles provided a priori, Query
-// will return an unspecified result.
-func (s *Stream) Query(q float64) float64 {
-	if !s.flushed() {
-		// Fast path when there hasn't been enough data for a flush;
-		// this also yields better accuracy for small sets of data.
-		l := len(s.b)
-		if l == 0 {
-			return 0
-		}
-		i := int(math.Ceil(float64(l) * q))
-		if i > 0 {
-			i -= 1
-		}
-		s.maybeSort()
-		return s.b[i].Value
-	}
-	s.flush()
-	return s.stream.query(q)
-}
-
-// Merge merges samples into the underlying streams samples. This is handy when
-// merging multiple streams from separate threads, database shards, etc.
-//
-// ATTENTION: This method is broken and does not yield correct results. The
-// underlying algorithm is not capable of merging streams correctly.
-func (s *Stream) Merge(samples Samples) {
-	sort.Sort(samples)
-	s.stream.merge(samples)
-}
-
-// Reset reinitializes and clears the list reusing the samples buffer memory.
-func (s *Stream) Reset() {
-	s.stream.reset()
-	s.b = s.b[:0]
-}
-
-// Samples returns stream samples held by s.
-func (s *Stream) Samples() Samples {
-	if !s.flushed() {
-		return s.b
-	}
-	s.flush()
-	return s.stream.samples()
-}
-
-// Count returns the total number of samples observed in the stream
-// since initialization.
-func (s *Stream) Count() int {
-	return len(s.b) + s.stream.count()
-}
-
-func (s *Stream) flush() {
-	s.maybeSort()
-	s.stream.merge(s.b)
-	s.b = s.b[:0]
-}
-
-func (s *Stream) maybeSort() {
-	if !s.sorted {
-		s.sorted = true
-		sort.Sort(s.b)
-	}
-}
-
-func (s *Stream) flushed() bool {
-	return len(s.stream.l) > 0
-}
-
-type stream struct {
-	n float64
-	l []Sample
-	ƒ invariant
-}
-
-func (s *stream) reset() {
-	s.l = s.l[:0]
-	s.n = 0
-}
-
-func (s *stream) insert(v float64) {
-	s.merge(Samples{{v, 1, 0}})
-}
-
-func (s *stream) merge(samples Samples) {
-	// TODO(beorn7): This tries to merge not only individual samples, but
-	// whole summaries. The paper doesn't mention merging summaries at
-	// all. Unittests show that the merging is inaccurate. Find out how to
-	// do merges properly.
-	var r float64
-	i := 0
-	for _, sample := range samples {
-		for ; i < len(s.l); i++ {
-			c := s.l[i]
-			if c.Value > sample.Value {
-				// Insert at position i.
-				s.l = append(s.l, Sample{})
-				copy(s.l[i+1:], s.l[i:])
-				s.l[i] = Sample{
-					sample.Value,
-					sample.Width,
-					math.Max(sample.Delta, math.Floor(s.ƒ(s, r))-1),
-					// TODO(beorn7): How to calculate delta correctly?
-				}
-				i++
-				goto inserted
-			}
-			r += c.Width
-		}
-		s.l = append(s.l, Sample{sample.Value, sample.Width, 0})
-		i++
-	inserted:
-		s.n += sample.Width
-		r += sample.Width
-	}
-	s.compress()
-}
-
-func (s *stream) count() int {
-	return int(s.n)
-}
-
-func (s *stream) query(q float64) float64 {
-	t := math.Ceil(q * s.n)
-	t += math.Ceil(s.ƒ(s, t) / 2)
-	p := s.l[0]
-	var r float64
-	for _, c := range s.l[1:] {
-		r += p.Width
-		if r+c.Width+c.Delta > t {
-			return p.Value
-		}
-		p = c
-	}
-	return p.Value
-}
-
-func (s *stream) compress() {
-	if len(s.l) < 2 {
-		return
-	}
-	x := s.l[len(s.l)-1]
-	xi := len(s.l) - 1
-	r := s.n - 1 - x.Width
-
-	for i := len(s.l) - 2; i >= 0; i-- {
-		c := s.l[i]
-		if c.Width+x.Width+x.Delta <= s.ƒ(s, r) {
-			x.Width += c.Width
-			s.l[xi] = x
-			// Remove element at i.
-			copy(s.l[i:], s.l[i+1:])
-			s.l = s.l[:len(s.l)-1]
-			xi -= 1
-		} else {
-			x = c
-			xi = i
-		}
-		r -= c.Width
-	}
-}
-
-func (s *stream) samples() Samples {
-	samples := make(Samples, len(s.l))
-	copy(samples, s.l)
-	return samples
-}

vendor/github.com/cespare/xxhash/v2/LICENSE.txt

@@ -1,22 +0,0 @@
-Copyright (c) 2016 Caleb Spare
-
-MIT License
-
-Permission is hereby granted, free of charge, to any person obtaining
-a copy of this software and associated documentation files (the
-"Software"), to deal in the Software without restriction, including
-without limitation the rights to use, copy, modify, merge, publish,
-distribute, sublicense, and/or sell copies of the Software, and to
-permit persons to whom the Software is furnished to do so, subject to
-the following conditions:
-
-The above copyright notice and this permission notice shall be
-included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
-LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
-OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

vendor/github.com/cespare/xxhash/v2/README.md

@@ -1,69 +0,0 @@
-# xxhash
-
-[![Go Reference](https://pkg.go.dev/badge/github.com/cespare/xxhash/v2.svg)](https://pkg.go.dev/github.com/cespare/xxhash/v2)
-[![Test](https://github.com/cespare/xxhash/actions/workflows/test.yml/badge.svg)](https://github.com/cespare/xxhash/actions/workflows/test.yml)
-
-xxhash is a Go implementation of the 64-bit
-[xxHash](http://cyan4973.github.io/xxHash/) algorithm, XXH64. This is a
-high-quality hashing algorithm that is much faster than anything in the Go
-standard library.
-
-This package provides a straightforward API:
-
-```
-func Sum64(b []byte) uint64
-func Sum64String(s string) uint64
-type Digest struct{ ... }
-    func New() *Digest
-```
-
-The `Digest` type implements hash.Hash64. Its key methods are:
-
-```
-func (*Digest) Write([]byte) (int, error)
-func (*Digest) WriteString(string) (int, error)
-func (*Digest) Sum64() uint64
-```
-
-This implementation provides a fast pure-Go implementation and an even faster
-assembly implementation for amd64.
-
-## Compatibility
-
-This package is in a module and the latest code is in version 2 of the module.
-You need a version of Go with at least "minimal module compatibility" to use
-github.com/cespare/xxhash/v2:
-
-* 1.9.7+ for Go 1.9
-* 1.10.3+ for Go 1.10
-* Go 1.11 or later
-
-I recommend using the latest release of Go.
-
-## Benchmarks
-
-Here are some quick benchmarks comparing the pure-Go and assembly
-implementations of Sum64.
-
-| input size | purego | asm |
-| --- | --- | --- |
-| 5 B   |  979.66 MB/s |  1291.17 MB/s  |
-| 100 B | 7475.26 MB/s | 7973.40 MB/s  |
-| 4 KB  | 17573.46 MB/s | 17602.65 MB/s |
-| 10 MB | 17131.46 MB/s | 17142.16 MB/s |
-
-These numbers were generated on Ubuntu 18.04 with an Intel i7-8700K CPU using
-the following commands under Go 1.11.2:
-
-```
-$ go test -tags purego -benchtime 10s -bench '/xxhash,direct,bytes'
-$ go test -benchtime 10s -bench '/xxhash,direct,bytes'
-```
-
-## Projects using this package
-
-- [InfluxDB](https://github.com/influxdata/influxdb)
-- [Prometheus](https://github.com/prometheus/prometheus)
-- [VictoriaMetrics](https://github.com/VictoriaMetrics/VictoriaMetrics)
-- [FreeCache](https://github.com/coocood/freecache)
-- [FastCache](https://github.com/VictoriaMetrics/fastcache)

vendor/github.com/cespare/xxhash/v2/go.mod

@@ -1,3 +0,0 @@
-module github.com/cespare/xxhash/v2
-
-go 1.11

vendor/github.com/cespare/xxhash/v2/xxhash.go

@@ -1,235 +0,0 @@
-// Package xxhash implements the 64-bit variant of xxHash (XXH64) as described
-// at http://cyan4973.github.io/xxHash/.
-package xxhash
-
-import (
-	"encoding/binary"
-	"errors"
-	"math/bits"
-)
-
-const (
-	prime1 uint64 = 11400714785074694791
-	prime2 uint64 = 14029467366897019727
-	prime3 uint64 = 1609587929392839161
-	prime4 uint64 = 9650029242287828579
-	prime5 uint64 = 2870177450012600261
-)
-
-// NOTE(caleb): I'm using both consts and vars of the primes. Using consts where
-// possible in the Go code is worth a small (but measurable) performance boost
-// by avoiding some MOVQs. Vars are needed for the asm and also are useful for
-// convenience in the Go code in a few places where we need to intentionally
-// avoid constant arithmetic (e.g., v1 := prime1 + prime2 fails because the
-// result overflows a uint64).
-var (
-	prime1v = prime1
-	prime2v = prime2
-	prime3v = prime3
-	prime4v = prime4
-	prime5v = prime5
-)
-
-// Digest implements hash.Hash64.
-type Digest struct {
-	v1    uint64
-	v2    uint64
-	v3    uint64
-	v4    uint64
-	total uint64
-	mem   [32]byte
-	n     int // how much of mem is used
-}
-
-// New creates a new Digest that computes the 64-bit xxHash algorithm.
-func New() *Digest {
-	var d Digest
-	d.Reset()
-	return &d
-}
-
-// Reset clears the Digest's state so that it can be reused.
-func (d *Digest) Reset() {
-	d.v1 = prime1v + prime2
-	d.v2 = prime2
-	d.v3 = 0
-	d.v4 = -prime1v
-	d.total = 0
-	d.n = 0
-}
-
-// Size always returns 8 bytes.
-func (d *Digest) Size() int { return 8 }
-
-// BlockSize always returns 32 bytes.
-func (d *Digest) BlockSize() int { return 32 }
-
-// Write adds more data to d. It always returns len(b), nil.
-func (d *Digest) Write(b []byte) (n int, err error) {
-	n = len(b)
-	d.total += uint64(n)
-
-	if d.n+n < 32 {
-		// This new data doesn't even fill the current block.
-		copy(d.mem[d.n:], b)
-		d.n += n
-		return
-	}
-
-	if d.n > 0 {
-		// Finish off the partial block.
-		copy(d.mem[d.n:], b)
-		d.v1 = round(d.v1, u64(d.mem[0:8]))
-		d.v2 = round(d.v2, u64(d.mem[8:16]))
-		d.v3 = round(d.v3, u64(d.mem[16:24]))
-		d.v4 = round(d.v4, u64(d.mem[24:32]))
-		b = b[32-d.n:]
-		d.n = 0
-	}
-
-	if len(b) >= 32 {
-		// One or more full blocks left.
-		nw := writeBlocks(d, b)
-		b = b[nw:]
-	}
-
-	// Store any remaining partial block.
-	copy(d.mem[:], b)
-	d.n = len(b)
-
-	return
-}
-
-// Sum appends the current hash to b and returns the resulting slice.
-func (d *Digest) Sum(b []byte) []byte {
-	s := d.Sum64()
-	return append(
-		b,
-		byte(s>>56),
-		byte(s>>48),
-		byte(s>>40),
-		byte(s>>32),
-		byte(s>>24),
-		byte(s>>16),
-		byte(s>>8),
-		byte(s),
-	)
-}
-
-// Sum64 returns the current hash.
-func (d *Digest) Sum64() uint64 {
-	var h uint64
-
-	if d.total >= 32 {
-		v1, v2, v3, v4 := d.v1, d.v2, d.v3, d.v4
-		h = rol1(v1) + rol7(v2) + rol12(v3) + rol18(v4)
-		h = mergeRound(h, v1)
-		h = mergeRound(h, v2)
-		h = mergeRound(h, v3)
-		h = mergeRound(h, v4)
-	} else {
-		h = d.v3 + prime5
-	}
-
-	h += d.total
-
-	i, end := 0, d.n
-	for ; i+8 <= end; i += 8 {
-		k1 := round(0, u64(d.mem[i:i+8]))
-		h ^= k1
-		h = rol27(h)*prime1 + prime4
-	}
-	if i+4 <= end {
-		h ^= uint64(u32(d.mem[i:i+4])) * prime1
-		h = rol23(h)*prime2 + prime3
-		i += 4
-	}
-	for i < end {
-		h ^= uint64(d.mem[i]) * prime5
-		h = rol11(h) * prime1
-		i++
-	}
-
-	h ^= h >> 33
-	h *= prime2
-	h ^= h >> 29
-	h *= prime3
-	h ^= h >> 32
-
-	return h
-}
-
-const (
-	magic         = "xxh\x06"
-	marshaledSize = len(magic) + 8*5 + 32
-)
-
-// MarshalBinary implements the encoding.BinaryMarshaler interface.
-func (d *Digest) MarshalBinary() ([]byte, error) {
-	b := make([]byte, 0, marshaledSize)
-	b = append(b, magic...)
-	b = appendUint64(b, d.v1)
-	b = appendUint64(b, d.v2)
-	b = appendUint64(b, d.v3)
-	b = appendUint64(b, d.v4)
-	b = appendUint64(b, d.total)
-	b = append(b, d.mem[:d.n]...)
-	b = b[:len(b)+len(d.mem)-d.n]
-	return b, nil
-}
-
-// UnmarshalBinary implements the encoding.BinaryUnmarshaler interface.
-func (d *Digest) UnmarshalBinary(b []byte) error {
-	if len(b) < len(magic) || string(b[:len(magic)]) != magic {
-		return errors.New("xxhash: invalid hash state identifier")
-	}
-	if len(b) != marshaledSize {
-		return errors.New("xxhash: invalid hash state size")
-	}
-	b = b[len(magic):]
-	b, d.v1 = consumeUint64(b)
-	b, d.v2 = consumeUint64(b)
-	b, d.v3 = consumeUint64(b)
-	b, d.v4 = consumeUint64(b)
-	b, d.total = consumeUint64(b)
-	copy(d.mem[:], b)
-	d.n = int(d.total % uint64(len(d.mem)))
-	return nil
-}
-
-func appendUint64(b []byte, x uint64) []byte {
-	var a [8]byte
-	binary.LittleEndian.PutUint64(a[:], x)
-	return append(b, a[:]...)
-}
-
-func consumeUint64(b []byte) ([]byte, uint64) {
-	x := u64(b)
-	return b[8:], x
-}
-
-func u64(b []byte) uint64 { return binary.LittleEndian.Uint64(b) }
-func u32(b []byte) uint32 { return binary.LittleEndian.Uint32(b) }
-
-func round(acc, input uint64) uint64 {
-	acc += input * prime2
-	acc = rol31(acc)
-	acc *= prime1
-	return acc
-}
-
-func mergeRound(acc, val uint64) uint64 {
-	val = round(0, val)
-	acc ^= val
-	acc = acc*prime1 + prime4
-	return acc
-}
-
-func rol1(x uint64) uint64  { return bits.RotateLeft64(x, 1) }
-func rol7(x uint64) uint64  { return bits.RotateLeft64(x, 7) }
-func rol11(x uint64) uint64 { return bits.RotateLeft64(x, 11) }
-func rol12(x uint64) uint64 { return bits.RotateLeft64(x, 12) }
-func rol18(x uint64) uint64 { return bits.RotateLeft64(x, 18) }
-func rol23(x uint64) uint64 { return bits.RotateLeft64(x, 23) }
-func rol27(x uint64) uint64 { return bits.RotateLeft64(x, 27) }
-func rol31(x uint64) uint64 { return bits.RotateLeft64(x, 31) }

vendor/github.com/cespare/xxhash/v2/xxhash_amd64.go

@@ -1,13 +0,0 @@
-// +build !appengine
-// +build gc
-// +build !purego
-
-package xxhash
-
-// Sum64 computes the 64-bit xxHash digest of b.
-//
-//go:noescape
-func Sum64(b []byte) uint64
-
-//go:noescape
-func writeBlocks(d *Digest, b []byte) int

vendor/github.com/cespare/xxhash/v2/xxhash_amd64.s

@@ -1,215 +0,0 @@
-// +build !appengine
-// +build gc
-// +build !purego
-
-#include "textflag.h"
-
-// Register allocation:
-// AX	h
-// SI	pointer to advance through b
-// DX	n
-// BX	loop end
-// R8	v1, k1
-// R9	v2
-// R10	v3
-// R11	v4
-// R12	tmp
-// R13	prime1v
-// R14	prime2v
-// DI	prime4v
-
-// round reads from and advances the buffer pointer in SI.
-// It assumes that R13 has prime1v and R14 has prime2v.
-#define round(r) \
-	MOVQ  (SI), R12 \
-	ADDQ  $8, SI    \
-	IMULQ R14, R12  \
-	ADDQ  R12, r    \
-	ROLQ  $31, r    \
-	IMULQ R13, r
-
-// mergeRound applies a merge round on the two registers acc and val.
-// It assumes that R13 has prime1v, R14 has prime2v, and DI has prime4v.
-#define mergeRound(acc, val) \
-	IMULQ R14, val \
-	ROLQ  $31, val \
-	IMULQ R13, val \
-	XORQ  val, acc \
-	IMULQ R13, acc \
-	ADDQ  DI, acc
-
-// func Sum64(b []byte) uint64
-TEXT ·Sum64(SB), NOSPLIT, $0-32
-	// Load fixed primes.
-	MOVQ ·prime1v(SB), R13
-	MOVQ ·prime2v(SB), R14
-	MOVQ ·prime4v(SB), DI
-
-	// Load slice.
-	MOVQ b_base+0(FP), SI
-	MOVQ b_len+8(FP), DX
-	LEAQ (SI)(DX*1), BX
-
-	// The first loop limit will be len(b)-32.
-	SUBQ $32, BX
-
-	// Check whether we have at least one block.
-	CMPQ DX, $32
-	JLT  noBlocks
-
-	// Set up initial state (v1, v2, v3, v4).
-	MOVQ R13, R8
-	ADDQ R14, R8
-	MOVQ R14, R9
-	XORQ R10, R10
-	XORQ R11, R11
-	SUBQ R13, R11
-
-	// Loop until SI > BX.
-blockLoop:
-	round(R8)
-	round(R9)
-	round(R10)
-	round(R11)
-
-	CMPQ SI, BX
-	JLE  blockLoop
-
-	MOVQ R8, AX
-	ROLQ $1, AX
-	MOVQ R9, R12
-	ROLQ $7, R12
-	ADDQ R12, AX
-	MOVQ R10, R12
-	ROLQ $12, R12
-	ADDQ R12, AX
-	MOVQ R11, R12
-	ROLQ $18, R12
-	ADDQ R12, AX
-
-	mergeRound(AX, R8)
-	mergeRound(AX, R9)
-	mergeRound(AX, R10)
-	mergeRound(AX, R11)
-
-	JMP afterBlocks
-
-noBlocks:
-	MOVQ ·prime5v(SB), AX
-
-afterBlocks:
-	ADDQ DX, AX
-
-	// Right now BX has len(b)-32, and we want to loop until SI > len(b)-8.
-	ADDQ $24, BX
-
-	CMPQ SI, BX
-	JG   fourByte
-
-wordLoop:
-	// Calculate k1.
-	MOVQ  (SI), R8
-	ADDQ  $8, SI
-	IMULQ R14, R8
-	ROLQ  $31, R8
-	IMULQ R13, R8
-
-	XORQ  R8, AX
-	ROLQ  $27, AX
-	IMULQ R13, AX
-	ADDQ  DI, AX
-
-	CMPQ SI, BX
-	JLE  wordLoop
-
-fourByte:
-	ADDQ $4, BX
-	CMPQ SI, BX
-	JG   singles
-
-	MOVL  (SI), R8
-	ADDQ  $4, SI
-	IMULQ R13, R8
-	XORQ  R8, AX
-
-	ROLQ  $23, AX
-	IMULQ R14, AX
-	ADDQ  ·prime3v(SB), AX
-
-singles:
-	ADDQ $4, BX
-	CMPQ SI, BX
-	JGE  finalize
-
-singlesLoop:
-	MOVBQZX (SI), R12
-	ADDQ    $1, SI
-	IMULQ   ·prime5v(SB), R12
-	XORQ    R12, AX
-
-	ROLQ  $11, AX
-	IMULQ R13, AX
-
-	CMPQ SI, BX
-	JL   singlesLoop
-
-finalize:
-	MOVQ  AX, R12
-	SHRQ  $33, R12
-	XORQ  R12, AX
-	IMULQ R14, AX
-	MOVQ  AX, R12
-	SHRQ  $29, R12
-	XORQ  R12, AX
-	IMULQ ·prime3v(SB), AX
-	MOVQ  AX, R12
-	SHRQ  $32, R12
-	XORQ  R12, AX
-
-	MOVQ AX, ret+24(FP)
-	RET
-
-// writeBlocks uses the same registers as above except that it uses AX to store
-// the d pointer.
-
-// func writeBlocks(d *Digest, b []byte) int
-TEXT ·writeBlocks(SB), NOSPLIT, $0-40
-	// Load fixed primes needed for round.
-	MOVQ ·prime1v(SB), R13
-	MOVQ ·prime2v(SB), R14
-
-	// Load slice.
-	MOVQ b_base+8(FP), SI
-	MOVQ b_len+16(FP), DX
-	LEAQ (SI)(DX*1), BX
-	SUBQ $32, BX
-
-	// Load vN from d.
-	MOVQ d+0(FP), AX
-	MOVQ 0(AX), R8   // v1
-	MOVQ 8(AX), R9   // v2
-	MOVQ 16(AX), R10 // v3
-	MOVQ 24(AX), R11 // v4
-
-	// We don't need to check the loop condition here; this function is
-	// always called with at least one block of data to process.
-blockLoop:
-	round(R8)
-	round(R9)
-	round(R10)
-	round(R11)
-
-	CMPQ SI, BX
-	JLE  blockLoop
-
-	// Copy vN back to d.
-	MOVQ R8, 0(AX)
-	MOVQ R9, 8(AX)
-	MOVQ R10, 16(AX)
-	MOVQ R11, 24(AX)
-
-	// The number of bytes written is SI minus the old base pointer.
-	SUBQ b_base+8(FP), SI
-	MOVQ SI, ret+32(FP)
-
-	RET

vendor/github.com/cespare/xxhash/v2/xxhash_other.go

@@ -1,76 +0,0 @@
-// +build !amd64 appengine !gc purego
-
-package xxhash
-
-// Sum64 computes the 64-bit xxHash digest of b.
-func Sum64(b []byte) uint64 {
-	// A simpler version would be
-	//   d := New()
-	//   d.Write(b)
-	//   return d.Sum64()
-	// but this is faster, particularly for small inputs.
-
-	n := len(b)
-	var h uint64
-
-	if n >= 32 {
-		v1 := prime1v + prime2
-		v2 := prime2
-		v3 := uint64(0)
-		v4 := -prime1v
-		for len(b) >= 32 {
-			v1 = round(v1, u64(b[0:8:len(b)]))
-			v2 = round(v2, u64(b[8:16:len(b)]))
-			v3 = round(v3, u64(b[16:24:len(b)]))
-			v4 = round(v4, u64(b[24:32:len(b)]))
-			b = b[32:len(b):len(b)]
-		}
-		h = rol1(v1) + rol7(v2) + rol12(v3) + rol18(v4)
-		h = mergeRound(h, v1)
-		h = mergeRound(h, v2)
-		h = mergeRound(h, v3)
-		h = mergeRound(h, v4)
-	} else {
-		h = prime5
-	}
-
-	h += uint64(n)
-
-	i, end := 0, len(b)
-	for ; i+8 <= end; i += 8 {
-		k1 := round(0, u64(b[i:i+8:len(b)]))
-		h ^= k1
-		h = rol27(h)*prime1 + prime4
-	}
-	if i+4 <= end {
-		h ^= uint64(u32(b[i:i+4:len(b)])) * prime1
-		h = rol23(h)*prime2 + prime3
-		i += 4
-	}
-	for ; i < end; i++ {
-		h ^= uint64(b[i]) * prime5
-		h = rol11(h) * prime1
-	}
-
-	h ^= h >> 33
-	h *= prime2
-	h ^= h >> 29
-	h *= prime3
-	h ^= h >> 32
-
-	return h
-}
-
-func writeBlocks(d *Digest, b []byte) int {
-	v1, v2, v3, v4 := d.v1, d.v2, d.v3, d.v4
-	n := len(b)
-	for len(b) >= 32 {
-		v1 = round(v1, u64(b[0:8:len(b)]))
-		v2 = round(v2, u64(b[8:16:len(b)]))
-		v3 = round(v3, u64(b[16:24:len(b)]))
-		v4 = round(v4, u64(b[24:32:len(b)]))
-		b = b[32:len(b):len(b)]
-	}
-	d.v1, d.v2, d.v3, d.v4 = v1, v2, v3, v4
-	return n - len(b)
-}

vendor/github.com/cespare/xxhash/v2/xxhash_safe.go

@@ -1,15 +0,0 @@
-// +build appengine
-
-// This file contains the safe implementations of otherwise unsafe-using code.
-
-package xxhash
-
-// Sum64String computes the 64-bit xxHash digest of s.
-func Sum64String(s string) uint64 {
-	return Sum64([]byte(s))
-}
-
-// WriteString adds more data to d. It always returns len(s), nil.
-func (d *Digest) WriteString(s string) (n int, err error) {
-	return d.Write([]byte(s))
-}

vendor/github.com/cespare/xxhash/v2/xxhash_unsafe.go

@@ -1,57 +0,0 @@
-// +build !appengine
-
-// This file encapsulates usage of unsafe.
-// xxhash_safe.go contains the safe implementations.
-
-package xxhash
-
-import (
-	"unsafe"
-)
-
-// In the future it's possible that compiler optimizations will make these
-// XxxString functions unnecessary by realizing that calls such as
-// Sum64([]byte(s)) don't need to copy s. See https://golang.org/issue/2205.
-// If that happens, even if we keep these functions they can be replaced with
-// the trivial safe code.
-
-// NOTE: The usual way of doing an unsafe string-to-[]byte conversion is:
-//
-//   var b []byte
-//   bh := (*reflect.SliceHeader)(unsafe.Pointer(&b))
-//   bh.Data = (*reflect.StringHeader)(unsafe.Pointer(&s)).Data
-//   bh.Len = len(s)
-//   bh.Cap = len(s)
-//
-// Unfortunately, as of Go 1.15.3 the inliner's cost model assigns a high enough
-// weight to this sequence of expressions that any function that uses it will
-// not be inlined. Instead, the functions below use a different unsafe
-// conversion designed to minimize the inliner weight and allow both to be
-// inlined. There is also a test (TestInlining) which verifies that these are
-// inlined.
-//
-// See https://github.com/golang/go/issues/42739 for discussion.
-
-// Sum64String computes the 64-bit xxHash digest of s.
-// It may be faster than Sum64([]byte(s)) by avoiding a copy.
-func Sum64String(s string) uint64 {
-	b := *(*[]byte)(unsafe.Pointer(&sliceHeader{s, len(s)}))
-	return Sum64(b)
-}
-
-// WriteString adds more data to d. It always returns len(s), nil.
-// It may be faster than Write([]byte(s)) by avoiding a copy.
-func (d *Digest) WriteString(s string) (n int, err error) {
-	d.Write(*(*[]byte)(unsafe.Pointer(&sliceHeader{s, len(s)})))
-	// d.Write always returns len(s), nil.
-	// Ignoring the return output and returning these fixed values buys a
-	// savings of 6 in the inliner's cost model.
-	return len(s), nil
-}
-
-// sliceHeader is similar to reflect.SliceHeader, but it assumes that the layout
-// of the first two words is the same as the layout of a string.
-type sliceHeader struct {
-	s   string
-	cap int
-}

vendor/github.com/chzyer/readline/README.md

@@ -11,7 +11,7 @@
 <img src="https://raw.githubusercontent.com/chzyer/readline/assets/logo_f.png" />
 </p>
 
-A powerful readline library in `Linux` `macOS` `Windows` `Solaris`
+A powerful readline library in `Linux` `macOS` `Windows` `Solaris` `AIX`
 
 ## Guide
 

vendor/github.com/chzyer/readline/go.mod

@@ -0,0 +1,10 @@
+module github.com/chzyer/readline
+
+go 1.15
+
+require (
+	github.com/chzyer/test v1.0.0
+	golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5
+)
+
+require github.com/chzyer/logex v1.2.1

vendor/github.com/chzyer/readline/go.sum

@@ -0,0 +1,6 @@
+github.com/chzyer/logex v1.2.1 h1:XHDu3E6q+gdHgsdTPH6ImJMIp436vR6MPtH8gP05QzM=
+github.com/chzyer/logex v1.2.1/go.mod h1:JLbx6lG2kDbNRFnfkgvh4eRJRPX1QCoOIWomwysCBrQ=
+github.com/chzyer/test v1.0.0 h1:p3BQDXSxOhOG0P9z6/hGnII4LGiEPOYBhs8asl/fC04=
+github.com/chzyer/test v1.0.0/go.mod h1:2JlltgoNkt4TW/z9V/IzDdFaMTM2JPIi26O1pF38GC8=
+golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5 h1:y/woIyUBFbpQGKS0u1aHF/40WUDnek3fPOyD08H5Vng=
+golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

vendor/github.com/chzyer/readline/operation.go

@@ -109,10 +109,12 @@ func (o *Operation) ioloop() {
 		keepInSearchMode := false
 		keepInCompleteMode := false
 		r := o.t.ReadRune()
+
 		if o.GetConfig().FuncFilterInputRune != nil {
 			var process bool
 			r, process = o.GetConfig().FuncFilterInputRune(r)
 			if !process {
+				o.t.KickRead()
 				o.buf.Refresh(nil) // to refresh the line
 				continue           // ignore this rune
 			}
@@ -434,6 +436,10 @@ func (o *Operation) Slice() ([]byte, error) {
 }
 
 func (o *Operation) Close() {
+	select {
+	case o.errchan <- io.EOF:
+	default:
+	}
 	o.history.Close()
 }
 

vendor/github.com/chzyer/readline/readline.go

@@ -17,7 +17,9 @@
 //
 package readline
 
-import "io"
+import (
+	"io"
+)
 
 type Instance struct {
 	Config    *Config
@@ -270,14 +272,24 @@ func (i *Instance) ReadSlice() ([]byte, error) {
 }
 
 // we must make sure that call Close() before process exit.
+// if there has a pending reading operation, that reading will be interrupted.
+// so you can capture the signal and call Instance.Close(), it's thread-safe.
 func (i *Instance) Close() error {
+	i.Config.Stdin.Close()
+	i.Operation.Close()
 	if err := i.Terminal.Close(); err != nil {
 		return err
 	}
-	i.Config.Stdin.Close()
-	i.Operation.Close()
 	return nil
 }
+
+// call CaptureExitSignal when you want readline exit gracefully.
+func (i *Instance) CaptureExitSignal() {
+	CaptureExitSignal(func() {
+		i.Close()
+	})
+}
+
 func (i *Instance) Clean() {
 	i.Operation.Clean()
 }

vendor/github.com/chzyer/readline/term.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// +build darwin dragonfly freebsd linux,!appengine netbsd openbsd solaris
+// +build aix darwin dragonfly freebsd linux,!appengine netbsd openbsd os400 solaris
 
 // Package terminal provides support functions for dealing with terminals, as
 // commonly found on UNIX systems.

vendor/github.com/chzyer/readline/term_nosyscall6.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// +build solaris
+// +build aix os400 solaris
 
 package readline
 

vendor/github.com/chzyer/readline/terminal.go

@@ -125,6 +125,7 @@ func (t *Terminal) ioloop() {
 	var (
 		isEscape       bool
 		isEscapeEx     bool
+		isEscapeSS3    bool
 		expectNextChar bool
 	)
 
@@ -152,9 +153,15 @@ func (t *Terminal) ioloop() {
 		if isEscape {
 			isEscape = false
 			if r == CharEscapeEx {
+				// ^][
 				expectNextChar = true
 				isEscapeEx = true
 				continue
+			} else if r == CharO {
+				// ^]O
+				expectNextChar = true
+				isEscapeSS3 = true
+				continue
 			}
 			r = escapeKey(r, buf)
 		} else if isEscapeEx {
@@ -177,6 +184,15 @@ func (t *Terminal) ioloop() {
 				expectNextChar = true
 				continue
 			}
+		} else if isEscapeSS3 {
+			isEscapeSS3 = false
+			if key := readEscKey(r, buf); key != nil {
+				r = escapeSS3Key(key)
+			}
+			if r == 0 {
+				expectNextChar = true
+				continue
+			}
 		}
 
 		expectNextChar = true

vendor/github.com/chzyer/readline/utils.go

@@ -6,9 +6,11 @@ import (
 	"container/list"
 	"fmt"
 	"os"
+	"os/signal"
 	"strconv"
 	"strings"
 	"sync"
+	"syscall"
 	"time"
 	"unicode"
 )
@@ -41,6 +43,7 @@ const (
 	CharCtrlY     = 25
 	CharCtrlZ     = 26
 	CharEsc       = 27
+	CharO         = 79
 	CharEscapeEx  = 91
 	CharBackspace = 127
 )
@@ -121,6 +124,27 @@ func escapeExKey(key *escapeKeyPair) rune {
 	return r
 }
 
+// translate EscOX SS3 codes for up/down/etc.
+func escapeSS3Key(key *escapeKeyPair) rune {
+	var r rune
+	switch key.typ {
+	case 'D':
+		r = CharBackward
+	case 'C':
+		r = CharForward
+	case 'A':
+		r = CharPrev
+	case 'B':
+		r = CharNext
+	case 'H':
+		r = CharLineStart
+	case 'F':
+		r = CharLineEnd
+	default:
+	}
+	return r
+}
+
 type escapeKeyPair struct {
 	attr string
 	typ  rune
@@ -275,3 +299,13 @@ func Debug(o ...interface{}) {
 	fmt.Fprintln(f, o...)
 	f.Close()
 }
+
+func CaptureExitSignal(f func()) {
+	cSignal := make(chan os.Signal, 1)
+	signal.Notify(cSignal, os.Interrupt, syscall.SIGTERM)
+	go func() {
+		for range cSignal {
+			f()
+		}
+	}()
+}

vendor/github.com/chzyer/readline/utils_unix.go

@@ -1,4 +1,4 @@
-// +build darwin dragonfly freebsd linux,!appengine netbsd openbsd solaris
+// +build aix darwin dragonfly freebsd linux,!appengine netbsd openbsd os400 solaris
 
 package readline
 

vendor/github.com/containers/buildah/.cirrus.yml

@@ -31,7 +31,7 @@ env:
     #PRIOR_FEDORA_NAME: "fedora-35"
     UBUNTU_NAME: "ubuntu-2204"
 
-    IMAGE_SUFFIX: "c6013173500215296"
+    IMAGE_SUFFIX: "c5124654741323776"
     FEDORA_CACHE_IMAGE_NAME: "fedora-${IMAGE_SUFFIX}"
     #PRIOR_FEDORA_CACHE_IMAGE_NAME: "prior-fedora-${IMAGE_SUFFIX}"
     UBUNTU_CACHE_IMAGE_NAME: "ubuntu-${IMAGE_SUFFIX}"

vendor/github.com/containers/buildah/Makefile

@@ -14,10 +14,8 @@ BUILDAH := buildah
 GO := go
 GO_LDFLAGS := $(shell if $(GO) version|grep -q gccgo; then echo "-gccgoflags"; else echo "-ldflags"; fi)
 GO_GCFLAGS := $(shell if $(GO) version|grep -q gccgo; then echo "-gccgoflags"; else echo "-gcflags"; fi)
-GO110 := 1.10
-GOVERSION := $(findstring $(GO110),$(shell go version))
 # test for go module support
-ifeq ($(shell go help mod >/dev/null 2>&1 && echo true), true)
+ifeq ($(shell $(GO) help mod >/dev/null 2>&1 && echo true), true)
 export GO_BUILD=GO111MODULE=on $(GO) build -mod=vendor
 export GO_TEST=GO111MODULE=on $(GO) test -mod=vendor
 else
@@ -31,9 +29,12 @@ GIT_COMMIT ?= $(if $(shell git status --porcelain --untracked-files=no),${COMMIT
 SOURCE_DATE_EPOCH ?= $(if $(shell date +%s),$(shell date +%s),$(error "date failed"))
 STATIC_STORAGETAGS = "containers_image_openpgp exclude_graphdriver_devicemapper $(STORAGE_TAGS)"
 
-CNI_COMMIT := $(shell sed -n 's;\tgithub.com/containernetworking/cni \([^ \n]*\).*$\;\1;p' go.mod)
-#RUNC_COMMIT := $(shell sed -n 's;\tgithub.com/opencontainers/runc \([^ \n]*\).*$\;\1;p' go.mod)
-RUNC_COMMIT := v1.0.0-rc8
+# we get GNU make 3.x in MacOS build envs, which wants # to be escaped in
+# strings, while the 4.x we have on Linux doesn't. this is the documented
+# workaround
+COMMENT := \#
+CNI_COMMIT := $(shell sed -n 's;^$(COMMENT) github.com/containernetworking/cni \([^ \n]*\).*$$;\1;p' vendor/modules.txt)
+RUNC_COMMIT := $(shell sed -n 's;^$(COMMENT) github.com/opencontainers/runc \([^ \n]*\).*$$;\1;p' vendor/modules.txt)
 LIBSECCOMP_COMMIT := release-2.3
 
 EXTRA_LDFLAGS ?=

vendor/github.com/containers/buildah/chroot/pty_posix.go

@@ -0,0 +1,64 @@
+//go:build freebsd && cgo
+// +build freebsd,cgo
+
+package chroot
+
+// #include <fcntl.h>
+// #include <stdlib.h>
+import "C"
+
+import (
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
+)
+
+func openpt() (int, error) {
+	fd, err := C.posix_openpt(C.O_RDWR)
+	if err != nil {
+		return -1, err
+	}
+	if _, err := C.grantpt(fd); err != nil {
+		return -1, err
+	}
+	return int(fd), nil
+}
+
+func ptsname(fd int) (string, error) {
+	path, err := C.ptsname(C.int(fd))
+	if err != nil {
+		return "", err
+	}
+	return C.GoString(path), nil
+}
+
+func unlockpt(fd int) error {
+	if _, err := C.unlockpt(C.int(fd)); err != nil {
+		return err
+	}
+	return nil
+}
+
+func getPtyDescriptors() (int, int, error) {
+	// Create a pseudo-terminal and open the control side
+	controlFd, err := openpt()
+	if err != nil {
+		logrus.Errorf("error opening PTY control side using posix_openpt: %v", err)
+		return -1, -1, err
+	}
+	if err = unlockpt(controlFd); err != nil {
+		logrus.Errorf("error unlocking PTY: %v", err)
+		return -1, -1, err
+	}
+	// Get a handle for the other end.
+	ptyName, err := ptsname(controlFd)
+	if err != nil {
+		logrus.Errorf("error getting PTY name: %v", err)
+		return -1, -1, err
+	}
+	ptyFd, err := unix.Open(ptyName, unix.O_RDWR, 0)
+	if err != nil {
+		logrus.Errorf("error opening PTY: %v", err)
+		return -1, -1, err
+	}
+	return controlFd, ptyFd, nil
+}

vendor/github.com/containers/buildah/chroot/pty_ptmx.go

@@ -0,0 +1,47 @@
+//go:build linux
+// +build linux
+
+package chroot
+
+import (
+	"fmt"
+	"os"
+	"syscall"
+	"unsafe"
+
+	"golang.org/x/sys/unix"
+)
+
+// Open a PTY using the /dev/ptmx device. The main advantage of using
+// this instead of posix_openpt is that it avoids cgo.
+func getPtyDescriptors() (int, int, error) {
+	// Create a pseudo-terminal -- open a copy of the master side.
+	controlFd, err := unix.Open("/dev/ptmx", os.O_RDWR, 0600)
+	if err != nil {
+		return -1, -1, fmt.Errorf("error opening PTY master using /dev/ptmx: %v", err)
+	}
+	// Set the kernel's lock to "unlocked".
+	locked := 0
+	if result, _, err := unix.Syscall(unix.SYS_IOCTL, uintptr(controlFd), unix.TIOCSPTLCK, uintptr(unsafe.Pointer(&locked))); int(result) == -1 {
+		return -1, -1, fmt.Errorf("error unlocking PTY descriptor: %v", err)
+	}
+	// Get a handle for the other end.
+	ptyFd, _, err := unix.Syscall(unix.SYS_IOCTL, uintptr(controlFd), unix.TIOCGPTPEER, unix.O_RDWR|unix.O_NOCTTY)
+	if int(ptyFd) == -1 {
+		if errno, isErrno := err.(syscall.Errno); !isErrno || (errno != syscall.EINVAL && errno != syscall.ENOTTY) {
+			return -1, -1, fmt.Errorf("error getting PTY descriptor: %v", err)
+		}
+		// EINVAL means the kernel's too old to understand TIOCGPTPEER.  Try TIOCGPTN.
+		ptyN, err := unix.IoctlGetInt(controlFd, unix.TIOCGPTN)
+		if err != nil {
+			return -1, -1, fmt.Errorf("error getting PTY number: %v", err)
+		}
+		ptyName := fmt.Sprintf("/dev/pts/%d", ptyN)
+		fd, err := unix.Open(ptyName, unix.O_RDWR|unix.O_NOCTTY, 0620)
+		if err != nil {
+			return -1, -1, fmt.Errorf("error opening PTY %q: %v", ptyName, err)
+		}
+		ptyFd = uintptr(fd)
+	}
+	return controlFd, int(ptyFd), nil
+}

vendor/github.com/containers/buildah/chroot/pty_unsupported.go

@@ -0,0 +1,13 @@
+//go:build !linux && !(freebsd && cgo)
+// +build !linux
+// +build !freebsd !cgo
+
+package chroot
+
+import (
+	"errors"
+)
+
+func getPtyDescriptors() (int, int, error) {
+	return -1, -1, errors.New("getPtyDescriptors not supported on this platform")
+}

vendor/github.com/containers/buildah/chroot/run_common.go

@@ -0,0 +1,828 @@
+//go:build linux || freebsd
+// +build linux freebsd
+
+package chroot
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"os/signal"
+	"path/filepath"
+	"runtime"
+	"strconv"
+	"strings"
+	"sync"
+	"syscall"
+
+	"github.com/containers/buildah/bind"
+	"github.com/containers/buildah/util"
+	"github.com/containers/storage/pkg/ioutils"
+	"github.com/containers/storage/pkg/reexec"
+	"github.com/containers/storage/pkg/unshare"
+	"github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
+	"golang.org/x/term"
+)
+
+const (
+	// runUsingChrootCommand is a command we use as a key for reexec
+	runUsingChrootCommand = "buildah-chroot-runtime"
+	// runUsingChrootExec is a command we use as a key for reexec
+	runUsingChrootExecCommand = "buildah-chroot-exec"
+)
+
+func init() {
+	reexec.Register(runUsingChrootCommand, runUsingChrootMain)
+	reexec.Register(runUsingChrootExecCommand, runUsingChrootExecMain)
+	for limitName, limitNumber := range rlimitsMap {
+		rlimitsReverseMap[limitNumber] = limitName
+	}
+}
+
+type runUsingChrootExecSubprocOptions struct {
+	Spec       *specs.Spec
+	BundlePath string
+}
+
+// RunUsingChroot runs a chrooted process, using some of the settings from the
+// passed-in spec, and using the specified bundlePath to hold temporary files,
+// directories, and mountpoints.
+func RunUsingChroot(spec *specs.Spec, bundlePath, homeDir string, stdin io.Reader, stdout, stderr io.Writer) (err error) {
+	var confwg sync.WaitGroup
+	var homeFound bool
+	for _, env := range spec.Process.Env {
+		if strings.HasPrefix(env, "HOME=") {
+			homeFound = true
+			break
+		}
+	}
+	if !homeFound {
+		spec.Process.Env = append(spec.Process.Env, fmt.Sprintf("HOME=%s", homeDir))
+	}
+	runtime.LockOSThread()
+	defer runtime.UnlockOSThread()
+
+	// Write the runtime configuration, mainly for debugging.
+	specbytes, err := json.Marshal(spec)
+	if err != nil {
+		return err
+	}
+	if err = ioutils.AtomicWriteFile(filepath.Join(bundlePath, "config.json"), specbytes, 0600); err != nil {
+		return fmt.Errorf("error storing runtime configuration: %w", err)
+	}
+	logrus.Debugf("config = %v", string(specbytes))
+
+	// Default to using stdin/stdout/stderr if we weren't passed objects to use.
+	if stdin == nil {
+		stdin = os.Stdin
+	}
+	if stdout == nil {
+		stdout = os.Stdout
+	}
+	if stderr == nil {
+		stderr = os.Stderr
+	}
+
+	// Create a pipe for passing configuration down to the next process.
+	preader, pwriter, err := os.Pipe()
+	if err != nil {
+		return fmt.Errorf("error creating configuration pipe: %w", err)
+	}
+	config, conferr := json.Marshal(runUsingChrootSubprocOptions{
+		Spec:       spec,
+		BundlePath: bundlePath,
+	})
+	if conferr != nil {
+		return fmt.Errorf("error encoding configuration for %q: %w", runUsingChrootCommand, conferr)
+	}
+
+	// Set our terminal's mode to raw, to pass handling of special
+	// terminal input to the terminal in the container.
+	if spec.Process.Terminal && term.IsTerminal(unix.Stdin) {
+		state, err := term.MakeRaw(unix.Stdin)
+		if err != nil {
+			logrus.Warnf("error setting terminal state: %v", err)
+		} else {
+			defer func() {
+				if err = term.Restore(unix.Stdin, state); err != nil {
+					logrus.Errorf("unable to restore terminal state: %v", err)
+				}
+			}()
+		}
+	}
+
+	// Raise any resource limits that are higher than they are now, before
+	// we drop any more privileges.
+	if err = setRlimits(spec, false, true); err != nil {
+		return err
+	}
+
+	// Start the grandparent subprocess.
+	cmd := unshare.Command(runUsingChrootCommand)
+	setPdeathsig(cmd.Cmd)
+	cmd.Stdin, cmd.Stdout, cmd.Stderr = stdin, stdout, stderr
+	cmd.Dir = "/"
+	cmd.Env = []string{fmt.Sprintf("LOGLEVEL=%d", logrus.GetLevel())}
+
+	interrupted := make(chan os.Signal, 100)
+	cmd.Hook = func(int) error {
+		signal.Notify(interrupted, syscall.SIGHUP, syscall.SIGINT, syscall.SIGTERM)
+		go func() {
+			for receivedSignal := range interrupted {
+				if err := cmd.Process.Signal(receivedSignal); err != nil {
+					logrus.Infof("%v while attempting to forward %v to child process", err, receivedSignal)
+				}
+			}
+		}()
+		return nil
+	}
+
+	logrus.Debugf("Running %#v in %#v", cmd.Cmd, cmd)
+	confwg.Add(1)
+	go func() {
+		_, conferr = io.Copy(pwriter, bytes.NewReader(config))
+		pwriter.Close()
+		confwg.Done()
+	}()
+	cmd.ExtraFiles = append([]*os.File{preader}, cmd.ExtraFiles...)
+	err = cmd.Run()
+	confwg.Wait()
+	signal.Stop(interrupted)
+	close(interrupted)
+	if err == nil {
+		return conferr
+	}
+	return err
+}
+
+// main() for grandparent subprocess.  Its main job is to shuttle stdio back
+// and forth, managing a pseudo-terminal if we want one, for our child, the
+// parent subprocess.
+func runUsingChrootMain() {
+	var options runUsingChrootSubprocOptions
+
+	runtime.LockOSThread()
+
+	// Set logging.
+	if level := os.Getenv("LOGLEVEL"); level != "" {
+		if ll, err := strconv.Atoi(level); err == nil {
+			logrus.SetLevel(logrus.Level(ll))
+		}
+		os.Unsetenv("LOGLEVEL")
+	}
+
+	// Unpack our configuration.
+	confPipe := os.NewFile(3, "confpipe")
+	if confPipe == nil {
+		fmt.Fprintf(os.Stderr, "error reading options pipe\n")
+		os.Exit(1)
+	}
+	defer confPipe.Close()
+	if err := json.NewDecoder(confPipe).Decode(&options); err != nil {
+		fmt.Fprintf(os.Stderr, "error decoding options: %v\n", err)
+		os.Exit(1)
+	}
+
+	if options.Spec == nil || options.Spec.Process == nil {
+		fmt.Fprintf(os.Stderr, "invalid options spec in runUsingChrootMain\n")
+		os.Exit(1)
+	}
+
+	// Prepare to shuttle stdio back and forth.
+	rootUID32, rootGID32, err := util.GetHostRootIDs(options.Spec)
+	if err != nil {
+		logrus.Errorf("error determining ownership for container stdio")
+		os.Exit(1)
+	}
+	rootUID := int(rootUID32)
+	rootGID := int(rootGID32)
+	relays := make(map[int]int)
+	closeOnceRunning := []*os.File{}
+	var ctty *os.File
+	var stdin io.Reader
+	var stdinCopy io.WriteCloser
+	var stdout io.Writer
+	var stderr io.Writer
+	fdDesc := make(map[int]string)
+	if options.Spec.Process.Terminal {
+		ptyMasterFd, ptyFd, err := getPtyDescriptors()
+		if err != nil {
+			logrus.Errorf("error opening PTY descriptors: %v", err)
+			os.Exit(1)
+		}
+		// Make notes about what's going where.
+		relays[ptyMasterFd] = unix.Stdout
+		relays[unix.Stdin] = ptyMasterFd
+		fdDesc[ptyMasterFd] = "container terminal"
+		fdDesc[unix.Stdin] = "stdin"
+		fdDesc[unix.Stdout] = "stdout"
+		winsize := &unix.Winsize{}
+		// Set the pseudoterminal's size to the configured size, or our own.
+		if options.Spec.Process.ConsoleSize != nil {
+			// Use configured sizes.
+			winsize.Row = uint16(options.Spec.Process.ConsoleSize.Height)
+			winsize.Col = uint16(options.Spec.Process.ConsoleSize.Width)
+		} else {
+			if term.IsTerminal(unix.Stdin) {
+				// Use the size of our terminal.
+				winsize, err = unix.IoctlGetWinsize(unix.Stdin, unix.TIOCGWINSZ)
+				if err != nil {
+					logrus.Debugf("error reading current terminal's size")
+					winsize.Row = 0
+					winsize.Col = 0
+				}
+			}
+		}
+		if winsize.Row != 0 && winsize.Col != 0 {
+			if err = unix.IoctlSetWinsize(ptyFd, unix.TIOCSWINSZ, winsize); err != nil {
+				logrus.Warnf("error setting terminal size for pty")
+			}
+			// FIXME - if we're connected to a terminal, we should
+			// be passing the updated terminal size down when we
+			// receive a SIGWINCH.
+		}
+		// Open an *os.File object that we can pass to our child.
+		ctty = os.NewFile(uintptr(ptyFd), "/dev/tty")
+		// Set ownership for the PTY.
+		if err = ctty.Chown(rootUID, rootGID); err != nil {
+			var cttyInfo unix.Stat_t
+			err2 := unix.Fstat(ptyFd, &cttyInfo)
+			from := ""
+			op := "setting"
+			if err2 == nil {
+				op = "changing"
+				from = fmt.Sprintf("from %d/%d ", cttyInfo.Uid, cttyInfo.Gid)
+			}
+			logrus.Warnf("error %s ownership of container PTY %sto %d/%d: %v", op, from, rootUID, rootGID, err)
+		}
+		// Set permissions on the PTY.
+		if err = ctty.Chmod(0620); err != nil {
+			logrus.Errorf("error setting permissions of container PTY: %v", err)
+			os.Exit(1)
+		}
+		// Make a note that our child (the parent subprocess) should
+		// have the PTY connected to its stdio, and that we should
+		// close it once it's running.
+		stdin = ctty
+		stdout = ctty
+		stderr = ctty
+		closeOnceRunning = append(closeOnceRunning, ctty)
+	} else {
+		// Create pipes for stdio.
+		stdinRead, stdinWrite, err := os.Pipe()
+		if err != nil {
+			logrus.Errorf("error opening pipe for stdin: %v", err)
+		}
+		stdoutRead, stdoutWrite, err := os.Pipe()
+		if err != nil {
+			logrus.Errorf("error opening pipe for stdout: %v", err)
+		}
+		stderrRead, stderrWrite, err := os.Pipe()
+		if err != nil {
+			logrus.Errorf("error opening pipe for stderr: %v", err)
+		}
+		// Make notes about what's going where.
+		relays[unix.Stdin] = int(stdinWrite.Fd())
+		relays[int(stdoutRead.Fd())] = unix.Stdout
+		relays[int(stderrRead.Fd())] = unix.Stderr
+		fdDesc[int(stdinWrite.Fd())] = "container stdin pipe"
+		fdDesc[int(stdoutRead.Fd())] = "container stdout pipe"
+		fdDesc[int(stderrRead.Fd())] = "container stderr pipe"
+		fdDesc[unix.Stdin] = "stdin"
+		fdDesc[unix.Stdout] = "stdout"
+		fdDesc[unix.Stderr] = "stderr"
+		// Set ownership for the pipes.
+		if err = stdinRead.Chown(rootUID, rootGID); err != nil {
+			logrus.Errorf("error setting ownership of container stdin pipe: %v", err)
+			os.Exit(1)
+		}
+		if err = stdoutWrite.Chown(rootUID, rootGID); err != nil {
+			logrus.Errorf("error setting ownership of container stdout pipe: %v", err)
+			os.Exit(1)
+		}
+		if err = stderrWrite.Chown(rootUID, rootGID); err != nil {
+			logrus.Errorf("error setting ownership of container stderr pipe: %v", err)
+			os.Exit(1)
+		}
+		// Make a note that our child (the parent subprocess) should
+		// have the pipes connected to its stdio, and that we should
+		// close its ends of them once it's running.
+		stdin = stdinRead
+		stdout = stdoutWrite
+		stderr = stderrWrite
+		closeOnceRunning = append(closeOnceRunning, stdinRead, stdoutWrite, stderrWrite)
+		stdinCopy = stdinWrite
+		defer stdoutRead.Close()
+		defer stderrRead.Close()
+	}
+	for readFd, writeFd := range relays {
+		if err := unix.SetNonblock(readFd, true); err != nil {
+			logrus.Errorf("error setting descriptor %d (%s) non-blocking: %v", readFd, fdDesc[readFd], err)
+			return
+		}
+		if err := unix.SetNonblock(writeFd, false); err != nil {
+			logrus.Errorf("error setting descriptor %d (%s) blocking: %v", relays[writeFd], fdDesc[writeFd], err)
+			return
+		}
+	}
+	if err := unix.SetNonblock(relays[unix.Stdin], true); err != nil {
+		logrus.Errorf("error setting %d to nonblocking: %v", relays[unix.Stdin], err)
+	}
+	go func() {
+		buffers := make(map[int]*bytes.Buffer)
+		for _, writeFd := range relays {
+			buffers[writeFd] = new(bytes.Buffer)
+		}
+		pollTimeout := -1
+		stdinClose := false
+		for len(relays) > 0 {
+			fds := make([]unix.PollFd, 0, len(relays))
+			for fd := range relays {
+				fds = append(fds, unix.PollFd{Fd: int32(fd), Events: unix.POLLIN | unix.POLLHUP})
+			}
+			_, err := unix.Poll(fds, pollTimeout)
+			if !util.LogIfNotRetryable(err, fmt.Sprintf("poll: %v", err)) {
+				return
+			}
+			removeFds := make(map[int]struct{})
+			for _, rfd := range fds {
+				if rfd.Revents&unix.POLLHUP == unix.POLLHUP {
+					removeFds[int(rfd.Fd)] = struct{}{}
+				}
+				if rfd.Revents&unix.POLLNVAL == unix.POLLNVAL {
+					logrus.Debugf("error polling descriptor %s: closed?", fdDesc[int(rfd.Fd)])
+					removeFds[int(rfd.Fd)] = struct{}{}
+				}
+				if rfd.Revents&unix.POLLIN == 0 {
+					if stdinClose && stdinCopy == nil {
+						continue
+					}
+					continue
+				}
+				b := make([]byte, 8192)
+				nread, err := unix.Read(int(rfd.Fd), b)
+				util.LogIfNotRetryable(err, fmt.Sprintf("read %s: %v", fdDesc[int(rfd.Fd)], err))
+				if nread > 0 {
+					if wfd, ok := relays[int(rfd.Fd)]; ok {
+						nwritten, err := buffers[wfd].Write(b[:nread])
+						if err != nil {
+							logrus.Debugf("buffer: %v", err)
+							continue
+						}
+						if nwritten != nread {
+							logrus.Debugf("buffer: expected to buffer %d bytes, wrote %d", nread, nwritten)
+							continue
+						}
+					}
+					// If this is the last of the data we'll be able to read
+					// from this descriptor, read as much as there is to read.
+					for rfd.Revents&unix.POLLHUP == unix.POLLHUP {
+						nr, err := unix.Read(int(rfd.Fd), b)
+						util.LogIfUnexpectedWhileDraining(err, fmt.Sprintf("read %s: %v", fdDesc[int(rfd.Fd)], err))
+						if nr <= 0 {
+							break
+						}
+						if wfd, ok := relays[int(rfd.Fd)]; ok {
+							nwritten, err := buffers[wfd].Write(b[:nr])
+							if err != nil {
+								logrus.Debugf("buffer: %v", err)
+								break
+							}
+							if nwritten != nr {
+								logrus.Debugf("buffer: expected to buffer %d bytes, wrote %d", nr, nwritten)
+								break
+							}
+						}
+					}
+				}
+				if nread == 0 {
+					removeFds[int(rfd.Fd)] = struct{}{}
+				}
+			}
+			pollTimeout = -1
+			for wfd, buffer := range buffers {
+				if buffer.Len() > 0 {
+					nwritten, err := unix.Write(wfd, buffer.Bytes())
+					util.LogIfNotRetryable(err, fmt.Sprintf("write %s: %v", fdDesc[wfd], err))
+					if nwritten >= 0 {
+						_ = buffer.Next(nwritten)
+					}
+				}
+				if buffer.Len() > 0 {
+					pollTimeout = 100
+				}
+				if wfd == relays[unix.Stdin] && stdinClose && buffer.Len() == 0 {
+					stdinCopy.Close()
+					delete(relays, unix.Stdin)
+				}
+			}
+			for rfd := range removeFds {
+				if rfd == unix.Stdin {
+					buffer, found := buffers[relays[unix.Stdin]]
+					if found && buffer.Len() > 0 {
+						stdinClose = true
+						continue
+					}
+				}
+				if !options.Spec.Process.Terminal && rfd == unix.Stdin {
+					stdinCopy.Close()
+				}
+				delete(relays, rfd)
+			}
+		}
+	}()
+
+	// Set up mounts and namespaces, and run the parent subprocess.
+	status, err := runUsingChroot(options.Spec, options.BundlePath, ctty, stdin, stdout, stderr, closeOnceRunning)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "error running subprocess: %v\n", err)
+		os.Exit(1)
+	}
+
+	// Pass the process's exit status back to the caller by exiting with the same status.
+	if status.Exited() {
+		if status.ExitStatus() != 0 {
+			fmt.Fprintf(os.Stderr, "subprocess exited with status %d\n", status.ExitStatus())
+		}
+		os.Exit(status.ExitStatus())
+	} else if status.Signaled() {
+		fmt.Fprintf(os.Stderr, "subprocess exited on %s\n", status.Signal())
+		os.Exit(1)
+	}
+}
+
+// runUsingChroot, still in the grandparent process, sets up various bind
+// mounts and then runs the parent process in its own user namespace with the
+// necessary ID mappings.
+func runUsingChroot(spec *specs.Spec, bundlePath string, ctty *os.File, stdin io.Reader, stdout, stderr io.Writer, closeOnceRunning []*os.File) (wstatus unix.WaitStatus, err error) {
+	var confwg sync.WaitGroup
+
+	// Create a new mount namespace for ourselves and bind mount everything to a new location.
+	undoIntermediates, err := bind.SetupIntermediateMountNamespace(spec, bundlePath)
+	if err != nil {
+		return 1, err
+	}
+	defer func() {
+		if undoErr := undoIntermediates(); undoErr != nil {
+			logrus.Debugf("error cleaning up intermediate mount NS: %v", err)
+		}
+	}()
+
+	// Bind mount in our filesystems.
+	undoChroots, err := setupChrootBindMounts(spec, bundlePath)
+	if err != nil {
+		return 1, err
+	}
+	defer func() {
+		if undoErr := undoChroots(); undoErr != nil {
+			logrus.Debugf("error cleaning up intermediate chroot bind mounts: %v", err)
+		}
+	}()
+
+	// Create a pipe for passing configuration down to the next process.
+	preader, pwriter, err := os.Pipe()
+	if err != nil {
+		return 1, fmt.Errorf("error creating configuration pipe: %w", err)
+	}
+	config, conferr := json.Marshal(runUsingChrootExecSubprocOptions{
+		Spec:       spec,
+		BundlePath: bundlePath,
+	})
+	if conferr != nil {
+		fmt.Fprintf(os.Stderr, "error re-encoding configuration for %q", runUsingChrootExecCommand)
+		os.Exit(1)
+	}
+
+	// Apologize for the namespace configuration that we're about to ignore.
+	logNamespaceDiagnostics(spec)
+
+	// Start the parent subprocess.
+	cmd := unshare.Command(append([]string{runUsingChrootExecCommand}, spec.Process.Args...)...)
+	setPdeathsig(cmd.Cmd)
+	cmd.Stdin, cmd.Stdout, cmd.Stderr = stdin, stdout, stderr
+	cmd.Dir = "/"
+	cmd.Env = []string{fmt.Sprintf("LOGLEVEL=%d", logrus.GetLevel())}
+	if ctty != nil {
+		cmd.Setsid = true
+		cmd.Ctty = ctty
+	}
+	cmd.ExtraFiles = append([]*os.File{preader}, cmd.ExtraFiles...)
+	if err := setPlatformUnshareOptions(spec, cmd); err != nil {
+		return 1, fmt.Errorf("error setting platform unshare options: %w", err)
+
+	}
+	interrupted := make(chan os.Signal, 100)
+	cmd.Hook = func(int) error {
+		for _, f := range closeOnceRunning {
+			f.Close()
+		}
+		signal.Notify(interrupted, syscall.SIGHUP, syscall.SIGINT, syscall.SIGTERM)
+		go func() {
+			for receivedSignal := range interrupted {
+				if err := cmd.Process.Signal(receivedSignal); err != nil {
+					logrus.Infof("%v while attempting to forward %v to child process", err, receivedSignal)
+				}
+			}
+		}()
+		return nil
+	}
+
+	logrus.Debugf("Running %#v in %#v", cmd.Cmd, cmd)
+	confwg.Add(1)
+	go func() {
+		_, conferr = io.Copy(pwriter, bytes.NewReader(config))
+		pwriter.Close()
+		confwg.Done()
+	}()
+	err = cmd.Run()
+	confwg.Wait()
+	signal.Stop(interrupted)
+	close(interrupted)
+	if err != nil {
+		if exitError, ok := err.(*exec.ExitError); ok {
+			if waitStatus, ok := exitError.ProcessState.Sys().(syscall.WaitStatus); ok {
+				if waitStatus.Exited() {
+					if waitStatus.ExitStatus() != 0 {
+						fmt.Fprintf(os.Stderr, "subprocess exited with status %d\n", waitStatus.ExitStatus())
+					}
+					os.Exit(waitStatus.ExitStatus())
+				} else if waitStatus.Signaled() {
+					fmt.Fprintf(os.Stderr, "subprocess exited on %s\n", waitStatus.Signal())
+					os.Exit(1)
+				}
+			}
+		}
+		fmt.Fprintf(os.Stderr, "process exited with error: %v", err)
+		os.Exit(1)
+	}
+
+	return 0, nil
+}
+
+// main() for parent subprocess.  Its main job is to try to make our
+// environment look like the one described by the runtime configuration blob,
+// and then launch the intended command as a child.
+func runUsingChrootExecMain() {
+	args := os.Args[1:]
+	var options runUsingChrootExecSubprocOptions
+	var err error
+
+	runtime.LockOSThread()
+
+	// Set logging.
+	if level := os.Getenv("LOGLEVEL"); level != "" {
+		if ll, err := strconv.Atoi(level); err == nil {
+			logrus.SetLevel(logrus.Level(ll))
+		}
+		os.Unsetenv("LOGLEVEL")
+	}
+
+	// Unpack our configuration.
+	confPipe := os.NewFile(3, "confpipe")
+	if confPipe == nil {
+		fmt.Fprintf(os.Stderr, "error reading options pipe\n")
+		os.Exit(1)
+	}
+	defer confPipe.Close()
+	if err := json.NewDecoder(confPipe).Decode(&options); err != nil {
+		fmt.Fprintf(os.Stderr, "error decoding options: %v\n", err)
+		os.Exit(1)
+	}
+
+	// Set the hostname.  We're already in a distinct UTS namespace and are admins in the user
+	// namespace which created it, so we shouldn't get a permissions error, but seccomp policy
+	// might deny our attempt to call sethostname() anyway, so log a debug message for that.
+	if options.Spec == nil || options.Spec.Process == nil {
+		fmt.Fprintf(os.Stderr, "invalid options spec passed in\n")
+		os.Exit(1)
+	}
+
+	if options.Spec.Hostname != "" {
+		setContainerHostname(options.Spec.Hostname)
+	}
+
+	// Try to chroot into the root.  Do this before we potentially
+	// block the syscall via the seccomp profile. Allow the
+	// platform to override this - on FreeBSD, we use a simple
+	// jail to set the hostname in the container
+	if err := createPlatformContainer(options); err != nil {
+		var oldst, newst unix.Stat_t
+		if err := unix.Stat(options.Spec.Root.Path, &oldst); err != nil {
+			fmt.Fprintf(os.Stderr, "error stat()ing intended root directory %q: %v\n", options.Spec.Root.Path, err)
+			os.Exit(1)
+		}
+		if err := unix.Chdir(options.Spec.Root.Path); err != nil {
+			fmt.Fprintf(os.Stderr, "error chdir()ing to intended root directory %q: %v\n", options.Spec.Root.Path, err)
+			os.Exit(1)
+		}
+		if err := unix.Chroot(options.Spec.Root.Path); err != nil {
+			fmt.Fprintf(os.Stderr, "error chroot()ing into directory %q: %v\n", options.Spec.Root.Path, err)
+			os.Exit(1)
+		}
+		if err := unix.Stat("/", &newst); err != nil {
+			fmt.Fprintf(os.Stderr, "error stat()ing current root directory: %v\n", err)
+			os.Exit(1)
+		}
+		if oldst.Dev != newst.Dev || oldst.Ino != newst.Ino {
+			fmt.Fprintf(os.Stderr, "unknown error chroot()ing into directory %q: %v\n", options.Spec.Root.Path, err)
+			os.Exit(1)
+		}
+		logrus.Debugf("chrooted into %q", options.Spec.Root.Path)
+	}
+
+	// not doing because it's still shared: creating devices
+	// not doing because it's not applicable: setting annotations
+	// not doing because it's still shared: setting sysctl settings
+	// not doing because cgroupfs is read only: configuring control groups
+	// -> this means we can use the freezer to make sure there aren't any lingering processes
+	// -> this means we ignore cgroups-based controls
+	// not doing because we don't set any in the config: running hooks
+	// not doing because we don't set it in the config: setting rootfs read-only
+	// not doing because we don't set it in the config: setting rootfs propagation
+	logrus.Debugf("setting apparmor profile")
+	if err = setApparmorProfile(options.Spec); err != nil {
+		fmt.Fprintf(os.Stderr, "error setting apparmor profile for process: %v\n", err)
+		os.Exit(1)
+	}
+	if err = setSelinuxLabel(options.Spec); err != nil {
+		fmt.Fprintf(os.Stderr, "error setting SELinux label for process: %v\n", err)
+		os.Exit(1)
+	}
+
+	logrus.Debugf("setting resource limits")
+	if err = setRlimits(options.Spec, false, false); err != nil {
+		fmt.Fprintf(os.Stderr, "error setting process resource limits for process: %v\n", err)
+		os.Exit(1)
+	}
+
+	// Try to change to the directory.
+	cwd := options.Spec.Process.Cwd
+	if !filepath.IsAbs(cwd) {
+		cwd = "/" + cwd
+	}
+	cwd = filepath.Clean(cwd)
+	if err := unix.Chdir("/"); err != nil {
+		fmt.Fprintf(os.Stderr, "error chdir()ing into new root directory %q: %v\n", options.Spec.Root.Path, err)
+		os.Exit(1)
+	}
+	if err := unix.Chdir(cwd); err != nil {
+		fmt.Fprintf(os.Stderr, "error chdir()ing into directory %q under root %q: %v\n", cwd, options.Spec.Root.Path, err)
+		os.Exit(1)
+	}
+	logrus.Debugf("changed working directory to %q", cwd)
+
+	// Drop privileges.
+	user := options.Spec.Process.User
+	if len(user.AdditionalGids) > 0 {
+		gids := make([]int, len(user.AdditionalGids))
+		for i := range user.AdditionalGids {
+			gids[i] = int(user.AdditionalGids[i])
+		}
+		logrus.Debugf("setting supplemental groups")
+		if err = syscall.Setgroups(gids); err != nil {
+			fmt.Fprintf(os.Stderr, "error setting supplemental groups list: %v", err)
+			os.Exit(1)
+		}
+	} else {
+		setgroups, _ := ioutil.ReadFile("/proc/self/setgroups")
+		if strings.Trim(string(setgroups), "\n") != "deny" {
+			logrus.Debugf("clearing supplemental groups")
+			if err = syscall.Setgroups([]int{}); err != nil {
+				fmt.Fprintf(os.Stderr, "error clearing supplemental groups list: %v", err)
+				os.Exit(1)
+			}
+		}
+	}
+
+	logrus.Debugf("setting gid")
+	if err = unix.Setresgid(int(user.GID), int(user.GID), int(user.GID)); err != nil {
+		fmt.Fprintf(os.Stderr, "error setting GID: %v", err)
+		os.Exit(1)
+	}
+
+	if err = setSeccomp(options.Spec); err != nil {
+		fmt.Fprintf(os.Stderr, "error setting seccomp filter for process: %v\n", err)
+		os.Exit(1)
+	}
+
+	logrus.Debugf("setting capabilities")
+	var keepCaps []string
+	if user.UID != 0 {
+		keepCaps = []string{"CAP_SETUID"}
+	}
+	if err := setCapabilities(options.Spec, keepCaps...); err != nil {
+		fmt.Fprintf(os.Stderr, "error setting capabilities for process: %v\n", err)
+		os.Exit(1)
+	}
+
+	logrus.Debugf("setting uid")
+	if err = unix.Setresuid(int(user.UID), int(user.UID), int(user.UID)); err != nil {
+		fmt.Fprintf(os.Stderr, "error setting UID: %v", err)
+		os.Exit(1)
+	}
+
+	// Actually run the specified command.
+	cmd := exec.Command(args[0], args[1:]...)
+	setPdeathsig(cmd)
+	cmd.Env = options.Spec.Process.Env
+	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
+	cmd.Dir = cwd
+	logrus.Debugf("Running %#v (PATH = %q)", cmd, os.Getenv("PATH"))
+	interrupted := make(chan os.Signal, 100)
+	if err = cmd.Start(); err != nil {
+		fmt.Fprintf(os.Stderr, "process failed to start with error: %v", err)
+	}
+	go func() {
+		for range interrupted {
+			if err := cmd.Process.Signal(syscall.SIGKILL); err != nil {
+				logrus.Infof("%v while attempting to send SIGKILL to child process", err)
+			}
+		}
+	}()
+	signal.Notify(interrupted, syscall.SIGHUP, syscall.SIGINT, syscall.SIGTERM)
+	err = cmd.Wait()
+	signal.Stop(interrupted)
+	close(interrupted)
+	if err != nil {
+		if exitError, ok := err.(*exec.ExitError); ok {
+			if waitStatus, ok := exitError.ProcessState.Sys().(syscall.WaitStatus); ok {
+				if waitStatus.Exited() {
+					if waitStatus.ExitStatus() != 0 {
+						fmt.Fprintf(os.Stderr, "subprocess exited with status %d\n", waitStatus.ExitStatus())
+					}
+					os.Exit(waitStatus.ExitStatus())
+				} else if waitStatus.Signaled() {
+					fmt.Fprintf(os.Stderr, "subprocess exited on %s\n", waitStatus.Signal())
+					os.Exit(1)
+				}
+			}
+		}
+		fmt.Fprintf(os.Stderr, "process exited with error: %v", err)
+		os.Exit(1)
+	}
+}
+
+// parses the resource limits for ourselves and any processes that
+// we'll start into a format that's more in line with the kernel APIs
+func parseRlimits(spec *specs.Spec) (map[int]unix.Rlimit, error) {
+	if spec.Process == nil {
+		return nil, nil
+	}
+	parsed := make(map[int]unix.Rlimit)
+	for _, limit := range spec.Process.Rlimits {
+		resource, recognized := rlimitsMap[strings.ToUpper(limit.Type)]
+		if !recognized {
+			return nil, fmt.Errorf("error parsing limit type %q", limit.Type)
+		}
+		parsed[resource] = makeRlimit(limit)
+	}
+	return parsed, nil
+}
+
+// setRlimits sets any resource limits that we want to apply to processes that
+// we'll start.
+func setRlimits(spec *specs.Spec, onlyLower, onlyRaise bool) error {
+	limits, err := parseRlimits(spec)
+	if err != nil {
+		return err
+	}
+	for resource, desired := range limits {
+		var current unix.Rlimit
+		if err := unix.Getrlimit(resource, &current); err != nil {
+			return fmt.Errorf("error reading %q limit: %w", rlimitsReverseMap[resource], err)
+		}
+		if desired.Max > current.Max && onlyLower {
+			// this would raise a hard limit, and we're only here to lower them
+			continue
+		}
+		if desired.Max < current.Max && onlyRaise {
+			// this would lower a hard limit, and we're only here to raise them
+			continue
+		}
+		if err := unix.Setrlimit(resource, &desired); err != nil {
+			return fmt.Errorf("error setting %q limit to soft=%d,hard=%d (was soft=%d,hard=%d): %w", rlimitsReverseMap[resource], desired.Cur, desired.Max, current.Cur, current.Max, err)
+		}
+	}
+	return nil
+}
+
+func isDevNull(dev os.FileInfo) bool {
+	if dev.Mode()&os.ModeCharDevice != 0 {
+		stat, _ := dev.Sys().(*syscall.Stat_t)
+		nullStat := syscall.Stat_t{}
+		if err := syscall.Stat(os.DevNull, &nullStat); err != nil {
+			logrus.Warnf("unable to stat /dev/null: %v", err)
+			return false
+		}
+		if stat.Rdev == nullStat.Rdev {
+			return true
+		}
+	}
+	return false
+}

vendor/github.com/containers/buildah/chroot/run_freebsd.go

@@ -0,0 +1,269 @@
+//go:build freebsd
+// +build freebsd
+
+package chroot
+
+import (
+	"fmt"
+	"io"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+	"syscall"
+
+	"github.com/containers/buildah/pkg/jail"
+	"github.com/containers/storage/pkg/mount"
+	"github.com/containers/storage/pkg/unshare"
+	"github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
+)
+
+var (
+	rlimitsMap = map[string]int{
+		"RLIMIT_AS":      unix.RLIMIT_AS,
+		"RLIMIT_CORE":    unix.RLIMIT_CORE,
+		"RLIMIT_CPU":     unix.RLIMIT_CPU,
+		"RLIMIT_DATA":    unix.RLIMIT_DATA,
+		"RLIMIT_FSIZE":   unix.RLIMIT_FSIZE,
+		"RLIMIT_MEMLOCK": unix.RLIMIT_MEMLOCK,
+		"RLIMIT_NOFILE":  unix.RLIMIT_NOFILE,
+		"RLIMIT_NPROC":   unix.RLIMIT_NPROC,
+		"RLIMIT_RSS":     unix.RLIMIT_RSS,
+		"RLIMIT_STACK":   unix.RLIMIT_STACK,
+	}
+	rlimitsReverseMap = map[int]string{}
+)
+
+type runUsingChrootSubprocOptions struct {
+	Spec       *specs.Spec
+	BundlePath string
+}
+
+func setPlatformUnshareOptions(spec *specs.Spec, cmd *unshare.Cmd) error {
+	return nil
+}
+
+func setContainerHostname(name string) {
+	// On FreeBSD, we have to set this later when we create the
+	// jail below in createPlatformContainer
+}
+
+func setSelinuxLabel(spec *specs.Spec) error {
+	// Ignore this on FreeBSD
+	return nil
+}
+
+func setApparmorProfile(spec *specs.Spec) error {
+	// FreeBSD doesn't have apparmor`
+	return nil
+}
+
+func setCapabilities(spec *specs.Spec, keepCaps ...string) error {
+	// FreeBSD capabilities are nothing like Linux
+	return nil
+}
+
+func makeRlimit(limit specs.POSIXRlimit) unix.Rlimit {
+	return unix.Rlimit{Cur: int64(limit.Soft), Max: int64(limit.Hard)}
+}
+
+func createPlatformContainer(options runUsingChrootExecSubprocOptions) error {
+	path := options.Spec.Root.Path
+	jconf := jail.NewConfig()
+	jconf.Set("name", filepath.Base(path)+"-chroot")
+	jconf.Set("host.hostname", options.Spec.Hostname)
+	jconf.Set("persist", false)
+	jconf.Set("path", path)
+	jconf.Set("ip4", jail.INHERIT)
+	jconf.Set("ip6", jail.INHERIT)
+	jconf.Set("allow.raw_sockets", true)
+	jconf.Set("enforce_statfs", 1)
+	_, err := jail.CreateAndAttach(jconf)
+	if err != nil {
+		return fmt.Errorf("error creating jail: %w", err)
+	}
+	return nil
+}
+
+// logNamespaceDiagnostics knows which namespaces we want to create.
+// Output debug messages when that differs from what we're being asked to do.
+func logNamespaceDiagnostics(spec *specs.Spec) {
+	// Nothing here for FreeBSD
+}
+
+func makeReadOnly(mntpoint string, flags uintptr) error {
+	var fs unix.Statfs_t
+	// Make sure it's read-only.
+	if err := unix.Statfs(mntpoint, &fs); err != nil {
+		return fmt.Errorf("error checking if directory %q was bound read-only: %w", mntpoint, err)
+	}
+	return nil
+}
+
+func saveDir(spec *specs.Spec, path string) string {
+	id := filepath.Base(spec.Root.Path)
+	return filepath.Join(filepath.Dir(path), ".save-"+id)
+}
+
+func copyFile(source, dest string) error {
+	in, err := os.Open(source)
+	if err != nil {
+		return err
+	}
+	defer in.Close()
+
+	out, err := os.Create(dest)
+	if err != nil {
+		return err
+	}
+	defer out.Close()
+
+	_, err = io.Copy(out, in)
+	if err != nil {
+		return err
+	}
+	return out.Close()
+}
+
+type rename struct {
+	from, to string
+}
+
+// setupChrootBindMounts actually bind mounts things under the rootfs, and returns a
+// callback that will clean up its work.
+func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func() error, err error) {
+	renames := []rename{}
+	unmounts := []string{}
+	removes := []string{}
+	undoBinds = func() error {
+		for _, r := range renames {
+			if err2 := os.Rename(r.to, r.from); err2 != nil {
+				logrus.Warnf("pkg/chroot: error renaming %q to %q: %v", r.to, r.from, err2)
+				if err == nil {
+					err = err2
+				}
+			}
+		}
+		for _, path := range unmounts {
+			if err2 := mount.Unmount(path); err2 != nil {
+				logrus.Warnf("pkg/chroot: error unmounting %q: %v", spec.Root.Path, err2)
+				if err == nil {
+					err = err2
+				}
+			}
+		}
+		for _, path := range removes {
+			if err2 := os.Remove(path); err2 != nil {
+				logrus.Warnf("pkg/chroot: error removing %q: %v", path, err2)
+				if err == nil {
+					err = err2
+				}
+			}
+		}
+		return err
+	}
+
+	// Now mount all of those things to be under the rootfs's location in this
+	// mount namespace.
+	for _, m := range spec.Mounts {
+		// If the target is there, we can just mount it.
+		var srcinfo os.FileInfo
+		switch m.Type {
+		case "nullfs":
+			srcinfo, err = os.Stat(m.Source)
+			if err != nil {
+				return undoBinds, fmt.Errorf("error examining %q for mounting in mount namespace: %w", m.Source, err)
+			}
+		}
+		target := filepath.Join(spec.Root.Path, m.Destination)
+		if _, err := os.Stat(target); err != nil {
+			// If the target can't be stat()ted, check the error.
+			if !os.IsNotExist(err) {
+				return undoBinds, fmt.Errorf("error examining %q for mounting in mount namespace: %w", target, err)
+			}
+			// The target isn't there yet, so create it, and make a
+			// note to remove it later.
+			// XXX: This was copied from the linux version which supports bind mounting files.
+			// Leaving it here since I plan to add this to FreeBSD's nullfs.
+			if m.Type != "nullfs" || srcinfo.IsDir() {
+				if err = os.MkdirAll(target, 0111); err != nil {
+					return undoBinds, fmt.Errorf("error creating mountpoint %q in mount namespace: %w", target, err)
+				}
+				removes = append(removes, target)
+			} else {
+				if err = os.MkdirAll(filepath.Dir(target), 0111); err != nil {
+					return undoBinds, fmt.Errorf("error ensuring parent of mountpoint %q (%q) is present in mount namespace: %w", target, filepath.Dir(target), err)
+				}
+				// Don't do this until we can support file mounts in nullfs
+				/*var file *os.File
+				if file, err = os.OpenFile(target, os.O_WRONLY|os.O_CREATE, 0); err != nil {
+					return undoBinds, errors.Wrapf(err, "error creating mountpoint %q in mount namespace", target)
+				}
+				file.Close()
+				removes = append(removes, target)*/
+			}
+		}
+		logrus.Debugf("mount: %v", m)
+		switch m.Type {
+		case "nullfs":
+			// Do the bind mount.
+			if !srcinfo.IsDir() {
+				logrus.Debugf("emulating file mount %q on %q", m.Source, target)
+				_, err := os.Stat(target)
+				if err == nil {
+					save := saveDir(spec, target)
+					if _, err := os.Stat(save); err != nil {
+						if os.IsNotExist(err) {
+							err = os.MkdirAll(save, 0111)
+						}
+						if err != nil {
+							return undoBinds, fmt.Errorf("error creating file mount save directory %q: %w", save, err)
+						}
+						removes = append(removes, save)
+					}
+					savePath := filepath.Join(save, filepath.Base(target))
+					if _, err := os.Stat(target); err == nil {
+						logrus.Debugf("moving %q to %q", target, savePath)
+						if err := os.Rename(target, savePath); err != nil {
+							return undoBinds, fmt.Errorf("error moving %q to %q: %w", target, savePath, err)
+						}
+						renames = append(renames, rename{
+							from: target,
+							to:   savePath,
+						})
+					}
+				} else {
+					removes = append(removes, target)
+				}
+				if err := copyFile(m.Source, target); err != nil {
+					return undoBinds, fmt.Errorf("error copying %q to %q: %w", m.Source, target, err)
+				}
+			} else {
+				logrus.Debugf("bind mounting %q on %q", m.Destination, filepath.Join(spec.Root.Path, m.Destination))
+				if err := mount.Mount(m.Source, target, "nullfs", strings.Join(m.Options, ",")); err != nil {
+					return undoBinds, fmt.Errorf("error bind mounting %q from host to %q in mount namespace (%q): %w", m.Source, m.Destination, target, err)
+				}
+				logrus.Debugf("bind mounted %q to %q", m.Source, target)
+				unmounts = append(unmounts, target)
+			}
+		case "devfs", "fdescfs", "tmpfs":
+			// Mount /dev, /dev/fd.
+			if err := mount.Mount(m.Source, target, m.Type, strings.Join(m.Options, ",")); err != nil {
+				return undoBinds, fmt.Errorf("error mounting %q to %q in mount namespace (%q, %q): %w", m.Type, m.Destination, target, strings.Join(m.Options, ","), err)
+			}
+			logrus.Debugf("mounted a %q to %q", m.Type, target)
+			unmounts = append(unmounts, target)
+		}
+	}
+	return undoBinds, nil
+}
+
+// setPdeathsig sets a parent-death signal for the process
+func setPdeathsig(cmd *exec.Cmd) {
+	if cmd.SysProcAttr == nil {
+		cmd.SysProcAttr = &syscall.SysProcAttr{}
+	}
+	cmd.SysProcAttr.Pdeathsig = syscall.SIGKILL
+}

vendor/github.com/containers/buildah/chroot/run_linux.go

@@ -4,44 +4,23 @@
 package chroot
 
 import (
-	"bytes"
-	"encoding/json"
 	"errors"
 	"fmt"
-	"io"
-	"io/ioutil"
 	"os"
 	"os/exec"
-	"os/signal"
 	"path/filepath"
-	"runtime"
-	"strconv"
 	"strings"
-	"sync"
 	"syscall"
 	"time"
-	"unsafe"
 
-	"github.com/containers/buildah/bind"
 	"github.com/containers/buildah/copier"
-	"github.com/containers/buildah/util"
-	"github.com/containers/storage/pkg/ioutils"
 	"github.com/containers/storage/pkg/mount"
-	"github.com/containers/storage/pkg/reexec"
 	"github.com/containers/storage/pkg/unshare"
 	"github.com/opencontainers/runc/libcontainer/apparmor"
 	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/sirupsen/logrus"
 	"github.com/syndtr/gocapability/capability"
 	"golang.org/x/sys/unix"
-	"golang.org/x/term"
-)
-
-const (
-	// runUsingChrootCommand is a command we use as a key for reexec
-	runUsingChrootCommand = "buildah-chroot-runtime"
-	// runUsingChrootExec is a command we use as a key for reexec
-	runUsingChrootExecCommand = "buildah-chroot-exec"
 )
 
 var (
@@ -66,14 +45,6 @@ var (
 	rlimitsReverseMap = map[int]string{}
 )
 
-func init() {
-	reexec.Register(runUsingChrootCommand, runUsingChrootMain)
-	reexec.Register(runUsingChrootExecCommand, runUsingChrootExecMain)
-	for limitName, limitNumber := range rlimitsMap {
-		rlimitsReverseMap[limitNumber] = limitName
-	}
-}
-
 type runUsingChrootSubprocOptions struct {
 	Spec        *specs.Spec
 	BundlePath  string
@@ -81,495 +52,11 @@ type runUsingChrootSubprocOptions struct {
 	GIDMappings []syscall.SysProcIDMap
 }
 
-type runUsingChrootExecSubprocOptions struct {
-	Spec       *specs.Spec
-	BundlePath string
-}
-
-// RunUsingChroot runs a chrooted process, using some of the settings from the
-// passed-in spec, and using the specified bundlePath to hold temporary files,
-// directories, and mountpoints.
-func RunUsingChroot(spec *specs.Spec, bundlePath, homeDir string, stdin io.Reader, stdout, stderr io.Writer) (err error) {
-	var confwg sync.WaitGroup
-	var homeFound bool
-	for _, env := range spec.Process.Env {
-		if strings.HasPrefix(env, "HOME=") {
-			homeFound = true
-			break
-		}
-	}
-	if !homeFound {
-		spec.Process.Env = append(spec.Process.Env, fmt.Sprintf("HOME=%s", homeDir))
-	}
-	runtime.LockOSThread()
-	defer runtime.UnlockOSThread()
-
-	// Write the runtime configuration, mainly for debugging.
-	specbytes, err := json.Marshal(spec)
-	if err != nil {
-		return err
-	}
-	if err = ioutils.AtomicWriteFile(filepath.Join(bundlePath, "config.json"), specbytes, 0600); err != nil {
-		return fmt.Errorf("error storing runtime configuration: %w", err)
-	}
-	logrus.Debugf("config = %v", string(specbytes))
-
-	// Default to using stdin/stdout/stderr if we weren't passed objects to use.
-	if stdin == nil {
-		stdin = os.Stdin
-	}
-	if stdout == nil {
-		stdout = os.Stdout
-	}
-	if stderr == nil {
-		stderr = os.Stderr
-	}
-
-	// Create a pipe for passing configuration down to the next process.
-	preader, pwriter, err := os.Pipe()
-	if err != nil {
-		return fmt.Errorf("error creating configuration pipe: %w", err)
-	}
-	config, conferr := json.Marshal(runUsingChrootSubprocOptions{
-		Spec:       spec,
-		BundlePath: bundlePath,
-	})
-	if conferr != nil {
-		return fmt.Errorf("error encoding configuration for %q: %w", runUsingChrootCommand, conferr)
-	}
-
-	// Set our terminal's mode to raw, to pass handling of special
-	// terminal input to the terminal in the container.
-	if spec.Process.Terminal && term.IsTerminal(unix.Stdin) {
-		state, err := term.MakeRaw(unix.Stdin)
-		if err != nil {
-			logrus.Warnf("error setting terminal state: %v", err)
-		} else {
-			defer func() {
-				if err = term.Restore(unix.Stdin, state); err != nil {
-					logrus.Errorf("unable to restore terminal state: %v", err)
-				}
-			}()
-		}
-	}
-
-	// Raise any resource limits that are higher than they are now, before
-	// we drop any more privileges.
-	if err = setRlimits(spec, false, true); err != nil {
-		return err
-	}
-
-	// Start the grandparent subprocess.
-	cmd := unshare.Command(runUsingChrootCommand)
-	setPdeathsig(cmd.Cmd)
-	cmd.Stdin, cmd.Stdout, cmd.Stderr = stdin, stdout, stderr
-	cmd.Dir = "/"
-	cmd.Env = []string{fmt.Sprintf("LOGLEVEL=%d", logrus.GetLevel())}
-
-	interrupted := make(chan os.Signal, 100)
-	cmd.Hook = func(int) error {
-		signal.Notify(interrupted, syscall.SIGHUP, syscall.SIGINT, syscall.SIGTERM)
-		go func() {
-			for receivedSignal := range interrupted {
-				if err := cmd.Process.Signal(receivedSignal); err != nil {
-					logrus.Infof("%v while attempting to forward %v to child process", err, receivedSignal)
-				}
-			}
-		}()
-		return nil
-	}
-
-	logrus.Debugf("Running %#v in %#v", cmd.Cmd, cmd)
-	confwg.Add(1)
-	go func() {
-		_, conferr = io.Copy(pwriter, bytes.NewReader(config))
-		pwriter.Close()
-		confwg.Done()
-	}()
-	cmd.ExtraFiles = append([]*os.File{preader}, cmd.ExtraFiles...)
-	err = cmd.Run()
-	confwg.Wait()
-	signal.Stop(interrupted)
-	close(interrupted)
-	if err == nil {
-		return conferr
-	}
-	return err
-}
-
-// main() for grandparent subprocess.  Its main job is to shuttle stdio back
-// and forth, managing a pseudo-terminal if we want one, for our child, the
-// parent subprocess.
-func runUsingChrootMain() {
-	var options runUsingChrootSubprocOptions
-
-	runtime.LockOSThread()
-
-	// Set logging.
-	if level := os.Getenv("LOGLEVEL"); level != "" {
-		if ll, err := strconv.Atoi(level); err == nil {
-			logrus.SetLevel(logrus.Level(ll))
-		}
-		os.Unsetenv("LOGLEVEL")
-	}
-
-	// Unpack our configuration.
-	confPipe := os.NewFile(3, "confpipe")
-	if confPipe == nil {
-		fmt.Fprintf(os.Stderr, "error reading options pipe\n")
-		os.Exit(1)
-	}
-	defer confPipe.Close()
-	if err := json.NewDecoder(confPipe).Decode(&options); err != nil {
-		fmt.Fprintf(os.Stderr, "error decoding options: %v\n", err)
-		os.Exit(1)
-	}
-
-	if options.Spec == nil || options.Spec.Process == nil {
-		fmt.Fprintf(os.Stderr, "invalid options spec in runUsingChrootMain\n")
-		os.Exit(1)
-	}
-
-	// Prepare to shuttle stdio back and forth.
-	rootUID32, rootGID32, err := util.GetHostRootIDs(options.Spec)
-	if err != nil {
-		logrus.Errorf("error determining ownership for container stdio")
-		os.Exit(1)
-	}
-	rootUID := int(rootUID32)
-	rootGID := int(rootGID32)
-	relays := make(map[int]int)
-	closeOnceRunning := []*os.File{}
-	var ctty *os.File
-	var stdin io.Reader
-	var stdinCopy io.WriteCloser
-	var stdout io.Writer
-	var stderr io.Writer
-	fdDesc := make(map[int]string)
-	if options.Spec.Process.Terminal {
-		// Create a pseudo-terminal -- open a copy of the master side.
-		ptyMasterFd, err := unix.Open("/dev/ptmx", os.O_RDWR, 0600)
-		if err != nil {
-			logrus.Errorf("error opening PTY master using /dev/ptmx: %v", err)
-			os.Exit(1)
-		}
-		// Set the kernel's lock to "unlocked".
-		locked := 0
-		if result, _, err := unix.Syscall(unix.SYS_IOCTL, uintptr(ptyMasterFd), unix.TIOCSPTLCK, uintptr(unsafe.Pointer(&locked))); int(result) == -1 {
-			logrus.Errorf("error unlocking PTY descriptor: %v", err)
-			os.Exit(1)
-		}
-		// Get a handle for the other end.
-		ptyFd, _, err := unix.Syscall(unix.SYS_IOCTL, uintptr(ptyMasterFd), unix.TIOCGPTPEER, unix.O_RDWR|unix.O_NOCTTY)
-		if int(ptyFd) == -1 {
-			if errno, isErrno := err.(syscall.Errno); !isErrno || (errno != syscall.EINVAL && errno != syscall.ENOTTY) {
-				logrus.Errorf("error getting PTY descriptor: %v", err)
-				os.Exit(1)
-			}
-			// EINVAL means the kernel's too old to understand TIOCGPTPEER.  Try TIOCGPTN.
-			ptyN, err := unix.IoctlGetInt(ptyMasterFd, unix.TIOCGPTN)
-			if err != nil {
-				logrus.Errorf("error getting PTY number: %v", err)
-				os.Exit(1)
-			}
-			ptyName := fmt.Sprintf("/dev/pts/%d", ptyN)
-			fd, err := unix.Open(ptyName, unix.O_RDWR|unix.O_NOCTTY, 0620)
-			if err != nil {
-				logrus.Errorf("error opening PTY %q: %v", ptyName, err)
-				os.Exit(1)
-			}
-			ptyFd = uintptr(fd)
-		}
-		// Make notes about what's going where.
-		relays[ptyMasterFd] = unix.Stdout
-		relays[unix.Stdin] = ptyMasterFd
-		fdDesc[ptyMasterFd] = "container terminal"
-		fdDesc[unix.Stdin] = "stdin"
-		fdDesc[unix.Stdout] = "stdout"
-		winsize := &unix.Winsize{}
-		// Set the pseudoterminal's size to the configured size, or our own.
-		if options.Spec.Process.ConsoleSize != nil {
-			// Use configured sizes.
-			winsize.Row = uint16(options.Spec.Process.ConsoleSize.Height)
-			winsize.Col = uint16(options.Spec.Process.ConsoleSize.Width)
-		} else {
-			if term.IsTerminal(unix.Stdin) {
-				// Use the size of our terminal.
-				winsize, err = unix.IoctlGetWinsize(unix.Stdin, unix.TIOCGWINSZ)
-				if err != nil {
-					logrus.Debugf("error reading current terminal's size")
-					winsize.Row = 0
-					winsize.Col = 0
-				}
-			}
-		}
-		if winsize.Row != 0 && winsize.Col != 0 {
-			if err = unix.IoctlSetWinsize(int(ptyFd), unix.TIOCSWINSZ, winsize); err != nil {
-				logrus.Warnf("error setting terminal size for pty")
-			}
-			// FIXME - if we're connected to a terminal, we should
-			// be passing the updated terminal size down when we
-			// receive a SIGWINCH.
-		}
-		// Open an *os.File object that we can pass to our child.
-		ctty = os.NewFile(ptyFd, "/dev/tty")
-		// Set ownership for the PTY.
-		if err = ctty.Chown(rootUID, rootGID); err != nil {
-			var cttyInfo unix.Stat_t
-			err2 := unix.Fstat(int(ptyFd), &cttyInfo)
-			from := ""
-			op := "setting"
-			if err2 == nil {
-				op = "changing"
-				from = fmt.Sprintf("from %d/%d ", cttyInfo.Uid, cttyInfo.Gid)
-			}
-			logrus.Warnf("error %s ownership of container PTY %sto %d/%d: %v", op, from, rootUID, rootGID, err)
-		}
-		// Set permissions on the PTY.
-		if err = ctty.Chmod(0620); err != nil {
-			logrus.Errorf("error setting permissions of container PTY: %v", err)
-			os.Exit(1)
-		}
-		// Make a note that our child (the parent subprocess) should
-		// have the PTY connected to its stdio, and that we should
-		// close it once it's running.
-		stdin = ctty
-		stdout = ctty
-		stderr = ctty
-		closeOnceRunning = append(closeOnceRunning, ctty)
-	} else {
-		// Create pipes for stdio.
-		stdinRead, stdinWrite, err := os.Pipe()
-		if err != nil {
-			logrus.Errorf("error opening pipe for stdin: %v", err)
-		}
-		stdoutRead, stdoutWrite, err := os.Pipe()
-		if err != nil {
-			logrus.Errorf("error opening pipe for stdout: %v", err)
-		}
-		stderrRead, stderrWrite, err := os.Pipe()
-		if err != nil {
-			logrus.Errorf("error opening pipe for stderr: %v", err)
-		}
-		// Make notes about what's going where.
-		relays[unix.Stdin] = int(stdinWrite.Fd())
-		relays[int(stdoutRead.Fd())] = unix.Stdout
-		relays[int(stderrRead.Fd())] = unix.Stderr
-		fdDesc[int(stdinWrite.Fd())] = "container stdin pipe"
-		fdDesc[int(stdoutRead.Fd())] = "container stdout pipe"
-		fdDesc[int(stderrRead.Fd())] = "container stderr pipe"
-		fdDesc[unix.Stdin] = "stdin"
-		fdDesc[unix.Stdout] = "stdout"
-		fdDesc[unix.Stderr] = "stderr"
-		// Set ownership for the pipes.
-		if err = stdinRead.Chown(rootUID, rootGID); err != nil {
-			logrus.Errorf("error setting ownership of container stdin pipe: %v", err)
-			os.Exit(1)
-		}
-		if err = stdoutWrite.Chown(rootUID, rootGID); err != nil {
-			logrus.Errorf("error setting ownership of container stdout pipe: %v", err)
-			os.Exit(1)
-		}
-		if err = stderrWrite.Chown(rootUID, rootGID); err != nil {
-			logrus.Errorf("error setting ownership of container stderr pipe: %v", err)
-			os.Exit(1)
-		}
-		// Make a note that our child (the parent subprocess) should
-		// have the pipes connected to its stdio, and that we should
-		// close its ends of them once it's running.
-		stdin = stdinRead
-		stdout = stdoutWrite
-		stderr = stderrWrite
-		closeOnceRunning = append(closeOnceRunning, stdinRead, stdoutWrite, stderrWrite)
-		stdinCopy = stdinWrite
-		defer stdoutRead.Close()
-		defer stderrRead.Close()
-	}
-	for readFd, writeFd := range relays {
-		if err := unix.SetNonblock(readFd, true); err != nil {
-			logrus.Errorf("error setting descriptor %d (%s) non-blocking: %v", readFd, fdDesc[readFd], err)
-			return
-		}
-		if err := unix.SetNonblock(writeFd, false); err != nil {
-			logrus.Errorf("error setting descriptor %d (%s) blocking: %v", relays[writeFd], fdDesc[writeFd], err)
-			return
-		}
-	}
-	if err := unix.SetNonblock(relays[unix.Stdin], true); err != nil {
-		logrus.Errorf("error setting %d to nonblocking: %v", relays[unix.Stdin], err)
-	}
-	go func() {
-		buffers := make(map[int]*bytes.Buffer)
-		for _, writeFd := range relays {
-			buffers[writeFd] = new(bytes.Buffer)
-		}
-		pollTimeout := -1
-		stdinClose := false
-		for len(relays) > 0 {
-			fds := make([]unix.PollFd, 0, len(relays))
-			for fd := range relays {
-				fds = append(fds, unix.PollFd{Fd: int32(fd), Events: unix.POLLIN | unix.POLLHUP})
-			}
-			_, err := unix.Poll(fds, pollTimeout)
-			if !util.LogIfNotRetryable(err, fmt.Sprintf("poll: %v", err)) {
-				return
-			}
-			removeFds := make(map[int]struct{})
-			for _, rfd := range fds {
-				if rfd.Revents&unix.POLLHUP == unix.POLLHUP {
-					removeFds[int(rfd.Fd)] = struct{}{}
-				}
-				if rfd.Revents&unix.POLLNVAL == unix.POLLNVAL {
-					logrus.Debugf("error polling descriptor %s: closed?", fdDesc[int(rfd.Fd)])
-					removeFds[int(rfd.Fd)] = struct{}{}
-				}
-				if rfd.Revents&unix.POLLIN == 0 {
-					if stdinClose && stdinCopy == nil {
-						continue
-					}
-					continue
-				}
-				b := make([]byte, 8192)
-				nread, err := unix.Read(int(rfd.Fd), b)
-				util.LogIfNotRetryable(err, fmt.Sprintf("read %s: %v", fdDesc[int(rfd.Fd)], err))
-				if nread > 0 {
-					if wfd, ok := relays[int(rfd.Fd)]; ok {
-						nwritten, err := buffers[wfd].Write(b[:nread])
-						if err != nil {
-							logrus.Debugf("buffer: %v", err)
-							continue
-						}
-						if nwritten != nread {
-							logrus.Debugf("buffer: expected to buffer %d bytes, wrote %d", nread, nwritten)
-							continue
-						}
-					}
-					// If this is the last of the data we'll be able to read
-					// from this descriptor, read as much as there is to read.
-					for rfd.Revents&unix.POLLHUP == unix.POLLHUP {
-						nr, err := unix.Read(int(rfd.Fd), b)
-						util.LogIfUnexpectedWhileDraining(err, fmt.Sprintf("read %s: %v", fdDesc[int(rfd.Fd)], err))
-						if nr <= 0 {
-							break
-						}
-						if wfd, ok := relays[int(rfd.Fd)]; ok {
-							nwritten, err := buffers[wfd].Write(b[:nr])
-							if err != nil {
-								logrus.Debugf("buffer: %v", err)
-								break
-							}
-							if nwritten != nr {
-								logrus.Debugf("buffer: expected to buffer %d bytes, wrote %d", nr, nwritten)
-								break
-							}
-						}
-					}
-				}
-				if nread == 0 {
-					removeFds[int(rfd.Fd)] = struct{}{}
-				}
-			}
-			pollTimeout = -1
-			for wfd, buffer := range buffers {
-				if buffer.Len() > 0 {
-					nwritten, err := unix.Write(wfd, buffer.Bytes())
-					util.LogIfNotRetryable(err, fmt.Sprintf("write %s: %v", fdDesc[wfd], err))
-					if nwritten >= 0 {
-						_ = buffer.Next(nwritten)
-					}
-				}
-				if buffer.Len() > 0 {
-					pollTimeout = 100
-				}
-				if wfd == relays[unix.Stdin] && stdinClose && buffer.Len() == 0 {
-					stdinCopy.Close()
-					delete(relays, unix.Stdin)
-				}
-			}
-			for rfd := range removeFds {
-				if rfd == unix.Stdin {
-					buffer, found := buffers[relays[unix.Stdin]]
-					if found && buffer.Len() > 0 {
-						stdinClose = true
-						continue
-					}
-				}
-				if !options.Spec.Process.Terminal && rfd == unix.Stdin {
-					stdinCopy.Close()
-				}
-				delete(relays, rfd)
-			}
-		}
-	}()
-
-	// Set up mounts and namespaces, and run the parent subprocess.
-	status, err := runUsingChroot(options.Spec, options.BundlePath, ctty, stdin, stdout, stderr, closeOnceRunning)
-	if err != nil {
-		fmt.Fprintf(os.Stderr, "error running subprocess: %v\n", err)
-		os.Exit(1)
-	}
-
-	// Pass the process's exit status back to the caller by exiting with the same status.
-	if status.Exited() {
-		if status.ExitStatus() != 0 {
-			fmt.Fprintf(os.Stderr, "subprocess exited with status %d\n", status.ExitStatus())
-		}
-		os.Exit(status.ExitStatus())
-	} else if status.Signaled() {
-		fmt.Fprintf(os.Stderr, "subprocess exited on %s\n", status.Signal())
-		os.Exit(1)
-	}
-}
-
-// runUsingChroot, still in the grandparent process, sets up various bind
-// mounts and then runs the parent process in its own user namespace with the
-// necessary ID mappings.
-func runUsingChroot(spec *specs.Spec, bundlePath string, ctty *os.File, stdin io.Reader, stdout, stderr io.Writer, closeOnceRunning []*os.File) (wstatus unix.WaitStatus, err error) {
-	var confwg sync.WaitGroup
-
-	// Create a new mount namespace for ourselves and bind mount everything to a new location.
-	undoIntermediates, err := bind.SetupIntermediateMountNamespace(spec, bundlePath)
-	if err != nil {
-		return 1, err
-	}
-	defer func() {
-		if undoErr := undoIntermediates(); undoErr != nil {
-			logrus.Debugf("error cleaning up intermediate mount NS: %v", err)
-		}
-	}()
-
-	// Bind mount in our filesystems.
-	undoChroots, err := setupChrootBindMounts(spec, bundlePath)
-	if err != nil {
-		return 1, err
-	}
-	defer func() {
-		if undoErr := undoChroots(); undoErr != nil {
-			logrus.Debugf("error cleaning up intermediate chroot bind mounts: %v", err)
-		}
-	}()
-
-	// Create a pipe for passing configuration down to the next process.
-	preader, pwriter, err := os.Pipe()
-	if err != nil {
-		return 1, fmt.Errorf("error creating configuration pipe: %w", err)
-	}
-	config, conferr := json.Marshal(runUsingChrootExecSubprocOptions{
-		Spec:       spec,
-		BundlePath: bundlePath,
-	})
-	if conferr != nil {
-		fmt.Fprintf(os.Stderr, "error re-encoding configuration for %q", runUsingChrootExecCommand)
-		os.Exit(1)
-	}
-
-	// Apologize for the namespace configuration that we're about to ignore.
-	logNamespaceDiagnostics(spec)
-
+func setPlatformUnshareOptions(spec *specs.Spec, cmd *unshare.Cmd) error {
 	// If we have configured ID mappings, set them here so that they can apply to the child.
 	hostUidmap, hostGidmap, err := unshare.GetHostIDMappings("")
 	if err != nil {
-		return 1, err
+		return err
 	}
 	uidmap, gidmap := spec.Linux.UIDMappings, spec.Linux.GIDMappings
 	if len(uidmap) == 0 {
@@ -587,12 +74,6 @@ func runUsingChroot(spec *specs.Spec, bundlePath string, ctty *os.File, stdin io
 		}
 	}
 
-	// Start the parent subprocess.
-	cmd := unshare.Command(append([]string{runUsingChrootExecCommand}, spec.Process.Args...)...)
-	setPdeathsig(cmd.Cmd)
-	cmd.Stdin, cmd.Stdout, cmd.Stderr = stdin, stdout, stderr
-	cmd.Dir = "/"
-	cmd.Env = []string{fmt.Sprintf("LOGLEVEL=%d", logrus.GetLevel())}
 	cmd.UnshareFlags = syscall.CLONE_NEWUTS | syscall.CLONE_NEWNS
 	requestedUserNS := false
 	for _, ns := range spec.Linux.Namespaces {
@@ -606,258 +87,13 @@ func runUsingChroot(spec *specs.Spec, bundlePath string, ctty *os.File, stdin io
 		cmd.GidMappings = gidmap
 		cmd.GidMappingsEnableSetgroups = true
 	}
-	if ctty != nil {
-		cmd.Setsid = true
-		cmd.Ctty = ctty
-	}
 	cmd.OOMScoreAdj = spec.Process.OOMScoreAdj
-	cmd.ExtraFiles = append([]*os.File{preader}, cmd.ExtraFiles...)
-	interrupted := make(chan os.Signal, 100)
-	cmd.Hook = func(int) error {
-		for _, f := range closeOnceRunning {
-			f.Close()
-		}
-		signal.Notify(interrupted, syscall.SIGHUP, syscall.SIGINT, syscall.SIGTERM)
-		go func() {
-			for receivedSignal := range interrupted {
-				if err := cmd.Process.Signal(receivedSignal); err != nil {
-					logrus.Infof("%v while attempting to forward %v to child process", err, receivedSignal)
-				}
-			}
-		}()
 	return nil
 }
 
-	logrus.Debugf("Running %#v in %#v", cmd.Cmd, cmd)
-	confwg.Add(1)
-	go func() {
-		_, conferr = io.Copy(pwriter, bytes.NewReader(config))
-		pwriter.Close()
-		confwg.Done()
-	}()
-	err = cmd.Run()
-	confwg.Wait()
-	signal.Stop(interrupted)
-	close(interrupted)
-	if err != nil {
-		if exitError, ok := err.(*exec.ExitError); ok {
-			if waitStatus, ok := exitError.ProcessState.Sys().(syscall.WaitStatus); ok {
-				if waitStatus.Exited() {
-					if waitStatus.ExitStatus() != 0 {
-						fmt.Fprintf(os.Stderr, "subprocess exited with status %d\n", waitStatus.ExitStatus())
-					}
-					os.Exit(waitStatus.ExitStatus())
-				} else if waitStatus.Signaled() {
-					fmt.Fprintf(os.Stderr, "subprocess exited on %s\n", waitStatus.Signal())
-					os.Exit(1)
-				}
-			}
-		}
-		fmt.Fprintf(os.Stderr, "process exited with error: %v", err)
-		os.Exit(1)
-	}
-
-	return 0, nil
-}
-
-// main() for parent subprocess.  Its main job is to try to make our
-// environment look like the one described by the runtime configuration blob,
-// and then launch the intended command as a child.
-func runUsingChrootExecMain() {
-	args := os.Args[1:]
-	var options runUsingChrootExecSubprocOptions
-	var err error
-
-	runtime.LockOSThread()
-
-	// Set logging.
-	if level := os.Getenv("LOGLEVEL"); level != "" {
-		if ll, err := strconv.Atoi(level); err == nil {
-			logrus.SetLevel(logrus.Level(ll))
-		}
-		os.Unsetenv("LOGLEVEL")
-	}
-
-	// Unpack our configuration.
-	confPipe := os.NewFile(3, "confpipe")
-	if confPipe == nil {
-		fmt.Fprintf(os.Stderr, "error reading options pipe\n")
-		os.Exit(1)
-	}
-	defer confPipe.Close()
-	if err := json.NewDecoder(confPipe).Decode(&options); err != nil {
-		fmt.Fprintf(os.Stderr, "error decoding options: %v\n", err)
-		os.Exit(1)
-	}
-
-	// Set the hostname.  We're already in a distinct UTS namespace and are admins in the user
-	// namespace which created it, so we shouldn't get a permissions error, but seccomp policy
-	// might deny our attempt to call sethostname() anyway, so log a debug message for that.
-	if options.Spec == nil || options.Spec.Process == nil {
-		fmt.Fprintf(os.Stderr, "invalid options spec passed in\n")
-		os.Exit(1)
-	}
-
-	if options.Spec.Hostname != "" {
-		if err := unix.Sethostname([]byte(options.Spec.Hostname)); err != nil {
-			logrus.Debugf("failed to set hostname %q for process: %v", options.Spec.Hostname, err)
-		}
-	}
-
-	// Try to chroot into the root.  Do this before we potentially block the syscall via the
-	// seccomp profile.
-	var oldst, newst unix.Stat_t
-	if err := unix.Stat(options.Spec.Root.Path, &oldst); err != nil {
-		fmt.Fprintf(os.Stderr, "error stat()ing intended root directory %q: %v\n", options.Spec.Root.Path, err)
-		os.Exit(1)
-	}
-	if err := unix.Chdir(options.Spec.Root.Path); err != nil {
-		fmt.Fprintf(os.Stderr, "error chdir()ing to intended root directory %q: %v\n", options.Spec.Root.Path, err)
-		os.Exit(1)
-	}
-	if err := unix.Chroot(options.Spec.Root.Path); err != nil {
-		fmt.Fprintf(os.Stderr, "error chroot()ing into directory %q: %v\n", options.Spec.Root.Path, err)
-		os.Exit(1)
-	}
-	if err := unix.Stat("/", &newst); err != nil {
-		fmt.Fprintf(os.Stderr, "error stat()ing current root directory: %v\n", err)
-		os.Exit(1)
-	}
-	if oldst.Dev != newst.Dev || oldst.Ino != newst.Ino {
-		fmt.Fprintf(os.Stderr, "unknown error chroot()ing into directory %q: %v\n", options.Spec.Root.Path, err)
-		os.Exit(1)
-	}
-	logrus.Debugf("chrooted into %q", options.Spec.Root.Path)
-
-	// not doing because it's still shared: creating devices
-	// not doing because it's not applicable: setting annotations
-	// not doing because it's still shared: setting sysctl settings
-	// not doing because cgroupfs is read only: configuring control groups
-	// -> this means we can use the freezer to make sure there aren't any lingering processes
-	// -> this means we ignore cgroups-based controls
-	// not doing because we don't set any in the config: running hooks
-	// not doing because we don't set it in the config: setting rootfs read-only
-	// not doing because we don't set it in the config: setting rootfs propagation
-	logrus.Debugf("setting apparmor profile")
-	if err = setApparmorProfile(options.Spec); err != nil {
-		fmt.Fprintf(os.Stderr, "error setting apparmor profile for process: %v\n", err)
-		os.Exit(1)
-	}
-	if err = setSelinuxLabel(options.Spec); err != nil {
-		fmt.Fprintf(os.Stderr, "error setting SELinux label for process: %v\n", err)
-		os.Exit(1)
-	}
-
-	logrus.Debugf("setting resource limits")
-	if err = setRlimits(options.Spec, false, false); err != nil {
-		fmt.Fprintf(os.Stderr, "error setting process resource limits for process: %v\n", err)
-		os.Exit(1)
-	}
-
-	// Try to change to the directory.
-	cwd := options.Spec.Process.Cwd
-	if !filepath.IsAbs(cwd) {
-		cwd = "/" + cwd
-	}
-	cwd = filepath.Clean(cwd)
-	if err := unix.Chdir("/"); err != nil {
-		fmt.Fprintf(os.Stderr, "error chdir()ing into new root directory %q: %v\n", options.Spec.Root.Path, err)
-		os.Exit(1)
-	}
-	if err := unix.Chdir(cwd); err != nil {
-		fmt.Fprintf(os.Stderr, "error chdir()ing into directory %q under root %q: %v\n", cwd, options.Spec.Root.Path, err)
-		os.Exit(1)
-	}
-	logrus.Debugf("changed working directory to %q", cwd)
-
-	// Drop privileges.
-	user := options.Spec.Process.User
-	if len(user.AdditionalGids) > 0 {
-		gids := make([]int, len(user.AdditionalGids))
-		for i := range user.AdditionalGids {
-			gids[i] = int(user.AdditionalGids[i])
-		}
-		logrus.Debugf("setting supplemental groups")
-		if err = syscall.Setgroups(gids); err != nil {
-			fmt.Fprintf(os.Stderr, "error setting supplemental groups list: %v", err)
-			os.Exit(1)
-		}
-	} else {
-		setgroups, _ := ioutil.ReadFile("/proc/self/setgroups")
-		if strings.Trim(string(setgroups), "\n") != "deny" {
-			logrus.Debugf("clearing supplemental groups")
-			if err = syscall.Setgroups([]int{}); err != nil {
-				fmt.Fprintf(os.Stderr, "error clearing supplemental groups list: %v", err)
-				os.Exit(1)
-			}
-		}
-	}
-
-	logrus.Debugf("setting gid")
-	if err = syscall.Setresgid(int(user.GID), int(user.GID), int(user.GID)); err != nil {
-		fmt.Fprintf(os.Stderr, "error setting GID: %v", err)
-		os.Exit(1)
-	}
-
-	if err = setSeccomp(options.Spec); err != nil {
-		fmt.Fprintf(os.Stderr, "error setting seccomp filter for process: %v\n", err)
-		os.Exit(1)
-	}
-
-	logrus.Debugf("setting capabilities")
-	var keepCaps []string
-	if user.UID != 0 {
-		keepCaps = []string{"CAP_SETUID"}
-	}
-	if err := setCapabilities(options.Spec, keepCaps...); err != nil {
-		fmt.Fprintf(os.Stderr, "error setting capabilities for process: %v\n", err)
-		os.Exit(1)
-	}
-
-	logrus.Debugf("setting uid")
-	if err = syscall.Setresuid(int(user.UID), int(user.UID), int(user.UID)); err != nil {
-		fmt.Fprintf(os.Stderr, "error setting UID: %v", err)
-		os.Exit(1)
-	}
-
-	// Actually run the specified command.
-	cmd := exec.Command(args[0], args[1:]...)
-	setPdeathsig(cmd)
-	cmd.Env = options.Spec.Process.Env
-	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
-	cmd.Dir = cwd
-	logrus.Debugf("Running %#v (PATH = %q)", cmd, os.Getenv("PATH"))
-	interrupted := make(chan os.Signal, 100)
-	if err = cmd.Start(); err != nil {
-		fmt.Fprintf(os.Stderr, "process failed to start with error: %v", err)
-	}
-	go func() {
-		for range interrupted {
-			if err := cmd.Process.Signal(syscall.SIGKILL); err != nil {
-				logrus.Infof("%v while attempting to send SIGKILL to child process", err)
-			}
-		}
-	}()
-	signal.Notify(interrupted, syscall.SIGHUP, syscall.SIGINT, syscall.SIGTERM)
-	err = cmd.Wait()
-	signal.Stop(interrupted)
-	close(interrupted)
-	if err != nil {
-		if exitError, ok := err.(*exec.ExitError); ok {
-			if waitStatus, ok := exitError.ProcessState.Sys().(syscall.WaitStatus); ok {
-				if waitStatus.Exited() {
-					if waitStatus.ExitStatus() != 0 {
-						fmt.Fprintf(os.Stderr, "subprocess exited with status %d\n", waitStatus.ExitStatus())
-					}
-					os.Exit(waitStatus.ExitStatus())
-				} else if waitStatus.Signaled() {
-					fmt.Fprintf(os.Stderr, "subprocess exited on %s\n", waitStatus.Signal())
-					os.Exit(1)
-				}
-			}
-		}
-		fmt.Fprintf(os.Stderr, "process exited with error: %v", err)
-		os.Exit(1)
+func setContainerHostname(name string) {
+	if err := unix.Sethostname([]byte(name)); err != nil {
+		logrus.Debugf("failed to set hostname %q for process: %v", name, err)
 	}
 }
 
@@ -985,48 +221,12 @@ func setCapabilities(spec *specs.Spec, keepCaps ...string) error {
 	return nil
 }
 
-// parses the resource limits for ourselves and any processes that
-// we'll start into a format that's more in line with the kernel APIs
-func parseRlimits(spec *specs.Spec) (map[int]unix.Rlimit, error) {
-	if spec.Process == nil {
-		return nil, nil
-	}
-	parsed := make(map[int]unix.Rlimit)
-	for _, limit := range spec.Process.Rlimits {
-		resource, recognized := rlimitsMap[strings.ToUpper(limit.Type)]
-		if !recognized {
-			return nil, fmt.Errorf("error parsing limit type %q", limit.Type)
-		}
-		parsed[resource] = unix.Rlimit{Cur: limit.Soft, Max: limit.Hard}
-	}
-	return parsed, nil
+func makeRlimit(limit specs.POSIXRlimit) unix.Rlimit {
+	return unix.Rlimit{Cur: limit.Soft, Max: limit.Hard}
 }
 
-// setRlimits sets any resource limits that we want to apply to processes that
-// we'll start.
-func setRlimits(spec *specs.Spec, onlyLower, onlyRaise bool) error {
-	limits, err := parseRlimits(spec)
-	if err != nil {
-		return err
-	}
-	for resource, desired := range limits {
-		var current unix.Rlimit
-		if err := unix.Getrlimit(resource, &current); err != nil {
-			return fmt.Errorf("error reading %q limit: %w", rlimitsReverseMap[resource], err)
-		}
-		if desired.Max > current.Max && onlyLower {
-			// this would raise a hard limit, and we're only here to lower them
-			continue
-		}
-		if desired.Max < current.Max && onlyRaise {
-			// this would lower a hard limit, and we're only here to raise them
-			continue
-		}
-		if err := unix.Setrlimit(resource, &desired); err != nil {
-			return fmt.Errorf("error setting %q limit to soft=%d,hard=%d (was soft=%d,hard=%d): %w", rlimitsReverseMap[resource], desired.Cur, desired.Max, current.Cur, current.Max, err)
-		}
-	}
-	return nil
+func createPlatformContainer(options runUsingChrootExecSubprocOptions) error {
+	return errors.New("unsupported createPlatformContainer")
 }
 
 func makeReadOnly(mntpoint string, flags uintptr) error {
@@ -1043,21 +243,6 @@ func makeReadOnly(mntpoint string, flags uintptr) error {
 	return nil
 }
 
-func isDevNull(dev os.FileInfo) bool {
-	if dev.Mode()&os.ModeCharDevice != 0 {
-		stat, _ := dev.Sys().(*syscall.Stat_t)
-		nullStat := syscall.Stat_t{}
-		if err := syscall.Stat(os.DevNull, &nullStat); err != nil {
-			logrus.Warnf("unable to stat /dev/null: %v", err)
-			return false
-		}
-		if stat.Rdev == nullStat.Rdev {
-			return true
-		}
-	}
-	return false
-}
-
 // setupChrootBindMounts actually bind mounts things under the rootfs, and returns a
 // callback that will clean up its work.
 func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func() error, err error) {

vendor/github.com/containers/buildah/chroot/seccomp_freebsd.go

@@ -0,0 +1,13 @@
+//go:build freebsd && seccomp
+// +build freebsd,seccomp
+
+package chroot
+
+import (
+	"github.com/opencontainers/runtime-spec/specs-go"
+)
+
+func setSeccomp(spec *specs.Spec) error {
+	// Ignore this on FreeBSD
+	return nil
+}

vendor/github.com/containers/buildah/chroot/seccomp_unsupported.go

@@ -1,5 +1,5 @@
-//go:build !linux || !seccomp
-// +build !linux !seccomp
+//go:build (!linux && !freebsd) || !seccomp
+// +build !linux,!freebsd !seccomp
 
 package chroot
 

vendor/github.com/containers/buildah/chroot/selinux_unsupported.go

@@ -1,5 +1,5 @@
-//go:build !linux
-// +build !linux
+//go:build !linux && !freebsd
+// +build !linux,!freebsd
 
 package chroot
 

vendor/github.com/containers/buildah/chroot/unsupported.go

@@ -1,5 +1,5 @@
-//go:build !linux
-// +build !linux
+//go:build !linux && !freebsd
+// +build !linux,!freebsd
 
 package chroot
 

vendor/github.com/containers/buildah/commit.go

@@ -374,17 +374,17 @@ func (b *Builder) Commit(ctx context.Context, dest types.ImageReference, options
 	}
 	if err == nil {
 		imgID = img.ID
-		prunedNames := make([]string, 0, len(img.Names))
+		toPruneNames := make([]string, 0, len(img.Names))
 		for _, name := range img.Names {
-			if !(nameToRemove != "" && strings.Contains(name, nameToRemove)) {
-				prunedNames = append(prunedNames, name)
+			if nameToRemove != "" && strings.Contains(name, nameToRemove) {
+				toPruneNames = append(toPruneNames, name)
 			}
 		}
-		if len(prunedNames) < len(img.Names) {
-			if err = b.store.SetNames(imgID, prunedNames); err != nil {
-				return imgID, nil, "", fmt.Errorf("failed to prune temporary name from image %q: %w", imgID, err)
+		if len(toPruneNames) > 0 {
+			if err = b.store.RemoveNames(imgID, toPruneNames); err != nil {
+				return imgID, nil, "", fmt.Errorf("failed to remove temporary name from image %q: %w", imgID, err)
 			}
-			logrus.Debugf("reassigned names %v to image %q", prunedNames, img.ID)
+			logrus.Debugf("removing %v from assigned names to image %q", nameToRemove, img.ID)
 			dest2, err := is.Transport.ParseStoreReference(b.store, "@"+imgID)
 			if err != nil {
 				return imgID, nil, "", fmt.Errorf("error creating unnamed destination reference for image: %w", err)

vendor/github.com/containers/buildah/copier/xattrs.go

@@ -4,12 +4,12 @@
 package copier
 
 import (
+	"errors"
 	"fmt"
 	"path/filepath"
 	"strings"
 	"syscall"
 
-	"github.com/containers/buildah/util"
 	"golang.org/x/sys/unix"
 )
 
@@ -45,11 +45,11 @@ func Lgetxattrs(path string) (map[string]string, error) {
 		list = make([]byte, listSize)
 		size, err := unix.Llistxattr(path, list)
 		if err != nil {
-			if util.Cause(err) == syscall.ERANGE {
+			if errors.Is(err, syscall.ERANGE) {
 				listSize *= 2
 				continue
 			}
-			if (util.Cause(err) == syscall.ENOTSUP) || (util.Cause(err) == syscall.ENOSYS) {
+			if errors.Is(err, syscall.ENOTSUP) || errors.Is(err, syscall.ENOSYS) {
 				// treat these errors listing xattrs as equivalent to "no xattrs"
 				list = list[:0]
 				break
@@ -71,7 +71,7 @@ func Lgetxattrs(path string) (map[string]string, error) {
 				attributeValue = make([]byte, attributeSize)
 				size, err := unix.Lgetxattr(path, attribute, attributeValue)
 				if err != nil {
-					if util.Cause(err) == syscall.ERANGE {
+					if errors.Is(err, syscall.ERANGE) {
 						attributeSize *= 2
 						continue
 					}

vendor/github.com/containers/buildah/define/types.go

@@ -30,7 +30,7 @@ const (
 	Package = "buildah"
 	// Version for the Package.  Bump version in contrib/rpm/buildah.spec
 	// too.
-	Version = "1.27.0"
+	Version = "1.28.0-dev"
 
 	// DefaultRuntime if containers.conf fails.
 	DefaultRuntime = "runc"

vendor/github.com/containers/buildah/go.mod

@@ -3,7 +3,7 @@ module github.com/containers/buildah
 go 1.17
 
 require (
-	github.com/containerd/containerd v1.6.6
+	github.com/containerd/containerd v1.6.8
 	github.com/containernetworking/cni v1.1.2
 	github.com/containers/common v0.49.1
 	github.com/containers/image/v5 v5.22.0
@@ -11,16 +11,16 @@ require (
 	github.com/containers/storage v1.42.0
 	github.com/docker/distribution v2.8.1+incompatible
 	github.com/docker/docker v20.10.17+incompatible
-	github.com/docker/go-units v0.4.0
-	github.com/fsouza/go-dockerclient v1.8.1
+	github.com/docker/go-units v0.5.0
+	github.com/fsouza/go-dockerclient v1.8.3
 	github.com/ghodss/yaml v1.0.0
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/mattn/go-shellwords v1.0.12
 	github.com/onsi/ginkgo v1.16.5
-	github.com/onsi/gomega v1.20.0
+	github.com/onsi/gomega v1.20.1
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.0.3-0.20220114050600-8b9d41f48198
-	github.com/opencontainers/runc v1.1.3
+	github.com/opencontainers/runc v1.1.4
 	github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417
 	github.com/opencontainers/runtime-tools v0.9.1-0.20220714195903-17b3287fafb7
 	github.com/opencontainers/selinux v1.10.1
@@ -42,7 +42,7 @@ require (
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
 	github.com/BurntSushi/toml v1.2.0 // indirect
 	github.com/Microsoft/go-winio v0.5.2 // indirect
-	github.com/Microsoft/hcsshim v0.9.3 // indirect
+	github.com/Microsoft/hcsshim v0.9.4 // indirect
 	github.com/VividCortex/ewma v1.2.0 // indirect
 	github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d // indirect
 	github.com/beorn7/perks v1.0.1 // indirect

vendor/github.com/containers/buildah/go.sum

@@ -123,8 +123,9 @@ github.com/Microsoft/hcsshim v0.8.21/go.mod h1:+w2gRZ5ReXQhFOrvSQeNfhrYB/dg3oDwT
 github.com/Microsoft/hcsshim v0.8.22/go.mod h1:91uVCVzvX2QD16sMCenoxxXo6L1wJnLMX2PSufFMtF0=
 github.com/Microsoft/hcsshim v0.8.23/go.mod h1:4zegtUJth7lAvFyc6cH2gGQ5B3OFQim01nnU2M8jKDg=
 github.com/Microsoft/hcsshim v0.9.2/go.mod h1:7pLA8lDk46WKDWlVsENo92gC0XFa8rbKfyFRBqxEbCc=
-github.com/Microsoft/hcsshim v0.9.3 h1:k371PzBuRrz2b+ebGuI2nVgVhgsVX60jMfSw80NECxo=
 github.com/Microsoft/hcsshim v0.9.3/go.mod h1:7pLA8lDk46WKDWlVsENo92gC0XFa8rbKfyFRBqxEbCc=
+github.com/Microsoft/hcsshim v0.9.4 h1:mnUj0ivWy6UzbB1uLFqKR6F+ZyiDc7j4iGgHTpO+5+I=
+github.com/Microsoft/hcsshim v0.9.4/go.mod h1:7pLA8lDk46WKDWlVsENo92gC0XFa8rbKfyFRBqxEbCc=
 github.com/Microsoft/hcsshim/test v0.0.0-20201218223536-d3e5debf77da/go.mod h1:5hlzMzRKMLyo42nCZ9oml8AdTlq/0cvIaBv6tK1RehU=
 github.com/Microsoft/hcsshim/test v0.0.0-20210227013316-43a75bb4edd3/go.mod h1:mw7qgWloBUl75W/gVH3cQszUg1+gUITj7D6NY7ywVnY=
 github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
@@ -278,8 +279,9 @@ github.com/containerd/containerd v1.5.7/go.mod h1:gyvv6+ugqY25TiXxcZC3L5yOeYgEw0
 github.com/containerd/containerd v1.5.8/go.mod h1:YdFSv5bTFLpG2HIYmfqDpSYYTDX+mc5qtSuYx1YUb/s=
 github.com/containerd/containerd v1.5.9/go.mod h1:fvQqCfadDGga5HZyn3j4+dx56qj2I9YwBrlSdalvJYQ=
 github.com/containerd/containerd v1.6.1/go.mod h1:1nJz5xCZPusx6jJU8Frfct988y0NpumIq9ODB0kLtoE=
-github.com/containerd/containerd v1.6.6 h1:xJNPhbrmz8xAMDNoVjHy9YHtWwEQNS+CDkcIRh7t8Y0=
 github.com/containerd/containerd v1.6.6/go.mod h1:ZoP1geJldzCVY3Tonoz7b1IXk8rIX0Nltt5QE4OMNk0=
+github.com/containerd/containerd v1.6.8 h1:h4dOFDwzHmqFEP754PgfgTeVXFnLiRc6kiqC7tplDJs=
+github.com/containerd/containerd v1.6.8/go.mod h1:By6p5KqPK0/7/CgO/A6t/Gz+CUYUu2zf1hUaaymVXB0=
 github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
 github.com/containerd/continuity v0.0.0-20190815185530-f2a389ac0a02/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
 github.com/containerd/continuity v0.0.0-20191127005431-f65d91d395eb/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
@@ -432,8 +434,9 @@ github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c/go.mod h1:Uw6Uezg
 github.com/docker/go-metrics v0.0.0-20180209012529-399ea8c73916/go.mod h1:/u0gXw0Gay3ceNrsHubL3BtdOL2fHf93USgMTe0W5dI=
 github.com/docker/go-metrics v0.0.1 h1:AgB/0SvBxihN0X8OR4SjsblXkbMvalQ8cjmtKQ2rQV8=
 github.com/docker/go-metrics v0.0.1/go.mod h1:cG1hvH2utMXtqgqqYE9plW6lDxS3/5ayHzueweSI3Vw=
-github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw=
 github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
+github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/docker/libtrust v0.0.0-20150114040149-fa567046d9b1/go.mod h1:cyGadeNEkKy96OOhEzfZl+yxihPEzKnqJwvfuSUqbZE=
 github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 h1:UhxFibDNY/bfvqU5CAUmr9zpesgbU6SWc8/B4mflAE4=
 github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7/go.mod h1:cyGadeNEkKy96OOhEzfZl+yxihPEzKnqJwvfuSUqbZE=
@@ -483,8 +486,8 @@ github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4
 github.com/fsnotify/fsnotify v1.5.4 h1:jRbGcIw6P2Meqdwuo0H1p6JVLbL5DHKAKlYndzMwVZI=
 github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmVXmkdnm1bU=
 github.com/fsouza/go-dockerclient v1.7.7/go.mod h1:njNCXvoZj3sLPjf3yO0DPHf1mdLdCPDYPc14GskKA4Y=
-github.com/fsouza/go-dockerclient v1.8.1 h1:a27vHYqNSZz88nUAurI1o6W5PgEt63nAWilOI+j63RE=
-github.com/fsouza/go-dockerclient v1.8.1/go.mod h1:zmA2ogSxRnXmbZcy0Aq7yhRoCdP/bDns/qghCK9SWtM=
+github.com/fsouza/go-dockerclient v1.8.3 h1:ckb6sG98D607PNQo012YEhQ8hvuRHx7RISIJM5tjkQM=
+github.com/fsouza/go-dockerclient v1.8.3/go.mod h1:oenNB8JjNKY4o8I/sug4Qah9si/7OxH4MjL+u7oBxP8=
 github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa/go.mod h1:KnogPXtdwXqoenmZCw6S+25EAm2MkxbG0deNDu4cbSA=
 github.com/garyburd/redigo v0.0.0-20150301180006-535138d7bcd7/go.mod h1:NR3MbYisc3/PwhQ00EMzDiPmrwpPxAn5GI05/YaO1SY=
 github.com/getsentry/raven-go v0.2.0/go.mod h1:KungGk8q33+aIAZUIVWZDr2OfAEBsO49PX4NzFV5kcQ=
@@ -1038,8 +1041,9 @@ github.com/onsi/gomega v1.16.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAl
 github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY=
 github.com/onsi/gomega v1.18.1/go.mod h1:0q+aL8jAiMXy9hbwj2mr5GziHiwhAIQpFmmtT5hitRs=
 github.com/onsi/gomega v1.19.0/go.mod h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro=
-github.com/onsi/gomega v1.20.0 h1:8W0cWlwFkflGPLltQvLRB7ZVD5HuP6ng320w2IS245Q=
 github.com/onsi/gomega v1.20.0/go.mod h1:DtrZpjmvpn2mPm4YWQa0/ALMDj9v4YxLgojwPeREyVo=
+github.com/onsi/gomega v1.20.1 h1:PA/3qinGoukvymdIDV8pii6tiZgC8kbmJO6Z5+b002Q=
+github.com/onsi/gomega v1.20.1/go.mod h1:DtrZpjmvpn2mPm4YWQa0/ALMDj9v4YxLgojwPeREyVo=
 github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk=
 github.com/opencontainers/go-digest v0.0.0-20170106003457-a6d0ee40d420/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
 github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
@@ -1058,8 +1062,9 @@ github.com/opencontainers/runc v1.0.2/go.mod h1:aTaHFFwQXuA71CiyxOdFFIorAoemI04s
 github.com/opencontainers/runc v1.0.3/go.mod h1:aTaHFFwQXuA71CiyxOdFFIorAoemI04suvGRQFzWTD0=
 github.com/opencontainers/runc v1.1.0/go.mod h1:Tj1hFw6eFWp/o33uxGf5yF2BX5yz2Z6iptFpuvbbKqc=
 github.com/opencontainers/runc v1.1.2/go.mod h1:Tj1hFw6eFWp/o33uxGf5yF2BX5yz2Z6iptFpuvbbKqc=
-github.com/opencontainers/runc v1.1.3 h1:vIXrkId+0/J2Ymu2m7VjGvbSlAId9XNRPhn2p4b+d8w=
 github.com/opencontainers/runc v1.1.3/go.mod h1:1J5XiS+vdZ3wCyZybsuxXZWGrgSr8fFJHLXuG2PsnNg=
+github.com/opencontainers/runc v1.1.4 h1:nRCz/8sKg6K6jgYAFLDlXzPeITBZJyX28DBVhWD+5dg=
+github.com/opencontainers/runc v1.1.4/go.mod h1:1J5XiS+vdZ3wCyZybsuxXZWGrgSr8fFJHLXuG2PsnNg=
 github.com/opencontainers/runtime-spec v0.1.2-0.20190507144316-5b71a03e2700/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-spec v1.0.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-spec v1.0.2-0.20190207185410-29686dbc5559/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=

vendor/github.com/containers/buildah/image.go

@@ -430,6 +430,16 @@ func (i *containerImageRef) NewImageSource(ctx context.Context, sc *types.System
 			return nil, fmt.Errorf("error compressing %s: %w", what, err)
 		}
 		writer := io.MultiWriter(writeCloser, srcHasher.Hash())
+		// Scrub any local user names that might correspond to UIDs or GIDs of
+		// files in this layer.
+		{
+			nestedWriteCloser := ioutils.NewWriteCloserWrapper(writer, writeCloser.Close)
+			writeCloser = newTarFilterer(nestedWriteCloser, func(hdr *tar.Header) (bool, bool, io.Reader) {
+				hdr.Uname, hdr.Gname = "", ""
+				return false, false, nil
+			})
+			writer = io.Writer(writeCloser)
+		}
 		// Use specified timestamps in the layer, if we're doing that for
 		// history entries.
 		if i.created != nil {

vendor/github.com/containers/buildah/internal/parse/parse.go

@@ -18,6 +18,7 @@ import (
 	"github.com/containers/storage/pkg/idtools"
 	"github.com/containers/storage/pkg/lockfile"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
+	selinux "github.com/opencontainers/selinux/go-selinux"
 )
 
 const (
@@ -188,6 +189,7 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
 		setDest           bool
 		setShared         bool
 		setReadOnly       bool
+		foundSElinuxLabel bool
 	)
 	fromStage := ""
 	newMount := specs.Mount{
@@ -217,7 +219,10 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
 			// Alias for "ro"
 			newMount.Options = append(newMount.Options, "ro")
 			setReadOnly = true
-		case "shared", "rshared", "private", "rprivate", "slave", "rslave", "Z", "z", "U":
+		case "Z", "z":
+			newMount.Options = append(newMount.Options, kv[0])
+			foundSElinuxLabel = true
+		case "shared", "rshared", "private", "rprivate", "slave", "rslave", "U":
 			newMount.Options = append(newMount.Options, kv[0])
 			setShared = true
 		case "sharing":
@@ -280,6 +285,12 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
 		}
 	}
 
+	// If selinux is enabled and no selinux option was configured
+	// default to `z` i.e shared content label.
+	if !foundSElinuxLabel && (selinux.EnforceMode() != selinux.Disabled) && fromStage == "" {
+		newMount.Options = append(newMount.Options, "z")
+	}
+
 	if !setDest {
 		return newMount, lockedTargets, errBadVolDest
 	}

vendor/github.com/containers/buildah/pkg/cli/build.go

@@ -310,6 +310,14 @@ func GenBuildOptions(c *cobra.Command, inputArgs []string, iopts BuildOptions) (
 			return options, nil, nil, fmt.Errorf("unable to parse value provided %q as --cache-ttl: %w", iopts.CacheTTL, err)
 		}
 	}
+	var pullPushRetryDelay time.Duration
+	pullPushRetryDelay, err = time.ParseDuration(iopts.RetryDelay)
+	if err != nil {
+		return options, nil, nil, fmt.Errorf("unable to parse value provided %q as --retry-delay: %w", iopts.RetryDelay, err)
+	}
+	// Following log line is used in integration test.
+	logrus.Debugf("Setting MaxPullPushRetries to %d and PullPushRetryDelay to %v", iopts.Retry, pullPushRetryDelay)
+
 	options = define.BuildOptions{
 		AddCapabilities:         iopts.CapAdd,
 		AdditionalBuildContexts: additionalBuildContext,
@@ -349,7 +357,7 @@ func GenBuildOptions(c *cobra.Command, inputArgs []string, iopts BuildOptions) (
 		LogRusage:               iopts.LogRusage,
 		LogSplitByPlatform:      iopts.LogSplitByPlatform,
 		Manifest:                iopts.Manifest,
-		MaxPullPushRetries:      MaxPullPushRetries,
+		MaxPullPushRetries:      iopts.Retry,
 		NamespaceOptions:        namespaceOptions,
 		NoCache:                 iopts.NoCache,
 		OS:                      systemContext.OSChoice,
@@ -361,7 +369,7 @@ func GenBuildOptions(c *cobra.Command, inputArgs []string, iopts BuildOptions) (
 		OutputFormat:            format,
 		Platforms:               platforms,
 		PullPolicy:              pullPolicy,
-		PullPushRetryDelay:      PullPushRetryDelay,
+		PullPushRetryDelay:      pullPushRetryDelay,
 		Quiet:                   iopts.Quiet,
 		RemoveIntermediateCtrs:  iopts.Rm,
 		ReportWriter:            reporter,

vendor/github.com/containers/buildah/pkg/cli/common.go

@@ -125,6 +125,8 @@ type FromAndBudResults struct {
 	Isolation      string
 	Memory         string
 	MemorySwap     string
+	Retry          int
+	RetryDelay     string
 	SecurityOpt    []string
 	ShmSize        string
 	Ulimit         []string
@@ -344,6 +346,8 @@ func GetFromAndBudFlags(flags *FromAndBudResults, usernsResults *UserNSResults,
 	fs.StringVar(&flags.Isolation, "isolation", DefaultIsolation(), "`type` of process isolation to use. Use BUILDAH_ISOLATION environment variable to override.")
 	fs.StringVarP(&flags.Memory, "memory", "m", "", "memory limit (format: <number>[<unit>], where unit = b, k, m or g)")
 	fs.StringVar(&flags.MemorySwap, "memory-swap", "", "swap limit equal to memory plus swap: '-1' to enable unlimited swap")
+	fs.IntVar(&flags.Retry, "retry", MaxPullPushRetries, "number of times to retry in case of failure when performing push/pull")
+	fs.StringVar(&flags.RetryDelay, "retry-delay", PullPushRetryDelay.String(), "delay between retries in case of push/pull failures")
 	fs.String("arch", runtime.GOARCH, "set the ARCH of the image to the provided value instead of the architecture of the host")
 	fs.String("os", runtime.GOOS, "prefer `OS` instead of the running OS when pulling images")
 	fs.StringSlice("platform", []string{parse.DefaultPlatform()}, "set the OS/ARCH/VARIANT of the image to the provided value instead of the current operating system and architecture of the host (for example `linux/arm`)")
@@ -386,6 +390,8 @@ func GetFromAndBudFlagsCompletions() commonComp.FlagCompletions {
 	flagCompletion["memory-swap"] = commonComp.AutocompleteNone
 	flagCompletion["os"] = commonComp.AutocompleteNone
 	flagCompletion["platform"] = commonComp.AutocompleteNone
+	flagCompletion["retry"] = commonComp.AutocompleteNone
+	flagCompletion["retry-delay"] = commonComp.AutocompleteNone
 	flagCompletion["security-opt"] = commonComp.AutocompleteNone
 	flagCompletion["shm-size"] = commonComp.AutocompleteNone
 	flagCompletion["ulimit"] = commonComp.AutocompleteNone
@@ -454,7 +460,7 @@ func VerifyFlagsArgsOrder(args []string) error {
 	return nil
 }
 
-// aliasFlags is a function to handle backwards compatibility with old flags
+// AliasFlags is a function to handle backwards compatibility with old flags
 func AliasFlags(f *pflag.FlagSet, name string) pflag.NormalizedName {
 	switch name {
 	case "net":

vendor/github.com/containers/buildah/pkg/parse/parse.go

@@ -345,6 +345,15 @@ func SystemContextFromFlagSet(flags *pflag.FlagSet, findFlagFunc func(name strin
 		ctx.OCIInsecureSkipTLSVerify = !tlsVerify
 		ctx.DockerDaemonInsecureSkipTLSVerify = !tlsVerify
 	}
+	insecure, err := flags.GetBool("insecure")
+	if err == nil && findFlagFunc("insecure").Changed {
+		if ctx.DockerInsecureSkipTLSVerify != types.OptionalBoolUndefined {
+			return nil, errors.New("--insecure may not be used with --tls-verify")
+		}
+		ctx.DockerInsecureSkipTLSVerify = types.NewOptionalBool(insecure)
+		ctx.OCIInsecureSkipTLSVerify = insecure
+		ctx.DockerDaemonInsecureSkipTLSVerify = insecure
+	}
 	disableCompression, err := flags.GetBool("disable-compression")
 	if err == nil {
 		if disableCompression {

vendor/github.com/containers/buildah/run_common.go

@@ -262,6 +262,7 @@ func (b *Builder) configureUIDGID(g *generate.Generator, mountPoint string, opti
 	}
 	g.SetProcessUID(user.UID)
 	g.SetProcessGID(user.GID)
+	g.AddProcessAdditionalGid(user.GID)
 	for _, gid := range user.AdditionalGids {
 		g.AddProcessAdditionalGid(gid)
 	}

vendor/github.com/containers/buildah/util/util.go

@@ -466,22 +466,3 @@ func VerifyTagName(imageSpec string) (types.ImageReference, error) {
 	}
 	return ref, nil
 }
-
-// Cause returns the most underlying error for the provided one. There is a
-// maximum error depth of 100 to avoid endless loops. An additional error log
-// message will be created if this maximum has reached.
-func Cause(err error) (cause error) {
-	cause = err
-
-	const maxDepth = 100
-	for i := 0; i <= maxDepth; i++ {
-		res := errors.Unwrap(cause)
-		if res == nil {
-			return cause
-		}
-		cause = res
-	}
-
-	logrus.Errorf("Max error depth of %d reached, cannot unwrap until root cause: %v", maxDepth, err)
-	return cause
-}

vendor/github.com/containers/common/libimage/copier.go

@@ -413,7 +413,7 @@ func checkRegistrySourcesAllows(dest types.ImageReference) (insecure *bool, err
 		AllowedRegistries  []string `json:"allowedRegistries,omitempty"`
 	}
 	if err := json.Unmarshal([]byte(registrySources), &sources); err != nil {
-		return nil, fmt.Errorf("error parsing $BUILD_REGISTRY_SOURCES (%q) as JSON: %w", registrySources, err)
+		return nil, fmt.Errorf("parsing $BUILD_REGISTRY_SOURCES (%q) as JSON: %w", registrySources, err)
 	}
 	blocked := false
 	if len(sources.BlockedRegistries) > 0 {

vendor/github.com/containers/common/libimage/manifests/manifests.go

@@ -87,11 +87,11 @@ func Create() List {
 func LoadFromImage(store storage.Store, image string) (string, List, error) {
 	img, err := store.Image(image)
 	if err != nil {
-		return "", nil, fmt.Errorf("error locating image %q for loading manifest list: %w", image, err)
+		return "", nil, fmt.Errorf("locating image %q for loading manifest list: %w", image, err)
 	}
 	manifestBytes, err := store.ImageBigData(img.ID, storage.ImageDigestManifestBigDataNamePrefix)
 	if err != nil {
-		return "", nil, fmt.Errorf("error locating image %q for loading manifest list: %w", image, err)
+		return "", nil, fmt.Errorf("locating image %q for loading manifest list: %w", image, err)
 	}
 	manifestList, err := manifests.FromBlob(manifestBytes)
 	if err != nil {
@@ -103,10 +103,10 @@ func LoadFromImage(store storage.Store, image string) (string, List, error) {
 	}
 	instancesBytes, err := store.ImageBigData(img.ID, instancesData)
 	if err != nil {
-		return "", nil, fmt.Errorf("error locating image %q for loading instance list: %w", image, err)
+		return "", nil, fmt.Errorf("locating image %q for loading instance list: %w", image, err)
 	}
 	if err := json.Unmarshal(instancesBytes, &list.instances); err != nil {
-		return "", nil, fmt.Errorf("error decoding instance list for image %q: %w", image, err)
+		return "", nil, fmt.Errorf("decoding instance list for image %q: %w", image, err)
 	}
 	list.instances[""] = img.ID
 	return img.ID, list, err
@@ -152,18 +152,18 @@ func (l *list) SaveToImage(store storage.Store, imageID string, names []string,
 		}
 		return imageID, nil
 	}
-	return "", fmt.Errorf("error creating image to hold manifest list: %w", err)
+	return "", fmt.Errorf("creating image to hold manifest list: %w", err)
 }
 
 // Reference returns an image reference for the composite image being built
 // in the list, or an error if the list has never been saved to a local image.
 func (l *list) Reference(store storage.Store, multiple cp.ImageListSelection, instances []digest.Digest) (types.ImageReference, error) {
 	if l.instances[""] == "" {
-		return nil, fmt.Errorf("error building reference to list: %w", ErrListImageUnknown)
+		return nil, fmt.Errorf("building reference to list: %w", ErrListImageUnknown)
 	}
 	s, err := is.Transport.ParseStoreReference(store, l.instances[""])
 	if err != nil {
-		return nil, fmt.Errorf("error creating ImageReference from image %q: %w", l.instances[""], err)
+		return nil, fmt.Errorf("creating ImageReference from image %q: %w", l.instances[""], err)
 	}
 	references := make([]types.ImageReference, 0, len(l.instances))
 	whichInstances := make([]digest.Digest, 0, len(l.instances))
@@ -187,7 +187,7 @@ func (l *list) Reference(store storage.Store, multiple cp.ImageListSelection, in
 		imageName := l.instances[instance]
 		ref, err := alltransports.ParseImageName(imageName)
 		if err != nil {
-			return nil, fmt.Errorf("error creating ImageReference from image %q: %w", imageName, err)
+			return nil, fmt.Errorf("creating ImageReference from image %q: %w", imageName, err)
 		}
 		references = append(references, ref)
 	}
@@ -199,7 +199,7 @@ func (l *list) Push(ctx context.Context, dest types.ImageReference, options Push
 	// Load the system signing policy.
 	pushPolicy, err := signature.DefaultPolicy(options.SystemContext)
 	if err != nil {
-		return nil, "", fmt.Errorf("error obtaining default signature policy: %w", err)
+		return nil, "", fmt.Errorf("obtaining default signature policy: %w", err)
 	}
 
 	// Override the settings for local storage to make sure that we can always read the source "image".
@@ -207,7 +207,7 @@ func (l *list) Push(ctx context.Context, dest types.ImageReference, options Push
 
 	policyContext, err := signature.NewPolicyContext(pushPolicy)
 	if err != nil {
-		return nil, "", fmt.Errorf("error creating new signature policy context: %w", err)
+		return nil, "", fmt.Errorf("creating new signature policy context: %w", err)
 	}
 	defer func() {
 		if err2 := policyContext.Destroy(); err2 != nil {
@@ -273,7 +273,7 @@ func (l *list) Push(ctx context.Context, dest types.ImageReference, options Push
 func (l *list) Add(ctx context.Context, sys *types.SystemContext, ref types.ImageReference, all bool) (digest.Digest, error) {
 	src, err := ref.NewImageSource(ctx, sys)
 	if err != nil {
-		return "", fmt.Errorf("error setting up to read manifest and configuration from %q: %w", transports.ImageName(ref), err)
+		return "", fmt.Errorf("setting up to read manifest and configuration from %q: %w", transports.ImageName(ref), err)
 	}
 	defer src.Close()
 
@@ -288,13 +288,13 @@ func (l *list) Add(ctx context.Context, sys *types.SystemContext, ref types.Imag
 
 	primaryManifestBytes, primaryManifestType, err := src.GetManifest(ctx, nil)
 	if err != nil {
-		return "", fmt.Errorf("error reading manifest from %q: %w", transports.ImageName(ref), err)
+		return "", fmt.Errorf("reading manifest from %q: %w", transports.ImageName(ref), err)
 	}
 
 	if manifest.MIMETypeIsMultiImage(primaryManifestType) {
 		lists, err := manifests.FromBlob(primaryManifestBytes)
 		if err != nil {
-			return "", fmt.Errorf("error parsing manifest list in %q: %w", transports.ImageName(ref), err)
+			return "", fmt.Errorf("parsing manifest list in %q: %w", transports.ImageName(ref), err)
 		}
 		if all {
 			for i, instance := range lists.OCIv1().Manifests {
@@ -318,11 +318,11 @@ func (l *list) Add(ctx context.Context, sys *types.SystemContext, ref types.Imag
 		} else {
 			list, err := manifest.ListFromBlob(primaryManifestBytes, primaryManifestType)
 			if err != nil {
-				return "", fmt.Errorf("error parsing manifest list in %q: %w", transports.ImageName(ref), err)
+				return "", fmt.Errorf("parsing manifest list in %q: %w", transports.ImageName(ref), err)
 			}
 			instanceDigest, err := list.ChooseInstance(sys)
 			if err != nil {
-				return "", fmt.Errorf("error selecting image from manifest list in %q: %w", transports.ImageName(ref), err)
+				return "", fmt.Errorf("selecting image from manifest list in %q: %w", transports.ImageName(ref), err)
 			}
 			added := false
 			for i, instance := range lists.OCIv1().Manifests {
@@ -364,11 +364,11 @@ func (l *list) Add(ctx context.Context, sys *types.SystemContext, ref types.Imag
 		if instanceInfo.OS == "" || instanceInfo.Architecture == "" {
 			img, err := image.FromUnparsedImage(ctx, sys, image.UnparsedInstance(src, instanceInfo.instanceDigest))
 			if err != nil {
-				return "", fmt.Errorf("error reading configuration blob from %q: %w", transports.ImageName(ref), err)
+				return "", fmt.Errorf("reading configuration blob from %q: %w", transports.ImageName(ref), err)
 			}
 			config, err := img.OCIConfig(ctx)
 			if err != nil {
-				return "", fmt.Errorf("error reading info about config blob from %q: %w", transports.ImageName(ref), err)
+				return "", fmt.Errorf("reading info about config blob from %q: %w", transports.ImageName(ref), err)
 			}
 			if instanceInfo.OS == "" {
 				instanceInfo.OS = config.OS
@@ -382,12 +382,12 @@ func (l *list) Add(ctx context.Context, sys *types.SystemContext, ref types.Imag
 		}
 		manifestBytes, manifestType, err := src.GetManifest(ctx, instanceInfo.instanceDigest)
 		if err != nil {
-			return "", fmt.Errorf("error reading manifest from %q, instance %q: %w", transports.ImageName(ref), instanceInfo.instanceDigest, err)
+			return "", fmt.Errorf("reading manifest from %q, instance %q: %w", transports.ImageName(ref), instanceInfo.instanceDigest, err)
 		}
 		if instanceInfo.instanceDigest == nil {
 			manifestDigest, err = manifest.Digest(manifestBytes)
 			if err != nil {
-				return "", fmt.Errorf("error computing digest of manifest from %q: %w", transports.ImageName(ref), err)
+				return "", fmt.Errorf("computing digest of manifest from %q: %w", transports.ImageName(ref), err)
 			}
 			instanceInfo.instanceDigest = &manifestDigest
 			instanceInfo.Size = int64(len(manifestBytes))
@@ -396,7 +396,7 @@ func (l *list) Add(ctx context.Context, sys *types.SystemContext, ref types.Imag
 		}
 		err = l.List.AddInstance(*instanceInfo.instanceDigest, instanceInfo.Size, manifestType, instanceInfo.OS, instanceInfo.Architecture, instanceInfo.OSVersion, instanceInfo.OSFeatures, instanceInfo.Variant, instanceInfo.Features, instanceInfo.Annotations)
 		if err != nil {
-			return "", fmt.Errorf("error adding instance with digest %q: %w", *instanceInfo.instanceDigest, err)
+			return "", fmt.Errorf("adding instance with digest %q: %w", *instanceInfo.instanceDigest, err)
 		}
 		if _, ok := l.instances[*instanceInfo.instanceDigest]; !ok {
 			l.instances[*instanceInfo.instanceDigest] = transports.ImageName(ref)

vendor/github.com/containers/common/libimage/normalize.go

@@ -18,7 +18,7 @@ func NormalizeName(name string) (reference.Named, error) {
 	// NOTE: this code is in symmetrie with containers/image/pkg/shortnames.
 	ref, err := reference.Parse(name)
 	if err != nil {
-		return nil, fmt.Errorf("error normalizing name %q: %w", name, err)
+		return nil, fmt.Errorf("normalizing name %q: %w", name, err)
 	}
 
 	named, ok := ref.(reference.Named)

vendor/github.com/containers/common/libimage/pull.go

@@ -163,7 +163,7 @@ func (r *Runtime) Pull(ctx context.Context, name string, pullPolicy config.PullP
 	for _, name := range pulledImages {
 		image, _, err := r.LookupImage(name, nil)
 		if err != nil {
-			return nil, fmt.Errorf("error locating pulled image %q name in containers storage: %w", name, err)
+			return nil, fmt.Errorf("locating pulled image %q name in containers storage: %w", name, err)
 		}
 
 		// Note that we can ignore the 2nd return value here. Some
@@ -318,7 +318,7 @@ func (r *Runtime) storageReferencesReferencesFromArchiveReader(ctx context.Conte
 	for _, destName := range destNames {
 		destRef, err := storageTransport.Transport.ParseStoreReference(r.store, destName)
 		if err != nil {
-			return nil, nil, fmt.Errorf("error parsing dest reference name %#v: %w", destName, err)
+			return nil, nil, fmt.Errorf("parsing dest reference name %#v: %w", destName, err)
 		}
 		references = append(references, destRef)
 	}
@@ -399,7 +399,7 @@ func (r *Runtime) copyFromRegistry(ctx context.Context, ref types.ImageReference
 		}
 		tagged, err := reference.WithTag(named, tag)
 		if err != nil {
-			return nil, fmt.Errorf("error creating tagged reference (name %s, tag %s): %w", named.String(), tag, err)
+			return nil, fmt.Errorf("creating tagged reference (name %s, tag %s): %w", named.String(), tag, err)
 		}
 		pulled, err := r.copySingleImageFromRegistry(ctx, tagged.String(), pullPolicy, options)
 		if err != nil {

vendor/github.com/containers/common/libimage/search.go

@@ -281,7 +281,7 @@ func searchRepositoryTags(ctx context.Context, sys *types.SystemContext, registr
 	}
 	tags, err := registryTransport.GetRepositoryTags(ctx, sys, imageRef)
 	if err != nil {
-		return nil, fmt.Errorf("error getting repository tags: %v", err)
+		return nil, fmt.Errorf("getting repository tags: %v", err)
 	}
 	limit := searchMaxQueries
 	if len(tags) < limit {

vendor/github.com/containers/common/pkg/auth/auth.go

@@ -158,7 +158,7 @@ func Login(ctx context.Context, systemContext *types.SystemContext, opts *LoginO
 	}
 	if unauthorized, ok := err.(docker.ErrUnauthorizedForCredentials); ok {
 		logrus.Debugf("error logging into %q: %v", key, unauthorized)
-		return fmt.Errorf("error logging into %q: invalid username/password", key)
+		return fmt.Errorf("logging into %q: invalid username/password", key)
 	}
 	return fmt.Errorf("authenticating creds for %q: %w", key, err)
 }

vendor/github.com/containers/common/pkg/cgroups/cgroups.go

@@ -145,7 +145,7 @@ func getAvailableControllers(exclude map[string]controllerHandler, cgroup2 bool)
 		}
 		controllersFileBytes, err := ioutil.ReadFile(controllersFile)
 		if err != nil {
-			return nil, fmt.Errorf("failed while reading controllers for cgroup v2 from %q: %w", controllersFile, err)
+			return nil, fmt.Errorf("failed while reading controllers for cgroup v2: %w", err)
 		}
 		for _, controllerName := range strings.Fields(string(controllersFileBytes)) {
 			c := controller{
@@ -264,7 +264,7 @@ func (c *CgroupControl) initialize() (err error) {
 	}()
 	if c.cgroup2 {
 		if err := createCgroupv2Path(filepath.Join(cgroupRoot, c.path)); err != nil {
-			return fmt.Errorf("error creating cgroup path %s: %w", c.path, err)
+			return fmt.Errorf("creating cgroup path %s: %w", c.path, err)
 		}
 	}
 	for name, handler := range handlers {
@@ -285,7 +285,7 @@ func (c *CgroupControl) initialize() (err error) {
 			}
 			path := c.getCgroupv1Path(ctr.name)
 			if err := os.MkdirAll(path, 0o755); err != nil {
-				return fmt.Errorf("error creating cgroup path for %s: %w", ctr.name, err)
+				return fmt.Errorf("creating cgroup path for %s: %w", ctr.name, err)
 			}
 		}
 	}

vendor/github.com/containers/common/pkg/cgroups/cgroups_linux.go

@@ -98,7 +98,7 @@ func getAvailableControllers(exclude map[string]controllerHandler, cgroup2 bool)
 		}
 		controllersFileBytes, err := ioutil.ReadFile(controllersFile)
 		if err != nil {
-			return nil, fmt.Errorf("failed while reading controllers for cgroup v2 from %q: %w", controllersFile, err)
+			return nil, fmt.Errorf("failed while reading controllers for cgroup v2: %w", err)
 		}
 		for _, controllerName := range strings.Fields(string(controllersFileBytes)) {
 			c := controller{
@@ -217,7 +217,7 @@ func (c *CgroupControl) initialize() (err error) {
 	}()
 	if c.cgroup2 {
 		if err := createCgroupv2Path(filepath.Join(cgroupRoot, c.config.Path)); err != nil {
-			return fmt.Errorf("error creating cgroup path %s: %w", c.config.Path, err)
+			return fmt.Errorf("creating cgroup path %s: %w", c.config.Path, err)
 		}
 	}
 	for name, handler := range handlers {
@@ -238,7 +238,7 @@ func (c *CgroupControl) initialize() (err error) {
 			}
 			path := c.getCgroupv1Path(ctr.name)
 			if err := os.MkdirAll(path, 0o755); err != nil {
-				return fmt.Errorf("error creating cgroup path for %s: %w", ctr.name, err)
+				return fmt.Errorf("creating cgroup path for %s: %w", ctr.name, err)
 			}
 		}
 	}

vendor/github.com/containers/common/pkg/cgroups/cgroups_supported.go

@@ -80,7 +80,7 @@ func UserOwnsCurrentSystemdCgroup() (bool, error) {
 		}
 		s := st.Sys()
 		if s == nil {
-			return false, fmt.Errorf("error stat cgroup path %s", cgroupPath)
+			return false, fmt.Errorf("stat cgroup path %s", cgroupPath)
 		}
 
 		if int(s.(*syscall.Stat_t).Uid) != uid {

vendor/github.com/containers/common/pkg/cgroups/utils.go

@@ -26,7 +26,7 @@ func readAcctList(ctr *CgroupControl, name string) ([]uint64, error) {
 	p := filepath.Join(ctr.getCgroupv1Path(CPUAcct), name)
 	data, err := ioutil.ReadFile(p)
 	if err != nil {
-		return nil, fmt.Errorf("reading %s: %w", p, err)
+		return nil, err
 	}
 	r := []uint64{}
 	for _, s := range strings.Split(string(data), " ") {
@@ -92,7 +92,12 @@ func cpusetCopyFileFromParent(dir, file string, cgroupv2 bool) ([]byte, error) {
 	}
 	data, err := ioutil.ReadFile(parentPath)
 	if err != nil {
-		return nil, fmt.Errorf("open %s: %w", path, err)
+		// if the file doesn't exist, it is likely that the cpuset controller
+		// is not enabled in the kernel.
+		if os.IsNotExist(err) {
+			return nil, nil
+		}
+		return nil, err
 	}
 	if strings.Trim(string(data), "\n") != "" {
 		return data, nil
@@ -169,7 +174,7 @@ func (c *CgroupControl) createCgroupDirectory(controller string) (bool, error) {
 	}
 
 	if err := os.MkdirAll(cPath, 0o755); err != nil {
-		return false, fmt.Errorf("error creating cgroup for %s: %w", controller, err)
+		return false, fmt.Errorf("creating cgroup for %s: %w", controller, err)
 	}
 	return true, nil
 }

vendor/github.com/containers/common/pkg/config/default_freebsd.go

@@ -1,7 +1,7 @@
 package config
 
 func getDefaultCgroupsMode() string {
-	return "disabled"
+	return "enabled"
 }
 
 // In theory, FreeBSD should be able to use shm locks but in practice,

vendor/github.com/containers/common/pkg/manifests/manifests.go

@@ -452,23 +452,23 @@ func (l *list) Serialize(mimeType string) ([]byte, error) {
 		if l.preferOCI() {
 			res, err = json.Marshal(&l.oci)
 			if err != nil {
-				return nil, fmt.Errorf("error marshalling OCI image index: %w", err)
+				return nil, fmt.Errorf("marshalling OCI image index: %w", err)
 			}
 		} else {
 			res, err = json.Marshal(&l.docker)
 			if err != nil {
-				return nil, fmt.Errorf("error marshalling Docker manifest list: %w", err)
+				return nil, fmt.Errorf("marshalling Docker manifest list: %w", err)
 			}
 		}
 	case v1.MediaTypeImageIndex:
 		res, err = json.Marshal(&l.oci)
 		if err != nil {
-			return nil, fmt.Errorf("error marshalling OCI image index: %w", err)
+			return nil, fmt.Errorf("marshalling OCI image index: %w", err)
 		}
 	case manifest.DockerV2ListMediaType:
 		res, err = json.Marshal(&l.docker)
 		if err != nil {
-			return nil, fmt.Errorf("error marshalling Docker manifest list: %w", err)
+			return nil, fmt.Errorf("marshalling Docker manifest list: %w", err)
 		}
 	default:
 		return nil, fmt.Errorf("serializing list to type %q not implemented: %w", mimeType, ErrManifestTypeNotSupported)

vendor/github.com/containers/common/pkg/parse/parse_unix.go

@@ -39,7 +39,7 @@ func DeviceFromPath(device string) ([]devices.Device, error) {
 	// If source device is a directory
 	srcDevices, err := devices.GetDevices(src)
 	if err != nil {
-		return nil, fmt.Errorf("error getting source devices from directory %s: %w", src, err)
+		return nil, fmt.Errorf("getting source devices from directory %s: %w", src, err)
 	}
 	devs := make([]devices.Device, 0, len(srcDevices))
 	for _, d := range srcDevices {

vendor/github.com/containers/common/pkg/report/formatter.go

@@ -59,16 +59,22 @@ type Formatter struct {
 func (f *Formatter) Parse(origin Origin, text string) (*Formatter, error) {
 	f.Origin = origin
 
+	// docker tries to be smart and replaces \n with the actual newline character.
+	// For compat we do the same but this will break formats such as '{{printf "\n"}}'
+	// To be backwards compatible with the previous behavior we try to replace and
+	// parse the template. If it fails use the original text and parse again.
+	var normText string
 	switch {
 	case strings.HasPrefix(text, "table "):
 		f.RenderTable = true
-		text = "{{range .}}" + NormalizeFormat(text) + "{{end -}}"
+		normText = "{{range .}}" + NormalizeFormat(text) + "{{end -}}"
+		text = "{{range .}}" + text + "{{end -}}"
 	case OriginUser == origin:
-		text = EnforceRange(NormalizeFormat(text))
+		normText = EnforceRange(NormalizeFormat(text))
+		text = EnforceRange(text)
 	default:
-		text = NormalizeFormat(text)
+		normText = NormalizeFormat(text)
 	}
-	f.text = text
 
 	if f.RenderTable || origin == OriginPodman {
 		tw := tabwriter.NewWriter(f.writer, 12, 2, 2, ' ', tabwriter.StripEscape)
@@ -77,10 +83,14 @@ func (f *Formatter) Parse(origin Origin, text string) (*Formatter, error) {
 		f.RenderHeaders = true
 	}
 
-	tmpl, err := f.template.Funcs(template.FuncMap(DefaultFuncs)).Parse(text)
+	tmpl, err := f.template.Funcs(template.FuncMap(DefaultFuncs)).Parse(normText)
 	if err != nil {
+		tmpl, err = f.template.Funcs(template.FuncMap(DefaultFuncs)).Parse(text)
+		f.template = tmpl
+		f.text = text
 		return f, err
 	}
+	f.text = normText
 	f.template = tmpl
 	return f, nil
 }

vendor/github.com/containers/common/pkg/secrets/secrets.go

@@ -183,12 +183,12 @@ func (s *SecretsManager) Store(name string, data []byte, driverType string, driv
 	}
 	err = driver.Store(secr.ID, data)
 	if err != nil {
-		return "", fmt.Errorf("error creating secret %s: %w", name, err)
+		return "", fmt.Errorf("creating secret %s: %w", name, err)
 	}
 
 	err = s.store(secr)
 	if err != nil {
-		return "", fmt.Errorf("error creating secret %s: %w", name, err)
+		return "", fmt.Errorf("creating secret %s: %w", name, err)
 	}
 
 	return secr.ID, nil
@@ -218,12 +218,12 @@ func (s *SecretsManager) Delete(nameOrID string) (string, error) {
 
 	err = driver.Delete(secretID)
 	if err != nil {
-		return "", fmt.Errorf("error deleting secret %s: %w", nameOrID, err)
+		return "", fmt.Errorf("deleting secret %s: %w", nameOrID, err)
 	}
 
 	err = s.delete(secretID)
 	if err != nil {
-		return "", fmt.Errorf("error deleting secret %s: %w", nameOrID, err)
+		return "", fmt.Errorf("deleting secret %s: %w", nameOrID, err)
 	}
 	return secretID, nil
 }

vendor/github.com/containers/common/pkg/ssh/connection_golang.go

@@ -275,7 +275,7 @@ func ValidateAndConfigure(uri *url.URL, iden string) (*ssh.ClientConfig, error)
 	keyFilePath := filepath.Join(homedir.Get(), ".ssh", "known_hosts")
 	known, err := knownhosts.New(keyFilePath)
 	if err != nil {
-		return nil, fmt.Errorf("error creating host key callback function for %s: %w", keyFilePath, err)
+		return nil, fmt.Errorf("creating host key callback function for %s: %w", keyFilePath, err)
 	}
 
 	cfg := &ssh.ClientConfig{

vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go

@@ -256,7 +256,7 @@ func addSubscriptionsFromMountsFile(filePath, mountLabel, containerRunDir string
 				}
 				for _, s := range data {
 					if err := s.saveTo(ctrDirOrFileOnHost); err != nil {
-						return nil, fmt.Errorf("error saving data to container filesystem on host %q: %w", ctrDirOrFileOnHost, err)
+						return nil, fmt.Errorf("saving data to container filesystem on host %q: %w", ctrDirOrFileOnHost, err)
 					}
 				}
 			case mode.IsRegular():
@@ -278,7 +278,7 @@ func addSubscriptionsFromMountsFile(filePath, mountLabel, containerRunDir string
 
 			err = label.Relabel(ctrDirOrFileOnHost, mountLabel, false)
 			if err != nil {
-				return nil, fmt.Errorf("error applying correct labels: %w", err)
+				return nil, fmt.Errorf("applying correct labels: %w", err)
 			}
 			if uid != 0 || gid != 0 {
 				if err := rchown(ctrDirOrFileOnHost, uid, gid); err != nil {

vendor/github.com/containers/common/pkg/supplemented/supplemented.go

@@ -58,7 +58,7 @@ func Reference(ref types.ImageReference, supplemental []types.ImageReference, mu
 func (s *supplementedImageReference) NewImage(ctx context.Context, sys *types.SystemContext) (types.ImageCloser, error) {
 	src, err := s.NewImageSource(ctx, sys)
 	if err != nil {
-		return nil, fmt.Errorf("error building a new Image using an ImageSource: %w", err)
+		return nil, fmt.Errorf("building a new Image using an ImageSource: %w", err)
 	}
 	return image.FromSource(ctx, sys, src)
 }
@@ -75,7 +75,7 @@ func (s *supplementedImageReference) NewImageSource(ctx context.Context, sys *ty
 	// Open the default instance for reading.
 	top, err := s.ImageReference.NewImageSource(ctx, sys)
 	if err != nil {
-		return nil, fmt.Errorf("error opening %q as image source: %w", transports.ImageName(s.ImageReference), err)
+		return nil, fmt.Errorf("opening %q as image source: %w", transports.ImageName(s.ImageReference), err)
 	}
 
 	defer func() {
@@ -105,14 +105,14 @@ func (s *supplementedImageReference) NewImageSource(ctx context.Context, sys *ty
 		// Mark this instance as being associated with this ImageSource.
 		manifestDigest, err := manifest.Digest(manifestBytes)
 		if err != nil {
-			return fmt.Errorf("error computing digest over manifest %q: %w", string(manifestBytes), err)
+			return fmt.Errorf("computing digest over manifest %q: %w", string(manifestBytes), err)
 		}
 		sources[manifestDigest] = src
 
 		// Parse the manifest as a single image.
 		man, err := manifest.FromBlob(manifestBytes, manifestType)
 		if err != nil {
-			return fmt.Errorf("error parsing manifest %q: %w", string(manifestBytes), err)
+			return fmt.Errorf("parsing manifest %q: %w", string(manifestBytes), err)
 		}
 
 		// Log the config blob's digest and the blobs of its layers as associated with this manifest.
@@ -135,14 +135,14 @@ func (s *supplementedImageReference) NewImageSource(ctx context.Context, sys *ty
 		// Mark this instance as being associated with this ImageSource.
 		manifestDigest, err := manifest.Digest(manifestBytes)
 		if err != nil {
-			return fmt.Errorf("error computing manifest digest: %w", err)
+			return fmt.Errorf("computing manifest digest: %w", err)
 		}
 		sources[manifestDigest] = src
 
 		// Parse the manifest as a list of images.
 		list, err := manifest.ListFromBlob(manifestBytes, manifestType)
 		if err != nil {
-			return fmt.Errorf("error parsing manifest blob %q as a %q: %w", string(manifestBytes), manifestType, err)
+			return fmt.Errorf("parsing manifest blob %q as a %q: %w", string(manifestBytes), manifestType, err)
 		}
 
 		// Figure out which of its instances we want to look at.
@@ -151,7 +151,7 @@ func (s *supplementedImageReference) NewImageSource(ctx context.Context, sys *ty
 		case cp.CopySystemImage:
 			instance, err := list.ChooseInstance(sys)
 			if err != nil {
-				return fmt.Errorf("error selecting appropriate instance from list: %w", err)
+				return fmt.Errorf("selecting appropriate instance from list: %w", err)
 			}
 			chaseInstances = []digest.Digest{instance}
 		case cp.CopySpecificImages:
@@ -194,14 +194,14 @@ func (s *supplementedImageReference) NewImageSource(ctx context.Context, sys *ty
 		} else {
 			src, err = ref.NewImageSource(ctx, sys)
 			if err != nil {
-				return nil, fmt.Errorf("error opening %q as image source: %w", transports.ImageName(ref), err)
+				return nil, fmt.Errorf("opening %q as image source: %w", transports.ImageName(ref), err)
 			}
 		}
 
 		// Read the default manifest for the image.
 		manifestBytes, manifestType, err := src.GetManifest(ctx, nil)
 		if err != nil {
-			return nil, fmt.Errorf("error reading default manifest from image %q: %w", transports.ImageName(ref), err)
+			return nil, fmt.Errorf("reading default manifest from image %q: %w", transports.ImageName(ref), err)
 		}
 
 		// If this is the first image, mark it as our starting point.
@@ -223,18 +223,18 @@ func (s *supplementedImageReference) NewImageSource(ctx context.Context, sys *ty
 		// Record the digest of the ImageSource's default instance's manifest.
 		manifestDigest, err := manifest.Digest(manifestBytes)
 		if err != nil {
-			return nil, fmt.Errorf("error computing digest of manifest from image %q: %w", transports.ImageName(ref), err)
+			return nil, fmt.Errorf("computing digest of manifest from image %q: %w", transports.ImageName(ref), err)
 		}
 		sis.sourceDefaultInstances[src] = manifestDigest
 
 		// If the ImageSource's default manifest is a list, parse each of its instances.
 		if manifest.MIMETypeIsMultiImage(manifestType) {
 			if err = addMulti(manifestBytes, manifestType, src); err != nil {
-				return nil, fmt.Errorf("error adding multi-image %q: %w", transports.ImageName(ref), err)
+				return nil, fmt.Errorf("adding multi-image %q: %w", transports.ImageName(ref), err)
 			}
 		} else {
 			if err = addSingle(manifestBytes, manifestType, src); err != nil {
-				return nil, fmt.Errorf("error adding single image %q: %w", transports.ImageName(ref), err)
+				return nil, fmt.Errorf("adding single image %q: %w", transports.ImageName(ref), err)
 			}
 		}
 	}
@@ -261,18 +261,18 @@ func (s *supplementedImageReference) NewImageSource(ctx context.Context, sys *ty
 			// Trust that we either don't need it, or that it's in another reference.
 			// continue
 			// }
-			return nil, fmt.Errorf("error reading manifest for instance %q: %w", manifestToRead.instance, err)
+			return nil, fmt.Errorf("reading manifest for instance %q: %w", manifestToRead.instance, err)
 		}
 
 		if manifest.MIMETypeIsMultiImage(manifestType) {
 			// Add the list's contents.
 			if err = addMulti(manifestBytes, manifestType, manifestToRead.src); err != nil {
-				return nil, fmt.Errorf("error adding single image instance %q: %w", manifestToRead.instance, err)
+				return nil, fmt.Errorf("adding single image instance %q: %w", manifestToRead.instance, err)
 			}
 		} else {
 			// Add the single image's contents.
 			if err = addSingle(manifestBytes, manifestType, manifestToRead.src); err != nil {
-				return nil, fmt.Errorf("error adding single image instance %q: %w", manifestToRead.instance, err)
+				return nil, fmt.Errorf("adding single image instance %q: %w", manifestToRead.instance, err)
 			}
 		}
 	}
@@ -313,17 +313,17 @@ func (s *supplementedImageSource) GetManifest(ctx context.Context, instanceDiges
 		}
 		return sourceInstance.GetManifest(ctx, requestInstanceDigest)
 	}
-	return nil, "", fmt.Errorf("error getting manifest for digest %q: %w", *instanceDigest, ErrDigestNotFound)
+	return nil, "", fmt.Errorf("getting manifest for digest %q: %w", *instanceDigest, ErrDigestNotFound)
 }
 
 func (s *supplementedImageSource) GetBlob(ctx context.Context, blob types.BlobInfo, bic types.BlobInfoCache) (io.ReadCloser, int64, error) {
 	sourceInstance, ok := s.instancesByBlobDigest[blob.Digest]
 	if !ok {
-		return nil, -1, fmt.Errorf("error blob %q in known instances: %w", blob.Digest, ErrBlobNotFound)
+		return nil, -1, fmt.Errorf("blob %q in known instances: %w", blob.Digest, ErrBlobNotFound)
 	}
 	src, ok := s.sourceInstancesByInstance[sourceInstance]
 	if !ok {
-		return nil, -1, fmt.Errorf("error getting image source for instance %q: %w", sourceInstance, ErrDigestNotFound)
+		return nil, -1, fmt.Errorf("getting image source for instance %q: %w", sourceInstance, ErrDigestNotFound)
 	}
 	return src.GetBlob(ctx, blob, bic)
 }
@@ -364,7 +364,7 @@ func (s *supplementedImageSource) GetSignatures(ctx context.Context, instanceDig
 	if src != nil {
 		return src.GetSignatures(ctx, requestInstanceDigest)
 	}
-	return nil, fmt.Errorf("error finding instance for instance digest %q to read signatures: %w", digest, ErrDigestNotFound)
+	return nil, fmt.Errorf("finding instance for instance digest %q to read signatures: %w", digest, ErrDigestNotFound)
 }
 
 func (s *supplementedImageSource) LayerInfosForCopy(ctx context.Context, instanceDigest *digest.Digest) ([]types.BlobInfo, error) {
@@ -387,7 +387,7 @@ func (s *supplementedImageSource) LayerInfosForCopy(ctx context.Context, instanc
 	if src != nil {
 		blobInfos, err := src.LayerInfosForCopy(ctx, requestInstanceDigest)
 		if err != nil {
-			return nil, fmt.Errorf("error reading layer infos for copy from instance %q: %w", instanceDigest, err)
+			return nil, fmt.Errorf("reading layer infos for copy from instance %q: %w", instanceDigest, err)
 		}
 		var manifestDigest digest.Digest
 		if instanceDigest != nil {
@@ -398,5 +398,5 @@ func (s *supplementedImageSource) LayerInfosForCopy(ctx context.Context, instanc
 		}
 		return blobInfos, nil
 	}
-	return nil, fmt.Errorf("error finding instance for instance digest %q to copy layers: %w", errMsgDigest, ErrDigestNotFound)
+	return nil, fmt.Errorf("finding instance for instance digest %q to copy layers: %w", errMsgDigest, ErrDigestNotFound)
 }

vendor/github.com/containers/image/v5/docker/archive/dest.go

@@ -3,7 +3,6 @@ package archive
 import (
 	"context"
 	"fmt"
-	"io"
 
 	"github.com/containers/image/v5/docker/internal/tarfile"
 	"github.com/containers/image/v5/internal/private"
@@ -13,8 +12,8 @@ import (
 type archiveImageDestination struct {
 	*tarfile.Destination // Implements most of types.ImageDestination
 	ref                  archiveReference
-	archive              *tarfile.Writer // Should only be closed if writer != nil
-	writer               io.Closer       // May be nil if the archive is shared
+	writer               *Writer // Should be closed if closeWriter
+	closeWriter          bool
 }
 
 func newImageDestination(sys *types.SystemContext, ref archiveReference) (private.ImageDestination, error) {
@@ -22,29 +21,28 @@ func newImageDestination(sys *types.SystemContext, ref archiveReference) (privat
 		return nil, fmt.Errorf("Destination reference must not contain a manifest index @%d", ref.sourceIndex)
 	}
 
-	var archive *tarfile.Writer
-	var writer io.Closer
-	if ref.archiveWriter != nil {
-		archive = ref.archiveWriter
-		writer = nil
+	var writer *Writer
+	var closeWriter bool
+	if ref.writer != nil {
+		writer = ref.writer
+		closeWriter = false
 	} else {
-		fh, err := openArchiveForWriting(ref.path)
+		w, err := NewWriter(sys, ref.path)
 		if err != nil {
 			return nil, err
 		}
-
-		archive = tarfile.NewWriter(fh)
-		writer = fh
+		writer = w
+		closeWriter = true
 	}
-	tarDest := tarfile.NewDestination(sys, archive, ref.Transport().Name(), ref.ref)
+	tarDest := tarfile.NewDestination(sys, writer.archive, ref.Transport().Name(), ref.ref)
 	if sys != nil && sys.DockerArchiveAdditionalTags != nil {
 		tarDest.AddRepoTags(sys.DockerArchiveAdditionalTags)
 	}
 	return &archiveImageDestination{
 		Destination: tarDest,
 		ref:         ref,
-		archive:     archive,
 		writer:      writer,
+		closeWriter: closeWriter,
 	}, nil
 }
 
@@ -56,7 +54,7 @@ func (d *archiveImageDestination) Reference() types.ImageReference {
 
 // Close removes resources associated with an initialized ImageDestination, if any.
 func (d *archiveImageDestination) Close() error {
-	if d.writer != nil {
+	if d.closeWriter {
 		return d.writer.Close()
 	}
 	return nil
@@ -70,8 +68,15 @@ func (d *archiveImageDestination) Close() error {
 // - Uploaded data MAY be visible to others before Commit() is called
 // - Uploaded data MAY be removed or MAY remain around if Close() is called without Commit() (i.e. rollback is allowed but not guaranteed)
 func (d *archiveImageDestination) Commit(ctx context.Context, unparsedToplevel types.UnparsedImage) error {
-	if d.writer != nil {
-		return d.archive.Close()
+	d.writer.imageCommitted()
+	if d.closeWriter {
+		// We could do this only in .Close(), but failures in .Close() are much more likely to be
+		// ignored by callers that use defer. So, in single-image destinations, try to complete
+		// the archive here.
+		// But if Commit() is never called, let .Close() clean up.
+		err := d.writer.Close()
+		d.closeWriter = false
+		return err
 	}
 	return nil
 }

vendor/github.com/containers/image/v5/docker/archive/transport.go

@@ -53,7 +53,7 @@ type archiveReference struct {
 	// file, not necessarily path precisely).
 	archiveReader *tarfile.Reader
 	// If not nil, must have been created for path
-	archiveWriter *tarfile.Writer
+	writer *Writer
 }
 
 // ParseReference converts a string, which should not start with the ImageTransport.Name prefix, into an Docker ImageReference.
@@ -108,7 +108,7 @@ func NewIndexReference(path string, sourceIndex int) (types.ImageReference, erro
 // newReference returns a docker archive reference for a path, an optional reference or sourceIndex,
 // and optionally a tarfile.Reader and/or a tarfile.Writer matching path.
 func newReference(path string, ref reference.NamedTagged, sourceIndex int,
-	archiveReader *tarfile.Reader, archiveWriter *tarfile.Writer) (types.ImageReference, error) {
+	archiveReader *tarfile.Reader, writer *Writer) (types.ImageReference, error) {
 	if strings.Contains(path, ":") {
 		return nil, fmt.Errorf("Invalid docker-archive: reference: colon in path %q is not supported", path)
 	}
@@ -126,7 +126,7 @@ func newReference(path string, ref reference.NamedTagged, sourceIndex int,
 		ref:           ref,
 		sourceIndex:   sourceIndex,
 		archiveReader: archiveReader,
-		archiveWriter: archiveWriter,
+		writer:        writer,
 	}, nil
 }
 

vendor/github.com/containers/image/v5/docker/archive/writer.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"sync"
 
 	"github.com/containers/image/v5/docker/internal/tarfile"
 	"github.com/containers/image/v5/docker/reference"
@@ -14,46 +15,18 @@ import (
 // Writer manages a single in-progress Docker archive and allows adding images to it.
 type Writer struct {
 	path        string // The original, user-specified path; not the maintained temporary file, if any
+	regularFile bool   // path refers to a regular file (e.g. not a pipe)
 	archive     *tarfile.Writer
 	writer      io.Closer
+
+	// The following state can only be acccessed with the mutex held.
+	mutex     sync.Mutex
+	hadCommit bool // At least one successful commit has happened
 }
 
 // NewWriter returns a Writer for path.
 // The caller should call .Close() on the returned object.
 func NewWriter(sys *types.SystemContext, path string) (*Writer, error) {
-	fh, err := openArchiveForWriting(path)
-	if err != nil {
-		return nil, err
-	}
-	archive := tarfile.NewWriter(fh)
-
-	return &Writer{
-		path:    path,
-		archive: archive,
-		writer:  fh,
-	}, nil
-}
-
-// Close writes all outstanding data about images to the archive, and
-// releases state associated with the Writer, if any.
-// No more images can be added after this is called.
-func (w *Writer) Close() error {
-	err := w.archive.Close()
-	if err2 := w.writer.Close(); err2 != nil && err == nil {
-		err = err2
-	}
-	return err
-}
-
-// NewReference returns an ImageReference that allows adding an image to Writer,
-// with an optional reference.
-func (w *Writer) NewReference(destinationRef reference.NamedTagged) (types.ImageReference, error) {
-	return newReference(w.path, destinationRef, -1, nil, w.archive)
-}
-
-// openArchiveForWriting opens path for writing a tar archive,
-// making a few sanity checks.
-func openArchiveForWriting(path string) (*os.File, error) {
 	// path can be either a pipe or a regular file
 	// in the case of a pipe, we require that we can open it for write
 	// in the case of a regular file, we don't want to overwrite any pre-existing file
@@ -69,15 +42,62 @@ func openArchiveForWriting(path string) (*os.File, error) {
 			fh.Close()
 		}
 	}()
+
 	fhStat, err := fh.Stat()
 	if err != nil {
 		return nil, fmt.Errorf("statting file %q: %w", path, err)
 	}
-
-	if fhStat.Mode().IsRegular() && fhStat.Size() != 0 {
+	regularFile := fhStat.Mode().IsRegular()
+	if regularFile && fhStat.Size() != 0 {
 		return nil, errors.New("docker-archive doesn't support modifying existing images")
 	}
 
+	archive := tarfile.NewWriter(fh)
+
 	succeeded = true
-	return fh, nil
+	return &Writer{
+		path:        path,
+		regularFile: regularFile,
+		archive:     archive,
+		writer:      fh,
+		hadCommit:   false,
+	}, nil
+}
+
+// imageCommitted notifies the Writer that at least one image was successfully commited to the stream.
+func (w *Writer) imageCommitted() {
+	w.mutex.Lock()
+	defer w.mutex.Unlock()
+	w.hadCommit = true
+}
+
+// Close writes all outstanding data about images to the archive, and
+// releases state associated with the Writer, if any.
+// No more images can be added after this is called.
+func (w *Writer) Close() error {
+	err := w.archive.Close()
+	if err2 := w.writer.Close(); err2 != nil && err == nil {
+		err = err2
+	}
+	if err == nil && w.regularFile && !w.hadCommit {
+		// Writing to the destination never had a success; delete the destination if we created it.
+		// This is done primarily because we don’t implement adding another image to a pre-existing image, so if we
+		// left a partial archive around (notably because reading from the _source_ has failed), we couldn’t retry without
+		// the caller manually deleting the partial archive. So, delete it instead.
+		//
+		// Archives with at least one successfully created image are left around; they might still be valuable.
+		//
+		// Note a corner case: If there _originally_ was an empty file (which is not a valid archive anyway), this deletes it.
+		// Ideally, if w.regularFile, we should write the full contents to a temporary file and use os.Rename here, only on success.
+		if err2 := os.Remove(w.path); err2 != nil {
+			err = err2
+		}
+	}
+	return err
+}
+
+// NewReference returns an ImageReference that allows adding an image to Writer,
+// with an optional reference.
+func (w *Writer) NewReference(destinationRef reference.NamedTagged) (types.ImageReference, error) {
+	return newReference(w.path, destinationRef, -1, nil, w)
 }

vendor/github.com/containers/image/v5/docker/distribution_error.go

@@ -1,46 +1,60 @@
-package client
+// Code below is taken from https://github.com/distribution/distribution/blob/a4d9db5a884b70be0c96dd6a7a9dbef4f2798c51/registry/client/errors.go
+// Copyright 2022 github.com/distribution/distribution authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package docker
 
 import (
 	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"net/http"
 
 	"github.com/docker/distribution/registry/api/errcode"
-	"github.com/docker/distribution/registry/client/auth/challenge"
+	dockerChallenge "github.com/docker/distribution/registry/client/auth/challenge"
 )
 
-// ErrNoErrorsInBody is returned when an HTTP response body parses to an empty
+// errNoErrorsInBody is returned when an HTTP response body parses to an empty
 // errcode.Errors slice.
-var ErrNoErrorsInBody = errors.New("no error details found in HTTP response body")
+var errNoErrorsInBody = errors.New("no error details found in HTTP response body")
 
-// UnexpectedHTTPStatusError is returned when an unexpected HTTP status is
+// unexpectedHTTPStatusError is returned when an unexpected HTTP status is
 // returned when making a registry api call.
-type UnexpectedHTTPStatusError struct {
+type unexpectedHTTPStatusError struct {
 	Status string
 }
 
-func (e *UnexpectedHTTPStatusError) Error() string {
+func (e *unexpectedHTTPStatusError) Error() string {
 	return fmt.Sprintf("received unexpected HTTP status: %s", e.Status)
 }
 
-// UnexpectedHTTPResponseError is returned when an expected HTTP status code
+// unexpectedHTTPResponseError is returned when an expected HTTP status code
 // is returned, but the content was unexpected and failed to be parsed.
-type UnexpectedHTTPResponseError struct {
+type unexpectedHTTPResponseError struct {
 	ParseErr   error
 	StatusCode int
 	Response   []byte
 }
 
-func (e *UnexpectedHTTPResponseError) Error() string {
+func (e *unexpectedHTTPResponseError) Error() string {
 	return fmt.Sprintf("error parsing HTTP %d response body: %s: %q", e.StatusCode, e.ParseErr.Error(), string(e.Response))
 }
 
 func parseHTTPErrorResponse(statusCode int, r io.Reader) error {
 	var errors errcode.Errors
-	body, err := ioutil.ReadAll(r)
+	body, err := io.ReadAll(r)
 	if err != nil {
 		return err
 	}
@@ -63,7 +77,7 @@ func parseHTTPErrorResponse(statusCode int, r io.Reader) error {
 	}
 
 	if err := json.Unmarshal(body, &errors); err != nil {
-		return &UnexpectedHTTPResponseError{
+		return &unexpectedHTTPResponseError{
 			ParseErr:   err,
 			StatusCode: statusCode,
 			Response:   body,
@@ -73,8 +87,8 @@ func parseHTTPErrorResponse(statusCode int, r io.Reader) error {
 	if len(errors) == 0 {
 		// If there was no error specified in the body, return
 		// UnexpectedHTTPResponseError.
-		return &UnexpectedHTTPResponseError{
-			ParseErr:   ErrNoErrorsInBody,
+		return &unexpectedHTTPResponseError{
+			ParseErr:   errNoErrorsInBody,
 			StatusCode: statusCode,
 			Response:   body,
 		}
@@ -94,15 +108,15 @@ func mergeErrors(err1, err2 error) error {
 	return errcode.Errors(append(makeErrorList(err1), makeErrorList(err2)...))
 }
 
-// HandleErrorResponse returns error parsed from HTTP response for an
+// handleErrorResponse returns error parsed from HTTP response for an
 // unsuccessful HTTP response code (in the range 400 - 499 inclusive). An
 // UnexpectedHTTPStatusError returned for response code outside of expected
 // range.
-func HandleErrorResponse(resp *http.Response) error {
+func handleErrorResponse(resp *http.Response) error {
 	if resp.StatusCode >= 400 && resp.StatusCode < 500 {
 		// Check for OAuth errors within the `WWW-Authenticate` header first
 		// See https://tools.ietf.org/html/rfc6750#section-3
-		for _, c := range challenge.ResponseChallenges(resp) {
+		for _, c := range dockerChallenge.ResponseChallenges(resp) {
 			if c.Scheme == "bearer" {
 				var err errcode.Error
 				// codes defined at https://tools.ietf.org/html/rfc6750#section-3.1
@@ -124,16 +138,10 @@ func HandleErrorResponse(resp *http.Response) error {
 			}
 		}
 		err := parseHTTPErrorResponse(resp.StatusCode, resp.Body)
-		if uErr, ok := err.(*UnexpectedHTTPResponseError); ok && resp.StatusCode == 401 {
+		if uErr, ok := err.(*unexpectedHTTPResponseError); ok && resp.StatusCode == 401 {
 			return errcode.ErrorCodeUnauthorized.WithDetail(uErr.Response)
 		}
 		return err
 	}
-	return &UnexpectedHTTPStatusError{Status: resp.Status}
-}
-
-// SuccessStatus returns true if the argument is a successful HTTP response
-// code (in the range 200 - 399 inclusive).
-func SuccessStatus(status int) bool {
-	return status >= 200 && status <= 399
+	return &unexpectedHTTPStatusError{Status: resp.Status}
 }

vendor/github.com/containers/image/v5/docker/docker_client.go

@@ -27,7 +27,6 @@ import (
 	"github.com/containers/storage/pkg/homedir"
 	"github.com/docker/distribution/registry/api/errcode"
 	v2 "github.com/docker/distribution/registry/api/v2"
-	clientLib "github.com/docker/distribution/registry/client"
 	"github.com/docker/go-connections/tlsconfig"
 	digest "github.com/opencontainers/go-digest"
 	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
@@ -126,6 +125,7 @@ type dockerClient struct {
 }
 
 type authScope struct {
+	resourceType string
 	remoteName   string
 	actions      string
 }
@@ -236,6 +236,7 @@ func newDockerClientFromRef(sys *types.SystemContext, ref dockerReference, regis
 	}
 	client.signatureBase = sigBase
 	client.useSigstoreAttachments = registryConfig.useSigstoreAttachments(ref)
+	client.scope.resourceType = "repository"
 	client.scope.actions = actions
 	client.scope.remoteName = reference.Path(ref.ref)
 	return client, nil
@@ -474,6 +475,33 @@ func (c *dockerClient) makeRequest(ctx context.Context, method, path string, hea
 	return c.makeRequestToResolvedURL(ctx, method, url, headers, stream, -1, auth, extraScope)
 }
 
+// Checks if the auth headers in the response contain an indication of a failed
+// authorizdation because of an "insufficient_scope" error. If that's the case,
+// returns the required scope to be used for fetching a new token.
+func needsRetryWithUpdatedScope(err error, res *http.Response) (bool, *authScope) {
+	if err == nil && res.StatusCode == http.StatusUnauthorized {
+		challenges := parseAuthHeader(res.Header)
+		for _, challenge := range challenges {
+			if challenge.Scheme == "bearer" {
+				if errmsg, ok := challenge.Parameters["error"]; ok && errmsg == "insufficient_scope" {
+					if scope, ok := challenge.Parameters["scope"]; ok && scope != "" {
+						if newScope, err := parseAuthScope(scope); err == nil {
+							return true, newScope
+						} else {
+							logrus.WithFields(logrus.Fields{
+								"error":     err,
+								"scope":     scope,
+								"challenge": challenge,
+							}).Error("Failed to parse the authentication scope from the given challenge")
+						}
+					}
+				}
+			}
+		}
+	}
+	return false, nil
+}
+
 // parseRetryAfter determines the delay required by the "Retry-After" header in res and returns it,
 // silently falling back to fallbackDelay if the header is missing or invalid.
 func parseRetryAfter(res *http.Response, fallbackDelay time.Duration) time.Duration {
@@ -513,6 +541,29 @@ func (c *dockerClient) makeRequestToResolvedURL(ctx context.Context, method stri
 	for {
 		res, err := c.makeRequestToResolvedURLOnce(ctx, method, url, headers, stream, streamLen, auth, extraScope)
 		attempts++
+
+		// By default we use pre-defined scopes per operation. In
+		// certain cases, this can fail when our authentication is
+		// insufficient, then we might be getting an error back with a
+		// Www-Authenticate Header indicating an insufficient scope.
+		//
+		// Check for that and update the client challenges to retry after
+		// requesting a new token
+		//
+		// We only try this on the first attempt, to not overload an
+		// already struggling server.
+		// We also cannot retry with a body (stream != nil) as stream
+		// was already read
+		if attempts == 1 && stream == nil && auth != noAuth {
+			if retry, newScope := needsRetryWithUpdatedScope(err, res); retry {
+				logrus.Debug("Detected insufficient_scope error, will retry request with updated scope")
+				// Note: This retry ignores extraScope. That’s, strictly speaking, incorrect, but we don’t currently
+				// expect the insufficient_scope errors to happen for those callers. If that changes, we can add support
+				// for more than one extra scope.
+				res, err = c.makeRequestToResolvedURLOnce(ctx, method, url, headers, stream, streamLen, auth, newScope)
+				extraScope = newScope
+			}
+		}
 		if res == nil || res.StatusCode != http.StatusTooManyRequests || // Only retry on StatusTooManyRequests, success or other failure is returned to caller immediately
 			stream != nil || // We can't retry with a body (which is not restartable in the general case)
 			attempts == backoffNumIterations {
@@ -592,8 +643,18 @@ func (c *dockerClient) setupRequestAuth(req *http.Request, extraScope *authScope
 				cacheKey := ""
 				scopes := []authScope{c.scope}
 				if extraScope != nil {
-					// Using ':' as a separator here is unambiguous because getBearerToken below uses the same separator when formatting a remote request (and because repository names can't contain colons).
-					cacheKey = fmt.Sprintf("%s:%s", extraScope.remoteName, extraScope.actions)
+					// Using ':' as a separator here is unambiguous because getBearerToken below
+					// uses the same separator when formatting a remote request (and because
+					// repository names that we create can't contain colons, and extraScope values
+					// coming from a server come from `parseAuthScope`, which also splits on colons).
+					cacheKey = fmt.Sprintf("%s:%s:%s", extraScope.resourceType, extraScope.remoteName, extraScope.actions)
+					if colonCount := strings.Count(cacheKey, ":"); colonCount != 2 {
+						return fmt.Errorf(
+							"Internal error: there must be exactly 2 colons in the cacheKey ('%s') but got %d",
+							cacheKey,
+							colonCount,
+						)
+					}
 					scopes = append(scopes, *extraScope)
 				}
 				var token bearerToken
@@ -648,9 +709,10 @@ func (c *dockerClient) getBearerTokenOAuth2(ctx context.Context, challenge chall
 	if service, ok := challenge.Parameters["service"]; ok && service != "" {
 		params.Add("service", service)
 	}
+
 	for _, scope := range scopes {
-		if scope.remoteName != "" && scope.actions != "" {
-			params.Add("scope", fmt.Sprintf("repository:%s:%s", scope.remoteName, scope.actions))
+		if scope.resourceType != "" && scope.remoteName != "" && scope.actions != "" {
+			params.Add("scope", fmt.Sprintf("%s:%s:%s", scope.resourceType, scope.remoteName, scope.actions))
 		}
 	}
 	params.Add("grant_type", "refresh_token")
@@ -700,8 +762,8 @@ func (c *dockerClient) getBearerToken(ctx context.Context, challenge challenge,
 	}
 
 	for _, scope := range scopes {
-		if scope.remoteName != "" && scope.actions != "" {
-			params.Add("scope", fmt.Sprintf("repository:%s:%s", scope.remoteName, scope.actions))
+		if scope.resourceType != "" && scope.remoteName != "" && scope.actions != "" {
+			params.Add("scope", fmt.Sprintf("%s:%s:%s", scope.resourceType, scope.remoteName, scope.actions))
 		}
 	}
 
@@ -977,7 +1039,7 @@ func (c *dockerClient) getExtensionsSignatures(ctx context.Context, ref dockerRe
 	defer res.Body.Close()
 
 	if res.StatusCode != http.StatusOK {
-		return nil, fmt.Errorf("downloading signatures for %s in %s: %w", manifestDigest, ref.ref.Name(), clientLib.HandleErrorResponse(res))
+		return nil, fmt.Errorf("downloading signatures for %s in %s: %w", manifestDigest, ref.ref.Name(), handleErrorResponse(res))
 	}
 
 	body, err := iolimits.ReadAtMost(res.Body, iolimits.MaxSignatureListBodySize)

vendor/github.com/containers/image/v5/docker/docker_image_dest.go

@@ -358,6 +358,7 @@ func (d *dockerImageDestination) TryReusingBlobWithOptions(ctx context.Context,
 		// Checking candidateRepo, and mounting from it, requires an
 		// expanded token scope.
 		extraScope := &authScope{
+			resourceType: "repository",
 			remoteName:   reference.Path(candidateRepo),
 			actions:      "pull",
 		}

vendor/github.com/containers/image/v5/docker/errors.go

@@ -4,8 +4,6 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
-
-	"github.com/docker/distribution/registry/client"
 )
 
 var (
@@ -35,7 +33,7 @@ func httpResponseToError(res *http.Response, context string) error {
 	case http.StatusTooManyRequests:
 		return ErrTooManyRequests
 	case http.StatusUnauthorized:
-		err := client.HandleErrorResponse(res)
+		err := handleErrorResponse(res)
 		return ErrUnauthorizedForCredentials{Err: err}
 	default:
 		if context != "" {
@@ -48,8 +46,8 @@ func httpResponseToError(res *http.Response, context string) error {
 // registryHTTPResponseToError creates a Go error from an HTTP error response of a docker/distribution
 // registry
 func registryHTTPResponseToError(res *http.Response) error {
-	err := client.HandleErrorResponse(res)
-	if e, ok := err.(*client.UnexpectedHTTPResponseError); ok {
+	err := handleErrorResponse(res)
+	if e, ok := err.(*unexpectedHTTPResponseError); ok {
 		response := string(e.Response)
 		if len(response) > 50 {
 			response = response[:50] + "..."

vendor/github.com/containers/image/v5/docker/wwwauthenticate.go

@@ -3,6 +3,7 @@ package docker
 // Based on github.com/docker/distribution/registry/client/auth/authchallenge.go, primarily stripping unnecessary dependencies.
 
 import (
+	"fmt"
 	"net/http"
 	"strings"
 )
@@ -70,6 +71,18 @@ func parseAuthHeader(header http.Header) []challenge {
 	return challenges
 }
 
+// parseAuthScope parses an authentication scope string of the form `$resource:$remote:$actions`
+func parseAuthScope(scopeStr string) (*authScope, error) {
+	if parts := strings.Split(scopeStr, ":"); len(parts) == 3 {
+		return &authScope{
+			resourceType: parts[0],
+			remoteName:   parts[1],
+			actions:      parts[2],
+		}, nil
+	}
+	return nil, fmt.Errorf("error parsing auth scope: '%s'", scopeStr)
+}
+
 // NOTE: This is not a fully compliant parser per RFC 7235:
 // Most notably it does not support more than one challenge within a single header
 // Some of the whitespace parsing also seems noncompliant.

vendor/github.com/containers/image/v5/internal/imagedestination/impl/compat.go

@@ -22,13 +22,14 @@ type Compat struct {
 // for implementations of private.ImageDestination.
 //
 // Use it like this:
+//
 //	type yourDestination struct {
 //		impl.Compat
 //		…
 //	}
+//
 //	dest := &yourDestination{…}
 //	dest.Compat = impl.AddCompat(dest)
-//
 func AddCompat(dest private.ImageDestinationInternalOnly) Compat {
 	return Compat{dest}
 }

vendor/github.com/containers/image/v5/internal/imagedestination/stubs/stubs.go

@@ -3,15 +3,18 @@
 // Compare with imagedestination/impl, which might require non-trivial implementation work.
 //
 // There are two kinds of stubs:
-// - Pure stubs, like ImplementsPutBlobPartial. Those can just be included in an imageDestination
+//
+// First, there are pure stubs, like ImplementsPutBlobPartial. Those can just be included in an imageDestination
 // implementation:
 //
 //	type yourDestination struct {
 //		stubs.ImplementsPutBlobPartial
 //		…
 //	}
-// - Stubs with a constructor, like NoPutBlobPartialInitialize. The Initialize marker
+//
+// Second, there are stubs with a constructor, like NoPutBlobPartialInitialize. The Initialize marker
 // means that a constructor must be called:
+//
 //	type yourDestination struct {
 //		stubs.NoPutBlobPartialInitialize
 //		…
@@ -21,5 +24,4 @@
 //		…
 //		NoPutBlobPartialInitialize: stubs.NoPutBlobPartial(ref),
 //	}
-//
 package stubs

vendor/github.com/containers/image/v5/internal/imagesource/impl/compat.go

@@ -19,13 +19,14 @@ type Compat struct {
 // for implementations of private.ImageSource.
 //
 // Use it like this:
+//
 //	type yourSource struct {
 //		impl.Compat
 //		…
 //	}
+//
 //	src := &yourSource{…}
 //	src.Compat = impl.AddCompat(src)
-//
 func AddCompat(src private.ImageSourceInternalOnly) Compat {
 	return Compat{src}
 }

vendor/github.com/containers/image/v5/internal/imagesource/stubs/stubs.go

@@ -3,15 +3,19 @@
 // Compare with imagesource/impl, which might require non-trivial implementation work.
 //
 // There are two kinds of stubs:
-// - Pure stubs, like ImplementsGetBlobAt. Those can just be included in an ImageSource
+//
+// First, there are pure stubs, like ImplementsGetBlobAt. Those can just be included in an ImageSource
+//
 // implementation:
 //
 //	type yourSource struct {
 //		stubs.ImplementsGetBlobAt
 //		…
 //	}
-// - Stubs with a constructor, like NoGetBlobAtInitialize. The Initialize marker
+//
+// Second, there are stubs with a constructor, like NoGetBlobAtInitialize. The Initialize marker
 // means that a constructor must be called:
+
 //	type yourSource struct {
 //		stubs.NoGetBlobAtInitialize
 //		…
@@ -21,5 +25,4 @@
 //		…
 //		NoGetBlobAtInitialize: stubs.NoGetBlobAt(ref),
 //	}
-//
 package stubs

vendor/github.com/containers/image/v5/manifest/common.go

@@ -228,3 +228,16 @@ func compressionVariantsRecognizeMIMEType(variantTable []compressionMIMETypeSet,
 	variants := findCompressionMIMETypeSet(variantTable, mimeType)
 	return variants != nil // Alternatively, this could be len(variants) > 1, but really the caller should ask about a specific algorithm.
 }
+
+// imgInspectLayersFromLayerInfos converts a list of layer infos, presumably obtained from a Manifest.LayerInfos()
+// method call, into a format suitable for inclusion in a types.ImageInspectInfo structure.
+func imgInspectLayersFromLayerInfos(infos []LayerInfo) []types.ImageInspectLayer {
+	layers := make([]types.ImageInspectLayer, len(infos))
+	for i, info := range infos {
+		layers[i].MIMEType = info.MediaType
+		layers[i].Digest = info.Digest
+		layers[i].Size = info.Size
+		layers[i].Annotations = info.Annotations
+	}
+	return layers
+}

vendor/github.com/containers/image/v5/manifest/docker_schema1.go

@@ -221,13 +221,16 @@ func (m *Schema1) Inspect(_ func(types.BlobInfo) ([]byte, error)) (*types.ImageI
 	if err := json.Unmarshal([]byte(m.History[0].V1Compatibility), s1); err != nil {
 		return nil, err
 	}
+	layerInfos := m.LayerInfos()
 	i := &types.ImageInspectInfo{
 		Tag:           m.Tag,
 		Created:       &s1.Created,
 		DockerVersion: s1.DockerVersion,
 		Architecture:  s1.Architecture,
 		Os:            s1.OS,
-		Layers:        layerInfosToStrings(m.LayerInfos()),
+		Layers:        layerInfosToStrings(layerInfos),
+		LayersData:    imgInspectLayersFromLayerInfos(layerInfos),
+		Author:        s1.Author,
 	}
 	if s1.Config != nil {
 		i.Labels = s1.Config.Labels

vendor/github.com/containers/image/v5/manifest/docker_schema2.go

@@ -271,6 +271,7 @@ func (m *Schema2) Inspect(configGetter func(types.BlobInfo) ([]byte, error)) (*t
 	if err := json.Unmarshal(config, s2); err != nil {
 		return nil, err
 	}
+	layerInfos := m.LayerInfos()
 	i := &types.ImageInspectInfo{
 		Tag:           "",
 		Created:       &s2.Created,
@@ -278,7 +279,9 @@ func (m *Schema2) Inspect(configGetter func(types.BlobInfo) ([]byte, error)) (*t
 		Architecture:  s2.Architecture,
 		Variant:       s2.Variant,
 		Os:            s2.OS,
-		Layers:        layerInfosToStrings(m.LayerInfos()),
+		Layers:        layerInfosToStrings(layerInfos),
+		LayersData:    imgInspectLayersFromLayerInfos(layerInfos),
+		Author:        s2.Author,
 	}
 	if s2.Config != nil {
 		i.Labels = s2.Config.Labels

vendor/github.com/containers/image/v5/manifest/oci.go

@@ -212,6 +212,7 @@ func (m *OCI1) Inspect(configGetter func(types.BlobInfo) ([]byte, error)) (*type
 	if err := json.Unmarshal(config, d1); err != nil {
 		return nil, err
 	}
+	layerInfos := m.LayerInfos()
 	i := &types.ImageInspectInfo{
 		Tag:           "",
 		Created:       v1.Created,
@@ -219,8 +220,10 @@ func (m *OCI1) Inspect(configGetter func(types.BlobInfo) ([]byte, error)) (*type
 		Labels:        v1.Config.Labels,
 		Architecture:  v1.Architecture,
 		Os:            v1.OS,
-		Layers:        layerInfosToStrings(m.LayerInfos()),
+		Layers:        layerInfosToStrings(layerInfos),
+		LayersData:    imgInspectLayersFromLayerInfos(layerInfos),
 		Env:           v1.Config.Env,
+		Author:        v1.Author,
 	}
 	return i, nil
 }

vendor/github.com/containers/image/v5/openshift/openshift-copies.go

@@ -545,8 +545,10 @@ type clientConfigLoadingRules struct {
 // Load is a modified copy of k8s.io/kubernetes/pkg/client/unversioned/clientcmd.ClientConfigLoadingRules.Load
 // Load starts by running the MigrationRules and then
 // takes the loading rules and returns a Config object based on following rules.
-//   if the ExplicitPath, return the unmerged explicit file
-//   Otherwise, return a merged config based on the Precedence slice
+//
+//   - if the ExplicitPath, return the unmerged explicit file
+//   - Otherwise, return a merged config based on the Precedence slice
+//
 // A missing ExplicitPath file produces an error. Empty filenames or other missing files are ignored.
 // Read errors or files with non-deserializable content produce errors.
 // The first file to set a particular map key wins and map key's value is never changed.

vendor/github.com/containers/image/v5/pkg/shortnames/shortnames.go

@@ -20,8 +20,8 @@ import (
 // short names.
 //
 // Examples:
-//  * short names: "image:tag", "library/fedora"
-//  * not short names: "quay.io/image", "localhost/image:tag",
+//   - short names: "image:tag", "library/fedora"
+//   - not short names: "quay.io/image", "localhost/image:tag",
 //     "server.org:5000/lib/image", "image@sha256:..."
 func IsShortName(input string) bool {
 	isShort, _, _ := parseUnnormalizedShortName(input)
@@ -402,9 +402,9 @@ func Resolve(ctx *types.SystemContext, name string) (*Resolved, error) {
 // not a short name), it is returned as is.  In case, it's a short name, the
 // returned slice of named references looks as follows:
 //
-//  1) If present, the short-name alias
-//  2) "localhost/" as used by many container engines such as Podman and Buildah
-//  3) Unqualified-search registries from the registries.conf files
+//  1. If present, the short-name alias
+//  2. "localhost/" as used by many container engines such as Podman and Buildah
+//  3. Unqualified-search registries from the registries.conf files
 //
 // Note that tags and digests are stripped from the specified name before
 // looking up an alias. Stripped off tags and digests are later on appended to

vendor/github.com/containers/image/v5/tarball/doc.go

@@ -2,6 +2,7 @@
 // tarballs and an optional template configuration.
 //
 // An example:
+//
 //	package main
 //
 //	import (

vendor/github.com/containers/image/v5/types/types.go

@@ -177,6 +177,7 @@ type BICReplacementCandidate struct {
 // BlobInfoCache records data useful for reusing blobs, or substituting equivalent ones, to avoid unnecessary blob copies.
 //
 // It records two kinds of data:
+//
 //   - Sets of corresponding digest vs. uncompressed digest ("DiffID") pairs:
 //     One of the two digests is known to be uncompressed, and a single uncompressed digest may correspond to more than one compressed digest.
 //     This allows matching compressed layer blobs to existing local uncompressed layers (to avoid unnecessary download and decompression),
@@ -465,7 +466,17 @@ type ImageInspectInfo struct {
 	Variant       string
 	Os            string
 	Layers        []string
+	LayersData    []ImageInspectLayer
 	Env           []string
+	Author        string
+}
+
+// ImageInspectLayer is a set of metadata describing an image layers' detail
+type ImageInspectLayer struct {
+	MIMEType    string // "" if unknown.
+	Digest      digest.Digest
+	Size        int64 // -1 if unknown.
+	Annotations map[string]string
 }
 
 // DockerAuthConfig contains authorization information for connecting to a registry.

vendor/github.com/containers/image/v5/version/version.go

@@ -8,10 +8,10 @@ const (
 	// VersionMinor is for functionality in a backwards-compatible manner
 	VersionMinor = 22
 	// VersionPatch is for backwards-compatible bug fixes
-	VersionPatch = 0
+	VersionPatch = 1
 
 	// VersionDev indicates development branch. Releases will be empty string.
-	VersionDev = ""
+	VersionDev = "-dev"
 )
 
 // Version is the specification version that the package types support.

vendor/github.com/containers/storage/.cirrus.yml

@@ -132,7 +132,7 @@ lint_task:
 meta_task:
 
     container:
-        image: "quay.io/libpod/imgts:${IMAGE_SUFFIX}"
+        image: "quay.io/libpod/imgts:latest"
         cpu: 1
         memory: 1
 

vendor/github.com/containers/storage/VERSION

@@ -1 +1 @@
-1.42.0
+1.42.1-dev

vendor/github.com/containers/storage/drivers/aufs/aufs.go

@@ -47,7 +47,7 @@ import (
 	mountpk "github.com/containers/storage/pkg/mount"
 	"github.com/containers/storage/pkg/parsers"
 	"github.com/containers/storage/pkg/system"
-	"github.com/opencontainers/runc/libcontainer/userns"
+	"github.com/containers/storage/pkg/unshare"
 	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/sirupsen/logrus"
 	"github.com/vbatts/tar-split/tar/storage"
@@ -200,7 +200,7 @@ func supportsAufs() error {
 	// proc/filesystems for when aufs is supported
 	exec.Command("modprobe", "aufs").Run()
 
-	if userns.RunningInUserNS() {
+	if unshare.IsRootless() {
 		return ErrAufsNested
 	}
 

vendor/github.com/containers/storage/drivers/chown.go

@@ -2,6 +2,7 @@ package graphdriver
 
 import (
 	"bytes"
+	"errors"
 	"fmt"
 	"os"
 
@@ -93,7 +94,7 @@ func ChownPathByMaps(path string, toContainer, toHost *idtools.IDMappings) error
 		return err
 	}
 	if len(output) > 0 {
-		return fmt.Errorf(string(output))
+		return errors.New(string(output))
 	}
 
 	return nil

vendor/github.com/containers/storage/drivers/copy/copy_linux.go

@@ -27,7 +27,6 @@ import (
 	"github.com/containers/storage/pkg/pools"
 	"github.com/containers/storage/pkg/system"
 	"github.com/containers/storage/pkg/unshare"
-	"github.com/opencontainers/runc/libcontainer/userns"
 	"golang.org/x/sys/unix"
 )
 
@@ -207,7 +206,7 @@ func DirCopy(srcDir, dstDir string, copyMode Mode, copyXattrs bool) error {
 			s.Close()
 
 		case mode&os.ModeDevice != 0:
-			if userns.RunningInUserNS() {
+			if unshare.IsRootless() {
 				// cannot create a device if running in user namespace
 				return nil
 			}

vendor/github.com/containers/storage/drivers/devmapper/device_setup.go

@@ -166,10 +166,11 @@ func readLVMConfig(root string) (directLVMConfig, error) {
 	if len(b) == 0 {
 		return cfg, nil
 	}
-
-	err = json.Unmarshal(b, &cfg)
+	if err := json.Unmarshal(b, &cfg); err != nil {
 		return cfg, fmt.Errorf("unmarshaling previous device setup config: %w", err)
 	}
+	return cfg, nil
+}
 
 func writeLVMConfig(root string, cfg directLVMConfig) error {
 	p := filepath.Join(root, "setup-config.json")

vendor/github.com/containers/storage/drivers/fsdiff.go

@@ -10,7 +10,7 @@ import (
 	"github.com/containers/storage/pkg/chrootarchive"
 	"github.com/containers/storage/pkg/idtools"
 	"github.com/containers/storage/pkg/ioutils"
-	"github.com/opencontainers/runc/libcontainer/userns"
+	"github.com/containers/storage/pkg/unshare"
 	"github.com/sirupsen/logrus"
 )
 
@@ -179,7 +179,7 @@ func (gdw *NaiveDiffDriver) ApplyDiff(id, parent string, options ApplyDiffOpts)
 	}
 
 	tarOptions := &archive.TarOptions{
-		InUserNS:          userns.RunningInUserNS(),
+		InUserNS:          unshare.IsRootless(),
 		IgnoreChownErrors: options.IgnoreChownErrors,
 		ForceMask:         forceMask,
 	}

vendor/github.com/containers/storage/drivers/overlay/check_116.go

@@ -1,14 +1,17 @@
-// +build go1.16
+//go:build linux
+// +build linux
 
 package overlay
 
 import (
+	"errors"
 	"io/fs"
 	"path/filepath"
 	"strings"
 
 	"github.com/containers/storage/pkg/archive"
 	"github.com/containers/storage/pkg/system"
+	"golang.org/x/sys/unix"
 )
 
 func scanForMountProgramIndicators(home string) (detected bool, err error) {
@@ -26,7 +29,7 @@ func scanForMountProgramIndicators(home string) (detected bool, err error) {
 		}
 		if d.IsDir() {
 			xattrs, err := system.Llistxattr(path)
-			if err != nil {
+			if err != nil && !errors.Is(err, unix.EOPNOTSUPP) {
 				return err
 			}
 			for _, xattr := range xattrs {

vendor/github.com/containers/storage/drivers/overlay/idmapped_utils.go

@@ -21,17 +21,6 @@ type attr struct {
 	userNs      uint64
 }
 
-const (
-	// _MOUNT_ATTR_IDMAP - Idmap mount to @userns_fd in struct mount_attr
-	_MOUNT_ATTR_IDMAP = 0x00100000 //nolint:golint
-
-	// _OPEN_TREE_CLONE - Clone the source path mount
-	_OPEN_TREE_CLONE = 0x00000001 //nolint:golint
-
-	// _MOVE_MOUNT_F_EMPTY_PATH - Move the path referenced by the fd
-	_MOVE_MOUNT_F_EMPTY_PATH = 0x00000004 //nolint:golint
-)
-
 // openTree is a wrapper for the open_tree syscall
 func openTree(path string, flags int) (fd int, err error) {
 	var _p0 *byte
@@ -61,7 +50,7 @@ func moveMount(fdTree int, target string) (err error) {
 		return err
 	}
 
-	flags := _MOVE_MOUNT_F_EMPTY_PATH
+	flags := unix.MOVE_MOUNT_F_EMPTY_PATH
 
 	_, _, e1 := syscall.Syscall6(uintptr(unix.SYS_MOVE_MOUNT),
 		uintptr(fdTree), uintptr(unsafe.Pointer(_p1)),
@@ -98,14 +87,14 @@ func createIDMappedMount(source, target string, pid int) error {
 	}
 
 	var attr attr
-	attr.attrSet = _MOUNT_ATTR_IDMAP
+	attr.attrSet = unix.MOUNT_ATTR_IDMAP
 	attr.attrClr = 0
 	attr.propagation = 0
 	attr.userNs = uint64(userNsFile.Fd())
 
 	defer userNsFile.Close()
 
-	targetDirFd, err := openTree(source, _OPEN_TREE_CLONE|unix.AT_RECURSIVE)
+	targetDirFd, err := openTree(source, unix.OPEN_TREE_CLONE)
 	if err != nil {
 		return err
 	}

vendor/github.com/containers/storage/drivers/overlay/overlay.go

@@ -34,7 +34,6 @@ import (
 	units "github.com/docker/go-units"
 	"github.com/hashicorp/go-multierror"
 	digest "github.com/opencontainers/go-digest"
-	"github.com/opencontainers/runc/libcontainer/userns"
 	"github.com/opencontainers/selinux/go-selinux"
 	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/sirupsen/logrus"
@@ -1346,7 +1345,11 @@ func (d *Driver) get(id string, disableShifting bool, options graphdriver.MountO
 	}
 	if !d.usingMetacopy {
 		if hasMetacopyOption(optsList) {
+			if d.options.mountProgram == "" {
 				logrus.StandardLogger().Logf(logLevel, "Ignoring global metacopy option, not supported with booted kernel")
+			} else {
+				logrus.Debugf("Ignoring global metacopy option, the mount program doesn't support it")
+			}
 		}
 		optsList = stripOption(optsList, "metacopy=on")
 	}
@@ -1608,7 +1611,7 @@ func (d *Driver) get(id string, disableShifting bool, options graphdriver.MountO
 			diffDir := path.Join(id, "diff")
 			opts = fmt.Sprintf("lowerdir=%s,upperdir=%s,workdir=%s", strings.Join(relLowers, ":"), diffDir, workdir)
 		} else {
-			opts = fmt.Sprintf("lowerdir=%s", strings.Join(relLowers, ":"))
+			opts = fmt.Sprintf("lowerdir=%s:%s", diffDir, strings.Join(relLowers, ":"))
 		}
 		if len(optsList) > 0 {
 			opts = fmt.Sprintf("%s,%s", opts, strings.Join(optsList, ","))
@@ -1826,7 +1829,7 @@ func (d *Driver) ApplyDiffWithDiffer(id, parent string, options *graphdriver.App
 		GIDMaps:           idMappings.GIDs(),
 		IgnoreChownErrors: d.options.ignoreChownErrors,
 		WhiteoutFormat:    d.getWhiteoutFormat(),
-		InUserNS:          userns.RunningInUserNS(),
+		InUserNS:          unshare.IsRootless(),
 	})
 	out.Target = applyDir
 	return out, err
@@ -1884,7 +1887,7 @@ func (d *Driver) ApplyDiff(id, parent string, options graphdriver.ApplyDiffOpts)
 		IgnoreChownErrors: d.options.ignoreChownErrors,
 		ForceMask:         d.options.forceMask,
 		WhiteoutFormat:    d.getWhiteoutFormat(),
-		InUserNS:          userns.RunningInUserNS(),
+		InUserNS:          unshare.IsRootless(),
 	}); err != nil {
 		return 0, err
 	}

vendor/github.com/containers/storage/go.mod

@@ -5,10 +5,10 @@ module github.com/containers/storage
 require (
 	github.com/BurntSushi/toml v1.2.0
 	github.com/Microsoft/go-winio v0.5.2
-	github.com/Microsoft/hcsshim v0.9.3
+	github.com/Microsoft/hcsshim v0.9.4
 	github.com/containerd/stargz-snapshotter/estargz v0.12.0
 	github.com/cyphar/filepath-securejoin v0.2.3
-	github.com/docker/go-units v0.4.0
+	github.com/docker/go-units v0.5.0
 	github.com/google/go-intervals v0.0.2
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/json-iterator/go v1.1.12
@@ -18,7 +18,7 @@ require (
 	github.com/mistifyio/go-zfs v2.1.2-0.20190413222219-f784269be439+incompatible
 	github.com/moby/sys/mountinfo v0.6.2
 	github.com/opencontainers/go-digest v1.0.0
-	github.com/opencontainers/runc v1.1.3
+	github.com/opencontainers/runc v1.1.4
 	github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417
 	github.com/opencontainers/selinux v1.10.1
 	github.com/sirupsen/logrus v1.9.0

vendor/github.com/containers/storage/go.sum

@@ -57,8 +57,8 @@ github.com/Microsoft/hcsshim v0.8.14/go.mod h1:NtVKoYxQuTLx6gEq0L96c9Ju4JbRJ4nY2
 github.com/Microsoft/hcsshim v0.8.15/go.mod h1:x38A4YbHbdxJtc0sF6oIz+RG0npwSCAvn69iY6URG00=
 github.com/Microsoft/hcsshim v0.8.16/go.mod h1:o5/SZqmR7x9JNKsW3pu+nqHm0MF8vbA+VxGOoXdC600=
 github.com/Microsoft/hcsshim v0.8.21/go.mod h1:+w2gRZ5ReXQhFOrvSQeNfhrYB/dg3oDwTOcER2fw4I4=
-github.com/Microsoft/hcsshim v0.9.3 h1:k371PzBuRrz2b+ebGuI2nVgVhgsVX60jMfSw80NECxo=
-github.com/Microsoft/hcsshim v0.9.3/go.mod h1:7pLA8lDk46WKDWlVsENo92gC0XFa8rbKfyFRBqxEbCc=
+github.com/Microsoft/hcsshim v0.9.4 h1:mnUj0ivWy6UzbB1uLFqKR6F+ZyiDc7j4iGgHTpO+5+I=
+github.com/Microsoft/hcsshim v0.9.4/go.mod h1:7pLA8lDk46WKDWlVsENo92gC0XFa8rbKfyFRBqxEbCc=
 github.com/Microsoft/hcsshim/test v0.0.0-20201218223536-d3e5debf77da/go.mod h1:5hlzMzRKMLyo42nCZ9oml8AdTlq/0cvIaBv6tK1RehU=
 github.com/Microsoft/hcsshim/test v0.0.0-20210227013316-43a75bb4edd3/go.mod h1:mw7qgWloBUl75W/gVH3cQszUg1+gUITj7D6NY7ywVnY=
 github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
@@ -246,8 +246,9 @@ github.com/docker/go-events v0.0.0-20170721190031-9461782956ad/go.mod h1:Uw6Uezg
 github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA=
 github.com/docker/go-metrics v0.0.0-20180209012529-399ea8c73916/go.mod h1:/u0gXw0Gay3ceNrsHubL3BtdOL2fHf93USgMTe0W5dI=
 github.com/docker/go-metrics v0.0.1/go.mod h1:cG1hvH2utMXtqgqqYE9plW6lDxS3/5ayHzueweSI3Vw=
-github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw=
 github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
+github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/docker/libtrust v0.0.0-20150114040149-fa567046d9b1/go.mod h1:cyGadeNEkKy96OOhEzfZl+yxihPEzKnqJwvfuSUqbZE=
 github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM=
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
@@ -521,8 +522,8 @@ github.com/opencontainers/runc v1.0.0-rc8.0.20190926000215-3e425f80a8c9/go.mod h
 github.com/opencontainers/runc v1.0.0-rc9/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
 github.com/opencontainers/runc v1.0.0-rc93/go.mod h1:3NOsor4w32B2tC0Zbl8Knk4Wg84SM2ImC1fxBuqJ/H0=
 github.com/opencontainers/runc v1.0.2/go.mod h1:aTaHFFwQXuA71CiyxOdFFIorAoemI04suvGRQFzWTD0=
-github.com/opencontainers/runc v1.1.3 h1:vIXrkId+0/J2Ymu2m7VjGvbSlAId9XNRPhn2p4b+d8w=
-github.com/opencontainers/runc v1.1.3/go.mod h1:1J5XiS+vdZ3wCyZybsuxXZWGrgSr8fFJHLXuG2PsnNg=
+github.com/opencontainers/runc v1.1.4 h1:nRCz/8sKg6K6jgYAFLDlXzPeITBZJyX28DBVhWD+5dg=
+github.com/opencontainers/runc v1.1.4/go.mod h1:1J5XiS+vdZ3wCyZybsuxXZWGrgSr8fFJHLXuG2PsnNg=
 github.com/opencontainers/runtime-spec v0.1.2-0.20190507144316-5b71a03e2700/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-spec v1.0.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-spec v1.0.2-0.20190207185410-29686dbc5559/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=