Merge pull request #24540 from Luap99/vendor

vendor containers projects to tagged versions
2025-05-17 23:26:08 +08:00 · 2024-11-12 15:00:03 +00:00
parent da8995658b 0a1363d8eb
commit f41eab21de
15 changed files with 531 additions and 151 deletions
--- a/go.mod
+++ b/go.mod
@ -13,18 +13,18 @@ require (
 	github.com/checkpoint-restore/checkpointctl v1.3.0
 	github.com/checkpoint-restore/go-criu/v7 v7.2.0
 	github.com/containernetworking/plugins v1.5.1
-	github.com/containers/buildah v1.37.1-0.20241104213057-0dc5f958934a
-	github.com/containers/common v0.60.1-0.20241106101802-8130e31c0832
+	github.com/containers/buildah v1.38.0
+	github.com/containers/common v0.61.0
 	github.com/containers/conmon v2.0.20+incompatible
 	github.com/containers/gvisor-tap-vsock v0.8.0
-	github.com/containers/image/v5 v5.32.3-0.20241105183637-59417aed3db1
-	github.com/containers/libhvee v0.7.1
+	github.com/containers/image/v5 v5.33.0
+	github.com/containers/libhvee v0.9.0
 	github.com/containers/ocicrypt v1.2.0
 	github.com/containers/psgo v1.9.0
-	github.com/containers/storage v1.55.2-0.20241104201357-ad5f2a48e9e9
+	github.com/containers/storage v1.56.0
 	github.com/containers/winquit v1.1.0
 	github.com/coreos/go-systemd/v22 v22.5.1-0.20231103132048-7d375ecc2b09
-	github.com/crc-org/crc/v2 v2.38.0
+	github.com/crc-org/crc/v2 v2.43.0
 	github.com/crc-org/vfkit v0.5.1
 	github.com/cyphar/filepath-securejoin v0.3.4
 	github.com/digitalocean/go-qemu v0.0.0-20230711162256-2e3d0186973e
@ -170,7 +170,7 @@ require (
 	github.com/miekg/pkcs11 v1.1.1 // indirect
 	github.com/mistifyio/go-zfs/v3 v3.0.1 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
-	github.com/moby/buildkit v0.17.0 // indirect
+	github.com/moby/buildkit v0.17.1 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/patternmatcher v0.6.0 // indirect
 	github.com/moby/sys/mountinfo v0.7.2 // indirect
--- a/go.sum
+++ b/go.sum
@ -79,18 +79,18 @@ github.com/containernetworking/cni v1.2.3 h1:hhOcjNVUQTnzdRJ6alC5XF+wd9mfGIUaj8F
 github.com/containernetworking/cni v1.2.3/go.mod h1:DuLgF+aPd3DzcTQTtp/Nvl1Kim23oFKdm2okJzBQA5M=
 github.com/containernetworking/plugins v1.5.1 h1:T5ji+LPYjjgW0QM+KyrigZbLsZ8jaX+E5J/EcKOE4gQ=
 github.com/containernetworking/plugins v1.5.1/go.mod h1:MIQfgMayGuHYs0XdNudf31cLLAC+i242hNm6KuDGqCM=
-github.com/containers/buildah v1.37.1-0.20241104213057-0dc5f958934a h1:0ZkxeT5b46pyfvwnplL3yxI4XscQXFoXWVpn619qIYA=
-github.com/containers/buildah v1.37.1-0.20241104213057-0dc5f958934a/go.mod h1:zyzg/OC40RZUl6NxvPkBHjaPHKFNGsAMyd8JrbseNwE=
-github.com/containers/common v0.60.1-0.20241106101802-8130e31c0832 h1:bu0QHPZns2JbbaEArh+Khs9ajAoX8/biSdBYWAD+/Ec=
-github.com/containers/common v0.60.1-0.20241106101802-8130e31c0832/go.mod h1:7MOGFZ12UTBYSPxvQpBBJHTbHho0qizdMR6MlDZwGBA=
+github.com/containers/buildah v1.38.0 h1:FmciZMwzhdcvtWj+8IE+61+lfTG2JfgrbZ2DUnEMnTE=
+github.com/containers/buildah v1.38.0/go.mod h1:tUsHC2bcgR5Q/R76qZUn7x0FRglqPFry2g5KhWfH4LI=
+github.com/containers/common v0.61.0 h1:j/84PTqZIKKYy42OEJsZmjZ4g4Kq2ERuC3tqp2yWdh4=
+github.com/containers/common v0.61.0/go.mod h1:NGRISq2vTFPSbhNqj6MLwyes4tWSlCnqbJg7R77B8xc=
 github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
 github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
 github.com/containers/gvisor-tap-vsock v0.8.0 h1:Z8ZEWb+Lio0d+lXexONdUWT4rm9lF91vH0g3ARnMy7o=
 github.com/containers/gvisor-tap-vsock v0.8.0/go.mod h1:LVwnMiNvhxyGfhaMEQcXKJhNnN4h8woB9U3wf8rYOPc=
-github.com/containers/image/v5 v5.32.3-0.20241105183637-59417aed3db1 h1:QOxFuqs21puYp9EnMaAEMgygtSORUYKn0felPS4rXa0=
-github.com/containers/image/v5 v5.32.3-0.20241105183637-59417aed3db1/go.mod h1:qsONoo3ZvAnrwa2+49bY6m3ewtJO5+A1AaELCtGuDKc=
-github.com/containers/libhvee v0.7.1 h1:dWGF5GLq9DZvXo3P8aDp3cNieL5eCaSell4UmeA/jY4=
-github.com/containers/libhvee v0.7.1/go.mod h1:fRKB3AyIqHMvq6xaeYhTpckM2cdoq0oecolyoiuLP7M=
+github.com/containers/image/v5 v5.33.0 h1:6oPEFwTurf7pDTGw7TghqGs8K0+OvPtY/UyzU0B2DfE=
+github.com/containers/image/v5 v5.33.0/go.mod h1:T7HpASmvnp2H1u4cyckMvCzLuYgpD18dSmabSw0AcHk=
+github.com/containers/libhvee v0.9.0 h1:5UxJMka1lDfxTeITA25Pd8QVVttJAG43eQS1Getw1tc=
+github.com/containers/libhvee v0.9.0/go.mod h1:p44VJd8jMIx3SRN1eM6PxfCEwXQE0lJ0dQppCAlzjPQ=
 github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 h1:Qzk5C6cYglewc+UyGf6lc8Mj2UaPTHy/iF2De0/77CA=
 github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01/go.mod h1:9rfv8iPl1ZP7aqh9YA68wnZv2NUDbXdcdPHVz0pFbPY=
 github.com/containers/luksy v0.0.0-20241007190014-e2530d691420 h1:57rxgU2wdI3lZMDZtao09WjCWmxBKOxI/Sj37IpCV50=
@ -99,8 +99,8 @@ github.com/containers/ocicrypt v1.2.0 h1:X14EgRK3xNFvJEfI5O4Qn4T3E25ANudSOZz/sir
 github.com/containers/ocicrypt v1.2.0/go.mod h1:ZNviigQajtdlxIZGibvblVuIFBKIuUI2M0QM12SD31U=
 github.com/containers/psgo v1.9.0 h1:eJ74jzSaCHnWt26OlKZROSyUyRcGDf+gYBdXnxrMW4g=
 github.com/containers/psgo v1.9.0/go.mod h1:0YoluUm43Mz2UnBIh1P+6V6NWcbpTL5uRtXyOcH0B5A=
-github.com/containers/storage v1.55.2-0.20241104201357-ad5f2a48e9e9 h1:qB+KgM08F5GEGzdzrWLUHs41NU6d/+TUMEP2xMeyjGs=
-github.com/containers/storage v1.55.2-0.20241104201357-ad5f2a48e9e9/go.mod h1:c6WKowcAlED/DkWGNuL9bvGYqIWCVy7isRMdCSKWNjk=
+github.com/containers/storage v1.56.0 h1:DZ9KSkj6M2tvj/4bBoaJu3QDHRl35BwsZ4kmLJS97ZI=
+github.com/containers/storage v1.56.0/go.mod h1:c6WKowcAlED/DkWGNuL9bvGYqIWCVy7isRMdCSKWNjk=
 github.com/containers/winquit v1.1.0 h1:jArun04BNDQvt2W0Y78kh9TazN2EIEMG5Im6/JY7+pE=
 github.com/containers/winquit v1.1.0/go.mod h1:PsPeZlnbkmGGIToMPHF1zhWjBUkd8aHjMOr/vFcPxw8=
 github.com/coreos/go-oidc/v3 v3.11.0 h1:Ia3MxdwpSw702YW0xgfmP1GVCMA9aEFWu12XUZ3/OtI=
@ -110,8 +110,8 @@ github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f/go.mod h1:F5haX7
 github.com/coreos/go-systemd/v22 v22.5.1-0.20231103132048-7d375ecc2b09 h1:OoRAFlvDGCUqDLampLQjk0yeeSGdF9zzst/3G9IkBbc=
 github.com/coreos/go-systemd/v22 v22.5.1-0.20231103132048-7d375ecc2b09/go.mod h1:m2r/smMKsKwgMSAoFKHaa68ImdCSNuKE1MxvQ64xuCQ=
 github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
-github.com/crc-org/crc/v2 v2.38.0 h1:8QcoH4hYksfKUQOLXHZw4jIY1aNS162WraZR4mzQzC8=
-github.com/crc-org/crc/v2 v2.38.0/go.mod h1:HPY6grOaExM4Bhmd3T4RSkP0eizWsb8wSgoSwNsV5+k=
+github.com/crc-org/crc/v2 v2.43.0 h1:JK0+spFohhIJ6vcHCdmYbKX2Bhu7syV7rVADRl9kaMo=
+github.com/crc-org/crc/v2 v2.43.0/go.mod h1:nwaYCJMLrVX6eD6mv3l7IdxPwd17Wacqt4lOrizGy2s=
 github.com/crc-org/vfkit v0.5.1 h1:r1zNf1g1bLbgu5BgIQodirvYaIGWJQ91eS/PIgNO6lo=
 github.com/crc-org/vfkit v0.5.1/go.mod h1:Hqi20zQcqXMk6JqvByvOidHYv+KzPx3G+cjkdGSWv60=
 github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=
@ -359,8 +359,8 @@ github.com/mistifyio/go-zfs/v3 v3.0.1 h1:YaoXgBePoMA12+S1u/ddkv+QqxcfiZK4prI6HPn
 github.com/mistifyio/go-zfs/v3 v3.0.1/go.mod h1:CzVgeB0RvF2EGzQnytKVvVSDwmKJXxkOTUGbNrTja/k=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
-github.com/moby/buildkit v0.17.0 h1:ZA/4AxwBbve1f3ZaNNJQiCBtTV62R6YweWNwq4A+sTc=
-github.com/moby/buildkit v0.17.0/go.mod h1:ru8NFyDHD8HbuKaLXJIjK9nr3x6FZR+IWjtF07S+wdM=
+github.com/moby/buildkit v0.17.1 h1:VWj6eIdk7u6acHPn2CiA+tdq0/mQoBEk9ckweRzWmPw=
+github.com/moby/buildkit v0.17.1/go.mod h1:ru8NFyDHD8HbuKaLXJIjK9nr3x6FZR+IWjtF07S+wdM=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
 github.com/moby/patternmatcher v0.6.0 h1:GmP9lR19aU5GqSSFko+5pRqHi+Ohk1O69aFiKkVGiPk=
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@ -1034,21 +1034,6 @@ echo -n madeit-$teststring >$tmpfile
 		Expect(session.OutputToString()).To(ContainSubstring("key.pem"))
 	})

-	It("podman run with FIPS mode secrets", func() {
-		SkipIfRootless("rootless can not manipulate system-fips file")
-		fipsFile := "/etc/system-fips"
-		err = os.WriteFile(fipsFile, []byte{}, 0755)
-		Expect(err).ToNot(HaveOccurred())
-
-		session := podmanTest.Podman([]string{"run", "--rm", ALPINE, "ls", "/run/secrets"})
-		session.WaitWithDefaultTimeout()
-		Expect(session).Should(ExitCleanly())
-		Expect(session.OutputToString()).To(ContainSubstring("system-fips"))
-
-		err = os.Remove(fipsFile)
-		Expect(err).ToNot(HaveOccurred())
-	})
-
 	It("podman run without group-add", func() {
 		session := podmanTest.Podman([]string{"run", "--rm", ALPINE, "id"})
 		session.WaitWithDefaultTimeout()
--- a/vendor/github.com/containers/buildah/.cirrus.yml
+++ b/vendor/github.com/containers/buildah/.cirrus.yml
@ -27,12 +27,12 @@ env:
    ####
    # GCE project where images live
    IMAGE_PROJECT: "libpod-218412"
-    FEDORA_NAME: "fedora-40"
-    PRIOR_FEDORA_NAME: "fedora-39"
+    FEDORA_NAME: "fedora-41"
+    PRIOR_FEDORA_NAME: "fedora-40"
    DEBIAN_NAME: "debian-13"

    # Image identifiers
-    IMAGE_SUFFIX: "c20241010t105554z-f40f39d13"
+    IMAGE_SUFFIX: "c20241106t163000z-f41f40d13"
    FEDORA_CACHE_IMAGE_NAME: "fedora-${IMAGE_SUFFIX}"
    PRIOR_FEDORA_CACHE_IMAGE_NAME: "prior-fedora-${IMAGE_SUFFIX}"
    DEBIAN_CACHE_IMAGE_NAME: "debian-${IMAGE_SUFFIX}"
--- a/vendor/github.com/containers/buildah/CHANGELOG.md
+++ b/vendor/github.com/containers/buildah/CHANGELOG.md
@ -2,6 +2,127 @@

 # Changelog

+## v1.38.0 (2024-11-08)
+
+    Bump to c/common v0.61.0, c/image v5.33.0, c/storage v1.56.0
+    fix(deps): update module golang.org/x/crypto to v0.29.0
+    fix(deps): update module github.com/moby/buildkit to v0.17.1
+    fix(deps): update module github.com/containers/storage to v1.56.0
+    tests: skip two ulimit tests
+    CI VMs: bump f40 -> f41
+    tests/tools: rebuild tools when we change versions
+    tests/tools: update golangci-lint to v1.61.0
+    fix(deps): update module github.com/moby/buildkit to v0.17.0
+    Handle RUN --mount with relative targets and no configured workdir
+    tests: bud: make parallel-safe
+    fix(deps): update module github.com/opencontainers/runc to v1.2.1
+    fix(deps): update golang.org/x/exp digest to f66d83c
+    fix(deps): update github.com/opencontainers/runtime-tools digest to 6c9570a
+    tests: blobcache: use unique image name
+    tests: sbom: never write to cwd
+    tests: mkcw: bug fixes, refactor
+    deps: bump runc to v1.2.0
+    deps: switch to moby/sys/userns
+    tests/test_runner.sh: remove some redundancies
+    Integration tests: run git daemon on a random-but-bind()able port
+    fix(deps): update module github.com/opencontainers/selinux to v1.11.1
+    go.mod: remove unnecessary replace
+    Document more buildah build --secret options
+    Add support for COPY --exclude and ADD --exclude options
+    fix(deps): update github.com/containers/luksy digest to e2530d6
+    chore(deps): update dependency containers/automation_images to v20241010
+    fix(deps): update module github.com/cyphar/filepath-securejoin to v0.3.4
+    Properly validate cache IDs and sources
+    [skip-ci] Packit: constrain koji job to fedora package to avoid dupes
+    Audit and tidy OWNERS
+    fix(deps): update module golang.org/x/crypto to v0.28.0
+    tests: add quotes to names
+    vendor: update c/common to latest
+    CVE-2024-9407: validate "bind-propagation" flag settings
+    vendor: switch to moby/sys/capability
+    Don't set ambient capabilities
+    Document that zstd:chunked is downgraded to zstd when encrypting
+    fix(deps): update module github.com/cyphar/filepath-securejoin to v0.3.3
+    buildah-manifest-create.1: Fix manpage section
+    chore(deps): update dependency ubuntu to v24
+    Make `buildah manifest push --all` true by default
+    chroot: add newlines at the end of printed error messages
+    Do not error on trying to write IMA xattr as rootless
+    fix: remove duplicate conditions
+    fix(deps): update module github.com/moby/buildkit to v0.16.0
+    fix(deps): update module github.com/cyphar/filepath-securejoin to v0.3.2
+    Document how entrypoint is configured in buildah config
+    In a container, try to register binfmt_misc
+    imagebuildah.StageExecutor: clean up volumes/volumeCache
+    build: fall back to parsing a TARGETPLATFORM build-arg
+    `manifest add --artifact`: handle multiple values
+    Packit: split out ELN jobs and reuse fedora downstream targets
+    Packit: Enable sidetags for bodhi updates
+    fix(deps): update module github.com/docker/docker to v27.2.1+incompatible
+    tests/bud.bats: add git source
+    add: add support for git source
+    Add support for the new c/common pasta options
+    vendor latest c/common
+    fix(deps): update module golang.org/x/term to v0.24.0
+    fix(deps): update module github.com/fsouza/go-dockerclient to v1.12.0
+    packit: update fedora and epel targets
+    cirrus: disable f39 testing
+    cirrus: fix fedora names
+    update to go 1.22
+    Vendor c/common:9d025e4cb348
+    copier: handle globbing with "**" path components
+    fix(deps): update golang.org/x/exp digest to 9b4947d
+    fix(deps): update github.com/containers/luksy digest to 2e7307c
+    imagebuildah: make scratch config handling toggleable
+    fix(deps): update module github.com/docker/docker to v27.2.0+incompatible
+    Add a validation script for Makefile $(SOURCES)
+    fix(deps): update module github.com/openshift/imagebuilder to v1.2.15
+    New VMs
+    Update some godocs, use 0o to prefix an octal in a comment
+    buildah-build.1.md: expand the --layer-label description
+    fix(deps): update module github.com/containers/common to v0.60.2
+    run: fix a nil pointer dereference on FreeBSD
+    CI: enable the whitespace linter
+    Fix some govet linter warnings
+    Commit(): retry committing to local storage on storage.LayerUnknown
+    CI: enable the gofumpt linter
+    conformance: move weirdly-named files out of the repository
+    fix(deps): update module github.com/docker/docker to v27.1.2+incompatible
+    fix(deps): update module github.com/containers/common to v0.60.1
+    *: use gofmt -s, add gofmt linter
+    *: fix build tags
+    fix(deps): update module github.com/containers/image/v5 to v5.32.1
+    Add(): re-escape any globbed items that included escapes
+    conformance tests: use mirror.gcr.io for most images
+    unit tests: use test-specific policy.json and registries.conf
+    fix(deps): update module golang.org/x/sys to v0.24.0
+    Update to spun-out "github.com/containerd/platforms"
+    Bump github.com/containerd/containerd
+    test/tools/Makefile: duplicate the vendor-in-container target
+    linters: unchecked error
+    linters: don't end loop iterations with "else" when "then" would
+    linters: unused arguments shouldn't have names
+    linters: rename checkIdsGreaterThan5() to checkIDsGreaterThan5()
+    linters: don't name variables "cap"
+    `make lint`: use --timeout instead of --deadline
+    Drop the e2e test suite
+    fix(deps): update module golang.org/x/crypto to v0.26.0
+    fix(deps): update module github.com/onsi/gomega to v1.34.1
+    `make vendor-in-container`: use the caller's Go cache if it exists
+    fix(deps): fix test/tools ginkgo typo
+    fix(deps): update module github.com/onsi/ginkgo/v2 to v2.19.1
+    Update to keep up with API changes in storage
+    fix(deps): update github.com/containers/luksy digest to 1f482a9
+    install: On Debian/Ubuntu, add installation of libbtrfs-dev
+    fix(deps): update module golang.org/x/sys to v0.23.0
+    fix(deps): update golang.org/x/exp digest to 8a7402a
+    fix(deps): update module github.com/fsouza/go-dockerclient to v1.11.2
+    Use Epoch: 2 and respect the epoch in dependencies.
+    Bump to Buildah v1.38.0-dev
+    AddAndCopyOptions: add CertPath, InsecureSkipTLSVerify, Retry fields
+    Add PrependedLinkedLayers/AppendedLinkedLayers to CommitOptions
+    integration tests: teach starthttpd() about TLS and pid files
+
 ## vv1.37.0 (2024-07-26)

    Bump c/storage, c/image, c/common for v1.37.0
--- a/vendor/github.com/containers/buildah/changelog.txt
+++ b/vendor/github.com/containers/buildah/changelog.txt
@ -1,3 +1,123 @@
+- Changelog for v1.38.0 (2024-11-08)
+  * Bump to c/common v0.61.0, c/image v5.33.0, c/storage v1.56.0
+  * fix(deps): update module golang.org/x/crypto to v0.29.0
+  * fix(deps): update module github.com/moby/buildkit to v0.17.1
+  * fix(deps): update module github.com/containers/storage to v1.56.0
+  * tests: skip two ulimit tests
+  * CI VMs: bump f40 -> f41
+  * tests/tools: rebuild tools when we change versions
+  * tests/tools: update golangci-lint to v1.61.0
+  * fix(deps): update module github.com/moby/buildkit to v0.17.0
+  * Handle RUN --mount with relative targets and no configured workdir
+  * tests: bud: make parallel-safe
+  * fix(deps): update module github.com/opencontainers/runc to v1.2.1
+  * fix(deps): update golang.org/x/exp digest to f66d83c
+  * fix(deps): update github.com/opencontainers/runtime-tools digest to 6c9570a
+  * tests: blobcache: use unique image name
+  * tests: sbom: never write to cwd
+  * tests: mkcw: bug fixes, refactor
+  * deps: bump runc to v1.2.0
+  * deps: switch to moby/sys/userns
+  * tests/test_runner.sh: remove some redundancies
+  * Integration tests: run git daemon on a random-but-bind()able port
+  * fix(deps): update module github.com/opencontainers/selinux to v1.11.1
+  * go.mod: remove unnecessary replace
+  * Document more buildah build --secret options
+  * Add support for COPY --exclude and ADD --exclude options
+  * fix(deps): update github.com/containers/luksy digest to e2530d6
+  * chore(deps): update dependency containers/automation_images to v20241010
+  * fix(deps): update module github.com/cyphar/filepath-securejoin to v0.3.4
+  * Properly validate cache IDs and sources
+  * [skip-ci] Packit: constrain koji job to fedora package to avoid dupes
+  * Audit and tidy OWNERS
+  * fix(deps): update module golang.org/x/crypto to v0.28.0
+  * tests: add quotes to names
+  * vendor: update c/common to latest
+  * CVE-2024-9407: validate "bind-propagation" flag settings
+  * vendor: switch to moby/sys/capability
+  * Don't set ambient capabilities
+  * Document that zstd:chunked is downgraded to zstd when encrypting
+  * fix(deps): update module github.com/cyphar/filepath-securejoin to v0.3.3
+  * buildah-manifest-create.1: Fix manpage section
+  * chore(deps): update dependency ubuntu to v24
+  * Make `buildah manifest push --all` true by default
+  * chroot: add newlines at the end of printed error messages
+  * Do not error on trying to write IMA xattr as rootless
+  * fix: remove duplicate conditions
+  * fix(deps): update module github.com/moby/buildkit to v0.16.0
+  * fix(deps): update module github.com/cyphar/filepath-securejoin to v0.3.2
+  * Document how entrypoint is configured in buildah config
+  * In a container, try to register binfmt_misc
+  * imagebuildah.StageExecutor: clean up volumes/volumeCache
+  * build: fall back to parsing a TARGETPLATFORM build-arg
+  * `manifest add --artifact`: handle multiple values
+  * Packit: split out ELN jobs and reuse fedora downstream targets
+  * Packit: Enable sidetags for bodhi updates
+  * fix(deps): update module github.com/docker/docker to v27.2.1+incompatible
+  * tests/bud.bats: add git source
+  * add: add support for git source
+  * Add support for the new c/common pasta options
+  * vendor latest c/common
+  * fix(deps): update module golang.org/x/term to v0.24.0
+  * fix(deps): update module github.com/fsouza/go-dockerclient to v1.12.0
+  * packit: update fedora and epel targets
+  * cirrus: disable f39 testing
+  * cirrus: fix fedora names
+  * update to go 1.22
+  * Vendor c/common:9d025e4cb348
+  * copier: handle globbing with "**" path components
+  * fix(deps): update golang.org/x/exp digest to 9b4947d
+  * fix(deps): update github.com/containers/luksy digest to 2e7307c
+  * imagebuildah: make scratch config handling toggleable
+  * fix(deps): update module github.com/docker/docker to v27.2.0+incompatible
+  * Add a validation script for Makefile $(SOURCES)
+  * fix(deps): update module github.com/openshift/imagebuilder to v1.2.15
+  * New VMs
+  * Update some godocs, use 0o to prefix an octal in a comment
+  * buildah-build.1.md: expand the --layer-label description
+  * fix(deps): update module github.com/containers/common to v0.60.2
+  * run: fix a nil pointer dereference on FreeBSD
+  * CI: enable the whitespace linter
+  * Fix some govet linter warnings
+  * Commit(): retry committing to local storage on storage.LayerUnknown
+  * CI: enable the gofumpt linter
+  * conformance: move weirdly-named files out of the repository
+  * fix(deps): update module github.com/docker/docker to v27.1.2+incompatible
+  * fix(deps): update module github.com/containers/common to v0.60.1
+  * *: use gofmt -s, add gofmt linter
+  * *: fix build tags
+  * fix(deps): update module github.com/containers/image/v5 to v5.32.1
+  * Add(): re-escape any globbed items that included escapes
+  * conformance tests: use mirror.gcr.io for most images
+  * unit tests: use test-specific policy.json and registries.conf
+  * fix(deps): update module golang.org/x/sys to v0.24.0
+  * Update to spun-out "github.com/containerd/platforms"
+  * Bump github.com/containerd/containerd
+  * test/tools/Makefile: duplicate the vendor-in-container target
+  * linters: unchecked error
+  * linters: don't end loop iterations with "else" when "then" would
+  * linters: unused arguments shouldn't have names
+  * linters: rename checkIdsGreaterThan5() to checkIDsGreaterThan5()
+  * linters: don't name variables "cap"
+  * `make lint`: use --timeout instead of --deadline
+  * Drop the e2e test suite
+  * fix(deps): update module golang.org/x/crypto to v0.26.0
+  * fix(deps): update module github.com/onsi/gomega to v1.34.1
+  * `make vendor-in-container`: use the caller's Go cache if it exists
+  * fix(deps): fix test/tools ginkgo typo
+  * fix(deps): update module github.com/onsi/ginkgo/v2 to v2.19.1
+  * Update to keep up with API changes in storage
+  * fix(deps): update github.com/containers/luksy digest to 1f482a9
+  * install: On Debian/Ubuntu, add installation of libbtrfs-dev
+  * fix(deps): update module golang.org/x/sys to v0.23.0
+  * fix(deps): update golang.org/x/exp digest to 8a7402a
+  * fix(deps): update module github.com/fsouza/go-dockerclient to v1.11.2
+  * Use Epoch: 2 and respect the epoch in dependencies.
+  * Bump to Buildah v1.38.0-dev
+  * AddAndCopyOptions: add CertPath, InsecureSkipTLSVerify, Retry fields
+  * Add PrependedLinkedLayers/AppendedLinkedLayers to CommitOptions
+  * integration tests: teach starthttpd() about TLS and pid files
+
 - Changelog for vv1.37.0 (2024-07-26)
  * Bump c/storage, c/image, c/common for v1.37.0
  * "build with basename resolving user arg" tests: correct ARG use
--- a/vendor/github.com/containers/buildah/define/types.go
+++ b/vendor/github.com/containers/buildah/define/types.go
@ -29,7 +29,7 @@ const (
 	// identify working containers.
 	Package = "buildah"
 	// Version for the Package. Also used by .packit.sh for Packit builds.
-	Version = "1.38.0-dev"
+	Version = "1.38.0"

 	// DefaultRuntime if containers.conf fails.
 	DefaultRuntime = "runc"
--- a/vendor/github.com/containers/common/libnetwork/resolvconf/resolvconf.go
+++ b/vendor/github.com/containers/common/libnetwork/resolvconf/resolvconf.go
@ -32,11 +32,12 @@ var (
 	// ipLocalhost is a regex pattern for IPv4 or IPv6 loopback range.
 	ipLocalhost = `((127\.([0-9]{1,3}\.){2}[0-9]{1,3})|(::1)$)`

-	localhostNSRegexp = regexp.Delayed(`(?m)^nameserver\s+` + ipLocalhost + `\s*\n*`)
-	nsIPv6Regexp      = regexp.Delayed(`(?m)^nameserver\s+` + ipv6Address + `\s*\n*`)
-	nsRegexp          = regexp.Delayed(`^\s*nameserver\s*((` + ipv4Address + `)|(` + ipv6Address + `))\s*$`)
-	searchRegexp      = regexp.Delayed(`^\s*search\s*(([^\s]+\s*)*)$`)
-	optionsRegexp     = regexp.Delayed(`^\s*options\s*(([^\s]+\s*)*)$`)
+	localhostNSRegexp     = regexp.Delayed(`(?m)^nameserver\s+` + ipLocalhost + `\s*\n*`)
+	nsIPv6Regexp          = regexp.Delayed(`(?m)^nameserver\s+` + ipv6Address + `\s*\n*`)
+	nsIPv6LinkLocalRegexp = regexp.Delayed(`(?m)^nameserver\s+` + ipv6Address + `%.*\s*\n*`)
+	nsRegexp              = regexp.Delayed(`^\s*nameserver\s*((` + ipv4Address + `)|(` + ipv6Address + `))\s*$`)
+	searchRegexp          = regexp.Delayed(`^\s*search\s*(([^\s]+\s*)*)$`)
+	optionsRegexp         = regexp.Delayed(`^\s*options\s*(([^\s]+\s*)*)$`)
 )

 // filterResolvDNS cleans up the config in resolvConf.  It has two main jobs:
@ -54,6 +55,10 @@ func filterResolvDNS(resolvConf []byte, ipv6Enabled bool, netnsEnabled bool) []b
 	// if IPv6 is not enabled, also clean out any IPv6 address nameserver
 	if !ipv6Enabled {
 		cleanedResolvConf = nsIPv6Regexp.ReplaceAll(cleanedResolvConf, []byte{})
+	} else {
+		// If ipv6 is we still must remove any ipv6 link-local addresses as
+		// the zone will never match the interface name or index in the container.
+		cleanedResolvConf = nsIPv6LinkLocalRegexp.ReplaceAll(cleanedResolvConf, []byte{})
 	}
 	// if the resulting resolvConf has no more nameservers defined, add appropriate
 	// default DNS servers for IPv4 and (optionally) IPv6
--- a/vendor/github.com/containers/common/pkg/cgroups/systemd_linux.go
+++ b/vendor/github.com/containers/common/pkg/cgroups/systemd_linux.go
@ -4,8 +4,12 @@ package cgroups

 import (
 	"context"
+	"errors"
 	"fmt"
+	"math/big"
 	"path/filepath"
+	"slices"
+	"strconv"
 	"strings"

 	systemdDbus "github.com/coreos/go-systemd/v22/dbus"
@ -53,7 +57,11 @@ func systemdCreate(resources *configs.Resources, path string, c *systemdDbus.Con
 			properties = append(properties, p)
 		}

-		uMap, sMap, bMap, iMap, structMap := resourcesToProps(resources, v2)
+		uMap, sMap, bMap, iMap, structMap, err := resourcesToProps(resources, v2)
+		if err != nil {
+			lastError = err
+			continue
+		}
 		for k, v := range uMap {
 			p := systemdDbus.Property{
 				Name:  k,
@ -95,7 +103,7 @@ func systemdCreate(resources *configs.Resources, path string, c *systemdDbus.Con
 		}

 		ch := make(chan string)
-		_, err := c.StartTransientUnitContext(context.TODO(), name, "replace", properties, ch)
+		_, err = c.StartTransientUnitContext(context.TODO(), name, "replace", properties, ch)
 		if err != nil {
 			lastError = err
 			continue
@ -142,7 +150,7 @@ func systemdDestroyConn(path string, c *systemdDbus.Conn) error {
 	return nil
 }

-func resourcesToProps(res *configs.Resources, v2 bool) (map[string]uint64, map[string]string, map[string][]byte, map[string]int64, map[string][]BlkioDev) {
+func resourcesToProps(res *configs.Resources, v2 bool) (map[string]uint64, map[string]string, map[string][]byte, map[string]int64, map[string][]BlkioDev, error) {
 	bMap := make(map[string][]byte)
 	// this array is not used but will be once more resource limits are added
 	sMap := make(map[string]string)
@ -179,11 +187,19 @@ func resourcesToProps(res *configs.Resources, v2 bool) (map[string]uint64, map[s

 	// CPUSet
 	if res.CpusetCpus != "" {
-		bits := []byte(res.CpusetCpus)
+		bits, err := rangeToBits(res.CpusetCpus)
+		if err != nil {
+			return nil, nil, nil, nil, nil, fmt.Errorf("resources.CpusetCpus=%q conversion error: %w",
+				res.CpusetCpus, err)
+		}
 		bMap["AllowedCPUs"] = bits
 	}
 	if res.CpusetMems != "" {
-		bits := []byte(res.CpusetMems)
+		bits, err := rangeToBits(res.CpusetMems)
+		if err != nil {
+			return nil, nil, nil, nil, nil, fmt.Errorf("resources.CpusetMems=%q conversion error: %w",
+				res.CpusetMems, err)
+		}
 		bMap["AllowedMemoryNodes"] = bits
 	}

@ -258,5 +274,51 @@ func resourcesToProps(res *configs.Resources, v2 bool) (map[string]uint64, map[s
 		}
 	}

-	return uMap, sMap, bMap, iMap, structMap
+	return uMap, sMap, bMap, iMap, structMap, nil
+}
+
+func rangeToBits(str string) ([]byte, error) {
+	bits := new(big.Int)
+
+	for _, r := range strings.Split(str, ",") {
+		// allow extra spaces around
+		r = strings.TrimSpace(r)
+		// allow empty elements (extra commas)
+		if r == "" {
+			continue
+		}
+		startr, endr, ok := strings.Cut(r, "-")
+		if ok {
+			start, err := strconv.ParseUint(startr, 10, 32)
+			if err != nil {
+				return nil, err
+			}
+			end, err := strconv.ParseUint(endr, 10, 32)
+			if err != nil {
+				return nil, err
+			}
+			if start > end {
+				return nil, errors.New("invalid range: " + r)
+			}
+			for i := start; i <= end; i++ {
+				bits.SetBit(bits, int(i), 1)
+			}
+		} else {
+			val, err := strconv.ParseUint(startr, 10, 32)
+			if err != nil {
+				return nil, err
+			}
+			bits.SetBit(bits, int(val), 1)
+		}
+	}
+
+	ret := bits.Bytes()
+	if len(ret) == 0 {
+		// do not allow empty values
+		return nil, errors.New("empty value")
+	}
+
+	// fit cpuset parsing order in systemd
+	slices.Reverse(ret)
+	return ret, nil
 }
--- a/vendor/github.com/containers/common/pkg/netns/netns_linux.go
+++ b/vendor/github.com/containers/common/pkg/netns/netns_linux.go
@ -260,34 +260,37 @@ func newNSPath(nsPath string) (ns.NetNS, error) {
 // UnmountNS unmounts the given netns path
 func UnmountNS(nsPath string) error {
 	// Only unmount if it's been bind-mounted (don't touch namespaces in /proc...)
-	if !strings.HasPrefix(nsPath, "/proc/") {
-		// EINVAL means the path exists but is not mounted, just try to remove the path below
-		if err := unix.Unmount(nsPath, unix.MNT_DETACH); err != nil && !errors.Is(err, unix.EINVAL) {
-			// If path does not exists we can return without error as we have nothing to do.
+	if strings.HasPrefix(nsPath, "/proc/") {
+		return nil
+	}
+	// EINVAL means the path exists but is not mounted, just try to remove the path below
+	if err := unix.Unmount(nsPath, unix.MNT_DETACH); err != nil && !errors.Is(err, unix.EINVAL) {
+		// If path does not exists we can return without error as we have nothing to do.
+		if errors.Is(err, unix.ENOENT) {
+			return nil
+		}
+
+		return fmt.Errorf("failed to unmount NS: at %s: %w", nsPath, err)
+	}
+
+	var err error
+	// wait for up to 60s in the loop
+	for range 6000 {
+		if err = os.Remove(nsPath); err != nil {
+			if errors.Is(err, unix.EBUSY) {
+				// mount is still busy, sleep a moment and try again to remove
+				logrus.Debugf("Netns %s still busy, try removing it again in 10ms", nsPath)
+				time.Sleep(10 * time.Millisecond)
+				continue
+			}
+			// If path does not exists we can return without error.
 			if errors.Is(err, unix.ENOENT) {
 				return nil
 			}
-
-			return fmt.Errorf("failed to unmount NS: at %s: %w", nsPath, err)
-		}
-
-		for {
-			if err := os.Remove(nsPath); err != nil {
-				if errors.Is(err, unix.EBUSY) {
-					// mount is still busy, sleep a moment and try again to remove
-					logrus.Debugf("Netns %s still busy, try removing it again in 10ms", nsPath)
-					time.Sleep(10 * time.Millisecond)
-					continue
-				}
-				// If path does not exists we can return without error.
-				if errors.Is(err, unix.ENOENT) {
-					break
-				}
-				return fmt.Errorf("failed to remove ns path: %w", err)
-			}
-			break
+			return fmt.Errorf("failed to remove ns path: %w", err)
 		}
+		return nil
 	}

-	return nil
+	return fmt.Errorf("failed to remove ns path (timeout after 60s): %w", err)
 }
--- a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
+++ b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
@ -155,6 +155,25 @@ func getMountsMap(path string) (string, string, error) { //nolint
 	return "", "", fmt.Errorf("unable to get host and container dir from path: %s", path)
 }

+// Return true iff the system is in FIPS mode as determined by reading
+// /proc/sys/crypto/fips_enabled.
+func shouldAddFIPSMounts() bool {
+	fips_enabled, err := os.ReadFile("/proc/sys/crypto/fips_enabled")
+	if err != nil {
+		if !errors.Is(err, os.ErrNotExist) {
+			logrus.Errorf("Failed to read /proc/sys/crypto/fips_enabled to determine FIPS state: %v", err)
+		}
+		return false
+	}
+
+	if strings.TrimSpace(string(fips_enabled)) != "1" {
+		logrus.Debug("/proc/sys/crypto/fips_enabled does not contain '1', not adding FIPS mode bind mounts")
+		return false
+	}
+
+	return true
+}
+
 // MountsWithUIDGID copies, adds, and mounts the subscriptions to the container root filesystem
 // mountLabel: MAC/SELinux label for container content
 // containerRunDir: Private data for storing subscriptions on the host mounted in container.
@ -194,22 +213,16 @@ func MountsWithUIDGID(mountLabel, containerRunDir, mountFile, mountPoint string,
 		}
 	}

-	// Only add FIPS subscription mount if disableFips=false
-	if disableFips {
+	// Only add FIPS subscription mount if disableFips is false and
+	// /proc/sys/crypto/fips_enabled contains "1"
+	if disableFips || !shouldAddFIPSMounts() {
 		return subscriptionMounts
 	}
-	// Add FIPS mode subscription if /etc/system-fips exists on the host
-	err := fileutils.Exists("/etc/system-fips")
-	switch {
-	case err == nil:
-		if err := addFIPSModeSubscription(&subscriptionMounts, containerRunDir, mountPoint, mountLabel, uid, gid); err != nil {
-			logrus.Errorf("Adding FIPS mode subscription to container: %v", err)
-		}
-	case errors.Is(err, os.ErrNotExist):
-		logrus.Debug("/etc/system-fips does not exist on host, not mounting FIPS mode subscription")
-	default:
-		logrus.Errorf("stat /etc/system-fips failed for FIPS mode subscription: %v", err)
+
+	if err := addFIPSMounts(&subscriptionMounts, containerRunDir, mountPoint, mountLabel, uid, gid); err != nil {
+		logrus.Errorf("Adding FIPS mode bind mounts to container: %v", err)
 	}
+
 	return subscriptionMounts
 }

@ -306,43 +319,97 @@ func addSubscriptionsFromMountsFile(filePath, mountLabel, containerRunDir string
 	return mounts, nil
 }

-// addFIPSModeSubscription adds mounts to the `mounts` slice that are needed for the container to run openssl in FIPs mode
-// (i.e: be FIPs compliant).
-// It should only be called if /etc/system-fips exists on host.
-// It primarily does two things:
-//   - creates /run/secrets/system-fips in the container root filesystem, and adds it to the `mounts` slice.
-//   - If `/etc/crypto-policies/back-ends` already exists inside of the container, it creates
-//     `/usr/share/crypto-policies/back-ends/FIPS` inside the container as well.
-//     It is done from within the container to ensure to avoid policy incompatibility between the container and host.
-func addFIPSModeSubscription(mounts *[]rspec.Mount, containerRunDir, mountPoint, mountLabel string, uid, gid int) error {
-	subscriptionsDir := "/run/secrets"
-	ctrDirOnHost := filepath.Join(containerRunDir, subscriptionsDir)
-	if err := fileutils.Exists(ctrDirOnHost); errors.Is(err, os.ErrNotExist) {
-		if err = idtools.MkdirAllAs(ctrDirOnHost, 0o755, uid, gid); err != nil { //nolint
-			return err
-		}
-		if err = label.Relabel(ctrDirOnHost, mountLabel, false); err != nil {
-			return fmt.Errorf("applying correct labels on %q: %w", ctrDirOnHost, err)
-		}
+func containerHasEtcSystemFips(subscriptionsDir, mountPoint string) (bool, error) {
+	containerEtc, err := securejoin.SecureJoin(mountPoint, "etc")
+	if err != nil {
+		return false, fmt.Errorf("Container /etc resolution error: %w", err)
 	}
-	fipsFile := filepath.Join(ctrDirOnHost, "system-fips")
-	// In the event of restart, it is possible for the FIPS mode file to already exist
-	if err := fileutils.Exists(fipsFile); errors.Is(err, os.ErrNotExist) {
-		file, err := os.Create(fipsFile)
-		if err != nil {
-			return fmt.Errorf("creating system-fips file in container for FIPS mode: %w", err)
-		}
-		file.Close()
+	if fileutils.Lexists(filepath.Join(containerEtc, "system-fips")) != nil {
+		logrus.Debug("/etc/system-fips does not exist in the container, not creating /run/secrets/system-fips")
+		return false, nil
 	}

-	if !mountExists(*mounts, subscriptionsDir) {
-		m := rspec.Mount{
-			Source:      ctrDirOnHost,
-			Destination: subscriptionsDir,
-			Type:        "bind",
-			Options:     []string{"bind", "rprivate"},
+	fipsFileTarget, err := securejoin.SecureJoin(mountPoint, "etc/system-fips")
+	if err != nil {
+		return false, fmt.Errorf("Container /etc/system-fips resolution error: %w", err)
+	}
+	if fipsFileTarget != filepath.Join(mountPoint, subscriptionsDir, "system-fips") {
+		logrus.Warnf("/etc/system-fips exists in the container, but is not a symlink to %[1]v/system-fips; not creating %[1]v/system-fips", subscriptionsDir)
+		return false, nil
+	}
+
+	return true, nil
+}
+
+// addFIPSMounts adds mounts to the `mounts` slice that are needed
+// for the container to run cryptographic libraries (openssl, gnutls, NSS, ...)
+// in FIPS mode (i.e: be FIPS compliant).
+// It should only be called if /proc/sys/crypto/fips_enabled on the host
+// contains '1'.
+// It does three things:
+//   - creates /run/secrets/system-fips in the container root filesystem if
+//     /etc/system-fips exists and is a symlink to /run/secrets/system-fips,
+//     and adds it to the `mounts` slice. This is, for example, the case on
+//     RHEL 8, but not on newer RHEL, since /etc/system-fips is deprecated.
+//   - Bind-mounts `/usr/share/crypto-policies/back-ends/FIPS` over
+//     `/etc/crypto-policies/back-ends` if the former exists inside of the
+//     container. This is done from within the container to avoid policy
+//     incompatibility between container and host.
+//   - If a bind mount for `/etc/crypto-policies/back-ends` was created,
+//     bind-mounts `/usr/share/crypto-policies/default-fips-config` over
+//     `/etc/crypto-policies/config` if the former exists inside of the
+//     container. If it does not exist, creates a new temporary file containing
+//     "FIPS\n", and bind-mounts that over `/etc/crypto-policies/config`.
+//
+// Starting in CentOS 10 Stream, the crypto-policies package gracefully recognizes the two bind mounts
+//
+//   - /etc/crypto-policies/config -> /usr/share/crypto-policies/default-fips-config
+//   - /etc/crypto-policies/back-ends/FIPS -> /usr/share/crypto-policies/back-ends/FIPS
+//
+// and unmounts them when users manually change the policy, or removes and
+// restores the mounts when the crypto-policies package is upgraded.
+func addFIPSMounts(mounts *[]rspec.Mount, containerRunDir, mountPoint, mountLabel string, uid, gid int) error {
+	// Check whether $container/etc/system-fips exists and is a symlink to /run/secrets/system-fips
+	subscriptionsDir := "/run/secrets"
+
+	createSystemFipsSecret, err := containerHasEtcSystemFips(subscriptionsDir, mountPoint)
+	if err != nil {
+		return err
+	}
+	if createSystemFipsSecret {
+		// This container contains
+		//   /etc/system-fips -> /run/secrets/system-fips
+		// and expects podman to create this file if the container should
+		// be in FIPS mode
+		ctrDirOnHost := filepath.Join(containerRunDir, subscriptionsDir)
+		if err := fileutils.Exists(ctrDirOnHost); errors.Is(err, os.ErrNotExist) {
+			if err = idtools.MkdirAllAs(ctrDirOnHost, 0o755, uid, gid); err != nil { //nolint
+				return err
+			}
+			if err = label.Relabel(ctrDirOnHost, mountLabel, false); err != nil {
+				return fmt.Errorf("applying correct labels on %q: %w", ctrDirOnHost, err)
+			}
+		}
+		fipsFile := filepath.Join(ctrDirOnHost, "system-fips")
+
+		// In the event of restart, it is possible for the FIPS mode file to already exist
+		if err := fileutils.Exists(fipsFile); errors.Is(err, os.ErrNotExist) {
+			file, err := os.Create(fipsFile)
+			if err != nil {
+				return fmt.Errorf("creating system-fips file in container for FIPS mode: %w", err)
+			}
+			file.Close()
+		}
+
+		if !mountExists(*mounts, subscriptionsDir) {
+			m := rspec.Mount{
+				Source:      ctrDirOnHost,
+				Destination: subscriptionsDir,
+				Type:        "bind",
+				Options:     []string{"bind", "rprivate"},
+			}
+			*mounts = append(*mounts, m)
 		}
-		*mounts = append(*mounts, m)
 	}

 	srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS"
@ -370,27 +437,44 @@ func addFIPSModeSubscription(mounts *[]rspec.Mount, containerRunDir, mountPoint,

 	// Make sure we set the config to FIPS so that the container does not overwrite
 	// /etc/crypto-policies/back-ends when crypto-policies-scripts is reinstalled.
-	cryptoPoliciesConfigFile := filepath.Join(containerRunDir, "fips-config")
-	file, err := os.Create(cryptoPoliciesConfigFile)
+	//
+	// Starting in CentOS 10 Stream, crypto-policies provides
+	// /usr/share/crypto-policies/default-fips-config as bind mount source
+	// file and the crypto-policies tooling gracefully deals with the two bind-mounts
+	//   /etc/crypto-policies/back-ends -> /usr/share/crypto-policies/back-ends/FIPS
+	//   /etc/crypto-policies/config -> /usr/share/crypto-policies/default-fips-config
+	// if they both exist.
+	srcPolicyConfig := "/usr/share/crypto-policies/default-fips-config"
+	destPolicyConfig := "/etc/crypto-policies/config"
+	srcPolicyConfigOnHost, err := securejoin.SecureJoin(mountPoint, srcPolicyConfig)
 	if err != nil {
-		return fmt.Errorf("creating fips config file in container for FIPS mode: %w", err)
-	}
-	defer file.Close()
-	if _, err := file.WriteString("FIPS\n"); err != nil {
-		return fmt.Errorf("writing fips config file in container for FIPS mode: %w", err)
-	}
-	if err = label.Relabel(cryptoPoliciesConfigFile, mountLabel, false); err != nil {
-		return fmt.Errorf("applying correct labels on fips-config file: %w", err)
-	}
-	if err := file.Chown(uid, gid); err != nil {
-		return fmt.Errorf("chown fips-config file: %w", err)
+		return fmt.Errorf("Could not expand %q in container: %w", srcPolicyConfig, err)
 	}

-	policyConfig := "/etc/crypto-policies/config"
-	if !mountExists(*mounts, policyConfig) {
+	if err = fileutils.Exists(srcPolicyConfigOnHost); err != nil {
+		if !errors.Is(err, os.ErrNotExist) {
+			return fmt.Errorf("Could not check whether %q exists in container: %w", srcPolicyConfig, err)
+		}
+
+		// /usr/share/crypto-policies/default-fips-config does not exist, let's create it ourselves
+		cryptoPoliciesConfigFile := filepath.Join(containerRunDir, "fips-config")
+		if err := os.WriteFile(cryptoPoliciesConfigFile, []byte("FIPS\n"), 0o644); err != nil {
+			return fmt.Errorf("Failed to write fips config file in container for FIPS mode: %w", err)
+		}
+		if err = label.Relabel(cryptoPoliciesConfigFile, mountLabel, false); err != nil {
+			return fmt.Errorf("Failed to apply correct labels on fips config file: %w", err)
+		}
+		if err := os.Chown(cryptoPoliciesConfigFile, uid, gid); err != nil {
+			return fmt.Errorf("Failed to chown fips config file: %w", err)
+		}
+
+		srcPolicyConfigOnHost = cryptoPoliciesConfigFile
+	}
+
+	if !mountExists(*mounts, destPolicyConfig) {
 		m := rspec.Mount{
-			Source:      cryptoPoliciesConfigFile,
-			Destination: policyConfig,
+			Source:      srcPolicyConfigOnHost,
+			Destination: destPolicyConfig,
 			Type:        "bind",
 			Options:     []string{"bind", "rprivate"},
 		}
--- a/vendor/github.com/containers/common/version/version.go
+++ b/vendor/github.com/containers/common/version/version.go
@ -1,4 +1,4 @@
 package version

 // Version is the version of the build.
-const Version = "0.61.0-dev"
+const Version = "0.61.0"
--- a/vendor/github.com/containers/image/v5/version/version.go
+++ b/vendor/github.com/containers/image/v5/version/version.go
@ -11,7 +11,7 @@ const (
 	VersionPatch = 0

 	// VersionDev indicates development branch. Releases will be empty string.
-	VersionDev = "-dev"
+	VersionDev = ""
 )

 // Version is the specification version that the package types support.
--- a/vendor/github.com/containers/storage/VERSION
+++ b/vendor/github.com/containers/storage/VERSION
@ -1 +1 @@
-1.56.0-dev
+1.56.0
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@ -143,8 +143,8 @@ github.com/containernetworking/cni/pkg/version
 # github.com/containernetworking/plugins v1.5.1
 ## explicit; go 1.20
 github.com/containernetworking/plugins/pkg/ns
-# github.com/containers/buildah v1.37.1-0.20241104213057-0dc5f958934a
-## explicit; go 1.22.0
+# github.com/containers/buildah v1.38.0
+## explicit; go 1.22.6
 github.com/containers/buildah
 github.com/containers/buildah/bind
 github.com/containers/buildah/chroot
@ -174,7 +174,7 @@ github.com/containers/buildah/pkg/sshagent
 github.com/containers/buildah/pkg/util
 github.com/containers/buildah/pkg/volumes
 github.com/containers/buildah/util
-# github.com/containers/common v0.60.1-0.20241106101802-8130e31c0832
+# github.com/containers/common v0.61.0
 ## explicit; go 1.22.6
 github.com/containers/common/internal
 github.com/containers/common/internal/attributedstring
@ -247,7 +247,7 @@ github.com/containers/conmon/runner/config
 # github.com/containers/gvisor-tap-vsock v0.8.0
 ## explicit; go 1.22.0
 github.com/containers/gvisor-tap-vsock/pkg/types
-# github.com/containers/image/v5 v5.32.3-0.20241105183637-59417aed3db1
+# github.com/containers/image/v5 v5.33.0
 ## explicit; go 1.22.6
 github.com/containers/image/v5/copy
 github.com/containers/image/v5/directory
@ -320,8 +320,8 @@ github.com/containers/image/v5/transports
 github.com/containers/image/v5/transports/alltransports
 github.com/containers/image/v5/types
 github.com/containers/image/v5/version
-# github.com/containers/libhvee v0.7.1
-## explicit; go 1.18
+# github.com/containers/libhvee v0.9.0
+## explicit; go 1.22.0
 github.com/containers/libhvee/pkg/hypervctl
 github.com/containers/libhvee/pkg/kvp/ginsu
 github.com/containers/libhvee/pkg/wmiext
@ -358,7 +358,7 @@ github.com/containers/psgo/internal/dev
 github.com/containers/psgo/internal/host
 github.com/containers/psgo/internal/proc
 github.com/containers/psgo/internal/process
-# github.com/containers/storage v1.55.2-0.20241104201357-ad5f2a48e9e9
+# github.com/containers/storage v1.56.0
 ## explicit; go 1.22.0
 github.com/containers/storage
 github.com/containers/storage/drivers
@ -423,8 +423,8 @@ github.com/coreos/go-systemd/v22/dbus
 github.com/coreos/go-systemd/v22/internal/dlopen
 github.com/coreos/go-systemd/v22/journal
 github.com/coreos/go-systemd/v22/sdjournal
-# github.com/crc-org/crc/v2 v2.38.0
-## explicit; go 1.21
+# github.com/crc-org/crc/v2 v2.43.0
+## explicit; go 1.22.0
 github.com/crc-org/crc/v2/pkg/crc/logging
 github.com/crc-org/crc/v2/pkg/os
 # github.com/crc-org/vfkit v0.5.1
@ -801,7 +801,7 @@ github.com/mistifyio/go-zfs/v3
 # github.com/mitchellh/mapstructure v1.5.0
 ## explicit; go 1.14
 github.com/mitchellh/mapstructure
-# github.com/moby/buildkit v0.17.0
+# github.com/moby/buildkit v0.17.1
 ## explicit; go 1.22.0
 github.com/moby/buildkit/frontend/dockerfile/command
 github.com/moby/buildkit/frontend/dockerfile/parser