vendor latest c/{buildah,common,image,storage}

Signed-off-by: Paul Holzinger <pholzing@redhat.com>

vendor/github.com/containers/storage/drivers/overlay/composefs.go

@@ -12,6 +12,7 @@ import (
 	"path/filepath"
 	"strings"
 	"sync"
+	"sync/atomic"
 
 	"github.com/containers/storage/pkg/chunked/dump"
 	"github.com/containers/storage/pkg/fsverity"
@@ -24,6 +25,10 @@ var (
 	composeFsHelperOnce sync.Once
 	composeFsHelperPath string
 	composeFsHelperErr  error
+
+	// skipMountViaFile is used to avoid trying to mount EROFS directly via the file if we already know the current kernel
+	// does not support it.  Mounting directly via a file will be supported in kernel 6.12.
+	skipMountViaFile atomic.Bool
 )
 
 func getComposeFsHelper() (string, error) {
@@ -136,17 +141,15 @@ func hasACL(path string) (bool, error) {
 	return binary.LittleEndian.Uint32(flags)&LCFS_EROFS_FLAGS_HAS_ACL != 0, nil
 }
 
-func openComposefsMount(dataDir string) (int, error) {
-	blobFile := getComposefsBlob(dataDir)
-	loop, err := loopback.AttachLoopDeviceRO(blobFile)
-	if err != nil {
-		return -1, err
-	}
-	defer loop.Close()
+func openBlobFile(blobFile string, hasACL, useLoopDevice bool) (int, error) {
+	if useLoopDevice {
+		loop, err := loopback.AttachLoopDeviceRO(blobFile)
+		if err != nil {
+			return -1, err
+		}
+		defer loop.Close()
 
-	hasACL, err := hasACL(blobFile)
-	if err != nil {
-		return -1, err
+		blobFile = loop.Name()
 	}
 
 	fsfd, err := unix.Fsopen("erofs", 0)
@@ -155,7 +158,7 @@ func openComposefsMount(dataDir string) (int, error) {
 	}
 	defer unix.Close(fsfd)
 
-	if err := unix.FsconfigSetString(fsfd, "source", loop.Name()); err != nil {
+	if err := unix.FsconfigSetString(fsfd, "source", blobFile); err != nil {
 		return -1, fmt.Errorf("failed to set source for erofs filesystem: %w", err)
 	}
 
@@ -172,7 +175,7 @@ func openComposefsMount(dataDir string) (int, error) {
 	if err := unix.FsconfigCreate(fsfd); err != nil {
 		buffer := make([]byte, 4096)
 		if n, _ := unix.Read(fsfd, buffer); n > 0 {
-			return -1, fmt.Errorf("failed to create erofs filesystem: %s: %w", string(buffer[:n]), err)
+			return -1, fmt.Errorf("failed to create erofs filesystem: %s: %w", strings.TrimSuffix(string(buffer[:n]), "\n"), err)
 		}
 		return -1, fmt.Errorf("failed to create erofs filesystem: %w", err)
 	}
@@ -188,6 +191,26 @@ func openComposefsMount(dataDir string) (int, error) {
 	return mfd, nil
 }
 
+func openComposefsMount(dataDir string) (int, error) {
+	blobFile := getComposefsBlob(dataDir)
+
+	hasACL, err := hasACL(blobFile)
+	if err != nil {
+		return -1, err
+	}
+
+	if !skipMountViaFile.Load() {
+		fd, err := openBlobFile(blobFile, hasACL, false)
+		if err == nil || !errors.Is(err, unix.ENOTBLK) {
+			return fd, err
+		}
+		logrus.Debugf("The current kernel doesn't support mounting EROFS directly from a file, fallback to a loopback device")
+		skipMountViaFile.Store(true)
+	}
+
+	return openBlobFile(blobFile, hasACL, true)
+}
+
 func mountComposefsBlob(dataDir, mountPoint string) error {
 	mfd, err := openComposefsMount(dataDir)
 	if err != nil {
@@ -196,7 +219,7 @@ func mountComposefsBlob(dataDir, mountPoint string) error {
 	defer unix.Close(mfd)
 
 	if err := unix.MoveMount(mfd, "", unix.AT_FDCWD, mountPoint, unix.MOVE_MOUNT_F_EMPTY_PATH); err != nil {
-		return fmt.Errorf("failed to move mount: %w", err)
+		return fmt.Errorf("failed to move mount to %q: %w", mountPoint, err)
 	}
 	return nil
 }

vendor/github.com/containers/storage/drivers/overlay/overlay.go

@@ -589,7 +589,7 @@ func parseOptions(options []string) (*overlayOptions, error) {
 			m := os.FileMode(mask)
 			o.forceMask = &m
 		default:
-			return nil, fmt.Errorf("overlay: Unknown option %s", key)
+			return nil, fmt.Errorf("overlay: unknown option %s", key)
 		}
 	}
 	return o, nil
@@ -1579,7 +1579,6 @@ func (d *Driver) get(id string, disableShifting bool, options graphdriver.MountO
 	}()
 
 	composeFsLayers := []string{}
-	composeFsLayersDir := filepath.Join(dir, "composefs-layers")
 	maybeAddComposefsMount := func(lowerID string, i int, readWrite bool) (string, error) {
 		composefsBlob := d.getComposefsData(lowerID)
 		if err := fileutils.Exists(composefsBlob); err != nil {
@@ -1594,7 +1593,7 @@ func (d *Driver) get(id string, disableShifting bool, options graphdriver.MountO
 			return "", fmt.Errorf("cannot mount a composefs layer as writeable")
 		}
 
-		dest := filepath.Join(composeFsLayersDir, strconv.Itoa(i))
+		dest := d.getStorePrivateDirectory(id, dir, fmt.Sprintf("composefs-layers/%d", i), inAdditionalStore)
 		if err := os.MkdirAll(dest, 0o700); err != nil {
 			return "", err
 		}
@@ -1878,6 +1877,16 @@ func (d *Driver) get(id string, disableShifting bool, options graphdriver.MountO
 	return mergedDir, nil
 }
 
+// getStorePrivateDirectory returns a directory path for storing data that requires exclusive access.
+// If 'inAdditionalStore' is true, the path will be under the rundir, otherwise it will be placed in
+// the primary store.
+func (d *Driver) getStorePrivateDirectory(id, layerDir, subdir string, inAdditionalStore bool) string {
+	if inAdditionalStore {
+		return path.Join(d.runhome, id, subdir)
+	}
+	return path.Join(layerDir, subdir)
+}
+
 // getMergedDir returns the directory path that should be used as the mount point for the overlayfs.
 func (d *Driver) getMergedDir(id, dir string, inAdditionalStore bool) string {
 	// Ordinarily, .Get() (layer mounting) callers are supposed to guarantee exclusion.
@@ -1897,10 +1906,7 @@ func (d *Driver) getMergedDir(id, dir string, inAdditionalStore bool) string {
 	// TO DO: LOCKING BUG: the .DiffSize operation does not currently hold an exclusive lock on the primary store.
 	// (_Some_ of the callers might be better ported to use a metadata-only size computation instead of DiffSize,
 	// but DiffSize probably needs to remain for computing sizes of container’s RW layers.)
-	if inAdditionalStore {
-		return path.Join(d.runhome, id, "merged")
-	}
-	return path.Join(dir, "merged")
+	return d.getStorePrivateDirectory(id, dir, "merged", inAdditionalStore)
 }
 
 // Put unmounts the mount path created for the give id.