Merge branch 'main' into explicit-decrypt

.cirrus.yml

@@ -83,9 +83,9 @@ meta_task:
         GCPJSON: ENCRYPTED[d3614d6f5cc0e66be89d4252b3365fd84f14eee0259d4eb47e25fc0bc2842c7937f5ee8c882b7e547b4c5ec4b6733b14]
         GCPNAME: ENCRYPTED[8509e6a681b859479ce6aa275bd3c4ac82de5beec6df6057925afc4cd85b7ef2e879066ae8baaa2d453b82958e434578]
         GCPPROJECT: ENCRYPTED[cc09b62d0ec6746a3df685e663ad25d9d5af95ef5fd843c96f3d0ec9d7f065dc63216b9c685c9f43a776a1d403991494]
-        CIRRUS_CLONE_DEPTH: 1  # source not used
 
-    script: '/usr/local/bin/entrypoint.sh |& ${_TIMESTAMP}'
+    clone_script: 'true'
+    script: '/usr/local/bin/entrypoint.sh'
 
 
 smoke_task:
@@ -192,7 +192,7 @@ conformance_task:
     gce_instance:
         image_name: "${DEBIAN_CACHE_IMAGE_NAME}"
 
-    timeout_in: 25m
+    timeout_in: 65m
 
     matrix:
         - env:

.github/workflows/pr.yml

@@ -10,7 +10,7 @@ jobs:
     steps:
       - name: get pr commits
         id: 'get-pr-commits'
-        uses: tim-actions/get-pr-commits@c64db31d359214d244884dd68f971a110b29ab83 # v1.2.0
+        uses: tim-actions/get-pr-commits@3efc1387ead42029a0d488ab98f24b7452dc3cde # v1.3.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
 

Makefile

@@ -167,7 +167,7 @@ install.runc:
 
 .PHONY: test-conformance
 test-conformance:
-	$(GO_TEST) -v -tags "$(STORAGETAGS) $(SECURITYTAGS)" -cover -timeout 20m ./tests/conformance
+	$(GO_TEST) -v -tags "$(STORAGETAGS) $(SECURITYTAGS)" -cover -timeout 60m ./tests/conformance
 
 .PHONY: test-integration
 test-integration: install.tools

chroot/run_common.go

@@ -501,6 +501,10 @@ func runUsingChroot(spec *specs.Spec, bundlePath string, ctty *os.File, stdin io
 	// Apologize for the namespace configuration that we're about to ignore.
 	logNamespaceDiagnostics(spec)
 
+	// We need to lock the thread so that PR_SET_PDEATHSIG won't trigger if the current thread exits.
+	runtime.LockOSThread()
+	defer runtime.UnlockOSThread()
+
 	// Start the parent subprocess.
 	cmd := unshare.Command(append([]string{runUsingChrootExecCommand}, spec.Process.Args...)...)
 	setPdeathsig(cmd.Cmd)

cmd/buildah/manifest.go

@@ -210,7 +210,7 @@ func init() {
 			return manifestPushCmd(cmd, args, manifestPushOpts)
 		},
 		Example: `buildah manifest push mylist:v1.11 transport:imageName`,
-		Args:    cobra.MinimumNArgs(2),
+		Args:    cobra.MinimumNArgs(1),
 	}
 	manifestPushCommand.SetUsageTemplate(UsageTemplate())
 	flags = manifestPushCommand.Flags()
@@ -830,20 +830,20 @@ func manifestPushCmd(c *cobra.Command, args []string, opts pushOptions) error {
 	case 0:
 		return errors.New("At least a source list ID must be specified")
 	case 1:
-		return errors.New("Two arguments are necessary to push: source and destination")
+		listImageSpec = args[0]
+		destSpec = "docker://"+listImageSpec
 	case 2:
 		listImageSpec = args[0]
 		destSpec = args[1]
-		if listImageSpec == "" {
-			return fmt.Errorf(`invalid image name "%s"`, listImageSpec)
-		}
-		if destSpec == "" {
-			return fmt.Errorf(`invalid image name "%s"`, destSpec)
-		}
 	default:
 		return errors.New("Only two arguments are necessary to push: source and destination")
 	}
-
+	if listImageSpec == "" {
+		return fmt.Errorf(`invalid image name "%s"`, listImageSpec)
+	}
+	if destSpec == "" {
+		return fmt.Errorf(`invalid image name "%s"`, destSpec)
+	}
 	store, err := getStore(c)
 	if err != nil {
 		return err

contrib/cirrus/build.sh

@@ -15,27 +15,6 @@ if [[ "$IN_PODMAN" == "true" ]]
 then
     in_podman --rm $IN_PODMAN_NAME $0
 else
-    # Nightly dependency-bump job: fetch latest versions of the
-    # Big Three dependencies, and run full CI test suite. Notification
-    # email will go out to monitor-list upon failure.
-    if [[ "$CIRRUS_CRON" = "treadmill" ]]; then
-        for pkg in common image/v5 storage; do
-            echo "go mod edit --require containers/$pkg@main"
-            go mod edit --require github.com/containers/$pkg@main
-            make vendor
-        done
-        git add vendor
-        # Show what changed.
-        echo "git diff go.mod, then git diff --stat:"
-        git diff go.mod
-        git diff --stat
-        env GIT_AUTHOR_NAME='No B. Dee'               \
-            GIT_AUTHOR_EMAIL='[email protected]'     \
-            GIT_COMMITTER_NAME='No B. Dee'            \
-            GIT_COMMITTER_EMAIL='[email protected]'  \
-            git commit -asm"Bump containers/common,image,storage"
-    fi
-
     echo "Compiling buildah (\$GOSRC=$GOSRC)"
     showrun make clean all
 

demos/README.md

@@ -35,7 +35,7 @@ $ sudo buildah login quay.io
 $ buildah login quay.io
 ```
 
-There are several variables you will want to set that are listed at the top of the script. The name for the container image, your quay.io username, your name, and the Fedora release number:
+There are several variables you will want to set that are listed at the top of the script. The name for the container image, your Quay.io username, your name, and the Fedora release number:
 
     demoimg=myshdemo
     quayuser=UserNameHere
@@ -49,11 +49,11 @@ filename: [`docker-compatibility-demo.sh`](docker-compatibility-demo.sh)
 
 This demo builds an nginx container image using Buildah. It modifies the homepage and commits the image. The container is tested using `podman run` and then stopped. The Docker daemon is then started and the image is pushed to the Docker repository. The container is started using `docker run` and tested.
 
-There are several variables you will want to set that are listed at the top of the script. The name for the container image, your quay.io username, your name, and the Fedora release number:
+There are several variables you will want to set that are listed at the top of the script. The name for the container image, your Quay.io username, your name, and the Fedora release number:
 
     demoimg=dockercompatibilitydemo
     quayuser=UsernameHere
-    myname=YourNameHear
+    myname=YourNameHere
     distro=fedora
     distrorelease=30
     pkgmgr=dnf   # switch to yum if using yum
@@ -64,11 +64,11 @@ filename: [`docker-bud-demo.sh`](buildah-bud-demo.sh)
 
 This demo builds an nginx container image using Buildah with. Buildah's `buildah-using-docker`, or `bud` option, provides a mechanism for using existing Dockerfiles to build the container image. This image is the same as the image in the Docker compatibility demo (at time of creating this README). The container is tested using `podman run` and then stopped. The Docker daemon is then started and the image is pushed to the Docker repository. The container is started using `docker run` and tested.
 
-There are several variables you will want to set that are listed at the top of the script. The name for the container image, your quay.io username, your name, and the Fedora release number:
+There are several variables you will want to set that are listed at the top of the script. The name for the container image, your Quay.io username, your name, and the Fedora release number:
 
     demoimg=buildahbuddemo
     quayuser=UsernameHere
-    myname=YourNameHear
+    myname=YourNameHere
     distro=fedora
     distrorelease=30
     pkgmgr=dnf   # switch to yum if using yum

docs/buildah-build.1.md

@@ -608,7 +608,7 @@ process.
 
 Set the OS/ARCH of the built image (and its base image, if your build uses one)
 to the provided value instead of using the current operating system and
-architecture of the host (for example `linux/arm`).
+architecture of the host (for example `linux/arm`, `linux/arm64`, `linux/amd64`).
 
 The `--platform` flag can be specified more than once, or given a
 comma-separated list of values as its argument.  When more than one platform is

go.mod

@@ -3,55 +3,55 @@ module github.com/containers/buildah
 go 1.18
 
 require (
-	github.com/containerd/containerd v1.7.0
+	github.com/containerd/containerd v1.7.1
 	github.com/containernetworking/cni v1.1.2
-	github.com/containers/common v0.52.0
-	github.com/containers/image/v5 v5.25.0
+	github.com/containers/common v0.53.1-0.20230516065732-82045748b3e3
+	github.com/containers/image/v5 v5.25.1-0.20230511204805-94ab8dee62ea
 	github.com/containers/ocicrypt v1.1.7
-	github.com/containers/storage v1.46.1
+	github.com/containers/storage v1.46.2-0.20230508110141-51c23d59f8f3
 	github.com/cyphar/filepath-securejoin v0.2.3
-	github.com/docker/distribution v2.8.1+incompatible
-	github.com/docker/docker v23.0.3+incompatible
+	github.com/docker/distribution v2.8.2+incompatible
+	github.com/docker/docker v23.0.6+incompatible
 	github.com/docker/go-units v0.5.0
 	github.com/fsouza/go-dockerclient v1.9.7
 	github.com/ghodss/yaml v1.0.0
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/mattn/go-shellwords v1.0.12
 	github.com/onsi/ginkgo v1.16.5
-	github.com/onsi/gomega v1.27.6
+	github.com/onsi/gomega v1.27.7
 	github.com/opencontainers/go-digest v1.0.0
-	github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b
-	github.com/opencontainers/runc v1.1.6
+	github.com/opencontainers/image-spec v1.1.0-rc3
+	github.com/opencontainers/runc v1.1.7
 	github.com/opencontainers/runtime-spec v1.1.0-rc.2
 	github.com/opencontainers/runtime-tools v0.9.1-0.20230317050512-e931285f4b69
 	github.com/opencontainers/selinux v1.11.0
-	github.com/openshift/imagebuilder v1.2.4-0.20230309135844-a3c3f8358ca3
+	github.com/openshift/imagebuilder v1.2.5
 	github.com/seccomp/libseccomp-golang v0.10.0
-	github.com/sirupsen/logrus v1.9.0
+	github.com/sirupsen/logrus v1.9.2
 	github.com/spf13/cobra v1.7.0
 	github.com/spf13/pflag v1.0.5
-	github.com/stretchr/testify v1.8.2
+	github.com/stretchr/testify v1.8.3
 	github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635
 	go.etcd.io/bbolt v1.3.7
-	golang.org/x/crypto v0.8.0
-	golang.org/x/sync v0.1.0
-	golang.org/x/sys v0.7.0
-	golang.org/x/term v0.7.0
+	golang.org/x/crypto v0.9.0
+	golang.org/x/sync v0.2.0
+	golang.org/x/sys v0.8.0
+	golang.org/x/term v0.8.0
 )
 
 require (
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
 	github.com/BurntSushi/toml v1.2.1 // indirect
-	github.com/Microsoft/go-winio v0.6.0 // indirect
-	github.com/Microsoft/hcsshim v0.10.0-rc.7 // indirect
+	github.com/Microsoft/go-winio v0.6.1 // indirect
+	github.com/Microsoft/hcsshim v0.10.0-rc.8 // indirect
 	github.com/VividCortex/ewma v1.2.0 // indirect
 	github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 	github.com/chzyer/readline v1.5.1 // indirect
 	github.com/container-orchestrated-devices/container-device-interface v0.5.4 // indirect
 	github.com/containerd/cgroups v1.1.0 // indirect
 	github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
-	github.com/containernetworking/plugins v1.2.0 // indirect
+	github.com/containernetworking/plugins v1.3.0 // indirect
 	github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 // indirect
 	github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
@@ -64,16 +64,16 @@ require (
 	github.com/go-openapi/jsonpointer v0.19.5 // indirect
 	github.com/go-openapi/jsonreference v0.20.0 // indirect
 	github.com/go-openapi/loads v0.21.2 // indirect
-	github.com/go-openapi/runtime v0.25.0 // indirect
-	github.com/go-openapi/spec v0.20.8 // indirect
+	github.com/go-openapi/runtime v0.26.0 // indirect
+	github.com/go-openapi/spec v0.20.9 // indirect
 	github.com/go-openapi/strfmt v0.21.7 // indirect
 	github.com/go-openapi/swag v0.22.3 // indirect
 	github.com/go-openapi/validate v0.22.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/go-cmp v0.5.9 // indirect
-	github.com/google/go-containerregistry v0.13.0 // indirect
+	github.com/google/go-containerregistry v0.14.0 // indirect
 	github.com/google/go-intervals v0.0.2 // indirect
 	github.com/google/uuid v1.3.0 // indirect
 	github.com/gorilla/mux v1.8.0 // indirect
@@ -83,8 +83,8 @@ require (
 	github.com/jinzhu/copier v0.3.5 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/klauspost/compress v1.16.4 // indirect
-	github.com/klauspost/pgzip v1.2.6-0.20220930104621-17e8dac29df8 // indirect
+	github.com/klauspost/compress v1.16.5 // indirect
+	github.com/klauspost/pgzip v1.2.6 // indirect
 	github.com/letsencrypt/boulder v0.0.0-20230213213521-fdfea0d469b6 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/manifoldco/promptui v0.9.0 // indirect
@@ -106,28 +106,28 @@ require (
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/proglottis/gpgme v0.1.3 // indirect
 	github.com/rivo/uniseg v0.4.4 // indirect
-	github.com/sigstore/fulcio v1.2.0 // indirect
-	github.com/sigstore/rekor v1.1.0 // indirect
-	github.com/sigstore/sigstore v1.6.0 // indirect
+	github.com/sigstore/fulcio v1.3.1 // indirect
+	github.com/sigstore/rekor v1.1.1 // indirect
+	github.com/sigstore/sigstore v1.6.4 // indirect
 	github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980 // indirect
-	github.com/sylabs/sif/v2 v2.11.1 // indirect
+	github.com/sylabs/sif/v2 v2.11.3 // indirect
 	github.com/tchap/go-patricia/v2 v2.3.1 // indirect
 	github.com/theupdateframework/go-tuf v0.5.2 // indirect
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
 	github.com/ulikunitz/xz v0.5.11 // indirect
 	github.com/vbatts/tar-split v0.11.3 // indirect
-	github.com/vbauerster/mpb/v8 v8.3.0 // indirect
+	github.com/vbauerster/mpb/v8 v8.4.0 // indirect
 	github.com/vishvananda/netlink v1.2.1-beta.2 // indirect
-	github.com/vishvananda/netns v0.0.0-20210104183010-2eb08e3e575f // indirect
+	github.com/vishvananda/netns v0.0.4 // indirect
 	go.mongodb.org/mongo-driver v1.11.3 // indirect
 	go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 // indirect
 	go.opencensus.io v0.24.0 // indirect
-	golang.org/x/exp v0.0.0-20230321023759-10a507213a29 // indirect
-	golang.org/x/mod v0.9.0 // indirect
-	golang.org/x/net v0.9.0 // indirect
+	golang.org/x/exp v0.0.0-20230425010034-47ecfdc1ba53 // indirect
+	golang.org/x/mod v0.10.0 // indirect
+	golang.org/x/net v0.10.0 // indirect
 	golang.org/x/text v0.9.0 // indirect
-	golang.org/x/tools v0.7.0 // indirect
-	google.golang.org/genproto v0.0.0-20230306155012-7f2fa6fef1f4 // indirect
+	golang.org/x/tools v0.9.1 // indirect
+	google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
 	google.golang.org/grpc v1.54.0 // indirect
 	google.golang.org/protobuf v1.30.0 // indirect
 	gopkg.in/go-jose/go-jose.v2 v2.6.1 // indirect
@@ -138,5 +138,3 @@ require (
 	k8s.io/klog v1.0.0 // indirect
 	sigs.k8s.io/yaml v1.3.0 // indirect
 )
-
-replace github.com/opencontainers/image-spec => github.com/opencontainers/image-spec v1.0.2-0.20211123152302-43a7dee1ec31