short-name aliasing

Add support for short-name aliasing.

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>

23 files changed, 376 insertions, 301 deletions

diff --git a/vendor/github.com/containers/buildah/Makefile b/vendor/github.com/containers/buildah/Makefile
index 7b2cfcf81..e70dd161d 100644
--- a/vendor/github.com/containers/buildah/Makefile
+++ b/vendor/github.com/containers/buildah/Makefile
@@ -34,7 +34,7 @@ RUNC_COMMIT := v1.0.0-rc8
 LIBSECCOMP_COMMIT := release-2.3
 
 EXTRA_LDFLAGS ?=
-LDFLAGS := -ldflags '-X main.GitCommit=$(GIT_COMMIT) -X main.buildInfo=$(SOURCE_DATE_EPOCH) -X main.cniVersion=$(CNI_COMMIT) $(EXTRA_LDFLAGS)'
+BUILDAH_LDFLAGS := -ldflags '-X main.GitCommit=$(GIT_COMMIT) -X main.buildInfo=$(SOURCE_DATE_EPOCH) -X main.cniVersion=$(CNI_COMMIT) $(EXTRA_LDFLAGS)'
 SOURCES=*.go imagebuildah/*.go bind/*.go chroot/*.go cmd/buildah/*.go copier/*.go docker/*.go pkg/blobcache/*.go pkg/cli/*.go pkg/parse/*.go util/*.go
 
 LINTFLAGS ?=
@@ -56,7 +56,7 @@ static:
 
 .PHONY: bin/buildah
 bin/buildah:  $(SOURCES)
-	$(GO_BUILD) $(LDFLAGS) -o $@ $(BUILDFLAGS) ./cmd/buildah
+	$(GO_BUILD) $(BUILDAH_LDFLAGS) -o $@ $(BUILDFLAGS) ./cmd/buildah
 
 .PHONY: buildah
 buildah: bin/buildah
@@ -67,11 +67,11 @@ cross: bin/buildah.darwin.amd64 bin/buildah.linux.386 bin/buildah.linux.amd64 bi
 .PHONY: bin/buildah.%
 bin/buildah.%:
 	mkdir -p ./bin
-	GOOS=$(word 2,$(subst ., ,$@)) GOARCH=$(word 3,$(subst ., ,$@)) $(GO_BUILD) $(LDFLAGS) -o $@ -tags "containers_image_openpgp" ./cmd/buildah
+	GOOS=$(word 2,$(subst ., ,$@)) GOARCH=$(word 3,$(subst ., ,$@)) $(GO_BUILD) $(BUILDAH_LDFLAGS) -o $@ -tags "containers_image_openpgp" ./cmd/buildah
 
 .PHONY: bin/imgtype
 bin/imgtype: *.go docker/*.go util/*.go tests/imgtype/imgtype.go
-	$(GO_BUILD) $(LDFLAGS) -o $@ $(BUILDFLAGS) ./tests/imgtype/imgtype.go
+	$(GO_BUILD) $(BUILDAH_LDFLAGS) -o $@ $(BUILDFLAGS) ./tests/imgtype/imgtype.go
 
 .PHONY: clean
 clean:
diff --git a/vendor/github.com/containers/buildah/add.go b/vendor/github.com/containers/buildah/add.go
index 80ee0d912..6cfd6a09f 100644
--- a/vendor/github.com/containers/buildah/add.go
+++ b/vendor/github.com/containers/buildah/add.go
@@ -71,7 +71,7 @@ func sourceIsRemote(source string) bool {
 }
 
 // getURL writes a tar archive containing the named content
-func getURL(src, mountpoint, renameTarget string, writer io.Writer) error {
+func getURL(src string, chown *idtools.IDPair, mountpoint, renameTarget string, writer io.Writer) error {
 	url, err := url.Parse(src)
 	if err != nil {
 		return err
@@ -122,10 +122,18 @@ func getURL(src, mountpoint, renameTarget string, writer io.Writer) error {
 	// Write the output archive.  Set permissions for compatibility.
 	tw := tar.NewWriter(writer)
 	defer tw.Close()
+	uid := 0
+	gid := 0
+	if chown != nil {
+		uid = chown.UID
+		gid = chown.GID
+	}
 	hdr := tar.Header{
 		Typeflag: tar.TypeReg,
 		Name:     name,
 		Size:     size,
+		Uid:      uid,
+		Gid:      gid,
 		Mode:     0600,
 		ModTime:  date,
 	}
@@ -323,7 +331,7 @@ func (b *Builder) Add(destination string, extract bool, options AddAndCopyOption
 			pipeReader, pipeWriter := io.Pipe()
 			wg.Add(1)
 			go func() {
-				getErr = getURL(src, mountPoint, renameTarget, pipeWriter)
+				getErr = getURL(src, chownFiles, mountPoint, renameTarget, pipeWriter)
 				pipeWriter.Close()
 				wg.Done()
 			}()
@@ -341,9 +349,9 @@ func (b *Builder) Add(destination string, extract bool, options AddAndCopyOption
 					putOptions := copier.PutOptions{
 						UIDMap:     destUIDMap,
 						GIDMap:     destGIDMap,
-						ChownDirs:  chownDirs,
+						ChownDirs:  nil,
 						ChmodDirs:  nil,
-						ChownFiles: chownFiles,
+						ChownFiles: nil,
 						ChmodFiles: nil,
 					}
 					putErr = copier.Put(mountPoint, extractDirectory, putOptions, io.TeeReader(pipeReader, hasher))
diff --git a/vendor/github.com/containers/buildah/btrfs_installed_tag.sh b/vendor/github.com/containers/buildah/btrfs_installed_tag.sh
index c4d99f377..f2f2b33c8 100644
--- a/vendor/github.com/containers/buildah/btrfs_installed_tag.sh
+++ b/vendor/github.com/containers/buildah/btrfs_installed_tag.sh
@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-cc -E - > /dev/null 2> /dev/null << EOF
+${CPP:-${CC:-cc} -E} ${CPPFLAGS} - > /dev/null 2> /dev/null << EOF
 #include <btrfs/ioctl.h>
 EOF
 if test $? -ne 0 ; then
diff --git a/vendor/github.com/containers/buildah/btrfs_tag.sh b/vendor/github.com/containers/buildah/btrfs_tag.sh
index 59cb969ad..ea753d4d0 100644
--- a/vendor/github.com/containers/buildah/btrfs_tag.sh
+++ b/vendor/github.com/containers/buildah/btrfs_tag.sh
@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-cc -E - > /dev/null 2> /dev/null << EOF
+${CPP:-${CC:-cc} -E} ${CPPFLAGS} - > /dev/null 2> /dev/null << EOF
 #include <btrfs/version.h>
 EOF
 if test $? -ne 0 ; then
diff --git a/vendor/github.com/containers/buildah/buildah.go b/vendor/github.com/containers/buildah/buildah.go
index 86695508c..96e8619a8 100644
--- a/vendor/github.com/containers/buildah/buildah.go
+++ b/vendor/github.com/containers/buildah/buildah.go
@@ -28,7 +28,7 @@ const (
 	Package = "buildah"
 	// Version for the Package.  Bump version in contrib/rpm/buildah.spec
 	// too.
-	Version = "1.17.0"
+	Version = "1.18.0-dev"
 	// The value we use to identify what type of information, currently a
 	// serialized Builder structure, we are using as per-container state.
 	// This should only be changed when we make incompatible changes to
diff --git a/vendor/github.com/containers/buildah/copier/copier.go b/vendor/github.com/containers/buildah/copier/copier.go
index 9ebc8e2a3..84b636202 100644
--- a/vendor/github.com/containers/buildah/copier/copier.go
+++ b/vendor/github.com/containers/buildah/copier/copier.go
@@ -7,7 +7,9 @@ import (
 	"fmt"
 	"io"
 	"io/ioutil"
+	"net"
 	"os"
+	"os/user"
 	"path/filepath"
 	"strconv"
 	"strings"
@@ -35,6 +37,14 @@ const (
 
 func init() {
 	reexec.Register(copierCommand, copierMain)
+	// Attempt a user and host lookup to force libc (glibc, and possibly others that use dynamic
+	// modules to handle looking up user and host information) to load modules that match the libc
+	// our binary is currently using.  Hopefully they're loaded on first use, so that they won't
+	// need to be loaded after we've chrooted into the rootfs, which could include modules that
+	// don't match our libc and which can't be loaded, or modules which we don't want to execute
+	// because we don't trust their code.
+	_, _ = user.Lookup("buildah")
+	_, _ = net.LookupHost("localhost")
 }
 
 // isArchivePath returns true if the specified path can be read like a (possibly
diff --git a/vendor/github.com/containers/buildah/copier/xattrs.go b/vendor/github.com/containers/buildah/copier/xattrs.go
index 71769989c..c757adcc8 100644
--- a/vendor/github.com/containers/buildah/copier/xattrs.go
+++ b/vendor/github.com/containers/buildah/copier/xattrs.go
@@ -45,6 +45,11 @@ func Lgetxattrs(path string) (map[string]string, error) {
 				listSize *= 2
 				continue
 			}
+			if (unwrapError(err) == syscall.ENOTSUP) || (unwrapError(err) == syscall.ENOSYS) {
+				// treat these errors listing xattrs as equivalent to "no xattrs"
+				list = list[:0]
+				break
+			}
 			return nil, errors.Wrapf(err, "error listing extended attributes of %q", path)
 		}
 		list = list[:size]
diff --git a/vendor/github.com/containers/buildah/go.mod b/vendor/github.com/containers/buildah/go.mod
index 6fe683f4b..2bc71f948 100644
--- a/vendor/github.com/containers/buildah/go.mod
+++ b/vendor/github.com/containers/buildah/go.mod
@@ -5,10 +5,10 @@ go 1.12
 require (
 	github.com/containerd/containerd v1.4.1 // indirect
 	github.com/containernetworking/cni v0.7.2-0.20190904153231-83439463f784
-	github.com/containers/common v0.26.2
-	github.com/containers/image/v5 v5.7.0
+	github.com/containers/common v0.26.3
+	github.com/containers/image/v5 v5.8.0
 	github.com/containers/ocicrypt v1.0.3
-	github.com/containers/storage v1.23.7
+	github.com/containers/storage v1.23.9
 	github.com/docker/distribution v2.7.1+incompatible
 	github.com/docker/docker v17.12.0-ce-rc1.0.20201020191947-73dc6a680cdd+incompatible // indirect
 	github.com/docker/go-units v0.4.0
@@ -17,6 +17,7 @@ require (
 	github.com/ghodss/yaml v1.0.0
 	github.com/hashicorp/go-multierror v1.1.0
 	github.com/ishidawataru/sctp v0.0.0-20191218070446-00ab2ac2db07 // indirect
+	github.com/konsorten/go-windows-terminal-sequences v1.0.2 // indirect
 	github.com/mattn/go-shellwords v1.0.10
 	github.com/moby/sys/mount v0.1.1 // indirect
 	github.com/moby/term v0.0.0-20200915141129-7f0af18e79f2 // indirect
diff --git a/vendor/github.com/containers/buildah/go.sum b/vendor/github.com/containers/buildah/go.sum
index 65268af4e..1952ace1a 100644
--- a/vendor/github.com/containers/buildah/go.sum
+++ b/vendor/github.com/containers/buildah/go.sum
@@ -45,6 +45,12 @@ github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnweb
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
 github.com/checkpoint-restore/go-criu/v4 v4.0.2/go.mod h1:xUQBLp4RLc5zJtWY++yjOoMoB5lihDt7fai+75m+rGw=
+github.com/chzyer/logex v1.1.10 h1:Swpa1K6QvQznwJRcfTfQJmTE72DqScAa40E+fbHEXEE=
+github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
+github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e h1:fY5BOSpyZCqRo5OhCuC+XN+r/bBCmeuuJtjz+bCNIf8=
+github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
+github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1 h1:q763qf9huN11kDQavWsoZXJNW3xEE4JJyHa5Q25/sd8=
+github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/cilium/ebpf v0.0.0-20200507155900-a9f01edf17e3/go.mod h1:XT+cAw5wfvsodedcijoh1l9cf7v1x9FlFB/3VmF/O8s=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
@@ -65,17 +71,20 @@ github.com/containerd/ttrpc v0.0.0-20190828154514-0e0f228740de/go.mod h1:PvCDdDG
 github.com/containerd/typeurl v0.0.0-20180627222232-a93fcdb778cd/go.mod h1:Cm3kwCdlkCfMSHURc+r6fwoGH6/F1hH3S4sg0rLFWPc=
 github.com/containernetworking/cni v0.7.2-0.20190904153231-83439463f784 h1:rqUVLD8I859xRgUx/WMC3v7QAFqbLKZbs+0kqYboRJc=
 github.com/containernetworking/cni v0.7.2-0.20190904153231-83439463f784/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY=
-github.com/containers/common v0.26.2 h1:TysMCBpzq3gDFD9GzM0TKTGjtq/9HySWevKtlrvVGRU=
-github.com/containers/common v0.26.2/go.mod h1:igUeog5hx8rYhJk67rG6rGAh3zEcf0Uxuzm9KpXzo2E=
+github.com/containers/common v0.26.3 h1:5Kb5fMmJ7/xMiJ+iEbPA+5pQpl/FGxCgJex4nml4Slo=
+github.com/containers/common v0.26.3/go.mod h1:hJWZIlrl5MsE2ELNRa+MPp6I1kPbXHauuj0Ym4BsLG4=
 github.com/containers/image/v5 v5.7.0 h1:fiTC8/Xbr+zEP6njGTZtPW/3UD7MC93nC9DbUoWdxkA=
 github.com/containers/image/v5 v5.7.0/go.mod h1:8aOy+YaItukxghRORkvhq5ibWttHErzDLy6egrKfKos=
+github.com/containers/image/v5 v5.8.0 h1:B3FGHi0bdGXgg698kBIGOlHCXN5n+scJr6/5354GOPU=
+github.com/containers/image/v5 v5.8.0/go.mod h1:jKxdRtyIDumVa56hdsZvV+gwx4zB50hRou6pIuCWLkg=
 github.com/containers/libtrust v0.0.0-20190913040956-14b96171aa3b h1:Q8ePgVfHDplZ7U33NwHZkrVELsZP5fYj9pM5WBZB2GE=
 github.com/containers/libtrust v0.0.0-20190913040956-14b96171aa3b/go.mod h1:9rfv8iPl1ZP7aqh9YA68wnZv2NUDbXdcdPHVz0pFbPY=
 github.com/containers/ocicrypt v1.0.3 h1:vYgl+RZ9Q3DPMuTfxmN+qp0X2Bj52uuY2vnt6GzVe1c=
 github.com/containers/ocicrypt v1.0.3/go.mod h1:CUBa+8MRNL/VkpxYIpaMtgn1WgXGyvPQj8jcy0EVG6g=
 github.com/containers/storage v1.23.6/go.mod h1:haFs0HRowKwyzvWEx9EgI3WsL8XCSnBDb5f8P5CAxJY=
-github.com/containers/storage v1.23.7 h1:43ImvG/npvQSZXRjaudVvKISIuZSfI6qvtSNQQSGO/A=
 github.com/containers/storage v1.23.7/go.mod h1:cUT2zHjtx+WlVri30obWmM2gpqpi8jfPsmIzP1TVpEI=
+github.com/containers/storage v1.23.9 h1:qbgnTp76pLSyW3vYwY5GH4vk5cHYVXFJ+CsUEBp9TMw=
+github.com/containers/storage v1.23.9/go.mod h1:3b2ktpB6pw53SEeIoFfO0sQfP9+IoJJKPq5iJk74gxE=
 github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
 github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
@@ -214,25 +223,37 @@ github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCV
 github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
+github.com/juju/ansiterm v0.0.0-20180109212912-720a0952cc2a h1:FaWFmfWdAUKbSCtOU2QjDaorUexogfaMgbipgYATUMU=
+github.com/juju/ansiterm v0.0.0-20180109212912-720a0952cc2a/go.mod h1:UJSiEoRfvx3hP73CvoARgeLjaIOjybY9vj8PUPPFGeU=
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
 github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
 github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.11.1 h1:bPb7nMRdOZYDrpPMTA3EInUQrdgoBinqUuSwlGdKDdE=
 github.com/klauspost/compress v1.11.1/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
+github.com/klauspost/compress v1.11.2 h1:MiK62aErc3gIiVEtyzKfeOHgW7atJb5g/KNX5m3c2nQ=
+github.com/klauspost/compress v1.11.2/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
 github.com/klauspost/pgzip v1.2.5 h1:qnWYvvKqedOF2ulHpMG72XQol4ILEJ8k2wwRl/Km8oE=
 github.com/klauspost/pgzip v1.2.5/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/konsorten/go-windows-terminal-sequences v1.0.2 h1:DB17ag19krx9CFsz4o3enTrPXyIXCl+2iCXH/aMAp9s=
+github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
 github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/lunixbochs/vtclean v0.0.0-20180621232353-2d01aacdc34a h1:weJVJJRzAJBFRlAiJQROKQs8oC9vOxvm4rZmBBk0ONw=
+github.com/lunixbochs/vtclean v0.0.0-20180621232353-2d01aacdc34a/go.mod h1:pHhQNgMf3btfWnGBVipUOjRYhoOsdGqdm/+2c2E2WMI=
 github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
+github.com/manifoldco/promptui v0.8.0 h1:R95mMF+McvXZQ7j1g8ucVZE1gLP3Sv6j9vlF9kyRqQo=
+github.com/manifoldco/promptui v0.8.0/go.mod h1:n4zTdgP0vr0S3w7/O/g98U+e0gwLScEXGwov2nIKuGQ=
+github.com/mattn/go-colorable v0.0.9 h1:UVL0vNpWh04HeJXV0KLcaT7r06gOH2l4OW6ddYRUIY4=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
 github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
+github.com/mattn/go-isatty v0.0.4 h1:bnP0vzxcAdeI1zdubAl5PjU6zsERjGZb7raWodagDYs=
+github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
 github.com/mattn/go-runewidth v0.0.9 h1:Lm995f3rfxdpd6TSmuVCHVb/QhupuXlYr8sCI/QdE+0=
 github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
 github.com/mattn/go-shellwords v1.0.10 h1:Y7Xqm8piKOO3v10Thp7Z36h4FYFjt5xB//6XvOrs2Gw=
@@ -479,6 +500,7 @@ golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20181122145206-62eef0e2fa9b/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
diff --git a/vendor/github.com/containers/buildah/imagebuildah/build.go b/vendor/github.com/containers/buildah/imagebuildah/build.go
index 76dfeaf54..a97a403b3 100644
--- a/vendor/github.com/containers/buildah/imagebuildah/build.go
+++ b/vendor/github.com/containers/buildah/imagebuildah/build.go
@@ -216,20 +216,19 @@ func BuildDockerfiles(ctx context.Context, store storage.Store, options BuildOpt
 			}
 			data = resp.Body
 		} else {
-			// If the Dockerfile isn't found try prepending the
-			// context directory to it.
 			dinfo, err := os.Stat(dfile)
-			if os.IsNotExist(err) {
-				// If they are "/workDir/Dockerfile" and "/workDir"
-				// so don't joint it
+			if err != nil {
+				// If the Dockerfile isn't available, try again with
+				// context directory prepended (if not prepended yet).
 				if !strings.HasPrefix(dfile, options.ContextDirectory) {
 					dfile = filepath.Join(options.ContextDirectory, dfile)
+					dinfo, err = os.Stat(dfile)
 				}
-				dinfo, err = os.Stat(dfile)
-				if err != nil {
-					return "", nil, err
-				}
 			}
+			if err != nil {
+				return "", nil, err
+			}
+
 			// If given a directory, add '/Dockerfile' to it.
 			if dinfo.Mode().IsDir() {
 				dfile = filepath.Join(dfile, "Dockerfile")
diff --git a/vendor/github.com/containers/buildah/imagebuildah/executor.go b/vendor/github.com/containers/buildah/imagebuildah/executor.go
index 77c224ad8..8c96b4e67 100644
--- a/vendor/github.com/containers/buildah/imagebuildah/executor.go
+++ b/vendor/github.com/containers/buildah/imagebuildah/executor.go
@@ -17,6 +17,7 @@ import (
 	"github.com/containers/buildah/util"
 	"github.com/containers/common/pkg/config"
 	"github.com/containers/image/v5/docker/reference"
+	"github.com/containers/image/v5/manifest"
 	is "github.com/containers/image/v5/storage"
 	"github.com/containers/image/v5/transports"
 	"github.com/containers/image/v5/transports/alltransports"
@@ -111,6 +112,15 @@ type Executor struct {
 	stagesSemaphore                *semaphore.Weighted
 	jobs                           int
 	logRusage                      bool
+	imageInfoLock                  sync.Mutex
+	imageInfoCache                 map[string]imageTypeAndHistoryAndDiffIDs
+}
+
+type imageTypeAndHistoryAndDiffIDs struct {
+	manifestType string
+	history      []v1.History
+	diffIDs      []digest.Digest
+	err          error
 }
 
 // NewExecutor creates a new instance of the imagebuilder.Executor interface.
@@ -215,6 +225,7 @@ func NewExecutor(store storage.Store, options BuildOptions, mainNode *parser.Nod
 		terminatedStage:                make(map[string]struct{}),
 		jobs:                           jobs,
 		logRusage:                      options.LogRusage,
+		imageInfoCache:                 make(map[string]imageTypeAndHistoryAndDiffIDs),
 	}
 	if exec.err == nil {
 		exec.err = os.Stderr
@@ -335,22 +346,43 @@ func (b *Executor) waitForStage(ctx context.Context, name string, stages imagebu
 	}
 }
 
-// getImageHistoryAndDiffIDs returns the history and diff IDs list of imageID.
-func (b *Executor) getImageHistoryAndDiffIDs(ctx context.Context, imageID string) ([]v1.History, []digest.Digest, error) {
+// getImageTypeAndHistoryAndDiffIDs returns the manifest type, history, and diff IDs list of imageID.
+func (b *Executor) getImageTypeAndHistoryAndDiffIDs(ctx context.Context, imageID string) (string, []v1.History, []digest.Digest, error) {
+	b.imageInfoLock.Lock()
+	imageInfo, ok := b.imageInfoCache[imageID]
+	b.imageInfoLock.Unlock()
+	if ok {
+		return imageInfo.manifestType, imageInfo.history, imageInfo.diffIDs, imageInfo.err
+	}
 	imageRef, err := is.Transport.ParseStoreReference(b.store, "@"+imageID)
 	if err != nil {
-		return nil, nil, errors.Wrapf(err, "error getting image reference %q", imageID)
+		return "", nil, nil, errors.Wrapf(err, "error getting image reference %q", imageID)
 	}
 	ref, err := imageRef.NewImage(ctx, nil)
 	if err != nil {
-		return nil, nil, errors.Wrapf(err, "error creating new image from reference to image %q", imageID)
+		return "", nil, nil, errors.Wrapf(err, "error creating new image from reference to image %q", imageID)
 	}
 	defer ref.Close()
 	oci, err := ref.OCIConfig(ctx)
 	if err != nil {
-		return nil, nil, errors.Wrapf(err, "error getting possibly-converted OCI config of image %q", imageID)
+		return "", nil, nil, errors.Wrapf(err, "error getting possibly-converted OCI config of image %q", imageID)
+	}
+	manifestBytes, manifestFormat, err := ref.Manifest(ctx)
+	if err != nil {
+		return "", nil, nil, errors.Wrapf(err, "error getting manifest of image %q", imageID)
+	}
+	if manifestFormat == "" && len(manifestBytes) > 0 {
+		manifestFormat = manifest.GuessMIMEType(manifestBytes)
+	}
+	b.imageInfoLock.Lock()
+	b.imageInfoCache[imageID] = imageTypeAndHistoryAndDiffIDs{
+		manifestType: manifestFormat,
+		history:      oci.History,
+		diffIDs:      oci.RootFS.DiffIDs,
+		err:          nil,
 	}
-	return oci.History, oci.RootFS.DiffIDs, nil
+	b.imageInfoLock.Unlock()
+	return manifestFormat, oci.History, oci.RootFS.DiffIDs, nil
 }
 
 func (b *Executor) buildStage(ctx context.Context, cleanupStages map[int]*StageExecutor, stages imagebuilder.Stages, stageIndex int) (imageID string, ref reference.Canonical, err error) {
diff --git a/vendor/github.com/containers/buildah/imagebuildah/stage_executor.go b/vendor/github.com/containers/buildah/imagebuildah/stage_executor.go
index e157bb1c8..6c058e226 100644
--- a/vendor/github.com/containers/buildah/imagebuildah/stage_executor.go
+++ b/vendor/github.com/containers/buildah/imagebuildah/stage_executor.go
@@ -1110,7 +1110,7 @@ func (s *StageExecutor) intermediateImageExists(ctx context.Context, currNode *p
 	var baseHistory []v1.History
 	var baseDiffIDs []digest.Digest
 	if s.builder.FromImageID != "" {
-		baseHistory, baseDiffIDs, err = s.executor.getImageHistoryAndDiffIDs(ctx, s.builder.FromImageID)
+		_, baseHistory, baseDiffIDs, err = s.executor.getImageTypeAndHistoryAndDiffIDs(ctx, s.builder.FromImageID)
 		if err != nil {
 			return "", errors.Wrapf(err, "error getting history of base image %q", s.builder.FromImageID)
 		}
@@ -1142,10 +1142,15 @@ func (s *StageExecutor) intermediateImageExists(ctx context.Context, currNode *p
 		}
 		// Next we double check that the history of this image is equivalent to the previous
 		// lines in the Dockerfile up till the point we are at in the build.
-		history, diffIDs, err := s.executor.getImageHistoryAndDiffIDs(ctx, image.ID)
+		manifestType, history, diffIDs, err := s.executor.getImageTypeAndHistoryAndDiffIDs(ctx, image.ID)
 		if err != nil {
 			return "", errors.Wrapf(err, "error getting history of %q", image.ID)
 		}
+		// If this candidate isn't of the type that we're building, then it may have lost
+		// some format-specific information that a building-without-cache run wouldn't lose.
+		if manifestType != s.executor.outputFormat {
+			continue
+		}
 		// children + currNode is the point of the Dockerfile we are currently at.
 		if s.historyAndDiffIDsMatch(baseHistory, baseDiffIDs, currNode, history, diffIDs, addedContentDigest, buildAddsLayer) {
 			return image.ID, nil
@@ -1276,5 +1281,5 @@ func (s *StageExecutor) commit(ctx context.Context, createdBy string, emptyLayer
 }
 
 func (s *StageExecutor) EnsureContainerPath(path string) error {
-	return copier.Mkdir(s.mountPoint, path, copier.MkdirOptions{})
+	return copier.Mkdir(s.mountPoint, filepath.Join(s.mountPoint, path), copier.MkdirOptions{})
 }
diff --git a/vendor/github.com/containers/buildah/libdm_tag.sh b/vendor/github.com/containers/buildah/libdm_tag.sh
index d3668aab1..815b5d914 100644
--- a/vendor/github.com/containers/buildah/libdm_tag.sh
+++ b/vendor/github.com/containers/buildah/libdm_tag.sh
@@ -2,7 +2,7 @@
 tmpdir="$PWD/tmp.$RANDOM"
 mkdir -p "$tmpdir"
 trap 'rm -fr "$tmpdir"' EXIT
-cc -o "$tmpdir"/libdm_tag -ldevmapper -x c - > /dev/null 2> /dev/null << EOF
+${CC:-cc} ${CFLAGS} ${CPPFLAGS} ${LDFLAGS} -o "$tmpdir"/libdm_tag -x c - -ldevmapper > /dev/null 2> /dev/null << EOF
 #include <libdevmapper.h>
 int main() {
 	struct dm_task *task;
diff --git a/vendor/github.com/containers/buildah/new.go b/vendor/github.com/containers/buildah/new.go
index 4f4b1564b..c1abb1cdb 100644
--- a/vendor/github.com/containers/buildah/new.go
+++ b/vendor/github.com/containers/buildah/new.go
@@ -4,13 +4,14 @@ import (
 	"context"
 	"fmt"
 	"math/rand"
+	"os"
 	"strings"
-	"time"
 
 	"github.com/containers/buildah/util"
+	"github.com/containers/image/v5/docker"
 	"github.com/containers/image/v5/image"
 	"github.com/containers/image/v5/manifest"
-	"github.com/containers/image/v5/pkg/sysregistriesv2"
+	"github.com/containers/image/v5/pkg/shortnames"
 	is "github.com/containers/image/v5/storage"
 	"github.com/containers/image/v5/transports"
 	"github.com/containers/image/v5/transports/alltransports"
@@ -103,145 +104,168 @@ func newContainerIDMappingOptions(idmapOptions *IDMappingOptions) storage.IDMapp
 	return options
 }
 
-func resolveImage(ctx context.Context, systemContext *types.SystemContext, store storage.Store, options BuilderOptions) (types.ImageReference, string, *storage.Image, error) {
-	type failure struct {
-		resolvedImageName string
-		err               error
-	}
-	candidates, transport, searchRegistriesWereUsedButEmpty, err := util.ResolveName(options.FromImage, options.Registry, systemContext, store)
+func resolveLocalImage(systemContext *types.SystemContext, store storage.Store, options BuilderOptions) (types.ImageReference, string, *storage.Image, error) {
+	candidates, _, _, err := util.ResolveName(options.FromImage, options.Registry, systemContext, store)
 	if err != nil {
-		return nil, "", nil, errors.Wrapf(err, "error parsing reference to image %q", options.FromImage)
+		return nil, "", nil, errors.Wrapf(err, "error resolving local image %q", options.FromImage)
 	}
-
-	failures := []failure{}
 	for _, image := range candidates {
-		if transport == "" {
-			img, err := store.Image(image)
-			if err != nil {
-				logrus.Debugf("error looking up known-local image %q: %v", image, err)
-				failures = append(failures, failure{resolvedImageName: image, err: err})
+		img, err := store.Image(image)
+		if err != nil {
+			if errors.Cause(err) == storage.ErrImageUnknown {
 				continue
 			}
-			ref, err := is.Transport.ParseStoreReference(store, img.ID)
-			if err != nil {
-				return nil, "", nil, errors.Wrapf(err, "error parsing reference to image %q", img.ID)
-			}
-			return ref, transport, img, nil
+			return nil, "", nil, err
 		}
-
-		trans := transport
-		if transport != util.DefaultTransport {
-			trans = trans + ":"
-		}
-		srcRef, err := alltransports.ParseImageName(trans + image)
+		ref, err := is.Transport.ParseStoreReference(store, img.ID)
 		if err != nil {
-			logrus.Debugf("error parsing image name %q: %v", trans+image, err)
-			failures = append(failures, failure{
-				resolvedImageName: image,
-				err:               errors.Wrapf(err, "error parsing attempted image name %q", trans+image),
-			})
-			continue
+			return nil, "", nil, errors.Wrapf(err, "error parsing reference to image %q", img.ID)
 		}
+		return ref, ref.Transport().Name(), img, nil
+	}
+
+	return nil, "", nil, nil
+}
+
+// getShortNameMode looks up the `CONTAINERS_SHORT_NAME_ALIASING` environment
+// variable.  If it's "on", return `nil` to use the defaults from
+// containers/image and the registries.conf files on the system.  If it's
+// "off", empty or unset, return types.ShortNameModeDisabled to turn off
+// short-name aliasing by default.
+//
+// TODO: remove this function once we want to default to short-name aliasing.
+func getShortNameMode() *types.ShortNameMode {
+	env := os.Getenv("CONTAINERS_SHORT_NAME_ALIASING")
+	if strings.ToLower(env) == "on" {
+		return nil // default to whatever registries.conf and c/image decide
+	}
+	mode := types.ShortNameModeDisabled
+	return &mode
+}
 
-		if options.PullPolicy == PullAlways {
+func resolveImage(ctx context.Context, systemContext *types.SystemContext, store storage.Store, options BuilderOptions) (types.ImageReference, string, *storage.Image, error) {
+	if systemContext == nil {
+		systemContext = &types.SystemContext{}
+	}
+	systemContext.ShortNameMode = getShortNameMode()
+
+	fromImage := options.FromImage
+	// If the image name includes a transport we can use it as it.  Special
+	// treatment for docker references which are subject to pull policies
+	// that we're handling below.
+	srcRef, err := alltransports.ParseImageName(options.FromImage)
+	if err == nil {
+		if srcRef.Transport().Name() == docker.Transport.Name() {
+			fromImage = srcRef.DockerReference().String()
+		} else {
 			pulledImg, pulledReference, err := pullAndFindImage(ctx, store, srcRef, options, systemContext)
-			if err != nil {
-				logrus.Debugf("unable to pull and read image %q: %v", image, err)
-				failures = append(failures, failure{resolvedImageName: image, err: err})
-				continue
-			}
-			return pulledReference, transport, pulledImg, nil
+			return pulledReference, srcRef.Transport().Name(), pulledImg, err
 		}
+	}
 
-		destImage, err := localImageNameForReference(ctx, store, srcRef)
-		if err != nil {
-			return nil, "", nil, errors.Wrapf(err, "error computing local image name for %q", transports.ImageName(srcRef))
+	localImageRef, _, localImage, err := resolveLocalImage(systemContext, store, options)
+	if err != nil {
+		return nil, "", nil, err
+	}
+
+	// If we could resolve the image locally, check if it was referenced by
+	// ID.  In that case, we don't need to bother any further and can
+	// prevent prompting the user.
+	if localImage != nil && strings.HasPrefix(localImage.ID, options.FromImage) {
+		return localImageRef, localImageRef.Transport().Name(), localImage, nil
+	}
+
+	if options.PullPolicy == PullNever || options.PullPolicy == PullIfMissing {
+		if localImage != nil {
+			return localImageRef, localImageRef.Transport().Name(), localImage, nil
 		}
-		if destImage == "" {
-			return nil, "", nil, errors.Errorf("error computing local image name for %q", transports.ImageName(srcRef))
+		if options.PullPolicy == PullNever {
+			return nil, "", nil, errors.Errorf("pull policy is %q but %q could not be found locally", "never", options.FromImage)
 		}
-		ref, err := is.Transport.ParseStoreReference(store, destImage)
+	}
+
+	resolved, err := shortnames.Resolve(systemContext, fromImage)
+	if err != nil {
+		return nil, "", nil, err
+	}
+
+	// Print the image-resolution description unless we're looking for a
+	// new image and already found a local image.  In many cases, the
+	// description will be more confusing than helpful (e.g., `buildah from
+	// localImage`).
+	if desc := resolved.Description(); len(desc) > 0 {
+		logrus.Debug(desc)
+		if !(options.PullPolicy == PullIfNewer && localImage != nil) {
+			if options.ReportWriter != nil {
+				if _, err := options.ReportWriter.Write([]byte(desc + "\n")); err != nil {
+					return nil, "", nil, err
+				}
+			}
+		}
+	}
+
+	var pullErrors []error
+	for _, pullCandidate := range resolved.PullCandidates {
+		ref, err := docker.NewReference(pullCandidate.Value)
 		if err != nil {
-			return nil, "", nil, errors.Wrapf(err, "error parsing reference to image %q", destImage)
+			return nil, "", nil, err
 		}
 
-		if options.PullPolicy == PullIfNewer {
-			img, err := is.Transport.GetStoreImage(store, ref)
-			if err == nil {
-				// Let's see if this image is on the repository and if it's there
-				// then note it's Created date.
-				var repoImageCreated time.Time
-				repoImageFound := false
-				repoImage, err := srcRef.NewImage(ctx, systemContext)
-				if err == nil {
-					inspect, err := repoImage.Inspect(ctx)
-					if err == nil {
-						repoImageFound = true
-						repoImageCreated = *inspect.Created
-					}
-					repoImage.Close()
-				}
-				if !repoImageFound || repoImageCreated == img.Created {
-					// The image is only local or the same date is on the
-					// local and repo versions of the image, no need to pull.
-					return ref, transport, img, nil
-				}
+		// We're tasked to pull a "newer" image.  If there's no local
+		// image, we have no base for comparison, so we'll pull the
+		// first available image.
+		//
+		// If there's a local image, the `pullCandidate` is considered
+		// to be newer if its time stamp differs from the local one.
+		// Otherwise, we don't pull and skip it.
+		if options.PullPolicy == PullIfNewer && localImage != nil {
+			remoteImage, err := ref.NewImage(ctx, systemContext)
+			if err != nil {
+				logrus.Debugf("unable to remote-inspect image %q: %v", pullCandidate.Value.String(), err)
+				pullErrors = append(pullErrors, err)
+				continue
 			}
-		} else {
-			// Get the image from the store if present for PullNever and PullIfMissing
-			img, err := is.Transport.GetStoreImage(store, ref)
-			if err == nil {
-				return ref, transport, img, nil
+			defer remoteImage.Close()
+
+			remoteData, err := remoteImage.Inspect(ctx)
+			if err != nil {
+				logrus.Debugf("unable to remote-inspect image %q: %v", pullCandidate.Value.String(), err)
+				pullErrors = append(pullErrors, err)
+				continue
 			}
-			if errors.Cause(err) == storage.ErrImageUnknown && options.PullPolicy == PullNever {
-				logrus.Debugf("no such image %q: %v", transports.ImageName(ref), err)
-				failures = append(failures, failure{
-					resolvedImageName: image,
-					err:               errors.Errorf("no such image %q", transports.ImageName(ref)),
-				})
+
+			// FIXME: we should compare image digests not time stamps.
+			// Comparing time stamps is flawed.  Be aware that fixing
+			// it may entail non-trivial changes to the tests.  Please
+			// refer to https://github.com/containers/buildah/issues/2779
+			// for more.
+			if localImage.Created.Equal(*remoteData.Created) {
 				continue
 			}
 		}
 
-		pulledImg, pulledReference, err := pullAndFindImage(ctx, store, srcRef, options, systemContext)
+		pulledImg, pulledReference, err := pullAndFindImage(ctx, store, ref, options, systemContext)
 		if err != nil {
-			logrus.Debugf("unable to pull and read image %q: %v", image, err)
-			failures = append(failures, failure{resolvedImageName: image, err: err})
+			logrus.Debugf("unable to pull and read image %q: %v", pullCandidate.Value.String(), err)
+			pullErrors = append(pullErrors, err)
 			continue
 		}
-		return pulledReference, transport, pulledImg, nil
-	}
-
-	if len(failures) != len(candidates) {
-		return nil, "", nil, errors.Errorf("internal error: %d candidates (%#v) vs. %d failures (%#v)", len(candidates), candidates, len(failures), failures)
-	}
 
-	registriesConfPath := sysregistriesv2.ConfigPath(systemContext)
-	switch len(failures) {
-	case 0:
-		if searchRegistriesWereUsedButEmpty {
-			return nil, "", nil, errors.Errorf("image name %q is a short name and no search registries are defined in %s.", options.FromImage, registriesConfPath)
+		// Make sure to record the short-name alias if necessary.
+		if err = pullCandidate.Record(); err != nil {
+			return nil, "", nil, err
 		}
-		return nil, "", nil, errors.Errorf("internal error: no pull candidates were available for %q for an unknown reason", options.FromImage)
 
-	case 1:
-		err := failures[0].err
-		if failures[0].resolvedImageName != options.FromImage {
-			err = errors.Wrapf(err, "while pulling %q as %q", options.FromImage, failures[0].resolvedImageName)
-		}
-		if searchRegistriesWereUsedButEmpty {
-			err = errors.Wrapf(err, "(image name %q is a short name and no search registries are defined in %s)", options.FromImage, registriesConfPath)
-		}
-		return nil, "", nil, err
+		return pulledReference, "", pulledImg, nil
+	}
 
-	default:
-		// NOTE: a multi-line error string:
-		e := fmt.Sprintf("The following failures happened while trying to pull image specified by %q based on search registries in %s:", options.FromImage, registriesConfPath)
-		for _, f := range failures {
-			e = e + fmt.Sprintf("\n* %q: %s", f.resolvedImageName, f.err.Error())
-		}
-		return nil, "", nil, errors.New(e)
+	// If we were looking for a newer image but could not find one, return
+	// the local image if present.
+	if options.PullPolicy == PullIfNewer && localImage != nil {
+		return localImageRef, localImageRef.Transport().Name(), localImage, nil
 	}
+
+	return nil, "", nil, resolved.FormatPullErrors(pullErrors)
 }
 
 func containerNameExist(name string, containers []storage.Container) bool {
diff --git a/vendor/github.com/containers/buildah/pkg/cli/common.go b/vendor/github.com/containers/buildah/pkg/cli/common.go
index af7453c91..62a328de0 100644
--- a/vendor/github.com/containers/buildah/pkg/cli/common.go
+++ b/vendor/github.com/containers/buildah/pkg/cli/common.go
@@ -59,7 +59,6 @@ type BudResults struct {
 	Creds               string
 	DisableCompression  bool
 	DisableContentTrust bool
-	DecryptionKeys      []string
 	File                []string
 	Format              string
 	Iidfile             string
@@ -90,38 +89,39 @@ type BudResults struct {
 // FromAndBugResults represents the results for common flags
 // in bud and from
 type FromAndBudResults struct {
-	AddHost      []string
-	BlobCache    string
-	CapAdd       []string
-	CapDrop      []string
-	CgroupParent string
-	CPUPeriod    uint64
-	CPUQuota     int64
-	CPUSetCPUs   string
-	CPUSetMems   string
-	CPUShares    uint64
-	Devices      []string
-	DNSSearch    []string
-	DNSServers   []string
-	DNSOptions   []string
-	HTTPProxy    bool
-	Isolation    string
-	Memory       string
-	MemorySwap   string
-	OverrideArch string
-	OverrideOS   string
-	SecurityOpt  []string
-	ShmSize      string
-	Ulimit       []string
-	Volumes      []string
+	AddHost        []string
+	BlobCache      string
+	CapAdd         []string
+	CapDrop        []string
+	CgroupParent   string
+	CPUPeriod      uint64
+	CPUQuota       int64
+	CPUSetCPUs     string
+	CPUSetMems     string
+	CPUShares      uint64
+	DecryptionKeys []string
+	Devices        []string
+	DNSSearch      []string
+	DNSServers     []string
+	DNSOptions     []string
+	HTTPProxy      bool
+	Isolation      string
+	Memory         string
+	MemorySwap     string
+	OverrideArch   string
+	OverrideOS     string
+	SecurityOpt    []string
+	ShmSize        string
+	Ulimit         []string
+	Volumes        []string
 }
 
 // GetUserNSFlags returns the common flags for usernamespace
 func GetUserNSFlags(flags *UserNSResults) pflag.FlagSet {
 	usernsFlags := pflag.FlagSet{}
 	usernsFlags.StringVar(&flags.UserNS, "userns", "", "'container', `path` of user namespace to join, or 'host'")
-	usernsFlags.StringSliceVar(&flags.UserNSUIDMap, "userns-uid-map", []string{}, "`containerID:hostID:length` UID mapping to use in user namespace")
-	usernsFlags.StringSliceVar(&flags.UserNSGIDMap, "userns-gid-map", []string{}, "`containerID:hostID:length` GID mapping to use in user namespace")
+	usernsFlags.StringSliceVar(&flags.UserNSUIDMap, "userns-uid-map", []string{}, "`containerUID:hostUID:length` UID mapping to use in user namespace")
+	usernsFlags.StringSliceVar(&flags.UserNSGIDMap, "userns-gid-map", []string{}, "`containerGID:hostGID:length` GID mapping to use in user namespace")
 	usernsFlags.StringVar(&flags.UserNSUIDMapUser, "userns-uid-map-user", "", "`name` of entries from /etc/subuid to use to set user namespace UID mapping")
 	usernsFlags.StringVar(&flags.UserNSGIDMapGroup, "userns-gid-map-group", "", "`name` of entries from /etc/subgid to use to set user namespace GID mapping")
 	return usernsFlags
@@ -208,6 +208,9 @@ func GetBudFlags(flags *BudResults) pflag.FlagSet {
 	fs.StringSliceVar(&flags.RuntimeFlags, "runtime-flag", []string{}, "add global flags for the container runtime")
 	fs.StringVar(&flags.SignBy, "sign-by", "", "sign the image using a GPG key with the specified `FINGERPRINT`")
 	fs.StringVar(&flags.SignaturePolicy, "signature-policy", "", "`pathname` of signature policy file (not usually used)")
+	if err := fs.MarkHidden("signature-policy"); err != nil {
+		panic(fmt.Sprintf("error marking the signature-policy flag as hidden: %v", err))
+	}
 	fs.BoolVar(&flags.Squash, "squash", false, "squash newly built layers into a single new layer")
 	fs.StringArrayVarP(&flags.Tag, "tag", "t", []string{}, "tagged `name` to apply to the built image")
 	fs.StringVar(&flags.Target, "target", "", "set the target build stage to build")
@@ -265,6 +268,7 @@ func GetFromAndBudFlags(flags *FromAndBudResults, usernsResults *UserNSResults,
 	fs.Uint64VarP(&flags.CPUShares, "cpu-shares", "c", 0, "CPU shares (relative weight)")
 	fs.StringVar(&flags.CPUSetCPUs, "cpuset-cpus", "", "CPUs in which to allow execution (0-3, 0,1)")
 	fs.StringVar(&flags.CPUSetMems, "cpuset-mems", "", "memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only effective on NUMA systems.")
+	fs.StringSliceVar(&flags.DecryptionKeys, "decryption-key", nil, "key needed to decrypt the image")
 	fs.StringArrayVar(&flags.Devices, "device", defaultContainerConfig.Containers.Devices, "Additional devices to be used within containers (default [])")
 	fs.StringSliceVar(&flags.DNSSearch, "dns-search", defaultContainerConfig.Containers.DNSSearches, "Set custom DNS search domains")
 	fs.StringSliceVar(&flags.DNSServers, "dns", defaultContainerConfig.Containers.DNSServers, "Set custom DNS servers or disable it completely by setting it to 'none', which prevents the automatic creation of `/etc/resolv.conf`.")
@@ -308,6 +312,7 @@ func GetFromAndBudFlagsCompletions() commonComp.FlagCompletions {
 	flagCompletion["cpu-shares"] = commonComp.AutocompleteNone
 	flagCompletion["cpuset-cpus"] = commonComp.AutocompleteNone
 	flagCompletion["cpuset-mems"] = commonComp.AutocompleteNone
+	flagCompletion["decryption-key"] = commonComp.AutocompleteNone
 	flagCompletion["device"] = commonComp.AutocompleteDefault
 	flagCompletion["dns-search"] = commonComp.AutocompleteNone
 	flagCompletion["dns"] = commonComp.AutocompleteNone
diff --git a/vendor/github.com/containers/buildah/pkg/secrets/secrets.go b/vendor/github.com/containers/buildah/pkg/secrets/secrets.go
index ee2e9a7c8..32f888fa8 100644
--- a/vendor/github.com/containers/buildah/pkg/secrets/secrets.go
+++ b/vendor/github.com/containers/buildah/pkg/secrets/secrets.go
@@ -38,7 +38,7 @@ type secretData struct {
 // saveTo saves secret data to given directory
 func (s secretData) saveTo(dir string) error {
 	path := filepath.Join(dir, s.name)
-	if err := os.MkdirAll(filepath.Dir(path), s.dirMode); err != nil && !os.IsExist(err) {
+	if err := os.MkdirAll(filepath.Dir(path), s.dirMode); err != nil {
 		return err
 	}
 	return ioutil.WriteFile(path, s.data, s.mode)
diff --git a/vendor/github.com/containers/buildah/pull.go b/vendor/github.com/containers/buildah/pull.go
index bb52ec1ed..d7e7b8890 100644
--- a/vendor/github.com/containers/buildah/pull.go
+++ b/vendor/github.com/containers/buildah/pull.go
@@ -7,7 +7,6 @@ import (
 	"time"
 
 	"github.com/containers/buildah/pkg/blobcache"
-	"github.com/containers/buildah/util"
 	"github.com/containers/image/v5/directory"
 	"github.com/containers/image/v5/docker"
 	dockerarchive "github.com/containers/image/v5/docker/archive"
@@ -18,6 +17,7 @@ import (
 	"github.com/containers/image/v5/signature"
 	is "github.com/containers/image/v5/storage"
 	"github.com/containers/image/v5/transports"
+	"github.com/containers/image/v5/transports/alltransports"
 	"github.com/containers/image/v5/types"
 	encconfig "github.com/containers/ocicrypt/config"
 	"github.com/containers/storage"
@@ -171,63 +171,63 @@ func Pull(ctx context.Context, imageName string, options PullOptions) (imageID s
 		OciDecryptConfig:    options.OciDecryptConfig,
 	}
 
-	storageRef, transport, img, err := resolveImage(ctx, systemContext, options.Store, boptions)
+	if !options.AllTags {
+		_, _, img, err := resolveImage(ctx, systemContext, options.Store, boptions)
+		if err != nil {
+			return "", err
+		}
+		return img.ID, nil
+	}
+
+	srcRef, err := alltransports.ParseImageName(imageName)
+	if err == nil && srcRef.Transport().Name() != docker.Transport.Name() {
+		return "", errors.New("Non-docker transport is not supported, for --all-tags pulling")
+	}
+
+	storageRef, _, _, err := resolveImage(ctx, systemContext, options.Store, boptions)
 	if err != nil {
 		return "", err
 	}
 
 	var errs *multierror.Error
-	if options.AllTags {
-		if transport != util.DefaultTransport {
-			return "", errors.New("Non-docker transport is not supported, for --all-tags pulling")
-		}
-
-		repo := reference.TrimNamed(storageRef.DockerReference())
-		dockerRef, err := docker.NewReference(reference.TagNameOnly(storageRef.DockerReference()))
+	repo := reference.TrimNamed(storageRef.DockerReference())
+	dockerRef, err := docker.NewReference(reference.TagNameOnly(storageRef.DockerReference()))
+	if err != nil {
+		return "", errors.Wrapf(err, "internal error creating docker.Transport reference for %s", storageRef.DockerReference().String())
+	}
+	tags, err := docker.GetRepositoryTags(ctx, systemContext, dockerRef)
+	if err != nil {
+		return "", errors.Wrapf(err, "error getting repository tags")
+	}
+	for _, tag := range tags {
+		tagged, err := reference.WithTag(repo, tag)
 		if err != nil {
-			return "", errors.Wrapf(err, "internal error creating docker.Transport reference for %s", storageRef.DockerReference().String())
+			errs = multierror.Append(errs, err)
+			continue
 		}
-		tags, err := docker.GetRepositoryTags(ctx, systemContext, dockerRef)
+		taggedRef, err := docker.NewReference(tagged)
 		if err != nil {
-			return "", errors.Wrapf(err, "error getting repository tags")
+			return "", errors.Wrapf(err, "internal error creating docker.Transport reference for %s", tagged.String())
 		}
-		for _, tag := range tags {
-			tagged, err := reference.WithTag(repo, tag)
-			if err != nil {
-				errs = multierror.Append(errs, err)
-				continue
+		if options.ReportWriter != nil {
+			if _, err := options.ReportWriter.Write([]byte("Pulling " + tagged.String() + "\n")); err != nil {
+				return "", errors.Wrapf(err, "error writing pull report")
 			}
-			taggedRef, err := docker.NewReference(tagged)
-			if err != nil {
-				return "", errors.Wrapf(err, "internal error creating docker.Transport reference for %s", tagged.String())
-			}
-			if options.ReportWriter != nil {
-				if _, err := options.ReportWriter.Write([]byte("Pulling " + tagged.String() + "\n")); err != nil {
-					return "", errors.Wrapf(err, "error writing pull report")
-				}
-			}
-			ref, err := pullImage(ctx, options.Store, taggedRef, options, systemContext)
-			if err != nil {
-				errs = multierror.Append(errs, err)
-				continue
-			}
-			taggedImg, err := is.Transport.GetStoreImage(options.Store, ref)
-			if err != nil {
-				errs = multierror.Append(errs, err)
-				continue
-			}
-			imageID = taggedImg.ID
 		}
-	} else {
-		imageID = img.ID
-	}
-	if errs == nil {
-		err = nil
-	} else {
-		err = errs.ErrorOrNil()
+		ref, err := pullImage(ctx, options.Store, taggedRef, options, systemContext)
+		if err != nil {
+			errs = multierror.Append(errs, err)
+			continue
+		}
+		taggedImg, err := is.Transport.GetStoreImage(options.Store, ref)
+		if err != nil {
+			errs = multierror.Append(errs, err)
+			continue
+		}
+		imageID = taggedImg.ID
 	}
 
-	return imageID, err
+	return imageID, errs.ErrorOrNil()
 }
 
 func pullImage(ctx context.Context, store storage.Store, srcRef types.ImageReference, options PullOptions, sc *types.SystemContext) (types.ImageReference, error) {
diff --git a/vendor/github.com/containers/buildah/run_linux.go b/vendor/github.com/containers/buildah/run_linux.go
index 3a07407b0..d907941ed 100644
--- a/vendor/github.com/containers/buildah/run_linux.go
+++ b/vendor/github.com/containers/buildah/run_linux.go
@@ -23,6 +23,7 @@ import (
 	"github.com/containernetworking/cni/libcni"
 	"github.com/containers/buildah/bind"
 	"github.com/containers/buildah/chroot"
+	"github.com/containers/buildah/copier"
 	"github.com/containers/buildah/pkg/overlay"
 	"github.com/containers/buildah/pkg/secrets"
 	"github.com/containers/buildah/util"
@@ -165,11 +166,6 @@ func (b *Builder) Run(command []string, options RunOptions) error {
 	spec := g.Config
 	g = nil
 
-	logrus.Debugf("ensuring working directory %q exists", filepath.Join(mountPoint, spec.Process.Cwd))
-	if err = os.MkdirAll(filepath.Join(mountPoint, spec.Process.Cwd), 0755); err != nil && !os.IsExist(err) {
-		return err
-	}
-
 	// Set the seccomp configuration using the specified profile name.  Some syscalls are
 	// allowed if certain capabilities are to be granted (example: CAP_SYS_CHROOT and chroot),
 	// so we sorted out the capabilities lists first.
@@ -184,6 +180,15 @@ func (b *Builder) Run(command []string, options RunOptions) error {
 	}
 	rootIDPair := &idtools.IDPair{UID: int(rootUID), GID: int(rootGID)}
 
+	mode := os.FileMode(0755)
+	coptions := copier.MkdirOptions{
+		ChownNew: rootIDPair,
+		ChmodNew: &mode,
+	}
+	if err := copier.Mkdir(mountPoint, filepath.Join(mountPoint, spec.Process.Cwd), coptions); err != nil {
+		return err
+	}
+
 	bindFiles := make(map[string]string)
 	namespaceOptions := append(b.NamespaceOptions, options.NamespaceOptions...)
 	volumes := b.Volumes()
@@ -1981,7 +1986,6 @@ func (b *Builder) configureEnvironment(g *generate.Generator, options RunOptions
 }
 
 func setupRootlessSpecChanges(spec *specs.Spec, bundleDir string, shmSize string) error {
-	spec.Hostname = ""
 	spec.Process.User.AdditionalGids = nil
 	spec.Linux.Resources = nil
 
@@ -2137,10 +2141,6 @@ func checkAndOverrideIsolationOptions(isolation Isolation, options *RunOptions)
 			logrus.Debugf("Forcing use of a user namespace.")
 		}
 		options.NamespaceOptions.AddOrReplace(NamespaceOption{Name: string(specs.UserNamespace)})
-		if ns := options.NamespaceOptions.Find(string(specs.UTSNamespace)); ns != nil && !ns.Host {
-			logrus.Debugf("Disabling UTS namespace.")
-		}
-		options.NamespaceOptions.AddOrReplace(NamespaceOption{Name: string(specs.UTSNamespace), Host: true})
 	case IsolationOCI:
 		pidns := options.NamespaceOptions.Find(string(specs.PIDNamespace))
 		userns := options.NamespaceOptions.Find(string(specs.UserNamespace))
diff --git a/vendor/github.com/containers/buildah/util/util.go b/vendor/github.com/containers/buildah/util/util.go
index 00efc8d21..99f68d9e1 100644
--- a/vendor/github.com/containers/buildah/util/util.go
+++ b/vendor/github.com/containers/buildah/util/util.go
@@ -12,10 +12,10 @@ import (
 
 	"github.com/containers/common/pkg/config"
 	"github.com/containers/image/v5/docker/reference"
+	"github.com/containers/image/v5/pkg/shortnames"
 	"github.com/containers/image/v5/pkg/sysregistriesv2"
 	"github.com/containers/image/v5/signature"
 	is "github.com/containers/image/v5/storage"
-	"github.com/containers/image/v5/transports"
 	"github.com/containers/image/v5/transports/alltransports"
 	"github.com/containers/image/v5/types"
 	"github.com/containers/storage"
@@ -69,42 +69,10 @@ func ResolveName(name string, firstRegistry string, sc *types.SystemContext, sto
 		}
 	}
 
-	// If the image includes a transport's name as a prefix, use it as-is.
-	if strings.HasPrefix(name, DefaultTransport) {
-		return []string{strings.TrimPrefix(name, DefaultTransport)}, DefaultTransport, false, nil
-	}
-	split := strings.SplitN(name, ":", 2)
-	if StartsWithValidTransport(name) && len(split) == 2 {
-		if trans := transports.Get(split[0]); trans != nil {
-			return []string{split[1]}, trans.Name(), false, nil
-		}
-	}
-	// If the image name already included a domain component, we're done.
-	named, err := reference.ParseNormalizedNamed(name)
-	if err != nil {
-		return nil, "", false, errors.Wrapf(err, "error parsing image name %q", name)
-	}
-	if named.String() == name {
-		// Parsing produced the same result, so there was a domain name in there to begin with.
-		return []string{name}, DefaultTransport, false, nil
-	}
-	if reference.Domain(named) != "" && RegistryDefaultPathPrefix[reference.Domain(named)] != "" {
-		// If this domain can cause us to insert something in the middle, check if that happened.
-		repoPath := reference.Path(named)
-		domain := reference.Domain(named)
-		tag := ""
-		if tagged, ok := named.(reference.Tagged); ok {
-			tag = ":" + tagged.Tag()
-		}
-		digest := ""
-		if digested, ok := named.(reference.Digested); ok {
-			digest = "@" + digested.Digest().String()
-		}
-		defaultPrefix := RegistryDefaultPathPrefix[reference.Domain(named)] + "/"
-		if strings.HasPrefix(repoPath, defaultPrefix) && path.Join(domain, repoPath[len(defaultPrefix):])+tag+digest == name {
-			// Yup, parsing just inserted a bit in the middle, so there was a domain name there to begin with.
-			return []string{name}, DefaultTransport, false, nil
-		}
+	// Transports are not supported for local image look ups.
+	srcRef, err := alltransports.ParseImageName(name)
+	if err == nil {
+		return []string{srcRef.StringWithinTransport()}, srcRef.Transport().Name(), false, nil
 	}
 
 	// Figure out the list of registries.
@@ -126,25 +94,26 @@ func ResolveName(name string, firstRegistry string, sc *types.SystemContext, sto
 	}
 	searchRegistriesAreEmpty := len(registries) == 0
 
-	// Create all of the combinations.  Some registries need an additional component added, so
-	// use our lookaside map to keep track of them.  If there are no configured registries, we'll
-	// return a name using "localhost" as the registry name.
-	candidates := []string{}
-	initRegistries := []string{"localhost"}
+	var candidates []string
+	// Set the first registry if requested.
 	if firstRegistry != "" && firstRegistry != "localhost" {
-		initRegistries = append([]string{firstRegistry}, initRegistries...)
-	}
-	for _, registry := range append(initRegistries, registries...) {
-		if registry == "" {
-			continue
-		}
 		middle := ""
-		if prefix, ok := RegistryDefaultPathPrefix[registry]; ok && !strings.ContainsRune(name, '/') {
+		if prefix, ok := RegistryDefaultPathPrefix[firstRegistry]; ok && !strings.ContainsRune(name, '/') {
 			middle = prefix
 		}
-		candidate := path.Join(registry, middle, name)
+		candidate := path.Join(firstRegistry, middle, name)
 		candidates = append(candidates, candidate)
 	}
+
+	// Local short-name resolution.
+	namedCandidates, err := shortnames.ResolveLocally(sc, name)
+	if err != nil {
+		return nil, "", false, err
+	}
+	for _, named := range namedCandidates {
+		candidates = append(candidates, named.String())
+	}
+
 	return candidates, DefaultTransport, searchRegistriesAreEmpty, nil
 }
 
diff --git a/vendor/github.com/containers/buildah/util/util_linux.go b/vendor/github.com/containers/buildah/util/util_linux.go
index 1a13699df..cca1f9e7e 100644
--- a/vendor/github.com/containers/buildah/util/util_linux.go
+++ b/vendor/github.com/containers/buildah/util/util_linux.go
@@ -1,7 +1,6 @@
 package util
 
 import (
-	"os"
 	"syscall"
 
 	"golang.org/x/sys/unix"
@@ -19,11 +18,3 @@ func IsCgroup2UnifiedMode() (bool, error) {
 	})
 	return isUnified, isUnifiedErr
 }
-
-func UID(st os.FileInfo) int {
-	return int(st.Sys().(*syscall.Stat_t).Uid)
-}
-
-func GID(st os.FileInfo) int {
-	return int(st.Sys().(*syscall.Stat_t).Gid)
-}
diff --git a/vendor/github.com/containers/buildah/util/util_unix.go b/vendor/github.com/containers/buildah/util/util_unix.go
index 04d9a01cc..29983e40f 100644
--- a/vendor/github.com/containers/buildah/util/util_unix.go
+++ b/vendor/github.com/containers/buildah/util/util_unix.go
@@ -29,3 +29,11 @@ func (h *HardlinkChecker) Add(fi os.FileInfo, name string) {
 		h.hardlinks.Store(makeHardlinkDeviceAndInode(st), name)
 	}
 }
+
+func UID(st os.FileInfo) int {
+	return int(st.Sys().(*syscall.Stat_t).Uid)
+}
+
+func GID(st os.FileInfo) int {
+	return int(st.Sys().(*syscall.Stat_t).Gid)
+}
diff --git a/vendor/github.com/containers/buildah/util/util_unsupported.go b/vendor/github.com/containers/buildah/util/util_unsupported.go
index 8810536a6..05a68f60b 100644
--- a/vendor/github.com/containers/buildah/util/util_unsupported.go
+++ b/vendor/github.com/containers/buildah/util/util_unsupported.go
@@ -2,19 +2,7 @@
 
 package util
 
-import (
-	"os"
-)
-
 // IsCgroup2UnifiedMode returns whether we are running in cgroup 2 cgroup2 mode.
 func IsCgroup2UnifiedMode() (bool, error) {
 	return false, nil
 }
-
-func UID(st os.FileInfo) int {
-	return 0
-}
-
-func GID(st os.FileInfo) int {
-	return 0
-}
diff --git a/vendor/github.com/containers/buildah/util/util_windows.go b/vendor/github.com/containers/buildah/util/util_windows.go
index 0e7f92325..18965ab17 100644
--- a/vendor/github.com/containers/buildah/util/util_windows.go
+++ b/vendor/github.com/containers/buildah/util/util_windows.go
@@ -14,3 +14,11 @@ func (h *HardlinkChecker) Check(fi os.FileInfo) string {
 }
 func (h *HardlinkChecker) Add(fi os.FileInfo, name string) {
 }
+
+func UID(st os.FileInfo) int {
+	return 0
+}
+
+func GID(st os.FileInfo) int {
+	return 0
+}