When checking that certain directories are masked, treat the
readable-but-empty case as acceptable, as before, and now also accept
the actually-unreadable case, which can happen with crun 1.24.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
v28.3.3
Bump c/common to v0.64.2, docker/docker to v28.3.3, and
ulikunitz/xz to v0.5.12.
This is in preparation for Podman v5.6.1 and to also clear
CVE-2025-58058 and to be ultra cautious about CVE-2025-54388.
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
Fall back to creating a new builder with it if MountImage() fails on the
base image, because when the store is configured with its "imagestore"
option, that can happen.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Bump to Buildah v1.41.2 in order to get some last minute
fixes for a breaking change into Podman v5.6.0.
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
After narrowing down the list of parent directories which we might need
to exclude to those which are present in the base image, filter them out
of the layer diff as it is generated.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Add a note that we need a test binary built for the sake of a few
conformance tests, for people who run the conformance tests directly
instead of using the top-level makefile target.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When generating archives, clear user and group names to keep up with
recent changes to the storage library.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When we look up a stage that's referred to in a COPY --from argument,
treat the string as a stage number not only if it parses as one, as we
checked before, but now also require that the number correspond to one
of the stages that would be completed before the one into which the
content will be copied.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
This bumps the following projects:
c/storage v1.59.1
c/image v5.36.1
c/common v0.64.1
and then Buildah to v1.41.1
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
and ChangeTime
When generating a checksum for files mounted into a container via
`--mount=type=bind`, ignore their `ModTime`, `AccessTime` and
`ChangeTime` so we can maintain cache burst consistency with the `COPY`
command.
Closes: https://github.com/containers/buildah/issues/6291
Signed-off-by: flouthoc <flouthoc.git@gmail.com>
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
Make the history created-by field note when a label was unset, or if
one of the CLI flags that modify the timestamps in the layer was
used, so that the cache evaluation logic can factor that into account.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Treat the five optional bool flags as optional bool values, allowing for
them to not be set if they weren't explicitly given on the command line.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When suppressing what we think are pulled-up directories at commit-time,
only do that when we're _not_ squashing the image, in which case we
really do need to output it into the one layer that our output image
will have.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Add a test that causes parent directories of mount targets to be "pulled
up" if we're running on top of overlay in a situation where its native
diff method is available, and ensure that we can still avoid adding
those directories to the committed layer when we're the only reason they
were pulled up.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When Ensure() tells us about the parent directories of a mountpoint
target that it created for us, add them to the list of items that we'll
exclude from the commit unless something else causes them to be
modified.
The "native" overlay diff method just walks the diff directory, so we
can get directories in the committed layer that look exactly like the
ones in the previous layer, depending on the storage driver. And while
it's barely noticeable, we can still control for it.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Have Ensure() also return the parent directories of items that it
created, along with information about them that can be used to filter
them out of the layer at commit-time.
This modifies the signature of Ensure(), but it was added in 1.41.0, and
shouldn't (yet) have any external users.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Add an optional ModTimeNew field to MkdirOptions, for setting the
timestamp on newly-created directories. Note that the timestamps on
parent directories of the topmost newly-created directories are not
something we affect, so they'll be updated as usual.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Now the bud --help output correctly reads that the default behavior when
--pull is not provided at all is "missing", and that the default value
for --pull if explicitly provided but without value is "always".
Fixes #6266.
Signed-off-by: Romain Geissler <romain.geissler@amadeus.com>
... c/common v0.64.0
Bump to c/storage v1.59.0, c/image to v5.36.0, and
c/common to v0.64.0 in preparation for Buildah v1.41.0 and
Podman v5.6.0
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
When building images for a `manifest` list using `--platform`, the same image
is used for multiple platforms if the base is `scratch`. The following PR adds a
check to always verify the `platform` of the `cache` with the `target`.
Closes: https://github.com/containers/podman/issues/18723
Signed-off-by: flouthoc <flouthoc.git@gmail.com>