import buildah-1.11.6-8.module+el8.3.0+8233+627fbb78

.buildah.metadata

@@ -0,0 +1 @@
+da35ceecbee25d37313869956f602161fc282153 SOURCES/buildah-9513cb8.tar.gz

.gitignore

@@ -0,0 +1 @@
+SOURCES/buildah-9513cb8.tar.gz

SOURCES/1996.patch

@@ -0,0 +1,153 @@
+From f09346578021c12069b6deb9487a1462b8d28a83 Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai <nalin@redhat.com>
+Date: Thu, 21 Nov 2019 15:32:41 -0500
+Subject: [PATCH 1/3] bind: don't complain about missing mountpoints
+
+When we go to unmount a tree of mounts, if one of the directories isn't
+there, instead of returning an error as before, log a debug message and
+keep going.
+
+Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
+---
+ bind/mount.go | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/bind/mount.go b/bind/mount.go
+index e1ae323b9..adde901fd 100644
+--- a/bind/mount.go
++++ b/bind/mount.go
+@@ -264,6 +264,10 @@ func UnmountMountpoints(mountpoint string, mountpointsToRemove []string) error {
+ 		mount := getMountByID(id)
+ 		// check if this mountpoint is mounted
+ 		if err := unix.Lstat(mount.Mountpoint, &st); err != nil {
++			if os.IsNotExist(err) {
++				logrus.Debugf("mountpoint %q is not present(?), skipping", mount.Mountpoint)
++				continue
++			}
+ 			return errors.Wrapf(err, "error checking if %q is mounted", mount.Mountpoint)
+ 		}
+ 		if mount.Major != int(unix.Major(st.Dev)) || mount.Minor != int(unix.Minor(st.Dev)) {
+
+From c5fb681a6082b78c422eb3531667dc6d607a9355 Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai <nalin@redhat.com>
+Date: Fri, 22 Nov 2019 14:22:26 -0500
+Subject: [PATCH 2/3] chroot: Unmount with MNT_DETACH instead of
+ UnmountMountpoints()
+
+Unmounting the rootfs with MNT_DETACH should unmount everything below
+it, so we don't need to use the more exhaustive method that our bind
+package uses for its bind mounts.
+
+Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
+---
+ chroot/run.go | 25 +++++++++++++++----------
+ 1 file changed, 15 insertions(+), 10 deletions(-)
+
+diff --git a/chroot/run.go b/chroot/run.go
+index fbccbcdb0..76ac78d1f 100644
+--- a/chroot/run.go
++++ b/chroot/run.go
+@@ -15,6 +15,7 @@ import (
+ 	"strings"
+ 	"sync"
+ 	"syscall"
++	"time"
+ 	"unsafe"
+ 
+ 	"github.com/containers/buildah/bind"
+@@ -1002,12 +1003,19 @@ func isDevNull(dev os.FileInfo) bool {
+ // callback that will clean up its work.
+ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func() error, err error) {
+ 	var fs unix.Statfs_t
+-	removes := []string{}
+ 	undoBinds = func() error {
+-		if err2 := bind.UnmountMountpoints(spec.Root.Path, removes); err2 != nil {
+-			logrus.Warnf("pkg/chroot: error unmounting %q: %v", spec.Root.Path, err2)
+-			if err == nil {
+-				err = err2
++		if err2 := unix.Unmount(spec.Root.Path, unix.MNT_DETACH); err2 != nil {
++			retries := 0
++			for (err2 == unix.EBUSY || err2 == unix.EAGAIN) && retries < 50 {
++				time.Sleep(50 * time.Millisecond)
++				err2 = unix.Unmount(spec.Root.Path, unix.MNT_DETACH)
++				retries++
++			}
++			if err2 != nil {
++				logrus.Warnf("pkg/chroot: error unmounting %q (retried %d times): %v", spec.Root.Path, retries, err2)
++				if err == nil {
++					err = err2
++				}
+ 			}
+ 		}
+ 		return err
+@@ -1096,6 +1104,7 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
+ 	// Add /sys/fs/selinux to the set of masked paths, to ensure that we don't have processes
+ 	// attempting to interact with labeling, when they aren't allowed to do so.
+ 	spec.Linux.MaskedPaths = append(spec.Linux.MaskedPaths, "/sys/fs/selinux")
++
+ 	// Bind mount in everything we've been asked to mount.
+ 	for _, m := range spec.Mounts {
+ 		// Skip anything that we just mounted.
+@@ -1141,13 +1150,11 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
+ 			if !os.IsNotExist(err) {
+ 				return undoBinds, errors.Wrapf(err, "error examining %q for mounting in mount namespace", target)
+ 			}
+-			// The target isn't there yet, so create it, and make a
+-			// note to remove it later.
++			// The target isn't there yet, so create it.
+ 			if srcinfo.IsDir() {
+ 				if err = os.MkdirAll(target, 0111); err != nil {
+ 					return undoBinds, errors.Wrapf(err, "error creating mountpoint %q in mount namespace", target)
+ 				}
+-				removes = append(removes, target)
+ 			} else {
+ 				if err = os.MkdirAll(filepath.Dir(target), 0111); err != nil {
+ 					return undoBinds, errors.Wrapf(err, "error ensuring parent of mountpoint %q (%q) is present in mount namespace", target, filepath.Dir(target))
+@@ -1157,7 +1164,6 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
+ 					return undoBinds, errors.Wrapf(err, "error creating mountpoint %q in mount namespace", target)
+ 				}
+ 				file.Close()
+-				removes = append(removes, target)
+ 			}
+ 		}
+ 		requestFlags := bindFlags
+@@ -1266,7 +1272,6 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
+ 		if err := os.Mkdir(roEmptyDir, 0700); err != nil {
+ 			return undoBinds, errors.Wrapf(err, "error creating empty directory %q", roEmptyDir)
+ 		}
+-		removes = append(removes, roEmptyDir)
+ 	}
+ 
+ 	// Set up any masked paths that we need to.  If we're running inside of
+
+From ec1be6a51941e10b5316c911ef97c88940f7c095 Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai <nalin@redhat.com>
+Date: Fri, 22 Nov 2019 14:52:25 -0500
+Subject: [PATCH 3/3] overlay.bats typo: fuse-overlays should be fuse-overlayfs
+
+Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
+---
+ tests/overlay.bats | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tests/overlay.bats b/tests/overlay.bats
+index 04056f680..7cc2d0c62 100644
+--- a/tests/overlay.bats
++++ b/tests/overlay.bats
+@@ -3,14 +3,14 @@
+ load helpers
+ 
+ @test "overlay specific level" {
+-  if test \! -e /usr/bin/fuse-overlays -a  "$BUILDAH_ISOLATION" = "rootless"; then
++  if test \! -e /usr/bin/fuse-overlayfs -a "$BUILDAH_ISOLATION" = "rootless"; then
+     skip "BUILDAH_ISOLATION = $BUILDAH_ISOLATION" and no /usr/bin/fuse-overlayfs present
+   fi
+   image=alpine
+   mkdir ${TESTDIR}/lower
+   touch ${TESTDIR}/lower/foo
+ 
+-cid=$(buildah --log-level=error from -v ${TESTDIR}/lower:/lower:O --quiet --signature-policy ${TESTSDIR}/policy.json $image)
++  cid=$(buildah --log-level=error from -v ${TESTDIR}/lower:/lower:O --quiet --signature-policy ${TESTSDIR}/policy.json $image)
+ 
+   # This should succeed
+   run_buildah --log-level=error run $cid ls /lower/foo

SOURCES/2031.patch

@@ -0,0 +1,147 @@
+From fb7d2b6bd6a16ffdbe4a69428e3ba5b487719e78 Mon Sep 17 00:00:00 2001
+From: Daniel J Walsh <dwalsh@redhat.com>
+Date: Tue, 17 Dec 2019 15:24:29 -0500
+Subject: [PATCH] Add support for FIPS-Mode backends
+
+If host is running in fips mode, then RHEL8.2 and beyond container images
+will come with a directory /usr/share/crypto-policies/back-ends/FIPS.
+This directory needs to be bind mounted over /etc/crypto-policies/back-ends in
+order to make all tools in the container follow the FIPS Mode rules.
+
+Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
+---
+ pkg/secrets/secrets.go | 48 +++++++++++++++++++++++++++++++++---------
+ run_linux.go           |  2 +-
+ 2 files changed, 39 insertions(+), 11 deletions(-)
+
+diff --git a/pkg/secrets/secrets.go b/pkg/secrets/secrets.go
+index 80ca05016..ee2e9a7c8 100644
+--- a/pkg/secrets/secrets.go
++++ b/pkg/secrets/secrets.go
+@@ -148,12 +148,21 @@ func getMountsMap(path string) (string, string, error) {
+ }
+ 
+ // SecretMounts copies, adds, and mounts the secrets to the container root filesystem
++// Deprecated, Please use SecretMountWithUIDGID
+ func SecretMounts(mountLabel, containerWorkingDir, mountFile string, rootless, disableFips bool) []rspec.Mount {
+ 	return SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, containerWorkingDir, 0, 0, rootless, disableFips)
+ }
+ 
+-// SecretMountsWithUIDGID specifies the uid/gid of the owner
+-func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPrefix string, uid, gid int, rootless, disableFips bool) []rspec.Mount {
++// SecretMountsWithUIDGID copies, adds, and mounts the secrets to the container root filesystem
++// mountLabel: MAC/SELinux label for container content
++// containerWorkingDir: Private data for storing secrets on the host mounted in container.
++// mountFile: Additional mount points required for the container.
++// mountPoint: Container image mountpoint
++// uid: to assign to content created for secrets
++// gid: to assign to content created for secrets
++// rootless: indicates whether container is running in rootless mode
++// disableFips: indicates whether system should ignore fips mode
++func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPoint string, uid, gid int, rootless, disableFips bool) []rspec.Mount {
+ 	var (
+ 		secretMounts []rspec.Mount
+ 		mountFiles   []string
+@@ -171,7 +180,7 @@ func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPre
+ 	}
+ 	for _, file := range mountFiles {
+ 		if _, err := os.Stat(file); err == nil {
+-			mounts, err := addSecretsFromMountsFile(file, mountLabel, containerWorkingDir, mountPrefix, uid, gid)
++			mounts, err := addSecretsFromMountsFile(file, mountLabel, containerWorkingDir, uid, gid)
+ 			if err != nil {
+ 				logrus.Warnf("error mounting secrets, skipping entry in %s: %v", file, err)
+ 			}
+@@ -187,7 +196,7 @@ func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPre
+ 	// Add FIPS mode secret if /etc/system-fips exists on the host
+ 	_, err := os.Stat("/etc/system-fips")
+ 	if err == nil {
+-		if err := addFIPSModeSecret(&secretMounts, containerWorkingDir, mountPrefix, mountLabel, uid, gid); err != nil {
++		if err := addFIPSModeSecret(&secretMounts, containerWorkingDir, mountPoint, mountLabel, uid, gid); err != nil {
+ 			logrus.Errorf("error adding FIPS mode secret to container: %v", err)
+ 		}
+ 	} else if os.IsNotExist(err) {
+@@ -206,7 +215,7 @@ func rchown(chowndir string, uid, gid int) error {
+ 
+ // addSecretsFromMountsFile copies the contents of host directory to container directory
+ // and returns a list of mounts
+-func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPrefix string, uid, gid int) ([]rspec.Mount, error) {
++func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir string, uid, gid int) ([]rspec.Mount, error) {
+ 	var mounts []rspec.Mount
+ 	defaultMountsPaths := getMounts(filePath)
+ 	for _, path := range defaultMountsPaths {
+@@ -285,7 +294,7 @@ func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPr
+ 		}
+ 
+ 		m := rspec.Mount{
+-			Source:      filepath.Join(mountPrefix, ctrDirOrFile),
++			Source:      ctrDirOrFileOnHost,
+ 			Destination: ctrDirOrFile,
+ 			Type:        "bind",
+ 			Options:     []string{"bind", "rprivate"},
+@@ -300,15 +309,15 @@ func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPr
+ // root filesystem if /etc/system-fips exists on hosts.
+ // This enables the container to be FIPS compliant and run openssl in
+ // FIPS mode as the host is also in FIPS mode.
+-func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPrefix, mountLabel string, uid, gid int) error {
++func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPoint, mountLabel string, uid, gid int) error {
+ 	secretsDir := "/run/secrets"
+ 	ctrDirOnHost := filepath.Join(containerWorkingDir, secretsDir)
+ 	if _, err := os.Stat(ctrDirOnHost); os.IsNotExist(err) {
+ 		if err = idtools.MkdirAllAs(ctrDirOnHost, 0755, uid, gid); err != nil {
+-			return errors.Wrapf(err, "making container directory on host failed")
++			return errors.Wrapf(err, "making container directory %q on host failed", ctrDirOnHost)
+ 		}
+ 		if err = label.Relabel(ctrDirOnHost, mountLabel, false); err != nil {
+-			return errors.Wrap(err, "error applying correct labels")
++			return errors.Wrapf(err, "error applying correct labels on %q", ctrDirOnHost)
+ 		}
+ 	}
+ 	fipsFile := filepath.Join(ctrDirOnHost, "system-fips")
+@@ -323,7 +332,7 @@ func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPrefix,
+ 
+ 	if !mountExists(*mounts, secretsDir) {
+ 		m := rspec.Mount{
+-			Source:      filepath.Join(mountPrefix, secretsDir),
++			Source:      ctrDirOnHost,
+ 			Destination: secretsDir,
+ 			Type:        "bind",
+ 			Options:     []string{"bind", "rprivate"},
+@@ -331,6 +340,25 @@ func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPrefix,
+ 		*mounts = append(*mounts, m)
+ 	}
+ 
++	srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS"
++	destDir := "/etc/crypto-policies/back-ends"
++	srcOnHost := filepath.Join(mountPoint, srcBackendDir)
++	if _, err := os.Stat(srcOnHost); err != nil {
++		if os.IsNotExist(err) {
++			return nil
++		}
++		return errors.Wrapf(err, "failed to stat FIPS Backend directory %q", ctrDirOnHost)
++	}
++
++	if !mountExists(*mounts, destDir) {
++		m := rspec.Mount{
++			Source:      srcOnHost,
++			Destination: destDir,
++			Type:        "bind",
++			Options:     []string{"bind", "rprivate"},
++		}
++		*mounts = append(*mounts, m)
++	}
+ 	return nil
+ }
+ 
+diff --git a/run_linux.go b/run_linux.go
+index 4c2d73edd..c8e75eada 100644
+--- a/run_linux.go
++++ b/run_linux.go
+@@ -460,7 +460,7 @@ func (b *Builder) setupMounts(mountPoint string, spec *specs.Spec, bundlePath st
+ 	}
+ 
+ 	// Get the list of secrets mounts.
+-	secretMounts := secrets.SecretMountsWithUIDGID(b.MountLabel, cdir, b.DefaultMountsFilePath, cdir, int(rootUID), int(rootGID), unshare.IsRootless(), false)
++	secretMounts := secrets.SecretMountsWithUIDGID(b.MountLabel, cdir, b.DefaultMountsFilePath, mountPoint, int(rootUID), int(rootGID), unshare.IsRootless(), false)
+ 
+ 	// Add temporary copies of the contents of volume locations at the
+ 	// volume locations, unless we already have something there.

SOURCES/CVE-2020-1702-1801930.patch

@@ -0,0 +1,390 @@
+From be1eb6f70fb40e45096b69aeb048d54c526a4a8f Mon Sep 17 00:00:00 2001
+From: Valentin Rothberg <rothberg@redhat.com>
+Date: Thu, 6 Feb 2020 09:49:15 +0100
+Subject: [PATCH] [1.11-rhel] update github.com/containers/image
+
+Note that this includes fixes for
+https://access.redhat.com/security/cve/CVE-2020-1702.
+
+Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
+---
+ go.mod                                        |  2 +-
+ go.sum                                        |  2 +
+ .../image/v5/docker/docker_client.go          |  6 +-
+ .../image/v5/docker/docker_image_dest.go      |  3 +-
+ .../image/v5/docker/docker_image_src.go       | 10 ++--
+ .../image/v5/docker/tarfile/dest.go           |  3 +-
+ .../containers/image/v5/docker/tarfile/src.go |  9 +--
+ .../image/v5/image/docker_schema2.go          |  4 +-
+ .../containers/image/v5/image/oci.go          |  4 +-
+ .../image/v5/internal/iolimits/iolimits.go    | 60 +++++++++++++++++++
+ .../image/v5/openshift/openshift.go           |  4 +-
+ vendor/modules.txt                            |  3 +-
+ 12 files changed, 89 insertions(+), 21 deletions(-)
+ create mode 100644 vendor/github.com/containers/image/v5/internal/iolimits/iolimits.go
+
+diff --git a/go.mod b/go.mod
+index 684b00ff5..b94792238 100644
+--- a/go.mod
++++ b/go.mod
+@@ -5,7 +5,7 @@ go 1.12
+ require (
+ 	github.com/blang/semver v3.5.0+incompatible // indirect
+ 	github.com/containernetworking/cni v0.7.1
+-	github.com/containers/image/v5 v5.0.0
++	github.com/containers/image/v5 v5.0.1-0.20200205124631-82291c45f2b0
+ 	github.com/containers/storage v1.14.0
+ 	github.com/cyphar/filepath-securejoin v0.2.2
+ 	github.com/docker/distribution v2.7.1+incompatible
+diff --git a/go.sum b/go.sum
+index 1cce3ff7e..ef8729952 100644
+--- a/go.sum
++++ b/go.sum
+@@ -54,6 +54,8 @@ github.com/containers/image/v4 v4.0.1 h1:idNGHChj0Pyv3vLrxul2oSVMZLeFqpoq3CjLeVg
+ github.com/containers/image/v4 v4.0.1/go.mod h1:0ASJH1YgJiX/eqFZObqepgsvIA4XjCgpyfwn9pDGafA=
+ github.com/containers/image/v5 v5.0.0 h1:arnXgbt1ucsC/ndtSpiQY87rA0UjhF+/xQnPzqdBDn4=
+ github.com/containers/image/v5 v5.0.0/go.mod h1:MgiLzCfIeo8lrHi+4Lb8HP+rh513sm0Mlk6RrhjFOLY=
++github.com/containers/image/v5 v5.0.1-0.20200205124631-82291c45f2b0 h1:iV4aHKRoPcHp5BISsuiPMyaCjGJfLKp/FUMAG1NeqvE=
++github.com/containers/image/v5 v5.0.1-0.20200205124631-82291c45f2b0/go.mod h1:MgiLzCfIeo8lrHi+4Lb8HP+rh513sm0Mlk6RrhjFOLY=
+ github.com/containers/libtrust v0.0.0-20190913040956-14b96171aa3b h1:Q8ePgVfHDplZ7U33NwHZkrVELsZP5fYj9pM5WBZB2GE=
+ github.com/containers/libtrust v0.0.0-20190913040956-14b96171aa3b/go.mod h1:9rfv8iPl1ZP7aqh9YA68wnZv2NUDbXdcdPHVz0pFbPY=
+ github.com/containers/storage v1.13.4 h1:j0bBaJDKbUHtAW1MXPFnwXJtqcH+foWeuXK1YaBV5GA=
+diff --git a/vendor/github.com/containers/image/v5/docker/docker_client.go b/vendor/github.com/containers/image/v5/docker/docker_client.go
+index 0b012c703..bff077a40 100644
+--- a/vendor/github.com/containers/image/v5/docker/docker_client.go
++++ b/vendor/github.com/containers/image/v5/docker/docker_client.go
+@@ -6,7 +6,6 @@ import (
+ 	"encoding/json"
+ 	"fmt"
+ 	"io"
+-	"io/ioutil"
+ 	"net/http"
+ 	"net/url"
+ 	"os"
+@@ -17,6 +16,7 @@ import (
+ 	"time"
+ 
+ 	"github.com/containers/image/v5/docker/reference"
++	"github.com/containers/image/v5/internal/iolimits"
+ 	"github.com/containers/image/v5/pkg/docker/config"
+ 	"github.com/containers/image/v5/pkg/sysregistriesv2"
+ 	"github.com/containers/image/v5/pkg/tlsclientconfig"
+@@ -597,7 +597,7 @@ func (c *dockerClient) getBearerToken(ctx context.Context, challenge challenge,
+ 	default:
+ 		return nil, errors.Errorf("unexpected http code: %d (%s), URL: %s", res.StatusCode, http.StatusText(res.StatusCode), authReq.URL)
+ 	}
+-	tokenBlob, err := ioutil.ReadAll(res.Body)
++	tokenBlob, err := iolimits.ReadAtMost(res.Body, iolimits.MaxAuthTokenBodySize)
+ 	if err != nil {
+ 		return nil, err
+ 	}
+@@ -690,7 +690,7 @@ func (c *dockerClient) getExtensionsSignatures(ctx context.Context, ref dockerRe
+ 		return nil, errors.Wrapf(clientLib.HandleErrorResponse(res), "Error downloading signatures for %s in %s", manifestDigest, ref.ref.Name())
+ 	}
+ 
+-	body, err := ioutil.ReadAll(res.Body)
++	body, err := iolimits.ReadAtMost(res.Body, iolimits.MaxSignatureListBodySize)
+ 	if err != nil {
+ 		return nil, err
+ 	}
+diff --git a/vendor/github.com/containers/image/v5/docker/docker_image_dest.go b/vendor/github.com/containers/image/v5/docker/docker_image_dest.go
+index 417d97aec..ce8a1f357 100644
+--- a/vendor/github.com/containers/image/v5/docker/docker_image_dest.go
++++ b/vendor/github.com/containers/image/v5/docker/docker_image_dest.go
+@@ -15,6 +15,7 @@ import (
+ 	"strings"
+ 
+ 	"github.com/containers/image/v5/docker/reference"
++	"github.com/containers/image/v5/internal/iolimits"
+ 	"github.com/containers/image/v5/manifest"
+ 	"github.com/containers/image/v5/pkg/blobinfocache/none"
+ 	"github.com/containers/image/v5/types"
+@@ -620,7 +621,7 @@ sigExists:
+ 		}
+ 		defer res.Body.Close()
+ 		if res.StatusCode != http.StatusCreated {
+-			body, err := ioutil.ReadAll(res.Body)
++			body, err := iolimits.ReadAtMost(res.Body, iolimits.MaxErrorBodySize)
+ 			if err == nil {
+ 				logrus.Debugf("Error body %s", string(body))
+ 			}
+diff --git a/vendor/github.com/containers/image/v5/docker/docker_image_src.go b/vendor/github.com/containers/image/v5/docker/docker_image_src.go
+index 35beb30e5..5436d9b7d 100644
+--- a/vendor/github.com/containers/image/v5/docker/docker_image_src.go
++++ b/vendor/github.com/containers/image/v5/docker/docker_image_src.go
+@@ -12,6 +12,7 @@ import (
+ 	"strconv"
+ 
+ 	"github.com/containers/image/v5/docker/reference"
++	"github.com/containers/image/v5/internal/iolimits"
+ 	"github.com/containers/image/v5/manifest"
+ 	"github.com/containers/image/v5/pkg/sysregistriesv2"
+ 	"github.com/containers/image/v5/types"
+@@ -156,7 +157,8 @@ func (s *dockerImageSource) fetchManifest(ctx context.Context, tagOrDigest strin
+ 	if res.StatusCode != http.StatusOK {
+ 		return nil, "", errors.Wrapf(client.HandleErrorResponse(res), "Error reading manifest %s in %s", tagOrDigest, s.ref.ref.Name())
+ 	}
+-	manblob, err := ioutil.ReadAll(res.Body)
++
++	manblob, err := iolimits.ReadAtMost(res.Body, iolimits.MaxManifestBodySize)
+ 	if err != nil {
+ 		return nil, "", err
+ 	}
+@@ -342,7 +344,7 @@ func (s *dockerImageSource) getOneSignature(ctx context.Context, url *url.URL) (
+ 		} else if res.StatusCode != http.StatusOK {
+ 			return nil, false, errors.Errorf("Error reading signature from %s: status %d (%s)", url.String(), res.StatusCode, http.StatusText(res.StatusCode))
+ 		}
+-		sig, err := ioutil.ReadAll(res.Body)
++		sig, err := iolimits.ReadAtMost(res.Body, iolimits.MaxSignatureBodySize)
+ 		if err != nil {
+ 			return nil, false, err
+ 		}
+@@ -401,7 +403,7 @@ func deleteImage(ctx context.Context, sys *types.SystemContext, ref dockerRefere
+ 		return err
+ 	}
+ 	defer get.Body.Close()
+-	manifestBody, err := ioutil.ReadAll(get.Body)
++	manifestBody, err := iolimits.ReadAtMost(get.Body, iolimits.MaxManifestBodySize)
+ 	if err != nil {
+ 		return err
+ 	}
+@@ -424,7 +426,7 @@ func deleteImage(ctx context.Context, sys *types.SystemContext, ref dockerRefere
+ 	}
+ 	defer delete.Body.Close()
+ 
+-	body, err := ioutil.ReadAll(delete.Body)
++	body, err := iolimits.ReadAtMost(delete.Body, iolimits.MaxErrorBodySize)
+ 	if err != nil {
+ 		return err
+ 	}
+diff --git a/vendor/github.com/containers/image/v5/docker/tarfile/dest.go b/vendor/github.com/containers/image/v5/docker/tarfile/dest.go
+index b02c60bb3..9748ca112 100644
+--- a/vendor/github.com/containers/image/v5/docker/tarfile/dest.go
++++ b/vendor/github.com/containers/image/v5/docker/tarfile/dest.go
+@@ -13,6 +13,7 @@ import (
+ 	"time"
+ 
+ 	"github.com/containers/image/v5/docker/reference"
++	"github.com/containers/image/v5/internal/iolimits"
+ 	"github.com/containers/image/v5/internal/tmpdir"
+ 	"github.com/containers/image/v5/manifest"
+ 	"github.com/containers/image/v5/types"
+@@ -135,7 +136,7 @@ func (d *Destination) PutBlob(ctx context.Context, stream io.Reader, inputInfo t
+ 	}
+ 
+ 	if isConfig {
+-		buf, err := ioutil.ReadAll(stream)
++		buf, err := iolimits.ReadAtMost(stream, iolimits.MaxConfigBodySize)
+ 		if err != nil {
+ 			return types.BlobInfo{}, errors.Wrap(err, "Error reading Config file stream")
+ 		}
+diff --git a/vendor/github.com/containers/image/v5/docker/tarfile/src.go b/vendor/github.com/containers/image/v5/docker/tarfile/src.go
+index ad0a3d2cb..bbf604da6 100644
+--- a/vendor/github.com/containers/image/v5/docker/tarfile/src.go
++++ b/vendor/github.com/containers/image/v5/docker/tarfile/src.go
+@@ -11,6 +11,7 @@ import (
+ 	"path"
+ 	"sync"
+ 
++	"github.com/containers/image/v5/internal/iolimits"
+ 	"github.com/containers/image/v5/internal/tmpdir"
+ 	"github.com/containers/image/v5/manifest"
+ 	"github.com/containers/image/v5/pkg/compression"
+@@ -187,13 +188,13 @@ func findTarComponent(inputFile io.Reader, path string) (*tar.Reader, *tar.Heade
+ }
+ 
+ // readTarComponent returns full contents of componentPath.
+-func (s *Source) readTarComponent(path string) ([]byte, error) {
++func (s *Source) readTarComponent(path string, limit int) ([]byte, error) {
+ 	file, err := s.openTarComponent(path)
+ 	if err != nil {
+ 		return nil, errors.Wrapf(err, "Error loading tar component %s", path)
+ 	}
+ 	defer file.Close()
+-	bytes, err := ioutil.ReadAll(file)
++	bytes, err := iolimits.ReadAtMost(file, limit)
+ 	if err != nil {
+ 		return nil, err
+ 	}
+@@ -224,7 +225,7 @@ func (s *Source) ensureCachedDataIsPresentPrivate() error {
+ 	}
+ 
+ 	// Read and parse config.
+-	configBytes, err := s.readTarComponent(tarManifest[0].Config)
++	configBytes, err := s.readTarComponent(tarManifest[0].Config, iolimits.MaxConfigBodySize)
+ 	if err != nil {
+ 		return err
+ 	}
+@@ -250,7 +251,7 @@ func (s *Source) ensureCachedDataIsPresentPrivate() error {
+ // loadTarManifest loads and decodes the manifest.json.
+ func (s *Source) loadTarManifest() ([]ManifestItem, error) {
+ 	// FIXME? Do we need to deal with the legacy format?
+-	bytes, err := s.readTarComponent(manifestFileName)
++	bytes, err := s.readTarComponent(manifestFileName, iolimits.MaxTarFileManifestSize)
+ 	if err != nil {
+ 		return nil, err
+ 	}
+diff --git a/vendor/github.com/containers/image/v5/image/docker_schema2.go b/vendor/github.com/containers/image/v5/image/docker_schema2.go
+index 254c13f78..29c5047d7 100644
+--- a/vendor/github.com/containers/image/v5/image/docker_schema2.go
++++ b/vendor/github.com/containers/image/v5/image/docker_schema2.go
+@@ -7,10 +7,10 @@ import (
+ 	"encoding/hex"
+ 	"encoding/json"
+ 	"fmt"
+-	"io/ioutil"
+ 	"strings"
+ 
+ 	"github.com/containers/image/v5/docker/reference"
++	"github.com/containers/image/v5/internal/iolimits"
+ 	"github.com/containers/image/v5/manifest"
+ 	"github.com/containers/image/v5/pkg/blobinfocache/none"
+ 	"github.com/containers/image/v5/types"
+@@ -102,7 +102,7 @@ func (m *manifestSchema2) ConfigBlob(ctx context.Context) ([]byte, error) {
+ 			return nil, err
+ 		}
+ 		defer stream.Close()
+-		blob, err := ioutil.ReadAll(stream)
++		blob, err := iolimits.ReadAtMost(stream, iolimits.MaxConfigBodySize)
+ 		if err != nil {
+ 			return nil, err
+ 		}
+diff --git a/vendor/github.com/containers/image/v5/image/oci.go b/vendor/github.com/containers/image/v5/image/oci.go
+index 18a38d463..406da262f 100644
+--- a/vendor/github.com/containers/image/v5/image/oci.go
++++ b/vendor/github.com/containers/image/v5/image/oci.go
+@@ -4,9 +4,9 @@ import (
+ 	"context"
+ 	"encoding/json"
+ 	"fmt"
+-	"io/ioutil"
+ 
+ 	"github.com/containers/image/v5/docker/reference"
++	"github.com/containers/image/v5/internal/iolimits"
+ 	"github.com/containers/image/v5/manifest"
+ 	"github.com/containers/image/v5/pkg/blobinfocache/none"
+ 	"github.com/containers/image/v5/types"
+@@ -67,7 +67,7 @@ func (m *manifestOCI1) ConfigBlob(ctx context.Context) ([]byte, error) {
+ 			return nil, err
+ 		}
+ 		defer stream.Close()
+-		blob, err := ioutil.ReadAll(stream)
++		blob, err := iolimits.ReadAtMost(stream, iolimits.MaxConfigBodySize)
+ 		if err != nil {
+ 			return nil, err
+ 		}
+diff --git a/vendor/github.com/containers/image/v5/internal/iolimits/iolimits.go b/vendor/github.com/containers/image/v5/internal/iolimits/iolimits.go
+new file mode 100644
+index 000000000..3fed1995c
+--- /dev/null
++++ b/vendor/github.com/containers/image/v5/internal/iolimits/iolimits.go
+@@ -0,0 +1,60 @@
++package iolimits
++
++import (
++	"io"
++	"io/ioutil"
++
++	"github.com/pkg/errors"
++)
++
++// All constants below are intended to be used as limits for `ReadAtMost`. The
++// immediate use-case for limiting the size of in-memory copied data is to
++// protect against OOM DOS attacks as described inCVE-2020-1702. Instead of
++// copying data until running out of memory, we error out after hitting the
++// specified limit.
++const (
++	// megaByte denotes one megabyte and is intended to be used as a limit in
++	// `ReadAtMost`.
++	megaByte = 1 << 20
++	// MaxManifestBodySize is the maximum allowed size of a manifest. The limit
++	// of 4 MB aligns with the one of a Docker registry:
++	// https://github.com/docker/distribution/blob/a8371794149d1d95f1e846744b05c87f2f825e5a/registry/handlers/manifests.go#L30
++	MaxManifestBodySize = 4 * megaByte
++	// MaxAuthTokenBodySize is the maximum allowed size of an auth token.
++	// The limit of 1 MB is considered to be greatly sufficient.
++	MaxAuthTokenBodySize = megaByte
++	// MaxSignatureListBodySize is the maximum allowed size of a signature list.
++	// The limit of 4 MB is considered to be greatly sufficient.
++	MaxSignatureListBodySize = 4 * megaByte
++	// MaxSignatureBodySize is the maximum allowed size of a signature.
++	// The limit of 4 MB is considered to be greatly sufficient.
++	MaxSignatureBodySize = 4 * megaByte
++	// MaxErrorBodySize is the maximum allowed size of an error-response body.
++	// The limit of 1 MB is considered to be greatly sufficient.
++	MaxErrorBodySize = megaByte
++	// MaxConfigBodySize is the maximum allowed size of a config blob.
++	// The limit of 4 MB is considered to be greatly sufficient.
++	MaxConfigBodySize = 4 * megaByte
++	// MaxOpenShiftStatusBody is the maximum allowed size of an OpenShift status body.
++	// The limit of 4 MB is considered to be greatly sufficient.
++	MaxOpenShiftStatusBody = 4 * megaByte
++	// MaxTarFileManifestSize is the maximum allowed size of a (docker save)-like manifest (which may contain multiple images)
++	// The limit of 1 MB is considered to be greatly sufficient.
++	MaxTarFileManifestSize = megaByte
++)
++
++// ReadAtMost reads from reader and errors out if the specified limit (in bytes) is exceeded.
++func ReadAtMost(reader io.Reader, limit int) ([]byte, error) {
++	limitedReader := io.LimitReader(reader, int64(limit+1))
++
++	res, err := ioutil.ReadAll(limitedReader)
++	if err != nil {
++		return nil, err
++	}
++
++	if len(res) > limit {
++		return nil, errors.Errorf("exceeded maximum allowed size of %d bytes", limit)
++	}
++
++	return res, nil
++}
+diff --git a/vendor/github.com/containers/image/v5/openshift/openshift.go b/vendor/github.com/containers/image/v5/openshift/openshift.go
+index 016de4803..c37e1b751 100644
+--- a/vendor/github.com/containers/image/v5/openshift/openshift.go
++++ b/vendor/github.com/containers/image/v5/openshift/openshift.go
+@@ -7,13 +7,13 @@ import (
+ 	"encoding/json"
+ 	"fmt"
+ 	"io"
+-	"io/ioutil"
+ 	"net/http"
+ 	"net/url"
+ 	"strings"
+ 
+ 	"github.com/containers/image/v5/docker"
+ 	"github.com/containers/image/v5/docker/reference"
++	"github.com/containers/image/v5/internal/iolimits"
+ 	"github.com/containers/image/v5/manifest"
+ 	"github.com/containers/image/v5/types"
+ 	"github.com/containers/image/v5/version"
+@@ -102,7 +102,7 @@ func (c *openshiftClient) doRequest(ctx context.Context, method, path string, re
+ 		return nil, err
+ 	}
+ 	defer res.Body.Close()
+-	body, err := ioutil.ReadAll(res.Body)
++	body, err := iolimits.ReadAtMost(res.Body, iolimits.MaxOpenShiftStatusBody)
+ 	if err != nil {
+ 		return nil, err
+ 	}
+diff --git a/vendor/modules.txt b/vendor/modules.txt
+index 840dae067..3f72f3f34 100644
+--- a/vendor/modules.txt
++++ b/vendor/modules.txt
+@@ -48,7 +48,7 @@ github.com/containernetworking/cni/pkg/types
+ github.com/containernetworking/cni/pkg/types/020
+ github.com/containernetworking/cni/pkg/types/current
+ github.com/containernetworking/cni/pkg/version
+-# github.com/containers/image/v5 v5.0.0
++# github.com/containers/image/v5 v5.0.1-0.20200205124631-82291c45f2b0
+ github.com/containers/image/v5/copy
+ github.com/containers/image/v5/directory
+ github.com/containers/image/v5/directory/explicitfilepath
+@@ -59,6 +59,7 @@ github.com/containers/image/v5/docker/policyconfiguration
+ github.com/containers/image/v5/docker/reference
+ github.com/containers/image/v5/docker/tarfile
+ github.com/containers/image/v5/image
++github.com/containers/image/v5/internal/iolimits
+ github.com/containers/image/v5/internal/pkg/keyctl
+ github.com/containers/image/v5/internal/tmpdir
+ github.com/containers/image/v5/manifest

SOURCES/buildah-1756986.patch

@@ -0,0 +1,98 @@
+From 6d7ab38f33edb9ab87a290a0c68cfd27b55b061f Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai <nalin@redhat.com>
+Date: Wed, 8 Jan 2020 11:02:05 -0500
+Subject: [PATCH 1/2] Check for .dockerignore specifically
+
+When generating the list of exclusions to process .dockerignore
+contents, don't include .dockerignore if we don't have a .dockerignore
+file in the context directory.  That way, if the file doesn't exist, and
+the caller didn't pass in any patterns, we get no patterns instead of
+just one ".dockerignore" pattern, and we can hit the faster copy path.
+
+Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
+
+Closes: #2072
+Approved by: giuseppe
+---
+ add.go | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/add.go b/add.go
+index b5119e369..e82a5ef9a 100644
+--- a/add.go
++++ b/add.go
+@@ -215,7 +215,12 @@ func dockerIgnoreMatcher(lines []string, contextDir string) (*fileutils.PatternM
+ 	if contextDir == "" {
+ 		return nil, nil
+ 	}
+-	patterns := []string{".dockerignore"}
++	// If there's no .dockerignore file, then we don't have to add a
++	// pattern to tell copy logic to ignore it later.
++	var patterns []string
++	if _, err := os.Stat(filepath.Join(contextDir, ".dockerignore")); err == nil || !os.IsNotExist(err) {
++		patterns = []string{".dockerignore"}
++	}
+ 	for _, ignoreSpec := range lines {
+ 		ignoreSpec = strings.TrimSpace(ignoreSpec)
+ 		// ignore comments passed back from .dockerignore
+@@ -224,7 +229,8 @@ func dockerIgnoreMatcher(lines []string, contextDir string) (*fileutils.PatternM
+ 		}
+ 		// if the spec starts with '!' it means the pattern
+ 		// should be included. make a note so that we can move
+-		// it to the front of the updated pattern
++		// it to the front of the updated pattern, and insert
++		// the context dir's path in between
+ 		includeFlag := ""
+ 		if strings.HasPrefix(ignoreSpec, "!") {
+ 			includeFlag = "!"
+
+From f999964084ce75c833b0cffd17fb09b947dad506 Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai <nalin@redhat.com>
+Date: Wed, 8 Jan 2020 11:04:57 -0500
+Subject: [PATCH 2/2] copyFileWithTar: close source files at the right time
+
+Close source files after we've finished reading from them, rather than
+leaving it for later.
+
+Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
+
+Closes: #2072
+Approved by: giuseppe
+---
+ util.go | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/util.go b/util.go
+index b4670e41c..2f923357c 100644
+--- a/util.go
++++ b/util.go
+@@ -165,11 +165,6 @@ func (b *Builder) copyFileWithTar(tarIDMappingOptions *IDMappingOptions, chownOp
+ 				if err != nil {
+ 					return errors.Wrapf(err, "error opening %q to copy its contents", src)
+ 				}
+-				defer func() {
+-					if err := f.Close(); err != nil {
+-						logrus.Debugf("error closing %s: %v", fi.Name(), err)
+-					}
+-				}()
+ 			}
+ 		}
+ 
+@@ -200,6 +195,9 @@ func (b *Builder) copyFileWithTar(tarIDMappingOptions *IDMappingOptions, chownOp
+ 					logrus.Debugf("error copying contents of %s: %v", fi.Name(), err)
+ 					copyErr = err
+ 				}
++				if err = srcFile.Close(); err != nil {
++					logrus.Debugf("error closing %s: %v", fi.Name(), err)
++				}
+ 			}
+ 			if err = writer.Close(); err != nil {
+ 				logrus.Debugf("error closing write pipe for %s: %v", hdr.Name, err)
+@@ -213,7 +211,6 @@ func (b *Builder) copyFileWithTar(tarIDMappingOptions *IDMappingOptions, chownOp
+ 		if err == nil {
+ 			err = copyErr
+ 		}
+-		f = nil
+ 		if pipeWriter != nil {
+ 			pipeWriter.Close()
+ 		}

SOURCES/buildah-CVE-2020-10696.patch

@@ -0,0 +1,58 @@
+From 840e7dad513b86f454573ad415701c0199f78d30 Mon Sep 17 00:00:00 2001
+From: TomSweeneyRedHat <tsweeney@redhat.com>
+Date: Tue, 24 Mar 2020 20:10:22 -0400
+Subject: [PATCH] Fix potential CVE in tarfile w/ symlink
+
+Stealing @nalind 's workaround to avoid refetching
+content after a file read failure.  Under the right
+circumstances that could be a symlink to a file meant
+to overwrite a good file with bad data.
+
+Testing:
+```
+goodstuff
+
+[1] 14901
+
+127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
+127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
+no FROM statement found
+
+goodstuff
+```
+
+Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
+---
+ imagebuildah/util.go | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/imagebuildah/util.go b/imagebuildah/util.go
+index 29ea60970..5f14c9883 100644
+--- a/imagebuildah/util.go
++++ b/imagebuildah/util.go
+@@ -14,6 +14,7 @@ import (
+ 
+ 	"github.com/containers/buildah"
+ 	"github.com/containers/storage/pkg/chrootarchive"
++	"github.com/containers/storage/pkg/ioutils"
+ 	"github.com/opencontainers/runtime-spec/specs-go"
+ 	"github.com/pkg/errors"
+ 	"github.com/sirupsen/logrus"
+@@ -57,7 +58,7 @@ func downloadToDirectory(url, dir string) error {
+ 		}
+ 		dockerfile := filepath.Join(dir, "Dockerfile")
+ 		// Assume this is a Dockerfile
+-		if err := ioutil.WriteFile(dockerfile, body, 0600); err != nil {
++		if err := ioutils.AtomicWriteFile(dockerfile, body, 0600); err != nil {
+ 			return errors.Wrapf(err, "Failed to write %q to %q", url, dockerfile)
+ 		}
+ 	}
+@@ -75,7 +76,7 @@ func stdinToDirectory(dir string) error {
+ 	if err := chrootarchive.Untar(reader, dir, nil); err != nil {
+ 		dockerfile := filepath.Join(dir, "Dockerfile")
+ 		// Assume this is a Dockerfile
+-		if err := ioutil.WriteFile(dockerfile, b, 0600); err != nil {
++		if err := ioutils.AtomicWriteFile(dockerfile, b, 0600); err != nil {
+ 			return errors.Wrapf(err, "Failed to write bytes to %q", dockerfile)
+ 		}
+ 	}

SPECS/buildah.spec

@@ -0,0 +1,741 @@
+%global with_debug 1
+%global with_bundled 1
+
+%if 0%{?with_debug}
+%global _find_debuginfo_dwz_opts %{nil}
+%global _dwz_low_mem_die_limit 0
+%else
+%global debug_package %{nil}
+%endif
+
+%if 0%{?rhel} > 7 && ! 0%{?fedora}
+%define gobuild(o:) \
+go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -compressdwarf=false -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**};
+%endif
+
+%global provider github
+%global provider_tld com
+%global project containers
+%global repo buildah
+# https://github.com/containers/buildah
+%global import_path %{provider}.%{provider_tld}/%{project}/%{repo}
+%global git0 https://%{import_path}
+%global commit0 9513cb8c7bec0f7789c696aee4d252ebf85194cc
+%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
+
+Name: %{repo}
+Version: 1.11.6
+Release: 8%{?dist}
+Summary: A command line tool used for creating OCI Images
+License: ASL 2.0
+URL: https://%{name}.io
+# Build fails with: No matching package to install: 'golang >= 1.12.12-4' on i686
+ExcludeArch: i686
+Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
+Patch0: https://patch-diff.githubusercontent.com/raw/containers/buildah/pull/1996.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1784952
+Patch1: https://patch-diff.githubusercontent.com/raw/containers/buildah/pull/2031.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1702
+# https://github.com/containers/buildah/commit/be1eb6f70fb40e45096b69aeb048d54c526a4a8f.patch
+Patch2: CVE-2020-1702-1801930.patch
+# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1756986
+# backported:  https://patch-diff.githubusercontent.com/raw/containers/buildah/pull/2181.patch
+Patch3: buildah-1756986.patch
+# tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10696
+# patch:       https://github.com/containers/buildah/commit/c61925b8936e93a5e900f91b653a846f7ea3a9ed.patch
+Patch4: buildah-CVE-2020-10696.patch
+BuildRequires: golang >= 1.12.12-4
+BuildRequires: git
+BuildRequires: glib2-devel
+BuildRequires: libseccomp-devel
+BuildRequires: ostree-devel
+BuildRequires: glibc-static
+BuildRequires: go-md2man
+BuildRequires: gpgme-devel
+BuildRequires: device-mapper-devel
+BuildRequires: libassuan-devel
+BuildRequires: make
+Requires: runc >= 1.0.0-26
+Requires: containers-common
+Requires: container-selinux
+Requires: slirp4netns >= 0.3-0
+
+%description
+The %{name} package provides a command line tool which can be used to
+* create a working container from scratch
+or
+* create a working container from an image as a starting point
+* mount/umount a working container's root file system for manipulation
+* save container's root file system layer to create a new image
+* delete a working container or an image
+
+%package tests
+Summary: Tests for %{name}
+Requires: %{name} = %{version}-%{release}
+Requires: bzip2
+Requires: podman
+Requires: golang
+
+%description tests
+%{summary}
+
+This package contains system tests for %{name}
+
+%prep
+%autosetup -Sgit -n %{name}-%{commit0}
+sed -i 's/GOMD2MAN =/GOMD2MAN ?=/' docs/Makefile
+sed -i '/docs install/d' Makefile
+
+%build
+mkdir _build
+pushd _build
+mkdir -p src/%{provider}.%{provider_tld}/%{project}
+ln -s $(dirs +1 -l) src/%{import_path}
+popd
+
+mv vendor src
+
+export GOPATH=$(pwd)/_build:$(pwd)
+export BUILDTAGS='seccomp selinux btrfs_noversion exclude_graphdriver_btrfs'
+export GO111MODULE=off
+rm -f src/github.com/containers/storage/drivers/register/register_btrfs.go
+%gobuild -o %{name} %{import_path}/cmd/%{name}
+%gobuild -o imgtype %{import_path}/tests/imgtype
+GOMD2MAN=go-md2man %{__make} -C docs
+
+%install
+export GOPATH=$(pwd)/_build:$(pwd):%{gopath}
+make DESTDIR=%{buildroot} PREFIX=%{_prefix} install install.completions
+install -d -p %{buildroot}/%{_datadir}/%{name}/test/system
+cp -pav tests/. %{buildroot}/%{_datadir}/%{name}/test/system
+cp imgtype %{buildroot}/%{_bindir}/%{name}-imgtype
+make DESTDIR=%{buildroot} PREFIX=%{_prefix} -C docs install
+
+#define license tag if not already defined
+%{!?_licensedir:%global license %doc}
+
+%files
+%license LICENSE
+%doc README.md
+%{_bindir}/%{name}
+%{_mandir}/man1/%{name}*
+%dir %{_datadir}/bash-completion
+%dir %{_datadir}/bash-completion/completions
+%{_datadir}/bash-completion/completions/%{name}
+
+%files tests
+%license LICENSE
+%{_bindir}/%{name}-imgtype
+%{_datadir}/%{name}/test
+
+%changelog
+* Thu Jul 16 2020 Jindrich Novy <jnovy@redhat.com> - 1.11.6-8
+- exclude i686 arch
+- Related: #1821193
+
+* Wed Apr 01 2020 Jindrich Novy <jnovy@redhat.com> - 1.11.6-7
+- fix "CVE-2020-10696 buildah: crafted input tar file may lead to local file overwriting during image build process"
+- Resolves: #1819393
+
+* Mon Feb 24 2020 Jindrich Novy <jnovy@redhat.com> - 1.11.6-6
+- fix "COPY command takes long time with buildah"
+- Resolves: #1806118
+
+* Mon Feb 17 2020 Jindrich Novy <jnovy@redhat.com> - 1.11.6-5
+- fix CVE-2020-1702
+- Resolves: #1801930
+- adding the first phase of FIPS fix
+- Related: #1784952
+
+* Wed Dec 11 2019 Jindrich Novy <jnovy@redhat.com> - 1.11.6-4
+- compile in FIPS mode
+- Related: RHELPLAN-25139
+
+* Mon Dec 09 2019 Jindrich Novy <jnovy@redhat.com> - 1.11.6-3
+- be sure to use golang >= 1.12.12-4
+- Related: RHELPLAN-25139
+
+* Sat Dec 07 2019 Jindrich Novy <jnovy@redhat.com> - 1.11.6-2
+- fix chroot: unmount with MNT_DETACH instead of UnmountMountpoints()
+- bug reference 1772179
+- Related: RHELPLAN-25139
+
+* Thu Dec 05 2019 Jindrich Novy <jnovy@redhat.com> - 1.11.6-1
+- update to buildah 1.11.6
+- Related: RHELPLAN-25139
+
+* Thu Nov 21 2019 Jindrich Novy <jnovy@redhat.com> - 1.11.5-1
+- update to buildah 1.11.5
+- Related: RHELPLAN-25139
+
+* Thu Nov 07 2019 Jindrich Novy <jnovy@redhat.com> - 1.11.4-2
+- fix %%gobuild macro to not to ignore BUILDTAGS
+- Related: RHELPLAN-25139
+
+* Thu Nov 07 2019 Jindrich Novy <jnovy@redhat.com> - 1.11.4-1
+- update to 1.11.4
+- Related: RHELPLAN-25139
+
+* Tue Sep 17 2019 Jindrich Novy <jnovy@redhat.com> - 1.9.0-5
+- Use autosetup macro again.
+
+* Thu Sep 12 2019 Jindrich Novy <jnovy@redhat.com> - 1.9.0-4
+- Fix CVE-2019-10214 (#1734653).
+
+* Sat Jun 15 2019 Lokesh Mandvekar <lsm5@redhat.com> - 1.9.0-3
+- Resolves: #1721247 - enable fips mode
+
+* Sat Jun 15 2019 Lokesh Mandvekar <lsm5@redhat.com> - 1.9.0-2
+- Resolves: #1720654 - tests subpackage depends on golang explicitly
+
+* Sat Jun 15 2019 Lokesh Mandvekar <lsm5@redhat.com> - 1.9.0-1
+- Resolves: #1720654 - rebase to v1.9.0
+
+* Fri Jun 14 2019 Lokesh Mandvekar <lsm5@redhat.com> - 1.8.3-1
+- Resolves: #1720654 - rebase to v1.8.3
+
+* Tue Apr  9 2019 Eduardo Santiago <santiago@redhat.com> - 1.8-0.git021d607
+- package system tests
+
+* Tue Dec 18 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 1.5-3.gite94b4f9
+- re-enable debuginfo
+
+* Mon Dec 17 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 1.5-2.gite94b4f9
+- go toolset not in scl anymore
+
+* Fri Nov 23 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 1.5-1.gite94b4f9
+- rebase
+
+* Mon Nov 19 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 1.4-3.git608fa84
+- fedora-like go compiler macro in buildrequires is enough
+
+* Wed Oct 10 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 1.4-2.git608fa84
+- rebase
+
+* Mon Aug 13 2018 Lokesh Mandvekar <lsm5@redhat.com> - 1.3-3.git4888163
+- Resolves: #1615611 - rebuild with gobuild tag 'no_openssl'
+
+* Wed Aug 08 2018 Lokesh Mandvekar <lsm5@redhat.com> - 1.3-2.git4888163
+- Resolves: #1614009 - built with updated scl-ized go-toolset dep
+- build with %%gobuild
+
+* Sun Aug 5 2018 Dan Walsh <dwalsh@redhat.com> - 1.3-1
+- Bump to v1.3
+- Vendor in lates containers/image
+- build-using-dockerfile: let -t include transports again
+- Block use of /proc/acpi and /proc/keys from inside containers
+- Fix handling of --registries-conf
+- Fix becoming a maintainer link
+- add optional CI test fo darwin
+- Don't pass a nil error to errors.Wrapf()
+- image filter test: use kubernetes/pause as a "since"
+- Add --cidfile option to from
+- vendor: update containers/storage
+- Contributors need to find the CONTRIBUTOR.md file easier
+- Add a --loglevel option to build-with-dockerfile
+- Create Development plan
+- cmd: Code improvement
+- allow buildah cross compile for a darwin target
+- Add unused function param lint check
+- docs: Follow man-pages(7) suggestions for SYNOPSIS
+- Start using github.com/seccomp/containers-golang
+- umount: add all option to umount all mounted containers
+- runConfigureNetwork(): remove an unused parameter
+- Update github.com/opencontainers/selinux
+- Fix buildah bud --layers
+- Force ownership of /etc/hosts and /etc/resolv.conf to 0:0
+- main: if unprivileged, reexec in a user namespace
+- Vendor in latest imagebuilder
+- Reduce the complexity of the buildah.Run function
+- mount: output it before replacing lastError
+- Vendor in latest selinux-go code
+- Implement basic recognition of the "--isolation" option
+- Run(): try to resolve non-absolute paths using $PATH
+- Run(): don't include any default environment variables
+- build without seccomp
+- vendor in latest runtime-tools
+- bind/mount_unsupported.go: remove import errors
+- Update github.com/opencontainers/runc
+- Add Capabilities lists to BuilderInfo
+- Tweaks for commit tests
+- commit: recognize committing to second storage locations
+- Fix ARGS parsing for run commands
+- Add info on registries.conf to from manpage
+- Switch from using docker to podman for testing in .papr
+- buildah: set the HTTP User-Agent
+- ONBUILD tutorial
+- Add information about the configuration files to the install docs
+- Makefile: add uninstall
+- Add tilde info for push to troubleshooting
+- mount: support multiple inputs
+- Use the right formatting when adding entries to /etc/hosts
+- Vendor in latest go-selinux bindings
+- Allow --userns-uid-map/--userns-gid-map to be global options
+- bind: factor out UnmountMountpoints
+- Run(): simplify runCopyStdio()
+- Run(): handle POLLNVAL results
+- Run(): tweak terminal mode handling
+- Run(): rename 'copyStdio' to 'copyPipes'
+- Run(): don't set a Pdeathsig for the runtime
+- Run(): add options for adding and removing capabilities
+- Run(): don't use a callback when a slice will do
+- setupSeccomp(): refactor
+- Change RunOptions.Stdin/Stdout/Stderr to just be Reader/Writers
+- Escape use of '_' in .md docs
+- Break out getProcIDMappings()
+- Break out SetupIntermediateMountNamespace()
+- Add Multi From Demo
+- Use the c/image conversion code instead of converting configs manually
+- Don't throw away the manifest MIME type and guess again
+- Consolidate loading manifest and config in initConfig
+- Pass a types.Image to Builder.initConfig
+- Require an image ID in importBuilderDataFromImage
+- Use c/image/manifest.GuessMIMEType instead of a custom heuristic
+- Do not ignore any parsing errors in initConfig
+- Explicitly handle "from scratch" images in Builder.initConfig
+- Fix parsing of OCI images
+- Simplify dead but dangerous-looking error handling
+- Don't ignore v2s1 history if docker_version is not set
+- Add --rm and --force-rm to buildah bud
+- Add --all,-a flag to buildah images
+- Separate stdio buffering from writing
+- Remove tty check from images --format
+- Add environment variable BUILDAH_RUNTIME
+- Add --layers and --no-cache to buildah bud
+- Touch up images man
+- version.md: fix DESCRIPTION
+- tests: add containers test
+- tests: add images test
+- images: fix usage
+- fix make clean error
+- Change 'registries' to 'container registries' in man
+- add commit test
+- Add(): learn to record hashes of what we add
+- Minor update to buildah config documentation for entrypoint
+- Bump to v1.2-dev
+- Add registries.conf link to a few man pages
+
+* Tue Jul 24 2018 Lokesh Mandvekar <lsm5@redhat.com> - 1.2-3
+- do not depend on btrfs-progs for rhel8
+
+* Thu Jul 19 2018 Dan Walsh <dwalsh@redhat.com> - 1.2-2
+- buildah does not require ostree
+
+* Sun Jul 15 2018 Dan Walsh <dwalsh@redhat.com> 1.2-1
+- Vendor in latest containers/image
+- build-using-dockerfile: let -t include transports again
+- Block use of /proc/acpi and /proc/keys from inside containers
+- Fix handling of --registries-conf
+- Fix becoming a maintainer link
+- add optional CI test fo darwin
+- Don't pass a nil error to errors.Wrapf()
+- image filter test: use kubernetes/pause as a "since"
+- Add --cidfile option to from
+- vendor: update containers/storage
+- Contributors need to find the CONTRIBUTOR.md file easier
+- Add a --loglevel option to build-with-dockerfile
+- Create Development plan
+- cmd: Code improvement
+- allow buildah cross compile for a darwin target
+- Add unused function param lint check
+- docs: Follow man-pages(7) suggestions for SYNOPSIS
+- Start using github.com/seccomp/containers-golang
+- umount: add all option to umount all mounted containers
+- runConfigureNetwork(): remove an unused parameter
+- Update github.com/opencontainers/selinux
+- Fix buildah bud --layers
+- Force ownership of /etc/hosts and /etc/resolv.conf to 0:0
+- main: if unprivileged, reexec in a user namespace
+- Vendor in latest imagebuilder
+- Reduce the complexity of the buildah.Run function
+- mount: output it before replacing lastError
+- Vendor in latest selinux-go code
+- Implement basic recognition of the "--isolation" option
+- Run(): try to resolve non-absolute paths using $PATH
+- Run(): don't include any default environment variables
+- build without seccomp
+- vendor in latest runtime-tools
+- bind/mount_unsupported.go: remove import errors
+- Update github.com/opencontainers/runc
+- Add Capabilities lists to BuilderInfo
+- Tweaks for commit tests
+- commit: recognize committing to second storage locations
+- Fix ARGS parsing for run commands
+- Add info on registries.conf to from manpage
+- Switch from using docker to podman for testing in .papr
+- buildah: set the HTTP User-Agent
+- ONBUILD tutorial
+- Add information about the configuration files to the install docs
+- Makefile: add uninstall
+- Add tilde info for push to troubleshooting
+- mount: support multiple inputs
+- Use the right formatting when adding entries to /etc/hosts
+- Vendor in latest go-selinux bindings
+- Allow --userns-uid-map/--userns-gid-map to be global options
+- bind: factor out UnmountMountpoints
+- Run(): simplify runCopyStdio()
+- Run(): handle POLLNVAL results
+- Run(): tweak terminal mode handling
+- Run(): rename 'copyStdio' to 'copyPipes'
+- Run(): don't set a Pdeathsig for the runtime
+- Run(): add options for adding and removing capabilities
+- Run(): don't use a callback when a slice will do
+- setupSeccomp(): refactor
+- Change RunOptions.Stdin/Stdout/Stderr to just be Reader/Writers
+- Escape use of '_' in .md docs
+- Break out getProcIDMappings()
+- Break out SetupIntermediateMountNamespace()
+- Add Multi From Demo
+- Use the c/image conversion code instead of converting configs manually
+- Don't throw away the manifest MIME type and guess again
+- Consolidate loading manifest and config in initConfig
+- Pass a types.Image to Builder.initConfig
+- Require an image ID in importBuilderDataFromImage
+- Use c/image/manifest.GuessMIMEType instead of a custom heuristic
+- Do not ignore any parsing errors in initConfig
+- Explicitly handle "from scratch" images in Builder.initConfig
+- Fix parsing of OCI images
+- Simplify dead but dangerous-looking error handling
+- Don't ignore v2s1 history if docker_version is not set
+- Add --rm and --force-rm to buildah bud
+- Add --all,-a flag to buildah images
+- Separate stdio buffering from writing
+- Remove tty check from images --format
+- Add environment variable BUILDAH_RUNTIME
+- Add --layers and --no-cache to buildah bud
+- Touch up images man
+- version.md: fix DESCRIPTION
+- tests: add containers test
+- tests: add images test
+- images: fix usage
+- fix make clean error
+- Change 'registries' to 'container registries' in man
+- add commit test
+- Add(): learn to record hashes of what we add
+- Minor update to buildah config documentation for entrypoint
+- Add registries.conf link to a few man pages
+
+* Sun Jun 10 2018 Dan Walsh <dwalsh@redhat.com> 1.1-1
+- Drop capabilities if running container processes as non root
+- Print Warning message if cmd will not be used based on entrypoint
+- Update 01-intro.md
+- Shouldn't add insecure registries to list of search registries
+- Report errors on bad transports specification when pushing images
+- Move parsing code out of common for namespaces and into pkg/parse.go
+- Add disable-content-trust noop flag to bud
+- Change freenode chan to buildah
+- runCopyStdio(): don't close stdin unless we saw POLLHUP
+- Add registry errors for pull
+- runCollectOutput(): just read until the pipes are closed on us
+- Run(): provide redirection for stdio
+- rmi, rm: add test
+- add mount test
+- Add parameter judgment for commands that do not require parameters
+- Add context dir to bud command in baseline test
+- run.bats: check that we can run with symlinks in the bundle path
+- Give better messages to users when image can not be found
+- use absolute path for bundlePath
+- Add environment variable to buildah --format
+- rm: add validation to args and all option
+- Accept json array input for config entrypoint
+- Run(): process RunOptions.Mounts, and its flags
+- Run(): only collect error output from stdio pipes if we created some
+- Add OnBuild support for Dockerfiles
+- Quick fix on demo readme
+- run: fix validate flags
+- buildah bud should require a context directory or URL
+- Touchup tutorial for run changes
+- Validate common bud and from flags
+- images: Error if the specified imagename does not exist
+- inspect: Increase err judgments to avoid panic
+- add test to inspect
+- buildah bud picks up ENV from base image
+- Extend the amount of time travis_wait should wait
+- Add a make target for Installing CNI plugins
+- Add tests for namespace control flags
+- copy.bats: check ownerships in the container
+- Fix SELinux test errors when SELinux is enabled
+- Add example CNI configurations
+- Run: set supplemental group IDs
+- Run: use a temporary mount namespace
+- Use CNI to configure container networks
+- add/secrets/commit: Use mappings when setting permissions on added content
+- Add CLI options for specifying namespace and cgroup setup
+- Always set mappings when using user namespaces
+- Run(): break out creation of stdio pipe descriptors
+- Read UID/GID mapping information from containers and images
+- Additional bud CI tests
+- Run integration tests under travis_wait in Travis
+- build-using-dockerfile: add --annotation
+- Implement --squash for build-using-dockerfile and commit
+- Vendor in latest container/storage for devicemapper support
+- add test to inspect
+- Vendor github.com/onsi/ginkgo and github.com/onsi/gomega
+- Test with Go 1.10, too
+- Add console syntax highlighting to troubleshooting page
+- bud.bats: print "$output" before checking its contents
+- Manage "Run" containers more closely
+- Break Builder.Run()'s "run runc" bits out
+- util.ResolveName(): handle completion for tagged/digested image names
+- Handle /etc/hosts and /etc/resolv.conf properly in container
+- Documentation fixes
+- Make it easier to parse our temporary directory as an image name
+- Makefile: list new pkg/ subdirectoris as dependencies for buildah
+- containerImageSource: return more-correct errors
+- API cleanup: PullPolicy and TerminalPolicy should be types
+- Make "run --terminal" and "run -t" aliases for "run --tty"
+- Vendor github.com/containernetworking/cni v0.6.0
+- Update github.com/containers/storage
+- Update github.com/projectatomic/libpod
+- Add support for buildah bud --label
+- buildah push/from can push and pull images with no reference
+- Vendor in latest containers/image
+- Update gometalinter to fix install.tools error
+- Update troubleshooting with new run workaround
+- Added a bud demo and tidied up
+- Attempt to download file from url, if fails assume Dockerfile
+- Add buildah bud CI tests for ENV variables
+- Re-enable rpm .spec version check and new commit test
+- Update buildah scratch demo to support el7
+- Added Docker compatibility demo
+- Update to F28 and new run format in baseline test
+- Touchup man page short options across man pages
+- Added demo dir and a demo. chged distrorlease
+- builder-inspect: fix format option
+- Add cpu-shares short flag (-c) and cpu-shares CI tests
+- Minor fixes to formatting in rpm spec changelog
+- Fix rpm .spec changelog formatting
+- CI tests and minor fix for cache related noop flags
+- buildah-from: add effective value to mount propagation
+
+* Mon May 7 2018 Dan Walsh <dwalsh@redhat.com> 1.0-1
+- Remove buildah run cmd and entrypoint execution
+- Add Files section with registries.conf to pertinent man pages
+- Force "localhost" as a default registry
+- Add --compress, --rm, --squash flags as a noop for bud
+- Add FIPS mode secret to buildah run and bud
+- Add config --comment/--domainname/--history-comment/--hostname
+- Add support for --iidfile to bud and commit
+- Add /bin/sh -c to entrypoint in config
+- buildah images and podman images are listing different sizes
+- Remove tarball as an option from buildah push --help
+- Update entrypoint behaviour to match docker
+- Display imageId after commit
+- config: add support for StopSignal
+- Allow referencing stages as index and names
+- Add multi-stage builds support
+- Vendor in latest imagebuilder, to get mixed case AS support
+- Allow umount to have multi-containers
+- Update buildah push doc
+- buildah bud walks symlinks
+- Imagename is required for commit atm, update manpage
+
+* Thu May 03 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.16-3.git532e267
+- Resolves: #1573681
+- built commit 532e267
+
+* Tue Apr 10 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.16.0-2.git6f7d05b
+- built commit 6f7d05b
+
+* Wed Apr 4 2018 Dan Walsh <dwalsh@redhat.com> 0.16-1
+-   Add support for shell
+-   Vendor in latest containers/image
+-    	 docker-archive generates docker legacy compatible images
+-	 Do not create $DiffID subdirectories for layers with no configs
+- 	 Ensure the layer IDs in legacy docker/tarfile metadata are unique
+-	 docker-archive: repeated layers are symlinked in the tar file
+-	 sysregistries: remove all trailing slashes
+-	 Improve docker/* error messages
+-	 Fix failure to make auth directory
+-	 Create a new slice in Schema1.UpdateLayerInfos
+-	 Drop unused storageImageDestination.{image,systemContext}
+-	 Load a *storage.Image only once in storageImageSource
+-	 Support gzip for docker-archive files
+-	 Remove .tar extension from blob and config file names
+-	 ostree, src: support copy of compressed layers
+-	 ostree: re-pull layer if it misses uncompressed_digest|uncompressed_size
+-	 image: fix docker schema v1 -> OCI conversion
+-	 Add /etc/containers/certs.d as default certs directory
+-  Change image time to locale, add troubleshooting.md, add logo to other mds
+-   Allow --cmd parameter to have commands as values
+-   Document the mounts.conf file
+-   Fix man pages to format correctly
+-   buildah from now supports pulling images using the following transports:
+-   docker-archive, oci-archive, and dir.
+-   If the user overrides the storage driver, the options should be dropped
+-   Show Config/Manifest as JSON string in inspect when format is not set
+-   Adds feature to pull compressed docker-archive files
+
+* Tue Feb 27 2018 Dan Walsh <dwalsh@redhat.com> 0.15-1
+- Fix handling of buildah run command options
+
+* Mon Feb 26 2018 Dan Walsh <dwalsh@redhat.com> 0.14-1
+- If commonOpts do not exist, we should return rather then segfault
+- Display full error string instead of just status
+- Implement --volume and --shm-size for bud and from
+- Fix secrets patch for buildah bud
+- Fixes the naming issue of blobs and config for the dir transport by removing the .tar extension
+
+* Mon Feb 26 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.13-1.git99066e0
+- use correct version
+
+* Mon Feb 26 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.12-4.git99066e0
+- enable debuginfo
+
+* Mon Feb 26 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.12-3.git99066e0
+- BR: libseccomp-devel
+
+* Mon Feb 26 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.12-2.git99066e0
+- Resolves: #1548535
+- built commit 99066e0
+
+* Mon Feb 12 2018 Dan Walsh <dwalsh@redhat.com> 0.12-1
+- Added handing for simpler error message for Unknown Dockerfile instructions.
+- Change default certs directory to /etc/containers/certs.dir
+- Vendor in latest containers/image
+- Vendor in latest containers/storage
+- build-using-dockerfile: set the 'author' field for MAINTAINER
+- Return exit code 1 when buildah-rmi fails
+- Trim the image reference to just its name before calling getImageName
+- Touch up rmi -f usage statement
+- Add --format and --filter to buildah containers
+- Add --prune,-p option to rmi command
+- Add authfile param to commit
+- Fix --runtime-flag for buildah run and bud
+- format should override quiet for images
+- Allow all auth params to work with bud
+- Do not overwrite directory permissions on --chown
+- Unescape HTML characters output into the terminal
+- Fix: setting the container name to the image
+- Prompt for un/pwd if not supplied with --creds
+- Make bud be really quiet
+- Return a better error message when failed to resolve an image
+- Update auth tests and fix bud man page
+
+* Mon Feb 05 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.11-3.git49095a8
+- Resolves: #1542236 - add ostree and bump runc dep
+
+* Thu Feb 01 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 0.11-2.git49095a8
+- rebased to 49095a83f8622cf69532352d183337635562e261
+
+* Tue Jan 16 2018 Dan Walsh <dwalsh@redhat.com> 0.11-1
+- Add --all to remove containers
+- Add --all functionality to rmi
+- Show ctrid when doing rm -all
+- Ignore sequential duplicate layers when reading v2s1
+- Lots of minor bug fixes
+- Vendor in latest containers/image and containers/storage
+
+* Sat Dec 23 2017 Dan Walsh <dwalsh@redhat.com> 0.10-2
+- Fix checkin
+
+* Sat Dec 23 2017 Dan Walsh <dwalsh@redhat.com> 0.10-1
+- Display Config and Manifest as strings
+- Bump containers/image
+- Use configured registries to resolve image names
+- Update to work with newer image library
+- Add --chown option to add/copy commands
+
+* Tue Dec 12 2017 Lokesh Mandvekar <lsm5@redhat.com> - 0.9-2.git04ea079
+- build for all arches
+
+* Sat Dec 2 2017 Dan Walsh <dwalsh@redhat.com> 0.9-1
+- Allow push to use the image id
+- Make sure builtin volumes have the correct label
+
+* Wed Nov 22 2017 Dan Walsh <dwalsh@redhat.com> 0.8-1
+- Buildah bud was failing on SELinux machines, this fixes this
+- Block access to certain kernel file systems inside of the container
+
+* Thu Nov 16 2017 Dan Walsh <dwalsh@redhat.com> 0.7-1
+- Ignore errors when trying to read containers buildah.json for loading SELinux reservations
+-     Use credentials from kpod login for buildah
+- Adds support for converting manifest types when using the dir transport
+- Rework how we do UID resolution in images
+- Bump github.com/vbatts/tar-split
+- Set option.terminal appropriately in run
+
+* Thu Nov 16 2017 Frantisek Kluknavsky <fkluknav@redhat.com> - 0.5-5.gitf7dc659
+- revert building for s390x, it is intended for rhel 7.5
+
+* Wed Nov 15 2017 Dan Walsh <dwalsh@redhat.com> 0.5-4
+- Add requires for container-selinux
+
+* Mon Nov 13 2017 Frantisek Kluknavsky <fkluknav@redhat.com> - 0.5-3.gitf7dc659
+- build for s390x, https://bugzilla.redhat.com/show_bug.cgi?id=1482234
+
+* Wed Nov 08 2017 Dan Walsh <dwalsh@redhat.com> 0.5-2
+-  Bump github.com/vbatts/tar-split
+-  Fixes CVE That could allow a container image to cause a DOS
+
+* Tue Nov 07 2017 Dan Walsh <dwalsh@redhat.com> 0.5-1
+-  Add secrets patch to buildah
+-  Add proper SELinux labeling to buildah run
+-  Add tls-verify to bud command
+-  Make filtering by date use the image's date
+-  images: don't list unnamed images twice
+-  Fix timeout issue
+-  Add further tty verbiage to buildah run
+-  Make inspect try an image on failure if type not specified
+-  Add support for `buildah run --hostname`
+-  Tons of bug fixes and code cleanup
+
+* Tue Nov  7 2017 Nalin Dahyabhai <nalin@redhat.com> - 0.4-2.git01db066
+- bump to latest version
+- set GIT_COMMIT at build-time
+
+* Fri Sep 22 2017 Dan Walsh <dwalsh@redhat.com> 0.4-1.git9cbccf88c
+-   Add default transport to push if not provided
+-   Avoid trying to print a nil ImageReference
+-   Add authentication to commit and push
+-   Add information on buildah from man page on transports
+-   Remove --transport flag
+-   Run: do not complain about missing volume locations
+-   Add credentials to buildah from
+-   Remove export command
+-   Run(): create the right working directory
+-   Improve "from" behavior with unnamed references
+-   Avoid parsing image metadata for dates and layers
+-   Read the image's creation date from public API
+-   Bump containers/storage and containers/image
+-   Don't panic if an image's ID can't be parsed
+-   Turn on --enable-gc when running gometalinter
+-   rmi: handle truncated image IDs
+
+* Fri Sep 22 2017 Lokesh Mandvekar <lsm5@redhat.com> - 0.4-1.git9cbccf8
+- bump to v0.4
+
+* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.3-4.gitb9b2a8a
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.3-3.gitb9b2a8a
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Thu Jul 20 2017 Dan Walsh <dwalsh@redhat.com> 0.3-2.gitb9b2a8a7e
+- Bump for inclusion of OCI 1.0 Runtime and Image Spec
+
+* Tue Jul 18 2017 Dan Walsh <dwalsh@redhat.com> 0.2.0-1.gitac2aad6
+-   buildah run: Add support for -- ending options parsing
+-   buildah Add/Copy support for glob syntax
+-   buildah commit: Add flag to remove containers on commit
+-   buildah push: Improve man page and help information
+-   buildah run: add a way to disable PTY allocation
+-   Buildah docs: clarify --runtime-flag of run command
+-   Update to match newer storage and image-spec APIs
+-   Update containers/storage and containers/image versions
+-   buildah export: add support
+-   buildah images: update commands
+-   buildah images: Add JSON output option
+-   buildah rmi: update commands
+-   buildah containers: Add JSON output option
+-   buildah version: add command
+-   buildah run: Handle run without an explicit command correctly
+-   Ensure volume points get created, and with perms
+-   buildah containers: Add a -a/--all option
+
+* Wed Jun 14 2017 Dan Walsh <dwalsh@redhat.com> 0.1.0-2.git597d2ab9
+- Release Candidate 1
+- All features have now been implemented.
+
+* Fri Apr 14 2017 Dan Walsh <dwalsh@redhat.com> 0.0.1-1.git7a0a5333
+- First package for Fedora