Vendor containers/image and containers/storage

Vendor updated containers/image and containers/storage, along
with any new dependencies they drag in, and updated versions of other
dependencies that happen to get pulled in.

github.com/coreos/go-systemd/daemon/SdNotify() now takes a boolean to
control whether or not it unsets the NOTIFY_SOCKET variable from the
calling process's environment.  Adapt.

github.com/opencontainers/runtime-tools/generate/Generator.AddProcessEnv()
now takes the environment variable name and value as two arguments, not
one.  Adapt.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

vendor/github.com/containers/image/docker/docker_client.go

@@ -4,7 +4,6 @@ import (
 	"crypto/tls"
 	"encoding/base64"
 	"encoding/json"
-	"errors"
 	"fmt"
 	"io"
 	"io/ioutil"
@@ -20,6 +19,7 @@ import (
 	"github.com/containers/storage/pkg/homedir"
 	"github.com/docker/go-connections/sockets"
 	"github.com/docker/go-connections/tlsconfig"
+	"github.com/pkg/errors"
 )
 
 const (
@@ -101,7 +101,7 @@ func setupCertificates(dir string, tlsc *tls.Config) error {
 		if strings.HasSuffix(f.Name(), ".crt") {
 			systemPool, err := tlsconfig.SystemCertPool()
 			if err != nil {
-				return fmt.Errorf("unable to get system cert pool: %v", err)
+				return errors.Wrap(err, "unable to get system cert pool")
 			}
 			tlsc.RootCAs = systemPool
 			logrus.Debugf("crt: %s", fullPath)
@@ -116,7 +116,7 @@ func setupCertificates(dir string, tlsc *tls.Config) error {
 			keyName := certName[:len(certName)-5] + ".key"
 			logrus.Debugf("cert: %s", fullPath)
 			if !hasFile(fs, keyName) {
-				return fmt.Errorf("missing key %s for client certificate %s. Note that CA certificates should use the extension .crt", keyName, certName)
+				return errors.Errorf("missing key %s for client certificate %s. Note that CA certificates should use the extension .crt", keyName, certName)
 			}
 			cert, err := tls.LoadX509KeyPair(filepath.Join(dir, certName), filepath.Join(dir, keyName))
 			if err != nil {
@@ -129,7 +129,7 @@ func setupCertificates(dir string, tlsc *tls.Config) error {
 			certName := keyName[:len(keyName)-4] + ".cert"
 			logrus.Debugf("key: %s", fullPath)
 			if !hasFile(fs, certName) {
-				return fmt.Errorf("missing client certificate %s for key %s", certName, keyName)
+				return errors.Errorf("missing client certificate %s for key %s", certName, keyName)
 			}
 		}
 	}
@@ -240,7 +240,7 @@ func (c *dockerClient) makeRequestToResolvedURL(method, url string, headers map[
 func (c *dockerClient) setupRequestAuth(req *http.Request) error {
 	tokens := strings.SplitN(strings.TrimSpace(c.wwwAuthenticate), " ", 2)
 	if len(tokens) != 2 {
-		return fmt.Errorf("expected 2 tokens in WWW-Authenticate: %d, %s", len(tokens), c.wwwAuthenticate)
+		return errors.Errorf("expected 2 tokens in WWW-Authenticate: %d, %s", len(tokens), c.wwwAuthenticate)
 	}
 	switch tokens[0] {
 	case "Basic":
@@ -264,18 +264,48 @@ func (c *dockerClient) setupRequestAuth(req *http.Request) error {
 			return err
 		}
 		chs := parseAuthHeader(res.Header)
+		// We could end up in this "if" statement if the /v2/ call (during ping)
+		// returned 401 with a valid WWW-Authenticate=Bearer header.
+		// That doesn't **always** mean, however, that the specific API request
+		// (different from /v2/) actually needs to be authorized.
+		// One example of this _weird_ scenario happens with GCR.io docker
+		// registries.
 		if res.StatusCode != http.StatusUnauthorized || chs == nil || len(chs) == 0 {
-			// no need for bearer? wtf?
-			return nil
+			// With gcr.io, the /v2/ call returns a 401 with a valid WWW-Authenticate=Bearer
+			// header but the repository could be _public_ (no authorization is needed).
+			// Hence, the registry response contains no challenges and the status
+			// code is not 401.
+			// We just skip this case as it's not standard on docker/distribution
+			// registries (https://github.com/docker/distribution/blob/master/docs/spec/api.md#api-version-check)
+			if res.StatusCode != http.StatusUnauthorized {
+				return nil
+			}
+			// gcr.io private repositories pull instead requires us to send user:pass pair in
+			// order to retrieve a token and setup the correct Bearer token.
+			// try again one last time with Basic Auth
+			testReq2 := *req
+			// Do not use the body stream, or we couldn't reuse it for the "real" call later.
+			testReq2.Body = nil
+			testReq2.ContentLength = 0
+			testReq2.SetBasicAuth(c.username, c.password)
+			res, err := c.client.Do(&testReq2)
+			if err != nil {
+				return err
+			}
+			chs = parseAuthHeader(res.Header)
+			if res.StatusCode != http.StatusUnauthorized || chs == nil || len(chs) == 0 {
+				// no need for bearer? wtf?
+				return nil
+			}
 		}
 		// Arbitrarily use the first challenge, there is no reason to expect more than one.
 		challenge := chs[0]
 		if challenge.Scheme != "bearer" { // Another artifact of trying to handle WWW-Authenticate before it actually happens.
-			return fmt.Errorf("Unimplemented: WWW-Authenticate Bearer replaced by %#v", challenge.Scheme)
+			return errors.Errorf("Unimplemented: WWW-Authenticate Bearer replaced by %#v", challenge.Scheme)
 		}
 		realm, ok := challenge.Parameters["realm"]
 		if !ok {
-			return fmt.Errorf("missing realm in bearer auth challenge")
+			return errors.Errorf("missing realm in bearer auth challenge")
 		}
 		service, _ := challenge.Parameters["service"] // Will be "" if not present
 		scope, _ := challenge.Parameters["scope"]     // Will be "" if not present
@@ -286,7 +316,7 @@ func (c *dockerClient) setupRequestAuth(req *http.Request) error {
 		req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
 		return nil
 	}
-	return fmt.Errorf("no handler for %s authentication", tokens[0])
+	return errors.Errorf("no handler for %s authentication", tokens[0])
 	// support docker bearer with authconfig's Auth string? see docker2aci
 }
 
@@ -317,11 +347,11 @@ func (c *dockerClient) getBearerToken(realm, service, scope string) (string, err
 	defer res.Body.Close()
 	switch res.StatusCode {
 	case http.StatusUnauthorized:
-		return "", fmt.Errorf("unable to retrieve auth token: 401 unauthorized")
+		return "", errors.Errorf("unable to retrieve auth token: 401 unauthorized")
 	case http.StatusOK:
 		break
 	default:
-		return "", fmt.Errorf("unexpected http code: %d, URL: %s", res.StatusCode, authReq.URL)
+		return "", errors.Errorf("unexpected http code: %d, URL: %s", res.StatusCode, authReq.URL)
 	}
 	tokenBlob, err := ioutil.ReadAll(res.Body)
 	if err != nil {
@@ -365,7 +395,7 @@ func getAuth(ctx *types.SystemContext, registry string) (string, string, error)
 			if os.IsNotExist(err) {
 				return "", "", nil
 			}
-			return "", "", fmt.Errorf("%s - %v", oldDockerCfgPath, err)
+			return "", "", errors.Wrap(err, oldDockerCfgPath)
 		}
 
 		j, err := ioutil.ReadFile(oldDockerCfgPath)
@@ -377,7 +407,7 @@ func getAuth(ctx *types.SystemContext, registry string) (string, string, error)
 		}
 
 	} else if err != nil {
-		return "", "", fmt.Errorf("%s - %v", dockerCfgPath, err)
+		return "", "", errors.Wrap(err, dockerCfgPath)
 	}
 
 	// I'm feeling lucky
@@ -414,7 +444,7 @@ func (c *dockerClient) ping() (*pingResponse, error) {
 		defer resp.Body.Close()
 		logrus.Debugf("Ping %s status %d", scheme+"://"+c.registry+"/v2/", resp.StatusCode)
 		if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusUnauthorized {
-			return nil, fmt.Errorf("error pinging repository, response code %d", resp.StatusCode)
+			return nil, errors.Errorf("error pinging repository, response code %d", resp.StatusCode)
 		}
 		pr := &pingResponse{}
 		pr.WWWAuthenticate = resp.Header.Get("WWW-Authenticate")
@@ -427,7 +457,7 @@ func (c *dockerClient) ping() (*pingResponse, error) {
 		pr, err = ping("http")
 	}
 	if err != nil {
-		err = fmt.Errorf("pinging docker registry returned %+v", err)
+		err = errors.Wrap(err, "pinging docker registry returned")
 		if c.ctx != nil && c.ctx.DockerDisableV1Ping {
 			return nil, err
 		}