Bump to 0.7

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Ignore errors when trying to read containers buildah.json
2026-01-31 14:29:03 +00:00 · 2017-11-16 22:00:38 +00:00 · 2017-11-16 21:12:38 +00:00 · 2017-11-16 18:08:52 +00:00 · 2017-11-15 17:47:53 +00:00 · 2017-11-15 13:38:28 +00:00
946 changed files with 101246 additions and 36423 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,3 @@
+docs/buildah*.1
+/buildah
+/imgtype
--- a/.redhat-ci.sh
+++ b/.redhat-ci.sh
@@ -14,15 +14,20 @@ dnf install -y \
  device-mapper-devel \
  findutils \
  git \
+  glib2-devel \
+  gnupg \
  golang \
  gpgme-devel \
  libassuan-devel \
+  libseccomp-devel \
+  libselinux-devel \
+  libselinux-utils \
  make \
+  ostree-devel \
  which

-# Red Hat CI adds a merge commit, for testing, which fails the
+# PAPR adds a merge commit, for testing, which fails the
 # short-commit-subject validation test, so tell git-validate.sh to only check
 # up to, but not including, the merge commit.
 export GITVALIDATE_TIP=$(cd $GOSRC; git log -2 --pretty='%H' | tail -n 1)
-make -C $GOSRC install.tools all validate
-$GOSRC/tests/test_runner.sh
+make -C $GOSRC install.tools runc all validate test-unit test-integration TAGS="seccomp"
--- a/.papr.yml
+++ b/.papr.yml
@@ -0,0 +1,15 @@
+branches:
+  - master
+  - auto
+  - try
+
+host:
+  distro: fedora/26/atomic
+
+required: true
+
+tests:
+  # mount yum repos to inherit injected mirrors from PAPR
+  - docker run --net=host --privileged -v /etc/yum.repos.d:/etc/yum.repos.d.host:ro
+    -v $PWD:/code registry.fedoraproject.org/fedora:26 sh -c
+    "cp -fv /etc/yum.repos.d{.host/*.repo,} && /code/.papr.sh"
--- a/.redhat-ci.yml
+++ b/.redhat-ci.yml
@@ -1,12 +0,0 @@
-branches:
-  - master
-  - auto
-  - try
-
-host:
-  distro: fedora/25/atomic
-
-required: true
-
-tests:
-  - docker run --privileged -v $PWD:/code fedora:25 /code/.redhat-ci.sh
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,14 +1,30 @@
 language: go
-go:
-    - 1.7
-    - 1.8
-    - tip
 dist: trusty
 sudo: required
+go: 
+    - 1.7
+    - 1.8
+    - 1.9.x
+    - tip
+
+matrix:
+  # If the latest unstable development version of go fails, that's OK.
+  allow_failures:
+    - go: tip
+
+  # Don't hold on the tip tests to finish.  Mark tests green if the
+  # stable versions pass.
+  fast_finish: true
+
+services:
+    - docker
 before_install:
    - sudo add-apt-repository -y ppa:duggan/bats
    - sudo apt-get -qq update
-    - sudo apt-get -qq install bats btrfs-tools git libdevmapper-dev libgpgme11-dev
+    - sudo apt-get -qq install bats btrfs-tools git libapparmor-dev libdevmapper-dev libglib2.0-dev libgpgme11-dev libselinux1-dev
+    - sudo apt-get -qq remove libseccomp2
 script:
-    - make install.tools all validate
+    - make install.tools install.libseccomp.sudo all runc validate TAGS="apparmor seccomp containers_image_ostree_stub"
+    - go test -c -tags "apparmor seccomp `./btrfs_tag.sh` `./libdm_tag.sh` `./ostree_tag.sh` `./selinux_tag.sh`" ./cmd/buildah
+    - tmp=`mktemp -d`; mkdir $tmp/root $tmp/runroot; sudo PATH="$PATH" ./buildah.test -test.v -root $tmp/root -runroot $tmp/runroot -storage-driver vfs -signature-policy `pwd`/tests/policy.json
    - cd tests; sudo PATH="$PATH" ./test_runner.sh
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -0,0 +1,80 @@
+# Changelog
+
+## 0.5 - 2017-11-07
+    Add secrets patch to buildah
+    Add proper SELinux labeling to buildah run
+    Add tls-verify to bud command
+    Make filtering by date use the image's date
+    images: don't list unnamed images twice
+    Fix timeout issue
+    Add further tty verbiage to buildah run
+    Make inspect try an image on failure if type not specified
+    Add support for `buildah run --hostname`
+    Tons of bug fixes and code cleanup
+
+## 0.4 - 2017-09-22
+### Added
+    Update buildah spec file to match new version
+    Bump to version 0.4
+    Add default transport to push if not provided
+    Add authentication to commit and push
+    Remove --transport flag
+    Run: don't complain about missing volume locations
+    Add credentials to buildah from
+    Remove export command
+    Bump containers/storage and containers/image
+
+## 0.3 - 2017-07-20
+## 0.2 - 2017-07-18
+### Added
+    Vendor in latest containers/image and containers/storage
+    Update image-spec and runtime-spec to v1.0.0
+    Add support for -- ending options parsing to buildah run
+    Add/Copy need to support glob syntax
+    Add flag to remove containers on commit
+    Add buildah export support
+    update 'buildah images' and 'buildah rmi' commands
+    buildah containers/image: Add JSON output option
+    Add 'buildah version' command
+    Handle "run" without an explicit command correctly
+    Ensure volume points get created, and with perms
+    Add a -a/--all option to "buildah containers"
+
+## 0.1 - 2017-06-14
+### Added
+    Vendor in latest container/storage container/image
+    Add a "push" command
+    Add an option to specify a Create date for images
+    Allow building a source image from another image
+    Improve buildah commit performance
+    Add a --volume flag to "buildah run"
+    Fix inspect/tag-by-truncated-image-ID
+    Include image-spec and runtime-spec versions
+    buildah mount command should list mounts when no arguments are given.
+    Make the output image format selectable
+    commit images in multiple formats
+    Also import configurations from V2S1 images
+    Add a "tag" command
+    Add an "inspect" command
+    Update reference comments for docker types origins
+    Improve configuration preservation in imagebuildah
+    Report pull/commit progress by default
+    Contribute buildah.spec
+    Remove --mount from buildah-from
+    Add a build-using-dockerfile command (alias: bud)
+    Create manpages for the buildah project
+    Add installation for buildah and bash completions
+    Rename "list"/"delete" to "containers"/"rm"
+    Switch `buildah list quiet` option to only list container id's
+    buildah delete should be able to delete multiple containers
+    Correctly set tags on the names of pulled images
+    Don't mix "config" in with "run" and "commit"
+    Add a "list" command, for listing active builders
+    Add "add" and "copy" commands
+    Add a "run" command, using runc
+    Massive refactoring
+    Make a note to distinguish compression of layers
+
+## 0.0 - 2017-01-26
+### Added
+    Initial version, needs work
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -0,0 +1,142 @@
+# Contributing to Buildah
+
+We'd love to have you join the community! Below summarizes the processes
+that we follow.
+
+## Topics
+
+* [Reporting Issues](#reporting-issues)
+* [Submitting Pull Requests](#submitting-pull-requests)
+* [Communications](#communications)
+* [Becoming a Maintainer](#becoming-a-maintainer)
+
+## Reporting Issues
+
+Before reporting an issue, check our backlog of
+[open issues](https://github.com/projectatomic/buildah/issues)
+to see if someone else has already reported it. If so, feel free to add
+your scenario, or additional information, to the discussion. Or simply
+"subscribe" to it to be notified when it is updated.
+
+If you find a new issue with the project we'd love to hear about it! The most
+important aspect of a bug report is that it includes enough information for
+us to reproduce it. So, please include as much detail as possible and try
+to remove the extra stuff that doesn't really relate to the issue itself.
+The easier it is for us to reproduce it, the faster it'll be fixed!
+
+Please don't include any private/sensitive information in your issue!
+
+## Submitting Pull Requests
+
+No Pull Request (PR) is too small! Typos, additional comments in the code,
+new testcases, bug fixes, new features, more documentation, ... it's all
+welcome!
+
+While bug fixes can first be identified via an "issue", that is not required.
+It's ok to just open up a PR with the fix, but make sure you include the same
+information you would have included in an issue - like how to reproduce it.
+
+PRs for new features should include some background on what use cases the
+new code is trying to address. When possible and when it makes sense, try to break-up
+larger PRs into smaller ones - it's easier to review smaller
+code changes. But only if those smaller ones make sense as stand-alone PRs.
+
+Regardless of the type of PR, all PRs should include:
+* well documented code changes
+* additional testcases. Ideally, they should fail w/o your code change applied
+* documentation changes
+
+Squash your commits into logical pieces of work that might want to be reviewed
+separate from the rest of the PRs. But, squashing down to just one commit is ok
+too since in the end the entire PR will be reviewed anyway. When in doubt,
+squash.
+
+PRs that fix issues should include a reference like `Closes #XXXX` in the
+commit message so that github will automatically close the referenced issue
+when the PR is merged.
+
+<!--
+All PRs require at least two LGTMs (Looks Good To Me) from maintainers.
+-->
+
+### Sign your PRs
+
+The sign-off is a line at the end of the explanation for the patch. Your
+signature certifies that you wrote the patch or otherwise have the right to pass
+it on as an open-source patch. The rules are simple: if you can certify
+the below (from [developercertificate.org](http://developercertificate.org/)):
+
+```
+Developer Certificate of Origin
+Version 1.1
+
+Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
+660 York Street, Suite 102,
+San Francisco, CA 94110 USA
+
+Everyone is permitted to copy and distribute verbatim copies of this
+license document, but changing it is not allowed.
+
+Developer's Certificate of Origin 1.1
+
+By making a contribution to this project, I certify that:
+
+(a) The contribution was created in whole or in part by me and I
+    have the right to submit it under the open source license
+    indicated in the file; or
+
+(b) The contribution is based upon previous work that, to the best
+    of my knowledge, is covered under an appropriate open source
+    license and I have the right under that license to submit that
+    work with modifications, whether created in whole or in part
+    by me, under the same open source license (unless I am
+    permitted to submit under a different license), as indicated
+    in the file; or
+
+(c) The contribution was provided directly to me by some other
+    person who certified (a), (b) or (c) and I have not modified
+    it.
+
+(d) I understand and agree that this project and the contribution
+    are public and that a record of the contribution (including all
+    personal information I submit with it, including my sign-off) is
+    maintained indefinitely and may be redistributed consistent with
+    this project or the open source license(s) involved.
+```
+
+Then you just add a line to every git commit message:
+
+    Signed-off-by: Joe Smith <joe.smith@email.com>
+
+Use your real name (sorry, no pseudonyms or anonymous contributions.)
+
+If you set your `user.name` and `user.email` git configs, you can sign your
+commit automatically with `git commit -s`.
+
+## Communications
+
+For general questions, or discussions, please use the
+IRC group on `irc.freenode.net` called `cri-o`
+that has been setup.
+
+For discussions around issues/bugs and features, you can use the github
+[issues](https://github.com/projectatomic/buildah/issues)
+and
+[PRs](https://github.com/projectatomic/buildah/pulls)
+tracking system.
+
+<!--
+## Becoming a Maintainer
+
+To become a maintainer you must first be nominated by an existing maintainer.
+If a majority (>50%) of maintainers agree then the proposal is adopted and
+you will be added to the list.
+
+Removing a maintainer requires at least 75% of the remaining maintainers
+approval, or if the person requests to be removed then it is automatic.
+Normally, a maintainer will only be removed if they are considered to be
+inactive for a long period of time or are viewed as disruptive to the community.
+
+The current list of maintainers can be found in the
+[MAINTAINERS](MAINTAINERS) file.
+-->
--- a/50
+++ b/50
@@ -1,17 +1,30 @@
-AUTOTAGS := $(shell ./btrfs_tag.sh) $(shell ./libdm_tag.sh)
+AUTOTAGS := $(shell ./btrfs_tag.sh) $(shell ./libdm_tag.sh) $(shell ./ostree_tag.sh) $(shell ./selinux_tag.sh)
+TAGS := seccomp
 PREFIX := /usr/local
 BINDIR := $(PREFIX)/bin
 BASHINSTALLDIR=${PREFIX}/share/bash-completion/completions
 BUILDFLAGS := -tags "$(AUTOTAGS) $(TAGS)"
+GO := go

-all: buildah docs
+GIT_COMMIT := $(shell git rev-parse --short HEAD)
+BUILD_INFO := $(shell date +%s)
+
+RUNC_COMMIT := c5ec25487693612aed95673800863e134785f946
+LIBSECCOMP_COMMIT := release-2.3
+
+LDFLAGS := -ldflags '-X main.gitCommit=${GIT_COMMIT} -X main.buildInfo=${BUILD_INFO}'
+
+all: buildah imgtype docs

 buildah: *.go imagebuildah/*.go cmd/buildah/*.go docker/*.go util/*.go
-	go build -o buildah $(BUILDFLAGS) ./cmd/buildah
+	$(GO) build $(LDFLAGS) -o buildah $(BUILDFLAGS) ./cmd/buildah
+
+imgtype: *.go docker/*.go util/*.go tests/imgtype.go
+	$(GO) build $(LDFLAGS) -o imgtype $(BUILDFLAGS) ./tests/imgtype.go

 .PHONY: clean
 clean:
-	$(RM) buildah
+	$(RM) buildah imgtype
 	$(MAKE) -C docs clean 

 .PHONY: docs
@@ -38,11 +51,24 @@ validate:

 .PHONY: install.tools
 install.tools:
-	go get -u $(BUILDFLAGS) github.com/cpuguy83/go-md2man
-	go get -u $(BUILDFLAGS) github.com/vbatts/git-validation
-	go get -u $(BUILDFLAGS) gopkg.in/alecthomas/gometalinter.v1
+	$(GO) get -u $(BUILDFLAGS) github.com/cpuguy83/go-md2man
+	$(GO) get -u $(BUILDFLAGS) github.com/vbatts/git-validation
+	$(GO) get -u $(BUILDFLAGS) gopkg.in/alecthomas/gometalinter.v1
 	gometalinter.v1 -i

+.PHONY: runc
+runc: gopath
+	rm -rf ../../opencontainers/runc
+	git clone https://github.com/opencontainers/runc ../../opencontainers/runc
+	cd ../../opencontainers/runc && git checkout $(RUNC_COMMIT) && $(GO) build -tags "$(AUTOTAGS) $(TAGS)"
+	ln -sf ../../opencontainers/runc/runc
+
+.PHONY: install.libseccomp.sudo
+install.libseccomp.sudo: gopath
+	rm -rf ../../seccomp/libseccomp
+	git clone https://github.com/seccomp/libseccomp ../../seccomp/libseccomp
+	cd ../../seccomp/libseccomp && git checkout $(LIBSECCOMP_COMMIT) && ./autogen.sh && ./configure --prefix=/usr && make all && sudo make install
+
 .PHONY: install
 install:
 	install -D -m0755 buildah $(DESTDIR)/$(BINDIR)/buildah
@@ -51,3 +77,13 @@ install:
 .PHONY: install.completions
 install.completions:
 	install -m 644 -D contrib/completions/bash/buildah $(DESTDIR)/${BASHINSTALLDIR}/buildah
+
+.PHONY: test-integration
+test-integration:
+	cd tests; ./test_runner.sh
+
+.PHONY: test-unit
+test-unit:
+	tmp=$(shell mktemp -d) ; \
+	mkdir -p $$tmp/root $$tmp/runroot; \
+	$(GO) test -v -tags "$(AUTOTAGS) $(TAGS)" ./cmd/buildah -args -root $$tmp/root -runroot $$tmp/runroot -storage-driver vfs -signature-policy $(shell pwd)/tests/policy.json
--- a/README.md
+++ b/README.md
@@ -1,4 +1,6 @@
-buildah - a tool which facilitates building OCI container images
+![buildah logo](https://cdn.rawgit.com/projectatomic/buildah/master/logos/buildah.svg)
+
+# [Buildah](https://www.youtube.com/embed/YVk5NgSiUw8) - a tool which facilitates building OCI container images
 ================================================================

 [![Go Report Card](https://goreportcard.com/badge/github.com/projectatomic/buildah)](https://goreportcard.com/report/github.com/projectatomic/buildah)
@@ -6,7 +8,7 @@ buildah - a tool which facilitates building OCI container images

 Note: this package is in alpha, but is close to being feature-complete.

-The buildah package provides a command line tool which can be used to
+The Buildah package provides a command line tool which can be used to
 * create a working container, either from scratch or using an image as a starting point
 * create an image, either from a working container or via the instructions in a Dockerfile
 * images can be built in either the OCI image format or the traditional upstream docker image format
@@ -15,19 +17,24 @@ The buildah package provides a command line tool which can be used to
 * use the updated contents of a container's root filesystem as a filesystem layer to create a new image
 * delete a working container or an image

+**[Changelog](CHANGELOG.md)**
+
 **Installation notes**

-Prior to installing buildah, install the following packages on your linux distro:
+Prior to installing Buildah, install the following packages on your linux distro:
 * make
 * golang (Requires version 1.8.1 or higher.)
 * bats
-* btrfs-progs-devel 
-* device-mapper-devel 
-* gpgme-devel 
-* libassuan-devel 
-* git 
+* btrfs-progs-devel
 * bzip2
+* device-mapper-devel
+* git
 * go-md2man
+* gpgme-devel
+* glib2-devel
+* libassuan-devel
+* ostree-devel
+* runc (Requires version 1.0 RC4 or higher.)
 * skopeo-containers

 In Fedora, you can use this command:
@@ -39,50 +46,102 @@ In Fedora, you can use this command:
    bats \
    btrfs-progs-devel \
    device-mapper-devel \
+    glib2-devel \
    gpgme-devel \
    libassuan-devel \
+    ostree-devel \
    git \
    bzip2 \
    go-md2man \
+    runc \
    skopeo-containers
 ```

-Then to install buildah follow the steps in this example: 
+Then to install Buildah on Fedora follow the steps in this example:
+

 ```
  mkdir ~/buildah
  cd ~/buildah
-  export GOPATH=`pwd` 
-  git clone https://github.com/projectatomic/buildah ./src/github.com/projectatomic/buildah 
-  cd ./src/github.com/projectatomic/buildah 
-  make 
+  export GOPATH=`pwd`
+  git clone https://github.com/projectatomic/buildah ./src/github.com/projectatomic/buildah
+  cd ./src/github.com/projectatomic/buildah
+  make
  make install
  buildah --help
 ```

-buildah uses `runc` to run commands when `buildah run` is used, or when `buildah build-using-dockerfile`
+In RHEL 7, ensure that you are subscribed to `rhel-7-server-rpms`,
+`rhel-7-server-extras-rpms`, and `rhel-7-server-optional-rpms`, then
+run this command:
+
+```
+ yum -y install \
+    make \
+    golang \
+    bats \
+    btrfs-progs-devel \
+    device-mapper-devel \
+    glib2-devel \
+    gpgme-devel \
+    libassuan-devel \
+    ostree-devel \
+    git \
+    bzip2 \
+    go-md2man \
+    runc \
+    skopeo-containers
+```
+
+The build steps for Buildah on RHEL are the same as Fedora, above.
+
+In Ubuntu zesty and xenial, you can use this command:
+
+```
+  apt-get -y install software-properties-common
+  add-apt-repository -y ppa:alexlarsson/flatpak
+  add-apt-repository -y ppa:gophers/archive
+  apt-add-repository -y ppa:projectatomic/ppa
+  apt-get -y -qq update
+  apt-get -y install bats btrfs-tools git libapparmor-dev libdevmapper-dev libglib2.0-dev libgpgme11-dev libostree-dev libseccomp-dev libselinux1-dev skopeo-containers go-md2man
+  apt-get -y install golang-1.8
+```
+Then to install Buildah on Ubuntu follow the steps in this example:
+
+```
+  mkdir ~/buildah
+  cd ~/buildah
+  export GOPATH=`pwd`
+  git clone https://github.com/projectatomic/buildah ./src/github.com/projectatomic/buildah
+  cd ./src/github.com/projectatomic/buildah
+  PATH=/usr/lib/go-1.8/bin:$PATH make runc all TAGS="apparmor seccomp"
+  make install
+  buildah --help
+```
+Buildah uses `runc` to run commands when `buildah run` is used, or when `buildah build-using-dockerfile`
 encounters a `RUN` instruction, so you'll also need to build and install a compatible version of
-[runc](https://github.com/opencontainers/runc) for buildah to call for those cases.
+[runc](https://github.com/opencontainers/runc) for Buildah to call for those cases.

 ## Commands
-| Command               | Description |
-| --------------------- | --------------------------------------------------- |
-| buildah-add(1)        | Add the contents of a file, URL, or a directory to the container. |
-| buildah-bud(1)        | Build an image using instructions from Dockerfiles. |
-| buildah-commit(1)     | Create an image from a working container. |
-| buildah-config(1)     | Update image configuration settings. |
-| buildah-containers(1) | List the working containers and their base images. |
-| buildah-copy(1)       | Copies the contents of a file, URL, or directory into a container's working directory. |
-| buildah-from(1)       | Creates a new working container, either from scratch or using a specified image as a starting point. |
-| buildah-images(1)     | List images in local storage. |
-| buildah-inspect(1)    | Inspects the configuration of a container or image. |
-| buildah-mount(1)      | Mount the working container's root filesystem. |
-| buildah-push(1)       | Copies an image from local storage. |
-| buildah-rm(1)         | Removes one or more working containers. |
-| buildah-rmi(1)        | Removes one or more images. |
-| buildah-run(1)        | Run a command inside of the container. |
-| buildah-tag(1)        | Add an additional name to a local image. |
-| buildah-umount(1)     | Unmount a working container's root file system. |
+| Command                                              | Description                                                                                          |
+| ---------------------------------------------------- | ---------------------------------------------------------------------------------------------------- |
+| [buildah-add(1)](/docs/buildah-add.md)               | Add the contents of a file, URL, or a directory to the container.                                    |
+| [buildah-bud(1)](/docs/buildah-bud.md)               | Build an image using instructions from Dockerfiles.                                                  |
+| [buildah-commit(1)](/docs/buildah-commit.md)         | Create an image from a working container.                                                            |
+| [buildah-config(1)](/docs/buildah-config.md)         | Update image configuration settings.                                                                 |
+| [buildah-containers(1)](/docs/buildah-containers.md) | List the working containers and their base images.                                                   |
+| [buildah-copy(1)](/docs/buildah-copy.md)             | Copies the contents of a file, URL, or directory into a container's working directory.               |
+| [buildah-from(1)](/docs/buildah-from.md)             | Creates a new working container, either from scratch or using a specified image as a starting point. |
+| [buildah-images(1)](/docs/buildah-images.md)         | List images in local storage.                                                                        |
+| [buildah-inspect(1)](/docs/buildah-inspect.md)       | Inspects the configuration of a container or image.                                                  |
+| [buildah-mount(1)](/docs/buildah-mount.md)           | Mount the working container's root filesystem.                                                       |
+| [buildah-push(1)](/docs/buildah-push.md)             | Copies an image from local storage.                                                                  |
+| [buildah-rm(1)](/docs/buildah-rm.md)                 | Removes one or more working containers.                                                              |
+| [buildah-rmi(1)](/docs/buildah-rmi.md)               | Removes one or more images.                                                                          |
+| [buildah-run(1)](/docs/buildah-run.md)               | Run a command inside of the container.                                                               |
+| [buildah-tag(1)](/docs/buildah-tag.md)               | Add an additional name to a local image.                                                             |
+| [buildah-umount(1)](/docs/buildah-umount.md)         | Unmount a working container's root file system.                                                      |
+| [buildah-version(1)](/docs/buildah-version.md)       | Display the Buildah Version Information             |

 **Future goals include:**
 * more CI tests
--- a/add.go
+++ b/add.go
@@ -8,12 +8,12 @@ import (
 	"path"
 	"path/filepath"
 	"strings"
+	"syscall"
 	"time"

-	"github.com/Sirupsen/logrus"
 	"github.com/containers/storage/pkg/archive"
-	"github.com/containers/storage/pkg/chrootarchive"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 )

 // addURL copies the contents of the source URL to the destination.  This is
@@ -120,44 +120,54 @@ func (b *Builder) Add(destination string, extract bool, source ...string) error
 			}
 			continue
 		}
-		srcfi, err := os.Stat(src)
+
+		glob, err := filepath.Glob(src)
 		if err != nil {
-			return errors.Wrapf(err, "error reading %q", src)
+			return errors.Wrapf(err, "invalid glob %q", src)
 		}
-		if srcfi.IsDir() {
-			// The source is a directory, so copy the contents of
-			// the source directory into the target directory.  Try
-			// to create it first, so that if there's a problem,
-			// we'll discover why that won't work.
-			d := dest
-			if err := os.MkdirAll(d, 0755); err != nil {
-				return errors.Wrapf(err, "error ensuring directory %q exists", d)
-			}
-			logrus.Debugf("copying %q to %q", src+string(os.PathSeparator)+"*", d+string(os.PathSeparator)+"*")
-			if err := chrootarchive.CopyWithTar(src, d); err != nil {
-				return errors.Wrapf(err, "error copying %q to %q", src, d)
-			}
-			continue
+		if len(glob) == 0 {
+			return errors.Wrapf(syscall.ENOENT, "no files found matching %q", src)
 		}
-		if !extract || !archive.IsArchivePath(src) {
-			// This source is a file, and either it's not an
-			// archive, or we don't care whether or not it's an
-			// archive.
-			d := dest
-			if destfi != nil && destfi.IsDir() {
-				d = filepath.Join(dest, filepath.Base(src))
+		for _, gsrc := range glob {
+			srcfi, err := os.Stat(gsrc)
+			if err != nil {
+				return errors.Wrapf(err, "error reading %q", gsrc)
 			}
-			// Copy the file, preserving attributes.
-			logrus.Debugf("copying %q to %q", src, d)
-			if err := chrootarchive.CopyFileWithTar(src, d); err != nil {
-				return errors.Wrapf(err, "error copying %q to %q", src, d)
+			if srcfi.IsDir() {
+				// The source is a directory, so copy the contents of
+				// the source directory into the target directory.  Try
+				// to create it first, so that if there's a problem,
+				// we'll discover why that won't work.
+				d := dest
+				if err := os.MkdirAll(d, 0755); err != nil {
+					return errors.Wrapf(err, "error ensuring directory %q exists", d)
+				}
+				logrus.Debugf("copying %q to %q", gsrc+string(os.PathSeparator)+"*", d+string(os.PathSeparator)+"*")
+				if err := copyWithTar(gsrc, d); err != nil {
+					return errors.Wrapf(err, "error copying %q to %q", gsrc, d)
+				}
+				continue
+			}
+			if !extract || !archive.IsArchivePath(gsrc) {
+				// This source is a file, and either it's not an
+				// archive, or we don't care whether or not it's an
+				// archive.
+				d := dest
+				if destfi != nil && destfi.IsDir() {
+					d = filepath.Join(dest, filepath.Base(gsrc))
+				}
+				// Copy the file, preserving attributes.
+				logrus.Debugf("copying %q to %q", gsrc, d)
+				if err := copyFileWithTar(gsrc, d); err != nil {
+					return errors.Wrapf(err, "error copying %q to %q", gsrc, d)
+				}
+				continue
+			}
+			// We're extracting an archive into the destination directory.
+			logrus.Debugf("extracting contents of %q into %q", gsrc, dest)
+			if err := untarPath(gsrc, dest); err != nil {
+				return errors.Wrapf(err, "error extracting %q into %q", gsrc, dest)
 			}
-			continue
-		}
-		// We're extracting an archive into the destination directory.
-		logrus.Debugf("extracting contents of %q into %q", src, dest)
-		if err := chrootarchive.UntarPath(src, dest); err != nil {
-			return errors.Wrapf(err, "error extracting %q into %q", src, dest)
 		}
 	}
 	return nil
--- a/buildah.go
+++ b/buildah.go
@@ -7,6 +7,7 @@ import (
 	"os"
 	"path/filepath"

+	"github.com/containers/image/types"
 	"github.com/containers/storage"
 	"github.com/containers/storage/pkg/ioutils"
 	"github.com/opencontainers/image-spec/specs-go/v1"
@@ -19,9 +20,17 @@ const (
 	// identify working containers.
 	Package = "buildah"
 	// Version for the Package
-	Version       = "0.1"
+	Version = "0.7"
+	// The value we use to identify what type of information, currently a
+	// serialized Builder structure, we are using as per-container state.
+	// This should only be changed when we make incompatible changes to
+	// that data structure, as it's used to distinguish containers which
+	// are "ours" from ones that aren't.
 	containerType = Package + " 0.0.1"
-	stateFile     = Package + ".json"
+	// The file in the per-container directory which we use to store our
+	// per-container state.  If it isn't there, then the container isn't
+	// one of our build containers.
+	stateFile = Package + ".json"
 )

 const (
@@ -68,6 +77,10 @@ type Builder struct {
 	// MountPoint is the last location where the container's root
 	// filesystem was mounted.  It should not be modified.
 	MountPoint string `json:"mountpoint,omitempty"`
+	// ProcessLabel is the SELinux process label associated with the container
+	ProcessLabel string `json:"process-label,omitempty"`
+	// MountLabel is the SELinux mount label associated with the container
+	MountLabel string `json:"mount-label,omitempty"`

 	// ImageAnnotations is a set of key-value pairs which is stored in the
 	// image's manifest.
@@ -78,6 +91,8 @@ type Builder struct {
 	// Image metadata and runtime settings, in multiple formats.
 	OCIv1  v1.Image       `json:"ociv1,omitempty"`
 	Docker docker.V2Image `json:"docker,omitempty"`
+	// DefaultMountsFilePath is the file path holding the mounts to be mounted in "host-path:container-path" format
+	DefaultMountsFilePath string `json:"defaultMountsFilePath,omitempty"`
 }

 // BuilderOptions are used to initialize a new Builder.
@@ -95,8 +110,13 @@ type BuilderOptions struct {
 	PullPolicy int
 	// Registry is a value which is prepended to the image's name, if it
 	// needs to be pulled and the image name alone can not be resolved to a
-	// reference to a source image.
+	// reference to a source image.  No separator is implicitly added.
 	Registry string
+	// Transport is a value which is prepended to the image's name, if it
+	// needs to be pulled and the image name alone, or the image name and
+	// the registry together, can not be resolved to a reference to a
+	// source image.  No separator is implicitly added.
+	Transport string
 	// Mount signals to NewBuilder() that the container should be mounted
 	// immediately.
 	Mount bool
@@ -109,6 +129,11 @@ type BuilderOptions struct {
 	// ReportWriter is an io.Writer which will be used to log the reading
 	// of the source image from a registry, if we end up pulling the image.
 	ReportWriter io.Writer
+	// github.com/containers/image/types SystemContext to hold credentials
+	// and other authentication/authorization information.
+	SystemContext *types.SystemContext
+	// DefaultMountsFilePath is the file path holding the mounts to be mounted in "host-path:container-path" format
+	DefaultMountsFilePath string
 }

 // ImportOptions are used to initialize a Builder from an existing container
--- a/cmd/buildah/bud.go
+++ b/cmd/buildah/bud.go
@@ -5,22 +5,29 @@ import (
 	"path/filepath"
 	"strings"

-	"github.com/Sirupsen/logrus"
 	"github.com/pkg/errors"
 	"github.com/projectatomic/buildah/imagebuildah"
+	"github.com/sirupsen/logrus"
 	"github.com/urfave/cli"
 )

 var (
 	budFlags = []cli.Flag{
-		cli.BoolFlag{
-			Name:  "quiet, q",
-			Usage: "refrain from announcing build instructions and image read/write progress",
+		cli.StringFlag{
+			Name:  "authfile",
+			Usage: "path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json",
+		},
+		cli.StringSliceFlag{
+			Name:  "build-arg",
+			Usage: "`argument=value` to supply to the builder",
+		},
+		cli.StringSliceFlag{
+			Name:  "file, f",
+			Usage: "`pathname or URL` of a Dockerfile",
 		},
 		cli.StringFlag{
-			Name:  "registry",
-			Usage: "prefix to prepend to the image name in order to pull the image",
-			Value: DefaultRegistry,
+			Name:  "format",
+			Usage: "`format` of the built image's manifest and metadata",
 		},
 		cli.BoolTFlag{
 			Name:  "pull",
@@ -30,13 +37,9 @@ var (
 			Name:  "pull-always",
 			Usage: "pull the image, even if a version is present",
 		},
-		cli.StringFlag{
-			Name:  "signature-policy",
-			Usage: "`pathname` of signature policy file (not usually used)",
-		},
-		cli.StringSliceFlag{
-			Name:  "build-arg",
-			Usage: "`argument=value` to supply to the builder",
+		cli.BoolFlag{
+			Name:  "quiet, q",
+			Usage: "refrain from announcing build instructions and image read/write progress",
 		},
 		cli.StringFlag{
 			Name:  "runtime",
@@ -48,18 +51,19 @@ var (
 			Usage: "add global flags for the container runtime",
 		},
 		cli.StringFlag{
-			Name:  "format",
-			Usage: "`format` of the built image's manifest and metadata",
+			Name:  "signature-policy",
+			Usage: "`pathname` of signature policy file (not usually used)",
 		},
 		cli.StringSliceFlag{
 			Name:  "tag, t",
 			Usage: "`tag` to apply to the built image",
 		},
-		cli.StringSliceFlag{
-			Name:  "file, f",
-			Usage: "`pathname or URL` of a Dockerfile",
+		cli.BoolTFlag{
+			Name:  "tls-verify",
+			Usage: "require HTTPS and verify certificates when accessing the registry",
 		},
 	}
+
 	budDescription = "Builds an OCI image using instructions in one or more Dockerfiles."
 	budCommand     = cli.Command{
 		Name:        "build-using-dockerfile",
@@ -82,39 +86,14 @@ func budCmd(c *cli.Context) error {
 			tags = tags[1:]
 		}
 	}
-	registry := DefaultRegistry
-	if c.IsSet("registry") {
-		registry = c.String("registry")
-	}
-	pull := true
-	if c.IsSet("pull") {
-		pull = c.BoolT("pull")
-	}
-	pullAlways := false
-	if c.IsSet("pull-always") {
-		pull = c.Bool("pull-always")
-	}
-	runtimeFlags := []string{}
-	if c.IsSet("runtime-flag") {
-		runtimeFlags = c.StringSlice("runtime-flag")
-	}
-	runtime := ""
-	if c.IsSet("runtime") {
-		runtime = c.String("runtime")
-	}
-
 	pullPolicy := imagebuildah.PullNever
-	if pull {
+	if c.BoolT("pull") {
 		pullPolicy = imagebuildah.PullIfMissing
 	}
-	if pullAlways {
+	if c.Bool("pull-always") {
 		pullPolicy = imagebuildah.PullAlways
 	}

-	signaturePolicy := ""
-	if c.IsSet("signature-policy") {
-		signaturePolicy = c.String("signature-policy")
-	}
 	args := make(map[string]string)
 	if c.IsSet("build-arg") {
 		for _, arg := range c.StringSlice("build-arg") {
@@ -126,14 +105,8 @@ func budCmd(c *cli.Context) error {
 			}
 		}
 	}
-	quiet := false
-	if c.IsSet("quiet") {
-		quiet = c.Bool("quiet")
-	}
-	dockerfiles := []string{}
-	if c.IsSet("file") || c.IsSet("f") {
-		dockerfiles = c.StringSlice("file")
-	}
+
+	dockerfiles := c.StringSlice("file")
 	format := "oci"
 	if c.IsSet("format") {
 		format = strings.ToLower(c.String("format"))
@@ -199,6 +172,9 @@ func budCmd(c *cli.Context) error {
 	if len(dockerfiles) == 0 {
 		dockerfiles = append(dockerfiles, filepath.Join(contextDir, "Dockerfile"))
 	}
+	if err := validateFlags(c, budFlags); err != nil {
+		return err
+	}

 	store, err := getStore(c)
 	if err != nil {
@@ -208,18 +184,19 @@ func budCmd(c *cli.Context) error {
 	options := imagebuildah.BuildOptions{
 		ContextDirectory:    contextDir,
 		PullPolicy:          pullPolicy,
-		Registry:            registry,
 		Compression:         imagebuildah.Gzip,
-		Quiet:               quiet,
-		SignaturePolicyPath: signaturePolicy,
+		Quiet:               c.Bool("quiet"),
+		SignaturePolicyPath: c.String("signature-policy"),
+		SkipTLSVerify:       !c.Bool("tls-verify"),
 		Args:                args,
 		Output:              output,
 		AdditionalTags:      tags,
-		Runtime:             runtime,
-		RuntimeArgs:         runtimeFlags,
+		Runtime:             c.String("runtime"),
+		RuntimeArgs:         c.StringSlice("runtime-flag"),
 		OutputFormat:        format,
+		AuthFilePath:        c.String("authfile"),
 	}
-	if !quiet {
+	if !c.Bool("quiet") {
 		options.ReportWriter = os.Stderr
 	}

--- a/cmd/buildah/commit.go
+++ b/cmd/buildah/commit.go
@@ -15,17 +15,28 @@ import (

 var (
 	commitFlags = []cli.Flag{
+		cli.StringFlag{
+			Name:  "cert-dir",
+			Value: "",
+			Usage: "use certificates at the specified path to access the registry",
+		},
+		cli.StringFlag{
+			Name:  "creds",
+			Value: "",
+			Usage: "use `username[:password]` for accessing the registry",
+		},
 		cli.BoolFlag{
 			Name:  "disable-compression, D",
 			Usage: "don't compress layers",
 		},
-		cli.StringFlag{
-			Name:  "signature-policy",
-			Usage: "`pathname` of signature policy file (not usually used)",
-		},
 		cli.StringFlag{
 			Name:  "format, f",
 			Usage: "`format` of the image manifest and metadata",
+			Value: "oci",
+		},
+		cli.BoolFlag{
+			Name:  "quiet, q",
+			Usage: "don't output progress information when writing images",
 		},
 		cli.StringFlag{
 			Name:   "reference-time",
@@ -33,8 +44,16 @@ var (
 			Hidden: true,
 		},
 		cli.BoolFlag{
-			Name:  "quiet, q",
-			Usage: "don't output progress information when writing images",
+			Name:  "rm",
+			Usage: "remove the container and its content after committing it to an image. Default leaves the container and its content in place.",
+		},
+		cli.StringFlag{
+			Name:  "signature-policy",
+			Usage: "`pathname` of signature policy file (not usually used)",
+		},
+		cli.BoolTFlag{
+			Name:  "tls-verify",
+			Usage: "Require HTTPS and verify certificates when accessing the registry",
 		},
 	}
 	commitDescription = "Writes a new image using the container's read-write layer and, if it is based\n   on an image, the layers of that image"
@@ -62,22 +81,13 @@ func commitCmd(c *cli.Context) error {
 		return errors.Errorf("too many arguments specified")
 	}
 	image := args[0]
+	if err := validateFlags(c, commitFlags); err != nil {
+		return err
+	}

-	signaturePolicy := ""
-	if c.IsSet("signature-policy") {
-		signaturePolicy = c.String("signature-policy")
-	}
-	compress := archive.Uncompressed
-	if !c.IsSet("disable-compression") || !c.Bool("disable-compression") {
-		compress = archive.Gzip
-	}
-	quiet := false
-	if c.IsSet("quiet") {
-		quiet = c.Bool("quiet")
-	}
-	format := "oci"
-	if c.IsSet("format") {
-		format = c.String("format")
+	compress := archive.Gzip
+	if c.Bool("disable-compression") {
+		compress = archive.Uncompressed
 	}
 	timestamp := time.Now().UTC()
 	if c.IsSet("reference-time") {
@@ -88,6 +98,8 @@ func commitCmd(c *cli.Context) error {
 		}
 		timestamp = finfo.ModTime().UTC()
 	}
+
+	format := c.String("format")
 	if strings.HasPrefix(strings.ToLower(format), "oci") {
 		format = buildah.OCIv1ImageManifest
 	} else if strings.HasPrefix(strings.ToLower(format), "docker") {
@@ -114,13 +126,19 @@ func commitCmd(c *cli.Context) error {
 		dest = dest2
 	}

+	systemContext, err := systemContextFromOptions(c)
+	if err != nil {
+		return errors.Wrapf(err, "error building system context")
+	}
+
 	options := buildah.CommitOptions{
 		PreferredManifestType: format,
 		Compression:           compress,
-		SignaturePolicyPath:   signaturePolicy,
+		SignaturePolicyPath:   c.String("signature-policy"),
 		HistoryTimestamp:      &timestamp,
+		SystemContext:         systemContext,
 	}
-	if !quiet {
+	if !c.Bool("quiet") {
 		options.ReportWriter = os.Stderr
 	}
 	err = builder.Commit(dest, options)
@@ -128,5 +146,8 @@ func commitCmd(c *cli.Context) error {
 		return errors.Wrapf(err, "error committing container %q to %q", builder.Container, image)
 	}

+	if c.Bool("rm") {
+		return builder.Delete()
+	}
 	return nil
 }
--- a/cmd/buildah/common.go
+++ b/cmd/buildah/common.go
@@ -2,9 +2,16 @@ package main

 import (
 	"os"
+	"reflect"
+	"regexp"
+	"strings"
+	"syscall"
+	"time"

 	is "github.com/containers/image/storage"
+	"github.com/containers/image/types"
 	"github.com/containers/storage"
+	digest "github.com/opencontainers/go-digest"
 	"github.com/pkg/errors"
 	"github.com/projectatomic/buildah"
 	"github.com/urfave/cli"
@@ -71,3 +78,124 @@ func openImage(store storage.Store, name string) (builder *buildah.Builder, err
 	}
 	return builder, nil
 }
+
+func getDateAndDigestAndSize(image storage.Image, store storage.Store) (time.Time, string, int64, error) {
+	created := time.Time{}
+	is.Transport.SetStore(store)
+	storeRef, err := is.Transport.ParseStoreReference(store, "@"+image.ID)
+	if err != nil {
+		return created, "", -1, err
+	}
+	img, err := storeRef.NewImage(nil)
+	if err != nil {
+		return created, "", -1, err
+	}
+	defer img.Close()
+	imgSize, sizeErr := img.Size()
+	if sizeErr != nil {
+		imgSize = -1
+	}
+	manifest, _, manifestErr := img.Manifest()
+	manifestDigest := ""
+	if manifestErr == nil && len(manifest) > 0 {
+		manifestDigest = digest.Canonical.FromBytes(manifest).String()
+	}
+	inspectInfo, inspectErr := img.Inspect()
+	if inspectErr == nil && inspectInfo != nil {
+		created = inspectInfo.Created
+	}
+	if sizeErr != nil {
+		err = sizeErr
+	} else if manifestErr != nil {
+		err = manifestErr
+	} else if inspectErr != nil {
+		err = inspectErr
+	}
+	return created, manifestDigest, imgSize, err
+}
+
+// systemContextFromOptions returns a SystemContext populated with values
+// per the input parameters provided by the caller for the use in authentication.
+func systemContextFromOptions(c *cli.Context) (*types.SystemContext, error) {
+	ctx := &types.SystemContext{
+		DockerCertPath: c.String("cert-dir"),
+	}
+	if c.IsSet("tls-verify") {
+		ctx.DockerInsecureSkipTLSVerify = !c.BoolT("tls-verify")
+	}
+	if c.IsSet("creds") {
+		var err error
+		ctx.DockerAuthConfig, err = getDockerAuth(c.String("creds"))
+		if err != nil {
+			return nil, err
+		}
+	}
+	if c.IsSet("signature-policy") {
+		ctx.SignaturePolicyPath = c.String("signature-policy")
+	}
+	if c.IsSet("authfile") {
+		ctx.AuthFilePath = c.String("authfile")
+	}
+	return ctx, nil
+}
+
+func parseCreds(creds string) (string, string, error) {
+	if creds == "" {
+		return "", "", errors.Wrapf(syscall.EINVAL, "credentials can't be empty")
+	}
+	up := strings.SplitN(creds, ":", 2)
+	if len(up) == 1 {
+		return up[0], "", nil
+	}
+	if up[0] == "" {
+		return "", "", errors.Wrapf(syscall.EINVAL, "username can't be empty")
+	}
+	return up[0], up[1], nil
+}
+
+func getDockerAuth(creds string) (*types.DockerAuthConfig, error) {
+	username, password, err := parseCreds(creds)
+	if err != nil {
+		return nil, err
+	}
+	return &types.DockerAuthConfig{
+		Username: username,
+		Password: password,
+	}, nil
+}
+
+// validateFlags searches for StringFlags or StringSlice flags that never had
+// a value set.  This commonly occurs when the CLI mistakenly takes the next
+// option and uses it as a value.
+func validateFlags(c *cli.Context, flags []cli.Flag) error {
+	re, err := regexp.Compile("^-.+")
+	if err != nil {
+		return errors.Wrap(err, "compiling regex failed")
+	}
+
+	for _, flag := range flags {
+		switch reflect.TypeOf(flag).String() {
+		case "cli.StringSliceFlag":
+			{
+				f := flag.(cli.StringSliceFlag)
+				name := strings.Split(f.Name, ",")
+				val := c.StringSlice(name[0])
+				for _, v := range val {
+					if ok := re.MatchString(v); ok {
+						return errors.Errorf("option --%s requires a value", name[0])
+					}
+				}
+			}
+		case "cli.StringFlag":
+			{
+				f := flag.(cli.StringFlag)
+				name := strings.Split(f.Name, ",")
+				val := c.String(name[0])
+				if ok := re.MatchString(val); ok {
+					return errors.Errorf("option --%s requires a value", name[0])
+				}
+			}
+		}
+	}
+	return nil
+}
--- a/cmd/buildah/common_test.go
+++ b/cmd/buildah/common_test.go
@@ -0,0 +1,123 @@
+package main
+
+import (
+	"flag"
+	"os"
+	"os/user"
+	"testing"
+
+	is "github.com/containers/image/storage"
+	"github.com/containers/storage"
+	"github.com/projectatomic/buildah"
+	"github.com/sirupsen/logrus"
+	"github.com/urfave/cli"
+)
+
+var (
+	signaturePolicyPath = ""
+	storeOptions        = storage.DefaultStoreOptions
+)
+
+func TestMain(m *testing.M) {
+	flag.StringVar(&signaturePolicyPath, "signature-policy", "", "pathname of signature policy file (not usually used)")
+	options := storage.StoreOptions{}
+	debug := false
+	flag.StringVar(&options.GraphRoot, "root", "", "storage root dir")
+	flag.StringVar(&options.RunRoot, "runroot", "", "storage state dir")
+	flag.StringVar(&options.GraphDriverName, "storage-driver", "", "storage driver")
+	flag.BoolVar(&debug, "debug", false, "turn on debug logging")
+	flag.Parse()
+	if options.GraphRoot != "" || options.RunRoot != "" || options.GraphDriverName != "" {
+		storeOptions = options
+	}
+	if buildah.InitReexec() {
+		return
+	}
+	logrus.SetLevel(logrus.ErrorLevel)
+	if debug {
+		logrus.SetLevel(logrus.DebugLevel)
+	}
+	os.Exit(m.Run())
+}
+
+func TestGetStore(t *testing.T) {
+	// Make sure the tests are running as root
+	failTestIfNotRoot(t)
+
+	set := flag.NewFlagSet("test", 0)
+	globalSet := flag.NewFlagSet("test", 0)
+	globalSet.String("root", "", "path to the directory in which data, including images, is stored")
+	globalSet.String("runroot", "", "path to the directory in which state is stored")
+	globalSet.String("storage-driver", "", "storage driver")
+	globalCtx := cli.NewContext(nil, globalSet, nil)
+	globalCtx.GlobalSet("root", storeOptions.GraphRoot)
+	globalCtx.GlobalSet("runroot", storeOptions.RunRoot)
+	globalCtx.GlobalSet("storage-driver", storeOptions.GraphDriverName)
+	command := cli.Command{Name: "TestGetStore"}
+	c := cli.NewContext(nil, set, globalCtx)
+	c.Command = command
+
+	_, err := getStore(c)
+	if err != nil {
+		t.Error(err)
+	}
+}
+
+func TestGetSize(t *testing.T) {
+	// Make sure the tests are running as root
+	failTestIfNotRoot(t)
+
+	store, err := storage.GetStore(storeOptions)
+	if err != nil {
+		t.Fatal(err)
+	} else if store != nil {
+		is.Transport.SetStore(store)
+	}
+
+	// Pull an image so that we know we have at least one
+	_, err = pullTestImage(t, "busybox:latest")
+	if err != nil {
+		t.Fatalf("could not pull image to remove: %v", err)
+	}
+
+	images, err := store.Images()
+	if err != nil {
+		t.Fatalf("Error reading images: %v", err)
+	}
+
+	_, _, _, err = getDateAndDigestAndSize(images[0], store)
+	if err != nil {
+		t.Error(err)
+	}
+}
+
+func failTestIfNotRoot(t *testing.T) {
+	u, err := user.Current()
+	if err != nil {
+		t.Log("Could not determine user.  Running without root may cause tests to fail")
+	} else if u.Uid != "0" {
+		t.Fatal("tests will fail unless run as root")
+	}
+}
+
+func pullTestImage(t *testing.T, imageName string) (string, error) {
+	store, err := storage.GetStore(storeOptions)
+	if err != nil {
+		t.Fatal(err)
+	}
+	options := buildah.BuilderOptions{
+		FromImage:           imageName,
+		SignaturePolicyPath: signaturePolicyPath,
+	}
+
+	b, err := buildah.NewBuilder(store, options)
+	if err != nil {
+		t.Fatal(err)
+	}
+	id := b.FromImageID
+	err = b.Delete()
+	if err != nil {
+		t.Fatal(err)
+	}
+	return id, nil
+}
--- a/cmd/buildah/config.go
+++ b/cmd/buildah/config.go
@@ -3,10 +3,10 @@ package main
 import (
 	"strings"

-	"github.com/Sirupsen/logrus"
 	"github.com/mattn/go-shellwords"
 	"github.com/pkg/errors"
 	"github.com/projectatomic/buildah"
+	"github.com/sirupsen/logrus"
 	"github.com/urfave/cli"
 )

@@ -18,58 +18,58 @@ const (

 var (
 	configFlags = []cli.Flag{
-		cli.StringFlag{
-			Name:  "author",
-			Usage: "image author contact `information`",
-		},
-		cli.StringFlag{
-			Name:  "created-by",
-			Usage: "`description` of how the image was created",
-			Value: DefaultCreatedBy,
+		cli.StringSliceFlag{
+			Name:  "annotation, a",
+			Usage: "add `annotation` e.g. annotation=value, for the target image",
 		},
 		cli.StringFlag{
 			Name:  "arch",
-			Usage: "`architecture` of the target image",
+			Usage: "set `architecture` of the target image",
 		},
 		cli.StringFlag{
-			Name:  "os",
-			Usage: "`operating system` of the target image",
-		},
-		cli.StringFlag{
-			Name:  "user, u",
-			Usage: "`user` to run containers based on image as",
-		},
-		cli.StringSliceFlag{
-			Name:  "port, p",
-			Usage: "`port` to expose when running containers based on image",
-		},
-		cli.StringSliceFlag{
-			Name:  "env, e",
-			Usage: "`environment variable` to set when running containers based on image",
-		},
-		cli.StringFlag{
-			Name:  "entrypoint",
-			Usage: "`entry point` for containers based on image",
+			Name:  "author",
+			Usage: "set image author contact `information`",
 		},
 		cli.StringFlag{
 			Name:  "cmd",
-			Usage: "`command` for containers based on image",
-		},
-		cli.StringSliceFlag{
-			Name:  "volume, v",
-			Usage: "`volume` to create for containers based on image",
+			Usage: "sets the default `command` to run for containers based on the image",
 		},
 		cli.StringFlag{
-			Name:  "workingdir",
-			Usage: "working `directory` for containers based on image",
+			Name:  "created-by",
+			Usage: "add `description` of how the image was created",
+			Value: DefaultCreatedBy,
+		},
+		cli.StringFlag{
+			Name:  "entrypoint",
+			Usage: "set `entry point` for containers based on image",
+		},
+		cli.StringSliceFlag{
+			Name:  "env, e",
+			Usage: "add `environment variable` to be set when running containers based on image",
 		},
 		cli.StringSliceFlag{
 			Name:  "label, l",
-			Usage: "image configuration `label` e.g. label=value",
+			Usage: "add image configuration `label` e.g. label=value",
+		},
+		cli.StringFlag{
+			Name:  "os",
+			Usage: "set `operating system` of the target image",
 		},
 		cli.StringSliceFlag{
-			Name:  "annotation, a",
-			Usage: "`annotation` e.g. annotation=value, for the target image",
+			Name:  "port, p",
+			Usage: "add `port` to expose when running containers based on image",
+		},
+		cli.StringFlag{
+			Name:  "user, u",
+			Usage: "set default `user` to run inside containers based on image",
+		},
+		cli.StringSliceFlag{
+			Name:  "volume, v",
+			Usage: "add default `volume` path to be created for containers based on image",
+		},
+		cli.StringFlag{
+			Name:  "workingdir",
+			Usage: "set working `directory` for containers based on image",
 		},
 	}
 	configDescription = "Modifies the configuration values which will be saved to the image"
@@ -171,6 +171,9 @@ func configCmd(c *cli.Context) error {
 		return errors.Errorf("too many arguments specified")
 	}
 	name := args[0]
+	if err := validateFlags(c, configFlags); err != nil {
+		return err
+	}

 	store, err := getStore(c)
 	if err != nil {
--- a/cmd/buildah/containers.go
+++ b/cmd/buildah/containers.go
@@ -1,6 +1,7 @@
 package main

 import (
+	"encoding/json"
 	"fmt"

 	"github.com/pkg/errors"
@@ -8,11 +9,23 @@ import (
 	"github.com/urfave/cli"
 )

+type jsonContainer struct {
+	ID            string `json:"id"`
+	Builder       bool   `json:"builder"`
+	ImageID       string `json:"imageid"`
+	ImageName     string `json:"imagename"`
+	ContainerName string `json:"containername"`
+}
+
 var (
 	containersFlags = []cli.Flag{
 		cli.BoolFlag{
-			Name:  "quiet, q",
-			Usage: "display only container IDs",
+			Name:  "all, a",
+			Usage: "also list non-buildah containers",
+		},
+		cli.BoolFlag{
+			Name:  "json",
+			Usage: "output in JSON format",
 		},
 		cli.BoolFlag{
 			Name:  "noheading, n",
@@ -22,6 +35,10 @@ var (
 			Name:  "notruncate",
 			Usage: "do not truncate output",
 		},
+		cli.BoolFlag{
+			Name:  "quiet, q",
+			Usage: "display only container IDs",
+		},
 	}
 	containersDescription = "Lists containers which appear to be " + buildah.Package + " working containers, their\n   names and IDs, and the names and IDs of the images from which they were\n   initialized"
 	containersCommand     = cli.Command{
@@ -35,48 +52,95 @@ var (
 )

 func containersCmd(c *cli.Context) error {
+	if err := validateFlags(c, containersFlags); err != nil {
+		return err
+	}
 	store, err := getStore(c)
 	if err != nil {
 		return err
 	}

-	quiet := false
-	if c.IsSet("quiet") {
-		quiet = c.Bool("quiet")
+	quiet := c.Bool("quiet")
+	truncate := !c.Bool("notruncate")
+	JSONContainers := []jsonContainer{}
+	jsonOut := c.Bool("json")
+
+	list := func(n int, containerID, imageID, image, container string, isBuilder bool) {
+		if jsonOut {
+			JSONContainers = append(JSONContainers, jsonContainer{ID: containerID, Builder: isBuilder, ImageID: imageID, ImageName: image, ContainerName: container})
+			return
+		}
+
+		if n == 0 && !c.Bool("noheading") && !quiet {
+			if truncate {
+				fmt.Printf("%-12s  %-8s %-12s %-32s %s\n", "CONTAINER ID", "BUILDER", "IMAGE ID", "IMAGE NAME", "CONTAINER NAME")
+			} else {
+				fmt.Printf("%-64s %-8s %-64s %-32s %s\n", "CONTAINER ID", "BUILDER", "IMAGE ID", "IMAGE NAME", "CONTAINER NAME")
+			}
+		}
+		if quiet {
+			fmt.Printf("%s\n", containerID)
+		} else {
+			isBuilderValue := ""
+			if isBuilder {
+				isBuilderValue = "   *"
+			}
+			if truncate {
+				fmt.Printf("%-12.12s  %-8s %-12.12s %-32s %s\n", containerID, isBuilderValue, imageID, image, container)
+			} else {
+				fmt.Printf("%-64s %-8s %-64s %-32s %s\n", containerID, isBuilderValue, imageID, image, container)
+			}
+		}
 	}
-	noheading := false
-	if c.IsSet("noheading") {
-		noheading = c.Bool("noheading")
-	}
-	truncate := true
-	if c.IsSet("notruncate") {
-		truncate = !c.Bool("notruncate")
+	seenImages := make(map[string]string)
+	imageNameForID := func(id string) string {
+		if id == "" {
+			return buildah.BaseImageFakeName
+		}
+		imageName, ok := seenImages[id]
+		if ok {
+			return imageName
+		}
+		img, err2 := store.Image(id)
+		if err2 == nil && len(img.Names) > 0 {
+			seenImages[id] = img.Names[0]
+		}
+		return seenImages[id]
 	}

 	builders, err := openBuilders(store)
 	if err != nil {
 		return errors.Wrapf(err, "error reading build containers")
 	}
-	if len(builders) > 0 && !noheading && !quiet {
-		if truncate {
-			fmt.Printf("%-12s %-12s %-10s %s\n", "CONTAINER ID", "IMAGE ID", "IMAGE NAME", "CONTAINER NAME")
-		} else {
-			fmt.Printf("%-64s %-64s %-10s %s\n", "CONTAINER ID", "IMAGE ID", "IMAGE NAME", "CONTAINER NAME")
+	if !c.Bool("all") {
+		for i, builder := range builders {
+			image := imageNameForID(builder.FromImageID)
+			list(i, builder.ContainerID, builder.FromImageID, image, builder.Container, true)
+		}
+	} else {
+		builderMap := make(map[string]struct{})
+		for _, builder := range builders {
+			builderMap[builder.ContainerID] = struct{}{}
+		}
+		containers, err2 := store.Containers()
+		if err2 != nil {
+			return errors.Wrapf(err2, "error reading list of all containers")
+		}
+		for i, container := range containers {
+			name := ""
+			if len(container.Names) > 0 {
+				name = container.Names[0]
+			}
+			_, ours := builderMap[container.ID]
+			list(i, container.ID, container.ImageID, imageNameForID(container.ImageID), name, ours)
 		}
 	}
-	for _, builder := range builders {
-		if builder.FromImage == "" {
-			builder.FromImage = buildah.BaseImageFakeName
-		}
-		if quiet {
-			fmt.Printf("%s\n", builder.ContainerID)
-		} else {
-			if truncate {
-				fmt.Printf("%-12.12s %-12.12s %-10s %s\n", builder.ContainerID, builder.FromImageID, builder.FromImage, builder.Container)
-			} else {
-				fmt.Printf("%-64s %-64s %-10s %s\n", builder.ContainerID, builder.FromImageID, builder.FromImage, builder.Container)
-			}
+	if jsonOut {
+		data, err := json.MarshalIndent(JSONContainers, "", "    ")
+		if err != nil {
+			return err
 		}
+		fmt.Printf("%s\n", data)
 	}

 	return nil
--- a/cmd/buildah/from.go
+++ b/cmd/buildah/from.go
@@ -9,15 +9,22 @@ import (
 	"github.com/urfave/cli"
 )

-const (
-	// DefaultRegistry is a prefix that we apply to an image name if we
-	// can't find one in the local Store, in order to generate a source
-	// reference for the image that we can then copy to the local Store.
-	DefaultRegistry = "docker://"
-)
-
 var (
 	fromFlags = []cli.Flag{
+		cli.StringFlag{
+			Name:  "authfile",
+			Usage: "path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json",
+		},
+		cli.StringFlag{
+			Name:  "cert-dir",
+			Value: "",
+			Usage: "use certificates at the specified path to access the registry",
+		},
+		cli.StringFlag{
+			Name:  "creds",
+			Value: "",
+			Usage: "use `username[:password]` for accessing the registry",
+		},
 		cli.StringFlag{
 			Name:  "name",
 			Usage: "`name` for the working container",
@@ -28,20 +35,19 @@ var (
 		},
 		cli.BoolFlag{
 			Name:  "pull-always",
-			Usage: "pull the image even if one with the same name is already present",
+			Usage: "pull the image even if named image is present in store (supersedes pull option)",
 		},
-		cli.StringFlag{
-			Name:  "registry",
-			Usage: "`prefix` to prepend to the image name in order to pull the image",
-			Value: DefaultRegistry,
+		cli.BoolFlag{
+			Name:  "quiet, q",
+			Usage: "don't output progress information when pulling images",
 		},
 		cli.StringFlag{
 			Name:  "signature-policy",
 			Usage: "`pathname` of signature policy file (not usually used)",
 		},
-		cli.BoolFlag{
-			Name:  "quiet, q",
-			Usage: "don't output progress information when pulling images",
+		cli.BoolTFlag{
+			Name:  "tls-verify",
+			Usage: "require HTTPS and verify certificates when accessing the registry",
 		},
 	}
 	fromDescription = "Creates a new working container, either from scratch or using a specified\n   image as a starting point"
@@ -65,42 +71,24 @@ func fromCmd(c *cli.Context) error {
 	if len(args) > 1 {
 		return errors.Errorf("too many arguments specified")
 	}
-	image := args[0]
+	if err := validateFlags(c, fromFlags); err != nil {
+		return err
+	}

-	registry := DefaultRegistry
-	if c.IsSet("registry") {
-		registry = c.String("registry")
-	}
-	pull := true
-	if c.IsSet("pull") {
-		pull = c.BoolT("pull")
-	}
-	pullAlways := false
-	if c.IsSet("pull-always") {
-		pull = c.Bool("pull-always")
+	systemContext, err := systemContextFromOptions(c)
+	if err != nil {
+		return errors.Wrapf(err, "error building system context")
 	}

 	pullPolicy := buildah.PullNever
-	if pull {
+	if c.BoolT("pull") {
 		pullPolicy = buildah.PullIfMissing
 	}
-	if pullAlways {
+	if c.Bool("pull-always") {
 		pullPolicy = buildah.PullAlways
 	}

-	name := ""
-	if c.IsSet("name") {
-		name = c.String("name")
-	}
-	signaturePolicy := ""
-	if c.IsSet("signature-policy") {
-		signaturePolicy = c.String("signature-policy")
-	}
-
-	quiet := false
-	if c.IsSet("quiet") {
-		quiet = c.Bool("quiet")
-	}
+	signaturePolicy := c.String("signature-policy")

 	store, err := getStore(c)
 	if err != nil {
@@ -108,13 +96,14 @@ func fromCmd(c *cli.Context) error {
 	}

 	options := buildah.BuilderOptions{
-		FromImage:           image,
-		Container:           name,
-		PullPolicy:          pullPolicy,
-		Registry:            registry,
-		SignaturePolicyPath: signaturePolicy,
+		FromImage:             args[0],
+		Container:             c.String("name"),
+		PullPolicy:            pullPolicy,
+		SignaturePolicyPath:   signaturePolicy,
+		SystemContext:         systemContext,
+		DefaultMountsFilePath: c.GlobalString("default-mounts-file"),
 	}
-	if !quiet {
+	if !c.Bool("quiet") {
 		options.ReportWriter = os.Stderr
 	}

--- a/cmd/buildah/images.go
+++ b/cmd/buildah/images.go
@@ -2,26 +2,75 @@ package main

 import (
 	"fmt"
+	"os"
+	"strings"
+	"text/template"
+	"time"

+	"encoding/json"
+
+	is "github.com/containers/image/storage"
+	"github.com/containers/storage"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 	"github.com/urfave/cli"
 )

+type jsonImage struct {
+	ID    string   `json:"id"`
+	Names []string `json:"names"`
+}
+
+type imageOutputParams struct {
+	ID        string
+	Name      string
+	Digest    string
+	CreatedAt string
+	Size      string
+}
+
+type filterParams struct {
+	dangling         string
+	label            string
+	beforeImage      string // Images are sorted by date, so we can just output until we see the image
+	sinceImage       string // Images are sorted by date, so we can just output until we don't see the image
+	beforeDate       time.Time
+	sinceDate        time.Time
+	referencePattern string
+}
+
 var (
 	imagesFlags = []cli.Flag{
 		cli.BoolFlag{
-			Name:  "quiet, q",
-			Usage: "display only image IDs",
+			Name:  "digests",
+			Usage: "show digests",
+		},
+		cli.StringFlag{
+			Name:  "filter, f",
+			Usage: "filter output based on conditions provided",
+		},
+		cli.StringFlag{
+			Name:  "format",
+			Usage: "pretty-print images using a Go template. will override --quiet",
+		},
+		cli.BoolFlag{
+			Name:  "json",
+			Usage: "output in JSON format",
 		},
 		cli.BoolFlag{
 			Name:  "noheading, n",
 			Usage: "do not print column headings",
 		},
 		cli.BoolFlag{
-			Name:  "notruncate",
+			Name:  "no-trunc, notruncate",
 			Usage: "do not truncate output",
 		},
+		cli.BoolFlag{
+			Name:  "quiet, q",
+			Usage: "display only image IDs",
+		},
 	}
+
 	imagesDescription = "Lists locally stored images."
 	imagesCommand     = cli.Command{
 		Name:        "images",
@@ -34,52 +83,312 @@ var (
 )

 func imagesCmd(c *cli.Context) error {
+	if err := validateFlags(c, imagesFlags); err != nil {
+		return err
+	}
 	store, err := getStore(c)
 	if err != nil {
 		return err
 	}

-	quiet := false
-	if c.IsSet("quiet") {
-		quiet = c.Bool("quiet")
-	}
-	noheading := false
-	if c.IsSet("noheading") {
-		noheading = c.Bool("noheading")
-	}
-	truncate := true
-	if c.IsSet("notruncate") {
-		truncate = !c.Bool("notruncate")
-	}
 	images, err := store.Images()
 	if err != nil {
 		return errors.Wrapf(err, "error reading images")
 	}

-	if len(images) > 0 && !noheading && !quiet {
-		if truncate {
-			fmt.Printf("%-12s %s\n", "IMAGE ID", "IMAGE NAME")
-		} else {
-			fmt.Printf("%-64s %s\n", "IMAGE ID", "IMAGE NAME")
+	quiet := c.Bool("quiet")
+	truncate := !c.Bool("no-trunc")
+	digests := c.Bool("digests")
+	hasTemplate := c.IsSet("format")
+
+	name := ""
+	if len(c.Args()) == 1 {
+		name = c.Args().Get(0)
+	} else if len(c.Args()) > 1 {
+		return errors.New("'buildah images' requires at most 1 argument")
+	}
+	if c.IsSet("json") {
+		JSONImages := []jsonImage{}
+		for _, image := range images {
+			JSONImages = append(JSONImages, jsonImage{ID: image.ID, Names: image.Names})
+		}
+		data, err2 := json.MarshalIndent(JSONImages, "", "    ")
+		if err2 != nil {
+			return err2
+		}
+		fmt.Printf("%s\n", data)
+		return nil
+	}
+	var params *filterParams
+	if c.IsSet("filter") {
+		params, err = parseFilter(store, images, c.String("filter"))
+		if err != nil {
+			return errors.Wrapf(err, "error parsing filter")
+		}
+	} else {
+		params = nil
+	}
+
+	if len(images) > 0 && !c.Bool("noheading") && !quiet && !hasTemplate {
+		outputHeader(truncate, digests)
+	}
+
+	return outputImages(images, c.String("format"), store, params, name, hasTemplate, truncate, digests, quiet)
+}
+
+func parseFilter(store storage.Store, images []storage.Image, filter string) (*filterParams, error) {
+	params := new(filterParams)
+	filterStrings := strings.Split(filter, ",")
+	for _, param := range filterStrings {
+		pair := strings.SplitN(param, "=", 2)
+		switch strings.TrimSpace(pair[0]) {
+		case "dangling":
+			if pair[1] == "true" || pair[1] == "false" {
+				params.dangling = pair[1]
+			} else {
+				return nil, fmt.Errorf("invalid filter: '%s=[%s]'", pair[0], pair[1])
+			}
+		case "label":
+			params.label = pair[1]
+		case "before":
+			beforeDate, err := setFilterDate(store, images, pair[1])
+			if err != nil {
+				return nil, fmt.Errorf("no such id: %s", pair[0])
+			}
+			params.beforeDate = beforeDate
+			params.beforeImage = pair[1]
+		case "since":
+			sinceDate, err := setFilterDate(store, images, pair[1])
+			if err != nil {
+				return nil, fmt.Errorf("no such id: %s", pair[0])
+			}
+			params.sinceDate = sinceDate
+			params.sinceImage = pair[1]
+		case "reference":
+			params.referencePattern = pair[1]
+		default:
+			return nil, fmt.Errorf("invalid filter: '%s'", pair[0])
 		}
 	}
+	return params, nil
+}
+
+func setFilterDate(store storage.Store, images []storage.Image, imgName string) (time.Time, error) {
 	for _, image := range images {
-		if quiet {
-			fmt.Printf("%s\n", image.ID)
-			continue
-		}
-		names := []string{""}
-		if len(image.Names) > 0 {
-			names = image.Names
-		}
-		for _, name := range names {
-			if truncate {
-				fmt.Printf("%-12.12s %s\n", image.ID, name)
-			} else {
-				fmt.Printf("%-64s %s\n", image.ID, name)
+		for _, name := range image.Names {
+			if matchesReference(name, imgName) {
+				// Set the date to this image
+				ref, err := is.Transport.ParseStoreReference(store, "@"+image.ID)
+				if err != nil {
+					return time.Time{}, fmt.Errorf("error parsing reference to image %q: %v", image.ID, err)
+				}
+				img, err := ref.NewImage(nil)
+				if err != nil {
+					return time.Time{}, fmt.Errorf("error reading image %q: %v", image.ID, err)
+				}
+				defer img.Close()
+				inspect, err := img.Inspect()
+				if err != nil {
+					return time.Time{}, fmt.Errorf("error inspecting image %q: %v", image.ID, err)
+				}
+				date := inspect.Created
+				return date, nil
 			}
 		}
 	}
+	return time.Time{}, fmt.Errorf("Could not locate image %q", imgName)
+}

+func outputHeader(truncate, digests bool) {
+	if truncate {
+		fmt.Printf("%-20s %-56s ", "IMAGE ID", "IMAGE NAME")
+	} else {
+		fmt.Printf("%-64s %-56s ", "IMAGE ID", "IMAGE NAME")
+	}
+
+	if digests {
+		fmt.Printf("%-71s ", "DIGEST")
+	}
+
+	fmt.Printf("%-22s %s\n", "CREATED AT", "SIZE")
+}
+
+func outputImages(images []storage.Image, format string, store storage.Store, filters *filterParams, argName string, hasTemplate, truncate, digests, quiet bool) error {
+	for _, image := range images {
+		createdTime := image.Created
+
+		inspectedTime, digest, size, _ := getDateAndDigestAndSize(image, store)
+		if !inspectedTime.IsZero() {
+			if createdTime != inspectedTime {
+				logrus.Debugf("image record and configuration disagree on the image's creation time for %q, using the one from the configuration", image)
+				createdTime = inspectedTime
+			}
+		}
+
+		names := []string{}
+		if len(image.Names) > 0 {
+			names = image.Names
+		} else {
+			// images without names should be printed with "<none>" as the image name
+			names = append(names, "<none>")
+		}
+		for _, name := range names {
+			if !matchesFilter(image, store, name, filters) || !matchesReference(name, argName) {
+				continue
+			}
+			if quiet {
+				fmt.Printf("%-64s\n", image.ID)
+				// We only want to print each id once
+				break
+			}
+
+			params := imageOutputParams{
+				ID:        image.ID,
+				Name:      name,
+				Digest:    digest,
+				CreatedAt: createdTime.Format("Jan 2, 2006 15:04"),
+				Size:      formattedSize(size),
+			}
+			if hasTemplate {
+				if err := outputUsingTemplate(format, params); err != nil {
+					return err
+				}
+				continue
+			}
+
+			outputUsingFormatString(truncate, digests, params)
+		}
+	}
 	return nil
 }
+
+func matchesFilter(image storage.Image, store storage.Store, name string, params *filterParams) bool {
+	if params == nil {
+		return true
+	}
+	if params.dangling != "" && !matchesDangling(name, params.dangling) {
+		return false
+	} else if params.label != "" && !matchesLabel(image, store, params.label) {
+		return false
+	} else if params.beforeImage != "" && !matchesBeforeImage(image, name, params) {
+		return false
+	} else if params.sinceImage != "" && !matchesSinceImage(image, name, params) {
+		return false
+	} else if params.referencePattern != "" && !matchesReference(name, params.referencePattern) {
+		return false
+	}
+	return true
+}
+
+func matchesDangling(name string, dangling string) bool {
+	if dangling == "false" && name != "<none>" {
+		return true
+	} else if dangling == "true" && name == "<none>" {
+		return true
+	}
+	return false
+}
+
+func matchesLabel(image storage.Image, store storage.Store, label string) bool {
+	storeRef, err := is.Transport.ParseStoreReference(store, "@"+image.ID)
+	if err != nil {
+		return false
+	}
+	img, err := storeRef.NewImage(nil)
+	if err != nil {
+		return false
+	}
+	defer img.Close()
+	info, err := img.Inspect()
+	if err != nil {
+		return false
+	}
+
+	pair := strings.SplitN(label, "=", 2)
+	for key, value := range info.Labels {
+		if key == pair[0] {
+			if len(pair) == 2 {
+				if value == pair[1] {
+					return true
+				}
+			} else {
+				return false
+			}
+		}
+	}
+	return false
+}
+
+// Returns true if the image was created since the filter image.  Returns
+// false otherwise
+func matchesBeforeImage(image storage.Image, name string, params *filterParams) bool {
+	if image.Created.IsZero() || image.Created.Before(params.beforeDate) {
+		return true
+	}
+	return false
+}
+
+// Returns true if the image was created since the filter image.  Returns
+// false otherwise
+func matchesSinceImage(image storage.Image, name string, params *filterParams) bool {
+	if image.Created.IsZero() || image.Created.After(params.sinceDate) {
+		return true
+	}
+	return false
+}
+
+func matchesID(imageID, argID string) bool {
+	return strings.HasPrefix(imageID, argID)
+}
+
+func matchesReference(name, argName string) bool {
+	if argName == "" {
+		return true
+	}
+	splitName := strings.Split(name, ":")
+	// If the arg contains a tag, we handle it differently than if it does not
+	if strings.Contains(argName, ":") {
+		splitArg := strings.Split(argName, ":")
+		return strings.HasSuffix(splitName[0], splitArg[0]) && (splitName[1] == splitArg[1])
+	}
+	return strings.HasSuffix(splitName[0], argName)
+}
+
+func formattedSize(size int64) string {
+	suffixes := [5]string{"B", "KB", "MB", "GB", "TB"}
+
+	count := 0
+	formattedSize := float64(size)
+	for formattedSize >= 1024 && count < 4 {
+		formattedSize /= 1024
+		count++
+	}
+	return fmt.Sprintf("%.4g %s", formattedSize, suffixes[count])
+}
+
+func outputUsingTemplate(format string, params imageOutputParams) error {
+	tmpl, err := template.New("image").Parse(format)
+	if err != nil {
+		return errors.Wrapf(err, "Template parsing error")
+	}
+
+	err = tmpl.Execute(os.Stdout, params)
+	if err != nil {
+		return err
+	}
+	fmt.Println()
+	return nil
+}
+
+func outputUsingFormatString(truncate, digests bool, params imageOutputParams) {
+	if truncate {
+		fmt.Printf("%-20.12s %-56s", params.ID, params.Name)
+	} else {
+		fmt.Printf("%-64s %-56s", params.ID, params.Name)
+	}
+
+	if digests {
+		fmt.Printf(" %-64s", params.Digest)
+	}
+	fmt.Printf(" %-22s %s\n", params.CreatedAt, params.Size)
+}
--- a/cmd/buildah/images_test.go
+++ b/cmd/buildah/images_test.go
@@ -0,0 +1,713 @@
+package main
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"os"
+	"strings"
+	"testing"
+	"time"
+
+	is "github.com/containers/image/storage"
+	"github.com/containers/storage"
+)
+
+func TestTemplateOutputBlankTemplate(t *testing.T) {
+	params := imageOutputParams{
+		ID:        "0123456789abcdef",
+		Name:      "test/image:latest",
+		Digest:    "sha256:012345789abcdef012345789abcdef012345789abcdef012345789abcdef",
+		CreatedAt: "Jan 01 2016 10:45",
+		Size:      "97 KB",
+	}
+
+	err := outputUsingTemplate("", params)
+	//Output: Words
+	if err != nil {
+		t.Error(err)
+	}
+}
+
+func TestTemplateOutputValidTemplate(t *testing.T) {
+	params := imageOutputParams{
+		ID:        "0123456789abcdef",
+		Name:      "test/image:latest",
+		Digest:    "sha256:012345789abcdef012345789abcdef012345789abcdef012345789abcdef",
+		CreatedAt: "Jan 01 2016 10:45",
+		Size:      "97 KB",
+	}
+
+	templateString := "{{.ID}}"
+
+	output, err := captureOutputWithError(func() error {
+		return outputUsingTemplate(templateString, params)
+	})
+	if err != nil {
+		t.Error(err)
+	} else if strings.TrimSpace(output) != strings.TrimSpace(params.ID) {
+		t.Errorf("Error with template output:\nExpected: %s\nReceived: %s\n", params.ID, output)
+	}
+}
+
+func TestFormatStringOutput(t *testing.T) {
+	params := imageOutputParams{
+		ID:        "012345789abcdef",
+		Name:      "test/image:latest",
+		Digest:    "sha256:012345789abcdef012345789abcdef012345789abcdef012345789abcdef",
+		CreatedAt: "Jan 01 2016 10:45",
+		Size:      "97 KB",
+	}
+
+	output := captureOutput(func() {
+		outputUsingFormatString(true, true, params)
+	})
+	expectedOutput := fmt.Sprintf("%-20.12s %-56s %-64s %-22s %s\n", params.ID, params.Name, params.Digest, params.CreatedAt, params.Size)
+	if output != expectedOutput {
+		t.Errorf("Error outputting using format string:\n\texpected: %s\n\treceived: %s\n", expectedOutput, output)
+	}
+}
+
+func TestSizeFormatting(t *testing.T) {
+	size := formattedSize(0)
+	if size != "0 B" {
+		t.Errorf("Error formatting size: expected '%s' got '%s'", "0 B", size)
+	}
+
+	size = formattedSize(1024)
+	if size != "1 KB" {
+		t.Errorf("Error formatting size: expected '%s' got '%s'", "1 KB", size)
+	}
+
+	size = formattedSize(1024 * 1024 * 1024 * 1024 * 1024)
+	if size != "1024 TB" {
+		t.Errorf("Error formatting size: expected '%s' got '%s'", "1024 TB", size)
+	}
+}
+
+func TestOutputHeader(t *testing.T) {
+	output := captureOutput(func() {
+		outputHeader(true, false)
+	})
+	expectedOutput := fmt.Sprintf("%-20s %-56s %-22s %s\n", "IMAGE ID", "IMAGE NAME", "CREATED AT", "SIZE")
+	if output != expectedOutput {
+		t.Errorf("Error outputting header:\n\texpected: %s\n\treceived: %s\n", expectedOutput, output)
+	}
+
+	output = captureOutput(func() {
+		outputHeader(true, true)
+	})
+	expectedOutput = fmt.Sprintf("%-20s %-56s %-71s %-22s %s\n", "IMAGE ID", "IMAGE NAME", "DIGEST", "CREATED AT", "SIZE")
+	if output != expectedOutput {
+		t.Errorf("Error outputting header:\n\texpected: %s\n\treceived: %s\n", expectedOutput, output)
+	}
+
+	output = captureOutput(func() {
+		outputHeader(false, false)
+	})
+	expectedOutput = fmt.Sprintf("%-64s %-56s %-22s %s\n", "IMAGE ID", "IMAGE NAME", "CREATED AT", "SIZE")
+	if output != expectedOutput {
+		t.Errorf("Error outputting header:\n\texpected: %s\n\treceived: %s\n", expectedOutput, output)
+	}
+}
+
+func TestMatchWithTag(t *testing.T) {
+	isMatch := matchesReference("docker.io/kubernetes/pause:latest", "pause:latest")
+	if !isMatch {
+		t.Error("expected match, got not match")
+	}
+
+	isMatch = matchesReference("docker.io/kubernetes/pause:latest", "kubernetes/pause:latest")
+	if !isMatch {
+		t.Error("expected match, got no match")
+	}
+}
+
+func TestNoMatchesReferenceWithTag(t *testing.T) {
+	isMatch := matchesReference("docker.io/kubernetes/pause:latest", "redis:latest")
+	if isMatch {
+		t.Error("expected no match, got match")
+	}
+
+	isMatch = matchesReference("docker.io/kubernetes/pause:latest", "kubernetes/redis:latest")
+	if isMatch {
+		t.Error("expected no match, got match")
+	}
+}
+
+func TestMatchesReferenceWithoutTag(t *testing.T) {
+	isMatch := matchesReference("docker.io/kubernetes/pause:latest", "pause")
+	if !isMatch {
+		t.Error("expected match, got not match")
+	}
+
+	isMatch = matchesReference("docker.io/kubernetes/pause:latest", "kubernetes/pause")
+	if !isMatch {
+		t.Error("expected match, got no match")
+	}
+}
+
+func TestNoMatchesReferenceWithoutTag(t *testing.T) {
+	isMatch := matchesReference("docker.io/kubernetes/pause:latest", "redis")
+	if isMatch {
+		t.Error("expected no match, got match")
+	}
+
+	isMatch = matchesReference("docker.io/kubernetes/pause:latest", "kubernetes/redis")
+	if isMatch {
+		t.Error("expected no match, got match")
+	}
+}
+
+func TestOutputImagesQuietTruncated(t *testing.T) {
+	// Make sure the tests are running as root
+	failTestIfNotRoot(t)
+
+	store, err := storage.GetStore(storeOptions)
+	if err != nil {
+		t.Fatal(err)
+	} else if store != nil {
+		is.Transport.SetStore(store)
+	}
+
+	images, err := store.Images()
+	if err != nil {
+		t.Fatalf("Error reading images: %v", err)
+	}
+
+	// Pull an image so that we know we have at least one
+	_, err = pullTestImage(t, "busybox:latest")
+	if err != nil {
+		t.Fatalf("could not pull image to remove: %v", err)
+	}
+
+	// Tests quiet and truncated output
+	output, err := captureOutputWithError(func() error {
+		return outputImages(images[:1], "", store, nil, "", false, true, false, true)
+	})
+	expectedOutput := fmt.Sprintf("%-64s\n", images[0].ID)
+	if err != nil {
+		t.Error("quiet/truncated output produces error")
+	} else if strings.TrimSpace(output) != strings.TrimSpace(expectedOutput) {
+		t.Errorf("quiet/truncated output does not match expected value\nExpected: %s\nReceived: %s\n", expectedOutput, output)
+	}
+}
+
+func TestOutputImagesQuietNotTruncated(t *testing.T) {
+	// Make sure the tests are running as root
+	failTestIfNotRoot(t)
+
+	store, err := storage.GetStore(storeOptions)
+	if err != nil {
+		t.Fatal(err)
+	} else if store != nil {
+		is.Transport.SetStore(store)
+	}
+
+	// Pull an image so that we know we have at least one
+	_, err = pullTestImage(t, "busybox:latest")
+	if err != nil {
+		t.Fatalf("could not pull image to remove: %v", err)
+	}
+
+	images, err := store.Images()
+	if err != nil {
+		t.Fatalf("Error reading images: %v", err)
+	}
+
+	// Tests quiet and non-truncated output
+	output, err := captureOutputWithError(func() error {
+		return outputImages(images[:1], "", store, nil, "", false, false, false, true)
+	})
+	expectedOutput := fmt.Sprintf("%-64s\n", images[0].ID)
+	if err != nil {
+		t.Error("quiet/non-truncated output produces error")
+	} else if strings.TrimSpace(output) != strings.TrimSpace(expectedOutput) {
+		t.Errorf("quiet/non-truncated output does not match expected value\nExpected: %s\nReceived: %s\n", expectedOutput, output)
+	}
+}
+
+func TestOutputImagesFormatString(t *testing.T) {
+	// Make sure the tests are running as root
+	failTestIfNotRoot(t)
+
+	store, err := storage.GetStore(storeOptions)
+	if err != nil {
+		t.Fatal(err)
+	} else if store != nil {
+		is.Transport.SetStore(store)
+	}
+
+	// Pull an image so that we know we have at least one
+	_, err = pullTestImage(t, "busybox:latest")
+	if err != nil {
+		t.Fatalf("could not pull image to remove: %v", err)
+	}
+
+	images, err := store.Images()
+	if err != nil {
+		t.Fatalf("Error reading images: %v", err)
+	}
+
+	// Tests output with format template
+	output, err := captureOutputWithError(func() error {
+		return outputImages(images[:1], "{{.ID}}", store, nil, "", true, true, false, false)
+	})
+	expectedOutput := fmt.Sprintf("%s", images[0].ID)
+	if err != nil {
+		t.Error("format string output produces error")
+	} else if strings.TrimSpace(output) != strings.TrimSpace(expectedOutput) {
+		t.Errorf("format string output does not match expected value\nExpected: %s\nReceived: %s\n", expectedOutput, output)
+	}
+}
+
+func TestOutputImagesFormatTemplate(t *testing.T) {
+	// Make sure the tests are running as root
+	failTestIfNotRoot(t)
+
+	store, err := storage.GetStore(storeOptions)
+	if err != nil {
+		t.Fatal(err)
+	} else if store != nil {
+		is.Transport.SetStore(store)
+	}
+
+	// Pull an image so that we know we have at least one
+	_, err = pullTestImage(t, "busybox:latest")
+	if err != nil {
+		t.Fatalf("could not pull image to remove: %v", err)
+	}
+
+	images, err := store.Images()
+	if err != nil {
+		t.Fatalf("Error reading images: %v", err)
+	}
+
+	// Tests quiet and non-truncated output
+	output, err := captureOutputWithError(func() error {
+		return outputImages(images[:1], "", store, nil, "", false, false, false, true)
+	})
+	expectedOutput := fmt.Sprintf("%-64s\n", images[0].ID)
+	if err != nil {
+		t.Error("format template output produces error")
+	} else if strings.TrimSpace(output) != strings.TrimSpace(expectedOutput) {
+		t.Errorf("format template output does not match expected value\nExpected: %s\nReceived: %s\n", expectedOutput, output)
+	}
+}
+
+func TestOutputImagesArgNoMatch(t *testing.T) {
+	// Make sure the tests are running as root
+	failTestIfNotRoot(t)
+
+	store, err := storage.GetStore(storeOptions)
+	if err != nil {
+		t.Fatal(err)
+	} else if store != nil {
+		is.Transport.SetStore(store)
+	}
+
+	// Pull an image so that we know we have at least one
+	_, err = pullTestImage(t, "busybox:latest")
+	if err != nil {
+		t.Fatalf("could not pull image to remove: %v", err)
+	}
+
+	images, err := store.Images()
+	if err != nil {
+		t.Fatalf("Error reading images: %v", err)
+	}
+
+	// Tests output with an arg name that does not match.  Args ending in ":" cannot match
+	// because all images in the repository must have a tag, and here the tag is an
+	// empty string
+	output, err := captureOutputWithError(func() error {
+		return outputImages(images[:1], "", store, nil, "foo:", false, true, false, false)
+	})
+	expectedOutput := fmt.Sprintf("")
+	if err != nil {
+		t.Error("arg no match output produces error")
+	} else if strings.TrimSpace(output) != strings.TrimSpace(expectedOutput) {
+		t.Error("arg no match output should be empty")
+	}
+}
+
+func TestOutputMultipleImages(t *testing.T) {
+	// Make sure the tests are running as root
+	failTestIfNotRoot(t)
+
+	store, err := storage.GetStore(storeOptions)
+	if err != nil {
+		t.Fatal(err)
+	} else if store != nil {
+		is.Transport.SetStore(store)
+	}
+
+	// Pull two images so that we know we have at least two
+	_, err = pullTestImage(t, "busybox:latest")
+	if err != nil {
+		t.Fatalf("could not pull image to remove: %v", err)
+	}
+	_, err = pullTestImage(t, "alpine:latest")
+	if err != nil {
+		t.Fatalf("could not pull image to remove: %v", err)
+	}
+
+	images, err := store.Images()
+	if err != nil {
+		t.Fatalf("Error reading images: %v", err)
+	}
+
+	// Tests quiet and truncated output
+	output, err := captureOutputWithError(func() error {
+		return outputImages(images[:2], "", store, nil, "", false, true, false, true)
+	})
+	expectedOutput := fmt.Sprintf("%-64s\n%-64s\n", images[0].ID, images[1].ID)
+	if err != nil {
+		t.Error("multi-image output produces error")
+	} else if strings.TrimSpace(output) != strings.TrimSpace(expectedOutput) {
+		t.Errorf("multi-image output does not match expected value\nExpected: %s\nReceived: %s\n", expectedOutput, output)
+	}
+}
+
+func TestParseFilterAllParams(t *testing.T) {
+	// Make sure the tests are running as root
+	failTestIfNotRoot(t)
+
+	store, err := storage.GetStore(storeOptions)
+	if err != nil {
+		t.Fatal(err)
+	} else if store != nil {
+		is.Transport.SetStore(store)
+	}
+	images, err := store.Images()
+	if err != nil {
+		t.Fatalf("Error reading images: %v", err)
+	}
+	// Pull an image so we know we have it
+	_, err = pullTestImage(t, "busybox:latest")
+	if err != nil {
+		t.Fatalf("could not pull image to remove: %v", err)
+	}
+
+	label := "dangling=true,label=a=b,before=busybox:latest,since=busybox:latest,reference=abcdef"
+	params, err := parseFilter(store, images, label)
+	if err != nil {
+		t.Fatalf("error parsing filter: %v", err)
+	}
+
+	ref, err := is.Transport.ParseStoreReference(store, "busybox:latest")
+	if err != nil {
+		t.Fatalf("error parsing store reference: %v", err)
+	}
+	img, err := ref.NewImage(nil)
+	if err != nil {
+		t.Fatalf("error reading image from store: %v", err)
+	}
+	defer img.Close()
+	inspect, err := img.Inspect()
+	if err != nil {
+		t.Fatalf("error inspecting image in store: %v", err)
+	}
+
+	expectedParams := &filterParams{
+		dangling:         "true",
+		label:            "a=b",
+		beforeImage:      "busybox:latest",
+		beforeDate:       inspect.Created,
+		sinceImage:       "busybox:latest",
+		sinceDate:        inspect.Created,
+		referencePattern: "abcdef",
+	}
+	if *params != *expectedParams {
+		t.Errorf("filter did not return expected result\n\tExpected: %v\n\tReceived: %v", expectedParams, params)
+	}
+}
+
+func TestParseFilterInvalidDangling(t *testing.T) {
+	// Make sure the tests are running as root
+	failTestIfNotRoot(t)
+
+	store, err := storage.GetStore(storeOptions)
+	if err != nil {
+		t.Fatal(err)
+	} else if store != nil {
+		is.Transport.SetStore(store)
+	}
+	images, err := store.Images()
+	if err != nil {
+		t.Fatalf("Error reading images: %v", err)
+	}
+	// Pull an image so we know we have it
+	_, err = pullTestImage(t, "busybox:latest")
+	if err != nil {
+		t.Fatalf("could not pull image to remove: %v", err)
+	}
+
+	label := "dangling=NO,label=a=b,before=busybox:latest,since=busybox:latest,reference=abcdef"
+	_, err = parseFilter(store, images, label)
+	if err == nil || err.Error() != "invalid filter: 'dangling=[NO]'" {
+		t.Fatalf("expected error parsing filter")
+	}
+}
+
+func TestParseFilterInvalidBefore(t *testing.T) {
+	// Make sure the tests are running as root
+	failTestIfNotRoot(t)
+
+	store, err := storage.GetStore(storeOptions)
+	if err != nil {
+		t.Fatal(err)
+	} else if store != nil {
+		is.Transport.SetStore(store)
+	}
+	images, err := store.Images()
+	if err != nil {
+		t.Fatalf("Error reading images: %v", err)
+	}
+	// Pull an image so we know we have it
+	_, err = pullTestImage(t, "busybox:latest")
+	if err != nil {
+		t.Fatalf("could not pull image to remove: %v", err)
+	}
+
+	label := "dangling=false,label=a=b,before=:,since=busybox:latest,reference=abcdef"
+	_, err = parseFilter(store, images, label)
+	if err == nil || !strings.Contains(err.Error(), "no such id") {
+		t.Fatalf("expected error parsing filter")
+	}
+}
+
+func TestParseFilterInvalidSince(t *testing.T) {
+	// Make sure the tests are running as root
+	failTestIfNotRoot(t)
+
+	store, err := storage.GetStore(storeOptions)
+	if err != nil {
+		t.Fatal(err)
+	} else if store != nil {
+		is.Transport.SetStore(store)
+	}
+	images, err := store.Images()
+	if err != nil {
+		t.Fatalf("Error reading images: %v", err)
+	}
+	// Pull an image so we know we have it
+	_, err = pullTestImage(t, "busybox:latest")
+	if err != nil {
+		t.Fatalf("could not pull image to remove: %v", err)
+	}
+
+	label := "dangling=false,label=a=b,before=busybox:latest,since=:,reference=abcdef"
+	_, err = parseFilter(store, images, label)
+	if err == nil || !strings.Contains(err.Error(), "no such id") {
+		t.Fatalf("expected error parsing filter")
+	}
+}
+
+func TestParseFilterInvalidFilter(t *testing.T) {
+	// Make sure the tests are running as root
+	failTestIfNotRoot(t)
+
+	store, err := storage.GetStore(storeOptions)
+	if err != nil {
+		t.Fatal(err)
+	} else if store != nil {
+		is.Transport.SetStore(store)
+	}
+	images, err := store.Images()
+	if err != nil {
+		t.Fatalf("Error reading images: %v", err)
+	}
+	// Pull an image so we know we have it
+	_, err = pullTestImage(t, "busybox:latest")
+	if err != nil {
+		t.Fatalf("could not pull image to remove: %v", err)
+	}
+
+	label := "foo=bar"
+	_, err = parseFilter(store, images, label)
+	if err == nil || err.Error() != "invalid filter: 'foo'" {
+		t.Fatalf("expected error parsing filter")
+	}
+}
+
+func TestMatchesDangingTrue(t *testing.T) {
+	if !matchesDangling("<none>", "true") {
+		t.Error("matchesDangling() should return true with dangling=true and name=<none>")
+	}
+
+	if !matchesDangling("hello", "false") {
+		t.Error("matchesDangling() should return true with dangling=false and name='hello'")
+	}
+}
+
+func TestMatchesDangingFalse(t *testing.T) {
+	if matchesDangling("hello", "true") {
+		t.Error("matchesDangling() should return false with dangling=true and name=hello")
+	}
+
+	if matchesDangling("<none>", "false") {
+		t.Error("matchesDangling() should return false with dangling=false and name=<none>")
+	}
+}
+
+func TestMatchesLabelTrue(t *testing.T) {
+	//TODO: How do I implement this?
+}
+
+func TestMatchesLabelFalse(t *testing.T) {
+	// TODO: How do I implement this?
+}
+
+func TestMatchesBeforeImageTrue(t *testing.T) {
+	// Make sure the tests are running as root
+	failTestIfNotRoot(t)
+
+	store, err := storage.GetStore(storeOptions)
+	if err != nil {
+		t.Fatal(err)
+	} else if store != nil {
+		is.Transport.SetStore(store)
+	}
+
+	// Pull an image so that we know we have at least one
+	_, err = pullTestImage(t, "busybox:latest")
+	if err != nil {
+		t.Fatalf("could not pull image to remove: %v", err)
+	}
+
+	images, err := store.Images()
+	if err != nil {
+		t.Fatalf("Error reading images: %v", err)
+	}
+
+	// by default, params.seenImage is false
+	params := new(filterParams)
+	params.beforeDate = time.Now()
+	params.beforeImage = "foo:bar"
+	if !matchesBeforeImage(images[0], ":", params) {
+		t.Error("should have matched beforeImage")
+	}
+}
+
+func TestMatchesBeforeImageFalse(t *testing.T) {
+	// Make sure the tests are running as root
+	failTestIfNotRoot(t)
+
+	store, err := storage.GetStore(storeOptions)
+	if err != nil {
+		t.Fatal(err)
+	} else if store != nil {
+		is.Transport.SetStore(store)
+	}
+	// Pull an image so that we know we have at least one
+	_, err = pullTestImage(t, "busybox:latest")
+	if err != nil {
+		t.Fatalf("could not pull image to remove: %v", err)
+	}
+	images, err := store.Images()
+	if err != nil {
+		t.Fatalf("Error reading images: %v", err)
+	}
+
+	// by default, params.seenImage is false
+	params := new(filterParams)
+	params.beforeDate = time.Time{}
+	params.beforeImage = "foo:bar"
+	// Should return false because the image has been seen
+	if matchesBeforeImage(images[0], ":", params) {
+		t.Error("should not have matched beforeImage")
+	}
+}
+
+func TestMatchesSinceeImageTrue(t *testing.T) {
+	// Make sure the tests are running as root
+	failTestIfNotRoot(t)
+
+	store, err := storage.GetStore(storeOptions)
+	if err != nil {
+		t.Fatal(err)
+	} else if store != nil {
+		is.Transport.SetStore(store)
+	}
+	// Pull an image so that we know we have at least one
+	_, err = pullTestImage(t, "busybox:latest")
+	if err != nil {
+		t.Fatalf("could not pull image to remove: %v", err)
+	}
+	images, err := store.Images()
+	if err != nil {
+		t.Fatalf("Error reading images: %v", err)
+	}
+
+	// by default, params.seenImage is false
+	params := new(filterParams)
+	params.sinceDate = time.Time{}
+	params.sinceImage = "foo:bar"
+	if !matchesSinceImage(images[0], ":", params) {
+		t.Error("should have matched SinceImage")
+	}
+}
+
+func TestMatchesSinceImageFalse(t *testing.T) {
+	// Make sure the tests are running as root
+	failTestIfNotRoot(t)
+
+	store, err := storage.GetStore(storeOptions)
+	if err != nil {
+		t.Fatal(err)
+	} else if store != nil {
+		is.Transport.SetStore(store)
+	}
+	// Pull an image so that we know we have at least one
+	_, err = pullTestImage(t, "busybox:latest")
+	if err != nil {
+		t.Fatalf("could not pull image to remove: %v", err)
+	}
+	images, err := store.Images()
+	if err != nil {
+		t.Fatalf("Error reading images: %v", err)
+	}
+
+	// by default, params.seenImage is false
+	params := new(filterParams)
+	params.sinceDate = time.Now()
+	params.sinceImage = "foo:bar"
+	// Should return false because the image has been seen
+	if matchesSinceImage(images[0], ":", params) {
+		t.Error("should not have matched sinceImage")
+	}
+
+	if matchesSinceImage(images[0], "foo:bar", params) {
+		t.Error("image should have been filtered out")
+	}
+}
+
+func captureOutputWithError(f func() error) (string, error) {
+	old := os.Stdout
+	r, w, _ := os.Pipe()
+	os.Stdout = w
+
+	err := f()
+
+	w.Close()
+	os.Stdout = old
+	var buf bytes.Buffer
+	io.Copy(&buf, r)
+	return buf.String(), err
+}
+
+// Captures output so that it can be compared to expected values
+func captureOutput(f func()) string {
+	old := os.Stdout
+	r, w, _ := os.Pipe()
+	os.Stdout = w
+
+	f()
+
+	w.Close()
+	os.Stdout = old
+	var buf bytes.Buffer
+	io.Copy(&buf, r)
+	return buf.String()
+}
--- a/cmd/buildah/inspect.go
+++ b/cmd/buildah/inspect.go
@@ -21,14 +21,15 @@ ID: {{.ContainerID}}

 var (
 	inspectFlags = []cli.Flag{
-		cli.StringFlag{
-			Name:  "type, t",
-			Usage: "look at the item of the specified `type` (container or image) and name",
-		},
 		cli.StringFlag{
 			Name:  "format, f",
 			Usage: "use `format` as a Go template to format the output",
 		},
+		cli.StringFlag{
+			Name:  "type, t",
+			Usage: "look at the item of the specified `type` (container or image) and name",
+			Value: inspectTypeContainer,
+		},
 	}
 	inspectDescription = "Inspects a build container's or built image's configuration."
 	inspectCommand     = cli.Command{
@@ -51,23 +52,13 @@ func inspectCmd(c *cli.Context) error {
 	if len(args) > 1 {
 		return errors.Errorf("too many arguments specified")
 	}
-
-	itemType := inspectTypeContainer
-	if c.IsSet("type") {
-		itemType = c.String("type")
-	}
-	switch itemType {
-	case inspectTypeContainer:
-	case inspectTypeImage:
-	default:
-		return errors.Errorf("the only recognized types are %q and %q", inspectTypeContainer, inspectTypeImage)
+	if err := validateFlags(c, inspectFlags); err != nil {
+		return err
 	}

 	format := defaultFormat
-	if c.IsSet("format") {
-		if c.String("format") != "" {
-			format = c.String("format")
-		}
+	if c.String("format") != "" {
+		format = c.String("format")
 	}
 	t := template.Must(template.New("format").Parse(format))

@@ -78,17 +69,25 @@ func inspectCmd(c *cli.Context) error {
 		return err
 	}

-	switch itemType {
+	switch c.String("type") {
 	case inspectTypeContainer:
 		builder, err = openBuilder(store, name)
 		if err != nil {
-			return errors.Wrapf(err, "error reading build container %q", name)
+			if c.IsSet("type") {
+				return errors.Wrapf(err, "error reading build container %q", name)
+			}
+			builder, err = openImage(store, name)
+			if err != nil {
+				return errors.Wrapf(err, "error reading build object %q", name)
+			}
 		}
 	case inspectTypeImage:
 		builder, err = openImage(store, name)
 		if err != nil {
 			return errors.Wrapf(err, "error reading image %q", name)
 		}
+	default:
+		return errors.Errorf("the only recognized types are %q and %q", inspectTypeContainer, inspectTypeImage)
 	}

 	if c.IsSet("format") {
--- a/cmd/buildah/main.go
+++ b/cmd/buildah/main.go
@@ -4,15 +4,17 @@ import (
 	"fmt"
 	"os"

-	"github.com/Sirupsen/logrus"
 	"github.com/containers/storage"
 	ispecs "github.com/opencontainers/image-spec/specs-go"
 	rspecs "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/projectatomic/buildah"
+	"github.com/sirupsen/logrus"
 	"github.com/urfave/cli"
 )

 func main() {
+	debug := false
+
 	var defaultStoreDriverOptions *cli.StringSlice
 	if buildah.InitReexec() {
 		return
@@ -27,6 +29,10 @@ func main() {
 		defaultStoreDriverOptions = &optionSlice
 	}
 	app.Flags = []cli.Flag{
+		cli.BoolFlag{
+			Name:  "debug",
+			Usage: "print debugging information",
+		},
 		cli.StringFlag{
 			Name:  "root",
 			Usage: "storage root dir",
@@ -47,17 +53,17 @@ func main() {
 			Usage: "storage driver option",
 			Value: defaultStoreDriverOptions,
 		},
-		cli.BoolFlag{
-			Name:  "debug",
-			Usage: "print debugging information",
+		cli.StringFlag{
+			Name:  "default-mounts-file",
+			Usage: "path to default mounts file",
+			Value: buildah.DefaultMountsFile,
 		},
 	}
 	app.Before = func(c *cli.Context) error {
 		logrus.SetLevel(logrus.ErrorLevel)
-		if c.GlobalIsSet("debug") {
-			if c.GlobalBool("debug") {
-				logrus.SetLevel(logrus.DebugLevel)
-			}
+		if c.GlobalBool("debug") {
+			debug = true
+			logrus.SetLevel(logrus.DebugLevel)
 		}
 		return nil
 	}
@@ -88,10 +94,15 @@ func main() {
 		runCommand,
 		tagCommand,
 		umountCommand,
+		versionCommand,
 	}
 	err := app.Run(os.Args)
 	if err != nil {
-		logrus.Errorf("%v", err)
-		os.Exit(1)
+		if debug {
+			logrus.Errorf(err.Error())
+		} else {
+			fmt.Fprintln(os.Stderr, err.Error())
+		}
+		cli.OsExiter(1)
 	}
 }
--- a/cmd/buildah/mount.go
+++ b/cmd/buildah/mount.go
@@ -30,15 +30,15 @@ func mountCmd(c *cli.Context) error {
 	if len(args) > 1 {
 		return errors.Errorf("too many arguments specified")
 	}
+	if err := validateFlags(c, mountFlags); err != nil {
+		return err
+	}

 	store, err := getStore(c)
 	if err != nil {
 		return err
 	}
-	truncate := true
-	if c.IsSet("notruncate") {
-		truncate = !c.Bool("notruncate")
-	}
+	truncate := !c.Bool("notruncate")

 	if len(args) == 1 {
 		name := args[0]
--- a/cmd/buildah/push.go
+++ b/cmd/buildah/push.go
@@ -1,10 +1,15 @@
 package main

 import (
+	"fmt"
 	"os"
+	"strings"

+	"github.com/containers/image/manifest"
+	"github.com/containers/image/transports"
 	"github.com/containers/image/transports/alltransports"
 	"github.com/containers/storage/pkg/archive"
+	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
 	"github.com/projectatomic/buildah"
 	"github.com/urfave/cli"
@@ -12,27 +17,59 @@ import (

 var (
 	pushFlags = []cli.Flag{
+		cli.StringFlag{
+			Name:  "authfile",
+			Usage: "path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json",
+		},
+		cli.StringFlag{
+			Name:  "cert-dir",
+			Value: "",
+			Usage: "use certificates at the specified path to access the registry",
+		},
+		cli.StringFlag{
+			Name:  "creds",
+			Value: "",
+			Usage: "use `username[:password]` for accessing the registry",
+		},
 		cli.BoolFlag{
 			Name:  "disable-compression, D",
 			Usage: "don't compress layers",
 		},
 		cli.StringFlag{
-			Name:  "signature-policy",
-			Usage: "`pathname` of signature policy file (not usually used)",
+			Name:  "format, f",
+			Usage: "manifest type (oci, v2s1, or v2s2) to use when saving image using the 'dir:' transport (default is manifest type of source)",
 		},
 		cli.BoolFlag{
 			Name:  "quiet, q",
 			Usage: "don't output progress information when pushing images",
 		},
+		cli.StringFlag{
+			Name:  "signature-policy",
+			Usage: "`pathname` of signature policy file (not usually used)",
+		},
+		cli.BoolTFlag{
+			Name:  "tls-verify",
+			Usage: "require HTTPS and verify certificates when accessing the registry",
+		},
 	}
-	pushDescription = "Pushes an image to a specified location."
-	pushCommand     = cli.Command{
+	pushDescription = fmt.Sprintf(`
+   Pushes an image to a specified location.
+
+   The Image "DESTINATION" uses a "transport":"details" format.
+
+   Supported transports:
+   %s
+
+   See buildah-push(1) section "DESTINATION" for the expected format
+`, strings.Join(transports.ListNames(), ", "))
+
+	pushCommand = cli.Command{
 		Name:        "push",
-		Usage:       "Push an image to a specified location",
+		Usage:       "Push an image to a specified destination",
 		Description: pushDescription,
 		Flags:       pushFlags,
 		Action:      pushCmd,
-		ArgsUsage:   "IMAGE [TRANSPORT:]IMAGE",
+		ArgsUsage:   "IMAGE DESTINATION",
 	}
 )

@@ -41,37 +78,64 @@ func pushCmd(c *cli.Context) error {
 	if len(args) < 2 {
 		return errors.New("source and destination image IDs must be specified")
 	}
+	if err := validateFlags(c, pushFlags); err != nil {
+		return err
+	}
 	src := args[0]
 	destSpec := args[1]

-	signaturePolicy := ""
-	if c.IsSet("signature-policy") {
-		signaturePolicy = c.String("signature-policy")
-	}
-	compress := archive.Uncompressed
-	if !c.IsSet("disable-compression") || !c.Bool("disable-compression") {
-		compress = archive.Gzip
-	}
-	quiet := false
-	if c.IsSet("quiet") {
-		quiet = c.Bool("quiet")
+	compress := archive.Gzip
+	if c.Bool("disable-compression") {
+		compress = archive.Uncompressed
 	}

 	store, err := getStore(c)
 	if err != nil {
 		return err
 	}
+
 	dest, err := alltransports.ParseImageName(destSpec)
+	// add the docker:// transport to see if they neglected it.
 	if err != nil {
-		return err
+		if strings.Contains(destSpec, "://") {
+			return err
+		}
+
+		destSpec = "docker://" + destSpec
+		dest2, err2 := alltransports.ParseImageName(destSpec)
+		if err2 != nil {
+			return err
+		}
+		dest = dest2
+	}
+
+	systemContext, err := systemContextFromOptions(c)
+	if err != nil {
+		return errors.Wrapf(err, "error building system context")
+	}
+
+	var manifestType string
+	if c.IsSet("format") {
+		switch c.String("format") {
+		case "oci":
+			manifestType = imgspecv1.MediaTypeImageManifest
+		case "v2s1":
+			manifestType = manifest.DockerV2Schema1SignedMediaType
+		case "v2s2", "docker":
+			manifestType = manifest.DockerV2Schema2MediaType
+		default:
+			return fmt.Errorf("unknown format %q. Choose on of the supported formats: 'oci', 'v2s1', or 'v2s2'", c.String("format"))
+		}
 	}

 	options := buildah.PushOptions{
 		Compression:         compress,
-		SignaturePolicyPath: signaturePolicy,
+		ManifestType:        manifestType,
+		SignaturePolicyPath: c.String("signature-policy"),
 		Store:               store,
+		SystemContext:       systemContext,
 	}
-	if !quiet {
+	if !c.Bool("quiet") {
 		options.ReportWriter = os.Stderr
 	}

--- a/cmd/buildah/rmi.go
+++ b/cmd/buildah/rmi.go
@@ -2,108 +2,220 @@ package main

 import (
 	"fmt"
-	"os"

-	"github.com/Sirupsen/logrus"
-	"github.com/containers/image/storage"
+	is "github.com/containers/image/storage"
 	"github.com/containers/image/transports"
 	"github.com/containers/image/transports/alltransports"
 	"github.com/containers/image/types"
+	"github.com/containers/storage"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 	"github.com/urfave/cli"
 )

 var (
-	rmiDescription = "Removes one or more locally stored images."
-	rmiCommand     = cli.Command{
+	rmiDescription = "removes one or more locally stored images."
+	rmiFlags       = []cli.Flag{
+		cli.BoolFlag{
+			Name:  "force, f",
+			Usage: "force removal of the image",
+		},
+	}
+	rmiCommand = cli.Command{
 		Name:        "rmi",
-		Usage:       "Removes one or more images from local storage",
+		Usage:       "removes one or more images from local storage",
 		Description: rmiDescription,
 		Action:      rmiCmd,
 		ArgsUsage:   "IMAGE-NAME-OR-ID [...]",
+		Flags:       rmiFlags,
 	}
 )

 func rmiCmd(c *cli.Context) error {
+	force := c.Bool("force")
+
 	args := c.Args()
 	if len(args) == 0 {
 		return errors.Errorf("image name or ID must be specified")
 	}
+	if err := validateFlags(c, rmiFlags); err != nil {
+		return err
+	}

 	store, err := getStore(c)
 	if err != nil {
 		return err
 	}

-	var e error
 	for _, id := range args {
-		// If it's an exact name or ID match with the underlying
-		// storage library's information about the image, then it's
-		// enough.
-		_, err = store.DeleteImage(id, true)
+		image, err := getImage(id, store)
 		if err != nil {
-			var ref types.ImageReference
-			// If it's looks like a proper image reference, parse
-			// it and check if it corresponds to an image that
-			// actually exists.
-			if ref2, err2 := alltransports.ParseImageName(id); err2 == nil {
-				if img, err3 := ref2.NewImage(nil); err3 == nil {
-					img.Close()
-					ref = ref2
+			return errors.Wrapf(err, "could not get image %q", id)
+		}
+		if image != nil {
+			ctrIDs, err := runningContainers(image, store)
+			if err != nil {
+				return errors.Wrapf(err, "error getting running containers for image %q", id)
+			}
+			if len(ctrIDs) > 0 && len(image.Names) <= 1 {
+				if force {
+					err = removeContainers(ctrIDs, store)
+					if err != nil {
+						return errors.Wrapf(err, "error removing containers %v for image %q", ctrIDs, id)
+					}
 				} else {
-					logrus.Debugf("error confirming presence of image %q: %v", transports.ImageName(ref2), err3)
+					for _, ctrID := range ctrIDs {
+						return fmt.Errorf("Could not remove image %q (must force) - container %q is using its reference image", id, ctrID)
+					}
 				}
+			}
+			// If the user supplied an ID, we cannot delete the image if it is referred to by multiple tags
+			if matchesID(image.ID, id) {
+				if len(image.Names) > 1 && !force {
+					return fmt.Errorf("unable to delete %s (must force) - image is referred to in multiple tags", image.ID)
+				}
+				// If it is forced, we have to untag the image so that it can be deleted
+				image.Names = image.Names[:0]
 			} else {
-				logrus.Debugf("error parsing %q as an image reference: %v", id, err2)
-			}
-			if ref == nil {
-				// If it's looks like an image reference that's
-				// relative to our storage, parse it and check
-				// if it corresponds to an image that actually
-				// exists.
-				if ref2, err2 := storage.Transport.ParseStoreReference(store, id); err2 == nil {
-					if img, err3 := ref2.NewImage(nil); err3 == nil {
-						img.Close()
-						ref = ref2
-					} else {
-						logrus.Debugf("error confirming presence of image %q: %v", transports.ImageName(ref2), err3)
-					}
-				} else {
-					logrus.Debugf("error parsing %q as a store reference: %v", id, err2)
+				name, err2 := untagImage(id, image, store)
+				if err2 != nil {
+					return errors.Wrapf(err, "error removing tag %q from image %q", id, image.ID)
 				}
+				fmt.Printf("untagged: %s\n", name)
 			}
-			if ref == nil {
-				// If it might be an ID that's relative to our
-				// storage, parse it and check if it
-				// corresponds to an image that actually
-				// exists.  This _should_ be redundant, since
-				// we already tried deleting the image using
-				// the ID directly above, but it can't hurt,
-				// either.
-				if ref2, err2 := storage.Transport.ParseStoreReference(store, "@"+id); err2 == nil {
-					if img, err3 := ref2.NewImage(nil); err3 == nil {
-						img.Close()
-						ref = ref2
-					} else {
-						logrus.Debugf("error confirming presence of image %q: %v", transports.ImageName(ref2), err3)
-					}
-				} else {
-					logrus.Debugf("error parsing %q as an image reference: %v", "@"+id, err2)
-				}
+
+			if len(image.Names) > 0 {
+				continue
 			}
-			if ref != nil {
-				err = ref.DeleteImage(nil)
+			id, err := removeImage(image, store)
+			if err != nil {
+				return errors.Wrapf(err, "error removing image %q", image.ID)
 			}
+			fmt.Printf("%s\n", id)
 		}
-		if e == nil {
-			e = err
-		}
-		if err != nil {
-			fmt.Fprintf(os.Stderr, "error removing image %q: %v\n", id, err)
-			continue
-		}
-		fmt.Printf("%s\n", id)
 	}

-	return e
+	return nil
+}
+
+func getImage(id string, store storage.Store) (*storage.Image, error) {
+	var ref types.ImageReference
+	ref, err := properImageRef(id)
+	if err != nil {
+		logrus.Debug(err)
+	}
+	if ref == nil {
+		if ref, err = storageImageRef(store, id); err != nil {
+			logrus.Debug(err)
+		}
+	}
+	if ref == nil {
+		if ref, err = storageImageID(store, id); err != nil {
+			logrus.Debug(err)
+		}
+	}
+	if ref != nil {
+		image, err2 := is.Transport.GetStoreImage(store, ref)
+		if err2 != nil {
+			return nil, errors.Wrapf(err2, "error reading image using reference %q", transports.ImageName(ref))
+		}
+		return image, nil
+	}
+	return nil, err
+}
+
+func untagImage(imgArg string, image *storage.Image, store storage.Store) (string, error) {
+	newNames := []string{}
+	removedName := ""
+	for _, name := range image.Names {
+		if matchesReference(name, imgArg) {
+			removedName = name
+			continue
+		}
+		newNames = append(newNames, name)
+	}
+	if removedName != "" {
+		if err := store.SetNames(image.ID, newNames); err != nil {
+			return "", errors.Wrapf(err, "error removing name %q from image %q", removedName, image.ID)
+		}
+	}
+	return removedName, nil
+}
+
+func removeImage(image *storage.Image, store storage.Store) (string, error) {
+	if _, err := store.DeleteImage(image.ID, true); err != nil {
+		return "", errors.Wrapf(err, "could not remove image %q", image.ID)
+	}
+	return image.ID, nil
+}
+
+// Returns a list of running containers associated with the given ImageReference
+func runningContainers(image *storage.Image, store storage.Store) ([]string, error) {
+	ctrIDs := []string{}
+	containers, err := store.Containers()
+	if err != nil {
+		return nil, err
+	}
+	for _, ctr := range containers {
+		if ctr.ImageID == image.ID {
+			ctrIDs = append(ctrIDs, ctr.ID)
+		}
+	}
+	return ctrIDs, nil
+}
+
+func removeContainers(ctrIDs []string, store storage.Store) error {
+	for _, ctrID := range ctrIDs {
+		if err := store.DeleteContainer(ctrID); err != nil {
+			return errors.Wrapf(err, "could not remove container %q", ctrID)
+		}
+	}
+	return nil
+}
+
+// If it's looks like a proper image reference, parse it and check if it
+// corresponds to an image that actually exists.
+func properImageRef(id string) (types.ImageReference, error) {
+	var err error
+	if ref, err := alltransports.ParseImageName(id); err == nil {
+		if img, err2 := ref.NewImage(nil); err2 == nil {
+			img.Close()
+			return ref, nil
+		}
+		return nil, errors.Wrapf(err, "error confirming presence of image reference %q", transports.ImageName(ref))
+	}
+	return nil, errors.Wrapf(err, "error parsing %q as an image reference", id)
+}
+
+// If it's looks like an image reference that's relative to our storage, parse
+// it and check if it corresponds to an image that actually exists.
+func storageImageRef(store storage.Store, id string) (types.ImageReference, error) {
+	var err error
+	if ref, err := is.Transport.ParseStoreReference(store, id); err == nil {
+		if img, err2 := ref.NewImage(nil); err2 == nil {
+			img.Close()
+			return ref, nil
+		}
+		return nil, errors.Wrapf(err, "error confirming presence of storage image reference %q", transports.ImageName(ref))
+	}
+	return nil, errors.Wrapf(err, "error parsing %q as a storage image reference", id)
+}
+
+// If it might be an ID that's relative to our storage, truncated or not, so
+// parse it and check if it corresponds to an image that we have stored
+// locally.
+func storageImageID(store storage.Store, id string) (types.ImageReference, error) {
+	var err error
+	imageID := id
+	if img, err := store.Image(id); err == nil && img != nil {
+		imageID = img.ID
+	}
+	if ref, err := is.Transport.ParseStoreReference(store, "@"+imageID); err == nil {
+		if img, err2 := ref.NewImage(nil); err2 == nil {
+			img.Close()
+			return ref, nil
+		}
+		return nil, errors.Wrapf(err, "error confirming presence of storage image reference %q", transports.ImageName(ref))
+	}
+	return nil, errors.Wrapf(err, "error parsing %q as a storage image reference: %v", "@"+id)
 }
--- a/cmd/buildah/rmi_test.go
+++ b/cmd/buildah/rmi_test.go
@@ -0,0 +1,141 @@
+package main
+
+import (
+	"strings"
+	"testing"
+
+	is "github.com/containers/image/storage"
+	"github.com/containers/storage"
+)
+
+func TestProperImageRefTrue(t *testing.T) {
+	// Pull an image so we know we have it
+	_, err := pullTestImage(t, "busybox:latest")
+	if err != nil {
+		t.Fatalf("could not pull image to remove")
+	}
+	// This should match a url path
+	imgRef, err := properImageRef("docker://busybox:latest")
+	if err != nil {
+		t.Errorf("could not match image: %v", err)
+	} else if imgRef == nil {
+		t.Error("Returned nil Image Reference")
+	}
+}
+
+func TestProperImageRefFalse(t *testing.T) {
+	// Pull an image so we know we have it
+	_, err := pullTestImage(t, "busybox:latest")
+	if err != nil {
+		t.Fatal("could not pull image to remove")
+	}
+	// This should match a url path
+	imgRef, _ := properImageRef("docker://:")
+	if imgRef != nil {
+		t.Error("should not have found an Image Reference")
+	}
+}
+
+func TestStorageImageRefTrue(t *testing.T) {
+	// Make sure the tests are running as root
+	failTestIfNotRoot(t)
+
+	store, err := storage.GetStore(storeOptions)
+	if store != nil {
+		is.Transport.SetStore(store)
+	}
+	if err != nil {
+		t.Fatalf("could not get store: %v", err)
+	}
+	// Pull an image so we know we have it
+	_, err = pullTestImage(t, "busybox:latest")
+	if err != nil {
+		t.Fatalf("could not pull image to remove: %v", err)
+	}
+	imgRef, err := storageImageRef(store, "busybox")
+	if err != nil {
+		t.Errorf("could not match image: %v", err)
+	} else if imgRef == nil {
+		t.Error("Returned nil Image Reference")
+	}
+}
+
+func TestStorageImageRefFalse(t *testing.T) {
+	// Make sure the tests are running as root
+	failTestIfNotRoot(t)
+
+	store, err := storage.GetStore(storeOptions)
+	if store != nil {
+		is.Transport.SetStore(store)
+	}
+	if err != nil {
+		t.Fatalf("could not get store: %v", err)
+	}
+	// Pull an image so we know we have it
+	_, err = pullTestImage(t, "busybox:latest")
+	if err != nil {
+		t.Fatalf("could not pull image to remove: %v", err)
+	}
+	imgRef, _ := storageImageRef(store, "")
+	if imgRef != nil {
+		t.Error("should not have found an Image Reference")
+	}
+}
+
+func TestStorageImageIDTrue(t *testing.T) {
+	// Make sure the tests are running as root
+	failTestIfNotRoot(t)
+
+	store, err := storage.GetStore(storeOptions)
+	if store != nil {
+		is.Transport.SetStore(store)
+	}
+	if err != nil {
+		t.Fatalf("could not get store: %v", err)
+	}
+	// Pull an image so we know we have it
+	_, err = pullTestImage(t, "busybox:latest")
+	if err != nil {
+		t.Fatalf("could not pull image to remove: %v", err)
+	}
+	//Somehow I have to get the id of the image I just pulled
+	images, err := store.Images()
+	if err != nil {
+		t.Fatalf("Error reading images: %v", err)
+	}
+	id, err := captureOutputWithError(func() error {
+		return outputImages(images, "", store, nil, "busybox:latest", false, false, false, true)
+	})
+	if err != nil {
+		t.Fatalf("Error getting id of image: %v", err)
+	}
+	id = strings.TrimSpace(id)
+
+	imgRef, err := storageImageID(store, id)
+	if err != nil {
+		t.Errorf("could not match image: %v", err)
+	} else if imgRef == nil {
+		t.Error("Returned nil Image Reference")
+	}
+}
+
+func TestStorageImageIDFalse(t *testing.T) {
+	// Make sure the tests are running as root
+	failTestIfNotRoot(t)
+
+	store, err := storage.GetStore(storeOptions)
+	if store != nil {
+		is.Transport.SetStore(store)
+	}
+	if err != nil {
+		t.Fatalf("could not get store: %v", err)
+	}
+	// Pull an image so we know we have it
+
+	id := ""
+
+	imgRef, _ := storageImageID(store, id)
+	if imgRef != nil {
+		t.Error("should not have returned Image Reference")
+	}
+}
--- a/cmd/buildah/run.go
+++ b/cmd/buildah/run.go
@@ -6,15 +6,19 @@ import (
 	"strings"
 	"syscall"

-	"github.com/Sirupsen/logrus"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/pkg/errors"
 	"github.com/projectatomic/buildah"
+	"github.com/sirupsen/logrus"
 	"github.com/urfave/cli"
 )

 var (
 	runFlags = []cli.Flag{
+		cli.StringFlag{
+			Name:  "hostname",
+			Usage: "Set the hostname inside of the container",
+		},
 		cli.StringFlag{
 			Name:  "runtime",
 			Usage: "`path` to an alternate runtime",
@@ -24,6 +28,10 @@ var (
 			Name:  "runtime-flag",
 			Usage: "add global flags for the container runtime",
 		},
+		cli.BoolFlag{
+			Name:  "tty",
+			Usage: "allocate a pseudo-TTY in the container",
+		},
 		cli.StringSliceFlag{
 			Name:  "volume, v",
 			Usage: "bind mount a host location into the container while running the command",
@@ -46,19 +54,13 @@ func runCmd(c *cli.Context) error {
 		return errors.Errorf("container ID must be specified")
 	}
 	name := args[0]
-	args = args.Tail()
+	if err := validateFlags(c, runFlags); err != nil {
+		return err
+	}

-	runtime := ""
-	if c.IsSet("runtime") {
-		runtime = c.String("runtime")
-	}
-	flags := []string{}
-	if c.IsSet("runtime-flag") {
-		flags = c.StringSlice("runtime-flag")
-	}
-	volumes := []string{}
-	if c.IsSet("v") || c.IsSet("volume") {
-		volumes = c.StringSlice("volume")
+	args = args.Tail()
+	if len(args) > 0 && args[0] == "--" {
+		args = args[1:]
 	}

 	store, err := getStore(c)
@@ -71,16 +73,21 @@ func runCmd(c *cli.Context) error {
 		return errors.Wrapf(err, "error reading build container %q", name)
 	}

-	hostname := ""
-	if c.IsSet("hostname") {
-		hostname = c.String("hostname")
-	}
 	options := buildah.RunOptions{
-		Hostname: hostname,
-		Runtime:  runtime,
-		Args:     flags,
+		Hostname: c.String("hostname"),
+		Runtime:  c.String("runtime"),
+		Args:     c.StringSlice("runtime-flag"),
 	}
-	for _, volumeSpec := range volumes {
+
+	if c.IsSet("tty") {
+		if c.Bool("tty") {
+			options.Terminal = buildah.WithTerminal
+		} else {
+			options.Terminal = buildah.WithoutTerminal
+		}
+	}
+
+	for _, volumeSpec := range c.StringSlice("volume") {
 		volSpec := strings.Split(volumeSpec, ":")
 		if len(volSpec) >= 2 {
 			mountOptions := "bind"
--- a/cmd/buildah/version.go
+++ b/cmd/buildah/version.go
@@ -0,0 +1,48 @@
+package main
+
+import (
+	"fmt"
+	"runtime"
+	"strconv"
+	"time"
+
+	ispecs "github.com/opencontainers/image-spec/specs-go"
+	rspecs "github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/projectatomic/buildah"
+	"github.com/urfave/cli"
+)
+
+//Overwritten at build time
+var (
+	gitCommit string
+	buildInfo string
+)
+
+//Function to get and print info for version command
+func versionCmd(c *cli.Context) error {
+
+	//converting unix time from string to int64
+	buildTime, err := strconv.ParseInt(buildInfo, 10, 64)
+	if err != nil {
+		return err
+	}
+
+	fmt.Println("Version:      ", buildah.Version)
+	fmt.Println("Go Version:   ", runtime.Version())
+	fmt.Println("Image Spec:   ", ispecs.Version)
+	fmt.Println("Runtime Spec: ", rspecs.Version)
+	fmt.Println("Git Commit:   ", gitCommit)
+
+	//Prints out the build time in readable format
+	fmt.Println("Built:        ", time.Unix(buildTime, 0).Format(time.ANSIC))
+	fmt.Println("OS/Arch:      ", runtime.GOOS+"/"+runtime.GOARCH)
+
+	return nil
+}
+
+//cli command to print out the version info of buildah
+var versionCommand = cli.Command{
+	Name:   "version",
+	Usage:  "Display the Buildah Version Information",
+	Action: versionCmd,
+}
--- a/commit.go
+++ b/commit.go
@@ -2,10 +2,10 @@ package buildah

 import (
 	"bytes"
+	"fmt"
 	"io"
 	"time"

-	"github.com/Sirupsen/logrus"
 	cp "github.com/containers/image/copy"
 	"github.com/containers/image/signature"
 	is "github.com/containers/image/storage"
@@ -13,10 +13,10 @@ import (
 	"github.com/containers/image/types"
 	"github.com/containers/storage"
 	"github.com/containers/storage/pkg/archive"
-	"github.com/containers/storage/pkg/stringid"
 	"github.com/opencontainers/go-digest"
 	"github.com/pkg/errors"
 	"github.com/projectatomic/buildah/util"
+	"github.com/sirupsen/logrus"
 )

 var (
@@ -55,6 +55,9 @@ type CommitOptions struct {
 	// HistoryTimestamp is the timestamp used when creating new items in the
 	// image's history.  If unset, the current time will be used.
 	HistoryTimestamp *time.Time
+	// github.com/containers/image/types SystemContext to hold credentials
+	// and other authentication/authorization information.
+	SystemContext *types.SystemContext
 }

 // PushOptions can be used to alter how an image is copied somewhere.
@@ -74,6 +77,12 @@ type PushOptions struct {
 	ReportWriter io.Writer
 	// Store is the local storage store which holds the source image.
 	Store storage.Store
+	// github.com/containers/image/types SystemContext to hold credentials
+	// and other authentication/authorization information.
+	SystemContext *types.SystemContext
+	// ManifestType is the format to use when saving the imge using the 'dir' transport
+	// possible options are oci, v2s1, and v2s2
+	ManifestType string
 }

 // shallowCopy copies the most recent layer, the configuration, and the manifest from one image to another.
@@ -82,38 +91,23 @@ type PushOptions struct {
 // We assume that "dest" is a reference to a local image (specifically, a containers/image/storage.storageReference),
 // and will fail if it isn't.
 func (b *Builder) shallowCopy(dest types.ImageReference, src types.ImageReference, systemContext *types.SystemContext) error {
+	var names []string
 	// Read the target image name.
-	if dest.DockerReference() == nil {
-		return errors.New("can't write to an unnamed image")
+	if dest.DockerReference() != nil {
+		names = []string{dest.DockerReference().String()}
 	}
-	names, err := util.ExpandTags([]string{dest.DockerReference().String()})
-	if err != nil {
-		return err
-	}
-	// Make a temporary image reference.
-	tmpName := stringid.GenerateRandomID() + "-tmp-" + Package + "-commit"
-	tmpRef, err := is.Transport.ParseStoreReference(b.store, tmpName)
-	if err != nil {
-		return err
-	}
-	defer func() {
-		if err2 := tmpRef.DeleteImage(systemContext); err2 != nil {
-			logrus.Debugf("error deleting temporary image %q: %v", tmpName, err2)
-		}
-	}()
-	// Open the source for reading and a temporary image for writing.
+	// Open the source for reading and the new image for writing.
 	srcImage, err := src.NewImage(systemContext)
 	if err != nil {
 		return errors.Wrapf(err, "error reading configuration to write to image %q", transports.ImageName(dest))
 	}
 	defer srcImage.Close()
-	tmpImage, err := tmpRef.NewImageDestination(systemContext)
+	destImage, err := dest.NewImageDestination(systemContext)
 	if err != nil {
-		return errors.Wrapf(err, "error opening temporary copy of image %q for writing", transports.ImageName(dest))
+		return errors.Wrapf(err, "error opening image %q for writing", transports.ImageName(dest))
 	}
-	defer tmpImage.Close()
 	// Write an empty filesystem layer, because the image layer requires at least one.
-	_, err = tmpImage.PutBlob(bytes.NewReader(gzippedEmptyLayer), types.BlobInfo{Size: int64(len(gzippedEmptyLayer))})
+	_, err = destImage.PutBlob(bytes.NewReader(gzippedEmptyLayer), types.BlobInfo{Size: int64(len(gzippedEmptyLayer))})
 	if err != nil {
 		return errors.Wrapf(err, "error writing dummy layer for image %q", transports.ImageName(dest))
 	}
@@ -126,12 +120,12 @@ func (b *Builder) shallowCopy(dest types.ImageReference, src types.ImageReferenc
 		return errors.Errorf("error reading new configuration for image %q: it's empty", transports.ImageName(dest))
 	}
 	logrus.Debugf("read configuration blob %q", string(config))
-	// Write the configuration to the temporary image.
+	// Write the configuration to the new image.
 	configBlobInfo := types.BlobInfo{
 		Digest: digest.Canonical.FromBytes(config),
 		Size:   int64(len(config)),
 	}
-	_, err = tmpImage.PutBlob(bytes.NewReader(config), configBlobInfo)
+	_, err = destImage.PutBlob(bytes.NewReader(config), configBlobInfo)
 	if err != nil && len(config) > 0 {
 		return errors.Wrapf(err, "error writing image configuration for temporary copy of %q", transports.ImageName(dest))
 	}
@@ -140,24 +134,42 @@ func (b *Builder) shallowCopy(dest types.ImageReference, src types.ImageReferenc
 	if err != nil {
 		return errors.Wrapf(err, "error reading new manifest for image %q", transports.ImageName(dest))
 	}
-	// Write the manifest to the temporary image.
-	err = tmpImage.PutManifest(manifest)
+	// Write the manifest to the new image.
+	err = destImage.PutManifest(manifest)
 	if err != nil {
-		return errors.Wrapf(err, "error writing new manifest to temporary copy of image %q", transports.ImageName(dest))
+		return errors.Wrapf(err, "error writing new manifest to image %q", transports.ImageName(dest))
 	}
-	// Save the temporary image.
-	err = tmpImage.Commit()
+	// Save the new image.
+	err = destImage.Commit()
 	if err != nil {
 		return errors.Wrapf(err, "error committing new image %q", transports.ImageName(dest))
 	}
-	// Locate the temporary image in the lower-level API.  Read its item names.
-	tmpImg, err := is.Transport.GetStoreImage(b.store, tmpRef)
+	err = destImage.Close()
 	if err != nil {
-		return errors.Wrapf(err, "error locating temporary image %q", transports.ImageName(dest))
+		return errors.Wrapf(err, "error closing new image %q", transports.ImageName(dest))
 	}
-	items, err := b.store.ListImageBigData(tmpImg.ID)
+	// Locate the new image in the lower-level API.  Extract its items.
+	destImg, err := is.Transport.GetStoreImage(b.store, dest)
 	if err != nil {
-		return errors.Wrapf(err, "error reading list of named data for image %q", tmpImg.ID)
+		return errors.Wrapf(err, "error locating new image %q", transports.ImageName(dest))
+	}
+	items, err := b.store.ListImageBigData(destImg.ID)
+	if err != nil {
+		return errors.Wrapf(err, "error reading list of named data for image %q", destImg.ID)
+	}
+	bigdata := make(map[string][]byte)
+	for _, itemName := range items {
+		var data []byte
+		data, err = b.store.ImageBigData(destImg.ID, itemName)
+		if err != nil {
+			return errors.Wrapf(err, "error reading named data %q for image %q", itemName, destImg.ID)
+		}
+		bigdata[itemName] = data
+	}
+	// Delete the image so that we can recreate it.
+	_, err = b.store.DeleteImage(destImg.ID, true)
+	if err != nil {
+		return errors.Wrapf(err, "error deleting image %q for rewriting", destImg.ID)
 	}
 	// Look up the container's read-write layer.
 	container, err := b.store.Container(b.ContainerID)
@@ -174,9 +186,9 @@ func (b *Builder) shallowCopy(dest types.ImageReference, src types.ImageReferenc
 		parentLayer = img.TopLayer
 	}
 	// Extract the read-write layer's contents.
-	layerDiff, err := b.store.Diff(parentLayer, container.LayerID)
+	layerDiff, err := b.store.Diff(parentLayer, container.LayerID, nil)
 	if err != nil {
-		return errors.Wrapf(err, "error reading layer from source image %q", transports.ImageName(src))
+		return errors.Wrapf(err, "error reading layer %q from source image %q", container.LayerID, transports.ImageName(src))
 	}
 	defer layerDiff.Close()
 	// Write a copy of the layer for the new image to reference.
@@ -184,8 +196,8 @@ func (b *Builder) shallowCopy(dest types.ImageReference, src types.ImageReferenc
 	if err != nil {
 		return errors.Wrapf(err, "error creating new read-only layer from container %q", b.ContainerID)
 	}
-	// Create a low-level image record that uses the new layer.
-	image, err := b.store.CreateImage("", []string{}, layer.ID, "", nil)
+	// Create a low-level image record that uses the new layer, discarding the old metadata.
+	image, err := b.store.CreateImage(destImg.ID, []string{}, layer.ID, "{}", nil)
 	if err != nil {
 		err2 := b.store.DeleteLayer(layer.ID)
 		if err2 != nil {
@@ -193,7 +205,7 @@ func (b *Builder) shallowCopy(dest types.ImageReference, src types.ImageReferenc
 		}
 		return errors.Wrapf(err, "error creating new low-level image %q", transports.ImageName(dest))
 	}
-	logrus.Debugf("created image ID %q", image.ID)
+	logrus.Debugf("(re-)created image ID %q using layer %q", image.ID, layer.ID)
 	defer func() {
 		if err != nil {
 			_, err2 := b.store.DeleteImage(image.ID, true)
@@ -202,30 +214,22 @@ func (b *Builder) shallowCopy(dest types.ImageReference, src types.ImageReferenc
 			}
 		}
 	}()
-	// Copy the configuration and manifest, which are big data items, along with whatever else is there.
-	for _, item := range items {
-		var data []byte
-		data, err = b.store.ImageBigData(tmpImg.ID, item)
+	// Store the configuration and manifest, which are big data items, along with whatever else is there.
+	for itemName, data := range bigdata {
+		err = b.store.SetImageBigData(image.ID, itemName, data)
 		if err != nil {
-			return errors.Wrapf(err, "error copying data item %q", item)
+			return errors.Wrapf(err, "error saving data item %q", itemName)
 		}
-		err = b.store.SetImageBigData(image.ID, item, data)
+		logrus.Debugf("saved data item %q to %q", itemName, image.ID)
+	}
+	// Add the target name(s) to the new image.
+	if len(names) > 0 {
+		err = util.AddImageNames(b.store, image, names)
 		if err != nil {
-			return errors.Wrapf(err, "error copying data item %q", item)
+			return errors.Wrapf(err, "error assigning names %v to new image", names)
 		}
-		logrus.Debugf("copied data item %q to %q", item, image.ID)
+		logrus.Debugf("assigned names %v to image %q", names, image.ID)
 	}
-	// Set low-level metadata in the new image so that the image library will accept it as a real image.
-	err = b.store.SetMetadata(image.ID, "{}")
-	if err != nil {
-		return errors.Wrapf(err, "error assigning metadata to new image %q", transports.ImageName(dest))
-	}
-	// Move the target name(s) from the temporary image to the new image.
-	err = util.AddImageNames(b.store, image, names)
-	if err != nil {
-		return errors.Wrapf(err, "error assigning names %v to new image", names)
-	}
-	logrus.Debugf("assigned names %v to image %q", names, image.ID)
 	return nil
 }

@@ -235,12 +239,17 @@ func (b *Builder) shallowCopy(dest types.ImageReference, src types.ImageReferenc
 func (b *Builder) Commit(dest types.ImageReference, options CommitOptions) error {
 	policy, err := signature.DefaultPolicy(getSystemContext(options.SignaturePolicyPath))
 	if err != nil {
-		return err
+		return errors.Wrapf(err, "error obtaining default signature policy")
 	}
 	policyContext, err := signature.NewPolicyContext(policy)
 	if err != nil {
-		return err
+		return errors.Wrapf(err, "error creating new signature policy context")
 	}
+	defer func() {
+		if err2 := policyContext.Destroy(); err2 != nil {
+			logrus.Debugf("error destroying signature polcy context: %v", err2)
+		}
+	}()
 	// Check if we're keeping everything in local storage.  If so, we can take certain shortcuts.
 	_, destIsStorage := dest.Transport().(is.StoreTransport)
 	exporting := !destIsStorage
@@ -250,7 +259,7 @@ func (b *Builder) Commit(dest types.ImageReference, options CommitOptions) error
 	}
 	if exporting {
 		// Copy everything.
-		err = cp.Image(policyContext, dest, src, getCopyOptions(options.ReportWriter))
+		err = cp.Image(policyContext, dest, src, getCopyOptions(options.ReportWriter, nil, options.SystemContext, ""))
 		if err != nil {
 			return errors.Wrapf(err, "error copying layers and metadata")
 		}
@@ -285,12 +294,17 @@ func Push(image string, dest types.ImageReference, options PushOptions) error {
 	systemContext := getSystemContext(options.SignaturePolicyPath)
 	policy, err := signature.DefaultPolicy(systemContext)
 	if err != nil {
-		return err
+		return errors.Wrapf(err, "error obtaining default signature policy")
 	}
 	policyContext, err := signature.NewPolicyContext(policy)
 	if err != nil {
-		return err
+		return errors.Wrapf(err, "error creating new signature policy context")
 	}
+	defer func() {
+		if err2 := policyContext.Destroy(); err2 != nil {
+			logrus.Debugf("error destroying signature polcy context: %v", err2)
+		}
+	}()
 	importOptions := ImportFromImageOptions{
 		Image:               image,
 		SignaturePolicyPath: options.SignaturePolicyPath,
@@ -317,9 +331,12 @@ func Push(image string, dest types.ImageReference, options PushOptions) error {
 		return errors.Wrapf(err, "error recomputing layer digests and building metadata")
 	}
 	// Copy everything.
-	err = cp.Image(policyContext, dest, src, getCopyOptions(options.ReportWriter))
+	err = cp.Image(policyContext, dest, src, getCopyOptions(options.ReportWriter, nil, options.SystemContext, options.ManifestType))
 	if err != nil {
 		return errors.Wrapf(err, "error copying layers and metadata")
 	}
+	if options.ReportWriter != nil {
+		fmt.Fprintf(options.ReportWriter, "\n")
+	}
 	return nil
 }
--- a/common.go
+++ b/common.go
@@ -7,9 +7,12 @@ import (
 	"github.com/containers/image/types"
 )

-func getCopyOptions(reportWriter io.Writer) *cp.Options {
+func getCopyOptions(reportWriter io.Writer, sourceSystemContext *types.SystemContext, destinationSystemContext *types.SystemContext, manifestType string) *cp.Options {
 	return &cp.Options{
-		ReportWriter: reportWriter,
+		ReportWriter:          reportWriter,
+		SourceCtx:             sourceSystemContext,
+		DestinationCtx:        destinationSystemContext,
+		ForceManifestMIMEType: manifestType,
 	}
 }

--- a/config.go
+++ b/config.go
@@ -21,8 +21,9 @@ func makeOCIv1Image(dimage *docker.V2Image) (ociv1.Image, error) {
 	if config == nil {
 		config = &dimage.ContainerConfig
 	}
+	dcreated := dimage.Created.UTC()
 	image := ociv1.Image{
-		Created:      dimage.Created.UTC(),
+		Created:      &dcreated,
 		Author:       dimage.Author,
 		Architecture: dimage.Architecture,
 		OS:           dimage.OS,
@@ -38,7 +39,7 @@ func makeOCIv1Image(dimage *docker.V2Image) (ociv1.Image, error) {
 		},
 		RootFS: ociv1.RootFS{
 			Type:    "",
-			DiffIDs: []string{},
+			DiffIDs: []digest.Digest{},
 		},
 		History: []ociv1.History{},
 	}
@@ -51,13 +52,12 @@ func makeOCIv1Image(dimage *docker.V2Image) (ociv1.Image, error) {
 	}
 	if RootFS.Type == docker.TypeLayers {
 		image.RootFS.Type = docker.TypeLayers
-		for _, id := range RootFS.DiffIDs {
-			image.RootFS.DiffIDs = append(image.RootFS.DiffIDs, id.String())
-		}
+		image.RootFS.DiffIDs = append(image.RootFS.DiffIDs, RootFS.DiffIDs...)
 	}
 	for _, history := range dimage.History {
+		hcreated := history.Created.UTC()
 		ohistory := ociv1.History{
-			Created:    history.Created.UTC(),
+			Created:    &hcreated,
 			CreatedBy:  history.CreatedBy,
 			Author:     history.Author,
 			Comment:    history.Comment,
@@ -98,13 +98,7 @@ func makeDockerV2S2Image(oimage *ociv1.Image) (docker.V2Image, error) {
 	}
 	if oimage.RootFS.Type == docker.TypeLayers {
 		image.RootFS.Type = docker.TypeLayers
-		for _, id := range oimage.RootFS.DiffIDs {
-			d, err := digest.Parse(id)
-			if err != nil {
-				return docker.V2Image{}, err
-			}
-			image.RootFS.DiffIDs = append(image.RootFS.DiffIDs, d)
-		}
+		image.RootFS.DiffIDs = append(image.RootFS.DiffIDs, oimage.RootFS.DiffIDs...)
 	}
 	for _, history := range oimage.History {
 		dhistory := docker.V2S2History{
@@ -224,8 +218,8 @@ func (b *Builder) fixupConfig() {
 	if b.Docker.Created.IsZero() {
 		b.Docker.Created = now
 	}
-	if b.OCIv1.Created.IsZero() {
-		b.OCIv1.Created = now
+	if b.OCIv1.Created == nil || b.OCIv1.Created.IsZero() {
+		b.OCIv1.Created = &now
 	}
 	if b.OS() == "" {
 		b.SetOS(runtime.GOOS)
@@ -559,3 +553,8 @@ func (b *Builder) Domainname() string {
 func (b *Builder) SetDomainname(name string) {
 	b.Docker.Config.Domainname = name
 }
+
+// SetDefaultMountsFilePath sets the mounts file path for testing purposes
+func (b *Builder) SetDefaultMountsFilePath(path string) {
+	b.DefaultMountsFilePath = path
+}
--- a/contrib/completions/bash/buildah
+++ b/contrib/completions/bash/buildah
@@ -168,6 +168,7 @@ return 1
         --runroot
         --storage-driver
         --storage-opt
+         --default-mounts-file
         "

     case "$prev" in
@@ -290,9 +291,13 @@ return 1
          -D
          --quiet
          -q
+          --rm
+          --tls-verify
  "

     local options_with_args="
+          --cert-dir
+          --creds
          --signature-policy
          --format
          -f
@@ -336,10 +341,11 @@ return 1
     --pull-always
     --quiet
     -q
+     --tls-verify
  "

     local options_with_args="
-     --registry
+     --authfile
     --signature-policy
     --runtime
     --runtime-flag
@@ -376,10 +382,12 @@ return 1
 _buildah_run() {
     local boolean_options="
     --help
+     --tty
     -h
  "

     local options_with_args="
+     --hostname
     --runtime
     --runtime-flag
     --volume
@@ -470,9 +478,15 @@ return 1
          -D
          --quiet
          -q
+          --tls-verify
  "

     local options_with_args="
+          --authfile
+          --cert-dir
+          --creds
+          --format
+          -f
          --signature-policy
  "

@@ -529,11 +543,14 @@ return 1
     local boolean_options="
     --help
     -h
+     --json
     --quiet
     -q
     --noheading
     -n
     --notruncate
+     -a
+     --all
  "

     local options_with_args="
@@ -552,6 +569,7 @@ return 1
     local boolean_options="
     --help
     -h
+     --json
     --quiet
     -q
     --noheading
@@ -609,11 +627,14 @@ return 1
     --pull-always
     --quiet
     -q
+     --tls-verify
  "

     local options_with_args="
+     --authfile
+     --cert-dir
+     --creds
     --name
-     --registry
     --signature-policy
  "

@@ -628,6 +649,16 @@ return 1
     esac
 }

+ _buildah_version() {
+     local boolean_options="
+     --help
+     -h
+     "
+
+     local options_with_args="
+     "
+}
+
 _buildah() {
   local previous_extglob_setting=$(shopt -p extglob)
   shopt -s extglob
@@ -651,6 +682,7 @@ return 1
       tag
       umount
       unmount
+       version
   )

   # These options are valid as global options for all client commands
--- a/contrib/rpm/buildah.spec
+++ b/contrib/rpm/buildah.spec
@@ -21,11 +21,11 @@
 # https://github.com/projectatomic/buildah
 %global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo}
 %global import_path     %{provider_prefix}
-%global commit         a0a5333b94264d1fb1e072d63bcb98f9e2981b49
+%global commit         REPLACEWITHCOMMITID
 %global shortcommit    %(c=%{commit}; echo ${c:0:7})

 Name:           buildah
-Version:        0.1
+Version:        0.7
 Release:        1.git%{shortcommit}%{?dist}
 Summary:        A command line tool used to creating OCI Images
 License:        ASL 2.0
@@ -41,7 +41,10 @@ BuildRequires:  gpgme-devel
 BuildRequires:  device-mapper-devel
 BuildRequires:  btrfs-progs-devel
 BuildRequires:  libassuan-devel
+BuildRequires:  glib2-devel
+BuildRequires:  ostree-devel
 Requires:       runc >= 1.0.0-6
+Requires:       container-selinux
 Requires:       skopeo-containers
 Provides:       %{repo} = %{version}-%{release}

@@ -67,7 +70,7 @@ popd
 mv vendor src

 export GOPATH=$(pwd)/_build:$(pwd):%{gopath}
-make all
+make all GIT_COMMIT=%{shortcommit}

 %install
 export GOPATH=$(pwd)/_build:$(pwd):%{gopath}
@@ -85,5 +88,67 @@ make DESTDIR=%{buildroot} PREFIX=%{_prefix} install install.completions
 %{_datadir}/bash-completion/completions/*

 %changelog
+* Thu Nov 16 2017 Dan Walsh <dwalsh@redhat.com> 0.7-1
+- Ignore errors when trying to read containers buildah.json for loading SELinux reservations
+-     Use credentials from kpod login for buildah
+
+* Wed Nov 15 2017 Dan Walsh <dwalsh@redhat.com> 0.6-1
+- Adds support for converting manifest types when using the dir transport
+- Rework how we do UID resolution in images
+- Bump github.com/vbatts/tar-split
+- Set option.terminal appropriately in run
+
+* Tue Nov 07 2017 Dan Walsh <dwalsh@redhat.com> 0.5-1
+-  Add secrets patch to buildah
+-  Add proper SELinux labeling to buildah run
+-  Add tls-verify to bud command
+-  Make filtering by date use the image's date
+-  images: don't list unnamed images twice
+-  Fix timeout issue
+-  Add further tty verbiage to buildah run
+-  Make inspect try an image on failure if type not specified
+-  Add support for `buildah run --hostname`
+-  Tons of bug fixes and code cleanup
+
+* Fri Sep 22 2017 Dan Walsh <dwalsh@redhat.com> 0.4-1.git9cbccf88c
+-   Add default transport to push if not provided
+-   Avoid trying to print a nil ImageReference
+-   Add authentication to commit and push
+-   Add information on buildah from man page on transports
+-   Remove --transport flag
+-   Run: do not complain about missing volume locations
+-   Add credentials to buildah from
+-   Remove export command
+-   Run(): create the right working directory
+-   Improve "from" behavior with unnamed references
+-   Avoid parsing image metadata for dates and layers
+-   Read the image's creation date from public API
+-   Bump containers/storage and containers/image
+-   Don't panic if an image's ID can't be parsed
+-   Turn on --enable-gc when running gometalinter
+-   rmi: handle truncated image IDs
+
+* Thu Jul 20 2017 Dan Walsh <dwalsh@redhat.com> 0.3.0-1
+- Bump for inclusion of OCI 1.0 Runtime and Image Spec
+
+* Tue Jul 18 2017 Dan Walsh <dwalsh@redhat.com> 0.2.0-1
+-   buildah run: Add support for -- ending options parsing 
+-   buildah Add/Copy support for glob syntax
+-   buildah commit: Add flag to remove containers on commit
+-   buildah push: Improve man page and help information
+-   buildah run: add a way to disable PTY allocation
+-   Buildah docs: clarify --runtime-flag of run command
+-   Update to match newer storage and image-spec APIs
+-   Update containers/storage and containers/image versions
+-   buildah export: add support
+-   buildah images: update commands
+-   buildah images: Add JSON output option
+-   buildah rmi: update commands
+-   buildah containers: Add JSON output option
+-   buildah version: add command
+-   buildah run: Handle run without an explicit command correctly
+-   Ensure volume points get created, and with perms
+-   buildah containers: Add a -a/--all option 
+
 * Fri Apr 14 2017 Dan Walsh <dwalsh@redhat.com> 0.0.1-1.git7a0a5333
 - First package for Fedora
--- a/delete.go
+++ b/delete.go
@@ -1,6 +1,7 @@
 package buildah

 import (
+	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/pkg/errors"
 )

@@ -13,5 +14,5 @@ func (b *Builder) Delete() error {
 	b.MountPoint = ""
 	b.Container = ""
 	b.ContainerID = ""
-	return nil
+	return label.ReleaseLabel(b.ProcessLabel)
 }
--- a/docs/buildah-bud.md
+++ b/docs/buildah-bud.md
@@ -14,6 +14,18 @@ to a temporary location.

 ## OPTIONS

+**--authfile** *path*
+
+Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json
+which is set using `kpod login`
+
+**--build-arg** *arg=value*
+
+Specifies a build argument and its value, which will be interpolated in
+instructions read from the Dockerfiles in the same way that environment
+variables are, but which will not be added to environment variable list in the
+resulting image's configuration.
+
 **-f, --file** *Dockerfile*

 Specifies a Dockerfile which contains instructions for building the image,
@@ -25,6 +37,12 @@ If a build context is not specified, and at least one Dockerfile is a
 local file, the directory in which it resides will be used as the build
 context.

+**--format**
+
+Control the format for the built image's manifest and configuration data.
+Recognized formats include *oci* (OCI image-spec v1.0, the default) and
+*docker* (version 2, using schema format 2 for the manifest).
+
 **--pull**

 Pull the image if it is not present.  If this flag is disabled (with
@@ -35,23 +53,11 @@ Defaults to *true*.

 Pull the image even if a version of the image is already present.

-**--registry** *registry*
+**--quiet**

-A prefix to prepend to the image name in order to pull the image.  Default
-value is "docker://"
-
-**--signature-policy** *signaturepolicy*
-
-Pathname of a signature policy file to use.  It is not recommended that this
-option be used, as the default behavior of using the system-wide default policy
-(frequently */etc/containers/policy.json*) is most often preferred.
-
-**--build-arg** *arg=value*
-
-Specifies a build argument and its value, which will be interpolated in
-instructions read from the Dockerfiles in the same way that environment
-variables are, but which will not be added to environment variable list in the
-resulting image's configuration.
+Suppress output messages which indicate which instruction is being processed,
+and of progress when pulling images from a registry, and when writing the
+output image.

 **--runtime** *path*

@@ -62,22 +68,20 @@ commands specified by the **RUN** instruction.

 Adds global flags for the container rutime.

+**--signature-policy** *signaturepolicy*
+
+Pathname of a signature policy file to use.  It is not recommended that this
+option be used, as the default behavior of using the system-wide default policy
+(frequently */etc/containers/policy.json*) is most often preferred.
+
 **-t, --tag** *imageName*

 Specifies the name which will be assigned to the resulting image if the build
 process completes successfully.

-**--format**
+**--tls-verify** *bool-value*

-Control the format for the built image's manifest and configuration data.
-Recognized formats include *oci* (OCI image-spec v1.0, the default) and
-*docker* (version 2, using schema format 2 for the manifest).
-
-**--quiet**
-
-Suppress output messages which indicate which instruction is being processed,
-and of progress when pulling images from a registry, and when writing the
-output image.
+Require HTTPS and verify certificates when talking to container registries (defaults to true)

 ## EXAMPLE

@@ -89,7 +93,9 @@ buildah bud -f Dockerfile.simple -f Dockerfile.notsosimple

 buildah bud -t imageName .

-buildah bud -t imageName -f Dockerfile.simple
+buildah bud --tls-verify=true -t imageName -f Dockerfile.simple
+
+buildah bud --tls-verify=false -t imageName .

 ## SEE ALSO
-buildah(1)
+buildah(1) kpod-login(1)
--- a/docs/buildah-commit.md
+++ b/docs/buildah-commit.md
@@ -13,19 +13,18 @@ specified, an ID is assigned, but no name is assigned to the image.

 ## OPTIONS

+**--cert-dir** *path*
+
+Use certificates at *path* (*.crt, *.cert, *.key) to connect to the registry
+
+**--creds** *creds*
+
+The username[:password] to use to authenticate with the registry if required.
+
 **--disable-compression, -D**

 Don't compress filesystem layers when building the image.

-**--signature-policy**
-
-Pathname of a signature policy file to use.  It is not recommended that this
-option be used, as the default behavior of using the system-wide default policy
-(frequently */etc/containers/policy.json*) is most often preferred.
-
-**--quiet**
-
-When writing the output image, suppress progress output.

 **--format**

@@ -33,15 +32,44 @@ Control the format for the image manifest and configuration data.  Recognized
 formats include *oci* (OCI image-spec v1.0, the default) and *docker* (version
 2, using schema format 2 for the manifest).

+**--quiet**
+
+When writing the output image, suppress progress output.
+
+**--rm**
+Remove the container and its content after committing it to an image.
+Default leaves the container and its content in place.
+
+**--signature-policy**
+
+Pathname of a signature policy file to use.  It is not recommended that this
+option be used, as the default behavior of using the system-wide default policy
+(frequently */etc/containers/policy.json*) is most often preferred.
+
+**--tls-verify** *bool-value*
+
+Require HTTPS and verify certificates when talking to container registries (defaults to true)
+
 ## EXAMPLE

-buildah commit containerID
+This example saves an image based on the container.
+ `buildah commit containerID`

-buildah commit containerID newImageName
+This example saves an image named newImageName based on the container.
+ `buildah commit --rm containerID newImageName`

-buildah commit --disable-compression --signature-policy '/etc/containers/policy.json' containerID

-buildah commit --disable-compression --signature-policy '/etc/containers/policy.json' containerID newImageName
+This example saves an image based on the container disabling compression.
+ `buildah commit --disable-compression containerID`
+
+This example saves an image named newImageName based on the container disabling compression.
+ `buildah commit --disable-compression containerID newImageName`
+
+This example commits the container to the image on the local registry while turning off tls verification.
+ `buildah commit --tls-verify=false containerID docker://localhost:5000/imageId`
+
+This example commits the container to the image on the local registry using credentials and certificates for authentication.
+ `buildah commit --cert-dir ~/auth  --tls-verify=true --creds=username:password containerID docker://localhost:5000/imageId`

 ## SEE ALSO
 buildah(1)
--- a/docs/buildah-containers.md
+++ b/docs/buildah-containers.md
@@ -7,11 +7,20 @@ buildah containers - List the working containers and their base images.
 **buildah** **containers** [*options* [...]]

 ## DESCRIPTION
-Lists containers which appear to be buildah working containers, their names and
+Lists containers which appear to be Buildah working containers, their names and
 IDs, and the names and IDs of the images from which they were initialized.

 ## OPTIONS

+**--all, -a**
+
+List information about all containers, including those which were not created
+by and are not being used by Buildah.
+
+**--json**
+
+Output in JSON format.
+
 **--noheading, -n**

 Omit the table headings from the listing of containers.
@@ -32,6 +41,8 @@ buildah containers --quiet

 buildah containers -q --noheading --notruncate

+buildah containers --json
+
 ## SEE ALSO
 buildah(1)

--- a/docs/buildah-from.md
+++ b/docs/buildah-from.md
@@ -8,13 +8,47 @@ buildah from - Creates a new working container, either from scratch or using a s

 ## DESCRIPTION
 Creates a working container based upon the specified image name.  If the
-supplied image name is "scratch" a new empty container is created.
+supplied image name is "scratch" a new empty container is created. Image names
+uses a "transport":"details" format.
+
+Multiple transports are supported:
+
+  **dir:**_path_
+  An existing local directory _path_ retrieving the manifest, layer tarballs and signatures as individual files. This is a non-standardized format, primarily useful for debugging or noninvasive container inspection.
+
+  **docker://**_docker-reference_ (Default)
+  An image in a registry implementing the "Docker Registry HTTP API V2". By default, uses the authorization state in `$XDG_RUNTIME_DIR/containers/auth.json`, which is set e.g. using `(kpod login)`.
+
+  **docker-archive:**_path_
+  An image is retrieved as a `docker load` formatted file.
+
+  **docker-daemon:**_docker-reference_
+  An image _docker-reference_ stored in the docker daemon internal storage.  _docker-reference_ must contain either a tag or a digest.  Alternatively, when reading images, the format can also be docker-daemon:algo:digest (an image ID).
+
+  **oci:**_path_**:**_tag_
+  An image _tag_ in a directory compliant with "Open Container Image Layout Specification" at _path_.
+
+  **ostree:**_image_[**@**_/absolute/repo/path_]
+  An image in local OSTree repository.  _/absolute/repo/path_ defaults to _/ostree/repo_.

 ## RETURN VALUE
 The container ID of the container that was created.  On error, -1 is returned and errno is returned.

 ## OPTIONS

+**--authfile** *path*
+
+Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json
+which is set using `kpod login`
+
+**--cert-dir** *path*
+
+Use certificates at *path* (*.crt, *.cert, *.key) to connect to the registry
+
+**--creds** *creds*
+
+The username[:password] to use to authenticate with the registry if required.
+
 **--name** *name*

 A *name* for the working container
@@ -29,10 +63,9 @@ Defaults to *true*.

 Pull the image even if a version of the image is already present.

-**--registry** *registry*
+**--quiet**

-A prefix to prepend to the image name in order to pull the image.  Default
-value is "docker://"
+If an image needs to be pulled from the registry, suppress progress output.

 **--signature-policy** *signaturepolicy*

@@ -40,19 +73,25 @@ Pathname of a signature policy file to use.  It is not recommended that this
 option be used, as the default behavior of using the system-wide default policy
 (frequently */etc/containers/policy.json*) is most often preferred.

-**--quiet**
+**--tls-verify** *bool-value*

-If an image needs to be pulled from the registry, suppress progress output.
+Require HTTPS and verify certificates when talking to container registries (defaults to true)

 ## EXAMPLE

-buildah from imagename --pull --registry "myregistry://"
+buildah from imagename --pull

-buildah from myregistry://imagename --pull
+buildah from docker://myregistry.example.com/imagename --pull

 buildah from imagename --signature-policy /etc/containers/policy.json

-buildah from imagename --pull-always --registry "myregistry://" --name "mycontainer"
+buildah from docker://myregistry.example.com/imagename --pull-always --name "mycontainer"
+
+buildah from myregistry/myrepository/imagename:imagetag --tls-verify=false
+
+buildah from myregistry/myrepository/imagename:imagetag --creds=myusername:mypassword --cert-dir ~/auth
+
+buildah from myregistry/myrepository/imagename:imagetag --authfile=/tmp/auths/myauths.json

 ## SEE ALSO
-buildah(1)
+buildah(1) kpod-login(1)
--- a/docs/buildah-images.md
+++ b/docs/buildah-images.md
@@ -11,25 +11,46 @@ Displays locally stored images, their names, and their IDs.

 ## OPTIONS

+**--digests**
+
+Show the image digests.
+
+**--filter, -f=[]**
+
+Filter output based on conditions provided (default []).  Valid
+keywords are 'dangling', 'label', 'before' and 'since'.
+
+**--format="TEMPLATE"**
+
+Pretty-print images using a Go template.  Will override --quiet
+
+**--json**
+
+Display the output in JSON format.
+
 **--noheading, -n**

 Omit the table headings from the listing of images.

-**--notruncate**
+**no-trunc**

 Do not truncate output.

 **--quiet, -q**

-Lists only the image IDs.
+Displays only the image IDs.

 ## EXAMPLE

 buildah images

+buildah images --json
+
 buildah images --quiet

 buildah images -q --noheading --notruncate

+buildah images --filter dangling=true
+
 ## SEE ALSO
 buildah(1)
--- a/docs/buildah-inspect.md
+++ b/docs/buildah-inspect.md
@@ -7,7 +7,7 @@ buildah inspect - Display information about working containers or images.
 **buildah** **inspect** [*options* [...] --] **ID**

 ## DESCRIPTION
-Prints the low-level information on buildah object(s) (e.g. container, images) identified by name or ID. By default, this will render all results in a
+Prints the low-level information on Buildah object(s) (e.g. container, images) identified by name or ID. By default, this will render all results in a
 JSON array. If the container and image have the same name, this will return container JSON for unspecified type. If a format is specified, 
 the given template will be executed for each result.

@@ -19,7 +19,7 @@ Use *template* as a Go template when formatting the output.

 Users of this option should be familiar with the [*text/template*
 package](https://golang.org/pkg/text/template/) in the Go standard library, and
-of internals of buildah's implementation.
+of internals of Buildah's implementation.

 **--type** *container* | *image*

--- a/docs/buildah-push.md
+++ b/docs/buildah-push.md
@@ -10,29 +10,98 @@ buildah push - Push an image from local storage to elsewhere.
 Pushes an image from local storage to a specified destination, decompressing
 and recompessing layers as needed.

+## imageID
+Image stored in local container/storage
+
+## DESTINATION
+
+ The DESTINATION is a location to store container images
+ The Image "DESTINATION" uses a "transport":"details" format.
+
+ Multiple transports are supported:
+
+  **dir:**_path_
+  An existing local directory _path_ storing the manifest, layer tarballs and signatures as individual files. This is a non-standardized format, primarily useful for debugging or noninvasive container inspection.
+
+  **docker://**_docker-reference_
+  An image in a registry implementing the "Docker Registry HTTP API V2". By default, uses the authorization state in `$XDG_RUNTIME_DIR/containers/auth.json`, which is set e.g. using `(kpod login)`.
+
+  **docker-archive:**_path_[**:**_docker-reference_]
+  An image is stored in the `docker save` formatted file.  _docker-reference_ is only used when creating such a file, and it must not contain a digest.
+
+  **docker-daemon:**_docker-reference_
+  An image _docker-reference_ stored in the docker daemon internal storage.  _docker-reference_ must contain either a tag or a digest.  Alternatively, when reading images, the format can also be docker-daemon:algo:digest (an image ID).
+
+  **oci:**_path_**:**_tag_
+  An image _tag_ in a directory compliant with "Open Container Image Layout Specification" at _path_.
+
+  **ostree:**_image_[**@**_/absolute/repo/path_]
+  An image in local OSTree repository.  _/absolute/repo/path_ defaults to _/ostree/repo_.
+
 ## OPTIONS

+**--authfile** *path*
+
+Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json
+which is set using `kpod login`
+
+**--cert-dir** *path*
+
+Use certificates at *path* (*.crt, *.cert, *.key) to connect to the registry
+
+**--creds** *creds*
+
+The username[:password] to use to authenticate with the registry if required.
+
 **--disable-compression, -D**

 Don't compress copies of filesystem layers which will be pushed.

+**--format, -f**
+
+Manifest Type (oci, v2s1, or v2s2) to use when saving image to directory using the 'dir:' transport (default is manifest type of source)
+
+**--quiet**
+
+When writing the output image, suppress progress output.
+
 **--signature-policy**

 Pathname of a signature policy file to use.  It is not recommended that this
 option be used, as the default behavior of using the system-wide default policy
 (frequently */etc/containers/policy.json*) is most often preferred.

-**--quiet**
+**--tls-verify** *bool-value*

-When writing the output image, suppress progress output.
+Require HTTPS and verify certificates when talking to container registries (defaults to true)

 ## EXAMPLE

-buildah push imageID dir:/path/to/image
+This example extracts the imageID image to a local directory in docker format.

-buildah push imageID oci-layout:/path/to/layout
+ `# buildah push imageID dir:/path/to/image`

-buildah push imageID docker://registry/repository:tag
+This example extracts the imageID image to a local directory in oci format.
+
+ `# buildah push imageID oci:/path/to/layout`
+
+This example extracts the imageID image to a container registry named registry.example.com.
+
+ `# buildah push imageID docker://registry.example.com/repository:tag`
+
+This example extracts the imageID image to a private container registry named registry.example.com with authentication from /tmp/auths/myauths.json.
+
+ `# buildah push --authfile /tmp/auths/myauths.json imageID docker://registry.example.com/repository:tag`
+
+This example extracts the imageID image and puts into the local docker container store.
+
+ `# buildah push imageID docker-daemon:image:tag`
+
+This example extracts the imageID image and puts it into the registry on the localhost while turning off tls verification.
+ `# buildah push --tls-verify=false imageID docker://localhost:5000/my-imageID`
+
+This example extracts the imageID image and puts it into the registry on the localhost using credentials and certificates for authentication.
+ `# buildah push --cert-dir ~/auth --tls-verify=true --creds=username:password imageID docker://localhost:5000/my-imageID`

 ## SEE ALSO
-buildah(1)
+buildah(1) kpod-login(1)
--- a/docs/buildah-rmi.md
+++ b/docs/buildah-rmi.md
@@ -9,10 +9,18 @@ buildah rmi - Removes one or more images.
 ## DESCRIPTION
 Removes one or more locally stored images.

+## OPTIONS
+
+**--force, -f**
+
+Executing this command will stop all containers that are using the image and remove them from the system
+
 ## EXAMPLE

 buildah rmi imageID

+buildah rmi --force imageID
+
 buildah rmi imageID1 imageID2 imageID3

 ## SEE ALSO
--- a/docs/buildah-run.md
+++ b/docs/buildah-run.md
@@ -10,27 +10,50 @@ buildah run - Run a command inside of the container.
 Launches a container and runs the specified command in that container using the
 container's root filesystem as a root filesystem, using configuration settings
 inherited from the container's image or as specified using previous calls to
-the *buildah config* command.
+the *buildah config* command.  If you execute *buildah run* and expect an
+interactive shell, you need to specify the --tty flag.

 ## OPTIONS

+**--hostname**
+Set the hostname inside of the running container.
+
 **--runtime** *path*

 The *path* to an alternate OCI-compatible runtime.

 **--runtime-flag** *flag*

-Adds global flags for the container rutime.
+Adds global flags for the container runtime. To list the supported flags, please
+consult manpages of your selected container runtime (`runc` is the default
+runtime, the manpage to consult is `runc(8)`)
+
+**--tty**
+
+By default a pseudo-TTY is allocated only when buildah's standard input is
+attached to a pseudo-TTY.  Setting the `--tty` option to `true` will cause a
+pseudo-TTY to be allocated inside the container connecting the user's "terminal"
+with the stdin and stdout stream of the container.  Setting the `--tty` option to
+`false` will prevent the pseudo-TTY from being allocated.

 **--volume, -v** *source*:*destination*:*flags*

 Bind mount a location from the host into the container for its lifetime.

+NOTE: End parsing of options with the `--` option, so that you can pass other 
+options to the command inside of the container
+
 ## EXAMPLE

-buildah run containerID 'ps -auxw'
+buildah run containerID -- ps -auxw

-buildah run containerID --runtime-flag --no-new-keyring 'ps -auxw'
+buildah run containerID --hostname myhost -- ps -auxw
+
+buildah run containerID --runtime-flag --no-new-keyring -- ps -auxw
+
+buildah run --tty containerID /bin/bash
+
+buildah run --tty=false containerID ls /

 ## SEE ALSO
 buildah(1)
--- a/docs/buildah-version.md
+++ b/docs/buildah-version.md
@@ -0,0 +1,27 @@
+## buildah-version "1" "June 2017" "Buildah"
+
+## NAME
+buildah version - Display the Buildah Version Information.
+
+## SYNOPSIS
+**buildah version**
+[**--help**|**-h**]
+
+## DESCRIPTION
+Shows the following information: Version, Go Version, Image Spec, Runtime Spec, Git Commit, Build Time, OS, and Architecture.
+
+## OPTIONS
+
+**--help, -h**
+  Print usage statement
+
+## EXAMPLE
+
+buildah version
+
+buildah version --help
+
+buildah version -h
+
+## SEE ALSO
+buildah(1)
--- a/docs/buildah.md
+++ b/docs/buildah.md
@@ -1,14 +1,14 @@
 ## buildah "1" "March 2017" "buildah"

 ## NAME
-buildah - A command line tool to facilitate working with containers and using them to build images.
+Buildah - A command line tool to facilitate working with containers and using them to build images.

 ## SYNOPSIS
 buildah [OPTIONS] COMMAND [ARG...]


 ## DESCRIPTION
-The buildah package provides a command line tool which can be used to:
+The Buildah package provides a command line tool which can be used to:

    * Create a working container, either from scratch or using an image as a starting point.
    * Mount a working container's root filesystem for manipulation.
@@ -18,6 +18,18 @@ The buildah package provides a command line tool which can be used to:

 ## OPTIONS

+**--debug**
+
+Print debugging information
+
+**--default-mounts-file**
+
+path to default mounts file (default path: "/usr/share/containers/mounts.conf")
+
+**--help, -h**
+
+Show help
+
 **--root** **value**

 Storage root dir (default: "/var/lib/containers/storage")
@@ -34,14 +46,6 @@ Storage driver

 Storage driver option

-**--debug**
-
-Print debugging information
-
-**--help, -h**
-
-Show help
-
 **--version, -v**

 Print the version
@@ -67,3 +71,5 @@ Print the version
 | buildah-run(1)        | Run a command inside of the container.                                                               |
 | buildah-tag(1)        | Add an additional name to a local image.                                                             |
 | buildah-umount(1)     | Unmount a working container's root file system.                                                      |
+| buildah-version(1)    | Display the Buildah Version Information
+                                               |
--- a/docs/tutorials/01-intro.md
+++ b/docs/tutorials/01-intro.md
@@ -0,0 +1,236 @@
+# Buildah Tutorial 1
+## Building OCI container images
+
+The purpose of this tutorial is to demonstrate how Buildah can be used to build container images compliant with the [Open Container Initiative](https://www.opencontainers.org/) (OCI) [image specification](https://github.com/opencontainers/image-spec). Images can be built from existing images, from scratch, and using Dockerfiles. OCI images built using the Buildah command line tool (CLI) and the underlying OCI based technologies (e.g. [containers/image](https://github.com/containers/image) and [containers/storage](https://github.com/containers/storage)) are portable and can therefore run in a Docker environment.
+
+In brief the `containers/image` project provides mechanisms to copy, push, pull, inspect and sign container images. The `containers/storage` project provides mechanisms for storing filesystem layers, container images, and containers. Buildah is a CLI that takes advantage of these underlying projects and therefore allows you to build, move, and manage container images and containers.  
+
+First step is to install Buildah. Run as root because you will need to be root for running Buildah commands:
+
+    # dnf -y install buildah
+
+After installing Buildah we can see there are no images installed. The `buildah images` command will list all the images:
+
+    # buildah images
+
+We can also see that there are also no containers by running:
+
+    # buildah containers
+  
+When you build a working container from an existing image, Buildah defaults to appending '-working-container' to the image's name to construct a name for the container. The Buildah CLI conveniently returns the name of the new container. You can take advantage of this by assigning the returned value to a shell varible using standard shell assignment :
+
+    # container=$(buildah from fedora)
+
+It is not required to assign a shell variable. Running `buildah from fedora` is sufficient. It just helps simplify commands later. To see the name of the container that we stored in the shell variable:
+
+    # echo $container
+
+What can we do with this new container? Let's try running bash:
+
+    # buildah run $container bash
+    
+Notice we get a new shell prompt because we are running a bash shell inside of the container. It should be noted that `buildah run` is primarily intended for helping debug during the build process. A runtime like runc or a container interface like [CRI-O](https://github.com/kubernetes-incubator/cri-o) is more suited for starting containers in production.
+
+Be sure to `exit` out of the container and let's try running something else:
+
+    # buildah run $container java
+
+Oops. Java is not installed. A message containing something like the following was returned.
+
+    container_linux.go:274: starting container process caused "exec: \"java\": executable file not found in $PATH"
+    
+Lets try installing it using:
+    
+    # buildah run $container -- dnf -y install java
+
+The `--` syntax basically tells Buildah: there are no more `buildah run` command options after this point. The options after this point are for inside the containers shell. It is required if the command we specify includes command line options which are not meant for Buildah. 
+
+Now running `buildah run $container java` will show that Java has been installed. It will return the standard Java `Usage` output.
+
+## Building a container from scratch
+
+One of the advantages of using `buildah` to build OCI compliant container images is that you can easily build a container image from scratch and therefore exclude unnecessary packages from your image. E.g. most final container images for production probably don't need a package manager like `dnf`. 
+
+Let's build a container from scratch. The special "image" name "scratch" tells Buildah to create an empty container.  The container has a small amount of metadata about the container but no real Linux content. 
+
+    # newcontainer=$(buildah from scratch)
+  
+You can see this new empty container by running:
+
+    # buildah containers
+  
+You should see output similar to the following:
+
+    CONTAINER ID  BUILDER  IMAGE ID     IMAGE NAME                       CONTAINER NAME
+    82af3b9a9488     *     3d85fcda5754 docker.io/library/fedora:latest  fedora-working-container
+    ac8fa6be0f0a     *                  scratch                          working-container
+
+Its container name is working-container by default and it's stored in the `$newcontainer` variable. Notice the image name (IMAGE NAME) is "scratch". This just indicates that there is no real image yet. i.e. It is containers/storage but there is no representation in containers/image. So when we run:
+
+    # buildah images
+  
+We don't see the image listed. There is no corresponding scratch image. It is an empty container.
+
+So does this container actually do anything? Let's see.
+
+    # buildah run $newcontainer bash
+    
+Nope. This really is empty. The package installer `dnf` is not even inside this container. It's essentially an empty layer on top of the kernel. So what can be done with that?  Thankfully there is a `buildah mount` command.
+
+    # scratchmnt=$(buildah mount $newcontainer)
+    
+By echoing `$scratchmnt` we can see the path for the [overlay image](https://wiki.archlinux.org/index.php/Overlay_filesystem), which gives you a link directly to the root file system of the container.
+
+    # echo $scratchmnt
+    /var/lib/containers/storage/overlay/b78d0e11957d15b5d1fe776293bd40a36c28825fb6cf76f407b4d0a95b2a200d/diff  
+    
+Notice that the overlay image is under `/var/lib/containers/storage` as one would expect. (See above on `containers/storage` or for more information see [containers/storage](https://github.com/containers/storage).) 
+
+Now that we have a new empty container we can install or remove software packages or simply copy content into that container. So let's install `bash` and `coreutils` so that we can run bash scripts. This could easily be `nginx` or other packages needed for your container.
+
+    # dnf install --installroot $scratchmnt --release 26 bash coreutils --setopt install_weak_deps=false -y
+
+Let's try it out (showing the prompt in this example to demonstrate the difference):
+
+    # buildah run $newcontainer bash
+    bash-4.4# cd /usr/bin
+    bash-4.4# ls
+    bash-4.4# exit
+
+Notice we have a `/usr/bin` directory in the newcontainer's image layer. Let's first copy a simple file from our host into the container. Create a file called runecho.sh which contains the following:
+
+    #!/bin/bash
+    for i in `seq 0 9`;
+    do
+    	echo "This is a new container from ipbabble [" $i "]"
+    done
+
+Change the permissions on the file so that it can be run:
+
+    # chmod +x runecho.sh
+    
+With `buildah` files can be copied into the new image and we can also configure the image to run commands. Let's copy this new command into the container's `/usr/bin` directory and configure the container to run the command when the container is run: 
+
+    # buildah copy $newcontainer ./runecho.sh /usr/bin
+    # buildah config --cmd /usr/bin/runecho.sh $newcontainer
+    
+Now run the container:
+
+    # buildah run $newcontainer
+    This is a new container from ipbabble [ 0 ]
+    This is a new container from ipbabble [ 1 ]
+    This is a new container from ipbabble [ 2 ]
+    This is a new container from ipbabble [ 3 ]
+    This is a new container from ipbabble [ 4 ]
+    This is a new container from ipbabble [ 5 ]
+    This is a new container from ipbabble [ 6 ]
+    This is a new container from ipbabble [ 7 ]
+    This is a new container from ipbabble [ 8 ]
+    This is a new container from ipbabble [ 9 ]
+
+It works! Congratulations, you have built a new OCI container from scratch that uses bash scripting. Let's add some more configuration information.
+
+    # buildah config --created-by "ipbabble"  $newcontainer
+    # buildah config --author "wgh at redhat.com @ipbabble" --label name=fedora26-bashecho $newcontainer
+ 
+We can inspect the container's metadata using the `inspect` command:
+ 
+    # buildah inspect $newcontainer
+
+We should probably unmount and commit the image:
+
+     # buildah unmount $newcontainer
+     # buildah commit $newcontainer fedora-bashecho
+     # buildah images
+     
+And you can see there is a new image called `fedora-bashecho:latest`. You can inspect the new image using:
+
+    # buildah inspect --type=image fedora-bashecho
+
+Later when you want to create a new container or containers from this image, you simply need need to do `buildah from fedora-bashecho`. This will create a new containers based on this image for you. 
+
+Now that you have the new image you can remove the scratch container called working-container:
+
+    # buildah rm $newcontainer
+
+or
+
+    # buildah rm working-container
+
+## OCI images built using Buildah are portable
+
+Let's test if this new OCI image is really portable to another OCI technology like Docker. First you should install Docker and start it. Notice that Docker requires a daemon process (that's quite big) in order to run any client commands. Buildah has no daemon requirement.
+
+    # dnf -y install docker
+    # systemctl start docker
+    
+Let's copy that image from where containers/storage stores it to where the Docker daemon stores its images, so that we can run it using Docker. We can achieve this using `buildah push`. This copies the image to Docker's repository area which is located under `/var/lib/docker`. Docker's repository is managed by the Docker daemon. This needs to be explicitly stated by telling Buildah to push to the Docker repository protocol using `docker-daemon:`.
+
+    # buildah push fedora-bashecho docker-daemon:fedora-bashecho:latest
+
+Under the covers, the containers/image library calls into the containers/storage library to read the image's contents, and sends them to the local Docker daemon. This can take a little while. And usually you won't need to do this. If you're using `buildah` you are probably not using Docker. This is just for demo purposes. Let's try it:
+
+    # docker run fedora-bashecho 
+    This is a new container from ipbabble [ 0 ]
+    This is a new container from ipbabble [ 1 ]
+    This is a new container from ipbabble [ 2 ]
+    This is a new container from ipbabble [ 3 ]
+    This is a new container from ipbabble [ 4 ]
+    This is a new container from ipbabble [ 5 ]
+    This is a new container from ipbabble [ 6 ]
+    This is a new container from ipbabble [ 7 ]
+    This is a new container from ipbabble [ 8 ]
+    This is a new container from ipbabble [ 9 ]
+    
+OCI container images built with `buildah` are completely standard as expected. So now it might be time to run:
+
+    # dnf -y remove docker
+
+## Using Dockerfiles with Buildah
+
+What if you have been using Docker for a while and have some existing Dockerfiles. Not a problem. Buildah can build images using a Dockerfile. The `build-using-dockerfile`, or `bud` for short, takes a Dockerfile as input and produces an OCI image.
+
+Find one of your Dockerfiles or create a file called Dockerfile. Use the following example or some variation if you'd like:
+
+    # Base on the Fedora
+    FROM fedora:latest
+    MAINTAINER  ipbabble email buildahboy@redhat.com # not a real email
+
+    # Update image and install httpd
+    RUN echo "Updating all fedora packages"; dnf -y update; dnf -y clean all
+    RUN echo "Installing httpd"; dnf -y install httpd
+ 
+    # Expose the default httpd port 80
+    EXPOSE 80
+
+    # Run the httpd
+    CMD ["/usr/sbin/httpd", "-DFOREGROUND"]
+
+Now run `buildah bud` with the name of the Dockerfile and the name to be given to the created image (e.g. fedora-httpd):
+
+    # buildah bud -f Dockerfile -t fedora-httpd
+
+or, because `buildah bud` defaults to Dockerfile (note the period at the end of the example):
+
+    # buildah bud -t fedora-httpd .
+
+You will see all the steps of the Dockerfile executing. Afterwards `buildah images` will show you the new image. Now we need to create the container using `buildah from` and test it with `buildah run`:
+
+    # httpcontainer=$(buildah from fedora-httpd)
+    # buildah run $httpcontainer
+    
+While that container is running, in another shell run:
+
+    # curl localhost
+    
+You will see the standard Apache webpage.
+
+Why not try and modify the Dockerfile. Do not install httpd, but instead ADD the runecho.sh file and have it run as the CMD. 
+
+## Congratulations
+
+Well done. You have learned a lot about Buildah using this short tutorial. Hopefully you followed along with the examples and found them to be sufficient. Be sure to look at Buildah's man pages to see the other useful commands you can use. Have fun playing.
+
+If you have any suggestions or issues please post them at the [ProjectAtomic Buildah Issues page](https://github.com/projectatomic/buildah/issues).
+
+For more information on Buildah and how you might contribute please visit the [Buildah home page on Github](https://github.com/projectatomic/buildah).
--- a/examples/all-the-things.sh
+++ b/examples/all-the-things.sh
@@ -24,7 +24,7 @@ echo yay > $mountpoint1/file-in-root
 read
 : "[1m Produce an image from the container [0m"
 read
-buildah commit "$container1" containers-storage:${2:-first-new-image}
+buildah commit "$container1" ${2:-first-new-image}
 read
 : "[1m Verify that our new image is there [0m"
 read
--- a/examples/lighttpd.sh
+++ b/examples/lighttpd.sh
@@ -0,0 +1,17 @@
+#!/bin/bash -x
+
+ctr1=`buildah from ${1:-fedora}`
+
+## Get all updates and install our minimal httpd server
+buildah run $ctr1 -- dnf update -y
+buildah run $ctr1 -- dnf install -y lighttpd
+
+## Include some buildtime annotations
+buildah config --annotation "com.example.build.host=$(uname -n)" $ctr1
+
+## Run our server and expose the port
+buildah config $ctr1 --cmd "/usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf"
+buildah config $ctr1 --port 80
+
+## Commit this container to an image name
+buildah commit $ctr1 ${2:-$USER/lighttpd}
--- a/image.go
+++ b/image.go
@@ -2,6 +2,7 @@ package buildah

 import (
 	"bytes"
+	"context"
 	"encoding/json"
 	"io"
 	"io/ioutil"
@@ -9,7 +10,6 @@ import (
 	"path/filepath"
 	"time"

-	"github.com/Sirupsen/logrus"
 	"github.com/containers/image/docker/reference"
 	"github.com/containers/image/image"
 	"github.com/containers/image/manifest"
@@ -23,6 +23,7 @@ import (
 	"github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
 	"github.com/projectatomic/buildah/docker"
+	"github.com/sirupsen/logrus"
 )

 const (
@@ -68,32 +69,16 @@ type containerImageSource struct {
 }

 func (i *containerImageRef) NewImage(sc *types.SystemContext) (types.Image, error) {
-	src, err := i.NewImageSource(sc, nil)
+	src, err := i.NewImageSource(sc)
 	if err != nil {
 		return nil, err
 	}
 	return image.FromSource(src)
 }

-func selectManifestType(preferred string, acceptable, supported []string) string {
-	selected := preferred
-	for _, accept := range acceptable {
-		if preferred == accept {
-			return preferred
-		}
-		for _, support := range supported {
-			if accept == support {
-				selected = accept
-			}
-		}
-	}
-	return selected
-}
-
-func (i *containerImageRef) NewImageSource(sc *types.SystemContext, manifestTypes []string) (src types.ImageSource, err error) {
+func (i *containerImageRef) NewImageSource(sc *types.SystemContext) (src types.ImageSource, err error) {
 	// Decide which type of manifest and configuration output we're going to provide.
-	supportedManifestTypes := []string{v1.MediaTypeImageManifest, docker.V2S2MediaTypeManifest}
-	manifestType := selectManifestType(i.preferredManifestType, manifestTypes, supportedManifestTypes)
+	manifestType := i.preferredManifestType
 	// If it's not a format we support, return an error.
 	if manifestType != v1.MediaTypeImageManifest && manifestType != docker.V2S2MediaTypeManifest {
 		return nil, errors.Errorf("no supported manifest types (attempted to use %q, only know %q and %q)",
@@ -172,7 +157,7 @@ func (i *containerImageRef) NewImageSource(sc *types.SystemContext, manifestType
 	}

 	oimage.RootFS.Type = docker.TypeLayers
-	oimage.RootFS.DiffIDs = []string{}
+	oimage.RootFS.DiffIDs = []digest.Digest{}
 	dimage.RootFS = &docker.V2S2RootFS{}
 	dimage.RootFS.Type = docker.TypeLayers
 	dimage.RootFS.DiffIDs = []digest.Digest{}
@@ -215,12 +200,12 @@ func (i *containerImageRef) NewImageSource(sc *types.SystemContext, manifestType
 			dmanifest.Layers = append(dmanifest.Layers, dlayerDescriptor)
 			// Add a note about the diffID, which should be uncompressed digest of the blob, but
 			// just use the layer ID here.
-			oimage.RootFS.DiffIDs = append(oimage.RootFS.DiffIDs, fakeLayerDigest.String())
+			oimage.RootFS.DiffIDs = append(oimage.RootFS.DiffIDs, fakeLayerDigest)
 			dimage.RootFS.DiffIDs = append(dimage.RootFS.DiffIDs, fakeLayerDigest)
 			continue
 		}
 		// Start reading the layer.
-		rc, err := i.store.Diff("", layerID)
+		rc, err := i.store.Diff("", layerID, nil)
 		if err != nil {
 			return nil, errors.Wrapf(err, "error extracting layer %q", layerID)
 		}
@@ -283,14 +268,14 @@ func (i *containerImageRef) NewImageSource(sc *types.SystemContext, manifestType
 		}
 		dmanifest.Layers = append(dmanifest.Layers, dlayerDescriptor)
 		// Add a note about the diffID, which is always an uncompressed value.
-		oimage.RootFS.DiffIDs = append(oimage.RootFS.DiffIDs, srcHasher.Digest().String())
+		oimage.RootFS.DiffIDs = append(oimage.RootFS.DiffIDs, srcHasher.Digest())
 		dimage.RootFS.DiffIDs = append(dimage.RootFS.DiffIDs, srcHasher.Digest())
 	}

 	if i.addHistory {
 		// Build history notes in the image configurations.
 		onews := v1.History{
-			Created:    i.created,
+			Created:    &i.created,
 			CreatedBy:  i.createdBy,
 			Author:     oimage.Author,
 			EmptyLayer: false,
@@ -417,7 +402,7 @@ func (i *containerImageSource) Reference() types.ImageReference {
 	return i.ref
 }

-func (i *containerImageSource) GetSignatures() ([][]byte, error) {
+func (i *containerImageSource) GetSignatures(ctx context.Context) ([][]byte, error) {
 	return nil, nil
 }

--- a/imagebuildah/build.go
+++ b/imagebuildah/build.go
@@ -8,7 +8,6 @@ import (
 	"path/filepath"
 	"strings"

-	"github.com/Sirupsen/logrus"
 	is "github.com/containers/image/storage"
 	"github.com/containers/image/transports"
 	"github.com/containers/image/transports/alltransports"
@@ -22,6 +21,7 @@ import (
 	"github.com/openshift/imagebuilder"
 	"github.com/pkg/errors"
 	"github.com/projectatomic/buildah"
+	"github.com/sirupsen/logrus"
 )

 const (
@@ -51,8 +51,13 @@ type BuildOptions struct {
 	PullPolicy int
 	// Registry is a value which is prepended to the image's name, if it
 	// needs to be pulled and the image name alone can not be resolved to a
-	// reference to a source image.
+	// reference to a source image.  No separator is implicitly added.
 	Registry string
+	// Transport is a value which is prepended to the image's name, if it
+	// needs to be pulled and the image name alone, or the image name and
+	// the registry together, can not be resolved to a reference to a
+	// source image.  No separator is implicitly added.
+	Transport string
 	// IgnoreUnrecognizedInstructions tells us to just log instructions we
 	// don't recognize, and try to keep going.
 	IgnoreUnrecognizedInstructions bool
@@ -90,6 +95,8 @@ type BuildOptions struct {
 	// specified, indicating that the shared, system-wide default policy
 	// should be used.
 	SignaturePolicyPath string
+	// SkipTLSVerify denotes whether TLS verification should not be used.
+	SkipTLSVerify bool
 	// ReportWriter is an io.Writer which will be used to report the
 	// progress of the (possible) pulling of the source image and the
 	// writing of the new image.
@@ -98,6 +105,7 @@ type BuildOptions struct {
 	// configuration data.
 	// Accepted values are OCIv1ImageFormat and Dockerv2ImageFormat.
 	OutputFormat string
+	AuthFilePath string
 }

 // Executor is a buildah-based implementation of the imagebuilder.Executor
@@ -108,6 +116,7 @@ type Executor struct {
 	builder                        *buildah.Builder
 	pullPolicy                     int
 	registry                       string
+	transport                      string
 	ignoreUnrecognizedInstructions bool
 	quiet                          bool
 	runtime                        string
@@ -130,11 +139,15 @@ type Executor struct {
 	reportWriter                   io.Writer
 }

-func makeSystemContext(signaturePolicyPath string) *types.SystemContext {
+func makeSystemContext(signaturePolicyPath, authFilePath string, skipTLSVerify bool) *types.SystemContext {
 	sc := &types.SystemContext{}
 	if signaturePolicyPath != "" {
 		sc.SignaturePolicyPath = signaturePolicyPath
 	}
+	if authFilePath != "" {
+		sc.AuthFilePath = authFilePath
+	}
+	sc.DockerInsecureSkipTLSVerify = skipTLSVerify
 	return sc
 }

@@ -153,7 +166,15 @@ func (b *Executor) Preserve(path string) error {
 	logrus.Debugf("PRESERVE %q", path)
 	if b.volumes.Covers(path) {
 		// This path is already a subdirectory of a volume path that
-		// we're already preserving, so there's nothing new to be done.
+		// we're already preserving, so there's nothing new to be done
+		// except ensure that it exists.
+		archivedPath := filepath.Join(b.mountPoint, path)
+		if err := os.MkdirAll(archivedPath, 0755); err != nil {
+			return errors.Wrapf(err, "error ensuring volume path %q exists", archivedPath)
+		}
+		if err := b.volumeCacheInvalidate(path); err != nil {
+			return errors.Wrapf(err, "error ensuring volume path %q is preserved", archivedPath)
+		}
 		return nil
 	}
 	// Figure out where the cache for this volume would be stored.
@@ -166,9 +187,15 @@ func (b *Executor) Preserve(path string) error {
 	// Save info about the top level of the location that we'll be archiving.
 	archivedPath := filepath.Join(b.mountPoint, path)
 	st, err := os.Stat(archivedPath)
+	if os.IsNotExist(err) {
+		if err = os.MkdirAll(archivedPath, 0755); err != nil {
+			return errors.Wrapf(err, "error ensuring volume path %q exists", archivedPath)
+		}
+		st, err = os.Stat(archivedPath)
+	}
 	if err != nil {
 		logrus.Debugf("error reading info about %q: %v", archivedPath, err)
-		return err
+		return errors.Wrapf(err, "error reading info about volume path %q", archivedPath)
 	}
 	b.volumeCacheInfo[path] = st
 	if !b.volumes.Add(path) {
@@ -241,6 +268,9 @@ func (b *Executor) volumeCacheSave() error {
 		if !os.IsNotExist(err) {
 			return errors.Wrapf(err, "error checking for cache of %q in %q", archivedPath, cacheFile)
 		}
+		if err := os.MkdirAll(archivedPath, 0755); err != nil {
+			return errors.Wrapf(err, "error ensuring volume path %q exists", archivedPath)
+		}
 		logrus.Debugf("caching contents of volume %q in %q", archivedPath, cacheFile)
 		cache, err := os.Create(cacheFile)
 		if err != nil {
@@ -273,7 +303,7 @@ func (b *Executor) volumeCacheRestore() error {
 		if err := os.RemoveAll(archivedPath); err != nil {
 			return errors.Wrapf(err, "error clearing volume path %q", archivedPath)
 		}
-		if err := os.MkdirAll(archivedPath, 0700); err != nil {
+		if err := os.MkdirAll(archivedPath, 0755); err != nil {
 			return errors.Wrapf(err, "error recreating volume path %q", archivedPath)
 		}
 		err = archive.Untar(cache, archivedPath, nil)
@@ -386,6 +416,7 @@ func NewExecutor(store storage.Store, options BuildOptions) (*Executor, error) {
 		contextDir:                     options.ContextDirectory,
 		pullPolicy:                     options.PullPolicy,
 		registry:                       options.Registry,
+		transport:                      options.Transport,
 		ignoreUnrecognizedInstructions: options.IgnoreUnrecognizedInstructions,
 		quiet:               options.Quiet,
 		runtime:             options.Runtime,
@@ -396,7 +427,7 @@ func NewExecutor(store storage.Store, options BuildOptions) (*Executor, error) {
 		outputFormat:        options.OutputFormat,
 		additionalTags:      options.AdditionalTags,
 		signaturePolicyPath: options.SignaturePolicyPath,
-		systemContext:       makeSystemContext(options.SignaturePolicyPath),
+		systemContext:       makeSystemContext(options.SignaturePolicyPath, options.AuthFilePath, options.SkipTLSVerify),
 		volumeCache:         make(map[string]string),
 		volumeCacheInfo:     make(map[string]os.FileInfo),
 		log:                 options.Log,
@@ -441,6 +472,7 @@ func (b *Executor) Prepare(ib *imagebuilder.Builder, node *parser.Node, from str
 		FromImage:           from,
 		PullPolicy:          b.pullPolicy,
 		Registry:            b.registry,
+		Transport:           b.transport,
 		SignaturePolicyPath: b.signaturePolicyPath,
 		ReportWriter:        b.reportWriter,
 	}
--- a/imagebuildah/util.go
+++ b/imagebuildah/util.go
@@ -9,10 +9,10 @@ import (
 	"path"
 	"strings"

-	"github.com/Sirupsen/logrus"
 	"github.com/containers/storage/pkg/chrootarchive"
 	"github.com/pkg/errors"
 	"github.com/projectatomic/buildah"
+	"github.com/sirupsen/logrus"
 )

 func cloneToDirectory(url, dir string) error {
--- a/logos/buildah-logo-_both.png
+++ b/logos/buildah-logo-_both.png
--- a/logos/buildah-logo-reverse.png
+++ b/logos/buildah-logo-reverse.png
--- a/logos/buildah-logo-reverse_md.png
+++ b/logos/buildah-logo-reverse_md.png
--- a/logos/buildah-logo-reverse_sm.png
+++ b/logos/buildah-logo-reverse_sm.png
--- a/logos/buildah-logo.png
+++ b/logos/buildah-logo.png
--- a/logos/buildah-logo_med.png
+++ b/logos/buildah-logo_med.png
--- a/logos/buildah-logo_sm.png
+++ b/logos/buildah-logo_sm.png
--- a/logos/buildah-no-text.png
+++ b/logos/buildah-no-text.png
--- a/logos/buildah.svg
+++ b/logos/buildah.svg
--- a/new.go
+++ b/new.go
@@ -2,34 +2,154 @@ package buildah

 import (
 	"fmt"
+	"os"
 	"strings"

-	"github.com/Sirupsen/logrus"
 	is "github.com/containers/image/storage"
+	"github.com/containers/image/transports"
+	"github.com/containers/image/transports/alltransports"
+	"github.com/containers/image/types"
 	"github.com/containers/storage"
+	"github.com/opencontainers/selinux/go-selinux"
+	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/openshift/imagebuilder"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 )

 const (
 	// BaseImageFakeName is the "name" of a source image which we interpret
 	// as "no image".
 	BaseImageFakeName = imagebuilder.NoBaseImageSpecifier
+
+	// DefaultTransport is a prefix that we apply to an image name if we
+	// can't find one in the local Store, in order to generate a source
+	// reference for the image that we can then copy to the local Store.
+	DefaultTransport = "docker://"
 )

+func reserveSELinuxLabels(store storage.Store, id string) error {
+	if selinux.GetEnabled() {
+		containers, err := store.Containers()
+		if err != nil {
+			return err
+		}
+
+		for _, c := range containers {
+			if id == c.ID {
+				continue
+			} else {
+				b, err := OpenBuilder(store, c.ID)
+				if err != nil {
+					if os.IsNotExist(err) {
+						// Ignore not exist errors since containers probably created by other tool
+						// TODO, we need to read other containers json data to reserve their SELinux labels
+						continue
+					}
+					return err
+				}
+				// Prevent containers from using same MCS Label
+				if err := label.ReserveLabel(b.ProcessLabel); err != nil {
+					return err
+				}
+			}
+		}
+	}
+	return nil
+}
+
 func newBuilder(store storage.Store, options BuilderOptions) (*Builder, error) {
+	var ref types.ImageReference
 	var img *storage.Image
 	manifest := []byte{}
 	config := []byte{}

-	name := "working-container"
 	if options.FromImage == BaseImageFakeName {
 		options.FromImage = ""
 	}
 	image := options.FromImage
+
+	if options.Transport == "" {
+		options.Transport = DefaultTransport
+	}
+
+	systemContext := getSystemContext(options.SignaturePolicyPath)
+
+	imageID := ""
+	if image != "" {
+		var err error
+		if options.PullPolicy == PullAlways {
+			pulledReference, err2 := pullImage(store, options, systemContext)
+			if err2 != nil {
+				return nil, errors.Wrapf(err2, "error pulling image %q", image)
+			}
+			ref = pulledReference
+		}
+		if ref == nil {
+			srcRef, err2 := alltransports.ParseImageName(image)
+			if err2 != nil {
+				srcRef2, err3 := alltransports.ParseImageName(options.Registry + image)
+				if err3 != nil {
+					srcRef3, err4 := alltransports.ParseImageName(options.Transport + options.Registry + image)
+					if err4 != nil {
+						return nil, errors.Wrapf(err4, "error parsing image name %q", options.Transport+options.Registry+image)
+					}
+					srcRef2 = srcRef3
+				}
+				srcRef = srcRef2
+			}
+
+			destImage, err2 := localImageNameForReference(store, srcRef)
+			if err2 != nil {
+				return nil, errors.Wrapf(err2, "error computing local image name for %q", transports.ImageName(srcRef))
+			}
+			if destImage == "" {
+				return nil, errors.Errorf("error computing local image name for %q", transports.ImageName(srcRef))
+			}
+
+			ref, err = is.Transport.ParseStoreReference(store, destImage)
+			if err != nil {
+				return nil, errors.Wrapf(err, "error parsing reference to image %q", destImage)
+			}
+
+			image = destImage
+		}
+		img, err = is.Transport.GetStoreImage(store, ref)
+		if err != nil {
+			if errors.Cause(err) == storage.ErrImageUnknown && options.PullPolicy != PullIfMissing {
+				return nil, errors.Wrapf(err, "no such image %q", transports.ImageName(ref))
+			}
+			ref2, err2 := pullImage(store, options, systemContext)
+			if err2 != nil {
+				return nil, errors.Wrapf(err2, "error pulling image %q", image)
+			}
+			ref = ref2
+			img, err = is.Transport.GetStoreImage(store, ref)
+		}
+		if err != nil {
+			return nil, errors.Wrapf(err, "no such image %q", transports.ImageName(ref))
+		}
+		imageID = img.ID
+		src, err := ref.NewImage(systemContext)
+		if err != nil {
+			return nil, errors.Wrapf(err, "error instantiating image for %q", transports.ImageName(ref))
+		}
+		defer src.Close()
+		config, err = src.ConfigBlob()
+		if err != nil {
+			return nil, errors.Wrapf(err, "error reading image configuration for %q", transports.ImageName(ref))
+		}
+		manifest, _, err = src.Manifest()
+		if err != nil {
+			return nil, errors.Wrapf(err, "error reading image manifest for %q", transports.ImageName(ref))
+		}
+	}
+
+	name := "working-container"
 	if options.Container != "" {
 		name = options.Container
 	} else {
+		var err2 error
 		if image != "" {
 			prefix := image
 			s := strings.Split(prefix, "/")
@@ -46,69 +166,17 @@ func newBuilder(store storage.Store, options BuilderOptions) (*Builder, error) {
 			}
 			name = prefix + "-" + name
 		}
-	}
-	if name != "" {
-		var err error
 		suffix := 1
 		tmpName := name
-		for err != storage.ErrContainerUnknown {
-			_, err = store.Container(tmpName)
-			if err == nil {
+		for errors.Cause(err2) != storage.ErrContainerUnknown {
+			_, err2 = store.Container(tmpName)
+			if err2 == nil {
 				suffix++
 				tmpName = fmt.Sprintf("%s-%d", name, suffix)
 			}
 		}
 		name = tmpName
 	}
-
-	systemContext := getSystemContext(options.SignaturePolicyPath)
-
-	imageID := ""
-	if image != "" {
-		if options.PullPolicy == PullAlways {
-			err := pullImage(store, options, systemContext)
-			if err != nil {
-				return nil, errors.Wrapf(err, "error pulling image %q", image)
-			}
-		}
-		ref, err := is.Transport.ParseStoreReference(store, image)
-		if err != nil {
-			return nil, errors.Wrapf(err, "error parsing reference to image %q", image)
-		}
-		img, err = is.Transport.GetStoreImage(store, ref)
-		if err != nil {
-			if err == storage.ErrImageUnknown && options.PullPolicy != PullIfMissing {
-				return nil, errors.Wrapf(err, "no such image %q", image)
-			}
-			err = pullImage(store, options, systemContext)
-			if err != nil {
-				return nil, errors.Wrapf(err, "error pulling image %q", image)
-			}
-			ref, err = is.Transport.ParseStoreReference(store, image)
-			if err != nil {
-				return nil, errors.Wrapf(err, "error parsing reference to image %q", image)
-			}
-			img, err = is.Transport.GetStoreImage(store, ref)
-		}
-		if err != nil {
-			return nil, errors.Wrapf(err, "no such image %q", image)
-		}
-		imageID = img.ID
-		src, err := ref.NewImage(systemContext)
-		if err != nil {
-			return nil, errors.Wrapf(err, "error instantiating image")
-		}
-		defer src.Close()
-		config, err = src.ConfigBlob()
-		if err != nil {
-			return nil, errors.Wrapf(err, "error reading image configuration")
-		}
-		manifest, _, err = src.Manifest()
-		if err != nil {
-			return nil, errors.Wrapf(err, "error reading image manifest")
-		}
-	}
-
 	coptions := storage.ContainerOptions{}
 	container, err := store.CreateContainer("", []string{name}, imageID, "", "", &coptions)
 	if err != nil {
@@ -123,21 +191,32 @@ func newBuilder(store storage.Store, options BuilderOptions) (*Builder, error) {
 		}
 	}()

+	if err := reserveSELinuxLabels(store, container.ID); err != nil {
+		return nil, err
+	}
+	processLabel, mountLabel, err := label.InitLabels(nil)
+	if err != nil {
+		return nil, err
+	}
+
 	builder := &Builder{
-		store:            store,
-		Type:             containerType,
-		FromImage:        image,
-		FromImageID:      imageID,
-		Config:           config,
-		Manifest:         manifest,
-		Container:        name,
-		ContainerID:      container.ID,
-		ImageAnnotations: map[string]string{},
-		ImageCreatedBy:   "",
+		store:                 store,
+		Type:                  containerType,
+		FromImage:             image,
+		FromImageID:           imageID,
+		Config:                config,
+		Manifest:              manifest,
+		Container:             name,
+		ContainerID:           container.ID,
+		ImageAnnotations:      map[string]string{},
+		ImageCreatedBy:        "",
+		ProcessLabel:          processLabel,
+		MountLabel:            mountLabel,
+		DefaultMountsFilePath: options.DefaultMountsFilePath,
 	}

 	if options.Mount {
-		_, err = builder.Mount("")
+		_, err = builder.Mount(mountLabel)
 		if err != nil {
 			return nil, errors.Wrapf(err, "error mounting build container")
 		}
--- a/ostree_tag.sh
+++ b/ostree_tag.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+if ! pkg-config ostree-1 2> /dev/null ; then
+	echo containers_image_ostree_stub
+fi
--- a/pull.go
+++ b/pull.go
@@ -1,58 +1,114 @@
 package buildah

 import (
-	"github.com/Sirupsen/logrus"
+	"strings"
+
 	cp "github.com/containers/image/copy"
 	"github.com/containers/image/docker/reference"
 	"github.com/containers/image/signature"
 	is "github.com/containers/image/storage"
+	"github.com/containers/image/transports"
 	"github.com/containers/image/transports/alltransports"
 	"github.com/containers/image/types"
 	"github.com/containers/storage"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 )

-func pullImage(store storage.Store, options BuilderOptions, sc *types.SystemContext) error {
+func localImageNameForReference(store storage.Store, srcRef types.ImageReference) (string, error) {
+	if srcRef == nil {
+		return "", errors.Errorf("reference to image is empty")
+	}
+	ref := srcRef.DockerReference()
+	if ref == nil {
+		name := srcRef.StringWithinTransport()
+		_, err := is.Transport.ParseStoreReference(store, name)
+		if err == nil {
+			return name, nil
+		}
+		if strings.LastIndex(name, "/") != -1 {
+			name = name[strings.LastIndex(name, "/")+1:]
+			_, err = is.Transport.ParseStoreReference(store, name)
+			if err == nil {
+				return name, nil
+			}
+		}
+		return "", errors.Errorf("reference to image %q is not a named reference", transports.ImageName(srcRef))
+	}
+
+	name := ""
+	if named, ok := ref.(reference.Named); ok {
+		name = named.Name()
+		if namedTagged, ok := ref.(reference.NamedTagged); ok {
+			name = name + ":" + namedTagged.Tag()
+		}
+		if canonical, ok := ref.(reference.Canonical); ok {
+			name = name + "@" + canonical.Digest().String()
+		}
+	}
+
+	if _, err := is.Transport.ParseStoreReference(store, name); err != nil {
+		return "", errors.Wrapf(err, "error parsing computed local image name %q", name)
+	}
+	return name, nil
+}
+
+func pullImage(store storage.Store, options BuilderOptions, sc *types.SystemContext) (types.ImageReference, error) {
 	name := options.FromImage

 	spec := name
 	if options.Registry != "" {
 		spec = options.Registry + spec
 	}
+	spec2 := spec
+	if options.Transport != "" {
+		spec2 = options.Transport + spec
+	}

 	srcRef, err := alltransports.ParseImageName(name)
 	if err != nil {
 		srcRef2, err2 := alltransports.ParseImageName(spec)
 		if err2 != nil {
-			return errors.Wrapf(err2, "error parsing image name %q", spec)
+			srcRef3, err3 := alltransports.ParseImageName(spec2)
+			if err3 != nil {
+				return nil, errors.Wrapf(err3, "error parsing image name %q", spec2)
+			}
+			srcRef2 = srcRef3
 		}
 		srcRef = srcRef2
 	}

-	if ref := srcRef.DockerReference(); ref != nil {
-		name = srcRef.DockerReference().Name()
-		if tagged, ok := srcRef.DockerReference().(reference.NamedTagged); ok {
-			name = name + ":" + tagged.Tag()
-		}
+	destName, err := localImageNameForReference(store, srcRef)
+	if err != nil {
+		return nil, errors.Wrapf(err, "error computing local image name for %q", transports.ImageName(srcRef))
+	}
+	if destName == "" {
+		return nil, errors.Errorf("error computing local image name for %q", transports.ImageName(srcRef))
 	}

-	destRef, err := is.Transport.ParseStoreReference(store, name)
+	destRef, err := is.Transport.ParseStoreReference(store, destName)
 	if err != nil {
-		return errors.Wrapf(err, "error parsing full image name %q", name)
+		return nil, errors.Wrapf(err, "error parsing image name %q", destName)
 	}

 	policy, err := signature.DefaultPolicy(sc)
 	if err != nil {
-		return err
+		return nil, errors.Wrapf(err, "error obtaining default signature policy")
 	}

 	policyContext, err := signature.NewPolicyContext(policy)
 	if err != nil {
-		return err
+		return nil, errors.Wrapf(err, "error creating new signature policy context")
 	}

+	defer func() {
+		if err2 := policyContext.Destroy(); err2 != nil {
+			logrus.Debugf("error destroying signature polcy context: %v", err2)
+		}
+	}()
+
 	logrus.Debugf("copying %q to %q", spec, name)

-	err = cp.Image(policyContext, destRef, srcRef, getCopyOptions(options.ReportWriter))
-	return err
+	err = cp.Image(policyContext, destRef, srcRef, getCopyOptions(options.ReportWriter, options.SystemContext, nil, ""))
+	return destRef, err
 }
--- a/run.go
+++ b/run.go
@@ -8,11 +8,13 @@ import (
 	"path/filepath"
 	"strings"

-	"github.com/Sirupsen/logrus"
 	"github.com/containers/storage/pkg/ioutils"
+	digest "github.com/opencontainers/go-digest"
 	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/runtime-tools/generate"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/crypto/ssh/terminal"
 )

 const (
@@ -64,7 +66,7 @@ type RunOptions struct {
 	Terminal int
 }

-func setupMounts(spec *specs.Spec, optionMounts []specs.Mount, bindFiles, volumes []string) error {
+func (b *Builder) setupMounts(mountPoint string, spec *specs.Spec, optionMounts []specs.Mount, bindFiles, volumes []string) error {
 	// The passed-in mounts matter the most to us.
 	mounts := make([]specs.Mount, len(optionMounts))
 	copy(mounts, optionMounts)
@@ -98,17 +100,52 @@ func setupMounts(spec *specs.Spec, optionMounts []specs.Mount, bindFiles, volume
 			Options:     []string{"rbind", "ro"},
 		})
 	}
-	// Add tmpfs filesystems at volume locations, unless we already have something there.
+
+	cdir, err := b.store.ContainerDirectory(b.ContainerID)
+	if err != nil {
+		return errors.Wrapf(err, "error determining work directory for container %q", b.ContainerID)
+	}
+
+	// Add secrets mounts
+	mountsFiles := []string{OverrideMountsFile, b.DefaultMountsFilePath}
+	for _, file := range mountsFiles {
+		secretMounts, err := secretMounts(file, b.MountLabel, cdir)
+		if err != nil {
+			logrus.Warn("error mounting secrets, skipping...")
+		}
+		for _, mount := range secretMounts {
+			if haveMount(mount.Destination) {
+				continue
+			}
+			mounts = append(mounts, mount)
+		}
+	}
+	// Add temporary copies of the contents of volume locations at the
+	// volume locations, unless we already have something there.
 	for _, volume := range volumes {
 		if haveMount(volume) {
-			// Already mounting something there, no need for a tmpfs.
+			// Already mounting something there, no need to bother.
 			continue
 		}
-		// Mount a tmpfs there.
+		subdir := digest.Canonical.FromString(volume).Hex()
+		volumePath := filepath.Join(cdir, "buildah-volumes", subdir)
+		// If we need to, initialize the volume path's initial contents.
+		if _, err = os.Stat(volumePath); os.IsNotExist(err) {
+			if err = os.MkdirAll(volumePath, 0755); err != nil {
+				return errors.Wrapf(err, "error creating directory %q for volume %q in container %q", volumePath, volume, b.ContainerID)
+			}
+			srcPath := filepath.Join(mountPoint, volume)
+			if err = copyFileWithTar(srcPath, volumePath); err != nil && !os.IsNotExist(err) {
+				return errors.Wrapf(err, "error populating directory %q for volume %q in container %q using contents of %q", volumePath, volume, b.ContainerID, srcPath)
+			}
+
+		}
+		// Add the bind mount.
 		mounts = append(mounts, specs.Mount{
-			Source:      "tmpfs",
+			Source:      volumePath,
 			Destination: volume,
-			Type:        "tmpfs",
+			Type:        "bind",
+			Options:     []string{"bind"},
 		})
 	}
 	// Set the list in the spec.
@@ -131,12 +168,6 @@ func (b *Builder) Run(command []string, options RunOptions) error {
 	}()
 	g := generate.New()

-	if b.OS() != "" {
-		g.SetPlatformOS(b.OS())
-	}
-	if b.Architecture() != "" {
-		g.SetPlatformArch(b.Architecture())
-	}
 	for _, envSpec := range append(b.Env(), options.Env...) {
 		env := strings.SplitN(envSpec, "=", 2)
 		if len(env) > 1 {
@@ -145,14 +176,16 @@ func (b *Builder) Run(command []string, options RunOptions) error {
 	}
 	if len(command) > 0 {
 		g.SetProcessArgs(command)
-	} else if len(options.Cmd) != 0 {
-		g.SetProcessArgs(options.Cmd)
-	} else if len(b.Cmd()) != 0 {
-		g.SetProcessArgs(b.Cmd())
-	} else if len(options.Entrypoint) != 0 {
-		g.SetProcessArgs(options.Entrypoint)
-	} else if len(b.Entrypoint()) != 0 {
-		g.SetProcessArgs(b.Entrypoint())
+	} else {
+		cmd := b.Cmd()
+		if len(options.Cmd) > 0 {
+			cmd = options.Cmd
+		}
+		ep := b.Entrypoint()
+		if len(options.Entrypoint) > 0 {
+			ep = options.Entrypoint
+		}
+		g.SetProcessArgs(append(ep, cmd...))
 	}
 	if options.WorkingDir != "" {
 		g.SetProcessCwd(options.WorkingDir)
@@ -164,7 +197,9 @@ func (b *Builder) Run(command []string, options RunOptions) error {
 	} else if b.Hostname() != "" {
 		g.SetHostname(b.Hostname())
 	}
-	mountPoint, err := b.Mount("")
+	g.SetProcessSelinuxLabel(b.ProcessLabel)
+	g.SetLinuxMountLabel(b.MountLabel)
+	mountPoint, err := b.Mount(b.MountLabel)
 	if err != nil {
 		return err
 	}
@@ -176,7 +211,7 @@ func (b *Builder) Run(command []string, options RunOptions) error {
 	g.SetRootPath(mountPoint)
 	switch options.Terminal {
 	case DefaultTerminal:
-		g.SetProcessTerminal(logrus.IsTerminal(os.Stdout))
+		g.SetProcessTerminal(terminal.IsTerminal(int(os.Stdout.Fd())))
 	case WithTerminal:
 		g.SetProcessTerminal(true)
 	case WithoutTerminal:
@@ -201,12 +236,12 @@ func (b *Builder) Run(command []string, options RunOptions) error {
 	if spec.Process.Cwd == "" {
 		spec.Process.Cwd = DefaultWorkingDir
 	}
-	if err = os.MkdirAll(filepath.Join(mountPoint, b.WorkDir()), 0755); err != nil {
-		return errors.Wrapf(err, "error ensuring working directory %q exists", b.WorkDir())
+	if err = os.MkdirAll(filepath.Join(mountPoint, spec.Process.Cwd), 0755); err != nil {
+		return errors.Wrapf(err, "error ensuring working directory %q exists", spec.Process.Cwd)
 	}

 	bindFiles := []string{"/etc/hosts", "/etc/resolv.conf"}
-	err = setupMounts(spec, options.Mounts, bindFiles, b.Volumes())
+	err = b.setupMounts(mountPoint, spec, options.Mounts, bindFiles, b.Volumes())
 	if err != nil {
 		return errors.Wrapf(err, "error resolving mountpoints for container")
 	}
--- a/secrets.go
+++ b/secrets.go
@@ -0,0 +1,198 @@
+package buildah
+
+import (
+	"bufio"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"strings"
+
+	rspec "github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/opencontainers/selinux/go-selinux/label"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+var (
+	// DefaultMountsFile holds the default mount paths in the form
+	// "host_path:container_path"
+	DefaultMountsFile = "/usr/share/containers/mounts.conf"
+	// OverrideMountsFile holds the default mount paths in the form
+	// "host_path:container_path" overriden by the user
+	OverrideMountsFile = "/etc/containers/mounts.conf"
+)
+
+// SecretData info
+type SecretData struct {
+	Name string
+	Data []byte
+}
+
+func getMounts(filePath string) []string {
+	file, err := os.Open(filePath)
+	if err != nil {
+		logrus.Warnf("file %q not found, skipping...", filePath)
+		return nil
+	}
+	defer file.Close()
+	scanner := bufio.NewScanner(file)
+	if err = scanner.Err(); err != nil {
+		logrus.Warnf("error reading file %q, skipping...", filePath)
+		return nil
+	}
+	var mounts []string
+	for scanner.Scan() {
+		mounts = append(mounts, scanner.Text())
+	}
+	return mounts
+}
+
+// SaveTo saves secret data to given directory
+func (s SecretData) SaveTo(dir string) error {
+	path := filepath.Join(dir, s.Name)
+	if err := os.MkdirAll(filepath.Dir(path), 0700); err != nil && !os.IsExist(err) {
+		return err
+	}
+	return ioutil.WriteFile(path, s.Data, 0700)
+}
+
+func readAll(root, prefix string) ([]SecretData, error) {
+	path := filepath.Join(root, prefix)
+
+	data := []SecretData{}
+
+	files, err := ioutil.ReadDir(path)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return data, nil
+		}
+
+		return nil, err
+	}
+
+	for _, f := range files {
+		fileData, err := readFile(root, filepath.Join(prefix, f.Name()))
+		if err != nil {
+			// If the file did not exist, might be a dangling symlink
+			// Ignore the error
+			if os.IsNotExist(err) {
+				continue
+			}
+			return nil, err
+		}
+		data = append(data, fileData...)
+	}
+
+	return data, nil
+}
+
+func readFile(root, name string) ([]SecretData, error) {
+	path := filepath.Join(root, name)
+
+	s, err := os.Stat(path)
+	if err != nil {
+		return nil, err
+	}
+
+	if s.IsDir() {
+		dirData, err2 := readAll(root, name)
+		if err2 != nil {
+			return nil, err2
+		}
+		return dirData, nil
+	}
+	bytes, err := ioutil.ReadFile(path)
+	if err != nil {
+		return nil, err
+	}
+	return []SecretData{{Name: name, Data: bytes}}, nil
+}
+
+// getHostAndCtrDir separates the host:container paths
+func getMountsMap(path string) (string, string, error) {
+	arr := strings.SplitN(path, ":", 2)
+	if len(arr) == 2 {
+		return arr[0], arr[1], nil
+	}
+	return "", "", errors.Errorf("unable to get host and container dir")
+}
+
+func getHostSecretData(hostDir string) ([]SecretData, error) {
+	var allSecrets []SecretData
+	hostSecrets, err := readAll(hostDir, "")
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed to read secrets from %q", hostDir)
+	}
+	return append(allSecrets, hostSecrets...), nil
+}
+
+// secretMount copies the contents of host directory to container directory
+// and returns a list of mounts
+func secretMounts(filePath, mountLabel, containerWorkingDir string) ([]rspec.Mount, error) {
+	var mounts []rspec.Mount
+	defaultMountsPaths := getMounts(filePath)
+	for _, path := range defaultMountsPaths {
+		hostDir, ctrDir, err := getMountsMap(path)
+		if err != nil {
+			return nil, err
+		}
+		// skip if the hostDir path doesn't exist
+		if _, err = os.Stat(hostDir); os.IsNotExist(err) {
+			logrus.Warnf("%q doesn't exist, skipping", hostDir)
+			continue
+		}
+
+		ctrDirOnHost := filepath.Join(containerWorkingDir, ctrDir)
+		if err = os.RemoveAll(ctrDirOnHost); err != nil {
+			return nil, fmt.Errorf("remove container directory failed: %v", err)
+		}
+
+		if err = os.MkdirAll(ctrDirOnHost, 0755); err != nil {
+			return nil, fmt.Errorf("making container directory failed: %v", err)
+		}
+
+		hostDir, err = resolveSymbolicLink(hostDir)
+		if err != nil {
+			return nil, err
+		}
+
+		data, err := getHostSecretData(hostDir)
+		if err != nil {
+			return nil, errors.Wrapf(err, "getting host secret data failed")
+		}
+		for _, s := range data {
+			err = s.SaveTo(ctrDirOnHost)
+			if err != nil {
+				return nil, err
+			}
+		}
+		err = label.Relabel(ctrDirOnHost, mountLabel, false)
+		if err != nil {
+			return nil, errors.Wrap(err, "error applying correct labels")
+		}
+
+		m := rspec.Mount{
+			Source:      ctrDirOnHost,
+			Destination: ctrDir,
+			Type:        "bind",
+			Options:     []string{"bind"},
+		}
+
+		mounts = append(mounts, m)
+	}
+	return mounts, nil
+}
+
+// resolveSymbolicLink resolves a possbile symlink path. If the path is a symlink, returns resolved
+// path; if not, returns the original path.
+func resolveSymbolicLink(path string) (string, error) {
+	info, err := os.Lstat(path)
+	if err != nil {
+		return "", err
+	}
+	if info.Mode()&os.ModeSymlink != os.ModeSymlink {
+		return path, nil
+	}
+	return filepath.EvalSymlinks(path)
+}
--- a/selinux_tag.sh
+++ b/selinux_tag.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+if pkg-config libselinux 2> /dev/null ; then
+	echo selinux
+fi
--- a/tests/basic.bats
+++ b/tests/basic.bats
@@ -95,6 +95,12 @@ load helpers
  cmp ${TESTDIR}/other-randomfile $yetanothernewroot/other-randomfile
  buildah delete $yetanothernewcid

+  newcid=$(buildah from new-image)
+  buildah commit --rm --signature-policy ${TESTSDIR}/policy.json $newcid containers-storage:remove-container-image
+  run buildah mount $newcid
+  [ "$status" -ne 0 ]
+
+  buildah rmi remove-container-image
  buildah rmi containers-storage:other-new-image
  buildah rmi another-new-image
  run buildah --debug=false images -q
@@ -104,5 +110,6 @@ load helpers
    buildah rmi $id
  done
  run buildah --debug=false images -q
+  [ "$status" -eq 0 ]
  [ "$output" == "" ]
 }
--- a/tests/bud.bats
+++ b/tests/bud.bats
@@ -9,6 +9,7 @@ load helpers
  buildah rm ${cid}
  buildah rmi $(buildah --debug=false images -q)
  run buildah --debug=false images -q
+  [ "$status" -eq 0 ]
  [ "$output" = "" ]
 }

@@ -24,6 +25,7 @@ load helpers
  buildah rm ${cid}
  buildah rmi $(buildah --debug=false images -q)
  run buildah --debug=false images -q
+  [ "$status" -eq 0 ]
  [ "$output" = "" ]

  target=alpine-image
@@ -37,6 +39,7 @@ load helpers
  buildah rm ${cid}
  buildah rmi $(buildah --debug=false images -q)
  run buildah --debug=false images -q
+  [ "$status" -eq 0 ]
  [ "$output" = "" ]
 }

@@ -52,6 +55,7 @@ load helpers
  buildah rm ${cid}
  buildah rmi $(buildah --debug=false images -q)
  run buildah --debug=false images -q
+  [ "$status" -eq 0 ]
  [ "$output" = "" ]

  target=alpine-image
@@ -65,6 +69,7 @@ load helpers
  buildah rm ${cid}
  buildah rmi $(buildah --debug=false images -q)
  run buildah --debug=false images -q
+  [ "$status" -eq 0 ]
  [ "$output" = "" ]
 }

@@ -81,11 +86,14 @@ load helpers
  run test -s $root/vol/subvol/subvolfile
  [ "$status" -ne 0 ]
  test -s $root/vol/volfile
+  test -s $root/vol/Dockerfile
+  test -s $root/vol/Dockerfile2
  run test -s $root/vol/anothervolfile
  [ "$status" -ne 0 ]
  buildah rm ${cid}
  buildah rmi $(buildah --debug=false images -q)
  run buildah --debug=false images -q
+  [ "$status" -eq 0 ]
  [ "$output" = "" ]
 }

@@ -98,6 +106,7 @@ load helpers
  buildah rm ${cid}
  buildah rmi $(buildah --debug=false images -q)
  run buildah --debug=false images -q
+  [ "$status" -eq 0 ]
  [ "$output" = "" ]
 }

@@ -110,6 +119,7 @@ load helpers
  buildah rm ${cid}
  buildah rmi $(buildah --debug=false images -q)
  run buildah --debug=false images -q
+  [ "$status" -eq 0 ]
  [ "$output" = "" ]
 }

@@ -122,6 +132,7 @@ load helpers
  buildah rm ${cid}
  buildah rmi $(buildah --debug=false images -q)
  run buildah --debug=false images -q
+  [ "$status" -eq 0 ]
  [ "$output" = "" ]
 }

@@ -134,6 +145,7 @@ load helpers
  buildah rm ${cid}
  buildah rmi $(buildah --debug=false images -q)
  run buildah --debug=false images -q
+  [ "$status" -eq 0 ]
  [ "$output" = "" ]
 }

@@ -153,6 +165,7 @@ load helpers
  buildah rm ${cid}
  buildah rmi $(buildah --debug=false images -q)
  run buildah --debug=false images -q
+  [ "$status" -eq 0 ]
  [ "$output" = "" ]
 }

@@ -166,6 +179,7 @@ load helpers
  buildah --debug=false images -q
  buildah rmi $(buildah --debug=false images -q)
  run buildah --debug=false images -q
+  [ "$status" -eq 0 ]
  [ "$output" = "" ]
 }

@@ -175,13 +189,50 @@ load helpers
  target3=so-many-scratch-images
  buildah bud --signature-policy ${TESTSDIR}/policy.json -t ${target} -t ${target2} -t ${target3} ${TESTSDIR}/bud/from-scratch
  run buildah --debug=false images
+  [ "$status" -eq 0 ]
  cid=$(buildah from ${target})
  buildah rm ${cid}
  cid=$(buildah from library/${target2})
  buildah rm ${cid}
  cid=$(buildah from ${target3}:latest)
  buildah rm ${cid}
-  buildah rmi $(buildah --debug=false images -q)
+  buildah rmi -f $(buildah --debug=false images -q)
  run buildah --debug=false images -q
+  [ "$status" -eq 0 ]
+  [ "$output" = "" ]
+}
+
+@test "bud-volume-perms" {
+  # This Dockerfile needs us to be able to handle a working RUN instruction.
+  if ! which runc ; then
+    skip
+  fi
+  target=volume-image
+  buildah bud --signature-policy ${TESTSDIR}/policy.json -t ${target} ${TESTSDIR}/bud/volume-perms
+  cid=$(buildah from ${target})
+  root=$(buildah mount ${cid})
+  run test -s $root/vol/subvol/subvolfile
+  [ "$status" -ne 0 ]
+  run stat -c %f $root/vol/subvol
+  [ "$status" -eq 0 ]
+  [ "$output" = 41ed ]
+  buildah rm ${cid}
+  buildah rmi $(buildah --debug=false images -q)
+  run buildah --debug=false images -q
+  [ "$status" -eq 0 ]
+  [ "$output" = "" ]
+}
+
+@test "bud-from-glob" {
+  target=alpine-image
+  buildah bud --signature-policy ${TESTSDIR}/policy.json -t ${target} -f Dockerfile2.glob ${TESTSDIR}/bud/from-multiple-files
+  cid=$(buildah from ${target})
+  root=$(buildah mount ${cid})
+  cmp $root/Dockerfile1.alpine ${TESTSDIR}/bud/from-multiple-files/Dockerfile1.alpine
+  cmp $root/Dockerfile2.withfrom ${TESTSDIR}/bud/from-multiple-files/Dockerfile2.withfrom
+  buildah rm ${cid}
+  buildah rmi $(buildah --debug=false images -q)
+  run buildah --debug=false images -q
+  [ "$status" -eq 0 ]
  [ "$output" = "" ]
 }
--- a/tests/bud/from-multiple-files/Dockerfile2.glob
+++ b/tests/bud/from-multiple-files/Dockerfile2.glob
@@ -0,0 +1,2 @@
+FROM alpine
+COPY Dockerfile* /
--- a/tests/bud/preserve-volumes/Dockerfile
+++ b/tests/bud/preserve-volumes/Dockerfile
@@ -14,3 +14,9 @@ VOLUME /vol/subvol
 RUN dd if=/dev/zero bs=512 count=1 of=/vol/anothervolfile
 # Which means that in the image we're about to commit, /vol/anothervolfile
 # shouldn't exist, either.
+
+# ADD files which should persist.
+ADD Dockerfile /vol/Dockerfile
+RUN stat /vol/Dockerfile
+ADD Dockerfile /vol/Dockerfile2
+RUN stat /vol/Dockerfile2
--- a/tests/bud/volume-perms/Dockerfile
+++ b/tests/bud/volume-perms/Dockerfile
@@ -0,0 +1,6 @@
+FROM alpine
+VOLUME /vol/subvol
+# At this point, the directory should exist, with default permissions 0755, the
+# contents below /vol/subvol should be frozen, and we shouldn't get an error
+# from trying to write to it because we it was created automatically.
+RUN dd if=/dev/zero bs=512 count=1 of=/vol/subvol/subvolfile
--- a/tests/copy.bats
+++ b/tests/copy.bats
@@ -21,6 +21,13 @@ load helpers
  buildah copy $cid ${TESTDIR}/randomfile
  buildah copy $cid ${TESTDIR}/other-randomfile ${TESTDIR}/third-randomfile ${TESTDIR}/randomfile /etc
  buildah rm $cid
+
+  cid=$(buildah from --pull --signature-policy ${TESTSDIR}/policy.json alpine)
+  root=$(buildah mount $cid)
+  buildah config --workingdir / $cid
+  buildah copy $cid "${TESTDIR}/*randomfile" /etc
+  (cd ${TESTDIR}; for i in *randomfile; do cmp $i ${root}/etc/$i; done)
+  buildah rm $cid
 }

@test "copy-local-plain" {
--- a/tests/formats.bats
+++ b/tests/formats.bats
@@ -3,7 +3,6 @@
 load helpers

@test "write-formats" {
-  buildimgtype
  cid=$(buildah from --pull=false --signature-policy ${TESTSDIR}/policy.json scratch)
  buildah commit --signature-policy ${TESTSDIR}/policy.json $cid scratch-image-default
  buildah commit --format dockerv2 --signature-policy ${TESTSDIR}/policy.json $cid scratch-image-docker
@@ -20,7 +19,6 @@ load helpers
 }

@test "bud-formats" {
-  buildimgtype
  buildah build-using-dockerfile --signature-policy ${TESTSDIR}/policy.json -t scratch-image-default -f bud/from-scratch/Dockerfile
  buildah build-using-dockerfile --format dockerv2 --signature-policy ${TESTSDIR}/policy.json -t scratch-image-docker -f bud/from-scratch/Dockerfile
  buildah build-using-dockerfile --format ociv1 --signature-policy ${TESTSDIR}/policy.json -t scratch-image-oci -f bud/from-scratch/Dockerfile
--- a/tests/from.bats
+++ b/tests/from.bats
@@ -0,0 +1,114 @@
+#!/usr/bin/env bats
+
+load helpers
+
+@test "commit-to-from-elsewhere" {
+  elsewhere=${TESTDIR}/elsewhere-img
+  mkdir -p ${elsewhere}
+
+  cid=$(buildah from --pull --signature-policy ${TESTSDIR}/policy.json scratch)
+  buildah commit --signature-policy ${TESTSDIR}/policy.json $cid dir:${elsewhere}
+  buildah rm $cid
+
+  cid=$(buildah from --pull --signature-policy ${TESTSDIR}/policy.json dir:${elsewhere})
+  buildah rm $cid
+  buildah rmi ${elsewhere}
+  [ "$cid" = elsewhere-img-working-container ]
+
+  cid=$(buildah from --pull-always --signature-policy ${TESTSDIR}/policy.json dir:${elsewhere})
+  buildah rm $cid
+  buildah rmi ${elsewhere}
+  [ "$cid" = `basename ${elsewhere}`-working-container ]
+
+  cid=$(buildah from --pull --signature-policy ${TESTSDIR}/policy.json scratch)
+  buildah commit --signature-policy ${TESTSDIR}/policy.json $cid dir:${elsewhere}
+  buildah rm $cid
+
+  cid=$(buildah from --pull --signature-policy ${TESTSDIR}/policy.json dir:${elsewhere})
+  buildah rm $cid
+  buildah rmi ${elsewhere}
+  [ "$cid" = elsewhere-img-working-container ]
+
+  cid=$(buildah from --pull-always --signature-policy ${TESTSDIR}/policy.json dir:${elsewhere})
+  buildah rm $cid
+  buildah rmi ${elsewhere}
+  [ "$cid" = `basename ${elsewhere}`-working-container ]
+}
+
+@test "from-authenticate-cert" {
+
+  mkdir -p ${TESTDIR}/auth
+  # Create certifcate via openssl
+  openssl req -newkey rsa:4096 -nodes -sha256 -keyout ${TESTDIR}/auth/domain.key -x509 -days 2 -out ${TESTDIR}/auth/domain.crt -subj "/C=US/ST=Foo/L=Bar/O=Red Hat, Inc./CN=localhost"
+  # Skopeo and buildah both require *.cert file
+  cp ${TESTDIR}/auth/domain.crt ${TESTDIR}/auth/domain.cert
+
+  # Create a private registry that uses certificate and creds file
+#  docker run -d -p 5000:5000 --name registry -v ${TESTDIR}/auth:${TESTDIR}/auth:Z -e REGISTRY_HTTP_TLS_CERTIFICATE=${TESTDIR}/auth/domain.crt -e REGISTRY_HTTP_TLS_KEY=${TESTDIR}/auth/domain.key registry:2
+
+  # When more buildah auth is in place convert the below.
+#  docker pull alpine
+#  docker tag alpine localhost:5000/my-alpine
+#  docker push localhost:5000/my-alpine
+
+#  ctrid=$(buildah from localhost:5000/my-alpine --cert-dir ${TESTDIR}/auth)
+#  buildah rm $ctrid
+#  buildah rmi -f $(buildah --debug=false images -q)
+
+  # This should work
+#  ctrid=$(buildah from localhost:5000/my-alpine --cert-dir ${TESTDIR}/auth  --tls-verify true)
+
+  rm -rf ${TESTDIR}/auth
+
+  # This should fail
+  run ctrid=$(buildah from localhost:5000/my-alpine --cert-dir ${TESTDIR}/auth  --tls-verify true)
+  [ "$status" -ne 0 ]
+
+  # Clean up
+#  docker rm -f $(docker ps --all -q)
+#  docker rmi -f localhost:5000/my-alpine
+#  docker rmi -f $(docker images -q)
+#  buildah rm $ctrid
+#  buildah rmi -f $(buildah --debug=false images -q)
+}
+
+@test "from-authenticate-cert-and-creds" {
+
+  mkdir -p  ${TESTDIR}/auth
+  # Create creds and store in ${TESTDIR}/auth/htpasswd
+#  docker run --entrypoint htpasswd registry:2 -Bbn testuser testpassword > ${TESTDIR}/auth/htpasswd
+  # Create certifcate via openssl
+  openssl req -newkey rsa:4096 -nodes -sha256 -keyout ${TESTDIR}/auth/domain.key -x509 -days 2 -out ${TESTDIR}/auth/domain.crt -subj "/C=US/ST=Foo/L=Bar/O=Red Hat, Inc./CN=localhost"
+  # Skopeo and buildah both require *.cert file
+  cp ${TESTDIR}/auth/domain.crt ${TESTDIR}/auth/domain.cert
+
+  # Create a private registry that uses certificate and creds file
+#  docker run -d -p 5000:5000 --name registry -v ${TESTDIR}/auth:${TESTDIR}/auth:Z -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=${TESTDIR}/auth/htpasswd -e REGISTRY_HTTP_TLS_CERTIFICATE=${TESTDIR}/auth/domain.crt -e REGISTRY_HTTP_TLS_KEY=${TESTDIR}/auth/domain.key registry:2
+
+  # When more buildah auth is in place convert the below.
+#  docker pull alpine
+#  docker login localhost:5000 --username testuser --password testpassword
+#  docker tag alpine localhost:5000/my-alpine
+#  docker push localhost:5000/my-alpine
+
+#  ctrid=$(buildah from localhost:5000/my-alpine --cert-dir ${TESTDIR}/auth)
+#  buildah rm $ctrid
+#  buildah rmi -f $(buildah --debug=false images -q)
+
+#  docker logout localhost:5000
+
+  # This should fail
+  run ctrid=$(buildah from localhost:5000/my-alpine --cert-dir ${TESTDIR}/auth  --tls-verify true)
+  [ "$status" -ne 0 ]
+
+  # This should work
+#  ctrid=$(buildah from localhost:5000/my-alpine --cert-dir ${TESTDIR}/auth  --tls-verify true --creds=testuser:testpassword)
+
+  # Clean up
+  rm -rf ${TESTDIR}/auth
+#  docker rm -f $(docker ps --all -q)
+#  docker rmi -f localhost:5000/my-alpine
+#  docker rmi -f $(docker images -q)
+#  buildah rm $ctrid
+#  buildah rmi -f $(buildah --debug=false images -q)
+}
--- a/tests/helpers.bash
+++ b/tests/helpers.bash
@@ -1,18 +1,16 @@
 #!/bin/bash

 BUILDAH_BINARY=${BUILDAH_BINARY:-$(dirname ${BASH_SOURCE})/../buildah}
+IMGTYPE_BINARY=${IMGTYPE_BINARY:-$(dirname ${BASH_SOURCE})/../imgtype}
 TESTSDIR=${TESTSDIR:-$(dirname ${BASH_SOURCE})}
+STORAGE_DRIVER=${STORAGE_DRIVER:-vfs}
+PATH=$(dirname ${BASH_SOURCE})/..:${PATH}

 function setup() {
-	suffix=$(dd if=/dev/urandom bs=12 count=1 status=none | base64 | tr +/ _.)
+	suffix=$(dd if=/dev/urandom bs=12 count=1 status=none | base64 | tr +/ABCDEFGHIJKLMNOPQRSTUVWXYZ _.abcdefghijklmnopqrstuvwxyz)
 	TESTDIR=${BATS_TMPDIR}/tmp.${suffix}
 	rm -fr ${TESTDIR}
 	mkdir -p ${TESTDIR}/{root,runroot}
-	REPO=${TESTDIR}/root
-}
-
-function buildimgtype() {
-	go build -tags "$(${TESTSDIR}/../btrfs_tag.sh; ${TESTSDIR}/../libdm_tag.sh)" -o imgtype ${TESTSDIR}/imgtype.go
 }

 function starthttpd() {
@@ -44,9 +42,9 @@ function createrandom() {
 }

 function buildah() {
-	${BUILDAH_BINARY} --debug --root ${TESTDIR}/root --runroot ${TESTDIR}/runroot --storage-driver vfs "$@"
+	${BUILDAH_BINARY} --debug --root ${TESTDIR}/root --runroot ${TESTDIR}/runroot --storage-driver ${STORAGE_DRIVER} "$@"
 }

 function imgtype() {
-        ./imgtype -root ${TESTDIR}/root -runroot ${TESTDIR}/runroot -storage-driver vfs "$@"
+        ${IMGTYPE_BINARY} -root ${TESTDIR}/root -runroot ${TESTDIR}/runroot -storage-driver ${STORAGE_DRIVER} "$@"
 }
--- a/tests/imgtype.go
+++ b/tests/imgtype.go
@@ -4,22 +4,28 @@ import (
 	"encoding/json"
 	"flag"
 	"fmt"
+	"os"
 	"strings"

-	"github.com/Sirupsen/logrus"
 	is "github.com/containers/image/storage"
 	"github.com/containers/image/types"
 	"github.com/containers/storage"
 	"github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/projectatomic/buildah"
 	"github.com/projectatomic/buildah/docker"
+	"github.com/sirupsen/logrus"
 )

 func main() {
+	if buildah.InitReexec() {
+		return
+	}
+
 	expectedManifestType := ""
 	expectedConfigType := ""

 	storeOptions := storage.DefaultStoreOptions
+	debug := flag.Bool("debug", false, "turn on debug logging")
 	root := flag.String("root", storeOptions.GraphRoot, "storage root directory")
 	runroot := flag.String("runroot", storeOptions.RunRoot, "storage runtime directory")
 	driver := flag.String("storage-driver", storeOptions.GraphDriverName, "storage driver")
@@ -29,6 +35,10 @@ func main() {
 	showm := flag.Bool("show-manifest", false, "output the manifest JSON")
 	showc := flag.Bool("show-config", false, "output the configuration JSON")
 	flag.Parse()
+	logrus.SetLevel(logrus.ErrorLevel)
+	if debug != nil && *debug {
+		logrus.SetLevel(logrus.DebugLevel)
+	}
 	switch *mtype {
 	case buildah.OCIv1ImageManifest:
 		expectedManifestType = *mtype
@@ -40,8 +50,9 @@ func main() {
 		expectedManifestType = ""
 		expectedConfigType = ""
 	default:
-		logrus.Fatalf("unknown -expected-manifest-type value, expected either %q or %q or %q",
+		logrus.Errorf("unknown -expected-manifest-type value, expected either %q or %q or %q",
 			buildah.OCIv1ImageManifest, buildah.Dockerv2ImageManifest, "*")
+		return
 	}
 	if root != nil {
 		storeOptions.GraphRoot = *root
@@ -65,10 +76,17 @@ func main() {
 	}
 	store, err := storage.GetStore(storeOptions)
 	if err != nil {
-		logrus.Fatalf("error opening storage: %v", err)
+		logrus.Errorf("error opening storage: %v", err)
+		return
 	}
-	defer store.Shutdown(false)

+	errors := false
+	defer func() {
+		store.Shutdown(false)
+		if errors {
+			os.Exit(1)
+		}
+	}()
 	for _, image := range args {
 		oImage := v1.Image{}
 		dImage := docker.V2Image{}
@@ -79,60 +97,74 @@ func main() {

 		ref, err := is.Transport.ParseStoreReference(store, image)
 		if err != nil {
-			logrus.Fatalf("error parsing reference %q: %v", image, err)
-		}
-
-		src, err := ref.NewImageSource(systemContext, []string{expectedManifestType})
-		if err != nil {
-			logrus.Fatalf("error opening source image %q: %v", image, err)
-		}
-		defer src.Close()
-
-		manifest, manifestType, err := src.GetManifest()
-		if err != nil {
-			logrus.Fatalf("error reading manifest from %q: %v", image, err)
+			logrus.Errorf("error parsing reference %q: %v", image, err)
+			errors = true
+			continue
 		}

 		img, err := ref.NewImage(systemContext)
 		if err != nil {
-			logrus.Fatalf("error opening image %q: %v", image, err)
+			logrus.Errorf("error opening image %q: %v", image, err)
+			errors = true
+			continue
 		}
 		defer img.Close()

 		config, err := img.ConfigBlob()
 		if err != nil {
-			logrus.Fatalf("error reading configuration from %q: %v", image, err)
+			logrus.Errorf("error reading configuration from %q: %v", image, err)
+			errors = true
+			continue
+		}
+
+		manifest, manifestType, err := img.Manifest()
+		if err != nil {
+			logrus.Errorf("error reading manifest from %q: %v", image, err)
+			errors = true
+			continue
 		}

 		switch expectedManifestType {
 		case buildah.OCIv1ImageManifest:
 			err = json.Unmarshal(manifest, &oManifest)
 			if err != nil {
-				logrus.Fatalf("error parsing manifest from %q: %v", image, err)
+				logrus.Errorf("error parsing manifest from %q: %v", image, err)
+				errors = true
+				continue
 			}
 			err = json.Unmarshal(config, &oImage)
 			if err != nil {
-				logrus.Fatalf("error parsing config from %q: %v", image, err)
+				logrus.Errorf("error parsing config from %q: %v", image, err)
+				errors = true
+				continue
 			}
 			manifestType = v1.MediaTypeImageManifest
 			configType = oManifest.Config.MediaType
 		case buildah.Dockerv2ImageManifest:
 			err = json.Unmarshal(manifest, &dManifest)
 			if err != nil {
-				logrus.Fatalf("error parsing manifest from %q: %v", image, err)
+				logrus.Errorf("error parsing manifest from %q: %v", image, err)
+				errors = true
+				continue
 			}
 			err = json.Unmarshal(config, &dImage)
 			if err != nil {
-				logrus.Fatalf("error parsing config from %q: %v", image, err)
+				logrus.Errorf("error parsing config from %q: %v", image, err)
+				errors = true
+				continue
 			}
 			manifestType = dManifest.MediaType
 			configType = dManifest.Config.MediaType
 		}
 		if expectedManifestType != "" && manifestType != expectedManifestType {
-			logrus.Fatalf("expected manifest type %q in %q, got %q", expectedManifestType, image, manifestType)
+			logrus.Errorf("expected manifest type %q in %q, got %q", expectedManifestType, image, manifestType)
+			errors = true
+			continue
 		}
 		if expectedConfigType != "" && configType != expectedConfigType {
-			logrus.Fatalf("expected config type %q in %q, got %q", expectedConfigType, image, configType)
+			logrus.Errorf("expected config type %q in %q, got %q", expectedConfigType, image, configType)
+			errors = true
+			continue
 		}
 		if showm != nil && *showm {
 			fmt.Println(string(manifest))
--- a/tests/push.bats
+++ b/tests/push.bats
@@ -18,3 +18,23 @@ load helpers
    buildah rm "$cid"
  done
 }
+
+@test "push with manifest type conversion" {
+  cid=$(buildah from --pull --signature-policy ${TESTSDIR}/policy.json alpine)
+  run buildah push --signature-policy ${TESTSDIR}/policy.json --format oci alpine dir:my-dir
+  echo "$output"
+  [ "$status" -eq 0 ]
+  manifest=$(cat my-dir/manifest.json)
+  run grep "application/vnd.oci.image.config.v1+json" <<< "$manifest"
+  echo "$output"
+  [ "$status" -eq 0 ]
+  run buildah push --signature-policy ${TESTSDIR}/policy.json --format v2s2 alpine dir:my-dir
+  echo "$output"
+  [ "$status" -eq 0 ]
+  run grep "application/vnd.docker.distribution.manifest.v2+json" my-dir/manifest.json
+  echo "$output"
+  [ "$status" -eq 0 ]
+  buildah rm "$cid"
+  buildah rmi alpine
+  rm -rf my-dir
+}
--- a/tests/rpm.bats
+++ b/tests/rpm.bats
@@ -0,0 +1,58 @@
+#!/usr/bin/env bats
+
+load helpers
+
+@test "rpm-build" {
+	if ! which runc ; then
+		skip
+	fi
+
+	# Build a container to use for building the binaries.
+	image=registry.fedoraproject.org/fedora:26
+	cid=$(buildah --debug=false from --pull --signature-policy ${TESTSDIR}/policy.json $image)
+	root=$(buildah --debug=false mount $cid)
+	commit=$(git log --format=%H -n 1)
+	shortcommit=$(echo ${commit} | cut -c-7)
+	mkdir -p ${root}/rpmbuild/{SOURCES,SPECS}
+
+	# Build the tarball.
+	(cd ..; git archive --format tar.gz --prefix=buildah-${commit}/ ${commit}) > ${root}/rpmbuild/SOURCES/buildah-${shortcommit}.tar.gz
+
+	# Update the .spec file with the commit ID.
+	sed s:REPLACEWITHCOMMITID:${commit}:g ${TESTSDIR}/../contrib/rpm/buildah.spec > ${root}/rpmbuild/SPECS/buildah.spec
+
+	# Install build dependencies and build binary packages.
+	buildah --debug=false run $cid -- dnf -y install 'dnf-command(builddep)' rpm-build
+	buildah --debug=false run $cid -- dnf -y builddep --spec rpmbuild/SPECS/buildah.spec
+	buildah --debug=false run $cid -- rpmbuild --define "_topdir /rpmbuild" -ba /rpmbuild/SPECS/buildah.spec
+
+	# Build a second new container.
+	cid2=$(buildah --debug=false from --pull --signature-policy ${TESTSDIR}/policy.json registry.fedoraproject.org/fedora:26)
+	root2=$(buildah --debug=false mount $cid2)
+
+	# Copy the binary packages from the first container to the second one, and build a list of
+	# their filenames relative to the root of the second container.
+	rpms=
+	mkdir -p ${root2}/packages
+	for rpm in ${root}/rpmbuild/RPMS/*/*.rpm ; do
+		cp $rpm ${root2}/packages/
+		rpms="$rpms "/packages/$(basename $rpm)
+	done
+
+	# Install the binary packages into the second container.
+	buildah --debug=false run $cid2 -- dnf -y install $rpms
+
+	# Run the binary package and compare its self-identified version to the one we tried to build.
+	id=$(buildah --debug=false run $cid2 -- buildah version | awk '/^Git Commit:/ { print $NF }')
+	bv=$(buildah --debug=false run $cid2 -- buildah version | awk '/^Version:/ { print $NF }')
+	rv=$(buildah --debug=false run $cid2 -- rpm -q --queryformat '%{version}' buildah)
+	echo "short commit: $shortcommit"
+	echo "id: $id"
+	echo "buildah version: $bv"
+	echo "buildah rpm version: $rv"
+	test $shortcommit = $id
+	test $bv = $rv
+
+	# Clean up.
+	buildah --debug=false rm $cid $cid2
+}
--- a/tests/run.bats
+++ b/tests/run.bats
@@ -6,23 +6,105 @@ load helpers
 	if ! which runc ; then
 		skip
 	fi
+	runc --version
 	createrandom ${TESTDIR}/randomfile
 	cid=$(buildah from --pull --signature-policy ${TESTSDIR}/policy.json alpine)
 	root=$(buildah mount $cid)
 	buildah config $cid --workingdir /tmp
 	run buildah --debug=false run $cid pwd
+	[ "$status" -eq 0 ]
 	[ "$output" = /tmp ]
 	buildah config $cid --workingdir /root
 	run buildah --debug=false run        $cid pwd
+	[ "$status" -eq 0 ]
 	[ "$output" = /root ]
 	cp ${TESTDIR}/randomfile $root/tmp/
 	buildah run        $cid cp /tmp/randomfile /tmp/other-randomfile
 	test -s $root/tmp/other-randomfile
 	cmp ${TESTDIR}/randomfile $root/tmp/other-randomfile
+
 	buildah unmount $cid
 	buildah rm $cid
 }

+@test "run--args" {
+	if ! which runc ; then
+		skip
+	fi
+	cid=$(buildah from --pull --signature-policy ${TESTSDIR}/policy.json alpine)
+
+	# This should fail, because buildah run doesn't have a -n flag.
+	run buildah --debug=false run $cid echo -n test
+	[ "$status" -ne 0 ]
+
+	# This should succeed, because buildah run stops caring at the --, which is preserved as part of the command.
+	run buildah --debug=false run $cid echo -- -n test
+	[ "$status" -eq 0 ]
+	echo :"$output":
+	[ "$output" = "-- -n test" ]
+
+	# This should succeed, because buildah run stops caring at the --, which is not part of the command.
+	run buildah --debug=false run $cid -- echo -n -- test
+	[ "$status" -eq 0 ]
+	echo :"$output":
+	[ "$output" = "-- test" ]
+
+	# This should succeed, because buildah run stops caring at the --.
+	run buildah --debug=false run $cid -- echo -- -n test --
+	[ "$status" -eq 0 ]
+	echo :"$output":
+	[ "$output" = "-- -n test --" ]
+
+	# This should succeed, because buildah run stops caring at the --.
+	run buildah --debug=false run $cid -- echo -n "test"
+	[ "$status" -eq 0 ]
+	echo :"$output":
+	[ "$output" = "test" ]
+
+	buildah rm $cid
+}
+
+@test "run-cmd" {
+	if ! which runc ; then
+		skip
+	fi
+	cid=$(buildah from --pull --signature-policy ${TESTSDIR}/policy.json alpine)
+	buildah config $cid --workingdir /tmp
+
+	buildah config $cid --entrypoint ""
+	buildah config $cid --cmd pwd
+	run buildah --debug=false run $cid
+	[ "$status" -eq 0 ]
+	[ "$output" = /tmp ]
+
+	buildah config $cid --entrypoint echo
+	run buildah --debug=false run $cid
+	[ "$status" -eq 0 ]
+	[ "$output" = pwd ]
+
+	buildah config $cid --cmd ""
+	run buildah --debug=false run $cid
+	[ "$status" -eq 0 ]
+	[ "$output" = "" ]
+
+	buildah config $cid --entrypoint ""
+	run buildah --debug=false run $cid echo that-other-thing
+	[ "$status" -eq 0 ]
+	[ "$output" = that-other-thing ]
+
+	buildah config $cid --cmd echo
+	run buildah --debug=false run $cid echo that-other-thing
+	[ "$status" -eq 0 ]
+	[ "$output" = that-other-thing ]
+
+	buildah config $cid --entrypoint echo
+	run buildah --debug=false run $cid echo that-other-thing
+	[ "$status" -eq 0 ]
+	[ "$output" = that-other-thing ]
+
+	buildah rm $cid
+}
+
@test "run-user" {
 	if ! which runc ; then
 		skip
@@ -36,8 +118,10 @@ load helpers
 	root=$(buildah mount $cid)

 	testuser=jimbo
+	testbogususer=nosuchuser
 	testgroup=jimbogroup
 	testuid=$RANDOM
+	testotheruid=$RANDOM
 	testgid=$RANDOM
 	testgroupid=$RANDOM
 	echo "$testuser:x:$testuid:$testgid:Jimbo Jenkins:/home/$testuser:/bin/sh" >> $root/etc/passwd
@@ -46,52 +130,116 @@ load helpers
 	buildah config $cid -u ""
 	buildah run -- $cid id
 	run buildah --debug=false run -- $cid id -u
+	[ "$status" -eq 0 ]
 	[ "$output" = 0 ]
 	run buildah --debug=false run -- $cid id -g
+	[ "$status" -eq 0 ]
 	[ "$output" = 0 ]

 	buildah config $cid -u ${testuser}
 	buildah run -- $cid id
 	run buildah --debug=false run -- $cid id -u
+	[ "$status" -eq 0 ]
 	[ "$output" = $testuid ]
 	run buildah --debug=false run -- $cid id -g
+	[ "$status" -eq 0 ]
 	[ "$output" = $testgid ]

 	buildah config $cid -u ${testuid}
 	buildah run -- $cid id
 	run buildah --debug=false run -- $cid id -u
+	[ "$status" -eq 0 ]
 	[ "$output" = $testuid ]
 	run buildah --debug=false run -- $cid id -g
+	[ "$status" -eq 0 ]
 	[ "$output" = $testgid ]

 	buildah config $cid -u ${testuser}:${testgroup}
 	buildah run -- $cid id
 	run buildah --debug=false run -- $cid id -u
+	[ "$status" -eq 0 ]
 	[ "$output" = $testuid ]
 	run buildah --debug=false run -- $cid id -g
+	[ "$status" -eq 0 ]
 	[ "$output" = $testgroupid ]

 	buildah config $cid -u ${testuid}:${testgroup}
 	buildah run -- $cid id
 	run buildah --debug=false run -- $cid id -u
+	[ "$status" -eq 0 ]
 	[ "$output" = $testuid ]
 	run buildah --debug=false run -- $cid id -g
+	[ "$status" -eq 0 ]
 	[ "$output" = $testgroupid ]

+	buildah config $cid -u ${testotheruid}:${testgroup}
+	buildah run -- $cid id
+	run buildah --debug=false run -- $cid id -u
+	[ "$status" -eq 0 ]
+	[ "$output" = $testotheruid ]
+	run buildah --debug=false run -- $cid id -g
+	[ "$status" -eq 0 ]
+	[ "$output" = $testgroupid ]
+
+	buildah config $cid -u ${testotheruid}
+	buildah run -- $cid id
+	run buildah --debug=false run -- $cid id -u
+	[ "$status" -eq 0 ]
+	[ "$output" = $testotheruid ]
+	run buildah --debug=false run -- $cid id -g
+	[ "$status" -eq 0 ]
+	[ "$output" = 0 ]
+
 	buildah config $cid -u ${testuser}:${testgroupid}
 	buildah run -- $cid id
 	run buildah --debug=false run -- $cid id -u
+	[ "$status" -eq 0 ]
 	[ "$output" = $testuid ]
 	run buildah --debug=false run -- $cid id -g
+	[ "$status" -eq 0 ]
 	[ "$output" = $testgroupid ]

 	buildah config $cid -u ${testuid}:${testgroupid}
 	buildah run -- $cid id
 	run buildah --debug=false run -- $cid id -u
+	[ "$status" -eq 0 ]
 	[ "$output" = $testuid ]
 	run buildah --debug=false run -- $cid id -g
+	[ "$status" -eq 0 ]
 	[ "$output" = $testgroupid ]

+	buildah config $cid -u ${testbogususer}
+	run buildah --debug=false run -- $cid id -u
+	[ "$status" -ne 0 ]
+	[[ "$output" =~ "unknown user" ]]
+	run buildah --debug=false run -- $cid id -g
+	[ "$status" -ne 0 ]
+	[[ "$output" =~ "unknown user" ]]
+
+	ln -vsf /etc/passwd $root/etc/passwd
+	buildah config $cid -u ${testuser}:${testgroup}
+	run buildah --debug=false run -- $cid id -u
+	echo "$output"
+	[ "$status" -ne 0 ]
+	[[ "$output" =~ "unknown user" ]]
+
 	buildah unmount $cid
 	buildah rm $cid
 }
+
+@test "run --hostname" {
+	if ! which runc ; then
+		skip
+	fi
+	runc --version
+	cid=$(buildah from --pull --signature-policy ${TESTSDIR}/policy.json alpine)
+	run buildah --debug=false run $cid hostname
+	echo "$output"
+	[ "$status" -eq 0 ]
+	[ "$output" != "foobar" ]
+	run buildah --debug=false run --hostname foobar $cid hostname
+	echo "$output"
+	[ "$status" -eq 0 ]
+	[ "$output" = "foobar" ]
+	buildah rm $cid
+}
--- a/tests/secrets.bats
+++ b/tests/secrets.bats
@@ -0,0 +1,33 @@
+#!/usr/bin/env bats
+
+load helpers
+
+function setup() {
+    mkdir $TESTSDIR/containers
+    touch $TESTSDIR/mounts.conf
+    MOUNTS_PATH=$TESTSDIR/containers/mounts.conf
+    echo "$TESTSDIR/rhel/secrets:/run/secrets" > $MOUNTS_PATH
+
+    mkdir $TESTSDIR/rhel
+    mkdir $TESTSDIR/rhel/secrets
+    touch $TESTSDIR/rhel/secrets/test.txt
+    echo "Testing secrets mounts. I am mounted!" > $TESTSDIR/rhel/secrets/test.txt
+}
+
+@test "bind secrets mounts to container" {
+    if ! which runc ; then
+		skip
+    fi
+    runc --version
+    cid=$(buildah --default-mounts-file "$MOUNTS_PATH" --debug=false from --pull --signature-policy ${TESTSDIR}/policy.json alpine)
+    run buildah --debug=false run $cid ls /run
+    echo "$output"
+    [ "$status" -eq 0 ]
+    mounts="$output"
+    run grep "secrets" <<< "$mounts"
+    echo "$output"
+    [ "$status" -eq 0 ]
+    buildah rm $cid
+    rm -rf $TESTSDIR/containers
+    rm -rf $TESTSDIR/rhel
+}
--- a/tests/selinux.bats
+++ b/tests/selinux.bats
@@ -0,0 +1,26 @@
+#!/usr/bin/env bats
+
+load helpers
+
+@test "selinux test" {
+  if ! which selinuxenabled ; then
+    skip "No selinuxenabled"
+   elif ! /usr/sbin/selinuxenabled; then
+     skip "selinux is disabled"
+  fi
+  image=alpine
+  cid=$(buildah from --pull --signature-policy ${TESTSDIR}/policy.json $image)
+  firstlabel=$(buildah --debug=false run $cid cat /proc/1/attr/current)
+  run buildah --debug=false run $cid cat /proc/1/attr/current
+  [ "$status" -eq 0 ]
+  [ "$output" == $firstlabel ]
+
+  cid1=$(buildah from --pull --signature-policy ${TESTSDIR}/policy.json $image)
+  run buildah --debug=false run $cid1 cat /proc/1/attr/current
+  [ "$status" -eq 0 ]
+  [ "$output" != $firstlabel ]
+
+  buildah rm $cid
+  buildah rm $cid1
+}
+
--- a/tests/test_buildah_authentication.sh
+++ b/tests/test_buildah_authentication.sh
@@ -0,0 +1,181 @@
+#!/bin/bash
+# test_buildah_authentication
+# A script to be run at the command line with Buildah installed.
+# This will test the code and should be run with this command:
+#
+# /bin/bash -v test_buildah_authentication.sh
+
+########
+# Create creds and store in /root/auth/htpasswd
+########
+registry=$(buildah from registry:2)
+buildah run $registry -- htpasswd -Bbn testuser testpassword > /root/auth/htpasswd
+
+########
+# Create certificate via openssl
+########
+openssl req -newkey rsa:4096 -nodes -sha256 -keyout /root/auth/domain.key -x509 -days 2 -out /root/auth/domain.crt -subj "/C=US/ST=Foo/L=Bar/O=Red Hat, Inc./CN=localhost"
+
+########
+# Skopeo and buildah both require *.cert file
+########
+cp /root/auth/domain.crt /root/auth/domain.cert
+
+########
+# Create a private registry that uses certificate and creds file
+########
+docker run -d -p 5000:5000 --name registry -v /root/auth:/root/auth:Z -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/root/auth/htpasswd -e REGISTRY_HTTP_TLS_CERTIFICATE=/root/auth/domain.crt -e REGISTRY_HTTP_TLS_KEY=/root/auth/domain.key registry:2
+
+########
+# Pull alpine
+########
+buildah from alpine
+
+buildah containers
+
+buildah images
+
+########
+# Log into docker on local repo
+########
+docker login localhost:5000 --username testuser --password testpassword
+
+########
+# Push to the local repo using cached Docker creds.
+########
+buildah push --cert-dir /root/auth alpine docker://localhost:5000/my-alpine
+
+########
+# Show stuff
+########
+docker ps --all
+
+docker images
+
+buildah containers
+
+buildah images
+
+########
+# Buildah pulls using certs and cached Docker creds.
+# Should show two alpine images and containers when done.
+########
+ctrid=$(buildah from localhost:5000/my-alpine --cert-dir /root/auth)
+
+buildah containers
+
+buildah images
+
+########
+# Clean up Buildah
+########
+buildah rm $ctrid
+buildah rmi -f localhost:5000/my-alpine:latest
+
+########
+# Show stuff
+########
+docker ps --all
+
+docker images
+
+buildah containers
+
+buildah images
+
+########
+# Log out of local repo
+########
+docker logout localhost:5000
+
+########
+# Push using only certs, this should fail.
+########
+buildah push --cert-dir /root/auth --tls-verify=true alpine docker://localhost:5000/my-alpine
+
+########
+# Push using creds, certs and no transport, this should work.
+########
+buildah push --cert-dir ~/auth --tls-verify=true --creds=testuser:testpassword alpine localhost:5000/my-alpine
+
+########
+# No creds anywhere, only the certificate, this should fail.
+########
+buildah from localhost:5000/my-alpine --cert-dir /root/auth  --tls-verify=true
+
+########
+# Log in with creds, this should work
+########
+ctrid=$(buildah from localhost:5000/my-alpine --cert-dir /root/auth  --tls-verify=true --creds=testuser:testpassword)
+
+########
+# Show stuff
+########
+docker ps --all
+
+docker images
+
+buildah containers
+
+buildah images
+
+########
+# Clean up Buildah
+########
+buildah rm $ctrid
+buildah rmi -f $(buildah --debug=false images -q)
+
+########
+# Pull alpine
+########
+buildah from alpine
+
+########
+# Show stuff
+########
+docker ps --all
+
+docker images
+
+buildah containers
+
+buildah images
+
+########
+# Let's test commit
+########
+
+########
+# No credentials, this should fail.
+########
+buildah commit --cert-dir /root/auth  --tls-verify=true alpine-working-container docker://localhost:5000/my-commit-alpine
+
+########
+# This should work, writing image in registry.  Will not create an image locally.
+########
+buildah commit --cert-dir /root/auth  --tls-verify=true --creds=testuser:testpassword  alpine-working-container docker://localhost:5000/my-commit-alpine
+
+########
+# Pull the new image that we just commited
+########
+buildah from localhost:5000/my-commit-alpine --cert-dir /root/auth  --tls-verify=true --creds=testuser:testpassword
+
+########
+# Show stuff
+########
+docker ps --all
+
+docker images
+
+buildah containers
+
+buildah images
+
+########
+# Clean up
+########
+rm -rf ${TESTDIR}/auth
+docker rm -f $(docker ps --all -q)
+docker rmi -f $(docker images -q)
+buildah rm $(buildah containers -q)
+buildah rmi -f $(buildah --debug=false images -q)
--- a/tests/test_runner.sh
+++ b/tests/test_runner.sh
@@ -3,6 +3,10 @@ set -e

 cd "$(dirname "$(readlink -f "$BASH_SOURCE")")"

+# Default to using /var/tmp for test space, since it's more likely to support
+# labels than /tmp, which is often on tmpfs.
+export TMPDIR=${TMPDIR:-/var/tmp}
+
 # Load the helpers.
 . helpers.bash

--- a/tests/validate/gometalinter.sh
+++ b/tests/validate/gometalinter.sh
@@ -8,6 +8,7 @@ if ! which gometalinter.v1 > /dev/null 2> /dev/null ; then
 	exit 1
 fi
 exec gometalinter.v1 \
+	--enable-gc \
 	--exclude='error return value not checked.*(Close|Log|Print).*\(errcheck\)$' \
 	--exclude='.*_test\.go:.*error return value not checked.*\(errcheck\)$' \
 	--exclude='duplicate of.*_test.go.*\(dupl\)$' \
@@ -16,5 +17,5 @@ exec gometalinter.v1 \
 	--disable=gas \
 	--disable=aligncheck \
 	--cyclo-over=40 \
-	--deadline=240s \
+	--deadline=480s \
 	--tests "$@"
--- a/tests/version.bats
+++ b/tests/version.bats
@@ -0,0 +1,17 @@
+#!/usr/bin/env bats
+
+load helpers
+
+@test "buildah version test" {
+	run buildah version
+	echo "$output"
+	[ "$status" -eq 0 ]
+}
+
+@test "buildah version up to date in .spec file" {
+	run buildah version
+	[ "$status" -eq 0 ]
+	bversion=$(echo "$output" | awk '/^Version:/ { print $NF }')
+	rversion=$(cat ${TESTSDIR}/../contrib/rpm/buildah.spec | awk '/^Version:/ { print $NF }')
+	test "$bversion" = "$rversion"
+}
--- a/user.go
+++ b/user.go
@@ -26,39 +26,34 @@ func getUser(rootdir, userspec string) (specs.User, error) {
 	uid64, uerr := strconv.ParseUint(userspec, 10, 32)
 	if uerr == nil && groupspec == "" {
 		// We parsed the user name as a number, and there's no group
-		// component, so we need to look up the user's primary GID.
+		// component, so try to look up the primary GID of the user who
+		// has this UID.
 		var name string
 		name, gid64, gerr = lookupGroupForUIDInContainer(rootdir, uid64)
 		if gerr == nil {
 			userspec = name
 		} else {
-			if userrec, err := user.LookupId(userspec); err == nil {
-				gid64, gerr = strconv.ParseUint(userrec.Gid, 10, 32)
-				userspec = userrec.Name
-			}
+			// Leave userspec alone, but swallow the error and just
+			// use GID 0.
+			gid64 = 0
+			gerr = nil
 		}
 	}
 	if uerr != nil {
+		// The user ID couldn't be parsed as a number, so try to look
+		// up the user's UID and primary GID.
 		uid64, gid64, uerr = lookupUserInContainer(rootdir, userspec)
 		gerr = uerr
 	}
-	if uerr != nil {
-		if userrec, err := user.Lookup(userspec); err == nil {
-			uid64, uerr = strconv.ParseUint(userrec.Uid, 10, 32)
-			gid64, gerr = strconv.ParseUint(userrec.Gid, 10, 32)
-		}
-	}

 	if groupspec != "" {
+		// We have a group name or number, so parse it.
 		gid64, gerr = strconv.ParseUint(groupspec, 10, 32)
 		if gerr != nil {
+			// The group couldn't be parsed as a number, so look up
+			// the group's GID.
 			gid64, gerr = lookupGroupInContainer(rootdir, groupspec)
 		}
-		if gerr != nil {
-			if group, err := user.LookupGroup(groupspec); err == nil {
-				gid64, gerr = strconv.ParseUint(group.Gid, 10, 32)
-			}
-		}
 	}

 	if uerr == nil && gerr == nil {
--- a/user_basic.go
+++ b/user_basic.go
@@ -1,4 +1,4 @@
-// +build !cgo !linux
+// +build !linux

 package buildah

--- a/user_linux.go
+++ b/user_linux.go
@@ -0,0 +1,235 @@
+// +build linux
+
+package buildah
+
+import (
+	"bufio"
+	"flag"
+	"fmt"
+	"io"
+	"os"
+	"os/exec"
+	"os/user"
+	"strconv"
+	"strings"
+	"sync"
+
+	"github.com/containers/storage/pkg/reexec"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
+)
+
+const (
+	openChrootedCommand = Package + "-open"
+)
+
+func init() {
+	reexec.Register(openChrootedCommand, openChrootedFileMain)
+}
+
+func openChrootedFileMain() {
+	status := 0
+	flag.Parse()
+	if len(flag.Args()) < 1 {
+		os.Exit(1)
+	}
+	// Our first parameter is the directory to chroot into.
+	if err := unix.Chdir(flag.Arg(0)); err != nil {
+		fmt.Fprintf(os.Stderr, "chdir(): %v", err)
+		os.Exit(1)
+	}
+	if err := unix.Chroot(flag.Arg(0)); err != nil {
+		fmt.Fprintf(os.Stderr, "chroot(): %v", err)
+		os.Exit(1)
+	}
+	// Anything else is a file we want to dump out.
+	for _, filename := range flag.Args()[1:] {
+		f, err := os.Open(filename)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "open(%q): %v", filename, err)
+			status = 1
+			continue
+		}
+		_, err = io.Copy(os.Stdout, f)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "read(%q): %v", filename, err)
+		}
+		f.Close()
+	}
+	os.Exit(status)
+}
+
+func openChrootedFile(rootdir, filename string) (*exec.Cmd, io.ReadCloser, error) {
+	// The child process expects a chroot and one or more filenames that
+	// will be consulted relative to the chroot directory and concatenated
+	// to its stdout.  Start it up.
+	cmd := reexec.Command(openChrootedCommand, rootdir, filename)
+	stdout, err := cmd.StdoutPipe()
+	if err != nil {
+		return nil, nil, err
+	}
+	err = cmd.Start()
+	if err != nil {
+		return nil, nil, err
+	}
+	// Hand back the child's stdout for reading, and the child to reap.
+	return cmd, stdout, nil
+}
+
+var (
+	lookupUser, lookupGroup sync.Mutex
+)
+
+type lookupPasswdEntry struct {
+	name string
+	uid  uint64
+	gid  uint64
+}
+type lookupGroupEntry struct {
+	name string
+	gid  uint64
+}
+
+func readWholeLine(rc *bufio.Reader) ([]byte, error) {
+	line, isPrefix, err := rc.ReadLine()
+	if err != nil {
+		return nil, err
+	}
+	for isPrefix {
+		// We didn't get a whole line.  Keep reading chunks until we find an end of line, and discard them.
+		for isPrefix {
+			logrus.Debugf("discarding partial line %q", string(line))
+			_, isPrefix, err = rc.ReadLine()
+			if err != nil {
+				return nil, err
+			}
+		}
+		// That last read was the end of a line, so now we try to read the (beginning of?) the next line.
+		line, isPrefix, err = rc.ReadLine()
+		if err != nil {
+			return nil, err
+		}
+	}
+	return line, nil
+}
+
+func parseNextPasswd(rc *bufio.Reader) *lookupPasswdEntry {
+	line, err := readWholeLine(rc)
+	if err != nil {
+		return nil
+	}
+	fields := strings.Split(string(line), ":")
+	if len(fields) < 7 {
+		return nil
+	}
+	uid, err := strconv.ParseUint(fields[2], 10, 32)
+	if err != nil {
+		return nil
+	}
+	gid, err := strconv.ParseUint(fields[3], 10, 32)
+	if err != nil {
+		return nil
+	}
+	return &lookupPasswdEntry{
+		name: fields[0],
+		uid:  uid,
+		gid:  gid,
+	}
+}
+
+func parseNextGroup(rc *bufio.Reader) *lookupGroupEntry {
+	line, err := readWholeLine(rc)
+	if err != nil {
+		return nil
+	}
+	fields := strings.Split(string(line), ":")
+	if len(fields) < 4 {
+		return nil
+	}
+	gid, err := strconv.ParseUint(fields[2], 10, 32)
+	if err != nil {
+		return nil
+	}
+	return &lookupGroupEntry{
+		name: fields[0],
+		gid:  gid,
+	}
+}
+
+func lookupUserInContainer(rootdir, username string) (uid uint64, gid uint64, err error) {
+	cmd, f, err := openChrootedFile(rootdir, "/etc/passwd")
+	if err != nil {
+		return 0, 0, err
+	}
+	defer func() {
+		_ = cmd.Wait()
+	}()
+	rc := bufio.NewReader(f)
+	defer f.Close()
+
+	lookupUser.Lock()
+	defer lookupUser.Unlock()
+
+	pwd := parseNextPasswd(rc)
+	for pwd != nil {
+		if pwd.name != username {
+			pwd = parseNextPasswd(rc)
+			continue
+		}
+		return pwd.uid, pwd.gid, nil
+	}
+
+	return 0, 0, user.UnknownUserError(fmt.Sprintf("error looking up user %q", username))
+}
+
+func lookupGroupForUIDInContainer(rootdir string, userid uint64) (username string, gid uint64, err error) {
+	cmd, f, err := openChrootedFile(rootdir, "/etc/passwd")
+	if err != nil {
+		return "", 0, err
+	}
+	defer func() {
+		_ = cmd.Wait()
+	}()
+	rc := bufio.NewReader(f)
+	defer f.Close()
+
+	lookupUser.Lock()
+	defer lookupUser.Unlock()
+
+	pwd := parseNextPasswd(rc)
+	for pwd != nil {
+		if pwd.uid != userid {
+			pwd = parseNextPasswd(rc)
+			continue
+		}
+		return pwd.name, pwd.gid, nil
+	}
+
+	return "", 0, user.UnknownUserError(fmt.Sprintf("error looking up user with UID %d", userid))
+}
+
+func lookupGroupInContainer(rootdir, groupname string) (gid uint64, err error) {
+	cmd, f, err := openChrootedFile(rootdir, "/etc/group")
+	if err != nil {
+		return 0, err
+	}
+	defer func() {
+		_ = cmd.Wait()
+	}()
+	rc := bufio.NewReader(f)
+	defer f.Close()
+
+	lookupGroup.Lock()
+	defer lookupGroup.Unlock()
+
+	grp := parseNextGroup(rc)
+	for grp != nil {
+		if grp.name != groupname {
+			grp = parseNextGroup(rc)
+			continue
+		}
+		return grp.gid, nil
+	}
+
+	return 0, user.UnknownGroupError(fmt.Sprintf("error looking up group %q", groupname))
+}
--- a/user_unix_cgo.go
+++ b/user_unix_cgo.go
@@ -1,124 +0,0 @@
-// +build cgo
-// +build linux
-
-package buildah
-
-// #include <sys/types.h>
-// #include <grp.h>
-// #include <pwd.h>
-// #include <stdlib.h>
-// #include <stdio.h>
-// #include <string.h>
-// typedef FILE * pFILE;
-import "C"
-
-import (
-	"fmt"
-	"os/user"
-	"path/filepath"
-	"sync"
-	"syscall"
-	"unsafe"
-
-	"github.com/pkg/errors"
-)
-
-func fopenContainerFile(rootdir, filename string) (C.pFILE, error) {
-	var st, lst syscall.Stat_t
-
-	ctrfile := filepath.Join(rootdir, filename)
-	cctrfile := C.CString(ctrfile)
-	defer C.free(unsafe.Pointer(cctrfile))
-	mode := C.CString("r")
-	defer C.free(unsafe.Pointer(mode))
-	f, err := C.fopen(cctrfile, mode)
-	if f == nil || err != nil {
-		return nil, errors.Wrapf(err, "error opening %q", ctrfile)
-	}
-	if err = syscall.Fstat(int(C.fileno(f)), &st); err != nil {
-		return nil, errors.Wrapf(err, "fstat(%q)", ctrfile)
-	}
-	if err = syscall.Lstat(ctrfile, &lst); err != nil {
-		return nil, errors.Wrapf(err, "lstat(%q)", ctrfile)
-	}
-	if st.Dev != lst.Dev || st.Ino != lst.Ino {
-		return nil, errors.Errorf("%q is not a regular file", ctrfile)
-	}
-	return f, nil
-}
-
-var (
-	lookupUser, lookupGroup sync.Mutex
-)
-
-func lookupUserInContainer(rootdir, username string) (uint64, uint64, error) {
-	name := C.CString(username)
-	defer C.free(unsafe.Pointer(name))
-
-	f, err := fopenContainerFile(rootdir, "/etc/passwd")
-	if err != nil {
-		return 0, 0, err
-	}
-	defer C.fclose(f)
-
-	lookupUser.Lock()
-	defer lookupUser.Unlock()
-
-	pwd := C.fgetpwent(f)
-	for pwd != nil {
-		if C.strcmp(pwd.pw_name, name) != 0 {
-			pwd = C.fgetpwent(f)
-			continue
-		}
-		return uint64(pwd.pw_uid), uint64(pwd.pw_gid), nil
-	}
-
-	return 0, 0, user.UnknownUserError(fmt.Sprintf("error looking up user %q", username))
-}
-
-func lookupGroupForUIDInContainer(rootdir string, userid uint64) (string, uint64, error) {
-	f, err := fopenContainerFile(rootdir, "/etc/passwd")
-	if err != nil {
-		return "", 0, err
-	}
-	defer C.fclose(f)
-
-	lookupUser.Lock()
-	defer lookupUser.Unlock()
-
-	pwd := C.fgetpwent(f)
-	for pwd != nil {
-		if uint64(pwd.pw_uid) != userid {
-			pwd = C.fgetpwent(f)
-			continue
-		}
-		return C.GoString(pwd.pw_name), uint64(pwd.pw_gid), nil
-	}
-
-	return "", 0, user.UnknownUserError(fmt.Sprintf("error looking up user with UID %d", userid))
-}
-
-func lookupGroupInContainer(rootdir, groupname string) (uint64, error) {
-	name := C.CString(groupname)
-	defer C.free(unsafe.Pointer(name))
-
-	f, err := fopenContainerFile(rootdir, "/etc/group")
-	if err != nil {
-		return 0, err
-	}
-	defer C.fclose(f)
-
-	lookupGroup.Lock()
-	defer lookupGroup.Unlock()
-
-	grp := C.fgetgrent(f)
-	for grp != nil {
-		if C.strcmp(grp.gr_name, name) != 0 {
-			grp = C.fgetgrent(f)
-			continue
-		}
-		return uint64(grp.gr_gid), nil
-	}
-
-	return 0, user.UnknownGroupError(fmt.Sprintf("error looking up group %q", groupname))
-}
--- a/util.go
+++ b/util.go
@@ -1,9 +1,17 @@
 package buildah

 import (
+	"github.com/containers/storage/pkg/chrootarchive"
 	"github.com/containers/storage/pkg/reexec"
 )

+var (
+	// CopyWithTar defines the copy method to use.
+	copyWithTar     = chrootarchive.NewArchiver(nil).CopyWithTar
+	copyFileWithTar = chrootarchive.NewArchiver(nil).CopyFileWithTar
+	untarPath       = chrootarchive.NewArchiver(nil).UntarPath
+)
+
 // InitReexec is a wrapper for reexec.Init().  It should be called at
 // the start of main(), and if it returns true, main() should return
 // immediately.
--- a/vendor.conf
+++ b/vendor.conf
@@ -1,14 +1,15 @@
 github.com/BurntSushi/toml master
 github.com/Nvveen/Gotty master
 github.com/blang/semver master
-github.com/containers/image master
-github.com/containers/storage master
-github.com/docker/distribution master
-github.com/docker/docker 0f9ec7e47072b0c2e954b5b821bde5c1fe81bfa7
+github.com/containers/image f950aa3529148eb0dea90888c24b6682da641b13
+github.com/containers/storage d7921c6facc516358070a1306689eda18adaa20a
+github.com/docker/distribution 5f6282db7d65e6d72ad7c2cc66310724a57be716
+github.com/docker/docker 30eb4d8cdc422b023d5f11f29a82ecb73554183b
 github.com/docker/engine-api master
-github.com/docker/go-connections e15c02316c12de00874640cd76311849de2aeed5
-github.com/docker/go-units master
-github.com/docker/libtrust master
+github.com/docker/go-connections 3ede32e2033de7505e6500d6c868c2b9ed9f169d
+github.com/docker/go-units 0dadbb0345b35ec7ef35e228dabb8de89a65bf52
+github.com/docker/docker-credential-helpers d68f9aeca33f5fd3f08eeae5e9d175edf4e731d1
+github.com/docker/libtrust aabc10ec26b754e797f9028f4589c5b7bd90dc20
 github.com/fsouza/go-dockerclient master
 github.com/ghodss/yaml master
 github.com/golang/glog master
@@ -19,22 +20,23 @@ github.com/imdario/mergo master
 github.com/mattn/go-runewidth master
 github.com/mattn/go-shellwords master
 github.com/mistifyio/go-zfs master
-github.com/moby/moby 0f9ec7e47072b0c2e954b5b821bde5c1fe81bfa7
+github.com/moby/moby f8806b18b4b92c5e1980f6e11c917fad201cd73c
 github.com/mtrmac/gpgme master
 github.com/opencontainers/go-digest aa2ec055abd10d26d539eb630a92241b781ce4bc
-github.com/opencontainers/image-spec v1.0.0-rc5
+github.com/opencontainers/image-spec v1.0.0
 github.com/opencontainers/runc master
-github.com/opencontainers/runtime-spec v1.0.0-rc5
-github.com/opencontainers/runtime-tools 8addcc695096a0fc61010af8766952546bba7cd0
-github.com/opencontainers/selinux ba1aefe8057f1d0cfb8e88d0ec1dc85925ef987d
+github.com/opencontainers/runtime-spec v1.0.0
+github.com/opencontainers/runtime-tools master
+github.com/opencontainers/selinux b29023b86e4a69d1b46b7e7b4e2b6fda03f0b9cd
 github.com/openshift/imagebuilder master
+github.com/ostreedev/ostree-go aeb02c6b6aa2889db3ef62f7855650755befd460
 github.com/pborman/uuid master
 github.com/pkg/errors master
-github.com/Sirupsen/logrus master
+github.com/sirupsen/logrus master
 github.com/syndtr/gocapability master
 github.com/tchap/go-patricia master
 github.com/urfave/cli master
-github.com/vbatts/tar-split master
+github.com/vbatts/tar-split v0.10.2
 golang.org/x/crypto master
 golang.org/x/net master
 golang.org/x/sys master
@@ -44,3 +46,11 @@ gopkg.in/yaml.v2 cd8b52f8269e0feb286dfeef29f8fe4d5b397e0b
 k8s.io/apimachinery master
 k8s.io/client-go master
 k8s.io/kubernetes master
+github.com/hashicorp/go-multierror master
+github.com/hashicorp/errwrap master
+github.com/xeipuuv/gojsonschema master
+github.com/xeipuuv/gojsonreference master
+github.com/containerd/continuity master
+github.com/gogo/protobuf master
+github.com/xeipuuv/gojsonpointer master
+github.com/pquerna/ffjson d49c2bc1aa135aad0c6f4fc2056623ec78f5d5ac
--- a/vendor/github.com/Sirupsen/logrus/terminal_appengine.go
+++ b/vendor/github.com/Sirupsen/logrus/terminal_appengine.go
@@ -1,10 +0,0 @@
-// +build appengine
-
-package logrus
-
-import "io"
-
-// IsTerminal returns true if stderr's file descriptor is a terminal.
-func IsTerminal(f io.Writer) bool {
-	return true
-}
--- a/vendor/github.com/Sirupsen/logrus/terminal_bsd.go
+++ b/vendor/github.com/Sirupsen/logrus/terminal_bsd.go
@@ -1,10 +0,0 @@
-// +build darwin freebsd openbsd netbsd dragonfly
-// +build !appengine
-
-package logrus
-
-import "syscall"
-
-const ioctlReadTermios = syscall.TIOCGETA
-
-type Termios syscall.Termios
--- a/vendor/github.com/Sirupsen/logrus/terminal_notwindows.go
+++ b/vendor/github.com/Sirupsen/logrus/terminal_notwindows.go
@@ -1,28 +0,0 @@
-// Based on ssh/terminal:
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build linux darwin freebsd openbsd netbsd dragonfly
-// +build !appengine
-
-package logrus
-
-import (
-	"io"
-	"os"
-	"syscall"
-	"unsafe"
-)
-
-// IsTerminal returns true if stderr's file descriptor is a terminal.
-func IsTerminal(f io.Writer) bool {
-	var termios Termios
-	switch v := f.(type) {
-	case *os.File:
-		_, _, err := syscall.Syscall6(syscall.SYS_IOCTL, uintptr(v.Fd()), ioctlReadTermios, uintptr(unsafe.Pointer(&termios)), 0, 0, 0)
-		return err == 0
-	default:
-		return false
-	}
-}
--- a/vendor/github.com/Sirupsen/logrus/terminal_solaris.go
+++ b/vendor/github.com/Sirupsen/logrus/terminal_solaris.go
@@ -1,21 +0,0 @@
-// +build solaris,!appengine
-
-package logrus
-
-import (
-	"io"
-	"os"
-
-	"golang.org/x/sys/unix"
-)
-
-// IsTerminal returns true if the given file descriptor is a terminal.
-func IsTerminal(f io.Writer) bool {
-	switch v := f.(type) {
-	case *os.File:
-		_, err := unix.IoctlGetTermios(int(v.Fd()), unix.TCGETA)
-		return err == nil
-	default:
-		return false
-	}
-}
--- a/vendor/github.com/Sirupsen/logrus/terminal_windows.go
+++ b/vendor/github.com/Sirupsen/logrus/terminal_windows.go
@@ -1,33 +0,0 @@
-// Based on ssh/terminal:
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build windows,!appengine
-
-package logrus
-
-import (
-	"io"
-	"os"
-	"syscall"
-	"unsafe"
-)
-
-var kernel32 = syscall.NewLazyDLL("kernel32.dll")
-
-var (
-	procGetConsoleMode = kernel32.NewProc("GetConsoleMode")
-)
-
-// IsTerminal returns true if stderr's file descriptor is a terminal.
-func IsTerminal(f io.Writer) bool {
-	switch v := f.(type) {
-	case *os.File:
-		var st uint32
-		r, _, e := syscall.Syscall(procGetConsoleMode.Addr(), 2, uintptr(v.Fd()), uintptr(unsafe.Pointer(&st)), 0)
-		return r != 0 && e == 0
-	default:
-		return false
-	}
-}
--- a/vendor/github.com/containers/image/README.md
+++ b/vendor/github.com/containers/image/README.md
@@ -0,0 +1,79 @@
+[![GoDoc](https://godoc.org/github.com/containers/image?status.svg)](https://godoc.org/github.com/containers/image) [![Build Status](https://travis-ci.org/containers/image.svg?branch=master)](https://travis-ci.org/containers/image)
+=
+
+`image` is a set of Go libraries aimed at working in various way with
+containers' images and container image registries.
+
+The containers/image library allows application to pull and push images from
+container image registries, like the upstream docker registry. It also
+implements "simple image signing".
+
+The containers/image library also allows you to inspect a repository on a
+container registry without pulling down the image. This means it fetches the
+repository's manifest and it is able to show you a `docker inspect`-like json
+output about a whole repository or a tag. This library, in contrast to `docker
+inspect`, helps you gather useful information about a repository or a tag
+without requiring you to run `docker pull`.
+
+The containers/image library also allows you to translate from one image format
+to another, for example docker container images to OCI images. It also allows
+you to copy container images between various registries, possibly converting
+them as necessary, and to sign and verify images.
+
+## Command-line usage
+
+The containers/image project is only a library with no user interface;
+you can either incorporate it into your Go programs, or use the `skopeo` tool:
+
+The [skopeo](https://github.com/projectatomic/skopeo) tool uses the
+containers/image library and takes advantage of many of its features,
+e.g. `skopeo copy` exposes the `containers/image/copy.Image` functionality.
+
+## Dependencies
+
+This library does not ship a committed version of its dependencies in a `vendor`
+subdirectory.  This is so you can make well-informed decisions about which
+libraries you should use with this package in your own projects, and because
+types defined in the `vendor` directory would be impossible to use from your projects.
+
+What this project tests against dependencies-wise is located
+[in vendor.conf](https://github.com/containers/image/blob/master/vendor.conf).
+
+## Building
+
+If you want to see what the library can do, or an example of how it is called,
+consider starting with the [skopeo](https://github.com/projectatomic/skopeo) tool
+instead.
+
+To integrate this library into your project, put it into `$GOPATH` or use
+your preferred vendoring tool to include a copy in your project.
+Ensure that the dependencies documented [in vendor.conf](https://github.com/containers/image/blob/master/vendor.conf)
+are also available
+(using those exact versions or different versions of your choosing).
+
+This library, by default, also depends on the GpgME and libostree C libraries. Either install them:
+```sh
+Fedora$ dnf install gpgme-devel libassuan-devel libostree-devel
+macOS$ brew install gpgme
+```
+or use the build tags described below to avoid the dependencies (e.g. using `go build -tags …`)
+
+### Supported build tags
+
+- `containers_image_openpgp`: Use a Golang-only OpenPGP implementation for signature verification instead of the default cgo/gpgme-based implementation;
+the primary downside is that creating new signatures with the Golang-only implementation is not supported.
+- `containers_image_ostree_stub`: Instead of importing `ostree:` transport in `github.com/containers/image/transports/alltransports`, use a stub which reports that the transport is not supported. This allows building the library without requiring the `libostree` development libraries. The `github.com/containers/image/ostree` package is completely disabled
+and impossible to import when this build tag is in use.
+
+## Contributing
+
+When developing this library, please use `make` (or `make … BUILDTAGS=…`) to take advantage of the tests and validation.
+
+## License
+
+ASL 2.0
+
+## Contact
+
+- Mailing list: [containers-dev](https://groups.google.com/forum/?hl=en#!forum/containers-dev)
+- IRC: #[container-projects](irc://irc.freenode.net:6667/#container-projects) on freenode.net
--- a/vendor/github.com/containers/image/copy/copy.go
+++ b/vendor/github.com/containers/image/copy/copy.go
@@ -3,16 +3,15 @@ package copy
 import (
 	"bytes"
 	"compress/gzip"
+	"context"
 	"fmt"
 	"io"
 	"io/ioutil"
 	"reflect"
+	"runtime"
 	"strings"
 	"time"

-	pb "gopkg.in/cheggaaa/pb.v1"
-
-	"github.com/Sirupsen/logrus"
 	"github.com/containers/image/image"
 	"github.com/containers/image/pkg/compression"
 	"github.com/containers/image/signature"
@@ -20,6 +19,8 @@ import (
 	"github.com/containers/image/types"
 	"github.com/opencontainers/go-digest"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	pb "gopkg.in/cheggaaa/pb.v1"
 )

 type digestingReader struct {
@@ -93,6 +94,8 @@ type Options struct {
 	DestinationCtx   *types.SystemContext
 	ProgressInterval time.Duration                 // time to wait between reports to signal the progress channel
 	Progress         chan types.ProgressProperties // Reported to when ProgressInterval has arrived for a single artifact+offset.
+	// manifest MIME type of image set by user. "" is default and means use the autodetection to the the manifest MIME type
+	ForceManifestMIMEType string
 }

 // Image copies image from srcRef to destRef, using policyContext to validate
@@ -127,9 +130,7 @@ func Image(policyContext *signature.PolicyContext, destRef, srcRef types.ImageRe
 		}
 	}()

-	destSupportedManifestMIMETypes := dest.SupportedManifestMIMETypes()
-
-	rawSource, err := srcRef.NewImageSource(options.SourceCtx, destSupportedManifestMIMETypes)
+	rawSource, err := srcRef.NewImageSource(options.SourceCtx)
 	if err != nil {
 		return errors.Wrapf(err, "Error initializing source %s", transports.ImageName(srcRef))
 	}
@@ -157,6 +158,10 @@ func Image(policyContext *signature.PolicyContext, destRef, srcRef types.ImageRe
 		}
 	}()

+	if err := checkImageDestinationForCurrentRuntimeOS(src, dest); err != nil {
+		return err
+	}
+
 	if src.IsMultiImage() {
 		return errors.Errorf("can not copy %s: manifest contains multiple images", transports.ImageName(srcRef))
 	}
@@ -166,7 +171,7 @@ func Image(policyContext *signature.PolicyContext, destRef, srcRef types.ImageRe
 		sigs = [][]byte{}
 	} else {
 		writeReport("Getting image source signatures\n")
-		s, err := src.Signatures()
+		s, err := src.Signatures(context.TODO())
 		if err != nil {
 			return errors.Wrap(err, "Error reading signatures")
 		}
@@ -189,7 +194,7 @@ func Image(policyContext *signature.PolicyContext, destRef, srcRef types.ImageRe

 	// We compute preferredManifestMIMEType only to show it in error messages.
 	// Without having to add this context in an error message, we would be happy enough to know only that no conversion is needed.
-	preferredManifestMIMEType, otherManifestMIMETypeCandidates, err := determineManifestConversion(&manifestUpdates, src, destSupportedManifestMIMETypes, canModifyManifest)
+	preferredManifestMIMEType, otherManifestMIMETypeCandidates, err := determineManifestConversion(&manifestUpdates, src, dest.SupportedManifestMIMETypes(), canModifyManifest, options.ForceManifestMIMEType)
 	if err != nil {
 		return err
 	}
@@ -277,6 +282,22 @@ func Image(policyContext *signature.PolicyContext, destRef, srcRef types.ImageRe
 	return nil
 }

+func checkImageDestinationForCurrentRuntimeOS(src types.Image, dest types.ImageDestination) error {
+	if dest.MustMatchRuntimeOS() {
+		c, err := src.OCIConfig()
+		if err != nil {
+			return errors.Wrapf(err, "Error parsing image configuration")
+		}
+		osErr := fmt.Errorf("image operating system %q cannot be used on %q", c.OS, runtime.GOOS)
+		if runtime.GOOS == "windows" && c.OS == "linux" {
+			return osErr
+		} else if runtime.GOOS != "windows" && c.OS == "windows" {
+			return osErr
+		}
+	}
+	return nil
+}
+
 // updateEmbeddedDockerReference handles the Docker reference embedded in Docker schema1 manifests.
 func updateEmbeddedDockerReference(manifestUpdates *types.ManifestUpdateOptions, dest types.ImageDestination, src types.Image, canModifyManifest bool) error {
 	destRef := dest.Reference().DockerReference()
@@ -561,7 +582,7 @@ func (ic *imageCopier) copyBlobFromStream(srcStream io.Reader, srcInfo types.Blo
 	bar.ShowPercent = false
 	bar.Start()
 	destStream = bar.NewProxyReader(destStream)
-	defer fmt.Fprint(ic.reportWriter, "\n")
+	defer bar.Finish()

 	// === Send a copy of the original, uncompressed, stream, to a separate path if necessary.
 	var originalLayerReader io.Reader // DO NOT USE this other than to drain the input if no other consumer in the pipeline has done so.
--- a/vendor/github.com/containers/image/copy/manifest.go
+++ b/vendor/github.com/containers/image/copy/manifest.go
@@ -3,10 +3,10 @@ package copy
 import (
 	"strings"

-	"github.com/Sirupsen/logrus"
 	"github.com/containers/image/manifest"
 	"github.com/containers/image/types"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 )

 // preferredManifestMIMETypes lists manifest MIME types in order of our preference, if we can't use the original manifest and need to convert.
@@ -41,12 +41,16 @@ func (os *orderedSet) append(s string) {
 // Note that the conversion will only happen later, through src.UpdatedImage
 // Returns the preferred manifest MIME type (whether we are converting to it or using it unmodified),
 // and a list of other possible alternatives, in order.
-func determineManifestConversion(manifestUpdates *types.ManifestUpdateOptions, src types.Image, destSupportedManifestMIMETypes []string, canModifyManifest bool) (string, []string, error) {
+func determineManifestConversion(manifestUpdates *types.ManifestUpdateOptions, src types.Image, destSupportedManifestMIMETypes []string, canModifyManifest bool, forceManifestMIMEType string) (string, []string, error) {
 	_, srcType, err := src.Manifest()
 	if err != nil { // This should have been cached?!
 		return "", nil, errors.Wrap(err, "Error reading manifest")
 	}

+	if forceManifestMIMEType != "" {
+		destSupportedManifestMIMETypes = []string{forceManifestMIMEType}
+	}
+
 	if len(destSupportedManifestMIMETypes) == 0 {
 		return srcType, []string{}, nil // Anything goes; just use the original as is, do not try any conversions.
 	}
--- a/vendor/github.com/containers/image/directory/directory_dest.go
+++ b/vendor/github.com/containers/image/directory/directory_dest.go
@@ -4,19 +4,77 @@ import (
 	"io"
 	"io/ioutil"
 	"os"
+	"path/filepath"

 	"github.com/containers/image/types"
 	"github.com/opencontainers/go-digest"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 )

+const version = "Directory Transport Version: 1.0\n"
+
+// ErrNotContainerImageDir indicates that the directory doesn't match the expected contents of a directory created
+// using the 'dir' transport
+var ErrNotContainerImageDir = errors.New("not a containers image directory, don't want to overwrite important data")
+
 type dirImageDestination struct {
-	ref dirReference
+	ref      dirReference
+	compress bool
 }

-// newImageDestination returns an ImageDestination for writing to an existing directory.
-func newImageDestination(ref dirReference) types.ImageDestination {
-	return &dirImageDestination{ref}
+// newImageDestination returns an ImageDestination for writing to a directory.
+func newImageDestination(ref dirReference, compress bool) (types.ImageDestination, error) {
+	d := &dirImageDestination{ref: ref, compress: compress}
+
+	// If directory exists check if it is empty
+	// if not empty, check whether the contents match that of a container image directory and overwrite the contents
+	// if the contents don't match throw an error
+	dirExists, err := pathExists(d.ref.resolvedPath)
+	if err != nil {
+		return nil, errors.Wrapf(err, "error checking for path %q", d.ref.resolvedPath)
+	}
+	if dirExists {
+		isEmpty, err := isDirEmpty(d.ref.resolvedPath)
+		if err != nil {
+			return nil, err
+		}
+
+		if !isEmpty {
+			versionExists, err := pathExists(d.ref.versionPath())
+			if err != nil {
+				return nil, errors.Wrapf(err, "error checking if path exists %q", d.ref.versionPath())
+			}
+			if versionExists {
+				contents, err := ioutil.ReadFile(d.ref.versionPath())
+				if err != nil {
+					return nil, err
+				}
+				// check if contents of version file is what we expect it to be
+				if string(contents) != version {
+					return nil, ErrNotContainerImageDir
+				}
+			} else {
+				return nil, ErrNotContainerImageDir
+			}
+			// delete directory contents so that only one image is in the directory at a time
+			if err = removeDirContents(d.ref.resolvedPath); err != nil {
+				return nil, errors.Wrapf(err, "error erasing contents in %q", d.ref.resolvedPath)
+			}
+			logrus.Debugf("overwriting existing container image directory %q", d.ref.resolvedPath)
+		}
+	} else {
+		// create directory if it doesn't exist
+		if err := os.MkdirAll(d.ref.resolvedPath, 0755); err != nil {
+			return nil, errors.Wrapf(err, "unable to create directory %q", d.ref.resolvedPath)
+		}
+	}
+	// create version file
+	err = ioutil.WriteFile(d.ref.versionPath(), []byte(version), 0755)
+	if err != nil {
+		return nil, errors.Wrapf(err, "error creating version file %q", d.ref.versionPath())
+	}
+	return d, nil
 }

 // Reference returns the reference used to set up this destination.  Note that this should directly correspond to user's intent,
@@ -42,7 +100,7 @@ func (d *dirImageDestination) SupportsSignatures() error {

 // ShouldCompressLayers returns true iff it is desirable to compress layer blobs written to this destination.
 func (d *dirImageDestination) ShouldCompressLayers() bool {
-	return false
+	return d.compress
 }

 // AcceptsForeignLayerURLs returns false iff foreign layers in manifest should be actually
@@ -51,6 +109,11 @@ func (d *dirImageDestination) AcceptsForeignLayerURLs() bool {
 	return false
 }

+// MustMatchRuntimeOS returns true iff the destination can store only images targeted for the current runtime OS. False otherwise.
+func (d *dirImageDestination) MustMatchRuntimeOS() bool {
+	return false
+}
+
 // PutBlob writes contents of stream and returns data representing the result (with all data filled in).
 // inputInfo.Digest can be optionally provided if known; it is not mandatory for the implementation to verify it.
 // inputInfo.Size is the expected length of stream, if known.
@@ -142,3 +205,39 @@ func (d *dirImageDestination) PutSignatures(signatures [][]byte) error {
 func (d *dirImageDestination) Commit() error {
 	return nil
 }
+
+// returns true if path exists
+func pathExists(path string) (bool, error) {
+	_, err := os.Stat(path)
+	if err == nil {
+		return true, nil
+	}
+	if err != nil && os.IsNotExist(err) {
+		return false, nil
+	}
+	return false, err
+}
+
+// returns true if directory is empty
+func isDirEmpty(path string) (bool, error) {
+	files, err := ioutil.ReadDir(path)
+	if err != nil {
+		return false, err
+	}
+	return len(files) == 0, nil
+}
+
+// deletes the contents of a directory
+func removeDirContents(path string) error {
+	files, err := ioutil.ReadDir(path)
+	if err != nil {
+		return err
+	}
+
+	for _, file := range files {
+		if err := os.RemoveAll(filepath.Join(path, file.Name())); err != nil {
+			return err
+		}
+	}
+	return nil
+}
--- a/Show More
+++ b/Show More