bump to v0.1.25

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
Fix CVE in tar-split
2026-01-31 14:29:03 +00:00 · 2017-11-08 15:59:01 +01:00 · 2017-11-08 15:58:43 +01:00 · 2017-11-07 20:40:03 +01:00 · 2017-11-07 19:34:26 +01:00 · 2017-11-07 17:53:25 +01:00
1385 changed files with 285190 additions and 46720 deletions
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,10 +1,24 @@
-sudo: required

-services:
-  - docker
+matrix:
+  include:
+  -  os: linux
+     sudo: required
+     services:
+       - docker
+  -  os: osx

 notifications:
  email: false

+install:
+  # NOTE: The (brew update) should not be necessary, and slows things down;
+  # we include it as a workaround for https://github.com/Homebrew/brew/issues/3299
+  # ideally Travis should bake the (brew update) into its images
+  # (https://github.com/travis-ci/travis-ci/issues/8552 ), but that’s only going
+  # to happen around November 2017 per https://blog.travis-ci.com/2017-10-16-a-new-default-os-x-image-is-coming .
+  # Remove the (brew update) at that time.
+  - if [[ "$TRAVIS_OS_NAME" == "osx" ]]; then brew update && brew install gpgme ; fi
+
 script:
-  - make check
+  - if [[ "$TRAVIS_OS_NAME" == "osx" ]];   then hack/travis_osx.sh ; fi
+  - if [[ "$TRAVIS_OS_NAME" == "linux" ]]; then make check ; fi
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -8,7 +8,9 @@ that we follow.
 * [Reporting Issues](#reporting-issues)
 * [Submitting Pull Requests](#submitting-pull-requests)
 * [Communications](#communications)
-* [Becomign a Maintainer](#becoming-a-maintainer)
+<!--
+* [Becoming a Maintainer](#becoming-a-maintainer)
+-->

 ## Reporting Issues

@@ -37,9 +39,9 @@ It's ok to just open up a PR with the fix, but make sure you include the same
 information you would have included in an issue - like how to reproduce it.

 PRs for new features should include some background on what use cases the
-new code is trying to address. And, when possible and it makes, try to break-up
+new code is trying to address. When possible and when it makes sense, try to break-up
 larger PRs into smaller ones - it's easier to review smaller
-code changes. But, only if those smaller ones make sense as stand-alone PRs.
+code changes. But only if those smaller ones make sense as stand-alone PRs.

 Regardless of the type of PR, all PRs should include:
 * well documented code changes
@@ -47,9 +49,9 @@ Regardless of the type of PR, all PRs should include:
 * documentation changes

 Squash your commits into logical pieces of work that might want to be reviewed
-separate from the rest of the PRs. But, squashing down to just one commit is ok
-too since in the end the entire PR will be reviewed anyway. When in doubt, 
-squash.
+separate from the rest of the PRs. Ideally, each commit should implement a single
+idea, and the PR branch should pass the tests at every commit.  GitHub makes it easy
+to review the cumulative effect of many commits; so, when in doubt, use smaller commits.

 PRs that fix issues should include a reference like `Closes #XXXX` in the
 commit message so that github will automatically close the referenced issue
@@ -115,7 +117,7 @@ commit automatically with `git commit -s`.

 ## Communications

-For general questions, or dicsussions, please use the 
+For general questions, or discussions, please use the 
 IRC group on `irc.freenode.net` called `container-projects`
 that has been setup.

--- a/39
+++ b/39
@@ -1,25 +1,24 @@
 FROM fedora

 RUN dnf -y update && dnf install -y make git golang golang-github-cpuguy83-go-md2man \
+	# storage deps
+	btrfs-progs-devel \
+	device-mapper-devel \
 	# gpgme bindings deps
 	libassuan-devel gpgme-devel \
+	ostree-devel \
 	gnupg \
-	# registry v1 deps
-	xz-devel \
-	python-devel \
-	python-pip \
-	swig \
-	redhat-rpm-config \
-	openssl-devel \
-	patch
+	# OpenShift deps
+	which tar wget hostname util-linux bsdtar socat ethtool device-mapper iptables tree findutils nmap-ncat e2fsprogs xfsprogs lsof docker iproute \
+	&& dnf clean all

-# Install three versions of the registry. The first is an older version that
+# Install two versions of the registry. The first is an older version that
 # only supports schema1 manifests. The second is a newer version that supports
 # both. This allows integration-cli tests to cover push/pull with both schema1
-# and schema2 manifests. Install registry v1 also.
-ENV REGISTRY_COMMIT_SCHEMA1 ec87e9b6971d831f0eff752ddb54fb64693e51cd
-ENV REGISTRY_COMMIT 47a064d4195a9b56133891bbb13620c3ac83a827
+# and schema2 manifests.
 RUN set -x \
+	&& REGISTRY_COMMIT_SCHEMA1=ec87e9b6971d831f0eff752ddb54fb64693e51cd \
+	&& REGISTRY_COMMIT=47a064d4195a9b56133891bbb13620c3ac83a827 \
 	&& export GOPATH="$(mktemp -d)" \
 	&& git clone https://github.com/docker/distribution.git "$GOPATH/src/github.com/docker/distribution" \
 	&& (cd "$GOPATH/src/github.com/docker/distribution" && git checkout -q "$REGISTRY_COMMIT") \
@@ -28,25 +27,15 @@ RUN set -x \
 	&& (cd "$GOPATH/src/github.com/docker/distribution" && git checkout -q "$REGISTRY_COMMIT_SCHEMA1") \
 	&& GOPATH="$GOPATH/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH" \
 		go build -o /usr/local/bin/registry-v2-schema1 github.com/docker/distribution/cmd/registry \
-	&& rm -rf "$GOPATH" \
-	&& export DRV1="$(mktemp -d)" \
-	&& git clone https://github.com/docker/docker-registry.git "$DRV1" \
-	# no need for setuptools since we have a version conflict with fedora
-	&& sed -i.bak s/setuptools==5.8//g "$DRV1/requirements/main.txt" \
-	&& sed -i.bak s/setuptools==5.8//g "$DRV1/depends/docker-registry-core/requirements/main.txt" \
-	&& pip install "$DRV1/depends/docker-registry-core" \
-	&& pip install file://"$DRV1#egg=docker-registry[bugsnag,newrelic,cors]" \
-	&& patch $(python -c 'import boto; import os; print os.path.dirname(boto.__file__)')/connection.py \
-		< "$DRV1/contrib/boto_header_patch.diff" \
-	&& dnf -y update && dnf install -y m2crypto
+	&& rm -rf "$GOPATH"

 RUN set -x \
-	&& yum install -y which git tar wget hostname util-linux bsdtar socat ethtool device-mapper iptables tree findutils nmap-ncat e2fsprogs xfsprogs lsof docker iproute \
 	&& export GOPATH=$(mktemp -d) \
-	&& git clone -b v1.3.0-alpha.3 git://github.com/openshift/origin "$GOPATH/src/github.com/openshift/origin" \
+	&& git clone --depth 1 -b v1.5.0-alpha.3 git://github.com/openshift/origin "$GOPATH/src/github.com/openshift/origin" \
 	&& (cd "$GOPATH/src/github.com/openshift/origin" && make clean build && make all WHAT=cmd/dockerregistry) \
 	&& cp -a "$GOPATH/src/github.com/openshift/origin/_output/local/bin/linux"/*/* /usr/local/bin \
 	&& cp "$GOPATH/src/github.com/openshift/origin/images/dockerregistry/config.yml" /atomic-registry-config.yml \
+	&& rm -rf "$GOPATH" \
 	&& mkdir /registry

 ENV GOPATH /usr/share/gocode:/go
--- a/Dockerfile.build
+++ b/Dockerfile.build
@@ -1,5 +1,14 @@
-FROM ubuntu:16.04
-RUN apt-get update
-RUN apt-get install -y golang git-core libgpgme11-dev go-md2man
+FROM ubuntu:17.04
+
+RUN apt-get update && apt-get install -y \
+    golang \
+    btrfs-tools \
+    git-core \
+    libdevmapper-dev \
+    libgpgme11-dev \
+    go-md2man \
+    libglib2.0-dev \
+    libostree-dev
+
 ENV GOPATH=/
 WORKDIR /src/github.com/projectatomic/skopeo
--- a/54
+++ b/54
@@ -2,19 +2,37 @@

 export GO15VENDOREXPERIMENT=1

+ifeq ($(shell uname),Darwin)
+PREFIX ?= ${DESTDIR}/usr/local
+DARWIN_BUILD_TAG=containers_image_ostree_stub
+# On macOS, (brew install gpgme) installs it within /usr/local, but /usr/local/include is not in the default search path.
+# Rather than hard-code this directory, use gpgme-config. Sadly that must be done at the top-level user
+# instead of locally in the gpgme subpackage, because cgo supports only pkg-config, not general shell scripts,
+# and gpgme does not install a pkg-config file.
+# If gpgme is not installed or gpgme-config can’t be found for other reasons, the error is silently ignored
+# (and the user will probably find out because the cgo compilation will fail).
+GPGME_ENV := CGO_CFLAGS="$(shell gpgme-config --cflags 2>/dev/null)" CGO_LDFLAGS="$(shell gpgme-config --libs 2>/dev/null)"
+else
 PREFIX ?= ${DESTDIR}/usr
+endif
+
 INSTALLDIR=${PREFIX}/bin
 MANINSTALLDIR=${PREFIX}/share/man
 CONTAINERSSYSCONFIGDIR=${DESTDIR}/etc/containers
 REGISTRIESDDIR=${CONTAINERSSYSCONFIGDIR}/registries.d
 SIGSTOREDIR=${DESTDIR}/var/lib/atomic/sigstore
 BASHINSTALLDIR=${PREFIX}/share/bash-completion/completions
-GO_MD2MAN ?= /usr/bin/go-md2man
+GO_MD2MAN ?= go-md2man
+GO ?= go

 ifeq ($(DEBUG), 1)
  override GOGCFLAGS += -N -l
 endif

+ifeq ($(shell go env GOOS), linux)
+  GO_DYN_FLAGS="-buildmode=pie"
+endif
+
 GIT_BRANCH := $(shell git rev-parse --abbrev-ref HEAD 2>/dev/null)
 DOCKER_IMAGE := skopeo-dev$(if $(GIT_BRANCH),:$(GIT_BRANCH))
 # set env like gobuildtag?
@@ -32,6 +50,11 @@ GIT_COMMIT := $(shell git rev-parse HEAD 2> /dev/null || true)

 MANPAGES_MD = $(wildcard docs/*.md)

+BTRFS_BUILD_TAG = $(shell hack/btrfs_tag.sh)
+LIBDM_BUILD_TAG = $(shell hack/libdm_tag.sh)
+LOCAL_BUILD_TAGS = $(BTRFS_BUILD_TAG) $(LIBDM_BUILD_TAG) $(DARWIN_BUILD_TAG)
+BUILDTAGS += $(LOCAL_BUILD_TAGS)
+
 #   make all DEBUG=1
 #     Note: Uses the -N -l go compiler options to disable compiler optimizations
 #           and inlining. Using these build options allows you to subsequently
@@ -43,19 +66,19 @@ all: binary docs
 binary: cmd/skopeo
 	docker build ${DOCKER_BUILD_ARGS} -f Dockerfile.build -t skopeobuildimage .
 	docker run --rm --security-opt label:disable -v $$(pwd):/src/github.com/projectatomic/skopeo \
-		skopeobuildimage make binary-local $(if $(DEBUG),DEBUG=$(DEBUG))
+		skopeobuildimage make binary-local $(if $(DEBUG),DEBUG=$(DEBUG)) BUILDTAGS='$(BUILDTAGS)'

 binary-static: cmd/skopeo
 	docker build ${DOCKER_BUILD_ARGS} -f Dockerfile.build -t skopeobuildimage .
 	docker run --rm --security-opt label:disable -v $$(pwd):/src/github.com/projectatomic/skopeo \
-		skopeobuildimage make binary-local-static $(if $(DEBUG),DEBUG=$(DEBUG))
+		skopeobuildimage make binary-local-static $(if $(DEBUG),DEBUG=$(DEBUG)) BUILDTAGS='$(BUILDTAGS)'

 # Build w/o using Docker containers
 binary-local:
-	go build -ldflags "-X main.gitCommit=${GIT_COMMIT}" -gcflags "$(GOGCFLAGS)" -tags "$(BUILDTAGS)" -o skopeo ./cmd/skopeo
+	$(GPGME_ENV) $(GO) build ${GO_DYN_FLAGS} -ldflags "-X main.gitCommit=${GIT_COMMIT}" -gcflags "$(GOGCFLAGS)" -tags "$(BUILDTAGS)" -o skopeo ./cmd/skopeo

 binary-local-static:
-	go build -ldflags "-extldflags \"-static\" -X main.gitCommit=${GIT_COMMIT}" -gcflags "$(GOGCFLAGS)" -tags "$(BUILDTAGS)" -o skopeo ./cmd/skopeo
+	$(GPGME_ENV) $(GO) build -ldflags "-extldflags \"-static\" -X main.gitCommit=${GIT_COMMIT}" -gcflags "$(GOGCFLAGS)" -tags "$(BUILDTAGS)" -o skopeo ./cmd/skopeo

 build-container:
 	docker build ${DOCKER_BUILD_ARGS} -t "$(DOCKER_IMAGE)" .
@@ -71,17 +94,22 @@ clean:

 install: install-binary install-docs install-completions
 	install -d -m 755 ${SIGSTOREDIR}
-	install -D -m 644 default-policy.json ${CONTAINERSSYSCONFIGDIR}/policy.json
-	install -D -m 644 default.yaml ${REGISTRIESDDIR}/default.yaml
+	install -d -m 755 ${CONTAINERSSYSCONFIGDIR}
+	install -m 644 default-policy.json ${CONTAINERSSYSCONFIGDIR}/policy.json
+	install -d -m 755 ${REGISTRIESDDIR}
+	install -m 644 default.yaml ${REGISTRIESDDIR}/default.yaml

 install-binary: ./skopeo
-	install -D -m 755 skopeo ${INSTALLDIR}/skopeo
+	install -d -m 755 ${INSTALLDIR}
+	install -m 755 skopeo ${INSTALLDIR}/skopeo

 install-docs: docs/skopeo.1
-	install -D -m 644 docs/skopeo.1 ${MANINSTALLDIR}/man1/skopeo.1
+	install -d -m 755 ${MANINSTALLDIR}/man1
+	install -m 644 docs/skopeo.1 ${MANINSTALLDIR}/man1/skopeo.1

 install-completions:
-	install -m 644 -D completions/bash/skopeo ${BASHINSTALLDIR}/skopeo
+	install -m 755 -d ${BASHINSTALLDIR}
+	install -m 644 completions/bash/skopeo ${BASHINSTALLDIR}/skopeo

 shell: build-container
 	$(DOCKER_RUN_DOCKER) bash
@@ -90,11 +118,11 @@ check: validate test-unit test-integration

 # The tests can run out of entropy and block in containers, so replace /dev/random.
 test-integration: build-container
-	$(DOCKER_RUN_DOCKER) bash -c 'rm -f /dev/random; ln -sf /dev/urandom /dev/random; SKOPEO_CONTAINER_TESTS=1 hack/make.sh test-integration'
+	$(DOCKER_RUN_DOCKER) bash -c 'rm -f /dev/random; ln -sf /dev/urandom /dev/random; SKOPEO_CONTAINER_TESTS=1 BUILDTAGS="$(BUILDTAGS)" hack/make.sh test-integration'

 test-unit: build-container
 	# Just call (make test unit-local) here instead of worrying about environment differences, e.g. GO15VENDOREXPERIMENT.
-	$(DOCKER_RUN_DOCKER) make test-unit-local
+	$(DOCKER_RUN_DOCKER) make test-unit-local BUILDTAGS='$(BUILDTAGS)'

 validate: build-container
 	$(DOCKER_RUN_DOCKER) hack/make.sh validate-git-marks validate-gofmt validate-lint validate-vet
@@ -106,4 +134,4 @@ validate-local:
 	hack/make.sh validate-git-marks validate-gofmt validate-lint validate-vet

 test-unit-local:
-	go test -tags "$(BUILDTAGS)" $$(go list -tags "$(BUILDTAGS)" -e ./... | grep -v '^github\.com/projectatomic/skopeo/\(integration\|vendor/.*\)$$')
+	$(GPGME_ENV) $(GO) test -tags "$(BUILDTAGS)" $$($(GO) list -tags "$(BUILDTAGS)" -e ./... | grep -v '^github\.com/projectatomic/skopeo/\(integration\|vendor/.*\)$$')
--- a/README.md
+++ b/README.md
@@ -1,16 +1,44 @@
 skopeo [![Build Status](https://travis-ci.org/projectatomic/skopeo.svg?branch=master)](https://travis-ci.org/projectatomic/skopeo)
 =

-_Please be aware `skopeo` is still work in progress and it currently supports only registry API V2_
+`skopeo` is a command line utility that performs various operations on container images and image repositories.  Skopeo works with API V2 registries such as Docker registries, the Atomic registry, private registries, local directories and local OCI-layout directories.  Skopeo does not require a daemon to be running to perform these operations which consist of:

-`skopeo` is a command line utility for various operations on container images and image repositories.
+ * Inspecting an image showing its properties including its layers.
+ * Copying an image from and to various storage mechanisms.
+ * Deleting an image from an image repository.
+ * When required by the repository, skopeo can pass the appropriate credentials and certificates for authentication.
+
+ Skopeo operates on the following image and repository types:
+
+ * containers-storage:docker-reference
+         An image located in a local containers/storage image store.  Location and image store specified in /etc/containers/storage.conf
+
+ * dir:path
+         An existing local directory path storing the manifest, layer tarballs and signatures as individual files. This is a non-standardized format, primarily useful for debugging or noninvasive container inspection.
+
+ * docker://docker-reference
+         An image in a registry implementing the "Docker Registry HTTP API V2". By default, uses the authorization state in $HOME/.docker/config.json, which is set e.g. using (docker login).
+
+ * docker-archive:path[:docker-reference]
+         An image is stored in the `docker save` formated file.  docker-reference is only used when creating such a file, and it must not contain a digest.
+
+ * docker-daemon:docker-reference
+         An image docker-reference stored in the docker daemon internal storage.  docker-reference must contain either a tag or a digest.  Alternatively, when reading images, the format can also be docker-daemon:algo:digest (an image ID).
+
+ * oci:path:tag
+         An image tag in a directory compliant with "Open Container Image Layout Specification" at path.
+
+ * ostree:image[@/absolute/repo/path]
+         An image in local OSTree repository.  /absolute/repo/path defaults to /ostree/repo.

 Inspecting a repository
 -
 `skopeo` is able to _inspect_ a repository on a Docker registry and fetch images layers.
-By _inspect_ I mean it fetches the repository's manifest and it is able to show you a `docker inspect`-like
+The _inspect_ command fetches the repository's manifest and it is able to show you a `docker inspect`-like
 json output about a whole repository or a tag. This tool, in contrast to `docker inspect`, helps you gather useful information about
-a repository or a tag before pulling it (using disk space) - e.g. - which tags are available for the given repository? which labels the image has?
+a repository or a tag before pulling it (using disk space).  The inspect command can show you which tags are available for the given 
+repository, the labels the image has, the creation date and operating system of the image and more.  
+

 Examples:
 ```sh
@@ -54,7 +82,7 @@ local directories, and local OCI-layout directories:
 ```sh
 $ skopeo copy docker://busybox:1-glibc atomic:myns/unsigned:streaming
 $ skopeo copy docker://busybox:latest dir:existingemptydirectory
-$ skopeo copy docker://busybox:latest oci:busybox_ocilayout
+$ skopeo copy docker://busybox:latest oci:busybox_ocilayout:latest
 ```

 Deleting images
@@ -103,43 +131,64 @@ you'll get an error. You can fix this by either logging in (via `docker login`)

 Building
 -
-To build the manual you will need go-md2man.
+To build the `skopeo` binary you need at least Go 1.5 because it uses the latest `GO15VENDOREXPERIMENT` flag.
+
+There are two ways to build skopeo: in a container, or locally without a container.  Choose the one which better matches your needs and environment.
+
+### Building without a container
+Building without a container requires a bit more manual work and setup in your environment, but it is more flexible:
+- It should work in more environments (e.g. for native macOS builds)
+- It does not require root privileges (after dependencies are installed)
+- It is faster, therefore more convenient for developing `skopeo`.
+
+Install the necessary dependencies:
 ```sh
-$ sudo apt-get install go-md2man
+Fedora$ sudo dnf install gpgme-devel libassuan-devel btrfs-progs-devel device-mapper-devel ostree-devel
+macOS$ brew install gpgme
 ```
-To build the `skopeo` binary you need at least Go 1.5 because it uses the latest `GO15VENDOREXPERIMENT` flag. Also, make sure to clone the repository in your `GOPATH` - otherwise compilation fails.  
+
+Make sure to clone this repository in your `GOPATH` - otherwise compilation fails.
+
 ```sh
 $ git clone https://github.com/projectatomic/skopeo $GOPATH/src/github.com/projectatomic/skopeo
-$ cd $GOPATH/src/github.com/projectatomic/skopeo && make all
+$ cd $GOPATH/src/github.com/projectatomic/skopeo && make binary-local
 ```

-To build localy on OSX:
+### Building in a container
+Building in a container is simpler, but more restrictive:
+- It requires the `docker` command and the ability to run Linux containers
+- The created executable is a Linux executable, and depends on dynamic libraries which may only be available only in a container of a similar Linux distribution.
+
 ```sh
-$ brew install gpgme
-$ make binary-local
+$ make binary # Or (make all) to also build documentation, see below.
 ```

-You may need to install additional development packages: `gpgme-devel` and `libassuan-devel`
+### Building documentation
+To build the manual you will need go-md2man.
 ```sh
-$ dnf install gpgme-devel libassuan-devel
+Debian$ sudo apt-get install go-md2man
+Fedora$ sudo dnf install go-md2man
 ```
+Then
+```sh
+$ make docs
+```
+
 Installing
 -
 If you built from source:
 ```sh
 $ sudo make install
 ```
-`skopeo` is also available from Fedora 23:
+`skopeo` is also available from Fedora 23 (and later):
 ```sh
-sudo dnf install skopeo
+$ sudo dnf install skopeo
 ```
 TODO
 -
 - list all images on registry?
 - registry v2 search?
- support output to docker load tar(s)
 - show repo tags via flag or when reference isn't tagged or digested
- add tests (integration with deployed registries in container - Docker-like)
 - support rkt/appc image spec

 NOT TODO
@@ -151,22 +200,32 @@ CONTRIBUTING

 ### Dependencies management

-`skopeo` uses a custom bash script for dependencies management. This script is located at `hack/vendor.sh`.
+`skopeo` uses [`vndr`](https://github.com/LK4D4/vndr) for dependencies management.

 In order to add a new dependency to this project:

- add a new line to `hack/vendor.sh` (e.g. `clone git github.com/pkg/errors master`)
- run `hack/vendor.sh`
+- add a new line to `vendor.conf` according to `vndr` rules (e.g. `github.com/pkg/errors master`)
+- run `vndr github.com/pkg/errors`

-In order to update an existing dependency (or more):
+In order to update an existing dependency:

- update the relevant dependency line in `hack/vendor.sh`
- run `hack/vendor.sh`
+- update the relevant dependency line in `vendor.conf`
+- run `vndr github.com/pkg/errors`

-In order to test out new PRs from [containers/image](https://github.com/containers/image) to not break `skopeo`:
+When new PRs for [containers/image](https://github.com/containers/image) break `skopeo` (i.e. `containers/image` tests fail in `make test-skopeo`):

- update `hack/vendor.sh`. Find out the `containers/image` dependency; update it to vendor from your own branch and your own repository fork (e.g. `clone git github.com/containers/image my-branch https://github.com/runcom/image`)
- run `hack/vendor.sh`
+- create out a new branch in your `skopeo` checkout and switch to it
+- update `vendor.conf`. Find out the `containers/image` dependency; update it to vendor from your own branch and your own repository fork (e.g. `github.com/containers/image my-branch https://github.com/runcom/image`)
+- run `vndr github.com/containers/image`
+- make any other necessary changes in the skopeo repo (e.g. add other dependencies now requied by `containers/image`, or update skopeo for changed `containers/image` API)
+- optionally add new integration tests to the skopeo repo
+- submit the resulting branch as a skopeo PR, marked “DO NOT MERGE”
+- iterate until tests pass and the PR is reviewed
+- then the original `containers/image` PR can be merged, disregarding its `make test-skopeo` failure
+- as soon as possible after that, in the skopeo PR, restore the `containers/image` line in `vendor.conf` to use `containers/image:master`
+- run `vndr github.com/containers/image`
+- update the skopeo PR with the result, drop the “DO NOT MERGE” marking
+- after tests complete succcesfully again, merge the skopeo PR

 License
 -
--- a/cmd/skopeo/cgo_pthread_ordering_workaround.go
+++ b/cmd/skopeo/cgo_pthread_ordering_workaround.go
@@ -1,3 +1,5 @@
+// +build !containers_image_openpgp
+
 package main

 /*
--- a/cmd/skopeo/copy.go
+++ b/cmd/skopeo/copy.go
@@ -4,9 +4,11 @@ import (
 	"errors"
 	"fmt"
 	"os"
+	"strings"

 	"github.com/containers/image/copy"
 	"github.com/containers/image/transports"
+	"github.com/containers/image/transports/alltransports"
 	"github.com/containers/image/types"
 	"github.com/urfave/cli"
 )
@@ -37,11 +39,11 @@ func copyHandler(context *cli.Context) error {
 	}
 	defer policyContext.Destroy()

-	srcRef, err := transports.ParseImageName(context.Args()[0])
+	srcRef, err := alltransports.ParseImageName(context.Args()[0])
 	if err != nil {
 		return fmt.Errorf("Invalid source name %s: %v", context.Args()[0], err)
 	}
-	destRef, err := transports.ParseImageName(context.Args()[1])
+	destRef, err := alltransports.ParseImageName(context.Args()[1])
 	if err != nil {
 		return fmt.Errorf("Invalid destination name %s: %v", context.Args()[1], err)
 	}
@@ -63,8 +65,17 @@ func copyHandler(context *cli.Context) error {
 }

 var copyCmd = cli.Command{
-	Name:      "copy",
-	Usage:     "Copy an image from one location to another",
+	Name:  "copy",
+	Usage: "Copy an IMAGE-NAME from one location to another",
+	Description: fmt.Sprintf(`
+
+	Container "IMAGE-NAME" uses a "transport":"details" format.
+
+	Supported transports:
+	%s
+
+	See skopeo(1) section "IMAGE NAMES" for the expected format
+	`, strings.Join(transports.ListNames(), ", ")),
 	ArgsUsage: "SOURCE-IMAGE DESTINATION-IMAGE",
 	Action:    copyHandler,
 	// FIXME: Do we need to namespace the GPG aspect?
@@ -94,7 +105,7 @@ var copyCmd = cli.Command{
 		},
 		cli.BoolTFlag{
 			Name:  "src-tls-verify",
-			Usage: "require HTTPS and verify certificates when talking to the docker source registry (defaults to true)",
+			Usage: "require HTTPS and verify certificates when talking to the container source registry (defaults to true)",
 		},
 		cli.StringFlag{
 			Name:  "dest-cert-dir",
@@ -103,7 +114,22 @@ var copyCmd = cli.Command{
 		},
 		cli.BoolTFlag{
 			Name:  "dest-tls-verify",
-			Usage: "require HTTPS and verify certificates when talking to the docker destination registry (defaults to true)",
+			Usage: "require HTTPS and verify certificates when talking to the container destination registry (defaults to true)",
+		},
+		cli.StringFlag{
+			Name:  "dest-ostree-tmp-dir",
+			Value: "",
+			Usage: "`DIRECTORY` to use for OSTree temporary files",
+		},
+		cli.StringFlag{
+			Name:  "src-shared-blob-dir",
+			Value: "",
+			Usage: "`DIRECTORY` to use to fetch retrieved blobs (OCI layout sources only)",
+		},
+		cli.StringFlag{
+			Name:  "dest-shared-blob-dir",
+			Value: "",
+			Usage: "`DIRECTORY` to use to store retrieved blobs (OCI layout destinations only)",
 		},
 	},
 }
--- a/cmd/skopeo/delete.go
+++ b/cmd/skopeo/delete.go
@@ -3,8 +3,10 @@ package main
 import (
 	"errors"
 	"fmt"
+	"strings"

 	"github.com/containers/image/transports"
+	"github.com/containers/image/transports/alltransports"
 	"github.com/urfave/cli"
 )

@@ -13,7 +15,7 @@ func deleteHandler(context *cli.Context) error {
 		return errors.New("Usage: delete imageReference")
 	}

-	ref, err := transports.ParseImageName(context.Args()[0])
+	ref, err := alltransports.ParseImageName(context.Args()[0])
 	if err != nil {
 		return fmt.Errorf("Invalid source name %s: %v", context.Args()[0], err)
 	}
@@ -22,15 +24,20 @@ func deleteHandler(context *cli.Context) error {
 	if err != nil {
 		return err
 	}
-	if err := ref.DeleteImage(ctx); err != nil {
-		return err
-	}
-	return nil
+	return ref.DeleteImage(ctx)
 }

 var deleteCmd = cli.Command{
-	Name:      "delete",
-	Usage:     "Delete image IMAGE-NAME",
+	Name:  "delete",
+	Usage: "Delete image IMAGE-NAME",
+	Description: fmt.Sprintf(`
+	Delete an "IMAGE_NAME" from a transport
+
+	Supported transports:
+	%s
+
+	See skopeo(1) section "IMAGE NAMES" for the expected format
+	`, strings.Join(transports.ListNames(), ", ")),
 	ArgsUsage: "IMAGE-NAME",
 	Action:    deleteHandler,
 	Flags: []cli.Flag{
@@ -46,7 +53,7 @@ var deleteCmd = cli.Command{
 		},
 		cli.BoolTFlag{
 			Name:  "tls-verify",
-			Usage: "require HTTPS and verify certificates when talking to docker registries (defaults to true)",
+			Usage: "require HTTPS and verify certificates when talking to container registries (defaults to true)",
 		},
 	},
 }
--- a/cmd/skopeo/inspect.go
+++ b/cmd/skopeo/inspect.go
@@ -3,11 +3,15 @@ package main
 import (
 	"encoding/json"
 	"fmt"
+	"strings"
 	"time"

 	"github.com/containers/image/docker"
 	"github.com/containers/image/manifest"
-	"github.com/docker/distribution/digest"
+	"github.com/containers/image/transports"
+	"github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 	"github.com/urfave/cli"
 )

@@ -26,18 +30,26 @@ type inspectOutput struct {
 }

 var inspectCmd = cli.Command{
-	Name:      "inspect",
-	Usage:     "Inspect image IMAGE-NAME",
+	Name:  "inspect",
+	Usage: "Inspect image IMAGE-NAME",
+	Description: fmt.Sprintf(`
+	Return low-level information about "IMAGE-NAME" in a registry/transport
+
+	Supported transports:
+	%s
+
+	See skopeo(1) section "IMAGE NAMES" for the expected format
+	`, strings.Join(transports.ListNames(), ", ")),
 	ArgsUsage: "IMAGE-NAME",
 	Flags: []cli.Flag{
 		cli.StringFlag{
-			Name:  "cert-path",
+			Name:  "cert-dir",
 			Value: "",
 			Usage: "use certificates at `PATH` (*.crt, *.cert, *.key) to connect to the registry",
 		},
 		cli.BoolTFlag{
 			Name:  "tls-verify",
-			Usage: "require HTTPS and verify certificates when talking to docker registries (defaults to true)",
+			Usage: "require HTTPS and verify certificates when talking to container registries (defaults to true)",
 		},
 		cli.BoolFlag{
 			Name:  "raw",
@@ -49,12 +61,17 @@ var inspectCmd = cli.Command{
 			Usage: "Use `USERNAME[:PASSWORD]` for accessing the registry",
 		},
 	},
-	Action: func(c *cli.Context) error {
+	Action: func(c *cli.Context) (retErr error) {
 		img, err := parseImage(c)
 		if err != nil {
 			return err
 		}
-		defer img.Close()
+
+		defer func() {
+			if err := img.Close(); err != nil {
+				retErr = errors.Wrapf(retErr, fmt.Sprintf("(could not close image: %v) ", err))
+			}
+		}()

 		rawManifest, _, err := img.Manifest()
 		if err != nil {
@@ -91,7 +108,13 @@ var inspectCmd = cli.Command{
 			outputData.Name = dockerImg.SourceRefFullName()
 			outputData.RepoTags, err = dockerImg.GetRepositoryTags()
 			if err != nil {
-				return fmt.Errorf("Error determining repository tags: %v", err)
+				// some registries may decide to block the "list all tags" endpoint
+				// gracefully allow the inspect to continue in this case. Currently
+				// the IBM Bluemix container registry has this restriction.
+				if !strings.Contains(err.Error(), "401") {
+					return fmt.Errorf("Error determining repository tags: %v", err)
+				}
+				logrus.Warnf("Registry disallows tag list retrieval; skipping")
 			}
 		}
 		out, err := json.MarshalIndent(outputData, "", "    ")
--- a/cmd/skopeo/layers.go
+++ b/cmd/skopeo/layers.go
@@ -1,7 +1,6 @@
 package main

 import (
-	"errors"
 	"fmt"
 	"io/ioutil"
 	"os"
@@ -9,9 +8,9 @@ import (

 	"github.com/containers/image/directory"
 	"github.com/containers/image/image"
-	"github.com/containers/image/manifest"
 	"github.com/containers/image/types"
-	"github.com/docker/distribution/digest"
+	"github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
 	"github.com/urfave/cli"
 )

@@ -20,33 +19,35 @@ var layersCmd = cli.Command{
 	Usage:     "Get layers of IMAGE-NAME",
 	ArgsUsage: "IMAGE-NAME [LAYER...]",
 	Hidden:    true,
-	Action: func(c *cli.Context) error {
+	Action: func(c *cli.Context) (retErr error) {
 		fmt.Fprintln(os.Stderr, `DEPRECATED: skopeo layers is deprecated in favor of skopeo copy`)
 		if c.NArg() == 0 {
 			return errors.New("Usage: layers imageReference [layer...]")
 		}
-		rawSource, err := parseImageSource(c, c.Args()[0], []string{
-			// TODO: skopeo layers only supports these now
-			// eventually we'll remove this command altogether...
-			manifest.DockerV2Schema1SignedMediaType,
-			manifest.DockerV2Schema1MediaType,
-		})
+		rawSource, err := parseImageSource(c, c.Args()[0])
 		if err != nil {
 			return err
 		}
 		src, err := image.FromSource(rawSource)
 		if err != nil {
-			rawSource.Close()
+			if closeErr := rawSource.Close(); closeErr != nil {
+				return errors.Wrapf(err, " (close error: %v)", closeErr)
+			}
+
 			return err
 		}
-		defer src.Close()
+		defer func() {
+			if err := src.Close(); err != nil {
+				retErr = errors.Wrapf(retErr, " (close error: %v)", err)
+			}
+		}()

 		var blobDigests []digest.Digest
 		for _, dString := range c.Args().Tail() {
 			if !strings.HasPrefix(dString, "sha256:") {
 				dString = "sha256:" + dString
 			}
-			d, err := digest.ParseDigest(dString)
+			d, err := digest.Parse(dString)
 			if err != nil {
 				return err
 			}
@@ -80,7 +81,12 @@ var layersCmd = cli.Command{
 		if err != nil {
 			return err
 		}
-		defer dest.Close()
+
+		defer func() {
+			if err := dest.Close(); err != nil {
+				retErr = errors.Wrapf(retErr, " (close error: %v)", err)
+			}
+		}()

 		for _, digest := range blobDigests {
 			r, blobSize, err := rawSource.GetBlob(types.BlobInfo{Digest: digest, Size: -1})
@@ -88,10 +94,11 @@ var layersCmd = cli.Command{
 				return err
 			}
 			if _, err := dest.PutBlob(r, types.BlobInfo{Digest: digest, Size: blobSize}); err != nil {
-				r.Close()
+				if closeErr := r.Close(); closeErr != nil {
+					return errors.Wrapf(err, " (close error: %v)", closeErr)
+				}
 				return err
 			}
-			r.Close()
 		}

 		manifest, _, err := src.Manifest()
@@ -102,10 +109,6 @@ var layersCmd = cli.Command{
 			return err
 		}

-		if err := dest.Commit(); err != nil {
-			return err
-		}
-
-		return nil
+		return dest.Commit()
 	},
 }
--- a/cmd/skopeo/main.go
+++ b/cmd/skopeo/main.go
@@ -4,9 +4,10 @@ import (
 	"fmt"
 	"os"

-	"github.com/Sirupsen/logrus"
 	"github.com/containers/image/signature"
+	"github.com/containers/storage/pkg/reexec"
 	"github.com/projectatomic/skopeo/version"
+	"github.com/sirupsen/logrus"
 	"github.com/urfave/cli"
 )

@@ -32,7 +33,7 @@ func createApp() *cli.App {
 		},
 		cli.BoolTFlag{
 			Name:   "tls-verify",
-			Usage:  "require HTTPS and verify certificates when talking to docker registries (defaults to true)",
+			Usage:  "require HTTPS and verify certificates when talking to container registries (defaults to true)",
 			Hidden: true,
 		},
 		cli.StringFlag{
@@ -40,10 +41,14 @@ func createApp() *cli.App {
 			Value: "",
 			Usage: "Path to a trust policy file",
 		},
+		cli.BoolFlag{
+			Name:  "insecure-policy",
+			Usage: "run the tool without any policy check",
+		},
 		cli.StringFlag{
 			Name:  "registries.d",
 			Value: "",
-			Usage: "use registry configuration files in `DIR` (e.g. for docker signature storage)",
+			Usage: "use registry configuration files in `DIR` (e.g. for container signature storage)",
 		},
 	}
 	app.Before = func(c *cli.Context) error {
@@ -63,11 +68,15 @@ func createApp() *cli.App {
 		manifestDigestCmd,
 		standaloneSignCmd,
 		standaloneVerifyCmd,
+		untrustedSignatureDumpCmd,
 	}
 	return app
 }

 func main() {
+	if reexec.Init() {
+		return
+	}
 	app := createApp()
 	if err := app.Run(os.Args); err != nil {
 		logrus.Fatal(err)
@@ -79,7 +88,9 @@ func getPolicyContext(c *cli.Context) (*signature.PolicyContext, error) {
 	policyPath := c.GlobalString("policy")
 	var policy *signature.Policy // This could be cached across calls, if we had an application context.
 	var err error
-	if policyPath == "" {
+	if c.GlobalBool("insecure-policy") {
+		policy = &signature.Policy{Default: []signature.PolicyRequirement{signature.NewPRInsecureAcceptAnything()}}
+	} else if policyPath == "" {
 		policy, err = signature.DefaultPolicy(nil)
 	} else {
 		policy, err = signature.NewPolicyFromFile(policyPath)
--- a/cmd/skopeo/signing.go
+++ b/cmd/skopeo/signing.go
@@ -1,6 +1,7 @@
 package main

 import (
+	"encoding/json"
 	"errors"
 	"fmt"
 	"io/ioutil"
@@ -27,6 +28,7 @@ func standaloneSign(context *cli.Context) error {
 	if err != nil {
 		return fmt.Errorf("Error initializing GPG: %v", err)
 	}
+	defer mech.Close()
 	signature, err := signature.SignDockerManifest(manifest, dockerReference, mech, fingerprint)
 	if err != nil {
 		return fmt.Errorf("Error creating signature: %v", err)
@@ -73,6 +75,7 @@ func standaloneVerify(context *cli.Context) error {
 	if err != nil {
 		return fmt.Errorf("Error initializing GPG: %v", err)
 	}
+	defer mech.Close()
 	sig, err := signature.VerifyDockerManifestSignature(unverifiedSignature, unverifiedManifest, expectedDockerReference, mech, expectedFingerprint)
 	if err != nil {
 		return fmt.Errorf("Error verifying signature: %v", err)
@@ -88,3 +91,40 @@ var standaloneVerifyCmd = cli.Command{
 	ArgsUsage: "MANIFEST DOCKER-REFERENCE KEY-FINGERPRINT SIGNATURE",
 	Action:    standaloneVerify,
 }
+
+func untrustedSignatureDump(context *cli.Context) error {
+	if len(context.Args()) != 1 {
+		return errors.New("Usage: skopeo untrusted-signature-dump-without-verification signature")
+	}
+	untrustedSignaturePath := context.Args()[0]
+
+	untrustedSignature, err := ioutil.ReadFile(untrustedSignaturePath)
+	if err != nil {
+		return fmt.Errorf("Error reading untrusted signature from %s: %v", untrustedSignaturePath, err)
+	}
+
+	untrustedInfo, err := signature.GetUntrustedSignatureInformationWithoutVerifying(untrustedSignature)
+	if err != nil {
+		return fmt.Errorf("Error decoding untrusted signature: %v", err)
+	}
+	untrustedOut, err := json.MarshalIndent(untrustedInfo, "", "    ")
+	if err != nil {
+		return err
+	}
+	fmt.Fprintln(context.App.Writer, string(untrustedOut))
+	return nil
+}
+
+// WARNING: Do not use the contents of this for ANY security decisions,
+// and be VERY CAREFUL about showing this information to humans in any way which suggest that these values “are probably” reliable.
+// There is NO REASON to expect the values to be correct, or not intentionally misleading
+// (including things like “✅ Verified by $authority”)
+//
+// The subcommand is undocumented, and it may be renamed or entirely disappear in the future.
+var untrustedSignatureDumpCmd = cli.Command{
+	Name:      "untrusted-signature-dump-without-verification",
+	Usage:     "Dump contents of a signature WITHOUT VERIFYING IT",
+	ArgsUsage: "SIGNATURE",
+	Hidden:    true,
+	Action:    untrustedSignatureDump,
+}
--- a/cmd/skopeo/signing_test.go
+++ b/cmd/skopeo/signing_test.go
@@ -1,12 +1,14 @@
 package main

 import (
+	"encoding/json"
 	"io/ioutil"
 	"os"
 	"testing"
+	"time"

 	"github.com/containers/image/signature"
-	"github.com/docker/distribution/digest"
+	"github.com/opencontainers/go-digest"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -16,6 +18,8 @@ const (
 	fixturesTestImageManifestDigest = digest.Digest("sha256:20bf21ed457b390829cdbeec8795a7bea1626991fda603e0d01b4e7f60427e55")
 	// fixturesTestKeyFingerprint is the fingerprint of the private key.
 	fixturesTestKeyFingerprint = "1D8230F6CDB6A06716E414C1DB72F2188BB46CC8"
+	// fixturesTestKeyFingerprint is the key ID of the private key.
+	fixturesTestKeyShortID = "DB72F2188BB46CC8"
 )

 // Test that results of runSkopeo failed with nothing on stdout, and substring
@@ -27,6 +31,13 @@ func assertTestFailed(t *testing.T, stdout string, err error, substring string)
 }

 func TestStandaloneSign(t *testing.T) {
+	mech, _, err := signature.NewEphemeralGPGSigningMechanism([]byte{})
+	require.NoError(t, err)
+	defer mech.Close()
+	if err := mech.SupportsSigning(); err != nil {
+		t.Skipf("Signing not supported: %v", err)
+	}
+
 	manifestPath := "fixtures/image.manifest.json"
 	dockerReference := "testing/manifest"
 	os.Setenv("GNUPGHOME", "fixtures")
@@ -55,7 +66,7 @@ func TestStandaloneSign(t *testing.T) {
 		manifestPath, "" /* empty reference */, fixturesTestKeyFingerprint)
 	assertTestFailed(t, out, err, "empty signature content")

-	// Unknown key. (FIXME? The error is 'Error creating signature: End of file")
+	// Unknown key.
 	out, err = runSkopeo("standalone-sign", "-o", "/dev/null",
 		manifestPath, dockerReference, "UNKNOWN GPG FINGERPRINT")
 	assert.Error(t, err)
@@ -72,17 +83,18 @@ func TestStandaloneSign(t *testing.T) {
 	defer os.Remove(sigOutput.Name())
 	out, err = runSkopeo("standalone-sign", "-o", sigOutput.Name(),
 		manifestPath, dockerReference, fixturesTestKeyFingerprint)
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	assert.Empty(t, out)

 	sig, err := ioutil.ReadFile(sigOutput.Name())
 	require.NoError(t, err)
 	manifest, err := ioutil.ReadFile(manifestPath)
 	require.NoError(t, err)
-	mech, err := signature.NewGPGSigningMechanism()
+	mech, err = signature.NewGPGSigningMechanism()
 	require.NoError(t, err)
+	defer mech.Close()
 	verified, err := signature.VerifyDockerManifestSignature(sig, manifest, dockerReference, mech, fixturesTestKeyFingerprint)
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	assert.Equal(t, dockerReference, verified.DockerReference)
 	assert.Equal(t, fixturesTestImageManifestDigest, verified.DockerManifestDigest)
 }
@@ -125,3 +137,42 @@ func TestStandaloneVerify(t *testing.T) {
 	assert.NoError(t, err)
 	assert.Equal(t, "Signature verified, digest "+fixturesTestImageManifestDigest.String()+"\n", out)
 }
+
+func TestUntrustedSignatureDump(t *testing.T) {
+	// Invalid command-line arguments
+	for _, args := range [][]string{
+		{},
+		{"a1", "a2"},
+		{"a1", "a2", "a3", "a4"},
+	} {
+		out, err := runSkopeo(append([]string{"untrusted-signature-dump-without-verification"}, args...)...)
+		assertTestFailed(t, out, err, "Usage")
+	}
+
+	// Error reading manifest
+	out, err := runSkopeo("untrusted-signature-dump-without-verification",
+		"/this/doesnt/exist")
+	assertTestFailed(t, out, err, "/this/doesnt/exist")
+
+	// Error reading signature (input is not a signature)
+	out, err = runSkopeo("untrusted-signature-dump-without-verification", "fixtures/image.manifest.json")
+	assertTestFailed(t, out, err, "Error decoding untrusted signature")
+
+	// Success
+	for _, path := range []string{"fixtures/image.signature", "fixtures/corrupt.signature"} {
+		// Success
+		out, err = runSkopeo("untrusted-signature-dump-without-verification", path)
+		require.NoError(t, err)
+
+		var info signature.UntrustedSignatureInformation
+		err := json.Unmarshal([]byte(out), &info)
+		require.NoError(t, err)
+		assert.Equal(t, fixturesTestImageManifestDigest, info.UntrustedDockerManifestDigest)
+		assert.Equal(t, "testing/manifest", info.UntrustedDockerReference)
+		assert.NotNil(t, info.UntrustedCreatorID)
+		assert.Equal(t, "atomic ", *info.UntrustedCreatorID)
+		assert.NotNil(t, info.UntrustedTimestamp)
+		assert.True(t, time.Unix(1458239713, 0).Equal(*info.UntrustedTimestamp))
+		assert.Equal(t, fixturesTestKeyShortID, info.UntrustedShortKeyIdentifier)
+	}
+}
--- a/cmd/skopeo/utils.go
+++ b/cmd/skopeo/utils.go
@@ -4,7 +4,7 @@ import (
 	"errors"
 	"strings"

-	"github.com/containers/image/transports"
+	"github.com/containers/image/transports/alltransports"
 	"github.com/containers/image/types"
 	"github.com/urfave/cli"
 )
@@ -16,6 +16,8 @@ func contextFromGlobalOptions(c *cli.Context, flagPrefix string) (*types.SystemC
 		// DEPRECATED: keep this here for backward compatibility, but override
 		// them if per subcommand flags are provided (see below).
 		DockerInsecureSkipTLSVerify: !c.GlobalBoolT("tls-verify"),
+		OSTreeTmpDirPath:            c.String(flagPrefix + "ostree-tmp-dir"),
+		OCISharedBlobDirPath:        c.String(flagPrefix + "shared-blob-dir"),
 	}
 	if c.IsSet(flagPrefix + "tls-verify") {
 		ctx.DockerInsecureSkipTLSVerify = !c.BoolT(flagPrefix + "tls-verify")
@@ -59,7 +61,7 @@ func getDockerAuth(creds string) (*types.DockerAuthConfig, error) {
 // The caller must call .Close() on the returned Image.
 func parseImage(c *cli.Context) (types.Image, error) {
 	imgName := c.Args().First()
-	ref, err := transports.ParseImageName(imgName)
+	ref, err := alltransports.ParseImageName(imgName)
 	if err != nil {
 		return nil, err
 	}
@@ -71,10 +73,9 @@ func parseImage(c *cli.Context) (types.Image, error) {
 }

 // parseImageSource converts image URL-like string to an ImageSource.
-// requestedManifestMIMETypes is as in types.ImageReference.NewImageSource.
 // The caller must call .Close() on the returned ImageSource.
-func parseImageSource(c *cli.Context, name string, requestedManifestMIMETypes []string) (types.ImageSource, error) {
-	ref, err := transports.ParseImageName(name)
+func parseImageSource(c *cli.Context, name string) (types.ImageSource, error) {
+	ref, err := alltransports.ParseImageName(name)
 	if err != nil {
 		return nil, err
 	}
@@ -82,5 +83,5 @@ func parseImageSource(c *cli.Context, name string, requestedManifestMIMETypes []
 	if err != nil {
 		return nil, err
 	}
-	return ref.NewImageSource(ctx, requestedManifestMIMETypes)
+	return ref.NewImageSource(ctx)
 }
--- a/completions/bash/skopeo
+++ b/completions/bash/skopeo
@@ -23,10 +23,11 @@ _skopeo_copy() {
     local options_with_args="
 	--sign-by
 	--src-creds --screds
-	--src-cert-path
+	--src-cert-dir
 	--src-tls-verify
 	--dest-creds --dcreds
-	--dest-cert-path
+	--dest-cert-dir
+	--dest-ostree-tmp-dir
 	--dest-tls-verify
     "
     local boolean_options="
@@ -38,7 +39,7 @@ _skopeo_copy() {
 _skopeo_inspect() {
     local options_with_args="
 	--creds
-	--cert-path
+	--cert-dir
     "
     local boolean_options="
 	--raw
@@ -75,7 +76,7 @@ _skopeo_manifest_digest() {
 _skopeo_delete() {
     local options_with_args="
 	   --creds
-	   --cert-path
+	   --cert-dir
     "
     local boolean_options="
 	   --tls-verify
@@ -86,7 +87,7 @@ _skopeo_delete() {
 _skopeo_layers() {
     local options_with_args="
 	   --creds
-	   --cert-path
+	   --cert-dir
     "
     local boolean_options="
 	   --tls-verify
@@ -100,6 +101,7 @@ _skopeo_skopeo() {
 	   --registries.d
     "
     local boolean_options="
+	   --insecure-policy
 	   --debug
 	   --version -v
 	   --help -h
--- a/docs/skopeo.1.md
+++ b/docs/skopeo.1.md
@@ -2,36 +2,36 @@
 % Jhon Honce
 % August 2016
 # NAME
-skopeo -- Various operations with container images images and container image registries
+skopeo -- Various operations with container images and container image registries
 # SYNOPSIS
 **skopeo** [_global options_] _command_ [_command options_]
 # DESCRIPTION
-`skopeo` is a command line utility providing various operations with container images and container image registries. For example, it is able to inspect a repository on a Docker registry and fetch image. It fetches the repository's manifest and it is able to show you a `docker inspect`-like json output about a whole repository or a tag. This tool, in contrast to `docker inspect`, helps you gather useful information about a repository or a tag without requiring you to run `docker pull` - e.g. - which tags are available for the given repository? which labels the image has?
+`skopeo` is a command line utility providing various operations with container images and container image registries. For example, it is able to inspect a repository on a container registry and fetch image. It fetches the repository's manifest and it is able to show you a `docker inspect`-like json output about a whole repository or a tag. This tool, in contrast to `docker inspect`, helps you gather useful information about a repository or a tag without requiring you to run `docker pull` - e.g. - which tags are available for the given repository? which labels the image has?

 It also allows you to copy container images between various registries, possibly converting them as necessary, and to sign and verify images.
 ## IMAGE NAMES
 Most commands refer to container images, using a _transport_`:`_details_ format. The following formats are supported:

-  **atomic:**_namespace_**/**_stream_**:**_tag_
-  An image in the current project of the current default Atomic
-  Registry. The current project and Atomic Registry instance are by
-  default read from `$HOME/.kube/config`, which is set e.g. using
-  `(oc login)`.
+  **containers-storage:**_docker-reference_
+  An image located in a local containers/storage image store.  Location and image store specified in /etc/containers/storage.conf

  **dir:**_path_
-  An existing local directory _path_ storing the manifest, layer
-  tarballs and signatures as individual files. This is a
-  non-standardized format, primarily useful for debugging or
-  noninvasive container inspection.
+  An existing local directory _path_ storing the manifest, layer tarballs and signatures as individual files. This is a non-standardized format, primarily useful for debugging or noninvasive container inspection.

  **docker://**_docker-reference_
-  An image in a registry implementing the "Docker Registry HTTP API V2".
-  By default, uses the authorization state in `$HOME/.docker/config.json`,
-  which is set e.g. using `(docker login)`.
+  An image in a registry implementing the "Docker Registry HTTP API V2". By default, uses the authorization state in `$HOME/.docker/config.json`, which is set e.g. using `(docker login)`.
+
+  **docker-archive:**_path_[**:**_docker-reference_]
+  An image is stored in the `docker save` formated file.  _docker-reference_ is only used when creating such a file, and it must not contain a digest.
+
+  **docker-daemon:**_docker-reference_
+  An image _docker-reference_ stored in the docker daemon internal storage.  _docker-reference_ must contain either a tag or a digest.  Alternatively, when reading images, the format can also be docker-daemon:algo:digest (an image ID).

  **oci:**_path_**:**_tag_
-  An image _tag_ in a directory compliant with "Open Container Image
-  Layout Specification" at _path_.
+  An image _tag_ in a directory compliant with "Open Container Image Layout Specification" at _path_.
+
+  **ostree:**_image_[**@**_/absolute/repo/path_]
+  An image in local OSTree repository.  _/absolute/repo/path_ defaults to _/ostree/repo_.

 # OPTIONS

@@ -39,7 +39,9 @@ Most commands refer to container images, using a _transport_`:`_details_ format.

  **--policy** _path-to-policy_ Path to a policy.json file to use for verifying signatures and deciding whether an image is trusted, overriding the default trust policy file.

-  **--registries.d** _dir_ use registry configuration files in _dir_ (e.g. for docker signature storage), overriding the default path.
+  **--insecure-policy** Adopt an insecure, permissive policy that allows anything. This obviates the need for a policy file.
+
+  **--registries.d** _dir_ use registry configuration files in _dir_ (e.g. for container signature storage), overriding the default path.

  **--help**|**-h** Show help

@@ -68,18 +70,20 @@ Uses the system's trust policy to validate images, rejects images not trusted by

  **--src-cert-dir** _path_ Use certificates at _path_ (*.crt, *.cert, *.key) to connect to the source registry

-  **--src-tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to docker source registry (defaults to true)
+  **--src-tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to container source registry (defaults to true)

  **--dest-cert-dir** _path_ Use certificates at _path_ (*.crt, *.cert, *.key) to connect to the destination registry

-  **--dest-tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to docker destination registry (defaults to true)
+  **--dest-ostree-tmp-dir** _path_ Directory to use for OSTree temporary files.
+
+  **--dest-tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to container destination registry (defaults to true)

 Existing signatures, if any, are preserved as well.

 ## skopeo delete
 **skopeo delete** _image-name_

-Mark _image-name_ for deletion.  To release the allocated disk space, you need to execute the docker registry garabage collector. E.g.,
+Mark _image-name_ for deletion.  To release the allocated disk space, you need to execute the container registry garabage collector. E.g.,

 ```sh
 $ docker exec -it registry bin/registry garbage-collect /etc/docker/registry/config.yml
@@ -89,7 +93,7 @@ $ docker exec -it registry bin/registry garbage-collect /etc/docker/registry/con

  **--cert-dir** _path_ Use certificates at _path_ (*.crt, *.cert, *.key) to connect to the registry

-  **--tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to docker registries (defaults to true)
+  **--tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to container registries (defaults to true)

 Additionally, the registry must allow deletions by setting `REGISTRY_STORAGE_DELETE_ENABLED=true` for the registry daemon.

@@ -106,7 +110,7 @@ Return low-level information about _image-name_ in a registry

  **--cert-dir** _path_ Use certificates at _path_ (*.crt, *.cert, *.key) to connect to the registry

-  **--tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to docker registries (defaults to true)
+  **--tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to container registries (defaults to true)

 ## skopeo manifest-digest
 **skopeo manifest-digest** _manifest-file_
--- a/hack/.vendor-helpers.sh
+++ b/hack/.vendor-helpers.sh
@@ -1,115 +0,0 @@
-#!/usr/bin/env bash
-
-PROJECT=github.com/projectatomic/skopeo
-
-# Downloads dependencies into vendor/ directory
-mkdir -p vendor
-
-original_GOPATH=$GOPATH
-export GOPATH="${PWD}/vendor:$GOPATH"
-
-find="/usr/bin/find"
-
-clone() {
-	local delete_vendor=true
-	if [ "x$1" = x--keep-vendor ]; then
-		delete_vendor=false
-		shift
-	fi
-
-	local vcs="$1"
-	local pkg="$2"
-	local rev="$3"
-	local url="$4"
-
-	: ${url:=https://$pkg}
-	local target="vendor/src/$pkg"
-
-	echo -n "$pkg @ $rev: "
-
-	if [ -d "$target" ]; then
-		echo -n 'rm old, '
-		rm -rf "$target"
-	fi
-
-	echo -n 'clone, '
-	case "$vcs" in
-		git)
-			git clone --quiet --no-checkout "$url" "$target"
-			( cd "$target" && git checkout --quiet "$rev" && git reset --quiet --hard "$rev" -- )
-			;;
-		hg)
-			hg clone --quiet --updaterev "$rev" "$url" "$target"
-			;;
-	esac
-
-	echo -n 'rm VCS, '
-	( cd "$target" && rm -rf .{git,hg} )
-
-	if $delete_vendor; then
-		echo -n 'rm vendor, '
-		( cd "$target" && rm -rf vendor Godeps/_workspace )
-	fi
-
-	echo done
-}
-
-clean() {
-	# If $GOPATH starts with ./vendor, (go list) shows the short-form import paths for packages inside ./vendor.
-	# So, reset GOPATH to the external value (without ./vendor), so that the grep -v works.
-	local packages=($(GOPATH=$original_GOPATH go list -e ./... | grep -v "^${PROJECT}/vendor"))
-	local platforms=( linux/amd64 linux/386 )
-
-	local buildTags=(  )
-
-	echo
-
-	echo -n 'collecting import graph, '
-	local IFS=$'\n'
-	local imports=( $(
-		for platform in "${platforms[@]}"; do
-			export GOOS="${platform%/*}";
-			export GOARCH="${platform##*/}";
-			go list -e -tags "$buildTags" -f '{{join .Deps "\n"}}' "${packages[@]}"
-			go list -e -tags "$buildTags" -f '{{join .TestImports "\n"}}' "${packages[@]}"
-		done | grep -vE "^${PROJECT}" | sort -u
-	) )
-	# .TestImports does not include indirect dependencies, so do one more iteration.
-	imports+=( $(
-		go list -e -f '{{join .Deps "\n"}}' "${imports[@]}" | grep -vE "^${PROJECT}" | sort -u
-	) )
-	imports=( $(go list -e -f '{{if not .Standard}}{{.ImportPath}}{{end}}' "${imports[@]}") )
-	unset IFS
-
-	echo -n 'pruning unused packages, '
-	findArgs=(
-		# This directory contains only .c and .h files which are necessary
-		# -path vendor/src/github.com/mattn/go-sqlite3/code
-	)
-	for import in "${imports[@]}"; do
-		[ "${#findArgs[@]}" -eq 0 ] || findArgs+=( -or )
-		findArgs+=( -path "vendor/src/$import" )
-	done
-	local IFS=$'\n'
-	local prune=( $($find vendor -depth -type d -not '(' "${findArgs[@]}" ')') )
-	unset IFS
-	for dir in "${prune[@]}"; do
-		$find "$dir" -maxdepth 1 -not -type d -not -name 'LICENSE*' -not -name 'COPYING*' -exec rm -v -f '{}' ';'
-		rmdir "$dir" 2>/dev/null || true
-	done
-
-	echo -n 'pruning unused files, '
-	$find vendor -type f -name '*_test.go' -exec rm -v '{}' ';'
-
-	echo done
-}
-
-# Fix up hard-coded imports that refer to Godeps paths so they'll work with our vendoring
-fix_rewritten_imports () {
-       local pkg="$1"
-       local remove="${pkg}/Godeps/_workspace/src/"
-       local target="vendor/src/$pkg"
-
-       echo "$pkg: fixing rewritten imports"
-       $find "$target" -name \*.go -exec sed -i -e "s|\"${remove}|\"|g" {} \;
-}
--- a/hack/btrfs_tag.sh
+++ b/hack/btrfs_tag.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+cc -E - > /dev/null 2> /dev/null << EOF
+#include <btrfs/version.h>
+EOF
+if test $? -ne 0 ; then
+	echo btrfs_noversion
+fi
--- a/hack/libdm_tag.sh
+++ b/hack/libdm_tag.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+tmpdir="$PWD/tmp.$RANDOM"
+mkdir -p "$tmpdir"
+trap 'rm -fr "$tmpdir"' EXIT
+cc -c -o "$tmpdir"/libdm_tag.o -x c - > /dev/null 2> /dev/null << EOF
+#include <libdevmapper.h>
+int main() {
+	struct dm_task *task;
+	return 0;
+}
+EOF
+if test $? -ne 0 ; then
+	echo libdm_no_deferred_remove
+fi
--- a/hack/make.sh
+++ b/hack/make.sh
@@ -72,10 +72,10 @@ TESTFLAGS+=" -test.timeout=10m"
 go_test_dir() {
 	dir=$1
 	(
-		echo '+ go test' $TESTFLAGS "${SKOPEO_PKG}${dir#.}"
+		echo '+ go test' $TESTFLAGS ${BUILDTAGS:+-tags "$BUILDTAGS"} "${SKOPEO_PKG}${dir#.}"
 		cd "$dir"
 		export DEST="$ABS_DEST" # we're in a subshell, so this is safe -- our integration-cli tests need DEST, and "cd" screws it up
-		go test $TESTFLAGS
+		go test $TESTFLAGS ${BUILDTAGS:+-tags "$BUILDTAGS"}
 	)
 }

--- a/hack/make/test-integration
+++ b/hack/make/test-integration
@@ -8,7 +8,7 @@ bundle_test_integration() {

 # subshell so that we can export PATH without breaking other things
 (
-	make binary-local
+	make binary-local ${BUILDTAGS:+BUILDTAGS="$BUILDTAGS"}
 	make install
 	export GO15VENDOREXPERIMENT=1
 	bundle_test_integration
--- a/hack/travis_osx.sh
+++ b/hack/travis_osx.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+set -e
+
+export GOPATH=$(pwd)/_gopath
+export PATH=$GOPATH/bin:$PATH
+
+_projectatomic="${GOPATH}/src/github.com/projectatomic"
+mkdir -vp ${_projectatomic}
+ln -vsf $(pwd) ${_projectatomic}/skopeo
+
+go get -u github.com/cpuguy83/go-md2man github.com/golang/lint/golint
+
+cd ${_projectatomic}/skopeo
+make validate-local test-unit-local binary-local
+sudo make install
+skopeo -v
--- a/hack/vendor.sh
+++ b/hack/vendor.sh
@@ -1,40 +1,15 @@
-#!/usr/bin/env bash
+#!/bin/bash
+
+# This file is just wrapper around vndr (github.com/LK4D4/vndr) tool.
+# For updating dependencies you should change `vendor.conf` file in root of the
+# project. Please refer to https://github.com/LK4D4/vndr/blob/master/README.md for
+# vndr usage.
+
 set -e

-cd "$(dirname "$BASH_SOURCE")/.."
-rm -rf vendor/
-source 'hack/.vendor-helpers.sh'
+if ! hash vndr; then
+	echo "Please install vndr with \"go get github.com/LK4D4/vndr\" and put it in your \$GOPATH"
+	exit 1
+fi

-clone git github.com/urfave/cli v1.17.0
-clone git github.com/containers/image master
-clone git gopkg.in/cheggaaa/pb.v1 ad4efe000aa550bb54918c06ebbadc0ff17687b9 https://github.com/cheggaaa/pb
-clone git github.com/Sirupsen/logrus v0.10.0
-clone git github.com/go-check/check v1
-clone git github.com/stretchr/testify v1.1.3
-clone git github.com/davecgh/go-spew master
-clone git github.com/pmezard/go-difflib master
-# docker deps from https://github.com/docker/docker/blob/v1.11.2/hack/vendor.sh
-clone git github.com/docker/docker v1.12.1
-clone git github.com/docker/engine-api 4eca04ae18f4f93f40196a17b9aa6e11262a7269
-clone git github.com/docker/go-connections 4ccf312bf1d35e5dbda654e57a9be4c3f3cd0366
-clone git github.com/vbatts/tar-split v0.9.11
-clone git github.com/gorilla/context 14f550f51a
-clone git github.com/gorilla/mux e444e69cbd
-clone git github.com/docker/go-units 651fc226e7441360384da338d0fd37f2440ffbe3
-clone git golang.org/x/net master https://github.com/golang/net.git
-# end docker deps
-clone git github.com/docker/distribution 07f32ac1831ed0fc71960b7da5d6bb83cb6881b5
-clone git github.com/docker/libtrust master
-clone git github.com/opencontainers/runc master
-clone git github.com/opencontainers/image-spec 7dc1ee39c59c6949612c6fdf502a4727750cb063
-clone git github.com/mtrmac/gpgme master
-# openshift/origin' k8s dependencies as of OpenShift v1.1.5
-clone git github.com/golang/glog 44145f04b68cf362d9c4df2182967c2275eaefed
-clone git k8s.io/kubernetes 4a3f9c5b19c7ff804cbc1bf37a15c044ca5d2353 https://github.com/openshift/kubernetes
-clone git github.com/ghodss/yaml 73d445a93680fa1a78ae23a5839bad48f32ba1ee
-clone git gopkg.in/yaml.v2 d466437aa4adc35830964cffc5b5f262c63ddcb4
-clone git github.com/imdario/mergo 6633656539c1639d9d78127b7d47c622b5d7b6dc
-
-clean
-
-mv vendor/src/* vendor/
+vndr "$@"
--- a/integration/check_test.go
+++ b/integration/check_test.go
@@ -12,9 +12,6 @@ import (
 const (
 	privateRegistryURL0 = "127.0.0.1:5000"
 	privateRegistryURL1 = "127.0.0.1:5001"
-	privateRegistryURL2 = "127.0.0.1:5002"
-	privateRegistryURL3 = "127.0.0.1:5003"
-	privateRegistryURL4 = "127.0.0.1:5004"
 )

 func Test(t *testing.T) {
@@ -26,15 +23,13 @@ func init() {
 }

 type SkopeoSuite struct {
-	regV1         *testRegistryV1
 	regV2         *testRegistryV2
-	regV2Shema1   *testRegistryV2
-	regV1WithAuth *testRegistryV1 // does v1 support auth?
 	regV2WithAuth *testRegistryV2
 }

 func (s *SkopeoSuite) SetUpSuite(c *check.C) {
-
+	_, err := exec.LookPath(skopeoBinary)
+	c.Assert(err, check.IsNil)
 }

 func (s *SkopeoSuite) TearDownSuite(c *check.C) {
@@ -42,24 +37,14 @@ func (s *SkopeoSuite) TearDownSuite(c *check.C) {
 }

 func (s *SkopeoSuite) SetUpTest(c *check.C) {
-	_, err := exec.LookPath(skopeoBinary)
-	c.Assert(err, check.IsNil)
-
-	s.regV1 = setupRegistryV1At(c, privateRegistryURL0, false) // TODO:(runcom)
-	s.regV2 = setupRegistryV2At(c, privateRegistryURL1, false, false)
-	s.regV2Shema1 = setupRegistryV2At(c, privateRegistryURL2, false, true)
-	s.regV1WithAuth = setupRegistryV1At(c, privateRegistryURL3, true) // not used
-	s.regV2WithAuth = setupRegistryV2At(c, privateRegistryURL4, true, false)
+	s.regV2 = setupRegistryV2At(c, privateRegistryURL0, false, false)
+	s.regV2WithAuth = setupRegistryV2At(c, privateRegistryURL1, true, false)
 }

 func (s *SkopeoSuite) TearDownTest(c *check.C) {
-	// not checking V1 registries now...
 	if s.regV2 != nil {
 		s.regV2.Close()
 	}
-	if s.regV2Shema1 != nil {
-		s.regV2Shema1.Close()
-	}
 	if s.regV2WithAuth != nil {
 		//cmd := exec.Command("docker", "logout", s.regV2WithAuth)
 		//c.Assert(cmd.Run(), check.IsNil)
@@ -85,6 +70,13 @@ func (s *SkopeoSuite) TestNeedAuthToPrivateRegistryV2WithoutDockerCfg(c *check.C
 	assertSkopeoFails(c, wanted, "--tls-verify=false", "inspect", fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url))
 }

+func (s *SkopeoSuite) TestCertDirInsteadOfCertPath(c *check.C) {
+	wanted := ".*flag provided but not defined: -cert-path.*"
+	assertSkopeoFails(c, wanted, "--tls-verify=false", "inspect", fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url), "--cert-path=/")
+	wanted = ".*unauthorized: authentication required.*"
+	assertSkopeoFails(c, wanted, "--tls-verify=false", "inspect", fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url), "--cert-dir=/etc/docker/certs.d/")
+}
+
 // TODO(runcom): as soon as we can push to registries ensure you can inspect here
 // not just get image not found :)
 func (s *SkopeoSuite) TestNoNeedAuthToPrivateRegistryV2ImageNotFound(c *check.C) {
--- a/integration/copy_test.go
+++ b/integration/copy_test.go
@@ -1,9 +1,10 @@
 package main

 import (
-	"bytes"
+	"encoding/json"
 	"fmt"
 	"io/ioutil"
+	"log"
 	"net/http"
 	"net/http/httptest"
 	"os"
@@ -11,20 +12,26 @@ import (
 	"strings"

 	"github.com/containers/image/manifest"
-	"github.com/docker/distribution/digest"
+	"github.com/containers/image/signature"
 	"github.com/go-check/check"
+	"github.com/opencontainers/go-digest"
+	"github.com/opencontainers/image-tools/image"
 )

 func init() {
 	check.Suite(&CopySuite{})
 }

-const v2DockerRegistryURL = "localhost:5555" // Update also policy.json
+const (
+	v2DockerRegistryURL   = "localhost:5555" // Update also policy.json
+	v2s1DockerRegistryURL = "localhost:5556"
+)

 type CopySuite struct {
-	cluster  *openshiftCluster
-	registry *testRegistryV2
-	gpgHome  string
+	cluster    *openshiftCluster
+	registry   *testRegistryV2
+	s1Registry *testRegistryV2
+	gpgHome    string
 }

 func (s *CopySuite) SetUpSuite(c *check.C) {
@@ -34,7 +41,7 @@ func (s *CopySuite) SetUpSuite(c *check.C) {

 	s.cluster = startOpenshiftCluster(c) // FIXME: Set up TLS for the docker registry port instead of using "--tls-verify=false" all over the place.

-	for _, stream := range []string{"unsigned", "personal", "official", "naming", "cosigned", "compression"} {
+	for _, stream := range []string{"unsigned", "personal", "official", "naming", "cosigned", "compression", "schema1", "schema2"} {
 		isJSON := fmt.Sprintf(`{
 			"kind": "ImageStream",
 			"apiVersion": "v1",
@@ -46,7 +53,9 @@ func (s *CopySuite) SetUpSuite(c *check.C) {
 		runCommandWithInput(c, isJSON, "oc", "create", "-f", "-")
 	}

-	s.registry = setupRegistryV2At(c, v2DockerRegistryURL, false, false) // FIXME: Set up TLS for the docker registry port instead of using "--tls-verify=false" all over the place.
+	// FIXME: Set up TLS for the docker registry port instead of using "--tls-verify=false" all over the place.
+	s.registry = setupRegistryV2At(c, v2DockerRegistryURL, false, false)
+	s.s1Registry = setupRegistryV2At(c, v2s1DockerRegistryURL, false, true)

 	gpgHome, err := ioutil.TempDir("", "skopeo-gpg")
 	c.Assert(err, check.IsNil)
@@ -72,35 +81,24 @@ func (s *CopySuite) TearDownSuite(c *check.C) {
 	if s.registry != nil {
 		s.registry.Close()
 	}
+	if s.s1Registry != nil {
+		s.s1Registry.Close()
+	}
 	if s.cluster != nil {
-		s.cluster.tearDown()
+		s.cluster.tearDown(c)
 	}
 }

-// fileFromFixtureFixture applies edits to inputPath and returns a path to the temporary file.
-// Callers should defer os.Remove(the_returned_path)
-func fileFromFixture(c *check.C, inputPath string, edits map[string]string) string {
-	contents, err := ioutil.ReadFile(inputPath)
-	c.Assert(err, check.IsNil)
-	for template, value := range edits {
-		contents = bytes.Replace(contents, []byte(template), []byte(value), -1)
-	}
-
-	file, err := ioutil.TempFile("", "policy.json")
-	c.Assert(err, check.IsNil)
-	path := file.Name()
-
-	_, err = file.Write(contents)
-	c.Assert(err, check.IsNil)
-	err = file.Close()
-	c.Assert(err, check.IsNil)
-	return path
-}
-
 func (s *CopySuite) TestCopyFailsWithManifestList(c *check.C) {
+	c.ExpectFailure("manifest-list-hotfix sacrificed hotfixes for being able to copy images")
 	assertSkopeoFails(c, ".*can not copy docker://estesp/busybox:latest: manifest contains multiple images.*", "copy", "docker://estesp/busybox:latest", "dir:somedir")
 }

+func (s *CopySuite) TestCopyFailsWhenImageOSDoesntMatchRuntimeOS(c *check.C) {
+	c.Skip("can't run this on Travis")
+	assertSkopeoFails(c, `.*image operating system "windows" cannot be used on "linux".*`, "copy", "docker://microsoft/windowsservercore", "containers-storage:test")
+}
+
 func (s *CopySuite) TestCopySimpleAtomicRegistry(c *check.C) {
 	dir1, err := ioutil.TempDir("", "copy-1")
 	c.Assert(err, check.IsNil)
@@ -114,10 +112,9 @@ func (s *CopySuite) TestCopySimpleAtomicRegistry(c *check.C) {
 	assertSkopeoSucceeds(c, "", "copy", "docker://estesp/busybox:amd64", "dir:"+dir1)
 	// "push": dir: → atomic:
 	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--debug", "copy", "dir:"+dir1, "atomic:localhost:5000/myns/unsigned:unsigned")
-	// The result of pushing and pulling is an unmodified image.
+	// The result of pushing and pulling is an equivalent image, except for schema1 embedded names.
 	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "atomic:localhost:5000/myns/unsigned:unsigned", "dir:"+dir2)
-	out := combinedOutputOfCommand(c, "diff", "-urN", dir1, dir2)
-	c.Assert(out, check.Equals, "")
+	assertSchema1DirImagesAreEqualExceptNames(c, dir1, "estesp/busybox:amd64", dir2, "myns/unsigned:unsigned")
 }

 // The most basic (skopeo copy) use:
@@ -141,14 +138,66 @@ func (s *CopySuite) TestCopySimple(c *check.C) {
 	out := combinedOutputOfCommand(c, "diff", "-urN", dir1, dir2)
 	c.Assert(out, check.Equals, "")

-	// docker v2s2 -> OCI image layout
+	// docker v2s2 -> OCI image layout with image name
 	// ociDest will be created by oci: if it doesn't exist
 	// so don't create it here to exercise auto-creation
-	ociDest := "busybox-latest"
+	ociDest := "busybox-latest-image"
+	ociImgName := "busybox"
 	defer os.RemoveAll(ociDest)
-	assertSkopeoSucceeds(c, "", "copy", "docker://busybox:latest", "oci:"+ociDest)
+	assertSkopeoSucceeds(c, "", "copy", "docker://busybox:latest", "oci:"+ociDest+":"+ociImgName)
 	_, err = os.Stat(ociDest)
 	c.Assert(err, check.IsNil)
+
+	// docker v2s2 -> OCI image layout without image name
+	ociDest = "busybox-latest-noimage"
+	defer os.RemoveAll(ociDest)
+	assertSkopeoFails(c, ".*Error initializing destination oci:busybox-latest-noimage:: cannot save image with empty image.ref.name.*", "copy", "docker://busybox:latest", "oci:"+ociDest)
+}
+
+// Check whether dir: images in dir1 and dir2 are equal, ignoring schema1 signatures.
+func assertDirImagesAreEqual(c *check.C, dir1, dir2 string) {
+	// The manifests may have different JWS signatures; so, compare the manifests by digests, which
+	// strips the signatures.
+	digests := []digest.Digest{}
+	for _, dir := range []string{dir1, dir2} {
+		manifestPath := filepath.Join(dir, "manifest.json")
+		m, err := ioutil.ReadFile(manifestPath)
+		c.Assert(err, check.IsNil)
+		digest, err := manifest.Digest(m)
+		c.Assert(err, check.IsNil)
+		digests = append(digests, digest)
+	}
+	c.Assert(digests[0], check.Equals, digests[1])
+	// Then compare the rest file by file.
+	out := combinedOutputOfCommand(c, "diff", "-urN", "-x", "manifest.json", dir1, dir2)
+	c.Assert(out, check.Equals, "")
+}
+
+// Check whether schema1 dir: images in dir1 and dir2 are equal, ignoring schema1 signatures and the embedded path/tag values, which should have the expected values.
+func assertSchema1DirImagesAreEqualExceptNames(c *check.C, dir1, ref1, dir2, ref2 string) {
+	// The manifests may have different JWS signatures and names; so, unmarshal and delete these elements.
+	manifests := []map[string]interface{}{}
+	for dir, ref := range map[string]string{dir1: ref1, dir2: ref2} {
+		manifestPath := filepath.Join(dir, "manifest.json")
+		m, err := ioutil.ReadFile(manifestPath)
+		c.Assert(err, check.IsNil)
+		data := map[string]interface{}{}
+		err = json.Unmarshal(m, &data)
+		c.Assert(err, check.IsNil)
+		c.Assert(data["schemaVersion"], check.Equals, float64(1))
+		colon := strings.LastIndex(ref, ":")
+		c.Assert(colon, check.Not(check.Equals), -1)
+		c.Assert(data["name"], check.Equals, ref[:colon])
+		c.Assert(data["tag"], check.Equals, ref[colon+1:])
+		for _, key := range []string{"signatures", "name", "tag"} {
+			delete(data, key)
+		}
+		manifests = append(manifests, data)
+	}
+	c.Assert(manifests[0], check.DeepEquals, manifests[1])
+	// Then compare the rest file by file.
+	out := combinedOutputOfCommand(c, "diff", "-urN", "-x", "manifest.json", dir1, dir2)
+	c.Assert(out, check.Equals, "")
 }

 // Streaming (skopeo copy)
@@ -166,28 +215,68 @@ func (s *CopySuite) TestCopyStreaming(c *check.C) {
 	// Compare (copies of) the original and the copy:
 	assertSkopeoSucceeds(c, "", "copy", "docker://estesp/busybox:amd64", "dir:"+dir1)
 	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "atomic:localhost:5000/myns/unsigned:streaming", "dir:"+dir2)
-	// The manifests will have different JWS signatures; so, compare the manifests by digests, which
-	// strips the signatures, and remove them, comparing the rest file by file.
-	digests := []digest.Digest{}
-	for _, dir := range []string{dir1, dir2} {
-		manifestPath := filepath.Join(dir, "manifest.json")
-		m, err := ioutil.ReadFile(manifestPath)
-		c.Assert(err, check.IsNil)
-		digest, err := manifest.Digest(m)
-		c.Assert(err, check.IsNil)
-		digests = append(digests, digest)
-		err = os.Remove(manifestPath)
-		c.Assert(err, check.IsNil)
-		c.Logf("Manifest file %s (digest %s) removed", manifestPath, digest)
-	}
-	c.Assert(digests[0], check.Equals, digests[1])
-	out := combinedOutputOfCommand(c, "diff", "-urN", dir1, dir2)
-	c.Assert(out, check.Equals, "")
+	assertSchema1DirImagesAreEqualExceptNames(c, dir1, "estesp/busybox:amd64", dir2, "myns/unsigned:streaming")
 	// FIXME: Also check pushing to docker://
 }

+// OCI round-trip testing. It's very important to make sure that OCI <-> Docker
+// conversion works (while skopeo handles many things, one of the most obvious
+// benefits of a tool like skopeo is that you can use OCI tooling to create an
+// image and then as the final step convert the image to a non-standard format
+// like Docker). But this only works if we _test_ it.
+func (s *CopySuite) TestCopyOCIRoundTrip(c *check.C) {
+	const ourRegistry = "docker://" + v2DockerRegistryURL + "/"
+
+	oci1, err := ioutil.TempDir("", "oci-1")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(oci1)
+	oci2, err := ioutil.TempDir("", "oci-2")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(oci2)
+
+	// Docker -> OCI
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--debug", "copy", "docker://busybox", "oci:"+oci1+":latest")
+	// OCI -> Docker
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--debug", "copy", "oci:"+oci1+":latest", ourRegistry+"original/busybox:oci_copy")
+	// Docker -> OCI
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--debug", "copy", ourRegistry+"original/busybox:oci_copy", "oci:"+oci2+":latest")
+	// OCI -> Docker
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--debug", "copy", "oci:"+oci2+":latest", ourRegistry+"original/busybox:oci_copy2")
+
+	// TODO: Add some more tags to output to and check those work properly.
+
+	// First, make sure the OCI blobs are the same. This should _always_ be true.
+	out := combinedOutputOfCommand(c, "diff", "-urN", oci1+"/blobs", oci2+"/blobs")
+	c.Assert(out, check.Equals, "")
+
+	// For some silly reason we pass a logger to the OCI library here...
+	logger := log.New(os.Stderr, "", 0)
+
+	// Verify using the upstream OCI image validator, this should catch most
+	// non-compliance errors. DO NOT REMOVE THIS TEST UNLESS IT'S ABSOLUTELY
+	// NECESSARY.
+	err = image.ValidateLayout(oci1, nil, logger)
+	c.Assert(err, check.IsNil)
+	err = image.ValidateLayout(oci2, nil, logger)
+	c.Assert(err, check.IsNil)
+
+	// Now verify that everything is identical. Currently this is true, but
+	// because we recompute the manifests on-the-fly this doesn't necessarily
+	// always have to be true (but if this breaks in the future __PLEASE__ make
+	// sure that the breakage actually makes sense before removing this check).
+	out = combinedOutputOfCommand(c, "diff", "-urN", oci1, oci2)
+	c.Assert(out, check.Equals, "")
+}
+
 // --sign-by and --policy copy, primarily using atomic:
 func (s *CopySuite) TestCopySignatures(c *check.C) {
+	mech, _, err := signature.NewEphemeralGPGSigningMechanism([]byte{})
+	c.Assert(err, check.IsNil)
+	defer mech.Close()
+	if err := mech.SupportsSigning(); err != nil { // FIXME? Test that verification and policy enforcement works, using signatures from fixtures
+		c.Skip(fmt.Sprintf("Signing not supported: %v", err))
+	}
+
 	dir, err := ioutil.TempDir("", "signatures-dest")
 	c.Assert(err, check.IsNil)
 	defer os.RemoveAll(dir)
@@ -205,38 +294,45 @@ func (s *CopySuite) TestCopySignatures(c *check.C) {

 	// type: signedBy
 	// Sign the images
-	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "--sign-by", "personal@example.com", "docker://busybox:1.23", "atomic:localhost:5000/myns/personal:personal")
-	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "--sign-by", "official@example.com", "docker://busybox:1.23.2", "atomic:localhost:5000/myns/official:official")
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "--sign-by", "personal@example.com", "docker://busybox:1.26", "atomic:localhost:5006/myns/personal:personal")
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "--sign-by", "official@example.com", "docker://busybox:1.26.1", "atomic:localhost:5006/myns/official:official")
 	// Verify that we can pull them
-	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5000/myns/personal:personal", dirDest)
-	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5000/myns/official:official", dirDest)
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5006/myns/personal:personal", dirDest)
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5006/myns/official:official", dirDest)
 	// Verify that mis-signed images are rejected
-	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "atomic:localhost:5000/myns/personal:personal", "atomic:localhost:5000/myns/official:attack")
-	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "atomic:localhost:5000/myns/official:official", "atomic:localhost:5000/myns/personal:attack")
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "atomic:localhost:5006/myns/personal:personal", "atomic:localhost:5006/myns/official:attack")
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "atomic:localhost:5006/myns/official:official", "atomic:localhost:5006/myns/personal:attack")
 	assertSkopeoFails(c, ".*Source image rejected: Invalid GPG signature.*",
-		"--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5000/myns/personal:attack", dirDest)
+		"--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5006/myns/personal:attack", dirDest)
 	assertSkopeoFails(c, ".*Source image rejected: Invalid GPG signature.*",
-		"--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5000/myns/official:attack", dirDest)
+		"--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5006/myns/official:attack", dirDest)

 	// Verify that signed identity is verified.
-	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "atomic:localhost:5000/myns/official:official", "atomic:localhost:5000/myns/naming:test1")
-	assertSkopeoFails(c, ".*Source image rejected: Signature for identity localhost:5000/myns/official:official is not accepted.*",
-		"--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5000/myns/naming:test1", dirDest)
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "atomic:localhost:5006/myns/official:official", "atomic:localhost:5006/myns/naming:test1")
+	assertSkopeoFails(c, ".*Source image rejected: Signature for identity localhost:5006/myns/official:official is not accepted.*",
+		"--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5006/myns/naming:test1", dirDest)
 	// signedIdentity works
-	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "atomic:localhost:5000/myns/official:official", "atomic:localhost:5000/myns/naming:naming")
-	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5000/myns/naming:naming", dirDest)
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "atomic:localhost:5006/myns/official:official", "atomic:localhost:5006/myns/naming:naming")
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5006/myns/naming:naming", dirDest)

 	// Verify that cosigning requirements are enforced
-	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "atomic:localhost:5000/myns/official:official", "atomic:localhost:5000/myns/cosigned:cosigned")
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "atomic:localhost:5006/myns/official:official", "atomic:localhost:5006/myns/cosigned:cosigned")
 	assertSkopeoFails(c, ".*Source image rejected: Invalid GPG signature.*",
-		"--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5000/myns/cosigned:cosigned", dirDest)
+		"--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5006/myns/cosigned:cosigned", dirDest)

-	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "--sign-by", "personal@example.com", "atomic:localhost:5000/myns/official:official", "atomic:localhost:5000/myns/cosigned:cosigned")
-	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5000/myns/cosigned:cosigned", dirDest)
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "--sign-by", "personal@example.com", "atomic:localhost:5006/myns/official:official", "atomic:localhost:5006/myns/cosigned:cosigned")
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5006/myns/cosigned:cosigned", dirDest)
 }

 // --policy copy for dir: sources
 func (s *CopySuite) TestCopyDirSignatures(c *check.C) {
+	mech, _, err := signature.NewEphemeralGPGSigningMechanism([]byte{})
+	c.Assert(err, check.IsNil)
+	defer mech.Close()
+	if err := mech.SupportsSigning(); err != nil { // FIXME? Test that verification and policy enforcement works, using signatures from fixtures
+		c.Skip(fmt.Sprintf("Signing not supported: %v", err))
+	}
+
 	topDir, err := ioutil.TempDir("", "dir-signatures-top")
 	c.Assert(err, check.IsNil)
 	defer os.RemoveAll(topDir)
@@ -287,10 +383,10 @@ func (s *CopySuite) TestCopyCompression(c *check.C) {
 	defer os.RemoveAll(topDir)

 	for i, t := range []struct{ fixture, remote string }{
-		//{"uncompressed-image-s1", "docker://" + v2DockerRegistryURL + "/compression/compression:s1"}, // FIXME: depends on push to tag working
-		//{"uncompressed-image-s2", "docker://" + v2DockerRegistryURL + "/compression/compression:s2"}, // FIXME: depends on push to tag working
+		{"uncompressed-image-s1", "docker://" + v2DockerRegistryURL + "/compression/compression:s1"},
+		{"uncompressed-image-s2", "docker://" + v2DockerRegistryURL + "/compression/compression:s2"},
 		{"uncompressed-image-s1", "atomic:localhost:5000/myns/compression:s1"},
-		//{"uncompressed-image-s2", "atomic:localhost:5000/myns/compression:s2"}, // FIXME: The unresolved "MANIFEST_UNKNOWN"/"unexpected end of JSON input" failure
+		{"uncompressed-image-s2", "atomic:localhost:5000/myns/compression:s2"},
 	} {
 		dir := filepath.Join(topDir, fmt.Sprintf("case%d", i))
 		err := os.MkdirAll(dir, 0755)
@@ -336,11 +432,18 @@ func findRegularFiles(c *check.C, root string) []string {

 // --sign-by and policy use for docker: with sigstore
 func (s *CopySuite) TestCopyDockerSigstore(c *check.C) {
+	mech, _, err := signature.NewEphemeralGPGSigningMechanism([]byte{})
+	c.Assert(err, check.IsNil)
+	defer mech.Close()
+	if err := mech.SupportsSigning(); err != nil { // FIXME? Test that verification and policy enforcement works, using signatures from fixtures
+		c.Skip(fmt.Sprintf("Signing not supported: %v", err))
+	}
+
 	const ourRegistry = "docker://" + v2DockerRegistryURL + "/"

 	tmpDir, err := ioutil.TempDir("", "signatures-sigstore")
 	c.Assert(err, check.IsNil)
-	//defer os.RemoveAll(tmpDir)
+	defer os.RemoveAll(tmpDir)
 	copyDest := filepath.Join(tmpDir, "dest")
 	err = os.Mkdir(copyDest, 0755)
 	c.Assert(err, check.IsNil)
@@ -381,7 +484,6 @@ func (s *CopySuite) TestCopyDockerSigstore(c *check.C) {
 	// Deleting the image succeeds,
 	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--registries.d", registriesDir, "delete", ourRegistry+"signed/busybox")
 	// and the signature file has been deleted (but we leave the directories around).
-	// a signature file has been created,
 	foundFiles = findRegularFiles(c, plainSigstore)
 	c.Assert(foundFiles, check.HasLen, 0)

@@ -398,6 +500,64 @@ func (s *CopySuite) TestCopyDockerSigstore(c *check.C) {
 	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--policy", policy, "--registries.d", registriesDir, "copy", ourRegistry+"public/busybox", dirDest)
 }

+// atomic: and docker: X-Registry-Supports-Signatures works and interoperates
+func (s *CopySuite) TestCopyAtomicExtension(c *check.C) {
+	mech, _, err := signature.NewEphemeralGPGSigningMechanism([]byte{})
+	c.Assert(err, check.IsNil)
+	defer mech.Close()
+	if err := mech.SupportsSigning(); err != nil { // FIXME? Test that the reading/writing works using signatures from fixtures
+		c.Skip(fmt.Sprintf("Signing not supported: %v", err))
+	}
+
+	topDir, err := ioutil.TempDir("", "atomic-extension")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(topDir)
+	for _, subdir := range []string{"dirAA", "dirAD", "dirDA", "dirDD", "registries.d"} {
+		err := os.MkdirAll(filepath.Join(topDir, subdir), 0755)
+		c.Assert(err, check.IsNil)
+	}
+	registriesDir := filepath.Join(topDir, "registries.d")
+	dirDest := "dir:" + topDir
+	policy := fileFromFixture(c, "fixtures/policy.json", map[string]string{"@keydir@": s.gpgHome})
+	defer os.Remove(policy)
+
+	// Get an image to work with to an atomic: destination.  Also verifies that we can use Docker repositories without X-Registry-Supports-Signatures
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--registries.d", registriesDir, "copy", "docker://busybox", "atomic:localhost:5000/myns/extension:unsigned")
+	// Pulling an unsigned image using atomic: fails.
+	assertSkopeoFails(c, ".*Source image rejected: A signature was required, but no signature exists.*",
+		"--tls-verify=false", "--policy", policy,
+		"copy", "atomic:localhost:5000/myns/extension:unsigned", dirDest+"/dirAA")
+	// The same when pulling using docker:
+	assertSkopeoFails(c, ".*Source image rejected: A signature was required, but no signature exists.*",
+		"--tls-verify=false", "--policy", policy, "--registries.d", registriesDir,
+		"copy", "docker://localhost:5000/myns/extension:unsigned", dirDest+"/dirAD")
+
+	// Sign the image using atomic:
+	assertSkopeoSucceeds(c, "", "--tls-verify=false",
+		"copy", "--sign-by", "personal@example.com", "atomic:localhost:5000/myns/extension:unsigned", "atomic:localhost:5000/myns/extension:atomic")
+	// Pulling the image using atomic: now succeeds.
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--policy", policy,
+		"copy", "atomic:localhost:5000/myns/extension:atomic", dirDest+"/dirAA")
+	// The same when pulling using docker:
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--policy", policy, "--registries.d", registriesDir,
+		"copy", "docker://localhost:5000/myns/extension:atomic", dirDest+"/dirAD")
+	// Both access methods result in the same data.
+	assertDirImagesAreEqual(c, filepath.Join(topDir, "dirAA"), filepath.Join(topDir, "dirAD"))
+
+	// Get another image (different so that they don't share signatures, and sign it using docker://)
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--registries.d", registriesDir,
+		"copy", "--sign-by", "personal@example.com", "docker://estesp/busybox:ppc64le", "atomic:localhost:5000/myns/extension:extension")
+	c.Logf("%s", combinedOutputOfCommand(c, "oc", "get", "istag", "extension:extension", "-o", "json"))
+	// Pulling the image using atomic: succeeds.
+	assertSkopeoSucceeds(c, "", "--debug", "--tls-verify=false", "--policy", policy,
+		"copy", "atomic:localhost:5000/myns/extension:extension", dirDest+"/dirDA")
+	// The same when pulling using docker:
+	assertSkopeoSucceeds(c, "", "--debug", "--tls-verify=false", "--policy", policy, "--registries.d", registriesDir,
+		"copy", "docker://localhost:5000/myns/extension:extension", dirDest+"/dirDD")
+	// Both access methods result in the same data.
+	assertDirImagesAreEqual(c, filepath.Join(topDir, "dirDA"), filepath.Join(topDir, "dirDD"))
+}
+
 func (s *SkopeoSuite) TestCopySrcWithAuth(c *check.C) {
 	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "--dest-creds=testuser:testpassword", "docker://busybox", fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url))
 	dir1, err := ioutil.TempDir("", "copy-1")
@@ -414,3 +574,61 @@ func (s *SkopeoSuite) TestCopySrcAndDestWithAuth(c *check.C) {
 	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "--dest-creds=testuser:testpassword", "docker://busybox", fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url))
 	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "--src-creds=testuser:testpassword", "--dest-creds=testuser:testpassword", fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url), fmt.Sprintf("docker://%s/test:auth", s.regV2WithAuth.url))
 }
+
+func (s *CopySuite) TestCopyNoPanicOnHTTPResponseWOTLSVerifyFalse(c *check.C) {
+	const ourRegistry = "docker://" + v2DockerRegistryURL + "/"
+
+	// dir:test isn't created beforehand just because we already know this could
+	// just fail when evaluating the src
+	assertSkopeoFails(c, ".*server gave HTTP response to HTTPS client.*",
+		"copy", ourRegistry+"foobar", "dir:test")
+}
+
+func (s *CopySuite) TestCopySchemaConversion(c *check.C) {
+	// Test conversion / schema autodetection both for the OpenShift embedded registry…
+	s.testCopySchemaConversionRegistries(c, "docker://localhost:5005/myns/schema1", "docker://localhost:5006/myns/schema2")
+	// … and for various docker/distribution registry versions.
+	s.testCopySchemaConversionRegistries(c, "docker://"+v2s1DockerRegistryURL+"/schema1", "docker://"+v2DockerRegistryURL+"/schema2")
+}
+
+func (s *CopySuite) testCopySchemaConversionRegistries(c *check.C, schema1Registry, schema2Registry string) {
+	topDir, err := ioutil.TempDir("", "schema-conversion")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(topDir)
+	for _, subdir := range []string{"input1", "input2", "dest2"} {
+		err := os.MkdirAll(filepath.Join(topDir, subdir), 0755)
+		c.Assert(err, check.IsNil)
+	}
+	input1Dir := filepath.Join(topDir, "input1")
+	input2Dir := filepath.Join(topDir, "input2")
+	destDir := filepath.Join(topDir, "dest2")
+
+	// Ensure we are working with a schema2 image.
+	// dir: accepts any manifest format, i.e. this makes …/input2 a schema2 source which cannot be asked to produce schema1 like ordinary docker: registries can.
+	assertSkopeoSucceeds(c, "", "copy", "docker://busybox", "dir:"+input2Dir)
+	verifyManifestMIMEType(c, input2Dir, manifest.DockerV2Schema2MediaType)
+	// 2→2 (the "f2t2" in tag means "from 2 to 2")
+	assertSkopeoSucceeds(c, "", "copy", "--dest-tls-verify=false", "dir:"+input2Dir, schema2Registry+":f2t2")
+	assertSkopeoSucceeds(c, "", "copy", "--src-tls-verify=false", schema2Registry+":f2t2", "dir:"+destDir)
+	verifyManifestMIMEType(c, destDir, manifest.DockerV2Schema2MediaType)
+	// 2→1; we will use the result as a schema1 image for further tests.
+	assertSkopeoSucceeds(c, "", "copy", "--dest-tls-verify=false", "dir:"+input2Dir, schema1Registry+":f2t1")
+	assertSkopeoSucceeds(c, "", "copy", "--src-tls-verify=false", schema1Registry+":f2t1", "dir:"+input1Dir)
+	verifyManifestMIMEType(c, input1Dir, manifest.DockerV2Schema1SignedMediaType)
+	// 1→1
+	assertSkopeoSucceeds(c, "", "copy", "--dest-tls-verify=false", "dir:"+input1Dir, schema1Registry+":f1t1")
+	assertSkopeoSucceeds(c, "", "copy", "--src-tls-verify=false", schema1Registry+":f1t1", "dir:"+destDir)
+	verifyManifestMIMEType(c, destDir, manifest.DockerV2Schema1SignedMediaType)
+	// 1→2: image stays unmodified schema1
+	assertSkopeoSucceeds(c, "", "copy", "--dest-tls-verify=false", "dir:"+input1Dir, schema2Registry+":f1t2")
+	assertSkopeoSucceeds(c, "", "copy", "--src-tls-verify=false", schema2Registry+":f1t2", "dir:"+destDir)
+	verifyManifestMIMEType(c, destDir, manifest.DockerV2Schema1SignedMediaType)
+}
+
+// Verify manifest in a dir: image at dir is expectedMIMEType.
+func verifyManifestMIMEType(c *check.C, dir string, expectedMIMEType string) {
+	manifestBlob, err := ioutil.ReadFile(filepath.Join(dir, "manifest.json"))
+	c.Assert(err, check.IsNil)
+	mimeType := manifest.GuessMIMEType(manifestBlob)
+	c.Assert(mimeType, check.Equals, expectedMIMEType)
+}
--- a/integration/fixtures/policy.json
+++ b/integration/fixtures/policy.json
@@ -13,6 +13,13 @@
                    "keyPath": "@keydir@/personal-pubkey.gpg"
                }
            ],
+            "localhost:5000/myns/extension": [
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "@keydir@/personal-pubkey.gpg"
+                }
+            ],
            "docker.io/openshift": [
                {
                    "type": "insecureAcceptAnything"
@@ -38,46 +45,46 @@
            ]
        },
        "atomic": {
-            "localhost:5000/myns/personal": [
+            "localhost:5006/myns/personal": [
                {
                    "type": "signedBy",
                    "keyType": "GPGKeys",
                    "keyPath": "@keydir@/personal-pubkey.gpg"
                }
            ],
-            "localhost:5000/myns/official": [
+            "localhost:5006/myns/official": [
                {
                    "type": "signedBy",
                    "keyType": "GPGKeys",
                    "keyPath": "@keydir@/official-pubkey.gpg"
                }
            ],
-            "localhost:5000/myns/naming:test1": [
+            "localhost:5006/myns/naming:test1": [
                {
                    "type": "signedBy",
                    "keyType": "GPGKeys",
                    "keyPath": "@keydir@/official-pubkey.gpg"
                }
            ],
-            "localhost:5000/myns/naming:naming": [
+            "localhost:5006/myns/naming:naming": [
                {
                    "type": "signedBy",
                    "keyType": "GPGKeys",
                    "keyPath": "@keydir@/official-pubkey.gpg",
                    "signedIdentity": {
                        "type": "exactRepository",
-                        "dockerRepository": "localhost:5000/myns/official"
+                        "dockerRepository": "localhost:5006/myns/official"
                    }
                }
            ],
-            "localhost:5000/myns/cosigned:cosigned": [
+            "localhost:5006/myns/cosigned:cosigned": [
                {
                    "type": "signedBy",
                    "keyType": "GPGKeys",
                    "keyPath": "@keydir@/official-pubkey.gpg",
                    "signedIdentity": {
                        "type": "exactRepository",
-                        "dockerRepository": "localhost:5000/myns/official"
+                        "dockerRepository": "localhost:5006/myns/official"
                    }
                },
                {
@@ -85,6 +92,13 @@
                    "keyType": "GPGKeys",
                    "keyPath": "@keydir@/personal-pubkey.gpg"
                }
+            ],
+            "localhost:5000/myns/extension": [
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "@keydir@/personal-pubkey.gpg"
+                }
            ]
        }
    }
--- a/integration/openshift.go
+++ b/integration/openshift.go
@@ -14,49 +14,63 @@ import (
 	"github.com/go-check/check"
 )

+var adminKUBECONFIG = map[string]string{
+	"KUBECONFIG": "openshift.local.config/master/admin.kubeconfig",
+}
+
 // openshiftCluster is an OpenShift API master and integrated registry
 // running on localhost.
 type openshiftCluster struct {
-	c          *check.C
 	workingDir string
-	master     *exec.Cmd
-	registry   *exec.Cmd
+	processes  []*exec.Cmd // Processes to terminate on teardown; append to the end, terminate from end to the start.
 }

 // startOpenshiftCluster creates a new openshiftCluster.
 // WARNING: This affects state in users' home directory! Only run
 // in isolated test environment.
 func startOpenshiftCluster(c *check.C) *openshiftCluster {
-	cluster := &openshiftCluster{c: c}
+	cluster := &openshiftCluster{}

 	dir, err := ioutil.TempDir("", "openshift-cluster")
-	cluster.c.Assert(err, check.IsNil)
+	c.Assert(err, check.IsNil)
 	cluster.workingDir = dir

-	cluster.startMaster()
-	cluster.startRegistry()
-	cluster.ocLoginToProject()
-	cluster.dockerLogin()
-	cluster.relaxImageSignerPermissions()
+	cluster.startMaster(c)
+	cluster.prepareRegistryConfig(c)
+	cluster.startRegistry(c)
+	cluster.ocLoginToProject(c)
+	cluster.dockerLogin(c)
+	cluster.relaxImageSignerPermissions(c)

 	return cluster
 }

+// clusterCmd creates an exec.Cmd in cluster.workingDir with current environment modified by environment
+func (cluster *openshiftCluster) clusterCmd(env map[string]string, name string, args ...string) *exec.Cmd {
+	cmd := exec.Command(name, args...)
+	cmd.Dir = cluster.workingDir
+	cmd.Env = os.Environ()
+	for key, value := range env {
+		cmd.Env = modifyEnviron(cmd.Env, key, value)
+	}
+	return cmd
+}
+
 // startMaster starts the OpenShift master (etcd+API server) and waits for it to be ready, or terminates on failure.
-func (c *openshiftCluster) startMaster() {
-	c.master = exec.Command("openshift", "start", "master")
-	c.master.Dir = c.workingDir
-	stdout, err := c.master.StdoutPipe()
+func (cluster *openshiftCluster) startMaster(c *check.C) {
+	cmd := cluster.clusterCmd(nil, "openshift", "start", "master")
+	cluster.processes = append(cluster.processes, cmd)
+	stdout, err := cmd.StdoutPipe()
 	// Send both to the same pipe. This might cause the two streams to be mixed up,
 	// but logging actually goes only to stderr - this primarily ensure we log any
 	// unexpected output to stdout.
-	c.master.Stderr = c.master.Stdout
-	err = c.master.Start()
-	c.c.Assert(err, check.IsNil)
+	cmd.Stderr = cmd.Stdout
+	err = cmd.Start()
+	c.Assert(err, check.IsNil)

-	portOpen, terminatePortCheck := newPortChecker(c.c, 8443)
+	portOpen, terminatePortCheck := newPortChecker(c, 8443)
 	defer func() {
-		c.c.Logf("Terminating port check")
+		c.Logf("Terminating port check")
 		terminatePortCheck <- true
 	}()

@@ -64,12 +78,12 @@ func (c *openshiftCluster) startMaster() {
 	logCheckFound := make(chan bool)
 	go func() {
 		defer func() {
-			c.c.Logf("Log checker exiting")
+			c.Logf("Log checker exiting")
 		}()
 		scanner := bufio.NewScanner(stdout)
 		for scanner.Scan() {
 			line := scanner.Text()
-			c.c.Logf("Log line: %s", line)
+			c.Logf("Log line: %s", line)
 			if strings.Contains(line, "Started Origin Controllers") {
 				logCheckFound <- true
 				return
@@ -78,7 +92,7 @@ func (c *openshiftCluster) startMaster() {
 			// Note: we can block before we get here.
 			select {
 			case <-terminateLogCheck:
-				c.c.Logf("terminated")
+				c.Logf("terminated")
 				return
 			default:
 				// Do not block here and read the next line.
@@ -87,107 +101,152 @@ func (c *openshiftCluster) startMaster() {
 		logCheckFound <- false
 	}()
 	defer func() {
-		c.c.Logf("Terminating log check")
+		c.Logf("Terminating log check")
 		terminateLogCheck <- true
 	}()

 	gotPortCheck := false
 	gotLogCheck := false
 	for !gotPortCheck || !gotLogCheck {
-		c.c.Logf("Waiting for master")
+		c.Logf("Waiting for master")
 		select {
 		case <-portOpen:
-			c.c.Logf("port check done")
+			c.Logf("port check done")
 			gotPortCheck = true
 		case found := <-logCheckFound:
-			c.c.Logf("log check done, found: %t", found)
+			c.Logf("log check done, found: %t", found)
 			if !found {
-				c.c.Fatal("log check done, success message not found")
+				c.Fatal("log check done, success message not found")
 			}
 			gotLogCheck = true
 		}
 	}
-	c.c.Logf("OK, master started!")
+	c.Logf("OK, master started!")
 }

-// startRegistry starts the OpenShift registry and waits for it to be ready, or terminates on failure.
-func (c *openshiftCluster) startRegistry() {
-	//KUBECONFIG=openshift.local.config/master/openshift-registry.kubeconfig DOCKER_REGISTRY_URL=127.0.0.1:5000
-	c.registry = exec.Command("dockerregistry", "/atomic-registry-config.yml")
-	c.registry.Dir = c.workingDir
-	c.registry.Env = os.Environ()
-	c.registry.Env = modifyEnviron(c.registry.Env, "KUBECONFIG", "openshift.local.config/master/openshift-registry.kubeconfig")
-	c.registry.Env = modifyEnviron(c.registry.Env, "DOCKER_REGISTRY_URL", "127.0.0.1:5000")
-	consumeAndLogOutputs(c.c, "registry", c.registry)
-	err := c.registry.Start()
-	c.c.Assert(err, check.IsNil)
+// prepareRegistryConfig creates a registry service account and a related k8s client configuration in ${cluster.workingDir}/openshift.local.registry.
+func (cluster *openshiftCluster) prepareRegistryConfig(c *check.C) {
+	// This partially mimics the objects created by (oadm registry), except that we run the
+	// server directly as an ordinary process instead of a pod with an implicitly attached service account.
+	saJSON := `{
+		"apiVersion": "v1",
+		"kind": "ServiceAccount",
+		"metadata": {
+			"name": "registry"
+		}
+	}`
+	cmd := cluster.clusterCmd(adminKUBECONFIG, "oc", "create", "-f", "-")
+	runExecCmdWithInput(c, cmd, saJSON)

-	portOpen, terminatePortCheck := newPortChecker(c.c, 5000)
+	cmd = cluster.clusterCmd(adminKUBECONFIG, "oadm", "policy", "add-cluster-role-to-user", "system:registry", "-z", "registry")
+	out, err := cmd.CombinedOutput()
+	c.Assert(err, check.IsNil, check.Commentf("%s", string(out)))
+	c.Assert(string(out), check.Equals, "cluster role \"system:registry\" added: \"registry\"\n")
+
+	cmd = cluster.clusterCmd(adminKUBECONFIG, "oadm", "create-api-client-config", "--client-dir=openshift.local.registry", "--basename=openshift-registry", "--user=system:serviceaccount:default:registry")
+	out, err = cmd.CombinedOutput()
+	c.Assert(err, check.IsNil, check.Commentf("%s", string(out)))
+	c.Assert(string(out), check.Equals, "")
+}
+
+// startRegistry starts the OpenShift registry with configPart on port, waits for it to be ready, and returns the process object, or terminates on failure.
+func (cluster *openshiftCluster) startRegistryProcess(c *check.C, port int, configPath string) *exec.Cmd {
+	cmd := cluster.clusterCmd(map[string]string{
+		"KUBECONFIG":          "openshift.local.registry/openshift-registry.kubeconfig",
+		"DOCKER_REGISTRY_URL": fmt.Sprintf("127.0.0.1:%d", port),
+	}, "dockerregistry", configPath)
+	consumeAndLogOutputs(c, fmt.Sprintf("registry-%d", port), cmd)
+	err := cmd.Start()
+	c.Assert(err, check.IsNil)
+
+	portOpen, terminatePortCheck := newPortChecker(c, port)
 	defer func() {
 		terminatePortCheck <- true
 	}()
-	c.c.Logf("Waiting for registry to start")
+	c.Logf("Waiting for registry to start")
 	<-portOpen
-	c.c.Logf("OK, Registry port open")
+	c.Logf("OK, Registry port open")
+
+	return cmd
+}
+
+// startRegistry starts the OpenShift registry and waits for it to be ready, or terminates on failure.
+func (cluster *openshiftCluster) startRegistry(c *check.C) {
+	// Our “primary” registry
+	cluster.processes = append(cluster.processes, cluster.startRegistryProcess(c, 5000, "/atomic-registry-config.yml"))
+
+	// A registry configured with acceptschema2:false
+	schema1Config := fileFromFixture(c, "/atomic-registry-config.yml", map[string]string{
+		"addr: :5000":              "addr: :5005",
+		"rootdirectory: /registry": "rootdirectory: /registry-schema1",
+		// The default configuration currently already contains acceptschema2: false
+	})
+	// Make sure the configuration contains "acceptschema2: false", because eventually it will be enabled upstream and this function will need to be updated.
+	configContents, err := ioutil.ReadFile(schema1Config)
+	c.Assert(err, check.IsNil)
+	c.Assert(string(configContents), check.Matches, "(?s).*acceptschema2: false.*")
+	cluster.processes = append(cluster.processes, cluster.startRegistryProcess(c, 5005, schema1Config))
+
+	// A registry configured with acceptschema2:true
+	schema2Config := fileFromFixture(c, "/atomic-registry-config.yml", map[string]string{
+		"addr: :5000":              "addr: :5006",
+		"rootdirectory: /registry": "rootdirectory: /registry-schema2",
+		"acceptschema2: false":     "acceptschema2: true",
+	})
+	cluster.processes = append(cluster.processes, cluster.startRegistryProcess(c, 5006, schema2Config))
 }

 // ocLogin runs (oc login) and (oc new-project) on the cluster, or terminates on failure.
-func (c *openshiftCluster) ocLoginToProject() {
-	c.c.Logf("oc login")
-	cmd := exec.Command("oc", "login", "--certificate-authority=openshift.local.config/master/ca.crt", "-u", "myuser", "-p", "mypw", "https://localhost:8443")
-	cmd.Dir = c.workingDir
+func (cluster *openshiftCluster) ocLoginToProject(c *check.C) {
+	c.Logf("oc login")
+	cmd := cluster.clusterCmd(nil, "oc", "login", "--certificate-authority=openshift.local.config/master/ca.crt", "-u", "myuser", "-p", "mypw", "https://localhost:8443")
 	out, err := cmd.CombinedOutput()
-	c.c.Assert(err, check.IsNil, check.Commentf("%s", out))
-	c.c.Assert(string(out), check.Matches, "(?s).*Login successful.*") // (?s) : '.' will also match newlines
+	c.Assert(err, check.IsNil, check.Commentf("%s", out))
+	c.Assert(string(out), check.Matches, "(?s).*Login successful.*") // (?s) : '.' will also match newlines

-	outString := combinedOutputOfCommand(c.c, "oc", "new-project", "myns")
-	c.c.Assert(outString, check.Matches, `(?s).*Now using project "myns".*`) // (?s) : '.' will also match newlines
+	outString := combinedOutputOfCommand(c, "oc", "new-project", "myns")
+	c.Assert(outString, check.Matches, `(?s).*Now using project "myns".*`) // (?s) : '.' will also match newlines
 }

 // dockerLogin simulates (docker login) to the cluster, or terminates on failure.
 // We do not run (docker login) directly, because that requires a running daemon and a docker package.
-func (c *openshiftCluster) dockerLogin() {
+func (cluster *openshiftCluster) dockerLogin(c *check.C) {
 	dockerDir := filepath.Join(homedir.Get(), ".docker")
 	err := os.Mkdir(dockerDir, 0700)
-	c.c.Assert(err, check.IsNil)
+	c.Assert(err, check.IsNil)

-	out := combinedOutputOfCommand(c.c, "oc", "config", "view", "-o", "json", "-o", "jsonpath={.users[*].user.token}")
-	c.c.Logf("oc config value: %s", out)
-	configJSON := fmt.Sprintf(`{
-		"auths": {
-			"localhost:5000": {
+	out := combinedOutputOfCommand(c, "oc", "config", "view", "-o", "json", "-o", "jsonpath={.users[*].user.token}")
+	c.Logf("oc config value: %s", out)
+	authValue := base64.StdEncoding.EncodeToString([]byte("unused:" + out))
+	auths := []string{}
+	for _, port := range []int{5000, 5005, 5006} {
+		auths = append(auths, fmt.Sprintf(`"localhost:%d": {
 				"auth": "%s",
 				"email": "unused"
-			}
-		}
-	}`, base64.StdEncoding.EncodeToString([]byte("unused:"+out)))
+			}`, port, authValue))
+	}
+	configJSON := `{"auths": {` + strings.Join(auths, ",") + `}}`
 	err = ioutil.WriteFile(filepath.Join(dockerDir, "config.json"), []byte(configJSON), 0600)
-	c.c.Assert(err, check.IsNil)
+	c.Assert(err, check.IsNil)
 }

 // relaxImageSignerPermissions opens up the system:image-signer permissions so that
 // anyone can work with signatures
 // FIXME: This also allows anyone to DoS anyone else; this design is really not all
 // that workable, but it is the best we can do for now.
-func (c *openshiftCluster) relaxImageSignerPermissions() {
-	cmd := exec.Command("oadm", "policy", "add-cluster-role-to-group", "system:image-signer", "system:authenticated")
-	cmd.Dir = c.workingDir
-	cmd.Env = os.Environ()
-	cmd.Env = modifyEnviron(cmd.Env, "KUBECONFIG", "openshift.local.config/master/admin.kubeconfig")
+func (cluster *openshiftCluster) relaxImageSignerPermissions(c *check.C) {
+	cmd := cluster.clusterCmd(adminKUBECONFIG, "oadm", "policy", "add-cluster-role-to-group", "system:image-signer", "system:authenticated")
 	out, err := cmd.CombinedOutput()
-	c.c.Assert(err, check.IsNil, check.Commentf("%s", string(out)))
-	c.c.Assert(string(out), check.Equals, "")
+	c.Assert(err, check.IsNil, check.Commentf("%s", string(out)))
+	c.Assert(string(out), check.Equals, "cluster role \"system:image-signer\" added: \"system:authenticated\"\n")
 }

 // tearDown stops the cluster services and deletes (only some!) of the state.
-func (c *openshiftCluster) tearDown() {
-	if c.registry != nil && c.registry.Process != nil {
-		c.registry.Process.Kill()
+func (cluster *openshiftCluster) tearDown(c *check.C) {
+	for i := len(cluster.processes) - 1; i >= 0; i-- {
+		cluster.processes[i].Process.Kill()
 	}
-	if c.master != nil && c.master.Process != nil {
-		c.master.Process.Kill()
-	}
-	if c.workingDir != "" {
-		os.RemoveAll(c.workingDir)
+	if cluster.workingDir != "" {
+		os.RemoveAll(cluster.workingDir)
 	}
 }
--- a/integration/openshift_shell_test.go
+++ b/integration/openshift_shell_test.go
@@ -0,0 +1,40 @@
+// +build openshift_shell
+
+package main
+
+import (
+	"os"
+	"os/exec"
+
+	"github.com/go-check/check"
+)
+
+/*
+TestRunShell is not really a test; it is a convenient way to use the registry setup code
+in openshift.go and CopySuite to get an interactive environment for experimentation.
+
+To use it, run:
+	sudo make shell
+to start a container, then within the container:
+	SKOPEO_CONTAINER_TESTS=1 PS1='nested> ' go test -tags openshift_shell -timeout=24h ./integration -v -check.v -check.vv -check.f='CopySuite.TestRunShell'
+
+An example of what can be done within the container:
+	cd ..; make binary-local install
+	./skopeo --tls-verify=false  copy --sign-by=personal@example.com docker://busybox:latest atomic:localhost:5000/myns/personal:personal
+	oc get istag personal:personal -o json
+	curl -L -v 'http://localhost:5000/v2/'
+	cat ~/.docker/config.json
+	curl -L -v 'http://localhost:5000/openshift/token&scope=repository:myns/personal:pull' --header 'Authorization: Basic $auth_from_docker'
+	curl -L -v 'http://localhost:5000/v2/myns/personal/manifests/personal' --header 'Authorization: Bearer $token_from_oauth'
+	curl -L -v 'http://localhost:5000/extensions/v2/myns/personal/signatures/$manifest_digest' --header 'Authorization: Bearer $token_from_oauth'
+*/
+func (s *CopySuite) TestRunShell(c *check.C) {
+	cmd := exec.Command("bash", "-i")
+	tty, err := os.OpenFile("/dev/tty", os.O_RDWR, 0)
+	c.Assert(err, check.IsNil)
+	cmd.Stdin = tty
+	cmd.Stdout = tty
+	cmd.Stderr = tty
+	err = cmd.Run()
+	c.Assert(err, check.IsNil)
+}
--- a/integration/registry.go
+++ b/integration/registry.go
@@ -13,23 +13,10 @@ import (
 )

 const (
-	binaryV1        = "docker-registry"
 	binaryV2        = "registry-v2"
 	binaryV2Schema1 = "registry-v2-schema1"
 )

-type testRegistryV1 struct {
-	cmd *exec.Cmd
-	url string
-	dir string
-}
-
-func setupRegistryV1At(c *check.C, url string, auth bool) *testRegistryV1 {
-	return &testRegistryV1{
-		url: url,
-	}
-}
-
 type testRegistryV2 struct {
 	cmd      *exec.Cmd
 	url      string
@@ -44,7 +31,7 @@ func setupRegistryV2At(c *check.C, url string, auth, schema1 bool) *testRegistry
 	c.Assert(err, check.IsNil)

 	// Wait for registry to be ready to serve requests.
-	for i := 0; i != 5; i++ {
+	for i := 0; i != 50; i++ {
 		if err = reg.Ping(); err == nil {
 			break
 		}
@@ -109,6 +96,7 @@ http:
 	}

 	cmd := exec.Command(binary, confPath)
+	consumeAndLogOutputs(c, fmt.Sprintf("registry-%s", url), cmd)
 	if err := cmd.Start(); err != nil {
 		os.RemoveAll(tmp)
 		if os.IsNotExist(err) {
--- a/integration/signing_test.go
+++ b/integration/signing_test.go
@@ -8,6 +8,7 @@ import (
 	"os/exec"
 	"strings"

+	"github.com/containers/image/signature"
 	"github.com/go-check/check"
 )

@@ -35,7 +36,7 @@ func findFingerprint(lineBytes []byte) (string, error) {
 	return "", errors.New("No fingerprint found")
 }

-func (s *SigningSuite) SetUpTest(c *check.C) {
+func (s *SigningSuite) SetUpSuite(c *check.C) {
 	_, err := exec.LookPath(skopeoBinary)
 	c.Assert(err, check.IsNil)

@@ -51,7 +52,7 @@ func (s *SigningSuite) SetUpTest(c *check.C) {
 	c.Assert(err, check.IsNil)
 }

-func (s *SigningSuite) TearDownTest(c *check.C) {
+func (s *SigningSuite) TearDownSuite(c *check.C) {
 	if s.gpgHome != "" {
 		err := os.RemoveAll(s.gpgHome)
 		c.Assert(err, check.IsNil)
@@ -62,6 +63,13 @@ func (s *SigningSuite) TearDownTest(c *check.C) {
 }

 func (s *SigningSuite) TestSignVerifySmoke(c *check.C) {
+	mech, _, err := signature.NewEphemeralGPGSigningMechanism([]byte{})
+	c.Assert(err, check.IsNil)
+	defer mech.Close()
+	if err := mech.SupportsSigning(); err != nil { // FIXME? Test that verification and policy enforcement works, using signatures from fixtures
+		c.Skip(fmt.Sprintf("Signing not supported: %v", err))
+	}
+
 	manifestPath := "fixtures/image.manifest.json"
 	dockerReference := "testing/smoketest"

--- a/integration/utils.go
+++ b/integration/utils.go
@@ -1,7 +1,9 @@
 package main

 import (
+	"bytes"
 	"io"
+	"io/ioutil"
 	"net"
 	"os/exec"
 	"strings"
@@ -74,9 +76,15 @@ func assertSkopeoFails(c *check.C, regexp string, args ...string) {
 // runCommandWithInput runs a command as if exec.Command(), sending it the input to stdin,
 // and verifies that the exit status is 0, or terminates c on failure.
 func runCommandWithInput(c *check.C, input string, name string, args ...string) {
-	c.Logf("Running %s %s", name, strings.Join(args, " "))
 	cmd := exec.Command(name, args...)
-	consumeAndLogOutputs(c, name+" "+strings.Join(args, " "), cmd)
+	runExecCmdWithInput(c, cmd, input)
+}
+
+// runExecCmdWithInput runs an exec.Cmd, sending it the input to stdin,
+// and verifies that the exit status is 0, or terminates c on failure.
+func runExecCmdWithInput(c *check.C, cmd *exec.Cmd, input string) {
+	c.Logf("Running %s %s", cmd.Path, strings.Join(cmd.Args, " "))
+	consumeAndLogOutputs(c, cmd.Path+" "+strings.Join(cmd.Args, " "), cmd)
 	stdin, err := cmd.StdinPipe()
 	c.Assert(err, check.IsNil)
 	err = cmd.Start()
@@ -144,3 +152,25 @@ func modifyEnviron(env []string, name, value string) []string {
 	}
 	return append(res, prefix+value)
 }
+
+// fileFromFixtureFixture applies edits to inputPath and returns a path to the temporary file.
+// Callers should defer os.Remove(the_returned_path)
+func fileFromFixture(c *check.C, inputPath string, edits map[string]string) string {
+	contents, err := ioutil.ReadFile(inputPath)
+	c.Assert(err, check.IsNil)
+	for template, value := range edits {
+		updated := bytes.Replace(contents, []byte(template), []byte(value), -1)
+		c.Assert(bytes.Equal(updated, contents), check.Equals, false, check.Commentf("Replacing %s in %#v failed", template, string(contents))) // Verify that the template has matched something and we are not silently ignoring it.
+		contents = updated
+	}
+
+	file, err := ioutil.TempFile("", "policy.json")
+	c.Assert(err, check.IsNil)
+	path := file.Name()
+
+	_, err = file.Write(contents)
+	c.Assert(err, check.IsNil)
+	err = file.Close()
+	c.Assert(err, check.IsNil)
+	return path
+}
--- a/vendor.conf
+++ b/vendor.conf
@@ -0,0 +1,52 @@
+github.com/urfave/cli v1.17.0
+github.com/containers/image master
+github.com/opencontainers/go-digest master
+gopkg.in/cheggaaa/pb.v1 ad4efe000aa550bb54918c06ebbadc0ff17687b9 https://github.com/cheggaaa/pb
+github.com/containers/storage master
+github.com/sirupsen/logrus v1.0.0
+github.com/go-check/check v1
+github.com/stretchr/testify v1.1.3
+github.com/davecgh/go-spew master
+github.com/pmezard/go-difflib master
+github.com/pkg/errors master
+golang.org/x/crypto master
+# docker deps from https://github.com/docker/docker/blob/v1.11.2/hack/vendor.sh
+github.com/docker/docker 30eb4d8cdc422b023d5f11f29a82ecb73554183b
+github.com/docker/go-connections 3ede32e2033de7505e6500d6c868c2b9ed9f169d
+github.com/vbatts/tar-split v0.10.2
+github.com/gorilla/context 14f550f51a
+github.com/gorilla/mux e444e69cbd
+github.com/docker/go-units 8a7beacffa3009a9ac66bad506b18ffdd110cf97
+golang.org/x/net master
+github.com/gogo/protobuf fcdc5011193ff531a548e9b0301828d5a5b97fd8
+# end docker deps
+golang.org/x/text master
+github.com/docker/distribution master
+github.com/docker/libtrust master
+github.com/docker/docker-credential-helpers d68f9aeca33f5fd3f08eeae5e9d175edf4e731d1
+github.com/opencontainers/runc master
+github.com/opencontainers/image-spec v1.0.0
+# -- start OCI image validation requirements.
+github.com/opencontainers/runtime-spec v1.0.0
+github.com/opencontainers/image-tools 6d941547fa1df31900990b3fb47ec2468c9c6469
+github.com/xeipuuv/gojsonschema master
+github.com/xeipuuv/gojsonreference master
+github.com/xeipuuv/gojsonpointer master
+go4.org master https://github.com/camlistore/go4
+github.com/ostreedev/ostree-go aeb02c6b6aa2889db3ef62f7855650755befd460
+# -- end OCI image validation requirements
+github.com/mtrmac/gpgme master
+# openshift/origin' k8s dependencies as of OpenShift v1.1.5
+github.com/golang/glog 44145f04b68cf362d9c4df2182967c2275eaefed
+k8s.io/client-go master
+github.com/ghodss/yaml 73d445a93680fa1a78ae23a5839bad48f32ba1ee
+gopkg.in/yaml.v2 d466437aa4adc35830964cffc5b5f262c63ddcb4
+github.com/imdario/mergo 6633656539c1639d9d78127b7d47c622b5d7b6dc
+# containers/storage's dependencies that aren't already being pulled in
+github.com/mistifyio/go-zfs 22c9b32c84eb0d0c6f4043b6e90fc94073de92fa
+github.com/pborman/uuid v1.0
+github.com/opencontainers/selinux master
+golang.org/x/sys master
+github.com/tchap/go-patricia v2.2.6
+github.com/BurntSushi/toml master
+github.com/pquerna/ffjson d49c2bc1aa135aad0c6f4fc2056623ec78f5d5ac
--- a/vendor/k8s.io/kubernetes/docs/user-guide/update-demo/local/LICENSE.angular
+++ b/vendor/k8s.io/kubernetes/docs/user-guide/update-demo/local/LICENSE.angular
@@ -1,6 +1,6 @@
-The MIT License
+The MIT License (MIT)

-Copyright (c) 2010-2014 Google, Inc. http://angularjs.org
+Copyright (c) 2013 TOML authors

 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
--- a/vendor/github.com/BurntSushi/toml/README.md
+++ b/vendor/github.com/BurntSushi/toml/README.md
@@ -0,0 +1,218 @@
+## TOML parser and encoder for Go with reflection
+
+TOML stands for Tom's Obvious, Minimal Language. This Go package provides a
+reflection interface similar to Go's standard library `json` and `xml`
+packages. This package also supports the `encoding.TextUnmarshaler` and
+`encoding.TextMarshaler` interfaces so that you can define custom data
+representations. (There is an example of this below.)
+
+Spec: https://github.com/toml-lang/toml
+
+Compatible with TOML version
+[v0.4.0](https://github.com/toml-lang/toml/blob/master/versions/en/toml-v0.4.0.md)
+
+Documentation: https://godoc.org/github.com/BurntSushi/toml
+
+Installation:
+
+```bash
+go get github.com/BurntSushi/toml
+```
+
+Try the toml validator:
+
+```bash
+go get github.com/BurntSushi/toml/cmd/tomlv
+tomlv some-toml-file.toml
+```
+
+[![Build Status](https://travis-ci.org/BurntSushi/toml.svg?branch=master)](https://travis-ci.org/BurntSushi/toml) [![GoDoc](https://godoc.org/github.com/BurntSushi/toml?status.svg)](https://godoc.org/github.com/BurntSushi/toml)
+
+### Testing
+
+This package passes all tests in
+[toml-test](https://github.com/BurntSushi/toml-test) for both the decoder
+and the encoder.
+
+### Examples
+
+This package works similarly to how the Go standard library handles `XML`
+and `JSON`. Namely, data is loaded into Go values via reflection.
+
+For the simplest example, consider some TOML file as just a list of keys
+and values:
+
+```toml
+Age = 25
+Cats = [ "Cauchy", "Plato" ]
+Pi = 3.14
+Perfection = [ 6, 28, 496, 8128 ]
+DOB = 1987-07-05T05:45:00Z
+```
+
+Which could be defined in Go as:
+
+```go
+type Config struct {
+  Age int
+  Cats []string
+  Pi float64
+  Perfection []int
+  DOB time.Time // requires `import time`
+}
+```
+
+And then decoded with:
+
+```go
+var conf Config
+if _, err := toml.Decode(tomlData, &conf); err != nil {
+  // handle error
+}
+```
+
+You can also use struct tags if your struct field name doesn't map to a TOML
+key value directly:
+
+```toml
+some_key_NAME = "wat"
+```
+
+```go
+type TOML struct {
+  ObscureKey string `toml:"some_key_NAME"`
+}
+```
+
+### Using the `encoding.TextUnmarshaler` interface
+
+Here's an example that automatically parses duration strings into
+`time.Duration` values:
+
+```toml
+[[song]]
+name = "Thunder Road"
+duration = "4m49s"
+
+[[song]]
+name = "Stairway to Heaven"
+duration = "8m03s"
+```
+
+Which can be decoded with:
+
+```go
+type song struct {
+  Name     string
+  Duration duration
+}
+type songs struct {
+  Song []song
+}
+var favorites songs
+if _, err := toml.Decode(blob, &favorites); err != nil {
+  log.Fatal(err)
+}
+
+for _, s := range favorites.Song {
+  fmt.Printf("%s (%s)\n", s.Name, s.Duration)
+}
+```
+
+And you'll also need a `duration` type that satisfies the
+`encoding.TextUnmarshaler` interface:
+
+```go
+type duration struct {
+	time.Duration
+}
+
+func (d *duration) UnmarshalText(text []byte) error {
+	var err error
+	d.Duration, err = time.ParseDuration(string(text))
+	return err
+}
+```
+
+### More complex usage
+
+Here's an example of how to load the example from the official spec page:
+
+```toml
+# This is a TOML document. Boom.
+
+title = "TOML Example"
+
+[owner]
+name = "Tom Preston-Werner"
+organization = "GitHub"
+bio = "GitHub Cofounder & CEO\nLikes tater tots and beer."
+dob = 1979-05-27T07:32:00Z # First class dates? Why not?
+
+[database]
+server = "192.168.1.1"
+ports = [ 8001, 8001, 8002 ]
+connection_max = 5000
+enabled = true
+
+[servers]
+
+  # You can indent as you please. Tabs or spaces. TOML don't care.
+  [servers.alpha]
+  ip = "10.0.0.1"
+  dc = "eqdc10"
+
+  [servers.beta]
+  ip = "10.0.0.2"
+  dc = "eqdc10"
+
+[clients]
+data = [ ["gamma", "delta"], [1, 2] ] # just an update to make sure parsers support it
+
+# Line breaks are OK when inside arrays
+hosts = [
+  "alpha",
+  "omega"
+]
+```
+
+And the corresponding Go types are:
+
+```go
+type tomlConfig struct {
+	Title string
+	Owner ownerInfo
+	DB database `toml:"database"`
+	Servers map[string]server
+	Clients clients
+}
+
+type ownerInfo struct {
+	Name string
+	Org string `toml:"organization"`
+	Bio string
+	DOB time.Time
+}
+
+type database struct {
+	Server string
+	Ports []int
+	ConnMax int `toml:"connection_max"`
+	Enabled bool
+}
+
+type server struct {
+	IP string
+	DC string
+}
+
+type clients struct {
+	Data [][]interface{}
+	Hosts []string
+}
+```
+
+Note that a case insensitive match will be tried if an exact match can't be
+found.
+
+A working example of the above can be found in `_examples/example.{go,toml}`.
--- a/vendor/github.com/BurntSushi/toml/decode.go
+++ b/vendor/github.com/BurntSushi/toml/decode.go
@@ -0,0 +1,509 @@
+package toml
+
+import (
+	"fmt"
+	"io"
+	"io/ioutil"
+	"math"
+	"reflect"
+	"strings"
+	"time"
+)
+
+func e(format string, args ...interface{}) error {
+	return fmt.Errorf("toml: "+format, args...)
+}
+
+// Unmarshaler is the interface implemented by objects that can unmarshal a
+// TOML description of themselves.
+type Unmarshaler interface {
+	UnmarshalTOML(interface{}) error
+}
+
+// Unmarshal decodes the contents of `p` in TOML format into a pointer `v`.
+func Unmarshal(p []byte, v interface{}) error {
+	_, err := Decode(string(p), v)
+	return err
+}
+
+// Primitive is a TOML value that hasn't been decoded into a Go value.
+// When using the various `Decode*` functions, the type `Primitive` may
+// be given to any value, and its decoding will be delayed.
+//
+// A `Primitive` value can be decoded using the `PrimitiveDecode` function.
+//
+// The underlying representation of a `Primitive` value is subject to change.
+// Do not rely on it.
+//
+// N.B. Primitive values are still parsed, so using them will only avoid
+// the overhead of reflection. They can be useful when you don't know the
+// exact type of TOML data until run time.
+type Primitive struct {
+	undecoded interface{}
+	context   Key
+}
+
+// DEPRECATED!
+//
+// Use MetaData.PrimitiveDecode instead.
+func PrimitiveDecode(primValue Primitive, v interface{}) error {
+	md := MetaData{decoded: make(map[string]bool)}
+	return md.unify(primValue.undecoded, rvalue(v))
+}
+
+// PrimitiveDecode is just like the other `Decode*` functions, except it
+// decodes a TOML value that has already been parsed. Valid primitive values
+// can *only* be obtained from values filled by the decoder functions,
+// including this method. (i.e., `v` may contain more `Primitive`
+// values.)
+//
+// Meta data for primitive values is included in the meta data returned by
+// the `Decode*` functions with one exception: keys returned by the Undecoded
+// method will only reflect keys that were decoded. Namely, any keys hidden
+// behind a Primitive will be considered undecoded. Executing this method will
+// update the undecoded keys in the meta data. (See the example.)
+func (md *MetaData) PrimitiveDecode(primValue Primitive, v interface{}) error {
+	md.context = primValue.context
+	defer func() { md.context = nil }()
+	return md.unify(primValue.undecoded, rvalue(v))
+}
+
+// Decode will decode the contents of `data` in TOML format into a pointer
+// `v`.
+//
+// TOML hashes correspond to Go structs or maps. (Dealer's choice. They can be
+// used interchangeably.)
+//
+// TOML arrays of tables correspond to either a slice of structs or a slice
+// of maps.
+//
+// TOML datetimes correspond to Go `time.Time` values.
+//
+// All other TOML types (float, string, int, bool and array) correspond
+// to the obvious Go types.
+//
+// An exception to the above rules is if a type implements the
+// encoding.TextUnmarshaler interface. In this case, any primitive TOML value
+// (floats, strings, integers, booleans and datetimes) will be converted to
+// a byte string and given to the value's UnmarshalText method. See the
+// Unmarshaler example for a demonstration with time duration strings.
+//
+// Key mapping
+//
+// TOML keys can map to either keys in a Go map or field names in a Go
+// struct. The special `toml` struct tag may be used to map TOML keys to
+// struct fields that don't match the key name exactly. (See the example.)
+// A case insensitive match to struct names will be tried if an exact match
+// can't be found.
+//
+// The mapping between TOML values and Go values is loose. That is, there
+// may exist TOML values that cannot be placed into your representation, and
+// there may be parts of your representation that do not correspond to
+// TOML values. This loose mapping can be made stricter by using the IsDefined
+// and/or Undecoded methods on the MetaData returned.
+//
+// This decoder will not handle cyclic types. If a cyclic type is passed,
+// `Decode` will not terminate.
+func Decode(data string, v interface{}) (MetaData, error) {
+	rv := reflect.ValueOf(v)
+	if rv.Kind() != reflect.Ptr {
+		return MetaData{}, e("Decode of non-pointer %s", reflect.TypeOf(v))
+	}
+	if rv.IsNil() {
+		return MetaData{}, e("Decode of nil %s", reflect.TypeOf(v))
+	}
+	p, err := parse(data)
+	if err != nil {
+		return MetaData{}, err
+	}
+	md := MetaData{
+		p.mapping, p.types, p.ordered,
+		make(map[string]bool, len(p.ordered)), nil,
+	}
+	return md, md.unify(p.mapping, indirect(rv))
+}
+
+// DecodeFile is just like Decode, except it will automatically read the
+// contents of the file at `fpath` and decode it for you.
+func DecodeFile(fpath string, v interface{}) (MetaData, error) {
+	bs, err := ioutil.ReadFile(fpath)
+	if err != nil {
+		return MetaData{}, err
+	}
+	return Decode(string(bs), v)
+}
+
+// DecodeReader is just like Decode, except it will consume all bytes
+// from the reader and decode it for you.
+func DecodeReader(r io.Reader, v interface{}) (MetaData, error) {
+	bs, err := ioutil.ReadAll(r)
+	if err != nil {
+		return MetaData{}, err
+	}
+	return Decode(string(bs), v)
+}
+
+// unify performs a sort of type unification based on the structure of `rv`,
+// which is the client representation.
+//
+// Any type mismatch produces an error. Finding a type that we don't know
+// how to handle produces an unsupported type error.
+func (md *MetaData) unify(data interface{}, rv reflect.Value) error {
+
+	// Special case. Look for a `Primitive` value.
+	if rv.Type() == reflect.TypeOf((*Primitive)(nil)).Elem() {
+		// Save the undecoded data and the key context into the primitive
+		// value.
+		context := make(Key, len(md.context))
+		copy(context, md.context)
+		rv.Set(reflect.ValueOf(Primitive{
+			undecoded: data,
+			context:   context,
+		}))
+		return nil
+	}
+
+	// Special case. Unmarshaler Interface support.
+	if rv.CanAddr() {
+		if v, ok := rv.Addr().Interface().(Unmarshaler); ok {
+			return v.UnmarshalTOML(data)
+		}
+	}
+
+	// Special case. Handle time.Time values specifically.
+	// TODO: Remove this code when we decide to drop support for Go 1.1.
+	// This isn't necessary in Go 1.2 because time.Time satisfies the encoding
+	// interfaces.
+	if rv.Type().AssignableTo(rvalue(time.Time{}).Type()) {
+		return md.unifyDatetime(data, rv)
+	}
+
+	// Special case. Look for a value satisfying the TextUnmarshaler interface.
+	if v, ok := rv.Interface().(TextUnmarshaler); ok {
+		return md.unifyText(data, v)
+	}
+	// BUG(burntsushi)
+	// The behavior here is incorrect whenever a Go type satisfies the
+	// encoding.TextUnmarshaler interface but also corresponds to a TOML
+	// hash or array. In particular, the unmarshaler should only be applied
+	// to primitive TOML values. But at this point, it will be applied to
+	// all kinds of values and produce an incorrect error whenever those values
+	// are hashes or arrays (including arrays of tables).
+
+	k := rv.Kind()
+
+	// laziness
+	if k >= reflect.Int && k <= reflect.Uint64 {
+		return md.unifyInt(data, rv)
+	}
+	switch k {
+	case reflect.Ptr:
+		elem := reflect.New(rv.Type().Elem())
+		err := md.unify(data, reflect.Indirect(elem))
+		if err != nil {
+			return err
+		}
+		rv.Set(elem)
+		return nil
+	case reflect.Struct:
+		return md.unifyStruct(data, rv)
+	case reflect.Map:
+		return md.unifyMap(data, rv)
+	case reflect.Array:
+		return md.unifyArray(data, rv)
+	case reflect.Slice:
+		return md.unifySlice(data, rv)
+	case reflect.String:
+		return md.unifyString(data, rv)
+	case reflect.Bool:
+		return md.unifyBool(data, rv)
+	case reflect.Interface:
+		// we only support empty interfaces.
+		if rv.NumMethod() > 0 {
+			return e("unsupported type %s", rv.Type())
+		}
+		return md.unifyAnything(data, rv)
+	case reflect.Float32:
+		fallthrough
+	case reflect.Float64:
+		return md.unifyFloat64(data, rv)
+	}
+	return e("unsupported type %s", rv.Kind())
+}
+
+func (md *MetaData) unifyStruct(mapping interface{}, rv reflect.Value) error {
+	tmap, ok := mapping.(map[string]interface{})
+	if !ok {
+		if mapping == nil {
+			return nil
+		}
+		return e("type mismatch for %s: expected table but found %T",
+			rv.Type().String(), mapping)
+	}
+
+	for key, datum := range tmap {
+		var f *field
+		fields := cachedTypeFields(rv.Type())
+		for i := range fields {
+			ff := &fields[i]
+			if ff.name == key {
+				f = ff
+				break
+			}
+			if f == nil && strings.EqualFold(ff.name, key) {
+				f = ff
+			}
+		}
+		if f != nil {
+			subv := rv
+			for _, i := range f.index {
+				subv = indirect(subv.Field(i))
+			}
+			if isUnifiable(subv) {
+				md.decoded[md.context.add(key).String()] = true
+				md.context = append(md.context, key)
+				if err := md.unify(datum, subv); err != nil {
+					return err
+				}
+				md.context = md.context[0 : len(md.context)-1]
+			} else if f.name != "" {
+				// Bad user! No soup for you!
+				return e("cannot write unexported field %s.%s",
+					rv.Type().String(), f.name)
+			}
+		}
+	}
+	return nil
+}
+
+func (md *MetaData) unifyMap(mapping interface{}, rv reflect.Value) error {
+	tmap, ok := mapping.(map[string]interface{})
+	if !ok {
+		if tmap == nil {
+			return nil
+		}
+		return badtype("map", mapping)
+	}
+	if rv.IsNil() {
+		rv.Set(reflect.MakeMap(rv.Type()))
+	}
+	for k, v := range tmap {
+		md.decoded[md.context.add(k).String()] = true
+		md.context = append(md.context, k)
+
+		rvkey := indirect(reflect.New(rv.Type().Key()))
+		rvval := reflect.Indirect(reflect.New(rv.Type().Elem()))
+		if err := md.unify(v, rvval); err != nil {
+			return err
+		}
+		md.context = md.context[0 : len(md.context)-1]
+
+		rvkey.SetString(k)
+		rv.SetMapIndex(rvkey, rvval)
+	}
+	return nil
+}
+
+func (md *MetaData) unifyArray(data interface{}, rv reflect.Value) error {
+	datav := reflect.ValueOf(data)
+	if datav.Kind() != reflect.Slice {
+		if !datav.IsValid() {
+			return nil
+		}
+		return badtype("slice", data)
+	}
+	sliceLen := datav.Len()
+	if sliceLen != rv.Len() {
+		return e("expected array length %d; got TOML array of length %d",
+			rv.Len(), sliceLen)
+	}
+	return md.unifySliceArray(datav, rv)
+}
+
+func (md *MetaData) unifySlice(data interface{}, rv reflect.Value) error {
+	datav := reflect.ValueOf(data)
+	if datav.Kind() != reflect.Slice {
+		if !datav.IsValid() {
+			return nil
+		}
+		return badtype("slice", data)
+	}
+	n := datav.Len()
+	if rv.IsNil() || rv.Cap() < n {
+		rv.Set(reflect.MakeSlice(rv.Type(), n, n))
+	}
+	rv.SetLen(n)
+	return md.unifySliceArray(datav, rv)
+}
+
+func (md *MetaData) unifySliceArray(data, rv reflect.Value) error {
+	sliceLen := data.Len()
+	for i := 0; i < sliceLen; i++ {
+		v := data.Index(i).Interface()
+		sliceval := indirect(rv.Index(i))
+		if err := md.unify(v, sliceval); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (md *MetaData) unifyDatetime(data interface{}, rv reflect.Value) error {
+	if _, ok := data.(time.Time); ok {
+		rv.Set(reflect.ValueOf(data))
+		return nil
+	}
+	return badtype("time.Time", data)
+}
+
+func (md *MetaData) unifyString(data interface{}, rv reflect.Value) error {
+	if s, ok := data.(string); ok {
+		rv.SetString(s)
+		return nil
+	}
+	return badtype("string", data)
+}
+
+func (md *MetaData) unifyFloat64(data interface{}, rv reflect.Value) error {
+	if num, ok := data.(float64); ok {
+		switch rv.Kind() {
+		case reflect.Float32:
+			fallthrough
+		case reflect.Float64:
+			rv.SetFloat(num)
+		default:
+			panic("bug")
+		}
+		return nil
+	}
+	return badtype("float", data)
+}
+
+func (md *MetaData) unifyInt(data interface{}, rv reflect.Value) error {
+	if num, ok := data.(int64); ok {
+		if rv.Kind() >= reflect.Int && rv.Kind() <= reflect.Int64 {
+			switch rv.Kind() {
+			case reflect.Int, reflect.Int64:
+				// No bounds checking necessary.
+			case reflect.Int8:
+				if num < math.MinInt8 || num > math.MaxInt8 {
+					return e("value %d is out of range for int8", num)
+				}
+			case reflect.Int16:
+				if num < math.MinInt16 || num > math.MaxInt16 {
+					return e("value %d is out of range for int16", num)
+				}
+			case reflect.Int32:
+				if num < math.MinInt32 || num > math.MaxInt32 {
+					return e("value %d is out of range for int32", num)
+				}
+			}
+			rv.SetInt(num)
+		} else if rv.Kind() >= reflect.Uint && rv.Kind() <= reflect.Uint64 {
+			unum := uint64(num)
+			switch rv.Kind() {
+			case reflect.Uint, reflect.Uint64:
+				// No bounds checking necessary.
+			case reflect.Uint8:
+				if num < 0 || unum > math.MaxUint8 {
+					return e("value %d is out of range for uint8", num)
+				}
+			case reflect.Uint16:
+				if num < 0 || unum > math.MaxUint16 {
+					return e("value %d is out of range for uint16", num)
+				}
+			case reflect.Uint32:
+				if num < 0 || unum > math.MaxUint32 {
+					return e("value %d is out of range for uint32", num)
+				}
+			}
+			rv.SetUint(unum)
+		} else {
+			panic("unreachable")
+		}
+		return nil
+	}
+	return badtype("integer", data)
+}
+
+func (md *MetaData) unifyBool(data interface{}, rv reflect.Value) error {
+	if b, ok := data.(bool); ok {
+		rv.SetBool(b)
+		return nil
+	}
+	return badtype("boolean", data)
+}
+
+func (md *MetaData) unifyAnything(data interface{}, rv reflect.Value) error {
+	rv.Set(reflect.ValueOf(data))
+	return nil
+}
+
+func (md *MetaData) unifyText(data interface{}, v TextUnmarshaler) error {
+	var s string
+	switch sdata := data.(type) {
+	case TextMarshaler:
+		text, err := sdata.MarshalText()
+		if err != nil {
+			return err
+		}
+		s = string(text)
+	case fmt.Stringer:
+		s = sdata.String()
+	case string:
+		s = sdata
+	case bool:
+		s = fmt.Sprintf("%v", sdata)
+	case int64:
+		s = fmt.Sprintf("%d", sdata)
+	case float64:
+		s = fmt.Sprintf("%f", sdata)
+	default:
+		return badtype("primitive (string-like)", data)
+	}
+	if err := v.UnmarshalText([]byte(s)); err != nil {
+		return err
+	}
+	return nil
+}
+
+// rvalue returns a reflect.Value of `v`. All pointers are resolved.
+func rvalue(v interface{}) reflect.Value {
+	return indirect(reflect.ValueOf(v))
+}
+
+// indirect returns the value pointed to by a pointer.
+// Pointers are followed until the value is not a pointer.
+// New values are allocated for each nil pointer.
+//
+// An exception to this rule is if the value satisfies an interface of
+// interest to us (like encoding.TextUnmarshaler).
+func indirect(v reflect.Value) reflect.Value {
+	if v.Kind() != reflect.Ptr {
+		if v.CanSet() {
+			pv := v.Addr()
+			if _, ok := pv.Interface().(TextUnmarshaler); ok {
+				return pv
+			}
+		}
+		return v
+	}
+	if v.IsNil() {
+		v.Set(reflect.New(v.Type().Elem()))
+	}
+	return indirect(reflect.Indirect(v))
+}
+
+func isUnifiable(rv reflect.Value) bool {
+	if rv.CanSet() {
+		return true
+	}
+	if _, ok := rv.Interface().(TextUnmarshaler); ok {
+		return true
+	}
+	return false
+}
+
+func badtype(expected string, data interface{}) error {
+	return e("cannot load TOML value of type %T into a Go %s", data, expected)
+}
--- a/vendor/github.com/BurntSushi/toml/decode_meta.go
+++ b/vendor/github.com/BurntSushi/toml/decode_meta.go
@@ -0,0 +1,121 @@
+package toml
+
+import "strings"
+
+// MetaData allows access to meta information about TOML data that may not
+// be inferrable via reflection. In particular, whether a key has been defined
+// and the TOML type of a key.
+type MetaData struct {
+	mapping map[string]interface{}
+	types   map[string]tomlType
+	keys    []Key
+	decoded map[string]bool
+	context Key // Used only during decoding.
+}
+
+// IsDefined returns true if the key given exists in the TOML data. The key
+// should be specified hierarchially. e.g.,
+//
+//	// access the TOML key 'a.b.c'
+//	IsDefined("a", "b", "c")
+//
+// IsDefined will return false if an empty key given. Keys are case sensitive.
+func (md *MetaData) IsDefined(key ...string) bool {
+	if len(key) == 0 {
+		return false
+	}
+
+	var hash map[string]interface{}
+	var ok bool
+	var hashOrVal interface{} = md.mapping
+	for _, k := range key {
+		if hash, ok = hashOrVal.(map[string]interface{}); !ok {
+			return false
+		}
+		if hashOrVal, ok = hash[k]; !ok {
+			return false
+		}
+	}
+	return true
+}
+
+// Type returns a string representation of the type of the key specified.
+//
+// Type will return the empty string if given an empty key or a key that
+// does not exist. Keys are case sensitive.
+func (md *MetaData) Type(key ...string) string {
+	fullkey := strings.Join(key, ".")
+	if typ, ok := md.types[fullkey]; ok {
+		return typ.typeString()
+	}
+	return ""
+}
+
+// Key is the type of any TOML key, including key groups. Use (MetaData).Keys
+// to get values of this type.
+type Key []string
+
+func (k Key) String() string {
+	return strings.Join(k, ".")
+}
+
+func (k Key) maybeQuotedAll() string {
+	var ss []string
+	for i := range k {
+		ss = append(ss, k.maybeQuoted(i))
+	}
+	return strings.Join(ss, ".")
+}
+
+func (k Key) maybeQuoted(i int) string {
+	quote := false
+	for _, c := range k[i] {
+		if !isBareKeyChar(c) {
+			quote = true
+			break
+		}
+	}
+	if quote {
+		return "\"" + strings.Replace(k[i], "\"", "\\\"", -1) + "\""
+	}
+	return k[i]
+}
+
+func (k Key) add(piece string) Key {
+	newKey := make(Key, len(k)+1)
+	copy(newKey, k)
+	newKey[len(k)] = piece
+	return newKey
+}
+
+// Keys returns a slice of every key in the TOML data, including key groups.
+// Each key is itself a slice, where the first element is the top of the
+// hierarchy and the last is the most specific.
+//
+// The list will have the same order as the keys appeared in the TOML data.
+//
+// All keys returned are non-empty.
+func (md *MetaData) Keys() []Key {
+	return md.keys
+}
+
+// Undecoded returns all keys that have not been decoded in the order in which
+// they appear in the original TOML document.
+//
+// This includes keys that haven't been decoded because of a Primitive value.
+// Once the Primitive value is decoded, the keys will be considered decoded.
+//
+// Also note that decoding into an empty interface will result in no decoding,
+// and so no keys will be considered decoded.
+//
+// In this sense, the Undecoded keys correspond to keys in the TOML document
+// that do not have a concrete type in your representation.
+func (md *MetaData) Undecoded() []Key {
+	undecoded := make([]Key, 0, len(md.keys))
+	for _, key := range md.keys {
+		if !md.decoded[key.String()] {
+			undecoded = append(undecoded, key)
+		}
+	}
+	return undecoded
+}
--- a/vendor/github.com/BurntSushi/toml/doc.go
+++ b/vendor/github.com/BurntSushi/toml/doc.go
@@ -0,0 +1,27 @@
+/*
+Package toml provides facilities for decoding and encoding TOML configuration
+files via reflection. There is also support for delaying decoding with
+the Primitive type, and querying the set of keys in a TOML document with the
+MetaData type.
+
+The specification implemented: https://github.com/toml-lang/toml
+
+The sub-command github.com/BurntSushi/toml/cmd/tomlv can be used to verify
+whether a file is a valid TOML document. It can also be used to print the
+type of each key in a TOML document.
+
+Testing
+
+There are two important types of tests used for this package. The first is
+contained inside '*_test.go' files and uses the standard Go unit testing
+framework. These tests are primarily devoted to holistically testing the
+decoder and encoder.
+
+The second type of testing is used to verify the implementation's adherence
+to the TOML specification. These tests have been factored into their own
+project: https://github.com/BurntSushi/toml-test
+
+The reason the tests are in a separate project is so that they can be used by
+any implementation of TOML. Namely, it is language agnostic.
+*/
+package toml
--- a/vendor/github.com/BurntSushi/toml/encode.go
+++ b/vendor/github.com/BurntSushi/toml/encode.go
@@ -0,0 +1,568 @@
+package toml
+
+import (
+	"bufio"
+	"errors"
+	"fmt"
+	"io"
+	"reflect"
+	"sort"
+	"strconv"
+	"strings"
+	"time"
+)
+
+type tomlEncodeError struct{ error }
+
+var (
+	errArrayMixedElementTypes = errors.New(
+		"toml: cannot encode array with mixed element types")
+	errArrayNilElement = errors.New(
+		"toml: cannot encode array with nil element")
+	errNonString = errors.New(
+		"toml: cannot encode a map with non-string key type")
+	errAnonNonStruct = errors.New(
+		"toml: cannot encode an anonymous field that is not a struct")
+	errArrayNoTable = errors.New(
+		"toml: TOML array element cannot contain a table")
+	errNoKey = errors.New(
+		"toml: top-level values must be Go maps or structs")
+	errAnything = errors.New("") // used in testing
+)
+
+var quotedReplacer = strings.NewReplacer(
+	"\t", "\\t",
+	"\n", "\\n",
+	"\r", "\\r",
+	"\"", "\\\"",
+	"\\", "\\\\",
+)
+
+// Encoder controls the encoding of Go values to a TOML document to some
+// io.Writer.
+//
+// The indentation level can be controlled with the Indent field.
+type Encoder struct {
+	// A single indentation level. By default it is two spaces.
+	Indent string
+
+	// hasWritten is whether we have written any output to w yet.
+	hasWritten bool
+	w          *bufio.Writer
+}
+
+// NewEncoder returns a TOML encoder that encodes Go values to the io.Writer
+// given. By default, a single indentation level is 2 spaces.
+func NewEncoder(w io.Writer) *Encoder {
+	return &Encoder{
+		w:      bufio.NewWriter(w),
+		Indent: "  ",
+	}
+}
+
+// Encode writes a TOML representation of the Go value to the underlying
+// io.Writer. If the value given cannot be encoded to a valid TOML document,
+// then an error is returned.
+//
+// The mapping between Go values and TOML values should be precisely the same
+// as for the Decode* functions. Similarly, the TextMarshaler interface is
+// supported by encoding the resulting bytes as strings. (If you want to write
+// arbitrary binary data then you will need to use something like base64 since
+// TOML does not have any binary types.)
+//
+// When encoding TOML hashes (i.e., Go maps or structs), keys without any
+// sub-hashes are encoded first.
+//
+// If a Go map is encoded, then its keys are sorted alphabetically for
+// deterministic output. More control over this behavior may be provided if
+// there is demand for it.
+//
+// Encoding Go values without a corresponding TOML representation---like map
+// types with non-string keys---will cause an error to be returned. Similarly
+// for mixed arrays/slices, arrays/slices with nil elements, embedded
+// non-struct types and nested slices containing maps or structs.
+// (e.g., [][]map[string]string is not allowed but []map[string]string is OK
+// and so is []map[string][]string.)
+func (enc *Encoder) Encode(v interface{}) error {
+	rv := eindirect(reflect.ValueOf(v))
+	if err := enc.safeEncode(Key([]string{}), rv); err != nil {
+		return err
+	}
+	return enc.w.Flush()
+}
+
+func (enc *Encoder) safeEncode(key Key, rv reflect.Value) (err error) {
+	defer func() {
+		if r := recover(); r != nil {
+			if terr, ok := r.(tomlEncodeError); ok {
+				err = terr.error
+				return
+			}
+			panic(r)
+		}
+	}()
+	enc.encode(key, rv)
+	return nil
+}
+
+func (enc *Encoder) encode(key Key, rv reflect.Value) {
+	// Special case. Time needs to be in ISO8601 format.
+	// Special case. If we can marshal the type to text, then we used that.
+	// Basically, this prevents the encoder for handling these types as
+	// generic structs (or whatever the underlying type of a TextMarshaler is).
+	switch rv.Interface().(type) {
+	case time.Time, TextMarshaler:
+		enc.keyEqElement(key, rv)
+		return
+	}
+
+	k := rv.Kind()
+	switch k {
+	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32,
+		reflect.Int64,
+		reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32,
+		reflect.Uint64,
+		reflect.Float32, reflect.Float64, reflect.String, reflect.Bool:
+		enc.keyEqElement(key, rv)
+	case reflect.Array, reflect.Slice:
+		if typeEqual(tomlArrayHash, tomlTypeOfGo(rv)) {
+			enc.eArrayOfTables(key, rv)
+		} else {
+			enc.keyEqElement(key, rv)
+		}
+	case reflect.Interface:
+		if rv.IsNil() {
+			return
+		}
+		enc.encode(key, rv.Elem())
+	case reflect.Map:
+		if rv.IsNil() {
+			return
+		}
+		enc.eTable(key, rv)
+	case reflect.Ptr:
+		if rv.IsNil() {
+			return
+		}
+		enc.encode(key, rv.Elem())
+	case reflect.Struct:
+		enc.eTable(key, rv)
+	default:
+		panic(e("unsupported type for key '%s': %s", key, k))
+	}
+}
+
+// eElement encodes any value that can be an array element (primitives and
+// arrays).
+func (enc *Encoder) eElement(rv reflect.Value) {
+	switch v := rv.Interface().(type) {
+	case time.Time:
+		// Special case time.Time as a primitive. Has to come before
+		// TextMarshaler below because time.Time implements
+		// encoding.TextMarshaler, but we need to always use UTC.
+		enc.wf(v.UTC().Format("2006-01-02T15:04:05Z"))
+		return
+	case TextMarshaler:
+		// Special case. Use text marshaler if it's available for this value.
+		if s, err := v.MarshalText(); err != nil {
+			encPanic(err)
+		} else {
+			enc.writeQuoted(string(s))
+		}
+		return
+	}
+	switch rv.Kind() {
+	case reflect.Bool:
+		enc.wf(strconv.FormatBool(rv.Bool()))
+	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32,
+		reflect.Int64:
+		enc.wf(strconv.FormatInt(rv.Int(), 10))
+	case reflect.Uint, reflect.Uint8, reflect.Uint16,
+		reflect.Uint32, reflect.Uint64:
+		enc.wf(strconv.FormatUint(rv.Uint(), 10))
+	case reflect.Float32:
+		enc.wf(floatAddDecimal(strconv.FormatFloat(rv.Float(), 'f', -1, 32)))
+	case reflect.Float64:
+		enc.wf(floatAddDecimal(strconv.FormatFloat(rv.Float(), 'f', -1, 64)))
+	case reflect.Array, reflect.Slice:
+		enc.eArrayOrSliceElement(rv)
+	case reflect.Interface:
+		enc.eElement(rv.Elem())
+	case reflect.String:
+		enc.writeQuoted(rv.String())
+	default:
+		panic(e("unexpected primitive type: %s", rv.Kind()))
+	}
+}
+
+// By the TOML spec, all floats must have a decimal with at least one
+// number on either side.
+func floatAddDecimal(fstr string) string {
+	if !strings.Contains(fstr, ".") {
+		return fstr + ".0"
+	}
+	return fstr
+}
+
+func (enc *Encoder) writeQuoted(s string) {
+	enc.wf("\"%s\"", quotedReplacer.Replace(s))
+}
+
+func (enc *Encoder) eArrayOrSliceElement(rv reflect.Value) {
+	length := rv.Len()
+	enc.wf("[")
+	for i := 0; i < length; i++ {
+		elem := rv.Index(i)
+		enc.eElement(elem)
+		if i != length-1 {
+			enc.wf(", ")
+		}
+	}
+	enc.wf("]")
+}
+
+func (enc *Encoder) eArrayOfTables(key Key, rv reflect.Value) {
+	if len(key) == 0 {
+		encPanic(errNoKey)
+	}
+	for i := 0; i < rv.Len(); i++ {
+		trv := rv.Index(i)
+		if isNil(trv) {
+			continue
+		}
+		panicIfInvalidKey(key)
+		enc.newline()
+		enc.wf("%s[[%s]]", enc.indentStr(key), key.maybeQuotedAll())
+		enc.newline()
+		enc.eMapOrStruct(key, trv)
+	}
+}
+
+func (enc *Encoder) eTable(key Key, rv reflect.Value) {
+	panicIfInvalidKey(key)
+	if len(key) == 1 {
+		// Output an extra newline between top-level tables.
+		// (The newline isn't written if nothing else has been written though.)
+		enc.newline()
+	}
+	if len(key) > 0 {
+		enc.wf("%s[%s]", enc.indentStr(key), key.maybeQuotedAll())
+		enc.newline()
+	}
+	enc.eMapOrStruct(key, rv)
+}
+
+func (enc *Encoder) eMapOrStruct(key Key, rv reflect.Value) {
+	switch rv := eindirect(rv); rv.Kind() {
+	case reflect.Map:
+		enc.eMap(key, rv)
+	case reflect.Struct:
+		enc.eStruct(key, rv)
+	default:
+		panic("eTable: unhandled reflect.Value Kind: " + rv.Kind().String())
+	}
+}
+
+func (enc *Encoder) eMap(key Key, rv reflect.Value) {
+	rt := rv.Type()
+	if rt.Key().Kind() != reflect.String {
+		encPanic(errNonString)
+	}
+
+	// Sort keys so that we have deterministic output. And write keys directly
+	// underneath this key first, before writing sub-structs or sub-maps.
+	var mapKeysDirect, mapKeysSub []string
+	for _, mapKey := range rv.MapKeys() {
+		k := mapKey.String()
+		if typeIsHash(tomlTypeOfGo(rv.MapIndex(mapKey))) {
+			mapKeysSub = append(mapKeysSub, k)
+		} else {
+			mapKeysDirect = append(mapKeysDirect, k)
+		}
+	}
+
+	var writeMapKeys = func(mapKeys []string) {
+		sort.Strings(mapKeys)
+		for _, mapKey := range mapKeys {
+			mrv := rv.MapIndex(reflect.ValueOf(mapKey))
+			if isNil(mrv) {
+				// Don't write anything for nil fields.
+				continue
+			}
+			enc.encode(key.add(mapKey), mrv)
+		}
+	}
+	writeMapKeys(mapKeysDirect)
+	writeMapKeys(mapKeysSub)
+}
+
+func (enc *Encoder) eStruct(key Key, rv reflect.Value) {
+	// Write keys for fields directly under this key first, because if we write
+	// a field that creates a new table, then all keys under it will be in that
+	// table (not the one we're writing here).
+	rt := rv.Type()
+	var fieldsDirect, fieldsSub [][]int
+	var addFields func(rt reflect.Type, rv reflect.Value, start []int)
+	addFields = func(rt reflect.Type, rv reflect.Value, start []int) {
+		for i := 0; i < rt.NumField(); i++ {
+			f := rt.Field(i)
+			// skip unexported fields
+			if f.PkgPath != "" && !f.Anonymous {
+				continue
+			}
+			frv := rv.Field(i)
+			if f.Anonymous {
+				t := f.Type
+				switch t.Kind() {
+				case reflect.Struct:
+					// Treat anonymous struct fields with
+					// tag names as though they are not
+					// anonymous, like encoding/json does.
+					if getOptions(f.Tag).name == "" {
+						addFields(t, frv, f.Index)
+						continue
+					}
+				case reflect.Ptr:
+					if t.Elem().Kind() == reflect.Struct &&
+						getOptions(f.Tag).name == "" {
+						if !frv.IsNil() {
+							addFields(t.Elem(), frv.Elem(), f.Index)
+						}
+						continue
+					}
+					// Fall through to the normal field encoding logic below
+					// for non-struct anonymous fields.
+				}
+			}
+
+			if typeIsHash(tomlTypeOfGo(frv)) {
+				fieldsSub = append(fieldsSub, append(start, f.Index...))
+			} else {
+				fieldsDirect = append(fieldsDirect, append(start, f.Index...))
+			}
+		}
+	}
+	addFields(rt, rv, nil)
+
+	var writeFields = func(fields [][]int) {
+		for _, fieldIndex := range fields {
+			sft := rt.FieldByIndex(fieldIndex)
+			sf := rv.FieldByIndex(fieldIndex)
+			if isNil(sf) {
+				// Don't write anything for nil fields.
+				continue
+			}
+
+			opts := getOptions(sft.Tag)
+			if opts.skip {
+				continue
+			}
+			keyName := sft.Name
+			if opts.name != "" {
+				keyName = opts.name
+			}
+			if opts.omitempty && isEmpty(sf) {
+				continue
+			}
+			if opts.omitzero && isZero(sf) {
+				continue
+			}
+
+			enc.encode(key.add(keyName), sf)
+		}
+	}
+	writeFields(fieldsDirect)
+	writeFields(fieldsSub)
+}
+
+// tomlTypeName returns the TOML type name of the Go value's type. It is
+// used to determine whether the types of array elements are mixed (which is
+// forbidden). If the Go value is nil, then it is illegal for it to be an array
+// element, and valueIsNil is returned as true.
+
+// Returns the TOML type of a Go value. The type may be `nil`, which means
+// no concrete TOML type could be found.
+func tomlTypeOfGo(rv reflect.Value) tomlType {
+	if isNil(rv) || !rv.IsValid() {
+		return nil
+	}
+	switch rv.Kind() {
+	case reflect.Bool:
+		return tomlBool
+	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32,
+		reflect.Int64,
+		reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32,
+		reflect.Uint64:
+		return tomlInteger
+	case reflect.Float32, reflect.Float64:
+		return tomlFloat
+	case reflect.Array, reflect.Slice:
+		if typeEqual(tomlHash, tomlArrayType(rv)) {
+			return tomlArrayHash
+		}
+		return tomlArray
+	case reflect.Ptr, reflect.Interface:
+		return tomlTypeOfGo(rv.Elem())
+	case reflect.String:
+		return tomlString
+	case reflect.Map:
+		return tomlHash
+	case reflect.Struct:
+		switch rv.Interface().(type) {
+		case time.Time:
+			return tomlDatetime
+		case TextMarshaler:
+			return tomlString
+		default:
+			return tomlHash
+		}
+	default:
+		panic("unexpected reflect.Kind: " + rv.Kind().String())
+	}
+}
+
+// tomlArrayType returns the element type of a TOML array. The type returned
+// may be nil if it cannot be determined (e.g., a nil slice or a zero length
+// slize). This function may also panic if it finds a type that cannot be
+// expressed in TOML (such as nil elements, heterogeneous arrays or directly
+// nested arrays of tables).
+func tomlArrayType(rv reflect.Value) tomlType {
+	if isNil(rv) || !rv.IsValid() || rv.Len() == 0 {
+		return nil
+	}
+	firstType := tomlTypeOfGo(rv.Index(0))
+	if firstType == nil {
+		encPanic(errArrayNilElement)
+	}
+
+	rvlen := rv.Len()
+	for i := 1; i < rvlen; i++ {
+		elem := rv.Index(i)
+		switch elemType := tomlTypeOfGo(elem); {
+		case elemType == nil:
+			encPanic(errArrayNilElement)
+		case !typeEqual(firstType, elemType):
+			encPanic(errArrayMixedElementTypes)
+		}
+	}
+	// If we have a nested array, then we must make sure that the nested
+	// array contains ONLY primitives.
+	// This checks arbitrarily nested arrays.
+	if typeEqual(firstType, tomlArray) || typeEqual(firstType, tomlArrayHash) {
+		nest := tomlArrayType(eindirect(rv.Index(0)))
+		if typeEqual(nest, tomlHash) || typeEqual(nest, tomlArrayHash) {
+			encPanic(errArrayNoTable)
+		}
+	}
+	return firstType
+}
+
+type tagOptions struct {
+	skip      bool // "-"
+	name      string
+	omitempty bool
+	omitzero  bool
+}
+
+func getOptions(tag reflect.StructTag) tagOptions {
+	t := tag.Get("toml")
+	if t == "-" {
+		return tagOptions{skip: true}
+	}
+	var opts tagOptions
+	parts := strings.Split(t, ",")
+	opts.name = parts[0]
+	for _, s := range parts[1:] {
+		switch s {
+		case "omitempty":
+			opts.omitempty = true
+		case "omitzero":
+			opts.omitzero = true
+		}
+	}
+	return opts
+}
+
+func isZero(rv reflect.Value) bool {
+	switch rv.Kind() {
+	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
+		return rv.Int() == 0
+	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64:
+		return rv.Uint() == 0
+	case reflect.Float32, reflect.Float64:
+		return rv.Float() == 0.0
+	}
+	return false
+}
+
+func isEmpty(rv reflect.Value) bool {
+	switch rv.Kind() {
+	case reflect.Array, reflect.Slice, reflect.Map, reflect.String:
+		return rv.Len() == 0
+	case reflect.Bool:
+		return !rv.Bool()
+	}
+	return false
+}
+
+func (enc *Encoder) newline() {
+	if enc.hasWritten {
+		enc.wf("\n")
+	}
+}
+
+func (enc *Encoder) keyEqElement(key Key, val reflect.Value) {
+	if len(key) == 0 {
+		encPanic(errNoKey)
+	}
+	panicIfInvalidKey(key)
+	enc.wf("%s%s = ", enc.indentStr(key), key.maybeQuoted(len(key)-1))
+	enc.eElement(val)
+	enc.newline()
+}
+
+func (enc *Encoder) wf(format string, v ...interface{}) {
+	if _, err := fmt.Fprintf(enc.w, format, v...); err != nil {
+		encPanic(err)
+	}
+	enc.hasWritten = true
+}
+
+func (enc *Encoder) indentStr(key Key) string {
+	return strings.Repeat(enc.Indent, len(key)-1)
+}
+
+func encPanic(err error) {
+	panic(tomlEncodeError{err})
+}
+
+func eindirect(v reflect.Value) reflect.Value {
+	switch v.Kind() {
+	case reflect.Ptr, reflect.Interface:
+		return eindirect(v.Elem())
+	default:
+		return v
+	}
+}
+
+func isNil(rv reflect.Value) bool {
+	switch rv.Kind() {
+	case reflect.Interface, reflect.Map, reflect.Ptr, reflect.Slice:
+		return rv.IsNil()
+	default:
+		return false
+	}
+}
+
+func panicIfInvalidKey(key Key) {
+	for _, k := range key {
+		if len(k) == 0 {
+			encPanic(e("Key '%s' is not a valid table name. Key names "+
+				"cannot be empty.", key.maybeQuotedAll()))
+		}
+	}
+}
+
+func isValidKeyName(s string) bool {
+	return len(s) != 0
+}
--- a/vendor/github.com/BurntSushi/toml/encoding_types.go
+++ b/vendor/github.com/BurntSushi/toml/encoding_types.go
@@ -0,0 +1,19 @@
+// +build go1.2
+
+package toml
+
+// In order to support Go 1.1, we define our own TextMarshaler and
+// TextUnmarshaler types. For Go 1.2+, we just alias them with the
+// standard library interfaces.
+
+import (
+	"encoding"
+)
+
+// TextMarshaler is a synonym for encoding.TextMarshaler. It is defined here
+// so that Go 1.1 can be supported.
+type TextMarshaler encoding.TextMarshaler
+
+// TextUnmarshaler is a synonym for encoding.TextUnmarshaler. It is defined
+// here so that Go 1.1 can be supported.
+type TextUnmarshaler encoding.TextUnmarshaler
--- a/vendor/github.com/BurntSushi/toml/encoding_types_1.1.go
+++ b/vendor/github.com/BurntSushi/toml/encoding_types_1.1.go
@@ -0,0 +1,18 @@
+// +build !go1.2
+
+package toml
+
+// These interfaces were introduced in Go 1.2, so we add them manually when
+// compiling for Go 1.1.
+
+// TextMarshaler is a synonym for encoding.TextMarshaler. It is defined here
+// so that Go 1.1 can be supported.
+type TextMarshaler interface {
+	MarshalText() (text []byte, err error)
+}
+
+// TextUnmarshaler is a synonym for encoding.TextUnmarshaler. It is defined
+// here so that Go 1.1 can be supported.
+type TextUnmarshaler interface {
+	UnmarshalText(text []byte) error
+}
--- a/vendor/github.com/BurntSushi/toml/lex.go
+++ b/vendor/github.com/BurntSushi/toml/lex.go
@@ -0,0 +1,953 @@
+package toml
+
+import (
+	"fmt"
+	"strings"
+	"unicode"
+	"unicode/utf8"
+)
+
+type itemType int
+
+const (
+	itemError itemType = iota
+	itemNIL            // used in the parser to indicate no type
+	itemEOF
+	itemText
+	itemString
+	itemRawString
+	itemMultilineString
+	itemRawMultilineString
+	itemBool
+	itemInteger
+	itemFloat
+	itemDatetime
+	itemArray // the start of an array
+	itemArrayEnd
+	itemTableStart
+	itemTableEnd
+	itemArrayTableStart
+	itemArrayTableEnd
+	itemKeyStart
+	itemCommentStart
+	itemInlineTableStart
+	itemInlineTableEnd
+)
+
+const (
+	eof              = 0
+	comma            = ','
+	tableStart       = '['
+	tableEnd         = ']'
+	arrayTableStart  = '['
+	arrayTableEnd    = ']'
+	tableSep         = '.'
+	keySep           = '='
+	arrayStart       = '['
+	arrayEnd         = ']'
+	commentStart     = '#'
+	stringStart      = '"'
+	stringEnd        = '"'
+	rawStringStart   = '\''
+	rawStringEnd     = '\''
+	inlineTableStart = '{'
+	inlineTableEnd   = '}'
+)
+
+type stateFn func(lx *lexer) stateFn
+
+type lexer struct {
+	input string
+	start int
+	pos   int
+	line  int
+	state stateFn
+	items chan item
+
+	// Allow for backing up up to three runes.
+	// This is necessary because TOML contains 3-rune tokens (""" and ''').
+	prevWidths [3]int
+	nprev      int // how many of prevWidths are in use
+	// If we emit an eof, we can still back up, but it is not OK to call
+	// next again.
+	atEOF bool
+
+	// A stack of state functions used to maintain context.
+	// The idea is to reuse parts of the state machine in various places.
+	// For example, values can appear at the top level or within arbitrarily
+	// nested arrays. The last state on the stack is used after a value has
+	// been lexed. Similarly for comments.
+	stack []stateFn
+}
+
+type item struct {
+	typ  itemType
+	val  string
+	line int
+}
+
+func (lx *lexer) nextItem() item {
+	for {
+		select {
+		case item := <-lx.items:
+			return item
+		default:
+			lx.state = lx.state(lx)
+		}
+	}
+}
+
+func lex(input string) *lexer {
+	lx := &lexer{
+		input: input,
+		state: lexTop,
+		line:  1,
+		items: make(chan item, 10),
+		stack: make([]stateFn, 0, 10),
+	}
+	return lx
+}
+
+func (lx *lexer) push(state stateFn) {
+	lx.stack = append(lx.stack, state)
+}
+
+func (lx *lexer) pop() stateFn {
+	if len(lx.stack) == 0 {
+		return lx.errorf("BUG in lexer: no states to pop")
+	}
+	last := lx.stack[len(lx.stack)-1]
+	lx.stack = lx.stack[0 : len(lx.stack)-1]
+	return last
+}
+
+func (lx *lexer) current() string {
+	return lx.input[lx.start:lx.pos]
+}
+
+func (lx *lexer) emit(typ itemType) {
+	lx.items <- item{typ, lx.current(), lx.line}
+	lx.start = lx.pos
+}
+
+func (lx *lexer) emitTrim(typ itemType) {
+	lx.items <- item{typ, strings.TrimSpace(lx.current()), lx.line}
+	lx.start = lx.pos
+}
+
+func (lx *lexer) next() (r rune) {
+	if lx.atEOF {
+		panic("next called after EOF")
+	}
+	if lx.pos >= len(lx.input) {
+		lx.atEOF = true
+		return eof
+	}
+
+	if lx.input[lx.pos] == '\n' {
+		lx.line++
+	}
+	lx.prevWidths[2] = lx.prevWidths[1]
+	lx.prevWidths[1] = lx.prevWidths[0]
+	if lx.nprev < 3 {
+		lx.nprev++
+	}
+	r, w := utf8.DecodeRuneInString(lx.input[lx.pos:])
+	lx.prevWidths[0] = w
+	lx.pos += w
+	return r
+}
+
+// ignore skips over the pending input before this point.
+func (lx *lexer) ignore() {
+	lx.start = lx.pos
+}
+
+// backup steps back one rune. Can be called only twice between calls to next.
+func (lx *lexer) backup() {
+	if lx.atEOF {
+		lx.atEOF = false
+		return
+	}
+	if lx.nprev < 1 {
+		panic("backed up too far")
+	}
+	w := lx.prevWidths[0]
+	lx.prevWidths[0] = lx.prevWidths[1]
+	lx.prevWidths[1] = lx.prevWidths[2]
+	lx.nprev--
+	lx.pos -= w
+	if lx.pos < len(lx.input) && lx.input[lx.pos] == '\n' {
+		lx.line--
+	}
+}
+
+// accept consumes the next rune if it's equal to `valid`.
+func (lx *lexer) accept(valid rune) bool {
+	if lx.next() == valid {
+		return true
+	}
+	lx.backup()
+	return false
+}
+
+// peek returns but does not consume the next rune in the input.
+func (lx *lexer) peek() rune {
+	r := lx.next()
+	lx.backup()
+	return r
+}
+
+// skip ignores all input that matches the given predicate.
+func (lx *lexer) skip(pred func(rune) bool) {
+	for {
+		r := lx.next()
+		if pred(r) {
+			continue
+		}
+		lx.backup()
+		lx.ignore()
+		return
+	}
+}
+
+// errorf stops all lexing by emitting an error and returning `nil`.
+// Note that any value that is a character is escaped if it's a special
+// character (newlines, tabs, etc.).
+func (lx *lexer) errorf(format string, values ...interface{}) stateFn {
+	lx.items <- item{
+		itemError,
+		fmt.Sprintf(format, values...),
+		lx.line,
+	}
+	return nil
+}
+
+// lexTop consumes elements at the top level of TOML data.
+func lexTop(lx *lexer) stateFn {
+	r := lx.next()
+	if isWhitespace(r) || isNL(r) {
+		return lexSkip(lx, lexTop)
+	}
+	switch r {
+	case commentStart:
+		lx.push(lexTop)
+		return lexCommentStart
+	case tableStart:
+		return lexTableStart
+	case eof:
+		if lx.pos > lx.start {
+			return lx.errorf("unexpected EOF")
+		}
+		lx.emit(itemEOF)
+		return nil
+	}
+
+	// At this point, the only valid item can be a key, so we back up
+	// and let the key lexer do the rest.
+	lx.backup()
+	lx.push(lexTopEnd)
+	return lexKeyStart
+}
+
+// lexTopEnd is entered whenever a top-level item has been consumed. (A value
+// or a table.) It must see only whitespace, and will turn back to lexTop
+// upon a newline. If it sees EOF, it will quit the lexer successfully.
+func lexTopEnd(lx *lexer) stateFn {
+	r := lx.next()
+	switch {
+	case r == commentStart:
+		// a comment will read to a newline for us.
+		lx.push(lexTop)
+		return lexCommentStart
+	case isWhitespace(r):
+		return lexTopEnd
+	case isNL(r):
+		lx.ignore()
+		return lexTop
+	case r == eof:
+		lx.emit(itemEOF)
+		return nil
+	}
+	return lx.errorf("expected a top-level item to end with a newline, "+
+		"comment, or EOF, but got %q instead", r)
+}
+
+// lexTable lexes the beginning of a table. Namely, it makes sure that
+// it starts with a character other than '.' and ']'.
+// It assumes that '[' has already been consumed.
+// It also handles the case that this is an item in an array of tables.
+// e.g., '[[name]]'.
+func lexTableStart(lx *lexer) stateFn {
+	if lx.peek() == arrayTableStart {
+		lx.next()
+		lx.emit(itemArrayTableStart)
+		lx.push(lexArrayTableEnd)
+	} else {
+		lx.emit(itemTableStart)
+		lx.push(lexTableEnd)
+	}
+	return lexTableNameStart
+}
+
+func lexTableEnd(lx *lexer) stateFn {
+	lx.emit(itemTableEnd)
+	return lexTopEnd
+}
+
+func lexArrayTableEnd(lx *lexer) stateFn {
+	if r := lx.next(); r != arrayTableEnd {
+		return lx.errorf("expected end of table array name delimiter %q, "+
+			"but got %q instead", arrayTableEnd, r)
+	}
+	lx.emit(itemArrayTableEnd)
+	return lexTopEnd
+}
+
+func lexTableNameStart(lx *lexer) stateFn {
+	lx.skip(isWhitespace)
+	switch r := lx.peek(); {
+	case r == tableEnd || r == eof:
+		return lx.errorf("unexpected end of table name " +
+			"(table names cannot be empty)")
+	case r == tableSep:
+		return lx.errorf("unexpected table separator " +
+			"(table names cannot be empty)")
+	case r == stringStart || r == rawStringStart:
+		lx.ignore()
+		lx.push(lexTableNameEnd)
+		return lexValue // reuse string lexing
+	default:
+		return lexBareTableName
+	}
+}
+
+// lexBareTableName lexes the name of a table. It assumes that at least one
+// valid character for the table has already been read.
+func lexBareTableName(lx *lexer) stateFn {
+	r := lx.next()
+	if isBareKeyChar(r) {
+		return lexBareTableName
+	}
+	lx.backup()
+	lx.emit(itemText)
+	return lexTableNameEnd
+}
+
+// lexTableNameEnd reads the end of a piece of a table name, optionally
+// consuming whitespace.
+func lexTableNameEnd(lx *lexer) stateFn {
+	lx.skip(isWhitespace)
+	switch r := lx.next(); {
+	case isWhitespace(r):
+		return lexTableNameEnd
+	case r == tableSep:
+		lx.ignore()
+		return lexTableNameStart
+	case r == tableEnd:
+		return lx.pop()
+	default:
+		return lx.errorf("expected '.' or ']' to end table name, "+
+			"but got %q instead", r)
+	}
+}
+
+// lexKeyStart consumes a key name up until the first non-whitespace character.
+// lexKeyStart will ignore whitespace.
+func lexKeyStart(lx *lexer) stateFn {
+	r := lx.peek()
+	switch {
+	case r == keySep:
+		return lx.errorf("unexpected key separator %q", keySep)
+	case isWhitespace(r) || isNL(r):
+		lx.next()
+		return lexSkip(lx, lexKeyStart)
+	case r == stringStart || r == rawStringStart:
+		lx.ignore()
+		lx.emit(itemKeyStart)
+		lx.push(lexKeyEnd)
+		return lexValue // reuse string lexing
+	default:
+		lx.ignore()
+		lx.emit(itemKeyStart)
+		return lexBareKey
+	}
+}
+
+// lexBareKey consumes the text of a bare key. Assumes that the first character
+// (which is not whitespace) has not yet been consumed.
+func lexBareKey(lx *lexer) stateFn {
+	switch r := lx.next(); {
+	case isBareKeyChar(r):
+		return lexBareKey
+	case isWhitespace(r):
+		lx.backup()
+		lx.emit(itemText)
+		return lexKeyEnd
+	case r == keySep:
+		lx.backup()
+		lx.emit(itemText)
+		return lexKeyEnd
+	default:
+		return lx.errorf("bare keys cannot contain %q", r)
+	}
+}
+
+// lexKeyEnd consumes the end of a key and trims whitespace (up to the key
+// separator).
+func lexKeyEnd(lx *lexer) stateFn {
+	switch r := lx.next(); {
+	case r == keySep:
+		return lexSkip(lx, lexValue)
+	case isWhitespace(r):
+		return lexSkip(lx, lexKeyEnd)
+	default:
+		return lx.errorf("expected key separator %q, but got %q instead",
+			keySep, r)
+	}
+}
+
+// lexValue starts the consumption of a value anywhere a value is expected.
+// lexValue will ignore whitespace.
+// After a value is lexed, the last state on the next is popped and returned.
+func lexValue(lx *lexer) stateFn {
+	// We allow whitespace to precede a value, but NOT newlines.
+	// In array syntax, the array states are responsible for ignoring newlines.
+	r := lx.next()
+	switch {
+	case isWhitespace(r):
+		return lexSkip(lx, lexValue)
+	case isDigit(r):
+		lx.backup() // avoid an extra state and use the same as above
+		return lexNumberOrDateStart
+	}
+	switch r {
+	case arrayStart:
+		lx.ignore()
+		lx.emit(itemArray)
+		return lexArrayValue
+	case inlineTableStart:
+		lx.ignore()
+		lx.emit(itemInlineTableStart)
+		return lexInlineTableValue
+	case stringStart:
+		if lx.accept(stringStart) {
+			if lx.accept(stringStart) {
+				lx.ignore() // Ignore """
+				return lexMultilineString
+			}
+			lx.backup()
+		}
+		lx.ignore() // ignore the '"'
+		return lexString
+	case rawStringStart:
+		if lx.accept(rawStringStart) {
+			if lx.accept(rawStringStart) {
+				lx.ignore() // Ignore """
+				return lexMultilineRawString
+			}
+			lx.backup()
+		}
+		lx.ignore() // ignore the "'"
+		return lexRawString
+	case '+', '-':
+		return lexNumberStart
+	case '.': // special error case, be kind to users
+		return lx.errorf("floats must start with a digit, not '.'")
+	}
+	if unicode.IsLetter(r) {
+		// Be permissive here; lexBool will give a nice error if the
+		// user wrote something like
+		//   x = foo
+		// (i.e. not 'true' or 'false' but is something else word-like.)
+		lx.backup()
+		return lexBool
+	}
+	return lx.errorf("expected value but found %q instead", r)
+}
+
+// lexArrayValue consumes one value in an array. It assumes that '[' or ','
+// have already been consumed. All whitespace and newlines are ignored.
+func lexArrayValue(lx *lexer) stateFn {
+	r := lx.next()
+	switch {
+	case isWhitespace(r) || isNL(r):
+		return lexSkip(lx, lexArrayValue)
+	case r == commentStart:
+		lx.push(lexArrayValue)
+		return lexCommentStart
+	case r == comma:
+		return lx.errorf("unexpected comma")
+	case r == arrayEnd:
+		// NOTE(caleb): The spec isn't clear about whether you can have
+		// a trailing comma or not, so we'll allow it.
+		return lexArrayEnd
+	}
+
+	lx.backup()
+	lx.push(lexArrayValueEnd)
+	return lexValue
+}
+
+// lexArrayValueEnd consumes everything between the end of an array value and
+// the next value (or the end of the array): it ignores whitespace and newlines
+// and expects either a ',' or a ']'.
+func lexArrayValueEnd(lx *lexer) stateFn {
+	r := lx.next()
+	switch {
+	case isWhitespace(r) || isNL(r):
+		return lexSkip(lx, lexArrayValueEnd)
+	case r == commentStart:
+		lx.push(lexArrayValueEnd)
+		return lexCommentStart
+	case r == comma:
+		lx.ignore()
+		return lexArrayValue // move on to the next value
+	case r == arrayEnd:
+		return lexArrayEnd
+	}
+	return lx.errorf(
+		"expected a comma or array terminator %q, but got %q instead",
+		arrayEnd, r,
+	)
+}
+
+// lexArrayEnd finishes the lexing of an array.
+// It assumes that a ']' has just been consumed.
+func lexArrayEnd(lx *lexer) stateFn {
+	lx.ignore()
+	lx.emit(itemArrayEnd)
+	return lx.pop()
+}
+
+// lexInlineTableValue consumes one key/value pair in an inline table.
+// It assumes that '{' or ',' have already been consumed. Whitespace is ignored.
+func lexInlineTableValue(lx *lexer) stateFn {
+	r := lx.next()
+	switch {
+	case isWhitespace(r):
+		return lexSkip(lx, lexInlineTableValue)
+	case isNL(r):
+		return lx.errorf("newlines not allowed within inline tables")
+	case r == commentStart:
+		lx.push(lexInlineTableValue)
+		return lexCommentStart
+	case r == comma:
+		return lx.errorf("unexpected comma")
+	case r == inlineTableEnd:
+		return lexInlineTableEnd
+	}
+	lx.backup()
+	lx.push(lexInlineTableValueEnd)
+	return lexKeyStart
+}
+
+// lexInlineTableValueEnd consumes everything between the end of an inline table
+// key/value pair and the next pair (or the end of the table):
+// it ignores whitespace and expects either a ',' or a '}'.
+func lexInlineTableValueEnd(lx *lexer) stateFn {
+	r := lx.next()
+	switch {
+	case isWhitespace(r):
+		return lexSkip(lx, lexInlineTableValueEnd)
+	case isNL(r):
+		return lx.errorf("newlines not allowed within inline tables")
+	case r == commentStart:
+		lx.push(lexInlineTableValueEnd)
+		return lexCommentStart
+	case r == comma:
+		lx.ignore()
+		return lexInlineTableValue
+	case r == inlineTableEnd:
+		return lexInlineTableEnd
+	}
+	return lx.errorf("expected a comma or an inline table terminator %q, "+
+		"but got %q instead", inlineTableEnd, r)
+}
+
+// lexInlineTableEnd finishes the lexing of an inline table.
+// It assumes that a '}' has just been consumed.
+func lexInlineTableEnd(lx *lexer) stateFn {
+	lx.ignore()
+	lx.emit(itemInlineTableEnd)
+	return lx.pop()
+}
+
+// lexString consumes the inner contents of a string. It assumes that the
+// beginning '"' has already been consumed and ignored.
+func lexString(lx *lexer) stateFn {
+	r := lx.next()
+	switch {
+	case r == eof:
+		return lx.errorf("unexpected EOF")
+	case isNL(r):
+		return lx.errorf("strings cannot contain newlines")
+	case r == '\\':
+		lx.push(lexString)
+		return lexStringEscape
+	case r == stringEnd:
+		lx.backup()
+		lx.emit(itemString)
+		lx.next()
+		lx.ignore()
+		return lx.pop()
+	}
+	return lexString
+}
+
+// lexMultilineString consumes the inner contents of a string. It assumes that
+// the beginning '"""' has already been consumed and ignored.
+func lexMultilineString(lx *lexer) stateFn {
+	switch lx.next() {
+	case eof:
+		return lx.errorf("unexpected EOF")
+	case '\\':
+		return lexMultilineStringEscape
+	case stringEnd:
+		if lx.accept(stringEnd) {
+			if lx.accept(stringEnd) {
+				lx.backup()
+				lx.backup()
+				lx.backup()
+				lx.emit(itemMultilineString)
+				lx.next()
+				lx.next()
+				lx.next()
+				lx.ignore()
+				return lx.pop()
+			}
+			lx.backup()
+		}
+	}
+	return lexMultilineString
+}
+
+// lexRawString consumes a raw string. Nothing can be escaped in such a string.
+// It assumes that the beginning "'" has already been consumed and ignored.
+func lexRawString(lx *lexer) stateFn {
+	r := lx.next()
+	switch {
+	case r == eof:
+		return lx.errorf("unexpected EOF")
+	case isNL(r):
+		return lx.errorf("strings cannot contain newlines")
+	case r == rawStringEnd:
+		lx.backup()
+		lx.emit(itemRawString)
+		lx.next()
+		lx.ignore()
+		return lx.pop()
+	}
+	return lexRawString
+}
+
+// lexMultilineRawString consumes a raw string. Nothing can be escaped in such
+// a string. It assumes that the beginning "'''" has already been consumed and
+// ignored.
+func lexMultilineRawString(lx *lexer) stateFn {
+	switch lx.next() {
+	case eof:
+		return lx.errorf("unexpected EOF")
+	case rawStringEnd:
+		if lx.accept(rawStringEnd) {
+			if lx.accept(rawStringEnd) {
+				lx.backup()
+				lx.backup()
+				lx.backup()
+				lx.emit(itemRawMultilineString)
+				lx.next()
+				lx.next()
+				lx.next()
+				lx.ignore()
+				return lx.pop()
+			}
+			lx.backup()
+		}
+	}
+	return lexMultilineRawString
+}
+
+// lexMultilineStringEscape consumes an escaped character. It assumes that the
+// preceding '\\' has already been consumed.
+func lexMultilineStringEscape(lx *lexer) stateFn {
+	// Handle the special case first:
+	if isNL(lx.next()) {
+		return lexMultilineString
+	}
+	lx.backup()
+	lx.push(lexMultilineString)
+	return lexStringEscape(lx)
+}
+
+func lexStringEscape(lx *lexer) stateFn {
+	r := lx.next()
+	switch r {
+	case 'b':
+		fallthrough
+	case 't':
+		fallthrough
+	case 'n':
+		fallthrough
+	case 'f':
+		fallthrough
+	case 'r':
+		fallthrough
+	case '"':
+		fallthrough
+	case '\\':
+		return lx.pop()
+	case 'u':
+		return lexShortUnicodeEscape
+	case 'U':
+		return lexLongUnicodeEscape
+	}
+	return lx.errorf("invalid escape character %q; only the following "+
+		"escape characters are allowed: "+
+		`\b, \t, \n, \f, \r, \", \\, \uXXXX, and \UXXXXXXXX`, r)
+}
+
+func lexShortUnicodeEscape(lx *lexer) stateFn {
+	var r rune
+	for i := 0; i < 4; i++ {
+		r = lx.next()
+		if !isHexadecimal(r) {
+			return lx.errorf(`expected four hexadecimal digits after '\u', `+
+				"but got %q instead", lx.current())
+		}
+	}
+	return lx.pop()
+}
+
+func lexLongUnicodeEscape(lx *lexer) stateFn {
+	var r rune
+	for i := 0; i < 8; i++ {
+		r = lx.next()
+		if !isHexadecimal(r) {
+			return lx.errorf(`expected eight hexadecimal digits after '\U', `+
+				"but got %q instead", lx.current())
+		}
+	}
+	return lx.pop()
+}
+
+// lexNumberOrDateStart consumes either an integer, a float, or datetime.
+func lexNumberOrDateStart(lx *lexer) stateFn {
+	r := lx.next()
+	if isDigit(r) {
+		return lexNumberOrDate
+	}
+	switch r {
+	case '_':
+		return lexNumber
+	case 'e', 'E':
+		return lexFloat
+	case '.':
+		return lx.errorf("floats must start with a digit, not '.'")
+	}
+	return lx.errorf("expected a digit but got %q", r)
+}
+
+// lexNumberOrDate consumes either an integer, float or datetime.
+func lexNumberOrDate(lx *lexer) stateFn {
+	r := lx.next()
+	if isDigit(r) {
+		return lexNumberOrDate
+	}
+	switch r {
+	case '-':
+		return lexDatetime
+	case '_':
+		return lexNumber
+	case '.', 'e', 'E':
+		return lexFloat
+	}
+
+	lx.backup()
+	lx.emit(itemInteger)
+	return lx.pop()
+}
+
+// lexDatetime consumes a Datetime, to a first approximation.
+// The parser validates that it matches one of the accepted formats.
+func lexDatetime(lx *lexer) stateFn {
+	r := lx.next()
+	if isDigit(r) {
+		return lexDatetime
+	}
+	switch r {
+	case '-', 'T', ':', '.', 'Z', '+':
+		return lexDatetime
+	}
+
+	lx.backup()
+	lx.emit(itemDatetime)
+	return lx.pop()
+}
+
+// lexNumberStart consumes either an integer or a float. It assumes that a sign
+// has already been read, but that *no* digits have been consumed.
+// lexNumberStart will move to the appropriate integer or float states.
+func lexNumberStart(lx *lexer) stateFn {
+	// We MUST see a digit. Even floats have to start with a digit.
+	r := lx.next()
+	if !isDigit(r) {
+		if r == '.' {
+			return lx.errorf("floats must start with a digit, not '.'")
+		}
+		return lx.errorf("expected a digit but got %q", r)
+	}
+	return lexNumber
+}
+
+// lexNumber consumes an integer or a float after seeing the first digit.
+func lexNumber(lx *lexer) stateFn {
+	r := lx.next()
+	if isDigit(r) {
+		return lexNumber
+	}
+	switch r {
+	case '_':
+		return lexNumber
+	case '.', 'e', 'E':
+		return lexFloat
+	}
+
+	lx.backup()
+	lx.emit(itemInteger)
+	return lx.pop()
+}
+
+// lexFloat consumes the elements of a float. It allows any sequence of
+// float-like characters, so floats emitted by the lexer are only a first
+// approximation and must be validated by the parser.
+func lexFloat(lx *lexer) stateFn {
+	r := lx.next()
+	if isDigit(r) {
+		return lexFloat
+	}
+	switch r {
+	case '_', '.', '-', '+', 'e', 'E':
+		return lexFloat
+	}
+
+	lx.backup()
+	lx.emit(itemFloat)
+	return lx.pop()
+}
+
+// lexBool consumes a bool string: 'true' or 'false.
+func lexBool(lx *lexer) stateFn {
+	var rs []rune
+	for {
+		r := lx.next()
+		if !unicode.IsLetter(r) {
+			lx.backup()
+			break
+		}
+		rs = append(rs, r)
+	}
+	s := string(rs)
+	switch s {
+	case "true", "false":
+		lx.emit(itemBool)
+		return lx.pop()
+	}
+	return lx.errorf("expected value but found %q instead", s)
+}
+
+// lexCommentStart begins the lexing of a comment. It will emit
+// itemCommentStart and consume no characters, passing control to lexComment.
+func lexCommentStart(lx *lexer) stateFn {
+	lx.ignore()
+	lx.emit(itemCommentStart)
+	return lexComment
+}
+
+// lexComment lexes an entire comment. It assumes that '#' has been consumed.
+// It will consume *up to* the first newline character, and pass control
+// back to the last state on the stack.
+func lexComment(lx *lexer) stateFn {
+	r := lx.peek()
+	if isNL(r) || r == eof {
+		lx.emit(itemText)
+		return lx.pop()
+	}
+	lx.next()
+	return lexComment
+}
+
+// lexSkip ignores all slurped input and moves on to the next state.
+func lexSkip(lx *lexer, nextState stateFn) stateFn {
+	return func(lx *lexer) stateFn {
+		lx.ignore()
+		return nextState
+	}
+}
+
+// isWhitespace returns true if `r` is a whitespace character according
+// to the spec.
+func isWhitespace(r rune) bool {
+	return r == '\t' || r == ' '
+}
+
+func isNL(r rune) bool {
+	return r == '\n' || r == '\r'
+}
+
+func isDigit(r rune) bool {
+	return r >= '0' && r <= '9'
+}
+
+func isHexadecimal(r rune) bool {
+	return (r >= '0' && r <= '9') ||
+		(r >= 'a' && r <= 'f') ||
+		(r >= 'A' && r <= 'F')
+}
+
+func isBareKeyChar(r rune) bool {
+	return (r >= 'A' && r <= 'Z') ||
+		(r >= 'a' && r <= 'z') ||
+		(r >= '0' && r <= '9') ||
+		r == '_' ||
+		r == '-'
+}
+
+func (itype itemType) String() string {
+	switch itype {
+	case itemError:
+		return "Error"
+	case itemNIL:
+		return "NIL"
+	case itemEOF:
+		return "EOF"
+	case itemText:
+		return "Text"
+	case itemString, itemRawString, itemMultilineString, itemRawMultilineString:
+		return "String"
+	case itemBool:
+		return "Bool"
+	case itemInteger:
+		return "Integer"
+	case itemFloat:
+		return "Float"
+	case itemDatetime:
+		return "DateTime"
+	case itemTableStart:
+		return "TableStart"
+	case itemTableEnd:
+		return "TableEnd"
+	case itemKeyStart:
+		return "KeyStart"
+	case itemArray:
+		return "Array"
+	case itemArrayEnd:
+		return "ArrayEnd"
+	case itemCommentStart:
+		return "CommentStart"
+	}
+	panic(fmt.Sprintf("BUG: Unknown type '%d'.", int(itype)))
+}
+
+func (item item) String() string {
+	return fmt.Sprintf("(%s, %s)", item.typ.String(), item.val)
+}
--- a/vendor/github.com/BurntSushi/toml/parse.go
+++ b/vendor/github.com/BurntSushi/toml/parse.go
@@ -0,0 +1,592 @@
+package toml
+
+import (
+	"fmt"
+	"strconv"
+	"strings"
+	"time"
+	"unicode"
+	"unicode/utf8"
+)
+
+type parser struct {
+	mapping map[string]interface{}
+	types   map[string]tomlType
+	lx      *lexer
+
+	// A list of keys in the order that they appear in the TOML data.
+	ordered []Key
+
+	// the full key for the current hash in scope
+	context Key
+
+	// the base key name for everything except hashes
+	currentKey string
+
+	// rough approximation of line number
+	approxLine int
+
+	// A map of 'key.group.names' to whether they were created implicitly.
+	implicits map[string]bool
+}
+
+type parseError string
+
+func (pe parseError) Error() string {
+	return string(pe)
+}
+
+func parse(data string) (p *parser, err error) {
+	defer func() {
+		if r := recover(); r != nil {
+			var ok bool
+			if err, ok = r.(parseError); ok {
+				return
+			}
+			panic(r)
+		}
+	}()
+
+	p = &parser{
+		mapping:   make(map[string]interface{}),
+		types:     make(map[string]tomlType),
+		lx:        lex(data),
+		ordered:   make([]Key, 0),
+		implicits: make(map[string]bool),
+	}
+	for {
+		item := p.next()
+		if item.typ == itemEOF {
+			break
+		}
+		p.topLevel(item)
+	}
+
+	return p, nil
+}
+
+func (p *parser) panicf(format string, v ...interface{}) {
+	msg := fmt.Sprintf("Near line %d (last key parsed '%s'): %s",
+		p.approxLine, p.current(), fmt.Sprintf(format, v...))
+	panic(parseError(msg))
+}
+
+func (p *parser) next() item {
+	it := p.lx.nextItem()
+	if it.typ == itemError {
+		p.panicf("%s", it.val)
+	}
+	return it
+}
+
+func (p *parser) bug(format string, v ...interface{}) {
+	panic(fmt.Sprintf("BUG: "+format+"\n\n", v...))
+}
+
+func (p *parser) expect(typ itemType) item {
+	it := p.next()
+	p.assertEqual(typ, it.typ)
+	return it
+}
+
+func (p *parser) assertEqual(expected, got itemType) {
+	if expected != got {
+		p.bug("Expected '%s' but got '%s'.", expected, got)
+	}
+}
+
+func (p *parser) topLevel(item item) {
+	switch item.typ {
+	case itemCommentStart:
+		p.approxLine = item.line
+		p.expect(itemText)
+	case itemTableStart:
+		kg := p.next()
+		p.approxLine = kg.line
+
+		var key Key
+		for ; kg.typ != itemTableEnd && kg.typ != itemEOF; kg = p.next() {
+			key = append(key, p.keyString(kg))
+		}
+		p.assertEqual(itemTableEnd, kg.typ)
+
+		p.establishContext(key, false)
+		p.setType("", tomlHash)
+		p.ordered = append(p.ordered, key)
+	case itemArrayTableStart:
+		kg := p.next()
+		p.approxLine = kg.line
+
+		var key Key
+		for ; kg.typ != itemArrayTableEnd && kg.typ != itemEOF; kg = p.next() {
+			key = append(key, p.keyString(kg))
+		}
+		p.assertEqual(itemArrayTableEnd, kg.typ)
+
+		p.establishContext(key, true)
+		p.setType("", tomlArrayHash)
+		p.ordered = append(p.ordered, key)
+	case itemKeyStart:
+		kname := p.next()
+		p.approxLine = kname.line
+		p.currentKey = p.keyString(kname)
+
+		val, typ := p.value(p.next())
+		p.setValue(p.currentKey, val)
+		p.setType(p.currentKey, typ)
+		p.ordered = append(p.ordered, p.context.add(p.currentKey))
+		p.currentKey = ""
+	default:
+		p.bug("Unexpected type at top level: %s", item.typ)
+	}
+}
+
+// Gets a string for a key (or part of a key in a table name).
+func (p *parser) keyString(it item) string {
+	switch it.typ {
+	case itemText:
+		return it.val
+	case itemString, itemMultilineString,
+		itemRawString, itemRawMultilineString:
+		s, _ := p.value(it)
+		return s.(string)
+	default:
+		p.bug("Unexpected key type: %s", it.typ)
+		panic("unreachable")
+	}
+}
+
+// value translates an expected value from the lexer into a Go value wrapped
+// as an empty interface.
+func (p *parser) value(it item) (interface{}, tomlType) {
+	switch it.typ {
+	case itemString:
+		return p.replaceEscapes(it.val), p.typeOfPrimitive(it)
+	case itemMultilineString:
+		trimmed := stripFirstNewline(stripEscapedWhitespace(it.val))
+		return p.replaceEscapes(trimmed), p.typeOfPrimitive(it)
+	case itemRawString:
+		return it.val, p.typeOfPrimitive(it)
+	case itemRawMultilineString:
+		return stripFirstNewline(it.val), p.typeOfPrimitive(it)
+	case itemBool:
+		switch it.val {
+		case "true":
+			return true, p.typeOfPrimitive(it)
+		case "false":
+			return false, p.typeOfPrimitive(it)
+		}
+		p.bug("Expected boolean value, but got '%s'.", it.val)
+	case itemInteger:
+		if !numUnderscoresOK(it.val) {
+			p.panicf("Invalid integer %q: underscores must be surrounded by digits",
+				it.val)
+		}
+		val := strings.Replace(it.val, "_", "", -1)
+		num, err := strconv.ParseInt(val, 10, 64)
+		if err != nil {
+			// Distinguish integer values. Normally, it'd be a bug if the lexer
+			// provides an invalid integer, but it's possible that the number is
+			// out of range of valid values (which the lexer cannot determine).
+			// So mark the former as a bug but the latter as a legitimate user
+			// error.
+			if e, ok := err.(*strconv.NumError); ok &&
+				e.Err == strconv.ErrRange {
+
+				p.panicf("Integer '%s' is out of the range of 64-bit "+
+					"signed integers.", it.val)
+			} else {
+				p.bug("Expected integer value, but got '%s'.", it.val)
+			}
+		}
+		return num, p.typeOfPrimitive(it)
+	case itemFloat:
+		parts := strings.FieldsFunc(it.val, func(r rune) bool {
+			switch r {
+			case '.', 'e', 'E':
+				return true
+			}
+			return false
+		})
+		for _, part := range parts {
+			if !numUnderscoresOK(part) {
+				p.panicf("Invalid float %q: underscores must be "+
+					"surrounded by digits", it.val)
+			}
+		}
+		if !numPeriodsOK(it.val) {
+			// As a special case, numbers like '123.' or '1.e2',
+			// which are valid as far as Go/strconv are concerned,
+			// must be rejected because TOML says that a fractional
+			// part consists of '.' followed by 1+ digits.
+			p.panicf("Invalid float %q: '.' must be followed "+
+				"by one or more digits", it.val)
+		}
+		val := strings.Replace(it.val, "_", "", -1)
+		num, err := strconv.ParseFloat(val, 64)
+		if err != nil {
+			if e, ok := err.(*strconv.NumError); ok &&
+				e.Err == strconv.ErrRange {
+
+				p.panicf("Float '%s' is out of the range of 64-bit "+
+					"IEEE-754 floating-point numbers.", it.val)
+			} else {
+				p.panicf("Invalid float value: %q", it.val)
+			}
+		}
+		return num, p.typeOfPrimitive(it)
+	case itemDatetime:
+		var t time.Time
+		var ok bool
+		var err error
+		for _, format := range []string{
+			"2006-01-02T15:04:05Z07:00",
+			"2006-01-02T15:04:05",
+			"2006-01-02",
+		} {
+			t, err = time.ParseInLocation(format, it.val, time.Local)
+			if err == nil {
+				ok = true
+				break
+			}
+		}
+		if !ok {
+			p.panicf("Invalid TOML Datetime: %q.", it.val)
+		}
+		return t, p.typeOfPrimitive(it)
+	case itemArray:
+		array := make([]interface{}, 0)
+		types := make([]tomlType, 0)
+
+		for it = p.next(); it.typ != itemArrayEnd; it = p.next() {
+			if it.typ == itemCommentStart {
+				p.expect(itemText)
+				continue
+			}
+
+			val, typ := p.value(it)
+			array = append(array, val)
+			types = append(types, typ)
+		}
+		return array, p.typeOfArray(types)
+	case itemInlineTableStart:
+		var (
+			hash         = make(map[string]interface{})
+			outerContext = p.context
+			outerKey     = p.currentKey
+		)
+
+		p.context = append(p.context, p.currentKey)
+		p.currentKey = ""
+		for it := p.next(); it.typ != itemInlineTableEnd; it = p.next() {
+			if it.typ != itemKeyStart {
+				p.bug("Expected key start but instead found %q, around line %d",
+					it.val, p.approxLine)
+			}
+			if it.typ == itemCommentStart {
+				p.expect(itemText)
+				continue
+			}
+
+			// retrieve key
+			k := p.next()
+			p.approxLine = k.line
+			kname := p.keyString(k)
+
+			// retrieve value
+			p.currentKey = kname
+			val, typ := p.value(p.next())
+			// make sure we keep metadata up to date
+			p.setType(kname, typ)
+			p.ordered = append(p.ordered, p.context.add(p.currentKey))
+			hash[kname] = val
+		}
+		p.context = outerContext
+		p.currentKey = outerKey
+		return hash, tomlHash
+	}
+	p.bug("Unexpected value type: %s", it.typ)
+	panic("unreachable")
+}
+
+// numUnderscoresOK checks whether each underscore in s is surrounded by
+// characters that are not underscores.
+func numUnderscoresOK(s string) bool {
+	accept := false
+	for _, r := range s {
+		if r == '_' {
+			if !accept {
+				return false
+			}
+			accept = false
+			continue
+		}
+		accept = true
+	}
+	return accept
+}
+
+// numPeriodsOK checks whether every period in s is followed by a digit.
+func numPeriodsOK(s string) bool {
+	period := false
+	for _, r := range s {
+		if period && !isDigit(r) {
+			return false
+		}
+		period = r == '.'
+	}
+	return !period
+}
+
+// establishContext sets the current context of the parser,
+// where the context is either a hash or an array of hashes. Which one is
+// set depends on the value of the `array` parameter.
+//
+// Establishing the context also makes sure that the key isn't a duplicate, and
+// will create implicit hashes automatically.
+func (p *parser) establishContext(key Key, array bool) {
+	var ok bool
+
+	// Always start at the top level and drill down for our context.
+	hashContext := p.mapping
+	keyContext := make(Key, 0)
+
+	// We only need implicit hashes for key[0:-1]
+	for _, k := range key[0 : len(key)-1] {
+		_, ok = hashContext[k]
+		keyContext = append(keyContext, k)
+
+		// No key? Make an implicit hash and move on.
+		if !ok {
+			p.addImplicit(keyContext)
+			hashContext[k] = make(map[string]interface{})
+		}
+
+		// If the hash context is actually an array of tables, then set
+		// the hash context to the last element in that array.
+		//
+		// Otherwise, it better be a table, since this MUST be a key group (by
+		// virtue of it not being the last element in a key).
+		switch t := hashContext[k].(type) {
+		case []map[string]interface{}:
+			hashContext = t[len(t)-1]
+		case map[string]interface{}:
+			hashContext = t
+		default:
+			p.panicf("Key '%s' was already created as a hash.", keyContext)
+		}
+	}
+
+	p.context = keyContext
+	if array {
+		// If this is the first element for this array, then allocate a new
+		// list of tables for it.
+		k := key[len(key)-1]
+		if _, ok := hashContext[k]; !ok {
+			hashContext[k] = make([]map[string]interface{}, 0, 5)
+		}
+
+		// Add a new table. But make sure the key hasn't already been used
+		// for something else.
+		if hash, ok := hashContext[k].([]map[string]interface{}); ok {
+			hashContext[k] = append(hash, make(map[string]interface{}))
+		} else {
+			p.panicf("Key '%s' was already created and cannot be used as "+
+				"an array.", keyContext)
+		}
+	} else {
+		p.setValue(key[len(key)-1], make(map[string]interface{}))
+	}
+	p.context = append(p.context, key[len(key)-1])
+}
+
+// setValue sets the given key to the given value in the current context.
+// It will make sure that the key hasn't already been defined, account for
+// implicit key groups.
+func (p *parser) setValue(key string, value interface{}) {
+	var tmpHash interface{}
+	var ok bool
+
+	hash := p.mapping
+	keyContext := make(Key, 0)
+	for _, k := range p.context {
+		keyContext = append(keyContext, k)
+		if tmpHash, ok = hash[k]; !ok {
+			p.bug("Context for key '%s' has not been established.", keyContext)
+		}
+		switch t := tmpHash.(type) {
+		case []map[string]interface{}:
+			// The context is a table of hashes. Pick the most recent table
+			// defined as the current hash.
+			hash = t[len(t)-1]
+		case map[string]interface{}:
+			hash = t
+		default:
+			p.bug("Expected hash to have type 'map[string]interface{}', but "+
+				"it has '%T' instead.", tmpHash)
+		}
+	}
+	keyContext = append(keyContext, key)
+
+	if _, ok := hash[key]; ok {
+		// Typically, if the given key has already been set, then we have
+		// to raise an error since duplicate keys are disallowed. However,
+		// it's possible that a key was previously defined implicitly. In this
+		// case, it is allowed to be redefined concretely. (See the
+		// `tests/valid/implicit-and-explicit-after.toml` test in `toml-test`.)
+		//
+		// But we have to make sure to stop marking it as an implicit. (So that
+		// another redefinition provokes an error.)
+		//
+		// Note that since it has already been defined (as a hash), we don't
+		// want to overwrite it. So our business is done.
+		if p.isImplicit(keyContext) {
+			p.removeImplicit(keyContext)
+			return
+		}
+
+		// Otherwise, we have a concrete key trying to override a previous
+		// key, which is *always* wrong.
+		p.panicf("Key '%s' has already been defined.", keyContext)
+	}
+	hash[key] = value
+}
+
+// setType sets the type of a particular value at a given key.
+// It should be called immediately AFTER setValue.
+//
+// Note that if `key` is empty, then the type given will be applied to the
+// current context (which is either a table or an array of tables).
+func (p *parser) setType(key string, typ tomlType) {
+	keyContext := make(Key, 0, len(p.context)+1)
+	for _, k := range p.context {
+		keyContext = append(keyContext, k)
+	}
+	if len(key) > 0 { // allow type setting for hashes
+		keyContext = append(keyContext, key)
+	}
+	p.types[keyContext.String()] = typ
+}
+
+// addImplicit sets the given Key as having been created implicitly.
+func (p *parser) addImplicit(key Key) {
+	p.implicits[key.String()] = true
+}
+
+// removeImplicit stops tagging the given key as having been implicitly
+// created.
+func (p *parser) removeImplicit(key Key) {
+	p.implicits[key.String()] = false
+}
+
+// isImplicit returns true if the key group pointed to by the key was created
+// implicitly.
+func (p *parser) isImplicit(key Key) bool {
+	return p.implicits[key.String()]
+}
+
+// current returns the full key name of the current context.
+func (p *parser) current() string {
+	if len(p.currentKey) == 0 {
+		return p.context.String()
+	}
+	if len(p.context) == 0 {
+		return p.currentKey
+	}
+	return fmt.Sprintf("%s.%s", p.context, p.currentKey)
+}
+
+func stripFirstNewline(s string) string {
+	if len(s) == 0 || s[0] != '\n' {
+		return s
+	}
+	return s[1:]
+}
+
+func stripEscapedWhitespace(s string) string {
+	esc := strings.Split(s, "\\\n")
+	if len(esc) > 1 {
+		for i := 1; i < len(esc); i++ {
+			esc[i] = strings.TrimLeftFunc(esc[i], unicode.IsSpace)
+		}
+	}
+	return strings.Join(esc, "")
+}
+
+func (p *parser) replaceEscapes(str string) string {
+	var replaced []rune
+	s := []byte(str)
+	r := 0
+	for r < len(s) {
+		if s[r] != '\\' {
+			c, size := utf8.DecodeRune(s[r:])
+			r += size
+			replaced = append(replaced, c)
+			continue
+		}
+		r += 1
+		if r >= len(s) {
+			p.bug("Escape sequence at end of string.")
+			return ""
+		}
+		switch s[r] {
+		default:
+			p.bug("Expected valid escape code after \\, but got %q.", s[r])
+			return ""
+		case 'b':
+			replaced = append(replaced, rune(0x0008))
+			r += 1
+		case 't':
+			replaced = append(replaced, rune(0x0009))
+			r += 1
+		case 'n':
+			replaced = append(replaced, rune(0x000A))
+			r += 1
+		case 'f':
+			replaced = append(replaced, rune(0x000C))
+			r += 1
+		case 'r':
+			replaced = append(replaced, rune(0x000D))
+			r += 1
+		case '"':
+			replaced = append(replaced, rune(0x0022))
+			r += 1
+		case '\\':
+			replaced = append(replaced, rune(0x005C))
+			r += 1
+		case 'u':
+			// At this point, we know we have a Unicode escape of the form
+			// `uXXXX` at [r, r+5). (Because the lexer guarantees this
+			// for us.)
+			escaped := p.asciiEscapeToUnicode(s[r+1 : r+5])
+			replaced = append(replaced, escaped)
+			r += 5
+		case 'U':
+			// At this point, we know we have a Unicode escape of the form
+			// `uXXXX` at [r, r+9). (Because the lexer guarantees this
+			// for us.)
+			escaped := p.asciiEscapeToUnicode(s[r+1 : r+9])
+			replaced = append(replaced, escaped)
+			r += 9
+		}
+	}
+	return string(replaced)
+}
+
+func (p *parser) asciiEscapeToUnicode(bs []byte) rune {
+	s := string(bs)
+	hex, err := strconv.ParseUint(strings.ToLower(s), 16, 32)
+	if err != nil {
+		p.bug("Could not parse '%s' as a hexadecimal number, but the "+
+			"lexer claims it's OK: %s", s, err)
+	}
+	if !utf8.ValidRune(rune(hex)) {
+		p.panicf("Escaped character '\\u%s' is not valid UTF-8.", s)
+	}
+	return rune(hex)
+}
+
+func isStringType(ty itemType) bool {
+	return ty == itemString || ty == itemMultilineString ||
+		ty == itemRawString || ty == itemRawMultilineString
+}
--- a/vendor/github.com/BurntSushi/toml/type_check.go
+++ b/vendor/github.com/BurntSushi/toml/type_check.go
@@ -0,0 +1,91 @@
+package toml
+
+// tomlType represents any Go type that corresponds to a TOML type.
+// While the first draft of the TOML spec has a simplistic type system that
+// probably doesn't need this level of sophistication, we seem to be militating
+// toward adding real composite types.
+type tomlType interface {
+	typeString() string
+}
+
+// typeEqual accepts any two types and returns true if they are equal.
+func typeEqual(t1, t2 tomlType) bool {
+	if t1 == nil || t2 == nil {
+		return false
+	}
+	return t1.typeString() == t2.typeString()
+}
+
+func typeIsHash(t tomlType) bool {
+	return typeEqual(t, tomlHash) || typeEqual(t, tomlArrayHash)
+}
+
+type tomlBaseType string
+
+func (btype tomlBaseType) typeString() string {
+	return string(btype)
+}
+
+func (btype tomlBaseType) String() string {
+	return btype.typeString()
+}
+
+var (
+	tomlInteger   tomlBaseType = "Integer"
+	tomlFloat     tomlBaseType = "Float"
+	tomlDatetime  tomlBaseType = "Datetime"
+	tomlString    tomlBaseType = "String"
+	tomlBool      tomlBaseType = "Bool"
+	tomlArray     tomlBaseType = "Array"
+	tomlHash      tomlBaseType = "Hash"
+	tomlArrayHash tomlBaseType = "ArrayHash"
+)
+
+// typeOfPrimitive returns a tomlType of any primitive value in TOML.
+// Primitive values are: Integer, Float, Datetime, String and Bool.
+//
+// Passing a lexer item other than the following will cause a BUG message
+// to occur: itemString, itemBool, itemInteger, itemFloat, itemDatetime.
+func (p *parser) typeOfPrimitive(lexItem item) tomlType {
+	switch lexItem.typ {
+	case itemInteger:
+		return tomlInteger
+	case itemFloat:
+		return tomlFloat
+	case itemDatetime:
+		return tomlDatetime
+	case itemString:
+		return tomlString
+	case itemMultilineString:
+		return tomlString
+	case itemRawString:
+		return tomlString
+	case itemRawMultilineString:
+		return tomlString
+	case itemBool:
+		return tomlBool
+	}
+	p.bug("Cannot infer primitive type of lex item '%s'.", lexItem)
+	panic("unreachable")
+}
+
+// typeOfArray returns a tomlType for an array given a list of types of its
+// values.
+//
+// In the current spec, if an array is homogeneous, then its type is always
+// "Array". If the array is not homogeneous, an error is generated.
+func (p *parser) typeOfArray(types []tomlType) tomlType {
+	// Empty arrays are cool.
+	if len(types) == 0 {
+		return tomlArray
+	}
+
+	theType := types[0]
+	for _, t := range types[1:] {
+		if !typeEqual(theType, t) {
+			p.panicf("Array contains values of type '%s' and '%s', but "+
+				"arrays must be homogeneous.", theType, t)
+		}
+	}
+	return tomlArray
+}
--- a/vendor/github.com/BurntSushi/toml/type_fields.go
+++ b/vendor/github.com/BurntSushi/toml/type_fields.go
@@ -0,0 +1,242 @@
+package toml
+
+// Struct field handling is adapted from code in encoding/json:
+//
+// Copyright 2010 The Go Authors.  All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the Go distribution.
+
+import (
+	"reflect"
+	"sort"
+	"sync"
+)
+
+// A field represents a single field found in a struct.
+type field struct {
+	name  string       // the name of the field (`toml` tag included)
+	tag   bool         // whether field has a `toml` tag
+	index []int        // represents the depth of an anonymous field
+	typ   reflect.Type // the type of the field
+}
+
+// byName sorts field by name, breaking ties with depth,
+// then breaking ties with "name came from toml tag", then
+// breaking ties with index sequence.
+type byName []field
+
+func (x byName) Len() int { return len(x) }
+
+func (x byName) Swap(i, j int) { x[i], x[j] = x[j], x[i] }
+
+func (x byName) Less(i, j int) bool {
+	if x[i].name != x[j].name {
+		return x[i].name < x[j].name
+	}
+	if len(x[i].index) != len(x[j].index) {
+		return len(x[i].index) < len(x[j].index)
+	}
+	if x[i].tag != x[j].tag {
+		return x[i].tag
+	}
+	return byIndex(x).Less(i, j)
+}
+
+// byIndex sorts field by index sequence.
+type byIndex []field
+
+func (x byIndex) Len() int { return len(x) }
+
+func (x byIndex) Swap(i, j int) { x[i], x[j] = x[j], x[i] }
+
+func (x byIndex) Less(i, j int) bool {
+	for k, xik := range x[i].index {
+		if k >= len(x[j].index) {
+			return false
+		}
+		if xik != x[j].index[k] {
+			return xik < x[j].index[k]
+		}
+	}
+	return len(x[i].index) < len(x[j].index)
+}
+
+// typeFields returns a list of fields that TOML should recognize for the given
+// type. The algorithm is breadth-first search over the set of structs to
+// include - the top struct and then any reachable anonymous structs.
+func typeFields(t reflect.Type) []field {
+	// Anonymous fields to explore at the current level and the next.
+	current := []field{}
+	next := []field{{typ: t}}
+
+	// Count of queued names for current level and the next.
+	count := map[reflect.Type]int{}
+	nextCount := map[reflect.Type]int{}
+
+	// Types already visited at an earlier level.
+	visited := map[reflect.Type]bool{}
+
+	// Fields found.
+	var fields []field
+
+	for len(next) > 0 {
+		current, next = next, current[:0]
+		count, nextCount = nextCount, map[reflect.Type]int{}
+
+		for _, f := range current {
+			if visited[f.typ] {
+				continue
+			}
+			visited[f.typ] = true
+
+			// Scan f.typ for fields to include.
+			for i := 0; i < f.typ.NumField(); i++ {
+				sf := f.typ.Field(i)
+				if sf.PkgPath != "" && !sf.Anonymous { // unexported
+					continue
+				}
+				opts := getOptions(sf.Tag)
+				if opts.skip {
+					continue
+				}
+				index := make([]int, len(f.index)+1)
+				copy(index, f.index)
+				index[len(f.index)] = i
+
+				ft := sf.Type
+				if ft.Name() == "" && ft.Kind() == reflect.Ptr {
+					// Follow pointer.
+					ft = ft.Elem()
+				}
+
+				// Record found field and index sequence.
+				if opts.name != "" || !sf.Anonymous || ft.Kind() != reflect.Struct {
+					tagged := opts.name != ""
+					name := opts.name
+					if name == "" {
+						name = sf.Name
+					}
+					fields = append(fields, field{name, tagged, index, ft})
+					if count[f.typ] > 1 {
+						// If there were multiple instances, add a second,
+						// so that the annihilation code will see a duplicate.
+						// It only cares about the distinction between 1 or 2,
+						// so don't bother generating any more copies.
+						fields = append(fields, fields[len(fields)-1])
+					}
+					continue
+				}
+
+				// Record new anonymous struct to explore in next round.
+				nextCount[ft]++
+				if nextCount[ft] == 1 {
+					f := field{name: ft.Name(), index: index, typ: ft}
+					next = append(next, f)
+				}
+			}
+		}
+	}
+
+	sort.Sort(byName(fields))
+
+	// Delete all fields that are hidden by the Go rules for embedded fields,
+	// except that fields with TOML tags are promoted.
+
+	// The fields are sorted in primary order of name, secondary order
+	// of field index length. Loop over names; for each name, delete
+	// hidden fields by choosing the one dominant field that survives.
+	out := fields[:0]
+	for advance, i := 0, 0; i < len(fields); i += advance {
+		// One iteration per name.
+		// Find the sequence of fields with the name of this first field.
+		fi := fields[i]
+		name := fi.name
+		for advance = 1; i+advance < len(fields); advance++ {
+			fj := fields[i+advance]
+			if fj.name != name {
+				break
+			}
+		}
+		if advance == 1 { // Only one field with this name
+			out = append(out, fi)
+			continue
+		}
+		dominant, ok := dominantField(fields[i : i+advance])
+		if ok {
+			out = append(out, dominant)
+		}
+	}
+
+	fields = out
+	sort.Sort(byIndex(fields))
+
+	return fields
+}
+
+// dominantField looks through the fields, all of which are known to
+// have the same name, to find the single field that dominates the
+// others using Go's embedding rules, modified by the presence of
+// TOML tags. If there are multiple top-level fields, the boolean
+// will be false: This condition is an error in Go and we skip all
+// the fields.
+func dominantField(fields []field) (field, bool) {
+	// The fields are sorted in increasing index-length order. The winner
+	// must therefore be one with the shortest index length. Drop all
+	// longer entries, which is easy: just truncate the slice.
+	length := len(fields[0].index)
+	tagged := -1 // Index of first tagged field.
+	for i, f := range fields {
+		if len(f.index) > length {
+			fields = fields[:i]
+			break
+		}
+		if f.tag {
+			if tagged >= 0 {
+				// Multiple tagged fields at the same level: conflict.
+				// Return no field.
+				return field{}, false
+			}
+			tagged = i
+		}
+	}
+	if tagged >= 0 {
+		return fields[tagged], true
+	}
+	// All remaining fields have the same length. If there's more than one,
+	// we have a conflict (two fields named "X" at the same level) and we
+	// return no field.
+	if len(fields) > 1 {
+		return field{}, false
+	}
+	return fields[0], true
+}
+
+var fieldCache struct {
+	sync.RWMutex
+	m map[reflect.Type][]field
+}
+
+// cachedTypeFields is like typeFields but uses a cache to avoid repeated work.
+func cachedTypeFields(t reflect.Type) []field {
+	fieldCache.RLock()
+	f := fieldCache.m[t]
+	fieldCache.RUnlock()
+	if f != nil {
+		return f
+	}
+
+	// Compute fields without lock.
+	// Might duplicate effort but won't hold other computations back.
+	f = typeFields(t)
+	if f == nil {
+		f = []field{}
+	}
+
+	fieldCache.Lock()
+	if fieldCache.m == nil {
+		fieldCache.m = map[reflect.Type][]field{}
+	}
+	fieldCache.m[t] = f
+	fieldCache.Unlock()
+	return f
+}
--- a/vendor/github.com/Sirupsen/logrus/.gitignore
+++ b/vendor/github.com/Sirupsen/logrus/.gitignore
@@ -1 +0,0 @@
-logrus
--- a/vendor/github.com/Sirupsen/logrus/.travis.yml
+++ b/vendor/github.com/Sirupsen/logrus/.travis.yml
@@ -1,9 +0,0 @@
-language: go
-go:
-  - 1.3
-  - 1.4
-  - 1.5
-  - tip
-install:
-  - go get -t ./...
-script: GOMAXPROCS=4 GORACE="halt_on_error=1" go test -race -v ./...
--- a/vendor/github.com/Sirupsen/logrus/CHANGELOG.md
+++ b/vendor/github.com/Sirupsen/logrus/CHANGELOG.md
@@ -1,66 +0,0 @@
-# 0.10.0
-
-* feature: Add a test hook (#180)
-* feature: `ParseLevel` is now case-insensitive (#326)
-* feature: `FieldLogger` interface that generalizes `Logger` and `Entry` (#308)
-* performance: avoid re-allocations on `WithFields` (#335)
-
-# 0.9.0
-
-* logrus/text_formatter: don't emit empty msg
-* logrus/hooks/airbrake: move out of main repository
-* logrus/hooks/sentry: move out of main repository
-* logrus/hooks/papertrail: move out of main repository
-* logrus/hooks/bugsnag: move out of main repository
-* logrus/core: run tests with `-race`
-* logrus/core: detect TTY based on `stderr`
-* logrus/core: support `WithError` on logger
-* logrus/core: Solaris support
-
-# 0.8.7
-
-* logrus/core: fix possible race (#216)
-* logrus/doc: small typo fixes and doc improvements
-
-
-# 0.8.6
-
-* hooks/raven: allow passing an initialized client
-
-# 0.8.5
-
-* logrus/core: revert #208
-
-# 0.8.4
-
-* formatter/text: fix data race (#218)
-
-# 0.8.3
-
-* logrus/core: fix entry log level (#208)
-* logrus/core: improve performance of text formatter by 40%
-* logrus/core: expose `LevelHooks` type
-* logrus/core: add support for DragonflyBSD and NetBSD
-* formatter/text: print structs more verbosely
-
-# 0.8.2
-
-* logrus: fix more Fatal family functions
-
-# 0.8.1
-
-* logrus: fix not exiting on `Fatalf` and `Fatalln`
-
-# 0.8.0
-
-* logrus: defaults to stderr instead of stdout
-* hooks/sentry: add special field for `*http.Request`
-* formatter/text: ignore Windows for colors
-
-# 0.7.3
-
-* formatter/\*: allow configuration of timestamp layout
-
-# 0.7.2
-
-* formatter/text: Add configuration option for time format (#158)
--- a/vendor/github.com/Sirupsen/logrus/json_formatter.go
+++ b/vendor/github.com/Sirupsen/logrus/json_formatter.go
@@ -1,41 +0,0 @@
-package logrus
-
-import (
-	"encoding/json"
-	"fmt"
-)
-
-type JSONFormatter struct {
-	// TimestampFormat sets the format used for marshaling timestamps.
-	TimestampFormat string
-}
-
-func (f *JSONFormatter) Format(entry *Entry) ([]byte, error) {
-	data := make(Fields, len(entry.Data)+3)
-	for k, v := range entry.Data {
-		switch v := v.(type) {
-		case error:
-			// Otherwise errors are ignored by `encoding/json`
-			// https://github.com/Sirupsen/logrus/issues/137
-			data[k] = v.Error()
-		default:
-			data[k] = v
-		}
-	}
-	prefixFieldClashes(data)
-
-	timestampFormat := f.TimestampFormat
-	if timestampFormat == "" {
-		timestampFormat = DefaultTimestampFormat
-	}
-
-	data["time"] = entry.Time.Format(timestampFormat)
-	data["msg"] = entry.Message
-	data["level"] = entry.Level.String()
-
-	serialized, err := json.Marshal(data)
-	if err != nil {
-		return nil, fmt.Errorf("Failed to marshal fields to JSON, %v", err)
-	}
-	return append(serialized, '\n'), nil
-}
--- a/vendor/github.com/Sirupsen/logrus/logger.go
+++ b/vendor/github.com/Sirupsen/logrus/logger.go
@@ -1,212 +0,0 @@
-package logrus
-
-import (
-	"io"
-	"os"
-	"sync"
-)
-
-type Logger struct {
-	// The logs are `io.Copy`'d to this in a mutex. It's common to set this to a
-	// file, or leave it default which is `os.Stderr`. You can also set this to
-	// something more adventorous, such as logging to Kafka.
-	Out io.Writer
-	// Hooks for the logger instance. These allow firing events based on logging
-	// levels and log entries. For example, to send errors to an error tracking
-	// service, log to StatsD or dump the core on fatal errors.
-	Hooks LevelHooks
-	// All log entries pass through the formatter before logged to Out. The
-	// included formatters are `TextFormatter` and `JSONFormatter` for which
-	// TextFormatter is the default. In development (when a TTY is attached) it
-	// logs with colors, but to a file it wouldn't. You can easily implement your
-	// own that implements the `Formatter` interface, see the `README` or included
-	// formatters for examples.
-	Formatter Formatter
-	// The logging level the logger should log at. This is typically (and defaults
-	// to) `logrus.Info`, which allows Info(), Warn(), Error() and Fatal() to be
-	// logged. `logrus.Debug` is useful in
-	Level Level
-	// Used to sync writing to the log.
-	mu sync.Mutex
-}
-
-// Creates a new logger. Configuration should be set by changing `Formatter`,
-// `Out` and `Hooks` directly on the default logger instance. You can also just
-// instantiate your own:
-//
-//    var log = &Logger{
-//      Out: os.Stderr,
-//      Formatter: new(JSONFormatter),
-//      Hooks: make(LevelHooks),
-//      Level: logrus.DebugLevel,
-//    }
-//
-// It's recommended to make this a global instance called `log`.
-func New() *Logger {
-	return &Logger{
-		Out:       os.Stderr,
-		Formatter: new(TextFormatter),
-		Hooks:     make(LevelHooks),
-		Level:     InfoLevel,
-	}
-}
-
-// Adds a field to the log entry, note that you it doesn't log until you call
-// Debug, Print, Info, Warn, Fatal or Panic. It only creates a log entry.
-// If you want multiple fields, use `WithFields`.
-func (logger *Logger) WithField(key string, value interface{}) *Entry {
-	return NewEntry(logger).WithField(key, value)
-}
-
-// Adds a struct of fields to the log entry. All it does is call `WithField` for
-// each `Field`.
-func (logger *Logger) WithFields(fields Fields) *Entry {
-	return NewEntry(logger).WithFields(fields)
-}
-
-// Add an error as single field to the log entry.  All it does is call
-// `WithError` for the given `error`.
-func (logger *Logger) WithError(err error) *Entry {
-	return NewEntry(logger).WithError(err)
-}
-
-func (logger *Logger) Debugf(format string, args ...interface{}) {
-	if logger.Level >= DebugLevel {
-		NewEntry(logger).Debugf(format, args...)
-	}
-}
-
-func (logger *Logger) Infof(format string, args ...interface{}) {
-	if logger.Level >= InfoLevel {
-		NewEntry(logger).Infof(format, args...)
-	}
-}
-
-func (logger *Logger) Printf(format string, args ...interface{}) {
-	NewEntry(logger).Printf(format, args...)
-}
-
-func (logger *Logger) Warnf(format string, args ...interface{}) {
-	if logger.Level >= WarnLevel {
-		NewEntry(logger).Warnf(format, args...)
-	}
-}
-
-func (logger *Logger) Warningf(format string, args ...interface{}) {
-	if logger.Level >= WarnLevel {
-		NewEntry(logger).Warnf(format, args...)
-	}
-}
-
-func (logger *Logger) Errorf(format string, args ...interface{}) {
-	if logger.Level >= ErrorLevel {
-		NewEntry(logger).Errorf(format, args...)
-	}
-}
-
-func (logger *Logger) Fatalf(format string, args ...interface{}) {
-	if logger.Level >= FatalLevel {
-		NewEntry(logger).Fatalf(format, args...)
-	}
-	os.Exit(1)
-}
-
-func (logger *Logger) Panicf(format string, args ...interface{}) {
-	if logger.Level >= PanicLevel {
-		NewEntry(logger).Panicf(format, args...)
-	}
-}
-
-func (logger *Logger) Debug(args ...interface{}) {
-	if logger.Level >= DebugLevel {
-		NewEntry(logger).Debug(args...)
-	}
-}
-
-func (logger *Logger) Info(args ...interface{}) {
-	if logger.Level >= InfoLevel {
-		NewEntry(logger).Info(args...)
-	}
-}
-
-func (logger *Logger) Print(args ...interface{}) {
-	NewEntry(logger).Info(args...)
-}
-
-func (logger *Logger) Warn(args ...interface{}) {
-	if logger.Level >= WarnLevel {
-		NewEntry(logger).Warn(args...)
-	}
-}
-
-func (logger *Logger) Warning(args ...interface{}) {
-	if logger.Level >= WarnLevel {
-		NewEntry(logger).Warn(args...)
-	}
-}
-
-func (logger *Logger) Error(args ...interface{}) {
-	if logger.Level >= ErrorLevel {
-		NewEntry(logger).Error(args...)
-	}
-}
-
-func (logger *Logger) Fatal(args ...interface{}) {
-	if logger.Level >= FatalLevel {
-		NewEntry(logger).Fatal(args...)
-	}
-	os.Exit(1)
-}
-
-func (logger *Logger) Panic(args ...interface{}) {
-	if logger.Level >= PanicLevel {
-		NewEntry(logger).Panic(args...)
-	}
-}
-
-func (logger *Logger) Debugln(args ...interface{}) {
-	if logger.Level >= DebugLevel {
-		NewEntry(logger).Debugln(args...)
-	}
-}
-
-func (logger *Logger) Infoln(args ...interface{}) {
-	if logger.Level >= InfoLevel {
-		NewEntry(logger).Infoln(args...)
-	}
-}
-
-func (logger *Logger) Println(args ...interface{}) {
-	NewEntry(logger).Println(args...)
-}
-
-func (logger *Logger) Warnln(args ...interface{}) {
-	if logger.Level >= WarnLevel {
-		NewEntry(logger).Warnln(args...)
-	}
-}
-
-func (logger *Logger) Warningln(args ...interface{}) {
-	if logger.Level >= WarnLevel {
-		NewEntry(logger).Warnln(args...)
-	}
-}
-
-func (logger *Logger) Errorln(args ...interface{}) {
-	if logger.Level >= ErrorLevel {
-		NewEntry(logger).Errorln(args...)
-	}
-}
-
-func (logger *Logger) Fatalln(args ...interface{}) {
-	if logger.Level >= FatalLevel {
-		NewEntry(logger).Fatalln(args...)
-	}
-	os.Exit(1)
-}
-
-func (logger *Logger) Panicln(args ...interface{}) {
-	if logger.Level >= PanicLevel {
-		NewEntry(logger).Panicln(args...)
-	}
-}
--- a/vendor/github.com/Sirupsen/logrus/terminal_solaris.go
+++ b/vendor/github.com/Sirupsen/logrus/terminal_solaris.go
@@ -1,15 +0,0 @@
-// +build solaris
-
-package logrus
-
-import (
-	"os"
-
-	"golang.org/x/sys/unix"
-)
-
-// IsTerminal returns true if the given file descriptor is a terminal.
-func IsTerminal() bool {
-	_, err := unix.IoctlGetTermios(int(os.Stdout.Fd()), unix.TCGETA)
-	return err == nil
-}
--- a/vendor/github.com/Sirupsen/logrus/terminal_windows.go
+++ b/vendor/github.com/Sirupsen/logrus/terminal_windows.go
@@ -1,27 +0,0 @@
-// Based on ssh/terminal:
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build windows
-
-package logrus
-
-import (
-	"syscall"
-	"unsafe"
-)
-
-var kernel32 = syscall.NewLazyDLL("kernel32.dll")
-
-var (
-	procGetConsoleMode = kernel32.NewProc("GetConsoleMode")
-)
-
-// IsTerminal returns true if stderr's file descriptor is a terminal.
-func IsTerminal() bool {
-	fd := syscall.Stderr
-	var st uint32
-	r, _, e := syscall.Syscall(procGetConsoleMode.Addr(), 2, uintptr(fd), uintptr(unsafe.Pointer(&st)), 0)
-	return r != 0 && e == 0
-}
--- a/vendor/github.com/Sirupsen/logrus/writer.go
+++ b/vendor/github.com/Sirupsen/logrus/writer.go
@@ -1,31 +0,0 @@
-package logrus
-
-import (
-	"bufio"
-	"io"
-	"runtime"
-)
-
-func (logger *Logger) Writer() *io.PipeWriter {
-	reader, writer := io.Pipe()
-
-	go logger.writerScanner(reader)
-	runtime.SetFinalizer(writer, writerFinalizer)
-
-	return writer
-}
-
-func (logger *Logger) writerScanner(reader *io.PipeReader) {
-	scanner := bufio.NewScanner(reader)
-	for scanner.Scan() {
-		logger.Print(scanner.Text())
-	}
-	if err := scanner.Err(); err != nil {
-		logger.Errorf("Error while reading from Writer: %s", err)
-	}
-	reader.Close()
-}
-
-func writerFinalizer(writer *io.PipeWriter) {
-	writer.Close()
-}
--- a/vendor/github.com/containers/image/README.md
+++ b/vendor/github.com/containers/image/README.md
@@ -0,0 +1,79 @@
+[![GoDoc](https://godoc.org/github.com/containers/image?status.svg)](https://godoc.org/github.com/containers/image) [![Build Status](https://travis-ci.org/containers/image.svg?branch=master)](https://travis-ci.org/containers/image)
+=
+
+`image` is a set of Go libraries aimed at working in various way with
+containers' images and container image registries.
+
+The containers/image library allows application to pull and push images from
+container image registries, like the upstream docker registry. It also
+implements "simple image signing".
+
+The containers/image library also allows you to inspect a repository on a
+container registry without pulling down the image. This means it fetches the
+repository's manifest and it is able to show you a `docker inspect`-like json
+output about a whole repository or a tag. This library, in contrast to `docker
+inspect`, helps you gather useful information about a repository or a tag
+without requiring you to run `docker pull`.
+
+The containers/image library also allows you to translate from one image format
+to another, for example docker container images to OCI images. It also allows
+you to copy container images between various registries, possibly converting
+them as necessary, and to sign and verify images.
+
+## Command-line usage
+
+The containers/image project is only a library with no user interface;
+you can either incorporate it into your Go programs, or use the `skopeo` tool:
+
+The [skopeo](https://github.com/projectatomic/skopeo) tool uses the
+containers/image library and takes advantage of many of its features,
+e.g. `skopeo copy` exposes the `containers/image/copy.Image` functionality.
+
+## Dependencies
+
+This library does not ship a committed version of its dependencies in a `vendor`
+subdirectory.  This is so you can make well-informed decisions about which
+libraries you should use with this package in your own projects, and because
+types defined in the `vendor` directory would be impossible to use from your projects.
+
+What this project tests against dependencies-wise is located
+[in vendor.conf](https://github.com/containers/image/blob/master/vendor.conf).
+
+## Building
+
+If you want to see what the library can do, or an example of how it is called,
+consider starting with the [skopeo](https://github.com/projectatomic/skopeo) tool
+instead.
+
+To integrate this library into your project, put it into `$GOPATH` or use
+your preferred vendoring tool to include a copy in your project.
+Ensure that the dependencies documented [in vendor.conf](https://github.com/containers/image/blob/master/vendor.conf)
+are also available
+(using those exact versions or different versions of your choosing).
+
+This library, by default, also depends on the GpgME and libostree C libraries. Either install them:
+```sh
+Fedora$ dnf install gpgme-devel libassuan-devel libostree-devel
+macOS$ brew install gpgme
+```
+or use the build tags described below to avoid the dependencies (e.g. using `go build -tags …`)
+
+### Supported build tags
+
+- `containers_image_openpgp`: Use a Golang-only OpenPGP implementation for signature verification instead of the default cgo/gpgme-based implementation;
+the primary downside is that creating new signatures with the Golang-only implementation is not supported.
+- `containers_image_ostree_stub`: Instead of importing `ostree:` transport in `github.com/containers/image/transports/alltransports`, use a stub which reports that the transport is not supported. This allows building the library without requiring the `libostree` development libraries. The `github.com/containers/image/ostree` package is completely disabled
+and impossible to import when this build tag is in use.
+
+## Contributing
+
+When developing this library, please use `make` (or `make … BUILDTAGS=…`) to take advantage of the tests and validation.
+
+## License
+
+ASL 2.0
+
+## Contact
+
+- Mailing list: [containers-dev](https://groups.google.com/forum/?hl=en#!forum/containers-dev)
+- IRC: #[container-projects](irc://irc.freenode.net:6667/#container-projects) on freenode.net
--- a/vendor/github.com/containers/image/copy/copy.go
+++ b/vendor/github.com/containers/image/copy/copy.go
@@ -3,28 +3,27 @@ package copy
 import (
 	"bytes"
 	"compress/gzip"
-	"errors"
+	"context"
 	"fmt"
 	"io"
 	"io/ioutil"
 	"reflect"
+	"runtime"
+	"strings"
+	"time"

 	pb "gopkg.in/cheggaaa/pb.v1"

-	"github.com/Sirupsen/logrus"
 	"github.com/containers/image/image"
-	"github.com/containers/image/manifest"
+	"github.com/containers/image/pkg/compression"
 	"github.com/containers/image/signature"
 	"github.com/containers/image/transports"
 	"github.com/containers/image/types"
-	"github.com/docker/distribution/digest"
+	"github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 )

-// preferredManifestMIMETypes lists manifest MIME types in order of our preference, if we can't use the original manifest and need to convert.
-// Prefer v2s2 to v2s1 because v2s2 does not need to be changed when uploading to a different location.
-// Include v2s1 signed but not v2s1 unsigned, because docker/distribution requires a signature even if the unsigned MIME type is used.
-var preferredManifestMIMETypes = []string{manifest.DockerV2Schema2MediaType, manifest.DockerV2Schema1SignedMediaType}
-
 type digestingReader struct {
 	source           io.Reader
 	digester         digest.Digester
@@ -32,19 +31,36 @@ type digestingReader struct {
 	validationFailed bool
 }

+// imageCopier allows us to keep track of diffID values for blobs, and other
+// data, that we're copying between images, and cache other information that
+// might allow us to take some shortcuts
+type imageCopier struct {
+	copiedBlobs       map[digest.Digest]digest.Digest
+	cachedDiffIDs     map[digest.Digest]digest.Digest
+	manifestUpdates   *types.ManifestUpdateOptions
+	dest              types.ImageDestination
+	src               types.Image
+	rawSource         types.ImageSource
+	diffIDsAreNeeded  bool
+	canModifyManifest bool
+	reportWriter      io.Writer
+	progressInterval  time.Duration
+	progress          chan types.ProgressProperties
+}
+
 // newDigestingReader returns an io.Reader implementation with contents of source, which will eventually return a non-EOF error
 // and set validationFailed to true if the source stream does not match expectedDigest.
 func newDigestingReader(source io.Reader, expectedDigest digest.Digest) (*digestingReader, error) {
 	if err := expectedDigest.Validate(); err != nil {
-		return nil, fmt.Errorf("Invalid digest specification %s", expectedDigest)
+		return nil, errors.Errorf("Invalid digest specification %s", expectedDigest)
 	}
 	digestAlgorithm := expectedDigest.Algorithm()
 	if !digestAlgorithm.Available() {
-		return nil, fmt.Errorf("Invalid digest specification %s: unsupported digest algorithm %s", expectedDigest, digestAlgorithm)
+		return nil, errors.Errorf("Invalid digest specification %s: unsupported digest algorithm %s", expectedDigest, digestAlgorithm)
 	}
 	return &digestingReader{
 		source:           source,
-		digester:         digestAlgorithm.New(),
+		digester:         digestAlgorithm.Digester(),
 		expectedDigest:   expectedDigest,
 		validationFailed: false,
 	}, nil
@@ -57,14 +73,14 @@ func (d *digestingReader) Read(p []byte) (int, error) {
 			// Coverage: This should not happen, the hash.Hash interface requires
 			// d.digest.Write to never return an error, and the io.Writer interface
 			// requires n2 == len(input) if no error is returned.
-			return 0, fmt.Errorf("Error updating digest during verification: %d vs. %d, %v", n2, n, err)
+			return 0, errors.Wrapf(err, "Error updating digest during verification: %d vs. %d", n2, n)
 		}
 	}
 	if err == io.EOF {
 		actualDigest := d.digester.Digest()
 		if actualDigest != d.expectedDigest {
 			d.validationFailed = true
-			return 0, fmt.Errorf("Digest did not match, expected %s, got %s", d.expectedDigest, actualDigest)
+			return 0, errors.Errorf("Digest did not match, expected %s, got %s", d.expectedDigest, actualDigest)
 		}
 	}
 	return n, err
@@ -77,186 +93,263 @@ type Options struct {
 	ReportWriter     io.Writer
 	SourceCtx        *types.SystemContext
 	DestinationCtx   *types.SystemContext
+	ProgressInterval time.Duration                 // time to wait between reports to signal the progress channel
+	Progress         chan types.ProgressProperties // Reported to when ProgressInterval has arrived for a single artifact+offset.
 }

-// Image copies image from srcRef to destRef, using policyContext to validate source image admissibility.
-func Image(policyContext *signature.PolicyContext, destRef, srcRef types.ImageReference, options *Options) error {
+// Image copies image from srcRef to destRef, using policyContext to validate
+// source image admissibility.
+func Image(policyContext *signature.PolicyContext, destRef, srcRef types.ImageReference, options *Options) (retErr error) {
+	// NOTE this function uses an output parameter for the error return value.
+	// Setting this and returning is the ideal way to return an error.
+	//
+	// the defers in this routine will wrap the error return with its own errors
+	// which can be valuable context in the middle of a multi-streamed copy.
+	if options == nil {
+		options = &Options{}
+	}
+
 	reportWriter := ioutil.Discard
-	if options != nil && options.ReportWriter != nil {
+
+	if options.ReportWriter != nil {
 		reportWriter = options.ReportWriter
 	}
+
 	writeReport := func(f string, a ...interface{}) {
 		fmt.Fprintf(reportWriter, f, a...)
 	}

 	dest, err := destRef.NewImageDestination(options.DestinationCtx)
 	if err != nil {
-		return fmt.Errorf("Error initializing destination %s: %v", transports.ImageName(destRef), err)
+		return errors.Wrapf(err, "Error initializing destination %s", transports.ImageName(destRef))
 	}
-	defer dest.Close()
-	destSupportedManifestMIMETypes := dest.SupportedManifestMIMETypes()
+	defer func() {
+		if err := dest.Close(); err != nil {
+			retErr = errors.Wrapf(retErr, " (dest: %v)", err)
+		}
+	}()

-	rawSource, err := srcRef.NewImageSource(options.SourceCtx, destSupportedManifestMIMETypes)
+	rawSource, err := srcRef.NewImageSource(options.SourceCtx)
 	if err != nil {
-		return fmt.Errorf("Error initializing source %s: %v", transports.ImageName(srcRef), err)
+		return errors.Wrapf(err, "Error initializing source %s", transports.ImageName(srcRef))
 	}
 	unparsedImage := image.UnparsedFromSource(rawSource)
 	defer func() {
 		if unparsedImage != nil {
-			unparsedImage.Close()
+			if err := unparsedImage.Close(); err != nil {
+				retErr = errors.Wrapf(retErr, " (unparsed: %v)", err)
+			}
 		}
 	}()

 	// Please keep this policy check BEFORE reading any other information about the image.
 	if allowed, err := policyContext.IsRunningImageAllowed(unparsedImage); !allowed || err != nil { // Be paranoid and fail if either return value indicates so.
-		return fmt.Errorf("Source image rejected: %v", err)
+		return errors.Wrap(err, "Source image rejected")
 	}
 	src, err := image.FromUnparsedImage(unparsedImage)
 	if err != nil {
-		return fmt.Errorf("Error initializing image from source %s: %v", transports.ImageName(srcRef), err)
+		return errors.Wrapf(err, "Error initializing image from source %s", transports.ImageName(srcRef))
 	}
 	unparsedImage = nil
-	defer src.Close()
+	defer func() {
+		if err := src.Close(); err != nil {
+			retErr = errors.Wrapf(retErr, " (source: %v)", err)
+		}
+	}()
+
+	if err := checkImageDestinationForCurrentRuntimeOS(src, dest); err != nil {
+		return err
+	}

 	if src.IsMultiImage() {
-		return fmt.Errorf("can not copy %s: manifest contains multiple images", transports.ImageName(srcRef))
+		return errors.Errorf("can not copy %s: manifest contains multiple images", transports.ImageName(srcRef))
 	}

 	var sigs [][]byte
-	if options != nil && options.RemoveSignatures {
+	if options.RemoveSignatures {
 		sigs = [][]byte{}
 	} else {
 		writeReport("Getting image source signatures\n")
-		s, err := src.Signatures()
+		s, err := src.Signatures(context.TODO())
 		if err != nil {
-			return fmt.Errorf("Error reading signatures: %v", err)
+			return errors.Wrap(err, "Error reading signatures")
 		}
 		sigs = s
 	}
 	if len(sigs) != 0 {
 		writeReport("Checking if image destination supports signatures\n")
 		if err := dest.SupportsSignatures(); err != nil {
-			return fmt.Errorf("Can not copy signatures: %v", err)
+			return errors.Wrap(err, "Can not copy signatures")
 		}
 	}

 	canModifyManifest := len(sigs) == 0
 	manifestUpdates := types.ManifestUpdateOptions{}
+	manifestUpdates.InformationOnly.Destination = dest

-	if err := determineManifestConversion(&manifestUpdates, src, destSupportedManifestMIMETypes, canModifyManifest); err != nil {
+	if err := updateEmbeddedDockerReference(&manifestUpdates, dest, src, canModifyManifest); err != nil {
 		return err
 	}

-	if err := copyLayers(&manifestUpdates, dest, src, rawSource, canModifyManifest, reportWriter); err != nil {
-		return err
-	}
-
-	pendingImage := src
-	if !reflect.DeepEqual(manifestUpdates, types.ManifestUpdateOptions{InformationOnly: manifestUpdates.InformationOnly}) {
-		if !canModifyManifest {
-			return fmt.Errorf("Internal error: copy needs an updated manifest but that was known to be forbidden")
-		}
-		manifestUpdates.InformationOnly.Destination = dest
-		pendingImage, err = src.UpdatedImage(manifestUpdates)
-		if err != nil {
-			return fmt.Errorf("Error creating an updated image manifest: %v", err)
-		}
-	}
-	manifest, _, err := pendingImage.Manifest()
+	// We compute preferredManifestMIMEType only to show it in error messages.
+	// Without having to add this context in an error message, we would be happy enough to know only that no conversion is needed.
+	preferredManifestMIMEType, otherManifestMIMETypeCandidates, err := determineManifestConversion(&manifestUpdates, src, dest.SupportedManifestMIMETypes(), canModifyManifest)
 	if err != nil {
-		return fmt.Errorf("Error reading manifest: %v", err)
-	}
-
-	if err := copyConfig(dest, pendingImage, reportWriter); err != nil {
 		return err
 	}

-	if options != nil && options.SignBy != "" {
-		mech, err := signature.NewGPGSigningMechanism()
-		if err != nil {
-			return fmt.Errorf("Error initializing GPG: %v", err)
+	// If src.UpdatedImageNeedsLayerDiffIDs(manifestUpdates) will be true, it needs to be true by the time we get here.
+	ic := imageCopier{
+		copiedBlobs:       make(map[digest.Digest]digest.Digest),
+		cachedDiffIDs:     make(map[digest.Digest]digest.Digest),
+		manifestUpdates:   &manifestUpdates,
+		dest:              dest,
+		src:               src,
+		rawSource:         rawSource,
+		diffIDsAreNeeded:  src.UpdatedImageNeedsLayerDiffIDs(manifestUpdates),
+		canModifyManifest: canModifyManifest,
+		reportWriter:      reportWriter,
+		progressInterval:  options.ProgressInterval,
+		progress:          options.Progress,
+	}
+
+	if err := ic.copyLayers(); err != nil {
+		return err
+	}
+
+	// With docker/distribution registries we do not know whether the registry accepts schema2 or schema1 only;
+	// and at least with the OpenShift registry "acceptschema2" option, there is no way to detect the support
+	// without actually trying to upload something and getting a types.ManifestTypeRejectedError.
+	// So, try the preferred manifest MIME type. If the process succeeds, fine…
+	manifest, err := ic.copyUpdatedConfigAndManifest()
+	if err != nil {
+		logrus.Debugf("Writing manifest using preferred type %s failed: %v", preferredManifestMIMEType, err)
+		// … if it fails, _and_ the failure is because the manifest is rejected, we may have other options.
+		if _, isManifestRejected := errors.Cause(err).(types.ManifestTypeRejectedError); !isManifestRejected || len(otherManifestMIMETypeCandidates) == 0 {
+			// We don’t have other options.
+			// In principle the code below would handle this as well, but the resulting  error message is fairly ugly.
+			// Don’t bother the user with MIME types if we have no choice.
+			return err
 		}
-		dockerReference := dest.Reference().DockerReference()
-		if dockerReference == nil {
-			return fmt.Errorf("Cannot determine canonical Docker reference for destination %s", transports.ImageName(dest.Reference()))
+		// If the original MIME type is acceptable, determineManifestConversion always uses it as preferredManifestMIMEType.
+		// So if we are here, we will definitely be trying to convert the manifest.
+		// With !canModifyManifest, that would just be a string of repeated failures for the same reason,
+		// so let’s bail out early and with a better error message.
+		if !canModifyManifest {
+			return errors.Wrap(err, "Writing manifest failed (and converting it is not possible)")
 		}

-		writeReport("Signing manifest\n")
-		newSig, err := signature.SignDockerManifest(manifest, dockerReference.String(), mech, options.SignBy)
+		// errs is a list of errors when trying various manifest types. Also serves as an "upload succeeded" flag when set to nil.
+		errs := []string{fmt.Sprintf("%s(%v)", preferredManifestMIMEType, err)}
+		for _, manifestMIMEType := range otherManifestMIMETypeCandidates {
+			logrus.Debugf("Trying to use manifest type %s…", manifestMIMEType)
+			manifestUpdates.ManifestMIMEType = manifestMIMEType
+			attemptedManifest, err := ic.copyUpdatedConfigAndManifest()
+			if err != nil {
+				logrus.Debugf("Upload of manifest type %s failed: %v", manifestMIMEType, err)
+				errs = append(errs, fmt.Sprintf("%s(%v)", manifestMIMEType, err))
+				continue
+			}
+
+			// We have successfully uploaded a manifest.
+			manifest = attemptedManifest
+			errs = nil // Mark this as a success so that we don't abort below.
+			break
+		}
+		if errs != nil {
+			return fmt.Errorf("Uploading manifest failed, attempted the following formats: %s", strings.Join(errs, ", "))
+		}
+	}
+
+	if options.SignBy != "" {
+		newSig, err := createSignature(dest, manifest, options.SignBy, reportWriter)
 		if err != nil {
-			return fmt.Errorf("Error creating signature: %v", err)
+			return err
 		}
 		sigs = append(sigs, newSig)
 	}

-	writeReport("Writing manifest to image destination\n")
-	if err := dest.PutManifest(manifest); err != nil {
-		return fmt.Errorf("Error writing manifest: %v", err)
-	}
-
 	writeReport("Storing signatures\n")
 	if err := dest.PutSignatures(sigs); err != nil {
-		return fmt.Errorf("Error writing signatures: %v", err)
+		return errors.Wrap(err, "Error writing signatures")
 	}

 	if err := dest.Commit(); err != nil {
-		return fmt.Errorf("Error committing the finished image: %v", err)
+		return errors.Wrap(err, "Error committing the finished image")
 	}

 	return nil
 }

-// copyLayers copies layers from src/rawSource to dest, using and updating manifestUpdates if necessary and canModifyManifest.
-// If src.UpdatedImageNeedsLayerDiffIDs(manifestUpdates) will be true, it needs to be true by the time this function is called.
-func copyLayers(manifestUpdates *types.ManifestUpdateOptions, dest types.ImageDestination, src types.Image, rawSource types.ImageSource,
-	canModifyManifest bool, reportWriter io.Writer) error {
-	type copiedLayer struct {
-		blobInfo types.BlobInfo
-		diffID   digest.Digest
+func checkImageDestinationForCurrentRuntimeOS(src types.Image, dest types.ImageDestination) error {
+	if dest.MustMatchRuntimeOS() {
+		c, err := src.OCIConfig()
+		if err != nil {
+			return errors.Wrapf(err, "Error parsing image configuration")
+		}
+		osErr := fmt.Errorf("image operating system %q cannot be used on %q", c.OS, runtime.GOOS)
+		if runtime.GOOS == "windows" && c.OS == "linux" {
+			return osErr
+		} else if runtime.GOOS != "windows" && c.OS == "windows" {
+			return osErr
+		}
+	}
+	return nil
+}
+
+// updateEmbeddedDockerReference handles the Docker reference embedded in Docker schema1 manifests.
+func updateEmbeddedDockerReference(manifestUpdates *types.ManifestUpdateOptions, dest types.ImageDestination, src types.Image, canModifyManifest bool) error {
+	destRef := dest.Reference().DockerReference()
+	if destRef == nil {
+		return nil // Destination does not care about Docker references
+	}
+	if !src.EmbeddedDockerReferenceConflicts(destRef) {
+		return nil // No reference embedded in the manifest, or it matches destRef already.
 	}

-	diffIDsAreNeeded := src.UpdatedImageNeedsLayerDiffIDs(*manifestUpdates)
+	if !canModifyManifest {
+		return errors.Errorf("Copying a schema1 image with an embedded Docker reference to %s (Docker reference %s) would invalidate existing signatures. Explicitly enable signature removal to proceed anyway",
+			transports.ImageName(dest.Reference()), destRef.String())
+	}
+	manifestUpdates.EmbeddedDockerReference = destRef
+	return nil
+}

-	srcInfos := src.LayerInfos()
+// copyLayers copies layers from src/rawSource to dest, using and updating ic.manifestUpdates if necessary and ic.canModifyManifest.
+func (ic *imageCopier) copyLayers() error {
+	srcInfos := ic.src.LayerInfos()
 	destInfos := []types.BlobInfo{}
 	diffIDs := []digest.Digest{}
-	copiedLayers := map[digest.Digest]copiedLayer{}
 	for _, srcLayer := range srcInfos {
-		cl, ok := copiedLayers[srcLayer.Digest]
-		if !ok {
-			var (
-				destInfo types.BlobInfo
-				diffID   digest.Digest
-				err      error
-			)
-			if dest.AcceptsForeignLayerURLs() && len(srcLayer.URLs) != 0 {
-				// DiffIDs are, currently, needed only when converting from schema1.
-				// In which case src.LayerInfos will not have URLs because schema1
-				// does not support them.
-				if diffIDsAreNeeded {
-					return errors.New("getting DiffID for foreign layers is unimplemented")
-				}
-				destInfo = srcLayer
-				fmt.Fprintf(reportWriter, "Skipping foreign layer %q copy to %s\n", destInfo.Digest, dest.Reference().Transport().Name())
-			} else {
-				fmt.Fprintf(reportWriter, "Copying blob %s\n", srcLayer.Digest)
-				destInfo, diffID, err = copyLayer(dest, rawSource, srcLayer, diffIDsAreNeeded, canModifyManifest, reportWriter)
-				if err != nil {
-					return err
-				}
+		var (
+			destInfo types.BlobInfo
+			diffID   digest.Digest
+			err      error
+		)
+		if ic.dest.AcceptsForeignLayerURLs() && len(srcLayer.URLs) != 0 {
+			// DiffIDs are, currently, needed only when converting from schema1.
+			// In which case src.LayerInfos will not have URLs because schema1
+			// does not support them.
+			if ic.diffIDsAreNeeded {
+				return errors.New("getting DiffID for foreign layers is unimplemented")
+			}
+			destInfo = srcLayer
+			fmt.Fprintf(ic.reportWriter, "Skipping foreign layer %q copy to %s\n", destInfo.Digest, ic.dest.Reference().Transport().Name())
+		} else {
+			destInfo, diffID, err = ic.copyLayer(srcLayer)
+			if err != nil {
+				return err
 			}
-			cl = copiedLayer{blobInfo: destInfo, diffID: diffID}
-			copiedLayers[srcLayer.Digest] = cl
 		}
-		destInfos = append(destInfos, cl.blobInfo)
-		diffIDs = append(diffIDs, cl.diffID)
+		destInfos = append(destInfos, destInfo)
+		diffIDs = append(diffIDs, diffID)
 	}
-	manifestUpdates.InformationOnly.LayerInfos = destInfos
-	if diffIDsAreNeeded {
-		manifestUpdates.InformationOnly.LayerDiffIDs = diffIDs
+	ic.manifestUpdates.InformationOnly.LayerInfos = destInfos
+	if ic.diffIDsAreNeeded {
+		ic.manifestUpdates.InformationOnly.LayerDiffIDs = diffIDs
 	}
 	if layerDigestsDiffer(srcInfos, destInfos) {
-		manifestUpdates.LayerInfos = destInfos
+		ic.manifestUpdates.LayerInfos = destInfos
 	}
 	return nil
 }
@@ -274,21 +367,60 @@ func layerDigestsDiffer(a, b []types.BlobInfo) bool {
 	return false
 }

+// copyUpdatedConfigAndManifest updates the image per ic.manifestUpdates, if necessary,
+// stores the resulting config and manifest to the destination, and returns the stored manifest.
+func (ic *imageCopier) copyUpdatedConfigAndManifest() ([]byte, error) {
+	pendingImage := ic.src
+	if !reflect.DeepEqual(*ic.manifestUpdates, types.ManifestUpdateOptions{InformationOnly: ic.manifestUpdates.InformationOnly}) {
+		if !ic.canModifyManifest {
+			return nil, errors.Errorf("Internal error: copy needs an updated manifest but that was known to be forbidden")
+		}
+		if !ic.diffIDsAreNeeded && ic.src.UpdatedImageNeedsLayerDiffIDs(*ic.manifestUpdates) {
+			// We have set ic.diffIDsAreNeeded based on the preferred MIME type returned by determineManifestConversion.
+			// So, this can only happen if we are trying to upload using one of the other MIME type candidates.
+			// Because UpdatedImageNeedsLayerDiffIDs is true only when converting from s1 to s2, this case should only arise
+			// when ic.dest.SupportedManifestMIMETypes() includes both s1 and s2, the upload using s1 failed, and we are now trying s2.
+			// Supposedly s2-only registries do not exist or are extremely rare, so failing with this error message is good enough for now.
+			// If handling such registries turns out to be necessary, we could compute ic.diffIDsAreNeeded based on the full list of manifest MIME type candidates.
+			return nil, errors.Errorf("Can not convert image to %s, preparing DiffIDs for this case is not supported", ic.manifestUpdates.ManifestMIMEType)
+		}
+		pi, err := ic.src.UpdatedImage(*ic.manifestUpdates)
+		if err != nil {
+			return nil, errors.Wrap(err, "Error creating an updated image manifest")
+		}
+		pendingImage = pi
+	}
+	manifest, _, err := pendingImage.Manifest()
+	if err != nil {
+		return nil, errors.Wrap(err, "Error reading manifest")
+	}
+
+	if err := ic.copyConfig(pendingImage); err != nil {
+		return nil, err
+	}
+
+	fmt.Fprintf(ic.reportWriter, "Writing manifest to image destination\n")
+	if err := ic.dest.PutManifest(manifest); err != nil {
+		return nil, errors.Wrap(err, "Error writing manifest")
+	}
+	return manifest, nil
+}
+
 // copyConfig copies config.json, if any, from src to dest.
-func copyConfig(dest types.ImageDestination, src types.Image, reportWriter io.Writer) error {
+func (ic *imageCopier) copyConfig(src types.Image) error {
 	srcInfo := src.ConfigInfo()
 	if srcInfo.Digest != "" {
-		fmt.Fprintf(reportWriter, "Copying config %s\n", srcInfo.Digest)
+		fmt.Fprintf(ic.reportWriter, "Copying config %s\n", srcInfo.Digest)
 		configBlob, err := src.ConfigBlob()
 		if err != nil {
-			return fmt.Errorf("Error reading config blob %s: %v", srcInfo.Digest, err)
+			return errors.Wrapf(err, "Error reading config blob %s", srcInfo.Digest)
 		}
-		destInfo, err := copyBlobFromStream(dest, bytes.NewReader(configBlob), srcInfo, nil, false, reportWriter)
+		destInfo, err := ic.copyBlobFromStream(bytes.NewReader(configBlob), srcInfo, nil, false)
 		if err != nil {
 			return err
 		}
 		if destInfo.Digest != srcInfo.Digest {
-			return fmt.Errorf("Internal error: copying uncompressed config blob %s changed digest to %s", srcInfo.Digest, destInfo.Digest)
+			return errors.Errorf("Internal error: copying uncompressed config blob %s changed digest to %s", srcInfo.Digest, destInfo.Digest)
 		}
 	}
 	return nil
@@ -303,16 +435,40 @@ type diffIDResult struct {

 // copyLayer copies a layer with srcInfo (with known Digest and possibly known Size) in src to dest, perhaps compressing it if canCompress,
 // and returns a complete blobInfo of the copied layer, and a value for LayerDiffIDs if diffIDIsNeeded
-func copyLayer(dest types.ImageDestination, src types.ImageSource, srcInfo types.BlobInfo,
-	diffIDIsNeeded bool, canCompress bool, reportWriter io.Writer) (types.BlobInfo, digest.Digest, error) {
-	srcStream, srcBlobSize, err := src.GetBlob(srcInfo)
+func (ic *imageCopier) copyLayer(srcInfo types.BlobInfo) (types.BlobInfo, digest.Digest, error) {
+	// Check if we already have a blob with this digest
+	haveBlob, extantBlobSize, err := ic.dest.HasBlob(srcInfo)
 	if err != nil {
-		return types.BlobInfo{}, "", fmt.Errorf("Error reading blob %s: %v", srcInfo.Digest, err)
+		return types.BlobInfo{}, "", errors.Wrapf(err, "Error checking for blob %s at destination", srcInfo.Digest)
+	}
+	// If we already have a cached diffID for this blob, we don't need to compute it
+	diffIDIsNeeded := ic.diffIDsAreNeeded && (ic.cachedDiffIDs[srcInfo.Digest] == "")
+	// If we already have the blob, and we don't need to recompute the diffID, then we might be able to avoid reading it again
+	if haveBlob && !diffIDIsNeeded {
+		// Check the blob sizes match, if we were given a size this time
+		if srcInfo.Size != -1 && srcInfo.Size != extantBlobSize {
+			return types.BlobInfo{}, "", errors.Errorf("Error: blob %s is already present, but with size %d instead of %d", srcInfo.Digest, extantBlobSize, srcInfo.Size)
+		}
+		srcInfo.Size = extantBlobSize
+		// Tell the image destination that this blob's delta is being applied again.  For some image destinations, this can be faster than using GetBlob/PutBlob
+		blobinfo, err := ic.dest.ReapplyBlob(srcInfo)
+		if err != nil {
+			return types.BlobInfo{}, "", errors.Wrapf(err, "Error reapplying blob %s at destination", srcInfo.Digest)
+		}
+		fmt.Fprintf(ic.reportWriter, "Skipping fetch of repeat blob %s\n", srcInfo.Digest)
+		return blobinfo, ic.cachedDiffIDs[srcInfo.Digest], err
+	}
+
+	// Fallback: copy the layer, computing the diffID if we need to do so
+	fmt.Fprintf(ic.reportWriter, "Copying blob %s\n", srcInfo.Digest)
+	srcStream, srcBlobSize, err := ic.rawSource.GetBlob(srcInfo)
+	if err != nil {
+		return types.BlobInfo{}, "", errors.Wrapf(err, "Error reading blob %s", srcInfo.Digest)
 	}
 	defer srcStream.Close()

-	blobInfo, diffIDChan, err := copyLayerFromStream(dest, srcStream, types.BlobInfo{Digest: srcInfo.Digest, Size: srcBlobSize},
-		diffIDIsNeeded, canCompress, reportWriter)
+	blobInfo, diffIDChan, err := ic.copyLayerFromStream(srcStream, types.BlobInfo{Digest: srcInfo.Digest, Size: srcBlobSize},
+		diffIDIsNeeded)
 	if err != nil {
 		return types.BlobInfo{}, "", err
 	}
@@ -320,9 +476,10 @@ func copyLayer(dest types.ImageDestination, src types.ImageSource, srcInfo types
 	if diffIDIsNeeded {
 		diffIDResult = <-diffIDChan
 		if diffIDResult.err != nil {
-			return types.BlobInfo{}, "", fmt.Errorf("Error computing layer DiffID: %v", diffIDResult.err)
+			return types.BlobInfo{}, "", errors.Wrap(diffIDResult.err, "Error computing layer DiffID")
 		}
 		logrus.Debugf("Computed DiffID %s for layer %s", diffIDResult.digest, srcInfo.Digest)
+		ic.cachedDiffIDs[srcInfo.Digest] = diffIDResult.digest
 	}
 	return blobInfo, diffIDResult.digest, nil
 }
@@ -331,9 +488,9 @@ func copyLayer(dest types.ImageDestination, src types.ImageSource, srcInfo types
 // it copies a blob with srcInfo (with known Digest and possibly known Size) from srcStream to dest,
 // perhaps compressing the stream if canCompress,
 // and returns a complete blobInfo of the copied blob and perhaps a <-chan diffIDResult if diffIDIsNeeded, to be read by the caller.
-func copyLayerFromStream(dest types.ImageDestination, srcStream io.Reader, srcInfo types.BlobInfo,
-	diffIDIsNeeded bool, canCompress bool, reportWriter io.Writer) (types.BlobInfo, <-chan diffIDResult, error) {
-	var getDiffIDRecorder func(decompressorFunc) io.Writer // = nil
+func (ic *imageCopier) copyLayerFromStream(srcStream io.Reader, srcInfo types.BlobInfo,
+	diffIDIsNeeded bool) (types.BlobInfo, <-chan diffIDResult, error) {
+	var getDiffIDRecorder func(compression.DecompressorFunc) io.Writer // = nil
 	var diffIDChan chan diffIDResult

 	err := errors.New("Internal error: unexpected panic in copyLayer") // For pipeWriter.CloseWithError below
@@ -344,7 +501,7 @@ func copyLayerFromStream(dest types.ImageDestination, srcStream io.Reader, srcIn
 			pipeWriter.CloseWithError(err) // CloseWithError(nil) is equivalent to Close()
 		}()

-		getDiffIDRecorder = func(decompressor decompressorFunc) io.Writer {
+		getDiffIDRecorder = func(decompressor compression.DecompressorFunc) io.Writer {
 			// If this fails, e.g. because we have exited and due to pipeWriter.CloseWithError() above further
 			// reading from the pipe has failed, we don’t really care.
 			// We only read from diffIDChan if the rest of the flow has succeeded, and when we do read from it,
@@ -356,14 +513,13 @@ func copyLayerFromStream(dest types.ImageDestination, srcStream io.Reader, srcIn
 			return pipeWriter
 		}
 	}
-	blobInfo, err := copyBlobFromStream(dest, srcStream, srcInfo,
-		getDiffIDRecorder, canCompress, reportWriter) // Sets err to nil on success
+	blobInfo, err := ic.copyBlobFromStream(srcStream, srcInfo, getDiffIDRecorder, ic.canModifyManifest) // Sets err to nil on success
 	return blobInfo, diffIDChan, err
 	// We need the defer … pipeWriter.CloseWithError() to happen HERE so that the caller can block on reading from diffIDChan
 }

 // diffIDComputationGoroutine reads all input from layerStream, uncompresses using decompressor if necessary, and sends its digest, and status, if any, to dest.
-func diffIDComputationGoroutine(dest chan<- diffIDResult, layerStream io.ReadCloser, decompressor decompressorFunc) {
+func diffIDComputationGoroutine(dest chan<- diffIDResult, layerStream io.ReadCloser, decompressor compression.DecompressorFunc) {
 	result := diffIDResult{
 		digest: "",
 		err:    errors.New("Internal error: unexpected panic in diffIDComputationGoroutine"),
@@ -375,7 +531,7 @@ func diffIDComputationGoroutine(dest chan<- diffIDResult, layerStream io.ReadClo
 }

 // computeDiffID reads all input from layerStream, uncompresses it using decompressor if necessary, and returns its digest.
-func computeDiffID(stream io.Reader, decompressor decompressorFunc) (digest.Digest, error) {
+func computeDiffID(stream io.Reader, decompressor compression.DecompressorFunc) (digest.Digest, error) {
 	if decompressor != nil {
 		s, err := decompressor(stream)
 		if err != nil {
@@ -391,9 +547,9 @@ func computeDiffID(stream io.Reader, decompressor decompressorFunc) (digest.Dige
 // perhaps sending a copy to an io.Writer if getOriginalLayerCopyWriter != nil,
 // perhaps compressing it if canCompress,
 // and returns a complete blobInfo of the copied blob.
-func copyBlobFromStream(dest types.ImageDestination, srcStream io.Reader, srcInfo types.BlobInfo,
-	getOriginalLayerCopyWriter func(decompressor decompressorFunc) io.Writer, canCompress bool,
-	reportWriter io.Writer) (types.BlobInfo, error) {
+func (ic *imageCopier) copyBlobFromStream(srcStream io.Reader, srcInfo types.BlobInfo,
+	getOriginalLayerCopyWriter func(decompressor compression.DecompressorFunc) io.Writer,
+	canCompress bool) (types.BlobInfo, error) {
 	// The copying happens through a pipeline of connected io.Readers.
 	// === Input: srcStream

@@ -405,27 +561,27 @@ func copyBlobFromStream(dest types.ImageDestination, srcStream io.Reader, srcInf
 	// read stream to the end, and validation does not happen.
 	digestingReader, err := newDigestingReader(srcStream, srcInfo.Digest)
 	if err != nil {
-		return types.BlobInfo{}, fmt.Errorf("Error preparing to verify blob %s: %v", srcInfo.Digest, err)
+		return types.BlobInfo{}, errors.Wrapf(err, "Error preparing to verify blob %s", srcInfo.Digest)
 	}
 	var destStream io.Reader = digestingReader

 	// === Detect compression of the input stream.
-	// This requires us to “peek ahead” into the stream to read the initial part, which requires us to chain through another io.Reader returned by detectCompression.
-	decompressor, destStream, err := detectCompression(destStream) // We could skip this in some cases, but let's keep the code path uniform
+	// This requires us to “peek ahead” into the stream to read the initial part, which requires us to chain through another io.Reader returned by DetectCompression.
+	decompressor, destStream, err := compression.DetectCompression(destStream) // We could skip this in some cases, but let's keep the code path uniform
 	if err != nil {
-		return types.BlobInfo{}, fmt.Errorf("Error reading blob %s: %v", srcInfo.Digest, err)
+		return types.BlobInfo{}, errors.Wrapf(err, "Error reading blob %s", srcInfo.Digest)
 	}
 	isCompressed := decompressor != nil

 	// === Report progress using a pb.Reader.
 	bar := pb.New(int(srcInfo.Size)).SetUnits(pb.U_BYTES)
-	bar.Output = reportWriter
+	bar.Output = ic.reportWriter
 	bar.SetMaxWidth(80)
 	bar.ShowTimeLeft = false
 	bar.ShowPercent = false
 	bar.Start()
 	destStream = bar.NewProxyReader(destStream)
-	defer fmt.Fprint(reportWriter, "\n")
+	defer bar.Finish()

 	// === Send a copy of the original, uncompressed, stream, to a separate path if necessary.
 	var originalLayerReader io.Reader // DO NOT USE this other than to drain the input if no other consumer in the pipeline has done so.
@@ -436,7 +592,7 @@ func copyBlobFromStream(dest types.ImageDestination, srcStream io.Reader, srcInf

 	// === Compress the layer if it is uncompressed and compression is desired
 	var inputInfo types.BlobInfo
-	if !canCompress || isCompressed || !dest.ShouldCompressLayers() {
+	if !canCompress || isCompressed || !ic.dest.ShouldCompressLayers() {
 		logrus.Debugf("Using original blob without modification")
 		inputInfo = srcInfo
 	} else {
@@ -453,10 +609,21 @@ func copyBlobFromStream(dest types.ImageDestination, srcStream io.Reader, srcInf
 		inputInfo.Size = -1
 	}

+	// === Report progress using the ic.progress channel, if required.
+	if ic.progress != nil && ic.progressInterval > 0 {
+		destStream = &progressReader{
+			source:   destStream,
+			channel:  ic.progress,
+			interval: ic.progressInterval,
+			artifact: srcInfo,
+			lastTime: time.Now(),
+		}
+	}
+
 	// === Finally, send the layer stream to dest.
-	uploadedInfo, err := dest.PutBlob(destStream, inputInfo)
+	uploadedInfo, err := ic.dest.PutBlob(destStream, inputInfo)
 	if err != nil {
-		return types.BlobInfo{}, fmt.Errorf("Error writing blob: %v", err)
+		return types.BlobInfo{}, errors.Wrap(err, "Error writing blob")
 	}

 	// This is fairly horrible: the writer from getOriginalLayerCopyWriter wants to consumer
@@ -467,15 +634,15 @@ func copyBlobFromStream(dest types.ImageDestination, srcStream io.Reader, srcInf
 		logrus.Debugf("Consuming rest of the original blob to satisfy getOriginalLayerCopyWriter")
 		_, err := io.Copy(ioutil.Discard, originalLayerReader)
 		if err != nil {
-			return types.BlobInfo{}, fmt.Errorf("Error reading input blob %s: %v", srcInfo.Digest, err)
+			return types.BlobInfo{}, errors.Wrapf(err, "Error reading input blob %s", srcInfo.Digest)
 		}
 	}

 	if digestingReader.validationFailed { // Coverage: This should never happen.
-		return types.BlobInfo{}, fmt.Errorf("Internal error writing blob %s, digest verification failed but was ignored", srcInfo.Digest)
+		return types.BlobInfo{}, errors.Errorf("Internal error writing blob %s, digest verification failed but was ignored", srcInfo.Digest)
 	}
 	if inputInfo.Digest != "" && uploadedInfo.Digest != inputInfo.Digest {
-		return types.BlobInfo{}, fmt.Errorf("Internal error writing blob %s, blob with digest %s saved with digest %s", srcInfo.Digest, inputInfo.Digest, uploadedInfo.Digest)
+		return types.BlobInfo{}, errors.Errorf("Internal error writing blob %s, blob with digest %s saved with digest %s", srcInfo.Digest, inputInfo.Digest, uploadedInfo.Digest)
 	}
 	return uploadedInfo, nil
 }
@@ -492,41 +659,3 @@ func compressGoroutine(dest *io.PipeWriter, src io.Reader) {

 	_, err = io.Copy(zipper, src) // Sets err to nil, i.e. causes dest.Close()
 }
-
-// determineManifestConversion updates manifestUpdates to convert manifest to a supported MIME type, if necessary and canModifyManifest.
-// Note that the conversion will only happen later, through src.UpdatedImage
-func determineManifestConversion(manifestUpdates *types.ManifestUpdateOptions, src types.Image, destSupportedManifestMIMETypes []string, canModifyManifest bool) error {
-	if len(destSupportedManifestMIMETypes) == 0 {
-		return nil // Anything goes
-	}
-	supportedByDest := map[string]struct{}{}
-	for _, t := range destSupportedManifestMIMETypes {
-		supportedByDest[t] = struct{}{}
-	}
-
-	_, srcType, err := src.Manifest()
-	if err != nil { // This should have been cached?!
-		return fmt.Errorf("Error reading manifest: %v", err)
-	}
-	if _, ok := supportedByDest[srcType]; ok {
-		logrus.Debugf("Manifest MIME type %s is declared supported by the destination", srcType)
-		return nil
-	}
-
-	// OK, we should convert the manifest.
-	if !canModifyManifest {
-		logrus.Debugf("Manifest MIME type %s is not supported by the destination, but we can't modify the manifest, hoping for the best...")
-		return nil // Take our chances - FIXME? Or should we fail without trying?
-	}
-
-	var chosenType = destSupportedManifestMIMETypes[0] // This one is known to be supported.
-	for _, t := range preferredManifestMIMETypes {
-		if _, ok := supportedByDest[t]; ok {
-			chosenType = t
-			break
-		}
-	}
-	logrus.Debugf("Will convert manifest from MIME type %s to %s", srcType, chosenType)
-	manifestUpdates.ManifestMIMEType = chosenType
-	return nil
-}
--- a/vendor/github.com/containers/image/copy/manifest.go
+++ b/vendor/github.com/containers/image/copy/manifest.go
@@ -0,0 +1,102 @@
+package copy
+
+import (
+	"strings"
+
+	"github.com/containers/image/manifest"
+	"github.com/containers/image/types"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+// preferredManifestMIMETypes lists manifest MIME types in order of our preference, if we can't use the original manifest and need to convert.
+// Prefer v2s2 to v2s1 because v2s2 does not need to be changed when uploading to a different location.
+// Include v2s1 signed but not v2s1 unsigned, because docker/distribution requires a signature even if the unsigned MIME type is used.
+var preferredManifestMIMETypes = []string{manifest.DockerV2Schema2MediaType, manifest.DockerV2Schema1SignedMediaType}
+
+// orderedSet is a list of strings (MIME types in our case), with each string appearing at most once.
+type orderedSet struct {
+	list     []string
+	included map[string]struct{}
+}
+
+// newOrderedSet creates a correctly initialized orderedSet.
+// [Sometimes it would be really nice if Golang had constructors…]
+func newOrderedSet() *orderedSet {
+	return &orderedSet{
+		list:     []string{},
+		included: map[string]struct{}{},
+	}
+}
+
+// append adds s to the end of os, only if it is not included already.
+func (os *orderedSet) append(s string) {
+	if _, ok := os.included[s]; !ok {
+		os.list = append(os.list, s)
+		os.included[s] = struct{}{}
+	}
+}
+
+// determineManifestConversion updates manifestUpdates to convert manifest to a supported MIME type, if necessary and canModifyManifest.
+// Note that the conversion will only happen later, through src.UpdatedImage
+// Returns the preferred manifest MIME type (whether we are converting to it or using it unmodified),
+// and a list of other possible alternatives, in order.
+func determineManifestConversion(manifestUpdates *types.ManifestUpdateOptions, src types.Image, destSupportedManifestMIMETypes []string, canModifyManifest bool) (string, []string, error) {
+	_, srcType, err := src.Manifest()
+	if err != nil { // This should have been cached?!
+		return "", nil, errors.Wrap(err, "Error reading manifest")
+	}
+
+	if len(destSupportedManifestMIMETypes) == 0 {
+		return srcType, []string{}, nil // Anything goes; just use the original as is, do not try any conversions.
+	}
+	supportedByDest := map[string]struct{}{}
+	for _, t := range destSupportedManifestMIMETypes {
+		supportedByDest[t] = struct{}{}
+	}
+
+	// destSupportedManifestMIMETypes is a static guess; a particular registry may still only support a subset of the types.
+	// So, build a list of types to try in order of decreasing preference.
+	// FIXME? This treats manifest.DockerV2Schema1SignedMediaType and manifest.DockerV2Schema1MediaType as distinct,
+	// although we are not really making any conversion, and it is very unlikely that a destination would support one but not the other.
+	// In practice, schema1 is probably the lowest common denominator, so we would expect to try the first one of the MIME types
+	// and never attempt the other one.
+	prioritizedTypes := newOrderedSet()
+
+	// First of all, prefer to keep the original manifest unmodified.
+	if _, ok := supportedByDest[srcType]; ok {
+		prioritizedTypes.append(srcType)
+	}
+	if !canModifyManifest {
+		// We could also drop the !canModifyManifest parameter and have the caller
+		// make the choice; it is already doing that to an extent, to improve error
+		// messages.  But it is nice to hide the “if !canModifyManifest, do no conversion”
+		// special case in here; the caller can then worry (or not) only about a good UI.
+		logrus.Debugf("We can't modify the manifest, hoping for the best...")
+		return srcType, []string{}, nil // Take our chances - FIXME? Or should we fail without trying?
+	}
+
+	// Then use our list of preferred types.
+	for _, t := range preferredManifestMIMETypes {
+		if _, ok := supportedByDest[t]; ok {
+			prioritizedTypes.append(t)
+		}
+	}
+
+	// Finally, try anything else the destination supports.
+	for _, t := range destSupportedManifestMIMETypes {
+		prioritizedTypes.append(t)
+	}
+
+	logrus.Debugf("Manifest has MIME type %s, ordered candidate list [%s]", srcType, strings.Join(prioritizedTypes.list, ", "))
+	if len(prioritizedTypes.list) == 0 { // Coverage: destSupportedManifestMIMETypes is not empty (or we would have exited in the “Anything goes” case above), so this should never happen.
+		return "", nil, errors.New("Internal error: no candidate MIME types")
+	}
+	preferredType := prioritizedTypes.list[0]
+	if preferredType != srcType {
+		manifestUpdates.ManifestMIMEType = preferredType
+	} else {
+		logrus.Debugf("... will first try using the original manifest unmodified")
+	}
+	return preferredType, prioritizedTypes.list[1:], nil
+}
--- a/vendor/github.com/containers/image/copy/progress_reader.go
+++ b/vendor/github.com/containers/image/copy/progress_reader.go
@@ -0,0 +1,28 @@
+package copy
+
+import (
+	"io"
+	"time"
+
+	"github.com/containers/image/types"
+)
+
+// progressReader is a reader that reports its progress on an interval.
+type progressReader struct {
+	source   io.Reader
+	channel  chan types.ProgressProperties
+	interval time.Duration
+	artifact types.BlobInfo
+	lastTime time.Time
+	offset   uint64
+}
+
+func (r *progressReader) Read(p []byte) (int, error) {
+	n, err := r.source.Read(p)
+	r.offset += uint64(n)
+	if time.Since(r.lastTime) > r.interval {
+		r.channel <- types.ProgressProperties{Artifact: r.artifact, Offset: r.offset}
+		r.lastTime = time.Now()
+	}
+	return n, err
+}
--- a/vendor/github.com/containers/image/copy/sign.go
+++ b/vendor/github.com/containers/image/copy/sign.go
@@ -0,0 +1,35 @@
+package copy
+
+import (
+	"fmt"
+	"io"
+
+	"github.com/containers/image/signature"
+	"github.com/containers/image/transports"
+	"github.com/containers/image/types"
+	"github.com/pkg/errors"
+)
+
+// createSignature creates a new signature of manifest at (identified by) dest using keyIdentity.
+func createSignature(dest types.ImageDestination, manifest []byte, keyIdentity string, reportWriter io.Writer) ([]byte, error) {
+	mech, err := signature.NewGPGSigningMechanism()
+	if err != nil {
+		return nil, errors.Wrap(err, "Error initializing GPG")
+	}
+	defer mech.Close()
+	if err := mech.SupportsSigning(); err != nil {
+		return nil, errors.Wrap(err, "Signing not supported")
+	}
+
+	dockerReference := dest.Reference().DockerReference()
+	if dockerReference == nil {
+		return nil, errors.Errorf("Cannot determine canonical Docker reference for destination %s", transports.ImageName(dest.Reference()))
+	}
+
+	fmt.Fprintf(reportWriter, "Signing manifest\n")
+	newSig, err := signature.SignDockerManifest(manifest, dockerReference.String(), mech, keyIdentity)
+	if err != nil {
+		return nil, errors.Wrap(err, "Error creating signature")
+	}
+	return newSig, nil
+}
--- a/vendor/github.com/containers/image/directory/directory_dest.go
+++ b/vendor/github.com/containers/image/directory/directory_dest.go
@@ -1,13 +1,13 @@
 package directory

 import (
-	"fmt"
 	"io"
 	"io/ioutil"
 	"os"

 	"github.com/containers/image/types"
-	"github.com/docker/distribution/digest"
+	"github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
 )

 type dirImageDestination struct {
@@ -26,7 +26,8 @@ func (d *dirImageDestination) Reference() types.ImageReference {
 }

 // Close removes resources associated with an initialized ImageDestination, if any.
-func (d *dirImageDestination) Close() {
+func (d *dirImageDestination) Close() error {
+	return nil
 }

 func (d *dirImageDestination) SupportedManifestMIMETypes() []string {
@@ -50,6 +51,11 @@ func (d *dirImageDestination) AcceptsForeignLayerURLs() bool {
 	return false
 }

+// MustMatchRuntimeOS returns true iff the destination can store only images targeted for the current runtime OS. False otherwise.
+func (d *dirImageDestination) MustMatchRuntimeOS() bool {
+	return false
+}
+
 // PutBlob writes contents of stream and returns data representing the result (with all data filled in).
 // inputInfo.Digest can be optionally provided if known; it is not mandatory for the implementation to verify it.
 // inputInfo.Size is the expected length of stream, if known.
@@ -69,7 +75,7 @@ func (d *dirImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobInfo
 		}
 	}()

-	digester := digest.Canonical.New()
+	digester := digest.Canonical.Digester()
 	tee := io.TeeReader(stream, digester.Hash())

 	size, err := io.Copy(blobFile, tee)
@@ -78,7 +84,7 @@ func (d *dirImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobInfo
 	}
 	computedDigest := digester.Digest()
 	if inputInfo.Size != -1 && size != inputInfo.Size {
-		return types.BlobInfo{}, fmt.Errorf("Size mismatch when copying %s, expected %d, got %d", computedDigest, inputInfo.Size, size)
+		return types.BlobInfo{}, errors.Errorf("Size mismatch when copying %s, expected %d, got %d", computedDigest, inputInfo.Size, size)
 	}
 	if err := blobFile.Sync(); err != nil {
 		return types.BlobInfo{}, err
@@ -94,6 +100,33 @@ func (d *dirImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobInfo
 	return types.BlobInfo{Digest: computedDigest, Size: size}, nil
 }

+// HasBlob returns true iff the image destination already contains a blob with the matching digest which can be reapplied using ReapplyBlob.
+// Unlike PutBlob, the digest can not be empty.  If HasBlob returns true, the size of the blob must also be returned.
+// If the destination does not contain the blob, or it is unknown, HasBlob ordinarily returns (false, -1, nil);
+// it returns a non-nil error only on an unexpected failure.
+func (d *dirImageDestination) HasBlob(info types.BlobInfo) (bool, int64, error) {
+	if info.Digest == "" {
+		return false, -1, errors.Errorf(`"Can not check for a blob with unknown digest`)
+	}
+	blobPath := d.ref.layerPath(info.Digest)
+	finfo, err := os.Stat(blobPath)
+	if err != nil && os.IsNotExist(err) {
+		return false, -1, nil
+	}
+	if err != nil {
+		return false, -1, err
+	}
+	return true, finfo.Size(), nil
+}
+
+func (d *dirImageDestination) ReapplyBlob(info types.BlobInfo) (types.BlobInfo, error) {
+	return info, nil
+}
+
+// PutManifest writes manifest to the destination.
+// FIXME? This should also receive a MIME type if known, to differentiate between schema versions.
+// If the destination is in principle available, refuses this manifest type (e.g. it does not recognize the schema),
+// but may accept a different manifest type, the returned error must be an ManifestTypeRejectedError.
 func (d *dirImageDestination) PutManifest(manifest []byte) error {
 	return ioutil.WriteFile(d.ref.manifestPath(), manifest, 0644)
 }
--- a/vendor/github.com/containers/image/directory/directory_src.go
+++ b/vendor/github.com/containers/image/directory/directory_src.go
@@ -1,14 +1,15 @@
 package directory

 import (
-	"fmt"
+	"context"
 	"io"
 	"io/ioutil"
 	"os"

 	"github.com/containers/image/manifest"
 	"github.com/containers/image/types"
-	"github.com/docker/distribution/digest"
+	"github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
 )

 type dirImageSource struct {
@@ -28,7 +29,8 @@ func (s *dirImageSource) Reference() types.ImageReference {
 }

 // Close removes resources associated with an initialized ImageSource, if any.
-func (s *dirImageSource) Close() {
+func (s *dirImageSource) Close() error {
+	return nil
 }

 // GetManifest returns the image's manifest along with its MIME type (which may be empty when it can't be determined but the manifest is available).
@@ -42,7 +44,7 @@ func (s *dirImageSource) GetManifest() ([]byte, string, error) {
 }

 func (s *dirImageSource) GetTargetManifest(digest digest.Digest) ([]byte, string, error) {
-	return nil, "", fmt.Errorf(`Getting target manifest not supported by "dir:"`)
+	return nil, "", errors.Errorf(`Getting target manifest not supported by "dir:"`)
 }

 // GetBlob returns a stream for the specified blob, and the blob’s size (or -1 if unknown).
@@ -58,7 +60,7 @@ func (s *dirImageSource) GetBlob(info types.BlobInfo) (io.ReadCloser, int64, err
 	return r, fi.Size(), nil
 }

-func (s *dirImageSource) GetSignatures() ([][]byte, error) {
+func (s *dirImageSource) GetSignatures(ctx context.Context) ([][]byte, error) {
 	signatures := [][]byte{}
 	for i := 0; ; i++ {
 		signature, err := ioutil.ReadFile(s.ref.signaturePath(i))
--- a/vendor/github.com/containers/image/directory/directory_transport.go
+++ b/vendor/github.com/containers/image/directory/directory_transport.go
@@ -1,18 +1,24 @@
 package directory

 import (
-	"errors"
 	"fmt"
 	"path/filepath"
 	"strings"

+	"github.com/pkg/errors"
+
 	"github.com/containers/image/directory/explicitfilepath"
 	"github.com/containers/image/docker/reference"
 	"github.com/containers/image/image"
+	"github.com/containers/image/transports"
 	"github.com/containers/image/types"
-	"github.com/docker/distribution/digest"
+	"github.com/opencontainers/go-digest"
 )

+func init() {
+	transports.Register(Transport)
+}
+
 // Transport is an ImageTransport for directory paths.
 var Transport = dirTransport{}

@@ -33,7 +39,7 @@ func (t dirTransport) ParseReference(reference string) (types.ImageReference, er
 // scope passed to this function will not be "", that value is always allowed.
 func (t dirTransport) ValidatePolicyConfigurationScope(scope string) error {
 	if !strings.HasPrefix(scope, "/") {
-		return fmt.Errorf("Invalid scope %s: Must be an absolute path", scope)
+		return errors.Errorf("Invalid scope %s: Must be an absolute path", scope)
 	}
 	// Refuse also "/", otherwise "/" and "" would have the same semantics,
 	// and "" could be unexpectedly shadowed by the "/" entry.
@@ -42,7 +48,7 @@ func (t dirTransport) ValidatePolicyConfigurationScope(scope string) error {
 	}
 	cleaned := filepath.Clean(scope)
 	if cleaned != scope {
-		return fmt.Errorf(`Invalid scope %s: Uses non-canonical format, perhaps try %s`, scope, cleaned)
+		return errors.Errorf(`Invalid scope %s: Uses non-canonical format, perhaps try %s`, scope, cleaned)
 	}
 	return nil
 }
@@ -137,11 +143,9 @@ func (ref dirReference) NewImage(ctx *types.SystemContext) (types.Image, error)
 	return image.FromSource(src)
 }

-// NewImageSource returns a types.ImageSource for this reference,
-// asking the backend to use a manifest from requestedManifestMIMETypes if possible.
-// nil requestedManifestMIMETypes means manifest.DefaultRequestedManifestMIMETypes.
+// NewImageSource returns a types.ImageSource for this reference.
 // The caller must call .Close() on the returned ImageSource.
-func (ref dirReference) NewImageSource(ctx *types.SystemContext, requestedManifestMIMETypes []string) (types.ImageSource, error) {
+func (ref dirReference) NewImageSource(ctx *types.SystemContext) (types.ImageSource, error) {
 	return newImageSource(ref), nil
 }

@@ -153,7 +157,7 @@ func (ref dirReference) NewImageDestination(ctx *types.SystemContext) (types.Ima

 // DeleteImage deletes the named image from the registry, if supported.
 func (ref dirReference) DeleteImage(ctx *types.SystemContext) error {
-	return fmt.Errorf("Deleting images not implemented for dir: images")
+	return errors.Errorf("Deleting images not implemented for dir: images")
 }

 // manifestPath returns a path for the manifest within a directory using our conventions.
--- a/vendor/github.com/containers/image/directory/explicitfilepath/path.go
+++ b/vendor/github.com/containers/image/directory/explicitfilepath/path.go
@@ -1,9 +1,10 @@
 package explicitfilepath

 import (
-	"fmt"
 	"os"
 	"path/filepath"
+
+	"github.com/pkg/errors"
 )

 // ResolvePathToFullyExplicit returns the input path converted to an absolute, no-symlinks, cleaned up path.
@@ -25,14 +26,14 @@ func ResolvePathToFullyExplicit(path string) (string, error) {
 			// This can still happen if there is a filesystem race condition, causing the Lstat() above to fail but the later resolution to succeed.
 			// We do not care to promise anything if such filesystem race conditions can happen, but we definitely don't want to return "."/".." components
 			// in the resulting path, and especially not at the end.
-			return "", fmt.Errorf("Unexpectedly missing special filename component in %s", path)
+			return "", errors.Errorf("Unexpectedly missing special filename component in %s", path)
 		}
 		resolvedPath := filepath.Join(resolvedParent, file)
 		// As a sanity check, ensure that there are no "." or ".." components.
 		cleanedResolvedPath := filepath.Clean(resolvedPath)
 		if cleanedResolvedPath != resolvedPath {
 			// Coverage: This should never happen.
-			return "", fmt.Errorf("Internal inconsistency: Path %s resolved to %s still cleaned up to %s", path, resolvedPath, cleanedResolvedPath)
+			return "", errors.Errorf("Internal inconsistency: Path %s resolved to %s still cleaned up to %s", path, resolvedPath, cleanedResolvedPath)
 		}
 		return resolvedPath, nil
 	default: // err != nil, unrecognized
--- a/vendor/github.com/containers/image/docker/archive/dest.go
+++ b/vendor/github.com/containers/image/docker/archive/dest.go
@@ -0,0 +1,66 @@
+package archive
+
+import (
+	"io"
+	"os"
+
+	"github.com/containers/image/docker/tarfile"
+	"github.com/containers/image/types"
+	"github.com/pkg/errors"
+)
+
+type archiveImageDestination struct {
+	*tarfile.Destination // Implements most of types.ImageDestination
+	ref                  archiveReference
+	writer               io.Closer
+}
+
+func newImageDestination(ctx *types.SystemContext, ref archiveReference) (types.ImageDestination, error) {
+	if ref.destinationRef == nil {
+		return nil, errors.Errorf("docker-archive: destination reference not supplied (must be of form <path>:<reference:tag>)")
+	}
+
+	// ref.path can be either a pipe or a regular file
+	// in the case of a pipe, we require that we can open it for write
+	// in the case of a regular file, we don't want to overwrite any pre-existing file
+	// so we check for Size() == 0 below (This is racy, but using O_EXCL would also be racy,
+	// only in a different way. Either way, it’s up to the user to not have two writers to the same path.)
+	fh, err := os.OpenFile(ref.path, os.O_WRONLY|os.O_CREATE, 0644)
+	if err != nil {
+		return nil, errors.Wrapf(err, "error opening file %q", ref.path)
+	}
+
+	fhStat, err := fh.Stat()
+	if err != nil {
+		return nil, errors.Wrapf(err, "error statting file %q", ref.path)
+	}
+
+	if fhStat.Mode().IsRegular() && fhStat.Size() != 0 {
+		return nil, errors.New("docker-archive doesn't support modifying existing images")
+	}
+
+	return &archiveImageDestination{
+		Destination: tarfile.NewDestination(fh, ref.destinationRef),
+		ref:         ref,
+		writer:      fh,
+	}, nil
+}
+
+// Reference returns the reference used to set up this destination.  Note that this should directly correspond to user's intent,
+// e.g. it should use the public hostname instead of the result of resolving CNAMEs or following redirects.
+func (d *archiveImageDestination) Reference() types.ImageReference {
+	return d.ref
+}
+
+// Close removes resources associated with an initialized ImageDestination, if any.
+func (d *archiveImageDestination) Close() error {
+	return d.writer.Close()
+}
+
+// Commit marks the process of storing the image as successful and asks for the image to be persisted.
+// WARNING: This does not have any transactional semantics:
+// - Uploaded data MAY be visible to others before Commit() is called
+// - Uploaded data MAY be removed or MAY remain around if Close() is called without Commit() (i.e. rollback is allowed but not guaranteed)
+func (d *archiveImageDestination) Commit() error {
+	return d.Destination.Commit()
+}
--- a/vendor/github.com/containers/image/docker/archive/src.go
+++ b/vendor/github.com/containers/image/docker/archive/src.go
@@ -0,0 +1,36 @@
+package archive
+
+import (
+	"github.com/containers/image/docker/tarfile"
+	"github.com/containers/image/types"
+	"github.com/sirupsen/logrus"
+)
+
+type archiveImageSource struct {
+	*tarfile.Source // Implements most of types.ImageSource
+	ref             archiveReference
+}
+
+// newImageSource returns a types.ImageSource for the specified image reference.
+// The caller must call .Close() on the returned ImageSource.
+func newImageSource(ctx *types.SystemContext, ref archiveReference) types.ImageSource {
+	if ref.destinationRef != nil {
+		logrus.Warnf("docker-archive: references are not supported for sources (ignoring)")
+	}
+	src := tarfile.NewSource(ref.path)
+	return &archiveImageSource{
+		Source: src,
+		ref:    ref,
+	}
+}
+
+// Reference returns the reference used to set up this source, _as specified by the user_
+// (not as the image itself, or its underlying storage, claims).  This can be used e.g. to determine which public keys are trusted for this image.
+func (s *archiveImageSource) Reference() types.ImageReference {
+	return s.ref
+}
+
+// Close removes resources associated with an initialized ImageSource, if any.
+func (s *archiveImageSource) Close() error {
+	return nil
+}
--- a/vendor/github.com/containers/image/docker/archive/transport.go
+++ b/vendor/github.com/containers/image/docker/archive/transport.go
@@ -0,0 +1,153 @@
+package archive
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/containers/image/docker/reference"
+	ctrImage "github.com/containers/image/image"
+	"github.com/containers/image/transports"
+	"github.com/containers/image/types"
+	"github.com/pkg/errors"
+)
+
+func init() {
+	transports.Register(Transport)
+}
+
+// Transport is an ImageTransport for local Docker archives.
+var Transport = archiveTransport{}
+
+type archiveTransport struct{}
+
+func (t archiveTransport) Name() string {
+	return "docker-archive"
+}
+
+// ParseReference converts a string, which should not start with the ImageTransport.Name prefix, into an ImageReference.
+func (t archiveTransport) ParseReference(reference string) (types.ImageReference, error) {
+	return ParseReference(reference)
+}
+
+// ValidatePolicyConfigurationScope checks that scope is a valid name for a signature.PolicyTransportScopes keys
+// (i.e. a valid PolicyConfigurationIdentity() or PolicyConfigurationNamespaces() return value).
+// It is acceptable to allow an invalid value which will never be matched, it can "only" cause user confusion.
+// scope passed to this function will not be "", that value is always allowed.
+func (t archiveTransport) ValidatePolicyConfigurationScope(scope string) error {
+	// See the explanation in archiveReference.PolicyConfigurationIdentity.
+	return errors.New(`docker-archive: does not support any scopes except the default "" one`)
+}
+
+// archiveReference is an ImageReference for Docker images.
+type archiveReference struct {
+	destinationRef reference.NamedTagged // only used for destinations
+	path           string
+}
+
+// ParseReference converts a string, which should not start with the ImageTransport.Name prefix, into an Docker ImageReference.
+func ParseReference(refString string) (types.ImageReference, error) {
+	if refString == "" {
+		return nil, errors.Errorf("docker-archive reference %s isn't of the form <path>[:<reference>]", refString)
+	}
+
+	parts := strings.SplitN(refString, ":", 2)
+	path := parts[0]
+	var destinationRef reference.NamedTagged
+
+	// A :tag was specified, which is only necessary for destinations.
+	if len(parts) == 2 {
+		ref, err := reference.ParseNormalizedNamed(parts[1])
+		if err != nil {
+			return nil, errors.Wrapf(err, "docker-archive parsing reference")
+		}
+		ref = reference.TagNameOnly(ref)
+
+		if _, isDigest := ref.(reference.Canonical); isDigest {
+			return nil, errors.Errorf("docker-archive doesn't support digest references: %s", refString)
+		}
+
+		refTagged, isTagged := ref.(reference.NamedTagged)
+		if !isTagged {
+			// Really shouldn't be hit...
+			return nil, errors.Errorf("internal error: reference is not tagged even after reference.TagNameOnly: %s", refString)
+		}
+		destinationRef = refTagged
+	}
+
+	return archiveReference{
+		destinationRef: destinationRef,
+		path:           path,
+	}, nil
+}
+
+func (ref archiveReference) Transport() types.ImageTransport {
+	return Transport
+}
+
+// StringWithinTransport returns a string representation of the reference, which MUST be such that
+// reference.Transport().ParseReference(reference.StringWithinTransport()) returns an equivalent reference.
+// NOTE: The returned string is not promised to be equal to the original input to ParseReference;
+// e.g. default attribute values omitted by the user may be filled in in the return value, or vice versa.
+// WARNING: Do not use the return value in the UI to describe an image, it does not contain the Transport().Name() prefix.
+func (ref archiveReference) StringWithinTransport() string {
+	if ref.destinationRef == nil {
+		return ref.path
+	}
+	return fmt.Sprintf("%s:%s", ref.path, ref.destinationRef.String())
+}
+
+// DockerReference returns a Docker reference associated with this reference
+// (fully explicit, i.e. !reference.IsNameOnly, but reflecting user intent,
+// not e.g. after redirect or alias processing), or nil if unknown/not applicable.
+func (ref archiveReference) DockerReference() reference.Named {
+	return ref.destinationRef
+}
+
+// PolicyConfigurationIdentity returns a string representation of the reference, suitable for policy lookup.
+// This MUST reflect user intent, not e.g. after processing of third-party redirects or aliases;
+// The value SHOULD be fully explicit about its semantics, with no hidden defaults, AND canonical
+// (i.e. various references with exactly the same semantics should return the same configuration identity)
+// It is fine for the return value to be equal to StringWithinTransport(), and it is desirable but
+// not required/guaranteed that it will be a valid input to Transport().ParseReference().
+// Returns "" if configuration identities for these references are not supported.
+func (ref archiveReference) PolicyConfigurationIdentity() string {
+	// Punt, the justification is similar to dockerReference.PolicyConfigurationIdentity.
+	return ""
+}
+
+// PolicyConfigurationNamespaces returns a list of other policy configuration namespaces to search
+// for if explicit configuration for PolicyConfigurationIdentity() is not set.  The list will be processed
+// in order, terminating on first match, and an implicit "" is always checked at the end.
+// It is STRONGLY recommended for the first element, if any, to be a prefix of PolicyConfigurationIdentity(),
+// and each following element to be a prefix of the element preceding it.
+func (ref archiveReference) PolicyConfigurationNamespaces() []string {
+	// TODO
+	return []string{}
+}
+
+// NewImage returns a types.Image for this reference, possibly specialized for this ImageTransport.
+// The caller must call .Close() on the returned Image.
+// NOTE: If any kind of signature verification should happen, build an UnparsedImage from the value returned by NewImageSource,
+// verify that UnparsedImage, and convert it into a real Image via image.FromUnparsedImage.
+func (ref archiveReference) NewImage(ctx *types.SystemContext) (types.Image, error) {
+	src := newImageSource(ctx, ref)
+	return ctrImage.FromSource(src)
+}
+
+// NewImageSource returns a types.ImageSource for this reference.
+// The caller must call .Close() on the returned ImageSource.
+func (ref archiveReference) NewImageSource(ctx *types.SystemContext) (types.ImageSource, error) {
+	return newImageSource(ctx, ref), nil
+}
+
+// NewImageDestination returns a types.ImageDestination for this reference.
+// The caller must call .Close() on the returned ImageDestination.
+func (ref archiveReference) NewImageDestination(ctx *types.SystemContext) (types.ImageDestination, error) {
+	return newImageDestination(ctx, ref)
+}
+
+// DeleteImage deletes the named image from the registry, if supported.
+func (ref archiveReference) DeleteImage(ctx *types.SystemContext) error {
+	// Not really supported, for safety reasons.
+	return errors.New("Deleting images not implemented for docker-archive: images")
+}
--- a/vendor/github.com/containers/image/docker/daemon/client.go
+++ b/vendor/github.com/containers/image/docker/daemon/client.go
@@ -0,0 +1,69 @@
+package daemon
+
+import (
+	"net/http"
+	"path/filepath"
+
+	"github.com/containers/image/types"
+	dockerclient "github.com/docker/docker/client"
+	"github.com/docker/go-connections/tlsconfig"
+)
+
+const (
+	// The default API version to be used in case none is explicitly specified
+	defaultAPIVersion = "1.22"
+)
+
+// NewDockerClient initializes a new API client based on the passed SystemContext.
+func newDockerClient(ctx *types.SystemContext) (*dockerclient.Client, error) {
+	host := dockerclient.DefaultDockerHost
+	if ctx != nil && ctx.DockerDaemonHost != "" {
+		host = ctx.DockerDaemonHost
+	}
+
+	// Sadly, unix:// sockets don't work transparently with dockerclient.NewClient.
+	// They work fine with a nil httpClient; with a non-nil httpClient, the transport’s
+	// TLSClientConfig must be nil (or the client will try using HTTPS over the PF_UNIX socket
+	// regardless of the values in the *tls.Config), and we would have to call sockets.ConfigureTransport.
+	//
+	// We don't really want to configure anything for unix:// sockets, so just pass a nil *http.Client.
+	proto, _, _, err := dockerclient.ParseHost(host)
+	if err != nil {
+		return nil, err
+	}
+	var httpClient *http.Client
+	if proto != "unix" {
+		hc, err := tlsConfig(ctx)
+		if err != nil {
+			return nil, err
+		}
+		httpClient = hc
+	}
+
+	return dockerclient.NewClient(host, defaultAPIVersion, httpClient, nil)
+}
+
+func tlsConfig(ctx *types.SystemContext) (*http.Client, error) {
+	options := tlsconfig.Options{}
+	if ctx != nil && ctx.DockerDaemonInsecureSkipTLSVerify {
+		options.InsecureSkipVerify = true
+	}
+
+	if ctx != nil && ctx.DockerDaemonCertPath != "" {
+		options.CAFile = filepath.Join(ctx.DockerDaemonCertPath, "ca.pem")
+		options.CertFile = filepath.Join(ctx.DockerDaemonCertPath, "cert.pem")
+		options.KeyFile = filepath.Join(ctx.DockerDaemonCertPath, "key.pem")
+	}
+
+	tlsc, err := tlsconfig.Client(options)
+	if err != nil {
+		return nil, err
+	}
+
+	return &http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: tlsc,
+		},
+		CheckRedirect: dockerclient.CheckRedirect,
+	}, nil
+}
--- a/vendor/github.com/containers/image/docker/daemon/daemon_dest.go
+++ b/vendor/github.com/containers/image/docker/daemon/daemon_dest.go
@@ -1,66 +1,56 @@
 package daemon

 import (
-	"archive/tar"
-	"bytes"
-	"encoding/json"
-	"errors"
-	"fmt"
 	"io"
-	"io/ioutil"
-	"os"
-	"time"

-	"github.com/Sirupsen/logrus"
 	"github.com/containers/image/docker/reference"
-	"github.com/containers/image/manifest"
+	"github.com/containers/image/docker/tarfile"
 	"github.com/containers/image/types"
-	"github.com/docker/distribution/digest"
-	"github.com/docker/engine-api/client"
+	"github.com/docker/docker/client"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 	"golang.org/x/net/context"
 )

 type daemonImageDestination struct {
-	ref            daemonReference
-	namedTaggedRef reference.NamedTagged // Strictly speaking redundant with ref above; having the field makes it structurally impossible for later users to fail.
+	ref                  daemonReference
+	*tarfile.Destination // Implements most of types.ImageDestination
 	// For talking to imageLoadGoroutine
 	goroutineCancel context.CancelFunc
 	statusChannel   <-chan error
 	writer          *io.PipeWriter
-	tar             *tar.Writer
 	// Other state
 	committed bool // writer has been closed
 }

 // newImageDestination returns a types.ImageDestination for the specified image reference.
-func newImageDestination(systemCtx *types.SystemContext, ref daemonReference) (types.ImageDestination, error) {
+func newImageDestination(ctx *types.SystemContext, ref daemonReference) (types.ImageDestination, error) {
 	if ref.ref == nil {
-		return nil, fmt.Errorf("Invalid destination docker-daemon:%s: a destination must be a name:tag", ref.StringWithinTransport())
+		return nil, errors.Errorf("Invalid destination docker-daemon:%s: a destination must be a name:tag", ref.StringWithinTransport())
 	}
 	namedTaggedRef, ok := ref.ref.(reference.NamedTagged)
 	if !ok {
-		return nil, fmt.Errorf("Invalid destination docker-daemon:%s: a destination must be a name:tag", ref.StringWithinTransport())
+		return nil, errors.Errorf("Invalid destination docker-daemon:%s: a destination must be a name:tag", ref.StringWithinTransport())
 	}

-	c, err := client.NewClient(client.DefaultDockerHost, "1.22", nil, nil) // FIXME: overridable host
+	c, err := newDockerClient(ctx)
 	if err != nil {
-		return nil, fmt.Errorf("Error initializing docker engine client: %v", err)
+		return nil, errors.Wrap(err, "Error initializing docker engine client")
 	}

 	reader, writer := io.Pipe()
 	// Commit() may never be called, so we may never read from this channel; so, make this buffered to allow imageLoadGoroutine to write status and terminate even if we never read it.
 	statusChannel := make(chan error, 1)

-	ctx, goroutineCancel := context.WithCancel(context.Background())
-	go imageLoadGoroutine(ctx, c, reader, statusChannel)
+	goroutineContext, goroutineCancel := context.WithCancel(context.Background())
+	go imageLoadGoroutine(goroutineContext, c, reader, statusChannel)

 	return &daemonImageDestination{
 		ref:             ref,
-		namedTaggedRef:  namedTaggedRef,
+		Destination:     tarfile.NewDestination(writer, namedTaggedRef),
 		goroutineCancel: goroutineCancel,
 		statusChannel:   statusChannel,
 		writer:          writer,
-		tar:             tar.NewWriter(writer),
 		committed:       false,
 	}, nil
 }
@@ -82,206 +72,49 @@ func imageLoadGoroutine(ctx context.Context, c *client.Client, reader *io.PipeRe

 	resp, err := c.ImageLoad(ctx, reader, true)
 	if err != nil {
-		err = fmt.Errorf("Error saving image to docker engine: %v", err)
+		err = errors.Wrap(err, "Error saving image to docker engine")
 		return
 	}
 	defer resp.Body.Close()
 }

+// MustMatchRuntimeOS returns true iff the destination can store only images targeted for the current runtime OS. False otherwise.
+func (d *daemonImageDestination) MustMatchRuntimeOS() bool {
+	return true
+}
+
 // Close removes resources associated with an initialized ImageDestination, if any.
-func (d *daemonImageDestination) Close() {
+func (d *daemonImageDestination) Close() error {
 	if !d.committed {
 		logrus.Debugf("docker-daemon: Closing tar stream to abort loading")
 		// In principle, goroutineCancel() should abort the HTTP request and stop the process from continuing.
-		// In practice, though, https://github.com/docker/engine-api/blob/master/client/transport/cancellable/cancellable.go
-		// currently just runs the HTTP request to completion in a goroutine, and returns early if the context is canceled
-		// without terminating the HTTP request at all.  So we need this CloseWithError to terminate sending the HTTP request Body
+		// In practice, though, various HTTP implementations used by client.Client.ImageLoad() (including
+		// https://github.com/golang/net/blob/master/context/ctxhttp/ctxhttp_pre17.go and the
+		// net/http version with native Context support in Go 1.7) do not always actually immediately cancel
+		// the operation: they may process the HTTP request, or a part of it, to completion in a goroutine, and
+		// return early if the context is canceled without terminating the goroutine at all.
+		// So we need this CloseWithError to terminate sending the HTTP request Body
 		// immediately, and hopefully, through terminating the sending which uses "Transfer-Encoding: chunked"" without sending
 		// the terminating zero-length chunk, prevent the docker daemon from processing the tar stream at all.
 		// Whether that works or not, closing the PipeWriter seems desirable in any case.
 		d.writer.CloseWithError(errors.New("Aborting upload, daemonImageDestination closed without a previous .Commit()"))
 	}
 	d.goroutineCancel()
+
+	return nil
 }

-// Reference returns the reference used to set up this destination.  Note that this should directly correspond to user's intent,
-// e.g. it should use the public hostname instead of the result of resolving CNAMEs or following redirects.
 func (d *daemonImageDestination) Reference() types.ImageReference {
 	return d.ref
 }

-// SupportedManifestMIMETypes tells which manifest mime types the destination supports
-// If an empty slice or nil it's returned, then any mime type can be tried to upload
-func (d *daemonImageDestination) SupportedManifestMIMETypes() []string {
-	return []string{
-		manifest.DockerV2Schema2MediaType, // We rely on the types.Image.UpdatedImage schema conversion capabilities.
-	}
-}
-
-// SupportsSignatures returns an error (to be displayed to the user) if the destination certainly can't store signatures.
-// Note: It is still possible for PutSignatures to fail if SupportsSignatures returns nil.
-func (d *daemonImageDestination) SupportsSignatures() error {
-	return fmt.Errorf("Storing signatures for docker-daemon: destinations is not supported")
-}
-
-// ShouldCompressLayers returns true iff it is desirable to compress layer blobs written to this destination.
-func (d *daemonImageDestination) ShouldCompressLayers() bool {
-	return false
-}
-
-// AcceptsForeignLayerURLs returns false iff foreign layers in manifest should be actually
-// uploaded to the image destination, true otherwise.
-func (d *daemonImageDestination) AcceptsForeignLayerURLs() bool {
-	return false
-}
-
-// PutBlob writes contents of stream and returns data representing the result (with all data filled in).
-// inputInfo.Digest can be optionally provided if known; it is not mandatory for the implementation to verify it.
-// inputInfo.Size is the expected length of stream, if known.
-// WARNING: The contents of stream are being verified on the fly.  Until stream.Read() returns io.EOF, the contents of the data SHOULD NOT be available
-// to any other readers for download using the supplied digest.
-// If stream.Read() at any time, ESPECIALLY at end of input, returns an error, PutBlob MUST 1) fail, and 2) delete any data stored so far.
-func (d *daemonImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobInfo) (types.BlobInfo, error) {
-	if inputInfo.Digest.String() == "" {
-		return types.BlobInfo{}, fmt.Errorf(`"Can not stream a blob with unknown digest to "docker-daemon:"`)
-	}
-
-	if inputInfo.Size == -1 { // Ouch, we need to stream the blob into a temporary file just to determine the size.
-		logrus.Debugf("docker-daemon: input with unknown size, streaming to disk first…")
-		streamCopy, err := ioutil.TempFile(temporaryDirectoryForBigFiles, "docker-daemon-blob")
-		if err != nil {
-			return types.BlobInfo{}, err
-		}
-		defer os.Remove(streamCopy.Name())
-		defer streamCopy.Close()
-
-		size, err := io.Copy(streamCopy, stream)
-		if err != nil {
-			return types.BlobInfo{}, err
-		}
-		_, err = streamCopy.Seek(0, os.SEEK_SET)
-		if err != nil {
-			return types.BlobInfo{}, err
-		}
-		inputInfo.Size = size // inputInfo is a struct, so we are only modifying our copy.
-		stream = streamCopy
-		logrus.Debugf("… streaming done")
-	}
-
-	digester := digest.Canonical.New()
-	tee := io.TeeReader(stream, digester.Hash())
-	if err := d.sendFile(inputInfo.Digest.String(), inputInfo.Size, tee); err != nil {
-		return types.BlobInfo{}, err
-	}
-	return types.BlobInfo{Digest: digester.Digest(), Size: inputInfo.Size}, nil
-}
-
-func (d *daemonImageDestination) PutManifest(m []byte) error {
-	var man schema2Manifest
-	if err := json.Unmarshal(m, &man); err != nil {
-		return fmt.Errorf("Error parsing manifest: %v", err)
-	}
-	if man.SchemaVersion != 2 || man.MediaType != manifest.DockerV2Schema2MediaType {
-		return fmt.Errorf("Unsupported manifest type, need a Docker schema 2 manifest")
-	}
-
-	layerPaths := []string{}
-	for _, l := range man.Layers {
-		layerPaths = append(layerPaths, l.Digest.String())
-	}
-
-	// For github.com/docker/docker consumers, this works just as well as
-	//   refString := d.namedTaggedRef.String()  [i.e. d.ref.ref.String()]
-	// because when reading the RepoTags strings, github.com/docker/docker/reference
-	// normalizes both of them to the same value.
-	//
-	// Doing it this way to include the normalized-out `docker.io[/library]` does make
-	// a difference for github.com/projectatomic/docker consumers, with the
-	// “Add --add-registry and --block-registry options to docker daemon” patch.
-	// These consumers treat reference strings which include a hostname and reference
-	// strings without a hostname differently.
-	//
-	// Using the host name here is more explicit about the intent, and it has the same
-	// effect as (docker pull) in projectatomic/docker, which tags the result using
-	// a hostname-qualified reference.
-	// See https://github.com/containers/image/issues/72 for a more detailed
-	// analysis and explanation.
-	refString := fmt.Sprintf("%s:%s", d.namedTaggedRef.FullName(), d.namedTaggedRef.Tag())
-
-	items := []manifestItem{{
-		Config:       man.Config.Digest.String(),
-		RepoTags:     []string{refString},
-		Layers:       layerPaths,
-		Parent:       "",
-		LayerSources: nil,
-	}}
-	itemsBytes, err := json.Marshal(&items)
-	if err != nil {
-		return err
-	}
-
-	// FIXME? Do we also need to support the legacy format?
-	return d.sendFile(manifestFileName, int64(len(itemsBytes)), bytes.NewReader(itemsBytes))
-}
-
-type tarFI struct {
-	path string
-	size int64
-}
-
-func (t *tarFI) Name() string {
-	return t.path
-}
-func (t *tarFI) Size() int64 {
-	return t.size
-}
-func (t *tarFI) Mode() os.FileMode {
-	return 0444
-}
-func (t *tarFI) ModTime() time.Time {
-	return time.Unix(0, 0)
-}
-func (t *tarFI) IsDir() bool {
-	return false
-}
-func (t *tarFI) Sys() interface{} {
-	return nil
-}
-
-// sendFile sends a file into the tar stream.
-func (d *daemonImageDestination) sendFile(path string, expectedSize int64, stream io.Reader) error {
-	hdr, err := tar.FileInfoHeader(&tarFI{path: path, size: expectedSize}, "")
-	if err != nil {
-		return nil
-	}
-	logrus.Debugf("Sending as tar file %s", path)
-	if err := d.tar.WriteHeader(hdr); err != nil {
-		return err
-	}
-	size, err := io.Copy(d.tar, stream)
-	if err != nil {
-		return err
-	}
-	if size != expectedSize {
-		return fmt.Errorf("Size mismatch when copying %s, expected %d, got %d", path, expectedSize, size)
-	}
-	return nil
-}
-
-func (d *daemonImageDestination) PutSignatures(signatures [][]byte) error {
-	if len(signatures) != 0 {
-		return fmt.Errorf("Storing signatures for docker-daemon: destinations is not supported")
-	}
-	return nil
-}
-
 // Commit marks the process of storing the image as successful and asks for the image to be persisted.
 // WARNING: This does not have any transactional semantics:
 // - Uploaded data MAY be visible to others before Commit() is called
 // - Uploaded data MAY be removed or MAY remain around if Close() is called without Commit() (i.e. rollback is allowed but not guaranteed)
 func (d *daemonImageDestination) Commit() error {
 	logrus.Debugf("docker-daemon: Closing tar stream")
-	if err := d.tar.Close(); err != nil {
+	if err := d.Destination.Commit(); err != nil {
 		return err
 	}
 	if err := d.writer.Close(); err != nil {
--- a/vendor/github.com/containers/image/docker/daemon/daemon_src.go
+++ b/vendor/github.com/containers/image/docker/daemon/daemon_src.go
@@ -1,35 +1,22 @@
 package daemon

 import (
-	"archive/tar"
-	"bytes"
-	"encoding/json"
-	"fmt"
 	"io"
 	"io/ioutil"
 	"os"
-	"path"

-	"github.com/containers/image/manifest"
+	"github.com/containers/image/docker/tarfile"
 	"github.com/containers/image/types"
-	"github.com/docker/distribution/digest"
-	"github.com/docker/engine-api/client"
+	"github.com/pkg/errors"
 	"golang.org/x/net/context"
 )

 const temporaryDirectoryForBigFiles = "/var/tmp" // Do not use the system default of os.TempDir(), usually /tmp, because with systemd it could be a tmpfs.

 type daemonImageSource struct {
-	ref         daemonReference
-	tarCopyPath string
-	// The following data is only available after ensureCachedDataIsPresent() succeeds
-	tarManifest       *manifestItem // nil if not available yet.
-	configBytes       []byte
-	configDigest      digest.Digest
-	orderedDiffIDList []diffID
-	knownLayers       map[diffID]*layerInfo
-	// Other state
-	generatedManifest []byte // Private cache for GetManifest(), nil if not set yet.
+	ref             daemonReference
+	*tarfile.Source // Implements most of types.ImageSource
+	tarCopyPath     string
 }

 type layerInfo struct {
@@ -47,15 +34,15 @@ type layerInfo struct {
 // is the config, and that the following len(RootFS) files are the layers, but that feels
 // way too brittle.)
 func newImageSource(ctx *types.SystemContext, ref daemonReference) (types.ImageSource, error) {
-	c, err := client.NewClient(client.DefaultDockerHost, "1.22", nil, nil) // FIXME: overridable host
+	c, err := newDockerClient(ctx)
 	if err != nil {
-		return nil, fmt.Errorf("Error initializing docker engine client: %v", err)
+		return nil, errors.Wrap(err, "Error initializing docker engine client")
 	}
 	// Per NewReference(), ref.StringWithinTransport() is either an image ID (config digest), or a !reference.NameOnly() reference.
 	// Either way ImageSave should create a tarball with exactly one image.
 	inputStream, err := c.ImageSave(context.TODO(), []string{ref.StringWithinTransport()})
 	if err != nil {
-		return nil, fmt.Errorf("Error loading image from docker engine: %v", err)
+		return nil, errors.Wrap(err, "Error loading image from docker engine")
 	}
 	defer inputStream.Close()

@@ -80,6 +67,7 @@ func newImageSource(ctx *types.SystemContext, ref daemonReference) (types.ImageS
 	succeeded = true
 	return &daemonImageSource{
 		ref:         ref,
+		Source:      tarfile.NewSource(tarCopyFile.Name()),
 		tarCopyPath: tarCopyFile.Name(),
 	}, nil
 }
@@ -91,271 +79,6 @@ func (s *daemonImageSource) Reference() types.ImageReference {
 }

 // Close removes resources associated with an initialized ImageSource, if any.
-func (s *daemonImageSource) Close() {
-	_ = os.Remove(s.tarCopyPath)
-}
-
-// tarReadCloser is a way to close the backing file of a tar.Reader when the user no longer needs the tar component.
-type tarReadCloser struct {
-	*tar.Reader
-	backingFile *os.File
-}
-
-func (t *tarReadCloser) Close() error {
-	return t.backingFile.Close()
-}
-
-// openTarComponent returns a ReadCloser for the specific file within the archive.
-// This is linear scan; we assume that the tar file will have a fairly small amount of files (~layers),
-// and that filesystem caching will make the repeated seeking over the (uncompressed) tarCopyPath cheap enough.
-// The caller should call .Close() on the returned stream.
-func (s *daemonImageSource) openTarComponent(componentPath string) (io.ReadCloser, error) {
-	f, err := os.Open(s.tarCopyPath)
-	if err != nil {
-		return nil, err
-	}
-	succeeded := false
-	defer func() {
-		if !succeeded {
-			f.Close()
-		}
-	}()
-
-	tarReader, header, err := findTarComponent(f, componentPath)
-	if err != nil {
-		return nil, err
-	}
-	if header == nil {
-		return nil, os.ErrNotExist
-	}
-	if header.FileInfo().Mode()&os.ModeType == os.ModeSymlink { // FIXME: untested
-		// We follow only one symlink; so no loops are possible.
-		if _, err := f.Seek(0, os.SEEK_SET); err != nil {
-			return nil, err
-		}
-		// The new path could easily point "outside" the archive, but we only compare it to existing tar headers without extracting the archive,
-		// so we don't care.
-		tarReader, header, err = findTarComponent(f, path.Join(path.Dir(componentPath), header.Linkname))
-		if err != nil {
-			return nil, err
-		}
-		if header == nil {
-			return nil, os.ErrNotExist
-		}
-	}
-
-	if !header.FileInfo().Mode().IsRegular() {
-		return nil, fmt.Errorf("Error reading tar archive component %s: not a regular file", header.Name)
-	}
-	succeeded = true
-	return &tarReadCloser{Reader: tarReader, backingFile: f}, nil
-}
-
-// findTarComponent returns a header and a reader matching path within inputFile,
-// or (nil, nil, nil) if not found.
-func findTarComponent(inputFile io.Reader, path string) (*tar.Reader, *tar.Header, error) {
-	t := tar.NewReader(inputFile)
-	for {
-		h, err := t.Next()
-		if err == io.EOF {
-			break
-		}
-		if err != nil {
-			return nil, nil, err
-		}
-		if h.Name == path {
-			return t, h, nil
-		}
-	}
-	return nil, nil, nil
-}
-
-// readTarComponent returns full contents of componentPath.
-func (s *daemonImageSource) readTarComponent(path string) ([]byte, error) {
-	file, err := s.openTarComponent(path)
-	if err != nil {
-		return nil, fmt.Errorf("Error loading tar component %s: %v", path, err)
-	}
-	defer file.Close()
-	bytes, err := ioutil.ReadAll(file)
-	if err != nil {
-		return nil, err
-	}
-	return bytes, nil
-}
-
-// ensureCachedDataIsPresent loads data necessary for any of the public accessors.
-func (s *daemonImageSource) ensureCachedDataIsPresent() error {
-	if s.tarManifest != nil {
-		return nil
-	}
-
-	// Read and parse manifest.json
-	tarManifest, err := s.loadTarManifest()
-	if err != nil {
-		return err
-	}
-
-	// Read and parse config.
-	configBytes, err := s.readTarComponent(tarManifest.Config)
-	if err != nil {
-		return err
-	}
-	var parsedConfig dockerImage // Most fields ommitted, we only care about layer DiffIDs.
-	if err := json.Unmarshal(configBytes, &parsedConfig); err != nil {
-		return fmt.Errorf("Error decoding tar config %s: %v", tarManifest.Config, err)
-	}
-
-	knownLayers, err := s.prepareLayerData(tarManifest, &parsedConfig)
-	if err != nil {
-		return err
-	}
-
-	// Success; commit.
-	s.tarManifest = tarManifest
-	s.configBytes = configBytes
-	s.configDigest = digest.FromBytes(configBytes)
-	s.orderedDiffIDList = parsedConfig.RootFS.DiffIDs
-	s.knownLayers = knownLayers
-	return nil
-}
-
-// loadTarManifest loads and decodes the manifest.json.
-func (s *daemonImageSource) loadTarManifest() (*manifestItem, error) {
-	// FIXME? Do we need to deal with the legacy format?
-	bytes, err := s.readTarComponent(manifestFileName)
-	if err != nil {
-		return nil, err
-	}
-	var items []manifestItem
-	if err := json.Unmarshal(bytes, &items); err != nil {
-		return nil, fmt.Errorf("Error decoding tar manifest.json: %v", err)
-	}
-	if len(items) != 1 {
-		return nil, fmt.Errorf("Unexpected tar manifest.json: expected 1 item, got %d", len(items))
-	}
-	return &items[0], nil
-}
-
-func (s *daemonImageSource) prepareLayerData(tarManifest *manifestItem, parsedConfig *dockerImage) (map[diffID]*layerInfo, error) {
-	// Collect layer data available in manifest and config.
-	if len(tarManifest.Layers) != len(parsedConfig.RootFS.DiffIDs) {
-		return nil, fmt.Errorf("Inconsistent layer count: %d in manifest, %d in config", len(tarManifest.Layers), len(parsedConfig.RootFS.DiffIDs))
-	}
-	knownLayers := map[diffID]*layerInfo{}
-	unknownLayerSizes := map[string]*layerInfo{} // Points into knownLayers, a "to do list" of items with unknown sizes.
-	for i, diffID := range parsedConfig.RootFS.DiffIDs {
-		if _, ok := knownLayers[diffID]; ok {
-			// Apparently it really can happen that a single image contains the same layer diff more than once.
-			// In that case, the diffID validation ensures that both layers truly are the same, and it should not matter
-			// which of the tarManifest.Layers paths is used; (docker save) actually makes the duplicates symlinks to the original.
-			continue
-		}
-		layerPath := tarManifest.Layers[i]
-		if _, ok := unknownLayerSizes[layerPath]; ok {
-			return nil, fmt.Errorf("Layer tarfile %s used for two different DiffID values", layerPath)
-		}
-		li := &layerInfo{ // A new element in each iteration
-			path: layerPath,
-			size: -1,
-		}
-		knownLayers[diffID] = li
-		unknownLayerSizes[layerPath] = li
-	}
-
-	// Scan the tar file to collect layer sizes.
-	file, err := os.Open(s.tarCopyPath)
-	if err != nil {
-		return nil, err
-	}
-	defer file.Close()
-	t := tar.NewReader(file)
-	for {
-		h, err := t.Next()
-		if err == io.EOF {
-			break
-		}
-		if err != nil {
-			return nil, err
-		}
-		if li, ok := unknownLayerSizes[h.Name]; ok {
-			li.size = h.Size
-			delete(unknownLayerSizes, h.Name)
-		}
-	}
-	if len(unknownLayerSizes) != 0 {
-		return nil, fmt.Errorf("Some layer tarfiles are missing in the tarball") // This could do with a better error reporting, if this ever happened in practice.
-	}
-
-	return knownLayers, nil
-}
-
-// GetManifest returns the image's manifest along with its MIME type (which may be empty when it can't be determined but the manifest is available).
-// It may use a remote (= slow) service.
-func (s *daemonImageSource) GetManifest() ([]byte, string, error) {
-	if s.generatedManifest == nil {
-		if err := s.ensureCachedDataIsPresent(); err != nil {
-			return nil, "", err
-		}
-		m := schema2Manifest{
-			SchemaVersion: 2,
-			MediaType:     manifest.DockerV2Schema2MediaType,
-			Config: distributionDescriptor{
-				MediaType: manifest.DockerV2Schema2ConfigMediaType,
-				Size:      int64(len(s.configBytes)),
-				Digest:    s.configDigest,
-			},
-			Layers: []distributionDescriptor{},
-		}
-		for _, diffID := range s.orderedDiffIDList {
-			li, ok := s.knownLayers[diffID]
-			if !ok {
-				return nil, "", fmt.Errorf("Internal inconsistency: Information about layer %s missing", diffID)
-			}
-			m.Layers = append(m.Layers, distributionDescriptor{
-				Digest:    digest.Digest(diffID), // diffID is a digest of the uncompressed tarball
-				MediaType: manifest.DockerV2Schema2LayerMediaType,
-				Size:      li.size,
-			})
-		}
-		manifestBytes, err := json.Marshal(&m)
-		if err != nil {
-			return nil, "", err
-		}
-		s.generatedManifest = manifestBytes
-	}
-	return s.generatedManifest, manifest.DockerV2Schema2MediaType, nil
-}
-
-// GetTargetManifest returns an image's manifest given a digest. This is mainly used to retrieve a single image's manifest
-// out of a manifest list.
-func (s *daemonImageSource) GetTargetManifest(digest digest.Digest) ([]byte, string, error) {
-	// How did we even get here? GetManifest() above has returned a manifest.DockerV2Schema2MediaType.
-	return nil, "", fmt.Errorf(`Manifest lists are not supported by "docker-daemon:"`)
-}
-
-// GetBlob returns a stream for the specified blob, and the blob’s size (or -1 if unknown).
-func (s *daemonImageSource) GetBlob(info types.BlobInfo) (io.ReadCloser, int64, error) {
-	if err := s.ensureCachedDataIsPresent(); err != nil {
-		return nil, 0, err
-	}
-
-	if info.Digest == s.configDigest { // FIXME? Implement a more general algorithm matching instead of assuming sha256.
-		return ioutil.NopCloser(bytes.NewReader(s.configBytes)), int64(len(s.configBytes)), nil
-	}
-
-	if li, ok := s.knownLayers[diffID(info.Digest)]; ok { // diffID is a digest of the uncompressed tarball,
-		stream, err := s.openTarComponent(li.path)
-		if err != nil {
-			return nil, 0, err
-		}
-		return stream, li.size, nil
-	}
-
-	return nil, 0, fmt.Errorf("Unknown blob %s", info.Digest)
-}
-
-// GetSignatures returns the image's signatures.  It may use a remote (= slow) service.
-func (s *daemonImageSource) GetSignatures() ([][]byte, error) {
-	return [][]byte{}, nil
+func (s *daemonImageSource) Close() error {
+	return os.Remove(s.tarCopyPath)
 }
--- a/vendor/github.com/containers/image/docker/daemon/daemon_transport.go
+++ b/vendor/github.com/containers/image/docker/daemon/daemon_transport.go
@@ -1,15 +1,19 @@
 package daemon

 import (
-	"errors"
-	"fmt"
+	"github.com/pkg/errors"

 	"github.com/containers/image/docker/reference"
 	"github.com/containers/image/image"
+	"github.com/containers/image/transports"
 	"github.com/containers/image/types"
-	"github.com/docker/distribution/digest"
+	"github.com/opencontainers/go-digest"
 )

+func init() {
+	transports.Register(Transport)
+}
+
 // Transport is an ImageTransport for images managed by a local Docker daemon.
 var Transport = daemonTransport{}

@@ -47,26 +51,26 @@ type daemonReference struct {

 // ParseReference converts a string, which should not start with the ImageTransport.Name prefix, into an ImageReference.
 func ParseReference(refString string) (types.ImageReference, error) {
-	// This is intended to be compatible with reference.ParseIDOrReference, but more strict about refusing some of the ambiguous cases.
+	// This is intended to be compatible with reference.ParseAnyReference, but more strict about refusing some of the ambiguous cases.
 	// In particular, this rejects unprefixed digest values (64 hex chars), and sha256 digest prefixes (sha256:fewer-than-64-hex-chars).

 	// digest:hexstring is structurally the same as a reponame:tag (meaning docker.io/library/reponame:tag).
-	// reference.ParseIDOrReference interprets such strings as digests.
-	if dgst, err := digest.ParseDigest(refString); err == nil {
+	// reference.ParseAnyReference interprets such strings as digests.
+	if dgst, err := digest.Parse(refString); err == nil {
 		// The daemon explicitly refuses to tag images with a reponame equal to digest.Canonical - but _only_ this digest name.
 		// Other digest references are ambiguous, so refuse them.
 		if dgst.Algorithm() != digest.Canonical {
-			return nil, fmt.Errorf("Invalid docker-daemon: reference %s: only digest algorithm %s accepted", refString, digest.Canonical)
+			return nil, errors.Errorf("Invalid docker-daemon: reference %s: only digest algorithm %s accepted", refString, digest.Canonical)
 		}
 		return NewReference(dgst, nil)
 	}

-	ref, err := reference.ParseNamed(refString) // This also rejects unprefixed digest values
+	ref, err := reference.ParseNormalizedNamed(refString) // This also rejects unprefixed digest values
 	if err != nil {
 		return nil, err
 	}
-	if ref.Name() == digest.Canonical.String() {
-		return nil, fmt.Errorf("Invalid docker-daemon: reference %s: The %s repository name is reserved for (non-shortened) digest references", refString, digest.Canonical)
+	if reference.FamiliarName(ref) == digest.Canonical.String() {
+		return nil, errors.Errorf("Invalid docker-daemon: reference %s: The %s repository name is reserved for (non-shortened) digest references", refString, digest.Canonical)
 	}
 	return NewReference("", ref)
 }
@@ -78,14 +82,15 @@ func NewReference(id digest.Digest, ref reference.Named) (types.ImageReference,
 	}
 	if ref != nil {
 		if reference.IsNameOnly(ref) {
-			return nil, fmt.Errorf("docker-daemon: reference %s has neither a tag nor a digest", ref.String())
+			return nil, errors.Errorf("docker-daemon: reference %s has neither a tag nor a digest", reference.FamiliarString(ref))
 		}
 		// A github.com/distribution/reference value can have a tag and a digest at the same time!
-		// docker/reference does not handle that, so fail.
+		// Most versions of docker/reference do not handle that (ignoring the tag), so reject such input.
+		// This MAY be accepted in the future.
 		_, isTagged := ref.(reference.NamedTagged)
 		_, isDigested := ref.(reference.Canonical)
 		if isTagged && isDigested {
-			return nil, fmt.Errorf("docker-daemon: references with both a tag and digest are currently not supported")
+			return nil, errors.Errorf("docker-daemon: references with both a tag and digest are currently not supported")
 		}
 	}
 	return daemonReference{
@@ -109,7 +114,7 @@ func (ref daemonReference) StringWithinTransport() string {
 	case ref.id != "":
 		return ref.id.String()
 	case ref.ref != nil:
-		return ref.ref.String()
+		return reference.FamiliarString(ref.ref)
 	default: // Coverage: Should never happen, NewReference above should refuse such values.
 		panic("Internal inconsistency: daemonReference has empty id and nil ref")
 	}
@@ -156,11 +161,9 @@ func (ref daemonReference) NewImage(ctx *types.SystemContext) (types.Image, erro
 	return image.FromSource(src)
 }

-// NewImageSource returns a types.ImageSource for this reference,
-// asking the backend to use a manifest from requestedManifestMIMETypes if possible.
-// nil requestedManifestMIMETypes means manifest.DefaultRequestedManifestMIMETypes.
+// NewImageSource returns a types.ImageSource for this reference.
 // The caller must call .Close() on the returned ImageSource.
-func (ref daemonReference) NewImageSource(ctx *types.SystemContext, requestedManifestMIMETypes []string) (types.ImageSource, error) {
+func (ref daemonReference) NewImageSource(ctx *types.SystemContext) (types.ImageSource, error) {
 	return newImageSource(ctx, ref)
 }

@@ -175,5 +178,5 @@ func (ref daemonReference) DeleteImage(ctx *types.SystemContext) error {
 	// Should this just untag the image? Should this stop running containers?
 	// The semantics is not quite as clear as for remote repositories.
 	// The user can run (docker rmi) directly anyway, so, for now(?), punt instead of trying to guess what the user meant.
-	return fmt.Errorf("Deleting images not implemented for docker-daemon: images")
+	return errors.Errorf("Deleting images not implemented for docker-daemon: images")
 }
--- a/vendor/github.com/containers/image/docker/docker_client.go
+++ b/vendor/github.com/containers/image/docker/docker_client.go
@@ -1,58 +1,99 @@
 package docker

 import (
+	"context"
 	"crypto/tls"
-	"encoding/base64"
 	"encoding/json"
-	"errors"
 	"fmt"
 	"io"
 	"io/ioutil"
-	"net"
 	"net/http"
-	"os"
 	"path/filepath"
 	"strings"
 	"time"

-	"github.com/Sirupsen/logrus"
+	"github.com/containers/image/docker/reference"
+	"github.com/containers/image/pkg/docker/config"
+	"github.com/containers/image/pkg/tlsclientconfig"
 	"github.com/containers/image/types"
-	"github.com/docker/docker/pkg/homedir"
-	"github.com/docker/go-connections/sockets"
+	"github.com/docker/distribution/registry/client"
 	"github.com/docker/go-connections/tlsconfig"
+	"github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 )

 const (
-	dockerHostname     = "docker.io"
-	dockerRegistry     = "registry-1.docker.io"
-	dockerAuthRegistry = "https://index.docker.io/v1/"
+	dockerHostname = "docker.io"
+	dockerRegistry = "registry-1.docker.io"

-	dockerCfg         = ".docker"
-	dockerCfgFileName = "config.json"
-	dockerCfgObsolete = ".dockercfg"
+	systemPerHostCertDirPath = "/etc/docker/certs.d"

-	baseURL       = "%s://%s/v2/"
-	baseURLV1     = "%s://%s/v1/_ping"
-	tagsURL       = "%s/tags/list"
-	manifestURL   = "%s/manifests/%s"
-	blobsURL      = "%s/blobs/%s"
-	blobUploadURL = "%s/blobs/uploads/"
+	resolvedPingV2URL       = "%s://%s/v2/"
+	resolvedPingV1URL       = "%s://%s/v1/_ping"
+	tagsPath                = "/v2/%s/tags/list"
+	manifestPath            = "/v2/%s/manifests/%s"
+	blobsPath               = "/v2/%s/blobs/%s"
+	blobUploadPath          = "/v2/%s/blobs/uploads/"
+	extensionsSignaturePath = "/extensions/v2/%s/signatures/%s"
+
+	minimumTokenLifetimeSeconds = 60
+
+	extensionSignatureSchemaVersion = 2        // extensionSignature.Version
+	extensionSignatureTypeAtomic    = "atomic" // extensionSignature.Type
 )

-// ErrV1NotSupported is returned when we're trying to talk to a
-// docker V1 registry.
-var ErrV1NotSupported = errors.New("can't talk to a V1 docker registry")
+var (
+	// ErrV1NotSupported is returned when we're trying to talk to a
+	// docker V1 registry.
+	ErrV1NotSupported = errors.New("can't talk to a V1 docker registry")
+	// ErrUnauthorizedForCredentials is returned when the status code returned is 401
+	ErrUnauthorizedForCredentials = errors.New("unable to retrieve auth token: invalid username/password")
+)
+
+// extensionSignature and extensionSignatureList come from github.com/openshift/origin/pkg/dockerregistry/server/signaturedispatcher.go:
+// signature represents a Docker image signature.
+type extensionSignature struct {
+	Version int    `json:"schemaVersion"` // Version specifies the schema version
+	Name    string `json:"name"`          // Name must be in "sha256:<digest>@signatureName" format
+	Type    string `json:"type"`          // Type is optional, of not set it will be defaulted to "AtomicImageV1"
+	Content []byte `json:"content"`       // Content contains the signature
+}
+
+// signatureList represents list of Docker image signatures.
+type extensionSignatureList struct {
+	Signatures []extensionSignature `json:"signatures"`
+}
+
+type bearerToken struct {
+	Token     string    `json:"token"`
+	ExpiresIn int       `json:"expires_in"`
+	IssuedAt  time.Time `json:"issued_at"`
+}

 // dockerClient is configuration for dealing with a single Docker registry.
 type dockerClient struct {
-	ctx             *types.SystemContext
-	registry        string
-	username        string
-	password        string
-	wwwAuthenticate string // Cache of a value set by ping() if scheme is not empty
-	scheme          string // Cache of a value returned by a successful ping() if not empty
-	client          *http.Client
-	signatureBase   signatureStorageBase
+	// The following members are set by newDockerClient and do not change afterwards.
+	ctx           *types.SystemContext
+	registry      string
+	username      string
+	password      string
+	client        *http.Client
+	signatureBase signatureStorageBase
+	scope         authScope
+	// The following members are detected registry properties:
+	// They are set after a successful detectProperties(), and never change afterwards.
+	scheme             string // Empty value also used to indicate detectProperties() has not yet succeeded.
+	challenges         []challenge
+	supportsSignatures bool
+	// The following members are private state for setupRequestAuth, both are valid if token != nil.
+	token           *bearerToken
+	tokenExpiration time.Time
+}
+
+type authScope struct {
+	remoteName string
+	actions    string
 }

 // this is cloned from docker/go-connections because upstream docker has changed
@@ -67,151 +108,121 @@ func serverDefault() *tls.Config {
 	}
 }

-func newTransport() *http.Transport {
-	direct := &net.Dialer{
-		Timeout:   30 * time.Second,
-		KeepAlive: 30 * time.Second,
-		DualStack: true,
+// dockerCertDir returns a path to a directory to be consumed by tlsclientconfig.SetupCertificates() depending on ctx and hostPort.
+func dockerCertDir(ctx *types.SystemContext, hostPort string) string {
+	if ctx != nil && ctx.DockerCertPath != "" {
+		return ctx.DockerCertPath
 	}
-	tr := &http.Transport{
-		Proxy:               http.ProxyFromEnvironment,
-		Dial:                direct.Dial,
-		TLSHandshakeTimeout: 10 * time.Second,
-		// TODO(dmcgowan): Call close idle connections when complete and use keep alive
-		DisableKeepAlives: true,
+	var hostCertDir string
+	if ctx != nil && ctx.DockerPerHostCertDirPath != "" {
+		hostCertDir = ctx.DockerPerHostCertDirPath
+	} else if ctx != nil && ctx.RootForImplicitAbsolutePaths != "" {
+		hostCertDir = filepath.Join(ctx.RootForImplicitAbsolutePaths, systemPerHostCertDirPath)
+	} else {
+		hostCertDir = systemPerHostCertDirPath
 	}
-	proxyDialer, err := sockets.DialerFromEnvironment(direct)
-	if err == nil {
-		tr.Dial = proxyDialer.Dial
-	}
-	return tr
+	return filepath.Join(hostCertDir, hostPort)
 }

-func setupCertificates(dir string, tlsc *tls.Config) error {
-	if dir == "" {
-		return nil
-	}
-	fs, err := ioutil.ReadDir(dir)
-	if err != nil && !os.IsNotExist(err) {
-		return err
-	}
-
-	for _, f := range fs {
-		fullPath := filepath.Join(dir, f.Name())
-		if strings.HasSuffix(f.Name(), ".crt") {
-			systemPool, err := tlsconfig.SystemCertPool()
-			if err != nil {
-				return fmt.Errorf("unable to get system cert pool: %v", err)
-			}
-			tlsc.RootCAs = systemPool
-			logrus.Debugf("crt: %s", fullPath)
-			data, err := ioutil.ReadFile(fullPath)
-			if err != nil {
-				return err
-			}
-			tlsc.RootCAs.AppendCertsFromPEM(data)
-		}
-		if strings.HasSuffix(f.Name(), ".cert") {
-			certName := f.Name()
-			keyName := certName[:len(certName)-5] + ".key"
-			logrus.Debugf("cert: %s", fullPath)
-			if !hasFile(fs, keyName) {
-				return fmt.Errorf("missing key %s for client certificate %s. Note that CA certificates should use the extension .crt", keyName, certName)
-			}
-			cert, err := tls.LoadX509KeyPair(filepath.Join(dir, certName), filepath.Join(dir, keyName))
-			if err != nil {
-				return err
-			}
-			tlsc.Certificates = append(tlsc.Certificates, cert)
-		}
-		if strings.HasSuffix(f.Name(), ".key") {
-			keyName := f.Name()
-			certName := keyName[:len(keyName)-4] + ".cert"
-			logrus.Debugf("key: %s", fullPath)
-			if !hasFile(fs, certName) {
-				return fmt.Errorf("missing client certificate %s for key %s", certName, keyName)
-			}
-		}
-	}
-	return nil
-}
-
-func hasFile(files []os.FileInfo, name string) bool {
-	for _, f := range files {
-		if f.Name() == name {
-			return true
-		}
-	}
-	return false
-}
-
-// newDockerClient returns a new dockerClient instance for refHostname (a host a specified in the Docker image reference, not canonicalized to dockerRegistry)
+// newDockerClientFromRef returns a new dockerClient instance for refHostname (a host a specified in the Docker image reference, not canonicalized to dockerRegistry)
 // “write” specifies whether the client will be used for "write" access (in particular passed to lookaside.go:toplevelFromSection)
-func newDockerClient(ctx *types.SystemContext, ref dockerReference, write bool) (*dockerClient, error) {
-	registry := ref.ref.Hostname()
-	if registry == dockerHostname {
-		registry = dockerRegistry
-	}
-	username, password, err := getAuth(ctx, ref.ref.Hostname())
+func newDockerClientFromRef(ctx *types.SystemContext, ref dockerReference, write bool, actions string) (*dockerClient, error) {
+	registry := reference.Domain(ref.ref)
+	username, password, err := config.GetAuthentication(ctx, reference.Domain(ref.ref))
 	if err != nil {
-		return nil, err
+		return nil, errors.Wrapf(err, "error getting username and password")
 	}
-	tr := newTransport()
-	if ctx != nil && (ctx.DockerCertPath != "" || ctx.DockerInsecureSkipTLSVerify) {
-		tlsc := &tls.Config{}
-
-		if err := setupCertificates(ctx.DockerCertPath, tlsc); err != nil {
-			return nil, err
-		}
-
-		tlsc.InsecureSkipVerify = ctx.DockerInsecureSkipTLSVerify
-		tr.TLSClientConfig = tlsc
-	}
-	if tr.TLSClientConfig == nil {
-		tr.TLSClientConfig = serverDefault()
-	}
-	client := &http.Client{Transport: tr}
-
 	sigBase, err := configuredSignatureStorageBase(ctx, ref, write)
 	if err != nil {
 		return nil, err
 	}
+	remoteName := reference.Path(ref.ref)
+
+	return newDockerClientWithDetails(ctx, registry, username, password, actions, sigBase, remoteName)
+}
+
+// newDockerClientWithDetails returns a new dockerClient instance for the given parameters
+func newDockerClientWithDetails(ctx *types.SystemContext, registry, username, password, actions string, sigBase signatureStorageBase, remoteName string) (*dockerClient, error) {
+	hostName := registry
+	if registry == dockerHostname {
+		registry = dockerRegistry
+	}
+	tr := tlsclientconfig.NewTransport()
+	tr.TLSClientConfig = serverDefault()
+
+	// It is undefined whether the host[:port] string for dockerHostname should be dockerHostname or dockerRegistry,
+	// because docker/docker does not read the certs.d subdirectory at all in that case.  We use the user-visible
+	// dockerHostname here, because it is more symmetrical to read the configuration in that case as well, and because
+	// generally the UI hides the existence of the different dockerRegistry.  But note that this behavior is
+	// undocumented and may change if docker/docker changes.
+	certDir := dockerCertDir(ctx, hostName)
+	if err := tlsclientconfig.SetupCertificates(certDir, tr.TLSClientConfig); err != nil {
+		return nil, err
+	}
+
+	if ctx != nil && ctx.DockerInsecureSkipTLSVerify {
+		tr.TLSClientConfig.InsecureSkipVerify = true
+	}

 	return &dockerClient{
 		ctx:           ctx,
 		registry:      registry,
 		username:      username,
 		password:      password,
-		client:        client,
+		client:        &http.Client{Transport: tr},
 		signatureBase: sigBase,
+		scope: authScope{
+			actions:    actions,
+			remoteName: remoteName,
+		},
 	}, nil
 }

-// makeRequest creates and executes a http.Request with the specified parameters, adding authentication and TLS options for the Docker client.
-// url is NOT an absolute URL, but a path relative to the /v2/ top-level API path.  The host name and schema is taken from the client or autodetected.
-func (c *dockerClient) makeRequest(method, url string, headers map[string][]string, stream io.Reader) (*http.Response, error) {
-	if c.scheme == "" {
-		pr, err := c.ping()
-		if err != nil {
-			return nil, err
-		}
-		c.wwwAuthenticate = pr.WWWAuthenticate
-		c.scheme = pr.scheme
+// CheckAuth validates the credentials by attempting to log into the registry
+// returns an error if an error occcured while making the http request or the status code received was 401
+func CheckAuth(ctx context.Context, sCtx *types.SystemContext, username, password, registry string) error {
+	newLoginClient, err := newDockerClientWithDetails(sCtx, registry, username, password, "", nil, "")
+	if err != nil {
+		return errors.Wrapf(err, "error creating new docker client")
 	}

-	url = fmt.Sprintf(baseURL, c.scheme, c.registry) + url
-	return c.makeRequestToResolvedURL(method, url, headers, stream, -1, true)
+	resp, err := newLoginClient.makeRequest(ctx, "GET", "/v2/", nil, nil)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	switch resp.StatusCode {
+	case http.StatusOK:
+		return nil
+	case http.StatusUnauthorized:
+		return ErrUnauthorizedForCredentials
+	default:
+		return errors.Errorf("error occured with status code %q", resp.StatusCode)
+	}
+}
+
+// makeRequest creates and executes a http.Request with the specified parameters, adding authentication and TLS options for the Docker client.
+// The host name and schema is taken from the client or autodetected, and the path is relative to it, i.e. the path usually starts with /v2/.
+func (c *dockerClient) makeRequest(ctx context.Context, method, path string, headers map[string][]string, stream io.Reader) (*http.Response, error) {
+	if err := c.detectProperties(ctx); err != nil {
+		return nil, err
+	}
+
+	url := fmt.Sprintf("%s://%s%s", c.scheme, c.registry, path)
+	return c.makeRequestToResolvedURL(ctx, method, url, headers, stream, -1, true)
 }

 // makeRequestToResolvedURL creates and executes a http.Request with the specified parameters, adding authentication and TLS options for the Docker client.
 // streamLen, if not -1, specifies the length of the data expected on stream.
 // makeRequest should generally be preferred.
 // TODO(runcom): too many arguments here, use a struct
-func (c *dockerClient) makeRequestToResolvedURL(method, url string, headers map[string][]string, stream io.Reader, streamLen int64, sendAuth bool) (*http.Response, error) {
+func (c *dockerClient) makeRequestToResolvedURL(ctx context.Context, method, url string, headers map[string][]string, stream io.Reader, streamLen int64, sendAuth bool) (*http.Response, error) {
 	req, err := http.NewRequest(method, url, stream)
 	if err != nil {
 		return nil, err
 	}
+	req = req.WithContext(ctx)
 	if streamLen != -1 { // Do not blindly overwrite if streamLen == -1, http.NewRequest above can figure out the length of bytes.Reader and similar objects without us having to compute it.
 		req.ContentLength = streamLen
 	}
@@ -224,7 +235,7 @@ func (c *dockerClient) makeRequestToResolvedURL(method, url string, headers map[
 	if c.ctx != nil && c.ctx.DockerRegistryUserAgent != "" {
 		req.Header.Add("User-Agent", c.ctx.DockerRegistryUserAgent)
 	}
-	if c.wwwAuthenticate != "" && sendAuth {
+	if sendAuth {
 		if err := c.setupRequestAuth(req); err != nil {
 			return nil, err
 		}
@@ -237,64 +248,58 @@ func (c *dockerClient) makeRequestToResolvedURL(method, url string, headers map[
 	return res, nil
 }

+// we're using the challenges from the /v2/ ping response and not the one from the destination
+// URL in this request because:
+//
+// 1) docker does that as well
+// 2) gcr.io is sending 401 without a WWW-Authenticate header in the real request
+//
+// debugging: https://github.com/containers/image/pull/211#issuecomment-273426236 and follows up
 func (c *dockerClient) setupRequestAuth(req *http.Request) error {
-	tokens := strings.SplitN(strings.TrimSpace(c.wwwAuthenticate), " ", 2)
-	if len(tokens) != 2 {
-		return fmt.Errorf("expected 2 tokens in WWW-Authenticate: %d, %s", len(tokens), c.wwwAuthenticate)
-	}
-	switch tokens[0] {
-	case "Basic":
-		req.SetBasicAuth(c.username, c.password)
+	if len(c.challenges) == 0 {
 		return nil
-	case "Bearer":
-		// FIXME? This gets a new token for every API request;
-		// we may be easily able to reuse a previous token, e.g.
-		// for OpenShift the token only identifies the user and does not vary
-		// across operations.  Should we just try the request first, and
-		// only get a new token on failure?
-		// OTOH what to do with the single-use body stream in that case?
-
-		// Try performing the request, expecting it to fail.
-		testReq := *req
-		// Do not use the body stream, or we couldn't reuse it for the "real" call later.
-		testReq.Body = nil
-		testReq.ContentLength = 0
-		res, err := c.client.Do(&testReq)
-		if err != nil {
-			return err
-		}
-		chs := parseAuthHeader(res.Header)
-		if res.StatusCode != http.StatusUnauthorized || chs == nil || len(chs) == 0 {
-			// no need for bearer? wtf?
+	}
+	schemeNames := make([]string, 0, len(c.challenges))
+	for _, challenge := range c.challenges {
+		schemeNames = append(schemeNames, challenge.Scheme)
+		switch challenge.Scheme {
+		case "basic":
+			req.SetBasicAuth(c.username, c.password)
 			return nil
+		case "bearer":
+			if c.token == nil || time.Now().After(c.tokenExpiration) {
+				realm, ok := challenge.Parameters["realm"]
+				if !ok {
+					return errors.Errorf("missing realm in bearer auth challenge")
+				}
+				service, _ := challenge.Parameters["service"] // Will be "" if not present
+				var scope string
+				if c.scope.remoteName != "" && c.scope.actions != "" {
+					scope = fmt.Sprintf("repository:%s:%s", c.scope.remoteName, c.scope.actions)
+				}
+				token, err := c.getBearerToken(req.Context(), realm, service, scope)
+				if err != nil {
+					return err
+				}
+				c.token = token
+				c.tokenExpiration = token.IssuedAt.Add(time.Duration(token.ExpiresIn) * time.Second)
+			}
+			req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", c.token.Token))
+			return nil
+		default:
+			logrus.Debugf("no handler for %s authentication", challenge.Scheme)
 		}
-		// Arbitrarily use the first challenge, there is no reason to expect more than one.
-		challenge := chs[0]
-		if challenge.Scheme != "bearer" { // Another artifact of trying to handle WWW-Authenticate before it actually happens.
-			return fmt.Errorf("Unimplemented: WWW-Authenticate Bearer replaced by %#v", challenge.Scheme)
-		}
-		realm, ok := challenge.Parameters["realm"]
-		if !ok {
-			return fmt.Errorf("missing realm in bearer auth challenge")
-		}
-		service, _ := challenge.Parameters["service"] // Will be "" if not present
-		scope, _ := challenge.Parameters["scope"]     // Will be "" if not present
-		token, err := c.getBearerToken(realm, service, scope)
-		if err != nil {
-			return err
-		}
-		req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
-		return nil
 	}
-	return fmt.Errorf("no handler for %s authentication", tokens[0])
-	// support docker bearer with authconfig's Auth string? see docker2aci
+	logrus.Infof("None of the challenges sent by server (%s) are supported, trying an unauthenticated request anyway", strings.Join(schemeNames, ", "))
+	return nil
 }

-func (c *dockerClient) getBearerToken(realm, service, scope string) (string, error) {
+func (c *dockerClient) getBearerToken(ctx context.Context, realm, service, scope string) (*bearerToken, error) {
 	authReq, err := http.NewRequest("GET", realm, nil)
 	if err != nil {
-		return "", err
+		return nil, err
 	}
+	authReq = authReq.WithContext(ctx)
 	getParams := authReq.URL.Query()
 	if service != "" {
 		getParams.Add("service", service)
@@ -306,141 +311,84 @@ func (c *dockerClient) getBearerToken(realm, service, scope string) (string, err
 	if c.username != "" && c.password != "" {
 		authReq.SetBasicAuth(c.username, c.password)
 	}
-	tr := newTransport()
+	tr := tlsclientconfig.NewTransport()
 	// TODO(runcom): insecure for now to contact the external token service
 	tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
 	client := &http.Client{Transport: tr}
 	res, err := client.Do(authReq)
 	if err != nil {
-		return "", err
+		return nil, err
 	}
 	defer res.Body.Close()
 	switch res.StatusCode {
 	case http.StatusUnauthorized:
-		return "", fmt.Errorf("unable to retrieve auth token: 401 unauthorized")
+		return nil, ErrUnauthorizedForCredentials
 	case http.StatusOK:
 		break
 	default:
-		return "", fmt.Errorf("unexpected http code: %d, URL: %s", res.StatusCode, authReq.URL)
+		return nil, errors.Errorf("unexpected http code: %d, URL: %s", res.StatusCode, authReq.URL)
 	}
 	tokenBlob, err := ioutil.ReadAll(res.Body)
 	if err != nil {
-		return "", err
+		return nil, err
 	}
-	tokenStruct := struct {
-		Token string `json:"token"`
-	}{}
-	if err := json.Unmarshal(tokenBlob, &tokenStruct); err != nil {
-		return "", err
+	var token bearerToken
+	if err := json.Unmarshal(tokenBlob, &token); err != nil {
+		return nil, err
 	}
-	// TODO(runcom): reuse tokens?
-	//hostAuthTokens, ok = rb.hostsV2AuthTokens[req.URL.Host]
-	//if !ok {
-	//hostAuthTokens = make(map[string]string)
-	//rb.hostsV2AuthTokens[req.URL.Host] = hostAuthTokens
-	//}
-	//hostAuthTokens[repo] = tokenStruct.Token
-	return tokenStruct.Token, nil
+	if token.ExpiresIn < minimumTokenLifetimeSeconds {
+		token.ExpiresIn = minimumTokenLifetimeSeconds
+		logrus.Debugf("Increasing token expiration to: %d seconds", token.ExpiresIn)
+	}
+	if token.IssuedAt.IsZero() {
+		token.IssuedAt = time.Now().UTC()
+	}
+	return &token, nil
 }

-func getAuth(ctx *types.SystemContext, registry string) (string, string, error) {
-	if ctx != nil && ctx.DockerAuthConfig != nil {
-		return ctx.DockerAuthConfig.Username, ctx.DockerAuthConfig.Password, nil
-	}
-	var dockerAuth dockerConfigFile
-	dockerCfgPath := filepath.Join(getDefaultConfigDir(".docker"), dockerCfgFileName)
-	if _, err := os.Stat(dockerCfgPath); err == nil {
-		j, err := ioutil.ReadFile(dockerCfgPath)
-		if err != nil {
-			return "", "", err
-		}
-		if err := json.Unmarshal(j, &dockerAuth); err != nil {
-			return "", "", err
-		}
-
-	} else if os.IsNotExist(err) {
-		// try old config path
-		oldDockerCfgPath := filepath.Join(getDefaultConfigDir(dockerCfgObsolete))
-		if _, err := os.Stat(oldDockerCfgPath); err != nil {
-			if os.IsNotExist(err) {
-				return "", "", nil
-			}
-			return "", "", fmt.Errorf("%s - %v", oldDockerCfgPath, err)
-		}
-
-		j, err := ioutil.ReadFile(oldDockerCfgPath)
-		if err != nil {
-			return "", "", err
-		}
-		if err := json.Unmarshal(j, &dockerAuth.AuthConfigs); err != nil {
-			return "", "", err
-		}
-
-	} else if err != nil {
-		return "", "", fmt.Errorf("%s - %v", dockerCfgPath, err)
+// detectProperties detects various properties of the registry.
+// See the dockerClient documentation for members which are affected by this.
+func (c *dockerClient) detectProperties(ctx context.Context) error {
+	if c.scheme != "" {
+		return nil
 	}

-	// I'm feeling lucky
-	if c, exists := dockerAuth.AuthConfigs[registry]; exists {
-		return decodeDockerAuth(c.Auth)
-	}
-
-	// bad luck; let's normalize the entries first
-	registry = normalizeRegistry(registry)
-	normalizedAuths := map[string]dockerAuthConfig{}
-	for k, v := range dockerAuth.AuthConfigs {
-		normalizedAuths[normalizeRegistry(k)] = v
-	}
-	if c, exists := normalizedAuths[registry]; exists {
-		return decodeDockerAuth(c.Auth)
-	}
-	return "", "", nil
-}
-
-type pingResponse struct {
-	WWWAuthenticate string
-	APIVersion      string
-	scheme          string
-}
-
-func (c *dockerClient) ping() (*pingResponse, error) {
-	ping := func(scheme string) (*pingResponse, error) {
-		url := fmt.Sprintf(baseURL, scheme, c.registry)
-		resp, err := c.makeRequestToResolvedURL("GET", url, nil, nil, -1, true)
+	ping := func(scheme string) error {
+		url := fmt.Sprintf(resolvedPingV2URL, scheme, c.registry)
+		resp, err := c.makeRequestToResolvedURL(ctx, "GET", url, nil, nil, -1, true)
 		logrus.Debugf("Ping %s err %#v", url, err)
 		if err != nil {
-			return nil, err
+			return err
 		}
 		defer resp.Body.Close()
-		logrus.Debugf("Ping %s status %d", scheme+"://"+c.registry+"/v2/", resp.StatusCode)
+		logrus.Debugf("Ping %s status %d", url, resp.StatusCode)
 		if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusUnauthorized {
-			return nil, fmt.Errorf("error pinging repository, response code %d", resp.StatusCode)
+			return errors.Errorf("error pinging repository, response code %d", resp.StatusCode)
 		}
-		pr := &pingResponse{}
-		pr.WWWAuthenticate = resp.Header.Get("WWW-Authenticate")
-		pr.APIVersion = resp.Header.Get("Docker-Distribution-Api-Version")
-		pr.scheme = scheme
-		return pr, nil
+		c.challenges = parseAuthHeader(resp.Header)
+		c.scheme = scheme
+		c.supportsSignatures = resp.Header.Get("X-Registry-Supports-Signatures") == "1"
+		return nil
 	}
-	pr, err := ping("https")
+	err := ping("https")
 	if err != nil && c.ctx != nil && c.ctx.DockerInsecureSkipTLSVerify {
-		pr, err = ping("http")
+		err = ping("http")
 	}
 	if err != nil {
-		err = fmt.Errorf("pinging docker registry returned %+v", err)
-		if c.ctx.DockerDisableV1Ping {
-			return nil, err
+		err = errors.Wrap(err, "pinging docker registry returned")
+		if c.ctx != nil && c.ctx.DockerDisableV1Ping {
+			return err
 		}
 		// best effort to understand if we're talking to a V1 registry
 		pingV1 := func(scheme string) bool {
-			url := fmt.Sprintf(baseURLV1, scheme, c.registry)
-			resp, err := c.makeRequestToResolvedURL("GET", url, nil, nil, -1, true)
+			url := fmt.Sprintf(resolvedPingV1URL, scheme, c.registry)
+			resp, err := c.makeRequestToResolvedURL(ctx, "GET", url, nil, nil, -1, true)
 			logrus.Debugf("Ping %s err %#v", url, err)
 			if err != nil {
 				return false
 			}
 			defer resp.Body.Close()
-			logrus.Debugf("Ping %s status %d", scheme+"://"+c.registry+"/v1/_ping", resp.StatusCode)
+			logrus.Debugf("Ping %s status %d", url, resp.StatusCode)
 			if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusUnauthorized {
 				return false
 			}
@@ -454,57 +402,29 @@ func (c *dockerClient) ping() (*pingResponse, error) {
 			err = ErrV1NotSupported
 		}
 	}
-	return pr, err
+	return err
 }

-func getDefaultConfigDir(confPath string) string {
-	return filepath.Join(homedir.Get(), confPath)
-}
-
-type dockerAuthConfig struct {
-	Auth string `json:"auth,omitempty"`
-}
-
-type dockerConfigFile struct {
-	AuthConfigs map[string]dockerAuthConfig `json:"auths"`
-}
-
-func decodeDockerAuth(s string) (string, string, error) {
-	decoded, err := base64.StdEncoding.DecodeString(s)
+// getExtensionsSignatures returns signatures from the X-Registry-Supports-Signatures API extension,
+// using the original data structures.
+func (c *dockerClient) getExtensionsSignatures(ctx context.Context, ref dockerReference, manifestDigest digest.Digest) (*extensionSignatureList, error) {
+	path := fmt.Sprintf(extensionsSignaturePath, reference.Path(ref.ref), manifestDigest)
+	res, err := c.makeRequest(ctx, "GET", path, nil, nil)
 	if err != nil {
-		return "", "", err
+		return nil, err
 	}
-	parts := strings.SplitN(string(decoded), ":", 2)
-	if len(parts) != 2 {
-		// if it's invalid just skip, as docker does
-		return "", "", nil
+	defer res.Body.Close()
+	if res.StatusCode != http.StatusOK {
+		return nil, client.HandleErrorResponse(res)
 	}
-	user := parts[0]
-	password := strings.Trim(parts[1], "\x00")
-	return user, password, nil
-}
-
-// convertToHostname converts a registry url which has http|https prepended
-// to just an hostname.
-// Copied from github.com/docker/docker/registry/auth.go
-func convertToHostname(url string) string {
-	stripped := url
-	if strings.HasPrefix(url, "http://") {
-		stripped = strings.TrimPrefix(url, "http://")
-	} else if strings.HasPrefix(url, "https://") {
-		stripped = strings.TrimPrefix(url, "https://")
-	}
-
-	nameParts := strings.SplitN(stripped, "/", 2)
-
-	return nameParts[0]
-}
-
-func normalizeRegistry(registry string) string {
-	normalized := convertToHostname(registry)
-	switch normalized {
-	case "registry-1.docker.io", "docker.io":
-		return "index.docker.io"
-	}
-	return normalized
+	body, err := ioutil.ReadAll(res.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	var parsedBody extensionSignatureList
+	if err := json.Unmarshal(body, &parsedBody); err != nil {
+		return nil, errors.Wrapf(err, "Error decoding signature list")
+	}
+	return &parsedBody, nil
 }
--- a/vendor/github.com/containers/image/docker/docker_image.go
+++ b/vendor/github.com/containers/image/docker/docker_image.go
@@ -1,12 +1,15 @@
 package docker

 import (
+	"context"
 	"encoding/json"
 	"fmt"
 	"net/http"

+	"github.com/containers/image/docker/reference"
 	"github.com/containers/image/image"
 	"github.com/containers/image/types"
+	"github.com/pkg/errors"
 )

 // Image is a Docker-specific implementation of types.Image with a few extra methods
@@ -20,7 +23,7 @@ type Image struct {
 // a client to the registry hosting the given image.
 // The caller must call .Close() on the returned Image.
 func newImage(ctx *types.SystemContext, ref dockerReference) (types.Image, error) {
-	s, err := newImageSource(ctx, ref, nil)
+	s, err := newImageSource(ctx, ref)
 	if err != nil {
 		return nil, err
 	}
@@ -33,20 +36,21 @@ func newImage(ctx *types.SystemContext, ref dockerReference) (types.Image, error

 // SourceRefFullName returns a fully expanded name for the repository this image is in.
 func (i *Image) SourceRefFullName() string {
-	return i.src.ref.ref.FullName()
+	return i.src.ref.ref.Name()
 }

 // GetRepositoryTags list all tags available in the repository. Note that this has no connection with the tag(s) used for this specific image, if any.
 func (i *Image) GetRepositoryTags() ([]string, error) {
-	url := fmt.Sprintf(tagsURL, i.src.ref.ref.RemoteName())
-	res, err := i.src.c.makeRequest("GET", url, nil, nil)
+	path := fmt.Sprintf(tagsPath, reference.Path(i.src.ref.ref))
+	// FIXME: Pass the context.Context
+	res, err := i.src.c.makeRequest(context.TODO(), "GET", path, nil, nil)
 	if err != nil {
 		return nil, err
 	}
 	defer res.Body.Close()
 	if res.StatusCode != http.StatusOK {
 		// print url also
-		return nil, fmt.Errorf("Invalid status code returned when fetching tags list %d", res.StatusCode)
+		return nil, errors.Errorf("Invalid status code returned when fetching tags list %d", res.StatusCode)
 	}
 	type tagsRes struct {
 		Tags []string
--- a/vendor/github.com/containers/image/docker/docker_image_dest.go
+++ b/vendor/github.com/containers/image/docker/docker_image_dest.go
@@ -2,6 +2,9 @@ package docker

 import (
 	"bytes"
+	"context"
+	"crypto/rand"
+	"encoding/json"
 	"fmt"
 	"io"
 	"io/ioutil"
@@ -10,10 +13,16 @@ import (
 	"os"
 	"path/filepath"

-	"github.com/Sirupsen/logrus"
+	"github.com/containers/image/docker/reference"
 	"github.com/containers/image/manifest"
 	"github.com/containers/image/types"
-	"github.com/docker/distribution/digest"
+	"github.com/docker/distribution/registry/api/errcode"
+	"github.com/docker/distribution/registry/api/v2"
+	"github.com/docker/distribution/registry/client"
+	"github.com/opencontainers/go-digest"
+	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 )

 type dockerImageDestination struct {
@@ -25,7 +34,7 @@ type dockerImageDestination struct {

 // newImageDestination creates a new ImageDestination for the specified image reference.
 func newImageDestination(ctx *types.SystemContext, ref dockerReference) (types.ImageDestination, error) {
-	c, err := newDockerClient(ctx, ref, true)
+	c, err := newDockerClientFromRef(ctx, ref, true, "pull,push")
 	if err != nil {
 		return nil, err
 	}
@@ -42,12 +51,13 @@ func (d *dockerImageDestination) Reference() types.ImageReference {
 }

 // Close removes resources associated with an initialized ImageDestination, if any.
-func (d *dockerImageDestination) Close() {
+func (d *dockerImageDestination) Close() error {
+	return nil
 }

 func (d *dockerImageDestination) SupportedManifestMIMETypes() []string {
 	return []string{
-		// TODO(runcom): we'll add OCI as part of another PR here
+		imgspecv1.MediaTypeImageManifest,
 		manifest.DockerV2Schema2MediaType,
 		manifest.DockerV2Schema1SignedMediaType,
 		manifest.DockerV2Schema1MediaType,
@@ -57,7 +67,17 @@ func (d *dockerImageDestination) SupportedManifestMIMETypes() []string {
 // SupportsSignatures returns an error (to be displayed to the user) if the destination certainly can't store signatures.
 // Note: It is still possible for PutSignatures to fail if SupportsSignatures returns nil.
 func (d *dockerImageDestination) SupportsSignatures() error {
-	return fmt.Errorf("Pushing signatures to a Docker Registry is not supported")
+	if err := d.c.detectProperties(context.TODO()); err != nil {
+		return err
+	}
+	switch {
+	case d.c.signatureBase != nil:
+		return nil
+	case d.c.supportsSignatures:
+		return nil
+	default:
+		return errors.Errorf("X-Registry-Supports-Signatures extension not supported, and lookaside is not configured")
+	}
 }

 // ShouldCompressLayers returns true iff it is desirable to compress layer blobs written to this destination.
@@ -71,6 +91,11 @@ func (d *dockerImageDestination) AcceptsForeignLayerURLs() bool {
 	return true
 }

+// MustMatchRuntimeOS returns true iff the destination can store only images targeted for the current runtime OS. False otherwise.
+func (d *dockerImageDestination) MustMatchRuntimeOS() bool {
+	return false
+}
+
 // sizeCounter is an io.Writer which only counts the total size of its input.
 type sizeCounter struct{ size int64 }

@@ -87,52 +112,38 @@ func (c *sizeCounter) Write(p []byte) (n int, err error) {
 // If stream.Read() at any time, ESPECIALLY at end of input, returns an error, PutBlob MUST 1) fail, and 2) delete any data stored so far.
 func (d *dockerImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobInfo) (types.BlobInfo, error) {
 	if inputInfo.Digest.String() != "" {
-		checkURL := fmt.Sprintf(blobsURL, d.ref.ref.RemoteName(), inputInfo.Digest.String())
-
-		logrus.Debugf("Checking %s", checkURL)
-		res, err := d.c.makeRequest("HEAD", checkURL, nil, nil)
+		haveBlob, size, err := d.HasBlob(inputInfo)
 		if err != nil {
 			return types.BlobInfo{}, err
 		}
-		defer res.Body.Close()
-		switch res.StatusCode {
-		case http.StatusOK:
-			logrus.Debugf("... already exists, not uploading")
-			return types.BlobInfo{Digest: inputInfo.Digest, Size: getBlobSize(res)}, nil
-		case http.StatusUnauthorized:
-			logrus.Debugf("... not authorized")
-			return types.BlobInfo{}, fmt.Errorf("not authorized to read from destination repository %s", d.ref.ref.RemoteName())
-		case http.StatusNotFound:
-			// noop
-		default:
-			return types.BlobInfo{}, fmt.Errorf("failed to read from destination repository %s: %v", d.ref.ref.RemoteName(), http.StatusText(res.StatusCode))
+		if haveBlob {
+			return types.BlobInfo{Digest: inputInfo.Digest, Size: size}, nil
 		}
-		logrus.Debugf("... failed, status %d", res.StatusCode)
 	}

 	// FIXME? Chunked upload, progress reporting, etc.
-	uploadURL := fmt.Sprintf(blobUploadURL, d.ref.ref.RemoteName())
-	logrus.Debugf("Uploading %s", uploadURL)
-	res, err := d.c.makeRequest("POST", uploadURL, nil, nil)
+	uploadPath := fmt.Sprintf(blobUploadPath, reference.Path(d.ref.ref))
+	logrus.Debugf("Uploading %s", uploadPath)
+	res, err := d.c.makeRequest(context.TODO(), "POST", uploadPath, nil, nil)
 	if err != nil {
 		return types.BlobInfo{}, err
 	}
 	defer res.Body.Close()
 	if res.StatusCode != http.StatusAccepted {
 		logrus.Debugf("Error initiating layer upload, response %#v", *res)
-		return types.BlobInfo{}, fmt.Errorf("Error initiating layer upload to %s, status %d", uploadURL, res.StatusCode)
+		return types.BlobInfo{}, errors.Errorf("Error initiating layer upload to %s, status %d", uploadPath, res.StatusCode)
 	}
 	uploadLocation, err := res.Location()
 	if err != nil {
-		return types.BlobInfo{}, fmt.Errorf("Error determining upload URL: %s", err.Error())
+		return types.BlobInfo{}, errors.Wrap(err, "Error determining upload URL")
 	}

-	digester := digest.Canonical.New()
+	digester := digest.Canonical.Digester()
 	sizeCounter := &sizeCounter{}
 	tee := io.TeeReader(stream, io.MultiWriter(digester.Hash(), sizeCounter))
-	res, err = d.c.makeRequestToResolvedURL("PATCH", uploadLocation.String(), map[string][]string{"Content-Type": {"application/octet-stream"}}, tee, inputInfo.Size, true)
+	res, err = d.c.makeRequestToResolvedURL(context.TODO(), "PATCH", uploadLocation.String(), map[string][]string{"Content-Type": {"application/octet-stream"}}, tee, inputInfo.Size, true)
 	if err != nil {
-		logrus.Debugf("Error uploading layer chunked, response %#v", *res)
+		logrus.Debugf("Error uploading layer chunked, response %#v", res)
 		return types.BlobInfo{}, err
 	}
 	defer res.Body.Close()
@@ -140,7 +151,7 @@ func (d *dockerImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobI

 	uploadLocation, err = res.Location()
 	if err != nil {
-		return types.BlobInfo{}, fmt.Errorf("Error determining upload URL: %s", err.Error())
+		return types.BlobInfo{}, errors.Wrap(err, "Error determining upload URL")
 	}

 	// FIXME: DELETE uploadLocation on failure
@@ -149,20 +160,59 @@ func (d *dockerImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobI
 	// TODO: check inputInfo.Digest == computedDigest https://github.com/containers/image/pull/70#discussion_r77646717
 	locationQuery.Set("digest", computedDigest.String())
 	uploadLocation.RawQuery = locationQuery.Encode()
-	res, err = d.c.makeRequestToResolvedURL("PUT", uploadLocation.String(), map[string][]string{"Content-Type": {"application/octet-stream"}}, nil, -1, true)
+	res, err = d.c.makeRequestToResolvedURL(context.TODO(), "PUT", uploadLocation.String(), map[string][]string{"Content-Type": {"application/octet-stream"}}, nil, -1, true)
 	if err != nil {
 		return types.BlobInfo{}, err
 	}
 	defer res.Body.Close()
 	if res.StatusCode != http.StatusCreated {
 		logrus.Debugf("Error uploading layer, response %#v", *res)
-		return types.BlobInfo{}, fmt.Errorf("Error uploading layer to %s, status %d", uploadLocation, res.StatusCode)
+		return types.BlobInfo{}, errors.Errorf("Error uploading layer to %s, status %d", uploadLocation, res.StatusCode)
 	}

 	logrus.Debugf("Upload of layer %s complete", computedDigest)
 	return types.BlobInfo{Digest: computedDigest, Size: sizeCounter.size}, nil
 }

+// HasBlob returns true iff the image destination already contains a blob with the matching digest which can be reapplied using ReapplyBlob.
+// Unlike PutBlob, the digest can not be empty.  If HasBlob returns true, the size of the blob must also be returned.
+// If the destination does not contain the blob, or it is unknown, HasBlob ordinarily returns (false, -1, nil);
+// it returns a non-nil error only on an unexpected failure.
+func (d *dockerImageDestination) HasBlob(info types.BlobInfo) (bool, int64, error) {
+	if info.Digest == "" {
+		return false, -1, errors.Errorf(`"Can not check for a blob with unknown digest`)
+	}
+	checkPath := fmt.Sprintf(blobsPath, reference.Path(d.ref.ref), info.Digest.String())
+
+	logrus.Debugf("Checking %s", checkPath)
+	res, err := d.c.makeRequest(context.TODO(), "HEAD", checkPath, nil, nil)
+	if err != nil {
+		return false, -1, err
+	}
+	defer res.Body.Close()
+	switch res.StatusCode {
+	case http.StatusOK:
+		logrus.Debugf("... already exists")
+		return true, getBlobSize(res), nil
+	case http.StatusUnauthorized:
+		logrus.Debugf("... not authorized")
+		return false, -1, errors.Errorf("not authorized to read from destination repository %s", reference.Path(d.ref.ref))
+	case http.StatusNotFound:
+		logrus.Debugf("... not present")
+		return false, -1, nil
+	default:
+		return false, -1, errors.Errorf("failed to read from destination repository %s: %v", reference.Path(d.ref.ref), http.StatusText(res.StatusCode))
+	}
+}
+
+func (d *dockerImageDestination) ReapplyBlob(info types.BlobInfo) (types.BlobInfo, error) {
+	return info, nil
+}
+
+// PutManifest writes manifest to the destination.
+// FIXME? This should also receive a MIME type if known, to differentiate between schema versions.
+// If the destination is in principle available, refuses this manifest type (e.g. it does not recognize the schema),
+// but may accept a different manifest type, the returned error must be an ManifestTypeRejectedError.
 func (d *dockerImageDestination) PutManifest(m []byte) error {
 	digest, err := manifest.Digest(m)
 	if err != nil {
@@ -170,34 +220,69 @@ func (d *dockerImageDestination) PutManifest(m []byte) error {
 	}
 	d.manifestDigest = digest

-	reference, err := d.ref.tagOrDigest()
+	refTail, err := d.ref.tagOrDigest()
 	if err != nil {
 		return err
 	}
-	url := fmt.Sprintf(manifestURL, d.ref.ref.RemoteName(), reference)
+	path := fmt.Sprintf(manifestPath, reference.Path(d.ref.ref), refTail)

 	headers := map[string][]string{}
 	mimeType := manifest.GuessMIMEType(m)
 	if mimeType != "" {
 		headers["Content-Type"] = []string{mimeType}
 	}
-	res, err := d.c.makeRequest("PUT", url, headers, bytes.NewReader(m))
+	res, err := d.c.makeRequest(context.TODO(), "PUT", path, headers, bytes.NewReader(m))
 	if err != nil {
 		return err
 	}
 	defer res.Body.Close()
 	if res.StatusCode != http.StatusCreated {
-		body, err := ioutil.ReadAll(res.Body)
-		if err == nil {
-			logrus.Debugf("Error body %s", string(body))
+		err = errors.Wrapf(client.HandleErrorResponse(res), "Error uploading manifest to %s", path)
+		if isManifestInvalidError(errors.Cause(err)) {
+			err = types.ManifestTypeRejectedError{Err: err}
 		}
-		logrus.Debugf("Error uploading manifest, status %d, %#v", res.StatusCode, res)
-		return fmt.Errorf("Error uploading manifest to %s, status %d", url, res.StatusCode)
+		return err
 	}
 	return nil
 }

+// isManifestInvalidError returns true iff err from client.HandleErrorReponse is a “manifest invalid” error.
+func isManifestInvalidError(err error) bool {
+	errors, ok := err.(errcode.Errors)
+	if !ok || len(errors) == 0 {
+		return false
+	}
+	ec, ok := errors[0].(errcode.ErrorCoder)
+	if !ok {
+		return false
+	}
+	// ErrorCodeManifestInvalid is returned by OpenShift with acceptschema2=false.
+	// ErrorCodeTagInvalid is returned by docker/distribution (at least as of commit ec87e9b6971d831f0eff752ddb54fb64693e51cd)
+	// when uploading to a tag (because it can’t find a matching tag inside the manifest)
+	return ec.ErrorCode() == v2.ErrorCodeManifestInvalid || ec.ErrorCode() == v2.ErrorCodeTagInvalid
+}
+
 func (d *dockerImageDestination) PutSignatures(signatures [][]byte) error {
+	// Do not fail if we don’t really need to support signatures.
+	if len(signatures) == 0 {
+		return nil
+	}
+	if err := d.c.detectProperties(context.TODO()); err != nil {
+		return err
+	}
+	switch {
+	case d.c.signatureBase != nil:
+		return d.putSignaturesToLookaside(signatures)
+	case d.c.supportsSignatures:
+		return d.putSignaturesToAPIExtension(signatures)
+	default:
+		return errors.Errorf("X-Registry-Supports-Signatures extension not supported, and lookaside is not configured")
+	}
+}
+
+// putSignaturesToLookaside implements PutSignatures() from the lookaside location configured in s.c.signatureBase,
+// which is not nil.
+func (d *dockerImageDestination) putSignaturesToLookaside(signatures [][]byte) error {
 	// FIXME? This overwrites files one at a time, definitely not atomic.
 	// A failure when updating signatures with a reordered copy could lose some of them.

@@ -205,19 +290,17 @@ func (d *dockerImageDestination) PutSignatures(signatures [][]byte) error {
 	if len(signatures) == 0 {
 		return nil
 	}
-	if d.c.signatureBase == nil {
-		return fmt.Errorf("Pushing signatures to a Docker Registry is not supported, and there is no applicable signature storage configured")
-	}

-	// FIXME: This assumption that signatures are stored after the manifest rather breaks the model.
 	if d.manifestDigest.String() == "" {
-		return fmt.Errorf("Unknown manifest digest, can't add signatures")
+		// This shouldn’t happen, ImageDestination users are required to call PutManifest before PutSignatures
+		return errors.Errorf("Unknown manifest digest, can't add signatures")
 	}

+	// NOTE: Keep this in sync with docs/signature-protocols.md!
 	for i, signature := range signatures {
 		url := signatureStorageURL(d.c.signatureBase, d.manifestDigest, i)
 		if url == nil {
-			return fmt.Errorf("Internal error: signatureStorageURL with non-nil base returned nil")
+			return errors.Errorf("Internal error: signatureStorageURL with non-nil base returned nil")
 		}
 		err := d.putOneSignature(url, signature)
 		if err != nil {
@@ -232,7 +315,7 @@ func (d *dockerImageDestination) PutSignatures(signatures [][]byte) error {
 	for i := len(signatures); ; i++ {
 		url := signatureStorageURL(d.c.signatureBase, d.manifestDigest, i)
 		if url == nil {
-			return fmt.Errorf("Internal error: signatureStorageURL with non-nil base returned nil")
+			return errors.Errorf("Internal error: signatureStorageURL with non-nil base returned nil")
 		}
 		missing, err := d.c.deleteOneSignature(url)
 		if err != nil {
@@ -247,6 +330,7 @@ func (d *dockerImageDestination) PutSignatures(signatures [][]byte) error {
 }

 // putOneSignature stores one signature to url.
+// NOTE: Keep this in sync with docs/signature-protocols.md!
 func (d *dockerImageDestination) putOneSignature(url *url.URL, signature []byte) error {
 	switch url.Scheme {
 	case "file":
@@ -262,14 +346,15 @@ func (d *dockerImageDestination) putOneSignature(url *url.URL, signature []byte)
 		return nil

 	case "http", "https":
-		return fmt.Errorf("Writing directly to a %s sigstore %s is not supported. Configure a sigstore-staging: location", url.Scheme, url.String())
+		return errors.Errorf("Writing directly to a %s sigstore %s is not supported. Configure a sigstore-staging: location", url.Scheme, url.String())
 	default:
-		return fmt.Errorf("Unsupported scheme when writing signature to %s", url.String())
+		return errors.Errorf("Unsupported scheme when writing signature to %s", url.String())
 	}
 }

 // deleteOneSignature deletes a signature from url, if it exists.
 // If it successfully determines that the signature does not exist, returns (true, nil)
+// NOTE: Keep this in sync with docs/signature-protocols.md!
 func (c *dockerClient) deleteOneSignature(url *url.URL) (missing bool, err error) {
 	switch url.Scheme {
 	case "file":
@@ -281,12 +366,88 @@ func (c *dockerClient) deleteOneSignature(url *url.URL) (missing bool, err error
 		return false, err

 	case "http", "https":
-		return false, fmt.Errorf("Writing directly to a %s sigstore %s is not supported. Configure a sigstore-staging: location", url.Scheme, url.String())
+		return false, errors.Errorf("Writing directly to a %s sigstore %s is not supported. Configure a sigstore-staging: location", url.Scheme, url.String())
 	default:
-		return false, fmt.Errorf("Unsupported scheme when deleting signature from %s", url.String())
+		return false, errors.Errorf("Unsupported scheme when deleting signature from %s", url.String())
 	}
 }

+// putSignaturesToAPIExtension implements PutSignatures() using the X-Registry-Supports-Signatures API extension.
+func (d *dockerImageDestination) putSignaturesToAPIExtension(signatures [][]byte) error {
+	// Skip dealing with the manifest digest, or reading the old state, if not necessary.
+	if len(signatures) == 0 {
+		return nil
+	}
+
+	if d.manifestDigest.String() == "" {
+		// This shouldn’t happen, ImageDestination users are required to call PutManifest before PutSignatures
+		return errors.Errorf("Unknown manifest digest, can't add signatures")
+	}
+
+	// Because image signatures are a shared resource in Atomic Registry, the default upload
+	// always adds signatures.  Eventually we should also allow removing signatures,
+	// but the X-Registry-Supports-Signatures API extension does not support that yet.
+
+	existingSignatures, err := d.c.getExtensionsSignatures(context.TODO(), d.ref, d.manifestDigest)
+	if err != nil {
+		return err
+	}
+	existingSigNames := map[string]struct{}{}
+	for _, sig := range existingSignatures.Signatures {
+		existingSigNames[sig.Name] = struct{}{}
+	}
+
+sigExists:
+	for _, newSig := range signatures {
+		for _, existingSig := range existingSignatures.Signatures {
+			if existingSig.Version == extensionSignatureSchemaVersion && existingSig.Type == extensionSignatureTypeAtomic && bytes.Equal(existingSig.Content, newSig) {
+				continue sigExists
+			}
+		}
+
+		// The API expect us to invent a new unique name. This is racy, but hopefully good enough.
+		var signatureName string
+		for {
+			randBytes := make([]byte, 16)
+			n, err := rand.Read(randBytes)
+			if err != nil || n != 16 {
+				return errors.Wrapf(err, "Error generating random signature len %d", n)
+			}
+			signatureName = fmt.Sprintf("%s@%032x", d.manifestDigest.String(), randBytes)
+			if _, ok := existingSigNames[signatureName]; !ok {
+				break
+			}
+		}
+		sig := extensionSignature{
+			Version: extensionSignatureSchemaVersion,
+			Name:    signatureName,
+			Type:    extensionSignatureTypeAtomic,
+			Content: newSig,
+		}
+		body, err := json.Marshal(sig)
+		if err != nil {
+			return err
+		}
+
+		path := fmt.Sprintf(extensionsSignaturePath, reference.Path(d.ref.ref), d.manifestDigest.String())
+		res, err := d.c.makeRequest(context.TODO(), "PUT", path, nil, bytes.NewReader(body))
+		if err != nil {
+			return err
+		}
+		defer res.Body.Close()
+		if res.StatusCode != http.StatusCreated {
+			body, err := ioutil.ReadAll(res.Body)
+			if err == nil {
+				logrus.Debugf("Error body %s", string(body))
+			}
+			logrus.Debugf("Error uploading signature, status %d, %#v", res.StatusCode, res)
+			return errors.Errorf("Error uploading signature to %s, status %d", path, res.StatusCode)
+		}
+	}
+
+	return nil
+}
+
 // Commit marks the process of storing the image as successful and asks for the image to be persisted.
 // WARNING: This does not have any transactional semantics:
 // - Uploaded data MAY be visible to others before Commit() is called
--- a/vendor/github.com/containers/image/docker/docker_image_src.go
+++ b/vendor/github.com/containers/image/docker/docker_image_src.go
@@ -1,6 +1,7 @@
 package docker

 import (
+	"context"
 	"fmt"
 	"io"
 	"io/ioutil"
@@ -10,38 +11,33 @@ import (
 	"os"
 	"strconv"

-	"github.com/Sirupsen/logrus"
+	"github.com/containers/image/docker/reference"
 	"github.com/containers/image/manifest"
 	"github.com/containers/image/types"
-	"github.com/docker/distribution/digest"
 	"github.com/docker/distribution/registry/client"
+	"github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 )

 type dockerImageSource struct {
-	ref                        dockerReference
-	requestedManifestMIMETypes []string
-	c                          *dockerClient
+	ref dockerReference
+	c   *dockerClient
 	// State
 	cachedManifest         []byte // nil if not loaded yet
 	cachedManifestMIMEType string // Only valid if cachedManifest != nil
 }

-// newImageSource creates a new ImageSource for the specified image reference,
-// asking the backend to use a manifest from requestedManifestMIMETypes if possible.
-// nil requestedManifestMIMETypes means manifest.DefaultRequestedManifestMIMETypes.
+// newImageSource creates a new ImageSource for the specified image reference.
 // The caller must call .Close() on the returned ImageSource.
-func newImageSource(ctx *types.SystemContext, ref dockerReference, requestedManifestMIMETypes []string) (*dockerImageSource, error) {
-	c, err := newDockerClient(ctx, ref, false)
+func newImageSource(ctx *types.SystemContext, ref dockerReference) (*dockerImageSource, error) {
+	c, err := newDockerClientFromRef(ctx, ref, false, "pull")
 	if err != nil {
 		return nil, err
 	}
-	if requestedManifestMIMETypes == nil {
-		requestedManifestMIMETypes = manifest.DefaultRequestedManifestMIMETypes
-	}
 	return &dockerImageSource{
 		ref: ref,
-		requestedManifestMIMETypes: requestedManifestMIMETypes,
-		c: c,
+		c:   c,
 	}, nil
 }

@@ -52,7 +48,8 @@ func (s *dockerImageSource) Reference() types.ImageReference {
 }

 // Close removes resources associated with an initialized ImageSource, if any.
-func (s *dockerImageSource) Close() {
+func (s *dockerImageSource) Close() error {
+	return nil
 }

 // simplifyContentType drops parameters from a HTTP media type (see https://tools.ietf.org/html/rfc7231#section-3.1.1.1)
@@ -71,18 +68,18 @@ func simplifyContentType(contentType string) string {
 // GetManifest returns the image's manifest along with its MIME type (which may be empty when it can't be determined but the manifest is available).
 // It may use a remote (= slow) service.
 func (s *dockerImageSource) GetManifest() ([]byte, string, error) {
-	err := s.ensureManifestIsLoaded()
+	err := s.ensureManifestIsLoaded(context.TODO())
 	if err != nil {
 		return nil, "", err
 	}
 	return s.cachedManifest, s.cachedManifestMIMEType, nil
 }

-func (s *dockerImageSource) fetchManifest(tagOrDigest string) ([]byte, string, error) {
-	url := fmt.Sprintf(manifestURL, s.ref.ref.RemoteName(), tagOrDigest)
+func (s *dockerImageSource) fetchManifest(ctx context.Context, tagOrDigest string) ([]byte, string, error) {
+	path := fmt.Sprintf(manifestPath, reference.Path(s.ref.ref), tagOrDigest)
 	headers := make(map[string][]string)
-	headers["Accept"] = s.requestedManifestMIMETypes
-	res, err := s.c.makeRequest("GET", url, headers, nil)
+	headers["Accept"] = manifest.DefaultRequestedManifestMIMETypes
+	res, err := s.c.makeRequest(ctx, "GET", path, headers, nil)
 	if err != nil {
 		return nil, "", err
 	}
@@ -100,7 +97,7 @@ func (s *dockerImageSource) fetchManifest(tagOrDigest string) ([]byte, string, e
 // GetTargetManifest returns an image's manifest given a digest.
 // This is mainly used to retrieve a single image's manifest out of a manifest list.
 func (s *dockerImageSource) GetTargetManifest(digest digest.Digest) ([]byte, string, error) {
-	return s.fetchManifest(digest.String())
+	return s.fetchManifest(context.TODO(), digest.String())
 }

 // ensureManifestIsLoaded sets s.cachedManifest and s.cachedManifestMIMEType
@@ -110,7 +107,7 @@ func (s *dockerImageSource) GetTargetManifest(digest digest.Digest) ([]byte, str
 // we need to ensure that the digest of the manifest returned by GetManifest
 // and used by GetSignatures are consistent, otherwise we would get spurious
 // signature verification failures when pulling while a tag is being updated.
-func (s *dockerImageSource) ensureManifestIsLoaded() error {
+func (s *dockerImageSource) ensureManifestIsLoaded(ctx context.Context) error {
 	if s.cachedManifest != nil {
 		return nil
 	}
@@ -120,7 +117,7 @@ func (s *dockerImageSource) ensureManifestIsLoaded() error {
 		return err
 	}

-	manblob, mt, err := s.fetchManifest(reference)
+	manblob, mt, err := s.fetchManifest(ctx, reference)
 	if err != nil {
 		return err
 	}
@@ -136,13 +133,14 @@ func (s *dockerImageSource) getExternalBlob(urls []string) (io.ReadCloser, int64
 		err  error
 	)
 	for _, url := range urls {
-		resp, err = s.c.makeRequestToResolvedURL("GET", url, nil, nil, -1, false)
+		resp, err = s.c.makeRequestToResolvedURL(context.TODO(), "GET", url, nil, nil, -1, false)
 		if err == nil {
 			if resp.StatusCode != http.StatusOK {
-				err = fmt.Errorf("error fetching external blob from %q: %d", url, resp.StatusCode)
+				err = errors.Errorf("error fetching external blob from %q: %d", url, resp.StatusCode)
 				logrus.Debug(err)
 				continue
 			}
+			break
 		}
 	}
 	if resp.Body != nil && err == nil {
@@ -165,39 +163,63 @@ func (s *dockerImageSource) GetBlob(info types.BlobInfo) (io.ReadCloser, int64,
 		return s.getExternalBlob(info.URLs)
 	}

-	url := fmt.Sprintf(blobsURL, s.ref.ref.RemoteName(), info.Digest.String())
-	logrus.Debugf("Downloading %s", url)
-	res, err := s.c.makeRequest("GET", url, nil, nil)
+	path := fmt.Sprintf(blobsPath, reference.Path(s.ref.ref), info.Digest.String())
+	logrus.Debugf("Downloading %s", path)
+	res, err := s.c.makeRequest(context.TODO(), "GET", path, nil, nil)
 	if err != nil {
 		return nil, 0, err
 	}
 	if res.StatusCode != http.StatusOK {
 		// print url also
-		return nil, 0, fmt.Errorf("Invalid status code returned when fetching blob %d", res.StatusCode)
+		return nil, 0, errors.Errorf("Invalid status code returned when fetching blob %d", res.StatusCode)
 	}
 	return res.Body, getBlobSize(res), nil
 }

-func (s *dockerImageSource) GetSignatures() ([][]byte, error) {
-	if s.c.signatureBase == nil { // Skip dealing with the manifest digest if not necessary.
-		return [][]byte{}, nil
-	}
-
-	if err := s.ensureManifestIsLoaded(); err != nil {
+func (s *dockerImageSource) GetSignatures(ctx context.Context) ([][]byte, error) {
+	if err := s.c.detectProperties(ctx); err != nil {
 		return nil, err
 	}
-	manifestDigest, err := manifest.Digest(s.cachedManifest)
+	switch {
+	case s.c.signatureBase != nil:
+		return s.getSignaturesFromLookaside(ctx)
+	case s.c.supportsSignatures:
+		return s.getSignaturesFromAPIExtension(ctx)
+	default:
+		return [][]byte{}, nil
+	}
+}
+
+// manifestDigest returns a digest of the manifest, either from the supplied reference or from a fetched manifest.
+func (s *dockerImageSource) manifestDigest(ctx context.Context) (digest.Digest, error) {
+	if digested, ok := s.ref.ref.(reference.Digested); ok {
+		d := digested.Digest()
+		if d.Algorithm() == digest.Canonical {
+			return d, nil
+		}
+	}
+	if err := s.ensureManifestIsLoaded(ctx); err != nil {
+		return "", err
+	}
+	return manifest.Digest(s.cachedManifest)
+}
+
+// getSignaturesFromLookaside implements GetSignatures() from the lookaside location configured in s.c.signatureBase,
+// which is not nil.
+func (s *dockerImageSource) getSignaturesFromLookaside(ctx context.Context) ([][]byte, error) {
+	manifestDigest, err := s.manifestDigest(ctx)
 	if err != nil {
 		return nil, err
 	}

+	// NOTE: Keep this in sync with docs/signature-protocols.md!
 	signatures := [][]byte{}
 	for i := 0; ; i++ {
 		url := signatureStorageURL(s.c.signatureBase, manifestDigest, i)
 		if url == nil {
-			return nil, fmt.Errorf("Internal error: signatureStorageURL with non-nil base returned nil")
+			return nil, errors.Errorf("Internal error: signatureStorageURL with non-nil base returned nil")
 		}
-		signature, missing, err := s.getOneSignature(url)
+		signature, missing, err := s.getOneSignature(ctx, url)
 		if err != nil {
 			return nil, err
 		}
@@ -211,7 +233,8 @@ func (s *dockerImageSource) GetSignatures() ([][]byte, error) {

 // getOneSignature downloads one signature from url.
 // If it successfully determines that the signature does not exist, returns with missing set to true and error set to nil.
-func (s *dockerImageSource) getOneSignature(url *url.URL) (signature []byte, missing bool, err error) {
+// NOTE: Keep this in sync with docs/signature-protocols.md!
+func (s *dockerImageSource) getOneSignature(ctx context.Context, url *url.URL) (signature []byte, missing bool, err error) {
 	switch url.Scheme {
 	case "file":
 		logrus.Debugf("Reading %s", url.Path)
@@ -226,7 +249,12 @@ func (s *dockerImageSource) getOneSignature(url *url.URL) (signature []byte, mis

 	case "http", "https":
 		logrus.Debugf("GET %s", url)
-		res, err := s.c.client.Get(url.String())
+		req, err := http.NewRequest("GET", url.String(), nil)
+		if err != nil {
+			return nil, false, err
+		}
+		req = req.WithContext(ctx)
+		res, err := s.c.client.Do(req)
 		if err != nil {
 			return nil, false, err
 		}
@@ -234,7 +262,7 @@ func (s *dockerImageSource) getOneSignature(url *url.URL) (signature []byte, mis
 		if res.StatusCode == http.StatusNotFound {
 			return nil, true, nil
 		} else if res.StatusCode != http.StatusOK {
-			return nil, false, fmt.Errorf("Error reading signature from %s: status %d", url.String(), res.StatusCode)
+			return nil, false, errors.Errorf("Error reading signature from %s: status %d", url.String(), res.StatusCode)
 		}
 		sig, err := ioutil.ReadAll(res.Body)
 		if err != nil {
@@ -243,13 +271,34 @@ func (s *dockerImageSource) getOneSignature(url *url.URL) (signature []byte, mis
 		return sig, false, nil

 	default:
-		return nil, false, fmt.Errorf("Unsupported scheme when reading signature from %s", url.String())
+		return nil, false, errors.Errorf("Unsupported scheme when reading signature from %s", url.String())
 	}
 }

+// getSignaturesFromAPIExtension implements GetSignatures() using the X-Registry-Supports-Signatures API extension.
+func (s *dockerImageSource) getSignaturesFromAPIExtension(ctx context.Context) ([][]byte, error) {
+	manifestDigest, err := s.manifestDigest(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	parsedBody, err := s.c.getExtensionsSignatures(ctx, s.ref, manifestDigest)
+	if err != nil {
+		return nil, err
+	}
+
+	var sigs [][]byte
+	for _, sig := range parsedBody.Signatures {
+		if sig.Version == extensionSignatureSchemaVersion && sig.Type == extensionSignatureTypeAtomic {
+			sigs = append(sigs, sig.Content)
+		}
+	}
+	return sigs, nil
+}
+
 // deleteImage deletes the named image from the registry, if supported.
 func deleteImage(ctx *types.SystemContext, ref dockerReference) error {
-	c, err := newDockerClient(ctx, ref, true)
+	c, err := newDockerClientFromRef(ctx, ref, true, "push")
 	if err != nil {
 		return err
 	}
@@ -259,12 +308,12 @@ func deleteImage(ctx *types.SystemContext, ref dockerReference) error {
 	headers := make(map[string][]string)
 	headers["Accept"] = []string{manifest.DockerV2Schema2MediaType}

-	reference, err := ref.tagOrDigest()
+	refTail, err := ref.tagOrDigest()
 	if err != nil {
 		return err
 	}
-	getURL := fmt.Sprintf(manifestURL, ref.ref.RemoteName(), reference)
-	get, err := c.makeRequest("GET", getURL, headers, nil)
+	getPath := fmt.Sprintf(manifestPath, reference.Path(ref.ref), refTail)
+	get, err := c.makeRequest(context.TODO(), "GET", getPath, headers, nil)
 	if err != nil {
 		return err
 	}
@@ -276,17 +325,17 @@ func deleteImage(ctx *types.SystemContext, ref dockerReference) error {
 	switch get.StatusCode {
 	case http.StatusOK:
 	case http.StatusNotFound:
-		return fmt.Errorf("Unable to delete %v. Image may not exist or is not stored with a v2 Schema in a v2 registry", ref.ref)
+		return errors.Errorf("Unable to delete %v. Image may not exist or is not stored with a v2 Schema in a v2 registry", ref.ref)
 	default:
-		return fmt.Errorf("Failed to delete %v: %s (%v)", ref.ref, manifestBody, get.Status)
+		return errors.Errorf("Failed to delete %v: %s (%v)", ref.ref, manifestBody, get.Status)
 	}

 	digest := get.Header.Get("Docker-Content-Digest")
-	deleteURL := fmt.Sprintf(manifestURL, ref.ref.RemoteName(), digest)
+	deletePath := fmt.Sprintf(manifestPath, reference.Path(ref.ref), digest)

 	// When retrieving the digest from a registry >= 2.3 use the following header:
 	//   "Accept": "application/vnd.docker.distribution.manifest.v2+json"
-	delete, err := c.makeRequest("DELETE", deleteURL, headers, nil)
+	delete, err := c.makeRequest(context.TODO(), "DELETE", deletePath, headers, nil)
 	if err != nil {
 		return err
 	}
@@ -297,7 +346,7 @@ func deleteImage(ctx *types.SystemContext, ref dockerReference) error {
 		return err
 	}
 	if delete.StatusCode != http.StatusAccepted {
-		return fmt.Errorf("Failed to delete %v: %s (%v)", deleteURL, string(body), delete.Status)
+		return errors.Errorf("Failed to delete %v: %s (%v)", deletePath, string(body), delete.Status)
 	}

 	if c.signatureBase != nil {
@@ -309,7 +358,7 @@ func deleteImage(ctx *types.SystemContext, ref dockerReference) error {
 		for i := 0; ; i++ {
 			url := signatureStorageURL(c.signatureBase, manifestDigest, i)
 			if url == nil {
-				return fmt.Errorf("Internal error: signatureStorageURL with non-nil base returned nil")
+				return errors.Errorf("Internal error: signatureStorageURL with non-nil base returned nil")
 			}
 			missing, err := c.deleteOneSignature(url)
 			if err != nil {
--- a/vendor/github.com/containers/image/docker/docker_transport.go
+++ b/vendor/github.com/containers/image/docker/docker_transport.go
@@ -6,9 +6,15 @@ import (

 	"github.com/containers/image/docker/policyconfiguration"
 	"github.com/containers/image/docker/reference"
+	"github.com/containers/image/transports"
 	"github.com/containers/image/types"
+	"github.com/pkg/errors"
 )

+func init() {
+	transports.Register(Transport)
+}
+
 // Transport is an ImageTransport for Docker registry-hosted images.
 var Transport = dockerTransport{}

@@ -42,29 +48,30 @@ type dockerReference struct {
 // ParseReference converts a string, which should not start with the ImageTransport.Name prefix, into an Docker ImageReference.
 func ParseReference(refString string) (types.ImageReference, error) {
 	if !strings.HasPrefix(refString, "//") {
-		return nil, fmt.Errorf("docker: image reference %s does not start with //", refString)
+		return nil, errors.Errorf("docker: image reference %s does not start with //", refString)
 	}
-	ref, err := reference.ParseNamed(strings.TrimPrefix(refString, "//"))
+	ref, err := reference.ParseNormalizedNamed(strings.TrimPrefix(refString, "//"))
 	if err != nil {
 		return nil, err
 	}
-	ref = reference.WithDefaultTag(ref)
+	ref = reference.TagNameOnly(ref)
 	return NewReference(ref)
 }

 // NewReference returns a Docker reference for a named reference. The reference must satisfy !reference.IsNameOnly().
 func NewReference(ref reference.Named) (types.ImageReference, error) {
 	if reference.IsNameOnly(ref) {
-		return nil, fmt.Errorf("Docker reference %s has neither a tag nor a digest", ref.String())
+		return nil, errors.Errorf("Docker reference %s has neither a tag nor a digest", reference.FamiliarString(ref))
 	}
 	// A github.com/distribution/reference value can have a tag and a digest at the same time!
-	// docker/reference does not handle that, so fail.
+	// The docker/distribution API does not really support that (we can’t ask for an image with a specific
+	// tag and digest), so fail.  This MAY be accepted in the future.
 	// (Even if it were supported, the semantics of policy namespaces are unclear - should we drop
 	// the tag or the digest first?)
 	_, isTagged := ref.(reference.NamedTagged)
 	_, isDigested := ref.(reference.Canonical)
 	if isTagged && isDigested {
-		return nil, fmt.Errorf("Docker references with both a tag and digest are currently not supported")
+		return nil, errors.Errorf("Docker references with both a tag and digest are currently not supported")
 	}
 	return dockerReference{
 		ref: ref,
@@ -81,7 +88,7 @@ func (ref dockerReference) Transport() types.ImageTransport {
 // e.g. default attribute values omitted by the user may be filled in in the return value, or vice versa.
 // WARNING: Do not use the return value in the UI to describe an image, it does not contain the Transport().Name() prefix.
 func (ref dockerReference) StringWithinTransport() string {
-	return "//" + ref.ref.String()
+	return "//" + reference.FamiliarString(ref.ref)
 }

 // DockerReference returns a Docker reference associated with this reference
@@ -123,12 +130,10 @@ func (ref dockerReference) NewImage(ctx *types.SystemContext) (types.Image, erro
 	return newImage(ctx, ref)
 }

-// NewImageSource returns a types.ImageSource for this reference,
-// asking the backend to use a manifest from requestedManifestMIMETypes if possible.
-// nil requestedManifestMIMETypes means manifest.DefaultRequestedManifestMIMETypes.
+// NewImageSource returns a types.ImageSource for this reference.
 // The caller must call .Close() on the returned ImageSource.
-func (ref dockerReference) NewImageSource(ctx *types.SystemContext, requestedManifestMIMETypes []string) (types.ImageSource, error) {
-	return newImageSource(ctx, ref, requestedManifestMIMETypes)
+func (ref dockerReference) NewImageSource(ctx *types.SystemContext) (types.ImageSource, error) {
+	return newImageSource(ctx, ref)
 }

 // NewImageDestination returns a types.ImageDestination for this reference.
@@ -151,5 +156,5 @@ func (ref dockerReference) tagOrDigest() (string, error) {
 		return ref.Tag(), nil
 	}
 	// This should not happen, NewReference above refuses reference.IsNameOnly values.
-	return "", fmt.Errorf("Internal inconsistency: Reference %s unexpectedly has neither a digest nor a tag", ref.ref.String())
+	return "", errors.Errorf("Internal inconsistency: Reference %s unexpectedly has neither a digest nor a tag", reference.FamiliarString(ref.ref))
 }
--- a/vendor/github.com/containers/image/docker/lookaside.go
+++ b/vendor/github.com/containers/image/docker/lookaside.go
@@ -9,11 +9,12 @@ import (
 	"path/filepath"
 	"strings"

-	"github.com/docker/distribution/digest"
-	"github.com/ghodss/yaml"
-
-	"github.com/Sirupsen/logrus"
+	"github.com/containers/image/docker/reference"
 	"github.com/containers/image/types"
+	"github.com/ghodss/yaml"
+	"github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 )

 // systemRegistriesDirPath is the path to registries.d, used for locating lookaside Docker signature storage.
@@ -60,12 +61,13 @@ func configuredSignatureStorageBase(ctx *types.SystemContext, ref dockerReferenc

 	url, err := url.Parse(topLevel)
 	if err != nil {
-		return nil, fmt.Errorf("Invalid signature storage URL %s: %v", topLevel, err)
+		return nil, errors.Wrapf(err, "Invalid signature storage URL %s", topLevel)
 	}
+	// NOTE: Keep this in sync with docs/signature-protocols.md!
 	// FIXME? Restrict to explicitly supported schemes?
-	repo := ref.ref.FullName()    // Note that this is without a tag or digest.
-	if path.Clean(repo) != repo { // Coverage: This should not be reachable because /./ and /../ components are not valid in docker references
-		return nil, fmt.Errorf("Unexpected path elements in Docker reference %s for signature storage", ref.ref.String())
+	repo := reference.Path(ref.ref) // Note that this is without a tag or digest.
+	if path.Clean(repo) != repo {   // Coverage: This should not be reachable because /./ and /../ components are not valid in docker references
+		return nil, errors.Errorf("Unexpected path elements in Docker reference %s for signature storage", ref.ref.String())
 	}
 	url.Path = url.Path + "/" + repo
 	return url, nil
@@ -114,12 +116,12 @@ func loadAndMergeConfig(dirPath string) (*registryConfiguration, error) {
 		var config registryConfiguration
 		err = yaml.Unmarshal(configBytes, &config)
 		if err != nil {
-			return nil, fmt.Errorf("Error parsing %s: %v", configPath, err)
+			return nil, errors.Wrapf(err, "Error parsing %s", configPath)
 		}

 		if config.DefaultDocker != nil {
 			if mergedConfig.DefaultDocker != nil {
-				return nil, fmt.Errorf(`Error parsing signature storage configuration: "default-docker" defined both in "%s" and "%s"`,
+				return nil, errors.Errorf(`Error parsing signature storage configuration: "default-docker" defined both in "%s" and "%s"`,
 					dockerDefaultMergedFrom, configPath)
 			}
 			mergedConfig.DefaultDocker = config.DefaultDocker
@@ -128,7 +130,7 @@ func loadAndMergeConfig(dirPath string) (*registryConfiguration, error) {

 		for nsName, nsConfig := range config.Docker { // includes config.Docker == nil
 			if _, ok := mergedConfig.Docker[nsName]; ok {
-				return nil, fmt.Errorf(`Error parsing signature storage configuration: "docker" namespace "%s" defined both in "%s" and "%s"`,
+				return nil, errors.Errorf(`Error parsing signature storage configuration: "docker" namespace "%s" defined both in "%s" and "%s"`,
 					nsName, nsMergedFrom[nsName], configPath)
 			}
 			mergedConfig.Docker[nsName] = nsConfig
@@ -189,11 +191,12 @@ func (ns registryNamespace) signatureTopLevel(write bool) string {

 // signatureStorageURL returns an URL usable for acessing signature index in base with known manifestDigest, or nil if not applicable.
 // Returns nil iff base == nil.
+// NOTE: Keep this in sync with docs/signature-protocols.md!
 func signatureStorageURL(base signatureStorageBase, manifestDigest digest.Digest, index int) *url.URL {
 	if base == nil {
 		return nil
 	}
 	url := *base
-	url.Path = fmt.Sprintf("%s@%s/signature-%d", url.Path, manifestDigest.String(), index+1)
+	url.Path = fmt.Sprintf("%s@%s=%s/signature-%d", url.Path, manifestDigest.Algorithm(), manifestDigest.Hex(), index+1)
 	return &url
 }
--- a/vendor/github.com/containers/image/docker/policyconfiguration/naming.go
+++ b/vendor/github.com/containers/image/docker/policyconfiguration/naming.go
@@ -1,25 +1,24 @@
 package policyconfiguration

 import (
-	"errors"
-	"fmt"
 	"strings"

 	"github.com/containers/image/docker/reference"
+	"github.com/pkg/errors"
 )

 // DockerReferenceIdentity returns a string representation of the reference, suitable for policy lookup,
 // as a backend for ImageReference.PolicyConfigurationIdentity.
 // The reference must satisfy !reference.IsNameOnly().
 func DockerReferenceIdentity(ref reference.Named) (string, error) {
-	res := ref.FullName()
+	res := ref.Name()
 	tagged, isTagged := ref.(reference.NamedTagged)
 	digested, isDigested := ref.(reference.Canonical)
 	switch {
-	case isTagged && isDigested: // This should not happen, docker/reference.ParseNamed drops the tag.
-		return "", fmt.Errorf("Unexpected Docker reference %s with both a name and a digest", ref.String())
+	case isTagged && isDigested: // Note that this CAN actually happen.
+		return "", errors.Errorf("Unexpected Docker reference %s with both a name and a digest", reference.FamiliarString(ref))
 	case !isTagged && !isDigested: // This should not happen, the caller is expected to ensure !reference.IsNameOnly()
-		return "", fmt.Errorf("Internal inconsistency: Docker reference %s with neither a tag nor a digest", ref.String())
+		return "", errors.Errorf("Internal inconsistency: Docker reference %s with neither a tag nor a digest", reference.FamiliarString(ref))
 	case isTagged:
 		res = res + ":" + tagged.Tag()
 	case isDigested:
@@ -43,7 +42,7 @@ func DockerReferenceNamespaces(ref reference.Named) []string {
 	// ref.FullName() == ref.Hostname() + "/" + ref.RemoteName(), so the last
 	// iteration matches the host name (for any namespace).
 	res := []string{}
-	name := ref.FullName()
+	name := ref.Name()
 	for {
 		res = append(res, name)

--- a/vendor/github.com/containers/image/docker/reference/README.md
+++ b/vendor/github.com/containers/image/docker/reference/README.md
@@ -0,0 +1,2 @@
+This is a copy of github.com/docker/distribution/reference as of commit fb0bebc4b64e3881cc52a2478d749845ed76d2a8,
+except that ParseAnyReferenceWithSet has been removed to drop the dependency on github.com/docker/distribution/digestset.
--- a/vendor/github.com/containers/image/docker/reference/doc.go
+++ b/vendor/github.com/containers/image/docker/reference/doc.go
@@ -1,6 +0,0 @@
-// Package reference is a fork of the upstream docker/docker/reference package.
-// The package is forked because we need consistency especially when storing and
-// checking signatures (RH patches break this consistency because they modify
-// docker/docker/reference as part of a patch carried in projectatomic/docker).
-// The version of this package is v1.12.1 from upstream, update as necessary.
-package reference
--- a/vendor/github.com/containers/image/docker/reference/helpers.go
+++ b/vendor/github.com/containers/image/docker/reference/helpers.go
@@ -0,0 +1,42 @@
+package reference
+
+import "path"
+
+// IsNameOnly returns true if reference only contains a repo name.
+func IsNameOnly(ref Named) bool {
+	if _, ok := ref.(NamedTagged); ok {
+		return false
+	}
+	if _, ok := ref.(Canonical); ok {
+		return false
+	}
+	return true
+}
+
+// FamiliarName returns the familiar name string
+// for the given named, familiarizing if needed.
+func FamiliarName(ref Named) string {
+	if nn, ok := ref.(normalizedNamed); ok {
+		return nn.Familiar().Name()
+	}
+	return ref.Name()
+}
+
+// FamiliarString returns the familiar string representation
+// for the given reference, familiarizing if needed.
+func FamiliarString(ref Reference) string {
+	if nn, ok := ref.(normalizedNamed); ok {
+		return nn.Familiar().String()
+	}
+	return ref.String()
+}
+
+// FamiliarMatch reports whether ref matches the specified pattern.
+// See https://godoc.org/path#Match for supported patterns.
+func FamiliarMatch(pattern string, ref Reference) (bool, error) {
+	matched, err := path.Match(pattern, FamiliarString(ref))
+	if namedRef, isNamed := ref.(Named); isNamed && !matched {
+		matched, _ = path.Match(pattern, FamiliarName(namedRef))
+	}
+	return matched, err
+}
--- a/vendor/github.com/containers/image/docker/reference/normalize.go
+++ b/vendor/github.com/containers/image/docker/reference/normalize.go
@@ -0,0 +1,152 @@
+package reference
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+
+	"github.com/opencontainers/go-digest"
+)
+
+var (
+	legacyDefaultDomain = "index.docker.io"
+	defaultDomain       = "docker.io"
+	officialRepoName    = "library"
+	defaultTag          = "latest"
+)
+
+// normalizedNamed represents a name which has been
+// normalized and has a familiar form. A familiar name
+// is what is used in Docker UI. An example normalized
+// name is "docker.io/library/ubuntu" and corresponding
+// familiar name of "ubuntu".
+type normalizedNamed interface {
+	Named
+	Familiar() Named
+}
+
+// ParseNormalizedNamed parses a string into a named reference
+// transforming a familiar name from Docker UI to a fully
+// qualified reference. If the value may be an identifier
+// use ParseAnyReference.
+func ParseNormalizedNamed(s string) (Named, error) {
+	if ok := anchoredIdentifierRegexp.MatchString(s); ok {
+		return nil, fmt.Errorf("invalid repository name (%s), cannot specify 64-byte hexadecimal strings", s)
+	}
+	domain, remainder := splitDockerDomain(s)
+	var remoteName string
+	if tagSep := strings.IndexRune(remainder, ':'); tagSep > -1 {
+		remoteName = remainder[:tagSep]
+	} else {
+		remoteName = remainder
+	}
+	if strings.ToLower(remoteName) != remoteName {
+		return nil, errors.New("invalid reference format: repository name must be lowercase")
+	}
+
+	ref, err := Parse(domain + "/" + remainder)
+	if err != nil {
+		return nil, err
+	}
+	named, isNamed := ref.(Named)
+	if !isNamed {
+		return nil, fmt.Errorf("reference %s has no name", ref.String())
+	}
+	return named, nil
+}
+
+// splitDockerDomain splits a repository name to domain and remotename string.
+// If no valid domain is found, the default domain is used. Repository name
+// needs to be already validated before.
+func splitDockerDomain(name string) (domain, remainder string) {
+	i := strings.IndexRune(name, '/')
+	if i == -1 || (!strings.ContainsAny(name[:i], ".:") && name[:i] != "localhost") {
+		domain, remainder = defaultDomain, name
+	} else {
+		domain, remainder = name[:i], name[i+1:]
+	}
+	if domain == legacyDefaultDomain {
+		domain = defaultDomain
+	}
+	if domain == defaultDomain && !strings.ContainsRune(remainder, '/') {
+		remainder = officialRepoName + "/" + remainder
+	}
+	return
+}
+
+// familiarizeName returns a shortened version of the name familiar
+// to to the Docker UI. Familiar names have the default domain
+// "docker.io" and "library/" repository prefix removed.
+// For example, "docker.io/library/redis" will have the familiar
+// name "redis" and "docker.io/dmcgowan/myapp" will be "dmcgowan/myapp".
+// Returns a familiarized named only reference.
+func familiarizeName(named namedRepository) repository {
+	repo := repository{
+		domain: named.Domain(),
+		path:   named.Path(),
+	}
+
+	if repo.domain == defaultDomain {
+		repo.domain = ""
+		// Handle official repositories which have the pattern "library/<official repo name>"
+		if split := strings.Split(repo.path, "/"); len(split) == 2 && split[0] == officialRepoName {
+			repo.path = split[1]
+		}
+	}
+	return repo
+}
+
+func (r reference) Familiar() Named {
+	return reference{
+		namedRepository: familiarizeName(r.namedRepository),
+		tag:             r.tag,
+		digest:          r.digest,
+	}
+}
+
+func (r repository) Familiar() Named {
+	return familiarizeName(r)
+}
+
+func (t taggedReference) Familiar() Named {
+	return taggedReference{
+		namedRepository: familiarizeName(t.namedRepository),
+		tag:             t.tag,
+	}
+}
+
+func (c canonicalReference) Familiar() Named {
+	return canonicalReference{
+		namedRepository: familiarizeName(c.namedRepository),
+		digest:          c.digest,
+	}
+}
+
+// TagNameOnly adds the default tag "latest" to a reference if it only has
+// a repo name.
+func TagNameOnly(ref Named) Named {
+	if IsNameOnly(ref) {
+		namedTagged, err := WithTag(ref, defaultTag)
+		if err != nil {
+			// Default tag must be valid, to create a NamedTagged
+			// type with non-validated input the WithTag function
+			// should be used instead
+			panic(err)
+		}
+		return namedTagged
+	}
+	return ref
+}
+
+// ParseAnyReference parses a reference string as a possible identifier,
+// full digest, or familiar name.
+func ParseAnyReference(ref string) (Reference, error) {
+	if ok := anchoredIdentifierRegexp.MatchString(ref); ok {
+		return digestReference("sha256:" + ref), nil
+	}
+	if dgst, err := digest.Parse(ref); err == nil {
+		return digestReference(dgst), nil
+	}
+
+	return ParseNormalizedNamed(ref)
+}
--- a/vendor/github.com/containers/image/docker/reference/reference.go
+++ b/vendor/github.com/containers/image/docker/reference/reference.go
@@ -1,38 +1,120 @@
+// Package reference provides a general type to represent any way of referencing images within the registry.
+// Its main purpose is to abstract tags and digests (content-addressable hash).
+//
+// Grammar
+//
+// 	reference                       := name [ ":" tag ] [ "@" digest ]
+//	name                            := [domain '/'] path-component ['/' path-component]*
+//	domain                          := domain-component ['.' domain-component]* [':' port-number]
+//	domain-component                := /([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])/
+//	port-number                     := /[0-9]+/
+//	path-component                  := alpha-numeric [separator alpha-numeric]*
+// 	alpha-numeric                   := /[a-z0-9]+/
+//	separator                       := /[_.]|__|[-]*/
+//
+//	tag                             := /[\w][\w.-]{0,127}/
+//
+//	digest                          := digest-algorithm ":" digest-hex
+//	digest-algorithm                := digest-algorithm-component [ digest-algorithm-separator digest-algorithm-component ]
+//	digest-algorithm-separator      := /[+.-_]/
+//	digest-algorithm-component      := /[A-Za-z][A-Za-z0-9]*/
+//	digest-hex                      := /[0-9a-fA-F]{32,}/ ; At least 128 bit digest value
+//
+//	identifier                      := /[a-f0-9]{64}/
+//	short-identifier                := /[a-f0-9]{6,64}/
 package reference

 import (
 	"errors"
 	"fmt"
-	"regexp"
 	"strings"

-	"github.com/docker/distribution/digest"
-	distreference "github.com/docker/distribution/reference"
+	"github.com/opencontainers/go-digest"
 )

 const (
-	// DefaultTag defines the default tag used when performing images related actions and no tag or digest is specified
-	DefaultTag = "latest"
-	// DefaultHostname is the default built-in hostname
-	DefaultHostname = "docker.io"
-	// LegacyDefaultHostname is automatically converted to DefaultHostname
-	LegacyDefaultHostname = "index.docker.io"
-	// DefaultRepoPrefix is the prefix used for default repositories in default host
-	DefaultRepoPrefix = "library/"
+	// NameTotalLengthMax is the maximum total number of characters in a repository name.
+	NameTotalLengthMax = 255
 )

+var (
+	// ErrReferenceInvalidFormat represents an error while trying to parse a string as a reference.
+	ErrReferenceInvalidFormat = errors.New("invalid reference format")
+
+	// ErrTagInvalidFormat represents an error while trying to parse a string as a tag.
+	ErrTagInvalidFormat = errors.New("invalid tag format")
+
+	// ErrDigestInvalidFormat represents an error while trying to parse a string as a tag.
+	ErrDigestInvalidFormat = errors.New("invalid digest format")
+
+	// ErrNameContainsUppercase is returned for invalid repository names that contain uppercase characters.
+	ErrNameContainsUppercase = errors.New("repository name must be lowercase")
+
+	// ErrNameEmpty is returned for empty, invalid repository names.
+	ErrNameEmpty = errors.New("repository name must have at least one component")
+
+	// ErrNameTooLong is returned when a repository name is longer than NameTotalLengthMax.
+	ErrNameTooLong = fmt.Errorf("repository name must not be more than %v characters", NameTotalLengthMax)
+
+	// ErrNameNotCanonical is returned when a name is not canonical.
+	ErrNameNotCanonical = errors.New("repository name must be canonical")
+)
+
+// Reference is an opaque object reference identifier that may include
+// modifiers such as a hostname, name, tag, and digest.
+type Reference interface {
+	// String returns the full reference
+	String() string
+}
+
+// Field provides a wrapper type for resolving correct reference types when
+// working with encoding.
+type Field struct {
+	reference Reference
+}
+
+// AsField wraps a reference in a Field for encoding.
+func AsField(reference Reference) Field {
+	return Field{reference}
+}
+
+// Reference unwraps the reference type from the field to
+// return the Reference object. This object should be
+// of the appropriate type to further check for different
+// reference types.
+func (f Field) Reference() Reference {
+	return f.reference
+}
+
+// MarshalText serializes the field to byte text which
+// is the string of the reference.
+func (f Field) MarshalText() (p []byte, err error) {
+	return []byte(f.reference.String()), nil
+}
+
+// UnmarshalText parses text bytes by invoking the
+// reference parser to ensure the appropriately
+// typed reference object is wrapped by field.
+func (f *Field) UnmarshalText(p []byte) error {
+	r, err := Parse(string(p))
+	if err != nil {
+		return err
+	}
+
+	f.reference = r
+	return nil
+}
+
 // Named is an object with a full name
 type Named interface {
-	// Name returns normalized repository name, like "ubuntu".
+	Reference
 	Name() string
-	// String returns full reference, like "ubuntu@sha256:abcdef..."
-	String() string
-	// FullName returns full repository name with hostname, like "docker.io/library/ubuntu"
-	FullName() string
-	// Hostname returns hostname for the reference, like "docker.io"
-	Hostname() string
-	// RemoteName returns the repository component of the full name, like "library/ubuntu"
-	RemoteName() string
+}
+
+// Tagged is an object which has a tag
+type Tagged interface {
+	Reference
+	Tag() string
 }

 // NamedTagged is an object including a name and tag.
@@ -41,180 +123,311 @@ type NamedTagged interface {
 	Tag() string
 }

+// Digested is an object which has a digest
+// in which it can be referenced by
+type Digested interface {
+	Reference
+	Digest() digest.Digest
+}
+
 // Canonical reference is an object with a fully unique
-// name including a name with hostname and digest
+// name including a name with domain and digest
 type Canonical interface {
 	Named
 	Digest() digest.Digest
 }

-// ParseNamed parses s and returns a syntactically valid reference implementing
-// the Named interface. The reference must have a name, otherwise an error is
-// returned.
-// If an error was encountered it is returned, along with a nil Reference.
-func ParseNamed(s string) (Named, error) {
-	named, err := distreference.ParseNamed(s)
-	if err != nil {
-		return nil, fmt.Errorf("Error parsing reference: %q is not a valid repository/tag", s)
+// namedRepository is a reference to a repository with a name.
+// A namedRepository has both domain and path components.
+type namedRepository interface {
+	Named
+	Domain() string
+	Path() string
+}
+
+// Domain returns the domain part of the Named reference
+func Domain(named Named) string {
+	if r, ok := named.(namedRepository); ok {
+		return r.Domain()
 	}
-	r, err := WithName(named.Name())
+	domain, _ := splitDomain(named.Name())
+	return domain
+}
+
+// Path returns the name without the domain part of the Named reference
+func Path(named Named) (name string) {
+	if r, ok := named.(namedRepository); ok {
+		return r.Path()
+	}
+	_, path := splitDomain(named.Name())
+	return path
+}
+
+func splitDomain(name string) (string, string) {
+	match := anchoredNameRegexp.FindStringSubmatch(name)
+	if len(match) != 3 {
+		return "", name
+	}
+	return match[1], match[2]
+}
+
+// SplitHostname splits a named reference into a
+// hostname and name string. If no valid hostname is
+// found, the hostname is empty and the full value
+// is returned as name
+// DEPRECATED: Use Domain or Path
+func SplitHostname(named Named) (string, string) {
+	if r, ok := named.(namedRepository); ok {
+		return r.Domain(), r.Path()
+	}
+	return splitDomain(named.Name())
+}
+
+// Parse parses s and returns a syntactically valid Reference.
+// If an error was encountered it is returned, along with a nil Reference.
+// NOTE: Parse will not handle short digests.
+func Parse(s string) (Reference, error) {
+	matches := ReferenceRegexp.FindStringSubmatch(s)
+	if matches == nil {
+		if s == "" {
+			return nil, ErrNameEmpty
+		}
+		if ReferenceRegexp.FindStringSubmatch(strings.ToLower(s)) != nil {
+			return nil, ErrNameContainsUppercase
+		}
+		return nil, ErrReferenceInvalidFormat
+	}
+
+	if len(matches[1]) > NameTotalLengthMax {
+		return nil, ErrNameTooLong
+	}
+
+	var repo repository
+
+	nameMatch := anchoredNameRegexp.FindStringSubmatch(matches[1])
+	if nameMatch != nil && len(nameMatch) == 3 {
+		repo.domain = nameMatch[1]
+		repo.path = nameMatch[2]
+	} else {
+		repo.domain = ""
+		repo.path = matches[1]
+	}
+
+	ref := reference{
+		namedRepository: repo,
+		tag:             matches[2],
+	}
+	if matches[3] != "" {
+		var err error
+		ref.digest, err = digest.Parse(matches[3])
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	r := getBestReferenceType(ref)
+	if r == nil {
+		return nil, ErrNameEmpty
+	}
+
+	return r, nil
+}
+
+// ParseNamed parses s and returns a syntactically valid reference implementing
+// the Named interface. The reference must have a name and be in the canonical
+// form, otherwise an error is returned.
+// If an error was encountered it is returned, along with a nil Reference.
+// NOTE: ParseNamed will not handle short digests.
+func ParseNamed(s string) (Named, error) {
+	named, err := ParseNormalizedNamed(s)
 	if err != nil {
 		return nil, err
 	}
-	if canonical, isCanonical := named.(distreference.Canonical); isCanonical {
-		return WithDigest(r, canonical.Digest())
+	if named.String() != s {
+		return nil, ErrNameNotCanonical
 	}
-	if tagged, isTagged := named.(distreference.NamedTagged); isTagged {
-		return WithTag(r, tagged.Tag())
-	}
-	return r, nil
+	return named, nil
 }

 // WithName returns a named object representing the given string. If the input
 // is invalid ErrReferenceInvalidFormat will be returned.
 func WithName(name string) (Named, error) {
-	name, err := normalize(name)
-	if err != nil {
-		return nil, err
+	if len(name) > NameTotalLengthMax {
+		return nil, ErrNameTooLong
 	}
-	if err := validateName(name); err != nil {
-		return nil, err
+
+	match := anchoredNameRegexp.FindStringSubmatch(name)
+	if match == nil || len(match) != 3 {
+		return nil, ErrReferenceInvalidFormat
 	}
-	r, err := distreference.WithName(name)
-	if err != nil {
-		return nil, err
-	}
-	return &namedRef{r}, nil
+	return repository{
+		domain: match[1],
+		path:   match[2],
+	}, nil
 }

 // WithTag combines the name from "name" and the tag from "tag" to form a
 // reference incorporating both the name and the tag.
 func WithTag(name Named, tag string) (NamedTagged, error) {
-	r, err := distreference.WithTag(name, tag)
-	if err != nil {
-		return nil, err
+	if !anchoredTagRegexp.MatchString(tag) {
+		return nil, ErrTagInvalidFormat
 	}
-	return &taggedRef{namedRef{r}}, nil
+	var repo repository
+	if r, ok := name.(namedRepository); ok {
+		repo.domain = r.Domain()
+		repo.path = r.Path()
+	} else {
+		repo.path = name.Name()
+	}
+	if canonical, ok := name.(Canonical); ok {
+		return reference{
+			namedRepository: repo,
+			tag:             tag,
+			digest:          canonical.Digest(),
+		}, nil
+	}
+	return taggedReference{
+		namedRepository: repo,
+		tag:             tag,
+	}, nil
 }

 // WithDigest combines the name from "name" and the digest from "digest" to form
 // a reference incorporating both the name and the digest.
 func WithDigest(name Named, digest digest.Digest) (Canonical, error) {
-	r, err := distreference.WithDigest(name, digest)
-	if err != nil {
-		return nil, err
+	if !anchoredDigestRegexp.MatchString(digest.String()) {
+		return nil, ErrDigestInvalidFormat
 	}
-	return &canonicalRef{namedRef{r}}, nil
-}
-
-type namedRef struct {
-	distreference.Named
-}
-type taggedRef struct {
-	namedRef
-}
-type canonicalRef struct {
-	namedRef
-}
-
-func (r *namedRef) FullName() string {
-	hostname, remoteName := splitHostname(r.Name())
-	return hostname + "/" + remoteName
-}
-func (r *namedRef) Hostname() string {
-	hostname, _ := splitHostname(r.Name())
-	return hostname
-}
-func (r *namedRef) RemoteName() string {
-	_, remoteName := splitHostname(r.Name())
-	return remoteName
-}
-func (r *taggedRef) Tag() string {
-	return r.namedRef.Named.(distreference.NamedTagged).Tag()
-}
-func (r *canonicalRef) Digest() digest.Digest {
-	return r.namedRef.Named.(distreference.Canonical).Digest()
-}
-
-// WithDefaultTag adds a default tag to a reference if it only has a repo name.
-func WithDefaultTag(ref Named) Named {
-	if IsNameOnly(ref) {
-		ref, _ = WithTag(ref, DefaultTag)
+	var repo repository
+	if r, ok := name.(namedRepository); ok {
+		repo.domain = r.Domain()
+		repo.path = r.Path()
+	} else {
+		repo.path = name.Name()
 	}
+	if tagged, ok := name.(Tagged); ok {
+		return reference{
+			namedRepository: repo,
+			tag:             tagged.Tag(),
+			digest:          digest,
+		}, nil
+	}
+	return canonicalReference{
+		namedRepository: repo,
+		digest:          digest,
+	}, nil
+}
+
+// TrimNamed removes any tag or digest from the named reference.
+func TrimNamed(ref Named) Named {
+	domain, path := SplitHostname(ref)
+	return repository{
+		domain: domain,
+		path:   path,
+	}
+}
+
+func getBestReferenceType(ref reference) Reference {
+	if ref.Name() == "" {
+		// Allow digest only references
+		if ref.digest != "" {
+			return digestReference(ref.digest)
+		}
+		return nil
+	}
+	if ref.tag == "" {
+		if ref.digest != "" {
+			return canonicalReference{
+				namedRepository: ref.namedRepository,
+				digest:          ref.digest,
+			}
+		}
+		return ref.namedRepository
+	}
+	if ref.digest == "" {
+		return taggedReference{
+			namedRepository: ref.namedRepository,
+			tag:             ref.tag,
+		}
+	}
+
 	return ref
 }

-// IsNameOnly returns true if reference only contains a repo name.
-func IsNameOnly(ref Named) bool {
-	if _, ok := ref.(NamedTagged); ok {
-		return false
-	}
-	if _, ok := ref.(Canonical); ok {
-		return false
-	}
-	return true
+type reference struct {
+	namedRepository
+	tag    string
+	digest digest.Digest
 }

-// ParseIDOrReference parses string for an image ID or a reference. ID can be
-// without a default prefix.
-func ParseIDOrReference(idOrRef string) (digest.Digest, Named, error) {
-	if err := validateID(idOrRef); err == nil {
-		idOrRef = "sha256:" + idOrRef
-	}
-	if dgst, err := digest.ParseDigest(idOrRef); err == nil {
-		return dgst, nil, nil
-	}
-	ref, err := ParseNamed(idOrRef)
-	return "", ref, err
+func (r reference) String() string {
+	return r.Name() + ":" + r.tag + "@" + r.digest.String()
 }

-// splitHostname splits a repository name to hostname and remotename string.
-// If no valid hostname is found, the default hostname is used. Repository name
-// needs to be already validated before.
-func splitHostname(name string) (hostname, remoteName string) {
-	i := strings.IndexRune(name, '/')
-	if i == -1 || (!strings.ContainsAny(name[:i], ".:") && name[:i] != "localhost") {
-		hostname, remoteName = DefaultHostname, name
-	} else {
-		hostname, remoteName = name[:i], name[i+1:]
-	}
-	if hostname == LegacyDefaultHostname {
-		hostname = DefaultHostname
-	}
-	if hostname == DefaultHostname && !strings.ContainsRune(remoteName, '/') {
-		remoteName = DefaultRepoPrefix + remoteName
-	}
-	return
+func (r reference) Tag() string {
+	return r.tag
 }

-// normalize returns a repository name in its normalized form, meaning it
-// will not contain default hostname nor library/ prefix for official images.
-func normalize(name string) (string, error) {
-	host, remoteName := splitHostname(name)
-	if strings.ToLower(remoteName) != remoteName {
-		return "", errors.New("invalid reference format: repository name must be lowercase")
-	}
-	if host == DefaultHostname {
-		if strings.HasPrefix(remoteName, DefaultRepoPrefix) {
-			return strings.TrimPrefix(remoteName, DefaultRepoPrefix), nil
-		}
-		return remoteName, nil
-	}
-	return name, nil
+func (r reference) Digest() digest.Digest {
+	return r.digest
 }

-var validHex = regexp.MustCompile(`^([a-f0-9]{64})$`)
-
-func validateID(id string) error {
-	if ok := validHex.MatchString(id); !ok {
-		return fmt.Errorf("image ID %q is invalid", id)
-	}
-	return nil
+type repository struct {
+	domain string
+	path   string
 }

-func validateName(name string) error {
-	if err := validateID(name); err == nil {
-		return fmt.Errorf("Invalid repository name (%s), cannot specify 64-byte hexadecimal strings", name)
-	}
-	return nil
+func (r repository) String() string {
+	return r.Name()
+}
+
+func (r repository) Name() string {
+	if r.domain == "" {
+		return r.path
+	}
+	return r.domain + "/" + r.path
+}
+
+func (r repository) Domain() string {
+	return r.domain
+}
+
+func (r repository) Path() string {
+	return r.path
+}
+
+type digestReference digest.Digest
+
+func (d digestReference) String() string {
+	return digest.Digest(d).String()
+}
+
+func (d digestReference) Digest() digest.Digest {
+	return digest.Digest(d)
+}
+
+type taggedReference struct {
+	namedRepository
+	tag string
+}
+
+func (t taggedReference) String() string {
+	return t.Name() + ":" + t.tag
+}
+
+func (t taggedReference) Tag() string {
+	return t.tag
+}
+
+type canonicalReference struct {
+	namedRepository
+	digest digest.Digest
+}
+
+func (c canonicalReference) String() string {
+	return c.Name() + "@" + c.digest.String()
+}
+
+func (c canonicalReference) Digest() digest.Digest {
+	return c.digest
 }
--- a/vendor/github.com/containers/image/docker/reference/regexp.go
+++ b/vendor/github.com/containers/image/docker/reference/regexp.go
@@ -0,0 +1,143 @@
+package reference
+
+import "regexp"
+
+var (
+	// alphaNumericRegexp defines the alpha numeric atom, typically a
+	// component of names. This only allows lower case characters and digits.
+	alphaNumericRegexp = match(`[a-z0-9]+`)
+
+	// separatorRegexp defines the separators allowed to be embedded in name
+	// components. This allow one period, one or two underscore and multiple
+	// dashes.
+	separatorRegexp = match(`(?:[._]|__|[-]*)`)
+
+	// nameComponentRegexp restricts registry path component names to start
+	// with at least one letter or number, with following parts able to be
+	// separated by one period, one or two underscore and multiple dashes.
+	nameComponentRegexp = expression(
+		alphaNumericRegexp,
+		optional(repeated(separatorRegexp, alphaNumericRegexp)))
+
+	// domainComponentRegexp restricts the registry domain component of a
+	// repository name to start with a component as defined by domainRegexp
+	// and followed by an optional port.
+	domainComponentRegexp = match(`(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])`)
+
+	// domainRegexp defines the structure of potential domain components
+	// that may be part of image names. This is purposely a subset of what is
+	// allowed by DNS to ensure backwards compatibility with Docker image
+	// names.
+	domainRegexp = expression(
+		domainComponentRegexp,
+		optional(repeated(literal(`.`), domainComponentRegexp)),
+		optional(literal(`:`), match(`[0-9]+`)))
+
+	// TagRegexp matches valid tag names. From docker/docker:graph/tags.go.
+	TagRegexp = match(`[\w][\w.-]{0,127}`)
+
+	// anchoredTagRegexp matches valid tag names, anchored at the start and
+	// end of the matched string.
+	anchoredTagRegexp = anchored(TagRegexp)
+
+	// DigestRegexp matches valid digests.
+	DigestRegexp = match(`[A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}`)
+
+	// anchoredDigestRegexp matches valid digests, anchored at the start and
+	// end of the matched string.
+	anchoredDigestRegexp = anchored(DigestRegexp)
+
+	// NameRegexp is the format for the name component of references. The
+	// regexp has capturing groups for the domain and name part omitting
+	// the separating forward slash from either.
+	NameRegexp = expression(
+		optional(domainRegexp, literal(`/`)),
+		nameComponentRegexp,
+		optional(repeated(literal(`/`), nameComponentRegexp)))
+
+	// anchoredNameRegexp is used to parse a name value, capturing the
+	// domain and trailing components.
+	anchoredNameRegexp = anchored(
+		optional(capture(domainRegexp), literal(`/`)),
+		capture(nameComponentRegexp,
+			optional(repeated(literal(`/`), nameComponentRegexp))))
+
+	// ReferenceRegexp is the full supported format of a reference. The regexp
+	// is anchored and has capturing groups for name, tag, and digest
+	// components.
+	ReferenceRegexp = anchored(capture(NameRegexp),
+		optional(literal(":"), capture(TagRegexp)),
+		optional(literal("@"), capture(DigestRegexp)))
+
+	// IdentifierRegexp is the format for string identifier used as a
+	// content addressable identifier using sha256. These identifiers
+	// are like digests without the algorithm, since sha256 is used.
+	IdentifierRegexp = match(`([a-f0-9]{64})`)
+
+	// ShortIdentifierRegexp is the format used to represent a prefix
+	// of an identifier. A prefix may be used to match a sha256 identifier
+	// within a list of trusted identifiers.
+	ShortIdentifierRegexp = match(`([a-f0-9]{6,64})`)
+
+	// anchoredIdentifierRegexp is used to check or match an
+	// identifier value, anchored at start and end of string.
+	anchoredIdentifierRegexp = anchored(IdentifierRegexp)
+
+	// anchoredShortIdentifierRegexp is used to check if a value
+	// is a possible identifier prefix, anchored at start and end
+	// of string.
+	anchoredShortIdentifierRegexp = anchored(ShortIdentifierRegexp)
+)
+
+// match compiles the string to a regular expression.
+var match = regexp.MustCompile
+
+// literal compiles s into a literal regular expression, escaping any regexp
+// reserved characters.
+func literal(s string) *regexp.Regexp {
+	re := match(regexp.QuoteMeta(s))
+
+	if _, complete := re.LiteralPrefix(); !complete {
+		panic("must be a literal")
+	}
+
+	return re
+}
+
+// expression defines a full expression, where each regular expression must
+// follow the previous.
+func expression(res ...*regexp.Regexp) *regexp.Regexp {
+	var s string
+	for _, re := range res {
+		s += re.String()
+	}
+
+	return match(s)
+}
+
+// optional wraps the expression in a non-capturing group and makes the
+// production optional.
+func optional(res ...*regexp.Regexp) *regexp.Regexp {
+	return match(group(expression(res...)).String() + `?`)
+}
+
+// repeated wraps the regexp in a non-capturing group to get one or more
+// matches.
+func repeated(res ...*regexp.Regexp) *regexp.Regexp {
+	return match(group(expression(res...)).String() + `+`)
+}
+
+// group wraps the regexp in a non-capturing group.
+func group(res ...*regexp.Regexp) *regexp.Regexp {
+	return match(`(?:` + expression(res...).String() + `)`)
+}
+
+// capture wraps the expression in a capturing group.
+func capture(res ...*regexp.Regexp) *regexp.Regexp {
+	return match(`(` + expression(res...).String() + `)`)
+}
+
+// anchored anchors the regular expression by adding start and end delimiters.
+func anchored(res ...*regexp.Regexp) *regexp.Regexp {
+	return match(`^` + expression(res...).String() + `$`)
+}
--- a/vendor/github.com/containers/image/docker/tarfile/dest.go
+++ b/vendor/github.com/containers/image/docker/tarfile/dest.go
@@ -0,0 +1,258 @@
+package tarfile
+
+import (
+	"archive/tar"
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"time"
+
+	"github.com/containers/image/docker/reference"
+	"github.com/containers/image/manifest"
+	"github.com/containers/image/types"
+	"github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+const temporaryDirectoryForBigFiles = "/var/tmp" // Do not use the system default of os.TempDir(), usually /tmp, because with systemd it could be a tmpfs.
+
+// Destination is a partial implementation of types.ImageDestination for writing to an io.Writer.
+type Destination struct {
+	writer  io.Writer
+	tar     *tar.Writer
+	repoTag string
+	// Other state.
+	blobs map[digest.Digest]types.BlobInfo // list of already-sent blobs
+}
+
+// NewDestination returns a tarfile.Destination for the specified io.Writer.
+func NewDestination(dest io.Writer, ref reference.NamedTagged) *Destination {
+	// For github.com/docker/docker consumers, this works just as well as
+	//   refString := ref.String()
+	// because when reading the RepoTags strings, github.com/docker/docker/reference
+	// normalizes both of them to the same value.
+	//
+	// Doing it this way to include the normalized-out `docker.io[/library]` does make
+	// a difference for github.com/projectatomic/docker consumers, with the
+	// “Add --add-registry and --block-registry options to docker daemon” patch.
+	// These consumers treat reference strings which include a hostname and reference
+	// strings without a hostname differently.
+	//
+	// Using the host name here is more explicit about the intent, and it has the same
+	// effect as (docker pull) in projectatomic/docker, which tags the result using
+	// a hostname-qualified reference.
+	// See https://github.com/containers/image/issues/72 for a more detailed
+	// analysis and explanation.
+	refString := fmt.Sprintf("%s:%s", ref.Name(), ref.Tag())
+	return &Destination{
+		writer:  dest,
+		tar:     tar.NewWriter(dest),
+		repoTag: refString,
+		blobs:   make(map[digest.Digest]types.BlobInfo),
+	}
+}
+
+// SupportedManifestMIMETypes tells which manifest mime types the destination supports
+// If an empty slice or nil it's returned, then any mime type can be tried to upload
+func (d *Destination) SupportedManifestMIMETypes() []string {
+	return []string{
+		manifest.DockerV2Schema2MediaType, // We rely on the types.Image.UpdatedImage schema conversion capabilities.
+	}
+}
+
+// SupportsSignatures returns an error (to be displayed to the user) if the destination certainly can't store signatures.
+// Note: It is still possible for PutSignatures to fail if SupportsSignatures returns nil.
+func (d *Destination) SupportsSignatures() error {
+	return errors.Errorf("Storing signatures for docker tar files is not supported")
+}
+
+// ShouldCompressLayers returns true iff it is desirable to compress layer blobs written to this destination.
+func (d *Destination) ShouldCompressLayers() bool {
+	return false
+}
+
+// AcceptsForeignLayerURLs returns false iff foreign layers in manifest should be actually
+// uploaded to the image destination, true otherwise.
+func (d *Destination) AcceptsForeignLayerURLs() bool {
+	return false
+}
+
+// MustMatchRuntimeOS returns true iff the destination can store only images targeted for the current runtime OS. False otherwise.
+func (d *Destination) MustMatchRuntimeOS() bool {
+	return false
+}
+
+// PutBlob writes contents of stream and returns data representing the result (with all data filled in).
+// inputInfo.Digest can be optionally provided if known; it is not mandatory for the implementation to verify it.
+// inputInfo.Size is the expected length of stream, if known.
+// WARNING: The contents of stream are being verified on the fly.  Until stream.Read() returns io.EOF, the contents of the data SHOULD NOT be available
+// to any other readers for download using the supplied digest.
+// If stream.Read() at any time, ESPECIALLY at end of input, returns an error, PutBlob MUST 1) fail, and 2) delete any data stored so far.
+func (d *Destination) PutBlob(stream io.Reader, inputInfo types.BlobInfo) (types.BlobInfo, error) {
+	if inputInfo.Digest.String() == "" {
+		return types.BlobInfo{}, errors.Errorf("Can not stream a blob with unknown digest to docker tarfile")
+	}
+
+	ok, size, err := d.HasBlob(inputInfo)
+	if err != nil {
+		return types.BlobInfo{}, err
+	}
+	if ok {
+		return types.BlobInfo{Digest: inputInfo.Digest, Size: size}, nil
+	}
+
+	if inputInfo.Size == -1 { // Ouch, we need to stream the blob into a temporary file just to determine the size.
+		logrus.Debugf("docker tarfile: input with unknown size, streaming to disk first ...")
+		streamCopy, err := ioutil.TempFile(temporaryDirectoryForBigFiles, "docker-tarfile-blob")
+		if err != nil {
+			return types.BlobInfo{}, err
+		}
+		defer os.Remove(streamCopy.Name())
+		defer streamCopy.Close()
+
+		size, err := io.Copy(streamCopy, stream)
+		if err != nil {
+			return types.BlobInfo{}, err
+		}
+		_, err = streamCopy.Seek(0, os.SEEK_SET)
+		if err != nil {
+			return types.BlobInfo{}, err
+		}
+		inputInfo.Size = size // inputInfo is a struct, so we are only modifying our copy.
+		stream = streamCopy
+		logrus.Debugf("... streaming done")
+	}
+
+	digester := digest.Canonical.Digester()
+	tee := io.TeeReader(stream, digester.Hash())
+	if err := d.sendFile(inputInfo.Digest.String(), inputInfo.Size, tee); err != nil {
+		return types.BlobInfo{}, err
+	}
+	d.blobs[inputInfo.Digest] = types.BlobInfo{Digest: digester.Digest(), Size: inputInfo.Size}
+	return types.BlobInfo{Digest: digester.Digest(), Size: inputInfo.Size}, nil
+}
+
+// HasBlob returns true iff the image destination already contains a blob with
+// the matching digest which can be reapplied using ReapplyBlob.  Unlike
+// PutBlob, the digest can not be empty.  If HasBlob returns true, the size of
+// the blob must also be returned.  If the destination does not contain the
+// blob, or it is unknown, HasBlob ordinarily returns (false, -1, nil); it
+// returns a non-nil error only on an unexpected failure.
+func (d *Destination) HasBlob(info types.BlobInfo) (bool, int64, error) {
+	if info.Digest == "" {
+		return false, -1, errors.Errorf("Can not check for a blob with unknown digest")
+	}
+	if blob, ok := d.blobs[info.Digest]; ok {
+		return true, blob.Size, nil
+	}
+	return false, -1, nil
+}
+
+// ReapplyBlob informs the image destination that a blob for which HasBlob
+// previously returned true would have been passed to PutBlob if it had
+// returned false.  Like HasBlob and unlike PutBlob, the digest can not be
+// empty.  If the blob is a filesystem layer, this signifies that the changes
+// it describes need to be applied again when composing a filesystem tree.
+func (d *Destination) ReapplyBlob(info types.BlobInfo) (types.BlobInfo, error) {
+	return info, nil
+}
+
+// PutManifest writes manifest to the destination.
+// FIXME? This should also receive a MIME type if known, to differentiate between schema versions.
+// If the destination is in principle available, refuses this manifest type (e.g. it does not recognize the schema),
+// but may accept a different manifest type, the returned error must be an ManifestTypeRejectedError.
+func (d *Destination) PutManifest(m []byte) error {
+	// We do not bother with types.ManifestTypeRejectedError; our .SupportedManifestMIMETypes() above is already providing only one alternative,
+	// so the caller trying a different manifest kind would be pointless.
+	var man schema2Manifest
+	if err := json.Unmarshal(m, &man); err != nil {
+		return errors.Wrap(err, "Error parsing manifest")
+	}
+	if man.SchemaVersion != 2 || man.MediaType != manifest.DockerV2Schema2MediaType {
+		return errors.Errorf("Unsupported manifest type, need a Docker schema 2 manifest")
+	}
+
+	layerPaths := []string{}
+	for _, l := range man.Layers {
+		layerPaths = append(layerPaths, l.Digest.String())
+	}
+
+	items := []ManifestItem{{
+		Config:       man.Config.Digest.String(),
+		RepoTags:     []string{d.repoTag},
+		Layers:       layerPaths,
+		Parent:       "",
+		LayerSources: nil,
+	}}
+	itemsBytes, err := json.Marshal(&items)
+	if err != nil {
+		return err
+	}
+
+	// FIXME? Do we also need to support the legacy format?
+	return d.sendFile(manifestFileName, int64(len(itemsBytes)), bytes.NewReader(itemsBytes))
+}
+
+type tarFI struct {
+	path string
+	size int64
+}
+
+func (t *tarFI) Name() string {
+	return t.path
+}
+func (t *tarFI) Size() int64 {
+	return t.size
+}
+func (t *tarFI) Mode() os.FileMode {
+	return 0444
+}
+func (t *tarFI) ModTime() time.Time {
+	return time.Unix(0, 0)
+}
+func (t *tarFI) IsDir() bool {
+	return false
+}
+func (t *tarFI) Sys() interface{} {
+	return nil
+}
+
+// sendFile sends a file into the tar stream.
+func (d *Destination) sendFile(path string, expectedSize int64, stream io.Reader) error {
+	hdr, err := tar.FileInfoHeader(&tarFI{path: path, size: expectedSize}, "")
+	if err != nil {
+		return nil
+	}
+	logrus.Debugf("Sending as tar file %s", path)
+	if err := d.tar.WriteHeader(hdr); err != nil {
+		return err
+	}
+	size, err := io.Copy(d.tar, stream)
+	if err != nil {
+		return err
+	}
+	if size != expectedSize {
+		return errors.Errorf("Size mismatch when copying %s, expected %d, got %d", path, expectedSize, size)
+	}
+	return nil
+}
+
+// PutSignatures adds the given signatures to the docker tarfile (currently not
+// supported). MUST be called after PutManifest (signatures reference manifest
+// contents)
+func (d *Destination) PutSignatures(signatures [][]byte) error {
+	if len(signatures) != 0 {
+		return errors.Errorf("Storing signatures for docker tar files is not supported")
+	}
+	return nil
+}
+
+// Commit finishes writing data to the underlying io.Writer.
+// It is the caller's responsibility to close it, if necessary.
+func (d *Destination) Commit() error {
+	return d.tar.Close()
+}
--- a/vendor/github.com/containers/image/docker/tarfile/doc.go
+++ b/vendor/github.com/containers/image/docker/tarfile/doc.go
@@ -0,0 +1,3 @@
+// Package tarfile is an internal implementation detail of some transports.
+// Do not use outside of the github.com/containers/image repo!
+package tarfile
--- a/vendor/github.com/containers/image/docker/tarfile/src.go
+++ b/vendor/github.com/containers/image/docker/tarfile/src.go
@@ -0,0 +1,360 @@
+package tarfile
+
+import (
+	"archive/tar"
+	"bytes"
+	"context"
+	"encoding/json"
+	"io"
+	"io/ioutil"
+	"os"
+	"path"
+
+	"github.com/containers/image/manifest"
+	"github.com/containers/image/pkg/compression"
+	"github.com/containers/image/types"
+	"github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+)
+
+// Source is a partial implementation of types.ImageSource for reading from tarPath.
+type Source struct {
+	tarPath string
+	// The following data is only available after ensureCachedDataIsPresent() succeeds
+	tarManifest       *ManifestItem // nil if not available yet.
+	configBytes       []byte
+	configDigest      digest.Digest
+	orderedDiffIDList []diffID
+	knownLayers       map[diffID]*layerInfo
+	// Other state
+	generatedManifest []byte // Private cache for GetManifest(), nil if not set yet.
+}
+
+type layerInfo struct {
+	path string
+	size int64
+}
+
+// NewSource returns a tarfile.Source for the specified path.
+func NewSource(path string) *Source {
+	// TODO: We could add support for multiple images in a single archive, so
+	//       that people could use docker-archive:opensuse.tar:opensuse:leap as
+	//       the source of an image.
+	return &Source{
+		tarPath: path,
+	}
+}
+
+// tarReadCloser is a way to close the backing file of a tar.Reader when the user no longer needs the tar component.
+type tarReadCloser struct {
+	*tar.Reader
+	backingFile *os.File
+}
+
+func (t *tarReadCloser) Close() error {
+	return t.backingFile.Close()
+}
+
+// openTarComponent returns a ReadCloser for the specific file within the archive.
+// This is linear scan; we assume that the tar file will have a fairly small amount of files (~layers),
+// and that filesystem caching will make the repeated seeking over the (uncompressed) tarPath cheap enough.
+// The caller should call .Close() on the returned stream.
+func (s *Source) openTarComponent(componentPath string) (io.ReadCloser, error) {
+	f, err := os.Open(s.tarPath)
+	if err != nil {
+		return nil, err
+	}
+	succeeded := false
+	defer func() {
+		if !succeeded {
+			f.Close()
+		}
+	}()
+
+	tarReader, header, err := findTarComponent(f, componentPath)
+	if err != nil {
+		return nil, err
+	}
+	if header == nil {
+		return nil, os.ErrNotExist
+	}
+	if header.FileInfo().Mode()&os.ModeType == os.ModeSymlink { // FIXME: untested
+		// We follow only one symlink; so no loops are possible.
+		if _, err := f.Seek(0, os.SEEK_SET); err != nil {
+			return nil, err
+		}
+		// The new path could easily point "outside" the archive, but we only compare it to existing tar headers without extracting the archive,
+		// so we don't care.
+		tarReader, header, err = findTarComponent(f, path.Join(path.Dir(componentPath), header.Linkname))
+		if err != nil {
+			return nil, err
+		}
+		if header == nil {
+			return nil, os.ErrNotExist
+		}
+	}
+
+	if !header.FileInfo().Mode().IsRegular() {
+		return nil, errors.Errorf("Error reading tar archive component %s: not a regular file", header.Name)
+	}
+	succeeded = true
+	return &tarReadCloser{Reader: tarReader, backingFile: f}, nil
+}
+
+// findTarComponent returns a header and a reader matching path within inputFile,
+// or (nil, nil, nil) if not found.
+func findTarComponent(inputFile io.Reader, path string) (*tar.Reader, *tar.Header, error) {
+	t := tar.NewReader(inputFile)
+	for {
+		h, err := t.Next()
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return nil, nil, err
+		}
+		if h.Name == path {
+			return t, h, nil
+		}
+	}
+	return nil, nil, nil
+}
+
+// readTarComponent returns full contents of componentPath.
+func (s *Source) readTarComponent(path string) ([]byte, error) {
+	file, err := s.openTarComponent(path)
+	if err != nil {
+		return nil, errors.Wrapf(err, "Error loading tar component %s", path)
+	}
+	defer file.Close()
+	bytes, err := ioutil.ReadAll(file)
+	if err != nil {
+		return nil, err
+	}
+	return bytes, nil
+}
+
+// ensureCachedDataIsPresent loads data necessary for any of the public accessors.
+func (s *Source) ensureCachedDataIsPresent() error {
+	if s.tarManifest != nil {
+		return nil
+	}
+
+	// Read and parse manifest.json
+	tarManifest, err := s.loadTarManifest()
+	if err != nil {
+		return err
+	}
+
+	// Check to make sure length is 1
+	if len(tarManifest) != 1 {
+		return errors.Errorf("Unexpected tar manifest.json: expected 1 item, got %d", len(tarManifest))
+	}
+
+	// Read and parse config.
+	configBytes, err := s.readTarComponent(tarManifest[0].Config)
+	if err != nil {
+		return err
+	}
+	var parsedConfig image // Most fields ommitted, we only care about layer DiffIDs.
+	if err := json.Unmarshal(configBytes, &parsedConfig); err != nil {
+		return errors.Wrapf(err, "Error decoding tar config %s", tarManifest[0].Config)
+	}
+
+	knownLayers, err := s.prepareLayerData(&tarManifest[0], &parsedConfig)
+	if err != nil {
+		return err
+	}
+
+	// Success; commit.
+	s.tarManifest = &tarManifest[0]
+	s.configBytes = configBytes
+	s.configDigest = digest.FromBytes(configBytes)
+	s.orderedDiffIDList = parsedConfig.RootFS.DiffIDs
+	s.knownLayers = knownLayers
+	return nil
+}
+
+// loadTarManifest loads and decodes the manifest.json.
+func (s *Source) loadTarManifest() ([]ManifestItem, error) {
+	// FIXME? Do we need to deal with the legacy format?
+	bytes, err := s.readTarComponent(manifestFileName)
+	if err != nil {
+		return nil, err
+	}
+	var items []ManifestItem
+	if err := json.Unmarshal(bytes, &items); err != nil {
+		return nil, errors.Wrap(err, "Error decoding tar manifest.json")
+	}
+	return items, nil
+}
+
+// LoadTarManifest loads and decodes the manifest.json
+func (s *Source) LoadTarManifest() ([]ManifestItem, error) {
+	return s.loadTarManifest()
+}
+
+func (s *Source) prepareLayerData(tarManifest *ManifestItem, parsedConfig *image) (map[diffID]*layerInfo, error) {
+	// Collect layer data available in manifest and config.
+	if len(tarManifest.Layers) != len(parsedConfig.RootFS.DiffIDs) {
+		return nil, errors.Errorf("Inconsistent layer count: %d in manifest, %d in config", len(tarManifest.Layers), len(parsedConfig.RootFS.DiffIDs))
+	}
+	knownLayers := map[diffID]*layerInfo{}
+	unknownLayerSizes := map[string]*layerInfo{} // Points into knownLayers, a "to do list" of items with unknown sizes.
+	for i, diffID := range parsedConfig.RootFS.DiffIDs {
+		if _, ok := knownLayers[diffID]; ok {
+			// Apparently it really can happen that a single image contains the same layer diff more than once.
+			// In that case, the diffID validation ensures that both layers truly are the same, and it should not matter
+			// which of the tarManifest.Layers paths is used; (docker save) actually makes the duplicates symlinks to the original.
+			continue
+		}
+		layerPath := tarManifest.Layers[i]
+		if _, ok := unknownLayerSizes[layerPath]; ok {
+			return nil, errors.Errorf("Layer tarfile %s used for two different DiffID values", layerPath)
+		}
+		li := &layerInfo{ // A new element in each iteration
+			path: layerPath,
+			size: -1,
+		}
+		knownLayers[diffID] = li
+		unknownLayerSizes[layerPath] = li
+	}
+
+	// Scan the tar file to collect layer sizes.
+	file, err := os.Open(s.tarPath)
+	if err != nil {
+		return nil, err
+	}
+	defer file.Close()
+	t := tar.NewReader(file)
+	for {
+		h, err := t.Next()
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return nil, err
+		}
+		if li, ok := unknownLayerSizes[h.Name]; ok {
+			li.size = h.Size
+			delete(unknownLayerSizes, h.Name)
+		}
+	}
+	if len(unknownLayerSizes) != 0 {
+		return nil, errors.Errorf("Some layer tarfiles are missing in the tarball") // This could do with a better error reporting, if this ever happened in practice.
+	}
+
+	return knownLayers, nil
+}
+
+// GetManifest returns the image's manifest along with its MIME type (which may be empty when it can't be determined but the manifest is available).
+// It may use a remote (= slow) service.
+func (s *Source) GetManifest() ([]byte, string, error) {
+	if s.generatedManifest == nil {
+		if err := s.ensureCachedDataIsPresent(); err != nil {
+			return nil, "", err
+		}
+		m := schema2Manifest{
+			SchemaVersion: 2,
+			MediaType:     manifest.DockerV2Schema2MediaType,
+			Config: distributionDescriptor{
+				MediaType: manifest.DockerV2Schema2ConfigMediaType,
+				Size:      int64(len(s.configBytes)),
+				Digest:    s.configDigest,
+			},
+			Layers: []distributionDescriptor{},
+		}
+		for _, diffID := range s.orderedDiffIDList {
+			li, ok := s.knownLayers[diffID]
+			if !ok {
+				return nil, "", errors.Errorf("Internal inconsistency: Information about layer %s missing", diffID)
+			}
+			m.Layers = append(m.Layers, distributionDescriptor{
+				Digest:    digest.Digest(diffID), // diffID is a digest of the uncompressed tarball
+				MediaType: manifest.DockerV2Schema2LayerMediaType,
+				Size:      li.size,
+			})
+		}
+		manifestBytes, err := json.Marshal(&m)
+		if err != nil {
+			return nil, "", err
+		}
+		s.generatedManifest = manifestBytes
+	}
+	return s.generatedManifest, manifest.DockerV2Schema2MediaType, nil
+}
+
+// GetTargetManifest returns an image's manifest given a digest. This is mainly used to retrieve a single image's manifest
+// out of a manifest list.
+func (s *Source) GetTargetManifest(digest digest.Digest) ([]byte, string, error) {
+	// How did we even get here? GetManifest() above has returned a manifest.DockerV2Schema2MediaType.
+	return nil, "", errors.Errorf(`Manifest lists are not supported by "docker-daemon:"`)
+}
+
+type readCloseWrapper struct {
+	io.Reader
+	closeFunc func() error
+}
+
+func (r readCloseWrapper) Close() error {
+	if r.closeFunc != nil {
+		return r.closeFunc()
+	}
+	return nil
+}
+
+// GetBlob returns a stream for the specified blob, and the blob’s size (or -1 if unknown).
+func (s *Source) GetBlob(info types.BlobInfo) (io.ReadCloser, int64, error) {
+	if err := s.ensureCachedDataIsPresent(); err != nil {
+		return nil, 0, err
+	}
+
+	if info.Digest == s.configDigest { // FIXME? Implement a more general algorithm matching instead of assuming sha256.
+		return ioutil.NopCloser(bytes.NewReader(s.configBytes)), int64(len(s.configBytes)), nil
+	}
+
+	if li, ok := s.knownLayers[diffID(info.Digest)]; ok { // diffID is a digest of the uncompressed tarball,
+		stream, err := s.openTarComponent(li.path)
+		if err != nil {
+			return nil, 0, err
+		}
+
+		// In order to handle the fact that digests != diffIDs (and thus that a
+		// caller which is trying to verify the blob will run into problems),
+		// we need to decompress blobs. This is a bit ugly, but it's a
+		// consequence of making everything addressable by their DiffID rather
+		// than by their digest...
+		//
+		// In particular, because the v2s2 manifest being generated uses
+		// DiffIDs, any caller of GetBlob is going to be asking for DiffIDs of
+		// layers not their _actual_ digest. The result is that copy/... will
+		// be verifing a "digest" which is not the actual layer's digest (but
+		// is instead the DiffID).
+
+		decompressFunc, reader, err := compression.DetectCompression(stream)
+		if err != nil {
+			return nil, 0, errors.Wrapf(err, "Detecting compression in blob %s", info.Digest)
+		}
+
+		if decompressFunc != nil {
+			reader, err = decompressFunc(reader)
+			if err != nil {
+				return nil, 0, errors.Wrapf(err, "Decompressing blob %s stream", info.Digest)
+			}
+		}
+
+		newStream := readCloseWrapper{
+			Reader:    reader,
+			closeFunc: stream.Close,
+		}
+
+		return newStream, li.size, nil
+	}
+
+	return nil, 0, errors.Errorf("Unknown blob %s", info.Digest)
+}
+
+// GetSignatures returns the image's signatures.  It may use a remote (= slow) service.
+func (s *Source) GetSignatures(ctx context.Context) ([][]byte, error) {
+	return [][]byte{}, nil
+}
--- a/vendor/github.com/containers/image/docker/daemon/daemon_types.go
+++ b/vendor/github.com/containers/image/docker/daemon/daemon_types.go
@@ -1,6 +1,6 @@
-package daemon
+package tarfile

-import "github.com/docker/distribution/digest"
+import "github.com/opencontainers/go-digest"

 // Various data structures.

@@ -13,7 +13,8 @@ const (
 	// legacyRepositoriesFileName = "repositories"
 )

-type manifestItem struct {
+// ManifestItem is an element of the array stored in the top-level manifest.json file.
+type ManifestItem struct {
 	Config       string
 	RepoTags     []string
 	Layers       []string
@@ -43,7 +44,7 @@ type schema2Manifest struct {

 // Based on github.com/docker/docker/image/image.go
 // MOST CONTENT OMITTED AS UNNECESSARY
-type dockerImage struct {
+type image struct {
 	RootFS *rootFS `json:"rootfs,omitempty"`
 }

--- a/vendor/github.com/containers/image/image/docker_list.go
+++ b/vendor/github.com/containers/image/image/docker_list.go
@@ -2,13 +2,12 @@ package image

 import (
 	"encoding/json"
-	"errors"
-	"fmt"
 	"runtime"

 	"github.com/containers/image/manifest"
 	"github.com/containers/image/types"
-	"github.com/docker/distribution/digest"
+	"github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
 )

 type platformSpec struct {
@@ -17,7 +16,7 @@ type platformSpec struct {
 	OSVersion    string   `json:"os.version,omitempty"`
 	OSFeatures   []string `json:"os.features,omitempty"`
 	Variant      string   `json:"variant,omitempty"`
-	Features     []string `json:"features,omitempty"`
+	Features     []string `json:"features,omitempty"` // removed in OCI
 }

 // A manifestDescriptor references a platform-specific manifest.
@@ -54,10 +53,10 @@ func manifestSchema2FromManifestList(src types.ImageSource, manblob []byte) (gen

 	matches, err := manifest.MatchesDigest(manblob, targetManifestDigest)
 	if err != nil {
-		return nil, fmt.Errorf("Error computing manifest digest: %v", err)
+		return nil, errors.Wrap(err, "Error computing manifest digest")
 	}
 	if !matches {
-		return nil, fmt.Errorf("Manifest image does not match selected manifest digest %s", targetManifestDigest)
+		return nil, errors.Errorf("Manifest image does not match selected manifest digest %s", targetManifestDigest)
 	}

 	return manifestInstanceFromBlob(src, manblob, mt)
--- a/vendor/github.com/containers/image/image/docker_schema1.go
+++ b/vendor/github.com/containers/image/image/docker_schema1.go
@@ -2,8 +2,6 @@ package image

 import (
 	"encoding/json"
-	"errors"
-	"fmt"
 	"regexp"
 	"strings"
 	"time"
@@ -11,7 +9,9 @@ import (
 	"github.com/containers/image/docker/reference"
 	"github.com/containers/image/manifest"
 	"github.com/containers/image/types"
-	"github.com/docker/distribution/digest"
+	"github.com/opencontainers/go-digest"
+	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
 )

 var (
@@ -54,7 +54,7 @@ func manifestSchema1FromManifest(manifest []byte) (genericManifest, error) {
 		return nil, err
 	}
 	if mschema1.SchemaVersion != 1 {
-		return nil, fmt.Errorf("unsupported schema version %d", mschema1.SchemaVersion)
+		return nil, errors.Errorf("unsupported schema version %d", mschema1.SchemaVersion)
 	}
 	if len(mschema1.FSLayers) != len(mschema1.History) {
 		return nil, errors.New("length of history not equal to number of layers")
@@ -73,7 +73,7 @@ func manifestSchema1FromManifest(manifest []byte) (genericManifest, error) {
 func manifestSchema1FromComponents(ref reference.Named, fsLayers []fsLayersSchema1, history []historySchema1, architecture string) genericManifest {
 	var name, tag string
 	if ref != nil { // Well, what to do if it _is_ nil? Most consumers actually don't use these fields nowadays, so we might as well try not supplying them.
-		name = ref.RemoteName()
+		name = reference.Path(ref)
 		if tagged, ok := ref.(reference.NamedTagged); ok {
 			tag = tagged.Tag()
 		}
@@ -113,6 +113,17 @@ func (m *manifestSchema1) ConfigBlob() ([]byte, error) {
 	return nil, nil
 }

+// OCIConfig returns the image configuration as per OCI v1 image-spec. Information about
+// layers in the resulting configuration isn't guaranteed to be returned to due how
+// old image manifests work (docker v2s1 especially).
+func (m *manifestSchema1) OCIConfig() (*imgspecv1.Image, error) {
+	v2s2, err := m.convertToManifestSchema2(nil, nil)
+	if err != nil {
+		return nil, err
+	}
+	return v2s2.OCIConfig()
+}
+
 // LayerInfos returns a list of BlobInfos of layers referenced by this image, in order (the root layer first, and then successive layered layers).
 // The Digest field is guaranteed to be provided; Size may be -1.
 // WARNING: The list may contain duplicates, and they are semantically relevant.
@@ -124,19 +135,43 @@ func (m *manifestSchema1) LayerInfos() []types.BlobInfo {
 	return layers
 }

+// EmbeddedDockerReferenceConflicts whether a Docker reference embedded in the manifest, if any, conflicts with destination ref.
+// It returns false if the manifest does not embed a Docker reference.
+// (This embedding unfortunately happens for Docker schema1, please do not add support for this in any new formats.)
+func (m *manifestSchema1) EmbeddedDockerReferenceConflicts(ref reference.Named) bool {
+	// This is a bit convoluted: We can’t just have a "get embedded docker reference" method
+	// and have the “does it conflict” logic in the generic copy code, because the manifest does not actually
+	// embed a full docker/distribution reference, but only the repo name and tag (without the host name).
+	// So we would have to provide a “return repo without host name, and tag” getter for the generic code,
+	// which would be very awkward.  Instead, we do the matching here in schema1-specific code, and all the
+	// generic copy code needs to know about is reference.Named and that a manifest may need updating
+	// for some destinations.
+	name := reference.Path(ref)
+	var tag string
+	if tagged, isTagged := ref.(reference.NamedTagged); isTagged {
+		tag = tagged.Tag()
+	} else {
+		tag = ""
+	}
+	return m.Name != name || m.Tag != tag
+}
+
 func (m *manifestSchema1) imageInspectInfo() (*types.ImageInspectInfo, error) {
 	v1 := &v1Image{}
 	if err := json.Unmarshal([]byte(m.History[0].V1Compatibility), v1); err != nil {
 		return nil, err
 	}
-	return &types.ImageInspectInfo{
+	i := &types.ImageInspectInfo{
 		Tag:           m.Tag,
 		DockerVersion: v1.DockerVersion,
 		Created:       v1.Created,
-		Labels:        v1.Config.Labels,
 		Architecture:  v1.Architecture,
 		Os:            v1.OS,
-	}, nil
+	}
+	if v1.Config != nil {
+		i.Labels = v1.Config.Labels
+	}
+	return i, nil
 }

 // UpdatedImageNeedsLayerDiffIDs returns true iff UpdatedImage(options) needs InformationOnly.LayerDiffIDs.
@@ -153,7 +188,7 @@ func (m *manifestSchema1) UpdatedImage(options types.ManifestUpdateOptions) (typ
 	if options.LayerInfos != nil {
 		// Our LayerInfos includes empty layers (where m.History.V1Compatibility->ThrowAway), so expect them to be included here as well.
 		if len(copy.FSLayers) != len(options.LayerInfos) {
-			return nil, fmt.Errorf("Error preparing updated manifest: layer count changed from %d to %d", len(copy.FSLayers), len(options.LayerInfos))
+			return nil, errors.Errorf("Error preparing updated manifest: layer count changed from %d to %d", len(copy.FSLayers), len(options.LayerInfos))
 		}
 		for i, info := range options.LayerInfos {
 			// (docker push) sets up m.History.V1Compatibility->{Id,Parent} based on values of info.Digest,
@@ -162,6 +197,14 @@ func (m *manifestSchema1) UpdatedImage(options types.ManifestUpdateOptions) (typ
 			copy.FSLayers[(len(options.LayerInfos)-1)-i].BlobSum = info.Digest
 		}
 	}
+	if options.EmbeddedDockerReference != nil {
+		copy.Name = reference.Path(options.EmbeddedDockerReference)
+		if tagged, isTagged := options.EmbeddedDockerReference.(reference.NamedTagged); isTagged {
+			copy.Tag = tagged.Tag()
+		} else {
+			copy.Tag = ""
+		}
+	}

 	switch options.ManifestMIMEType {
 	case "": // No conversion, OK
@@ -171,7 +214,7 @@ func (m *manifestSchema1) UpdatedImage(options types.ManifestUpdateOptions) (typ
 	case manifest.DockerV2Schema2MediaType:
 		return copy.convertToManifestSchema2(options.InformationOnly.LayerInfos, options.InformationOnly.LayerDiffIDs)
 	default:
-		return nil, fmt.Errorf("Conversion of image manifest from %s to %s is not implemented", manifest.DockerV2Schema1SignedMediaType, options.ManifestMIMEType)
+		return nil, errors.Errorf("Conversion of image manifest from %s to %s is not implemented", manifest.DockerV2Schema1SignedMediaType, options.ManifestMIMEType)
 	}

 	return memoryImageFromManifest(&copy), nil
@@ -211,7 +254,7 @@ func fixManifestLayers(manifest *manifestSchema1) error {
 	for _, img := range imgs {
 		// skip IDs that appear after each other, we handle those later
 		if _, exists := idmap[img.ID]; img.ID != lastID && exists {
-			return fmt.Errorf("ID %+v appears multiple times in manifest", img.ID)
+			return errors.Errorf("ID %+v appears multiple times in manifest", img.ID)
 		}
 		lastID = img.ID
 		idmap[lastID] = struct{}{}
@@ -222,7 +265,7 @@ func fixManifestLayers(manifest *manifestSchema1) error {
 			manifest.FSLayers = append(manifest.FSLayers[:i], manifest.FSLayers[i+1:]...)
 			manifest.History = append(manifest.History[:i], manifest.History[i+1:]...)
 		} else if imgs[i].Parent != imgs[i+1].ID {
-			return fmt.Errorf("Invalid parent ID. Expected %v, got %v", imgs[i+1].ID, imgs[i].Parent)
+			return errors.Errorf("Invalid parent ID. Expected %v, got %v", imgs[i+1].ID, imgs[i].Parent)
 		}
 	}
 	return nil
@@ -230,7 +273,7 @@ func fixManifestLayers(manifest *manifestSchema1) error {

 func validateV1ID(id string) error {
 	if ok := validHex.MatchString(id); !ok {
-		return fmt.Errorf("image ID %q is invalid", id)
+		return errors.Errorf("image ID %q is invalid", id)
 	}
 	return nil
 }
@@ -239,16 +282,16 @@ func validateV1ID(id string) error {
 func (m *manifestSchema1) convertToManifestSchema2(uploadedLayerInfos []types.BlobInfo, layerDiffIDs []digest.Digest) (types.Image, error) {
 	if len(m.History) == 0 {
 		// What would this even mean?! Anyhow, the rest of the code depends on fsLayers[0] and history[0] existing.
-		return nil, fmt.Errorf("Cannot convert an image with 0 history entries to %s", manifest.DockerV2Schema2MediaType)
+		return nil, errors.Errorf("Cannot convert an image with 0 history entries to %s", manifest.DockerV2Schema2MediaType)
 	}
 	if len(m.History) != len(m.FSLayers) {
-		return nil, fmt.Errorf("Inconsistent schema 1 manifest: %d history entries, %d fsLayers entries", len(m.History), len(m.FSLayers))
+		return nil, errors.Errorf("Inconsistent schema 1 manifest: %d history entries, %d fsLayers entries", len(m.History), len(m.FSLayers))
 	}
-	if len(uploadedLayerInfos) != len(m.FSLayers) {
-		return nil, fmt.Errorf("Internal error: uploaded %d blobs, but schema1 manifest has %d fsLayers", len(uploadedLayerInfos), len(m.FSLayers))
+	if uploadedLayerInfos != nil && len(uploadedLayerInfos) != len(m.FSLayers) {
+		return nil, errors.Errorf("Internal error: uploaded %d blobs, but schema1 manifest has %d fsLayers", len(uploadedLayerInfos), len(m.FSLayers))
 	}
-	if len(layerDiffIDs) != len(m.FSLayers) {
-		return nil, fmt.Errorf("Internal error: collected %d DiffID values, but schema1 manifest has %d fsLayers", len(layerDiffIDs), len(m.FSLayers))
+	if layerDiffIDs != nil && len(layerDiffIDs) != len(m.FSLayers) {
+		return nil, errors.Errorf("Internal error: collected %d DiffID values, but schema1 manifest has %d fsLayers", len(layerDiffIDs), len(m.FSLayers))
 	}

 	rootFS := rootFS{
@@ -263,7 +306,7 @@ func (m *manifestSchema1) convertToManifestSchema2(uploadedLayerInfos []types.Bl

 		var v1compat v1Compatibility
 		if err := json.Unmarshal([]byte(m.History[v1Index].V1Compatibility), &v1compat); err != nil {
-			return nil, fmt.Errorf("Error decoding history entry %d: %v", v1Index, err)
+			return nil, errors.Wrapf(err, "Error decoding history entry %d", v1Index)
 		}
 		history[v2Index] = imageHistory{
 			Created:    v1compat.Created,
@@ -274,12 +317,20 @@ func (m *manifestSchema1) convertToManifestSchema2(uploadedLayerInfos []types.Bl
 		}

 		if !v1compat.ThrowAway {
+			var size int64
+			if uploadedLayerInfos != nil {
+				size = uploadedLayerInfos[v2Index].Size
+			}
+			var d digest.Digest
+			if layerDiffIDs != nil {
+				d = layerDiffIDs[v2Index]
+			}
 			layers = append(layers, descriptor{
 				MediaType: "application/vnd.docker.image.rootfs.diff.tar.gzip",
-				Size:      uploadedLayerInfos[v2Index].Size,
+				Size:      size,
 				Digest:    m.FSLayers[v1Index].BlobSum,
 			})
-			rootFS.DiffIDs = append(rootFS.DiffIDs, layerDiffIDs[v2Index])
+			rootFS.DiffIDs = append(rootFS.DiffIDs, d)
 		}
 	}
 	configJSON, err := configJSONFromV1Config([]byte(m.History[0].V1Compatibility), rootFS, history)
--- a/vendor/github.com/containers/image/image/docker_schema2.go
+++ b/vendor/github.com/containers/image/image/docker_schema2.go
@@ -5,14 +5,16 @@ import (
 	"crypto/sha256"
 	"encoding/hex"
 	"encoding/json"
-	"fmt"
 	"io/ioutil"
 	"strings"

-	"github.com/Sirupsen/logrus"
+	"github.com/containers/image/docker/reference"
 	"github.com/containers/image/manifest"
 	"github.com/containers/image/types"
-	"github.com/docker/distribution/digest"
+	"github.com/opencontainers/go-digest"
+	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 )

 // gzippedEmptyLayer is a gzip-compressed version of an empty tar file (1024 NULL bytes)
@@ -77,12 +79,30 @@ func (m *manifestSchema2) ConfigInfo() types.BlobInfo {
 	return types.BlobInfo{Digest: m.ConfigDescriptor.Digest, Size: m.ConfigDescriptor.Size}
 }

+// OCIConfig returns the image configuration as per OCI v1 image-spec. Information about
+// layers in the resulting configuration isn't guaranteed to be returned to due how
+// old image manifests work (docker v2s1 especially).
+func (m *manifestSchema2) OCIConfig() (*imgspecv1.Image, error) {
+	configBlob, err := m.ConfigBlob()
+	if err != nil {
+		return nil, err
+	}
+	// docker v2s2 and OCI v1 are mostly compatible but v2s2 contains more fields
+	// than OCI v1. This unmarshal makes sure we drop docker v2s2
+	// fields that aren't needed in OCI v1.
+	configOCI := &imgspecv1.Image{}
+	if err := json.Unmarshal(configBlob, configOCI); err != nil {
+		return nil, err
+	}
+	return configOCI, nil
+}
+
 // ConfigBlob returns the blob described by ConfigInfo, iff ConfigInfo().Digest != ""; nil otherwise.
 // The result is cached; it is OK to call this however often you need.
 func (m *manifestSchema2) ConfigBlob() ([]byte, error) {
 	if m.configBlob == nil {
 		if m.src == nil {
-			return nil, fmt.Errorf("Internal error: neither src nor configBlob set in manifestSchema2")
+			return nil, errors.Errorf("Internal error: neither src nor configBlob set in manifestSchema2")
 		}
 		stream, _, err := m.src.GetBlob(types.BlobInfo{
 			Digest: m.ConfigDescriptor.Digest,
@@ -99,7 +119,7 @@ func (m *manifestSchema2) ConfigBlob() ([]byte, error) {
 		}
 		computedDigest := digest.FromBytes(blob)
 		if computedDigest != m.ConfigDescriptor.Digest {
-			return nil, fmt.Errorf("Download config.json digest %s does not match expected %s", computedDigest, m.ConfigDescriptor.Digest)
+			return nil, errors.Errorf("Download config.json digest %s does not match expected %s", computedDigest, m.ConfigDescriptor.Digest)
 		}
 		m.configBlob = blob
 	}
@@ -121,6 +141,13 @@ func (m *manifestSchema2) LayerInfos() []types.BlobInfo {
 	return blobs
 }

+// EmbeddedDockerReferenceConflicts whether a Docker reference embedded in the manifest, if any, conflicts with destination ref.
+// It returns false if the manifest does not embed a Docker reference.
+// (This embedding unfortunately happens for Docker schema1, please do not add support for this in any new formats.)
+func (m *manifestSchema2) EmbeddedDockerReferenceConflicts(ref reference.Named) bool {
+	return false
+}
+
 func (m *manifestSchema2) imageInspectInfo() (*types.ImageInspectInfo, error) {
 	config, err := m.ConfigBlob()
 	if err != nil {
@@ -130,13 +157,16 @@ func (m *manifestSchema2) imageInspectInfo() (*types.ImageInspectInfo, error) {
 	if err := json.Unmarshal(config, v1); err != nil {
 		return nil, err
 	}
-	return &types.ImageInspectInfo{
+	i := &types.ImageInspectInfo{
 		DockerVersion: v1.DockerVersion,
 		Created:       v1.Created,
-		Labels:        v1.Config.Labels,
 		Architecture:  v1.Architecture,
 		Os:            v1.OS,
-	}, nil
+	}
+	if v1.Config != nil {
+		i.Labels = v1.Config.Labels
+	}
+	return i, nil
 }

 // UpdatedImageNeedsLayerDiffIDs returns true iff UpdatedImage(options) needs InformationOnly.LayerDiffIDs.
@@ -152,27 +182,65 @@ func (m *manifestSchema2) UpdatedImage(options types.ManifestUpdateOptions) (typ
 	copy := *m // NOTE: This is not a deep copy, it still shares slices etc.
 	if options.LayerInfos != nil {
 		if len(copy.LayersDescriptors) != len(options.LayerInfos) {
-			return nil, fmt.Errorf("Error preparing updated manifest: layer count changed from %d to %d", len(copy.LayersDescriptors), len(options.LayerInfos))
+			return nil, errors.Errorf("Error preparing updated manifest: layer count changed from %d to %d", len(copy.LayersDescriptors), len(options.LayerInfos))
 		}
 		copy.LayersDescriptors = make([]descriptor, len(options.LayerInfos))
 		for i, info := range options.LayerInfos {
+			copy.LayersDescriptors[i].MediaType = m.LayersDescriptors[i].MediaType
 			copy.LayersDescriptors[i].Digest = info.Digest
 			copy.LayersDescriptors[i].Size = info.Size
 			copy.LayersDescriptors[i].URLs = info.URLs
 		}
 	}
+	// Ignore options.EmbeddedDockerReference: it may be set when converting from schema1 to schema2, but we really don't care.

 	switch options.ManifestMIMEType {
 	case "": // No conversion, OK
 	case manifest.DockerV2Schema1SignedMediaType, manifest.DockerV2Schema1MediaType:
 		return copy.convertToManifestSchema1(options.InformationOnly.Destination)
+	case imgspecv1.MediaTypeImageManifest:
+		return copy.convertToManifestOCI1()
 	default:
-		return nil, fmt.Errorf("Conversion of image manifest from %s to %s is not implemented", manifest.DockerV2Schema2MediaType, options.ManifestMIMEType)
+		return nil, errors.Errorf("Conversion of image manifest from %s to %s is not implemented", manifest.DockerV2Schema2MediaType, options.ManifestMIMEType)
 	}

 	return memoryImageFromManifest(&copy), nil
 }

+func (m *manifestSchema2) convertToManifestOCI1() (types.Image, error) {
+	configOCI, err := m.OCIConfig()
+	if err != nil {
+		return nil, err
+	}
+	configOCIBytes, err := json.Marshal(configOCI)
+	if err != nil {
+		return nil, err
+	}
+
+	config := descriptorOCI1{
+		descriptor: descriptor{
+			MediaType: imgspecv1.MediaTypeImageConfig,
+			Size:      int64(len(configOCIBytes)),
+			Digest:    digest.FromBytes(configOCIBytes),
+		},
+	}
+
+	layers := make([]descriptorOCI1, len(m.LayersDescriptors))
+	for idx := range layers {
+		layers[idx] = descriptorOCI1{descriptor: m.LayersDescriptors[idx]}
+		if m.LayersDescriptors[idx].MediaType == manifest.DockerV2Schema2ForeignLayerMediaType {
+			layers[idx].MediaType = imgspecv1.MediaTypeImageLayerNonDistributable
+		} else {
+			// we assume layers are gzip'ed because docker v2s2 only deals with
+			// gzip'ed layers. However, OCI has non-gzip'ed layers as well.
+			layers[idx].MediaType = imgspecv1.MediaTypeImageLayerGzip
+		}
+	}
+
+	m1 := manifestOCI1FromComponents(config, m.src, configOCIBytes, layers)
+	return memoryImageFromManifest(m1), nil
+}
+
 // Based on docker/distribution/manifest/schema1/config_builder.go
 func (m *manifestSchema2) convertToManifestSchema1(dest types.ImageDestination) (types.Image, error) {
 	configBytes, err := m.ConfigBlob()
@@ -193,7 +261,7 @@ func (m *manifestSchema2) convertToManifestSchema1(dest types.ImageDestination)
 	haveGzippedEmptyLayer := false
 	if len(imageConfig.History) == 0 {
 		// What would this even mean?! Anyhow, the rest of the code depends on fsLayers[0] and history[0] existing.
-		return nil, fmt.Errorf("Cannot convert an image with 0 history entries to %s", manifest.DockerV2Schema1SignedMediaType)
+		return nil, errors.Errorf("Cannot convert an image with 0 history entries to %s", manifest.DockerV2Schema1SignedMediaType)
 	}
 	for v2Index, historyEntry := range imageConfig.History {
 		parentV1ID = v1ID
@@ -205,17 +273,17 @@ func (m *manifestSchema2) convertToManifestSchema1(dest types.ImageDestination)
 				logrus.Debugf("Uploading empty layer during conversion to schema 1")
 				info, err := dest.PutBlob(bytes.NewReader(gzippedEmptyLayer), types.BlobInfo{Digest: gzippedEmptyLayerDigest, Size: int64(len(gzippedEmptyLayer))})
 				if err != nil {
-					return nil, fmt.Errorf("Error uploading empty layer: %v", err)
+					return nil, errors.Wrap(err, "Error uploading empty layer")
 				}
 				if info.Digest != gzippedEmptyLayerDigest {
-					return nil, fmt.Errorf("Internal error: Uploaded empty layer has digest %#v instead of %s", info.Digest, gzippedEmptyLayerDigest)
+					return nil, errors.Errorf("Internal error: Uploaded empty layer has digest %#v instead of %s", info.Digest, gzippedEmptyLayerDigest)
 				}
 				haveGzippedEmptyLayer = true
 			}
 			blobDigest = gzippedEmptyLayerDigest
 		} else {
 			if nonemptyLayerIndex >= len(m.LayersDescriptors) {
-				return nil, fmt.Errorf("Invalid image configuration, needs more than the %d distributed layers", len(m.LayersDescriptors))
+				return nil, errors.Errorf("Invalid image configuration, needs more than the %d distributed layers", len(m.LayersDescriptors))
 			}
 			blobDigest = m.LayersDescriptors[nonemptyLayerIndex].Digest
 			nonemptyLayerIndex++
@@ -239,7 +307,7 @@ func (m *manifestSchema2) convertToManifestSchema1(dest types.ImageDestination)
 		fakeImage.ContainerConfig.Cmd = []string{historyEntry.CreatedBy}
 		v1CompatibilityBytes, err := json.Marshal(&fakeImage)
 		if err != nil {
-			return nil, fmt.Errorf("Internal error: Error creating v1compatibility for %#v", fakeImage)
+			return nil, errors.Errorf("Internal error: Error creating v1compatibility for %#v", fakeImage)
 		}

 		fsLayers[v1Index] = fsLayersSchema1{BlobSum: blobDigest}
--- a/vendor/github.com/containers/image/image/manifest.go
+++ b/vendor/github.com/containers/image/image/manifest.go
@@ -3,11 +3,11 @@ package image
 import (
 	"time"

-	"github.com/docker/distribution/digest"
-	"github.com/docker/engine-api/types/strslice"
-
+	"github.com/containers/image/docker/reference"
 	"github.com/containers/image/manifest"
+	"github.com/containers/image/pkg/strslice"
 	"github.com/containers/image/types"
+	"github.com/opencontainers/go-digest"
 	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
 )

@@ -65,10 +65,18 @@ type genericManifest interface {
 	// ConfigBlob returns the blob described by ConfigInfo, iff ConfigInfo().Digest != ""; nil otherwise.
 	// The result is cached; it is OK to call this however often you need.
 	ConfigBlob() ([]byte, error)
+	// OCIConfig returns the image configuration as per OCI v1 image-spec. Information about
+	// layers in the resulting configuration isn't guaranteed to be returned to due how
+	// old image manifests work (docker v2s1 especially).
+	OCIConfig() (*imgspecv1.Image, error)
 	// LayerInfos returns a list of BlobInfos of layers referenced by this image, in order (the root layer first, and then successive layered layers).
 	// The Digest field is guaranteed to be provided; Size may be -1.
 	// WARNING: The list may contain duplicates, and they are semantically relevant.
 	LayerInfos() []types.BlobInfo
+	// EmbeddedDockerReferenceConflicts whether a Docker reference embedded in the manifest, if any, conflicts with destination ref.
+	// It returns false if the manifest does not embed a Docker reference.
+	// (This embedding unfortunately happens for Docker schema1, please do not add support for this in any new formats.)
+	EmbeddedDockerReferenceConflicts(ref reference.Named) bool
 	imageInspectInfo() (*types.ImageInspectInfo, error) // To be called by inspectManifest
 	// UpdatedImageNeedsLayerDiffIDs returns true iff UpdatedImage(options) needs InformationOnly.LayerDiffIDs.
 	// This is a horribly specific interface, but computing InformationOnly.LayerDiffIDs can be very expensive to compute
--- a/vendor/github.com/containers/image/image/memory.go
+++ b/vendor/github.com/containers/image/image/memory.go
@@ -1,7 +1,9 @@
 package image

 import (
-	"errors"
+	"context"
+
+	"github.com/pkg/errors"

 	"github.com/containers/image/types"
 )
@@ -32,7 +34,13 @@ func (i *memoryImage) Reference() types.ImageReference {
 }

 // Close removes resources associated with an initialized UnparsedImage, if any.
-func (i *memoryImage) Close() {
+func (i *memoryImage) Close() error {
+	return nil
+}
+
+// Size returns the size of the image as stored, if known, or -1 if not.
+func (i *memoryImage) Size() (int64, error) {
+	return -1, nil
 }

 // Manifest is like ImageSource.GetManifest, but the result is cached; it is OK to call this however often you need.
@@ -48,7 +56,7 @@ func (i *memoryImage) Manifest() ([]byte, string, error) {
 }

 // Signatures is like ImageSource.GetSignatures, but the result is cached; it is OK to call this however often you need.
-func (i *memoryImage) Signatures() ([][]byte, error) {
+func (i *memoryImage) Signatures(ctx context.Context) ([][]byte, error) {
 	// Modifying an image invalidates signatures; a caller asking the updated image for signatures
 	// is probably confused.
 	return nil, errors.New("Internal error: Image.Signatures() is not supported for images modified in memory")
--- a/vendor/github.com/containers/image/image/oci.go
+++ b/vendor/github.com/containers/image/image/oci.go
@@ -2,22 +2,28 @@ package image

 import (
 	"encoding/json"
-	"fmt"
 	"io/ioutil"

+	"github.com/containers/image/docker/reference"
 	"github.com/containers/image/manifest"
 	"github.com/containers/image/types"
-	"github.com/docker/distribution/digest"
+	"github.com/opencontainers/go-digest"
 	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
 )

+type descriptorOCI1 struct {
+	descriptor
+	Annotations map[string]string `json:"annotations,omitempty"`
+}
+
 type manifestOCI1 struct {
 	src               types.ImageSource // May be nil if configBlob is not nil
 	configBlob        []byte            // If set, corresponds to contents of ConfigDescriptor.
 	SchemaVersion     int               `json:"schemaVersion"`
-	MediaType         string            `json:"mediaType"`
-	ConfigDescriptor  descriptor        `json:"config"`
-	LayersDescriptors []descriptor      `json:"layers"`
+	ConfigDescriptor  descriptorOCI1    `json:"config"`
+	LayersDescriptors []descriptorOCI1  `json:"layers"`
+	Annotations       map[string]string `json:"annotations,omitempty"`
 }

 func manifestOCI1FromManifest(src types.ImageSource, manifest []byte) (genericManifest, error) {
@@ -29,12 +35,11 @@ func manifestOCI1FromManifest(src types.ImageSource, manifest []byte) (genericMa
 }

 // manifestOCI1FromComponents builds a new manifestOCI1 from the supplied data:
-func manifestOCI1FromComponents(config descriptor, configBlob []byte, layers []descriptor) genericManifest {
+func manifestOCI1FromComponents(config descriptorOCI1, src types.ImageSource, configBlob []byte, layers []descriptorOCI1) genericManifest {
 	return &manifestOCI1{
-		src:               nil,
+		src:               src,
 		configBlob:        configBlob,
 		SchemaVersion:     2,
-		MediaType:         imgspecv1.MediaTypeImageManifest,
 		ConfigDescriptor:  config,
 		LayersDescriptors: layers,
 	}
@@ -45,13 +50,13 @@ func (m *manifestOCI1) serialize() ([]byte, error) {
 }

 func (m *manifestOCI1) manifestMIMEType() string {
-	return m.MediaType
+	return imgspecv1.MediaTypeImageManifest
 }

 // ConfigInfo returns a complete BlobInfo for the separate config object, or a BlobInfo{Digest:""} if there isn't a separate object.
 // Note that the config object may not exist in the underlying storage in the return value of UpdatedImage! Use ConfigBlob() below.
 func (m *manifestOCI1) ConfigInfo() types.BlobInfo {
-	return types.BlobInfo{Digest: m.ConfigDescriptor.Digest, Size: m.ConfigDescriptor.Size}
+	return types.BlobInfo{Digest: m.ConfigDescriptor.Digest, Size: m.ConfigDescriptor.Size, Annotations: m.ConfigDescriptor.Annotations}
 }

 // ConfigBlob returns the blob described by ConfigInfo, iff ConfigInfo().Digest != ""; nil otherwise.
@@ -59,7 +64,7 @@ func (m *manifestOCI1) ConfigInfo() types.BlobInfo {
 func (m *manifestOCI1) ConfigBlob() ([]byte, error) {
 	if m.configBlob == nil {
 		if m.src == nil {
-			return nil, fmt.Errorf("Internal error: neither src nor configBlob set in manifestOCI1")
+			return nil, errors.Errorf("Internal error: neither src nor configBlob set in manifestOCI1")
 		}
 		stream, _, err := m.src.GetBlob(types.BlobInfo{
 			Digest: m.ConfigDescriptor.Digest,
@@ -76,24 +81,46 @@ func (m *manifestOCI1) ConfigBlob() ([]byte, error) {
 		}
 		computedDigest := digest.FromBytes(blob)
 		if computedDigest != m.ConfigDescriptor.Digest {
-			return nil, fmt.Errorf("Download config.json digest %s does not match expected %s", computedDigest, m.ConfigDescriptor.Digest)
+			return nil, errors.Errorf("Download config.json digest %s does not match expected %s", computedDigest, m.ConfigDescriptor.Digest)
 		}
 		m.configBlob = blob
 	}
 	return m.configBlob, nil
 }

+// OCIConfig returns the image configuration as per OCI v1 image-spec. Information about
+// layers in the resulting configuration isn't guaranteed to be returned to due how
+// old image manifests work (docker v2s1 especially).
+func (m *manifestOCI1) OCIConfig() (*imgspecv1.Image, error) {
+	cb, err := m.ConfigBlob()
+	if err != nil {
+		return nil, err
+	}
+	configOCI := &imgspecv1.Image{}
+	if err := json.Unmarshal(cb, configOCI); err != nil {
+		return nil, err
+	}
+	return configOCI, nil
+}
+
 // LayerInfos returns a list of BlobInfos of layers referenced by this image, in order (the root layer first, and then successive layered layers).
 // The Digest field is guaranteed to be provided; Size may be -1.
 // WARNING: The list may contain duplicates, and they are semantically relevant.
 func (m *manifestOCI1) LayerInfos() []types.BlobInfo {
 	blobs := []types.BlobInfo{}
 	for _, layer := range m.LayersDescriptors {
-		blobs = append(blobs, types.BlobInfo{Digest: layer.Digest, Size: layer.Size})
+		blobs = append(blobs, types.BlobInfo{Digest: layer.Digest, Size: layer.Size, Annotations: layer.Annotations, URLs: layer.URLs, MediaType: layer.MediaType})
 	}
 	return blobs
 }

+// EmbeddedDockerReferenceConflicts whether a Docker reference embedded in the manifest, if any, conflicts with destination ref.
+// It returns false if the manifest does not embed a Docker reference.
+// (This embedding unfortunately happens for Docker schema1, please do not add support for this in any new formats.)
+func (m *manifestOCI1) EmbeddedDockerReferenceConflicts(ref reference.Named) bool {
+	return false
+}
+
 func (m *manifestOCI1) imageInspectInfo() (*types.ImageInspectInfo, error) {
 	config, err := m.ConfigBlob()
 	if err != nil {
@@ -103,13 +130,16 @@ func (m *manifestOCI1) imageInspectInfo() (*types.ImageInspectInfo, error) {
 	if err := json.Unmarshal(config, v1); err != nil {
 		return nil, err
 	}
-	return &types.ImageInspectInfo{
+	i := &types.ImageInspectInfo{
 		DockerVersion: v1.DockerVersion,
 		Created:       v1.Created,
-		Labels:        v1.Config.Labels,
 		Architecture:  v1.Architecture,
 		Os:            v1.OS,
-	}, nil
+	}
+	if v1.Config != nil {
+		i.Labels = v1.Config.Labels
+	}
+	return i, nil
 }

 // UpdatedImageNeedsLayerDiffIDs returns true iff UpdatedImage(options) needs InformationOnly.LayerDiffIDs.
@@ -125,21 +155,25 @@ func (m *manifestOCI1) UpdatedImage(options types.ManifestUpdateOptions) (types.
 	copy := *m // NOTE: This is not a deep copy, it still shares slices etc.
 	if options.LayerInfos != nil {
 		if len(copy.LayersDescriptors) != len(options.LayerInfos) {
-			return nil, fmt.Errorf("Error preparing updated manifest: layer count changed from %d to %d", len(copy.LayersDescriptors), len(options.LayerInfos))
+			return nil, errors.Errorf("Error preparing updated manifest: layer count changed from %d to %d", len(copy.LayersDescriptors), len(options.LayerInfos))
 		}
-		copy.LayersDescriptors = make([]descriptor, len(options.LayerInfos))
+		copy.LayersDescriptors = make([]descriptorOCI1, len(options.LayerInfos))
 		for i, info := range options.LayerInfos {
+			copy.LayersDescriptors[i].MediaType = m.LayersDescriptors[i].MediaType
 			copy.LayersDescriptors[i].Digest = info.Digest
 			copy.LayersDescriptors[i].Size = info.Size
+			copy.LayersDescriptors[i].Annotations = info.Annotations
+			copy.LayersDescriptors[i].URLs = info.URLs
 		}
 	}
+	// Ignore options.EmbeddedDockerReference: it may be set when converting from schema1, but we really don't care.

 	switch options.ManifestMIMEType {
 	case "": // No conversion, OK
 	case manifest.DockerV2Schema2MediaType:
 		return copy.convertToManifestSchema2()
 	default:
-		return nil, fmt.Errorf("Conversion of image manifest from %s to %s is not implemented", imgspecv1.MediaTypeImageManifest, options.ManifestMIMEType)
+		return nil, errors.Errorf("Conversion of image manifest from %s to %s is not implemented", imgspecv1.MediaTypeImageManifest, options.ManifestMIMEType)
 	}

 	return memoryImageFromManifest(&copy), nil
@@ -147,7 +181,7 @@ func (m *manifestOCI1) UpdatedImage(options types.ManifestUpdateOptions) (types.

 func (m *manifestOCI1) convertToManifestSchema2() (types.Image, error) {
 	// Create a copy of the descriptor.
-	config := m.ConfigDescriptor
+	config := m.ConfigDescriptor.descriptor

 	// The only difference between OCI and DockerSchema2 is the mediatypes. The
 	// media type of the manifest is handled by manifestSchema2FromComponents.
@@ -155,7 +189,7 @@ func (m *manifestOCI1) convertToManifestSchema2() (types.Image, error) {

 	layers := make([]descriptor, len(m.LayersDescriptors))
 	for idx := range layers {
-		layers[idx] = m.LayersDescriptors[idx]
+		layers[idx] = m.LayersDescriptors[idx].descriptor
 		layers[idx].MediaType = manifest.DockerV2Schema2LayerMediaType
 	}

--- a/vendor/github.com/containers/image/image/sourced.go
+++ b/vendor/github.com/containers/image/image/sourced.go
@@ -71,6 +71,11 @@ func FromUnparsedImage(unparsed *UnparsedImage) (types.Image, error) {
 	}, nil
 }

+// Size returns the size of the image as stored, if it's known, or -1 if it isn't.
+func (i *sourcedImage) Size() (int64, error) {
+	return -1, nil
+}
+
 // Manifest overrides the UnparsedImage.Manifest to always use the fields which we have already fetched.
 func (i *sourcedImage) Manifest() ([]byte, string, error) {
 	return i.manifestBlob, i.manifestMIMEType, nil
--- a/vendor/github.com/containers/image/image/unparsed.go
+++ b/vendor/github.com/containers/image/image/unparsed.go
@@ -1,11 +1,13 @@
 package image

 import (
-	"fmt"
+	"context"

 	"github.com/containers/image/docker/reference"
 	"github.com/containers/image/manifest"
 	"github.com/containers/image/types"
+	"github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
 )

 // UnparsedImage implements types.UnparsedImage .
@@ -36,8 +38,8 @@ func (i *UnparsedImage) Reference() types.ImageReference {
 }

 // Close removes resources associated with an initialized UnparsedImage, if any.
-func (i *UnparsedImage) Close() {
-	i.src.Close()
+func (i *UnparsedImage) Close() error {
+	return i.src.Close()
 }

 // Manifest is like ImageSource.GetManifest, but the result is cached; it is OK to call this however often you need.
@@ -53,13 +55,13 @@ func (i *UnparsedImage) Manifest() ([]byte, string, error) {
 		ref := i.Reference().DockerReference()
 		if ref != nil {
 			if canonical, ok := ref.(reference.Canonical); ok {
-				digest := canonical.Digest()
+				digest := digest.Digest(canonical.Digest())
 				matches, err := manifest.MatchesDigest(m, digest)
 				if err != nil {
-					return nil, "", fmt.Errorf("Error computing manifest digest: %v", err)
+					return nil, "", errors.Wrap(err, "Error computing manifest digest")
 				}
 				if !matches {
-					return nil, "", fmt.Errorf("Manifest does not match provided manifest digest %s", digest)
+					return nil, "", errors.Errorf("Manifest does not match provided manifest digest %s", digest)
 				}
 			}
 		}
@@ -71,9 +73,9 @@ func (i *UnparsedImage) Manifest() ([]byte, string, error) {
 }

 // Signatures is like ImageSource.GetSignatures, but the result is cached; it is OK to call this however often you need.
-func (i *UnparsedImage) Signatures() ([][]byte, error) {
+func (i *UnparsedImage) Signatures(ctx context.Context) ([][]byte, error) {
 	if i.cachedSignatures == nil {
-		sigs, err := i.src.GetSignatures()
+		sigs, err := i.src.GetSignatures(ctx)
 		if err != nil {
 			return nil, err
 		}
--- a/vendor/github.com/containers/image/manifest/manifest.go
+++ b/vendor/github.com/containers/image/manifest/manifest.go
@@ -3,8 +3,8 @@ package manifest
 import (
 	"encoding/json"

-	"github.com/docker/distribution/digest"
 	"github.com/docker/libtrust"
+	"github.com/opencontainers/go-digest"
 	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
 )

@@ -35,7 +35,7 @@ var DefaultRequestedManifestMIMETypes = []string{
 	DockerV2Schema2MediaType,
 	DockerV2Schema1SignedMediaType,
 	DockerV2Schema1MediaType,
-	DockerV2ListMediaType,
+	// DockerV2ListMediaType, // FIXME: Restore this ASAP
 }

 // GuessMIMEType guesses MIME type of a manifest and returns it _if it is recognized_, or "" if unknown or unrecognized.
@@ -54,7 +54,7 @@ func GuessMIMEType(manifest []byte) string {
 	}

 	switch meta.MediaType {
-	case DockerV2Schema2MediaType, DockerV2ListMediaType, imgspecv1.MediaTypeImageManifest, imgspecv1.MediaTypeImageManifestList: // A recognized type.
+	case DockerV2Schema2MediaType, DockerV2ListMediaType: // A recognized type.
 		return meta.MediaType
 	}
 	// this is the only way the function can return DockerV2Schema1MediaType, and recognizing that is essential for stripping the JWS signatures = computing the correct manifest digest.
@@ -64,7 +64,31 @@ func GuessMIMEType(manifest []byte) string {
 			return DockerV2Schema1SignedMediaType
 		}
 		return DockerV2Schema1MediaType
-	case 2: // Really should not happen, meta.MediaType should have been set. But given the data, this is our best guess.
+	case 2:
+		// best effort to understand if this is an OCI image since mediaType
+		// isn't in the manifest for OCI anymore
+		// for docker v2s2 meta.MediaType should have been set. But given the data, this is our best guess.
+		ociMan := struct {
+			Config struct {
+				MediaType string `json:"mediaType"`
+			} `json:"config"`
+			Layers []imgspecv1.Descriptor `json:"layers"`
+		}{}
+		if err := json.Unmarshal(manifest, &ociMan); err != nil {
+			return ""
+		}
+		if ociMan.Config.MediaType == imgspecv1.MediaTypeImageConfig && len(ociMan.Layers) != 0 {
+			return imgspecv1.MediaTypeImageManifest
+		}
+		ociIndex := struct {
+			Manifests []imgspecv1.Descriptor `json:"manifests"`
+		}{}
+		if err := json.Unmarshal(manifest, &ociIndex); err != nil {
+			return ""
+		}
+		if len(ociIndex.Manifests) != 0 && ociIndex.Manifests[0].MediaType == imgspecv1.MediaTypeImageManifest {
+			return imgspecv1.MediaTypeImageIndex
+		}
 		return DockerV2Schema2MediaType
 	}
 	return ""
--- a/vendor/github.com/containers/image/oci/archive/oci_dest.go
+++ b/vendor/github.com/containers/image/oci/archive/oci_dest.go
@@ -0,0 +1,131 @@
+package archive
+
+import (
+	"io"
+	"os"
+
+	"github.com/containers/image/types"
+	"github.com/containers/storage/pkg/archive"
+	"github.com/pkg/errors"
+)
+
+type ociArchiveImageDestination struct {
+	ref          ociArchiveReference
+	unpackedDest types.ImageDestination
+	tempDirRef   tempDirOCIRef
+}
+
+// newImageDestination returns an ImageDestination for writing to an existing directory.
+func newImageDestination(ctx *types.SystemContext, ref ociArchiveReference) (types.ImageDestination, error) {
+	tempDirRef, err := createOCIRef(ref.image)
+	if err != nil {
+		return nil, errors.Wrapf(err, "error creating oci reference")
+	}
+	unpackedDest, err := tempDirRef.ociRefExtracted.NewImageDestination(ctx)
+	if err != nil {
+		if err := tempDirRef.deleteTempDir(); err != nil {
+			return nil, errors.Wrapf(err, "error deleting temp directory", tempDirRef.tempDirectory)
+		}
+		return nil, err
+	}
+	return &ociArchiveImageDestination{ref: ref,
+		unpackedDest: unpackedDest,
+		tempDirRef:   tempDirRef}, nil
+}
+
+// Reference returns the reference used to set up this destination.
+func (d *ociArchiveImageDestination) Reference() types.ImageReference {
+	return d.ref
+}
+
+// Close removes resources associated with an initialized ImageDestination, if any
+// Close deletes the temp directory of the oci-archive image
+func (d *ociArchiveImageDestination) Close() error {
+	defer d.tempDirRef.deleteTempDir()
+	return d.unpackedDest.Close()
+}
+
+func (d *ociArchiveImageDestination) SupportedManifestMIMETypes() []string {
+	return d.unpackedDest.SupportedManifestMIMETypes()
+}
+
+// SupportsSignatures returns an error (to be displayed to the user) if the destination certainly can't store signatures
+func (d *ociArchiveImageDestination) SupportsSignatures() error {
+	return d.unpackedDest.SupportsSignatures()
+}
+
+// ShouldCompressLayers returns true iff it is desirable to compress layer blobs written to this destination
+func (d *ociArchiveImageDestination) ShouldCompressLayers() bool {
+	return d.unpackedDest.ShouldCompressLayers()
+}
+
+// AcceptsForeignLayerURLs returns false iff foreign layers in manifest should be actually
+// uploaded to the image destination, true otherwise.
+func (d *ociArchiveImageDestination) AcceptsForeignLayerURLs() bool {
+	return d.unpackedDest.AcceptsForeignLayerURLs()
+}
+
+// MustMatchRuntimeOS returns true iff the destination can store only images targeted for the current runtime OS. False otherwise
+func (d *ociArchiveImageDestination) MustMatchRuntimeOS() bool {
+	return d.unpackedDest.MustMatchRuntimeOS()
+}
+
+// PutBlob writes contents of stream and returns data representing the result (with all data filled in).
+// inputInfo.Digest can be optionally provided if known; it is not mandatory for the implementation to verify it.
+// inputInfo.Size is the expected length of stream, if known.
+func (d *ociArchiveImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobInfo) (types.BlobInfo, error) {
+	return d.unpackedDest.PutBlob(stream, inputInfo)
+}
+
+// HasBlob returns true iff the image destination already contains a blob with the matching digest which can be reapplied using ReapplyBlob
+func (d *ociArchiveImageDestination) HasBlob(info types.BlobInfo) (bool, int64, error) {
+	return d.unpackedDest.HasBlob(info)
+}
+
+func (d *ociArchiveImageDestination) ReapplyBlob(info types.BlobInfo) (types.BlobInfo, error) {
+	return d.unpackedDest.ReapplyBlob(info)
+}
+
+// PutManifest writes manifest to the destination
+func (d *ociArchiveImageDestination) PutManifest(m []byte) error {
+	return d.unpackedDest.PutManifest(m)
+}
+
+func (d *ociArchiveImageDestination) PutSignatures(signatures [][]byte) error {
+	return d.unpackedDest.PutSignatures(signatures)
+}
+
+// Commit marks the process of storing the image as successful and asks for the image to be persisted
+// after the directory is made, it is tarred up into a file and the directory is deleted
+func (d *ociArchiveImageDestination) Commit() error {
+	if err := d.unpackedDest.Commit(); err != nil {
+		return errors.Wrapf(err, "error storing image %q", d.ref.image)
+	}
+
+	// path of directory to tar up
+	src := d.tempDirRef.tempDirectory
+	// path to save tarred up file
+	dst := d.ref.resolvedFile
+	return tarDirectory(src, dst)
+}
+
+// tar converts the directory at src and saves it to dst
+func tarDirectory(src, dst string) error {
+	// input is a stream of bytes from the archive of the directory at path
+	input, err := archive.Tar(src, archive.Uncompressed)
+	if err != nil {
+		return errors.Wrapf(err, "error retrieving stream of bytes from %q", src)
+	}
+
+	// creates the tar file
+	outFile, err := os.Create(dst)
+	if err != nil {
+		return errors.Wrapf(err, "error creating tar file %q", dst)
+	}
+	defer outFile.Close()
+
+	// copies the contents of the directory to the tar file
+	_, err = io.Copy(outFile, input)
+
+	return err
+}
--- a/vendor/github.com/containers/image/oci/archive/oci_src.go
+++ b/vendor/github.com/containers/image/oci/archive/oci_src.go
@@ -0,0 +1,88 @@
+package archive
+
+import (
+	"context"
+	"io"
+
+	ocilayout "github.com/containers/image/oci/layout"
+	"github.com/containers/image/types"
+	digest "github.com/opencontainers/go-digest"
+	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+)
+
+type ociArchiveImageSource struct {
+	ref         ociArchiveReference
+	unpackedSrc types.ImageSource
+	tempDirRef  tempDirOCIRef
+}
+
+// newImageSource returns an ImageSource for reading from an existing directory.
+// newImageSource untars the file and saves it in a temp directory
+func newImageSource(ctx *types.SystemContext, ref ociArchiveReference) (types.ImageSource, error) {
+	tempDirRef, err := createUntarTempDir(ref)
+	if err != nil {
+		return nil, errors.Wrap(err, "error creating temp directory")
+	}
+
+	unpackedSrc, err := tempDirRef.ociRefExtracted.NewImageSource(ctx)
+	if err != nil {
+		if err := tempDirRef.deleteTempDir(); err != nil {
+			return nil, errors.Wrapf(err, "error deleting temp directory", tempDirRef.tempDirectory)
+		}
+		return nil, err
+	}
+	return &ociArchiveImageSource{ref: ref,
+		unpackedSrc: unpackedSrc,
+		tempDirRef:  tempDirRef}, nil
+}
+
+// LoadManifestDescriptor loads the manifest
+func LoadManifestDescriptor(imgRef types.ImageReference) (imgspecv1.Descriptor, error) {
+	ociArchRef, ok := imgRef.(ociArchiveReference)
+	if !ok {
+		return imgspecv1.Descriptor{}, errors.Errorf("error typecasting, need type ociArchiveReference")
+	}
+	tempDirRef, err := createUntarTempDir(ociArchRef)
+	if err != nil {
+		return imgspecv1.Descriptor{}, errors.Wrap(err, "error creating temp directory")
+	}
+	defer tempDirRef.deleteTempDir()
+
+	descriptor, err := ocilayout.LoadManifestDescriptor(tempDirRef.ociRefExtracted)
+	if err != nil {
+		return imgspecv1.Descriptor{}, errors.Wrap(err, "error loading index")
+	}
+	return descriptor, nil
+}
+
+// Reference returns the reference used to set up this source.
+func (s *ociArchiveImageSource) Reference() types.ImageReference {
+	return s.ref
+}
+
+// Close removes resources associated with an initialized ImageSource, if any.
+// Close deletes the temporary directory at dst
+func (s *ociArchiveImageSource) Close() error {
+	defer s.tempDirRef.deleteTempDir()
+	return s.unpackedSrc.Close()
+}
+
+// GetManifest returns the image's manifest along with its MIME type
+// (which may be empty when it can't be determined but the manifest is available).
+func (s *ociArchiveImageSource) GetManifest() ([]byte, string, error) {
+	return s.unpackedSrc.GetManifest()
+}
+
+func (s *ociArchiveImageSource) GetTargetManifest(digest digest.Digest) ([]byte, string, error) {
+	return s.unpackedSrc.GetTargetManifest(digest)
+}
+
+// GetBlob returns a stream for the specified blob, and the blob's size.
+func (s *ociArchiveImageSource) GetBlob(info types.BlobInfo) (io.ReadCloser, int64, error) {
+	return s.unpackedSrc.GetBlob(info)
+}
+
+func (s *ociArchiveImageSource) GetSignatures(c context.Context) ([][]byte, error) {
+	return s.unpackedSrc.GetSignatures(c)
+}
--- a/vendor/github.com/containers/image/oci/archive/oci_transport.go
+++ b/vendor/github.com/containers/image/oci/archive/oci_transport.go
@@ -0,0 +1,225 @@
+package archive
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"regexp"
+	"strings"
+
+	"github.com/containers/image/directory/explicitfilepath"
+	"github.com/containers/image/docker/reference"
+	"github.com/containers/image/image"
+	ocilayout "github.com/containers/image/oci/layout"
+	"github.com/containers/image/transports"
+	"github.com/containers/image/types"
+	"github.com/containers/storage/pkg/archive"
+	"github.com/pkg/errors"
+)
+
+func init() {
+	transports.Register(Transport)
+}
+
+// Transport is an ImageTransport for OCI archive
+// it creates an oci-archive tar file by calling into the OCI transport
+// tarring the directory created by oci and deleting the directory
+var Transport = ociArchiveTransport{}
+
+type ociArchiveTransport struct{}
+
+// ociArchiveReference is an ImageReference for OCI Archive paths
+type ociArchiveReference struct {
+	file         string
+	resolvedFile string
+	image        string
+}
+
+func (t ociArchiveTransport) Name() string {
+	return "oci-archive"
+}
+
+// ParseReference converts a string, which should not start with the ImageTransport.Name prefix
+// into an ImageReference.
+func (t ociArchiveTransport) ParseReference(reference string) (types.ImageReference, error) {
+	return ParseReference(reference)
+}
+
+// ValidatePolicyConfigurationScope checks that scope is a valid name for a signature.PolicyTransportScopes keys
+func (t ociArchiveTransport) ValidatePolicyConfigurationScope(scope string) error {
+	var file string
+	sep := strings.SplitN(scope, ":", 2)
+	file = sep[0]
+
+	if len(sep) == 2 {
+		image := sep[1]
+		if !refRegexp.MatchString(image) {
+			return errors.Errorf("Invalid image %s", image)
+		}
+	}
+
+	if !strings.HasPrefix(file, "/") {
+		return errors.Errorf("Invalid scope %s: must be an absolute path", scope)
+	}
+	// Refuse also "/", otherwise "/" and "" would have the same semantics,
+	// and "" could be unexpectedly shadowed by the "/" entry.
+	// (Note: we do allow "/:someimage", a bit ridiculous but why refuse it?)
+	if scope == "/" {
+		return errors.New(`Invalid scope "/": Use the generic default scope ""`)
+	}
+	cleaned := filepath.Clean(file)
+	if cleaned != file {
+		return errors.Errorf(`Invalid scope %s: Uses non-canonical path format, perhaps try with path %s`, scope, cleaned)
+	}
+	return nil
+}
+
+// annotation spex from https://github.com/opencontainers/image-spec/blob/master/annotations.md#pre-defined-annotation-keys
+const (
+	separator = `(?:[-._:@+]|--)`
+	alphanum  = `(?:[A-Za-z0-9]+)`
+	component = `(?:` + alphanum + `(?:` + separator + alphanum + `)*)`
+)
+
+var refRegexp = regexp.MustCompile(`^` + component + `(?:/` + component + `)*$`)
+
+// ParseReference converts a string, which should not start with the ImageTransport.Name prefix, into an OCI ImageReference.
+func ParseReference(reference string) (types.ImageReference, error) {
+	var file, image string
+	sep := strings.SplitN(reference, ":", 2)
+	file = sep[0]
+
+	if len(sep) == 2 {
+		image = sep[1]
+	}
+	return NewReference(file, image)
+}
+
+// NewReference returns an OCI reference for a file and a image.
+func NewReference(file, image string) (types.ImageReference, error) {
+	resolved, err := explicitfilepath.ResolvePathToFullyExplicit(file)
+	if err != nil {
+		return nil, err
+	}
+	// This is necessary to prevent directory paths returned by PolicyConfigurationNamespaces
+	// from being ambiguous with values of PolicyConfigurationIdentity.
+	if strings.Contains(resolved, ":") {
+		return nil, errors.Errorf("Invalid OCI reference %s:%s: path %s contains a colon", file, image, resolved)
+	}
+	if len(image) > 0 && !refRegexp.MatchString(image) {
+		return nil, errors.Errorf("Invalid image %s", image)
+	}
+	return ociArchiveReference{file: file, resolvedFile: resolved, image: image}, nil
+}
+
+func (ref ociArchiveReference) Transport() types.ImageTransport {
+	return Transport
+}
+
+// StringWithinTransport returns a string representation of the reference, which MUST be such that
+// reference.Transport().ParseReference(reference.StringWithinTransport()) returns an equivalent reference.
+func (ref ociArchiveReference) StringWithinTransport() string {
+	return fmt.Sprintf("%s:%s", ref.file, ref.image)
+}
+
+// DockerReference returns a Docker reference associated with this reference
+func (ref ociArchiveReference) DockerReference() reference.Named {
+	return nil
+}
+
+// PolicyConfigurationIdentity returns a string representation of the reference, suitable for policy lookup.
+func (ref ociArchiveReference) PolicyConfigurationIdentity() string {
+	// NOTE: ref.image is not a part of the image identity, because "$dir:$someimage" and "$dir:" may mean the
+	// same image and the two can’t be statically disambiguated.  Using at least the repository directory is
+	// less granular but hopefully still useful.
+	return fmt.Sprintf("%s", ref.resolvedFile)
+}
+
+// PolicyConfigurationNamespaces returns a list of other policy configuration namespaces to search
+// for if explicit configuration for PolicyConfigurationIdentity() is not set
+func (ref ociArchiveReference) PolicyConfigurationNamespaces() []string {
+	res := []string{}
+	path := ref.resolvedFile
+	for {
+		lastSlash := strings.LastIndex(path, "/")
+		// Note that we do not include "/"; it is redundant with the default "" global default,
+		// and rejected by ociTransport.ValidatePolicyConfigurationScope above.
+		if lastSlash == -1 || path == "/" {
+			break
+		}
+		res = append(res, path)
+		path = path[:lastSlash]
+	}
+	return res
+}
+
+// NewImage returns a types.Image for this reference, possibly specialized for this ImageTransport.
+// The caller must call .Close() on the returned Image.
+func (ref ociArchiveReference) NewImage(ctx *types.SystemContext) (types.Image, error) {
+	src, err := newImageSource(ctx, ref)
+	if err != nil {
+		return nil, err
+	}
+	return image.FromSource(src)
+}
+
+// NewImageSource returns a types.ImageSource for this reference.
+// The caller must call .Close() on the returned ImageSource.
+func (ref ociArchiveReference) NewImageSource(ctx *types.SystemContext) (types.ImageSource, error) {
+	return newImageSource(ctx, ref)
+}
+
+// NewImageDestination returns a types.ImageDestination for this reference.
+// The caller must call .Close() on the returned ImageDestination.
+func (ref ociArchiveReference) NewImageDestination(ctx *types.SystemContext) (types.ImageDestination, error) {
+	return newImageDestination(ctx, ref)
+}
+
+// DeleteImage deletes the named image from the registry, if supported.
+func (ref ociArchiveReference) DeleteImage(ctx *types.SystemContext) error {
+	return errors.Errorf("Deleting images not implemented for oci: images")
+}
+
+// struct to store the ociReference and temporary directory returned by createOCIRef
+type tempDirOCIRef struct {
+	tempDirectory   string
+	ociRefExtracted types.ImageReference
+}
+
+// deletes the temporary directory created
+func (t *tempDirOCIRef) deleteTempDir() error {
+	return os.RemoveAll(t.tempDirectory)
+}
+
+// createOCIRef creates the oci reference of the image
+func createOCIRef(image string) (tempDirOCIRef, error) {
+	dir, err := ioutil.TempDir("/var/tmp", "oci")
+	if err != nil {
+		return tempDirOCIRef{}, errors.Wrapf(err, "error creating temp directory")
+	}
+	ociRef, err := ocilayout.NewReference(dir, image)
+	if err != nil {
+		return tempDirOCIRef{}, err
+	}
+
+	tempDirRef := tempDirOCIRef{tempDirectory: dir, ociRefExtracted: ociRef}
+	return tempDirRef, nil
+}
+
+// creates the temporary directory and copies the tarred content to it
+func createUntarTempDir(ref ociArchiveReference) (tempDirOCIRef, error) {
+	tempDirRef, err := createOCIRef(ref.image)
+	if err != nil {
+		return tempDirOCIRef{}, errors.Wrap(err, "error creating oci reference")
+	}
+	src := ref.resolvedFile
+	dst := tempDirRef.tempDirectory
+	if err := archive.UntarPath(src, dst); err != nil {
+		if err := tempDirRef.deleteTempDir(); err != nil {
+			return tempDirOCIRef{}, errors.Wrapf(err, "error deleting temp directory %q", tempDirRef.tempDirectory)
+		}
+		return tempDirOCIRef{}, errors.Wrapf(err, "error untarring file %q", tempDirRef.tempDirectory)
+	}
+	return tempDirRef, nil
+}
--- a/vendor/github.com/containers/image/oci/layout/oci_dest.go
+++ b/vendor/github.com/containers/image/oci/layout/oci_dest.go
@@ -2,26 +2,63 @@ package layout

 import (
 	"encoding/json"
-	"errors"
-	"fmt"
 	"io"
 	"io/ioutil"
 	"os"
 	"path/filepath"
+	"runtime"
+
+	"github.com/pkg/errors"

 	"github.com/containers/image/manifest"
 	"github.com/containers/image/types"
-	"github.com/docker/distribution/digest"
+	"github.com/opencontainers/go-digest"
+	imgspec "github.com/opencontainers/image-spec/specs-go"
 	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
 )

 type ociImageDestination struct {
-	ref ociReference
+	ref           ociReference
+	index         imgspecv1.Index
+	sharedBlobDir string
 }

 // newImageDestination returns an ImageDestination for writing to an existing directory.
-func newImageDestination(ref ociReference) types.ImageDestination {
-	return &ociImageDestination{ref: ref}
+func newImageDestination(ctx *types.SystemContext, ref ociReference) (types.ImageDestination, error) {
+	if ref.image == "" {
+		return nil, errors.Errorf("cannot save image with empty image.ref.name")
+	}
+
+	var index *imgspecv1.Index
+	if indexExists(ref) {
+		var err error
+		index, err = ref.getIndex()
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		index = &imgspecv1.Index{
+			Versioned: imgspec.Versioned{
+				SchemaVersion: 2,
+			},
+		}
+	}
+
+	d := &ociImageDestination{ref: ref, index: *index}
+	if ctx != nil {
+		d.sharedBlobDir = ctx.OCISharedBlobDirPath
+	}
+
+	if err := ensureDirectoryExists(d.ref.dir); err != nil {
+		return nil, err
+	}
+	// Per the OCI image specification, layouts MUST have a "blobs" subdirectory,
+	// but it MAY be empty (e.g. if we never end up calling PutBlob)
+	// https://github.com/opencontainers/image-spec/blame/7c889fafd04a893f5c5f50b7ab9963d5d64e5242/image-layout.md#L19
+	if err := ensureDirectoryExists(filepath.Join(d.ref.dir, "blobs")); err != nil {
+		return nil, err
+	}
+	return d, nil
 }

 // Reference returns the reference used to set up this destination.  Note that this should directly correspond to user's intent,
@@ -31,20 +68,20 @@ func (d *ociImageDestination) Reference() types.ImageReference {
 }

 // Close removes resources associated with an initialized ImageDestination, if any.
-func (d *ociImageDestination) Close() {
+func (d *ociImageDestination) Close() error {
+	return nil
 }

 func (d *ociImageDestination) SupportedManifestMIMETypes() []string {
 	return []string{
 		imgspecv1.MediaTypeImageManifest,
-		manifest.DockerV2Schema2MediaType,
 	}
 }

 // SupportsSignatures returns an error (to be displayed to the user) if the destination certainly can't store signatures.
 // Note: It is still possible for PutSignatures to fail if SupportsSignatures returns nil.
 func (d *ociImageDestination) SupportsSignatures() error {
-	return fmt.Errorf("Pushing signatures for OCI images is not supported")
+	return errors.Errorf("Pushing signatures for OCI images is not supported")
 }

 // ShouldCompressLayers returns true iff it is desirable to compress layer blobs written to this destination.
@@ -55,6 +92,11 @@ func (d *ociImageDestination) ShouldCompressLayers() bool {
 // AcceptsForeignLayerURLs returns false iff foreign layers in manifest should be actually
 // uploaded to the image destination, true otherwise.
 func (d *ociImageDestination) AcceptsForeignLayerURLs() bool {
+	return true
+}
+
+// MustMatchRuntimeOS returns true iff the destination can store only images targeted for the current runtime OS. False otherwise.
+func (d *ociImageDestination) MustMatchRuntimeOS() bool {
 	return false
 }

@@ -65,9 +107,6 @@ func (d *ociImageDestination) AcceptsForeignLayerURLs() bool {
 // to any other readers for download using the supplied digest.
 // If stream.Read() at any time, ESPECIALLY at end of input, returns an error, PutBlob MUST 1) fail, and 2) delete any data stored so far.
 func (d *ociImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobInfo) (types.BlobInfo, error) {
-	if err := ensureDirectoryExists(d.ref.dir); err != nil {
-		return types.BlobInfo{}, err
-	}
 	blobFile, err := ioutil.TempFile(d.ref.dir, "oci-put-blob")
 	if err != nil {
 		return types.BlobInfo{}, err
@@ -80,7 +119,7 @@ func (d *ociImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobInfo
 		}
 	}()

-	digester := digest.Canonical.New()
+	digester := digest.Canonical.Digester()
 	tee := io.TeeReader(stream, digester.Hash())

 	size, err := io.Copy(blobFile, tee)
@@ -89,7 +128,7 @@ func (d *ociImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobInfo
 	}
 	computedDigest := digester.Digest()
 	if inputInfo.Size != -1 && size != inputInfo.Size {
-		return types.BlobInfo{}, fmt.Errorf("Size mismatch when copying %s, expected %d, got %d", computedDigest, inputInfo.Size, size)
+		return types.BlobInfo{}, errors.Errorf("Size mismatch when copying %s, expected %d, got %d", computedDigest, inputInfo.Size, size)
 	}
 	if err := blobFile.Sync(); err != nil {
 		return types.BlobInfo{}, err
@@ -98,7 +137,7 @@ func (d *ociImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobInfo
 		return types.BlobInfo{}, err
 	}

-	blobPath, err := d.ref.blobPath(computedDigest)
+	blobPath, err := d.ref.blobPath(computedDigest, d.sharedBlobDir)
 	if err != nil {
 		return types.BlobInfo{}, err
 	}
@@ -112,81 +151,105 @@ func (d *ociImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobInfo
 	return types.BlobInfo{Digest: computedDigest, Size: size}, nil
 }

-func createManifest(m []byte) ([]byte, string, error) {
-	om := imgspecv1.Manifest{}
-	mt := manifest.GuessMIMEType(m)
-	switch mt {
-	case manifest.DockerV2Schema1MediaType, manifest.DockerV2Schema1SignedMediaType:
-		// There a simple reason about not yet implementing this.
-		// OCI image-spec assure about backward compatibility with docker v2s2 but not v2s1
-		// generating a v2s2 is a migration docker does when upgrading to 1.10.3
-		// and I don't think we should bother about this now (I don't want to have migration code here in skopeo)
-		return nil, "", errors.New("can't create an OCI manifest from Docker V2 schema 1 manifest")
-	case manifest.DockerV2Schema2MediaType:
-		if err := json.Unmarshal(m, &om); err != nil {
-			return nil, "", err
-		}
-		om.MediaType = imgspecv1.MediaTypeImageManifest
-		for i, l := range om.Layers {
-			if l.MediaType == manifest.DockerV2Schema2ForeignLayerMediaType {
-				om.Layers[i].MediaType = imgspecv1.MediaTypeImageLayerNonDistributable
-			} else {
-				om.Layers[i].MediaType = imgspecv1.MediaTypeImageLayer
-			}
-		}
-		om.Config.MediaType = imgspecv1.MediaTypeImageConfig
-		b, err := json.Marshal(om)
-		if err != nil {
-			return nil, "", err
-		}
-		return b, om.MediaType, nil
-	case manifest.DockerV2ListMediaType:
-		return nil, "", errors.New("can't create an OCI manifest from Docker V2 schema 2 manifest list")
-	case imgspecv1.MediaTypeImageManifestList:
-		return nil, "", errors.New("can't create an OCI manifest from OCI manifest list")
-	case imgspecv1.MediaTypeImageManifest:
-		return m, mt, nil
+// HasBlob returns true iff the image destination already contains a blob with the matching digest which can be reapplied using ReapplyBlob.
+// Unlike PutBlob, the digest can not be empty.  If HasBlob returns true, the size of the blob must also be returned.
+// If the destination does not contain the blob, or it is unknown, HasBlob ordinarily returns (false, -1, nil);
+// it returns a non-nil error only on an unexpected failure.
+func (d *ociImageDestination) HasBlob(info types.BlobInfo) (bool, int64, error) {
+	if info.Digest == "" {
+		return false, -1, errors.Errorf(`"Can not check for a blob with unknown digest`)
 	}
-	return nil, "", fmt.Errorf("unrecognized manifest media type %q", mt)
+	blobPath, err := d.ref.blobPath(info.Digest, d.sharedBlobDir)
+	if err != nil {
+		return false, -1, err
+	}
+	finfo, err := os.Stat(blobPath)
+	if err != nil && os.IsNotExist(err) {
+		return false, -1, nil
+	}
+	if err != nil {
+		return false, -1, err
+	}
+	return true, finfo.Size(), nil
 }

+func (d *ociImageDestination) ReapplyBlob(info types.BlobInfo) (types.BlobInfo, error) {
+	return info, nil
+}
+
+// PutManifest writes manifest to the destination.
+// FIXME? This should also receive a MIME type if known, to differentiate between schema versions.
+// If the destination is in principle available, refuses this manifest type (e.g. it does not recognize the schema),
+// but may accept a different manifest type, the returned error must be an ManifestTypeRejectedError.
 func (d *ociImageDestination) PutManifest(m []byte) error {
-	// TODO(mitr, runcom): this breaks signatures entirely since at this point we're creating a new manifest
-	// and signatures don't apply anymore. Will fix.
-	ociMan, mt, err := createManifest(m)
-	if err != nil {
-		return err
-	}
-	digest, err := manifest.Digest(ociMan)
+	digest, err := manifest.Digest(m)
 	if err != nil {
 		return err
 	}
 	desc := imgspecv1.Descriptor{}
-	desc.Digest = digest.String()
+	desc.Digest = digest
 	// TODO(runcom): beaware and add support for OCI manifest list
-	desc.MediaType = mt
-	desc.Size = int64(len(ociMan))
-	data, err := json.Marshal(desc)
+	desc.MediaType = imgspecv1.MediaTypeImageManifest
+	desc.Size = int64(len(m))
+
+	blobPath, err := d.ref.blobPath(digest, d.sharedBlobDir)
 	if err != nil {
 		return err
 	}
+	if err := ensureParentDirectoryExists(blobPath); err != nil {
+		return err
+	}
+	if err := ioutil.WriteFile(blobPath, m, 0644); err != nil {
+		return err
+	}

-	blobPath, err := d.ref.blobPath(digest)
-	if err != nil {
-		return err
+	if d.ref.image == "" {
+		return errors.Errorf("cannot save image with empyt image.ref.name")
 	}
-	if err := ioutil.WriteFile(blobPath, ociMan, 0644); err != nil {
-		return err
+
+	annotations := make(map[string]string)
+	annotations["org.opencontainers.image.ref.name"] = d.ref.image
+	desc.Annotations = annotations
+	desc.Platform = &imgspecv1.Platform{
+		Architecture: runtime.GOARCH,
+		OS:           runtime.GOOS,
 	}
-	// TODO(runcom): ugly here?
+	d.addManifest(&desc)
+
+	return nil
+}
+
+func (d *ociImageDestination) addManifest(desc *imgspecv1.Descriptor) {
+	for i, manifest := range d.index.Manifests {
+		if manifest.Annotations["org.opencontainers.image.ref.name"] == desc.Annotations["org.opencontainers.image.ref.name"] {
+			// TODO Should there first be a cleanup based on the descriptor we are going to replace?
+			d.index.Manifests[i] = *desc
+			return
+		}
+	}
+	d.index.Manifests = append(d.index.Manifests, *desc)
+}
+
+func (d *ociImageDestination) PutSignatures(signatures [][]byte) error {
+	if len(signatures) != 0 {
+		return errors.Errorf("Pushing signatures for OCI images is not supported")
+	}
+	return nil
+}
+
+// Commit marks the process of storing the image as successful and asks for the image to be persisted.
+// WARNING: This does not have any transactional semantics:
+// - Uploaded data MAY be visible to others before Commit() is called
+// - Uploaded data MAY be removed or MAY remain around if Close() is called without Commit() (i.e. rollback is allowed but not guaranteed)
+func (d *ociImageDestination) Commit() error {
 	if err := ioutil.WriteFile(d.ref.ociLayoutPath(), []byte(`{"imageLayoutVersion": "1.0.0"}`), 0644); err != nil {
 		return err
 	}
-	descriptorPath := d.ref.descriptorPath(d.ref.tag)
-	if err := ensureParentDirectoryExists(descriptorPath); err != nil {
+	indexJSON, err := json.Marshal(d.index)
+	if err != nil {
 		return err
 	}
-	return ioutil.WriteFile(descriptorPath, data, 0644)
+	return ioutil.WriteFile(d.ref.indexPath(), indexJSON, 0644)
 }

 func ensureDirectoryExists(path string) error {
@@ -203,17 +266,15 @@ func ensureParentDirectoryExists(path string) error {
 	return ensureDirectoryExists(filepath.Dir(path))
 }

-func (d *ociImageDestination) PutSignatures(signatures [][]byte) error {
-	if len(signatures) != 0 {
-		return fmt.Errorf("Pushing signatures for OCI images is not supported")
+// indexExists checks whether the index location specified in the OCI reference exists.
+// The implementation is opinionated, since in case of unexpected errors false is returned
+func indexExists(ref ociReference) bool {
+	_, err := os.Stat(ref.indexPath())
+	if err == nil {
+		return true
 	}
-	return nil
-}
-
-// Commit marks the process of storing the image as successful and asks for the image to be persisted.
-// WARNING: This does not have any transactional semantics:
-// - Uploaded data MAY be visible to others before Commit() is called
-// - Uploaded data MAY be removed or MAY remain around if Close() is called without Commit() (i.e. rollback is allowed but not guaranteed)
-func (d *ociImageDestination) Commit() error {
-	return nil
+	if os.IsNotExist(err) {
+		return false
+	}
+	return true
 }
--- a/vendor/github.com/containers/image/oci/layout/oci_src.go
+++ b/vendor/github.com/containers/image/oci/layout/oci_src.go
@@ -1,24 +1,52 @@
 package layout

 import (
-	"encoding/json"
+	"context"
 	"io"
 	"io/ioutil"
+	"net/http"
 	"os"
+	"strconv"

-	"github.com/containers/image/manifest"
+	"github.com/containers/image/pkg/tlsclientconfig"
 	"github.com/containers/image/types"
-	"github.com/docker/distribution/digest"
+	"github.com/docker/go-connections/tlsconfig"
+	"github.com/opencontainers/go-digest"
 	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
 )

 type ociImageSource struct {
-	ref ociReference
+	ref           ociReference
+	descriptor    imgspecv1.Descriptor
+	client        *http.Client
+	sharedBlobDir string
 }

 // newImageSource returns an ImageSource for reading from an existing directory.
-func newImageSource(ref ociReference) types.ImageSource {
-	return &ociImageSource{ref: ref}
+func newImageSource(ctx *types.SystemContext, ref ociReference) (types.ImageSource, error) {
+	tr := tlsclientconfig.NewTransport()
+	tr.TLSClientConfig = tlsconfig.ServerDefault()
+
+	if ctx != nil && ctx.OCICertPath != "" {
+		if err := tlsclientconfig.SetupCertificates(ctx.OCICertPath, tr.TLSClientConfig); err != nil {
+			return nil, err
+		}
+		tr.TLSClientConfig.InsecureSkipVerify = ctx.OCIInsecureSkipTLSVerify
+	}
+
+	client := &http.Client{}
+	client.Transport = tr
+	descriptor, err := ref.getManifestDescriptor()
+	if err != nil {
+		return nil, err
+	}
+	d := &ociImageSource{ref: ref, descriptor: descriptor, client: client}
+	if ctx != nil {
+		// TODO(jonboulle): check dir existence?
+		d.sharedBlobDir = ctx.OCISharedBlobDirPath
+	}
+	return d, nil
 }

 // Reference returns the reference used to set up this source.
@@ -27,25 +55,14 @@ func (s *ociImageSource) Reference() types.ImageReference {
 }

 // Close removes resources associated with an initialized ImageSource, if any.
-func (s *ociImageSource) Close() {
+func (s *ociImageSource) Close() error {
+	return nil
 }

 // GetManifest returns the image's manifest along with its MIME type (which may be empty when it can't be determined but the manifest is available).
 // It may use a remote (= slow) service.
 func (s *ociImageSource) GetManifest() ([]byte, string, error) {
-	descriptorPath := s.ref.descriptorPath(s.ref.tag)
-	data, err := ioutil.ReadFile(descriptorPath)
-	if err != nil {
-		return nil, "", err
-	}
-
-	desc := imgspecv1.Descriptor{}
-	err = json.Unmarshal(data, &desc)
-	if err != nil {
-		return nil, "", err
-	}
-
-	manifestPath, err := s.ref.blobPath(digest.Digest(desc.Digest))
+	manifestPath, err := s.ref.blobPath(digest.Digest(s.descriptor.Digest), s.sharedBlobDir)
 	if err != nil {
 		return nil, "", err
 	}
@@ -54,11 +71,11 @@ func (s *ociImageSource) GetManifest() ([]byte, string, error) {
 		return nil, "", err
 	}

-	return m, manifest.GuessMIMEType(m), nil
+	return m, s.descriptor.MediaType, nil
 }

 func (s *ociImageSource) GetTargetManifest(digest digest.Digest) ([]byte, string, error) {
-	manifestPath, err := s.ref.blobPath(digest)
+	manifestPath, err := s.ref.blobPath(digest, s.sharedBlobDir)
 	if err != nil {
 		return nil, "", err
 	}
@@ -68,12 +85,20 @@ func (s *ociImageSource) GetTargetManifest(digest digest.Digest) ([]byte, string
 		return nil, "", err
 	}

-	return m, manifest.GuessMIMEType(m), nil
+	// XXX: GetTargetManifest means that we don't have the context of what
+	//      mediaType the manifest has. In OCI this means that we don't know
+	//      what reference it came from, so we just *assume* that its
+	//      MediaTypeImageManifest.
+	return m, imgspecv1.MediaTypeImageManifest, nil
 }

 // GetBlob returns a stream for the specified blob, and the blob's size.
 func (s *ociImageSource) GetBlob(info types.BlobInfo) (io.ReadCloser, int64, error) {
-	path, err := s.ref.blobPath(info.Digest)
+	if len(info.URLs) != 0 {
+		return s.getExternalBlob(info.URLs)
+	}
+
+	path, err := s.ref.blobPath(info.Digest, s.sharedBlobDir)
 	if err != nil {
 		return nil, 0, err
 	}
@@ -89,6 +114,35 @@ func (s *ociImageSource) GetBlob(info types.BlobInfo) (io.ReadCloser, int64, err
 	return r, fi.Size(), nil
 }

-func (s *ociImageSource) GetSignatures() ([][]byte, error) {
+func (s *ociImageSource) GetSignatures(context.Context) ([][]byte, error) {
 	return [][]byte{}, nil
 }
+
+func (s *ociImageSource) getExternalBlob(urls []string) (io.ReadCloser, int64, error) {
+	errWrap := errors.New("failed fetching external blob from all urls")
+	for _, url := range urls {
+		resp, err := s.client.Get(url)
+		if err != nil {
+			errWrap = errors.Wrapf(errWrap, "fetching %s failed %s", url, err.Error())
+			continue
+		}
+
+		if resp.StatusCode != http.StatusOK {
+			resp.Body.Close()
+			errWrap = errors.Wrapf(errWrap, "fetching %s failed, response code not 200", url)
+			continue
+		}
+
+		return resp.Body, getBlobSize(resp), nil
+	}
+
+	return nil, 0, errWrap
+}
+
+func getBlobSize(resp *http.Response) int64 {
+	size, err := strconv.ParseInt(resp.Header.Get("Content-Length"), 10, 64)
+	if err != nil {
+		size = -1
+	}
+	return size
+}
--- a/Show More
+++ b/Show More