Merge pull request #22740 from Luap99/rootlessnetns-hosts

fix incorrect host.containers.internal entry for rootless bridge mode

go.mod

@@ -14,7 +14,7 @@ require (
 	github.com/checkpoint-restore/go-criu/v7 v7.1.0
 	github.com/containernetworking/plugins v1.4.1
 	github.com/containers/buildah v1.35.1-0.20240510150258-77f239ae12e5
-	github.com/containers/common v0.58.1-0.20240509172903-2c88a3f280bb
+	github.com/containers/common v0.58.1-0.20240517090124-fa276b325847
 	github.com/containers/conmon v2.0.20+incompatible
 	github.com/containers/gvisor-tap-vsock v0.7.4-0.20240515153903-01a1a0cd3f70
 	github.com/containers/image/v5 v5.30.2-0.20240509191815-9318d0eaaf78
@@ -30,7 +30,7 @@ require (
 	github.com/cyphar/filepath-securejoin v0.2.5
 	github.com/digitalocean/go-qemu v0.0.0-20230711162256-2e3d0186973e
 	github.com/docker/distribution v2.8.3+incompatible
-	github.com/docker/docker v26.1.2+incompatible
+	github.com/docker/docker v26.1.3+incompatible
 	github.com/docker/go-connections v0.5.0
 	github.com/docker/go-plugins-helpers v0.0.0-20211224144127-6eecb7beb651
 	github.com/docker/go-units v0.5.0
@@ -98,7 +98,7 @@ require (
 	github.com/chenzhuoyu/iasm v0.9.1 // indirect
 	github.com/chzyer/readline v1.5.1 // indirect
 	github.com/containerd/cgroups/v3 v3.0.3 // indirect
-	github.com/containerd/containerd v1.7.16 // indirect
+	github.com/containerd/containerd v1.7.17 // indirect
 	github.com/containerd/errdefs v0.1.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect
@@ -194,7 +194,7 @@ require (
 	github.com/sigstore/rekor v1.3.6 // indirect
 	github.com/sigstore/sigstore v1.8.3 // indirect
 	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
-	github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980 // indirect
+	github.com/stefanberger/go-pkcs11uri v0.0.0-20230803200340-78284954bff6 // indirect
 	github.com/sylabs/sif/v2 v2.16.0 // indirect
 	github.com/tchap/go-patricia/v2 v2.3.1 // indirect
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect

go.sum

@@ -63,8 +63,8 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/containerd/cgroups/v3 v3.0.3 h1:S5ByHZ/h9PMe5IOQoN7E+nMc2UcLEM/V48DGDJ9kip0=
 github.com/containerd/cgroups/v3 v3.0.3/go.mod h1:8HBe7V3aWGLFPd/k03swSIsGjZhHI2WzJmticMgVuz0=
-github.com/containerd/containerd v1.7.16 h1:7Zsfe8Fkj4Wi2My6DXGQ87hiqIrmOXolm72ZEkFU5Mg=
+github.com/containerd/containerd v1.7.17 h1:KjNnn0+tAVQHAoaWRjmdak9WlvnFR/8rU1CHHy8Rm2A=
-github.com/containerd/containerd v1.7.16/go.mod h1:NL49g7A/Fui7ccmxV6zkBWwqMgmMxFWzujYCc+JLt7k=
+github.com/containerd/containerd v1.7.17/go.mod h1:vK+hhT4TIv2uejlcDlbVIc8+h/BqtKLIyNrtCZol8lI=
 github.com/containerd/errdefs v0.1.0 h1:m0wCRBiu1WJT/Fr+iOoQHMQS/eP5myQ8lCv4Dz5ZURM=
 github.com/containerd/errdefs v0.1.0/go.mod h1:YgWiiHtLmSeBrvpw+UfPijzbLaB77mEG1WwJTDETIV0=
 github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
@@ -79,8 +79,8 @@ github.com/containernetworking/plugins v1.4.1 h1:+sJRRv8PKhLkXIl6tH1D7RMi+CbbHut
 github.com/containernetworking/plugins v1.4.1/go.mod h1:n6FFGKcaY4o2o5msgu/UImtoC+fpQXM3076VHfHbj60=
 github.com/containers/buildah v1.35.1-0.20240510150258-77f239ae12e5 h1:xtKtw/g2iDkirqSw6Dvvc2ZMPxBYhyN9xPdH81a7hO4=
 github.com/containers/buildah v1.35.1-0.20240510150258-77f239ae12e5/go.mod h1:ezOOMchy0Dcu/jKNNsTJbtxvOrhdogVkbG+UxkG77EY=
-github.com/containers/common v0.58.1-0.20240509172903-2c88a3f280bb h1:mb5e8J/kErkytiM1J5hqdZENBJfSQyQ37Cgx0hinVYs=
+github.com/containers/common v0.58.1-0.20240517090124-fa276b325847 h1:34cLMWNLLytr35gxiklxsKfjrbYIW/GArhTF7hakx2Q=
-github.com/containers/common v0.58.1-0.20240509172903-2c88a3f280bb/go.mod h1:SCOYkp6ul27v6WoNkbgvhAhhSEM6fYKl2My9/WuESdA=
+github.com/containers/common v0.58.1-0.20240517090124-fa276b325847/go.mod h1:9BdyHXC2fM6q+gqTVmnaf1tdGLnne0votxdPOTN3aY4=
 github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
 github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
 github.com/containers/gvisor-tap-vsock v0.7.4-0.20240515153903-01a1a0cd3f70 h1:aACcXSIgcuPq5QdNZZ8B53BCdhqYvw33/8QmZWJATvg=
@@ -136,8 +136,8 @@ github.com/docker/cli v26.1.2+incompatible h1:/MWZpUMMlr1hCGyquL8QNbL1hbivQ1kLuT
 github.com/docker/cli v26.1.2+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
 github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v26.1.2+incompatible h1:UVX5ZOrrfTGZZYEP+ZDq3Xn9PdHNXaSYMFPDumMqG2k=
+github.com/docker/docker v26.1.3+incompatible h1:lLCzRbrVZrljpVNobJu1J2FHk8V0s4BawoZippkc+xo=
-github.com/docker/docker v26.1.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v26.1.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.8.1 h1:j/eKUktUltBtMzKqmfLB0PAgqYyMHOp5vfsD1807oKo=
 github.com/docker/docker-credential-helpers v0.8.1/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M=
 github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
@@ -485,8 +485,8 @@ github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0=
 github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980 h1:lIOOHPEbXzO3vnmx2gok1Tfs31Q8GQqKLc8vVqyQq/I=
+github.com/stefanberger/go-pkcs11uri v0.0.0-20230803200340-78284954bff6 h1:pnnLyeX7o/5aX8qUQ69P/mLojDqwda8hFOCBTmP/6hw=
-github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980/go.mod h1:AO3tvPzVZ/ayst6UlUKUv6rcPQInYe3IknH3jYhAKu8=
+github.com/stefanberger/go-pkcs11uri v0.0.0-20230803200340-78284954bff6/go.mod h1:39R/xuhNgVhi+K0/zst4TLrJrVmbm6LVgl4A0+ZFS5M=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=

libpod/container_internal_common.go

@@ -2299,6 +2299,15 @@ func (c *Container) addHosts() error {
 	var exclude []net.IP
 	if c.pastaResult != nil {
 		exclude = c.pastaResult.IPAddresses
+	} else if c.config.NetMode.IsBridge() {
+		// When running rootless we have to check the rootless netns ip addresses
+		// to not assign a ip that is already used in the rootless netns as it would
+		// not be routed to the host.
+		// https://github.com/containers/podman/issues/22653
+		info, err := c.runtime.network.RootlessNetnsInfo()
+		if err == nil {
+			exclude = info.IPAddresses
+		}
 	}
 
 	return etchosts.New(&etchosts.Params{

test/system/505-networking-pasta.bats

@@ -778,7 +778,7 @@ EOF
     assert "$output" =~ "$mac2" "mac address from cli is set on custom interface"
 }
 
-### Rootless unshare testins
+### Rootless unshare testing
 
 @test "Podman unshare --rootless-netns with Pasta" {
     skip_if_remote "unshare is local-only"
@@ -794,3 +794,30 @@ EOF
     run_podman unshare --rootless-netns ip addr
     is "$output" ".*${pasta_iface}.*"
 }
+
+# https://github.com/containers/podman/issues/22653
+@test "pasta/bridge and host.containers.internal" {
+    skip_if_no_ipv4 "IPv4 not routable on the host"
+    pasta_ip="$(default_addr 4)"
+
+    for network in "pasta" "bridge"; do
+        # special exit code logic needed here, it is possible that there is no host.containers.internal
+        # when there is only one ip one the host and that one is used by pasta.
+        # As such we have to deal with both cases.
+        run_podman '?' run --rm --network=$network $IMAGE grep host.containers.internal /etc/hosts
+        if [ "$status" -eq 0 ]; then
+            assert "$output" !~ "$pasta_ip" "pasta host ip must not be assigned ($network)"
+            assert "$(hostname -I)" =~ "$(cut -f1 <<<$output)" "ip is one of the host ips ($network)"
+        elif [ "$status" -eq 1 ]; then
+            # if only pasta ip then we cannot have a host.containers.internal entry
+            # make sure this fact is actually the case
+            assert "$pasta_ip" == "$(hostname -I | tr -d '[:space:]')" "pasta ip must the only one one the host ($network)"
+        else
+            die "unexpected exit code '$status' from grep or podman ($network)"
+        fi
+    done
+
+    host_ip=$(hostname -I | cut -f 1 -d " ")
+    run_podman run --rm --network=pasta:-a,169.254.0.2,-g,169.254.0.1,-n,24 $IMAGE grep host.containers.internal /etc/hosts
+    assert "$output" =~ "^$host_ip" "uses host first ip"
+}

vendor/github.com/containers/common/libnetwork/cni/run.go

@@ -295,3 +295,10 @@ func (n *cniNetwork) RunInRootlessNetns(toRun func() error) error {
 	}
 	return n.rootlessNetns.Run(n.lock, toRun)
 }
+
+func (n *cniNetwork) RootlessNetnsInfo() (*types.RootlessNetnsInfo, error) {
+	if n.rootlessNetns == nil {
+		return nil, types.ErrNotRootlessNetns
+	}
+	return n.rootlessNetns.Info(), nil
+}

vendor/github.com/containers/common/libnetwork/internal/rootlessnetns/netns_freebsd.go

@@ -3,6 +3,7 @@ package rootlessnetns
 import (
 	"errors"
 
+	"github.com/containers/common/libnetwork/types"
 	"github.com/containers/common/pkg/config"
 	"github.com/containers/storage/pkg/lockfile"
 )
@@ -26,3 +27,7 @@ func (n *Netns) Teardown(nets int, toRun func() error) error {
 func (n *Netns) Run(lock *lockfile.LockFile, toRun func() error) error {
 	return ErrNotSupported
 }
+
+func (n *Netns) Info() *types.RootlessNetnsInfo {
+	return &types.RootlessNetnsInfo{}
+}

vendor/github.com/containers/common/libnetwork/internal/rootlessnetns/netns_linux.go

@@ -4,6 +4,7 @@ import (
 	"errors"
 	"fmt"
 	"io/fs"
+	"net"
 	"os"
 	"path/filepath"
 	"strconv"
@@ -13,6 +14,7 @@ import (
 	"github.com/containers/common/libnetwork/pasta"
 	"github.com/containers/common/libnetwork/resolvconf"
 	"github.com/containers/common/libnetwork/slirp4netns"
+	"github.com/containers/common/libnetwork/types"
 	"github.com/containers/common/pkg/config"
 	"github.com/containers/common/pkg/netns"
 	"github.com/containers/common/pkg/systemd"
@@ -51,6 +53,12 @@ type Netns struct {
 
 	// config contains containers.conf options.
 	config *config.Config
+
+	// ipAddresses used in the netns, this is needed to store
+	// the netns ips that are used by pasta. This is then handed
+	// back to the caller via IPAddresses() which then can make
+	// sure to not use them for host.containers.internal.
+	ipAddresses []net.IP
 }
 
 type rootlessNetnsError struct {
@@ -521,7 +529,24 @@ func (n *Netns) runInner(toRun func() error) (err error) {
 		if err := n.setupMounts(); err != nil {
 			return err
 		}
-		return toRun()
+		if err := toRun(); err != nil {
+			return err
+		}
+
+		// get the current active addresses in the netns, and store them
+		addrs, err := net.InterfaceAddrs()
+		if err != nil {
+			return err
+		}
+		ips := make([]net.IP, 0, len(addrs))
+		for _, addr := range addrs {
+			// make sure to skip localhost and other special addresses
+			if ipnet, ok := addr.(*net.IPNet); ok && ipnet.IP.IsGlobalUnicast() {
+				ips = append(ips, ipnet.IP)
+			}
+		}
+		n.ipAddresses = ips
+		return nil
 	})
 }
 
@@ -597,6 +622,14 @@ func (n *Netns) Run(lock *lockfile.LockFile, toRun func() error) error {
 	return inErr
 }
 
+// IPAddresses returns the currently used ip addresses in the netns
+// These should then not be assigned for the host.containers.internal entry.
+func (n *Netns) Info() *types.RootlessNetnsInfo {
+	return &types.RootlessNetnsInfo{
+		IPAddresses: n.ipAddresses,
+	}
+}
+
 func refCount(dir string, inc int) (int, error) {
 	file := filepath.Join(dir, refCountFile)
 	content, err := os.ReadFile(file)

vendor/github.com/containers/common/libnetwork/netavark/run.go

@@ -187,3 +187,10 @@ func (n *netavarkNetwork) RunInRootlessNetns(toRun func() error) error {
 	}
 	return n.rootlessNetns.Run(n.lock, toRun)
 }
+
+func (n *netavarkNetwork) RootlessNetnsInfo() (*types.RootlessNetnsInfo, error) {
+	if n.rootlessNetns == nil {
+		return nil, types.ErrNotRootlessNetns
+	}
+	return n.rootlessNetns.Info(), nil
+}

vendor/github.com/containers/common/libnetwork/types/network.go

@@ -31,6 +31,11 @@ type ContainerNetwork interface {
 	// Only used as rootless and should return an error as root.
 	RunInRootlessNetns(toRun func() error) error
 
+	// RootlessNetnsInfo return extra information about the rootless netns.
+	// Only valid when called after Setup().
+	// Only used as rootless and should return an error as root.
+	RootlessNetnsInfo() (*RootlessNetnsInfo, error)
+
 	// Drivers will return the list of supported network drivers
 	// for this interface.
 	Drivers() []string
@@ -334,6 +339,11 @@ type TeardownOptions struct {
 	NetworkOptions
 }
 
+type RootlessNetnsInfo struct {
+	// IPAddresses used in the netns, must not be used for host.containers.internal
+	IPAddresses []net.IP
+}
+
 // FilterFunc can be passed to NetworkList to filter the networks.
 type FilterFunc func(Network) bool
 

vendor/github.com/containers/common/pkg/secrets/secrets.go

@@ -218,11 +218,12 @@ func (s *SecretsManager) Store(name string, data []byte, driverType string, opti
 	}
 
 	if options.Replace {
-		if err := driver.Delete(secr.ID); err != nil && !errors.Is(err, define.ErrNoSuchSecret) {
+		err := driver.Delete(secr.ID)
-			return "", fmt.Errorf("deleting secret %s: %w", secr.ID, err)
+		if err != nil {
+			if !errors.Is(err, define.ErrNoSuchSecret) {
+				return "", fmt.Errorf("deleting driver secret %s: %w", secr.ID, err)
 			}
-
+		} else {
-		if err == nil {
 			if err := s.delete(secr.ID); err != nil && !errors.Is(err, define.ErrNoSuchSecret) {
 				return "", fmt.Errorf("deleting secret %s: %w", secr.ID, err)
 			}

vendor/github.com/stefanberger/go-pkcs11uri/.travis.yml

@@ -5,7 +5,7 @@ os:
 - linux
 
 go:
-  - "1.13.x"
+  - "1.19.x"
 
 matrix:
   include:
@@ -17,7 +17,7 @@ addons:
       - softhsm2
 
 install:
-  - curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s -- -b $(go env GOPATH)/bin v1.30.0
+  - curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.53.2
 
 script:
   - make

vendor/github.com/stefanberger/go-pkcs11uri/pkcs11uri.go

@@ -19,7 +19,6 @@ package pkcs11uri
 import (
 	"errors"
 	"fmt"
-	"io/ioutil"
 	"net/url"
 	"os"
 	"path/filepath"
@@ -128,6 +127,12 @@ func (uri *Pkcs11URI) SetPathAttribute(name, value string) error {
 	return uri.setAttribute(uri.pathAttributes, name, value)
 }
 
+// SetPathAttributeUnencoded sets the value for a path attribute given as byte[].
+// The value must not have been pct-encoded already.
+func (uri *Pkcs11URI) SetPathAttributeUnencoded(name string, value []byte) {
+	uri.pathAttributes[name] = string(value)
+}
+
 // AddPathAttribute adds a path attribute; it returns an error if an attribute with the same
 // name already existed or if the given value cannot be pct-unescaped
 func (uri *Pkcs11URI) AddPathAttribute(name, value string) error {
@@ -137,6 +142,16 @@ func (uri *Pkcs11URI) AddPathAttribute(name, value string) error {
 	return uri.SetPathAttribute(name, value)
 }
 
+// AddPathAttributeUnencoded adds a path attribute given as byte[] which must not already be pct-encoded;
+// it returns an error if an attribute with the same name already existed
+func (uri *Pkcs11URI) AddPathAttributeUnencoded(name string, value []byte) error {
+	if _, ok := uri.pathAttributes[name]; ok {
+		return errors.New("duplicate path attribute")
+	}
+	uri.SetPathAttributeUnencoded(name, value)
+	return nil
+}
+
 // RemovePathAttribute removes a path attribute
 func (uri *Pkcs11URI) RemovePathAttribute(name string) {
 	delete(uri.pathAttributes, name)
@@ -173,6 +188,12 @@ func (uri *Pkcs11URI) SetQueryAttribute(name, value string) error {
 	return uri.setAttribute(uri.queryAttributes, name, value)
 }
 
+// SetQueryAttributeUnencoded sets the value for a quiery attribute given as byte[].
+// The value must not have been pct-encoded already.
+func (uri *Pkcs11URI) SetQueryAttributeUnencoded(name string, value []byte) {
+	uri.queryAttributes[name] = string(value)
+}
+
 // AddQueryAttribute adds a query attribute; it returns an error if an attribute with the same
 // name already existed or if the given value cannot be pct-unescaped
 func (uri *Pkcs11URI) AddQueryAttribute(name, value string) error {
@@ -182,6 +203,16 @@ func (uri *Pkcs11URI) AddQueryAttribute(name, value string) error {
 	return uri.SetQueryAttribute(name, value)
 }
 
+// AddQueryAttributeUnencoded adds a query attribute given as byte[] which must not already be pct-encoded;
+// it returns an error if an attribute with the same name already existed
+func (uri *Pkcs11URI) AddQueryAttributeUnencoded(name string, value []byte) error {
+	if _, ok := uri.queryAttributes[name]; ok {
+		return errors.New("duplicate query attribute")
+	}
+	uri.SetQueryAttributeUnencoded(name, value)
+	return nil
+}
+
 // RemoveQueryAttribute removes a path attribute
 func (uri *Pkcs11URI) RemoveQueryAttribute(name string) {
 	delete(uri.queryAttributes, name)
@@ -257,7 +288,7 @@ func (uri *Pkcs11URI) GetPIN() (string, error) {
 			if !filepath.IsAbs(pinuri.Path) {
 				return "", fmt.Errorf("PIN URI path '%s' is not absolute", pinuri.Path)
 			}
-			pin, err := ioutil.ReadFile(pinuri.Path)
+			pin, err := os.ReadFile(pinuri.Path)
 			if err != nil {
 				return "", fmt.Errorf("Could not open PIN file: %s", err)
 			}
@@ -426,7 +457,7 @@ func (uri *Pkcs11URI) GetModule() (string, error) {
 	moduleName = strings.ToLower(moduleName)
 
 	for _, dir := range searchdirs {
-		files, err := ioutil.ReadDir(dir)
+		files, err := os.ReadDir(dir)
 		if err != nil {
 			continue
 		}

vendor/modules.txt

@@ -107,7 +107,7 @@ github.com/chzyer/readline
 # github.com/containerd/cgroups/v3 v3.0.3
 ## explicit; go 1.18
 github.com/containerd/cgroups/v3/cgroup1/stats
-# github.com/containerd/containerd v1.7.16
+# github.com/containerd/containerd v1.7.17
 ## explicit; go 1.21
 github.com/containerd/containerd/errdefs
 github.com/containerd/containerd/log
@@ -171,7 +171,7 @@ github.com/containers/buildah/pkg/sshagent
 github.com/containers/buildah/pkg/util
 github.com/containers/buildah/pkg/volumes
 github.com/containers/buildah/util
-# github.com/containers/common v0.58.1-0.20240509172903-2c88a3f280bb
+# github.com/containers/common v0.58.1-0.20240517090124-fa276b325847
 ## explicit; go 1.21
 github.com/containers/common/internal
 github.com/containers/common/internal/attributedstring
@@ -469,7 +469,7 @@ github.com/distribution/reference
 github.com/docker/distribution/registry/api/errcode
 github.com/docker/distribution/registry/api/v2
 github.com/docker/distribution/registry/client/auth/challenge
-# github.com/docker/docker v26.1.2+incompatible
+# github.com/docker/docker v26.1.3+incompatible
 ## explicit
 github.com/docker/docker/api
 github.com/docker/docker/api/types
@@ -1022,8 +1022,8 @@ github.com/spf13/cobra
 # github.com/spf13/pflag v1.0.5
 ## explicit; go 1.12
 github.com/spf13/pflag
-# github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980
+# github.com/stefanberger/go-pkcs11uri v0.0.0-20230803200340-78284954bff6
-## explicit
+## explicit; go 1.19
 github.com/stefanberger/go-pkcs11uri
 # github.com/stretchr/testify v1.9.0
 ## explicit; go 1.17