diff --git a/SOURCES/buildah-1756986.patch b/SOURCES/buildah-1756986.patch
new file mode 100644
index 0000000..e70ea76
--- /dev/null
+++ b/SOURCES/buildah-1756986.patch
@@ -0,0 +1,98 @@
+From 6d7ab38f33edb9ab87a290a0c68cfd27b55b061f Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai <nalin@redhat.com>
+Date: Wed, 8 Jan 2020 11:02:05 -0500
+Subject: [PATCH 1/2] Check for .dockerignore specifically
+
+When generating the list of exclusions to process .dockerignore
+contents, don't include .dockerignore if we don't have a .dockerignore
+file in the context directory. That way, if the file doesn't exist, and
+the caller didn't pass in any patterns, we get no patterns instead of
+just one ".dockerignore" pattern, and we can hit the faster copy path.
+
+Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
+
+Closes: #2072
+Approved by: giuseppe
+---
+ add.go | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/add.go b/add.go
+index b5119e369..e82a5ef9a 100644
+--- a/add.go
++++ b/add.go
+@@ -215,7 +215,12 @@ func dockerIgnoreMatcher(lines []string, contextDir string) (*fileutils.PatternM
+ if contextDir == "" {
+ return nil, nil
+ }
+- patterns := []string{".dockerignore"}
++ // If there's no .dockerignore file, then we don't have to add a
++ // pattern to tell copy logic to ignore it later.
++ var patterns []string
++ if _, err := os.Stat(filepath.Join(contextDir, ".dockerignore")); err == nil || !os.IsNotExist(err) {
++ patterns = []string{".dockerignore"}
++ }
+ for _, ignoreSpec := range lines {
+ ignoreSpec = strings.TrimSpace(ignoreSpec)
+ // ignore comments passed back from .dockerignore
+@@ -224,7 +229,8 @@ func dockerIgnoreMatcher(lines []string, contextDir string) (*fileutils.PatternM
+ }
+ // if the spec starts with '!' it means the pattern
+ // should be included. make a note so that we can move
+- // it to the front of the updated pattern
++ // it to the front of the updated pattern, and insert
++ // the context dir's path in between
+ includeFlag := ""
+ if strings.HasPrefix(ignoreSpec, "!") {
+ includeFlag = "!"
+
+From f999964084ce75c833b0cffd17fb09b947dad506 Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai <nalin@redhat.com>
+Date: Wed, 8 Jan 2020 11:04:57 -0500
+Subject: [PATCH 2/2] copyFileWithTar: close source files at the right time
+
+Close source files after we've finished reading from them, rather than
+leaving it for later.
+
+Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
+
+Closes: #2072
+Approved by: giuseppe
+---
+ util.go | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/util.go b/util.go
+index b4670e41c..2f923357c 100644
+--- a/util.go
++++ b/util.go
+@@ -165,11 +165,6 @@ func (b *Builder) copyFileWithTar(tarIDMappingOptions *IDMappingOptions, chownOp
+ if err != nil {
+ return errors.Wrapf(err, "error opening %q to copy its contents", src)
+ }
+- defer func() {
+- if err := f.Close(); err != nil {
+- logrus.Debugf("error closing %s: %v", fi.Name(), err)
+- }
+- }()
+ }
+ }
+
+@@ -200,6 +195,9 @@ func (b *Builder) copyFileWithTar(tarIDMappingOptions *IDMappingOptions, chownOp
+ logrus.Debugf("error copying contents of %s: %v", fi.Name(), err)
+ copyErr = err
+ }
++ if err = srcFile.Close(); err != nil {
++ logrus.Debugf("error closing %s: %v", fi.Name(), err)
++ }
+ }
+ if err = writer.Close(); err != nil {
+ logrus.Debugf("error closing write pipe for %s: %v", hdr.Name, err)
+@@ -213,7 +211,6 @@ func (b *Builder) copyFileWithTar(tarIDMappingOptions *IDMappingOptions, chownOp
+ if err == nil {
+ err = copyErr
+ }
+- f = nil
+ if pipeWriter != nil {
+ pipeWriter.Close()
+ }
diff --git a/SOURCES/buildah-1784950.patch b/SOURCES/buildah-1784950.patch
new file mode 100644
index 0000000..11ec21d
--- /dev/null
+++ b/SOURCES/buildah-1784950.patch
@@ -0,0 +1,145 @@
+From fb7d2b6bd6a16ffdbe4a69428e3ba5b487719e78 Mon Sep 17 00:00:00 2001
+From: Daniel J Walsh <dwalsh@redhat.com>
+Date: Tue, 17 Dec 2019 15:24:29 -0500
+Subject: [PATCH] Add support for FIPS-Mode backends
+
+If host is running in fips mode, then RHEL8.2 and beyond container images
+will come with a directory /usr/share/crypto-policies/back-ends/FIPS.
+This directory needs to be bind mounted over /etc/crypto-policies/back-ends in
+order to make all tools in the container follow the FIPS Mode rules.
+
+Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
+---
+ pkg/secrets/secrets.go | 48 +++++++++++++++++++++++++++++++++---------
+ run_linux.go | 2 +-
+ 2 files changed, 39 insertions(+), 11 deletions(-)
+
+diff -up ./buildah-9513cb8c7bec0f7789c696aee4d252ebf85194cc/pkg/secrets/secrets.go.1784950 ./buildah-9513cb8c7bec0f7789c696aee4d252ebf85194cc/pkg/secrets/secrets.go
+--- buildah-9513cb8c7bec0f7789c696aee4d252ebf85194cc/pkg/secrets/secrets.go.1784950 2020-02-19 16:26:58.582289704 +0100
++++ buildah-9513cb8c7bec0f7789c696aee4d252ebf85194cc/pkg/secrets/secrets.go 2020-02-19 16:26:58.584289732 +0100
+@@ -148,12 +148,21 @@ func getMountsMap(path string) (string,
+ }
+
+ // SecretMounts copies, adds, and mounts the secrets to the container root filesystem
++// Deprecated, Please use SecretMountWithUIDGID
+ func SecretMounts(mountLabel, containerWorkingDir, mountFile string, rootless, disableFips bool) []rspec.Mount {
+ return SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, containerWorkingDir, 0, 0, rootless, disableFips)
+ }
+
+-// SecretMountsWithUIDGID specifies the uid/gid of the owner
+-func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPrefix string, uid, gid int, rootless, disableFips bool) []rspec.Mount {
++// SecretMountsWithUIDGID copies, adds, and mounts the secrets to the container root filesystem
++// mountLabel: MAC/SELinux label for container content
++// containerWorkingDir: Private data for storing secrets on the host mounted in container.
++// mountFile: Additional mount points required for the container.
++// mountPoint: Container image mountpoint
++// uid: to assign to content created for secrets
++// gid: to assign to content created for secrets
++// rootless: indicates whether container is running in rootless mode
++// disableFips: indicates whether system should ignore fips mode
++func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPoint string, uid, gid int, rootless, disableFips bool) []rspec.Mount {
+ var (
+ secretMounts []rspec.Mount
+ mountFiles []string
+@@ -171,7 +180,7 @@ func SecretMountsWithUIDGID(mountLabel,
+ }
+ for _, file := range mountFiles {
+ if _, err := os.Stat(file); err == nil {
+- mounts, err := addSecretsFromMountsFile(file, mountLabel, containerWorkingDir, mountPrefix, uid, gid)
++ mounts, err := addSecretsFromMountsFile(file, mountLabel, containerWorkingDir, uid, gid)
+ if err != nil {
+ logrus.Warnf("error mounting secrets, skipping entry in %s: %v", file, err)
+ }
+@@ -187,7 +196,7 @@ func SecretMountsWithUIDGID(mountLabel,
+ // Add FIPS mode secret if /etc/system-fips exists on the host
+ _, err := os.Stat("/etc/system-fips")
+ if err == nil {
+- if err := addFIPSModeSecret(&secretMounts, containerWorkingDir, mountPrefix, mountLabel, uid, gid); err != nil {
++ if err := addFIPSModeSecret(&secretMounts, containerWorkingDir, mountPoint, mountLabel, uid, gid); err != nil {
+ logrus.Errorf("error adding FIPS mode secret to container: %v", err)
+ }
+ } else if os.IsNotExist(err) {
+@@ -206,7 +215,7 @@ func rchown(chowndir string, uid, gid in
+
+ // addSecretsFromMountsFile copies the contents of host directory to container directory
+ // and returns a list of mounts
+-func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPrefix string, uid, gid int) ([]rspec.Mount, error) {
++func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir string, uid, gid int) ([]rspec.Mount, error) {
+ var mounts []rspec.Mount
+ defaultMountsPaths := getMounts(filePath)
+ for _, path := range defaultMountsPaths {
+@@ -285,7 +294,7 @@ func addSecretsFromMountsFile(filePath,
+ }
+
+ m := rspec.Mount{
+- Source: filepath.Join(mountPrefix, ctrDirOrFile),
++ Source: ctrDirOrFileOnHost,
+ Destination: ctrDirOrFile,
+ Type: "bind",
+ Options: []string{"bind", "rprivate"},
+@@ -300,15 +309,15 @@ func addSecretsFromMountsFile(filePath,
+ // root filesystem if /etc/system-fips exists on hosts.
+ // This enables the container to be FIPS compliant and run openssl in
+ // FIPS mode as the host is also in FIPS mode.
+-func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPrefix, mountLabel string, uid, gid int) error {
++func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPoint, mountLabel string, uid, gid int) error {
+ secretsDir := "/run/secrets"
+ ctrDirOnHost := filepath.Join(containerWorkingDir, secretsDir)
+ if _, err := os.Stat(ctrDirOnHost); os.IsNotExist(err) {
+ if err = idtools.MkdirAllAs(ctrDirOnHost, 0755, uid, gid); err != nil {
+- return errors.Wrapf(err, "making container directory on host failed")
++ return errors.Wrapf(err, "making container directory %q on host failed", ctrDirOnHost)
+ }
+ if err = label.Relabel(ctrDirOnHost, mountLabel, false); err != nil {
+- return errors.Wrap(err, "error applying correct labels")
++ return errors.Wrapf(err, "error applying correct labels on %q", ctrDirOnHost)
+ }
+ }
+ fipsFile := filepath.Join(ctrDirOnHost, "system-fips")
+@@ -323,7 +332,7 @@ func addFIPSModeSecret(mounts *[]rspec.M
+
+ if !mountExists(*mounts, secretsDir) {
+ m := rspec.Mount{
+- Source: filepath.Join(mountPrefix, secretsDir),
++ Source: ctrDirOnHost,
+ Destination: secretsDir,
+ Type: "bind",
+ Options: []string{"bind", "rprivate"},
+@@ -331,6 +340,25 @@ func addFIPSModeSecret(mounts *[]rspec.M
+ *mounts = append(*mounts, m)
+ }
+
++ srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS"
++ destDir := "/etc/crypto-policies/back-ends"
++ srcOnHost := filepath.Join(mountPoint, srcBackendDir)
++ if _, err := os.Stat(srcOnHost); err != nil {
++ if os.IsNotExist(err) {
++ return nil
++ }
++ return errors.Wrapf(err, "failed to stat FIPS Backend directory %q", ctrDirOnHost)
++ }
++
++ if !mountExists(*mounts, destDir) {
++ m := rspec.Mount{
++ Source: srcOnHost,
++ Destination: destDir,
++ Type: "bind",
++ Options: []string{"bind", "rprivate"},
++ }
++ *mounts = append(*mounts, m)
++ }
+ return nil
+ }
+
+diff -up ./buildah-9513cb8c7bec0f7789c696aee4d252ebf85194cc/run_linux.go.1784950 ./buildah-9513cb8c7bec0f7789c696aee4d252ebf85194cc/run_linux.go
+--- buildah-9513cb8c7bec0f7789c696aee4d252ebf85194cc/run_linux.go.1784950 2020-02-19 16:26:58.555289325 +0100
++++ buildah-9513cb8c7bec0f7789c696aee4d252ebf85194cc/run_linux.go 2020-02-19 16:26:58.557289353 +0100
+@@ -460,7 +460,7 @@ func (b *Builder) setupMounts(mountPoint
+ }
+
+ // Get the list of secrets mounts.
+- secretMounts := secrets.SecretMountsWithUIDGID(b.MountLabel, cdir, b.DefaultMountsFilePath, cdir, int(rootUID), int(rootGID), unshare.IsRootless(), false)
++ secretMounts := secrets.SecretMountsWithUIDGID(b.MountLabel, cdir, b.DefaultMountsFilePath, mountPoint, int(rootUID), int(rootGID), unshare.IsRootless(), false)
+
+ // Add temporary copies of the contents of volume locations at the
+ // volume locations, unless we already have something there.
diff --git a/SPECS/buildah.spec b/SPECS/buildah.spec
index 68a8001..c4e478b 100644
--- a/SPECS/buildah.spec
+++ b/SPECS/buildah.spec
@@ -25,12 +25,18 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl
Name: %{repo}
Version: 1.11.6
-Release: 4%{?dist}
+Release: 6%{?dist}
Summary: A command line tool used for creating OCI Images
License: ASL 2.0
URL: https://%{name}.io
Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
Patch0: https://patch-diff.githubusercontent.com/raw/containers/buildah/pull/1996.patch
+# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1784950
+# backported: https://patch-diff.githubusercontent.com/raw/containers/buildah/pull/2031.patch
+Patch1: buildah-1784950.patch
+# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1756986
+# patch: https://patch-diff.githubusercontent.com/raw/containers/buildah/pull/2181.patch
+Patch2: buildah-1756986.patch
BuildRequires: golang >= 1.12.12-4
BuildRequires: git
@@ -117,6 +123,14 @@ make DESTDIR=%{buildroot} PREFIX=%{_prefix} -C docs install
%{_datadir}/%{name}/test
%changelog
+* Tue Feb 25 2020 Jindrich Novy <jnovy@redhat.com> - 1.11.6-6
+- fix "COPY command takes long time with buildah"
+- Resolves: #1806119
+
+* Wed Feb 19 2020 Jindrich Novy <jnovy@redhat.com> - 1.11.6-5
+- fix "Podman support for FIPS Mode requires a bind mount inside the container"
+- Resolves: #1804188
+
* Wed Dec 11 2019 Jindrich Novy <jnovy@redhat.com> - 1.11.6-4
- compile in FIPS mode
- Related: RHELPLAN-25138