vendor latest common, image, storage

Pick up the latest registries.d and network changes.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>

go.mod

@@ -64,9 +64,9 @@ require (
 	github.com/vbauerster/mpb/v8 v8.12.0
 	github.com/vishvananda/netlink v1.3.1
 	go.podman.io/buildah v1.42.1-0.20260421143840-0acb6b8cca85
-	go.podman.io/common v0.67.2-0.20260428163628-e3b0c9aa788d
-	go.podman.io/image/v5 v5.39.3-0.20260428163628-e3b0c9aa788d
-	go.podman.io/storage v1.62.1-0.20260428163628-e3b0c9aa788d
+	go.podman.io/common v0.67.2-0.20260430110239-06cbc5da36f1
+	go.podman.io/image/v5 v5.39.3-0.20260430110239-06cbc5da36f1
+	go.podman.io/storage v1.62.1-0.20260430110239-06cbc5da36f1
 	golang.org/x/crypto v0.50.0
 	golang.org/x/net v0.53.0
 	golang.org/x/sync v0.20.0

go.sum

@@ -431,12 +431,12 @@ go.opentelemetry.io/otel/trace v1.43.0 h1:BkNrHpup+4k4w+ZZ86CZoHHEkohws8AY+WTX09
 go.opentelemetry.io/otel/trace v1.43.0/go.mod h1:/QJhyVBUUswCphDVxq+8mld+AvhXZLhe+8WVFxiFff0=
 go.podman.io/buildah v1.42.1-0.20260421143840-0acb6b8cca85 h1:rVKRagobPO6kGHOg2NhGNs6xWVgZctiOn4tmxa3cytA=
 go.podman.io/buildah v1.42.1-0.20260421143840-0acb6b8cca85/go.mod h1:JjFirF1zlILz55ZkVYYhLRnted7mPlmoS2w2ihYw8iw=
-go.podman.io/common v0.67.2-0.20260428163628-e3b0c9aa788d h1:/oR7Ke8lxnw/pTcQ3mcjKLPI0gn0xc/wGPKXGpq+/gM=
-go.podman.io/common v0.67.2-0.20260428163628-e3b0c9aa788d/go.mod h1:3Dn8ywd1MInft7FIPMBcLOvVWgAhiLFCwsNxCTc9QhM=
-go.podman.io/image/v5 v5.39.3-0.20260428163628-e3b0c9aa788d h1:mm8baBK0FvElAxfI6Z9knY0PcnjX4wVvlI+/H4lg1kI=
-go.podman.io/image/v5 v5.39.3-0.20260428163628-e3b0c9aa788d/go.mod h1:c1ged4R93jqNgA1E1Quywv65YAZvPZm4bOEqFMOi1OE=
-go.podman.io/storage v1.62.1-0.20260428163628-e3b0c9aa788d h1:V1Tk7mksAafNAjdDEdJ8IFKkKceYoWXDuOqO5RJw/OI=
-go.podman.io/storage v1.62.1-0.20260428163628-e3b0c9aa788d/go.mod h1:13aOBf6782/fbAzH7QNEqlVzFu+X4sS4MxDM/VdJGZU=
+go.podman.io/common v0.67.2-0.20260430110239-06cbc5da36f1 h1:RLBHWyNtJhiD5ZucydAh7zWXOxqX2+MTXVwt45OVkME=
+go.podman.io/common v0.67.2-0.20260430110239-06cbc5da36f1/go.mod h1:GLtgL6CqdqGKSXMvWJZ04WwlQczIJeyk4WRJntzox/c=
+go.podman.io/image/v5 v5.39.3-0.20260430110239-06cbc5da36f1 h1:CvxUIObaQSc5YyUupNWbXVN+THr2lDih40mRDa0iUmo=
+go.podman.io/image/v5 v5.39.3-0.20260430110239-06cbc5da36f1/go.mod h1:c1ged4R93jqNgA1E1Quywv65YAZvPZm4bOEqFMOi1OE=
+go.podman.io/storage v1.62.1-0.20260430110239-06cbc5da36f1 h1:3t6B2voX4pRA3UF20UDkGYRdw3m+xpvC0JUNB0VnpnM=
+go.podman.io/storage v1.62.1-0.20260430110239-06cbc5da36f1/go.mod h1:13aOBf6782/fbAzH7QNEqlVzFu+X4sS4MxDM/VdJGZU=
 go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
 go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=

vendor/go.podman.io/common/libnetwork/internal/util/validate.go

@@ -4,8 +4,6 @@ import (
 	"errors"
 	"fmt"
 	"net"
-	"strings"
-	"unicode"
 
 	"go.podman.io/common/libnetwork/types"
 	"go.podman.io/common/libnetwork/util"
@@ -98,43 +96,6 @@ func ValidateSubnets(network *types.Network, addGateway bool, usedNetworks []*ne
 	return nil
 }
 
-func ValidateRoutes(routes []types.Route) error {
-	for _, route := range routes {
-		err := ValidateRoute(route)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func ValidateRoute(route types.Route) error {
-	if route.Destination.IP == nil {
-		return errors.New("route destination ip nil")
-	}
-
-	if route.Destination.Mask == nil {
-		return errors.New("route destination mask nil")
-	}
-
-	if route.Gateway == nil {
-		return errors.New("route gateway nil")
-	}
-
-	// Reparse to ensure destination is valid.
-	ip, ipNet, err := net.ParseCIDR(route.Destination.String())
-	if err != nil {
-		return fmt.Errorf("route destination invalid: %w", err)
-	}
-
-	// check that destination is a network and not an address
-	if !ip.Equal(ipNet.IP) {
-		return errors.New("route destination invalid")
-	}
-
-	return nil
-}
-
 func ValidateSetupOptions(n NetUtil, namespacePath string, options types.SetupOptions) error {
 	if namespacePath == "" {
 		return errors.New("namespacePath is empty")
@@ -176,23 +137,3 @@ func validatePerNetworkOpts(network *types.Network, netOpts *types.PerNetworkOpt
 	}
 	return nil
 }
-
-// ValidateInterfaceName validates the interface name based on the following rules:
-// 1. The name must be less than MaxInterfaceNameLength characters
-// 2. The name must not be "." or ".."
-// 3. The name must not contain / or : or any whitespace characters
-// ref to https://github.com/torvalds/linux/blob/81e4f8d68c66da301bb881862735bd74c6241a19/include/uapi/linux/if.h#L33C18-L33C20
-func ValidateInterfaceName(ifName string) error {
-	if len(ifName) > types.MaxInterfaceNameLength {
-		return fmt.Errorf("interface name is too long: interface names must be %d characters or less: %w", types.MaxInterfaceNameLength, types.ErrInvalidArg)
-	}
-	if ifName == "." || ifName == ".." {
-		return fmt.Errorf("interface name is . or ..: %w", types.ErrInvalidArg)
-	}
-	if strings.ContainsFunc(ifName, func(r rune) bool {
-		return r == '/' || r == ':' || unicode.IsSpace(r)
-	}) {
-		return fmt.Errorf("interface name contains / or : or whitespace characters: %w", types.ErrInvalidArg)
-	}
-	return nil
-}

vendor/go.podman.io/common/libnetwork/types/network.go

@@ -201,15 +201,31 @@ type Subnet struct {
 	LeaseRange *LeaseRange `json:"lease_range,omitempty"`
 }
 
+// RouteType represents the type of a route.
+type RouteType string
+
+const (
+	// RouteTypeUnicast is a regular route with a gateway (default).
+	RouteTypeUnicast RouteType = "unicast"
+	// RouteTypeBlackhole silently discards packets.
+	RouteTypeBlackhole RouteType = "blackhole"
+	// RouteTypeUnreachable rejects with "destination unreachable".
+	RouteTypeUnreachable RouteType = "unreachable"
+	// RouteTypeProhibit rejects with "administratively prohibited".
+	RouteTypeProhibit RouteType = "prohibit"
+)
+
 type Route struct {
 	// Destination for this route in CIDR form.
 	// swagger:strfmt string
 	Destination IPNet `json:"destination"`
-	// Gateway IP for this route.
+	// Gateway IP for this route. Required for unicast routes, must be empty for blackhole/unreachable/prohibit.
 	// swagger:strfmt string
-	Gateway net.IP `json:"gateway"`
+	Gateway net.IP `json:"gateway,omitempty"`
 	// Metric for this route. Optional.
 	Metric *uint32 `json:"metric,omitempty"`
+	// RouteType is the type of route: unicast (default), blackhole, unreachable, prohibit.
+	RouteType RouteType `json:"route_type,omitempty"`
 }
 
 // LeaseRange contains the range where IP are leased.

vendor/go.podman.io/common/pkg/config/containers.conf

@@ -936,9 +936,9 @@ default_sysctls = [
 #provider = ""
 
 # Rosetta supports running x86_64 Linux binaries on a Podman machine on Apple silicon.
-# The default value is `true`. Supported on AppleHV(arm64) machines only.
+# The default value is `false`. Supported on AppleHV(arm64) machines only.
 #
-#rosetta=true
+#rosetta=false
 
 # Import the host's trusted CA certificates into the machine.
 # When set to true, the certificates from the host system are imported during machine startup.

vendor/go.podman.io/common/pkg/config/default.go

@@ -274,7 +274,7 @@ func defaultMachineConfig() MachineConfig {
 		Memory:   2048,
 		User:     getDefaultMachineUser(),
 		Volumes:  configfile.NewSlice(getDefaultMachineVolumes()),
-		Rosetta:  true,
+		Rosetta:  false,
 	}
 }
 

vendor/go.podman.io/common/pkg/netns/netns_linux.go

@@ -249,7 +249,7 @@ func (ns *netNS) Do(toRun func(NetNS) error) error {
 // GetNSRunDir returns the dir of where to create the netNS. When running
 // rootless, it needs to be at a location writable by user.
 func GetNSRunDir() (string, error) {
-	if unshare.IsRootless() {
+	if unshare.GetRootlessUID() > 0 {
 		rootlessDir, err := homedir.GetRuntimeDir()
 		if err != nil {
 			return "", err

vendor/go.podman.io/image/v5/docker/docker_client.go

@@ -33,8 +33,9 @@ import (
 	"go.podman.io/image/v5/pkg/sysregistriesv2"
 	"go.podman.io/image/v5/pkg/tlsclientconfig"
 	"go.podman.io/image/v5/types"
+	"go.podman.io/storage/pkg/configfile"
 	"go.podman.io/storage/pkg/fileutils"
-	"go.podman.io/storage/pkg/homedir"
+	"go.podman.io/storage/pkg/unshare"
 	"golang.org/x/sync/semaphore"
 )
 
@@ -60,19 +61,6 @@ const (
 	backoffMaxDelay      = 60 * time.Second
 )
 
-type certPath struct {
-	path     string
-	absolute bool
-}
-
-var (
-	homeCertDir     = filepath.FromSlash(".config/containers/certs.d")
-	perHostCertDirs = []certPath{
-		{path: etcDir + "/containers/certs.d", absolute: true},
-		{path: etcDir + "/docker/certs.d", absolute: true},
-	}
-)
-
 // extensionSignature and extensionSignatureList come from github.com/openshift/origin/pkg/dockerregistry/server/signaturedispatcher.go:
 // signature represents a Docker image signature.
 type extensionSignature struct {
@@ -167,22 +155,35 @@ func dockerCertDir(sys *types.SystemContext, hostPort string) (string, error) {
 		return filepath.Join(sys.DockerPerHostCertDirPath, hostPort), nil
 	}
 
-	var (
-		hostCertDir     string
-		fullCertDirPath string
-	)
+	rootForImplicitAbsolutePaths := ""
+	if sys != nil {
+		rootForImplicitAbsolutePaths = sys.RootForImplicitAbsolutePaths
+	}
 
-	for _, perHostCertDir := range append([]certPath{{path: filepath.Join(homedir.Get(), homeCertDir), absolute: false}}, perHostCertDirs...) {
-		if sys != nil && sys.RootForImplicitAbsolutePaths != "" && perHostCertDir.absolute {
-			hostCertDir = filepath.Join(sys.RootForImplicitAbsolutePaths, perHostCertDir.path)
-		} else {
-			hostCertDir = perHostCertDir.path
-		}
+	paths, err := configfile.GetSearchPaths(&configfile.File{
+		Name:                           "certs",
+		Extension:                      "d",
+		DoNotUseExtensionForConfigName: true,
+		UserId:                         unshare.GetRootlessUID(),
+		RootForImplicitAbsolutePaths:   rootForImplicitAbsolutePaths,
+	})
+	if err != nil {
+		return "", err
+	}
 
-		fullCertDirPath = filepath.Join(hostCertDir, hostPort)
-		err := fileutils.Exists(fullCertDirPath)
+	candidates := make([]string, 0, len(paths.DropInDirectories)+1)
+	candidates = append(candidates, paths.DropInDirectories...)
+	perHostCertDir := etcDir + "/docker/certs.d"
+	if rootForImplicitAbsolutePaths != "" {
+		perHostCertDir = filepath.Join(rootForImplicitAbsolutePaths, perHostCertDir)
+	}
+	candidates = append(candidates, perHostCertDir)
+
+	for _, baseDir := range candidates {
+		fullCertDirPath := filepath.Join(baseDir, hostPort)
+		err = fileutils.Exists(fullCertDirPath)
 		if err == nil {
-			break
+			return fullCertDirPath, nil
 		}
 		if os.IsNotExist(err) {
 			continue
@@ -193,7 +194,7 @@ func dockerCertDir(sys *types.SystemContext, hostPort string) (string, error) {
 		}
 		return "", err
 	}
-	return fullCertDirPath, nil
+	return "", nil
 }
 
 // newDockerClientFromRef returns a new dockerClient instance for refHostname (a host a specified in the Docker image reference, not canonicalized to dockerRegistry)
@@ -263,8 +264,10 @@ func newDockerClient(sys *types.SystemContext, registry, reference string) (*doc
 	if err != nil {
 		return nil, err
 	}
-	if err := tlsclientconfig.SetupCertificates(certDir, tlsClientConfig); err != nil {
-		return nil, err
+	if certDir != "" {
+		if err := tlsclientconfig.SetupCertificates(certDir, tlsClientConfig); err != nil {
+			return nil, err
+		}
 	}
 
 	// Check if TLS verification shall be skipped (default=false) which can

vendor/go.podman.io/image/v5/docker/registries_d.go

@@ -3,42 +3,29 @@ package docker
 import (
 	"errors"
 	"fmt"
-	"io/fs"
+	"io"
 	"net/url"
-	"os"
 	"path"
 	"path/filepath"
-	"strings"
 
 	"github.com/opencontainers/go-digest"
 	"github.com/sirupsen/logrus"
 	"go.podman.io/image/v5/docker/reference"
 	"go.podman.io/image/v5/internal/rootless"
 	"go.podman.io/image/v5/types"
-	"go.podman.io/storage/pkg/fileutils"
+	"go.podman.io/storage/pkg/configfile"
 	"go.podman.io/storage/pkg/homedir"
+	"go.podman.io/storage/pkg/unshare"
 	"gopkg.in/yaml.v3"
 )
 
-// systemRegistriesDirPath is the path to registries.d, used for locating lookaside Docker signature storage.
-// You can override this at build time with
-// -ldflags '-X go.podman.io/image/v5/docker.systemRegistriesDirPath=$your_path'
-var systemRegistriesDirPath = builtinRegistriesDirPath
-
-// builtinRegistriesDirPath is the path to registries.d.
-// DO NOT change this, instead see systemRegistriesDirPath above.
-const builtinRegistriesDirPath = etcDir + "/containers/registries.d"
-
-// userRegistriesDirPath is the path to the per user registries.d.
-var userRegistriesDir = filepath.FromSlash(".config/containers/registries.d")
-
 // defaultUserDockerDir is the default lookaside directory for unprivileged user
 var defaultUserDockerDir = filepath.FromSlash(".local/share/containers/sigstore")
 
 // defaultDockerDir is the default lookaside directory for root
 var defaultDockerDir = "/var/lib/containers/sigstore"
 
-// registryConfiguration is one of the files in registriesDirPath configuring lookaside locations, or the result of merging them all.
+// registryConfiguration is one of the files configuring lookaside locations, or the result of merging them all.
 // NOTE: Keep this in sync with docs/registries.d.md!
 type registryConfiguration struct {
 	DefaultDocker *registryNamespace `yaml:"default-docker"`
@@ -78,91 +65,56 @@ func SignatureStorageBaseURL(sys *types.SystemContext, ref types.ImageReference,
 
 // loadRegistryConfiguration returns a registryConfiguration appropriate for sys.
 func loadRegistryConfiguration(sys *types.SystemContext) (*registryConfiguration, error) {
-	dirPath := registriesDirPath(sys)
-	logrus.Debugf(`Using registries.d directory %s`, dirPath)
-	return loadAndMergeConfig(dirPath)
-}
-
-// registriesDirPath returns a path to registries.d
-func registriesDirPath(sys *types.SystemContext) string {
-	return registriesDirPathWithHomeDir(sys, homedir.Get())
-}
-
-// registriesDirPathWithHomeDir is an internal implementation detail of registriesDirPath,
-// it exists only to allow testing it with an artificial home directory.
-func registriesDirPathWithHomeDir(sys *types.SystemContext, homeDir string) string {
-	if sys != nil && sys.RegistriesDirPath != "" {
-		return sys.RegistriesDirPath
+	registriesFiles := configfile.File{
+		Name:                           "registries",
+		Extension:                      "yaml",
+		DoNotLoadMainFiles:             true,
+		DoNotUseExtensionForConfigName: true,
+		UserId:                         unshare.GetRootlessUID(),
+		ErrorIfNotFound:                false,
 	}
-	userRegistriesDirPath := filepath.Join(homeDir, userRegistriesDir)
-	if err := fileutils.Exists(userRegistriesDirPath); err == nil {
-		return userRegistriesDirPath
+	if sys != nil {
+		registriesFiles.RootForImplicitAbsolutePaths = sys.RootForImplicitAbsolutePaths
+		if sys.RegistriesDirPath != "" {
+			registriesFiles.CustomConfigFileDropInDirectory = sys.RegistriesDirPath
+			logrus.Debugf(`Using registries.d directory %s`, registriesFiles.CustomConfigFileDropInDirectory)
+		}
 	}
-	if sys != nil && sys.RootForImplicitAbsolutePaths != "" {
-		return filepath.Join(sys.RootForImplicitAbsolutePaths, systemRegistriesDirPath)
-	}
-
-	return systemRegistriesDirPath
-}
-
-// loadAndMergeConfig loads configuration files in dirPath
-// FIXME: Probably rename to loadRegistryConfigurationForPath
-func loadAndMergeConfig(dirPath string) (*registryConfiguration, error) {
 	mergedConfig := registryConfiguration{Docker: map[string]registryNamespace{}}
 	dockerDefaultMergedFrom := ""
 	nsMergedFrom := map[string]string{}
-
-	dir, err := os.Open(dirPath)
-	if err != nil {
-		if os.IsNotExist(err) {
-			return &mergedConfig, nil
-		}
-		return nil, err
-	}
-	configNames, err := dir.Readdirnames(0)
-	if err != nil {
-		return nil, err
-	}
-	for _, configName := range configNames {
-		if !strings.HasSuffix(configName, ".yaml") {
-			continue
-		}
-		configPath := filepath.Join(dirPath, configName)
-		configBytes, err := os.ReadFile(configPath)
+	for item, err := range configfile.Read(&registriesFiles) {
 		if err != nil {
-			if errors.Is(err, fs.ErrNotExist) {
-				// file must have been removed between the directory listing
-				// and the open call, ignore that as it is a expected race
-				continue
-			}
 			return nil, err
 		}
-
-		var config registryConfiguration
-		err = yaml.Unmarshal(configBytes, &config)
+		contents, err := io.ReadAll(item.Reader)
 		if err != nil {
-			return nil, fmt.Errorf("parsing %s: %w", configPath, err)
+			return nil, err
+		}
+		logrus.Debugf(`Reading registries signature storage configuration from %q`, item.Name)
+		var config registryConfiguration
+		if err := yaml.Unmarshal(contents, &config); err != nil {
+			return nil, fmt.Errorf("parsing %s: %w", item.Name, err)
 		}
 
 		if config.DefaultDocker != nil {
 			if mergedConfig.DefaultDocker != nil {
 				return nil, fmt.Errorf(`Error parsing signature storage configuration: "default-docker" defined both in %q and %q`,
-					dockerDefaultMergedFrom, configPath)
+					dockerDefaultMergedFrom, item.Name)
 			}
 			mergedConfig.DefaultDocker = config.DefaultDocker
-			dockerDefaultMergedFrom = configPath
+			dockerDefaultMergedFrom = item.Name
 		}
 
-		for nsName, nsConfig := range config.Docker { // includes config.Docker == nil
+		for nsName, nsConfig := range config.Docker {
 			if _, ok := mergedConfig.Docker[nsName]; ok {
 				return nil, fmt.Errorf(`Error parsing signature storage configuration: "docker" namespace %q defined both in %q and %q`,
-					nsName, nsMergedFrom[nsName], configPath)
+					nsName, nsMergedFrom[nsName], item.Name)
 			}
 			mergedConfig.Docker[nsName] = nsConfig
-			nsMergedFrom[nsName] = configPath
+			nsMergedFrom[nsName] = item.Name
 		}
 	}
-
 	return &mergedConfig, nil
 }
 

vendor/go.podman.io/storage/check.go

@@ -833,6 +833,7 @@ func (s *store) Repair(report CheckReport, options *RepairOptions) []error {
 				}
 				if err = s.DeleteLayer(id); err != nil {
 					err = fmt.Errorf("deleting layer %s: %w", id, err)
+				} else {
 					logrus.Debugf("deleted layer %s", id)
 				}
 			}

vendor/go.podman.io/storage/drivers/overlay/overlay.go

@@ -443,6 +443,11 @@ func Init(home string, options graphdriver.Options) (graphdriver.Driver, error)
 		}
 	}
 
+	// Clean up stale tempdirs early, before MakePrivate.
+	if err := tempdir.RecoverStaleDirs(filepath.Join(home, tempDirName)); err != nil {
+		return nil, fmt.Errorf("overlay: recover stale temp dirs: %w", err)
+	}
+
 	if !opts.skipMountHome {
 		if err := mount.MakePrivate(home); err != nil {
 			return nil, fmt.Errorf("overlay: failed to make mount private: %w", err)
@@ -1392,7 +1397,7 @@ func (d *Driver) removeCommon(id string, cleanup func(string) error) error {
 	if err == nil {
 		linkPath := path.Join(d.home, linkDir, string(lid))
 		if err := cleanup(linkPath); err != nil {
-			logrus.Debugf("Failed to remove link: %v", err)
+			logrus.Warnf("Failed to remove link: %v", err)
 		}
 	}
 

vendor/go.podman.io/storage/layers.go

@@ -823,15 +823,18 @@ func (r *layerStore) GarbageCollect() error {
 		}
 
 		// Remove layer and any related data of unreferenced id
+		logrus.Debugf("removing driver layer %q", id)
 		if err := r.driver.Remove(id); err != nil {
-			logrus.Debugf("removing driver layer %q", id)
 			return err
 		}
-
-		logrus.Debugf("removing %q", r.tspath(id))
-		os.Remove(r.tspath(id))
-		logrus.Debugf("removing %q", r.datadir(id))
-		os.RemoveAll(r.datadir(id))
+		// Best-effort removal of orphaned metadata; the driver layer is
+		// already gone, so warn but don't fail the overall GC.
+		if err := os.Remove(r.tspath(id)); err != nil && !errors.Is(err, os.ErrNotExist) {
+			logrus.Warnf("Failed to remove tar-split file %q: %v", r.tspath(id), err)
+		}
+		if err := os.RemoveAll(r.datadir(id)); err != nil {
+			logrus.Warnf("Failed to remove data directory %q: %v", r.datadir(id), err)
+		}
 	}
 
 	// Clean up any orphaned tar-split or data files in the layer metadata
@@ -2118,7 +2121,6 @@ func (r *layerStore) internalDelete(id string) ([]tempdir.CleanupTempDirFunc, er
 		return cleanFunctions, err
 	}
 
-	cleanFunctions = append(cleanFunctions, tempDirectory.Cleanup)
 	if err := tempDirectory.StageDeletion(r.tspath(id)); err != nil && !errors.Is(err, os.ErrNotExist) {
 		return cleanFunctions, err
 	}

vendor/go.podman.io/storage/pkg/configfile/parse.go

@@ -384,7 +384,7 @@ func readDropInsFromPaths(paths []string, suffix string) ([]string, error) {
 			return nil, err
 		}
 		for _, entry := range entries {
-			if entry.Type().IsRegular() && strings.HasSuffix(entry.Name(), suffix) {
+			if !entry.IsDir() && strings.HasSuffix(entry.Name(), suffix) {
 				dropInMap[entry.Name()] = filepath.Join(path, entry.Name())
 			}
 		}

vendor/go.podman.io/storage/pkg/mount/mount.go

@@ -5,6 +5,8 @@ import (
 	"slices"
 	"strconv"
 	"strings"
+
+	"github.com/sirupsen/logrus"
 )
 
 // mountError holds an error from a mount or unmount operation
@@ -89,17 +91,19 @@ func RecursiveUnmount(target string) error {
 		return -cmp.Compare(len(a.Mountpoint), len(b.Mountpoint))
 	})
 
-	for i, m := range mounts {
+	var lastErr error
+	for _, m := range mounts {
 		if !strings.HasPrefix(m.Mountpoint, target) {
 			continue
 		}
-		if err := Unmount(m.Mountpoint); err != nil && i == len(mounts)-1 {
-			return err
+		if err := Unmount(m.Mountpoint); err != nil {
 			// Ignore errors for submounts and continue trying to unmount others
 			// The final unmount should fail if there are any submounts remaining
+			logrus.Warnf("Failed to unmount %s: %v", m.Mountpoint, err)
+			lastErr = err
 		}
 	}
-	return nil
+	return lastErr
 }
 
 // ForceUnmount lazily unmounts a filesystem on supported platforms,

vendor/go.podman.io/storage/pkg/system/rm.go

@@ -36,9 +36,10 @@ func EnsureRemoveAll(dir string) error {
 		return nil
 	}
 
-	// Attempt to unmount anything beneath this dir first
+	// Best-effort: if unmounting fails, the RemoveAll loop below may
+	// still succeed (or will surface its own, more specific error).
 	if err := mount.RecursiveUnmount(dir); err != nil {
-		logrus.Debugf("RecursiveUnmount on %s failed: %v", dir, err)
+		logrus.Warnf("RecursiveUnmount on %s failed: %v", dir, err)
 	}
 
 	for {

vendor/go.podman.io/storage/store.go

@@ -2668,7 +2668,7 @@ func (s *store) DeleteLayer(id string) (retErr error) {
 	}()
 	return s.writeToAllStores(func(rlstore rwLayerStore) error {
 		if rlstore.Exists(id) {
-			if l, err := rlstore.Get(id); err != nil {
+			if l, err := rlstore.Get(id); err == nil {
 				id = l.ID
 			}
 			layers, err := rlstore.Layers()

vendor/modules.txt

@@ -736,7 +736,7 @@ go.podman.io/buildah/pkg/sshagent
 go.podman.io/buildah/pkg/util
 go.podman.io/buildah/pkg/volumes
 go.podman.io/buildah/util
-# go.podman.io/common v0.67.2-0.20260428163628-e3b0c9aa788d
+# go.podman.io/common v0.67.2-0.20260430110239-06cbc5da36f1
 ## explicit; go 1.25.6
 go.podman.io/common/internal
 go.podman.io/common/libimage
@@ -802,7 +802,7 @@ go.podman.io/common/pkg/umask
 go.podman.io/common/pkg/util
 go.podman.io/common/pkg/version
 go.podman.io/common/version
-# go.podman.io/image/v5 v5.39.3-0.20260428163628-e3b0c9aa788d
+# go.podman.io/image/v5 v5.39.3-0.20260430110239-06cbc5da36f1
 ## explicit; go 1.25.6
 go.podman.io/image/v5/copy
 go.podman.io/image/v5/directory
@@ -879,7 +879,7 @@ go.podman.io/image/v5/transports
 go.podman.io/image/v5/transports/alltransports
 go.podman.io/image/v5/types
 go.podman.io/image/v5/version
-# go.podman.io/storage v1.62.1-0.20260428163628-e3b0c9aa788d
+# go.podman.io/storage v1.62.1-0.20260430110239-06cbc5da36f1
 ## explicit; go 1.25.0
 go.podman.io/storage
 go.podman.io/storage/drivers