-rw-r--r--.cirrus.yml4
-rw-r--r--cmd/podman/common/completion.go3
-rw-r--r--cmd/podman/common/create.go4
-rw-r--r--cmd/podman/root.go3
-rw-r--r--cmd/podman/system/service_abi.go23
-rwxr-xr-xcontrib/cirrus/runner.sh10
-rw-r--r--docs/source/markdown/podman-container-clone.1.md2
-rw-r--r--docs/source/markdown/podman-create.1.md4
-rw-r--r--docs/source/markdown/podman-run.1.md4
-rw-r--r--docs/tutorials/rootless_tutorial.md6
-rw-r--r--pkg/domain/infra/abi/system.go17
-rw-r--r--pkg/machine/e2e/list_test.go2
-rw-r--r--pkg/machine/qemu/machine.go30
-rw-r--r--test/e2e/build/Containerfile.with-platform1
-rw-r--r--test/e2e/run_cpu_test.go2
-rw-r--r--utils/utils.go30
16 files changed, 91 insertions, 54 deletions
diff --git a/.cirrus.yml b/.cirrus.yml
index 81bbe7c8f..14d3540c1 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -167,14 +167,18 @@ build_task:
VM_IMAGE_NAME: ${FEDORA_CACHE_IMAGE_NAME}
CTR_FQIN: ${FEDORA_CONTAINER_FQIN}
# ID for re-use of build output
+ CI_DESIRED_RUNTIME: crun
- env: &priorfedora_envvars
DISTRO_NV: ${PRIOR_FEDORA_NAME}
VM_IMAGE_NAME: ${PRIOR_FEDORA_CACHE_IMAGE_NAME}
CTR_FQIN: ${PRIOR_FEDORA_CONTAINER_FQIN}
+ CI_DESIRED_RUNTIME: crun
- env: &ubuntu_envvars
DISTRO_NV: ${UBUNTU_NAME}
VM_IMAGE_NAME: ${UBUNTU_CACHE_IMAGE_NAME}
CTR_FQIN: ${UBUNTU_CONTAINER_FQIN}
+ # FIXME 2022-07-12: change to runc once #14833 is fixed!
+ CI_DESIRED_RUNTIME: crun
env:
TEST_FLAVOR: build
clone_script: *full_clone
diff --git a/cmd/podman/common/completion.go b/cmd/podman/common/completion.go
index 6e6c33f9b..02369c74a 100644
--- a/cmd/podman/common/completion.go
+++ b/cmd/podman/common/completion.go
@@ -18,7 +18,6 @@ import (
"github.com/containers/podman/v4/libpod/define"
"github.com/containers/podman/v4/libpod/events"
"github.com/containers/podman/v4/pkg/domain/entities"
- "github.com/containers/podman/v4/pkg/rootless"
"github.com/containers/podman/v4/pkg/signal"
systemdDefine "github.com/containers/podman/v4/pkg/systemd/define"
"github.com/containers/podman/v4/pkg/util"
@@ -54,7 +53,7 @@ func setupContainerEngine(cmd *cobra.Command) (entities.ContainerEngine, error)
cobra.CompErrorln(err.Error())
return nil, err
}
- if !registry.IsRemote() && rootless.IsRootless() {
+ if !registry.IsRemote() {
_, noMoveProcess := cmd.Annotations[registry.NoMoveProcess]
err := containerEngine.SetupRootless(registry.Context(), noMoveProcess)
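Review bot: With the `rootless.IsRootless()` term dropped from the condition, `SetupRootless` is now invoked for root as well whenever the engine is local, and nothing at this call site says why; cmd/podman/root.go makes the same change. The rootless decision appears to have moved into the engine method itself (pkg/domain/infra/abi/system.go in this commit returns early when not rootless), so the call is still correct, but a one-line comment such as `// Always call: the engine handles cgroup placement for root and returns early when not rootless.` would stop the next reader from re-adding the guard. For shell completion in particular this means a completion request run as root inside a container or as pid 1 may now move the process into a sub-cgroup; confirm that is intended here. setupContainerEngine continues outside the hunk.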
diff --git a/cmd/podman/common/create.go b/cmd/podman/common/create.go
index 923d0517f..d2646aa43 100644
--- a/cmd/podman/common/create.go
+++ b/cmd/podman/common/create.go
@@ -849,9 +849,9 @@ func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions,
_ = cmd.RegisterFlagCompletionFunc(cpuRtRuntimeFlagName, completion.AutocompleteNone)
cpuSharesFlagName := "cpu-shares"
- createFlags.Uint64Var(
+ createFlags.Uint64VarP(
&cf.CPUShares,
- cpuSharesFlagName, 0,
+ cpuSharesFlagName, "c", 0,
"CPU shares (relative weight)",
)
_ = cmd.RegisterFlagCompletionFunc(cpuSharesFlagName, completion.AutocompleteNone)
diff --git a/cmd/podman/root.go b/cmd/podman/root.go
index f28d92e2f..0520a0784 100644
--- a/cmd/podman/root.go
+++ b/cmd/podman/root.go
@@ -19,7 +19,6 @@ import (
"github.com/containers/podman/v4/pkg/checkpoint/crutils"
"github.com/containers/podman/v4/pkg/domain/entities"
"github.com/containers/podman/v4/pkg/parallel"
- "github.com/containers/podman/v4/pkg/rootless"
"github.com/containers/podman/v4/version"
"github.com/sirupsen/logrus"
"github.com/spf13/cobra"
@@ -265,7 +264,7 @@ func persistentPreRunE(cmd *cobra.Command, args []string) error {
// 2) running as non-root
// 3) command doesn't require Parent Namespace
_, found := cmd.Annotations[registry.ParentNSRequired]
- if !registry.IsRemote() && rootless.IsRootless() && !found {
+ if !registry.IsRemote() && !found {
_, noMoveProcess := cmd.Annotations[registry.NoMoveProcess]
err := registry.ContainerEngine().SetupRootless(registry.Context(), noMoveProcess)
if err != nil {
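Review bot: The enumerated comment above the condition still lists `// 2) running as non-root` as a precondition, but the `rootless.IsRootless()` term was removed from the `if` directly below it, so the comment now describes a check that no longer exists at this site. Either drop item 2 or reword it to `// 2) (SetupRootless itself returns early when not running rootless)`, since that decision now lives in the engine method. The first line of that comment and the remainder of persistentPreRunE are outside the hunk.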
diff --git a/cmd/podman/system/service_abi.go b/cmd/podman/system/service_abi.go
index 6823d77ba..8d0240a8d 100644
--- a/cmd/podman/system/service_abi.go
+++ b/cmd/podman/system/service_abi.go
@@ -11,7 +11,6 @@ import (
"os"
"path/filepath"
- "github.com/containers/common/pkg/cgroups"
"github.com/containers/podman/v4/cmd/podman/registry"
api "github.com/containers/podman/v4/pkg/api/server"
"github.com/containers/podman/v4/pkg/domain/entities"
@@ -24,26 +23,6 @@ import (
"golang.org/x/sys/unix"
)
-// maybeMoveToSubCgroup moves the current process in a sub cgroup when
-// it is running in the root cgroup on a system that uses cgroupv2.
-func maybeMoveToSubCgroup() error {
- unifiedMode, err := cgroups.IsCgroup2UnifiedMode()
- if err != nil {
- return err
- }
- if !unifiedMode {
- return nil
- }
- cgroup, err := utils.GetOwnCgroup()
- if err != nil {
- return err
- }
- if cgroup == "/" {
- return utils.MoveUnderCgroupSubtree("init")
- }
- return nil
-}
-
func restService(flags *pflag.FlagSet, cfg *entities.PodmanConfig, opts entities.ServiceOptions) error {
var (
listener net.Listener
@@ -125,7 +104,7 @@ func restService(flags *pflag.FlagSet, cfg *entities.PodmanConfig, opts entities
return err
}
- if err := maybeMoveToSubCgroup(); err != nil {
+ if err := utils.MaybeMoveToSubCgroup(); err != nil {
return err
}
diff --git a/contrib/cirrus/runner.sh b/contrib/cirrus/runner.sh
index 762a3b501..32f66bac2 100755
--- a/contrib/cirrus/runner.sh
+++ b/contrib/cirrus/runner.sh
@@ -236,6 +236,16 @@ function _run_build() {
make clean
make vendor
make podman-release # includes podman, podman-remote, and docs
+
+ # Last-minute confirmation that we're testing the desired runtime.
+ # This Can't Possibly Failâ„¢ in regular CI; only when updating VMs.
+ # $CI_DESIRED_RUNTIME must be defined in .cirrus.yml.
+ req_env_vars CI_DESIRED_RUNTIME
+ runtime=$(bin/podman info --format '{{.Host.OCIRuntime.Name}}')
+ # shellcheck disable=SC2154
+ if [[ "$runtime" != "$CI_DESIRED_RUNTIME" ]]; then
+ die "Built podman is using '$runtime'; this CI environment requires $CI_DESIRED_RUNTIME"
+ fi
}
function _run_altbuild() {
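Review bot: The exit status of `bin/podman info` in the `runtime=$(...)` assignment is discarded, so if the freshly built binary cannot run at all, `runtime` is empty and the script dies with the misleading message that podman is using '' instead of surfacing the real failure. Capturing the status keeps the diagnostic honest: `runtime=$(bin/podman info --format '{{.Host.OCIRuntime.Name}}') || die "bin/podman info failed; cannot verify runtime"`. Whether the script runs under `set -e` is not visible in this hunk; if it does the assignment would abort on failure anyway, but the explicit `|| die` still gives a clearer message in the CI log.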
diff --git a/docs/source/markdown/podman-container-clone.1.md b/docs/source/markdown/podman-container-clone.1.md
index 5334ef883..3b9d79862 100644
--- a/docs/source/markdown/podman-container-clone.1.md
+++ b/docs/source/markdown/podman-container-clone.1.md
@@ -61,7 +61,7 @@ The sum of all runtimes across containers cannot exceed the amount allotted to t
This option is not supported on cgroups V2 systems.
-#### **--cpu-shares**=*shares*
+#### **--cpu-shares**, **-c**=*shares*
CPU shares (relative weight)
diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md
index ceaa24aa8..a6ba69d6a 100644
--- a/docs/source/markdown/podman-create.1.md
+++ b/docs/source/markdown/podman-create.1.md
@@ -201,7 +201,7 @@ The sum of all runtimes across containers cannot exceed the amount allotted to t
This flag is not supported on cgroups V2 systems.
-#### **--cpu-shares**=*shares*
+#### **--cpu-shares**, **-c**=*shares*
CPU shares (relative weight)
@@ -450,7 +450,7 @@ container:
Defaults to `true`
-#### **--image-volume**, **builtin-volume**=*bind|tmpfs|ignore*
+#### **--image-volume**=*bind|tmpfs|ignore*
Tells Podman how to handle the builtin image volumes. Default is **bind**.
diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md
index 6b4e74730..9561d65bf 100644
--- a/docs/source/markdown/podman-run.1.md
+++ b/docs/source/markdown/podman-run.1.md
@@ -220,7 +220,7 @@ The sum of all runtimes across containers cannot exceed the amount allotted to t
This flag is not supported on cgroups V2 systems.
-#### **--cpu-shares**=*shares*
+#### **--cpu-shares**, **-c**=*shares*
CPU shares (relative weight).
@@ -480,7 +480,7 @@ proxy environment at container build time.) (This option is not available with t
Defaults to **true**.
-#### **--image-volume**, **builtin-volume**=**bind**|**tmpfs**|**ignore**
+#### **--image-volume**=**bind**|**tmpfs**|**ignore**
Tells Podman how to handle the builtin image volumes. Default is **bind**.
diff --git a/docs/tutorials/rootless_tutorial.md b/docs/tutorials/rootless_tutorial.md
index 981916806..d9cf68a20 100644
--- a/docs/tutorials/rootless_tutorial.md
+++ b/docs/tutorials/rootless_tutorial.md
@@ -186,10 +186,10 @@ We do recognize that this doesn't really match how many people intend to use roo
It is also helpful to distinguish between running Podman as a rootless user, and a container which is built to run rootless. If the container you're trying to run has a `USER` which is not root, then when mounting volumes you **must** use `--userns=keep-id`. This is because the container user would not be able to become `root` and access the mounted volumes.
-Other considerations in regards to volumes:
+Another consideration in regards to volumes:
-- You should always give the full path to the volume you'd like to mount
-- The mount point must exist in the container
+- When providing the path of a directory you'd like to bind-mount, the path needs to be provided as an absolute path
+ or a relative path that starts with `.` (a dot), otherwise the string will be interpreted as the name of a named volume.
## More information
diff --git a/pkg/domain/infra/abi/system.go b/pkg/domain/infra/abi/system.go
index 0faae01c8..3389abd88 100644
--- a/pkg/domain/infra/abi/system.go
+++ b/pkg/domain/infra/abi/system.go
@@ -67,6 +67,22 @@ func (ic *ContainerEngine) Info(ctx context.Context) (*define.Info, error) {
}
func (ic *ContainerEngine) SetupRootless(_ context.Context, noMoveProcess bool) error {
+ runsUnderSystemd := utils.RunsOnSystemd()
+ if !runsUnderSystemd {
+ isPid1 := os.Getpid() == 1
+ if _, found := os.LookupEnv("container"); isPid1 || found {
+ if err := utils.MaybeMoveToSubCgroup(); err != nil {
+ // it is a best effort operation, so just print the
+ // error for debugging purposes.
+ logrus.Debugf("Could not move to subcgroup: %v", err)
+ }
+ }
+ }
+
+ if !rootless.IsRootless() {
+ return nil
+ }
+
// do it only after podman has already re-execed and running with uid==0.
hasCapSysAdmin, err := unshare.HasCapSysAdmin()
if err != nil {
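Review bot: SetupRootless now does real work for root — the new block at the top moves a pid-1 or containerized process out of the root cgroup before the `!rootless.IsRootless()` early return — but the method carries no doc comment describing that, and its name suggests the opposite. Add above the signature something like `// SetupRootless first moves the process into a sub-cgroup when it is pid 1 or the container env var is set and it is not running under systemd (best effort; errors are only logged at debug level), then returns early unless running rootless; the remaining rootless setup follows.` Note that `os.LookupEnv("container")` tests presence only, so an empty `container=` also triggers the move; that looks deliberate, but a short comment stating it would help. The tail of the method continues outside the hunk.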
@@ -82,7 +98,6 @@ func (ic *ContainerEngine) SetupRootless(_ context.Context, noMoveProcess bool)
if err != nil {
return err
}
- runsUnderSystemd := utils.RunsOnSystemd()
unitName := fmt.Sprintf("podman-%d.scope", os.Getpid())
if runsUnderSystemd || conf.Engine.CgroupManager == config.SystemdCgroupsManager {
if err := utils.RunUnderSystemdScope(os.Getpid(), "user.slice", unitName); err != nil {
diff --git a/pkg/machine/e2e/list_test.go b/pkg/machine/e2e/list_test.go
index fb855c61e..8b7443d47 100644
--- a/pkg/machine/e2e/list_test.go
+++ b/pkg/machine/e2e/list_test.go
@@ -135,7 +135,7 @@ var _ = Describe("podman machine list", func() {
Expect(listSession2).To(Exit(0))
var listResponse []*entities.ListReporter
- err = jsoniter.Unmarshal(listSession.Bytes(), &listResponse)
+ err = jsoniter.Unmarshal(listSession2.Bytes(), &listResponse)
Expect(err).To(BeNil())
// table format includes the header
diff --git a/pkg/machine/qemu/machine.go b/pkg/machine/qemu/machine.go
index 6134e69e1..3b57455c4 100644
--- a/pkg/machine/qemu/machine.go
+++ b/pkg/machine/qemu/machine.go
@@ -240,20 +240,6 @@ func (p *Provider) LoadVMByName(name string) (machine.VM, error) {
return nil, err
}
- // It is here for providing the ability to propagate
- // proxy settings (e.g. HTTP_PROXY and others) on a start
- // and avoid a need of re-creating/re-initiating a VM
- if proxyOpts := machine.GetProxyVariables(); len(proxyOpts) > 0 {
- proxyStr := "name=opt/com.coreos/environment,string="
- var proxies string
- for k, v := range proxyOpts {
- proxies = fmt.Sprintf("%s%s=\"%s\"|", proxies, k, v)
- }
- proxyStr = fmt.Sprintf("%s%s", proxyStr, base64.StdEncoding.EncodeToString([]byte(proxies)))
- vm.CmdLine = append(vm.CmdLine, "-fw_cfg", proxyStr)
- }
-
- logrus.Debug(vm.CmdLine)
return vm, nil
}
@@ -573,15 +559,29 @@ func (v *MachineVM) Start(name string, _ machine.StartOptions) error {
attr := new(os.ProcAttr)
files := []*os.File{dnr, dnw, dnw, fd}
attr.Files = files
- logrus.Debug(v.CmdLine)
cmdLine := v.CmdLine
+ // It is here for providing the ability to propagate
+ // proxy settings (e.g. HTTP_PROXY and others) on a start
+ // and avoid a need of re-creating/re-initiating a VM
+ if proxyOpts := machine.GetProxyVariables(); len(proxyOpts) > 0 {
+ proxyStr := "name=opt/com.coreos/environment,string="
+ var proxies string
+ for k, v := range proxyOpts {
+ proxies = fmt.Sprintf("%s%s=\"%s\"|", proxies, k, v)
+ }
+ proxyStr = fmt.Sprintf("%s%s", proxyStr, base64.StdEncoding.EncodeToString([]byte(proxies)))
+ cmdLine = append(cmdLine, "-fw_cfg", proxyStr)
+ }
+
// Disable graphic window when not in debug mode
// Done in start, so we're not suck with the debug level we used on init
if !logrus.IsLevelEnabled(logrus.DebugLevel) {
cmdLine = append(cmdLine, "-display", "none")
}
+ logrus.Debugf("qemu cmd: %v", cmdLine)
+
stderrBuf := &bytes.Buffer{}
cmd := &exec.Cmd{
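Review bot: The `logrus.Debugf("qemu cmd: %v", cmdLine)` line prints the full command line including the `-fw_cfg` proxy payload built just above it, so with debug logging enabled any credentials embedded in HTTP_PROXY-style URLs land base64-encoded in the log; logging `v.CmdLine` (before the proxy append) or redacting that argument would avoid it. Independently, `for k, v := range proxyOpts` shadows the `*MachineVM` receiver `v` inside the loop — harmless here because the body only touches `proxies`, `k` and `v`, but easy to trip over later; `for key, val := range proxyOpts` avoids it. The `k="v"|` encoding also does not escape `"` or `|` in values, so a value containing either would corrupt the guest-side parse; whether that matters depends on the consumer of opt/com.coreos/environment, which is not visible here. Start begins and ends outside the hunk.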
diff --git a/test/e2e/build/Containerfile.with-platform b/test/e2e/build/Containerfile.with-platform
index 3bb585a0a..0b030d13c 100644
--- a/test/e2e/build/Containerfile.with-platform
+++ b/test/e2e/build/Containerfile.with-platform
@@ -1 +1,2 @@
+ARG TARGETPLATFORM
FROM --platform=$TARGETPLATFORM alpine
diff --git a/test/e2e/run_cpu_test.go b/test/e2e/run_cpu_test.go
index b21be5729..e57eb3b26 100644
--- a/test/e2e/run_cpu_test.go
+++ b/test/e2e/run_cpu_test.go
@@ -94,7 +94,7 @@ var _ = Describe("Podman run cpu", func() {
Expect(result).Should(Exit(0))
Expect(result.OutputToString()).To(Equal("10000"))
} else {
- result := podmanTest.Podman([]string{"run", "--rm", "--cpu-shares=2", ALPINE, "cat", "/sys/fs/cgroup/cpu/cpu.shares"})
+ result := podmanTest.Podman([]string{"run", "--rm", "-c", "2", ALPINE, "cat", "/sys/fs/cgroup/cpu/cpu.shares"})
result.WaitWithDefaultTimeout()
Expect(result).Should(Exit(0))
Expect(result.OutputToString()).To(Equal("2"))
diff --git a/utils/utils.go b/utils/utils.go
index 997de150d..aa1c6a958 100644
--- a/utils/utils.go
+++ b/utils/utils.go
@@ -190,3 +190,33 @@ func MovePauseProcessToScope(pausePidPath string) {
}
}
}
+
+var (
+ maybeMoveToSubCgroupSync sync.Once
+ maybeMoveToSubCgroupSyncErr error
+)
+
+// MaybeMoveToSubCgroup moves the current process in a sub cgroup when
+// it is running in the root cgroup on a system that uses cgroupv2.
+func MaybeMoveToSubCgroup() error {
+ maybeMoveToSubCgroupSync.Do(func() {
+ unifiedMode, err := cgroups.IsCgroup2UnifiedMode()
+ if err != nil {
+ maybeMoveToSubCgroupSyncErr = err
+ return
+ }
+ if !unifiedMode {
+ maybeMoveToSubCgroupSyncErr = nil
+ return
+ }
+ cgroup, err := GetOwnCgroup()
+ if err != nil {
+ maybeMoveToSubCgroupSyncErr = err
+ return
+ }
+ if cgroup == "/" {
+ maybeMoveToSubCgroupSyncErr = MoveUnderCgroupSubtree("init")
+ }
+ })
+ return maybeMoveToSubCgroupSyncErr
+}
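Review bot: The `sync.Once` makes the outcome of the first call — including a failed `IsCgroup2UnifiedMode` or `GetOwnCgroup` — sticky for the life of the process, and the doc comment does not say so; the caller in cmd/podman/system/service_abi.go previously got a fresh attempt each time. If that memoization is intended (it also means a later call after the process has been moved elsewhere still reports the first result), extend the comment with `// The check runs only once per process; later calls return the first call's result, including its error.` The `maybeMoveToSubCgroupSyncErr = nil` assignment in the `!unifiedMode` branch is redundant since the variable is already its zero value, though keeping it for symmetry with the other branches is defensible.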