-rw-r--r--.gitignore37
-rw-r--r--cmd/podman/manifest/add.go1
-rw-r--r--completions/bash/podman1
-rw-r--r--docs/source/markdown/podman-manifest-add.1.md7
-rw-r--r--docs/source/markdown/podman-pull.1.md14
-rw-r--r--docs/source/markdown/podman-push.1.md4
-rw-r--r--go.mod2
-rw-r--r--go.sum4
-rw-r--r--libpod/image/manifests.go6
-rw-r--r--pkg/domain/entities/manifest.go1
-rw-r--r--pkg/domain/infra/abi/manifest.go1
-rw-r--r--pkg/domain/infra/tunnel/manifest.go1
-rw-r--r--test/e2e/manifest_test.go13
-rw-r--r--vendor/github.com/rootless-containers/rootlesskit/pkg/port/builtin/parent/parent.go39
-rw-r--r--vendor/modules.txt2
15 files changed, 104 insertions, 29 deletions
diff --git a/.gitignore b/.gitignore
index d5d1206b5..e60b8c03a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,32 +1,33 @@
/.artifacts/
-/_output/
+/bin/
/brew
+/build/
+/cmd/podman/varlink/iopodman.go
+/cmd/podman/varlink/ioprojectatomicpodman.go
/conmon/
+contrib/spec/podman.spec
+*.coverprofile
/docs/*.[158]
/docs/*.[158].gz
-/docs/remote
/docs/build/
+/docs/remote
+.gopathok
+.idea*
+.nfs*
*.o
*.orig
+/_output/
/pause/pause.o
-/bin/
+pkg/api/swagger.yaml
+/pkg/varlink/iopodman.go
+podman-remote*.zip
+podman*.tar.gz
+__pycache__
+release.txt
+.ropeproject
+*.rpm
/test/bin2img/bin2img
/test/checkseccomp/checkseccomp
/test/copyimg/copyimg
/test/goecho/goecho
-/build/
-.nfs*
-.ropeproject
-__pycache__
-/cmd/podman/varlink/ioprojectatomicpodman.go
-/cmd/podman/varlink/iopodman.go
-/pkg/varlink/iopodman.go
-.gopathok
-release.txt
-podman-remote*.zip
-podman*.tar.gz
-.idea*
.vscode*
-contrib/spec/podman.spec
-*.rpm
-*.coverprofile
diff --git a/cmd/podman/manifest/add.go b/cmd/podman/manifest/add.go
index 20251ca87..c83beff7a 100644
--- a/cmd/podman/manifest/add.go
+++ b/cmd/podman/manifest/add.go
@@ -34,6 +34,7 @@ func init() {
flags.StringSliceVar(&manifestAddOpts.Annotation, "annotation", nil, "set an `annotation` for the specified image")
flags.StringVar(&manifestAddOpts.Arch, "arch", "", "override the `architecture` of the specified image")
flags.StringSliceVar(&manifestAddOpts.Features, "features", nil, "override the `features` of the specified image")
+ flags.StringVar(&manifestAddOpts.OS, "os", "", "override the `OS` of the specified image")
flags.StringVar(&manifestAddOpts.OSVersion, "os-version", "", "override the OS `version` of the specified image")
flags.StringVar(&manifestAddOpts.Variant, "variant", "", "override the `Variant` of the specified image")
}
diff --git a/completions/bash/podman b/completions/bash/podman
index 41a76a967..d6e9408c6 100644
--- a/completions/bash/podman
+++ b/completions/bash/podman
@@ -1760,6 +1760,7 @@ _podman_manifest_add() {
--annotation
--arch
--features
+ --os
--os-version
--variant
"
diff --git a/docs/source/markdown/podman-manifest-add.1.md b/docs/source/markdown/podman-manifest-add.1.md
index 4ecf03900..857a98e12 100644
--- a/docs/source/markdown/podman-manifest-add.1.md
+++ b/docs/source/markdown/podman-manifest-add.1.md
@@ -38,6 +38,13 @@ retrieved from the image's configuration information.
Specify the features list which the list or index records as requirements for
the image. This option is rarely used.
+**--os**
+
+Override the OS which the list or index records as a requirement for the image.
+If *imagename* refers to a manifest list or image index, the OS information
+will be retrieved from it. Otherwise, it will be retrieved from the image's
+configuration information.
+
**--os-version**
Specify the OS version which the list or index records as a requirement for the
diff --git a/docs/source/markdown/podman-pull.1.md b/docs/source/markdown/podman-pull.1.md
index b3e35c672..aa558526a 100644
--- a/docs/source/markdown/podman-pull.1.md
+++ b/docs/source/markdown/podman-pull.1.md
@@ -4,9 +4,13 @@
podman\-pull - Pull an image from a registry
## SYNOPSIS
-**podman pull** [*options*] *name*[:*tag*|@*digest*]
+**podman pull** [*options*] *source*
-**podman image pull** [*options*] *name*[:*tag*|@*digest*]
+**podman image pull** [*options*] *source*
+
+**podman pull** [*options*] [*transport*]*name*[:*tag*|@*digest*]
+
+**podman image pull** [*options*] [*transport*]*name*[:*tag*|@*digest*]
## DESCRIPTION
Copies an image from a registry onto the local machine. **podman pull** pulls an
@@ -17,12 +21,12 @@ print the full image ID. **podman pull** can also pull an image
using its digest **podman pull** *image*@*digest*. **podman pull** can be used to pull
images from archives and local storage using different transports.
-## imageID
-Image stored in local container/storage
+## Image storage
+Images are stored in local image storage.
## SOURCE
- The SOURCE is a location to get container images
+ The SOURCE is the location from which the container images are pulled.
The Image "SOURCE" uses a "transport":"details" format.
Multiple transports are supported:
diff --git a/docs/source/markdown/podman-push.1.md b/docs/source/markdown/podman-push.1.md
index 3f0350bcd..f029c8db1 100644
--- a/docs/source/markdown/podman-push.1.md
+++ b/docs/source/markdown/podman-push.1.md
@@ -14,8 +14,8 @@ Push is mainly used to push images to registries, however **podman push**
can be used to save images to tarballs and directories using the following
transports: **dir:**, **docker-archive:**, **docker-daemon:** and **oci-archive:**.
-## imageID
-Image stored in local container/storage
+## Image storage
+Images are pushed from those stored in local image storage.
## DESTINATION
diff --git a/go.mod b/go.mod
index 09077188c..576166df0 100644
--- a/go.mod
+++ b/go.mod
@@ -45,7 +45,7 @@ require (
github.com/opentracing/opentracing-go v1.1.0
github.com/pkg/errors v0.9.1
github.com/pmezard/go-difflib v1.0.0
- github.com/rootless-containers/rootlesskit v0.9.3
+ github.com/rootless-containers/rootlesskit v0.9.4
github.com/seccomp/containers-golang v0.0.0-20190312124753-8ca8945ccf5f
github.com/sirupsen/logrus v1.5.0
github.com/spf13/cobra v0.0.7
diff --git a/go.sum b/go.sum
index 92ea6f545..167d52e0a 100644
--- a/go.sum
+++ b/go.sum
@@ -373,8 +373,8 @@ github.com/prometheus/procfs v0.0.5/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDa
github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
github.com/remyoudompheng/bigfft v0.0.0-20170806203942-52369c62f446/go.mod h1:uYEyJGbgTkfkS4+E/PavXkNJcbFIpEtjt2B0KDQ5+9M=
github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
-github.com/rootless-containers/rootlesskit v0.9.3 h1:hrkZzBZT5vEnhAso6H1jHAcc4DT8h6/hp2z4yL0xu/8=
-github.com/rootless-containers/rootlesskit v0.9.3/go.mod h1:fx5DhInDgnR0Upj+2cOVacKuZJYSNKV5P/bCwGa+quQ=
+github.com/rootless-containers/rootlesskit v0.9.4 h1:6ogX7l3r3nlS7eTB8ePbLSQ6TZR1aVQzRjTy2SIBOzk=
+github.com/rootless-containers/rootlesskit v0.9.4/go.mod h1:fx5DhInDgnR0Upj+2cOVacKuZJYSNKV5P/bCwGa+quQ=
github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
github.com/safchain/ethtool v0.0.0-20190326074333-42ed695e3de8 h1:2c1EFnZHIPCW8qKWgHMH/fX2PkSabFc5mrVzfUNdg5U=
github.com/safchain/ethtool v0.0.0-20190326074333-42ed695e3de8/go.mod h1:Z0q5wiBQGYcxhMZ6gUqHn6pYNLypFAvaL3UvgZLR0U4=
diff --git a/libpod/image/manifests.go b/libpod/image/manifests.go
index 9dbeb4cc5..7ca17f86c 100644
--- a/libpod/image/manifests.go
+++ b/libpod/image/manifests.go
@@ -19,6 +19,7 @@ type ManifestAddOpts struct {
Arch string `json:"arch"`
Features []string `json:"features"`
Images []string `json:"images"`
+ OS string `json:"os"`
OSVersion string `json:"os_version"`
Variant string `json:"variant"`
}
@@ -86,6 +87,11 @@ func addManifestToList(ref types.ImageReference, list manifests.List, systemCont
if err != nil {
return nil, err
}
+ if opts.OS != "" {
+ if err := list.SetOS(d, opts.OS); err != nil {
+ return nil, err
+ }
+ }
if len(opts.OSVersion) > 0 {
if err := list.SetOSVersion(d, opts.OSVersion); err != nil {
return nil, err
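Review bot: The new `opts.OS` override is handed to `list.SetOS` with no check beyond being non-empty, so any string becomes the platform OS recorded for the entry (the e2e test in this commit uses `bar`); whether `SetOS` validates the value is not visible here. Clients choose an instance from a manifest list by its platform fields, so a mistyped or mismatched OS yields an entry that either is never selected or misdescribes the image it points to. Consider warning or failing when the value differs from the OS in the image's own configuration, and give the error context, e.g. `return nil, errors.Wrapf(err, "setting OS %q on manifest list entry", opts.OS)` if pkg/errors is imported in this file. The guard is also written `opts.OS != ""` while the next one is `len(opts.OSVersion) > 0`; one form for both reads better. addManifestToList starts and ends outside the hunk.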
diff --git a/pkg/domain/entities/manifest.go b/pkg/domain/entities/manifest.go
index a9c961f9d..7316735b0 100644
--- a/pkg/domain/entities/manifest.go
+++ b/pkg/domain/entities/manifest.go
@@ -10,6 +10,7 @@ type ManifestAddOptions struct {
Arch string `json:"arch" schema:"arch"`
Features []string `json:"features" schema:"features"`
Images []string `json:"images" schema:"images"`
+ OS string `json:"os" schema:"os"`
OSVersion string `json:"os_version" schema:"os_version"`
Variant string `json:"variant" schema:"variant"`
}
diff --git a/pkg/domain/infra/abi/manifest.go b/pkg/domain/infra/abi/manifest.go
index 27d4bf9a5..88331f96c 100644
--- a/pkg/domain/infra/abi/manifest.go
+++ b/pkg/domain/infra/abi/manifest.go
@@ -79,6 +79,7 @@ func (ir *ImageEngine) ManifestAdd(ctx context.Context, opts entities.ManifestAd
Arch: opts.Arch,
Features: opts.Features,
Images: opts.Images,
+ OS: opts.OS,
OSVersion: opts.OSVersion,
Variant: opts.Variant,
}
diff --git a/pkg/domain/infra/tunnel/manifest.go b/pkg/domain/infra/tunnel/manifest.go
index 338256530..18b400533 100644
--- a/pkg/domain/infra/tunnel/manifest.go
+++ b/pkg/domain/infra/tunnel/manifest.go
@@ -41,6 +41,7 @@ func (ir *ImageEngine) ManifestAdd(ctx context.Context, opts entities.ManifestAd
Arch: opts.Arch,
Features: opts.Features,
Images: opts.Images,
+ OS: opts.OS,
OSVersion: opts.OSVersion,
Variant: opts.Variant,
}
diff --git a/test/e2e/manifest_test.go b/test/e2e/manifest_test.go
index a52916e87..9b5a24771 100644
--- a/test/e2e/manifest_test.go
+++ b/test/e2e/manifest_test.go
@@ -85,4 +85,17 @@ var _ = Describe("Podman manifest", func() {
Expect(session.OutputToString()).To(ContainSubstring(imageListPPC64LEInstanceDigest))
Expect(session.OutputToString()).To(ContainSubstring(imageListS390XInstanceDigest))
})
+
+ It("podman manifest add --os", func() {
+ session := podmanTest.Podman([]string{"manifest", "create", "foo"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ session = podmanTest.Podman([]string{"manifest", "add", "--os", "bar", "foo", imageList})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ session = podmanTest.Podman([]string{"manifest", "inspect", "foo"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(ContainSubstring(`"os": "bar"`))
+ })
})
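Review bot: The last assertion matches the literal substring `"os": "bar"`, so it depends on the exact spacing of the `manifest inspect` output and passes as soon as any one entry carries the override. `imageList` appears to be a manifest list itself (the preceding test checks several instance digests from it), so the test does not show which instance was added or that its other platform fields were left unchanged. Decoding the output as JSON and checking the `platform.os` of the expected digest would pin the behaviour, and a second case with a single-image reference would cover the path where the OS comes from the image configuration. The enclosing Describe block starts outside the hunk.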
diff --git a/vendor/github.com/rootless-containers/rootlesskit/pkg/port/builtin/parent/parent.go b/vendor/github.com/rootless-containers/rootlesskit/pkg/port/builtin/parent/parent.go
index 893bf1da9..8ffadd859 100644
--- a/vendor/github.com/rootless-containers/rootlesskit/pkg/port/builtin/parent/parent.go
+++ b/vendor/github.com/rootless-containers/rootlesskit/pkg/port/builtin/parent/parent.go
@@ -2,11 +2,14 @@ package parent
import (
"context"
+ "fmt"
"io"
"io/ioutil"
"net"
"os"
"path/filepath"
+ "strconv"
+ "strings"
"sync"
"syscall"
@@ -84,6 +87,39 @@ func (d *driver) RunParentDriver(initComplete chan struct{}, quit <-chan struct{
return nil
}
+func isEPERM(err error) bool {
+ k := "permission denied"
+ // As of Go 1.14, errors.Is(err, syscall.EPERM) does not seem to work for
+ // "listen tcp 0.0.0.0:80: bind: permission denied" error from net.ListenTCP().
+ return errors.Is(err, syscall.EPERM) || strings.Contains(err.Error(), k)
+}
+
+// annotateEPERM annotates origErr for human-readability
+func annotateEPERM(origErr error, spec port.Spec) error {
+ // Read "net.ipv4.ip_unprivileged_port_start" value (typically 1024)
+ // TODO: what for IPv6?
+ // NOTE: sync.Once should not be used here
+ b, e := ioutil.ReadFile("/proc/sys/net/ipv4/ip_unprivileged_port_start")
+ if e != nil {
+ return origErr
+ }
+ start, e := strconv.Atoi(strings.TrimSpace(string(b)))
+ if e != nil {
+ return origErr
+ }
+ if spec.ParentPort >= start {
+ // origErr is unrelated to ip_unprivileged_port_start
+ return origErr
+ }
+ text := fmt.Sprintf("cannot expose privileged port %d, you might need to add \"net.ipv4.ip_unprivileged_port_start=0\" (currently %d) to /etc/sysctl.conf", spec.ParentPort, start)
+ if filepath.Base(os.Args[0]) == "rootlesskit" {
+ // NOTE: The following sentence is appended only if Args[0] == "rootlesskit", because it does not apply to Podman (as of Podman v1.9).
+ // Podman launches the parent driver in the child user namespace (but in the parent network namespace), which disables the file capability.
+ text += ", or set CAP_NET_BIND_SERVICE on rootlesskit binary"
+ }
+ return errors.Wrap(origErr, text)
+}
+
func (d *driver) AddPort(ctx context.Context, spec port.Spec) (*port.Status, error) {
d.mu.Lock()
err := portutil.ValidatePortSpec(spec, d.ports)
@@ -106,6 +142,9 @@ func (d *driver) AddPort(ctx context.Context, spec port.Spec) (*port.Status, err
return nil, errors.New("spec was not validated?")
}
if err != nil {
+ if isEPERM(err) {
+ err = annotateEPERM(err, spec)
+ }
return nil, err
}
d.mu.Lock()
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 782a905a1..0a6d8ccd5 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -454,7 +454,7 @@ github.com/prometheus/common/model
github.com/prometheus/procfs
github.com/prometheus/procfs/internal/fs
github.com/prometheus/procfs/internal/util
-# github.com/rootless-containers/rootlesskit v0.9.3
+# github.com/rootless-containers/rootlesskit v0.9.4
github.com/rootless-containers/rootlesskit/pkg/msgutil
github.com/rootless-containers/rootlesskit/pkg/port
github.com/rootless-containers/rootlesskit/pkg/port/builtin