9 files changed, 75 insertions, 4 deletions

diff --git a/Makefile b/Makefile
index 253207f49..8a75c11fb 100644
--- a/Makefile
+++ b/Makefile
@@ -135,8 +135,13 @@ export PRINT_HELP_PYSCRIPT
 err_if_empty = $(if $(strip $($(1))),$(strip $($(1))),$(error Required variable $(1) value is undefined, whitespace, or empty))
 
 .PHONY: help
+ifneq (, ${PYTHON})
 help:
 	@$(PYTHON) -c "$$PRINT_HELP_PYSCRIPT" < $(MAKEFILE_LIST)
+else
+help:
+	$(error python required for 'make help', executable not found)
+endif
 
 .gopathok:
 ifeq ("$(wildcard $(GOPKGDIR))","")
diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
index f3ac50a59..cabfafabb 100644
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
@@ -15,6 +15,7 @@
 - The `podman play kube` command now supports the Socket HostPath type ([#7112](https://github.com/containers/podman/issues/7112)).
 - The `podman play kube` command now supports read-only mounts.
 - The `podman play kube` command now supports setting labels on pods from Kubernetes metadata labels.
+- The `podman play kube` command now supports setting container restart policy ([#7656](https://github.com/containers/podman/issues/7656)).
 - The `podman play kube` command now properly handles `HostAlias` entries.
 - The `podman generate kube` command now adds entries to `/etc/hosts` from `--host-add` generated YAML as `HostAlias` entries.
 - The `podman play kube` and `podman generate kube` commands now properly support `shareProcessNamespace` to share the PID namespace in pods.
@@ -29,6 +30,9 @@
 - A new global option has been added to Podman, `--runtime-flags`, which allows for setting flags to use when the OCI runtime is called.
 - The `podman manifest add` command now supports the `--cert-dir`, `--auth-file`, `--creds`, and `--tls-verify` options.
 
+### Security
+- This release resolves CVE-2020-14370, in which environment variables could be leaked between containers created using the Varlink API.
+
 ### Changes
 - Podman will now retry pulling an image 3 times if a pull fails due to network errors.
 - The `podman exec` command would previously print error messages (e.g. `exec session exited with non-zero exit code -1`) when the command run exited with a non-0 exit code. It no longer does this. The `podman exec` command will still exit with the same exit code as the command run in the container did.
@@ -72,8 +76,12 @@
 - Fixed a bug where the `--infra-command` parameter to `podman pod create` was nonfunctional.
 - Fixed a bug where `podman auto-update` would fail for any container started with `--pull=always` ([#7407](https://github.com/containers/podman/issues/7407)).
 - Fixed a bug where the `podman wait` command would only accept a single argument.
+- Fixed a bug where the parsing of the `--volumes-from` option to `podman run` and `podman create` was broken, making it impossible to use multiple mount options at the same time ([#7701](https://github.com/containers/podman/issues/7701)).
+- Fixed a bug where the `podman exec` command would not join executed processes to the container's supplemental groups if the container was started with both the `--user` and `--group-add` options.
+- Fixed a bug where the `--iidfile` option to `podman-remote build` was nonfunctional.
 
 ### API
+- The Libpod API version has been bumped to v2.0.0 due to a breaking change in the Image List API.
 - Docker-compatible Volume Endpoints (Create, Inspect, List, Remove, Prune) are now available!
 - Added an endpoint for generating systemd unit files for containers.
 - The `last` parameter to the Libpod container list endpoint now has an alias, `limit` ([#6413](https://github.com/containers/podman/issues/6413)).
@@ -96,6 +104,9 @@
 - All non-hijacking responses to API requests should not include headers with the version of the server.
 - Fixed a bug where Libpod and Compat Events endpoints did not send response headers until the first event occurred ([#7263](https://github.com/containers/podman/issues/7263)).
 - Fixed a bug where the Build endpoints (Compat and Libpod) did not stream progress to the client.
+- Fixed a bug where the Stats endpoints (Compat and Libpod) did not properly handle clients disconnecting.
+- Fixed a bug where the Ignore parameter to the Libpod Stop endpoint was not performing properly.
+- Fixed a bug where the Compat Logs endpoint for containers did not stream its output in the correct format ([#7196](https://github.com/containers/podman/issues/7196)).
 
 ### Misc
 - Updated Buildah to v1.16.1
diff --git a/pkg/domain/infra/abi/images.go b/pkg/domain/infra/abi/images.go
index cc62c3f27..25c0c184f 100644
--- a/pkg/domain/infra/abi/images.go
+++ b/pkg/domain/infra/abi/images.go
@@ -191,6 +191,15 @@ func (ir *ImageEngine) Unmount(ctx context.Context, nameOrIDs []string, options
 	reports := []*entities.ImageUnmountReport{}
 	for _, img := range images {
 		report := entities.ImageUnmountReport{Id: img.ID()}
+		mounted, _, err := img.Mounted()
+		if err != nil {
+			// Errors will be caught in Unmount call below
+			// Default assumption to mounted
+			mounted = true
+		}
+		if !mounted {
+			continue
+		}
 		if err := img.Unmount(options.Force); err != nil {
 			if options.All && errors.Cause(err) == storage.ErrLayerNotMounted {
 				logrus.Debugf("Error umounting image %s, storage.ErrLayerNotMounted", img.ID())
diff --git a/pkg/domain/infra/tunnel/containers.go b/pkg/domain/infra/tunnel/containers.go
index 3e99b73b6..d0f90d900 100644
--- a/pkg/domain/infra/tunnel/containers.go
+++ b/pkg/domain/infra/tunnel/containers.go
@@ -389,6 +389,15 @@ func (ic *ContainerEngine) ContainerLogs(_ context.Context, nameOrIDs []string,
 }
 
 func (ic *ContainerEngine) ContainerAttach(ctx context.Context, nameOrID string, options entities.AttachOptions) error {
+	ctrs, err := getContainersByContext(ic.ClientCxt, false, false, []string{nameOrID})
+	if err != nil {
+		return err
+	}
+	ctr := ctrs[0]
+	if ctr.State != define.ContainerStateRunning.String() {
+		return errors.Errorf("you can only attach to running containers")
+	}
+
 	return containers.Attach(ic.ClientCxt, nameOrID, &options.DetachKeys, nil, bindings.PTrue, options.Stdin, options.Stdout, options.Stderr, nil)
 }
 
diff --git a/test/e2e/attach_test.go b/test/e2e/attach_test.go
index 7b18f71ac..8065f6298 100644
--- a/test/e2e/attach_test.go
+++ b/test/e2e/attach_test.go
@@ -40,7 +40,6 @@ var _ = Describe("Podman attach", func() {
 	})
 
 	It("podman attach to non-running container", func() {
-		SkipIfRemote()
 		session := podmanTest.Podman([]string{"create", "--name", "test1", "-d", "-i", ALPINE, "ls"})
 		session.WaitWithDefaultTimeout()
 		Expect(session.ExitCode()).To(Equal(0))
@@ -51,8 +50,8 @@ var _ = Describe("Podman attach", func() {
 	})
 
 	It("podman container attach to non-running container", func() {
-		SkipIfRemote()
 		session := podmanTest.Podman([]string{"container", "create", "--name", "test1", "-d", "-i", ALPINE, "ls"})
+
 		session.WaitWithDefaultTimeout()
 		Expect(session.ExitCode()).To(Equal(0))
 
@@ -87,7 +86,6 @@ var _ = Describe("Podman attach", func() {
 		Expect(podmanTest.NumberOfContainersRunning()).To(Equal(1))
 	})
 	It("podman attach to the latest container", func() {
-		SkipIfRemote()
 		session := podmanTest.Podman([]string{"run", "-d", "--name", "test1", ALPINE, "/bin/sh", "-c", "while true; do echo test1; sleep 1; done"})
 		session.WaitWithDefaultTimeout()
 		Expect(session.ExitCode()).To(Equal(0))
@@ -96,7 +94,11 @@ var _ = Describe("Podman attach", func() {
 		session.WaitWithDefaultTimeout()
 		Expect(session.ExitCode()).To(Equal(0))
 
-		results := podmanTest.Podman([]string{"attach", "-l"})
+		cid := "-l"
+		if IsRemote() {
+			cid = "test2"
+		}
+		results := podmanTest.Podman([]string{"attach", cid})
 		time.Sleep(2 * time.Second)
 		results.Signal(syscall.SIGTSTP)
 		Expect(results.OutputToString()).To(ContainSubstring("test2"))
diff --git a/test/e2e/libpod_suite_remote_test.go b/test/e2e/libpod_suite_remote_test.go
index 874789b5e..e74d9bf7c 100644
--- a/test/e2e/libpod_suite_remote_test.go
+++ b/test/e2e/libpod_suite_remote_test.go
@@ -19,6 +19,10 @@ import (
 	"github.com/onsi/ginkgo"
 )
 
+func IsRemote() bool {
+	return true
+}
+
 func SkipIfRemote() {
 	ginkgo.Skip("This function is not enabled for remote podman")
 }
diff --git a/test/e2e/libpod_suite_test.go b/test/e2e/libpod_suite_test.go
index bfd898108..0f33798b7 100644
--- a/test/e2e/libpod_suite_test.go
+++ b/test/e2e/libpod_suite_test.go
@@ -12,6 +12,10 @@ import (
 	. "github.com/onsi/ginkgo"
 )
 
+func IsRemote() bool {
+	return false
+}
+
 func SkipIfRemote() {
 }
 
diff --git a/test/e2e/libpod_suite_varlink_test.go b/test/e2e/libpod_suite_varlink_test.go
index 750c8cd09..0d7032429 100644
--- a/test/e2e/libpod_suite_varlink_test.go
+++ b/test/e2e/libpod_suite_varlink_test.go
@@ -19,6 +19,10 @@ import (
 	"github.com/onsi/ginkgo"
 )
 
+func IsRemote() bool {
+	return true
+}
+
 func SkipIfRemote() {
 	ginkgo.Skip("This function is not enabled for remote podman")
 }
diff --git a/test/e2e/mount_test.go b/test/e2e/mount_test.go
index a2b448337..1fbb92b09 100644
--- a/test/e2e/mount_test.go
+++ b/test/e2e/mount_test.go
@@ -348,6 +348,25 @@ var _ = Describe("Podman mount", func() {
 		Expect(umount.ExitCode()).To(Equal(0))
 	})
 
+	It("podman umount --all", func() {
+		setup := podmanTest.PodmanNoCache([]string{"pull", fedoraMinimal})
+		setup.WaitWithDefaultTimeout()
+		Expect(setup.ExitCode()).To(Equal(0))
+
+		setup = podmanTest.PodmanNoCache([]string{"pull", ALPINE})
+		setup.WaitWithDefaultTimeout()
+		Expect(setup.ExitCode()).To(Equal(0))
+
+		mount := podmanTest.Podman([]string{"image", "mount", fedoraMinimal})
+		mount.WaitWithDefaultTimeout()
+		Expect(mount.ExitCode()).To(Equal(0))
+
+		umount := podmanTest.Podman([]string{"image", "umount", "--all"})
+		umount.WaitWithDefaultTimeout()
+		Expect(umount.ExitCode()).To(Equal(0))
+		Expect(len(umount.OutputToStringArray())).To(Equal(1))
+	})
+
 	It("podman mount many", func() {
 		setup := podmanTest.PodmanNoCache([]string{"pull", fedoraMinimal})
 		setup.WaitWithDefaultTimeout()
@@ -402,6 +421,10 @@ var _ = Describe("Podman mount", func() {
 		Expect(mount.ExitCode()).To(Equal(0))
 		Expect(mount.OutputToString()).To(Equal(""))
 
+		umount = podmanTest.PodmanNoCache([]string{"image", "umount", fedoraMinimal, ALPINE})
+		umount.WaitWithDefaultTimeout()
+		Expect(umount.ExitCode()).To(Equal(0))
+
 		mount1 = podmanTest.PodmanNoCache([]string{"image", "mount", "--all"})
 		mount1.WaitWithDefaultTimeout()
 		Expect(mount1.ExitCode()).To(Equal(0))