-rw-r--r-- | go.mod | 2 | ||||
-rw-r--r-- | go.sum | 3 | ||||
-rw-r--r-- | libpod/define/config.go | 3 | ||||
-rw-r--r-- | libpod/kube.go | 51 | ||||
-rw-r--r-- | pkg/domain/infra/abi/play.go | 2 | ||||
-rw-r--r-- | pkg/machine/qemu/machine.go | 7 | ||||
-rw-r--r-- | pkg/specgen/generate/kube/kube.go | 13 | ||||
-rw-r--r-- | test/e2e/generate_kube_test.go | 11 | ||||
-rw-r--r-- | test/e2e/play_kube_test.go | 33 | ||||
-rw-r--r-- | vendor/github.com/mattn/go-isatty/.travis.yml | 14 | ||||
-rw-r--r-- | vendor/github.com/mattn/go-isatty/go.mod | 2 | ||||
-rw-r--r-- | vendor/github.com/mattn/go-isatty/isatty_bsd.go | 1 | ||||
-rw-r--r-- | vendor/github.com/mattn/go-isatty/isatty_others.go | 3 | ||||
-rw-r--r-- | vendor/github.com/mattn/go-isatty/isatty_plan9.go | 1 | ||||
-rw-r--r-- | vendor/github.com/mattn/go-isatty/isatty_solaris.go | 9 | ||||
-rw-r--r-- | vendor/github.com/mattn/go-isatty/isatty_tcgets.go | 3 | ||||
-rw-r--r-- | vendor/github.com/mattn/go-isatty/isatty_windows.go | 6 | ||||
-rw-r--r-- | vendor/github.com/mattn/go-isatty/renovate.json | 8 | ||||
-rw-r--r-- | vendor/modules.txt | 2 |
19 files changed, 116 insertions, 58 deletions
@@ -41,7 +41,7 @@ require ( github.com/hpcloud/tail v1.0.0 github.com/json-iterator/go v1.1.12 github.com/mattn/go-colorable v0.1.8 // indirect - github.com/mattn/go-isatty v0.0.12 + github.com/mattn/go-isatty v0.0.14 github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6 github.com/mrunalp/fileutils v0.5.0 github.com/onsi/ginkgo v1.16.4 @@ -625,8 +625,9 @@ github.com/mattn/go-colorable v0.1.8 h1:c1ghPdyEDarC70ftn0y+A/Ee++9zz8ljHG1b13eJ github.com/mattn/go-colorable v0.1.8/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= -github.com/mattn/go-isatty v0.0.12 h1:wuysRhFDzyxgEmMf5xjvJ2M9dZoWAXNNr5LSBS7uHXY= github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU= +github.com/mattn/go-isatty v0.0.14 h1:yVuAays6BHfxijgZPzw+3Zlu5yQgKGP2/hcQbHb7S9Y= +github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94= github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= github.com/mattn/go-runewidth v0.0.7/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI= github.com/mattn/go-runewidth v0.0.12/go.mod h1:RAqKPSqVFrSLVXbA8x7dzmKdmGzieGRCM46jaSJTDAk= diff --git a/libpod/define/config.go b/libpod/define/config.go index 7a0d39e42..a5cf07afc 100644 --- a/libpod/define/config.go +++ b/libpod/define/config.go @@ -90,3 +90,6 @@ const ( // DefaultRlimitValue is the value set by default for nofile and nproc const RLimitDefaultValue = uint64(1048576) + +// BindMountPrefix distinguishes its annotations from others +const BindMountPrefix = "bind-mount-options:" diff --git a/libpod/kube.go b/libpod/kube.go index 57d99f3ef..bf86a9d16 100644 --- a/libpod/kube.go +++ b/libpod/kube.go 
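Review bot: Keys built from `BindMountPrefix` plus a mount source (both loops in libpod/kube.go write `define.BindMountPrefix+k`) contain `:` and several `/`, which does not fit the Kubernetes annotation-key syntax of an optional DNS-subdomain prefix, a single `/`, and a name of at most 63 characters. YAML written by `generate kube` may therefore be rejected when it is applied to a real cluster. The doc comment is also too vague to state the contract; something like `// BindMountPrefix is the pod-annotation key prefix under which generate kube records the SELinux relabel option ("z" or "Z") of a bind mount; the mount source follows the prefix.` would do. If cluster compatibility matters, a fixed key with the path carried in the value avoids the problem.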
@@ -241,11 +241,13 @@ func (p *Pod) podWithContainers(ctx context.Context, containers []*Container, po isInit := ctr.IsInitCtr() - ctr, volumes, _, err := containerToV1Container(ctx, ctr) + ctr, volumes, _, annotations, err := containerToV1Container(ctx, ctr) if err != nil { return nil, err } - + for k, v := range annotations { + podAnnotations[define.BindMountPrefix+k] = v + } // Since port bindings for the pod are handled by the // infra container, wipe them here. ctr.Ports = nil @@ -271,7 +273,7 @@ func (p *Pod) podWithContainers(ctx context.Context, containers []*Container, po deDupPodVolumes[vol.Name] = &vol } } else { - _, _, infraDNS, err := containerToV1Container(ctx, ctr) + _, _, infraDNS, _, err := containerToV1Container(ctx, ctr) if err != nil { return nil, err } @@ -359,17 +361,19 @@ func simplePodWithV1Containers(ctx context.Context, ctrs []*Container) (*v1.Pod, if !ctr.HostNetwork() { hostNetwork = false } - kubeCtr, kubeVols, ctrDNS, err := containerToV1Container(ctx, ctr) + kubeCtr, kubeVols, ctrDNS, annotations, err := containerToV1Container(ctx, ctr) if err != nil { return nil, err } + for k, v := range annotations { + kubeAnnotations[define.BindMountPrefix+k] = v + } if isInit { kubeInitCtrs = append(kubeInitCtrs, kubeCtr) } else { kubeCtrs = append(kubeCtrs, kubeCtr) } kubeVolumes = append(kubeVolumes, kubeVols...) - // Combine DNS information in sum'd structure if ctrDNS != nil { // nameservers 
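Review bot: The merge `podAnnotations[define.BindMountPrefix+k] = v` overwrites silently, so when two containers of the pod mount the same source with different relabel options (`z` shared, `Z` private) only the value of the container processed last survives. On the play side that single value is applied to every container that bind-mounts the path, and a private `Z` label where a shared `z` was intended can leave the other containers unable to use the volume. Checking first, `if old, ok := podAnnotations[key]; ok && old != v { ... }`, and either returning an error or falling back to `z` makes the conflict visible. The loop added to simplePodWithV1Containers (`kubeAnnotations[...] = v`) behaves the same way. Both maps are declared outside these hunks, so confirm they are initialised before the write.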
@@ -415,42 +419,44 @@ func simplePodWithV1Containers(ctx context.Context, ctrs []*Container) (*v1.Pod, // containerToV1Container converts information we know about a libpod container // to a V1.Container specification. -func containerToV1Container(ctx context.Context, c *Container) (v1.Container, []v1.Volume, *v1.PodDNSConfig, error) { +func containerToV1Container(ctx context.Context, c *Container) (v1.Container, []v1.Volume, *v1.PodDNSConfig, map[string]string, error) { kubeContainer := v1.Container{} kubeVolumes := []v1.Volume{} + annotations := make(map[string]string) kubeSec, err := generateKubeSecurityContext(c) if err != nil { - return kubeContainer, kubeVolumes, nil, err + return kubeContainer, kubeVolumes, nil, annotations, err } // NOTE: a privileged container mounts all of /dev/*. if !c.Privileged() && len(c.config.Spec.Linux.Devices) > 0 { // TODO Enable when we can support devices and their names kubeContainer.VolumeDevices = generateKubeVolumeDeviceFromLinuxDevice(c.config.Spec.Linux.Devices) - return kubeContainer, kubeVolumes, nil, errors.Wrapf(define.ErrNotImplemented, "linux devices") + return kubeContainer, kubeVolumes, nil, annotations, errors.Wrapf(define.ErrNotImplemented, "linux devices") } if len(c.config.UserVolumes) > 0 { - volumeMounts, volumes, err := libpodMountsToKubeVolumeMounts(c) + volumeMounts, volumes, localAnnotations, err := libpodMountsToKubeVolumeMounts(c) if err != nil { - return kubeContainer, kubeVolumes, nil, err + return kubeContainer, kubeVolumes, nil, nil, err } + annotations = localAnnotations kubeContainer.VolumeMounts = volumeMounts kubeVolumes = append(kubeVolumes, volumes...) 
} envVariables, err := libpodEnvVarsToKubeEnvVars(c.config.Spec.Process.Env) if err != nil { - return kubeContainer, kubeVolumes, nil, err + return kubeContainer, kubeVolumes, nil, annotations, err } portmappings, err := c.PortMappings() if err != nil { - return kubeContainer, kubeVolumes, nil, err + return kubeContainer, kubeVolumes, nil, annotations, err } ports, err := ocicniPortMappingToContainerPort(portmappings) if err != nil { - return kubeContainer, kubeVolumes, nil, err + return kubeContainer, kubeVolumes, nil, annotations, err } // Handle command and arguments. @@ -469,11 +475,11 @@ func containerToV1Container(ctx context.Context, c *Container) (v1.Container, [] kubeContainer.Stdin = c.Stdin() img, _, err := c.runtime.libimageRuntime.LookupImage(image, nil) if err != nil { - return kubeContainer, kubeVolumes, nil, err + return kubeContainer, kubeVolumes, nil, annotations, err } imgData, err := img.Inspect(ctx, false) if err != nil { - return kubeContainer, kubeVolumes, nil, err + return kubeContainer, kubeVolumes, nil, annotations, err } if reflect.DeepEqual(imgData.Config.Cmd, kubeContainer.Command) { kubeContainer.Command = nil @@ -555,7 +561,7 @@ func containerToV1Container(ctx context.Context, c *Container) (v1.Container, [] } dns.Options = dnsOptions } - return kubeContainer, kubeVolumes, &dns, nil + return kubeContainer, kubeVolumes, &dns, annotations, nil } // ocicniPortMappingToContainerPort takes an ocicni portmapping and converts 
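Review bot: The error returns of containerToV1Container disagree about the new map: the libpodMountsToKubeVolumeMounts failure path returns `nil` for it (`return kubeContainer, kubeVolumes, nil, nil, err`) while every other path returns `annotations`. The three call sites shown in this diff return as soon as `err != nil`, so returning `nil` on every error path is the simpler contract. The doc comment above the function still describes only the container conversion; add a sentence such as `// The returned map holds the SELinux relabel option of each user mount, keyed by mount source.` With five results, a small result struct would also stop the call sites from accumulating `_` placeholders.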
@@ -606,16 +612,23 @@ func libpodEnvVarsToKubeEnvVars(envs []string) ([]v1.EnvVar, error) { } // libpodMountsToKubeVolumeMounts converts the containers mounts to a struct kube understands -func libpodMountsToKubeVolumeMounts(c *Container) ([]v1.VolumeMount, []v1.Volume, error) { +func libpodMountsToKubeVolumeMounts(c *Container) ([]v1.VolumeMount, []v1.Volume, map[string]string, error) { namedVolumes, mounts := c.sortUserVolumes(c.config.Spec) vms := make([]v1.VolumeMount, 0, len(mounts)) vos := make([]v1.Volume, 0, len(mounts)) + annotations := make(map[string]string) var suffix string for index, m := range mounts { + for _, opt := range m.Options { + if opt == "Z" || opt == "z" { + annotations[m.Source] = opt + break + } + } vm, vo, err := generateKubeVolumeMount(m) if err != nil { - return vms, vos, err + return vms, vos, annotations, err } // Name will be the same, so use the index as suffix suffix = fmt.Sprintf("-%d", index) @@ -629,7 +642,7 @@ func libpodMountsToKubeVolumeMounts(c *Container) ([]v1.VolumeMount, []v1.Volume vms = append(vms, vm) vos = append(vos, vo) } - return vms, vos, nil + return vms, vos, annotations, nil } // generateKubePersistentVolumeClaim converts a ContainerNamedVolume to a Kubernetes PersistentVolumeClaim diff --git a/pkg/domain/infra/abi/play.go b/pkg/domain/infra/abi/play.go index 35389ec5e..cf72a6253 100644 --- a/pkg/domain/infra/abi/play.go +++ b/pkg/domain/infra/abi/play.go @@ -319,8 +319,8 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY if err != nil { return nil, err } - specgenOpts := kube.CtrSpecGenOptions{ + Annotations: annotations, Container: initCtr, Image: pulledImage, Volumes: volumes, diff --git a/pkg/machine/qemu/machine.go b/pkg/machine/qemu/machine.go index 09078fbfb..c4e6aa611 100644 --- a/pkg/machine/qemu/machine.go +++ b/pkg/machine/qemu/machine.go 
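Review bot: The doc comment of libpodMountsToKubeVolumeMounts does not mention the new third result, and a reader cannot tell from the signature what the map is keyed by. I would add `// The returned map is keyed by mount source and holds the SELinux relabel option ("z" or "Z") found in that mount's options; mounts without either option have no entry.` On the `generateKubeVolumeMount` error path the function now returns a partially filled map next to the error; returning `nil` there would match the usual convention that results are meaningless when err is non-nil. The loop body continues outside this hunk.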
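Review bot: Only the `kube.CtrSpecGenOptions` literal built for `initCtr` is shown receiving `Annotations: annotations`, and the diffstat lists just two changed lines for pkg/domain/infra/abi/play.go. If the literal built for regular containers in playKubePod (outside this hunk) does not set the field too, ToSpecGen sees a nil map for them and the `z`/`Z` option recorded by `generate kube` is never restored, so their bind mounts come up without relabeling. Please confirm the second literal and add `Annotations: annotations,` to it if it is missing.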
@@ -392,7 +392,12 @@ func (v *MachineVM) Stop(name string, _ machine.StopOptions) error { logrus.Warn(err) } // Remove socket - return os.Remove(qemuSocketFile) + if err := os.Remove(qemuSocketFile); err != nil { + return err + } + + fmt.Printf("Successfully stopped machine: %s", name) + return nil } // NewQMPMonitor creates the monitor subsection of our vm diff --git a/pkg/specgen/generate/kube/kube.go b/pkg/specgen/generate/kube/kube.go index c01d7a1f0..9389b1a20 100644 --- a/pkg/specgen/generate/kube/kube.go +++ b/pkg/specgen/generate/kube/kube.go @@ -12,6 +12,7 @@ import ( "github.com/containers/common/pkg/parse" "github.com/containers/common/pkg/secrets" "github.com/containers/image/v5/manifest" + "github.com/containers/podman/v3/libpod/define" "github.com/containers/podman/v3/libpod/network/types" ann "github.com/containers/podman/v3/pkg/annotations" "github.com/containers/podman/v3/pkg/domain/entities" @@ -86,6 +87,8 @@ func ToPodOpt(ctx context.Context, podName string, p entities.PodCreateOptions, } type CtrSpecGenOptions struct { + // Annotations from the Pod + Annotations map[string]string // Container as read from the pod yaml Container v1.Container // Image available to use (pulled or found local) @@ -157,7 +160,7 @@ func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGener return nil, errors.Wrap(err, "Failed to set CPU quota") } if milliCPU > 0 { - period, quota := util.CoresToPeriodAndQuota(float64(milliCPU) / 1000) + period, quota := util.CoresToPeriodAndQuota(float64(milliCPU)) s.ResourceLimits.CPU = &spec.LinuxCPU{ Quota: "a, Period: &period, 
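Review bot: The success message has no trailing newline, `fmt.Printf("Successfully stopped machine: %s", name)`, so the next output or the shell prompt runs on directly after the machine name; `fmt.Printf("Successfully stopped machine: %s\n", name)` fixes it. Writing to stdout from `(*MachineVM).Stop` also ties the backend to the CLI; returning nil and letting the command layer report success keeps the package usable by callers that parse stdout. Stop's body starts outside the hunk.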
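Review bot: The variable named `milliCPU` is now handed to `util.CoresToPeriodAndQuota` as a core count, `float64(milliCPU)`, so its name and its unit no longer agree. Its assignment is outside the hunk; if the value really is in whole cores, rename it (for example `cores`) and check how a fractional limit such as `500m` is converted, because an integer core count cannot represent it and the container would run with a different CPU ceiling than the YAML requests. The e2e test added in test/e2e/play_kube_test.go covers only a limit of `1` and asserts that period equals quota. A fractional case would pin the behaviour.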
@@ -289,6 +292,14 @@ func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGener volume.MountPath = dest switch volumeSource.Type { case KubeVolumeTypeBindMount: + // If the container has bind mounts, we need to check if + // a selinux mount option exists for it + for k, v := range opts.Annotations { + // Make sure the z/Z option is not already there (from editing the YAML) + if strings.Replace(k, define.BindMountPrefix, "", 1) == volumeSource.Source && !util.StringInSlice("z", options) && !util.StringInSlice("Z", options) { + options = append(options, v) + } + } mount := spec.Mount{ Destination: volume.MountPath, Source: volumeSource.Source, diff --git a/test/e2e/generate_kube_test.go b/test/e2e/generate_kube_test.go index cb556991c..cb987e139 100644 --- a/test/e2e/generate_kube_test.go +++ b/test/e2e/generate_kube_test.go @@ -6,6 +6,8 @@ import ( "path/filepath" "strconv" + "github.com/containers/podman/v3/libpod/define" + "github.com/containers/podman/v3/pkg/util" . "github.com/containers/podman/v3/test/utils" "github.com/ghodss/yaml" @@ -555,6 +557,15 @@ var _ = Describe("Podman generate kube", func() { kube.WaitWithDefaultTimeout() Expect(kube).Should(Exit(0)) + b, err := ioutil.ReadFile(outputFile) + Expect(err).ShouldNot(HaveOccurred()) + pod := new(v1.Pod) + err = yaml.Unmarshal(b, pod) + Expect(err).To(BeNil()) + val, found := pod.Annotations[define.BindMountPrefix+vol1] + Expect(found).To(BeTrue()) + Expect(val).To(HaveSuffix("z")) + rm := podmanTest.Podman([]string{"pod", "rm", "-f", "test1"}) rm.WaitWithDefaultTimeout() Expect(rm).Should(Exit(0)) diff --git a/test/e2e/play_kube_test.go b/test/e2e/play_kube_test.go index 0d5b9d52c..83ce751e6 100644 --- a/test/e2e/play_kube_test.go +++ b/test/e2e/play_kube_test.go 
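Review bot: The annotation value `v` is appended to the mount options without being checked, so any string stored under a matching key in the pod YAML becomes a mount option, not only the `z`/`Z` that `generate kube` writes. The key test `strings.Replace(k, define.BindMountPrefix, "", 1) == volumeSource.Source` also matches a key that lacks the prefix entirely or carries it in the middle, and the loop walks every pod annotation for every bind mount. A direct lookup on `define.BindMountPrefix+volumeSource.Source` that accepts only the two relabel flags closes both gaps. ToSpecGen starts and ends outside the hunk.

```go
case KubeVolumeTypeBindMount:
	// Accept only the SELinux relabel flags from the pod annotation.
	if opt, ok := opts.Annotations[define.BindMountPrefix+volumeSource.Source]; ok {
		if opt != "z" && opt != "Z" {
			return nil, errors.Errorf("invalid bind mount option %q for %q", opt, volumeSource.Source)
		}
		if !util.StringInSlice("z", options) && !util.StringInSlice("Z", options) {
			options = append(options, opt)
		}
	}
	// … unchanged: spec.Mount construction …
```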
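Review bot: `Expect(val).To(HaveSuffix("z"))` is looser than what the generator produces, which per libpodMountsToKubeVolumeMounts is exactly `z` or `Z`; an `Equal` on the option the test mounted `vol1` with would catch a value that picked up anything else. This diff tests only the `generate kube` half. No test feeds the annotation back through `play kube` to check that the mount option is restored, and none supplies an unexpected annotation value. The enclosing It block starts outside the hunk.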
@@ -2320,6 +2320,39 @@ MemoryReservation: {{ .HostConfig.MemoryReservation }}`}) } }) + It("podman play kube allows setting resource limits with --cpus 1", func() { + SkipIfContainerized("Resource limits require a running systemd") + SkipIfRootless("CPU limits require root") + podmanTest.CgroupManager = "systemd" + + var ( + expectedCpuLimit string = "1" + ) + + deployment := getDeployment( + withPod(getPod(withCtr(getCtr( + withCpuLimit(expectedCpuLimit), + ))))) + err := generateKubeYaml("deployment", deployment, kubeYaml) + Expect(err).To(BeNil()) + + kube := podmanTest.Podman([]string{"play", "kube", kubeYaml}) + kube.WaitWithDefaultTimeout() + Expect(kube).Should(Exit(0)) + + for _, pod := range getPodNamesInDeployment(deployment) { + inspect := podmanTest.Podman([]string{"inspect", getCtrNameInPod(&pod), "--format", `{{ .HostConfig.CpuPeriod }}:{{ .HostConfig.CpuQuota }}`}) + + inspect.WaitWithDefaultTimeout() + Expect(inspect).Should(Exit(0)) + + parts := strings.Split(strings.Trim(inspect.OutputToString(), "\n"), ":") + Expect(parts).To(HaveLen(2)) + + Expect(parts[0]).To(Equal(parts[1])) + } + }) + It("podman play kube reports invalid image name", func() { invalidImageName := "./myimage" diff --git a/vendor/github.com/mattn/go-isatty/.travis.yml b/vendor/github.com/mattn/go-isatty/.travis.yml deleted file mode 100644 index 604314dd4..000000000 --- a/vendor/github.com/mattn/go-isatty/.travis.yml +++ /dev/null @@ -1,14 +0,0 @@ -language: go -sudo: false -go: - - 1.13.x - - tip - -before_install: - - go get -t -v ./... - -script: - - ./go.test.sh - -after_success: - - bash <(curl -s https://codecov.io/bash) diff --git a/vendor/github.com/mattn/go-isatty/go.mod b/vendor/github.com/mattn/go-isatty/go.mod index 605c4c221..c9a20b7f3 100644 --- a/vendor/github.com/mattn/go-isatty/go.mod +++ b/vendor/github.com/mattn/go-isatty/go.mod 
@@ -2,4 +2,4 @@ module github.com/mattn/go-isatty go 1.12 -require golang.org/x/sys v0.0.0-20200116001909-b77594299b42 +require golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c diff --git a/vendor/github.com/mattn/go-isatty/isatty_bsd.go b/vendor/github.com/mattn/go-isatty/isatty_bsd.go index 711f28808..39bbcf00f 100644 --- a/vendor/github.com/mattn/go-isatty/isatty_bsd.go +++ b/vendor/github.com/mattn/go-isatty/isatty_bsd.go @@ -1,3 +1,4 @@ +//go:build (darwin || freebsd || openbsd || netbsd || dragonfly) && !appengine // +build darwin freebsd openbsd netbsd dragonfly // +build !appengine diff --git a/vendor/github.com/mattn/go-isatty/isatty_others.go b/vendor/github.com/mattn/go-isatty/isatty_others.go index ff714a376..31503226f 100644 --- a/vendor/github.com/mattn/go-isatty/isatty_others.go +++ b/vendor/github.com/mattn/go-isatty/isatty_others.go @@ -1,4 +1,5 @@ -// +build appengine js nacl +//go:build appengine || js || nacl || wasm +// +build appengine js nacl wasm package isatty diff --git a/vendor/github.com/mattn/go-isatty/isatty_plan9.go b/vendor/github.com/mattn/go-isatty/isatty_plan9.go index c5b6e0c08..bae7f9bb3 100644 --- a/vendor/github.com/mattn/go-isatty/isatty_plan9.go +++ b/vendor/github.com/mattn/go-isatty/isatty_plan9.go @@ -1,3 +1,4 @@ +//go:build plan9 // +build plan9 package isatty diff --git a/vendor/github.com/mattn/go-isatty/isatty_solaris.go b/vendor/github.com/mattn/go-isatty/isatty_solaris.go index bdd5c79a0..0c3acf2dc 100644 --- a/vendor/github.com/mattn/go-isatty/isatty_solaris.go +++ b/vendor/github.com/mattn/go-isatty/isatty_solaris.go @@ -1,5 +1,5 @@ -// +build solaris -// +build !appengine +//go:build solaris && !appengine +// +build solaris,!appengine package isatty 
@@ -8,10 +8,9 @@ import ( ) // IsTerminal returns true if the given file descriptor is a terminal. -// see: http://src.illumos.org/source/xref/illumos-gate/usr/src/lib/libbc/libc/gen/common/isatty.c +// see: https://src.illumos.org/source/xref/illumos-gate/usr/src/lib/libc/port/gen/isatty.c func IsTerminal(fd uintptr) bool { - var termio unix.Termio - err := unix.IoctlSetTermio(int(fd), unix.TCGETA, &termio) + _, err := unix.IoctlGetTermio(int(fd), unix.TCGETA) return err == nil } diff --git a/vendor/github.com/mattn/go-isatty/isatty_tcgets.go b/vendor/github.com/mattn/go-isatty/isatty_tcgets.go index 31a1ca973..67787657f 100644 --- a/vendor/github.com/mattn/go-isatty/isatty_tcgets.go +++ b/vendor/github.com/mattn/go-isatty/isatty_tcgets.go @@ -1,4 +1,5 @@ -// +build linux aix +//go:build (linux || aix || zos) && !appengine +// +build linux aix zos // +build !appengine package isatty diff --git a/vendor/github.com/mattn/go-isatty/isatty_windows.go b/vendor/github.com/mattn/go-isatty/isatty_windows.go index 1fa869154..8e3c99171 100644 --- a/vendor/github.com/mattn/go-isatty/isatty_windows.go +++ b/vendor/github.com/mattn/go-isatty/isatty_windows.go @@ -1,5 +1,5 @@ -// +build windows -// +build !appengine +//go:build windows && !appengine +// +build windows,!appengine package isatty @@ -76,7 +76,7 @@ func isCygwinPipeName(name string) bool { } // getFileNameByHandle use the undocomented ntdll NtQueryObject to get file full name from file handler -// since GetFileInformationByHandleEx is not avilable under windows Vista and still some old fashion +// since GetFileInformationByHandleEx is not available under windows Vista and still some old fashion // guys are using Windows XP, this is a workaround for those guys, it will also work on system from // Windows vista to 10 // see https://stackoverflow.com/a/18792477 for details 
diff --git a/vendor/github.com/mattn/go-isatty/renovate.json b/vendor/github.com/mattn/go-isatty/renovate.json deleted file mode 100644 index 5ae9d96b7..000000000 --- a/vendor/github.com/mattn/go-isatty/renovate.json +++ /dev/null @@ -1,8 +0,0 @@ -{ - "extends": [ - "config:base" - ], - "postUpdateOptions": [ - "gomodTidy" - ] -} diff --git a/vendor/modules.txt b/vendor/modules.txt index bfa14e711..1927f8285 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -423,7 +423,7 @@ github.com/manifoldco/promptui/list github.com/manifoldco/promptui/screenbuf # github.com/mattn/go-colorable v0.1.8 github.com/mattn/go-colorable -# github.com/mattn/go-isatty v0.0.12 +# github.com/mattn/go-isatty v0.0.14 github.com/mattn/go-isatty # github.com/mattn/go-runewidth v0.0.13 github.com/mattn/go-runewidth |