-rw-r--r-- | .cirrus.yml | 2 | ||||
-rw-r--r-- | cmd/podman/common/completion.go | 7 | ||||
-rw-r--r-- | cmd/podman/networks/create.go | 12 | ||||
-rw-r--r-- | contrib/podmanimage/README.md | 7 | ||||
-rw-r--r-- | docs/source/markdown/podman-network-create.1.md | 10 | ||||
-rw-r--r-- | docs/source/markdown/podman-run.1.md | 3 | ||||
-rw-r--r-- | libpod/oci_conmon_exec_linux.go | 2 | ||||
-rw-r--r-- | libpod/oci_conmon_linux.go | 49 | ||||
-rw-r--r-- | pkg/bindings/README.md | 4 | ||||
-rw-r--r-- | test/e2e/run_networking_test.go | 13 | ||||
-rw-r--r-- | test/system/040-ps.bats | 4 |
11 files changed, 56 insertions, 57 deletions
diff --git a/.cirrus.yml b/.cirrus.yml
index 44c5d425d..c984c8859 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -38,7 +38,7 @@ env:
     UBUNTU_NAME: "ubuntu-2110"
 
     # Google-cloud VM Images
-    IMAGE_SUFFIX: "c6464310661611520"
+    IMAGE_SUFFIX: "c4831699639992320"
     FEDORA_CACHE_IMAGE_NAME: "fedora-${IMAGE_SUFFIX}"
     PRIOR_FEDORA_CACHE_IMAGE_NAME: "prior-fedora-${IMAGE_SUFFIX}"
     UBUNTU_CACHE_IMAGE_NAME: "ubuntu-${IMAGE_SUFFIX}"
diff --git a/cmd/podman/common/completion.go b/cmd/podman/common/completion.go
index 9ebdcda2b..1c0065006 100644
--- a/cmd/podman/common/completion.go
+++ b/cmd/podman/common/completion.go
@@ -1115,6 +1115,13 @@ func AutocompleteNetworkDriver(cmd *cobra.Command, args []string, toComplete str
 	return drivers, cobra.ShellCompDirectiveNoFileComp
 }
 
+// AutocompleteNetworkIPAMDriver - Autocomplete network ipam driver option.
+// -> "bridge", "macvlan"
+func AutocompleteNetworkIPAMDriver(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+	drivers := []string{types.HostLocalIPAMDriver, types.DHCPIPAMDriver, types.NoneIPAMDriver}
+	return drivers, cobra.ShellCompDirectiveNoFileComp
+}
+
 // AutocompletePodShareNamespace - Autocomplete pod create --share flag option.
 // -> "ipc", "net", "pid", "user", "uts", "cgroup", "none"
 func AutocompletePodShareNamespace(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
diff --git a/cmd/podman/networks/create.go b/cmd/podman/networks/create.go
index 8cf9bcada..84c58d4dc 100644
--- a/cmd/podman/networks/create.go
+++ b/cmd/podman/networks/create.go
@@ -33,6 +33,8 @@ var (
 	networkCreateOptions entities.NetworkCreateOptions
 	labels               []string
 	opts                 []string
+	ipamDriverFlagName   = "ipam-driver"
+	ipamDriver           string
 )
 
 func networkCreateFlags(cmd *cobra.Command) {
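Review bot: The value list in the doc comment on `AutocompleteNetworkIPAMDriver`, `// -> "bridge", "macvlan"`, does not match what the function returns; those look like the network drivers from `AutocompleteNetworkDriver` directly above, while the slice on the next line completes `types.HostLocalIPAMDriver`, `types.DHCPIPAMDriver` and `types.NoneIPAMDriver`. Assuming those constants carry the names the man page in this commit documents, the comment should read `// -> "host-local", "dhcp", "none"`. It is a small thing, but these `// ->` lines are how this file records each completer's value set, so a stale one misleads the next person adding a driver.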
@@ -66,8 +68,8 @@ func networkCreateFlags(cmd *cobra.Command) {
 	flags.StringArrayVar(&labels, labelFlagName, nil, "set metadata on a network")
 	_ = cmd.RegisterFlagCompletionFunc(labelFlagName, completion.AutocompleteNone)
 
-	// TODO not supported yet
-	// flags.StringVar(&networkCreateOptions.IPamDriver, "ipam-driver", "", "IP Address Management Driver")
+	flags.StringVar(&ipamDriver, ipamDriverFlagName, "", "IP Address Management Driver")
+	_ = cmd.RegisterFlagCompletionFunc(ipamDriverFlagName, common.AutocompleteNetworkIPAMDriver)
 
 	flags.BoolVar(&networkCreateOptions.IPv6, "ipv6", false, "enable IPv6 networking")
 
@@ -112,6 +114,12 @@ func networkCreate(cmd *cobra.Command, args []string) error {
 		Internal: networkCreateOptions.Internal,
 	}
 
+	if cmd.Flags().Changed(ipamDriverFlagName) {
+		network.IPAMOptions = map[string]string{
+			types.Driver: ipamDriver,
+		}
+	}
+
 	// old --macvlan option
 	if networkCreateOptions.MacVLAN != "" {
 		logrus.Warn("The --macvlan option is deprecated, use `--driver macvlan --opt parent=<device>` instead")
diff --git a/contrib/podmanimage/README.md b/contrib/podmanimage/README.md
index 2452d7293..4f184ca28 100644
--- a/contrib/podmanimage/README.md
+++ b/contrib/podmanimage/README.md
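Review bot: In the `@@ -112` hunk `network.IPAMOptions` is replaced with a fresh map whenever `--ipam-driver` is given, which would discard any entries the `network` literal above already carries; the start of that literal is outside the hunk, so I cannot see whether anything populates `IPAMOptions` there, but writing into the map is the safer shape either way: `if network.IPAMOptions == nil { network.IPAMOptions = map[string]string{} }` followed by `network.IPAMOptions[types.Driver] = ipamDriver`. The flag value is also forwarded without being checked against the three names the completer and the man page advertise, so a typo such as `--ipam-driver=hostlocal` relies entirely on the network backend rejecting it, which this diff does not show; please confirm the backend does, or add that check here before the assignment so the user gets a CLI-level error. networkCreate continues past the end of the hunk.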
@@ -18,9 +18,10 @@ The container images are:
 
   * `quay.io/containers/podman:<version>` and `quay.io/podman/stable:<version>` -
     These images are built daily. They are intended to contain an unchanging
-    and stable version of podman. Though for the most recent `<version>` tag,
-    image contents will be updated to incorporate (especially) security upgrades.
-    For build details, please [see the configuration file](stable/Dockerfile).
+    and stable version of podman. For the most recent `<version>` tags (`vX`,
+    `vX.Y`, and `vX.Y.Z`) the image contents will be updated daily to incorporate
+    (especially) security upgrades. For build details, please [see the
+    configuration file](stable/Dockerfile).
   * `quay.io/containers/podman:latest` and `quay.io/podman/stable:latest` -
     Built daily using the same Dockerfile as above. The Podman version will remain the "latest" available in Fedora, however the other image
diff --git a/docs/source/markdown/podman-network-create.1.md b/docs/source/markdown/podman-network-create.1.md
index 479c36318..0cdb6fe88 100644
--- a/docs/source/markdown/podman-network-create.1.md
+++ b/docs/source/markdown/podman-network-create.1.md
@@ -49,6 +49,16 @@ Allocate container IP from a range. The range must be a complete subnet and in
 must be used with a *subnet* option. Can be specified multiple times.
 The argument order of the **--subnet**, **--gateway** and **--ip-range** options must match.
 
+#### **--ipam-driver**=*driver*
+
+Set the ipam driver (IP Address Management Driver) for the network. When unset podman will choose an
+ipam driver automatically based on the network driver. Valid values are:
+ - `host-local`: IP addresses are assigned locally.
+ - `dhcp`: IP addresses are assigned from a dhcp server on your network. This driver is not yet supported with netavark.
+ - `none`: No ip addresses are assigned to the interfaces.
+
+You can see the driver in the **podman network inspect** output under the `ipam_options` field.
+
 #### **--ipv6**
 
 Enable IPv6 (Dual Stack) networking. If not subnets are given it will allocate a ipv4 and ipv6 subnet.
diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md
index e9176e0b6..e4ccd0368 100644
--- a/docs/source/markdown/podman-run.1.md
+++ b/docs/source/markdown/podman-run.1.md
@@ -1288,7 +1288,8 @@ The `--userns=auto` flag, requires that the user name `containers` and a range o
 
 Example: `containers:2147483647:2147483648`.
 
-Podman allocates unique ranges of UIDs and GIDs from the `containers` subordinate user ids. The size of the ranges is based on the number of UIDs required in the image. The number of UIDs and GIDs can be overridden with the `size` option. The `auto` options currently does not work in rootless mode
+Podman allocates unique ranges of UIDs and GIDs from the `containers` subordinate user ids. The size of the ranges is based on the number of UIDs required in the image. The number of UIDs and GIDs can be overridden with the `size` option.
+The rootless option `--userns=keep-id` uses all the subuids and subgids of the user. Using `--userns=auto` when starting new containers will not work as long as any containers exist that were started with `--userns=keep-id`.
 
 Valid `auto` options:
 
diff --git a/libpod/oci_conmon_exec_linux.go b/libpod/oci_conmon_exec_linux.go
index 65123b37e..1005d18da 100644
--- a/libpod/oci_conmon_exec_linux.go
+++ b/libpod/oci_conmon_exec_linux.go
@@ -462,7 +462,7 @@ func (r *ConmonOCIRuntime) startExec(c *Container, sessionID string, options *Ex
 		Setpgid: true,
 	}
 
-	err = startCommandGivenSelinux(execCmd, c)
+	err = startCommand(execCmd, c)
 
 	// We don't need children pipes on the parent side
 	errorhandling.CloseQuiet(childSyncPipe)
diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go
index 264236dc1..06ba8a03f 100644
--- a/libpod/oci_conmon_linux.go
+++ b/libpod/oci_conmon_linux.go
@@ -38,7 +38,6 @@ import (
 	pmount "github.com/containers/storage/pkg/mount"
 	"github.com/coreos/go-systemd/v22/daemon"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
-	"github.com/opencontainers/selinux/go-selinux"
 	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -1247,7 +1246,7 @@ func (r *ConmonOCIRuntime) createOCIContainer(ctr *Container, restoreOptions *Co
 	if restoreOptions != nil {
 		runtimeRestoreStarted = time.Now()
 	}
-	err = startCommandGivenSelinux(cmd, ctr)
+	err = startCommand(cmd, ctr)
 
 	// regardless of whether we errored or not, we no longer need the children pipes
 	childSyncPipe.Close()
@@ -1414,9 +1413,7 @@ func (r *ConmonOCIRuntime) sharedConmonArgs(ctr *Container, cuuid, bundlePath, p
 	return args
 }
 
-// startCommandGivenSelinux starts a container ensuring to set the labels of
-// the process to make sure SELinux doesn't block conmon communication, if SELinux is enabled
-func startCommandGivenSelinux(cmd *exec.Cmd, ctr *Container) error {
+func startCommand(cmd *exec.Cmd, ctr *Container) error {
 	// Make sure to unset the NOTIFY_SOCKET and reset if afterwards if needed.
 	switch ctr.config.SdNotifyMode {
 	case define.SdNotifyModeContainer, define.SdNotifyModeIgnore:
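Review bot: The renamed `startCommand` in the `@@ -1414` hunk loses the doc comment its predecessor had and gets none in return, so the only description of what it does is the inline remark about NOTIFY_SOCKET. Going by the switch on `ctr.config.SdNotifyMode` visible here, a header such as `// startCommand starts cmd, first scrubbing NOTIFY_SOCKET from its environment for the sd-notify modes that must not see it and restoring it afterwards where needed.` would document the contract. The rest of the body lies outside this hunk, so adjust the wording to whatever the function still does after this commit.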
@@ -1433,47 +1430,7 @@ func startCommandGivenSelinux(cmd *exec.Cmd, ctr *Container) error {
 		}
 	}
 
-	if !selinux.GetEnabled() {
-		return cmd.Start()
-	}
-	// Set the label of the conmon process to be level :s0
-	// This will allow the container processes to talk to fifo-files
-	// passed into the container by conmon
-	var (
-		plabel string
-		con    selinux.Context
-		err    error
-	)
-	plabel, err = selinux.CurrentLabel()
-	if err != nil {
-		return errors.Wrapf(err, "failed to get current SELinux label")
-	}
-
-	con, err = selinux.NewContext(plabel)
-	if err != nil {
-		return errors.Wrapf(err, "failed to get new context from SELinux label")
-	}
-
-	runtime.LockOSThread()
-	if con["level"] != "s0" && con["level"] != "" {
-		con["level"] = "s0"
-		if err = label.SetProcessLabel(con.Get()); err != nil {
-			runtime.UnlockOSThread()
-			return err
-		}
-	}
-	err = cmd.Start()
-	// Ignore error returned from SetProcessLabel("") call,
-	// can't recover.
-	if labelErr := label.SetProcessLabel(""); labelErr == nil {
-		// Unlock the thread only if the process label could be restored
-		// successfully. Otherwise leave the thread locked and the Go runtime
-		// will terminate it once it returns to the threads pool.
-		runtime.UnlockOSThread()
-	} else {
-		logrus.Errorf("Unable to set process label: %q", labelErr)
-	}
-	return err
+	return cmd.Start()
 }
 
 // moveConmonToCgroupAndSignal gets a container's cgroupParent and moves the conmon process to that cgroup
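Review bot: Removing the SELinux block leaves no record in `startCommand` of why conmon's MCS level is no longer forced to `s0` before `cmd.Start()`; the deleted comment says that level is what let container processes reach the fifos conmon passes in, so a caller running at a non-`s0` level (a confined MCS session, for instance) may now see denials on those fifos unless something outside this diff, conmon itself or the container's own process label, takes over that job, which I cannot verify from here. Please put a one-line comment above `return cmd.Start()` naming where that responsibility now lives, e.g. `// conmon inherits the caller's SELinux label unchanged; the old s0-level override is handled by <where>`, so the next reader does not reintroduce the workaround or, worse, silently inherit the regression. Also check that the surviving `label` import is still used elsewhere in this file now that `label.SetProcessLabel` is gone from here. Dropping the thread-locking dance is a welcome simplification: the old code deliberately left an OS thread locked when the label could not be restored.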
@@ -30,6 +30,10 @@ rootful connections is `/run/podman/podman.sock` and for rootless it is `/run/US
 information about the Podman system service, see `man podman-system-service`.
 
 ### Creating a connection
+Ensure the [required dependencies](https://podman.io/getting-started/installation#build-and-run-dependencies) are installed,
+as they will be required to compile a Go program making use of the bindings.
+
+
 The first step for using the bindings is to create a connection to the socket. As mentioned earlier, the destination of the socket depends on the user who owns it. In this case, a rootful connection is made.
diff --git a/test/e2e/run_networking_test.go b/test/e2e/run_networking_test.go
index faf4db753..696668e52 100644
--- a/test/e2e/run_networking_test.go
+++ b/test/e2e/run_networking_test.go
@@ -1119,4 +1119,17 @@ EXPOSE 2004-2005/tcp`, ALPINE)
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(Exit(0))
 	})
+
+	It("podman run with ipam none driver", func() {
+		net := "ipam" + stringid.GenerateNonCryptoID()
+		session := podmanTest.Podman([]string{"network", "create", "--ipam-driver=none", net})
+		session.WaitWithDefaultTimeout()
+		defer podmanTest.removeNetwork(net)
+		Expect(session).Should(Exit(0))
+
+		session = podmanTest.Podman([]string{"run", "--network", net, ALPINE, "ip", "addr", "show", "eth0"})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(Exit(0))
+		Expect(session.OutputToStringArray()).To(HaveLen(4), "output should only show link local address")
+	})
 })
diff --git a/test/system/040-ps.bats b/test/system/040-ps.bats
index 8d0a405d2..6fc0b9b6e 100644
--- a/test/system/040-ps.bats
+++ b/test/system/040-ps.bats
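Review bot: The `HaveLen(4)` assertion in the new e2e test ties the check to the exact line layout of `ip addr show eth0` and to the host actually handing out an IPv6 link-local address; on a host with IPv6 disabled, or with a different iproute2 output format, the interface prints a different number of lines and the test fails for reasons unrelated to the `none` IPAM driver. Asserting the property the driver guarantees is more robust: `Expect(session.OutputToString()).ToNot(ContainSubstring("inet "))`, which fails only if an IPv4 address was assigned (the trailing space keeps `inet6` from matching). If the link-local expectation should still be recorded, keep it in the failure message rather than in the line count.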
@@ -99,9 +99,7 @@ EOF
     local t1=$SECONDS
     local delta_t=$((t1 - t0))
     if [[ $delta_t -gt 10 ]]; then
-        # FIXME FIXME FIXME: when buildah issue 3544 gets fixed and vendored,
-        # change 'echo' to 'die'
-        echo "podman build did not get killed within 10 seconds (actual time: $delta_t seconds)"
+        die "podman build did not get killed within 10 seconds (actual time: $delta_t seconds)"
     fi
 
     run_podman ps -a |