8 files changed, 106 insertions, 81 deletions
diff --git a/.cirrus.yml b/.cirrus.yml
index 75f095fe0..b23ec1a90 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -87,6 +87,7 @@ ext_svc_check_task:
 automation_task:
     alias: 'automation'
     name: "Check Automation"
+    skip: &branch "$CIRRUS_PR == '' || $CIRRUS_TAG != ''" # Don't run for branches
     container: *smallcontainer
     env:
         TEST_FLAVOR: automation
@@ -231,6 +232,7 @@ validate_task:
 bindings_task:
     name: "Test Bindings"
     alias: bindings
+    skip: *branch
     depends_on:
         - build
     gce_instance: *standardvm
@@ -419,6 +421,7 @@ local_integration_test_task: &local_integration_test_task
     # Integration-test task name convention:
     # <int.|sys.> <podman|remote> <Distro NV> <root|rootless>
     name: &std_name_fmt "$TEST_FLAVOR $PODBIN_NAME $DISTRO_NV $PRIV_NAME $TEST_ENVIRON"
+    skip: *branch
     alias: local_integration_test
     depends_on:
         - unit_test
@@ -456,6 +459,7 @@ remote_integration_test_task:
 container_integration_test_task:
     name: *std_name_fmt
     alias: container_integration_test
+    skip: *branch
     depends_on:
         - unit_test
     matrix: &fedora_vm_axis
@@ -484,6 +488,7 @@ container_integration_test_task:
 rootless_integration_test_task:
     name: *std_name_fmt
     alias: rootless_integration_test
+    skip: *branch
     depends_on:
         - unit_test
     matrix: *fedora_vm_axis
diff --git a/contrib/cirrus/logformatter b/contrib/cirrus/logformatter
index 2ab8aa117..0cbd1f34b 100755
--- a/contrib/cirrus/logformatter
+++ b/contrib/cirrus/logformatter
@@ -517,25 +517,20 @@ END_SYNOPSIS
     }
 
     # eg "test fedora", "special_testing_rootless"
+    # WARNING: As of 2020-10-05, $CIRRUS_TASK_NAME reflects the same
+    # descriptive content as our $subtest_name argument (confirm via
+    # cross-checking runner.sh:logformatter() vs cirrus.yml:&std_name_fmt).
+    # If this ever becomes untrue, just add _tr("Subtest", $subtest_name).
     my $test_name = _env_replace("{CIRRUS_TASK_NAME}");
-    if (my $rcli = $ENV{RCLI}) {
-        $test_name .= " [remote]" if $rcli eq 'true';
-    }
-    else {
-        $test_name .= " [no RCLI; cannot determine remote/local]";
-    }
+    # (Special-case cleanup: Cirrus\ quotes\ spaces; remove for readability).
+    $test_name =~ s/\\\s+/ /g;
     $s .= _tr("Test name", $test_name);
 
-    # Subtest, e.g. system_test
-    $s .= _tr("Subtest", $subtest_name);
-
     # Link to further Cirrus results, e.g. other runs.
     # Build is mostly boring, it's usually TASK that we want to see.
-    $s .= _tr("Cirrus Build ID", "<small>" . _a("{CIRRUS_BUILD_ID}", "https://cirrus-ci.com/build/{CIRRUS_BUILD_ID}") . "</small>");
-    $s .= _tr("Cirrus <b>Task</b> ID", _a("{CIRRUS_TASK_ID}", "https://cirrus-ci.com/task/{CIRRUS_TASK_ID}"));
-
-    # "none", "rootless"
-    $s .= _tr("Special mode", _env_replace("{SPECIALMODE}"));
+    $s .= _tr("Cirrus", sprintf("<small>Build %s</small> / <b>Task %s</b>",
+                                _a("{CIRRUS_BUILD_ID}", "https://cirrus-ci.com/build/{CIRRUS_BUILD_ID}"),
+                                _a("{CIRRUS_TASK_ID}", "https://cirrus-ci.com/task/{CIRRUS_TASK_ID}")));
 
     $s .= "</table>\n";
     return $s;
diff --git a/contrib/cirrus/runner.sh b/contrib/cirrus/runner.sh
index 17bb05019..13fab447c 100755
--- a/contrib/cirrus/runner.sh
+++ b/contrib/cirrus/runner.sh
@@ -102,7 +102,7 @@ altbuild() {
     esac
 }
 
-integration_outputfilter() {
+logformatter() {
     # Use similar format as human-friendly task name from .cirrus.yml
     # shellcheck disable=SC2154
     output_name="$TEST_FLAVOR-$PODBIN_NAME-$DISTRO_NV-$PRIV_NAME-$TEST_ENVIRON"
@@ -134,10 +134,11 @@ dotest() {
         # does not return
     fi
 
-    output_filter="cat"  # no filter
-    if [[ "$testsuite" == "integration" ]]; then
-        output_filter=integration_outputfilter
-    fi
+    # 'logformatter' script makes test logs readable; only works for some tests
+    case "$testsuite" in
+        integration|system)  output_filter=logformatter ;;
+        *)                   output_filter="cat"        ;;
+    esac
 
     # containers/automation sets this to 0 for it's dbg() function
     # but the e2e integration tests are also sensitive to it.
@@ -210,7 +211,8 @@ case "$TEST_FLAVOR" in
     bindings)
         # shellcheck disable=SC2155
         export PATH=$PATH:$GOSRC/hack
-        cd pkg/bindings/test && ginkgo -trace -noColor -debug  -r
+        # Subshell needed for .cirrus.yml to find logformatter output in cwd
+        (cd pkg/bindings/test && ginkgo -trace -noColor -debug  -r) |& logformatter
         ;;
     endpoint)
         make test-binaries
diff --git a/pkg/api/handlers/compat/containers_attach.go b/pkg/api/handlers/compat/containers_attach.go
index 4a1196c89..a4013469b 100644
--- a/pkg/api/handlers/compat/containers_attach.go
+++ b/pkg/api/handlers/compat/containers_attach.go
@@ -92,30 +92,29 @@ func AttachContainer(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	idleTracker := r.Context().Value("idletracker").(*idle.Tracker)
-	hijackChan := make(chan bool, 1)
+	logErr := func(e error) {
+		logrus.Error(errors.Wrapf(e, "error attaching to container %s", ctr.ID()))
+	}
 
 	// Perform HTTP attach.
 	// HTTPAttach will handle everything about the connection from here on
 	// (including closing it and writing errors to it).
-	if err := ctr.HTTPAttach(r, w, streams, detachKeys, nil, query.Stream, query.Logs, hijackChan); err != nil {
-		hijackComplete := <-hijackChan
+	hijackChan := make(chan bool, 1)
+	err = ctr.HTTPAttach(r, w, streams, detachKeys, nil, query.Stream, query.Logs, hijackChan)
 
-		// We can't really do anything about errors anymore. HTTPAttach
-		// should be writing them to the connection.
-		logrus.Errorf("Error attaching to container %s: %v", ctr.ID(), err)
+	if <-hijackChan {
+		// If connection was Hijacked, we have to signal it's being closed
+		t := r.Context().Value("idletracker").(*idle.Tracker)
+		defer t.Close()
 
-		if hijackComplete {
-			// We do need to tell the idle tracker that the
-			// connection has been closed, though. We can guarantee
-			// that is true after HTTPAttach exits.
-			idleTracker.Close()
-		} else {
-			// A hijack was not successfully completed. We need to
-			// report the error normally.
-			utils.InternalServerError(w, err)
+		if err != nil {
+			// Cannot report error to client as a 500 as the Upgrade set status to 101
+			logErr(err)
 		}
+	} else {
+		// If the Hijack failed we are going to assume we can still inform client of failure
+		utils.InternalServerError(w, err)
+		logErr(err)
 	}
-
 	logrus.Debugf("Attach for container %s completed successfully", ctr.ID())
 }
diff --git a/pkg/api/handlers/compat/exec.go b/pkg/api/handlers/compat/exec.go
index df51293c2..cc5db8efe 100644
--- a/pkg/api/handlers/compat/exec.go
+++ b/pkg/api/handlers/compat/exec.go
@@ -174,25 +174,26 @@ func ExecStartHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	idleTracker := r.Context().Value("idletracker").(*idle.Tracker)
-	hijackChan := make(chan bool, 1)
+	logErr := func(e error) {
+		logrus.Error(errors.Wrapf(e, "error attaching to container %s exec session %s", sessionCtr.ID(), sessionID))
+	}
 
-	if err := sessionCtr.ExecHTTPStartAndAttach(sessionID, r, w, nil, nil, nil, hijackChan); err != nil {
-		hijackComplete := <-hijackChan
+	hijackChan := make(chan bool, 1)
+	err = sessionCtr.ExecHTTPStartAndAttach(sessionID, r, w, nil, nil, nil, hijackChan)
 
-		logrus.Errorf("Error attaching to container %s exec session %s: %v", sessionCtr.ID(), sessionID, err)
+	if <-hijackChan {
+		// If connection was Hijacked, we have to signal it's being closed
+		t := r.Context().Value("idletracker").(*idle.Tracker)
+		defer t.Close()
 
-		if hijackComplete {
-			// We do need to tell the idle tracker that the
-			// connection has been closed, though. We can guarantee
-			// that is true after HTTPAttach exits.
-			idleTracker.Close()
-		} else {
-			// A hijack was not successfully completed. We need to
-			// report the error normally.
-			utils.InternalServerError(w, err)
+		if err != nil {
+			// Cannot report error to client as a 500 as the Upgrade set status to 101
+			logErr(err)
 		}
+	} else {
+		// If the Hijack failed we are going to assume we can still inform client of failure
+		utils.InternalServerError(w, err)
+		logErr(err)
 	}
-
 	logrus.Debugf("Attach for container %s exec session %s completed successfully", sessionCtr.ID(), sessionID)
 }
diff --git a/pkg/api/server/idle/tracker.go b/pkg/api/server/idle/tracker.go
index 1b378c492..50e41b7bf 100644
--- a/pkg/api/server/idle/tracker.go
+++ b/pkg/api/server/idle/tracker.go
@@ -61,10 +61,14 @@ func (t *Tracker) ConnState(conn net.Conn, state http.ConnState) {
 		oldActive := t.ActiveConnections()
 
 		// Either the server or a hijacking handler has closed the http connection to a client
-		if _, found := t.managed[conn]; found {
-			delete(t.managed, conn)
-		} else {
+		if conn == nil {
 			t.hijacked-- // guarded by t.mux above
+		} else {
+			if _, found := t.managed[conn]; found {
+				delete(t.managed, conn)
+			} else {
+				logrus.Warnf("IdleTracker %p: StateClosed transition by un-managed connection", conn)
+			}
 		}
 
 		// Transitioned from any "active" connection to no connections
diff --git a/pkg/api/server/server.go b/pkg/api/server/server.go
index 09a9f6370..355a46fb7 100644
--- a/pkg/api/server/server.go
+++ b/pkg/api/server/server.go
@@ -8,9 +8,9 @@ import (
 	"net/http"
 	"os"
 	"os/signal"
-	"runtime"
 	goRuntime "runtime"
 	"strings"
+	"sync"
 	"syscall"
 	"time"
 
@@ -42,13 +42,19 @@ const (
 	UnlimitedServiceDuration = 0 * time.Second
 )
 
+// shutdownOnce ensures Shutdown() may safely be called from several go routines
+var shutdownOnce sync.Once
+
 // NewServer will create and configure a new API server with all defaults
 func NewServer(runtime *libpod.Runtime) (*APIServer, error) {
 	return newServer(runtime, DefaultServiceDuration, nil)
 }
 
 // NewServerWithSettings will create and configure a new API server using provided settings
-func NewServerWithSettings(runtime *libpod.Runtime, duration time.Duration, listener *net.Listener) (*APIServer, error) {
+func NewServerWithSettings(runtime *libpod.Runtime, duration time.Duration, listener *net.Listener) (
+	*APIServer,
+	error,
+) {
 	return newServer(runtime, duration, listener)
 }
 
@@ -180,7 +186,7 @@ func (s *APIServer) Serve() error {
 
 	go func() {
 		<-s.idleTracker.Done()
-		logrus.Debugf("API Server idle for %v", s.idleTracker.Duration)
+		logrus.Debugf("API Server idle for %s", s.idleTracker.Duration.Round(time.Second).String())
 		_ = s.Shutdown()
 	}()
 
@@ -224,31 +230,43 @@ func (s *APIServer) Serve() error {
 // Shutdown is a clean shutdown waiting on existing clients
 func (s *APIServer) Shutdown() error {
 	if s.idleTracker.Duration == UnlimitedServiceDuration {
-		logrus.Debug("APIServer.Shutdown ignored as Duration is UnlimitedService.")
+		logrus.Debug("APIServer.Shutdown ignored as Duration is UnlimitedService")
 		return nil
 	}
 
-	// Gracefully shutdown server(s), duration of wait same as idle window
-	// TODO: Should we really wait the idle window for shutdown?
-	ctx, cancel := context.WithTimeout(context.Background(), s.idleTracker.Duration)
-	defer cancel()
+	shutdownOnce.Do(func() {
+		if logrus.IsLevelEnabled(logrus.DebugLevel) {
+			_, file, line, _ := goRuntime.Caller(1)
+			logrus.Debugf("APIServer.Shutdown by %s:%d, %d/%d connection(s)",
+				file, line, s.idleTracker.ActiveConnections(), s.idleTracker.TotalConnections())
 
-	if logrus.IsLevelEnabled(logrus.DebugLevel) {
-		_, file, line, _ := runtime.Caller(1)
-		logrus.Debugf("APIServer.Shutdown by %s:%d, %d/%d connection(s)",
-			file, line, s.idleTracker.ActiveConnections(), s.idleTracker.TotalConnections())
-		if err := s.pprof.Shutdown(ctx); err != nil {
-			logrus.Warn("Failed to cleanly shutdown pprof Server: " + err.Error())
+			go func() {
+				ctx, cancel := context.WithTimeout(context.Background(), s.idleTracker.Duration)
+				go func() {
+					defer cancel()
+					if err := s.pprof.Shutdown(ctx); err != nil {
+						logrus.Warn(
+							errors.Wrapf(err, "failed to cleanly shutdown pprof Server"))
+					}
+				}()
+				<-ctx.Done()
+			}()
 		}
-	}
 
-	go func() {
-		err := s.Server.Shutdown(ctx)
-		if err != nil && err != context.Canceled && err != http.ErrServerClosed {
-			logrus.Error("Failed to cleanly shutdown APIServer: " + err.Error())
-		}
-	}()
-	<-ctx.Done()
+		// Gracefully shutdown server(s), duration of wait same as idle window
+		ctx, cancel := context.WithTimeout(context.Background(), s.idleTracker.Duration)
+		go func() {
+			defer cancel()
+
+			err := s.Server.Shutdown(ctx)
+			if err != nil && err != context.Canceled && err != http.ErrServerClosed {
+				logrus.Error(
+					errors.Wrapf(err, "failed to cleanly shutdown APIServer"))
+			}
+		}()
+		<-ctx.Done()
+	})
+
 	return nil
 }
 
diff --git a/pkg/util/utils_linux.go b/pkg/util/utils_linux.go
index 29b16f765..e4957f442 100644
--- a/pkg/util/utils_linux.go
+++ b/pkg/util/utils_linux.go
@@ -60,11 +60,12 @@ func CheckRootlessUIDRange(uid int) error {
 	if err != nil {
 		return err
 	}
+	total := 0
 	for _, u := range uids {
-		// add 1 since we also map in the user's own UID
-		if uid > u.Size+1 {
-			return errors.Errorf("requested user's UID %d is too large for the rootless user namespace", uid)
-		}
+		total += u.Size
+	}
+	if uid > total {
+		return errors.Errorf("requested user's UID %d is too large for the rootless user namespace", uid)
 	}
 	return nil
 }