-rwxr-xr-xcontrib/cirrus/runner.sh19
-rw-r--r--contrib/podmanremoteimage/Containerfile10
-rw-r--r--contrib/podmanremoteimage/README.md25
-rw-r--r--docs/source/markdown/.gitignore1
-rw-r--r--docs/source/markdown/options/env.md5
-rw-r--r--docs/source/markdown/options/sig-proxy.md3
-rw-r--r--docs/source/markdown/podman-attach.1.md.in (renamed from docs/source/markdown/podman-attach.1.md)3
-rw-r--r--docs/source/markdown/podman-create.1.md.in6
-rw-r--r--docs/source/markdown/podman-exec.1.md.in6
-rw-r--r--docs/source/markdown/podman-machine-list.1.md2
-rw-r--r--docs/source/markdown/podman-run.1.md.in10
-rw-r--r--docs/source/markdown/podman-start.1.md.in4
-rw-r--r--docs/source/markdown/podman-system-service.1.md2
-rwxr-xr-xhack/libsubid_tag.sh2
-rwxr-xr-xhack/xref-helpmsgs-manpages9
-rw-r--r--pkg/api/server/server.go1
-rw-r--r--pkg/domain/infra/abi/play.go22
-rw-r--r--pkg/systemd/notifyproxy/notifyproxy.go98
18 files changed, 165 insertions, 63 deletions
diff --git a/contrib/cirrus/runner.sh b/contrib/cirrus/runner.sh
index 6b2d123f2..5b1bc8d5c 100755
--- a/contrib/cirrus/runner.sh
+++ b/contrib/cirrus/runner.sh
@@ -233,6 +233,25 @@ function _run_consistency() {
SUGGESTION="run 'make generate-bindings' and commit all changes" ./hack/tree_status.sh
make completions
SUGGESTION="run 'make completions' and commit all changes" ./hack/tree_status.sh
+
+ if [[ -z "$CIRRUS_TAG" ]] && \
+ req_env_vars CIRRUS_CHANGE_IN_REPO CIRRUS_PR DEST_BRANCH
+ then
+ local base diffs regex i
+ # Prevent this check from detecting itself
+ i=i
+ msg "#####"
+ msg "Verifying no change adds new calls to ${i}o/${i}outil."
+ base=$(git merge-base $DEST_BRANCH $CIRRUS_CHANGE_IN_REPO)
+ diffs=$(git diff $base $CIRRUS_CHANGE_IN_REPO -- '*.go' ':^vendor/')
+ regex=$(echo -e "^(\\+.+${i}o/${i}outil)|(\\+.+${i}outil\\..+)")
+ if egrep -q "$regex"<<<"$diffs"; then
+ die "Found attempted use of deprecated ${i}outils:
+$(egrep -B 5 -A 5 "$regex"<<<"$diffs")"
+ fi
+ else
+ msg "Skipping check for ${i}o/${i}outil addition."
+ fi
}
function _run_build() {
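Review bot: In the `else` branch, `msg "Skipping check for ${i}o/${i}outil addition."` expands `${i}` although `local base diffs regex i` and `i=i` only run inside the `then` branch, so the skip message loses the letter (or picks up an unrelated global `i`); move those two lines above the `if`. The result of `base=$(git merge-base $DEST_BRANCH $CIRRUS_CHANGE_IN_REPO)` is not checked, and unless the script runs under `set -e` an empty `$base` would make the unquoted `git diff $base ...` compare a different range, so the guard could pass without looking at the change; quote the variables and add `[[ -n "$base" ]] || die "no merge base for $DEST_BRANCH"`. In the regex the `^` binds only to the first alternative, so the second one also matches context lines that contain a `+`; grouping both as `^\\+.*(...|...)` would keep the match on added lines. `_run_consistency` begins above the hunk.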
diff --git a/contrib/podmanremoteimage/Containerfile b/contrib/podmanremoteimage/Containerfile
new file mode 100644
index 000000000..aa24b3956
--- /dev/null
+++ b/contrib/podmanremoteimage/Containerfile
@@ -0,0 +1,10 @@
+FROM registry.access.redhat.com/ubi8/go-toolset:latest AS builder
+WORKDIR /opt/app-root/src
+COPY . .
+RUN make podman-remote-static
+RUN GOOS=windows make podman-remote
+RUN GOOS=darwin make podman-remote
+
+FROM scratch
+COPY --from=builder /opt/app-root/src/bin .
+ENTRYPOINT ["/podman-remote-static"]
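Review bot: The builder stage on the first line pulls `registry.access.redhat.com/ubi8/go-toolset:latest`, a floating tag, so the Go toolchain that produces the distributed binaries can change between builds without any change in this repository. Pin the base by version tag or digest, e.g. `FROM registry.access.redhat.com/ubi8/go-toolset@sha256:<PINNED_DIGEST> AS builder` (placeholder digest), and update it deliberately. `COPY . .` also sends the whole build context into the builder, so a `.containerignore` that excludes local credentials and build output is worth adding alongside this file.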
diff --git a/contrib/podmanremoteimage/README.md b/contrib/podmanremoteimage/README.md
new file mode 100644
index 000000000..e43df9c64
--- /dev/null
+++ b/contrib/podmanremoteimage/README.md
@@ -0,0 +1,25 @@
+podman-remote-images
+====================
+
+Overview
+--------
+
+This directory contains the containerfile for creating a container image which consist podman-remote binary
+for each platform (win/linux/mac).
+
+Users can copy those binaries onto the specific platforms using following instructions
+
+- For Windows binary
+```bash
+$ podman cp $(podman create --name remote-temp quay.io/containers/podman-remote-artifacts:latest):/windows/podman.exe . && podman rm remote-temp
+```
+
+- For Linux binary
+```bash
+$ podman cp $(podman create --name remote-temp quay.io/containers/podman-remote-artifacts:latest):/podman-remote-static . && podman rm remote-temp
+```
+
+- For Mac binary
+```bash
+$ podman cp $(podman create --name remote-temp quay.io/containers/podman-remote-artifacts:latest):/darwin/podman . && podman rm remote-temp
+```
diff --git a/docs/source/markdown/.gitignore b/docs/source/markdown/.gitignore
index af4c5360b..57a64e1c1 100644
--- a/docs/source/markdown/.gitignore
+++ b/docs/source/markdown/.gitignore
@@ -1,3 +1,4 @@
+podman-attach.1.md
podman-auto-update.1.md
podman-build.1.md
podman-container-clone.1.md
diff --git a/docs/source/markdown/options/env.md b/docs/source/markdown/options/env.md
new file mode 100644
index 000000000..ace25138e
--- /dev/null
+++ b/docs/source/markdown/options/env.md
@@ -0,0 +1,5 @@
+#### **--env**, **-e**=*env*
+
+Set environment variables.
+
+This option allows arbitrary environment variables that are available for the process to be launched inside of the container. If an environment variable is specified without a value, Podman will check the host environment for a value and set the variable only if it is set on the host. As a special case, if an environment variable ending in __*__ is specified without a value, Podman will search the host environment for variables starting with the prefix and will add those variables to the container.
diff --git a/docs/source/markdown/options/sig-proxy.md b/docs/source/markdown/options/sig-proxy.md
new file mode 100644
index 000000000..bb940aed3
--- /dev/null
+++ b/docs/source/markdown/options/sig-proxy.md
@@ -0,0 +1,3 @@
+#### **--sig-proxy**
+
+Proxy received signals to the container process (non-TTY mode only). SIGCHLD, SIGSTOP, and SIGKILL are not proxied.
diff --git a/docs/source/markdown/podman-attach.1.md b/docs/source/markdown/podman-attach.1.md.in
index c073fccf8..427f764dc 100644
--- a/docs/source/markdown/podman-attach.1.md
+++ b/docs/source/markdown/podman-attach.1.md.in
@@ -28,9 +28,8 @@ The default is **false**.\
Do not attach STDIN. The default is **false**.
-#### **--sig-proxy**
+@@option sig-proxy
-Proxy received signals to the process (non-TTY mode only). SIGCHLD, SIGSTOP, and SIGKILL are not proxied.\
The default is **true**.
## EXAMPLES
diff --git a/docs/source/markdown/podman-create.1.md.in b/docs/source/markdown/podman-create.1.md.in
index 742a32b5a..e182e289c 100644
--- a/docs/source/markdown/podman-create.1.md.in
+++ b/docs/source/markdown/podman-create.1.md.in
@@ -151,11 +151,7 @@ This option cannot be combined with **--network** that is set to **none** or **c
@@option entrypoint
-#### **--env**, **-e**=*env*
-
-Set environment variables
-
-This option allows arbitrary environment variables that are available for the process to be launched inside of the container. If an environment variable is specified without a value, Podman will check the host environment for a value and set the variable only if it is set on the host. As a special case, if an environment variable ending in __*__ is specified without a value, Podman will search the host environment for variables starting with the prefix and will add those variables to the container.
+@@option env
See [**Environment**](#environment) note below for precedence and examples.
diff --git a/docs/source/markdown/podman-exec.1.md.in b/docs/source/markdown/podman-exec.1.md.in
index 8198c319e..6ddf6d3ff 100644
--- a/docs/source/markdown/podman-exec.1.md.in
+++ b/docs/source/markdown/podman-exec.1.md.in
@@ -21,11 +21,7 @@ Start the exec session, but do not attach to it. The command will run in the bac
Specify the key sequence for detaching a container. Format is a single character `[a-Z]` or one or more `ctrl-<value>` characters where `<value>` is one of: `a-z`, `@`, `^`, `[`, `,` or `_`. Specifying "" will disable this feature. The default is *ctrl-p,ctrl-q*.
-#### **--env**, **-e**=*env*
-
-Set environment variables.
-
-This option allows arbitrary environment variables that are available for the process to be launched inside of the container. If an environment variable is specified without a value, Podman will check the host environment for a value and set the variable only if it is set on the host. As a special case, if an environment variable ending in __*__ is specified without a value, Podman will search the host environment for variables starting with the prefix and will add those variables to the container.
+@@option env
#### **--env-file**=*file*
diff --git a/docs/source/markdown/podman-machine-list.1.md b/docs/source/markdown/podman-machine-list.1.md
index 351e8cf1b..0c929dcdc 100644
--- a/docs/source/markdown/podman-machine-list.1.md
+++ b/docs/source/markdown/podman-machine-list.1.md
@@ -1,4 +1,4 @@
-% podman-machine-ls 1
+% podman-machine-list 1
## NAME
podman\-machine\-list - List virtual machines
diff --git a/docs/source/markdown/podman-run.1.md.in b/docs/source/markdown/podman-run.1.md.in
index 2109a0e33..a50b82d2a 100644
--- a/docs/source/markdown/podman-run.1.md.in
+++ b/docs/source/markdown/podman-run.1.md.in
@@ -187,11 +187,7 @@ This option cannot be combined with **--network** that is set to **none** or **c
@@option entrypoint
-#### **--env**, **-e**=*env*
-
-Set environment variables.
-
-This option allows arbitrary environment variables that are available for the process to be launched inside of the container. If an environment variable is specified without a value, Podman will check the host environment for a value and set the variable only if it is set on the host. As a special case, if an environment variable ending in __*__ is specified without a value, Podman will search the host environment for variables starting with the prefix and will add those variables to the container.
+@@option env
See [**Environment**](#environment) note below for precedence and examples.
@@ -439,9 +435,9 @@ Note: Labeling can be disabled for all containers by setting **label=false** in
@@option shm-size
-#### **--sig-proxy**
+@@option sig-proxy
-Sets whether the signals sent to the **podman run** command are proxied to the container process. SIGCHLD, SIGSTOP, and SIGKILL are not proxied. The default is **true**.
+The default is **true**.
@@option stop-signal
diff --git a/docs/source/markdown/podman-start.1.md.in b/docs/source/markdown/podman-start.1.md.in
index 6fa41018b..a1ccc4120 100644
--- a/docs/source/markdown/podman-start.1.md.in
+++ b/docs/source/markdown/podman-start.1.md.in
@@ -60,9 +60,9 @@ Valid filters are listed below:
Instead of providing the container name or ID, use the last created container. If you use methods other than Podman
to run containers such as CRI-O, the last started container could be from either of those methods. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines)
-#### **--sig-proxy**
+@@option sig-proxy
-Proxy received signals to the process (non-TTY mode only). SIGCHLD, SIGSTOP, and SIGKILL are not proxied. The default is *true* when attaching, *false* otherwise.
+The default is **true** when attaching, **false** otherwise.
## EXAMPLE
diff --git a/docs/source/markdown/podman-system-service.1.md b/docs/source/markdown/podman-system-service.1.md
index 2ec48aeb4..2293dea0a 100644
--- a/docs/source/markdown/podman-system-service.1.md
+++ b/docs/source/markdown/podman-system-service.1.md
@@ -1,4 +1,4 @@
-% podman-service 1
+% podman-system-service 1
## NAME
podman\-system\-service - Run an API service
diff --git a/hack/libsubid_tag.sh b/hack/libsubid_tag.sh
index 31412b3e6..137826484 100755
--- a/hack/libsubid_tag.sh
+++ b/hack/libsubid_tag.sh
@@ -5,7 +5,7 @@ fi
tmpdir="$PWD/tmp.$RANDOM"
mkdir -p "$tmpdir"
trap 'rm -fr "$tmpdir"' EXIT
-cc -o "$tmpdir"/libsubid_tag -l subid -x c - > /dev/null 2> /dev/null << EOF
+cc -o "$tmpdir"/libsubid_tag -x c - -l subid > /dev/null 2> /dev/null << EOF
#include <shadow/subid.h>
#include <stdio.h>
#include <stdlib.h>
diff --git a/hack/xref-helpmsgs-manpages b/hack/xref-helpmsgs-manpages
index de9ef8630..fbf2deb22 100755
--- a/hack/xref-helpmsgs-manpages
+++ b/hack/xref-helpmsgs-manpages
@@ -292,6 +292,15 @@ sub podman_man {
chomp $line;
next unless $line; # skip empty lines
+ # First line (page title) must match the command name.
+ if ($line =~ /^%\s+/) {
+ my $expect = "% $command 1";
+ if ($line ne $expect) {
+ warn "$ME: $subpath:$.: wrong title line '$line'; should be '$expect'\n";
+ ++$Errs;
+ }
+ }
+
# .md files designate sections with leading double hash
if ($line =~ /^##\s*(GLOBAL\s+)?OPTIONS/) {
$section = 'flags';
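Review bot: The comment says the first line must be the title, but `if ($line =~ /^%\s+/)` is evaluated for every non-empty line and only fires when a `%` line exists, so a page whose title line is missing, or not first, passes without a warning. Tracking whether a title was seen and reporting after the loop when it was not would close that gap. The expected string hard-codes section `1` in `"% $command 1"`; a short comment stating that only section-1 pages reach this function would make that assumption explicit. The loop body continues past the end of the hunk.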
diff --git a/pkg/api/server/server.go b/pkg/api/server/server.go
index 39423dabe..14446e6b5 100644
--- a/pkg/api/server/server.go
+++ b/pkg/api/server/server.go
@@ -69,7 +69,6 @@ func newServer(runtime *libpod.Runtime, listener net.Listener, opts entities.Ser
logrus.Debugf("CORS Headers were set to %q", opts.CorsHeaders)
}
- logrus.Infof("API service listening on %q", listener.Addr())
router := mux.NewRouter().UseEncodedPath()
tracker := idle.NewTracker(opts.Timeout)
diff --git a/pkg/domain/infra/abi/play.go b/pkg/domain/infra/abi/play.go
index 847e81e69..bd9117f72 100644
--- a/pkg/domain/infra/abi/play.go
+++ b/pkg/domain/infra/abi/play.go
@@ -10,6 +10,7 @@ import (
"path/filepath"
"strconv"
"strings"
+ "sync"
buildahDefine "github.com/containers/buildah/define"
"github.com/containers/common/libimage"
@@ -698,9 +699,24 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY
fmt.Println(playKubePod.ContainerErrors)
}
- // Wait for each proxy to receive a READY message.
- for _, proxy := range sdNotifyProxies {
- if err := proxy.WaitAndClose(); err != nil {
+ // Wait for each proxy to receive a READY message. Use a wait
+ // group to prevent the potential for ABBA kinds of deadlocks.
+ var wg sync.WaitGroup
+ errors := make([]error, len(sdNotifyProxies))
+ for i := range sdNotifyProxies {
+ wg.Add(1)
+ go func(i int) {
+ err := sdNotifyProxies[i].WaitAndClose()
+ if err != nil {
+ err = fmt.Errorf("waiting for sd-notify proxy: %w", err)
+ }
+ errors[i] = err
+ wg.Done()
+ }(i)
+ }
+ wg.Wait()
+ for _, err := range errors {
+ if err != nil {
return nil, err
}
}
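Review bot: The slice declared as `errors := make([]error, len(sdNotifyProxies))` shadows the standard `errors` package for the rest of `playKubePod` if this file imports it (the import block is only partly visible here); a name such as `proxyErrs` avoids the trap. `wg.Done()` is the last statement of the goroutine rather than `defer wg.Done()` at its top, which is the usual form and stays correct if an early return is added later. Only the first non-nil entry is returned, so failures from the other proxies are dropped silently; logging them before returning would help diagnosis. `playKubePod` starts and ends outside the hunk.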
diff --git a/pkg/systemd/notifyproxy/notifyproxy.go b/pkg/systemd/notifyproxy/notifyproxy.go
index ea1522bb3..4b92d9e6c 100644
--- a/pkg/systemd/notifyproxy/notifyproxy.go
+++ b/pkg/systemd/notifyproxy/notifyproxy.go
@@ -1,6 +1,7 @@
package notifyproxy
import (
+ "context"
"errors"
"fmt"
"io"
@@ -109,48 +110,75 @@ func (p *NotifyProxy) WaitAndClose() error {
}
}()
- const bufferSize = 1024
- sBuilder := strings.Builder{}
- for {
- // Set a read deadline of one second such that we achieve a
- // non-blocking read and can check if the container has already
- // stopped running; in that case no READY message will be send
- // and we're done.
- if err := p.connection.SetReadDeadline(time.Now().Add(time.Second)); err != nil {
- return err
- }
-
+ // Since reading from the connection is blocking, we need to spin up two
+ // goroutines. One waiting for the `READY` message, the other waiting
+ // for the container to stop running.
+ errorChan := make(chan error, 1)
+ readyChan := make(chan bool, 1)
+
+ go func() {
+ // Read until the `READY` message is received or the connection
+ // is closed.
+ const bufferSize = 1024
+ sBuilder := strings.Builder{}
for {
- buffer := make([]byte, bufferSize)
- num, err := p.connection.Read(buffer)
- if err != nil {
- if !errors.Is(err, os.ErrDeadlineExceeded) && !errors.Is(err, io.EOF) {
- return err
+ for {
+ buffer := make([]byte, bufferSize)
+ num, err := p.connection.Read(buffer)
+ if err != nil {
+ if !errors.Is(err, io.EOF) {
+ errorChan <- err
+ return
+ }
+ }
+ sBuilder.Write(buffer[:num])
+ if num != bufferSize || buffer[num-1] == '\n' {
+ // Break as we read an entire line that
+ // we can inspect for the `READY`
+ // message.
+ break
}
}
- sBuilder.Write(buffer[:num])
- if num != bufferSize || buffer[num-1] == '\n' {
- break
- }
- }
- for _, line := range strings.Split(sBuilder.String(), "\n") {
- if line == daemon.SdNotifyReady {
- return nil
+ for _, line := range strings.Split(sBuilder.String(), "\n") {
+ if line == daemon.SdNotifyReady {
+ readyChan <- true
+ return
+ }
}
+ sBuilder.Reset()
}
- sBuilder.Reset()
+ }()
- if p.container == nil {
- continue
- }
+ if p.container != nil {
+ // Create a cancellable context to make sure the goroutine
+ // below terminates.
+ ctx, cancel := context.WithCancel(context.Background())
+ defer cancel()
+ go func() {
+ select {
+ case <-ctx.Done():
+ return
+ default:
+ state, err := p.container.State()
+ if err != nil {
+ errorChan <- err
+ return
+ }
+ if state != define.ContainerStateRunning {
+ errorChan <- fmt.Errorf("%w: %s", ErrNoReadyMessage, p.container.ID())
+ return
+ }
+ time.Sleep(time.Second)
+ }
+ }()
+ }
- state, err := p.container.State()
- if err != nil {
- return err
- }
- if state != define.ContainerStateRunning {
- return fmt.Errorf("%w: %s", ErrNoReadyMessage, p.container.ID())
- }
+ // Wait for the ready/error channel.
+ select {
+ case <-readyChan:
+ return nil
+ case err := <-errorChan:
+ return err
}
}
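Review bot: The state-polling goroutine under `if p.container != nil` has a `select` with a `default` branch but no enclosing `for`, so it calls `p.container.State()` once, sleeps one second and exits; a container that stops later without sending READY is never noticed, and `WaitAndClose` then blocks on the final `select` with no timeout. Putting the check in a loop that waits on a ticker and on `ctx.Done()` restores the periodic polling the removed code performed and lets cancellation take effect without waiting out a sleep. In the reader goroutine an `io.EOF` from `p.connection.Read` is neither reported nor ends the loop, so the read would be retried immediately; returning on EOF (with an error on `errorChan`) would avoid a spin. `WaitAndClose` begins above the hunk.

```go
	if p.container != nil {
		ctx, cancel := context.WithCancel(context.Background())
		defer cancel()
		go func() {
			ticker := time.NewTicker(time.Second)
			defer ticker.Stop()
			for {
				// … unchanged: p.container.State() check, errors sent on errorChan …
				select {
				case <-ctx.Done():
					return
				case <-ticker.C:
				}
			}
		}()
	}
```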