6 files changed, 275 insertions, 100 deletions
diff --git a/cmd/podman/common/create.go b/cmd/podman/common/create.go
index a0aed984c..7086dc839 100644
--- a/cmd/podman/common/create.go
+++ b/cmd/podman/common/create.go
@@ -3,7 +3,7 @@ package common
 import (
 	"fmt"
 
-	buildahcli "github.com/containers/buildah/pkg/cli"
+	"github.com/containers/common/pkg/auth"
 	"github.com/containers/libpod/cmd/podman/registry"
 	"github.com/spf13/pflag"
 )
@@ -26,7 +26,7 @@ func GetCreateFlags(cf *ContainerCLIOpts) *pflag.FlagSet {
 	)
 	createFlags.StringVar(
 		&cf.Authfile,
-		"authfile", buildahcli.GetDefaultAuthFile(),
+		"authfile", auth.GetDefaultAuthFile(),
 		"Path of the authentication file. Use REGISTRY_AUTH_FILE environment variable to override",
 	)
 	createFlags.StringVar(
@@ -49,9 +49,7 @@ func GetCreateFlags(cf *ContainerCLIOpts) *pflag.FlagSet {
 		"cap-drop", []string{},
 		"Drop capabilities from the container",
 	)
-	cgroupNS := ""
-	createFlags.StringVar(
-		&cgroupNS,
+	createFlags.String(
 		"cgroupns", containerConfig.CgroupNS(),
 		"cgroup namespace to use",
 	)
@@ -155,13 +153,10 @@ func GetCreateFlags(cf *ContainerCLIOpts) *pflag.FlagSet {
 		"device-write-iops", []string{},
 		"Limit write rate (IO per second) to a device (e.g. --device-write-iops=/dev/sda:1000)",
 	)
-	createFlags.StringVar(
-		&cf.Entrypoint,
-		"entrypoint", "",
+	createFlags.String("entrypoint", "",
 		"Overwrite the default ENTRYPOINT of the image",
 	)
-	createFlags.StringArrayVarP(
-		&cf.env,
+	createFlags.StringArrayP(
 		"env", "e", containerConfig.Env(),
 		"Set environment variables in container",
 	)
@@ -248,9 +243,7 @@ func GetCreateFlags(cf *ContainerCLIOpts) *pflag.FlagSet {
 		"interactive", "i", false,
 		"Keep STDIN open even if not attached",
 	)
-	ipcNS := ""
-	createFlags.StringVar(
-		&ipcNS,
+	createFlags.String(
 		"ipc", containerConfig.IPCNS(),
 		"IPC namespace to use",
 	)
@@ -331,9 +324,7 @@ func GetCreateFlags(cf *ContainerCLIOpts) *pflag.FlagSet {
 		"use `OS` instead of the running OS for choosing images",
 	)
 	// markFlagHidden(createFlags, "override-os")
-	pid := ""
-	createFlags.StringVar(
-		&pid,
+	createFlags.String(
 		"pid", containerConfig.PidNS(),
 		"PID namespace to use",
 	)
@@ -397,9 +388,7 @@ func GetCreateFlags(cf *ContainerCLIOpts) *pflag.FlagSet {
 		"security-opt", containerConfig.SecurityOptions(),
 		"Security Options",
 	)
-	shmSize := ""
-	createFlags.StringVar(
-		&shmSize,
+	createFlags.String(
 		"shm-size", containerConfig.ShmSize(),
 		"Size of /dev/shm "+sizeWithUnitFormat,
 	)
@@ -464,15 +453,11 @@ func GetCreateFlags(cf *ContainerCLIOpts) *pflag.FlagSet {
 		"user", "u", "",
 		"Username or UID (format: <name|uid>[:<group|gid>])",
 	)
-	userNS := ""
-	createFlags.StringVar(
-		&userNS,
+	createFlags.String(
 		"userns", containerConfig.Containers.UserNS,
 		"User namespace to use",
 	)
-	utsNS := ""
-	createFlags.StringVar(
-		&utsNS,
+	createFlags.String(
 		"uts", containerConfig.Containers.UTSNS,
 		"UTS namespace to use",
 	)
diff --git a/cmd/podman/common/create_opts.go b/cmd/podman/common/create_opts.go
index 2f08bb6a6..8b38e3b47 100644
--- a/cmd/podman/common/create_opts.go
+++ b/cmd/podman/common/create_opts.go
@@ -31,8 +31,8 @@ type ContainerCLIOpts struct {
 	DeviceReadIOPs    []string
 	DeviceWriteBPs    []string
 	DeviceWriteIOPs   []string
-	Entrypoint        string
-	env               []string
+	Entrypoint        *string
+	Env               []string
 	EnvHost           bool
 	EnvFile           []string
 	Expose            []string
diff --git a/cmd/podman/common/ports.go b/cmd/podman/common/ports.go
index a96bafabd..2092bbe53 100644
--- a/cmd/podman/common/ports.go
+++ b/cmd/podman/common/ports.go
@@ -9,10 +9,10 @@ func verifyExpose(expose []string) error {
 	// add the expose ports from the user (--expose)
 	// can be single or a range
 	for _, expose := range expose {
-		//support two formats for expose, original format <portnum>/[<proto>] or <startport-endport>/[<proto>]
+		// support two formats for expose, original format <portnum>/[<proto>] or <startport-endport>/[<proto>]
 		_, port := nat.SplitProtoPort(expose)
-		//parse the start and end port and create a sequence of ports to expose
-		//if expose a port, the start and end port are the same
+		// parse the start and end port and create a sequence of ports to expose
+		// if expose a port, the start and end port are the same
 		_, _, err := nat.ParsePortRange(port)
 		if err != nil {
 			return errors.Wrapf(err, "invalid range format for --expose: %s", expose)
diff --git a/cmd/podman/common/specgen.go b/cmd/podman/common/specgen.go
index f8c58f1a4..ff7c39de2 100644
--- a/cmd/podman/common/specgen.go
+++ b/cmd/podman/common/specgen.go
@@ -26,6 +26,16 @@ func getCPULimits(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string)
 	cpu := &specs.LinuxCPU{}
 	hasLimits := false
 
+	const cpuPeriod = 100000
+
+	if c.CPUS > 0 {
+		quota := int64(c.CPUS * cpuPeriod)
+		period := uint64(cpuPeriod)
+
+		cpu.Period = &period
+		cpu.Quota = &quota
+		hasLimits = true
+	}
 	if c.CPUShares > 0 {
 		cpu.Shares = &c.CPUShares
 		hasLimits = true
@@ -142,6 +152,10 @@ func getMemoryLimits(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []strin
 			return nil, errors.Wrapf(err, "invalid value for memory")
 		}
 		memory.Limit = &ml
+		if c.MemorySwap == "" {
+			limit := 2 * ml
+			memory.Swap = &(limit)
+		}
 		hasLimits = true
 	}
 	if m := c.MemoryReservation; len(m) > 0 {
@@ -192,7 +206,6 @@ func getMemoryLimits(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []strin
 func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string) error {
 	var (
 		err error
-		//namespaces map[string]string
 	)
 
 	// validate flags as needed
@@ -234,9 +247,15 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string
 	// We are not handling the Expose flag yet.
 	// s.PortsExpose = c.Expose
 	s.PortMappings = c.Net.PublishPorts
-	s.PublishImagePorts = c.PublishAll
+	s.PublishExposedPorts = c.PublishAll
 	s.Pod = c.Pod
 
+	expose, err := createExpose(c.Expose)
+	if err != nil {
+		return err
+	}
+	s.Expose = expose
+
 	for k, v := range map[string]*specgen.Namespace{
 		c.IPC:       &s.IpcNS,
 		c.PID:       &s.PidNS,
@@ -316,15 +335,12 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string
 		env = envLib.Join(env, fileEnv)
 	}
 
-	// env overrides any previous variables
-	if cmdLineEnv := c.env; len(cmdLineEnv) > 0 {
-		parsedEnv, err := envLib.ParseSlice(cmdLineEnv)
-		if err != nil {
-			return err
-		}
-		env = envLib.Join(env, parsedEnv)
+	parsedEnv, err := envLib.ParseSlice(c.Env)
+	if err != nil {
+		return err
 	}
-	s.Env = env
+
+	s.Env = envLib.Join(env, parsedEnv)
 
 	// LABEL VARIABLES
 	labels, err := parse.GetAllLabels(c.LabelFile, c.Label)
@@ -364,20 +380,20 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string
 	s.WorkDir = workDir
 	entrypoint := []string{}
 	userCommand := []string{}
-	if ep := c.Entrypoint; len(ep) > 0 {
-		// Check if entrypoint specified is json
-		if err := json.Unmarshal([]byte(c.Entrypoint), &entrypoint); err != nil {
-			entrypoint = append(entrypoint, ep)
+	if c.Entrypoint != nil {
+		if ep := *c.Entrypoint; len(ep) > 0 {
+			// Check if entrypoint specified is json
+			if err := json.Unmarshal([]byte(*c.Entrypoint), &entrypoint); err != nil {
+				entrypoint = append(entrypoint, ep)
+			}
 		}
+		s.Entrypoint = entrypoint
 	}
-
 	var command []string
 
-	s.Entrypoint = entrypoint
-
 	// Build the command
 	// If we have an entry point, it goes first
-	if len(entrypoint) > 0 {
+	if c.Entrypoint != nil {
 		command = entrypoint
 	}
 	if len(inputCommand) > 0 {
@@ -386,9 +402,12 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string
 		userCommand = append(userCommand, inputCommand...)
 	}
 
-	if len(inputCommand) > 0 {
+	switch {
+	case len(inputCommand) > 0:
 		s.Command = userCommand
-	} else {
+	case c.Entrypoint != nil:
+		s.Command = []string{}
+	default:
 		s.Command = command
 	}
 
@@ -400,6 +419,7 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string
 		}
 		s.ShmSize = &shmSize
 	}
+	s.CNINetworks = c.Net.CNINetworks
 	s.HostAdd = c.Net.AddHosts
 	s.UseImageResolvConf = c.Net.UseImageResolvConf
 	s.DNSServers = c.Net.DNSServers
@@ -481,11 +501,12 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string
 	s.CapDrop = c.CapDrop
 	s.Privileged = c.Privileged
 	s.ReadOnlyFilesystem = c.ReadOnly
+	s.ConmonPidFile = c.ConmonPIDFile
 
 	// TODO
 	// ouitside of specgen and oci though
 	// defaults to true, check spec/storage
-	//s.readon = c.ReadOnlyTmpFS
+	// s.readon = c.ReadOnlyTmpFS
 	//  TODO convert to map?
 	// check if key=value and convert
 	sysmap := make(map[string]string)
@@ -511,10 +532,13 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string
 			case "label":
 				// TODO selinux opts and label opts are the same thing
 				s.ContainerSecurityConfig.SelinuxOpts = append(s.ContainerSecurityConfig.SelinuxOpts, con[1])
+				s.Annotations[define.InspectAnnotationLabel] = con[1]
 			case "apparmor":
 				s.ContainerSecurityConfig.ApparmorProfile = con[1]
+				s.Annotations[define.InspectAnnotationApparmor] = con[1]
 			case "seccomp":
 				s.SeccompProfilePath = con[1]
+				s.Annotations[define.InspectAnnotationSeccomp] = con[1]
 			default:
 				return fmt.Errorf("invalid --security-opt 2: %q", opt)
 			}
@@ -528,7 +552,7 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string
 
 	// Only add read-only tmpfs mounts in case that we are read-only and the
 	// read-only tmpfs flag has been set.
-	mounts, volumes, err := parseVolumes(c.Volume, c.Mount, c.TmpFS, (c.ReadOnlyTmpFS && c.ReadOnly))
+	mounts, volumes, err := parseVolumes(c.Volume, c.Mount, c.TmpFS, c.ReadOnlyTmpFS && c.ReadOnly)
 	if err != nil {
 		return err
 	}
@@ -536,12 +560,12 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string
 	s.Volumes = volumes
 
 	// TODO any idea why this was done
-	//devices := rtc.Containers.Devices
+	// devices := rtc.Containers.Devices
 	// TODO conflict on populate?
 	//
-	//if c.Changed("device") {
+	// if c.Changed("device") {
 	//	devices = append(devices, c.StringSlice("device")...)
-	//}
+	// }
 
 	for _, dev := range c.Devices {
 		s.Devices = append(s.Devices, specs.LinuxDevice{Path: dev})
@@ -553,7 +577,7 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string
 	// initpath
 	s.Stdin = c.Interactive
 	// quiet
-	//DeviceCgroupRules: c.StringSlice("device-cgroup-rule"),
+	// DeviceCgroupRules: c.StringSlice("device-cgroup-rule"),
 
 	// Rlimits/Ulimits
 	for _, u := range c.Ulimit {
@@ -573,10 +597,10 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string
 		s.Rlimits = append(s.Rlimits, rl)
 	}
 
-	//Tmpfs:         c.StringArray("tmpfs"),
+	// Tmpfs:         c.StringArray("tmpfs"),
 
 	// TODO how to handle this?
-	//Syslog:        c.Bool("syslog"),
+	// Syslog:        c.Bool("syslog"),
 
 	logOpts := make(map[string]string)
 	for _, o := range c.LogOptions {
@@ -597,12 +621,34 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string
 	s.Name = c.Name
 
 	s.OOMScoreAdj = &c.OOMScoreAdj
-	s.RestartPolicy = c.Restart
+	if c.Restart != "" {
+		splitRestart := strings.Split(c.Restart, ":")
+		switch len(splitRestart) {
+		case 1:
+			// No retries specified
+		case 2:
+			if strings.ToLower(splitRestart[0]) != "on-failure" {
+				return errors.Errorf("restart policy retries can only be specified with on-failure restart policy")
+			}
+			retries, err := strconv.Atoi(splitRestart[1])
+			if err != nil {
+				return errors.Wrapf(err, "error parsing restart policy retry count")
+			}
+			if retries < 0 {
+				return errors.Errorf("must specify restart policy retry count as a number greater than 0")
+			}
+			var retriesUint uint = uint(retries)
+			s.RestartRetries = &retriesUint
+		default:
+			return errors.Errorf("invalid restart policy: may specify retries at most once")
+		}
+		s.RestartPolicy = splitRestart[0]
+	}
 	s.Remove = c.Rm
 	s.StopTimeout = &c.StopTimeout
 
 	// TODO where should we do this?
-	//func verifyContainerResources(config *cc.CreateConfig, update bool) ([]string, error) {
+	// func verifyContainerResources(config *cc.CreateConfig, update bool) ([]string, error) {
 	return nil
 }
 
diff --git a/cmd/podman/common/types.go b/cmd/podman/common/types.go
deleted file mode 100644
index 2427ae975..000000000
--- a/cmd/podman/common/types.go
+++ /dev/null
@@ -1,3 +0,0 @@
-package common
-
-var DefaultKernelNamespaces = "cgroup,ipc,net,uts"
diff --git a/cmd/podman/common/util.go b/cmd/podman/common/util.go
index 5b99b8398..a3626b4e4 100644
--- a/cmd/podman/common/util.go
+++ b/cmd/podman/common/util.go
@@ -1,54 +1,201 @@
 package common
 
 import (
-	"fmt"
+	"net"
 	"strconv"
+	"strings"
 
-	"github.com/spf13/cobra"
-
-	"github.com/cri-o/ocicni/pkg/ocicni"
-	"github.com/docker/go-connections/nat"
+	"github.com/containers/libpod/pkg/specgen"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 )
 
-// createPortBindings iterates ports mappings and exposed ports into a format CNI understands
-func createPortBindings(ports []string) ([]ocicni.PortMapping, error) {
-	// TODO wants someone to rewrite this code in the future
-	var portBindings []ocicni.PortMapping
-	// The conversion from []string to natBindings is temporary while mheon reworks the port
-	// deduplication code.  Eventually that step will not be required.
-	_, natBindings, err := nat.ParsePortSpecs(ports)
-	if err != nil {
-		return nil, err
-	}
-	for containerPb, hostPb := range natBindings {
-		var pm ocicni.PortMapping
-		pm.ContainerPort = int32(containerPb.Int())
-		for _, i := range hostPb {
-			var hostPort int
-			var err error
-			pm.HostIP = i.HostIP
-			if i.HostPort == "" {
-				hostPort = containerPb.Int()
+// createExpose parses user-provided exposed port definitions and converts them
+// into SpecGen format.
+// TODO: The SpecGen format should really handle ranges more sanely - we could
+// be massively inflating what is sent over the wire with a large range.
+func createExpose(expose []string) (map[uint16]string, error) {
+	toReturn := make(map[uint16]string)
+
+	for _, e := range expose {
+		// Check for protocol
+		proto := "tcp"
+		splitProto := strings.Split(e, "/")
+		if len(splitProto) > 2 {
+			return nil, errors.Errorf("invalid expose format - protocol can only be specified once")
+		} else if len(splitProto) == 2 {
+			proto = splitProto[1]
+		}
+
+		// Check for a range
+		start, len, err := parseAndValidateRange(splitProto[0])
+		if err != nil {
+			return nil, err
+		}
+
+		var index uint16
+		for index = 0; index < len; index++ {
+			portNum := start + index
+			protocols, ok := toReturn[portNum]
+			if !ok {
+				toReturn[portNum] = proto
 			} else {
-				hostPort, err = strconv.Atoi(i.HostPort)
-				if err != nil {
-					return nil, errors.Wrapf(err, "unable to convert host port to integer")
-				}
+				newProto := strings.Join(append(strings.Split(protocols, ","), strings.Split(proto, ",")...), ",")
+				toReturn[portNum] = newProto
 			}
+		}
+	}
+
+	return toReturn, nil
+}
 
-			pm.HostPort = int32(hostPort)
-			pm.Protocol = containerPb.Proto()
-			portBindings = append(portBindings, pm)
+// createPortBindings iterates ports mappings into SpecGen format.
+func createPortBindings(ports []string) ([]specgen.PortMapping, error) {
+	// --publish is formatted as follows:
+	// [[hostip:]hostport[-endPort]:]containerport[-endPort][/protocol]
+	toReturn := make([]specgen.PortMapping, 0, len(ports))
+
+	for _, p := range ports {
+		var (
+			ctrPort                 string
+			proto, hostIP, hostPort *string
+		)
+
+		splitProto := strings.Split(p, "/")
+		switch len(splitProto) {
+		case 1:
+			// No protocol was provided
+		case 2:
+			proto = &(splitProto[1])
+		default:
+			return nil, errors.Errorf("invalid port format - protocol can only be specified once")
 		}
+
+		splitPort := strings.Split(splitProto[0], ":")
+		switch len(splitPort) {
+		case 1:
+			ctrPort = splitPort[0]
+		case 2:
+			hostPort = &(splitPort[0])
+			ctrPort = splitPort[1]
+		case 3:
+			hostIP = &(splitPort[0])
+			hostPort = &(splitPort[1])
+			ctrPort = splitPort[2]
+		default:
+			return nil, errors.Errorf("invalid port format - format is [[hostIP:]hostPort:]containerPort")
+		}
+
+		newPort, err := parseSplitPort(hostIP, hostPort, ctrPort, proto)
+		if err != nil {
+			return nil, err
+		}
+
+		toReturn = append(toReturn, newPort)
 	}
-	return portBindings, nil
+
+	return toReturn, nil
 }
 
-// NoArgs returns an error if any args are included.
-func NoArgs(cmd *cobra.Command, args []string) error {
-	if len(args) > 0 {
-		return fmt.Errorf("`%s` takes no arguments", cmd.CommandPath())
+// parseSplitPort parses individual components of the --publish flag to produce
+// a single port mapping in SpecGen format.
+func parseSplitPort(hostIP, hostPort *string, ctrPort string, protocol *string) (specgen.PortMapping, error) {
+	newPort := specgen.PortMapping{}
+	if ctrPort == "" {
+		return newPort, errors.Errorf("must provide a non-empty container port to publish")
+	}
+	ctrStart, ctrLen, err := parseAndValidateRange(ctrPort)
+	if err != nil {
+		return newPort, errors.Wrapf(err, "error parsing container port")
+	}
+	newPort.ContainerPort = ctrStart
+	newPort.Range = ctrLen
+
+	if protocol != nil {
+		if *protocol == "" {
+			return newPort, errors.Errorf("must provide a non-empty protocol to publish")
+		}
+		newPort.Protocol = *protocol
+	}
+	if hostIP != nil {
+		if *hostIP == "" {
+			return newPort, errors.Errorf("must provide a non-empty container host IP to publish")
+		}
+		testIP := net.ParseIP(*hostIP)
+		if testIP == nil {
+			return newPort, errors.Errorf("cannot parse %q as an IP address", *hostIP)
+		}
+		newPort.HostIP = testIP.String()
+	}
+	if hostPort != nil {
+		if *hostPort == "" {
+			return newPort, errors.Errorf("must provide a non-empty container host port to publish")
+		}
+		hostStart, hostLen, err := parseAndValidateRange(*hostPort)
+		if err != nil {
+			return newPort, errors.Wrapf(err, "error parsing host port")
+		}
+		if hostLen != ctrLen {
+			return newPort, errors.Errorf("host and container port ranges have different lengths: %d vs %d", hostLen, ctrLen)
+		}
+		newPort.HostPort = hostStart
+	}
+
+	hport := newPort.HostPort
+	if hport == 0 {
+		hport = newPort.ContainerPort
+	}
+	logrus.Debugf("Adding port mapping from %d to %d length %d protocol %q", hport, newPort.ContainerPort, newPort.Range, newPort.Protocol)
+
+	return newPort, nil
+}
+
+// Parse and validate a port range.
+// Returns start port, length of range, error.
+func parseAndValidateRange(portRange string) (uint16, uint16, error) {
+	splitRange := strings.Split(portRange, "-")
+	if len(splitRange) > 2 {
+		return 0, 0, errors.Errorf("invalid port format - port ranges are formatted as startPort-stopPort")
+	}
+
+	if splitRange[0] == "" {
+		return 0, 0, errors.Errorf("port numbers cannot be negative")
+	}
+
+	startPort, err := parseAndValidatePort(splitRange[0])
+	if err != nil {
+		return 0, 0, err
+	}
+
+	var rangeLen uint16 = 1
+	if len(splitRange) == 2 {
+		if splitRange[1] == "" {
+			return 0, 0, errors.Errorf("must provide ending number for port range")
+		}
+		endPort, err := parseAndValidatePort(splitRange[1])
+		if err != nil {
+			return 0, 0, err
+		}
+		if endPort <= startPort {
+			return 0, 0, errors.Errorf("the end port of a range must be higher than the start port - %d is not higher than %d", endPort, startPort)
+		}
+		// Our range is the total number of ports
+		// involved, so we need to add 1 (8080:8081 is
+		// 2 ports, for example, not 1)
+		rangeLen = endPort - startPort + 1
+	}
+
+	return startPort, rangeLen, nil
+}
+
+// Turn a single string into a valid U16 port.
+func parseAndValidatePort(port string) (uint16, error) {
+	num, err := strconv.Atoi(port)
+	if err != nil {
+		return 0, errors.Wrapf(err, "cannot parse %q as a port number", port)
+	}
+	if num < 1 || num > 65535 {
+		return 0, errors.Errorf("port numbers must be between 1 and 65535 (inclusive), got %d", num)
 	}
-	return nil
+	return uint16(num), nil
 }