5 files changed, 175 insertions, 117 deletions

diff --git a/cmd/podman/common/completion.go b/cmd/podman/common/completion.go
index cb3efe592..f1dea4113 100644
--- a/cmd/podman/common/completion.go
+++ b/cmd/podman/common/completion.go
@@ -13,7 +13,6 @@ import (
 	"github.com/containers/podman/v3/libpod/define"
 	"github.com/containers/podman/v3/libpod/network/types"
 	"github.com/containers/podman/v3/pkg/domain/entities"
-	"github.com/containers/podman/v3/pkg/network"
 	"github.com/containers/podman/v3/pkg/rootless"
 	systemdDefine "github.com/containers/podman/v3/pkg/systemd/define"
 	"github.com/containers/podman/v3/pkg/util"
@@ -209,7 +208,7 @@ func getImages(cmd *cobra.Command, toComplete string) ([]string, cobra.ShellComp
 	return suggestions, cobra.ShellCompDirectiveNoFileComp
 }
 
-func getSecrets(cmd *cobra.Command, toComplete string) ([]string, cobra.ShellCompDirective) {
+func getSecrets(cmd *cobra.Command, toComplete string, cType completeType) ([]string, cobra.ShellCompDirective) {
 	suggestions := []string{}
 
 	engine, err := setupContainerEngine(cmd)
@@ -224,7 +223,13 @@ func getSecrets(cmd *cobra.Command, toComplete string) ([]string, cobra.ShellCom
 	}
 
 	for _, s := range secrets {
-		if strings.HasPrefix(s.Spec.Name, toComplete) {
+		// works the same as in getNetworks
+		if ((len(toComplete) > 1 && cType == completeDefault) ||
+			cType == completeIDs) && strings.HasPrefix(s.ID, toComplete) {
+			suggestions = append(suggestions, s.ID[0:12])
+		}
+		// include name in suggestions
+		if cType != completeIDs && strings.HasPrefix(s.Spec.Name, toComplete) {
 			suggestions = append(suggestions, s.Spec.Name)
 		}
 	}
@@ -256,12 +261,11 @@ func getNetworks(cmd *cobra.Command, toComplete string, cType completeType) ([]s
 	}
 
 	for _, n := range networks {
-		id := network.GetNetworkID(n.Name)
 		// include ids in suggestions if cType == completeIDs or
 		// more then 2 chars are typed and cType == completeDefault
 		if ((len(toComplete) > 1 && cType == completeDefault) ||
-			cType == completeIDs) && strings.HasPrefix(id, toComplete) {
-			suggestions = append(suggestions, id[0:12])
+			cType == completeIDs) && strings.HasPrefix(n.ID, toComplete) {
+			suggestions = append(suggestions, n.ID[0:12])
 		}
 		// include name in suggestions
 		if cType != completeIDs && strings.HasPrefix(n.Name, toComplete) {
@@ -470,7 +474,7 @@ func AutocompleteSecrets(cmd *cobra.Command, args []string, toComplete string) (
 	if !validCurrentCmdLine(cmd, args, toComplete) {
 		return nil, cobra.ShellCompDirectiveNoFileComp
 	}
-	return getSecrets(cmd, toComplete)
+	return getSecrets(cmd, toComplete, completeDefault)
 }
 
 func AutocompleteSecretCreate(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
@@ -1283,6 +1287,15 @@ func AutocompleteVolumeFilters(cmd *cobra.Command, args []string, toComplete str
 	return completeKeyValues(toComplete, kv)
 }
 
+// AutocompleteSecretFilters - Autocomplete secret ls --filter options.
+func AutocompleteSecretFilters(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+	kv := keyValueCompletion{
+		"name=": func(s string) ([]string, cobra.ShellCompDirective) { return getSecrets(cmd, s, completeNames) },
+		"id=":   func(s string) ([]string, cobra.ShellCompDirective) { return getSecrets(cmd, s, completeIDs) },
+	}
+	return completeKeyValues(toComplete, kv)
+}
+
 // AutocompleteCheckpointCompressType - Autocomplete checkpoint compress type options.
 // -> "gzip", "none", "zstd"
 func AutocompleteCheckpointCompressType(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
diff --git a/cmd/podman/common/create.go b/cmd/podman/common/create.go
index dad79348d..32d227e65 100644
--- a/cmd/podman/common/create.go
+++ b/cmd/podman/common/create.go
@@ -292,6 +292,14 @@ func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions,
 			"Set proxy environment variables in the container based on the host proxy vars",
 		)
 
+		hostUserFlagName := "hostuser"
+		createFlags.StringSliceVar(
+			&cf.HostUsers,
+			hostUserFlagName, []string{},
+			"Host user account to add to /etc/passwd within container",
+		)
+		_ = cmd.RegisterFlagCompletionFunc(hostUserFlagName, completion.AutocompleteNone)
+
 		imageVolumeFlagName := "image-volume"
 		createFlags.StringVar(
 			&cf.ImageVolume,
@@ -327,13 +335,10 @@ func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions,
 		)
 		_ = cmd.RegisterFlagCompletionFunc(ipcFlagName, AutocompleteNamespace)
 
-		kernelMemoryFlagName := "kernel-memory"
-		createFlags.StringVar(
-			&cf.KernelMemory,
-			kernelMemoryFlagName, "",
-			"Kernel memory limit "+sizeWithUnitFormat,
+		createFlags.String(
+			"kernel-memory", "",
+			"DEPRECATED: Option is just hear for compatibility with Docker",
 		)
-		_ = cmd.RegisterFlagCompletionFunc(kernelMemoryFlagName, completion.AutocompleteNone)
 		// kernel-memory is deprecated in the runtime spec.
 		_ = createFlags.MarkHidden("kernel-memory")
 
@@ -535,14 +540,6 @@ func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions,
 		)
 		_ = cmd.RegisterFlagCompletionFunc(secretFlagName, AutocompleteSecrets)
 
-		securityOptFlagName := "security-opt"
-		createFlags.StringArrayVar(
-			&cf.SecurityOpt,
-			securityOptFlagName, []string{},
-			"Security Options",
-		)
-		_ = cmd.RegisterFlagCompletionFunc(securityOptFlagName, AutocompleteSecurityOption)
-
 		shmSizeFlagName := "shm-size"
 		createFlags.String(
 			shmSizeFlagName, shmSize(),
@@ -715,6 +712,13 @@ func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions,
 			`If a container with the same name exists, replace it`,
 		)
 	}
+	securityOptFlagName := "security-opt"
+	createFlags.StringArrayVar(
+		&cf.SecurityOpt,
+		securityOptFlagName, []string{},
+		"Security Options",
+	)
+	_ = cmd.RegisterFlagCompletionFunc(securityOptFlagName, AutocompleteSecurityOption)
 
 	subgidnameFlagName := "subgidname"
 	createFlags.StringVar(
@@ -885,6 +889,7 @@ func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions,
 		"Limit read rate (bytes per second) from a device (e.g. --device-read-bps=/dev/sda:1mb)",
 	)
 	_ = cmd.RegisterFlagCompletionFunc(deviceReadBpsFlagName, completion.AutocompleteDefault)
+
 	volumesFromFlagName := "volumes-from"
 	createFlags.StringArrayVar(
 		&cf.VolumesFrom,
diff --git a/cmd/podman/common/create_opts.go b/cmd/podman/common/create_opts.go
index 7d6471fd4..f2335a2be 100644
--- a/cmd/podman/common/create_opts.go
+++ b/cmd/podman/common/create_opts.go
@@ -18,7 +18,6 @@ import (
 	"github.com/containers/podman/v3/pkg/specgen"
 	"github.com/docker/docker/api/types/mount"
 	"github.com/pkg/errors"
-	"github.com/sirupsen/logrus"
 )
 
 func stringMaptoArray(m map[string]string) []string {
@@ -156,18 +155,11 @@ func ContainerCreateToContainerCLIOpts(cc handlers.CreateContainerConfig, rtc *c
 	}
 
 	// netMode
-	nsmode, networks, err := specgen.ParseNetworkNamespace(string(cc.HostConfig.NetworkMode), true)
+	nsmode, networks, netOpts, err := specgen.ParseNetworkFlag([]string{string(cc.HostConfig.NetworkMode)})
 	if err != nil {
 		return nil, nil, err
 	}
 
-	var netOpts map[string][]string
-	parts := strings.SplitN(string(cc.HostConfig.NetworkMode), ":", 2)
-	if len(parts) > 1 {
-		netOpts = make(map[string][]string)
-		netOpts[parts[0]] = strings.Split(parts[1], ",")
-	}
-
 	// network
 	// Note: we cannot emulate compat exactly here. we only allow specifics of networks to be
 	// defined when there is only one network.
@@ -184,52 +176,56 @@ func ContainerCreateToContainerCLIOpts(cc handlers.CreateContainerConfig, rtc *c
 	// network names
 	switch {
 	case len(cc.NetworkingConfig.EndpointsConfig) > 0:
-		var aliases []string
-
 		endpointsConfig := cc.NetworkingConfig.EndpointsConfig
-		cniNetworks := make([]string, 0, len(endpointsConfig))
+		networks := make(map[string]types.PerNetworkOptions, len(endpointsConfig))
 		for netName, endpoint := range endpointsConfig {
-			cniNetworks = append(cniNetworks, netName)
-
-			if endpoint == nil {
-				continue
-			}
-			if len(endpoint.Aliases) > 0 {
-				aliases = append(aliases, endpoint.Aliases...)
-			}
-		}
+			netOpts := types.PerNetworkOptions{}
+			if endpoint != nil {
+				netOpts.Aliases = endpoint.Aliases
 
-		// static IP and MAC
-		if len(endpointsConfig) == 1 {
-			for _, ep := range endpointsConfig {
-				if ep == nil {
-					continue
-				}
 				// if IP address is provided
-				if len(ep.IPAddress) > 0 {
-					staticIP := net.ParseIP(ep.IPAddress)
-					netInfo.StaticIP = &staticIP
+				if len(endpoint.IPAddress) > 0 {
+					staticIP := net.ParseIP(endpoint.IPAddress)
+					if staticIP == nil {
+						return nil, nil, errors.Errorf("failed to parse the ip address %q", endpoint.IPAddress)
+					}
+					netOpts.StaticIPs = append(netOpts.StaticIPs, staticIP)
 				}
-				// if IPAMConfig.IPv4Address is provided
-				if ep.IPAMConfig != nil && ep.IPAMConfig.IPv4Address != "" {
-					staticIP := net.ParseIP(ep.IPAMConfig.IPv4Address)
-					netInfo.StaticIP = &staticIP
+
+				if endpoint.IPAMConfig != nil {
+					// if IPAMConfig.IPv4Address is provided
+					if len(endpoint.IPAMConfig.IPv4Address) > 0 {
+						staticIP := net.ParseIP(endpoint.IPAMConfig.IPv4Address)
+						if staticIP == nil {
+							return nil, nil, errors.Errorf("failed to parse the ipv4 address %q", endpoint.IPAMConfig.IPv4Address)
+						}
+						netOpts.StaticIPs = append(netOpts.StaticIPs, staticIP)
+					}
+					// if IPAMConfig.IPv6Address is provided
+					if len(endpoint.IPAMConfig.IPv6Address) > 0 {
+						staticIP := net.ParseIP(endpoint.IPAMConfig.IPv6Address)
+						if staticIP == nil {
+							return nil, nil, errors.Errorf("failed to parse the ipv6 address %q", endpoint.IPAMConfig.IPv6Address)
+						}
+						netOpts.StaticIPs = append(netOpts.StaticIPs, staticIP)
+					}
 				}
 				// If MAC address is provided
-				if len(ep.MacAddress) > 0 {
-					staticMac, err := net.ParseMAC(ep.MacAddress)
+				if len(endpoint.MacAddress) > 0 {
+					staticMac, err := net.ParseMAC(endpoint.MacAddress)
 					if err != nil {
-						return nil, nil, err
+						return nil, nil, errors.Errorf("failed to parse the mac address %q", endpoint.MacAddress)
 					}
-					netInfo.StaticMAC = &staticMac
+					netOpts.StaticMAC = types.HardwareAddr(staticMac)
 				}
-				break
 			}
+
+			networks[netName] = netOpts
 		}
-		netInfo.Aliases = aliases
-		netInfo.CNINetworks = cniNetworks
+
+		netInfo.Networks = networks
 	case len(cc.HostConfig.NetworkMode) > 0:
-		netInfo.CNINetworks = networks
+		netInfo.Networks = networks
 	}
 
 	parsedTmp := make([]string, 0, len(cc.HostConfig.Tmpfs))
@@ -388,9 +384,6 @@ func ContainerCreateToContainerCLIOpts(cc handlers.CreateContainerConfig, rtc *c
 	if cc.HostConfig.Memory > 0 {
 		cliOpts.Memory = strconv.Itoa(int(cc.HostConfig.Memory))
 	}
-	if cc.HostConfig.KernelMemory > 0 {
-		logrus.Warnf("The --kernel-memory flag has been deprecated. May not work properly on your system.")
-	}
 
 	if cc.HostConfig.MemoryReservation > 0 {
 		cliOpts.MemoryReservation = strconv.Itoa(int(cc.HostConfig.MemoryReservation))
@@ -412,9 +405,6 @@ func ContainerCreateToContainerCLIOpts(cc handlers.CreateContainerConfig, rtc *c
 		cliOpts.ShmSize = strconv.Itoa(int(cc.HostConfig.ShmSize))
 	}
 
-	if cc.HostConfig.KernelMemory > 0 {
-		cliOpts.KernelMemory = strconv.Itoa(int(cc.HostConfig.KernelMemory))
-	}
 	if len(cc.HostConfig.RestartPolicy.Name) > 0 {
 		policy := cc.HostConfig.RestartPolicy.Name
 		// only add restart count on failure
diff --git a/cmd/podman/common/create_test.go b/cmd/podman/common/create_test.go
index 17b47dd16..601078b61 100644
--- a/cmd/podman/common/create_test.go
+++ b/cmd/podman/common/create_test.go
@@ -12,7 +12,7 @@ import (
 
 func TestPodOptions(t *testing.T) {
 	entry := "/test1"
-	exampleOptions := entities.ContainerCreateOptions{CPUS: 5.5, CPUSetCPUs: "0-4", Entrypoint: &entry, Hostname: "foo", Name: "testing123", Volume: []string{"/fakeVol1", "/fakeVol2"}, Net: &entities.NetOptions{CNINetworks: []string{"FakeNetwork"}}, PID: "ns:/proc/self/ns"}
+	exampleOptions := entities.ContainerCreateOptions{CPUS: 5.5, CPUSetCPUs: "0-4", Entrypoint: &entry, Hostname: "foo", Name: "testing123", Volume: []string{"/fakeVol1", "/fakeVol2"}, Net: &entities.NetOptions{DNSSearch: []string{"search"}}, PID: "ns:/proc/self/ns"}
 
 	podOptions := entities.PodCreateOptions{}
 	err := common.ContainerToPodOptions(&exampleOptions, &podOptions)
diff --git a/cmd/podman/common/netflags.go b/cmd/podman/common/netflags.go
index d11f3c9d2..425d85c9d 100644
--- a/cmd/podman/common/netflags.go
+++ b/cmd/podman/common/netflags.go
@@ -6,6 +6,7 @@ import (
 	"github.com/containers/common/pkg/completion"
 	"github.com/containers/podman/v3/cmd/podman/parse"
 	"github.com/containers/podman/v3/libpod/define"
+	"github.com/containers/podman/v3/libpod/network/types"
 	"github.com/containers/podman/v3/pkg/domain/entities"
 	"github.com/containers/podman/v3/pkg/specgen"
 	"github.com/containers/podman/v3/pkg/specgenutil"
@@ -52,6 +53,13 @@ func DefineNetFlags(cmd *cobra.Command) {
 	)
 	_ = cmd.RegisterFlagCompletionFunc(ipFlagName, completion.AutocompleteNone)
 
+	ip6FlagName := "ip6"
+	netFlags.String(
+		ip6FlagName, "",
+		"Specify a static IPv6 address for the container",
+	)
+	_ = cmd.RegisterFlagCompletionFunc(ip6FlagName, completion.AutocompleteNone)
+
 	macAddressFlagName := "mac-address"
 	netFlags.String(
 		macAddressFlagName, "",
@@ -60,8 +68,8 @@ func DefineNetFlags(cmd *cobra.Command) {
 	_ = cmd.RegisterFlagCompletionFunc(macAddressFlagName, completion.AutocompleteNone)
 
 	networkFlagName := "network"
-	netFlags.String(
-		networkFlagName, containerConfig.NetNS(),
+	netFlags.StringArray(
+		networkFlagName, nil,
 		"Connect a container to a network",
 	)
 	_ = cmd.RegisterFlagCompletionFunc(networkFlagName, AutocompleteNetworkFlag)
@@ -87,9 +95,7 @@ func DefineNetFlags(cmd *cobra.Command) {
 }
 
 // NetFlagsToNetOptions parses the network flags for the given cmd.
-// The netnsFromConfig bool is used to indicate if the --network flag
-// should always be parsed regardless if it was set on the cli.
-func NetFlagsToNetOptions(opts *entities.NetOptions, flags pflag.FlagSet, netnsFromConfig bool) (*entities.NetOptions, error) {
+func NetFlagsToNetOptions(opts *entities.NetOptions, flags pflag.FlagSet) (*entities.NetOptions, error) {
 	var (
 		err error
 	)
@@ -151,18 +157,6 @@ func NetFlagsToNetOptions(opts *entities.NetOptions, flags pflag.FlagSet, netnsF
 	}
 	opts.DNSSearch = dnsSearches
 
-	m, err := flags.GetString("mac-address")
-	if err != nil {
-		return nil, err
-	}
-	if len(m) > 0 {
-		mac, err := net.ParseMAC(m)
-		if err != nil {
-			return nil, err
-		}
-		opts.StaticMAC = &mac
-	}
-
 	inputPorts, err := flags.GetStringSlice("publish")
 	if err != nil {
 		return nil, err
@@ -174,52 +168,108 @@ func NetFlagsToNetOptions(opts *entities.NetOptions, flags pflag.FlagSet, netnsF
 		}
 	}
 
-	ip, err := flags.GetString("ip")
-	if err != nil {
-		return nil, err
-	}
-	if ip != "" {
-		staticIP := net.ParseIP(ip)
-		if staticIP == nil {
-			return nil, errors.Errorf("%s is not an ip address", ip)
-		}
-		if staticIP.To4() == nil {
-			return nil, errors.Wrapf(define.ErrInvalidArg, "%s is not an IPv4 address", ip)
-		}
-		opts.StaticIP = &staticIP
-	}
-
 	opts.NoHosts, err = flags.GetBool("no-hosts")
 	if err != nil {
 		return nil, err
 	}
 
-	// parse the --network value only when the flag is set or we need to use
-	// the netns config value, e.g. when --pod is not used
-	if netnsFromConfig || flags.Changed("network") {
-		network, err := flags.GetString("network")
+	// parse the network only when network was changed
+	// otherwise we send default to server so that the server
+	// can pick the correct default instead of the client
+	if flags.Changed("network") {
+		network, err := flags.GetStringArray("network")
 		if err != nil {
 			return nil, err
 		}
 
-		ns, cniNets, options, err := specgen.ParseNetworkString(network)
+		ns, networks, options, err := specgen.ParseNetworkFlag(network)
 		if err != nil {
 			return nil, err
 		}
 
-		if len(options) > 0 {
-			opts.NetworkOptions = options
-		}
+		opts.NetworkOptions = options
 		opts.Network = ns
-		opts.CNINetworks = cniNets
+		opts.Networks = networks
 	}
 
-	aliases, err := flags.GetStringSlice("network-alias")
-	if err != nil {
-		return nil, err
-	}
-	if len(aliases) > 0 {
-		opts.Aliases = aliases
+	if flags.Changed("ip") || flags.Changed("ip6") || flags.Changed("mac-address") || flags.Changed("network-alias") {
+		// if there is no network we add the default
+		if len(opts.Networks) == 0 {
+			opts.Networks = map[string]types.PerNetworkOptions{
+				"default": {},
+			}
+		}
+
+		for _, ipFlagName := range []string{"ip", "ip6"} {
+			ip, err := flags.GetString(ipFlagName)
+			if err != nil {
+				return nil, err
+			}
+			if ip != "" {
+				// if pod create --infra=false
+				if infra, err := flags.GetBool("infra"); err == nil && !infra {
+					return nil, errors.Wrapf(define.ErrInvalidArg, "cannot set --%s without infra container", ipFlagName)
+				}
+
+				staticIP := net.ParseIP(ip)
+				if staticIP == nil {
+					return nil, errors.Errorf("%q is not an ip address", ip)
+				}
+				if !opts.Network.IsBridge() && !opts.Network.IsDefault() {
+					return nil, errors.Wrapf(define.ErrInvalidArg, "--%s can only be set when the network mode is bridge", ipFlagName)
+				}
+				if len(opts.Networks) != 1 {
+					return nil, errors.Wrapf(define.ErrInvalidArg, "--%s can only be set for a single network", ipFlagName)
+				}
+				for name, netOpts := range opts.Networks {
+					netOpts.StaticIPs = append(netOpts.StaticIPs, staticIP)
+					opts.Networks[name] = netOpts
+				}
+			}
+		}
+
+		m, err := flags.GetString("mac-address")
+		if err != nil {
+			return nil, err
+		}
+		if len(m) > 0 {
+			// if pod create --infra=false
+			if infra, err := flags.GetBool("infra"); err == nil && !infra {
+				return nil, errors.Wrap(define.ErrInvalidArg, "cannot set --mac without infra container")
+			}
+			mac, err := net.ParseMAC(m)
+			if err != nil {
+				return nil, err
+			}
+			if !opts.Network.IsBridge() && !opts.Network.IsDefault() {
+				return nil, errors.Wrap(define.ErrInvalidArg, "--mac-address can only be set when the network mode is bridge")
+			}
+			if len(opts.Networks) != 1 {
+				return nil, errors.Wrap(define.ErrInvalidArg, "--mac-address can only be set for a single network")
+			}
+			for name, netOpts := range opts.Networks {
+				netOpts.StaticMAC = types.HardwareAddr(mac)
+				opts.Networks[name] = netOpts
+			}
+		}
+
+		aliases, err := flags.GetStringSlice("network-alias")
+		if err != nil {
+			return nil, err
+		}
+		if len(aliases) > 0 {
+			// if pod create --infra=false
+			if infra, err := flags.GetBool("infra"); err == nil && !infra {
+				return nil, errors.Wrap(define.ErrInvalidArg, "cannot set --network-alias without infra container")
+			}
+			if !opts.Network.IsBridge() && !opts.Network.IsDefault() {
+				return nil, errors.Wrap(define.ErrInvalidArg, "--network-alias can only be set when the network mode is bridge")
+			}
+			for name, netOpts := range opts.Networks {
+				netOpts.Aliases = aliases
+				opts.Networks[name] = netOpts
+			}
+		}
 	}
 
 	return opts, err