5 files changed, 114 insertions, 25 deletions
diff --git a/cmd/podman/common/completion.go b/cmd/podman/common/completion.go
index 02369c74a..60d056aaa 100644
--- a/cmd/podman/common/completion.go
+++ b/cmd/podman/common/completion.go
@@ -13,6 +13,7 @@ import (
 	libimageDefine "github.com/containers/common/libimage/define"
 	"github.com/containers/common/libnetwork/types"
 	"github.com/containers/common/pkg/config"
+	"github.com/containers/common/pkg/ssh"
 	"github.com/containers/image/v5/pkg/sysregistriesv2"
 	"github.com/containers/podman/v4/cmd/podman/registry"
 	"github.com/containers/podman/v4/libpod/define"
@@ -543,6 +544,10 @@ func AutocompleteForKube(cmd *cobra.Command, args []string, toComplete string) (
 	return objs, cobra.ShellCompDirectiveNoFileComp
 }
 
+func AutocompleteForGenerate(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+	return AutocompleteForKube(cmd, args, toComplete)
+}
+
 // AutocompleteContainersAndPods - Autocomplete container names and pod names.
 func AutocompleteContainersAndPods(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 	if !validCurrentCmdLine(cmd, args, toComplete) {
@@ -1628,3 +1633,16 @@ func AutocompleteClone(cmd *cobra.Command, args []string, toComplete string) ([]
 	}
 	return nil, cobra.ShellCompDirectiveNoFileComp
 }
+
+// AutocompleteSSH - Autocomplete ssh modes
+func AutocompleteSSH(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+	if !validCurrentCmdLine(cmd, args, toComplete) {
+		return nil, cobra.ShellCompDirectiveNoFileComp
+	}
+	return []string{string(ssh.GolangMode), string(ssh.NativeMode)}, cobra.ShellCompDirectiveNoFileComp
+}
+
+// AutocompleteHealthOnFailure - action to take once the container turns unhealthy.
+func AutocompleteHealthOnFailure(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+	return define.SupportedHealthCheckOnFailureActions, cobra.ShellCompDirectiveNoFileComp
+}
diff --git a/cmd/podman/common/create.go b/cmd/podman/common/create.go
index 00873b95b..8fff03773 100644
--- a/cmd/podman/common/create.go
+++ b/cmd/podman/common/create.go
@@ -28,10 +28,10 @@ func ContainerToPodOptions(containerCreate *entities.ContainerCreateOptions, pod
 }
 
 // DefineCreateFlags declares and instantiates the container create flags
-func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions, isInfra bool, clone bool) {
+func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions, mode entities.ContainerMode) {
 	createFlags := cmd.Flags()
 
-	if !isInfra && !clone { // regular create flags
+	if mode == entities.CreateMode { // regular create flags
 		annotationFlagName := "annotation"
 		createFlags.StringSliceVar(
 			&cf.Annotation,
@@ -103,27 +103,19 @@ func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions,
 		)
 		_ = cmd.RegisterFlagCompletionFunc(deviceCgroupRuleFlagName, completion.AutocompleteNone)
 
-		deviceReadIopsFlagName := "device-read-iops"
-		createFlags.StringSliceVar(
-			&cf.DeviceReadIOPs,
-			deviceReadIopsFlagName, []string{},
-			"Limit read rate (IO per second) from a device (e.g. --device-read-iops=/dev/sda:1000)",
-		)
-		_ = cmd.RegisterFlagCompletionFunc(deviceReadIopsFlagName, completion.AutocompleteDefault)
-
-		deviceWriteIopsFlagName := "device-write-iops"
-		createFlags.StringSliceVar(
-			&cf.DeviceWriteIOPs,
-			deviceWriteIopsFlagName, []string{},
-			"Limit write rate (IO per second) to a device (e.g. --device-write-iops=/dev/sda:1000)",
-		)
-		_ = cmd.RegisterFlagCompletionFunc(deviceWriteIopsFlagName, completion.AutocompleteDefault)
-
 		createFlags.Bool(
 			"disable-content-trust", false,
 			"This is a Docker specific option and is a NOOP",
 		)
 
+		envMergeFlagName := "env-merge"
+		createFlags.StringArrayVar(
+			&cf.EnvMerge,
+			envMergeFlagName, []string{},
+			"Preprocess environment variables from image before injecting them into the container",
+		)
+		_ = cmd.RegisterFlagCompletionFunc(envMergeFlagName, completion.AutocompleteNone)
+
 		envFlagName := "env"
 		createFlags.StringArrayP(
 			envFlagName, "e", Env(),
@@ -216,6 +208,14 @@ func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions,
 		)
 		_ = cmd.RegisterFlagCompletionFunc(healthTimeoutFlagName, completion.AutocompleteNone)
 
+		healthOnFailureFlagName := "health-on-failure"
+		createFlags.StringVar(
+			&cf.HealthOnFailure,
+			healthOnFailureFlagName, "none",
+			"action to take once the container turns unhealthy",
+		)
+		_ = cmd.RegisterFlagCompletionFunc(healthOnFailureFlagName, AutocompleteHealthOnFailure)
+
 		createFlags.BoolVar(
 			&cf.HTTPProxy,
 			"http-proxy", containerConfig.Containers.HTTPProxy,
@@ -589,7 +589,7 @@ func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions,
 			`If a container with the same name exists, replace it`,
 		)
 	}
-	if isInfra || (!clone && !isInfra) { // infra container flags, create should also pick these up
+	if mode == entities.InfraMode || (mode == entities.CreateMode) { // infra container flags, create should also pick these up
 		shmSizeFlagName := "shm-size"
 		createFlags.String(
 			shmSizeFlagName, shmSize(),
@@ -669,7 +669,7 @@ func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions,
 		)
 		_ = cmd.RegisterFlagCompletionFunc(cgroupParentFlagName, completion.AutocompleteDefault)
 		var conmonPidfileFlagName string
-		if !isInfra {
+		if mode == entities.CreateMode {
 			conmonPidfileFlagName = "conmon-pidfile"
 		} else {
 			conmonPidfileFlagName = "infra-conmon-pidfile"
@@ -682,7 +682,7 @@ func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions,
 		_ = cmd.RegisterFlagCompletionFunc(conmonPidfileFlagName, completion.AutocompleteDefault)
 
 		var entrypointFlagName string
-		if !isInfra {
+		if mode == entities.CreateMode {
 			entrypointFlagName = "entrypoint"
 		} else {
 			entrypointFlagName = "infra-command"
@@ -717,7 +717,7 @@ func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions,
 		)
 		_ = cmd.RegisterFlagCompletionFunc(labelFileFlagName, completion.AutocompleteDefault)
 
-		if isInfra {
+		if mode == entities.InfraMode {
 			nameFlagName := "infra-name"
 			createFlags.StringVar(
 				&cf.Name,
@@ -767,7 +767,8 @@ func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions,
 		)
 		_ = cmd.RegisterFlagCompletionFunc(volumesFromFlagName, AutocompleteContainers)
 	}
-	if clone || !isInfra { // clone and create only flags, we need this level of separation so clone does not pick up all of the flags
+
+	if mode == entities.CloneMode || mode == entities.CreateMode {
 		nameFlagName := "name"
 		createFlags.StringVar(
 			&cf.Name,
@@ -783,7 +784,8 @@ func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions,
 			"Run container in an existing pod",
 		)
 		_ = cmd.RegisterFlagCompletionFunc(podFlagName, AutocompletePods)
-
+	}
+	if mode != entities.InfraMode { // clone create and update only flags, we need this level of separation so clone does not pick up all of the flags
 		cpuPeriodFlagName := "cpu-period"
 		createFlags.Uint64Var(
 			&cf.CPUPeriod,
@@ -832,8 +834,24 @@ func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions,
 		)
 		_ = cmd.RegisterFlagCompletionFunc(memorySwappinessFlagName, completion.AutocompleteNone)
 	}
-	// anyone can use these
+	if mode == entities.CreateMode || mode == entities.UpdateMode {
+		deviceReadIopsFlagName := "device-read-iops"
+		createFlags.StringSliceVar(
+			&cf.DeviceReadIOPs,
+			deviceReadIopsFlagName, []string{},
+			"Limit read rate (IO per second) from a device (e.g. --device-read-iops=/dev/sda:1000)",
+		)
+		_ = cmd.RegisterFlagCompletionFunc(deviceReadIopsFlagName, completion.AutocompleteDefault)
 
+		deviceWriteIopsFlagName := "device-write-iops"
+		createFlags.StringSliceVar(
+			&cf.DeviceWriteIOPs,
+			deviceWriteIopsFlagName, []string{},
+			"Limit write rate (IO per second) to a device (e.g. --device-write-iops=/dev/sda:1000)",
+		)
+		_ = cmd.RegisterFlagCompletionFunc(deviceWriteIopsFlagName, completion.AutocompleteDefault)
+	}
+	// anyone can use these
 	cpusFlagName := "cpus"
 	createFlags.Float64Var(
 		&cf.CPUS,
diff --git a/cmd/podman/common/inspect.go b/cmd/podman/common/inspect.go
index 12a5af5a9..f82161d31 100644
--- a/cmd/podman/common/inspect.go
+++ b/cmd/podman/common/inspect.go
@@ -11,6 +11,10 @@ const (
 	NetworkType = "network"
 	// PodType is the pod type.
 	PodType = "pod"
+	// PodLegacyType is the pod type for backwards compatibility with the old pod inspect code.
+	// This allows us to use the shared inspect code but still provide the correct output format
+	// when podman pod inspect was called.
+	PodLegacyType = "pod-legacy"
 	// VolumeType is the volume type
 	VolumeType = "volume"
 )
diff --git a/cmd/podman/common/netflags.go b/cmd/podman/common/netflags.go
index e7aa265d1..90f05ab15 100644
--- a/cmd/podman/common/netflags.go
+++ b/cmd/podman/common/netflags.go
@@ -39,6 +39,11 @@ func DefineNetFlags(cmd *cobra.Command) {
 		"Set custom DNS options",
 	)
 	_ = cmd.RegisterFlagCompletionFunc(dnsOptFlagName, completion.AutocompleteNone)
+	netFlags.StringSlice(
+		"dns-option", containerConfig.DNSOptions(),
+		"Docker compatibility option== --dns-opt",
+	)
+	_ = netFlags.MarkHidden("dns-option")
 
 	dnsSearchFlagName := "dns-search"
 	netFlags.StringSlice(
@@ -146,6 +151,14 @@ func NetFlagsToNetOptions(opts *entities.NetOptions, flags pflag.FlagSet) (*enti
 		opts.DNSOptions = options
 	}
 
+	if flags.Changed("dns-option") {
+		options, err := flags.GetStringSlice("dns-option")
+		if err != nil {
+			return nil, err
+		}
+		opts.DNSOptions = append(opts.DNSOptions, options...)
+	}
+
 	if flags.Changed("dns-search") {
 		dnsSearches, err := flags.GetStringSlice("dns-search")
 		if err != nil {
diff --git a/cmd/podman/common/sign.go b/cmd/podman/common/sign.go
new file mode 100644
index 000000000..dc0d3ff5d
--- /dev/null
+++ b/cmd/podman/common/sign.go
@@ -0,0 +1,36 @@
+package common
+
+import (
+	"fmt"
+
+	"github.com/containers/common/pkg/ssh"
+	"github.com/containers/image/v5/pkg/cli"
+	"github.com/containers/podman/v4/pkg/domain/entities"
+)
+
+// PrepareSigningPassphrase updates pushOpts.SignPassphrase and SignSigstorePrivateKeyPassphrase based on a --sign-passphrase-file value signPassphraseFile,
+// and validates pushOpts.Sign* consistency.
+// It may interactively prompt for a passphrase if one is required and wasn’t provided otherwise.
+func PrepareSigningPassphrase(pushOpts *entities.ImagePushOptions, signPassphraseFile string) error {
+	// c/common/libimage.Image does allow creating both simple signing and sigstore signatures simultaneously,
+	// with independent passphrases, but that would make the CLI probably too confusing.
+	// For now, use the passphrase with either, but only one of them.
+	if signPassphraseFile != "" && pushOpts.SignBy != "" && pushOpts.SignBySigstorePrivateKeyFile != "" {
+		return fmt.Errorf("only one of --sign-by and sign-by-sigstore-private-key can be used with --sign-passphrase-file")
+	}
+
+	var passphrase string
+	if signPassphraseFile != "" {
+		p, err := cli.ReadPassphraseFile(signPassphraseFile)
+		if err != nil {
+			return err
+		}
+		passphrase = p
+	} else if pushOpts.SignBySigstorePrivateKeyFile != "" {
+		p := ssh.ReadPassphrase()
+		passphrase = string(p)
+	} // pushOpts.SignBy triggers a GPG-agent passphrase prompt, possibly using a more secure channel, so we usually shouldn’t prompt ourselves if no passphrase was explicitly provided.
+	pushOpts.SignPassphrase = passphrase
+	pushOpts.SignSigstorePrivateKeyPassphrase = []byte(passphrase)
+	return nil
+}