6 files changed, 61 insertions, 86 deletions
diff --git a/cmd/podman/commit.go b/cmd/podman/commit.go
index 604e8d31c..b4d249c66 100644
--- a/cmd/podman/commit.go
+++ b/cmd/podman/commit.go
@@ -6,7 +6,6 @@ import (
 
 	"github.com/containers/libpod/cmd/podman/cliconfig"
 	"github.com/containers/libpod/pkg/adapter"
-	"github.com/containers/libpod/pkg/util"
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 )
@@ -65,17 +64,6 @@ func commitCmd(c *cliconfig.CommitValues) error {
 	if len(args) > 1 {
 		reference = args[1]
 	}
-	if c.Flag("change").Changed {
-		for _, change := range c.Change {
-			splitChange := strings.Split(strings.ToUpper(change), "=")
-			if len(splitChange) == 1 {
-				splitChange = strings.Split(strings.ToUpper(change), " ")
-			}
-			if !util.StringInSlice(splitChange[0], ChangeCmds) {
-				return errors.Errorf("invalid syntax for --change: %s", change)
-			}
-		}
-	}
 
 	iid, err := runtime.Commit(getContext(), c, container, reference)
 	if err != nil {
diff --git a/cmd/podman/common.go b/cmd/podman/common.go
index 7610edbc0..6fa2b3c71 100644
--- a/cmd/podman/common.go
+++ b/cmd/podman/common.go
@@ -257,6 +257,10 @@ func getCreateFlags(c *cliconfig.PodmanCommand) {
 		"Add a host device to the container (default [])",
 	)
 	createFlags.StringSlice(
+		"device-cgroup-rule", []string{},
+		"Add a rule to the cgroup allowed devices list",
+	)
+	createFlags.StringSlice(
 		"device-read-bps", []string{},
 		"Limit read rate (bytes per second) from a device (e.g. --device-read-bps=/dev/sda:1mb)",
 	)
diff --git a/cmd/podman/pull.go b/cmd/podman/pull.go
index 1cbb3f45e..f800d68fe 100644
--- a/cmd/podman/pull.go
+++ b/cmd/podman/pull.go
@@ -4,7 +4,6 @@ import (
 	"fmt"
 	"io"
 	"os"
-	"strings"
 
 	buildahcli "github.com/containers/buildah/pkg/cli"
 	"github.com/containers/image/v5/docker"
@@ -15,6 +14,7 @@ import (
 	"github.com/containers/libpod/libpod/image"
 	"github.com/containers/libpod/pkg/adapter"
 	"github.com/containers/libpod/pkg/util"
+	"github.com/docker/distribution/reference"
 	"github.com/opentracing/opentracing-go"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -101,18 +101,32 @@ func pullCmd(c *cliconfig.PullValues) (retError error) {
 		}
 	}
 
-	arr := strings.SplitN(args[0], ":", 2)
-	if len(arr) == 2 {
-		if c.Bool("all-tags") {
-			return errors.Errorf("tag can't be used with --all-tags")
+	ctx := getContext()
+	imageName := args[0]
+
+	imageRef, err := alltransports.ParseImageName(imageName)
+	if err != nil {
+		imageRef, err = alltransports.ParseImageName(fmt.Sprintf("%s://%s", docker.Transport.Name(), imageName))
+		if err != nil {
+			return errors.Errorf("invalid image reference %q", imageName)
 		}
 	}
 
-	ctx := getContext()
-	imgArg := args[0]
+	var writer io.Writer
+	if !c.Quiet {
+		writer = os.Stderr
+	}
+	// Special-case for docker-archive which allows multiple tags.
+	if imageRef.Transport().Name() == dockerarchive.Transport.Name() {
+		newImage, err := runtime.LoadFromArchiveReference(getContext(), imageRef, c.SignaturePolicy, writer)
+		if err != nil {
+			return errors.Wrapf(err, "error pulling image %q", imageName)
+		}
+		fmt.Println(newImage[0].ID())
+		return nil
+	}
 
 	var registryCreds *types.DockerAuthConfig
-
 	if c.Flag("creds").Changed {
 		creds, err := util.ParseRegistryCreds(c.Creds)
 		if err != nil {
@@ -120,14 +134,6 @@ func pullCmd(c *cliconfig.PullValues) (retError error) {
 		}
 		registryCreds = creds
 	}
-
-	var (
-		writer io.Writer
-	)
-	if !c.Quiet {
-		writer = os.Stderr
-	}
-
 	dockerRegistryOptions := image.DockerRegistryOptions{
 		DockerRegistryCreds: registryCreds,
 		DockerCertPath:      c.CertDir,
@@ -138,79 +144,52 @@ func pullCmd(c *cliconfig.PullValues) (retError error) {
 		dockerRegistryOptions.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!c.TlsVerify)
 	}
 
-	// Special-case for docker-archive which allows multiple tags.
-	if strings.HasPrefix(imgArg, dockerarchive.Transport.Name()+":") {
-		srcRef, err := alltransports.ParseImageName(imgArg)
-		if err != nil {
-			return errors.Wrapf(err, "error parsing %q", imgArg)
-		}
-		newImage, err := runtime.LoadFromArchiveReference(getContext(), srcRef, c.SignaturePolicy, writer)
-		if err != nil {
-			return errors.Wrapf(err, "error pulling image from %q", imgArg)
-		}
-		fmt.Println(newImage[0].ID())
-
-		return nil
-	}
-
-	// FIXME: the default pull consults the registries.conf's search registries
-	// while the all-tags pull does not. This behavior must be fixed in the
-	// future and span across c/buildah, c/image and c/libpod to avoid redundant
-	// and error prone code.
-	//
-	// See https://bugzilla.redhat.com/show_bug.cgi?id=1701922 for background
-	// information.
 	if !c.Bool("all-tags") {
-		newImage, err := runtime.New(getContext(), imgArg, c.SignaturePolicy, c.Authfile, writer, &dockerRegistryOptions, image.SigningOptions{}, nil, util.PullImageAlways)
+		newImage, err := runtime.New(getContext(), imageName, c.SignaturePolicy, c.Authfile, writer, &dockerRegistryOptions, image.SigningOptions{}, nil, util.PullImageAlways)
 		if err != nil {
-			return errors.Wrapf(err, "error pulling image %q", imgArg)
+			return errors.Wrapf(err, "error pulling image %q", imageName)
 		}
 		fmt.Println(newImage.ID())
 		return nil
 	}
 
-	// FIXME: all-tags should use the libpod backend instead of baking its own bread.
-	spec := imgArg
-	systemContext := image.GetSystemContext("", c.Authfile, false)
-	srcRef, err := alltransports.ParseImageName(spec)
+	// --all-tags requires the docker transport
+	if imageRef.Transport().Name() != docker.Transport.Name() {
+		return errors.New("--all-tags requires docker transport")
+	}
+
+	// all-tags doesn't work with a tagged reference, so let's check early
+	namedRef, err := reference.Parse(imageName)
 	if err != nil {
-		dockerTransport := "docker://"
-		logrus.Debugf("error parsing image name %q, trying with transport %q: %v", spec, dockerTransport, err)
-		spec = dockerTransport + spec
-		srcRef2, err2 := alltransports.ParseImageName(spec)
-		if err2 != nil {
-			return errors.Wrapf(err2, "error parsing image name %q", imgArg)
-		}
-		srcRef = srcRef2
+		return errors.Wrapf(err, "error parsing %q", imageName)
 	}
-	var names []string
-	if srcRef.DockerReference() == nil {
-		return errors.New("Non-docker transport is currently not supported")
+	if _, isTagged := namedRef.(reference.Tagged); isTagged {
+		return errors.New("--all-tags requires a reference without a tag")
+
 	}
-	tags, err := docker.GetRepositoryTags(ctx, systemContext, srcRef)
+
+	systemContext := image.GetSystemContext("", c.Authfile, false)
+	tags, err := docker.GetRepositoryTags(ctx, systemContext, imageRef)
 	if err != nil {
 		return errors.Wrapf(err, "error getting repository tags")
 	}
-	for _, tag := range tags {
-		name := spec + ":" + tag
-		names = append(names, name)
-	}
 
 	var foundIDs []string
-	foundImage := true
-	for _, name := range names {
+	for _, tag := range tags {
+		name := imageName + ":" + tag
 		newImage, err := runtime.New(getContext(), name, c.SignaturePolicy, c.Authfile, writer, &dockerRegistryOptions, image.SigningOptions{}, nil, util.PullImageAlways)
 		if err != nil {
 			logrus.Errorf("error pulling image %q", name)
-			foundImage = false
 			continue
 		}
 		foundIDs = append(foundIDs, newImage.ID())
 	}
-	if len(names) == 1 && !foundImage {
-		return errors.Wrapf(err, "error pulling image %q", imgArg)
+
+	if len(tags) != len(foundIDs) {
+		return errors.Errorf("error pulling image %q", imageName)
 	}
-	if len(names) > 1 {
+
+	if len(foundIDs) > 1 {
 		fmt.Println("Pulled Images:")
 	}
 	for _, id := range foundIDs {
diff --git a/cmd/podman/shared/container.go b/cmd/podman/shared/container.go
index 9459247ed..ff3846e70 100644
--- a/cmd/podman/shared/container.go
+++ b/cmd/podman/shared/container.go
@@ -640,6 +640,11 @@ func GetNamespaces(pid int) *Namespace {
 	}
 }
 
+// GetNamespaceInfo is an exported wrapper for getNamespaceInfo
+func GetNamespaceInfo(path string) (string, error) {
+	return getNamespaceInfo(path)
+}
+
 func getNamespaceInfo(path string) (string, error) {
 	val, err := os.Readlink(path)
 	if err != nil {
diff --git a/cmd/podman/shared/create.go b/cmd/podman/shared/create.go
index 010c80373..be5adcccb 100644
--- a/cmd/podman/shared/create.go
+++ b/cmd/podman/shared/create.go
@@ -22,6 +22,7 @@ import (
 	"github.com/containers/libpod/pkg/inspect"
 	ns "github.com/containers/libpod/pkg/namespaces"
 	"github.com/containers/libpod/pkg/rootless"
+	"github.com/containers/libpod/pkg/seccomp"
 	cc "github.com/containers/libpod/pkg/spec"
 	"github.com/containers/libpod/pkg/util"
 	"github.com/docker/go-connections/nat"
@@ -31,10 +32,6 @@ import (
 	"github.com/sirupsen/logrus"
 )
 
-// seccompLabelKey is the key of the image annotation embedding a seccomp
-// profile.
-const seccompLabelKey = "io.containers.seccomp.profile"
-
 func CreateContainer(ctx context.Context, c *GenericCLIResults, runtime *libpod.Runtime) (*libpod.Container, *cc.CreateConfig, error) {
 	var (
 		healthCheck *manifest.Schema2HealthConfig
@@ -109,11 +106,11 @@ func CreateContainer(ctx context.Context, c *GenericCLIResults, runtime *libpod.
 		}
 
 		if overrideOS == "" && imageData.Os != goruntime.GOOS {
-			return nil, nil, errors.Errorf("incompatible image OS %q on %q host", imageData.Os, goruntime.GOOS)
+			logrus.Infof("Using %q (OS) image on %q host", imageData.Os, goruntime.GOOS)
 		}
 
 		if overrideArch == "" && imageData.Architecture != goruntime.GOARCH {
-			return nil, nil, errors.Errorf("incompatible image architecture %q on %q host", imageData.Architecture, goruntime.GOARCH)
+			logrus.Infof("Using %q (architecture) on %q host", imageData.Architecture, goruntime.GOARCH)
 		}
 
 		names := newImage.Names()
@@ -713,11 +710,11 @@ func ParseCreateOpts(ctx context.Context, c *GenericCLIResults, runtime *libpod.
 
 	// SECCOMP
 	if data != nil {
-		if value, exists := labels[seccompLabelKey]; exists {
+		if value, exists := labels[seccomp.ContainerImageLabel]; exists {
 			secConfig.SeccompProfileFromImage = value
 		}
 	}
-	if policy, err := cc.LookupSeccompPolicy(c.String("seccomp-policy")); err != nil {
+	if policy, err := seccomp.LookupPolicy(c.String("seccomp-policy")); err != nil {
 		return nil, err
 	} else {
 		secConfig.SeccompPolicy = policy
@@ -761,6 +758,7 @@ func ParseCreateOpts(ctx context.Context, c *GenericCLIResults, runtime *libpod.
 			CPURtPeriod:       c.Uint64("cpu-rt-period"),
 			CPURtRuntime:      c.Int64("cpu-rt-runtime"),
 			CPUs:              c.Float64("cpus"),
+			DeviceCgroupRules: c.StringSlice("device-cgroup-rule"),
 			DeviceReadBps:     c.StringSlice("device-read-bps"),
 			DeviceReadIOps:    c.StringSlice("device-read-iops"),
 			DeviceWriteBps:    c.StringSlice("device-write-bps"),
diff --git a/cmd/podman/shared/intermediate.go b/cmd/podman/shared/intermediate.go
index cfb3f612c..ee212234f 100644
--- a/cmd/podman/shared/intermediate.go
+++ b/cmd/podman/shared/intermediate.go
@@ -386,6 +386,7 @@ func NewIntermediateLayer(c *cliconfig.PodmanCommand, remote bool) GenericCLIRes
 	m["detach"] = newCRBool(c, "detach")
 	m["detach-keys"] = newCRString(c, "detach-keys")
 	m["device"] = newCRStringSlice(c, "device")
+	m["device-cgroup-rule"] = newCRStringSlice(c, "device-cgroup-rule")
 	m["device-read-bps"] = newCRStringSlice(c, "device-read-bps")
 	m["device-read-iops"] = newCRStringSlice(c, "device-read-iops")
 	m["device-write-bps"] = newCRStringSlice(c, "device-write-bps")