4 files changed, 37 insertions, 48 deletions
diff --git a/cmd/podman/create_cli.go b/cmd/podman/create_cli.go
index 1a0830f2e..95b9321fd 100644
--- a/cmd/podman/create_cli.go
+++ b/cmd/podman/create_cli.go
@@ -201,6 +201,9 @@ func parseVolumesFrom(volumesFrom []string) error {
 }
 
 func validateVolumeHostDir(hostDir string) error {
+	if len(hostDir) == 0 {
+		return errors.Errorf("host directory cannot be empty")
+	}
 	if filepath.IsAbs(hostDir) {
 		if _, err := os.Stat(hostDir); err != nil {
 			return errors.Wrapf(err, "error checking path %q", hostDir)
@@ -212,6 +215,9 @@ func validateVolumeHostDir(hostDir string) error {
 }
 
 func validateVolumeCtrDir(ctrDir string) error {
+	if len(ctrDir) == 0 {
+		return errors.Errorf("container directory cannot be empty")
+	}
 	if !filepath.IsAbs(ctrDir) {
 		return errors.Errorf("invalid container path, must be an absolute path %q", ctrDir)
 	}
diff --git a/cmd/podman/main.go b/cmd/podman/main.go
index 43804ee35..604404827 100644
--- a/cmd/podman/main.go
+++ b/cmd/podman/main.go
@@ -148,16 +148,20 @@ func main() {
 			logrus.SetLevel(level)
 		}
 
-		// Only if not rootless, set rlimits for open files.
-		// We open numerous FDs for ports opened
-		if !rootless.IsRootless() {
-			rlimits := new(syscall.Rlimit)
-			rlimits.Cur = 1048576
-			rlimits.Max = 1048576
+		rlimits := new(syscall.Rlimit)
+		rlimits.Cur = 1048576
+		rlimits.Max = 1048576
+		if err := syscall.Setrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil {
+			if err := syscall.Getrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil {
+				return errors.Wrapf(err, "error getting rlimits")
+			}
+			rlimits.Cur = rlimits.Max
 			if err := syscall.Setrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil {
 				return errors.Wrapf(err, "error setting new rlimits")
 			}
-		} else {
+		}
+
+		if rootless.IsRootless() {
 			logrus.Info("running as rootless")
 		}
 
diff --git a/cmd/podman/sign.go b/cmd/podman/sign.go
index e7367a311..1d9aecdc9 100644
--- a/cmd/podman/sign.go
+++ b/cmd/podman/sign.go
@@ -141,7 +141,8 @@ func signCmd(c *cli.Context) error {
 			return errors.Wrapf(err, "error creating new signature")
 		}
 
-		sigStoreDir = filepath.Join(sigStoreDir, strings.Replace(repos[0][strings.Index(repos[0], "/")+1:len(repos[0])], ":", "=", 1))
+		trimmedDigest := strings.TrimPrefix(repos[0], strings.Split(repos[0], "/")[0])
+		sigStoreDir = filepath.Join(sigStoreDir, strings.Replace(trimmedDigest, ":", "=", 1))
 		if err := os.MkdirAll(sigStoreDir, 0751); err != nil {
 			// The directory is allowed to exist
 			if !os.IsExist(err) {
diff --git a/cmd/podman/trust.go b/cmd/podman/trust.go
index 7c404cd3f..863f36d09 100644
--- a/cmd/podman/trust.go
+++ b/cmd/podman/trust.go
@@ -13,7 +13,6 @@ import (
 	"github.com/containers/libpod/libpod/image"
 	"github.com/containers/libpod/pkg/trust"
 	"github.com/pkg/errors"
-	"github.com/sirupsen/logrus"
 	"github.com/urfave/cli"
 )
 
@@ -132,7 +131,7 @@ func showTrustCmd(c *cli.Context) error {
 	if err := json.Unmarshal(policyContent, &policyContentStruct); err != nil {
 		return errors.Errorf("could not read trust policies")
 	}
-	policyJSON, err := trust.GetPolicyJSON(policyContentStruct, systemRegistriesDirPath)
+	policyJSON, showOutputMap, err := trust.GetPolicy(policyContentStruct, systemRegistriesDirPath)
 	if err != nil {
 		return errors.Wrapf(err, "error reading registry config file")
 	}
@@ -144,31 +143,12 @@ func showTrustCmd(c *cli.Context) error {
 	}
 
 	sortedRepos := sortPolicyJSONKey(policyJSON)
-	type policydefault struct {
-		Repo      string
-		Trusttype string
-		GPGid     string
-		Sigstore  string
-	}
-	var policyoutput []policydefault
-	for _, repo := range sortedRepos {
-		repoval := policyJSON[repo]
-		var defaultstruct policydefault
-		defaultstruct.Repo = repo
-		if repoval["type"] != nil {
-			defaultstruct.Trusttype = trustTypeDescription(repoval["type"].(string))
-		}
-		if repoval["keys"] != nil && len(repoval["keys"].([]string)) > 0 {
-			defaultstruct.GPGid = trust.GetGPGId(repoval["keys"].([]string))
-		}
-		if repoval["sigstore"] != nil {
-			defaultstruct.Sigstore = repoval["sigstore"].(string)
-		}
-		policyoutput = append(policyoutput, defaultstruct)
-	}
 	var output []interface{}
-	for _, ele := range policyoutput {
-		output = append(output, interface{}(ele))
+	for _, reponame := range sortedRepos {
+		showOutput, exists := showOutputMap[reponame]
+		if exists {
+			output = append(output, interface{}(showOutput))
+		}
 	}
 	out := formats.StdoutTemplateArray{Output: output, Template: "{{.Repo}}\t{{.Trusttype}}\t{{.GPGid}}\t{{.Sigstore}}"}
 	return formats.Writer(out).Out()
@@ -209,8 +189,10 @@ func setTrustCmd(c *cli.Context) error {
 		policyPath = trust.DefaultPolicyPath(runtime.SystemContext())
 	}
 	var policyContentStruct trust.PolicyContent
+	policyFileExists := false
 	_, err = os.Stat(policyPath)
 	if !os.IsNotExist(err) {
+		policyFileExists = true
 		policyContent, err := ioutil.ReadFile(policyPath)
 		if err != nil {
 			return errors.Wrapf(err, "unable to read %s", policyPath)
@@ -218,6 +200,9 @@ func setTrustCmd(c *cli.Context) error {
 		if err := json.Unmarshal(policyContent, &policyContentStruct); err != nil {
 			return errors.Errorf("could not read trust policies")
 		}
+		if args[0] != "default" && len(policyContentStruct.Default) == 0 {
+			return errors.Errorf("Default trust policy must be set.")
+		}
 	}
 	var newReposContent []trust.RepoContent
 	if len(pubkeysfile) != 0 {
@@ -230,15 +215,18 @@ func setTrustCmd(c *cli.Context) error {
 	if args[0] == "default" {
 		policyContentStruct.Default = newReposContent
 	} else {
-		exists := false
+		if policyFileExists == false && len(policyContentStruct.Default) == 0 {
+			return errors.Errorf("Default trust policy must be set to create the policy file.")
+		}
+		registryExists := false
 		for transport, transportval := range policyContentStruct.Transports {
-			_, exists = transportval[args[0]]
-			if exists {
+			_, registryExists = transportval[args[0]]
+			if registryExists {
 				policyContentStruct.Transports[transport][args[0]] = newReposContent
 				break
 			}
 		}
-		if !exists {
+		if !registryExists {
 			if policyContentStruct.Transports == nil {
 				policyContentStruct.Transports = make(map[string]trust.RepoMap)
 			}
@@ -260,16 +248,6 @@ func setTrustCmd(c *cli.Context) error {
 	return nil
 }
 
-var typeDescription = map[string]string{"insecureAcceptAnything": "accept", "signedBy": "signed", "reject": "reject"}
-
-func trustTypeDescription(trustType string) string {
-	trustDescription, exist := typeDescription[trustType]
-	if !exist {
-		logrus.Warnf("invalid trust type %s", trustType)
-	}
-	return trustDescription
-}
-
 func sortPolicyJSONKey(m map[string]map[string]interface{}) []string {
 	keys := make([]string, len(m))
 	i := 0