9 files changed, 60 insertions, 28 deletions
diff --git a/contrib/cirrus/lib.sh b/contrib/cirrus/lib.sh
index 724f7c3d5..e7ea05867 100644
--- a/contrib/cirrus/lib.sh
+++ b/contrib/cirrus/lib.sh
@@ -135,6 +135,7 @@ setup_rootless() {
     req_env_vars GOPATH GOSRC SECRET_ENV_RE
 
     ROOTLESS_USER="${ROOTLESS_USER:-some${RANDOM}dude}"
+    ROOTLESS_UID=""
 
     local rootless_uid
     local rootless_gid
@@ -158,6 +159,7 @@ setup_rootless() {
     cd $GOSRC || exit 1
     # Guarantee independence from specific values
     rootless_uid=$[RANDOM+1000]
+    ROOTLESS_UID=$rootless_uid
     rootless_gid=$[RANDOM+1000]
     msg "creating $rootless_uid:$rootless_gid $ROOTLESS_USER user"
     groupadd -g $rootless_gid $ROOTLESS_USER
@@ -173,7 +175,7 @@ setup_rootless() {
     ssh-keygen -t ed25519 -P "" -f "/home/$ROOTLESS_USER/.ssh/id_ed25519"
     ssh-keygen -t rsa -P "" -f "/home/$ROOTLESS_USER/.ssh/id_rsa"
 
-    msg "Setup authorized_keys"
+    msg "Set up authorized_keys"
     cat $HOME/.ssh/*.pub /home/$ROOTLESS_USER/.ssh/*.pub >> $HOME/.ssh/authorized_keys
     cat $HOME/.ssh/*.pub /home/$ROOTLESS_USER/.ssh/*.pub >> /home/$ROOTLESS_USER/.ssh/authorized_keys
 
@@ -186,9 +188,9 @@ setup_rootless() {
     # never be any non-localhost connections made from tests (using strict-mode).
     # If there are, it's either a security problem or a broken test, both of which
     # we want to lead to test failures.
-    msg "   setup known_hosts for $USER"
+    msg "   set up known_hosts for $USER"
     ssh-keyscan localhost > /root/.ssh/known_hosts
-    msg "   setup known_hosts for $ROOTLESS_USER"
+    msg "   set up known_hosts for $ROOTLESS_USER"
     # Maintain access-permission consistency with all other .ssh files.
     install -Z -m 700 -o $ROOTLESS_USER -g $ROOTLESS_USER \
         /root/.ssh/known_hosts /home/$ROOTLESS_USER/.ssh/known_hosts
diff --git a/contrib/cirrus/logformatter b/contrib/cirrus/logformatter
index e45f03df9..59969c3e7 100755
--- a/contrib/cirrus/logformatter
+++ b/contrib/cirrus/logformatter
@@ -190,6 +190,22 @@ END_HTML
     print { $out_fh } "<h2>Synopsis</h2>\n<hr/>\n",
         job_synopsis($test_name), "<hr/>\n";
 
+    # FOR DEBUGGING: dump environment, but in HTML comments to not clutter
+    # This is safe. There is a TOKEN envariable, but it's not sensitive.
+    # There are no sensitive/secret values in our execution environment,
+    # but we're careful anyway. $SECRET_ENV_RE is set in lib.sh
+    my $filter_re = $ENV{SECRET_ENV_RE} || 'ACCOUNT|GC[EP]|PASSW|SECRET|TOKEN';
+    $filter_re .= '|BASH_FUNC';   # These are long and un-useful
+
+    print { $out_fh } "<!-- Environment: -->\n";
+    for my $e (sort keys %ENV) {
+        next if $e =~ /$filter_re/;
+
+        my $val = escapeHTML($ENV{$e});
+        $val =~ s/--/-&#x002D;/g;       # double dash not valid in comments
+        printf { $out_fh } "<!--  %-20s %s -->\n", $e, $val;
+    }
+
     # State variables
     my $previous_timestamp = '';  # timestamp of previous line
     my $cirrus_task;              # Cirrus task number, used for linking
@@ -538,27 +554,24 @@ END_HTML
     # If Cirrus magic envariables are available, write a link to results.
     # FIXME: it'd be so nice to make this a clickable live link.
     #
-    # STATIC_MAGIC_BLOB is the name of a google-storage bucket. It is
-    # unlikely to change often, but if it does you will suddenly start
-    # seeing errors when trying to view formatted logs:
-    #
-    #    AccessDeniedAccess denied.Anonymous caller does not have storage.objects.get access to the Google Cloud Storage object.
-    #
-    # This happened in July 2020 when github.com/containers/libpod was
-    # renamed to podman. If something like that ever happens again, you
-    # will need to get the new magic blob value from:
-    #
-    #   https://console.cloud.google.com/storage/browser?project=libpod-218412
+    # As of June 2022 we use the Cirrus API[1] as the source of our logs,
+    # instead of linking directly to googleapis.com. This will allow us
+    # to abstract cloud-specific details, so we can one day use Amazon cloud.
+    # See #14569 for more info.
     #
-    # You will also probably need to set the bucket Public by clicking on
-    # the bucket name, then the Permissions tab. This is safe, since this
-    # project is fully open-source.
-    if ($have_formatted_log && $ENV{CIRRUS_TASK_ID}) {
-        my $URL_BASE          = "https://storage.googleapis.com";
-        my $STATIC_MAGIC_BLOB = "cirrus-ci-6707778565701632-fcae48";
-        my $ARTIFACT_NAME     = "html";
-
-        my $URL = "${URL_BASE}/${STATIC_MAGIC_BLOB}/artifacts/$ENV{CIRRUS_REPO_FULL_NAME}/$ENV{CIRRUS_TASK_ID}/${ARTIFACT_NAME}/${outfile}";
+    #   [1] https://cirrus-ci.org/guide/writing-tasks/#latest-build-artifacts
+    if ($have_formatted_log && $ENV{CIRRUS_BUILD_ID} && $ENV{CIRRUS_TASK_NAME}) {
+        my $URL_BASE  = "https://api.cirrus-ci.com";
+        my $build_id  = $ENV{CIRRUS_BUILD_ID};
+        my $task_name = $ENV{CIRRUS_TASK_NAME};
+
+        # Escape spaces in task names ("int fedora 35 podman root etc")
+        $task_name =~ s/\s/%20/g;
+
+        # URL is long and cumbersome and duplicaty. The task name cannot be
+        # reduced; the file name could, but I choose to leave it because I
+        # sometimes download HTML logs and oh how I hate "log.html" filenames.
+        my $URL = "${URL_BASE}/v1/artifact/build/$build_id/$task_name/html/${outfile}";
 
         print "\n\nAnnotated results:\n  $URL\n";
     }
diff --git a/contrib/cirrus/runner.sh b/contrib/cirrus/runner.sh
index b9f43f395..d49286ad3 100755
--- a/contrib/cirrus/runner.sh
+++ b/contrib/cirrus/runner.sh
@@ -142,7 +142,10 @@ exec_container() {
     # Line-separated arguments which include shell-escaped special characters
     declare -a envargs
     while read -r var_val; do
-        envargs+=("-e $var_val")
+        # Pass "-e VAR" on the command line, not "-e VAR=value". Podman can
+        # do a much better job of transmitting the value than we can,
+        # especially when value includes spaces.
+        envargs+=("-e" "$(awk -F= '{print $1}' <<<$var_val)")
     done <<<"$(passthrough_envars)"
 
     # VM Images and Container images are built using (nearly) identical operations.
diff --git a/contrib/cirrus/setup_environment.sh b/contrib/cirrus/setup_environment.sh
index f31cd6eeb..9bd35bd06 100755
--- a/contrib/cirrus/setup_environment.sh
+++ b/contrib/cirrus/setup_environment.sh
@@ -186,10 +186,11 @@ esac
 # Required to be defined by caller: Are we testing as root or a regular user
 case "$PRIV_NAME" in
     root)
-        if [[ "$TEST_FLAVOR" = "sys" ]]; then
+        if [[ "$TEST_FLAVOR" = "sys" || "$TEST_FLAVOR" = "apiv2" ]]; then
             # Used in local image-scp testing
             setup_rootless
             echo "PODMAN_ROOTLESS_USER=$ROOTLESS_USER" >> /etc/ci_environment
+            echo "PODMAN_ROOTLESS_UID=$ROOTLESS_UID" >> /etc/ci_environment
         fi
         ;;
     rootless)
@@ -203,6 +204,7 @@ esac
 
 if [[ -n "$ROOTLESS_USER" ]]; then
     echo "ROOTLESS_USER=$ROOTLESS_USER" >> /etc/ci_environment
+    echo "ROOTLESS_UID=$ROOTLESS_UID" >> /etc/ci_environment
 fi
 
 # Required to be defined by caller: Are we testing podman or podman-remote client
diff --git a/contrib/msi/podman.wxs b/contrib/msi/podman.wxs
index 786465589..ac2b5f328 100644
--- a/contrib/msi/podman.wxs
+++ b/contrib/msi/podman.wxs
@@ -41,7 +41,7 @@
 
     <CustomAction Id="AddPath" ExeCommand="add" FileKey="8F507E28-A61D-4E64-A92B-B5A00F023AE8" Execute="deferred" Impersonate="yes" Return="check"/>
     <CustomAction Id="RemovePath" ExeCommand="remove" FileKey="8F507E28-A61D-4E64-A92B-B5A00F023AE8" Execute="deferred" Impersonate="yes" Return="check"/>
-
+    <CustomAction Id='LaunchFile' ExeCommand="open &quot;[INSTALLDIR]podman-for-windows.html&quot;" FileKey="8F507E28-A61D-4E64-A92B-B5A00F023AE8"  Execute="immediate"  Impersonate="yes" Return="check"/>
     <Feature Id="Complete" Level="1">
       <ComponentRef Id="INSTALLDIR_Component"/>
       <ComponentRef Id="MainExecutable"/>
@@ -55,8 +55,9 @@
 
     <InstallExecuteSequence>
       <RemoveExistingProducts Before="InstallInitialize"/>
-      <Custom Action="AddPath" After="InstallFiles">NOT Installed</Custom>
+      <Custom Action="AddPath" Before="InstallFinalize"  After="InstallFiles">NOT Installed</Custom>
       <Custom Action="RemovePath" Before="RemoveFiles" After="InstallInitialize">(REMOVE="ALL") AND (NOT UPGRADINGPRODUCTCODE)</Custom>
+      <Custom Action='LaunchFile' After='InstallFinalize'>(NOT Installed) AND (NOT UILevel=2)</Custom>
     </InstallExecuteSequence>
 
   </Product>
diff --git a/contrib/podmanimage/README.md b/contrib/podmanimage/README.md
index b4ef81d84..0f4f715ad 100644
--- a/contrib/podmanimage/README.md
+++ b/contrib/podmanimage/README.md
@@ -32,7 +32,9 @@ The container images are:
   * `quay.io/podman/upstream:latest` - This image is built daily using the latest
     code found in this GitHub repository.  Due to the image changing frequently,
     it's not guaranteed to be stable or even executable.  The image is built with
-    [the upstream Containerfile](upstream/Containerfile).
+    [the upstream Containerfile](upstream/Containerfile). Note the actual compilation
+    of upstream podman [occurs continuously in
+    COPR](https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/).
 
 ## Sample Usage
 
diff --git a/contrib/podmanimage/stable/Containerfile b/contrib/podmanimage/stable/Containerfile
index 9121c5cde..70ff439d9 100644
--- a/contrib/podmanimage/stable/Containerfile
+++ b/contrib/podmanimage/stable/Containerfile
@@ -11,6 +11,9 @@ FROM registry.fedoraproject.org/fedora:latest
 # Don't include container-selinux and remove
 # directories used by dnf that are just taking
 # up space.
+# TODO: rpm --setcaps... needed due to Fedora (base) image builds
+#       being (maybe still?) affected by
+#       https://bugzilla.redhat.com/show_bug.cgi?id=1995337#c3
 RUN dnf -y update && \
     rpm --setcaps shadow-utils 2>/dev/null && \
     dnf -y install podman fuse-overlayfs \
diff --git a/contrib/podmanimage/testing/Containerfile b/contrib/podmanimage/testing/Containerfile
index 16314a633..65c06f98c 100644
--- a/contrib/podmanimage/testing/Containerfile
+++ b/contrib/podmanimage/testing/Containerfile
@@ -11,6 +11,9 @@ FROM registry.fedoraproject.org/fedora:latest
 # Don't include container-selinux and remove
 # directories used by dnf that are just taking
 # up space.
+# TODO: rpm --setcaps... needed due to Fedora (base) image builds
+#       being (maybe still?) affected by
+#       https://bugzilla.redhat.com/show_bug.cgi?id=1995337#c3
 RUN dnf -y update && \
     rpm --setcaps shadow-utils 2>/dev/null && \
     dnf -y install podman fuse-overlayfs \
diff --git a/contrib/podmanimage/upstream/Containerfile b/contrib/podmanimage/upstream/Containerfile
index c3a07a8d6..96e39c949 100644
--- a/contrib/podmanimage/upstream/Containerfile
+++ b/contrib/podmanimage/upstream/Containerfile
@@ -14,6 +14,9 @@ FROM registry.fedoraproject.org/fedora:latest
 # directories used by dnf that are just taking
 # up space.  The latest podman + deps. come from
 # https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/
+# TODO: rpm --setcaps... needed due to Fedora (base) image builds
+#       being (maybe still?) affected by
+#       https://bugzilla.redhat.com/show_bug.cgi?id=1995337#c3
 RUN dnf -y update && \
     rpm --setcaps shadow-utils 2>/dev/null && \
     dnf -y install 'dnf-command(copr)' --enablerepo=updates-testing && \