Diffstat (limited to 'libpod')
-rw-r--r--libpod/config/config.go2
-rw-r--r--libpod/container_api.go2
-rw-r--r--libpod/container_inspect.go4
-rw-r--r--libpod/container_internal.go2
-rw-r--r--libpod/container_log_linux.go2
-rw-r--r--libpod/events/journal_linux.go4
-rw-r--r--libpod/healthcheck_linux.go4
-rw-r--r--libpod/image/filters.go2
-rw-r--r--libpod/image/image.go33
-rw-r--r--libpod/kube.go23
-rw-r--r--libpod/logs/log.go3
-rw-r--r--libpod/networking_linux.go4
-rw-r--r--libpod/oci.go2
-rw-r--r--libpod/oci_conmon_linux.go2
-rw-r--r--libpod/runtime_ctr.go10
-rw-r--r--libpod/runtime_img.go10
-rw-r--r--libpod/runtime_pod_infra_linux.go4
-rw-r--r--libpod/storage.go2
18 files changed, 77 insertions, 38 deletions
diff --git a/libpod/config/config.go b/libpod/config/config.go
index c72a0efc7..5d59f1bf2 100644
--- a/libpod/config/config.go
+++ b/libpod/config/config.go
@@ -437,7 +437,7 @@ func probeConmon(conmonBinary string) error {
// with cgroupsv2. Other OCI runtimes are not yet supporting cgroupsv2. This
// might change in the future.
func NewConfig(userConfigPath string) (*Config, error) {
- // Start with the default config and interatively merge fields in the system
+ // Start with the default config and iteratively merge fields in the system
// configs.
config, err := defaultConfigFromMemory()
if err != nil {
diff --git a/libpod/container_api.go b/libpod/container_api.go
index ee879b69d..039619ea6 100644
--- a/libpod/container_api.go
+++ b/libpod/container_api.go
@@ -395,7 +395,7 @@ func (c *Container) Attach(streams *AttachStreams, keys string, resize <-chan re
// HTTPAttach forwards an attach session over a hijacked HTTP session.
// HTTPAttach will consume and close the included httpCon, which is expected to
// be sourced from a hijacked HTTP connection.
-// The cancel channel is optional, and can be used to asyncronously cancel the
+// The cancel channel is optional, and can be used to asynchronously cancel the
// attach session.
// The streams variable is only supported if the container was not a terminal,
// and allows specifying which of the container's standard streams will be
diff --git a/libpod/container_inspect.go b/libpod/container_inspect.go
index a543a19c0..50ae72499 100644
--- a/libpod/container_inspect.go
+++ b/libpod/container_inspect.go
@@ -670,8 +670,8 @@ type InspectAdditionalNetwork struct {
// DriverOpts is presently unused and maintained exclusively for
// compatibility.
DriverOpts map[string]string `json:"DriverOpts"`
- // IPAMConfig is presently unused and maintained exlusively for
- // compabitility.
+ // IPAMConfig is presently unused and maintained exclusively for
+ // compatibility.
IPAMConfig map[string]string `json:"IPAMConfig"`
// Links is presently unused and maintained exclusively for
// compatibility.
diff --git a/libpod/container_internal.go b/libpod/container_internal.go
index ff43bfc8f..a0805c1fa 100644
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@@ -951,7 +951,7 @@ func (c *Container) completeNetworkSetup() error {
return err
}
for _, line := range strings.Split(string(b), "\n") {
- // only keep things that dont start with nameserver from the old
+ // only keep things that don't start with nameserver from the old
// resolv.conf file
if !strings.HasPrefix(line, "nameserver") {
outResolvConf = append([]string{line}, outResolvConf...)
diff --git a/libpod/container_log_linux.go b/libpod/container_log_linux.go
index 748715ed3..03010d8ed 100644
--- a/libpod/container_log_linux.go
+++ b/libpod/container_log_linux.go
@@ -11,7 +11,7 @@ import (
"time"
"github.com/containers/libpod/libpod/logs"
- journal "github.com/coreos/go-systemd/sdjournal"
+ journal "github.com/coreos/go-systemd/v22/sdjournal"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
)
diff --git a/libpod/events/journal_linux.go b/libpod/events/journal_linux.go
index 9e6fffc29..482435038 100644
--- a/libpod/events/journal_linux.go
+++ b/libpod/events/journal_linux.go
@@ -7,8 +7,8 @@ import (
"strconv"
"time"
- "github.com/coreos/go-systemd/journal"
- "github.com/coreos/go-systemd/sdjournal"
+ "github.com/coreos/go-systemd/v22/journal"
+ "github.com/coreos/go-systemd/v22/sdjournal"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
)
diff --git a/libpod/healthcheck_linux.go b/libpod/healthcheck_linux.go
index dca72430d..5da2d311b 100644
--- a/libpod/healthcheck_linux.go
+++ b/libpod/healthcheck_linux.go
@@ -9,8 +9,8 @@ import (
"strings"
"github.com/containers/libpod/pkg/rootless"
- "github.com/coreos/go-systemd/dbus"
- godbus "github.com/godbus/dbus"
+ "github.com/coreos/go-systemd/v22/dbus"
+ godbus "github.com/godbus/dbus/v5"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
)
diff --git a/libpod/image/filters.go b/libpod/image/filters.go
index c54ca6333..8ca3526a0 100644
--- a/libpod/image/filters.go
+++ b/libpod/image/filters.go
@@ -3,13 +3,13 @@ package image
import (
"context"
"fmt"
- "github.com/pkg/errors"
"path/filepath"
"strconv"
"strings"
"time"
"github.com/containers/libpod/pkg/inspect"
+ "github.com/pkg/errors"
"github.com/sirupsen/logrus"
)
diff --git a/libpod/image/image.go b/libpod/image/image.go
index 43fd52a1a..5f914ed79 100644
--- a/libpod/image/image.go
+++ b/libpod/image/image.go
@@ -916,12 +916,7 @@ func (i *Image) imageInspectInfo(ctx context.Context) (*types.ImageInspectInfo,
return i.inspectInfo, nil
}
-// Inspect returns an image's inspect data
-func (i *Image) Inspect(ctx context.Context) (*inspect.ImageData, error) {
- span, _ := opentracing.StartSpanFromContext(ctx, "imageInspect")
- span.SetTag("type", "image")
- defer span.Finish()
-
+func (i *Image) inspect(ctx context.Context, calculateSize bool) (*inspect.ImageData, error) {
ociv1Img, err := i.ociv1Image(ctx)
if err != nil {
ociv1Img = &ociv1.Image{}
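Review bot: The new unexported `inspect` helper loses the doc comment that `Inspect` carried, and nothing explains what `calculateSize` controls. Suggest `// inspect builds the image's inspect data; when calculateSize is false the call to i.Size is skipped and Size stays at -1.` above the signature. The function body continues outside this hunk.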
@@ -936,8 +931,10 @@ func (i *Image) Inspect(ctx context.Context) (*inspect.ImageData, error) {
}
size := int64(-1)
- if usize, err := i.Size(ctx); err == nil {
- size = int64(*usize)
+ if calculateSize {
+ if usize, err := i.Size(ctx); err == nil {
+ size = int64(*usize)
+ }
}
repoTags, err := i.RepoTags()
@@ -1002,6 +999,26 @@ func (i *Image) Inspect(ctx context.Context) (*inspect.ImageData, error) {
return data, nil
}
+// Inspect returns an image's inspect data
+func (i *Image) Inspect(ctx context.Context) (*inspect.ImageData, error) {
+ span, _ := opentracing.StartSpanFromContext(ctx, "imageInspect")
+
+ span.SetTag("type", "image")
+ defer span.Finish()
+
+ return i.inspect(ctx, true)
+}
+
+// InspectNoSize returns an image's inspect data without calculating the size for the image
+func (i *Image) InspectNoSize(ctx context.Context) (*inspect.ImageData, error) {
+ span, _ := opentracing.StartSpanFromContext(ctx, "imageInspectNoSize")
+
+ span.SetTag("type", "image")
+ defer span.Finish()
+
+ return i.inspect(ctx, false)
+}
+
// Import imports and image into the store and returns an image
func (ir *Runtime) Import(ctx context.Context, path, reference string, writer io.Writer, signingOptions SigningOptions, imageConfig ociv1.Image) (*Image, error) {
src, err := tarball.Transport.ParseReference(path)
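Review bot: The `InspectNoSize` comment does not tell callers what they get in place of a size. From the second hunk, `size` keeps its initial `int64(-1)` when `calculateSize` is false, which is the same value `Inspect` yields when `i.Size` fails. Suggest extending the comment to `// InspectNoSize returns an image's inspect data without calculating the image size; the Size field is reported as -1.` so consumers do not treat -1 as a lookup error.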
diff --git a/libpod/kube.go b/libpod/kube.go
index 7a5ab670d..5511d303d 100644
--- a/libpod/kube.go
+++ b/libpod/kube.go
@@ -468,11 +468,26 @@ func generateKubeSecurityContext(c *Container) (*v1.SecurityContext, error) {
return nil, err
}
+ var selinuxOpts v1.SELinuxOptions
+ opts := strings.SplitN(c.config.Spec.Annotations[InspectAnnotationLabel], ":", 2)
+ if len(opts) == 2 {
+ switch opts[0] {
+ case "type":
+ selinuxOpts.Type = opts[1]
+ case "level":
+ selinuxOpts.Level = opts[1]
+ }
+ }
+ if len(opts) == 1 {
+ if opts[0] == "disable" {
+ selinuxOpts.Type = "spc_t"
+ }
+ }
+
sc := v1.SecurityContext{
- Capabilities: newCaps,
- Privileged: &priv,
- // TODO How do we know if selinux were passed into podman
- //SELinuxOptions:
+ Capabilities: newCaps,
+ Privileged: &priv,
+ SELinuxOptions: &selinuxOpts,
// RunAsNonRoot is an optional parameter; our first implementations should be root only; however
// I'm leaving this as a bread-crumb for later
//RunAsNonRoot: &nonRoot,
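Review bot: `SELinuxOptions: &selinuxOpts` is set unconditionally, so a container with no label annotation, or one whose key is neither `type` nor `level`, still gets a non-nil but empty SELinuxOptions in the generated security context. Consider leaving the field nil unless something was parsed, e.g. `if selinuxOpts != (v1.SELinuxOptions{}) { sc.SELinuxOptions = &selinuxOpts }` after the literal. The `disable` branch emits `spc_t`, which as far as I know runs the workload effectively unconfined by SELinux wherever the generated manifest is applied; a one-line comment stating that would help whoever reviews the output. generateKubeSecurityContext starts and ends outside this hunk.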
diff --git a/libpod/logs/log.go b/libpod/logs/log.go
index 200ef3e99..6ad2a305f 100644
--- a/libpod/logs/log.go
+++ b/libpod/logs/log.go
@@ -167,8 +167,7 @@ func (l *LogLine) String(options *LogOptions) string {
var out string
if options.Multi {
if options.UseName {
- cname := l.CName
- out = fmt.Sprintf("%s ", cname)
+ out = l.CName + " "
} else {
cid := l.CID
if len(cid) > 12 {
diff --git a/libpod/networking_linux.go b/libpod/networking_linux.go
index d57b1a8eb..5a27a2abb 100644
--- a/libpod/networking_linux.go
+++ b/libpod/networking_linux.go
@@ -117,10 +117,10 @@ func (r *Runtime) configureNetNS(ctr *Container, ctrNS ns.NetNS) ([]*cnitypes.Re
networkStatus := make([]*cnitypes.Result, 0)
for idx, r := range results {
- logrus.Debugf("[%d] CNI result: %v", idx, r.Result.String())
+ logrus.Debugf("[%d] CNI result: %v", idx, r.Result)
resultCurrent, err := cnitypes.GetResult(r.Result)
if err != nil {
- return nil, errors.Wrapf(err, "error parsing CNI plugin result %q: %v", r.Result.String(), err)
+ return nil, errors.Wrapf(err, "error parsing CNI plugin result %q: %v", r.Result, err)
}
networkStatus = append(networkStatus, resultCurrent)
}
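Review bot: The `errors.Wrapf(err, "error parsing CNI plugin result %q: %v", r.Result, err)` call formats `err` into the message and also wraps it, so the underlying error text appears twice in the final string. Dropping the trailing verb and argument gives `errors.Wrapf(err, "error parsing CNI plugin result %q", r.Result)`. The loop variable `r` also shadows the `r *Runtime` receiver inside the loop; a name such as `res` would avoid that. configureNetNS continues outside this hunk.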
diff --git a/libpod/oci.go b/libpod/oci.go
index 2ea61851f..27edebefc 100644
--- a/libpod/oci.go
+++ b/libpod/oci.go
@@ -55,7 +55,7 @@ type OCIRuntime interface {
// to output; otherwise, STDOUT and STDERR will be multiplexed, with
// a header prepended as follows: 1-byte STREAM (0, 1, 2 for STDIN,
// STDOUT, STDERR), 3 null (0x00) bytes, 4-byte big endian length.
- // If a cancel channel is provided, it can be used to asyncronously
+ // If a cancel channel is provided, it can be used to asynchronously
// termninate the attach session. Detach keys, if given, will also cause
// the attach session to be terminated if provided via the STDIN
// channel. If they are not provided, the default detach keys will be
diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go
index 800f89603..a5530e448 100644
--- a/libpod/oci_conmon_linux.go
+++ b/libpod/oci_conmon_linux.go
@@ -30,7 +30,7 @@ import (
"github.com/containers/libpod/pkg/util"
"github.com/containers/libpod/utils"
pmount "github.com/containers/storage/pkg/mount"
- "github.com/coreos/go-systemd/activation"
+ "github.com/coreos/go-systemd/v22/activation"
spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/selinux/go-selinux"
"github.com/opencontainers/selinux/go-selinux/label"
diff --git a/libpod/runtime_ctr.go b/libpod/runtime_ctr.go
index de93fdce7..ba2a6b93e 100644
--- a/libpod/runtime_ctr.go
+++ b/libpod/runtime_ctr.go
@@ -10,6 +10,7 @@ import (
"github.com/containers/libpod/libpod/define"
"github.com/containers/libpod/libpod/events"
+ "github.com/containers/libpod/pkg/cgroups"
"github.com/containers/libpod/pkg/rootless"
"github.com/containers/storage/pkg/stringid"
spec "github.com/opencontainers/runtime-spec/specs-go"
@@ -438,9 +439,16 @@ func (r *Runtime) removeContainer(ctx context.Context, c *Container, force bool,
if err := c.ociRuntime.KillContainer(c, 9, false); err != nil {
return err
}
- if err := c.unpause(); err != nil {
+ isV2, err := cgroups.IsCgroup2UnifiedMode()
+ if err != nil {
return err
}
+ // cgroups v1 and v2 handle signals on paused processes differently
+ if !isV2 {
+ if err := c.unpause(); err != nil {
+ return err
+ }
+ }
// Need to update container state to make sure we know it's stopped
if err := c.waitForExitFileAndSync(); err != nil {
return err
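Review bot: `cgroups.IsCgroup2UnifiedMode()` is probed only after `KillContainer(c, 9, false)` has already been sent, so a probe failure returns with the container signalled but, on cgroups v1, still paused and with `waitForExitFileAndSync` never reached. Calling the probe before the kill keeps that error path free of side effects. The comment also does not say which hierarchy needs what; something like `// cgroups v1 only delivers the kill once the container is thawed, so unpause; cgroups v2 delivers fatal signals to frozen processes` would be clearer, with the wording checked against the behaviour the author observed. removeContainer starts and ends outside this hunk.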
diff --git a/libpod/runtime_img.go b/libpod/runtime_img.go
index bae1c1ed8..6ac32878b 100644
--- a/libpod/runtime_img.go
+++ b/libpod/runtime_img.go
@@ -21,7 +21,7 @@ import (
"github.com/containers/image/v5/directory"
dockerarchive "github.com/containers/image/v5/docker/archive"
ociarchive "github.com/containers/image/v5/oci/archive"
- "github.com/opencontainers/image-spec/specs-go/v1"
+ v1 "github.com/opencontainers/image-spec/specs-go/v1"
)
// Runtime API
@@ -209,11 +209,11 @@ func (r *Runtime) Import(ctx context.Context, source string, reference string, c
}
// donwloadFromURL downloads an image in the format "https:/example.com/myimage.tar"
-// and temporarily saves in it /var/tmp/importxyz, which is deleted after the image is imported
+// and temporarily saves in it $TMPDIR/importxyz, which is deleted after the image is imported
func downloadFromURL(source string) (string, error) {
fmt.Printf("Downloading from %q\n", source)
- outFile, err := ioutil.TempFile("/var/tmp", "import")
+ outFile, err := ioutil.TempFile(util.Tmpdir(), "import")
if err != nil {
return "", errors.Wrap(err, "error creating file")
}
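Review bot: The doc comments edited here still carry their old typos (`donwloadFromURL`, `https:/example.com`, `saves in it`), and the same `saves in it` remains on `DownloadFromFile` in the next hunk. Since these lines are being touched anyway, suggest `// downloadFromURL downloads an image in the format "https://example.com/myimage.tar"` and `// and temporarily saves it in $TMPDIR/importxyz, which is deleted after the image is imported`. It would also help to state which directory `util.Tmpdir()` uses when TMPDIR is unset, as that is not visible from this hunk. The body of downloadFromURL continues outside the hunk.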
@@ -234,9 +234,9 @@ func downloadFromURL(source string) (string, error) {
}
// DownloadFromFile reads all of the content from the reader and temporarily
-// saves in it /var/tmp/importxyz, which is deleted after the image is imported
+// saves in it $TMPDIR/importxyz, which is deleted after the image is imported
func DownloadFromFile(reader *os.File) (string, error) {
- outFile, err := ioutil.TempFile("/var/tmp", "import")
+ outFile, err := ioutil.TempFile(util.Tmpdir(), "import")
if err != nil {
return "", errors.Wrap(err, "error creating file")
}
diff --git a/libpod/runtime_pod_infra_linux.go b/libpod/runtime_pod_infra_linux.go
index da46f03e8..279cafa39 100644
--- a/libpod/runtime_pod_infra_linux.go
+++ b/libpod/runtime_pod_infra_linux.go
@@ -10,7 +10,7 @@ import (
"github.com/containers/libpod/libpod/image"
"github.com/containers/libpod/pkg/rootless"
"github.com/containers/libpod/pkg/util"
- "github.com/opencontainers/image-spec/specs-go/v1"
+ v1 "github.com/opencontainers/image-spec/specs-go/v1"
spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/runtime-tools/generate"
"github.com/pkg/errors"
@@ -147,7 +147,7 @@ func (r *Runtime) createInfraContainer(ctx context.Context, p *Pod) (*Container,
return nil, err
}
- data, err := newImage.Inspect(ctx)
+ data, err := newImage.InspectNoSize(ctx)
if err != nil {
return nil, err
}
diff --git a/libpod/storage.go b/libpod/storage.go
index 6375d031b..d675f4ffe 100644
--- a/libpod/storage.go
+++ b/libpod/storage.go
@@ -8,7 +8,7 @@ import (
"github.com/containers/image/v5/types"
"github.com/containers/libpod/libpod/define"
"github.com/containers/storage"
- "github.com/opencontainers/image-spec/specs-go/v1"
+ v1 "github.com/opencontainers/image-spec/specs-go/v1"
"github.com/opentracing/opentracing-go"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"