4 files changed, 71 insertions, 5 deletions
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index eba732d2a..514cdaee1 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"io"
 	"io/ioutil"
+	"math"
 	"net"
 	"os"
 	"os/user"
@@ -35,6 +36,7 @@ import (
 	"github.com/containers/podman/v2/pkg/util"
 	"github.com/containers/podman/v2/utils"
 	"github.com/containers/storage/pkg/archive"
+	"github.com/containers/storage/pkg/idtools"
 	securejoin "github.com/cyphar/filepath-securejoin"
 	runcuser "github.com/opencontainers/runc/libcontainer/user"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
@@ -416,9 +418,43 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
 
 	// Look up and add groups the user belongs to, if a group wasn't directly specified
 	if !strings.Contains(c.config.User, ":") {
+		// the gidMappings that are present inside the container user namespace
+		var gidMappings []idtools.IDMap
+
+		switch {
+		case len(c.config.IDMappings.GIDMap) > 0:
+			gidMappings = c.config.IDMappings.GIDMap
+		case rootless.IsRootless():
+			// Check whether the current user namespace has enough gids available.
+			availableGids, err := rootless.GetAvailableGids()
+			if err != nil {
+				return nil, errors.Wrapf(err, "cannot read number of available GIDs")
+			}
+			gidMappings = []idtools.IDMap{{
+				ContainerID: 0,
+				HostID:      0,
+				Size:        int(availableGids),
+			}}
+		default:
+			gidMappings = []idtools.IDMap{{
+				ContainerID: 0,
+				HostID:      0,
+				Size:        math.MaxInt32,
+			}}
+		}
 		for _, gid := range execUser.Sgids {
-			// FIXME: We need to add a flag to containers.conf to not add these for HPC Users.
-			g.AddProcessAdditionalGid(uint32(gid))
+			isGidAvailable := false
+			for _, m := range gidMappings {
+				if gid >= m.ContainerID && gid < m.ContainerID+m.Size {
+					isGidAvailable = true
+					break
+				}
+			}
+			if isGidAvailable {
+				g.AddProcessAdditionalGid(uint32(gid))
+			} else {
+				logrus.Warnf("additional gid=%d is not present in the user namespace, skip setting it", gid)
+			}
 		}
 	}
 
diff --git a/libpod/container_log_linux.go b/libpod/container_log_linux.go
index 73c2df76e..d895171cf 100644
--- a/libpod/container_log_linux.go
+++ b/libpod/container_log_linux.go
@@ -33,7 +33,7 @@ const (
 func (c *Container) readFromJournal(ctx context.Context, options *logs.LogOptions, logChannel chan *logs.LogLine) error {
 	var config journal.JournalReaderConfig
 	if options.Tail < 0 {
-		config.NumFromTail = math.MaxUint64
+		config.NumFromTail = 0
 	} else {
 		config.NumFromTail = uint64(options.Tail)
 	}
diff --git a/libpod/kube.go b/libpod/kube.go
index f83e99d82..6df79e394 100644
--- a/libpod/kube.go
+++ b/libpod/kube.go
@@ -303,12 +303,24 @@ func containerToV1Container(c *Container) (v1.Container, []v1.Volume, error) {
 	// This should not be applicable
 	//container.EnvFromSource =
 	kubeContainer.Env = envVariables
-	// TODO enable resources when we can support naming conventions
-	//container.Resources
 	kubeContainer.SecurityContext = kubeSec
 	kubeContainer.StdinOnce = false
 	kubeContainer.TTY = c.config.Spec.Process.Terminal
 
+	// TODO add CPU limit support.
+	if c.config.Spec.Linux != nil &&
+		c.config.Spec.Linux.Resources != nil &&
+		c.config.Spec.Linux.Resources.Memory != nil &&
+		c.config.Spec.Linux.Resources.Memory.Limit != nil {
+		if kubeContainer.Resources.Limits == nil {
+			kubeContainer.Resources.Limits = v1.ResourceList{}
+		}
+
+		qty := kubeContainer.Resources.Limits.Memory()
+		qty.Set(*c.config.Spec.Linux.Resources.Memory.Limit)
+		kubeContainer.Resources.Limits[v1.ResourceMemory] = *qty
+	}
+
 	return kubeContainer, kubeVolumes, nil
 }
 
diff --git a/libpod/pod.go b/libpod/pod.go
index a5a0532be..c8f62ca18 100644
--- a/libpod/pod.go
+++ b/libpod/pod.go
@@ -327,3 +327,21 @@ func (p *Pod) GetPodStats(previousContainerStats map[string]*define.ContainerSta
 	}
 	return newContainerStats, nil
 }
+
+// ProcessLabel returns the SELinux label associated with the pod
+func (p *Pod) ProcessLabel() (string, error) {
+	if !p.HasInfraContainer() {
+		return "", nil
+	}
+
+	id, err := p.InfraContainerID()
+	if err != nil {
+		return "", err
+	}
+
+	ctr, err := p.runtime.state.Container(id)
+	if err != nil {
+		return "", err
+	}
+	return ctr.ProcessLabel(), nil
+}