Diffstat (limited to 'pkg/adapter')
-rw-r--r--pkg/adapter/containers.go63
-rw-r--r--pkg/adapter/pods.go108
-rw-r--r--pkg/adapter/runtime.go2
-rw-r--r--pkg/adapter/terminal_linux.go3
4 files changed, 112 insertions, 64 deletions
diff --git a/pkg/adapter/containers.go b/pkg/adapter/containers.go
index 430b6925d..287bd8474 100644
--- a/pkg/adapter/containers.go
+++ b/pkg/adapter/containers.go
@@ -307,7 +307,11 @@ func (r *LocalRuntime) Log(c *cliconfig.LogsValues, options *logs.LogOptions) er
if len(c.InputArgs) > 1 {
options.Multi = true
}
- logChannel := make(chan *logs.LogLine, int(c.Tail)*len(c.InputArgs)+1)
+ tailLen := int(c.Tail)
+ if tailLen < 0 {
+ tailLen = 0
+ }
+ logChannel := make(chan *logs.LogLine, tailLen*len(c.InputArgs)+1)
containers, err := shortcuts.GetContainersByContext(false, c.Latest, c.InputArgs, r.Runtime)
if err != nil {
return err
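Review bot: The new clamp only guards the negative side of tailLen; the value still comes straight from the --tail flag, so a very large --tail multiplied by len(c.InputArgs) can overflow int or ask make() for a channel buffer of billions of entries, which panics or exhausts memory before any container is looked up. The buffer size is only a capacity hint, so bounding it does not change behaviour, e.g. `if tailLen > 4096 { tailLen = 4096 }` before the make. c.Tail's declared type is not visible here, so whether int(c.Tail) itself can wrap is inferred. Log starts outside the hunk.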
@@ -396,17 +400,8 @@ func (r *LocalRuntime) Run(ctx context.Context, c *cliconfig.RunValues, exitCode
}
}
- config, err := r.Runtime.GetConfig()
- if err != nil {
- return exitCode, err
- }
- detachKeys := c.String("detach-keys")
- if detachKeys == "" {
- detachKeys = config.DetachKeys
- }
-
// if the container was created as part of a pod, also start its dependencies, if any.
- if err := StartAttachCtr(ctx, ctr, outputStream, errorStream, inputStream, detachKeys, c.Bool("sig-proxy"), true, c.IsSet("pod")); err != nil {
+ if err := StartAttachCtr(ctx, ctr, outputStream, errorStream, inputStream, c.String("detach-keys"), c.Bool("sig-proxy"), true, c.IsSet("pod")); err != nil {
// We've manually detached from the container
// Do not perform cleanup, or wait for container exit code
// Just exit immediately
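Review bot: The fallback to config.DetachKeys is dropped here, so an unset --detach-keys now reaches StartAttachCtr as the empty string, and nothing in this diff (including the terminal_linux.go hunk below) shows StartAttachCtr resolving "" to the libpod default. Unless that resolution happens in lines outside the diff, `podman run` silently loses the configured detach sequence. Worth confirming against StartAttachCtr's body, or keeping the removed three-line lookup here until it does. Run starts outside the hunk.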
@@ -543,12 +538,13 @@ func (r *LocalRuntime) Restore(ctx context.Context, c *cliconfig.RestoreValues)
)
options := libpod.ContainerCheckpointOptions{
- Keep: c.Keep,
- TCPEstablished: c.TcpEstablished,
- TargetFile: c.Import,
- Name: c.Name,
- IgnoreRootfs: c.IgnoreRootfs,
- IgnoreStaticIP: c.IgnoreStaticIP,
+ Keep: c.Keep,
+ TCPEstablished: c.TcpEstablished,
+ TargetFile: c.Import,
+ Name: c.Name,
+ IgnoreRootfs: c.IgnoreRootfs,
+ IgnoreStaticIP: c.IgnoreStaticIP,
+ IgnoreStaticMAC: c.IgnoreStaticMAC,
}
filterFuncs = append(filterFuncs, func(c *libpod.Container) bool {
@@ -656,20 +652,25 @@ func (r *LocalRuntime) Start(ctx context.Context, c *cliconfig.StartValues, sigP
return exitCode, nil
}
- if ctrRunning {
- fmt.Println(ctr.ID())
- continue
- }
- // Handle non-attach start
- // If the container is in a pod, also set to recursively start dependencies
- if err := ctr.Start(ctx, ctr.PodID() != ""); err != nil {
- if lastError != nil {
- fmt.Fprintln(os.Stderr, lastError)
+ // Start the container if it's not running already.
+ if !ctrRunning {
+ // Handle non-attach start
+ // If the container is in a pod, also set to recursively start dependencies
+ if err := ctr.Start(ctx, ctr.PodID() != ""); err != nil {
+ if lastError != nil {
+ fmt.Fprintln(os.Stderr, lastError)
+ }
+ lastError = errors.Wrapf(err, "unable to start container %q", container)
+ continue
}
- lastError = errors.Wrapf(err, "unable to start container %q", container)
- continue
}
- fmt.Println(ctr.ID())
+ // Check if the container is referenced by ID or by name and print
+ // it accordingly.
+ if strings.HasPrefix(ctr.ID(), container) {
+ fmt.Println(ctr.ID())
+ } else {
+ fmt.Println(container)
+ }
}
return exitCode, lastError
}
@@ -891,7 +892,7 @@ func (r *LocalRuntime) execPS(c *libpod.Container, args []string) ([]string, err
streams := new(libpod.AttachStreams)
streams.OutputStream = wPipe
streams.ErrorStream = wPipe
- streams.InputStream = os.Stdin
+ streams.InputStream = bufio.NewReader(os.Stdin)
streams.AttachOutput = true
streams.AttachError = true
streams.AttachInput = true
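Review bot: execPS attaches the caller's os.Stdin to an internal `ps` exec with AttachInput = true, and the new bufio.Reader wrapper makes that more visible: bufio reads ahead in 4 KiB chunks, so bytes already sitting on stdin (a pipe, a here-doc) can be pulled into the buffer and discarded when the exec ends, lost to whatever else expected to read them. A ps helper has no use for input; if nothing downstream requires an input stream, `streams.AttachInput = false` with InputStream left nil would avoid both problems — hedged, since the attach implementation is outside this diff. execPS starts outside the hunk.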
@@ -969,7 +970,7 @@ func (r *LocalRuntime) ExecContainer(ctx context.Context, cli *cliconfig.ExecVal
streams.OutputStream = os.Stdout
streams.ErrorStream = os.Stderr
if cli.Interactive {
- streams.InputStream = os.Stdin
+ streams.InputStream = bufio.NewReader(os.Stdin)
streams.AttachInput = true
}
streams.AttachOutput = true
diff --git a/pkg/adapter/pods.go b/pkg/adapter/pods.go
index d8d5b884f..85f93ed3e 100644
--- a/pkg/adapter/pods.go
+++ b/pkg/adapter/pods.go
@@ -666,10 +666,69 @@ func getPodPorts(containers []v1.Container) []ocicni.PortMapping {
return infraPorts
}
+func setupSecurityContext(securityConfig *createconfig.SecurityConfig, userConfig *createconfig.UserConfig, containerYAML v1.Container) {
+ if containerYAML.SecurityContext == nil {
+ return
+ }
+ if containerYAML.SecurityContext.ReadOnlyRootFilesystem != nil {
+ securityConfig.ReadOnlyRootfs = *containerYAML.SecurityContext.ReadOnlyRootFilesystem
+ }
+ if containerYAML.SecurityContext.Privileged != nil {
+ securityConfig.Privileged = *containerYAML.SecurityContext.Privileged
+ }
+
+ if containerYAML.SecurityContext.AllowPrivilegeEscalation != nil {
+ securityConfig.NoNewPrivs = !*containerYAML.SecurityContext.AllowPrivilegeEscalation
+ }
+
+ if seopt := containerYAML.SecurityContext.SELinuxOptions; seopt != nil {
+ if seopt.User != "" {
+ securityConfig.SecurityOpts = append(securityConfig.SecurityOpts, fmt.Sprintf("label=user:%s", seopt.User))
+ securityConfig.LabelOpts = append(securityConfig.LabelOpts, fmt.Sprintf("user:%s", seopt.User))
+ }
+ if seopt.Role != "" {
+ securityConfig.SecurityOpts = append(securityConfig.SecurityOpts, fmt.Sprintf("label=role:%s", seopt.Role))
+ securityConfig.LabelOpts = append(securityConfig.LabelOpts, fmt.Sprintf("role:%s", seopt.Role))
+ }
+ if seopt.Type != "" {
+ securityConfig.SecurityOpts = append(securityConfig.SecurityOpts, fmt.Sprintf("label=type:%s", seopt.Type))
+ securityConfig.LabelOpts = append(securityConfig.LabelOpts, fmt.Sprintf("type:%s", seopt.Type))
+ }
+ if seopt.Level != "" {
+ securityConfig.SecurityOpts = append(securityConfig.SecurityOpts, fmt.Sprintf("label=level:%s", seopt.Level))
+ securityConfig.LabelOpts = append(securityConfig.LabelOpts, fmt.Sprintf("level:%s", seopt.Level))
+ }
+ }
+ if caps := containerYAML.SecurityContext.Capabilities; caps != nil {
+ for _, capability := range caps.Add {
+ securityConfig.CapAdd = append(securityConfig.CapAdd, string(capability))
+ }
+ for _, capability := range caps.Drop {
+ securityConfig.CapDrop = append(securityConfig.CapDrop, string(capability))
+ }
+ }
+ if containerYAML.SecurityContext.RunAsUser != nil {
+ userConfig.User = fmt.Sprintf("%d", *containerYAML.SecurityContext.RunAsUser)
+ }
+ if containerYAML.SecurityContext.RunAsGroup != nil {
+ if userConfig.User == "" {
+ userConfig.User = "0"
+ }
+ userConfig.User = fmt.Sprintf("%s:%d", userConfig.User, *containerYAML.SecurityContext.RunAsGroup)
+ }
+}
+
// kubeContainerToCreateConfig takes a v1.Container and returns a createconfig describing a container
func kubeContainerToCreateConfig(ctx context.Context, containerYAML v1.Container, runtime *libpod.Runtime, newImage *image.Image, namespaces map[string]string, volumes map[string]string, podID string) (*createconfig.CreateConfig, error) {
var (
containerConfig createconfig.CreateConfig
+ pidConfig createconfig.PidConfig
+ networkConfig createconfig.NetworkConfig
+ cgroupConfig createconfig.CgroupConfig
+ utsConfig createconfig.UtsConfig
+ ipcConfig createconfig.IpcConfig
+ userConfig createconfig.UserConfig
+ securityConfig createconfig.SecurityConfig
)
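Review bot: In the RunAsGroup branch userConfig.User is appended to blindly, but at the call site it has already been seeded from imageData.Config.User, which an image may set as `uid:gid`; the result is then `uid:gid:<runAsGroup>`, which no user parser will accept. Strip an existing group before appending (fence below; `strings` must be imported in pods.go if it is not already). Also note that SecurityContext.RunAsNonRoot is never consulted, so a spec that demands a non-root user is run as whatever the image or RunAsUser says with no error — worth either honouring it or documenting the gap with `// NOTE: RunAsNonRoot is not enforced` on the function. The function is complete within the hunk.
```go
	if containerYAML.SecurityContext.RunAsGroup != nil {
		user := userConfig.User
		if user == "" {
			user = "0"
		}
		// Drop any group the image's USER directive already carried so the
		// result is uid:gid rather than uid:gid:gid.
		if idx := strings.Index(user, ":"); idx >= 0 {
			user = user[:idx]
		}
		userConfig.User = fmt.Sprintf("%s:%d", user, *containerYAML.SecurityContext.RunAsGroup)
	}
```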
// The default for MemorySwappiness is -1, not 0
@@ -685,36 +744,15 @@ func kubeContainerToCreateConfig(ctx context.Context, containerYAML v1.Container
imageData, _ := newImage.Inspect(ctx)
- containerConfig.User = "0"
+ userConfig.User = "0"
if imageData != nil {
- containerConfig.User = imageData.Config.User
+ userConfig.User = imageData.Config.User
}
- if containerYAML.SecurityContext != nil {
- if containerConfig.SecurityOpts != nil {
- if containerYAML.SecurityContext.ReadOnlyRootFilesystem != nil {
- containerConfig.ReadOnlyRootfs = *containerYAML.SecurityContext.ReadOnlyRootFilesystem
- }
- if containerYAML.SecurityContext.Privileged != nil {
- containerConfig.Privileged = *containerYAML.SecurityContext.Privileged
- }
-
- if containerYAML.SecurityContext.AllowPrivilegeEscalation != nil {
- containerConfig.NoNewPrivs = !*containerYAML.SecurityContext.AllowPrivilegeEscalation
- }
+ setupSecurityContext(&securityConfig, &userConfig, containerYAML)
- }
- if caps := containerYAML.SecurityContext.Capabilities; caps != nil {
- for _, capability := range caps.Add {
- containerConfig.CapAdd = append(containerConfig.CapAdd, string(capability))
- }
- for _, capability := range caps.Drop {
- containerConfig.CapDrop = append(containerConfig.CapDrop, string(capability))
- }
- }
- }
var err error
- containerConfig.SeccompProfilePath, err = libpod.DefaultSeccompPath()
+ containerConfig.Security.SeccompProfilePath, err = libpod.DefaultSeccompPath()
if err != nil {
return nil, err
}
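Review bot: The default seccomp profile resolved by `containerConfig.Security.SeccompProfilePath, err = libpod.DefaultSeccompPath()` is written into containerConfig.Security, but the next hunk ends with `containerConfig.Security = securityConfig`, a local that never has SeccompProfilePath set — so unless something in the unseen lines between the two hunks copies it across, kube-play containers now start without the default seccomp filter. Assign to the local instead: `securityConfig.SeccompProfilePath, err = libpod.DefaultSeccompPath()`. kubeContainerToCreateConfig starts and ends outside the hunk.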
@@ -737,20 +775,28 @@ func kubeContainerToCreateConfig(ctx context.Context, containerYAML v1.Container
containerConfig.StopSignal = 15
// If the user does not pass in ID mappings, just set to basics
- if containerConfig.IDMappings == nil {
- containerConfig.IDMappings = &storage.IDMappingOptions{}
+ if userConfig.IDMappings == nil {
+ userConfig.IDMappings = &storage.IDMappingOptions{}
}
- containerConfig.NetMode = ns.NetworkMode(namespaces["net"])
- containerConfig.IpcMode = ns.IpcMode(namespaces["ipc"])
- containerConfig.UtsMode = ns.UTSMode(namespaces["uts"])
+ networkConfig.NetMode = ns.NetworkMode(namespaces["net"])
+ ipcConfig.IpcMode = ns.IpcMode(namespaces["ipc"])
+ utsConfig.UtsMode = ns.UTSMode(namespaces["uts"])
// disabled in code review per mheon
//containerConfig.PidMode = ns.PidMode(namespaces["pid"])
- containerConfig.UsernsMode = ns.UsernsMode(namespaces["user"])
+ userConfig.UsernsMode = ns.UsernsMode(namespaces["user"])
if len(containerConfig.WorkDir) == 0 {
containerConfig.WorkDir = "/"
}
+ containerConfig.Pid = pidConfig
+ containerConfig.Network = networkConfig
+ containerConfig.Uts = utsConfig
+ containerConfig.Ipc = ipcConfig
+ containerConfig.Cgroup = cgroupConfig
+ containerConfig.User = userConfig
+ containerConfig.Security = securityConfig
+
// Set default environment variables and incorporate data from image, if necessary
envs := shared.EnvVariablesFromData(imageData)
diff --git a/pkg/adapter/runtime.go b/pkg/adapter/runtime.go
index 4f70e90f9..81a43853c 100644
--- a/pkg/adapter/runtime.go
+++ b/pkg/adapter/runtime.go
@@ -338,7 +338,7 @@ func (r *LocalRuntime) SaveImage(ctx context.Context, c *cliconfig.SaveValues) e
return newImage.Save(ctx, source, c.Format, c.Output, additionalTags, c.Quiet, c.Compress)
}
-// LoadImage is a wrapper function for libpod PruneVolumes
+// LoadImage is a wrapper function for libpod LoadImage
func (r *LocalRuntime) LoadImage(ctx context.Context, name string, cli *cliconfig.LoadValues) (string, error) {
var (
writer io.Writer
diff --git a/pkg/adapter/terminal_linux.go b/pkg/adapter/terminal_linux.go
index 16e552802..3dc5864e2 100644
--- a/pkg/adapter/terminal_linux.go
+++ b/pkg/adapter/terminal_linux.go
@@ -1,6 +1,7 @@
package adapter
import (
+ "bufio"
"context"
"fmt"
"os"
@@ -61,7 +62,7 @@ func StartAttachCtr(ctx context.Context, ctr *libpod.Container, stdout, stderr,
streams := new(libpod.AttachStreams)
streams.OutputStream = stdout
streams.ErrorStream = stderr
- streams.InputStream = stdin
+ streams.InputStream = bufio.NewReader(stdin)
streams.AttachOutput = true
streams.AttachError = true
streams.AttachInput = true
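Review bot: bufio.NewReader(stdin) returns a non-nil *bufio.Reader even when stdin is nil, so any `streams.InputStream == nil` check downstream (not visible here) can no longer detect a caller that attached without a stdin; the first Read would dereference a nil io.Reader and panic instead. Whether any caller passes nil is not visible in this diff — Run and ExecContainer hand over their own streams — so it is safest to guard at the wrap site: `if stdin != nil { streams.InputStream = bufio.NewReader(stdin) }` and set AttachInput from the same condition rather than unconditionally. StartAttachCtr starts outside the hunk.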