6 files changed, 214 insertions, 91 deletions
diff --git a/pkg/domain/infra/abi/containers.go b/pkg/domain/infra/abi/containers.go
index 8b2a5bfae..dc5f7a0df 100644
--- a/pkg/domain/infra/abi/containers.go
+++ b/pkg/domain/infra/abi/containers.go
@@ -173,13 +173,17 @@ func (ic *ContainerEngine) ContainerStop(ctx context.Context, namesOrIds []strin
 				return err
 			}
 		}
-		if c.AutoRemove() {
-			// Issue #7384: if the container is configured for
-			// auto-removal, it might already have been removed at
-			// this point.
-			return nil
+		err = c.Cleanup(ctx)
+		if err != nil {
+			// Issue #7384 and #11384: If the container is configured for
+			// auto-removal, it might already have been removed at this point.
+			// We still need to to cleanup since we do not know if the other cleanup process is successful
+			if c.AutoRemove() && (errors.Is(err, define.ErrNoSuchCtr) || errors.Is(err, define.ErrCtrRemoved)) {
+				return nil
+			}
+			return err
 		}
-		return c.Cleanup(ctx)
+		return nil
 	})
 	if err != nil {
 		return nil, err
@@ -367,7 +371,7 @@ func (ic *ContainerEngine) ContainerInspect(ctx context.Context, namesOrIds []st
 	if options.Latest {
 		ctr, err := ic.Libpod.GetLatestContainer()
 		if err != nil {
-			if errors.Cause(err) == define.ErrNoSuchCtr {
+			if errors.Is(err, define.ErrNoSuchCtr) {
 				return nil, []error{errors.Wrapf(err, "no containers to inspect")}, nil
 			}
 			return nil, nil, err
@@ -393,7 +397,7 @@ func (ic *ContainerEngine) ContainerInspect(ctx context.Context, namesOrIds []st
 		if err != nil {
 			// ErrNoSuchCtr is non-fatal, other errors will be
 			// treated as fatal.
-			if errors.Cause(err) == define.ErrNoSuchCtr {
+			if errors.Is(err, define.ErrNoSuchCtr) {
 				errs = append(errs, errors.Errorf("no such container %s", name))
 				continue
 			}
@@ -402,6 +406,12 @@ func (ic *ContainerEngine) ContainerInspect(ctx context.Context, namesOrIds []st
 
 		inspect, err := ctr.Inspect(options.Size)
 		if err != nil {
+			// ErrNoSuchCtr is non-fatal, other errors will be
+			// treated as fatal.
+			if errors.Is(err, define.ErrNoSuchCtr) {
+				errs = append(errs, errors.Errorf("no such container %s", name))
+				continue
+			}
 			return nil, nil, err
 		}
 
diff --git a/pkg/domain/infra/abi/images.go b/pkg/domain/infra/abi/images.go
index e8739615d..a88d38a10 100644
--- a/pkg/domain/infra/abi/images.go
+++ b/pkg/domain/infra/abi/images.go
@@ -521,6 +521,7 @@ func (ir *ImageEngine) Remove(ctx context.Context, images []string, opts entitie
 	libimageOptions := &libimage.RemoveImagesOptions{}
 	libimageOptions.Filters = []string{"readonly=false"}
 	libimageOptions.Force = opts.Force
+	libimageOptions.LookupManifest = opts.LookupManifest
 	if !opts.All {
 		libimageOptions.Filters = append(libimageOptions.Filters, "intermediate=false")
 	}
diff --git a/pkg/domain/infra/abi/manifest.go b/pkg/domain/infra/abi/manifest.go
index 666bc997d..1dd0686ac 100644
--- a/pkg/domain/infra/abi/manifest.go
+++ b/pkg/domain/infra/abi/manifest.go
@@ -306,7 +306,7 @@ func (ir *ImageEngine) ManifestRemove(ctx context.Context, names []string) (stri
 
 // ManifestRm removes the specified manifest list from storage
 func (ir *ImageEngine) ManifestRm(ctx context.Context, names []string) (report *entities.ImageRemoveReport, rmErrors []error) {
-	return ir.Remove(ctx, names, entities.ImageRemoveOptions{})
+	return ir.Remove(ctx, names, entities.ImageRemoveOptions{LookupManifest: true})
 }
 
 // ManifestPush pushes a manifest list or image index to the destination
diff --git a/pkg/domain/infra/abi/play.go b/pkg/domain/infra/abi/play.go
index 2799df794..87506f70c 100644
--- a/pkg/domain/infra/abi/play.go
+++ b/pkg/domain/infra/abi/play.go
@@ -196,9 +196,11 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY
 		if (ns.IsBridge() && len(cniNets) == 0) || ns.IsHost() {
 			return nil, errors.Errorf("invalid value passed to --network: bridge or host networking must be configured in YAML")
 		}
-		logrus.Debugf("Pod %q joining CNI networks: %v", podName, cniNets)
-		podOpt.Net.Network.NSMode = specgen.Bridge
-		podOpt.Net.CNINetworks = append(podOpt.Net.CNINetworks, cniNets...)
+
+		podOpt.Net.Network = ns
+		if len(cniNets) > 0 {
+			podOpt.Net.CNINetworks = append(podOpt.Net.CNINetworks, cniNets...)
+		}
 		if len(netOpts) > 0 {
 			podOpt.Net.NetworkOptions = netOpts
 		}
@@ -267,12 +269,9 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY
 	}
 
 	if podOpt.Infra {
-		imagePull := config.DefaultInfraImage
-		if podOpt.InfraImage != config.DefaultInfraImage && podOpt.InfraImage != "" {
-			imagePull = podOpt.InfraImage
-		}
+		containerConfig := util.DefaultContainerConfig()
 
-		pulledImages, err := pullImage(ic, writer, imagePull, options, config.PullPolicyNewer)
+		pulledImages, err := pullImage(ic, writer, containerConfig.Engine.InfraImage, options, config.PullPolicyNewer)
 		if err != nil {
 			return nil, err
 		}
@@ -305,76 +304,59 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY
 	}
 
 	containers := make([]*libpod.Container, 0, len(podYAML.Spec.Containers))
+	initContainers := make([]*libpod.Container, 0, len(podYAML.Spec.InitContainers))
 	cwd, err := os.Getwd()
 	if err != nil {
 		return nil, err
 	}
+
+	for _, initCtr := range podYAML.Spec.InitContainers {
+		// Init containers cannot have either of lifecycle, livenessProbe, readinessProbe, or startupProbe set
+		if initCtr.Lifecycle != nil || initCtr.LivenessProbe != nil || initCtr.ReadinessProbe != nil || initCtr.StartupProbe != nil {
+			return nil, errors.Errorf("cannot create an init container that has either of lifecycle, livenessProbe, readinessProbe, or startupProbe set")
+		}
+		pulledImage, labels, err := ic.getImageAndLabelInfo(ctx, cwd, annotations, writer, initCtr, options)
+		if err != nil {
+			return nil, err
+		}
+
+		specgenOpts := kube.CtrSpecGenOptions{
+			Container:         initCtr,
+			Image:             pulledImage,
+			Volumes:           volumes,
+			PodID:             pod.ID(),
+			PodName:           podName,
+			PodInfraID:        podInfraID,
+			ConfigMaps:        configMaps,
+			SeccompPaths:      seccompPaths,
+			RestartPolicy:     ctrRestartPolicy,
+			NetNSIsHost:       p.NetNS.IsHost(),
+			SecretsManager:    secretsManager,
+			LogDriver:         options.LogDriver,
+			Labels:            labels,
+			InitContainerType: define.AlwaysInitContainer,
+		}
+		specGen, err := kube.ToSpecGen(ctx, &specgenOpts)
+		if err != nil {
+			return nil, err
+		}
+		rtSpec, spec, opts, err := generate.MakeContainer(ctx, ic.Libpod, specGen)
+		if err != nil {
+			return nil, err
+		}
+		ctr, err := generate.ExecuteCreate(ctx, ic.Libpod, rtSpec, spec, false, opts...)
+		if err != nil {
+			return nil, err
+		}
+
+		initContainers = append(initContainers, ctr)
+	}
 	for _, container := range podYAML.Spec.Containers {
 		if !strings.Contains("infra", container.Name) {
-			// Contains all labels obtained from kube
-			labels := make(map[string]string)
-			var pulledImage *libimage.Image
-			buildFile, err := getBuildFile(container.Image, cwd)
-			if err != nil {
-				return nil, err
-			}
-			existsLocally, err := ic.Libpod.LibimageRuntime().Exists(container.Image)
+			pulledImage, labels, err := ic.getImageAndLabelInfo(ctx, cwd, annotations, writer, container, options)
 			if err != nil {
 				return nil, err
 			}
-			if (len(buildFile) > 0 && !existsLocally) || (len(buildFile) > 0 && options.Build) {
-				buildOpts := new(buildahDefine.BuildOptions)
-				commonOpts := new(buildahDefine.CommonBuildOptions)
-				buildOpts.ConfigureNetwork = buildahDefine.NetworkDefault
-				buildOpts.Isolation = buildahDefine.IsolationChroot
-				buildOpts.CommonBuildOpts = commonOpts
-				buildOpts.Output = container.Image
-				if _, _, err := ic.Libpod.Build(ctx, *buildOpts, []string{buildFile}...); err != nil {
-					return nil, err
-				}
-				i, _, err := ic.Libpod.LibimageRuntime().LookupImage(container.Image, new(libimage.LookupImageOptions))
-				if err != nil {
-					return nil, err
-				}
-				pulledImage = i
-			} else {
-				// NOTE: set the pull policy to "newer".  This will cover cases
-				// where the "latest" tag requires a pull and will also
-				// transparently handle "localhost/" prefixed files which *may*
-				// refer to a locally built image OR an image running a
-				// registry on localhost.
-				pullPolicy := config.PullPolicyNewer
-				if len(container.ImagePullPolicy) > 0 {
-					// Make sure to lower the strings since K8s pull policy
-					// may be capitalized (see bugzilla.redhat.com/show_bug.cgi?id=1985905).
-					rawPolicy := string(container.ImagePullPolicy)
-					pullPolicy, err = config.ParsePullPolicy(strings.ToLower(rawPolicy))
-					if err != nil {
-						return nil, err
-					}
-				}
-				pulledImages, err := pullImage(ic, writer, container.Image, options, pullPolicy)
-				if err != nil {
-					return nil, err
-				}
-				pulledImage = pulledImages[0]
-			}
-
-			// Handle kube annotations
-			for k, v := range annotations {
-				switch k {
-				// Auto update annotation without container name will apply to
-				// all containers within the pod
-				case autoupdate.Label, autoupdate.AuthfileLabel:
-					labels[k] = v
-				// Auto update annotation with container name will apply only
-				// to the specified container
-				case fmt.Sprintf("%s/%s", autoupdate.Label, container.Name),
-					fmt.Sprintf("%s/%s", autoupdate.AuthfileLabel, container.Name):
-					prefixAndCtr := strings.Split(k, "/")
-					labels[prefixAndCtr[0]] = v
-				}
-			}
 
 			specgenOpts := kube.CtrSpecGenOptions{
 				Container:      container,
@@ -395,7 +377,6 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY
 			if err != nil {
 				return nil, err
 			}
-
 			rtSpec, spec, opts, err := generate.MakeContainer(ctx, ic.Libpod, specGen)
 			if err != nil {
 				return nil, err
@@ -424,12 +405,96 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY
 	for _, ctr := range containers {
 		playKubePod.Containers = append(playKubePod.Containers, ctr.ID())
 	}
+	for _, initCtr := range initContainers {
+		playKubePod.InitContainers = append(playKubePod.InitContainers, initCtr.ID())
+	}
 
 	report.Pods = append(report.Pods, playKubePod)
 
 	return &report, nil
 }
 
+// getImageAndLabelInfo returns the image information and how the image should be pulled plus as well as labels to be used for the container in the pod.
+// Moved this to a separate function so that it can be used for both init and regular containers when playing a kube yaml.
+func (ic *ContainerEngine) getImageAndLabelInfo(ctx context.Context, cwd string, annotations map[string]string, writer io.Writer, container v1.Container, options entities.PlayKubeOptions) (*libimage.Image, map[string]string, error) {
+	// Contains all labels obtained from kube
+	labels := make(map[string]string)
+	var pulledImage *libimage.Image
+	buildFile, err := getBuildFile(container.Image, cwd)
+	if err != nil {
+		return nil, nil, err
+	}
+	existsLocally, err := ic.Libpod.LibimageRuntime().Exists(container.Image)
+	if err != nil {
+		return nil, nil, err
+	}
+	if (len(buildFile) > 0 && !existsLocally) || (len(buildFile) > 0 && options.Build) {
+		buildOpts := new(buildahDefine.BuildOptions)
+		commonOpts := new(buildahDefine.CommonBuildOptions)
+		buildOpts.ConfigureNetwork = buildahDefine.NetworkDefault
+		buildOpts.Isolation = buildahDefine.IsolationChroot
+		buildOpts.CommonBuildOpts = commonOpts
+		buildOpts.Output = container.Image
+		if _, _, err := ic.Libpod.Build(ctx, *buildOpts, []string{buildFile}...); err != nil {
+			return nil, nil, err
+		}
+		i, _, err := ic.Libpod.LibimageRuntime().LookupImage(container.Image, new(libimage.LookupImageOptions))
+		if err != nil {
+			return nil, nil, err
+		}
+		pulledImage = i
+	} else {
+		// NOTE: set the pull policy to "newer".  This will cover cases
+		// where the "latest" tag requires a pull and will also
+		// transparently handle "localhost/" prefixed files which *may*
+		// refer to a locally built image OR an image running a
+		// registry on localhost.
+		pullPolicy := config.PullPolicyNewer
+		if len(container.ImagePullPolicy) > 0 {
+			// Make sure to lower the strings since K8s pull policy
+			// may be capitalized (see bugzilla.redhat.com/show_bug.cgi?id=1985905).
+			rawPolicy := string(container.ImagePullPolicy)
+			pullPolicy, err = config.ParsePullPolicy(strings.ToLower(rawPolicy))
+			if err != nil {
+				return nil, nil, err
+			}
+		}
+		// This ensures the image is the image store
+		pullOptions := &libimage.PullOptions{}
+		pullOptions.AuthFilePath = options.Authfile
+		pullOptions.CertDirPath = options.CertDir
+		pullOptions.SignaturePolicyPath = options.SignaturePolicy
+		pullOptions.Writer = writer
+		pullOptions.Username = options.Username
+		pullOptions.Password = options.Password
+		pullOptions.InsecureSkipTLSVerify = options.SkipTLSVerify
+
+		pulledImages, err := ic.Libpod.LibimageRuntime().Pull(ctx, container.Image, pullPolicy, pullOptions)
+		if err != nil {
+			return nil, nil, err
+		}
+		pulledImage = pulledImages[0]
+	}
+
+	// Handle kube annotations
+	for k, v := range annotations {
+		switch k {
+		// Auto update annotation without container name will apply to
+		// all containers within the pod
+		case autoupdate.Label, autoupdate.AuthfileLabel:
+			labels[k] = v
+		// Auto update annotation with container name will apply only
+		// to the specified container
+		case fmt.Sprintf("%s/%s", autoupdate.Label, container.Name),
+			fmt.Sprintf("%s/%s", autoupdate.AuthfileLabel, container.Name):
+			prefixAndCtr := strings.Split(k, "/")
+			labels[prefixAndCtr[0]] = v
+		}
+	}
+
+	return pulledImage, labels, nil
+}
+
 // playKubePVC creates a podman volume from a kube persistent volume claim.
 func (ic *ContainerEngine) playKubePVC(ctx context.Context, pvcYAML *v1.PersistentVolumeClaim, options entities.PlayKubeOptions) (*entities.PlayKubeReport, error) {
 	var report entities.PlayKubeReport
diff --git a/pkg/domain/infra/abi/pods.go b/pkg/domain/infra/abi/pods.go
index 98233f60d..6b432c214 100644
--- a/pkg/domain/infra/abi/pods.go
+++ b/pkg/domain/infra/abi/pods.go
@@ -83,6 +83,46 @@ func (ic *ContainerEngine) PodKill(ctx context.Context, namesOrIds []string, opt
 	return reports, nil
 }
 
+func (ic *ContainerEngine) PodLogs(ctx context.Context, nameOrID string, options entities.PodLogsOptions) error {
+	// Implementation accepts slice
+	podName := []string{nameOrID}
+	pod, err := getPodsByContext(false, options.Latest, podName, ic.Libpod)
+	if err != nil {
+		return err
+	}
+	// Get pod containers
+	podCtrs, err := pod[0].AllContainers()
+	if err != nil {
+		return err
+	}
+
+	ctrNames := []string{}
+	// Check if `kubectl pod logs -c ctrname <podname>` alike command is used
+	if options.ContainerName != "" {
+		ctrFound := false
+		for _, ctr := range podCtrs {
+			if ctr.ID() == options.ContainerName || ctr.Name() == options.ContainerName {
+				ctrNames = append(ctrNames, options.ContainerName)
+				ctrFound = true
+			}
+		}
+		if !ctrFound {
+			return errors.Wrapf(define.ErrNoSuchCtr, "container %s is not in pod %s", options.ContainerName, nameOrID)
+		}
+	} else {
+		// No container name specified select all containers
+		for _, ctr := range podCtrs {
+			ctrNames = append(ctrNames, ctr.Name())
+		}
+	}
+
+	// PodLogsOptions are similar but contains few extra fields like ctrName
+	// So cast other values as is so we can re-use the code
+	containerLogsOpts := entities.PodLogsOptionsToContainerLogsOptions(options)
+
+	return ic.ContainerLogs(ctx, ctrNames, containerLogsOpts)
+}
+
 func (ic *ContainerEngine) PodPause(ctx context.Context, namesOrIds []string, options entities.PodPauseOptions) ([]*entities.PodPauseReport, error) {
 	reports := []*entities.PodPauseReport{}
 	pods, err := getPodsByContext(options.All, options.Latest, namesOrIds, ic.Libpod)
diff --git a/pkg/domain/infra/abi/secrets.go b/pkg/domain/infra/abi/secrets.go
index 0bdb4ce60..2bf8eaae3 100644
--- a/pkg/domain/infra/abi/secrets.go
+++ b/pkg/domain/infra/abi/secrets.go
@@ -7,6 +7,7 @@ import (
 	"path/filepath"
 
 	"github.com/containers/podman/v3/pkg/domain/entities"
+	"github.com/containers/podman/v3/pkg/domain/utils"
 	"github.com/pkg/errors"
 )
 
@@ -84,7 +85,7 @@ func (ic *ContainerEngine) SecretInspect(ctx context.Context, nameOrIDs []string
 	return reports, errs, nil
 }
 
-func (ic *ContainerEngine) SecretList(ctx context.Context) ([]*entities.SecretInfoReport, error) {
+func (ic *ContainerEngine) SecretList(ctx context.Context, opts entities.SecretListRequest) ([]*entities.SecretInfoReport, error) {
 	manager, err := ic.Libpod.SecretsManager()
 	if err != nil {
 		return nil, err
@@ -95,19 +96,25 @@ func (ic *ContainerEngine) SecretList(ctx context.Context) ([]*entities.SecretIn
 	}
 	report := make([]*entities.SecretInfoReport, 0, len(secretList))
 	for _, secret := range secretList {
-		reportItem := entities.SecretInfoReport{
-			ID:        secret.ID,
-			CreatedAt: secret.CreatedAt,
-			UpdatedAt: secret.CreatedAt,
-			Spec: entities.SecretSpec{
-				Name: secret.Name,
-				Driver: entities.SecretDriverSpec{
-					Name:    secret.Driver,
-					Options: secret.DriverOptions,
+		result, err := utils.IfPassesSecretsFilter(secret, opts.Filters)
+		if err != nil {
+			return nil, err
+		}
+		if result {
+			reportItem := entities.SecretInfoReport{
+				ID:        secret.ID,
+				CreatedAt: secret.CreatedAt,
+				UpdatedAt: secret.CreatedAt,
+				Spec: entities.SecretSpec{
+					Name: secret.Name,
+					Driver: entities.SecretDriverSpec{
+						Name:    secret.Driver,
+						Options: secret.DriverOptions,
+					},
 				},
-			},
+			}
+			report = append(report, &reportItem)
 		}
-		report = append(report, &reportItem)
 	}
 	return report, nil
 }