Diffstat (limited to 'pkg/domain/infra/abi')
-rw-r--r--pkg/domain/infra/abi/containers.go18
-rw-r--r--pkg/domain/infra/abi/generate.go3
-rw-r--r--pkg/domain/infra/abi/images.go68
-rw-r--r--pkg/domain/infra/abi/play.go34
-rw-r--r--pkg/domain/infra/abi/system.go10
5 files changed, 91 insertions, 42 deletions
diff --git a/pkg/domain/infra/abi/containers.go b/pkg/domain/infra/abi/containers.go
index c30129001..69c628669 100644
--- a/pkg/domain/infra/abi/containers.go
+++ b/pkg/domain/infra/abi/containers.go
@@ -515,6 +515,7 @@ func (ic *ContainerEngine) ContainerCheckpoint(ctx context.Context, namesOrIds [
PreCheckPoint: options.PreCheckPoint,
WithPrevious: options.WithPrevious,
Compression: options.Compression,
+ PrintStats: options.PrintStats,
}
if options.All {
@@ -531,10 +532,12 @@ func (ic *ContainerEngine) ContainerCheckpoint(ctx context.Context, namesOrIds [
}
reports := make([]*entities.CheckpointReport, 0, len(cons))
for _, con := range cons {
- err = con.Checkpoint(ctx, checkOpts)
+ criuStatistics, runtimeCheckpointDuration, err := con.Checkpoint(ctx, checkOpts)
reports = append(reports, &entities.CheckpointReport{
- Err: err,
- Id: con.ID(),
+ Err: err,
+ Id: con.ID(),
+ RuntimeDuration: runtimeCheckpointDuration,
+ CRIUStatistics: criuStatistics,
})
}
return reports, nil
@@ -557,6 +560,7 @@ func (ic *ContainerEngine) ContainerRestore(ctx context.Context, namesOrIds []st
IgnoreStaticMAC: options.IgnoreStaticMAC,
ImportPrevious: options.ImportPrevious,
Pod: options.Pod,
+ PrintStats: options.PrintStats,
}
filterFuncs := []libpod.ContainerFilter{
@@ -579,10 +583,12 @@ func (ic *ContainerEngine) ContainerRestore(ctx context.Context, namesOrIds []st
}
reports := make([]*entities.RestoreReport, 0, len(cons))
for _, con := range cons {
- err := con.Restore(ctx, restoreOptions)
+ criuStatistics, runtimeRestoreDuration, err := con.Restore(ctx, restoreOptions)
reports = append(reports, &entities.RestoreReport{
- Err: err,
- Id: con.ID(),
+ Err: err,
+ Id: con.ID(),
+ RuntimeDuration: runtimeRestoreDuration,
+ CRIUStatistics: criuStatistics,
})
}
return reports, nil
diff --git a/pkg/domain/infra/abi/generate.go b/pkg/domain/infra/abi/generate.go
index 081a2464b..a4d6bcf86 100644
--- a/pkg/domain/infra/abi/generate.go
+++ b/pkg/domain/infra/abi/generate.go
@@ -124,8 +124,7 @@ func (ic *ContainerEngine) GenerateKube(ctx context.Context, nameOrIDs []string,
if err != nil {
return nil, err
}
-
- b, err := generateKubeYAML(po)
+ b, err := generateKubeYAML(libpod.ConvertV1PodToYAMLPod(po))
if err != nil {
return nil, err
}
diff --git a/pkg/domain/infra/abi/images.go b/pkg/domain/infra/abi/images.go
index 8878bf128..8b44b869a 100644
--- a/pkg/domain/infra/abi/images.go
+++ b/pkg/domain/infra/abi/images.go
@@ -6,9 +6,12 @@ import (
"io/ioutil"
"net/url"
"os"
+ "os/exec"
+ "os/user"
"path"
"path/filepath"
"strconv"
+ "strings"
"github.com/containers/common/libimage"
"github.com/containers/common/pkg/config"
@@ -18,6 +21,7 @@ import (
"github.com/containers/image/v5/signature"
"github.com/containers/image/v5/transports"
"github.com/containers/image/v5/transports/alltransports"
+ "github.com/containers/podman/v3/libpod/define"
"github.com/containers/podman/v3/pkg/domain/entities"
"github.com/containers/podman/v3/pkg/domain/entities/reports"
domainUtils "github.com/containers/podman/v3/pkg/domain/utils"
@@ -57,7 +61,7 @@ func (ir *ImageEngine) Prune(ctx context.Context, opts entities.ImagePruneOption
pruneOptions.Filters = append(pruneOptions.Filters, "containers=false")
}
- var pruneReports []*reports.PruneReport
+ pruneReports := make([]*reports.PruneReport, 0)
// Now prune all images until we converge.
numPreviouslyRemovedImages := 1
@@ -330,6 +334,67 @@ func (ir *ImageEngine) Push(ctx context.Context, source string, destination stri
return pushError
}
+// Transfer moves images from root to rootless storage so the user specified in the scp call can access and use the image modified by root
+func (ir *ImageEngine) Transfer(ctx context.Context, scpOpts entities.ImageScpOptions) error {
+ if scpOpts.User == "" {
+ return errors.Wrapf(define.ErrInvalidArg, "you must define a user when transferring from root to rootless storage")
+ }
+ var u *user.User
+ scpOpts.User = strings.Split(scpOpts.User, ":")[0] // split in case provided with uid:gid
+ _, err := strconv.Atoi(scpOpts.User)
+ if err != nil {
+ u, err = user.Lookup(scpOpts.User)
+ if err != nil {
+ return err
+ }
+ } else {
+ u, err = user.LookupId(scpOpts.User)
+ if err != nil {
+ return err
+ }
+ }
+ uid, err := strconv.Atoi(u.Uid)
+ if err != nil {
+ return err
+ }
+ gid, err := strconv.Atoi(u.Gid)
+ if err != nil {
+ return err
+ }
+ err = os.Chown(scpOpts.Save.Output, uid, gid) // chown the output because was created by root so we need to give th euser read access
+ if err != nil {
+ return err
+ }
+
+ podman, err := os.Executable()
+ if err != nil {
+ return err
+ }
+ machinectl, err := exec.LookPath("machinectl")
+ if err != nil {
+ logrus.Warn("defaulting to su since machinectl is not available, su will fail if no user session is available")
+ cmd := exec.Command("su", "-l", u.Username, "--command", podman+" --log-level="+logrus.GetLevel().String()+" --cgroup-manager=cgroupfs load --input="+scpOpts.Save.Output) // load the new image to the rootless storage
+ cmd.Stderr = os.Stderr
+ cmd.Stdout = os.Stdout
+ logrus.Debug("Executing load command su")
+ err = cmd.Run()
+ if err != nil {
+ return err
+ }
+ } else {
+ cmd := exec.Command(machinectl, "shell", "-q", u.Username+"@.host", podman, "--log-level="+logrus.GetLevel().String(), "--cgroup-manager=cgroupfs", "load", "--input", scpOpts.Save.Output) // load the new image to the rootless storage
+ cmd.Stderr = os.Stderr
+ cmd.Stdout = os.Stdout
+ logrus.Debug("Executing load command machinectl")
+ err = cmd.Run()
+ if err != nil {
+ return err
+ }
+ }
+
+ return nil
+}
+
func (ir *ImageEngine) Tag(ctx context.Context, nameOrID string, tags []string, options entities.ImageTagOptions) error {
// Allow tagging manifest list instead of resolving instances from manifest
lookupOptions := &libimage.LookupImageOptions{ManifestList: true}
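Review bot: In the `su` fallback of Transfer, `podman` and `scpOpts.Save.Output` are concatenated into the single string given to `--command`, so the target user's login shell re-parses them and a path containing whitespace or shell metacharacters is split or interpreted; the machinectl branch passes each value as its own argv element and does not have this problem. The path should be validated or shell-quoted before it is joined into that string, or the fallback should reject paths outside a conservative character set. Separately, `os.Chown(scpOpts.Save.Output, uid, gid)` runs as root and follows symlinks; where the output file lives is not visible from this hunk, but if it can sit in a directory other users can write to, `os.Lchown(scpOpts.Save.Output, uid, gid)` or a chown through an already opened file handle avoids re-resolving the path. The comment on the chown line also has a typo, `th euser`.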
@@ -576,6 +641,7 @@ func (ir *ImageEngine) Sign(ctx context.Context, names []string, options entitie
}
sc := ir.Libpod.SystemContext()
sc.DockerCertPath = options.CertDir
+ sc.AuthFilePath = options.Authfile
for _, signimage := range names {
err = func() error {
diff --git a/pkg/domain/infra/abi/play.go b/pkg/domain/infra/abi/play.go
index 751d6cc05..d2bb95f7c 100644
--- a/pkg/domain/infra/abi/play.go
+++ b/pkg/domain/infra/abi/play.go
@@ -269,17 +269,11 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY
}
if podOpt.Infra {
- containerConfig := util.DefaultContainerConfig()
-
- pulledImages, err := pullImage(ic, writer, containerConfig.Engine.InfraImage, options, config.PullPolicyNewer)
- if err != nil {
- return nil, err
- }
- infraOptions := entities.ContainerCreateOptions{ImageVolume: "bind"}
-
- podSpec.PodSpecGen.InfraImage = pulledImages[0].Names()[0]
+ infraImage := util.DefaultContainerConfig().Engine.InfraImage
+ infraOptions := entities.NewInfraContainerCreateOptions()
+ podSpec.PodSpecGen.InfraImage = infraImage
podSpec.PodSpecGen.NoInfra = false
- podSpec.PodSpecGen.InfraContainerSpec = specgen.NewSpecGenerator(pulledImages[0].Names()[0], false)
+ podSpec.PodSpecGen.InfraContainerSpec = specgen.NewSpecGenerator(infraImage, false)
podSpec.PodSpecGen.InfraContainerSpec.NetworkOptions = p.NetworkOptions
err = specgenutil.FillOutSpecGen(podSpec.PodSpecGen.InfraContainerSpec, &infraOptions, []string{})
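Review bot: The infra image is now only named in playKubePod (`podSpec.PodSpecGen.InfraImage = infraImage`) and no longer pulled there, so the `options.Authfile`, `options.CertDir`, `options.SignaturePolicy` and `options.SkipTLSVerify` values that the removed `pullImage` call applied are not passed anywhere in this hunk. The code that now fetches the infra image is outside the diff shown, so it is worth confirming that it applies the same signature policy and TLS verification settings. A short comment above `infraImage := ...` stating where the pull now happens and which pull options apply would document that for the next reader. playKubePod starts and ends outside this hunk.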
@@ -333,6 +327,7 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY
NetNSIsHost: p.NetNS.IsHost(),
SecretsManager: secretsManager,
LogDriver: options.LogDriver,
+ LogOptions: options.LogOptions,
Labels: labels,
InitContainerType: define.AlwaysInitContainer,
}
@@ -371,6 +366,7 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY
NetNSIsHost: p.NetNS.IsHost(),
SecretsManager: secretsManager,
LogDriver: options.LogDriver,
+ LogOptions: options.LogOptions,
Labels: labels,
}
specGen, err := kube.ToSpecGen(ctx, &specgenOpts)
@@ -756,21 +752,3 @@ func (ic *ContainerEngine) PlayKubeDown(ctx context.Context, path string, _ enti
}
return reports, nil
}
-
-// pullImage is a helper function to set up the proper pull options and pull the image for certain containers
-func pullImage(ic *ContainerEngine, writer io.Writer, imagePull string, options entities.PlayKubeOptions, pullPolicy config.PullPolicy) ([]*libimage.Image, error) {
- // This ensures the image is the image store
- pullOptions := &libimage.PullOptions{}
- pullOptions.AuthFilePath = options.Authfile
- pullOptions.CertDirPath = options.CertDir
- pullOptions.SignaturePolicyPath = options.SignaturePolicy
- pullOptions.Writer = writer
- pullOptions.Username = options.Username
- pullOptions.Password = options.Password
- pullOptions.InsecureSkipTLSVerify = options.SkipTLSVerify
- pulledImages, err := ic.Libpod.LibimageRuntime().Pull(context.Background(), imagePull, pullPolicy, pullOptions)
- if err != nil {
- return nil, err
- }
- return pulledImages, nil
-}
diff --git a/pkg/domain/infra/abi/system.go b/pkg/domain/infra/abi/system.go
index e326f26a8..7da7754f2 100644
--- a/pkg/domain/infra/abi/system.go
+++ b/pkg/domain/infra/abi/system.go
@@ -360,15 +360,15 @@ func (ic *ContainerEngine) Unshare(ctx context.Context, args []string, options e
return cmd.Run()
}
- if options.RootlessCNI {
- rootlesscni, err := ic.Libpod.GetRootlessCNINetNs(true)
+ if options.RootlessNetNS {
+ rootlessNetNS, err := ic.Libpod.GetRootlessNetNs(true)
if err != nil {
return err
}
// make sure to unlock, unshare can run for a long time
- rootlesscni.Lock.Unlock()
- defer rootlesscni.Cleanup(ic.Libpod)
- return rootlesscni.Do(unshare)
+ rootlessNetNS.Lock.Unlock()
+ defer rootlessNetNS.Cleanup(ic.Libpod)
+ return rootlessNetNS.Do(unshare)
}
return unshare()
}