6 files changed, 134 insertions, 36 deletions

diff --git a/pkg/domain/infra/abi/containers.go b/pkg/domain/infra/abi/containers.go
index ff4277a2e..ec65dbe44 100644
--- a/pkg/domain/infra/abi/containers.go
+++ b/pkg/domain/infra/abi/containers.go
@@ -925,7 +925,7 @@ func (ic *ContainerEngine) ContainerRun(ctx context.Context, opts entities.Conta
 }
 
 func (ic *ContainerEngine) ContainerLogs(ctx context.Context, containers []string, options entities.ContainerLogsOptions) error {
-	if options.Writer == nil {
+	if options.StdoutWriter == nil && options.StderrWriter == nil {
 		return errors.New("no io.Writer set for container logs")
 	}
 
@@ -963,7 +963,7 @@ func (ic *ContainerEngine) ContainerLogs(ctx context.Context, containers []strin
 	}()
 
 	for line := range logChannel {
-		fmt.Fprintln(options.Writer, line.String(logOpts))
+		line.Write(options.StdoutWriter, options.StderrWriter, logOpts)
 	}
 
 	return nil
diff --git a/pkg/domain/infra/abi/images.go b/pkg/domain/infra/abi/images.go
index 57a2bc4cf..394ba359c 100644
--- a/pkg/domain/infra/abi/images.go
+++ b/pkg/domain/infra/abi/images.go
@@ -28,6 +28,8 @@ import (
 	"github.com/containers/podman/v2/pkg/rootless"
 	"github.com/containers/podman/v2/pkg/util"
 	"github.com/containers/storage"
+	dockerRef "github.com/docker/distribution/reference"
+	"github.com/opencontainers/go-digest"
 	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -718,9 +720,9 @@ func (ir *ImageEngine) Sign(ctx context.Context, names []string, options entitie
 					logrus.Errorf("unable to close %s image source %q", srcRef.DockerReference().Name(), err)
 				}
 			}()
-			getManifest, _, err := rawSource.GetManifest(ctx, nil)
+			topManifestBlob, manifestType, err := rawSource.GetManifest(ctx, nil)
 			if err != nil {
-				return errors.Wrapf(err, "error getting getManifest")
+				return errors.Wrapf(err, "error getting manifest blob")
 			}
 			dockerReference := rawSource.Reference().DockerReference()
 			if dockerReference == nil {
@@ -743,34 +745,34 @@ func (ir *ImageEngine) Sign(ctx context.Context, names []string, options entitie
 					return err
 				}
 			}
-			manifestDigest, err := manifest.Digest(getManifest)
+			manifestDigest, err := manifest.Digest(topManifestBlob)
 			if err != nil {
 				return err
 			}
 
-			// create signature
-			newSig, err := signature.SignDockerManifest(getManifest, dockerReference.String(), mech, options.SignBy)
-			if err != nil {
-				return errors.Wrapf(err, "error creating new signature")
-			}
-			// create the signstore file
-			signatureDir := fmt.Sprintf("%s@%s=%s", sigStoreDir, manifestDigest.Algorithm(), manifestDigest.Hex())
-			if err := os.MkdirAll(signatureDir, 0751); err != nil {
-				// The directory is allowed to exist
-				if !os.IsExist(err) {
-					logrus.Error(err)
-					return nil
+			if options.All {
+				if !manifest.MIMETypeIsMultiImage(manifestType) {
+					return errors.Errorf("%s is not a multi-architecture image (manifest type %s)", signimage, manifestType)
+				}
+				list, err := manifest.ListFromBlob(topManifestBlob, manifestType)
+				if err != nil {
+					return errors.Wrapf(err, "Error parsing manifest list %q", string(topManifestBlob))
+				}
+				instanceDigests := list.Instances()
+				for _, instanceDigest := range instanceDigests {
+					digest := instanceDigest
+					man, _, err := rawSource.GetManifest(ctx, &digest)
+					if err != nil {
+						return err
+					}
+					if err = putSignature(man, mech, sigStoreDir, instanceDigest, dockerReference, options); err != nil {
+						return errors.Wrapf(err, "error storing signature for %s, %v", dockerReference.String(), instanceDigest)
+					}
 				}
-			}
-			sigFilename, err := getSigFilename(signatureDir)
-			if err != nil {
-				logrus.Errorf("error creating sigstore file: %v", err)
 				return nil
 			}
-			err = ioutil.WriteFile(filepath.Join(signatureDir, sigFilename), newSig, 0644)
-			if err != nil {
-				logrus.Errorf("error storing signature for %s", rawSource.Reference().DockerReference().String())
-				return nil
+			if err = putSignature(topManifestBlob, mech, sigStoreDir, manifestDigest, dockerReference, options); err != nil {
+				return errors.Wrapf(err, "error storing signature for %s, %v", dockerReference.String(), manifestDigest)
 			}
 			return nil
 		}()
@@ -806,3 +808,26 @@ func localPathFromURI(url *url.URL) (string, error) {
 	}
 	return url.Path, nil
 }
+
+// putSignature creates signature and saves it to the signstore file
+func putSignature(manifestBlob []byte, mech signature.SigningMechanism, sigStoreDir string, instanceDigest digest.Digest, dockerReference dockerRef.Reference, options entities.SignOptions) error {
+	newSig, err := signature.SignDockerManifest(manifestBlob, dockerReference.String(), mech, options.SignBy)
+	if err != nil {
+		return err
+	}
+	signatureDir := fmt.Sprintf("%s@%s=%s", sigStoreDir, instanceDigest.Algorithm(), instanceDigest.Hex())
+	if err := os.MkdirAll(signatureDir, 0751); err != nil {
+		// The directory is allowed to exist
+		if !os.IsExist(err) {
+			return err
+		}
+	}
+	sigFilename, err := getSigFilename(signatureDir)
+	if err != nil {
+		return err
+	}
+	if err = ioutil.WriteFile(filepath.Join(signatureDir, sigFilename), newSig, 0644); err != nil {
+		return err
+	}
+	return nil
+}
diff --git a/pkg/domain/infra/abi/play.go b/pkg/domain/infra/abi/play.go
index 3aeb6a2ee..5b983a3f4 100644
--- a/pkg/domain/infra/abi/play.go
+++ b/pkg/domain/infra/abi/play.go
@@ -212,8 +212,10 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY
 			return nil, errors.Wrapf(err, "Failed to parse image %q", container.Image)
 		}
 		// In kube, if the image is tagged with latest, it should always pull
+		// but if the domain is localhost, that means the image was built locally
+		// so do not attempt a pull.
 		if tagged, isTagged := named.(reference.NamedTagged); isTagged {
-			if tagged.Tag() == image.LatestTag {
+			if tagged.Tag() == image.LatestTag && reference.Domain(named) != image.DefaultLocalRegistry {
 				pullPolicy = util.PullImageAlways
 			}
 		}
diff --git a/pkg/domain/infra/abi/system.go b/pkg/domain/infra/abi/system.go
index e4ed0a6be..b6da364fc 100644
--- a/pkg/domain/infra/abi/system.go
+++ b/pkg/domain/infra/abi/system.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"io/ioutil"
+	"net/url"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -179,7 +180,16 @@ func (ic *ContainerEngine) SystemPrune(ctx context.Context, options entities.Sys
 			found = true
 		}
 		systemPruneReport.PodPruneReport = append(systemPruneReport.PodPruneReport, podPruneReport...)
-		containerPruneReport, err := ic.pruneContainersHelper(nil)
+		containerPruneOptions := entities.ContainerPruneOptions{}
+		for _, f := range options.Filter {
+			t := strings.SplitN(f, "=", 2)
+			containerPruneOptions.Filters = make(url.Values)
+			if len(t) < 2 {
+				return nil, errors.Errorf("filter input must be in the form of filter=value: %s is invalid", f)
+			}
+			containerPruneOptions.Filters.Add(t[0], t[1])
+		}
+		containerPruneReport, err := ic.ContainerPrune(ctx, containerPruneOptions)
 		if err != nil {
 			return nil, err
 		}
@@ -194,7 +204,7 @@ func (ic *ContainerEngine) SystemPrune(ctx context.Context, options entities.Sys
 			}
 		}
 
-		results, err := ic.Libpod.ImageRuntime().PruneImages(ctx, options.All, nil)
+		results, err := ic.Libpod.ImageRuntime().PruneImages(ctx, options.All, options.Filter)
 
 		if err != nil {
 			return nil, err
diff --git a/pkg/domain/infra/runtime_tunnel.go b/pkg/domain/infra/runtime_tunnel.go
index 6c85e837e..3fddf577c 100644
--- a/pkg/domain/infra/runtime_tunnel.go
+++ b/pkg/domain/infra/runtime_tunnel.go
@@ -5,18 +5,38 @@ package infra
 import (
 	"context"
 	"fmt"
+	"sync"
 
 	"github.com/containers/podman/v2/pkg/bindings"
 	"github.com/containers/podman/v2/pkg/domain/entities"
 	"github.com/containers/podman/v2/pkg/domain/infra/tunnel"
 )
 
+var (
+	connectionMutex = &sync.Mutex{}
+	connection      *context.Context
+)
+
+func newConnection(uri string, identity string) (context.Context, error) {
+	connectionMutex.Lock()
+	defer connectionMutex.Unlock()
+
+	if connection == nil {
+		ctx, err := bindings.NewConnectionWithIdentity(context.Background(), uri, identity)
+		if err != nil {
+			return ctx, err
+		}
+		connection = &ctx
+	}
+	return *connection, nil
+}
+
 func NewContainerEngine(facts *entities.PodmanConfig) (entities.ContainerEngine, error) {
 	switch facts.EngineMode {
 	case entities.ABIMode:
 		return nil, fmt.Errorf("direct runtime not supported")
 	case entities.TunnelMode:
-		ctx, err := bindings.NewConnectionWithIdentity(context.Background(), facts.URI, facts.Identity)
+		ctx, err := newConnection(facts.URI, facts.Identity)
 		return &tunnel.ContainerEngine{ClientCxt: ctx}, err
 	}
 	return nil, fmt.Errorf("runtime mode '%v' is not supported", facts.EngineMode)
@@ -28,7 +48,7 @@ func NewImageEngine(facts *entities.PodmanConfig) (entities.ImageEngine, error)
 	case entities.ABIMode:
 		return nil, fmt.Errorf("direct image runtime not supported")
 	case entities.TunnelMode:
-		ctx, err := bindings.NewConnectionWithIdentity(context.Background(), facts.URI, facts.Identity)
+		ctx, err := newConnection(facts.URI, facts.Identity)
 		return &tunnel.ImageEngine{ClientCxt: ctx}, err
 	}
 	return nil, fmt.Errorf("runtime mode '%v' is not supported", facts.EngineMode)
diff --git a/pkg/domain/infra/tunnel/containers.go b/pkg/domain/infra/tunnel/containers.go
index e65fef0a4..ad7688f62 100644
--- a/pkg/domain/infra/tunnel/containers.go
+++ b/pkg/domain/infra/tunnel/containers.go
@@ -360,11 +360,12 @@ func (ic *ContainerEngine) ContainerCreate(ctx context.Context, s *specgen.SpecG
 func (ic *ContainerEngine) ContainerLogs(_ context.Context, nameOrIDs []string, options entities.ContainerLogsOptions) error {
 	since := options.Since.Format(time.RFC3339)
 	tail := strconv.FormatInt(options.Tail, 10)
-	stdout := options.Writer != nil
+	stdout := options.StdoutWriter != nil
+	stderr := options.StderrWriter != nil
 	opts := containers.LogOptions{
 		Follow:     &options.Follow,
 		Since:      &since,
-		Stderr:     &stdout,
+		Stderr:     &stderr,
 		Stdout:     &stdout,
 		Tail:       &tail,
 		Timestamps: &options.Timestamps,
@@ -372,10 +373,11 @@ func (ic *ContainerEngine) ContainerLogs(_ context.Context, nameOrIDs []string,
 	}
 
 	var err error
-	outCh := make(chan string)
+	stdoutCh := make(chan string)
+	stderrCh := make(chan string)
 	ctx, cancel := context.WithCancel(context.Background())
 	go func() {
-		err = containers.Logs(ic.ClientCxt, nameOrIDs[0], opts, outCh, outCh)
+		err = containers.Logs(ic.ClientCxt, nameOrIDs[0], opts, stdoutCh, stderrCh)
 		cancel()
 	}()
 
@@ -383,8 +385,14 @@ func (ic *ContainerEngine) ContainerLogs(_ context.Context, nameOrIDs []string,
 		select {
 		case <-ctx.Done():
 			return err
-		case line := <-outCh:
-			_, _ = io.WriteString(options.Writer, line+"\n")
+		case line := <-stdoutCh:
+			if options.StdoutWriter != nil {
+				_, _ = io.WriteString(options.StdoutWriter, line+"\n")
+			}
+		case line := <-stderrCh:
+			if options.StderrWriter != nil {
+				_, _ = io.WriteString(options.StderrWriter, line+"\n")
+			}
 		}
 	}
 }
@@ -515,6 +523,29 @@ func (ic *ContainerEngine) ContainerStart(ctx context.Context, namesOrIds []stri
 				reports = append(reports, &report)
 				return reports, errors.Wrapf(report.Err, "unable to start container %s", name)
 			}
+			if ctr.AutoRemove {
+				// Defer the removal, so we can return early if needed and
+				// de-spaghetti the code.
+				defer func() {
+					shouldRestart, err := containers.ShouldRestart(ic.ClientCxt, ctr.ID)
+					if err != nil {
+						logrus.Errorf("Failed to check if %s should restart: %v", ctr.ID, err)
+						return
+					}
+
+					if !shouldRestart {
+						if err := containers.Remove(ic.ClientCxt, ctr.ID, bindings.PFalse, bindings.PTrue); err != nil {
+							if errorhandling.Contains(err, define.ErrNoSuchCtr) ||
+								errorhandling.Contains(err, define.ErrCtrRemoved) {
+								logrus.Warnf("Container %s does not exist: %v", ctr.ID, err)
+							} else {
+								logrus.Errorf("Error removing container %s: %v", ctr.ID, err)
+							}
+						}
+					}
+				}()
+			}
+
 			exitCode, err := containers.Wait(ic.ClientCxt, name, nil)
 			if err == define.ErrNoSuchCtr {
 				// Check events
@@ -535,6 +566,16 @@ func (ic *ContainerEngine) ContainerStart(ctx context.Context, namesOrIds []stri
 		if !ctrRunning {
 			err = containers.Start(ic.ClientCxt, name, &options.DetachKeys)
 			if err != nil {
+				if ctr.AutoRemove {
+					if err := containers.Remove(ic.ClientCxt, ctr.ID, bindings.PFalse, bindings.PTrue); err != nil {
+						if errorhandling.Contains(err, define.ErrNoSuchCtr) ||
+							errorhandling.Contains(err, define.ErrCtrRemoved) {
+							logrus.Warnf("Container %s does not exist: %v", ctr.ID, err)
+						} else {
+							logrus.Errorf("Error removing container %s: %v", ctr.ID, err)
+						}
+					}
+				}
 				report.Err = errors.Wrapf(err, "unable to start container %q", name)
 				report.ExitCode = define.ExitCode(err)
 				reports = append(reports, &report)