11 files changed, 83 insertions, 167 deletions

diff --git a/pkg/domain/infra/abi/containers.go b/pkg/domain/infra/abi/containers.go
index 5b5bc665e..0a8e5bc2f 100644
--- a/pkg/domain/infra/abi/containers.go
+++ b/pkg/domain/infra/abi/containers.go
@@ -309,31 +309,42 @@ func (ic *ContainerEngine) ContainerKill(ctx context.Context, namesOrIds []strin
 
 func (ic *ContainerEngine) ContainerRestart(ctx context.Context, namesOrIds []string, options entities.RestartOptions) ([]*entities.RestartReport, error) {
 	var (
-		ctrs []*libpod.Container
-		err  error
+		ctrs      []*libpod.Container
+		err       error
+		rawInputs = []string{}
 	)
 
 	if options.Running {
 		ctrs, err = ic.Libpod.GetRunningContainers()
+		for _, candidate := range ctrs {
+			rawInputs = append(rawInputs, candidate.ID())
+		}
+
 		if err != nil {
 			return nil, err
 		}
 	} else {
-		ctrs, err = getContainersByContext(options.All, options.Latest, namesOrIds, ic.Libpod)
+		ctrs, rawInputs, err = getContainersAndInputByContext(options.All, options.Latest, namesOrIds, options.Filters, ic.Libpod)
 		if err != nil {
 			return nil, err
 		}
 	}
-
+	idToRawInput := map[string]string{}
+	if len(rawInputs) == len(ctrs) {
+		for i := range ctrs {
+			idToRawInput[ctrs[i].ID()] = rawInputs[i]
+		}
+	}
 	reports := make([]*entities.RestartReport, 0, len(ctrs))
-	for _, con := range ctrs {
-		timeout := con.StopTimeout()
+	for _, c := range ctrs {
+		timeout := c.StopTimeout()
 		if options.Timeout != nil {
 			timeout = *options.Timeout
 		}
 		reports = append(reports, &entities.RestartReport{
-			Id:  con.ID(),
-			Err: con.RestartWithTimeout(ctx, timeout),
+			Id:       c.ID(),
+			Err:      c.RestartWithTimeout(ctx, timeout),
+			RawInput: idToRawInput[c.ID()],
 		})
 	}
 	return reports, nil
@@ -370,7 +381,7 @@ func (ic *ContainerEngine) ContainerRm(ctx context.Context, namesOrIds []string,
 	// this will fail and code will fall through to removing the container from libpod.`
 	tmpNames := []string{}
 	for _, ctr := range names {
-		report := reports.RmReport{Id: ctr, RawInput: ctr}
+		report := reports.RmReport{Id: ctr}
 		report.Err = ic.Libpod.RemoveStorageContainer(ctr, options.Force)
 		//nolint:gocritic
 		if report.Err == nil {
@@ -927,13 +938,15 @@ func (ic *ContainerEngine) ContainerStart(ctx context.Context, namesOrIds []stri
 	if err != nil {
 		return nil, err
 	}
+	idToRawInput := map[string]string{}
+	if len(rawInputs) == len(ctrs) {
+		for i := range ctrs {
+			idToRawInput[ctrs[i].ID()] = rawInputs[i]
+		}
+	}
 	// There can only be one container if attach was used
 	for i := range ctrs {
 		ctr := ctrs[i]
-		rawInput := ctr.ID()
-		if !options.All {
-			rawInput = rawInputs[i]
-		}
 		ctrState, err := ctr.State()
 		if err != nil {
 			return nil, err
@@ -947,7 +960,7 @@ func (ic *ContainerEngine) ContainerStart(ctx context.Context, namesOrIds []stri
 				// Exit cleanly immediately
 				reports = append(reports, &entities.ContainerStartReport{
 					Id:       ctr.ID(),
-					RawInput: rawInput,
+					RawInput: idToRawInput[ctr.ID()],
 					Err:      nil,
 					ExitCode: 0,
 				})
@@ -958,7 +971,7 @@ func (ic *ContainerEngine) ContainerStart(ctx context.Context, namesOrIds []stri
 				logrus.Debugf("Deadlock error: %v", err)
 				reports = append(reports, &entities.ContainerStartReport{
 					Id:       ctr.ID(),
-					RawInput: rawInput,
+					RawInput: idToRawInput[ctr.ID()],
 					Err:      err,
 					ExitCode: define.ExitCode(err),
 				})
@@ -968,7 +981,7 @@ func (ic *ContainerEngine) ContainerStart(ctx context.Context, namesOrIds []stri
 			if ctrRunning {
 				reports = append(reports, &entities.ContainerStartReport{
 					Id:       ctr.ID(),
-					RawInput: rawInput,
+					RawInput: idToRawInput[ctr.ID()],
 					Err:      nil,
 					ExitCode: 0,
 				})
@@ -978,7 +991,7 @@ func (ic *ContainerEngine) ContainerStart(ctx context.Context, namesOrIds []stri
 			if err != nil {
 				reports = append(reports, &entities.ContainerStartReport{
 					Id:       ctr.ID(),
-					RawInput: rawInput,
+					RawInput: idToRawInput[ctr.ID()],
 					Err:      err,
 					ExitCode: exitCode,
 				})
@@ -993,7 +1006,7 @@ func (ic *ContainerEngine) ContainerStart(ctx context.Context, namesOrIds []stri
 			exitCode = ic.GetContainerExitCode(ctx, ctr)
 			reports = append(reports, &entities.ContainerStartReport{
 				Id:       ctr.ID(),
-				RawInput: rawInput,
+				RawInput: idToRawInput[ctr.ID()],
 				Err:      err,
 				ExitCode: exitCode,
 			})
@@ -1006,7 +1019,7 @@ func (ic *ContainerEngine) ContainerStart(ctx context.Context, namesOrIds []stri
 			// If the container is in a pod, also set to recursively start dependencies
 			report := &entities.ContainerStartReport{
 				Id:       ctr.ID(),
-				RawInput: rawInput,
+				RawInput: idToRawInput[ctr.ID()],
 				ExitCode: 125,
 			}
 			if err := ctr.Start(ctx, true); err != nil {
diff --git a/pkg/domain/infra/abi/images.go b/pkg/domain/infra/abi/images.go
index 77d1bf0db..f9839f62f 100644
--- a/pkg/domain/infra/abi/images.go
+++ b/pkg/domain/infra/abi/images.go
@@ -237,8 +237,9 @@ func (ir *ImageEngine) Pull(ctx context.Context, rawImage string, options entiti
 	pullOptions.Variant = options.Variant
 	pullOptions.SignaturePolicyPath = options.SignaturePolicy
 	pullOptions.InsecureSkipTLSVerify = options.SkipTLSVerify
+	pullOptions.Writer = options.Writer
 
-	if !options.Quiet {
+	if !options.Quiet && pullOptions.Writer == nil {
 		pullOptions.Writer = os.Stderr
 	}
 
diff --git a/pkg/domain/infra/abi/manifest.go b/pkg/domain/infra/abi/manifest.go
index e0c11267e..7e8c86526 100644
--- a/pkg/domain/infra/abi/manifest.go
+++ b/pkg/domain/infra/abi/manifest.go
@@ -32,7 +32,15 @@ func (ir *ImageEngine) ManifestCreate(ctx context.Context, name string, images [
 
 	manifestList, err := ir.Libpod.LibimageRuntime().CreateManifestList(name)
 	if err != nil {
-		return "", err
+		if errors.Is(err, storage.ErrDuplicateName) && opts.Amend {
+			amendList, amendErr := ir.Libpod.LibimageRuntime().LookupManifestList(name)
+			if amendErr != nil {
+				return "", err
+			}
+			manifestList = amendList
+		} else {
+			return "", err
+		}
 	}
 
 	addOptions := &libimage.ManifestListAddOptions{All: opts.All}
diff --git a/pkg/domain/infra/abi/parse/parse.go b/pkg/domain/infra/abi/parse/parse.go
index 19699589b..fb2876bb2 100644
--- a/pkg/domain/infra/abi/parse/parse.go
+++ b/pkg/domain/infra/abi/parse/parse.go
@@ -86,8 +86,11 @@ func VolumeOptions(opts map[string]string) ([]libpod.VolumeCreateOption, error)
 					if err != nil {
 						return nil, fmt.Errorf("cannot convert Timeout %s to an integer: %w", splitO[1], err)
 					}
+					if intTimeout < 0 {
+						return nil, fmt.Errorf("volume timeout cannot be negative (got %d)", intTimeout)
+					}
 					logrus.Debugf("Removing timeout from options and adding WithTimeout for Timeout %d", intTimeout)
-					libpodOptions = append(libpodOptions, libpod.WithVolumeDriverTimeout(intTimeout))
+					libpodOptions = append(libpodOptions, libpod.WithVolumeDriverTimeout(uint(intTimeout)))
 				default:
 					finalVal = append(finalVal, o)
 				}
diff --git a/pkg/domain/infra/abi/terminal/sigproxy_linux.go b/pkg/domain/infra/abi/terminal/sigproxy_commn.go
index 16d345f06..3a0132ef3 100644
--- a/pkg/domain/infra/abi/terminal/sigproxy_linux.go
+++ b/pkg/domain/infra/abi/terminal/sigproxy_commn.go
@@ -1,3 +1,6 @@
+//go:build linux || freebsd
+// +build linux freebsd
+
 package terminal
 
 import (
diff --git a/pkg/domain/infra/abi/terminal/terminal_linux.go b/pkg/domain/infra/abi/terminal/terminal_common.go
index 222590871..afae2c085 100644
--- a/pkg/domain/infra/abi/terminal/terminal_linux.go
+++ b/pkg/domain/infra/abi/terminal/terminal_common.go
@@ -1,3 +1,6 @@
+//go:build linux || freebsd
+// +build linux freebsd
+
 package terminal
 
 import (
diff --git a/pkg/domain/infra/abi/terminal/terminal_unsupported.go b/pkg/domain/infra/abi/terminal/terminal_unsupported.go
index 8fe325736..21ed6c8d4 100644
--- a/pkg/domain/infra/abi/terminal/terminal_unsupported.go
+++ b/pkg/domain/infra/abi/terminal/terminal_unsupported.go
@@ -1,5 +1,5 @@
-//go:build !linux
-// +build !linux
+//go:build !linux && !freebsd
+// +build !linux,!freebsd
 
 package terminal
 
diff --git a/pkg/domain/infra/abi/trust.go b/pkg/domain/infra/abi/trust.go
index 0e3d8fad9..c58ddff06 100644
--- a/pkg/domain/infra/abi/trust.go
+++ b/pkg/domain/infra/abi/trust.go
@@ -2,16 +2,11 @@ package abi
 
 import (
 	"context"
-	"encoding/json"
-	"errors"
 	"fmt"
 	"io/ioutil"
-	"os"
-	"strings"
 
 	"github.com/containers/podman/v4/pkg/domain/entities"
 	"github.com/containers/podman/v4/pkg/trust"
-	"github.com/sirupsen/logrus"
 )
 
 func (ir *ImageEngine) ShowTrust(ctx context.Context, args []string, options entities.ShowTrustOptions) (*entities.ShowTrustReport, error) {
@@ -34,11 +29,7 @@ func (ir *ImageEngine) ShowTrust(ctx context.Context, args []string, options ent
 	if len(options.RegistryPath) > 0 {
 		report.SystemRegistriesDirPath = options.RegistryPath
 	}
-	policyContentStruct, err := trust.GetPolicy(policyPath)
-	if err != nil {
-		return nil, fmt.Errorf("could not read trust policies: %w", err)
-	}
-	report.Policies, err = getPolicyShowOutput(policyContentStruct, report.SystemRegistriesDirPath)
+	report.Policies, err = trust.PolicyDescription(policyPath, report.SystemRegistriesDirPath)
 	if err != nil {
 		return nil, fmt.Errorf("could not show trust policies: %w", err)
 	}
@@ -46,133 +37,19 @@ func (ir *ImageEngine) ShowTrust(ctx context.Context, args []string, options ent
 }
 
 func (ir *ImageEngine) SetTrust(ctx context.Context, args []string, options entities.SetTrustOptions) error {
-	var (
-		policyContentStruct trust.PolicyContent
-		newReposContent     []trust.RepoContent
-	)
-	trustType := options.Type
-	if trustType == "accept" {
-		trustType = "insecureAcceptAnything"
-	}
-
-	pubkeysfile := options.PubKeysFile
-	if len(pubkeysfile) == 0 && trustType == "signedBy" {
-		return errors.New("at least one public key must be defined for type 'signedBy'")
+	if len(args) != 1 {
+		return fmt.Errorf("SetTrust called with unexpected %d args", len(args))
 	}
+	scope := args[0]
 
 	policyPath := trust.DefaultPolicyPath(ir.Libpod.SystemContext())
 	if len(options.PolicyPath) > 0 {
 		policyPath = options.PolicyPath
 	}
-	_, err := os.Stat(policyPath)
-	if !os.IsNotExist(err) {
-		policyContent, err := ioutil.ReadFile(policyPath)
-		if err != nil {
-			return err
-		}
-		if err := json.Unmarshal(policyContent, &policyContentStruct); err != nil {
-			return errors.New("could not read trust policies")
-		}
-	}
-	if len(pubkeysfile) != 0 {
-		for _, filepath := range pubkeysfile {
-			newReposContent = append(newReposContent, trust.RepoContent{Type: trustType, KeyType: "GPGKeys", KeyPath: filepath})
-		}
-	} else {
-		newReposContent = append(newReposContent, trust.RepoContent{Type: trustType})
-	}
-	if args[0] == "default" {
-		policyContentStruct.Default = newReposContent
-	} else {
-		if len(policyContentStruct.Default) == 0 {
-			return errors.New("default trust policy must be set")
-		}
-		registryExists := false
-		for transport, transportval := range policyContentStruct.Transports {
-			_, registryExists = transportval[args[0]]
-			if registryExists {
-				policyContentStruct.Transports[transport][args[0]] = newReposContent
-				break
-			}
-		}
-		if !registryExists {
-			if policyContentStruct.Transports == nil {
-				policyContentStruct.Transports = make(map[string]trust.RepoMap)
-			}
-			if policyContentStruct.Transports["docker"] == nil {
-				policyContentStruct.Transports["docker"] = make(map[string][]trust.RepoContent)
-			}
-			policyContentStruct.Transports["docker"][args[0]] = append(policyContentStruct.Transports["docker"][args[0]], newReposContent...)
-		}
-	}
-
-	data, err := json.MarshalIndent(policyContentStruct, "", "    ")
-	if err != nil {
-		return fmt.Errorf("error setting trust policy: %w", err)
-	}
-	return ioutil.WriteFile(policyPath, data, 0644)
-}
-
-func getPolicyShowOutput(policyContentStruct trust.PolicyContent, systemRegistriesDirPath string) ([]*trust.Policy, error) {
-	var output []*trust.Policy
-
-	registryConfigs, err := trust.LoadAndMergeConfig(systemRegistriesDirPath)
-	if err != nil {
-		return nil, err
-	}
-
-	if len(policyContentStruct.Default) > 0 {
-		defaultPolicyStruct := trust.Policy{
-			Transport: "all",
-			Name:      "* (default)",
-			RepoName:  "default",
-			Type:      trustTypeDescription(policyContentStruct.Default[0].Type),
-		}
-		output = append(output, &defaultPolicyStruct)
-	}
-	for transport, transval := range policyContentStruct.Transports {
-		if transport == "docker" {
-			transport = "repository"
-		}
 
-		for repo, repoval := range transval {
-			tempTrustShowOutput := trust.Policy{
-				Name:      repo,
-				RepoName:  repo,
-				Transport: transport,
-				Type:      trustTypeDescription(repoval[0].Type),
-			}
-			// TODO - keyarr is not used and I don't know its intent; commenting out for now for someone to fix later
-			// keyarr := []string{}
-			uids := []string{}
-			for _, repoele := range repoval {
-				if len(repoele.KeyPath) > 0 {
-					// keyarr = append(keyarr, repoele.KeyPath)
-					uids = append(uids, trust.GetGPGIdFromKeyPath(repoele.KeyPath)...)
-				}
-				if len(repoele.KeyData) > 0 {
-					// keyarr = append(keyarr, string(repoele.KeyData))
-					uids = append(uids, trust.GetGPGIdFromKeyData(repoele.KeyData)...)
-				}
-			}
-			tempTrustShowOutput.GPGId = strings.Join(uids, ", ")
-
-			registryNamespace := trust.HaveMatchRegistry(repo, registryConfigs)
-			if registryNamespace != nil {
-				tempTrustShowOutput.SignatureStore = registryNamespace.SigStore
-			}
-			output = append(output, &tempTrustShowOutput)
-		}
-	}
-	return output, nil
-}
-
-var typeDescription = map[string]string{"insecureAcceptAnything": "accept", "signedBy": "signed", "reject": "reject"}
-
-func trustTypeDescription(trustType string) string {
-	trustDescription, exist := typeDescription[trustType]
-	if !exist {
-		logrus.Warnf("Invalid trust type %s", trustType)
-	}
-	return trustDescription
+	return trust.AddPolicyEntries(policyPath, trust.AddPolicyEntriesInput{
+		Scope:       scope,
+		Type:        options.Type,
+		PubKeyFiles: options.PubKeysFile,
+	})
 }
diff --git a/pkg/domain/infra/tunnel/containers.go b/pkg/domain/infra/tunnel/containers.go
index d49f029d5..023bee430 100644
--- a/pkg/domain/infra/tunnel/containers.go
+++ b/pkg/domain/infra/tunnel/containers.go
@@ -183,17 +183,22 @@ func (ic *ContainerEngine) ContainerRestart(ctx context.Context, namesOrIds []st
 	if to := opts.Timeout; to != nil {
 		options.WithTimeout(int(*to))
 	}
-	ctrs, err := getContainersByContext(ic.ClientCtx, opts.All, false, namesOrIds)
+	ctrs, rawInputs, err := getContainersAndInputByContext(ic.ClientCtx, opts.All, false, namesOrIds, opts.Filters)
 	if err != nil {
 		return nil, err
 	}
+	idToRawInput := map[string]string{}
+	for i := range ctrs {
+		idToRawInput[ctrs[i].ID] = rawInputs[i]
+	}
 	for _, c := range ctrs {
 		if opts.Running && c.State != define.ContainerStateRunning.String() {
 			continue
 		}
 		reports = append(reports, &entities.RestartReport{
-			Id:  c.ID,
-			Err: containers.Restart(ic.ClientCtx, c.ID, options),
+			Id:       c.ID,
+			Err:      containers.Restart(ic.ClientCtx, c.ID, options),
+			RawInput: idToRawInput[c.ID],
 		})
 	}
 	return reports, nil
@@ -667,10 +672,16 @@ func logIfRmError(id string, err error, reports []*reports.RmReport) {
 func (ic *ContainerEngine) ContainerStart(ctx context.Context, namesOrIds []string, options entities.ContainerStartOptions) ([]*entities.ContainerStartReport, error) {
 	reports := []*entities.ContainerStartReport{}
 	var exitCode = define.ExecErrorCodeGeneric
-	ctrs, namesOrIds, err := getContainersAndInputByContext(ic.ClientCtx, options.All, false, namesOrIds, options.Filters)
+	ctrs, rawInputs, err := getContainersAndInputByContext(ic.ClientCtx, options.All, false, namesOrIds, options.Filters)
 	if err != nil {
 		return nil, err
 	}
+	idToRawInput := map[string]string{}
+	if len(rawInputs) == len(ctrs) {
+		for i := range ctrs {
+			idToRawInput[ctrs[i].ID] = rawInputs[i]
+		}
+	}
 	removeOptions := new(containers.RemoveOptions).WithVolumes(true).WithForce(false)
 	removeContainer := func(id string) {
 		reports, err := containers.Remove(ic.ClientCtx, id, removeOptions)
@@ -678,15 +689,11 @@ func (ic *ContainerEngine) ContainerStart(ctx context.Context, namesOrIds []stri
 	}
 
 	// There can only be one container if attach was used
-	for i, ctr := range ctrs {
+	for _, ctr := range ctrs {
 		name := ctr.ID
-		rawInput := ctr.ID
-		if !options.All {
-			rawInput = namesOrIds[i]
-		}
 		report := entities.ContainerStartReport{
 			Id:       name,
-			RawInput: rawInput,
+			RawInput: idToRawInput[name],
 			ExitCode: exitCode,
 		}
 		ctrRunning := ctr.State == define.ContainerStateRunning.String()
diff --git a/pkg/domain/infra/tunnel/images.go b/pkg/domain/infra/tunnel/images.go
index bb3014099..2716aaf2a 100644
--- a/pkg/domain/infra/tunnel/images.go
+++ b/pkg/domain/infra/tunnel/images.go
@@ -110,6 +110,7 @@ func (ir *ImageEngine) Pull(ctx context.Context, rawImage string, opts entities.
 	options.WithAllTags(opts.AllTags).WithAuthfile(opts.Authfile).WithArch(opts.Arch).WithOS(opts.OS)
 	options.WithVariant(opts.Variant).WithPassword(opts.Password)
 	options.WithQuiet(opts.Quiet).WithUsername(opts.Username).WithPolicy(opts.PullPolicy.String())
+	options.WithProgressWriter(opts.Writer)
 	if s := opts.SkipTLSVerify; s != types.OptionalBoolUndefined {
 		if s == types.OptionalBoolTrue {
 			options.WithSkipTLSVerify(true)
diff --git a/pkg/domain/infra/tunnel/manifest.go b/pkg/domain/infra/tunnel/manifest.go
index 2a514861d..2e6134051 100644
--- a/pkg/domain/infra/tunnel/manifest.go
+++ b/pkg/domain/infra/tunnel/manifest.go
@@ -15,7 +15,7 @@ import (
 
 // ManifestCreate implements manifest create via ImageEngine
 func (ir *ImageEngine) ManifestCreate(ctx context.Context, name string, images []string, opts entities.ManifestCreateOptions) (string, error) {
-	options := new(manifests.CreateOptions).WithAll(opts.All)
+	options := new(manifests.CreateOptions).WithAll(opts.All).WithAmend(opts.Amend)
 	imageID, err := manifests.Create(ir.ClientCtx, name, images, options)
 	if err != nil {
 		return imageID, fmt.Errorf("error creating manifest: %w", err)