7 files changed, 88 insertions, 38 deletions
diff --git a/pkg/domain/entities/generate.go b/pkg/domain/entities/generate.go
index e431a70af..73dd64ecd 100644
--- a/pkg/domain/entities/generate.go
+++ b/pkg/domain/entities/generate.go
@@ -26,6 +26,12 @@ type GenerateSystemdOptions struct {
 	NoHeader bool
 	// TemplateUnitFile - make use of %i and %I to differentiate between the different instances of the unit
 	TemplateUnitFile bool
+	// Wants - systemd wants list for the container or pods
+	Wants []string
+	// After - systemd after list for the container or pods
+	After []string
+	// Requires - systemd requires list for the container or pods
+	Requires []string
 }
 
 // GenerateSystemdReport
diff --git a/pkg/domain/entities/network.go b/pkg/domain/entities/network.go
index 79edc3227..a057640b3 100644
--- a/pkg/domain/entities/network.go
+++ b/pkg/domain/entities/network.go
@@ -43,12 +43,12 @@ type NetworkRmReport struct {
 type NetworkCreateOptions struct {
 	DisableDNS bool
 	Driver     string
-	Gateway    net.IP
+	Gateways   []net.IP
 	Internal   bool
 	Labels     map[string]string
 	MacVLAN    string
-	Range      net.IPNet
-	Subnet     net.IPNet
+	Ranges     []string
+	Subnets    []string
 	IPv6       bool
 	// Mapping of driver options and values.
 	Options map[string]string
diff --git a/pkg/domain/infra/abi/images.go b/pkg/domain/infra/abi/images.go
index 3adf9b26c..0b1281aac 100644
--- a/pkg/domain/infra/abi/images.go
+++ b/pkg/domain/infra/abi/images.go
@@ -12,6 +12,7 @@ import (
 	"path/filepath"
 	"strconv"
 	"strings"
+	"syscall"
 
 	"github.com/containers/common/libimage"
 	"github.com/containers/common/pkg/config"
@@ -94,7 +95,9 @@ func (ir *ImageEngine) Prune(ctx context.Context, opts entities.ImagePruneOption
 func toDomainHistoryLayer(layer *libimage.ImageHistory) entities.ImageHistoryLayer {
 	l := entities.ImageHistoryLayer{}
 	l.ID = layer.ID
-	l.Created = *layer.Created
+	if layer.Created != nil {
+		l.Created = *layer.Created
+	}
 	l.CreatedBy = layer.CreatedBy
 	copy(l.Tags, layer.Tags)
 	l.Size = layer.Size
@@ -780,7 +783,7 @@ func transferRootless(source entities.ImageScpOptions, dest entities.ImageScpOpt
 	return cmdLoad.Run()
 }
 
-// TransferRootful creates new podman processes using exec.Command and su/machinectl, transferring images between the given source and destination users
+// TransferRootful creates new podman processes using exec.Command and a new uid/gid alongside a cleared environment
 func transferRootful(source entities.ImageScpOptions, dest entities.ImageScpOptions, podman string, parentFlags []string) error {
 	basicCommand := []string{podman}
 	basicCommand = append(basicCommand, parentFlags...)
@@ -792,12 +795,9 @@ func transferRootful(source entities.ImageScpOptions, dest entities.ImageScpOpti
 	}
 	saveCommand = append(saveCommand, []string{"--output", source.File, source.Image}...)
 	loadCommand = append(loadCommand, []string{"--input", dest.File}...)
-	save := []string{strings.Join(saveCommand, " ")}
-	load := []string{strings.Join(loadCommand, " ")}
 
-	// if executing using sudo or transferring between two users, the TransferRootless approach will not work, default to using machinectl or su as necessary.
-	// the approach using sudo is preferable and more straightforward. There is no reason for using sudo in these situations
-	// since the feature is meant to transfer from root to rootless an vice versa without explicit sudo evocaiton.
+	// if executing using sudo or transferring between two users, the TransferRootless approach will not work, the new process needs to be set up
+	// with the proper uid and gid as well as environmental variables.
 	var uSave *user.User
 	var uLoad *user.User
 	var err error
@@ -828,20 +828,11 @@ func transferRootful(source entities.ImageScpOptions, dest entities.ImageScpOpti
 			return err
 		}
 	}
-	machinectl, err := exec.LookPath("machinectl")
-	if err != nil {
-		logrus.Warn("defaulting to su since machinectl is not available, su will fail if no user session is available")
-		err = execSu(uSave, save)
-		if err != nil {
-			return err
-		}
-		return execSu(uLoad, load)
-	}
-	err = execMachine(uSave, saveCommand, machinectl)
+	err = execPodman(uSave, saveCommand)
 	if err != nil {
 		return err
 	}
-	return execMachine(uLoad, loadCommand, machinectl)
+	return execPodman(uLoad, loadCommand)
 }
 
 func lookupUser(u string) (*user.User, error) {
@@ -851,21 +842,37 @@ func lookupUser(u string) (*user.User, error) {
 	return user.Lookup(u)
 }
 
-func execSu(execUser *user.User, command []string) error {
-	cmd := exec.Command("su", "-l", execUser.Username, "--command")
-	cmd = utils.CreateSCPCommand(cmd, command)
-	logrus.Debugf("Executing via su: %q", cmd)
-	return cmd.Run()
-}
-
-func execMachine(execUser *user.User, command []string, machinectl string) error {
-	verb := machinectl
-	args := []string{"shell", "-q", execUser.Username + "@.host"}
-	if execUser.Uid == "0" {
-		args = append([]string{verb}, args...)
-		verb = "sudo"
+func execPodman(execUser *user.User, command []string) error {
+	cmdLogin, err := utils.LoginUser(execUser.Username)
+	if err != nil {
+		return err
+	}
+	defer func() error {
+		err := cmdLogin.Process.Kill()
+		if err != nil {
+			return err
+		}
+		return cmdLogin.Wait()
+	}()
+	cmd := exec.Command(command[0], command[1:]...)
+	cmd.Env = []string{"PATH=" + os.Getenv("PATH"), "TERM=" + os.Getenv("TERM")}
+	cmd.Stderr = os.Stderr
+	cmd.Stdout = os.Stdout
+	uid, err := strconv.ParseInt(execUser.Uid, 10, 32)
+	if err != nil {
+		return err
+	}
+	gid, err := strconv.ParseInt(execUser.Gid, 10, 32)
+	if err != nil {
+		return err
+	}
+	cmd.SysProcAttr = &syscall.SysProcAttr{
+		Credential: &syscall.Credential{
+			Uid:         uint32(uid),
+			Gid:         uint32(gid),
+			Groups:      nil,
+			NoSetGroups: false,
+		},
 	}
-	cmd := utils.CreateSCPCommand(exec.Command(verb, args...), command)
-	logrus.Debugf("Executing via machinectl: %q", cmd)
 	return cmd.Run()
 }
diff --git a/pkg/domain/infra/abi/images_test.go b/pkg/domain/infra/abi/images_test.go
index 20ef1b150..e38b9390d 100644
--- a/pkg/domain/infra/abi/images_test.go
+++ b/pkg/domain/infra/abi/images_test.go
@@ -1,5 +1,22 @@
 package abi
 
+import (
+	"testing"
+
+	"github.com/containers/common/libimage"
+	"github.com/stretchr/testify/assert"
+)
+
+// This is really intended to verify what happens with a
+// nil pointer in layer.Created, but we'll just sanity
+// check round tripping 42.
+func TestToDomainHistoryLayer(t *testing.T) {
+	var layer libimage.ImageHistory
+	layer.Size = 42
+	newLayer := toDomainHistoryLayer(&layer)
+	assert.Equal(t, layer.Size, newLayer.Size)
+}
+
 //
 // import (
 // 	"context"
diff --git a/pkg/domain/infra/abi/play.go b/pkg/domain/infra/abi/play.go
index 86a60e92d..cad8c4609 100644
--- a/pkg/domain/infra/abi/play.go
+++ b/pkg/domain/infra/abi/play.go
@@ -365,6 +365,11 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY
 		if err != nil {
 			return nil, err
 		}
+
+		for k, v := range podSpec.PodSpecGen.Labels { // add podYAML labels
+			labels[k] = v
+		}
+
 		specgenOpts := kube.CtrSpecGenOptions{
 			Annotations:       annotations,
 			Container:         initCtr,
@@ -405,7 +410,12 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY
 				return nil, err
 			}
 
+			for k, v := range podSpec.PodSpecGen.Labels { // add podYAML labels
+				labels[k] = v
+			}
+
 			specgenOpts := kube.CtrSpecGenOptions{
+				Annotations:    annotations,
 				Container:      container,
 				Image:          pulledImage,
 				Volumes:        volumes,
diff --git a/pkg/domain/infra/runtime_libpod.go b/pkg/domain/infra/runtime_libpod.go
index 519af5ab7..f9ceb9305 100644
--- a/pkg/domain/infra/runtime_libpod.go
+++ b/pkg/domain/infra/runtime_libpod.go
@@ -223,7 +223,7 @@ func getRuntime(ctx context.Context, fs *flag.FlagSet, opts *engineOpts) (*libpo
 	// TODO flag to set libpod static dir?
 	// TODO flag to set libpod tmp dir?
 
-	if fs.Changed("cni-config-dir") {
+	if fs.Changed("network-config-dir") {
 		options = append(options, libpod.WithCNIConfigDir(cfg.Network.NetworkConfigDir))
 	}
 	if fs.Changed("default-mounts-file") {
diff --git a/pkg/domain/infra/tunnel/generate.go b/pkg/domain/infra/tunnel/generate.go
index 49b66e908..235d478ec 100644
--- a/pkg/domain/infra/tunnel/generate.go
+++ b/pkg/domain/infra/tunnel/generate.go
@@ -8,7 +8,17 @@ import (
 )
 
 func (ic *ContainerEngine) GenerateSystemd(ctx context.Context, nameOrID string, opts entities.GenerateSystemdOptions) (*entities.GenerateSystemdReport, error) {
-	options := new(generate.SystemdOptions).WithUseName(opts.Name).WithContainerPrefix(opts.ContainerPrefix).WithNew(opts.New).WithNoHeader(opts.NoHeader).WithTemplateUnitFile(opts.TemplateUnitFile).WithPodPrefix(opts.PodPrefix).WithSeparator(opts.Separator)
+	options := new(
+		generate.SystemdOptions).
+		WithUseName(opts.Name).
+		WithContainerPrefix(opts.ContainerPrefix).
+		WithNew(opts.New).WithNoHeader(opts.NoHeader).
+		WithTemplateUnitFile(opts.TemplateUnitFile).
+		WithPodPrefix(opts.PodPrefix).
+		WithSeparator(opts.Separator).
+		WithWants(opts.Wants).
+		WithAfter(opts.After).
+		WithRequires(opts.Requires)
 
 	if opts.StartTimeout != nil {
 		options.WithStartTimeout(*opts.StartTimeout)