5 files changed, 103 insertions, 7 deletions
diff --git a/pkg/specgen/generate/container.go b/pkg/specgen/generate/container.go
index 147ebd61b..2ee8f2441 100644
--- a/pkg/specgen/generate/container.go
+++ b/pkg/specgen/generate/container.go
@@ -13,6 +13,7 @@ import (
 	"github.com/containers/podman/v2/pkg/specgen"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
 )
 
@@ -33,7 +34,43 @@ func CompleteSpec(ctx context.Context, r *libpod.Runtime, s *specgen.SpecGenerat
 
 		_, mediaType, err := newImage.Manifest(ctx)
 		if err != nil {
-			return nil, err
+			if errors.Cause(err) != image.ErrImageIsBareList {
+				return nil, err
+			}
+			// if err is not runnable image
+			// use the local store image with repo@digest matches with the list, if exists
+			manifestByte, manifestType, err := newImage.GetManifest(ctx, nil)
+			if err != nil {
+				return nil, err
+			}
+			list, err := manifest.ListFromBlob(manifestByte, manifestType)
+			if err != nil {
+				return nil, err
+			}
+			images, err := r.ImageRuntime().GetImages()
+			if err != nil {
+				return nil, err
+			}
+			findLocal := false
+			listDigest, err := list.ChooseInstance(r.SystemContext())
+			if err != nil {
+				return nil, err
+			}
+			for _, img := range images {
+				for _, imageDigest := range img.Digests() {
+					if imageDigest == listDigest {
+						newImage = img
+						s.Image = img.ID()
+						mediaType = manifestType
+						findLocal = true
+						logrus.Debug("image contains manifest list, using image from local storage")
+						break
+					}
+				}
+			}
+			if !findLocal {
+				return nil, image.ErrImageIsBareList
+			}
 		}
 
 		if s.HealthConfig == nil && mediaType == manifest.DockerV2Schema2MediaType {
@@ -75,8 +112,8 @@ func CompleteSpec(ctx context.Context, r *libpod.Runtime, s *specgen.SpecGenerat
 	if err != nil {
 		return nil, errors.Wrap(err, "error parsing fields in containers.conf")
 	}
-	if defaultEnvs["containers"] == "" {
-		defaultEnvs["containers"] = "podman"
+	if defaultEnvs["container"] == "" {
+		defaultEnvs["container"] = "podman"
 	}
 	var envs map[string]string
 
diff --git a/pkg/specgen/generate/container_create.go b/pkg/specgen/generate/container_create.go
index fda4c098c..2ac3b376f 100644
--- a/pkg/specgen/generate/container_create.go
+++ b/pkg/specgen/generate/container_create.go
@@ -95,7 +95,7 @@ func MakeContainer(ctx context.Context, rt *libpod.Runtime, s *specgen.SpecGener
 		if len(names) > 0 {
 			imgName = names[0]
 		}
-		options = append(options, libpod.WithRootFSFromImage(newImage.ID(), imgName, s.Image))
+		options = append(options, libpod.WithRootFSFromImage(newImage.ID(), imgName, s.RawImageName))
 	}
 	if err := s.Validate(); err != nil {
 		return nil, errors.Wrap(err, "invalid config provided")
diff --git a/pkg/specgen/generate/pod_create.go b/pkg/specgen/generate/pod_create.go
index 0bd39d5a4..43caf0fe9 100644
--- a/pkg/specgen/generate/pod_create.go
+++ b/pkg/specgen/generate/pod_create.go
@@ -84,12 +84,24 @@ func createPodOptions(p *specgen.PodSpecGenerator, rt *libpod.Runtime) ([]libpod
 	if len(p.CNINetworks) > 0 {
 		options = append(options, libpod.WithPodNetworks(p.CNINetworks))
 	}
+
+	if len(p.InfraImage) > 0 {
+		options = append(options, libpod.WithInfraImage(p.InfraImage))
+	}
+
+	if len(p.InfraCommand) > 0 {
+		options = append(options, libpod.WithInfraCommand(p.InfraCommand))
+	}
+
 	switch p.NetNS.NSMode {
 	case specgen.Bridge, specgen.Default, "":
 		logrus.Debugf("Pod using default network mode")
 	case specgen.Host:
 		logrus.Debugf("Pod will use host networking")
 		options = append(options, libpod.WithPodHostNetwork())
+	case specgen.Slirp:
+		logrus.Debugf("Pod will use slirp4netns")
+		options = append(options, libpod.WithPodSlirp4netns(p.NetworkOptions))
 	default:
 		return nil, errors.Errorf("pods presently do not support network mode %s", p.NetNS.NSMode)
 	}
diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go
index 87e8029a7..d17cd4a9a 100644
--- a/pkg/specgen/generate/security.go
+++ b/pkg/specgen/generate/security.go
@@ -7,6 +7,7 @@ import (
 	"github.com/containers/common/pkg/capabilities"
 	"github.com/containers/common/pkg/config"
 	"github.com/containers/podman/v2/libpod"
+	"github.com/containers/podman/v2/libpod/define"
 	"github.com/containers/podman/v2/libpod/image"
 	"github.com/containers/podman/v2/pkg/specgen"
 	"github.com/containers/podman/v2/pkg/util"
@@ -130,12 +131,13 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
 	}
 
 	configSpec := g.Config
+	configSpec.Process.Capabilities.Ambient = []string{}
 	configSpec.Process.Capabilities.Bounding = caplist
+	configSpec.Process.Capabilities.Inheritable = caplist
 
 	if s.User == "" || s.User == "root" || s.User == "0" {
 		configSpec.Process.Capabilities.Effective = caplist
 		configSpec.Process.Capabilities.Permitted = caplist
-		configSpec.Process.Capabilities.Inheritable = caplist
 	} else {
 		userCaps, err := capabilities.NormalizeCapabilities(s.CapAdd)
 		if err != nil {
@@ -167,7 +169,52 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
 	}
 
 	g.SetRootReadonly(s.ReadOnlyFilesystem)
+
+	// Add default sysctls
+	defaultSysctls, err := util.ValidateSysctls(rtc.Sysctls())
+	if err != nil {
+		return err
+	}
+	for sysctlKey, sysctlVal := range defaultSysctls {
+
+		// Ignore mqueue sysctls if --ipc=host
+		if s.IpcNS.IsHost() && strings.HasPrefix(sysctlKey, "fs.mqueue.") {
+			logrus.Infof("Sysctl %s=%s ignored in containers.conf, since IPC Namespace set to host", sysctlKey, sysctlVal)
+
+			continue
+		}
+
+		// Ignore net sysctls if --net=host
+		if s.NetNS.IsHost() && strings.HasPrefix(sysctlKey, "net.") {
+			logrus.Infof("Sysctl %s=%s ignored in containers.conf, since Network Namespace set to host", sysctlKey, sysctlVal)
+			continue
+		}
+
+		// Ignore uts sysctls if --uts=host
+		if s.UtsNS.IsHost() && (strings.HasPrefix(sysctlKey, "kernel.domainname") || strings.HasPrefix(sysctlKey, "kernel.hostname")) {
+			logrus.Infof("Sysctl %s=%s ignored in containers.conf, since UTS Namespace set to host", sysctlKey, sysctlVal)
+			continue
+		}
+
+		g.AddLinuxSysctl(sysctlKey, sysctlVal)
+	}
+
 	for sysctlKey, sysctlVal := range s.Sysctl {
+
+		if s.IpcNS.IsHost() && strings.HasPrefix(sysctlKey, "fs.mqueue.") {
+			return errors.Wrapf(define.ErrInvalidArg, "sysctl %s=%s can't be set since IPC Namespace set to host", sysctlKey, sysctlVal)
+		}
+
+		// Ignore net sysctls if --net=host
+		if s.NetNS.IsHost() && strings.HasPrefix(sysctlKey, "net.") {
+			return errors.Wrapf(define.ErrInvalidArg, "sysctl %s=%s can't be set since Host Namespace set to host", sysctlKey, sysctlVal)
+		}
+
+		// Ignore uts sysctls if --uts=host
+		if s.UtsNS.IsHost() && (strings.HasPrefix(sysctlKey, "kernel.domainname") || strings.HasPrefix(sysctlKey, "kernel.hostname")) {
+			return errors.Wrapf(define.ErrInvalidArg, "sysctl %s=%s can't be set since UTS Namespace set to host", sysctlKey, sysctlVal)
+		}
+
 		g.AddLinuxSysctl(sysctlKey, sysctlVal)
 	}
 
diff --git a/pkg/specgen/generate/storage.go b/pkg/specgen/generate/storage.go
index 7f55317ff..b225f79ee 100644
--- a/pkg/specgen/generate/storage.go
+++ b/pkg/specgen/generate/storage.go
@@ -195,9 +195,9 @@ func getVolumesFrom(volumesFrom []string, runtime *libpod.Runtime) (map[string]s
 		splitVol := strings.SplitN(volume, ":", 2)
 		if len(splitVol) == 2 {
 			splitOpts := strings.Split(splitVol[1], ",")
+			setRORW := false
+			setZ := false
 			for _, opt := range splitOpts {
-				setRORW := false
-				setZ := false
 				switch opt {
 				case "z":
 					if setZ {