Diffstat (limited to 'pkg/specgen')
-rw-r--r-- | pkg/specgen/generate/config_linux.go | 14 | ||||
-rw-r--r-- | pkg/specgen/generate/container_create.go | 15 | ||||
-rw-r--r-- | pkg/specgen/generate/namespaces.go | 13 | ||||
-rw-r--r-- | pkg/specgen/generate/security.go | 10 | ||||
-rw-r--r-- | pkg/specgen/generate/validate.go | 65 | ||||
-rw-r--r-- | pkg/specgen/specgen.go | 16 |
6 files changed, 108 insertions, 25 deletions
diff --git a/pkg/specgen/generate/config_linux.go b/pkg/specgen/generate/config_linux.go
index fac02ad01..2d40dba8f 100644
--- a/pkg/specgen/generate/config_linux.go
+++ b/pkg/specgen/generate/config_linux.go
@@ -52,7 +52,7 @@ func addPrivilegedDevices(g *generate.Generator) error {
 if err == unix.EPERM {
 continue
 }
- return errors.Wrapf(err, "stat %s", d.Path)
+ return err
 }
 // Skip devices that the user has not access to.
 if st.Mode()&0007 == 0 {
@@ -90,7 +90,7 @@ func DevicesFromPath(g *generate.Generator, devicePath string) error {
 }
 st, err := os.Stat(resolvedDevicePath)
 if err != nil {
- return errors.Wrapf(err, "cannot stat device path %s", devicePath)
+ return err
 }
 if st.IsDir() {
 found := false
@@ -231,10 +231,7 @@ func addDevice(g *generate.Generator, device string) error {
 }
 if rootless.IsRootless() {
 if _, err := os.Stat(src); err != nil {
- if os.IsNotExist(err) {
- return errors.Wrapf(err, "the specified device %s doesn't exist", src)
- }
- return errors.Wrapf(err, "stat device %s exist", src)
+ return err
 }
 perm := "ro"
 if strings.Contains(permissions, "w") {
@@ -353,3 +350,8 @@ func deviceFromPath(path string) (*spec.LinuxDevice, error) {
 Minor: int64(unix.Minor(devNumber)),
 }, nil
 }
+
+func supportAmbientCapabilities() bool {
+ err := unix.Prctl(unix.PR_CAP_AMBIENT, unix.PR_CAP_AMBIENT_IS_SET, 0, 0, 0)
+ return err == nil
+}
diff --git a/pkg/specgen/generate/container_create.go b/pkg/specgen/generate/container_create.go
index f051537de..53dc35df1 100644
--- a/pkg/specgen/generate/container_create.go
+++ b/pkg/specgen/generate/container_create.go
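Review bot: `supportAmbientCapabilities` in the last config_linux.go hunk has no doc comment, and its name slightly oversells what the prctl answers: the call asks whether capability 0 is in the ambient set, the answer itself is discarded, and only the absence of an error is kept, so this is a kernel-support probe rather than an ambient-set check. Because the boolean decides whether `Ambient` is populated in security.go, that distinction belongs on the function. I would add `// supportAmbientCapabilities reports whether the running kernel accepts PR_CAP_AMBIENT (Linux 4.3+); the query result is ignored and only the prctl's success counts, so it also returns false when the prctl fails for any other reason.`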
@@ -223,6 +223,9 @@ func createContainerOptions(ctx context.Context, rt *libpod.Runtime, s *specgen.
 for _, overlayVolume := range s.OverlayVolumes {
 destinations = append(destinations, overlayVolume.Destination)
 }
+ for _, imageVolume := range s.ImageVolumes {
+ destinations = append(destinations, imageVolume.Destination)
+ }
 options = append(options, libpod.WithUserVolumes(destinations))
 
 if len(volumes) != 0 {
@@ -248,6 +251,18 @@ func createContainerOptions(ctx context.Context, rt *libpod.Runtime, s *specgen.
 options = append(options, libpod.WithOverlayVolumes(vols))
 }
 
+ if len(s.ImageVolumes) != 0 {
+ var vols []*libpod.ContainerImageVolume
+ for _, v := range s.ImageVolumes {
+ vols = append(vols, &libpod.ContainerImageVolume{
+ Dest: v.Destination,
+ Source: v.Source,
+ ReadWrite: v.ReadWrite,
+ })
+ }
+ options = append(options, libpod.WithImageVolumes(vols))
+ }
+
 if s.Command != nil {
 options = append(options, libpod.WithCommand(s.Command))
 }
diff --git a/pkg/specgen/generate/namespaces.go b/pkg/specgen/generate/namespaces.go
index 7e4f09dc4..ddc73ca61 100644
--- a/pkg/specgen/generate/namespaces.go
+++ b/pkg/specgen/generate/namespaces.go
@@ -127,6 +127,7 @@ func namespaceOptions(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.
 return nil, errNoInfra
 }
 toReturn = append(toReturn, libpod.WithIPCNSFrom(infraCtr))
+ toReturn = append(toReturn, libpod.WithShmDir(infraCtr.ShmDir()))
 case specgen.FromContainer:
 ipcCtr, err := rt.LookupContainer(s.IpcNS.Value)
 if err != nil {
@@ -278,7 +279,7 @@ func specConfigureNamespaces(s *specgen.SpecGenerator, g *generate.Generator, rt
 switch s.PidNS.NSMode {
 case specgen.Path:
 if _, err := os.Stat(s.PidNS.Value); err != nil {
- return errors.Wrapf(err, "cannot find specified PID namespace path %q", s.PidNS.Value)
+ return errors.Wrap(err, "cannot find specified PID namespace path")
 }
 if err := g.AddOrReplaceLinuxNamespace(string(spec.PIDNamespace), s.PidNS.Value); err != nil {
 return err
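Review bot: The new `vols` slice in the second container_create.go hunk is grown from nil by `append` although its final length is known up front; `vols := make([]*libpod.ContainerImageVolume, 0, len(s.ImageVolumes))` avoids the regrowth and matches the usual pre-sizing style. The `ReadWrite: v.ReadWrite` passthrough means a writable image volume is honoured at this layer, so the read-only wording in the `ImageVolume` doc comment in specgen.go needs to agree with it. `createContainerOptions` starts and ends outside the hunk.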
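Review bot: `WithShmDir(infraCtr.ShmDir())` is added only in the pod branch of the IPC switch in the first namespaces.go hunk; the `specgen.FromContainer` case that follows looks up `ipcCtr`, but its remaining lines are outside the hunk, so I cannot see whether it sets the shm dir of the joined container the same way. If it does not, a container joining another container's IPC namespace would presumably keep its own /dev/shm while sharing the namespace, which appears to be the mismatch this line fixes for pods; a matching `toReturn = append(toReturn, libpod.WithShmDir(ipcCtr.ShmDir()))` there, or a comment explaining why pods are treated differently, would settle it. `namespaceOptions` starts and ends outside the hunk.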
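Review bot: The rewrapped message in the PID namespace hunk (and in the IPC, UTS, user, cgroup and network hunks that follow) still says "cannot find" for any `os.Stat` failure, including a permission error on the path, which is misleading now that the wrapped `*os.PathError` supplies both the path and the errno; a neutral prefix such as `errors.Wrap(err, "cannot stat specified PID namespace path")` describes EACCES as accurately as ENOENT. Dropping the `%q` argument itself is fine, since the path still appears once via the wrapped error. `specConfigureNamespaces` starts and ends outside these hunks.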
@@ -297,7 +298,7 @@ func specConfigureNamespaces(s *specgen.SpecGenerator, g *generate.Generator, rt
 switch s.IpcNS.NSMode {
 case specgen.Path:
 if _, err := os.Stat(s.IpcNS.Value); err != nil {
- return errors.Wrapf(err, "cannot find specified IPC namespace path %q", s.IpcNS.Value)
+ return errors.Wrap(err, "cannot find specified IPC namespace path")
 }
 if err := g.AddOrReplaceLinuxNamespace(string(spec.IPCNamespace), s.IpcNS.Value); err != nil {
 return err
@@ -316,7 +317,7 @@ func specConfigureNamespaces(s *specgen.SpecGenerator, g *generate.Generator, rt
 switch s.UtsNS.NSMode {
 case specgen.Path:
 if _, err := os.Stat(s.UtsNS.Value); err != nil {
- return errors.Wrapf(err, "cannot find specified UTS namespace path %q", s.UtsNS.Value)
+ return errors.Wrap(err, "cannot find specified UTS namespace path")
 }
 if err := g.AddOrReplaceLinuxNamespace(string(spec.UTSNamespace), s.UtsNS.Value); err != nil {
 return err
@@ -367,7 +368,7 @@ func specConfigureNamespaces(s *specgen.SpecGenerator, g *generate.Generator, rt
 switch s.UserNS.NSMode {
 case specgen.Path:
 if _, err := os.Stat(s.UserNS.Value); err != nil {
- return errors.Wrapf(err, "cannot find specified user namespace path %s", s.UserNS.Value)
+ return errors.Wrap(err, "cannot find specified user namespace path")
 }
 if err := g.AddOrReplaceLinuxNamespace(string(spec.UserNamespace), s.UserNS.Value); err != nil {
 return err
@@ -410,7 +411,7 @@ func specConfigureNamespaces(s *specgen.SpecGenerator, g *generate.Generator, rt
 switch s.CgroupNS.NSMode {
 case specgen.Path:
 if _, err := os.Stat(s.CgroupNS.Value); err != nil {
- return errors.Wrapf(err, "cannot find specified cgroup namespace path %s", s.CgroupNS.Value)
+ return errors.Wrap(err, "cannot find specified cgroup namespace path")
 }
 if err := g.AddOrReplaceLinuxNamespace(string(spec.CgroupNamespace), s.CgroupNS.Value); err != nil {
 return err
@@ -429,7 +430,7 @@ func specConfigureNamespaces(s *specgen.SpecGenerator, g *generate.Generator, rt
 switch s.NetNS.NSMode {
 case specgen.Path:
 if _, err := os.Stat(s.NetNS.Value); err != nil {
- return errors.Wrapf(err, "cannot find specified network namespace path %s", s.NetNS.Value)
+ return errors.Wrap(err, "cannot find specified network namespace path")
 }
 if err := g.AddOrReplaceLinuxNamespace(string(spec.NetworkNamespace), s.NetNS.Value); err != nil {
 return err
diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go
index d17cd4a9a..dee140282 100644
--- a/pkg/specgen/generate/security.go
+++ b/pkg/specgen/generate/security.go
@@ -135,7 +135,9 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
 configSpec.Process.Capabilities.Bounding = caplist
 configSpec.Process.Capabilities.Inheritable = caplist
 
- if s.User == "" || s.User == "root" || s.User == "0" {
+ user := strings.Split(s.User, ":")[0]
+
+ if (user == "" && s.UserNS.NSMode != specgen.KeepID) || user == "root" || user == "0" {
 configSpec.Process.Capabilities.Effective = caplist
 configSpec.Process.Capabilities.Permitted = caplist
 } else {
@@ -145,6 +147,12 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
 }
 configSpec.Process.Capabilities.Effective = userCaps
 configSpec.Process.Capabilities.Permitted = userCaps
+
+ // Ambient capabilities were added to Linux 4.3. Set ambient
+ // capabilities only when the kernel supports them.
+ if supportAmbientCapabilities() {
+ configSpec.Process.Capabilities.Ambient = userCaps
+ }
 }
 
 g.SetProcessNoNewPrivileges(s.NoNewPrivileges)
diff --git a/pkg/specgen/generate/validate.go b/pkg/specgen/generate/validate.go
index ed337321b..f0ab4b994 100644
--- a/pkg/specgen/generate/validate.go
+++ b/pkg/specgen/generate/validate.go
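Review bot: The new `s.UserNS.NSMode != specgen.KeepID` clause in the first security.go hunk changes which branch an unspecified user takes, and nothing in the hunk says why; a reader has to know that with keep-id the process runs as the host user mapped into the container rather than as root, so it must fall into the restricted-capability branch. I would put that above the `if`: `// With --userns=keep-id an unspecified user is the mapped host user, not root, so it gets the reduced capability set below.` The same comment should note that only the literal strings "root" and "0" are treated as root, so a name that the image maps to UID 0, or a spelling such as "00", lands in the restricted branch — that fails closed, but it is a deliberate choice worth recording. `securityConfigureGenerator` starts and ends outside the hunk.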
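Review bot: The comment in the second security.go hunk explains the kernel-version gate but not the security effect of `Ambient = userCaps`: ambient capabilities survive execve, so every program the non-root container user runs keeps userCaps, which is what makes added capabilities usable without root in the container but also means the set is carried into every child process. The kernel also only raises an ambient capability that is both permitted and inheritable; userCaps is assigned to Permitted here and Inheritable is caplist from the previous hunk, so this relies on userCaps being a subset of caplist, which is computed outside the hunk and worth confirming. I would extend the comment with `// Ambient caps persist across execve, so the non-root user keeps userCaps in every child; the kernel requires them to also be in Permitted and Inheritable (userCaps must be a subset of caplist).` The enclosing else branch and the function continue outside the hunk.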
@@ -1,22 +1,20 @@
 package generate
 
 import (
+ "os"
+ "path/filepath"
+
 "github.com/containers/common/pkg/sysinfo"
 "github.com/containers/podman/v2/pkg/cgroups"
 "github.com/containers/podman/v2/pkg/specgen"
+ "github.com/containers/podman/v2/utils"
 "github.com/pkg/errors"
 )
 
-// Verify resource limits are sanely set, removing any limits that are not
-// possible with the current cgroups config.
-func verifyContainerResources(s *specgen.SpecGenerator) ([]string, error) {
+// Verify resource limits are sanely set when running on cgroup v1.
+func verifyContainerResourcesCgroupV1(s *specgen.SpecGenerator) ([]string, error) {
 warnings := []string{}
 
- cgroup2, err := cgroups.IsCgroup2UnifiedMode()
- if err != nil || cgroup2 {
- return warnings, err
- }
-
 sysInfo := sysinfo.New(true)
 
 if s.ResourceLimits == nil {
@@ -24,9 +22,7 @@ func verifyContainerResources(s *specgen.SpecGenerator) ([]string, error) {
 }
 
 if s.ResourceLimits.Unified != nil {
- if !cgroup2 {
- return nil, errors.New("Cannot use --cgroup-conf without cgroup v2")
- }
+ return nil, errors.New("Cannot use --cgroup-conf without cgroup v2")
 }
 
 // Memory checks
@@ -38,7 +34,7 @@ func verifyContainerResources(s *specgen.SpecGenerator) ([]string, error) {
 memory.Swap = nil
 }
 if memory.Limit != nil && memory.Swap != nil && !sysInfo.SwapLimit {
- warnings = append(warnings, "Your kernel does not support swap limit capabilities,or the cgroup is not mounted. Memory limited without swap.")
+ warnings = append(warnings, "Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.")
 memory.Swap = nil
 }
 if memory.Limit != nil && memory.Swap != nil && *memory.Swap < *memory.Limit {
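Review bot: `verifyContainerResourcesCgroupV1` in the first validate.go hunk no longer checks the cgroup mode itself, and the `Unified != nil` branch in the second hunk now errors unconditionally, so the function is only correct when its caller has already established cgroup v1; the one-line doc comment should state that precondition. Suggested: `// Verify resource limits are sanely set when running on cgroup v1. Callers must already have checked cgroups.IsCgroup2UnifiedMode(); use verifyContainerResources rather than calling this directly.` The function body continues past the last hunk.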
@@ -163,3 +159,48 @@ func verifyContainerResources(s *specgen.SpecGenerator) ([]string, error) {
 
 return warnings, nil
 }
+
+// Verify resource limits are sanely set when running on cgroup v2.
+func verifyContainerResourcesCgroupV2(s *specgen.SpecGenerator) ([]string, error) {
+ warnings := []string{}
+
+ if s.ResourceLimits == nil {
+ return warnings, nil
+ }
+
+ if s.ResourceLimits.Memory != nil && s.ResourceLimits.Memory.Swap != nil {
+ own, err := utils.GetOwnCgroup()
+ if err != nil {
+ return warnings, err
+ }
+ memoryMax := filepath.Join("/sys/fs/cgroup", own, "memory.max")
+ memorySwapMax := filepath.Join("/sys/fs/cgroup", own, "memory.swap.max")
+ _, errMemoryMax := os.Stat(memoryMax)
+ _, errMemorySwapMax := os.Stat(memorySwapMax)
+ // Differently than cgroup v1, the memory.*max files are not present in the
+ // root directory, so we cannot query directly that, so as best effort use
+ // the current cgroup.
+ // Check whether memory.max exists in the current cgroup and memory.swap.max
+ // does not. In this case we can be sure memory swap is not enabled.
+ // If both files don't exist, the memory controller might not be enabled
+ // for the current cgroup.
+ if errMemoryMax == nil && errMemorySwapMax != nil {
+ warnings = append(warnings, "Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.")
+ s.ResourceLimits.Memory.Swap = nil
+ }
+ }
+ return warnings, nil
+}
+
+// Verify resource limits are sanely set, removing any limits that are not
+// possible with the current cgroups config.
+func verifyContainerResources(s *specgen.SpecGenerator) ([]string, error) {
+ cgroup2, err := cgroups.IsCgroup2UnifiedMode()
+ if err != nil {
+ return []string{}, err
+ }
+ if cgroup2 {
+ return verifyContainerResourcesCgroupV2(s)
+ }
+ return verifyContainerResourcesCgroupV1(s)
+}
diff --git a/pkg/specgen/specgen.go b/pkg/specgen/specgen.go
index fa4af7b2b..d68f55402 100644
--- a/pkg/specgen/specgen.go
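Review bot: In `verifyContainerResourcesCgroupV2`, `errMemorySwapMax != nil` treats any stat failure on memory.swap.max as "swap not supported", so a permission error on the current cgroup silently discards the user's swap limit with only a warning; the reasoning in the comment above it holds only for absence, so the guard should be `if errMemoryMax == nil && os.IsNotExist(errMemorySwapMax) {`. Separately, the other memory checks of the v1 path (the `*memory.Swap < *memory.Limit` comparison visible as context in the previous hunk, and whatever follows it outside view) are not applied on cgroup v2, so an inconsistent swap/limit pair presumably reaches the runtime unchecked there; if that is intended, a sentence in the v2 function's doc comment should say so.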
+++ b/pkg/specgen/specgen.go
@@ -214,6 +214,9 @@ type ContainerStorageConfig struct {
 // Overlay volumes are named volumes that will be added to the container.
 // Optional.
 OverlayVolumes []*OverlayVolume `json:"overlay_volumes,omitempty"`
+ // Image volumes bind-mount a container-image mount into the container.
+ // Optional.
+ ImageVolumes []*ImageVolume `json:"image_volumes,omitempty"`
 // Devices are devices that will be added to the container.
 // Optional.
 Devices []spec.LinuxDevice `json:"devices,omitempty"`
@@ -476,6 +479,19 @@ type OverlayVolume struct {
 Source string `json:"source,omitempty"`
 }
 
+// ImageVolume is a volume based on a container image. The container image is
+// first mounted on the host and is then bind-mounted into the container. An
+// ImageVolume is always mounted read only.
+type ImageVolume struct {
+ // Source is the source of the image volume. The image can be referred
+ // to by name and by ID.
+ Source string
+ // Destination is the absolute path of the mount in the container.
+ Destination string
+ // ReadWrite sets the volume writable.
+ ReadWrite bool
+}
+
 // PortMapping is one or more ports that will be mapped into the container.
 type PortMapping struct {
 // HostIP is the IP that we will bind to on the host.
|
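Review bot: The `ImageVolume` doc comment in the second specgen.go hunk says an image volume "is always mounted read only", yet the struct carries `ReadWrite bool` described as "sets the volume writable" and container_create.go passes that flag through, so one of the two statements is wrong; the comment should read `// An ImageVolume is mounted read only unless ReadWrite is set.` The three fields also lack the json tags every neighbouring type has (compare the tagged `Source` on `OverlayVolume` just above), so over the API they would serialize as `Source`/`Destination`/`ReadWrite` while the containing field is `image_volumes`; tagging them `json:"source"`, `json:"destination"` and `json:"read_write,omitempty"` keeps the wire format consistent. `ContainerStorageConfig` in the first hunk continues outside it.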