6 files changed, 103 insertions, 6 deletions
diff --git a/pkg/specgen/generate/config_linux.go b/pkg/specgen/generate/config_linux.go
index 1d5dcd8e7..fac02ad01 100644
--- a/pkg/specgen/generate/config_linux.go
+++ b/pkg/specgen/generate/config_linux.go
@@ -248,6 +248,13 @@ func addDevice(g *generate.Generator, device string) error {
 		}
 		g.Config.Mounts = append(g.Config.Mounts, devMnt)
 		return nil
+	} else if src == "/dev/fuse" {
+		// if the user is asking for fuse inside the container
+		// make sure the module is loaded.
+		f, err := unix.Open(src, unix.O_RDONLY|unix.O_NONBLOCK, 0)
+		if err == nil {
+			unix.Close(f)
+		}
 	}
 	dev.Path = dst
 	g.AddDevice(*dev)
diff --git a/pkg/specgen/generate/container.go b/pkg/specgen/generate/container.go
index 147ebd61b..2ee8f2441 100644
--- a/pkg/specgen/generate/container.go
+++ b/pkg/specgen/generate/container.go
@@ -13,6 +13,7 @@ import (
 	"github.com/containers/podman/v2/pkg/specgen"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
 )
 
@@ -33,7 +34,43 @@ func CompleteSpec(ctx context.Context, r *libpod.Runtime, s *specgen.SpecGenerat
 
 		_, mediaType, err := newImage.Manifest(ctx)
 		if err != nil {
-			return nil, err
+			if errors.Cause(err) != image.ErrImageIsBareList {
+				return nil, err
+			}
+			// if err is not runnable image
+			// use the local store image with repo@digest matches with the list, if exists
+			manifestByte, manifestType, err := newImage.GetManifest(ctx, nil)
+			if err != nil {
+				return nil, err
+			}
+			list, err := manifest.ListFromBlob(manifestByte, manifestType)
+			if err != nil {
+				return nil, err
+			}
+			images, err := r.ImageRuntime().GetImages()
+			if err != nil {
+				return nil, err
+			}
+			findLocal := false
+			listDigest, err := list.ChooseInstance(r.SystemContext())
+			if err != nil {
+				return nil, err
+			}
+			for _, img := range images {
+				for _, imageDigest := range img.Digests() {
+					if imageDigest == listDigest {
+						newImage = img
+						s.Image = img.ID()
+						mediaType = manifestType
+						findLocal = true
+						logrus.Debug("image contains manifest list, using image from local storage")
+						break
+					}
+				}
+			}
+			if !findLocal {
+				return nil, image.ErrImageIsBareList
+			}
 		}
 
 		if s.HealthConfig == nil && mediaType == manifest.DockerV2Schema2MediaType {
@@ -75,8 +112,8 @@ func CompleteSpec(ctx context.Context, r *libpod.Runtime, s *specgen.SpecGenerat
 	if err != nil {
 		return nil, errors.Wrap(err, "error parsing fields in containers.conf")
 	}
-	if defaultEnvs["containers"] == "" {
-		defaultEnvs["containers"] = "podman"
+	if defaultEnvs["container"] == "" {
+		defaultEnvs["container"] = "podman"
 	}
 	var envs map[string]string
 
diff --git a/pkg/specgen/generate/pod_create.go b/pkg/specgen/generate/pod_create.go
index 101201252..43caf0fe9 100644
--- a/pkg/specgen/generate/pod_create.go
+++ b/pkg/specgen/generate/pod_create.go
@@ -99,6 +99,9 @@ func createPodOptions(p *specgen.PodSpecGenerator, rt *libpod.Runtime) ([]libpod
 	case specgen.Host:
 		logrus.Debugf("Pod will use host networking")
 		options = append(options, libpod.WithPodHostNetwork())
+	case specgen.Slirp:
+		logrus.Debugf("Pod will use slirp4netns")
+		options = append(options, libpod.WithPodSlirp4netns(p.NetworkOptions))
 	default:
 		return nil, errors.Errorf("pods presently do not support network mode %s", p.NetNS.NSMode)
 	}
diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go
index 87e8029a7..d17cd4a9a 100644
--- a/pkg/specgen/generate/security.go
+++ b/pkg/specgen/generate/security.go
@@ -7,6 +7,7 @@ import (
 	"github.com/containers/common/pkg/capabilities"
 	"github.com/containers/common/pkg/config"
 	"github.com/containers/podman/v2/libpod"
+	"github.com/containers/podman/v2/libpod/define"
 	"github.com/containers/podman/v2/libpod/image"
 	"github.com/containers/podman/v2/pkg/specgen"
 	"github.com/containers/podman/v2/pkg/util"
@@ -130,12 +131,13 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
 	}
 
 	configSpec := g.Config
+	configSpec.Process.Capabilities.Ambient = []string{}
 	configSpec.Process.Capabilities.Bounding = caplist
+	configSpec.Process.Capabilities.Inheritable = caplist
 
 	if s.User == "" || s.User == "root" || s.User == "0" {
 		configSpec.Process.Capabilities.Effective = caplist
 		configSpec.Process.Capabilities.Permitted = caplist
-		configSpec.Process.Capabilities.Inheritable = caplist
 	} else {
 		userCaps, err := capabilities.NormalizeCapabilities(s.CapAdd)
 		if err != nil {
@@ -167,7 +169,52 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
 	}
 
 	g.SetRootReadonly(s.ReadOnlyFilesystem)
+
+	// Add default sysctls
+	defaultSysctls, err := util.ValidateSysctls(rtc.Sysctls())
+	if err != nil {
+		return err
+	}
+	for sysctlKey, sysctlVal := range defaultSysctls {
+
+		// Ignore mqueue sysctls if --ipc=host
+		if s.IpcNS.IsHost() && strings.HasPrefix(sysctlKey, "fs.mqueue.") {
+			logrus.Infof("Sysctl %s=%s ignored in containers.conf, since IPC Namespace set to host", sysctlKey, sysctlVal)
+
+			continue
+		}
+
+		// Ignore net sysctls if --net=host
+		if s.NetNS.IsHost() && strings.HasPrefix(sysctlKey, "net.") {
+			logrus.Infof("Sysctl %s=%s ignored in containers.conf, since Network Namespace set to host", sysctlKey, sysctlVal)
+			continue
+		}
+
+		// Ignore uts sysctls if --uts=host
+		if s.UtsNS.IsHost() && (strings.HasPrefix(sysctlKey, "kernel.domainname") || strings.HasPrefix(sysctlKey, "kernel.hostname")) {
+			logrus.Infof("Sysctl %s=%s ignored in containers.conf, since UTS Namespace set to host", sysctlKey, sysctlVal)
+			continue
+		}
+
+		g.AddLinuxSysctl(sysctlKey, sysctlVal)
+	}
+
 	for sysctlKey, sysctlVal := range s.Sysctl {
+
+		if s.IpcNS.IsHost() && strings.HasPrefix(sysctlKey, "fs.mqueue.") {
+			return errors.Wrapf(define.ErrInvalidArg, "sysctl %s=%s can't be set since IPC Namespace set to host", sysctlKey, sysctlVal)
+		}
+
+		// Ignore net sysctls if --net=host
+		if s.NetNS.IsHost() && strings.HasPrefix(sysctlKey, "net.") {
+			return errors.Wrapf(define.ErrInvalidArg, "sysctl %s=%s can't be set since Host Namespace set to host", sysctlKey, sysctlVal)
+		}
+
+		// Ignore uts sysctls if --uts=host
+		if s.UtsNS.IsHost() && (strings.HasPrefix(sysctlKey, "kernel.domainname") || strings.HasPrefix(sysctlKey, "kernel.hostname")) {
+			return errors.Wrapf(define.ErrInvalidArg, "sysctl %s=%s can't be set since UTS Namespace set to host", sysctlKey, sysctlVal)
+		}
+
 		g.AddLinuxSysctl(sysctlKey, sysctlVal)
 	}
 
diff --git a/pkg/specgen/pod_validate.go b/pkg/specgen/pod_validate.go
index 907c0bb69..a6c61a203 100644
--- a/pkg/specgen/pod_validate.go
+++ b/pkg/specgen/pod_validate.go
@@ -72,9 +72,9 @@ func (p *PodSpecGenerator) Validate() error {
 			return exclusivePodOptions("NoInfra", "NoManageResolvConf")
 		}
 	}
-	if p.NetNS.NSMode != "" && p.NetNS.NSMode != Bridge && p.NetNS.NSMode != Default {
+	if p.NetNS.NSMode != "" && p.NetNS.NSMode != Bridge && p.NetNS.NSMode != Slirp && p.NetNS.NSMode != Default {
 		if len(p.PortMappings) > 0 {
-			return errors.New("PortMappings can only be used with Bridge mode networking")
+			return errors.New("PortMappings can only be used with Bridge or slirp4netns networking")
 		}
 		if len(p.CNINetworks) > 0 {
 			return errors.New("CNINetworks can only be used with Bridge mode networking")
diff --git a/pkg/specgen/podspecgen.go b/pkg/specgen/podspecgen.go
index 3c32ec365..7d771f5bb 100644
--- a/pkg/specgen/podspecgen.go
+++ b/pkg/specgen/podspecgen.go
@@ -134,6 +134,9 @@ type PodNetworkConfig struct {
 	// Conflicts with NoInfra=true and NoManageHosts.
 	// Optional.
 	HostAdd []string `json:"hostadd,omitempty"`
+	// NetworkOptions are additional options for each network
+	// Optional.
+	NetworkOptions map[string][]string `json:"network_options,omitempty"`
 }
 
 // PodCgroupConfig contains configuration options about a pod's cgroups.