10 files changed, 206 insertions, 66 deletions
diff --git a/pkg/adapter/containers.go b/pkg/adapter/containers.go
index 41607145d..47db5c0dc 100644
--- a/pkg/adapter/containers.go
+++ b/pkg/adapter/containers.go
@@ -341,12 +341,7 @@ func (r *LocalRuntime) Run(ctx context.Context, c *cliconfig.RunValues, exitCode
 		// if the container was created as part of a pod, also start its dependencies, if any.
 		if err := ctr.Start(ctx, c.IsSet("pod")); err != nil {
 			// This means the command did not exist
-			exitCode = 127
-			e := strings.ToLower(err.Error())
-			if strings.Contains(e, "permission denied") || strings.Contains(e, "operation not permitted") || strings.Contains(e, "file not found") || strings.Contains(e, "no such file or directory") {
-				exitCode = 126
-			}
-			return exitCode, err
+			return define.ExitCode(err), err
 		}
 
 		fmt.Printf("%s\n", ctr.ID())
@@ -401,21 +396,14 @@ func (r *LocalRuntime) Run(ctx context.Context, c *cliconfig.RunValues, exitCode
 		// Do not perform cleanup, or wait for container exit code
 		// Just exit immediately
 		if errors.Cause(err) == define.ErrDetach {
-			exitCode = 0
-			return exitCode, nil
-		}
-		// This means the command did not exist
-		exitCode = 127
-		e := strings.ToLower(err.Error())
-		if strings.Contains(e, "permission denied") || strings.Contains(e, "operation not permitted") {
-			exitCode = 126
+			return 0, nil
 		}
 		if c.IsSet("rm") {
 			if deleteError := r.Runtime.RemoveContainer(ctx, ctr, true, false); deleteError != nil {
 				logrus.Debugf("unable to remove container %s after failing to start and attach to it", ctr.ID())
 			}
 		}
-		return exitCode, err
+		return define.ExitCode(err), err
 	}
 
 	if ecode, err := ctr.Wait(); err != nil {
@@ -424,7 +412,7 @@ func (r *LocalRuntime) Run(ctx context.Context, c *cliconfig.RunValues, exitCode
 			event, err := r.Runtime.GetLastContainerEvent(ctr.ID(), events.Exited)
 			if err != nil {
 				logrus.Errorf("Cannot get exit code: %v", err)
-				exitCode = 127
+				exitCode = define.ExecErrorCodeNotFound
 			} else {
 				exitCode = event.ContainerExitCode
 			}
@@ -576,7 +564,7 @@ func (r *LocalRuntime) Restore(ctx context.Context, c *cliconfig.RestoreValues)
 // Start will start a container
 func (r *LocalRuntime) Start(ctx context.Context, c *cliconfig.StartValues, sigProxy bool) (int, error) {
 	var (
-		exitCode  = 125
+		exitCode  = define.ExecErrorCodeGeneric
 		lastError error
 	)
 
@@ -636,7 +624,7 @@ func (r *LocalRuntime) Start(ctx context.Context, c *cliconfig.StartValues, sigP
 					event, err := r.Runtime.GetLastContainerEvent(ctr.ID(), events.Exited)
 					if err != nil {
 						logrus.Errorf("Cannot get exit code: %v", err)
-						exitCode = 127
+						exitCode = define.ExecErrorCodeNotFound
 					} else {
 						exitCode = event.ContainerExitCode
 					}
@@ -914,7 +902,7 @@ func (r *LocalRuntime) ExecContainer(ctx context.Context, cli *cliconfig.ExecVal
 		cmd []string
 	)
 	// default invalid command exit code
-	ec := 125
+	ec := define.ExecErrorCodeGeneric
 
 	if cli.Latest {
 		if ctr, err = r.GetLatestContainer(); err != nil {
diff --git a/pkg/adapter/containers_remote.go b/pkg/adapter/containers_remote.go
index 590fef43f..01e008e87 100644
--- a/pkg/adapter/containers_remote.go
+++ b/pkg/adapter/containers_remote.go
@@ -464,19 +464,22 @@ func (r *LocalRuntime) Run(ctx context.Context, c *cliconfig.RunValues, exitCode
 	results := shared.NewIntermediateLayer(&c.PodmanCommand, true)
 	cid, err := iopodman.CreateContainer().Call(r.Conn, results.MakeVarlink())
 	if err != nil {
-		return 0, err
+		return exitCode, err
 	}
 	if c.Bool("detach") {
-		_, err := iopodman.StartContainer().Call(r.Conn, cid)
+		if _, err := iopodman.StartContainer().Call(r.Conn, cid); err != nil {
+			return exitCode, err
+		}
 		fmt.Println(cid)
-		return 0, err
+		return 0, nil
 	}
-	errChan, err := r.attach(ctx, os.Stdin, os.Stdout, cid, true, c.String("detach-keys"))
+	exitChan, errChan, err := r.attach(ctx, os.Stdin, os.Stdout, cid, true, c.String("detach-keys"))
 	if err != nil {
-		return 0, err
+		return exitCode, err
 	}
+	exitCode = <-exitChan
 	finalError := <-errChan
-	return 0, finalError
+	return exitCode, finalError
 }
 
 func ReadExitFile(runtimeTmp, ctrID string) (int, error) {
@@ -572,7 +575,7 @@ func (r *LocalRuntime) Attach(ctx context.Context, c *cliconfig.AttachValues) er
 			return err
 		}
 	}
-	errChan, err := r.attach(ctx, inputStream, os.Stdout, c.InputArgs[0], false, c.DetachKeys)
+	_, errChan, err := r.attach(ctx, inputStream, os.Stdout, c.InputArgs[0], false, c.DetachKeys)
 	if err != nil {
 		return err
 	}
@@ -669,7 +672,7 @@ func (r *LocalRuntime) Restore(ctx context.Context, c *cliconfig.RestoreValues)
 func (r *LocalRuntime) Start(ctx context.Context, c *cliconfig.StartValues, sigProxy bool) (int, error) {
 	var (
 		finalErr error
-		exitCode = 125
+		exitCode = define.ExecErrorCodeGeneric
 	)
 	// TODO Figure out how to deal with exit codes
 	inputStream := os.Stdin
@@ -686,12 +689,13 @@ func (r *LocalRuntime) Start(ctx context.Context, c *cliconfig.StartValues, sigP
 	}
 	// start.go makes sure that if attach, there can be only one ctr
 	if c.Attach {
-		errChan, err := r.attach(ctx, inputStream, os.Stdout, containerIDs[0], true, c.DetachKeys)
+		exitChan, errChan, err := r.attach(ctx, inputStream, os.Stdout, containerIDs[0], true, c.DetachKeys)
 		if err != nil {
 			return exitCode, nil
 		}
+		exitCode := <-exitChan
 		err = <-errChan
-		return 0, err
+		return exitCode, err
 	}
 
 	// TODO the notion of starting a pod container and its deps still needs to be worked through
@@ -710,13 +714,13 @@ func (r *LocalRuntime) Start(ctx context.Context, c *cliconfig.StartValues, sigP
 	return exitCode, finalErr
 }
 
-func (r *LocalRuntime) attach(ctx context.Context, stdin, stdout *os.File, cid string, start bool, detachKeys string) (chan error, error) {
+func (r *LocalRuntime) attach(ctx context.Context, stdin, stdout *os.File, cid string, start bool, detachKeys string) (chan int, chan error, error) {
 	var (
 		oldTermState *term.State
 	)
 	spec, err := r.Spec(cid)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 	resize := make(chan remotecommand.TerminalSize, 5)
 	haveTerminal := terminal.IsTerminal(int(os.Stdin.Fd()))
@@ -726,7 +730,7 @@ func (r *LocalRuntime) attach(ctx context.Context, stdin, stdout *os.File, cid s
 	if haveTerminal && spec.Process.Terminal {
 		cancel, oldTermState, err := handleTerminalAttach(ctx, resize)
 		if err != nil {
-			return nil, err
+			return nil, nil, err
 		}
 		defer cancel()
 		defer restoreTerminal(oldTermState)
@@ -738,7 +742,7 @@ func (r *LocalRuntime) attach(ctx context.Context, stdin, stdout *os.File, cid s
 	reply, err := iopodman.Attach().Send(r.Conn, varlink.Upgrade, cid, detachKeys, start)
 	if err != nil {
 		restoreTerminal(oldTermState)
-		return nil, err
+		return nil, nil, err
 	}
 
 	// See if the server accepts the upgraded connection or returns an error
@@ -746,11 +750,12 @@ func (r *LocalRuntime) attach(ctx context.Context, stdin, stdout *os.File, cid s
 
 	if err != nil {
 		restoreTerminal(oldTermState)
-		return nil, err
+		return nil, nil, err
 	}
 
-	errChan := configureVarlinkAttachStdio(r.Conn.Reader, r.Conn.Writer, stdin, stdout, oldTermState, resize, nil)
-	return errChan, nil
+	ecChan := make(chan int, 1)
+	errChan := configureVarlinkAttachStdio(r.Conn.Reader, r.Conn.Writer, stdin, stdout, oldTermState, resize, ecChan)
+	return ecChan, errChan, nil
 }
 
 // PauseContainers pauses container(s) based on CLI inputs.
diff --git a/pkg/adapter/network.go b/pkg/adapter/network.go
index e4a160767..d407984ce 100644
--- a/pkg/adapter/network.go
+++ b/pkg/adapter/network.go
@@ -3,9 +3,9 @@
 package adapter
 
 import (
+	"context"
 	"encoding/json"
 	"fmt"
-	"github.com/containers/libpod/pkg/util"
 	"io/ioutil"
 	"os"
 	"path/filepath"
@@ -14,6 +14,7 @@ import (
 	cniversion "github.com/containernetworking/cni/pkg/version"
 	"github.com/containers/libpod/cmd/podman/cliconfig"
 	"github.com/containers/libpod/pkg/network"
+	"github.com/containers/libpod/pkg/util"
 	"github.com/pkg/errors"
 )
 
@@ -85,16 +86,69 @@ func (r *LocalRuntime) NetworkInspect(cli *cliconfig.NetworkInspectValues) error
 }
 
 // NetworkRemove deletes one or more CNI networks
-func (r *LocalRuntime) NetworkRemove(cli *cliconfig.NetworkRmValues) error {
+func (r *LocalRuntime) NetworkRemove(ctx context.Context, cli *cliconfig.NetworkRmValues) ([]string, map[string]error, error) {
+	var (
+		networkRmSuccesses []string
+		lastError          error
+	)
+	networkRmErrors := make(map[string]error)
+
 	for _, name := range cli.InputArgs {
-		cniPath, err := network.GetCNIConfigPathByName(name)
+		containers, err := r.GetAllContainers()
 		if err != nil {
-			return err
+			return networkRmSuccesses, networkRmErrors, err
 		}
-		if err := os.Remove(cniPath); err != nil {
-			return err
+		if err := r.removeNetwork(ctx, name, containers, cli.Force); err != nil {
+			if lastError != nil {
+				networkRmErrors[name] = lastError
+			}
+			lastError = err
+		} else {
+			networkRmSuccesses = append(networkRmSuccesses, fmt.Sprintf("Deleted: %s\n", name))
+		}
+	}
+	return networkRmSuccesses, networkRmErrors, lastError
+}
+
+// removeNetwork removes a single network and its containers given a force bool
+func (r *LocalRuntime) removeNetwork(ctx context.Context, name string, containers []*Container, force bool) error {
+	cniPath, err := network.GetCNIConfigPathByName(name)
+	if err != nil {
+		return err
+	}
+	// We need to iterate containers looking to see if they belong to the given network
+	for _, c := range containers {
+		if util.StringInSlice(name, c.Config().Networks) {
+			// if user passes force, we nuke containers
+			if force {
+				if err := r.RemoveContainer(ctx, c.Container, true, true); err != nil {
+					return err
+				}
+			} else {
+				// Without the the force option, we return an error
+				return errors.Errorf("%q has associated containers with it. use -f to forcibly delete containers", name)
+			}
+
 		}
-		fmt.Printf("Deleted: %s\n", name)
+	}
+	// Before we delete the configuration file, we need to make sure we can read and parse
+	// it to get the network interface name so we can remove that too
+	interfaceName, err := network.GetInterfaceNameFromConfig(cniPath)
+	if err != nil {
+		return errors.Wrapf(err, "failed to find network interface name in %q", cniPath)
+	}
+	liveNetworkNames, err := network.GetLiveNetworkNames()
+	if err != nil {
+		return errors.Wrapf(err, "failed to get live network names")
+	}
+	if util.StringInSlice(interfaceName, liveNetworkNames) {
+		if err := network.RemoveInterface(interfaceName); err != nil {
+			return errors.Wrapf(err, "failed to delete the network interface %q", interfaceName)
+		}
+	}
+	// Remove the configuration file
+	if err := os.Remove(cniPath); err != nil {
+		return errors.Wrapf(err, "failed to remove network configuration file %q", cniPath)
 	}
 	return nil
 }
diff --git a/pkg/network/devices.go b/pkg/network/devices.go
index 26101b6f7..85068a7d1 100644
--- a/pkg/network/devices.go
+++ b/pkg/network/devices.go
@@ -2,8 +2,10 @@ package network
 
 import (
 	"fmt"
-	"github.com/containers/libpod/pkg/util"
+	"os/exec"
 
+	"github.com/containers/libpod/pkg/util"
+	"github.com/containers/libpod/utils"
 	"github.com/sirupsen/logrus"
 )
 
@@ -39,3 +41,15 @@ func GetFreeDeviceName() (string, error) {
 	}
 	return deviceName, nil
 }
+
+// RemoveInterface removes an interface by the given name
+func RemoveInterface(interfaceName string) error {
+	// Make sure we have the ip command on the system
+	ipPath, err := exec.LookPath("ip")
+	if err != nil {
+		return err
+	}
+	// Delete the network interface
+	_, err = utils.ExecCmd(ipPath, []string{"link", "del", interfaceName}...)
+	return err
+}
diff --git a/pkg/network/files.go b/pkg/network/files.go
index 80fde5e17..d55ec2dfd 100644
--- a/pkg/network/files.go
+++ b/pkg/network/files.go
@@ -86,6 +86,7 @@ func GetNetworksFromFilesystem() ([]*allocator.Net, error) {
 					return nil, err
 				}
 				cniNetworks = append(cniNetworks, &ipamConf)
+				break
 			}
 		}
 	}
@@ -105,3 +106,26 @@ func GetNetworkNamesFromFileSystem() ([]string, error) {
 	}
 	return networkNames, nil
 }
+
+// GetInterfaceNameFromConfig returns the interface name for the bridge plugin
+func GetInterfaceNameFromConfig(path string) (string, error) {
+	var name string
+	conf, err := libcni.ConfListFromFile(path)
+	if err != nil {
+		return "", err
+	}
+	for _, cniplugin := range conf.Plugins {
+		if cniplugin.Network.Type == "bridge" {
+			plugin := make(map[string]interface{})
+			if err := json.Unmarshal(cniplugin.Bytes, &plugin); err != nil {
+				return "", err
+			}
+			name = plugin["bridge"].(string)
+			break
+		}
+	}
+	if len(name) == 0 {
+		return "", errors.New("unable to find interface name for network")
+	}
+	return name, nil
+}
diff --git a/pkg/spec/spec_test.go b/pkg/spec/spec_test.go
index 0abff491b..2f91e1b21 100644
--- a/pkg/spec/spec_test.go
+++ b/pkg/spec/spec_test.go
@@ -4,6 +4,8 @@ import (
 	"runtime"
 	"testing"
 
+	"github.com/containers/libpod/pkg/cgroups"
+	"github.com/containers/libpod/pkg/rootless"
 	"github.com/containers/libpod/pkg/sysinfo"
 	"github.com/containers/storage"
 	"github.com/containers/storage/pkg/idtools"
@@ -26,14 +28,30 @@ func makeTestCreateConfig() *CreateConfig {
 	return cc
 }
 
-// TestPIDsLimit verifies the given pid-limit is correctly defined in the spec
-func TestPIDsLimit(t *testing.T) {
+func doCommonSkipChecks(t *testing.T) {
 	// The default configuration of podman enables seccomp, which is not available on non-Linux systems.
 	// Thus, any tests that use the default seccomp setting would fail.
 	// Skip the tests on non-Linux platforms rather than explicitly disable seccomp in the test and possibly affect the test result.
 	if runtime.GOOS != "linux" {
 		t.Skip("seccomp, which is enabled by default, is only supported on Linux")
 	}
+
+	if rootless.IsRootless() {
+		isCgroupV2, err := cgroups.IsCgroup2UnifiedMode()
+		if err != nil {
+			t.Errorf("unexpected error: %v", err)
+		}
+
+		if !isCgroupV2 {
+			t.Skip("cgroups v1 cannot be used when rootless")
+		}
+	}
+}
+
+// TestPIDsLimit verifies the given pid-limit is correctly defined in the spec
+func TestPIDsLimit(t *testing.T) {
+	doCommonSkipChecks(t)
+
 	if !sysInfo.PidsLimit {
 		t.Skip("running test not supported by the host system")
 	}
@@ -50,12 +68,8 @@ func TestPIDsLimit(t *testing.T) {
 // TestBLKIOWeightDevice verifies the given blkio weight is correctly set in the
 // spec.
 func TestBLKIOWeightDevice(t *testing.T) {
-	// The default configuration of podman enables seccomp, which is not available on non-Linux systems.
-	// Thus, any tests that use the default seccomp setting would fail.
-	// Skip the tests on non-Linux platforms rather than explicitly disable seccomp in the test and possibly affect the test result.
-	if runtime.GOOS != "linux" {
-		t.Skip("seccomp, which is enabled by default, is only supported on Linux")
-	}
+	doCommonSkipChecks(t)
+
 	if !sysInfo.BlkioWeightDevice {
 		t.Skip("running test not supported by the host system")
 	}
@@ -75,12 +89,8 @@ func TestBLKIOWeightDevice(t *testing.T) {
 // TestMemorySwap verifies that the given swap memory limit is correctly set in
 // the spec.
 func TestMemorySwap(t *testing.T) {
-	// The default configuration of podman enables seccomp, which is not available on non-Linux systems.
-	// Thus, any tests that use the default seccomp setting would fail.
-	// Skip the tests on non-Linux platforms rather than explicitly disable seccomp in the test and possibly affect the test result.
-	if runtime.GOOS != "linux" {
-		t.Skip("seccomp, which is enabled by default, is only supported on Linux")
-	}
+	doCommonSkipChecks(t)
+
 	if !sysInfo.SwapLimit {
 		t.Skip("running test not supported by the host system")
 	}
diff --git a/pkg/util/utils.go b/pkg/util/utils.go
index 2261934f0..583bf5d18 100644
--- a/pkg/util/utils.go
+++ b/pkg/util/utils.go
@@ -377,3 +377,19 @@ func ValidatePullType(pullType string) (PullType, error) {
 		return PullImageMissing, errors.Errorf("invalid pull type %q", pullType)
 	}
 }
+
+// ExitCode reads the error message when failing to executing container process
+// and then returns 0 if no error, 126 if command does not exist, or 127 for
+// all other errors
+func ExitCode(err error) int {
+	if err == nil {
+		return 0
+	}
+	e := strings.ToLower(err.Error())
+	if strings.Contains(e, "file not found") ||
+		strings.Contains(e, "no such file or directory") {
+		return 127
+	}
+
+	return 126
+}
diff --git a/pkg/varlinkapi/attach.go b/pkg/varlinkapi/attach.go
index 1f8d48eb9..3bd487849 100644
--- a/pkg/varlinkapi/attach.go
+++ b/pkg/varlinkapi/attach.go
@@ -9,7 +9,9 @@ import (
 	"github.com/containers/libpod/cmd/podman/varlink"
 	"github.com/containers/libpod/libpod"
 	"github.com/containers/libpod/libpod/define"
+	"github.com/containers/libpod/libpod/events"
 	"github.com/containers/libpod/pkg/varlinkapi/virtwriter"
+	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"k8s.io/client-go/tools/remotecommand"
 )
@@ -79,11 +81,36 @@ func (i *LibpodAPI) Attach(call iopodman.VarlinkCall, name string, detachKeys st
 		finalErr = startAndAttach(ctr, streams, detachKeys, resize, errChan)
 	}
 
+	exitCode := define.ExitCode(finalErr)
 	if finalErr != define.ErrDetach && finalErr != nil {
 		logrus.Error(finalErr)
+	} else {
+		if ecode, err := ctr.Wait(); err != nil {
+			if errors.Cause(err) == define.ErrNoSuchCtr {
+				// Check events
+				event, err := i.Runtime.GetLastContainerEvent(ctr.ID(), events.Exited)
+				if err != nil {
+					logrus.Errorf("Cannot get exit code: %v", err)
+					exitCode = define.ExecErrorCodeNotFound
+				} else {
+					exitCode = event.ContainerExitCode
+				}
+			} else {
+				exitCode = define.ExitCode(err)
+			}
+		} else {
+			exitCode = int(ecode)
+		}
+	}
+
+	if ctr.AutoRemove() {
+		err := i.Runtime.RemoveContainer(getContext(), ctr, false, false)
+		if err != nil {
+			logrus.Errorf("Failed to remove container %s: %s", ctr.ID(), err.Error())
+		}
 	}
 
-	if err = virtwriter.HangUp(writer, 0); err != nil {
+	if err = virtwriter.HangUp(writer, uint32(exitCode)); err != nil {
 		logrus.Errorf("Failed to HANG-UP attach to %s: %s", ctr.ID(), err.Error())
 	}
 	return call.Writer.Flush()
diff --git a/pkg/varlinkapi/containers.go b/pkg/varlinkapi/containers.go
index 2dcdbc089..93f9d4fe3 100644
--- a/pkg/varlinkapi/containers.go
+++ b/pkg/varlinkapi/containers.go
@@ -319,12 +319,14 @@ func (i *LibpodAPI) ExportContainer(call iopodman.VarlinkCall, name, outPath str
 
 // GetContainerStats ...
 func (i *LibpodAPI) GetContainerStats(call iopodman.VarlinkCall, name string) error {
-	cgroupv2, err := cgroups.IsCgroup2UnifiedMode()
-	if err != nil {
-		return call.ReplyErrorOccurred(err.Error())
-	}
-	if rootless.IsRootless() && !cgroupv2 {
-		return call.ReplyErrRequiresCgroupsV2ForRootless("rootless containers cannot report container stats")
+	if rootless.IsRootless() {
+		cgroupv2, err := cgroups.IsCgroup2UnifiedMode()
+		if err != nil {
+			return call.ReplyErrorOccurred(err.Error())
+		}
+		if !cgroupv2 {
+			return call.ReplyErrRequiresCgroupsV2ForRootless("rootless containers cannot report container stats")
+		}
 	}
 	ctr, err := i.Runtime.LookupContainer(name)
 	if err != nil {
diff --git a/pkg/varlinkapi/pods.go b/pkg/varlinkapi/pods.go
index c0fd8b1f7..9b659f66b 100644
--- a/pkg/varlinkapi/pods.go
+++ b/pkg/varlinkapi/pods.go
@@ -5,12 +5,12 @@ package varlinkapi
 import (
 	"encoding/json"
 	"fmt"
-	"github.com/containers/libpod/pkg/adapter/shortcuts"
 	"syscall"
 
 	"github.com/containers/libpod/cmd/podman/shared"
 	"github.com/containers/libpod/cmd/podman/varlink"
 	"github.com/containers/libpod/libpod"
+	"github.com/containers/libpod/pkg/adapter/shortcuts"
 )
 
 // CreatePod ...