8 files changed, 74 insertions, 43 deletions
diff --git a/pkg/bindings/containers/containers.go b/pkg/bindings/containers/containers.go
index 9e6dbef19..9913b773b 100644
--- a/pkg/bindings/containers/containers.go
+++ b/pkg/bindings/containers/containers.go
@@ -98,7 +98,7 @@ func Remove(ctx context.Context, nameOrID string, force, volumes *bool) error {
 		params.Set("force", strconv.FormatBool(*force))
 	}
 	if volumes != nil {
-		params.Set("vols", strconv.FormatBool(*volumes))
+		params.Set("v", strconv.FormatBool(*volumes))
 	}
 	response, err := conn.DoRequest(nil, http.MethodDelete, "/containers/%s", params, nil, nameOrID)
 	if err != nil {
diff --git a/pkg/domain/infra/abi/images.go b/pkg/domain/infra/abi/images.go
index 05adc40fe..35675e1f3 100644
--- a/pkg/domain/infra/abi/images.go
+++ b/pkg/domain/infra/abi/images.go
@@ -7,6 +7,7 @@ import (
 	"io/ioutil"
 	"net/url"
 	"os"
+	"path"
 	"path/filepath"
 	"strconv"
 	"strings"
@@ -682,10 +683,6 @@ func (ir *ImageEngine) Shutdown(_ context.Context) {
 }
 
 func (ir *ImageEngine) Sign(ctx context.Context, names []string, options entities.SignOptions) (*entities.SignReport, error) {
-	dockerRegistryOptions := image.DockerRegistryOptions{
-		DockerCertPath: options.CertDir,
-	}
-
 	mech, err := signature.NewGPGSigningMechanism()
 	if err != nil {
 		return nil, errors.Wrap(err, "error initializing GPG")
@@ -704,7 +701,6 @@ func (ir *ImageEngine) Sign(ctx context.Context, names []string, options entitie
 	}
 
 	for _, signimage := range names {
-		var sigStoreDir string
 		srcRef, err := alltransports.ParseImageName(signimage)
 		if err != nil {
 			return nil, errors.Wrapf(err, "error parsing image name")
@@ -725,40 +721,38 @@ func (ir *ImageEngine) Sign(ctx context.Context, names []string, options entitie
 		if dockerReference == nil {
 			return nil, errors.Errorf("cannot determine canonical Docker reference for destination %s", transports.ImageName(rawSource.Reference()))
 		}
-
-		// create the signstore file
-		rtc, err := ir.Libpod.GetConfig()
-		if err != nil {
-			return nil, err
-		}
-		newImage, err := ir.Libpod.ImageRuntime().New(ctx, signimage, rtc.Engine.SignaturePolicyPath, "", os.Stderr, &dockerRegistryOptions, image.SigningOptions{SignBy: options.SignBy}, nil, util.PullImageMissing)
-		if err != nil {
-			return nil, errors.Wrapf(err, "error pulling image %s", signimage)
+		var sigStoreDir string
+		if options.Directory != "" {
+			sigStoreDir = options.Directory
 		}
 		if sigStoreDir == "" {
 			if rootless.IsRootless() {
 				sigStoreDir = filepath.Join(filepath.Dir(ir.Libpod.StorageConfig().GraphRoot), "sigstore")
 			} else {
+				var sigStoreURI string
 				registryInfo := trust.HaveMatchRegistry(rawSource.Reference().DockerReference().String(), registryConfigs)
 				if registryInfo != nil {
-					if sigStoreDir = registryInfo.SigStoreStaging; sigStoreDir == "" {
-						sigStoreDir = registryInfo.SigStore
-
+					if sigStoreURI = registryInfo.SigStoreStaging; sigStoreURI == "" {
+						sigStoreURI = registryInfo.SigStore
 					}
 				}
+				if sigStoreURI == "" {
+					return nil, errors.Errorf("no signature storage configuration found for %s", rawSource.Reference().DockerReference().String())
+
+				}
+				sigStoreDir, err = localPathFromURI(sigStoreURI)
+				if err != nil {
+					return nil, errors.Wrapf(err, "invalid signature storage %s", sigStoreURI)
+				}
 			}
 		}
-		sigStoreDir, err = isValidSigStoreDir(sigStoreDir)
+		manifestDigest, err := manifest.Digest(getManifest)
 		if err != nil {
-			return nil, errors.Wrapf(err, "invalid signature storage %s", sigStoreDir)
-		}
-		repos, err := newImage.RepoDigests()
-		if err != nil {
-			return nil, errors.Wrapf(err, "error calculating repo digests for %s", signimage)
+			return nil, err
 		}
-		if len(repos) == 0 {
-			logrus.Errorf("no repodigests associated with the image %s", signimage)
-			continue
+		repo := reference.Path(dockerReference)
+		if path.Clean(repo) != repo { // Coverage: This should not be reachable because /./ and /../ components are not valid in docker references
+			return nil, errors.Errorf("Unexpected path elements in Docker reference %s for signature storage", dockerReference.String())
 		}
 
 		// create signature
@@ -766,22 +760,21 @@ func (ir *ImageEngine) Sign(ctx context.Context, names []string, options entitie
 		if err != nil {
 			return nil, errors.Wrapf(err, "error creating new signature")
 		}
-
-		trimmedDigest := strings.TrimPrefix(repos[0], strings.Split(repos[0], "/")[0])
-		sigStoreDir = filepath.Join(sigStoreDir, strings.Replace(trimmedDigest, ":", "=", 1))
-		if err := os.MkdirAll(sigStoreDir, 0751); err != nil {
+		// create the signstore file
+		signatureDir := fmt.Sprintf("%s@%s=%s", filepath.Join(sigStoreDir, repo), manifestDigest.Algorithm(), manifestDigest.Hex())
+		if err := os.MkdirAll(signatureDir, 0751); err != nil {
 			// The directory is allowed to exist
 			if !os.IsExist(err) {
-				logrus.Errorf("error creating directory %s: %s", sigStoreDir, err)
+				logrus.Errorf("error creating directory %s: %s", signatureDir, err)
 				continue
 			}
 		}
-		sigFilename, err := getSigFilename(sigStoreDir)
+		sigFilename, err := getSigFilename(signatureDir)
 		if err != nil {
 			logrus.Errorf("error creating sigstore file: %v", err)
 			continue
 		}
-		err = ioutil.WriteFile(filepath.Join(sigStoreDir, sigFilename), newSig, 0644)
+		err = ioutil.WriteFile(filepath.Join(signatureDir, sigFilename), newSig, 0644)
 		if err != nil {
 			logrus.Errorf("error storing signature for %s", rawSource.Reference().DockerReference().String())
 			continue
@@ -809,14 +802,12 @@ func getSigFilename(sigStoreDirPath string) (string, error) {
 	}
 }
 
-func isValidSigStoreDir(sigStoreDir string) (string, error) {
-	writeURIs := map[string]bool{"file": true}
+func localPathFromURI(sigStoreDir string) (string, error) {
 	url, err := url.Parse(sigStoreDir)
 	if err != nil {
 		return sigStoreDir, errors.Wrapf(err, "invalid directory %s", sigStoreDir)
 	}
-	_, exists := writeURIs[url.Scheme]
-	if !exists {
+	if url.Scheme != "file" {
 		return sigStoreDir, errors.Errorf("writing to %s is not supported. Use a supported scheme", sigStoreDir)
 	}
 	sigStoreDir = url.Path
diff --git a/pkg/domain/infra/tunnel/containers.go b/pkg/domain/infra/tunnel/containers.go
index 1fad67b86..d2221ab7b 100644
--- a/pkg/domain/infra/tunnel/containers.go
+++ b/pkg/domain/infra/tunnel/containers.go
@@ -500,9 +500,6 @@ func (ic *ContainerEngine) ContainerList(ctx context.Context, options entities.C
 }
 
 func (ic *ContainerEngine) ContainerRun(ctx context.Context, opts entities.ContainerRunOptions) (*entities.ContainerRunReport, error) {
-	if opts.Rm {
-		logrus.Info("the remote client does not support --rm yet")
-	}
 	con, err := containers.CreateWithSpec(ic.ClientCxt, opts.Spec)
 	if err != nil {
 		return nil, err
@@ -526,6 +523,17 @@ func (ic *ContainerEngine) ContainerRun(ctx context.Context, opts entities.Conta
 	if err != nil {
 		report.ExitCode = define.ExitCode(err)
 	}
+	if opts.Rm {
+		if err := containers.Remove(ic.ClientCxt, con.ID, bindings.PFalse, bindings.PTrue); err != nil {
+			if errors.Cause(err) == define.ErrNoSuchCtr ||
+				errors.Cause(err) == define.ErrCtrRemoved {
+				logrus.Warnf("Container %s does not exist: %v", con.ID, err)
+			} else {
+				logrus.Errorf("Error removing container %s: %v", con.ID, err)
+			}
+		}
+	}
+
 	return &report, err
 }
 
diff --git a/pkg/rootless/rootless_linux.c b/pkg/rootless/rootless_linux.c
index 0223c35ee..2e1fddc48 100644
--- a/pkg/rootless/rootless_linux.c
+++ b/pkg/rootless/rootless_linux.c
@@ -225,6 +225,16 @@ can_use_shortcut ()
   return ret;
 }
 
+int
+is_fd_inherited(int fd)
+{
+  if (open_files_set == NULL || fd > open_files_max_fd || fd < 0)
+  {
+    return 0;
+  }
+  return FD_ISSET(fd % FD_SETSIZE, &(open_files_set[fd / FD_SETSIZE])) ? 1 : 0;
+}
+
 static void __attribute__((constructor)) init()
 {
   const char *xdg_runtime_dir;
diff --git a/pkg/rootless/rootless_linux.go b/pkg/rootless/rootless_linux.go
index ccc8a1d94..c3f1fc7fa 100644
--- a/pkg/rootless/rootless_linux.go
+++ b/pkg/rootless/rootless_linux.go
@@ -32,6 +32,7 @@ extern uid_t rootless_gid();
 extern int reexec_in_user_namespace(int ready, char *pause_pid_file_path, char *file_to_read, int fd);
 extern int reexec_in_user_namespace_wait(int pid, int options);
 extern int reexec_userns_join(int pid, char *pause_pid_file_path);
+extern int is_fd_inherited(int fd);
 */
 import "C"
 
@@ -520,3 +521,8 @@ func ConfigurationMatches() (bool, error) {
 
 	return matches(GetRootlessGID(), gids, currentGIDs), nil
 }
+
+// IsFdInherited checks whether the fd is opened and valid to use
+func IsFdInherited(fd int) bool {
+	return int(C.is_fd_inherited(C.int(fd))) > 0
+}
diff --git a/pkg/rootless/rootless_unsupported.go b/pkg/rootless/rootless_unsupported.go
index 1499b737f..7dfb4a4b2 100644
--- a/pkg/rootless/rootless_unsupported.go
+++ b/pkg/rootless/rootless_unsupported.go
@@ -64,3 +64,8 @@ func GetConfiguredMappings() ([]idtools.IDMap, []idtools.IDMap, error) {
 func ReadMappingsProc(path string) ([]idtools.IDMap, error) {
 	return nil, nil
 }
+
+// IsFdInherited checks whether the fd is opened and valid to use
+func IsFdInherited(fd int) bool {
+	return false
+}
diff --git a/pkg/specgen/generate/container_create.go b/pkg/specgen/generate/container_create.go
index 9dfb35be3..b61ac2c30 100644
--- a/pkg/specgen/generate/container_create.go
+++ b/pkg/specgen/generate/container_create.go
@@ -238,6 +238,17 @@ func createContainerOptions(ctx context.Context, rt *libpod.Runtime, s *specgen.
 	if s.Entrypoint != nil {
 		options = append(options, libpod.WithEntrypoint(s.Entrypoint))
 	}
+	// If the user did not set an workdir but the image did, ensure it is
+	// created.
+	if s.WorkDir == "" && img != nil {
+		newWD, err := img.WorkingDir(ctx)
+		if err != nil {
+			return nil, err
+		}
+		if newWD != "" {
+			options = append(options, libpod.WithCreateWorkingDir())
+		}
+	}
 	if s.StopSignal != nil {
 		options = append(options, libpod.WithStopSignal(*s.StopSignal))
 	}
diff --git a/pkg/trust/trust.go b/pkg/trust/trust.go
index 60de099fa..2348bc410 100644
--- a/pkg/trust/trust.go
+++ b/pkg/trust/trust.go
@@ -12,9 +12,9 @@ import (
 	"strings"
 
 	"github.com/containers/image/v5/types"
+	"github.com/ghodss/yaml"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
-	"gopkg.in/yaml.v2"
 )
 
 // PolicyContent struct for policy.json file
@@ -157,7 +157,7 @@ func HaveMatchRegistry(key string, registryConfigs *RegistryConfiguration) *Regi
 			searchKey = searchKey[:strings.LastIndex(searchKey, "/")]
 		}
 	}
-	return nil
+	return registryConfigs.DefaultDocker
 }
 
 // CreateTmpFile creates a temp file under dir and writes the content into it