14 files changed, 103 insertions, 31 deletions
diff --git a/pkg/api/handlers/utils/pods.go b/pkg/api/handlers/utils/pods.go
index 8276fb55e..54ebe2d29 100644
--- a/pkg/api/handlers/utils/pods.go
+++ b/pkg/api/handlers/utils/pods.go
@@ -45,7 +45,7 @@ func GetPods(w http.ResponseWriter, r *http.Request) ([]*entities.ListPodsReport
 	}
 
 	if len(pods) == 0 {
-		return nil, nil
+		return []*entities.ListPodsReport{}, nil
 	}
 
 	lps := make([]*entities.ListPodsReport, 0, len(pods))
diff --git a/pkg/env/env.go b/pkg/env/env.go
index a16007a50..0d55e5560 100644
--- a/pkg/env/env.go
+++ b/pkg/env/env.go
@@ -12,14 +12,16 @@ import (
 	"github.com/pkg/errors"
 )
 
-// DefaultEnvVariables sets $PATH and $TERM.
-var DefaultEnvVariables = map[string]string{
-	"PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
-	"TERM": "xterm",
-}
-
 const whiteSpaces = " \t"
 
+// DefaultEnvVariables returns a default environment, with $PATH and $TERM set.
+func DefaultEnvVariables() map[string]string {
+	return map[string]string{
+		"PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+		"TERM": "xterm",
+	}
+}
+
 // Slice transforms the specified map of environment variables into a
 // slice. If a value is non-empty, the key and value are joined with '='.
 func Slice(m map[string]string) []string {
diff --git a/pkg/spec/createconfig.go b/pkg/spec/createconfig.go
index c49d51fc5..e0c875fe9 100644
--- a/pkg/spec/createconfig.go
+++ b/pkg/spec/createconfig.go
@@ -31,12 +31,13 @@ const (
 type CreateResourceConfig struct {
 	BlkioWeight       uint16   // blkio-weight
 	BlkioWeightDevice []string // blkio-weight-device
-	CPUPeriod         uint64   // cpu-period
-	CPUQuota          int64    // cpu-quota
-	CPURtPeriod       uint64   // cpu-rt-period
-	CPURtRuntime      int64    // cpu-rt-runtime
-	CPUShares         uint64   // cpu-shares
-	CPUs              float64  // cpus
+	CgroupConf        map[string]string
+	CPUPeriod         uint64  // cpu-period
+	CPUQuota          int64   // cpu-quota
+	CPURtPeriod       uint64  // cpu-rt-period
+	CPURtRuntime      int64   // cpu-rt-runtime
+	CPUShares         uint64  // cpu-shares
+	CPUs              float64 // cpus
 	CPUsetCPUs        string
 	CPUsetMems        string   // cpuset-mems
 	DeviceCgroupRules []string //device-cgroup-rule
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index c7a838d4c..893ae3cab 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -321,13 +321,13 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
 	// config.
 	var defaultEnv map[string]string
 	if runtimeConfig == nil {
-		defaultEnv = env.DefaultEnvVariables
+		defaultEnv = env.DefaultEnvVariables()
 	} else {
 		defaultEnv, err = env.ParseSlice(runtimeConfig.Containers.Env)
 		if err != nil {
 			return nil, errors.Wrap(err, "Env fields in containers.conf failed ot parse")
 		}
-		defaultEnv = env.Join(env.DefaultEnvVariables, defaultEnv)
+		defaultEnv = env.Join(env.DefaultEnvVariables(), defaultEnv)
 	}
 
 	if err := addRlimits(config, &g); err != nil {
diff --git a/pkg/specgen/container_validate.go b/pkg/specgen/container_validate.go
index 76961fa80..dc9e6b9d8 100644
--- a/pkg/specgen/container_validate.go
+++ b/pkg/specgen/container_validate.go
@@ -37,6 +37,23 @@ func (s *SpecGenerator) Validate() error {
 		}
 	}
 
+	// Containers being added to a pod cannot have certain network attributes
+	// associated with them because those should be on the infra container.
+	if len(s.Pod) > 0 && s.NetNS.NSMode == FromPod {
+		if s.StaticIP != nil || s.StaticIPv6 != nil {
+			return errors.Wrap(define.ErrNetworkOnPodContainer, "static ip addresses must be defined when the pod is created")
+		}
+		if s.StaticMAC != nil {
+			return errors.Wrap(define.ErrNetworkOnPodContainer, "MAC addresses must be defined when the pod is created")
+		}
+		if len(s.CNINetworks) > 0 {
+			return errors.Wrap(define.ErrNetworkOnPodContainer, "networks must be defined when the pod is created")
+		}
+		if len(s.PortMappings) > 0 || s.PublishExposedPorts {
+			return errors.Wrap(define.ErrNetworkOnPodContainer, "published or exposed ports must be defined when the pod is created")
+		}
+	}
+
 	//
 	// ContainerBasicConfig
 	//
diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go
index 5e4cc3399..d3e3d9278 100644
--- a/pkg/specgen/generate/security.go
+++ b/pkg/specgen/generate/security.go
@@ -112,7 +112,7 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
 			// Pass capRequiredRequested in CapAdd field to normalize capabilities names
 			capsRequired, err := capabilities.MergeCapabilities(nil, capsRequiredRequested, nil)
 			if err != nil {
-				logrus.Errorf("capabilities requested by user or image are not valid: %q", strings.Join(capsRequired, ","))
+				return errors.Wrapf(err, "capabilities requested by user or image are not valid: %q", strings.Join(capsRequired, ","))
 			} else {
 				// Verify all capRequiered are in the capList
 				for _, cap := range capsRequired {
@@ -129,12 +129,6 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
 		}
 	}
 
-	g.SetProcessNoNewPrivileges(s.NoNewPrivileges)
-
-	if err := setupApparmor(s, rtc, g); err != nil {
-		return err
-	}
-
 	configSpec := g.Config
 	configSpec.Process.Capabilities.Bounding = caplist
 
@@ -142,13 +136,21 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
 		configSpec.Process.Capabilities.Effective = caplist
 		configSpec.Process.Capabilities.Permitted = caplist
 		configSpec.Process.Capabilities.Inheritable = caplist
-		configSpec.Process.Capabilities.Ambient = caplist
 	} else {
-		configSpec.Process.Capabilities.Effective = []string{}
-		configSpec.Process.Capabilities.Permitted = []string{}
-		configSpec.Process.Capabilities.Inheritable = []string{}
-		configSpec.Process.Capabilities.Ambient = []string{}
+		userCaps, err := capabilities.NormalizeCapabilities(s.CapAdd)
+		if err != nil {
+			return errors.Wrapf(err, "capabilities requested by user are not valid: %q", strings.Join(s.CapAdd, ","))
+		}
+		configSpec.Process.Capabilities.Effective = userCaps
+		configSpec.Process.Capabilities.Permitted = userCaps
 	}
+
+	g.SetProcessNoNewPrivileges(s.NoNewPrivileges)
+
+	if err := setupApparmor(s, rtc, g); err != nil {
+		return err
+	}
+
 	// HANDLE SECCOMP
 	if s.SeccompProfilePath != "unconfined" {
 		seccompConfig, err := getSeccompConfig(s, configSpec, newImage)
diff --git a/pkg/specgen/generate/validate.go b/pkg/specgen/generate/validate.go
index dca45cc0e..ed337321b 100644
--- a/pkg/specgen/generate/validate.go
+++ b/pkg/specgen/generate/validate.go
@@ -23,6 +23,12 @@ func verifyContainerResources(s *specgen.SpecGenerator) ([]string, error) {
 		return warnings, nil
 	}
 
+	if s.ResourceLimits.Unified != nil {
+		if !cgroup2 {
+			return nil, errors.New("Cannot use --cgroup-conf without cgroup v2")
+		}
+	}
+
 	// Memory checks
 	if s.ResourceLimits.Memory != nil {
 		memory := s.ResourceLimits.Memory
diff --git a/pkg/specgen/specgen.go b/pkg/specgen/specgen.go
index a9161071b..a52225f87 100644
--- a/pkg/specgen/specgen.go
+++ b/pkg/specgen/specgen.go
@@ -415,6 +415,10 @@ type ContainerResourceConfig struct {
 	ThrottleReadIOPSDevice map[string]spec.LinuxThrottleDevice `json:"throttleReadIOPSDevice,omitempty"`
 	// IO write rate limit per cgroup per device, IO per second
 	ThrottleWriteIOPSDevice map[string]spec.LinuxThrottleDevice `json:"throttleWriteIOPSDevice,omitempty"`
+	// CgroupConf are key-value options passed into the container runtime
+	// that are used to configure cgroup v2.
+	// Optional.
+	CgroupConf map[string]string `json:"unified,omitempty"`
 }
 
 // ContainerHealthCheckConfig describes a container healthcheck with attributes
diff --git a/pkg/systemd/generate/common.go b/pkg/systemd/generate/common.go
index d6d18a810..1fc4479ff 100644
--- a/pkg/systemd/generate/common.go
+++ b/pkg/systemd/generate/common.go
@@ -1,6 +1,7 @@
 package generate
 
 import (
+	"strconv"
 	"strings"
 
 	"github.com/pkg/errors"
@@ -53,3 +54,15 @@ func filterPodFlags(command []string) []string {
 	}
 	return processed
 }
+
+// quoteArguments makes sure that all arguments with at least one whitespace
+// are quoted to make sure those are interpreted as one argument instead of
+// multiple ones.
+func quoteArguments(command []string) []string {
+	for i := range command {
+		if strings.ContainsAny(command[i], " \t") {
+			command[i] = strconv.Quote(command[i])
+		}
+	}
+	return command
+}
diff --git a/pkg/systemd/generate/common_test.go b/pkg/systemd/generate/common_test.go
index 389c30f59..d0ec5637c 100644
--- a/pkg/systemd/generate/common_test.go
+++ b/pkg/systemd/generate/common_test.go
@@ -28,3 +28,28 @@ func TestFilterPodFlags(t *testing.T) {
 		}
 	}
 }
+
+func TestQuoteArguments(t *testing.T) {
+	tests := []struct {
+		input  []string
+		output []string
+	}{
+		{
+			[]string{"foo", "bar=\"arg\""},
+			[]string{"foo", "bar=\"arg\""},
+		},
+		{
+			[]string{"foo", "bar=\"arg with space\""},
+			[]string{"foo", "\"bar=\\\"arg with space\\\"\""},
+		},
+		{
+			[]string{"foo", "bar=\"arg with\ttab\""},
+			[]string{"foo", "\"bar=\\\"arg with\\ttab\\\"\""},
+		},
+	}
+
+	for _, test := range tests {
+		quoted := quoteArguments(test.input)
+		assert.Equal(t, test.output, quoted)
+	}
+}
diff --git a/pkg/systemd/generate/containers.go b/pkg/systemd/generate/containers.go
index 3d266a7a1..5f6376977 100644
--- a/pkg/systemd/generate/containers.go
+++ b/pkg/systemd/generate/containers.go
@@ -241,6 +241,7 @@ func executeContainerTemplate(info *containerInfo, options entities.GenerateSyst
 			startCommand = append(startCommand, "--replace")
 		}
 		startCommand = append(startCommand, info.CreateCommand[index:]...)
+		startCommand = quoteArguments(startCommand)
 
 		info.ExecStartPre = "/bin/rm -f {{.PIDFile}} {{.ContainerIDFile}}"
 		info.ExecStart = strings.Join(startCommand, " ")
diff --git a/pkg/systemd/generate/containers_test.go b/pkg/systemd/generate/containers_test.go
index 41817c03c..b5c736c5a 100644
--- a/pkg/systemd/generate/containers_test.go
+++ b/pkg/systemd/generate/containers_test.go
@@ -117,7 +117,7 @@ After=network-online.target
 Environment=PODMAN_SYSTEMD_UNIT=%n
 Restart=always
 ExecStartPre=/bin/rm -f %t/jadda-jadda.pid %t/jadda-jadda.ctr-id
-ExecStart=/usr/bin/podman run --conmon-pidfile %t/jadda-jadda.pid --cidfile %t/jadda-jadda.ctr-id --cgroups=no-conmon -d --replace --name jadda-jadda --hostname hello-world awesome-image:latest command arg1 ... argN
+ExecStart=/usr/bin/podman run --conmon-pidfile %t/jadda-jadda.pid --cidfile %t/jadda-jadda.ctr-id --cgroups=no-conmon -d --replace --name jadda-jadda --hostname hello-world awesome-image:latest command arg1 ... argN "foo=arg \"with \" space"
 ExecStop=/usr/bin/podman stop --ignore --cidfile %t/jadda-jadda.ctr-id -t 42
 ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/jadda-jadda.ctr-id
 PIDFile=%t/jadda-jadda.pid
@@ -296,7 +296,7 @@ WantedBy=multi-user.target default.target`
 				PIDFile:           "/var/run/containers/storage/overlay-containers/639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401/userdata/conmon.pid",
 				StopTimeout:       42,
 				PodmanVersion:     "CI",
-				CreateCommand:     []string{"I'll get stripped", "container", "run", "--name", "jadda-jadda", "--hostname", "hello-world", "awesome-image:latest", "command", "arg1", "...", "argN"},
+				CreateCommand:     []string{"I'll get stripped", "container", "run", "--name", "jadda-jadda", "--hostname", "hello-world", "awesome-image:latest", "command", "arg1", "...", "argN", "foo=arg \"with \" space"},
 				EnvVariable:       EnvVariable,
 			},
 			goodWithNameAndGeneric,
diff --git a/pkg/systemd/generate/pods.go b/pkg/systemd/generate/pods.go
index ec28dfe84..dec9587d9 100644
--- a/pkg/systemd/generate/pods.go
+++ b/pkg/systemd/generate/pods.go
@@ -292,6 +292,7 @@ func executePodTemplate(info *podInfo, options entities.GenerateSystemdOptions)
 		}
 
 		startCommand = append(startCommand, podCreateArgs...)
+		startCommand = quoteArguments(startCommand)
 
 		info.ExecStartPre1 = "/bin/rm -f {{.PIDFile}} {{.PodIDFile}}"
 		info.ExecStartPre2 = strings.Join(startCommand, " ")
diff --git a/pkg/systemd/generate/pods_test.go b/pkg/systemd/generate/pods_test.go
index 32c760956..8bf4705a7 100644
--- a/pkg/systemd/generate/pods_test.go
+++ b/pkg/systemd/generate/pods_test.go
@@ -75,7 +75,7 @@ Before=container-1.service container-2.service
 Environment=PODMAN_SYSTEMD_UNIT=%n
 Restart=on-failure
 ExecStartPre=/bin/rm -f %t/pod-123abc.pid %t/pod-123abc.pod-id
-ExecStartPre=/usr/bin/podman pod create --infra-conmon-pidfile %t/pod-123abc.pid --pod-id-file %t/pod-123abc.pod-id --name foo --replace
+ExecStartPre=/usr/bin/podman pod create --infra-conmon-pidfile %t/pod-123abc.pid --pod-id-file %t/pod-123abc.pod-id --name foo "bar=arg with space" --replace
 ExecStart=/usr/bin/podman pod start --pod-id-file %t/pod-123abc.pod-id
 ExecStop=/usr/bin/podman pod stop --ignore --pod-id-file %t/pod-123abc.pod-id -t 10
 ExecStopPost=/usr/bin/podman pod rm --ignore -f --pod-id-file %t/pod-123abc.pod-id
@@ -118,7 +118,7 @@ WantedBy=multi-user.target default.target`
 				StopTimeout:      10,
 				PodmanVersion:    "CI",
 				RequiredServices: []string{"container-1", "container-2"},
-				CreateCommand:    []string{"podman", "pod", "create", "--name", "foo"},
+				CreateCommand:    []string{"podman", "pod", "create", "--name", "foo", "bar=arg with space"},
 			},
 			podGoodNamedNew,
 			true,