Diffstat (limited to 'pkg')
-rw-r--r--pkg/api/handlers/compat/containers.go10
-rw-r--r--pkg/api/handlers/compat/containers_create.go13
-rw-r--r--pkg/api/handlers/utils/pods.go2
-rw-r--r--pkg/spec/createconfig.go13
-rw-r--r--pkg/spec/spec.go11
-rw-r--r--pkg/specgen/container_validate.go17
-rw-r--r--pkg/specgen/generate/security.go26
-rw-r--r--pkg/specgen/generate/validate.go6
-rw-r--r--pkg/specgen/specgen.go4
9 files changed, 75 insertions, 27 deletions
diff --git a/pkg/api/handlers/compat/containers.go b/pkg/api/handlers/compat/containers.go
index 6943b15ff..1ae6a990b 100644
--- a/pkg/api/handlers/compat/containers.go
+++ b/pkg/api/handlers/compat/containers.go
@@ -319,6 +319,14 @@ func LibpodToContainerJSON(l *libpod.Container, sz bool) (*types.ContainerJSON,
SizeRootFs: &inspect.SizeRootFs,
}
+ // set Path and Args
+ processArgs := l.Config().Spec.Process.Args
+ if len(processArgs) > 0 {
+ cb.Path = processArgs[0]
+ }
+ if len(processArgs) > 1 {
+ cb.Args = processArgs[1:]
+ }
stopTimeout := int(l.StopTimeout())
exposedPorts := make(nat.PortSet)
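Review bot: `cb.Args = processArgs[1:]` hands the caller a sub-slice that shares its backing array with the container's stored Spec.Process.Args, so a consumer that modifies the returned Args (or appends to it) can modify the container's configuration, unless `l.Config()` already returns a deep copy, which is not visible here. Detaching is one line: `cb.Args = append([]string(nil), processArgs[1:]...)`. The chain `l.Config().Spec.Process.Args` also assumes Spec and Process are non-nil; if a container can exist without a process section, this is a nil-pointer panic on inspect. LibpodToContainerJSON starts and ends outside the hunk.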
@@ -346,7 +354,7 @@ func LibpodToContainerJSON(l *libpod.Container, sz bool) (*types.ContainerJSON,
OpenStdin: inspect.Config.OpenStdin,
StdinOnce: inspect.Config.StdinOnce,
Env: inspect.Config.Env,
- Cmd: inspect.Config.Cmd,
+ Cmd: l.Command(),
Healthcheck: nil,
ArgsEscaped: false,
Image: imageName,
diff --git a/pkg/api/handlers/compat/containers_create.go b/pkg/api/handlers/compat/containers_create.go
index 8238d2d93..93e4fe540 100644
--- a/pkg/api/handlers/compat/containers_create.go
+++ b/pkg/api/handlers/compat/containers_create.go
@@ -87,20 +87,21 @@ func makeCreateConfig(ctx context.Context, containerConfig *config.Config, input
workDir = input.WorkingDir
}
- if input.Entrypoint == nil {
- entrypointSlice, err := newImage.Entrypoint(ctx)
+ // Only use image's Cmd when the user does not set the entrypoint
+ if input.Entrypoint == nil && len(input.Cmd) == 0 {
+ cmdSlice, err := newImage.Cmd(ctx)
if err != nil {
return createconfig.CreateConfig{}, err
}
- input.Entrypoint = entrypointSlice
+ input.Cmd = cmdSlice
}
- if len(input.Cmd) == 0 {
- cmdSlice, err := newImage.Cmd(ctx)
+ if input.Entrypoint == nil {
+ entrypointSlice, err := newImage.Entrypoint(ctx)
if err != nil {
return createconfig.CreateConfig{}, err
}
- input.Cmd = cmdSlice
+ input.Entrypoint = entrypointSlice
}
stopTimeout := containerConfig.Engine.StopTimeout
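Review bot: The comment on the first added line understates its own condition: the image Cmd is taken only when both Entrypoint and Cmd are unset, and a user-supplied Entrypoint deliberately discards the image Cmd. Suggest `// Use the image's Cmd only when the user sets neither Entrypoint nor Cmd; a user-supplied Entrypoint discards the image's Cmd.` The two tests are also asymmetric (`input.Entrypoint == nil` versus `len(input.Cmd) == 0`): an explicitly empty, non-nil Entrypoint counts as set and suppresses the image entrypoint, whereas an empty Cmd does not; if that is intended (an empty entrypoint meaning "clear it"), the comment should say so, otherwise the Cmd test should be the one that changes. makeCreateConfig continues outside the hunk.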
diff --git a/pkg/api/handlers/utils/pods.go b/pkg/api/handlers/utils/pods.go
index 8276fb55e..54ebe2d29 100644
--- a/pkg/api/handlers/utils/pods.go
+++ b/pkg/api/handlers/utils/pods.go
@@ -45,7 +45,7 @@ func GetPods(w http.ResponseWriter, r *http.Request) ([]*entities.ListPodsReport
}
if len(pods) == 0 {
- return nil, nil
+ return []*entities.ListPodsReport{}, nil
}
lps := make([]*entities.ListPodsReport, 0, len(pods))
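Review bot: The switch from `nil` to `[]*entities.ListPodsReport{}` is a wire-format decision that the code does not explain, and the next maintainer will likely "simplify" it back to nil. Add a comment on the new line, e.g. `// Non-nil so the API encodes an empty result as [] rather than null.` GetPods continues outside the hunk.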
diff --git a/pkg/spec/createconfig.go b/pkg/spec/createconfig.go
index c49d51fc5..e0c875fe9 100644
--- a/pkg/spec/createconfig.go
+++ b/pkg/spec/createconfig.go
@@ -31,12 +31,13 @@ const (
type CreateResourceConfig struct {
BlkioWeight uint16 // blkio-weight
BlkioWeightDevice []string // blkio-weight-device
- CPUPeriod uint64 // cpu-period
- CPUQuota int64 // cpu-quota
- CPURtPeriod uint64 // cpu-rt-period
- CPURtRuntime int64 // cpu-rt-runtime
- CPUShares uint64 // cpu-shares
- CPUs float64 // cpus
+ CgroupConf map[string]string
+ CPUPeriod uint64 // cpu-period
+ CPUQuota int64 // cpu-quota
+ CPURtPeriod uint64 // cpu-rt-period
+ CPURtRuntime int64 // cpu-rt-runtime
+ CPUShares uint64 // cpu-shares
+ CPUs float64 // cpus
CPUsetCPUs string
CPUsetMems string // cpuset-mems
DeviceCgroupRules []string //device-cgroup-rule
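Review bot: CgroupConf is the only field in this block without the trailing flag comment its siblings carry, so a reader cannot tell which CLI option feeds it. Suggest `CgroupConf map[string]string // cgroup-conf`, matching the style of the surrounding fields. The rest of the struct is outside the hunk.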
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index 893ae3cab..5e97620cc 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -180,7 +180,16 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
g.AddMount(cgroupMnt)
}
g.SetProcessCwd(config.WorkDir)
- g.SetProcessArgs(config.Command)
+
+ ProcessArgs := make([]string, 0)
+ if len(config.Entrypoint) > 0 {
+ ProcessArgs = config.Entrypoint
+ }
+ if len(config.Command) > 0 {
+ ProcessArgs = append(ProcessArgs, config.Command...)
+ }
+ g.SetProcessArgs(ProcessArgs)
+
g.SetProcessTerminal(config.Tty)
for key, val := range config.Annotations {
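Review bot: `ProcessArgs = config.Entrypoint` followed by `append(ProcessArgs, config.Command...)` appends into Entrypoint's backing array; when that slice has spare capacity, the Command elements are written into memory owned by config.Entrypoint, and the initial `make([]string, 0)` is discarded without effect. Building the argv in a fresh slice sized for both parts avoids the aliasing, and the local should be lower-case (`processArgs`) since it is not exported. createConfigToOCISpec continues on both sides of the hunk.
```go
g.SetProcessCwd(config.WorkDir)
processArgs := make([]string, 0, len(config.Entrypoint)+len(config.Command))
processArgs = append(processArgs, config.Entrypoint...)
processArgs = append(processArgs, config.Command...)
g.SetProcessArgs(processArgs)
// … unchanged: g.SetProcessTerminal and the annotations loop …
```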
diff --git a/pkg/specgen/container_validate.go b/pkg/specgen/container_validate.go
index 76961fa80..dc9e6b9d8 100644
--- a/pkg/specgen/container_validate.go
+++ b/pkg/specgen/container_validate.go
@@ -37,6 +37,23 @@ func (s *SpecGenerator) Validate() error {
}
}
+ // Containers being added to a pod cannot have certain network attributes
+ // associated with them because those should be on the infra container.
+ if len(s.Pod) > 0 && s.NetNS.NSMode == FromPod {
+ if s.StaticIP != nil || s.StaticIPv6 != nil {
+ return errors.Wrap(define.ErrNetworkOnPodContainer, "static ip addresses must be defined when the pod is created")
+ }
+ if s.StaticMAC != nil {
+ return errors.Wrap(define.ErrNetworkOnPodContainer, "MAC addresses must be defined when the pod is created")
+ }
+ if len(s.CNINetworks) > 0 {
+ return errors.Wrap(define.ErrNetworkOnPodContainer, "networks must be defined when the pod is created")
+ }
+ if len(s.PortMappings) > 0 || s.PublishExposedPorts {
+ return errors.Wrap(define.ErrNetworkOnPodContainer, "published or exposed ports must be defined when the pod is created")
+ }
+ }
+
//
// ContainerBasicConfig
//
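Review bot: The new block only runs when `s.NetNS.NSMode == FromPod` is already set; if pod membership is resolved to FromPod as a default later in generation (not visible here), a request that names a pod but leaves NSMode unset would bypass all four checks and carry static IP, MAC, network or port settings into a container that cannot honour them. Either confirm that NSMode is normalised before Validate() is called, or key the check on `len(s.Pod) > 0` alone and let the explicit-NSMode case be handled where the mode is resolved. The enclosing Validate() continues outside the hunk.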
diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go
index 5e4cc3399..d3e3d9278 100644
--- a/pkg/specgen/generate/security.go
+++ b/pkg/specgen/generate/security.go
@@ -112,7 +112,7 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
// Pass capRequiredRequested in CapAdd field to normalize capabilities names
capsRequired, err := capabilities.MergeCapabilities(nil, capsRequiredRequested, nil)
if err != nil {
- logrus.Errorf("capabilities requested by user or image are not valid: %q", strings.Join(capsRequired, ","))
+ return errors.Wrapf(err, "capabilities requested by user or image are not valid: %q", strings.Join(capsRequired, ","))
} else {
// Verify all capRequiered are in the capList
for _, cap := range capsRequired {
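Review bot: The new error interpolates `capsRequired`, which is the first return value of the MergeCapabilities call that just failed, so the message will most likely show an empty list instead of the offending names; the value that explains the failure is the input, `capsRequiredRequested`. Change the line to `return errors.Wrapf(err, "capabilities requested by user or image are not valid: %q", strings.Join(capsRequiredRequested, ","))`, assuming it is a []string as its use as the CapAdd argument suggests. With the branch now returning, the `else` can be dropped and the loop de-indented. securityConfigureGenerator continues outside the hunk.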
@@ -129,12 +129,6 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
}
}
- g.SetProcessNoNewPrivileges(s.NoNewPrivileges)
-
- if err := setupApparmor(s, rtc, g); err != nil {
- return err
- }
-
configSpec := g.Config
configSpec.Process.Capabilities.Bounding = caplist
@@ -142,13 +136,21 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
configSpec.Process.Capabilities.Effective = caplist
configSpec.Process.Capabilities.Permitted = caplist
configSpec.Process.Capabilities.Inheritable = caplist
- configSpec.Process.Capabilities.Ambient = caplist
} else {
- configSpec.Process.Capabilities.Effective = []string{}
- configSpec.Process.Capabilities.Permitted = []string{}
- configSpec.Process.Capabilities.Inheritable = []string{}
- configSpec.Process.Capabilities.Ambient = []string{}
+ userCaps, err := capabilities.NormalizeCapabilities(s.CapAdd)
+ if err != nil {
+ return errors.Wrapf(err, "capabilities requested by user are not valid: %q", strings.Join(s.CapAdd, ","))
+ }
+ configSpec.Process.Capabilities.Effective = userCaps
+ configSpec.Process.Capabilities.Permitted = userCaps
}
+
+ g.SetProcessNoNewPrivileges(s.NoNewPrivileges)
+
+ if err := setupApparmor(s, rtc, g); err != nil {
+ return err
+ }
+
// HANDLE SECCOMP
if s.SeccompProfilePath != "unconfined" {
seccompConfig, err := getSeccompConfig(s, configSpec, newImage)
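Review bot: In the non-root `else` branch, Inheritable is no longer assigned: the removed lines cleared Effective, Permitted, Inheritable and Ambient, while the new code sets only Effective and Permitted from `userCaps`, so Inheritable keeps whatever the generator held before this function ran. If the intent is an empty inheritable set for non-root containers, make it explicit with `configSpec.Process.Capabilities.Inheritable = []string{}`. `userCaps` is also derived from `s.CapAdd` alone and is not visibly intersected with `caplist`, which is what Bounding is set to a few lines above; if NormalizeCapabilities only normalises names, a request can ask for Effective/Permitted capabilities outside the bounding set, so either confirm that is rejected elsewhere or filter userCaps against caplist here. securityConfigureGenerator continues outside the hunk.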
diff --git a/pkg/specgen/generate/validate.go b/pkg/specgen/generate/validate.go
index dca45cc0e..ed337321b 100644
--- a/pkg/specgen/generate/validate.go
+++ b/pkg/specgen/generate/validate.go
@@ -23,6 +23,12 @@ func verifyContainerResources(s *specgen.SpecGenerator) ([]string, error) {
return warnings, nil
}
+ if s.ResourceLimits.Unified != nil {
+ if !cgroup2 {
+ return nil, errors.New("Cannot use --cgroup-conf without cgroup v2")
+ }
+ }
+
// Memory checks
if s.ResourceLimits.Memory != nil {
memory := s.ResourceLimits.Memory
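Review bot: The new error string starts with a capital letter and names a CLI flag from inside a spec validator that other callers may reach without that flag; Go convention is a lowercase message describing the condition, e.g. `errors.New("cgroup-conf (unified resource limits) requires cgroup v2")`. The two nested ifs also collapse to `if s.ResourceLimits.Unified != nil && !cgroup2 {`. Whether `s.ResourceLimits` can be nil at this point and where `cgroup2` is computed are both outside the hunk.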
diff --git a/pkg/specgen/specgen.go b/pkg/specgen/specgen.go
index a9161071b..a52225f87 100644
--- a/pkg/specgen/specgen.go
+++ b/pkg/specgen/specgen.go
@@ -415,6 +415,10 @@ type ContainerResourceConfig struct {
ThrottleReadIOPSDevice map[string]spec.LinuxThrottleDevice `json:"throttleReadIOPSDevice,omitempty"`
// IO write rate limit per cgroup per device, IO per second
ThrottleWriteIOPSDevice map[string]spec.LinuxThrottleDevice `json:"throttleWriteIOPSDevice,omitempty"`
+ // CgroupConf are key-value options passed into the container runtime
+ // that are used to configure cgroup v2.
+ // Optional.
+ CgroupConf map[string]string `json:"unified,omitempty"`
}
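Review bot: The json tag `unified` does not mirror the field name CgroupConf, unlike every neighbouring field, so someone grepping for the wire name will not find the Go field and vice versa. Extend the new comment with one line naming the mapping, e.g. `// Serialized as "unified", mirroring the OCI runtime spec's LinuxResources unified map.` The rest of ContainerResourceConfig is outside the hunk.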
// ContainerHealthCheckConfig describes a container healthcheck with attributes