15 files changed, 144 insertions, 13 deletions
diff --git a/pkg/api/server/server.go b/pkg/api/server/server.go
index 18b48a3f6..e7c031234 100644
--- a/pkg/api/server/server.go
+++ b/pkg/api/server/server.go
@@ -2,6 +2,7 @@ package server
 
 import (
 	"context"
+	"fmt"
 	"log"
 	"net"
 	"net/http"
@@ -17,6 +18,7 @@ import (
 	"github.com/containers/podman/v2/pkg/api/handlers"
 	"github.com/containers/podman/v2/pkg/api/server/idletracker"
 	"github.com/coreos/go-systemd/v22/activation"
+	"github.com/coreos/go-systemd/v22/daemon"
 	"github.com/gorilla/mux"
 	"github.com/gorilla/schema"
 	"github.com/pkg/errors"
@@ -147,8 +149,31 @@ func newServer(runtime *libpod.Runtime, duration time.Duration, listener *net.Li
 	return &server, nil
 }
 
-// Serve starts responding to HTTP requests
+// If the NOTIFY_SOCKET is set, communicate the PID and readiness, and
+// further unset NOTIFY_SOCKET to prevent containers from sending
+// messages and unset INVOCATION_ID so conmon and containers are in
+// the correct cgroup.
+func setupSystemd() {
+	if len(os.Getenv("NOTIFY_SOCKET")) == 0 {
+		return
+	}
+	payload := fmt.Sprintf("MAINPID=%d", os.Getpid())
+	payload += "\n"
+	payload += daemon.SdNotifyReady
+	if sent, err := daemon.SdNotify(true, payload); err != nil {
+		logrus.Errorf("Error notifying systemd of Conmon PID: %s", err.Error())
+	} else if sent {
+		logrus.Debugf("Notify sent successfully")
+	}
+
+	if err := os.Unsetenv("INVOCATION_ID"); err != nil {
+		logrus.Errorf("Error unsetting INVOCATION_ID: %s", err.Error())
+	}
+}
+
+// Serve starts responding to HTTP requests.
 func (s *APIServer) Serve() error {
+	setupSystemd()
 	sigChan := make(chan os.Signal, 1)
 	signal.Notify(sigChan, syscall.SIGINT, syscall.SIGTERM)
 	errChan := make(chan error, 1)
diff --git a/pkg/bindings/connection.go b/pkg/bindings/connection.go
index e820e1c8b..ef9644de8 100644
--- a/pkg/bindings/connection.go
+++ b/pkg/bindings/connection.go
@@ -180,8 +180,9 @@ func pingNewConnection(ctx context.Context) error {
 }
 
 func sshClient(_url *url.URL, secure bool, passPhrase string, identity string) (Connection, error) {
+	// if you modify the authmethods or their conditionals, you will also need to make similar
+	// changes in the client (currently cmd/podman/system/connection/add getUDS).
 	authMethods := []ssh.AuthMethod{}
-
 	if len(identity) > 0 {
 		auth, err := terminal.PublicKey(identity, []byte(passPhrase))
 		if err != nil {
@@ -205,6 +206,13 @@ func sshClient(_url *url.URL, secure bool, passPhrase string, identity string) (
 	if pw, found := _url.User.Password(); found {
 		authMethods = append(authMethods, ssh.Password(pw))
 	}
+	if len(authMethods) == 0 {
+		pass, err := terminal.ReadPassword("Login password:")
+		if err != nil {
+			return Connection{}, err
+		}
+		authMethods = append(authMethods, ssh.Password(string(pass)))
+	}
 
 	callback := ssh.InsecureIgnoreHostKey()
 	if secure {
diff --git a/pkg/domain/infra/abi/network.go b/pkg/domain/infra/abi/network.go
index 0183a90d8..c06714cbb 100644
--- a/pkg/domain/infra/abi/network.go
+++ b/pkg/domain/infra/abi/network.go
@@ -191,7 +191,7 @@ func createBridge(r *libpod.Runtime, name string, options entities.NetworkCreate
 	var plugins []network.CNIPlugins
 	var routes []network.IPAMRoute
 
-	defaultRoute, err := network.NewIPAMDefaultRoute()
+	defaultRoute, err := network.NewIPAMDefaultRoute(network.IsIPv6(subnet.IP))
 	if err != nil {
 		return "", err
 	}
diff --git a/pkg/domain/infra/tunnel/images.go b/pkg/domain/infra/tunnel/images.go
index c7bfdcd2b..b255c5da4 100644
--- a/pkg/domain/infra/tunnel/images.go
+++ b/pkg/domain/infra/tunnel/images.go
@@ -9,6 +9,7 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
+	"time"
 
 	"github.com/containers/common/pkg/config"
 	"github.com/containers/image/v5/docker/reference"
@@ -73,8 +74,16 @@ func (ir *ImageEngine) History(ctx context.Context, nameOrID string, opts entiti
 	}
 
 	for i, layer := range results {
-		hold := entities.ImageHistoryLayer{}
-		_ = utils.DeepCopy(&hold, layer)
+		// Created time comes over as an int64 so needs conversion to time.time
+		t := time.Unix(layer.Created, 0)
+		hold := entities.ImageHistoryLayer{
+			ID:        layer.ID,
+			Created:   t.UTC(),
+			CreatedBy: layer.CreatedBy,
+			Tags:      layer.Tags,
+			Size:      layer.Size,
+			Comment:   layer.Comment,
+		}
 		history.Layers[i] = hold
 	}
 	return &history, nil
diff --git a/pkg/network/ip.go b/pkg/network/ip.go
index 1798cd939..ba93a0d05 100644
--- a/pkg/network/ip.go
+++ b/pkg/network/ip.go
@@ -12,3 +12,8 @@ func CalcGatewayIP(ipn *net.IPNet) net.IP {
 	nid := ipn.IP.Mask(ipn.Mask)
 	return ip.NextIP(nid)
 }
+
+// IsIPv6 returns if netIP is IPv6.
+func IsIPv6(netIP net.IP) bool {
+	return netIP != nil && netIP.To4() == nil
+}
diff --git a/pkg/network/netconflist.go b/pkg/network/netconflist.go
index 4271d3f54..8187fdb39 100644
--- a/pkg/network/netconflist.go
+++ b/pkg/network/netconflist.go
@@ -6,6 +6,11 @@ import (
 	"path/filepath"
 )
 
+const (
+	defaultIPv4Route = "0.0.0.0/0"
+	defaultIPv6Route = "::/0"
+)
+
 // NcList describes a generic map
 type NcList map[string]interface{}
 
@@ -86,9 +91,13 @@ func NewIPAMRoute(r *net.IPNet) IPAMRoute { //nolint:interfacer
 }
 
 // NewIPAMDefaultRoute creates a new IPAMDefault route of
-// 0.0.0.0/0
-func NewIPAMDefaultRoute() (IPAMRoute, error) {
-	_, n, err := net.ParseCIDR("0.0.0.0/0")
+// 0.0.0.0/0 for IPv4 or ::/0 for IPv6
+func NewIPAMDefaultRoute(isIPv6 bool) (IPAMRoute, error) {
+	route := defaultIPv4Route
+	if isIPv6 {
+		route = defaultIPv6Route
+	}
+	_, n, err := net.ParseCIDR(route)
 	if err != nil {
 		return IPAMRoute{}, err
 	}
diff --git a/pkg/network/netconflist_test.go b/pkg/network/netconflist_test.go
new file mode 100644
index 000000000..a82a0140a
--- /dev/null
+++ b/pkg/network/netconflist_test.go
@@ -0,0 +1,38 @@
+package network
+
+import (
+	"reflect"
+	"testing"
+)
+
+func TestNewIPAMDefaultRoute(t *testing.T) {
+
+	tests := []struct {
+		name   string
+		isIPv6 bool
+		want   IPAMRoute
+	}{
+		{
+			name:   "IPv4 default route",
+			isIPv6: false,
+			want:   IPAMRoute{defaultIPv4Route},
+		},
+		{
+			name:   "IPv6 default route",
+			isIPv6: true,
+			want:   IPAMRoute{defaultIPv6Route},
+		},
+	}
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := NewIPAMDefaultRoute(tt.isIPv6)
+			if err != nil {
+				t.Errorf("no errorr expected: %v", err)
+			}
+			if !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("NewIPAMDefaultRoute() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
diff --git a/pkg/network/network.go b/pkg/network/network.go
index b24c72f5f..db625da56 100644
--- a/pkg/network/network.go
+++ b/pkg/network/network.go
@@ -137,6 +137,15 @@ func networkIntersect(n1, n2 *net.IPNet) bool {
 // ValidateUserNetworkIsAvailable returns via an error if a network is available
 // to be used
 func ValidateUserNetworkIsAvailable(config *config.Config, userNet *net.IPNet) error {
+	if len(userNet.IP) == 0 || len(userNet.Mask) == 0 {
+		return errors.Errorf("network %s's ip or mask cannot be empty", userNet.String())
+	}
+
+	ones, bit := userNet.Mask.Size()
+	if ones == 0 || bit == 0 {
+		return errors.Errorf("network %s's mask is invalid", userNet.String())
+	}
+
 	networks, err := GetNetworksFromFilesystem(config)
 	if err != nil {
 		return err
diff --git a/pkg/rootless/rootless_linux.go b/pkg/rootless/rootless_linux.go
index c3f1fc7fa..ecd309d36 100644
--- a/pkg/rootless/rootless_linux.go
+++ b/pkg/rootless/rootless_linux.go
@@ -389,14 +389,12 @@ func TryJoinFromFilePaths(pausePidPath string, needNewNamespace bool, paths []st
 			lastErr = nil
 			break
 		} else {
-			fds, err := unix.Socketpair(unix.AF_UNIX, unix.SOCK_DGRAM, 0)
+			r, w, err := os.Pipe()
 			if err != nil {
 				lastErr = err
 				continue
 			}
 
-			r, w := os.NewFile(uintptr(fds[0]), "read file"), os.NewFile(uintptr(fds[1]), "write file")
-
 			defer errorhandling.CloseQuiet(r)
 
 			if _, _, err := becomeRootInUserNS("", path, w); err != nil {
diff --git a/pkg/spec/createconfig.go b/pkg/spec/createconfig.go
index 40f9bc029..c49d51fc5 100644
--- a/pkg/spec/createconfig.go
+++ b/pkg/spec/createconfig.go
@@ -125,6 +125,7 @@ type SecurityConfig struct {
 	ReadOnlyRootfs          bool              //read-only
 	ReadOnlyTmpfs           bool              //read-only-tmpfs
 	Sysctl                  map[string]string //sysctl
+	ProcOpts                []string
 }
 
 // CreateConfig is a pre OCI spec structure.  It represents user input from varlink or the CLI
diff --git a/pkg/spec/security.go b/pkg/spec/security.go
index fc908b49d..e152e3495 100644
--- a/pkg/spec/security.go
+++ b/pkg/spec/security.go
@@ -76,6 +76,8 @@ func (c *SecurityConfig) SetSecurityOpts(runtime *libpod.Runtime, securityOpts [
 			}
 
 			switch con[0] {
+			case "proc-opts":
+				c.ProcOpts = strings.Split(con[1], ",")
 			case "label":
 				c.LabelOpts = append(c.LabelOpts, con[1])
 			case "apparmor":
diff --git a/pkg/specgen/generate/container_create.go b/pkg/specgen/generate/container_create.go
index 4635b755b..fda4c098c 100644
--- a/pkg/specgen/generate/container_create.go
+++ b/pkg/specgen/generate/container_create.go
@@ -164,13 +164,19 @@ func createContainerOptions(ctx context.Context, rt *libpod.Runtime, s *specgen.
 		}
 
 		if len(command) > 0 {
-			if command[0] == "/usr/sbin/init" || command[0] == "/sbin/init" || (filepath.Base(command[0]) == "systemd") {
+			useSystemdCommands := map[string]bool{
+				"/sbin/init":           true,
+				"/usr/sbin/init":       true,
+				"/usr/local/sbin/init": true,
+			}
+			if useSystemdCommands[command[0]] || (filepath.Base(command[0]) == "systemd") {
 				useSystemd = true
 			}
 		}
 	default:
 		return nil, errors.Wrapf(err, "invalid value %q systemd option requires 'true, false, always'", s.Systemd)
 	}
+	logrus.Debugf("using systemd mode: %t", useSystemd)
 	if useSystemd {
 		// is StopSignal was not set by the user then set it to systemd
 		// expected StopSigal
diff --git a/pkg/specgen/generate/oci.go b/pkg/specgen/generate/oci.go
index ee9f63680..fd324c6e1 100644
--- a/pkg/specgen/generate/oci.go
+++ b/pkg/specgen/generate/oci.go
@@ -18,6 +18,18 @@ import (
 	"golang.org/x/sys/unix"
 )
 
+func setProcOpts(s *specgen.SpecGenerator, g *generate.Generator) {
+	if s.ProcOpts == nil {
+		return
+	}
+	for i := range g.Config.Mounts {
+		if g.Config.Mounts[i].Destination == "/proc" {
+			g.Config.Mounts[i].Options = s.ProcOpts
+			return
+		}
+	}
+}
+
 func addRlimits(s *specgen.SpecGenerator, g *generate.Generator) error {
 	var (
 		isRootless = rootless.IsRootless()
@@ -341,6 +353,8 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt
 		configSpec.Annotations[define.InspectAnnotationInit] = define.InspectResponseFalse
 	}
 
+	setProcOpts(s, &g)
+
 	return configSpec, nil
 }
 
diff --git a/pkg/specgen/specgen.go b/pkg/specgen/specgen.go
index 84a6c36a0..a9161071b 100644
--- a/pkg/specgen/specgen.go
+++ b/pkg/specgen/specgen.go
@@ -289,6 +289,8 @@ type ContainerSecurityConfig struct {
 	ReadOnlyFilesystem bool `json:"read_only_filesystem,omittempty"`
 	// Umask is the umask the init process of the container will be run with.
 	Umask string `json:"umask,omitempty"`
+	// ProcOpts are the options used for the proc mount.
+	ProcOpts []string `json:"procfs_opts,omitempty"`
 }
 
 // ContainerCgroupConfig contains configuration information about a container's
diff --git a/pkg/varlinkapi/create.go b/pkg/varlinkapi/create.go
index 2d3e20f67..e9309a2d4 100644
--- a/pkg/varlinkapi/create.go
+++ b/pkg/varlinkapi/create.go
@@ -704,7 +704,12 @@ func ParseCreateOpts(ctx context.Context, c *GenericCLIResults, runtime *libpod.
 		if err != nil {
 			return nil, errors.Wrapf(err, "cannot parse bool %s", c.String("systemd"))
 		}
-		if x && (command[0] == "/usr/sbin/init" || command[0] == "/sbin/init" || (filepath.Base(command[0]) == "systemd")) {
+		useSystemdCommands := map[string]bool{
+			"/sbin/init":           true,
+			"/usr/sbin/init":       true,
+			"/usr/local/sbin/init": true,
+		}
+		if x && (useSystemdCommands[command[0]] || (filepath.Base(command[0]) == "systemd")) {
 			systemd = true
 		}
 	}