Diffstat (limited to 'pkg')
-rw-r--r-- | pkg/adapter/containers.go | 68 | ||||
-rw-r--r-- | pkg/adapter/containers_remote.go | 48 | ||||
-rw-r--r-- | pkg/adapter/runtime.go | 4 | ||||
-rw-r--r-- | pkg/adapter/runtime_remote.go | 2 | ||||
-rw-r--r-- | pkg/inspect/inspect.go | 3 | ||||
-rw-r--r-- | pkg/spec/createconfig.go | 1 | ||||
-rw-r--r-- | pkg/spec/spec.go | 25 | ||||
-rw-r--r-- | pkg/varlinkapi/containers.go | 13 |
8 files changed, 160 insertions, 4 deletions
diff --git a/pkg/adapter/containers.go b/pkg/adapter/containers.go
index 8481a0cec..fb85e54ba 100644
--- a/pkg/adapter/containers.go
+++ b/pkg/adapter/containers.go
@@ -766,3 +766,71 @@ func (r *LocalRuntime) Restart(ctx context.Context, c *cliconfig.RestartValues)
 }
 return pool.Run()
 }
+
+// Top display the running processes of a container
+func (r *LocalRuntime) Top(cli *cliconfig.TopValues) ([]string, error) {
+ var (
+ descriptors []string
+ container *libpod.Container
+ err error
+ )
+ if cli.Latest {
+ descriptors = cli.InputArgs
+ container, err = r.Runtime.GetLatestContainer()
+ } else {
+ descriptors = cli.InputArgs[1:]
+ container, err = r.Runtime.LookupContainer(cli.InputArgs[0])
+ }
+ if err != nil {
+ return nil, errors.Wrapf(err, "unable to lookup requested container")
+ }
+ return container.Top(descriptors)
+}
+
+// Prune removes stopped containers
+func (r *LocalRuntime) Prune(ctx context.Context, maxWorkers int, force bool) ([]string, map[string]error, error) {
+ var (
+ ok = []string{}
+ failures = map[string]error{}
+ err error
+ )
+
+ logrus.Debugf("Setting maximum rm workers to %d", maxWorkers)
+
+ filter := func(c *libpod.Container) bool {
+ state, err := c.State()
+ if err != nil {
+ logrus.Error(err)
+ return false
+ }
+ if c.PodID() != "" {
+ return false
+ }
+ if state == libpod.ContainerStateStopped || state == libpod.ContainerStateExited {
+ return true
+ }
+ return false
+ }
+ delContainers, err := r.Runtime.GetContainers(filter)
+ if err != nil {
+ return ok, failures, err
+ }
+ if len(delContainers) < 1 {
+ return ok, failures, err
+ }
+ pool := shared.NewPool("prune", maxWorkers, len(delContainers))
+ for _, c := range delContainers {
+ ctr := c
+ pool.Add(shared.Job{
+ ID: ctr.ID(),
+ Fn: func() error {
+ err := r.Runtime.RemoveContainer(ctx, ctr, force, false)
+ if err != nil {
+ logrus.Debugf("Failed to prune container %s: %s", ctr.ID(), err.Error())
+ }
+ return err
+ },
+ })
+ }
+ return pool.Run()
+}
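Review bot: In `Top` (pkg/adapter/containers.go) the non-latest branch reads `cli.InputArgs[1:]` and `cli.InputArgs[0]` without checking the length, so an empty argument list panics instead of returning an error; `Top` in pkg/adapter/containers_remote.go repeats the same pattern. The command layer may already validate the arguments, but it is outside this diff (limited to pkg), so the adapter should not rely on it. A guard before the branch keeps it safe on its own: `if !cli.Latest && len(cli.InputArgs) < 1 { return nil, errors.Errorf("a container name or ID is required") }`.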
diff --git a/pkg/adapter/containers_remote.go b/pkg/adapter/containers_remote.go
index 985310cce..5a67d4957 100644
--- a/pkg/adapter/containers_remote.go
+++ b/pkg/adapter/containers_remote.go
@@ -835,3 +835,51 @@ func (r *LocalRuntime) Restart(ctx context.Context, c *cliconfig.RestartValues)
 }
 return ok, failures, nil
 }
+
+// Top display the running processes of a container
+func (r *LocalRuntime) Top(cli *cliconfig.TopValues) ([]string, error) {
+ var (
+ ctr *Container
+ err error
+ descriptors []string
+ )
+ if cli.Latest {
+ ctr, err = r.GetLatestContainer()
+ descriptors = cli.InputArgs
+ } else {
+ ctr, err = r.LookupContainer(cli.InputArgs[0])
+ descriptors = cli.InputArgs[1:]
+ }
+ if err != nil {
+ return nil, err
+ }
+ return iopodman.Top().Call(r.Conn, ctr.ID(), descriptors)
+}
+
+// Prune removes stopped containers
+func (r *LocalRuntime) Prune(ctx context.Context, maxWorkers int, force bool) ([]string, map[string]error, error) {
+
+ var (
+ ok = []string{}
+ failures = map[string]error{}
+ ctrs []*Container
+ err error
+ )
+ logrus.Debugf("Setting maximum rm workers to %d", maxWorkers)
+
+ filters := []string{libpod.ContainerStateExited.String()}
+ ctrs, err = r.LookupContainersWithStatus(filters)
+ if err != nil {
+ return ok, failures, err
+ }
+ for _, c := range ctrs {
+ c := c
+ _, err := iopodman.RemoveContainer().Call(r.Conn, c.ID(), false, false)
+ if err != nil {
+ failures[c.ID()] = err
+ } else {
+ ok = append(ok, c.ID())
+ }
+ }
+ return ok, failures, nil
+}
diff --git a/pkg/adapter/runtime.go b/pkg/adapter/runtime.go
index 790ed5c89..0d840d65b 100644
--- a/pkg/adapter/runtime.go
+++ b/pkg/adapter/runtime.go
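Review bot: The remote `Prune` in pkg/adapter/containers_remote.go never uses its `force` argument: the call `iopodman.RemoveContainer().Call(r.Conn, c.ID(), false, false)` hard-codes both booleans, while the local adapter passes `force` through to `RemoveContainer`. It also selects only `ContainerStateExited`, whereas the local filter accepts Stopped and Exited and skips containers with a non-empty `PodID()`. Whether `LookupContainersWithStatus` leaves out pod members is not visible here, so the remote path may act on a different set of containers than the local one. Assuming the first boolean is the force flag, as the local call's argument order suggests, pass it through with `iopodman.RemoveContainer().Call(r.Conn, c.ID(), force, false)`, and add a comment saying that `ctx` and `maxWorkers` are intentionally unused on the remote path.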
@@ -57,8 +57,8 @@ type Volume struct {
 type VolumeFilter func(*Volume) bool
 // GetRuntime returns a LocalRuntime struct with the actual runtime embedded in it
-func GetRuntime(c *cliconfig.PodmanCommand) (*LocalRuntime, error) {
- runtime, err := libpodruntime.GetRuntime(c)
+func GetRuntime(ctx context.Context, c *cliconfig.PodmanCommand) (*LocalRuntime, error) {
+ runtime, err := libpodruntime.GetRuntime(ctx, c)
 if err != nil {
 return nil, err
 }
diff --git a/pkg/adapter/runtime_remote.go b/pkg/adapter/runtime_remote.go
index 29ee821e0..6102daccf 100644
--- a/pkg/adapter/runtime_remote.go
+++ b/pkg/adapter/runtime_remote.go
@@ -46,7 +46,7 @@ type LocalRuntime struct {
 }
 // GetRuntime returns a LocalRuntime struct with the actual runtime embedded in it
-func GetRuntime(c *cliconfig.PodmanCommand) (*LocalRuntime, error) {
+func GetRuntime(ctx context.Context, c *cliconfig.PodmanCommand) (*LocalRuntime, error) {
 runtime := RemoteRuntime{}
 conn, err := runtime.Connect()
 if err != nil {
diff --git a/pkg/inspect/inspect.go b/pkg/inspect/inspect.go
index 270e431ad..6978370ef 100644
--- a/pkg/inspect/inspect.go
+++ b/pkg/inspect/inspect.go
@@ -38,7 +38,8 @@ type HostConfig struct {
 PidMode string `json:"PidMode"`
 Privileged bool `json:"Privileged"`
 PublishAllPorts bool `json:"PublishAllPorts"` //TODO
- ReadonlyRootfs bool `json:"ReadonlyRootfs"`
+ ReadOnlyRootfs bool `json:"ReadonlyRootfs"`
+ ReadOnlyTmpfs bool `json:"ReadonlyTmpfs"`
 SecurityOpt []string `json:"SecurityOpt"`
 UTSMode string `json:"UTSMode"`
 UsernsMode string `json:"UsernsMode"`
diff --git a/pkg/spec/createconfig.go b/pkg/spec/createconfig.go
index e71d9d3db..064dedd45 100644
--- a/pkg/spec/createconfig.go
+++ b/pkg/spec/createconfig.go
@@ -113,6 +113,7 @@ type CreateConfig struct {
 PublishAll bool //publish-all
 Quiet bool //quiet
 ReadOnlyRootfs bool //read-only
+ ReadOnlyTmpfs bool //read-only-tmpfs
 Resources CreateResourceConfig
 Rm bool //rm
 StopSignal syscall.Signal // stop-signal
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index 0371b6d4d..4cbed0ea4 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -341,6 +341,31 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
 }
 }
+ if config.ReadOnlyRootfs && config.ReadOnlyTmpfs {
+ options := []string{"rw", "rprivate", "nosuid", "nodev", "tmpcopyup"}
+ for _, i := range []string{"/tmp", "/var/tmp"} {
+ if libpod.MountExists(g.Config.Mounts, i) {
+ continue
+ }
+ // Default options if nothing passed
+ tmpfsMnt := spec.Mount{
+ Destination: i,
+ Type: "tmpfs",
+ Source: "tmpfs",
+ Options: options,
+ }
+ g.AddMount(tmpfsMnt)
+ }
+ if !libpod.MountExists(g.Config.Mounts, "/run") {
+ tmpfsMnt := spec.Mount{
+ Destination: "/run",
+ Type: "tmpfs",
+ Source: "tmpfs",
+ Options: append(options, "noexec", "size=65536k"),
+ }
+ g.AddMount(tmpfsMnt)
+ }
+ }
 for name, val := range config.Env {
 g.AddProcessEnv(name, val)
 }
diff --git a/pkg/varlinkapi/containers.go b/pkg/varlinkapi/containers.go
index 237407050..872c7bc26 100644
--- a/pkg/varlinkapi/containers.go
+++ b/pkg/varlinkapi/containers.go
@@ -733,3 +733,16 @@ func newPodmanLogLine(line *libpod.LogLine) iopodman.LogLine {
 Cid: line.CID,
 }
 }
+
+// Top displays information about a container's running processes
+func (i *LibpodAPI) Top(call iopodman.VarlinkCall, nameOrID string, descriptors []string) error {
+ ctr, err := i.Runtime.LookupContainer(nameOrID)
+ if err != nil {
+ return call.ReplyContainerNotFound(ctr.ID(), err.Error())
+ }
+ topInfo, err := ctr.Top(descriptors)
+ if err != nil {
+ return call.ReplyErrorOccurred(err.Error())
+ }
+ return call.ReplyTop(topInfo)
+}
|
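Review bot: In the new `config.ReadOnlyRootfs && config.ReadOnlyTmpfs` block of `CreateConfigToOCISpec` (pkg/spec/spec.go), the tmpfs mounts for `/tmp` and `/var/tmp` get neither `noexec` nor a `size=` option, while `/run` gets both. A container started read-only therefore still has writable, executable scratch space, limited only by the tmpfs default size and whatever memory limit the container has. If that is deliberate for compatibility, replace `// Default options if nothing passed` with a comment that says so, for example `// /tmp and /var/tmp stay executable and unsized on purpose; only /run is noexec and size-capped`. The `/tmp` and `/var/tmp` mounts also share one `options` slice, so `Options: append([]string(nil), options...)` would keep a later in-place edit of one mount from changing the other. The function starts and ends outside the hunk.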
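Review bot: In `LibpodAPI.Top` (pkg/varlinkapi/containers.go) the error branch calls `ctr.ID()` on the value returned by a failed `LookupContainer`. If that value is nil on error, as is usual for a lookup, a request naming a container that does not exist dereferences nil inside the API handler instead of producing a not-found reply. Reply with the identifier the caller sent: `return call.ReplyContainerNotFound(nameOrID, err.Error())`. A test that calls Top with an unknown name would pin the behaviour.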