Diffstat (limited to 'pkg')
-rw-r--r--pkg/domain/infra/abi/images.go30
-rw-r--r--pkg/domain/infra/abi/network.go4
-rw-r--r--pkg/domain/infra/abi/play.go3
-rw-r--r--pkg/domain/infra/abi/secrets.go12
-rw-r--r--pkg/machine/pull.go8
-rw-r--r--pkg/specgen/generate/container_create.go19
-rw-r--r--pkg/specgen/generate/kube/kube.go42
-rw-r--r--pkg/specgen/specgen.go9
8 files changed, 76 insertions, 51 deletions
diff --git a/pkg/domain/infra/abi/images.go b/pkg/domain/infra/abi/images.go
index 0364b00a3..79e815490 100644
--- a/pkg/domain/infra/abi/images.go
+++ b/pkg/domain/infra/abi/images.go
@@ -40,25 +40,13 @@ func (ir *ImageEngine) Exists(_ context.Context, nameOrID string) (*entities.Boo
}
func (ir *ImageEngine) Prune(ctx context.Context, opts entities.ImagePruneOptions) ([]*reports.PruneReport, error) {
- // NOTE: the terms "dangling" and "intermediate" are not used
- // consistently across our code base. In libimage, "dangling" means
- // that an image has no tags. "intermediate" means that an image is
- // dangling and that no other image depends on it (i.e., has no
- // children).
- //
- // While pruning usually refers to "dangling" images, it has always
- // removed "intermediate" ones.
- defaultOptions := &libimage.RemoveImagesOptions{
- Filters: append(opts.Filter, "intermediate=true", "containers=false", "readonly=false"),
+ pruneOptions := &libimage.RemoveImagesOptions{
+ Filters: append(opts.Filter, "containers=false", "readonly=false"),
WithSize: true,
}
- // `image prune --all` means to *also* remove images which are not in
- // use by any container. Since image filters are chained, we need to
- // do two look ups since the default ones are a subset of all.
- unusedOptions := &libimage.RemoveImagesOptions{
- Filters: append(opts.Filter, "containers=false", "readonly=false"),
- WithSize: true,
+ if !opts.All {
+ pruneOptions.Filters = append(pruneOptions.Filters, "dangling=true")
}
var pruneReports []*reports.PruneReport
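Review bot: The filter setup at the top of Prune lost its explanatory comment in the same change that switches the default filter from `intermediate=true` to `dangling=true`, so the selection rule is no longer stated anywhere near the code. A short comment above the `if !opts.All` branch would restore it, e.g. `// Without --all only dangling (untagged) images are pruned; --all drops that filter so every image not used by a container is a candidate.` Separately, `append(opts.Filter, ...)` can write into the caller's backing array when `opts.Filter` has spare capacity; copying first with `filters := append([]string{}, opts.Filter...)` avoids that. Prune's body continues past this hunk.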
@@ -66,16 +54,12 @@ func (ir *ImageEngine) Prune(ctx context.Context, opts entities.ImagePruneOption
// Now prune all images until we converge.
numPreviouslyRemovedImages := 1
for {
- removedDefault, rmErrors := ir.Libpod.LibimageRuntime().RemoveImages(ctx, nil, defaultOptions)
- if rmErrors != nil {
- return nil, errorhandling.JoinErrors(rmErrors)
- }
- removedUnused, rmErrors := ir.Libpod.LibimageRuntime().RemoveImages(ctx, nil, unusedOptions)
+ removedImages, rmErrors := ir.Libpod.LibimageRuntime().RemoveImages(ctx, nil, pruneOptions)
if rmErrors != nil {
return nil, errorhandling.JoinErrors(rmErrors)
}
- for _, rmReport := range append(removedDefault, removedUnused...) {
+ for _, rmReport := range removedImages {
r := *rmReport
pruneReports = append(pruneReports, &reports.PruneReport{
Id: r.ID,
@@ -83,7 +67,7 @@ func (ir *ImageEngine) Prune(ctx context.Context, opts entities.ImagePruneOption
})
}
- numRemovedImages := len(removedDefault) + len(removedUnused)
+ numRemovedImages := len(removedImages)
if numRemovedImages+numPreviouslyRemovedImages == 0 {
break
}
diff --git a/pkg/domain/infra/abi/network.go b/pkg/domain/infra/abi/network.go
index 1a833332c..33ab280e5 100644
--- a/pkg/domain/infra/abi/network.go
+++ b/pkg/domain/infra/abi/network.go
@@ -71,7 +71,9 @@ func (ic *ContainerEngine) NetworkReload(ctx context.Context, names []string, op
report := new(entities.NetworkReloadReport)
report.Id = ctr.ID()
report.Err = ctr.ReloadNetwork()
- if options.All && errors.Cause(report.Err) == define.ErrCtrStateInvalid {
+ // ignore errors for invalid ctr state and network mode when --all is used
+ if options.All && (errors.Cause(report.Err) == define.ErrCtrStateInvalid ||
+ errors.Cause(report.Err) == define.ErrNetworkModeInvalid) {
continue
}
reports = append(reports, report)
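Review bot: `errors.Cause(report.Err)` is evaluated twice in the new condition; hoisting it reads better and keeps the list easy to extend: `cause := errors.Cause(report.Err)` followed by `if options.All && (cause == define.ErrCtrStateInvalid || cause == define.ErrNetworkModeInvalid) {`. Containers skipped by this `continue` leave no trace in the returned reports, so if the file has a logger in scope, a debug-level line naming the container ID and the ignored error would help explain why `--all` did not reload a given container. The enclosing loop and the rest of NetworkReload lie outside the hunk.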
diff --git a/pkg/domain/infra/abi/play.go b/pkg/domain/infra/abi/play.go
index a94c5f5c5..0ac9b5d8d 100644
--- a/pkg/domain/infra/abi/play.go
+++ b/pkg/domain/infra/abi/play.go
@@ -12,7 +12,6 @@ import (
"github.com/containers/common/libimage"
"github.com/containers/common/pkg/config"
- "github.com/containers/common/pkg/secrets"
"github.com/containers/image/v5/types"
"github.com/containers/podman/v3/libpod"
"github.com/containers/podman/v3/libpod/define"
@@ -161,7 +160,7 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY
)
// Create the secret manager before hand
- secretsManager, err := secrets.NewManager(ic.Libpod.GetSecretsStorageDir())
+ secretsManager, err := ic.Libpod.SecretsManager()
if err != nil {
return nil, err
}
diff --git a/pkg/domain/infra/abi/secrets.go b/pkg/domain/infra/abi/secrets.go
index 764f4a9dc..1e1cbc70f 100644
--- a/pkg/domain/infra/abi/secrets.go
+++ b/pkg/domain/infra/abi/secrets.go
@@ -6,7 +6,6 @@ import (
"io/ioutil"
"path/filepath"
- "github.com/containers/common/pkg/secrets"
"github.com/containers/podman/v3/pkg/domain/entities"
"github.com/pkg/errors"
)
@@ -14,7 +13,7 @@ import (
func (ic *ContainerEngine) SecretCreate(ctx context.Context, name string, reader io.Reader, options entities.SecretCreateOptions) (*entities.SecretCreateReport, error) {
data, _ := ioutil.ReadAll(reader)
secretsPath := ic.Libpod.GetSecretsStorageDir()
- manager, err := secrets.NewManager(secretsPath)
+ manager, err := ic.Libpod.SecretsManager()
if err != nil {
return nil, err
}
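Review bot: SecretCreate still discards the error from `ioutil.ReadAll(reader)` on the first body line of this hunk, so a failed or truncated read is carried forward as the secret's data, presumably into the store call further down, which is outside the hunk. Since the commit edits the lines directly below, this is a cheap place to fix it: `data, err := ioutil.ReadAll(reader)` followed by `if err != nil { return nil, err }`. The later `manager, err := ic.Libpod.SecretsManager()` still compiles because `manager` is a new variable.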
@@ -36,8 +35,7 @@ func (ic *ContainerEngine) SecretCreate(ctx context.Context, name string, reader
}
func (ic *ContainerEngine) SecretInspect(ctx context.Context, nameOrIDs []string) ([]*entities.SecretInfoReport, []error, error) {
- secretsPath := ic.Libpod.GetSecretsStorageDir()
- manager, err := secrets.NewManager(secretsPath)
+ manager, err := ic.Libpod.SecretsManager()
if err != nil {
return nil, nil, err
}
@@ -71,8 +69,7 @@ func (ic *ContainerEngine) SecretInspect(ctx context.Context, nameOrIDs []string
}
func (ic *ContainerEngine) SecretList(ctx context.Context) ([]*entities.SecretInfoReport, error) {
- secretsPath := ic.Libpod.GetSecretsStorageDir()
- manager, err := secrets.NewManager(secretsPath)
+ manager, err := ic.Libpod.SecretsManager()
if err != nil {
return nil, err
}
@@ -105,8 +102,7 @@ func (ic *ContainerEngine) SecretRm(ctx context.Context, nameOrIDs []string, opt
toRemove []string
reports = []*entities.SecretRmReport{}
)
- secretsPath := ic.Libpod.GetSecretsStorageDir()
- manager, err := secrets.NewManager(secretsPath)
+ manager, err := ic.Libpod.SecretsManager()
if err != nil {
return nil, err
}
diff --git a/pkg/machine/pull.go b/pkg/machine/pull.go
index d9f34057f..68bb551dc 100644
--- a/pkg/machine/pull.go
+++ b/pkg/machine/pull.go
@@ -162,7 +162,11 @@ func Decompress(localPath, uncompressedPath string) error {
return err
}
- if compressionType := archive.DetectCompression(sourceFile); compressionType.Extension() == "tar.xz" {
+ compressionType := archive.DetectCompression(sourceFile)
+ if compressionType != archive.Uncompressed {
+ fmt.Println("Extracting compressed file")
+ }
+ if compressionType == archive.Xz {
return decompressXZ(localPath, uncompressedFileWriter)
}
return decompressEverythingElse(localPath, uncompressedFileWriter)
@@ -172,7 +176,6 @@ func Decompress(localPath, uncompressedPath string) error {
// Maybe extracting then renameing is a good idea here..
// depends on xz: not pre-installed on mac, so it becomes a brew dependency
func decompressXZ(src string, output io.Writer) error {
- fmt.Println("Extracting compressed file")
cmd := exec.Command("xzcat", "-k", src)
//cmd := exec.Command("xz", "-d", "-k", "-v", src)
stdOut, err := cmd.StdoutPipe()
@@ -190,7 +193,6 @@ func decompressXZ(src string, output io.Writer) error {
}
func decompressEverythingElse(src string, output io.Writer) error {
- fmt.Println("Extracting compressed file")
f, err := os.Open(src)
if err != nil {
return err
diff --git a/pkg/specgen/generate/container_create.go b/pkg/specgen/generate/container_create.go
index 7682367b7..a0f5cc7e6 100644
--- a/pkg/specgen/generate/container_create.go
+++ b/pkg/specgen/generate/container_create.go
@@ -400,7 +400,24 @@ func createContainerOptions(ctx context.Context, rt *libpod.Runtime, s *specgen.
}
if len(s.Secrets) != 0 {
- options = append(options, libpod.WithSecrets(s.Secrets))
+ manager, err := rt.SecretsManager()
+ if err != nil {
+ return nil, err
+ }
+ var secrs []*libpod.ContainerSecret
+ for _, s := range s.Secrets {
+ secr, err := manager.Lookup(s.Source)
+ if err != nil {
+ return nil, err
+ }
+ secrs = append(secrs, &libpod.ContainerSecret{
+ Secret: secr,
+ UID: s.UID,
+ GID: s.GID,
+ Mode: s.Mode,
+ })
+ }
+ options = append(options, libpod.WithSecrets(secrs))
}
if len(s.EnvSecrets) != 0 {
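Review bot: The loop `for _, s := range s.Secrets` shadows the function's `s` parameter, so inside the loop body `s` is a secret while everywhere else in createContainerOptions it is the spec generator; renaming the loop variable (`for _, secret := range s.Secrets {`) removes that trap for later edits. The lookup error is returned bare, so the caller cannot tell which secret was missing; wrapping it with the source name (e.g. `errors.Wrapf(err, "looking up secret %q", secret.Source)`, assuming pkg/errors is imported in this file) would fix that. `UID`, `GID` and `Mode` are copied through unchecked here; if nothing upstream bounds `Mode` to permission bits, this is the last point before the values reach libpod. The function begins and ends outside the hunk.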
diff --git a/pkg/specgen/generate/kube/kube.go b/pkg/specgen/generate/kube/kube.go
index 4e41061a5..054388384 100644
--- a/pkg/specgen/generate/kube/kube.go
+++ b/pkg/specgen/generate/kube/kube.go
@@ -250,27 +250,26 @@ func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGener
if !exists {
return nil, errors.Errorf("Volume mount %s specified for container but not configured in volumes", volume.Name)
}
+
+ dest, options, err := parseMountPath(volume.MountPath, volume.ReadOnly)
+ if err != nil {
+ return nil, err
+ }
+
switch volumeSource.Type {
case KubeVolumeTypeBindMount:
- if err := parse.ValidateVolumeCtrDir(volume.MountPath); err != nil {
- return nil, errors.Wrapf(err, "error in parsing MountPath")
- }
mount := spec.Mount{
- Destination: volume.MountPath,
+ Destination: dest,
Source: volumeSource.Source,
Type: "bind",
- }
- if volume.ReadOnly {
- mount.Options = []string{"ro"}
+ Options: options,
}
s.Mounts = append(s.Mounts, mount)
case KubeVolumeTypeNamed:
namedVolume := specgen.NamedVolume{
- Dest: volume.MountPath,
- Name: volumeSource.Source,
- }
- if volume.ReadOnly {
- namedVolume.Options = []string{"ro"}
+ Dest: dest,
+ Name: volumeSource.Source,
+ Options: options,
}
s.Volumes = append(s.Volumes, &namedVolume)
default:
@@ -300,6 +299,25 @@ func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGener
return s, nil
}
+func parseMountPath(mountPath string, readOnly bool) (string, []string, error) {
+ options := []string{}
+ splitVol := strings.Split(mountPath, ":")
+ if len(splitVol) > 2 {
+ return "", options, errors.Errorf("%q incorrect volume format, should be ctr-dir[:option]", mountPath)
+ }
+ dest := splitVol[0]
+ if len(splitVol) > 1 {
+ options = strings.Split(splitVol[1], ",")
+ }
+ if err := parse.ValidateVolumeCtrDir(dest); err != nil {
+ return "", options, errors.Wrapf(err, "error in parsing MountPath")
+ }
+ if readOnly {
+ options = append(options, "ro")
+ }
+ return dest, options, nil
+}
+
func setupSecurityContext(s *specgen.SpecGenerator, containerYAML v1.Container) {
if containerYAML.SecurityContext == nil {
return
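Review bot: parseMountPath forwards whatever follows the `:` in `mountPath` as mount options without any check, and the first hunk of this file feeds the result straight into `spec.Mount.Options` and `NamedVolume.Options`. A value such as `/data:` yields a single empty option, and `/data:rw` combined with `readOnly == true` yields both `rw` and `ro`. Unless options are validated downstream, the helper should reject empty entries and conflicting or duplicate `ro`/`rw` before returning, for instance `if opt == "" { return "", nil, errors.Errorf("%q contains an empty mount option", mountPath) }` inside a loop over the split options. The function also lacks a doc comment; one sentence stating the accepted form `ctr-dir[:opt[,opt...]]` and that `readOnly` appends `ro` would cover it. The error paths should return `nil` rather than the partly built `options` slice.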
diff --git a/pkg/specgen/specgen.go b/pkg/specgen/specgen.go
index 2e01d1535..2815bdebb 100644
--- a/pkg/specgen/specgen.go
+++ b/pkg/specgen/specgen.go
@@ -258,7 +258,7 @@ type ContainerStorageConfig struct {
RootfsPropagation string `json:"rootfs_propagation,omitempty"`
// Secrets are the secrets that will be added to the container
// Optional.
- Secrets []string `json:"secrets,omitempty"`
+ Secrets []Secret `json:"secrets,omitempty"`
// Volatile specifies whether the container storage can be optimized
// at the cost of not syncing all the dirty files in memory.
Volatile bool `json:"volatile,omitempty"`
@@ -521,6 +521,13 @@ type PortMapping struct {
Protocol string `json:"protocol,omitempty"`
}
+type Secret struct {
+ Source string
+ UID uint32
+ GID uint32
+ Mode uint32
+}
+
var (
// ErrNoStaticIPRootless is used when a rootless user requests to assign a static IP address
// to a pod or container
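Review bot: The new exported `Secret` type has no doc comments and no struct tags, while the surrounding fields in this file carry `json:"...,omitempty"` tags; as written it serialises with the keys `Source`, `UID`, `GID` and `Mode`, which does not match the snake_case used elsewhere in the spec. Adding tags such as `Source string `json:"source,omitempty"`` and a comment per field would fix that; `Mode` in particular should state that it holds file permission bits, if that is the intent. The earlier hunk in this file changes `Secrets` from `[]string` to `[]Secret`, which changes the JSON shape of `secrets`. Clients still sending a list of names will presumably fail to decode, so the compatibility expectation deserves a line in the field comment.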