10 files changed, 242 insertions, 27 deletions
diff --git a/pkg/adapter/pods.go b/pkg/adapter/pods.go
index b45b02d09..2ca4f228f 100644
--- a/pkg/adapter/pods.go
+++ b/pkg/adapter/pods.go
@@ -676,7 +676,7 @@ func kubeContainerToCreateConfig(ctx context.Context, containerYAML v1.Container
 	if imageData != nil && imageData.Config != nil {
 		containerConfig.Command = append(containerConfig.Command, imageData.Config.Entrypoint...)
 	}
-	if len(containerConfig.Command) != 0 {
+	if len(containerYAML.Command) != 0 {
 		containerConfig.Command = append(containerConfig.Command, containerYAML.Command...)
 	} else if imageData != nil && imageData.Config != nil {
 		containerConfig.Command = append(containerConfig.Command, imageData.Config.Cmd...)
diff --git a/pkg/apparmor/apparmor_linux.go b/pkg/apparmor/apparmor_linux.go
index 0d01f41e9..479600408 100644
--- a/pkg/apparmor/apparmor_linux.go
+++ b/pkg/apparmor/apparmor_linux.go
@@ -4,6 +4,7 @@ package apparmor
 
 import (
 	"bufio"
+	"bytes"
 	"fmt"
 	"io"
 	"os"
@@ -104,6 +105,18 @@ func InstallDefault(name string) error {
 	return cmd.Wait()
 }
 
+// DefaultContent returns the default profile content as byte slice. The
+// profile is named as the provided `name`. The function errors if the profile
+// generation fails.
+func DefaultContent(name string) ([]byte, error) {
+	p := profileData{Name: name}
+	var bytes bytes.Buffer
+	if err := p.generateDefault(&bytes); err != nil {
+		return nil, err
+	}
+	return bytes.Bytes(), nil
+}
+
 // IsLoaded checks if a profile with the given name has been loaded into the
 // kernel.
 func IsLoaded(name string) (bool, error) {
diff --git a/pkg/apparmor/apparmor_linux_test.go b/pkg/apparmor/apparmor_linux_test.go
index ac3260723..e94293d87 100644
--- a/pkg/apparmor/apparmor_linux_test.go
+++ b/pkg/apparmor/apparmor_linux_test.go
@@ -78,10 +78,12 @@ Copyright 2009-2012 Canonical Ltd.
 	}
 }
 
-func TestInstallDefault(t *testing.T) {
-	profile := "libpod-default-testing"
-	aapath := "/sys/kernel/security/apparmor/"
+const (
+	aapath  = "/sys/kernel/security/apparmor/"
+	profile = "libpod-default-testing"
+)
 
+func TestInstallDefault(t *testing.T) {
 	if _, err := os.Stat(aapath); err != nil {
 		t.Skip("AppArmor isn't available in this environment")
 	}
@@ -127,3 +129,12 @@ func TestInstallDefault(t *testing.T) {
 	}
 	checkLoaded(false)
 }
+
+func TestDefaultContent(t *testing.T) {
+	if _, err := os.Stat(aapath); err != nil {
+		t.Skip("AppArmor isn't available in this environment")
+	}
+	if err := DefaultContent(profile); err != nil {
+		t.Fatalf("Couldn't retrieve default AppArmor profile content '%s': %v", profile, err)
+	}
+}
diff --git a/pkg/apparmor/apparmor_unsupported.go b/pkg/apparmor/apparmor_unsupported.go
index b2b4de5f5..13469f1b6 100644
--- a/pkg/apparmor/apparmor_unsupported.go
+++ b/pkg/apparmor/apparmor_unsupported.go
@@ -24,3 +24,8 @@ func CheckProfileAndLoadDefault(name string) (string, error) {
 	}
 	return "", ErrApparmorUnsupported
 }
+
+// DefaultContent dummy.
+func DefaultContent(name string) ([]byte, error) {
+	return nil, nil
+}
diff --git a/pkg/namespaces/namespaces.go b/pkg/namespaces/namespaces.go
index ec9276344..7ed95bd0f 100644
--- a/pkg/namespaces/namespaces.go
+++ b/pkg/namespaces/namespaces.go
@@ -4,6 +4,63 @@ import (
 	"strings"
 )
 
+// CgroupMode represents cgroup mode in the container.
+type CgroupMode string
+
+// IsHost indicates whether the container uses the host's cgroup.
+func (n CgroupMode) IsHost() bool {
+	return n == "host"
+}
+
+// IsNS indicates a cgroup namespace passed in by path (ns:<path>)
+func (n CgroupMode) IsNS() bool {
+	return strings.HasPrefix(string(n), "ns:")
+}
+
+// NS gets the path associated with a ns:<path> cgroup ns
+func (n CgroupMode) NS() string {
+	parts := strings.SplitN(string(n), ":", 2)
+	if len(parts) > 1 {
+		return parts[1]
+	}
+	return ""
+}
+
+// IsContainer indicates whether the container uses a new cgroup namespace.
+func (n CgroupMode) IsContainer() bool {
+	parts := strings.SplitN(string(n), ":", 2)
+	return len(parts) > 1 && parts[0] == "container"
+}
+
+// Container returns the name of the container whose cgroup namespace is going to be used.
+func (n CgroupMode) Container() string {
+	parts := strings.SplitN(string(n), ":", 2)
+	if len(parts) > 1 {
+		return parts[1]
+	}
+	return ""
+}
+
+// IsPrivate indicates whether the container uses the a private cgroup.
+func (n CgroupMode) IsPrivate() bool {
+	return n == "private"
+}
+
+// Valid indicates whether the Cgroup namespace is valid.
+func (n CgroupMode) Valid() bool {
+	parts := strings.Split(string(n), ":")
+	switch mode := parts[0]; mode {
+	case "", "host", "private", "ns":
+	case "container":
+		if len(parts) != 2 || parts[1] == "" {
+			return false
+		}
+	default:
+		return false
+	}
+	return true
+}
+
 // UsernsMode represents userns mode in the container.
 type UsernsMode string
 
diff --git a/pkg/spec/createconfig.go b/pkg/spec/createconfig.go
index 0042ed401..1fb1f829b 100644
--- a/pkg/spec/createconfig.go
+++ b/pkg/spec/createconfig.go
@@ -63,6 +63,7 @@ type CreateConfig struct {
 	CapDrop            []string // cap-drop
 	CidFile            string
 	ConmonPidFile      string
+	Cgroupns           string
 	CgroupParent       string // cgroup-parent
 	Command            []string
 	Detach             bool              // detach
@@ -101,6 +102,7 @@ type CreateConfig struct {
 	NetworkAlias       []string               //network-alias
 	PidMode            namespaces.PidMode     //pid
 	Pod                string                 //pod
+	CgroupMode         namespaces.CgroupMode  //cgroup
 	PortBindings       nat.PortMap
 	Privileged         bool     //privileged
 	Publish            []string //publish
@@ -268,6 +270,23 @@ func (c *CreateConfig) getContainerCreateOptions(runtime *libpod.Runtime, pod *l
 		options = append(options, libpod.WithNetNS(portBindings, postConfigureNetNS, string(c.NetMode), networks))
 	}
 
+	if c.CgroupMode.IsNS() {
+		ns := c.CgroupMode.NS()
+		if ns == "" {
+			return nil, errors.Errorf("invalid empty user-defined network namespace")
+		}
+		_, err := os.Stat(ns)
+		if err != nil {
+			return nil, err
+		}
+	} else if c.CgroupMode.IsContainer() {
+		connectedCtr, err := runtime.LookupContainer(c.CgroupMode.Container())
+		if err != nil {
+			return nil, errors.Wrapf(err, "container %q not found", c.CgroupMode.Container())
+		}
+		options = append(options, libpod.WithCgroupNSFrom(connectedCtr))
+	}
+
 	if c.PidMode.IsContainer() {
 		connectedCtr, err := runtime.LookupContainer(c.PidMode.Container())
 		if err != nil {
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index 6d8d399f4..a8ab4911a 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -325,6 +325,10 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
 	if err := addIpcNS(config, &g); err != nil {
 		return nil, err
 	}
+
+	if err := addCgroupNS(config, &g); err != nil {
+		return nil, err
+	}
 	configSpec := g.Config
 
 	// HANDLE CAPABILITIES
@@ -418,6 +422,62 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
 		}
 	}
 
+	// Add annotations
+	if configSpec.Annotations == nil {
+		configSpec.Annotations = make(map[string]string)
+	}
+
+	if config.CidFile != "" {
+		configSpec.Annotations[libpod.InspectAnnotationCIDFile] = config.CidFile
+	}
+
+	if config.Rm {
+		configSpec.Annotations[libpod.InspectAnnotationAutoremove] = libpod.InspectResponseTrue
+	} else {
+		configSpec.Annotations[libpod.InspectAnnotationAutoremove] = libpod.InspectResponseFalse
+	}
+
+	if len(config.VolumesFrom) > 0 {
+		configSpec.Annotations[libpod.InspectAnnotationVolumesFrom] = strings.Join(config.VolumesFrom, ",")
+	}
+
+	if config.Privileged {
+		configSpec.Annotations[libpod.InspectAnnotationPrivileged] = libpod.InspectResponseTrue
+	} else {
+		configSpec.Annotations[libpod.InspectAnnotationPrivileged] = libpod.InspectResponseFalse
+	}
+
+	if config.PublishAll {
+		configSpec.Annotations[libpod.InspectAnnotationPublishAll] = libpod.InspectResponseTrue
+	} else {
+		configSpec.Annotations[libpod.InspectAnnotationPublishAll] = libpod.InspectResponseFalse
+	}
+
+	if config.Init {
+		configSpec.Annotations[libpod.InspectAnnotationInit] = libpod.InspectResponseTrue
+	} else {
+		configSpec.Annotations[libpod.InspectAnnotationInit] = libpod.InspectResponseFalse
+	}
+
+	for _, opt := range config.SecurityOpts {
+		// Split on both : and =
+		splitOpt := strings.Split(opt, "=")
+		if len(splitOpt) == 1 {
+			splitOpt = strings.Split(opt, ":")
+		}
+		if len(splitOpt) < 2 {
+			continue
+		}
+		switch splitOpt[0] {
+		case "label":
+			configSpec.Annotations[libpod.InspectAnnotationLabel] = splitOpt[1]
+		case "seccomp":
+			configSpec.Annotations[libpod.InspectAnnotationSeccomp] = splitOpt[1]
+		case "apparmor":
+			configSpec.Annotations[libpod.InspectAnnotationApparmor] = splitOpt[1]
+		}
+	}
+
 	return configSpec, nil
 }
 
@@ -566,6 +626,23 @@ func addIpcNS(config *CreateConfig, g *generate.Generator) error {
 	return nil
 }
 
+func addCgroupNS(config *CreateConfig, g *generate.Generator) error {
+	cgroupMode := config.CgroupMode
+	if cgroupMode.IsNS() {
+		return g.AddOrReplaceLinuxNamespace(string(spec.CgroupNamespace), NS(string(cgroupMode)))
+	}
+	if cgroupMode.IsHost() {
+		return g.RemoveLinuxNamespace(spec.CgroupNamespace)
+	}
+	if cgroupMode.IsPrivate() {
+		return g.AddOrReplaceLinuxNamespace(spec.CgroupNamespace, "")
+	}
+	if cgroupMode.IsContainer() {
+		logrus.Debug("Using container cgroup mode")
+	}
+	return nil
+}
+
 func addRlimits(config *CreateConfig, g *generate.Generator) error {
 	var (
 		kernelMax  uint64 = 1048576
diff --git a/pkg/util/utils_linux.go b/pkg/util/utils_linux.go
index 47fa1031f..318bd2b1b 100644
--- a/pkg/util/utils_linux.go
+++ b/pkg/util/utils_linux.go
@@ -1,7 +1,14 @@
 package util
 
 import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"syscall"
+
 	"github.com/containers/psgo"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 )
 
 // GetContainerPidInformationDescriptors returns a string slice of all supported
@@ -9,3 +16,39 @@ import (
 func GetContainerPidInformationDescriptors() ([]string, error) {
 	return psgo.ListDescriptors(), nil
 }
+
+// FindDeviceNodes parses /dev/ into a set of major:minor -> path, where
+// [major:minor] is the device's major and minor numbers formatted as, for
+// example, 2:0 and path is the path to the device node.
+// Symlinks to nodes are ignored.
+func FindDeviceNodes() (map[string]string, error) {
+	nodes := make(map[string]string)
+	err := filepath.Walk("/dev", func(path string, info os.FileInfo, err error) error {
+		if err != nil {
+			logrus.Warnf("Error descending into path %s: %v", path, err)
+			return filepath.SkipDir
+		}
+
+		// If we aren't a device node, do nothing.
+		if info.Mode()&(os.ModeDevice|os.ModeCharDevice) == 0 {
+			return nil
+		}
+
+		// We are a device node. Get major/minor.
+		sysstat, ok := info.Sys().(*syscall.Stat_t)
+		if !ok {
+			return errors.Errorf("Could not convert stat output for use")
+		}
+		major := uint64(sysstat.Rdev / 256)
+		minor := uint64(sysstat.Rdev % 256)
+
+		nodes[fmt.Sprintf("%d:%d", major, minor)] = path
+
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return nodes, nil
+}
diff --git a/pkg/util/utils_unsupported.go b/pkg/util/utils_unsupported.go
new file mode 100644
index 000000000..62805d7c8
--- /dev/null
+++ b/pkg/util/utils_unsupported.go
@@ -0,0 +1,12 @@
+// +build darwin windows
+
+package util
+
+import (
+	"github.com/pkg/errors"
+)
+
+// FindDeviceNodes is not implemented anywhere except Linux.
+func FindDeviceNodes() (map[string]string, error) {
+	return nil, errors.Errorf("not supported on non-Linux OSes")
+}
diff --git a/pkg/varlinkapi/containers.go b/pkg/varlinkapi/containers.go
index 83743351c..6f6909fac 100644
--- a/pkg/varlinkapi/containers.go
+++ b/pkg/varlinkapi/containers.go
@@ -19,7 +19,6 @@ import (
 	"github.com/containers/libpod/libpod/define"
 	"github.com/containers/libpod/libpod/logs"
 	"github.com/containers/libpod/pkg/adapter/shortcuts"
-	cc "github.com/containers/libpod/pkg/spec"
 	"github.com/containers/storage/pkg/archive"
 	"github.com/pkg/errors"
 )
@@ -172,16 +171,7 @@ func (i *LibpodAPI) InspectContainer(call iopodman.VarlinkCall, name string) err
 	if err != nil {
 		return call.ReplyContainerNotFound(name, err.Error())
 	}
-	inspectInfo, err := ctr.Inspect(true)
-	if err != nil {
-		return call.ReplyErrorOccurred(err.Error())
-	}
-	artifact, err := getArtifact(ctr)
-	if err != nil {
-		return call.ReplyErrorOccurred(err.Error())
-	}
-
-	data, err := shared.GetCtrInspectInfo(ctr.Config(), inspectInfo, artifact)
+	data, err := ctr.Inspect(true)
 	if err != nil {
 		return call.ReplyErrorOccurred(err.Error())
 	}
@@ -589,18 +579,6 @@ func (i *LibpodAPI) ContainerRestore(call iopodman.VarlinkCall, name string, kee
 	return call.ReplyContainerRestore(ctr.ID())
 }
 
-func getArtifact(ctr *libpod.Container) (*cc.CreateConfig, error) {
-	var createArtifact cc.CreateConfig
-	artifact, err := ctr.GetArtifact("create-config")
-	if err != nil {
-		return nil, err
-	}
-	if err := json.Unmarshal(artifact, &createArtifact); err != nil {
-		return nil, err
-	}
-	return &createArtifact, nil
-}
-
 // ContainerConfig returns just the container.config struct
 func (i *LibpodAPI) ContainerConfig(call iopodman.VarlinkCall, name string) error {
 	ctr, err := i.Runtime.LookupContainer(name)