12 files changed, 207 insertions, 70 deletions

diff --git a/pkg/api/handlers/compat/containers_create.go b/pkg/api/handlers/compat/containers_create.go
index 409a74de2..6e85872b2 100644
--- a/pkg/api/handlers/compat/containers_create.go
+++ b/pkg/api/handlers/compat/containers_create.go
@@ -66,7 +66,20 @@ func CreateContainer(w http.ResponseWriter, r *http.Request) {
 		utils.Error(w, "Something went wrong.", http.StatusInternalServerError, errors.Wrap(err, "make cli opts()"))
 		return
 	}
-	sg := specgen.NewSpecGenerator(newImage.ID(), cliOpts.RootFS)
+
+	imgNameOrID := newImage.ID()
+	// if the img had multi names with the same sha256 ID, should use the InputName, not the ID
+	if len(newImage.Names()) > 1 {
+		imageRef, err := utils.ParseDockerReference(newImage.InputName)
+		if err != nil {
+			utils.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest, err)
+			return
+		}
+		// maybe the InputName has no tag, so use full name to display
+		imgNameOrID = imageRef.DockerReference().String()
+	}
+
+	sg := specgen.NewSpecGenerator(imgNameOrID, cliOpts.RootFS)
 	if err := common.FillOutSpecGen(sg, cliOpts, args); err != nil {
 		utils.Error(w, "Something went wrong.", http.StatusInternalServerError, errors.Wrap(err, "fill out specgen"))
 		return
diff --git a/pkg/api/handlers/compat/networks.go b/pkg/api/handlers/compat/networks.go
index fe13971b0..f0b922885 100644
--- a/pkg/api/handlers/compat/networks.go
+++ b/pkg/api/handlers/compat/networks.go
@@ -131,7 +131,7 @@ func getNetworkResourceByNameOrID(nameOrID string, runtime *libpod.Runtime, filt
 		Name:       conf.Name,
 		ID:         network.GetNetworkID(conf.Name),
 		Created:    time.Unix(int64(stat.Ctim.Sec), int64(stat.Ctim.Nsec)), // nolint: unconvert
-		Scope:      "",
+		Scope:      "local",
 		Driver:     network.DefaultNetworkDriver,
 		EnableIPv6: false,
 		IPAM: dockerNetwork.IPAM{
@@ -197,7 +197,7 @@ func ListNetworks(w http.ResponseWriter, r *http.Request) {
 	}
 
 	var reports []*types.NetworkResource
-	logrus.Errorf("netNames: %q", strings.Join(netNames, ", "))
+	logrus.Debugf("netNames: %q", strings.Join(netNames, ", "))
 	for _, name := range netNames {
 		report, err := getNetworkResourceByNameOrID(name, runtime, query.Filters)
 		if err != nil {
@@ -239,7 +239,7 @@ func CreateNetwork(w http.ResponseWriter, r *http.Request) {
 		Internal: networkCreate.Internal,
 		Labels:   networkCreate.Labels,
 	}
-	if networkCreate.IPAM != nil && networkCreate.IPAM.Config != nil {
+	if networkCreate.IPAM != nil && len(networkCreate.IPAM.Config) > 0 {
 		if len(networkCreate.IPAM.Config) > 1 {
 			utils.InternalServerError(w, errors.New("compat network create can only support one IPAM config"))
 			return
diff --git a/pkg/bindings/connection.go b/pkg/bindings/connection.go
index f2cb3147c..7b26037eb 100644
--- a/pkg/bindings/connection.go
+++ b/pkg/bindings/connection.go
@@ -182,30 +182,65 @@ func pingNewConnection(ctx context.Context) error {
 func sshClient(_url *url.URL, secure bool, passPhrase string, identity string) (Connection, error) {
 	// if you modify the authmethods or their conditionals, you will also need to make similar
 	// changes in the client (currently cmd/podman/system/connection/add getUDS).
-	authMethods := []ssh.AuthMethod{}
+
+	var signers []ssh.Signer // order Signers are appended to this list determines which key is presented to server
+
 	if len(identity) > 0 {
-		auth, err := terminal.PublicKey(identity, []byte(passPhrase))
+		s, err := terminal.PublicKey(identity, []byte(passPhrase))
 		if err != nil {
 			return Connection{}, errors.Wrapf(err, "failed to parse identity %q", identity)
 		}
-		logrus.Debugf("public key signer enabled for identity %q", identity)
-		authMethods = append(authMethods, auth)
+
+		signers = append(signers, s)
+		logrus.Debugf("SSH Ident Key %q %s %s", identity, ssh.FingerprintSHA256(s.PublicKey()), s.PublicKey().Type())
 	}
 
 	if sock, found := os.LookupEnv("SSH_AUTH_SOCK"); found {
-		logrus.Debugf("Found SSH_AUTH_SOCK %q, ssh-agent signer enabled", sock)
+		logrus.Debugf("Found SSH_AUTH_SOCK %q, ssh-agent signer(s) enabled", sock)
 
 		c, err := net.Dial("unix", sock)
 		if err != nil {
 			return Connection{}, err
 		}
-		a := agent.NewClient(c)
-		authMethods = append(authMethods, ssh.PublicKeysCallback(a.Signers))
+
+		agentSigners, err := agent.NewClient(c).Signers()
+		if err != nil {
+			return Connection{}, err
+		}
+		signers = append(signers, agentSigners...)
+
+		if logrus.IsLevelEnabled(logrus.DebugLevel) {
+			for _, s := range agentSigners {
+				logrus.Debugf("SSH Agent Key %s %s", ssh.FingerprintSHA256(s.PublicKey()), s.PublicKey().Type())
+			}
+		}
+	}
+
+	var authMethods []ssh.AuthMethod
+	if len(signers) > 0 {
+		var dedup = make(map[string]ssh.Signer)
+		// Dedup signers based on fingerprint, ssh-agent keys override CONTAINER_SSHKEY
+		for _, s := range signers {
+			fp := ssh.FingerprintSHA256(s.PublicKey())
+			if _, found := dedup[fp]; found {
+				logrus.Debugf("Dedup SSH Key %s %s", ssh.FingerprintSHA256(s.PublicKey()), s.PublicKey().Type())
+			}
+			dedup[fp] = s
+		}
+
+		var uniq []ssh.Signer
+		for _, s := range dedup {
+			uniq = append(uniq, s)
+		}
+		authMethods = append(authMethods, ssh.PublicKeysCallback(func() ([]ssh.Signer, error) {
+			return uniq, nil
+		}))
 	}
 
 	if pw, found := _url.User.Password(); found {
 		authMethods = append(authMethods, ssh.Password(pw))
 	}
+
 	if len(authMethods) == 0 {
 		callback := func() (string, error) {
 			pass, err := terminal.ReadPassword("Login password:")
diff --git a/pkg/domain/entities/container_ps.go b/pkg/domain/entities/container_ps.go
index b4e8446cb..ff3b087ed 100644
--- a/pkg/domain/entities/container_ps.go
+++ b/pkg/domain/entities/container_ps.go
@@ -12,6 +12,8 @@ import (
 
 // Listcontainer describes a container suitable for listing
 type ListContainer struct {
+	// AutoRemove
+	AutoRemove bool
 	// Container command
 	Command []string
 	// Container creation time
diff --git a/pkg/domain/entities/containers.go b/pkg/domain/entities/containers.go
index 39d679eaf..01086a2b3 100644
--- a/pkg/domain/entities/containers.go
+++ b/pkg/domain/entities/containers.go
@@ -227,8 +227,10 @@ type ContainerLogsOptions struct {
 	Tail int64
 	// Show timestamps in the logs.
 	Timestamps bool
-	// Write the logs to Writer.
-	Writer io.Writer
+	// Write the stdout to this Writer.
+	StdoutWriter io.Writer
+	// Write the stderr to this Writer.
+	StderrWriter io.Writer
 }
 
 // ExecOptions describes the cli values to exec into
diff --git a/pkg/domain/entities/images.go b/pkg/domain/entities/images.go
index 81f12bff7..1538cbb8b 100644
--- a/pkg/domain/entities/images.go
+++ b/pkg/domain/entities/images.go
@@ -344,6 +344,7 @@ type SignOptions struct {
 	Directory string
 	SignBy    string
 	CertDir   string
+	All       bool
 }
 
 // SignReport describes the result of signing
diff --git a/pkg/domain/infra/abi/containers.go b/pkg/domain/infra/abi/containers.go
index ff4277a2e..ec65dbe44 100644
--- a/pkg/domain/infra/abi/containers.go
+++ b/pkg/domain/infra/abi/containers.go
@@ -925,7 +925,7 @@ func (ic *ContainerEngine) ContainerRun(ctx context.Context, opts entities.Conta
 }
 
 func (ic *ContainerEngine) ContainerLogs(ctx context.Context, containers []string, options entities.ContainerLogsOptions) error {
-	if options.Writer == nil {
+	if options.StdoutWriter == nil && options.StderrWriter == nil {
 		return errors.New("no io.Writer set for container logs")
 	}
 
@@ -963,7 +963,7 @@ func (ic *ContainerEngine) ContainerLogs(ctx context.Context, containers []strin
 	}()
 
 	for line := range logChannel {
-		fmt.Fprintln(options.Writer, line.String(logOpts))
+		line.Write(options.StdoutWriter, options.StderrWriter, logOpts)
 	}
 
 	return nil
diff --git a/pkg/domain/infra/abi/images.go b/pkg/domain/infra/abi/images.go
index 57a2bc4cf..394ba359c 100644
--- a/pkg/domain/infra/abi/images.go
+++ b/pkg/domain/infra/abi/images.go
@@ -28,6 +28,8 @@ import (
 	"github.com/containers/podman/v2/pkg/rootless"
 	"github.com/containers/podman/v2/pkg/util"
 	"github.com/containers/storage"
+	dockerRef "github.com/docker/distribution/reference"
+	"github.com/opencontainers/go-digest"
 	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -718,9 +720,9 @@ func (ir *ImageEngine) Sign(ctx context.Context, names []string, options entitie
 					logrus.Errorf("unable to close %s image source %q", srcRef.DockerReference().Name(), err)
 				}
 			}()
-			getManifest, _, err := rawSource.GetManifest(ctx, nil)
+			topManifestBlob, manifestType, err := rawSource.GetManifest(ctx, nil)
 			if err != nil {
-				return errors.Wrapf(err, "error getting getManifest")
+				return errors.Wrapf(err, "error getting manifest blob")
 			}
 			dockerReference := rawSource.Reference().DockerReference()
 			if dockerReference == nil {
@@ -743,34 +745,34 @@ func (ir *ImageEngine) Sign(ctx context.Context, names []string, options entitie
 					return err
 				}
 			}
-			manifestDigest, err := manifest.Digest(getManifest)
+			manifestDigest, err := manifest.Digest(topManifestBlob)
 			if err != nil {
 				return err
 			}
 
-			// create signature
-			newSig, err := signature.SignDockerManifest(getManifest, dockerReference.String(), mech, options.SignBy)
-			if err != nil {
-				return errors.Wrapf(err, "error creating new signature")
-			}
-			// create the signstore file
-			signatureDir := fmt.Sprintf("%s@%s=%s", sigStoreDir, manifestDigest.Algorithm(), manifestDigest.Hex())
-			if err := os.MkdirAll(signatureDir, 0751); err != nil {
-				// The directory is allowed to exist
-				if !os.IsExist(err) {
-					logrus.Error(err)
-					return nil
+			if options.All {
+				if !manifest.MIMETypeIsMultiImage(manifestType) {
+					return errors.Errorf("%s is not a multi-architecture image (manifest type %s)", signimage, manifestType)
+				}
+				list, err := manifest.ListFromBlob(topManifestBlob, manifestType)
+				if err != nil {
+					return errors.Wrapf(err, "Error parsing manifest list %q", string(topManifestBlob))
+				}
+				instanceDigests := list.Instances()
+				for _, instanceDigest := range instanceDigests {
+					digest := instanceDigest
+					man, _, err := rawSource.GetManifest(ctx, &digest)
+					if err != nil {
+						return err
+					}
+					if err = putSignature(man, mech, sigStoreDir, instanceDigest, dockerReference, options); err != nil {
+						return errors.Wrapf(err, "error storing signature for %s, %v", dockerReference.String(), instanceDigest)
+					}
 				}
-			}
-			sigFilename, err := getSigFilename(signatureDir)
-			if err != nil {
-				logrus.Errorf("error creating sigstore file: %v", err)
 				return nil
 			}
-			err = ioutil.WriteFile(filepath.Join(signatureDir, sigFilename), newSig, 0644)
-			if err != nil {
-				logrus.Errorf("error storing signature for %s", rawSource.Reference().DockerReference().String())
-				return nil
+			if err = putSignature(topManifestBlob, mech, sigStoreDir, manifestDigest, dockerReference, options); err != nil {
+				return errors.Wrapf(err, "error storing signature for %s, %v", dockerReference.String(), manifestDigest)
 			}
 			return nil
 		}()
@@ -806,3 +808,26 @@ func localPathFromURI(url *url.URL) (string, error) {
 	}
 	return url.Path, nil
 }
+
+// putSignature creates signature and saves it to the signstore file
+func putSignature(manifestBlob []byte, mech signature.SigningMechanism, sigStoreDir string, instanceDigest digest.Digest, dockerReference dockerRef.Reference, options entities.SignOptions) error {
+	newSig, err := signature.SignDockerManifest(manifestBlob, dockerReference.String(), mech, options.SignBy)
+	if err != nil {
+		return err
+	}
+	signatureDir := fmt.Sprintf("%s@%s=%s", sigStoreDir, instanceDigest.Algorithm(), instanceDigest.Hex())
+	if err := os.MkdirAll(signatureDir, 0751); err != nil {
+		// The directory is allowed to exist
+		if !os.IsExist(err) {
+			return err
+		}
+	}
+	sigFilename, err := getSigFilename(signatureDir)
+	if err != nil {
+		return err
+	}
+	if err = ioutil.WriteFile(filepath.Join(signatureDir, sigFilename), newSig, 0644); err != nil {
+		return err
+	}
+	return nil
+}
diff --git a/pkg/domain/infra/runtime_tunnel.go b/pkg/domain/infra/runtime_tunnel.go
index 6c85e837e..3fddf577c 100644
--- a/pkg/domain/infra/runtime_tunnel.go
+++ b/pkg/domain/infra/runtime_tunnel.go
@@ -5,18 +5,38 @@ package infra
 import (
 	"context"
 	"fmt"
+	"sync"
 
 	"github.com/containers/podman/v2/pkg/bindings"
 	"github.com/containers/podman/v2/pkg/domain/entities"
 	"github.com/containers/podman/v2/pkg/domain/infra/tunnel"
 )
 
+var (
+	connectionMutex = &sync.Mutex{}
+	connection      *context.Context
+)
+
+func newConnection(uri string, identity string) (context.Context, error) {
+	connectionMutex.Lock()
+	defer connectionMutex.Unlock()
+
+	if connection == nil {
+		ctx, err := bindings.NewConnectionWithIdentity(context.Background(), uri, identity)
+		if err != nil {
+			return ctx, err
+		}
+		connection = &ctx
+	}
+	return *connection, nil
+}
+
 func NewContainerEngine(facts *entities.PodmanConfig) (entities.ContainerEngine, error) {
 	switch facts.EngineMode {
 	case entities.ABIMode:
 		return nil, fmt.Errorf("direct runtime not supported")
 	case entities.TunnelMode:
-		ctx, err := bindings.NewConnectionWithIdentity(context.Background(), facts.URI, facts.Identity)
+		ctx, err := newConnection(facts.URI, facts.Identity)
 		return &tunnel.ContainerEngine{ClientCxt: ctx}, err
 	}
 	return nil, fmt.Errorf("runtime mode '%v' is not supported", facts.EngineMode)
@@ -28,7 +48,7 @@ func NewImageEngine(facts *entities.PodmanConfig) (entities.ImageEngine, error)
 	case entities.ABIMode:
 		return nil, fmt.Errorf("direct image runtime not supported")
 	case entities.TunnelMode:
-		ctx, err := bindings.NewConnectionWithIdentity(context.Background(), facts.URI, facts.Identity)
+		ctx, err := newConnection(facts.URI, facts.Identity)
 		return &tunnel.ImageEngine{ClientCxt: ctx}, err
 	}
 	return nil, fmt.Errorf("runtime mode '%v' is not supported", facts.EngineMode)
diff --git a/pkg/domain/infra/tunnel/containers.go b/pkg/domain/infra/tunnel/containers.go
index e65fef0a4..ad7688f62 100644
--- a/pkg/domain/infra/tunnel/containers.go
+++ b/pkg/domain/infra/tunnel/containers.go
@@ -360,11 +360,12 @@ func (ic *ContainerEngine) ContainerCreate(ctx context.Context, s *specgen.SpecG
 func (ic *ContainerEngine) ContainerLogs(_ context.Context, nameOrIDs []string, options entities.ContainerLogsOptions) error {
 	since := options.Since.Format(time.RFC3339)
 	tail := strconv.FormatInt(options.Tail, 10)
-	stdout := options.Writer != nil
+	stdout := options.StdoutWriter != nil
+	stderr := options.StderrWriter != nil
 	opts := containers.LogOptions{
 		Follow:     &options.Follow,
 		Since:      &since,
-		Stderr:     &stdout,
+		Stderr:     &stderr,
 		Stdout:     &stdout,
 		Tail:       &tail,
 		Timestamps: &options.Timestamps,
@@ -372,10 +373,11 @@ func (ic *ContainerEngine) ContainerLogs(_ context.Context, nameOrIDs []string,
 	}
 
 	var err error
-	outCh := make(chan string)
+	stdoutCh := make(chan string)
+	stderrCh := make(chan string)
 	ctx, cancel := context.WithCancel(context.Background())
 	go func() {
-		err = containers.Logs(ic.ClientCxt, nameOrIDs[0], opts, outCh, outCh)
+		err = containers.Logs(ic.ClientCxt, nameOrIDs[0], opts, stdoutCh, stderrCh)
 		cancel()
 	}()
 
@@ -383,8 +385,14 @@ func (ic *ContainerEngine) ContainerLogs(_ context.Context, nameOrIDs []string,
 		select {
 		case <-ctx.Done():
 			return err
-		case line := <-outCh:
-			_, _ = io.WriteString(options.Writer, line+"\n")
+		case line := <-stdoutCh:
+			if options.StdoutWriter != nil {
+				_, _ = io.WriteString(options.StdoutWriter, line+"\n")
+			}
+		case line := <-stderrCh:
+			if options.StderrWriter != nil {
+				_, _ = io.WriteString(options.StderrWriter, line+"\n")
+			}
 		}
 	}
 }
@@ -515,6 +523,29 @@ func (ic *ContainerEngine) ContainerStart(ctx context.Context, namesOrIds []stri
 				reports = append(reports, &report)
 				return reports, errors.Wrapf(report.Err, "unable to start container %s", name)
 			}
+			if ctr.AutoRemove {
+				// Defer the removal, so we can return early if needed and
+				// de-spaghetti the code.
+				defer func() {
+					shouldRestart, err := containers.ShouldRestart(ic.ClientCxt, ctr.ID)
+					if err != nil {
+						logrus.Errorf("Failed to check if %s should restart: %v", ctr.ID, err)
+						return
+					}
+
+					if !shouldRestart {
+						if err := containers.Remove(ic.ClientCxt, ctr.ID, bindings.PFalse, bindings.PTrue); err != nil {
+							if errorhandling.Contains(err, define.ErrNoSuchCtr) ||
+								errorhandling.Contains(err, define.ErrCtrRemoved) {
+								logrus.Warnf("Container %s does not exist: %v", ctr.ID, err)
+							} else {
+								logrus.Errorf("Error removing container %s: %v", ctr.ID, err)
+							}
+						}
+					}
+				}()
+			}
+
 			exitCode, err := containers.Wait(ic.ClientCxt, name, nil)
 			if err == define.ErrNoSuchCtr {
 				// Check events
@@ -535,6 +566,16 @@ func (ic *ContainerEngine) ContainerStart(ctx context.Context, namesOrIds []stri
 		if !ctrRunning {
 			err = containers.Start(ic.ClientCxt, name, &options.DetachKeys)
 			if err != nil {
+				if ctr.AutoRemove {
+					if err := containers.Remove(ic.ClientCxt, ctr.ID, bindings.PFalse, bindings.PTrue); err != nil {
+						if errorhandling.Contains(err, define.ErrNoSuchCtr) ||
+							errorhandling.Contains(err, define.ErrCtrRemoved) {
+							logrus.Warnf("Container %s does not exist: %v", ctr.ID, err)
+						} else {
+							logrus.Errorf("Error removing container %s: %v", ctr.ID, err)
+						}
+					}
+				}
 				report.Err = errors.Wrapf(err, "unable to start container %q", name)
 				report.ExitCode = define.ExitCode(err)
 				reports = append(reports, &report)
diff --git a/pkg/ps/ps.go b/pkg/ps/ps.go
index cfdf3ee49..6c26e8708 100644
--- a/pkg/ps/ps.go
+++ b/pkg/ps/ps.go
@@ -179,24 +179,25 @@ func ListContainerBatch(rt *libpod.Runtime, ctr *libpod.Container, opts entities
 	}
 
 	ps := entities.ListContainer{
-		Command:   conConfig.Command,
-		Created:   conConfig.CreatedTime,
-		Exited:    exited,
-		ExitCode:  exitCode,
-		ExitedAt:  exitedTime.Unix(),
-		ID:        conConfig.ID,
-		Image:     conConfig.RootfsImageName,
-		ImageID:   conConfig.RootfsImageID,
-		IsInfra:   conConfig.IsInfra,
-		Labels:    conConfig.Labels,
-		Mounts:    ctr.UserVolumes(),
-		Names:     []string{conConfig.Name},
-		Pid:       pid,
-		Pod:       conConfig.Pod,
-		Ports:     portMappings,
-		Size:      size,
-		StartedAt: startedTime.Unix(),
-		State:     conState.String(),
+		AutoRemove: ctr.AutoRemove(),
+		Command:    conConfig.Command,
+		Created:    conConfig.CreatedTime,
+		Exited:     exited,
+		ExitCode:   exitCode,
+		ExitedAt:   exitedTime.Unix(),
+		ID:         conConfig.ID,
+		Image:      conConfig.RootfsImageName,
+		ImageID:    conConfig.RootfsImageID,
+		IsInfra:    conConfig.IsInfra,
+		Labels:     conConfig.Labels,
+		Mounts:     ctr.UserVolumes(),
+		Names:      []string{conConfig.Name},
+		Pid:        pid,
+		Pod:        conConfig.Pod,
+		Ports:      portMappings,
+		Size:       size,
+		StartedAt:  startedTime.Unix(),
+		State:      conState.String(),
 	}
 	if opts.Pod && len(conConfig.Pod) > 0 {
 		podName, err := rt.GetName(conConfig.Pod)
diff --git a/pkg/terminal/util.go b/pkg/terminal/util.go
index 169bec2af..231b47974 100644
--- a/pkg/terminal/util.go
+++ b/pkg/terminal/util.go
@@ -61,7 +61,7 @@ func ReadPassword(prompt string) (pw []byte, err error) {
 	}
 }
 
-func PublicKey(path string, passphrase []byte) (ssh.AuthMethod, error) {
+func PublicKey(path string, passphrase []byte) (ssh.Signer, error) {
 	key, err := ioutil.ReadFile(path)
 	if err != nil {
 		return nil, err
@@ -75,12 +75,9 @@ func PublicKey(path string, passphrase []byte) (ssh.AuthMethod, error) {
 		if len(passphrase) == 0 {
 			passphrase = ReadPassphrase()
 		}
-		signer, err = ssh.ParsePrivateKeyWithPassphrase(key, passphrase)
-		if err != nil {
-			return nil, err
-		}
+		return ssh.ParsePrivateKeyWithPassphrase(key, passphrase)
 	}
-	return ssh.PublicKeys(signer), nil
+	return signer, nil
 }
 
 func ReadPassphrase() []byte {