Diffstat (limited to 'pkg')
-rw-r--r--pkg/api/handlers/compat/images.go5
-rw-r--r--pkg/api/handlers/compat/images_build.go11
-rw-r--r--pkg/api/server/register_images.go5
-rw-r--r--pkg/bindings/README.md4
-rw-r--r--pkg/bindings/images/build.go7
-rw-r--r--pkg/bindings/images/types.go2
-rw-r--r--pkg/bindings/images/types_list_options.go15
-rw-r--r--pkg/domain/entities/images.go1
-rw-r--r--pkg/domain/infra/abi/images_list.go16
-rw-r--r--pkg/domain/infra/tunnel/images.go2
-rw-r--r--pkg/machine/qemu/machine.go33
-rw-r--r--pkg/rootless/rootless_linux.go15
12 files changed, 100 insertions, 16 deletions
diff --git a/pkg/api/handlers/compat/images.go b/pkg/api/handlers/compat/images.go
index edefce010..ea2df4a73 100644
--- a/pkg/api/handlers/compat/images.go
+++ b/pkg/api/handlers/compat/images.go
@@ -415,8 +415,9 @@ func GetImages(w http.ResponseWriter, r *http.Request) {
All bool
Digests bool
Filter string // Docker 1.24 compatibility
+ Size bool
}{
- // This is where you can override the golang default value for one of fields
+ Size: true,
}
if err := decoder.Decode(&query, r.URL.Query()); err != nil {
@@ -443,7 +444,7 @@ func GetImages(w http.ResponseWriter, r *http.Request) {
imageEngine := abi.ImageEngine{Libpod: runtime}
- listOptions := entities.ImageListOptions{All: query.All, Filter: filterList}
+ listOptions := entities.ImageListOptions{All: query.All, Filter: filterList, Size: query.Size}
summaries, err := imageEngine.List(r.Context(), listOptions)
if err != nil {
utils.Error(w, http.StatusInternalServerError, err)
diff --git a/pkg/api/handlers/compat/images_build.go b/pkg/api/handlers/compat/images_build.go
index 0ebf74f98..08646202a 100644
--- a/pkg/api/handlers/compat/images_build.go
+++ b/pkg/api/handlers/compat/images_build.go
@@ -95,6 +95,7 @@ func BuildImage(w http.ResponseWriter, r *http.Request) {
ForceRm bool `schema:"forcerm"`
From string `schema:"from"`
HTTPProxy bool `schema:"httpproxy"`
+ IdentityLabel bool `schema:"identitylabel"`
Ignore bool `schema:"ignore"`
Isolation string `schema:"isolation"`
Jobs int `schema:"jobs"` // nolint
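Review bot: The new `identitylabel` query parameter has no API documentation in this diff: the register_images.go section documents only `size`, so unless the build endpoint's swagger block is updated elsewhere, clients cannot discover the parameter or its default. I would add a swagger entry beside the other build parameters, giving the name `identitylabel`, `in: query`, `type: boolean`, `default: true` and a one-line description saying it controls whether the builder's identity label is added to the image. The `IdentityLabel: true` default in the second hunk and the `types.NewOptionalBool(query.IdentityLabel)` mapping in the third hunk match that description. BuildImage starts and ends outside these hunks.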
@@ -126,10 +127,11 @@ func BuildImage(w http.ResponseWriter, r *http.Request) {
UnsetEnvs []string `schema:"unsetenv"`
Secrets string `schema:"secrets"`
}{
- Dockerfile: "Dockerfile",
- Registry: "docker.io",
- Rm: true,
- ShmSize: 64 * 1024 * 1024,
+ Dockerfile: "Dockerfile",
+ IdentityLabel: true,
+ Registry: "docker.io",
+ Rm: true,
+ ShmSize: 64 * 1024 * 1024,
}
decoder := r.Context().Value(api.DecoderKey).(*schema.Decoder)
@@ -522,6 +524,7 @@ func BuildImage(w http.ResponseWriter, r *http.Request) {
DNSSearch: dnssearch,
DNSServers: dnsservers,
HTTPProxy: query.HTTPProxy,
+ IdentityLabel: types.NewOptionalBool(query.IdentityLabel),
LabelOpts: labelOpts,
Memory: query.Memory,
MemorySwap: query.MemSwap,
diff --git a/pkg/api/server/register_images.go b/pkg/api/server/register_images.go
index 89f808e7d..2ed7aa054 100644
--- a/pkg/api/server/register_images.go
+++ b/pkg/api/server/register_images.go
@@ -840,6 +840,11 @@ func (s *APIServer) registerImagesHandlers(r *mux.Router) error {
// - `id`=(`<image-id>`)
// - `since`=(`<image-name>[:<tag>]`, `<image id>` or `<image@digest>`)
// type: string
+ // - name: size
+ // in: query
+ // description: Compute the size of each image
+ // type: boolean
+ // default: true
// produces:
// - application/json
// responses:
diff --git a/pkg/bindings/README.md b/pkg/bindings/README.md
index 2863039e4..ebc8a13d1 100644
--- a/pkg/bindings/README.md
+++ b/pkg/bindings/README.md
@@ -30,6 +30,10 @@ rootful connections is `/run/podman/podman.sock` and for rootless it is `/run/US
information about the Podman system service, see `man podman-system-service`.
### Creating a connection
+Ensure the [required dependencies](https://podman.io/getting-started/installation#build-and-run-dependencies) are installed,
+as they will be required to compile a Go program making use of the bindings.
+
+
The first step for using the bindings is to create a connection to the socket. As mentioned earlier, the destination
of the socket depends on the user who owns it. In this case, a rootful connection is made.
diff --git a/pkg/bindings/images/build.go b/pkg/bindings/images/build.go
index ab562377f..15900a2ed 100644
--- a/pkg/bindings/images/build.go
+++ b/pkg/bindings/images/build.go
@@ -19,6 +19,7 @@ import (
"strings"
"github.com/containers/buildah/define"
+ "github.com/containers/image/v5/types"
"github.com/containers/podman/v4/pkg/auth"
"github.com/containers/podman/v4/pkg/bindings"
"github.com/containers/podman/v4/pkg/domain/entities"
@@ -250,6 +251,12 @@ func Build(ctx context.Context, containerFiles []string, options entities.BuildO
params.Set("pullpolicy", options.PullPolicy.String())
+ switch options.CommonBuildOpts.IdentityLabel {
+ case types.OptionalBoolTrue:
+ params.Set("identitylabel", "1")
+ case types.OptionalBoolFalse:
+ params.Set("identitylabel", "0")
+ }
if options.Quiet {
params.Set("q", "1")
}
diff --git a/pkg/bindings/images/types.go b/pkg/bindings/images/types.go
index 75cb38a0a..87ec28dc2 100644
--- a/pkg/bindings/images/types.go
+++ b/pkg/bindings/images/types.go
@@ -31,6 +31,8 @@ type ListOptions struct {
All *bool
// filters that can be used to get a more specific list of images
Filters map[string][]string
+ // Compute the size of each image
+ Size *bool
}
//go:generate go run ../generator/generator.go GetOptions
diff --git a/pkg/bindings/images/types_list_options.go b/pkg/bindings/images/types_list_options.go
index f47cd9c75..7f479630f 100644
--- a/pkg/bindings/images/types_list_options.go
+++ b/pkg/bindings/images/types_list_options.go
@@ -46,3 +46,18 @@ func (o *ListOptions) GetFilters() map[string][]string {
}
return o.Filters
}
+
+// WithSize set field Size to given value
+func (o *ListOptions) WithSize(value bool) *ListOptions {
+ o.Size = &value
+ return o
+}
+
+// GetSize returns value of field Size
+func (o *ListOptions) GetSize() bool {
+ if o.Size == nil {
+ var z bool
+ return z
+ }
+ return *o.Size
+}
diff --git a/pkg/domain/entities/images.go b/pkg/domain/entities/images.go
index 7081c5d25..56126f46c 100644
--- a/pkg/domain/entities/images.go
+++ b/pkg/domain/entities/images.go
@@ -251,6 +251,7 @@ type ImageSearchReport struct {
type ImageListOptions struct {
All bool `json:"all" schema:"all"`
Filter []string `json:"Filter,omitempty"`
+ Size bool `json:"size" schema:"size"`
}
type ImagePruneOptions struct {
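Review bot: `Size` is a plain bool, so any Go caller that builds `entities.ImageListOptions` without naming the field now gets `false`, and the abi `List` hunk in this commit then skips `img.Size()` and leaves `Size` and `VirtualSize` at 0. Only the compat handler's `Size: true` default and the tunnel's `WithSize(opts.Size)` are visible here; callers outside `pkg` are not shown, so it is worth checking that they set the field. A reported size of 0 also cannot be told apart from a real value by a consumer that uses it for disk accounting. I would document this on the field: `// Size requests per-image size computation; when false, Size and VirtualSize are reported as 0.`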
diff --git a/pkg/domain/infra/abi/images_list.go b/pkg/domain/infra/abi/images_list.go
index 9a0aaaf3a..8825f1ac6 100644
--- a/pkg/domain/infra/abi/images_list.go
+++ b/pkg/domain/infra/abi/images_list.go
@@ -60,14 +60,16 @@ func (ir *ImageEngine) List(ctx context.Context, opts entities.ImageListOptions)
}
e.Containers = len(ctnrs)
- sz, err := img.Size()
- if err != nil {
- return nil, errors.Wrapf(err, "error retrieving size of image %q: you may need to remove the image to resolve the error", img.ID())
+ if opts.Size {
+ sz, err := img.Size()
+ if err != nil {
+ return nil, errors.Wrapf(err, "error retrieving size of image %q: you may need to remove the image to resolve the error", img.ID())
+ }
+ e.Size = sz
+ // This is good enough for now, but has to be
+ // replaced later with correct calculation logic
+ e.VirtualSize = sz
}
- e.Size = sz
- // This is good enough for now, but has to be
- // replaced later with correct calculation logic
- e.VirtualSize = sz
parent, err := img.Parent(ctx)
if err != nil {
diff --git a/pkg/domain/infra/tunnel/images.go b/pkg/domain/infra/tunnel/images.go
index 18e10e8dd..4694189e3 100644
--- a/pkg/domain/infra/tunnel/images.go
+++ b/pkg/domain/infra/tunnel/images.go
@@ -38,7 +38,7 @@ func (ir *ImageEngine) List(ctx context.Context, opts entities.ImageListOptions)
f := strings.Split(filter, "=")
filters[f[0]] = f[1:]
}
- options := new(images.ListOptions).WithAll(opts.All).WithFilters(filters)
+ options := new(images.ListOptions).WithAll(opts.All).WithFilters(filters).WithSize(opts.Size)
psImages, err := images.List(ir.ClientCtx, options)
if err != nil {
return nil, err
diff --git a/pkg/machine/qemu/machine.go b/pkg/machine/qemu/machine.go
index 5d1ba511c..321c1b99c 100644
--- a/pkg/machine/qemu/machine.go
+++ b/pkg/machine/qemu/machine.go
@@ -439,6 +439,19 @@ func (v *MachineVM) Set(_ string, opts machine.SetOptions) error {
return nil
}
+ running, err := v.isRunning()
+ if err != nil {
+ return err
+ }
+
+ if running {
+ suffix := ""
+ if v.Name != machine.DefaultMachineName {
+ suffix = " " + v.Name
+ }
+ return errors.Errorf("cannot change setting while the vm is running, run 'podman machine stop%s' first", suffix)
+ }
+
changeCon, err := machine.AnyConnectionDefault(v.Name, v.Name+"-root")
if err != nil {
return err
@@ -846,6 +859,9 @@ func (v *MachineVM) Remove(_ string, opts machine.RemoveOptions) (string, func()
return confirmationMessage, func() error {
for _, f := range files {
if err := os.Remove(f); err != nil {
+ if errors.Is(err, os.ErrNotExist) {
+ continue
+ }
logrus.Error(err)
}
}
@@ -1120,11 +1136,16 @@ func (v *MachineVM) setupAPIForwarding(cmd []string) ([]string, string, apiForwa
cmd = append(cmd, []string{"-forward-dest", destSock}...)
cmd = append(cmd, []string{"-forward-user", forwardUser}...)
cmd = append(cmd, []string{"-forward-identity", v.IdentityPath}...)
- link := socket.GetPath()
// The linking pattern is /var/run/docker.sock -> user global sock (link) -> machine sock (socket)
// This allows the helper to only have to maintain one constant target to the user, which can be
// repositioned without updating docker.sock.
+
+ link, err := v.userGlobalSocketLink()
+ if err != nil {
+ return cmd, socket.GetPath(), machineLocal
+ }
+
if !dockerClaimSupported() {
return cmd, socket.GetPath(), claimUnsupported
}
@@ -1163,6 +1184,16 @@ func (v *MachineVM) isIncompatible() bool {
return v.UID == -1
}
+func (v *MachineVM) userGlobalSocketLink() (string, error) {
+ path, err := machine.GetDataDir(v.Name)
+ if err != nil {
+ logrus.Errorf("Resolving data dir: %s", err.Error())
+ return "", err
+ }
+ // User global socket is located in parent directory of machine dirs (one per user)
+ return filepath.Join(filepath.Dir(path), "podman.sock"), err
+}
+
func (v *MachineVM) forwardSocketPath() (*MachineFile, error) {
sockName := "podman.sock"
path, err := machine.GetDataDir(v.Name)
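Review bot: `userGlobalSocketLink` ends with `return filepath.Join(filepath.Dir(path), "podman.sock"), err`, where `err` is always nil at that point; `return filepath.Join(filepath.Dir(path), "podman.sock"), nil` says so directly and cannot later return a path together with an error. The helper also has no doc comment, although the `/var/run/docker.sock` link chain described in setupAPIForwarding depends on this path; something like `// userGlobalSocketLink returns the per-user podman.sock path in the parent of the machine data dir.` would do. The caller in the setupAPIForwarding hunk drops the returned error and falls back to `machineLocal`, so the `logrus.Errorf` here is the only record of the failure and should stay. forwardSocketPath, at the end of this hunk, continues outside it.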
diff --git a/pkg/rootless/rootless_linux.go b/pkg/rootless/rootless_linux.go
index cff6de5a3..e4d89294e 100644
--- a/pkg/rootless/rootless_linux.go
+++ b/pkg/rootless/rootless_linux.go
@@ -25,6 +25,7 @@ import (
"github.com/containers/storage/pkg/unshare"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
+ "github.com/syndtr/gocapability/capability"
"golang.org/x/sys/unix"
)
@@ -114,8 +115,14 @@ func GetRootlessGID() int {
func tryMappingTool(uid bool, pid int, hostID int, mappings []idtools.IDMap) error {
var tool = "newuidmap"
+ mode := os.ModeSetuid
+ cap := capability.CAP_SETUID
+ idtype := "setuid"
if !uid {
tool = "newgidmap"
+ mode = os.ModeSetgid
+ cap = capability.CAP_SETGID
+ idtype = "setgid"
}
path, err := exec.LookPath(tool)
if err != nil {
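Review bot: The local `cap` added here shadows Go's builtin `cap` for the rest of tryMappingTool. A different name avoids that, for example `capType := capability.CAP_SETUID` with `capType = capability.CAP_SETGID` in the `!uid` branch. The function body continues outside this hunk, where the variable is passed to `unshare.IsSetID` in the later hunk, so the rename has to be applied there as well.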
@@ -147,7 +154,13 @@ func tryMappingTool(uid bool, pid int, hostID int, mappings []idtools.IDMap) err
if output, err := cmd.CombinedOutput(); err != nil {
logrus.Errorf("running `%s`: %s", strings.Join(args, " "), output)
- return errors.Wrapf(err, "cannot setup namespace using %q", path)
+ errorStr := fmt.Sprintf("cannot setup namespace using %q", path)
+ if isSet, err := unshare.IsSetID(cmd.Path, mode, cap); err != nil {
+ logrus.Errorf("Failed to check for %s on %s: %v", idtype, path, err)
+ } else if !isSet {
+ errorStr = fmt.Sprintf("%s: should have %s or have filecaps %s", errorStr, idtype, idtype)
+ }
+ return errors.Wrapf(err, errorStr)
}
return nil
}
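Review bot: `errors.Wrapf(err, errorStr)` uses a runtime-built string as the format. `errorStr` embeds the `%q`-quoted tool path, so a `%` in that path would be read as a formatting verb and garble the message, and printf-style linters flag non-constant format strings. Use `return errors.Wrap(err, errorStr)` instead. Separately, the hint `should have %s or have filecaps %s` prints `setuid`/`setgid` where a file capability is meant; naming the capability (CAP_SETUID or CAP_SETGID) would be clearer to someone fixing the binary's permissions. tryMappingTool starts in the previous hunk and part of its body is not shown.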