Diffstat (limited to 'test')
-rw-r--r--test/apiv2/01-basic.at12
-rw-r--r--test/apiv2/20-containers.at2
-rw-r--r--test/apiv2/22-stop.at24
-rw-r--r--test/apiv2/40-pods.at3
-rwxr-xr-xtest/apiv2/test-apiv26
-rw-r--r--test/e2e/generate_systemd_test.go2
-rw-r--r--test/e2e/libpod_suite_test.go2
-rw-r--r--test/e2e/run_security_labels.go152
-rw-r--r--test/system/030-run.bats17
9 files changed, 214 insertions, 6 deletions
diff --git a/test/apiv2/01-basic.at b/test/apiv2/01-basic.at
index b8a049cdf..0e94ddb7a 100644
--- a/test/apiv2/01-basic.at
+++ b/test/apiv2/01-basic.at
@@ -41,10 +41,16 @@ t GET libpod/containers/create 405
#
# system info
#
+# Some day perhaps it will always be runc; for now, cgroupsv2 requires crun
+#
# FIXME: run 'podman info --format=json', and compare select fields
-t GET info 200 \
- .OSType=linux \
- .DefaultRuntime=runc \
+runtime=runc
+if have_cgroupsv2; then
+ runtime=crun
+fi
+t GET info 200 \
+ .OSType=linux \
+ .DefaultRuntime~.*$runtime \
.MemTotal~[0-9]\\+
# Timing: make sure server stays responsive
diff --git a/test/apiv2/20-containers.at b/test/apiv2/20-containers.at
index a69e8cc99..3a5d5a398 100644
--- a/test/apiv2/20-containers.at
+++ b/test/apiv2/20-containers.at
@@ -22,7 +22,7 @@ t GET libpod/containers/json?all=true 200 \
.[0].Id~[0-9a-f]\\{12\\} \
.[0].Image=$IMAGE \
.[0].Command[0]="true" \
- .[0].State=exited \
+ .[0].State~\\\(exited\\\|stopped\\\) \
.[0].ExitCode=0 \
.[0].IsInfra=false
diff --git a/test/apiv2/22-stop.at b/test/apiv2/22-stop.at
new file mode 100644
index 000000000..11318ca81
--- /dev/null
+++ b/test/apiv2/22-stop.at
@@ -0,0 +1,24 @@
+# -*- sh -*-
+#
+# test 'stop' endpoints
+#
+
+podman pull $IMAGE &>/dev/null
+
+# stop, by name
+podman run -dt --name mytop $IMAGE top &>/dev/null
+
+t GET libpod/containers/mytop/json 200 .State.Status=running
+t POST libpod/containers/mytop/stop "" 204
+t GET libpod/containers/mytop/json 200 .State.Status~\\\(exited\\\|stopped\\\)
+t DELETE libpod/containers/mytop 204
+
+# stop, by ID
+# Remember that podman() hides all output; we need to get our CID via inspect
+podman run -dt --name mytop $IMAGE top
+
+t GET libpod/containers/mytop/json 200 .State.Status=running
+cid=$(jq -r .Id <<<"$output")
+t POST libpod/containers/$cid/stop "" 204
+t GET libpod/containers/mytop/json 200 .State.Status~\\\(exited\\\|stopped\\\)
+t DELETE libpod/containers/mytop 204
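Review bot: In the "stop, by ID" half, `cid` is read from `$output` with jq and placed straight into the request path without any check, so an empty or `null` value would send the POST to a different path and the 204 assertion would fail for an unrelated reason. Pinning the ID shape in the preceding GET would catch that early, for example `t GET libpod/containers/mytop/json 200 .State.Status=running .Id~[0-9a-f]\\{64\\}` (assuming inspect returns the full 64-character ID). The second `podman run -dt --name mytop $IMAGE top` also drops the `&>/dev/null` used by the first one, which sits oddly next to the comment saying podman() hides all output.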
diff --git a/test/apiv2/40-pods.at b/test/apiv2/40-pods.at
index 8b5651cff..ab345b8f2 100644
--- a/test/apiv2/40-pods.at
+++ b/test/apiv2/40-pods.at
@@ -23,9 +23,10 @@ t POST libpod/pods/create name=foo 409 .cause="pod already exists"
#t POST libpod/pods/create a=b 400 .cause='bad parameter' # FIXME: unimplemented
-if root; then
+if root || have_cgroupsv2; then
t POST libpod/pods/foo/pause '' 204
else
+ # Rootless cgroupsv1 : unsupported
t POST libpod/pods/foo/pause '' 500 \
.cause="this container does not have a cgroup" \
.message~".*pause pods containing rootless containers with cgroup V1"
diff --git a/test/apiv2/test-apiv2 b/test/apiv2/test-apiv2
index bc2ed142c..f0fb4ae34 100755
--- a/test/apiv2/test-apiv2
+++ b/test/apiv2/test-apiv2
@@ -290,6 +290,12 @@ function rootless() {
test "$ROOTLESS" = "true"
}
+# True if cgroups v2 are enabled
+function have_cgroupsv2() {
+ cgroup_type=$(stat -f -c %T /sys/fs/cgroup)
+ test "$cgroup_type" = "cgroup2fs"
+}
+
# END infrastructure code
###############################################################################
# BEGIN sanity checks
diff --git a/test/e2e/generate_systemd_test.go b/test/e2e/generate_systemd_test.go
index d0dadd09d..31131a68b 100644
--- a/test/e2e/generate_systemd_test.go
+++ b/test/e2e/generate_systemd_test.go
@@ -191,7 +191,7 @@ var _ = Describe("Podman generate systemd", func() {
found, _ := session.GrepString("# container-foo.service")
Expect(found).To(BeTrue())
- found, _ = session.GrepString("stop --ignore --cidfile /%t/%n-cid -t 42")
+ found, _ = session.GrepString("stop --ignore --cidfile %t/%n-cid -t 42")
Expect(found).To(BeTrue())
})
diff --git a/test/e2e/libpod_suite_test.go b/test/e2e/libpod_suite_test.go
index 43f08bf03..dc5e91c72 100644
--- a/test/e2e/libpod_suite_test.go
+++ b/test/e2e/libpod_suite_test.go
@@ -122,6 +122,8 @@ func populateCache(podman *PodmanTestIntegration) {
for _, image := range CACHE_IMAGES {
podman.RestoreArtifactToCache(image)
}
+ // logformatter uses this to recognize the first test
+ fmt.Printf("-----------------------------\n")
}
func removeCache() {
diff --git a/test/e2e/run_security_labels.go b/test/e2e/run_security_labels.go
new file mode 100644
index 000000000..a04bdc739
--- /dev/null
+++ b/test/e2e/run_security_labels.go
@@ -0,0 +1,152 @@
+// +build !remoteclient
+
+package integration
+
+import (
+ "os"
+ "strings"
+
+ . "github.com/containers/libpod/test/utils"
+ . "github.com/onsi/ginkgo"
+ . "github.com/onsi/gomega"
+)
+
+var _ = Describe("Podman generate kube", func() {
+ var (
+ tempdir string
+ err error
+ podmanTest *PodmanTestIntegration
+ )
+
+ BeforeEach(func() {
+ tempdir, err = CreateTempDirInTempDir()
+ if err != nil {
+ os.Exit(1)
+ }
+ podmanTest = PodmanTestCreate(tempdir)
+ podmanTest.Setup()
+ podmanTest.SeedImages()
+
+ })
+
+ AfterEach(func() {
+ podmanTest.Cleanup()
+ f := CurrentGinkgoTestDescription()
+ processTestResult(f)
+ })
+
+ It("podman security labels", func() {
+ test1 := podmanTest.Podman([]string{"create", "--label", "io.containers.capabilities=setuid,setgid", "--name", "test1", "alpine", "echo", "test1"})
+ test1.WaitWithDefaultTimeout()
+ Expect(test1.ExitCode()).To(BeZero())
+
+ inspect := podmanTest.Podman([]string{"inspect", "test1"})
+ inspect.WaitWithDefaultTimeout()
+ Expect(inspect.ExitCode()).To(Equal(0))
+
+ ctr := inspect.InspectContainerToJSON()
+ caps := strings.Join(ctr[0].EffectiveCaps, ",")
+ Expect(caps).To(Equal("CAP_SETUID,CAP_SETGID"))
+ })
+
+ It("podman bad security labels", func() {
+ test1 := podmanTest.Podman([]string{"create", "--label", "io.containers.capabilities=sys_admin", "--name", "test1", "alpine", "echo", "test1"})
+ test1.WaitWithDefaultTimeout()
+ Expect(test1.ExitCode()).To(BeZero())
+
+ inspect := podmanTest.Podman([]string{"inspect", "test1"})
+ inspect.WaitWithDefaultTimeout()
+ Expect(inspect.ExitCode()).To(Equal(0))
+
+ ctr := inspect.InspectContainerToJSON()
+ caps := strings.Join(ctr[0].EffectiveCaps, ",")
+ Expect(caps).To(Not(Equal("CAP_SYS_ADMIN")))
+ })
+
+ It("podman --cap-add sys_admin security labels", func() {
+ test1 := podmanTest.Podman([]string{"create", "--cap-add", "SYS_ADMIN", "--label", "io.containers.capabilities=sys_admin", "--name", "test1", "alpine", "echo", "test1"})
+ test1.WaitWithDefaultTimeout()
+ Expect(test1.ExitCode()).To(BeZero())
+
+ inspect := podmanTest.Podman([]string{"inspect", "test1"})
+ inspect.WaitWithDefaultTimeout()
+ Expect(inspect.ExitCode()).To(Equal(0))
+
+ ctr := inspect.InspectContainerToJSON()
+ caps := strings.Join(ctr[0].EffectiveCaps, ",")
+ Expect(caps).To(Equal("CAP_SYS_ADMIN"))
+ })
+
+ It("podman --cap-drop all sys_admin security labels", func() {
+ test1 := podmanTest.Podman([]string{"create", "--cap-drop", "all", "--label", "io.containers.capabilities=sys_admin", "--name", "test1", "alpine", "echo", "test1"})
+ test1.WaitWithDefaultTimeout()
+ Expect(test1.ExitCode()).To(BeZero())
+
+ inspect := podmanTest.Podman([]string{"inspect", "test1"})
+ inspect.WaitWithDefaultTimeout()
+ Expect(inspect.ExitCode()).To(Equal(0))
+
+ ctr := inspect.InspectContainerToJSON()
+ caps := strings.Join(ctr[0].EffectiveCaps, ",")
+ Expect(caps).To(Equal(""))
+ })
+
+ It("podman security labels from image", func() {
+ test1 := podmanTest.Podman([]string{"create", "--name", "test1", "alpine", "echo", "test1"})
+ test1.WaitWithDefaultTimeout()
+ Expect(test1.ExitCode()).To(BeZero())
+
+ commit := podmanTest.Podman([]string{"commit", "-c", "label=io.containers.capabilities=sys_chroot,net_raw", "test1", "image1"})
+ commit.WaitWithDefaultTimeout()
+ Expect(commit.ExitCode()).To(BeZero())
+
+ image1 := podmanTest.Podman([]string{"create", "--name", "test2", "image1", "echo", "test1"})
+ image1.WaitWithDefaultTimeout()
+ Expect(image1.ExitCode()).To(BeZero())
+
+ inspect := podmanTest.Podman([]string{"inspect", "test2"})
+ inspect.WaitWithDefaultTimeout()
+ Expect(inspect.ExitCode()).To(Equal(0))
+
+ ctr := inspect.InspectContainerToJSON()
+ caps := strings.Join(ctr[0].EffectiveCaps, ",")
+ Expect(caps).To(Equal("CAP_SYS_CHROOT,CAP_NET_RAW"))
+
+ })
+
+ It("podman --privileged security labels", func() {
+ pull := podmanTest.Podman([]string{"create", "--privileged", "--label", "io.containers.capabilities=setuid,setgid", "--name", "test1", "alpine", "echo", "test"})
+ pull.WaitWithDefaultTimeout()
+ Expect(pull.ExitCode()).To(BeZero())
+
+ inspect := podmanTest.Podman([]string{"inspect", "test1"})
+ inspect.WaitWithDefaultTimeout()
+ Expect(inspect.ExitCode()).To(Equal(0))
+
+ ctr := inspect.InspectContainerToJSON()
+ caps := strings.Join(ctr[0].EffectiveCaps, ",")
+ Expect(caps).To(Not(Equal("CAP_SETUID,CAP_SETGID")))
+ })
+
+ It("podman container runlabel (podman --version)", func() {
+ PodmanDockerfile := `
+FROM alpine:latest
+LABEL io.containers.capabilities=chown,mknod`
+
+ image := "podman-caps:podman"
+ podmanTest.BuildImage(PodmanDockerfile, image, "false")
+
+ test1 := podmanTest.Podman([]string{"create", "--name", "test1", image, "echo", "test1"})
+ test1.WaitWithDefaultTimeout()
+ Expect(test1.ExitCode()).To(BeZero())
+
+ inspect := podmanTest.Podman([]string{"inspect", "test1"})
+ inspect.WaitWithDefaultTimeout()
+ Expect(inspect.ExitCode()).To(Equal(0))
+
+ ctr := inspect.InspectContainerToJSON()
+ caps := strings.Join(ctr[0].EffectiveCaps, ",")
+ Expect(caps).To(Equal("CAP_CHOWN,CAP_MKNOD"))
+ })
+
+})
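Review bot: The negative assertions in "podman bad security labels" and "podman --privileged security labels" compare the comma-joined capability string with `Not(Equal(...))`, which passes for any other string. A regression where the label adds CAP_SYS_ADMIN on top of the default set would yield a longer list and still pass. Checking membership pins the property the test is about: `Expect(ctr[0].EffectiveCaps).NotTo(ContainElement("CAP_SYS_ADMIN"))`, with a matching positive `ContainElement` check for the privileged case. The `Describe("Podman generate kube", ...)` title and the last spec's name "podman container runlabel (podman --version)" look copied from other suites and should name the capability-label behaviour instead. The file name also lacks the `_test.go` suffix the neighbouring e2e files use, which may affect how it is built outside `go test`.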
diff --git a/test/system/030-run.bats b/test/system/030-run.bats
index f1e9776c1..b89c76981 100644
--- a/test/system/030-run.bats
+++ b/test/system/030-run.bats
@@ -136,4 +136,21 @@ echo $rand | 0 | $rand
run_podman rmi busybox
}
+# 'run --rmi' deletes the image in the end unless it's used by another container.
+@test "podman run --rmi - remove image" {
+ skip_if_remote "podman-remote does not emit 'Trying to pull' msgs"
+ run_podman 0 run --rmi --rm redis /bin/true
+ run_podman 1 image exists redis
+}
+
+
+@test "podman run --rmi - not remove image" {
+ skip_if_remote "podman-remote does not emit 'Trying to pull' msgs"
+ run_podman run redis /bin/true
+ run_podman images | grep redis
+ run_podman run --rmi --rm redis /bin/true
+ run_podman images | grep redis
+ run_podman 0 rm -a
+}
+
# vim: filetype=sh
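Review bot: Both new tests pull the unqualified name `redis` over the network, so the outcome depends on the host's short-name and registry configuration and on whatever that registry serves at run time. A fully qualified, pinned reference, or an image the suite already caches, would make the `--rmi` check reproducible and avoid resolving to an unexpected image. The `skip_if_remote` reason about 'Trying to pull' messages appears to be copied from another test, since neither test inspects pull output; the message should state the real reason `--rmi` is skipped for remote. In the second test the container left by `run_podman run redis /bin/true` is removed, but the `redis` image is never cleaned up, so later tests start with it present.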