Diffstat (limited to 'test')
-rw-r--r--test/apiv2/20-containers.at4
-rw-r--r--test/apiv2/27-containersEvents.at27
-rw-r--r--test/e2e/common_test.go28
-rw-r--r--test/e2e/image_scp_test.go38
-rw-r--r--test/e2e/libpod_suite_remote_test.go6
-rw-r--r--test/e2e/pod_create_test.go62
-rw-r--r--test/e2e/pod_initcontainers_test.go2
-rw-r--r--test/e2e/run_test.go2
-rw-r--r--test/system/120-load.bats29
-rw-r--r--test/system/180-blkio.bats2
-rw-r--r--test/system/520-checkpoint.bats2
-rw-r--r--test/system/helpers.bash20
-rw-r--r--test/utils/utils.go5
13 files changed, 173 insertions, 54 deletions
diff --git a/test/apiv2/20-containers.at b/test/apiv2/20-containers.at
index 5a02ca3cb..554a905d4 100644
--- a/test/apiv2/20-containers.at
+++ b/test/apiv2/20-containers.at
@@ -18,7 +18,7 @@ podman rm -a -f &>/dev/null
t GET "libpod/containers/json (at start: clean slate)" 200 length=0
-podman run $IMAGE true
+podman run -v /tmp:/tmp $IMAGE true
t GET libpod/containers/json 200 length=0
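Review bot: The added `-v /tmp:/tmp` gives the test container a writable bind mount of the host's /tmp, although the later checks only need the mount to show up in the `Mounts` field. A read-only mount, `podman run -v /tmp:/tmp:ro $IMAGE true`, should satisfy the same assertions with less access to the host. The `.[0].Mounts~.*/tmp` patterns added in the next two hunks match any value that merely contains `/tmp`, so they would not notice a wrong destination such as `/tmpfoo`.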
@@ -33,6 +33,7 @@ t GET libpod/containers/json?all=true 200 \
.[0].Command[0]="true" \
.[0].State~\\\(exited\\\|stopped\\\) \
.[0].ExitCode=0 \
+ .[0].Mounts~.*/tmp \
.[0].IsInfra=false
# Test compat API for Network Settings (.Network is N/A when rootless)
@@ -44,6 +45,7 @@ t GET /containers/json?all=true 200 \
length=1 \
.[0].Id~[0-9a-f]\\{64\\} \
.[0].Image=$IMAGE \
+ .[0].Mounts~.*/tmp \
$network_expect
# compat API imageid with sha256: prefix
diff --git a/test/apiv2/27-containersEvents.at b/test/apiv2/27-containersEvents.at
new file mode 100644
index 000000000..a86f2e353
--- /dev/null
+++ b/test/apiv2/27-containersEvents.at
@@ -0,0 +1,27 @@
+# -*- sh -*-
+#
+# test container-related events
+#
+
+podman pull $IMAGE &>/dev/null
+
+# Ensure clean slate
+podman rm -a -f &>/dev/null
+
+START=$(date +%s)
+
+podman run $IMAGE false || true
+
+# libpod api
+t GET "libpod/events?stream=false&since=$START" 200 \
+ 'select(.status | contains("start")).Action=start' \
+ 'select(.status | contains("died")).Action=died' \
+ 'select(.status | contains("died")).Actor.Attributes.containerExitCode=1'
+
+# compat api, uses status=die (#12643)
+t GET "events?stream=false&since=$START" 200 \
+ 'select(.status | contains("start")).Action=start' \
+ 'select(.status | contains("die")).Action=die' \
+ 'select(.status | contains("die")).Actor.Attributes.exitCode=1'
+
+# vim: filetype=sh
diff --git a/test/e2e/common_test.go b/test/e2e/common_test.go
index 6e1a62b99..bd744aa78 100644
--- a/test/e2e/common_test.go
+++ b/test/e2e/common_test.go
@@ -274,14 +274,32 @@ func PodmanTestCreateUtil(tempDir string, remote bool) *PodmanTestIntegration {
}
if remote {
- uuid := stringid.GenerateNonCryptoID()
+ var pathPrefix string
if !rootless.IsRootless() {
- p.RemoteSocket = fmt.Sprintf("unix:/run/podman/podman-%s.sock", uuid)
+ pathPrefix = "/run/podman/podman"
} else {
runtimeDir := os.Getenv("XDG_RUNTIME_DIR")
- socket := fmt.Sprintf("podman-%s.sock", uuid)
- fqpath := filepath.Join(runtimeDir, socket)
- p.RemoteSocket = fmt.Sprintf("unix:%s", fqpath)
+ pathPrefix = filepath.Join(runtimeDir, "podman")
+ }
+ // We want to avoid collisions in socket paths, but using the
+ // socket directly for a collision check doesn’t work; bind(2) on AF_UNIX
+ // creates the file, and we need to pass a unique path now before the bind(2)
+ // happens. So, use a podman-%s.sock-lock empty file as a marker.
+ tries := 0
+ for {
+ uuid := stringid.GenerateNonCryptoID()
+ lockPath := fmt.Sprintf("%s-%s.sock-lock", pathPrefix, uuid)
+ lockFile, err := os.OpenFile(lockPath, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0700)
+ if err == nil {
+ lockFile.Close()
+ p.RemoteSocketLock = lockPath
+ p.RemoteSocket = fmt.Sprintf("unix:%s-%s.sock", pathPrefix, uuid)
+ break
+ }
+ tries++
+ if tries >= 1000 {
+ panic("Too many RemoteSocket collisions")
+ }
}
}
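Review bot: The retry loop treats every `os.OpenFile` failure as a name collision, so a missing directory or a permission error burns all 1000 tries and then panics with the misleading "Too many RemoteSocket collisions". Retry only when the file already exists, e.g. `if !os.IsExist(err) { panic(err) }` right after the `err == nil` branch. An unset `XDG_RUNTIME_DIR` makes `pathPrefix` the relative path `podman`, so the lock and socket land in the current directory; failing early on an empty value would be safer. The marker is an empty file, so mode `0600` is enough instead of `0700`. PodmanTestCreateUtil starts and ends outside this hunk.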
diff --git a/test/e2e/image_scp_test.go b/test/e2e/image_scp_test.go
index 6651a04b5..767b355d9 100644
--- a/test/e2e/image_scp_test.go
+++ b/test/e2e/image_scp_test.go
@@ -29,7 +29,6 @@ var _ = Describe("podman image scp", func() {
panic(err)
}
os.Setenv("CONTAINERS_CONF", conf.Name())
-
tempdir, err = CreateTempDirInTempDir()
if err != nil {
os.Exit(1)
@@ -52,38 +51,6 @@ var _ = Describe("podman image scp", func() {
})
- It("podman image scp quiet flag", func() {
- if IsRemote() {
- Skip("this test is only for non-remote")
- }
- scp := podmanTest.Podman([]string{"image", "scp", "-q", ALPINE})
- scp.WaitWithDefaultTimeout()
- Expect(scp).To(Exit(0))
- })
-
- It("podman image scp root to rootless transfer", func() {
- SkipIfNotRootless("this is a rootless only test, transferring from root to rootless using PodmanAsUser")
- if IsRemote() {
- Skip("this test is only for non-remote")
- }
- env := os.Environ()
- img := podmanTest.PodmanAsUser([]string{"image", "pull", ALPINE}, 0, 0, "", env) // pull image to root
- img.WaitWithDefaultTimeout()
- Expect(img).To(Exit(0))
- scp := podmanTest.PodmanAsUser([]string{"image", "scp", "root@localhost::" + ALPINE, "1000:1000@localhost::"}, 0, 0, "", env) //transfer from root to rootless (us)
- scp.WaitWithDefaultTimeout()
- Expect(scp).To(Exit(0))
-
- list := podmanTest.Podman([]string{"image", "list"}) // our image should now contain alpine loaded in from root
- list.WaitWithDefaultTimeout()
- Expect(list).To(Exit(0))
- Expect(list.OutputToStringArray()).To(ContainElement(HavePrefix("quay.io/libpod/alpine")))
-
- scp = podmanTest.PodmanAsUser([]string{"image", "scp", "root@localhost::" + ALPINE}, 0, 0, "", env) //transfer from root to rootless (us)
- scp.WaitWithDefaultTimeout()
- Expect(scp).To(Exit(0))
- })
-
It("podman image scp bogus image", func() {
if IsRemote() {
Skip("this test is only for non-remote")
@@ -119,11 +86,8 @@ var _ = Describe("podman image scp", func() {
scp.Wait(45)
// exit with error because we cannot make an actual ssh connection
// This tests that the input we are given is validated and prepared correctly
- // Error: failed to connect: dial tcp: address foo: missing port in address
+ // The error given should either be a missing image (due to testing suite complications) or a i/o timeout on ssh
Expect(scp).To(ExitWithError())
- Expect(scp.ErrorToString()).To(ContainSubstring(
- "Error: failed to connect: dial tcp 66.151.147.142:2222: i/o timeout",
- ))
})
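Review bot: With the `ContainSubstring` check removed, the spec at the end of this hunk passes on any non-zero exit, so it no longer shows that the input was "validated and prepared correctly" as the comment above it says. The new comment names two acceptable errors; assert them instead of only describing them, e.g. `Expect(scp.ErrorToString()).To(Or(ContainSubstring("i/o timeout"), ContainSubstring(<missing-image message>)))`, where the second string is a placeholder for the real message. That keeps the match free of the hard-coded address the old assertion depended on. The enclosing `It` starts outside the hunk.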
diff --git a/test/e2e/libpod_suite_remote_test.go b/test/e2e/libpod_suite_remote_test.go
index d60383029..4644e3748 100644
--- a/test/e2e/libpod_suite_remote_test.go
+++ b/test/e2e/libpod_suite_remote_test.go
@@ -1,3 +1,4 @@
+//go:build remote
// +build remote
package integration
@@ -143,6 +144,11 @@ func (p *PodmanTestIntegration) StopRemoteService() {
if err := os.Remove(socket); err != nil {
fmt.Println(err)
}
+ if p.RemoteSocketLock != "" {
+ if err := os.Remove(p.RemoteSocketLock); err != nil {
+ fmt.Println(err)
+ }
+ }
}
//MakeOptions assembles all the podman main options
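Review bot: The ordering requirement for this cleanup is documented only on the `RemoteSocketLock` field in test/utils/utils.go, so a later edit here could move the lock removal above the socket removal without noticing. Add a comment before the new block, such as `// Remove the lock last: while it exists, the same socket name cannot be handed out again.` Both removals only print their error, so a leftover `.sock-lock` file goes unnoticed by the test run. StopRemoteService starts outside this hunk.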
diff --git a/test/e2e/pod_create_test.go b/test/e2e/pod_create_test.go
index 41a017a52..fab107af8 100644
--- a/test/e2e/pod_create_test.go
+++ b/test/e2e/pod_create_test.go
@@ -9,6 +9,8 @@ import (
"strconv"
"strings"
+ "github.com/containers/common/pkg/apparmor"
+ "github.com/containers/common/pkg/seccomp"
"github.com/containers/common/pkg/sysinfo"
"github.com/containers/podman/v3/pkg/rootless"
"github.com/containers/podman/v3/pkg/util"
@@ -16,6 +18,7 @@ import (
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
. "github.com/onsi/gomega/gexec"
+ "github.com/opencontainers/selinux/go-selinux"
)
var _ = Describe("Podman pod create", func() {
@@ -967,4 +970,63 @@ ENTRYPOINT ["sleep","99999"]
Expect(inspect).Should(Exit(0))
Expect(inspect.OutputToString()).Should(Equal("host"))
})
+
+ It("podman pod create --security-opt", func() {
+ if !selinux.GetEnabled() {
+ Skip("SELinux not enabled")
+ }
+ podCreate := podmanTest.Podman([]string{"pod", "create", "--security-opt", "label=type:spc_t", "--security-opt", "seccomp=unconfined"})
+ podCreate.WaitWithDefaultTimeout()
+ Expect(podCreate).Should(Exit(0))
+
+ ctrCreate := podmanTest.Podman([]string{"container", "create", "--pod", podCreate.OutputToString(), ALPINE})
+ ctrCreate.WaitWithDefaultTimeout()
+ Expect(ctrCreate).Should(Exit(0))
+
+ ctrInspect := podmanTest.InspectContainer(ctrCreate.OutputToString())
+ Expect(ctrInspect[0].HostConfig.SecurityOpt).To(Equal([]string{"label=type:spc_t", "seccomp=unconfined"}))
+
+ podCreate = podmanTest.Podman([]string{"pod", "create", "--security-opt", "label=disable"})
+ podCreate.WaitWithDefaultTimeout()
+ Expect(podCreate).Should(Exit(0))
+
+ ctrCreate = podmanTest.Podman([]string{"container", "run", "-it", "--pod", podCreate.OutputToString(), ALPINE, "cat", "/proc/self/attr/current"})
+ ctrCreate.WaitWithDefaultTimeout()
+ Expect(ctrCreate).Should(Exit(0))
+ match, _ := ctrCreate.GrepString("spc_t")
+ Expect(match).Should(BeTrue())
+ })
+
+ It("podman pod create --security-opt seccomp", func() {
+ if !seccomp.IsEnabled() {
+ Skip("seccomp is not enabled")
+ }
+ podCreate := podmanTest.Podman([]string{"pod", "create", "--security-opt", "seccomp=unconfined"})
+ podCreate.WaitWithDefaultTimeout()
+ Expect(podCreate).Should(Exit(0))
+
+ ctrCreate := podmanTest.Podman([]string{"container", "create", "--pod", podCreate.OutputToString(), ALPINE})
+ ctrCreate.WaitWithDefaultTimeout()
+ Expect(ctrCreate).Should(Exit(0))
+
+ ctrInspect := podmanTest.InspectContainer(ctrCreate.OutputToString())
+ Expect(ctrInspect[0].HostConfig.SecurityOpt).To(Equal([]string{"seccomp=unconfined"}))
+ })
+
+ It("podman pod create --security-opt apparmor test", func() {
+ if !apparmor.IsEnabled() {
+ Skip("Apparmor is not enabled")
+ }
+ podCreate := podmanTest.Podman([]string{"pod", "create", "--security-opt", fmt.Sprintf("apparmor=%s", apparmor.Profile)})
+ podCreate.WaitWithDefaultTimeout()
+ Expect(podCreate).Should(Exit(0))
+
+ ctrCreate := podmanTest.Podman([]string{"container", "create", "--pod", podCreate.OutputToString(), ALPINE})
+ ctrCreate.WaitWithDefaultTimeout()
+ Expect(ctrCreate).Should(Exit(0))
+
+ inspect := podmanTest.InspectContainer(ctrCreate.OutputToString())
+ Expect(inspect[0].AppArmorProfile).To(Equal(apparmor.Profile))
+
+ })
})
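Review bot: `ctrInspect[0]` and `inspect[0]` are indexed without a length check in all three new specs, so an empty inspect result panics the spec instead of failing an assertion; add `Expect(ctrInspect).To(HaveLen(1))` (and the same for `inspect`) before each use. The seccomp and AppArmor specs check only what inspect reports, whereas the SELinux spec also reads `/proc/self/attr/current` inside the container. A matching runtime check, for instance on the Seccomp field of `/proc/self/status`, would confirm the option is actually applied to the container and not just recorded. `match, _ := ctrCreate.GrepString("spc_t")` also discards the second return value. The enclosing `Describe` starts outside the hunk.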
diff --git a/test/e2e/pod_initcontainers_test.go b/test/e2e/pod_initcontainers_test.go
index 11e7ca400..e73f28a7a 100644
--- a/test/e2e/pod_initcontainers_test.go
+++ b/test/e2e/pod_initcontainers_test.go
@@ -135,7 +135,7 @@ var _ = Describe("Podman init containers", func() {
filename := filepath.Join("/dev/shm", RandomString(12))
// Write the date to a file
- session := podmanTest.Podman([]string{"create", "--init-ctr", "always", "--pod", "new:foobar", ALPINE, "bin/sh", "-c", fmt.Sprintf("date > %s", filename)})
+ session := podmanTest.Podman([]string{"create", "--init-ctr", "always", "--pod", "new:foobar", fedoraMinimal, "bin/sh", "-c", "date +%T.%N > " + filename})
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0))
verify := podmanTest.Podman([]string{"create", "--pod", "foobar", "-t", ALPINE, "top"})
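Review bot: The switch from `ALPINE` to `fedoraMinimal` for the init container has no comment, and the `verify` container just below still uses `ALPINE`, so the reason is easy to lose. Presumably the Alpine image's `date` does not support `%N`, since run_test.go in this same commit drops `date +%N` under `ALPINE`. If so, say it next to the call: `// fedoraMinimal: needs a date that supports %N (sub-second resolution)`. The enclosing `It` starts and ends outside the hunk.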
diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
index 8db23080e..e98f2c999 100644
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@@ -1315,7 +1315,7 @@ USER mail`, BB)
Expect(err).To(BeNil())
file.Close()
- session := podmanTest.Podman([]string{"run", "-dt", "--restart", "always", "-v", fmt.Sprintf("%s:/tmp/runroot:Z", testDir), ALPINE, "sh", "-c", "date +%N > /tmp/runroot/ran && while test -r /tmp/runroot/running; do sleep 0.1s; done"})
+ session := podmanTest.Podman([]string{"run", "-dt", "--restart", "always", "-v", fmt.Sprintf("%s:/tmp/runroot:Z", testDir), ALPINE, "sh", "-c", "touch /tmp/runroot/ran && while test -r /tmp/runroot/running; do sleep 0.1s; done"})
found := false
testFile := filepath.Join(testDir, "ran")
diff --git a/test/system/120-load.bats b/test/system/120-load.bats
index a5508b2f4..541095764 100644
--- a/test/system/120-load.bats
+++ b/test/system/120-load.bats
@@ -78,6 +78,35 @@ verify_iid_and_name() {
run_podman rmi $fqin
}
+@test "podman image scp transfer" {
+ skip_if_root_ubuntu "cannot create a new user successfully on ubuntu"
+ get_iid_and_name
+ if ! is_remote; then
+ if is_rootless; then
+ whoami=$(id -un)
+ run_podman image scp $whoami@localhost::$iid root@localhost::
+ if [ "$status" -ne 0 ]; then
+ die "Command failed: podman image scp transfer"
+ fi
+ whoami=$(id -un)
+ run_podman image scp -q $whoami@localhost::$iid root@localhost::
+ if [ "$status" -ne 0 ]; then
+ die "Command failed: podman image scp quiet transfer failed"
+ fi
+ fi
+ if ! is_rootless; then
+ id -u 1000 &>/dev/null || useradd -u 1000 -g 1000 testingUsr
+ if [ "$status" -ne 0 ]; then
+ die "Command failed: useradd 1000"
+ fi
+ run_podman image scp root@localhost::$iid 1000:1000@localhost::
+ if [ "$status" -ne 0 ]; then
+ die "Command failed: podman image scp transfer"
+ fi
+ fi
+ fi
+}
+
@test "podman load - by image ID" {
# FIXME: how to build a simple archive instead?
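Review bot: `$status` after the `id -u 1000 &>/dev/null || useradd ...` line is not set by that command. In bats it is set by `run`, so here it still holds the result of the last `run_podman` call (presumably made inside `get_iid_and_name`), and a failed `useradd` is never detected. Chain the check instead: `id -u 1000 &>/dev/null || useradd -u 1000 -g 1000 testingUsr || die "Command failed: useradd 1000"`. `-g 1000` also assumes a group with GID 1000 already exists, and the created account is left on the host after the test. The second `whoami=$(id -un)` is redundant.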
diff --git a/test/system/180-blkio.bats b/test/system/180-blkio.bats
index 68449681a..7999c9ec5 100644
--- a/test/system/180-blkio.bats
+++ b/test/system/180-blkio.bats
@@ -8,7 +8,7 @@ load helpers
function teardown() {
lofile=${PODMAN_TMPDIR}/disk.img
if [ -f ${lofile} ]; then
- run_podman '?' rm -t 0 --all --force
+ run_podman '?' rm -t 0 --all --force --ignore
while read path dev; do
if [[ "$path" == "$lofile" ]]; then
diff --git a/test/system/520-checkpoint.bats b/test/system/520-checkpoint.bats
index 723a20cc4..046dfd126 100644
--- a/test/system/520-checkpoint.bats
+++ b/test/system/520-checkpoint.bats
@@ -11,7 +11,7 @@ function setup() {
# TL;DR they keep fixing it then breaking it again. There's a test we
# could run to see if it's fixed, but it's way too complicated. Since
# integration tests also skip checkpoint tests on Ubuntu, do the same here.
- if grep -qiw ubuntu /etc/os-release; then
+ if is_ubuntu; then
skip "FIXME: checkpointing broken in Ubuntu 2004, 2104, 2110, ..."
fi
diff --git a/test/system/helpers.bash b/test/system/helpers.bash
index 7be694dbd..36a88fc10 100644
--- a/test/system/helpers.bash
+++ b/test/system/helpers.bash
@@ -56,7 +56,7 @@ fi
# Setup helper: establish a test environment with exactly the images needed
function basic_setup() {
# Clean up all containers
- run_podman rm -t 0 --all --force
+ run_podman rm -t 0 --all --force --ignore
# ...including external (buildah) ones
run_podman ps --all --external --format '{{.ID}} {{.Names}}'
@@ -109,8 +109,8 @@ function basic_setup() {
# Basic teardown: remove all pods and containers
function basic_teardown() {
echo "# [teardown]" >&2
- run_podman '?' pod rm -t 0 --all --force
- run_podman '?' rm -t 0 --all --force
+ run_podman '?' pod rm -t 0 --all --force --ignore
+ run_podman '?' rm -t 0 --all --force --ignore
command rm -rf $PODMAN_TMPDIR
}
@@ -318,6 +318,10 @@ function wait_for_port() {
# BEGIN miscellaneous tools
# Shortcuts for common needs:
+function is_ubuntu() {
+ grep -qiw ubuntu /etc/os-release
+}
+
function is_rootless() {
[ "$(id -u)" -ne 0 ]
}
@@ -459,6 +463,16 @@ function skip_if_journald_unavailable {
fi
}
+function skip_if_root_ubuntu {
+ if is_ubuntu; then
+ if ! is_remote; then
+ if ! is_rootless; then
+ skip "Cannot run this test on rootful ubuntu, usually due to user errors"
+ fi
+ fi
+ fi
+}
+
#########
# die # Abort with helpful message
#########
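Review bot: `skip_if_root_ubuntu` ignores its argument: the caller in test/system/120-load.bats passes a reason string, but the function always prints its own fixed message. Use the argument with a fallback, `skip "${1:-Cannot run this test on rootful ubuntu, usually due to user errors}"`. The three nested `if`s can be a single condition, `if is_ubuntu && ! is_remote && ! is_rootless; then`.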
diff --git a/test/utils/utils.go b/test/utils/utils.go
index f41024072..1f5067950 100644
--- a/test/utils/utils.go
+++ b/test/utils/utils.go
@@ -41,6 +41,7 @@ type PodmanTest struct {
RemotePodmanBinary string
RemoteSession *os.Process
RemoteSocket string
+ RemoteSocketLock string // If not "", should be removed _after_ RemoteSocket is removed
RemoteCommand *exec.Cmd
ImageCacheDir string
ImageCacheFS string
@@ -469,10 +470,6 @@ func Containerized() bool {
return strings.Contains(string(b), "docker")
}
-func init() {
- rand.Seed(GinkgoRandomSeed())
-}
-
var randomLetters = []rune("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
// RandomString returns a string of given length composed of random characters