Cirrus: Implement podman automation 2.0

Reimplement CI-automation to remove accumulated technical-debt and optimize workflow. The task-dependency graph designed goal was to shorten it's depth and increase width (i.e. more parallelism). A reduction in redundant building (and 3rd party module download) was also realized by caching `$GOPATH` and `$GOCACHE` early on. This cache is then reused in favor of a fresh clone of the repository (when possible). Note: The system tests typically execute MUCH faster than the integration tests. However, contrary to a fail-fast/fail-early principal, they are executed last. This was implemented due to debug-ability related concerns/preferences of the primary (golang-centric) project developers. Signed-off-by: Chris Evich <cevich@redhat.com>
2020-06-25 17:38:33 -04:00 · 2020-06-25 17:38:33 -04:00 · 2c9084e224
parent b58980a43c
commit 2c9084e224
26 changed files with 1203 additions and 1811 deletions
--- a/.cirrus.yml
+++ b/.cirrus.yml
--- a/.golangci.yml
+++ b/.golangci.yml
@ -11,20 +11,32 @@ run:
    - pkg/varlink
    - pkg/varlinkapi
    - docs/varlink
    - vendor
  skip-files:
    - iopodman.go
    - swagger.go
  modules-download-mode: readonly
 linters:
  enable-all: true
  disable:
    # All these break for one reason or another
    - dupl
    - funlen
    - gochecknoglobals
    - gochecknoinits
    - goconst
    - gocyclo
-    - gosec
+    - golint
    - lll
    - structcheck
    - typecheck
    - unconvert
    - varcheck
    - deadcode
    - depguard
    - errcheck
    - gocritic
    - gosec
    - maligned
 linters-settings:
  errcheck:
--- a/8
+++ b/8
@ -169,7 +169,13 @@ golangci-lint: .gopathok varlink_generate .install.golangci-lint
 .PHONY: gofmt
 gofmt: ## Verify the source code gofmt
-	find . -name '*.go' ! -path './vendor/*' -exec gofmt -s -w {} \+
+	find . -name '*.go' -type f \
 		-not \( \
 			-name '.golangci.yml' -o \
 			-name 'Makefile' -o \
 			-path './vendor/*' -prune -o \
 			-path './contrib/*' -prune \
 		\) -exec gofmt -d -e -s -w {} \+
 	git diff --exit-code
 .PHONY: test/checkseccomp/checkseccomp
--- a/contrib/cirrus/README.md
+++ b/contrib/cirrus/README.md
@ -1,150 +0,0 @@
 ![PODMAN logo](../../logo/podman-logo-source.svg)
 # Cirrus-CI
 Similar to other integrated github CI/CD services, Cirrus utilizes a simple
 YAML-based configuration/description file: ``.cirrus.yml``.  Ref: https://cirrus-ci.org/
 ## Workflow
 All tasks execute in parallel, unless there are conditions or dependencies
 which alter this behavior.  Within each task, each script executes in sequence,
 so long as any previous script exited successfully.  The overall state of each
 task (pass or fail) is set based on the exit status of the last script to execute.
 ### ``gating`` Task
 ***N/B: Steps below are performed by automation***
 1. Launch a purpose-built container in Cirrus's community cluster.
   For container image details, please see
   [the contributors guide](https://github.com/containers/podman/blob/master/CONTRIBUTING.md#go-format-and-lint).
 3. ``validate``: Perform standard `make validate` source verification,
   Should run for less than a minute or two.
 4. ``lint``: Execute regular `make lint` to check for any code cruft.
   Should also run for less than a few minutes.
 5. ``vendor``: runs `make vendor-in-container` followed by `./hack/tree_status.sh` to check
   whether the git tree is clean. The reasoning for that is to make sure that
   the vendor.conf, the code and the vendored packages in ./vendor are in sync
   at all times.
 ### ``meta`` Task
 ***N/B: Steps below are performed by automation***
 1. Launch a container built from definition in ``./contrib/imgts``.
 2. Update VM Image metadata to help track usage across all automation.
 4. Always exits successfully unless there's a major problem.
 ### ``testing`` Task
 ***N/B: Steps below are performed by automation***
 1. After `gating` passes, spin up one VM per
   `matrix: image_name` item. Once accessible, ``ssh``
   into each VM as the `root` user.
 2. ``setup_environment.sh``: Configure root's `.bash_profile`
    for all subsequent scripts (each run in a new shell).  Any
    distribution-specific environment variables are also defined
    here.  For example, setting tags/flags to use compiling.
 5. ``integration_test.sh``: Execute integration-testing.  This is
   much more involved, and relies on access to external
   resources like container images and code from other repositories.
   Total execution time is capped at 2-hours (includes all the above)
   but this script normally completes in less than an hour.
 ### ``special_testing_cross`` Task
 Confirm that cross-compile of podman-remote functions for both `windows`
 and `darwin` targets.
 ### ``special_testing_cgroupv2`` Task
 Use the latest Fedora release with the required kernel options pre-set for
 exercising cgroups v2 with Podman integration tests.  Also depends on
 having `SPECIALMODE` set to 'cgroupv2`
 ### `docs` Task
 Builds swagger API documentation YAML and uploads to google storage (an online
 service for storing unstructured data) for both
 PR's (for testing the process) and the master branch.  For PR's
 the YAML is uploaded into a [dedicated short-pruning cycle
 bucket.](https://storage.googleapis.com/libpod-pr-releases/) for testing purposes
 only.  For the master branch, a [separate bucket is
 used](https://storage.googleapis.com/libpod-master-releases) and provides the
 content rendered on [the API Reference page](https://docs.podman.io/en/latest/_static/api.html)
 The online API reference is presented by javascript to the client.  To prevent hijacking
 of the client by malicious data, the [javascript utilises CORS](https://cloud.google.com/storage/docs/cross-origin).
 This CORS metadata is served by `https://storage.googleapis.com` when configured correctly.
 It will appear in [the request and response headers from the
 client](https://cloud.google.com/storage/docs/configuring-cors#troubleshooting) when accessing
 the API reference page.
 However, when the CORS metadata is missing or incorrectly configured, clients will receive an
 error-message similar to:
 ![Javascript Stack Trace Image](swagger_stack_trace.png)
 For documentation built by Read The Docs from the master branch, CORS metadata is
 set on the `libpod-master-releases` storage bucket.  Viewing or setting the CORS
 metadata on the bucket requires having locally [installed and
 configured the google-cloud SDK](https://cloud.google.com/sdk/docs).  It also requires having
 admin access to the google-storage bucket.  Contact a project owner for help if you are
 unsure of your permissions or need help resolving an error similar to the picture above.
 Assuming the SDK is installed, and you have the required admin access, the following command
 will display the current CORS metadata:
 ```
 gsutil cors get gs://libpod-master-releases
 ```
 To function properly (allow client "trust" of content from `storage.googleapis.com`) the followiing
 metadata JSON should be used.  Following the JSON, is an example of the command used to set this
 metadata on the libpod-master-releases bucket.  For additional information about configuring CORS
 please refer to [the google-storage documentation](https://cloud.google.com/storage/docs/configuring-cors).
 ```JSON
 [
    {
      "origin": ["http://docs.podman.io", "https://docs.podman.io"],
      "responseHeader": ["Content-Type"],
      "method": ["GET"],
      "maxAgeSeconds": 600
    }
 ]
 ```
 ```
 gsutil cors set /path/to/file.json gs://libpod-master-releases
 ```
 ***Note:*** The CORS metadata does _NOT_ change after the `docs` task uploads a new swagger YAML
 file.  Therefore, if it is not functioning or misconfigured, a person must have altered it or
 changes were made to the referring site (e.g. `docs.podman.io`).
 ## `$SPECIALMODE`
 Some tasks alter their behavior based on this value.  A summary of supported
 values follows:
 * `none`: Operate as normal, this is the default value if unspecified.
 * `rootless`: Causes a random, ordinary user account to be created
              and utilized for testing.
 * `in_podman`: Causes testing to occur within a container executed by
 * `windows`: See **darwin**
 * `darwin`: Signals the ``special_testing_cross`` task to cross-compile the remote client.
--- a/contrib/cirrus/add_second_partition.sh
+++ b/contrib/cirrus/add_second_partition.sh
@ -3,6 +3,11 @@
 # N/B: This script could mega f*!@up your disks if run by mistake.
 #      it is left without the execute-bit on purpose!
 set -eo pipefail
 # shellcheck source=./lib.sh
 source $(dirname $0)/lib.sh
 # $SLASH_DEVICE is the disk device to be f*xtuP
 SLASH_DEVICE="/dev/sda"  # Always the case on GCP
@ -11,21 +16,18 @@ SLASH_DEVICE="/dev/sda"  # Always the case on GCP
 NEW_PART_START="50%"
 NEW_PART_END="100%"
 set -eo pipefail
 source $(dirname $0)/lib.sh
 if [[ ! -r "/root" ]] || [[ -r "/root/second_partition_ready" ]]
 then
-    echo "Warning: Ignoring attempted execution of $(basename $0)"
+    warn "Ignoring attempted execution of $(basename $0)"
    exit 0
 fi
-[[ -n "type -P parted" ]] || \
+[[ -x "$(type -P parted)" ]] || \
-    die 2 "The parted command is required."
+    die "The parted command is required."
 [[ ! -b ${SLASH_DEVICE}2 ]] || \
-    die 5 "Found unexpected block device ${SLASH_DEVICE}2"
+    die "Found unexpected block device ${SLASH_DEVICE}2"
 PPRINTCMD="parted --script ${SLASH_DEVICE} print"
 FINDMNTCMD="findmnt --source=${SLASH_DEVICE}1 --mountpoint=/ --canonicalize --evaluate --first-only --noheadings"
@ -34,28 +36,28 @@ trap "rm -f $TMPF" EXIT
 if $FINDMNTCMD | tee $TMPF | egrep -q "^/\s+${SLASH_DEVICE}1"
 then
-    echo "Repartitioning original partition table:"
+    msg "Repartitioning original partition table:"
    $PPRINTCMD
 else
-    die 6 "Unexpected output from '$FINDMNTCMD': $(<$TMPF)"
+    die "Unexpected output from '$FINDMNTCMD': $(<$TMPF)"
 fi
 echo "Adding partition offset within unpartitioned space."
 parted --script --align optimal /dev/sda unit % mkpart primary "" "" "$NEW_PART_START" "$NEW_PART_END"
-echo "New partition table:"
+msg "New partition table:"
 $PPRINTCMD
-echo "Growing ${SLASH_DEVICE}1 meet start of ${SLASH_DEVICE}2"
+msg "Growing ${SLASH_DEVICE}1 meet start of ${SLASH_DEVICE}2"
 growpart ${SLASH_DEVICE} 1
 FSTYPE=$(findmnt --first-only --noheadings --output FSTYPE ${SLASH_DEVICE}1)
 echo "Expanding $FSTYPE filesystem on ${SLASH_DEVICE}1"
 case $FSTYPE in
    ext*) resize2fs ${SLASH_DEVICE}1 ;;
-    *) die 11 "Script $(basename $0) doesn't know how to resize a $FSTYPE filesystem." ;;
+    *) die "Script $(basename $0) doesn't know how to resize a $FSTYPE filesystem." ;;
 esac
 # Must happen last - signals completion to other tooling
-echo "Recording newly available disk partition device into /root/second_partition_ready"
+msg "Recording newly available disk partition device into /root/second_partition_ready"
 echo "${SLASH_DEVICE}2" > /root/second_partition_ready
--- a/contrib/cirrus/apiv2_test.sh
+++ b/contrib/cirrus/apiv2_test.sh
@ -1,65 +0,0 @@
 #!/usr/bin/env bash
 set -e
 source $(dirname $0)/lib.sh
 req_env_var GOSRC SCRIPT_BASE OS_RELEASE_ID OS_RELEASE_VER CONTAINER_RUNTIME VARLINK_LOG
 LOCAL_OR_REMOTE=local
 if [[ "$RCLI" = "true" ]]; then
    LOCAL_OR_REMOTE=remote
 fi
 # Our name must be of the form xxxx_test or xxxx_test.sh, where xxxx is
 # the test suite to run; currently (2019-05) the only option is 'integration'
 # but pr2947 intends to add 'system'.
 TESTSUITE=$(expr $(basename $0) : '\(.*\)_test')
 if [[ -z $TESTSUITE ]]; then
    die 1 "Script name is not of the form xxxx_test.sh"
 fi
 cd "$GOSRC"
 case "$SPECIALMODE" in
    in_podman)
        ${CONTAINER_RUNTIME} run --rm --privileged --net=host --cgroupns=host \
            -v $GOSRC:$GOSRC:Z \
            --workdir $GOSRC \
            -e "CGROUP_MANAGER=cgroupfs" \
            -e "STORAGE_OPTIONS=--storage-driver=vfs" \
            -e "CRIO_ROOT=$GOSRC" \
            -e "PODMAN_BINARY=/usr/bin/podman" \
            -e "CONMON_BINARY=/usr/libexec/podman/conmon" \
            -e "DIST=$OS_RELEASE_ID" \
            -e "CONTAINER_RUNTIME=$CONTAINER_RUNTIME" \
            $IN_PODMAN_IMAGE bash $GOSRC/$SCRIPT_BASE/container_test.sh -b -i -t
        ;;
    rootless)
        req_env_var ROOTLESS_USER
        ssh $ROOTLESS_USER@localhost \
                -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no \
                -o CheckHostIP=no $GOSRC/$SCRIPT_BASE/rootless_test.sh ${TESTSUITE} ${LOCAL_OR_REMOTE}
        ;;
    endpoint)
        make
        make install PREFIX=/usr ETCDIR=/etc
        make test-binaries
        make endpoint
        ;;
    bindings)
 	    make
        make install PREFIX=/usr ETCDIR=/etc
 	    export PATH=$PATH:`pwd`/hack
 	    cd pkg/bindings/test && ginkgo -trace -noColor -debug  -r
 	;;
    none)
        make
        make install PREFIX=/usr ETCDIR=/etc
        make test-binaries
        make .install.bats
        make ${LOCAL_OR_REMOTE}${TESTSUITE} PODMAN_SERVER_LOG=$PODMAN_SERVER_LOG
        ;;
    *)
        die 110 "Unsupported \$SPECIALMODE: $SPECIALMODE"
 esac
--- a/contrib/cirrus/build_release.sh
+++ b/contrib/cirrus/build_release.sh
@ -1,34 +0,0 @@
 #!/usr/bin/env bash
 set -e
 source $(dirname $0)/lib.sh
 req_env_var RCLI OS_RELEASE_ID GOSRC
 cd $GOSRC
 if [[ "$RCLI" == "true" ]] && [[ -z "$CROSS_PLATFORM" ]]
 then
    CROSS_PLATFORM=linux
 fi
 if [[ -n "$CROSS_PLATFORM" ]]
 then
    # Will fail if $CROSS_PLATFORM is unsupported cross-compile $GOOS value
    make podman-remote-${CROSS_PLATFORM}-release
    echo "Compiling podman-remote release archive for ${CROSS_PLATFORM}"
    if [[ "$CROSS_PLATFORM" == "windows" ]]
    then
        # TODO: Remove next line, part of VM images next time they're built.
        dnf install -y libmsi1 msitools pandoc
        make podman.msi
    fi
 else
    echo "Compiling release archive for $OS_RELEASE_ID"
    make podman-release
 fi
 echo "Preserving build details for later use."
 mv -v release.txt actual_release.txt  # Another 'make' during testing could overwrite it
--- a/contrib/cirrus/build_swagger.sh
+++ b/contrib/cirrus/build_swagger.sh
@ -1,17 +0,0 @@
 #!/usr/bin/env bash
 set -e
 source $(dirname $0)/lib.sh
 # Building this is a PITA, just grab binary for use in automation
 # Ref: https://goswagger.io/install.html#static-binary
 download_url=$(curl -s https://api.github.com/repos/go-swagger/go-swagger/releases/latest | \
  jq -r '.assets[] | select(.name | contains("'"$(uname | tr '[:upper:]' '[:lower:]')"'_amd64")) | .browser_download_url')
 curl -o /usr/local/bin/swagger -L'#' "$download_url"
 chmod +x /usr/local/bin/swagger
 cd $GOSRC
 make swagger
 echo "Preserving build details for later use."
 mv -v release.txt actual_release.txt  # Another 'make' during testing could overwrite it
--- a/contrib/cirrus/cirrus_yaml_test.py
+++ b/contrib/cirrus/cirrus_yaml_test.py
@ -26,6 +26,7 @@ class TestCaseBase(unittest.TestCase):
 class TestDependsOn(TestCaseBase):
    ALL_TASK_NAMES = None
    SUCCESS_DEPS_EXCLUDE = set(['success', 'release', 'release_test'])
    def setUp(self):
        super().setUp()
@ -33,23 +34,29 @@ class TestDependsOn(TestCaseBase):
                                   for key, _ in self.CIRRUS_YAML.items()
                                   if key.endswith('_task')])
-    def test_00_dicts(self):
+    def test_dicts(self):
        """Expected dictionaries are present and non-empty"""
        self.assertIn('success_task', self.CIRRUS_YAML)
        self.assertIn('success_task'.replace('_task', ''), self.ALL_TASK_NAMES)
        self.assertIn('depends_on', self.CIRRUS_YAML['success_task'])
        self.assertGreater(len(self.CIRRUS_YAML['success_task']['depends_on']), 0)
-    def test_01_depends(self):
+    def test_task(self):
        """There is no task named 'task'"""
        self.assertNotIn('task', self.ALL_TASK_NAMES)
    def test_depends(self):
        """Success task depends on all other tasks"""
        success_deps = set(self.CIRRUS_YAML['success_task']['depends_on'])
-        for task_name in self.ALL_TASK_NAMES - set(['success']):
+        for task_name in self.ALL_TASK_NAMES - self.SUCCESS_DEPS_EXCLUDE:
            with self.subTest(task_name=task_name):
                msg=('Please add "{0}" to the "depends_on" list in "success_task"'
                     "".format(task_name))
                self.assertIn(task_name, success_deps, msg=msg)
-
+    def not_task(self):
        """Ensure no task is named 'task'"""
        self.assertNotIn('task', self.ALL_TASK_NAMES)
 if __name__ == "__main__":
    unittest.main()
--- a/contrib/cirrus/container_test.sh
+++ b/contrib/cirrus/container_test.sh
@ -1,142 +0,0 @@
 #!/usr/bin/env bash
 set -xeo pipefail
 export GOPATH=/var/tmp/go
 export PATH=$HOME/gopath/bin:$PATH:$GOPATH/bin
 export GOSRC=$GOPATH/src/github.com/containers/podman
 DIST=${DIST:=""}
 CONTAINER_RUNTIME=${DIST:=""}
 source /etc/os-release
 INTEGRATION_TEST_ENVS=""
 # For all distributions not Fedora, we need to skip USERNS tests
 # for now.
 if [ "${ID}" != "fedora" ] || [ "${CONTAINER_RUNTIME}" != "" ]; then
    INTEGRATION_TEST_ENVS="SKIP_USERNS=1"
 fi
 echo "$(date --rfc-3339=seconds) $(basename $0) started with '$*' and RCLI='${RCLI}'"
 pwd
 # -i install
 # -b build
 # -t integration test
 # -u unit test
 # -v validate
 build=0
 install=0
 integrationtest=0
 unittest=0
 validate=0
 options=0
 remote=0
 install_tools_made=0
 while getopts "bituv" opt; do
    case "$opt" in
    b) build=1
       options=1
       ;;
    i) install=1
       options=1
       ;;
    t) integrationtest=1
       options=1
       ;;
    u) unittest=1
       options=1
       ;;
    v) validate=1
       options=1
       ;;
    esac
 done
 # The RCLI environment variable decides whether
 # to test varlinke
 if [[ "$RCLI" == "true" ]]; then
    remote=1
 fi
 # If no options are passed, do everything
 if [ $options -eq 0 ]; then
    build=1
    install=1
    integrationtest=1
    unittest=1
    validate=1
 fi
 # Make Install tools function used by multiple sections below
 make_install_tools () {
    # Only make the install tools once
    if [ $install_tools_made -eq 0 ]; then
        make install.tools TAGS="${TAGS}"
    fi
    install_tools_made=1
 }
 CONTAINER_RUNTIME=${CONTAINER_RUNTIME:-none}
 if [ "${CONTAINER_RUNTIME}" == "none" ]; then
    mkdir -p /$GOPATH/src/github.com/containers/
    mv /var/tmp/checkout $GOSRC
    cd $GOSRC
    pwd
 fi
 export TAGS="seccomp $($GOSRC/hack/btrfs_tag.sh) $($GOSRC/hack/libdm_tag.sh) $($GOSRC/hack/btrfs_installed_tag.sh) $($GOSRC/hack/selinux_tag.sh)"
 # Validate
 if [ $validate -eq 1 ]; then
    make_install_tools
    # PAPR adds a merge commit, for testing, which fails the
    # short-commit-subject validation test, so tell git-validate.sh to only check
    # up to, but not including, the merge commit.
    export GITVALIDATE_TIP=$(cd $GOSRC; git log -2 --pretty='%H' | tail -n 1)
    make gofmt TAGS="${TAGS}"
    # Only check lint and gitvalidation on more recent
    # distros with updated git and tooling
    if [[ ${DIST} == "Fedora" ]]; then
        HEAD=$GITVALIDATE_TIP make -C $GOSRC .gitvalidation TAGS="${TAGS}"
        make lint
    fi
 fi
 # Unit tests
 if [ $unittest -eq 1 ]; then
    make localunit TAGS="${TAGS}"
 fi
 # Make Podman
 if [ $build -eq 1 ]; then
    make_install_tools
    make TAGS="${TAGS}" GOPATH=$GOPATH
    make podman-remote TAGS="${TAGS}" GOPATH=$GOPATH
 fi
 # Install Podman
 if [ $install -eq 1 ]; then
    make_install_tools
    make TAGS="${TAGS}" install.bin PREFIX=/usr ETCDIR=/etc
    make TAGS="${TAGS}" install.man PREFIX=/usr ETCDIR=/etc
    make TAGS="${TAGS}" install.cni PREFIX=/usr ETCDIR=/etc
    make TAGS="${TAGS}" install.systemd PREFIX=/usr ETCDIR=/etc
 fi
 # Run integration tests
 if [ $integrationtest -eq 1 ]; then
    make TAGS="${TAGS}" test-binaries
    make varlink_generate
    make localintegration $INTEGRATION_TEST_ENVS
    if [ $remote -eq 1 ]; then
        make remoteintegration $INTEGRATION_TEST_ENVS
    fi
 fi
--- a/contrib/cirrus/ext_svc_check.sh
+++ b/contrib/cirrus/ext_svc_check.sh
@ -0,0 +1,30 @@
 #!/bin/bash
 set -eo pipefail
 # This script attempts basic confirmation of functional networking
 # by connecting to a set of essential external servers and failing
 # if any cannot be reached.  It's intended for use early on in the
 # podman CI system, to help prevent wasting time on tests that can't
 # succeede due to some outage or another.
 # shellcheck source=./contrib/cirrus/lib.sh
 source $(dirname $0)/lib.sh
 cat ${CIRRUS_WORKING_DIR}/${SCRIPT_BASE}/required_host_ports.txt | \
    while read host port
    do
        if [[ "$port" -eq "443" ]]
        then
            echo "SSL/TLS to $host:$port"
            echo -n '' | \
                err_retry 9 1000 "" openssl s_client -quiet -no_ign_eof -connect $host:$port
        else
            echo "Connect to $host:$port"
            err_retry 9 1000 1 nc -zv -w 13 $host $port
        fi
    done
 # TODO: Pull images required during testing into /dev/null
 # TODO: Refresh DNF package-cache into /dev/null
--- a/contrib/cirrus/integration_test.sh
+++ b/contrib/cirrus/integration_test.sh
@ -1,65 +0,0 @@
 #!/usr/bin/env bash
 set -e
 source $(dirname $0)/lib.sh
 req_env_var GOSRC SCRIPT_BASE OS_RELEASE_ID OS_RELEASE_VER CONTAINER_RUNTIME VARLINK_LOG
 LOCAL_OR_REMOTE=local
 if [[ "$RCLI" = "true" ]]; then
    LOCAL_OR_REMOTE=remote
 fi
 # Our name must be of the form xxxx_test or xxxx_test.sh, where xxxx is
 # the test suite to run; currently (2019-05) the only option is 'integration'
 # but pr2947 intends to add 'system'.
 TESTSUITE=$(expr $(basename $0) : '\(.*\)_test')
 if [[ -z $TESTSUITE ]]; then
    die 1 "Script name ($basename $0) is not of the form xxxx_test.sh"
 fi
 cd "$GOSRC"
 case "$SPECIALMODE" in
    in_podman)
        ${CONTAINER_RUNTIME} run --rm --privileged --net=host --cgroupns=host \
            -v $GOSRC:$GOSRC:Z \
            --workdir $GOSRC \
            -e "CGROUP_MANAGER=cgroupfs" \
            -e "STORAGE_OPTIONS=--storage-driver=vfs" \
            -e "CRIO_ROOT=$GOSRC" \
            -e "PODMAN_BINARY=/usr/bin/podman" \
            -e "CONMON_BINARY=/usr/libexec/podman/conmon" \
            -e "DIST=$OS_RELEASE_ID" \
            -e "CONTAINER_RUNTIME=$CONTAINER_RUNTIME" \
            $IN_PODMAN_IMAGE bash $GOSRC/$SCRIPT_BASE/container_test.sh -b -i -t
        ;;
    rootless)
        req_env_var ROOTLESS_USER
        ssh $ROOTLESS_USER@localhost \
                -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no \
                -o CheckHostIP=no $GOSRC/$SCRIPT_BASE/rootless_test.sh ${TESTSUITE} ${LOCAL_OR_REMOTE}
        ;;
    endpoint)
        make
        make install PREFIX=/usr ETCDIR=/etc
        make test-binaries
        make endpoint
        ;;
    bindings)
 	    make
        make install PREFIX=/usr ETCDIR=/etc
 	    export PATH=$PATH:`pwd`/hack
 	    cd pkg/bindings/test && ginkgo -trace -noColor -debug  -r
 	;;
    none)
        make
        make install PREFIX=/usr ETCDIR=/etc
        make test-binaries
        make .install.bats
        make ${LOCAL_OR_REMOTE}${TESTSUITE} PODMAN_SERVER_LOG=$PODMAN_SERVER_LOG
        ;;
    *)
        die 110 "Unsupported \$SPECIALMODE: $SPECIALMODE"
 esac
--- a/contrib/cirrus/lib.sh
+++ b/contrib/cirrus/lib.sh
@ -3,243 +3,161 @@
 # Library of common, shared utility functions.  This file is intended
 # to be sourced by other scripts, not called directly.
-# Global details persist here
+# BEGIN Global export of all variables
-source /etc/environment  # not always loaded under all circumstances
+set -a
-# Automation environment doesn't automatically load for Ubuntu 18
+# Due to differences across platforms and runtime execution environments,
-if [[ -r '/usr/share/automation/environment' ]]; then
+# handling of the (otherwise) default shell setup is non-uniform.  Rather
-    source '/usr/share/automation/environment'
+# than attempt to workaround differences, simply force-load/set required
 # items every time this library is utilized.
 source /etc/profile
 source /etc/environment
 USER="$(whoami)"
 HOME="$(getent passwd $USER | cut -d : -f 6)"
 # Some platforms set and make this read-only
 [[ -n "$UID" ]] || \
    UID=$(getent passwd $USER | cut -d : -f 3)
 GID=$(getent passwd $USER | cut -d : -f 4)
 # During VM Image build, the 'containers/automation' installation
 # was performed.  The final step of that installation sets the
 # installation location in $AUTOMATION_LIB_PATH in /etc/environment
 # or in the default shell profile.
 # shellcheck disable=SC2154
 if [[ -n "$AUTOMATION_LIB_PATH" ]]; then
    for libname in defaults anchors console_output utils; do
        # There's no way shellcheck can process this location
        # shellcheck disable=SC1090
        source $AUTOMATION_LIB_PATH/${libname}.sh
    done
 else
    (
    echo "WARNING: It does not appear that containers/automation was installed."
    echo "         Functionality of most of this library will be negatively impacted"
    echo "         This ${BASH_SOURCE[0]} was loaded by ${BASH_SOURCE[1]}"
    ) > /dev/stderr
 fi
 # Under some contexts these values are not set, make sure they are.
 export USER="$(whoami)"
 export HOME="$(getent passwd $USER | cut -d : -f 6)"
 [[ -n "$UID" ]] || export UID=$(getent passwd $USER | cut -d : -f 3)
 export GID=$(getent passwd $USER | cut -d : -f 4)
 # Essential default paths, many are overridden when executing under Cirrus-CI
 export GOPATH="${GOPATH:-/var/tmp/go}"
 if type -P go &> /dev/null
 then
    # required for go 1.12+
    export GOCACHE="${GOCACHE:-$HOME/.cache/go-build}"
    # called processes like `make` and other tools need these vars.
    eval "export $(go env)"
    # Ensure compiled tooling is reachable
    export PATH="$PATH:$GOPATH/bin"
 fi
 CIRRUS_WORKING_DIR="${CIRRUS_WORKING_DIR:-$GOPATH/src/github.com/containers/podman}"
 export GOSRC="${GOSRC:-$CIRRUS_WORKING_DIR}"
 export PATH="$HOME/bin:$GOPATH/bin:/usr/local/bin:$PATH"
 export LD_LIBRARY_PATH="/usr/local/lib${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}"
 # Saves typing / in case location ever moves
 SCRIPT_BASE=${SCRIPT_BASE:-./contrib/cirrus}
 # Important filepaths
 SETUP_MARKER_FILEPATH="${SETUP_MARKER_FILEPATH:-/var/tmp/.setup_environment_sh_complete}"
 # Downloaded, but not installed packages.
 PACKAGE_DOWNLOAD_DIR=/var/cache/download
 # Log remote-client system test varlink output here
 export VARLINK_LOG=/var/tmp/varlink.log
 cd $GOSRC
 if type -P git &> /dev/null && [[ -d "$GOSRC/.git" ]]
 then
    CIRRUS_CHANGE_IN_REPO=${CIRRUS_CHANGE_IN_REPO:-$(git show-ref --hash=8 HEAD || date +%s)}
 else # pick something unique and obviously not from Cirrus
    CIRRUS_CHANGE_IN_REPO=${CIRRUS_CHANGE_IN_REPO:-unknown_$(date +%s)}
 fi
 # Defaults when not running under CI
 export CI="${CI:-false}"
 CIRRUS_CI="${CIRRUS_CI:-false}"
 DEST_BRANCH="${DEST_BRANCH:-master}"
 CONTINUOUS_INTEGRATION="${CONTINUOUS_INTEGRATION:-false}"
 CIRRUS_REPO_NAME=${CIRRUS_REPO_NAME:-libpod}
 CIRRUS_BASE_SHA=${CIRRUS_BASE_SHA:-unknown$(date +%s)}  # difficult to reliably discover
 CIRRUS_BUILD_ID=${CIRRUS_BUILD_ID:-$RANDOM$(date +%s)}  # must be short and unique
 OS_RELEASE_ID="$(source /etc/os-release; echo $ID)"
 # GCE image-name compatible string representation of distribution _major_ version
 OS_RELEASE_VER="$(source /etc/os-release; echo $VERSION_ID | cut -d '.' -f 1)"
 # Combined to ease soe usage
 OS_REL_VER="${OS_RELEASE_ID}-${OS_RELEASE_VER}"
-# IN_PODMAN container image
+# Essential default paths, many are overridden when executing under Cirrus-CI
-IN_PODMAN_IMAGE="quay.io/libpod/${OS_RELEASE_ID}_podman:$_BUILT_IMAGE_SUFFIX"
+GOPATH="${GOPATH:-/var/tmp/go}"
-# Image for uploading releases
+if type -P go &> /dev/null
 UPLDREL_IMAGE="quay.io/libpod/upldrel:master"
 # This is needed under some environments/contexts
 SUDO=''
 [[ "$UID" -eq 0 ]] || \
    SUDO='sudo -E'
 # Avoid getting stuck waiting for user input
 export DEBIAN_FRONTEND="noninteractive"
 SUDOAPTGET="$SUDO apt-get -qq --yes"
 SUDOAPTADD="$SUDO add-apt-repository --yes"
 # Regex that finds enabled periodic apt configuration items
 PERIODIC_APT_RE='^(APT::Periodic::.+")1"\;'
 # Short-cuts for retrying/timeout calls
 LILTO="timeout_attempt_delay_command 120s 5 30s"
 BIGTO="timeout_attempt_delay_command 300s 5 60s"
 # Safe env. vars. to transfer from root -> $ROOTLESS_USER  (go env handled separately)
 ROOTLESS_ENV_RE='(CIRRUS_.+)|(ROOTLESS_.+)|(.+_IMAGE.*)|(.+_BASE)|(.*DIRPATH)|(.*FILEPATH)|(SOURCE.*)|(DEPEND.*)|(.+_DEPS_.+)|(OS_REL.*)|(.+_ENV_RE)|(TRAVIS)|(CI.+)|(REMOTE.*)'
 # Unsafe env. vars for display
 SECRET_ENV_RE='(ACCOUNT)|(GC[EP]..+)|(SSH)'
 SPECIALMODE="${SPECIALMODE:-none}"
 RCLI="${RCLI:-false}"
 export CONTAINER_RUNTIME=${CONTAINER_RUNTIME:-podman}
 # When running as root, this may be empty or not, as a user, it MUST be set.
 if [[ "$USER" == "root" ]]
 then
-    ROOTLESS_USER="${ROOTLESS_USER:-}"
+    # Cirrus-CI caches $GOPATH contents
-else
+    export GOCACHE="${GOCACHE:-$GOPATH/cache/go-build}"
-    ROOTLESS_USER="${ROOTLESS_USER:-$USER}"
+    # called processes like `make` and other tools need these vars.
    eval "export $(go env)"
    # Ensure compiled tooling is reachable
    PATH="$PATH:$GOPATH/bin:$HOME/.local/bin"
 fi
 CIRRUS_WORKING_DIR="${CIRRUS_WORKING_DIR:-$(realpath $(dirname ${BASH_SOURCE[0]})/../../)}"
 GOSRC="${GOSRC:-$CIRRUS_WORKING_DIR}"
 PATH="$HOME/bin:/usr/local/bin:$PATH"
 LD_LIBRARY_PATH="/usr/local/lib${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}"
 # Saves typing / in case location ever moves
 SCRIPT_BASE=${SCRIPT_BASE:-./contrib/cirrus}
 # Downloaded, but not installed packages.
 PACKAGE_DOWNLOAD_DIR=/var/cache/download
 # Log remote-client system test varlink output here
 PODMAN_SERVER_LOG=$CIRRUS_WORKING_DIR/varlink.log
 # Defaults when not running under CI
 export CI="${CI:-false}"
 CIRRUS_CI="${CIRRUS_CI:-false}"
 DEST_BRANCH="${DEST_BRANCH:-master}"
 CONTINUOUS_INTEGRATION="${CONTINUOUS_INTEGRATION:-false}"
 CIRRUS_REPO_NAME=${CIRRUS_REPO_NAME:-podman}
 CIRRUS_BASE_SHA=${CIRRUS_BASE_SHA:-unknown$(date +%s)}  # difficult to reliably discover
 CIRRUS_BUILD_ID=${CIRRUS_BUILD_ID:-$RANDOM$(date +%s)}  # must be short and unique
 # Needed for linting and code validation
 EPOCH_TEST_COMMIT=${CIRRUS_BASE_SHA:-$CIRRUS_LAST_GREEN_CHANGE}
 # Regex of env. vars. to explicitly pass when executing tests
 # inside a container or as a rootless user
 PASSTHROUGH_ENV_RE='(^CI.*)|(^CIRRUS)|(^DISTRO_NV)|(^GOPATH)|(^GOCACHE)|(^GOSRC)|(^SCRIPT_BASE)|(CGROUP_MANAGER)|(OCI_RUNTIME)|(^TEST.*)|(^PODBIN_NAME)|(^PRIV_NAME)|(^ALT_NAME)|(^ROOTLESS_USER)|(SKIP_USERNS)|(.*_NAME)|(.*_FQIN)'
 # Unsafe env. vars for display
 SECRET_ENV_RE='(ACCOUNT)|(GC[EP]..+)|(SSH)|(PASSWORD)|(TOKEN)'
 # Type of filesystem used for cgroups
 CG_FS_TYPE="$(stat -f -c %T /sys/fs/cgroup)"
-# Pass in a list of one or more envariable names; exit non-zero with
+# Set to 1 in all podman container images
-# helpful error message if any value is empty
+CONTAINER="${CONTAINER:-0}"
 req_env_var() {
    # Provide context. If invoked from function use its name; else script name
    local caller=${FUNCNAME[1]}
    if [[ -n "$caller" ]]; then
        # Indicate that it's a function name
        caller="$caller()"
    else
        # Not called from a function: use script name
        caller=$(basename $0)
    fi
-    # Usage check
+# END Global export of all variables
-    [[ -n "$1" ]] || die 1 "FATAL: req_env_var: invoked without arguments"
+set +a
-    # Each input arg is an envariable name, e.g. HOME PATH etc. Expand each.
+lilto() { err_retry 8 1000 "" "$@"; }  # just over 4 minutes max
-    # If any is empty, bail out and explain why.
+bigto() { err_retry 7 5670 "" "$@"; }  # 12 minutes max
-    for i; do
+
-        if [[ -z "${!i}" ]]; then
+# Print shell-escaped variable=value pairs, one per line, based on
-            die 9 "FATAL: $caller requires \$$i to be non-empty"
+# variable name matching a regex.  This is intended to support
-        fi
+# passthrough of CI variables from host -> container or from root -> user.
 # For all other vars. we rely on tooling to load this library from inside
 # the container or as rootless user to pickup the remainder.
 passthrough_envars(){
    local xchars
    local envname
    local envval
    # Avoid values containing entirely punctuation|control|whitespace
    xchars='[:punct:][:cntrl:][:space:]'
    warn "Will pass env. vars. matching the following regex:
    $PASSTHROUGH_ENV_RE"
    for envname in $(awk 'BEGIN{for(v in ENVIRON) print v}' | \
                         grep -Ev "SETUP_ENVIRONMENT" | \
                         grep -Ev "$SECRET_ENV_RE" | \
                         grep -E "$PASSTHROUGH_ENV_RE"); do
            envval="${!envname}"
            [[ -n $(tr -d "$xchars" <<<"$envval") ]] || continue
            # Properly escape values to prevent injection
            printf -- "$envname=%q\n" "$envval"
    done
 }
 item_test() {
    ITEM="$1"
    shift
    TEST_ARGS="$@"
    req_env_var ITEM TEST_ARGS
    if ERR=$(test "$@" 2>&1)
    then
        echo "ok $ITEM"
        return 0
    else
        RET=$?
        echo -n "not ok $ITEM: $TEST_ARGS"
        if [[ -z "$ERR" ]]
        then
            echo ""
        else  # test command itself failed
            echo -n ":"  # space follows :'s in $ERR
            echo "$ERR" | cut -d : -f 4-  # omit filename, line number, and command
        fi
        return $RET
    fi
 }
 show_env_vars() {
    echo "Showing selection of environment variable definitions:"
    _ENV_VAR_NAMES=$(awk 'BEGIN{for(v in ENVIRON) print v}' | \
        egrep -v "(^PATH$)|(^BASH_FUNC)|(^[[:punct:][:space:]]+)|$SECRET_ENV_RE" | \
        sort -u)
    for _env_var_name in $_ENV_VAR_NAMES
    do
        # Supports older BASH versions
        printf "    ${_env_var_name}=%q\n" "$(printenv $_env_var_name)"
    done
 }
 die() {
    echo "************************************************"
    echo ">>>>> ${2:-FATAL ERROR (but no message given!) in ${FUNCNAME[1]}()}"
    echo "************************************************"
    exit ${1:-1}
 }
 warn() {
    echo ">>>>> ${1:-WARNING (but no message given!) in ${FUNCNAME[1]}()}" > /dev/stderr
 }
 bad_os_id_ver() {
    echo "Unknown/Unsupported distro. $OS_RELEASE_ID and/or version $OS_RELEASE_VER for $(basename $0)"
    exit 42
 }
 stub() {
    echo "STUB: Pretending to do $1"
 }
 timeout_attempt_delay_command() {
    TIMEOUT=$1
    ATTEMPTS=$2
    DELAY=$3
    shift 3
    STDOUTERR=$(mktemp -p '' $(basename $0)_XXXXX)
    req_env_var ATTEMPTS DELAY
    echo "Retrying $ATTEMPTS times with a $DELAY delay, and $TIMEOUT timeout for command: $@"
    for (( COUNT=1 ; COUNT <= $ATTEMPTS ; COUNT++ ))
    do
        echo "##### (attempt #$COUNT)" &>> "$STDOUTERR"
        if timeout --foreground $TIMEOUT "$@" &>> "$STDOUTERR"
        then
            echo "##### (success after #$COUNT attempts)" &>> "$STDOUTERR"
            break
        else
            echo "##### (failed with exit: $?)" &>> "$STDOUTERR"
            sleep $DELAY
        fi
    done
    cat "$STDOUTERR"
    rm -f "$STDOUTERR"
    if (( COUNT > $ATTEMPTS ))
    then
        echo "##### (exceeded $ATTEMPTS attempts)"
        exit 125
    fi
 }
 setup_rootless() {
-    req_env_var ROOTLESS_USER GOPATH GOSRC SECRET_ENV_RE ROOTLESS_ENV_RE
+    req_env_vars ROOTLESS_USER GOPATH GOSRC SECRET_ENV_RE
-    # Only do this once
+    local rootless_uid
    local rootless_gid
    local env_var_val
    # Only do this once; established by setup_environment.sh
    # shellcheck disable=SC2154
    if passwd --status $ROOTLESS_USER
    then
-        echo "Updating $ROOTLESS_USER user permissions on possibly changed libpod code"
+        msg "Updating $ROOTLESS_USER user permissions on possibly changed libpod code"
        chown -R $ROOTLESS_USER:$ROOTLESS_USER "$GOPATH" "$GOSRC"
        return 0
    fi
-
+    msg "************************************************************"
-    cd $GOSRC
+    msg "Setting up rootless user '$ROOTLESS_USER'"
    msg "************************************************************"
    cd $GOSRC || exit 1
    # Guarantee independence from specific values
-    ROOTLESS_UID=$[RANDOM+1000]
+    rootless_uid=$[RANDOM+1000]
-    ROOTLESS_GID=$[RANDOM+1000]
+    rootless_gid=$[RANDOM+1000]
-    echo "creating $ROOTLESS_UID:$ROOTLESS_GID $ROOTLESS_USER user"
+    msg "creating $rootless_uid:$rootless_gid $ROOTLESS_USER user"
-    groupadd -g $ROOTLESS_GID $ROOTLESS_USER
+    groupadd -g $rootless_gid $ROOTLESS_USER
-    useradd -g $ROOTLESS_GID -u $ROOTLESS_UID --no-user-group --create-home $ROOTLESS_USER
+    useradd -g $rootless_gid -u $rootless_uid --no-user-group --create-home $ROOTLESS_USER
    chown -R $ROOTLESS_USER:$ROOTLESS_USER "$GOPATH" "$GOSRC"
-    echo "creating ssh key pair for $USER"
+    msg "creating ssh key pair for $USER"
    [[ -r "$HOME/.ssh/id_rsa" ]] || \
        ssh-keygen -P "" -f "$HOME/.ssh/id_rsa"
-    echo "Allowing ssh key for $ROOTLESS_USER"
+    msg "Allowing ssh key for $ROOTLESS_USER"
    (umask 077 && mkdir "/home/$ROOTLESS_USER/.ssh")
    chown -R $ROOTLESS_USER:$ROOTLESS_USER "/home/$ROOTLESS_USER/.ssh"
    install -o $ROOTLESS_USER -g $ROOTLESS_USER -m 0600 \
@ -247,49 +165,38 @@ setup_rootless() {
    # Makes debugging easier
    cat /root/.ssh/authorized_keys >> "/home/$ROOTLESS_USER/.ssh/authorized_keys"
-    echo "Configuring subuid and subgid"
+    msg "Configuring subuid and subgid"
    grep -q "${ROOTLESS_USER}" /etc/subuid || \
-        echo "${ROOTLESS_USER}:$[ROOTLESS_UID * 100]:65536" | \
+        echo "${ROOTLESS_USER}:$[rootless_uid * 100]:65536" | \
            tee -a /etc/subuid >> /etc/subgid
    # Env. vars set by Cirrus and setup_environment.sh must be explicitly
    # transferred to the test-user.
-    echo "Configuring rootless user's environment variables:"
+    msg "Configuring rootless user's environment variables:"
    echo "# Added by $GOSRC/$SCRIPT_PATH/lib.sh setup_rootless()"
    _ENV_VAR_NAMES=$(awk 'BEGIN{for(v in ENVIRON) print v}' | \
        egrep -v "(^PATH$)|(^BASH_FUNC)|(^[[:punct:][:space:]]+)|$SECRET_ENV_RE" | \
        egrep "$ROOTLESS_ENV_RE" | \
        sort -u)
    for _env_var_name in $_ENV_VAR_NAMES
    do
        # Works with older versions of bash
        printf "${_env_var_name}=%q\n" "$(printenv $_env_var_name)" >> "/home/$ROOTLESS_USER/.bashrc"
    done
-    echo "Ensure the systems ssh process is up and running within 5 minutes"
+    (
        echo "# Added by ${BASH_SOURCE[0]} ${FUNCNAME[0]}()"
        echo "export SETUP_ENVIRONMENT=1"
    ) >> "/home/$ROOTLESS_USER/.bashrc"
    while read -r env_var_val; do
        echo "export $env_var_val" >> "/home/$ROOTLESS_USER/.bashrc"
    done <<<"$(passthrough_envars)"
    chown $ROOTLESS_USER:$ROOTLESS_USER "/home/$ROOTLESS_USER/.bashrc"
    cat "/home/$ROOTLESS_USER/.bashrc" | indent 2
    msg "Ensure the systems ssh process is up and running within 5 minutes"
    systemctl start sshd
-    NOW=$(date +%s)
+    lilto ssh $ROOTLESS_USER@localhost \
-    TIMEOUT=$(date --date '+5 minutes' +%s)
+           -o UserKnownHostsFile=/dev/null \
-    while [[ "$(date +%s)" -lt "$TIMEOUT" ]]
+           -o StrictHostKeyChecking=no \
-    do
+           -o CheckHostIP=no true
        if timeout --foreground -k 1s 1s \
            ssh $ROOTLESS_USER@localhost \
            -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o CheckHostIP=no \
            true
        then
            break
        else
            sleep 2s
        fi
    done
    [[ "$(date +%s)" -lt "$TIMEOUT" ]] || \
        die 11 "Timeout exceeded waiting for localhost ssh capability"
 }
 install_test_configs() {
    echo "Installing cni config, policy and registry config"
-    req_env_var GOSRC SCRIPT_BASE
+    req_env_vars GOSRC SCRIPT_BASE
-    cd $GOSRC
+    cd $GOSRC || exit 1
    install -v -D -m 644 ./cni/87-podman-bridge.conflist /etc/cni/net.d/
    # This config must always sort last in the list of networks (podman picks first one
    # as the default).  This config prevents allocation of network address space used
@ -306,7 +213,7 @@ install_test_configs() {
 # can only run the compiled source version.
 remove_packaged_podman_files() {
    echo "Removing packaged podman files to prevent conflicts with source build and testing."
-    req_env_var OS_RELEASE_ID
+    req_env_vars OS_RELEASE_ID
    # If any binaries are resident they could cause unexpected pollution
    for unit in io.podman.service io.podman.socket
@ -324,9 +231,9 @@ remove_packaged_podman_files() {
    if [[ "$OS_RELEASE_ID" =~ "ubuntu" ]]
    then
-        LISTING_CMD="$SUDO dpkg-query -L podman"
+        LISTING_CMD="dpkg-query -L podman"
    else
-        LISTING_CMD="$SUDO rpm -ql podman"
+        LISTING_CMD="rpm -ql podman"
    fi
    # yum/dnf/dpkg may list system directories, only remove files
@ -334,29 +241,9 @@ remove_packaged_podman_files() {
    do
        # Sub-directories may contain unrelated/valuable stuff
        if [[ -d "$fullpath" ]]; then continue; fi
-        ooe.sh $SUDO rm -vf "$fullpath"
+        ooe.sh rm -vf "$fullpath"
    done
    # Be super extra sure and careful vs performant and completely safe
-    sync && echo 3 > /proc/sys/vm/drop_caches
+    sync && echo 3 > /proc/sys/vm/drop_caches || true
 }
 # The version of CRI-O and Kubernetes must always match
 get_kubernetes_version(){
    # TODO: Look up the kube RPM/DEB version installed, or in $PACKAGE_DOWNLOAD_DIR
    #       and retrieve the major-minor version directly.
    local KUBERNETES_VERSION="1.15"
    echo "$KUBERNETES_VERSION"
 }
 canonicalize_image_names() {
    req_env_var IMGNAMES
    echo "Adding all current base images to \$IMGNAMES for timestamp update"
    export IMGNAMES="\
 $IMGNAMES
 $UBUNTU_BASE_IMAGE
 $PRIOR_UBUNTU_BASE_IMAGE
 $FEDORA_BASE_IMAGE
 $PRIOR_FEDORA_BASE_IMAGE
 "
 }
--- a/contrib/cirrus/lib.sh.t
+++ b/contrib/cirrus/lib.sh.t
@ -1,121 +0,0 @@
 #!/usr/bin/env bash
 #
 # Unit tests for some functions in lib.sh
 #
 source $(dirname $0)/lib.sh
 # Iterator and return code; updated in test functions
 testnum=0
 rc=0
 function check_result {
    testnum=$(expr $testnum + 1)
    MSG=$(echo "$1" | tr -d '*>\012'|sed -e 's/^ \+//')
    if [ "$MSG" = "$2" ]; then
        echo "ok $testnum $(echo $3) = $(echo $MSG)"
    else
        echo "not ok $testnum $3"
        echo "#  expected: $2"
        echo "#    actual: $MSG"
        rc=1
    fi
 }
 ###############################################################################
 # tests for die()
 function test_die() {
    local input_status=$1
    local input_msg=$2
    local expected_status=$3
    local expected_msg=$4
    local msg
    msg=$(die $input_status "$input_msg")
    local status=$?
    check_result "$msg" "$expected_msg" "die $input_status $input_msg"
 }
 test_die 1 "a message" 1 "a message"
 test_die 2 ""          2 "FATAL ERROR (but no message given!) in test_die()"
 test_die '' ''         1 "FATAL ERROR (but no message given!) in test_die()"
 ###############################################################################
 # tests for req_env_var()
 function test_rev() {
    local input_args=$1
    local expected_status=$2
    local expected_msg=$3
    # bash gotcha: doing 'local msg=...' on one line loses exit status
    local msg
    msg=$(req_env_var $input_args)
    local status=$?
    check_result "$msg"    "$expected_msg"    "req_env_var $input_args"
    check_result "$status" "$expected_status" "req_env_var $input_args (rc)"
 }
 # error if called with no args
 test_rev '' 1 'FATAL: req_env_var: invoked without arguments'
 # error if desired envariable is unset
 unset FOO BAR
 test_rev FOO 9 'FATAL: test_rev() requires $FOO to be non-empty'
 test_rev BAR 9 'FATAL: test_rev() requires $BAR to be non-empty'
 # OK if desired envariable was unset
 FOO=1
 test_rev FOO 0 ''
 # OK if multiple vars are non-empty
 FOO="stuff"
 BAR="things"
 ENV_VARS="FOO BAR"
 test_rev "$ENV_VARS" 0 ''
 unset BAR
 # ...but error if any single desired one is unset
 test_rev "FOO BAR" 9 'FATAL: test_rev() requires $BAR to be non-empty'
 # ...and OK if all args are set
 BAR=1
 test_rev "FOO BAR" 0 ''
 ###############################################################################
 # tests for item_test()
 function test_item_test {
    local exp_msg=$1
    local exp_ret=$2
    local item=$3
    shift 3
    local test_args="$@"
    local msg
    msg=$(item_test "$item" "$@")
    local status=$?
    check_result "$msg"    "$exp_msg" "test_item $item $test_args"
    check_result "$status" "$exp_ret" "test_item $item $test_args (actual rc $status)"
 }
 # negative tests
 test_item_test "FATAL: item_test() requires \$ITEM to be non-empty" 9 "" ""
 test_item_test "FATAL: item_test() requires \$TEST_ARGS to be non-empty" 9 "foo" ""
 test_item_test "not ok foo: -gt 5 ~= bar: too many arguments" 2 "foo" "-gt" "5" "~=" "bar"
 test_item_test "not ok bar: a -ge 10: a: integer expression expected" 2 "bar" "a" "-ge" "10"
 test_item_test "not ok basic logic: 0 -ne 0" 1 "basic logic" "0" "-ne" "0"
 # positive tests
 test_item_test "ok snafu" 0 "snafu" "foo" "!=" "bar"
 test_item_test "ok foobar" 0 "foobar" "one two three" "=" "one two three"
 test_item_test "ok oh boy" 0 "oh boy" "line 1
 line2" "!=" "line 1
 line2"
 test_item_test "ok okay enough" 0 "okay enough" "line 1
 line2" "=" "line 1
 line2"
 exit $rc
--- a/contrib/cirrus/logcollector.sh
+++ b/contrib/cirrus/logcollector.sh
@ -2,9 +2,10 @@
 set -e
 # shellcheck source=contrib/cirrus/lib.sh
 source $(dirname $0)/lib.sh
-req_env_var CIRRUS_WORKING_DIR OS_RELEASE_ID RCLI
+req_env_vars CIRRUS_WORKING_DIR OS_RELEASE_ID
 # Assume there are other log collection commands to follow - Don't
 # let one break another that may be useful, but also keep any
@ -33,14 +34,9 @@ case $1 in
    ginkgo) showrun cat $CIRRUS_WORKING_DIR/test/e2e/ginkgo-node-*.log ;;
    journal) showrun journalctl -b ;;
    podman) showrun ./bin/podman system info ;;
-    varlink)
+    server)
-       if [[ "$RCLI" == "true" ]]
+      msg "(Trailing 100 lines of $PODMAN_SERVER_LOG)"
-       then
+      if [[ -r "$PODMAN_SERVER_LOG" ]]; then tail -100 $PODMAN_SERVER_LOG; fi
          echo "(Trailing 100 lines of $VARLINK_LOG)"
          showrun tail -100 $VARLINK_LOG
       else
          die 0 "\$RCLI is not 'true': $RCLI"
       fi
       ;;
    packages)
        # These names are common to Fedora and Ubuntu
@ -78,7 +74,7 @@ case $1 in
        echo "Kernel: " $(uname -r)
        echo "Cgroups: " $(stat -f -c %T /sys/fs/cgroup)
        # Any not-present packages will be listed as such
-        $PKG_LST_CMD ${PKG_NAMES[@]} | sort -u
+        $PKG_LST_CMD "${PKG_NAMES[@]}" | sort -u
        ;;
-    *) die 1 "Warning, $(basename $0) doesn't know how to handle the parameter '$1'"
+    *) die "Warning, $(basename $0) doesn't know how to handle the parameter '$1'"
 esac
--- a/contrib/cirrus/networking.sh
+++ b/contrib/cirrus/networking.sh
@ -1,17 +0,0 @@
 #!/usr/bin/env bash
 # This script attempts basic confirmation of functional networking
 # by connecting to a set of essential external servers and failing
 # if any cannot be reached.
 source $(dirname $0)/lib.sh
 while read host port
 do
    if [[ "$port" -eq "443" ]]
    then
        item_test "SSL/TLS to $host:$port" "$(echo -n '' | timeout 60 openssl s_client -quiet -no_ign_eof -connect $host:$port &> /dev/null; echo $?)" -eq "0"
    else
        item_test "Connect to $host:$port" "$(nc -zv -w 13 $host $port &> /dev/null; echo $?)" -eq 0
    fi
 done < ${CIRRUS_WORKING_DIR}/${SCRIPT_BASE}/required_host_ports.txt
--- a/contrib/cirrus/ooe.sh
+++ b/contrib/cirrus/ooe.sh
@ -1,39 +0,0 @@
 #!/usr/bin/env bash
 # This script executes a command while logging all output to a temporary
 # file.  If the command exits non-zero, then all output is sent to the console,
 # before returning the exit code.  If the script itself fails, the exit code 121
 # is returned.
 set -eo pipefail
 SCRIPT_BASEDIR="$(basename $0)"
 badusage() {
    echo "Incorrect usage: $SCRIPT_BASEDIR) <command> [options]" > /dev/stderr
    echo "ERROR: $1"
    exit 121
 }
 COMMAND="$@"
 [[ -n "$COMMAND" ]] || badusage "No command specified"
 OUTPUT_TMPFILE="$(mktemp -p '' ${SCRIPT_BASEDIR}_output_XXXX)"
 output_on_error() {
    RET=$?
    set +e
    if [[ "$RET" -ne "0" ]]
    then
        echo "---------------------------"
        cat "$OUTPUT_TMPFILE"
        echo "[$(date --iso-8601=second)] <exit $RET> $COMMAND"
    fi
    rm -f "$OUTPUT_TMPFILE"
 }
 trap "output_on_error" EXIT
 "$@" 2>&1 | while IFS='' read LINE  # Preserve leading/trailing whitespace
 do
    # Every stdout and (copied) stderr line
    echo "[$(date --iso-8601=second)] $LINE"
 done >> "$OUTPUT_TMPFILE"
--- a/contrib/cirrus/rootless_test.sh
+++ b/contrib/cirrus/rootless_test.sh
@ -1,32 +0,0 @@
 #!/usr/bin/env bash
 set -e
 echo "$(date --rfc-3339=seconds) $(basename $0) started with '$*'"
 source $(dirname $0)/lib.sh
 if [[ "$UID" == "0" ]]
 then
    echo "$(basename $0): Error: Expected to be running as a regular user"
    exit 1
 fi
 TESTSUITE=${1?Missing TESTSUITE argument (arg1)}
 LOCAL_OR_REMOTE=${2?Missing LOCAL_OR_REMOTE argument (arg2)}
 # Ensure environment setup correctly
 req_env_var GOSRC ROOTLESS_USER
 echo "."
 echo "Hello, my name is $USER and I live in $PWD can I be your friend?"
 echo "."
 show_env_vars
 set -x
 cd "$GOSRC"
 make
 make varlink_generate
 make test-binaries
 make ${LOCAL_OR_REMOTE}${TESTSUITE}
--- a/contrib/cirrus/runner.sh
+++ b/contrib/cirrus/runner.sh
@ -0,0 +1,233 @@
 #!/bin/bash
 set -eo pipefail
 # This script is intended to be called by automation or humans,
 # from a specially configured environment.  Depending on the contents
 # of various variable, entirely different operations will be performed.
 # shellcheck source=contrib/cirrus/lib.sh
 source $(dirname $0)/lib.sh
 exec_container() {
    local var_val
    local cmd
    # Required to be defined by caller
    # shellcheck disable=SC2154
    msg "Re-executing runner inside container: $CTR_FQIN"
    msg "************************************************************"
    req_env_vars CTR_FQIN TEST_ENVIRON CONTAINER SECRET_ENV_RE
    # Line-separated arguments which include shell-escaped special characters
    declare -a envargs
    while read -r var_val; do
        envargs+=("-e $var_val")
    done <<<"$(passthrough_envars)"
    # VM Images and Container images are built using (nearly) identical operations.
    set -x
    # shellcheck disable=SC2154
    exec podman run --rm --privileged --net=host --cgroupns=host \
        -v /dev/fuse:/dev/fuse \
        -v "$GOPATH:$GOPATH:Z" \
        --workdir "$GOSRC" \
        -e "CONTAINER=1" \
        "${envargs[@]}" \
        $CTR_FQIN bash -c "$SCRIPT_BASE/setup_environment.sh && $SCRIPT_BASE/runner.sh"
 }
 build_swagger() {
    local download_url
    # Building this is a PITA, just grab binary for use in automation
    # Ref: https://goswagger.io/install.html#static-binary
    download_url=$(\
        curl -s https://api.github.com/repos/go-swagger/go-swagger/releases/latest | \
        jq -r '.assets[] | select(.name | contains("linux_amd64")) | .browser_download_url')
    curl -o /usr/local/bin/swagger -L'#' "$download_url"
    chmod +x /usr/local/bin/swagger
    cd $GOSRC
    make swagger
 }
 altbuild() {
    req_env_vars ALT_NAME
    # Defined in .cirrus.yml
    # shellcheck disable=SC2154
    msg "Performing alternate build: $ALT_NAME"
    msg "************************************************************"
    cd $GOSRC
    case "$ALT_NAME" in
        *Each*)
            git fetch origin
            make build-all-new-commits GIT_BASE_BRANCH=origin/$DEST_BRANCH
            ;;
        *Windows*)
            make podman-remote-windows-release
            make podman.msi
            ;;
        *Without*)
            make build-no-cgo
            ;;
        *varlink-API)
            export SUGGESTION='remove API.md, then "make varlink_api_generate" and commit changes.'
            make varlink_api_generate BUILDTAGS="varlink"
            ./hack/tree_status.sh
            ;;
        *varlink-binaries)
            make clean BUILDTAGS="varlink" binaries
            ;;
        *RPM*)
            make -f ./.copr/Makefile
            rpmbuild --rebuild ./podman-*.src.rpm
            ;;
        *Static*)
            req_env_vars CTR_FQIN
            [[ "$UID" -eq 0 ]] || \
                die "Static build must execute nixos container as root on host"
            mkdir -p /var/cache/nix
            podman run -i --rm -v /var/cache/nix:/mnt/nix:Z \
                $CTR_FQIN cp -rfT /nix /mnt/nix
            podman run -i --rm -v /var/cache/nix:/nix:Z \
                -v $PWD:$PWD:Z -w $PWD $CTR_FQIN \
                nix --print-build-logs --option cores 4 --option max-jobs 4 \
                    build --file ./nix/
            # result symlink is absolute from container perspective :(
            cp /var/cache/$(readlink result)/bin/podman ./  # for cirrus-ci artifact
            rm result  # makes cirrus puke
            ;;
        *)
            die "Unknown/Unsupported \$$ALT_NAME '$ALT_NAME'"
    esac
 }
 integration_outputfilter() {
    # Use similar format as human-friendly task name from .cirrus.yml
    # shellcheck disable=SC2154
    output_name="$TEST_FLAVOR-$PODBIN_NAME-$DISTRO_NV-$PRIV_NAME-$TEST_ENVIRON"
    # Requires stdin and stderr combined!
    cat - \
        |& awk --file "${CIRRUS_WORKING_DIR}/${SCRIPT_BASE}/timestamp.awk" \
        |& "${CIRRUS_WORKING_DIR}/${SCRIPT_BASE}/logformatter" "$output_name"
 }
 # Handle local|remote integration|system testing in a uniform way
 dotest() {
    local testsuite="$1"
    req_env_vars testsuite CONTAINER TEST_ENVIRON PRIV_NAME
    # shellcheck disable=SC2154
    if ((CONTAINER==0)) && [[ "$TEST_ENVIRON" == "container" ]]; then
        exec_container  # does not return
    fi;
    # shellcheck disable=SC2154
    if [[ "$PRIV_NAME" == "rootless" ]] && [[ "$UID" -eq 0 ]]; then
        req_env_vars ROOTLESS_USER
        msg "Re-executing runner through ssh as user '$ROOTLESS_USER'"
        msg "************************************************************"
        set -x
        exec ssh $ROOTLESS_USER@localhost \
                -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no \
                -o CheckHostIP=no $GOSRC/$SCRIPT_BASE/runner.sh
        # does not return
    fi
    output_filter="cat"  # no filter
    if [[ "$testsuite" == "integration" ]]; then
        output_filter=integration_outputfilter
    fi
    # containers/automation sets this to 0 for it's dbg() function
    # but the e2e integration tests are also sensitive to it.
    unset DEBUG
    # shellcheck disable=SC2154
    case "$PODBIN_NAME" in
        podman)
            # ginkgo doesn't play nicely with C Go
            make local${testsuite} \
                |& "$output_filter"
            ;;
        remote)
            make remote${testsuite} PODMAN_SERVER_LOG=$PODMAN_SERVER_LOG \
                |& "$output_filter"
            ;;
    esac
 }
 msg "************************************************************"
 # Required to be defined by caller
 # shellcheck disable=SC2154
 msg "Runner executing $TEST_FLAVOR $PODBIN_NAME-tests as $PRIV_NAME on $DISTRO_NV($OS_REL_VER)"
 if ((CONTAINER)); then
    # shellcheck disable=SC2154
    msg "Current environment container image: $CTR_FQIN"
 else
    # shellcheck disable=SC2154
    msg "Current environment VM image: $VM_IMAGE_NAME"
 fi
 msg "************************************************************"
 ((${SETUP_ENVIRONMENT:-0})) || \
    die "Expecting setup_environment.sh to have completed successfully"
 cd "${GOSRC}/"
 case "$TEST_FLAVOR" in
    ext_svc) $SCRIPT_BASE/ext_svc_check.sh ;;
    smoke)
        make gofmt
        make .gitvalidation
        ;;
    automation)
        $SCRIPT_BASE/cirrus_yaml_test.py
        req_env_vars CI DEST_BRANCH IMAGE_SUFFIX TEST_FLAVOR TEST_ENVIRON \
                     PODBIN_NAME PRIV_NAME DISTRO_NV CONTAINER USER HOME \
                     UID GID AUTOMATION_LIB_PATH SCRIPT_BASE OS_RELEASE_ID \
                     OS_RELEASE_VER CG_FS_TYPE
        bigto ooe.sh dnf install -y ShellCheck  # small/quick addition
        $SCRIPT_BASE/shellcheck.sh
        ;;
    altbuild) altbuild ;;
    build)
        make podman-release
        make podman-remote-linux-release
        ;;
    validate)
        # Confirm compiile via prior task + cache
        bin/podman --version
        bin/podman-remote --version
        make validate  # Some items require a build
        ;;
    bindings)
        # shellcheck disable=SC2155
        export PATH=$PATH:$GOSRC/hack
        cd pkg/bindings/test && ginkgo -trace -noColor -debug  -r
        ;;
    endpoint)
        make test-binaries
        make endpoint
        ;;
    swagger)
        build_swagger
        # Cirrus-CI Artifact instruction expects file here
        cp -v $GOSRC/pkg/api/swagger.yaml $GOSRC/
        ;;
    vendor)
        make vendor
        ./hack/tree_status.sh
        ;;
    docker-py) msg "This is docker-py stub, it is only a stub" ;;
    unit) make localunit ;;
    int) dotest integration ;;
    sys) dotest system ;;
    release)
        if bin/podman info |& grep -Eq -- '-dev'; then
            die "Releases must never contain '-dev' in output of 'podman info'"
        fi
        ;;
    *)
        die "Unknown/Unsupported \$TEST_FLAVOR=$TEST_FLAVOR" ;;
 esac
--- a/contrib/cirrus/setup_container_environment.sh
+++ b/contrib/cirrus/setup_container_environment.sh
@ -1,16 +0,0 @@
 #!/usr/bin/env bash
 set -e
 source $(dirname $0)/lib.sh
 req_env_var GOSRC OS_RELEASE_ID CONTAINER_RUNTIME
 # Since CRIU 3.11 has been pushed to Fedora 28 the checkpoint/restore
 # test cases are actually run. As CRIU uses iptables to lock and unlock
 # the network during checkpoint and restore it needs the following two
 # modules loaded.
 modprobe ip6table_nat || :
 modprobe iptable_nat || :
 # Pull the test image
 ${CONTAINER_RUNTIME} pull ${IN_PODMAN_IMAGE}
--- a/contrib/cirrus/setup_environment.sh
+++ b/contrib/cirrus/setup_environment.sh
@ -2,119 +2,187 @@
 set -e
 # shellcheck source=./contrib/cirrus/lib.sh
 source $(dirname $0)/lib.sh
-req_env_var USER HOME GOSRC SCRIPT_BASE SETUP_MARKER_FILEPATH
+die_unknown() {
-
+    local var_name="$1"
-# Ensure this script only executes successfully once and always logs ending timestamp
+    req_env_vars var_name
-if [[ -e "$SETUP_MARKER_FILEPATH" ]]; then
+    local var_value="${!var_name}"
-    show_env_vars
+    die "Unknown/unsupported \$$var_name '$var_value'"
    exit 0
 fi
 exithandler() {
    RET=$?
    echo "."
    echo "$(basename $0) exit status: $RET"
    [[ "$RET" -eq "0" ]] && date +%s >> "$SETUP_MARKER_FILEPATH"
    show_env_vars
    [[ "$RET" -eq "0" ]] || warn "Non-zero exit caused by error ABOVE env. var. display."
 }
-trap exithandler EXIT
+
 msg "************************************************************"
 msg "Setting up runtime environment"
 msg "************************************************************"
 show_env_vars
 req_env_vars USER HOME GOSRC SCRIPT_BASE TEST_FLAVOR TEST_ENVIRON \
             PODBIN_NAME PRIV_NAME DISTRO_NV
 # Verify basic dependencies
 for depbin in go rsync unzip sha256sum curl make python3 git
 do
    if ! type -P "$depbin" &> /dev/null
    then
-        echo "***** WARNING: $depbin binary not found in $PATH *****"
+        warn "$depbin binary not found in $PATH"
    fi
 done
-# Sometimes environment setup needs to vary between distros
+# This is a possible manual maintenance gaff, check to be sure everything matches.
-# Note: This should only be used for environment variables, and temporary workarounds.
+# shellcheck disable=SC2154
 [[ "$DISTRO_NV" == "$OS_REL_VER" ]] || \
    die "Automation spec. '$DISTRO_NV'; actual host '$OS_REL_VER'"
 # Only allow this script to execute once
 if ((${SETUP_ENVIRONMENT:-0})); then
    # Comes from automation library
    # shellcheck disable=SC2154
    warn "Not executing $SCRIPT_FILENAME again"
    exit 0
 fi
 cd "${GOSRC}/"
 case "${OS_RELEASE_ID}" in
    ubuntu)
        ;;
    fedora)
        # All SELinux distros need this for systemd-in-a-container
        setsebool container_manage_cgroup true
        if [[ "$ADD_SECOND_PARTITION" == "true" ]]; then
            bash "$SCRIPT_BASE/add_second_partition.sh"
        fi
        warn "Forcing systemd cgroup manager"
        X=$(echo "export CGROUP_MANAGER=systemd" | \
            tee -a /etc/environment) && eval "$X" && echo "$X"
        ;;
    centos)  # Current VM is an image-builder-image no local podman/testing
        echo "No further setup required for VM image building"
        exit 0
        ;;
    *) bad_os_id_ver ;;
 esac
 # Reload to incorporate any changes from above
 source "$SCRIPT_BASE/lib.sh"
 # Defined by lib.sh: Does the host support cgroups v1 or v2
 case "$CG_FS_TYPE" in
    tmpfs)
-        warn "Forcing testing with runc instead of crun"
+        if ((CONTAINER==0)); then
-        # On ubuntu, the default runc is usually not new enough.
+            warn "Forcing testing with runc instead of crun"
-        if [[ "$OS_RELEASE_ID" == "ubuntu" ]]; then
+            if [[ "$OS_RELEASE_ID" == "ubuntu" ]]; then
-            X=$(echo "export OCI_RUNTIME=/usr/lib/cri-o-runc/sbin/runc" | \
+                echo "export OCI_RUNTIME=/usr/lib/cri-o-runc/sbin/runc" >> /etc/environment
-                tee -a /etc/environment) && eval "$X" && echo "$X"
+            else
-        else
+                echo "export OCI_RUNTIME=/usr/bin/runc" >> /etc/environment
-            X=$(echo "export OCI_RUNTIME=/usr/bin/runc" | \
+            fi
                tee -a /etc/environment) && eval "$X" && echo "$X"
        fi
        ;;
    cgroup2fs)
-        # This is necessary since we've built/installed from source, which uses runc as the default.
+        if ((CONTAINER==0)); then
-        warn "Forcing testing with crun instead of runc"
+            # This is necessary since we've built/installed from source,
-        X=$(echo "export OCI_RUNTIME=/usr/bin/crun" | \
+            # which uses runc as the default.
-            tee -a /etc/environment) && eval "$X" && echo "$X"
+            warn "Forcing testing with crun instead of runc"
-        ;;
+            echo "export OCI_RUNTIME=/usr/bin/crun" >> /etc/environment
-    *)
+        fi
        die 110 "Unsure how to handle cgroup filesystem type '$CG_FS_TYPE'"
        ;;
    *) die_unknown CG_FS_TYPE
 esac
-# Must execute before possible setup_rootless()
+# Required to be defined by caller: Which distribution are we testing on
-make install.tools
+# shellcheck disable=SC2154
 case "$DISTRO_NV" in
    ubuntu*) ;;
    fedora*)
        if ((CONTAINER==0)); then  # Not yet running inside a container
            msg "Configuring / Expanding host storage."
            # VM is setup to allow flexibility in testing alternate storage.
            # For general use, simply make use of all available space.
            ooe.sh bash "$SCRIPT_BASE/add_second_partition.sh"
-case "$SPECIALMODE" in
+            # All SELinux distros need this for systemd-in-a-container
-    none)
+            msg "Enabling container_manage_cgroup"
-        [[ -n "$CROSS_PLATFORM" ]] || \
+            setsebool container_manage_cgroup true
-            remove_packaged_podman_files
+        fi
        ;;
-    endpoint)
+    *) die_unknown DISTRO_NV
-        remove_packaged_podman_files
+esac
 # Required to be defined by caller: The environment where primary testing happens
 # shellcheck disable=SC2154
 case "$TEST_ENVIRON" in
    host)
        if [[ "$OS_RELEASE_ID" == "fedora" ]]; then
            # The e2e tests wrongly guess `--cgroup-manager cgroupfs`
            msg "Forcing CGROUP_MANAGER=systemd"
            _cgm="export CGROUP_MANAGER=systemd"
            echo "$_cgm" >> /etc/environment
            source /etc/environment
        fi
        ;;
-    bindings)
+    container)
-        remove_packaged_podman_files
+        if ((CONTAINER==0)); then  # not yet inside a container
            msg "Force loading iptables modules"
            # Since CRIU 3.11, uses iptables to lock and unlock
            # the network during checkpoint and restore.  Needs
            # the following two modules loaded on the host.
            modprobe ip6table_nat || :
            modprobe iptable_nat || :
        else
            # The e2e tests wrongly guess `--cgroup-manager systemd`
            msg "Forcing CGROUP_MANAGER=cgroupfs"
            _cgm="export CGROUP_MANAGER=cgroupfs"
            echo "$_cgm" >> /etc/environment
            source /etc/environment
        fi
        ;;
    *) die_unknown TEST_ENVIRON
 esac
 # Required to be defined by caller: Are we testing as root or a regular user
 # shellcheck disable=SC2154
 case "$PRIV_NAME" in
    root)
        if [[ "$TEST_ENVIRON" == "container" ]] && ((container)); then
            # There's no practical way to detect userns w/in a container
            # affected/related tests are sensitive to this variable.
            _suns='export SKIP_USERNS=1'
            echo "$_suns" >> /etc/environment
            source /etc/environment
        fi
        ;;
    rootless)
-        # Only do this once, even if ROOTLESS_USER (somehow) changes
+        _ru="export ROOTLESS_USER='${ROOTLESS_USER:-some${RANDOM}dude}'"
-        if ! grep -q 'ROOTLESS_USER' /etc/environment
+        echo "$_ru" >> /etc/environment
-        then
+        source /etc/environment
-            X=$(echo "export ROOTLESS_USER='${ROOTLESS_USER:-some${RANDOM}dude}'" | \
+        setup_rootless
                tee -a /etc/environment) && eval "$X" && echo "$X"
            X=$(echo "export SPECIALMODE='${SPECIALMODE}'" | \
                tee -a /etc/environment) && eval "$X" && echo "$X"
            X=$(echo "export RCLI='${RCLI}'" | \
                tee -a /etc/environment) && eval "$X" && echo "$X"
            setup_rootless
        fi
        remove_packaged_podman_files
        ;;
-    in_podman)  # Assumed to be Fedora
+    *) die_unknown PRIV_NAME
        $SCRIPT_BASE/setup_container_environment.sh
        ;;
    *)
        die 111 "Unsupported \$SPECIALMODE: $SPECIALMODE"
 esac
-install_test_configs
+# Required to be defined by caller: Are we testing podman or podman-remote client
 # shellcheck disable=SC2154
 case "$PODBIN_NAME" in
    podman) ;;
    remote) ;;
    *) die_unknown PODBIN_NAME
 esac
 # Required to be defined by caller: The primary type of testing that will be performed
 # shellcheck disable=SC2154
 case "$TEST_FLAVOR" in
    ext_svc) ;;
    smoke) ;&
    validate)
        # For some reason, this is also needed for validation
        make .install.pre-commit
        ;;
    automation) ;;
    altbuild)
        # Defined in .cirrus.yml
        # shellcheck disable=SC2154
        if [[ "$ALT_NAME" =~ RPM ]]; then
            bigto dnf install -y glibc-minimal-langpack rpm-build
        fi
        ;&
    docker-py) ;&
    build) make clean ;;
    unit) ;;
    int) ;&
    sys) ;&
    bindings) ;&
    swagger) ;&
    endpoint)
        # Use existing host bits when testing is to happen inside a container
        # since this script will run again in that environment.
        # shellcheck disable=SC2154
        if ((CONTAINER==0)) && [[ "$TEST_ENVIRON" == "host" ]]; then
            remove_packaged_podman_files
            make install PREFIX=/usr ETCDIR=/etc
        fi
        ;;
    vendor) make clean ;;
    release) ;;
    *) die_unknown TEST_FLAVOR
 esac
 # Must be the very last command.  Establishes successful setup.
 echo 'export SETUP_ENVIRONMENT=1' >> /etc/environment
--- a/contrib/cirrus/shellcheck.sh
+++ b/contrib/cirrus/shellcheck.sh
@ -0,0 +1,16 @@
 #!/bin/bash
 set -eo pipefail
 # shellcheck source=./contrib/cirrus/lib.sh
 source $(dirname $0)/lib.sh
 cd $CIRRUS_WORKING_DIR
 shellcheck --color=always --format=tty \
    --shell=bash --external-sources \
    --enable add-default-case,avoid-nullary-conditions,check-unassigned-uppercase \
    --exclude SC2046,SC2034,SC2090,SC2064 \
    --wiki-link-count=0 --severity=warning \
    $SCRIPT_BASE/*.sh
 echo "Shellcheck: PASS"
--- a/contrib/cirrus/system_test.sh
+++ b/contrib/cirrus/system_test.sh
@ -1,65 +0,0 @@
 #!/usr/bin/env bash
 set -e
 source $(dirname $0)/lib.sh
 req_env_var GOSRC SCRIPT_BASE OS_RELEASE_ID OS_RELEASE_VER CONTAINER_RUNTIME VARLINK_LOG
 LOCAL_OR_REMOTE=local
 if [[ "$RCLI" = "true" ]]; then
    LOCAL_OR_REMOTE=remote
 fi
 # Our name must be of the form xxxx_test or xxxx_test.sh, where xxxx is
 # the test suite to run; currently (2019-05) the only option is 'integration'
 # but pr2947 intends to add 'system'.
 TESTSUITE=$(expr $(basename $0) : '\(.*\)_test')
 if [[ -z $TESTSUITE ]]; then
    die 1 "Script name is not of the form xxxx_test.sh"
 fi
 cd "$GOSRC"
 case "$SPECIALMODE" in
    in_podman)
        ${CONTAINER_RUNTIME} run --rm --privileged --net=host --cgroupns=host \
            -v $GOSRC:$GOSRC:Z \
            --workdir $GOSRC \
            -e "CGROUP_MANAGER=cgroupfs" \
            -e "STORAGE_OPTIONS=--storage-driver=vfs" \
            -e "CRIO_ROOT=$GOSRC" \
            -e "PODMAN_BINARY=/usr/bin/podman" \
            -e "CONMON_BINARY=/usr/libexec/podman/conmon" \
            -e "DIST=$OS_RELEASE_ID" \
            -e "CONTAINER_RUNTIME=$CONTAINER_RUNTIME" \
            $IN_PODMAN_IMAGE bash $GOSRC/$SCRIPT_BASE/container_test.sh -b -i -t
        ;;
    rootless)
        req_env_var ROOTLESS_USER
        ssh $ROOTLESS_USER@localhost \
                -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no \
                -o CheckHostIP=no $GOSRC/$SCRIPT_BASE/rootless_test.sh ${TESTSUITE} ${LOCAL_OR_REMOTE}
        ;;
    endpoint)
        make
        make install PREFIX=/usr ETCDIR=/etc
        make test-binaries
        make endpoint
        ;;
    bindings)
 	    make
        make install PREFIX=/usr ETCDIR=/etc
 	    export PATH=$PATH:`pwd`/hack
 	    cd pkg/bindings/test && ginkgo -trace -noColor -debug  -r
 	;;
    none)
        make
        make install PREFIX=/usr ETCDIR=/etc
        make test-binaries
        make .install.bats
        make ${LOCAL_OR_REMOTE}${TESTSUITE} PODMAN_SERVER_LOG=$PODMAN_SERVER_LOG
        ;;
    *)
        die 110 "Unsupported \$SPECIALMODE: $SPECIALMODE"
 esac
--- a/contrib/cirrus/unit_test.sh
+++ b/contrib/cirrus/unit_test.sh
@ -1,22 +0,0 @@
 #!/usr/bin/env bash
 set -e
 source $(dirname $0)/lib.sh
 req_env_var GOSRC
 cd "$GOSRC"
 make install.tools
 make localunit
 case "$SPECIALMODE" in
    in_podman) ;&
    bindings) ;&
    rootless) ;&
    none)
        make
        ;;
    *)
        die 109 "Unsupported \$SPECIAL_MODE: $SPECIALMODE"
 esac
--- a/contrib/cirrus/update_meta.sh
+++ b/contrib/cirrus/update_meta.sh
@ -1,22 +0,0 @@
 #!/usr/bin/env bash
 source $(dirname $0)/lib.sh
 # N/B: This script is expected to wrap $ENTRYPOINT when executing under the
 #      'meta' Cirrus task on the libpod repo.
 ENTRYPOINT=/usr/local/bin/entrypoint.sh
 req_env_var IMGNAMES BUILDID REPOREF GCPJSON GCPNAME GCPPROJECT CIRRUS_CI
 [[ -x "$ENTRYPOINT" ]] || \
    die 2 "Expecting to find an installed entrypoint script $ENTRYPOINT."
 # A better way of checking isn't compatible with old but functional images
 # in-use by other repos.
 grep -q 'compute images update' "$ENTRYPOINT" || \
    die 3 "Expecting to be running inside a specific imgts container image"
 canonicalize_image_names
 # Executing inside a container; proper hand-off for process control
 exec $ENTRYPOINT
--- a/contrib/cirrus/upload_release_archive.sh
+++ b/contrib/cirrus/upload_release_archive.sh
@ -1,90 +0,0 @@
 #!/usr/bin/env bash
 set -eo pipefail
 source $(dirname $0)/lib.sh
 req_env_var CI UPLDREL_IMAGE CIRRUS_BUILD_ID GOSRC RELEASE_GCPJSON RELEASE_GCPNAME RELEASE_GCPROJECT
 [[ "$CI" == "true" ]] || \
    die 56 "$0 must be run under Cirrus-CI to function"
 SWAGGER_FILEPATH="pkg/api/swagger.yaml"
 # We store "releases" for each PR, mostly to validate the process is functional
 unset PR_OR_BRANCH BUCKET
 if [[ -n "$CIRRUS_PR" ]]
 then
    PR_OR_BRANCH="pr$CIRRUS_PR"
    BUCKET="libpod-pr-releases"
 elif [[ -n "$CIRRUS_BRANCH" ]]
 then
    # Only release binaries for docs
    if [[ $CIRRUS_TASK_NAME =~ "docs" ]]
    then
        PR_OR_BRANCH="$CIRRUS_BRANCH"
        BUCKET="libpod-$CIRRUS_BRANCH-releases"
    else
        warn "" "Skipping release processing for non-docs task."
        exit 0
    fi
 else
    die 1 "Expecting either \$CIRRUS_PR or \$CIRRUS_BRANCH to be non-empty."
 fi
 # Functional local podman required for uploading
 echo "Verifying a local, functional podman, building one if necessary."
 [[ -n "$(type -P podman)" ]] || \
    make install PREFIX=/usr || \
    die 57 "$0 requires working podman binary on path to function"
 TMPF=$(mktemp -p '' $(basename $0)_XXXX.json)
 trap "rm -f $TMPF" EXIT
 set +x
 echo "$RELEASE_GCPJSON" > "$TMPF"
 [[ "$OS_RELEASE_ID" == "ubuntu" ]] || \
    chcon -t container_file_t "$TMPF"
 unset RELEASE_GCPJSON
 cd $GOSRC
 for filename in $(ls -1 $SWAGGER_FILEPATH)
 do
    unset EXT
    EXT=$(echo "$filename" | sed -r -e 's/.+\.(.+$)/\1/g')
    if [[ -z "$EXT" ]] || [[ "$EXT" == "$filename" ]]
    then
        echo "Warning: Not processing $filename (invalid extension '$EXT')"
        continue
    fi
    if [[ "$EXT" =~ "gz" ]]
    then
        EXT="tar.gz"
    fi
    if [[ $filename == $SWAGGER_FILEPATH ]]
    then
        # Support other tools referencing branch and/or version-specific refs.
        TO_FILENAME="swagger-${RELEASE_VERSION}-${PR_OR_BRANCH}.yaml"
        # For doc. ref. this must always be a static filename, e.g. swagger-latest-master.yaml
        ALSO_FILENAME="swagger-latest-${PR_OR_BRANCH}.yaml"
    else
        die "Uploading non-docs files has been disabled"
    fi
    [[ "$OS_RELEASE_ID" == "ubuntu" ]] || \
        chcon -t container_file_t "$filename"
    echo "Running podman ... $UPLDREL_IMAGE for $filename -> $TO_FILENAME"
    podman run -i --rm \
        -e "GCPNAME=$RELEASE_GCPNAME" \
        -e "GCPPROJECT=$RELEASE_GCPROJECT" \
        -e "GCPJSON_FILEPATH=$TMPF" \
        -e "FROM_FILEPATH=/tmp/$filename" \
        -e "TO_FILENAME=$TO_FILENAME" \
        -e "ALSO_FILENAME=$ALSO_FILENAME" \
        -e "PR_OR_BRANCH=$PR_OR_BRANCH" \
        -e "BUCKET=$BUCKET" \
        -v "$TMPF:$TMPF:ro" \
        -v "$(realpath $GOSRC/$filename):/tmp/$filename:ro" \
        $UPLDREL_IMAGE
 done