preparation for remote-client create container

to prepare for being able to remotely run a container, we need to
perform a refactor to get code out of main because it is not
reusable.  the shared location is a good starting spot though
eventually some will likely end up in pkg/spec/ at some point.

Signed-off-by: baude <bbaude@redhat.com>

5 files changed, 1807 insertions, 0 deletions

diff --git a/cmd/podman/shared/create.go b/cmd/podman/shared/create.go
new file mode 100644
index 000000000..bfd05d53e
--- /dev/null
+++ b/cmd/podman/shared/create.go
@@ -0,0 +1,837 @@
+package shared
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"syscall"
+
+	"github.com/containers/image/manifest"
+	"github.com/containers/libpod/cmd/podman/cliconfig"
+	"github.com/containers/libpod/cmd/podman/shared/parse"
+	"github.com/containers/libpod/libpod"
+	"github.com/containers/libpod/libpod/image"
+	ann "github.com/containers/libpod/pkg/annotations"
+	"github.com/containers/libpod/pkg/inspect"
+	ns "github.com/containers/libpod/pkg/namespaces"
+	"github.com/containers/libpod/pkg/rootless"
+	cc "github.com/containers/libpod/pkg/spec"
+	"github.com/containers/libpod/pkg/util"
+	"github.com/docker/docker/pkg/signal"
+	"github.com/docker/go-connections/nat"
+	"github.com/docker/go-units"
+	spec "github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/opencontainers/selinux/go-selinux/label"
+	"github.com/opentracing/opentracing-go"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+// getContext returns a non-nil, empty context
+func getContext() context.Context {
+	return context.TODO()
+}
+
+func CreateContainer(ctx context.Context, c *cliconfig.PodmanCommand, runtime *libpod.Runtime) (*libpod.Container, *cc.CreateConfig, error) {
+	var (
+		hasHealthCheck bool
+		healthCheck    *manifest.Schema2HealthConfig
+	)
+	if c.Bool("trace") {
+		span, _ := opentracing.StartSpanFromContext(ctx, "createContainer")
+		defer span.Finish()
+	}
+
+	rtc := runtime.GetConfig()
+	rootfs := ""
+	if c.Bool("rootfs") {
+		rootfs = c.InputArgs[0]
+	}
+
+	var err error
+	var cidFile *os.File
+	if c.IsSet("cidfile") && os.Geteuid() == 0 {
+		cidFile, err = libpod.OpenExclusiveFile(c.String("cidfile"))
+		if err != nil && os.IsExist(err) {
+			return nil, nil, errors.Errorf("container id file exists. Ensure another container is not using it or delete %s", c.String("cidfile"))
+		}
+		if err != nil {
+			return nil, nil, errors.Errorf("error opening cidfile %s", c.String("cidfile"))
+		}
+		defer cidFile.Close()
+		defer cidFile.Sync()
+	}
+
+	imageName := ""
+	var data *inspect.ImageData = nil
+
+	if rootfs == "" && !rootless.SkipStorageSetup() {
+		var writer io.Writer
+		if !c.Bool("quiet") {
+			writer = os.Stderr
+		}
+
+		newImage, err := runtime.ImageRuntime().New(ctx, c.InputArgs[0], rtc.SignaturePolicyPath, "", writer, nil, image.SigningOptions{}, false, nil)
+		if err != nil {
+			return nil, nil, err
+		}
+		data, err = newImage.Inspect(ctx)
+		names := newImage.Names()
+		if len(names) > 0 {
+			imageName = names[0]
+		} else {
+			imageName = newImage.ID()
+		}
+
+		// add healthcheck if it exists AND is correct mediatype
+		_, mediaType, err := newImage.Manifest(ctx)
+		if err != nil {
+			return nil, nil, errors.Wrapf(err, "unable to determine mediatype of image %s", newImage.ID())
+		}
+		if mediaType == manifest.DockerV2Schema2MediaType {
+			healthCheck, err = newImage.GetHealthCheck(ctx)
+			if err != nil {
+				return nil, nil, errors.Wrapf(err, "unable to get healthcheck for %s", c.InputArgs[0])
+			}
+			if healthCheck != nil {
+				hasHealthCheck = true
+			}
+		}
+	}
+	createConfig, err := ParseCreateOpts(ctx, c, runtime, imageName, data)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	// Because parseCreateOpts does derive anything from the image, we add health check
+	// at this point. The rest is done by WithOptions.
+	createConfig.HasHealthCheck = hasHealthCheck
+	createConfig.HealthCheck = healthCheck
+
+	ctr, err := CreateContainerFromCreateConfig(runtime, createConfig, ctx, nil)
+	if err != nil {
+		return nil, nil, err
+	}
+	if cidFile != nil {
+		_, err = cidFile.WriteString(ctr.ID())
+		if err != nil {
+			logrus.Error(err)
+		}
+
+	}
+
+	logrus.Debugf("New container created %q", ctr.ID())
+	return ctr, createConfig, nil
+}
+
+func parseSecurityOpt(config *cc.CreateConfig, securityOpts []string) error {
+	var (
+		labelOpts []string
+	)
+
+	if config.PidMode.IsHost() {
+		labelOpts = append(labelOpts, label.DisableSecOpt()...)
+	} else if config.PidMode.IsContainer() {
+		ctr, err := config.Runtime.LookupContainer(config.PidMode.Container())
+		if err != nil {
+			return errors.Wrapf(err, "container %q not found", config.PidMode.Container())
+		}
+		secopts, err := label.DupSecOpt(ctr.ProcessLabel())
+		if err != nil {
+			return errors.Wrapf(err, "failed to duplicate label %q ", ctr.ProcessLabel())
+		}
+		labelOpts = append(labelOpts, secopts...)
+	}
+
+	if config.IpcMode.IsHost() {
+		labelOpts = append(labelOpts, label.DisableSecOpt()...)
+	} else if config.IpcMode.IsContainer() {
+		ctr, err := config.Runtime.LookupContainer(config.IpcMode.Container())
+		if err != nil {
+			return errors.Wrapf(err, "container %q not found", config.IpcMode.Container())
+		}
+		secopts, err := label.DupSecOpt(ctr.ProcessLabel())
+		if err != nil {
+			return errors.Wrapf(err, "failed to duplicate label %q ", ctr.ProcessLabel())
+		}
+		labelOpts = append(labelOpts, secopts...)
+	}
+
+	for _, opt := range securityOpts {
+		if opt == "no-new-privileges" {
+			config.NoNewPrivs = true
+		} else {
+			con := strings.SplitN(opt, "=", 2)
+			if len(con) != 2 {
+				return fmt.Errorf("Invalid --security-opt 1: %q", opt)
+			}
+
+			switch con[0] {
+			case "label":
+				labelOpts = append(labelOpts, con[1])
+			case "apparmor":
+				config.ApparmorProfile = con[1]
+			case "seccomp":
+				config.SeccompProfilePath = con[1]
+			default:
+				return fmt.Errorf("Invalid --security-opt 2: %q", opt)
+			}
+		}
+	}
+
+	if config.SeccompProfilePath == "" {
+		if _, err := os.Stat(libpod.SeccompOverridePath); err == nil {
+			config.SeccompProfilePath = libpod.SeccompOverridePath
+		} else {
+			if !os.IsNotExist(err) {
+				return errors.Wrapf(err, "can't check if %q exists", libpod.SeccompOverridePath)
+			}
+			if _, err := os.Stat(libpod.SeccompDefaultPath); err != nil {
+				if !os.IsNotExist(err) {
+					return errors.Wrapf(err, "can't check if %q exists", libpod.SeccompDefaultPath)
+				}
+			} else {
+				config.SeccompProfilePath = libpod.SeccompDefaultPath
+			}
+		}
+	}
+	config.LabelOpts = labelOpts
+	return nil
+}
+
+func configureEntrypoint(c *cliconfig.PodmanCommand, data *inspect.ImageData) []string {
+	entrypoint := []string{}
+	if c.IsSet("entrypoint") {
+		// Force entrypoint to ""
+		if c.String("entrypoint") == "" {
+			return entrypoint
+		}
+		// Check if entrypoint specified is json
+		if err := json.Unmarshal([]byte(c.String("entrypoint")), &entrypoint); err == nil {
+			return entrypoint
+		}
+		// Return entrypoint as a single command
+		return []string{c.String("entrypoint")}
+	}
+	if data != nil {
+		return data.Config.Entrypoint
+	}
+	return entrypoint
+}
+
+func configurePod(c *cliconfig.PodmanCommand, runtime *libpod.Runtime, namespaces map[string]string, podName string) (map[string]string, error) {
+	pod, err := runtime.LookupPod(podName)
+	if err != nil {
+		return namespaces, err
+	}
+	podInfraID, err := pod.InfraContainerID()
+	if err != nil {
+		return namespaces, err
+	}
+	if (namespaces["pid"] == cc.Pod) || (!c.IsSet("pid") && pod.SharesPID()) {
+		namespaces["pid"] = fmt.Sprintf("container:%s", podInfraID)
+	}
+	if (namespaces["net"] == cc.Pod) || (!c.IsSet("net") && !c.IsSet("network") && pod.SharesNet()) {
+		namespaces["net"] = fmt.Sprintf("container:%s", podInfraID)
+	}
+	if (namespaces["user"] == cc.Pod) || (!c.IsSet("user") && pod.SharesUser()) {
+		namespaces["user"] = fmt.Sprintf("container:%s", podInfraID)
+	}
+	if (namespaces["ipc"] == cc.Pod) || (!c.IsSet("ipc") && pod.SharesIPC()) {
+		namespaces["ipc"] = fmt.Sprintf("container:%s", podInfraID)
+	}
+	if (namespaces["uts"] == cc.Pod) || (!c.IsSet("uts") && pod.SharesUTS()) {
+		namespaces["uts"] = fmt.Sprintf("container:%s", podInfraID)
+	}
+	return namespaces, nil
+}
+
+// Parses CLI options related to container creation into a config which can be
+// parsed into an OCI runtime spec
+func ParseCreateOpts(ctx context.Context, c *cliconfig.PodmanCommand, runtime *libpod.Runtime, imageName string, data *inspect.ImageData) (*cc.CreateConfig, error) {
+	var (
+		inputCommand, command                                    []string
+		memoryLimit, memoryReservation, memorySwap, memoryKernel int64
+		blkioWeight                                              uint16
+		namespaces                                               map[string]string
+	)
+	if c.IsSet("restart") {
+		return nil, errors.Errorf("--restart option is not supported.\nUse systemd unit files for restarting containers")
+	}
+
+	idmappings, err := util.ParseIDMapping(c.StringSlice("uidmap"), c.StringSlice("gidmap"), c.String("subuidname"), c.String("subgidname"))
+	if err != nil {
+		return nil, err
+	}
+
+	if c.String("mac-address") != "" {
+		return nil, errors.Errorf("--mac-address option not currently supported")
+	}
+
+	imageID := ""
+
+	inputCommand = c.InputArgs[1:]
+	if data != nil {
+		imageID = data.ID
+	}
+
+	rootfs := ""
+	if c.Bool("rootfs") {
+		rootfs = c.InputArgs[0]
+	}
+
+	sysctl, err := validateSysctl(c.StringSlice("sysctl"))
+	if err != nil {
+		return nil, errors.Wrapf(err, "invalid value for sysctl")
+	}
+
+	if c.String("memory") != "" {
+		memoryLimit, err = units.RAMInBytes(c.String("memory"))
+		if err != nil {
+			return nil, errors.Wrapf(err, "invalid value for memory")
+		}
+	}
+	if c.String("memory-reservation") != "" {
+		memoryReservation, err = units.RAMInBytes(c.String("memory-reservation"))
+		if err != nil {
+			return nil, errors.Wrapf(err, "invalid value for memory-reservation")
+		}
+	}
+	if c.String("memory-swap") != "" {
+		memorySwap, err = units.RAMInBytes(c.String("memory-swap"))
+		if err != nil {
+			return nil, errors.Wrapf(err, "invalid value for memory-swap")
+		}
+	}
+	if c.String("kernel-memory") != "" {
+		memoryKernel, err = units.RAMInBytes(c.String("kernel-memory"))
+		if err != nil {
+			return nil, errors.Wrapf(err, "invalid value for kernel-memory")
+		}
+	}
+	if c.String("blkio-weight") != "" {
+		u, err := strconv.ParseUint(c.String("blkio-weight"), 10, 16)
+		if err != nil {
+			return nil, errors.Wrapf(err, "invalid value for blkio-weight")
+		}
+		blkioWeight = uint16(u)
+	}
+	var mountList []spec.Mount
+	if mountList, err = parseMounts(c.StringArray("mount")); err != nil {
+		return nil, err
+	}
+
+	if err = parseVolumes(c.StringArray("volume")); err != nil {
+		return nil, err
+	}
+
+	if err = parseVolumesFrom(c.StringSlice("volumes-from")); err != nil {
+		return nil, err
+	}
+
+	tty := c.Bool("tty")
+
+	if c.Flag("cpu-period").Changed && c.Flag("cpus").Changed {
+		return nil, errors.Errorf("--cpu-period and --cpus cannot be set together")
+	}
+	if c.Flag("cpu-quota").Changed && c.Flag("cpus").Changed {
+		return nil, errors.Errorf("--cpu-quota and --cpus cannot be set together")
+	}
+
+	// EXPOSED PORTS
+	var portBindings map[nat.Port][]nat.PortBinding
+	if data != nil {
+		portBindings, err = cc.ExposedPorts(c.StringSlice("expose"), c.StringSlice("publish"), c.Bool("publish-all"), data.Config.ExposedPorts)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	// Kernel Namespaces
+	// TODO Fix handling of namespace from pod
+	// Instead of integrating here, should be done in libpod
+	// However, that also involves setting up security opts
+	// when the pod's namespace is integrated
+	namespaceNet := c.String("network")
+	if c.Flag("net").Changed {
+		namespaceNet = c.String("net")
+	}
+	namespaces = map[string]string{
+		"pid":  c.String("pid"),
+		"net":  namespaceNet,
+		"ipc":  c.String("ipc"),
+		"user": c.String("userns"),
+		"uts":  c.String("uts"),
+	}
+
+	originalPodName := c.String("pod")
+	podName := strings.Replace(originalPodName, "new:", "", 1)
+	// after we strip out :new, make sure there is something left for a pod name
+	if len(podName) < 1 && c.IsSet("pod") {
+		return nil, errors.Errorf("new pod name must be at least one character")
+	}
+	if c.IsSet("pod") {
+		if strings.HasPrefix(originalPodName, "new:") {
+			if rootless.IsRootless() {
+				// To create a new pod, we must immediately create the userns.
+				became, ret, err := rootless.BecomeRootInUserNS()
+				if err != nil {
+					return nil, err
+				}
+				if became {
+					os.Exit(ret)
+				}
+			}
+			// pod does not exist; lets make it
+			var podOptions []libpod.PodCreateOption
+			podOptions = append(podOptions, libpod.WithPodName(podName), libpod.WithInfraContainer(), libpod.WithPodCgroups())
+			if len(portBindings) > 0 {
+				ociPortBindings, err := cc.NatToOCIPortBindings(portBindings)
+				if err != nil {
+					return nil, err
+				}
+				podOptions = append(podOptions, libpod.WithInfraContainerPorts(ociPortBindings))
+			}
+
+			podNsOptions, err := GetNamespaceOptions(strings.Split(DefaultKernelNamespaces, ","))
+			if err != nil {
+				return nil, err
+			}
+			podOptions = append(podOptions, podNsOptions...)
+			// make pod
+			pod, err := runtime.NewPod(ctx, podOptions...)
+			if err != nil {
+				return nil, err
+			}
+			logrus.Debugf("pod %s created by new container request", pod.ID())
+
+			// The container now cannot have port bindings; so we reset the map
+			portBindings = make(map[nat.Port][]nat.PortBinding)
+		}
+		namespaces, err = configurePod(c, runtime, namespaces, podName)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	pidMode := ns.PidMode(namespaces["pid"])
+	if !cc.Valid(string(pidMode), pidMode) {
+		return nil, errors.Errorf("--pid %q is not valid", c.String("pid"))
+	}
+
+	usernsMode := ns.UsernsMode(namespaces["user"])
+	if !cc.Valid(string(usernsMode), usernsMode) {
+		return nil, errors.Errorf("--userns %q is not valid", namespaces["user"])
+	}
+
+	utsMode := ns.UTSMode(namespaces["uts"])
+	if !cc.Valid(string(utsMode), utsMode) {
+		return nil, errors.Errorf("--uts %q is not valid", namespaces["uts"])
+	}
+
+	ipcMode := ns.IpcMode(namespaces["ipc"])
+	if !cc.Valid(string(ipcMode), ipcMode) {
+		return nil, errors.Errorf("--ipc %q is not valid", ipcMode)
+	}
+
+	// Make sure if network is set to container namespace, port binding is not also being asked for
+	netMode := ns.NetworkMode(namespaces["net"])
+	if netMode.IsContainer() {
+		if len(portBindings) > 0 {
+			return nil, errors.Errorf("cannot set port bindings on an existing container network namespace")
+		}
+	}
+
+	// USER
+	user := c.String("user")
+	if user == "" {
+		if data == nil {
+			user = "0"
+		} else {
+			user = data.Config.User
+		}
+	}
+
+	// STOP SIGNAL
+	stopSignal := syscall.SIGTERM
+	signalString := ""
+	if data != nil {
+		signalString = data.Config.StopSignal
+	}
+	if c.IsSet("stop-signal") {
+		signalString = c.String("stop-signal")
+	}
+	if signalString != "" {
+		stopSignal, err = signal.ParseSignal(signalString)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	// ENVIRONMENT VARIABLES
+	env := defaultEnvVariables
+	if data != nil {
+		for _, e := range data.Config.Env {
+			split := strings.SplitN(e, "=", 2)
+			if len(split) > 1 {
+				env[split[0]] = split[1]
+			} else {
+				env[split[0]] = ""
+			}
+		}
+	}
+	if err := parse.ReadKVStrings(env, c.StringSlice("env-file"), c.StringSlice("env")); err != nil {
+		return nil, errors.Wrapf(err, "unable to process environment variables")
+	}
+
+	// LABEL VARIABLES
+	labels, err := GetAllLabels(c.StringSlice("label-file"), c.StringArray("label"))
+	if err != nil {
+		return nil, errors.Wrapf(err, "unable to process labels")
+	}
+	if data != nil {
+		for key, val := range data.Config.Labels {
+			if _, ok := labels[key]; !ok {
+				labels[key] = val
+			}
+		}
+	}
+
+	// ANNOTATIONS
+	annotations := make(map[string]string)
+	// First, add our default annotations
+	annotations[ann.ContainerType] = "sandbox"
+	annotations[ann.TTY] = "false"
+	if tty {
+		annotations[ann.TTY] = "true"
+	}
+	if data != nil {
+		// Next, add annotations from the image
+		for key, value := range data.Annotations {
+			annotations[key] = value
+		}
+	}
+	// Last, add user annotations
+	for _, annotation := range c.StringSlice("annotation") {
+		splitAnnotation := strings.SplitN(annotation, "=", 2)
+		if len(splitAnnotation) < 2 {
+			return nil, errors.Errorf("Annotations must be formatted KEY=VALUE")
+		}
+		annotations[splitAnnotation[0]] = splitAnnotation[1]
+	}
+
+	// WORKING DIRECTORY
+	workDir := "/"
+	if c.IsSet("workdir") || c.IsSet("w") {
+		workDir = c.String("workdir")
+	} else if data != nil && data.Config.WorkingDir != "" {
+		workDir = data.Config.WorkingDir
+	}
+
+	entrypoint := configureEntrypoint(c, data)
+	// Build the command
+	// If we have an entry point, it goes first
+	if len(entrypoint) > 0 {
+		command = entrypoint
+	}
+	if len(inputCommand) > 0 {
+		// User command overrides data CMD
+		command = append(command, inputCommand...)
+	} else if data != nil && len(data.Config.Cmd) > 0 && !c.IsSet("entrypoint") {
+		// If not user command, add CMD
+		command = append(command, data.Config.Cmd...)
+	}
+
+	if data != nil && len(command) == 0 {
+		return nil, errors.Errorf("No command specified on command line or as CMD or ENTRYPOINT in this image")
+	}
+
+	// SHM Size
+	shmSize, err := units.FromHumanSize(c.String("shm-size"))
+	if err != nil {
+		return nil, errors.Wrapf(err, "unable to translate --shm-size")
+	}
+
+	// Verify the additional hosts are in correct format
+	for _, host := range c.StringSlice("add-host") {
+		if _, err := parse.ValidateExtraHost(host); err != nil {
+			return nil, err
+		}
+	}
+
+	// Check for . and dns-search domains
+	if util.StringInSlice(".", c.StringSlice("dns-search")) && len(c.StringSlice("dns-search")) > 1 {
+		return nil, errors.Errorf("cannot pass additional search domains when also specifying '.'")
+	}
+
+	// Validate domains are good
+	for _, dom := range c.StringSlice("dns-search") {
+		if _, err := parse.ValidateDomain(dom); err != nil {
+			return nil, err
+		}
+	}
+
+	var ImageVolumes map[string]struct{}
+	if data != nil && c.String("image-volume") != "ignore" {
+		ImageVolumes = data.Config.Volumes
+	}
+
+	var imageVolType = map[string]string{
+		"bind":   "",
+		"tmpfs":  "",
+		"ignore": "",
+	}
+	if _, ok := imageVolType[c.String("image-volume")]; !ok {
+		return nil, errors.Errorf("invalid image-volume type %q. Pick one of bind, tmpfs, or ignore", c.String("image-volume"))
+	}
+
+	var systemd bool
+	if command != nil && c.Bool("systemd") && ((filepath.Base(command[0]) == "init") || (filepath.Base(command[0]) == "systemd")) {
+		systemd = true
+		if signalString == "" {
+			stopSignal, err = signal.ParseSignal("RTMIN+3")
+			if err != nil {
+				return nil, errors.Wrapf(err, "error parsing systemd signal")
+			}
+		}
+	}
+	// This is done because cobra cannot have two aliased flags. So we have to check
+	// both
+	network := c.String("network")
+	if c.Flag("net").Changed {
+		network = c.String("net")
+	}
+
+	var memorySwappiness int64
+	if c.Flags().Lookup("memory-swappiness") != nil {
+		memorySwappiness, _ = c.Flags().GetInt64("memory-swappiness")
+	}
+	config := &cc.CreateConfig{
+		Runtime:           runtime,
+		Annotations:       annotations,
+		BuiltinImgVolumes: ImageVolumes,
+		ConmonPidFile:     c.String("conmon-pidfile"),
+		ImageVolumeType:   c.String("image-volume"),
+		CapAdd:            c.StringSlice("cap-add"),
+		CapDrop:           c.StringSlice("cap-drop"),
+		CgroupParent:      c.String("cgroup-parent"),
+		Command:           command,
+		Detach:            c.Bool("detach"),
+		Devices:           c.StringSlice("device"),
+		DNSOpt:            c.StringSlice("dns-opt"),
+		DNSSearch:         c.StringSlice("dns-search"),
+		DNSServers:        c.StringSlice("dns"),
+		Entrypoint:        entrypoint,
+		Env:               env,
+		//ExposedPorts:   ports,
+		GroupAdd:    c.StringSlice("group-add"),
+		Hostname:    c.String("hostname"),
+		HostAdd:     c.StringSlice("add-host"),
+		IDMappings:  idmappings,
+		Image:       imageName,
+		ImageID:     imageID,
+		Interactive: c.Bool("interactive"),
+		//IP6Address:     c.String("ipv6"), // Not implemented yet - needs CNI support for static v6
+		IPAddress: c.String("ip"),
+		Labels:    labels,
+		//LinkLocalIP:    c.StringSlice("link-local-ip"), // Not implemented yet
+		LogDriver:    c.String("log-driver"),
+		LogDriverOpt: c.StringSlice("log-opt"),
+		MacAddress:   c.String("mac-address"),
+		Name:         c.String("name"),
+		Network:      network,
+		//NetworkAlias:   c.StringSlice("network-alias"), // Not implemented - does this make sense in Podman?
+		IpcMode:        ipcMode,
+		NetMode:        netMode,
+		UtsMode:        utsMode,
+		PidMode:        pidMode,
+		Pod:            podName,
+		Privileged:     c.Bool("privileged"),
+		Publish:        c.StringSlice("publish"),
+		PublishAll:     c.Bool("publish-all"),
+		PortBindings:   portBindings,
+		Quiet:          c.Bool("quiet"),
+		ReadOnlyRootfs: c.Bool("read-only"),
+		Resources: cc.CreateResourceConfig{
+			BlkioWeight:       blkioWeight,
+			BlkioWeightDevice: c.StringSlice("blkio-weight-device"),
+			CPUShares:         c.Uint64("cpu-shares"),
+			CPUPeriod:         c.Uint64("cpu-period"),
+			CPUsetCPUs:        c.String("cpuset-cpus"),
+			CPUsetMems:        c.String("cpuset-mems"),
+			CPUQuota:          c.Int64("cpu-quota"),
+			CPURtPeriod:       c.Uint64("cpu-rt-period"),
+			CPURtRuntime:      c.Int64("cpu-rt-runtime"),
+			CPUs:              c.Float64("cpus"),
+			DeviceReadBps:     c.StringSlice("device-read-bps"),
+			DeviceReadIOps:    c.StringSlice("device-read-iops"),
+			DeviceWriteBps:    c.StringSlice("device-write-bps"),
+			DeviceWriteIOps:   c.StringSlice("device-write-iops"),
+			DisableOomKiller:  c.Bool("oom-kill-disable"),
+			ShmSize:           shmSize,
+			Memory:            memoryLimit,
+			MemoryReservation: memoryReservation,
+			MemorySwap:        memorySwap,
+			MemorySwappiness:  int(memorySwappiness),
+			KernelMemory:      memoryKernel,
+			OomScoreAdj:       c.Int("oom-score-adj"),
+			PidsLimit:         c.Int64("pids-limit"),
+			Ulimit:            c.StringSlice("ulimit"),
+		},
+		Rm:          c.Bool("rm"),
+		StopSignal:  stopSignal,
+		StopTimeout: c.Uint("stop-timeout"),
+		Sysctl:      sysctl,
+		Systemd:     systemd,
+		Tmpfs:       c.StringSlice("tmpfs"),
+		Tty:         tty,
+		User:        user,
+		UsernsMode:  usernsMode,
+		Mounts:      mountList,
+		Volumes:     c.StringArray("volume"),
+		WorkDir:     workDir,
+		Rootfs:      rootfs,
+		VolumesFrom: c.StringSlice("volumes-from"),
+		Syslog:      c.GlobalFlags.Syslog,
+	}
+	if c.Bool("init") {
+		initPath := c.String("init-path")
+		if initPath == "" {
+			initPath = runtime.GetConfig().InitPath
+		}
+		if err := config.AddContainerInitBinary(initPath); err != nil {
+			return nil, err
+		}
+	}
+
+	if config.Privileged {
+		config.LabelOpts = label.DisableSecOpt()
+	} else {
+		if err := parseSecurityOpt(config, c.StringArray("security-opt")); err != nil {
+			return nil, err
+		}
+	}
+	config.SecurityOpts = c.StringArray("security-opt")
+	warnings, err := verifyContainerResources(config, false)
+	if err != nil {
+		return nil, err
+	}
+	for _, warning := range warnings {
+		fmt.Fprintln(os.Stderr, warning)
+	}
+	return config, nil
+}
+
+type namespace interface {
+	IsContainer() bool
+	Container() string
+}
+
+func joinOrCreateRootlessUserNamespace(createConfig *cc.CreateConfig, runtime *libpod.Runtime) (bool, int, error) {
+	if os.Geteuid() == 0 {
+		return false, 0, nil
+	}
+
+	if createConfig.Pod != "" {
+		pod, err := runtime.LookupPod(createConfig.Pod)
+		if err != nil {
+			return false, -1, err
+		}
+		inspect, err := pod.Inspect()
+		for _, ctr := range inspect.Containers {
+			prevCtr, err := runtime.LookupContainer(ctr.ID)
+			if err != nil {
+				return false, -1, err
+			}
+			s, err := prevCtr.State()
+			if err != nil {
+				return false, -1, err
+			}
+			if s != libpod.ContainerStateRunning && s != libpod.ContainerStatePaused {
+				continue
+			}
+			data, err := ioutil.ReadFile(prevCtr.Config().ConmonPidFile)
+			if err != nil {
+				return false, -1, errors.Wrapf(err, "cannot read conmon PID file %q", prevCtr.Config().ConmonPidFile)
+			}
+			conmonPid, err := strconv.Atoi(string(data))
+			if err != nil {
+				return false, -1, errors.Wrapf(err, "cannot parse PID %q", data)
+			}
+			return rootless.JoinDirectUserAndMountNS(uint(conmonPid))
+		}
+	}
+
+	namespacesStr := []string{string(createConfig.IpcMode), string(createConfig.NetMode), string(createConfig.UsernsMode), string(createConfig.PidMode), string(createConfig.UtsMode)}
+	for _, i := range namespacesStr {
+		if cc.IsNS(i) {
+			return rootless.JoinNSPath(cc.NS(i))
+		}
+	}
+
+	namespaces := []namespace{createConfig.IpcMode, createConfig.NetMode, createConfig.UsernsMode, createConfig.PidMode, createConfig.UtsMode}
+	for _, i := range namespaces {
+		if i.IsContainer() {
+			ctr, err := runtime.LookupContainer(i.Container())
+			if err != nil {
+				return false, -1, err
+			}
+			pid, err := ctr.PID()
+			if err != nil {
+				return false, -1, err
+			}
+			if pid == 0 {
+				if createConfig.Pod != "" {
+					continue
+				}
+				return false, -1, errors.Errorf("dependency container %s is not running", ctr.ID())
+			}
+			return rootless.JoinNS(uint(pid), 0)
+		}
+	}
+	return rootless.BecomeRootInUserNS()
+}
+
+func CreateContainerFromCreateConfig(r *libpod.Runtime, createConfig *cc.CreateConfig, ctx context.Context, pod *libpod.Pod) (*libpod.Container, error) {
+	runtimeSpec, err := cc.CreateConfigToOCISpec(createConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	options, err := createConfig.GetContainerCreateOptions(r, pod)
+	if err != nil {
+		return nil, err
+	}
+	became, ret, err := joinOrCreateRootlessUserNamespace(createConfig, r)
+	if err != nil {
+		return nil, err
+	}
+	if became {
+		os.Exit(ret)
+	}
+
+	ctr, err := r.NewContainer(ctx, runtimeSpec, options...)
+	if err != nil {
+		return nil, err
+	}
+
+	createConfigJSON, err := json.Marshal(createConfig)
+	if err != nil {
+		return nil, err
+	}
+	if err := ctr.AddArtifact("create-config", createConfigJSON); err != nil {
+		return nil, err
+	}
+	return ctr, nil
+}
+
+var defaultEnvVariables = map[string]string{
+	"PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+	"TERM": "xterm",
+}
diff --git a/cmd/podman/shared/create_cli.go b/cmd/podman/shared/create_cli.go
new file mode 100644
index 000000000..4f9cb1699
--- /dev/null
+++ b/cmd/podman/shared/create_cli.go
@@ -0,0 +1,394 @@
+package shared
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/containers/libpod/cmd/podman/shared/parse"
+	cc "github.com/containers/libpod/pkg/spec"
+	"github.com/containers/libpod/pkg/sysinfo"
+	"github.com/docker/go-units"
+	spec "github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+const (
+	// It's not kernel limit, we want this 4M limit to supply a reasonable functional container
+	linuxMinMemory = 4194304
+)
+
+// GetAllLabels ...
+func GetAllLabels(labelFile, inputLabels []string) (map[string]string, error) {
+	labels := make(map[string]string)
+	labelErr := parse.ReadKVStrings(labels, labelFile, inputLabels)
+	if labelErr != nil {
+		return labels, errors.Wrapf(labelErr, "unable to process labels from --label and label-file")
+	}
+	return labels, nil
+}
+
+// validateSysctl validates a sysctl and returns it.
+func validateSysctl(strSlice []string) (map[string]string, error) {
+	sysctl := make(map[string]string)
+	validSysctlMap := map[string]bool{
+		"kernel.msgmax":          true,
+		"kernel.msgmnb":          true,
+		"kernel.msgmni":          true,
+		"kernel.sem":             true,
+		"kernel.shmall":          true,
+		"kernel.shmmax":          true,
+		"kernel.shmmni":          true,
+		"kernel.shm_rmid_forced": true,
+	}
+	validSysctlPrefixes := []string{
+		"net.",
+		"fs.mqueue.",
+	}
+
+	for _, val := range strSlice {
+		foundMatch := false
+		arr := strings.Split(val, "=")
+		if len(arr) < 2 {
+			return nil, errors.Errorf("%s is invalid, sysctl values must be in the form of KEY=VALUE", val)
+		}
+		if validSysctlMap[arr[0]] {
+			sysctl[arr[0]] = arr[1]
+			continue
+		}
+
+		for _, prefix := range validSysctlPrefixes {
+			if strings.HasPrefix(arr[0], prefix) {
+				sysctl[arr[0]] = arr[1]
+				foundMatch = true
+				break
+			}
+		}
+		if !foundMatch {
+			return nil, errors.Errorf("sysctl '%s' is not whitelisted", arr[0])
+		}
+	}
+	return sysctl, nil
+}
+
+func addWarning(warnings []string, msg string) []string {
+	logrus.Warn(msg)
+	return append(warnings, msg)
+}
+
+// Format supported.
+// podman run --mount type=bind,src=/etc/resolv.conf,target=/etc/resolv.conf ...
+// podman run --mount type=tmpfs,target=/dev/shm ..
+func parseMounts(mounts []string) ([]spec.Mount, error) {
+	// TODO(vrothberg): the manual parsing can be replaced with a regular expression
+	//                  to allow a more robust parsing of the mount format and to give
+	//                  precise errors regarding supported format versus suppored options.
+	var mountList []spec.Mount
+	errInvalidSyntax := errors.Errorf("incorrect mount format: should be --mount type=<bind|tmpfs>,[src=<host-dir>,]target=<ctr-dir>[,options]")
+	for _, mount := range mounts {
+		var tokenCount int
+		var mountInfo spec.Mount
+
+		arr := strings.SplitN(mount, ",", 2)
+		if len(arr) < 2 {
+			return nil, errors.Wrapf(errInvalidSyntax, "%q", mount)
+		}
+		kv := strings.Split(arr[0], "=")
+		if kv[0] != "type" {
+			return nil, errors.Wrapf(errInvalidSyntax, "%q", mount)
+		}
+		switch kv[1] {
+		case "bind":
+			mountInfo.Type = string(cc.TypeBind)
+		case "tmpfs":
+			mountInfo.Type = string(cc.TypeTmpfs)
+			mountInfo.Source = string(cc.TypeTmpfs)
+			mountInfo.Options = append(mountInfo.Options, []string{"rprivate", "noexec", "nosuid", "nodev", "size=65536k"}...)
+
+		default:
+			return nil, errors.Errorf("invalid filesystem type %q", kv[1])
+		}
+
+		tokens := strings.Split(arr[1], ",")
+		for i, val := range tokens {
+			if i == (tokenCount - 1) {
+				//Parse tokens before options.
+				break
+			}
+			kv := strings.Split(val, "=")
+			switch kv[0] {
+			case "ro", "nosuid", "nodev", "noexec":
+				mountInfo.Options = append(mountInfo.Options, kv[0])
+			case "shared", "rshared", "private", "rprivate", "slave", "rslave", "Z", "z":
+				if mountInfo.Type != "bind" {
+					return nil, errors.Errorf("%s can only be used with bind mounts", kv[0])
+				}
+				mountInfo.Options = append(mountInfo.Options, kv[0])
+			case "tmpfs-mode":
+				if mountInfo.Type != "tmpfs" {
+					return nil, errors.Errorf("%s can only be used with tmpfs mounts", kv[0])
+				}
+				mountInfo.Options = append(mountInfo.Options, fmt.Sprintf("mode=%s", kv[1]))
+			case "tmpfs-size":
+				if mountInfo.Type != "tmpfs" {
+					return nil, errors.Errorf("%s can only be used with tmpfs mounts", kv[0])
+				}
+				shmSize, err := units.FromHumanSize(kv[1])
+				if err != nil {
+					return nil, errors.Wrapf(err, "unable to translate tmpfs-size")
+				}
+
+				mountInfo.Options = append(mountInfo.Options, fmt.Sprintf("size=%d", shmSize))
+
+			case "bind-propagation":
+				if mountInfo.Type != "bind" {
+					return nil, errors.Errorf("%s can only be used with bind mounts", kv[0])
+				}
+				mountInfo.Options = append(mountInfo.Options, kv[1])
+			case "src", "source":
+				if mountInfo.Type == "tmpfs" {
+					return nil, errors.Errorf("cannot use src= on a tmpfs file system")
+				}
+				if err := ValidateVolumeHostDir(kv[1]); err != nil {
+					return nil, err
+				}
+				mountInfo.Source = kv[1]
+			case "target", "dst", "destination":
+				if err := ValidateVolumeCtrDir(kv[1]); err != nil {
+					return nil, err
+				}
+				mountInfo.Destination = kv[1]
+			default:
+				return nil, errors.Errorf("incorrect mount option : %s", kv[0])
+			}
+		}
+		mountList = append(mountList, mountInfo)
+	}
+	return mountList, nil
+}
+
+func parseVolumes(volumes []string) error {
+	for _, volume := range volumes {
+		arr := strings.SplitN(volume, ":", 3)
+		if len(arr) < 2 {
+			return errors.Errorf("incorrect volume format %q, should be host-dir:ctr-dir[:option]", volume)
+		}
+		if err := ValidateVolumeHostDir(arr[0]); err != nil {
+			return err
+		}
+		if err := ValidateVolumeCtrDir(arr[1]); err != nil {
+			return err
+		}
+		if len(arr) > 2 {
+			if err := validateVolumeOpts(arr[2]); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func parseVolumesFrom(volumesFrom []string) error {
+	for _, vol := range volumesFrom {
+		arr := strings.SplitN(vol, ":", 2)
+		if len(arr) == 2 {
+			if strings.Contains(arr[1], "Z") || strings.Contains(arr[1], "private") || strings.Contains(arr[1], "slave") || strings.Contains(arr[1], "shared") {
+				return errors.Errorf("invalid options %q, can only specify 'ro', 'rw', and 'z", arr[1])
+			}
+			if err := validateVolumeOpts(arr[1]); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+// ValidateVolumeHostDir ...
+func ValidateVolumeHostDir(hostDir string) error {
+	if len(hostDir) == 0 {
+		return errors.Errorf("host directory cannot be empty")
+	}
+	if filepath.IsAbs(hostDir) {
+		if _, err := os.Stat(hostDir); err != nil {
+			return errors.Wrapf(err, "error checking path %q", hostDir)
+		}
+	}
+	// If hostDir is not an absolute path, that means the user wants to create a
+	// named volume. This will be done later on in the code.
+	return nil
+}
+
+// ValidateVolumeCtrDir ...
+func ValidateVolumeCtrDir(ctrDir string) error {
+	if len(ctrDir) == 0 {
+		return errors.Errorf("container directory cannot be empty")
+	}
+	if !filepath.IsAbs(ctrDir) {
+		return errors.Errorf("invalid container path, must be an absolute path %q", ctrDir)
+	}
+	return nil
+}
+
+func validateVolumeOpts(option string) error {
+	var foundRootPropagation, foundRWRO, foundLabelChange int
+	options := strings.Split(option, ",")
+	for _, opt := range options {
+		switch opt {
+		case "rw", "ro":
+			foundRWRO++
+			if foundRWRO > 1 {
+				return errors.Errorf("invalid options %q, can only specify 1 'rw' or 'ro' option", option)
+			}
+		case "z", "Z":
+			foundLabelChange++
+			if foundLabelChange > 1 {
+				return errors.Errorf("invalid options %q, can only specify 1 'z' or 'Z' option", option)
+			}
+		case "private", "rprivate", "shared", "rshared", "slave", "rslave":
+			foundRootPropagation++
+			if foundRootPropagation > 1 {
+				return errors.Errorf("invalid options %q, can only specify 1 '[r]shared', '[r]private' or '[r]slave' option", option)
+			}
+		default:
+			return errors.Errorf("invalid option type %q", option)
+		}
+	}
+	return nil
+}
+
+func verifyContainerResources(config *cc.CreateConfig, update bool) ([]string, error) {
+	warnings := []string{}
+	sysInfo := sysinfo.New(true)
+
+	// memory subsystem checks and adjustments
+	if config.Resources.Memory != 0 && config.Resources.Memory < linuxMinMemory {
+		return warnings, fmt.Errorf("minimum memory limit allowed is 4MB")
+	}
+	if config.Resources.Memory > 0 && !sysInfo.MemoryLimit {
+		warnings = addWarning(warnings, "Your kernel does not support memory limit capabilities or the cgroup is not mounted. Limitation discarded.")
+		config.Resources.Memory = 0
+		config.Resources.MemorySwap = -1
+	}
+	if config.Resources.Memory > 0 && config.Resources.MemorySwap != -1 && !sysInfo.SwapLimit {
+		warnings = addWarning(warnings, "Your kernel does not support swap limit capabilities,or the cgroup is not mounted. Memory limited without swap.")
+		config.Resources.MemorySwap = -1
+	}
+	if config.Resources.Memory > 0 && config.Resources.MemorySwap > 0 && config.Resources.MemorySwap < config.Resources.Memory {
+		return warnings, fmt.Errorf("minimum memoryswap limit should be larger than memory limit, see usage")
+	}
+	if config.Resources.Memory == 0 && config.Resources.MemorySwap > 0 && !update {
+		return warnings, fmt.Errorf("you should always set the memory limit when using memoryswap limit, see usage")
+	}
+	if config.Resources.MemorySwappiness != -1 {
+		if !sysInfo.MemorySwappiness {
+			msg := "Your kernel does not support memory swappiness capabilities, or the cgroup is not mounted. Memory swappiness discarded."
+			warnings = addWarning(warnings, msg)
+			config.Resources.MemorySwappiness = -1
+		} else {
+			swappiness := config.Resources.MemorySwappiness
+			if swappiness < -1 || swappiness > 100 {
+				return warnings, fmt.Errorf("invalid value: %v, valid memory swappiness range is 0-100", swappiness)
+			}
+		}
+	}
+	if config.Resources.MemoryReservation > 0 && !sysInfo.MemoryReservation {
+		warnings = addWarning(warnings, "Your kernel does not support memory soft limit capabilities or the cgroup is not mounted. Limitation discarded.")
+		config.Resources.MemoryReservation = 0
+	}
+	if config.Resources.MemoryReservation > 0 && config.Resources.MemoryReservation < linuxMinMemory {
+		return warnings, fmt.Errorf("minimum memory reservation allowed is 4MB")
+	}
+	if config.Resources.Memory > 0 && config.Resources.MemoryReservation > 0 && config.Resources.Memory < config.Resources.MemoryReservation {
+		return warnings, fmt.Errorf("minimum memory limit cannot be less than memory reservation limit, see usage")
+	}
+	if config.Resources.KernelMemory > 0 && !sysInfo.KernelMemory {
+		warnings = addWarning(warnings, "Your kernel does not support kernel memory limit capabilities or the cgroup is not mounted. Limitation discarded.")
+		config.Resources.KernelMemory = 0
+	}
+	if config.Resources.KernelMemory > 0 && config.Resources.KernelMemory < linuxMinMemory {
+		return warnings, fmt.Errorf("minimum kernel memory limit allowed is 4MB")
+	}
+	if config.Resources.DisableOomKiller == true && !sysInfo.OomKillDisable {
+		// only produce warnings if the setting wasn't to *disable* the OOM Kill; no point
+		// warning the caller if they already wanted the feature to be off
+		warnings = addWarning(warnings, "Your kernel does not support OomKillDisable. OomKillDisable discarded.")
+		config.Resources.DisableOomKiller = false
+	}
+
+	if config.Resources.PidsLimit != 0 && !sysInfo.PidsLimit {
+		warnings = addWarning(warnings, "Your kernel does not support pids limit capabilities or the cgroup is not mounted. PIDs limit discarded.")
+		config.Resources.PidsLimit = 0
+	}
+
+	if config.Resources.CPUShares > 0 && !sysInfo.CPUShares {
+		warnings = addWarning(warnings, "Your kernel does not support CPU shares or the cgroup is not mounted. Shares discarded.")
+		config.Resources.CPUShares = 0
+	}
+	if config.Resources.CPUPeriod > 0 && !sysInfo.CPUCfsPeriod {
+		warnings = addWarning(warnings, "Your kernel does not support CPU cfs period or the cgroup is not mounted. Period discarded.")
+		config.Resources.CPUPeriod = 0
+	}
+	if config.Resources.CPUPeriod != 0 && (config.Resources.CPUPeriod < 1000 || config.Resources.CPUPeriod > 1000000) {
+		return warnings, fmt.Errorf("CPU cfs period cannot be less than 1ms (i.e. 1000) or larger than 1s (i.e. 1000000)")
+	}
+	if config.Resources.CPUQuota > 0 && !sysInfo.CPUCfsQuota {
+		warnings = addWarning(warnings, "Your kernel does not support CPU cfs quota or the cgroup is not mounted. Quota discarded.")
+		config.Resources.CPUQuota = 0
+	}
+	if config.Resources.CPUQuota > 0 && config.Resources.CPUQuota < 1000 {
+		return warnings, fmt.Errorf("CPU cfs quota cannot be less than 1ms (i.e. 1000)")
+	}
+	// cpuset subsystem checks and adjustments
+	if (config.Resources.CPUsetCPUs != "" || config.Resources.CPUsetMems != "") && !sysInfo.Cpuset {
+		warnings = addWarning(warnings, "Your kernel does not support cpuset or the cgroup is not mounted. CPUset discarded.")
+		config.Resources.CPUsetCPUs = ""
+		config.Resources.CPUsetMems = ""
+	}
+	cpusAvailable, err := sysInfo.IsCpusetCpusAvailable(config.Resources.CPUsetCPUs)
+	if err != nil {
+		return warnings, fmt.Errorf("invalid value %s for cpuset cpus", config.Resources.CPUsetCPUs)
+	}
+	if !cpusAvailable {
+		return warnings, fmt.Errorf("requested CPUs are not available - requested %s, available: %s", config.Resources.CPUsetCPUs, sysInfo.Cpus)
+	}
+	memsAvailable, err := sysInfo.IsCpusetMemsAvailable(config.Resources.CPUsetMems)
+	if err != nil {
+		return warnings, fmt.Errorf("invalid value %s for cpuset mems", config.Resources.CPUsetMems)
+	}
+	if !memsAvailable {
+		return warnings, fmt.Errorf("requested memory nodes are not available - requested %s, available: %s", config.Resources.CPUsetMems, sysInfo.Mems)
+	}
+
+	// blkio subsystem checks and adjustments
+	if config.Resources.BlkioWeight > 0 && !sysInfo.BlkioWeight {
+		warnings = addWarning(warnings, "Your kernel does not support Block I/O weight or the cgroup is not mounted. Weight discarded.")
+		config.Resources.BlkioWeight = 0
+	}
+	if config.Resources.BlkioWeight > 0 && (config.Resources.BlkioWeight < 10 || config.Resources.BlkioWeight > 1000) {
+		return warnings, fmt.Errorf("range of blkio weight is from 10 to 1000")
+	}
+	if len(config.Resources.BlkioWeightDevice) > 0 && !sysInfo.BlkioWeightDevice {
+		warnings = addWarning(warnings, "Your kernel does not support Block I/O weight_device or the cgroup is not mounted. Weight-device discarded.")
+		config.Resources.BlkioWeightDevice = []string{}
+	}
+	if len(config.Resources.DeviceReadBps) > 0 && !sysInfo.BlkioReadBpsDevice {
+		warnings = addWarning(warnings, "Your kernel does not support BPS Block I/O read limit or the cgroup is not mounted. Block I/O BPS read limit discarded")
+		config.Resources.DeviceReadBps = []string{}
+	}
+	if len(config.Resources.DeviceWriteBps) > 0 && !sysInfo.BlkioWriteBpsDevice {
+		warnings = addWarning(warnings, "Your kernel does not support BPS Block I/O write limit or the cgroup is not mounted. Block I/O BPS write limit discarded.")
+		config.Resources.DeviceWriteBps = []string{}
+	}
+	if len(config.Resources.DeviceReadIOps) > 0 && !sysInfo.BlkioReadIOpsDevice {
+		warnings = addWarning(warnings, "Your kernel does not support IOPS Block read limit or the cgroup is not mounted. Block I/O IOPS read limit discarded.")
+		config.Resources.DeviceReadIOps = []string{}
+	}
+	if len(config.Resources.DeviceWriteIOps) > 0 && !sysInfo.BlkioWriteIOpsDevice {
+		warnings = addWarning(warnings, "Your kernel does not support IOPS Block I/O write limit or the cgroup is not mounted. Block I/O IOPS write limit discarded.")
+		config.Resources.DeviceWriteIOps = []string{}
+	}
+
+	return warnings, nil
+}
diff --git a/cmd/podman/shared/create_cli_test.go b/cmd/podman/shared/create_cli_test.go
new file mode 100644
index 000000000..fea1a2390
--- /dev/null
+++ b/cmd/podman/shared/create_cli_test.go
@@ -0,0 +1,70 @@
+package shared
+
+import (
+	"io/ioutil"
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+var (
+	Var1 = []string{"ONE=1", "TWO=2"}
+)
+
+func createTmpFile(content []byte) (string, error) {
+	tmpfile, err := ioutil.TempFile(os.TempDir(), "unittest")
+	if err != nil {
+		return "", err
+	}
+
+	if _, err := tmpfile.Write(content); err != nil {
+		return "", err
+
+	}
+	if err := tmpfile.Close(); err != nil {
+		return "", err
+	}
+	return tmpfile.Name(), nil
+}
+
+func TestValidateSysctl(t *testing.T) {
+	strSlice := []string{"net.core.test1=4", "kernel.msgmax=2"}
+	result, _ := validateSysctl(strSlice)
+	assert.Equal(t, result["net.core.test1"], "4")
+}
+
+func TestValidateSysctlBadSysctl(t *testing.T) {
+	strSlice := []string{"BLAU=BLUE", "GELB^YELLOW"}
+	_, err := validateSysctl(strSlice)
+	assert.Error(t, err)
+}
+
+func TestGetAllLabels(t *testing.T) {
+	fileLabels := []string{}
+	labels, _ := GetAllLabels(fileLabels, Var1)
+	assert.Equal(t, len(labels), 2)
+}
+
+func TestGetAllLabelsBadKeyValue(t *testing.T) {
+	inLabels := []string{"=badValue", "="}
+	fileLabels := []string{}
+	_, err := GetAllLabels(fileLabels, inLabels)
+	assert.Error(t, err, assert.AnError)
+}
+
+func TestGetAllLabelsBadLabelFile(t *testing.T) {
+	fileLabels := []string{"/foobar5001/be"}
+	_, err := GetAllLabels(fileLabels, Var1)
+	assert.Error(t, err, assert.AnError)
+}
+
+func TestGetAllLabelsFile(t *testing.T) {
+	content := []byte("THREE=3")
+	tFile, err := createTmpFile(content)
+	defer os.Remove(tFile)
+	assert.NoError(t, err)
+	fileLabels := []string{tFile}
+	result, _ := GetAllLabels(fileLabels, Var1)
+	assert.Equal(t, len(result), 3)
+}
diff --git a/cmd/podman/shared/parse/parse.go b/cmd/podman/shared/parse/parse.go
new file mode 100644
index 000000000..a3751835b
--- /dev/null
+++ b/cmd/podman/shared/parse/parse.go
@@ -0,0 +1,504 @@
+//nolint
+// most of these validate and parse functions have been taken from projectatomic/docker
+// and modified for cri-o
+package parse
+
+import (
+	"bufio"
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net"
+	"os"
+	"path"
+	"regexp"
+	"strconv"
+	"strings"
+
+	"github.com/pkg/errors"
+)
+
+const (
+	Protocol_TCP Protocol = 0
+	Protocol_UDP Protocol = 1
+)
+
+type Protocol int32
+
+// PortMapping specifies the port mapping configurations of a sandbox.
+type PortMapping struct {
+	// Protocol of the port mapping.
+	Protocol Protocol `protobuf:"varint,1,opt,name=protocol,proto3,enum=runtime.Protocol" json:"protocol,omitempty"`
+	// Port number within the container. Default: 0 (not specified).
+	ContainerPort int32 `protobuf:"varint,2,opt,name=container_port,json=containerPort,proto3" json:"container_port,omitempty"`
+	// Port number on the host. Default: 0 (not specified).
+	HostPort int32 `protobuf:"varint,3,opt,name=host_port,json=hostPort,proto3" json:"host_port,omitempty"`
+	// Host IP.
+	HostIp string `protobuf:"bytes,4,opt,name=host_ip,json=hostIp,proto3" json:"host_ip,omitempty"`
+}
+
+// Note: for flags that are in the form <number><unit>, use the RAMInBytes function
+// from the units package in docker/go-units/size.go
+
+var (
+	whiteSpaces  = " \t"
+	alphaRegexp  = regexp.MustCompile(`[a-zA-Z]`)
+	domainRegexp = regexp.MustCompile(`^(:?(:?[a-zA-Z0-9]|(:?[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9]))(:?\.(:?[a-zA-Z0-9]|(:?[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])))*)\.?\s*$`)
+)
+
+// validateExtraHost validates that the specified string is a valid extrahost and returns it.
+// ExtraHost is in the form of name:ip where the ip has to be a valid ip (ipv4 or ipv6).
+// for add-host flag
+func ValidateExtraHost(val string) (string, error) { //nolint
+	// allow for IPv6 addresses in extra hosts by only splitting on first ":"
+	arr := strings.SplitN(val, ":", 2)
+	if len(arr) != 2 || len(arr[0]) == 0 {
+		return "", fmt.Errorf("bad format for add-host: %q", val)
+	}
+	if _, err := validateIPAddress(arr[1]); err != nil {
+		return "", fmt.Errorf("invalid IP address in add-host: %q", arr[1])
+	}
+	return val, nil
+}
+
+// validateIPAddress validates an Ip address.
+// for dns, ip, and ip6 flags also
+func validateIPAddress(val string) (string, error) {
+	var ip = net.ParseIP(strings.TrimSpace(val))
+	if ip != nil {
+		return ip.String(), nil
+	}
+	return "", fmt.Errorf("%s is not an ip address", val)
+}
+
+// validateAttach validates that the specified string is a valid attach option.
+// for attach flag
+func validateAttach(val string) (string, error) { //nolint
+	s := strings.ToLower(val)
+	for _, str := range []string{"stdin", "stdout", "stderr"} {
+		if s == str {
+			return s, nil
+		}
+	}
+	return val, fmt.Errorf("valid streams are STDIN, STDOUT and STDERR")
+}
+
+// validate the blkioWeight falls in the range of 10 to 1000
+// for blkio-weight flag
+func validateBlkioWeight(val int64) (int64, error) { //nolint
+	if val >= 10 && val <= 1000 {
+		return val, nil
+	}
+	return -1, errors.Errorf("invalid blkio weight %q, should be between 10 and 1000", val)
+}
+
+func validatePath(val string, validator func(string) bool) (string, error) {
+	var containerPath string
+	var mode string
+
+	if strings.Count(val, ":") > 2 {
+		return val, fmt.Errorf("bad format for path: %s", val)
+	}
+
+	split := strings.SplitN(val, ":", 3)
+	if split[0] == "" {
+		return val, fmt.Errorf("bad format for path: %s", val)
+	}
+	switch len(split) {
+	case 1:
+		containerPath = split[0]
+		val = path.Clean(containerPath)
+	case 2:
+		if isValid := validator(split[1]); isValid {
+			containerPath = split[0]
+			mode = split[1]
+			val = fmt.Sprintf("%s:%s", path.Clean(containerPath), mode)
+		} else {
+			containerPath = split[1]
+			val = fmt.Sprintf("%s:%s", split[0], path.Clean(containerPath))
+		}
+	case 3:
+		containerPath = split[1]
+		mode = split[2]
+		if isValid := validator(split[2]); !isValid {
+			return val, fmt.Errorf("bad mode specified: %s", mode)
+		}
+		val = fmt.Sprintf("%s:%s:%s", split[0], containerPath, mode)
+	}
+
+	if !path.IsAbs(containerPath) {
+		return val, fmt.Errorf("%s is not an absolute path", containerPath)
+	}
+	return val, nil
+}
+
+// validateDNSSearch validates domain for resolvconf search configuration.
+// A zero length domain is represented by a dot (.).
+// for dns-search flag
+func validateDNSSearch(val string) (string, error) { //nolint
+	if val = strings.Trim(val, " "); val == "." {
+		return val, nil
+	}
+	return ValidateDomain(val)
+}
+
+func ValidateDomain(val string) (string, error) {
+	if alphaRegexp.FindString(val) == "" {
+		return "", fmt.Errorf("%s is not a valid domain", val)
+	}
+	ns := domainRegexp.FindSubmatch([]byte(val))
+	if len(ns) > 0 && len(ns[1]) < 255 {
+		return string(ns[1]), nil
+	}
+	return "", fmt.Errorf("%s is not a valid domain", val)
+}
+
+// validateEnv validates an environment variable and returns it.
+// If no value is specified, it returns the current value using os.Getenv.
+// for env flag
+func validateEnv(val string) (string, error) { //nolint
+	arr := strings.Split(val, "=")
+	if len(arr) > 1 {
+		return val, nil
+	}
+	if !doesEnvExist(val) {
+		return val, nil
+	}
+	return fmt.Sprintf("%s=%s", val, os.Getenv(val)), nil
+}
+
+func doesEnvExist(name string) bool {
+	for _, entry := range os.Environ() {
+		parts := strings.SplitN(entry, "=", 2)
+		if parts[0] == name {
+			return true
+		}
+	}
+	return false
+}
+
+// reads a file of line terminated key=value pairs, and overrides any keys
+// present in the file with additional pairs specified in the override parameter
+// for env-file and labels-file flags
+func ReadKVStrings(env map[string]string, files []string, override []string) error {
+	for _, ef := range files {
+		if err := parseEnvFile(env, ef); err != nil {
+			return err
+		}
+	}
+	for _, line := range override {
+		if err := parseEnv(env, line); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func parseEnv(env map[string]string, line string) error {
+	data := strings.SplitN(line, "=", 2)
+
+	// catch invalid variables such as "=" or "=A"
+	if data[0] == "" {
+		return errors.Errorf("invalid environment variable: %q", line)
+	}
+
+	// trim the front of a variable, but nothing else
+	name := strings.TrimLeft(data[0], whiteSpaces)
+	if strings.ContainsAny(name, whiteSpaces) {
+		return errors.Errorf("name %q has white spaces, poorly formatted name", name)
+	}
+
+	if len(data) > 1 {
+		env[name] = data[1]
+	} else {
+		// if only a pass-through variable is given, clean it up.
+		val, _ := os.LookupEnv(name)
+		env[name] = val
+	}
+	return nil
+}
+
+// parseEnvFile reads a file with environment variables enumerated by lines
+func parseEnvFile(env map[string]string, filename string) error {
+	fh, err := os.Open(filename)
+	if err != nil {
+		return err
+	}
+	defer fh.Close()
+
+	scanner := bufio.NewScanner(fh)
+	for scanner.Scan() {
+		// trim the line from all leading whitespace first
+		line := strings.TrimLeft(scanner.Text(), whiteSpaces)
+		// line is not empty, and not starting with '#'
+		if len(line) > 0 && !strings.HasPrefix(line, "#") {
+			if err := parseEnv(env, line); err != nil {
+				return err
+			}
+		}
+	}
+	return scanner.Err()
+}
+
+// validateLabel validates that the specified string is a valid label, and returns it.
+// Labels are in the form on key=value.
+// for label flag
+func validateLabel(val string) (string, error) { //nolint
+	if strings.Count(val, "=") < 1 {
+		return "", fmt.Errorf("bad attribute format: %s", val)
+	}
+	return val, nil
+}
+
+// validateMACAddress validates a MAC address.
+// for mac-address flag
+func validateMACAddress(val string) (string, error) { //nolint
+	_, err := net.ParseMAC(strings.TrimSpace(val))
+	if err != nil {
+		return "", err
+	}
+	return val, nil
+}
+
+// parseLoggingOpts validates the logDriver and logDriverOpts
+// for log-opt and log-driver flags
+func parseLoggingOpts(logDriver string, logDriverOpt []string) (map[string]string, error) { //nolint
+	logOptsMap := convertKVStringsToMap(logDriverOpt)
+	if logDriver == "none" && len(logDriverOpt) > 0 {
+		return map[string]string{}, errors.Errorf("invalid logging opts for driver %s", logDriver)
+	}
+	return logOptsMap, nil
+}
+
+// parsePortSpecs receives port specs in the format of ip:public:private/proto and parses
+// these in to the internal types
+// for publish, publish-all, and expose flags
+func parsePortSpecs(ports []string) ([]*PortMapping, error) { //nolint
+	var portMappings []*PortMapping
+	for _, rawPort := range ports {
+		portMapping, err := parsePortSpec(rawPort)
+		if err != nil {
+			return nil, err
+		}
+
+		portMappings = append(portMappings, portMapping...)
+	}
+	return portMappings, nil
+}
+
+func validateProto(proto string) bool {
+	for _, availableProto := range []string{"tcp", "udp"} {
+		if availableProto == proto {
+			return true
+		}
+	}
+	return false
+}
+
+// parsePortSpec parses a port specification string into a slice of PortMappings
+func parsePortSpec(rawPort string) ([]*PortMapping, error) {
+	var proto string
+	rawIP, hostPort, containerPort := splitParts(rawPort)
+	proto, containerPort = splitProtoPort(containerPort)
+
+	// Strip [] from IPV6 addresses
+	ip, _, err := net.SplitHostPort(rawIP + ":")
+	if err != nil {
+		return nil, fmt.Errorf("Invalid ip address %v: %s", rawIP, err)
+	}
+	if ip != "" && net.ParseIP(ip) == nil {
+		return nil, fmt.Errorf("Invalid ip address: %s", ip)
+	}
+	if containerPort == "" {
+		return nil, fmt.Errorf("No port specified: %s<empty>", rawPort)
+	}
+
+	startPort, endPort, err := parsePortRange(containerPort)
+	if err != nil {
+		return nil, fmt.Errorf("Invalid containerPort: %s", containerPort)
+	}
+
+	var startHostPort, endHostPort uint64 = 0, 0
+	if len(hostPort) > 0 {
+		startHostPort, endHostPort, err = parsePortRange(hostPort)
+		if err != nil {
+			return nil, fmt.Errorf("Invalid hostPort: %s", hostPort)
+		}
+	}
+
+	if hostPort != "" && (endPort-startPort) != (endHostPort-startHostPort) {
+		// Allow host port range iff containerPort is not a range.
+		// In this case, use the host port range as the dynamic
+		// host port range to allocate into.
+		if endPort != startPort {
+			return nil, fmt.Errorf("Invalid ranges specified for container and host Ports: %s and %s", containerPort, hostPort)
+		}
+	}
+
+	if !validateProto(strings.ToLower(proto)) {
+		return nil, fmt.Errorf("invalid proto: %s", proto)
+	}
+
+	protocol := Protocol_TCP
+	if strings.ToLower(proto) == "udp" {
+		protocol = Protocol_UDP
+	}
+
+	var ports []*PortMapping
+	for i := uint64(0); i <= (endPort - startPort); i++ {
+		containerPort = strconv.FormatUint(startPort+i, 10)
+		if len(hostPort) > 0 {
+			hostPort = strconv.FormatUint(startHostPort+i, 10)
+		}
+		// Set hostPort to a range only if there is a single container port
+		// and a dynamic host port.
+		if startPort == endPort && startHostPort != endHostPort {
+			hostPort = fmt.Sprintf("%s-%s", hostPort, strconv.FormatUint(endHostPort, 10))
+		}
+
+		ctrPort, err := strconv.ParseInt(containerPort, 10, 32)
+		if err != nil {
+			return nil, err
+		}
+		hPort, err := strconv.ParseInt(hostPort, 10, 32)
+		if err != nil {
+			return nil, err
+		}
+
+		port := &PortMapping{
+			Protocol:      protocol,
+			ContainerPort: int32(ctrPort),
+			HostPort:      int32(hPort),
+			HostIp:        ip,
+		}
+
+		ports = append(ports, port)
+	}
+	return ports, nil
+}
+
+// parsePortRange parses and validates the specified string as a port-range (8000-9000)
+func parsePortRange(ports string) (uint64, uint64, error) {
+	if ports == "" {
+		return 0, 0, fmt.Errorf("empty string specified for ports")
+	}
+	if !strings.Contains(ports, "-") {
+		start, err := strconv.ParseUint(ports, 10, 16)
+		end := start
+		return start, end, err
+	}
+
+	parts := strings.Split(ports, "-")
+	start, err := strconv.ParseUint(parts[0], 10, 16)
+	if err != nil {
+		return 0, 0, err
+	}
+	end, err := strconv.ParseUint(parts[1], 10, 16)
+	if err != nil {
+		return 0, 0, err
+	}
+	if end < start {
+		return 0, 0, fmt.Errorf("Invalid range specified for the Port: %s", ports)
+	}
+	return start, end, nil
+}
+
+// splitParts separates the different parts of rawPort
+func splitParts(rawport string) (string, string, string) {
+	parts := strings.Split(rawport, ":")
+	n := len(parts)
+	containerport := parts[n-1]
+
+	switch n {
+	case 1:
+		return "", "", containerport
+	case 2:
+		return "", parts[0], containerport
+	case 3:
+		return parts[0], parts[1], containerport
+	default:
+		return strings.Join(parts[:n-2], ":"), parts[n-2], containerport
+	}
+}
+
+// splitProtoPort splits a port in the format of port/proto
+func splitProtoPort(rawPort string) (string, string) {
+	parts := strings.Split(rawPort, "/")
+	l := len(parts)
+	if len(rawPort) == 0 || l == 0 || len(parts[0]) == 0 {
+		return "", ""
+	}
+	if l == 1 {
+		return "tcp", rawPort
+	}
+	if len(parts[1]) == 0 {
+		return "tcp", parts[0]
+	}
+	return parts[1], parts[0]
+}
+
+// takes a local seccomp file and reads its file contents
+// for security-opt flag
+func parseSecurityOpts(securityOpts []string) ([]string, error) { //nolint
+	for key, opt := range securityOpts {
+		con := strings.SplitN(opt, "=", 2)
+		if len(con) == 1 && con[0] != "no-new-privileges" {
+			if strings.Index(opt, ":") != -1 {
+				con = strings.SplitN(opt, ":", 2)
+			} else {
+				return securityOpts, fmt.Errorf("Invalid --security-opt: %q", opt)
+			}
+		}
+		if con[0] == "seccomp" && con[1] != "unconfined" {
+			f, err := ioutil.ReadFile(con[1])
+			if err != nil {
+				return securityOpts, fmt.Errorf("opening seccomp profile (%s) failed: %v", con[1], err)
+			}
+			b := bytes.NewBuffer(nil)
+			if err := json.Compact(b, f); err != nil {
+				return securityOpts, fmt.Errorf("compacting json for seccomp profile (%s) failed: %v", con[1], err)
+			}
+			securityOpts[key] = fmt.Sprintf("seccomp=%s", b.Bytes())
+		}
+	}
+
+	return securityOpts, nil
+}
+
+// convertKVStringsToMap converts ["key=value"] to {"key":"value"}
+func convertKVStringsToMap(values []string) map[string]string {
+	result := make(map[string]string, len(values))
+	for _, value := range values {
+		kv := strings.SplitN(value, "=", 2)
+		if len(kv) == 1 {
+			result[kv[0]] = ""
+		} else {
+			result[kv[0]] = kv[1]
+		}
+	}
+
+	return result
+}
+
+// Takes a stringslice and converts to a uint32slice
+func stringSlicetoUint32Slice(inputSlice []string) ([]uint32, error) {
+	var outputSlice []uint32
+	for _, v := range inputSlice {
+		u, err := strconv.ParseUint(v, 10, 32)
+		if err != nil {
+			return outputSlice, err
+		}
+		outputSlice = append(outputSlice, uint32(u))
+	}
+	return outputSlice, nil
+}
+
+// ValidateFileName returns an error if filename contains ":"
+// as it is currently not supported
+func ValidateFileName(filename string) error {
+	if strings.Contains(filename, ":") {
+		return errors.Errorf("invalid filename (should not contain ':') %q", filename)
+	}
+	return nil
+}
diff --git a/cmd/podman/shared/pod.go b/cmd/podman/shared/pod.go
index 5f65c40ac..4d936d61c 100644
--- a/cmd/podman/shared/pod.go
+++ b/cmd/podman/shared/pod.go
@@ -136,3 +136,5 @@ func CreatePortBindings(ports []string) ([]ocicni.PortMapping, error) {
 	}
 	return portBindings, nil
 }
+
+var DefaultKernelNamespaces = "cgroup,ipc,net,uts"