-rw-r--r-- | .cirrus.yml | 3 | ||||
-rw-r--r-- | README.md | 2 | ||||
-rw-r--r-- | RELEASE_NOTES.md | 2 | ||||
-rw-r--r-- | cmd/podman/libpodruntime/runtime.go | 6 | ||||
-rw-r--r-- | cmd/podman/shared/create_cli.go | 7 | ||||
-rw-r--r-- | contrib/cirrus/required_host_ports.txt | 4 | ||||
-rw-r--r-- | pkg/spec/spec.go | 10 | ||||
-rw-r--r-- | pkg/util/utils_supported.go | 24 | ||||
-rw-r--r-- | pkg/util/utils_windows.go | 5 | ||||
-rw-r--r-- | vendor.conf | 2 | ||||
-rw-r--r-- | vendor/github.com/containers/storage/layers.go | 4 | ||||
-rw-r--r-- | vendor/github.com/containers/storage/layers_ffjson.go | 2 | ||||
-rw-r--r-- | vendor/github.com/containers/storage/store.go | 24 |
13 files changed, 73 insertions, 22 deletions
diff --git a/.cirrus.yml b/.cirrus.yml index d26c1ec11..fe09ea988 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -123,6 +123,9 @@ gating_task: timeout_in: 20m + networking_script: # Don't bother going further if something is down + - 'while read host port; do nc -zv -w 13 $host $port || exit 1; done < ${CIRRUS_WORKING_DIR}/${SCRIPT_BASE}/required_host_ports.txt' + gate_script: # N/B: entrypoint.sh resets $GOSRC (same as make clean) - '/usr/local/bin/entrypoint.sh install.tools |& ${TIMESTAMP}' @@ -5,7 +5,7 @@ Libpod provides a library for applications looking to use the Container Pod concept, popularized by Kubernetes. Libpod also contains the Pod Manager tool `(Podman)`. Podman manages pods, containers, container images, and container volumes. -* [Latest Version: 1.2.0](https://github.com/containers/libpod/releases/latest) +* [Latest Version: 1.3.1](https://github.com/containers/libpod/releases/latest) * [Continuous Integration:](contrib/cirrus/README.md) [![Build Status](https://api.cirrus-ci.com/github/containers/libpod.svg)](https://cirrus-ci.com/github/containers/libpod/master) ## Overview and scope diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md index 109b61862..5eb85d0bc 100644 --- a/RELEASE_NOTES.md +++ b/RELEASE_NOTES.md 
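Review bot: The `networking_script` loop added to `gating_task` expands `$host` and `$port` unquoted and calls `read` without `-r`, so a blank or malformed line in required_host_ports.txt runs `nc` with missing arguments and fails the gate with a usage error rather than a clear message. A more defensive form is `while read -r host port; do [ -n "$host" ] || continue; nc -zv -w 13 "$host" "$port" || exit 1; done < ...`. A short comment at the top of the script entry saying that the file holds one `host port` pair per line would document the expected format next to the code that parses it.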
@@ -23,7 +23,7 @@ ## 1.3.0 ### Features -- Podman now supports container restart policies! The `--restart-policy` flag on `podman create` and `podman run` allows containers to be restarted after they exit. Please note that Podman cannot restart containers after a system reboot - for that, see our next feature +- Podman now supports container restart policies! The `--restart` flag on `podman create` and `podman run` allows containers to be restarted after they exit. Please note that Podman cannot restart containers after a system reboot - for that, see our next feature - Podman `podman generate systemd` command was added to generate systemd unit files for managing Podman containers - The `podman runlabel` command now allows a `$GLOBAL_OPTS` variable, which will be populated by global options passed to the `podman runlabel` command, allowing custom storage configurations to be passed into containers run with `runlabel` ([#2399](https://github.com/containers/libpod/issues/2399)) - The `podman play kube` command now allows `File` and `FileOrCreate` volumes diff --git a/cmd/podman/libpodruntime/runtime.go b/cmd/podman/libpodruntime/runtime.go index b533dc056..b8d77602d 100644 --- a/cmd/podman/libpodruntime/runtime.go +++ b/cmd/podman/libpodruntime/runtime.go @@ -107,7 +107,11 @@ func getRuntime(ctx context.Context, c *cliconfig.PodmanCommand, renumber bool, if c.Flags().Changed("cgroup-manager") { options = append(options, libpod.WithCgroupManager(c.GlobalFlags.CGroupManager)) } else { - if rootless.IsRootless() { + unified, err := util.IsCgroup2UnifiedMode() + if err != nil { + return nil, err + } + if rootless.IsRootless() && !unified { options = append(options, libpod.WithCgroupManager("cgroupfs")) } } diff --git a/cmd/podman/shared/create_cli.go b/cmd/podman/shared/create_cli.go index f731e8db5..7f158b09a 100644 --- a/cmd/podman/shared/create_cli.go +++ b/cmd/podman/shared/create_cli.go 
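Review bot: In `getRuntime`, the new `util.IsCgroup2UnifiedMode()` call runs before `rootless.IsRootless()` is consulted, so a failed statfs aborts runtime creation for root as well, although only the rootless branch uses the result. Nesting the probe limits the failure to the case that needs the answer: put the call and its error check inside `if rootless.IsRootless() {` and guard the `WithCgroupManager("cgroupfs")` append with `if !unified {`. getRuntime starts and ends outside the hunk, so whether a later step depends on the probe having run cannot be checked from here.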
@@ -7,6 +7,7 @@ import ( "github.com/containers/libpod/cmd/podman/shared/parse" cc "github.com/containers/libpod/pkg/spec" "github.com/containers/libpod/pkg/sysinfo" + "github.com/containers/libpod/pkg/util" "github.com/pkg/errors" "github.com/sirupsen/logrus" ) @@ -76,6 +77,12 @@ func addWarning(warnings []string, msg string) []string { func verifyContainerResources(config *cc.CreateConfig, update bool) ([]string, error) { warnings := []string{} + + cgroup2, err := util.IsCgroup2UnifiedMode() + if err != nil || cgroup2 { + return warnings, err + } + sysInfo := sysinfo.New(true) // memory subsystem checks and adjustments diff --git a/contrib/cirrus/required_host_ports.txt b/contrib/cirrus/required_host_ports.txt new file mode 100644 index 000000000..9248e497a --- /dev/null +++ b/contrib/cirrus/required_host_ports.txt @@ -0,0 +1,4 @@ +github.com 22 +docker.io 443 +quay.io 443 +registry.fedoraproject.org 443 diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go index 20c649f9a..c2c5e0900 100644 --- a/pkg/spec/spec.go +++ b/pkg/spec/spec.go @@ -7,6 +7,7 @@ import ( "github.com/containers/libpod/libpod" "github.com/containers/libpod/pkg/rootless" + "github.com/containers/libpod/pkg/util" pmount "github.com/containers/storage/pkg/mount" "github.com/docker/docker/oci/caps" "github.com/docker/go-units" @@ -347,10 +348,13 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM } if rootless.IsRootless() { - if addedResources { - return nil, errors.New("invalid configuration, cannot set resources with rootless containers") + cgroup2, err := util.IsCgroup2UnifiedMode() + if err != nil { + return nil, err + } + if addedResources && !cgroup2 { + return nil, errors.New("invalid configuration, cannot set resources with rootless containers not using cgroups v2 unified mode") } - configSpec.Linux.Resources = &spec.LinuxResources{} } // Make sure that the bind mounts keep options like nosuid, noexec, nodev. 
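Review bot: In `verifyContainerResources`, `if err != nil || cgroup2 { return warnings, err }` returns before the memory and other subsystem checks that follow, so on a cgroup v2 host the function validates nothing, for root and rootless callers alike, and gives no sign that it did so. If the checks are skipped because `sysinfo.New` only understands the v1 hierarchy (an inference, since sysinfo is not shown), say so in a comment such as `// sysinfo probes cgroup v1 controllers only; skip verification on the unified hierarchy`. Consider also `logrus.Debug("cgroup v2 unified mode: skipping container resource verification")` before the return; logrus is already imported in this file. The function body continues outside the hunk.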
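Review bot: The second spec.go hunk drops `configSpec.Linux.Resources = &spec.LinuxResources{}` for every rootless container, not only for those on cgroup v2, so a rootless container on a v1 host now keeps whatever resources block was built above the hunk. If that block can hold default values while `addedResources` is false (the code that fills it is outside the hunk), the OCI runtime would be asked to apply limits that a rootless v1 user cannot set. Keeping the reset for the v1 case preserves the previous behaviour: `if !cgroup2 { configSpec.Linux.Resources = &spec.LinuxResources{} }`. createConfigToOCISpec begins and ends outside the hunk.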
diff --git a/pkg/util/utils_supported.go b/pkg/util/utils_supported.go index af5e67fc1..8b98658c2 100644 --- a/pkg/util/utils_supported.go +++ b/pkg/util/utils_supported.go @@ -11,9 +11,33 @@ import ( "github.com/pkg/errors" "os" "path/filepath" + "sync" "syscall" ) +const ( + _cgroup2SuperMagic = 0x63677270 +) + +var ( + isUnifiedOnce sync.Once + isUnified bool + isUnifiedErr error +) + +// IsCgroup2UnifiedMode returns whether we are running in cgroup 2 unified mode. +func IsCgroup2UnifiedMode() (bool, error) { + isUnifiedOnce.Do(func() { + var st syscall.Statfs_t + if err := syscall.Statfs("/sys/fs/cgroup", &st); err != nil { + isUnified, isUnifiedErr = false, err + } else { + isUnified, isUnifiedErr = st.Type == _cgroup2SuperMagic, nil + } + }) + return isUnified, isUnifiedErr +} + // GetRootlessRuntimeDir returns the runtime directory when running as non root func GetRootlessRuntimeDir() (string, error) { var rootlessRuntimeDirError error diff --git a/pkg/util/utils_windows.go b/pkg/util/utils_windows.go index 1e9ccea90..b33733da9 100644 --- a/pkg/util/utils_windows.go +++ b/pkg/util/utils_windows.go @@ -10,3 +10,8 @@ import ( func GetRootlessRuntimeDir() (string, error) { return "", errors.New("this function is not implemented for windows") } + +// IsCgroup2UnifiedMode returns whether we are running in cgroup 2 unified mode. +func IsCgroup2UnifiedMode() (bool, error) { + return false, errors.New("this function is not implemented for windows") +} diff --git a/vendor.conf b/vendor.conf index b71e947dc..0b1f13304 100644 --- a/vendor.conf +++ b/vendor.conf @@ -19,7 +19,7 @@ github.com/containers/image v1.5.1 github.com/vbauerster/mpb v3.3.4 github.com/mattn/go-isatty v0.0.4 github.com/VividCortex/ewma v1.1.1 -github.com/containers/storage v1.12.6 +github.com/containers/storage v1.12.7 github.com/containers/psgo v1.2.1 github.com/coreos/go-systemd v14 github.com/coreos/pkg v4 
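Review bot: `IsCgroup2UnifiedMode` in utils_supported.go stores the raw `syscall.Statfs` error, and the three callers added by this commit return it unchanged, so a user would see only the errno text with no indication of which path was probed. `github.com/pkg/errors` is already imported in this file, so the failing branch can read `isUnified, isUnifiedErr = false, errors.Wrapf(err, "cannot statfs /sys/fs/cgroup")`. Because of `sync.Once` the result, including an error, is cached for the life of the process, which is worth stating in the doc comment. `_cgroup2SuperMagic` would also benefit from a comment such as `// CGROUP2_SUPER_MAGIC from linux/magic.h`.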
diff --git a/vendor/github.com/containers/storage/layers.go b/vendor/github.com/containers/storage/layers.go index 7bec0aea6..a35dd476b 100644 --- a/vendor/github.com/containers/storage/layers.go +++ b/vendor/github.com/containers/storage/layers.go @@ -402,12 +402,10 @@ func (r *layerStore) Save() error { if err != nil { return err } + defer r.Touch() if err := ioutils.AtomicWriteFile(rpath, jldata, 0600); err != nil { return err } - if !r.IsReadWrite() { - return nil - } r.mountsLockfile.Lock() defer r.mountsLockfile.Unlock() defer r.mountsLockfile.Touch() diff --git a/vendor/github.com/containers/storage/layers_ffjson.go b/vendor/github.com/containers/storage/layers_ffjson.go index 125b5d8c9..09b5d0f33 100644 --- a/vendor/github.com/containers/storage/layers_ffjson.go +++ b/vendor/github.com/containers/storage/layers_ffjson.go @@ -1,5 +1,5 @@ // Code generated by ffjson <https://github.com/pquerna/ffjson>. DO NOT EDIT. -// source: layers.go +// source: ./layers.go package storage diff --git a/vendor/github.com/containers/storage/store.go b/vendor/github.com/containers/storage/store.go index 27b00f6fe..9b967db6d 100644 --- a/vendor/github.com/containers/storage/store.go +++ b/vendor/github.com/containers/storage/store.go 
@@ -1197,18 +1197,20 @@ func (s *store) CreateContainer(id string, names []string, image, layer, metadat } imageID = cimage.ID - createMappedLayer := imageHomeStore == istore + if cimage.TopLayer != "" { + createMappedLayer := imageHomeStore == istore + ilayer, err := s.imageTopLayerForMapping(cimage, imageHomeStore, createMappedLayer, rlstore, lstores, idMappingsOptions) + if err != nil { + return nil, err + } + imageTopLayer = ilayer - ilayer, err := s.imageTopLayerForMapping(cimage, imageHomeStore, createMappedLayer, rlstore, lstores, idMappingsOptions) - if err != nil { - return nil, err - } - imageTopLayer = ilayer - if !options.HostUIDMapping && len(options.UIDMap) == 0 { - uidMap = ilayer.UIDMap - } - if !options.HostGIDMapping && len(options.GIDMap) == 0 { - gidMap = ilayer.GIDMap + if !options.HostUIDMapping && len(options.UIDMap) == 0 { + uidMap = ilayer.UIDMap + } + if !options.HostGIDMapping && len(options.GIDMap) == 0 { + gidMap = ilayer.GIDMap + } } } else { rlstore.Lock() |