5 files changed, 118 insertions, 54 deletions
diff --git a/docs/podman-container.1.md b/docs/podman-container.1.md
index eac3343d5..67d42bfef 100644
--- a/docs/podman-container.1.md
+++ b/docs/podman-container.1.md
@@ -38,7 +38,6 @@ The container command allows you to manage containers
 | stop     | [podman-stop(1)](podman-stop.1.md)                  | Stop one or more running containers.                                         |
 | top      | [podman-top(1)](podman-top.1.md)                    | Display the running processes of a container.                                |
 | umount   | [podman-umount(1)](podman-umount.1.md)              | Unmount a working container's root filesystem.                               |
-| unmount  | [podman-umount(1)](podman-umount.1.md)              | Unmount a working container's root filesystem.                               |
 | unpause  | [podman-unpause(1)](podman-unpause.1.md)            | Unpause one or more containers.                                              |
 | wait     | [podman-wait(1)](podman-wait.1.md)                  | Wait on one or more containers to stop and print their exit codes.           |
 
diff --git a/docs/podman.1.md b/docs/podman.1.md
index c66a9cf05..b7433d850 100644
--- a/docs/podman.1.md
+++ b/docs/podman.1.md
@@ -192,7 +192,7 @@ the exit codes follow the `chroot` standard, see below:
     When Podman runs in rootless mode, the file `$HOME/.config/containers/storage.conf` is also loaded.
 
 ## Rootless mode
-Podman can also be used as non-root user.  When podman runs in rootless mode, an user namespace is automatically created.
+Podman can also be used as non-root user.  When podman runs in rootless mode, a user namespace is automatically created for the user, defined in /etc/subuid and /etc/subgid.
 
 Containers created by a non-root user are not visible to other users and are not seen or managed by podman running as root.
 
@@ -209,13 +209,14 @@ Or just add the content manually.
 	$ echo USERNAME:10000:65536 >> /etc/subuid
 	$ echo USERNAME:10000:65536 >> /etc/subgid
 
+See the `subuid(5)` and `subgid(5)` man pages for more information.
+
 Images are pulled under `XDG_DATA_HOME` when specified, otherwise in the home directory of the user under `.local/share/containers/storage`.
 
-Currently it is not possible to create a network device, so rootless containers need to run in the host network namespace.  If a rootless container creates a network namespace,
-then only the loopback device will be available.
+Currently the slirp4netns package is required to be installed to create a network device, otherwise rootless containers need to run in the network namespace of the host.
 
 ## SEE ALSO
-`containers-mounts.conf(5)`, `containers-registries.conf(5)`, `containers-storage.conf(5)`, `crio(8)`, `libpod.conf(5)`, `oci-hooks(5)`, `policy.json(5)`
+`containers-mounts.conf(5)`, `containers-registries.conf(5)`, `containers-storage.conf(5)`, `crio(8)`, `libpod.conf(5)`, `oci-hooks(5)`, `policy.json(5)`, `subuid(5)`, `subgid(5)`, `slirp4netns(1)`
 
 ## HISTORY
 Dec 2016, Originally compiled by Dan Walsh <dwalsh@redhat.com>
diff --git a/docs/tutorials/podman_tutorial.md b/docs/tutorials/podman_tutorial.md
index d48df289f..5a8f997b8 100644
--- a/docs/tutorials/podman_tutorial.md
+++ b/docs/tutorials/podman_tutorial.md
@@ -5,10 +5,13 @@ Podman is a utility provided as part of the libpod library.  It can be used to c
 containers. The following tutorial will teach you how to set up Podman and perform some basic
 commands with Podman.
 
+**NOTE**: the code samples are intended to be run as a non-root user, and use `sudo` where
+root escalation is required.
+
 ## Install Podman on Fedora from RPM Repositories
 Fedora 27 and later provide Podman via the package manager.
 ```console
-$ sudo dnf install -y podman
+sudo dnf install -y podman
 ```
 
 ## Install Podman on Fedora from Source
@@ -18,10 +21,10 @@ acquire the source, and build it.
 
 ### Installing build and runtime dependencies
 ```console
-$ sudo dnf install -y git runc libassuan-devel golang golang-github-cpuguy83-go-md2man glibc-static \
-                                    gpgme-devel glib2-devel device-mapper-devel libseccomp-devel \
-                                    atomic-registries iptables skopeo-containers containernetworking-cni \
-                                    conmon
+sudo dnf install -y git runc libassuan-devel golang golang-github-cpuguy83-go-md2man glibc-static \
+                                  gpgme-devel glib2-devel device-mapper-devel libseccomp-devel \
+                                  atomic-registries iptables skopeo-containers containernetworking-cni \
+                                  conmon
 ```
 ### Building and installing podman
 
@@ -29,12 +32,12 @@ First, configure a `GOPATH` (if you are using go1.8 or later, this defaults to `
 and make libpod.
 
 ```console
-$ export GOPATH=~/go
-$ mkdir -p $GOPATH
-$ git clone https://github.com/containers/libpod/ $GOPATH/src/github.com/containers/libpod
-$ cd $GOPATH/src/github.com/containers/libpod
-$ make
-$ sudo make install PREFIX=/usr
+export GOPATH=~/go
+mkdir -p $GOPATH
+git clone https://github.com/containers/libpod/ $GOPATH/src/github.com/containers/libpod
+cd $GOPATH/src/github.com/containers/libpod
+make
+sudo make install PREFIX=/usr
 ```
 
 You now have a working podman environment.  Jump to [Familiarizing yourself with Podman](#familiarizing-yourself-with-podman)
@@ -50,8 +53,8 @@ tutorial. For this tutorial, the Ubuntu **artful-server-cloudimg** image was use
 
 #### Installing base packages
 ```console
-$ sudo apt-get update
-$ sudo apt-get install libdevmapper-dev libglib2.0-dev libgpgme11-dev golang libseccomp-dev \
+sudo apt-get update
+sudo apt-get install libdevmapper-dev libglib2.0-dev libgpgme11-dev golang libseccomp-dev \
                         go-md2man libprotobuf-dev libprotobuf-c0-dev libseccomp-dev python3-setuptools
 ```
 #### Building and installing conmon
@@ -59,42 +62,42 @@ First, configure a `GOPATH` (if you are using go1.8 or later, this defaults to `
 and make libpod.
 
 ```console
-$ export GOPATH=~/go
-$ mkdir -p $GOPATH
-$ git clone https://github.com/kubernetes-sigs/cri-o $GOPATH/src/github.com/kubernetes-sigs/cri-o
-$ cd $GOPATH/src/github.com/kubernetes-sigs/cri-o
-$ mkdir bin
-$ make bin/conmon
-$ sudo install -D -m 755 bin/conmon /usr/libexec/podman/conmon
+export GOPATH=~/go
+mkdir -p $GOPATH
+git clone https://github.com/kubernetes-sigs/cri-o $GOPATH/src/github.com/kubernetes-sigs/cri-o
+cd $GOPATH/src/github.com/kubernetes-sigs/cri-o
+mkdir bin
+make bin/conmon
+sudo install -D -m 755 bin/conmon /usr/libexec/podman/conmon
 ```
 #### Adding required configuration files
 ```console
-$ sudo mkdir -p /etc/containers
-$ sudo curl https://raw.githubusercontent.com/projectatomic/registries/master/registries.fedora -o /etc/containers/registries.conf
-$ sudo curl https://raw.githubusercontent.com/containers/skopeo/master/default-policy.json -o /etc/containers/policy.json
+sudo mkdir -p /etc/containers
+sudo curl https://raw.githubusercontent.com/projectatomic/registries/master/registries.fedora -o /etc/containers/registries.conf
+sudo curl https://raw.githubusercontent.com/containers/skopeo/master/default-policy.json -o /etc/containers/policy.json
 ```
 #### Installing CNI plugins
 ```console
-$ git clone https://github.com/containernetworking/plugins.git $GOPATH/src/github.com/containernetworking/plugins
-$ cd $GOPATH/src/github.com/containernetworking/plugins
-$ ./build_linux.sh
-$ sudo mkdir -p /usr/libexec/cni
-$ sudo cp bin/* /usr/libexec/cni
+git clone https://github.com/containernetworking/plugins.git $GOPATH/src/github.com/containernetworking/plugins
+cd $GOPATH/src/github.com/containernetworking/plugins
+./build_linux.sh
+sudo mkdir -p /usr/libexec/cni
+sudo cp bin/* /usr/libexec/cni
 ```
 #### Installing runc
 ```console
-$ git clone https://github.com/opencontainers/runc.git $GOPATH/src/github.com/opencontainers/runc
-$ cd $GOPATH/src/github.com/opencontainers/runc
-$ make BUILDTAGS="seccomp"
-$ sudo cp runc /usr/bin/runc
+git clone https://github.com/opencontainers/runc.git $GOPATH/src/github.com/opencontainers/runc
+cd $GOPATH/src/github.com/opencontainers/runc
+make BUILDTAGS="seccomp"
+sudo cp runc /usr/bin/runc
 ```
 
 ### Building and installing Podman
 ```console
-$ git clone https://github.com/containers/libpod/ $GOPATH/src/github.com/containers/libpod
-$ cd $GOPATH/src/github.com/containers/libpod
-$ make
-$ sudo make install PREFIX=/usr
+git clone https://github.com/containers/libpod/ $GOPATH/src/github.com/containers/libpod
+cd $GOPATH/src/github.com/containers/libpod
+make
+sudo make install PREFIX=/usr
 ```
 
 ## Familiarizing yourself with Podman
@@ -103,10 +106,10 @@ $ sudo make install PREFIX=/usr
 This sample container will run a very basic httpd server that serves only its index
 page.
 ```console
-$ sudo podman run -dt -e HTTPD_VAR_RUN=/var/run/httpd -e HTTPD_MAIN_CONF_D_PATH=/etc/httpd/conf.d \
-                    -e HTTPD_MAIN_CONF_PATH=/etc/httpd/conf \
-                    -e HTTPD_CONTAINER_SCRIPTS_PATH=/usr/share/container-scripts/httpd/ \
-                    registry.fedoraproject.org/f27/httpd /usr/bin/run-httpd
+sudo podman run -dt -e HTTPD_VAR_RUN=/var/run/httpd -e HTTPD_MAIN_CONF_D_PATH=/etc/httpd/conf.d \
+                  -e HTTPD_MAIN_CONF_PATH=/etc/httpd/conf \
+                  -e HTTPD_CONTAINER_SCRIPTS_PATH=/usr/share/container-scripts/httpd/ \
+                  registry.fedoraproject.org/f27/httpd /usr/bin/run-httpd
 ```
 Because the container is being run in detached mode, represented by the *-d* in the podman run command, podman
 will print the container ID after it has run.
@@ -114,7 +117,7 @@ will print the container ID after it has run.
 ### Listing running containers
 The Podman *ps* command is used to list creating and running containers.
 ```console
-$ sudo podman ps
+sudo podman ps
 ```
 
 Note: If you add *-a* to the *ps* command, Podman will show all containers.
@@ -134,7 +137,7 @@ Now that we have the IP address of the container, we can test the network commun
 operating system and the container using curl. The following command should display the index page of our
 containerized httpd server.
 ```console
-# curl http://<IP_address>:8080
+curl http://<IP_address>:8080
 ```
 
 ### Viewing the container's logs
@@ -163,7 +166,7 @@ With this a container can later be restored and continue running at exactly the
 checkpoint. This capability requires CRIU 3.11 or later installed on the system.
 To checkpoint the container use:
 ```console
-$ sudo podman container checkpoint <container_id>
+sudo podman container checkpoint <container_id>
 ```
 
 ### Restoring the container
@@ -171,29 +174,29 @@ Restoring a container is only possible for a previously checkpointed container.
 continue to run at exactly the same point in time it was checkpointed.
 To restore the container use:
 ```console
-$ sudo podman container restore <container_id>
+sudo podman container restore <container_id>
 ```
 
 After being restored, the container will answer requests again as it did before checkpointing.
 ```console
-# curl http://<IP_address>:8080
+curl http://<IP_address>:8080
 ```
 
 ### Stopping the container
 To stop the httpd container:
 ```console
-$ sudo podman stop --latest
+sudo podman stop --latest
 ```
 You can also check the status of one or more containers using the *ps* subcommand. In this case, we should
 use the *-a* argument to list all containers.
 ```console
-$ sudo podman ps -a
+sudo podman ps -a
 ```
 
 ### Removing the container
 To remove the httpd container:
 ```console
-$ sudo podman rm --latest
+sudo podman rm --latest
 ```
 You can verify the deletion of the container by running *podman ps -a*.
 
diff --git a/pkg/rootless/rootless_linux.go b/pkg/rootless/rootless_linux.go
index 5c45f2694..ff8c8fe34 100644
--- a/pkg/rootless/rootless_linux.go
+++ b/pkg/rootless/rootless_linux.go
@@ -187,6 +187,9 @@ func BecomeRootInUserNS() (bool, int, error) {
 	if username == "" {
 		user, err := user.LookupId(fmt.Sprintf("%d", os.Getuid()))
 		if err != nil && os.Getenv("PODMAN_ALLOW_SINGLE_ID_MAPPING_IN_USERNS") == "" {
+			if os.IsNotExist(err) {
+				return false, 0, errors.Wrapf(err, "/etc/subuid or /etc/subgid does not exist, see subuid/subgid man pages for information on these files")
+			}
 			return false, 0, errors.Wrapf(err, "could not find user by UID nor USER env was set")
 		}
 		if err == nil {
diff --git a/troubleshooting.md b/troubleshooting.md
index db36d1bb8..574196a69 100644
--- a/troubleshooting.md
+++ b/troubleshooting.md
@@ -10,7 +10,7 @@
 A large number of issues reported against Podman are often found to already be fixed
 in more current versions of the project.  Before reporting an issue, please verify the
 version you are running with `podman version` and compare it to the lastest release
-documented on the top of Podman's [README.md](README.md). 
+documented on the top of Podman's [README.md](README.md).
 
 If they differ, please update your version of PODMAN to the latest possible
 and retry your command before reporting the issue.
@@ -68,4 +68,62 @@ communicate with a registry and not use tls verification.
 
   * Turn off tls verification by passing false to the tls-verification option.
   * I.e. `podman push --tls-verify=false alpine docker://localhost:5000/myalpine:latest`
+
+---
+### 4) Rootless: could not get runtime - database configuration mismatch
+
+In Podman release 0.11.1, a default path for rootless containers was changed,
+potentially causing rootless Podman to be unable to function. The new default
+path is not a problem for new installations, but existing installations will
+need to work around it with the following fix.
+
+#### Symptom
+
+```console
+$ podman info
+could not get runtime: database run root /run/user/1000/run does not match our run root /run/user/1000: database configuration mismatch
+```
+
+#### Solution
+
+To work around the new default path, we can manually set the path Podman is
+expecting in a configuration file.
+
+First, we need to make a new local configuration file for rootless Podman.
+* `mkdir -p ~/.config/containers`
+* `cp /usr/share/containers/libpod.conf ~/.config/containers`
+
+Next, edit the new local configuration file
+(`~/.config/containers/libpod.conf`) with your favorite editor. Comment out the
+line starting with `cgroup_manager` by adding a `#` character at the beginning
+of the line, and change the path in the line starting with `tmp_dir` to point to
+the first path in the error message Podman gave (in this case,
+`/run/user/1000/run`).
+
 ---
+### 4) rootless containers cannot ping hosts
+
+When using the ping command from a non-root container, the command may
+fail because of a lack of privileges.
+
+#### Symptom
+
+```console
+$ podman run --rm fedora ping -W10 -c1 redhat.com
+PING redhat.com (209.132.183.105): 56 data bytes
+
+--- redhat.com ping statistics ---
+1 packets transmitted, 0 packets received, 100% packet loss
+```
+
+#### Solution
+
+It is most likely necessary to enable unprivileged pings on the host.
+Be sure the UID of the user is part of the range in the
+`/proc/sys/net/ipv4/ping_group_range` file.
+
+To change its value you can use something like: `sysctl -w
+"net.ipv4.ping_group_range=0 2000000"`.
+
+To make the change persistent, you'll need to add a file in
+`/etc/sysctl.d` that contains `net.ipv4.ping_group_range=0 $MAX_UID`.