-rw-r--r--docs/source/markdown/podman-container-checkpoint.1.md6
-rw-r--r--docs/source/markdown/podman-container-restore.1.md10
-rw-r--r--pkg/specgen/generate/container_create.go7
-rw-r--r--test/system/170-run-userns.bats38
4 files changed, 48 insertions, 13 deletions
diff --git a/docs/source/markdown/podman-container-checkpoint.1.md b/docs/source/markdown/podman-container-checkpoint.1.md
index 200920ca9..e54274775 100644
--- a/docs/source/markdown/podman-container-checkpoint.1.md
+++ b/docs/source/markdown/podman-container-checkpoint.1.md
@@ -9,6 +9,8 @@ podman\-container\-checkpoint - Checkpoints one or more running containers
## DESCRIPTION
**podman container checkpoint** checkpoints all the processes in one or more *containers*. A *container* can be restored from a checkpoint with **[podman-container-restore](podman-container-restore.1.md)**. The *container IDs* or *names* are used as input.
+*IMPORTANT: If the container is using __systemd__ as __entrypoint__ checkpointing the container might not be possible.*
+
## OPTIONS
#### **--all**, **-a**
@@ -37,7 +39,7 @@ root file-system, if not explicitly disabled using **--ignore-rootfs**.
If a checkpoint is exported to a tar.gz file it is possible with the help of **--ignore-rootfs** to explicitly disable including changes to the root file-system into the checkpoint archive file.\
The default is **false**.\
-*IMPORTANT: This OPTION only works in combination with **--export, -e**.*
+*IMPORTANT: This OPTION only works in combination with __--export, -e__.*
#### **--ignore-volumes**
@@ -122,7 +124,7 @@ The default is **false**.
Check out the *container* with previous criu image files in pre-dump. It only works on `runc 1.0-rc3` or `higher`.\
The default is **false**.\
-*IMPORTANT: This OPTION is not available with **--pre-checkpoint***.
+*IMPORTANT: This OPTION is not available with __--pre-checkpoint__*.
## EXAMPLES
diff --git a/docs/source/markdown/podman-container-restore.1.md b/docs/source/markdown/podman-container-restore.1.md
index a4630dedf..3dfa063b8 100644
--- a/docs/source/markdown/podman-container-restore.1.md
+++ b/docs/source/markdown/podman-container-restore.1.md
@@ -39,7 +39,7 @@ The default is **false**.\
If a *container* is restored from a checkpoint tar.gz file it is possible that it also contains all root file-system changes. With **--ignore-rootfs** it is possible to explicitly disable applying these root file-system changes to the restored *container*.\
The default is **false**.\
-*IMPORTANT: This OPTION is only available in combination with **--import, -i**.*
+*IMPORTANT: This OPTION is only available in combination with __--import, -i__.*
#### **--ignore-static-ip**
@@ -98,14 +98,14 @@ If the **--name, -n** option is used, Podman will not attempt to assign the same
address to the *container* it was using before checkpointing as each IP address can only
be used once and the restored *container* will have another IP address. This also means
that **--name, -n** cannot be used in combination with **--tcp-established**.\
-*IMPORTANT: This OPTION is only available in combination with **--import, -i**.*
+*IMPORTANT: This OPTION is only available in combination with __--import, -i__.*
#### **--pod**=*name*
Restore a container into the pod *name*. The destination pod for this restore
has to have the same namespaces shared as the pod this container was checkpointed
-from (see **[podman pod create --share](podman-pod-create.1.md#--share)**).
-*IMPORTANT: This OPTION is only available in combination with **--import, -i**.*
+from (see **[podman pod create --share](podman-pod-create.1.md#--share)**).\
+*IMPORTANT: This OPTION is only available in combination with __--import, -i__.*
This option requires at least CRIU 3.16.
@@ -168,7 +168,7 @@ Import a checkpoint file and a pre-checkpoint file.
# podman container restore --import-previous pre-checkpoint.tar.gz --import checkpoint.tar.gz
```
-Remove the container "mywebserver". Make a checkpoint of the container and export it. Restore the container with other port ranges from the exported file.
+Start the container "mywebserver". Make a checkpoint of the container and export it. Restore the container with other port ranges from the exported file.
```
$ podman run --rm -p 2345:80 -d webserver
# podman container checkpoint -l --export=dump.tar
diff --git a/pkg/specgen/generate/container_create.go b/pkg/specgen/generate/container_create.go
index 331c9393a..577a67bbe 100644
--- a/pkg/specgen/generate/container_create.go
+++ b/pkg/specgen/generate/container_create.go
@@ -9,6 +9,7 @@ import (
cdi "github.com/container-orchestrated-devices/container-device-interface/pkg"
"github.com/containers/common/libimage"
"github.com/containers/podman/v3/libpod"
+ "github.com/containers/podman/v3/pkg/namespaces"
"github.com/containers/podman/v3/pkg/specgen"
"github.com/containers/podman/v3/pkg/util"
spec "github.com/opencontainers/runtime-spec/specs-go"
@@ -96,6 +97,12 @@ func MakeContainer(ctx context.Context, rt *libpod.Runtime, s *specgen.SpecGener
return nil, nil, nil, err
}
s.UserNS = defaultNS
+
+ mappings, err := util.ParseIDMapping(namespaces.UsernsMode(s.UserNS.NSMode), nil, nil, "", "")
+ if err != nil {
+ return nil, nil, nil, err
+ }
+ s.IDMappings = mappings
}
if s.NetNS.IsDefault() {
defaultNS, err := GetDefaultNamespaceMode("net", rtc, pod)
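Review bot: The new assignment `s.IDMappings = mappings` overwrites whatever ID mappings the caller already placed in the SpecGenerator, because it runs whenever `s.UserNS.IsDefault()` is true regardless of whether `s.IDMappings` was set; the CLI appears to force a non-default UserNS when --uidmap/--gidmap are given, but a spec arriving through the API can carry IDMappings without a UserNS mode, and those would be silently replaced by the containers.conf default. Guard the derivation so explicit mappings win: `if s.IDMappings == nil {` around the ParseIDMapping call and assignment, with a comment such as `// Derive mappings from the configured default userns mode only when the caller did not supply any.`. Separately, only `s.UserNS.NSMode` is passed to ParseIDMapping, so if `defaultNS` carries options in its Value (e.g. a size for auto mode) they do not reach the parser — worth confirming against GetDefaultNamespaceMode. MakeContainer's body starts and ends outside this hunk.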
diff --git a/test/system/170-run-userns.bats b/test/system/170-run-userns.bats
index eb6c4e259..a5be591ef 100644
--- a/test/system/170-run-userns.bats
+++ b/test/system/170-run-userns.bats
@@ -17,7 +17,7 @@ function _require_crun() {
skip_if_rootless "chroot is not allowed in rootless mode"
skip_if_remote "--group-add keep-groups not supported in remote mode"
_require_crun
- run chroot --groups 1234 / ${PODMAN} run --uidmap 0:200000:5000 --group-add keep-groups $IMAGE id
+ run chroot --groups 1234 / ${PODMAN} run --rm --uidmap 0:200000:5000 --group-add keep-groups $IMAGE id
is "$output" ".*65534(nobody)" "Check group leaked into user namespace"
}
@@ -25,30 +25,56 @@ function _require_crun() {
skip_if_rootless "chroot is not allowed in rootless mode"
skip_if_remote "--group-add keep-groups not supported in remote mode"
_require_crun
- run chroot --groups 1234,5678 / ${PODMAN} run --group-add keep-groups $IMAGE id
+ run chroot --groups 1234,5678 / ${PODMAN} run --rm --group-add keep-groups $IMAGE id
is "$output" ".*1234" "Check group leaked into container"
}
@test "podman --group-add without keep-groups while in a userns" {
skip_if_rootless "chroot is not allowed in rootless mode"
skip_if_remote "--group-add keep-groups not supported in remote mode"
- run chroot --groups 1234,5678 / ${PODMAN} run --uidmap 0:200000:5000 --group-add 457 $IMAGE id
+ run chroot --groups 1234,5678 / ${PODMAN} run --rm --uidmap 0:200000:5000 --group-add 457 $IMAGE id
is "$output" ".*457" "Check group leaked into container"
}
@test "podman --remote --group-add keep-groups " {
if is_remote; then
- run_podman 125 run --group-add keep-groups $IMAGE id
+ run_podman 125 run --rm --group-add keep-groups $IMAGE id
is "$output" ".*not supported in remote mode" "Remote check --group-add keep-groups"
fi
}
@test "podman --group-add without keep-groups " {
- run_podman run --group-add 457 $IMAGE id
+ run_podman run --rm --group-add 457 $IMAGE id
is "$output" ".*457" "Check group leaked into container"
}
@test "podman --group-add keep-groups plus added groups " {
- run_podman 125 run --group-add keep-groups --group-add 457 $IMAGE id
+ run_podman 125 run --rm --group-add keep-groups --group-add 457 $IMAGE id
is "$output" ".*the '--group-add keep-groups' option is not allowed with any other --group-add options" "Check group leaked into container"
}
+
+@test "podman userns=auto in config file" {
+ skip_if_remote "userns=auto is set on the server"
+
+ if is_rootless; then
+ egrep -q "^$(id -un):" /etc/subuid || skip "no IDs allocated for current user"
+ else
+ egrep -q "^containers:" /etc/subuid || skip "no IDs allocated for user 'containers'"
+ fi
+
+ cat > $PODMAN_TMPDIR/userns_auto.conf <<EOF
+[containers]
+userns="auto"
+EOF
+ # First make sure a user namespace is created
+ CONTAINERS_CONF=$PODMAN_TMPDIR/userns_auto.conf run_podman run -d $IMAGE sleep infinity
+ cid=$output
+
+ run_podman inspect --format '{{.HostConfig.UsernsMode}}' $cid
+ is "$output" "private" "Check that a user namespace was created for the container"
+
+ run_podman rm -t 0 -f $cid
+
+ # Then check that the main user is not mapped into the user namespace
+ CONTAINERS_CONF=$PODMAN_TMPDIR/userns_auto.conf run_podman 0 run --rm $IMAGE awk '{if($2 == "0"){exit 1}}' /proc/self/uid_map /proc/self/gid_map
+}
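Review bot: The new "userns=auto in config file" test asserts only that host UID/GID 0 is absent from the maps, which is the right security check, but the two `egrep -q` guards use a deprecated spelling; prefer `grep -Eq "^$(id -un):" /etc/subuid` and `grep -Eq "^containers:" /etc/subuid` so the test does not start emitting warnings on newer grep. A one-line comment above the awk call would also help the next reader, e.g. `# column 2 of uid_map/gid_map is the host ID; host root must not be mapped into the container`. The `rm -t 0 -f $cid` cleanup is skipped if the inspect assertion fails, so the container is left to the suite teardown — acceptable if basic_teardown removes stray containers, which this hunk does not show.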