1 files changed, 70 insertions, 18 deletions
diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md
index 54c497ba2..b959b947f 100644
--- a/docs/source/markdown/podman-run.1.md
+++ b/docs/source/markdown/podman-run.1.md
@@ -208,7 +208,7 @@ Specify the key sequence for detaching a container; _sequence_ is a comma-delimi
 in which each item can be a single character from the [a-Z] range,
 or **ctrl**-_value_, where _value_ is one of: **a-z** or **@^[,_**.
 
-This option can also be set in **libpod.conf**(5) file.
+This option can also be set in **containers.conf**(5) file.
 
 Specifying "" will disable this feature. The default is **ctrl-p,ctrl-q**.
 
@@ -247,6 +247,12 @@ Limit write rate (in bytes per second) to a device (e.g. **--device-write-bps=/d
 
 Limit write rate (in IO operations per second) to a device (e.g. **--device-write-iops=/dev/sda:1000**).
 
+**--disable-content-trust**
+
+This is a Docker specific option to disable image verification to a Docker
+registry and is not supported by Podman.  This flag is a NOOP and provided
+solely for scripting compatibility.
+
 **--dns**=*ipaddr*
 
 Set custom DNS servers. Invalid if using **--dns** with **--network** that is set to **none** or **container:**_id_.
@@ -495,7 +501,7 @@ Tune a container's memory swappiness behavior. Accepts an integer between *0* an
 
 Attach a filesystem mount to the container
 
-Current supported mount TYPEs are **bind**, **volume**, and **tmpfs**.
+Current supported mount TYPEs are **bind**, **volume**, and **tmpfs**. <sup>[[1]](#Footnote1)</sup>
 
        e.g.
 
@@ -561,7 +567,10 @@ Valid _mode_ values are:
 - _network-id_: connect to a user-defined network, multiple networks should be comma separated;
 - **ns:**_path_: path to a network namespace to join;
 - `private`: create a new namespace for the container (default)
-- **slirp4netns**: use **slirp4netns**(1) to create a user network stack.  This is the default for rootless containers.
+- **slirp4netns[:OPTIONS,...]**: use **slirp4netns**(1) to create a user network stack.  This is the default for rootless containers.  It is possible to specify these additional options:
+  **port_handler=rootlesskit**: Use rootlesskit for port forwarding.  Default.
+  **port_handler=slirp4netns**: Use the slirp4netns port forwarding.
+  **allow_host_loopback=true|false**: Allow the slirp4netns to reach the host loopback IP (`10.0.2.2`).  Default to false.
 
 **--network-alias**=*alias*
 
@@ -754,9 +763,9 @@ Security Options
 - **label=disable**: Turn off label separation for the container
 - **no-new-privileges**: Disable container processes from gaining additional privileges
 - **seccomp=unconfined**: Turn off seccomp confinement for the container
-- **seccomp**=_profile.json_:  Whitelisted syscalls seccomp JSON file to be used as a seccomp filter
+- **seccomp**=_profile.json_:  Allowed syscall list seccomp JSON file to be used as a seccomp filter
 
-Note: Labeling can be disabled for all containers by setting **label=false** in the **libpod.conf**(5) file.
+Note: Labeling can be disabled for all containers by setting **label=false** in the **containers.conf**(5) file.
 
 **--shm-size**=_number_[_unit_]
 
@@ -871,6 +880,10 @@ standard input.
 
 Set timezone in container. This flag takes area-based timezones, GMT time, as well as `local`, which sets the timezone in the container to match the host machine. See `/usr/share/zoneinfo/` for valid timezones.
 
+**--umask**=*umask*
+
+Set the umask inside the container. Defaults to `0022`.
+
 **--uidmap**=*container_uid*:*host_uid*:*amount*
 
 Run the container in a new user namespace using the supplied mapping. This option conflicts
@@ -924,7 +937,7 @@ container. Similarly, _source-volume_:_/container-dir_ will mount the volume
 in the host to the container. If no such named volume exists, Podman will
 create one.
 
-The _options_ is a comma delimited list and can be:
+The _options_ is a comma delimited list and can be: <sup>[[1]](#Footnote1)</sup>
 
 * **rw**|**ro**
 * **z**|**Z**
@@ -933,6 +946,7 @@ The _options_ is a comma delimited list and can be:
 * [**no**]**exec**
 * [**no**]**dev**
 * [**no**]**suid**
+* [**O**]
 
 The _container-dir_ must be an absolute path.
 
@@ -944,7 +958,7 @@ the container is removed via the **--rm** flag or **podman rm --volumes**.
 If a volume source is specified, it must be a path on the host or the name of a
 named volume. Host paths are allowed to be absolute or relative; relative paths
 are resolved relative to the directory Podman is run in. Any source that does
-not begin with a **.** or **/** it will be treated as the name of a named volume.
+not begin with a **.** or **/** will be treated as the name of a named volume.
 If a volume with that name does not exist, it will be created. Volumes created
 with names are not anonymous and are not removed by **--rm** and
 **podman rm --volumes**.
@@ -955,6 +969,8 @@ container.
 You can add **:ro** or **:rw** option to mount a volume in read-only or
 read-write mode, respectively. By default, the volumes are mounted read-write.
 
+  `Labeling Volume Mounts`
+
 Labeling systems like SELinux require that proper labels are placed on volume
 content mounted into a container. Without a label, the security system might
 prevent the processes running inside the container from using the content. By
@@ -966,15 +982,47 @@ objects on the shared volumes. The **z** option tells Podman that two containers
 share the volume content. As a result, Podman labels the content with a shared
 content label. Shared volume labels allow all containers to read/write content.
 The **Z** option tells Podman to label the content with a private unshared label.
+
+  `Overlay Volume Mounts`
+
+   The `:O` flag tells Podman to mount the directory from the host as a
+temporary storage using the `overlay file system`. The container processes
+can modify content within the mountpoint which is stored in the
+container storage in a separate directory.  In overlay terms, the source
+directory will be the lower, and the container storage directory will be the
+upper. Modifications to the mount point are destroyed when the container
+finishes executing, similar to a tmpfs mount point being unmounted.
+
+  Subsequent executions of the container will see the original source directory
+content, any changes from previous container executions no longer exists.
+
+  One use case of the overlay mount is sharing the package cache from the
+host into the container to allow speeding up builds.
+
+  Note:
+
+     - The `O` flag conflicts with other options listed above.
+Content mounted into the container is labeled with the private label.
+       On SELinux systems, labels in the source directory must be readable
+by the container label. Usually containers can read/execute `container_share_t`
+and can read/write `container_file_t`. If you can not change the labels on a
+source volume, SELinux container separation must be disabled for the container
+to work.
+     - The source directory mounted into the container with an overlay mount
+should not be modified, it can cause unexpected failures.  It is recommended
+that you do not modify the directory until the container finishes running.
+
 Only the current container can use a private volume.
 
-By default bind mounted volumes are **private**. That means any mounts done
+  `Mounts propagation`
+
+By default bind mounted volumes are `private`. That means any mounts done
 inside container will not be visible on host and vice versa. One can change
 this behavior by specifying a volume mount propagation property. Making a
 volume shared mounts done under that volume inside container will be
 visible on host and vice versa. Making a volume **slave** enables only one
 way mount propagation and that is mounts done on host under that volume
-will be visible inside container but not the other way around.
+will be visible inside container but not the other way around. <sup>[[1]](#Footnote1)</sup>
 
 To control mount propagation property of volume one can use [**r**]**shared**,
 [**r**]**slave** or [**r**]**private** propagation flag. Propagation property can
@@ -982,7 +1030,7 @@ be specified only for bind mounted volumes and not for internal volumes or
 named volumes. For mount propagation to work source mount point (mount point
 where source dir is mounted on) has to have right propagation properties. For
 shared volumes, source mount point has to be shared. And for slave volumes,
-source mount has to be either shared or slave.
+source mount has to be either shared or slave. <sup>[[1]](#Footnote1)</sup>
 
 If you want to recursively mount a volume and all of its submounts into a
 container, then you can use the **rbind** option.  By default the bind option is
@@ -1009,7 +1057,7 @@ properties of source mount. If **findmnt**(1) utility is not available, then one
 can look at mount entry for source mount point in _/proc/self/mountinfo_. Look
 at the "optional fields" and see if any propagation properties are specified.
 In there, **shared:N** means the mount is shared, **master:N** means mount
-is slave, and if nothing is there, the mount is private.
+is slave, and if nothing is there, the mount is private. <sup>[[1]](#Footnote1)</sup>
 
 To change propagation properties of a mount point, use **mount**(8) command. For
 example, if one wants to bind mount source directory _/foo_, one can do
@@ -1081,7 +1129,7 @@ the exit codes follow the **chroot**(1) standard, see below:
 
   **Exit code** _contained command_ exit code
 
-    $ podman run busybox /bin/sh -c 'exit 3'
+    $ podman run busybox /bin/sh -c 'exit 3'; echo $?
     3
 
 ## EXAMPLES
@@ -1217,14 +1265,16 @@ $ podman run -p 8080:80 -d -i -t fedora/httpd
 
 To mount a host directory as a container volume, specify the absolute path to
 the directory and the absolute path for the container directory separated by a
-colon. If the source is a named volume maintained by Podman, it's recommended to
-use it's name rather than the path to the volume. Otherwise the volume will be
+colon. If the source is a named volume maintained by Podman, it is recommended to
+use its name rather than the path to the volume. Otherwise the volume will be
 considered as an orphan and wiped if you execute **podman volume prune**:
 
 ```
 $ podman run -v /var/db:/data1 -i -t fedora bash
 
 $ podman run -v data:/data2 -i -t fedora bash
+
+$ podman run -v /var/cache/dnf:/var/cache/dnf:O -ti fedora dnf -y update
 ```
 
 Using **--mount** flags to mount a host directory as a container folder, specify
@@ -1359,9 +1409,10 @@ required for VPN, without it containers need to be run with the **--network=host
 ## ENVIRONMENT
 
 Environment variables within containers can be set using multiple different options,
-in the following order of precedence:
+in the following order of precedence (later entries override earlier entries):
 
 - **--env-host**: Host environment of the process executing Podman is added.
+- **--http-proxy**: By default, several environment variables will be passed in from the host, such as **http_proxy** and **no_proxy**. See **--http-proxy** for details.
 - Container image: Any environment variables specified in the container image.
 - **--env-file**: Any environment variables specified via env-files.  If multiple files specified, then they override each other in order of entry.
 - **--env**: Any environment variables specified will override previous settings.
@@ -1386,7 +1437,7 @@ b
 NOTE: Use the environment variable `TMPDIR` to change the temporary storage location of downloaded container images. Podman defaults to use `/var/tmp`.
 
 ## SEE ALSO
-**subgid**(5), **subuid**(5), **libpod.conf**(5), **systemd.unit**(5), **setsebool**(8), **slirp4netns**(1), **fuse-overlayfs**(1).
+**subgid**(5), **subuid**(5), **containers.conf**(5), **systemd.unit**(5), **setsebool**(8), **slirp4netns**(1), **fuse-overlayfs**(1).
 
 ## HISTORY
 September 2018, updated by Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp>
@@ -1395,8 +1446,9 @@ October 2017, converted from Docker documentation to Podman by Dan Walsh for Pod
 
 November 2015, updated by Sally O'Malley <somalley@redhat.com>
 
-July 2014, updated by Sven Dowideit <SvenDowideit@home.org.au>
-
 June 2014, updated by Sven Dowideit <SvenDowideit@home.org.au>
 
 April 2014, Originally compiled by William Henry <whenry@redhat.com> based on docker.com source material and internal work.
+
+## FOOTNOTES
+<a name="Footnote1">1</a>: The Podman project is committed to inclusivity, a core value of open source. The `master` and `slave` mount propagation terminology used here is problematic and divisive, and should be changed. However, these terms are currently used within the Linux kernel and must be used as-is at this time. When the kernel maintainers rectify this usage, Podman will follow suit immediately.