Diffstat (limited to 'docs')
-rw-r--r-- | docs/libpod.conf.5.md | 7 |
-rw-r--r-- | docs/podman-create.1.md | 34 |
-rw-r--r-- | docs/podman-exec.1.md | 8 |
-rw-r--r-- | docs/podman-image-sign.1.md | 52 |
-rw-r--r-- | docs/podman-image-trust.1.md | 2 |
-rw-r--r-- | docs/podman-image.1.md | 3 |
-rw-r--r-- | docs/podman-info.1.md | 1 |
-rw-r--r-- | docs/podman-mount.1.md | 10 |
-rw-r--r-- | docs/podman-rm.1.md | 8 |
-rw-r--r-- | docs/podman-run.1.md | 34 |
-rw-r--r-- | docs/podman-start.1.md | 2 |
-rw-r--r-- | docs/podman-umount.1.md | 6 |
-rw-r--r-- | docs/podman.1.md | 6 |
-rw-r--r-- | docs/tutorials/podman_tutorial.md | 4 |
14 files changed, 140 insertions, 37 deletions
diff --git a/docs/libpod.conf.5.md b/docs/libpod.conf.5.md index d63baeb88..98eb5bece 100644 --- a/docs/libpod.conf.5.md +++ b/docs/libpod.conf.5.md @@ -24,6 +24,9 @@ libpod to manage containers. **cgroup_manager**="" Specify the CGroup Manager to use; valid values are "systemd" and "cgroupfs" +**init_path**="" + Path to the container-init binary, which forwards signals and reaps processes within containers. Note that the container-init binary will only be used when the `--init` for podman-create and podman-run is set. + **hooks_dir**=["*path*", ...] Each `*.json` file in the path configures a hook for Podman containers. For more details on the syntax of the JSON files and the semantics of hook injection, see `oci-hooks(5)`. Podman and libpod currently support both the 1.0.0 and 0.1.0 hook schemas, although the 0.1.0 schema is deprecated. 
@@ -34,7 +37,9 @@ libpod to manage containers. For the bind-mount conditions, only mounts explicitly requested by the caller via `--volume` are considered. Bind mounts that libpod inserts by default (e.g. `/dev/shm`) are not considered. - If `hooks_dir` is unset for root callers, Podman and libpod will currently default to `/usr/share/containers/oci/hooks.d` and `/etc/containers/oci/hooks.d` in order of increasing precedence. Using these defaults is deprecated, and callers should migrate to explicitly setting `hooks_dir`. + Podman and libpod currently support an additional `precreate` state which is called before the runtime's `create` operation. Unlike the other stages, which receive the container state on their standard input, `precreate` hooks receive the proposed runtime configuration on their standard input. They may alter that configuration as they see fit, and write the altered form to their standard output. + + **WARNING**: the `precreate` hook lets you do powerful things, such as adding additional mounts to the runtime configuration. That power also makes it easy to break things. Before reporting libpod errors, try running your container with `precreate` hooks disabled to see if the problem is due to one of your hooks. **static_dir**="" Directory for persistent libpod files (database, etc) diff --git a/docs/podman-create.1.md b/docs/podman-create.1.md index 97d6e77b1..178542f0d 100644 --- a/docs/podman-create.1.md +++ b/docs/podman-create.1.md @@ -29,7 +29,7 @@ option can be set multiple times. Add an annotation to the container. The format is key=value. The **--annotation** option can be set multiple times. -**-a**, **--attach**=[] +**--attach**, **-a**=[] Attach to STDIN, STDOUT or STDERR. 
@@ -158,7 +158,7 @@ If you have four memory nodes on your system (0-3), use `--cpuset-mems=0,1` then processes in your container will only use memory from the first two memory nodes. -**-d**, **--detach**=*true*|*false* +**--detach**, **-d**=*true*|*false* Detached mode: run the container in the background and print the new container ID. The default is *false*. @@ -230,7 +230,7 @@ ENTRYPOINT. You need to specify multi option commands in the form of a json string. -**-e**, **--env**=[] +**--env**, **-e**=[] Set environment variables @@ -276,7 +276,15 @@ tmpfs: The volume is mounted onto the container as a tmpfs, which allows the use content that disappears when the container is stopped. ignore: All volumes are just ignored and no action is taken. -**-i**, **--interactive**=*true*|*false* +**--init** + +Run an init inside the container that forwards signals and reaps processes. + +**--init-path**="" + +Path to the container-init binary. + +**--interactive**, **-i**=*true*|*false* Keep STDIN open even if not attached. The default is *false*. @@ -307,7 +315,7 @@ is not limited. If you specify a limit, it may be rounded up to a multiple of the operating system's page size and the value can be very large, millions of trillions. -**-l**, **--label**=[] +**--label**, **-l**=[] Add metadata to a container (e.g., --label com.example.key=value) @@ -339,7 +347,7 @@ according to RFC4862. Not currently supported -**-m**, **--memory**="" +**--memory**, **-m**="" Memory limit (format: <number>[<unit>], where unit = b, k, m or g) @@ -418,7 +426,7 @@ to the container with **--name** then it will generate a random string name. The name is useful any place you need to identify a container. This works for both background and foreground containers. -**--net**, **--network**="*bridge*" +**--network**, **--net**="*bridge*" Set the Network mode for the container 'bridge': create a network stack on the default bridge 
@@ -472,7 +480,7 @@ to all devices on the host, turns off graphdriver mount options, as well as turning off most of the security measures protecting the host from the container. -**-p**, **--publish**=[] +**--publish**, **-p**=[] Publish a container's port, or range of ports, to the host @@ -484,7 +492,7 @@ but not `podman run -p 1230-1236:1230-1240 --name RangeContainerPortsBiggerThanR With ip: `podman run -p 127.0.0.1:$HOSTPORT:$CONTAINERPORT --name CONTAINER -t someimage` Use `podman port` to see the actual mapping: `podman port CONTAINER $CONTAINERPORT` -**-P**, **--publish-all**=*true*|*false* +**--publish-all**, **-P**=*true*|*false* Publish all exposed ports to random ports on the host interfaces. The default is *false*. @@ -613,7 +621,7 @@ options are the same as the Linux default `mount` flags. If you do not specify any options, the systems uses the following options: `rw,noexec,nosuid,nodev,size=65536k`. -**-t**, **--tty**=*true*|*false* +**--tty**, **-t**=*true*|*false* Allocate a pseudo-TTY. The default is *false*. @@ -634,7 +642,7 @@ The following example maps uids 0-2000 in the container to the uids 30000-31999 Ulimit options -**-u**, **--user**="" +**--user**, **-u**="" Sets the username or UID used and optionally the groupname or GID for the specified command. @@ -657,7 +665,7 @@ Set the UTS mode for the container **ns**: specify the usernamespace to use. Note: the host mode gives the container access to changing the host's hostname and is therefore considered insecure. -**-v**|**--volume**[=*[HOST-DIR:CONTAINER-DIR[:OPTIONS]]*] +**--volume**, **-v**[=*[HOST-DIR:CONTAINER-DIR[:OPTIONS]]*] Create a bind mount. If you specify, ` -v /HOST-DIR:/CONTAINER-DIR`, podman bind mounts `/HOST-DIR` in the host to `/CONTAINER-DIR` in the podman 
@@ -756,7 +764,7 @@ If the location of the volume from the source container overlaps with data residing on a target container, then the volume hides that data on the target. -**-w**, **--workdir**="" +**--workdir**, **-w**="" Working directory inside the container diff --git a/docs/podman-exec.1.md b/docs/podman-exec.1.md index 284fa5a4a..77317b0ca 100644 --- a/docs/podman-exec.1.md +++ b/docs/podman-exec.1.md @@ -38,6 +38,14 @@ Sets the username or UID used and optionally the groupname or GID for the specif The following examples are all valid: --user [user | user:group | uid | uid:gid | user:gid | uid:group ] +**--workdir**, **-w**="" + +Working directory inside the container + +The default working directory for running binaries within a container is the root directory (/). +The image developer can set a different default with the WORKDIR instruction, which can be overridden +when creating the container. + ## SEE ALSO podman(1), podman-run(1) diff --git a/docs/podman-image-sign.1.md b/docs/podman-image-sign.1.md new file mode 100644 index 000000000..232bc87fe --- /dev/null +++ b/docs/podman-image-sign.1.md 
@@ -0,0 +1,52 @@ +% podman-image-sign(1) + +# NAME +podman-image-sign- Create a signature for an image + +# SYNOPSIS +**podman image sign** +[**--help**|**-h**] +[**--directory**|**-d**] +[**--sign-by**] +[ IMAGE... ] + +# DESCRIPTION +**podmain image sign** will create a local signature for one or more local images that have +been pulled from a registry. The signature will be written to a directory +derived from the registry configuration files in /etc/containers/registries.d. By default, the signature will be written into /var/lib/containers/sigstore directory. + +# OPTIONS +**--help** **-h** + Print usage statement. + +**--directory** **-d** + Store the signatures in the specified directory. Default: /var/lib/containers/sigstore + +**--sign-by** + Override the default identity of the signature. + +# EXAMPLES +Sign the busybox image with the identify of foo@bar.com with a user's keyring and save the signature in /tmp/signatures/. + + sudo podman image sign --sign-by foo@bar.com --directory /tmp/signatures docker://privateregistry.example.com/foobar + +# RELATED CONFIGURATION + +The write (and read) location for signatures is defined in YAML-based +configuration files in /etc/containers/registries.d/. When you sign +an image, podman will use those configuration files to determine +where to write the signature based on the the name of the originating +registry or a default storage value unless overriden with the --directory +option. For example, consider the following configuration file. + +docker: + privateregistry.example.com: + sigstore: file:///var/lib/containers/sigstore + +When signing an image preceeded with the registry name 'privateregistry.example.com', +the signature will be written into subdirectories of +/var/lib/containers/sigstore/privateregistry.example.com. The use of 'sigstore' also means +the signature will be 'read' from that same location on a pull-related function. 
+ +# HISTORY +November 2018, Originally compiled by Qi Wang (qiwan at redhat dot com) diff --git a/docs/podman-image-trust.1.md b/docs/podman-image-trust.1.md index 24209698c..3b6564315 100644 --- a/docs/podman-image-trust.1.md +++ b/docs/podman-image-trust.1.md @@ -1,7 +1,7 @@ % podman-image-trust "1" # NAME -podman\-trust - Manage container image trust policy +podman\-trust - Manage container registry image trust policy # SYNOPSIS diff --git a/docs/podman-image.1.md b/docs/podman-image.1.md index 19893dfda..5a0c4e5f9 100644 --- a/docs/podman-image.1.md +++ b/docs/podman-image.1.md @@ -27,7 +27,8 @@ The image command allows you to manage images | rm | [podman-rm(1)](podman-rmi.1.md) | Removes one or more locally stored images. | | save | [podman-save(1)](podman-save.1.md) | Save an image to docker-archive or oci. | | tag | [podman-tag(1)](podman-tag.1.md) | Add an additional name to a local image. | -| trust | [podman-image-trust(1)](podman-image-trust.1.md) | Manage container image trust policy. +| trust | [podman-image-trust(1)](podman-image-trust.1.md) | Manage container image trust policy. | +| sign | [podman-image-sign(1)](podman-image-sign.1.md) | Sign an image. | ## SEE ALSO podman diff --git a/docs/podman-info.1.md b/docs/podman-info.1.md index 478f79467..836a2c420 100644 --- a/docs/podman-info.1.md +++ b/docs/podman-info.1.md @@ -61,6 +61,7 @@ registries: - docker.io - registry.access.redhat.com store: + ConfigFile: /etc/containers/storage.conf ContainerStore: number: 37 GraphDriverName: overlay diff --git a/docs/podman-mount.1.md b/docs/podman-mount.1.md index ccc2d386d..2cccf5ee0 100644 --- a/docs/podman-mount.1.md +++ b/docs/podman-mount.1.md 
@@ -19,10 +19,20 @@ returned. ## OPTIONS +**--all, a** + +Mount all containers. + **--format** Print the mounted containers in specified format (json) +**--latest, -l** + +Instead of providing the container name or ID, use the last created container. +If you use methods other than Podman to run containers such as CRI-O, the last +started container could be from either of those methods. + **--notruncate** Do not truncate IDs in output. diff --git a/docs/podman-rm.1.md b/docs/podman-rm.1.md index 56664a8c1..4fcb0b6c5 100644 --- a/docs/podman-rm.1.md +++ b/docs/podman-rm.1.md @@ -11,14 +11,14 @@ podman\-rm - Remove one or more containers ## OPTIONS -**--force, f** - -Force the removal of a running and paused containers - **--all, a** Remove all containers. Can be used in conjunction with -f as well. +**--force, f** + +Force the removal of a running and paused containers + **--latest, -l** Instead of providing the container name or ID, use the last created container. If you use methods other than Podman diff --git a/docs/podman-run.1.md b/docs/podman-run.1.md index c0a466a9c..8b96ea6d9 100644 --- a/docs/podman-run.1.md +++ b/docs/podman-run.1.md @@ -41,7 +41,7 @@ option can be set multiple times. Add an annotation to the container. The format is key=value. The **--annotation** option can be set multiple times. -**-a**, **--attach**=[] +**--attach**, **-a**=[] Attach to STDIN, STDOUT or STDERR. @@ -162,7 +162,7 @@ If you have four memory nodes on your system (0-3), use `--cpuset-mems=0,1` then processes in your container will only use memory from the first two memory nodes. -**-d**, **--detach**=*true*|*false* +**--detach**, **-d**=*true*|*false* Detached mode: run the container in the background and print the new container ID. The default is *false*. @@ -235,7 +235,7 @@ ENTRYPOINT. You need to specify multi option commands in the form of a json string. -**-e**, **--env**=[] +**--env**, **-e**=[] Set environment variables 
@@ -285,7 +285,15 @@ the container for the volumes. content that disappears when the container is stopped. - `ignore`: All volumes are just ignored and no action is taken. -**-i**, **--interactive**=*true*|*false* +**--init** + +Run an init inside the container that forwards signals and reaps processes. + +**--init-path**="" + +Path to the container-init binary. + +**--interactive**, **-i**=*true*|*false* Keep STDIN open even if not attached. The default is *false*. @@ -319,7 +327,7 @@ is not limited. If you specify a limit, it may be rounded up to a multiple of the operating system's page size and the value can be very large, millions of trillions. -**-l**, **--label**=[] +**--label**, **-l**=[] Add metadata to a container (e.g., --label com.example.key=value) @@ -351,7 +359,7 @@ according to RFC4862. Not currently supported -**-m**, **--memory**="" +**--memory**, **-m**="" Memory limit (format: <number>[<unit>], where unit = b, k, m or g) @@ -400,7 +408,7 @@ to the container with **--name** then it will generate a random string name. The name is useful any place you need to identify a container. This works for both background and foreground containers. -**--net**, **--network**="*bridge*" +**--network**, **--net**="*bridge*" Set the Network mode for the container: - `bridge`: create a network stack on the default bridge @@ -456,7 +464,7 @@ to all devices on the host, turns off graphdriver mount options, as well as turning off most of the security measures protecting the host from the container. -**-p**, **--publish**=[] +**--publish**, **-p**=[] Publish a container's port, or range of ports, to the host @@ -472,7 +480,7 @@ With ip: `podman run -p 127.0.0.1:$HOSTPORT:$CONTAINERPORT --name CONTAINER -t s Use `podman port` to see the actual mapping: `podman port CONTAINER $CONTAINERPORT` -**-P**, **--publish-all**=*true*|*false* +**--publish-all**, **-P**=*true*|*false* Publish all exposed ports to random ports on the host interfaces. The default is *false*. 
@@ -615,7 +623,7 @@ options are the same as the Linux default `mount` flags. If you do not specify any options, the systems uses the following options: `rw,noexec,nosuid,nodev,size=65536k`. -**-t**, **--tty**=*true*|*false* +**--tty**, **-t**=*true*|*false* Allocate a pseudo-TTY. The default is *false*. @@ -637,7 +645,7 @@ The example maps uids 0-2000 in the container to the uids 30000-31999 on the hos Ulimit options -**-u**, **--user**="" +**--user**, **-u**="" Sets the username or UID used and optionally the groupname or GID for the specified command. @@ -695,7 +703,7 @@ Current supported mount TYPES are bind, and tmpfs. ยท tmpfs-mode: File mode of the tmpfs in octal. (e.g. 700 or 0700.) Defaults to 1777 in Linux. -**-v**|**--volume**[=*[HOST-DIR:CONTAINER-DIR[:OPTIONS]]*] +**--volume**, **-v**[=*[HOST-DIR:CONTAINER-DIR[:OPTIONS]]*] Create a bind mount. If you specify, ` -v /HOST-DIR:/CONTAINER-DIR`, podman bind mounts `/HOST-DIR` in the host to `/CONTAINER-DIR` in the podman @@ -794,7 +802,7 @@ If the location of the volume from the source container overlaps with data residing on a target container, then the volume hides that data on the target. -**-w**, **--workdir**="" +**--workdir**, **-w**="" Working directory inside the container diff --git a/docs/podman-start.1.md b/docs/podman-start.1.md index cfd44ac3a..f16a20efa 100644 --- a/docs/podman-start.1.md +++ b/docs/podman-start.1.md @@ -35,7 +35,7 @@ to run containers such as CRI-O, the last started container could be from either **--sig-proxy**=*true*|*false* -Proxy received signals to the process (non-TTY mode only). SIGCHLD, SIGSTOP, and SIGKILL are not proxied. The default is false. +Proxy received signals to the process (non-TTY mode only). SIGCHLD, SIGSTOP, and SIGKILL are not proxied. The default is *true* when attaching, *false* otherwise. ## EXAMPLE diff --git a/docs/podman-umount.1.md b/docs/podman-umount.1.md index 70f30869a..cceb63019 100644 --- a/docs/podman-umount.1.md 
+++ b/docs/podman-umount.1.md @@ -29,6 +29,12 @@ processes have mounted it. Note: This could cause other processes that are using the file system to fail, as the mount point could be removed without their knowledge. +**--latest, -l** + +Instead of providing the container name or ID, use the last created container. +If you use methods other than Podman to run containers such as CRI-O, the last +started container could be from either of those methods. + ## EXAMPLE podman umount containerID diff --git a/docs/podman.1.md b/docs/podman.1.md index bde349e6f..74e700fac 100644 --- a/docs/podman.1.md +++ b/docs/podman.1.md @@ -43,6 +43,10 @@ For the bind-mount conditions, only mounts explicitly requested by the caller vi If `--hooks-dir` is unset for root callers, Podman and libpod will currently default to `/usr/share/containers/oci/hooks.d` and `/etc/containers/oci/hooks.d` in order of increasing precedence. Using these defaults is deprecated, and callers should migrate to explicitly setting `--hooks-dir`. +Podman and libpod currently support an additional `precreate` state which is called before the runtime's `create` operation. Unlike the other stages, which receive the container state on their standard input, `precreate` hooks receive the proposed runtime configuration on their standard input. They may alter that configuration as they see fit, and write the altered form to their standard output. + +**WARNING**: the `precreate` hook lets you do powerful things, such as adding additional mounts to the runtime configuration. That power also makes it easy to break things. Before reporting libpod errors, try running your container with `precreate` hooks disabled to see if the problem is due to one of your hooks. + **--log-level** Log messages above specified level: debug, info, warn, error (default), fatal or panic 
@@ -64,7 +68,7 @@ Default state dir is configured in /etc/containers/storage.conf. **--runtime**=**value** -Path to the OCI compatible binary used to run containers +Name of the OCI runtime as specified in libpod.conf or absolute path to the OCI compatible binary used to run containers. **--storage-driver, -s**=**value** diff --git a/docs/tutorials/podman_tutorial.md b/docs/tutorials/podman_tutorial.md index f8332c820..2b938319f 100644 --- a/docs/tutorials/podman_tutorial.md +++ b/docs/tutorials/podman_tutorial.md @@ -112,7 +112,7 @@ sudo make install PREFIX=/usr This sample container will run a very basic httpd server that serves only its index page. ```console -sudo podman run -dt -e HTTPD_VAR_RUN=/var/run/httpd -e HTTPD_MAIN_CONF_D_PATH=/etc/httpd/conf.d \ +podman run -dt -e HTTPD_VAR_RUN=/var/run/httpd -e HTTPD_MAIN_CONF_D_PATH=/etc/httpd/conf.d \ -e HTTPD_MAIN_CONF_PATH=/etc/httpd/conf \ -e HTTPD_CONTAINER_SCRIPTS_PATH=/usr/share/container-scripts/httpd/ \ registry.fedoraproject.org/f27/httpd /usr/bin/run-httpd @@ -123,7 +123,7 @@ will print the container ID after it has run. ### Listing running containers The Podman *ps* command is used to list creating and running containers. ```console -sudo podman ps +podman ps ``` Note: If you add *-a* to the *ps* command, Podman will show all containers. |
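
Review bot: In docs/libpod.conf.5.md, the second hunk removes the paragraph on the default `hooks_dir` locations for root callers (`/usr/share/containers/oci/hooks.d` and `/etc/containers/oci/hooks.d`), while docs/podman.1.md in this same patch keeps the equivalent `--hooks-dir` paragraph as context right above the new `precreate` text. If the defaults still apply, keep the paragraph here and add the `precreate` text after it; if they no longer apply, podman.1.md needs the matching removal. Because the added text says `precreate` hooks may rewrite the proposed runtime configuration, including adding mounts, the WARNING is also the right place to say that the hooks directories should be writable only by trusted administrators. In the `init_path` entry, "when the `--init` for podman-create and podman-run is set" is missing the word "option".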
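
Review bot: In docs/podman-create.1.md and docs/podman-run.1.md, the new `--init-path` entry says only "Path to the container-init binary." and does not say how it relates to the `init_path` key this patch adds to libpod.conf, or what is used when the value is left empty. Please state the precedence and the fallback in both man pages. The `--init` entry is also written without a value form, while the neighbouring boolean options such as `--interactive` are documented as `=*true*|*false*` with a stated default; use the same form here if the flag accepts a value.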
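
Review bot: In docs/podman-exec.1.md, the added `--workdir` description talks about the image's WORKDIR instruction and overriding it "when creating the container", but never says which directory `podman exec` uses when `-w` is omitted. Please add one sentence on the exec default so the reader does not have to infer it from text that describes container creation.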
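
Review bot: In the new docs/podman-image-sign.1.md, several spelling errors would ship in the rendered man page: "podmain image sign" in DESCRIPTION, "identify of foo@bar.com" in EXAMPLES, and "the the name", "overriden" and "preceeded" in RELATED CONFIGURATION; the NAME line "podman-image-sign- Create" also needs a space before the hyphen. The EXAMPLES sentence says it signs the busybox image, but the command signs `docker://privateregistry.example.com/foobar`, so one of the two should change. The YAML sample starting at `docker:` is neither fenced nor indented as a code block, so its nesting is likely to be lost when rendered. The OPTIONS entries write "**--help** **-h**" and "**--directory** **-d**" without the comma this patch introduces everywhere else ("**--attach**, **-a**").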
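
Review bot: In docs/podman-image-trust.1.md, the changed NAME line still reads "podman\-trust" although the page header is `podman-image-trust`; since this line is being touched anyway, fix the command name too. In docs/podman-image.1.md, the new `sign` row is appended after `trust`, while the visible rows (`rm`, `save`, `tag`, `trust`) are in alphabetical order, so `sign` belongs between `save` and `tag`.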
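
Review bot: In docs/podman-mount.1.md, the added "**--all, a**" lacks the dash on the short option, while "**--latest, -l**" in the same hunk has it. docs/podman-rm.1.md has the same problem in the lines this patch moves ("**--force, f**" and "**--all, a**"). Both should read `-a` and `-f`, and could adopt the "**--long**, **-s**" form used for podman-create and podman-run in this patch so the option headings are consistent across pages.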