22 files changed, 281 insertions, 196 deletions

diff --git a/libpod/boltdb_state.go b/libpod/boltdb_state.go
index 4dda3a7f0..176781f07 100644
--- a/libpod/boltdb_state.go
+++ b/libpod/boltdb_state.go
@@ -66,7 +66,7 @@ func NewBoltState(path string, runtime *Runtime) (State, error) {
 	if err != nil {
 		return nil, errors.Wrapf(err, "error opening database %s", path)
 	}
-	// Everywhere else, we use s.closeDBCon(db) to ensure the state's DB
+	// Everywhere else, we use s.deferredCloseDBCon(db) to ensure the state's DB
 	// mutex is also unlocked.
 	// However, here, the mutex has not been locked, since we just created
 	// the DB connection, and it hasn't left this function yet - no risk of
@@ -141,7 +141,7 @@ func (s *BoltState) Refresh() error {
 	if err != nil {
 		return err
 	}
-	defer s.closeDBCon(db)
+	defer s.deferredCloseDBCon(db)
 
 	err = db.Update(func(tx *bolt.Tx) error {
 		idBucket, err := getIDBucket(tx)
@@ -253,7 +253,7 @@ func (s *BoltState) GetDBConfig() (*DBConfig, error) {
 	if err != nil {
 		return nil, err
 	}
-	defer s.closeDBCon(db)
+	defer s.deferredCloseDBCon(db)
 
 	err = db.View(func(tx *bolt.Tx) error {
 		configBucket, err := getRuntimeConfigBucket(tx)
@@ -298,7 +298,7 @@ func (s *BoltState) ValidateDBConfig(runtime *Runtime) error {
 	if err != nil {
 		return err
 	}
-	defer s.closeDBCon(db)
+	defer s.deferredCloseDBCon(db)
 
 	// Check runtime configuration
 	if err := checkRuntimeConfig(db, runtime); err != nil {
@@ -342,7 +342,7 @@ func (s *BoltState) Container(id string) (*Container, error) {
 	if err != nil {
 		return nil, err
 	}
-	defer s.closeDBCon(db)
+	defer s.deferredCloseDBCon(db)
 
 	err = db.View(func(tx *bolt.Tx) error {
 		ctrBucket, err := getCtrBucket(tx)
@@ -378,7 +378,7 @@ func (s *BoltState) LookupContainer(idOrName string) (*Container, error) {
 	if err != nil {
 		return nil, err
 	}
-	defer s.closeDBCon(db)
+	defer s.deferredCloseDBCon(db)
 
 	err = db.View(func(tx *bolt.Tx) error {
 		ctrBucket, err := getCtrBucket(tx)
@@ -484,7 +484,7 @@ func (s *BoltState) HasContainer(id string) (bool, error) {
 	if err != nil {
 		return false, err
 	}
-	defer s.closeDBCon(db)
+	defer s.deferredCloseDBCon(db)
 
 	exists := false
 
@@ -549,7 +549,7 @@ func (s *BoltState) RemoveContainer(ctr *Container) error {
 	if err != nil {
 		return err
 	}
-	defer s.closeDBCon(db)
+	defer s.deferredCloseDBCon(db)
 
 	err = db.Update(func(tx *bolt.Tx) error {
 		return s.removeContainer(ctr, nil, tx)
@@ -580,7 +580,7 @@ func (s *BoltState) UpdateContainer(ctr *Container) error {
 	if err != nil {
 		return err
 	}
-	defer s.closeDBCon(db)
+	defer s.deferredCloseDBCon(db)
 
 	err = db.View(func(tx *bolt.Tx) error {
 		ctrBucket, err := getCtrBucket(tx)
@@ -651,7 +651,7 @@ func (s *BoltState) SaveContainer(ctr *Container) error {
 	if err != nil {
 		return err
 	}
-	defer s.closeDBCon(db)
+	defer s.deferredCloseDBCon(db)
 
 	err = db.Update(func(tx *bolt.Tx) error {
 		ctrBucket, err := getCtrBucket(tx)
@@ -708,7 +708,7 @@ func (s *BoltState) ContainerInUse(ctr *Container) ([]string, error) {
 	if err != nil {
 		return nil, err
 	}
-	defer s.closeDBCon(db)
+	defer s.deferredCloseDBCon(db)
 
 	err = db.View(func(tx *bolt.Tx) error {
 		ctrBucket, err := getCtrBucket(tx)
@@ -759,7 +759,7 @@ func (s *BoltState) AllContainers() ([]*Container, error) {
 	if err != nil {
 		return nil, err
 	}
-	defer s.closeDBCon(db)
+	defer s.deferredCloseDBCon(db)
 
 	err = db.View(func(tx *bolt.Tx) error {
 		allCtrsBucket, err := getAllCtrsBucket(tx)
@@ -833,7 +833,7 @@ func (s *BoltState) RewriteContainerConfig(ctr *Container, newCfg *ContainerConf
 	if err != nil {
 		return err
 	}
-	defer s.closeDBCon(db)
+	defer s.deferredCloseDBCon(db)
 
 	err = db.Update(func(tx *bolt.Tx) error {
 		ctrBkt, err := getCtrBucket(tx)
@@ -877,7 +877,7 @@ func (s *BoltState) RewritePodConfig(pod *Pod, newCfg *PodConfig) error {
 	if err != nil {
 		return err
 	}
-	defer s.closeDBCon(db)
+	defer s.deferredCloseDBCon(db)
 
 	err = db.Update(func(tx *bolt.Tx) error {
 		podBkt, err := getPodBucket(tx)
@@ -920,7 +920,7 @@ func (s *BoltState) Pod(id string) (*Pod, error) {
 	if err != nil {
 		return nil, err
 	}
-	defer s.closeDBCon(db)
+	defer s.deferredCloseDBCon(db)
 
 	err = db.View(func(tx *bolt.Tx) error {
 		podBkt, err := getPodBucket(tx)
@@ -955,7 +955,7 @@ func (s *BoltState) LookupPod(idOrName string) (*Pod, error) {
 	if err != nil {
 		return nil, err
 	}
-	defer s.closeDBCon(db)
+	defer s.deferredCloseDBCon(db)
 
 	err = db.View(func(tx *bolt.Tx) error {
 		podBkt, err := getPodBucket(tx)
@@ -1062,7 +1062,7 @@ func (s *BoltState) HasPod(id string) (bool, error) {
 	if err != nil {
 		return false, err
 	}
-	defer s.closeDBCon(db)
+	defer s.deferredCloseDBCon(db)
 
 	err = db.View(func(tx *bolt.Tx) error {
 		podBkt, err := getPodBucket(tx)
@@ -1118,7 +1118,7 @@ func (s *BoltState) PodHasContainer(pod *Pod, id string) (bool, error) {
 	if err != nil {
 		return false, err
 	}
-	defer s.closeDBCon(db)
+	defer s.deferredCloseDBCon(db)
 
 	err = db.View(func(tx *bolt.Tx) error {
 		podBkt, err := getPodBucket(tx)
@@ -1180,7 +1180,7 @@ func (s *BoltState) PodContainersByID(pod *Pod) ([]string, error) {
 	if err != nil {
 		return nil, err
 	}
-	defer s.closeDBCon(db)
+	defer s.deferredCloseDBCon(db)
 
 	err = db.View(func(tx *bolt.Tx) error {
 		podBkt, err := getPodBucket(tx)
@@ -1242,7 +1242,7 @@ func (s *BoltState) PodContainers(pod *Pod) ([]*Container, error) {
 	if err != nil {
 		return nil, err
 	}
-	defer s.closeDBCon(db)
+	defer s.deferredCloseDBCon(db)
 
 	err = db.View(func(tx *bolt.Tx) error {
 		podBkt, err := getPodBucket(tx)
@@ -1312,7 +1312,7 @@ func (s *BoltState) AddVolume(volume *Volume) error {
 	if err != nil {
 		return err
 	}
-	defer s.closeDBCon(db)
+	defer s.deferredCloseDBCon(db)
 
 	err = db.Update(func(tx *bolt.Tx) error {
 		volBkt, err := getVolBucket(tx)
@@ -1369,7 +1369,7 @@ func (s *BoltState) RemoveVolume(volume *Volume) error {
 	if err != nil {
 		return err
 	}
-	defer s.closeDBCon(db)
+	defer s.deferredCloseDBCon(db)
 
 	err = db.Update(func(tx *bolt.Tx) error {
 		volBkt, err := getVolBucket(tx)
@@ -1451,7 +1451,7 @@ func (s *BoltState) AllVolumes() ([]*Volume, error) {
 	if err != nil {
 		return nil, err
 	}
-	defer s.closeDBCon(db)
+	defer s.deferredCloseDBCon(db)
 
 	err = db.View(func(tx *bolt.Tx) error {
 		allVolsBucket, err := getAllVolsBucket(tx)
@@ -1512,7 +1512,7 @@ func (s *BoltState) Volume(name string) (*Volume, error) {
 	if err != nil {
 		return nil, err
 	}
-	defer s.closeDBCon(db)
+	defer s.deferredCloseDBCon(db)
 
 	err = db.View(func(tx *bolt.Tx) error {
 		volBkt, err := getVolBucket(tx)
@@ -1547,7 +1547,7 @@ func (s *BoltState) HasVolume(name string) (bool, error) {
 	if err != nil {
 		return false, err
 	}
-	defer s.closeDBCon(db)
+	defer s.deferredCloseDBCon(db)
 
 	err = db.View(func(tx *bolt.Tx) error {
 		volBkt, err := getVolBucket(tx)
@@ -1587,7 +1587,7 @@ func (s *BoltState) VolumeInUse(volume *Volume) ([]string, error) {
 	if err != nil {
 		return nil, err
 	}
-	defer s.closeDBCon(db)
+	defer s.deferredCloseDBCon(db)
 
 	err = db.View(func(tx *bolt.Tx) error {
 		volBucket, err := getVolBucket(tx)
@@ -1673,7 +1673,7 @@ func (s *BoltState) AddPod(pod *Pod) error {
 	if err != nil {
 		return err
 	}
-	defer s.closeDBCon(db)
+	defer s.deferredCloseDBCon(db)
 
 	err = db.Update(func(tx *bolt.Tx) error {
 		podBkt, err := getPodBucket(tx)
@@ -1782,7 +1782,7 @@ func (s *BoltState) RemovePod(pod *Pod) error {
 	if err != nil {
 		return err
 	}
-	defer s.closeDBCon(db)
+	defer s.deferredCloseDBCon(db)
 
 	err = db.Update(func(tx *bolt.Tx) error {
 		podBkt, err := getPodBucket(tx)
@@ -1877,7 +1877,7 @@ func (s *BoltState) RemovePodContainers(pod *Pod) error {
 	if err != nil {
 		return err
 	}
-	defer s.closeDBCon(db)
+	defer s.deferredCloseDBCon(db)
 
 	err = db.Update(func(tx *bolt.Tx) error {
 		podBkt, err := getPodBucket(tx)
@@ -2038,7 +2038,7 @@ func (s *BoltState) RemoveContainerFromPod(pod *Pod, ctr *Container) error {
 	if err != nil {
 		return err
 	}
-	defer s.closeDBCon(db)
+	defer s.deferredCloseDBCon(db)
 
 	err = db.Update(func(tx *bolt.Tx) error {
 		return s.removeContainer(ctr, pod, tx)
@@ -2066,7 +2066,7 @@ func (s *BoltState) UpdatePod(pod *Pod) error {
 	if err != nil {
 		return err
 	}
-	defer s.closeDBCon(db)
+	defer s.deferredCloseDBCon(db)
 
 	podID := []byte(pod.ID())
 
@@ -2126,7 +2126,7 @@ func (s *BoltState) SavePod(pod *Pod) error {
 	if err != nil {
 		return err
 	}
-	defer s.closeDBCon(db)
+	defer s.deferredCloseDBCon(db)
 
 	podID := []byte(pod.ID())
 
@@ -2168,7 +2168,7 @@ func (s *BoltState) AllPods() ([]*Pod, error) {
 	if err != nil {
 		return nil, err
 	}
-	defer s.closeDBCon(db)
+	defer s.deferredCloseDBCon(db)
 
 	err = db.View(func(tx *bolt.Tx) error {
 		allPodsBucket, err := getAllPodsBucket(tx)
diff --git a/libpod/boltdb_state_internal.go b/libpod/boltdb_state_internal.go
index 122bb5935..408ef7224 100644
--- a/libpod/boltdb_state_internal.go
+++ b/libpod/boltdb_state_internal.go
@@ -247,6 +247,15 @@ func (s *BoltState) getDBCon() (*bolt.DB, error) {
 	return db, nil
 }
 
+// deferredCloseDBCon closes the bolt db but instead of returning an
+// error it logs the error. it is meant to be used within the confines
+// of a defer statement only
+func (s *BoltState) deferredCloseDBCon(db *bolt.DB) {
+	if err := s.closeDBCon(db); err != nil {
+		logrus.Errorf("failed to close libpod db: %q", err)
+	}
+}
+
 // Close a connection to the database.
 // MUST be used in place of `db.Close()` to ensure proper unlocking of the
 // state.
@@ -339,7 +348,6 @@ func getRuntimeConfigBucket(tx *bolt.Tx) (*bolt.Bucket, error) {
 }
 
 func (s *BoltState) getContainerFromDB(id []byte, ctr *Container, ctrsBkt *bolt.Bucket) error {
-	valid := true
 	ctrBkt := ctrsBkt.Bucket(id)
 	if ctrBkt == nil {
 		return errors.Wrapf(define.ErrNoSuchCtr, "container %s not found in DB", string(id))
@@ -386,7 +394,7 @@ func (s *BoltState) getContainerFromDB(id []byte, ctr *Container, ctrsBkt *bolt.
 	}
 
 	ctr.runtime = s.runtime
-	ctr.valid = valid
+	ctr.valid = true
 
 	return nil
 }
@@ -480,7 +488,7 @@ func (s *BoltState) addContainer(ctr *Container, pod *Pod) error {
 	if err != nil {
 		return err
 	}
-	defer s.closeDBCon(db)
+	defer s.deferredCloseDBCon(db)
 
 	err = db.Update(func(tx *bolt.Tx) error {
 		idsBucket, err := getIDBucket(tx)
@@ -639,7 +647,7 @@ func (s *BoltState) addContainer(ctr *Container, pod *Pod) error {
 		}
 
 		// Add ctr to pod
-		if pod != nil {
+		if pod != nil && podCtrs != nil {
 			if err := podCtrs.Put(ctrID, ctrName); err != nil {
 				return errors.Wrapf(err, "error adding container %s to pod %s", ctr.ID(), pod.ID())
 			}
@@ -737,7 +745,7 @@ func (s *BoltState) removeContainer(ctr *Container, pod *Pod, tx *bolt.Tx) error
 		}
 	}
 
-	if podDB != nil {
+	if podDB != nil && pod != nil {
 		// Check if the container is in the pod, remove it if it is
 		podCtrs := podDB.Bucket(containersBkt)
 		if podCtrs == nil {
diff --git a/libpod/common_test.go b/libpod/common_test.go
index ae3cb1c87..93ca7bc71 100644
--- a/libpod/common_test.go
+++ b/libpod/common_test.go
@@ -89,13 +89,13 @@ func getTestContainer(id, name string, manager lock.Manager) (*Container, error)
 
 	ctr.config.Labels["test"] = "testing"
 
-	// Allocate a lock for the container
-	lock, err := manager.AllocateLock()
+	// Allocate a containerLock for the container
+	containerLock, err := manager.AllocateLock()
 	if err != nil {
 		return nil, err
 	}
-	ctr.lock = lock
-	ctr.config.LockID = lock.ID()
+	ctr.lock = containerLock
+	ctr.config.LockID = containerLock.ID()
 
 	return ctr, nil
 }
@@ -114,13 +114,13 @@ func getTestPod(id, name string, manager lock.Manager) (*Pod, error) {
 		valid: true,
 	}
 
-	// Allocate a lock for the pod
-	lock, err := manager.AllocateLock()
+	// Allocate a podLock for the pod
+	podLock, err := manager.AllocateLock()
 	if err != nil {
 		return nil, err
 	}
-	pod.lock = lock
-	pod.config.LockID = lock.ID()
+	pod.lock = podLock
+	pod.config.LockID = podLock.ID()
 
 	return pod, nil
 }
diff --git a/libpod/container.go b/libpod/container.go
index bfbc47d76..a9b512de9 100644
--- a/libpod/container.go
+++ b/libpod/container.go
@@ -138,6 +138,9 @@ type Container struct {
 	// being checkpointed. If requestedIP is set it will be used instead
 	// of config.StaticIP.
 	requestedIP net.IP
+
+	// This is true if a container is restored from a checkpoint.
+	restoreFromCheckpoint bool
 }
 
 // ContainerState contains the current state of the container
diff --git a/libpod/container_attach_linux.go b/libpod/container_attach_linux.go
index fc53268c3..43dd7d579 100644
--- a/libpod/container_attach_linux.go
+++ b/libpod/container_attach_linux.go
@@ -10,6 +10,7 @@ import (
 	"path/filepath"
 
 	"github.com/containers/libpod/libpod/define"
+	"github.com/containers/libpod/pkg/errorhandling"
 	"github.com/containers/libpod/pkg/kubeutils"
 	"github.com/containers/libpod/utils"
 	"github.com/docker/docker/pkg/term"
@@ -66,7 +67,7 @@ func (c *Container) attachContainerSocket(resize <-chan remotecommand.TerminalSi
 			logrus.Debugf("Could not open ctl file: %v", err)
 			return
 		}
-		defer controlFile.Close()
+		defer errorhandling.CloseQuiet(controlFile)
 
 		logrus.Debugf("Received a resize event: %+v", size)
 		if _, err = fmt.Fprintf(controlFile, "%d %d %d\n", 1, size.Height, size.Width); err != nil {
@@ -108,7 +109,9 @@ func (c *Container) attachContainerSocket(resize <-chan remotecommand.TerminalSi
 		var err error
 		if streams.AttachInput {
 			_, err = utils.CopyDetachable(conn, streams.InputStream, detachKeys)
-			conn.CloseWrite()
+			if err := conn.CloseWrite(); err != nil {
+				logrus.Error("failed to close write in attach")
+			}
 		}
 		stdinDone <- err
 	}()
@@ -145,7 +148,9 @@ func redirectResponseToOutputStreams(outputStream, errorStream io.Writer, writeO
 			default:
 				logrus.Infof("Received unexpected attach type %+d", buf[0])
 			}
-
+			if dst == nil {
+				return errors.New("output destination cannot be nil")
+			}
 			if doWrite {
 				nw, ew := dst.Write(buf[1:nr])
 				if ew != nil {
diff --git a/libpod/container_inspect.go b/libpod/container_inspect.go
index 18e84e1f1..2de78254c 100644
--- a/libpod/container_inspect.go
+++ b/libpod/container_inspect.go
@@ -206,12 +206,12 @@ func (c *Container) Inspect(size bool) (*InspectContainerData, error) {
 func (c *Container) getContainerInspectData(size bool, driverData *driver.Data) (*InspectContainerData, error) {
 	config := c.config
 	runtimeInfo := c.state
-	spec, err := c.specFromState()
+	stateSpec, err := c.specFromState()
 	if err != nil {
 		return nil, err
 	}
 
-	// Process is allowed to be nil in the spec
+	// Process is allowed to be nil in the stateSpec
 	args := []string{}
 	if config.Spec.Process != nil {
 		args = config.Spec.Process.Args
@@ -244,7 +244,7 @@ func (c *Container) getContainerInspectData(size bool, driverData *driver.Data)
 		}
 	}
 
-	mounts, err := c.getInspectMounts(spec)
+	mounts, err := c.getInspectMounts(stateSpec)
 	if err != nil {
 		return nil, err
 	}
@@ -255,7 +255,7 @@ func (c *Container) getContainerInspectData(size bool, driverData *driver.Data)
 		Path:    path,
 		Args:    args,
 		State: &InspectContainerState{
-			OciVersion: spec.Version,
+			OciVersion: stateSpec.Version,
 			Status:     runtimeInfo.State.String(),
 			Running:    runtimeInfo.State == define.ContainerStateRunning,
 			Paused:     runtimeInfo.State == define.ContainerStatePaused,
@@ -285,9 +285,9 @@ func (c *Container) getContainerInspectData(size bool, driverData *driver.Data)
 		Driver:          driverData.Name,
 		MountLabel:      config.MountLabel,
 		ProcessLabel:    config.ProcessLabel,
-		EffectiveCaps:   spec.Process.Capabilities.Effective,
-		BoundingCaps:    spec.Process.Capabilities.Bounding,
-		AppArmorProfile: spec.Process.ApparmorProfile,
+		EffectiveCaps:   stateSpec.Process.Capabilities.Effective,
+		BoundingCaps:    stateSpec.Process.Capabilities.Bounding,
+		AppArmorProfile: stateSpec.Process.ApparmorProfile,
 		ExecIDs:         execIDs,
 		GraphDriver:     driverData,
 		Mounts:          mounts,
@@ -338,7 +338,7 @@ func (c *Container) getContainerInspectData(size bool, driverData *driver.Data)
 	// Get information on the container's network namespace (if present)
 	data = c.getContainerNetworkInfo(data)
 
-	inspectConfig, err := c.generateInspectContainerConfig(spec)
+	inspectConfig, err := c.generateInspectContainerConfig(stateSpec)
 	if err != nil {
 		return nil, err
 	}
diff --git a/libpod/container_internal.go b/libpod/container_internal.go
index 611fa9800..c409da96a 100644
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@@ -352,6 +352,16 @@ func (c *Container) setupStorage(ctx context.Context) error {
 		},
 		LabelOpts: c.config.LabelOpts,
 	}
+	if c.restoreFromCheckpoint {
+		// If restoring from a checkpoint, the root file-system
+		// needs to be mounted with the same SELinux labels as
+		// it was mounted previously.
+		if options.Flags == nil {
+			options.Flags = make(map[string]interface{})
+		}
+		options.Flags["ProcessLabel"] = c.config.ProcessLabel
+		options.Flags["MountLabel"] = c.config.MountLabel
+	}
 	if c.config.Privileged {
 		privOpt := func(opt string) bool {
 			for _, privopt := range []string{"nodev", "nosuid", "noexec"} {
@@ -555,7 +565,7 @@ func (c *Container) removeConmonFiles() error {
 		if !os.IsNotExist(err) {
 			return errors.Wrapf(err, "error running stat on container %s exit file", c.ID())
 		}
-	} else if err == nil {
+	} else {
 		// Rename should replace the old exit file (if it exists)
 		if err := os.Rename(exitFile, oldExitFile); err != nil {
 			return errors.Wrapf(err, "error renaming container %s exit file", c.ID())
@@ -568,11 +578,11 @@ func (c *Container) removeConmonFiles() error {
 func (c *Container) export(path string) error {
 	mountPoint := c.state.Mountpoint
 	if !c.state.Mounted {
-		mount, err := c.runtime.store.Mount(c.ID(), c.config.MountLabel)
+		containerMount, err := c.runtime.store.Mount(c.ID(), c.config.MountLabel)
 		if err != nil {
 			return errors.Wrapf(err, "error mounting container %q", c.ID())
 		}
-		mountPoint = mount
+		mountPoint = containerMount
 		defer func() {
 			if _, err := c.runtime.store.Unmount(c.ID(), false); err != nil {
 				logrus.Errorf("error unmounting container %q: %v", c.ID(), err)
@@ -856,18 +866,18 @@ func (c *Container) init(ctx context.Context, retainRetries bool) error {
 	span.SetTag("struct", "container")
 	defer span.Finish()
 
-	// Generate the OCI spec
-	spec, err := c.generateSpec(ctx)
+	// Generate the OCI newSpec
+	newSpec, err := c.generateSpec(ctx)
 	if err != nil {
 		return err
 	}
 
-	// Save the OCI spec to disk
-	if err := c.saveSpec(spec); err != nil {
+	// Save the OCI newSpec to disk
+	if err := c.saveSpec(newSpec); err != nil {
 		return err
 	}
 
-	// With the spec complete, do an OCI create
+	// With the newSpec complete, do an OCI create
 	if err := c.ociRuntime.createContainer(c, c.config.CgroupParent, nil); err != nil {
 		return err
 	}
@@ -1167,8 +1177,8 @@ func (c *Container) cleanupStorage() error {
 		return nil
 	}
 
-	for _, mount := range c.config.Mounts {
-		if err := c.unmountSHM(mount); err != nil {
+	for _, containerMount := range c.config.Mounts {
+		if err := c.unmountSHM(containerMount); err != nil {
 			return err
 		}
 	}
@@ -1399,14 +1409,14 @@ func (c *Container) setupOCIHooks(ctx context.Context, config *spec.Spec) (exten
 				}
 				return nil, err
 			}
-			hooks, err := manager.Hooks(config, c.Spec().Annotations, len(c.config.UserVolumes) > 0)
+			ociHooks, err := manager.Hooks(config, c.Spec().Annotations, len(c.config.UserVolumes) > 0)
 			if err != nil {
 				return nil, err
 			}
-			if len(hooks) > 0 || config.Hooks != nil {
-				logrus.Warnf("implicit hook directories are deprecated; set --hooks-dir=%q explicitly to continue to load hooks from this directory", hDir)
+			if len(ociHooks) > 0 || config.Hooks != nil {
+				logrus.Warnf("implicit hook directories are deprecated; set --ociHooks-dir=%q explicitly to continue to load ociHooks from this directory", hDir)
 			}
-			for i, hook := range hooks {
+			for i, hook := range ociHooks {
 				allHooks[i] = hook
 			}
 		}
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index fad45233a..aa477611f 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -185,9 +185,13 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
 	// If network namespace was requested, add it now
 	if c.config.CreateNetNS {
 		if c.config.PostConfigureNetNS {
-			g.AddOrReplaceLinuxNamespace(spec.NetworkNamespace, "")
+			if err := g.AddOrReplaceLinuxNamespace(spec.NetworkNamespace, ""); err != nil {
+				return nil, err
+			}
 		} else {
-			g.AddOrReplaceLinuxNamespace(spec.NetworkNamespace, c.state.NetNS.Path())
+			if err := g.AddOrReplaceLinuxNamespace(spec.NetworkNamespace, c.state.NetNS.Path()); err != nil {
+				return nil, err
+			}
 		}
 	}
 
@@ -415,7 +419,9 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
 
 	if rootPropagation != "" {
 		logrus.Debugf("set root propagation to %q", rootPropagation)
-		g.SetLinuxRootPropagation(rootPropagation)
+		if err := g.SetLinuxRootPropagation(rootPropagation); err != nil {
+			return nil, err
+		}
 	}
 
 	// Warning: precreate hooks may alter g.Config in place.
@@ -561,7 +567,9 @@ func (c *Container) checkpointRestoreLabelLog(fileName string) (err error) {
 	if err != nil {
 		return errors.Wrapf(err, "failed to create CRIU log file %q", dumpLog)
 	}
-	logFile.Close()
+	if err := logFile.Close(); err != nil {
+		logrus.Errorf("unable to close log file: %q", err)
+	}
 	if err = label.SetFileLabel(dumpLog, c.MountLabel()); err != nil {
 		return errors.Wrapf(err, "failed to label CRIU log file %q", dumpLog)
 	}
@@ -620,12 +628,15 @@ func (c *Container) checkpoint(ctx context.Context, options ContainerCheckpointO
 			"config.dump",
 			"spec.dump",
 		}
-		for _, delete := range cleanup {
-			file := filepath.Join(c.bundlePath(), delete)
-			os.Remove(file)
+		for _, del := range cleanup {
+			file := filepath.Join(c.bundlePath(), del)
+			if err := os.Remove(file); err != nil {
+				logrus.Debugf("unable to remove file %s", file)
+			}
 		}
 	}
 
+	c.state.FinishedTime = time.Now()
 	return c.save()
 }
 
@@ -702,7 +713,9 @@ func (c *Container) restore(ctx context.Context, options ContainerCheckpointOpti
 		if err != nil {
 			return err
 		}
-		json.Unmarshal(networkJSON, &networkStatus)
+		if err := json.Unmarshal(networkJSON, &networkStatus); err != nil {
+			return err
+		}
 		// Take the first IP address
 		var IP net.IP
 		if len(networkStatus) > 0 {
@@ -744,7 +757,9 @@ func (c *Container) restore(ctx context.Context, options ContainerCheckpointOpti
 
 	// We want to have the same network namespace as before.
 	if c.config.CreateNetNS {
-		g.AddOrReplaceLinuxNamespace(spec.NetworkNamespace, c.state.NetNS.Path())
+		if err := g.AddOrReplaceLinuxNamespace(spec.NetworkNamespace, c.state.NetNS.Path()); err != nil {
+			return err
+		}
 	}
 
 	if err := c.makeBindMounts(); err != nil {
@@ -769,7 +784,9 @@ func (c *Container) restore(ctx context.Context, options ContainerCheckpointOpti
 	}
 
 	// Cleanup for a working restore.
-	c.removeConmonFiles()
+	if err := c.removeConmonFiles(); err != nil {
+		return err
+	}
 
 	// Save the OCI spec to disk
 	if err := c.saveSpec(g.Spec()); err != nil {
@@ -793,8 +810,8 @@ func (c *Container) restore(ctx context.Context, options ContainerCheckpointOpti
 			logrus.Debugf("Non-fatal: removal of checkpoint directory (%s) failed: %v", c.CheckpointPath(), err)
 		}
 		cleanup := [...]string{"restore.log", "dump.log", "stats-dump", "stats-restore", "network.status"}
-		for _, delete := range cleanup {
-			file := filepath.Join(c.bundlePath(), delete)
+		for _, del := range cleanup {
+			file := filepath.Join(c.bundlePath(), del)
 			err = os.Remove(file)
 			if err != nil {
 				logrus.Debugf("Non-fatal: removal of checkpoint file (%s) failed: %v", file, err)
@@ -824,14 +841,14 @@ func (c *Container) makeBindMounts() error {
 		// will recreate. Only do this if we aren't sharing them with
 		// another container.
 		if c.config.NetNsCtr == "" {
-			if path, ok := c.state.BindMounts["/etc/resolv.conf"]; ok {
-				if err := os.Remove(path); err != nil && !os.IsNotExist(err) {
+			if resolvePath, ok := c.state.BindMounts["/etc/resolv.conf"]; ok {
+				if err := os.Remove(resolvePath); err != nil && !os.IsNotExist(err) {
 					return errors.Wrapf(err, "error removing container %s resolv.conf", c.ID())
 				}
 				delete(c.state.BindMounts, "/etc/resolv.conf")
 			}
-			if path, ok := c.state.BindMounts["/etc/hosts"]; ok {
-				if err := os.Remove(path); err != nil && !os.IsNotExist(err) {
+			if hostsPath, ok := c.state.BindMounts["/etc/hosts"]; ok {
+				if err := os.Remove(hostsPath); err != nil && !os.IsNotExist(err) {
 					return errors.Wrapf(err, "error removing container %s hosts", c.ID())
 				}
 				delete(c.state.BindMounts, "/etc/hosts")
@@ -968,10 +985,10 @@ func (c *Container) makeBindMounts() error {
 // generateResolvConf generates a containers resolv.conf
 func (c *Container) generateResolvConf() (string, error) {
 	resolvConf := "/etc/resolv.conf"
-	for _, ns := range c.config.Spec.Linux.Namespaces {
-		if ns.Type == spec.NetworkNamespace {
-			if ns.Path != "" && !strings.HasPrefix(ns.Path, "/proc/") {
-				definedPath := filepath.Join("/etc/netns", filepath.Base(ns.Path), "resolv.conf")
+	for _, namespace := range c.config.Spec.Linux.Namespaces {
+		if namespace.Type == spec.NetworkNamespace {
+			if namespace.Path != "" && !strings.HasPrefix(namespace.Path, "/proc/") {
+				definedPath := filepath.Join("/etc/netns", filepath.Base(namespace.Path), "resolv.conf")
 				_, err := os.Stat(definedPath)
 				if err == nil {
 					resolvConf = definedPath
@@ -1096,10 +1113,10 @@ func (c *Container) generatePasswd() (string, error) {
 	if c.config.User == "" {
 		return "", nil
 	}
-	spec := strings.SplitN(c.config.User, ":", 2)
-	userspec := spec[0]
-	if len(spec) > 1 {
-		groupspec = spec[1]
+	splitSpec := strings.SplitN(c.config.User, ":", 2)
+	userspec := splitSpec[0]
+	if len(splitSpec) > 1 {
+		groupspec = splitSpec[1]
 	}
 	// If a non numeric User, then don't generate passwd
 	uid, err := strconv.ParseUint(userspec, 10, 32)
@@ -1137,7 +1154,7 @@ func (c *Container) generatePasswd() (string, error) {
 	if err != nil {
 		return "", errors.Wrapf(err, "failed to create temporary passwd file")
 	}
-	if os.Chmod(passwdFile, 0644); err != nil {
+	if err := os.Chmod(passwdFile, 0644); err != nil {
 		return "", err
 	}
 	return passwdFile, nil
diff --git a/libpod/healthcheck_linux.go b/libpod/healthcheck_linux.go
index d47a3b7cd..53fb271d1 100644
--- a/libpod/healthcheck_linux.go
+++ b/libpod/healthcheck_linux.go
@@ -4,13 +4,50 @@ import (
 	"fmt"
 	"os"
 	"os/exec"
+	"path/filepath"
+	"strconv"
 	"strings"
 
+	"github.com/containers/libpod/pkg/rootless"
 	"github.com/coreos/go-systemd/dbus"
+	godbus "github.com/godbus/dbus"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 )
 
+func dbusAuthRootlessConnection(createBus func(opts ...godbus.ConnOption) (*godbus.Conn, error)) (*godbus.Conn, error) {
+	conn, err := createBus()
+	if err != nil {
+		return nil, err
+	}
+
+	methods := []godbus.Auth{godbus.AuthExternal(strconv.Itoa(rootless.GetRootlessUID()))}
+
+	err = conn.Auth(methods)
+	if err != nil {
+		conn.Close()
+		return nil, err
+	}
+
+	return conn, nil
+}
+
+func newRootlessConnection() (*dbus.Conn, error) {
+	return dbus.NewConnection(func() (*godbus.Conn, error) {
+		return dbusAuthRootlessConnection(func(opts ...godbus.ConnOption) (*godbus.Conn, error) {
+			path := filepath.Join(os.Getenv("XDG_RUNTIME_DIR"), "systemd/private")
+			return godbus.Dial(fmt.Sprintf("unix:path=%s", path))
+		})
+	})
+}
+
+func getConnection() (*dbus.Conn, error) {
+	if rootless.IsRootless() {
+		return newRootlessConnection()
+	}
+	return dbus.NewSystemdConnection()
+}
+
 // createTimer systemd timers for healthchecks of a container
 func (c *Container) createTimer() error {
 	if c.disableHealthCheckSystemd() {
@@ -21,9 +58,13 @@ func (c *Container) createTimer() error {
 		return errors.Wrapf(err, "failed to get path for podman for a health check timer")
 	}
 
-	var cmd = []string{"--unit", fmt.Sprintf("%s", c.ID()), fmt.Sprintf("--on-unit-inactive=%s", c.HealthCheckConfig().Interval.String()), "--timer-property=AccuracySec=1s", podman, "healthcheck", "run", c.ID()}
+	var cmd = []string{}
+	if rootless.IsRootless() {
+		cmd = append(cmd, "--user")
+	}
+	cmd = append(cmd, "--unit", fmt.Sprintf("%s", c.ID()), fmt.Sprintf("--on-unit-inactive=%s", c.HealthCheckConfig().Interval.String()), "--timer-property=AccuracySec=1s", podman, "healthcheck", "run", c.ID())
 
-	conn, err := dbus.NewSystemdConnection()
+	conn, err := getConnection()
 	if err != nil {
 		return errors.Wrapf(err, "unable to get systemd connection to add healthchecks")
 	}
@@ -42,7 +83,7 @@ func (c *Container) startTimer() error {
 	if c.disableHealthCheckSystemd() {
 		return nil
 	}
-	conn, err := dbus.NewSystemdConnection()
+	conn, err := getConnection()
 	if err != nil {
 		return errors.Wrapf(err, "unable to get systemd connection to start healthchecks")
 	}
@@ -57,7 +98,7 @@ func (c *Container) removeTimer() error {
 	if c.disableHealthCheckSystemd() {
 		return nil
 	}
-	conn, err := dbus.NewSystemdConnection()
+	conn, err := getConnection()
 	if err != nil {
 		return errors.Wrapf(err, "unable to get systemd connection to remove healthchecks")
 	}
diff --git a/libpod/image/image.go b/libpod/image/image.go
index 76e46f74f..6509134ac 100644
--- a/libpod/image/image.go
+++ b/libpod/image/image.go
@@ -323,7 +323,7 @@ func (i *Image) Names() []string {
 // RepoDigests returns a string array of repodigests associated with the image
 func (i *Image) RepoDigests() ([]string, error) {
 	var repoDigests []string
-	digest := i.Digest()
+	imageDigest := i.Digest()
 
 	for _, name := range i.Names() {
 		named, err := reference.ParseNormalizedNamed(name)
@@ -331,7 +331,7 @@ func (i *Image) RepoDigests() ([]string, error) {
 			return nil, err
 		}
 
-		canonical, err := reference.WithDigest(reference.TrimNamed(named), digest)
+		canonical, err := reference.WithDigest(reference.TrimNamed(named), imageDigest)
 		if err != nil {
 			return nil, err
 		}
@@ -462,11 +462,11 @@ func getImageDigest(ctx context.Context, src types.ImageReference, sc *types.Sys
 		return "", err
 	}
 	defer newImg.Close()
-	digest := newImg.ConfigInfo().Digest
-	if err = digest.Validate(); err != nil {
+	imageDigest := newImg.ConfigInfo().Digest
+	if err = imageDigest.Validate(); err != nil {
 		return "", errors.Wrapf(err, "error getting config info")
 	}
-	return "@" + digest.Hex(), nil
+	return "@" + imageDigest.Hex(), nil
 }
 
 // normalizedTag returns the canonical version of tag for use in Image.Names()
@@ -495,7 +495,9 @@ func normalizedTag(tag string) (reference.Named, error) {
 
 // TagImage adds a tag to the given image
 func (i *Image) TagImage(tag string) error {
-	i.reloadImage()
+	if err := i.reloadImage(); err != nil {
+		return err
+	}
 	ref, err := normalizedTag(tag)
 	if err != nil {
 		return err
@@ -508,14 +510,18 @@ func (i *Image) TagImage(tag string) error {
 	if err := i.imageruntime.store.SetNames(i.ID(), tags); err != nil {
 		return err
 	}
-	i.reloadImage()
+	if err := i.reloadImage(); err != nil {
+		return err
+	}
 	defer i.newImageEvent(events.Tag)
 	return nil
 }
 
 // UntagImage removes a tag from the given image
 func (i *Image) UntagImage(tag string) error {
-	i.reloadImage()
+	if err := i.reloadImage(); err != nil {
+		return err
+	}
 	var newTags []string
 	tags := i.Names()
 	if !util.StringInSlice(tag, tags) {
@@ -529,7 +535,9 @@ func (i *Image) UntagImage(tag string) error {
 	if err := i.imageruntime.store.SetNames(i.ID(), newTags); err != nil {
 		return err
 	}
-	i.reloadImage()
+	if err := i.reloadImage(); err != nil {
+		return err
+	}
 	defer i.newImageEvent(events.Untag)
 	return nil
 }
@@ -825,7 +833,7 @@ func (i *Image) GetLabel(ctx context.Context, label string) (string, error) {
 
 // Annotations returns the annotations of an image
 func (i *Image) Annotations(ctx context.Context) (map[string]string, error) {
-	manifest, manifestType, err := i.Manifest(ctx)
+	imageManifest, manifestType, err := i.Manifest(ctx)
 	if err != nil {
 		return nil, err
 	}
@@ -833,7 +841,7 @@ func (i *Image) Annotations(ctx context.Context) (map[string]string, error) {
 	switch manifestType {
 	case ociv1.MediaTypeImageManifest:
 		var m ociv1.Manifest
-		if err := json.Unmarshal(manifest, &m); err == nil {
+		if err := json.Unmarshal(imageManifest, &m); err == nil {
 			for k, v := range m.Annotations {
 				annotations[k] = v
 			}
diff --git a/libpod/image/pull.go b/libpod/image/pull.go
index e5765febc..ce8a19fbc 100644
--- a/libpod/image/pull.go
+++ b/libpod/image/pull.go
@@ -263,7 +263,9 @@ func (ir *Runtime) doPullImage(ctx context.Context, sc *types.SystemContext, goa
 		copyOptions.SourceCtx.SystemRegistriesConfPath = systemRegistriesConfPath // FIXME: Set this more globally.  Probably no reason not to have it in every types.SystemContext, and to compute the value just once in one place.
 		// Print the following statement only when pulling from a docker or atomic registry
 		if writer != nil && (imageInfo.srcRef.Transport().Name() == DockerTransport || imageInfo.srcRef.Transport().Name() == AtomicTransport) {
-			io.WriteString(writer, fmt.Sprintf("Trying to pull %s...", imageInfo.image))
+			if _, err := io.WriteString(writer, fmt.Sprintf("Trying to pull %s...", imageInfo.image)); err != nil {
+				return nil, err
+			}
 		}
 		// If the label is not nil, check if the label exists and if not, return err
 		if label != nil {
@@ -277,7 +279,7 @@ func (ir *Runtime) doPullImage(ctx context.Context, sc *types.SystemContext, goa
 			pullErrors = multierror.Append(pullErrors, err)
 			logrus.Errorf("Error pulling image ref %s: %v", imageInfo.srcRef.StringWithinTransport(), err)
 			if writer != nil {
-				io.WriteString(writer, "Failed\n")
+				_, _ = io.WriteString(writer, "Failed\n")
 			}
 		} else {
 			if !goal.pullAllPairs {
diff --git a/libpod/image/search.go b/libpod/image/search.go
index 03a67636b..9984e5234 100644
--- a/libpod/image/search.go
+++ b/libpod/image/search.go
@@ -99,7 +99,9 @@ func SearchImages(term string, options SearchOptions) ([]SearchResult, error) {
 
 	ctx := context.Background()
 	for i := range registries {
-		sem.Acquire(ctx, 1)
+		if err := sem.Acquire(ctx, 1); err != nil {
+			return nil, err
+		}
 		go searchImageInRegistryHelper(i, registries[i])
 	}
 
diff --git a/libpod/kube.go b/libpod/kube.go
index 08ab7a4a4..409937010 100644
--- a/libpod/kube.go
+++ b/libpod/kube.go
@@ -17,7 +17,6 @@ import (
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/api/resource"
 	v12 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -324,22 +323,6 @@ func libpodEnvVarsToKubeEnvVars(envs []string) ([]v1.EnvVar, error) {
 	return envVars, nil
 }
 
-// Is this worth it?
-func libpodMaxAndMinToResourceList(c *Container) (v1.ResourceList, v1.ResourceList) { //nolint
-	// It does not appear we can properly calculate CPU resources from the information
-	// we know in libpod.  Libpod knows CPUs by time, shares, etc.
-
-	// We also only know about a memory limit; no memory minimum
-	maxResources := make(map[v1.ResourceName]resource.Quantity)
-	minResources := make(map[v1.ResourceName]resource.Quantity)
-	config := c.Config()
-	maxMem := config.Spec.Linux.Resources.Memory.Limit
-
-	_ = maxMem
-
-	return maxResources, minResources
-}
-
 // libpodMountsToKubeVolumeMounts converts the containers mounts to a struct kube understands
 func libpodMountsToKubeVolumeMounts(c *Container) ([]v1.VolumeMount, []v1.Volume, error) {
 	var vms []v1.VolumeMount
@@ -427,16 +410,14 @@ func determineCapAddDropFromCapabilities(defaultCaps, containerCaps []string) *v
 	// those indicate a dropped cap
 	for _, capability := range defaultCaps {
 		if !util.StringInSlice(capability, containerCaps) {
-			cap := v1.Capability(capability)
-			drop = append(drop, cap)
+			drop = append(drop, v1.Capability(capability))
 		}
 	}
 	// Find caps in the container but not in the defaults; those indicate
 	// an added cap
 	for _, capability := range containerCaps {
 		if !util.StringInSlice(capability, defaultCaps) {
-			cap := v1.Capability(capability)
-			add = append(add, cap)
+			add = append(add, v1.Capability(capability))
 		}
 	}
 
diff --git a/libpod/networking_linux.go b/libpod/networking_linux.go
index 27585b8d5..987c1fc5b 100644
--- a/libpod/networking_linux.go
+++ b/libpod/networking_linux.go
@@ -5,6 +5,7 @@ package libpod
 import (
 	"crypto/rand"
 	"fmt"
+	"github.com/containers/libpod/pkg/errorhandling"
 	"net"
 	"os"
 	"os/exec"
@@ -168,8 +169,8 @@ func (r *Runtime) setupRootlessNetNS(ctr *Container) (err error) {
 	if err != nil {
 		return errors.Wrapf(err, "failed to open pipe")
 	}
-	defer syncR.Close()
-	defer syncW.Close()
+	defer errorhandling.CloseQuiet(syncR)
+	defer errorhandling.CloseQuiet(syncW)
 
 	havePortMapping := len(ctr.Config().PortMappings) > 0
 	apiSocket := filepath.Join(ctr.ociRuntime.tmpDir, fmt.Sprintf("%s.net", ctr.config.ID))
@@ -294,14 +295,14 @@ func (r *Runtime) setupRootlessNetNS(ctr *Container) (err error) {
 				return errors.Wrapf(err, "cannot shutdown the socket %s", apiSocket)
 			}
 			buf := make([]byte, 2048)
-			len, err := conn.Read(buf)
+			readLength, err := conn.Read(buf)
 			if err != nil {
 				return errors.Wrapf(err, "cannot read from control socket %s", apiSocket)
 			}
 			// if there is no 'error' key in the received JSON data, then the operation was
 			// successful.
 			var y map[string]interface{}
-			if err := json.Unmarshal(buf[0:len], &y); err != nil {
+			if err := json.Unmarshal(buf[0:readLength], &y); err != nil {
 				return errors.Wrapf(err, "error parsing error status from slirp4netns")
 			}
 			if e, found := y["error"]; found {
@@ -332,7 +333,9 @@ func (r *Runtime) setupNetNS(ctr *Container) (err error) {
 	if err != nil {
 		return errors.Wrapf(err, "cannot open %s", nsPath)
 	}
-	mountPointFd.Close()
+	if err := mountPointFd.Close(); err != nil {
+		return err
+	}
 
 	if err := unix.Mount(nsProcess, nsPath, "none", unix.MS_BIND, ""); err != nil {
 		return errors.Wrapf(err, "cannot mount %s", nsPath)
@@ -352,12 +355,12 @@ func (r *Runtime) setupNetNS(ctr *Container) (err error) {
 
 // Join an existing network namespace
 func joinNetNS(path string) (ns.NetNS, error) {
-	ns, err := ns.GetNS(path)
+	netNS, err := ns.GetNS(path)
 	if err != nil {
 		return nil, errors.Wrapf(err, "error retrieving network namespace at %s", path)
 	}
 
-	return ns, nil
+	return netNS, nil
 }
 
 // Close a network namespace.
diff --git a/libpod/oci.go b/libpod/oci.go
index fdd783100..6aad79cdf 100644
--- a/libpod/oci.go
+++ b/libpod/oci.go
@@ -263,7 +263,9 @@ func (r *OCIRuntime) updateContainerStatus(ctr *Container, useRuntime bool) erro
 			return errors.Wrapf(err, "error getting container %s state", ctr.ID())
 		}
 		if strings.Contains(string(out), "does not exist") {
-			ctr.removeConmonFiles()
+			if err := ctr.removeConmonFiles(); err != nil {
+				logrus.Debugf("unable to remove conmon files for container %s", ctr.ID())
+			}
 			ctr.state.ExitCode = -1
 			ctr.state.FinishedTime = time.Now()
 			ctr.state.State = define.ContainerStateExited
@@ -273,7 +275,9 @@ func (r *OCIRuntime) updateContainerStatus(ctr *Container, useRuntime bool) erro
 	}
 	defer cmd.Wait()
 
-	errPipe.Close()
+	if err := errPipe.Close(); err != nil {
+		return err
+	}
 	out, err := ioutil.ReadAll(outPipe)
 	if err != nil {
 		return errors.Wrapf(err, "error reading stdout: %s", ctr.ID())
@@ -433,8 +437,8 @@ func (r *OCIRuntime) execContainer(c *Container, cmd, capAdd, env []string, tty
 		args = append(args, "--no-new-privs")
 	}
 
-	for _, cap := range capAdd {
-		args = append(args, "--cap", cap)
+	for _, capabilityAdd := range capAdd {
+		args = append(args, "--cap", capabilityAdd)
 	}
 
 	for _, envVar := range env {
@@ -475,7 +479,9 @@ func (r *OCIRuntime) execContainer(c *Container, cmd, capAdd, env []string, tty
 		for fd := 3; fd < 3+preserveFDs; fd++ {
 			// These fds were passed down to the runtime.  Close them
 			// and not interfere
-			os.NewFile(uintptr(fd), fmt.Sprintf("fd-%d", fd)).Close()
+			if err := os.NewFile(uintptr(fd), fmt.Sprintf("fd-%d", fd)).Close(); err != nil {
+				logrus.Debugf("unable to close file fd-%d", fd)
+			}
 		}
 	}
 
@@ -484,7 +490,9 @@ func (r *OCIRuntime) execContainer(c *Container, cmd, capAdd, env []string, tty
 
 // checkpointContainer checkpoints the given container
 func (r *OCIRuntime) checkpointContainer(ctr *Container, options ContainerCheckpointOptions) error {
-	label.SetSocketLabel(ctr.ProcessLabel())
+	if err := label.SetSocketLabel(ctr.ProcessLabel()); err != nil {
+		return err
+	}
 	// imagePath is used by CRIU to store the actual checkpoint files
 	imagePath := ctr.CheckpointPath()
 	// workPath will be used to store dump.log and stats-dump
diff --git a/libpod/oci_linux.go b/libpod/oci_linux.go
index 24502ef4f..ca13d5517 100644
--- a/libpod/oci_linux.go
+++ b/libpod/oci_linux.go
@@ -17,6 +17,7 @@ import (
 
 	"github.com/containers/libpod/libpod/define"
 	"github.com/containers/libpod/pkg/cgroups"
+	"github.com/containers/libpod/pkg/errorhandling"
 	"github.com/containers/libpod/pkg/rootless"
 	"github.com/containers/libpod/pkg/util"
 	"github.com/containers/libpod/utils"
@@ -117,7 +118,7 @@ func (r *OCIRuntime) createContainer(ctr *Container, cgroupParent string, restor
 					if err != nil {
 						return err
 					}
-					defer fd.Close()
+					defer errorhandling.CloseQuiet(fd)
 
 					// create a new mountns on the current thread
 					if err = unix.Unshare(unix.CLONE_NEWNS); err != nil {
@@ -207,8 +208,8 @@ func (r *OCIRuntime) createOCIContainer(ctr *Container, cgroupParent string, res
 		return errors.Wrapf(err, "error creating socket pair for start pipe")
 	}
 
-	defer parentPipe.Close()
-	defer parentStartPipe.Close()
+	defer errorhandling.CloseQuiet(parentPipe)
+	defer errorhandling.CloseQuiet(parentStartPipe)
 
 	ociLog := filepath.Join(ctr.state.RunDir, "oci-log")
 	logLevel := logrus.GetLevel()
@@ -342,7 +343,9 @@ func (r *OCIRuntime) createOCIContainer(ctr *Container, cgroupParent string, res
 		)
 		plabel, err = selinux.CurrentLabel()
 		if err != nil {
-			childPipe.Close()
+			if err := childPipe.Close(); err != nil {
+				logrus.Errorf("failed to close child pipe: %q", err)
+			}
 			return errors.Wrapf(err, "Failed to get current SELinux label")
 		}
 
@@ -362,20 +365,26 @@ func (r *OCIRuntime) createOCIContainer(ctr *Container, cgroupParent string, res
 		err = cmd.Start()
 		// Ignore error returned from SetProcessLabel("") call,
 		// can't recover.
-		label.SetProcessLabel("")
+		if err := label.SetProcessLabel(""); err != nil {
+			_ = err
+		}
 		runtime.UnlockOSThread()
 	} else {
 		err = cmd.Start()
 	}
 	if err != nil {
-		childPipe.Close()
+		errorhandling.CloseQuiet(childPipe)
 		return err
 	}
 	defer cmd.Wait()
 
 	// We don't need childPipe on the parent side
-	childPipe.Close()
-	childStartPipe.Close()
+	if err := childPipe.Close(); err != nil {
+		return err
+	}
+	if err := childStartPipe.Close(); err != nil {
+		return err
+	}
 
 	// Move conmon to specified cgroup
 	if err := r.moveConmonToCgroup(ctr, cgroupParent, cmd); err != nil {
diff --git a/libpod/options.go b/libpod/options.go
index 78634e953..4f8bb42df 100644
--- a/libpod/options.go
+++ b/libpod/options.go
@@ -325,7 +325,7 @@ func WithMaxLogSize(limit int64) RuntimeOption {
 
 // WithNoPivotRoot sets the runtime to use MS_MOVE instead of PIVOT_ROOT when
 // starting containers.
-func WithNoPivotRoot(noPivot bool) RuntimeOption {
+func WithNoPivotRoot() RuntimeOption {
 	return func(rt *Runtime) error {
 		if rt.valid {
 			return config2.ErrRuntimeFinalized
diff --git a/libpod/runtime.go b/libpod/runtime.go
index 6c61e15d3..9196547a2 100644
--- a/libpod/runtime.go
+++ b/libpod/runtime.go
@@ -245,7 +245,7 @@ type RuntimeConfig struct {
 	// EventsLogger determines where events should be logged
 	EventsLogger string `toml:"events_logger"`
 	// EventsLogFilePath is where the events log is stored.
-	EventsLogFilePath string `toml:-"events_logfile_path"`
+	EventsLogFilePath string `toml:"-events_logfile_path"`
 	//DetachKeys is the sequence of keys used to detach a container
 	DetachKeys string `toml:"detach_keys"`
 }
@@ -643,7 +643,9 @@ func newRuntimeFromConfig(ctx context.Context, userConfigPath string, options ..
 		}
 
 		if configPath != "" {
-			os.MkdirAll(filepath.Dir(configPath), 0755)
+			if err := os.MkdirAll(filepath.Dir(configPath), 0755); err != nil {
+				return nil, err
+			}
 			file, err := os.OpenFile(configPath, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0666)
 			if err != nil && !os.IsExist(err) {
 				return nil, errors.Wrapf(err, "cannot open file %s", configPath)
@@ -652,7 +654,9 @@ func newRuntimeFromConfig(ctx context.Context, userConfigPath string, options ..
 				defer file.Close()
 				enc := toml.NewEncoder(file)
 				if err := enc.Encode(runtime.config); err != nil {
-					os.Remove(configPath)
+					if removeErr := os.Remove(configPath); removeErr != nil {
+						logrus.Debugf("unable to remove %s: %q", configPath, err)
+					}
 				}
 			}
 		}
@@ -1158,6 +1162,13 @@ func (r *Runtime) GetConfig() (*RuntimeConfig, error) {
 	return config, nil
 }
 
+// DeferredShutdown shuts down the runtime without exposing any
+// errors. This is only meant to be used when the runtime is being
+// shutdown within a defer statement; else use Shutdown
+func (r *Runtime) DeferredShutdown(force bool) {
+	_ = r.Shutdown(force)
+}
+
 // Shutdown shuts down the runtime and associated containers and storage
 // If force is true, containers and mounted storage will be shut down before
 // cleaning up; if force is false, an error will be returned if there are
diff --git a/libpod/runtime_ctr.go b/libpod/runtime_ctr.go
index 9daac161c..760a07daf 100644
--- a/libpod/runtime_ctr.go
+++ b/libpod/runtime_ctr.go
@@ -52,7 +52,7 @@ func (r *Runtime) RestoreContainer(ctx context.Context, rSpec *spec.Spec, config
 	if err != nil {
 		return nil, errors.Wrapf(err, "error initializing container variables")
 	}
-	return r.setupContainer(ctx, ctr, true)
+	return r.setupContainer(ctx, ctr)
 }
 
 func (r *Runtime) initContainerVariables(rSpec *spec.Spec, config *ContainerConfig) (c *Container, err error) {
@@ -68,6 +68,7 @@ func (r *Runtime) initContainerVariables(rSpec *spec.Spec, config *ContainerConf
 		ctr.config.ShmSize = DefaultShmSize
 	} else {
 		// This is a restore from an imported checkpoint
+		ctr.restoreFromCheckpoint = true
 		if err := JSONDeepCopy(config, ctr.config); err != nil {
 			return nil, errors.Wrapf(err, "error copying container config for restore")
 		}
@@ -119,10 +120,10 @@ func (r *Runtime) newContainer(ctx context.Context, rSpec *spec.Spec, options ..
 			return nil, errors.Wrapf(err, "error running container create option")
 		}
 	}
-	return r.setupContainer(ctx, ctr, false)
+	return r.setupContainer(ctx, ctr)
 }
 
-func (r *Runtime) setupContainer(ctx context.Context, ctr *Container, restore bool) (c *Container, err error) {
+func (r *Runtime) setupContainer(ctx context.Context, ctr *Container) (c *Container, err error) {
 	// Allocate a lock for the container
 	lock, err := r.lockManager.AllocateLock()
 	if err != nil {
@@ -211,7 +212,7 @@ func (r *Runtime) setupContainer(ctx context.Context, ctr *Container, restore bo
 		return nil, errors.Wrapf(config2.ErrInvalidArg, "unsupported CGroup manager: %s - cannot validate cgroup parent", r.config.CgroupManager)
 	}
 
-	if restore {
+	if ctr.restoreFromCheckpoint {
 		// Remove information about bind mount
 		// for new container from imported checkpoint
 		g := generate.Generator{Config: ctr.config.Spec}
@@ -236,7 +237,7 @@ func (r *Runtime) setupContainer(ctx context.Context, ctr *Container, restore bo
 		}
 	}()
 
-	if rootless.IsRootless() && ctr.config.ConmonPidFile == "" {
+	if ctr.config.ConmonPidFile == "" {
 		ctr.config.ConmonPidFile = filepath.Join(ctr.state.RunDir, "conmon.pid")
 	}
 
@@ -430,12 +431,10 @@ func (r *Runtime) removeContainer(ctx context.Context, c *Container, force bool,
 		// If we're removing the pod, the container will be evicted
 		// from the state elsewhere
 		if !removePod {
-			if err := r.state.RemoveContainerFromPod(pod, c); err != nil {
-				if cleanupErr == nil {
-					cleanupErr = err
-				} else {
-					logrus.Errorf("removing container from pod: %v", err)
-				}
+			if cleanupErr == nil {
+				cleanupErr = err
+			} else {
+				logrus.Errorf("removing container from pod: %v", err)
 			}
 		}
 	} else {
diff --git a/libpod/runtime_migrate.go b/libpod/runtime_migrate.go
index ad45579d3..c363991e6 100644
--- a/libpod/runtime_migrate.go
+++ b/libpod/runtime_migrate.go
@@ -37,7 +37,9 @@ func stopPauseProcess() error {
 		if err := os.Remove(pausePidPath); err != nil {
 			return errors.Wrapf(err, "cannot delete pause pid file %s", pausePidPath)
 		}
-		syscall.Kill(pausePid, syscall.SIGKILL)
+		if err := syscall.Kill(pausePid, syscall.SIGKILL); err != nil {
+			return err
+		}
 	}
 	return nil
 }
diff --git a/libpod/stats.go b/libpod/stats.go
index eb5ed95c4..52af824bb 100644
--- a/libpod/stats.go
+++ b/libpod/stats.go
@@ -46,10 +46,6 @@ func (c *Container) GetContainerStats(previousStats *ContainerStats) (*Container
 		return stats, errors.Wrapf(err, "unable to obtain cgroup stats")
 	}
 	conState := c.state.State
-	if err != nil {
-		return stats, errors.Wrapf(err, "unable to determine container state")
-	}
-
 	netStats, err := getContainerNetIO(c)
 	if err != nil {
 		return nil, err
diff --git a/libpod/util.go b/libpod/util.go
index b0c25074b..b60575264 100644
--- a/libpod/util.go
+++ b/libpod/util.go
@@ -9,8 +9,6 @@ import (
 	"strings"
 	"time"
 
-	"github.com/containers/image/signature"
-	"github.com/containers/image/types"
 	"github.com/containers/libpod/libpod/define"
 	"github.com/fsnotify/fsnotify"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
@@ -32,24 +30,6 @@ func FuncTimer(funcName string) {
 	fmt.Printf("%s executed in %d ms\n", funcName, elapsed)
 }
 
-// CopyStringStringMap deep copies a map[string]string and returns the result
-func CopyStringStringMap(m map[string]string) map[string]string {
-	n := map[string]string{}
-	for k, v := range m {
-		n[k] = v
-	}
-	return n
-}
-
-// GetPolicyContext creates a signature policy context for the given signature policy path
-func GetPolicyContext(path string) (*signature.PolicyContext, error) {
-	policy, err := signature.DefaultPolicy(&types.SystemContext{SignaturePolicyPath: path})
-	if err != nil {
-		return nil, err
-	}
-	return signature.NewPolicyContext(policy)
-}
-
 // RemoveScientificNotationFromFloat returns a float without any
 // scientific notation if the number has any.
 // golang does not handle conversion of float64s that have scientific