3 files changed, 37 insertions, 1 deletions
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index b7d353327..283d38a0f 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -550,6 +550,7 @@ func (c *Container) setupSystemd(mounts []spec.Mount, g generate.Generator) erro
 			Options:     []string{"bind", "nodev", "noexec", "nosuid"},
 		}
 		g.AddMount(systemdMnt)
+		g.AddLinuxMaskedPaths("/sys/fs/cgroup/systemd/release_agent")
 	}
 
 	return nil
diff --git a/libpod/options.go b/libpod/options.go
index ddc5993af..f779b0413 100644
--- a/libpod/options.go
+++ b/libpod/options.go
@@ -1014,6 +1014,13 @@ func WithNetNS(portMappings []ocicni.PortMapping, postConfigureNetNS bool, netmo
 		ctr.config.NetMode = namespaces.NetworkMode(netmode)
 		ctr.config.CreateNetNS = true
 		ctr.config.PortMappings = portMappings
+
+		if rootless.IsRootless() {
+			if len(networks) > 0 {
+				return errors.New("cannot use CNI networks with rootless containers")
+			}
+		}
+
 		ctr.config.Networks = networks
 
 		return nil
@@ -1487,6 +1494,8 @@ func WithVolumeLabels(labels map[string]string) VolumeCreateOption {
 }
 
 // WithVolumeOptions sets the options of the volume.
+// If the "local" driver has been selected, options will be validated. There are
+// currently 3 valid options for the "local" driver - o, type, and device.
 func WithVolumeOptions(options map[string]string) VolumeCreateOption {
 	return func(volume *Volume) error {
 		if volume.valid {
@@ -1495,6 +1504,13 @@ func WithVolumeOptions(options map[string]string) VolumeCreateOption {
 
 		volume.config.Options = make(map[string]string)
 		for key, value := range options {
+			switch key {
+			case "type", "device", "o":
+				volume.config.Options[key] = value
+			default:
+				return errors.Wrapf(define.ErrInvalidArg, "unrecognized volume option %q is not supported with local driver", key)
+			}
+
 			volume.config.Options[key] = value
 		}
 
diff --git a/libpod/runtime.go b/libpod/runtime.go
index 8f145a809..a06b2bb51 100644
--- a/libpod/runtime.go
+++ b/libpod/runtime.go
@@ -1474,6 +1474,25 @@ func (r *Runtime) GetOCIRuntimePath() string {
 // TODO Once runc has support for cgroups, this function should be removed.
 func cgroupV2Check(configPath string, tmpConfig *RuntimeConfig) error {
 	if !tmpConfig.CgroupCheck && rootless.IsRootless() {
+		if tmpConfig.CgroupManager == SystemdCgroupsManager {
+			// If we are running rootless and the systemd manager is requested, be sure that dbus is accessible
+			session := os.Getenv("DBUS_SESSION_BUS_ADDRESS")
+			hasSession := session != ""
+			if hasSession && strings.HasPrefix(session, "unix:path=") {
+				_, err := os.Stat(strings.TrimPrefix(session, "unix:path="))
+				hasSession = err == nil
+			}
+
+			if !hasSession {
+				logrus.Warningf("The cgroups manager is set to systemd but there is no systemd user session available")
+				logrus.Warningf("For using systemd, you may need to login using an user session")
+				logrus.Warningf("Alternatively, you can enable lingering with: `loginctl enable-linger %d` (possibily as root)", rootless.GetRootlessUID())
+				logrus.Warningf("Falling back to --cgroup-manager=cgroupfs")
+
+				tmpConfig.CgroupManager = CgroupfsCgroupsManager
+			}
+
+		}
 		cgroupsV2, err := cgroups.IsCgroup2UnifiedMode()
 		if err != nil {
 			return err
@@ -1487,7 +1506,7 @@ func cgroupV2Check(configPath string, tmpConfig *RuntimeConfig) error {
 			}
 			tmpConfig.CgroupCheck = true
 			tmpConfig.OCIRuntime = path
-			file, err := os.OpenFile(configPath, os.O_RDWR|os.O_CREATE, 0666)
+			file, err := os.OpenFile(configPath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0666)
 			if err != nil {
 				return errors.Wrapf(err, "cannot open file %s", configPath)
 			}