Diffstat (limited to 'libpod')
-rw-r--r-- | libpod/container_config.go | 2 | ||||
-rw-r--r-- | libpod/container_internal.go | 47 | ||||
-rw-r--r-- | libpod/container_internal_linux.go | 10 | ||||
-rw-r--r-- | libpod/networking_linux.go | 1 | ||||
-rw-r--r-- | libpod/oci_conmon_linux.go | 1 | ||||
-rw-r--r-- | libpod/oci_util.go | 13 | ||||
-rw-r--r-- | libpod/options.go | 3 |
7 files changed, 71 insertions, 6 deletions
diff --git a/libpod/container_config.go b/libpod/container_config.go
index b80b23c25..a2c989a1a 100644
--- a/libpod/container_config.go
+++ b/libpod/container_config.go
@@ -107,6 +107,8 @@ type ContainerRootFSConfig struct {
 // as the container's root.
 // Conflicts with RootfsImageID.
 Rootfs string `json:"rootfs,omitempty"`
+ // RootfsOverlay tells if rootfs has to be mounted as an overlay
+ RootfsOverlay bool `json:"rootfs_overlay,omitempty"`
 // ShmDir is the path to be mounted on /dev/shm in container.
 // If not set manually at creation time, Libpod will create a tmpfs
 // with the size specified in ShmSize and populate this with the path of
diff --git a/libpod/container_internal.go b/libpod/container_internal.go
index 4d1a25541..1033729ae 100644
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@@ -15,6 +15,7 @@ import (
 metadata "github.com/checkpoint-restore/checkpointctl/lib"
 "github.com/containers/buildah/copier"
+ "github.com/containers/buildah/pkg/overlay"
 butil "github.com/containers/buildah/util"
 "github.com/containers/podman/v3/libpod/define"
 "github.com/containers/podman/v3/libpod/events"
@@ -293,6 +294,15 @@ func (c *Container) handleRestartPolicy(ctx context.Context) (_ bool, retErr err
 }
 }
+ // setup rootlesskit port forwarder again since it dies when conmon exits
+ // we use rootlesskit port forwarder only as rootless and when bridge network is used
+ if rootless.IsRootless() && c.config.NetMode.IsBridge() && len(c.config.PortMappings) > 0 {
+ err := c.runtime.setupRootlessPortMappingViaRLK(c, c.state.NetNS.Path())
+ if err != nil {
+ return false, err
+ }
+ }
+
 if c.state.State == define.ContainerStateStopped {
 // Reinitialize the container if we need to
 if err := c.reinit(ctx, true); err != nil {
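Review bot: `c.state.NetNS.Path()` in the new restart block of handleRestartPolicy is dereferenced without checking that `c.state.NetNS` is set; if the restart path can run after the network namespace was torn down during cleanup, this is a nil-pointer panic rather than an error. Guard it together with the existing predicate, e.g. `if rootless.IsRootless() && c.config.NetMode.IsBridge() && len(c.config.PortMappings) > 0 && c.state.NetNS != nil {`, or return an error when it is nil. The same rootless/bridge/port-mapping predicate is evaluated here and in setupRootlessNetNS (the comment this commit adds to networking_linux.go points at the duplication), so a small helper on Container would keep the two in step. handleRestartPolicy starts before and ends after this hunk, so I cannot see whether NetNS is guaranteed non-nil earlier in it.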
@@ -1541,6 +1551,32 @@ func (c *Container) mountStorage() (_ string, deferredErr error) {
 // We need to mount the container before volumes - to ensure the copyup
 // works properly.
 mountPoint := c.config.Rootfs
+ // Check if overlay has to be created on top of Rootfs
+ if c.config.RootfsOverlay {
+ overlayDest := c.runtime.store.GraphRoot()
+ contentDir, err := overlay.GenerateStructure(c.runtime.store.GraphRoot(), c.ID(), "rootfs", c.RootUID(), c.RootGID())
+ if err != nil {
+ return "", errors.Wrapf(err, "rootfs-overlay: failed to create TempDir in the %s directory", overlayDest)
+ }
+ overlayMount, err := overlay.Mount(contentDir, c.config.Rootfs, overlayDest, c.RootUID(), c.RootGID(), c.runtime.store.GraphOptions())
+ if err != nil {
+ return "", errors.Wrapf(err, "rootfs-overlay: creating overlay failed %q", c.config.Rootfs)
+ }
+
+ // Seems fuse-overlayfs is not present
+ // fallback to native overlay
+ if overlayMount.Type == "overlay" {
+ overlayMount.Options = append(overlayMount.Options, "nodev")
+ mountOpts := label.FormatMountLabel(strings.Join(overlayMount.Options, ","), c.MountLabel())
+ err = mount.Mount("overlay", overlayMount.Source, overlayMount.Type, mountOpts)
+ if err != nil {
+ return "", errors.Wrapf(err, "rootfs-overlay: creating overlay failed %q from native overlay", c.config.Rootfs)
+ }
+ }
+
+ mountPoint = overlayMount.Source
+ }
+
+
 if mountPoint == "" {
 mountPoint, err = c.mount()
 if err != nil {
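Review bot: The overlay mount created in the new `c.config.RootfsOverlay` block is not undone when a later step of mountStorage fails, and the directory produced by overlay.GenerateStructure is also left behind when the following overlay.Mount or the native mount.Mount call returns an error. mountStorage has a named `deferredErr` result, which suggests the rest of the function already rolls back partial work through deferred cleanup; the rootfs overlay should join that scheme so a failed start does not leave a stale mount under the graph root. One way is to register a deferred unmount right after the mount succeeds, using the same path cleanupStorage derives in this commit. As a minor point, `overlayDest` already holds `c.runtime.store.GraphRoot()`, so the GenerateStructure line can pass `overlayDest` instead of calling it again. mountStorage starts before and ends after this hunk.
```go
		mountPoint = overlayMount.Source
		// Undo the overlay if anything after this point fails, so a failed
		// start does not leave a stale mount under the graph root.
		defer func() {
			if deferredErr != nil {
				if err := overlay.Unmount(filepath.Join(c.runtime.store.GraphRoot(), "rootfs")); err != nil {
					logrus.Errorf("Failed to cleanup overlay mounts for %s: %v", c.ID(), err)
				}
			}
		}()
	}
	// … unchanged: if mountPoint == "" { … }
```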
@@ -1714,6 +1750,17 @@ func (c *Container) cleanupStorage() error {
 var cleanupErr error
+ // umount rootfs overlay if it was created
+ if c.config.RootfsOverlay {
+ overlayBasePath := c.runtime.store.GraphRoot()
+ overlayBasePath = filepath.Join(overlayBasePath, "rootfs")
+ if err := overlay.Unmount(overlayBasePath); err != nil {
+ // If the container can't remove content report the error
+ logrus.Errorf("Failed to cleanup overlay mounts for %s: %v", c.ID(), err)
+ cleanupErr = err
+ }
+ }
+
 for _, containerMount := range c.config.Mounts {
 if err := c.unmountSHM(containerMount); err != nil {
 if cleanupErr != nil {
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index eabe8efd2..ae029dc62 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -2489,11 +2489,6 @@ func (c *Container) getOCICgroupPath() (string, error) {
 switch {
 case c.config.NoCgroups:
 return "", nil
- case (rootless.IsRootless() && (cgroupManager == config.CgroupfsCgroupsManager || !unified)):
- if !isRootlessCgroupSet(c.config.CgroupParent) {
- return "", nil
- }
- return c.config.CgroupParent, nil
 case c.config.CgroupsMode == cgroupSplit:
 if c.config.CgroupParent != "" {
 return c.config.CgroupParent, nil
@@ -2510,6 +2505,11 @@ func (c *Container) getOCICgroupPath() (string, error) {
 systemdCgroups := fmt.Sprintf("%s:libpod:%s", path.Base(c.config.CgroupParent), c.ID())
 logrus.Debugf("Setting CGroups for container %s to %s", c.ID(), systemdCgroups)
 return systemdCgroups, nil
+ case (rootless.IsRootless() && (cgroupManager == config.CgroupfsCgroupsManager || !unified)):
+ if c.config.CgroupParent == "" || !isRootlessCgroupSet(c.config.CgroupParent) {
+ return "", nil
+ }
+ fallthrough
 case cgroupManager == config.CgroupfsCgroupsManager:
 cgroupPath := filepath.Join(c.config.CgroupParent, fmt.Sprintf("libpod-%s", c.ID()))
 logrus.Debugf("Setting CGroup path for container %s to %s", c.ID(), cgroupPath)
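Review bot: The unmount path in the new RootfsOverlay block of cleanupStorage is `filepath.Join(c.runtime.store.GraphRoot(), "rootfs")`, while mountStorage in this same commit asked overlay.GenerateStructure for a structure keyed by `c.ID()` and `"rootfs"`; if GenerateStructure places the mount under a per-container directory, this path will not match, overlay.Unmount will miss the real mount, and the overlay outlives the container without any error being reported. Deriving the base path once in a single helper used by both mountStorage and cleanupStorage, or recording the mounted path in the container state when it is created, would make the two agree by construction. cleanupStorage starts before and ends after this hunk.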
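Review bot: The relocated rootless case in getOCICgroupPath now depends on switch order (it is only reached after the cgroupSplit and systemd cases did not match) and on `fallthrough` into the cgroupfs case, and neither is explained, so a later reader may well move it back to the top. A comment above the `case (rootless.IsRootless() && ...)` line such as `// Rootless on cgroupfs or cgroup v1: only reached when the split/systemd cases above did not apply. Without an explicitly set cgroup parent the container runs without a cgroup; otherwise fall through to the cgroupfs path so the libpod-<id> child cgroup is used.` would record the intent. Note that this also changes behaviour: the removed case returned `c.config.CgroupParent` itself, the new one falls through and appends `libpod-<id>`, which deserves a line in the commit message. getOCICgroupPath starts before the first of these two hunks and ends after the second.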
diff --git a/libpod/networking_linux.go b/libpod/networking_linux.go
index 9aa6cab15..b0d4e0b2d 100644
--- a/libpod/networking_linux.go
+++ b/libpod/networking_linux.go
@@ -718,6 +718,7 @@ func (r *Runtime) setupRootlessNetNS(ctr *Container) error {
 // set up port forwarder for CNI-in-slirp4netns
 netnsPath := ctr.state.NetNS.Path()
 // TODO: support slirp4netns port forwarder as well
+ // make sure to fix this container.handleRestartPolicy() as well
 return r.setupRootlessPortMappingViaRLK(ctr, netnsPath)
 }
 return nil
diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go
index c00d83f95..831e89223 100644
--- a/libpod/oci_conmon_linux.go
+++ b/libpod/oci_conmon_linux.go
@@ -1140,6 +1140,7 @@ func (r *ConmonOCIRuntime) createOCIContainer(ctr *Container, restoreOptions *Co
 if err != nil {
 return err
 }
+ filesToClose = append(filesToClose, ports...)
 // Leak the port we bound in the conmon process. These fd's won't be used
 // by the container and conmon will keep the ports busy so that another
diff --git a/libpod/oci_util.go b/libpod/oci_util.go
index 1cafd5863..f2843b09b 100644
--- a/libpod/oci_util.go
+++ b/libpod/oci_util.go
@@ -68,6 +68,12 @@ func bindPorts(ports []ocicni.PortMapping) ([]*os.File, error) {
 return nil, errors.Wrapf(err, "cannot get file for UDP socket")
 }
 files = append(files, f)
+ // close the listener
+ // note that this does not affect the fd, see the godoc for server.File()
+ err = server.Close()
+ if err != nil {
+ logrus.Warnf("failed to close connection: %v", err)
+ }
 case "tcp":
 var (
@@ -96,6 +102,13 @@ func bindPorts(ports []ocicni.PortMapping) ([]*os.File, error) {
 return nil, errors.Wrapf(err, "cannot get file for TCP socket")
 }
 files = append(files, f)
+ // close the listener
+ // note that this does not affect the fd, see the godoc for server.File()
+ err = server.Close()
+ if err != nil {
+ logrus.Warnf("failed to close connection: %v", err)
+ }
+
 case "sctp":
 if !notifySCTP {
 notifySCTP = true
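Review bot: With `ports` now appended to `filesToClose` in createOCIContainer, the comment immediately below ("Leak the port we bound in the conmon process...") reads as if nothing closes these descriptors, which no longer matches what the podman side does; the two lines should be reconciled so the next reader does not "fix" one of them. Assuming filesToClose is closed in this process once conmon has been started (that code is outside the hunk), a comment like `// Hand the bound ports to conmon and close our copies via filesToClose afterwards; conmon keeps the ports busy so nothing else can bind them while the container runs.` would describe both halves. createOCIContainer starts before and ends after this hunk.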
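Review bot: The new `server.Close()` calls in bindPorts run only on the success path; when `server.File()` fails (the `cannot get file for UDP socket` / `cannot get file for TCP socket` returns just above each added block) the listener is still left open, and the files already collected in `files` are dropped without being closed. Closing before the error return fixes the first for both hunks, e.g. `if err != nil { server.Close(); return nil, errors.Wrapf(err, "cannot get file for UDP socket") }`; the second is pre-existing and could be handled by closing everything in `files` on any error return. The warning text `failed to close connection` is misleading for a socket that never accepted a connection; `failed to close listener` describes what is happening. bindPorts starts before the first hunk and ends after the second.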
diff --git a/libpod/options.go b/libpod/options.go
index 4cbd2b5e2..7b0c6641a 100644
--- a/libpod/options.go
+++ b/libpod/options.go
@@ -1337,7 +1337,7 @@ func WithCommand(command []string) CtrCreateOption {
 // WithRootFS sets the rootfs for the container.
 // This creates a container from a directory on disk and not an image.
-func WithRootFS(rootfs string) CtrCreateOption {
+func WithRootFS(rootfs string, overlay bool) CtrCreateOption {
 return func(ctr *Container) error {
 if ctr.valid {
 return define.ErrCtrFinalized
@@ -1346,6 +1346,7 @@ func WithRootFS(rootfs string) CtrCreateOption {
 return err
 }
 ctr.config.Rootfs = rootfs
+ ctr.config.RootfsOverlay = overlay
 return nil
 }
 }
|
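Review bot: WithRootFS gains an `overlay` parameter but its doc comment still describes only the plain directory case, so the exported option now has an undocumented argument; extend the comment with `// If overlay is true the directory is mounted as an overlay, so the container's writes go to a temporary upper layer instead of the directory itself.` — the mountStorage change in this commit mounts an overlay with the rootfs as source, so that wording follows from the diff, but confirm it against overlay.Mount's semantics. Changing the signature of an exported option also breaks every existing caller of WithRootFS; if out-of-tree callers matter, a separate option that only sets `RootfsOverlay` would keep the old signature intact. The returned closure continues between the two hunks.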