9 files changed, 165 insertions, 120 deletions
diff --git a/pkg/specgen/generate/kube/kube.go b/pkg/specgen/generate/kube/kube.go
index fb7eb99a2..04b4e5ab3 100644
--- a/pkg/specgen/generate/kube/kube.go
+++ b/pkg/specgen/generate/kube/kube.go
@@ -12,6 +12,7 @@ import (
 	"github.com/containers/common/pkg/parse"
 	"github.com/containers/common/pkg/secrets"
 	"github.com/containers/image/v5/manifest"
+	"github.com/containers/podman/v3/libpod/network/types"
 	ann "github.com/containers/podman/v3/pkg/annotations"
 	"github.com/containers/podman/v3/pkg/specgen"
 	"github.com/containers/podman/v3/pkg/specgen/generate"
@@ -303,6 +304,8 @@ func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGener
 	if opts.NetNSIsHost {
 		s.NetNS.NSMode = specgen.Host
 	}
+	// Always set the userns to host since k8s doesn't have support for userns yet
+	s.UserNS.NSMode = specgen.Host
 
 	// Add labels that come from kube
 	if len(s.Labels) == 0 {
@@ -586,8 +589,8 @@ func envVarValue(env v1.EnvVar, opts *CtrSpecGenOptions) (string, error) {
 
 // getPodPorts converts a slice of kube container descriptions to an
 // array of portmapping
-func getPodPorts(containers []v1.Container) []specgen.PortMapping {
-	var infraPorts []specgen.PortMapping
+func getPodPorts(containers []v1.Container) []types.PortMapping {
+	var infraPorts []types.PortMapping
 	for _, container := range containers {
 		for _, p := range container.Ports {
 			if p.HostPort != 0 && p.ContainerPort == 0 {
@@ -596,7 +599,7 @@ func getPodPorts(containers []v1.Container) []specgen.PortMapping {
 			if p.Protocol == "" {
 				p.Protocol = "tcp"
 			}
-			portBinding := specgen.PortMapping{
+			portBinding := types.PortMapping{
 				HostPort:      uint16(p.HostPort),
 				ContainerPort: uint16(p.ContainerPort),
 				Protocol:      strings.ToLower(string(p.Protocol)),
diff --git a/pkg/specgen/generate/namespaces.go b/pkg/specgen/generate/namespaces.go
index f41186ae4..80790dcc1 100644
--- a/pkg/specgen/generate/namespaces.go
+++ b/pkg/specgen/generate/namespaces.go
@@ -175,6 +175,11 @@ func namespaceOptions(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.
 		if pod == nil || infraCtr == nil {
 			return nil, errNoInfra
 		}
+		// Inherit the user from the infra container if it is set and --user has not
+		// been set explicitly
+		if infraCtr.User() != "" && s.User == "" {
+			toReturn = append(toReturn, libpod.WithUser(infraCtr.User()))
+		}
 		toReturn = append(toReturn, libpod.WithUserNSFrom(infraCtr))
 	case specgen.FromContainer:
 		userCtr, err := rt.LookupContainer(s.UserNS.Value)
@@ -184,7 +189,10 @@ func namespaceOptions(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.
 		toReturn = append(toReturn, libpod.WithUserNSFrom(userCtr))
 	}
 
-	if s.IDMappings != nil {
+	// This wipes the UserNS settings that get set from the infra container
+	// when we are inheritting from the pod. So only apply this if the container
+	// is not being created in a pod.
+	if s.IDMappings != nil && pod == nil {
 		toReturn = append(toReturn, libpod.WithIDMappings(*s.IDMappings))
 	}
 	if s.User != "" {
@@ -234,7 +242,7 @@ func namespaceOptions(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.
 		}
 		toReturn = append(toReturn, libpod.WithNetNSFrom(netCtr))
 	case specgen.Slirp:
-		portMappings, err := createPortMappings(ctx, s, imageData)
+		portMappings, expose, err := createPortMappings(ctx, s, imageData)
 		if err != nil {
 			return nil, err
 		}
@@ -242,15 +250,15 @@ func namespaceOptions(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.
 		if s.NetNS.Value != "" {
 			val = fmt.Sprintf("slirp4netns:%s", s.NetNS.Value)
 		}
-		toReturn = append(toReturn, libpod.WithNetNS(portMappings, postConfigureNetNS, val, nil))
+		toReturn = append(toReturn, libpod.WithNetNS(portMappings, expose, postConfigureNetNS, val, nil))
 	case specgen.Private:
 		fallthrough
 	case specgen.Bridge:
-		portMappings, err := createPortMappings(ctx, s, imageData)
+		portMappings, expose, err := createPortMappings(ctx, s, imageData)
 		if err != nil {
 			return nil, err
 		}
-		toReturn = append(toReturn, libpod.WithNetNS(portMappings, postConfigureNetNS, "bridge", s.CNINetworks))
+		toReturn = append(toReturn, libpod.WithNetNS(portMappings, expose, postConfigureNetNS, "bridge", s.CNINetworks))
 	}
 
 	if s.UseImageHosts {
@@ -379,46 +387,8 @@ func specConfigureNamespaces(s *specgen.SpecGenerator, g *generate.Generator, rt
 	}
 
 	// User
-	switch s.UserNS.NSMode {
-	case specgen.Path:
-		if _, err := os.Stat(s.UserNS.Value); err != nil {
-			return errors.Wrap(err, "cannot find specified user namespace path")
-		}
-		if err := g.AddOrReplaceLinuxNamespace(string(spec.UserNamespace), s.UserNS.Value); err != nil {
-			return err
-		}
-		// runc complains if no mapping is specified, even if we join another ns.  So provide a dummy mapping
-		g.AddLinuxUIDMapping(uint32(0), uint32(0), uint32(1))
-		g.AddLinuxGIDMapping(uint32(0), uint32(0), uint32(1))
-	case specgen.Host:
-		if err := g.RemoveLinuxNamespace(string(spec.UserNamespace)); err != nil {
-			return err
-		}
-	case specgen.KeepID:
-		var (
-			err      error
-			uid, gid int
-		)
-		s.IDMappings, uid, gid, err = util.GetKeepIDMapping()
-		if err != nil {
-			return err
-		}
-		g.SetProcessUID(uint32(uid))
-		g.SetProcessGID(uint32(gid))
-		fallthrough
-	case specgen.Private:
-		if err := g.AddOrReplaceLinuxNamespace(string(spec.UserNamespace), ""); err != nil {
-			return err
-		}
-		if s.IDMappings == nil || (len(s.IDMappings.UIDMap) == 0 && len(s.IDMappings.GIDMap) == 0) {
-			return errors.Errorf("must provide at least one UID or GID mapping to configure a user namespace")
-		}
-		for _, uidmap := range s.IDMappings.UIDMap {
-			g.AddLinuxUIDMapping(uint32(uidmap.HostID), uint32(uidmap.ContainerID), uint32(uidmap.Size))
-		}
-		for _, gidmap := range s.IDMappings.GIDMap {
-			g.AddLinuxGIDMapping(uint32(gidmap.HostID), uint32(gidmap.ContainerID), uint32(gidmap.Size))
-		}
+	if _, err := specgen.SetupUserNS(s.IDMappings, s.UserNS, g); err != nil {
+		return err
 	}
 
 	// Cgroup
@@ -474,7 +444,7 @@ func specConfigureNamespaces(s *specgen.SpecGenerator, g *generate.Generator, rt
 // GetNamespaceOptions transforms a slice of kernel namespaces
 // into a slice of pod create options. Currently, not all
 // kernel namespaces are supported, and they will be returned in an error
-func GetNamespaceOptions(ns []string) ([]libpod.PodCreateOption, error) {
+func GetNamespaceOptions(ns []string, netnsIsHost bool) ([]libpod.PodCreateOption, error) {
 	var options []libpod.PodCreateOption
 	var erroredOptions []libpod.PodCreateOption
 	if ns == nil {
@@ -486,7 +456,10 @@ func GetNamespaceOptions(ns []string) ([]libpod.PodCreateOption, error) {
 		case "cgroup":
 			options = append(options, libpod.WithPodCgroups())
 		case "net":
-			options = append(options, libpod.WithPodNet())
+			// share the netns setting with other containers in the pod only when it is not set to host
+			if !netnsIsHost {
+				options = append(options, libpod.WithPodNet())
+			}
 		case "mnt":
 			return erroredOptions, errors.Errorf("Mount sharing functionality not supported on pod level")
 		case "pid":
diff --git a/pkg/specgen/generate/pod_create.go b/pkg/specgen/generate/pod_create.go
index aab29499e..426cf1b6d 100644
--- a/pkg/specgen/generate/pod_create.go
+++ b/pkg/specgen/generate/pod_create.go
@@ -27,11 +27,16 @@ func createPodOptions(p *specgen.PodSpecGenerator, rt *libpod.Runtime) ([]libpod
 	)
 	if !p.NoInfra {
 		options = append(options, libpod.WithInfraContainer())
-		nsOptions, err := GetNamespaceOptions(p.SharedNamespaces)
+		nsOptions, err := GetNamespaceOptions(p.SharedNamespaces, p.NetNS.IsHost())
 		if err != nil {
 			return nil, err
 		}
 		options = append(options, nsOptions...)
+		// Use pod user and infra userns only when --userns is not set to host
+		if !p.Userns.IsHost() {
+			options = append(options, libpod.WithPodUser())
+			options = append(options, libpod.WithPodUserns(p.Userns))
+		}
 
 		// Make our exit command
 		storageConfig := rt.StorageConfig()
@@ -154,5 +159,6 @@ func createPodOptions(p *specgen.PodSpecGenerator, rt *libpod.Runtime) ([]libpod
 	if len(p.InfraConmonPidFile) > 0 {
 		options = append(options, libpod.WithInfraConmonPidFile(p.InfraConmonPidFile))
 	}
+
 	return options, nil
 }
diff --git a/pkg/specgen/generate/ports.go b/pkg/specgen/generate/ports.go
index c00ad19fb..a300f8014 100644
--- a/pkg/specgen/generate/ports.go
+++ b/pkg/specgen/generate/ports.go
@@ -7,6 +7,7 @@ import (
 	"strings"
 
 	"github.com/containers/common/libimage"
+	"github.com/containers/podman/v3/libpod/network/types"
 	"github.com/containers/podman/v3/utils"
 
 	"github.com/containers/podman/v3/pkg/specgen"
@@ -24,7 +25,7 @@ const (
 // Parse port maps to OCICNI port mappings.
 // Returns a set of OCICNI port mappings, and maps of utilized container and
 // host ports.
-func ParsePortMapping(portMappings []specgen.PortMapping) ([]ocicni.PortMapping, map[string]map[string]map[uint16]uint16, map[string]map[string]map[uint16]uint16, error) {
+func ParsePortMapping(portMappings []types.PortMapping) ([]ocicni.PortMapping, map[string]map[string]map[uint16]uint16, map[string]map[string]map[uint16]uint16, error) {
 	// First, we need to validate the ports passed in the specgen, and then
 	// convert them into CNI port mappings.
 	type tempMapping struct {
@@ -253,17 +254,15 @@ func ParsePortMapping(portMappings []specgen.PortMapping) ([]ocicni.PortMapping,
 }
 
 // Make final port mappings for the container
-func createPortMappings(ctx context.Context, s *specgen.SpecGenerator, imageData *libimage.ImageData) ([]ocicni.PortMapping, error) {
+func createPortMappings(ctx context.Context, s *specgen.SpecGenerator, imageData *libimage.ImageData) ([]ocicni.PortMapping, map[uint16][]string, error) {
 	finalMappings, containerPortValidate, hostPortValidate, err := ParsePortMapping(s.PortMappings)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 
-	// If not publishing exposed ports, or if we are publishing and there is
-	// nothing to publish - then just return the port mappings we've made so
-	// far.
-	if !s.PublishExposedPorts || (len(s.Expose) == 0 && imageData == nil) {
-		return finalMappings, nil
+	// No exposed ports so return the port mappings we've made so far.
+	if len(s.Expose) == 0 && imageData == nil {
+		return finalMappings, nil, nil
 	}
 
 	logrus.Debugf("Adding exposed ports")
@@ -272,7 +271,7 @@ func createPortMappings(ctx context.Context, s *specgen.SpecGenerator, imageData
 	if imageData != nil {
 		expose, err = GenExposedPorts(imageData.Config.ExposedPorts)
 		if err != nil {
-			return nil, err
+			return nil, nil, err
 		}
 	}
 
@@ -288,11 +287,11 @@ func createPortMappings(ctx context.Context, s *specgen.SpecGenerator, imageData
 		// Validate protocol first
 		protocols, err := checkProtocol(proto, false)
 		if err != nil {
-			return nil, errors.Wrapf(err, "error validating protocols for exposed port %d", port)
+			return nil, nil, errors.Wrapf(err, "error validating protocols for exposed port %d", port)
 		}
 
 		if port == 0 {
-			return nil, errors.Errorf("cannot expose 0 as it is not a valid port number")
+			return nil, nil, errors.Errorf("cannot expose 0 as it is not a valid port number")
 		}
 
 		// Check to see if the port is already present in existing
@@ -316,6 +315,11 @@ func createPortMappings(ctx context.Context, s *specgen.SpecGenerator, imageData
 		}
 	}
 
+	// If not publishing exposed ports return mappings and exposed ports.
+	if !s.PublishExposedPorts {
+		return finalMappings, toExpose, nil
+	}
+
 	// We now have a final list of ports that we want exposed.
 	// Let's find empty, unallocated host ports for them.
 	for port, protocols := range toExpose {
@@ -331,7 +335,7 @@ func createPortMappings(ctx context.Context, s *specgen.SpecGenerator, imageData
 				// unfortunate for the UDP case.
 				candidate, err := utils.GetRandomPort()
 				if err != nil {
-					return nil, err
+					return nil, nil, err
 				}
 
 				// Check if the host port is already bound
@@ -362,12 +366,12 @@ func createPortMappings(ctx context.Context, s *specgen.SpecGenerator, imageData
 			}
 			if tries == 0 && hostPort == 0 {
 				// We failed to find an open port.
-				return nil, errors.Errorf("failed to find an open port to expose container port %d on the host", port)
+				return nil, nil, errors.Errorf("failed to find an open port to expose container port %d on the host", port)
 			}
 		}
 	}
 
-	return finalMappings, nil
+	return finalMappings, nil, nil
 }
 
 // Check a string to ensure it is a comma-separated set of valid protocols
diff --git a/pkg/specgen/generate/storage.go b/pkg/specgen/generate/storage.go
index 13f336594..de655ad7d 100644
--- a/pkg/specgen/generate/storage.go
+++ b/pkg/specgen/generate/storage.go
@@ -10,6 +10,7 @@ import (
 
 	"github.com/containers/common/libimage"
 	"github.com/containers/common/pkg/config"
+	"github.com/containers/common/pkg/parse"
 	"github.com/containers/podman/v3/libpod"
 	"github.com/containers/podman/v3/libpod/define"
 	"github.com/containers/podman/v3/pkg/specgen"
@@ -59,6 +60,9 @@ func finalizeMounts(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Ru
 	for _, m := range s.Mounts {
 		// Ensure that mount dest is clean, so that it can be
 		// compared against named volumes and avoid duplicate mounts.
+		if err = parse.ValidateVolumeCtrDir(m.Destination); err != nil {
+			return nil, nil, nil, err
+		}
 		cleanDestination := filepath.Clean(m.Destination)
 		if _, ok := unifiedMounts[cleanDestination]; ok {
 			return nil, nil, nil, errors.Wrapf(errDuplicateDest, "conflict in specified mounts - multiple mounts at %q", cleanDestination)
@@ -67,34 +71,54 @@ func finalizeMounts(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Ru
 	}
 
 	for _, m := range commonMounts {
-		if _, ok := unifiedMounts[m.Destination]; !ok {
-			unifiedMounts[m.Destination] = m
+		if err = parse.ValidateVolumeCtrDir(m.Destination); err != nil {
+			return nil, nil, nil, err
+		}
+		cleanDestination := filepath.Clean(m.Destination)
+		if _, ok := unifiedMounts[cleanDestination]; !ok {
+			unifiedMounts[cleanDestination] = m
 		}
 	}
 
 	for _, v := range s.Volumes {
-		if _, ok := unifiedVolumes[v.Dest]; ok {
-			return nil, nil, nil, errors.Wrapf(errDuplicateDest, "conflict in specified volumes - multiple volumes at %q", v.Dest)
+		if err = parse.ValidateVolumeCtrDir(v.Dest); err != nil {
+			return nil, nil, nil, err
 		}
-		unifiedVolumes[v.Dest] = v
+		cleanDestination := filepath.Clean(v.Dest)
+		if _, ok := unifiedVolumes[cleanDestination]; ok {
+			return nil, nil, nil, errors.Wrapf(errDuplicateDest, "conflict in specified volumes - multiple volumes at %q", cleanDestination)
+		}
+		unifiedVolumes[cleanDestination] = v
 	}
 
 	for _, v := range commonVolumes {
-		if _, ok := unifiedVolumes[v.Dest]; !ok {
-			unifiedVolumes[v.Dest] = v
+		if err = parse.ValidateVolumeCtrDir(v.Dest); err != nil {
+			return nil, nil, nil, err
+		}
+		cleanDestination := filepath.Clean(v.Dest)
+		if _, ok := unifiedVolumes[cleanDestination]; !ok {
+			unifiedVolumes[cleanDestination] = v
 		}
 	}
 
 	for _, v := range s.OverlayVolumes {
-		if _, ok := unifiedOverlays[v.Destination]; ok {
-			return nil, nil, nil, errors.Wrapf(errDuplicateDest, "conflict in specified volumes - multiple volumes at %q", v.Destination)
+		if err = parse.ValidateVolumeCtrDir(v.Destination); err != nil {
+			return nil, nil, nil, err
 		}
-		unifiedOverlays[v.Destination] = v
+		cleanDestination := filepath.Clean(v.Destination)
+		if _, ok := unifiedOverlays[cleanDestination]; ok {
+			return nil, nil, nil, errors.Wrapf(errDuplicateDest, "conflict in specified volumes - multiple volumes at %q", cleanDestination)
+		}
+		unifiedOverlays[cleanDestination] = v
 	}
 
 	for _, v := range commonOverlayVolumes {
-		if _, ok := unifiedOverlays[v.Destination]; ok {
-			unifiedOverlays[v.Destination] = v
+		if err = parse.ValidateVolumeCtrDir(v.Destination); err != nil {
+			return nil, nil, nil, err
+		}
+		cleanDestination := filepath.Clean(v.Destination)
+		if _, ok := unifiedOverlays[cleanDestination]; !ok {
+			unifiedOverlays[cleanDestination] = v
 		}
 	}
 
@@ -190,6 +214,9 @@ func getImageVolumes(ctx context.Context, img *libimage.Image, s *specgen.SpecGe
 	}
 	for volume := range inspect.Config.Volumes {
 		logrus.Debugf("Image has volume at %q", volume)
+		if err = parse.ValidateVolumeCtrDir(volume); err != nil {
+			return nil, nil, err
+		}
 		cleanDest := filepath.Clean(volume)
 		switch mode {
 		case "", "anonymous":
@@ -304,9 +331,13 @@ func getVolumesFrom(volumesFrom []string, runtime *libpod.Runtime) (map[string]s
 			if _, ok := finalMounts[namedVol.Dest]; ok {
 				logrus.Debugf("Overriding named volume mount to %s with new named volume from container %s", namedVol.Dest, ctr.ID())
 			}
+			if err = parse.ValidateVolumeCtrDir(namedVol.Dest); err != nil {
+				return nil, nil, err
+			}
 
+			cleanDest := filepath.Clean(namedVol.Dest)
 			newVol := new(specgen.NamedVolume)
-			newVol.Dest = namedVol.Dest
+			newVol.Dest = cleanDest
 			newVol.Options = namedVol.Options
 			newVol.Name = namedVol.Name
 
diff --git a/pkg/specgen/namespaces.go b/pkg/specgen/namespaces.go
index 76fa66bc7..2f4c48811 100644
--- a/pkg/specgen/namespaces.go
+++ b/pkg/specgen/namespaces.go
@@ -1,10 +1,16 @@
 package specgen
 
 import (
+	"fmt"
+	"os"
 	"strings"
 
 	"github.com/containers/podman/v3/pkg/cgroups"
 	"github.com/containers/podman/v3/pkg/rootless"
+	"github.com/containers/podman/v3/pkg/util"
+	"github.com/containers/storage"
+	spec "github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/opencontainers/runtime-tools/generate"
 	"github.com/pkg/errors"
 )
 
@@ -103,6 +109,13 @@ func (n *Namespace) IsKeepID() bool {
 	return n.NSMode == KeepID
 }
 
+func (n *Namespace) String() string {
+	if n.Value != "" {
+		return fmt.Sprintf("%s:%s", n.NSMode, n.Value)
+	}
+	return string(n.NSMode)
+}
+
 func validateUserNS(n *Namespace) error {
 	if n == nil {
 		return nil
@@ -323,3 +336,48 @@ func ParseNetworkString(network string) (Namespace, []string, map[string][]strin
 	}
 	return ns, cniNets, networkOptions, nil
 }
+
+func SetupUserNS(idmappings *storage.IDMappingOptions, userns Namespace, g *generate.Generator) (string, error) {
+	// User
+	var user string
+	switch userns.NSMode {
+	case Path:
+		if _, err := os.Stat(userns.Value); err != nil {
+			return user, errors.Wrap(err, "cannot find specified user namespace path")
+		}
+		if err := g.AddOrReplaceLinuxNamespace(string(spec.UserNamespace), userns.Value); err != nil {
+			return user, err
+		}
+		// runc complains if no mapping is specified, even if we join another ns.  So provide a dummy mapping
+		g.AddLinuxUIDMapping(uint32(0), uint32(0), uint32(1))
+		g.AddLinuxGIDMapping(uint32(0), uint32(0), uint32(1))
+	case Host:
+		if err := g.RemoveLinuxNamespace(string(spec.UserNamespace)); err != nil {
+			return user, err
+		}
+	case KeepID:
+		mappings, uid, gid, err := util.GetKeepIDMapping()
+		if err != nil {
+			return user, err
+		}
+		idmappings = mappings
+		g.SetProcessUID(uint32(uid))
+		g.SetProcessGID(uint32(gid))
+		user = fmt.Sprintf("%d:%d", uid, gid)
+		fallthrough
+	case Private:
+		if err := g.AddOrReplaceLinuxNamespace(string(spec.UserNamespace), ""); err != nil {
+			return user, err
+		}
+		if idmappings == nil || (len(idmappings.UIDMap) == 0 && len(idmappings.GIDMap) == 0) {
+			return user, errors.Errorf("must provide at least one UID or GID mapping to configure a user namespace")
+		}
+		for _, uidmap := range idmappings.UIDMap {
+			g.AddLinuxUIDMapping(uint32(uidmap.HostID), uint32(uidmap.ContainerID), uint32(uidmap.Size))
+		}
+		for _, gidmap := range idmappings.GIDMap {
+			g.AddLinuxGIDMapping(uint32(gidmap.HostID), uint32(gidmap.ContainerID), uint32(gidmap.Size))
+		}
+	}
+	return user, nil
+}
diff --git a/pkg/specgen/podspecgen.go b/pkg/specgen/podspecgen.go
index 02237afe9..386571d11 100644
--- a/pkg/specgen/podspecgen.go
+++ b/pkg/specgen/podspecgen.go
@@ -3,6 +3,7 @@ package specgen
 import (
 	"net"
 
+	"github.com/containers/podman/v3/libpod/network/types"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
 )
 
@@ -67,6 +68,10 @@ type PodBasicConfig struct {
 	// Optional (defaults to private if unset). This sets the PID namespace of the infra container
 	// This configuration will then be shared with the entire pod if PID namespace sharing is enabled via --share
 	Pid Namespace `json:"pid,omitempty:"`
+	// Userns is used to indicate which kind of Usernamespace to enter.
+	// Any containers created within the pod will inherit the pod's userns settings.
+	// Optional
+	Userns Namespace `json:"userns,omitempty"`
 }
 
 // PodNetworkConfig contains networking configuration for a pod.
@@ -98,7 +103,7 @@ type PodNetworkConfig struct {
 	// container, this will forward the ports to the entire pod.
 	// Only available if NetNS is set to Bridge or Slirp.
 	// Optional.
-	PortMappings []PortMapping `json:"portmappings,omitempty"`
+	PortMappings []types.PortMapping `json:"portmappings,omitempty"`
 	// CNINetworks is a list of CNI networks that the infra container will
 	// join. As, by default, containers share their network with the infra
 	// container, these networks will effectively be joined by the
diff --git a/pkg/specgen/specgen.go b/pkg/specgen/specgen.go
index fc647227e..0c30c498a 100644
--- a/pkg/specgen/specgen.go
+++ b/pkg/specgen/specgen.go
@@ -5,6 +5,7 @@ import (
 	"syscall"
 
 	"github.com/containers/image/v5/manifest"
+	nettypes "github.com/containers/podman/v3/libpod/network/types"
 	"github.com/containers/storage/types"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/pkg/errors"
@@ -184,7 +185,7 @@ type ContainerBasicConfig struct {
 	// Optional.
 	EnvSecrets map[string]string `json:"secret_env,omitempty"`
 	// InitContainerType describes if this container is an init container
-	// and if so, what type: always or oneshot
+	// and if so, what type: always or once
 	InitContainerType string `json:"init_container_type"`
 	// Personality allows users to configure different execution domains.
 	// Execution domains tell Linux how to map signal numbers into signal actions.
@@ -393,7 +394,7 @@ type ContainerNetworkConfig struct {
 	// PortBindings is a set of ports to map into the container.
 	// Only available if NetNS is set to bridge or slirp.
 	// Optional.
-	PortMappings []PortMapping `json:"portmappings,omitempty"`
+	PortMappings []nettypes.PortMapping `json:"portmappings,omitempty"`
 	// PublishExposedPorts will publish ports specified in the image to
 	// random unused ports (guaranteed to be above 1024) on the host.
 	// This is based on ports set in Expose below, and any ports specified
@@ -506,36 +507,6 @@ type SpecGenerator struct {
 	ContainerHealthCheckConfig
 }
 
-// PortMapping is one or more ports that will be mapped into the container.
-type PortMapping struct {
-	// HostIP is the IP that we will bind to on the host.
-	// If unset, assumed to be 0.0.0.0 (all interfaces).
-	HostIP string `json:"host_ip,omitempty"`
-	// ContainerPort is the port number that will be exposed from the
-	// container.
-	// Mandatory.
-	ContainerPort uint16 `json:"container_port"`
-	// HostPort is the port number that will be forwarded from the host into
-	// the container.
-	// If omitted, a random port on the host (guaranteed to be over 1024)
-	// will be assigned.
-	HostPort uint16 `json:"host_port,omitempty"`
-	// Range is the number of ports that will be forwarded, starting at
-	// HostPort and ContainerPort and counting up.
-	// This is 1-indexed, so 1 is assumed to be a single port (only the
-	// Hostport:Containerport mapping will be added), 2 is two ports (both
-	// Hostport:Containerport and Hostport+1:Containerport+1), etc.
-	// If unset, assumed to be 1 (a single port).
-	// Both hostport + range and containerport + range must be less than
-	// 65536.
-	Range uint16 `json:"range,omitempty"`
-	// Protocol is the protocol forward.
-	// Must be either "tcp", "udp", and "sctp", or some combination of these
-	// separated by commas.
-	// If unset, assumed to be TCP.
-	Protocol string `json:"protocol,omitempty"`
-}
-
 type Secret struct {
 	Source string
 	UID    uint32
diff --git a/pkg/specgen/volumes.go b/pkg/specgen/volumes.go
index d85d2bdd1..eca8c0c35 100644
--- a/pkg/specgen/volumes.go
+++ b/pkg/specgen/volumes.go
@@ -1,7 +1,6 @@
 package specgen
 
 import (
-	"path/filepath"
 	"strings"
 
 	"github.com/containers/common/pkg/parse"
@@ -93,11 +92,6 @@ func GenVolumeMounts(volumeFlag []string) (map[string]spec.Mount, map[string]*Na
 				return nil, nil, nil, errors.New("host directory cannot be empty")
 			}
 		}
-		if err := parse.ValidateVolumeCtrDir(dest); err != nil {
-			return nil, nil, nil, err
-		}
-
-		cleanDest := filepath.Clean(dest)
 
 		if strings.HasPrefix(src, "/") || strings.HasPrefix(src, ".") {
 			// This is not a named volume
@@ -120,7 +114,7 @@ func GenVolumeMounts(volumeFlag []string) (map[string]spec.Mount, map[string]*Na
 			if overlayFlag {
 				// This is a overlay volume
 				newOverlayVol := new(OverlayVolume)
-				newOverlayVol.Destination = cleanDest
+				newOverlayVol.Destination = dest
 				newOverlayVol.Source = src
 				newOverlayVol.Options = options
 
@@ -130,7 +124,7 @@ func GenVolumeMounts(volumeFlag []string) (map[string]spec.Mount, map[string]*Na
 				overlayVolumes[newOverlayVol.Destination] = newOverlayVol
 			} else {
 				newMount := spec.Mount{
-					Destination: cleanDest,
+					Destination: dest,
 					Type:        "bind",
 					Source:      src,
 					Options:     options,
@@ -144,7 +138,7 @@ func GenVolumeMounts(volumeFlag []string) (map[string]spec.Mount, map[string]*Na
 			// This is a named volume
 			newNamedVol := new(NamedVolume)
 			newNamedVol.Name = src
-			newNamedVol.Dest = cleanDest
+			newNamedVol.Dest = dest
 			newNamedVol.Options = options
 
 			if _, ok := volumes[newNamedVol.Dest]; ok {