2 files changed, 27 insertions, 27 deletions

diff --git a/pkg/specgenutil/createparse.go b/pkg/specgenutil/createparse.go
index fb5f9c351..132f93771 100644
--- a/pkg/specgenutil/createparse.go
+++ b/pkg/specgenutil/createparse.go
@@ -18,20 +18,5 @@ func validate(c *entities.ContainerCreateOptions) error {
 		return err
 	}
 
-	var imageVolType = map[string]string{
-		"bind":   "",
-		"tmpfs":  "",
-		"ignore": "",
-	}
-	if _, ok := imageVolType[c.ImageVolume]; !ok {
-		switch {
-		case c.IsInfra:
-			c.ImageVolume = "bind"
-		case c.IsClone: // the image volume type will be deduced later from the container we are cloning
-			return nil
-		default:
-			return errors.Errorf("invalid image-volume type %q. Pick one of bind, tmpfs, or ignore", c.ImageVolume)
-		}
-	}
-	return nil
+	return config.ValidateImageVolumeMode(c.ImageVolume)
 }
diff --git a/pkg/specgenutil/specgen.go b/pkg/specgenutil/specgen.go
index 9cb2f200b..6d70af106 100644
--- a/pkg/specgenutil/specgen.go
+++ b/pkg/specgenutil/specgen.go
@@ -229,9 +229,11 @@ func setNamespaces(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions)
 }
 
 func FillOutSpecGen(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions, args []string) error {
-	var (
-		err error
-	)
+	rtc, err := config.Default()
+	if err != nil {
+		return err
+	}
+
 	// validate flags as needed
 	if err := validate(c); err != nil {
 		return err
@@ -479,8 +481,13 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions
 	if len(s.HostUsers) == 0 || len(c.HostUsers) != 0 {
 		s.HostUsers = c.HostUsers
 	}
-	if len(s.ImageVolumeMode) == 0 || len(c.ImageVolume) != 0 {
-		s.ImageVolumeMode = c.ImageVolume
+	if len(c.ImageVolume) != 0 {
+		if len(s.ImageVolumeMode) == 0 {
+			s.ImageVolumeMode = c.ImageVolume
+		}
+	}
+	if len(s.ImageVolumeMode) == 0 {
+		s.ImageVolumeMode = rtc.Engine.ImageVolumeMode
 	}
 	if s.ImageVolumeMode == "bind" {
 		s.ImageVolumeMode = "anonymous"
@@ -550,11 +557,6 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions
 		s.CgroupsMode = c.CgroupsMode
 	}
 	if s.CgroupsMode == "" {
-		rtc, err := config.Default()
-		if err != nil {
-			return err
-		}
-
 		s.CgroupsMode = rtc.Cgroups()
 	}
 
@@ -622,7 +624,14 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions
 		if opt == "no-new-privileges" {
 			s.ContainerSecurityConfig.NoNewPrivileges = true
 		} else {
-			con := strings.SplitN(opt, "=", 2)
+			// Docker deprecated the ":" syntax but still supports it,
+			// so we need to as well
+			var con []string
+			if strings.Contains(opt, "=") {
+				con = strings.SplitN(opt, "=", 2)
+			} else {
+				con = strings.SplitN(opt, ":", 2)
+			}
 			if len(con) != 2 {
 				return fmt.Errorf("invalid --security-opt 1: %q", opt)
 			}
@@ -650,6 +659,12 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions
 				}
 			case "unmask":
 				s.ContainerSecurityConfig.Unmask = append(s.ContainerSecurityConfig.Unmask, con[1:]...)
+			case "no-new-privileges":
+				noNewPrivileges, err := strconv.ParseBool(con[1])
+				if err != nil {
+					return fmt.Errorf("invalid --security-opt 2: %q", opt)
+				}
+				s.ContainerSecurityConfig.NoNewPrivileges = noNewPrivileges
 			default:
 				return fmt.Errorf("invalid --security-opt 2: %q", opt)
 			}