Diffstat (limited to 'pkg')
-rw-r--r--pkg/adapter/runtime.go8
-rw-r--r--pkg/adapter/runtime_remote.go12
-rw-r--r--pkg/rootless/rootless_linux.go3
-rw-r--r--pkg/secrets/secrets.go12
-rw-r--r--pkg/spec/createconfig.go2
-rw-r--r--pkg/util/utils.go26
6 files changed, 36 insertions, 27 deletions
diff --git a/pkg/adapter/runtime.go b/pkg/adapter/runtime.go
index 4f5b98dbb..8624981b1 100644
--- a/pkg/adapter/runtime.go
+++ b/pkg/adapter/runtime.go
@@ -333,3 +333,11 @@ func (r *LocalRuntime) LoadImage(ctx context.Context, name string, cli *cliconfi
}
return r.Runtime.LoadImage(ctx, name, cli.Input, writer, cli.SignaturePolicy)
}
+
+// IsImageNotFound checks if the error indicates that no image was found.
+func IsImageNotFound(err error) bool {
+ if errors.Cause(err) == image.ErrNoSuchImage {
+ return true
+ }
+ return false
+}
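Review bot: The `if … { return true }; return false` shape in the new IsImageNotFound can be a single expression, `return errors.Cause(err) == image.ErrNoSuchImage`, which reads more directly. The same opening check is repeated in pkg/adapter/runtime_remote.go. The doc comment could also state that wrapped errors are unwrapped with `errors.Cause` before the comparison, since callers rely on that.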
diff --git a/pkg/adapter/runtime_remote.go b/pkg/adapter/runtime_remote.go
index ca2fad852..29b43e9b0 100644
--- a/pkg/adapter/runtime_remote.go
+++ b/pkg/adapter/runtime_remote.go
@@ -796,3 +796,15 @@ func (r *LocalRuntime) LoadImage(ctx context.Context, name string, cli *cliconfi
}
return names, nil
}
+
+// IsImageNotFound checks if the error indicates that no image was found.
+func IsImageNotFound(err error) bool {
+ if errors.Cause(err) == image.ErrNoSuchImage {
+ return true
+ }
+ switch err.(type) {
+ case *iopodman.ImageNotFound:
+ return true
+ }
+ return false
+}
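Review bot: The type switch on `err.(type)` inspects the outermost error, while the check just above it unwraps with `errors.Cause` first. An `*iopodman.ImageNotFound` that was wrapped on its way up would not match, and the function would return false for a genuine not-found. Switching on the unwrapped value, `switch errors.Cause(err).(type) {`, keeps the two checks consistent. Whether callers actually wrap remote errors is not visible in this hunk.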
diff --git a/pkg/rootless/rootless_linux.go b/pkg/rootless/rootless_linux.go
index 9a192c0fa..98692707f 100644
--- a/pkg/rootless/rootless_linux.go
+++ b/pkg/rootless/rootless_linux.go
@@ -93,7 +93,8 @@ func tryMappingTool(tool string, pid int, hostID int, mappings []idtools.IDMap)
Args: args,
}
- if err := cmd.Run(); err != nil {
+ if output, err := cmd.CombinedOutput(); err != nil {
+ logrus.Debugf("error from %s: %s", tool, output)
return errors.Wrapf(err, "cannot setup namespace using %s", tool)
}
return nil
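Review bot: The mapping tool's combined output is logged with `%s` at debug level only, so control bytes or newlines it emits go into the log verbatim, and the returned error still carries no hint of why the tool failed. Consider `logrus.Debugf("error from %s: %q", tool, output)`, or including the trimmed output in the wrapped error so the cause is visible without debug logging. The construction of `cmd` begins outside this hunk. CombinedOutput returns an error if Stdout or Stderr is already set on `cmd`, which is worth confirming there.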
diff --git a/pkg/secrets/secrets.go b/pkg/secrets/secrets.go
index 242953609..3b64f8952 100644
--- a/pkg/secrets/secrets.go
+++ b/pkg/secrets/secrets.go
@@ -8,6 +8,7 @@ import (
"strings"
"github.com/containers/libpod/pkg/rootless"
+ "github.com/containers/storage/pkg/idtools"
rspec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/selinux/go-selinux/label"
"github.com/pkg/errors"
@@ -176,7 +177,7 @@ func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPre
// Add FIPS mode secret if /etc/system-fips exists on the host
_, err := os.Stat("/etc/system-fips")
if err == nil {
- if err := addFIPSModeSecret(&secretMounts, containerWorkingDir); err != nil {
+ if err := addFIPSModeSecret(&secretMounts, containerWorkingDir, mountPrefix, mountLabel, uid, gid); err != nil {
logrus.Errorf("error adding FIPS mode secret to container: %v", err)
}
} else if os.IsNotExist(err) {
@@ -264,13 +265,16 @@ func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPr
// root filesystem if /etc/system-fips exists on hosts.
// This enables the container to be FIPS compliant and run openssl in
// FIPS mode as the host is also in FIPS mode.
-func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir string) error {
+func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPrefix, mountLabel string, uid, gid int) error {
secretsDir := "/run/secrets"
ctrDirOnHost := filepath.Join(containerWorkingDir, secretsDir)
if _, err := os.Stat(ctrDirOnHost); os.IsNotExist(err) {
- if err = os.MkdirAll(ctrDirOnHost, 0755); err != nil {
+ if err = idtools.MkdirAllAs(ctrDirOnHost, 0755, uid, gid); err != nil {
return errors.Wrapf(err, "making container directory on host failed")
}
+ if err = label.Relabel(ctrDirOnHost, mountLabel, false); err != nil {
+ return errors.Wrap(err, "error applying correct labels")
+ }
}
fipsFile := filepath.Join(ctrDirOnHost, "system-fips")
// In the event of restart, it is possible for the FIPS mode file to already exist
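Review bot: The ownership change and the SELinux relabel run only inside the `os.IsNotExist` branch, so a secrets directory that already exists under containerWorkingDir keeps whatever owner and label it had. A Stat error other than not-exist is also silently ignored. If the directory can pre-exist (the comment below mentions restarts), its label and owner may not match the mountLabel, uid and gid passed in for this run. Consider running `label.Relabel(ctrDirOnHost, mountLabel, false)` after the existence check instead of inside it, and returning on unexpected Stat errors. addFIPSModeSecret continues past the end of this hunk.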
@@ -284,7 +288,7 @@ func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir string) error
if !mountExists(*mounts, secretsDir) {
m := rspec.Mount{
- Source: ctrDirOnHost,
+ Source: filepath.Join(mountPrefix, secretsDir),
Destination: secretsDir,
Type: "bind",
Options: []string{"bind", "rprivate"},
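Review bot: The bind-mount source is now built from `mountPrefix`, while the directory and the system-fips file are created under `containerWorkingDir`. Nothing visible here checks that the two refer to the same location. With an empty mountPrefix, `filepath.Join(mountPrefix, secretsDir)` evaluates to `/run/secrets`, so the host's own `/run/secrets` would be bind-mounted into the container. A guard such as `if mountPrefix == "" { mountPrefix = containerWorkingDir }` would close that case, or the parameter's doc comment should state the precondition. Callers are not shown, so this may already be guaranteed upstream. The struct literal continues outside the hunk.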
diff --git a/pkg/spec/createconfig.go b/pkg/spec/createconfig.go
index 50e07ee74..31039bfdf 100644
--- a/pkg/spec/createconfig.go
+++ b/pkg/spec/createconfig.go
@@ -240,7 +240,7 @@ func (c *CreateConfig) GetVolumeMounts(specMounts []spec.Mount) ([]spec.Mount, e
}
for vol := range c.BuiltinImgVolumes {
- if libpod.MountExists(specMounts, vol) {
+ if libpod.MountExists(specMounts, vol) || libpod.MountExists(m, vol) {
continue
}
diff --git a/pkg/util/utils.go b/pkg/util/utils.go
index db8a3d5bb..a4576191b 100644
--- a/pkg/util/utils.go
+++ b/pkg/util/utils.go
@@ -259,15 +259,6 @@ func GetRootlessStorageOpts() (storage.StoreOptions, error) {
return opts, nil
}
-// GetRootlessVolumePath returns where all the name volumes will be created in rootless mode
-func GetRootlessVolumePath() (string, error) {
- dataDir, _, err := GetRootlessDirInfo()
- if err != nil {
- return "", err
- }
- return filepath.Join(dataDir, "containers", "storage", "volumes"), nil
-}
-
type tomlOptionsConfig struct {
MountProgram string `toml:"mount_program"`
}
@@ -297,25 +288,18 @@ func getTomlStorage(storeOptions *storage.StoreOptions) *tomlConfig {
return config
}
-// GetDefaultStoreOptions returns the storage ops for containers and the volume path
-// for the volume API
-// It also returns the path where all named volumes will be created using the volume API
-func GetDefaultStoreOptions() (storage.StoreOptions, string, error) {
+// GetDefaultStoreOptions returns the default storage ops for containers
+func GetDefaultStoreOptions() (storage.StoreOptions, error) {
var (
defaultRootlessRunRoot string
defaultRootlessGraphRoot string
err error
)
storageOpts := storage.DefaultStoreOptions
- volumePath := filepath.Join(storageOpts.GraphRoot, "volumes")
if rootless.IsRootless() {
storageOpts, err = GetRootlessStorageOpts()
if err != nil {
- return storageOpts, volumePath, err
- }
- volumePath, err = GetRootlessVolumePath()
- if err != nil {
- return storageOpts, volumePath, err
+ return storageOpts, err
}
}
@@ -332,7 +316,7 @@ func GetDefaultStoreOptions() (storage.StoreOptions, string, error) {
os.MkdirAll(filepath.Dir(storageConf), 0755)
file, err := os.OpenFile(storageConf, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0666)
if err != nil {
- return storageOpts, volumePath, errors.Wrapf(err, "cannot open %s", storageConf)
+ return storageOpts, errors.Wrapf(err, "cannot open %s", storageConf)
}
tomlConfiguration := getTomlStorage(&storageOpts)
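Review bot: In the unchanged context of this hunk, the storage configuration file is created with mode `0666` and the result of `os.MkdirAll` is discarded. The file's final permissions therefore depend entirely on the process umask, and a failed directory creation only surfaces as the later "cannot open" error. The file carries settings such as `mount_program` (see tomlOptionsConfig above), so a tighter explicit mode is safer, for example `os.OpenFile(storageConf, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0600)`. The MkdirAll error should also be checked and returned. The rest of GetDefaultStoreOptions lies outside this hunk.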
@@ -353,7 +337,7 @@ func GetDefaultStoreOptions() (storage.StoreOptions, string, error) {
}
}
}
- return storageOpts, volumePath, nil
+ return storageOpts, nil
}
// StorageConfigFile returns the path to the storage config file used