Diffstat (limited to 'pkg')
-rw-r--r--pkg/api/server/docs.go2
-rw-r--r--pkg/netns/netns_linux.go4
-rw-r--r--pkg/rootless/rootless.go153
-rw-r--r--pkg/rootless/rootless_test.go101
-rw-r--r--pkg/specgen/generate/security.go3
-rw-r--r--pkg/systemd/generate/containers_test.go24
-rw-r--r--pkg/systemd/generate/pods_test.go6
7 files changed, 262 insertions, 31 deletions
diff --git a/pkg/api/server/docs.go b/pkg/api/server/docs.go
index 1aaf31117..a99fefd7b 100644
--- a/pkg/api/server/docs.go
+++ b/pkg/api/server/docs.go
@@ -13,7 +13,7 @@
// You can then use cURL on the socket using requests documented below.
//
// NOTE: if you install the package podman-docker, it will create a symbolic
-// link for /var/run/docker.sock to /run/podman/podman.sock
+// link for /run/docker.sock to /run/podman/podman.sock
//
// See podman-service(1) for more information.
//
diff --git a/pkg/netns/netns_linux.go b/pkg/netns/netns_linux.go
index ed5241632..6817a3abd 100644
--- a/pkg/netns/netns_linux.go
+++ b/pkg/netns/netns_linux.go
@@ -45,7 +45,7 @@ func getNSRunDir() (string, error) {
}
return filepath.Join(rootlessDir, "netns"), nil
}
- return "/var/run/netns", nil
+ return "/run/netns", nil
}
// NewNS creates a new persistent (bind-mounted) network namespace and returns
@@ -80,7 +80,7 @@ func NewNS() (ns.NetNS, error) {
return nil, fmt.Errorf("mount --make-rshared %s failed: %q", nsRunDir, err)
}
- // Recursively remount /var/run/netns on itself. The recursive flag is
+ // Recursively remount /run/netns on itself. The recursive flag is
// so that any existing netns bindmounts are carried over.
err = unix.Mount(nsRunDir, nsRunDir, "none", unix.MS_BIND|unix.MS_REC, "")
if err != nil {
diff --git a/pkg/rootless/rootless.go b/pkg/rootless/rootless.go
index 799c793d8..df35c0d6b 100644
--- a/pkg/rootless/rootless.go
+++ b/pkg/rootless/rootless.go
@@ -2,10 +2,12 @@ package rootless
import (
"os"
+ "sort"
"sync"
"github.com/containers/storage"
"github.com/opencontainers/runc/libcontainer/user"
+ spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/pkg/errors"
)
@@ -50,24 +52,151 @@ func TryJoinPauseProcess(pausePidPath string) (bool, int, error) {
}
var (
- availableGids int64
- availableGidsErr error
- availableGidsOnce sync.Once
+ uidMap []user.IDMap
+ uidMapError error
+ uidMapOnce sync.Once
+
+ gidMap []user.IDMap
+ gidMapError error
+ gidMapOnce sync.Once
)
-// GetAvailableGids returns how many GIDs are available in the
+// GetAvailableUidMap returns the UID mappings in the
// current user namespace.
-func GetAvailableGids() (int64, error) {
- availableGidsOnce.Do(func() {
- idMap, err := user.ParseIDMapFile("/proc/self/gid_map")
+func GetAvailableUidMap() ([]user.IDMap, error) {
+ uidMapOnce.Do(func() {
+ var err error
+ uidMap, err = user.ParseIDMapFile("/proc/self/uid_map")
if err != nil {
- availableGidsErr = err
+ uidMapError = err
return
}
- availableGids = int64(0)
- for _, r := range idMap {
- availableGids += r.Count
+ })
+ return uidMap, uidMapError
+}
+
+// GetAvailableGidMap returns the GID mappings in the
+// current user namespace.
+func GetAvailableGidMap() ([]user.IDMap, error) {
+ gidMapOnce.Do(func() {
+ var err error
+ gidMap, err = user.ParseIDMapFile("/proc/self/gid_map")
+ if err != nil {
+ gidMapError = err
+ return
}
})
- return availableGids, availableGidsErr
+ return gidMap, gidMapError
+}
+
+// GetAvailableIDMaps returns the UID and GID mappings in the
+// current user namespace.
+func GetAvailableIDMaps() ([]user.IDMap, []user.IDMap, error) {
+ u, err := GetAvailableUidMap()
+ if err != nil {
+ return nil, nil, err
+ }
+ g, err := GetAvailableGidMap()
+ if err != nil {
+ return nil, nil, err
+ }
+ return u, g, nil
+}
+
+func countAvailableIDs(mappings []user.IDMap) int64 {
+ availableUids := int64(0)
+ for _, r := range mappings {
+ availableUids += r.Count
+ }
+ return availableUids
+}
+
+// GetAvailableUids returns how many UIDs are available in the
+// current user namespace.
+func GetAvailableUids() (int64, error) {
+ uids, err := GetAvailableUidMap()
+ if err != nil {
+ return -1, err
+ }
+
+ return countAvailableIDs(uids), nil
+}
+
+// GetAvailableGids returns how many GIDs are available in the
+// current user namespace.
+func GetAvailableGids() (int64, error) {
+ gids, err := GetAvailableGidMap()
+ if err != nil {
+ return -1, err
+ }
+
+ return countAvailableIDs(gids), nil
+}
+
+// findIDInMappings find the the mapping that contains the specified ID.
+// It assumes availableMappings is sorted by ID.
+func findIDInMappings(id int64, availableMappings []user.IDMap) *user.IDMap {
+ i := sort.Search(len(availableMappings), func(i int) bool {
+ return availableMappings[i].ID >= id
+ })
+ if i < 0 || i >= len(availableMappings) {
+ return nil
+ }
+ r := &availableMappings[i]
+ if id >= r.ID && id < r.ID+r.Count {
+ return r
+ }
+ return nil
+}
+
+// MaybeSplitMappings checks whether the specified OCI mappings are possible
+// in the current user namespace or the specified ranges must be split.
+func MaybeSplitMappings(mappings []spec.LinuxIDMapping, availableMappings []user.IDMap) []spec.LinuxIDMapping {
+ var ret []spec.LinuxIDMapping
+ var overflow spec.LinuxIDMapping
+ overflow.Size = 0
+ consumed := 0
+ sort.Slice(availableMappings, func(i, j int) bool {
+ return availableMappings[i].ID < availableMappings[j].ID
+ })
+ for {
+ cur := overflow
+ // if there is no overflow left from the previous request, get the next one
+ if cur.Size == 0 {
+ if consumed == len(mappings) {
+ // all done
+ return ret
+ }
+ cur = mappings[consumed]
+ consumed++
+ }
+
+ // Find the range where the first specified ID is present
+ r := findIDInMappings(int64(cur.HostID), availableMappings)
+ if r == nil {
+ // The requested range is not available. Just return the original request
+ // and let other layers deal with it.
+ return mappings
+ }
+
+ offsetInRange := cur.HostID - uint32(r.ID)
+
+ usableIDs := uint32(r.Count) - offsetInRange
+
+ // the current range can satisfy the whole request
+ if usableIDs >= cur.Size {
+ // reset the overflow
+ overflow.Size = 0
+ } else {
+ // the current range can satisfy the request partially
+ // so move the rest to overflow
+ overflow.Size = cur.Size - usableIDs
+ overflow.ContainerID = cur.ContainerID + usableIDs
+ overflow.HostID = cur.HostID + usableIDs
+
+ // and cap to the usableIDs count
+ cur.Size = usableIDs
+ }
+ ret = append(ret, cur)
+ }
}
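Review bot: findIDInMappings only matches an ID that is exactly the first ID of a range: sort.Search returns the first mapping whose ID is >= id, so for id 5 against the sorted ranges {ID 0, Count 10}, {ID 100, Count 10} it lands on the second entry and the `id >= r.ID` check fails although the first range contains 5, and MaybeSplitMappings then hands back the original request unsplit. The three cases in the new rootless_test.go all request the start of a range, so they never reach this path. Searching for the first ID greater than id and inspecting the entry before it fixes the lookup and also removes the unreachable `i < 0` check (sort.Search never returns a negative index). Separately, `sort.Slice(availableMappings, …)` reorders the caller's slice in place; if callers pass the result of GetAvailableUidMap or GetAvailableGidMap, that is the package-level slice cached by sync.Once, so concurrent calls would write shared state — sort a copy first, `availableMappings = append([]user.IDMap(nil), availableMappings...)`. countAvailableIDs still names its accumulator `availableUids` although the GID path uses it too.
```go
// findIDInMappings finds the mapping that contains the specified ID.
// It assumes availableMappings is sorted by ID in ascending order.
func findIDInMappings(id int64, availableMappings []user.IDMap) *user.IDMap {
	// first range that starts after id; the only candidate is the one before it
	i := sort.Search(len(availableMappings), func(i int) bool {
		return availableMappings[i].ID > id
	})
	if i == 0 {
		return nil
	}
	r := &availableMappings[i-1]
	if id >= r.ID && id < r.ID+r.Count {
		return r
	}
	return nil
}
```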
diff --git a/pkg/rootless/rootless_test.go b/pkg/rootless/rootless_test.go
new file mode 100644
index 000000000..ef574099c
--- /dev/null
+++ b/pkg/rootless/rootless_test.go
@@ -0,0 +1,101 @@
+package rootless
+
+import (
+ "reflect"
+ "testing"
+
+ "github.com/opencontainers/runc/libcontainer/user"
+ spec "github.com/opencontainers/runtime-spec/specs-go"
+)
+
+func TestMaybeSplitMappings(t *testing.T) {
+ mappings := []spec.LinuxIDMapping{
+ {
+ ContainerID: 0,
+ HostID: 0,
+ Size: 2,
+ },
+ }
+ desiredMappings := []spec.LinuxIDMapping{
+ {
+ ContainerID: 0,
+ HostID: 0,
+ Size: 1,
+ },
+ {
+ ContainerID: 1,
+ HostID: 1,
+ Size: 1,
+ },
+ }
+ availableMappings := []user.IDMap{
+ {
+ ID: 1,
+ ParentID: 1000000,
+ Count: 65536,
+ },
+ {
+ ID: 0,
+ ParentID: 1000,
+ Count: 1,
+ },
+ }
+ newMappings := MaybeSplitMappings(mappings, availableMappings)
+ if !reflect.DeepEqual(newMappings, desiredMappings) {
+ t.Fatal("wrong mappings generated")
+ }
+
+ mappings = []spec.LinuxIDMapping{
+ {
+ ContainerID: 0,
+ HostID: 0,
+ Size: 2,
+ },
+ }
+ desiredMappings = []spec.LinuxIDMapping{
+ {
+ ContainerID: 0,
+ HostID: 0,
+ Size: 2,
+ },
+ }
+ availableMappings = []user.IDMap{
+ {
+ ID: 0,
+ ParentID: 1000000,
+ Count: 65536,
+ },
+ }
+ newMappings = MaybeSplitMappings(mappings, availableMappings)
+
+ if !reflect.DeepEqual(newMappings, desiredMappings) {
+ t.Fatal("wrong mappings generated")
+ }
+
+ mappings = []spec.LinuxIDMapping{
+ {
+ ContainerID: 0,
+ HostID: 0,
+ Size: 1,
+ },
+ }
+ desiredMappings = []spec.LinuxIDMapping{
+ {
+ ContainerID: 0,
+ HostID: 0,
+ Size: 1,
+ },
+ }
+ availableMappings = []user.IDMap{
+ {
+ ID: 10000,
+ ParentID: 10000,
+ Count: 65536,
+ },
+ }
+
+ newMappings = MaybeSplitMappings(mappings, availableMappings)
+ if !reflect.DeepEqual(newMappings, desiredMappings) {
+ t.Fatal("wrong mappings generated")
+ }
+}
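Review bot: None of the three cases asks for a HostID that lies strictly inside an available range, so the sort.Search lookup in findIDInMappings is only exercised at range starts; a request that begins mid-range and crosses into the next range is the case that matters for splitting, and as findIDInMappings is written it will fail (the request comes back unsplit) until interior IDs are handled. The `t.Fatal("wrong mappings generated")` calls also discard both values; `t.Fatalf("got %+v, want %+v", newMappings, desiredMappings)` makes a failure diagnosable. Reassigning the same three variables per case is fragile; a table-driven loop over (mappings, available, want) would keep the cases independent.
```go
	// request starting inside a range and crossing into the next one
	mappings = []spec.LinuxIDMapping{{ContainerID: 0, HostID: 5, Size: 10}}
	desiredMappings = []spec.LinuxIDMapping{
		{ContainerID: 0, HostID: 5, Size: 5},
		{ContainerID: 5, HostID: 10, Size: 5},
	}
	availableMappings = []user.IDMap{
		{ID: 0, ParentID: 1000, Count: 10},
		{ID: 10, ParentID: 2000, Count: 10},
	}
	newMappings = MaybeSplitMappings(mappings, availableMappings)
	if !reflect.DeepEqual(newMappings, desiredMappings) {
		t.Fatalf("got %+v, want %+v", newMappings, desiredMappings)
	}
```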
diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go
index 9fceec7b3..390b19beb 100644
--- a/pkg/specgen/generate/security.go
+++ b/pkg/specgen/generate/security.go
@@ -133,13 +133,13 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
configSpec := g.Config
configSpec.Process.Capabilities.Ambient = []string{}
configSpec.Process.Capabilities.Bounding = caplist
- configSpec.Process.Capabilities.Inheritable = caplist
user := strings.Split(s.User, ":")[0]
if (user == "" && s.UserNS.NSMode != specgen.KeepID) || user == "root" || user == "0" {
configSpec.Process.Capabilities.Effective = caplist
configSpec.Process.Capabilities.Permitted = caplist
+ configSpec.Process.Capabilities.Inheritable = caplist
} else {
userCaps, err := capabilities.MergeCapabilities(nil, s.CapAdd, nil)
if err != nil {
@@ -147,6 +147,7 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
}
configSpec.Process.Capabilities.Effective = userCaps
configSpec.Process.Capabilities.Permitted = userCaps
+ configSpec.Process.Capabilities.Inheritable = userCaps
// Ambient capabilities were added to Linux 4.3. Set ambient
// capabilities only when the kernel supports them.
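Review bot: The added `configSpec.Process.Capabilities.Inheritable = userCaps` line, and its twin `Inheritable = caplist` in the previous hunk, carry no comment on why Inheritable must track Permitted; a one-liner above it such as `// Inheritable tracks Permitted: ambient caps (set below) can only be raised for caps present in both sets` would tie the assignment to the ambient handling that follows. Before this change Inheritable was the full caplist for every user, so for non-root containers the hunk narrows the inheritable set to userCaps; that is the safer direction, but the narrowing is a behaviour change worth stating explicitly. securityConfigureGenerator starts and ends outside these hunks, so the error path of the MergeCapabilities check is not visible here.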
diff --git a/pkg/systemd/generate/containers_test.go b/pkg/systemd/generate/containers_test.go
index b9fb8fee6..b8f3a90f9 100644
--- a/pkg/systemd/generate/containers_test.go
+++ b/pkg/systemd/generate/containers_test.go
@@ -53,7 +53,7 @@ TimeoutStopSec=82
ExecStart=/usr/bin/podman start 639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401
ExecStop=/usr/bin/podman stop -t 22 639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401
ExecStopPost=/usr/bin/podman stop -t 22 639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401
-PIDFile=/var/run/containers/storage/overlay-containers/639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401/userdata/conmon.pid
+PIDFile=/run/containers/storage/overlay-containers/639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401/userdata/conmon.pid
Type=forking
[Install]
@@ -76,7 +76,7 @@ TimeoutStopSec=70
ExecStart=/usr/bin/podman start foobar
ExecStop=/usr/bin/podman stop -t 10 foobar
ExecStopPost=/usr/bin/podman stop -t 10 foobar
-PIDFile=/var/run/containers/storage/overlay-containers/639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401/userdata/conmon.pid
+PIDFile=/run/containers/storage/overlay-containers/639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401/userdata/conmon.pid
Type=forking
[Install]
@@ -101,7 +101,7 @@ TimeoutStopSec=70
ExecStart=/usr/bin/podman start foobar
ExecStop=/usr/bin/podman stop -t 10 foobar
ExecStopPost=/usr/bin/podman stop -t 10 foobar
-PIDFile=/var/run/containers/storage/overlay-containers/639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401/userdata/conmon.pid
+PIDFile=/run/containers/storage/overlay-containers/639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401/userdata/conmon.pid
Type=forking
[Install]
@@ -242,7 +242,7 @@ WantedBy=multi-user.target default.target
ServiceName: "container-639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401",
ContainerNameOrID: "639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401",
RestartPolicy: "always",
- PIDFile: "/var/run/containers/storage/overlay-containers/639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401/userdata/conmon.pid",
+ PIDFile: "/run/containers/storage/overlay-containers/639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401/userdata/conmon.pid",
StopTimeout: 22,
PodmanVersion: "CI",
EnvVariable: EnvVariable,
@@ -257,7 +257,7 @@ WantedBy=multi-user.target default.target
ServiceName: "container-foobar",
ContainerNameOrID: "foobar",
RestartPolicy: "always",
- PIDFile: "/var/run/containers/storage/overlay-containers/639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401/userdata/conmon.pid",
+ PIDFile: "/run/containers/storage/overlay-containers/639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401/userdata/conmon.pid",
StopTimeout: 10,
PodmanVersion: "CI",
EnvVariable: EnvVariable,
@@ -272,7 +272,7 @@ WantedBy=multi-user.target default.target
ServiceName: "container-foobar",
ContainerNameOrID: "foobar",
RestartPolicy: "always",
- PIDFile: "/var/run/containers/storage/overlay-containers/639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401/userdata/conmon.pid",
+ PIDFile: "/run/containers/storage/overlay-containers/639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401/userdata/conmon.pid",
StopTimeout: 10,
PodmanVersion: "CI",
BoundToServices: []string{"pod", "a", "b", "c"},
@@ -287,7 +287,7 @@ WantedBy=multi-user.target default.target
Executable: "/usr/bin/podman",
ServiceName: "639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401",
RestartPolicy: "never",
- PIDFile: "/var/run/containers/storage/overlay-containers/639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401/userdata/conmon.pid",
+ PIDFile: "/run/containers/storage/overlay-containers/639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401/userdata/conmon.pid",
StopTimeout: 10,
PodmanVersion: "CI",
EnvVariable: EnvVariable,
@@ -302,7 +302,7 @@ WantedBy=multi-user.target default.target
ServiceName: "jadda-jadda",
ContainerNameOrID: "jadda-jadda",
RestartPolicy: "always",
- PIDFile: "/var/run/containers/storage/overlay-containers/639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401/userdata/conmon.pid",
+ PIDFile: "/run/containers/storage/overlay-containers/639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401/userdata/conmon.pid",
StopTimeout: 10,
PodmanVersion: "CI",
CreateCommand: []string{"I'll get stripped", "container", "run", "--name", "jadda-jadda", "--hostname", "hello-world", "awesome-image:latest", "command", "arg1", "...", "argN", "foo=arg \"with \" space"},
@@ -318,7 +318,7 @@ WantedBy=multi-user.target default.target
ServiceName: "jadda-jadda",
ContainerNameOrID: "jadda-jadda",
RestartPolicy: "always",
- PIDFile: "/var/run/containers/storage/overlay-containers/639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401/userdata/conmon.pid",
+ PIDFile: "/run/containers/storage/overlay-containers/639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401/userdata/conmon.pid",
StopTimeout: 10,
PodmanVersion: "CI",
CreateCommand: []string{"I'll get stripped", "container", "run", "-d", "--name", "jadda-jadda", "--hostname", "hello-world", "awesome-image:latest", "command", "arg1", "...", "argN"},
@@ -334,7 +334,7 @@ WantedBy=multi-user.target default.target
ServiceName: "jadda-jadda",
ContainerNameOrID: "jadda-jadda",
RestartPolicy: "always",
- PIDFile: "/var/run/containers/storage/overlay-containers/639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401/userdata/conmon.pid",
+ PIDFile: "/run/containers/storage/overlay-containers/639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401/userdata/conmon.pid",
StopTimeout: 10,
PodmanVersion: "CI",
CreateCommand: []string{"I'll get stripped", "container", "run", "-d", "--name", "jadda-jadda", "--hostname", "hello-world", "awesome-image:latest", "command", "arg1", "...", "argN"},
@@ -353,7 +353,7 @@ WantedBy=multi-user.target default.target
ServiceName: "jadda-jadda",
ContainerNameOrID: "jadda-jadda",
RestartPolicy: "always",
- PIDFile: "/var/run/containers/storage/overlay-containers/639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401/userdata/conmon.pid",
+ PIDFile: "/run/containers/storage/overlay-containers/639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401/userdata/conmon.pid",
StopTimeout: 10,
PodmanVersion: "CI",
CreateCommand: []string{"I'll get stripped", "container", "run", "--detach", "--name", "jadda-jadda", "--hostname", "hello-world", "awesome-image:latest", "command", "arg1", "...", "argN"},
@@ -369,7 +369,7 @@ WantedBy=multi-user.target default.target
ServiceName: "container-639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401",
ContainerNameOrID: "639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401",
RestartPolicy: "always",
- PIDFile: "/var/run/containers/storage/overlay-containers/639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401/userdata/conmon.pid",
+ PIDFile: "/run/containers/storage/overlay-containers/639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401/userdata/conmon.pid",
StopTimeout: 10,
PodmanVersion: "CI",
CreateCommand: []string{"I'll get stripped", "container", "run", "awesome-image:latest"},
diff --git a/pkg/systemd/generate/pods_test.go b/pkg/systemd/generate/pods_test.go
index 6d925ecd2..93432ef96 100644
--- a/pkg/systemd/generate/pods_test.go
+++ b/pkg/systemd/generate/pods_test.go
@@ -55,7 +55,7 @@ TimeoutStopSec=102
ExecStart=/usr/bin/podman start jadda-jadda-infra
ExecStop=/usr/bin/podman stop -t 42 jadda-jadda-infra
ExecStopPost=/usr/bin/podman stop -t 42 jadda-jadda-infra
-PIDFile=/var/run/containers/storage/overlay-containers/639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401/userdata/conmon.pid
+PIDFile=/run/containers/storage/overlay-containers/639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401/userdata/conmon.pid
Type=forking
[Install]
@@ -102,7 +102,7 @@ WantedBy=multi-user.target default.target
ServiceName: "pod-123abc",
InfraNameOrID: "jadda-jadda-infra",
RestartPolicy: "always",
- PIDFile: "/var/run/containers/storage/overlay-containers/639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401/userdata/conmon.pid",
+ PIDFile: "/run/containers/storage/overlay-containers/639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401/userdata/conmon.pid",
StopTimeout: 42,
PodmanVersion: "CI",
RequiredServices: []string{"container-1", "container-2"},
@@ -117,7 +117,7 @@ WantedBy=multi-user.target default.target
ServiceName: "pod-123abc",
InfraNameOrID: "jadda-jadda-infra",
RestartPolicy: "on-failure",
- PIDFile: "/var/run/containers/storage/overlay-containers/639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401/userdata/conmon.pid",
+ PIDFile: "/run/containers/storage/overlay-containers/639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401/userdata/conmon.pid",
StopTimeout: 10,
PodmanVersion: "CI",
RequiredServices: []string{"container-1", "container-2"},