18 files changed, 354 insertions, 46 deletions
diff --git a/pkg/adapter/checkpoint_restore.go b/pkg/adapter/checkpoint_restore.go
index 1cac86d12..15f9e8105 100644
--- a/pkg/adapter/checkpoint_restore.go
+++ b/pkg/adapter/checkpoint_restore.go
@@ -11,6 +11,7 @@ import (
 	"github.com/containers/libpod/libpod"
 	"github.com/containers/libpod/libpod/image"
 	"github.com/containers/libpod/pkg/errorhandling"
+	"github.com/containers/libpod/pkg/util"
 	"github.com/containers/storage/pkg/archive"
 	jsoniter "github.com/json-iterator/go"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
@@ -112,7 +113,7 @@ func crImportCheckpoint(ctx context.Context, runtime *libpod.Runtime, input stri
 		return nil, err
 	}
 
-	_, err = runtime.ImageRuntime().New(ctx, config.RootfsImageName, rtc.SignaturePolicyPath, "", writer, nil, image.SigningOptions{}, false, nil)
+	_, err = runtime.ImageRuntime().New(ctx, config.RootfsImageName, rtc.SignaturePolicyPath, "", writer, nil, image.SigningOptions{}, nil, util.PullImageMissing)
 	if err != nil {
 		return nil, err
 	}
diff --git a/pkg/adapter/containers.go b/pkg/adapter/containers.go
index 45a9a54a3..863640f97 100644
--- a/pkg/adapter/containers.go
+++ b/pkg/adapter/containers.go
@@ -342,7 +342,8 @@ func (r *LocalRuntime) Run(ctx context.Context, c *cliconfig.RunValues, exitCode
 		if err := ctr.Start(ctx, c.IsSet("pod")); err != nil {
 			// This means the command did not exist
 			exitCode = 127
-			if strings.Contains(err.Error(), "permission denied") || strings.Contains(err.Error(), "file not found") {
+			e := strings.ToLower(err.Error())
+			if strings.Contains(e, "permission denied") || strings.Contains(e, "operation not permitted") || strings.Contains(e, "file not found") || strings.Contains(e, "no such file or directory") {
 				exitCode = 126
 			}
 			return exitCode, err
@@ -405,12 +406,13 @@ func (r *LocalRuntime) Run(ctx context.Context, c *cliconfig.RunValues, exitCode
 		}
 		// This means the command did not exist
 		exitCode = 127
-		if strings.Contains(err.Error(), "permission denied") {
+		e := strings.ToLower(err.Error())
+		if strings.Contains(e, "permission denied") || strings.Contains(e, "operation not permitted") {
 			exitCode = 126
 		}
 		if c.IsSet("rm") {
 			if deleteError := r.Runtime.RemoveContainer(ctx, ctr, true, false); deleteError != nil {
-				logrus.Errorf("unable to remove container %s after failing to start and attach to it", ctr.ID())
+				logrus.Debugf("unable to remove container %s after failing to start and attach to it", ctr.ID())
 			}
 		}
 		return exitCode, err
diff --git a/pkg/adapter/network.go b/pkg/adapter/network.go
new file mode 100644
index 000000000..cf3a1dfdd
--- /dev/null
+++ b/pkg/adapter/network.go
@@ -0,0 +1,147 @@
+// +build !remoteclient
+
+package adapter
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"strings"
+	"text/tabwriter"
+
+	"github.com/containernetworking/cni/libcni"
+	"github.com/containers/libpod/cmd/podman/cliconfig"
+	"github.com/containers/libpod/pkg/network"
+	"github.com/pkg/errors"
+)
+
+func getCNIConfDir(r *LocalRuntime) (string, error) {
+	config, err := r.GetConfig()
+	if err != nil {
+		return "", err
+	}
+	configPath := config.CNIConfigDir
+
+	if len(config.CNIConfigDir) < 1 {
+		configPath = network.CNIConfigDir
+	}
+	return configPath, nil
+}
+
+// NetworkList displays summary information about CNI networks
+func (r *LocalRuntime) NetworkList(cli *cliconfig.NetworkListValues) error {
+	cniConfigPath, err := getCNIConfDir(r)
+	if err != nil {
+		return err
+	}
+	networks, err := network.LoadCNIConfsFromDir(cniConfigPath)
+	if err != nil {
+		return err
+	}
+	// quiet means we only print the network names
+	if cli.Quiet {
+		for _, cniNetwork := range networks {
+			fmt.Println(cniNetwork.Name)
+		}
+		return nil
+	}
+	w := tabwriter.NewWriter(os.Stdout, 0, 0, 3, ' ', 0)
+	if _, err := fmt.Fprintln(w, "NAME\tVERSION\tPLUGINS"); err != nil {
+		return err
+	}
+	for _, cniNetwork := range networks {
+		if _, err := fmt.Fprintf(w, "%s\t%s\t%s\n", cniNetwork.Name, cniNetwork.CNIVersion, getCNIPlugins(cniNetwork)); err != nil {
+			return err
+		}
+	}
+	return w.Flush()
+}
+
+// NetworkInspect displays the raw CNI configuration for one
+// or more CNI networks
+func (r *LocalRuntime) NetworkInspect(cli *cliconfig.NetworkInspectValues) error {
+	var (
+		rawCNINetworks []map[string]interface{}
+	)
+	cniConfigPath, err := getCNIConfDir(r)
+	if err != nil {
+		return err
+	}
+	for _, name := range cli.InputArgs {
+		b, err := readRawCNIConfByName(name, cniConfigPath)
+		if err != nil {
+			return err
+		}
+		rawList := make(map[string]interface{})
+		if err := json.Unmarshal(b, &rawList); err != nil {
+			return fmt.Errorf("error parsing configuration list: %s", err)
+		}
+		rawCNINetworks = append(rawCNINetworks, rawList)
+	}
+	out, err := json.MarshalIndent(rawCNINetworks, "", "\t")
+	if err != nil {
+		return err
+	}
+	fmt.Printf("%s\n", out)
+	return nil
+}
+
+// NetworkRemove deletes one or more CNI networks
+func (r *LocalRuntime) NetworkRemove(cli *cliconfig.NetworkRmValues) error {
+	cniConfigPath, err := getCNIConfDir(r)
+	if err != nil {
+		return err
+	}
+	for _, name := range cli.InputArgs {
+		cniPath, err := getCNIConfigPathByName(name, cniConfigPath)
+		if err != nil {
+			return err
+		}
+		if err := os.Remove(cniPath); err != nil {
+			return err
+		}
+		fmt.Printf("Deleted: %s\n", name)
+	}
+	return nil
+}
+
+// getCNIConfigPathByName finds a CNI network by name and
+// returns its configuration file path
+func getCNIConfigPathByName(name, cniConfigPath string) (string, error) {
+	files, err := libcni.ConfFiles(cniConfigPath, []string{".conflist"})
+	if err != nil {
+		return "", err
+	}
+	for _, confFile := range files {
+		conf, err := libcni.ConfListFromFile(confFile)
+		if err != nil {
+			return "", err
+		}
+		if conf.Name == name {
+			return confFile, nil
+		}
+	}
+	return "", errors.Errorf("unable to find network configuration for %s", name)
+}
+
+// readRawCNIConfByName reads the raw CNI configuration for a CNI
+// network by name
+func readRawCNIConfByName(name, cniConfigPath string) ([]byte, error) {
+	confFile, err := getCNIConfigPathByName(name, cniConfigPath)
+	if err != nil {
+		return nil, err
+	}
+	b, err := ioutil.ReadFile(confFile)
+	return b, err
+}
+
+// getCNIPlugins returns a list of plugins that a given network
+// has in the form of a string
+func getCNIPlugins(list *libcni.NetworkConfigList) string {
+	var plugins []string
+	for _, plug := range list.Plugins {
+		plugins = append(plugins, plug.Network.Type)
+	}
+	return strings.Join(plugins, ",")
+}
diff --git a/pkg/adapter/pods.go b/pkg/adapter/pods.go
index e25238956..ded805de2 100644
--- a/pkg/adapter/pods.go
+++ b/pkg/adapter/pods.go
@@ -19,6 +19,7 @@ import (
 	"github.com/containers/libpod/pkg/adapter/shortcuts"
 	ns "github.com/containers/libpod/pkg/namespaces"
 	createconfig "github.com/containers/libpod/pkg/spec"
+	"github.com/containers/libpod/pkg/util"
 	"github.com/containers/storage"
 	"github.com/cri-o/ocicni/pkg/ocicni"
 	"github.com/ghodss/yaml"
@@ -255,6 +256,10 @@ func (r *LocalRuntime) CreatePod(ctx context.Context, cli *cliconfig.PodCreateVa
 		options = append(options, libpod.WithPodName(cli.Name))
 	}
 
+	if cli.Flag("hostname").Changed {
+		options = append(options, libpod.WithPodHostname(cli.Hostname))
+	}
+
 	if cli.Infra {
 		options = append(options, libpod.WithInfraContainer())
 		nsOptions, err := shared.GetNamespaceOptions(strings.Split(cli.Share, ","))
@@ -475,6 +480,12 @@ func (r *LocalRuntime) PlayKubeYAML(ctx context.Context, c *cliconfig.KubePlayVa
 	podOptions = append(podOptions, libpod.WithPodName(podName))
 	// TODO for now we just used the default kernel namespaces; we need to add/subtract this from yaml
 
+	hostname := podYAML.Spec.Hostname
+	if hostname == "" {
+		hostname = podName
+	}
+	podOptions = append(podOptions, libpod.WithPodHostname(hostname))
+
 	nsOptions, err := shared.GetNamespaceOptions(strings.Split(shared.DefaultKernelNamespaces, ","))
 	if err != nil {
 		return nil, err
@@ -578,7 +589,7 @@ func (r *LocalRuntime) PlayKubeYAML(ctx context.Context, c *cliconfig.KubePlayVa
 	}
 
 	for _, container := range podYAML.Spec.Containers {
-		newImage, err := r.ImageRuntime().New(ctx, container.Image, c.SignaturePolicy, c.Authfile, writer, &dockerRegistryOptions, image.SigningOptions{}, false, nil)
+		newImage, err := r.ImageRuntime().New(ctx, container.Image, c.SignaturePolicy, c.Authfile, writer, &dockerRegistryOptions, image.SigningOptions{}, nil, util.PullImageMissing)
 		if err != nil {
 			return nil, err
 		}
@@ -707,6 +718,8 @@ func kubeContainerToCreateConfig(ctx context.Context, containerYAML v1.Container
 		return nil, errors.Errorf("No command specified in container YAML or as CMD or ENTRYPOINT in this image for %s", containerConfig.Name)
 	}
 
+	containerConfig.UserCommand = containerConfig.Command
+
 	containerConfig.StopSignal = 15
 
 	// If the user does not pass in ID mappings, just set to basics
diff --git a/pkg/adapter/runtime.go b/pkg/adapter/runtime.go
index 03419c0bd..7d4f97b28 100644
--- a/pkg/adapter/runtime.go
+++ b/pkg/adapter/runtime.go
@@ -24,6 +24,7 @@ import (
 	"github.com/containers/libpod/libpod/events"
 	"github.com/containers/libpod/libpod/image"
 	"github.com/containers/libpod/pkg/rootless"
+	"github.com/containers/libpod/pkg/util"
 	"github.com/containers/storage/pkg/archive"
 	"github.com/pkg/errors"
 	"k8s.io/api/core/v1"
@@ -132,8 +133,8 @@ func (r *LocalRuntime) LoadFromArchiveReference(ctx context.Context, srcRef type
 }
 
 // New calls into local storage to look for an image in local storage or to pull it
-func (r *LocalRuntime) New(ctx context.Context, name, signaturePolicyPath, authfile string, writer io.Writer, dockeroptions *image.DockerRegistryOptions, signingoptions image.SigningOptions, forcePull bool, label *string) (*ContainerImage, error) {
-	img, err := r.Runtime.ImageRuntime().New(ctx, name, signaturePolicyPath, authfile, writer, dockeroptions, signingoptions, forcePull, label)
+func (r *LocalRuntime) New(ctx context.Context, name, signaturePolicyPath, authfile string, writer io.Writer, dockeroptions *image.DockerRegistryOptions, signingoptions image.SigningOptions, label *string, pullType util.PullType) (*ContainerImage, error) {
+	img, err := r.Runtime.ImageRuntime().New(ctx, name, signaturePolicyPath, authfile, writer, dockeroptions, signingoptions, label, pullType)
 	if err != nil {
 		return nil, err
 	}
@@ -209,7 +210,7 @@ func (r *LocalRuntime) Push(ctx context.Context, srcName, destination, manifestM
 }
 
 // InspectVolumes returns a slice of volumes based on an arg list or --all
-func (r *LocalRuntime) InspectVolumes(ctx context.Context, c *cliconfig.VolumeInspectValues) ([]*Volume, error) {
+func (r *LocalRuntime) InspectVolumes(ctx context.Context, c *cliconfig.VolumeInspectValues) ([]*libpod.InspectVolumeData, error) {
 	var (
 		volumes []*libpod.Volume
 		err     error
@@ -229,7 +230,17 @@ func (r *LocalRuntime) InspectVolumes(ctx context.Context, c *cliconfig.VolumeIn
 	if err != nil {
 		return nil, err
 	}
-	return libpodVolumeToVolume(volumes), nil
+
+	inspectVols := make([]*libpod.InspectVolumeData, 0, len(volumes))
+	for _, vol := range volumes {
+		inspectOut, err := vol.Inspect()
+		if err != nil {
+			return nil, errors.Wrapf(err, "error inspecting volume %s", vol.Name())
+		}
+		inspectVols = append(inspectVols, inspectOut)
+	}
+
+	return inspectVols, nil
 }
 
 // Volumes returns a slice of localruntime volumes
@@ -288,7 +299,11 @@ func (r *LocalRuntime) Build(ctx context.Context, c *cliconfig.BuildValues, opti
 	options.CommonBuildOpts = commonOpts
 	options.SystemContext = systemContext
 
-	options.Runtime = r.GetOCIRuntimePath()
+	if c.GlobalFlags.Runtime != "" {
+		options.Runtime = c.GlobalFlags.Runtime
+	} else {
+		options.Runtime = r.GetOCIRuntimePath()
+	}
 
 	if c.Quiet {
 		options.ReportWriter = ioutil.Discard
diff --git a/pkg/adapter/runtime_remote.go b/pkg/adapter/runtime_remote.go
index 0cafbb2aa..683bf1d35 100644
--- a/pkg/adapter/runtime_remote.go
+++ b/pkg/adapter/runtime_remote.go
@@ -21,11 +21,12 @@ import (
 	"github.com/containers/image/types"
 	"github.com/containers/libpod/cmd/podman/cliconfig"
 	"github.com/containers/libpod/cmd/podman/remoteclientconfig"
-	"github.com/containers/libpod/cmd/podman/varlink"
+	iopodman "github.com/containers/libpod/cmd/podman/varlink"
 	"github.com/containers/libpod/libpod"
 	"github.com/containers/libpod/libpod/define"
 	"github.com/containers/libpod/libpod/events"
 	"github.com/containers/libpod/libpod/image"
+	"github.com/containers/libpod/pkg/util"
 	"github.com/containers/libpod/utils"
 	"github.com/containers/storage/pkg/archive"
 	"github.com/opencontainers/go-digest"
@@ -272,7 +273,7 @@ func (r *LocalRuntime) LoadFromArchiveReference(ctx context.Context, srcRef type
 }
 
 // New calls into local storage to look for an image in local storage or to pull it
-func (r *LocalRuntime) New(ctx context.Context, name, signaturePolicyPath, authfile string, writer io.Writer, dockeroptions *image.DockerRegistryOptions, signingoptions image.SigningOptions, forcePull bool, label *string) (*ContainerImage, error) {
+func (r *LocalRuntime) New(ctx context.Context, name, signaturePolicyPath, authfile string, writer io.Writer, dockeroptions *image.DockerRegistryOptions, signingoptions image.SigningOptions, label *string, pullType util.PullType) (*ContainerImage, error) {
 	var iid string
 	if label != nil {
 		return nil, errors.New("the remote client function does not support checking a remote image for a label")
@@ -668,7 +669,6 @@ func varlinkVolumeToVolume(r *LocalRuntime, volumes []iopodman.Volume) []*Volume
 			MountPoint: v.MountPoint,
 			Driver:     v.Driver,
 			Options:    v.Options,
-			Scope:      v.Scope,
 		}
 		n := remoteVolume{
 			Runtime: r,
@@ -812,7 +812,7 @@ func IsImageNotFound(err error) bool {
 
 // HealthCheck executes a container's healthcheck over a varlink connection
 func (r *LocalRuntime) HealthCheck(c *cliconfig.HealthCheckValues) (string, error) {
-	return "", define.ErrNotImplemented
+	return iopodman.HealthCheckRun().Call(r.Conn, c.InputArgs[0])
 }
 
 // Events monitors libpod/podman events over a varlink connection
diff --git a/pkg/adapter/volumes_remote.go b/pkg/adapter/volumes_remote.go
index beacd943a..58f9ba625 100644
--- a/pkg/adapter/volumes_remote.go
+++ b/pkg/adapter/volumes_remote.go
@@ -29,5 +29,5 @@ func (v *Volume) MountPoint() string {
 
 // Scope returns the scope for an adapter.volume
 func (v *Volume) Scope() string {
-	return v.config.Scope
+	return "local"
 }
diff --git a/pkg/cgroups/cgroups.go b/pkg/cgroups/cgroups.go
index f2c6b548e..085718855 100644
--- a/pkg/cgroups/cgroups.go
+++ b/pkg/cgroups/cgroups.go
@@ -10,6 +10,8 @@ import (
 	"strconv"
 	"strings"
 
+	systemdDbus "github.com/coreos/go-systemd/dbus"
+	"github.com/godbus/dbus"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -352,7 +354,56 @@ func (c *CgroupControl) CreateSystemdUnit(path string) error {
 	if !c.systemd {
 		return fmt.Errorf("the cgroup controller is not using systemd")
 	}
-	return systemdCreate(path)
+
+	conn, err := systemdDbus.New()
+	if err != nil {
+		return err
+	}
+	defer conn.Close()
+
+	return systemdCreate(path, conn)
+}
+
+// GetUserConnection returns an user connection to D-BUS
+func GetUserConnection(uid int) (*systemdDbus.Conn, error) {
+	return systemdDbus.NewConnection(func() (*dbus.Conn, error) {
+		return dbusAuthConnection(uid, dbus.SessionBusPrivate)
+	})
+}
+
+// CreateSystemdUserUnit creates the systemd cgroup for the specified user
+func (c *CgroupControl) CreateSystemdUserUnit(path string, uid int) error {
+	if !c.systemd {
+		return fmt.Errorf("the cgroup controller is not using systemd")
+	}
+
+	conn, err := GetUserConnection(uid)
+	if err != nil {
+		return err
+	}
+	defer conn.Close()
+
+	return systemdCreate(path, conn)
+}
+
+func dbusAuthConnection(uid int, createBus func(opts ...dbus.ConnOption) (*dbus.Conn, error)) (*dbus.Conn, error) {
+	conn, err := createBus()
+	if err != nil {
+		return nil, err
+	}
+
+	methods := []dbus.Auth{dbus.AuthExternal(strconv.Itoa(uid))}
+
+	err = conn.Auth(methods)
+	if err != nil {
+		conn.Close()
+		return nil, err
+	}
+	if err := conn.Hello(); err != nil {
+		return nil, err
+	}
+
+	return conn, nil
 }
 
 // Delete cleans a cgroup
@@ -386,10 +437,11 @@ func rmDirRecursively(path string) error {
 	return nil
 }
 
-// DeleteByPath deletes the specified cgroup path
-func (c *CgroupControl) DeleteByPath(path string) error {
+// DeleteByPathConn deletes the specified cgroup path using the specified
+// dbus connection if needed.
+func (c *CgroupControl) DeleteByPathConn(path string, conn *systemdDbus.Conn) error {
 	if c.systemd {
-		return systemdDestroy(path)
+		return systemdDestroyConn(path, conn)
 	}
 	if c.cgroup2 {
 		return rmDirRecursively(filepath.Join(cgroupRoot, c.path))
@@ -413,6 +465,19 @@ func (c *CgroupControl) DeleteByPath(path string) error {
 	return lastError
 }
 
+// DeleteByPath deletes the specified cgroup path
+func (c *CgroupControl) DeleteByPath(path string) error {
+	if c.systemd {
+		conn, err := systemdDbus.New()
+		if err != nil {
+			return err
+		}
+		defer conn.Close()
+		return c.DeleteByPathConn(path, conn)
+	}
+	return c.DeleteByPathConn(path, nil)
+}
+
 // Update updates the cgroups
 func (c *CgroupControl) Update(resources *spec.LinuxResources) error {
 	for _, h := range handlers {
diff --git a/pkg/cgroups/systemd.go b/pkg/cgroups/systemd.go
index e72e456bc..b8e6db156 100644
--- a/pkg/cgroups/systemd.go
+++ b/pkg/cgroups/systemd.go
@@ -9,13 +9,7 @@ import (
 	"github.com/godbus/dbus"
 )
 
-func systemdCreate(path string) error {
-	c, err := systemdDbus.New()
-	if err != nil {
-		return err
-	}
-	defer c.Close()
-
+func systemdCreate(path string, c *systemdDbus.Conn) error {
 	slice, name := filepath.Split(path)
 	slice = strings.TrimSuffix(slice, "/")
 
@@ -43,7 +37,7 @@ func systemdCreate(path string) error {
 		}
 
 		ch := make(chan string)
-		_, err = c.StartTransientUnit(name, "replace", properties, ch)
+		_, err := c.StartTransientUnit(name, "replace", properties, ch)
 		if err != nil {
 			lastError = err
 			continue
@@ -55,7 +49,7 @@ func systemdCreate(path string) error {
 }
 
 /*
-   systemdDestroy is copied from containerd/cgroups/systemd.go file, that
+   systemdDestroyConn is copied from containerd/cgroups/systemd.go file, that
    has the following license:
 
    Copyright The containerd Authors.
@@ -72,18 +66,11 @@ func systemdCreate(path string) error {
    See the License for the specific language governing permissions and
    limitations under the License.
 */
-
-func systemdDestroy(path string) error {
-	c, err := systemdDbus.New()
-	if err != nil {
-		return err
-	}
-	defer c.Close()
-
+func systemdDestroyConn(path string, c *systemdDbus.Conn) error {
 	name := filepath.Base(path)
 
 	ch := make(chan string)
-	_, err = c.StopUnit(name, "replace", ch)
+	_, err := c.StopUnit(name, "replace", ch)
 	if err != nil {
 		return err
 	}
diff --git a/pkg/hooks/hooks.go b/pkg/hooks/hooks.go
index b962ffa5c..0d26bf4af 100644
--- a/pkg/hooks/hooks.go
+++ b/pkg/hooks/hooks.go
@@ -4,6 +4,7 @@ package hooks
 import (
 	"context"
 	"fmt"
+	"os"
 	"sort"
 	"strings"
 	"sync"
@@ -56,7 +57,7 @@ func New(ctx context.Context, directories []string, extensionStages []string) (m
 
 	for _, dir := range directories {
 		err = ReadDir(dir, manager.extensionStages, manager.hooks)
-		if err != nil {
+		if err != nil && !os.IsNotExist(err) {
 			return nil, err
 		}
 	}
diff --git a/pkg/network/config.go b/pkg/network/config.go
new file mode 100644
index 000000000..d282f66b6
--- /dev/null
+++ b/pkg/network/config.go
@@ -0,0 +1,4 @@
+package network
+
+// CNIConfigDir is the path where CNI config files exist
+const CNIConfigDir = "/etc/cni/net.d"
diff --git a/pkg/network/network.go b/pkg/network/network.go
new file mode 100644
index 000000000..9d04340a3
--- /dev/null
+++ b/pkg/network/network.go
@@ -0,0 +1,26 @@
+package network
+
+import (
+	"sort"
+
+	"github.com/containernetworking/cni/libcni"
+)
+
+// LoadCNIConfsFromDir loads all the CNI configurations from a dir
+func LoadCNIConfsFromDir(dir string) ([]*libcni.NetworkConfigList, error) {
+	var configs []*libcni.NetworkConfigList
+	files, err := libcni.ConfFiles(dir, []string{".conflist"})
+	if err != nil {
+		return nil, err
+	}
+	sort.Strings(files)
+
+	for _, confFile := range files {
+		conf, err := libcni.ConfListFromFile(confFile)
+		if err != nil {
+			return nil, err
+		}
+		configs = append(configs, conf)
+	}
+	return configs, nil
+}
diff --git a/pkg/spec/storage.go b/pkg/spec/storage.go
index a8dc7f4a8..b634f4cac 100644
--- a/pkg/spec/storage.go
+++ b/pkg/spec/storage.go
@@ -168,14 +168,14 @@ func (config *CreateConfig) parseVolumes(runtime *libpod.Runtime) ([]spec.Mount,
 		"/run":     false,
 	}
 	if config.ReadOnlyRootfs && config.ReadOnlyTmpfs {
-		options := []string{"rw", "rprivate", "nosuid", "nodev", "tmpcopyup", "size=65536k"}
+		options := []string{"rw", "rprivate", "nosuid", "nodev", "tmpcopyup"}
 		for dest := range readonlyTmpfs {
 			if _, ok := baseMounts[dest]; ok {
 				continue
 			}
 			localOpts := options
 			if dest == "/run" {
-				localOpts = append(localOpts, "noexec")
+				localOpts = append(localOpts, "noexec", "size=65536k")
 			}
 			baseMounts[dest] = spec.Mount{
 				Destination: dest,
diff --git a/pkg/util/mountOpts.go b/pkg/util/mountOpts.go
index 40c99384d..9b2c734c0 100644
--- a/pkg/util/mountOpts.go
+++ b/pkg/util/mountOpts.go
@@ -92,9 +92,6 @@ func ProcessTmpfsOptions(options []string) ([]string, error) {
 	if !foundWrite {
 		baseOpts = append(baseOpts, "rw")
 	}
-	if !foundSize {
-		baseOpts = append(baseOpts, "size=65536k")
-	}
 	if !foundProp {
 		baseOpts = append(baseOpts, "rprivate")
 	}
diff --git a/pkg/util/utils.go b/pkg/util/utils.go
index 520e41438..3f73639e7 100644
--- a/pkg/util/utils.go
+++ b/pkg/util/utils.go
@@ -356,3 +356,32 @@ func OpenExclusiveFile(path string) (*os.File, error) {
 	}
 	return os.OpenFile(path, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0666)
 }
+
+// PullType whether to pull new image
+type PullType int
+
+const (
+	// PullImageAlways always try to pull new image when create or run
+	PullImageAlways PullType = iota
+	// PullImageMissing pulls image if it is not locally
+	PullImageMissing
+	// PullImageNever will never pull new image
+	PullImageNever
+)
+
+// ValidatePullType check if the pullType from CLI is valid and returns the valid enum type
+// if the value from CLI is invalid returns the error
+func ValidatePullType(pullType string) (PullType, error) {
+	switch pullType {
+	case "always":
+		return PullImageAlways, nil
+	case "missing":
+		return PullImageMissing, nil
+	case "never":
+		return PullImageNever, nil
+	case "":
+		return PullImageMissing, nil
+	default:
+		return PullImageMissing, errors.Errorf("invalid pull type %q", pullType)
+	}
+}
diff --git a/pkg/varlinkapi/containers.go b/pkg/varlinkapi/containers.go
index bb66ff962..2dcdbc089 100644
--- a/pkg/varlinkapi/containers.go
+++ b/pkg/varlinkapi/containers.go
@@ -14,11 +14,13 @@ import (
 	"time"
 
 	"github.com/containers/libpod/cmd/podman/shared"
-	"github.com/containers/libpod/cmd/podman/varlink"
+	iopodman "github.com/containers/libpod/cmd/podman/varlink"
 	"github.com/containers/libpod/libpod"
 	"github.com/containers/libpod/libpod/define"
 	"github.com/containers/libpod/libpod/logs"
 	"github.com/containers/libpod/pkg/adapter/shortcuts"
+	"github.com/containers/libpod/pkg/cgroups"
+	"github.com/containers/libpod/pkg/rootless"
 	"github.com/containers/libpod/pkg/varlinkapi/virtwriter"
 	"github.com/containers/storage/pkg/archive"
 	"github.com/pkg/errors"
@@ -317,6 +319,13 @@ func (i *LibpodAPI) ExportContainer(call iopodman.VarlinkCall, name, outPath str
 
 // GetContainerStats ...
 func (i *LibpodAPI) GetContainerStats(call iopodman.VarlinkCall, name string) error {
+	cgroupv2, err := cgroups.IsCgroup2UnifiedMode()
+	if err != nil {
+		return call.ReplyErrorOccurred(err.Error())
+	}
+	if rootless.IsRootless() && !cgroupv2 {
+		return call.ReplyErrRequiresCgroupsV2ForRootless("rootless containers cannot report container stats")
+	}
 	ctr, err := i.Runtime.LookupContainer(name)
 	if err != nil {
 		return call.ReplyContainerNotFound(name, err.Error())
@@ -855,3 +864,16 @@ func (i *LibpodAPI) ExecContainer(call iopodman.VarlinkCall, opts iopodman.ExecO
 
 	return ecErr.Error
 }
+
+//HealthCheckRun executes defined container's healthcheck command and returns the container's health status.
+func (i *LibpodAPI) HealthCheckRun(call iopodman.VarlinkCall, nameOrID string) error {
+	hcStatus, err := i.Runtime.HealthCheck(nameOrID)
+	if err != nil && hcStatus != libpod.HealthCheckFailure {
+		return call.ReplyErrorOccurred(err.Error())
+	}
+	status := libpod.HealthCheckUnhealthy
+	if hcStatus == libpod.HealthCheckSuccess {
+		status = libpod.HealthCheckHealthy
+	}
+	return call.ReplyHealthCheckRun(status)
+}
diff --git a/pkg/varlinkapi/images.go b/pkg/varlinkapi/images.go
index b5a711dfd..fe7f11b4d 100644
--- a/pkg/varlinkapi/images.go
+++ b/pkg/varlinkapi/images.go
@@ -658,7 +658,7 @@ func (i *LibpodAPI) PullImage(call iopodman.VarlinkCall, name string) error {
 				imageID = newImage[0].ID()
 			}
 		} else {
-			newImage, err := i.Runtime.ImageRuntime().New(getContext(), name, "", "", output, &dockerRegistryOptions, so, false, nil)
+			newImage, err := i.Runtime.ImageRuntime().New(getContext(), name, "", "", output, &dockerRegistryOptions, so, nil, util.PullImageMissing)
 			if err != nil {
 				foundError = true
 				c <- errors.Wrapf(err, "unable to pull %s", name)
diff --git a/pkg/varlinkapi/volumes.go b/pkg/varlinkapi/volumes.go
index 19ba38e7c..6dd86d831 100644
--- a/pkg/varlinkapi/volumes.go
+++ b/pkg/varlinkapi/volumes.go
@@ -68,7 +68,6 @@ func (i *LibpodAPI) GetVolumes(call iopodman.VarlinkCall, args []string, all boo
 			MountPoint: v.MountPoint(),
 			Name:       v.Name(),
 			Options:    v.Options(),
-			Scope:      v.Scope(),
 		}
 		volumes = append(volumes, newVol)
 	}