Diffstat (limited to 'pkg')
-rw-r--r--pkg/lookup/lookup.go18
-rw-r--r--pkg/rootless/rootless_linux.go26
-rw-r--r--pkg/spec/createconfig.go7
-rw-r--r--pkg/util/utils.go2
4 files changed, 41 insertions, 12 deletions
diff --git a/pkg/lookup/lookup.go b/pkg/lookup/lookup.go
index a9d975b4b..70b97144f 100644
--- a/pkg/lookup/lookup.go
+++ b/pkg/lookup/lookup.go
@@ -99,9 +99,11 @@ func GetContainerGroups(groups []string, containerMount string, override *Overri
return uintgids, nil
}
-// GetUser takes a containermount path and user name or id and returns
+// GetUser takes a containermount path and user name or ID and returns
// a matching User structure from /etc/passwd. If it cannot locate a user
// with the provided information, an ErrNoPasswdEntries is returned.
+// When the provided user name was an ID, a User structure with Uid
+// set is returned along with ErrNoPasswdEntries.
func GetUser(containerMount, userIDorName string) (*user.User, error) {
var inputIsName bool
uid, err := strconv.Atoi(userIDorName)
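Review bot: The new sentence at lines 24–25 should say that only Uid is populated and every other field of the returned User (Gid, Home, Shell, Name) is its zero value, because a caller that keeps the struct after ignoring ErrNoPasswdEntries would otherwise read Gid as 0. Suggested wording: `// When the provided user name was a numeric ID, a User structure with only Uid set (all other fields zero-valued) is returned along with ErrNoPasswdEntries.` The GetGroup comment in the next hunk still reads "a match Group struct" where "a matching Group struct" is meant. GetUser's body continues outside the hunk.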
@@ -124,12 +126,17 @@ func GetUser(containerMount, userIDorName string) (*user.User, error) {
if len(users) > 0 {
return &users[0], nil
}
+ if !inputIsName {
+ return &user.User{Uid: uid}, user.ErrNoPasswdEntries
+ }
return nil, user.ErrNoPasswdEntries
}
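Review bot: Returning a non-nil *user.User together with a non-nil error at line 34 goes against the convention that the value is meaningless when err != nil, and the same shape is used for groups at line 54 in the last hunk of this file. Callers that follow `if err != nil { return }` never see the fallback, while callers that inspect the struct after the error get a User whose Gid is 0 (conventionally the root group) unless they resolve the group separately, so the contract deserves a comment where the stub is built, e.g. `// numeric ID not in /etc/passwd: hand back a stub with only Uid set so the caller can still apply the UID` above line 33, and the mirror of it above line 53. GetUser's body starts outside the hunk.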
-// GetGroup takes ac ontainermount path and a group name or id and returns
-// a match Group struct from /etc/group. if it cannot locate a group,
-// an ErrNoGroupEntries error is returned.
+// GetGroup takes a containermount path and a group name or ID and returns
+// a match Group struct from /etc/group. If it cannot locate a group,
+// an ErrNoGroupEntries error is returned. When the provided group name
+// was an ID, a Group structure with Gid set is returned along with
+// ErrNoGroupEntries.
func GetGroup(containerMount, groupIDorName string) (*user.Group, error) {
var inputIsName bool
gid, err := strconv.Atoi(groupIDorName)
@@ -154,5 +161,8 @@ func GetGroup(containerMount, groupIDorName string) (*user.Group, error) {
if len(groups) > 0 {
return &groups[0], nil
}
+ if !inputIsName {
+ return &user.Group{Gid: gid}, user.ErrNoGroupEntries
+ }
return nil, user.ErrNoGroupEntries
}
diff --git a/pkg/rootless/rootless_linux.go b/pkg/rootless/rootless_linux.go
index 85b0ef392..07002da3f 100644
--- a/pkg/rootless/rootless_linux.go
+++ b/pkg/rootless/rootless_linux.go
@@ -74,7 +74,7 @@ func GetRootlessUID() int {
func tryMappingTool(tool string, pid int, hostID int, mappings []idtools.IDMap) error {
path, err := exec.LookPath(tool)
if err != nil {
- return err
+ return errors.Wrapf(err, "cannot find %s", tool)
}
appendTriplet := func(l []string, a, b, c int) []string {
@@ -92,7 +92,11 @@ func tryMappingTool(tool string, pid int, hostID int, mappings []idtools.IDMap)
Path: path,
Args: args,
}
- return cmd.Run()
+
+ if err := cmd.Run(); err != nil {
+ return errors.Wrapf(err, "cannot setup namespace using %s", tool)
+ }
+ return nil
}
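Review bot: The wrapped error at line 77 says only which tool failed; the tool's stderr, where newuidmap/newgidmap report why (a missing subordinate range, for instance), is not captured because nothing in the hunk sets cmd.Stderr, and if it is not set earlier in tryMappingTool (outside the hunk) the reason is lost. Capturing it into a buffer and appending it to the message makes the failure actionable. This needs `bytes` and `strings` imported in the file if they are not already.
```go
	var stderr bytes.Buffer
	cmd.Stderr = &stderr
	if err := cmd.Run(); err != nil {
		return errors.Wrapf(err, "cannot setup namespace using %s: %s", tool, strings.TrimSpace(stderr.String()))
	}
	return nil
```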
// JoinNS re-exec podman in a new userNS and join the user namespace of the specified
@@ -191,11 +195,13 @@ func BecomeRootInUserNS() (bool, int, error) {
return false, -1, errors.Errorf("cannot re-exec process")
}
+ allowSingleIDMapping := os.Getenv("PODMAN_ALLOW_SINGLE_ID_MAPPING_IN_USERNS") != ""
+
var uids, gids []idtools.IDMap
username := os.Getenv("USER")
if username == "" {
user, err := user.LookupId(fmt.Sprintf("%d", os.Getuid()))
- if err != nil && os.Getenv("PODMAN_ALLOW_SINGLE_ID_MAPPING_IN_USERNS") == "" {
+ if err != nil && !allowSingleIDMapping {
if os.IsNotExist(err) {
return false, 0, errors.Wrapf(err, "/etc/subuid or /etc/subgid does not exist, see subuid/subgid man pages for information on these files")
}
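Review bot: The new allowSingleIDMapping flag at line 85 is read from an environment variable that later downgrades missing subuid/subgid entries and newuidmap/newgidmap failures from fatal to tolerated, yet nothing says so where it is declared. A one-line comment would make the escape hatch visible to the next reader: `// allowSingleIDMapping: when set, a missing subordinate ID entry or a failing newuidmap/newgidmap is tolerated and the namespace presumably falls back to mapping only the current UID/GID.` The existing `user, err := user.LookupId(...)` at line 90 also shadows the user package for the rest of that block; pre-existing, but worth renaming while the block is being touched. BecomeRootInUserNS's body starts and ends outside the hunk.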
@@ -206,7 +212,7 @@ func BecomeRootInUserNS() (bool, int, error) {
}
}
mappings, err := idtools.NewIDMappings(username, username)
- if os.Getenv("PODMAN_ALLOW_SINGLE_ID_MAPPING_IN_USERNS") == "" {
+ if !allowSingleIDMapping {
if err != nil {
return false, -1, err
}
@@ -236,7 +242,11 @@ func BecomeRootInUserNS() (bool, int, error) {
uidsMapped := false
if mappings != nil && uids != nil {
- uidsMapped = tryMappingTool("newuidmap", pid, os.Getuid(), uids) == nil
+ err := tryMappingTool("newuidmap", pid, os.Getuid(), uids)
+ if !allowSingleIDMapping && err != nil {
+ return false, 0, err
+ }
+ uidsMapped = err == nil
}
if !uidsMapped {
setgroups := fmt.Sprintf("/proc/%d/setgroups", pid)
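Review bot: When allowSingleIDMapping is set, the error from tryMappingTool at line 109 is dropped without a trace, so a user with a misconfigured subordinate range gets a silently reduced namespace; the same applies to the newgidmap branch in the next hunk (lines 121–125). Logging the error at debug level before falling through, with whatever logger this file uses, keeps the fallback diagnosable; a comment such as `// err is tolerated only because PODMAN_ALLOW_SINGLE_ID_MAPPING_IN_USERNS is set; log it so the degraded mapping is visible` would mark the intent. The fatal path at line 111 returns `0` as the int result while the comparable returns at lines 83 and 103 use `-1`; pick one. The enclosing function starts and ends outside the hunk.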
@@ -254,7 +264,11 @@ func BecomeRootInUserNS() (bool, int, error) {
gidsMapped := false
if mappings != nil && gids != nil {
- gidsMapped = tryMappingTool("newgidmap", pid, os.Getgid(), gids) == nil
+ err := tryMappingTool("newgidmap", pid, os.Getgid(), gids)
+ if !allowSingleIDMapping && err != nil {
+ return false, 0, err
+ }
+ gidsMapped = err == nil
}
if !gidsMapped {
gidMap := fmt.Sprintf("/proc/%d/gid_map", pid)
diff --git a/pkg/spec/createconfig.go b/pkg/spec/createconfig.go
index a0fd40318..25f8cd7a1 100644
--- a/pkg/spec/createconfig.go
+++ b/pkg/spec/createconfig.go
@@ -496,8 +496,13 @@ func (c *CreateConfig) GetContainerCreateOptions(runtime *libpod.Runtime) ([]lib
// CreatePortBindings iterates ports mappings and exposed ports into a format CNI understands
func (c *CreateConfig) CreatePortBindings() ([]ocicni.PortMapping, error) {
+ return NatToOCIPortBindings(c.PortBindings)
+}
+
+// NatToOCIPortBindings iterates a nat.portmap slice and creates []ocicni portmapping slice
+func NatToOCIPortBindings(ports nat.PortMap) ([]ocicni.PortMapping, error) {
var portBindings []ocicni.PortMapping
- for containerPb, hostPb := range c.PortBindings {
+ for containerPb, hostPb := range ports {
var pm ocicni.PortMapping
pm.ContainerPort = int32(containerPb.Int())
for _, i := range hostPb {
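Review bot: The doc comment for the newly exported NatToOCIPortBindings at line 139 calls its input a "nat.portmap slice", but nat.PortMap at line 140 is a map, and the comment should name what comes back; suggest `// NatToOCIPortBindings converts a nat.PortMap into the []ocicni.PortMapping form CNI expects.` Since the function is now exported it should also state the nil/empty behaviour; from the declaration at line 141 and the range at line 143 an empty or nil map appears to yield a nil slice, which is worth confirming against the return outside the hunk. The function body continues outside the hunk.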
diff --git a/pkg/util/utils.go b/pkg/util/utils.go
index de29bc5d8..e483253a4 100644
--- a/pkg/util/utils.go
+++ b/pkg/util/utils.go
@@ -313,7 +313,7 @@ func getTomlStorage(storeOptions *storage.StoreOptions) *tomlConfig {
return config
}
-// GetDefaultStoreOptions returns the storage ops for containers
+// GetDefaultStoreOptions returns the default storage options for containers.
func GetDefaultStoreOptions() (storage.StoreOptions, error) {
storageOpts := storage.DefaultStoreOptions
if rootless.IsRootless() {