vendor: update containers/storage

update to version 956a1971694f18fd602b1203c0a2d192e2cc88a1

inherit support for IDs shifting when fuse-overlayfs is used.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Closes: #1177
Approved by: mheon

vendor.conf

@@ -11,7 +11,7 @@ github.com/containerd/continuity master
 github.com/containernetworking/cni v0.7.0-alpha1
 github.com/containernetworking/plugins 1562a1e60ed101aacc5e08ed9dbeba8e9f3d4ec1
 github.com/containers/image 134f99bed228d6297dc01d152804f6f09f185418
-github.com/containers/storage afdedba2d2ad573350aee35033d4e0c58fdbd57b
+github.com/containers/storage 956a1971694f18fd602b1203c0a2d192e2cc88a1
 github.com/containers/psgo 382fc951fe0a8aba62043862ce1a56f77524db87
 github.com/coreos/go-systemd v14
 github.com/cri-o/ocicni master

vendor/github.com/containers/storage/drivers/aufs/aufs.go

@@ -416,7 +416,7 @@ func atomicRemove(source string) error {
 
 // Get returns the rootfs path for the id.
 // This will mount the dir at its given path
-func (a *Driver) Get(id, mountLabel string) (string, error) {
+func (a *Driver) Get(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (string, error) {
 	a.locker.Lock(id)
 	defer a.locker.Unlock(id)
 	parents, err := a.getParentLayerPaths(id)
@@ -728,3 +728,8 @@ func useDirperm() bool {
 func (a *Driver) UpdateLayerIDMap(id string, toContainer, toHost *idtools.IDMappings, mountLabel string) error {
 	return fmt.Errorf("aufs doesn't support changing ID mappings")
 }
+
+// SupportsShifting tells whether the driver support shifting of the UIDs/GIDs in an userNS
+func (a *Driver) SupportsShifting() bool {
+	return false
+}

vendor/github.com/containers/storage/drivers/btrfs/btrfs.go

@@ -634,7 +634,7 @@ func (d *Driver) Remove(id string) error {
 }
 
 // Get the requested filesystem id.
-func (d *Driver) Get(id, mountLabel string) (string, error) {
+func (d *Driver) Get(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (string, error) {
 	dir := d.subvolumesDirID(id)
 	st, err := os.Stat(dir)
 	if err != nil {

vendor/github.com/containers/storage/drivers/chown.go

@@ -114,7 +114,7 @@ func NewNaiveLayerIDMapUpdater(driver ProtoDriver) LayerIDMapUpdater {
 // same "container" IDs.
 func (n *naiveLayerIDMapUpdater) UpdateLayerIDMap(id string, toContainer, toHost *idtools.IDMappings, mountLabel string) error {
 	driver := n.ProtoDriver
-	layerFs, err := driver.Get(id, mountLabel)
+	layerFs, err := driver.Get(id, mountLabel, nil, nil)
 	if err != nil {
 		return err
 	}
@@ -124,3 +124,8 @@ func (n *naiveLayerIDMapUpdater) UpdateLayerIDMap(id string, toContainer, toHost
 
 	return ChownPathByMaps(layerFs, toContainer, toHost)
 }
+
+// SupportsShifting tells whether the driver support shifting of the UIDs/GIDs in an userNS
+func (n *naiveLayerIDMapUpdater) SupportsShifting() bool {
+	return false
+}

vendor/github.com/containers/storage/drivers/devmapper/driver.go

@@ -163,7 +163,7 @@ func (d *Driver) Remove(id string) error {
 }
 
 // Get mounts a device with given id into the root filesystem
-func (d *Driver) Get(id, mountLabel string) (string, error) {
+func (d *Driver) Get(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (string, error) {
 	d.locker.Lock(id)
 	defer d.locker.Unlock(id)
 	mp := path.Join(d.home, "mnt", id)

vendor/github.com/containers/storage/drivers/driver.go

@@ -66,8 +66,9 @@ type ProtoDriver interface {
 	Remove(id string) error
 	// Get returns the mountpoint for the layered filesystem referred
 	// to by this id. You can optionally specify a mountLabel or "".
+	// Optionally it gets the mappings used to create the layer.
 	// Returns the absolute path to the mounted layered filesystem.
-	Get(id, mountLabel string) (dir string, err error)
+	Get(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (dir string, err error)
 	// Put releases the system resources for the specified id,
 	// e.g, unmounting layered filesystem.
 	Put(id string) error
@@ -118,6 +119,10 @@ type LayerIDMapUpdater interface {
 	// relative to a parent layer, but before this method is called, may be discarded
 	// by Diff().
 	UpdateLayerIDMap(id string, toContainer, toHost *idtools.IDMappings, mountLabel string) error
+
+	// SupportsShifting tells whether the driver support shifting of the UIDs/GIDs in a
+	// image and it is not required to Chown the files when running in an user namespace.
+	SupportsShifting() bool
 }
 
 // Driver is the interface for layered/snapshot file system drivers.

vendor/github.com/containers/storage/drivers/fsdiff.go

@@ -51,7 +51,7 @@ func (gdw *NaiveDiffDriver) Diff(id string, idMappings *idtools.IDMappings, pare
 		parentMappings = &idtools.IDMappings{}
 	}
 
-	layerFs, err := driver.Get(id, mountLabel)
+	layerFs, err := driver.Get(id, mountLabel, nil, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -78,7 +78,7 @@ func (gdw *NaiveDiffDriver) Diff(id string, idMappings *idtools.IDMappings, pare
 		}), nil
 	}
 
-	parentFs, err := driver.Get(parent, mountLabel)
+	parentFs, err := driver.Get(parent, mountLabel, nil, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -119,7 +119,7 @@ func (gdw *NaiveDiffDriver) Changes(id string, idMappings *idtools.IDMappings, p
 		parentMappings = &idtools.IDMappings{}
 	}
 
-	layerFs, err := driver.Get(id, mountLabel)
+	layerFs, err := driver.Get(id, mountLabel, nil, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -128,7 +128,7 @@ func (gdw *NaiveDiffDriver) Changes(id string, idMappings *idtools.IDMappings, p
 	parentFs := ""
 
 	if parent != "" {
-		parentFs, err = driver.Get(parent, mountLabel)
+		parentFs, err = driver.Get(parent, mountLabel, nil, nil)
 		if err != nil {
 			return nil, err
 		}
@@ -149,7 +149,7 @@ func (gdw *NaiveDiffDriver) ApplyDiff(id string, applyMappings *idtools.IDMappin
 	}
 
 	// Mount the root filesystem so we can apply the diff/layer.
-	layerFs, err := driver.Get(id, mountLabel)
+	layerFs, err := driver.Get(id, mountLabel, nil, nil)
 	if err != nil {
 		return
 	}
@@ -189,7 +189,7 @@ func (gdw *NaiveDiffDriver) DiffSize(id string, idMappings *idtools.IDMappings,
 		return
 	}
 
-	layerFs, err := driver.Get(id, mountLabel)
+	layerFs, err := driver.Get(id, mountLabel, nil, nil)
 	if err != nil {
 		return
 	}

vendor/github.com/containers/storage/drivers/overlay/overlay.go

@@ -3,6 +3,7 @@
 package overlay
 
 import (
+	"bytes"
 	"fmt"
 	"io"
 	"io/ioutil"
@@ -590,6 +591,32 @@ func (d *Driver) getLowerDirs(id string) ([]string, error) {
 	return lowersArray, nil
 }
 
+func (d *Driver) optsAppendMappings(opts string, uidMaps, gidMaps []idtools.IDMap) string {
+	if uidMaps == nil {
+		uidMaps = d.uidMaps
+	}
+	if gidMaps == nil {
+		gidMaps = d.gidMaps
+	}
+	if uidMaps != nil {
+		var uids, gids bytes.Buffer
+		for _, i := range uidMaps {
+			if uids.Len() > 0 {
+				uids.WriteString(":")
+			}
+			uids.WriteString(fmt.Sprintf("%d:%d:%d", i.ContainerID, i.HostID, i.Size))
+		}
+		for _, i := range gidMaps {
+			if gids.Len() > 0 {
+				gids.WriteString(":")
+			}
+			gids.WriteString(fmt.Sprintf("%d:%d:%d", i.ContainerID, i.HostID, i.Size))
+		}
+		return fmt.Sprintf("%s,uidmapping=%s,gidmapping=%s", opts, uids.String(), gids.String())
+	}
+	return opts
+}
+
 // Remove cleans the directories that are created for this id.
 func (d *Driver) Remove(id string) error {
 	d.locker.Lock(id)
@@ -615,7 +642,11 @@ func (d *Driver) Remove(id string) error {
 }
 
 // Get creates and mounts the required file system for the given id and returns the mount path.
-func (d *Driver) Get(id, mountLabel string) (_ string, retErr error) {
+func (d *Driver) Get(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (_ string, retErr error) {
+	return d.get(id, mountLabel, false, uidMaps, gidMaps)
+}
+
+func (d *Driver) get(id, mountLabel string, disableShifting bool, uidMaps, gidMaps []idtools.IDMap) (_ string, retErr error) {
 	d.locker.Lock(id)
 	defer d.locker.Unlock(id)
 	dir := d.dir(id)
@@ -719,24 +750,25 @@ func (d *Driver) Get(id, mountLabel string) (_ string, retErr error) {
 	// the page size. The mount syscall fails if the mount data cannot
 	// fit within a page and relative links make the mount data much
 	// smaller at the expense of requiring a fork exec to chroot.
-	if len(mountData) > pageSize || d.options.mountProgram != "" {
+	if d.options.mountProgram != "" {
+		mountFunc = func(source string, target string, mType string, flags uintptr, label string) error {
+			if !disableShifting {
+				label = d.optsAppendMappings(label, uidMaps, gidMaps)
+			}
+
+			mountProgram := exec.Command(d.options.mountProgram, "-o", label, target)
+			mountProgram.Dir = d.home
+			return mountProgram.Run()
+		}
+	} else if len(mountData) > pageSize {
 		//FIXME: We need to figure out to get this to work with additional stores
 		opts = fmt.Sprintf("lowerdir=%s,upperdir=%s,workdir=%s", strings.Join(relLowers, ":"), path.Join(id, "diff"), path.Join(id, "work"))
 		mountData = label.FormatMountLabel(opts, mountLabel)
 		if len(mountData) > pageSize {
 			return "", fmt.Errorf("cannot mount layer, mount label too large %d", len(mountData))
 		}
-
+		mountFunc = func(source string, target string, mType string, flags uintptr, label string) error {
-		if d.options.mountProgram != "" {
+			return mountFrom(d.home, source, target, mType, flags, label)
-			mountFunc = func(source string, target string, mType string, flags uintptr, label string) error {
-				mountProgram := exec.Command(d.options.mountProgram, "-o", label, target)
-				mountProgram.Dir = d.home
-				return mountProgram.Run()
-			}
-		} else {
-			mountFunc = func(source string, target string, mType string, flags uintptr, label string) error {
-				return mountFrom(d.home, source, target, mType, flags, label)
-			}
 		}
 		mountTarget = path.Join(id, "merged")
 	}
@@ -920,7 +952,7 @@ func (d *Driver) UpdateLayerIDMap(id string, toContainer, toHost *idtools.IDMapp
 	}
 
 	// Mount the new layer and handle ownership changes and possible copy_ups in it.
-	layerFs, err := d.Get(id, mountLabel)
+	layerFs, err := d.get(id, mountLabel, true, nil, nil)
 	if err != nil {
 		return err
 	}
@@ -957,6 +989,14 @@ func (d *Driver) UpdateLayerIDMap(id string, toContainer, toHost *idtools.IDMapp
 	return nil
 }
 
+// SupportsShifting tells whether the driver support shifting of the UIDs/GIDs in an userNS
+func (d *Driver) SupportsShifting() bool {
+	if os.Getenv("_TEST_FORCE_SUPPORT_SHIFTING") == "yes-please" {
+		return true
+	}
+	return d.options.mountProgram != ""
+}
+
 // dumbJoin is more or less a dumber version of filepath.Join, but one which
 // won't Clean() the path, allowing us to append ".." as a component and trust
 // pathname resolution to do some non-obvious work.

vendor/github.com/containers/storage/drivers/vfs/driver.go

@@ -137,7 +137,7 @@ func (d *Driver) create(id, parent string, opts *graphdriver.CreateOpts, ro bool
 		label.SetFileLabel(dir, mountLabel)
 	}
 	if parent != "" {
-		parentDir, err := d.Get(parent, "")
+		parentDir, err := d.Get(parent, "", nil, nil)
 		if err != nil {
 			return fmt.Errorf("%s: %s", parent, err)
 		}
@@ -179,7 +179,7 @@ func (d *Driver) Remove(id string) error {
 }
 
 // Get returns the directory for the given id.
-func (d *Driver) Get(id, mountLabel string) (string, error) {
+func (d *Driver) Get(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (string, error) {
 	dir := d.dir(id)
 	if st, err := os.Stat(dir); err != nil {
 		return "", err

vendor/github.com/containers/storage/drivers/windows/windows.go

@@ -362,7 +362,7 @@ func (d *Driver) Remove(id string) error {
 }
 
 // Get returns the rootfs path for the id. This will mount the dir at its given path.
-func (d *Driver) Get(id, mountLabel string) (string, error) {
+func (d *Driver) Get(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (string, error) {
 	panicIfUsedByLcow()
 	logrus.Debugf("WindowsGraphDriver Get() id %s mountLabel %s", id, mountLabel)
 	var dir string
@@ -620,7 +620,7 @@ func (d *Driver) DiffSize(id string, idMappings *idtools.IDMappings, parent stri
 		return
 	}
 
-	layerFs, err := d.Get(id, "")
+	layerFs, err := d.Get(id, "", nil, nil)
 	if err != nil {
 		return
 	}
@@ -954,6 +954,11 @@ func (d *Driver) UpdateLayerIDMap(id string, toContainer, toHost *idtools.IDMapp
 	return fmt.Errorf("windows doesn't support changing ID mappings")
 }
 
+// SupportsShifting tells whether the driver support shifting of the UIDs/GIDs in an userNS
+func (d *Driver) SupportsShifting() bool {
+	return false
+}
+
 type storageOptions struct {
 	size uint64
 }

vendor/github.com/containers/storage/drivers/zfs/zfs.go

@@ -360,7 +360,7 @@ func (d *Driver) Remove(id string) error {
 }
 
 // Get returns the mountpoint for the given id after creating the target directories if necessary.
-func (d *Driver) Get(id, mountLabel string) (string, error) {
+func (d *Driver) Get(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (string, error) {
 	mountpoint := d.mountPath(id)
 	if count := d.ctr.Increment(mountpoint); count > 1 {
 		return mountpoint, nil

vendor/github.com/containers/storage/layers.go

@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"compress/gzip"
 	"encoding/json"
+	"fmt"
 	"io"
 	"io/ioutil"
 	"os"
@@ -208,7 +209,8 @@ type LayerStore interface {
 	// Mount mounts a layer for use.  If the specified layer is the parent of other
 	// layers, it should not be written to.  An SELinux label to be applied to the
 	// mount can be specified to override the one configured for the layer.
-	Mount(id, mountLabel string) (string, error)
+	// The mappings used by the container can be specified.
+	Mount(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (string, error)
 
 	// Unmount unmounts a layer when it is no longer in use.
 	Unmount(id string, force bool) (bool, error)
@@ -635,7 +637,7 @@ func (r *layerStore) Mounted(id string) (int, error) {
 	return layer.MountCount, nil
 }
 
-func (r *layerStore) Mount(id, mountLabel string) (string, error) {
+func (r *layerStore) Mount(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (string, error) {
 	if !r.IsReadWrite() {
 		return "", errors.Wrapf(ErrStoreIsReadOnly, "not allowed to update mount locations for layers at %q", r.mountspath())
 	}
@@ -650,7 +652,13 @@ func (r *layerStore) Mount(id, mountLabel string) (string, error) {
 	if mountLabel == "" {
 		mountLabel = layer.MountLabel
 	}
-	mountpoint, err := r.driver.Get(id, mountLabel)
+
+	if (uidMaps != nil || gidMaps != nil) && !r.driver.SupportsShifting() {
+		if !reflect.DeepEqual(uidMaps, layer.UIDMap) || !reflect.DeepEqual(gidMaps, layer.GIDMap) {
+			return "", fmt.Errorf("cannot mount layer %v: shifting not enabled", layer.ID)
+		}
+	}
+	mountpoint, err := r.driver.Get(id, mountLabel, uidMaps, gidMaps)
 	if mountpoint != "" && err == nil {
 		if layer.MountPoint != "" {
 			delete(r.bymount, layer.MountPoint)
@@ -937,7 +945,7 @@ func (r *layerStore) newFileGetter(id string) (drivers.FileGetCloser, error) {
 	if getter, ok := r.driver.(drivers.DiffGetterDriver); ok {
 		return getter.DiffGetter(id)
 	}
-	path, err := r.Mount(id, "")
+	path, err := r.Mount(id, "", nil, nil)
 	if err != nil {
 		return nil, err
 	}

vendor/github.com/containers/storage/pkg/archive/example_changes.go

@@ -1,97 +0,0 @@
-// +build ignore
-
-// Simple tool to create an archive stream from an old and new directory
-//
-// By default it will stream the comparison of two temporary directories with junk files
-package main
-
-import (
-	"flag"
-	"fmt"
-	"io"
-	"io/ioutil"
-	"os"
-	"path"
-
-	"github.com/containers/storage/pkg/archive"
-	"github.com/sirupsen/logrus"
-)
-
-var (
-	flDebug  = flag.Bool("D", false, "debugging output")
-	flNewDir = flag.String("newdir", "", "")
-	flOldDir = flag.String("olddir", "", "")
-	log      = logrus.New()
-)
-
-func main() {
-	flag.Usage = func() {
-		fmt.Println("Produce a tar from comparing two directory paths. By default a demo tar is created of around 200 files (including hardlinks)")
-		fmt.Printf("%s [OPTIONS]\n", os.Args[0])
-		flag.PrintDefaults()
-	}
-	flag.Parse()
-	log.Out = os.Stderr
-	if (len(os.Getenv("DEBUG")) > 0) || *flDebug {
-		logrus.SetLevel(logrus.DebugLevel)
-	}
-	var newDir, oldDir string
-
-	if len(*flNewDir) == 0 {
-		var err error
-		newDir, err = ioutil.TempDir("", "storage-test-newDir")
-		if err != nil {
-			log.Fatal(err)
-		}
-		defer os.RemoveAll(newDir)
-		if _, err := prepareUntarSourceDirectory(100, newDir, true); err != nil {
-			log.Fatal(err)
-		}
-	} else {
-		newDir = *flNewDir
-	}
-
-	if len(*flOldDir) == 0 {
-		oldDir, err := ioutil.TempDir("", "storage-test-oldDir")
-		if err != nil {
-			log.Fatal(err)
-		}
-		defer os.RemoveAll(oldDir)
-	} else {
-		oldDir = *flOldDir
-	}
-
-	changes, err := archive.ChangesDirs(newDir, oldDir)
-	if err != nil {
-		log.Fatal(err)
-	}
-
-	a, err := archive.ExportChanges(newDir, changes)
-	if err != nil {
-		log.Fatal(err)
-	}
-	defer a.Close()
-
-	i, err := io.Copy(os.Stdout, a)
-	if err != nil && err != io.EOF {
-		log.Fatal(err)
-	}
-	fmt.Fprintf(os.Stderr, "wrote archive of %d bytes", i)
-}
-
-func prepareUntarSourceDirectory(numberOfFiles int, targetPath string, makeLinks bool) (int, error) {
-	fileData := []byte("fooo")
-	for n := 0; n < numberOfFiles; n++ {
-		fileName := fmt.Sprintf("file-%d", n)
-		if err := ioutil.WriteFile(path.Join(targetPath, fileName), fileData, 0700); err != nil {
-			return 0, err
-		}
-		if makeLinks {
-			if err := os.Link(path.Join(targetPath, fileName), path.Join(targetPath, fileName+"-link")); err != nil {
-				return 0, err
-			}
-		}
-	}
-	totalSize := numberOfFiles * len(fileData)
-	return totalSize, nil
-}

vendor/github.com/containers/storage/store.go

@@ -896,13 +896,18 @@ func (s *store) PutLayer(id, parent string, names []string, mountLabel string, w
 			gidMap = s.gidMap
 		}
 	}
-	layerOptions := &LayerOptions{
+	var layerOptions *LayerOptions
-		IDMappingOptions: IDMappingOptions{
+	if s.graphDriver.SupportsShifting() {
-			HostUIDMapping: options.HostUIDMapping,
+		layerOptions = &LayerOptions{IDMappingOptions: IDMappingOptions{HostUIDMapping: true, HostGIDMapping: true, UIDMap: nil, GIDMap: nil}}
-			HostGIDMapping: options.HostGIDMapping,
+	} else {
-			UIDMap:         copyIDMap(uidMap),
+		layerOptions = &LayerOptions{
-			GIDMap:         copyIDMap(gidMap),
+			IDMappingOptions: IDMappingOptions{
-		},
+				HostUIDMapping: options.HostUIDMapping,
+				HostGIDMapping: options.HostGIDMapping,
+				UIDMap:         copyIDMap(uidMap),
+				GIDMap:         copyIDMap(gidMap),
+			},
+		}
 	}
 	return rlstore.Put(id, parentLayer, names, mountLabel, nil, layerOptions, writeable, nil, diff)
 }
@@ -964,6 +969,10 @@ func (s *store) CreateImage(id string, names []string, layer, metadata string, o
 
 func (s *store) imageTopLayerForMapping(image *Image, ristore ROImageStore, readWrite bool, rlstore LayerStore, lstores []ROLayerStore, options IDMappingOptions) (*Layer, error) {
 	layerMatchesMappingOptions := func(layer *Layer, options IDMappingOptions) bool {
+		// If the driver supports shifting and the layer has no mappings, we can use it.
+		if s.graphDriver.SupportsShifting() && len(layer.UIDMap) == 0 && len(layer.GIDMap) == 0 {
+			return true
+		}
 		// If we want host mapping, and the layer uses mappings, it's not the best match.
 		if options.HostUIDMapping && len(layer.UIDMap) != 0 {
 			return false
@@ -1036,16 +1045,22 @@ func (s *store) imageTopLayerForMapping(image *Image, ristore ROImageStore, read
 		}
 		rc, err := layerHomeStore.Diff("", layer.ID, &diffOptions)
 		if err != nil {
-			return nil, errors.Wrapf(err, "error reading layer %q to create an ID-mapped version of it")
+			return nil, errors.Wrapf(err, "error reading layer %q to create an ID-mapped version of it", layer.ID)
 		}
 		defer rc.Close()
-		layerOptions := LayerOptions{
+
-			IDMappingOptions: IDMappingOptions{
+		var layerOptions LayerOptions
-				HostUIDMapping: options.HostUIDMapping,
+		if s.graphDriver.SupportsShifting() {
-				HostGIDMapping: options.HostGIDMapping,
+			layerOptions = LayerOptions{IDMappingOptions: IDMappingOptions{HostUIDMapping: true, HostGIDMapping: true, UIDMap: nil, GIDMap: nil}}
-				UIDMap:         copyIDMap(options.UIDMap),
+		} else {
-				GIDMap:         copyIDMap(options.GIDMap),
+			layerOptions = LayerOptions{
-			},
+				IDMappingOptions: IDMappingOptions{
+					HostUIDMapping: options.HostUIDMapping,
+					HostGIDMapping: options.HostGIDMapping,
+					UIDMap:         copyIDMap(options.UIDMap),
+					GIDMap:         copyIDMap(options.GIDMap),
+				},
+			}
 		}
 		mappedLayer, _, err := rlstore.Put("", parentLayer, nil, layer.MountLabel, nil, &layerOptions, false, nil, rc)
 		if err != nil {
@@ -1089,6 +1104,8 @@ func (s *store) CreateContainer(id string, names []string, image, layer, metadat
 	imageID := ""
 	uidMap := options.UIDMap
 	gidMap := options.GIDMap
+
+	idMappingsOptions := options.IDMappingOptions
 	if image != "" {
 		var imageHomeStore ROImageStore
 		istore, err := s.ImageStore()
@@ -1121,7 +1138,7 @@ func (s *store) CreateContainer(id string, names []string, image, layer, metadat
 		if err != nil {
 			return nil, err
 		}
-		ilayer, err := s.imageTopLayerForMapping(cimage, imageHomeStore, imageHomeStore == istore, rlstore, lstores, options.IDMappingOptions)
+		ilayer, err := s.imageTopLayerForMapping(cimage, imageHomeStore, imageHomeStore == istore, rlstore, lstores, idMappingsOptions)
 		if err != nil {
 			return nil, err
 		}
@@ -1140,13 +1157,18 @@ func (s *store) CreateContainer(id string, names []string, image, layer, metadat
 			gidMap = s.gidMap
 		}
 	}
-	layerOptions := &LayerOptions{
+	var layerOptions *LayerOptions
-		IDMappingOptions: IDMappingOptions{
+	if s.graphDriver.SupportsShifting() {
-			HostUIDMapping: options.HostUIDMapping,
+		layerOptions = &LayerOptions{IDMappingOptions: IDMappingOptions{HostUIDMapping: true, HostGIDMapping: true, UIDMap: nil, GIDMap: nil}}
-			HostGIDMapping: options.HostGIDMapping,
+	} else {
-			UIDMap:         copyIDMap(uidMap),
+		layerOptions = &LayerOptions{
-			GIDMap:         copyIDMap(gidMap),
+			IDMappingOptions: IDMappingOptions{
-		},
+				HostUIDMapping: idMappingsOptions.HostUIDMapping,
+				HostGIDMapping: idMappingsOptions.HostGIDMapping,
+				UIDMap:         copyIDMap(uidMap),
+				GIDMap:         copyIDMap(gidMap),
+			},
+		}
 	}
 	clayer, err := rlstore.Create(layer, imageTopLayer, nil, "", nil, layerOptions, true)
 	if err != nil {
@@ -1164,10 +1186,10 @@ func (s *store) CreateContainer(id string, names []string, image, layer, metadat
 	}
 	options = &ContainerOptions{
 		IDMappingOptions: IDMappingOptions{
-			HostUIDMapping: len(clayer.UIDMap) == 0,
+			HostUIDMapping: len(options.UIDMap) == 0,
-			HostGIDMapping: len(clayer.GIDMap) == 0,
+			HostGIDMapping: len(options.GIDMap) == 0,
-			UIDMap:         copyIDMap(clayer.UIDMap),
+			UIDMap:         copyIDMap(options.UIDMap),
-			GIDMap:         copyIDMap(clayer.GIDMap),
+			GIDMap:         copyIDMap(options.GIDMap),
 		},
 	}
 	container, err := rcstore.Create(id, names, imageID, layer, metadata, options)
@@ -2230,8 +2252,11 @@ func (s *store) Version() ([][2]string, error) {
 }
 
 func (s *store) Mount(id, mountLabel string) (string, error) {
-	if layerID, err := s.ContainerLayerID(id); err == nil {
+	container, err := s.Container(id)
-		id = layerID
+	var uidMap, gidMap []idtools.IDMap
+	if err == nil {
+		uidMap, gidMap = container.UIDMap, container.GIDMap
+		id = container.LayerID
 	}
 	rlstore, err := s.LayerStore()
 	if err != nil {
@@ -2243,7 +2268,7 @@ func (s *store) Mount(id, mountLabel string) (string, error) {
 		rlstore.Load()
 	}
 	if rlstore.Exists(id) {
-		return rlstore.Mount(id, mountLabel)
+		return rlstore.Mount(id, mountLabel, uidMap, gidMap)
 	}
 	return "", ErrLayerUnknown
 }