podman

Podman: A tool for managing OCI containers and pods.

APACHE-2.0 License

Downloads: 73
Stars: 21.6K
Committers: 676


podman - v4.6.0-rc1

Published by lsm5 over 1 year ago

Features

  • The podman wait command now supports --condition={healthy,unhealthy}, allowing a wait for a container's health check to report healthy or unhealthy.
  • The podman push command now supports a new option, --compression-level, which specifies the compression level to use (#18939).
  • The podman machine start command, when run with --log-level=debug, now creates a console window to display the virtual machine while booting.
  • Podman now supports a new option, --imagestore, which allows images to be stored in a different directory than the graphroot.
  • The --ip-range option to the podman network create command now accepts a new syntax, <startIP>-<endIP>, which allows more flexibility when limiting the ip range that Podman assigns.
  • [Tech Preview] A new command, podmansh, has been added, which executes a user shell within a container when the user logs into the system. The container that the users get added to can be defined via a Podman Quadlet file.
  • The podman network create command supports a new driver option, bclim (passed via --opt), for the macvlan driver.
  • The podman info command now prints network information about the binary path, package version, program version and DNS information (#18443).
  • The podman info command now displays the number of free locks available, helping to debug lock exhaustion scenarios.
  • The podman info command now outputs information about pasta, if it exists in helper_binaries_dir or $PATH.
  • The remote Podman client’s podman build command now accepts Containerfiles that are not in the context directory (#18239).
  • The remote Podman client’s podman play kube command now supports the --configmap option (#17513).
  • The podman kube play command now supports multi-doc YAML files for configmap arguments. (#18537).
  • The podman pod create command now supports a new flag, --restart, which sets the restart policy for all the containers in a pod.
  • The --format={{.Restarts}} option to the podman ps command now shows the number of times a container has been restarted based on its restart policy.
  • The --format={{.Restarts}} option to the podman pod ps command now shows the total number of container restarts in a pod.
  • The podman machine provider can now be specified via the CONTAINERS_MACHINE_PROVIDER environment variable, as well as via the provider field in containers.conf (#17116).
  • A default list of pasta arguments can now be set in containers.conf via pasta_options.
  • The podman machine init and podman machine set commands now support a new option, --user-mode-networking, which improves interoperability with VPN configurations that drop traffic from WSL networking on Windows.
  • The remote Podman client’s podman push command now supports the --digestfile option (#18216).
  • Podman now supports a new option, --out, that allows redirection or suppression of STDOUT (#18120).

Changes

  • The --filter id=xxx option will now treat xxx as a CID prefix, and not as a regular expression (#18471).
  • The --filter option now requires multiple --filter flags to specify multiple filters. It will no longer support the comma syntax (--filter label=a,label=b).
  • The slirp4netns binary will now be searched for in the paths specified by the helper_binaries_dir option in containers.conf (#18239).
  • Podman machine now updates /run/docker.sock within the guest to be consistent with its rootless/rootful setting (#18480).
  • The podman system df command now counts files which podman generates for use with specific containers as part of the disk space used by those containers, and which can be reclaimed by removing those containers. It also counts space used by files it associates with specific images and volumes as being used by those images and volumes.
  • The podman build command now returns a clearer error message when the Containerfile cannot be found. (#16354).
  • Containers created with --pid=host will no longer print errors on podman stop (#18460).
  • The podman manifest push command no longer requires a destination to be specified. If a destination is not provided, the source is used as the destination (#18360).
  • The podman system reset command now warns the user that the graphroot and runroot directories will be deleted (#18349), (#18295).

Quadlet

  • Quadlet now exits with a non-zero exit code when errors are found (#18778).
  • Rootless podman quadlet files can now be installed in /etc/containers/systemd/users directory.
  • Quadlet now supports the AutoUpdate option.
  • Quadlet now supports the Mask and Unmask options.
  • Quadlet now supports the WorkingDir option, which specifies the default working dir in a container.
  • Quadlet now supports the Sysctl option, which sets namespaced kernel parameters for containers (#18727).
  • Quadlet now supports the SecurityLabelNested=true option, which allows nested SELinux containers.
  • Quadlet now supports the Pull option in .container files (#18779).
  • Quadlet now supports the ExitCode field in .kube files, which reflects the exit codes of failed containers.
  • Quadlet now supports PodmanArgs field.
  • Quadlet now supports the HostName field, which sets the container's host name, in .container files (#18486).

Bugfixes

  • The podman machine start command now waits for systemd user sessions to be up, addressing flaky machine starts (#17403).
  • Fixed a bug where setting the --list-tags option in the podman search command would cause the command to ignore the --format option (#18939).
  • Fixed a bug where the podman machine start command did not properly translate the proxy IP.
  • Fixed a bug where the podman auto-update command would not restart dependent units (specified via Requires=) on auto update (#18926).
  • Fixed a bug where the podman pull command would print ids multiple times when using additional stores (#18647).
  • Fixed a bug where creating a container while setting unmask option to an empty array would cause the create to fail (#18848).
  • Fixed a bug where the propagation of proxy settings for QEMU VMs was broken.
  • Fixed a bug where the podman rm -fa command could fail to remove dependency containers such as pod infra containers (#18180).
  • Fixed a bug where --tz option to the podman create and podman run commands would not create a proper localtime symlink to the zoneinfo file, which was causing some applications (e.g. java) to not read the timezone correctly.
  • Fixed a bug where lowering the ulimit after container creation would cause the container to fail (#18714).
  • Fixed a bug where signals were not forwarded correctly in rootless containers (#16091).
  • Fixed a bug where the --filter volume= option to the podman events command would not display the relevant events (#18618).
  • Fixed a bug in the podman wait command where containers created with the --restart=always option would result in the container staying in a stopped state.
  • Fixed a bug where the podman stats command returned an incorrect memory limit after a container update. (#18621).
  • Fixed a bug in the podman run command where the PODMAN_USERNS environment variable was not ignored when the --pod option was set, resulting in a container created in a different user namespace than its pod (#18580).
  • Fixed a bug where the podman run command would not create the /run/.containerenv when the tmpfs is mounted on /run (#18531).
  • Fixed a bug where the $HOME environment variable would be configured inconsistently between container starts if a new passwd entry had to be created for the container.
  • Fixed a bug where the podman play kube command would restart initContainers based on the restart policy of the pod. initContainers should never be restarted.
  • Fixed a bug in the remote Podman client’s build command where an invalid platform would be set.
  • Fixed a bug where the podman history command did not display tags (#17763).
  • Fixed a bug where the podman machine init command would create invalid machines when run with certain UIDs (#17893).
  • Fixed a bug in the remote Podman client’s podman manifest push command where an error encountered during the push incorrectly claimed that the error occurred while adding an item to the list.
  • Fixed a bug where the podman machine rm command would remove the machine connection before the user confirms the removal of the machine (#18330).
  • Fixed a bug in the sqlite database backend where the first read access may fail (#17859).
  • Fixed a bug where a podman machine could get stuck in the starting state (#16945).
  • Fixed a bug where running a container with the --network=container: option would fail when the target container uses the host network mode. The same also now works for the other namespace options (--pid, --uts, --cgroupns, --ipc) (#18027).
  • Fixed a bug where the --format {{.State}} option to the podman ps command would display the status rather than the state (#18244).
  • Fixed a bug in the podman commit command where setting a --message while also specifying --format=docker options would incorrectly warn that setting a message is incompatible with OCI image formats (#17773).
  • Fixed a bug in the --format option to the podman history command, where the {{.CreatedAt}} and {{.Size}} fields were inconsistent with Docker’s output (#17767), (#17768).
  • Fixed a bug in the remote Podman client where filtering containers would not return all matching containers (#18153).

API

  • Fixed a bug where the Compat and Libpod Top endpoints for Containers did not correctly report errors.
  • Fixed a bug in the Compat Pull and Compat Push endpoints where errors were incorrectly handled.
  • Fixed a bug in the Compat Wait endpoint to correctly handle the "removed" condition (#18889).
  • Fixed a bug in the Compat Stats endpoint for Containers where the online_cpus field was not set correctly (#15754).
  • Fixed a bug in the Compat Build endpoint where the pull field accepted a boolean value instead of a string (#17778).
  • Fixed a bug where the Compat History endpoint for Images did not prefix the image ID with sha256: (#17762).
  • Fixed a bug in the Libpod Export endpoint for Images where exporting to an oci-dir or a docker-dir format would not export to the correct format (#15897).
  • The Compat Create endpoint for Containers now supports the platform parameter (#18951).
  • The Compat Remove endpoint for Images now supports the noprune query parameter, which ensures that dangling parents of the specified image are not removed.
  • The Compat Info endpoint now reports running rootless and SELinux enabled as security options.
  • Fixed a bug in the Auth endpoint where a nil dereference could potentially occur.

Misc

  • The podman system service command is now supported on FreeBSD.
  • Updated the Mac pkginstaller QEMU to v8.0.0
  • Updated Buildah to v1.31.0
  • Updated the containers/storage library to v1.48.0
  • Updated the containers/image library to v5.26.1
  • Updated the containers/common library to v0.55.1
podman - v4.5.1

Published by lsm5 over 1 year ago

Security

  • Image annotations are no longer copied into the runtime spec when it is built. Such annotations can have security implications: crun, for example, lets a rootless container preserve the invoking user's supplementary groups through an annotation, so an untrusted image could request that for itself.
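As an added illustration of the change above (example code written for this page, not Podman's own implementation), the Go program below models the two behaviours side by side and adds an audit helper that can be pointed at `podman image inspect` output to spot images carrying runtime-interpreted annotations before they are run on a host that still merges them. The `run.oci.` prefix is crun's annotation namespace (crun reads `run.oci.keep_original_groups=1` to keep the caller's supplementary groups in a rootless container); treating it as the only prefix of interest, and the inspect JSON embedded in the program, are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// runtimePrefix is the annotation namespace an OCI runtime reads as
// configuration rather than as plain metadata: crun honours
// run.oci.keep_original_groups=1 to keep the invoking user's supplementary
// groups inside a rootless container. Using this single prefix is an
// assumption made for the example, not a list Podman itself maintains.
const runtimePrefix = "run.oci."

// SpecAnnotationsPre451 models the behaviour before 4.5.1: annotations from
// the image config are merged into the runtime spec together with the user's
// own --annotation values, so a value baked into the image reaches the runtime.
func SpecAnnotationsPre451(image, user map[string]string) map[string]string {
	spec := make(map[string]string, len(image)+len(user))
	for k, v := range image {
		spec[k] = v
	}
	for k, v := range user {
		spec[k] = v // explicit user values win on conflict
	}
	return spec
}

// SpecAnnotations451 models the fix: image annotations are not consulted at
// all; only annotations the user set explicitly are placed in the spec.
func SpecAnnotations451(image, user map[string]string) map[string]string {
	spec := make(map[string]string, len(user))
	for k, v := range user {
		spec[k] = v
	}
	return spec
}

// RuntimeAnnotations returns, sorted, the keys in spec a runtime would act on.
func RuntimeAnnotations(spec map[string]string) []string {
	var keys []string
	for k := range spec {
		if strings.HasPrefix(k, runtimePrefix) {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys)
	return keys
}

// inspectEntry is the subset of `podman image inspect` output used here: the
// command prints a JSON array with one object per image, each carrying an
// "Id" string and an "Annotations" map.
type inspectEntry struct {
	ID          string            `json:"Id"`
	Annotations map[string]string `json:"Annotations"`
}

// FlagImageAnnotations parses `podman image inspect` JSON and returns, per
// image ID, the runtime-interpreted annotations found. Images listed here
// should not be run from an untrusted source on a host older than 4.5.1.
func FlagImageAnnotations(inspectJSON []byte) (map[string][]string, error) {
	var entries []inspectEntry
	if err := json.Unmarshal(inspectJSON, &entries); err != nil {
		return nil, fmt.Errorf("parse inspect output: %w", err)
	}
	flagged := map[string][]string{}
	for _, e := range entries {
		if keys := RuntimeAnnotations(e.Annotations); len(keys) > 0 {
			flagged[e.ID] = keys
		}
	}
	return flagged, nil
}

// constructedInspect is hand-written stand-in output for
// `podman image inspect`, not data from any real registry or image.
const constructedInspect = `[
  {"Id": "0a1b2c3d", "Annotations": {"org.opencontainers.image.title": "app",
                                      "run.oci.keep_original_groups": "1"}},
  {"Id": "4e5f6a7b", "Annotations": {"org.opencontainers.image.title": "clean"}}
]`

func main() {
	flagged, err := FlagImageAnnotations([]byte(constructedInspect))
	if err != nil {
		panic(err)
	}
	fmt.Println("images carrying runtime annotations:", flagged)
	image := map[string]string{"run.oci.keep_original_groups": "1"}
	user := map[string]string{"org.example.owner": "team-a"}
	fmt.Println("pre-4.5.1 spec acts on:", RuntimeAnnotations(SpecAnnotationsPre451(image, user)))
	fmt.Println("4.5.1 spec acts on:    ", RuntimeAnnotations(SpecAnnotations451(image, user)))
}
```

On a real host, feed `podman image inspect <image>` output to FlagImageAnnotations; the point of the 4.5.1 change is that the image's own annotations, whatever they say, no longer influence what the runtime does.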

Quadlet

  • Fixed a bug in quadlet to recognize the systemd optional prefix '-'.

Bugfixes

  • Fixed a bug where fully resolving symlink paths included the version number, breaking the path to homebrew-installed qemu files (#18111).
  • Fixed a bug where Podman was splitting the filter map slightly differently compared to Docker (#18092).
  • Fixed a bug where running make package did not work on RHEL 8 environments (#18421).
  • Fixed a bug to allow comma separated dns server IP addresses in podman network create --dns and podman network update --dns-add/--dns-drop (#18663).
  • Fixed a bug to correctly stop containers created with --restart=always in all cases (#18259).
  • Fixed a bug in podman-remote logs to correctly display errors reported by the server.
  • Fixed a bug to correctly tear down the network stack again when an error happened during the setup.
  • Fixed a bug in the remote API exec inspect call to correctly display updated information, e.g. when the exec process died (#18424).
  • Fixed a bug so that podman save on windows can now write to stdout by default (#18147).
  • Fixed a bug where podman machine rm with the qemu backend now correctly removes the machine connection after the confirmation message not before (#18330).
  • Fixed a problem where podman machine connections would try to connect to the IPv6 localhost address (::1) (#16470).

API

  • Fixed a bug in the compat container create endpoint which could result in a "duplicate mount destination" error when the volume path was not "clean", e.g. included a final slash at the end. (#18454).
  • The compat API now correctly accepts a tag in the images/create?fromSrc endpoint (#18597).
podman - v4.5.0

Published by lsm5 over 1 year ago

Features

  • The podman kube play command now supports the hostIPC field (#17157).
  • The podman kube play command now supports a new flag, --wait, that keeps the workload running in the foreground until killed with SIGKILL or SIGTERM. The workloads are cleaned up and removed when killed (#14522).
  • The podman kube generate and podman kube play commands now support SELinux filetype labels.
  • The podman kube play command now supports sysctl options (#16711).
  • The podman kube generate command now supports generating Deployments (#17712).
  • The podman machine inspect command now shows information about named pipe addresses on Windows (#16860).
  • The --userns=keep-id option for podman create, run, and kube play now works for root containers by copying the current mapping into a new user namespace (#17337).
  • A new command has been added, podman secret exists, to verify if a secret with the given name exists.
  • The podman kube generate and podman kube play commands now support ulimit annotations (#16404).
  • The podman create, run, pod create, and pod clone commands now support a new option, --shm-size-systemd, that allows limiting tmpfs sizes for systemd-specific mounts (#17037).
  • The podman create and run commands now support a new option, --group-entry, which customizes the entry that is written to the /etc/group file within the container when the --user option is used (#14965).
  • The podman create and podman run commands now support a new option, --security-opt label=nested, which allows SELinux labeling within a confined container.
  • A new command, podman machine os apply has been added, which applies OS changes to a Podman machine, from an OCI image.
  • The podman search command now supports two new options: --cert-dir and --creds.
  • Defaults for the --cgroup-config option for podman create and podman run can now be set in containers.conf.
  • Podman now supports auto updates for containers running inside a pod (#17181).
  • Podman can now use a SQLite database as a backend for increased stability. The default remains the old database, BoltDB. The database to use is selected through the database_backend field in containers.conf.
  • Netavark plugin support has been added. The netavark network backend now allows users to create custom network drivers. podman network create -d <plugin> can be used to create a network config for your plugin and then Podman will use it like any other config and takes care of setup/teardown on container start/stop. This requires at least Netavark version 1.6.
  • DHCP with macvlan and the netavark backend is now supported.

Changes

  • Remote builds using the podman build command no longer allow .containerignore or .dockerignore files to be symlinks pointing outside the build context.
  • The podman system reset command now clears build caches.
  • The podman play kube command now adds ctrName as an alias to the pod network (#16544).
  • The podman kube generate command no longer adds hostPort to the pod spec when generating service kinds.
  • Using a private cgroup namespace with systemd containers on a cgroups v1 system will explicitly error (this configuration has never worked) (#17727).
  • The SYS_CHROOT capability has been re-added to the default set of capabilities.
  • Listing large quantities of images with the podman images command has seen a significant performance improvement (#17828).

Quadlet

  • Quadlet now supports the Rootfs= option, allowing containers to be based on rootfs in addition to image.
  • Quadlet now supports the Secret key in the Container group.
  • Quadlet now supports the Logdriver key in .container and .kube units.
  • Quadlet now supports the Mount key in .container files (#17632).
  • Quadlet now supports specifying static IPv4 and IPv6 addresses in .container files via the IP= and IP6= options.
  • Quadlet now supports health check configuration in .container files.
  • Quadlet now supports relative paths in the Volume key in .container files (#17418).
  • Quadlet now supports setting the UID and GID options for --userns=keep-id (#17908).
  • Quadlet now supports adding tmpfs filesystems through the Tmpfs key in .container files (#17907).
  • Quadlet now supports the UserNS option in .container files, which will replace the existing RemapGid, RemapUid, RemapUidSize and RemapUsers options in a future release (#17984).
  • Quadlet now includes a --version option.
  • Quadlet now forbids specifying SELinux label types, including disabling selinux separation.
  • Quadlet now does not set log-driver by default.
  • Fixed a bug where Quadlet did not recognize paths starting with systemd specifiers as absolute (#17906).
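An added example, not taken from the Podman project or these release notes, of a rootless .container unit that combines keys from the 4.5.0 Quadlet list above (UserNS=, Tmpfs=, Secret=, relative Volume= paths, health check keys) with keys from the 4.6.0-rc1 Quadlet list earlier on this page (Sysctl=, Mask=/Unmask=, WorkingDir=, HostName=, AutoUpdate=, PodmanArgs=). The image reference, secret name, paths and ports are placeholders; the 4.6.0-rc1 keys need Podman 4.6 or later. Rootless units live in ~/.config/containers/systemd/ for one user or, as noted under 4.6.0-rc1, in /etc/containers/systemd/users/ for all users; run systemctl --user daemon-reload after installing the file.

```ini
# ~/.config/containers/systemd/webapp.container  (one user), or
# /etc/containers/systemd/users/webapp.container (all rootless users, Podman 4.6+)
[Unit]
Description=Example web app run by Quadlet
After=network-online.target

[Container]
Image=registry.example.com/team/webapp:1.4
AutoUpdate=registry
HostName=webapp
WorkingDir=/srv/app
UserNS=keep-id:uid=1000,gid=1000
ReadOnly=true
Tmpfs=/tmp:rw,size=64m,mode=1777
# Relative to the unit file's directory; Z relabels for SELinux.
Volume=./config:/srv/app/config:ro,Z
Secret=webapp-db-password,type=env,target=DB_PASSWORD
PublishPort=127.0.0.1:8080:80
# Namespaced sysctl so the unprivileged in-container user may bind port 80.
Sysctl=net.ipv4.ip_unprivileged_port_start=80
Mask=/sys/devices/virtual/powercap
# Unmask=ALL would drop every default mask; only set it deliberately.
HealthCmd=curl -fsS http://127.0.0.1:80/healthz
HealthInterval=30s
HealthRetries=3
PodmanArgs=--pids-limit=200

[Service]
Restart=always
TimeoutStartSec=300

[Install]
WantedBy=default.target
```

AutoUpdate=registry only works with a fully qualified image reference, and the unit is picked up by podman auto-update through the label Quadlet sets; SecurityLabelNested=true is deliberately left out because it is only needed when the workload itself runs containers.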

Bugfixes

  • Fixed a bug in the network list API where a race condition would cause the list to fail if a container had just been removed (#17341).
  • Fixed a bug in the podman image scp command to correctly use identity settings.
  • Fixed a bug in the remote Podman client's podman build command where building from stdin would fail. podman --remote build -f - now works correctly (#17495).
  • Fixed a bug in the podman volume prune command where exclusive (!=) filters would fail (#17051).
  • Fixed a bug in the --volume option in the podman create, run, pod create, and pod clone commands where specifying relative mappings or idmapped mounts would fail (#17517).
  • Fixed a bug in the podman kube play command where a secret would be created, but nothing would be printed on the terminal (#17071).
  • Fixed a bug in the podman kube down command where secrets were not removed.
  • Fixed a bug where cleaning up after an exited container could segfault on non-Linux operating systems.
  • Fixed a bug where the podman inspect command did not properly list the network configuration of containers created with --net=none or --net=host (#17385).
  • Fixed a bug where containers created with user-specified SELinux labels that created anonymous or named volumes would create those volumes with incorrect labels.
  • Fixed a bug where the podman checkpoint restore command could panic.
  • Fixed a bug in the podman events command where events could be returned more than once after a log file rotation (#17665).
  • Fixed a bug where errors from systemd when restarting units during a podman auto-update command were not reported.
  • Fixed a bug where containers created with the --health-on-failure=restart option were not restarting when the health state turned unhealthy (#17777).
  • Fixed a bug where containers using the slirp4netns network mode with the cidr option and a custom user namespace did not set proper DNS IPs in resolv.conf.
  • Fixed a bug where the podman auto-update command could fail to restart systemd units (#17607).
  • Fixed a bug where the podman play kube command did not properly handle secret.items in volumes (#17829).
  • Fixed a bug where the podman generate kube command could generate pods with invalid names and hostnames (#18054).
  • Fixed a bug where names of limits (such as RLIMIT_NOFILE) passed to the --ulimit option to podman create and podman run were case-sensitive (#18077).
  • Fixed a possible corruption issue with the configuration state of podman machine during system failures on Mac, Linux, and Windows.

API

  • The Compat Stats endpoint for Containers now returns the Id key as lowercase id to match Docker (#17869).
  • Fixed a bug where the Compat top endpoint incorrectly returned titles as a string instead of a list (#17524).

Misc

  • The podman version command no longer joins the rootless user namespace (#17657).
  • The podman-events --stream option is no longer hidden and is now documented.
  • Updated Buildah to v1.30.0
  • Updated the containers/storage library to v1.46.1
  • Updated the containers/image library to v5.25.0
  • Updated the containers/common library to v0.52.0
podman - v4.5.0-RC2

Published by mheon over 1 year ago

Features

  • The podman kube play command now supports the hostIPC field (#17157).
  • The podman kube play command now supports a new flag, --wait, that keeps the workload running in the foreground until killed with SIGKILL or SIGTERM. The workloads are cleaned up and removed when killed (#14522).
  • The podman kube generate and podman kube play commands now support SELinux filetype labels.
  • The podman kube play command now supports sysctl options (#16711).
  • The podman kube generate command now supports generating Deployments (#17712).
  • The podman machine inspect command now shows information about named pipe addresses on Windows (#16860).
  • The --userns=keep-id option for podman create, run, and kube play now works for root containers by copying the current mapping into a new user namespace (#17337).
  • A new command has been added, podman secret exists, to verify if a secret with the given name exists.
  • The podman kube generate and podman kube play commands now support ulimit annotations (#16404).
  • The podman create, run, pod create, and pod clone commands now support a new option, --shm-size-systemd, that allows limiting tmpfs sizes for systemd-specific mounts (#17037).
  • The podman create and run commands now support a new option, --group-entry, which customizes the entry that is written to the /etc/group file within the container when the --user option is used (#14965).
  • The podman create and podman run commands now support a new option, --security-opt label=nested, which allows SELinux labeling within a confined container.
  • A new command, podman machine os apply has been added, which applies OS changes to a Podman machine, from an OCI image.
  • The podman search command now supports two new options: --cert-dir and --creds.
  • Defaults for the --cgroup-config option for podman create and podman run can now be set in containers.conf.
  • Podman now supports auto updates for containers running inside a pod (#17181).
  • Podman can now use a SQLite database as a backend for increased stability. The default remains the old database, BoltDB. The database to use is selected through the database_backend field in containers.conf.
  • Netavark plugin support has been added. The netavark network backend now allows users to create custom network drivers. podman network create -d <plugin> can be used to create a network config for your plugin and then Podman will use it like any other config and takes care of setup/teardown on container start/stop. This requires at least Netavark version 1.6.

Changes

  • Remote builds using the podman build command no longer allow .containerignore or .dockerignore files to be symlinks pointing outside the build context.
  • The podman system reset command now clears build caches.
  • The podman play kube command now adds ctrName as an alias to the pod network (#16544).
  • The podman kube generate command no longer adds hostPort to the pod spec when generating service kinds.
  • Using a private cgroup namespace with systemd containers on a cgroups v1 system will explicitly error (this configuration has never worked) (#17727).
  • The SYS_CHROOT capability has been re-added to the default set of capabilities.
  • Listing large quantities of images with the podman images command has seen a significant performance improvement (#17828).

Quadlet

  • Quadlet now supports the Rootfs= option, allowing containers to be based on rootfs in addition to image.
  • Quadlet now supports the Secret key in the Container group.
  • Quadlet now supports the Logdriver key in .container and .kube units.
  • Quadlet now supports the Mount key in .container files (#17632).
  • Quadlet now supports specifying static IPv4 and IPv6 addresses in .container files via the IP= and IP6= options.
  • Quadlet now supports health check configuration in .container files.
  • Quadlet now supports relative paths in the Volume key in .container files (#17418).
  • Quadlet now supports setting the UID and GID options for --userns=keep-id (#17908).
  • Quadlet now supports adding tmpfs filesystems through the Tmpfs key in .container files (#17907).
  • Quadlet now supports the UserNS option in .container files, which will replace the existing RemapGid, RemapUid, RemapUidSize and RemapUsers options in a future release (#17984).
  • Quadlet now includes a --version option.
  • Quadlet now forbids specifying SELinux label types, including disabling selinux separation.
  • Fixed a bug where Quadlet did not recognize paths starting with systemd specifiers as absolute (#17906).

Bugfixes

  • Fixed a bug in the network list API where a race condition would cause the list to fail if a container had just been removed (#17341).
  • Fixed a bug in the podman image scp command to correctly use identity settings.
  • Fixed a bug in the remote Podman client's podman build command where building from stdin would fail. podman --remote build -f - now works correctly (#17495).
  • Fixed a bug in the podman volume prune command where exclusive (!=) filters would fail (#17051).
  • Fixed a bug in the --volume option in the podman create, run, pod create, and pod clone commands where specifying relative mappings or idmapped mounts would fail (#17517).
  • Fixed a bug in the podman kube play command where a secret would be created, but nothing would be printed on the terminal (#17071).
  • Fixed a bug in the podman kube down command where secrets were not removed.
  • Fixed a bug where cleaning up after an exited container could segfault on non-Linux operating systems.
  • Fixed a bug where the podman inspect command did not properly list the network configuration of containers created with --net=none or --net=host (#17385).
  • Fixed a bug where containers created with user-specified SELinux labels that created anonymous or named volumes would create those volumes with incorrect labels.
  • Fixed a bug where the podman checkpoint restore command could panic.
  • Fixed a bug in the podman events command where events could be returned more than once after a log file rotation (#17665).
  • Fixed a bug where errors from systemd when restarting units during a podman auto-update command were not reported.
  • Fixed a bug where containers created with the --health-on-failure=restart option were not restarting when the health state turned unhealthy (#17777).
  • Fixed a bug where containers using the slirp4netns network mode with the cidr option and a custom user namespace did not set proper DNS IPs in resolv.conf.
  • Fixed a bug where the podman auto-update command could fail to restart systemd units (#17607).
  • Fixed a bug where the podman play kube command did not properly handle secret.items in volumes (#17829).
  • Fixed a bug where the podman generate kube command could generate pods with invalid names and hostnames (#18054).
  • Fixed a bug where names of limits (such as RLIMIT_NOFILE) passed to the --ulimit option to podman create and podman run were case-sensitive (#18077).
  • Fixed a possible corruption issue with the configuration state of podman machine during system failures on Mac, Linux, and Windows.

API

  • The Compat Stats endpoint for Containers now returns the Id key as lowercase id to match Docker (#17869).

Misc

  • The podman version command no longer joins the rootless user namespace (#17657).
  • The podman-events --stream option is no longer hidden and is now documented.
  • Updated Buildah to v1.30.0
  • Updated the containers/storage library to v1.46.1
  • Updated the containers/image library to v5.25.0
  • Updated the containers/common library to v0.52.0
podman - v4.5.0-RC1

Published by ashley-cui over 1 year ago

This is the first release candidate of Podman v4.5.0. Full release notes are not available, but will be compiled for the next RC.

podman - v4.4.4

Published by ashley-cui over 1 year ago

Changes

  • Podman now writes direct mappings for idmapped mounts.

Bugfixes

  • Fixed a regression which caused the MacOS installer to fail if podman-mac-helper was already installed (#17910).
podman - v4.4.3

Published by ashley-cui over 1 year ago

Security

  • This release fixes CVE-2022-41723, a vulnerability in the golang.org/x/net package where a maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service.

Changes

  • Added SYS_CHROOT back to the default set of capabilities.

Bugfixes

  • Fixed a bug where quadlet would not use the default runtime set.
  • Fixed a bug where podman system service --log-level=trace did not hijack the client connection, causing remote podman run/attach calls to work incorrectly (#17749).
  • Fixed a bug where the podman-mac-helper returned an incorrect exit code after erroring. podman-mac-helper now exits with 1 on error (#17785).
  • Fixed a bug where podman run --dns ... --network would not respect the dns option. Podman will no longer add host nameservers to resolv.conf when aardvark-dns is used (#17499).
  • Fixed a bug where podman logs errored out with the passthrough driver when the container was run from a systemd service.
  • Fixed a bug where --health-on-failure=restart would not restart the container when the health state turned unhealthy (#17777).
  • Fixed a bug where podman machine VMs could have their system time drift behind real time. New machines will no longer be affected by this (#11541).

API

  • Fixed a bug where creating a network with the Compat API would return an incorrect status code. The API call now returns 409 when creating a network with an existing name and when CheckDuplicate is set to true (#17585).
  • Fixed a bug in the /auth REST API where logging into Docker Hub would fail (#17571).

Misc

  • Updated the containers/common library to v0.51.1
  • Updated the Mac pkginstaller QEMU to v7.2.0
podman - v4.4.2

Published by ashley-cui over 1 year ago

Security

  • This release fixes CVE-2023-0778, a race in volume export: a malicious user could replace a regular file in a volume with a symlink while the volume was being exported, causing arbitrary files on the host file system to be read into the exported archive.
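The fix for this class of bug is to never resolve symlinks while walking the volume and to re-check each file after opening it. The Go program below is an added example of that pattern, written for this page rather than taken from Podman's volume export code: it walks a directory, archives a regular file only after an O_NOFOLLOW open whose device and inode match the earlier Lstat, records symlinks as link entries without reading their targets, and refuses a symlinked export root. The sample volume layout in main is constructed; the code needs Linux or another Unix where syscall.O_NOFOLLOW is defined.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"syscall"
)

// ExportTree archives the files under root into w as a tar stream without ever
// following a symlink: symlinks become symlink entries (link text only), and
// every regular file is opened with O_NOFOLLOW and matched by device+inode
// against the preceding Lstat, so an entry swapped for a symlink between the
// walk and the open is refused instead of read through. Returns archived names.
func ExportTree(root string, w io.Writer) ([]string, error) {
	if st, err := os.Lstat(root); err != nil || !st.IsDir() {
		return nil, fmt.Errorf("%s: export root must be a real directory", root)
	}
	tw := tar.NewWriter(w)
	var names []string
	addEntry := func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		rel, err := filepath.Rel(root, path)
		if err != nil || rel == "." {
			return err
		}
		info, err := os.Lstat(path) // never resolves the final path component
		if err != nil || info.IsDir() {
			return err // directories are implied by their contents
		}
		rel = filepath.ToSlash(rel)
		if info.Mode()&fs.ModeSymlink != 0 {
			target, err := os.Readlink(path)
			if err != nil {
				return err
			}
			hdr, err := tar.FileInfoHeader(info, target) // stores the link text, not the target
			if err != nil {
				return err
			}
			hdr.Name = rel
			names = append(names, rel)
			return tw.WriteHeader(hdr)
		}
		if !info.Mode().IsRegular() {
			return nil // devices, fifos and sockets are skipped
		}
		f, err := os.OpenFile(path, os.O_RDONLY|syscall.O_NOFOLLOW, 0)
		if err != nil {
			return err // ELOOP here means the entry became a symlink after Lstat
		}
		defer f.Close()
		opened, err := f.Stat() // fstat on the descriptor actually held
		if err != nil {
			return err
		}
		if !os.SameFile(info, opened) || !opened.Mode().IsRegular() {
			return fmt.Errorf("%s: changed between stat and open, refusing", rel)
		}
		hdr, err := tar.FileInfoHeader(opened, "")
		if err != nil {
			return err
		}
		hdr.Name = rel
		if err := tw.WriteHeader(hdr); err != nil {
			return err
		}
		if _, err := io.CopyN(tw, f, hdr.Size); err != nil {
			return err
		}
		names = append(names, rel)
		return nil
	}
	if err := filepath.WalkDir(root, addEntry); err != nil {
		return nil, err
	}
	return names, tw.Close()
}

func main() {
	// Constructed scenario (not real data): a volume holding one config file and
	// one entry an attacker has swapped for a symlink to a file outside it.
	vol, _ := os.MkdirTemp("", "vol")
	defer os.RemoveAll(vol)
	_ = os.WriteFile(filepath.Join(vol, "app.conf"), []byte("listen=8080\n"), 0o644)
	_ = os.Symlink("/etc/hostname", filepath.Join(vol, "app.conf.bak"))
	var buf bytes.Buffer
	names, err := ExportTree(vol, &buf)
	fmt.Println(names, buf.Len(), err) // app.conf.bak is archived as a link; its target is never read
}
```

The SameFile comparison is what closes the window between the walk and the open; O_NOFOLLOW alone rejects a final-component symlink but would not catch a file replaced by another file. The archive still contains symlink entries, so whatever extracts it must likewise refuse to follow them.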

Bugfixes

  • Fixed a bug where containers started via the podman-kube systemd template would always use the "passthrough" log driver (#17482).
  • Fixed a bug where pulls would unexpectedly encounter an EOF error. Podman now transparently resumes aborted pull connections.
  • Fixed a race condition in Podman's signal proxy.

Misc

  • Updated the containers/image library to v5.24.1.
podman - v4.4.1

Published by ashley-cui over 1 year ago

Changes

  • Added the podman-systemd.unit man page, which can also be displayed using man quadlet (#17349).
  • Documented journald identifiers used in the journald backend for the podman events command.
  • Dropped CAP_SYS_CHROOT, CAP_AUDIT_WRITE and CAP_MKNOD from the default set of capabilities.

Bugfixes

  • Fixed a bug where the default handling of pids-limit was incorrect.
  • Fixed a bug where parallel calls to make docs crashed (#17322).
  • Fixed a regression in the podman kube play command where existing resources got mistakenly removed.
podman - v4.4.0

Published by ashley-cui over 1 year ago

Features

  • Introduce Quadlet, a new systemd-generator that easily writes and maintains systemd services using Podman.
  • The podman kube play command now supports hostPID in the pod.spec (#17157).
  • The podman build command now supports the --group-add option.
  • A new command, podman network update has been added, which updates networks for containers and pods.
  • The podman network create command now supports a new option, --network-dns-server, which sets the DNS servers that this network will use.
  • The podman kube play command now accepts the --publish option, which sets or overrides port publishing.
  • The podman inspect command now returns an error field (#13729).
  • The podman update command now accepts the --pids-limit option, which sets the PIDs limit for a container (#16543).
  • Podman now supports container names beginning with a / to match Docker behaviour (#16663).
  • The podman events command now supports die as a value (mapping to died) to the --filter option, for better Docker compatibility (#16857).
  • The podman system df command’s --format "{{ json . }}" option now outputs human-readable format to improve Docker compatibility.
  • The podman rm -f command now also terminates containers in "stopping" state.
  • Rootless privileged containers will now mount all tty devices, except for the virtual-console related tty devices (/dev/tty[0-9]+) (#16925).
  • The podman play kube command now supports subpaths when using configmap and hostpath volume types (#16828).
  • All commands with the --no-heading option now include a short option, -n.
  • The podman push command no longer ignores the hidden --signature-policy flag.
  • The podman wait command now supports the --ignore option.
  • The podman network create command now supports the --ignore option to instruct Podman to not fail when trying to create an already existing network.
  • The podman kube play command now supports volume subpaths when using named volumes (#12929).
  • The podman kube play command now supports container startup probes.
  • A new command, podman buildx version, has been added, which shows the buildah version (#16793).
  • Remote usage of the podman build command now supports the --volume option (#16694).
  • The --opt parent=... option is now accepted with the ipvlan network driver in the podman network create command (#16621).
  • The --init-ctr option for the podman container create command now supports shell completion.
  • The podman kube play command run with a readOnlyTmpfs Flag in the kube YAML can now write to tmpfs inside of the container.
  • The podman run command has been extended with support for checkpoint images.
  • When the new event_audit_container_create option is enabled in containers.conf, the verbosity of the container-create event is increased by adding the inspect data of the container to the event.
  • Containers can now have startup healthchecks, allowing a command to be run to ensure the container is fully started before the regular healthcheck is activated.
  • CDI devices can now be specified in containers.conf (#16232).
  • The podman push command features two new options, --encryption-key and --encrypt-layer, for encrypting an image while pushing it to a registry (#15163).
  • The podman pull and podman run commands feature a new option, --decryption-key, which decrypts the image while pulling it from a registry (#15163).
  • Remote usage of the podman manifest annotate command is now supported.
  • The SSL_CERT_FILE and SSL_CERT_DIR environment variables are now propagated into Podman machine VMs (#16041).
  • A new environment variable, CONTAINER_PROXY, can be used to specify TCP proxies when using remote Podman.
  • The runtime automatically detects and switches to crun-wasm if the image is a webassembly image.
  • The podman machine init command now supports the --quiet option, as well a new option, --no-info which suppresses informational tips (#15525).
  • The podman volume create command now includes the -d short option for the --driver option.
  • The podman events command has a new alias, podman system events, for better Docker compatibility.
  • The --restart-sec option for podman generate systemd now generates RestartSec= for both pod service files and container service files (#16419).
  • The podman manifest push command now accepts --purge, -p options as aliases for --rm, for Docker compatibility.
  • The --network option to podman pod create now supports using an existing network namespace via ns:[netns-path] (#16208).
  • The podman pod rm and podman container rm commands now remove container/pod ID files along with the container/pod (#16387).
  • The podman manifest inspect command now accepts a new option, --insecure, as an alias to --tls-verify=false, improving Docker compatibility (#14917).
  • A new command, podman kube apply, has been added, which deploys the generated yaml to a k8s cluster.
  • The --userns=keep-id option in rootless podman create, podman run, podman kube play, podman pod create, and podman pod clone now can be used when only one ID is available.
  • The podman play kube command now supports the volume.podman.io/import-source annotation to import the contents of tarballs.
  • The podman volume create command now accepts the --ignore option, which ignores the create request if the named volume already exists.
  • The --filter option for podman ps now supports regex (#16180).
  • The podman system df command now accepts --format json and autocompletes for the --format option (#16204).
  • The podman kube down command accepts a new option, --force, which removes volumes (#16348).
  • The podman create, podman run, and podman pod create commands now support a new networking mode, pasta, which can be enabled with the --net=pasta option (#14425, #13229).

Changes

  • CNI is being deprecated from Podman and support will be dropped at a future date. Netavark is now the recommended and default network backend for Podman.
  • The network name pasta is deprecated and support for it will be removed in the next major release.
  • The podman network create command no longer accepts default as valid name. It is impossible to use this network name in the podman run/create command because it is parsed as a network mode instead (#17169).
  • The podman kube generate command will no longer generate built-in annotations, as reserved annotations are used internally by Podman and would have no effect when run with Kubernetes.
  • The podman kube play command now limits the replica count to 1 when deploying from kubernetes YAML (#16765).
  • When a container that runs with the --pid=host option is terminated, Podman now sends a SIGKILL to all the active exec sessions
  • The journald driver for both podman events and podman logs is now more efficient when the --since option is used, as it will now seek directly to the correct time instead of reading all entries from the journal (#16950).
  • When the --service-container option is set for the podman kube play command, the default log driver is now passthrough (#16592).
  • The podman container inspect and podman kube generate commands will no longer list default annotations set to false.
  • Podman no longer reports errors on short-lived init containers in pods.
  • Healthchecks are now automatically disabled on non-systemd systems. If Podman is compiled without the systemd build tag, healthchecks are disabled at build time (#16644).
  • Improved atomicity of VM state persistence on Windows now better tolerates FS corruption in cases of power loss or system failure (#16550).
  • A user namespace is now always created when running with EUID != 0. This is necessary to work in a Kubernetes environment where the POD is "privileged" but it is still running with a non-root user.
  • Old healthcheck states are now cleaned up during container restart.
  • The CONTAINER_HOST environment variable defaults to port 22 for SSH style URLs for remote connections, when set (#16509).
  • The podman kube play command now reuses existing PersistentVolumeClaims instead of erroring.
  • The podman system reset command will no longer prompt the user if /usr/share/containers/storage.conf file exists.
  • Existing container/pod id files are now truncated instead of throwing an error.
  • The --format and --verbose flags in podman system df are no longer allowed to be used in combination.
  • The podman kube generate command now sets runAsNonRoot=true in the generated yaml when the image has user set as a positive integer (#15231).
  • Listing containers (e.g, via podman ps) is considerably faster.
  • The podman push and podman manifest push commands now support a new option, --sign-by-sigstore, which allows using Fulcio and Rekor.

Bugfixes

  • Fixed a bug where the --dns option was not being set correctly (#16172).
  • Fixed a race condition that caused podman rm to fail when stopping or killing a container that has already been stopped or has exited (#16142, #15367).
  • Fixed a bug where podman kube play default environment variables were not applied to containers (#17016).
  • Fixed a bug where containers with a restart policy set could still restart even after a manual podman stop (#17069).
  • Fixed a bug where the runtime was not shutdown correctly on error.
  • Fixed a bug where a pod couldn't be removed if its service container did not exist anymore (#16964).
  • Fixed a bug where the output of a non-interactive docker run against a podman backend would be truncated when using Docker Clients on Mac and Windows (#16656).
  • Fixed a bug where podman logs --since --follow would not follow and just exit with the journald driver.
  • Fixed a bug where podman logs --until --follow would not exit after the given until time.
  • Fixed a bug where remote usage of the podman attach and podman start did not sigproxy (#16662).
  • Fixed a race condition where a container being stopped could be removed from a separate process.
  • Fixed a bug in the podman ps command’s --filter option where specifying volume as a filter would not return the correct containers (#16019).
  • Fixed a bug where podman-remote would send an incorrect absolute path as context when it’s an emptydir.
  • Fixed a bug with the podman export command on MacOS and Windows where it could not export to STDOUT (#16870).
  • Fixed a bug in the http attach endpoint where it would return an incorrect length when reading logs (#16856).
  • Fixed a bug where symlinks were not followed on mounted folders on MacOS.
  • Fixed a bug in the podman container restore command’s --ignore-static-ip and --ignore-static-mac options when restoring a normal container, i.e without --import, where the option was not correctly honored (#16666).
  • Fixed a bug where containers, pods, and volumes were not cleaned up after an error happens while playing a kube yaml file.
  • Fixed a bug where system shutdown would be delayed when running health checks on containers running in a systemd unit (#14531).
  • Fixed a bug where syslog entries may be truncated when the labels map is too large, by increasing event syslog deserialization buffer.
  • Fixed a bug in podman kube play where secrets were incorrectly unmarshalled (#16269, #16625).
  • Fixed a bug where barrier sd-notify messages were ignored when using notify policies in kube-play (#16076, #16515).
  • Fixed a bug where volumes that use idmap were chowned incorrectly to the UID/GID of the root in the container.
  • Fixed a bug in podman kube play where IpcNS was not being properly set (#16632).
  • Fixed a bug in podman kube play that occurred when the optional field of a secret volume was not set in the kube yaml, causing Podman to crash (#16636).
  • Fixed a bug in the podman stats command where the NetInput and NetOutput fields were swapped.
  • Fixed a bug in the podman network create command’s --driver option where incorrect shell completion suggestions were given.
  • Fixed a bug where podman --noout was not suppressing output from certain commands such as podman machine and podman system connection (#16201).
  • Fixed a bug where a pod was partially created even when its creation has failed (#16502).
  • Fixed a bug in podman cp when copying directories ending with a "." (#16421).
  • Fixed a bug where the root --connection option would not work with a cached config (#16282).
  • Fixed a bug with the --format {{ json .}} option which resulted in different output compared to docker (#16436).
  • Fixed short name resolution on Windows to docker.io to avoid TTY check failure (#16417).
  • Fixed a bug with the systemd booted check when /proc is mounted with the hidepid=2 option (#16022).
  • Fixed a bug where named volumes were not properly idmapped.
  • Fixed a bug in podman kube play where the sdnotify proxy could cause Podman to deadlock (#16076).
  • Fixed a bug where the containers.conf files are reloaded redundantly.
  • Fixed a bug where podman system df reported wrong image sizes (#16135).
  • Fixed a bug where podman inspect did not correctly report the IPCMode of containers (#17189).
  • Fixed a bug where containers created in a pod using the --userns keep-id option were not correctly adding username entries to /etc/passwd within container (#17148).
  • Fixed a bug where the --publish-all flag in the podman create and podman run commands would occasionally assign colliding ports.
  • Fixed a bug where podman machine init --image-path on Windows was not correctly handling absolute paths (#15995).
  • Fixed a bug where the podman machine init would fail on non-systemd Linux distributions due to the lack of timedatectl (#17244).
  • Fixed a bug where podman machine commands would fail on Windows when the Podman managed VM is set as default in WSL, under some locales (#17227, #17158).
  • Fixed a bug where the podman ps command’s STATUS output’s human readable output would add “ago” (#17250).
  • Fixed a bug where the podman events command run with the journald driver could show events from other users.

API

  • When creating a container with the Compat API, NetworkMode=default is no longer rewritten to NetworkMode=bridge if the containers.conf configuration file overrides netns (#16915).
  • The Compat Create endpoint now supports the MAC address field in the container config. This ensures that the static mac from the docker-compose.yml is used (#16411).
  • Fixed a bug in the Compat Build endpoint where the chunked response may have included more JSON objects than expected per chunk (#16360).
  • Fixed a bug in the Compat Create endpoint where DeviceCgroupRules was not correctly set (#17106).

Misc

  • Fixed WSL auto-installation when run under Windows ARM x86_64 emulation.
  • Added initial support for Windows on ARM64.
  • Added a systemd unit file that is useful for transient storage mode cleanup.
  • The podman-remote-static.tar.gz artifact has been renamed to podman-remote-static-linux_{amd64,arm64}.tar.gz (#16612).
  • The podman-installer-macos-aarch64.pkg artifact has been renamed to podman-installer-macos-arm64.pkg.
  • The MacOS pkginstaller now installs podman-mac-helper by default (#16547).
  • Manual overrides of the install location in the Windows installer are now allowed (#16265).
  • Continued ongoing work on porting Podman to FreeBSD
  • Updated the Mac pkginstaller qemu to v7.1.0
  • Updated the Golang version to 1.18
  • Updated the containers/image library to v5.24.0
  • Updated the containers/storage library to v1.45.3
  • Updated the containers/common library to v0.51.0
  • Updated Buildah to v1.29.0
podman - v4.4.0-RC3

Published by ashley-cui over 1 year ago

Features

  • Introduce Quadlet, a new systemd-generator that easily writes and maintains systemd services using Podman.
  • The podman kube play command now supports hostPID in the pod.spec (#17157).
  • The podman build command now supports the --group-add option.
  • A new command, podman network update has been added, which updates networks for containers and pods.
  • The podman network create command now supports a new option, --network-dns-server, which sets the DNS servers that this network will use.
  • The podman kube play command now accepts the --publish option, in order to set or override port publishing.
  • The podman inspect command now returns an error field (#13729).
  • The podman update command now accepts the --pids-limit option, which adds the functionality to update the PIDs limit for a container (#16543).
  • Podman now supports container names beginning with a '/' to match Docker behaviour (#16663).
  • The podman events command now supports "die" as a value (mapping to "died") to the --filter option, for better Docker compatibility (#16857).
  • The podman system df command’s --format "{{ json . }}" option now outputs human-readable format to improve Docker compatibility.
  • The podman rm -f command now also terminates containers in "stopping" state.
  • Rootless privileged containers will now mount all tty devices, except for the virtual-console ones (/dev/tty[0-9]+) (#16925).
  • The podman play kube command now supports subpaths when using configmap and hostpath volume types (#16828).
  • A user namespace is now always created when running with EUID != 0. This is necessary to work in a Kubernetes environment where the POD is "privileged" but it is still running with a non-root user.
  • All commands with the --no-heading option now include a short option, -n.
  • The podman push command no longer ignores the hidden --signature-policy flag.
  • The podman wait command now supports the --ignore option.
  • The podman network create command now supports the --ignore option to instruct Podman to not fail when trying to create an already existing network.
  • The podman kube play command now supports volume subpaths when using named volumes (#12929).
  • The podman kube play command now supports container startup probes.
  • A new command, podman buildx version, has been added, which shows the buildah version (#16793).
  • Remote usage of the podman build command now supports the --volume option (#16694).
  • The --opt parent=... option is now accepted with the ipvlan network driver in the podman network create command (#16621).
  • The --init-ctr option for the podman container create command now supports shell completion.
  • The podman kube play command run with a readOnlyTmpfs Flag in the kube YAML can now write to tmpfs inside of the container.
  • The podman run command has been extended with support for checkpoint images.
  • When the new event_audit_container_create option is enabled in containers.conf, the verbosity of the container-create event is increased by adding the inspect data of the container to the event.
  • Containers can now have startup healthchecks, allowing a command to be run to ensure the container is fully started before the regular healthcheck is activated.
  • CDI devices can now be specified in containers.conf (#16232).
  • The podman push command features two new options, --encryption-key and --encrypt-layer, for encrypting an image while pushing it to a registry (#15163).
  • The podman pull and podman run commands feature a new option, --decryption-key, which decrypts the image while pulling it from a registry (#15163).
  • The podman manifest annotate command is now supported for podman-remote.
  • The SSL_CERT_FILE and SSL_CERT_DIR environment variables are now propagated into podman machine VMs (#16041).
  • A new environment variable, CONTAINER_PROXY, can be used to specify TCP proxies when using podman-remote.
  • The runtime automatically detects and switches to crun-wasm if the image is a webassembly image.
  • The podman machine init command now supports the --quiet option, as well a new option, --no-info which suppresses informational tips (#15525).
  • The podman volume create command now includes the -d short option for the --driver option.
  • The podman events command has a new alias, podman system events, for better Docker compatibility.
  • The --restart-sec option for podman generate systemd now generates RestartSec= for both pod service files and container service files (#16419).
  • The podman manifest push command now accepts --purge, -p options as aliases for --rm, for Docker compatibility.
  • The --network option to podman pod create now supports using an existing network namespace via ns:[netns-path] (#16208).
  • The podman pod rm and podman container rm commands now removes container/pod ID files along with the container/pod (#16387).
  • The podman manifest inspect command now accepts a new option, --insecure (identical to --tls-verify=false), improving Docker compatibility. (#14917).
  • A new command, podman kube apply, has been added, which deploys the generated yaml to a k8s cluster.
  • The --userns=keep-id option in rootless podman create, podman run, podman kube play, podman pod create, and podman pod clone now can be used when only one ID is available.
  • The podman play kube command now supports the volume.podman.io/import-source annotation to import the contents of tarballs.
  • The podman volume create command now accepts the --ignore option, which ignores the create request if the named volume already exists.
  • The --filter option for podman ps now supports regex (#16180).
  • The podman system df command now accepts --format json and autocompletes for the --format option (#16204).
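Quadlet, introduced in the v4.4.0 Features list above and listed again here for v4.4.0-RC3, turns a small unit-style file into a systemd service that runs a container. The file below is an added example, not from the release notes or the Podman project; the image reference, container name, volume name, port and UID are assumptions. It applies the hardening a reviewer would ask for by default: read-only root filesystem, no new privileges, all capabilities dropped, a non-root user in the container, and the port bound to loopback only.

```ini
# ~/.config/containers/systemd/webapp.container  (rootless user)
# or /etc/containers/systemd/webapp.container   (system-wide, as root)
# Image, names, port and UID below are placeholders for this example.

[Unit]
Description=Example web service run as a Quadlet container

[Container]
Image=registry.example.com/webapp:1.2.3
ContainerName=webapp
# Publish on loopback only; put a reverse proxy in front if it must be reachable.
PublishPort=127.0.0.1:8080:8080
# Named volume for the only path the service needs to write.
Volume=webapp-data:/var/lib/webapp
Environment=APP_ENV=production
# Hardening: immutable root fs, no privilege escalation, no capabilities,
# unprivileged UID inside the container.
ReadOnly=true
NoNewPrivileges=true
DropCapability=all
User=1000

[Service]
Restart=always
TimeoutStartSec=300

[Install]
WantedBy=default.target
```

After placing the file, run `systemctl --user daemon-reload` (drop `--user` for the system-wide path and use `WantedBy=multi-user.target` there) and then `systemctl --user start webapp.service`; the generator names the service after the file. The keys shown are documented in the podman-systemd.unit man page (`man quadlet`) that the v4.4.1 notes mention. If the image needs to bind a port below 1024 as a non-root user, add that one capability back with `AddCapability=NET_BIND_SERVICE` rather than dropping the `DropCapability=all` line.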

Changes

  • CNI is being deprecated from Podman and support will be dropped at a future date. Netavark is now advised and is the default network backend for Podman.
  • The network name pasta is deprecated and support for it will be removed in the next major release.
  • The podman network create command no longer accepts default as valid name. It is impossible to use this network name in the podman run/create command because it is parsed as a network mode instead (#17169).
  • The podman kube generate command will no longer generate built-in annotations, as reserved annotations are used internally by Podman and would have no effect when run with Kubernetes.
  • The podman kube play command now limits the replica count to 1 when deploying from kubernetes YAML (#16765).
  • When a container that runs with the --pid=host option is terminated, Podman now sends a SIGKILL to all the active exec sessions
  • The journald driver for both podman events and podman logs is now more efficient when the --since option is used, as it will now seek directly to the correct time instead of reading all entries from the journal (#16950).
  • When the --service-container option is set for the podman kube play command, the default log driver is now passthrough (#16592).
  • The podman container inspect and podman kube generate commands will no longer list default annotations set to false.
  • Podman no longer reports errors on short-lived init containers in pods.
  • Healthchecks are now automatically disabled on non-systemd systems. If Podman is compiled without the systemd build tag, healthchecks are disabled at build time (#16644).
  • Improved atomicity of VM state persistence on Windows to better tolerate FS corruption in cases of power loss or system failure (#16550).
  • Old healthcheck states are now cleaned up during container restart.
  • The CONTAINER_HOST environment variable defaults to port 22 for SSH style URLs for remote connections, when set (#16509).
  • The podman kube play command now reuses existing PersistentVolumeClaims instead of erroring.
  • The podman kube down command accepts a new option, --force, which removes volumes (#16348).
  • The podman create, podman run, and podman pod create commands now support a new networking mode, pasta, which can be enabled with the --net=pasta option (#14425, #13229).
  • The podman system reset command will no longer prompt the user if /usr/share/containers/storage.conf file exists.
  • Existing container/pod id files are now truncated instead of throwing an error.
  • The --format and --verbose flags in podman system df are no longer allowed to be used in combination.

Bugfixes

  • Fixed a bug where the --dns option was not being set correctly (#16172).
  • Fixed a race condition when stopping/killing a container that has already been stopped or has exited (#16142, #15367).
  • Fixed a bug where podman kube play default environment variables have not been applied to containers (#17016).
  • Fixed a bug where containers with a restart policy set could still restart even after a manual podman stop (#17069).
  • Fixed a bug where the runtime was not shutdown correctly on error.
  • Fixed a bug where a pod couldn't be removed if its service container did not exist anymore (#16964).
  • Fixed a bug where the output of a non-interactive docker run against a podman backend would be truncated when using Docker Clients on Mac and Windows (#16656).
  • Fixed a bug where podman logs --since --follow would not follow and just exit with the journald driver.
  • Fixed a bug where podman logs --until --follow would not exit after the given until time.
  • Fixed a bug where remote usage of the podman attach and podman start did not sigproxy (#16662).
  • Fixed a race condition where a container being stopped could be removed from a separate process.
  • Fixed a bug in the podman ps command’s --filter option where specifying volume as a filter would not return the correct containers (#16019).
  • Fixed a bug where podman-remote would send an incorrect absolute path as context when it’s an emptydir.
  • Fixed a bug with the podman export command on MacOS and Windows where it could not export to STDOUT (#16870).
  • Fixed a bug in the http attach endpoint where it would return an incorrect length when reading logs (#16856).
  • Fixed a bug where symlinks were not followed on mounted folders on MacOS.
  • Fixed a bug in the podman container restore command’s --ignore-static-ip and --ignore-static-mac options when restoring a normal container, i.e without --import, where the option was not correctly honored (#16666).
  • Fixed a bug where containers, pods, and volumes were not cleaned up after an error happens while playing a kube yaml file.
  • Fixed a bug where system shutdown would be delayed when running health checks on containers running in a systemd unit (#14531).
  • Fixed a bug where syslog entries may be truncated when the labels map is too large, by increasing event syslog deserialization buffer.
  • Fixed a bug in podman kube play where secrets were incorrectly unmarshalled (#16269, #16625).
  • Fixed a bug where barrier sd-notify messages were ignored when using notify policies in kube-play (#16076, #16515).
  • Fixed a bug where volumes that use idmap were chowned incorrectly to the UID/GID of the root in the container.
  • Fixed a bug in podman kube play where IpcNS was not being properly set (#16632).
  • Fixed a bug in podman kube play where if the optional field of a secret volume was not set in the kube yaml, Podman would crash. The optional field is now correctly handled (#16636).
  • Fixed a bug in the podman stats command where the NetInput and NetOutput fields were swapped.
  • Fixed a bug in the podman network create command’s --driver option where incorrect shell completion suggestions were given.
  • Fixed a bug where podman --noout was not suppressing output from certain commands such as podman machine and podman system connection (#16201).
  • Fixed a bug where a pod was partially created even when its creation has failed (#16502).
  • Fixed a bug in podman cp when copying directories ending with a "." (#16421).
  • Fixed a bug where the root --connection option would not work with a cached config (#16282).
  • Fixed a bug with the --format {{ json .}} option which resulted in different output compared to docker (#16436).
  • Fixed short name resolution on Windows to docker.io to avoid TTY check failure (#16417).
  • Fixed a bug with the systemd booted check when /proc is mounted with the hidepid=2 option (#16022).
  • Fixed a bug where named volumes were not properly idmapped.
  • Fixed a bug in podman kube play where the sdnotify proxy could cause Podman to deadlock (#16076).
  • Fixed a bug where the containers.conf files are reloaded redundantly.
  • Fixed a bug where podman system df reported wrong image sizes (#16135).
  • Fixed a bug where podman inspect did not correctly report the IPCMode of containers (#17189).
  • Fixed a bug where containers created in a pod using the --userns keep-id option were not correctly adding username entries to /etc/passwd within container (#17148).

API

  • When creating a container with the Compat API, the NetworkMode=default is no longer rewritten to NetworkMode=bridge if the containers.conf configuration file overwrites netns (#16915).
  • The Compat Create endpoint now supports the MAC address field in the container config. This ensures that the static mac from the docker-compose.yml is used (#16411).
  • Fixed a bug in the Compat Build endpoint where the chunked response may have included more JSON objects than expected per chunk (#16360).

Misc

  • Fixed WSL auto-installation when run under Windows ARM x86_64 emulation.
  • Added initial support for Windows on ARM64.
  • Added a systemd unit file that is useful for transient storage mode cleanup.
  • The podman-release-static.tar.gz artifact has been renamed to podman-release-static-linux_{amd64,arm64}.tar.gz (#16612).
  • The podman-installer-macos-aarch64.pkg artifact has been renamed to podman-installer-macos-arm64.pkg.
  • The MacOS pkginstaller now installs podman-mac-helper by default (#16547).
  • Manual overrides of the install location in the Windows installer are now allowed (#16265).
  • Continued ongoing work on porting Podman to FreeBSD
  • Updated the Mac pkginstaller qemu to v7.1.0
  • Updated the Golang version to 1.18.
  • Updated the containers/image library to v5.24.0
  • Updated the containers/storage library to v1.45.3
  • Updated the containers/common library to v0.51.0
podman - v4.4.0-RC2

Published by ashley-cui almost 2 years ago

This is the second release candidate of Podman v4.4.0. Full release notes are not available, but will be compiled for the next RC.

podman - v4.4.0-RC1

Published by ashley-cui almost 2 years ago

This is the first release candidate of Podman v4.4.0. Full release notes are not available, but will be compiled for the next RC.

podman - v4.3.1

Published by ashley-cui almost 2 years ago

Bugfixes

  • Fixed a deadlock between the podman ps and podman container inspect commands

Misc

  • Updated the containers/image library to v5.23.1
podman - v4.3.0

Published by mheon almost 2 years ago

Features

  • A new command, podman generate spec, has been added, which creates a JSON struct based on a given container that can be used with the Podman REST API to create containers.
  • A new command, podman update, has been added, which makes changes to the resource limits of existing containers. Please note that these changes do not persist if the container is restarted (#15067).
  • A new command, podman kube down, has been added, which removes pods and containers created by the given Kubernetes YAML (functionality is identical to podman kube play --down, but it now has its own command).
  • The podman kube play command now supports Kubernetes secrets using Podman's secrets backend.
  • Systemd-managed pods created by the podman kube play command now integrate with sd-notify, using the io.containers.sdnotify annotation (or io.containers.sdnotify/$name for specific containers).
  • Systemd-managed pods created by podman kube play can now be auto-updated, using the io.containers.auto-update annotation (or io.containers.auto-update/$name for specific containers).
  • The podman kube play command can now read YAML from URLs, e.g. podman kube play https://example.com/demo.yml (#14955).
  • The podman kube play command now supports the emptyDir volume type (#13309).
  • The podman kube play command now supports the HostUsers field in the pod spec.
  • The podman play kube command now supports binaryData in ConfigMaps.
  • The podman pod create command can now set additional resource limits for pods using the new --memory-swap, --cpuset-mems, --device-read-bps, --device-write-bps, --blkio-weight, --blkio-weight-device, and --cpu-shares options.
  • The podman machine init command now supports a new option, --username, to set the username that will be used to connect to the VM as a non-root user (#15402).
  • The podman volume create command's -o timeout= option can now set a timeout of 0, indicating volume plugin operations will never time out.
  • Added support for a new volume driver, image, which allows volumes to be created that are backed by images.
  • The podman run and podman create commands support a new option, --env-merge, allowing environment variables to be specified relative to other environment variables in the image (e.g. podman run --env-merge "PATH=$PATH:/my/app" ...) (#15288).
  • The podman run and podman create commands support a new option, --on-failure, to allow action to be taken when a container fails health checks, with the following supported actions: none (take no action, the default), kill (kill the container), restart (restart the container), and stop (stop the container).
  • The --keep-id option to podman create and podman run now supports new options, uid and gid, to set the UID and GID of the user in the container that will be mapped to the user running Podman (e.g. --userns=keep-id:uid=11 will map the user running Podman to UID 11 in the container) (#15294).
  • The podman generate systemd command now supports a new option, --env/-e, to set environment variables in the generated unit file (#15523).
  • The podman pause and podman unpause commands now support the --latest, --cidfile, and --filter options.
  • The podman restart command now supports the --cidfile and --filter options.
  • The podman rm command now supports the --filter option to select which containers will be removed.
  • The podman rmi command now supports a new option, --no-prune, to prevent the removal of dangling parents of removed images.
  • The --dns-opt option to podman create, podman run, and podman pod create has received a new alias, --dns-option, to improve Docker compatibility.
  • The podman command now features a new global flag, --debug/-D, which enables debug-level logging (identical to --log-level=debug), improving Docker compatibility.
  • The podman command now features a new global flag, --config. This flag is ignored, and is only included for Docker compatibility (#14767).
  • The podman manifest create command now accepts a new option, --amend/-a.
  • The podman manifest create, podman manifest add and podman manifest push commands now accept a new option, --insecure (identical to --tls-verify=false), improving Docker compatibility.
  • The podman secret create command's --driver and --format options now have new aliases, -d for --driver and -f for --format.
  • The podman secret create command now supports a new option, --label/-l, to add labels to created secrets.
  • The podman secret ls command now accepts the --quiet/-q option.
  • The podman secret inspect command now accepts a new option, --pretty, to print output in human-readable format.
  • The podman stats command now accepts the --no-trunc option.
  • The podman save command now accepts the --signature-policy option (#15869).
  • The podman pod inspect command now allows multiple arguments to be passed. If so, it will return a JSON array of the inspected pods (#15674).
  • A series of new hidden commands have been added under podman context as aliases to existing podman system connection commands, to improve Docker compatibility.
  • The remote Podman client now supports proxying signals for attach sessions when the --sig-proxy option is set (#14707).

Changes

  • Duplicate volume mounts are now allowed with the -v option to podman run, podman create, and podman pod create, so long as source, destination, and options all match (#4217).
  • The podman generate kube and podman play kube commands have been renamed to podman kube generate and podman kube play to group Kubernetes-related commands. Aliases have been added to ensure the old command names still function.
  • A number of Podman commands (podman init, podman container checkpoint, podman container restore, podman container cleanup) now print the user-inputted name of the container, instead of its full ID, on success.
  • When an unsupported option (e.g. resource limit) is specified for a rootless container on a cgroups v1 system, a warning message is now printed that the limit will not be honored.
  • The installer for the Windows Podman client has been improved.
  • The --cpu-rt-period and --cpu-rt-runtime options to podman run and podman create now print a warning and are ignored on cgroups v2 systems (cgroups v2 having dropped support for these controllers) (#15666).
  • Privileged containers running systemd will no longer mount /dev/tty* devices other than /dev/tty itself into the container (#15878).
  • Events for containers that are part of a pod now include the ID of the pod in the event.
  • SSH functionality for podman machine commands has seen a thorough rework, addressing many issues about authentication.
  • The --network option to podman kube play now allows passing host to set the pod to use host networking, even if the YAML does not request this.
  • The podman inspect command on containers now includes the digest of the image used to create the container.
  • Pods created by podman play kube are now, by default, placed into a network named podman-kube. If the podman-kube network does not exist, it will be created. This ensures pods can connect to each other by their names, as the network has DNS enabled.

Bugfixes

  • Fixed a bug where the podman network prune and podman container prune commands did not properly support the --filter label!= option (#14182).
  • Fixed a bug where the podman kube generate command added an unnecessary Secret: null line to generated YAML (#15156).
  • Fixed a bug where the podman kube generate command did not set enableServiceLinks and automountServiceAccountToken to false in generated YAML (#15478 and #15243).
  • Fixed a bug where the podman kube play command did not properly handle CPU limits (#15726).
  • Fixed a bug where the podman kube play command did not respect default values for liveness probes (#15855).
  • Fixed a bug where the podman kube play command did not bind ports if hostPort was not specified but containerPort was (#15942).
  • Fixed a bug where the podman kube play command sometimes did not create directories on the host for hostPath volumes.
  • Fixed a bug where the remote Podman client's podman manifest push command did not display progress.
  • Fixed a bug where the --filter "{{.Config.Healthcheck}}" option to podman image inspect did not print the image's configured healthcheck (#14661).
  • Fixed a bug where the podman volume create -o timeout= option could be specified even when no volume plugin was in use.
  • Fixed a bug where the podman rmi command did not emit untag events when removing tagged images (#15485).
  • Fixed a bug where API forwarding with podman machine VMs on Windows could sometimes fail because the pipe was not created in time (#14811).
  • Fixed a bug where the podman pod rm command could error if removal of a container in the pod was interrupted by a reboot.
  • Fixed a bug where the exited and exec died events for containers did not include the container's labels (#15617).
  • Fixed a bug where running Systemd containers on a system not using Systemd as PID 1 could fail (#15647).
  • Fixed a bug where Podman did not pass all necessary environment variables (including $PATH) to Conmon when starting containers (#15707).
  • Fixed a bug where the podman events command could function improperly when no events were present (#15688).
  • Fixed a bug where the --format flag to various Podman commands did not properly handle template strings including a newline (\n) (#13446).
  • Fixed a bug where Systemd-managed pods would kill every container in a pod when a single container exited (#14546).
  • Fixed a bug where the podman generate systemd command would generate incorrect YAML for pods created without the --name option.
  • Fixed a bug where the podman generate systemd --new command did not properly set stop timeout (#16149).
  • Fixed a bug where a broken OCI spec resulting from the system rebooting while a container is being started could cause the podman inspect command to be unable to inspect the container until it was restarted.
  • Fixed a bug where creating a container with a working directory on an overlay volume would result in the container being unable to start (#15789).
  • Fixed a bug where attempting to remove a pod with running containers without --force would not error and instead would result in the pod, and its remaining containers, being placed in an unusable state (#15526).
  • Fixed a bug where memory limits reported by podman stats could exceed the maximum memory available on the system (#15765).
  • Fixed a bug where the podman container clone command did not properly handle environment variables whose value contained an = character (#15836).
  • Fixed a bug where the remote Podman client would not print the container ID when running the podman-remote run --attach stdin command.
  • Fixed a bug where the podman machine list --format json command did not properly show machine starting status.
  • Fixed a bug where automatic updates would not error when attempting to update a container with a non-fully qualified image name (#15879).
  • Fixed a bug where the podman pod logs --latest command could panic (#15556).
  • Fixed a bug where Podman could leave lingering network namespace mounts on the system if cleaning up the network failed.
  • Fixed a bug where specifying an unsupported URI scheme for podman system service to listen at would result in a panic.
  • Fixed a bug where the podman kill command would sometimes not transition containers to the exited state (#16142).

API

  • Fixed a bug where the Compat DF endpoint reported incorrect reference counts for volumes (#15720).
  • Fixed a bug in the Compat Inspect endpoint for Networks where an incorrect network option was displayed, causing issues with docker-compose (#15580).
  • The Libpod Restore endpoint for Containers now features a new query parameter, pod, to set the pod that the container will be restored into (#15018).
  • Fixed a bug where the REST API could panic while retrieving images.
  • Fixed a bug where a cancelled connection to several endpoints could induce a memory leak.

Misc

  • Error messages when attempting to remove an image used by a non-Podman container have been improved (#15006).
  • Podman will no longer print a warning that / is not a shared mount when run inside a container (#15295).
  • Work is ongoing to port Podman to FreeBSD.
  • The output of podman generate systemd has been adjusted to improve readability.
  • A number of performance improvements have been made to podman create and podman run.
  • The manpages have been extensively reworked to ensure that options shared between commands have the same description text.
  • Updated Buildah to v1.28.0
  • Updated the containers/image library to v5.23.0
  • Updated the containers/storage library to v1.43.0
  • Updated the containers/common library to v0.50.1
podman - v4.3.0-RC1

Published by mheon about 2 years ago

This is the first release candidate for Podman v4.3.0. Full release notes are not available, and will be compiled as part of the release.

podman - v4.2.1

Published by mheon about 2 years ago

Features

  • Added support for Sigstore signatures (sigstoreSigned) to the podman image trust set and podman image trust show commands.
  • The podman image trust show command now recognizes new lookaside field names.
  • The podman image trust show command now recognizes keyPaths in signedBy entries.

Changes

  • BREAKING CHANGE: podman image trust show may now show multiple entries for the same scope, to better represent separate requirements. GPG IDs on a single row now always represent alternative keys, only one of which is required; if multiple sets of keys are required, each is represented by a single line.
  • The podman generate kube command no longer adds the bind-mount-options annotation to generated Service YAML (#15208).

Bugfixes

  • Fixed a bug where Podman could deadlock when using podman kill to send signals to containers (#15492).
  • Fixed a bug where the podman image trust set command would silently discard unknown fields.
  • Fixed a bug where the podman image trust show command would not show signature enforcement configuration for the default scope.
  • Fixed a bug where the podman image trust show command would silently ignore multiple kinds of requirements in a single scope.
  • Fixed a bug where a typo in the podman-play-kube@.service unit file would cause warnings when running systemctl status on the unit.
  • Fixed a bug where the --compress option to podman image save was incorrectly allowed with the oci-dir format.
  • Fixed a bug where the podman container clone command did not properly clone environment variables (#15242).
  • Fixed a bug where Podman would not accept environment variables with whitespace in their keys (#15251).
  • Fixed a bug where Podman would not accept file paths containing the : character, preventing some commands from being used with podman machine on Windows (#15247).
  • Fixed a bug where the podman top command would report new capabilities as unknown.
  • Fixed a bug where running Podman in a container could cause fatal errors about an inability to create cgroups (#15498).
  • Fixed a bug where the podman generate kube command could generate incorrect YAML when the bind-mount-options was used (#15170).
  • Fixed a bug where generated container names were deterministic, instead of random (#15569).
  • Fixed a bug where the podman events command would not work with custom --format specifiers (#15648).

API

  • Fixed a bug where the Compat List endpoint for Containers did not sort the HostConfig.Binds field as Docker does.
  • Fixed a bug where the Compat List endpoint for Containers sent the name (instead of ID) of the image the container was based on.
  • Fixed a bug where the Compat Connect endpoint for Networks would return an error (instead of 200) when attempting to connect a container to a network it was already connected to (#15499).
  • Fixed a bug where the Compat Events endpoint set an incorrect status for image removal events (remove instead of delete) (#15485).
podman - v4.2.0

Published by mheon about 2 years ago

Podman Desktop

As part of our work to better integrate Podman into MacOS and Windows, we have also been working on a new project, Podman Desktop, which provides a GUI to help developers interact with Podman. Podman Desktop is still in its early days, but already provides capabilities to list your images, interact with containers (access logs, get a terminal), connect to registries (pull private images, push your images) and configure podman settings (proxies).

Features

  • Podman now supports the Gitlab Runner (using the Docker executor), allowing its use in Gitlab CI/CD pipelines.
  • A new command has been added, podman pod clone, to create a copy of an existing pod. It supports several options, including --start to start the new pod, --destroy to remove the original pod, and --name to change the name of the new pod (#12843).
  • A new command has been added, podman volume reload, to sync changes in state between Podman's database and any configured volume plugins (#14207).
  • A new command has been added, podman machine info, which displays information about the host and the versions of various machine components.
  • Pods created by podman play kube can now be managed by systemd unit files. This can be done via a new systemd service, podman-play-kube@.service - e.g. systemctl --user start podman-play-kube@$(systemd-escape my.yaml).service will run the Kubernetes pod or deployment contained in my.yaml under systemd.
  • The podman play kube command now honors the RunAsUser, RunAsGroup, and SupplementalGroups setting from the Kubernetes pod's security context.
  • The podman play kube command now supports volumes with the BlockDevice and CharDevice types (#13951).
  • The podman play kube command now features a new flag, --userns, to set the user namespace of created pods. Two values are allowed at present: host and auto (#7504).
  • The podman play kube command now supports setting the type of created init containers via the io.podman.annotations.init.container.type annotation.
  • Pods now include an exit policy (configurable via the --exit-policy option to podman pod create), which determines what will happen to the pod's infra container when the entire pod stops. The default, continue, acts as Podman currently does, while a new option, stop, stops the infra container after the last container in the pod stops, and is used by default for pods from podman play kube (#13464).
  • The podman pod create command now allows the pod's name to be specified as an argument, instead of using the --name option - for example, podman pod create mypod instead of the prior podman pod create --name mypod. Please note that the --name option is not deprecated and will continue to work.
  • The podman pod create command's --share option now supports adding namespaces to the set by prefacing them with + (as opposed to specifying all namespaces that should be shared) (#13422).
  • The podman pod create command has a new option, --shm-size, to specify the size of the /dev/shm mount that will be shared if the pod shares its UTS namespace (#14609).
  • The podman pod create command has a new option, --uts, to configure the UTS namespace that will be shared by containers in the pod.
  • The podman pod create command now supports setting pod-level resource limits via the --cpus, --cpuset-cpus, and --memory options. These will set a limit for all containers in the pod, while individual containers within the pod are allowed to set further limits. Look forward to more options for resource limits in our next release!
  • The podman create and podman run commands now include the -c short option for the --cpu-shares option.
  • The podman create and podman run commands can now create containers from a manifest list (and not an image) as long as the --platform option is specified (#14773).
  • The podman build command now supports a new option, --cpp-flag, to specify options for the C preprocessor when using Containerfile.in files that require preprocessing.
  • The podman build command now supports a new option, --build-context, allowing the user to specify an additional build context.
  • The podman machine inspect command now prints the location of the VM's Podman API socket on the host (#14231).
  • The podman machine init command on Windows now fetches an image with packages pre-installed (#14698).
  • Unused, cached Podman machine VM images are now cleaned up automatically. Note that because Podman now caches in a different directory, this will not clean up old images pulled before this change (#14697).
  • The default for the --image-volume option to podman run and podman create can now have its default set through the image_volume_mode setting in containers.conf (#14230).
  • Overlay volumes now support two new options, workdir and upperdir, to allow multiple overlay volumes from different containers to reuse the same workdir or upperdir (#14427).
  • The podman volume create command now supports two new options, copy and nocopy, to control whether contents from the overmounted folder in a container will be copied into the newly-created named volume (copy-up).
  • Volumes created using a volume plugin can now specify a timeout for all operations that contact the volume plugin (replacing the standard 5 second timeout) via the --opt o=timeout= option to podman volume create (BZ 2080458).
  • The podman volume ls command's --filter name= option now supports regular expression matching for volume names (#14583).
  • When used with a podman machine VM, volumes now support specification of the 9p security model using the security_model option to podman create -v and podman run -v.
  • The remote Podman client's podman push command now supports the --remove-signatures option (#14558).
  • The remote Podman client now supports the podman image scp command.
  • The podman image scp command now supports tagging the transferred image with a new name.
  • The podman network ls command supports a new filter, --filter dangling=, to list networks not presently used by any containers (#14595).
  • The --condition option to podman wait can now be specified multiple times to wait on any one of multiple conditions.
  • The podman events command now includes the -f short option for the --filter option.
  • The podman pull command now includes the -a short option for the --all-tags option.
  • The podman stop command now includes a new flag, --filter, to filter which containers will be stopped (e.g. podman stop --all --filter label=COM.MY.APP).
  • The Podman global option --url now has two aliases: -H and --host.
  • The podman network create command now supports a new option with the default bridge driver, --opt isolate=, which isolates the network by blocking any traffic from it to any other network with the isolate option enabled. This option is enabled by default for networks created using the Docker-compatible API.
  • Added the ability to create sigstore signatures in podman push and podman manifest push.
  • Added an option to read image signing passphrase from a file.

Changes

  • Paused containers can now be killed with the podman kill command.
  • The podman system prune command now removes unused networks.
  • The --userns=keep-id and --userns=nomap options to the podman run and podman create commands are no longer allowed (instead of simply being ignored) with root Podman.
  • If the /run directory for a container is part of a volume, Podman will not create the /run/.containerenv file (#14577).
  • The podman machine stop command on macOS now waits for the machine to be completely stopped to exit (#14148).
  • All podman machine commands now only support being run as rootless, given that VMs only functioned when run rootless.
  • The podman unpause --all command will now only attempt to unpause containers that are paused, not all containers.
  • Init containers created with podman play kube now default to the once type (#14877).
  • Pods created with no shared namespaces will no longer create an infra container unless one is explicitly requested (#15048).
  • The podman create, podman run, and podman cp commands can now autocomplete paths in the image or container via the shell completion.
  • The libpod/common package has been removed as it's not used anywhere.
  • The --userns option to podman create and podman run is no longer accepted when an explicit UID or GID mapping is specified (#15233).

Bugfixes

  • Fixed a bug where bind-mounting /dev into a container which used the --init flag would cause the container to fail to start (#14251).
  • Fixed a bug where the podman image mount command would not pretty-print its output when multiple images were mounted.
  • Fixed a bug where the podman volume import command would print an unrelated error when attempting to import into a nonexistent volume (#14411).
  • Fixed a bug where the podman system reset command could race against other Podman commands (#9075).
  • Fixed a bug where privileged containers were not able to restart if the layout of host devices changed (#13899).
  • Fixed a bug where the podman cp command would overwrite directories with non-directories and vice versa. A new --overwrite flag to podman cp allows for retaining the old behavior if needed (#14420).
  • Fixed a bug where the podman machine ssh command would not preserve the exit code from the command run via ssh (#14401).
  • Fixed a bug where VMs created by podman machine would fail to start when created with more than 3072MB of RAM on Macs with M1 CPUs (#14303).
  • Fixed a bug where the podman machine init command would fail when run from C:\Windows\System32 on Windows systems (#14416).
  • Fixed a bug where the podman machine init --now did not respect proxy environment variables (#14640).
  • Fixed a bug where the podman machine init command would fail if there is no $HOME/.ssh dir (#14572).
  • Fixed a bug where the podman machine init command would add a connection even if creating the VM failed (#15154).
  • Fixed a bug where interrupting the podman machine start command could render the VM unable to start.
  • Fixed a bug where the podman machine list --format command would still print a heading.
  • Fixed a bug where the podman machine list command did not properly set the Starting field (#14738).
  • Fixed a bug where the podman machine start command could fail to start QEMU VMs when the machine name started with a number.
  • Fixed a bug where Podman Machine VMs with proxy variables could not be started more than once (#14636 and #14837).
  • Fixed a bug where containers created using the Podman API would, when the Podman API service was managed by systemd, be killed when the API service was stopped (BZ 2052697).
  • Fixed a bug where the podman -h command did not show help output.
  • Fixed a bug where the podman wait command (and the associated REST API endpoint) could return before a container had fully exited, breaking some tools like the Gitlab Runner.
  • Fixed a bug where healthchecks generated exec events, instead of health_status events (#13493).
  • Fixed a bug where the podman pod ps command could return an error when run at the same time as podman pod rm (#14736).
  • Fixed a bug where the podman system df command incorrectly calculated reclaimable storage for volumes (#13516).
  • Fixed a bug where an exported container checkpoint using a non-default OCI runtime could not be restored.
  • Fixed a bug where Podman, when used with a recent runc version, could not remove paused containers.
  • Fixed a bug where the remote Podman client's podman manifest rm command would remove images, not manifests (#14763).
  • Fixed a bug where Podman did not correctly parse wildcards for device major number in the podman run and podman create commands' --device-cgroup-rule option.
  • Fixed a bug where the podman play kube command calculated the total memory incorrectly on 32-bit systems (#14819).
  • Fixed a bug where the podman generate kube command could set ports and hostname incorrectly in generated YAML (#13030).
  • Fixed a bug where the podman system df --format "{{ json . }}" command would not output the Size and Reclaimable fields (#14769).
  • Fixed a bug where the remote Podman client's podman pull command would display duplicate progress output.
  • Fixed a bug where the podman system service command could leak memory when a client unexpectedly closed a connection when reading events or logs (#14879).
  • Fixed a bug where Podman containers could fail to run if the image did not contain an /etc/passwd file (#14966).
  • Fixed a bug where the remote Podman client's podman push command did not display progress information (#14971).
  • Fixed a bug where a lock ordering issue could cause podman pod rm to deadlock if it was run at the same time as a command that attempted to lock multiple containers at once (#14929).
  • Fixed a bug where the podman rm --force command would exit with a non-0 code if the container in question did not exist (#14612).
  • Fixed a bug where the podman container restore command would fail when attempting to restore a checkpoint for a container with the same name as an image (#15055).
  • Fixed a bug where the podman manifest push --rm command could remove images, instead of manifest lists (#15033).
  • Fixed a bug where the podman run --rm command could fail to remove the container if it failed to start (#15049).
  • Fixed a bug where the podman generate systemd --new command would create incorrect unit files when the container was created with the --sdnotify parameter (#15052).
  • Fixed a bug where the podman generate systemd --new command would fail when -h <hostname> was used to create the container (#15124).

API

  • The Docker-compatible API now supports API version v1.41 (#14204).
  • Fixed a bug where containers created via the Libpod API had an incorrect umask set (#15036).
  • Fixed a bug where the remote parameter to the Libpod API's Build endpoint for Images was nonfunctional (#13831).
  • Fixed a bug where the Libpod List endpoint for Containers did not return the application/json content type header when there were no containers present (#14647).
  • Fixed a bug where the Compat Stats endpoint for Containers could return incorrect memory limits (#14676).
  • Fixed a bug where the Compat List and Inspect endpoints for Containers could return incorrect strings for container status.
  • Fixed a bug where the Compat Create endpoint for Containers did not properly handle disabling healthchecks (#14493).
  • Fixed a bug where the Compat Create endpoint for Networks did not support the mtu, name, mode, and parent options (#14482).
  • Fixed a bug where the Compat Create endpoint for Networks did not allow the creation of networks named bridge (#14983).
  • Fixed a bug where the Compat Inspect endpoint for Networks did not properly set netmasks in the SecondaryIPAddresses and SecondaryIPv6Addresses fields (#14674).
  • The Libpod Stats endpoint for Pods now supports streaming output via two new parameters, stream and delay (#14674).

Misc

  • Podman will now check for nameservers in /run/NetworkManager/no-stub-resolv.conf if the /etc/resolv.conf file only contains a localhost server.
  • The podman build command now supports caching with builds that specify --squash-all by allowing the --layers flag to be used at the same time.
  • Podman Machine support for QEMU installations at non-default paths has been improved.
  • The podman machine ssh command no longer prints spurious warnings every time it is run.
  • When accessing the WSL prompt on Windows, the rootless user will be preferred.
  • The podman info command now includes a field for information on supported authentication plugins for improved Docker compatibility. Authentication plugins are not presently supported by Podman, so this field is always empty.
  • The podman system prune command now no longer prints the Deleted Images header if no images were pruned.
  • The podman system service command now automatically creates and moves to a sub-cgroup when running in the root cgroup (#14573).
  • Updated Buildah to v1.27.0
  • Updated the containers/image library to v5.22.0
  • Updated the containers/storage library to v1.42.0
  • Updated the containers/common library to v0.49.1
  • Podman will automatically create a sub-cgroup and move itself into it when it detects that it is running inside a container (#14884).
  • Fixed an incorrect release note about regexp.
  • A new MacOS installer (via pkginstaller) is now supported.
podman - v4.2.0-rc3

Published by lsm5 about 2 years ago

Features

  • Podman now supports the Gitlab Runner (using the Docker executor), allowing its use in Gitlab CI/CD pipelines.
  • A new command has been added, podman pod clone, to create a copy of an existing pod. It supports several options, including --start to start the new pod, --destroy to remove the original pod, and --name to change the name of the new pod (#12843).
  • A new command has been added, podman volume reload, to sync changes in state between Podman's database and any configured volume plugins (#14207).
  • A new command has been added, podman machine info, which displays information about the host and the versions of various machine components.
  • Pods created by podman play kube can now be managed by systemd unit files. This can be done via a new systemd service, podman-play-kube@.service - e.g. systemctl --user start podman-play-kube@$(systemd-escape my.yaml).service will run the Kubernetes pod or deployment contained in my.yaml under systemd.
  • The podman play kube command now honors the RunAsUser, RunAsGroup, and SupplementalGroups setting from the Kubernetes pod's security context.
  • The podman play kube command now supports volumes with the BlockDevice and CharDevice types (#13951).
  • The podman play kube command now features a new flag, --userns, to set the user namespace of created pods. Two values are allowed at present: host and auto (#7504).
  • The podman play kube command now supports setting the type of created init containers via the io.podman.annotations.init.container.type annotation.
  • Pods now include an exit policy (configurable via the --exit-policy option to podman pod create), which determines what will happen to the pod's infra container when the entire pod stops. The default, continue, acts as Podman currently does, while a new option, stop, stops the infra container after the last container in the pod stops, and is used by default for pods from podman play kube (#13464).
  • The podman pod create command now allows the pod's name to be specified as an argument, instead of using the --name option - for example, podman pod create mypod instead of the prior podman pod create --name mypod. Please note that the --name option is not deprecated and will continue to work.
  • The podman pod create command's --share option now supports adding namespaces to the set by prefacing them with + (as opposed to specifying all namespaces that should be shared) (#13422).
  • The podman pod create command has a new option, --shm-size, to specify the size of the /dev/shm mount that will be shared if the pod shares its UTS namespace (#14609).
  • The podman pod create command has a new option, --uts, to configure the UTS namespace that will be shared by containers in the pod.
  • The podman pod create command now supports setting pod-level resource limits via the --cpus, --cpuset-cpus, and --memory options. These will set a limit for all containers in the pod, while individual containers within the pod are allowed to set further limits. Look forward to more options for resource limits in our next release!
  • The podman create and podman run commands now include the -c short option for the --cpu-shares option.
  • The podman create and podman run commands can now create containers from a manifest list (and not an image) as long as the --platform option is specified (#14773).
  • The podman build command now supports a new option, --cpp-flag, to specify options for the C preprocessor when using Containerfile.in files that require preprocessing.
  • The podman build command now supports a new option, --build-context, allowing the user to specify an additional build context.
  • The podman machine inspect command now prints the location of the VM's Podman API socket on the host (#14231).
  • The podman machine init command on Windows now fetches an image with packages pre-installed (#14698).
  • Unused, cached Podman machine VM images are now cleaned up automatically. Note that because Podman now caches in a different directory, this will not clean up old images pulled before this change (#14697).
  • The default for the --image-volume option to podman run and podman create can now be set through the image_volume_mode setting in containers.conf (#14230).
  • Overlay volumes now support two new options, workdir and upperdir, to allow multiple overlay volumes from different containers to reuse the same workdir or upperdir (#14427).
  • The podman volume create command now supports two new options, copy and nocopy, to control whether contents from the overmounted folder in a container will be copied into the newly-created named volume (copy-up).
  • Volumes created using a volume plugin can now specify a timeout for all operations that contact the volume plugin (replacing the standard 5 second timeout) via the --opt o=timeout= option to podman volume create (BZ 2080458).
  • The podman volume ls command's --filter name= option now supports regular expression matching for volume names (#14583).
  • When used with a podman machine VM, volumes now support specification of the 9p security model using the security_model option to podman create -v and podman run -v.
  • The remote Podman client's podman push command now supports the --remove-signatures option (#14558).
  • The remote Podman client now supports the podman image scp command.
  • The podman image scp command now supports tagging the transferred image with a new name.
  • The podman network ls command supports a new filter, --filter dangling=, to list networks not presently used by any containers (#14595).
  • The --condition option to podman wait can now be specified multiple times to wait on any one of multiple conditions.
  • The podman events command now includes the -f short option for the --filter option.
  • The podman pull command now includes the -a short option for the --all-tags option.
  • The podman stop command now includes a new flag, --filter, to filter which containers will be stopped (e.g. podman stop --all --filter label=COM.MY.APP).
  • The Podman global option --url now has two aliases: -H and --host.
  • The podman network create command now supports a new option with the default bridge driver, --opt isolate=, which isolates the network by blocking any traffic from it to any other network with the isolate option enabled. This option is enabled by default for networks created using the Docker-compatible API.
  • Added the ability to create sigstore signatures in podman push and podman manifest push.
  • Added an option to read image signing passphrase from a file.

Changes

  • Paused containers can now be killed with the podman kill command.
  • The podman system prune command now removes unused networks.
  • The --userns=keep-id and --userns=nomap options to the podman run and podman create commands are no longer allowed (instead of simply being ignored) with root Podman.
  • If the /run directory for a container is part of a volume, Podman will not create the /run/.containerenv file (#14577).
  • The podman machine stop command on macOS now waits for the machine to be completely stopped to exit (#14148).
  • All podman machine commands now only support being run as rootless, given that VMs only functioned when run rootless.
  • The podman unpause --all command will now only attempt to unpause containers that are paused, not all containers.
  • Init containers created with podman play kube now default to the once type (#14877).
  • Pods created with no shared namespaces will no longer create an infra container unless one is explicitly requested (#15048).
  • The podman create, podman run, and podman cp commands can now autocomplete paths in the image or container via the shell completion.
  • The libpod/common package has been removed as it's not used anywhere.

Bugfixes

  • Fixed a bug where bind-mounting /dev into a container which used the --init flag would cause the container to fail to start (#14251).
  • Fixed a bug where the podman image mount command would not pretty-print its output when multiple images were mounted.
  • Fixed a bug where the podman volume import command would print an unrelated error when attempting to import into a nonexistent volume (#14411).
  • Fixed a bug where the podman system reset command could race against other Podman commands (#9075).
  • Fixed a bug where privileged containers were not able to restart if the layout of host devices changed (#13899).
  • Fixed a bug where the podman cp command would overwrite directories with non-directories and vice versa. A new --overwrite flag to podman cp allows for retaining the old behavior if needed (#14420).
  • Fixed a bug where the podman machine ssh command would not preserve the exit code from the command run via ssh (#14401).
  • Fixed a bug where VMs created by podman machine would fail to start when created with more than 3072MB of RAM on Macs with M1 CPUs (#14303).
  • Fixed a bug where the podman machine init command would fail when run from C:\Windows\System32 on Windows systems (#14416).
  • Fixed a bug where the podman machine init --now did not respect proxy environment variables (#14640).
  • Fixed a bug where the podman machine init command would fail if there was no $HOME/.ssh directory (#14572).
  • Fixed a bug where interrupting the podman machine start command could render the VM unable to start.
  • Fixed a bug where the podman machine list --format command would still print a heading.
  • Fixed a bug where the podman machine list command did not properly set the Starting field (#14738).
  • Fixed a bug where the podman machine start command could fail to start QEMU VMs when the machine name started with a number.
  • Fixed a bug where Podman Machine VMs with proxy variables could not be started more than once (#14636 and #14837).
  • Fixed a bug where containers created using the Podman API would, when the Podman API service was managed by systemd, be killed when the API service was stopped (BZ 2052697).
  • Fixed a bug where the podman -h command did not show help output.
  • Fixed a bug where the podman wait command (and the associated REST API endpoint) could return before a container had fully exited, breaking some tools like the Gitlab Runner.
  • Fixed a bug where healthchecks generated exec events, instead of health_status events (#13493).
  • Fixed a bug where the podman pod ps command could return an error when run at the same time as podman pod rm (#14736).
  • Fixed a bug where the podman system df command incorrectly calculated reclaimable storage for volumes (#13516).
  • Fixed a bug where an exported container checkpoint using a non-default OCI runtime could not be restored.
  • Fixed a bug where Podman, when used with a recent runc version, could not remove paused containers.
  • Fixed a bug where the remote Podman client's podman manifest rm command would remove images, not manifests (#14763).
  • Fixed a bug where Podman did not correctly parse wildcards for device major number in the podman run and podman create commands' --device-cgroup-rule option.
  • Fixed a bug where the podman play kube command calculated the total memory incorrectly on 32-bit systems (#14819).
  • Fixed a bug where the podman generate kube command could set ports and hostname incorrectly in generated YAML (#13030).
  • Fixed a bug where the podman system df --format "{{ json . }}" command would not output the Size and Reclaimable fields (#14769).
  • Fixed a bug where the remote Podman client's podman pull command would display duplicate progress output.
  • Fixed a bug where the podman system service command could leak memory when a client unexpectedly closed a connection when reading events or logs (#14879).
  • Fixed a bug where Podman containers could fail to run if the image did not contain an /etc/passwd file (#14966).
  • Fixed a bug where the remote Podman client's podman push command did not display progress information (#14971).
  • Fixed a bug where a lock ordering issue could cause podman pod rm to deadlock if it was run at the same time as a command that attempted to lock multiple containers at once (#14929).

API

  • The Docker-compatible API now supports API version v1.41 (#14204).
  • Fixed a bug where containers created via the Libpod API had an incorrect umask set (#15036).
  • Fixed a bug where the remote parameter to the Libpod API's Build endpoint for Images was nonfunctional (#13831).
  • Fixed a bug where the Libpod List endpoint for Containers did not return the application/json content type header when there were no containers present (#14647).
  • Fixed a bug where the Compat Stats endpoint for Containers could return incorrect memory limits (#14676).
  • Fixed a bug where the Compat List and Inspect endpoints for Containers could return incorrect strings for container status.
  • Fixed a bug where the Compat Create endpoint for Containers did not properly handle disabling healthchecks (#14493).
  • Fixed a bug where the Compat Create endpoint for Networks did not support the mtu, name, mode, and parent options (#14482).
  • Fixed a bug where the Compat Create endpoint for Networks did not allow the creation of networks named bridge (#14983).
  • Fixed a bug where the Compat Inspect endpoint for Networks did not properly set netmasks in the SecondaryIPAddresses and SecondaryIPv6Addresses fields (#14674).
  • The Libpod Stats endpoint for Pods now supports streaming output via two new parameters, stream and delay (#14674).

Misc

  • Podman will now check for nameservers in /run/NetworkManager/no-stub-resolv.conf if the /etc/resolv.conf file only contains a localhost server.
  • The podman build command now supports caching with builds that specify --squash-all by allowing the --layers flag to be used at the same time.
  • Podman Machine support for QEMU installations at non-default paths has been improved.
  • The podman machine ssh command no longer prints spurious warnings every time it is run.
  • The podman info command now includes a field for information on supported authentication plugins for improved Docker compatibility. Authentication plugins are not presently supported by Podman, so this field is always empty.
  • The podman system prune command no longer prints the Deleted Images header if no images were pruned.
  • The podman system service command now automatically creates and moves to a sub-cgroup when running in the root cgroup (#14573).
  • Podman will automatically create a sub-cgroup and move itself into it when it detects that it is running inside a container (#14884).
  • Fixed an incorrect release note about regexp.
  • macOS pkginstaller support is now included.

podman - v4.2.0-RC2

Published by mheon about 2 years ago

This is the second release candidate for Podman v4.2.0. We expect a further RC next week, and a final release a week later. Preliminary release notes are attached.

Features

  • Podman now supports the Gitlab Runner (using the Docker executor), allowing its use in Gitlab CI/CD pipelines.
  • A new command has been added, podman pod clone, to create a copy of an existing pod. It supports several options, including --start to start the new pod, --destroy to remove the original pod, and --name to change the name of the new pod (#12843).
  • A new command has been added, podman volume reload, to sync changes in state between Podman's database and any configured volume plugins (#14207).
  • A new command has been added, podman machine info, which displays information about the host and the versions of various machine components.
  • Pods created by podman play kube can now be managed by systemd unit files. This can be done via a new systemd service, podman-play-kube@.service - e.g. systemctl --user start podman-play-kube@$(systemd-escape my.yaml).service will run the Kubernetes pod or deployment contained in my.yaml under systemd.
  • The podman play kube command now honors the RunAsUser, RunAsGroup, and SupplementalGroups setting from the Kubernetes pod's security context.
  • The podman play kube command now supports volumes with the BlockDevice and CharDevice types (#13951).
  • The podman play kube command now features a new flag, --userns, to set the user namespace of created pods. Two values are allowed at present: host and auto (#7504).
  • The podman play kube command now supports setting the type of created init containers via the io.podman.annotations.init.container.type annotation.
  • Pods now include an exit policy (configurable via the --exit-policy option to podman pod create), which determines what will happen to the pod's infra container when the entire pod stops. The default, continue, acts as Podman currently does, while a new option, stop, stops the infra container after the last container in the pod stops, and is used by default for pods from podman play kube (#13464).
  • The podman pod create command now allows the pod's name to be specified as an argument, instead of using the --name option - for example, podman pod create mypod instead of the prior podman pod create --name mypod. Please note that the --name option is not deprecated and will continue to work.
  • The podman pod create command's --share option now supports adding namespaces to the set by prefacing them with + (as opposed to specifying all namespaces that should be shared) (#13422).
  • The podman pod create command has a new option, --shm-size, to specify the size of the /dev/shm mount that will be shared if the pod shares its UTS namespace (#14609).
  • The podman pod create command has a new option, --uts, to configure the UTS namespace that will be shared by containers in the pod.
  • The podman pod create command now supports setting pod-level resource limits via the --cpus, --cpuset-cpus, and --memory options. These will set a limit for all containers in the pod, while individual containers within the pod are allowed to set further limits. Look forward to more options for resource limits in our next release!
  • The podman create and podman run commands now include the -c short option for the --cpu-shares option.
  • The podman create and podman run commands can now create containers from a manifest list (and not an image) as long as the --platform option is specified (#14773).
  • The podman build command now supports a new option, --cpp-flag, to specify options for the C preprocessor when using Containerfile.in files that require preprocessing.
  • The podman build command now supports a new option, --build-context, allowing the user to specify an additional build context.
  • The podman machine inspect command now prints the location of the VM's Podman API socket on the host (#14231).
  • The podman machine init command on Windows now fetches an image with packages pre-installed (#14698).
  • Unused, cached Podman machine VM images are now cleaned up automatically. Note that because Podman now caches in a different directory, this will not clean up old images pulled before this change (#14697).
  • The default for the --image-volume option to podman run and podman create can now be set through the image_volume_mode setting in containers.conf (#14230).
  • Overlay volumes now support two new options, workdir and upperdir, to allow multiple overlay volumes from different containers to reuse the same workdir or upperdir (#14427).
  • The podman volume create command now supports two new options, copy and nocopy, to control whether contents from the overmounted folder in a container will be copied into the newly-created named volume (copy-up).
  • Volumes created using a volume plugin can now specify a timeout for all operations that contact the volume plugin (replacing the standard 5 second timeout) via the --opt o=timeout= option to podman volume create (BZ 2080458).
  • The podman volume ls command's --filter name= option now supports regular expression matching for volume names (#14583).
  • When used with a podman machine VM, volumes now support specification of the 9p security model using the security_model option to podman create -v and podman run -v.
  • The remote Podman client's podman push command now supports the --remove-signatures option (#14558).
  • The remote Podman client now supports the podman image scp command.
  • The podman image scp command now supports tagging the transferred image with a new name.
  • The podman network ls command supports a new filter, --filter dangling=, to list networks not presently used by any containers (#14595).
  • The --condition option to podman wait can now be specified multiple times to wait on any one of multiple conditions.
  • The podman events command now includes the -f short option for the --filter option.
  • The podman pull command now includes the -a short option for the --all-tags option.
  • The podman stop command now includes a new flag, --filter, to filter which containers will be stopped (e.g. podman stop --all --filter label=COM.MY.APP).
  • The Podman global option --url now has two aliases: -H and --host.
  • The podman network create command now supports a new option with the default bridge driver, --opt isolate=, which isolates the network by blocking any traffic from it to any other network with the isolate option enabled. This option is enabled by default for networks created using the Docker-compatible API.

Changes

  • Paused containers can now be killed with the podman kill command.
  • The podman system prune command now removes unused networks.
  • The --userns=keep-id and --userns=nomap options to the podman run and podman create commands are no longer allowed (instead of simply being ignored) with root Podman.
  • If the /run directory for a container is part of a volume, Podman will not create the /run/.containerenv file (#14577).
  • The podman machine stop command on macOS now waits for the machine to be completely stopped to exit (#14148).
  • All podman machine commands now only support being run as rootless, given that VMs only functioned when run rootless.
  • The podman unpause --all command will now only attempt to unpause containers that are paused, not all containers.
  • Init containers created with podman play kube now default to the once type (#14877).
  • Pods created with no shared namespaces will no longer create an infra container unless one is explicitly requested (#15048).
  • The podman create, podman run, and podman cp commands can now autocomplete paths in the image or container via the shell completion.

Bugfixes

  • Fixed a bug where bind-mounting /dev into a container which used the --init flag would cause the container to fail to start (#14251).
  • Fixed a bug where the podman image mount command would not pretty-print its output when multiple images were mounted.
  • Fixed a bug where the podman volume import command would print an unrelated error when attempting to import into a nonexistent volume (#14411).
  • Fixed a bug where the podman system reset command could race against other Podman commands (#9075).
  • Fixed a bug where privileged containers were not able to restart if the layout of host devices changed (#13899).
  • Fixed a bug where the podman cp command would overwrite directories with non-directories and vice versa. A new --overwrite flag to podman cp allows for retaining the old behavior if needed (#14420).
  • Fixed a bug where the podman machine ssh command would not preserve the exit code from the command run via ssh (#14401).
  • Fixed a bug where VMs created by podman machine would fail to start when created with more than 3072MB of RAM on Macs with M1 CPUs (#14303).
  • Fixed a bug where the podman machine init command would fail when run from C:\Windows\System32 on Windows systems (#14416).
  • Fixed a bug where the podman machine init --now did not respect proxy environment variables (#14640).
  • Fixed a bug where the podman machine init command would fail if there was no $HOME/.ssh directory (#14572).
  • Fixed a bug where interrupting the podman machine start command could render the VM unable to start.
  • Fixed a bug where the podman machine list --format command would still print a heading.
  • Fixed a bug where the podman machine list command did not properly set the Starting field (#14738).
  • Fixed a bug where the podman machine start command could fail to start QEMU VMs when the machine name started with a number.
  • Fixed a bug where Podman Machine VMs with proxy variables could not be started more than once (#14636 and #14837).
  • Fixed a bug where containers created using the Podman API would, when the Podman API service was managed by systemd, be killed when the API service was stopped (BZ 2052697).
  • Fixed a bug where the podman -h command did not show help output.
  • Fixed a bug where the podman wait command (and the associated REST API endpoint) could return before a container had fully exited, breaking some tools like the Gitlab Runner.
  • Fixed a bug where healthchecks generated exec events, instead of health_status events (#13493).
  • Fixed a bug where the podman pod ps command could return an error when run at the same time as podman pod rm (#14736).
  • Fixed a bug where the podman system df command incorrectly calculated reclaimable storage for volumes (#13516).
  • Fixed a bug where an exported container checkpoint using a non-default OCI runtime could not be restored.
  • Fixed a bug where Podman, when used with a recent runc version, could not remove paused containers.
  • Fixed a bug where the remote Podman client's podman manifest rm command would remove images, not manifests (#14763).
  • Fixed a bug where Podman did not correctly parse wildcards for device major number in the podman run and podman create commands' --device-cgroup-rule option.
  • Fixed a bug where the podman play kube command calculated the total memory incorrectly on 32-bit systems (#14819).
  • Fixed a bug where the podman generate kube command could set ports and hostname incorrectly in generated YAML (#13030).
  • Fixed a bug where the podman system df --format "{{ json . }}" command would not output the Size and Reclaimable fields (#14769).
  • Fixed a bug where the remote Podman client's podman pull command would display duplicate progress output.
  • Fixed a bug where the podman system service command could leak memory when a client unexpectedly closed a connection when reading events or logs (#14879).
  • Fixed a bug where Podman containers could fail to run if the image did not contain an /etc/passwd file (#14966).
  • Fixed a bug where the remote Podman client's podman push command did not display progress information (#14971).
  • Fixed a bug where a lock ordering issue could cause podman pod rm to deadlock if it was run at the same time as a command that attempted to lock multiple containers at once (#14929).

API

  • The Docker-compatible API now supports API version v1.41 (#14204).
  • Fixed a bug where containers created via the Libpod API had an incorrect umask set (#15036).
  • Fixed a bug where the remote parameter to the Libpod API's Build endpoint for Images was nonfunctional (#13831).
  • Fixed a bug where the Libpod List endpoint for Containers did not return the application/json content type header when there were no containers present (#14647).
  • Fixed a bug where the Compat Stats endpoint for Containers could return incorrect memory limits (#14676).
  • Fixed a bug where the Compat List and Inspect endpoints for Containers could return incorrect strings for container status.
  • Fixed a bug where the Compat Create endpoint for Containers did not properly handle disabling healthchecks (#14493).
  • Fixed a bug where the Compat Create endpoint for Networks did not support the mtu, name, mode, and parent options (#14482).
  • Fixed a bug where the Compat Create endpoint for Networks did not allow the creation of networks named bridge (#14983).
  • Fixed a bug where the Compat Inspect endpoint for Networks did not properly set netmasks in the SecondaryIPAddresses and SecondaryIPv6Addresses fields (#14674).
  • The Libpod Stats endpoint for Pods now supports streaming output via two new parameters, stream and delay (#14674).

Misc

  • Podman will now check for nameservers in /run/NetworkManager/no-stub-resolv.conf if the /etc/resolv.conf file only contains a localhost server.
  • The podman build command now supports caching with builds that specify --squash-all by allowing the --layers flag to be used at the same time.
  • Podman Machine support for QEMU installations at non-default paths has been improved.
  • The podman machine ssh command no longer prints spurious warnings every time it is run.
  • The podman info command now includes a field for information on supported authentication plugins for improved Docker compatibility. Authentication plugins are not presently supported by Podman, so this field is always empty.
  • The podman system prune command no longer prints the Deleted Images header if no images were pruned.
  • The podman system service command now automatically creates and moves to a sub-cgroup when running in the root cgroup (#14573).
  • Podman will automatically create a sub-cgroup and move itself into it when it detects that it is running inside a container (#14884).