podman

Podman: A tool for managing OCI containers and pods.

APACHE-2.0 License


podman - v3.4.2

Published by mheon almost 3 years ago

Bugfixes

  • Fixed a bug where podman tag could not tag manifest lists (#12046).
  • Fixed a bug where built-in volumes specified by images would not be created correctly under some circumstances.
  • Fixed a bug where, when using Podman Machine on OS X, containers in pods did not have working port forwarding from the host (#12207).
  • Fixed a bug where the podman network reload command on containers using the slirp4netns network mode and the rootlessport port forwarding driver would make an unnecessary attempt to restart rootlessport on containers that did not forward ports.
  • Fixed a bug where the podman generate kube command would generate YAML including some unnecessary (set to default) fields (e.g. empty SELinux and DNS configuration blocks, and the privileged flag when set to false) (#11995).
  • Fixed a bug where the podman pod rm command could, if interrupted at the right moment, leave a reference to an already-removed infra container behind (#12034).
  • Fixed a bug where the podman pod rm command would not remove pods with more than one container if all containers save for the infra container were stopped unless --force was specified (#11713).
  • Fixed a bug where the --memory flag to podman run and podman create did not accept a limit of 0 (which should specify unlimited memory) (#12002).
  • Fixed a bug where the remote Podman client's podman build command could attempt to build a Dockerfile in the working directory of the podman system service instance instead of the Dockerfile specified by the user (#12054).
  • Fixed a bug where the podman logs --tail command could function improperly (printing more output than requested) when the journald log driver was used.
  • Fixed a bug where containers run using the slirp4netns network mode with IPv6 enabled would not have IPv6 connectivity until several seconds after they started (#11062).
  • Fixed a bug where some Podman commands could cause an extra dbus-daemon process to be created (#9727).
  • Fixed a bug where rootless Podman would sometimes print warnings about a failure to move the pause process into a given CGroup (#12065).
  • Fixed a bug where the checkpointed field in podman inspect on a container was not set to false after a container was restored.
  • Fixed a bug where the podman system service command would print overly-verbose logs about request IDs (#12181).
  • Fixed a bug where Podman could, when creating a new container without a name explicitly specified by the user, sometimes use an auto-generated name already in use by another container if multiple containers were being created in parallel (#11735).

podman - v3.4.1

Published by mheon almost 3 years ago

Bugfixes

  • Fixed a bug where podman machine init could, under some circumstances, create invalid machine configurations which could not be started (#11824).
  • Fixed a bug where the podman machine list command would not properly populate some output fields.
  • Fixed a bug where podman machine rm could leave dangling sockets from the removed machine (#11393).
  • Fixed a bug where podman run --pids-limit=-1 was not supported (it now sets the PID limit in the container to unlimited) (#11782).
  • Fixed a bug where podman run and podman attach could throw errors about a closed network connection when STDIN was closed by the client (#11856).
  • Fixed a bug where the podman stop command could fail when run on a container that had another podman stop command run on it previously.
  • Fixed a bug where the --sync flag to podman ps was nonfunctional.
  • Fixed a bug where the Windows and OS X remote clients' podman stats command would fail (#11909).
  • Fixed a bug where the podman play kube command did not properly handle environment variables whose values contained an = (#11891).
  • Fixed a bug where the podman generate kube command could generate invalid annotations when run on containers with volumes that use SELinux relabelling (:z or :Z) (#11929).
  • Fixed a bug where the podman generate kube command would generate YAML including some unnecessary (set to default) fields (e.g. user and group, entrypoint, default protocol for forwarded ports) (#11914, #11915, and #11965).
  • Fixed a bug where the podman generate kube command could, under some circumstances, generate YAML including an invalid targetPort field for forwarded ports (#11930).
  • Fixed a bug where rootless Podman's podman info command could, under some circumstances, not read available CGroup controllers (#11931).
  • Fixed a bug where podman container checkpoint --export would fail to checkpoint any container created with --log-driver=none (#11974).

API

  • Fixed a bug where the Compat Create endpoint for Containers could panic when no options were passed to a bind mount of tmpfs (#11961).

podman - v3.4.0

Published by mheon about 3 years ago

Features

  • Pods now support init containers! Init containers are containers which run before the rest of the pod starts. There are two types of init containers: "always", which always run before the pod is started, and "once", which only run the first time the pod starts and are subsequently removed. They can be added using the podman create command's --init-ctr option.
  • Support for init containers has also been added to podman play kube and podman generate kube - init containers contained in Kubernetes YAML will be created as Podman init containers, and YAML generated by Podman will include any init containers created.
  • The podman play kube command now supports building images. If the --build option is given and a directory with the name of the specified image exists in the current working directory and contains a valid Containerfile or Dockerfile, the image will be built and used for the container.
  • The podman play kube command now supports a new option, --down, which removes any pods and containers created by the given Kubernetes YAML.
  • The podman generate kube command now generates annotations for SELinux mount options on volumes (:z and :Z) that are respected by the podman play kube command.
  • A new command has been added, podman pod logs, to return logs for all containers in a pod at the same time.
  • Two new commands have been added, podman volume export (to export a volume to a tar file) and podman volume import (to populate a volume from a given tar file).
  • The podman auto-update command now supports simple rollbacks. If a container fails to start after an automatic update, it will be rolled back to the previous image and restarted again.
  • Pods now share their user namespace by default, and the podman pod create command now supports the --userns option. This allows rootless pods to be created with the --userns=keep-id option.
  • The podman pod ps command now supports a new filter with its --filter option, until, which returns pods created before a given timestamp.
  • The podman image scp command has been added. This command allows images to be transferred between different hosts.
  • The podman stats command supports a new option, --interval, to specify the amount of time before the information is refreshed.
  • The podman inspect command now includes ports exposed (but not published) by containers (e.g. ports from --expose when --publish-all is not specified).
  • The podman inspect command now has a new boolean value, Checkpointed, which indicates that a container was stopped as a result of a podman container checkpoint operation.
  • Volumes created by podman volume create now support setting quotas when run atop XFS. The size and inode options allow the maximum size and maximum number of inodes consumed by a volume to be limited.
  • The podman info command now outputs information on what log drivers, network drivers, and volume plugins are available for use (#11265).
  • The podman info command now outputs the current log driver in use, and the variant and codename of the distribution in use.
  • The parameters of the VM created by podman machine init (amount of disk space, memory, CPUs) can now be set in containers.conf.
  • The podman machine ls command now shows additional information (CPUs, memory, disk size) about VMs managed by podman machine.
  • The podman ps command now includes healthcheck status in container state for containers that have healthchecks (#11527).

Changes

  • The podman build command has a new alias, podman buildx, to improve compatibility with Docker. We have already added support for many docker buildx flags to podman build and aim to continue to do so.
  • Cases where Podman is run without a user session or a writable temporary files directory will now produce better error messages.
  • The default log driver has been changed from file to journald. The file driver did not properly support log rotation, so this should lead to a better experience. If journald is not available on the system, Podman will automatically revert to the file driver.
  • Podman no longer depends on ip for removing networks (#11403).
  • The deprecated --macvlan flag to podman network create now warns when it is used. It will be removed entirely in the Podman 4.0 release.
  • The podman machine start command now prints a message when the VM is successfully started.
  • The podman stats command can now be used on containers that are paused.
  • The podman unshare command will now return the exit code of the command that was run in the user namespace (assuming the command was successfully run).
  • Successful healthchecks will no longer add a healthy line to the system log to reduce log spam.
  • As a temporary workaround for a lack of shortname prompts in the Podman remote client, VMs created by podman machine now default to only using the docker.io registry.

Bugfixes

  • Fixed a bug where whitespace in the definition of sysctls (particularly default sysctls specified in containers.conf) would cause them to be parsed incorrectly.
  • Fixed a bug where the Windows remote client improperly validated volume paths (#10900).
  • Fixed a bug where the first line of logs from a container run with the journald log driver could be skipped.
  • Fixed a bug where images created by podman commit did not include ports exposed by the container.
  • Fixed a bug where the podman auto-update command would ignore the io.containers.autoupdate.authfile label when pulling images (#11171).
  • Fixed a bug where the --workdir option to podman create and podman run could not be set to a directory where a volume was mounted (#11352).
  • Fixed a bug where systemd socket-activation did not properly work with systemd-managed Podman containers (#10443).
  • Fixed a bug where environment variable secrets added to a container were not available to exec sessions launched in the container.
  • Fixed a bug where rootless containers could fail to start the rootlessport port-forwarding service when XDG_RUNTIME_DIR was set to a long path.
  • Fixed a bug where arguments to the --systemd option to podman create and podman run were case-sensitive (#11387).
  • Fixed a bug where the podman manifest rm command would also remove images referenced by the manifest, not just the manifest itself (#11344).
  • Fixed a bug where the Podman remote client on OS X would not function properly if the TMPDIR environment variable was not set (#11418).
  • Fixed a bug where the /etc/hosts file was not guaranteed to contain an entry for localhost (this is still not guaranteed if --net=host is used; such containers will exactly match the host's /etc/hosts) (#11411).
  • Fixed a bug where the podman machine start command could print warnings about unsupported CPU features (#11421).
  • Fixed a bug where the podman info command could segfault when accessing cgroup information.
  • Fixed a bug where the podman logs -f command could hang when a container exited (#11461).
  • Fixed a bug where the podman generate systemd command could not be used on containers that specified a restart policy (#11438).
  • Fixed a bug where the remote Podman client's podman build command would fail to build containers if the UID and GID on the client were higher than 65536 (#11474).
  • Fixed a bug where the remote Podman client's podman build command would fail to build containers if the context directory was a symlink (#11732).
  • Fixed a bug where the --network flag to podman play kube was not properly parsed when a non-bridge network configuration was specified.
  • Fixed a bug where the podman inspect command could error when the container being inspected was removed as it was being inspected (#11392).
  • Fixed a bug where the podman play kube command ignored the default pod infra image specified in containers.conf.
  • Fixed a bug where the --format option to podman inspect was nonfunctional under some circumstances (#8785).
  • Fixed a bug where the remote Podman client's podman run and podman exec commands could skip a byte of output every 8192 bytes (#11496).
  • Fixed a bug where the podman stats command would print nonsensical results if the container restarted while it was running (#11469).
  • Fixed a bug where the remote Podman client would error when STDOUT was redirected on a Windows client (#11444).
  • Fixed a bug where the podman run command could return 0 when the application in the container exited with 125 (#11540).
  • Fixed a bug where containers with --restart=always set using the rootlessport port-forwarding service could not be restarted automatically.
  • Fixed a bug where the --cgroups=split option to podman create and podman run was silently discarded if the container was part of a pod.
  • Fixed a bug where the podman container runlabel command could fail if the image name given included a tag.
  • Fixed a bug where Podman could add an extra 127.0.0.1 entry to /etc/hosts under some circumstances (#11596).
  • Fixed a bug where the remote Podman client's podman untag command did not properly handle tags including a digest (#11557).
  • Fixed a bug where the --format option to podman ps did not properly support the table argument for tabular output.
  • Fixed a bug where the --filter option to podman ps did not properly handle filtering by healthcheck status (#11687).
  • Fixed a bug where the podman run and podman start --attach commands could race when retrieving the exit code of a container that had already been removed (e.g. by an external podman rm -f), resulting in an error (#11633).
  • Fixed a bug where the podman generate kube command would add default environment variables to generated YAML.
  • Fixed a bug where the podman generate kube command would add the default CMD from the image to generated YAML (#11672).
  • Fixed a bug where the podman rm --storage command could fail to remove containers under some circumstances (#11207).
  • Fixed a bug where the podman machine ssh command could fail when run on Linux (#11731).
  • Fixed a bug where the podman stop command would error when used on a container that was already stopped (#11740).
  • Fixed a bug where renaming a container in a pod using the podman rename command, then removing the pod using podman pod rm, could cause Podman to believe the new name of the container was permanently in use, despite the container being removed (#11750).

API

  • The Libpod Pull endpoint for Images now has a new query parameter, quiet, which (when set to true) suppresses image pull progress reports (#10612).
  • The Compat Events endpoint now includes several deprecated fields from the Docker v1.21 API for improved compatibility with older clients.
  • The Compat List and Inspect endpoints for Images now prefix image IDs with sha256: for improved Docker compatibility (#11623).
  • The Compat Create endpoint for Containers now properly sets defaults for healthcheck-related fields (#11225).
  • The Compat Create endpoint for Containers now supports volume options provided by the Mounts field (#10831).
  • The Compat List endpoint for Secrets now supports a new query parameter, filter, which allows returned results to be filtered.
  • The Compat Auth endpoint now returns the correct response code (500 instead of 400) when logging into a registry fails.
  • The Version endpoint now includes information about the OCI runtime and Conmon in use (#11227).
  • Fixed a bug where the X-Registry-Config header was not properly handled, leading to errors when pulling images (#11235).
  • Fixed a bug where invalid query parameters could cause a null pointer dereference when creating error messages.
  • Logging of API requests and responses at trace level has been greatly improved, including the addition of an X-Reference-Id header to correlate requests and responses (#10053).

Misc

  • Updated Buildah to v1.23.1
  • Updated the containers/storage library to v1.36.0
  • Updated the containers/image library to v5.16.0
  • Updated the containers/common library to v0.44.0

podman - v3.4.0-RC2

Published by mheon about 3 years ago

This is the second release candidate for Podman v3.4.0. Preliminary release notes are below:

Features

  • Pods now support init containers! Init containers are containers which run before the rest of the pod starts. There are two types of init containers: "always", which always run before the pod is started, and "once", which only run the first time the pod starts and are subsequently removed. They can be added using the podman create command's --init-ctr option.
  • Support for init containers has also been added to podman play kube and podman generate kube - init containers contained in Kubernetes YAML will be created as Podman init containers, and YAML generated by Podman will include any init containers created.
  • The podman play kube command now supports building images. If the --build option is given and a directory with the name of the specified image exists in the current working directory and contains a valid Containerfile or Dockerfile, the image will be built and used for the container.
  • The podman play kube command now supports a new option, --teardown, which removes any pods and containers created by the given Kubernetes YAML.
  • A new command has been added, podman pod logs, to return logs for all containers in a pod at the same time.
  • Two new commands have been added, podman volume export (to export a volume to a tar file) and podman volume import (to populate a volume from a given tar file).
  • The podman auto-update command now supports simple rollbacks. If a container fails to start after an automatic update, it will be rolled back to the previous image and restarted again.
  • Pods now share their user namespace by default, and the podman pod create command now supports the --userns option. This allows rootless pods to be created with the --userns=keep-id option.
  • The podman pod ps command now supports a new filter with its --filter option, until, which returns pods created before a given timestamp.
  • The podman image scp command has been added. This command allows images to be transferred between different hosts.
  • The podman stats command supports a new option, --interval, to specify the amount of time before the information is refreshed.
  • The podman inspect command now includes ports exposed (but not published) by containers (e.g. ports from --expose when --publish-all is not specified).
  • The podman inspect command now has a new boolean value, Checkpointed, which indicates that a container was stopped as a result of a podman container checkpoint operation.
  • Volumes created by podman volume create now support setting quotas when run atop XFS. The size and inode options allow the maximum size and maximum number of inodes consumed by a volume to be limited.
  • The podman info command now outputs information on what log drivers, network drivers, and volume plugins are available for use (#11265).
  • The podman info command now outputs the current log driver in use, and the variant and codename of the distribution in use.

Changes

  • The podman build command has a new alias, podman buildx, to improve compatibility with Docker. We have already added support for many docker buildx flags to podman build and aim to continue to do so.
  • Podman commands run as root now ignore XDG_RUNTIME_DIR when determining where to place temporary files, which should resolve a number of issues including #10745 and #10806.
  • Cases where Podman is run without a user session or a writable temporary files directory will now produce better error messages.
  • The default log driver has been changed from file to journald. The file driver did not properly support log rotation, so this should lead to a better experience. If journald is not available on the system, Podman will automatically revert to the file driver.
  • Podman no longer depends on ip for removing networks (#11403).
  • The deprecated --macvlan flag to podman network create now warns when it is used. It will be removed entirely in the Podman 4.0 release.
  • The podman machine start command now prints a message when the VM is successfully started.
  • The podman stats command can now be used on containers that are paused.
  • The podman unshare command will now return the exit code of the command that was run in the user namespace (assuming the command was successfully run).
  • Successful healthchecks will no longer add a healthy line to the system log to reduce log spam.
  • As a temporary workaround for a lack of shortname prompts in the Podman remote client, VMs created by podman machine now default to only using the docker.io registry.

Bugfixes

  • Fixed a bug where whitespace in the definition of sysctls (particularly default sysctls specified in containers.conf) would cause them to be parsed incorrectly.
  • Fixed a bug where the Windows remote client improperly validated volume paths (#10900).
  • Fixed a bug where the first line of logs from a container run with the journald log driver could be skipped.
  • Fixed a bug where images created by podman commit did not include ports exposed by the container.
  • Fixed a bug where the podman auto-update command would ignore the io.containers.autoupdate.authfile label when pulling images (#11171).
  • Fixed a bug where the --workdir option to podman create and podman run could not be set to a directory where a volume was mounted (#11352).
  • Fixed a bug where systemd socket-activation did not properly work with systemd-managed Podman containers (#10443).
  • Fixed a bug where environment variable secrets added to a container were not available to exec sessions launched in the container.
  • Fixed a bug where rootless containers could fail to start the rootlessport port-forwarding service when XDG_RUNTIME_DIR was set to a long path.
  • Fixed a bug where arguments to the --systemd option to podman create and podman run were case-sensitive (#11387).
  • Fixed a bug where the podman manifest rm command would also remove images referenced by the manifest, not just the manifest itself (#11344).
  • Fixed a bug where the Podman remote client on OS X would not function properly if the TMPDIR environment variable was not set (#11418).
  • Fixed a bug where the /etc/hosts file was not guaranteed to contain an entry for localhost (this is still not guaranteed if --net=host is used; such containers will exactly match the host's /etc/hosts) (#11411).
  • Fixed a bug where the podman machine start command could print warnings about unsupported CPU features (#11421).
  • Fixed a bug where the podman info command could segfault when accessing cgroup information.
  • Fixed a bug where the podman logs -f command could hang when a container exited (#11461).
  • Fixed a bug where the podman generate systemd command could not be used on containers that specified a restart policy (#11438).
  • Fixed a bug where the remote Podman client's podman build command would fail to build containers if the UID and GID on the client were higher than 65536 (#11474).
  • Fixed a bug where the --network flag to podman play kube was not properly parsed when a non-bridge network configuration was specified.
  • Fixed a bug where the podman inspect command could error when the container being inspected was removed as it was being inspected (#11392).
  • Fixed a bug where the podman play kube command ignored the default pod infra image specified in containers.conf.
  • Fixed a bug where the --format option to podman inspect was nonfunctional under some circumstances (#8785).
  • Fixed a bug where the remote Podman client's podman run and podman exec commands could skip a byte of output every 8192 bytes (#11496).
  • Fixed a bug where the podman stats command would print nonsensical results if the container restarted while it was running (#11469).
  • Fixed a bug where the remote Podman client would error when STDOUT was redirected on a Windows client (#11444).
  • Fixed a bug where the podman run command could return 0 when the application in the container exited with 125 (#11540).
  • Fixed a bug where containers with --restart=always set using the rootlessport port-forwarding service could not be restarted automatically.
  • Fixed a bug where the --cgroups=split option to podman create and podman run was silently discarded if the container was part of a pod.
  • Fixed a bug where the podman container runlabel command could fail if the image name given included a tag.
  • Fixed a bug where Podman could add an extra 127.0.0.1 entry to /etc/hosts under some circumstances (#11596).
  • Fixed a bug where the remote Podman client's podman untag command did not properly handle tags including a digest (#11557).
  • Fixed a bug where the --format option to podman ps did not properly support the table argument for tabular output.
  • Fixed a bug where the --filter option to podman ps did not properly handle filtering by healthcheck status (#11687).
  • Fixed a bug where the podman run and podman start --attach commands could race when retrieving the exit code of a container that had already been removed (e.g. by an external podman rm -f), resulting in an error (#11633).
  • Fixed a bug where the podman generate kube command would add default environment variables to generated YAML.

API

  • The Libpod Pull endpoint for Images now has a new query parameter, quiet, which (when set to true) suppresses image pull progress reports (#10612).
  • The Compat Events endpoint now includes several deprecated fields from the Docker v1.21 API for improved compatibility with older clients.
  • The Compat List and Inspect endpoints for Images now prefix image IDs with sha256: for improved Docker compatibility (#11623).
  • The Compat Create endpoint for Containers now properly sets defaults for healthcheck-related fields (#11225).
  • The Compat Create endpoint for Containers now supports volume options provided by the Mounts field (#10831).
  • The Compat List endpoint for Secrets now supports a new query parameter, filter, which allows returned results to be filtered.
  • The Compat Auth endpoint now returns the correct response code (500 instead of 400) when logging into a registry fails.
  • The Version endpoint now includes information about the OCI runtime and Conmon in use (#11227).
  • Fixed a bug where the X-Registry-Config header was not properly handled, leading to errors when pulling images (#11235).
  • Fixed a bug where invalid query parameters could cause a null pointer dereference when creating error messages.
  • Logging of API requests and responses at trace level has been greatly improved, including the addition of an X-Reference-Id header to correlate requests and responses (#10053).

Misc

  • Updated Buildah to v1.23.0
  • Updated the containers/storage library to v1.36.0
  • Updated the containers/image library to v5.16.0
  • Updated the containers/common library to v0.44.0

podman - v3.4.0-RC1

Published by mheon about 3 years ago

Features

  • Pods now support init containers! Init containers are containers which run before the rest of the pod starts. There are two types of init containers: "always", which always run before the pod is started, and "once", which only run the first time the pod starts and are subsequently removed. They can be added using the podman create command's --init-ctr option.
  • Support for init containers has also been added to podman play kube and podman generate kube - init containers contained in Kubernetes YAML will be created as Podman init containers, and YAML generated by Podman will include any init containers created.
  • The podman play kube command now supports building images. If the --build option is given and a directory with the name of the specified image exists in the current working directory and contains a valid Containerfile or Dockerfile, the image will be built and used for the container.
  • The podman play kube command now supports a new option, --teardown, which removes any pods and containers created by the given Kubernetes YAML.
  • A new command has been added, podman pod logs, to return logs for all containers in a pod at the same time.
  • Two new commands have been added, podman volume export (to export a volume to a tar file) and podman volume import (to populate a volume from a given tar file).
  • The podman auto-update command now supports simple rollbacks. If a container fails to start after an automatic update, it will be rolled back to the previous image and restarted again.
  • Pods now share their user namespace by default, and the podman pod create command now supports the --userns option. This allows rootless pods to be created with the --userns=keep-id option.
  • The podman pod ps command now supports a new filter with its --filter option, until, which returns pods created before a given timestamp.
  • The podman image scp command has been added. This command allows images to be transferred between different hosts.
  • The podman stats command supports a new option, --interval, to specify the amount of time before the information is refreshed.
  • The podman inspect command now includes ports exposed (but not published) by containers (e.g. ports from --expose when --publish-all is not specified).
  • The podman inspect command now has a new boolean value, Checkpointed, which indicates that a container was stopped as a result of a podman container checkpoint operation.
  • Volumes created by podman volume create now support setting quotas when run atop XFS. The size and inode options allow the maximum size and maximum number of inodes consumed by a volume to be limited.
  • The podman info command now outputs information on what log drivers, network drivers, and volume plugins are available for use (#11265).
  • The podman info command now outputs the current log driver in use, and the variant and codename of the distribution in use.

Changes

  • The podman build command has a new alias, podman buildx, to improve compatibility with Docker. We have already added support for many docker buildx flags to podman build and aim to continue to do so.
  • Podman commands run as root now ignore XDG_RUNTIME_DIR when determining where to place temporary files, which should resolve a number of issues including #10745 and #10806.
  • Cases where Podman is run without a user session or a writable temporary files directory will now produce better error messages.
  • The default log driver has been changed from file to journald. The file driver did not properly support log rotation, so this should lead to a better experience. If journald is not available on the system, Podman will automatically revert to the file driver.
  • Podman no longer depends on ip for removing networks (#11403).
  • The deprecated --macvlan flag to podman network create now warns when it is used. It will be removed entirely in the Podman 4.0 release.
  • The podman machine start command now prints a message when the VM is successfully started.
  • The podman stats command can now be used on containers that are paused.
  • The podman unshare command will now return the exit code of the command that was run in the user namespace (assuming the command was successfully run).
  • Successful healthchecks will no longer add a healthy line to the system log to reduce log spam.
  • As a temporary workaround for a lack of shortname prompts in the Podman remote client, VMs created by podman machine now default to only using the docker.io registry.

Bugfixes

  • Fixed a bug where whitespace in the definition of sysctls (particularly default sysctls specified in containers.conf) would cause them to be parsed incorrectly.
  • Fixed a bug where the Windows remote client improperly validated volume paths (#10900).
  • Fixed a bug where the first line of logs from a container run with the journald log driver could be skipped.
  • Fixed a bug where images created by podman commit did not include ports exposed by the container.
  • Fixed a bug where the podman auto-update command would ignore the io.containers.autoupdate.authfile label when pulling images (#11171).
  • Fixed a bug where the --workdir option to podman create and podman run could not be set to a directory where a volume was mounted (#11352).
  • Fixed a bug where systemd socket-activation did not properly work with systemd-managed Podman containers (#10443).
  • Fixed a bug where environment variable secrets added to a container were not available to exec sessions launched in the container.
  • Fixed a bug where rootless containers could fail to start the rootlessport port-forwarding service when XDG_RUNTIME_DIR was set to a long path.
  • Fixed a bug where arguments to the --systemd option to podman create and podman run were case-sensitive (#11387).
  • Fixed a bug where the podman manifest rm command would also remove images referenced by the manifest, not just the manifest itself (#11344).
  • Fixed a bug where the Podman remote client on OS X would not function properly if the TMPDIR environment variable was not set (#11418).
  • Fixed a bug where the /etc/hosts file was not guaranteed to contain an entry for localhost (this is still not guaranteed if --net=host is used; such containers will exactly match the host's /etc/hosts) (#11411).
  • Fixed a bug where the podman machine start command could print warnings about unsupported CPU features (#11421).
  • Fixed a bug where the podman info command could segfault when accessing cgroup information.
  • Fixed a bug where the podman logs -f command could hang when a container exited (#11461).
  • Fixed a bug where the podman generate systemd command could not be used on containers that specified a restart policy (#11438).
  • Fixed a bug where the remote Podman client's podman build command would fail to build containers if the UID and GID on the client were higher than 65536 (#11474).
  • Fixed a bug where the --network flag to podman play kube was not properly parsed when a non-bridge network configuration was specified.
  • Fixed a bug where the podman inspect command could error when the container being inspected was removed as it was being inspected (#11392).
  • Fixed a bug where the podman play kube command ignored the default pod infra image specified in containers.conf.
  • Fixed a bug where the --format option to podman inspect was nonfunctional under some circumstances (#8785).
  • Fixed a bug where the remote Podman client's podman run and podman exec commands could skip a byte of output every 8192 bytes (#11496).
  • Fixed a bug where the podman stats command would print nonsensical results if the container restarted while it was running (#11469).
  • Fixed a bug where the remote Podman client would error when STDOUT was redirected on a Windows client (#11444).
  • Fixed a bug where the podman run command could return 0 when the application in the container exited with 125 (#11540).
  • Fixed a bug where containers with --restart=always set using the rootlessport port-forwarding service could not be restarted automatically.
  • Fixed a bug where the --cgroups=split option to podman create and podman run was silently discarded if the container was part of a pod.

API

  • The Libpod Pull endpoint for Images now has a new query parameter, quiet, which (when set to true) suppresses image pull progress reports (#10612).
  • The Compat Events endpoint now includes several deprecated fields from the Docker v1.21 API for improved compatibility with older clients.
  • The Compat Create endpoint for Containers now properly sets defaults for healthcheck-related fields (#11225).
  • The Compat Create endpoint for Containers now supports volume options provided by the Mounts field (#10831).
  • The Compat List endpoint for Secrets now supports a new query parameter, filter, which allows returned results to be filtered.
  • The Version endpoint now includes information about the OCI runtime and Conmon in use (#11227).
  • Fixed a bug where the X-Registry-Config header was not properly handled, leading to errors when pulling images (#11235).
  • Fixed a bug where invalid query parameters could cause a null pointer dereference when creating error messages.
  • Logging of API requests and responses at trace level has been greatly improved, including the addition of an X-Reference-Id header to correlate requests and responses (#10053).

Misc

  • Updated Buildah to v1.23.0
  • Updated the containers/storage library to v1.36.0
  • Updated the containers/image library to v5.16.0
  • Updated the containers/common library to v0.44.0

podman - v3.3.1

Published by mheon about 3 years ago

Bugfixes

  • Fixed a bug where unit files created by podman generate systemd could not clean up shut down containers when stopped by systemctl stop (#11304).
  • Fixed a bug where podman machine commands would not properly locate the gvproxy binary in some circumstances.
  • Fixed a bug where containers created as part of a pod using the --pod-id-file option would not join the pod's network namespace (#11303).
  • Fixed a bug where Podman, when using the systemd cgroups driver, could sometimes leak dbus sessions.
  • Fixed a bug where the until filter to podman logs and podman events was improperly handled, requiring input to be negated (#11158).
  • Fixed a bug where rootless containers using CNI networking run on systems using systemd-resolved for DNS would fail to start if resolved symlinked /etc/resolv.conf to an absolute path (#11358).

API

  • A large number of potential file descriptor leaks from improperly closing client connections have been fixed.

podman - v3.3.0

Published by mheon about 3 years ago

Features

  • Containers inside VMs created by podman machine will now automatically handle port forwarding - containers in podman machine VMs that publish ports via --publish or --publish-all will have these ports not just forwarded on the VM, but also on the host system.
  • The podman play kube command's --network option now accepts advanced network options (e.g. --network slirp4netns:port_handler=slirp4netns) (#10807).
  • The podman play kube command now supports Kubernetes liveness probes, which will be created as Podman healthchecks.
  • Podman now provides a systemd unit, podman-restart.service, which, when enabled, will restart all containers that were started with --restart=always after the system reboots.
  • Rootless Podman can now be configured to use CNI networking by default by using the rootless_networking option in containers.conf.
  • Images can now be pulled using image:tag@digest syntax (e.g. podman pull fedora:34@sha256:1b0d4ddd99b1a8c8a80e885aafe6034c95f266da44ead992aab388e6aa91611a) (#6721).
  • The podman container checkpoint and podman container restore commands can now be used to checkpoint containers that are in pods, and restore those containers into pods.
  • The podman container restore command now features a new option, --publish, to change the ports that are forwarded to a container that is being restored from an exported checkpoint.
  • The podman container checkpoint command now features a new option, --compress, to specify the compression algorithm that will be used on the generated checkpoint.
  • The podman pull command can now pull multiple images at once (e.g. podman pull fedora:34 ubi8:latest will pull both specified images).
  • The podman cp command can now copy files from one container into another directly (e.g. podman cp containera:/etc/hosts containerb:/etc/) (#7370).
  • The podman cp command now supports a new option, --archive, which controls whether copied files will be chown'd to the UID and GID of the user of the destination container.
  • The podman stats command now provides two additional metrics: Average CPU, and CPU time.
  • The podman pod create command supports a new flag, --pid, to specify the PID namespace of the pod. If specified, containers that join the pod will automatically share its PID namespace.
  • The podman pod create command supports a new flag, --infra-name, which allows the name of the pod's infra container to be set (#10794).
  • The podman auto-update command has had its output reformatted - it is now much clearer what images were pulled and what containers were updated.
  • The podman auto-update command now supports a new option, --dry-run, which reports what would be updated but does not actually perform the update (#9949).
  • The podman build command now supports a new option, --secret, to mount secrets into build containers.
  • The podman manifest remove command now has a new alias, podman manifest rm.
  • The podman login command now supports a new option, --verbose, to print detailed information about where the credentials entered were stored.
  • The podman events command now supports a new event, exec_died, which is produced when an exec session exits, and includes the exit code of the exec session.
  • The podman system connection add command now supports adding connections that connect using the tcp:// and unix:// URL schemes.
  • The podman system connection list command now supports a new flag, --format, to determine how the output is printed.
  • The podman volume prune and podman volume ls commands' --filter option now supports a new filter, until, that matches volumes created before a certain time (#10579).
  • The podman ps --filter option's network filter now accepts a new value: container:, which matches containers that share a network namespace with a specific container (#10361).
  • The podman diff command can now accept two arguments, allowing two images or two containers to be specified; the diff between the two will be printed (#10649).
  • Podman can now optionally copy-up content from containers into volumes mounted into those containers earlier (at creation time, instead of at runtime) via the prepare_on_create option in containers.conf (#10262).
  • A new option, --gpus, has been added to podman create and podman run as a no-op for better compatibility with Docker. If the nvidia-container-runtime package is installed, GPUs should be automatically added to containers without using the flag.
  • If an invalid subcommand is provided, similar commands to try will now be suggested in the error message.

Changes

  • The podman system reset command now removes non-Podman (e.g. Buildah and CRI-O) containers as well.
  • The new port forwarding offered by podman machine requires gvproxy in order to function.
  • Podman will now automatically create the default CNI network if it does not exist, for both root and rootless users. This will only be done once per user - if the network is subsequently removed, it will not be recreated.
  • The install.cni makefile option has been removed. It is no longer required to distribute the default 87-podman.conflist CNI configuration file, as Podman will now automatically create it.
  • The --root option to Podman will not automatically clear all default storage options when set. Storage options can be set manually using --storage-opt (#10393).
  • The output of podman system connection list is now deterministic, with connections being sorted alphabetically by their name.
  • The auto-update service (podman-auto-update.service) has had its default timer adjusted so it now starts at a random time up to 15 minutes after midnight, to help prevent system congestion from numerous daily services run at once.
  • Systemd unit files generated by podman generate systemd now depend on network-online.target by default (#10655).
  • Systemd unit files generated by podman generate systemd now use Type=notify by default, instead of using PID files.
  • The podman info command's logic for detecting package versions on Gentoo has been improved, and should be significantly faster.

Bugfixes

  • Fixed a bug where the podman play kube command did not perform SELinux relabelling of volumes specified with a mountPath that included the :z or :Z options (#9371).
  • Fixed a bug where the podman play kube command would ignore the USER and EXPOSE directives in images (#9609).
  • Fixed a bug where the podman play kube command would only accept lowercase pull policies.
  • Fixed a bug where named volumes mounted into containers with the :z or :Z options were not appropriately relabelled for access from the container (#10273).
  • Fixed a bug where the podman logs -f command, with the journald log driver, could sometimes fail to pick up the last line of output from a container (#10323).
  • Fixed a bug where running podman rm on a container created with the --rm option would occasionally emit an error message saying the container failed to be removed, when it was successfully removed.
  • Fixed a bug where starting a Podman container would segfault if the LISTEN_PID and LISTEN_FDS environment variables were set, but LISTEN_FDNAMES was not (#10435).
  • Fixed a bug where exec sessions in containers were sometimes not cleaned up when run without -d and when the associated podman exec process was killed before completion.
  • Fixed a bug where podman system service could, when run in a systemd unit file with sdnotify in use, drop some connections when it was starting up.
  • Fixed a bug where containers run using the REST API using the slirp4netns network mode would leave zombie processes that were not cleaned up until podman system service exited (#9777).
  • Fixed a bug where the podman system service command would leave zombie processes after its initial launch that were not cleaned up until it exited (#10575).
  • Fixed a bug where VMs created by podman machine could not be started after the host system restarted (#10824).
  • Fixed a bug where the podman pod ps command would not show headers for optional information (e.g. container names when the --ctr-names option was given).
  • Fixed a bug where the remote Podman client's podman create and podman run commands would ignore timezone configuration from the server's containers.conf file (#11124).
  • Fixed a bug where the remote Podman client's podman build command would only respect .containerignore and not .dockerignore files (when both are present, .containerignore will be preferred) (#10907).
  • Fixed a bug where the remote Podman client's podman build command would fail to send the Dockerfile being built to the server when it was excluded by the .dockerignore file, resulting in an error (#9867).
  • Fixed a bug where the remote Podman client's podman build command could unexpectedly stop streaming the output of the build (#10154).
  • Fixed a bug where the remote Podman client's podman build command would fail to build when run on Windows (#11259).
  • Fixed a bug where the podman manifest create command accepted at most two arguments (an arbitrary number of images are allowed as arguments, which will be added to the manifest).
  • Fixed a bug where named volumes would not be properly chowned to the UID and GID of the directory they were mounted over when first mounted into a container (#10776).
  • Fixed a bug where named volumes created using a volume plugin would be removed from Podman, even if the plugin reported a failure to remove the volume (#11214).
  • Fixed a bug where the remote Podman client's podman exec -i command would hang when input was provided via shell redirection (e.g. podman --remote exec -i foo cat <<<"hello") (#7360).
  • Fixed a bug where containers created with --rm were not immediately removed after being started by podman start if they failed to start (#10935).
  • Fixed a bug where the --storage-opt flag to podman create and podman run was nonfunctional (#10264).
  • Fixed a bug where the --device-cgroup-rule option to podman create and podman run was nonfunctional (#10302).
  • Fixed a bug where the --tls-verify option to podman manifest push was nonfunctional.
  • Fixed a bug where the podman import command could, in some circumstances, produce empty images (#10994).
  • Fixed a bug where images pulled using the docker-daemon: transport had the wrong registry (localhost instead of docker.io/library) (#10998).
  • Fixed a bug where operations that pruned images (podman image prune and podman system prune) would prune untagged images with children (#10832).
  • Fixed a bug where dual-stack networks created by podman network create did not properly auto-assign an IPv4 subnet when one was not explicitly specified (#11032).
  • Fixed a bug where port forwarding using the rootlessport port forwarder would break when a network was disconnected and then reconnected (#10052).
  • Fixed a bug where Podman would ignore user-specified SELinux policies for containers using the Kata OCI runtime, or containers using systemd as PID 1 (#11100).
  • Fixed a bug where Podman containers created using --net=host would add an entry to /etc/hosts for the container's hostname pointing to 127.0.1.1 (#10319).
  • Fixed a bug where the podman unpause --all command would throw an error for every container that was not paused (#11098).
  • Fixed a bug where timestamps for the since and until filters using Unix timestamps with a nanoseconds portion could not be parsed (#11131).
  • Fixed a bug where the podman info command would sometimes print the wrong path for the slirp4netns binary.
  • Fixed a bug where rootless Podman containers joined to a CNI network would not have functional DNS when the host used systemd-resolved without the resolved stub resolver being enabled (#11222).
  • Fixed a bug where podman network connect and podman network disconnect of rootless containers could sometimes break port forwarding to the container (#11248).
  • Fixed a bug where joining a container to a CNI network by ID and adding network aliases to this network would cause the container to fail to start (#11285).

API

  • Fixed a bug where the Compat List endpoint for Containers included healthcheck information for all containers, even those that did not have a configured healthcheck.
  • Fixed a bug where the Compat Create endpoint for Containers would fail to create containers with the NetworkMode parameter set to default (#10569).
  • Fixed a bug where the Compat Create endpoint for Containers did not properly handle healthcheck commands (#10617).
  • Fixed a bug where the Compat Wait endpoint for Containers would always send an empty string error message when no error occurred.
  • Fixed a bug where the Libpod Stats endpoint for Containers would not error when run on rootless containers on cgroups v1 systems (nonsensical results would be returned, as this configuration cannot be supported).
  • Fixed a bug where the Compat List endpoint for Images omitted the ContainerConfig field (#10795).
  • Fixed a bug where the Compat Build endpoint for Images was too strict when validating the Content-Type header, rejecting content that Docker would have accepted (#11022).
  • Fixed a bug where the Compat Pull endpoint for Images could fail, but return a 200 status code, if an image name that could not be parsed was provided.
  • Fixed a bug where the Compat Pull endpoint for Images would continue to pull images after the client disconnected.
  • Fixed a bug where the Compat List endpoint for Networks would fail for non-bridge (e.g. macvlan) networks (#10266).
  • Fixed a bug where the Libpod List endpoint for Networks would return nil, instead of an empty list, when no networks were present (#10495).
  • The Compat and Libpod Logs endpoints for Containers now support the until query parameter (#10859).
  • The Compat Import endpoint for Images now supports the platform, message, and repo query parameters.
  • The Compat Pull endpoint for Images now supports the platform query parameter.

Misc

  • Updated Buildah to v1.22.3
  • Updated the containers/storage library to v1.34.1
  • Updated the containers/image library to v5.15.2
  • Updated the containers/common library to v0.42.1

podman - v3.3.0-RC3

Published by mheon about 3 years ago

This is the third release candidate of Podman v3.3.0

Preliminary release notes follow:

Features

  • Containers inside VMs created by podman machine will now automatically handle port forwarding - containers in podman machine VMs that publish ports via --publish or --publish-all will have these ports not just forwarded on the VM, but also on the host system.
  • The podman play kube command's --network option now accepts advanced network options (e.g. --network slirp4netns:port_handler=slirp4netns) (#10807).
  • The podman play kube command now supports Kubernetes liveness probes, which will be created as Podman healthchecks.
  • Podman now provides a systemd unit, podman-restart.service, which, when enabled, will restart all containers that were started with --restart=always after the system reboots.
  • Rootless Podman can now be configured to use CNI networking by default by using the rootless_networking option in containers.conf.
  • Images can now be pulled using image:tag@digest syntax (e.g. podman pull fedora:34@sha256:1b0d4ddd99b1a8c8a80e885aafe6034c95f266da44ead992aab388e6aa91611a) (#6721).
  • The podman container checkpoint and podman container restore commands can now be used to checkpoint containers that are in pods, and restore those containers into pods.
  • The podman container restore command now features a new option, --publish, to change the ports that are forwarded to a container that is being restored from an exported checkpoint.
  • The podman container checkpoint command now features a new option, --compress, to specify the compression algorithm that will be used on the generated checkpoint.
  • The podman pull command can now pull multiple images at once (e.g. podman pull fedora:34 ubi8:latest will pull both specified images).
  • The podman cp command can now copy files from one container into another directly (e.g. podman cp containera:/etc/hosts containerb:/etc/) (#7370).
  • The podman cp command now supports a new option, --archive, which controls whether copied files will be chown'd to the UID and GID of the user of the destination container.
  • The podman stats command now provides two additional metrics: Average CPU, and CPU time.
  • The podman pod create command supports a new flag, --pid, to specify the PID namespace of the pod. If specified, containers that join the pod will automatically share its PID namespace.
  • The podman pod create command supports a new flag, --infra-name, which allows the name of the pod's infra container to be set (#10794).
  • The podman auto-update command has had its output reformatted - it is now much clearer what images were pulled and what containers were updated.
  • The podman auto-update command now supports a new option, --dry-run, which reports what would be updated but does not actually perform the update (#9949).
  • The podman build command now supports a new option, --secret, to mount secrets into build containers.
  • The podman manifest remove command now has a new alias, podman manifest rm.
  • The podman login command now supports a new option, --verbose, to print detailed information about where the credentials entered were stored.
  • The podman events command now supports a new event, exec_died, which is produced when an exec session exits, and includes the exit code of the exec session.
  • The podman system connection add command now supports adding connections that connect using the tcp:// and unix:// URL schemes.
  • The podman system connection list command now supports a new flag, --format, to determine how the output is printed.
  • The podman volume prune and podman volume ls commands' --filter option now supports a new filter, until, that matches volumes created before a certain time (#10579).
  • The podman ps --filter option's network filter now accepts a new value: container:, which matches containers that share a network namespace with a specific container (#10361).
  • The podman diff command can now accept two arguments, allowing two images or two containers to be specified; the diff between the two will be printed (#10649).
  • Podman can now optionally copy-up content from containers into volumes mounted into those containers earlier (at creation time, instead of at runtime) via the prepare_on_create option in containers.conf (#10262).
  • A new option, --gpus, has been added to podman create and podman run as a no-op for better compatibility with Docker. If the nvidia-container-runtime package is installed, GPUs should be automatically added to containers without using the flag.
  • If an invalid subcommand is provided, similar commands to try will now be suggested in the error message.

Changes

  • The podman system reset command now removes non-Podman (e.g. Buildah and CRI-O) containers as well.
  • The new port forwarding offered by podman machine requires gvproxy in order to function.
  • Podman will now automatically create the default CNI network if it does not exist, for both root and rootless users. This will only be done once per user - if the network is subsequently removed, it will not be recreated.
  • The install.cni makefile option has been removed. It is no longer required to distribute the default 87-podman.conflist CNI configuration file, as Podman will now automatically create it.
  • The --root option to Podman will not automatically clear all default storage options when set. Storage options can be set manually using --storage-opt (#10393).
  • The output of podman system connection list is now deterministic, with connections being sorted alphabetically by their name.
  • The auto-update service (podman-auto-update.service) has had its default timer adjusted so it now starts at a random time up to 15 minutes after midnight, to help prevent system congestion from numerous daily services run at once.
  • Systemd unit files generated by podman generate systemd now depend on network-online.target by default (#10655).
  • The podman info command's logic for detecting package versions on Gentoo has been improved, and should be significantly faster.

Bugfixes

  • Fixed a bug where the podman play kube command did not perform SELinux relabelling of volumes specified with a mountPath that included the :z or :Z options (#9371).
  • Fixed a bug where the podman play kube command would ignore the USER and EXPOSE directives in images (#9609).
  • Fixed a bug where the podman play kube command would only accept lowercase pull policies.
  • Fixed a bug where named volumes mounted into containers with the :z or :Z options were not appropriately relabelled for access from the container (#10273).
  • Fixed a bug where the podman logs -f command, with the journald log driver, could sometimes fail to pick up the last line of output from a container (#10323).
  • Fixed a bug where running podman rm on a container created with the --rm option would occasionally emit an error message saying the container failed to be removed, when it was successfully removed.
  • Fixed a bug where starting a Podman container would segfault if the LISTEN_PID and LISTEN_FDS environment variables were set, but LISTEN_FDNAMES was not (#10435).
  • Fixed a bug where exec sessions in containers were sometimes not cleaned up when run without -d and when the associated podman exec process was killed before completion.
  • Fixed a bug where podman system service could, when run in a systemd unit file with sdnotify in use, drop some connections when it was starting up.
  • Fixed a bug where containers run using the REST API using the slirp4netns network mode would leave zombie processes that were not cleaned up until podman system service exited (#9777).
  • Fixed a bug where the podman system service command would leave zombie processes after its initial launch that were not cleaned up until it exited (#10575).
  • Fixed a bug where VMs created by podman machine could not be started after the host system restarted (#10824).
  • Fixed a bug where the podman pod ps command would not show headers for optional information (e.g. container names when the --ctr-names option was given).
  • Fixed a bug where the remote Podman client's podman create and podman run commands would ignore timezone configuration from the server's containers.conf file (#11124).
  • Fixed a bug where the remote Podman client's podman build command would only respect .containerignore and not .dockerignore files (when both are present, .containerignore will be preferred) (#10907).
  • Fixed a bug where the remote Podman client's podman build command would fail to send the Dockerfile being built to the server when it was excluded by the .dockerignore file, resulting in an error (#9867).
  • Fixed a bug where the remote Podman client's podman build command could unexpectedly stop streaming the output of the build (#10154).
  • Fixed a bug where the podman manifest create command accepted at most two arguments (an arbitrary number of images are allowed as arguments, which will be added to the manifest).
  • Fixed a bug where named volumes would not be properly chowned to the UID and GID of the directory they were mounted over when first mounted into a container (#10776).
  • Fixed a bug where the remote Podman client's podman exec -i command would hang when input was provided via shell redirection (e.g. podman --remote exec -i foo cat <<<"hello") (#7360).
  • Fixed a bug where containers created with --rm were not immediately removed after being started by podman start if they failed to start (#10935).
  • Fixed a bug where the --storage-opt flag to podman create and podman run was nonfunctional (#10264).
  • Fixed a bug where the --device-cgroup-rule option to podman create and podman run was nonfunctional (#10302).
  • Fixed a bug where the --tls-verify option to podman manifest push was nonfunctional.
  • Fixed a bug where the podman import command could, in some circumstances, produce empty images (#10994).
  • Fixed a bug where images pulled using the docker-daemon: transport had the wrong registry (localhost instead of docker.io/library) (#10998).
  • Fixed a bug where operations that pruned images (podman image prune and podman system prune) would prune untagged images with children (#10832).
  • Fixed a bug where dual-stack networks created by podman network create did not properly auto-assign an IPv4 subnet when one was not explicitly specified (#11032).
  • Fixed a bug where port forwarding using the rootlessport port forwarder would break when a network was disconnected and then reconnected (#10052).
  • Fixed a bug where Podman would ignore user-specified SELinux policies for containers using the Kata OCI runtime, or containers using systemd as PID 1 (#11100).
  • Fixed a bug where Podman containers created using --net=host would add an entry to /etc/hosts for the container's hostname pointing to 127.0.1.1 (#10319).
  • Fixed a bug where the podman unpause --all command would throw an error for every container that was not paused (#11098).
  • Fixed a bug where timestamps for the since and until filters using Unix timestamps with a nanoseconds portion could not be parsed (#11131).
  • Fixed a bug where the podman info command would sometimes print the wrong path for the slirp4netns binary.

API

  • Fixed a bug where the Compat List endpoint for Containers included healthcheck information for all containers, even those that did not have a configured healthcheck.
  • Fixed a bug where the Compat Create endpoint for Containers would fail to create containers with the NetworkMode parameter set to default (#10569).
  • Fixed a bug where the Compat Create endpoint for Containers did not properly handle healthcheck commands (#10617).
  • Fixed a bug where the Compat Wait endpoint for Containers would always send an empty string error message when no error occurred.
  • Fixed a bug where the Libpod Stats endpoint for Containers would not error when run on rootless containers on cgroups v1 systems (nonsensical results would be returned, as this configuration cannot be supported).
  • Fixed a bug where the Compat List endpoint for Images omitted the ContainerConfig field (#10795).
  • Fixed a bug where the Compat Pull endpoint for Images could fail, but return a 200 status code, if an image name that could not be parsed was provided.
  • Fixed a bug where the Compat Pull endpoint for Images would continue to pull images after the client disconnected.
  • Fixed a bug where the Compat List endpoint for Networks would fail for non-bridge (e.g. macvlan) networks (#10266).
  • Fixed a bug where the Libpod List endpoint for Networks would return nil, instead of an empty list, when no networks were present (#10495).
  • The Compat and Libpod Logs endpoints for Containers now support the until query parameter (#10859).
  • The Compat Import endpoint for Images now supports the platform, message, and repo query parameters.
  • The Compat Pull endpoint for Images now supports the platform query parameter.

Misc

  • Updated Buildah to v1.22.0
  • Updated the containers/storage library to v1.34.1
  • Updated the containers/image library to v5.15.1
  • Updated the containers/common library to v0.42.1

podman - v3.3.0-RC2

Published by lsm5 about 3 years ago

Features

  • Containers inside VMs created by podman machine will now automatically handle port forwarding - containers in podman machine VMs that publish ports via --publish or --publish-all will have these ports not just forwarded on the VM, but also on the host system.
  • The podman play kube command's --network option now accepts advanced network options (e.g. --network slirp4netns:port_handler=slirp4netns) (#10807).
  • The podman play kube command now supports Kubernetes liveness probes, which will be created as Podman healthchecks.
  • Podman now provides a systemd unit, podman-restart.service, which, when enabled, will restart all containers that were started with --restart=always after the system reboots.
  • Rootless Podman can now be configured to use CNI networking by default by using the rootless_networking option in containers.conf.
  • Images can now be pulled using image:tag@digest syntax (e.g. podman pull fedora:34@sha256:1b0d4ddd99b1a8c8a80e885aafe6034c95f266da44ead992aab388e6aa91611a) (#6721).
  • The podman container checkpoint and podman container restore commands can now be used to checkpoint containers that are in pods, and restore those containers into pods.
  • The podman container restore command now features a new option, --publish, to change the ports that are forwarded to a container that is being restored from an exported checkpoint.
  • The podman container checkpoint command now features a new option, --compress, to specify the compression algorithm that will be used on the generated checkpoint.
  • The podman pull command can now pull multiple images at once (e.g. podman pull fedora:34 ubi8:latest will pull both specified images).
  • The podman cp command can now copy files from one container into another directly (e.g. podman cp containera:/etc/hosts containerb:/etc/) (#7370).
  • The podman cp command now supports a new option, --archive, which controls whether copied files will be chown'd to the UID and GID of the user of the destination container.
  • The podman stats command now provides two additional metrics: Average CPU, and CPU time.
  • The podman pod create command supports a new flag, --pid, to specify the PID namespace of the pod. If specified, containers that join the pod will automatically share its PID namespace.
  • The podman pod create command supports a new flag, --infra-name, which allows the name of the pod's infra container to be set (#10794).
  • The podman auto-update command has had its output reformatted - it is now much clearer what images were pulled and what containers were updated.
  • The podman auto-update command now supports a new option, --dry-run, which reports what would be updated but does not actually perform the update (#9949).
  • The podman build command now supports a new option, --secret, to mount secrets into build containers.
  • The podman manifest remove command now has a new alias, podman manifest rm.
  • The podman login command now supports a new option, --verbose, to print detailed information about where the credentials entered were stored.
  • The podman events command now supports a new event, exec_died, which is produced when an exec session exits, and includes the exit code of the exec session.
  • The podman system connection add command now supports adding connections that connect using the tcp:// and unix:// URL schemes.
  • The podman system connection list command now supports a new flag, --format, to determine how the output is printed.
  • The podman volume prune and podman volume ls commands' --filter option now support a new filter, until, that matches volumes created before a certain time (#10579).
  • The podman ps --filter option's network filter now accepts a new value: container:, which matches containers that share a network namespace with a specific container (#10361).
  • The podman diff command can now accept two arguments, allowing two images or two containers to be specified; the diff between the two will be printed (#10649).
  • Podman can now optionally copy-up content from containers into volumes mounted into those containers earlier (at creation time, instead of at runtime) via the prepare_on_create option in containers.conf (#10262).
  • A new option, --gpus, has been added to podman create and podman run as a no-op for better compatibility with Docker. If the nvidia-container-runtime package is installed, GPUs should be automatically added to containers without using the flag.
  • If an invalid subcommand is provided, similar commands to try will now be suggested in the error message.

Changes

  • The podman system reset command now removes non-Podman (e.g. Buildah and CRI-O) containers as well.
  • The new port forwarding offered by podman machine requires gvproxy in order to function.
  • Podman will now automatically create the default CNI network if it does not exist, for both root and rootless users. This will only be done once per user - if the network is subsequently removed, it will not be recreated.
  • The install.cni makefile option has been removed. It is no longer required to distribute the default 87-podman.conflist CNI configuration file, as Podman will now automatically create it.
  • The --root option to Podman will not automatically clear all default storage options when set. Storage options can be set manually using --storage-opt (#10393).
  • The output of podman system connection list is now deterministic, with connections being sorted alphabetically by their name.
  • The auto-update service (podman-auto-update.service) has had its default timer adjusted so it now starts at a random time up to 15 minutes after midnight, to help prevent system congestion from numerous daily services run at once.
  • Systemd unit files generated by podman generate systemd now depend on network-online.target by default (#10655).
  • The podman info command's logic for detecting package versions on Gentoo has been improved, and should be significantly faster.

Bugfixes

  • Fixed a bug where the podman play kube command did not perform SELinux relabelling of volumes specified with a mountPath that included the :z or :Z options (#9371).
  • Fixed a bug where the podman play kube command would ignore the USER and EXPOSE directives in images (#9609).
  • Fixed a bug where the podman play kube command would only accept lowercase pull policies.
  • Fixed a bug where named volumes mounted into containers with the :z or :Z options were not appropriately relabelled for access from the container (#10273).
  • Fixed a bug where the podman logs -f command, with the journald log driver, could sometimes fail to pick up the last line of output from a container (#10323).
  • Fixed a bug where running podman rm on a container created with the --rm option would occasionally emit an error message saying the container failed to be removed, when it was successfully removed.
  • Fixed a bug where starting a Podman container would segfault if the LISTEN_PID and LISTEN_FDS environment variables were set, but LISTEN_FDNAMES was not (#10435).
  • Fixed a bug where exec sessions in containers were sometimes not cleaned up when run without -d and when the associated podman exec process was killed before completion.
  • Fixed a bug where podman system service could, when run in a systemd unit file with sdnotify in use, drop some connections when it was starting up.
  • Fixed a bug where containers run using the REST API using the slirp4netns network mode would leave zombie processes that were not cleaned up until podman system service exited (#9777).
  • Fixed a bug where the podman system service command would leave zombie processes after its initial launch that were not cleaned up until it exited (#10575).
  • Fixed a bug where VMs created by podman machine could not be started after the host system restarted (#10824).
  • Fixed a bug where the podman pod ps command would not show headers for optional information (e.g. container names when the --ctr-names option was given).
  • Fixed a bug where the remote Podman client's podman create and podman run commands would ignore timezone configuration from the server's containers.conf file (#11124).
  • Fixed a bug where the remote Podman client's podman build command would only respect .containerignore and not .dockerignore files (when both are present, .containerignore will be preferred) (#10907).
  • Fixed a bug where the remote Podman client's podman build command would fail to send the Dockerfile being built to the server when it was excluded by the .dockerignore file, resulting in an error (#9867).
  • Fixed a bug where the remote Podman client's podman build command could unexpectedly stop streaming the output of the build (#10154).
  • Fixed a bug where the podman manifest create command accepted at most two arguments (an arbitrary number of images are allowed as arguments, which will be added to the manifest).
  • Fixed a bug where named volumes would not be properly chowned to the UID and GID of the directory they were mounted over when first mounted into a container (#10776).
  • Fixed a bug where the remote Podman client's podman exec -i command would hang when input was provided via shell redirection (e.g. podman --remote exec -i foo cat <<<"hello") (#7360).
  • Fixed a bug where containers created with --rm were not immediately removed after being started by podman start if they failed to start (#10935).
  • Fixed a bug where the --storage-opt flag to podman create and podman run was nonfunctional (#10264).
  • Fixed a bug where the --device-cgroup-rule option to podman create and podman run was nonfunctional (#10302).
  • Fixed a bug where the --tls-verify option to podman manifest push was nonfunctional.
  • Fixed a bug where the podman import command could, in some circumstances, produce empty images (#10994).
  • Fixed a bug where images pulled using the docker-daemon: transport had the wrong registry (localhost instead of docker.io/library) (#10998).
  • Fixed a bug where operations that pruned images (podman image prune and podman system prune) would prune untagged images with children (#10832).
  • Fixed a bug where dual-stack networks created by podman network create did not properly auto-assign an IPv4 subnet when one was not explicitly specified (#11032).
  • Fixed a bug where port forwarding using the rootlessport port forwarder would break when a network was disconnected and then reconnected (#10052).
  • Fixed a bug where Podman would ignore user-specified SELinux policies for containers using the Kata OCI runtime, or containers using systemd as PID 1 (#11100).
  • Fixed a bug where Podman containers created using --net=host would add an entry to /etc/hosts for the container's hostname pointing to 127.0.1.1 (#10319).
  • Fixed a bug where the podman unpause --all command would throw an error for every container that was not paused (#11098).
  • Fixed a bug where timestamps for the since and until filters using Unix timestamps with a nanoseconds portion could not be parsed (#11131).
  • Fixed a bug where the podman info command would sometimes print the wrong path for the slirp4netns binary.

API

  • Fixed a bug where the Compat List endpoint for Containers included healthcheck information for all containers, even those that did not have a configured healthcheck.
  • Fixed a bug where the Compat Create endpoint for Containers would fail to create containers with the NetworkMode parameter set to default (#10569).
  • Fixed a bug where the Compat Create endpoint for Containers did not properly handle healthcheck commands (#10617).
  • Fixed a bug where the Compat Wait endpoint for Containers would always send an empty string error message when no error occurred.
  • Fixed a bug where the Libpod Stats endpoint for Containers would not error when run on rootless containers on cgroups v1 systems (nonsensical results would be returned, as this configuration cannot be supported).
  • Fixed a bug where the Compat List endpoint for Images omitted the ContainerConfig field (#10795).
  • Fixed a bug where the Compat Pull endpoint for Images could fail, but return a 200 status code, if an image name that could not be parsed was provided.
  • Fixed a bug where the Compat Pull endpoint for Images would continue to pull images after the client disconnected.
  • Fixed a bug where the Compat List endpoint for Networks would fail for non-bridge (e.g. macvlan) networks (#10266).
  • Fixed a bug where the Libpod List endpoint for Networks would return nil, instead of an empty list, when no networks were present (#10495).
  • The Compat and Libpod Logs endpoints for Containers now support the until query parameter (#10859).
  • The Compat Import endpoint for Images now supports the platform, message, and repo query parameters.
  • The Compat Pull endpoint for Images now supports the platform query parameter.

Misc

  • Updated Buildah to v1.22.0
  • Updated the containers/storage library to v1.33.1
  • Updated the containers/image library to v5.15.0
  • Updated the containers/common library to v0.42.1

podman - v3.2.3

Published by ashley-cui over 3 years ago

Security

  • This release addresses CVE-2021-3602, an issue with the podman build command with the --isolation chroot flag that results in environment variables from the host leaking into build containers.

Bugfixes

  • Fixed a bug where events related to images could occur before the relevant operation had completed (e.g. an image pull event could be written before the pull was finished) (#10812).
  • Fixed a bug where podman save would refuse to save images with an architecture different from that of the host (#10835).
  • Fixed a bug where the podman import command did not correctly handle images without tags (#10854).
  • Fixed a bug where Podman's journald events backend would fail and prevent Podman from running when run on a host with systemd as PID1 but in an environment (e.g. a container) without systemd (#10863).
  • Fixed a bug where containers using rootless CNI networking would fail to start when the dnsname CNI plugin was in use and the host system's /etc/resolv.conf was a symlink (#10855 and #10929).
  • Fixed a bug where containers using rootless CNI networking could fail to start due to a race in rootless CNI initialization (#10930).

Misc

  • Updated Buildah to v1.21.3
  • Updated the containers/common library to v0.38.16

podman - v3.2.2

Published by mheon over 3 years ago

Changes

  • Podman's handling of the Architecture field of images has been relaxed. Since 3.2.0, Podman required that the architecture of the image match the architecture of the system to run containers based on an image, but images often incorrectly report architecture, causing Podman to reject valid images (#10648 and #10682).
  • Podman no longer uses inotify to monitor for changes to CNI configurations. This removes potential issues where Podman cannot be run because a user has exhausted their available inotify sessions (#10686).

Bugfixes

  • Fixed a bug where the podman cp command would, when given a directory as its source and a target that existed and was a file, copy the contents of the directory into the parent directory of the file; this now results in an error.
  • Fixed a bug where the podman logs command would, when following a running container's logs, not include the last line of output from the container when it exited when the k8s-file driver was in use (#10675).
  • Fixed a bug where Podman would fail to run containers if systemd-resolved was incorrectly detected as the system's DNS server (#10733).
  • Fixed a bug where the podman exec -t command would only resize the exec session's TTY after the session started, leading to a race condition where the terminal would initially not have a size set (#10560).
  • Fixed a bug where Podman containers using the slirp4netns network mode would add an incorrect entry to /etc/hosts pointing the container's hostname to the wrong IP address.
  • Fixed a bug where Podman would create volumes specified by images with incorrect permissions (#10188 and #10606).
  • Fixed a bug where Podman would not respect the uid and gid options to podman volume create -o (#10620).
  • Fixed a bug where the podman run command could panic when parsing the system's cgroup configuration (#10666).
  • Fixed a bug where the remote Podman client's podman build -f - ... command did not read a Containerfile from STDIN (#10621).
  • Fixed a bug where the podman container restore --import command would fail to restore checkpoints created from privileged containers (#10615).
  • Fixed a bug where Podman was not respecting the TMPDIR environment variable when pulling images (#10698).
  • Fixed a bug where a number of Podman commands did not properly support using Go templates as an argument to the --format option.

API

  • Fixed a bug where the Compat Inspect endpoint for Containers did not include information on container healthchecks (#10457).
  • Fixed a bug where the Libpod and Compat Build endpoints for Images did not properly handle the devices query parameter (#10614).

Misc

  • Fixed a bug where the Makefile's make podman-remote-static target to build a statically-linked podman-remote binary was instead producing dynamic binaries (#10656).
  • Updated the containers/common library to v0.38.11

podman - v3.2.1

Published by mheon over 3 years ago

Changes

  • Podman now allows corrupt images (e.g. from restarting the system during an image pull) to be replaced by a podman pull of the same image (instead of requiring they be removed first, then re-pulled).

Bugfixes

  • Fixed a bug where Podman would fail to start containers if a Seccomp profile was not available at /usr/share/containers/seccomp.json (#10556).
  • Fixed a bug where the podman machine start command failed on OS X machines with the AMD64 architecture and certain QEMU versions (#10555).
  • Fixed a bug where Podman would always use the slow path for joining the rootless user namespace.
  • Fixed a bug where the podman stats command would fail on Cgroups v1 systems when run on a container running systemd (#10602).
  • Fixed a bug where pre-checkpoint support for podman container checkpoint did not function correctly.
  • Fixed a bug where the remote Podman client's podman build command did not properly handle the -f option (#9871).
  • Fixed a bug where the remote Podman client's podman run command would sometimes not resize the container's terminal before execution began (#9859).
  • Fixed a bug where the --filter option to the podman image prune command was nonfunctional.
  • Fixed a bug where the podman logs -f command would exit before all output for a container was printed when the k8s-file log driver was in use (#10596).
  • Fixed a bug where Podman would not correctly detect that systemd-resolved was in use on the host and adjust DNS servers in the container appropriately under some circumstances (#10570).
  • Fixed a bug where the podman network connect and podman network disconnect commands acted improperly when containers were in the Created state, marking the changes as done but not actually performing them.

API

  • Fixed a bug where the Compat and Libpod Prune endpoints for Networks returned null, instead of an empty array, when nothing was pruned.
  • Fixed a bug where the Create API for Images would continue to pull images even if a client closed the connection mid-pull (#7558).
  • Fixed a bug where the Events API did not include some information (including labels) when sending events.
  • Fixed a bug where the Events API would, when streaming was not requested, send at most one event (#10529).

Misc

  • Updated the containers/common library to v0.38.9

podman - v3.2.0

Published by mheon over 3 years ago

Features

  • Docker Compose is now supported with rootless Podman (#9169).
  • The podman network connect, podman network disconnect, and podman network reload commands have been enabled for rootless Podman.
  • An experimental new set of commands, podman machine, was added to assist in managing virtual machines containing a Podman server. These are intended for easing the use of Podman on OS X by handling the creation of a Linux VM for running Podman.
  • The podman generate kube command can now be run on Podman named volumes (generating PersistentVolumeClaim YAML), in addition to pods and containers.
  • The podman play kube command now supports two new options, --ip and --mac, to set static IPs and MAC addresses for created pods (#8442 and #9731).
  • The podman play kube command's support for PersistentVolumeClaim YAML has been greatly improved.
  • The podman generate kube command now preserves the label used by podman auto-update to identify containers to update as a Kubernetes annotation, and the podman play kube command will convert this annotation back into a label. This allows podman auto-update to be used with containers created by podman play kube.
  • The podman play kube command now supports Kubernetes secretRef YAML (using the secrets support from podman secret) for environment variables.
  • Secrets can now be added to containers as environment variables using the type=env option to the --secret flag to podman create and podman run.
  • The podman start command now supports the --all option, allowing all containers to be started simultaneously with a single command. The --filter option has also been added to filter which containers to start when --all is used.
  • Filtering containers with the --filter option to podman ps and podman start now supports a new filter, restart-policy, to filter containers based on their restart policy.
  • The --group-add option to rootless podman run and podman create now accepts a new value, keep-groups, which instructs Podman to retain the supplemental groups of the user running Podman in the created container. This is only supported with the crun OCI runtime.
  • The podman run and podman create commands now support a new option, --timeout. This sets a maximum time the container is allowed to run, after which it is killed (#6412).
  • The podman run and podman create commands now support a new option, --pidfile. This will create a file when the container is started containing the PID of the first process in the container.
  • The podman run and podman create commands now support a new option, --requires. The --requires option adds dependency containers - containers that must be running before the current container. Commands like podman start will automatically start the requirements of a container before starting the container itself.
  • Auto-updating containers can now be done with locally-built images, not just images hosted on a registry, by creating containers with the io.containers.autoupdate label set to local.
  • Podman now supports the Container Device Interface (CDI) standard.
  • Podman now adds an entry to /etc/hosts, host.containers.internal, pointing to the current gateway (which, for root containers, is usually a bridge interface on the host system) (#5651).
  • The podman ps, podman pod ps, podman network list, podman secret list, and podman volume list commands now support a --noheading option, which will cause Podman to omit the heading line including column names.
  • The podman unshare command now supports a new flag, --rootless-cni, to join the rootless network namespace. This allows commands to be run in the same network environment as rootless containers with CNI networking.
  • The --security-opt unmask= option to podman run and podman create now supports glob operations to unmask a group of paths at once (e.g. podman run --security-opt unmask=/proc/* ... will unmask all paths in /proc in the container).
  • The podman network prune command now supports a --filter option to filter which networks will be pruned.

Changes

  • The change in Podman 3.1.2 where the :z and :Z mount options for volumes were ignored for privileged containers has been reverted after discussion in #10209.
  • Podman's rootless CNI functionality no longer requires a sidecar container! The removal of the requirement for the rootless-cni-infra container means that rootless CNI is now usable on all architectures, not just AMD64, and no longer requires pulling an image (#8709).
  • The Image handling code used by Podman has seen a major rewrite to improve code sharing with our other projects, Buildah and CRI-O. This should result in fewer bugs and performance gains in the long term. Work on this is still ongoing.
  • The podman auto-update command now prunes previous versions of images after updating if they are unused, to prevent disk exhaustion after repeated updates (#10190).
  • The podman play kube command now treats environment variables configured as references to a ConfigMap as mandatory unless the optional parameter was set; this better matches the behavior of Kubernetes.
  • Podman now supports the --context=default flag from Docker as a no-op for compatibility purposes.
  • When Podman is run as root, but without CAP_SYS_ADMIN being available, it will run in a user namespace using the same code as rootless Podman (instead of failing outright).
  • The podman info command now includes the path of the Seccomp profile Podman is using, available cgroup controllers, and whether Podman is connected to a remote service or running containers locally.
  • Containers created with the --rm option now automatically use the volatile storage flag when available for their root filesystems, causing them not to write changes to disk as often as they will be removed at completion anyways. This should result in improved performance.
  • The podman generate systemd --new command will now include environment variables referenced by the container in generated unit files if the value would be looked up from the system environment.
  • Podman now requires that Conmon v2.0.24 be available.

Bugfixes

  • Fixed a bug where the remote Podman client's podman build command did not support the --arch, --platform, and --os options.
  • Fixed a bug where the remote Podman client's podman build command ignored the --rm=false option (#9869).
  • Fixed a bug where the remote Podman client's podman build --iidfile command could include extra output (in addition to just the image ID) in the image ID file written (#10233).
  • Fixed a bug where the remote Podman client's podman build command did not preserve hardlinks when moving files into the container via COPY instructions (#9893).
  • Fixed a bug where the podman generate systemd --new command could generate extra --iidfile arguments if the container was already created with one.
  • Fixed a bug where the podman generate systemd --new command would generate unit files that did not include RequiresMountsFor lines (#10493).
  • Fixed a bug where the podman generate kube command produced incorrect YAML for containers which bind-mounted both / and /root from the host system into the container (#9764).
  • Fixed a bug where pods created by podman play kube from YAML that specified ShareProcessNamespace would only share the PID namespace (and not also the UTS, Network, and IPC namespaces) (#9128).
  • Fixed a bug where the podman network reload command could generate spurious error messages when iptables-nft was in use.
  • Fixed a bug where rootless Podman could fail to attach to containers when the user running Podman had a large UID.
  • Fixed a bug where the podman ps command could fail with a no such container error due to a race condition with container removal (#10120).
  • Fixed a bug where containers using the slirp4netns network mode and setting a custom slirp4netns subnet while using the rootlesskit port forwarder would not be able to forward ports (#9828).
  • Fixed a bug where the --filter ancestor= option to podman ps did not require an exact match of the image name/ID to include a container in its results.
  • Fixed a bug where the --filter until= option to podman image prune would prune images created after the specified time (instead of before).
  • Fixed a bug where setting a custom Seccomp profile via the seccomp_profile option in containers.conf had no effect, and the default profile was used instead.
  • Fixed a bug where the --cgroup-parent option to podman create and podman run was ignored in rootless Podman on cgroups v2 systems with the cgroupfs cgroup manager (#10173).
  • Fixed a bug where the IMAGE and NAME variables in podman container runlabel were not being correctly substituted (#10192).
  • Fixed a bug where Podman could freeze when creating containers with a specific combination of volumes and working directory (#10216).
  • Fixed a bug where rootless Podman containers restarted by restart policy (e.g. containers created with --restart=always) would lose networking after being restarted (#8047).
  • Fixed a bug where the podman cp command could not copy files into containers created with the --pid=host flag (#9985).
  • Fixed a bug where filters to the podman events command could not be specified twice (if a filter is specified more than once, it will match if any of the given values match - logical or) (#10507).
  • Fixed a bug where Podman would include IPv6 nameservers in resolv.conf in containers without IPv6 connectivity (#10158).
  • Fixed a bug where containers could not be created with static IP addresses when connecting to a network using the macvlan driver (#10283).

API

  • Fixed a bug where the Compat Create endpoint for Containers did not allow advanced network options to be set (#10110).
  • Fixed a bug where the Compat Create endpoint for Containers ignored static IP information provided in the IPAMConfig block (#10245).
  • Fixed a bug where the Compat Inspect endpoint for Containers returned null (instead of an empty list) for Networks when the container was not joined to a CNI network (#9837).
  • Fixed a bug where the Compat Wait endpoint for Containers could miss containers exiting if they were immediately restarted.
  • Fixed a bug where the Compat Create endpoint for Volumes required that the user provide a name for the new volume (#9803).
  • Fixed a bug where the Libpod Info handler would sometimes not return the correct path to the Podman API socket.
  • Fixed a bug where the Compat Events handler used the wrong name for container exited events (died instead of die) (#10168).
  • Fixed a bug where the Compat Push endpoint for Images could leak goroutines if the remote end closed the connection prematurely.

Misc

  • Updated Buildah to v1.21.0
  • Updated the containers/common library to v0.38.5
  • Updated the containers/storage library to v1.31.3

podman - v3.2.0-RC3

Published by mheon over 3 years ago

This is the third release candidate for Podman v3.2.0. We expect it will be the final RC.

Preliminary release notes follow:

Features

  • Docker Compose is now supported with rootless Podman (#9169).
  • The podman network connect, podman network disconnect, and podman network reload commands have been enabled for rootless Podman.
  • An experimental new set of commands, podman machine, was added to assist in managing virtual machines containing a Podman server. These are intended for easing the use of Podman on OS X by handling the creation of a Linux VM for running Podman.
  • The podman generate kube command can now be run on Podman named volumes (generating PersistentVolumeClaim YAML), in addition to pods and containers.
  • The podman play kube command now supports two new options, --ip and --mac, to set static IPs and MAC addresses for created pods (#8442 and #9731).
  • The podman play kube command's support for PersistentVolumeClaim YAML has been greatly improved.
  • The podman generate kube command now preserves the label used by podman auto-update to identify containers to update as a Kubernetes annotation, and the podman play kube command will convert this annotation back into a label. This allows podman auto-update to be used with containers created by podman play kube.
  • The podman play kube command now supports Kubernetes secretRef YAML (using the secrets support from podman secret) for environment variables.
  • Secrets can now be added to containers as environment variables using the type=env option to the --secret flag to podman create and podman run.
  • The podman start command now supports the --all option, allowing all containers to be started simultaneously with a single command. The --filter option has also been added to filter which containers to start when --all is used.
  • Filtering containers with the --filter option to podman ps and podman start now supports a new filter, restart-policy, to filter containers based on their restart policy.
  • The --group-add option to rootless podman run and podman create now accepts a new value, keep-groups, which instructs Podman to retain the supplemental groups of the user running Podman in the created container. This is only supported with the crun OCI runtime.
  • The podman run and podman create commands now support a new option, --timeout. This sets a maximum time the container is allowed to run, after which it is killed (#6412).
  • The podman run and podman create commands now support a new option, --pidfile. This will create a file when the container is started containing the PID of the first process in the container.
  • The podman run and podman create commands now support a new option, --requires. The --requires option adds dependency containers - containers that must be running before the current container. Commands like podman start will automatically start the requirements of a container before starting the container itself.
  • Auto-updating containers can now be done with locally-built images, not just images hosted on a registry, by creating containers with the io.containers.autoupdate label set to local.
  • Podman now supports the Container Device Interface (CDI) standard.
  • Podman now adds an entry to /etc/hosts, host.containers.internal, pointing to the current gateway (which, for root containers, is usually a bridge interface on the host system) (#5651).
  • The podman ps, podman pod ps, podman network list, podman secret list, and podman volume list commands now support a --noheading option, which will cause Podman to omit the heading line including column names.
  • The podman unshare command now supports a new flag, --rootless-cni, to join the rootless network namespace. This allows commands to be run in the same network environment as rootless containers with CNI networking.
  • The --security-opt unmask= option to podman run and podman create now supports glob operations to unmask a group of paths at once (e.g. podman run --security-opt unmask=/proc/* ... will unmask all paths in /proc in the container).
  • The podman network prune command now supports a --filter option to filter which networks will be pruned.

Changes

  • The change in Podman 3.1.2 where the :z and :Z mount options for volumes were ignored for privileged containers has been reverted after discussion in #10209.
  • Podman's rootless CNI functionality no longer requires a sidecar container! The removal of the requirement for the rootless-cni-infra container means that rootless CNI is now usable on all architectures, not just AMD64, and no longer requires pulling an image (#8709).
  • The Image handling code used by Podman has seen a major rewrite to improve code sharing with our other projects, Buildah and CRI-O. This should result in fewer bugs and performance gains in the long term. Work on this is still ongoing.
  • The podman auto-update command now prunes previous versions of images after updating if they are unused, to prevent disk exhaustion after repeated updates (#10190).
  • The podman play kube command now treats environment variables configured as references to a ConfigMap as mandatory unless the optional parameter was set; this better matches the behavior of Kubernetes.
  • Podman now supports the --context=default flag from Docker as a no-op for compatibility purposes.
  • When Podman is run as root, but without CAP_SYS_ADMIN being available, it will run in a user namespace using the same code as rootless Podman (instead of failing outright).
  • The podman info command now includes the path of the Seccomp profile Podman is using, available cgroup controllers, and whether Podman is connected to a remote service or running containers locally.
  • Containers created with the --rm option now automatically use the volatile storage flag when available for their root filesystems, so that changes are written to disk less often, since these containers will be removed at completion anyway. This should result in improved performance.
  • The podman generate systemd --new command will now include environment variables referenced by the container in generated unit files if the value would be looked up from the system environment.
  • Podman now requires that Conmon v2.0.24 be available.

Bugfixes

  • Fixed a bug where the remote Podman client's podman build command did not support the --arch, --platform, and --os options.
  • Fixed a bug where the remote Podman client's podman build command ignored the --rm=false option (#9869).
  • Fixed a bug where the remote Podman client's podman build --iidfile command could include extra output (in addition to just the image ID) in the image ID file written (#10233).
  • Fixed a bug where the remote Podman client's podman build command did not preserve hardlinks when moving files into the container via COPY instructions (#9893).
  • Fixed a bug where the podman generate systemd --new command could generate extra --iidfile arguments if the container was already created with one.
  • Fixed a bug where the podman generate kube command produced incorrect YAML for containers which bind-mounted both / and /root from the host system into the container (#9764).
  • Fixed a bug where pods created by podman play kube from YAML that specified ShareProcessNamespace would only share the PID namespace (and not also the UTS, Network, and IPC namespaces) (#9128).
  • Fixed a bug where the podman network reload command could generate spurious error messages when iptables-nft was in use.
  • Fixed a bug where rootless Podman could fail to attach to containers when the user running Podman had a large UID.
  • Fixed a bug where the podman ps command could fail with a no such container error due to a race condition with container removal (#10120).
  • Fixed a bug where containers using the slirp4netns network mode and setting a custom slirp4netns subnet while using the rootlesskit port forwarder would not be able to forward ports (#9828).
  • Fixed a bug where the --filter ancestor= option to podman ps did not require an exact match of the image name/ID to include a container in its results.
  • Fixed a bug where the --filter until= option to podman image prune would prune images created after the specified time (instead of before).
  • Fixed a bug where setting a custom Seccomp profile via the seccomp_profile option in containers.conf had no effect, and the default profile was used instead.
  • Fixed a bug where the --cgroup-parent option to podman create and podman run was ignored in rootless Podman on cgroups v2 systems with the cgroupfs cgroup manager (#10173).
  • Fixed a bug where the IMAGE and NAME variables in podman container runlabel were not being correctly substituted (#10192).
  • Fixed a bug where Podman could freeze when creating containers with a specific combination of volumes and working directory (#10216).
  • Fixed a bug where rootless Podman containers restarted by restart policy (e.g. containers created with --restart=always) would lose networking after being restarted (#8047).
  • Fixed a bug where the podman cp command could not copy files into containers created with the --pid=host flag (#9985).

API

  • Fixed a bug where the Compat Create endpoint for Containers did not allow advanced network options to be set (#10110).
  • Fixed a bug where the Compat Create endpoint for Containers ignored static IP information provided in the IPAMConfig block (#10245).
  • Fixed a bug where the Compat Inspect endpoint for Containers returned null (instead of an empty list) for Networks when the container was not joined to a CNI network (#9837).
  • Fixed a bug where the Compat Wait endpoint for Containers could miss containers exiting if they were immediately restarted.
  • Fixed a bug where the Compat Create endpoint for Volumes required that the user provide a name for the new volume (#9803).
  • Fixed a bug where the Libpod Info handler would sometimes not return the correct path to the Podman API socket.
  • Fixed a bug where the Compat Events handler used the wrong name for container exited events (died instead of die) (#10168).

Misc

  • Updated Buildah to v1.21.0
  • Updated the containers/common library to v0.38.4
  • Updated the containers/storage library to v1.31.1

podman - v3.2.0-RC2

Published by mheon over 3 years ago

This is the second release candidate for Podman v3.2.0. We expect a final RC early next week, and a final release late next week if all goes well.

Preliminary release notes follow:

Features

  • Docker Compose is now supported with rootless Podman (#9169).
  • The podman network connect, podman network disconnect, and podman network reload commands have been enabled for rootless Podman.
  • An experimental new set of commands, podman machine, was added to assist in managing virtual machines containing a Podman server. These are intended for easing the use of Podman on OS X by handling the creation of a Linux VM for running Podman.
  • The podman generate kube command can now be run on Podman named volumes (generating PersistentVolumeClaim YAML), in addition to pods and containers.
  • The podman play kube command now supports two new options, --ip and --mac, to set static IPs and MAC addresses for created pods (#8442 and #9731).
  • The podman play kube command's support for PersistentVolumeClaim YAML has been greatly improved.
  • The podman generate kube command now preserves the label used by podman auto-update to identify containers to update as a Kubernetes annotation, and the podman play kube command will convert this annotation back into a label. This allows podman auto-update to be used with containers created by podman play kube.
  • The podman play kube command now supports Kubernetes secretRef YAML (using the secrets support from podman secret) for environment variables.
  • Secrets can now be added to containers as environment variables using the type=env option to the --secret flag to podman create and podman run.
  • The podman start command now supports the --all option, allowing all containers to be started simultaneously with a single command. The --filter option has also been added to filter which containers to start when --all is used.
  • Filtering containers with the --filter option to podman ps and podman start now supports a new filter, restart-policy, to filter containers based on their restart policy.
  • The --group-add option to rootless podman run and podman create now accepts a new value, keep-groups, which instructs Podman to retain the supplemental groups of the user running Podman in the created container. This is only supported with the crun OCI runtime.
  • The podman run and podman create commands now support a new option, --timeout. This sets a maximum time the container is allowed to run, after which it is killed (#6412).
  • The podman run and podman create commands now support a new option, --pidfile. This will create a file when the container is started containing the PID of the first process in the container.
  • The podman run and podman create commands now support a new option, --requires. The --requires option adds dependency containers - containers that must be running before the current container. Commands like podman start will automatically start the requirements of a container before starting the container itself.
  • Auto-updating containers can now be done with locally-built images, not just images hosted on a registry, by creating containers with the io.containers.autoupdate label set to local.
  • Podman now supports the Container Device Interface (CDI) standard.
  • Podman now adds an entry to /etc/hosts, host.containers.internal, pointing to the current gateway (which, for root containers, is usually a bridge interface on the host system) (#5651).
  • The podman ps, podman pod ps, podman network list, podman secret list, and podman volume list commands now support a --noheading option, which will cause Podman to omit the heading line including column names.
  • The podman unshare command now supports a new flag, --rootless-cni, to join the rootless network namespace. This allows commands to be run in the same network environment as rootless containers with CNI networking.
  • The --security-opt unmask= option to podman run and podman create now supports glob operations to unmask a group of paths at once (e.g. podman run --security-opt unmask=/proc/* ... will unmask all paths in /proc in the container).
  • The podman network prune command now supports a --filter option to filter which networks will be pruned.

Changes

  • The change in Podman 3.1.2 where the :z and :Z mount options for volumes were ignored for privileged containers has been reverted after discussion in #10209.
  • Podman's rootless CNI functionality no longer requires a sidecar container! The removal of the requirement for the rootless-cni-infra container means that rootless CNI is now usable on all architectures, not just AMD64, and no longer requires pulling an image (#8709).
  • The Image handling code used by Podman has seen a major rewrite to improve code sharing with our other projects, Buildah and CRI-O. This should result in fewer bugs and performance gains in the long term. Work on this is still ongoing.
  • The podman auto-update command now prunes previous versions of images after updating if they are unused, to prevent disk exhaustion after repeated updates (#10190).
  • The podman play kube command now treats environment variables configured as references to a ConfigMap as mandatory unless the optional parameter was set; this better matches the behavior of Kubernetes.
  • Podman now supports the --context=default flag from Docker as a no-op for compatibility purposes.
  • When Podman is run as root, but without CAP_SYS_ADMIN being available, it will run in a user namespace using the same code as rootless Podman (instead of failing outright).
  • The podman info command now includes the path of the Seccomp profile Podman is using, and whether Podman is connected to a remote service or running containers locally.
  • Containers created with the --rm option now automatically use the volatile storage flag when available for their root filesystems, so that changes are written to disk less often, since these containers will be removed at completion anyway. This should result in improved performance.
  • The podman generate systemd --new command will now include environment variables referenced by the container in generated unit files if the value would be looked up from the system environment.
  • Podman now requires that Conmon v2.0.24 be available.

Bugfixes

  • Fixed a bug where the remote Podman client's podman build command did not support the --arch, --platform, and --os options.
  • Fixed a bug where the remote Podman client's podman build command ignored the --rm=false option (#9869).
  • Fixed a bug where the podman generate systemd --new command could generate extra --iidfile arguments if the container was already created with one.
  • Fixed a bug where the podman generate kube command produced incorrect YAML for containers which bind-mounted both / and /root from the host system into the container (#9764).
  • Fixed a bug where pods created by podman play kube from YAML that specified ShareProcessNamespace would only share the PID namespace (and not also the UTS, Network, and IPC namespaces) (#9128).
  • Fixed a bug where the podman network reload command could generate spurious error messages when iptables-nft was in use.
  • Fixed a bug where rootless Podman could fail to attach to containers when the user running Podman had a large UID.
  • Fixed a bug where the podman ps command could fail with a no such container error due to a race condition with container removal (#10120).
  • Fixed a bug where containers using the slirp4netns network mode and setting a custom slirp4netns subnet while using the rootlesskit port forwarder would not be able to forward ports (#9828).
  • Fixed a bug where the --filter ancestor= option to podman ps did not require an exact match of the image name/ID to include a container in its results.
  • Fixed a bug where the --filter until= option to podman image prune would prune images created after the specified time (instead of before).
  • Fixed a bug where setting a custom Seccomp profile via the seccomp_profile option in containers.conf had no effect, and the default profile was used instead.
  • Fixed a bug where the --cgroup-parent option to podman create and podman run was ignored in rootless Podman on cgroups v2 systems with the cgroupfs cgroup manager (#10173).
  • Fixed a bug where the IMAGE and NAME variables in podman container runlabel were not being correctly substituted (#10192).
  • Fixed a bug where the remote Podman client's podman build --iidfile command could include extra output (in addition to just the image ID) in the image ID file written (#10233).
  • Fixed a bug where Podman could freeze when creating containers with a specific combination of volumes and working directory (#10216).
  • Fixed a bug where rootless Podman containers restarted by restart policy (e.g. containers created with --restart=always) would lose networking after being restarted (#8047).

API

  • Fixed a bug where the Compat Create endpoint for Containers did not allow advanced network options to be set (#10110).
  • Fixed a bug where the Compat Create endpoint for Containers ignored static IP information provided in the IPAMConfig block (#10245).
  • Fixed a bug where the Compat Inspect endpoint for Containers returned null (instead of an empty list) for Networks when the container was not joined to a CNI network (#9837).
  • Fixed a bug where the Compat Wait endpoint for Containers could miss containers exiting if they were immediately restarted.
  • Fixed a bug where the Compat Create endpoint for Volumes required that the user provide a name for the new volume (#9803).
  • Fixed a bug where the Libpod Info handler would sometimes not return the correct path to the Podman API socket.
  • Fixed a bug where the Compat Events handler used the wrong name for container exited events (died instead of die) (#10168).

Misc

  • Updated Buildah to v1.21.0
  • Updated the containers/common library to v0.38.4
  • Updated the containers/storage library to v1.31.1

podman - v3.2.0-RC1

Published by mheon over 3 years ago

This is the first release candidate for the Podman v3.2.0 release. Podman 3.2.0 features improved rootless networking (including support for rootless Docker compose), a rewritten image backend, and numerous other changes.

Full release notes will be available with the release of RC2 next week.

podman - v3.1.2

Published by mheon over 3 years ago

Bugfixes

  • Fixed a bug where images with empty layers were stored incorrectly, causing them to be unable to be pushed or saved.
  • Fixed a bug where the podman rmi command could fail to remove corrupt images from storage.
  • Fixed a bug where the remote Podman client's podman save command did not support the oci-dir and docker-dir formats (#9742).
  • Fixed a bug where volume mounts from podman play kube created with a trailing / in the container path were not properly superseding named volumes from the image (#9618).
  • Fixed a bug where Podman could fail to build on 32-bit architectures.

Misc

  • Updated the containers/image library to v5.11.1

podman - v3.1.1

Published by mheon over 3 years ago

Changes

  • Podman now recognizes trace as a valid argument to the --log-level option. Trace logging is now the most verbose level of logging available.
  • The :z and :Z options for volume mounts are now ignored when the container is privileged or is run with SELinux isolation disabled (--security-opt label=disable). This better matches Docker's behavior in this case.

Bugfixes

  • Fixed a bug where pruning images with the podman image prune or podman system prune commands could cause Podman to panic.
  • Fixed a bug where the podman save command did not properly error when the --compress flag was used with incompatible format types.
  • Fixed a bug where the --security-opt and --ulimit options to the remote Podman client's podman build command were nonfunctional.
  • Fixed a bug where the --log-rusage option to the remote Podman client's podman build command was nonfunctional (#9489).
  • Fixed a bug where the podman build command could, in some circumstances, use the wrong OCI runtime (#9459).
  • Fixed a bug where the remote Podman client's podman build command could return 0 despite failing (#10029).
  • Fixed a bug where the podman container runlabel command did not properly expand the IMAGE and NAME variables in the label (#9405).
  • Fixed a bug where poststop OCI hooks would be executed twice on containers started with the --rm argument (#9983).
  • Fixed a bug where rootless Podman could fail to launch containers on cgroups v2 systems when the cgroupfs cgroup manager was in use.
  • Fixed a bug where the podman stats command could error when statistics tracked exceeded the maximum size of a 32-bit signed integer (#9979).
  • Fixed a bug where rootless Podman containers run with --userns=keepid (without a --user flag in addition) would grant exec sessions run in them too many capabilities (#9919).
  • Fixed a bug where the --authfile option to podman build did not validate that the path given existed (#9572).
  • Fixed a bug where the --storage-opt option to Podman was appending to, instead of overriding (as is documented), the default storage options.
  • Fixed a bug where the podman system service connection did not function properly when run in a socket-activated systemd unit file as a non-root user.
  • Fixed a bug where the --network option to the podman play kube command of the remote Podman client was being ignored (#9698).
  • Fixed a bug where the --log-driver option to the podman play kube command was nonfunctional (#10015).

API

  • Fixed a bug where the Libpod Create endpoint for Manifests did not properly validate the image the manifest was being created with.
  • Fixed a bug where the Libpod DF endpoint could, in error cases, append an extra null to the JSON response, causing decode errors.
  • Fixed a bug where the Libpod and Compat Top endpoint for Containers would return process names that included extra whitespace.
  • Fixed a bug where the Compat Prune endpoint for Containers accepted too many types of filter.

Misc

  • Updated Buildah to v1.20.1
  • Updated the containers/storage library to v1.29.0
  • Updated the containers/image library to v5.11.0
  • Updated the containers/common library to v0.36.0

podman - v3.1.0

Published by mheon over 3 years ago

Features

  • A set of new commands has been added to manage secrets! The podman secret create, podman secret inspect, podman secret ls and podman secret rm commands have been added to handle secrets, along with the --secret option to podman run and podman create to add secrets to containers. The initial driver for secrets does not support encryption - this will be added in a future release.
  • A new command to prune networks, podman network prune, has been added (#8673).
  • The -v option to podman run and podman create now supports a new volume option, :U, to chown the volume's source directory on the host to match the UID and GID of the container and prevent permissions issues (#7778).
  • Three new commands, podman network exists, podman volume exists, and podman manifest exists, have been added to check for the existence of networks, volumes, and manifest lists.
  • The podman cp command can now copy files into directories mounted as tmpfs in a running container.
  • The podman volume prune command will now list volumes that will be pruned when prompting the user whether to continue and perform the prune (#8913).
  • The Podman remote client's podman build command now supports the --disable-compression, --excludes, and --jobs options.
  • The Podman remote client's podman push command now supports the --format option.
  • The Podman remote client's podman rm command now supports the --all and --ignore options.
  • The Podman remote client's podman search command now supports the --no-trunc and --list-tags options.
  • The podman play kube command can now read in Kubernetes YAML from STDIN when - is specified as file name (podman play kube -), allowing input to be piped into the command for scripting (#8996).
  • The podman generate systemd command now supports a --no-header option, which disables creation of the header comment automatically added by Podman to generated unit files.
  • The podman generate kube command can now generate PersistentVolumeClaim YAML for Podman named volumes (#5788).
  • The podman generate kube command can now generate YAML files containing multiple resources (pods or deployments) (#9129).

Security

  • This release resolves CVE-2021-20291, a deadlock vulnerability in the storage library caused by pulling a specially-crafted container image.

Changes

  • The Podman remote client's podman build command no longer allows the -v flag to be used. Volumes are not yet supported with remote Podman when the client and service are on different machines.
  • The podman kill and podman stop commands now print the name given by the user for each container, instead of the full ID.
  • When the --security-opt unmask=ALL or --security-opt unmask=/sys/fs/cgroup options to podman create or podman run are given, Podman will mount cgroups into the container as read-write, instead of read-only (#8441).
  • The podman rmi command has been changed to better handle cases where an image is incomplete or corrupted, which can be caused by interrupted image pulls.
  • The podman rename command has been improved to be more atomic, eliminating many race conditions that could potentially render a renamed container unusable.
  • Detection of which OCI runtimes run using virtual machines and thus require custom SELinux labelling has been improved (#9582).
  • The hidden --trace option to podman has been turned into a no-op. It was used in very early versions for performance tracing, but has not been supported for some time.
  • The podman generate systemd command now generates RequiresMountsFor lines to ensure necessary storage directories are mounted before systemd starts Podman.
  • Podman will now emit a warning when --tty and --interactive are both passed, but STDIN is not a TTY. This will be made into an error in the next major Podman release some time next year.

Bugfixes

  • Fixed a bug where rootless Podman containers joined to CNI networks could not receive traffic from forwarded ports (#9065).
  • Fixed a bug where podman network create with the --macvlan flag did not honor the --gateway, --subnet, and --opt options (#9167).
  • Fixed a bug where the podman generate kube command generated invalid YAML for privileged containers (#8897).
  • Fixed a bug where the podman generate kube command could not be used with containers that were not running.
  • Fixed a bug where the podman generate systemd command could duplicate some parameters to Podman in generated unit files (#9776).
  • Fixed a bug where Podman did not add annotations specified in containers.conf to containers.
  • Fixed a bug where Podman did not respect the no_hosts default in containers.conf when creating containers.
  • Fixed a bug where the --tail=0, --since, and --follow options to the podman logs command did not function properly when using the journald log backend.
  • Fixed a bug where specifying more than one container to podman logs when the journald log backend was in use did not function correctly.
  • Fixed a bug where the podman run and podman create commands would panic if a memory limit was set, but the swap limit was set to unlimited (#9429).
  • Fixed a bug where the --network option to podman run, podman create, and podman pod create would error if the user attempted to specify CNI networks by ID, instead of name (#9451).
  • Fixed a bug where Podman's cgroup handling for cgroups v1 systems did not properly handle cases where a cgroup existed on some, but not all, controllers, resulting in errors from the podman stats command (#9252).
  • Fixed a bug where the podman cp command did not properly handle cases where /dev/stdout was specified as the destination (it was treated identically to -) (#9362).
  • Fixed a bug where the podman cp command would create files with incorrect ownership (#9526).
  • Fixed a bug where the podman cp command did not properly handle cases where the destination directory did not exist.
  • Fixed a bug where the podman cp command did not properly evaluate symlinks when copying out of containers.
  • Fixed a bug where the podman rm -fa command would error when attempting to remove containers created with --rm (#9479).
  • Fixed a bug where the ordering of capabilities was nondeterministic in the CapDrop field of the output of podman inspect on a container (#9490).
  • Fixed a bug where the podman network connect command could be used with containers that were not initially connected to a CNI bridge network (e.g. containers created with --net=host) (#9496).
  • Fixed a bug where DNS search domains required by the dnsname CNI plugin were not being added to the container's resolv.conf under some circumstances.
  • Fixed a bug where the --ignorefile option to podman build was nonfunctional (#9570).
  • Fixed a bug where the --timestamp option to podman build was nonfunctional (#9569).
  • Fixed a bug where the --iidfile option to podman build could cause Podman to panic if an error occurred during the build.
  • Fixed a bug where the --dns-search option to podman build was nonfunctional (#9574).
  • Fixed a bug where the --pull-never option to podman build was nonfunctional (#9573).
  • Fixed a bug where the --build-arg option to podman build would, when given a key but not a value, error (instead of attempting to look up the key as an environment variable) (#9571).
  • Fixed a bug where the --isolation option to podman build in the remote Podman client was nonfunctional.
  • Fixed a bug where the podman network disconnect command could cause errors when the container that had a network removed was stopped and its network was cleaned up (#9602).
  • Fixed a bug where the podman network rm command did not properly check what networks a container was present in, resulting in unexpected behavior if podman network connect or podman network disconnect had been used with the network (#9632).
  • Fixed a bug where some errors with stopping a container could cause Podman to panic, and the container to be stuck in an unusable stopping state (#9615).
  • Fixed a bug where the podman load command could return 0 even in cases where an error occurred (#9672).
  • Fixed a bug where specifying storage options to Podman using the --storage-opt option would override all storage options. Instead, storage options are now overridden only when the --storage-driver option is used to override the current graph driver (#9657).
  • Fixed a bug where containers created with --privileged could request more capabilities than were available to Podman.
  • Fixed a bug where podman commit did not use the TMPDIR environment variable to place temporary files created during the commit (#9825).
  • Fixed a bug where remote Podman could error when attempting to resize short-lived containers (#9831).
  • Fixed a bug where Podman was unusable on kernels built without CONFIG_USER_NS.
  • Fixed a bug where the ownership of volumes created by podman volume create and then mounted into a container could be incorrect (#9608).
  • Fixed a bug where Podman volumes using a volume plugin could not pass certain options, and could not be used as non-root users.
  • Fixed a bug where the --tz option to podman create and podman run did not properly validate its input.

API

  • Fixed a bug where the X-Registry-Auth header did not accept null as a valid value.
  • A new compat endpoint, /auth, has been added. This endpoint validates credentials against a registry (#9564).
  • Fixed a bug where the compat Build endpoint for Images specified labels using the wrong type (array vs map). Both formats will be accepted now.
  • Fixed a bug where the compat Build endpoint for Images did not report that it successfully tagged the built image in its response.
  • Fixed a bug where the compat Create endpoint for Images did not provide progress information on pulling the image in its response.
  • Fixed a bug where the compat Push endpoint for Images did not properly handle the destination (used a query parameter, instead of a path parameter).
  • Fixed a bug where the compat Push endpoint for Images did not send the progress of the push and the digest of the pushed image in the response body.
  • Fixed a bug where the compat List endpoint for Networks returned null, instead of an empty array ([]), when no networks were present (#9293).
  • Fixed a bug where the compat List endpoint for Networks returned nulls, instead of empty maps, for networks that do not have Labels and/or Options.
  • The Libpod Inspect endpoint for networks (/libpod/network/$ID/json) now has an alias at /libpod/network/$ID (#9691).
  • Fixed a bug where the libpod Inspect endpoint for Networks returned a 1-size array of results, instead of a single result (#9690).
  • The Compat List endpoint for Networks now supports the legacy format for filters in parallel with the current filter format (#9526).
  • Fixed a bug where the compat Create endpoint for Containers did not properly handle tmpfs filesystems specified with options (#9511).
  • Fixed a bug where the compat Create endpoint for Containers did not create bind-mount source directories (#9510).
  • Fixed a bug where the compat Create endpoint for Containers did not properly handle the NanoCpus option (#9523).
  • Fixed a bug where the Libpod create endpoint for Containers had a misnamed field in its JSON.
  • Fixed a bug where the compat List endpoint for Containers did not populate information on forwarded ports (#9553).
  • Fixed a bug where the compat List endpoint for Containers did not populate information on container CNI networks (#9529).
  • Fixed a bug where the compat and libpod Stop endpoints for Containers would ignore a timeout of 0.
  • Fixed a bug where the compat and libpod Resize endpoints for Containers did not set the correct terminal sizes (dimensions were reversed) (#9756).
  • Fixed a bug where the compat Remove endpoint for Containers would not return 404 when attempting to remove a container that does not exist (#9675).
  • Fixed a bug where the compat Prune endpoint for Volumes would still prune even if an invalid filter was specified.
  • Numerous bugs related to filters have been addressed.

Misc

  • Updated Buildah to v1.20.0
  • Updated the containers/storage library to v1.28.1
  • Updated the containers/image library to v5.10.5
  • Updated the containers/common library to v0.35.4

podman - v3.1.0-RC2

Published by mheon over 3 years ago

This is the second release candidate for Podman v3.1.0

Preliminary release notes are below. Please note that these are subject to change until the final release.

Features

  • A set of new commands has been added to manage secrets! The podman secret create, podman secret inspect, podman secret ls and podman secret rm commands have been added to handle secrets, along with the --secret option to podman run and podman create to add secrets to containers. The initial driver for secrets does not support encryption - this will be added in a future release.
  • A new command to prune networks, podman network prune, has been added (#8673).
  • The -v option to podman run and podman create now supports a new volume option, :U, to chown the volume's source directory on the host to match the UID and GID of the container and prevent permissions issues (#7778).
  • Three new commands, podman network exists, podman volume exists, and podman manifest exists, have been added to check for the existence of networks, volumes, and manifest lists.
  • The podman cp command can now copy files into directories mounted as tmpfs in a running container.
  • The podman volume prune command will now list volumes that will be pruned when prompting the user whether to continue and perform the prune (#8913).
  • The Podman remote client's podman build command now supports the --disable-compression, --excludes, and --jobs options.
  • The Podman remote client's podman push command now supports the --format option.
  • The Podman remote client's podman rm command now supports the --all and --ignore options.
  • The Podman remote client's podman search command now supports the --no-trunc and --list-tags options.
  • The podman play kube command can now read in Kubernetes YAML from STDIN when - is specified as file name (podman play kube -), allowing input to be piped into the command for scripting (#8996).
  • The podman generate systemd command now supports a --no-header option, which disables creation of the header comment automatically added by Podman to generated unit files.

Changes

  • The Podman remote client's podman build command no longer allows the -v flag to be used. Volumes are not yet supported with remote Podman when the client and service are on different machines.
  • The podman kill and podman stop commands now print the name given by the user for each container, instead of the full ID.
  • When the --security-opt unmask=ALL or --security-opt unmask=/sys/fs/cgroup options to podman create or podman run are given, Podman will mount cgroups into the container as read-write, instead of read-only (#8441).
  • The podman rmi command has been changed to better handle cases where an image is incomplete or corrupted, which can be caused by interrupted image pulls.
  • The podman rename command has been improved to be more atomic, eliminating many race conditions that could potentially render a renamed container unusable.
  • Detection of which OCI runtimes run using virtual machines and thus require custom SELinux labelling has been improved (#9582).
  • The hidden --trace option to podman has been turned into a no-op. It was used in very early versions for performance tracing, but has not been supported for some time.

Bugfixes

  • Fixed a bug where rootless Podman containers joined to CNI networks could not receive traffic from forwarded ports (#9065).
  • Fixed a bug where podman network create with the --macvlan flag did not honor the --gateway, --subnet, and --opt options (#9167).
  • Fixed a bug where the podman generate kube command generated invalid YAML for privileged containers (#8897).
  • Fixed a bug where the podman generate kube command could not be used with containers that were not running.
  • Fixed a bug where Podman did not add annotations specified in containers.conf to containers.
  • Fixed a bug where Podman did not respect the no_hosts default in containers.conf when creating containers.
  • Fixed a bug where the --tail=0, --since, and --follow options to the podman logs command did not function properly when using the journald log backend.
  • Fixed a bug where specifying more than one container to podman logs when the journald log backend was in use did not function correctly.
  • Fixed a bug where the podman run and podman create commands would panic if a memory limit was set, but the swap limit was set to unlimited (#9429).
  • Fixed a bug where the --network option to podman run, podman create, and podman pod create would error if the user attempted to specify CNI networks by ID, instead of name (#9451).
  • Fixed a bug where Podman's cgroup handling for cgroups v1 systems did not properly handle cases where a cgroup existed on some, but not all, controllers, resulting in errors from the podman stats command (#9252).
  • Fixed a bug where the podman cp command did not properly handle cases where /dev/stdout was specified as the destination (it was treated identically to -) (#9362).
  • Fixed a bug where the podman cp command would create files with incorrect ownership (#9526).
  • Fixed a bug where the podman cp command did not properly handle cases where the destination directory did not exist.
  • Fixed a bug where the podman cp command did not properly evaluate symlinks when copying out of containers.
  • Fixed a bug where the podman rm -fa command would error when attempting to remove containers created with --rm (#9479).
  • Fixed a bug where the ordering of capabilities was nondeterministic in the CapDrop field of the output of podman inspect on a container (#9490).
  • Fixed a bug where the podman network connect command could be used with containers that were not initially connected to a CNI bridge network (e.g. containers created with --net=host) (#9496).
  • Fixed a bug where DNS search domains required by the dnsname CNI plugin were not being added to the container's resolv.conf under some circumstances.
  • Fixed a bug where the --ignorefile option to podman build was nonfunctional (#9570).
  • Fixed a bug where the --timestamp option to podman build was nonfunctional (#9569).
  • Fixed a bug where the --iidfile option to podman build could cause Podman to panic if an error occurred during the build.
  • Fixed a bug where the --dns-search option to podman build was nonfunctional (#9574).
  • Fixed a bug where the --build-arg option to podman build would, when given a key but not a value, error (instead of attempting to look up the key as an environment variable) (#9571).
  • Fixed a bug where the podman network disconnect command could cause errors when the container that had a network removed was stopped and its network was cleaned up (#9602).
  • Fixed a bug where the podman network rm command did not properly check what networks a container was present in, resulting in unexpected behavior if podman network connect or podman network disconnect had been used with the network (#9632).
  • Fixed a bug where some errors with stopping a container could cause Podman to panic, and the container to be stuck in an unusable stopping state (#9615).
  • Fixed a bug where the podman load command could return 0 even in cases where an error occurred (#9672).
  • Fixed a bug where specifying storage options to Podman using the --storage-opt option would override all storage options. Instead, storage options are now overridden only when the --storage-driver option is used to override the current graph driver (#9657).
  • Fixed a bug where containers created with --privileged could request more capabilities than were available to Podman.

API

  • Fixed a bug where the X-Registry-Auth header did not accept null as a valid value.
  • A new compat endpoint, /auth, has been added. This endpoint validates credentials against a registry (#9564).
  • Fixed a bug where the compat Build endpoint for Images specified labels using the wrong type (array vs map). Both formats will be accepted now.
  • Fixed a bug where the compat Build endpoint for Images did not report that it successfully tagged the built image in its response.
  • Fixed a bug where the compat Create endpoint for Images did not provide progress information on pulling the image in its response.
  • Fixed a bug where the compat Push endpoint for Images did not properly handle the destination (used a query parameter, instead of a path parameter).
  • Fixed a bug where the compat Push endpoint for Images did not send the progress of the push and the digest of the pushed image in the response body.
  • Fixed a bug where the compat List endpoint for Networks returned null, instead of an empty array ([]), when no networks were present (#9293).
  • Fixed a bug where the compat List endpoint for Networks returned nulls, instead of empty maps, for networks that do not have Labels and/or Options.
  • The Libpod Inspect endpoint for networks (/libpod/network/$ID/json) now has an alias at /libpod/network/$ID (#9691).
  • Fixed a bug where the libpod Inspect endpoint for Networks returned a 1-size array of results, instead of a single result (#9690).
  • The Compat List endpoint for Networks now supports the legacy format for filters in parallel with the current filter format (#9526).
  • Fixed a bug where the compat Create endpoint for Containers did not properly handle tmpfs filesystems specified with options (#9511).
  • Fixed a bug where the compat Create endpoint for Containers did not create bind-mount source directories (#9510).
  • Fixed a bug where the compat Create endpoint for Containers did not properly handle the NanoCpus option (#9523).
  • Fixed a bug where the compat List endpoint for Containers did not populate information on forwarded ports (#9553).
  • Fixed a bug where the compat List endpoint for Containers did not populate information on container CNI networks (#9529).
  • Fixed a bug where the compat and libpod Stop endpoints for Containers would ignore a timeout of 0.
  • Fixed a bug where the compat Remove endpoint for Containers would not return 404 when attempting to remove a container that does not exist (#9675).
  • Fixed a bug where the compat Prune endpoint for Volumes would still prune even if an invalid filter was specified.

Misc

  • Updated Buildah to v1.19.8
  • Updated the containers/storage library to v1.28.0
  • Updated the containers/image library to v5.10.5
  • Updated the containers/common library to v0.35.3