conmon
fix(deps): update module github.com/containers/podman/v4 to v5
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| github.com/containers/podman/v4 | v4.5.0 -> v5.0.0 | | | | |
Release Notes
containers/podman (github.com/containers/podman/v4)
v5.0.0
5.0.0
Security
- Fixed CVE-2024-1753 in Buildah and `podman build`, which allowed a user to write files to the `/` directory of the host machine if SELinux was not enabled.
Features
- VMs created by `podman machine` can now use the native Apple hypervisor (`applehv`) when run on MacOS.
- A new command has been added, `podman machine reset`, which will remove all existing `podman machine` VMs and relevant configurations.
- The `podman manifest add` command now supports a new `--artifact` option to add OCI artifacts to a manifest list.
- The `podman create`, `podman run`, and `podman push` commands now support the `--retry` and `--retry-delay` options to configure retries for pushing and pulling images.
- The `podman run` and `podman exec` commands now support a new option, `--preserve-fd`, which allows passing a list of file descriptors into the container (as an alternative to `--preserve-fds`, which passes a specific number of file descriptors).
- Quadlet now supports templated units (#17744).
- The `podman kube play` command can now create image-based volumes using the `volume.podman.io/image` annotation.
- Containers created with `podman kube play` can now include volumes from other containers (similar to the `--volumes-from` option) using a new annotation, `io.podman.annotations.volumes-from` (#16819).
- Pods created with `podman kube play` can now set user namespace options through the `io.podman.annotations.userns` annotation in the pod definition (#20658).
- Macvlan and ipvlan networks can adjust the name of the network interface created inside containers via the new `containers.conf` field `interface_name` (#21313).
- The `--gpus` option to `podman create` and `podman run` is now compatible with Nvidia GPUs (#21156).
- The `--mount` option to `podman create` and `podman run` supports a new mount option, `no-dereference`, to mount a symlink (instead of its dereferenced target) into a container (#20098).
- Podman now supports a new global option, `--config`, to point to a Docker configuration from which registry login credentials can be sourced.
- The `podman ps --format` command now supports a new format specifier, `.Label` (#20957).
- The `uidmapping` and `gidmapping` options to the `podman run --userns=auto` option can now map to host IDs by prefixing host IDs with the `@` symbol.
- Quadlet now supports systemd-style drop-in directories.
- Quadlet now supports creating pods via new `.pod` unit files (#17687).
- Quadlet now supports two new keys, `Entrypoint` and `StopTimeout`, in `.container` files (#20585 and #21134).
- Quadlet now supports specifying the `Ulimit` key multiple times in `.container` files to set more than one ulimit on a container.
- Quadlet now supports setting the `Notify` key to `healthy` in `.container` files, to only sdnotify that a container has started when its health check begins passing (#18189).
Breaking Changes
- The backend for the `podman machine` commands has seen extensive rewrites. Configuration files have changed format and VMs from Podman 4.x and earlier are no longer usable. `podman machine` VMs must be recreated with Podman 5.
- The `podman machine init` command now pulls images as OCI artifacts, instead of using HTTP. As a result, a valid `policy.json` file is required on the host. Windows and Mac installers have been changed to install this file.
- QEMU is no longer a supported VM provider for `podman machine` on Mac. Instead, the native Apple hypervisor is supported.
- The `ConfigPath` and `Image` fields are no longer provided by the `podman machine inspect` command. Users can also no longer use `{{ .ConfigPath }}` or `{{ .Image }}` as arguments to `podman machine inspect --format`.
- The output of `podman inspect` for containers has seen a number of breaking changes to improve Docker compatibility, including changing `Entrypoint` from a string to an array of strings and `StopSignal` from an int to a string.
- The `podman inspect` command for containers now returns nil for healthchecks when inspecting containers without healthchecks.
- The `podman pod inspect` command now outputs a JSON array regardless of the number of pods inspected (previously, inspecting a single pod would omit the array).
- It is no longer possible to create new BoltDB databases; attempting to do so will result in an error. All new Podman installations will now use the SQLite database backend. Existing BoltDB databases remain usable.
- Support for CNI networking has been gated by a build tag and will not be enabled by default.
- Podman will now print warnings when used on cgroups v1 systems. Support for cgroups v1 is deprecated and will be removed in a future release. The `PODMAN_CGROUPSV1_WARNING` environment variable can be set to suppress warnings.
- Network statistics sent over the Docker API are now per-interface, and not aggregated, improving Docker compatibility.
- The default tool for rootless networking has been swapped from `slirp4netns` to `pasta` for improved performance. As a result, networks named `pasta` are no longer supported.
- The `--image` option replaces the now deprecated `--image-path` option for `podman machine init`.
- The output of `podman events --format "{{json .}}"` has been changed to improve Docker compatibility, including the `time` and `timeNano` fields (#14993).
- The name of `podman machine` VMs and the username used within the VM are now validated and must match this regex: `[a-zA-Z0-9][a-zA-Z0-9_.-]*`.
- Using multiple filters with the List Images REST API now combines the filters with AND instead of OR, improving Docker compatibility (#18412).
- The parsing for a number of Podman CLI options which accept arrays has been changed to no longer accept string-delineated lists, and instead to require the option to be passed multiple times. These options are `--annotation` to `podman manifest annotate` and `podman manifest add`; the `--configmap`, `--log-opt`, and `--annotation` options to `podman kube play`; the `--pubkeysfile` option to `podman image trust set`; the `--encryption-key` and `--decryption-key` options to `podman create`, `podman run`, `podman push` and `podman pull`; the `--env-file` option to `podman exec`; the `--blkio-weight-device`, `--device-read-bps`, `--device-write-bps`, `--device-read-iops`, `--device-write-iops`, `--device`, `--label-file`, `--chrootdirs`, `--log-opt`, and `--env-file` options to `podman create` and `podman run`; and the `--hooks-dir` and `--module` global options.
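Consumers of the Go module bumped by this PR that decode `podman inspect` output will run into the `Entrypoint` and `StopSignal` shape change listed above. The following Go snippet is an added example (not conmon's or Podman's own code) that decodes both the Podman 4 and Podman 5 shapes into one struct; the sample JSON is constructed, and the signal-number table and the whitespace split of the old entrypoint string are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Entrypoint decodes Config.Entrypoint from either Podman 4 (a single
// space-joined string) or Podman 5 (an array of strings) inspect output.
type Entrypoint []string

func (e *Entrypoint) UnmarshalJSON(b []byte) error {
	if string(b) == "null" {
		*e = nil
		return nil
	}
	var list []string
	if err := json.Unmarshal(b, &list); err == nil {
		*e = list
		return nil
	}
	var single string
	if err := json.Unmarshal(b, &single); err != nil {
		return fmt.Errorf("Entrypoint: expected string or array of strings, got %s", b)
	}
	// Assumption: the Podman 4 string was joined with single spaces, so splitting
	// on whitespace recovers the argv; arguments containing spaces would be lost.
	*e = strings.Fields(single)
	return nil
}

// StopSignal decodes Config.StopSignal from either Podman 4 (an int, e.g. 15)
// or Podman 5 (a string, e.g. "SIGTERM") and normalises it to the signal name.
type StopSignal string

// Assumption: Linux signal numbers for the signals commonly used as stop signals.
var signalNames = map[int]string{
	1: "SIGHUP", 2: "SIGINT", 3: "SIGQUIT", 9: "SIGKILL",
	10: "SIGUSR1", 12: "SIGUSR2", 15: "SIGTERM",
}

func (s *StopSignal) UnmarshalJSON(b []byte) error {
	if string(b) == "null" {
		*s = ""
		return nil
	}
	var num int
	if err := json.Unmarshal(b, &num); err == nil {
		name, ok := signalNames[num]
		if !ok {
			return fmt.Errorf("StopSignal: unknown signal number %d", num)
		}
		*s = StopSignal(name)
		return nil
	}
	var name string
	if err := json.Unmarshal(b, &name); err != nil {
		return fmt.Errorf("StopSignal: expected int or string, got %s", b)
	}
	name = strings.ToUpper(name)
	if !strings.HasPrefix(name, "SIG") {
		name = "SIG" + name // accept the short form ("TERM") as well as "SIGTERM"
	}
	*s = StopSignal(name)
	return nil
}

// Only the fields this example cares about; podman inspect emits many more.
type InspectConfig struct {
	Entrypoint Entrypoint `json:"Entrypoint"`
	StopSignal StopSignal `json:"StopSignal"`
}

type InspectContainer struct {
	ID     string        `json:"Id"`
	Config InspectConfig `json:"Config"`
}

// ParseInspect decodes the JSON array printed by `podman inspect <container>`.
func ParseInspect(data []byte) ([]InspectContainer, error) {
	var out []InspectContainer
	if err := json.Unmarshal(data, &out); err != nil {
		return nil, err
	}
	return out, nil
}

// Constructed, minimal samples of the two output shapes (not real inspect dumps).
const Podman4Sample = `[{"Id":"cafe","Config":{"Entrypoint":"/bin/sh -c","StopSignal":15}}]`
const Podman5Sample = `[{"Id":"cafe","Config":{"Entrypoint":["/bin/sh","-c"],"StopSignal":"SIGTERM"}}]`

func main() {
	for _, sample := range []string{Podman4Sample, Podman5Sample} {
		ctrs, err := ParseInspect([]byte(sample))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s entrypoint=%q stopsignal=%s\n",
			ctrs[0].ID, []string(ctrs[0].Config.Entrypoint), ctrs[0].Config.StopSignal)
	}
}
```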
Changes
- The `podman system reset` command no longer waits for running containers to gracefully stop, and instead immediately sends SIGKILL (#21874).
- The `podman network inspect` command now includes running containers using the network in its output (#14126).
- The `podman compose` command is now supported on non-AMD64/ARM64 architectures.
- VMs created by `podman machine` will now pass HTTP proxy environment variables into the VM for all providers.
- The `--no-trunc` option to the `podman kube play` and `podman kube generate` commands has been deprecated. Podman now complies with the Kubernetes specification for annotation size, removing the need for this option.
- The `DOCKER_HOST` environment variable will be set by default for rootless users when podman-docker is installed.
- Connections from `podman system connection` and farms from `podman farm` are now written to a new configuration file called `podman-connections.conf`. As a result, Podman no longer writes to `containers.conf`. Existing connections from `containers.conf` will still be respected.
- Most `podman farm` subcommands (save for `podman farm build`) no longer need to connect to the machines in the farm to run.
- The `podman create` and `podman run` commands no longer require specifying an entrypoint on the command line when the container image does not define one. In this case, an empty command will be passed to the OCI runtime, and the resulting behavior is runtime-specific.
- The default SELinux label for content mounted from the host in `podman machine` VMs on Mac is now `system_u:object_r:nfs_t:s0` so that it can be shared with all containers without issue.
- Newly-created VMs created by `podman machine` will now share a single SSH key for access. As a result, `podman machine rm --save-keys` is deprecated as the key will persist by default.
Bugfixes
- Fixed a bug where the `podman stats` command would not show network statistics when the `pasta` network mode was used.
- Fixed a bug where `podman machine` VMs using the HyperV provider could not mount shares on directories that did not yet exist.
- Fixed a bug where the `podman compose` command did not respect the `--connection` and `--url` options.
- Fixed a bug where the `podman stop -t -1` command would wait for 0 seconds, not infinite seconds, before sending SIGKILL (#21811).
- Fixed a bug where Podman could deadlock when cleaning up a container when the `slirp4netns` network mode was used with a restart policy of `always` or `unless-stopped` or `on-failure` and a user namespace (#21477).
- Fixed a bug where uninstalling Podman on Mac did not remove the `docker.sock` symlink (#20650).
- Fixed a bug where preexisting volumes being mounted into a new container using a path that exists in said container would not be properly chowned (#21608).
- Fixed a bug where the `podman image scp` command could fail if there was not sufficient space in the destination machine's `/tmp` for the image (#21239).
- Fixed a bug where containers killed by running out of memory (including due to a memory limit) were not properly marked as OOM killed in `podman inspect` (#13102).
- Fixed a bug where `podman kube play` did not create memory-backed emptyDir volumes using a tmpfs filesystem.
- Fixed a bug where containers started with `--rm` were sometimes not removed after a reboot (#21482).
- Fixed a bug where the `podman events` command using the remote Podman client did not display the network name associated with network events (#21311).
- Fixed a bug where the `podman farm build` command did not properly handle the `--tls-verify` option and would override server defaults even if the option was not set by the user (#21352).
- Fixed a bug where the `podman inspect` command could segfault on FreeBSD (#21117).
- Fixed a bug where Quadlet did not properly handle comment lines ending with a backslash (#21555).
- Fixed a bug where Quadlet would sometimes not report errors when malformed quadlet files were present.
- Fixed a bug where Quadlet could hang when given a `.container` file with certain types of trailing whitespace (#21109).
- Fixed a bug where Quadlet could panic when generating from Kubernetes YAML containing the `bind-mount-options` key (#21080).
- Fixed a bug where Quadlet did not properly strip quoting from values in `.container` files (#20992).
- Fixed a bug where the `--publish-all` option to `podman kube play` did not function when used with the remote Podman client.
- Fixed a bug where the `podman kube play --build` command could not build images whose Dockerfile specified an image from a private registry with a self-signed certificate in a `FROM` directive (#20890).
- Fixed a bug where container remove events did not have the correct exit code set (#19124).
API
- A new API endpoint, `/libpod/images/$name/resolve`, has been added to resolve a (potential) short name to a list of fully-qualified image references which Podman could use to pull the image.
- Fixed a bug where the List API for Images did not properly handle filters and would discard all but the last listed filter.
- Fixed a bug in the Docker Create API for Containers where entries from `/etc/hosts` were copied into created containers, resulting in incompatibility with network aliases.
- Fixed a bug in the Libpod and Docker Exec APIs for Containers which caused incorrect header values to be set when upgrading a connection for an interactive exec session.
- The API bindings have been refactored to reduce code size, leading to smaller binaries (#17167).
Misc
- Failed image pulls will now generate an event including the error.
- The gzip compression library used for sending build contexts has been changed, improving performance for remote `podman build`.
- Updated Buildah to v1.35.1
- Updated the containers/image library to v5.30.0
- Updated the containers/storage library to v1.53.0
- Updated the containers/common library to v0.58.0
- Updated the libhvee library to v0.7.0
v4.9.3
Features
- The `podman container commit` command now features a `--config` option which accepts a filename containing a JSON-encoded container configuration to be merged into the newly-created image.
v4.9.2
Security
- This release addresses a number of Buildkit vulnerabilities including but not limited to: CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653.
Misc
- Updated Buildah to v1.33.5
- Updated the containers/common library to v0.57.4
v4.9.1
Bugfixes
- Fixed a bug where the `--rootful` option to `podman machine set` would not set the machine to use the root connection (#21195).
- Fixed a bug where podman would crash when running in a containerized environment with `euid != 0` and capabilities set (#20766).
- Fixed a bug where the `podman info` command would crash if called multiple times when podman was running as `euid=0` without `CAP_SYS_ADMIN` (#20908).
- Fixed a bug where `podman machine` commands were not relayed to the correct machine on AppleHV (#21115).
- Fixed a bug where the `podman machine list` and `podman machine inspect` commands would not show the correct `Last Up` time on AppleHV (#21244).
Misc
- Updated the Mac pkginstaller QEMU to v8.2.1
- Updated Buildah to v1.33.4
- Updated the containers/image library to v5.29.2
- Updated the containers/common library to v0.57.3
v4.9.0
Features
- The `podman farm` suite of commands for multi-architecture builds is now fully enabled and documented.
- Added a network recovery service to Podman Machine VMs using the QEMU backend to detect and recover from inoperable host networking issues experienced by Mac users when running for long periods of time.
Bugfixes
- Fixed a bug where the HyperV provider for `podman machine` did not forward the API socket to the host machine.
- Fixed a bug where improperly formatted annotations passed to `podman kube play` could cause Podman to panic.
- Fixed a bug where `podman system reset` could fail if non-Podman containers (e.g. containers created by Buildah) were present.
Misc
- Containers run in `podman machine` VMs now default to a PID limit of unlimited, instead of 2048.
v4.8.3
Security
- Fixed GHSA-45x7-px36-x8w8: CVE-2023-48795 by vendoring golang.org/x/crypto v0.17.0.
v4.8.2
Bugfixes
- Fixed a bug in the MacOS pkginstaller where Podman machine was using a different QEMU binary than the one installed using the installer, if it existed on the system (#20808).
- Fixed a bug on Windows (WSL) with the first-time install of user-mode networking when using the init command, as opposed to set (#20921).
Quadlet
- Fixed a bug where Kube image build failed when starting service with missing image (#20432).
v4.8.1
Bugfixes
- Fixed a bug on Windows (WSL) where wsl.conf/resolv.conf was not restored when user-mode networking was disabled after being enabled (#20625).
- Fixed a bug where, if the user specified `podman kube play --replace`, the pod was removed on the client side, not the server side (#20705).
- Fixed a bug where `podman machine rm -f` would cause a deadlock when running with WSL.
- Fixed `database is locked` errors with the new sqlite database backend (#20809).
- Fixed a bug where `podman-remote exec` would fail if the server API version is older than 4.8.0 (#20821).
- Fixed a bug where Podman would not run any command on systems with a symlinked $HOME (#20872).
v4.8.0
Features
- Podman machine now supports HyperV as a provider on Windows. This option can be set via the `CONTAINERS_MACHINE_PROVIDER` environment variable, or via containers.conf. HyperV requires Powershell to be run as Admin. Note that running WSL and HyperV machines at the same time is not supported.
- The `podman build` command now supports Containerfiles with heredoc syntax.
- The `podman login` and `podman logout` commands now support a new option, `--compat-auth-file`, which allows for editing Docker-compatible config files (#18617).
- The `podman machine init` and `podman machine set` commands now support a new option, `--usb`, which allows USB passthrough for the QEMU provider (#16707).
- The `--ulimit` option now supports setting -1 to indicate the maximum limit allowed for the current process (#19319).
- The `podman play kube` command now supports the `BUILDAH_ISOLATION` environment variable to change build isolation when the `--build` option is set (#20024).
- The `podman volume create` command now supports `--opt o=size=XYZ` on tmpfs file systems (#20449).
- The `podman info` command for remote calls now reports client information even if the remote connection is unreachable.
- Added a new field, `privileged`, to containers.conf, which sets the default for the `--privileged` flag when creating, running or exec'ing into a container.
- The `podman kube play` command now supports setting DefaultMode for volumes (#19313).
- The `--opt` option to the `podman network create` command now accepts a new driver-specific option, `vrf`, which assigns a VRF to the bridge interface.
- A new option `--rdt-class=COS` has been added to the `podman create` and `podman run` commands that enables assigning a container to a Class Of Service (COS). The COS has to be pre-configured based on a pseudo-filesystem created by the resctrl kernel driver that enables interacting with the Intel RDT CAT feature.
- The `podman kube play` command now supports a new option, `--publish-all`, which exposes all containerPorts on the host.
- The `--filter` option now supports `label!=`, which filters for containers without the specified label.
Upcoming Deprecations
- We are beginning development on Podman 5.0, which will include a number of breaking changes and deprecations. We are still finalizing what will be done, but a preliminary list is below. Please note that none of these changes are present in Podman 4.8; this is a preview of upcoming changes.
- Podman 5.0 will deprecate the BoltDB database backend. Exact details on the transition to SQLite are still being decided - expect more news here soon.
- The containers.conf configuration file will be broken up into multiple separate files, ensuring that it will never be rewritten by Podman.
- Support for the CNI network backend and Cgroups V1 are being deprecated and gated by build tags. They will not be enabled in Podman builds by default.
- A variety of small breaking changes to the REST API are planned, both to improve Docker compatibility and to better support `containers.conf` settings when creating and managing containers.
Changes
- Podman now defaults to sqlite as its database backend. For backwards compatibility, if a boltdb database already exists on the system, Podman will continue using it.
- RHEL Subscriptions from the host now flow through to quay.io/podman/* images.
- The `--help` option to the `podman push` command now shows the compression algorithm used.
- The remote Podman client's `commit` command now shows progress messages (#19947).
- The `podman kube play` command now sets the pod hostname to the node/machine name when hostNetwork=true in k8s yaml (#19321).
- The `--tty,-t` option to the `podman exec` command now defines the TERM environment variable even if the container is not running with a terminal (#20334).
- Podman now also uses the `helper_binaries_dir` option in containers.conf to look up the init binary (catatonit).
- Podman healthcheck events are now logged as notices.
- Podman machines no longer automatically update, preventing accidental service interruptions (#20122).
- The amount of CPUs a podman machine uses now defaults to available cores/2 (#17066).
- Podman machine now prohibits using provider names as machine names. `applehv`, `qemu`, `wsl`, and `hyperv` are no longer valid Podman machine names.
Quadlet
- Quadlet now supports the `UIDMap`, `GIDMap`, `SubUIDMap`, and `SubGIDMap` options in .container files.
- Fixed a bug where symlinks were not resolved in search paths (#20504).
- Quadlet now supports the `ReadOnlyTmpfs` option.
- The VolatileTmpfs option is now deprecated.
- Quadlet now supports systemd specifiers in User and Group keys.
- Quadlet now supports `ImageName` for .image files.
- Quadlet now supports a new option, `--force`, to the stop command.
- Quadlet now supports the `oneshot` service type for .kube files, which allows yaml files without containers.
- Quadlet now supports podman level arguments (#20246).
- Fixed a bug where Quadlet would crash when specifying non key-value options (#20104).
- Quadlet now removes anonymous volumes when removing a container (#20070).
- Quadlet now supports a new unit type, `.image`.
Bugfixes
- Fixed a bug where mounted volumes on Podman machines on MacOS would have a max open files limit (#16106).
- Fixed a bug where setting both the `--uts` and `--network` options to `host` did not fill /etc/hostname with the host's name (#20448).
- Fixed a bug where the remote Podman client's `build` command would incorrectly parse https paths (#20475).
- Fixed a bug where running Docker Compose against a WSL podman machine would fail (#20373).
- Fixed a race condition where parallel tagging and untagging of images would fail (#17515).
- Fixed a bug where the `podman exec` command would leak sessions when the specified command does not exist (#20392).
- Fixed a bug where the `podman history` command did not display the size of certain layers (#20375).
- Fixed a bug where a container with a custom user namespace and `--restart always/on-failure` would not correctly clean up the netns on restart, resulting in leaked IPs and network namespaces (#18615).
- Fixed a bug where remote calls to the `podman top` command would incorrectly parse options (#19176).
- Fixed a bug where the `--read-only-tmpfs` option to the `podman run` command was incorrectly handled when the `--read-only` option was set (#20225).
- Fixed a bug where creating containers in parallel could cause a deadlock if both containers attempted to use the same named volume (#20313).
- Fixed a bug where a container restarted by the Podman service would occasionally not mount its storage (#17042).
- Fixed a bug where the `--filter` option to the `podman images` command would not correctly filter ids, digests, or intermediates (#19966).
- Fixed a bug where setting the `--replace` option to the `podman run` command would print both the old and new container ID. Now, only the new container ID is printed.
- Fixed a bug where the `podman machine ls` command would show Creation time as LastUp time for machines that have never been booted. Now, new machines show `Never`, with the json value being ZeroTime.
- Fixed a bug in the `podman build` command where the default pull policy was not set to `missing` (#20125).
- Fixed a bug where setting the static or volume directory in `containers.conf` would lead to cleanup errors (#19938).
- Fixed a bug where the `podman kube play` command exposed all containerPorts on the host (#17028).
- Fixed a bug where the `podman farm update` command did not verify farm and connection existence before updating (#20080).
- Fixed a bug where remote Podman calls would not honor the `--connection` option while the `CONTAINER_HOST` environment variable was set. The active destination was not resolved with the correct priority, that is, CLI flags, env vars, ActiveService from containers.conf, RemoteURI (#15588).
- Fixed a bug where the `--env-host` option was not honoring the default from containers.conf.
API
- Fixed a bug in the Compat Image Prune endpoint where the dangling filter was set twice (#20469).
- Fixed a bug in the Compat API where attempting to connect a container to a network while the connection already exists returned a 200 status code. It now correctly returns a 500 error code.
- Fixed a bug in the Compat API where some responses would not have compatible error details if progress data had not been sent yet (#20013).
- The Libpod Pull endpoint now supports a new option, compatMode which causes the streamed JSON payload to be identical to the Compat endpoint.
- Fixed a bug in the Libpod Container Create endpoint where it would return an incorrect status code if the image was not found. The endpoint now correctly returns 404.
- The Compat Network List endpoint should see a significant performance improvement (#20035).
Misc
- Updated Buildah to v1.33.2
- Updated the containers/storage library to v1.51.0
- Updated the containers/image library to v5.29.0
- Updated the containers/common library to v0.57.0
- Updated the containers/libhvee library to v0.5.0
- Podman Machine now runs with gvproxy v0.7.1
v4.7.2
Security
- Fixed GHSA-jq35-85cj-fj4p.
Bugfixes
- WSL: Fixed the `podman compose` command.
- Fixed a bug in `podman compose` to try all configured providers before throwing an error (#20502).
v4.7.1
Bugfixes
- Fixed a bug involving non-English locales of Windows where machine installs using user-mode networking were rejected due to erroneous version detection (#20209).
- Fixed a regression in --env-file handling (#19565).
- Fixed a bug where podman inspect would fail when stat'ing a device failed.
API
- The network list compat API endpoint is now much faster (#20035).
v4.7.0
Security
- Now the io.containers.capabilities LABEL in an image can be an empty string.
Features
- New command set: `podman farm [create,list,remove,update]` has been created to "farm" out builds to machines running Podman for different architectures.
- New command: `podman compose` as a thin wrapper around an external compose provider such as docker-compose or podman-compose.
- FreeBSD: `podman run --device` is now supported.
- Linux: Added a new `--module` flag for Podman.
- Podmansh: Timeout is now configurable using the `podmansh_timeout` option in containers.conf.
- SELinux: Added support for confined users to create containers but restrict them from creating privileged containers.
- WSL: Registers shared socket bindings on Windows, to allow other WSL distributions easy remote access (#15190).
- WSL: Enabling user-mode-networking on older WSL2 generations will now detect an error with upgrade guidance.
- The `podman build` command now supports two new options: `--layer-label` and `--cw`.
- The `podman kube generate` command now supports generation of the k8s DaemonSet kind (#18899).
- The `podman kube generate` and `podman kube play` commands now support the k8s `TerminationGracePeriodSeconds` field (RH BZ#2218061).
- The `podman kube generate` and `podman kube play` commands now support `securityContext.procMount: Unmasked` (#19881).
- The `podman generate kube` command now supports a `--podman-only` flag to allow podman-only reserved annotations to be used in the generated YAML file. These annotations cannot be used by Kubernetes.
- The `podman kube generate` command now supports a `--no-trunc` flag that supports YAML files with annotations longer than 63 characters. Warning: if an annotation is longer than 63 chars, then the generated yaml file is not Kubernetes compatible.
- An infra name annotation `io.podman.annotations.infra.name` is added in the generated yaml when the `pod create` command has `--infra-name` set. This annotation can also be used with `kube play` when wanting to customize the infra container name (#18312).
- The syntax of `--uidmap` and `--gidmap` has been extended to look up the parent user namespace and to extend default mappings (#18333).
- The `podman kube` commands now support the `List` kind (#19052).
- The `podman kube play` command now supports environment variables in kube.yaml (#15983).
- The `podman push` and `podman manifest push` commands now support the `--force-compression` option to prevent reusing other blobs (#18860).
- The `podman manifest push` command now supports `--add-compression` to push with compressed variants.
- The `podman manifest push` command now honors the `add_compression` field from containers.conf if `--add-compression` is not set.
- The `podman run` and `podman create --mount` commands now support the `ramfs` type (#19659).
- When running under systemd (e.g., via Quadlet), Podman will extend the start timeout in 30 second steps up to a maximum of 5 minutes when pulling an image.
- The `--add-host` option now accepts the special string `host-gateway` instead of an IP address, which will be mapped to the host IP address.
- The `podman generate systemd` command is deprecated. Use Quadlet for running containers and pods under systemd.
- The `podman secret rm` command now supports an `--ignore` option.
- The `--env-file` option now supports multiline variables (#18724).
- The `--read-only-tmpfs` flag now affects /dev and /dev/shm as well as /run, /tmp, /var/tmp (#12937).
- The Podman `--mount` option now supports bind mounts passed as globs.
- The `--mount` option can now be specified in containers.conf using the `mounts` field.
- The `podman stats` command now has an `--all` option to get all containers' stats (#19252).
- There is now a new `--sdnotify=healthy` policy where Podman sends the READY message once the container turns healthy (#6160).
- Temporary files created when dealing with images in `/var/tmp` will automatically be cleaned up on reboot.
- There is now a new filter option `since` for `podman volume ls` and `podman volume prune` (#19228).
- The `podman inspect` command now has tab-completion support (#18672).
- The `podman kube play` command now has support for the use of reserved annotations in the generated YAML.
- The progress bar is now displayed when decompressing a Podman machine image (#19240).
- The `podman secret inspect` command supports a new option `--showsecret` which will output the actual secret.
- The `podman secret create` command now supports a `--replace` option, which allows you to modify secrets without replacing containers.
- The `podman login` command can now read the secret for a registry from its secret database created with `podman secret create` (#18667).
- The remote Podman client's `podman play kube` command now works with the `--userns` option (#17392).
Changes
- The `/tmp` and `/var/tmp` inside of a `podman kube play` will no longer be `noexec`.
- The limit of inotify instances has been bumped from 128 to 524288 for podman machine (#19848).
- The `podman kube play` command has been improved to only pull a newer image for the "latest" tag (#19801).
- Pulling from an `oci` transport will use the optional name for naming the image.
- The `podman info` command will always display the existence of the Podman socket.
- The echo server example in socket_activation.md has been rewritten to use quadlet instead of `podman generate systemd`.
- The Kubernetes support table documentation now correctly shows volumes support.
- The `podman auto-update` manpage and documentation have been updated and now include references to Quadlet.
Quadlet
- Quadlet now supports setting Ulimit values.
- Quadlet now supports setting the PidsLimit option in a container.
- Quadlet unit files allow DNS field in Network group and DNS, DNSSearch, and DNSOption field in Container group (#19884).
- Quadlet now supports ShmSize option in unit files.
- Quadlet now recursively calls in user directories for unit files.
- Quadlet now allows the user to set the service working directory relative to the YAML or Unit files (#17177).
- Quadlet now allows setting user-defined names for `Volume` and `Network` units via the `VolumeName` and `NetworkName` directives, respectively.
- Kube quadlets can now support autoupdate.
Bugfixes
- Fixed an issue where containers were being restarted after a `podman kill`.
- Fixed a bug where events could report incorrect healthcheck results (#19237).
- Fixed a bug where running a container in a pod didn't fail if volumes or mounts were specified in the containers.conf file.
- Fixed a bug where pod cgroup limits were not being honored after a reboot (#19175).
- Fixed a bug where `podman rm -af` could fail to remove containers under some circumstances (#18874).
- Fixed a bug in rootless to clamp oom_score_adj to current value if it is too low (#19829).
- Fixed a bug where `--hostuser` was being parsed in base 8 instead of base 10 (#19800).
- Fixed a bug where `kube down` would error when an object did not exist (#19711).
- Fixed a bug where containers created via DOCKER API without specifying StopTimeout had StopTimeout defaulting to 0 seconds (#19139).
- Fixed a bug in `podman exec` to set umask to match the container it's execing into (#19713).
- Fixed a bug where `podman kube play` failed to set a container's Umask to the default `0022`.
- Fixed a bug to automatically reassign Podman's machine ssh port on Windows when it conflicts with in-use system ports (#19554).
- Fixed a bug where locales weren't passed to conmon correctly, resulting in a crash if some characters were specified over CLI (containers/common/#272).
- Fixed a bug where `podman top` would sometimes not print the full output (#19504).
- Fixed a bug where `podman logs --tail` could return incorrect lines when the k8s-file logger is used (#19545).
- Fixed a bug where `podman stop` did not ignore cidfile not existing when user specified --ignore flag (#19546).
- Fixed a bug where a container with an image volume and an inherited mount from the `--volumes-from` option that used the same path could not be created (#19529).
- Fixed a bug where `podman cp` via STDIN did not delete temporary files (#19496).
- Fixed a bug where Compatibility API did not accept timeout=-1 for stopping containers (#17542).
- Fixed a bug where `podman run --rmi` did not remove the container (#15640).
- Fixed a bug to recover from inconsistent podman-machine states with QEMU (#16054).
- Fixed a bug where CID Files on remote clients are not removed when container is removed (#19420).
- Fixed a bug in `podman inspect` to show a `.NetworkSettings.SandboxKey` path for containers created with --net=none (#16716).
- Fixed a concurrency bug in `podman machine start` using the QEMU provider (#18662).
- Fixed a bug in `podman run` and `podman create` where the command fails if the user specifies a non-existent authfile path (#18938).
- Fixed a bug where some distributions added extra quotes around the distribution name removed from `podman info` output (#19340).
- Fixed a crash validating --device argument for create and run (#19335).
- Fixed a bug where `.HostConfig.PublishAllPorts` always evaluates to `false` when inspecting a container created with `--publish-all`.
- Fixed a bug in `podman image trust` command to allow using the local policy.json file (#19073).
- Fixed a bug where the cgroup file system was not correctly mounted when running without a network namespace in rootless mode (#20073).
- Fixed a bug where the `--syslog` flag was not passed to the cleanup process.
API
- Fixed a bug with parsing of the pull query parameter for the compat /build endpoint (#17778).
Misc
- Updated Buildah to v1.32.0.
v4.6.2
Changes
- Fixed a performance issue when calculating diff sizes in overlay. The
podman system df
command should see a significant performance improvement (#19467).
Bugfixes
- Fixed a bug where containers in a pod would use the pod restart policy over the set container restart policy (#19671).
API
- Fixed a bug in the Compat Build endpoint where the pull query parameter did not parse 0/1 as a boolean (#17778).
Misc
- Updated the containers/storage library to v1.48.1
v4.6.1
Quadlet
- Quadlet now selects the first Quadlet file found when multiple Quadlets exist with the same name.
API
- Fixed a bug in the container kill endpoint to correctly return 409 when a container is not running (#19368).
Misc
- Updated Buildah to v1.31.2
- Updated the containers/common library to v0.55.3
v4.6.0
Features
- The `podman manifest inspect` command now supports the `--authfile` option, for authentication purposes.
- The `podman wait` command now supports `--condition={healthy,unhealthy}`, allowing waits on successful health checks.
- The `podman push` command now supports a new option, `--compression-level`, which specifies the compression level to use (#18939).
- The `podman machine start` command, when run with `--log-level=debug`, now creates a console window to display the virtual machine while booting.
- Podman now supports a new option, `--imagestore`, which allows images to be stored in a different directory than the graphroot.
- The `--ip-range` option to the `podman network create` command now accepts a new syntax, `<startIP>-<endIP>`, which allows more flexibility when limiting the ip range that Podman assigns.
- [Tech Preview] A new command, `podmansh`, has been added, which executes a user shell within a container when the user logs into the system. The container that the users get added to can be defined via a Podman Quadlet file. This feature is currently a `Tech Preview` which means it's ready for users to try out but changes can be expected in upcoming versions.
- The `podman network create` command supports a new `--option`, `bclim`, for the `macvlan` driver.
- The `podman network create` command now supports adding static routes using the `--route` option.
- The `podman network create` command supports a new `--option`, `no_default_route` for all drivers.
- The `podman info` command now prints network information about the binary path, package version, program version and DNS information (#18443).
- The `podman info` command now displays the number of free locks available, helping to debug lock exhaustion scenarios.
- The `podman info` command now outputs information about pasta, if it exists in helper_binaries_dir or $PATH.
- The remote Podman client’s `podman build` command now accepts Containerfiles that are not in the context directory (#18239).
- The remote Podman client’s `podman play kube` command now supports the `--configmap` option (#17513).
- The `podman kube play` command now supports multi-doc YAML files for configmap arguments (#18537).
- The `podman pod create` command now supports a new flag, `--restart`, which sets the restart policy for all the containers in a pod.
- The `--format={{.Restarts}}` option to the `podman ps` command now shows the number of times a container has been restarted based on its restart policy.
- The `--format={{.Restarts}}` option to the `podman pod ps` command now shows the total number of container restarts in a pod.
- The podman machine provider can now be specified via the `CONTAINERS_MACHINE_PROVIDER` environment variable, as well as via the `provider` field in `containers.conf` (#17116).
- A default list of pasta arguments can now be set in `containers.conf` via `pasta_options`.
- The `podman machine init` and `podman machine set` commands now support a new option, `--user-mode-networking`, which improves interops with VPN configs that drop traffic from WSL networking, on Windows.
- The remote Podman client’s `podman push` command now supports the `--digestfile` option (#18216).
- Podman now supports a new option, `--out`, that allows redirection or suppression of STDOUT (#18120).
Changes
- When looking up an image by digest, the entire repository of the specified value is now considered. This aligns with Docker's behavior since v20.10.20. Previously, both the repository and the tag were ignored and Podman looked for an image with only a matching digest. Ignoring the name, repository, and tag of the specified value can lead to security issues and is considered harmful.
- The `podman system service` command now emits a warning when binding to a TCP socket. This is not a secure configuration and the Podman team recommends against using it.
- The `podman top` command no longer depends on ps(1) being present in the container image and now uses the one from the host (#19001).
- The `--filter id=xxx` option will now treat `xxx` as a CID prefix, and not as a regular expression (#18471).
- The `--filter` option now requires multiple `--filter` flags to specify multiple filters. It will no longer support the comma syntax (`--filter label=a,label=b`).
- The `slirp4netns` binary will now be searched for in paths specified by the `helper_binaries_dir` option in `containers.conf` (#18239).
- Podman machine now updates `/run/docker.sock` within the guest to be consistent with its rootless/rootful setting (#18480).
- The `podman system df` command now counts files which podman generates for use with specific containers as part of the disk space used by those containers, and which can be reclaimed by removing those containers. It also counts space used by files it associates with specific images and volumes as being used by those images and volumes.
- The `podman build` command now returns a clearer error message when the Containerfile cannot be found (#16354).
- Containers created with `--pid=host` will no longer print errors on podman stop (#18460).
- The `podman manifest push` command no longer requires a destination to be specified. If a destination is not provided, the source is used as the destination (#18360).
- The `podman system reset` command now warns the user that the graphroot and runroot directories will be deleted (#18349), (#18295).
- The `package` and `package-install` targets in Makefile have now been fixed and also renamed to `rpm` and `rpm-install` respectively for clarity (#18817).
Quadlet
- Quadlet now exits with a non-zero exit code when errors are found (#18778).
- Rootless podman quadlet files can now be installed in `/etc/containers/systemd/users` directory.
- Quadlet now supports the `AutoUpdate` option.
- Quadlet now supports the `Mask` and `Unmask` options.
- Quadlet now supports the `WorkingDir` option, which specifies the default working dir in a container.
- Quadlet now supports the `Sysctl` option, which sets namespaced kernel parameters for containers (#18727).
- Quadlet now supports the `SecurityLabelNested=true` option, which allows nested SELinux containers.
- Quadlet now supports the `Pull` option in `.container` files (#18779).
- Quadlet now supports the `ExitCode` field in `.kube` files, which reflects the exit codes of failed containers.
- Quadlet now supports `PodmanArgs` field.
- Quadlet now supports the `HostName` field, which sets the container's host name, in `.container` files (#18486).
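The Quadlet keys listed in the v4.6.0 section above, together with the `Ulimit`, `PidsLimit`, `ShmSize`, `DNS`, `VolumeName` and `NetworkName` directives from the v4.7.0 Quadlet section, are easiest to judge side by side in a unit file. The following rootless example is added here and is not part of the release notes or of the podman project; the image reference, the `10.0.0.53` resolver, the `example.internal` search domain and the `/srv/echo` paths are placeholders. The three files would live in `~/.config/containers/systemd/` as `echo.container`, `echo.network` and `echo-data.volume`. From a hardening standpoint the interesting lines are `PidsLimit`, `Ulimit` and `Sysctl`, which bound what a compromised workload can consume or retune, and `Mask`, which hides host-derived paths from the container.

```ini
# ---- echo.container (added example, placeholders throughout) ----
[Unit]
Description=Echo service managed by Quadlet (example)

[Container]
# Placeholder image; AutoUpdate=registry (v4.6.0) opts it into podman auto-update
Image=registry.example.com/echo:latest
AutoUpdate=registry
# Pull only when the registry holds a newer image (v4.6.0 Pull= key)
Pull=newer
# Host name and default working directory inside the container (v4.6.0)
HostName=echo
WorkingDir=/srv/echo
# Resource bounds (v4.7.0 keys): cap process count, file descriptors, /dev/shm
PidsLimit=200
Ulimit=nofile=1024:4096
ShmSize=64m
# Namespaced kernel parameter for the container only (v4.6.0 Sysctl= key)
Sysctl=net.ipv4.ip_unprivileged_port_start=1024
# Hide a host-derived path; Unmask re-exposes one the default mask list covers (v4.6.0)
Mask=/proc/cpuinfo
Unmask=/sys/fs/cgroup
# Resolver settings in the Container group (v4.7.0 DNS/DNSSearch/DNSOption keys)
DNS=10.0.0.53
DNSSearch=example.internal
DNSOption=ndots:2
# Reference the sibling .network and .volume units by file name
Network=echo.network
Volume=echo-data.volume:/srv/echo/data
# Extra CLI flags passed straight through to podman run
PodmanArgs=--log-level=info

[Service]
Restart=on-failure

[Install]
WantedBy=default.target

# ---- echo.network (added example) ----
[Network]
# User-chosen name instead of the generated systemd-echo (v4.7.0 NetworkName= key)
NetworkName=echo-net
# DNS field in the Network group (v4.7.0)
DNS=10.0.0.53

# ---- echo-data.volume (added example) ----
[Volume]
# User-chosen name instead of the generated systemd-echo-data (v4.7.0 VolumeName= key)
VolumeName=echo-data
```

Quadlet does not accept trailing comments on the same line as a value, so every comment above sits on its own line. Before reloading, `/usr/libexec/podman/quadlet -dryrun -user` prints the generated `echo.service` (and the network and volume services) so the resulting `podman run` line can be checked; since v4.6.0 the generator exits non-zero on an unknown or malformed key, which is what makes a typo in `Ulimit=` or `Sysctl=` fail loudly at `systemctl --user daemon-reload` time rather than silently dropping the limit.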
Bugfixes
- Fixed a bug where the `podman machine start` command would fail with a 255 exit code. It now waits for systemd-user sessions to be up, and for SSH to be ready, addressing the flaky machine starts (#17403).
- Fixed a bug where the `podman auto update` command did not correctly use authentication files when contacting container registries.
- Fixed a bug where `--label` option to the `podman volume ls` command would return volumes that matched any of the filters, not all of them (#19219).
- Fixed a bug where the `podman kube play` command did not recognize containerPort names inside Kubernetes liveness probes. Now, liveness probes support both containerPort names as well as port numbers (#18645).
- Fixed a bug where the `--dns` option to the `podman run` command was ignored for macvlan networks (#19169).
- Fixed a bug in the `podman system service` command where setting LISTEN_FDS when listening on TCP would misbehave.
- Fixed a bug where hostnames were not recognized as a network alias. Containers can now resolve other hostnames, in addition to their names (#17370).
- Fixed a bug where the `podman pod run` command would error after a reboot on a non-systemd system (#19175).
- Fixed a bug where the `--syslog` option returned a fatal error when no syslog server was found (#19075).
- Fixed a bug where the `--moun
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.