275 KiB
		
	
	
	
	
	
			
		
		
	
	
			275 KiB
		
	
	
	
	
	
Release Notes
3.4.0
Features
- Pods now support init containers! Init containers are containers which run before the rest of the pod starts. There are two types of init containers: "always", which always run before the pod is started, and "once", which only run the first time the pod starts and are subsequently removed. They can be added using the podman createcommand's--init-ctroption.
- Support for init containers has also been added to podman play kubeandpodman generate kube- init containers contained in Kubernetes YAML will be created as Podman init containers, and YAML generated by Podman will include any init containers created.
- The podman play kubecommand now supports building images. If the--buildoption is given and a directory with the name of the specified image exists in the current working directory and contains a valid Containerfile or Dockerfile, the image will be built and used for the container.
- The podman play kubecommand now supports a new option,--teardown, which removes any pods and containers created by the given Kubernetes YAML.
- The podman generate kubecommand now generates annotations for SELinux mount options on volume (:zand:Z) that are respected by thepodman play kubecommand.
- A new command has been added, podman pod logs, to return logs for all containers in a pod at the same time.
- Two new commands have been added, podman volume export(to export a volume to a tar file) andpodman volume import) (to populate a volume from a given tar file).
- The podman auto-updatecommand now supports simple rollbacks. If a container fails to start after an automatic update, it will be rolled back to the previous image and restarted again.
- Pods now share their user namespace by default, and the podman pod createcommand now supports the--usernsoption. This allows rootless pods to be created with the--userns=keep-idoption.
- The podman pod pscommand now supports a new filter with its--filteroption,until, which returns pods created before a given timestamp.
- The podman image scpcommand has been added. This command allows images to be transferred between different hosts.
- The podman statscommand supports a new option,--interval, to specify the amount of time before the information is refreshed.
- The podman inspectcommand now includes ports exposed (but not published) by containers (e.g. ports from--exposewhen--publish-allis not specified).
- The podman inspectcommand now has a new boolean value,Checkpointed, which indicates that a container was stopped as a result of apodman container checkpointoperation.
- Volumes created by podman volume createnow support setting quotas when run atop XFS. Thesizeandinodeoptions allow the maximum size and maximum number of inodes consumed by a volume to be limited.
- The podman infocommand now outputs information on what log drivers, network drivers, and volume plugins are available for use (#11265).
- The podman infocommand now outputs the current log driver in use, and the variant and codename of the distribution in use.
- The parameters of the VM created by podman machine init(amount of disk space, memory, CPUs) can now be set incontainers.conf.
- The podman machine lscommand now shows additional information (CPUs, memory, disk size) about VMs managed bypodman machine.
- The podman pscommand now includes healthcheck status in container state for containers that have healthchecks (#11527).
Changes
- The podman buildcommand has a new alias,podman buildx, to improve compatibility with Docker. We have already added support for manydocker buildxflags topodman buildand aim to continue to do so.
- Cases where Podman is run without a user session or a writable temporary files directory will now produce better error messages.
- The default log driver has been changed from filetojournald. Thefiledriver did not properly support log rotation, so this should lead to a better experience. If journald is not available on the system, Podman will automatically revert to thefile.
- Podman no longer depends on ipfor removing networks (#11403).
- The deprecated --macvlanflag topodman network createnow warns when it is used. It will be removed entirely in the Podman 4.0 release.
- The podman machine startcommand now prints a message when the VM is successfully started.
- The podman statscommand can now be used on containers that are paused.
- The podman unsharecommand will now return the exit code of the command that was run in the user namespace (assuming the command was successfully run).
- Successful healthchecks will no longer add a healthyline to the system log to reduce log spam.
- As a temporary workaround for a lack of shortname prompts in the Podman remote client, VMs created by podman machinenow default to only using thedocker.ioregistry.
Bugfixes
- Fixed a bug where whitespace in the definition of sysctls (particularly default sysctls specified in containers.conf) would cause them to be parsed incorrectly.
- Fixed a bug where the Windows remote client improperly validated volume paths (#10900).
- Fixed a bug where the first line of logs from a container run with the journaldlog driver could be skipped.
- Fixed a bug where images created by podman commitdid not include ports exposed by the container.
- Fixed a bug where the podman auto-updatecommand would ignore theio.containers.autoupdate.authfilelabel when pulling images (#11171).
- Fixed a bug where the --workdiroption topodman createandpodman runcould not be set to a directory where a volume was mounted (#11352).
- Fixed a bug where systemd socket-activation did not properly work with systemd-managed Podman containers (#10443).
- Fixed a bug where environment variable secrets added to a container were not available to exec sessions launched in the container.
- Fixed a bug where rootless containers could fail to start the rootlessportport-forwarding service whenXDG_RUNTIME_DIRwas set to a long path.
- Fixed a bug where arguments to the --systemdoption topodman createandpodman runwere case-sensitive (#11387).
- Fixed a bug where the podman manifest rmcommand would also remove images referenced by the manifest, not just the manifest itself (#11344).
- Fixed a bug where the Podman remote client on OS X would not function properly if the TMPDIRenvironment variable was not set (#11418).
- Fixed a bug where the /etc/hostsfile was not guaranteed to contain an entry forlocalhost(this is still not guaranteed if--net=hostis used; such containers will exactly match the host's/etc/hosts) (#11411).
- Fixed a bug where the podman machine startcommand could print warnings about unsupported CPU features (#11421).
- Fixed a bug where the podman infocommand could segfault when accessing cgroup information.
- Fixed a bug where the podman logs -fcommand could hang when a container exited (#11461).
- Fixed a bug where the podman generate systemdcommand could not be used on containers that specified a restart policy (#11438).
- Fixed a bug where the remote Podman client's podman buildcommand would fail to build containers if the UID and GID on the client were higher than 65536 (#11474).
- Fixed a bug where the remote Podman client's podman buildcommand would fail to build containers if the context directory was a symlink (#11732).
- Fixed a bug where the --networkflag topodman play kubewas not properly parsed when a non-bridge network configuration was specified.
- Fixed a bug where the podman inspectcommand could error when the container being inspected was removed as it was being inspected (#11392).
- Fixed a bug where the podman play kubecommand ignored the default pod infra image specified incontainers.conf.
- Fixed a bug where the --formatoption topodman inspectwas nonfunctional under some circumstances (#8785).
- Fixed a bug where the remote Podman client's podman runandpodman execcommands could skip a byte of output every 8192 bytes (#11496).
- Fixed a bug where the podman statscommand would print nonsensical results if the container restarted while it was running (#11469).
- Fixed a bug where the remote Podman client would error when STDOUT was redirected on a Windows client (#11444).
- Fixed a bug where the podman runcommand could return 0 when the application in the container exited with 125 (#11540).
- Fixed a bug where containers with --restart=alwaysset using the rootlessport port-forwarding service could not be restarted automatically.
- Fixed a bug where the --cgroups=splitoption topodman createandpodman runwas silently discarded if the container was part of a pod.
- Fixed a bug where the podman container runlabelcommand could fail if the image name given included a tag.
- Fixed a bug where Podman could add an extra 127.0.0.1entry to/etc/hostsunder some circumstances (#11596).
- Fixed a bug where the remote Podman client's podman untagcommand did not properly handle tags including a digest (#11557).
- Fixed a bug where the --formatoption topodman psdid not properly support thetableargument for tabular output.
- Fixed a bug where the --filteroption topodman psdid not properly handle filtering by healthcheck status (#11687).
- Fixed a bug where the podman runandpodman start --attachcommands could race when retrieving the exit code of a container that had already been removed resulting in an error (e.g. by an externalpodman rm -f) (#11633).
- Fixed a bug where the podman generate kubecommand would add default environment variables to generated YAML.
- Fixed a bug where the podman generate kubecommand would add the default CMD from the image to generated YAML (#11672).
- Fixed a bug where the podman rm --storagecommand could fail to remove containers under some circumstances (#11207).
- Fixed a bug where the podman machine sshcommand could fail when run on Linux (#11731).
- Fixed a bug where the podman stopcommand would error when used on a container that was already stopped (#11740).
- Fixed a bug where renaming a container in a pod using the podman renamecommand, then removing the pod usingpodman pod rm, could cause Podman to believe the new name of the container was permanently in use, despite the container being removed (#11750).
API
- The Libpod Pull endpoint for Images now has a new query parameter, quiet, which (when set to true) suppresses image pull progress reports (#10612).
- The Compat Events endpoint now includes several deprecated fields from the Docker v1.21 API for improved compatibility with older clients.
- The Compat List and Inspect endpoints for Images now prefix image IDs with sha256:for improved Docker compatibility (#11623).
- The Compat Create endpoint for Containers now properly sets defaults for healthcheck-related fields (#11225).
- The Compat Create endpoint for Containers now supports volume options provided by the Mountsfield (#10831).
- The Compat List endpoint for Secrets now supports a new query parameter, filter, which allows returned results to be filtered.
- The Compat Auth endpoint now returns the correct response code (500 instead of 400) when logging into a registry fails.
- The Version endpoint now includes information about the OCI runtime and Conmon in use (#11227).
- Fixed a bug where the X-Registry-Config header was not properly handled, leading to errors when pulling images (#11235).
- Fixed a bug where invalid query parameters could cause a null pointer dereference when creating error messages.
- Logging of API requests and responses at trace level has been greatly improved, including the addition of an X-Reference-Id header to correlate requests and responses (#10053).
Misc
- Updated Buildah to v1.23.0
- Updated the containers/storage library to v1.36.0
- Updated the containers/image library to v5.16.0
- Updated the containers/common library to v0.44.0
3.3.1
Bugfixes
- Fixed a bug where unit files created by podman generate systemdcould not cleanup shut down containers when stopped bysystemctl stop(#11304).
- Fixed a bug where podman machinecommands would not properly locate thegvproxybinary in some circumstances.
- Fixed a bug where containers created as part of a pod using the --pod-id-fileoption would not join the pod's network namespace (#11303).
- Fixed a bug where Podman, when using the systemd cgroups driver, could sometimes leak dbus sessions.
- Fixed a bug where the untilfilter topodman logsandpodman eventswas improperly handled, requiring input to be negated (#11158).
- Fixed a bug where rootless containers using CNI networking run on systems using systemd-resolvedfor DNS would fail to start if resolved symlinked/etc/resolv.confto an absolute path (#11358).
API
- A large number of potential file descriptor leaks from improperly closing client connections have been fixed.
3.3.0
Features
- Containers inside VMs created by podman machinewill now automatically handle port forwarding - containers inpodman machineVMs that publish ports via--publishor--publish-allwill have these ports not just forwarded on the VM, but also on the host system.
- The podman play kubecommand's--networkoption now accepts advanced network options (e.g.--network slirp4netns:port_handler=slirp4netns) (#10807).
- The podman play kubecommand now supports Kubernetes liveness probes, which will be created as Podman healthchecks.
- Podman now provides a systemd unit, podman-restart.service, which, when enabled, will restart all containers that were started with--restart=alwaysafter the system reboots.
- Rootless Podman can now be configured to use CNI networking by default by using the rootless_networkingoption incontainers.conf.
- Images can now be pulled using image:tag@digestsyntax (e.g.podman pull fedora:34@sha256:1b0d4ddd99b1a8c8a80e885aafe6034c95f266da44ead992aab388e6aa91611a) (#6721).
- The podman container checkpointandpodman container restorecommands can now be used to checkpoint containers that are in pods, and restore those containers into pods.
- The podman container restorecommand now features a new option,--publish, to change the ports that are forwarded to a container that is being restored from an exported checkpoint.
- The podman container checkpointcommand now features a new option,--compress, to specify the compression algorithm that will be used on the generated checkpoint.
- The podman pullcommand can now pull multiple images at once (e.g.podman pull fedora:34 ubi8:latestwill pull both specified images).
- THe podman cpcommand can now copy files from one container into another directly (e.g.podman cp containera:/etc/hosts containerb:/etc/) (#7370).
- The podman cpcommand now supports a new option,--archive, which controls whether copied files will be chown'd to the UID and GID of the user of the destination container.
- The podman statscommand now provides two additional metrics: Average CPU, and CPU time.
- The podman pod createcommand supports a new flag,--pid, to specify the PID namespace of the pod. If specified, containers that join the pod will automatically share its PID namespace.
- The podman pod createcommand supports a new flag,--infra-name, which allows the name of the pod's infra container to be set (#10794).
- The podman auto-updatecommand has had its output reformatted - it is now much clearer what images were pulled and what containers were updated.
- The podman auto-updatecommand now supports a new option,--dry-run, which reports what would be updated but does not actually perform the update (#9949).
- The podman buildcommand now supports a new option,--secret, to mount secrets into build containers.
- The podman manifest removecommand now has a new alias,podman manifest rm.
- The podman logincommand now supports a new option,--verbose, to print detailed information about where the credentials entered were stored.
- The podman eventscommand now supports a new event,exec_died, which is produced when an exec session exits, and includes the exit code of the exec session.
- The podman system connection addcommand now supports adding connections that connect using thetcp://andunix://URL schemes.
- The podman system connection listcommand now supports a new flag,--format, to determine how the output is printed.
- The podman volume pruneandpodman volume lscommands'--filteroption now support a new filter,until, that matches volumes created before a certain time (#10579).
- The podman ps --filteroption'snetworkfilter now accepts a new value:container:, which matches containers that share a network namespace with a specific container (#10361).
- The podman diffcommand can now accept two arguments, allowing two images or two containers to be specified; the diff between the two will be printed (#10649).
- Podman can now optionally copy-up content from containers into volumes mounted into those containers earlier (at creation time, instead of at runtime) via the prepare_on_createoption incontainers.conf(#10262).
- A new option, --gpus, has been added topodman createandpodman runas a no-op for better compatibility with Docker. If the nvidia-container-runtime package is installed, GPUs should be automatically added to containers without using the flag.
- If an invalid subcommand is provided, similar commands to try will now be suggested in the error message.
Changes
- The podman system resetcommand now removes non-Podman (e.g. Buildah and CRI-O) containers as well.
- The new port forwarding offered by podman machinerequires gvproxy in order to function.
- Podman will now automatically create the default CNI network if it does not exist, for both root and rootless users. This will only be done once per user - if the network is subsequently removed, it will not be recreated.
- The install.cnimakefile option has been removed. It is no longer required to distribute the default87-podman.conflistCNI configuration file, as Podman will now automatically create it.
- The --rootoption to Podman will not automatically clear all default storage options when set. Storage options can be set manually using--storage-opt(#10393).
- The output of podman system connection listis now deterministic, with connections being sorted alpabetically by their name.
- The auto-update service (podman-auto-update.service) has had its default timer adjusted so it now starts at a random time up to 15 minutes after midnight, to help prevent system congestion from numerous daily services run at once.
- Systemd unit files generated by podman generate systemdnow depend onnetwork-online.targetby default (#10655).
- Systemd unit files generated by podman generate systemdnow useType=notifyby default, instead of using PID files.
- The podman infocommand's logic for detecting package versions on Gentoo has been improved, and should be significantly faster.
Bugfixes
- Fixed a bug where the podman play kubecommand did not perform SELinux relabelling of volumes specified with amountPaththat included the:zor:Zoptions (#9371).
- Fixed a bug where the podman play kubecommand would ignore theUSERandEXPOSEdirectives in images (#9609).
- Fixed a bug where the podman play kubecommand would only accept lowercase pull policies.
- Fixed a bug where named volumes mounted into containers with the :zor:Zoptions were not appropriately relabelled for access from the container (#10273).
- Fixed a bug where the podman logs -fcommand, with thejournaldlog driver, could sometimes fail to pick up the last line of output from a container (#10323).
- Fixed a bug where running podman rmon a container created with the--rmoption would occasionally emit an error message saying the container failed to be removed, when it was successfully removed.
- Fixed a bug where starting a Podman container would segfault if the LISTEN_PIDandLISTEN_FDSenvironment variables were set, butLISTEN_FDNAMESwas not (#10435).
- Fixed a bug where exec sessions in containers were sometimes not cleaned up when run without -dand when the associatedpodman execprocess was killed before completion.
- Fixed a bug where podman system servicecould, when run in a systemd unit file with sdnotify in use, drop some connections when it was starting up.
- Fixed a bug where containers run using the REST API using the slirp4netnsnetwork mode would leave zombie processes that were not cleaned up untilpodman system serviceexited (#9777).
- Fixed a bug where the podman system servicecommand would leave zombie processes after its initial launch that were not cleaned up until it exited (#10575).
- Fixed a bug where VMs created by podman machinecould not be started after the host system restarted (#10824).
- Fixed a bug where the podman pod pscommand would not show headers for optional information (e.g. container names when the--ctr-namesoption was given).
- Fixed a bug where the remote Podman client's podman createandpodman runcommands would ignore timezone configuration from the server'scontainers.conffile (#11124).
- Fixed a bug where the remote Podman client's podman buildcommand would only respect.containerignoreand not.dockerignorefiles (when both are present,.containerignorewill be preferred) (#10907).
- Fixed a bug where the remote Podman client's podman buildcommand would fail to send the Dockerfile being built to the server when it was excluded by the.dockerignorefile, resulting in an error (#9867).
- Fixed a bug where the remote Podman client's podman buildcommand could unexpectedly stop streaming the output of the build (#10154).
- Fixed a bug where the remote Podman client's podman buildcommand would fail to build when run on Windows (#11259).
- Fixed a bug where the podman manifest createcommand accepted at most two arguments (an arbitrary number of images are allowed as arguments, which will be added to the manifest).
- Fixed a bug where named volumes would not be properly chowned to the UID and GID of the directory they were mounted over when first mounted into a container (#10776).
- Fixed a bug where named volumes created using a volume plugin would be removed from Podman, even if the plugin reported a failure to remove the volume (#11214).
- Fixed a bug where the remote Podman client's podman exec -icommand would hang when input was provided via shell redirection (e.g.podman --remote exec -i foo cat <<<"hello") (#7360).
- Fixed a bug where containers created with --rmwere not immediately removed after being started bypodman startif they failed to start (#10935).
- Fixed a bug where the --storage-optflag topodman createandpodman runwas nonfunctional (#10264).
- Fixed a bug where the --device-cgroup-ruleoption topodman createandpodman runwas nonfunctional (#10302).
- Fixed a bug where the --tls-verifyoption topodman manifest pushwas nonfunctional.
- Fixed a bug where the podman importcommand could, in some circumstances, produce empty images (#10994).
- Fixed a bug where images pulled using the docker-daemon:transport had the wrong registry (localhostinstead ofdocker.io/library) (#10998).
- Fixed a bug where operations that pruned images (podman image pruneandpodman system prune) would prune untagged images with children (#10832).
- Fixed a bug where dual-stack networks created by podman network createdid not properly auto-assign an IPv4 subnet when one was not explicitly specified (#11032).
- Fixed a bug where port forwarding using the rootlessportport forwarder would break when a network was disconnected and then reconnected (#10052).
- Fixed a bug where Podman would ignore user-specified SELinux policies for containers using the Kata OCI runtime, or containers using systemd as PID 1 (#11100).
- Fixed a bug where Podman containers created using --net=hostwould add an entry to/etc/hostsfor the container's hostname pointing to127.0.1.1(#10319).
- Fixed a bug where the podman unpause --allcommand would throw an error for every container that was not paused (#11098).
- Fixed a bug where timestamps for the sinceanduntilfilters using Unix timestamps with a nanoseconds portion could not be parsed (#11131).
- Fixed a bug where the podman infocommand would sometimes print the wrong path for theslirp4netnsbinary.
- Fixed a bug where rootless Podman containers joined to a CNI network would not have functional DNS when the host used systemd-resolved without the resolved stub resolver being enabled (#11222).
- Fixed a bug where podman network connectandpodman network disconnectof rootless containers could sometimes break port forwarding to the container (#11248).
- Fixed a bug where joining a container to a CNI network by ID and adding network aliases to this network would cause the container to fail to start (#11285).
API
- Fixed a bug where the Compat List endpoint for Containers included healthcheck information for all containers, even those that did not have a configured healthcheck.
- Fixed a bug where the Compat Create endpoint for Containers would fail to create containers with the NetworkModeparameter set todefault(#10569).
- Fixed a bug where the Compat Create endpoint for Containers did not properly handle healthcheck commands (#10617).
- Fixed a bug where the Compat Wait endpoint for Containers would always send an empty string error message when no error occurred.
- Fixed a bug where the Libpod Stats endpoint for Containers would not error when run on rootless containers on cgroups v1 systems (nonsensical results would be returned, as this configuration cannot be supportable).
- Fixed a bug where the Compat List endpoint for Images omitted the ContainerConfigfield (#10795).
- Fixed a bug where the Compat Build endpoint for Images was too strict when validating the Content-Typeheader, rejecting content that Docker would have accepted (#11022).
- Fixed a bug where the Compat Pull endpoint for Images could fail, but return a 200 status code, if an image name that could not be parsed was provided.
- Fixed a bug where the Compat Pull endpoint for Images would continue to pull images after the client disconnected.
- Fixed a bug where the Compat List endpoint for Networks would fail for non-bridge (e.g. macvlan) networks (#10266).
- Fixed a bug where the Libpod List endpoint for Networks would return nil, instead of an empty list, when no networks were present (#10495).
- The Compat and Libpod Logs endpoints for Containers now support the untilquery parameter (#10859).
- The Compat Import endpoint for Images now supports the platform,message, andrepoquery parameters.
- The Compat Pull endpoint for Images now supports the platformquery parameter.
Misc
- Updated Buildah to v1.22.3
- Updated the containers/storage library to v1.34.1
- Updated the containers/image library to v5.15.2
- Updated the containers/common library to v0.42.1
3.2.3
Security
- This release addresses CVE-2021-3602, an issue with the podman buildcommand with the--isolation chrootflag that results in environment variables from the host leaking into build containers.
Bugfixes
- Fixed a bug where events related to images could occur before the relevant operation had completed (e.g. an image pull event could be written before the pull was finished) (#10812).
- Fixed a bug where podman savewould refuse to save images with an architecture different from that of the host (#10835).
- Fixed a bug where the podman importcommand did not correctly handle images without tags (#10854).
- Fixed a bug where Podman's journald events backend would fail and prevent Podman from running when run on a host with systemd as PID1 but in an environment (e.g. a container) without systemd (#10863).
- Fixed a bug where containers using rootless CNI networking would fail to start when the dnsnameCNI plugin was in use and the host system's/etc/resolv.confwas a symlink (#10855 and #10929).
- Fixed a bug where containers using rootless CNI networking could fail to start due to a race in rootless CNI initialization (#10930).
Misc
- Updated Buildah to v1.21.3
- Updated the containers/common library to v0.38.16
3.2.2
Changes
- Podman's handling of the Architecture field of images has been relaxed. Since 3.2.0, Podman required that the architecture of the image match the architecture of the system to run containers based on an image, but images often incorrectly report architecture, causing Podman to reject valid images (#10648 and #10682).
- Podman no longer uses inotify to monitor for changes to CNI configurations. This removes potential issues where Podman cannot be run because a user has exhausted their available inotify sessions (#10686).
Bugfixes
- Fixed a bug where the podman cpwould, when given a directory as its source and a target that existed and was a file, copy the contents of the directory into the parent directory of the file; this now results in an error.
- Fixed a bug where the podman logscommand would, when following a running container's logs, not include the last line of output from the container when it exited when thek8s-filedriver was in use (#10675).
- Fixed a bug where Podman would fail to run containers if systemd-resolvedwas incorrectly detected as the system's DNS server (#10733).
- Fixed a bug where the podman exec -tcommand would only resize the exec session's TTY after the session started, leading to a race condition where the terminal would initially not have a size set (#10560).
- Fixed a bug where Podman containers using the slirp4netnsnetwork mode would add an incorrect entry to/etc/hostspointing the container's hostname to the wrong IP address.
- Fixed a bug where Podman would create volumes specified by images with incorrect permissions (#10188 and #10606).
- Fixed a bug where Podman would not respect the uidandgidoptions topodman volume create -o(#10620).
- Fixed a bug where the podman runcommand could panic when parsing the system's cgroup configuration (#10666).
- Fixed a bug where the remote Podman client's podman build -f - ...command did not read a Containerfile from STDIN (#10621).
- Fixed a bug where the podman container restore --importcommand would fail to restore checkpoints created from privileged containers (#10615).
- Fixed a bug where Podman was not respecting the TMPDIRenvironment variable when pulling images (#10698).
- Fixed a bug where a number of Podman commands did not properly support using Go templates as an argument to the --formatoption.
API
- Fixed a bug where the Compat Inspect endpoint for Containers did not include information on container healthchecks (#10457).
- Fixed a bug where the Libpod and Compat Build endpoints for Images did not properly handle the devicesquery parameter (#10614).
Misc
- Fixed a bug where the Makefile's make podman-remote-statictarget to build a statically-linkedpodman-remotebinary was instead producing dynamic binaries (#10656).
- Updated the containers/common library to v0.38.11
3.2.1
Changes
- Podman now allows corrupt images (e.g. from restarting the system during an image pull) to be replaced by a podman pullof the same image (instead of requiring they be removed first, then re-pulled).
Bugfixes
- Fixed a bug where Podman would fail to start containers if a Seccomp profile was not available at /usr/share/containers/seccomp.json(#10556).
- Fixed a bug where the podman machine startcommand failed on OS X machines with the AMD64 architecture and certain QEMU versions (#10555).
- Fixed a bug where Podman would always use the slow path for joining the rootless user namespace.
- Fixed a bug where the podman statscommand would fail on Cgroups v1 systems when run on a container running systemd (#10602).
- Fixed a bug where pre-checkpoint support for podman container checkpointdid not function correctly.
- Fixed a bug where the remote Podman client's podman buildcommand did not properly handle the-foption (#9871).
- Fixed a bug where the remote Podman client's podman runcommand would sometimes not resize the container's terminal before execution began (#9859).
- Fixed a bug where the --filteroption to thepodman image prunecommand was nonfunctional.
- Fixed a bug where the podman logs -fcommand would exit before all output for a container was printed when thek8s-filelog driver was in use (#10596).
- Fixed a bug where Podman would not correctly detect that systemd-resolved was in use on the host and adjust DNS servers in the container appropriately under some circumstances (#10570).
- Fixed a bug where the podman network connectandpodman network disconnectcommands acted improperly when containers were in the Created state, marking the changes as done but not actually performing them.
API
- Fixed a bug where the Compat and Libpod Prune endpoints for Networks returned null, instead of an empty array, when nothing was pruned.
- Fixed a bug where the Create API for Images would continue to pull images even if a client closed the connection mid-pull (#7558).
- Fixed a bug where the Events API did not include some information (including labels) when sending events.
- Fixed a bug where the Events API would, when streaming was not requested, send at most one event (#10529).
Misc
- Updated the containers/common library to v0.38.9
3.2.0
Features
- Docker Compose is now supported with rootless Podman (#9169).
- The podman network connect,podman network disconnect, andpodman network reloadcommands have been enabled for rootless Podman.
- An experimental new set of commands, podman machine, was added to assist in managing virtual machines containing a Podman server. These are intended for easing the use of Podman on OS X by handling the creation of a Linux VM for running Podman.
- The podman generate kubecommand can now be run on Podman named volumes (generatingPersistentVolumeClaimYAML), in addition to pods and containers.
- The podman play kubecommand now supports two new options,--ipand--mac, to set static IPs and MAC addresses for created pods (#8442 and #9731).
- The podman play kubecommand's support forPersistentVolumeClaimYAML has been greatly improved.
- The podman generate kubecommand now preserves the label used bypodman auto-updateto identify containers to update as a Kubernetes annotation, and thepodman play kubecommand will convert this annotation back into a label. This allowspodman auto-updateto be used with containers created bypodman play kube.
- The podman play kubecommand now supports KubernetessecretRefYAML (using the secrets support frompodman secret) for environment variables.
- Secrets can now be added to containers as environment variables using the type=envoption to the--secretflag topodman createandpodman run.
- The podman startcommand now supports the--alloption, allowing all containers to be started simultaneously with a single command. The--filteroption has also been added to filter which containers to start when--allis used.
- Filtering containers with the --filteroption topodman psandpodman startnow supports a new filter,restart-policy, to filter containers based on their restart policy.
- The --group-addoption to rootlesspodman runandpodman createnow accepts a new value,keep-groups, which instructs Podman to retain the supplemental groups of the user running Podman in the created container. This is only supported with thecrunOCI runtime.
- The podman runandpodman createcommands now support a new option,--timeout. This sets a maximum time the container is allowed to run, after which it is killed (#6412).
- The podman runandpodman createcommands now support a new option,--pidfile. This will create a file when the container is started containing the PID of the first process in the container.
- The podman runandpodman createcommands now support a new option,--requires. The--requiresoption adds dependency containers - containers that must be running before the current container. Commands likepodman startwill automatically start the requirements of a container before starting the container itself.
- Auto-updating containers can now be done with locally-built images, not just images hosted on a registry, by creating containers with the io.containers.autoupdatelabel set tolocal.
- Podman now supports the Container Device Interface (CDI) standard.
- Podman now adds an entry to /etc/hosts,host.containers.internal, pointing to the current gateway (which, for root containers, is usually a bridge interface on the host system) (#5651).
- The podman ps,podman pod ps,podman network list,podman secret list, andpodman volume listcommands now support a--noheadingoption, which will cause Podman to omit the heading line including column names.
- The podman unsharecommand now supports a new flag,--rootless-cni, to join the rootless network namespace. This allows commands to be run in the same network environment as rootless containers with CNI networking.
- The --security-opt unmask=option topodman runandpodman createnow supports glob operations to unmask a group of paths at once (e.g.podman run --security-opt unmask=/proc/* ...will unmask all paths in/procin the container).
- The podman network prunecommand now supports a--filteroption to filter which networks will be pruned.
Changes
- The change in Podman 3.1.2 where the :zand:Zmount options for volumes were ignored for privileged containers has been reverted after discussion in #10209.
- Podman's rootless CNI functionality no longer requires a sidecar container! The removal of the requirement for the rootless-cni-infracontainer means that rootless CNI is now usable on all architectures, not just AMD64, and no longer requires pulling an image (#8709).
- The Image handling code used by Podman has seen a major rewrite to improve code sharing with our other projects, Buildah and CRI-O. This should result in fewer bugs and performance gains in the long term. Work on this is still ongoing.
- The podman auto-updatecommand now prunes previous versions of images after updating if they are unused, to prevent disk exhaustion after repeated updates (#10190).
- The podman play kubenow treats environment variables configured as references to aConfigMapas mandatory unless theoptionalparameter was set; this better matches the behavior of Kubernetes.
- Podman now supports the --context=defaultflag from Docker as a no-op for compatibility purposes.
- When Podman is run as root, but without CAP_SYS_ADMINbeing available, it will run in a user namespace using the same code as rootless Podman (instead of failing outright).
- The podman infocommand now includes the path of the Seccomp profile Podman is using, available cgroup controllers, and whether Podman is connected to a remote service or running containers locally.
- Containers created with the --rmoption now automatically use thevolatilestorage flag when available for their root filesystems, causing them not to write changes to disk as often as they will be removed at completion anyways. This should result in improved performance.
- The podman generate systemd --newcommand will now include environment variables referenced by the container in generated unit files if the value would be looked up from the system environment.
- Podman now requires that Conmon v2.0.24 be available.
Bugfixes
- Fixed a bug where the remote Podman client's podman buildcommand did not support the--arch,--platform, and--os, options.
- Fixed a bug where the remote Podman client's podman buildcommand ignored the--rm=falseoption (#9869).
- Fixed a bug where the remote Podman client's podman build --iidfilecommand could include extra output (in addition to just the image ID) in the image ID file written (#10233).
- Fixed a bug where the remote Podman client's podman buildcommand did not preserve hardlinks when moving files into the container viaCOPYinstructions (#9893).
- Fixed a bug where the podman generate systemd --newcommand could generate extra--iidfilearguments if the container was already created with one.
- Fixed a bug where the podman generate systemd --newcommand would generate unit files that did not includeRequiresMountsForlines (#10493).
- Fixed a bug where the podman generate kubecommand produced incorrect YAML for containers which bind-mounted both/and/rootfrom the host system into the container (#9764).
- Fixed a bug where pods created by podman play kubefrom YAML that specifiedShareProcessNamespacewould only share the PID namespace (and not also the UTS, Network, and IPC namespaces) (#9128).
- Fixed a bug where the podman network reloadcommand could generate spurious error messages wheniptables-nftwas in use.
- Fixed a bug where rootless Podman could fail to attach to containers when the user running Podman had a large UID.
- Fixed a bug where the podman pscommand could fail with ano such containererror due to a race condition with container removal (#10120).
- Fixed a bug where containers using the slirp4netnsnetwork mode and setting a customslirp4netnssubnet while using therootlesskitport forwarder would not be able to forward ports (#9828).
- Fixed a bug where the --filter ancestor=option topodman psdid not require an exact match of the image name/ID to include a container in its results.
- Fixed a bug where the --filter until=option topodman image prunewould prune images created after the specified time (instead of before).
- Fixed a bug where setting a custom Seccomp profile via the seccomp_profileoption incontainers.confhad no effect, and the default profile was used instead.
- Fixed a bug where the --cgroup-parentoption topodman createandpodman runwas ignored in rootless Podman on cgroups v2 systems with thecgroupfscgroup manager (#10173).
- Fixed a bug where the IMAGEandNAMEvariables inpodman container runlabelwere not being correctly substituted (#10192).
- Fixed a bug where Podman could freeze when creating containers with a specific combination of volumes and working directory (#10216).
- Fixed a bug where rootless Podman containers restarted by restart policy (e.g. containers created with --restart=always) would lose networking after being restarted (#8047).
- Fixed a bug where the podman cpcommand could not copy files into containers created with the--pid=hostflag (#9985).
- Fixed a bug where filters to the podman eventscommand could not be specified twice (if a filter is specified more than once, it will match if any of the given values match - logical or) (#10507).
- Fixed a bug where Podman would include IPv6 nameservers in resolv.confin containers without IPv6 connectivity (#10158).
- Fixed a bug where containers could not be created with static IP addresses when connecting to a network using the macvlandriver (#10283).
API
- Fixed a bug where the Compat Create endpoint for Containers did not allow advanced network options to be set (#10110).
- Fixed a bug where the Compat Create endpoint for Containers ignored static IP information provided in the IPAMConfigblock (#10245).
- Fixed a bug where the Compat Inspect endpoint for Containers returned null (instead of an empty list) for Networks when the container was not joined to a CNI network (#9837).
- Fixed a bug where the Compat Wait endpoint for Containers could miss containers exiting if they were immediately restarted.
- Fixed a bug where the Compat Create endpoint for Volumes required that the user provide a name for the new volume (#9803).
- Fixed a bug where the Libpod Info handler would sometimes not return the correct path to the Podman API socket.
- Fixed a bug where the Compat Events handler used the wrong name for container exited events (diedinstead ofdie) (#10168).
- Fixed a bug where the Compat Push endpoint for Images could leak goroutines if the remote end closed the connection prematurely.
Misc
- Updated Buildah to v1.21.0
- Updated the containers/common library to v0.38.5
- Updated the containers/storage library to v1.31.3
3.1.2
Bugfixes
- The Compat Export endpoint for Images now supports exporting multiple images at the same time to a single archive.
- Fixed a bug where images with empty layers were stored incorrectly, causing them to be unable to be pushed or saved.
- Fixed a bug where the podman rmicommand could fail to remove corrupt images from storage.
- Fixed a bug where the remote Podman client's podman savecommand did not support theoci-diranddocker-dirformats (#9742).
- Fixed a bug where volume mounts from podman play kubecreated with a trailing/in the container path were were not properly superseding named volumes from the image (#9618).
- Fixed a bug where Podman could fail to build on 32-bit architectures.
Misc
- Updated the containers/image library to v5.11.1
3.1.1
Changes
- Podman now recognizes traceas a valid argument to the--log-levelcommand. Trace logging is now the most verbose level of logging available.
- The :zand:Zoptions for volume mounts are now ignored when the container is privileged or is run with SELinux isolation disabled (--security-opt label=disable). This matches better matches Docker's behavior in this case.
Bugfixes
- Fixed a bug where pruning images with the podman image pruneorpodman system prunecommands could cause Podman to panic.
- Fixed a bug where the podman savecommand did not properly error when the--compressflag was used with incompatible format types.
- Fixed a bug where the --security-optand--ulimitoptions to the remote Podman client'spodman buildcommand were nonfunctional.
- Fixed a bug where the --log-rusageoption to the remote Podman client'spodman buildcommand was nonfunctional (#9489).
- Fixed a bug where the podman buildcommand could, in some circumstances, use the wrong OCI runtime (#9459).
- Fixed a bug where the remote Podman client's podman buildcommand could return 0 despite failing (#10029).
- Fixed a bug where the podman container runlabelcommand did not properly expand theIMAGEandNAMEvariables in the label (#9405).
- Fixed a bug where poststop OCI hooks would be executed twice on containers started with the --rmargument (#9983).
- Fixed a bug where rootless Podman could fail to launch containers on cgroups v2 systems when the cgroupfscgroup manager was in use.
- Fixed a bug where the podman statscommand could error when statistics tracked exceeded the maximum size of a 32-bit signed integer (#9979).
- Fixed a bug where rootless Podman containers run with --userns=keepid(without a--userflag in addition) would grant exec sessions run in them too many capabilities (#9919).
- Fixed a bug where the --authfileoption topodman builddid not validate that the path given existed (#9572).
- Fixed a bug where the --storage-optoption to Podman was appending to, instead of overriding (as is documented), the default storage options.
- Fixed a bug where the podman system serviceconnection did not function properly when run in a socket-activated systemd unit file as a non-root user.
- Fixed a bug where the --networkoption to thepodman play kubecommand of the remote Podman client was being ignored (#9698).
- Fixed a bug where the --log-driveroption to thepodman play kubecommand was nonfunctional (#10015).
API
- Fixed a bug where the Libpod Create endpoint for Manifests did not properly validate the image the manifest was being created with.
- Fixed a bug where the Libpod DF endpoint could, in error cases, append an extra null to the JSON response, causing decode errors.
- Fixed a bug where the Libpod and Compat Top endpoint for Containers would return process names that included extra whitespace.
- Fixed a bug where the Compat Prune endpoint for Containers accepted too many types of filter.
Misc
- Updated Buildah to v1.20.1
- Updated the containers/storage library to v1.29.0
- Updated the containers/image library to v5.11.0
- Updated the containers/common library to v0.36.0
3.1.0
Features
- A set of new commands has been added to manage secrets! The podman secret create,podman secret inspect,podman secret lsandpodman secret rmcommands have been added to handle secrets, along with the--secretoption topodman runandpodman createto add secrets to containers. The initial driver for secrets does not support encryption - this will be added in a future release.
- A new command to prune networks, podman network prune, has been added (#8673).
- The -voption topodman runandpodman createnow supports a new volume option,:U, to chown the volume's source directory on the host to match the UID and GID of the container and prevent permissions issues (#7778).
- Three new commands, podman network exists,podman volume exists, andpodman manifest exists, have been added to check for the existence of networks, volumes, and manifest lists.
- The podman cpcommand can now copy files into directories mounted astmpfsin a running container.
- The podman volume prunecommand will now list volumes that will be pruned when prompting the user whether to continue and perform the prune (#8913).
- The Podman remote client's podman buildcommand now supports the--disable-compression,--excludes, and--jobsoptions.
- The Podman remote client's podman pushcommand now supports the--formatoption.
- The Podman remote client's podman rmcommand now supports the--alland--ignoreoptions.
- The Podman remote client's podman searchcommand now supports the--no-truncand--list-tagsoptions.
- The podman play kubecommand can now read in Kubernetes YAML fromSTDINwhen-is specified as file name (podman play kube -), allowing input to be piped into the command for scripting (#8996).
- The podman generate systemdcommand now supports a--no-headeroption, which disables creation of the header comment automatically added by Podman to generated unit files.
- The podman generate kubecommand can now generatePersistentVolumeClaimYAML for Podman named volumes (#5788).
- The podman generate kubecommand can now generate YAML files containing multiple resources (pods or deployments) (#9129).
Security
- This release resolves CVE-2021-20291, a deadlock vulnerability in the storage library caused by pulling a specially-crafted container image.
Changes
- The Podman remote client's podman buildcommand no longer allows the-vflag to be used. Volumes are not yet supported with remote Podman when the client and service are on different machines.
- The podman killandpodman stopcommands now print the name given by the user for each container, instead of the full ID.
- When the --security-opt unmask=ALLor--security-opt unmask=/sys/fs/cgroupoptions topodman createorpodman runare given, Podman will mount cgroups into the container as read-write, instead of read-only (#8441).
- The podman rmicommand has been changed to better handle cases where an image is incomplete or corrupted, which can be caused by interrupted image pulls.
- The podman renamecommand has been improved to be more atomic, eliminating many race conditions that could potentially render a renamed container unusable.
- Detection of which OCI runtimes run using virtual machines and thus require custom SELinux labelling has been improved (#9582).
- The hidden --traceoption topodmanhas been turned into a no-op. It was used in very early versions for performance tracing, but has not been supported for some time.
- The podman generate systemdcommand now generatesRequiresMountsForlines to ensure necessary storage directories are mounted before systemd starts Podman.
- Podman will now emit a warning when --ttyand--interactiveare both passed, butSTDINis not a TTY. This will be made into an error in the next major Podman release some time next year.
Bugfixes
- Fixed a bug where rootless Podman containers joined to CNI networks could not receive traffic from forwarded ports (#9065).
- Fixed a bug where podman network createwith the--macvlanflag did not honor the--gateway,--subnet, and--optoptions (#9167).
- Fixed a bug where the podman generate kubecommand generated invalid YAML for privileged containers (#8897).
- Fixed a bug where the podman generate kubecommand could not be used with containers that were not running.
- Fixed a bug where the podman generate systemdcommand could duplicate some parameters to Podman in generated unit files (#9776).
- Fixed a bug where Podman did not add annotations specified in containers.confto containers.
- Foxed a bug where Podman did not respect the no_hostsdefault incontainers.confwhen creating containers.
- Fixed a bug where the --tail=0,--since, and--followoptions to thepodman logscommand did not function properly when using thejournaldlog backend.
- Fixed a bug where specifying more than one container to podman logswhen thejournaldlog backend was in use did not function correctly.
- Fixed a bug where the podman runandpodman createcommands would panic if a memory limit was set, but the swap limit was set to unlimited (#9429).
- Fixed a bug where the --networkoption topodman run,podman create, andpodman pod createwould error if the user attempted to specify CNI networks by ID, instead of name (#9451).
- Fixed a bug where Podman's cgroup handling for cgroups v1 systems did not properly handle cases where a cgroup existed on some, but not all, controllers, resulting in errors from the podman statscommand (#9252).
- Fixed a bug where the podman cpdid not properly handle cases where/dev/stdoutwas specified as the destination (it was treated identically to-) (#9362).
- Fixed a bug where the podman cpcommand would create files with incorrect ownership (#9526).
- Fixed a bug where the podman cpcommand did not properly handle cases where the destination directory did not exist.
- Fixed a bug where the podman cpcommand did not properly evaluate symlinks when copying out of containers.
- Fixed a bug where the podman rm -facommand would error when attempting to remove containers created with--rm(#9479).
- Fixed a bug where the ordering of capabilities was nondeterministic in the CapDropfield of the output ofpodman inspecton a container (#9490).
- Fixed a bug where the podman network connectcommand could be used with containers that were not initially connected to a CNI bridge network (e.g. containers created with--net=host) (#9496).
- Fixed a bug where DNS search domains required by the dnsnameCNI plugin were not being added to container'sresolv.confunder some circumstances.
- Fixed a bug where the --ignorefileoption topodman buildwas nonfunctional (#9570).
- Fixed a bug where the --timestampoption topodman buildwas nonfunctional (#9569).
- Fixed a bug where the --iidfileoption topodman buildcould cause Podman to panic if an error occurred during the build.
- Fixed a bug where the --dns-searchoption topodman buildwas nonfunctional (#9574).
- Fixed a bug where the --pull-neveroption topodman buildwas nonfunctional (#9573).
- Fixed a bug where the --build-argoption topodman buildwould, when given a key but not a value, error (instead of attempting to look up the key as an environment variable) (#9571).
- Fixed a bug where the --isolationoption topodman buildin the remote Podman client was nonfunctional.
- Fixed a bug where the podman network disconnectcommand could cause errors when the container that had a network removed was stopped and its network was cleaned up (#9602).
- Fixed a bug where the podman network rmcommand did not properly check what networks a container was present in, resulting in unexpected behavior ifpodman network connectorpodman network disconnecthad been used with the network (#9632).
- Fixed a bug where some errors with stopping a container could cause Podman to panic, and the container to be stuck in an unusable stoppingstate (#9615).
- Fixed a bug where the podman loadcommand could return 0 even in cases where an error occurred (#9672).
- Fixed a bug where specifying storage options to Podman using the --storage-optoption would override all storage options. Instead, storage options are now overridden only when the--storage-driveroption is used to override the current graph driver (#9657).
- Fixed a bug where containers created with --privilegedcould request more capabilities than were available to Podman.
- Fixed a bug where podman commitdid not use theTMPDIRenvironment variable to place temporary files created during the commit (#9825).
- Fixed a bug where remote Podman could error when attempting to resize short-lived containers (#9831).
- Fixed a bug where Podman was unusable on kernels built without CONFIG_USER_NS.
- Fixed a bug where the ownership of volumes created by podman volume createand then mounted into a container could be incorrect (#9608).
- Fixed a bug where Podman volumes using a volume plugin could not pass certain options, and could not be used as non-root users.
- Fixed a bug where the --tzoption topodman createandpodman rundid not properly validate its input.
API
- Fixed a bug where the X-Registry-Authheader did not acceptnullas a valid value.
- A new compat endpoint, /auth, has been added. This endpoint validates credentials against a registry (#9564).
- Fixed a bug where the compat Build endpoint for Images specified labels using the wrong type (array vs map). Both formats will be accepted now.
- Fixed a bug where the compat Build endpoint for Images did not report that it successfully tagged the built image in its response.
- Fixed a bug where the compat Create endpoint for Images did not provide progress information on pulling the image in its response.
- Fixed a bug where the compat Push endpoint for Images did not properly handle the destination (used a query parameter, instead of a path parameter).
- Fixed a bug where the compat Push endpoint for Images did not send the progress of the push and the digest of the pushed image in the response body.
- Fixed a bug where the compat List endpoint for Networks returned null, instead of an empty array ([]), when no networks were present (#9293).
- Fixed a bug where the compat List endpoint for Networks returned nulls, instead of empty maps, for networks that do not have Labels and/or Options.
- The Libpod Inspect endpoint for networks (/libpod/network/$ID/json) now has an alias at/libpod/network/$ID(#9691).
- Fixed a bug where the libpod Inspect endpoint for Networks returned a 1-size array of results, instead of a single result (#9690).
- The Compat List endpoint for Networks now supports the legacy format for filters in parallel with the current filter format (#9526).
- Fixed a bug where the compat Create endpoint for Containers did not properly handle tmpfs filesystems specified with options (#9511).
- Fixed a bug where the compat Create endpoint for Containers did not create bind-mount source directories (#9510).
- Fixed a bug where the compat Create endpoint for Containers did not properly handle the NanoCpusoption (#9523).
- Fixed a bug where the Libpod create endpoint for Containers has a misnamed field in its JSON.
- Fixed a bug where the compat List endpoint for Containers did not populate information on forwarded ports (#9553)
- Fixed a bug where the compat List endpoint for Containers did not populate information on container CNI networks (#9529).
- Fixed a bug where the compat and libpod Stop endpoints for Containers would ignore a timeout of 0.
- Fixed a bug where the compat and libpod Resize endpoints for Containers did not set the correct terminal sizes (dimensions were reversed) (#9756).
- Fixed a bug where the compat Remove endpoint for Containers would not return 404 when attempting to remove a container that does not exist (#9675).
- Fixed a bug where the compat Prune endpoint for Volumes would still prune even if an invalid filter was specified.
- Numerous bugs related to filters have been addressed.
Misc
- Updated Buildah to v1.20.0
- Updated the containers/storage library to v1.28.1
- Updated the containers/image library to v5.10.5
- Updated the containers/common library to v0.35.4
3.0.1
Changes
- Several frequently-occurring WARNlevel log messages have been downgraded toINFOorDEBUGto not clutter terminal output.
Bugfixes
- Fixed a bug where the Createdfield ofpodman ps --format=jsonwas formatted as a string instead of an Unix timestamp (integer) (#9315).
- Fixed a bug where failing lookups of individual layers during the podman imagescommand would cause the whole command to fail without printing output.
- Fixed a bug where --cgroups=splitdid not function properly on cgroups v1 systems.
- Fixed a bug where mounting a volume over an directory in the container that existed, but was empty, could fail (#9393).
- Fixed a bug where mounting a volume over a directory in the container that existed could copy the entirety of the container's rootfs, instead of just the directory mounted over, into the volume (#9415).
- Fixed a bug where Podman would treat the --entrypoint=[""]option topodman runandpodman createas a literal empty string in the entrypoint, when instead it should have been ignored (#9377).
- Fixed a bug where Podman would set the HOMEenvironment variable to""when the container ran as a user without an assigned home directory (#9378).
- Fixed a bug where specifying a pod infra image that had no tags (by using its ID) would cause podman pod createto panic (#9374).
- Fixed a bug where the --runtimeoption was not properly handled by thepodman buildcommand (#9365).
- Fixed a bug where Podman would incorrectly print an error message related to the remote API when the remote API was not in use and starting Podman failed.
- Fixed a bug where Podman would change ownership of a container's working directory, even if it already existed (#9387).
- Fixed a bug where the podman generate systemd --newcommand would incorrectly escape%twhen generating the path for the PID file (#9373).
- Fixed a bug where Podman could, when run inside a Podman container with the host's containers/storage directory mounted into the container, erroneously detect a reboot and reset container state if the temporary directory was not also mounted in (#9191).
- Fixed a bug where some options of the podman buildcommand (including but not limited to--jobs) were nonfunctional (#9247).
API
- Fixed a breaking change to the Libpod Wait API for Containers where the Conditions parameter changed type in Podman v3.0 (#9351).
- Fixed a bug where the Compat Create endpoint for Containers did not properly handle forwarded ports that did not specify a host port.
- Fixed a bug where the Libpod Wait endpoint for Containers could write duplicate headers after an error occurred.
- Fixed a bug where the Compat Create endpoint for Images would not pull images that already had a matching tag present locally, even if a more recent version was available at the registry (#9232).
- The Compat Create endpoint for Images has had its compatibility with Docker improved, allowing its use with the docker-javalibrary.
Misc
- Updated Buildah to v1.19.4
- Updated the containers/storage library to v1.24.6
3.0.0
Features
- Podman now features initial support for Docker Compose.
- Added the podman renamecommand, which allows containers to be renamed after they are created (#1925).
- The Podman remote client now supports the podman copycommand.
- A new command, podman network reload, has been added. This command will re-configure the network of all running containers, and can be used to recreate firewall rules lost when the system firewall was reloaded (e.g. viafirewall-cmd --reload).
- Podman networks now have IDs. They can be seen in podman network lsand can be used when removing and inspecting networks. Existing networks receive IDs automatically.
- Podman networks now also support labels. They can be added via the --labeloption tonetwork create, andpodman network lscan filter labels based on them.
- The podman network createcommand now supports setting bridge MTU and VLAN through the--optoption (#8454).
- The podman container checkpointandpodman container restorecommands can now checkpoint and restore containers that include volumes.
- The podman container checkpointcommand now supports the--with-previousand--pre-checkpointoptions, and thepodman container restorecommand now support the--import-previousoption. These add support for two-step checkpointing with lowered dump times.
- The podman pushcommand can now push manifest lists. Podman will first attempt to push as an image, then fall back to pushing as a manifest list if that fails.
- The podman generate kubecommand can now be run on multiple containers at once, and will generate a single pod containing all of them.
- The podman generate kubeandpodman play kubecommands now support Kubernetes DNS configuration, and will preserve custom DNS configuration when exporting or importing YAML (#9132).
- The podman generate kubecommand now properly supports generating YAML for containers and pods creating using host networking (--net=host) (#9077).
- The podman killcommand now supports a--cidfileoption to kill containers given a file containing the container's ID (#8443).
- The podman pod createcommand now supports the--net=noneoption (#9165).
- The podman volume createcommand can now specify volume UID and GID as options with theUIDandGIDfields passed to the the--optoption.
- Initial support has been added for Docker Volume Plugins. Podman can now define available plugins in containers.confand use them to create volumes withpodman volume create --driver.
- The podman runandpodman createcommands now support a new option,--platform, to specify the platform of the image to be used when creating the container.
- The --security-optoption topodman runandpodman createnow supports thesystempaths=unconfinedoption to unrestrict access to all paths in the container, as well asmaskandunmaskoptions to allow more granular restriction of container paths.
- The podman stats --formatcommand now supports a new format specified,MemUsageBytes, which prints the raw bytes of memory consumed by a container without human-readable formatting #8945.
- The podman pscommand can now filter containers based on what pod they are joined to via thepodfilter (#8512).
- The podman pod pscommand can now filter pods based on what networks they are joined to via thenetworkfilter.
- The podman pod pscommand can now print information on what networks a pod is joined to via the.Networksspecifier to the--formatoption.
- The podman system prunecommand now supports filtering what containers, pods, images, and volumes will be pruned.
- The podman volume prunecommands now supports filtering what volumes will be pruned.
- The podman system prunecommand now includes information on space reclaimed (#8658).
- The podman infocommand will now properly print information about packages in use on Gentoo and Arch systems.
- The containers.conffile now contains an option for disabling creation of a new kernel keyring on container creation (#8384).
- The podman image signcommand can now sign multi-arch images by producing a signature for each image in a given manifest list.
- The podman image signcommand, when run as rootless, now supports per-user registry configuration files in$HOME/.config/containers/registries.d.
- Configuration options for slirp4netnscan now be set system-wide via theNetworkCmdOptionsconfiguration option incontainers.conf.
- The MTU of slirp4netnscan now be configured via themtu=network command option (e.g.podman run --net slirp4netns:mtu=9000).
Security
- A fix for CVE-2021-20199 is included. Podman between v1.8.0 and v2.2.1 used 127.0.0.1as the source address for all traffic forwarded into rootless containers by a forwarded port; this has been changed to address the issue.
Changes
- Shortname aliasing support has now been turned on by default. All Podman commands that must pull an image will, if a TTY is available, prompt the user about what image to pull.
- The podman loadcommand no longer accepts aNAME[:TAG]argument. The presence of this argument broke CLI compatibility with Docker by makingdocker loadcommands unusable with Podman (#7387).
- The Go bindings for the HTTP API have been rewritten with a focus on limiting dependency footprint and improving extensibility. Read more here.
- The legacy Varlink API has been completely removed from Podman.
- The default log level for Podman has been changed from Error to Warn.
- The podman network createcommand can now createmacvlannetworks using the--driver macvlanoption for Docker compatibility. The existing--macvlanflag has been deprecated and will be removed in Podman 4.0 some time next year.
- The podman inspectcommand has had theLogPathandLogTagfields moved into theLogConfigstructure (from the root of the Inspect structure). The maximum size of the log file is also included.
- The podman generate systemdcommand no longer generates unit files using the deprecatedKillMode=noneoption (#8615).
- The podman stopcommand now releases the container lock while waiting for it to stop - as such, commands likepodman pswill no longer block untilpodman stopcompletes (#8501).
- Networks created with podman network create --internalno longer use thednsnameplugin. This configuration never functioned as expected.
- Error messages for the remote Podman client have been improved when it cannot connect to a Podman service.
- Error messages for podman runwhen an invalid SELinux is specified have been improved.
- Rootless Podman features improved support for containers with a single user mapped into the rootless user namespace.
- Pod infra containers now respect default sysctls specified in containers.confallowing for advanced configuration of the namespaces they will share.
- SSH public key handling for remote Podman has been improved.
Bugfixes
- Fixed a bug where the podman history --no-trunccommand would truncate theCreated Byfield (#9120).
- Fixed a bug where root containers that did not explicitly specify a CNI network to join did not generate an entry for the network in use in the Networksfield of the output ofpodman inspect(#6618).
- Fixed a bug where, under some circumstances, container working directories specified by the image (via the WORKDIRinstruction) but not present in the image, would not be created (#9040).
- Fixed a bug where the podman generate systemdcommand would generate invalid unit files if the container was creating using a command line that included doubled braces ({{and}}), e.g.--log-opt-tag={{.Name}}(#9034).
- Fixed a bug where the podman generate systemd --newcommand could generate unit files including invalid Podman commands if the container was created using merged short options (e.g.podman run -dt) (#8847).
- Fixed a bug where the podman generate systemd --newcommand could generate unit files that did not handle Podman commands including some special characters (e.g.$) (#9176
- Fixed a bug where rootless containers joining CNI networks could not set a static IP address (#7842).
- Fixed a bug where rootless containers joining CNI networks could not set network aliases (#8567).
- Fixed a bug where the remote client could, under some circumstances, not include the Containerfilewhen sending build context to the server (#8374).
- Fixed a bug where rootless Podman did not mount /sysas a newsysfsin some circumstances where it was acceptable.
- Fixed a bug where rootless containers that both joined a user namespace and a CNI networks would cause a segfault. These options are incompatible and now return an error.
- Fixed a bug where the podman play kubecommand did not properly handleCMDandARGSfrom images (#8803).
- Fixed a bug where the podman play kubecommand did not properly handle environment variables from images (#8608).
- Fixed a bug where the podman play kubecommand did not properly print errors that occurred when starting containers.
- Fixed a bug where the podman play kubecommand errored whenhostNetworkwas used (#8790).
- Fixed a bug where the podman play kubecommand would always pull images when the:latesttag was specified, even if the image was available locally (#7838).
- Fixed a bug where the podman play kubecommand did not properly handle SELinux configuration, rending YAML with custom SELinux configuration unusable (#8710).
- Fixed a bug where the podman generate kubecommand incorrectly populated theargsandcommandfields of generated YAML (#9211).
- Fixed a bug where containers in a pod would create a duplicate entry in the pod's shared /etc/hostsfile every time the container restarted (#8921).
- Fixed a bug where the podman search --list-tagscommand did not support the--formatoption (#8740).
- Fixed a bug where the http_proxyoption incontainers.confwas not being respected, and instead was set unconditionally to true (#8843).
- Fixed a bug where rootless Podman could, on systems with a recent Conmon and users with a long username, fail to attach to containers (#8798).
- Fixed a bug where the podman imagescommand would break and fail to display any images if an empty manifest list was present in storage (#8931).
- Fixed a bug where locale environment variables were not properly passed on to Conmon.
- Fixed a bug where Podman would not build on the MIPS architecture (#8782).
- Fixed a bug where rootless Podman could fail to properly configure user namespaces for rootless containers when the user specified a --uidmapoption that included a mapping beginning with UID0.
- Fixed a bug where the podman logscommand using thek8s-filebackend did not properly handle partial log lines with a length of 1 (#8879).
- Fixed a bug where the podman logscommand with the--followoption did not properly handle log rotation (#8733).
- Fixed a bug where user-specified HOSTNAMEenvironment variables were overwritten by Podman (#8886).
- Fixed a bug where Podman would applied default sysctls from containers.confin too many situations (e.g. applying network sysctls when the container shared its network with a pod).
- Fixed a bug where Podman did not properly handle cases where a secondary image store was in use and an image was present in both the secondary and primary stores (#8176).
- Fixed a bug where systemd-managed rootless Podman containers where the user in the container was not root could fail as the container's PID file was not accessible to systemd on the host (#8506).
- Fixed a bug where the --privilegedoption topodman runandpodman createwould, under some circumstances, not disable Seccomp (#8849).
- Fixed a bug where the podman execcommand did not properly add capabilities when the container or exec session were run with--privileged.
- Fixed a bug where rootless Podman would use the --enable-sandboxoption toslirp4netnsunconditionally, even whenpivot_rootwas disabled, renderingslirp4netnsunusable whenpivot_rootwas disabled (#8846).
- Fixed a bug where podman build --logfiledid not actually write the build's log to the logfile.
- Fixed a bug where the podman system servicecommand did not close STDIN, and could display user-interactive prompts (#8700).
- Fixed a bug where the podman system resetcommand could, under some circumstances, remove all the contents of theXDG_RUNTIME_DIRdirectory (#8680).
- Fixed a bug where the podman network createcommand created CNI configurations that did not include a default gateway (#8748).
- Fixed a bug where the podman.servicesystemd unit provided by default used the wrong service type, and would cause systemd to not correctly register the service as started (#8751).
- Fixed a bug where, if the TMPDIRenvironment variable was set for the container engine incontainers.conf, it was being ignored.
- Fixed a bug where the podman eventscommand did not properly handle future times given to the--untiloption (#8694).
- Fixed a bug where the podman logscommand wrote containerSTDERRlogs toSTDOUTinstead ofSTDERR(#8683).
- Fixed a bug where containers created from an image with multiple tags would report that they were created from the wrong tag (#8547).
- Fixed a bug where container capabilities were not set properly when the --cap-add=alland--useroptions topodman createandpodman runwere combined.
- Fixed a bug where the --layersoption topodman buildwas nonfunctional (#8643).
- Fixed a bug where the podman system prunecommand did not act recursively, and thus would leave images, containers, pods, and volumes present that would be removed by a subsequent call topodman system prune(#7990).
- Fixed a bug where the --publishoption topodman runandpodman createdid not properly handle ports specified as a range of ports with no host port specified (#8650).
- Fixed a bug where --formatdid not support JSON output for individual fields (#8444).
- Fixed a bug where the podman statscommand would fail when run on root containers using theslirp4netnsnetwork mode (#7883).
- Fixed a bug where the Podman remote client would ask for a password even if the server's SSH daemon did not support password authentication (#8498).
- Fixed a bug where the podman statscommand would fail if the system did not support one or more of the cgroup controllers Podman supports (#8588).
- Fixed a bug where the --mountoption topodman createandpodman rundid not ignore theconsistencymount option.
- Fixed a bug where failures during the resizing of a container's TTY would print the wrong error.
- Fixed a bug where the podman network disconnectcommand could cause thepodman inspectcommand to fail for a container until it was restarted (#9234).
- Fixed a bug where containers created from a read-only rootfs (using the --rootfsoption topodman createandpodman run) would fail (#9230).
- Fixed a bug where specifying Go templates to the --formatoption to multiple Podman commands did not support thejoinfunction (#8773).
- Fixed a bug where the podman rmicommand could, when run in parallel on multiple images, returnlayer not knownerrors (#6510).
- Fixed a bug where the podman inspectcommand on containers displayed unlimited ulimits incorrectly (#9303).
- Fixed a bug where Podman would fail to start when a volume was mounted over a directory in a container that contained symlinks that terminated outside the directory and its subdirectories (#6003).
API
- Libpod API version has been bumped to v3.0.0.
- All Libpod Pod APIs have been modified to properly report errors with individual containers. Cases where the operation as a whole succeeded but individual containers failed now report an HTTP 409 error (#8865).
- The Compat API for Containers now supports the Rename and Copy APIs.
- Fixed a bug where the Compat Prune APIs (for volumes, containers, and images) did not return the amount of space reclaimed in their responses.
- Fixed a bug where the Compat and Libpod Exec APIs for Containers would drop errors that occurred prior to the exec session successfully starting (e.g. a "no such file" error if an invalid executable was passed) (#8281)
- Fixed a bug where the Volumes field in the Compat Create API for Containers was being ignored (#8649).
- Fixed a bug where the NetworkMode field in the Compat Create API for Containers was not handling some values, e.g. container:, correctly.
- Fixed a bug where the Compat Create API for Containers did not set container name properly.
- Fixed a bug where containers created using the Compat Create API unconditionally used Kubernetes file logging (the default specified in containers.confis now used).
- Fixed a bug where the Compat Inspect API for Containers could include container states not recognized by Docker.
- Fixed a bug where Podman did not properly clean up after calls to the Events API when the journaldbackend was in use, resulting in a leak of file descriptors (#8864).
- Fixed a bug where the Libpod Pull endpoint for Images could fail with an index out of rangeerror under certain circumstances (#8870).
- Fixed a bug where the Libpod Exists endpoint for Images could panic.
- Fixed a bug where the Compat List API for Containers did not support all filters (#8860).
- Fixed a bug where the Compat List API for Containers did not properly populate the Status field.
- Fixed a bug where the Compat and Libpod Resize APIs for Containers ignored the height and width parameters (#7102).
- Fixed a bug where the Compat Search API for Images returned an incorrectly-formatted JSON response (#8758).
- Fixed a bug where the Compat Load API for Images did not properly clean up temporary files.
- Fixed a bug where the Compat Create API for Networks could panic when an empty IPAM configuration was specified.
- Fixed a bug where the Compat Inspect and List APIs for Networks did not include Scope.
- Fixed a bug where the Compat Wait endpoint for Containers did not support the same wait conditions that Docker did.
Misc
- Updated Buildah to v1.19.2
- Updated the containers/storage library to v1.24.5
- Updated the containers/image library to v5.10.2
- Updated the containers/common library to v0.33.4
v2.2.1
Changes
- Due to a conflict with a previously-removed field, we were forced to modify the way image volumes (mounting images into containers using --mount type=image) were handled in the database. As a result, containers created in Podman 2.2.0 with image volumes will not have them in v2.2.1, and these containers will need to be re-created.
Bugfixes
- Fixed a bug where rootless Podman would, on systems without the XDG_RUNTIME_DIRenvironment variable defined, use an incorrect path for the PID file of the Podman pause process, causing Podman to fail to start (#8539).
- Fixed a bug where containers created using Podman v1.7 and earlier were unusable in Podman due to JSON decode errors (#8613).
- Fixed a bug where Podman could retrieve invalid cgroup paths, instead of erroring, for containers that were not running.
- Fixed a bug where the podman system resetcommand would print a warning about a duplicate shutdown handler being registered.
- Fixed a bug where rootless Podman would attempt to mount sysfsin circumstances where it was not allowed; some OCI runtimes (notablycrun) would fall back to alternatives and not fail, but others (notablyrunc) would fail to run containers.
- Fixed a bug where the podman runandpodman createcommands would fail to create containers from untagged images (#8558).
- Fixed a bug where remote Podman would prompt for a password even when the server did not support password authentication (#8498).
- Fixed a bug where the podman execcommand did not move the Conmon process for the exec session into the correct cgroup.
- Fixed a bug where shell completion for the ancestoroption topodman ps --filterdid not work correctly.
- Fixed a bug where detached containers would not properly clean themselves up (or remove themselves if --rmwas set) if the Podman command that created them was invoked with--log-level=debug.
API
- Fixed a bug where the Compat Create endpoint for Containers did not properly handle the BindsandMountsparameters inHostConfig.
- Fixed a bug where the Compat Create endpoint for Containers ignored the Namequery parameter.
- Fixed a bug where the Compat Create endpoint for Containers did not properly handle the "default" value for NetworkMode(this value is used extensively bydocker-compose) (#8544).
- Fixed a bug where the Compat Build endpoint for Images would sometimes incorrectly use the targetquery parameter as the image's tag.
Misc
- Podman v2.2.0 vendored a non-released, custom version of the github.com/spf13/cobrapackage; this has been reverted to the latest upstream release to aid in packaging.
- Updated the containers/image library to v5.9.0
2.2.0
Features
- Experimental support for shortname aliasing has been added. This is not enabled by default, but can be turned on by setting the environment variable CONTAINERS_SHORT_NAME_ALIASINGtoon. Documentation is available here.
- Initial support has been added for the podman network connectandpodman network disconnectcommands, which allow existing containers to modify what networks they are connected to. At present, these commands can only be used on running containers that did not specify--network=nonewhen they were created.
- The podman runcommand now supports the--network-aliasoption to set network aliases (additional names the container can be accessed at from other containers via DNS if thednsnameCNI plugin is in use). Aliases can also be added and removed using the newpodman network connectandpodman network disconnectcommands. Please note that this requires a new release (v1.1.0) of thednsnameplugin, and will only work on newly-created CNI networks.
- The podman generate kubecommand now features support for exporting container's memory and CPU limits (#7855).
- The podman play kubecommand now features support for setting CPU and Memory limits for containers (#7742).
- The podman play kubecommand now supports persistent volumes claims using Podman named volumes.
- The podman play kubecommand now supports Kubernetes configmaps via the--configmapoption (#7567).
- The podman play kubecommand now supports a--log-driveroption to set the log driver for created containers.
- The podman play kubecommand now supports a--startoption, enabled by default, to start the pod after creating it. This allows forpodman play kubeto be more easily used in systemd unitfiles.
- The podman network createcommand now supports the--ipv6option to enable dual-stack IPv6 networking for created networks (#7302).
- The podman inspectcommand can now inspect pods, networks, and volumes, in addition to containers and images (#6757).
- The --mountoption forpodman runandpodman createnow supports a new type,image, to mount the contents of an image into the container at a given location.
- The Bash and ZSH completions have been completely reworked and have received significant enhancements! Additionally, support for Fish completions and completions for the podman-remoteexecutable have been added.
- The --log-optoption forpodman createandpodman runnow supports themax-sizeoption to set the maximum size for a container's logs (#7434).
- The --networkoption to thepodman pod createcommand now allows pods to be configured to useslirp4netnsnetworking, even when run as root (#6097).
- The podman pod stop,podman pod pause,podman pod unpause, andpodman pod killcommands now work on multiple containers in parallel and should be significantly faster.
- The podman searchcommand now supports a--list-tagsoption to list all available tags for a single image in a single repository.
- The podman searchcommand can now output JSON using the--format=jsonoption.
- The podman diffandpodman mountcommands now work with all containers in the storage library, including those not created by Podman. This allows them to be used with Buildah and CRI-O containers.
- The podman container existscommand now features a--externaloption to check if a container exists not just in Podman, but also in the storage library. This will allow Podman to identify Buildah and CRI-O containers.
- The --tls-verifyand--authfileoptions have been enabled for use with remote Podman.
- The /etc/hostsfile now includes the container's name and hostname (both pointing to localhost) when the container is run with--net=none(#8095).
- The podman eventscommand now supports filtering events based on the labels of the container they occurred on using the--filter label=key=valueoption.
- The podman volume lscommand now supports filtering volumes based on their labels using the--filter label=key=valueoption.
- The --volumeand--mountoptions topodman runandpodman createnow support two new mount propagation options,unbindableandrunbindable.
- The nameandidfilters forpodman pod psnow match based on a regular expression, instead of requiring an exact match.
- The podman pod pscommand now supports a new filterstatus, that matches pods in a certain state.
Changes
- The podman network rm --forcecommand will now also remove pods that are using the network (#7791).
- The podman volume rm,podman network rm, andpodman pod rmcommands now return exit code 1 if the object specified for removal does not exist, and exit code 2 if the object is in use and the--forceoption was not given.
- If /dev/fuseis passed into Podman containers as a device, Podman will open it before starting the container to ensure that the kernel module is loaded on the host and the device is usable in the container.
- Global Podman options that were not supported with remote operation have been removed from podman-remote(e.g.--cgroup-manager,--storage-driver).
- Many errors have been changed to remove repetition and be more clear as to what has gone wrong.
- The --storageoption topodman rmis now enabled by default, with slightly changed semantics. If the given container does not exist in Podman but does exist in the storage library, it will be removed even without the--storageoption. If the container exists in Podman it will be removed normally. The--storageoption forpodman rmis now deprecated and will be removed in a future release.
- The --storageoption topodman pshas been renamed to--external. An alias has been added so the old form of the option will continue to work.
- Podman now delays the SIGTERM and SIGINT signals during container creation to ensure that Podman is not stopped midway through creating a container resulting in potential resource leakage (#7941).
- The podman savecommand now strips signatures from images it is exporting, as the formats we export to do not support signatures (#7659).
- A new Degradedstate has been added to pods. Pods that have some, but not all, of their containers running are now considered to beDegradedinstead ofRunning.
- Podman will now print a warning when conflicting network options related to port forwarding (e.g. --publishand--net=host) are specified when creating a container.
- The --restart on-failureand--rmoptions for containers no longer conflict. When both are specified, the container will be restarted if it exits with a non-zero error code, and removed if it exits cleanly (#7906).
- Remote Podman will no longer use settings from the client's containers.conf; defaults will instead be provided by the server'scontainers.conf(#7657).
- The podman network rmcommand now has a new alias,podman network remove(#8402).
Bugfixes
- Fixed a bug where podman loadon the remote client did not error when attempting to load a directory, which is not yet supported for remote use.
- Fixed a bug where rootless Podman could hang when the newuidmapbinary was not installed (#7776).
- Fixed a bug where the --pulloption topodman run,podman create, andpodman builddid not match Docker's behavior.
- Fixed a bug where sysctl settings from the containers.confconfiguration file were applied, even if the container did not join the namespace associated with a sysctl.
- Fixed a bug where Podman would not return the text of errors encountered when trying to run a healthcheck for a container.
- Fixed a bug where Podman was accidentally setting the containersenvironment variable in addition to the expectedcontainerenvironment variable.
- Fixed a bug where rootless Podman using CNI networking did not properly clean up DNS entries for removed containers (#7789).
- Fixed a bug where the podman untag --allcommand was not supported with remote Podman.
- Fixed a bug where the podman system servicecommand could time out even if active attach connections were present (#7826).
- Fixed a bug where the podman system servicecommand would sometimes never time out despite no active connections being present.
- Fixed a bug where Podman's handling of capabilities, specifically inheritable, did not match Docker's.
- Fixed a bug where podman runwould fail if the image specified was a manifest list and had already been pulled (#7798).
- Fixed a bug where Podman did not take search registries into account when looking up images locally (#6381).
- Fixed a bug where the podman manifest inspectcommand would fail for images that had already been pulled (#7726).
- Fixed a bug where rootless Podman would not add supplemental GIDs to containers when when a user, but not a group, was set via the --useroption topodman createandpodman runand sufficient GIDs were available to add the groups (#7782).
- Fixed a bug where remote Podman commands did not properly handle cases where the user gave a name that could also be a short ID for a pod or container (#7837).
- Fixed a bug where podman image prunecould leave images ready to be pruned afterpodman image prunewas run (#7872).
- Fixed a bug where the podman logscommand with thejournaldlog driver would not read all available logs (#7476).
- Fixed a bug where the --rmand--restartoptions topodman createandpodman rundid not conflict when a restart policy that is noton-failurewas chosen (#7878).
- Fixed a bug where the --format "table {{ .Field }}"option to numerous Podman commands ceased to function on Podman v2.0 and up.
- Fixed a bug where pods did not properly share an SELinux label between their containers, resulting in containers being unable to see the processes of other containers when the pod shared a PID namespace (#7886).
- Fixed a bug where the --namespaceoption topodman psdid not work with the remote client (#7903).
- Fixed a bug where rootless Podman incorrectly calculated the number of UIDs available in the container if multiple different ranges of UIDs were specified.
- Fixed a bug where the /etc/hostsfile would not be correctly populated for containers in a user namespace (#7490).
- Fixed a bug where the podman network createandpodman network removecommands could race when run in parallel, with unpredictable results (#7807).
- Fixed a bug where the -poption topodman run,podman create, andpodman pod createwould, when given only a single number (e.g.-p 80), assign the same port for both host and container, instead of generating a random host port (#7947).
- Fixed a bug where Podman containers did not properly store the cgroup manager they were created with, causing them to stop functioning after the cgroup manager was changed in containers.confor with the--cgroup-manageroption (#7830).
- Fixed a bug where the podman inspectcommand did not include information on the CNI networks a container was connected to if it was not running.
- Fixed a bug where the podman attachcommand would not print a newline after detaching from the container (#7751).
- Fixed a bug where the HOMEenvironment variable was not set properly in containers when the--userns=keep-idoption was set (#8004).
- Fixed a bug where the podman container restorecommand could panic when the container in question was in a pod (#8026).
- Fixed a bug where the output of the podman image trust show --rawcommand was not properly formatted.
- Fixed a bug where the podman runlabelcommand could panic if a label to run was not given (#8038).
- Fixed a bug where the podman runandpodman start --attachcommands would exit with an error when the user detached manually using the detach keys on remote Podman (#7979).
- Fixed a bug where rootless CNI networking did not use the dnsnameCNI plugin if it was not available on the host, despite it always being available in the container used for rootless networking (#8040).
- Fixed a bug where Podman did not properly handle cases where an OCI runtime is specified by its full path, and could revert to using another OCI runtime with the same binary path that existed in the system $PATHon subsequent invocations.
- Fixed a bug where the --net=hostoption topodman createandpodman runwould cause the/etc/hostsfile to be incorrectly populated (#8054).
- Fixed a bug where the podman inspectcommand did not include container network information when the container shared its network namespace (IE, joined a pod or another container's network namespace via--net=container:...) (#8073).
- Fixed a bug where the podman pscommand did not include information on all ports a container was publishing.
- Fixed a bug where the podman buildcommand incorrectly forwardedSTDINinto build containers fromRUNinstructions.
- Fixed a bug where the podman waitcommand's--intervaloption did not work when units were not specified for the duration (#8088).
- Fixed a bug where the --detach-keysand--detachoptions could be passed topodman createdespite having no effect (and not making sense in that context).
- Fixed a bug where Podman could not start containers if running on a system without a /etc/resolv.conffile (which occurs on some WSL2 images) (#8089).
- Fixed a bug where the --extractoption topodman cpwas nonfunctional.
- Fixed a bug where the --cidfileoption topodman runwould, when the container was not run with--detach, only create the file after the container exited (#8091).
- Fixed a bug where the podman imagesandpodman images -acommands could panic and not list any images when certain improperly-formatted images were present in storage (#8148).
- Fixed a bug where the podman eventscommand could, when thejournaldevents backend was in use, become nonfunctional when a badly-formatted event or a log message that container certain string was present in the journal (#8125).
- Fixed a bug where remote Podman would, when using SSH transport, not authenticate to the server using hostkeys when connecting on a port other than 22 (#8139).
- Fixed a bug where the podman attachcommand would not exit when containers stopped (#8154).
- Fixed a bug where Podman did not properly clean paths before verifying them, resulting in Podman refusing to start if the root or temporary directories were specified with extra trailing /characters (#8160).
- Fixed a bug where remote Podman did not support hashed hostnames in the known_hostsfile on the host for establishing connections (#8159).
- Fixed a bug where the podman image existscommand would return non-zero (false) when multiple potential matches for the given name existed.
- Fixed a bug where the podman manifest inspectcommand on images that are not manifest lists would error instead of inspecting the image (#8023).
- Fixed a bug where the podman system servicecommand would fail if the directory the Unix socket was to be created inside did not exist (#8184).
- Fixed a bug where pods that shared the IPC namespace (which is done by default) did not share a /dev/shmfilesystem between all containers in the pod (#8181).
- Fixed a bug where filters passed to podman volume listwere not inclusive (#6765).
- Fixed a bug where the podman volume createcommand would fail when the volume's data directory already existed (as might occur when a volume was not completely removed) (#8253).
- Fixed a bug where the podman runandpodman createcommands would deadlock when trying to create a container that mounted the same named volume at multiple locations (e.g.podman run -v testvol:/test1 -v testvol:/test2) (#8221).
- Fixed a bug where the parsing of the --netoption topodman buildwas incorrect (#8322).
- Fixed a bug where the podman buildcommand would print the ID of the built image twice when using remote Podman (#8332).
- Fixed a bug where the podman statscommand did not show memory limits for containers (#8265).
- Fixed a bug where the podman pod inspectcommand printed the static MAC address of the pod in a non-human-readable format (#8386).
- Fixed a bug where the --tls-verifyoption of thepodman play kubecommand had its logic inverted (falsewould enforce the use of TLS,truewould disable it).
- Fixed a bug where the podman network rmcommand would error when trying to removemacvlannetworks and rootless CNI networks (#8491).
- Fixed a bug where Podman was not setting sane defaults for missing XDG_environment variables.
- Fixed a bug where remote Podman would check if volume paths to be mounted in the container existed on the host, not the server (#8473).
- Fixed a bug where the podman manifest createandpodman manifest addcommands on local images would drop any images in the manifest not pulled by the host.
- Fixed a bug where networks made by podman network createdid not include thetuningplugin, and as such did not support setting custom MAC addresses (#8385).
- Fixed a bug where container healthchecks did not use $PATHwhen searching for the Podman executable to run the healthcheck.
- Fixed a bug where the --ip-rangeoption topodman network createdid not properly handle non-classful subnets when calculating the last usable IP for DHCP assignment (#8448).
- Fixed a bug where the podman container psalias forpodman pswas missing (#8445).
API
- The Compat Create endpoint for Container has received a major refactor to share more code with the Libpod Create endpoint, and should be significantly more stable.
- A Compat endpoint for exporting multiple images at once, GET /images/get, has been added (#7950).
- The Compat Network Connect and Network Disconnect endpoints have been added.
- Endpoints that deal with image registries now support a X-Registry-Configheader to specify registry authentication configuration.
- The Compat Create endpoint for images now properly supports specifying images by digest.
- The Libpod Build endpoint for images now supports an httpproxyquery parameter which, if set to true, will forward the server's HTTP proxy settings into the build container forRUNinstructions.
- The Libpod Untag endpoint for images will now remove all tags for the given image if no repository and tag are specified for removal.
- Fixed a bug where the Ping endpoint misspelled a header name (Libpod-Buildha-Versioninstead ofLibpod-Buildah-Version).
- Fixed a bug where the Ping endpoint sent an extra newline at the end of its response where Docker did not.
- Fixed a bug where the Compat Logs endpoint for containers did not send a newline character after each log line.
- Fixed a bug where the Compat Logs endpoint for containers would mangle line endings to change newline characters to add a preceding carriage return (#7942).
- Fixed a bug where the Compat Inspect endpoint for Containers did not properly list the container's stop signal (#7917).
- Fixed a bug where the Compat Inspect endpoint for Containers formatted the container's create time incorrectly (#7860).
- Fixed a bug where the Compat Inspect endpoint for Containers did not include the container's Path, Args, and Restart Count.
- Fixed a bug where the Compat Inspect endpoint for Containers prefixed added and dropped capabilities with CAP_(Docker does not do so).
- Fixed a bug where the Compat Info endpoint for the Engine did not include configured registries.
- Fixed a bug where the server could panic if a client closed a connection midway through an image pull (#7896).
- Fixed a bug where the Compat Create endpoint for volumes returned an error when a volume with the same name already existed, instead of succeeding with a 201 code (#7740).
- Fixed a bug where a client disconnecting from the Libpod or Compat events endpoints could result in the server using 100% CPU (#7946).
- Fixed a bug where the "no such image" error message sent by the Compat Inspect endpoint for Images returned a 404 status code with an error that was improperly formatted for Docker compatibility.
- Fixed a bug where the Compat Create endpoint for networks did not properly set a default for the driverparameter if it was not provided by the client.
- Fixed a bug where the Compat Inspect endpoint for images did not populate the RootFS,VirtualSize,ParentId,Architecture,Os, andOsVersionfields of the response.
- Fixed a bug where the Compat Inspect endpoint for images would omit the ParentIdfield if the image had no parent, and theCreatedfield if the image did not have a creation time.
- Fixed a bug where the Compat Remove endpoint for Networks did not support the Forcequery parameter.
Misc
- Updated Buildah to v1.18.0
- Updated the containers/storage library to v1.24.1
- Updated the containers/image library to v5.8.1
- Updated the containers/common library to v0.27.0
2.1.1
Changes
- The podman infocommand now includes the cgroup manager Podman is using.
Bugfixes
- Fixed a bug where Podman would not build with the varlinkbuild tag enabled.
- Fixed a bug where the podman savecommand could, when asked to save multiple images, write its progress bar to the archive instead of the terminal, producing a corrupted archive.
- Fixed a bug where the json-filelog driver did not write logs.
- Fixed a bug where podman-remote start --attachdid not properly handle detaching using the detach keys.
- Fixed a bug where podman pod ps --filter label=...did not work.
- Fixed a bug where the podman buildcommand did not respect the--runtimeflag.
API
- The REST API now includes a Server header in all responses.
- Fixed a bug where the Libpod and Compat Attach endpoints could terminate early, before sending all output from the container.
- Fixed a bug where the Compat Create endpoint for containers did not properly handle the Interactive parameter.
- Fixed a bug where the Compat Kill endpoint for containers could continue to run after a fatal error.
- Fixed a bug where the Limit parameter of the Compat List endpoint for Containers did not properly handle a limit of 0 (returning nothing, instead of all containers) (#7722).
- The Libpod Stats endpoint for containers is being deprecated and will be replaced by a similar endpoint with additional features in a future release.
2.1.0
Features
- A new command, podman image mount, has been added. This allows for an image to be mounted, read-only, to inspect its contents without creating a container from it (#1433).
- The podman saveandpodman loadcommands can now create and load archives containing multiple images (#2669).
- Rootless Podman now supports all podman networkcommands, and rootless containers can now be joined to networks.
- The performance of podman buildonADDandCOPYinstructions has been greatly improved, especially when a.dockerignoreis present.
- The podman runandpodman createcommands now support a new mode for the--cgroupsoption,--cgroups=split. Podman will create two cgroups under the cgroup it was launched in, one for the container and one for Conmon. This mode is useful for running Podman in a systemd unit, as it ensures that all processes are retained in systemd's cgroup hierarchy (#6400).
- The podman runandpodman createcommands can now specify options to slirp4netns by using the--networkoption as follows:--net slirp4netns:opt1,opt2. This allows for, among other things, switching the port forwarder used by slirp4netns away from rootlessport.
- The podman pscommand now features a new option,--storage, to show containers from Buildah, CRI-O and other applications.
- The podman runandpodman createcommands now feature a--sdnotifyoption to control the behavior of systemd's sdnotify with containers, enabling improved support for Podman inType=notifyunits.
- The podman runcommand now features a--preserve-fdsoption to pass file descriptors from the host into the container (#6458).
- The podman runandpodman createcommands can now create overlay volume mounts, by adding the:Ooption to a bind mount (e.g.-v /test:/test:O). Overlay volume mounts will mount a directory into a container from the host and allow changes to it, but not write those changes back to the directory on the host.
- The podman play kubecommand now supports the Socket HostPath type (#7112).
- The podman play kubecommand now supports read-only mounts.
- The podman play kubecommand now supports setting labels on pods from Kubernetes metadata labels.
- The podman play kubecommand now supports setting container restart policy (#7656).
- The podman play kubecommand now properly handlesHostAliasentries.
- The podman generate kubecommand now adds entries to/etc/hostsfrom--host-addgenerated YAML asHostAliasentries.
- The podman play kubeandpodman generate kubecommands now properly supportshareProcessNamespaceto share the PID namespace in pods.
- The podman volume lscommand now supports thedanglingfilter to identify volumes that are dangling (not attached to any container).
- The podman runandpodman createcommands now feature a--umaskoption to set the umask of the created container.
- The podman createandpodman runcommands now feature a--tzoption to set the timezone within the container (#5128).
- Environment variables for Podman can now be added in the containers.confconfiguration file.
- The --mountoption ofpodman runandpodman createnow supports a new mount type,type=devpts, to add adevptsmount to the container. This is useful for containers that want to mount/dev/from the host into the container, but still create a terminal.
- The --security-optflag topodman runandpodman createnow supports a new option,proc-opts, to specify options for the container's/procfilesystem.
- Podman with the crunOCI runtime now supports a new option topodman runandpodman create,--cgroup-conf, which allows for advanced configuration of cgroups on cgroups v2 systems.
- The podman createandpodman runcommands now support a--override-variantoption, to override the architecture variant of the image that will be pulled and ran.
- A new global option has been added to Podman, --runtime-flags, which allows for setting flags to use when the OCI runtime is called.
- The podman manifest addcommand now supports the--cert-dir,--auth-file,--creds, and--tls-verifyoptions.
Security
- This release resolves CVE-2020-14370, in which environment variables could be leaked between containers created using the Varlink API.
Changes
- Podman will now retry pulling an image 3 times if a pull fails due to network errors.
- The podman execcommand would previously print error messages (e.g.exec session exited with non-zero exit code -1) when the command run exited with a non-0 exit code. It no longer does this. Thepodman execcommand will still exit with the same exit code as the command run in the container did.
- Error messages when creating a container or pod with a name that is already in use have been improved.
- For read-only containers running systemd init, Podman creates a tmpfs filesystem at /run. This was previously limited to 65k in size and mountednoexec, but is now unlimited size and mountedexec.
- The podman system resetcommand no longer removes configuration files for rootless Podman.
Bugfixes
- Fixed a bug where Podman would not add an entry to /etc/hostsfor a container if it joined another container's network namespace (#66782).
- Fixed a bug where podman save --format oci-dirsaved the image in an incorrect format (#6544).
- Fixed a bug where privileged containers would still configure an AppArmor profile.
- Fixed a bug where the --formatoption ofpodman system dfwas not properly interpreting format codes that included backslashes (#7149).
- Fixed a bug where rootless Podman would ignore errors from newuidmapandnewgidmap, even if/etc/subuidand/etc/subgidcontained valid mappings for the user running Podman.
- Fixed a bug where the podman commitcommand did not properly handle single-character image names (#7114).
- Fixed a bug where the output of podman ps --format=jsondid not include aStatusfield (#6980).
- Fixed a bug where input to the --log-leveloption was no longer case-insensitive.
- Fixed a bug where podman imagescould segfault when an image pull was aborted while incomplete, leaving an image without a manifest (#7444).
- Fixed a bug where rootless Podman would try to create the ~/.configdirectory when it did not exist, despite not placing any configuration files inside the directory.
- Fixed a bug where the output of podman system dfwas inconsistent based on whether the-voption was specified (#7405).
- Fixed a bug where --security-opt apparmor=unconfinedwould error if Apparmor was not enabled on the system (#7545).
- Fixed a bug where running podman stopon multiple containers starting with--rmcould sometimes causeno such containererrors (#7384).
- Fixed a bug where podman-remotewould still try to contact the server when displaying help information about subcommands.
- Fixed a bug where the podman build --logfilecommand would segfault.
- Fixed a bug where the podman generate systemdcommand did not properly handle containers which were created with a name given as--name=$NAMEinstead of--name $NAME(#7157).
- Fixed a bug where the podman pswas ignoring the--latestflag.
- Fixed a bug where the podman-remote killcommand would hang when a signal that did not kill the container was specified (#7135).
- Fixed a bug where the --oom-score-adjoption ofpodman runandpodman createwas nonfunctional.
- Fixed a bug where the --displayoption ofpodman runlabelwas nonfunctional.
- Fixed a bug where the podman runlabelcommand would not pull images that did not exist locally on the system.
- Fixed a bug where podman-remote runwould not exit with the correct code with the container was removed by apodman-remote rm -fwhilepodman-remote runwas still running (#7117).
- Fixed a bug where the podman-remote run --rmcommand would error attempting to remove containers that had already been removed (e.g. bypodman-remote rm --force) (#7340).
- Fixed a bug where podman --userwith a numeric user andpodman run --userns=keepidcould create users in/etc/passwdin the container that belong to groups without a corresponding entry in/etc/group(#7389).
- Fixed a bug where podman run --userns=keepidcould create entries in/etc/passwdwith a UID that was already in use by another user (#7503).
- Fixed a bug where podman --userwith a numeric user andpodman run --userns=keepidcould create users that could not be logged into (#7499).
- Fixed a bug where trying to join another container's user namespace with --userns container:$IDwould fail (#7547).
- Fixed a bug where the podman play kubecommand would trim underscores from container names (#7020).
- Fixed a bug where the podman attachcommand would not show output when attaching to a container with a terminal (#6523).
- Fixed a bug where the podman system dfcommand could be extremely slow when large quantities of images were present (#7406).
- Fixed a bug where podman images -awould break if any image pulled by digest was present in the store (#7651).
- Fixed a bug where the --mountoption topodman runandpodman createrequired thetype=parameter to be passed first (#7628).
- Fixed a bug where the --infra-commandparameter topodman pod createwas nonfunctional.
- Fixed a bug where podman auto-updatewould fail for any container started with--pull=always(#7407).
- Fixed a bug where the podman waitcommand would only accept a single argument.
- Fixed a bug where the parsing of the --volumes-fromoption topodman runandpodman createwas broken, making it impossible to use multiple mount options at the same time (#7701).
- Fixed a bug where the podman execcommand would not join executed processes to the container's supplemental groups if the container was started with both the--userand--group-addoptions.
- Fixed a bug where the --iidfileoption topodman-remote buildwas nonfunctional.
API
- The Libpod API version has been bumped to v2.0.0 due to a breaking change in the Image List API.
- Docker-compatible Volume Endpoints (Create, Inspect, List, Remove, Prune) are now available!
- Added an endpoint for generating systemd unit files for containers.
- The lastparameter to the Libpod container list endpoint now has an alias,limit(#6413).
- The Libpod image list API new returns timestamps in Unix format, as integer, as opposed to as strings
- The Compat Inspect endpoint for containers now includes port information in NetworkSettings.
- The Compat List endpoint for images now features limited support for the (deprecated) filterquery parameter (#6797).
- Fixed a bug where the Compat Create endpoint for containers was not correctly handling bind mounts.
- Fixed a bug where the Compat Create endpoint for containers would not return a 404 when the requested image was not present.
- Fixed a bug where the Compat Create endpoint for containers did not properly handle Entrypoint and Command from images.
- Fixed a bug where name history information was not properly added in the Libpod Image List endpoint.
- Fixed a bug where the Libpod image search endpoint improperly populated the Description field of responses.
- Added a noTruncoption to the Libpod image search endpoint.
- Fixed a bug where the Pod List API would return null, instead of an empty array, when no pods were present (#7392).
- Fixed a bug where endpoints that hijacked would do perform the hijack too early, before being ready to send and receive data (#7195).
- Fixed a bug where Pod endpoints that can operate on multiple containers at once (e.g. Kill, Pause, Unpause, Stop) would not forward errors from individual containers that failed.
- The Compat List endpoint for networks now supports filtering results (#7462).
- Fixed a bug where the Top endpoint for pods would return both a 500 and 404 when run on a nonexistent pod.
- Fixed a bug where Pull endpoints did not stream progress back to the client.
- The Version endpoints (Libpod and Compat) now provide version in a format compatible with Docker.
- All non-hijacking responses to API requests should not include headers with the version of the server.
- Fixed a bug where Libpod and Compat Events endpoints did not send response headers until the first event occurred (#7263).
- Fixed a bug where the Build endpoints (Compat and Libpod) did not stream progress to the client.
- Fixed a bug where the Stats endpoints (Compat and Libpod) did not properly handle clients disconnecting.
- Fixed a bug where the Ignore parameter to the Libpod Stop endpoint was not performing properly.
- Fixed a bug where the Compat Logs endpoint for containers did not stream its output in the correct format (#7196).
Misc
- Updated Buildah to v1.16.1
- Updated the containers/storage library to v1.23.5
- Updated the containers/image library to v5.6.0
- Updated the containers/common library to v0.22.0
2.0.6
Bugfixes
- Fixed a bug where running systemd in a container on a cgroups v1 system would fail.
- Fixed a bug where /etc/passwdcould be re-created every time a container is restarted if the container's/etc/passwddid not contain an entry for the user the container was started as.
- Fixed a bug where containers without an /etc/passwdfile specifying a non-root user would not start.
- Fixed a bug where the --remoteflag would sometimes not make remote connections and would instead attempt to run Podman locally.
Misc
- Updated the containers/common library to v0.14.10
2.0.5
Features
- Rootless Podman will now add an entry to /etc/passwdfor the user who ran Podman if run with--userns=keep-id.
- The podman system connectioncommand has been reworked to support multiple connections, and re-enabled for use!
- Podman now has a new global flag, --connection, to specify a connection to a remote Podman API instance.
Changes
- Podman's automatic systemd integration (activated by the --systemd=trueflag, set by default) will now activate for containers using/usr/local/sbin/initas their command, instead of just/usr/sbin/initand/sbin/init(and any path ending insystemd).
- Seccomp profiles specified by the --security-opt seccomp=...flag topodman createandpodman runwill now be honored even if the container was created using--privileged.
Bugfixes
- Fixed a bug where the podman play kubewould not honor thehostIPfield for port forwarding (#5964).
- Fixed a bug where the podman generate systemdcommand would panic on an invalid restart policy being specified (#7271).
- Fixed a bug where the podman imagescommand could take a very long time (several minutes) to complete when a large number of images were present.
- Fixed a bug where the podman logscommand with the--tailflag would not work properly when a large amount of output would be printed (#7230).
- Fixed a bug where the podman execcommand with remote Podman would not return a non-zero exit code when the exec session failed to start (e.g. invoking a nonexistent command) (#6893).
- Fixed a bug where the podman loadcommand with remote Podman would did not honor user-specified tags (#7124).
- Fixed a bug where the podman system servicecommand, when run as a non-root user by Systemd, did not properly handle the Podman pause process and would not restart properly as a result (#7180).
- Fixed a bug where the --publishflag topodman create,podman run, andpodman pod createdid not properly handle a host IP of 0.0.0.0 (attempting to bind to literal 0.0.0.0, instead of all IPs on the system) (#7104).
- Fixed a bug where the podman start --attachcommand would not print the container's exit code when the command exited due to the container exiting.
- Fixed a bug where the podman rmcommand with remote Podman would not remove volumes, even if the--volumesflag was specified (#7128).
- Fixed a bug where the podman runcommand with remote Podman and the--rmflag could exit before the container was fully removed.
- Fixed a bug where the --pod new:...flag topodman runandpodman createwould create a pod that did not share any namespaces.
- Fixed a bug where the --preserve-fdsflag topodman runandpodman execcould close the wrong file descriptors while trying to close user-provided descriptors after passing them into the container.
- Fixed a bug where default environment variables ($PATHand$TERM) were not set in containers when not provided by the image.
- Fixed a bug where pod infra containers were not properly unmounted after exiting.
- Fixed a bug where networks created with podman network createwith an IPv6 subnet did not properly set an IPv6 default route.
- Fixed a bug where the podman savecommand would not work properly when its output was piped to another command (#7017).
- Fixed a bug where containers using a systemd init on a cgroups v1 system could leak mounts under /sys/fs/cgroup/systemdto the host.
- Fixed a bug where podman buildwould not generate an event on completion (#7022).
- Fixed a bug where the podman historycommand with remote Podman printed incorrect creation times for layers (#7122).
- Fixed a bug where Podman would not create working directories specified by the container image if they did not exist.
- Fixed a bug where Podman did not clear CMDfrom the container image if the user overrodeENTRYPOINT(#7115).
- Fixed a bug where error parsing image names were not fully reported (part of the error message containing the exact issue was dropped).
- Fixed a bug where the podman imagescommand with remote Podman did not support printing image tags in Go templates supplied to the--formatflag (#7123).
- Fixed a bug where the podman rmi --forcecommand would not attempt to unmount containers it was removing, which could cause a failure to remove the image.
- Fixed a bug where the podman generate systemd --newcommand could incorrectly quote arguments to Podman that contained whitespace, leading to nonfunctional unit files (#7285).
- Fixed a bug where the podman versioncommand did not properly include build time and Git commit.
- Fixed a bug where running systemd in a Podman container on a system that did not use the systemdcgroup manager would fail (#6734).
- Fixed a bug where capabilities from --cap-addwere not properly added when a container was started as a non-root user via--user.
- Fixed a bug where Pod infra containers were not properly cleaned up when they stopped, causing networking issues (#7103).
API
- Fixed a bug where the libpod and compat Build endpoints did not accept the application/tarcontent type (instead only acceptingapplication/x-tar) (#7185).
- Fixed a bug where the libpod Exists endpoint would attempt to write a second header in some error conditions (#7197).
- Fixed a bug where compat and libpod Network Inspect and Network Remove endpoints would return a 500 instead of 404 when the requested network was not found.
- Added a versioned _pingendpoint (e.g.http://localhost/v1.40/_ping).
- Fixed a bug where containers started through a systemd-managed instance of the REST API would be shut down when podman system serviceshut down due to its idle timeout (#7294).
- Added stronger parameter verification for the libpod Network Create endpoint to ensure subnet mask is a valid value.
- The PodURL parameter to the Libpod Container List endpoint has been deprecated; the information previously gated by thePodboolean will now be included in the response unconditionally.
Misc
- Updated Buildah to v1.15.1
- Updated containers/image library to v5.5.2
2.0.4
Bugfixes
- Fixed a bug where the output of podman image searchdid not populate the Description field as it was mistakenly assigned to the ID field.
- Fixed a bug where podman build -andpodman buildon an HTTP target would fail.
- Fixed a bug where rootless Podman would improperly chown the copied-up contents of anonymous volumes (#7130).
- Fixed a bug where Podman would sometimes HTML-escape special characters in its CLI output.
- Fixed a bug where the podman start --attach --interactivecommand would print the container ID of the container attached to when exiting (#7068).
- Fixed a bug where podman run --ipc=host --pid=hostwould only set--pid=hostand not--ipc=host(#7100).
- Fixed a bug where the --publishargument topodman run,podman createandpodman pod createwould not allow binding the same container port to more than one host port (#7062).
- Fixed a bug where incorrect arguments to podman images --formatcould cause Podman to segfault.
- Fixed a bug where podman rmi --forceon an image ID with more than one name and at least one container using the image would not completely remove containers using the image (#7153).
- Fixed a bug where memory usage in bytes and memory use percentage were swapped in the output of podman stats --format=json.
API
- Fixed a bug where the libpod and compat events endpoints would fail if no filters were specified (#7078).
- Fixed a bug where the CgroupVersionfield in responses from the compat Info endpoint was prefixed by "v" (instead of just being "1" or "2", as is documented).
2.0.3
Features
- The podman searchcommand now allows wildcards in search terms.
- The podman play kubecommand now supports theIfNotPresentpull type.
Changes
- The --disable-content-trustflag has been added to Podman for Docker compatibility. This is a Docker-specific option and has no effect in Podman; it is provided only to ensure command line compatibility for scripts (#7034).
- Setting a static IP address or MAC address for rootless containers and pods now causes an error; previously, they were silently ignored.
- The /sys/devfolder is now masked in containers to prevent a potential information leak from the host.
Bugfixes
- Fixed a bug where rootless Podman would select the wrong cgroup manager on cgroups v1 systems where the user in question had an active systemd user session (#6982).
- Fixed a bug where systems with Apparmor could not run privileged containers (#6933).
- Fixed a bug where ENTRYPOINT and CMD from images were improperly handled by podman play kube(#6995).
- Fixed a bug where the --pids-limitflag topodman createandpodman runwas parsed incorrectly and was unusable (#6908).
- Fixed a bug where the podman system dfcommand would error if untagged images were present (#7015).
- Fixed a bug where the podman imagescommand would display incorrect tags if a port number was included in the repository.
- Fixed a bug where Podman did not set a default umask and default rlimits (#6989).
- Fixed a bug where protocols in port mappings were not recognized unless they were lower-case (#6948).
- Fixed a bug where information on pod infra containers was not included in the output of podman pod inspect.
- Fixed a bug where Podman's systemd detection (activated by the enabled-by-default --systemd=trueflag) would not flag a container for systemd mode if systemd was part of the entrypoint, not the command (#6920).
- Fixed a bug where podman start --attachwas not defaulting--sig-proxyto true (#6928).
- Fixed a bug where podman inspectwould show an incorrect command (podman system service, the command used to start the server) for containers created by a remote Podman client.
- Fixed a bug where the podman execcommand with the remote client would not print output if the-tor-iflags where not provided.
- Fixed a bug where some variations of the --format {{ json . }}topodman info(involving added or removed whitespace) would not be accepted (#6927).
- Fixed a bug where Entrypoint could not be cleared at the command line (if unset via --entrypoint="", it would be reset to the image's entrypoint) (#6935).
API
- Fixed a bug where the events endpoints (both libpod and compat) could potentially panic on parsing filters.
- Fixed a bug where the compat Create endpoint for containers did not properly handle Entrypoint and Command.
- Fixed a bug where the Logs endpoint for containers (both libpod and compat) would not properly handle client disconnect, resulting in high CPU usage.
- The type of filters on the compat events endpoint has been adjusted to match Docker's implementation (#6899).
- The idle connection counter now properly handles hijacked connections.
- All endpoints that hijack will now properly print headers per RFC 7230 standards.
Misc
- Updated containers/common to v0.14.6
2.0.2
Changes
- The podman system connectioncommand has been temporarily disabled, as it was not functioning as expected.
Bugfixes
- Fixed a bug where the podman pscommand would not truncate long container commands, resulting in display issues as the column could become extremely wide (the--no-truncflag can be used to print the full command).
- Fixed a bug where podman podcommands operating on multiple containers (e.g.podman pod stopandpodman pod kill) would not print errors from individual containers, but only a warning that some containers had failed.
- Fixed a bug where the podman system servicecommand would panic if a connection to the Events endpoint hung up early (#6805).
- Fixed a bug where rootless Podman would create anonymous and named volumes with the wrong owner for containers run with the --userdirective.
- Fixed a bug where the TMPDIRenvironment variable (used for storing temporary files while pulling images) was not being defaulted (if unset) to/var/tmp.
- Fixed a bug where the --publishflag topodman createandpodman runrequired that a host port be specified if an IP address was given (#6806).
- Fixed a bug where in podman-remotecommands performing an attach (podman run,podman attach,podman start --attach,podman exec) did not properly configure the terminal on Windows.
- Fixed a bug where the --remoteflag to Podman required an argument, despite being a boolean (#6704).
- Fixed a bug where the podman generate systemd --newcommand could generate incorrect unit files for a pod if a container in the pod was created using the--pod=...flag (with an =, instead of a space, before the pod ID) (#6766).
- Fixed a bug where NPROCandNOFILErlimits could be improperly set for rootless Podman containers, causing them to fail to start.
- Fixed a bug where podman mountas rootless did not error (thepodman mountcommand cannot be run rootless unless it is run inside apodman unshareshell).
- Fixed a bug where in some cases a race in events handling code could cause error messages related to retrieving events to be lost.
API
- Fixed a bug where the timestamp format for Libpod image list endpoint was incorrect - the format has been switched to Unix time.
- Fixed a bug where the compatibility Create endpoint did not handle empty entrypoints properly.
- Fixed a bug where the compatibility network remove endpoint would improperly handle errors where the network was not found.
- Fixed a bug where containers would be created with improper permissions because of a umask issue (#6787).
2.0.1
Changes
- The podman system connectioncommand was mistakenly omitted from the 2.0 release, and has been included here.
- The podman ps --format=jsoncommand once again includes container's creation time in a human-readable format in theCreatedAtkey.
- The podman inspectcommands on containers now displays forwarded ports in a format compatible withdocker inspect.
- The --log-level=debugflag topodman runandpodman execwill enable syslog for exit commands, ensuring that debug logs are collected for these otherwise-unlogged commands.
Bugfixes
- Fixed a bug where podman builddid not properly handle the--http-proxyand--cgroup-managerflags.
- Fixed a bug where error messages related to a missing or inaccessible /etc/subuidor/etc/subgidfile were very unclear (#6572).
- Fixed a bug where the podman logs --followcommand would not stop when the container being followed exited.
- Fixed a bug where the --privilegedflag had mistakenly been marked as conflicting with--group-addand--security-opt.
- Fixed a bug where the PODMAN_USERNSenvironment variable was not being honored (#6705).
- Fixed a bug where the podman image loadcommand would require one argument be passed, when no arguments is also valid (#6718).
- Fixed a bug where the bash completions did not include the podman networkcommand and its subcommands.
- Fixed a bug where the mount command would not work inside of rootless containers (#6735).
- Fixed a bug where SSH agent authentication support was not properly working in the podman-remoteandpodman --remotecommands.
- Fixed a bug where the podman untagcommand was not erroring when no matching image was found.
- Fixed a bug where stop signal for containers was not being set properly if not explicitly provided.
- Fixed a bug where the podman pscommand was not showing port mappings for containers which share a network namespace with another container (e.g. are part of a pod).
- Fixed a bug where the --remoteflag could unintentionally be forwarded into containers when usingpodman-remote.
- Fixed a bug where unit files generated for pods by podman generate systemdwould not allow individual containers to be restarted (#6770).
- Fixed a bug where the podman runandpodman createcommands did not support all transports thatpodman pulldoes (#6744).
- Fixed a bug where the labeloption to--security-optwould only be shown once inpodman inspect, even if provided multiple times.
API
- Fixed a bug where network endpoint URLs in the compatibility API were mistakenly suffixed with /json.
- Fixed a bug where the Libpod volume creation endpoint returned 200 instead of 201 on success.
Misc
- Updated containers/common to v0.14.3
2.0.0
Features
- The REST API and podman system serviceare no longer experimental, and ready for use!
- The Podman command now supports remotely connections via the REST API using the --remoteflag.
- The Podman remote client has been entirely rewritten to use the HTTP API instead of Varlink.
- The podman system connectioncommand has been added to allow configuring the endpoint thatpodman-remoteandpodman --remotewill connect to.
- The podman generate systemdcommand now supports the--newflag when used with pods, allowing portable services for pods to be created.
- The podman play kubecommand now supports running Kubernetes Deployment YAML.
- The podman execcommand now supports the--detachflag to run commands in the container in the background.
- The -pflag topodman runandpodman createnow supports forwarding ports to IPv6 addresses.
- The podman run,podman createandpodman pod createcommand now support a--replaceflag to remove and replace any existing container (or, forpod create, pod) with the same name
- The --restart-policyflag topodman runandpodman createnow supports theunless-stoppedrestart policy.
- The --log-driverflag topodman runandpodman createnow supports thenonedriver, which does not log the container's output.
- The --mountflag topodman runandpodman createnow acceptsreadonlyoption as an alias toro.
- The podman generate systemdcommand now supports the--container-prefix,--pod-prefix, and--separatorarguments to control the name of generated unit files.
- The podman network lscommand now supports the--filterflag to filter results.
- The podman auto-updatecommand now supports specifying an authfile to use when pulling new images on a per-container basis using theio.containers.autoupdate.authfilelabel.
Changes
- Varlink support, including the podman varlinkcommand, is deprecated and will be removed in the next release.
- As part of the implementation of the REST API, JSON output for some commands (podman ps,podman imagesmost notably) has changed.
- Named and anonymous volumes and tmpfsfilesystems added to containers are no longer mountednoexecby default.
Bugfixes
- Fixed a bug where the podman execcommand would log to journald when run in containers logged to journald (#6555).
- Fixed a bug where the podman auto-updatecommand would not preserve the OS and architecture of the original image when pulling a replacement (#6613).
- Fixed a bug where the podman cpcommand could create an extramergeddirectory when copying into an existing directory (#6596).
- Fixed a bug where the podman pod statscommand would crash on pods run with--network=host(#5652).
- Fixed a bug where containers logs written to journald did not include the name of the container.
- Fixed a bug where the podman network inspectandpodman network rmcommands did not properly handle non-default CNI configuration paths (#6212).
- Fixed a bug where Podman did not properly remove containers when using the Kata containers OCI runtime.
- Fixed a bug where podman inspectwould sometimes incorrectly report the network mode of containers started with--net=none.
- Podman is now better able to deal with cases where conmonis killed before the container it is monitoring.
Misc
- The default Podman CNI configuration now sets HairpinModeto allow communication between containers by connecting to a forwarded port on the host.
- Updated Buildah to v1.15.0
- Updated containers/storage to v1.20.2
- Updated containers/image to v5.5.1
- Updated containers/common to v0.14.0
1.9.3
Bugfixes
- Fixed a bug where, on FIPS enabled hosts, FIPS mode secrets were not properly mounted into containers
- Fixed a bug where builds run over Varlink would hang (#6237)
Misc
- Named volumes and tmpfs filesystems will no longer default to mounting noexecfor improved compatibility with Docker
- Updated Buildah to v1.14.9
1.9.2
Bugfixes
- Fixed a bug where podman savewould fail when the target image was specified by digest (#5234)
- Fixed a bug where rootless containers with ports forwarded to them could panic and dump core due to a concurrency issue (#6018)
- Fixed a bug where rootless Podman could race when opening the rootless user namespace, resulting in commands failing to run
- Fixed a bug where HTTP proxy environment variables forwarded into the container by the --http-proxyflag could not be overridden by--envor--env-file(#6017)
- Fixed a bug where rootless Podman was setting resource limits on cgroups v2 systems that were not using systemd-managed cgroups (and thus did not support resource limits), resulting in containers failing to start
Misc
- Rootless containers will now automatically set their ulimits to the maximum allowed for the user running the container, to match the behavior of containers run as root
- Packages managed by the core Podman team will no longer include a default libpod.conf, instead defaulting tocontainers.conf. The default libpod.conf will remain available in the GitHub repository until the release of Podman 2.0
- The default Podman CNI network configuration now sets HairpinMode to allow containers to access other containers via ports published on the host
- Updated containers/common to v0.8.4
1.9.1
Bugfixes
- Fixed a bug where healthchecks could become nonfunctional if container log paths were manually set with --log-pathand multiple container logs were placed in the same directory (#5915)
- Fixed a bug where rootless Podman could, when using an older libpod.conf, print numerous warning messages about an invalid CGroup manager config
- Fixed a bug where rootless Podman would sometimes fail to close the rootless user namespace when joining it (#5873)
Misc
- Updated containers/common to v0.8.2
1.9.0
Features
- Experimental support has been added for podman run --userns=auto, which automatically allocates a unique UID and GID range for the new container's user namespace
- The podman play kubecommand now has a--networkflag to place the created pod in one or more CNI networks
- The podman commitcommand now supports an--iidfileflag to write the ID of the committed image to a file
- Initial support for the new containers.confconfiguration file has been added.containers.confallows for much more detailed configuration of some Podman functionality
Changes
- There has been a major cleanup of the podman infocommand resulting in breaking changes. Many fields have been renamed to better suit usage with APIv2
- All uses of the --timeoutflag have been switched to prefer the alternative--time. The--timeoutflag will continue to work, but man pages and--helpwill use the--timeflag instead
Bugfixes
- Fixed a bug where some volume mounts from the host would sometimes not properly determine the flags they should use when mounting
- Fixed a bug where Podman was not propagating $PATHto Conmon and the OCI runtime, causing issues for some OCI runtimes that required it
- Fixed a bug where rootless Podman would print error messages about missing support for systemd cgroups when run in a container with no cgroup support (#5488)
- Fixed a bug where podman play kubewould not properly handle container-only port mappings (#5610)
- Fixed a bug where the podman container prunecommand was not pruning containers in thecreatedandconfiguredstates
- Fixed a bug where Podman was not properly removing CNI IP address allocations after a reboot (#5433)
- Fixed a bug where Podman was not properly applying the default Seccomp profile when --security-optwas not given at the command line
HTTP API
- Many Libpod API endpoints have been added, including Changes,Checkpoint,Init, andRestore
- Resolved issues where the podman system servicecommand would time out and exit while there were still active connections
- Stability overall has greatly improved as we prepare the API for a beta release soon with Podman 2.0
Misc
- The default infra image for pods has been upgraded to k8s.gcr.io/pause:3.2(from 3.1) to address a bug in the architecture metadata for non-AMD64 images
- The slirp4netnsnetworking utility in rootless Podman now uses Seccomp filtering where available for improved security
- Updated Buildah to v1.14.8
- Updated containers/storage to v1.18.2
- Updated containers/image to v5.4.3
- Updated containers/common to v0.8.1
1.8.2
Features
- Initial support for automatically updating containers managed via Systemd unit files has been merged. This allows containers to automatically upgrade if a newer version of their image becomes available
Bugfixes
- Fixed a bug where unit files generated by podman generate systemd --newwould not force containers to detach, causing the unit to time out when trying to start
- Fixed a bug where podman system resetcould delete important system directories if run as rootless on installations created by older Podman (#4831)
- Fixed a bug where image built by podman buildwould not properly set the OS and Architecture they were built with (#5503)
- Fixed a bug where attached podman runwith--sig-proxyenabled (the default), when built with Go 1.14, would repeatedly send signal 23 to the process in the container and could generate errors when the container stopped (#5483)
- Fixed a bug where rootless podman runcommands could hang when forwarding ports
- Fixed a bug where rootless Podman would not work when /procwas mounted with thehidepidoption set
- Fixed a bug where the podman system servicecommand would use large amounts of CPU when--timeoutwas set to 0 (#5531)
HTTP API
- Initial support for Libpod endpoints related to creating and operating on image manifest lists has been added
- The Libpod Healthcheck and Events API endpoints are now supported
- The Swagger endpoint can now handle cases where no Swagger documentation has been generated
Misc
- Updated Buildah to v1.14.3
- Updated containers/storage to v1.16.5
- Several performance improvements have been made to creating containers, which should somewhat improve the performance of podman createandpodman run
1.8.1
Features
- Many networking-related flags have been added to podman pod createto enable customization of pod networks, including--add-host,--dns,--dns-opt,--dns-search,--ip,--mac-address,--network, and--no-hosts
- The podman ps --format=jsoncommand now includes the ID of the image containers were created with
- The podman runandpodman createcommands now feature an--rmiflag to remove the image the container was using after it exits (if no other containers are using said image) (#4628)
- The podman createandpodman runcommands now support the--device-cgroup-ruleflag (#4876)
- While the HTTP API remains in alpha, many fixes and additions have landed. These are documented in a separate subsection below
- The podman createandpodman runcommands now feature a--no-healthcheckflag to disable healthchecks for a container (#5299)
- Containers now recognize the io.containers.capabilitieslabel, which specifies a list of capabilities required by the image to run. These capabilities will be used as long as they are more restrictive than the default capabilities used
- YAML produced by the podman generate kubecommand now includes SELinux configuration passed into the container via--security-opt label=...(#4950)
Bugfixes
- Fixed CVE-2020-1726, a security issue where volumes manually populated before first being mounted into a container could have those contents overwritten on first being mounted into a container
- Fixed a bug where Podman containers with user namespaces in CNI networks with the DNS plugin enabled would not have the DNS plugin's nameserver added to their resolv.conf(#5256)
- Fixed a bug where trailing /characters in image volume definitions could cause them to not be overridden by a user-specified mount at the same location (#5219)
- Fixed a bug where the labeloption inlibpod.conf, used to disable SELinux by default, was not being respected (#5087)
- Fixed a bug where the podman loginandpodman logoutcommands required the registry to log into be specified (#5146)
- Fixed a bug where detached rootless Podman containers could not forward ports (#5167)
- Fixed a bug where rootless Podman could fail to run if the pause process had died
- Fixed a bug where Podman ignored labels that were specified with only a key and no value (#3854)
- Fixed a bug where Podman would fail to create named volumes when the backing filesystem did not support SELinux labelling (#5200)
- Fixed a bug where --detach-keys=""would not disable detaching from a container (#5166)
- Fixed a bug where the podman pscommand was too aggressive when filtering containers and would force--allon in too many situations
- Fixed a bug where the podman play kubecommand was ignoring image configuration, including volumes, working directory, labels, and stop signal (#5174)
- Fixed a bug where the CreatedandCreatedTimefields inpodman images --format=jsonwere misnamed, which also broke Go template output for those fields (#5110)
- Fixed a bug where rootless Podman containers with ports forwarded could hang when started (#5182)
- Fixed a bug where podman pullcould fail to parse registry names including port numbers
- Fixed a bug where Podman would incorrectly attempt to validate image OS and architecture when starting containers
- Fixed a bug where Bash completion for podman build -fwould not list available files that could be built (#3878)
- Fixed a bug where podman commit --changewould perform incorrect validation, resulting in valid changes being rejected (#5148)
- Fixed a bug where podman logs --tailcould take large amounts of memory when the log file for a container was large (#5131)
- Fixed a bug where Podman would sometimes incorrectly generate firewall rules on systems using firewalld
- Fixed a bug where the podman inspectcommand would not display network information for containers properly if a container joined multiple CNI networks (#4907)
- Fixed a bug where the --utsflag topodman createandpodman runwould only allow specifying containers by full ID (#5289)
- Fixed a bug where rootless Podman could segfault when passed a large number of file descriptors
- Fixed a bug where the podman portcommand was incorrectly interpreting additional arguments as container names, instead of port numbers
- Fixed a bug where units created by podman generate systemddid not depend on network targets, and so could start before the system network was ready (#4130)
- Fixed a bug where exec sessions in containers which did not specify a user would not inherit supplemental groups added to the container via --group-add
- Fixed a bug where Podman would not respect the $TMPDIRenvironment variable for placing large temporary files during some operations (e.g.podman pull) (#5411)
HTTP API
- Initial support for secure connections to servers via SSH tunneling has been added
- Initial support for the libpod createandlogsendpoints for containers has been added
- Added a /swagger/endpoint to serve API documentation
- The jsonendpoint for containers has received many fixes
- Filtering images and containers has been greatly improved, with many bugs fixed and documentation improved
- Image creation endpoints (commit, pull, etc) have seen many fixes
- Server timeout has been fixed so that long operations will no longer trigger the timeout and shut the server down
- The statsendpoint for containers has seen major fixes and now provides accurate output
- Handling the HTTP 304 status code has been fixed for all endpoints
- Many fixes have been made to API documentation to ensure it matches the code
Misc
- Updated vendored Buildah to v1.14.2
- Updated vendored containers/storage to v1.16.2
- The Createdfield topodman images --format=jsonhas been renamed toCreatedSinceas part of the fix for (#5110). Go templates using the old name should still work
- The CreatedTimefield topodman images --format=jsonhas been renamed toCreatedAtas part of the fix for (#5110). Go templates using the old name should still work
- The beforefilter topodman imageshas been renamed tosincefor Docker compatibility. Usingbeforewill still work, but documentation has been changed to use the newsincefilter
- Using the --passwordflag topodman loginnow warns that passwords are being passed in plaintext
- Some common cases where Podman would deadlock have been fixed to warn the user that podman system renumbermust be run to resolve the deadlock
1.8.0
Features
- The podman system servicecommand has been added, providing a preview of Podman's new Docker-compatible API. This API is still very new, and not yet ready for production use, but is available for early testing
- Rootless Podman now uses Rootlesskit for port forwarding, which should greatly improve performance and capabilities
- The podman untagcommand has been added to remove tags from images without deleting them
- The podman inspectcommand on images now displays previous names they used
- The podman generate systemdcommand now supports a--newoption to generate service files that create and run new containers instead of managing existing containers
- Support for --log-opt tag=to set logging tags has been added to thejournaldlog driver
- Added support for using Seccomp profiles embedded in images for podman runandpodman createvia the new--seccomp-policyCLI flag (#4806)
- The podman play kubecommand now honors pull policy (#4880)
Bugfixes
- Fixed a bug where the podman cpcommand would not copy the contents of directories when paths ending in/.were given (#4717)
- Fixed a bug where the podman play kubecommand did not properly locate Seccomp profiles specified relative to localhost (#4555)
- Fixed a bug where the podman infocommand for remote Podman did not show registry information (#4793)
- Fixed a bug where the podman execcommand did not support having input piped into it (#3302)
- Fixed a bug where the podman cpcommand with rootless Podman on CGroups v2 systems did not properly determine if the container could be paused while copying (#4813)
- Fixed a bug where the podman container prune --forcecommand could possible remove running containers if they were started while the command was running (#4844)
- Fixed a bug where Podman, when run as root, would not properly configure slirp4netnsnetworking when requested (#4853)
- Fixed a bug where podman run --userns=keep-iddid not work when the user had a UID over 65535 (#4838)
- Fixed a bug where rootless podman runandpodman createwith the--userns=keep-idoption could change permissions on/run/user/$UIDand break KDE (#4846)
- Fixed a bug where rootless Podman could not be run in a systemd service on systems using CGroups v2 (#4833)
- Fixed a bug where podman inspectwould show CPUShares as 0, instead of the default (1024), when it was not explicitly set (#4822)
- Fixed a bug where podman-remote pushwould segfault (#4706)
- Fixed a bug where image healthchecks were not shown in the output of podman inspect(#4799)
- Fixed a bug where named volumes created with containers from pre-1.6.3 releases of Podman would be autoremoved with their containers if the --rmflag was given, even if they were given names (#5009)
- Fixed a bug where podman historywas not computing image sizes correctly (#4916)
- Fixed a bug where Podman would not error on invalid values to the --sortflag topodman images
- Fixed a bug where providing a name for the image made by podman commitwas mandatory, not optional as it should be (#5027)
- Fixed a bug where the remote Podman client would append an extra "to%PATH(#4335)
- Fixed a bug where the podman buildcommand would sometimes ignore the-foption and build the wrong Containerfile
- Fixed a bug where the podman ps --filtercommand would only filter running containers, instead of all containers, if--allwas not passed (#5050)
- Fixed a bug where the podman loadcommand on compressed images would leave an extra copy on disk
- Fixed a bug where the podman restartcommand would not properly clean up the network, causing it to function differently frompodman stop; podman start(#5051)
- Fixed a bug where setting the --memory-swapflag topodman createandpodman runto-1(to indicate unlimited) was not supported (#5091)
Misc
- Initial work on version 2 of the Podman remote API has been merged, but is still in an alpha state and not ready for use. Read more here
- Many formatting corrections have been made to the manpages
- The changes to address (#5009) may cause anonymous volumes created by Podman versions 1.6.3 to 1.7.0 to not be removed when their container is removed
- Updated vendored Buildah to v1.13.1
- Updated vendored containers/storage to v1.15.8
- Updated vendored containers/image to v5.2.0
1.7.0
Features
- Added support for setting a static MAC address for containers
- Added support for creating macvlannetworks withpodman network create, allowing Podman containers to be attached directly to networks the host is connected to
- The podman image pruneandpodman container prunecommands now support the--filterflag to filter what will be pruned, and now prompts for confirmation when run without--force(#4410 and #4411)
- Podman now creates CGroup namespaces by default on systems using CGroups v2 (#4363)
- Added the podman system resetcommand to remove all Podman files and perform a factory reset of the Podman installation
- Added the --historyflag topodman imagesto display previous names used by images (#4566)
- Added the --ignoreflag topodman rmandpodman stopto not error when requested containers no longer exist
- Added the --cidfileflag topodman rmandpodman stopto read the IDs of containers to be removed or stopped from a file
- The podman play kubecommand now honors Seccomp annotations (#3111)
- The podman play kubecommand now honorsRunAsUser,RunAsGroup, andselinuxOptions
- The output format of the podman versioncommand has been changed to better matchdocker versionwhen using the--formatflag
- Rootless Podman will no longer initialize containers/storage twice, removing a potential deadlock preventing Podman commands from running while an image was being pulled (#4591)
- Added tmpcopyupandnotmpcopyupoptions to the--tmpfsand--mount type=tmpfsflags topodman createandpodman runto control whether the content of directories are copied into tmpfs filesystems mounted over them
- Added support for disabling detaching from containers by setting empty detach keys via --detach-keys=""
- The podman buildcommand now supports the--pulland--pull-neverflags to control when images are pulled during a build
- The podman ps -pcommand now shows the name of the pod as well as its ID (#4703)
- The podman inspectcommand on containers will now display the command used to create the container
- The podman infocommand now displays information on registry mirrors (#4553)
Bugfixes
- Fixed a bug where Podman would use an incorrect runtime directory as root, causing state to be deleted after root logged out and making Podman in systemd services not function properly
- Fixed a bug where the --changeflag topodman importandpodman commitwas not being parsed properly in many cases
- Fixed a bug where detach keys specified in libpod.confwere not used by thepodman attachandpodman execcommands, which always used the global defaultctrl-p,ctrl-qkey combination (#4556)
- Fixed a bug where rootless Podman was not able to run podman pod statseven on CGroups v2 enabled systems (#4634)
- Fixed a bug where rootless Podman would fail on kernels without the renameat2syscall (#4570)
- Fixed a bug where containers with chained network namespace dependencies (IE, container A using --net container=Band container B using--net container=C) would not properly mount/etc/hostsand/etc/resolv.confinto the container (#4626)
- Fixed a bug where podman runwith the--rmflag and without-dcould, when run in the background, throw a 'container does not exist' error when attempting to remove the container after it exited
- Fixed a bug where named volume locks were not properly reacquired after a reboot, potentially leading to deadlocks when trying to start containers using the volume (#4605 and #4621)
- Fixed a bug where Podman could not completely remove containers if sent SIGKILL during removal, leaving the container name unusable without the podman rm --storagecommand to complete removal (#3906)
- Fixed a bug where checkpointing containers started with --rmwas allowed when--exportwas not specified (the container, and checkpoint, would be removed after checkpointing was complete by--rm) (#3774)
- Fixed a bug where the podman pod prunecommand would fail if containers were present in the pods and the--forceflag was not passed (#4346)
- Fixed a bug where containers could not set a static IP or static MAC address if they joined a non-default CNI network (#4500)
- Fixed a bug where podman system renumberwould always throw an error if a container was mounted when it was run
- Fixed a bug where podman container restorewould fail with containers using a user namespace
- Fixed a bug where rootless Podman would attempt to use the journald events backend even on systems without systemd installed
- Fixed a bug where podman historywould sometimes not properly identify the IDs of layers in an image (#3359)
- Fixed a bug where containers could not be restarted when Conmon v2.0.3 or later was used
- Fixed a bug where Podman did not check image OS and Architecture against the host when starting a container
- Fixed a bug where containers in pods did not function properly with the Kata OCI runtime (#4353)
- Fixed a bug where `podman info --format '{{ json . }}' would not produce JSON output (#4391)
- Fixed a bug where Podman would not verify if files passed to --authfileexisted (#4328)
- Fixed a bug where podman images --digestwould not always print digests when they were available
- Fixed a bug where rootless podman runcould hang due to a race with reading and writing events
- Fixed a bug where rootless Podman would print warning-level logs despite not be instructed to do so (#4456)
- Fixed a bug where podman pullwould attempt to fetch from remote registries when pulling an unqualified image using thedocker-daemontransport (#4434)
- Fixed a bug where podman cpwould not work if STDIN was a pipe
- Fixed a bug where podman execcould stop accepting input if anything was typed between the command being run and the exec session starting (#4397)
- Fixed a bug where podman logs --tail 0would print all lines of a container's logs, instead of no lines (#4396)
- Fixed a bug where the timeout for slirp4netnswas incorrectly set, resulting in an extremely long timeout (#4344)
- Fixed a bug where the podman statscommand would print CPU utilizations figures incorrectly (#4409)
- Fixed a bug where the podman inspect --sizecommand would not print the size of the container's read/write layer if the size was 0 (#4744)
- Fixed a bug where the podman killcommand was not properly validating signals before use (#4746)
- Fixed a bug where the --quietand--formatflags topodman pscould not be used at the same time
- Fixed a bug where the podman stopcommand was not stopping exec sessions when a container was created without a PID namespace (--pid=host)
- Fixed a bug where the podman pod rm --forcecommand was not removing anonymous volumes for containers that were removed
- Fixed a bug where the podman checkpointcommand would not export all changes to the root filesystem of the container if performed more than once on the same container (#4606)
- Fixed a bug where containers started with --rmwould not be automatically removed on being stopped if an exec session was running inside the container (#4666)
Misc
- The fixes to runtime directory path as root can cause strange behavior if an upgrade is performed while containers are running
- Updated vendored Buildah to v1.12.0
- Updated vendored containers/storage library to v1.15.4
- Updated vendored containers/image library to v5.1.0
- Kata Containers runtimes (kata-runtime,kata-qemu, andkata-fc) are now present in the default libpod.conf, but will not be available unless Kata containers is installed on the system
- Podman previously did not allow the creation of containers with a memory limit lower than 4MB. This restriction has been removed, as the crunruntime can create containers with significantly less memory
1.6.3
Features
- Handling of the libpod.confconfiguration file has seen major changes. Most significantly, rootless users will no longer automatically receive a complete configuration file when they first use Podman, and will instead only receive differences from the global configuration.
- Initial support for the CNI DNS plugin, which allows containers to resolve the IPs of other containers via DNS name, has been added
- Podman now supports anonymous named volumes, created by specifying only a destination to the -vflag to thepodman createandpodman runcommands
- Named volumes now support uidandgidoptions in--opt o=...to set UID and GID of the created volume
Bugfixes
- Fixed a bug where the podman startcommand would print container ID, instead of name, when starting containers given their name
- Fixed a bug where named volumes with options did not properly detect issues with mounting the volume, leading to an inconsistent state (#4303)
- Fixed a bug where incorrect Seccomp profiles were used in containers generated by podman play kube
- Fixed a bug where processes started by podman execwould have the wrong SELinux label in some circumstances (#4361)
- Fixed a bug where error messages from slirp4netnswould be lost
- Fixed a bug where podman run --network=$NAMEwould not throw an error in rootless Podman, where CNI networks are not supported
- Fixed a bug where podman network createwould throw confusing errors when trying to create a volume with a name that already exists
- Fixed a bug where Podman would not error if the systemdCGroup manager was specified, but systemd could not be contacted over DBus
- Fixed a bug where image volumes were mounted noexec(#4318)
- Fixed a bug where the podman statscommand required the name of a container to be given, instead of showing all containers when no container was specified (#4274)
- Fixed a bug where the podman volume inspectcommand would not show the options that named volumes were created with
- Fixed a bug where custom storage configuration was not written to storage.confat time of first creation for rootless Podman (#2659)
- Fixed a bug where remote Podman did not support shell redirection of container output
Misc
- Updated vendored containers/image library to v5.0
- Initial support for images using manifest lists has been added, though commands for directly interacting with manifests are still missing
- Support for pushing to and pulling from OSTree has been removed due to deprecation in the containers/image library
- Rootless Podman no longer enables linger on systems with systemd as init by default. As such, containers will now be killed when the user who ran them logs out, unless linger is explicitly enabled using loginctl
- Podman will now check the version of conmonthat is in use to ensure it is sufficient
1.6.2
Features
- Added a --runtimeflag topodman system migrateto allow the OCI runtime for all containers to be reset, to ease transition to thecrunruntime on CGroups V2 systems untilruncgains full support
- The podman rmcommand can now remove containers in broken states which previously could not be removed
- The podman infocommand, when run without root, now shows information on UID and GID mappings in the rootless user namespace
- Added podman build --squash-allflag, which squashes all layers (including those of the base image) into one layer
- The --systemdflag topodman runandpodman createnow accepts a string argument and allows a new value,always, which forces systemd support without checking if the the container entrypoint is systemd
Bugfixes
- Fixed a bug where the podman topcommand did not work on systems using CGroups V2 (#4192)
- Fixed a bug where rootless Podman could double-close a file, leading to a panic
- Fixed a bug where rootless Podman could fail to retrieve some containers while refreshing the state
- Fixed a bug where podman start --attach --sig-proxy=falsewould still proxy signals into the container
- Fixed a bug where Podman would unconditionally use a non-default path for authentication credentials (auth.json), breakingpodman loginintegration withskopeoand other tools using the containers/image library
- Fixed a bug where podman ps --format=jsonandpodman images --format=jsonwould displaynullwhen no results were returned, instead of valid JSON
- Fixed a bug where podman build --squashwas incorrectly squashing all layers into one, instead of only new layers
- Fixed a bug where rootless Podman would allow volumes with options to be mounted (mounting volumes requires root), creating an inconsistent state where volumes reported as mounted but were not (#4248)
- Fixed a bug where volumes which failed to unmount could not be removed (#4247)
- Fixed a bug where Podman incorrectly handled some errors relating to unmounted or missing containers in containers/storage
- Fixed a bug where podman statswas broken on systems running CGroups V2 when run rootless (#4268)
- Fixed a bug where the podman startcommand would print the short container ID, instead of the full ID
- Fixed a bug where containers created with an OCI runtime that is no longer available (uninstalled or removed from the config file) would not appear in podman psand could not be removed viapodman rm
- Fixed a bug where containers restored via podman container restore --importwould retain the CGroup path of the original container, even if their container ID changed; thus, multiple containers created from the same checkpoint would all share the same CGroup
Misc
- The default PID limit for containers is now set to 4096. It can be adjusted back to the old default (unlimited) by passing --pids-limit 0topodman createandpodman run
- The podman start --attachcommand now automatically attachesSTDINif the container was created with-i
- The podman network createcommand now validates network names using the same regular expression as container and pod names
- The --systemdflag topodman runandpodman createwill now only enable systemd mode when the binary being run inside the container is/sbin/init,/usr/sbin/init, or ends insystemd(previously detected any path ending ininitorsystemd)
- Updated vendored Buildah to 1.11.3
- Updated vendored containers/storage to 1.13.5
- Updated vendored containers/image to 4.0.1
1.6.1
Bugfixes
- Fixed a bug where rootless Podman on systems using CGroups V2 would not function with the cgroupfsCGroups manager
- Fixed a bug where rootless Podman could not correctly identify the DBus session address, causing containers to fail to start (#4162)
- Fixed a bug where rootless Podman with slirp4netnsnetworking would fail to start containers due to mount leaks
1.6.0
Features
- The podman network create,podman network rm,podman network inspect, andpodman network lscommands have been added to manage CNI networks used by Podman
- The podman volume createcommand can now create and mount volumes with options, allowing volumes backed by NFS, tmpfs, and many other filesystems
- Podman can now run containers without CGroups for better integration with systemd by using the --cgroups=disabledflag withpodman createandpodman run. This is presently only supported with thecrunOCI runtime
- The podman volume rmandpodman volume inspectcommands can now refer to volumes by an unambiguous partial name, in addition to full name (e.g.podman volume rm myvolto remove a volume namedmyvolume) (#3891)
- The podman runandpodman createcommands now support the--pullflag to allow forced re-pulling of images (#3734)
- Mounting volumes into a container using --volume,--mount, and--tmpfsnow allows thesuid,dev, andexecmount options (the inverse ofnosuid,nodev,noexec) (#3819)
- Mounting volumes into a container using --mountnow allows therelabel=Zandrelabel=zoptions to relabel mounts.
- The podman pushcommand now supports the--digestfileoption to save a file containing the pushed digest
- Pods can now have their hostname set via podman pod create --hostnameor providing Pod YAML with a hostname set topodman play kube(#3732)
- The podman image signcommand now supports the--cert-dirflag
- The podman runandpodman createcommands now support the--security-opt label=filetype:$LABELflag to set the SELinux label for container files
- The remote Podman client now supports healthchecks
Bugfixes
- Fixed a bug where remote podman pullwould panic if a Varlink connection was not available (#4013)
- Fixed a bug where podman execwould not properly set terminal size when creating a new exec session (#3903)
- Fixed a bug where podman execwould not clean up socket symlinks on the host (#3962)
- Fixed a bug where Podman could not run systemd in containers that created a CGroup namespace
- Fixed a bug where podman prune -awould attempt to prune images used by Buildah and CRI-O, causing errors (#3983)
- Fixed a bug where improper permissions on the ~/.configdirectory could cause rootless Podman to use an incorrect directory for storing some files
- Fixed a bug where the bash completions for podman importthrew errors
- Fixed a bug where Podman volumes created with podman volume createwould not copy the contents of their mountpoint the first time they were mounted into a container (#3945)
- Fixed a bug where rootless Podman could not run podman execwhen the container was not run inside a CGroup owned by the user (#3937)
- Fixed a bug where podman play kubewould panic when given Pod YAML without asecurityContext(#3956)
- Fixed a bug where Podman would place files incorrectly when storage.confconfiguration items were set to the empty string (#3952)
- Fixed a bug where podman builddid not correctly inherit Podman's CGroup configuration, causing crashed on CGroups V2 systems (#3938)
- Fixed a bug where podman cpwould improperly copy files on the host when copying a symlink in the container that included a glob operator (#3829)
- Fixed a bug where remote podman run --rmwould exit before the container was completely removed, allowing race conditions when removing container resources (#3870)
- Fixed a bug where rootless Podman would not properly handle changes to /etc/subuidand/etc/subgidafter a container was launched
- Fixed a bug where rootless Podman could not include some devices in a container using the --deviceflag (#3905)
- Fixed a bug where the commitVarlink API would segfault if provided incorrect arguments (#3897)
- Fixed a bug where temporary files were not properly cleaned up after a build using remote Podman (#3869)
- Fixed a bug where podman remote cpcrashed instead of reporting it was not yet supported (#3861)
- Fixed a bug where podman execwould run as the wrong user when execing into a container was started from an image with DockerfileUSER(or a user specified viapodman run --user) (#3838)
- Fixed a bug where images pulled using the oci:transport would be improperly named
- Fixed a bug where podman varlinkwould hang when managed by systemd due to SD_NOTIFY support conflicting with Varlink (#3572)
- Fixed a bug where mounts to the same destination would sometimes not trigger a conflict, causing a race as to which was actually mounted
- Fixed a bug where podman exec --preserve-fdscaused Podman to hang (#4020)
- Fixed a bug where removing an unmounted container that was unmounted might sometimes not properly clean up the container (#4033)
- Fixed a bug where the Varlink server would freeze when run in a systemd unit file (#4005)
- Fixed a bug where Podman would not properly set the $HOMEenvironment variable when the OCI runtime did not set it
- Fixed a bug where rootless Podman would incorrectly print warning messages when an OCI runtime was not found (#4012)
- Fixed a bug where named volumes would conflict with, instead of overriding, tmpfsfilesystems added by the--read-only-tmpfsflag topodman createandpodman run
- Fixed a bug where podman cpwould incorrectly make the target directory when copying to a symlink which pointed to a nonexistent directory (#3894)
- Fixed a bug where remote Podman would incorrectly read STDINwhen the-iflag was not set (#4095)
- Fixed a bug where podman play kubewould create an empty pod when given an unsupported YAML type (#4093)
- Fixed a bug where podman import --changeimproperly parsedCMD(#4000)
Misc
- Significant changes were made to Podman volumes in this release. If you have pre-existing volumes, it is strongly recommended to run podman system renumberafter upgrading.
- Version 0.8.1 or greater of the CNI Plugins is now required for Podman
- Version 2.0.1 or greater of Conmon is strongly recommended
- Updated vendored Buildah to v1.11.2
- Updated vendored containers/storage library to v1.13.4
- Improved error messages when trying to create a pod with no name via podman play kube
- Improved error messages when trying to run podman pauseorpodman statson a rootless container on a system without CGroups V2 enabled
- TMPDIRhas been set to- /var/tmpby default to better handle large temporary files
- podman waithas been optimized to detect stopped containers more rapidly
- Podman containers now include a ContainerManagerannotation indicating they were created bylibpod
- The podman infocommand now includes information aboutslirp4netnsandfuse-overlayfsif they are available
- Podman no longer sets a default size of 65kb for tmpfs filesystems
- The default Podman CNI network has been renamed in an attempt to prevent conflicts with CRI-O when both are run on the same system. This should only take effect on system restart
- The output of podman volume inspecthas been more closely matched todocker volume inspect
1.5.1
Features
- The hostname of pods is now set to the pod's name
Bugfixes
- Fixed a bug where podman runandpodman createdid not honor the--authfileoption (#3730)
- Fixed a bug where containers restored with podman container restore --importwould incorrectly duplicate the Conmon PID file of the original container
- Fixed a bug where podman buildignored the default OCI runtime configured inlibpod.conf
- Fixed a bug where podman run --rm(or force-removing any running container withpodman rm --force) were not retrieving the correct exit code (#3795)
- Fixed a bug where Podman would exit with an error if any configured hooks directory was not present
- Fixed a bug where podman inspectandpodman commitwould not use the correctCMDfor containers run withpodman play kube
- Fixed a bug created pods when using rootless Podman and CGroups V2 (#3801)
- Fixed a bug where the podman eventscommand with the--sinceor--untiloptions could take a very long time to complete
Misc
- Rootless Podman will now inherit OCI runtime configuration from the root configuration (#3781)
- Podman now properly sets a user agent while contacting registries (#3788)
1.5.0
Features
- Podman containers can now join the user namespaces of other containers with --userns=container:$ID, or a user namespace at an arbitrary path with--userns=ns:$PATH
- Rootless Podman can experimentally squash all UIDs and GIDs in an image to a single UID and GID (which does not require use of the newuidmapandnewgidmapexecutables) by passing--storage-opt ignore_chown_errors
- The podman generate kubecommand now produces YAML for any bind mounts the container has created (#2303)
- The podman container restorecommand now features a new flag,--ignore-static-ip, that can be used with--importto import a single container with a static IP multiple times on the same host
- Added the ability for podman eventsto output JSON by specifying--format=json
- If the OCI runtime or conmonbinary cannot be found at the paths specified inlibpod.conf, Podman will now also search for them in the calling user's path
- Added the ability to use podman importwith URLs (#3609)
- The podman pscommand now supports filtering names using regular expressions (#3394)
- Rootless Podman containers with --privilegedset will now mount in all host devices that the user can access
- The podman createandpodman runcommands now support the--env-hostflag to forward all environment variables from the host into the container
- Rootless Podman now supports healthchecks (#3523)
- The format of the HostConfigportion of the output ofpodman inspecton containers has been improved and synced with Docker
- Podman containers now support CGroup namespaces, and can create them by passing --cgroupns=privatetopodman runorpodman create
- The podman createandpodman runcommands now support the--ulimit=hostflag, which uses any ulimits currently set on the host for the container
- The podman rmandpodman rmicommands now use different exit codes to indicate 'no such container' and 'container is running' errors
- Support for CGroups V2 through the crunOCI runtime has been greatly improved, allowing resource limits to be set for rootless containers when the CGroups V2 hierarchy is in use
Bugfixes
- Fixed a bug where a race condition could cause podman restartto fail to start containers with ports
- Fixed a bug where containers restored from a checkpoint would not properly report the time they were started at
- Fixed a bug where podman searchwould return at most 25 results, even when the maximum number of results was set higher
- Fixed a bug where podman play kubewould not honor capabilities set in imported YAML (#3689)
- Fixed a bug where podman run --env, when passed a single key (to use the value from the host), would set the environment variable in the container even if it was not set on the host (#3648)
- Fixed a bug where podman commit --changeswould not properly set environment variables
- Fixed a bug where Podman could segfault while working with images with no history
- Fixed a bug where podman volume rmcould remove arbitrary volumes if given an ambiguous name (#3635)
- Fixed a bug where podman execinvocations leaked memory by not cleaning up files in tmpfs
- Fixed a bug where the --dnsand--net=containerflags topodman runandpodman createwere not mutually exclusive (#3553)
- Fixed a bug where rootless Podman would be unable to run containers when less than 5 UIDs were available
- Fixed a bug where containers in pods could not be removed without removing the entire pod (#3556)
- Fixed a bug where Podman would not properly clean up all CGroup controllers for created cgroups when using the cgroupfsCGroup driver
- Fixed a bug where Podman containers did not properly clean up files in tmpfs, resulting in a memory leak as containers stopped
- Fixed a bug where healthchecks from images would not use default settings for interval, retries, timeout, and start period when they were not provided by the image (#3525)
- Fixed a bug where healthchecks using the HEALTHCHECK CMDformat where not properly supported (#3507)
- Fixed a bug where volume mounts using relative source paths would not be properly resolved (#3504)
- Fixed a bug where podman rundid not use authorization credentials when a custom path was specified (#3524)
- Fixed a bug where containers checkpointed with podman container checkpointdid not properly set their finished time
- Fixed a bug where running podman inspecton any container not created withpodman runorpodman create(for example, pod infra containers) would result in a segfault (#3500)
- Fixed a bug where healthcheck flags for podman createandpodman runwere incorrectly named (#3455)
- Fixed a bug where Podman commands would fail to find targets if a partial ID was specified that was ambiguous between a container and pod (#3487)
- Fixed a bug where restored containers would not have the correct SELinux label
- Fixed a bug where Varlink endpoints were not working properly if morewas not correctly specified
- Fixed a bug where the Varlink PullImage endpoint would crash if an error occurred (#3715)
- Fixed a bug where the --mountflag topodman createandpodman rundid not allow boolean arguments for itsroandrwoptions (#2980)
- Fixed a bug where pods did not properly share the UTS namespace, resulting in incorrect behavior from some utilities which rely on hostname (#3547)
- Fixed a bug where Podman would unconditionally append ENTRYPOINTtoCMDduringpodman commit(and when reportingCMDinpodman inspect) (#3708)
- Fixed a bug where podman eventswith thejournaldevents backend would incorrectly print 6 previous events when only new events were requested (#3616)
- Fixed a bug where podman portwould exit prematurely when a port number was specified (#3747)
- Fixed a bug where passing .as an argument to the--dns-searchflag topodman createandpodman runwas not properly clearing DNS search domains in the container
Misc
- Updated vendored Buildah to v1.10.1
- Updated vendored containers/image to v3.0.2
- Updated vendored containers/storage to v1.13.1
- Podman now requires conmon v2.0.0 or higher
- The podman infocommand now displays the events logger being in use
- The podman inspectcommand on containers now includes the ID of the pod a container has joined and the PID of the container's conmon process
- The -vshort flag forpodman --versionhas been re-added
- Error messages from podman pullshould be significantly clearer
- The podman execcommand is now available in the remote client
1.4.4
Bugfixes
- Fixed a bug where rootless Podman would attempt to use the entire root configuration if no rootless configuration was present for the user, breaking rootless Podman for new installations
- Fixed a bug where rootless Podman's pause process would block SIGTERM, preventing graceful system shutdown and hanging until the system's init send SIGKILL
- Fixed a bug where running Podman as root with sudo -Ewould not work after running rootless Podman at least once
- Fixed a bug where options for tmpfsvolumes added with the--tmpfsflag were being ignored
- Fixed a bug where images with no layers could not properly be displayed and removed by Podman
- Fixed a bug where locks were not properly freed on failure to create a container or pod
Misc
- Updated containers/storage to v1.12.13
1.4.3
Features
- Podman now has greatly improved support for containers using multiple OCI runtimes. Containers now remember if they were created with a different runtime using --runtimeand will always use that runtime
- The cachedanddelegatedoptions for volume mounts are now allowed for Docker compatibility (#3340)
- The podman diffcommand now supports the--latestflag
Bugfixes
- Fixed a bug where podman cpon a single file would create a directory at the target and place the file in it (#3384)
- Fixed a bug where podman inspect --format '{{.Mounts}}'would print a hexadecimal address instead of a container's mounts
- Fixed a bug where rootless Podman would not add an entry to container's /etc/hostsfiles for their own hostname (#3405)
- Fixed a bug where podman ps --syncwould segfault (#3411)
- Fixed a bug where podman generate kubewould produce an invalid ports configuration (#3408)
Misc
- Podman now performs much better on systems with heavy I/O load
- The --cgroup-managerflag topodmannow shows the correct default setting in help if the default was overridden bylibpod.conf
- For backwards compatibility, setting --log-driver=json-fileinpodman runis now supported as an alias for--log-driver=k8s-file. This is considered deprecated, andjson-filewill be moved to a new implementation in the future (#3363)
- Podman's default libpod.conffile now allows the crun OCI runtime to be used if it is installed
1.4.2
Bugfixes
- Fixed a bug where Podman could not run containers using an older version of Systemd as init (#3295)
Misc
- Updated vendored Buildah to v1.9.0 to resolve a critical bug with Dockerfile RUNinstructions
- The error message for running podman killon containers that are not running has been improved
- The Podman remote client can now log to a file if syslog is not available
1.4.1
Features
- The podman execcommand now sets its error code differently based on whether the container does not exist, and the command in the container does not exist
- The podman inspectcommand on containers now outputs Mounts JSON that matches that ofdocker inspect, only including user-specified volumes and differentiating bind mounts and named volumes
- The podman inspectcommand now reports the path to a container's OCI spec with theOCIConfigPathkey (only included when the container is initialized or running)
- The podman run --mountcommand now supports thebind-nonrecursiveoption for bind mounts (#3314)
Bugfixes
- Fixed a bug where podman play kubewould fail to create containers due to an unspecified log driver
- Fixed a bug where Podman would fail to build with musl libc (#3284)
- Fixed a bug where rootless Podman using slirp4netnsnetworking in an environment with no nameservers on the host other than localhost would result in nonfunctional networking (#3277)
- Fixed a bug where podman importwould not properly set environment variables, discarding their values and retaining only keys
- Fixed a bug where Podman would fail to run when built with Apparmor support but run on systems without the Apparmor kernel module loaded (#3331)
Misc
- Remote Podman will now default the username it uses to log in to remote systems to the username of the current user
- Podman now uses JSON logging with OCI runtimes that support it, allowing for better error reporting
- Updated vendored Buildah to v1.8.4
- Updated vendored containers/image to v2.0
1.4.0
Features
- The podman checkpointandpodman restorecommands can now be used to migrate containers between Podman installations on different systems (#1618)
- The podman cpcommand now supports apauseflag to pause containers while copying into them
- The remote client now supports a configuration file for pre-configuring connections to remote Podman installations
Bugfixes
- Fixed CVE-2019-10152 - The podman cpcommand improperly dereferenced symlinks in host context
- Fixed a bug where podman commitcould improperly set environment variables that contained=characters (#3132)
- Fixed a bug where rootless Podman would sometimes fail to start containers with forwarded ports (#2942)
- Fixed a bug where podman versionon the remote client could segfault (#3145)
- Fixed a bug where podman container runlabelwould use/proc/self/exeinstead of the path of the Podman command when printing the command being executed
- Fixed a bug where filtering images by label did not work (#3163)
- Fixed a bug where specifying a bing mount or tmpfs mount over an image volume would cause a container to be unable to start (#3174)
- Fixed a bug where podman generate kubedid not work with containers with named volumes
- Fixed a bug where rootless Podman would receive permission deniederrors accessingconmon.pid(#3187)
- Fixed a bug where podman cpwith a folder specified as target would replace the folder, as opposed to copying into it (#3184)
- Fixed a bug where rootless Podman commands could double-unlock a lock, causing a crash (#3207)
- Fixed a bug where Podman incorrectly set tmpcopyupon/dev/mounts, causing errors when using the Kata containers runtime (#3229)
- Fixed a bug where podman execwould fail on older kernels (#2968)
Misc
- The podman inspectcommand on containers now uses theIdkey (instead ofID) for the container's ID, for better compatibility with the output ofdocker inspect
- The podman commitcommand is now usable with the Podman remote client
- The --signature-policyflag (used with several image-related commands) has been deprecated
- The podman unsharecommand now defines two environment variables in the spawned shell:CONTAINERS_RUNROOTandCONTAINERS_GRAPHROOT, pointing to temporary and permanent storage for rootless containers
- Updated vendored containers/storage and containers/image libraries with numerous bugfixes
- Updated vendored Buildah to v1.8.3
- Podman now requires Conmon v0.2.0
- The podman cpcommand is now aliased aspodman container cp
- Rootless Podman will now default init_pathusing root Podman's configuration files (/etc/containers/libpod.confand/usr/share/containers/libpod.conf) if not overridden in the rootless configuration
1.3.1
Features
- The podman cpcommand can now read input redirected toSTDIN, and output toSTDOUTinstead of a file, using-instead of an argument.
- The Podman remote client now displays version information from both the client and server in podman version
- The podman unsharecommand has been added, allowing easy entry into the user namespace set up by rootless Podman (allowing the removal of files created by rootless Podman, among other things)
Bugfixes
- Fixed a bug where Podman containers with the --rmflag were removing created volumes when they were automatically removed (#3071)
- Fixed a bug where container and pod locks were incorrectly marked as released after a system reboot, causing errors on container and pod removal (#2900)
- Fixed a bug where Podman pods could not be removed if any container in the pod encountered an error during removal (#3088)
- Fixed a bug where Podman pods run with the cgroupfsCGroup driver would encounter a race condition during removal, potentially failing to remove the pod CGroup
- Fixed a bug where the podman container checkpointandpodman container restorecommands were not visible in the remote client
- Fixed a bug where podman remote ps --nswould not print the container's namespaces (#2938)
- Fixed a bug where removing stopped containers with healthchecks could cause an error
- Fixed a bug where the default libpod.conffile was causing parsing errors (#3095)
- Fixed a bug where pod locks were not being freed when pods were removed, potentially leading to lock exhaustion
- Fixed a bug where 'podman run' with SD_NOTIFY set could, on short-running containers, create an inconsistent state rendering the container unusable
Misc
- The remote Podman client now uses the Varlink bridge to establish remote connections by default
1.3.0
Features
- Podman now supports container restart policies! The --restartflag onpodman createandpodman runallows containers to be restarted after they exit. Please note that Podman cannot restart containers after a system reboot - for that, see our next feature
- Podman podman generate systemdcommand was added to generate systemd unit files for managing Podman containers
- The podman runlabelcommand now allows a$GLOBAL_OPTSvariable, which will be populated by global options passed to thepodman runlabelcommand, allowing custom storage configurations to be passed into containers run withrunlabel(#2399)
- The podman play kubecommand now allowsFileandFileOrCreatevolumes
- The podman pod prunecommand was added to prune unused pods
- Added the podman system migratecommand to migrate containers using older configurations to allow their use by newer Libpod versions (#2935)
- Podman containers now forward proxy-related environment variables from the host into the container with the --http-proxyflag (enabled by default)
- Read-only Podman containers can now create tmpfs filesystems on /tmp,/var/tmp, and/runwith the--read-only-tmpfsflag (enabled by default)
- The podman initcommand was added, performing all container pre-start tasks without starting the container to allow pre-run debugging
Bugfixes
- Fixed a bug where podman cpwould not copy folders (#2836)
- Fixed a bug where Podman would panic when the Varlink API attempted too pull a nonexistent image (#2860)
- Fixed a bug where podman rmisometimes did not produce an event when images were deleted
- Fixed a bug where Podman would panic when the Varlink API passed improperly-formatted options when attempting to build (#2869)
- Fixed a bug where podman imageswould not print a header if no images were present (#2877)
- Fixed a bug where the podman imagescommand with--filter dangling=falsewould incorrectly print dangling images instead of images which are not dangling (#2884)
- Fixed a bug where rootless Podman would panic when any command was run after the system was rebooted (#2894)
- Fixed a bug where Podman containers in user namespaces would include undesired directories from the host in /sys/kernel
- Fixed a bug where podman createwould panic when trying to create a container whose name already existed
- Fixed a bug where podman pullwould exit 0 on failing to pull an image (#2785)
- Fixed a bug where podman pullwould not properly print the cause of errors that occurred (#2710)
- Fixed a bug where rootless Podman commands were not properly suspended via ctrl-zin a shell (#2775)
- Fixed a bug where Podman would error when cleaning up containers when some container mountpoints in /sys/were cleaned up already by the closing of the mount namespace
- Fixed a bug where podman play kubewas not including environment variables from the image run (#2930)
- Fixed a bug where podman play kubewould not properly clean up partially-created pods when encountering an error
- Fixed a bug where podman commitwith the--changeflag improperly setCMDwhen a multipart value was provided (#2951)
- Fixed a bug where the --mountflag topodman createandpodman rundid not properly validate its arguments, causing Podman to panic
- Fixed a bug where conflicts between mounts created by the --mount,--volume, and--tmpfsflags were not properly reported
- Fixed a bug where the --mountflag could not be used with named volumes
- Fixed a bug where the --mountflag did not properly set options for created tmpfs filesystems
- Fixed a bug where rootless Podman could close too many file descriptors, causing Podman to panic (#2964)
- Fixed a bug where podman logoutwould not print an error when the login was established bydocker login(#2735)
- Fixed a bug where podman stopwould error when not all containers were running (#2993)
- Fixed a bug where podman pullwould fail to pull images by shortname if they were not present in thedocker.ioregistry
- Fixed a bug where podman loginwould error when credentials were not present if a credential helper was configured (#1675)
- Fixed a bug where the podman system renumbercommand and Podman post-reboot state refreshes would not create events
- Fixed a bug where the podman topcommand was not compatible withdocker topsyntax
Misc
- Updated vendored Buildah to v1.8.2
- Updated vendored containers/storage to v1.12.6
- Updated vendored containers/psgo to v1.2.1
- Updated to sysregistriesv2, including slight changes to the registries.confconfig file
- Rootless Podman now places all containers within a single user namespace. This change will not take effect for existing containers until containers are restarted, and containers that are not restarted may not be fully usable
- The podman run,podman create,podman start,podman restart,podman attach,podman stop,podman port,podman rm,podman top,podman image tree,podman generate kube,podman umount,podman container checkpoint, andpodman container restorecommands are now available in the remote client
- The Podman remote client now builds on Windows
- A major refactor of volumes created using the podman volumecommand was performed. There should be no major user-facing changes, but downgrading from Podman 1.3 to previous versions may render some volumes unable to be removed.
- The podman eventscommand now logs events to journald by default. The old behavior (log to file) can be configured in podman.conf via theevents_loggeroption
- The podman commitcommand, in versions 1.2 and earlier, included all volumes mounted into the container as image volumes in the committed image. This behavior was incorrect and has been disabled by default; it can be re-enabled with the--include-volumesflag
1.2.0
Features
- Podman now supports image healthchecks! The podman healthcheck runcommand was added to manually run healthchecks, and the status of a running healthcheck can be viewed viapodman inspect
- The podman eventscommand was added to show a stream of significant events
- The podman pscommand now supports a--watchflag that will refresh its output on a given interval
- The podman image treecommand was added to show a tree representation of an image's layers
- The podman logscommand can now display logs for multiple containers at the same time (#2219)
- The podman execcommand can now pass file descriptors to the process being executed in the container via the--preserve-fdsoption (#2372)
- The podman imagescommand can now filter images by reference (#2266)
- The podman system dfcommand was added to show disk usage by Podman
- The --add-hostoption can now be used by containers sharing a network namespace (#2504)
- The podman cpcommand now has an--extractoption to extract the contents of a Tar archive and copy them into the container, instead of copying the archive itself (#2520)
- Podman now allows manually specifying the path of the slirp4netnsbinary for rootless networking via the--network-cmd-pathflag (#2506)
- Rootless Podman can now be used with a single UID and GID, without requiring a full 65536 UIDs/GIDs to be allocated in /etc/subuidand/etc/subgid(#1651)
- The podman runlabelcommand now supports the--replaceoption to replace containers using the name requested
- Infrastructure containers for Podman pods will now attempt to use the image's CMDandENTRYPOINTinstead of a fixed command (#2182)
- The podman play kubecommand now supports theHostPathandVolumeMountsYAML fields (#2536)
- Added support to disable creation of resolv.confor/etc/hostsin containers by specifying--dns=noneand--no-hosts, respectively, topodman runandpodman create(#2744)
- The podman versioncommand now supports the{{ json . }}template (which outputs JSON)
- Podman can now forward ports using the SCTP protocol
Bugfixes
- Fixed a bug where directories could not be passed to podman run --device(#2380)
- Fixed a bug where rootless Podman with the --configflag specified would not use appropriate defaults (#2510)
- Fixed a bug where rootless Podman containers using the host network (--net=host) would show SELinux as enabled in the container when there were no privileges to use it
- Fixed a bug where importing very large images from STDINcould cause Podman to run out of memory
- Fixed a bug where some images would fail to run due to symlinks in paths where Podman would normally mount tmpfs filesystems
- Fixed a bug where podman play kubewould sometimes segfault (#2209)
- Fixed a bug where podman runlabeldid not respect the$PWDvariable (#2171)
- Fixed a bug where error messages from refreshing the state in rootless Podman were not properly displayed (#2584)
- Fixed a bug where rootless podman buildcould not access DNS servers whenslirp4netnswas in use (#2572)
- Fixed a bug where rootless podman stopandpodman rmwould not work on containers which specified a non-root user (#2577)
- Fixed a bug where container labels whose values contained commas were incorrectly parsed and caused errors creating containers (#2574)
- Fixed a bug where calling Podman with a nonexistent command would exit 0, instead of with an appropriate error code (#2530)
- Fixed a bug where rootless podman execwould fail when--userwas specified (#2566)
- Fixed a bug where, when a container had a name that was a fragment of another container's ID, Podman would refuse to operate on the first container by name
- Fixed a bug where podman pod createwould fail if a pod shared no namespaces but created an infra container
- Fixed a bug where rootless Podman failed on the S390 and CRIS architectures
- Fixed a bug where podman rmwould exit 0 if no containers specified were found (#2539)
- Fixed a bug where podman runwould fail to enable networking for containers with additional CNI networks specified (#2795)
- Fixed a bug where the podman imagescommand on the remote client was not displaying digests (#2756)
- Fixed a bug where Podman was unable to clean up mounts in containers using user namespaces
- Fixed a bug where podman image savewould, when told to save to a path that exists, return an error, but still delete the file at the given path
- Fixed a bug where specifying environment variables containing commas with --envwould cause parsing errors (#2712)
- Fixed a bug where podman umountwould not error if called with no arguments
- Fixed a bug where the user and environment variables specified by the image used in containers created by podman create kubewas being ignored (#2665)
- Fixed a bug where the podman pod inspectcommand would segfault if not given an argument (#2681)
- Fixed a bug where rootless podman pod topwould fail (#2682)
- Fixed a bug where the podman loadcommand would not error if an input file is not specified and a file was not redirected toSTDIN
- Fixed a bug where rootless podmancould fail if global configuration was altered via flag (for example,--root,--runroot,--storage-driver)
- Fixed a bug where forwarded ports that were part of a range (e.g. 20-30) were displayed individually by podman ps, as opposed to together as a range (#1358)
- Fixed a bug where podman run --rootfscould panic (#2654)
- Fixed a bug where podman buildwould fail if options were specified after the directory to build (#2636)
- Fixed a bug where image volumes made by podman createandpodman runwould have incorrect permissions (#2634)
- Fixed a bug where rootless containers were not using the containers/image blob cache, leading to slower image pulls
- Fixed a bug where the podman image inspectcommand incorrectly allowed the--latest,--type, and--sizeoptions
Misc
- Updated Buildah to v1.7.2
- Updated psgolibrary to v1.2, featuring greatly improved safety during concurrent use
- The podman eventscommand may not show all activity regarding images, as only Podman was instrumented; images created, deleted, or pulled by CRI-O or Buildah will not be shown inpodman events
- The podman pod topandpodman pod statscommands are now usable with the Podman remote client
- The podman killandpodman waitcommands are now usable with the Podman remote client
- Removed the unused restartingstate and mappedstopped(also unused) toexitedinpodman ps --filter status
- Podman container, pod, and volume names may now contain the .(period) character
1.1.2
Bugfixes
- Fixed a bug where the podman image list,podman image rm, andpodman container listhad broken global storage options
- Fixed a bug where the --labeloption topodman createandpodman runwas missing the-lalias
- Fixed a bug where running Podman with the --configflag would not set an appropriate default value fortmp_dir(#2408)
- Fixed a bug where the podman logscommand with the--timestampsflag produced unreadable output (#2500)
- Fixed a bug where the podman cpcommand would automatically extract.tarfiles copied into the container (#2509)
Misc
- The podman container stopcommand is now usable with the Podman remote client
1.1.1
Bugfixes
- Fixed a bug where podman container restorewas erroneously available aspodman restore(#2191)
- Fixed a bug where the volume_pathoption inlibpod.confwas not being respected
- Fixed a bug where Podman failed to build when the varlinktag was not present (#2459)
- Fixed a bug where the podman image loadcommand was listed twice in help text
- Fixed a bug where the podman image signcommand was also listed aspodman sign
- Fixed a bug where the podman image listcommand incorrectly had animagealias
- Fixed a bug where the podman imagescommand incorrectly hadlsandlistaliases
- Fixed a bug where the podman image rmcommand was being displayed aspodman image rmi
- Fixed a bug where the podman createcommand would attempt to parse arguments meant for the container
- Fixed a bug where the combination of FIPS mode and user namespaces resulted in permissions errors
- Fixed a bug where the --timealias for--timeoutfor thepodman restartandpodman stopcommands did not function
- Fixed a bug where the default stop timeout for newly-created containers was being set to 0 seconds (resulting in an immediate SIGKILL on running podman stop)
- Fixed a bug where the output format of podman portwas incorrect, printing full container ID instead of truncated ID
- Fixed a bug where the podman container listcommand did not exist
- Fixed a bug where podman buildcould not build a container from images tagged locally that did not exist in a registry (#2469)
- Fixed a bug where some Podman commands that accept no arguments would not error when provided arguments
- Fixed a bug where podman play kubecould not handle cases where a pod and a container shared a name
Misc
- Usage text for many commands was greatly improved
- Major cleanups were made to Podman manpages, ensuring that command lists are accurate
- Greatly improved debugging output when the newuidmapandnewgidmapbinaries fail when using rootless Podman
- The -salias for the global--storage-driveroption has been removed
- The podman container refreshcommand has been deprecated, as its intended use case is no longer relevant. The command has been hidden and manpages deleted. It will be removed in a future release
- The podman container runlabelcommand will now pull images not available locally even without the--pulloption. The--pulloption has been deprecated
- The podman container checkpointandpodman container restorecommands are now only available on OCI runtimes where they are supported (e.g.runc)
1.1.0
Features
- Added --latestand--allflags topodman mountandpodman umount
- Rootless Podman can now forward ports into containers (using the same -pand-Pflags as root Podman)
- Rootless Podman will now pull some configuration options (for example, OCI runtime path) from the default root libpod.confif they are not explicitly set in the user's ownlibpod.conf(#2174)
- Added an alias -ffor the--formatflag of thepodman infoandpodman versioncommands
- Added an alias -sfor the--sizeflag of thepodman inspectcommand
- Added the podman system infoandpodman system prunecommands
- Added the podman cpcommand to copy files between containers and the host (#613)
- Added the --password-stdinflag topodman login
- Added the --all-tagsflag topodman pull
- The --rmand--detachflags can now be used together withpodman run
- The podman startandpodman runcommands for containers in pods will now start dependency containers if they are stopped
- Added the podman system renumbercommand to handle lock changes
- The --net=hostand--dnsflags forpodman runandpodman createno longer conflict
- Podman now handles mounting the shared /etc/resolv.conf from network namespaces created by ip netns addwhen they are passed in viapodman run --net=ns:
Bugfixes
- Fixed a bug with podman inspectwhere different information would be returned when the container was running versus when it was stopped
- Fixed a bug where errors in Go templates passed to podman inspectwere silently ignored instead of reported to the user (#2159)
- Fixed a bug where rootless Podman with --pid=hostcontainers was incorrectly masking paths in/proc
- Fixed a bug where full errors starting rootless Podmanwere not reported when a refresh was requested
- Fixed a bug where Podman would override the config file-specified storage driver with the driver the backing database was created with without warning users
- Fixed a bug where podman prunewould prune all images not in use by a container, as opposed to only untagged images, by default (#2192)
- Fixed a bug where podman create --quietandpodman run --quietwere not properly suppressing output
- Fixed a bug where the tablekeyword in Go template output ofpodman pswas not working (#2221)
- Fixed a bug where podman inspecton images pulled by digest would double-print@sha256in output when printing digests (#2086)
- Fixed a bug where podman container runlabelwill return a non-0 exit code if the label does not exist
- Fixed a bug where container state was always reset to Created after a reboot (#1703)
- Fixed a bug where /dev/ptswas unconditionally overridden in rootless Podman, which was unnecessary except in very specific cases
- Fixed a bug where Podman run as root was ignoring some options in /etc/containers/storage.conf(#2217)
- Fixed a bug where Podman cleanup processes were not being given the proper OCI runtime path if a custom one was specified
- Fixed a bug where podman images --filter dangling=truewould crash if no dangling images were present (#2246)
- Fixed a bug where podman ps --format "{{.Mounts}}"would not display a container's mounts (#2238)
- Fixed a bug where podman pod statswas ignoring Go templates specified by--format(#2258)
- Fixed a bug where podman generate kubewould fail on containers with--userspecified (#2304)
- Fixed a bug where podman imagesdisplayed incorrect output for images pulled by digest (#2175)
- Fixed a bug where podman portandpodman psdid not properly display ports if the container joined a network namespace from a pod or another container (#846)
- Fixed a bug where detaching from a container using the detach keys would cause Podman to hang until the container exited
- Fixed a bug where podman create --rmdid not work withpodman start --attach
- Fixed a bug where invalid named volumes specified in podman createandpodman runcould cause segfaults (#2301)
- Fixed a bug where the runtimefield inlibpod.confwas being ignored.runtimeis legacy and deprecated, but will continue to be respected for the foreseeable future
- Fixed a bug where podman loginwould sometimes report it logged in successfully when it did not
- Fixed a bug where podman pod createwould not error on receiving unused CLI argument
- Fixed a bug where rootless podman runwith the--podargument would fail if the pod was stopped
- Fixed a bug where podman imagesdid not print a trailing newline when not invoked on a TTY (#2388)
- Fixed a bug where the --runtimeoption was sometimes not overridinglibpod.conf
- Fixed a bug where podman pullandpodman runlabelwould sometimes exit with 0 when they should have exited with an error (#2405)
- Fixed a bug where rootless podman export -owould fail (#2381)
- Fixed a bug where read-only volumes would fail in rootless Podman when the volume originated on a filesystem mounted nosuid,nodev, ornoexec(#2312)
- Fixed a bug where some files used by checkpoint and restore received improper SELinux labels (#2334)
- Fixed a bug where Podman's volume path was not properly changed when containers/storage changed location (#2395)
Misc
- Podman migrated to a new, shared memory locking model in this release. As part of this, if you are running Podman with pods or dependency containers (e.g. --net=container:), you should run thepodman system renumbercommand to migrate your containers to the new model - please reference thepodman-system-renumber(1)man page for further details
- Podman migrated to a new command-line parsing library, and the output format of help and usage text has somewhat changed as a result
- Updated Buildah to v1.7, picking up a number of bugfixes
- Updated containers/image library to v1.5, picking up a number of bugfixes and performance improvements to pushing images
- Updated containers/storage library to v1.10, picking up a number of bugfixes
- Work on the remote Podman client for interacting with Podman remotely over Varlink is progressing steadily, and many image and pod commands are supported - please see the Readme for details
- Added path masking to mounts with the :zand:Zoptions, preventing users from accidentally performing an SELinux relabel of their entire home directory
- The podman container runlabelcommand will not pull an image if it does not contain the requested label
- Many commands' usage information now includes examples
- podman rmcan now delete containers in containers/storage, which can be used to resolve some situations where Podman fails to remove a container
- The podman searchcommand now searches multiple registries in parallel for improved performance
- The podman buildcommand now defaults--pull-alwaysto true
- Containers which share a network namespace (for example, when in a pod) will now share /etc/hosts and /etc/resolv.conf between all containers in the pod, causing changes in one container to propagate to all containers sharing their networks
- The podman rmandpodman rmicommands now return 1 (instead of 127) when all specified container or images are missing
1.0.0
Features
- The podman execcommand now includes a--workdiroption to set working directory for the executed command
- The podman createandpodman runcommands now support the--initflag to use a minimal init process in the container
- Added the podman image signcommand to GPG sign images
- The podman run --deviceflag now accepts directories, and will added any device nodes in the directory to the container
- Added the podman play kubecommand to create pods and containers from Kubernetes pod YAML
Bugfixes
- Fixed a bug where passing podman createorpodman runvolumes with an empty host or container path could cause a segfault
- Fixed a bug where storage.confwas sometimes ignored for rootless containers
- Fixed a bug where Podman run as root would error if CAP_SYS_RESOURCE was not available
- Fixed a bug where Podman would fail to start containers after a system restart due to an out-of-date default Apparmor profile
- Fixed a bug where Podman's bash completions were not working
- Fixed a bug where podman loginwould use existing login credentials even if new credentials were provided
- Fixed a bug where Podman could create some directories with the wrong permissions, breaking containers with user namespaces
- Fixed a bug where podman runlabelwas not properly setting container names when the--namewas specified
- Fixed a bug where podman runlabelsometimes included extra spaces in command output
- Fixed a bug where podman commitwas including invalid port numbers in created images when committing containers with published ports
- Fixed a bug where podman execwas not honoring the container's environment variables
- Fixed a bug where podman run --devicewould fail when a symlink to a device was specified
- Fixed a bug where podman buildwas not properly picking up OCI runtime paths specified inlibpod.conf
- Fixed a bug where Podman would mount /dev/shminto the container read-only for read-only containers (/dev/shmshould always be read-write)
- Fixed a bug where Podman would ignore any mount whose container mountpoint was /dev/shm
- Fixed a bug where podman exportdid not work with the defaultfuse-overlayfsstorage driver
- Fixed a bug where podman inspect -f '{{ json .Config }}'on images would not output anything (it now prints the image's config)
- Fixed a bug where podman rmi -fadisplayed the wrong error message when trying to remove images used by pod infra containers
Misc
- Rootless containers now unconditionally use postrun cleanup processes, ensuring resources are freed when the container stops
- A new version of Buildah is included for podman build, featuring improved build speed and numerous bugfixes
- Pulling images has been parallelized, allowing individual layers to be pulled in parallel
- The podman start --attachcommand now defaults thesig-proxyoption totrue, matchingpodman createandpodman run
- The podman infocommand now prints the path of the configuration file controlling container storage
- Added podman listandpodman lsas aliases forpodman ps, andpodman container psandpodman container listas aliases forpodman container ls
- Changed podman generate kubeto generate Kubernetes service YAML in the same file as pod YAML, generating a single file instead of two
- To improve compatibility with the Docker command line, podman inspect -f '{{ json .ContainerConfig }}'on images is no longer valid; please usepodman inspect -f '{{ json .Config }}'instead
0.12.1.2
Bugfixes
- Fixed a bug where an empty path for named volumes could make it impossible to create containers
- Fixed a bug where containers using another container's network namespace would not also use the other container's /etc/hosts and /etc/resolv.conf
- Fixed a bug where containers with --rmwhich failed to start were not removed
- Fixed a potential race condition attempting to read /etc/passwdinside containers
0.12.1.1
Features
- Added the podman generate kubecommand to generate Kubernetes Pod and Service YAML for Podman containers and pods
- The podman pod stopflag now accepts a--timeoutflag to set the timeout for stopping containers in the pod
Bugfixes
- Fixed a bug where rootless Podman would fail to start if the default OCI hooks directory is not present
0.12.1
Features
- Rootless Podman now creates the storage.conf, libpod.conf, and mounts.conf configuration files automatically in ~/.config/containers/for ease of reconfiguration
- The podman pod createcommand can expose ports in the pod's network namespace, allowing public services to be created in pods
- The podman container checkpointcommand can now keep containers running after they are checkpointed with the--leave-runningflag
- The podman container checkpointandpodman container restorecommands now support the--tcp-establishedflag to checkpoint and restore containers with active TCP connections
- The podman versioncommand now has a--formatflag to produce machine-readable output
- Added the podman container exists,podman pod exists, andpodman image existscommands to easily check for a container/pod/image, respectively, by name or ID
- The podman ps --podflag now has a short alias,-p
- The podman rmiandpodman rmcommands now have a--pruneflag to prune unused images and containers, respectively
- The podman pscommand now has a--syncflag to force a sync of Podman's state against the OCI runtime, resolving some state desync errors
- Added the podman volumeset of commands for creating and managing local-only named volumes
Bugfixes
- Fixed a breaking change in rootless Podman where a change in default paths caused Podman to be unable to function on systems upgraded from 0.10.x or earlier
- Fixed a bug where podman execwithout-twould still use a terminal if the container was created with-t
- Fixed a bug where container root propagation was not being properly adjusted if volumes with root propagation set were mounted into the container
- Fixed a bug where podman execcould hold the container lock longer than necessary waiting for an exited container
- Fixed a bug where rootless containers using slirp4netnsfor networking were reporting usingbridgenetworking inpodman inspect
- Fixed a bug where podman container restore -awas attempting to restore all containers, including created and running ones. It will now only attempt to restore stopped and exited containers
- Fixed a bug where rootless Podman detached containers were not being properly cleaned up
- Fixed a bug where privileged containers were being mounted with incorrect (too restrictive) mount options such as nodev
- Fixed a bug where podman stopwould throw an error attempting to stop a container that had already stopped
- Fixed a bug where NOTIFY_SOCKETwas not properly being passed into Podman containers
- Fixed a bug where /dev/shmwas not properly mounted in rootless containers
- Fixed a bug where rootless Podman would set up the CNI plugins for networking (despite not using them in rootless mode), potentially causing inotifyrelated errors
- Fixed a bug where Podman would error on numeric GIDs that do not exist in the container's /etc/group
- Fixed a bug where containers in pods or created with --net=containerwere not mounting/etc/resolv.confand/etc/hosts
Misc
- podman buildnow defaults the- --force-rmflag to- true
- Improved podman runlabelsupport for labels featuring arguments with whitespace
- Containers without a network namespace will now use the host's resolv.conf
- The slirp4netnsnetwork mode can now be used with containers running as root. It may be useful for container-in-container scenarios where the outer container does not have host networking set
- Podman now uses inotifyto wait for container exit files to be created, instead of polling. Ifinotifycannot be used, Podman will fall back to polling to check if the file has been created
- The podman logscommand now uses improved short-options handling, allowing its flags to be combined if desired (for example,podman logs -lfinstead ofpodman logs -l -f)
- Hardcoded OCI hooks directories used by Podman are now deprecated; they should instead be coded into the libpod.confconfiguration file. They can be specified as an array viahooks_dir
0.11.1.1
Bugfixes
- Fixed a bug where Podman was not correctly adding firewall rules for containers, preventing them from accessing the network
- Fixed a bug where full error messages were being lost when creating containers with user namespaces
- Fixed a bug where container state was not properly updated if a failure occurred during network setup, which could cause mounts to be left behind when the container was removed
- Fixed a bug where podman execcould time out on slower systems by increasing the relevant timeout
Misc
- podman rm -fnow removes paused containers. As such,- podman rm -afcompleting successfully guarantees all Podman containers have been removed
- Added a field to podman infoto show if Podman is being run as rootless
- Made a small output format change to podman images- image sizes now feature a space between number and unit (e.g.123 MBnow instead of123MB)
- Vendored an updated version of containers/storageto fix several bugs reported upstream
0.11.1
Features
- Added --alland--latestflags topodman checkpointandpodman restore
- Added --max-workersflag to all Podman commands that support operating in parallel, allowing the maximum number of parallel workers used to be specified
- Added --allflag topodman restart
Bugfixes
- Fixed a bug where podman port -lwould segfault if no containers were present
- Fixed a bug where podman stats -awould error if containers were present but not running
- Fixed a bug where container status checks would sometimes leave zombie OCI runtime processes
- Fixed checkpoint and restore code to verify an appropriate version of criuis being used
- Fixed a bug where environment variables with no specified value (e.g. -e FOO) caused errors (they are now added as empty)
- Fixed a bug where rootless Podman would attempt to configure the system firewall, causing errors on some systems where iptables is not in the user's PATH
- Fixed a bug where rootless Podman was unable to successfully write the container ID to a file when --cid-filewas specified topodman run
- Fixed a bug where podman unmountwould refuse to unmount a container if it was running (the unmount will now be deferred until the container stops)
- Fixed a bug where rootless podman attachwould fail to attach due to a too-long path name
- Fixed a bug where podman infowas not properly reporting the Git commit Podman was built from
- Fixed a bug where podman run --interactivewas not holding STDIN open when-aflag was specified
- Fixed a bug where Podman with the cgroupfsCGroup driver was sometimes not successfully removing pod CGroups
- Fixed a bug where rootless Podman was unable to run systemd containers (note that this also requires an update to systemd)
- Fixed a bug where podman runwith the--userflag would fail if the container image did not contain/etc/passwdor/etc/group
Misc
- podman rm,- podman restart,- podman kill,- podman pause, and- podman unpausenow operate in parallel, greatly improving speed when multiple containers are specified
- podman create,- podman run, and- podman pshave a number of improvements which should greatly increase their speed
- Greatly improved performance and reduced memory utilization of container status checks, which should improve the speed of most Podman commands
- Improve ability of podman runlabelto run commands that are not Podman
- Podman containers with an IP address now add their hostnames to /etc/hosts
- Changed default location of temporary libpod files in rootless Podman
- Updated the default Podman seccomp profile
Compatibility
Several paths related to rootless Podman had their default values changed in this release. If paths were not hardcoded in libpod.conf, your system may lose track of running containers and believe they are newly-created.
0.10.1.3
Bugfixes
- Fixed a bug where podman buildwould not work while any containers were running
0.10.1.2
Bugfixes
- Fixed cgroup mount for containers using systemd as init to work properly with the systemd cgroup manager
0.10.1.1
Features
- Added handling for running containers as users with numeric UIDs not present in the container's /etc/passwd. This allows getpwuid() to work inside these containers.
- Added support for the REGISTRY_AUTH_FILE environment variable, which specifies the location of credentials for registry login. This is supported by the push,pull,login,logout,runlabel, andsearchcommands
Bugfixes
- Fixed handling for image volumes which are mounted on symlinks. The links are now resolved within the container, not on the host
- Fixed mounts for containers that use systemd as init to properly include all mounts required by systemd to function
Misc
- Updated vendored version of Buildah used to power podman build
0.10.1
Features
- Added the podman container checkpointandpodman container restorecommands to checkpoint and restore containers
- Added the podman container runlabelcommand to run containers based on commands contained in their images
- Added the podman create --ipandpodman run --ipflags to allow setting static IPs for containers
- Added the podman kill --allflag to send a signal to all running containers
Bugfixes
- Fixed Podman cleanup processes for detached containers to properly print debug information when --syslogflag is specified
- Fixed manpages for podman createandpodman runto document existing--netflag as an alias for--network
- Fixed issues with rootless Podman where specifying a single user mapping container was causing all Podman commands to hang
- Fixed an issue with rootless Podman not properly detecting when user namespaces were not enabled
- Fixed an issue where Podman user namespaces were not preserving file capabilities
- Fixed an issue where resolv.confin container would unconditionally forward nameservers into the container, even localhost
- Fixed containers to release resources in the OCI runtime immediately after exiting, improving compatibility with Kata containers
- Fixed OCI runtime handling to fix several issues when using gVisor as an OCI runtime
- Fixed SELinux relabel errors when starting containers after a system restart
- Fixed a crash when initializing hooks on containers running systemd as init
- Fixed an SELinux labelling issue with privileged containers
- Fixed rootless Podman to raise better errors when using CGroup resource limits, which are not currently compatible with rootless
- Fixed a crash when runc was used as the OCI runtime for containers running systemd as init
- Fixed SELinux labelling for containers run with --security-opt label=disableto assign the correct label
Misc
- Changed flag ordering on all Podman commands to ensure flags are alphabetized
- Changed podman stopto work in parallel when multiple containers are specified, greatly speeding up stop for containers that do not stop after SIGINT
- Updated vendored version of Buildah used to power podman build
- Added version of vendored Buildah to podman infoto better debug issues
0.9.3.1
Bugfixes
- Fixed a critical issue where SELinux contexts set on tmpfs volumes were causing runc crashes
0.9.3
Features
- Added a flag to libpod.conf,label, to globally enable/disable SELinux labelling for libpod
- Added --mountflag topodman createandpodman runas a new, more explicit way of specifying volume mounts
Bugfixes
- Fixed a crash during container creation when an image had no names
- Fixed default rootfs mount propagation to for containers to match Docker
- Fixed permissions of /procin containers
- Fixed permissions of some default bind mounts (for example, /etc/hosts) in read-only containers
- Fixed /dev/shmin--ipc=containerand--ipc=hostcontainers to use the correct SHM
- Fixed rootless Podman to properly join the namespaces of other containers
- Fixed the output of podman diffto not display some default changes that will not be committed
- Fixed rootless to better handle cases where insufficient UIDs/GIDs are mapped into the container
0.9.2.1
Bugfixes
- Updated Buildah dependency to fix several bugs in podman build
Misc
- Small performance improvement in image handling code to not recalculate digests
0.9.2
Features
- Added --intervalflag topodman waitto determine the interval between checks for container status
- Added a switch in libpod.confto disable reserving ports for running containers. This lowers the safety of port allocations, but can significantly reduce memory usage.
- Added ability to search all the contents of a registry if no image name is specified when using podman search
Bugfixes
- Further fixes for sharing of UTS namespaces within pods
- Fixed a deadlock in containers/storage that could be caused by numerous parallel Podman processes.
- Fixed Podman running into open file limits when many ports are forwarded
- Fixed default mount propagation on volume mounts
- Fixed default mounts under /dev remaining if /dev is bind-mounted into the container
- Fixed rootless podman createwith no command specified throwing an error
Misc
- Added podman rm --volumesflag for compatibility with Docker. As Podman does not presently support named volumes, this does nothing for now, but provides improved compatibility with the Docker command line.
- Improved error messages from podman pull
Compatibility
- Podman is no longer being built by default with support for the Devicemapper storage driver. If you are using this storage driver, you should investigate switching to overlayfs.
0.9.1.1
Bugfixes
- Added support for configuring iptables and firewalld firewalls to allow container traffic. This should resolve numerous issues with network access in containers.
Note
It is recommended that you restart your system firewall after installing this release to clear any firewall rules created by older Podman versions. If port forwarding to containers does not work, it is recommended that you restart your system.
0.9.1
Features
- Added initial support for the podman podcommand as non-root
Bugfixes
- Fixed regression where invalid Podman commands would still cause a clean exit
- Fixed podman rmi --allto not error if no images are present on the system
- Fixed parsing of container logs with podman logsto properly handle CRI logging, fixing some issues with blank lines in logs
- Fixed a bug creating pod cgroups using the systemd cgroup driver with systemd versions 239 and higher
- Fixed handling of volume mounts that overlapped with default container mounts (for example, podman run -v /dev/:/dev)
- Fixed sharing of UTS namespace in pods
Misc
- Added additional debug information when pulling images if --log-level=debugis specified
- podman buildnow defaults to caching intermediate layers while building
0.8.5
Features
- Added the ability to add a multipart entrypoint with podman run --entrypoint
- Improved help text when invalid commands are specified
- Greatly improved support for containers which use systemd as init
Bugfixes
- Fixed several bugs with rootless podman exec
- Fixed rootless podmanwith a symlinked storage directory crashing
- Fixed bug with podman psand multiple filters where the interface did not match Docker
- Fixed handling of resolv.confon the host to handle symlinks
- Increased open file descriptor and process limits to match Docker and Buildah
- Fixed podman run -hto specify the container's hostname (as it does in Docker) instead of printing help text
- Fixed a bug with image shortname handling where repositories were incorrectly being treated as registries
- Fixed a bug where podman waitwas busywaiting and consuming large amounts of CPU
0.8.4
Features
- Added the podman pod topcommand
- Added the ability to easily share namespaces within a pod
- Added a pod statistics endpoint to the Varlink API
- Added information on container capabilities to the output of podman inspect
Bugfixes
- Fixed a bug with the --device flag in podman runandpodman create
- Fixed podman pod statsto accept partial pod IDs and pod names
- Fixed a bug with OCI hooks handling ALWAYSmatches
- Fixed a bug with privileged rootless containers with --net=hostset
- Fixed a bug where podman exec --userwould not work with usernames, only numeric IDs
- Fixed a bug where Podman was forwarding both TCP and UDP ports to containers when protocol was not specified
- Fixed issues with Apparmor in rootless containers
- Fixed an issue with database encoding causing some containers created by Podman versions 0.8.1 and below to be unusable.
Compatibility:
We switched JSON encoding/decoding to a new library for this release to address a compatibility issue introduced by v0.8.2. However, this may cause issues with containers created in 0.8.2 and 0.8.3 with custom DNS servers.