Releases: containers/podman
v4.6.0
Features
- The `podman manifest inspect` command now supports the `--authfile` option, for authentication purposes.
- The `podman wait` command now supports `--condition={healthy,unhealthy}`, allowing waits on successful health checks.
- The `podman push` command now supports a new option, `--compression-level`, which specifies the compression level to use (#18939).
- The `podman machine start` command, when run with `--log-level=debug`, now creates a console window to display the virtual machine while booting.
- Podman now supports a new option, `--imagestore`, which allows images to be stored in a different directory than the graphroot.
- The `--ip-range` option to the `podman network create` command now accepts a new syntax, `<startIP>-<endIP>`, which allows more flexibility when limiting the IP range that Podman assigns.
- [Tech Preview] A new command, `podmansh`, has been added, which executes a user shell within a container when the user logs into the system. The container that the users get added to can be defined via a Podman Quadlet file. This feature is currently a Tech Preview, which means it's ready for users to try out but changes can be expected in upcoming versions.
- The `podman network create` command supports a new `--option`, `bclim`, for the `macvlan` driver.
- The `podman network create` command now supports adding static routes using the `--route` option.
- The `podman network create` command supports a new `--option`, `no_default_route`, for all drivers.
- The `podman info` command now prints network information about the binary path, package version, program version and DNS information (#18443).
- The `podman info` command now displays the number of free locks available, helping to debug lock exhaustion scenarios.
- The `podman info` command now outputs information about pasta, if it exists in `helper_binaries_dir` or `$PATH`.
- The remote Podman client’s `podman build` command now accepts Containerfiles that are not in the context directory (#18239).
- The remote Podman client’s `podman play kube` command now supports the `--configmap` option (#17513).
- The `podman kube play` command now supports multi-doc YAML files for configmap arguments (#18537).
- The `podman pod create` command now supports a new flag, `--restart`, which sets the restart policy for all the containers in a pod.
- The `--format={{.Restarts}}` option to the `podman ps` command now shows the number of times a container has been restarted based on its restart policy.
- The `--format={{.Restarts}}` option to the `podman pod ps` command now shows the total number of container restarts in a pod.
- The podman machine provider can now be specified via the `CONTAINERS_MACHINE_PROVIDER` environment variable, as well as via the `provider` field in `containers.conf` (#17116).
- A default list of pasta arguments can now be set in `containers.conf` via `pasta_options`.
- The `podman machine init` and `podman machine set` commands now support a new option, `--user-mode-networking`, which improves interoperability with VPN configurations that drop traffic from WSL networking on Windows.
- The remote Podman client’s `podman push` command now supports the `--digestfile` option (#18216).
- Podman now supports a new option, `--out`, that allows redirection or suppression of STDOUT (#18120).
Changes
- When looking up an image by digest, the entire repository of the specified value is now considered. This aligns with Docker's behavior since v20.10.20. Previously, both the repository and the tag were ignored and Podman looked for an image with only a matching digest. Ignoring the name, repository, and tag of the specified value can lead to security issues and is considered harmful.
- The `podman system service` command now emits a warning when binding to a TCP socket. This is not a secure configuration and the Podman team recommends against using it.
- The `podman top` command no longer depends on ps(1) being present in the container image and now uses the one from the host (#19001).
- The `--filter id=xxx` option will now treat `xxx` as a CID prefix, and not as a regular expression (#18471).
- The `--filter` option now requires multiple `--filter` flags to specify multiple filters. It will no longer support the comma syntax (`--filter label=a,label=b`).
- The `slirp4netns` binary will now be searched for in paths specified by the `helper_binaries_dir` option in `containers.conf` (#18239).
- Podman machine now updates `/run/docker.sock` within the guest to be consistent with its rootless/rootful setting (#18480).
- The `podman system df` command now counts files which podman generates for use with specific containers as part of the disk space used by those containers, and which can be reclaimed by removing those containers. It also counts space used by files it associates with specific images and volumes as being used by those images and volumes.
- The `podman build` command now returns a clearer error message when the Containerfile cannot be found (#16354).
- Containers created with `--pid=host` will no longer print errors on `podman stop` (#18460).
- The `podman manifest push` command no longer requires a destination to be specified. If a destination is not provided, the source is used as the destination (#18360).
- The `podman system reset` command now warns the user that the graphroot and runroot directories will be deleted (#18349, #18295).
- The `package` and `package-install` targets in the Makefile have now been fixed and also renamed to `rpm` and `rpm-install` respectively for clarity (#18817).
Quadlet
- Quadlet now exits with a non-zero exit code when errors are found (#18778).
- Rootless podman Quadlet files can now be installed in the `/etc/containers/systemd/users` directory.
- Quadlet now supports the `AutoUpdate` option.
- Quadlet now supports the `Mask` and `Unmask` options.
- Quadlet now supports the `WorkingDir` option, which specifies the default working dir in a container.
- Quadlet now supports the `Sysctl` option, which sets namespaced kernel parameters for containers (#18727).
- Quadlet now supports the `SecurityLabelNested=true` option, which allows nested SELinux containers.
- Quadlet now supports the `Pull` option in `.container` files (#18779).
- Quadlet now supports the `ExitCode` field in `.kube` files, which reflects the exit codes of failed containers.
- Quadlet now supports the `PodmanArgs` field.
- Quadlet now supports the `HostName` field, which sets the container's host name, in `.container` files (#18486).
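As an added example (not part of these release notes or of the Podman project's own files), the following rootless `.container` Quadlet unit exercises several of the 4.6.0 keys listed in this section: `AutoUpdate`, `Pull`, `HostName`, `WorkingDir`, `Sysctl`, `Mask` and `PodmanArgs`. The unit path, image name, paths, port and sysctl value are assumptions chosen for illustration; only the key names come from the release notes.

```ini
# ~/.config/containers/systemd/web.container   (rootless user unit; path assumed)
# Constructed example: image, paths and values are placeholders.
[Unit]
Description=Example web service using Podman 4.6 Quadlet keys

[Container]
Image=registry.example.com/web:1.0
# Sets the io.containers.autoupdate=registry label so that
# `podman auto-update` can refresh the image and restart the unit.
AutoUpdate=registry
# Pull policy: fetch the image again if the registry has a newer one.
Pull=newer
# Hostname the workload sees inside the container.
HostName=web
# Default working directory for the container's entrypoint.
WorkingDir=/srv/app
# Namespaced kernel parameter applied only to this container's network namespace.
Sysctl=net.ipv4.ip_unprivileged_port_start=80
# Additional path hidden from the workload (on top of Podman's default masked set).
Mask=/proc/acpi
# Extra arguments passed straight through to `podman run`.
PodmanArgs=--memory=512m
PublishPort=8080:8080

[Service]
Restart=always

[Install]
WantedBy=default.target
```

After placing the file, `systemctl --user daemon-reload` asks Quadlet to generate the service; with 4.6.0 a malformed key now makes the generator exit non-zero instead of silently producing a broken unit, so the reload is the first place to look when the service does not appear.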
Bugfixes
- Fixed a bug where the `podman machine start` command would fail with a 255 exit code. It now waits for systemd-user sessions to be up, and for SSH to be ready, addressing the flaky machine starts (#17403).
- Fixed a bug where the `podman auto update` command did not correctly use authentication files when contacting container registries.
- Fixed a bug where the `--label` option to the `podman volume ls` command would return volumes that matched any of the filters, not all of them (#19219).
- Fixed a bug where the `podman kube play` command did not recognize containerPort names inside Kubernetes liveness probes. Now, liveness probes support both containerPort names as well as port numbers (#18645).
- Fixed a bug where the `--dns` option to the `podman run` command was ignored for macvlan networks (#19169).
- Fixed a bug in the `podman system service` command where setting `LISTEN_FDS` when listening on TCP would misbehave.
- Fixed a bug where hostnames were not recognized as a network alias. Containers can now resolve other hostnames, in addition to their names (#17370).
- Fixed a bug where the `podman pod run` command would error after a reboot on a non-systemd system (#19175).
- Fixed a bug where the `--syslog` option returned a fatal error when no syslog server was found (#19075).
- Fixed a bug where the `--mount` option would parse the `readonly` option incorrectly (#18995).
- Fixed a bug where hook executables invoked by the `podman run` command set an incorrect working directory. It now sets the correct working directory pointing to the container bundle directory (#18907).
- Fixed a bug where the `--device-cgroup-rule` option was silently ignored in rootless mode ([#18698](https://github.com/containers/podman/issu...
v4.6.0-RC2
Features
- The `podman manifest inspect` command now supports the `--authfile` option, for authentication purposes.
- The `podman wait` command now supports `--condition={healthy,unhealthy}`, allowing waits on successful health checks.
- The `podman push` command now supports a new option, `--compression-level`, which specifies the compression level to use (#18939).
- The `podman machine start` command, when run with `--log-level=debug`, now creates a console window to display the virtual machine while booting.
- Podman now supports a new option, `--imagestore`, which allows images to be stored in a different directory than the graphroot.
- The `--ip-range` option to the `podman network create` command now accepts a new syntax, `<startIP>-<endIP>`, which allows more flexibility when limiting the IP range that Podman assigns.
- [Tech Preview] A new command, `podmansh`, has been added, which executes a user shell within a container when the user logs into the system. The container that the users get added to can be defined via a Podman Quadlet file. This feature is currently a Tech Preview, which means it's ready for users to try out but changes can be expected in upcoming versions.
- The `podman network create` command supports a new `--option`, `bclim`, for the `macvlan` driver.
- The `podman network create` command now supports adding static routes using the `--route` option.
- The `podman network create` command supports a new `--option`, `no_default_route`, for all drivers.
- The `podman info` command now prints network information about the binary path, package version, program version and DNS information (#18443).
- The `podman info` command now displays the number of free locks available, helping to debug lock exhaustion scenarios.
- The `podman info` command now outputs information about pasta, if it exists in `helper_binaries_dir` or `$PATH`.
- The remote Podman client’s `podman build` command now accepts Containerfiles that are not in the context directory (#18239).
- The remote Podman client’s `podman play kube` command now supports the `--configmap` option (#17513).
- The `podman kube play` command now supports multi-doc YAML files for configmap arguments (#18537).
- The `podman pod create` command now supports a new flag, `--restart`, which sets the restart policy for all the containers in a pod.
- The `--format={{.Restarts}}` option to the `podman ps` command now shows the number of times a container has been restarted based on its restart policy.
- The `--format={{.Restarts}}` option to the `podman pod ps` command now shows the total number of container restarts in a pod.
- The podman machine provider can now be specified via the `CONTAINERS_MACHINE_PROVIDER` environment variable, as well as via the `provider` field in `containers.conf` (#17116).
- A default list of pasta arguments can now be set in `containers.conf` via `pasta_options`.
- The `podman machine init` and `podman machine set` commands now support a new option, `--user-mode-networking`, which improves interoperability with VPN configurations that drop traffic from WSL networking on Windows.
- The remote Podman client’s `podman push` command now supports the `--digestfile` option (#18216).
- Podman now supports a new option, `--out`, that allows redirection or suppression of STDOUT (#18120).
Changes
- The `--filter id=xxx` option will now treat `xxx` as a CID prefix, and not as a regular expression (#18471).
- The `--filter` option now requires multiple `--filter` flags to specify multiple filters. It will no longer support the comma syntax (`--filter label=a,label=b`).
- The `slirp4netns` binary will now be searched for in paths specified by the `helper_binaries_dir` option in `containers.conf` (#18239).
- Podman machine now updates `/run/docker.sock` within the guest to be consistent with its rootless/rootful setting (#18480).
- The `podman system df` command now counts files which podman generates for use with specific containers as part of the disk space used by those containers, and which can be reclaimed by removing those containers. It also counts space used by files it associates with specific images and volumes as being used by those images and volumes.
- The `podman build` command now returns a clearer error message when the Containerfile cannot be found (#16354).
- Containers created with `--pid=host` will no longer print errors on `podman stop` (#18460).
- The `podman manifest push` command no longer requires a destination to be specified. If a destination is not provided, the source is used as the destination (#18360).
- The `podman system reset` command now warns the user that the graphroot and runroot directories will be deleted (#18349, #18295).
Quadlet
- Quadlet now exits with a non-zero exit code when errors are found (#18778).
- Rootless podman Quadlet files can now be installed in the `/etc/containers/systemd/users` directory.
- Quadlet now supports the `AutoUpdate` option.
- Quadlet now supports the `Mask` and `Unmask` options.
- Quadlet now supports the `WorkingDir` option, which specifies the default working dir in a container.
- Quadlet now supports the `Sysctl` option, which sets namespaced kernel parameters for containers (#18727).
- Quadlet now supports the `SecurityLabelNested=true` option, which allows nested SELinux containers.
- Quadlet now supports the `Pull` option in `.container` files (#18779).
- Quadlet now supports the `ExitCode` field in `.kube` files, which reflects the exit codes of failed containers.
- Quadlet now supports the `PodmanArgs` field.
- Quadlet now supports the `HostName` field, which sets the container's host name, in `.container` files (#18486).
Bugfixes
- Fixed a bug where the `podman machine start` command would fail with a 255 exit code. It now waits for systemd-user sessions to be up, and for SSH to be ready, addressing the flaky machine starts (#17403).
- Fixed a bug where the `podman auto update` command did not correctly use authentication files when contacting container registries.
- Fixed a bug where the `--dns` option to the `podman run` command was ignored for macvlan networks (#19169).
- Fixed a bug in the `podman system service` command where setting `LISTEN_FDS` when listening on TCP would misbehave.
- Fixed a bug where hostnames were not recognized as a network alias. Containers can now resolve other hostnames, in addition to their names (#17370).
- Fixed a bug where the `podman pod run` command would error after a reboot on a non-systemd system (#19175).
- Fixed a bug where the `--syslog` option returned a fatal error when no syslog server was found (#19075).
- Fixed a bug where the `--mount` option would parse the `readonly` option incorrectly (#18995).
- Fixed a bug where hook executables invoked by the `podman run` command set an incorrect working directory. It now sets the correct working directory pointing to the container bundle directory (#18907).
- Fixed a bug where the `--device-cgroup-rule` option was silently ignored in rootless mode (#18698).
- Listing images is now more resilient towards concurrently running image removals.
- Fixed a bug where the `--force` option to the `podman kube down` command would not remove volumes (#18797).
- Fixed a bug where setting the `--list-tags` option in the `podman search` command would cause the command to ignore the `--format` option (#18939).
- Fixed a bug where the `podman machine start` command did not properly translate the proxy IP.
- Fixed a bug where the `podman auto-update` command would not restart dependent units (specified via `Requires=`) on auto update (#18926).
- Fixed a bug where the `podman pull` command would print ids multiple times when using additional stores (#18647).
- Fixed a bug where creating a container while setting the unmask option to an empty array would cause the create to fail (#18848).
- Fixed a bug where the propagation of proxy settings for QEMU VMs was broken.
- Fixed a bug where the `podman rm -fa` command could fail to remove dependency containers such as pod infra containers (#18180).
- Fixed a bug where the `--tz` option to the `podman create` ...
v4.6.0-rc1
Features
- The `podman wait` command now supports `--condition={healthy,unhealthy}`, allowing waits on successful health checks.
- The `podman push` command now supports a new option, `--compression-level`, which specifies the compression level to use (#18939).
- The `podman machine start` command, when run with `--log-level=debug`, now creates a console window to display the virtual machine while booting.
- Podman now supports a new option, `--imagestore`, which allows images to be stored in a different directory than the graphroot.
- The `--ip-range` option to the `podman network create` command now accepts a new syntax, `<startIP>-<endIP>`, which allows more flexibility when limiting the IP range that Podman assigns.
- [Tech Preview] A new command, `podmansh`, has been added, which executes a user shell within a container when the user logs into the system. The container that the users get added to can be defined via a Podman Quadlet file.
- The `podman network create` command supports a new `--option`, `bclim`, for the `macvlan` driver.
- The `podman info` command now prints network information about the binary path, package version, program version and DNS information (#18443).
- The `podman info` command now displays the number of free locks available, helping to debug lock exhaustion scenarios.
- The `podman info` command now outputs information about pasta, if it exists in `helper_binaries_dir` or `$PATH`.
- The remote Podman client’s `podman build` command now accepts Containerfiles that are not in the context directory (#18239).
- The remote Podman client’s `podman play kube` command now supports the `--configmap` option (#17513).
- The `podman kube play` command now supports multi-doc YAML files for configmap arguments (#18537).
- The `podman pod create` command now supports a new flag, `--restart`, which sets the restart policy for all the containers in a pod.
- The `--format={{.Restarts}}` option to the `podman ps` command now shows the number of times a container has been restarted based on its restart policy.
- The `--format={{.Restarts}}` option to the `podman pod ps` command now shows the total number of container restarts in a pod.
- The podman machine provider can now be specified via the `CONTAINERS_MACHINE_PROVIDER` environment variable, as well as via the `provider` field in `containers.conf` (#17116).
- A default list of pasta arguments can now be set in `containers.conf` via `pasta_options`.
- The `podman machine init` and `podman machine set` commands now support a new option, `--user-mode-networking`, which improves interoperability with VPN configurations that drop traffic from WSL networking on Windows.
- The remote Podman client’s `podman push` command now supports the `--digestfile` option (#18216).
- Podman now supports a new option, `--out`, that allows redirection or suppression of STDOUT (#18120).
Changes
- The `--filter id=xxx` option will now treat `xxx` as a CID prefix, and not as a regular expression (#18471).
- The `--filter` option now requires multiple `--filter` flags to specify multiple filters. It will no longer support the comma syntax (`--filter label=a,label=b`).
- The `slirp4netns` binary will now be searched for in paths specified by the `helper_binaries_dir` option in `containers.conf` (#18239).
- Podman machine now updates `/run/docker.sock` within the guest to be consistent with its rootless/rootful setting (#18480).
- The `podman system df` command now counts files which podman generates for use with specific containers as part of the disk space used by those containers, and which can be reclaimed by removing those containers. It also counts space used by files it associates with specific images and volumes as being used by those images and volumes.
- The `podman build` command now returns a clearer error message when the Containerfile cannot be found (#16354).
- Containers created with `--pid=host` will no longer print errors on `podman stop` (#18460).
- The `podman manifest push` command no longer requires a destination to be specified. If a destination is not provided, the source is used as the destination (#18360).
- The `podman system reset` command now warns the user that the graphroot and runroot directories will be deleted (#18349, #18295).
Quadlet
- Quadlet now exits with a non-zero exit code when errors are found (#18778).
- Rootless podman Quadlet files can now be installed in the `/etc/containers/systemd/users` directory.
- Quadlet now supports the `AutoUpdate` option.
- Quadlet now supports the `Mask` and `Unmask` options.
- Quadlet now supports the `WorkingDir` option, which specifies the default working dir in a container.
- Quadlet now supports the `Sysctl` option, which sets namespaced kernel parameters for containers (#18727).
- Quadlet now supports the `SecurityLabelNested=true` option, which allows nested SELinux containers.
- Quadlet now supports the `Pull` option in `.container` files (#18779).
- Quadlet now supports the `ExitCode` field in `.kube` files, which reflects the exit codes of failed containers.
- Quadlet now supports the `PodmanArgs` field.
- Quadlet now supports the `HostName` field, which sets the container's host name, in `.container` files (#18486).
Bugfixes
- The `podman machine start` command now waits for systemd-user sessions to be up, addressing flaky machine starts (#17403).
- Fixed a bug where setting the `--list-tags` option in the `podman search` command would cause the command to ignore the `--format` option (#18939).
- Fixed a bug where the `podman machine start` command did not properly translate the proxy IP.
- Fixed a bug where the `podman auto-update` command would not restart dependent units (specified via `Requires=`) on auto update (#18926).
- Fixed a bug where the `podman pull` command would print ids multiple times when using additional stores (#18647).
- Fixed a bug where creating a container while setting the unmask option to an empty array would cause the create to fail (#18848).
- Fixed a bug where the propagation of proxy settings for QEMU VMs was broken.
- Fixed a bug where the `podman rm -fa` command could fail to remove dependency containers such as pod infra containers (#18180).
- Fixed a bug where the `--tz` option to the `podman create` and `podman run` commands would not create a proper localtime symlink to the zoneinfo file, which was causing some applications (e.g. Java) to not read the timezone correctly.
- Fixed a bug where lowering the ulimit after container creation would cause the container to fail (#18714).
- Fixed a bug where signals were not forwarded correctly in rootless containers (#16091).
- Fixed a bug where the `--filter volume=` option to the `podman events` command would not display the relevant events (#18618).
- Fixed a bug in the `podman wait` command where containers created with the `--restart=always` option would result in the container staying in a stopped state.
- Fixed a bug where the `podman stats` command returned an incorrect memory limit after a `container update` (#18621).
- Fixed a bug in the `podman run` command where the `PODMAN_USERNS` environment variable was not ignored when the `--pod` option was set, resulting in a container created in a different user namespace than its pod (#18580).
- Fixed a bug where the `podman run` command would not create `/run/.containerenv` when a tmpfs is mounted on `/run` (#18531).
- Fixed a bug where the `$HOME` environment variable would be configured inconsistently between container starts if a new passwd entry had to be created for the container.
- Fixed a bug where the `podman play kube` command would restart initContainers based on the restart policy of the pod. initContainers should never be restarted.
- Fixed a bug in the remote Podman client’s `build` command where an invalid platform would be set.
- Fixed a bug where the `podman history` command did not display tags (#17763).
- Fixed a bug where the `podman machine init` command would create invalid machines when run with certain UIDs (#17893).
- Fixed a bug in the remote Podman client’s `podman manifest push` command w...
v4.5.1
Security
- Do not include image annotations when building spec. These annotations can have security implications - crun, for example, allows rootless containers to preserve the user's groups through an annotation.
Quadlet
- Fixed a bug in quadlet to recognize the systemd optional prefix '-'.
Bugfixes
- Fixed a bug where fully resolving symlink paths included the version number, breaking the path to homebrew-installed qemu files (#18111).
- Fixed a bug where Podman was splitting the filter map slightly differently compared to Docker (#18092).
- Fixed a bug where running `make package` did not work on RHEL 8 environments (#18421).
- Fixed a bug to allow comma-separated DNS server IP addresses in `podman network create --dns` and `podman network update --dns-add/--dns-drop` (#18663).
- Fixed a bug to correctly stop containers created with `--restart=always` in all cases (#18259).
- Fixed a bug in podman-remote logs to correctly display errors reported by the server.
- Fixed a bug to correctly tear down the network stack again when an error happened during the setup.
- Fixed a bug in the remote API exec inspect call to correctly display updated information, e.g. when the exec process died (#18424).
- Fixed a bug so that podman save on windows can now write to stdout by default (#18147).
- Fixed a bug where podman machine rm with the qemu backend now correctly removes the machine connection after the confirmation message not before (#18330).
- Fixed a problem where podman machine connections would try to connect to the ipv6 localhost ipv6 (::1) (#16470).
v4.5.0
Features
- The `podman kube play` command now supports the hostIPC field (#17157).
- The `podman kube play` command now supports a new flag, `--wait`, that keeps the workload running in the foreground until killed with a SIGKILL or SIGTERM. The workloads are cleaned up and removed when killed (#14522).
- The `podman kube generate` and `podman kube play` commands now support SELinux filetype labels.
- The `podman kube play` command now supports sysctl options (#16711).
- The `podman kube generate` command now supports generating Deployments (#17712).
- The `podman machine inspect` command now shows information about named pipe addresses on Windows (#16860).
- The `--userns=keep-id` option for `podman create`, `run`, and `kube play` now works for root containers by copying the current mapping into a new user namespace (#17337).
- A new command has been added, `podman secret exists`, to verify if a secret with the given name exists.
- The `podman kube generate` and `podman kube play` commands now support ulimit annotations (#16404).
- The `podman create`, `run`, `pod create`, and `pod clone` commands now support a new option, `--shm-size-systemd`, that allows limiting tmpfs sizes for systemd-specific mounts (#17037).
- The `podman create` and `run` commands now support a new option, `--group-entry`, which customizes the entry that is written to the `/etc/group` file within the container when the `--user` option is used (#14965).
- The `podman create` and `podman run` commands now support a new option, `--security-opt label=nested`, which allows SELinux labeling within a confined container.
- A new command, `podman machine os apply`, has been added, which applies OS changes to a Podman machine from an OCI image.
- The `podman search` command now supports two new options: `--cert-dir` and `--creds`.
- Defaults for the `--cgroup-config` option for `podman create` and `podman run` can now be set in `containers.conf`.
- Podman now supports auto updates for containers running inside a pod (#17181).
- Podman can now use a SQLite database as a backend for increased stability. The default remains the old database, BoltDB. The database to use is selected through the `database_backend` field in `containers.conf`.
- Netavark plugin support has been added. The netavark network backend now allows users to create custom network drivers. `podman network create -d <plugin>` can be used to create a network config for your plugin; Podman will then use it like any other config and take care of setup/teardown on container start/stop. This requires at least Netavark version 1.6.
- DHCP with macvlan and the netavark backend is now supported.
Changes
- Remote builds using the `podman build` command no longer allow `.containerignore` or `.dockerignore` files to be symlinks outside the build context.
- The `podman system reset` command now clears build caches.
- The `podman play kube` command now adds ctrName as an alias to the pod network (#16544).
- The `podman kube generate` command no longer adds hostPort to the pod spec when generating service kinds.
- Using a private cgroup namespace with systemd containers on a cgroups v1 system will explicitly error (this configuration has never worked) (#17727).
- The `SYS_CHROOT` capability has been re-added to the default set of capabilities.
- Listing large quantities of images with the `podman images` command has seen a significant performance improvement (#17828).
Quadlet
- Quadlet now supports the `Rootfs=` option, allowing containers to be based on a rootfs in addition to an image.
- Quadlet now supports the `Secret` key in the Container group.
- Quadlet now supports the `LogDriver` key in `.container` and `.kube` units.
- Quadlet now supports the `Mount` key in `.container` files (#17632).
- Quadlet now supports specifying static IPv4 and IPv6 addresses in `.container` files via the `IP=` and `IP6=` options.
- Quadlet now supports health check configuration in `.container` files.
- Quadlet now supports relative paths in the `Volume` key in `.container` files (#17418).
- Quadlet now supports setting the UID and GID options for `--userns=keep-id` (#17908).
- Quadlet now supports adding `tmpfs` filesystems through the `Tmpfs` key in `.container` files (#17907).
- Quadlet now supports the `UserNS` option in `.container` files, which will replace the existing `RemapGid`, `RemapUid`, `RemapUidSize` and `RemapUsers` options in a future release (#17984).
- Quadlet now includes a `--version` option.
- Quadlet now forbids specifying SELinux label types, including disabling SELinux separation.
- Quadlet now does not set log-driver by default.
- Fixed a bug where Quadlet did not recognize paths starting with systemd specifiers as absolute (#17906).
Bugfixes
- Fixed a bug in the network list API where a race condition would cause the list to fail if a container had just been removed (#17341).
- Fixed a bug in the `podman image scp` command to correctly use identity settings.
- Fixed a bug in the remote Podman client's `podman build` command where building from stdin would fail. `podman --remote build -f -` now works correctly (#17495).
- Fixed a bug in the `podman volume prune` command where exclusive (`!=`) filters would fail (#17051).
- Fixed a bug in the `--volume` option in the `podman create`, `run`, `pod create`, and `pod clone` commands where specifying relative mappings or idmapped mounts would fail (#17517).
- Fixed a bug in the `podman kube play` command where a secret would be created, but nothing would be printed on the terminal (#17071).
- Fixed a bug in the `podman kube down` command where secrets were not removed.
- Fixed a bug where cleaning up after an exited container could segfault on non-Linux operating systems.
- Fixed a bug where the `podman inspect` command did not properly list the network configuration of containers created with `--net=none` or `--net=host` (#17385).
- Fixed a bug where containers created with user-specified SELinux labels that created anonymous or named volumes would create those volumes with incorrect labels.
- Fixed a bug where the `podman checkpoint restore` command could panic.
- Fixed a bug in the `podman events` command where events could be returned more than once after a log file rotation (#17665).
- Fixed a bug where errors from systemd when restarting units during a `podman auto-update` command were not reported.
- Fixed a bug where containers created with the `--health-on-failure=restart` option were not restarting when the health state turned unhealthy (#17777).
- Fixed a bug where containers using the `slirp4netns` network mode with the `cidr` option and a custom user namespace did not set proper DNS IPs in `resolv.conf`.
- Fixed a bug where the `podman auto-update` command could fail to restart systemd units (#17607).
- Fixed a bug where the `podman play kube` command did not properly handle `secret.items` in volumes (#17829).
- Fixed a bug where the `podman generate kube` command could generate pods with invalid names and hostnames (#18054).
- Fixed a bug where names of limits (such as `RLIMIT_NOFILE`) passed to the `--ulimit` option to `podman create` and `podman run` were case-sensitive (#18077).
- Fixed a possible corruption issue with the configuration state of `podman machine` during system failures on Mac, Linux, and Windows.
API
- The Compat Stats endpoint for Containers now returns the `Id` key as lowercase `id` to match Docker (#17869).
- Fixed a bug where the Compat top endpoint incorrectly returned titles as a string instead of a list (#17524).
Misc
- The `podman version` command no longer joins the rootless user namespace (#17657).
- The `podman-events --stream` option is no longer hidden and is now documented.
- Updated Buildah to v1.30.0
- Updated the containers/storage library to v1.46.1
- Updated the containers/image library to v5.25.0
- Updated the containers/common library to v0.52.0
v4.5.0-RC2
Features
- The `podman kube play` command now supports the hostIPC field (#17157).
- The `podman kube play` command now supports a new flag, `--wait`, that keeps the workload running in the foreground until killed with a SIGKILL or SIGTERM. The workloads are cleaned up and removed when killed (#14522).
- The `podman kube generate` and `podman kube play` commands now support SELinux filetype labels.
- The `podman kube play` command now supports sysctl options (#16711).
- The `podman kube generate` command now supports generating Deployments (#17712).
- The `podman machine inspect` command now shows information about named pipe addresses on Windows (#16860).
- The `--userns=keep-id` option for `podman create`, `run`, and `kube play` now works for root containers by copying the current mapping into a new user namespace (#17337).
- A new command has been added, `podman secret exists`, to verify if a secret with the given name exists.
- The `podman kube generate` and `podman kube play` commands now support ulimit annotations (#16404).
- The `podman create`, `run`, `pod create`, and `pod clone` commands now support a new option, `--shm-size-systemd`, that allows limiting tmpfs sizes for systemd-specific mounts (#17037).
- The `podman create` and `run` commands now support a new option, `--group-entry`, which customizes the entry that is written to the `/etc/group` file within the container when the `--user` option is used (#14965).
- The `podman create` and `podman run` commands now support a new option, `--security-opt label=nested`, which allows SELinux labeling within a confined container.
- A new command, `podman machine os apply`, has been added, which applies OS changes to a Podman machine from an OCI image.
- The `podman search` command now supports two new options: `--cert-dir` and `--creds`.
- Defaults for the `--cgroup-config` option for `podman create` and `podman run` can now be set in `containers.conf`.
- Podman now supports auto updates for containers running inside a pod (#17181).
- Podman can now use a SQLite database as a backend for increased stability. The default remains the old database, BoltDB. The database to use is selected through the `database_backend` field in `containers.conf`.
- Netavark plugin support has been added. The netavark network backend now allows users to create custom network drivers. `podman network create -d <plugin>` can be used to create a network config for your plugin; Podman will then use it like any other config and take care of setup/teardown on container start/stop. This requires at least Netavark version 1.6.
Changes
- Remote builds using the `podman build` command no longer allow `.containerignore` or `.dockerignore` files to be symlinks outside the build context.
- The `podman system reset` command now clears build caches.
- The `podman play kube` command now adds ctrName as an alias to the pod network (#16544).
- The `podman kube generate` command no longer adds hostPort to the pod spec when generating service kinds.
- Using a private cgroup namespace with systemd containers on a cgroups v1 system will explicitly error (this configuration has never worked) (#17727).
- The `SYS_CHROOT` capability has been re-added to the default set of capabilities.
- Listing large quantities of images with the `podman images` command has seen a significant performance improvement (#17828).
Quadlet
- Quadlet now supports the `Rootfs=` option, allowing containers to be based on a rootfs in addition to an image.
- Quadlet now supports the Secret key in the Container group.
- Quadlet now supports the Logdriver key in `.container` and `.kube` units.
- Quadlet now supports the Mount key in `.container` files (#17632).
- Quadlet now supports specifying static IPv4 and IPv6 addresses in `.container` files via the `IP=` and `IP6=` options.
- Quadlet now supports health check configuration in `.container` files.
- Quadlet now supports relative paths in the Volume key in `.container` files (#17418).
- Quadlet now supports setting the UID and GID options for `--userns=keep-id` (#17908).
- Quadlet now supports adding `tmpfs` filesystems through the `Tmpfs` key in `.container` files (#17907).
- Quadlet now supports the `UserNS` option in `.container` files, which will replace the existing `RemapGid`, `RemapUid`, `RemapUidSize` and `RemapUsers` options in a future release (#17984).
- Quadlet now includes a `--version` option.
- Quadlet now forbids specifying SELinux label types, including disabling SELinux separation.
- Fixed a bug where Quadlet did not recognize paths starting with systemd specifiers as absolute (#17906).
Bugfixes
- Fixed a bug in the network list API where a race condition would cause the list to fail if a container had just been removed (#17341).
- Fixed a bug in the `podman image scp` command to correctly use identity settings.
- Fixed a bug in the remote Podman client's `podman build` command where building from stdin would fail. `podman --remote build -f -` now works correctly (#17495).
- Fixed a bug in the `podman volume prune` command where exclusive (`!=`) filters would fail (#17051).
- Fixed a bug in the `--volume` option in the `podman create`, `run`, `pod create`, and `pod clone` commands where specifying relative mappings or idmapped mounts would fail (#17517).
- Fixed a bug in the `podman kube play` command where a secret would be created, but nothing would be printed on the terminal (#17071).
- Fixed a bug in the `podman kube down` command where secrets were not removed.
- Fixed a bug where cleaning up after an exited container could segfault on non-Linux operating systems.
- Fixed a bug where the `podman inspect` command did not properly list the network configuration of containers created with `--net=none` or `--net=host` (#17385).
- Fixed a bug where containers created with user-specified SELinux labels that created anonymous or named volumes would create those volumes with incorrect labels.
- Fixed a bug where the `podman checkpoint restore` command could panic.
- Fixed a bug in the `podman events` command where events could be returned more than once after a log file rotation (#17665).
- Fixed a bug where errors from systemd when restarting units during a `podman auto-update` command were not reported.
- Fixed a bug where containers created with the `--health-on-failure=restart` option were not restarting when the health state turned unhealthy (#17777).
- Fixed a bug where containers using the `slirp4netns` network mode with the `cidr` option and a custom user namespace did not set proper DNS IPs in `resolv.conf`.
- Fixed a bug where the `podman auto-update` command could fail to restart systemd units (#17607).
- Fixed a bug where the `podman play kube` command did not properly handle `secret.items` in volumes (#17829).
- Fixed a bug where the `podman generate kube` command could generate pods with invalid names and hostnames (#18054).
- Fixed a bug where names of limits (such as `RLIMIT_NOFILE`) passed to the `--ulimit` option to `podman create` and `podman run` were case-sensitive (#18077).
- Fixed a possible corruption issue with the configuration state of `podman machine` during system failures on Mac, Linux, and Windows.
API
- The Compat Stats endpoint for Containers now returns the `Id` key as lowercase `id` to match Docker (#17869).
Misc
- The `podman version` command no longer joins the rootless user namespace (#17657).
- The `podman-events --stream` option is no longer hidden and is now documented.
- Updated Buildah to v1.30.0
- Updated the containers/storage library to v1.46.1
- Updated the containers/image library to v5.25.0
- Updated the containers/common library to v0.52.0
v4.5.0-RC1
This is the first release candidate of Podman v4.5.0. Full release notes are not available, but will be compiled for the next RC.
v4.4.4
v4.4.3
Security
- This release fixes CVE-2022-41723, a vulnerability in the golang.org/x/net package where a maliciously crafted HTTP/2 stream could cause excessive CPU consumption, sufficient to cause a denial of service.
Changes
- Added `SYS_CHROOT` back to the default set of capabilities.
Bugfixes
- Fixed a bug where quadlet would not use the default runtime set.
- Fixed a bug where `podman system service --log-level=trace` did not hijack the client connection, causing remote `podman run/attach` calls to work incorrectly (#17749).
- Fixed a bug where the podman-mac-helper returned an incorrect exit code after erroring. `podman-mac-helper` now exits with 1 on error (#17785).
- Fixed a bug where `podman run --dns ... --network` would not respect the dns option. Podman will no longer add host nameservers to resolv.conf when aardvark-dns is used (#17499).
- Fixed a bug where `podman logs` errored out with the passthrough driver when the container was run from a systemd service.
- Fixed a bug where `--health-on-failure=restart` would not restart the container when the health state turned unhealthy (#17777).
- Fixed a bug where podman machine VMs could have their system time drift behind real time. New machines will no longer be affected by this (#11541).
API
- Fixed a bug where creating a network with the Compat API would return an incorrect status code. The API call now returns 409 when creating a network with an existing name and when CheckDuplicate is set to true (#17585).
- Fixed a bug in the /auth REST API where logging into Docker Hub would fail (#17571).
Misc
- Updated the containers/common library to v0.51.1
- Updated the Mac pkginstaller QEMU to v7.2.0
v4.4.2
Security
- This release fixes CVE-2023-0778, which allowed a malicious user to potentially replace a normal file in a volume with a symlink while exporting the volume, allowing for access to arbitrary files on the host file system.
Bugfixes
- Fixed a bug where containers started via the `podman-kube` systemd template would always use the "passthrough" log driver (#17482).
- Fixed a bug where pulls would unexpectedly encounter an EOF error. Now, Podman automatically and transparently resumes aborted pull connections.
- Fixed a race condition in Podman's signal proxy.
Misc
- Updated the containers/image library to v5.24.1.