github containers/podman v2.1.0


Features

  • A new command, podman image mount, has been added. This allows for an image to be mounted, read-only, to inspect its contents without creating a container from it (#1433).
  • The podman save and podman load commands can now create and load archives containing multiple images (#2669).
  • Rootless Podman now supports all podman network commands, and rootless containers can now be joined to networks.
  • The performance of podman build on ADD and COPY instructions has been greatly improved, especially when a .dockerignore is present.
  • The podman run and podman create commands now support a new mode for the --cgroups option, --cgroups=split. Podman will create two cgroups under the cgroup it was launched in, one for the container and one for Conmon. This mode is useful for running Podman in a systemd unit, as it ensures that all processes are retained in systemd's cgroup hierarchy (#6400).
  • The podman run and podman create commands can now specify options to slirp4netns by using the --network option as follows: --net slirp4netns:opt1,opt2. This allows for, among other things, switching the port forwarder used by slirp4netns away from rootlessport.
  • The podman ps command now features a new option, --storage, to show containers from Buildah, CRI-O and other applications.
  • The podman run and podman create commands now feature a --sdnotify option to control the behavior of systemd's sdnotify with containers, enabling improved support for Podman in Type=notify units.
  • The podman run command now features a --preserve-fds option to pass file descriptors from the host into the container (#6458).
  • The podman run and podman create commands can now create overlay volume mounts, by adding the :O option to a bind mount (e.g. -v /test:/test:O). Overlay volume mounts will mount a directory into a container from the host and allow changes to it, but not write those changes back to the directory on the host.
  • The podman play kube command now supports the Socket HostPath type (#7112).
  • The podman play kube command now supports read-only mounts.
  • The podman play kube command now supports setting labels on pods from Kubernetes metadata labels.
  • The podman play kube command now supports setting container restart policy (#7656).
  • The podman play kube command now properly handles HostAlias entries.
  • The podman generate kube command now adds entries to /etc/hosts from --host-add generated YAML as HostAlias entries.
  • The podman play kube and podman generate kube commands now properly support shareProcessNamespace to share the PID namespace in pods.
  • The podman volume ls command now supports the dangling filter to identify volumes that are dangling (not attached to any container).
  • The podman run and podman create commands now feature a --umask option to set the umask of the created container.
  • The podman create and podman run commands now feature a --tz option to set the timezone within the container (#5128).
  • Environment variables for Podman can now be added in the containers.conf configuration file.
  • The --mount option of podman run and podman create now supports a new mount type, type=devpts, to add a devpts mount to the container. This is useful for containers that want to mount /dev/ from the host into the container, but still create a terminal.
  • The --security-opt flag to podman run and podman create now supports a new option, proc-opts, to specify options for the container's /proc filesystem.
  • Podman with the crun OCI runtime now supports a new option to podman run and podman create, --cgroup-conf, which allows for advanced configuration of cgroups on cgroups v2 systems.
  • The podman create and podman run commands now support a --override-variant option, to override the architecture variant of the image that will be pulled and run.
  • A new global option has been added to Podman, --runtime-flags, which allows for setting flags to use when the OCI runtime is called.
  • The podman manifest add command now supports the --cert-dir, --auth-file, --creds, and --tls-verify options.
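
The overlay volume mount (`-v /host:/ctr:O`) listed above promises that writes inside the container never reach the host directory. The script below is an added example, not code from the release notes or the Podman project, that checks that promise and contrasts it with a plain bind mount. It assumes `podman` on PATH able to run `docker.io/library/alpine` (rootless `:O` needs fuse-overlayfs or a kernel with unprivileged overlayfs); the image name and the `--security-opt label=disable` used to keep SELinux labelling out of the demonstration are assumptions.

```shell
#!/bin/sh
# Added example, not from the Podman release notes: verify that an overlay
# volume mount (-v host:ctr:O) keeps container writes off the host directory,
# and contrast it with a plain bind mount, which writes straight through.
# Assumptions: `podman` on PATH, able to run the image below (rootless :O
# needs fuse-overlayfs or a kernel with unprivileged overlayfs).
set -eu

IMAGE="${IMAGE:-docker.io/library/alpine}"

# Run a container that tampers with an existing file and drops a new one
# under /data, mounted from $1 with the mount options in $2 ("O" or "").
# label=disable only keeps SELinux labelling out of this demonstration.
tamper_via_mount() {
    opts=${2:+:$2}
    podman run --rm --security-opt label=disable \
        -v "$1:/data$opts" "$IMAGE" \
        sh -c 'echo tampered > /data/config.txt && echo dropper > /data/evil.sh' \
        >/dev/null 2>&1
}

# Returns 0 if the host directory is untouched after writing through the
# :O mount, 1 if the writes leaked to the host (the property promised by the
# release notes failed), 2 if podman is missing or the container could not
# run, so nothing was checked.
overlay_mount_is_isolated() {
    command -v podman >/dev/null 2>&1 || return 2
    host_dir=$(mktemp -d)
    echo original > "$host_dir/config.txt"
    tamper_via_mount "$host_dir" O || { rm -rf "$host_dir"; return 2; }
    rc=0
    [ "$(cat "$host_dir/config.txt")" = original ] || rc=1
    [ ! -e "$host_dir/evil.sh" ] || rc=1
    rm -rf "$host_dir"
    return "$rc"
}

# Same tampering through an ordinary bind mount: returns 0 when the host
# file was changed (the behaviour :O is meant to prevent), 2 if not checked.
bind_mount_writes_through() {
    command -v podman >/dev/null 2>&1 || return 2
    host_dir=$(mktemp -d)
    echo original > "$host_dir/config.txt"
    tamper_via_mount "$host_dir" "" || { rm -rf "$host_dir"; return 2; }
    rc=1
    [ "$(cat "$host_dir/config.txt")" = tampered ] && [ -e "$host_dir/evil.sh" ] && rc=0
    rm -rf "$host_dir"
    return "$rc"
}

report() {
    r=0; overlay_mount_is_isolated || r=$?
    case $r in
        0) echo "PASS: writes through :O stayed out of the host directory" ;;
        1) echo "FAIL: host directory was modified through an :O mount" ;;
        *) echo "SKIP: podman unavailable or container could not run" ;;
    esac
    r=0; bind_mount_writes_through || r=$?
    case $r in
        0) echo "INFO: the same writes through a plain bind mount reached the host" ;;
        1) echo "INFO: plain bind mount did not write through (unexpected)" ;;
        *) echo "SKIP: bind-mount contrast not run" ;;
    esac
}

if [ "${1:-}" = run ]; then report; fi
```

Run it as `sh overlay-check.sh run`. The overlay's upper layer lives in container storage and is discarded with the container, so `:O` is a cheap way to hand an untrusted workload a writable view of host data; it is not a substitute for read-only mounts where the container should not even appear to write.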

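The `--cgroups=split` and `--sdnotify` options above are meant to be used together when Podman itself is the process a systemd unit starts. The script below is an added example, not from the release notes or the Podman project, that writes such a unit and checks a unit for the combination those options need. The unit layout, the `/usr/bin/podman` path, the container name and the image are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the Podman release notes or the Podman project:
# write a systemd user unit that runs a container with --cgroups=split and
# --sdnotify=conmon, and check a unit for the settings they require.
# Unit layout, podman path, image and names are assumptions.
set -eu

# Write container-$2.service into directory $1 for image $3; print its path.
write_unit() {
    dir=$1; name=$2; image=$3
    unit="$dir/container-$name.service"
    cat > "$unit" <<EOF
[Unit]
Description=Podman container $name

[Service]
# --sdnotify=conmon makes conmon, not podman or the workload, send READY=1
# once the container is running. conmon is a child of the unit's main
# process, so systemd only accepts that message with NotifyAccess=all.
Type=notify
NotifyAccess=all
# --cgroups=split keeps the container and conmon in sub-cgroups of this
# unit's cgroup, so stop/kill and resource accounting cover every process.
ExecStart=/usr/bin/podman run --rm --name $name \\
    --cgroups=split --sdnotify=conmon \\
    $image
ExecStop=/usr/bin/podman stop -t 10 $name
KillMode=mixed
Restart=on-failure

[Install]
WantedBy=default.target
EOF
    echo "$unit"
}

# Returns 0 when a unit that runs podman with --sdnotify=conmon or
# --sdnotify=container also declares Type=notify and NotifyAccess=all, or
# does not use sdnotify at all; returns 1 for the mismatch, which leaves the
# unit in "activating" until systemd's start timeout fails it.
check_unit() {
    unit=$1
    if grep -qE -- '--sdnotify=(conmon|container)' "$unit"; then
        grep -q '^Type=notify' "$unit" || return 1
        grep -q '^NotifyAccess=all' "$unit" || return 1
    fi
    return 0
}

if [ "${1:-}" = run ]; then
    target="${XDG_CONFIG_HOME:-$HOME/.config}/systemd/user"
    mkdir -p "$target"
    path=$(write_unit "$target" web docker.io/library/nginx:alpine)
    check_unit "$path" && echo "wrote $path; enable with: systemctl --user enable --now $(basename "$path")"
fi
```

Use `--sdnotify=container` only when the workload itself calls `sd_notify`; with `conmon`, readiness means "the container started", not "the service is ready". `--sdnotify=ignore` plus `Type=simple` is the right pairing when no readiness signal is wanted at all.
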
Security

  • This release resolves CVE-2020-14370, in which environment variables could be leaked between containers created using the Varlink API.

Changes

  • Podman will now retry pulling an image 3 times if a pull fails due to network errors.
  • The podman exec command previously printed error messages (e.g. exec session exited with non-zero exit code -1) when the executed command exited with a non-zero code. It no longer does this; podman exec still exits with the same exit code as the command run in the container.
  • Error messages when creating a container or pod with a name that is already in use have been improved.
  • For read-only containers running systemd init, Podman creates a tmpfs filesystem at /run. This was previously limited to 65k in size and mounted noexec, but is now unlimited size and mounted exec.
  • The podman system reset command no longer removes configuration files for rootless Podman.

Bugfixes

  • Fixed a bug where Podman would not add an entry to /etc/hosts for a container if it joined another container's network namespace (#66782).
  • Fixed a bug where podman save --format oci-dir saved the image in an incorrect format (#6544).
  • Fixed a bug where privileged containers would still configure an AppArmor profile.
  • Fixed a bug where the --format option of podman system df was not properly interpreting format codes that included backslashes (#7149).
  • Fixed a bug where rootless Podman would ignore errors from newuidmap and newgidmap, even if /etc/subuid and /etc/subgid contained valid mappings for the user running Podman.
  • Fixed a bug where the podman commit command did not properly handle single-character image names (#7114).
  • Fixed a bug where the output of podman ps --format=json did not include a Status field (#6980).
  • Fixed a bug where input to the --log-level option was no longer case-insensitive.
  • Fixed a bug where podman images could segfault when an image pull was aborted while incomplete, leaving an image without a manifest (#7444).
  • Fixed a bug where rootless Podman would try to create the ~/.config directory when it did not exist, despite not placing any configuration files inside the directory.
  • Fixed a bug where the output of podman system df was inconsistent based on whether the -v option was specified (#7405).
  • Fixed a bug where --security-opt apparmor=unconfined would error if Apparmor was not enabled on the system (#7545).
  • Fixed a bug where running podman stop on multiple containers starting with --rm could sometimes cause no such container errors (#7384).
  • Fixed a bug where podman-remote would still try to contact the server when displaying help information about subcommands.
  • Fixed a bug where the podman build --logfile command would segfault.
  • Fixed a bug where the podman generate systemd command did not properly handle containers which were created with a name given as --name=$NAME instead of --name $NAME (#7157).
  • Fixed a bug where the podman ps was ignoring the --latest flag.
  • Fixed a bug where the podman-remote kill command would hang when a signal that did not kill the container was specified (#7135).
  • Fixed a bug where the --oom-score-adj option of podman run and podman create was nonfunctional.
  • Fixed a bug where the --display option of podman runlabel was nonfunctional.
  • Fixed a bug where the podman runlabel command would not pull images that did not exist locally on the system.
  • Fixed a bug where podman-remote run would not exit with the correct code when the container was removed by podman-remote rm -f while podman-remote run was still running (#7117).
  • Fixed a bug where the podman-remote run --rm command would error attempting to remove containers that had already been removed (e.g. by podman-remote rm --force) (#7340).
  • Fixed a bug where podman run --user with a numeric user combined with --userns=keepid could create users in /etc/passwd in the container that belong to groups without a corresponding entry in /etc/group (#7389).
  • Fixed a bug where podman run --userns=keepid could create entries in /etc/passwd with a UID that was already in use by another user (#7503).
  • Fixed a bug where podman run --user with a numeric user combined with --userns=keepid could create users that could not be logged into (#7499).
  • Fixed a bug where trying to join another container's user namespace with --userns container:$ID would fail (#7547).
  • Fixed a bug where the podman play kube command would trim underscores from container names (#7020).
  • Fixed a bug where the podman attach command would not show output when attaching to a container with a terminal (#6523).
  • Fixed a bug where the podman system df command could be extremely slow when large quantities of images were present (#7406).
  • Fixed a bug where podman images -a would break if any image pulled by digest was present in the store (#7651).
  • Fixed a bug where the --mount option to podman run and podman create required the type= parameter to be passed first (#7628).
  • Fixed a bug where the --infra-command parameter to podman pod create was nonfunctional.
  • Fixed a bug where podman auto-update would fail for any container started with --pull=always (#7407).
  • Fixed a bug where the podman wait command would only accept a single argument.
  • Fixed a bug where the parsing of the --volumes-from option to podman run and podman create was broken, making it impossible to use multiple mount options at the same time (#7701).
  • Fixed a bug where the podman exec command would not join executed processes to the container's supplemental groups if the container was started with both the --user and --group-add options.
  • Fixed a bug where the --iidfile option to podman-remote build was nonfunctional.

API

  • The Libpod API version has been bumped to v2.0.0 due to a breaking change in the Image List API.
  • Docker-compatible Volume Endpoints (Create, Inspect, List, Remove, Prune) are now available!
  • Added an endpoint for generating systemd unit files for containers.
  • The last parameter to the Libpod container list endpoint now has an alias, limit (#6413).
  • The Libpod image list API now returns timestamps as Unix-epoch integers rather than strings.
  • The Compat Inspect endpoint for containers now includes port information in NetworkSettings.
  • The Compat List endpoint for images now features limited support for the (deprecated) filter query parameter (#6797).
  • Fixed a bug where the Compat Create endpoint for containers was not correctly handling bind mounts.
  • Fixed a bug where the Compat Create endpoint for containers would not return a 404 when the requested image was not present.
  • Fixed a bug where the Compat Create endpoint for containers did not properly handle Entrypoint and Command from images.
  • Fixed a bug where name history information was not properly added in the Libpod Image List endpoint.
  • Fixed a bug where the Libpod image search endpoint improperly populated the Description field of responses.
  • Added a noTrunc option to the Libpod image search endpoint.
  • Fixed a bug where the Pod List API would return null, instead of an empty array, when no pods were present (#7392).
  • Fixed a bug where endpoints that hijack the connection would perform the hijack too early, before being ready to send and receive data (#7195).
  • Fixed a bug where Pod endpoints that can operate on multiple containers at once (e.g. Kill, Pause, Unpause, Stop) would not forward errors from individual containers that failed.
  • The Compat List endpoint for networks now supports filtering results (#7462).
  • Fixed a bug where the Top endpoint for pods would return both a 500 and a 404 when run on a non-existent pod.
  • Fixed a bug where Pull endpoints did not stream progress back to the client.
  • The Version endpoints (Libpod and Compat) now provide version in a format compatible with Docker.
  • All non-hijacking responses to API requests should now include headers with the version of the server.
  • Fixed a bug where Libpod and Compat Events endpoints did not send response headers until the first event occurred (#7263).
  • Fixed a bug where the Build endpoints (Compat and Libpod) did not stream progress to the client.
  • Fixed a bug where the Stats endpoints (Compat and Libpod) did not properly handle clients disconnecting.
  • Fixed a bug where the Ignore parameter to the Libpod Stop endpoint was not functioning properly.
  • Fixed a bug where the Compat Logs endpoint for containers did not stream its output in the correct format (#7196).

Misc

  • Updated Buildah to v1.16.1
  • Updated the containers/storage library to v1.23.5
  • Updated the containers/image library to v5.6.0
  • Updated the containers/common library to v0.22.0
