Features
- Podman now features initial support for Docker Compose.
- Added the `podman rename` command, which allows containers to be renamed after they are created (#1925).
- The Podman remote client now supports the `podman copy` command.
- A new command, `podman network reload`, has been added. This command will re-configure the network of all running containers, and can be used to recreate firewall rules lost when the system firewall was reloaded (e.g. via `firewall-cmd --reload`).
- Podman networks now have IDs. They can be seen in `podman network ls` and can be used when removing and inspecting networks. Existing networks receive IDs automatically.
- Podman networks now also support labels. They can be added via the `--label` option to `network create`, and `podman network ls` can filter networks based on them.
- The `podman network create` command now supports setting bridge MTU and VLAN through the `--opt` option (#8454).
- The `podman container checkpoint` and `podman container restore` commands can now checkpoint and restore containers that include volumes.
- The `podman container checkpoint` command now supports the `--with-previous` and `--pre-checkpoint` options, and the `podman container restore` command now supports the `--import-previous` option. These add support for two-step checkpointing with lowered dump times.
- The `podman push` command can now push manifest lists. Podman will first attempt to push as an image, then fall back to pushing as a manifest list if that fails.
- The `podman generate kube` command can now be run on multiple containers at once, and will generate a single pod containing all of them.
- The `podman generate kube` and `podman play kube` commands now support Kubernetes DNS configuration, and will preserve custom DNS configuration when exporting or importing YAML (#9132).
- The `podman generate kube` command now properly supports generating YAML for containers and pods created using host networking (`--net=host`) (#9077).
- The `podman kill` command now supports a `--cidfile` option to kill containers given a file containing the container's ID (#8443).
- The `podman pod create` command now supports the `--net=none` option (#9165).
- The `podman volume create` command can now specify volume UID and GID as options with the `UID` and `GID` fields passed to the `--opt` option.
- Initial support has been added for Docker Volume Plugins. Podman can now define available plugins in `containers.conf` and use them to create volumes with `podman volume create --driver`.
- The `podman run` and `podman create` commands now support a new option, `--platform`, to specify the platform of the image to be used when creating the container.
- The `--security-opt` option to `podman run` and `podman create` now supports the `systempaths=unconfined` option to unrestrict access to all paths in the container, as well as `mask` and `unmask` options to allow more granular restriction of container paths.
- The `podman stats --format` command now supports a new format specifier, `MemUsageBytes`, which prints the raw bytes of memory consumed by a container without human-readable formatting (#8945).
- The `podman ps` command can now filter containers based on what pod they are joined to via the `pod` filter (#8512).
- The `podman pod ps` command can now filter pods based on what networks they are joined to via the `network` filter.
- The `podman pod ps` command can now print information on what networks a pod is joined to via the `.Networks` specifier to the `--format` option.
- The `podman system prune` command now supports filtering what containers, pods, images, and volumes will be pruned.
- The `podman volume prune` command now supports filtering what volumes will be pruned.
- The `podman system prune` command now includes information on space reclaimed (#8658).
- The `podman info` command will now properly print information about packages in use on Gentoo and Arch systems.
- The `containers.conf` file now contains an option for disabling creation of a new kernel keyring on container creation (#8384).
- The `podman image sign` command can now sign multi-arch images by producing a signature for each image in a given manifest list.
- The `podman image sign` command, when run as rootless, now supports per-user registry configuration files in `$HOME/.config/containers/registries.d`.
- Configuration options for `slirp4netns` can now be set system-wide via the `NetworkCmdOptions` configuration option in `containers.conf`.
- The MTU of `slirp4netns` can now be configured via the `mtu=` network command option (e.g. `podman run --net slirp4netns:mtu=9000`).
Security
- A fix for CVE-2021-20199 is included. Podman between v1.8.0 and v2.2.1 used `127.0.0.1` as the source address for all traffic forwarded into rootless containers by a forwarded port; this has been changed to address the issue.
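The practical consequence of the address rewrite above is that any service inside a rootless container which grants extra trust to connections from 127.0.0.1 would have treated every forwarded connection as local. The following check, added here as an example and not part of Podman or the release notes, reads `podman --version` on the host and reports whether the installed version falls in the affected range; it assumes the range is inclusive and that the output has the form `podman version X.Y.Z`.

```python
import re
import subprocess

# Affected range taken from the release note: Podman v1.8.0 through v2.2.1.
# Both ends are treated as affected (assumption: the note's "between" is inclusive).
AFFECTED_MIN = (1, 8, 0)
AFFECTED_MAX = (2, 2, 1)


def parse_podman_version(output: str) -> tuple:
    """Extract (major, minor, patch) from `podman --version` output.

    Accepts 'podman version 2.2.1' and also tolerates suffixes such as
    '3.0.0-rc1' or '-dev' by ignoring anything after the patch number.
    """
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", output)
    if match is None:
        raise ValueError(f"no version number found in: {output!r}")
    return tuple(int(part) for part in match.groups())


def is_affected_by_cve_2021_20199(version: tuple) -> bool:
    """True when the version lies inside the range the release note names."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def check_local_podman() -> bool:
    """Query the podman binary on this host and classify its version.

    Only rootless containers with forwarded ports were exposed, so a hit here
    means "upgrade", not proof that any container on the host was reachable.
    """
    result = subprocess.run(
        ["podman", "--version"], capture_output=True, text=True, check=True
    )
    return is_affected_by_cve_2021_20199(parse_podman_version(result.stdout))


if __name__ == "__main__":
    print("affected by CVE-2021-20199" if check_local_podman() else "not affected")
```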
Changes
- Shortname aliasing support has now been turned on by default. All Podman commands that must pull an image will, if a TTY is available, prompt the user about what image to pull.
- The `podman load` command no longer accepts a `NAME[:TAG]` argument. The presence of this argument broke CLI compatibility with Docker by making `docker load` commands unusable with Podman (#7387).
- The Go bindings for the HTTP API have been rewritten with a focus on limiting dependency footprint and improving extensibility.
- The legacy Varlink API has been completely removed from Podman.
- The default log level for Podman has been changed from Error to Warn.
- The `podman network create` command can now create `macvlan` networks using the `--driver macvlan` option for Docker compatibility. The existing `--macvlan` flag has been deprecated and will be removed in Podman 4.0 some time next year.
- The `podman inspect` command has had the `LogPath` and `LogTag` fields moved into the `LogConfig` structure (from the root of the Inspect structure). The maximum size of the log file is also included.
- The `podman generate systemd` command no longer generates unit files using the deprecated `KillMode=none` option (#8615).
- The `podman stop` command now releases the container lock while waiting for it to stop; as such, commands like `podman ps` will no longer block until `podman stop` completes (#8501).
- Networks created with `podman network create --internal` no longer use the `dnsname` plugin. This configuration never functioned as expected.
- Error messages for the remote Podman client have been improved when it cannot connect to a Podman service.
- Error messages for `podman run` when an invalid SELinux label is specified have been improved.
- Rootless Podman features improved support for containers with a single user mapped into the rootless user namespace.
- Pod infra containers now respect default sysctls specified in `containers.conf`, allowing for advanced configuration of the namespaces they will share.
- SSH public key handling for remote Podman has been improved.
Bugfixes
- Fixed a bug where the `podman history --no-trunc` command would truncate the `Created By` field (#9120).
- Fixed a bug where root containers that did not explicitly specify a CNI network to join did not generate an entry for the network in use in the `Networks` field of the output of `podman inspect` (#6618).
- Fixed a bug where, under some circumstances, container working directories specified by the image (via the `WORKDIR` instruction) but not present in the image would not be created (#9040).
- Fixed a bug where the `podman generate systemd` command would generate invalid unit files if the container was created using a command line that included doubled braces (`{{` and `}}`), e.g. `--log-opt-tag={{.Name}}` (#9034).
- Fixed a bug where the `podman generate systemd --new` command could generate unit files including invalid Podman commands if the container was created using merged short options (e.g. `podman run -dt`) (#8847).
- Fixed a bug where the `podman generate systemd --new` command could generate unit files that did not handle Podman commands including some special characters (e.g. `$`) (#9176).
- Fixed a bug where rootless containers joining CNI networks could not set a static IP address (#7842).
- Fixed a bug where rootless containers joining CNI networks could not set network aliases (#8567).
- Fixed a bug where the remote client could, under some circumstances, not include the `Containerfile` when sending build context to the server (#8374).
- Fixed a bug where rootless Podman did not mount `/sys` as a new `sysfs` in some circumstances where it was acceptable.
- Fixed a bug where rootless containers that both joined a user namespace and a CNI network would cause a segfault. These options are incompatible and now return an error.
- Fixed a bug where the `podman play kube` command did not properly handle `CMD` and `ARGS` from images (#8803).
- Fixed a bug where the `podman play kube` command did not properly handle environment variables from images (#8608).
- Fixed a bug where the `podman play kube` command did not properly print errors that occurred when starting containers.
- Fixed a bug where the `podman play kube` command errored when `hostNetwork` was used (#8790).
- Fixed a bug where the `podman play kube` command would always pull images when the `:latest` tag was specified, even if the image was available locally (#7838).
- Fixed a bug where the `podman play kube` command did not properly handle SELinux configuration, rendering YAML with custom SELinux configuration unusable (#8710).
- Fixed a bug where the `podman generate kube` command incorrectly populated the `args` and `command` fields of generated YAML (#9211).
- Fixed a bug where containers in a pod would create a duplicate entry in the pod's shared `/etc/hosts` file every time the container restarted (#8921).
- Fixed a bug where the `podman search --list-tags` command did not support the `--format` option (#8740).
- Fixed a bug where the `http_proxy` option in `containers.conf` was not being respected, and instead was set unconditionally to true (#8843).
- Fixed a bug where rootless Podman could, on systems with a recent Conmon and users with a long username, fail to attach to containers (#8798).
- Fixed a bug where the `podman images` command would break and fail to display any images if an empty manifest list was present in storage (#8931).
- Fixed a bug where locale environment variables were not properly passed on to Conmon.
- Fixed a bug where Podman would not build on the MIPS architecture (#8782).
- Fixed a bug where rootless Podman could fail to properly configure user namespaces for rootless containers when the user specified a `--uidmap` option that included a mapping beginning with UID `0`.
- Fixed a bug where the `podman logs` command using the `k8s-file` backend did not properly handle partial log lines with a length of 1 (#8879).
- Fixed a bug where the `podman logs` command with the `--follow` option did not properly handle log rotation (#8733).
- Fixed a bug where user-specified `HOSTNAME` environment variables were overwritten by Podman (#8886).
- Fixed a bug where Podman would apply default sysctls from `containers.conf` in too many situations (e.g. applying network sysctls when the container shared its network with a pod).
- Fixed a bug where Podman did not properly handle cases where a secondary image store was in use and an image was present in both the secondary and primary stores (#8176).
- Fixed a bug where systemd-managed rootless Podman containers where the user in the container was not root could fail, as the container's PID file was not accessible to systemd on the host (#8506).
- Fixed a bug where the `--privileged` option to `podman run` and `podman create` would, under some circumstances, not disable Seccomp (#8849).
- Fixed a bug where the `podman exec` command did not properly add capabilities when the container or exec session were run with `--privileged`.
- Fixed a bug where rootless Podman would use the `--enable-sandbox` option to `slirp4netns` unconditionally, even when `pivot_root` was disabled, rendering `slirp4netns` unusable when `pivot_root` was disabled (#8846).
- Fixed a bug where `podman build --logfile` did not actually write the build's log to the logfile.
- Fixed a bug where the `podman system service` command did not close STDIN, and could display user-interactive prompts (#8700).
- Fixed a bug where the `podman system reset` command could, under some circumstances, remove all the contents of the `XDG_RUNTIME_DIR` directory (#8680).
- Fixed a bug where the `podman network create` command created CNI configurations that did not include a default gateway (#8748).
- Fixed a bug where the `podman.service` systemd unit provided by default used the wrong service type, and would cause systemd to not correctly register the service as started (#8751).
- Fixed a bug where, if the `TMPDIR` environment variable was set for the container engine in `containers.conf`, it was being ignored.
- Fixed a bug where the `podman events` command did not properly handle future times given to the `--until` option (#8694).
- Fixed a bug where the `podman logs` command wrote container `STDERR` logs to `STDOUT` instead of `STDERR` (#8683).
- Fixed a bug where containers created from an image with multiple tags would report that they were created from the wrong tag (#8547).
- Fixed a bug where container capabilities were not set properly when the `--cap-add=all` and `--user` options to `podman create` and `podman run` were combined.
- Fixed a bug where the `--layers` option to `podman build` was nonfunctional (#8643).
- Fixed a bug where the `podman system prune` command did not act recursively, and thus would leave images, containers, pods, and volumes present that would be removed by a subsequent call to `podman system prune` (#7990).
- Fixed a bug where the `--publish` option to `podman run` and `podman create` did not properly handle ports specified as a range of ports with no host port specified (#8650).
- Fixed a bug where `--format` did not support JSON output for individual fields (#8444).
- Fixed a bug where the `podman stats` command would fail when run on root containers using the `slirp4netns` network mode (#7883).
- Fixed a bug where the Podman remote client would ask for a password even if the server's SSH daemon did not support password authentication (#8498).
- Fixed a bug where the `podman stats` command would fail if the system did not support one or more of the cgroup controllers Podman supports (#8588).
- Fixed a bug where the `--mount` option to `podman create` and `podman run` did not ignore the `consistency` mount option.
- Fixed a bug where failures during the resizing of a container's TTY would print the wrong error.
- Fixed a bug where the `podman network disconnect` command could cause the `podman inspect` command to fail for a container until it was restarted (#9234).
- Fixed a bug where containers created from a read-only rootfs (using the `--rootfs` option to `podman create` and `podman run`) would fail (#9230).
- Fixed a bug where specifying Go templates to the `--format` option to multiple Podman commands did not support the `join` function (#8773).
- Fixed a bug where the `podman rmi` command could, when run in parallel on multiple images, return `layer not known` errors (#6510).
- Fixed a bug where the `podman inspect` command on containers displayed unlimited ulimits incorrectly (#9303).
- Fixed a bug where Podman would fail to start when a volume was mounted over a directory in a container that contained symlinks that terminated outside the directory and its subdirectories (#6003).
API
- Libpod API version has been bumped to v3.0.0.
- All Libpod Pod APIs have been modified to properly report errors with individual containers. Cases where the operation as a whole succeeded but individual containers failed now report an HTTP 409 error (#8865).
- The Compat API for Containers now supports the Rename and Copy APIs.
- Fixed a bug where the Compat Prune APIs (for volumes, containers, and images) did not return the amount of space reclaimed in their responses.
- Fixed a bug where the Compat and Libpod Exec APIs for Containers would drop errors that occurred prior to the exec session successfully starting (e.g. a "no such file" error if an invalid executable was passed) (#8281).
- Fixed a bug where the Volumes field in the Compat Create API for Containers was being ignored (#8649).
- Fixed a bug where the NetworkMode field in the Compat Create API for Containers was not handling some values, e.g. `container:`, correctly.
- Fixed a bug where the Compat Create API for Containers did not set container name properly.
- Fixed a bug where containers created using the Compat Create API unconditionally used Kubernetes file logging (the default specified in `containers.conf` is now used).
- Fixed a bug where the Compat Inspect API for Containers could include container states not recognized by Docker.
- Fixed a bug where Podman did not properly clean up after calls to the Events API when the `journald` backend was in use, resulting in a leak of file descriptors (#8864).
- Fixed a bug where the Libpod Pull endpoint for Images could fail with an `index out of range` error under certain circumstances (#8870).
- Fixed a bug where the Libpod Exists endpoint for Images could panic.
- Fixed a bug where the Compat List API for Containers did not support all filters (#8860).
- Fixed a bug where the Compat List API for Containers did not properly populate the Status field.
- Fixed a bug where the Compat and Libpod Resize APIs for Containers ignored the height and width parameters (#7102).
- Fixed a bug where the Compat Search API for Images returned an incorrectly-formatted JSON response (#8758).
- Fixed a bug where the Compat Load API for Images did not properly clean up temporary files.
- Fixed a bug where the Compat Create API for Networks could panic when an empty IPAM configuration was specified.
- Fixed a bug where the Compat Inspect and List APIs for Networks did not include Scope.
- Fixed a bug where the Compat Wait endpoint for Containers did not support the same wait conditions that Docker did.
Misc
- Updated Buildah to v1.19.2
- Updated the containers/storage library to v1.24.5
- Updated the containers/image library to v5.10.2
- Updated the containers/common library to v0.33.4