Features
- A set of new commands has been added to manage secrets! The
podman secret create,podman secret inspect,podman secret lsandpodman secret rmcommands have been added to handle secrets, along with the--secretoption topodman runandpodman createto add secrets to containers. The initial driver for secrets does not support encryption - this will be added in a future release. - A new command to prune networks,
podman network prune, has been added (#8673). - The
-voption topodman runandpodman createnow supports a new volume option,:U, to chown the volume's source directory on the host to match the UID and GID of the container and prevent permissions issues (#7778). - Three new commands,
podman network exists,podman volume exists, andpodman manifest exists, have been added to check for the existence of networks, volumes, and manifest lists. - The
podman cpcommand can now copy files into directories mounted astmpfsin a running container. - The
podman volume prunecommand will now list volumes that will be pruned when prompting the user whether to continue and perform the prune (#8913). - The Podman remote client's
podman buildcommand now supports the--disable-compression,--excludes, and--jobsoptions. - The Podman remote client's
podman pushcommand now supports the--formatoption. - The Podman remote client's
podman rmcommand now supports the--alland--ignoreoptions. - The Podman remote client's
podman searchcommand now supports the--no-truncand--list-tagsoptions. - The
podman play kubecommand can now read in Kubernetes YAML fromSTDINwhen-is specified as file name (podman play kube -), allowing input to be piped into the command for scripting (#8996). - The
podman generate systemdcommand now supports a--no-headeroption, which disables creation of the header comment automatically added by Podman to generated unit files. - The
podman generate kubecommand can now generatePersistentVolumeClaimYAML for Podman named volumes (#5788). - The
podman generate kubecommand can now generate YAML files containing multiple resources (pods or deployments) (#9129).
Security
- This release resolves CVE-2021-20291, a deadlock vulnerability in the storage library caused by pulling a specially-crafted container image.
Changes
- The Podman remote client's
podman buildcommand no longer allows the-vflag to be used. Volumes are not yet supported with remote Podman when the client and service are on different machines. - The
podman killandpodman stopcommands now print the name given by the user for each container, instead of the full ID. - When the
--security-opt unmask=ALLor--security-opt unmask=/sys/fs/cgroupoptions topodman createorpodman runare given, Podman will mount cgroups into the container as read-write, instead of read-only (#8441). - The
podman rmicommand has been changed to better handle cases where an image is incomplete or corrupted, which can be caused by interrupted image pulls. - The
podman renamecommand has been improved to be more atomic, eliminating many race conditions that could potentially render a renamed container unusable. - Detection of which OCI runtimes run using virtual machines and thus require custom SELinux labelling has been improved (#9582).
- The hidden
--traceoption topodmanhas been turned into a no-op. It was used in very early versions for performance tracing, but has not been supported for some time. - The
podman generate systemdcommand now generatesRequiresMountsForlines to ensure necessary storage directories are mounted before systemd starts Podman. - Podman will now emit a warning when
--ttyand--interactiveare both passed, butSTDINis not a TTY. This will be made into an error in the next major Podman release some time next year.
Bugfixes
- Fixed a bug where rootless Podman containers joined to CNI networks could not receive traffic from forwarded ports (#9065).
- Fixed a bug where
podman network createwith the--macvlanflag did not honor the--gateway,--subnet, and--optoptions (#9167). - Fixed a bug where the
podman generate kubecommand generated invalid YAML for privileged containers (#8897). - Fixed a bug where the
podman generate kubecommand could not be used with containers that were not running. - Fixed a bug where the
podman generate systemdcommand could duplicate some parameters to Podman in generated unit files (#9776). - Fixed a bug where Podman did not add annotations specified in
containers.confto containers. - Foxed a bug where Podman did not respect the
no_hostsdefault incontainers.confwhen creating containers. - Fixed a bug where the
--tail=0,--since, and--followoptions to thepodman logscommand did not function properly when using thejournaldlog backend. - Fixed a bug where specifying more than one container to
podman logswhen thejournaldlog backend was in use did not function correctly. - Fixed a bug where the
podman runandpodman createcommands would panic if a memory limit was set, but the swap limit was set to unlimited (#9429). - Fixed a bug where the
--networkoption topodman run,podman create, andpodman pod createwould error if the user attempted to specify CNI networks by ID, instead of name (#9451). - Fixed a bug where Podman's cgroup handling for cgroups v1 systems did not properly handle cases where a cgroup existed on some, but not all, controllers, resulting in errors from the
podman statscommand (#9252). - Fixed a bug where the
podman cpdid not properly handle cases where/dev/stdoutwas specified as the destination (it was treated identically to-) (#9362). - Fixed a bug where the
podman cpcommand would create files with incorrect ownership (#9526). - Fixed a bug where the
podman cpcommand did not properly handle cases where the destination directory did not exist. - Fixed a bug where the
podman cpcommand did not properly evaluate symlinks when copying out of containers. - Fixed a bug where the
podman rm -facommand would error when attempting to remove containers created with--rm(#9479). - Fixed a bug where the ordering of capabilities was nondeterministic in the
CapDropfield of the output ofpodman inspecton a container (#9490). - Fixed a bug where the
podman network connectcommand could be used with containers that were not initially connected to a CNI bridge network (e.g. containers created with--net=host) (#9496). - Fixed a bug where DNS search domains required by the
dnsnameCNI plugin were not being added to container'sresolv.confunder some circumstances. - Fixed a bug where the
--ignorefileoption topodman buildwas nonfunctional (#9570). - Fixed a bug where the
--timestampoption topodman buildwas nonfunctional (#9569). - Fixed a bug where the
--iidfileoption topodman buildcould cause Podman to panic if an error occurred during the build. - Fixed a bug where the
--dns-searchoption topodman buildwas nonfunctional (#9574). - Fixed a bug where the
--pull-neveroption topodman buildwas nonfunctional (#9573). - Fixed a bug where the
--build-argoption topodman buildwould, when given a key but not a value, error (instead of attempting to look up the key as an environment variable) (#9571). - Fixed a bug where the
--isolationoption topodman buildin the remote Podman client was nonfunctional. - Fixed a bug where the
podman network disconnectcommand could cause errors when the container that had a network removed was stopped and its network was cleaned up (#9602). - Fixed a bug where the
podman network rmcommand did not properly check what networks a container was present in, resulting in unexpected behavior ifpodman network connectorpodman network disconnecthad been used with the network (#9632). - Fixed a bug where some errors with stopping a container could cause Podman to panic, and the container to be stuck in an unusable
stoppingstate (#9615). - Fixed a bug where the
podman loadcommand could return 0 even in cases where an error occurred (#9672). - Fixed a bug where specifying storage options to Podman using the
--storage-optoption would override all storage options. Instead, storage options are now overridden only when the--storage-driveroption is used to override the current graph driver (#9657). - Fixed a bug where containers created with
--privilegedcould request more capabilities than were available to Podman. - Fixed a bug where
podman commitdid not use theTMPDIRenvironment variable to place temporary files created during the commit (#9825). - Fixed a bug where remote Podman could error when attempting to resize short-lived containers (#9831).
- Fixed a bug where Podman was unusable on kernels built without
CONFIG_USER_NS. - Fixed a bug where the ownership of volumes created by
podman volume createand then mounted into a container could be incorrect (#9608). - Fixed a bug where Podman volumes using a volume plugin could not pass certain options, and could not be used as non-root users.
- Fixed a bug where the
--tzoption topodman createandpodman rundid not properly validate its input.
API
- Fixed a bug where the
X-Registry-Authheader did not acceptnullas a valid value. - A new compat endpoint,
/auth, has been added. This endpoint validates credentials against a registry (#9564). - Fixed a bug where the compat Build endpoint for Images specified labels using the wrong type (array vs map). Both formats will be accepted now.
- Fixed a bug where the compat Build endpoint for Images did not report that it successfully tagged the built image in its response.
- Fixed a bug where the compat Create endpoint for Images did not provide progress information on pulling the image in its response.
- Fixed a bug where the compat Push endpoint for Images did not properly handle the destination (used a query parameter, instead of a path parameter).
- Fixed a bug where the compat Push endpoint for Images did not send the progress of the push and the digest of the pushed image in the response body.
- Fixed a bug where the compat List endpoint for Networks returned null, instead of an empty array (
[]), when no networks were present (#9293). - Fixed a bug where the compat List endpoint for Networks returned nulls, instead of empty maps, for networks that do not have Labels and/or Options.
- The Libpod Inspect endpoint for networks (
/libpod/network/$ID/json) now has an alias at/libpod/network/$ID(#9691). - Fixed a bug where the libpod Inspect endpoint for Networks returned a 1-size array of results, instead of a single result (#9690).
- The Compat List endpoint for Networks now supports the legacy format for filters in parallel with the current filter format (#9526).
- Fixed a bug where the compat Create endpoint for Containers did not properly handle tmpfs filesystems specified with options (#9511).
- Fixed a bug where the compat Create endpoint for Containers did not create bind-mount source directories (#9510).
- Fixed a bug where the compat Create endpoint for Containers did not properly handle the
NanoCpusoption (#9523). - Fixed a bug where the Libpod create endpoint for Containers has a misnamed field in its JSON.
- Fixed a bug where the compat List endpoint for Containers did not populate information on forwarded ports (#9553)
- Fixed a bug where the compat List endpoint for Containers did not populate information on container CNI networks (#9529).
- Fixed a bug where the compat and libpod Stop endpoints for Containers would ignore a timeout of 0.
- Fixed a bug where the compat and libpod Resize endpoints for Containers did not set the correct terminal sizes (dimensions were reversed) (#9756).
- Fixed a bug where the compat Remove endpoint for Containers would not return 404 when attempting to remove a container that does not exist (#9675).
- Fixed a bug where the compat Prune endpoint for Volumes would still prune even if an invalid filter was specified.
- Numerous bugs related to filters have been addressed.
Misc
- Updated Buildah to v1.20.0
- Updated the containers/storage library to v1.28.1
- Updated the containers/image library to v5.10.5
- Updated the containers/common library to v0.35.4