podman-container-tools/podman v6.0.0-RC1 (pre-release)

Breaking Changes

  • Due to breaking changes in this release, Podman v6.0.0 must be used with Buildah v1.44.0, Skopeo v1.23, Netavark and Aardvark v2.0.0, and configuration files from the container-libs repository's common/v0.68.0 release.
  • Support for BoltDB databases has been dropped. Starting Podman 6 when a BoltDB database is in use will have Podman attempt an automatic migration from BoltDB to SQLite.
  • Support for running on Intel Macs has been removed.
  • Support for running on Windows 10 has been removed.
  • Support for running on cgroups v1 systems has been removed. Please update your system to use cgroups v2.
  • Support for running on iptables has been removed. Please use nftables instead.
  • Support for CNI networking has been removed. Please use Netavark instead.
  • Support for the slirp4netns rootless network stack has been removed. Please use Pasta instead. As part of this, the --network-cmd-path global option, only used with slirp4netns, has been removed.
  • Podman's configuration file parsing logic has seen a major rewrite. Please see this document for exact details.
  • Podman's import path has changed from github.com/containers/podman/v5 to go.podman.io/podman/v6 as part of our move into a CNCF-owned GitHub organization.
  • Network isolation now defaults to enabled, improving Docker compatibility and security. A special workaround for the Docker-compatible API related to isolation being disabled has been removed (#27349).
  • The way the podman quadlet suite of commands functions has been changed. Previously, Quadlets and their associated files were tracked using a .app file, ensuring that removing a Quadlet also removed all associated non-Quadlet files. Now, Quadlets and associated files are placed in subdirectories, which should reduce bugs and make manual management of Quadlets added by podman quadlet install much easier.
  • VMs made by podman machine on Linux now mount volumes from the host using systemd. Volume mounts on existing podman machine VMs on Linux have been broken by this change, and the VM will need to be recreated.
  • The podman volume prune command now matches Docker's behavior by only pruning unused anonymous volumes. Please use the newly-added --all option for the previous behavior (pruning all volumes).
  • The podman volume list command now combines multiple filters using logical AND instead of logical OR (meaning all filters must match for a volume to be included in output) (#26786).
  • The label!= filter used in many commands now combines the output of multiple instances of the filter with logical AND instead of logical OR.
  • The --format='{{json .Labels}}' option to the podman ps, podman pod ps, and podman volume ls commands now prints its output as comma-separated key=value pairs instead of as a JSON map, improving Docker compatibility (#21847).
  • The --all-providers option to podman machine list has been removed, as machines from all providers can now be accessed by all commands.
  • The MemorySwappiness field of podman inspect is now set to nil when not explicitly set by the user (instead of -1), improving Docker compatibility (#23824).
  • The podman commit command now pauses the container while committing changes, improving security by restricting concurrent modification. The prior behavior can be restored by using podman commit --pause=false ....
  • The Go bindings for the REST API have removed the redundant nameOrID parameter from the artifacts.Remove() function.
  • The minimum Go version required to build Podman is now v1.25.

Features

  • All podman machine commands can now operate on VMs from all providers, regardless of what the current provider is set to. The provider set in the configuration only determines the provider used by newly-created VMs, and can be overridden by the new podman machine init --provider option. This should make operation of Mac and Windows installs mixing use of applehv and libkrun VMs, or hyperv and wsl VMs, much easier.
  • A new command has been added, podman machine os update, which updates the operating system of a podman machine VM. Please note that this is not supported with the wsl provider.
  • A new command has been added, podman system hyperv-prep, allowing Windows administrators to prepare a host for their users to run podman machine VMs using the hyperv provider.
  • When starting a VM with podman machine start and podman machine init --now, if the connection to that VM is not the default, users will be prompted whether they want to change the default to the machine that was just started. This can also be controlled by a new option, --update-connection, which controls whether the default will be updated. If the --update-connection option is set, a user-interactive prompt is not displayed.
  • The podman machine init and podman machine set commands now support a new option, --import-native-ca, which, when set, causes podman machine VMs on Windows, Linux, and Mac to import the host's trusted CA certificates each time the VM boots.
  • The podman exec command now has a new option, --no-session, disabling API session tracking and database operations to increase performance (#26727).
  • The podman image list --format json command now includes two new fields for each image, Repository and Tag (#27632).
  • The manpages for Quadlets have been split into multiple files, one for each type of Quadlet file, and should be much more readable.
  • Quadlet .volume units now support three new keys, UID= and GID= (to set the UID and GID that the volume will be created with) and Options= (to set generic volume options).
  • Quadlet .container units now support mounting anonymous volumes (using a Mount= key with no source specified) (#28497).
  • Two new search paths for Quadlets have been added, /usr/share/containers/systemd/users and /usr/share/containers/systemd/users/${UID}, to allow distributions to more easily package and distribute Quadlets (#27843).
  • The podman quadlet list command now has a new alias, podman quadlet ls.
  • The podman quadlet list command now has a new option, --noheading, which disables printing the table header. This is set automatically if the --format option is used.
  • The podman quadlet list command now includes a new field in its output, Pod, which prints the pod a Quadlet .container unit is part of.
  • The podman quadlet list command's --filter option now supports a new filter, status= (#28369).
  • The --gpus option to podman create and podman run is now compatible with AMD GPUs.
  • The podman create, podman run, and podman pod create commands can now specify volumes with a new option, nocreate (e.g. podman run --mount type=volume,src=myvol,dst=/mnt,nocreate) which will error if the specified volume does not exist, instead of creating it.
  • The --log-opt option to podman run and podman create now supports a new option, label=, to attach additional labels to logged messages (only usable with the journald log driver).
  • Many Podman commands now expose a --tls-details option, allowing custom tuning of TLS settings using a containers-tls-details.yaml(5) file.
  • The died event for Containers now exposes a new attribute, OOMKilled, which (if set) indicates the container was stopped due to running out of memory (#26701).
  • Containers can now set multiple static IP addresses by passing the ip= option to --net multiple times (e.g. --net mynet:ip=10.0.0.2,ip=10.0.0.3,ip=10.0.0.4).
  • The podman volume prune command now includes a new option, --all, to prune all unused volumes, not just anonymous volumes (#24597).
  • The podman volume prune command now includes a new option, --dry-run, which returns the volumes that would be removed but does not actually remove them (#27838).
  • The podman image scp command now includes a new option, --format, to set the archive format used for the image transfer (#28183).
  • A new field has been added to containers.conf, default_host_ips, to set the default host IP that ports are forwarded from if an IP is not specified by the user (#27186).
  • The podman image trust suite of commands now support a new --signature-policy option, which is mandatory for podman image trust set.
  • Events now include artifact lifecycle events (create, pull, push, and remove) (#27260).
  • A new experimental option for the rootless_port_forwarder field in containers.conf has been added, rootless_port_forwarder="pasta". When set, rootless bridge networks will use Pasta's kernel-level port forwarding via Pesto instead of rootlessport, preserving the original client source IP in network traffic in rootless containers. The default remains rootlessport (the default for Podman 5.x), but we will investigate switching at a later date when stability is more certain.
  • A new filter has been added to the podman ps and podman container prune commands, --filter annotation=, to filter containers based on their annotations (#28562).
  • The podman network create command's --route option can now create blackhole, unreachable, and prohibit routes to prevent containers from reaching certain networks (e.g. podman network create --route 10.20.30.40/24,blackhole ...). These route types require Netavark 2.0 or newer (#20022).
  • The podman info command now reports CDI spec directories and discovered CDI devices.
  • Events generated by pods and volumes now include the pod/volume's labels as attributes, matching the behavior of container events (#26480).

Changes

  • VMs created by podman machine now mount the host's user configurations (e.g. ~/.config/containers on Linux) into the machine at /etc/containers, allowing users to edit the config files controlling Podman's behavior directly.
  • The default podman machine provider on Macs has been changed to libkrun.
  • Starting and stopping podman machine VMs on Windows with the hyperv provider no longer requires administrator privileges (creating machines still requires admin, however). Operations requiring elevated privileges will prompt for administrator access. Please note that this only works with newly-created VMs.
  • The podman pod inspect command now prints arrays in its output in deterministic order.
  • The podman machine os apply command has been updated, and now uses bootc switch to apply changes. All transports supported by bootc switch can be used for the new image to apply.
  • An experimental feature has been added where, on systems using Kernel 6.18 and newer, rootless Podman will no longer need to create a pause process to hold open the rootless user namespace, instead using an nsfs file handle. This behavior is currently gated behind an environment variable, drop-pause-process, being set.
  • Containers created with --net=host will now use 127.0.0.1 for their host.containers.internal address, instead of a public IP of the machine (#27823).
  • Containers in multiple networks now have these networks configured in a deterministic order based on the order they were passed on the command line.
  • When building an image with process substitution, such as podman build -f <(<<<"FROM scratch"), an empty temporary directory is now used as the context directory (#28113).
  • In Podman versions 5.x and under, image IDs (for both OCI and Docker v2s2 images) were always equal to the SHA256 digest of the image's config data. A future version of Podman will add support for non-SHA256 digests, and image ID format will change for images that are not using the SHA256 digest. The exact format of the new IDs has not yet been decided, but the assumption that image IDs are valid hashes will no longer be true in future Podman versions.

Bugfixes

  • Fixed a bug where creating a Quadlet from a templated .container file that was part of a pod would incorrectly add a dependency on the template used for the container to the pod (#27844).
  • Fixed a bug where Quadlet .pod files would unconditionally set Restart=on-failure even when the user specified an alternative restart policy (#28081).
  • Fixed a bug where starting a podman machine VM on Windows using the hyperv provider would fail if the machine failed to start on first boot (#27930).
  • Fixed a bug where podman machine init and podman machine set allowed creating VMs with more CPUs than were available on the host, creating VMs that could not be started (#28322).
  • Fixed a bug where artifact volumes only checked the validity of the artifact when the container was started, allowing containers to be created that referenced artifacts which did not exist and thus could never be started (#27747).
  • Fixed a bug where containers with environment secrets could lose the value of the secret after a restart under some circumstances (#28075).
  • Fixed a bug where the podman container restore --publish command would silently ignore the --publish option instead of erroring when used without the --import option or a checkpoint image.
  • Fixed a bug where running nested rootless Podman containers on Windows using the wsl provider was not possible (#27411).
  • Fixed a bug where the podman container clone command would fail with containers created with environment secrets (--secret type=env,...) (#28130).
  • Fixed a bug where creating a container with the tag= log option (--log-opt tag=mytag) was allowed when a log driver other than journald was selected.
  • Fixed a bug where the output of --help with some commands was incorrectly formatted (#28178).
  • Fixed a bug where containers in pods with multiple volume mounts could have mount options from one volume mount leak to other mounts.
  • Fixed a bug where the remote Podman client's podman version command would error if the server could not be connected to (e.g. the podman machine VM was shut down). In this case, client version is now printed (#28222).
  • Fixed a bug where rootless Podman would display errors and refuse to launch if the pause process was killed and its PID recycled to another process (#28157).
  • Fixed a bug where running podman kube generate on a container including volumes with . characters in their names produced invalid YAML (#27620).
  • Fixed a bug where patterns in .containerignore and .dockerignore files that began or ended with slashes were silently ignored during remote builds (#25458).
  • Fixed a bug where healthchecks on containers created using the --transient-store option would fail (#28483).
  • Fixed a bug where the podman generate spec command would panic when run on a pod with no infra container (#21609).
  • Fixed a bug where the podman container inspect command could HTML-escape certain characters in its output (#28560).
  • Fixed a bug where, in pods containing multiple containers with entries added to /etc/hosts, stopping any one container would incorrectly remove the /etc/hosts entries for all containers in the pod.
  • Fixed a bug where hosts without /dev/mqueue could be unable to start containers as Podman attempted to add the device unconditionally.
  • Fixed a bug where inspecting networks without a gateway set would show the gateway as <nil> instead of showing nothing (#28705).
  • Fixed a bug where creating a container or pod with port mappings including duplicated host ports was allowed, when this configuration could never be started due to the port conflict.
  • Fixed a bug where the remote Podman client was unable to connect to any host with a custom HostName in the user's SSH config (#25067).
  • Fixed a bug where the podman inspect --type=all command would, when attempting to inspect multiple networks, output only one of the networks multiple times.
  • Fixed a bug where Quadlet .container files using the http_proxy=true setting did not properly escape special characters in the environment variables added to the container when creating the systemd unit file (#28698).
  • Fixed a bug where containers created using the remote Podman client ignored the log_path setting in containers.conf (#28792).
  • Fixed a bug where the remote Podman client's podman save command would fail on Linux when using the -f oci-dir or -f docker-dir arguments.

API

  • An improvement pass has been made over API documentation to document fields which were missing documentation. Look forward to more API documentation improvements in future releases!
  • The supported Docker Compatible API version has been bumped to v1.44.
  • All API requests that accept JSON body parameters will no longer error if an empty body is provided.
  • The Compat List endpoint for Containers now includes a new field in its output, Health, providing information on the status of the container's healthcheck (#27786).
  • Added a new API, POST /libpod/local/artifacts/add, for loading artifacts from the local system (not requiring transmission of a tarball).
  • The POST /libpod/local/images endpoint for loading images from the local system now requires that the path query parameter is an absolute path, not a relative path.
  • The Libpod Pull endpoint for Images can now report pull progress when the pullProgress query parameter is set to true.
  • The Libpod Pull endpoint for Images now returns error status codes on failure to pull images, instead of always returning HTTP 200.
  • Fixed a bug where the subpath option for volumes when creating containers was ignored (#27171).
  • Fixed a bug where the Libpod Create endpoint for Containers ignored the OCIRuntime field.
  • Fixed a bug where the Compat Create endpoint for Containers returned a 500 (not a 409) when attempting to create a container with a name that was already in use.
  • Fixed a bug where the Compat Create endpoint for Containers incorrectly handled CDI-qualified entries in HostConfig.Devices, greatly improving the reliability of CDI devices when using the Compat API.
  • Fixed a bug where the Compat Info endpoint did not return the location of the Seccomp profile if a non-default profile was in use (#28379).
  • Fixed a bug where the Compat List endpoint for Containers could return an invalid string for container status (#28359).
  • Fixed a bug where the Compat List endpoint for Containers did not include the HostConfig field in its responses.
  • Fixed a bug where the Compat Wait endpoint for Containers would hang indefinitely when waiting for the next-exit condition (#28514).
  • Fixed a bug where the Compat and Libpod Update endpoints for Containers would clear the rlimits of the container if they were not explicitly set in the API request.
  • Fixed a bug where the Compat Push endpoint for Images did not return a final JSON object including tag, digest, and size of the pushed image, as Docker does.

Misc

  • Autocomplete has been enabled for inspecting artifacts with podman inspect.
  • Updated Buildah to v1.44.0
  • Updated the image library to v5.40.0
  • Updated the storage library to v1.63.0
  • Updated the common library to v0.68.0
