Podman: A tool for managing OCI containers and pods

Podman (the POD MANager) is a tool for managing containers and images, volumes mounted into those containers, and pods made from groups of containers. Podman is based on libpod, a library for container lifecycle management that is also contained in this repository. The libpod library provides APIs for managing containers, pods, container images, and volumes.

  • Latest Version: 3.0.0

    • Latest Remote client for Windows
    • Latest Remote client for MacOs
    • Latest Static Remote client for Linux

Overview and scope

At a high level, the scope of Podman and libpod is the following:

  • Support for multiple container image formats, including OCI and Docker images.
  • Full management of those images, including pulling from various sources (including trust and verification), creating (built via Containerfile or Dockerfile or committed from a container), and pushing to registries and other storage backends.
  • Full management of container lifecycle, including creation (both from an image and from an exploded root filesystem), running, checkpointing and restoring (via CRIU), and removal.
  • Support for pods, groups of containers that share resources and are managed together.
  • Support for running containers and pods without root or other elevated privileges.
  • Resource isolation of containers and pods.
  • Support for a Docker-compatible CLI interface.
  • No manager daemon, for improved security and lower resource utilization at idle.
  • Support for a REST API providing both a Docker-compatible interface and an improved interface exposing advanced Podman functionality.
  • In the future, integration with CRI-O to share containers and backend code.

Podman presently only supports running containers on Linux. However, we are building a remote client which can run on Windows and OS X and manage Podman containers on a Linux system via the REST API using SSH tunneling.

Roadmap

  1. Further improvements to the REST API, with a focus on bugfixes and implementing missing functionality
  2. Integrate libpod into CRI-O to replace its existing container management backend
  3. Improvements on rootless containers, with a focus on improving the user experience and exposing presently-unavailable features when possible

Communications

If you think you've identified a security issue in the project, please DO NOT report the issue publicly via the GitHub issue tracker, mailing list, or IRC. Instead, send an email with as many details as possible to [email protected]. This is a private mailing list for the core maintainers.

For general questions and discussion, please use the IRC #podman channel on irc.freenode.net.

For discussions around issues/bugs and features, you can use the GitHub issues and PRs tracking system.

There is also a mailing list at lists.podman.io. You can subscribe by sending a message to [email protected] with the subject subscribe.

Rootless

Podman can be easily run as a normal user, without requiring a setuid binary. When run without root, Podman containers use user namespaces to set root in the container to the user running Podman. Rootless Podman runs locked-down containers with no privileges that the user running the container does not have. Some of these restrictions can be lifted (via --privileged, for example), but rootless containers will never have more privileges than the user that launched them. If you run Podman as your user and mount in /etc/passwd from the host, you still won't be able to change it, since your user doesn't have permission to do so.

Almost all normal Podman functionality is available, though there are some shortcomings. Any recent Podman release should be able to run rootless without any additional configuration, though your operating system may require some additional configuration detailed in the install guide.

A little configuration by an administrator is required before rootless Podman can be used; the necessary setup is documented here.
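
The user-namespace mapping described in this section can be checked against the kernel's `uid_map` format (first ID inside the namespace, first ID on the host, range length). The Go sketch below is an added example, not code from Podman or libpod; its function names are hypothetical, and its sample map is constructed from the idMappings values in the `podman info` output quoted in the issues on this page.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// idRange is one uid_map/gid_map line: namespace start, host start, length.
type idRange struct {
	containerID, hostID, size uint64
}

// ErrUnmapped marks an ID with no counterpart across the namespace boundary.
var ErrUnmapped = errors.New("id is not mapped")

// sampleUIDMap is constructed input in uid_map format (values taken from the
// idMappings section of the podman info output quoted on this page).
const sampleUIDMap = "0 1000 1\n1 100000 65536\n"

// parseIDMap (hypothetical helper) parses uid_map text and rejects malformed,
// empty, out-of-range or overlapping ranges.
func parseIDMap(text string) ([]idRange, error) {
	var ranges []idRange
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 3 {
			return nil, fmt.Errorf("malformed line %q", sc.Text())
		}
		var n [3]uint64
		for i, f := range fields {
			v, err := strconv.ParseUint(f, 10, 32)
			if err != nil {
				return nil, fmt.Errorf("bad number %q: %w", f, err)
			}
			n[i] = v
		}
		r := idRange{n[0], n[1], n[2]}
		if r.size == 0 || r.containerID+r.size > 1<<32 || r.hostID+r.size > 1<<32 {
			return nil, fmt.Errorf("invalid range in line %q", sc.Text())
		}
		for _, o := range ranges {
			if overlaps(r.containerID, o.containerID, r.size, o.size) ||
				overlaps(r.hostID, o.hostID, r.size, o.size) {
				return nil, fmt.Errorf("range %v overlaps %v", r, o)
			}
		}
		ranges = append(ranges, r)
	}
	return ranges, sc.Err()
}

// overlaps reports whether [a, a+alen) and [b, b+blen) intersect.
func overlaps(a, b, alen, blen uint64) bool {
	return a < b+blen && b < a+alen
}

// toHost returns the host ID a process really runs as when it appears as
// containerID inside the namespace.
func toHost(ranges []idRange, containerID uint64) (uint64, error) {
	for _, r := range ranges {
		if containerID >= r.containerID && containerID < r.containerID+r.size {
			return r.hostID + (containerID - r.containerID), nil
		}
	}
	return 0, ErrUnmapped
}

// toContainer is the reverse lookup: how a host ID appears inside the container.
func toContainer(ranges []idRange, hostID uint64) (uint64, error) {
	for _, r := range ranges {
		if hostID >= r.hostID && hostID < r.hostID+r.size {
			return r.containerID + (hostID - r.hostID), nil
		}
	}
	return 0, ErrUnmapped
}

func main() {
	ranges, err := parseIDMap(sampleUIDMap)
	if err != nil {
		panic(err)
	}
	for _, id := range []uint64{0, 1000, 65536, 65537} {
		h, err := toHost(ranges, id)
		fmt.Printf("container uid %d -> host uid %d (err: %v)\n", id, h, err)
	}
	// Host root has no entry in the map, so no container process can run as it.
	_, err = toContainer(ranges, 0)
	fmt.Println("host uid 0 inside the container:", err)
}
```

On a host with rootless Podman configured, the live map for comparison can be read with `podman unshare cat /proc/self/uid_map`.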

Out of scope

  • Specialized signing and pushing of images to various storage backends. See Skopeo for those tasks.
  • Support for the Kubernetes CRI interface for container management. The CRI-O daemon specializes in that.

OCI Projects Plans

The plan is to use OCI projects and best of breed libraries for different aspects:

  • Runtime: We use the OCI runtime tools to generate OCI runtime configurations that can be used with any OCI-compliant runtime, like crun and runc.
  • Images: Image management uses the containers/image library.
  • Storage: Container and image storage is managed by containers/storage.
  • Networking: Networking support through use of CNI.
  • Builds: Builds are supported via Buildah.
  • Conmon: Conmon is a tool for monitoring OCI runtimes, used by both Podman and CRI-O.
  • Seccomp: A unified Seccomp policy for Podman, Buildah, and CRI-O.

Podman Information for Developers

For blogs, release announcements and more, please check out the podman.io website!

Installation notes: Information on how to install Podman in your environment.

OCI Hooks Support: Information on how Podman configures OCI Hooks to run when launching a container.

Podman API: Documentation on the Podman REST API.

Podman Commands: A list of the Podman commands with links to their man pages and in many cases videos showing the commands in use.

Podman Troubleshooting Guide: A list of common issues and solutions for Podman.

Podman Usage Transfer: Useful information for ops and dev transfer as it relates to infrastructure that utilizes Podman. This page includes tables showing Docker commands and their Podman equivalent commands.

Tutorials: Tutorials on using Podman.

Remote Client: A brief how-to on using the Podman remote-client.

Basic Setup and Use of Podman in a Rootless environment: A tutorial showing the setup and configuration necessary to run Rootless Podman.

Release Notes: Release notes for recent Podman versions.

Contributing: Information about contributing to this project.

Buildah and Podman relationship

Buildah and Podman are two complementary open-source projects that are available on most Linux platforms, and both projects reside at GitHub.com with Buildah here and Podman here. Both Buildah and Podman are command-line tools that work on Open Container Initiative (OCI) images and containers. The two projects differ in their specialization.

Buildah specializes in building OCI images. Buildah's commands replicate all of the commands that are found in a Dockerfile. This allows building images with and without Dockerfiles while not requiring any root privileges. Buildah’s ultimate goal is to provide a lower-level coreutils interface to build images. The flexibility of building images without Dockerfiles allows for the integration of other scripting languages into the build process. Buildah follows a simple fork-exec model and does not run as a daemon but it is based on a comprehensive API in golang, which can be vendored into other tools.

Podman specializes in all of the commands and functions that help you to maintain and modify OCI images, such as pulling and tagging. It also allows you to create, run, and maintain those containers created from those images. For building container images via Dockerfiles, Podman uses Buildah's golang API and can be installed independently from Buildah.

A major difference between Podman and Buildah is their concept of a container. Podman allows users to create "traditional containers" where the intent of these containers is to be long lived, while Buildah containers are really just created to allow content to be added back to the container image. An easy way to think of it is that the buildah run command emulates the RUN command in a Dockerfile, while the podman run command emulates the docker run command in functionality. Because of this and their underlying storage differences, you cannot see Podman containers from within Buildah or vice versa.

In short, Buildah is an efficient way to create OCI images while Podman allows you to manage and maintain those images and containers in a production environment using familiar container cli commands. For more details, see the Container Tools Guide.

Podman Former API (Varlink)

Podman formerly offered a Varlink-based API for remote management of containers. However, this API was replaced by the REST API. Varlink support has been removed as of the 3.0 release. For more details, you can see this blog.

Static Binary Builds

The Cirrus CI integration within this repository contains a static_build job which produces a static Podman binary for testing purposes. Please note that this binary is not officially supported with respect to feature-completeness and functionality and should be only used for testing.

Issues
  • After podman 2 upgrade, systemd fails to start in containers on cgroups v1 hosts

    Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

    /kind bug

    Description

    I was repeatedly building working containers with podman this morning when my OS (Ubuntu 20.04) notified me that podman 2.0 was available and I elected to install it.

    Shortly afterward, I can no longer SSH to a newly built and launched container. I see this as output to podman container list -a:

    CONTAINER ID  IMAGE                        COMMAND                                       CREATED         STATUS             PORTS                                             NAMES
    0e7692779754  k8s.gcr.io/pause:3.2                                                       21 seconds ago  Up 17 seconds ago  127.0.0.1:2222->22/tcp, 127.0.0.1:3000->3000/tcp  505f2a3b385a-infra
    537b8ed4db9c  localhost/devenv-img:latest  -c exec /sbin/init --log-target=journal 3>&1  20 seconds ago  Up 17 seconds ago                                                    devenv
    

    This is frustrating: I don't any references to a container named "pause", yet one is running and listening on the ports my container had published, yet my container isn't listening on any ports at all.

    I read the podman 2.0 release notes and don't see any notes about a related breaking change.

    I did search the project for references to "infra containers" because I sometimes see that term mentioned in error messages. I find references to "infra containers" in the code, but I can't find references in the documentation.

    They seem related to this issue and it would be great if there was more accessible user documentation about "infra containers"

    Steps to reproduce the issue:

    1. podman run --systemd=always -it -p "127.0.0.1:2222:22" solita/ubuntu-systemd-ssh

    Describe the results you received:

    Initializing machine ID from random generator.
    Failed to create /user.slice/user-1000.slice/session-8.scope/init.scope control group: Permission denied
    Failed to allocate manager object: Permission denied
    [!!!!!!] Failed to allocate manager object.

    Describe the results you expected:

    For this test, the container should boot to the point where this line appears:

      [  OK  ] Reached target Multi-User System.
    

    Additional information you deem important (e.g. issue happens only occasionally):

    Output of podman version:

    podman version 2.0.0
    

    Output of podman info --debug:

    host:
      arch: amd64
      buildahVersion: 1.15.0
      cgroupVersion: v1
      conmon:
        package: 'conmon: /usr/libexec/podman/conmon'
        path: /usr/libexec/podman/conmon
        version: 'conmon version 2.0.18, commit: '
      cpus: 4
      distribution:
        distribution: ubuntu
        version: "20.04"
      eventLogger: file
      hostname: mark-x1
      idMappings:
        gidmap:
        - container_id: 0
          host_id: 1000
          size: 1
        - container_id: 1
          host_id: 100000
          size: 65536
        uidmap:
        - container_id: 0
          host_id: 1000
          size: 1
        - container_id: 1
          host_id: 100000
          size: 65536
      kernel: 5.4.0-37-generic
      linkmode: dynamic
      memFree: 1065062400
      memTotal: 16527003648
      ociRuntime:
        name: runc
        package: 'containerd.io: /usr/bin/runc'
        path: /usr/bin/runc
        version: |-
          runc version 1.0.0-rc10
          commit: dc9208a3303feef5b3839f4323d9beb36df0a9dd
          spec: 1.0.1-dev
      os: linux
      remoteSocket:
        path: /run/user/1000/podman/podman.sock
      rootless: true
      slirp4netns:
        executable: /usr/bin/slirp4netns
        package: 'slirp4netns: /usr/bin/slirp4netns'
        version: |-
          slirp4netns version 1.0.0
          commit: unknown
          libslirp: 4.2.0
      swapFree: 19345408
      swapTotal: 1027600384
      uptime: 72h 32m 43.91s (Approximately 3.00 days)
    registries:
      search:
      - docker.io
      - quay.io
    store:
      configFile: /home/mark/.config/containers/storage.conf
      containerStore:
        number: 2
        paused: 0
        running: 2
        stopped: 0
      graphDriverName: vfs
      graphOptions: {}
      graphRoot: /home/mark/.local/share/containers/storage
      graphStatus: {}
      imageStore:
        number: 122
      runRoot: /run/user/1000/containers
      volumePath: /home/mark/.local/share/containers/storage/volumes
    version:
      APIVersion: 1
      Built: 0
      BuiltTime: Wed Dec 31 19:00:00 1969
      GitCommit: ""
      GoVersion: go1.13.8
      OsArch: linux/amd64
      Version: 2.0.0
    
    

    Package info (e.g. output of rpm -q podman or apt list podman):

    podman/unknown,now 2.0.0~1 amd64 [installed]
    

    Additional environment details (AWS, VirtualBox, physical, etc.):

    kind/bug 
    opened by markstos 148
  • Package up podman for vanilla Debian

    This is separate from the PPA work that's already being done. This issue will track efforts towards getting podman in vanilla Debian.

    Update: Debian tickets

    • https://bugs.debian.org/cgi-bin/pkgreport.cgi?dist=unstable;package=wnpp
      • https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930440 :: libpod / podman
      • https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928083 :: buildah
      • https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=880199 :: skopeo
    Packaging 
    opened by lsm5 142
  • Tree implementation for podman images

    opened by kunalkushwaha 115
  • "Error: invalid configuration, cannot specify resource limits without cgroups v2 and --cgroup-manager=systemd"

    Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

    /kind bug

    Description

    Steps to reproduce the issue:

    1. podman run -it --rm fedora:32

    Describe the results you received:

    Error: invalid configuration, cannot specify resource limits without cgroups v2 and --cgroup-manager=systemd

    Describe the results you expected:

    #

    Additional information you deem important (e.g. issue happens only occasionally):

    Happens all the time

    Output of podman version:

    Version:            1.9.1
    RemoteAPI Version:  1
    Go Version:         go1.14.2
    OS/Arch:            linux/amd64
    

    Output of podman info --debug:

    debug:
      compiler: gc
      gitCommit: ""
      goVersion: go1.14.2
      podmanVersion: 1.9.1
    host:
      arch: amd64
      buildahVersion: 1.14.8
      cgroupVersion: v2
      conmon:
        package: conmon-2.0.15-1.fc32.x86_64
        path: /usr/bin/conmon
        version: 'conmon version 2.0.15, commit: 33da5ef83bf2abc7965fc37980a49d02fdb71826'
      cpus: 8
      distribution:
        distribution: fedora
        version: "32"
      eventLogger: file
      hostname: tmp.scylladb.com
      idMappings:
        gidmap:
        - container_id: 0
          host_id: 1000
          size: 1
        - container_id: 1
          host_id: 100000
          size: 65536
        uidmap:
        - container_id: 0
          host_id: 1000
          size: 1
        - container_id: 1
          host_id: 100000
          size: 65536
      kernel: 5.6.7-300.fc32.x86_64
      memFree: 5275238400
      memTotal: 33541488640
      ociRuntime:
        name: crun
        package: crun-0.13-2.fc32.x86_64
        path: /usr/bin/crun
        version: |-
          crun version 0.13
          commit: e79e4de4ac16da0ce48777afb72c6241de870525
          spec: 1.0.0
          +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
      os: linux
      rootless: true
      slirp4netns:
        executable: /usr/bin/slirp4netns
        package: slirp4netns-1.0.0-1.fc32.x86_64
        version: |-
          slirp4netns version 1.0.0
          commit: a3be729152a33e692cd28b52f664defbf2e7810a
          libslirp: 4.2.0
      swapFree: 16869486592
      swapTotal: 16869486592
      uptime: 93h 3m 6.55s (Approximately 3.88 days)
    registries:
      search:
      - registry.fedoraproject.org
      - registry.access.redhat.com
      - registry.centos.org
      - docker.io
    store:
      configFile: /home/avi/.config/containers/storage.conf
      containerStore:
        number: 0
        paused: 0
        running: 0
        stopped: 0
      graphDriverName: overlay
      graphOptions:
        overlay.mount_program:
          Executable: /usr/bin/fuse-overlayfs
          Package: fuse-overlayfs-1.0.0-1.fc32.x86_64
          Version: |-
            fusermount3 version: 3.9.1
            fuse-overlayfs: version 1.0.0
            FUSE library version 3.9.1
            using FUSE kernel interface version 7.31
      graphRoot: /home/avi/.local/share/containers/storage
      graphStatus:
        Backing Filesystem: extfs
        Native Overlay Diff: "false"
        Supports d_type: "true"
        Using metacopy: "false"
      imageStore:
        number: 1
      runRoot: /run/user/1000/containers
      volumePath: /home/avi/.local/share/containers/storage/volumes
    

    Package info (e.g. output of rpm -q podman or apt list podman):

    podman-1.9.1-1.fc32.x86_64
    

    Additional environment details (AWS, VirtualBox, physical, etc.):

    Fully updated Fedora 32.

    kind/bug stale-issue 
    opened by avikivity 92
  • Running containers inside of a container environment (with docker-compose.yml) using podman?

    /kind feature

    Description

    I'd like to be able to run and test batches of containers defined with docker-compose.yml. As it is now, doing this with actual Docker inside an environment that runs through Docker gets rather risky and leaky in all kinds of bad ways.

    For building containers, I'm starting to use buildah for this, but I don't quite yet have an answer for running them. The goal is to be able to build and test in a manner that is consistent with how people can do it on their local machines, and easily transition to OpenShift for production run environments.

    Additional environment details (AWS, VirtualBox, physical, etc.): GitLab CI runners with Docker container (of Fedora with buildah + podman)

    opened by Conan-Kudo 91
  • error running container: error from /usr/bin/crun creating container for [/bin/sh -c pip install -r requirements.txt]: mount `/proc` to `/proc`: Operation not permitted

    Hi Team,

    I have created a running rootless OpenShift container using a Dockerfile. I followed the link below for creating rootless Podman without the privileged flag. I'm able to build a Java Spring application, but when I try to build a Python application using a Dockerfile that has pip install, I get the error below. Can you please let us know what other configuration is required to resolve the error below?

    https://www.redhat.com/sysadmin/podman-inside-kubernetes

    error running container: error from /usr/bin/crun creating container for [/bin/sh -c pip install -r requirements.txt]: mount /proc to /proc: Operation not permitted

      • If there is a "pip install" command in a Dockerfile, then Podman build fails with error " mount /proc to /proc: Operation not permitted"
      • Podman build creates docker image, if Dockerfile does not have "pip install" command

    podman --version :: podman version 3.2.2

    podman info ::

    host:
      arch: amd64
      buildahVersion: 1.21.0
      cgroupControllers: []
      cgroupManager: cgroupfs
      cgroupVersion: v1
      conmon:
        package: conmon-2.0.27-2.fc34.x86_64
        path: /usr/bin/conmon
        version: 'conmon version 2.0.27, commit: '
      cpus: 12
      distribution:
        distribution: fedora
        version: "34"
      eventLogger: file
      hostname: cliservice-7dff79cbd7-n7krd
      idMappings:
        gidmap:
        - container_id: 0
          host_id: 1000
          size: 1
        - container_id: 1
          host_id: 10000
          size: 5000
        uidmap:
        - container_id: 0
          host_id: 1000
          size: 1
        - container_id: 1
          host_id: 10000
          size: 5000
      kernel: 4.18.0-240.22.1.el8_3.x86_64
      linkmode: dynamic
      memFree: 55972347904
      memTotal: 67230187520
      ociRuntime:
        name: crun
        package: crun-0.20.1-1.fc34.x86_64
        path: /usr/bin/crun
        version: |-
          crun version 0.20.1
          commit: 0d42f1109fd73548f44b01b3e84d04a279e99d2e
          spec: 1.0.0
          +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
      os: linux
      remoteSocket:
        path: /tmp/podman-run-1000/podman/podman.sock
      security:
        apparmorEnabled: false
        capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
        rootless: true
        seccompEnabled: true
        seccompProfilePath: /usr/share/containers/seccomp.json
        selinuxEnabled: false
      serviceIsRemote: false
      slirp4netns:
        executable: /usr/bin/slirp4netns
        package: slirp4netns-1.1.9-1.fc34.x86_64
        version: |-
          slirp4netns version 1.1.8+dev
          commit: 6dc0186e020232ae1a6fcc1f7afbc3ea02fd3876
          libslirp: 4.4.0
          SLIRP_CONFIG_VERSION_MAX: 3
          libseccomp: 2.5.0
      swapFree: 0
      swapTotal: 0
      uptime: 21h 24m 42.97s (Approximately 0.88 days)
    registries:
      default-route-openshift-image-registry.apps.cfa.devcloud.intel.com:
        Blocked: false
        Insecure: true
        Location: default-route-openshift-image-registry.apps.cfa.devcloud.intel.com
        MirrorByDigestOnly: false
        Mirrors: []
        Prefix: default-route-openshift-image-registry.apps.cfa.devcloud.intel.com
      quay.io:
        Blocked: false
        Insecure: true
        Location: quay.io
        MirrorByDigestOnly: false
        Mirrors: []
        Prefix: quay.io
      search:
      - registry.fedoraproject.org
      - registry.access.redhat.com
      - registry.centos.org
      - docker.io
      - quay.io
    store:
      configFile: /home/podman/.config/containers/storage.conf
      containerStore:
        number: 0
        paused: 0
        running: 0
        stopped: 0
      graphDriverName: overlay
      graphOptions:
        overlay.mount_program:
          Executable: /usr/bin/fuse-overlayfs
          Package: fuse-overlayfs-1.5.0-1.fc34.x86_64
          Version: |-
            fusermount3 version: 3.10.4
            fuse-overlayfs: version 1.5
            FUSE library version 3.10.4
            using FUSE kernel interface version 7.31
      graphRoot: /home/podman/.local/share/containers/storage
      graphStatus:
        Backing Filesystem: overlayfs
        Native Overlay Diff: "false"
        Supports d_type: "true"
        Using metacopy: "false"
      imageStore:
        number: 5
      runRoot: /tmp/podman-run-1000/containers
      volumePath: /home/podman/.local/share/containers/storage/volumes
    version:
      APIVersion: 3.2.2
      Built: 1624664959
      BuiltTime: Fri Jun 25 23:49:19 2021
      GitCommit: ""
      GoVersion: go1.16.4
      OsArch: linux/amd64
      Version: 3.2.2

    ------------------------------------------------------Dockerfile- Start-------------------------------------------

    FROM quay.io/podman/stable:latest

    RUN touch /etc/subgid /etc/subuid \
        && chmod g=u /etc/subgid /etc/subuid /etc/passwd \
        && echo podman:10000:5000 > /etc/subuid \
        && echo podman:10000:5000 > /etc/subgid

    RUN yum install -y \
        python3-pip \
        python3 python3-wheel \
        git \
        java-11-openjdk.x86_64

    RUN pip install jupyterlab

    ARG MAVEN_VERSION=3.8.1
    ARG BASE_URL=https://apache.osuosl.org/maven/maven-3/${MAVEN_VERSION}/binaries

    RUN mkdir -p /usr/share/maven /usr/share/maven/ref \
        && curl -fsSL -o /tmp/apache-maven.tar.gz ${BASE_URL}/apache-maven-${MAVEN_VERSION}-bin.tar.gz \
        && tar -xzf /tmp/apache-maven.tar.gz -C /usr/share/maven --strip-components=1 \
        && rm -f /tmp/apache-maven.tar.gz \
        && ln -s /usr/share/maven/bin/mvn /usr/bin/mvn \
        && yum install wget -y \
        && yum install unzip -y \
        && wget -q https://services.gradle.org/distributions/gradle-3.3-bin.zip \
        && unzip gradle-3.3-bin.zip -d /opt \
        && rm gradle-3.3-bin.zip

    ENV JAVA_HOME /usr/lib/jvm/jre-11-openjdk/
    ENV MAVEN_HOME /usr/share/maven
    ENV GRADLE_HOME /opt/gradle-3.3
    ENV PATH $PATH:/opt/gradle-3.3/bin

    COPY registries.conf /etc/containers/
    COPY login-script.sh /etc/containers/
    RUN chmod -R 777 /etc/containers/login-script.sh
    USER podman

    WORKDIR /data

    ENTRYPOINT ["/etc/containers/login-script.sh"]

    -------------------------------------------Dockerfile End-------------------------------------------

    stale-issue podman-in-container 
    opened by sachinkaushik 74
  • SELinux: container exits with code 139

    kind bug

    Description

    podman run busybox echo hello world returns exit code 139. 139 is not part of the listed exit codes in https://github.com/projectatomic/libpod/blob/master/docs/podman-run.1.md

    Steps to reproduce the issue:

    I'm provisioning a Vagrant Box using the vagrantfile

    Vagrant.configure('2') do |config|
      config.vm.box = "fedora/27-cloud-base"
    
      # Docker
      config.vm.provision :docker
    
      # Install appc tools & rocket
      config.vm.provision :shell,inline: <<EOF
    
    
    EOF
    end
    
    > vagrant ssh
    Last login: Thu Jul 19 20:49:03 2018 from 10.0.2.2
    [[email protected] ~]$ sudo -s
    [[email protected] vagrant]# podman run busybox echo hello world
    [[email protected] vagrant]# echo $?
    139
    

    Output of podman version:

    podman version 0.7.1
    

    Output of podman info:

    host:
      MemFree: 85467136
      MemTotal: 509480960
      SwapFree: 0
      SwapTotal: 0
      arch: amd64
      cpus: 1
      hostname: localhost.localdomain
      kernel: 4.13.9-300.fc27.x86_64
      os: linux
      uptime: 13m 1.36s
    insecure registries:
      registries: []
    registries:
      registries:
      - docker.io
      - registry.fedoraproject.org
      - registry.access.redhat.com
    store:
      ContainerStore:
        number: 2
      GraphDriverName: overlay
      GraphOptions:
      - overlay.override_kernel_check=true
      GraphRoot: /var/lib/containers/storage
      GraphStatus:
        Backing Filesystem: extfs
        Native Overlay Diff: "true"
        Supports d_type: "true"
      ImageStore:
        number: 1
      RunRoot: /var/run/containers/storage
    
    Additional environment details (AWS, VirtualBox, physical, etc.):
    
    see Vagrantfile above
    opened by lukasheinrich 73
  • Cirrus: Support testing of VM cache-image changes

    Previously, it was quite difficult to affect changes to VM cache images without lots of manual work. This commit adds a new optional testing task which mirrors the official-image build task which only runs on master. In contrast, the new task may be run at any time in a PR, but including a magic phrase in the PR description:

    Update documentation to describe the new task and inform on its usage.

    Signed-off-by: Chris Evich [email protected]

    size/XXL lgtm approved 
    opened by cevich 72
  • No support for journald logging

    Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

    /kind bug

    Description

    I'm running Ubuntu 18.04 and today I updated my packages (podman included) and now I'm getting this error when trying to run any podman command:

    Error: could not get runtime: eventer creation: No support for journald logging

    Steps to reproduce the issue:

    1. Update packages on Ubuntu 18.04.
    2. Run podman ps.

    Describe the results you received: Error on the console.

    Describe the results you expected: The list of containers.

    Additional information you deem important (e.g. issue happens only occasionally):

    Output of podman version:

    Version:            1.3.1-dev
    RemoteAPI Version:  1
    Go Version:         go1.10.4
    OS/Arch:            linux/amd64
    

    Output of podman info --debug:

    Error: could not get runtime: eventer creation: No support for journald logging
    

    Additional environment details (AWS, VirtualBox, physical, etc.):

    kind/bug 
    opened by Shulito 71
  • Ubuntu package issues

    /kind bug

    Description

    /usr/share/containers/libpod.conf is not installed by ubuntu podman package

    Steps to reproduce the issue:

    1. apt-get install podman

    2. ls /usr/share/containers/

    Describe the results you received:

    not there (also not in /etc/containers/)

    Describe the results you expected:

    I think it should appear under /usr/share/containers (as it does in Fedora)

    kind/bug 
    opened by cevich 69
  • [TEST] vendor psgo #90

    /hold

    Test: https://github.com/containers/psgo/pull/90

    approved do-not-merge/hold 
    opened by giuseppe 1
  • podman save: add `--oci-accept-uncompressed-layers`

    Add an option to podman save to allow uncompressed layers when copying OCI images. Do the necessary plumbing for the remote client, add tests and vendor in the latest commit from c/common to fetch the necessary changes in libimage.

    Closes: #11613
    Signed-off-by: Valentin Rothberg [email protected]

    approved 
    opened by vrothberg 2
  • Container logs broken after a checkpoint restore

    Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

    /kind bug

    Description

    When trying the https://criu.org/Podman demo I faced a problem: When you restore a container, the new container stdout is no longer available when doing podman logs

    Steps to reproduce the issue:

    1. podman run -d --name looper busybox /bin/sh -c 'i=0; while true; do echo $i; i=$(expr $i + 1); sleep 1; done'
    2. podman logs -f looper (a new line appears every second)
    3. podman container checkpoint looper && podman container restore looper
    4. podman logs -f looper (The previous logs are still available but no new lines appear)

    Describe the results you received: Nothing is happening in the podman logs -f looper output

    Describe the results you expected: A new line should appear every second with the new counter value

    Additional information you deem important (e.g. issue happens only occasionally): The container seems to be alive, because if I replace the write to stdout by a write to a file:

    podman run -d --name looper -v `pwd`:/test busybox /bin/sh -c 'i=0; while true; do echo $i >> /test/counter.txt; i=$(expr $i + 1); sleep 1; done'
    tail -f counter.txt
    podman container checkpoint looper && podman container restore looper
    tail -f counter.txt
    

    A new line appears in counter.txt every second after the restore

    I tried in ubuntu 20.04, ubuntu 21.04, with podman 3.0.1 (from the ubuntu repo) and the 3.3.1 with the last criu version

    I tried with all the possible configurations (with/without exporting and with every available option)

    Output of podman version:

    Version:      3.3.1
    API Version:  3.3.1
    Go Version:   go1.16.6
    Built:        Thu Jan  1 01:00:00 1970
    OS/Arch:      linux/amd64
    
    # criu --version
    Version: 3.15
    GitID: v3.14-524-g852d99b35
    

    Output of podman info --debug:

    host:
      arch: amd64
      buildahVersion: 1.22.3
      cgroupControllers:
      - cpuset
      - cpu
      - cpuacct
      - blkio
      - memory
      - devices
      - freezer
      - net_cls
      - perf_event
      - net_prio
      - hugetlb
      - pids
      - rdma
      cgroupManager: systemd
      cgroupVersion: v1
      conmon:
        package: 'conmon: /usr/libexec/podman/conmon'
        path: /usr/libexec/podman/conmon
        version: 'conmon version 2.0.27, commit: '
      cpus: 12
      distribution:
        distribution: ubuntu
        version: "20.04"
      eventLogger: journald
      hostname: nonofr-MS-7B48
      idMappings:
        gidmap: null
        uidmap: null
      kernel: 5.4.0-84-generic
      linkmode: dynamic
      memFree: 26781134848
      memTotal: 33613361152
      ociRuntime:
        name: crun
        package: 'crun: /usr/bin/crun'
        path: /usr/bin/crun
        version: |-
          crun version 0.20.1.5-925d-dirty
          commit: 0d42f1109fd73548f44b01b3e84d04a279e99d2e
          spec: 1.0.0
          +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
      os: linux
      remoteSocket:
        path: /run/podman/podman.sock
      security:
        apparmorEnabled: true
        capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
        rootless: false
        seccompEnabled: true
        seccompProfilePath: /usr/share/containers/seccomp.json
        selinuxEnabled: false
      serviceIsRemote: false
      slirp4netns:
        executable: /usr/bin/slirp4netns
        package: 'slirp4netns: /usr/bin/slirp4netns'
        version: |-
          slirp4netns version 1.1.8
          commit: unknown
          libslirp: 4.3.1-git
          SLIRP_CONFIG_VERSION_MAX: 3
          libseccomp: 2.4.3
      swapFree: 2147479552
      swapTotal: 2147479552
      uptime: 15m 29.94s
    registries:
      search:
      - docker.io
      - quay.io
    store:
      configFile: /etc/containers/storage.conf
      containerStore:
        number: 1
        paused: 0
        running: 1
        stopped: 0
      graphDriverName: overlay
      graphOptions:
        overlay.mountopt: nodev,metacopy=on
      graphRoot: /var/lib/containers/storage
      graphStatus:
        Backing Filesystem: extfs
        Native Overlay Diff: "false"
        Supports d_type: "true"
        Using metacopy: "true"
      imageStore:
        number: 1
      runRoot: /run/containers/storage
      volumePath: /var/lib/containers/storage/volumes
    version:
      APIVersion: 3.3.1
      Built: 0
      BuiltTime: Thu Jan  1 01:00:00 1970
      GitCommit: ""
      GoVersion: go1.16.6
      OsArch: linux/amd64
      Version: 3.3.1
    

    Package info (e.g. output of rpm -q podman or apt list podman):

    podman/inconnu,now 100:3.3.1-1 amd64  [installé]
    podman/inconnu 100:3.3.1-1 arm64
    podman/inconnu 100:3.3.1-1 armhf
    podman/inconnu 100:3.3.1-1 s390x
    

    Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/master/troubleshooting.md)

    Yes

    Additional environment details (AWS, VirtualBox, physical, etc.):

    Ubuntu 20.04 physical, Ubuntu 21.04 in VirtualBox

    kind/bug 
    opened by CGNonofr 0
  • Generate kube shouldn't add podman default environment vars

    Currently we add the default PATH, TERM and container from Podman to every kubernetes.yaml file. These values should not be recorded in the yaml files.

    Signed-off-by: Daniel J Walsh [email protected]

    approved 
    opened by rhatdan 2
  • Set context dir for play kube build

    When performing an image build with play kube, we need to set the context directory so things like file copies have the correct input path.

    Signed-off-by: Brent Baude [email protected]

    approved 
    opened by baude 4
  • podman rmi <TAB> autocompletion proposes non-existing images

    I have Fedora 34.

    $ podman version
    Version:      3.3.1
    API Version:  3.3.1
    Go Version:   go1.16.6
    Built:        Mon Aug 30 23:46:36 2021
    OS/Arch:      linux/amd64
    
    $ podman images 
    REPOSITORY                TAG         IMAGE ID      CREATED        SIZE
    localhost/openldap        2021-09-21  f714eca81fe4  2 minutes ago  5.98 MB
    
    $ podman rmi <TAB>
    localhost/openldap:2021-09-21  ⇐ proposed auto-completion
    
    $ podman rmi lo<TAB> ⇐ completes to the next line
    
    $ podman rmi localhost/openldap
    Error: localhost/openldap: image not known
    
    $ podman rmi localhost/openldap<TAB> ⇐ completion on the next line
    localhost/openldap             localhost/openldap:2021-09-21
    

    Since rmi cannot delete localhost/openldap, the auto-TAB-completion shall not stop completing at localhost/openldap (or propose this completion), but only offer localhost/openldap:2021-09-21 as completion.

    kind/bug 
    opened by dilyanpalauzov 0
  • podman generate kube emits redundant command: and invents a TERM variable

    I create an OCI image, stored in locals’ containers-storage, which image does not have TERM variable. I start it with

    $ podman run --read-only=true --mount type=bind,src=data,dst=/data,relabel=private --read-only-tmpfs=false -dt -p=3890:3890 localhost/openldap:2021-09-21

    The container is called cranky_goldstine. It executes the default entry point.

    Calling podman generate kube cranky_goldstine prints:

    spec:       
      containers:
      - command: 
        - /libexec/slapd 
        - -d0
        - -h
        - ldap://:3890/
        env:
        - name: PATH                   
          value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
        - name: TERM
          value: xterm
        - name: container
          value: podman
    
    • Since the environment variable TERM was never ever set, it shall not be in the output of podman generate kube.

    According to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#Container if a command is not specified for a container, the default entry point is used. To be precise, the documentation says “The docker image's ENTRYPOINT is used if this is not provided.”, I use an OCI image and I guess that the default entry point for OCI images is also applied.

    • Since the default command is used to run the image, the container’s command shall not be emitted by podman generate kube.

    $ podman version 
    Version:      3.3.1
    API Version:  3.3.1
    Go Version:   go1.16.6
    Built:        Mon Aug 30 23:46:36 2021
    OS/Arch:      linux/amd64
    
    opened by dilyanpalauzov 1
  • introduce --replace flag for play kube

    [NO TESTS NEEDED] With this flag, users can easily sync up the yaml content with the existing pods.

    Fixes #11481

    opened by chenzhiwei 2
  • Images that update/shutdown themselves on <3.3.0 will not restart and preserve state

    Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

    /kind bug

    Description

    Before podman 3.3.0, I was able to use this image just fine: https://github.com/tuxpeople/docker-jdownloader-headless

    After 3.3.0, I cannot get this image to start. It launches, the jar inside self updates, and then shuts down, and the container stays "running" and cannot be restarted. I created it with this command:

    podman create \
    --name=jdownloader \
    --memory=2g \
    --label io.containers.autoupdate=image \
    --user $(id -u `whoami`) \
    --net=host \
    -e PUID=$(id -u `whoami`) \
    -e PGID=$(id -g `whoami`) \
    -e MYJD_USER=<redacted> \
    -e MYJD_PASSWORD=<redacted> \
    -e MYJD_DEVICE_NAME=<redacted> \
    -e TZ=America/Los_Angeles \
    -v ~/services/jdownloader/config:/opt/JDownloader/cfg:Z \
    -v $MEDIA_MOUNT/downloads/jdownloader:/opt/JDownloader/Downloads \
    -v ~/services/jdownloader/logs:/opt/JDownloader/logs:Z \
    docker.io/tdeutsch/jdownloader-headless
    

    Describe the results you expected:

    I expected the container to restart on its own and preserve the update state. If I create the container with a generated systemd unit using podman generate systemd --new, it will endlessly restart without preserving update state, which is a regression from before 3.3.0.

    Additional information you deem important (e.g. issue happens only occasionally):

    Output of podman version:

    Version:      3.3.1
    API Version:  3.3.1
    Go Version:   go1.16.6
    Built:        Mon Aug 30 13:46:36 2021
    OS/Arch:      linux/amd64
    

    Output of podman info --debug:

    host:
      arch: amd64
      buildahVersion: 1.22.3
      cgroupControllers: []
      cgroupManager: systemd
      cgroupVersion: v2
      conmon:
        package: conmon-2.0.29-2.fc34.x86_64
        path: /usr/bin/conmon
        version: 'conmon version 2.0.29, commit: '
      cpus: 24
      distribution:
        distribution: fedora
        version: "34"
      eventLogger: journald
      hostname: <redacted>
      idMappings:
        gidmap:
        - container_id: 0
          host_id: 1000
          size: 1
        - container_id: 1
          host_id: 100000
          size: 65536
        uidmap:
        - container_id: 0
          host_id: 1000
          size: 1
        - container_id: 1
          host_id: 100000
          size: 65536
      kernel: 5.13.16-200.fc34.x86_64
      linkmode: dynamic
      memFree: 49219751936
      memTotal: 67361181696
      ociRuntime:
        name: crun
        package: crun-1.0-1.fc34.x86_64
        path: /usr/bin/crun
        version: |-
          crun version 1.0
          commit: 139dc6971e2f1d931af520188763e984d6cdfbf8
          spec: 1.0.0
          +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
      os: linux
      remoteSocket:
        exists: true
        path: /run/user/1000/podman/podman.sock
      security:
        apparmorEnabled: false
        capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
        rootless: true
        seccompEnabled: true
        seccompProfilePath: /usr/share/containers/seccomp.json
        selinuxEnabled: true
      serviceIsRemote: false
      slirp4netns:
        executable: /usr/bin/slirp4netns
        package: slirp4netns-1.1.12-2.fc34.x86_64
        version: |-
          slirp4netns version 1.1.12
          commit: 7a104a101aa3278a2152351a082a6df71f57c9a3
          libslirp: 4.4.0
          SLIRP_CONFIG_VERSION_MAX: 3
          libseccomp: 2.5.0
      swapFree: 8589930496
      swapTotal: 8589930496
      uptime: 1h 16m 7.83s (Approximately 0.04 days)
    registries:
      search:
      - registry.fedoraproject.org
      - registry.access.redhat.com
      - docker.io
      - quay.io
      - nvcr.io
    store:
      configFile: /home/user1/.config/containers/storage.conf
      containerStore:
        number: 16
        paused: 0
        running: 15
        stopped: 1
      graphDriverName: overlay
      graphOptions:
        overlay.mount_program:
          Executable: /usr/bin/fuse-overlayfs
          Package: fuse-overlayfs-1.7.1-2.fc34.x86_64
          Version: |-
            fusermount3 version: 3.10.4
            fuse-overlayfs: version 1.7.1
            FUSE library version 3.10.4
            using FUSE kernel interface version 7.31
      graphRoot: /home/user1/.local/share/containers/storage
      graphStatus:
        Backing Filesystem: extfs
        Native Overlay Diff: "false"
        Supports d_type: "true"
        Using metacopy: "false"
      imageStore:
        number: 184
      runRoot: /run/user/1000/containers
      volumePath: /home/user1/.local/share/containers/storage/volumes
    version:
      APIVersion: 3.3.1
      Built: 1630356396
      BuiltTime: Mon Aug 30 13:46:36 2021
      GitCommit: ""
      GoVersion: go1.16.6
      OsArch: linux/amd64
      Version: 3.3.1
    

    Package info (e.g. output of rpm -q podman or apt list podman):

    podman-3.3.1-1.fc34.x86_64
    

    Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/master/troubleshooting.md)

    Yes

    Additional environment details (AWS, VirtualBox, physical, etc.): Physical

    kind/bug 
    opened by andrew-kennedy 1
  • Fix an issue with podman save trying to store signatures

    Issue Running the following command:

    podman save registry.redhat.io/openshift-logging/[email protected]:70d57b8062d855c6e1f38d99c796fdf06ddbc8070447770453f7ac37db5e93f8 -o ./tmp/cluster-logging.5.0.7-27/cluster-logging.5.0.7-27.tar
    

    I get:

    Getting image source signatures
    Checking if image destination supports signatures
    Error: Can not copy signatures to docker-archive:./tmp/cluster-logging.5.0.7-27/cluster-logging.5.0.7-27.tar: Storing signatures for docker tar files is not supported
    

    This is similar to what was raised in this issue and should have been fixed with this PR

    Applying this one line code change fixed the issue for me however I am not knowledgeable enough about podman code base to be confident that it is the right way of doing it.

    approved 
    opened by fgiloux 3
Releases(v3.4.0-rc1)
  • v3.4.0-rc1(Sep 16, 2021)

    Features

    • Pods now support init containers! Init containers are containers which run before the rest of the pod starts. There are two types of init containers: "always", which always run before the pod is started, and "once", which only run the first time the pod starts and are subsequently removed. They can be added using the podman create command's --init-ctr option.
    • Support for init containers has also been added to podman play kube and podman generate kube - init containers contained in Kubernetes YAML will be created as Podman init containers, and YAML generated by Podman will include any init containers created.
    • The podman play kube command now supports building images. If the --build option is given and a directory with the name of the specified image exists in the current working directory and contains a valid Containerfile or Dockerfile, the image will be built and used for the container.
    • The podman play kube command now supports a new option, --teardown, which removes any pods and containers created by the given Kubernetes YAML.
    • A new command has been added, podman pod logs, to return logs for all containers in a pod at the same time.
    • Two new commands have been added, podman volume export (to export a volume to a tar file) and podman volume import (to populate a volume from a given tar file).
    • The podman auto-update command now supports simple rollbacks. If a container fails to start after an automatic update, it will be rolled back to the previous image and restarted again.
    • Pods now share their user namespace by default, and the podman pod create command now supports the --userns option. This allows rootless pods to be created with the --userns=keep-id option.
    • The podman pod ps command now supports a new filter with its --filter option, until, which returns pods created before a given timestamp.
    • The podman image scp command has been added. This command allows images to be transferred between different hosts.
    • The podman stats command supports a new option, --interval, to specify the amount of time before the information is refreshed.
    • The podman inspect command now includes ports exposed (but not published) by containers (e.g. ports from --expose when --publish-all is not specified).
    • The podman inspect command now has a new boolean value, Checkpointed, which indicates that a container was stopped as a result of a podman container checkpoint operation.
    • Volumes created by podman volume create now support setting quotas when run atop XFS. The size and inode options allow the maximum size and maximum number of inodes consumed by a volume to be limited.
    • The podman info command now outputs information on what log drivers, network drivers, and volume plugins are available for use (#11265).
    • The podman info command now outputs the current log driver in use, and the variant and codename of the distribution in use.

    Changes

    • The podman build command has a new alias, podman buildx, to improve compatibility with Docker. We have already added support for many docker buildx flags to podman build and aim to continue to do so.
    • Podman commands run as root now ignore XDG_RUNTIME_DIR when determining where to place temporary files, which should resolve a number of issues including #10745 and #10806.
    • Cases where Podman is run without a user session or a writable temporary files directory will now produce better error messages.
    • The default log driver has been changed from file to journald. The file driver did not properly support log rotation, so this should lead to a better experience. If journald is not available on the system, Podman will automatically revert to the file driver.
    • Podman no longer depends on ip for removing networks (#11403).
    • The deprecated --macvlan flag to podman network create now warns when it is used. It will be removed entirely in the Podman 4.0 release.
    • The podman machine start command now prints a message when the VM is successfully started.
    • The podman stats command can now be used on containers that are paused.
    • The podman unshare command will now return the exit code of the command that was run in the user namespace (assuming the command was successfully run).
    • Successful healthchecks will no longer add a healthy line to the system log to reduce log spam.
    • As a temporary workaround for a lack of shortname prompts in the Podman remote client, VMs created by podman machine now default to only using the docker.io registry.

    Bugfixes

    • Fixed a bug where whitespace in the definition of sysctls (particularly default sysctls specified in containers.conf) would cause them to be parsed incorrectly.
    • Fixed a bug where the Windows remote client improperly validated volume paths (#10900).
    • Fixed a bug where the first line of logs from a container run with the journald log driver could be skipped.
    • Fixed a bug where images created by podman commit did not include ports exposed by the container.
    • Fixed a bug where the podman auto-update command would ignore the io.containers.autoupdate.authfile label when pulling images (#11171).
    • Fixed a bug where the --workdir option to podman create and podman run could not be set to a directory where a volume was mounted (#11352).
    • Fixed a bug where systemd socket-activation did not properly work with systemd-managed Podman containers (#10443).
    • Fixed a bug where environment variable secrets added to a container were not available to exec sessions launched in the container.
    • Fixed a bug where rootless containers could fail to start the rootlessport port-forwarding service when XDG_RUNTIME_DIR was set to a long path.
    • Fixed a bug where arguments to the --systemd option to podman create and podman run were case-sensitive (#11387).
    • Fixed a bug where the podman manifest rm command would also remove images referenced by the manifest, not just the manifest itself (#11344).
    • Fixed a bug where the Podman remote client on OS X would not function properly if the TMPDIR environment variable was not set (#11418).
    • Fixed a bug where the /etc/hosts file was not guaranteed to contain an entry for localhost (this is still not guaranteed if --net=host is used; such containers will exactly match the host's /etc/hosts) (#11411).
    • Fixed a bug where the podman machine start command could print warnings about unsupported CPU features (#11421).
    • Fixed a bug where the podman info command could segfault when accessing cgroup information.
    • Fixed a bug where the podman logs -f command could hang when a container exited (#11461).
    • Fixed a bug where the podman generate systemd command could not be used on containers that specified a restart policy (#11438).
    • Fixed a bug where the remote Podman client's podman build command would fail to build containers if the UID and GID on the client were higher than 65536 (#11474).
    • Fixed a bug where the --network flag to podman play kube was not properly parsed when a non-bridge network configuration was specified.
    • Fixed a bug where the podman inspect command could error when the container being inspected was removed as it was being inspected (#11392).
    • Fixed a bug where the podman play kube command ignored the default pod infra image specified in containers.conf.
    • Fixed a bug where the --format option to podman inspect was nonfunctional under some circumstances (#8785).
    • Fixed a bug where the remote Podman client's podman run and podman exec commands could skip a byte of output every 8192 bytes (#11496).
    • Fixed a bug where the podman stats command would print nonsensical results if the container restarted while it was running (#11469).
    • Fixed a bug where the remote Podman client would error when STDOUT was redirected on a Windows client (#11444).
    • Fixed a bug where the podman run command could return 0 when the application in the container exited with 125 (#11540).
    • Fixed a bug where containers with --restart=always set using the rootlessport port-forwarding service could not be restarted automatically.
    • Fixed a bug where the --cgroups=split option to podman create and podman run was silently discarded if the container was part of a pod.

    API

    • The Libpod Pull endpoint for Images now has a new query parameter, quiet, which (when set to true) suppresses image pull progress reports (#10612).
    • The Compat Events endpoint now includes several deprecated fields from the Docker v1.21 API for improved compatibility with older clients.
    • The Compat Create endpoint for Containers now properly sets defaults for healthcheck-related fields (#11225).
    • The Compat Create endpoint for Containers now supports volume options provided by the Mounts field (#10831).
    • The Compat List endpoint for Secrets now supports a new query parameter, filter, which allows returned results to be filtered.
    • The Version endpoint now includes information about the OCI runtime and Conmon in use (#11227).
    • Fixed a bug where the X-Registry-Config header was not properly handled, leading to errors when pulling images (#11235).
    • Fixed a bug where invalid query parameters could cause a null pointer dereference when creating error messages.
    • Logging of API requests and responses at trace level has been greatly improved, including the addition of an X-Reference-Id header to correlate requests and responses (#10053).

    Misc

    • Updated Buildah to v1.23.0
    • Updated the containers/storage library to v1.36.0
    • Updated the containers/image library to v5.16.0
    • Updated the containers/common library to v0.44.0
  • v3.3.1(Aug 30, 2021)

    Bugfixes

    • Fixed a bug where unit files created by podman generate systemd could not clean up shut down containers when stopped by systemctl stop (#11304).
    • Fixed a bug where podman machine commands would not properly locate the gvproxy binary in some circumstances.
    • Fixed a bug where containers created as part of a pod using the --pod-id-file option would not join the pod's network namespace (#11303).
    • Fixed a bug where Podman, when using the systemd cgroups driver, could sometimes leak dbus sessions.
    • Fixed a bug where the until filter to podman logs and podman events was improperly handled, requiring input to be negated (#11158).
    • Fixed a bug where rootless containers using CNI networking run on systems using systemd-resolved for DNS would fail to start if resolved symlinked /etc/resolv.conf to an absolute path (#11358).

    API

    • A large number of potential file descriptor leaks from improperly closing client connections have been fixed.
  • v3.3.0(Aug 20, 2021)

    Features

    • Containers inside VMs created by podman machine will now automatically handle port forwarding - containers in podman machine VMs that publish ports via --publish or --publish-all will have these ports not just forwarded on the VM, but also on the host system.
    • The podman play kube command's --network option now accepts advanced network options (e.g. --network slirp4netns:port_handler=slirp4netns) (#10807).
    • The podman play kube command now supports Kubernetes liveness probes, which will be created as Podman healthchecks.
    • Podman now provides a systemd unit, podman-restart.service, which, when enabled, will restart all containers that were started with --restart=always after the system reboots.
    • Rootless Podman can now be configured to use CNI networking by default by using the rootless_networking option in containers.conf.
    • Images can now be pulled using image:tag@digest syntax (e.g. podman pull fedora:34@sha256:1b0d4ddd99b1a8c8a80e885aafe6034c95f266da44ead992aab388e6aa91611a) (#6721).
    • The podman container checkpoint and podman container restore commands can now be used to checkpoint containers that are in pods, and restore those containers into pods.
    • The podman container restore command now features a new option, --publish, to change the ports that are forwarded to a container that is being restored from an exported checkpoint.
    • The podman container checkpoint command now features a new option, --compress, to specify the compression algorithm that will be used on the generated checkpoint.
    • The podman pull command can now pull multiple images at once (e.g. podman pull fedora:34 ubi8:latest will pull both specified images).
    • The podman cp command can now copy files from one container into another directly (e.g. podman cp containera:/etc/hosts containerb:/etc/) (#7370).
    • The podman cp command now supports a new option, --archive, which controls whether copied files will be chown'd to the UID and GID of the user of the destination container.
    • The podman stats command now provides two additional metrics: Average CPU, and CPU time.
    • The podman pod create command supports a new flag, --pid, to specify the PID namespace of the pod. If specified, containers that join the pod will automatically share its PID namespace.
    • The podman pod create command supports a new flag, --infra-name, which allows the name of the pod's infra container to be set (#10794).
    • The podman auto-update command has had its output reformatted - it is now much clearer what images were pulled and what containers were updated.
    • The podman auto-update command now supports a new option, --dry-run, which reports what would be updated but does not actually perform the update (#9949).
    • The podman build command now supports a new option, --secret, to mount secrets into build containers.
    • The podman manifest remove command now has a new alias, podman manifest rm.
    • The podman login command now supports a new option, --verbose, to print detailed information about where the credentials entered were stored.
    • The podman events command now supports a new event, exec_died, which is produced when an exec session exits, and includes the exit code of the exec session.
    • The podman system connection add command now supports adding connections that connect using the tcp:// and unix:// URL schemes.
    • The podman system connection list command now supports a new flag, --format, to determine how the output is printed.
    • The podman volume prune and podman volume ls commands' --filter option now support a new filter, until, that matches volumes created before a certain time (#10579).
    • The podman ps --filter option's network filter now accepts a new value: container:, which matches containers that share a network namespace with a specific container (#10361).
    • The podman diff command can now accept two arguments, allowing two images or two containers to be specified; the diff between the two will be printed (#10649).
    • Podman can now optionally copy-up content from containers into volumes mounted into those containers earlier (at creation time, instead of at runtime) via the prepare_on_create option in containers.conf (#10262).
    • A new option, --gpus, has been added to podman create and podman run as a no-op for better compatibility with Docker. If the nvidia-container-runtime package is installed, GPUs should be automatically added to containers without using the flag.
    • If an invalid subcommand is provided, similar commands to try will now be suggested in the error message.

    Changes

    • The podman system reset command now removes non-Podman (e.g. Buildah and CRI-O) containers as well.
    • The new port forwarding offered by podman machine requires gvproxy in order to function.
    • Podman will now automatically create the default CNI network if it does not exist, for both root and rootless users. This will only be done once per user - if the network is subsequently removed, it will not be recreated.
    • The install.cni makefile option has been removed. It is no longer required to distribute the default 87-podman.conflist CNI configuration file, as Podman will now automatically create it.
    • The --root option to Podman will not automatically clear all default storage options when set. Storage options can be set manually using --storage-opt (#10393).
    • The output of podman system connection list is now deterministic, with connections being sorted alphabetically by their name.
    • The auto-update service (podman-auto-update.service) has had its default timer adjusted so it now starts at a random time up to 15 minutes after midnight, to help prevent system congestion from numerous daily services run at once.
    • Systemd unit files generated by podman generate systemd now depend on network-online.target by default (#10655).
    • Systemd unit files generated by podman generate systemd now use Type=notify by default, instead of using PID files.
    • The podman info command's logic for detecting package versions on Gentoo has been improved, and should be significantly faster.

    Bugfixes

    • Fixed a bug where the podman play kube command did not perform SELinux relabelling of volumes specified with a mountPath that included the :z or :Z options (#9371).
    • Fixed a bug where the podman play kube command would ignore the USER and EXPOSE directives in images (#9609).
    • Fixed a bug where the podman play kube command would only accept lowercase pull policies.
    • Fixed a bug where named volumes mounted into containers with the :z or :Z options were not appropriately relabelled for access from the container (#10273).
    • Fixed a bug where the podman logs -f command, with the journald log driver, could sometimes fail to pick up the last line of output from a container (#10323).
    • Fixed a bug where running podman rm on a container created with the --rm option would occasionally emit an error message saying the container failed to be removed, when it was successfully removed.
    • Fixed a bug where starting a Podman container would segfault if the LISTEN_PID and LISTEN_FDS environment variables were set, but LISTEN_FDNAMES was not (#10435).
    • Fixed a bug where exec sessions in containers were sometimes not cleaned up when run without -d and when the associated podman exec process was killed before completion.
    • Fixed a bug where podman system service could, when run in a systemd unit file with sdnotify in use, drop some connections when it was starting up.
    • Fixed a bug where containers run using the REST API using the slirp4netns network mode would leave zombie processes that were not cleaned up until podman system service exited (#9777).
    • Fixed a bug where the podman system service command would leave zombie processes after its initial launch that were not cleaned up until it exited (#10575).
    • Fixed a bug where VMs created by podman machine could not be started after the host system restarted (#10824).
    • Fixed a bug where the podman pod ps command would not show headers for optional information (e.g. container names when the --ctr-names option was given).
    • Fixed a bug where the remote Podman client's podman create and podman run commands would ignore timezone configuration from the server's containers.conf file (#11124).
    • Fixed a bug where the remote Podman client's podman build command would only respect .containerignore and not .dockerignore files (when both are present, .containerignore will be preferred) (#10907).
    • Fixed a bug where the remote Podman client's podman build command would fail to send the Dockerfile being built to the server when it was excluded by the .dockerignore file, resulting in an error (#9867).
    • Fixed a bug where the remote Podman client's podman build command could unexpectedly stop streaming the output of the build (#10154).
    • Fixed a bug where the remote Podman client's podman build command would fail to build when run on Windows (#11259).
    • Fixed a bug where the podman manifest create command accepted at most two arguments (an arbitrary number of images are allowed as arguments, which will be added to the manifest).
    • Fixed a bug where named volumes would not be properly chowned to the UID and GID of the directory they were mounted over when first mounted into a container (#10776).
    • Fixed a bug where named volumes created using a volume plugin would be removed from Podman, even if the plugin reported a failure to remove the volume (#11214).
    • Fixed a bug where the remote Podman client's podman exec -i command would hang when input was provided via shell redirection (e.g. podman --remote exec -i foo cat <<<"hello") (#7360).
    • Fixed a bug where containers created with --rm were not immediately removed after being started by podman start if they failed to start (#10935).
    • Fixed a bug where the --storage-opt flag to podman create and podman run was nonfunctional (#10264).
    • Fixed a bug where the --device-cgroup-rule option to podman create and podman run was nonfunctional (#10302).
    • Fixed a bug where the --tls-verify option to podman manifest push was nonfunctional.
    • Fixed a bug where the podman import command could, in some circumstances, produce empty images (#10994).
    • Fixed a bug where images pulled using the docker-daemon: transport had the wrong registry (localhost instead of docker.io/library) (#10998).
    • Fixed a bug where operations that pruned images (podman image prune and podman system prune) would prune untagged images with children (#10832).
    • Fixed a bug where dual-stack networks created by podman network create did not properly auto-assign an IPv4 subnet when one was not explicitly specified (#11032).
    • Fixed a bug where port forwarding using the rootlessport port forwarder would break when a network was disconnected and then reconnected (#10052).
    • Fixed a bug where Podman would ignore user-specified SELinux policies for containers using the Kata OCI runtime, or containers using systemd as PID 1 (#11100).
    • Fixed a bug where Podman containers created using --net=host would add an entry to /etc/hosts for the container's hostname pointing to 127.0.1.1 (#10319).
    • Fixed a bug where the podman unpause --all command would throw an error for every container that was not paused (#11098).
    • Fixed a bug where timestamps for the since and until filters using Unix timestamps with a nanoseconds portion could not be parsed (#11131).
    • Fixed a bug where the podman info command would sometimes print the wrong path for the slirp4netns binary.
    • Fixed a bug where rootless Podman containers joined to a CNI network would not have functional DNS when the host used systemd-resolved without the resolved stub resolver being enabled (#11222).
    • Fixed a bug where podman network connect and podman network disconnect of rootless containers could sometimes break port forwarding to the container (#11248).
    • Fixed a bug where joining a container to a CNI network by ID and adding network aliases to this network would cause the container to fail to start (#11285).

    API

    • Fixed a bug where the Compat List endpoint for Containers included healthcheck information for all containers, even those that did not have a configured healthcheck.
    • Fixed a bug where the Compat Create endpoint for Containers would fail to create containers with the NetworkMode parameter set to default (#10569).
    • Fixed a bug where the Compat Create endpoint for Containers did not properly handle healthcheck commands (#10617).
    • Fixed a bug where the Compat Wait endpoint for Containers would always send an empty string error message when no error occurred.
    • Fixed a bug where the Libpod Stats endpoint for Containers would not error when run on rootless containers on cgroups v1 systems (nonsensical results would be returned, as this configuration cannot be supported).
    • Fixed a bug where the Compat List endpoint for Images omitted the ContainerConfig field (#10795).
    • Fixed a bug where the Compat Build endpoint for Images was too strict when validating the Content-Type header, rejecting content that Docker would have accepted (#11022).
    • Fixed a bug where the Compat Pull endpoint for Images could fail, but return a 200 status code, if an image name that could not be parsed was provided.
    • Fixed a bug where the Compat Pull endpoint for Images would continue to pull images after the client disconnected.
    • Fixed a bug where the Compat List endpoint for Networks would fail for non-bridge (e.g. macvlan) networks (#10266).
    • Fixed a bug where the Libpod List endpoint for Networks would return nil, instead of an empty list, when no networks were present (#10495).
    • The Compat and Libpod Logs endpoints for Containers now support the until query parameter (#10859).
    • The Compat Import endpoint for Images now supports the platform, message, and repo query parameters.
    • The Compat Pull endpoint for Images now supports the platform query parameter.

    Misc

    • Updated Buildah to v1.22.3
    • Updated the containers/storage library to v1.34.1
    • Updated the containers/image library to v5.15.2
    • Updated the containers/common library to v0.42.1
  • v3.3.0-rc3(Aug 17, 2021)

    This is the third release candidate of Podman v3.3.0

    Preliminary release notes follow:

    Features

    • Containers inside VMs created by podman machine will now automatically handle port forwarding - containers in podman machine VMs that publish ports via --publish or --publish-all will have these ports not just forwarded on the VM, but also on the host system.
    • The podman play kube command's --network option now accepts advanced network options (e.g. --network slirp4netns:port_handler=slirp4netns) (#10807).
    • The podman play kube command now supports Kubernetes liveness probes, which will be created as Podman healthchecks.
    • Podman now provides a systemd unit, podman-restart.service, which, when enabled, will restart all containers that were started with --restart=always after the system reboots.
    • Rootless Podman can now be configured to use CNI networking by default by using the rootless_networking option in containers.conf.
    • Images can now be pulled using image:tag@digest syntax (e.g. podman pull fedora:34@sha256:1b0d4ddd99b1a8c8a80e885aafe6034c95f266da44ead992aab388e6aa91611a) (#6721).
    • The podman container checkpoint and podman container restore commands can now be used to checkpoint containers that are in pods, and restore those containers into pods.
    • The podman container restore command now features a new option, --publish, to change the ports that are forwarded to a container that is being restored from an exported checkpoint.
    • The podman container checkpoint command now features a new option, --compress, to specify the compression algorithm that will be used on the generated checkpoint.
    • The podman pull command can now pull multiple images at once (e.g. podman pull fedora:34 ubi8:latest will pull both specified images).
    • The podman cp command can now copy files from one container into another directly (e.g. podman cp containera:/etc/hosts containerb:/etc/) (#7370).
    • The podman cp command now supports a new option, --archive, which controls whether copied files will be chown'd to the UID and GID of the user of the destination container.
    • The podman stats command now provides two additional metrics: Average CPU, and CPU time.
    • The podman pod create command supports a new flag, --pid, to specify the PID namespace of the pod. If specified, containers that join the pod will automatically share its PID namespace.
    • The podman pod create command supports a new flag, --infra-name, which allows the name of the pod's infra container to be set (#10794).
    • The podman auto-update command has had its output reformatted - it is now much clearer what images were pulled and what containers were updated.
    • The podman auto-update command now supports a new option, --dry-run, which reports what would be updated but does not actually perform the update (#9949).
    • The podman build command now supports a new option, --secret, to mount secrets into build containers.
    • The podman manifest remove command now has a new alias, podman manifest rm.
    • The podman login command now supports a new option, --verbose, to print detailed information about where the credentials entered were stored.
    • The podman events command now supports a new event, exec_died, which is produced when an exec session exits, and includes the exit code of the exec session.
    • The podman system connection add command now supports adding connections that connect using the tcp:// and unix:// URL schemes.
    • The podman system connection list command now supports a new flag, --format, to determine how the output is printed.
    • The podman volume prune and podman volume ls commands' --filter option now support a new filter, until, that matches volumes created before a certain time (#10579).
    • The podman ps --filter option's network filter now accepts a new value: container:, which matches containers that share a network namespace with a specific container (#10361).
    • The podman diff command can now accept two arguments, allowing two images or two containers to be specified; the diff between the two will be printed (#10649).
    • Podman can now optionally copy-up content from containers into volumes mounted into those containers earlier (at creation time, instead of at runtime) via the prepare_on_create option in containers.conf (#10262).
    • A new option, --gpus, has been added to podman create and podman run as a no-op for better compatibility with Docker. If the nvidia-container-runtime package is installed, GPUs should be automatically added to containers without using the flag.
    • If an invalid subcommand is provided, similar commands to try will now be suggested in the error message.

    Changes

    • The podman system reset command now removes non-Podman (e.g. Buildah and CRI-O) containers as well.
    • The new port forwarding offered by podman machine requires gvproxy in order to function.
    • Podman will now automatically create the default CNI network if it does not exist, for both root and rootless users. This will only be done once per user - if the network is subsequently removed, it will not be recreated.
    • The install.cni makefile option has been removed. It is no longer required to distribute the default 87-podman.conflist CNI configuration file, as Podman will now automatically create it.
    • The --root option to Podman will not automatically clear all default storage options when set. Storage options can be set manually using --storage-opt (#10393).
    • The output of podman system connection list is now deterministic, with connections being sorted alphabetically by their name.
    • The auto-update service (podman-auto-update.service) has had its default timer adjusted so it now starts at a random time up to 15 minutes after midnight, to help prevent system congestion from numerous daily services run at once.
    • Systemd unit files generated by podman generate systemd now depend on network-online.target by default (#10655).
    • The podman info command's logic for detecting package versions on Gentoo has been improved, and should be significantly faster.

    Bugfixes

    • Fixed a bug where the podman play kube command did not perform SELinux relabelling of volumes specified with a mountPath that included the :z or :Z options (#9371).
    • Fixed a bug where the podman play kube command would ignore the USER and EXPOSE directives in images (#9609).
    • Fixed a bug where the podman play kube command would only accept lowercase pull policies.
    • Fixed a bug where named volumes mounted into containers with the :z or :Z options were not appropriately relabelled for access from the container (#10273).
    • Fixed a bug where the podman logs -f command, with the journald log driver, could sometimes fail to pick up the last line of output from a container (#10323).
    • Fixed a bug where running podman rm on a container created with the --rm option would occasionally emit an error message saying the container failed to be removed, when it was successfully removed.
    • Fixed a bug where starting a Podman container would segfault if the LISTEN_PID and LISTEN_FDS environment variables were set, but LISTEN_FDNAMES was not (#10435).
    • Fixed a bug where exec sessions in containers were sometimes not cleaned up when run without -d and when the associated podman exec process was killed before completion.
    • Fixed a bug where podman system service could, when run in a systemd unit file with sdnotify in use, drop some connections when it was starting up.
    • Fixed a bug where containers run using the REST API using the slirp4netns network mode would leave zombie processes that were not cleaned up until podman system service exited (#9777).
    • Fixed a bug where the podman system service command would leave zombie processes after its initial launch that were not cleaned up until it exited (#10575).
    • Fixed a bug where VMs created by podman machine could not be started after the host system restarted (#10824).
    • Fixed a bug where the podman pod ps command would not show headers for optional information (e.g. container names when the --ctr-names option was given).
    • Fixed a bug where the remote Podman client's podman create and podman run commands would ignore timezone configuration from the server's containers.conf file (#11124).
    • Fixed a bug where the remote Podman client's podman build command would only respect .containerignore and not .dockerignore files (when both are present, .containerignore will be preferred) (#10907).
    • Fixed a bug where the remote Podman client's podman build command would fail to send the Dockerfile being built to the server when it was excluded by the .dockerignore file, resulting in an error (#9867).
    • Fixed a bug where the remote Podman client's podman build command could unexpectedly stop streaming the output of the build (#10154).
    • Fixed a bug where the podman manifest create command accepted at most two arguments (an arbitrary number of images are allowed as arguments, which will be added to the manifest).
    • Fixed a bug where named volumes would not be properly chowned to the UID and GID of the directory they were mounted over when first mounted into a container (#10776).
    • Fixed a bug where the remote Podman client's podman exec -i command would hang when input was provided via shell redirection (e.g. podman --remote exec -i foo cat <<<"hello") (#7360).
    • Fixed a bug where containers created with --rm were not immediately removed after being started by podman start if they failed to start (#10935).
    • Fixed a bug where the --storage-opt flag to podman create and podman run was nonfunctional (#10264).
    • Fixed a bug where the --device-cgroup-rule option to podman create and podman run was nonfunctional (#10302).
    • Fixed a bug where the --tls-verify option to podman manifest push was nonfunctional.
    • Fixed a bug where the podman import command could, in some circumstances, produce empty images (#10994).
    • Fixed a bug where images pulled using the docker-daemon: transport had the wrong registry (localhost instead of docker.io/library) (#10998).
    • Fixed a bug where operations that pruned images (podman image prune and podman system prune) would prune untagged images with children (#10832).
    • Fixed a bug where dual-stack networks created by podman network create did not properly auto-assign an IPv4 subnet when one was not explicitly specified (#11032).
    • Fixed a bug where port forwarding using the rootlessport port forwarder would break when a network was disconnected and then reconnected (#10052).
    • Fixed a bug where Podman would ignore user-specified SELinux policies for containers using the Kata OCI runtime, or containers using systemd as PID 1 (#11100).
    • Fixed a bug where Podman containers created using --net=host would add an entry to /etc/hosts for the container's hostname pointing to 127.0.1.1 (#10319).
    • Fixed a bug where the podman unpause --all command would throw an error for every container that was not paused (#11098).
    • Fixed a bug where timestamps for the since and until filters using Unix timestamps with a nanoseconds portion could not be parsed (#11131).
    • Fixed a bug where the podman info command would sometimes print the wrong path for the slirp4netns binary.

    API

    • Fixed a bug where the Compat List endpoint for Containers included healthcheck information for all containers, even those that did not have a configured healthcheck.
    • Fixed a bug where the Compat Create endpoint for Containers would fail to create containers with the NetworkMode parameter set to default (#10569).
    • Fixed a bug where the Compat Create endpoint for Containers did not properly handle healthcheck commands (#10617).
    • Fixed a bug where the Compat Wait endpoint for Containers would always send an empty string error message when no error occurred.
    • Fixed a bug where the Libpod Stats endpoint for Containers would not error when run on rootless containers on cgroups v1 systems (nonsensical results would be returned, as this configuration cannot be supported).
    • Fixed a bug where the Compat List endpoint for Images omitted the ContainerConfig field (#10795).
    • Fixed a bug where the Compat Pull endpoint for Images could fail, but return a 200 status code, if an image name that could not be parsed was provided.
    • Fixed a bug where the Compat Pull endpoint for Images would continue to pull images after the client disconnected.
    • Fixed a bug where the Compat List endpoint for Networks would fail for non-bridge (e.g. macvlan) networks (#10266).
    • Fixed a bug where the Libpod List endpoint for Networks would return nil, instead of an empty list, when no networks were present (#10495).
    • The Compat and Libpod Logs endpoints for Containers now support the until query parameter (#10859).
    • The Compat Import endpoint for Images now supports the platform, message, and repo query parameters.
    • The Compat Pull endpoint for Images now supports the platform query parameter.

    Misc

    • Updated Buildah to v1.22.0
    • Updated the containers/storage library to v1.34.1
    • Updated the containers/image library to v5.15.1
    • Updated the containers/common library to v0.42.1
  • v3.3.0-rc2(Aug 12, 2021)

    Features

    • Containers inside VMs created by podman machine will now automatically handle port forwarding - containers in podman machine VMs that publish ports via --publish or --publish-all will have these ports not just forwarded on the VM, but also on the host system.
    • The podman play kube command's --network option now accepts advanced network options (e.g. --network slirp4netns:port_handler=slirp4netns) (#10807).
    • The podman play kube command now supports Kubernetes liveness probes, which will be created as Podman healthchecks.
    • Podman now provides a systemd unit, podman-restart.service, which, when enabled, will restart all containers that were started with --restart=always after the system reboots.
    • Rootless Podman can now be configured to use CNI networking by default by using the rootless_networking option in containers.conf.
    • Images can now be pulled using image:tag@digest syntax (e.g. podman pull fedora:34@sha256:1b0d4ddd99b1a8c8a80e885aafe6034c95f266da44ead992aab388e6aa91611a) (#6721).
    • The podman container checkpoint and podman container restore commands can now be used to checkpoint containers that are in pods, and restore those containers into pods.
    • The podman container restore command now features a new option, --publish, to change the ports that are forwarded to a container that is being restored from an exported checkpoint.
    • The podman container checkpoint command now features a new option, --compress, to specify the compression algorithm that will be used on the generated checkpoint.
    • The podman pull command can now pull multiple images at once (e.g. podman pull fedora:34 ubi8:latest will pull both specified images).
    • The podman cp command can now copy files from one container into another directly (e.g. podman cp containera:/etc/hosts containerb:/etc/) (#7370).
    • The podman cp command now supports a new option, --archive, which controls whether copied files will be chown'd to the UID and GID of the user of the destination container.
    • The podman stats command now provides two additional metrics: Average CPU, and CPU time.
    • The podman pod create command supports a new flag, --pid, to specify the PID namespace of the pod. If specified, containers that join the pod will automatically share its PID namespace.
    • The podman pod create command supports a new flag, --infra-name, which allows the name of the pod's infra container to be set (#10794).
    • The podman auto-update command has had its output reformatted - it is now much clearer what images were pulled and what containers were updated.
    • The podman auto-update command now supports a new option, --dry-run, which reports what would be updated but does not actually perform the update (#9949).
    • The podman build command now supports a new option, --secret, to mount secrets into build containers.
    • The podman manifest remove command now has a new alias, podman manifest rm.
    • The podman login command now supports a new option, --verbose, to print detailed information about where the credentials entered were stored.
    • The podman events command now supports a new event, exec_died, which is produced when an exec session exits, and includes the exit code of the exec session.
    • The podman system connection add command now supports adding connections that connect using the tcp:// and unix:// URL schemes.
    • The podman system connection list command now supports a new flag, --format, to determine how the output is printed.
    • The podman volume prune and podman volume ls commands' --filter option now support a new filter, until, that matches volumes created before a certain time (#10579).
    • The podman ps --filter option's network filter now accepts a new value: container:, which matches containers that share a network namespace with a specific container (#10361).
    • The podman diff command can now accept two arguments, allowing two images or two containers to be specified; the diff between the two will be printed (#10649).
    • Podman can now optionally copy-up content from containers into volumes mounted into those containers earlier (at creation time, instead of at runtime) via the prepare_on_create option in containers.conf (#10262).
    • A new option, --gpus, has been added to podman create and podman run as a no-op for better compatibility with Docker. If the nvidia-container-runtime package is installed, GPUs should be automatically added to containers without using the flag.
    • If an invalid subcommand is provided, similar commands to try will now be suggested in the error message.

    Changes

    • The podman system reset command now removes non-Podman (e.g. Buildah and CRI-O) containers as well.
    • The new port forwarding offered by podman machine requires gvproxy in order to function.
    • Podman will now automatically create the default CNI network if it does not exist, for both root and rootless users. This will only be done once per user - if the network is subsequently removed, it will not be recreated.
    • The install.cni makefile option has been removed. It is no longer required to distribute the default 87-podman.conflist CNI configuration file, as Podman will now automatically create it.
    • The --root option to Podman will not automatically clear all default storage options when set. Storage options can be set manually using --storage-opt (#10393).
    • The output of podman system connection list is now deterministic, with connections being sorted alphabetically by their name.
    • The auto-update service (podman-auto-update.service) has had its default timer adjusted so it now starts at a random time up to 15 minutes after midnight, to help prevent system congestion from numerous daily services run at once.
    • Systemd unit files generated by podman generate systemd now depend on network-online.target by default (#10655).
    • The podman info command's logic for detecting package versions on Gentoo has been improved, and should be significantly faster.

    Bugfixes

    • Fixed a bug where the podman play kube command did not perform SELinux relabelling of volumes specified with a mountPath that included the :z or :Z options (#9371).
    • Fixed a bug where the podman play kube command would ignore the USER and EXPOSE directives in images (#9609).
    • Fixed a bug where the podman play kube command would only accept lowercase pull policies.
    • Fixed a bug where named volumes mounted into containers with the :z or :Z options were not appropriately relabelled for access from the container (#10273).
    • Fixed a bug where the podman logs -f command, with the journald log driver, could sometimes fail to pick up the last line of output from a container (#10323).
    • Fixed a bug where running podman rm on a container created with the --rm option would occasionally emit an error message saying the container failed to be removed, when it was successfully removed.
    • Fixed a bug where starting a Podman container would segfault if the LISTEN_PID and LISTEN_FDS environment variables were set, but LISTEN_FDNAMES was not (#10435).
    • Fixed a bug where exec sessions in containers were sometimes not cleaned up when run without -d and when the associated podman exec process was killed before completion.
    • Fixed a bug where podman system service could, when run in a systemd unit file with sdnotify in use, drop some connections when it was starting up.
    • Fixed a bug where containers run using the REST API using the slirp4netns network mode would leave zombie processes that were not cleaned up until podman system service exited (#9777).
    • Fixed a bug where the podman system service command would leave zombie processes after its initial launch that were not cleaned up until it exited (#10575).
    • Fixed a bug where VMs created by podman machine could not be started after the host system restarted (#10824).
    • Fixed a bug where the podman pod ps command would not show headers for optional information (e.g. container names when the --ctr-names option was given).
    • Fixed a bug where the remote Podman client's podman create and podman run commands would ignore timezone configuration from the server's containers.conf file (#11124).
    • Fixed a bug where the remote Podman client's podman build command would only respect .containerignore and not .dockerignore files (when both are present, .containerignore will be preferred) (#10907).
    • Fixed a bug where the remote Podman client's podman build command would fail to send the Dockerfile being built to the server when it was excluded by the .dockerignore file, resulting in an error (#9867).
    • Fixed a bug where the remote Podman client's podman build command could unexpectedly stop streaming the output of the build (#10154).
    • Fixed a bug where the podman manifest create command accepted at most two arguments (an arbitrary number of images are allowed as arguments, which will be added to the manifest).
    • Fixed a bug where named volumes would not be properly chowned to the UID and GID of the directory they were mounted over when first mounted into a container (#10776).
    • Fixed a bug where the remote Podman client's podman exec -i command would hang when input was provided via shell redirection (e.g. podman --remote exec -i foo cat <<<"hello") (#7360).
    • Fixed a bug where containers created with --rm were not immediately removed after being started by podman start if they failed to start (#10935).
    • Fixed a bug where the --storage-opt flag to podman create and podman run was nonfunctional (#10264).
    • Fixed a bug where the --device-cgroup-rule option to podman create and podman run was nonfunctional (#10302).
    • Fixed a bug where the --tls-verify option to podman manifest push was nonfunctional.
    • Fixed a bug where the podman import command could, in some circumstances, produce empty images (#10994).
    • Fixed a bug where images pulled using the docker-daemon: transport had the wrong registry (localhost instead of docker.io/library) (#10998).
    • Fixed a bug where operations that pruned images (podman image prune and podman system prune) would prune untagged images with children (#10832).
    • Fixed a bug where dual-stack networks created by podman network create did not properly auto-assign an IPv4 subnet when one was not explicitly specified (#11032).
    • Fixed a bug where port forwarding using the rootlessport port forwarder would break when a network was disconnected and then reconnected (#10052).
    • Fixed a bug where Podman would ignore user-specified SELinux policies for containers using the Kata OCI runtime, or containers using systemd as PID 1 (#11100).
    • Fixed a bug where Podman containers created using --net=host would add an entry to /etc/hosts for the container's hostname pointing to 127.0.1.1 (#10319).
    • Fixed a bug where the podman unpause --all command would throw an error for every container that was not paused (#11098).
    • Fixed a bug where timestamps for the since and until filters using Unix timestamps with a nanoseconds portion could not be parsed (#11131).
    • Fixed a bug where the podman info command would sometimes print the wrong path for the slirp4netns binary.

    API

    • Fixed a bug where the Compat List endpoint for Containers included healthcheck information for all containers, even those that did not have a configured healthcheck.
    • Fixed a bug where the Compat Create endpoint for Containers would fail to create containers with the NetworkMode parameter set to default (#10569).
    • Fixed a bug where the Compat Create endpoint for Containers did not properly handle healthcheck commands (#10617).
    • Fixed a bug where the Compat Wait endpoint for Containers would always send an empty string error message when no error occurred.
    • Fixed a bug where the Libpod Stats endpoint for Containers would not error when run on rootless containers on cgroups v1 systems (nonsensical results would be returned, as this configuration cannot be supported).
    • Fixed a bug where the Compat List endpoint for Images omitted the ContainerConfig field (#10795).
    • Fixed a bug where the Compat Pull endpoint for Images could fail, but return a 200 status code, if an image name that could not be parsed was provided.
    • Fixed a bug where the Compat Pull endpoint for Images would continue to pull images after the client disconnected.
    • Fixed a bug where the Compat List endpoint for Networks would fail for non-bridge (e.g. macvlan) networks (#10266).
    • Fixed a bug where the Libpod List endpoint for Networks would return nil, instead of an empty list, when no networks were present (#10495).
    • The Compat and Libpod Logs endpoints for Containers now support the until query parameter (#10859).
    • The Compat Import endpoint for Images now supports the platform, message, and repo query parameters.
    • The Compat Pull endpoint for Images now supports the platform query parameter.

    Misc

    • Updated Buildah to v1.22.0
    • Updated the containers/storage library to v1.33.1
    • Updated the containers/image library to v5.15.0
    • Updated the containers/common library to v0.42.1
  • v3.2.3 (Jul 16, 2021)

    Security

    • This release addresses CVE-2021-3602, an issue with the podman build command with the --isolation chroot flag that results in environment variables from the host leaking into build containers.

    Bugfixes

    • Fixed a bug where events related to images could occur before the relevant operation had completed (e.g. an image pull event could be written before the pull was finished) (#10812).
    • Fixed a bug where podman save would refuse to save images with an architecture different from that of the host (#10835).
    • Fixed a bug where the podman import command did not correctly handle images without tags (#10854).
    • Fixed a bug where Podman's journald events backend would fail and prevent Podman from running when run on a host with systemd as PID 1 but in an environment (e.g. a container) without systemd (#10863).
    • Fixed a bug where containers using rootless CNI networking would fail to start when the dnsname CNI plugin was in use and the host system's /etc/resolv.conf was a symlink (#10855 and #10929).
    • Fixed a bug where containers using rootless CNI networking could fail to start due to a race in rootless CNI initialization (#10930).

    Misc

    • Updated Buildah to v1.21.3
    • Updated the containers/common library to v0.38.16
  • v3.2.2 (Jun 25, 2021)

    Changes

    • Podman's handling of the Architecture field of images has been relaxed. Since 3.2.0, Podman required that the architecture of the image match the architecture of the system to run containers based on an image, but images often incorrectly report architecture, causing Podman to reject valid images (#10648 and #10682).
    • Podman no longer uses inotify to monitor for changes to CNI configurations. This removes potential issues where Podman cannot be run because a user has exhausted their available inotify sessions (#10686).

    Bugfixes

    • Fixed a bug where the podman cp command would, when given a directory as its source and a target that existed and was a file, copy the contents of the directory into the parent directory of the file; this now results in an error.
    • Fixed a bug where the podman logs command would, when following a running container's logs while the k8s-file driver was in use, omit the last line of output from the container when it exited (#10675).
    • Fixed a bug where Podman would fail to run containers if systemd-resolved was incorrectly detected as the system's DNS server (#10733).
    • Fixed a bug where the podman exec -t command would only resize the exec session's TTY after the session started, leading to a race condition where the terminal would initially not have a size set (#10560).
    • Fixed a bug where Podman containers using the slirp4netns network mode would add an incorrect entry to /etc/hosts pointing the container's hostname to the wrong IP address.
    • Fixed a bug where Podman would create volumes specified by images with incorrect permissions (#10188 and #10606).
    • Fixed a bug where Podman would not respect the uid and gid options to podman volume create -o (#10620).
    • Fixed a bug where the podman run command could panic when parsing the system's cgroup configuration (#10666).
    • Fixed a bug where the remote Podman client's podman build -f - ... command did not read a Containerfile from STDIN (#10621).
    • Fixed a bug where the podman container restore --import command would fail to restore checkpoints created from privileged containers (#10615).
    • Fixed a bug where Podman was not respecting the TMPDIR environment variable when pulling images (#10698).
    • Fixed a bug where a number of Podman commands did not properly support using Go templates as an argument to the --format option.

    API

    • Fixed a bug where the Compat Inspect endpoint for Containers did not include information on container healthchecks (#10457).
    • Fixed a bug where the Libpod and Compat Build endpoints for Images did not properly handle the devices query parameter (#10614).

    Misc

    • Fixed a bug where the Makefile's make podman-remote-static target to build a statically-linked podman-remote binary was instead producing dynamic binaries (#10656).
    • Updated the containers/common library to v0.38.11
  • v3.2.1 (Jun 14, 2021)

    Changes

    • Podman now allows corrupt images (e.g. from restarting the system during an image pull) to be replaced by a podman pull of the same image (instead of requiring they be removed first, then re-pulled).

    Bugfixes

    • Fixed a bug where Podman would fail to start containers if a Seccomp profile was not available at /usr/share/containers/seccomp.json (#10556).
    • Fixed a bug where the podman machine start command failed on OS X machines with the AMD64 architecture and certain QEMU versions (#10555).
    • Fixed a bug where Podman would always use the slow path for joining the rootless user namespace.
    • Fixed a bug where the podman stats command would fail on Cgroups v1 systems when run on a container running systemd (#10602).
    • Fixed a bug where pre-checkpoint support for podman container checkpoint did not function correctly.
    • Fixed a bug where the remote Podman client's podman build command did not properly handle the -f option (#9871).
    • Fixed a bug where the remote Podman client's podman run command would sometimes not resize the container's terminal before execution began (#9859).
    • Fixed a bug where the --filter option to the podman image prune command was nonfunctional.
    • Fixed a bug where the podman logs -f command would exit before all output for a container was printed when the k8s-file log driver was in use (#10596).
    • Fixed a bug where Podman would not correctly detect that systemd-resolved was in use on the host and adjust DNS servers in the container appropriately under some circumstances (#10570).
    • Fixed a bug where the podman network connect and podman network disconnect commands acted improperly when containers were in the Created state, marking the changes as done but not actually performing them.

    API

    • Fixed a bug where the Compat and Libpod Prune endpoints for Networks returned null, instead of an empty array, when nothing was pruned.
    • Fixed a bug where the Create API for Images would continue to pull images even if a client closed the connection mid-pull (#7558).
    • Fixed a bug where the Events API did not include some information (including labels) when sending events.
    • Fixed a bug where the Events API would, when streaming was not requested, send at most one event (#10529).

    Misc

    • Updated the containers/common library to v0.38.9
  • v3.2.0 (Jun 3, 2021)

    Features

    • Docker Compose is now supported with rootless Podman (#9169).
    • The podman network connect, podman network disconnect, and podman network reload commands have been enabled for rootless Podman.
    • An experimental new set of commands, podman machine, was added to assist in managing virtual machines containing a Podman server. These are intended for easing the use of Podman on OS X by handling the creation of a Linux VM for running Podman.
    • The podman generate kube command can now be run on Podman named volumes (generating PersistentVolumeClaim YAML), in addition to pods and containers.
    • The podman play kube command now supports two new options, --ip and --mac, to set static IPs and MAC addresses for created pods (#8442 and #9731).
    • The podman play kube command's support for PersistentVolumeClaim YAML has been greatly improved.
    • The podman generate kube command now preserves the label used by podman auto-update to identify containers to update as a Kubernetes annotation, and the podman play kube command will convert this annotation back into a label. This allows podman auto-update to be used with containers created by podman play kube.
    • The podman play kube command now supports Kubernetes secretRef YAML (using the secrets support from podman secret) for environment variables.
    • Secrets can now be added to containers as environment variables using the type=env option to the --secret flag to podman create and podman run.
    • The podman start command now supports the --all option, allowing all containers to be started simultaneously with a single command. The --filter option has also been added to filter which containers to start when --all is used.
    • Filtering containers with the --filter option to podman ps and podman start now supports a new filter, restart-policy, to filter containers based on their restart policy.
    • The --group-add option to rootless podman run and podman create now accepts a new value, keep-groups, which instructs Podman to retain the supplemental groups of the user running Podman in the created container. This is only supported with the crun OCI runtime.
    • The podman run and podman create commands now support a new option, --timeout. This sets a maximum time the container is allowed to run, after which it is killed (#6412).
    • The podman run and podman create commands now support a new option, --pidfile. This will create a file when the container is started containing the PID of the first process in the container.
    • The podman run and podman create commands now support a new option, --requires. The --requires option adds dependency containers - containers that must be running before the current container. Commands like podman start will automatically start the requirements of a container before starting the container itself.
    • Auto-updating containers can now be done with locally-built images, not just images hosted on a registry, by creating containers with the io.containers.autoupdate label set to local.
    • Podman now supports the Container Device Interface (CDI) standard.
    • Podman now adds an entry to /etc/hosts, host.containers.internal, pointing to the current gateway (which, for root containers, is usually a bridge interface on the host system) (#5651).
    • The podman ps, podman pod ps, podman network list, podman secret list, and podman volume list commands now support a --noheading option, which will cause Podman to omit the heading line including column names.
    • The podman unshare command now supports a new flag, --rootless-cni, to join the rootless network namespace. This allows commands to be run in the same network environment as rootless containers with CNI networking.
    • The --security-opt unmask= option to podman run and podman create now supports glob operations to unmask a group of paths at once (e.g. podman run --security-opt unmask=/proc/* ... will unmask all paths in /proc in the container).
    • The podman network prune command now supports a --filter option to filter which networks will be pruned.

    Changes

    • The change in Podman 3.1.2 where the :z and :Z mount options for volumes were ignored for privileged containers has been reverted after discussion in #10209.
    • Podman's rootless CNI functionality no longer requires a sidecar container! The removal of the requirement for the rootless-cni-infra container means that rootless CNI is now usable on all architectures, not just AMD64, and no longer requires pulling an image (#8709).
    • The Image handling code used by Podman has seen a major rewrite to improve code sharing with our other projects, Buildah and CRI-O. This should result in fewer bugs and performance gains in the long term. Work on this is still ongoing.
    • The podman auto-update command now prunes previous versions of images after updating if they are unused, to prevent disk exhaustion after repeated updates (#10190).
    • The podman play kube command now treats environment variables configured as references to a ConfigMap as mandatory unless the optional parameter was set; this better matches the behavior of Kubernetes.
    • Podman now supports the --context=default flag from Docker as a no-op for compatibility purposes.
    • When Podman is run as root, but without CAP_SYS_ADMIN being available, it will run in a user namespace using the same code as rootless Podman (instead of failing outright).
    • The podman info command now includes the path of the Seccomp profile Podman is using, available cgroup controllers, and whether Podman is connected to a remote service or running containers locally.
    • Containers created with the --rm option now automatically use the volatile storage flag when available for their root filesystems, causing them to write changes to disk less often, since they will be removed at completion anyway. This should result in improved performance.
    • The podman generate systemd --new command will now include environment variables referenced by the container in generated unit files if the value would be looked up from the system environment.
    • Podman now requires that Conmon v2.0.24 be available.

    Bugfixes

    • Fixed a bug where the remote Podman client's podman build command did not support the --arch, --platform, and --os options.
    • Fixed a bug where the remote Podman client's podman build command ignored the --rm=false option (#9869).
    • Fixed a bug where the remote Podman client's podman build --iidfile command could include extra output (in addition to just the image ID) in the image ID file written (#10233).
    • Fixed a bug where the remote Podman client's podman build command did not preserve hardlinks when moving files into the container via COPY instructions (#9893).
    • Fixed a bug where the podman generate systemd --new command could generate extra --iidfile arguments if the container was already created with one.
    • Fixed a bug where the podman generate systemd --new command would generate unit files that did not include RequiresMountsFor lines (#10493).
    • Fixed a bug where the podman generate kube command produced incorrect YAML for containers which bind-mounted both / and /root from the host system into the container (#9764).
    • Fixed a bug where pods created by podman play kube from YAML that specified ShareProcessNamespace would only share the PID namespace (and not also the UTS, Network, and IPC namespaces) (#9128).
    • Fixed a bug where the podman network reload command could generate spurious error messages when iptables-nft was in use.
    • Fixed a bug where rootless Podman could fail to attach to containers when the user running Podman had a large UID.
    • Fixed a bug where the podman ps command could fail with a no such container error due to a race condition with container removal (#10120).
    • Fixed a bug where containers using the slirp4netns network mode and setting a custom slirp4netns subnet while using the rootlesskit port forwarder would not be able to forward ports (#9828).
    • Fixed a bug where the --filter ancestor= option to podman ps did not require an exact match of the image name/ID to include a container in its results.
    • Fixed a bug where the --filter until= option to podman image prune would prune images created after the specified time (instead of before).
    • Fixed a bug where setting a custom Seccomp profile via the seccomp_profile option in containers.conf had no effect, and the default profile was used instead.
    • Fixed a bug where the --cgroup-parent option to podman create and podman run was ignored in rootless Podman on cgroups v2 systems with the cgroupfs cgroup manager (#10173).
    • Fixed a bug where the IMAGE and NAME variables in podman container runlabel were not being correctly substituted (#10192).
    • Fixed a bug where Podman could freeze when creating containers with a specific combination of volumes and working directory (#10216).
    • Fixed a bug where rootless Podman containers restarted by restart policy (e.g. containers created with --restart=always) would lose networking after being restarted (#8047).
    • Fixed a bug where the podman cp command could not copy files into containers created with the --pid=host flag (#9985).
    • Fixed a bug where filters to the podman events command could not be specified twice (if a filter is specified more than once, it will match if any of the given values match, i.e. a logical OR) (#10507).
    • Fixed a bug where Podman would include IPv6 nameservers in resolv.conf in containers without IPv6 connectivity (#10158).
    • Fixed a bug where containers could not be created with static IP addresses when connecting to a network using the macvlan driver (#10283).

    API

    • Fixed a bug where the Compat Create endpoint for Containers did not allow advanced network options to be set (#10110).
    • Fixed a bug where the Compat Create endpoint for Containers ignored static IP information provided in the IPAMConfig block (#10245).
    • Fixed a bug where the Compat Inspect endpoint for Containers returned null (instead of an empty list) for Networks when the container was not joined to a CNI network (#9837).
    • Fixed a bug where the Compat Wait endpoint for Containers could miss containers exiting if they were immediately restarted.
    • Fixed a bug where the Compat Create endpoint for Volumes required that the user provide a name for the new volume (#9803).
    • Fixed a bug where the Libpod Info handler would sometimes not return the correct path to the Podman API socket.
    • Fixed a bug where the Compat Events handler used the wrong name for container exited events (died instead of die) (#10168).
    • Fixed a bug where the Compat Push endpoint for Images could leak goroutines if the remote end closed the connection prematurely.

    Misc

    • Updated Buildah to v1.21.0
    • Updated the containers/common library to v0.38.5
    • Updated the containers/storage library to v1.31.3
  • v3.2.0-rc3 (May 26, 2021)

    This is the third release candidate for Podman v3.2.0. We expect it will be the final RC.

    Preliminary release notes follow:

    Features

    • Docker Compose is now supported with rootless Podman (#9169).
    • The podman network connect, podman network disconnect, and podman network reload commands have been enabled for rootless Podman.
    • An experimental new set of commands, podman machine, was added to assist in managing virtual machines containing a Podman server. These are intended for easing the use of Podman on OS X by handling the creation of a Linux VM for running Podman.
    • The podman generate kube command can now be run on Podman named volumes (generating PersistentVolumeClaim YAML), in addition to pods and containers.
    • The podman play kube command now supports two new options, --ip and --mac, to set static IPs and MAC addresses for created pods (#8442 and #9731).
    • The podman play kube command's support for PersistentVolumeClaim YAML has been greatly improved.
    • The podman generate kube command now preserves the label used by podman auto-update to identify containers to update as a Kubernetes annotation, and the podman play kube command will convert this annotation back into a label. This allows podman auto-update to be used with containers created by podman play kube.
    • The podman play kube command now supports Kubernetes secretRef YAML (using the secrets support from podman secret) for environment variables.
    • Secrets can now be added to containers as environment variables using the type=env option to the --secret flag to podman create and podman run.
    • The podman start command now supports the --all option, allowing all containers to be started simultaneously with a single command. The --filter option has also been added to filter which containers to start when --all is used.
    • Filtering containers with the --filter option to podman ps and podman start now supports a new filter, restart-policy, to filter containers based on their restart policy.
    • The --group-add option to rootless podman run and podman create now accepts a new value, keep-groups, which instructs Podman to retain the supplemental groups of the user running Podman in the created container. This is only supported with the crun OCI runtime.
    • The podman run and podman create commands now support a new option, --timeout. This sets a maximum time the container is allowed to run, after which it is killed (#6412).
    • The podman run and podman create commands now support a new option, --pidfile. This will create a file when the container is started containing the PID of the first process in the container.
    • The podman run and podman create commands now support a new option, --requires. The --requires option adds dependency containers - containers that must be running before the current container. Commands like podman start will automatically start the requirements of a container before starting the container itself.
    • Auto-updating containers can now be done with locally-built images, not just images hosted on a registry, by creating containers with the io.containers.autoupdate label set to local.
    • Podman now supports the Container Device Interface (CDI) standard.
    • Podman now adds an entry to /etc/hosts, host.containers.internal, pointing to the current gateway (which, for root containers, is usually a bridge interface on the host system) (#5651).
    • The podman ps, podman pod ps, podman network list, podman secret list, and podman volume list commands now support a --noheading option, which will cause Podman to omit the heading line including column names.
    • The podman unshare command now supports a new flag, --rootless-cni, to join the rootless network namespace. This allows commands to be run in the same network environment as rootless containers with CNI networking.
    • The --security-opt unmask= option to podman run and podman create now supports glob operations to unmask a group of paths at once (e.g. podman run --security-opt unmask=/proc/* ... will unmask all paths in /proc in the container).
    • The podman network prune command now supports a --filter option to filter which networks will be pruned.

    Changes

    • The change in Podman 3.1.2 where the :z and :Z mount options for volumes were ignored for privileged containers has been reverted after discussion in #10209.
    • Podman's rootless CNI functionality no longer requires a sidecar container! The removal of the requirement for the rootless-cni-infra container means that rootless CNI is now usable on all architectures, not just AMD64, and no longer requires pulling an image (#8709).
    • The Image handling code used by Podman has seen a major rewrite to improve code sharing with our other projects, Buildah and CRI-O. This should result in fewer bugs and performance gains in the long term. Work on this is still ongoing.
    • The podman auto-update command now prunes previous versions of images after updating if they are unused, to prevent disk exhaustion after repeated updates (#10190).
    • The podman play kube command now treats environment variables configured as references to a ConfigMap as mandatory unless the optional parameter was set; this better matches the behavior of Kubernetes.
    • Podman now supports the --context=default flag from Docker as a no-op for compatibility purposes.
    • When Podman is run as root, but without CAP_SYS_ADMIN being available, it will run in a user namespace using the same code as rootless Podman (instead of failing outright).
    • The podman info command now includes the path of the Seccomp profile Podman is using, available cgroup controllers, and whether Podman is connected to a remote service or running containers locally.
    • Containers created with the --rm option now automatically use the volatile storage flag when available for their root filesystems, causing them to write changes to disk less often, since they will be removed at completion anyway. This should result in improved performance.
    • The podman generate systemd --new command will now include environment variables referenced by the container in generated unit files if the value would be looked up from the system environment.
    • Podman now requires that Conmon v2.0.24 be available.

    Bugfixes

    • Fixed a bug where the remote Podman client's podman build command did not support the --arch, --platform, and --os options.
    • Fixed a bug where the remote Podman client's podman build command ignored the --rm=false option (#9869).
    • Fixed a bug where the remote Podman client's podman build --iidfile command could include extra output (in addition to just the image ID) in the image ID file written (#10233).
    • Fixed a bug where the remote Podman client's podman build command did not preserve hardlinks when moving files into the container via COPY instructions (#9893).
    • Fixed a bug where the podman generate systemd --new command could generate extra --iidfile arguments if the container was already created with one.
    • Fixed a bug where the podman generate kube command produced incorrect YAML for containers which bind-mounted both / and /root from the host system into the container (#9764).
    • Fixed a bug where pods created by podman play kube from YAML that specified ShareProcessNamespace would only share the PID namespace (and not also the UTS, Network, and IPC namespaces) (#9128).
    • Fixed a bug where the podman network reload command could generate spurious error messages when iptables-nft was in use.
    • Fixed a bug where rootless Podman could fail to attach to containers when the user running Podman had a large UID.
    • Fixed a bug where the podman ps command could fail with a no such container error due to a race condition with container removal (#10120).
    • Fixed a bug where containers using the slirp4netns network mode and setting a custom slirp4netns subnet while using the rootlesskit port forwarder would not be able to forward ports (#9828).
    • Fixed a bug where the --filter ancestor= option to podman ps did not require an exact match of the image name/ID to include a container in its results.
    • Fixed a bug where the --filter until= option to podman image prune would prune images created after the specified time (instead of before).
    • Fixed a bug where setting a custom Seccomp profile via the seccomp_profile option in containers.conf had no effect, and the default profile was used instead.
    • Fixed a bug where the --cgroup-parent option to podman create and podman run was ignored in rootless Podman on cgroups v2 systems with the cgroupfs cgroup manager (#10173).
    • Fixed a bug where the IMAGE and NAME variables in podman container runlabel were not being correctly substituted (#10192).
    • Fixed a bug where Podman could freeze when creating containers with a specific combination of volumes and working directory (#10216).
    • Fixed a bug where rootless Podman containers restarted by restart policy (e.g. containers created with --restart=always) would lose networking after being restarted (#8047).
    • Fixed a bug where the podman cp command could not copy files into containers created with the --pid=host flag (#9985).

    API

    • Fixed a bug where the Compat Create endpoint for Containers did not allow advanced network options to be set (#10110).
    • Fixed a bug where the Compat Create endpoint for Containers ignored static IP information provided in the IPAMConfig block (#10245).
    • Fixed a bug where the Compat Inspect endpoint for Containers returned null (instead of an empty list) for Networks when the container was not joined to a CNI network (#9837).
    • Fixed a bug where the Compat Wait endpoint for Containers could miss containers exiting if they were immediately restarted.
    • Fixed a bug where the Compat Create endpoint for Volumes required that the user provide a name for the new volume (#9803).
    • Fixed a bug where the Libpod Info handler would sometimes not return the correct path to the Podman API socket.
    • Fixed a bug where the Compat Events handler used the wrong name for container exited events (died instead of die) (#10168).

    Misc

    • Updated Buildah to v1.21.0
    • Updated the containers/common library to v0.38.4
    • Updated the containers/storage library to v1.31.1
  • v3.2.0-rc2 (May 20, 2021)

    This is the second release candidate for Podman v3.2.0. We expect a final RC early next week, and a final release late next week if all goes well.

    Preliminary release notes follow:

    Features

    • Docker Compose is now supported with rootless Podman (#9169).
    • The podman network connect, podman network disconnect, and podman network reload commands have been enabled for rootless Podman.
    • An experimental new set of commands, podman machine, was added to assist in managing virtual machines containing a Podman server. These are intended for easing the use of Podman on OS X by handling the creation of a Linux VM for running Podman.
    • The podman generate kube command can now be run on Podman named volumes (generating PersistentVolumeClaim YAML), in addition to pods and containers.
    • The podman play kube command now supports two new options, --ip and --mac, to set static IPs and MAC addresses for created pods (#8442 and #9731).
    • The podman play kube command's support for PersistentVolumeClaim YAML has been greatly improved.
    • The podman generate kube command now preserves the label used by podman auto-update to identify containers to update as a Kubernetes annotation, and the podman play kube command will convert this annotation back into a label. This allows podman auto-update to be used with containers created by podman play kube.
    • The podman play kube command now supports Kubernetes secretRef YAML (using the secrets support from podman secret) for environment variables.
    • Secrets can now be added to containers as environment variables using the type=env option to the --secret flag to podman create and podman run.
    • The podman start command now supports the --all option, allowing all containers to be started simultaneously with a single command. The --filter option has also been added to filter which containers to start when --all is used.
    • Filtering containers with the --filter option to podman ps and podman start now supports a new filter, restart-policy, to filter containers based on their restart policy.
    • The --group-add option to rootless podman run and podman create now accepts a new value, keep-groups, which instructs Podman to retain the supplemental groups of the user running Podman in the created container. This is only supported with the crun OCI runtime.
    • The podman run and podman create commands now support a new option, --timeout. This sets a maximum time the container is allowed to run, after which it is killed (#6412).
    • The podman run and podman create commands now support a new option, --pidfile. This will create a file when the container is started containing the PID of the first process in the container.
    • The podman run and podman create commands now support a new option, --requires. The --requires option adds dependency containers - containers that must be running before the current container. Commands like podman start will automatically start the requirements of a container before starting the container itself.
    • Auto-updating containers can now be done with locally-built images, not just images hosted on a registry, by creating containers with the io.containers.autoupdate label set to local.
    • Podman now supports the Container Device Interface (CDI) standard.
    • Podman now adds an entry to /etc/hosts, host.containers.internal, pointing to the current gateway (which, for root containers, is usually a bridge interface on the host system) (#5651).
    • The podman ps, podman pod ps, podman network list, podman secret list, and podman volume list commands now support a --noheading option, which will cause Podman to omit the heading line including column names.
    • The podman unshare command now supports a new flag, --rootless-cni, to join the rootless network namespace. This allows commands to be run in the same network environment as rootless containers with CNI networking.
    • The --security-opt unmask= option to podman run and podman create now supports glob operations to unmask a group of paths at once (e.g. podman run --security-opt unmask=/proc/* ... will unmask all paths in /proc in the container).
    • The podman network prune command now supports a --filter option to filter which networks will be pruned.

    Changes

    • The change in Podman 3.1.2 where the :z and :Z mount options for volumes were ignored for privileged containers has been reverted after discussion in #10209.
    • Podman's rootless CNI functionality no longer requires a sidecar container! The removal of the requirement for the rootless-cni-infra container means that rootless CNI is now usable on all architectures, not just AMD64, and no longer requires pulling an image (#8709).
    • The Image handling code used by Podman has seen a major rewrite to improve code sharing with our other projects, Buildah and CRI-O. This should result in fewer bugs and performance gains in the long term. Work on this is still ongoing.
    • The podman auto-update command now prunes previous versions of images after updating if they are unused, to prevent disk exhaustion after repeated updates (#10190).
    • The podman play kube command now treats environment variables configured as references to a ConfigMap as mandatory unless the optional parameter was set; this better matches the behavior of Kubernetes.
    • Podman now supports the --context=default flag from Docker as a no-op for compatibility purposes.
    • When Podman is run as root, but without CAP_SYS_ADMIN being available, it will run in a user namespace using the same code as rootless Podman (instead of failing outright).
    • The podman info command now includes the path of the Seccomp profile Podman is using, and whether Podman is connected to a remote service or running containers locally.
    • Containers created with the --rm option now automatically use the volatile storage flag when available for their root filesystems, causing them not to write changes to disk as often as they will be removed at completion anyways. This should result in improved performance.
    • The podman generate systemd --new command will now include environment variables referenced by the container in generated unit files if the value would be looked up from the system environment.
    • Podman now requires that Conmon v2.0.24 be available.

    Bugfixes

    • Fixed a bug where the remote Podman client's podman build command did not support the --arch, --platform, and --os options.
    • Fixed a bug where the remote Podman client's podman build command ignored the --rm=false option (#9869).
    • Fixed a bug where the podman generate systemd --new command could generate extra --iidfile arguments if the container was already created with one.
    • Fixed a bug where the podman generate kube command produced incorrect YAML for containers which bind-mounted both / and /root from the host system into the container (#9764).
    • Fixed a bug where pods created by podman play kube from YAML that specified ShareProcessNamespace would only share the PID namespace (and not also the UTS, Network, and IPC namespaces) (#9128).
    • Fixed a bug where the podman network reload command could generate spurious error messages when iptables-nft was in use.
    • Fixed a bug where rootless Podman could fail to attach to containers when the user running Podman had a large UID.
    • Fixed a bug where the podman ps command could fail with a no such container error due to a race condition with container removal (#10120).
    • Fixed a bug where containers using the slirp4netns network mode and setting a custom slirp4netns subnet while using the rootlesskit port forwarder would not be able to forward ports (#9828).
    • Fixed a bug where the --filter ancestor= option to podman ps did not require an exact match of the image name/ID to include a container in its results.
    • Fixed a bug where the --filter until= option to podman image prune would prune images created after the specified time (instead of before).
    • Fixed a bug where setting a custom Seccomp profile via the seccomp_profile option in containers.conf had no effect, and the default profile was used instead.
    • Fixed a bug where the --cgroup-parent option to podman create and podman run was ignored in rootless Podman on cgroups v2 systems with the cgroupfs cgroup manager (#10173).
    • Fixed a bug where the IMAGE and NAME variables in podman container runlabel were not being correctly substituted (#10192).
    • Fixed a bug where the remote Podman client's podman build --iidfile command could include extra output (in addition to just the image ID) in the image ID file written (#10233).
    • Fixed a bug where Podman could freeze when creating containers with a specific combination of volumes and working directory (#10216).
    • Fixed a bug where rootless Podman containers restarted by restart policy (e.g. containers created with --restart=always) would lose networking after being restarted (#8047).

    API

    • Fixed a bug where the Compat Create endpoint for Containers did not allow advanced network options to be set (#10110).
    • Fixed a bug where the Compat Create endpoint for Containers ignored static IP information provided in the IPAMConfig block (#10245).
    • Fixed a bug where the Compat Inspect endpoint for Containers returned null (instead of an empty list) for Networks when the container was not joined to a CNI network (#9837).
    • Fixed a bug where the Compat Wait endpoint for Containers could miss containers exiting if they were immediately restarted.
    • Fixed a bug where the Compat Create endpoint for Volumes required that the user provide a name for the new volume (#9803).
    • Fixed a bug where the Libpod Info handler would sometimes not return the correct path to the Podman API socket.
    • Fixed a bug where the Compat Events handler used the wrong name for container exited events (died instead of die) (#10168).

    Misc

    • Updated Buildah to v1.21.0
    • Updated the containers/common library to v0.38.4
    • Updated the containers/storage library to v1.31.1
  • v3.2.0-rc1(May 5, 2021)

    This is the first release candidate for the Podman v3.2.0 release. Podman 3.2.0 features improved rootless networking (including support for rootless Docker compose), a rewritten image backend, and numerous other changes.

    Full release notes will be available with the release of RC2 next week.

  • v3.1.2(Apr 21, 2021)

    Bugfixes

    • Fixed a bug where images with empty layers were stored incorrectly, causing them to be unable to be pushed or saved.
    • Fixed a bug where the podman rmi command could fail to remove corrupt images from storage.
    • Fixed a bug where the remote Podman client's podman save command did not support the oci-dir and docker-dir formats (#9742).
    • Fixed a bug where volume mounts from podman play kube created with a trailing / in the container path were not properly superseding named volumes from the image (#9618).
    • Fixed a bug where Podman could fail to build on 32-bit architectures.

    Misc

    • Updated the containers/image library to v5.11.1
    podman-remote-release-darwin.zip(14.78 MB)
    podman-remote-release-windows.zip(15.88 MB)
    podman-remote-static.tar.gz(15.25 MB)
    podman-v3.1.2.msi(16.42 MB)
    shasums(377 bytes)
  • v3.1.1(Apr 16, 2021)

    Changes

    • Podman now recognizes trace as a valid argument to the --log-level command. Trace logging is now the most verbose level of logging available.
    • The :z and :Z options for volume mounts are now ignored when the container is privileged or is run with SELinux isolation disabled (--security-opt label=disable). This better matches Docker's behavior in this case.

    Bugfixes

    • Fixed a bug where pruning images with the podman image prune or podman system prune commands could cause Podman to panic.
    • Fixed a bug where the podman save command did not properly error when the --compress flag was used with incompatible format types.
    • Fixed a bug where the --security-opt and --ulimit options to the remote Podman client's podman build command were nonfunctional.
    • Fixed a bug where the --log-rusage option to the remote Podman client's podman build command was nonfunctional (#9489).
    • Fixed a bug where the podman build command could, in some circumstances, use the wrong OCI runtime (#9459).
    • Fixed a bug where the remote Podman client's podman build command could return 0 despite failing (#10029).
    • Fixed a bug where the podman container runlabel command did not properly expand the IMAGE and NAME variables in the label (#9405).
    • Fixed a bug where poststop OCI hooks would be executed twice on containers started with the --rm argument (#9983).
    • Fixed a bug where rootless Podman could fail to launch containers on cgroups v2 systems when the cgroupfs cgroup manager was in use.
    • Fixed a bug where the podman stats command could error when statistics tracked exceeded the maximum size of a 32-bit signed integer (#9979).
    • Fixed a bug where rootless Podman containers run with --userns=keepid (without a --user flag in addition) would grant exec sessions run in them too many capabilities (#9919).
    • Fixed a bug where the --authfile option to podman build did not validate that the path given existed (#9572).
    • Fixed a bug where the --storage-opt option to Podman was appending to, instead of overriding (as is documented), the default storage options.
    • Fixed a bug where the podman system service connection did not function properly when run in a socket-activated systemd unit file as a non-root user.
    • Fixed a bug where the --network option to the podman play kube command of the remote Podman client was being ignored (#9698).
    • Fixed a bug where the --log-driver option to the podman play kube command was nonfunctional (#10015).

    API

    • Fixed a bug where the Libpod Create endpoint for Manifests did not properly validate the image the manifest was being created with.
    • Fixed a bug where the Libpod DF endpoint could, in error cases, append an extra null to the JSON response, causing decode errors.
    • Fixed a bug where the Libpod and Compat Top endpoint for Containers would return process names that included extra whitespace.
    • Fixed a bug where the Compat Prune endpoint for Containers accepted too many types of filter.

    Misc

    • Updated Buildah to v1.20.1
    • Updated the containers/storage library to v1.29.0
    • Updated the containers/image library to v5.11.0
    • Updated the containers/common library to v0.36.0
    podman-remote-release-darwin.zip(14.94 MB)
    podman-remote-release-windows.zip(15.79 MB)
    podman-remote-static.tar.gz(15.40 MB)
    podman-v3.1.0.msi(16.33 MB)
    shasums(377 bytes)
  • v3.1.0(Mar 30, 2021)

    Features

    • A set of new commands has been added to manage secrets! The podman secret create, podman secret inspect, podman secret ls and podman secret rm commands have been added to handle secrets, along with the --secret option to podman run and podman create to add secrets to containers. The initial driver for secrets does not support encryption - this will be added in a future release.
    • A new command to prune networks, podman network prune, has been added (#8673).
    • The -v option to podman run and podman create now supports a new volume option, :U, to chown the volume's source directory on the host to match the UID and GID of the container and prevent permissions issues (#7778).
    • Three new commands, podman network exists, podman volume exists, and podman manifest exists, have been added to check for the existence of networks, volumes, and manifest lists.
    • The podman cp command can now copy files into directories mounted as tmpfs in a running container.
    • The podman volume prune command will now list volumes that will be pruned when prompting the user whether to continue and perform the prune (#8913).
    • The Podman remote client's podman build command now supports the --disable-compression, --excludes, and --jobs options.
    • The Podman remote client's podman push command now supports the --format option.
    • The Podman remote client's podman rm command now supports the --all and --ignore options.
    • The Podman remote client's podman search command now supports the --no-trunc and --list-tags options.
    • The podman play kube command can now read in Kubernetes YAML from STDIN when - is specified as file name (podman play kube -), allowing input to be piped into the command for scripting (#8996).
    • The podman generate systemd command now supports a --no-header option, which disables creation of the header comment automatically added by Podman to generated unit files.
    • The podman generate kube command can now generate PersistentVolumeClaim YAML for Podman named volumes (#5788).
    • The podman generate kube command can now generate YAML files containing multiple resources (pods or deployments) (#9129).

    Security

    • This release resolves CVE-2021-20291, a deadlock vulnerability in the storage library caused by pulling a specially-crafted container image.

    Changes

    • The Podman remote client's podman build command no longer allows the -v flag to be used. Volumes are not yet supported with remote Podman when the client and service are on different machines.
    • The podman kill and podman stop commands now print the name given by the user for each container, instead of the full ID.
    • When the --security-opt unmask=ALL or --security-opt unmask=/sys/fs/cgroup options to podman create or podman run are given, Podman will mount cgroups into the container as read-write, instead of read-only (#8441).
    • The podman rmi command has been changed to better handle cases where an image is incomplete or corrupted, which can be caused by interrupted image pulls.
    • The podman rename command has been improved to be more atomic, eliminating many race conditions that could potentially render a renamed container unusable.
    • Detection of which OCI runtimes run using virtual machines and thus require custom SELinux labelling has been improved (#9582).
    • The hidden --trace option to podman has been turned into a no-op. It was used in very early versions for performance tracing, but has not been supported for some time.
    • The podman generate systemd command now generates RequiresMountsFor lines to ensure necessary storage directories are mounted before systemd starts Podman.
    • Podman will now emit a warning when --tty and --interactive are both passed, but STDIN is not a TTY. This will be made into an error in the next major Podman release some time next year.

    Bugfixes

    • Fixed a bug where rootless Podman containers joined to CNI networks could not receive traffic from forwarded ports (#9065).
    • Fixed a bug where podman network create with the --macvlan flag did not honor the --gateway, --subnet, and --opt options (#9167).
    • Fixed a bug where the podman generate kube command generated invalid YAML for privileged containers (#8897).
    • Fixed a bug where the podman generate kube command could not be used with containers that were not running.
    • Fixed a bug where the podman generate systemd command could duplicate some parameters to Podman in generated unit files (#9776).
    • Fixed a bug where Podman did not add annotations specified in containers.conf to containers.
    • Fixed a bug where Podman did not respect the no_hosts default in containers.conf when creating containers.
    • Fixed a bug where the --tail=0, --since, and --follow options to the podman logs command did not function properly when using the journald log backend.
    • Fixed a bug where specifying more than one container to podman logs when the journald log backend was in use did not function correctly.
    • Fixed a bug where the podman run and podman create commands would panic if a memory limit was set, but the swap limit was set to unlimited (#9429).
    • Fixed a bug where the --network option to podman run, podman create, and podman pod create would error if the user attempted to specify CNI networks by ID, instead of name (#9451).
    • Fixed a bug where Podman's cgroup handling for cgroups v1 systems did not properly handle cases where a cgroup existed on some, but not all, controllers, resulting in errors from the podman stats command (#9252).
    • Fixed a bug where the podman cp command did not properly handle cases where /dev/stdout was specified as the destination (it was treated identically to -) (#9362).
    • Fixed a bug where the podman cp command would create files with incorrect ownership (#9526).
    • Fixed a bug where the podman cp command did not properly handle cases where the destination directory did not exist.
    • Fixed a bug where the podman cp command did not properly evaluate symlinks when copying out of containers.
    • Fixed a bug where the podman rm -fa command would error when attempting to remove containers created with --rm (#9479).
    • Fixed a bug where the ordering of capabilities was nondeterministic in the CapDrop field of the output of podman inspect on a container (#9490).
    • Fixed a bug where the podman network connect command could be used with containers that were not initially connected to a CNI bridge network (e.g. containers created with --net=host) (#9496).
    • Fixed a bug where DNS search domains required by the dnsname CNI plugin were not being added to container's resolv.conf under some circumstances.
    • Fixed a bug where the --ignorefile option to podman build was nonfunctional (#9570).
    • Fixed a bug where the --timestamp option to podman build was nonfunctional (#9569).
    • Fixed a bug where the --iidfile option to podman build could cause Podman to panic if an error occurred during the build.
    • Fixed a bug where the --dns-search option to podman build was nonfunctional (#9574).
    • Fixed a bug where the --pull-never option to podman build was nonfunctional (#9573).
    • Fixed a bug where the --build-arg option to podman build would, when given a key but not a value, error (instead of attempting to look up the key as an environment variable) (#9571).
    • Fixed a bug where the --isolation option to podman build in the remote Podman client was nonfunctional.
    • Fixed a bug where the podman network disconnect command could cause errors when the container that had a network removed was stopped and its network was cleaned up (#9602).
    • Fixed a bug where the podman network rm command did not properly check what networks a container was present in, resulting in unexpected behavior if podman network connect or podman network disconnect had been used with the network (#9632).
    • Fixed a bug where some errors with stopping a container could cause Podman to panic, and the container to be stuck in an unusable stopping state (#9615).
    • Fixed a bug where the podman load command could return 0 even in cases where an error occurred (#9672).
    • Fixed a bug where specifying storage options to Podman using the --storage-opt option would override all storage options. Instead, storage options are now overridden only when the --storage-driver option is used to override the current graph driver (#9657).
    • Fixed a bug where containers created with --privileged could request more capabilities than were available to Podman.
    • Fixed a bug where podman commit did not use the TMPDIR environment variable to place temporary files created during the commit (#9825).
    • Fixed a bug where remote Podman could error when attempting to resize short-lived containers (#9831).
    • Fixed a bug where Podman was unusable on kernels built without CONFIG_USER_NS.
    • Fixed a bug where the ownership of volumes created by podman volume create and then mounted into a container could be incorrect (#9608).
    • Fixed a bug where Podman volumes using a volume plugin could not pass certain options, and could not be used as non-root users.
    • Fixed a bug where the --tz option to podman create and podman run did not properly validate its input.

    API

    • Fixed a bug where the X-Registry-Auth header did not accept null as a valid value.
    • A new compat endpoint, /auth, has been added. This endpoint validates credentials against a registry (#9564).
    • Fixed a bug where the compat Build endpoint for Images specified labels using the wrong type (array vs map). Both formats will be accepted now.
    • Fixed a bug where the compat Build endpoint for Images did not report that it successfully tagged the built image in its response.
    • Fixed a bug where the compat Create endpoint for Images did not provide progress information on pulling the image in its response.
    • Fixed a bug where the compat Push endpoint for Images did not properly handle the destination (used a query parameter, instead of a path parameter).
    • Fixed a bug where the compat Push endpoint for Images did not send the progress of the push and the digest of the pushed image in the response body.
    • Fixed a bug where the compat List endpoint for Networks returned null, instead of an empty array ([]), when no networks were present (#9293).
    • Fixed a bug where the compat List endpoint for Networks returned nulls, instead of empty maps, for networks that do not have Labels and/or Options.
    • The Libpod Inspect endpoint for networks (/libpod/network/$ID/json) now has an alias at /libpod/network/$ID (#9691).
    • Fixed a bug where the libpod Inspect endpoint for Networks returned a 1-size array of results, instead of a single result (#9690).
    • The Compat List endpoint for Networks now supports the legacy format for filters in parallel with the current filter format (#9526).
    • Fixed a bug where the compat Create endpoint for Containers did not properly handle tmpfs filesystems specified with options (#9511).
    • Fixed a bug where the compat Create endpoint for Containers did not create bind-mount source directories (#9510).
    • Fixed a bug where the compat Create endpoint for Containers did not properly handle the NanoCpus option (#9523).
    • Fixed a bug where the Libpod create endpoint for Containers had a misnamed field in its JSON.
    • Fixed a bug where the compat List endpoint for Containers did not populate information on forwarded ports (#9553).
    • Fixed a bug where the compat List endpoint for Containers did not populate information on container CNI networks (#9529).
    • Fixed a bug where the compat and libpod Stop endpoints for Containers would ignore a timeout of 0.
    • Fixed a bug where the compat and libpod Resize endpoints for Containers did not set the correct terminal sizes (dimensions were reversed) (#9756).
    • Fixed a bug where the compat Remove endpoint for Containers would not return 404 when attempting to remove a container that does not exist (#9675).
    • Fixed a bug where the compat Prune endpoint for Volumes would still prune even if an invalid filter was specified.
    • Numerous bugs related to filters have been addressed.

    Misc

    • Updated Buildah to v1.20.0
    • Updated the containers/storage library to v1.28.1
    • Updated the containers/image library to v5.10.5
    • Updated the containers/common library to v0.35.4
  • v3.1.0-rc2(Mar 23, 2021)

    This is the second release candidate for Podman v3.1.0.

    Preliminary release notes are below. Please note that these are subject to change until the final release.

    Features

    • A set of new commands has been added to manage secrets! The podman secret create, podman secret inspect, podman secret ls and podman secret rm commands have been added to handle secrets, along with the --secret option to podman run and podman create to add secrets to containers. The initial driver for secrets does not support encryption - this will be added in a future release.
    • A new command to prune networks, podman network prune, has been added (#8673).
    • The -v option to podman run and podman create now supports a new volume option, :U, to chown the volume's source directory on the host to match the UID and GID of the container and prevent permissions issues (#7778).
    • Three new commands, podman network exists, podman volume exists, and podman manifest exists, have been added to check for the existence of networks, volumes, and manifest lists.
    • The podman cp command can now copy files into directories mounted as tmpfs in a running container.
    • The podman volume prune command will now list volumes that will be pruned when prompting the user whether to continue and perform the prune (#8913).
    • The Podman remote client's podman build command now supports the --disable-compression, --excludes, and --jobs options.
    • The Podman remote client's podman push command now supports the --format option.
    • The Podman remote client's podman rm command now supports the --all and --ignore options.
    • The Podman remote client's podman search command now supports the --no-trunc and --list-tags options.
    • The podman play kube command can now read in Kubernetes YAML from STDIN when - is specified as file name (podman play kube -), allowing input to be piped into the command for scripting (#8996).
    • The podman generate systemd command now supports a --no-header option, which disables creation of the header comment automatically added by Podman to generated unit files.

    Changes

    • The Podman remote client's podman build command no longer allows the -v flag to be used. Volumes are not yet supported with remote Podman when the client and service are on different machines.
    • The podman kill and podman stop commands now print the name given by the user for each container, instead of the full ID.
    • When the --security-opt unmask=ALL or --security-opt unmask=/sys/fs/cgroup options to podman create or podman run are given, Podman will mount cgroups into the container as read-write, instead of read-only (#8441).
    • The podman rmi command has been changed to better handle cases where an image is incomplete or corrupted, which can be caused by interrupted image pulls.
    • The podman rename command has been improved to be more atomic, eliminating many race conditions that could potentially render a renamed container unusable.
    • Detection of which OCI runtimes run using virtual machines and thus require custom SELinux labelling has been improved (#9582).
    • The hidden --trace option to podman has been turned into a no-op. It was used in very early versions for performance tracing, but has not been supported for some time.

    Bugfixes

    • Fixed a bug where rootless Podman containers joined to CNI networks could not receive traffic from forwarded ports (#9065).
    • Fixed a bug where podman network create with the --macvlan flag did not honor the --gateway, --subnet, and --opt options (#9167).
    • Fixed a bug where the podman generate kube command generated invalid YAML for privileged containers (#8897).
    • Fixed a bug where the podman generate kube command could not be used with containers that were not running.
    • Fixed a bug where Podman did not add annotations specified in containers.conf to containers.
    • Fixed a bug where Podman did not respect the no_hosts default in containers.conf when creating containers.
    • Fixed a bug where the --tail=0, --since, and --follow options to the podman logs command did not function properly when using the journald log backend.
    • Fixed a bug where specifying more than one container to podman logs when the journald log backend was in use did not function correctly.
    • Fixed a bug where the podman run and podman create commands would panic if a memory limit was set, but the swap limit was set to unlimited (#9429).
    • Fixed a bug where the --network option to podman run, podman create, and podman pod create would error if the user attempted to specify CNI networks by ID, instead of name (#9451).
    • Fixed a bug where Podman's cgroup handling for cgroups v1 systems did not properly handle cases where a cgroup existed on some, but not all, controllers, resulting in errors from the podman stats command (#9252).
    • Fixed a bug where the podman cp command did not properly handle cases where /dev/stdout was specified as the destination (it was treated identically to -) (#9362).
    • Fixed a bug where the podman cp command would create files with incorrect ownership (#9526).
    • Fixed a bug where the podman cp command did not properly handle cases where the destination directory did not exist.
    • Fixed a bug where the podman cp command did not properly evaluate symlinks when copying out of containers.
    • Fixed a bug where the podman rm -fa command would error when attempting to remove containers created with --rm (#9479).
    • Fixed a bug where the ordering of capabilities was nondeterministic in the CapDrop field of the output of podman inspect on a container (#9490).
    • Fixed a bug where the podman network connect command could be used with containers that were not initially connected to a CNI bridge network (e.g. containers created with --net=host) (#9496).
    • Fixed a bug where DNS search domains required by the dnsname CNI plugin were not being added to the container's resolv.conf under some circumstances.
    • Fixed a bug where the --ignorefile option to podman build was nonfunctional (#9570).
    • Fixed a bug where the --timestamp option to podman build was nonfunctional (#9569).
    • Fixed a bug where the --iidfile option to podman build could cause Podman to panic if an error occurred during the build.
    • Fixed a bug where the --dns-search option to podman build was nonfunctional (#9574).
    • Fixed a bug where the --build-arg option to podman build would, when given a key but not a value, error (instead of attempting to look up the key as an environment variable) (#9571).
    • Fixed a bug where the podman network disconnect command could cause errors when the container that had a network removed was stopped and its network was cleaned up (#9602).
    • Fixed a bug where the podman network rm command did not properly check what networks a container was present in, resulting in unexpected behavior if podman network connect or podman network disconnect had been used with the network (#9632).
    • Fixed a bug where some errors with stopping a container could cause Podman to panic, and the container to be stuck in an unusable stopping state (#9615).
    • Fixed a bug where the podman load command could return 0 even in cases where an error occurred (#9672).
    • Fixed a bug where specifying storage options to Podman using the --storage-opt option would override all storage options. Instead, storage options are now overridden only when the --storage-driver option is used to override the current graph driver (#9657).
    • Fixed a bug where containers created with --privileged could request more capabilities than were available to Podman.

    API

    • Fixed a bug where the X-Registry-Auth header did not accept null as a valid value.
    • A new compat endpoint, /auth, has been added. This endpoint validates credentials against a registry (#9564).
    • Fixed a bug where the compat Build endpoint for Images specified labels using the wrong type (array vs map). Both formats will be accepted now.
    • Fixed a bug where the compat Build endpoint for Images did not report that it successfully tagged the built image in its response.
    • Fixed a bug where the compat Create endpoint for Images did not provide progress information on pulling the image in its response.
    • Fixed a bug where the compat Push endpoint for Images did not properly handle the destination (used a query parameter, instead of a path parameter).
    • Fixed a bug where the compat Push endpoint for Images did not send the progress of the push and the digest of the pushed image in the response body.
    • Fixed a bug where the compat List endpoint for Networks returned null, instead of an empty array ([]), when no networks were present (#9293).
    • Fixed a bug where the compat List endpoint for Networks returned nulls, instead of empty maps, for networks that do not have Labels and/or Options.
    • The Libpod Inspect endpoint for networks (/libpod/network/$ID/json) now has an alias at /libpod/network/$ID (#9691).
    • Fixed a bug where the libpod Inspect endpoint for Networks returned a 1-size array of results, instead of a single result (#9690).
    • The Compat List endpoint for Networks now supports the legacy format for filters in parallel with the current filter format (#9526).
    • Fixed a bug where the compat Create endpoint for Containers did not properly handle tmpfs filesystems specified with options (#9511).
    • Fixed a bug where the compat Create endpoint for Containers did not create bind-mount source directories (#9510).
    • Fixed a bug where the compat Create endpoint for Containers did not properly handle the NanoCpus option (#9523).
    • Fixed a bug where the compat List endpoint for Containers did not populate information on forwarded ports (#9553).
    • Fixed a bug where the compat List endpoint for Containers did not populate information on container CNI networks (#9529).
    • Fixed a bug where the compat and libpod Stop endpoints for Containers would ignore a timeout of 0.
    • Fixed a bug where the compat Remove endpoint for Containers would not return 404 when attempting to remove a container that does not exist (#9675).
    • Fixed a bug where the compat Prune endpoint for Volumes would still prune even if an invalid filter was specified.

    Misc

    • Updated Buildah to v1.19.8
    • Updated the containers/storage library to v1.28.0
    • Updated the containers/image library to v5.10.5
    • Updated the containers/common library to v0.35.3
  • v3.1.0-rc1(Mar 8, 2021)

  • v3.0.1(Feb 18, 2021)

    Changes

    • Several frequently-occurring WARN level log messages have been downgraded to INFO or DEBUG to not clutter terminal output.

    Bugfixes

    • Fixed a bug where the Created field of podman ps --format=json was formatted as a string instead of a Unix timestamp (integer) (#9315).
    • Fixed a bug where failing lookups of individual layers during the podman images command would cause the whole command to fail without printing output.
    • Fixed a bug where --cgroups=split did not function properly on cgroups v1 systems.
    • Fixed a bug where mounting a volume over a directory in the container that existed, but was empty, could fail (#9393).
    • Fixed a bug where mounting a volume over a directory in the container that existed could copy the entirety of the container's rootfs, instead of just the directory mounted over, into the volume (#9415).
    • Fixed a bug where Podman would treat the --entrypoint=[""] option to podman run and podman create as a literal empty string in the entrypoint, when instead it should have been ignored (#9377).
    • Fixed a bug where Podman would set the HOME environment variable to "" when the container ran as a user without an assigned home directory (#9378).
    • Fixed a bug where specifying a pod infra image that had no tags (by using its ID) would cause podman pod create to panic (#9374).
    • Fixed a bug where the --runtime option was not properly handled by the podman build command (#9365).
    • Fixed a bug where Podman would incorrectly print an error message related to the remote API when the remote API was not in use and starting Podman failed.
    • Fixed a bug where Podman would change ownership of a container's working directory, even if it already existed (#9387).
    • Fixed a bug where the podman generate systemd --new command would incorrectly escape %t when generating the path for the PID file (#9373).
    • Fixed a bug where Podman could, when run inside a Podman container with the host's containers/storage directory mounted into the container, erroneously detect a reboot and reset container state if the temporary directory was not also mounted in (#9191).
    • Fixed a bug where some options of the podman build command (including but not limited to --jobs) were nonfunctional (#9247).

    API

    • Fixed a breaking change to the Libpod Wait API for Containers where the Conditions parameter changed type in Podman v3.0 (#9351).
    • Fixed a bug where the Compat Create endpoint for Containers did not properly handle forwarded ports that did not specify a host port.
    • Fixed a bug where the Libpod Wait endpoint for Containers could write duplicate headers after an error occurred.
    • Fixed a bug where the Compat Create endpoint for Images would not pull images that already had a matching tag present locally, even if a more recent version was available at the registry (#9232).
    • The Compat Create endpoint for Images has had its compatibility with Docker improved, allowing its use with the docker-java library.

    Misc

    • Updated Buildah to v1.19.4
    • Updated the containers/storage library to v1.24.6
  • v3.0.0(Feb 11, 2021)

    Features

    • Podman now features initial support for Docker Compose.
    • Added the podman rename command, which allows containers to be renamed after they are created (#1925).
    • The Podman remote client now supports the podman copy command.
    • A new command, podman network reload, has been added. This command will re-configure the network of all running containers, and can be used to recreate firewall rules lost when the system firewall was reloaded (e.g. via firewall-cmd --reload).
    • Podman networks now have IDs. They can be seen in podman network ls and can be used when removing and inspecting networks. Existing networks receive IDs automatically.
    • Podman networks now also support labels. They can be added via the --label option to network create, and podman network ls can filter labels based on them.
    • The podman network create command now supports setting bridge MTU and VLAN through the --opt option (#8454).
    • The podman container checkpoint and podman container restore commands can now checkpoint and restore containers that include volumes.
    • The podman container checkpoint command now supports the --with-previous and --pre-checkpoint options, and the podman container restore command now supports the --import-previous option. These add support for two-step checkpointing with lowered dump times.
    • The podman push command can now push manifest lists. Podman will first attempt to push as an image, then fall back to pushing as a manifest list if that fails.
    • The podman generate kube command can now be run on multiple containers at once, and will generate a single pod containing all of them.
    • The podman generate kube and podman play kube commands now support Kubernetes DNS configuration, and will preserve custom DNS configuration when exporting or importing YAML (#9132).
    • The podman generate kube command now properly supports generating YAML for containers and pods created using host networking (--net=host) (#9077).
    • The podman kill command now supports a --cidfile option to kill containers given a file containing the container's ID (#8443).
    • The podman pod create command now supports the --net=none option (#9165).
    • The podman volume create command can now specify volume UID and GID as options with the UID and GID fields passed to the --opt option.
    • Initial support has been added for Docker Volume Plugins. Podman can now define available plugins in containers.conf and use them to create volumes with podman volume create --driver.
    • The podman run and podman create commands now support a new option, --platform, to specify the platform of the image to be used when creating the container.
    • The --security-opt option to podman run and podman create now supports the systempaths=unconfined option to unrestrict access to all paths in the container, as well as mask and unmask options to allow more granular restriction of container paths.
    • The podman stats --format command now supports a new format specifier, MemUsageBytes, which prints the raw bytes of memory consumed by a container without human-readable formatting (#8945).
    • The podman ps command can now filter containers based on what pod they are joined to via the pod filter (#8512).
    • The podman pod ps command can now filter pods based on what networks they are joined to via the network filter.
    • The podman pod ps command can now print information on what networks a pod is joined to via the .Networks specifier to the --format option.
    • The podman system prune command now supports filtering what containers, pods, images, and volumes will be pruned.
    • The podman volume prune command now supports filtering what volumes will be pruned.
    • The podman system prune command now includes information on space reclaimed (#8658).
    • The podman info command will now properly print information about packages in use on Gentoo and Arch systems.
    • The containers.conf file now contains an option for disabling creation of a new kernel keyring on container creation (#8384).
    • The podman image sign command can now sign multi-arch images by producing a signature for each image in a given manifest list.
    • The podman image sign command, when run as rootless, now supports per-user registry configuration files in $HOME/.config/containers/registries.d.
    • Configuration options for slirp4netns can now be set system-wide via the NetworkCmdOptions configuration option in containers.conf.
    • The MTU of slirp4netns can now be configured via the mtu= network command option (e.g. podman run --net slirp4netns:mtu=9000).

    Security

    • A fix for CVE-2021-20199 is included. Podman between v1.8.0 and v2.2.1 used 127.0.0.1 as the source address for all traffic forwarded into rootless containers by a forwarded port; this has been changed to address the issue.

    Changes

    • Shortname aliasing support has now been turned on by default. All Podman commands that must pull an image will, if a TTY is available, prompt the user about what image to pull.
    • The podman load command no longer accepts a NAME[:TAG] argument. The presence of this argument broke CLI compatibility with Docker by making docker load commands unusable with Podman (#7387).
    • The Go bindings for the HTTP API have been rewritten with a focus on limiting dependency footprint and improving extensibility. Read more here.
    • The legacy Varlink API has been completely removed from Podman.
    • The default log level for Podman has been changed from Error to Warn.
    • The podman network create command can now create macvlan networks using the --driver macvlan option for Docker compatibility. The existing --macvlan flag has been deprecated and will be removed in Podman 4.0 some time next year.
    • The podman inspect command has had the LogPath and LogTag fields moved into the LogConfig structure (from the root of the Inspect structure). The maximum size of the log file is also included.
    • The podman generate systemd command no longer generates unit files using the deprecated KillMode=none option (#8615).
    • The podman stop command now releases the container lock while waiting for it to stop - as such, commands like podman ps will no longer block until podman stop completes (#8501).
    • Networks created with podman network create --internal no longer use the dnsname plugin. This configuration never functioned as expected.
    • Error messages for the remote Podman client have been improved when it cannot connect to a Podman service.
    • Error messages for podman run when an invalid SELinux is specified have been improved.
    • Rootless Podman features improved support for containers with a single user mapped into the rootless user namespace.
    • Pod infra containers now respect default sysctls specified in containers.conf allowing for advanced configuration of the namespaces they will share.
    • SSH public key handling for remote Podman has been improved.

    Bugfixes

    • Fixed a bug where the podman history --no-trunc command would truncate the Created By field (#9120).
    • Fixed a bug where root containers that did not explicitly specify a CNI network to join did not generate an entry for the network in use in the Networks field of the output of podman inspect (#6618).
    • Fixed a bug where, under some circumstances, container working directories specified by the image (via the WORKDIR instruction) but not present in the image, would not be created (#9040).
    • Fixed a bug where the podman generate systemd command would generate invalid unit files if the container was created using a command line that included doubled braces ({{ and }}), e.g. --log-opt-tag={{.Name}} (#9034).
    • Fixed a bug where the podman generate systemd --new command could generate unit files including invalid Podman commands if the container was created using merged short options (e.g. podman run -dt) (#8847).
    • Fixed a bug where the podman generate systemd --new command could generate unit files that did not handle Podman commands including some special characters (e.g. $) (#9176).
    • Fixed a bug where rootless containers joining CNI networks could not set a static IP address (#7842).
    • Fixed a bug where rootless containers joining CNI networks could not set network aliases (#8567).
    • Fixed a bug where the remote client could, under some circumstances, not include the Containerfile when sending build context to the server (#8374).
    • Fixed a bug where rootless Podman did not mount /sys as a new sysfs in some circumstances where it was acceptable.
    • Fixed a bug where rootless containers that joined both a user namespace and a CNI network would cause a segfault. These options are incompatible and now return an error.
    • Fixed a bug where the podman play kube command did not properly handle CMD and ARGS from images (#8803).
    • Fixed a bug where the podman play kube command did not properly handle environment variables from images (#8608).
    • Fixed a bug where the podman play kube command did not properly print errors that occurred when starting containers.
    • Fixed a bug where the podman play kube command errored when hostNetwork was used (#8790).
    • Fixed a bug where the podman play kube command would always pull images when the :latest tag was specified, even if the image was available locally (#7838).
    • Fixed a bug where the podman play kube command did not properly handle SELinux configuration, rendering YAML with custom SELinux configuration unusable (#8710).
    • Fixed a bug where the podman generate kube command incorrectly populated the args and command fields of generated YAML (#9211).
    • Fixed a bug where containers in a pod would create a duplicate entry in the pod's shared /etc/hosts file every time the container restarted (#8921).
    • Fixed a bug where the podman search --list-tags command did not support the --format option (#8740).
    • Fixed a bug where the http_proxy option in containers.conf was not being respected, and instead was set unconditionally to true (#8843).
    • Fixed a bug where rootless Podman could, on systems with a recent Conmon and users with a long username, fail to attach to containers (#8798).
    • Fixed a bug where the podman images command would break and fail to display any images if an empty manifest list was present in storage (#8931).
    • Fixed a bug where locale environment variables were not properly passed on to Conmon.
    • Fixed a bug where Podman would not build on the MIPS architecture (#8782).
    • Fixed a bug where rootless Podman could fail to properly configure user namespaces for rootless containers when the user specified a --uidmap option that included a mapping beginning with UID 0.
    • Fixed a bug where the podman logs command using the k8s-file backend did not properly handle partial log lines with a length of 1 (#8879).
    • Fixed a bug where the podman logs command with the --follow option did not properly handle log rotation (#8733).
    • Fixed a bug where user-specified HOSTNAME environment variables were overwritten by Podman (#8886).
    • Fixed a bug where Podman would apply default sysctls from containers.conf in too many situations (e.g. applying network sysctls when the container shared its network with a pod).
    • Fixed a bug where Podman did not properly handle cases where a secondary image store was in use and an image was present in both the secondary and primary stores (#8176).
    • Fixed a bug where systemd-managed rootless Podman containers where the user in the container was not root could fail as the container's PID file was not accessible to systemd on the host (#8506).
    • Fixed a bug where the --privileged option to podman run and podman create would, under some circumstances, not disable Seccomp (#8849).
    • Fixed a bug where the podman exec command did not properly add capabilities when the container or exec session were run with --privileged.
    • Fixed a bug where rootless Podman would use the --enable-sandbox option to slirp4netns unconditionally, even when pivot_root was disabled, rendering slirp4netns unusable when pivot_root was disabled (#8846).
    • Fixed a bug where podman build --logfile did not actually write the build's log to the logfile.
    • Fixed a bug where the podman system service command did not close STDIN, and could display user-interactive prompts (#8700).
    • Fixed a bug where the podman system reset command could, under some circumstances, remove all the contents of the XDG_RUNTIME_DIR directory (#8680).
    • Fixed a bug where the podman network create command created CNI configurations that did not include a default gateway (#8748).
    • Fixed a bug where the podman.service systemd unit provided by default used the wrong service type, and would cause systemd to not correctly register the service as started (#8751).
    • Fixed a bug where, if the TMPDIR environment variable was set for the container engine in containers.conf, it was being ignored.
    • Fixed a bug where the podman events command did not properly handle future times given to the --until option (#8694).
    • Fixed a bug where the podman logs command wrote container STDERR logs to STDOUT instead of STDERR (#8683).
    • Fixed a bug where containers created from an image with multiple tags would report that they were created from the wrong tag (#8547).
    • Fixed a bug where container capabilities were not set properly when the --cap-add=all and --user options to podman create and podman run were combined.
    • Fixed a bug where the --layers option to podman build was nonfunctional (#8643).
    • Fixed a bug where the podman system prune command did not act recursively, and thus would leave images, containers, pods, and volumes present that would be removed by a subsequent call to podman system prune (#7990).
    • Fixed a bug where the --publish option to podman run and podman create did not properly handle ports specified as a range of ports with no host port specified (#8650).
    • Fixed a bug where --format did not support JSON output for individual fields (#8444).
    • Fixed a bug where the podman stats command would fail when run on root containers using the slirp4netns network mode (#7883).
    • Fixed a bug where the Podman remote client would ask for a password even if the server's SSH daemon did not support password authentication (#8498).
    • Fixed a bug where the podman stats command would fail if the system did not support one or more of the cgroup controllers Podman supports (#8588).
    • Fixed a bug where the --mount option to podman create and podman run did not ignore the consistency mount option.
    • Fixed a bug where failures during the resizing of a container's TTY would print the wrong error.
    • Fixed a bug where the podman network disconnect command could cause the podman inspect command to fail for a container until it was restarted (#9234).
    • Fixed a bug where containers created from a read-only rootfs (using the --rootfs option to podman create and podman run) would fail (#9230).
    • Fixed a bug where specifying Go templates to the --format option to multiple Podman commands did not support the join function (#8773).
    • Fixed a bug where the podman rmi command could, when run in parallel on multiple images, return layer not known errors (#6510).
    • Fixed a bug where the podman inspect command on containers displayed unlimited ulimits incorrectly (#9303).
    • Fixed a bug where Podman would fail to start when a volume was mounted over a directory in a container that contained symlinks that terminated outside the directory and its subdirectories (#6003).

    API

    • Libpod API version has been bumped to v3.0.0.
    • All Libpod Pod APIs have been modified to properly report errors with individual containers. Cases where the operation as a whole succeeded but individual containers failed now report an HTTP 409 error (#8865).
    • The Compat API for Containers now supports the Rename and Copy APIs.
    • Fixed a bug where the Compat Prune APIs (for volumes, containers, and images) did not return the amount of space reclaimed in their responses.
    • Fixed a bug where the Compat and Libpod Exec APIs for Containers would drop errors that occurred prior to the exec session successfully starting (e.g. a "no such file" error if an invalid executable was passed) (#8281).
    • Fixed a bug where the Volumes field in the Compat Create API for Containers was being ignored (#8649).
    • Fixed a bug where the NetworkMode field in the Compat Create API for Containers was not handling some values, e.g. container:, correctly.
    • Fixed a bug where the Compat Create API for Containers did not set container name properly.
    • Fixed a bug where containers created using the Compat Create API unconditionally used Kubernetes file logging (the default specified in containers.conf is now used).
    • Fixed a bug where the Compat Inspect API for Containers could include container states not recognized by Docker.
    • Fixed a bug where Podman did not properly clean up after calls to the Events API when the journald backend was in use, resulting in a leak of file descriptors (#8864).
    • Fixed a bug where the Libpod Pull endpoint for Images could fail with an index out of range error under certain circumstances (#8870).
    • Fixed a bug where the Libpod Exists endpoint for Images could panic.
    • Fixed a bug where the Compat List API for Containers did not support all filters (#8860).
    • Fixed a bug where the Compat List API for Containers did not properly populate the Status field.
    • Fixed a bug where the Compat and Libpod Resize APIs for Containers ignored the height and width parameters (#7102).
    • Fixed a bug where the Compat Search API for Images returned an incorrectly-formatted JSON response (#8758).
    • Fixed a bug where the Compat Load API for Images did not properly clean up temporary files.
    • Fixed a bug where the Compat Create API for Networks could panic when an empty IPAM configuration was specified.
    • Fixed a bug where the Compat Inspect and List APIs for Networks did not include Scope.
    • Fixed a bug where the Compat Wait endpoint for Containers did not support the same wait conditions that Docker did.

    Misc

    • Updated Buildah to v1.19.2
    • Updated the containers/storage library to v1.24.5
    • Updated the containers/image library to v5.10.2
    • Updated the containers/common library to v0.33.4
  • v3.0.0-rc3(Feb 8, 2021)

    Please note that these release notes are preliminary until v3.0.0 final is released

    Features

    • Podman now features initial support for Docker Compose.
    • Added the podman rename command, which allows containers to be renamed after they are created (#1925).
    • The Podman remote client now supports the podman copy command.
    • A new command, podman network reload, has been added. This command will re-configure the network of all running containers, and can be used to recreate firewall rules lost when the system firewall was reloaded (e.g. via firewall-cmd --reload).
    • Podman networks now have IDs. They can be seen in podman network ls and can be used when removing and inspecting networks. Existing networks receive IDs automatically.
    • Podman networks now also support labels. They can be added via the --label option to network create, and podman network ls can filter labels based on them.
    • The podman network create command now supports setting bridge MTU and VLAN through the --opt option (#8454).
    • The podman container checkpoint and podman container restore commands can now checkpoint and restore containers that include volumes.
    • The podman container checkpoint command now supports the --with-previous and --pre-checkpoint options, and the podman container restore command now supports the --import-previous option. These add support for two-step checkpointing with lowered dump times.
    • The podman push command can now push manifest lists. Podman will first attempt to push as an image, then fall back to pushing as a manifest list if that fails.
    • The podman generate kube command can now be run on multiple containers at once, and will generate a single pod containing all of them.
    • The podman generate kube and podman play kube commands now support Kubernetes DNS configuration, and will preserve custom DNS configuration when exporting or importing YAML (#9132).
    • The podman generate kube command now properly supports generating YAML for containers and pods created using host networking (--net=host) (#9077).
    • The podman kill command now supports a --cidfile option to kill containers given a file containing the container's ID (#8443).
    • The podman pod create command now supports the --net=none option (#9165).
    • The podman volume create command can now specify volume UID and GID as options with the UID and GID fields passed to the --opt option.
    • Initial support has been added for Docker Volume Plugins. Podman can now define available plugins in containers.conf and use them to create volumes with podman volume create --driver.
    • The podman run and podman create commands now support a new option, --platform, to specify the platform of the image to be used when creating the container.
    • The --security-opt option to podman run and podman create now supports the systempaths=unconfined option to unrestrict access to all paths in the container, as well as mask and unmask options to allow more granular restriction of container paths.
    • The podman stats --format command now supports a new format specifier, MemUsageBytes, which prints the raw bytes of memory consumed by a container without human-readable formatting (#8945).
    • The podman ps command can now filter containers based on what pod they are joined to via the pod filter (#8512).
    • The podman pod ps command can now filter pods based on what networks they are joined to via the network filter.
    • The podman pod ps command can now print information on what networks a pod is joined to via the .Networks specifier to the --format option.
    • The podman system prune command now supports filtering what containers, pods, images, and volumes will be pruned.
    • The podman volume prune command now supports filtering what volumes will be pruned.
    • The podman system prune command now includes information on space reclaimed (#8658).
    • The podman info command will now properly print information about packages in use on Gentoo and Arch systems.
    • The containers.conf file now contains an option for disabling creation of a new kernel keyring on container creation (#8384).
    • The podman image sign command can now sign multi-arch images by producing a signature for each image in a given manifest list.
    • The podman image sign command, when run as rootless, now supports per-user registry configuration files in $HOME/.config/containers/registries.d.
    • Configuration options for slirp4netns can now be set system-wide via the NetworkCmdOptions configuration option in containers.conf.
    • The MTU of slirp4netns can now be configured via the mtu= network command option (e.g. podman run --net slirp4netns:mtu=9000).

    Security

    • A fix for CVE-2021-20199 is included. Podman between v1.8.0 and v2.2.1 used 127.0.0.1 as the source address for all traffic forwarded into rootless containers by a forwarded port; this has been changed to address the issue.
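
    An added illustration of the CVE-2021-20199 entry above (not code from Podman or from these release notes): a version check against the affected range the note states, plus a comparison of a service that authorizes by source address with one that authorizes by credential. The service, its token and the sample requests are constructed for the example.

```python
import hmac
import ipaddress
import re

# Affected range exactly as stated in the release note: v1.8.0 through v2.2.1.
AFFECTED_MIN = (1, 8, 0)
AFFECTED_MAX = (2, 2, 1)


def parse_version(text):
    """Extract (major, minor, patch) from strings such as 'v2.2.1' or
    'podman version 2.1.1'. Pre-release suffixes (-rc1, -dev) are ignored,
    so pre-release builds should be verified separately."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if match is None:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(part) for part in match.groups())


def in_affected_range(version_text):
    """True when the version falls inside the range named in the release note."""
    return AFFECTED_MIN <= parse_version(version_text) <= AFFECTED_MAX


def allow_by_source_address(peer_ip):
    """Weak policy (hypothetical service): loopback peers are treated as local."""
    return ipaddress.ip_address(peer_ip).is_loopback


def allow_by_credential(token, expected_token):
    """Hardened policy: the source address is never used as an authenticator."""
    if not token:
        return False
    return hmac.compare_digest(token.encode(), expected_token.encode())


# Constructed sample: requests as a service inside a rootless container on an
# affected host observes them through a published port. Every peer address is
# 127.0.0.1, whatever the real origin of the connection.
EXPECTED_TOKEN = "constructed-example-token"
OBSERVED_REQUESTS = [
    {"origin": "operator on the host", "peer": "127.0.0.1", "token": EXPECTED_TOKEN},
    {"origin": "client on another machine", "peer": "127.0.0.1", "token": None},
    {"origin": "client on another machine", "peer": "127.0.0.1", "token": "wrong"},
]


def evaluate(requests, expected_token):
    """Apply both policies to each observed request and return the decisions."""
    decisions = []
    for request in requests:
        decisions.append({
            "origin": request["origin"],
            "weak": allow_by_source_address(request["peer"]),
            "hardened": allow_by_credential(request["token"], expected_token),
        })
    return decisions


if __name__ == "__main__":
    for version in ("podman version 1.7.0", "v1.8.0", "2.2.1", "3.0.0"):
        print(f"{version!r}: affected={in_affected_range(version)}")
    for row in evaluate(OBSERVED_REQUESTS, EXPECTED_TOKEN):
        print(row)
```

    Under the source-address policy all three requests are accepted because the peer address carries no information on an affected host; only the credential check separates them.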

    Changes

    • Shortname aliasing support has now been turned on by default. All Podman commands that must pull an image will, if a TTY is available, prompt the user about what image to pull.
    • The podman load command no longer accepts a NAME[:TAG] argument. The presence of this argument broke CLI compatibility with Docker by making docker load commands unusable with Podman (#7387).
    • The Go bindings for the HTTP API have been rewritten with a focus on limiting dependency footprint and improving extensibility. Read more here.
    • The legacy Varlink API has been completely removed from Podman.
    • The default log level for Podman has been changed from Error to Warn.
    • The podman network create command can now create macvlan networks using the --driver macvlan option for Docker compatibility. The existing --macvlan flag has been deprecated and will be removed in Podman 4.0 some time next year.
    • The podman inspect command has had the LogPath and LogTag fields moved into the LogConfig structure (from the root of the Inspect structure). The maximum size of the log file is also included.
    • The podman generate systemd command no longer generates unit files using the deprecated KillMode=none option (#8615).
    • The podman stop command now releases the container lock while waiting for it to stop - as such, commands like podman ps will no longer block until podman stop completes (#8501).
    • Networks created with podman network create --internal no longer use the dnsname plugin. This configuration never functioned as expected.
    • Error messages for the remote Podman client have been improved when it cannot connect to a Podman service.
    • Error messages for podman run when an invalid SELinux is specified have been improved.
    • Rootless Podman features improved support for containers with a single user mapped into the rootless user namespace.
    • Pod infra containers now respect default sysctls specified in containers.conf allowing for advanced configuration of the namespaces they will share.
    • SSH public key handling for remote Podman has been improved.

    Bugfixes

    • Fixed a bug where the podman history --no-trunc command would truncate the Created By field (#9120).
    • Fixed a bug where root containers that did not explicitly specify a CNI network to join did not generate an entry for the network in use in the Networks field of the output of podman inspect (#6618).
    • Fixed a bug where, under some circumstances, container working directories specified by the image (via the WORKDIR instruction) but not present in the image, would not be created (#9040).
    • Fixed a bug where the podman generate systemd command would generate invalid unit files if the container was created using a command line that included doubled braces ({{ and }}), e.g. --log-opt-tag={{.Name}} (#9034).
    • Fixed a bug where the podman generate systemd --new command could generate unit files including invalid Podman commands if the container was created using merged short options (e.g. podman run -dt) (#8847).
    • Fixed a bug where the podman generate systemd --new command could generate unit files that did not handle Podman commands including some special characters (e.g. $) (#9176).
    • Fixed a bug where rootless containers joining CNI networks could not set a static IP address (#7842).
    • Fixed a bug where rootless containers joining CNI networks could not set network aliases (#8567).
    • Fixed a bug where the remote client could, under some circumstances, not include the Containerfile when sending build context to the server (#8374).
    • Fixed a bug where rootless Podman did not mount /sys as a new sysfs in some circumstances where it was acceptable.
    • Fixed a bug where rootless containers that both joined a user namespace and a CNI network would cause a segfault. These options are incompatible and now return an error.
    • Fixed a bug where the podman play kube command did not properly handle CMD and ARGS from images (#8803).
    • Fixed a bug where the podman play kube command did not properly handle environment variables from images (#8608).
    • Fixed a bug where the podman play kube command did not properly print errors that occurred when starting containers.
    • Fixed a bug where the podman play kube command errored when hostNetwork was used (#8790).
    • Fixed a bug where the podman play kube command would always pull images when the :latest tag was specified, even if the image was available locally (#7838).
    • Fixed a bug where the podman play kube command did not properly handle SELinux configuration, rendering YAML with custom SELinux configuration unusable (#8710).
    • Fixed a bug where the podman generate kube command incorrectly populated the args and command fields of generated YAML (#9211).
    • Fixed a bug where containers in a pod would create a duplicate entry in the pod's shared /etc/hosts file every time the container restarted (#8921).
    • Fixed a bug where the podman search --list-tags command did not support the --format option (#8740).
    • Fixed a bug where the http_proxy option in containers.conf was not being respected, and instead was set unconditionally to true (#8843).
    • Fixed a bug where rootless Podman could, on systems with a recent Conmon and users with a long username, fail to attach to containers (#8798).
    • Fixed a bug where the podman images command would break and fail to display any images if an empty manifest list was present in storage (#8931).
    • Fixed a bug where locale environment variables were not properly passed on to Conmon.
    • Fixed a bug where Podman would not build on the MIPS architecture (#8782).
    • Fixed a bug where rootless Podman could fail to properly configure user namespaces for rootless containers when the user specified a --uidmap option that included a mapping beginning with UID 0.
    • Fixed a bug where the podman logs command using the k8s-file backend did not properly handle partial log lines with a length of 1 (#8879).
    • Fixed a bug where the podman logs command with the --follow option did not properly handle log rotation (#8733).
    • Fixed a bug where user-specified HOSTNAME environment variables were overwritten by Podman (#8886).
    • Fixed a bug where Podman would apply default sysctls from containers.conf in too many situations (e.g. applying network sysctls when the container shared its network with a pod).
    • Fixed a bug where Podman did not properly handle cases where a secondary image store was in use and an image was present in both the secondary and primary stores (#8176).
    • Fixed a bug where systemd-managed rootless Podman containers where the user in the container was not root could fail as the container's PID file was not accessible to systemd on the host (#8506).
    • Fixed a bug where the --privileged option to podman run and podman create would, under some circumstances, not disable Seccomp (#8849).
    • Fixed a bug where the podman exec command did not properly add capabilities when the container or exec session were run with --privileged.
    • Fixed a bug where rootless Podman would use the --enable-sandbox option to slirp4netns unconditionally, even when pivot_root was disabled, rendering slirp4netns unusable when pivot_root was disabled (#8846).
    • Fixed a bug where podman build --logfile did not actually write the build's log to the logfile.
    • Fixed a bug where the podman system service command did not close STDIN, and could display user-interactive prompts (#8700).
    • Fixed a bug where the podman system reset command could, under some circumstances, remove all the contents of the XDG_RUNTIME_DIR directory (#8680).
    • Fixed a bug where the podman network create command created CNI configurations that did not include a default gateway (#8748).
    • Fixed a bug where the podman.service systemd unit provided by default used the wrong service type, and would cause systemd to not correctly register the service as started (#8751).
    • Fixed a bug where, if the TMPDIR environment variable was set for the container engine in containers.conf, it was being ignored.
    • Fixed a bug where the podman events command did not properly handle future times given to the --until option (#8694).
    • Fixed a bug where the podman logs command wrote container STDERR logs to STDOUT instead of STDERR (#8683).
    • Fixed a bug where containers created from an image with multiple tags would report that they were created from the wrong tag (#8547).
    • Fixed a bug where container capabilities were not set properly when the --cap-add=all and --user options to podman create and podman run were combined.
    • Fixed a bug where the --layers option to podman build was nonfunctional (#8643).
    • Fixed a bug where the podman system prune command did not act recursively, and thus would leave images, containers, pods, and volumes present that would be removed by a subsequent call to podman system prune (#7990).
    • Fixed a bug where the --publish option to podman run and podman create did not properly handle ports specified as a range of ports with no host port specified (#8650).
    • Fixed a bug where --format did not support JSON output for individual fields (#8444).
    • Fixed a bug where the podman stats command would fail when run on root containers using the slirp4netns network mode (#7883).
    • Fixed a bug where the Podman remote client would ask for a password even if the server's SSH daemon did not support password authentication (#8498).
    • Fixed a bug where the podman stats command would fail if the system did not support one or more of the cgroup controllers Podman supports (#8588).
    • Fixed a bug where the --mount option to podman create and podman run did not ignore the consistency mount option.
    • Fixed a bug where failures during the resizing of a container's TTY would print the wrong error.
    • Fixed a bug where the podman network disconnect command could cause the podman inspect command to fail for a container until it was restarted (#9234).
    • Fixed a bug where containers created from a read-only rootfs (using the --rootfs option to podman create and podman run) would fail (#9230).

    API

    • Libpod API version has been bumped to v3.0.0.
    • All Libpod Pod APIs have been modified to properly report errors with individual containers. Cases where the operation as a whole succeeded but individual containers failed now report an HTTP 409 error (#8865).
    • The Compat API for Containers now supports the Rename and Copy APIs.
    • Fixed a bug where the Compat Prune APIs (for volumes, containers, and images) did not return the amount of space reclaimed in their responses.
    • Fixed a bug where the Compat and Libpod Exec APIs for Containers would drop errors that occurred prior to the exec session successfully starting (e.g. a "no such file" error if an invalid executable was passed) (#8281).
    • Fixed a bug where the Volumes field in the Compat Create API for Containers was being ignored (#8649).
    • Fixed a bug where the NetworkMode field in the Compat Create API for Containers was not handling some values, e.g. container:, correctly.
    • Fixed a bug where the Compat Create API for Containers did not set container name properly.
    • Fixed a bug where containers created using the Compat Create API unconditionally used Kubernetes file logging (the default specified in containers.conf is now used).
    • Fixed a bug where the Compat Inspect API for Containers could include container states not recognized by Docker.
    • Fixed a bug where Podman did not properly clean up after calls to the Events API when the journald backend was in use, resulting in a leak of file descriptors (#8864).
    • Fixed a bug where the Libpod Pull endpoint for Images could fail with an index out of range error under certain circumstances (#8870).
    • Fixed a bug where the Libpod Exists endpoint for Images could panic.
    • Fixed a bug where the Compat List API for Containers did not support all filters (#8860).
    • Fixed a bug where the Compat List API for Containers did not properly populate the Status field.
    • Fixed a bug where the Compat and Libpod Resize APIs for Containers ignored the height and width parameters (#7102).
    • Fixed a bug where the Compat Search API for Images returned an incorrectly-formatted JSON response (#8758).
    • Fixed a bug where the Compat Load API for Images did not properly clean up temporary files.
    • Fixed a bug where the Compat Create API for Networks could panic when an empty IPAM configuration was specified.
    • Fixed a bug where the Compat Inspect and List APIs for Networks did not include Scope.

    Misc

    • Updated Buildah to v1.19.2
    • Updated the containers/storage library to v1.24.5
    • Updated the containers/common library to v0.33.4
  • v3.0.0-rc2(Jan 29, 2021)

  • v3.0.0-rc1(Jan 18, 2021)

    Features

    • Add ability to set system wide options for slirp4netns
    • Add --cidfile to container kill
    • Add commas between mount options
    • Add compose regression to ci
    • Add containerenv information to /run/.containerenv
    • Add default sysctls for pod infra containers
    • Add --filter to podman system prune
    • Adding json formatting to --list-tags option in podman search command.
    • Add mask and unmask option to --security-opt
    • Add 'MemUsageBytes' format option
    • Add more information and examples on podman and pipes
    • Add network filter for podman ps and pod ps
    • Add Networks format placeholder to podman ps and pod ps
    • Add pod filter for ps
    • Add podman network create option for bridge mtu
    • Add podman network create option for bridge vlan
    • Add pre checkpoint
    • Add Security information to podman info
    • Add support for Gentoo file to package query
    • Add support for network ids
    • Add support for pacman package version query
    • Add support for persistent volume claims in kube files
    • Add support for --platform
    • Add systempaths=unconfined option
    • Add volume filters to system prune
    • Add volume prune --filter support
    • Allow podman push to push manifest lists
    • Allow users to specify TMPDIR in containers.conf
    • Always add the default gateway to the cni config file
    • Drop default log-level from error to warn
    • Enable short-name aliasing
    • Generate kube on multiple containers
    • Generate systemd: do not set KillMode
    • Image sign using per user registries.d
    • Implement pod-network-reload
    • Include named volumes in container migration
    • Initial implementation of renaming containers
    • Initial implementation of volume plugins
    • Network connect disconnect on non-running containers
    • Not use local image create/add manifest
    • Podman network label support
    • Prepare support in kube play for other volume types than hostPath
    • Remote copy
    • Remove the ability to use [name:tag] in podman load command
    • Remove varlink support from Podman
    • Sign multi-arch images
    • Support --network=default as if it was private
    • Support Unix timestamps for podman logs --since

    Changes

    • Add LogSize to container inspect
    • Allow image errors to bubble up from lower level functions.
    • Change name of imageVolumes in container config JSON
    • Cleanup CNI Networks on reboot
    • Consolidate filter logic to pkg subdirectory
    • Make podman stats slirp check more robust
    • More /var/run -> /run
    • Prefer read/write images over read/only images
    • Refactor kube.ToSpecGen parameters to struct
    • Rename AutocompletePortCommand func
    • Repeat system pruning until there is nothing removed
    • Switch references of /var/run -> /run
    • Use HTTPProxy settings from containers.conf
    • Use Libpod tmpdir for pause path
    • Use Options as CRImportCheckpoint() argument
    • Use Options as exportCheckpoint() argument
    • Use PasswordCallback instead of Password for ssh
    • Use abi PodPs implementation for libpod/pods/json endpoint
    • Validate that the bridge option is supported
    • archive: move stat-header handling into copy package
    • libpod, conmon: change log level for rootless
    • libpod: change function to accept ExecOptions
    • libpod: handle single user mapped as root
    • make podman play use ENVs from image
    • pkg/copy: introduce a Copier
    • podman events allow future time for --until
    • podman.service should be an exec service not a notify service
    • rewrite podman-cp
    • rootless: add function to retrieve gid/uid mappings
    • rootless: automatically split userns ranges
    • runtime: set XDG_* env variables if missing
    • shell completion for the network flag
    • specgen: improve heuristic for /sys bind mount
    • systemd: make rundir always accessible

    Bugfixes

    • Close image rawSource when each loop ends
    • Containers should not get inheritable caps by default
    • Correct port range logic for port generation
    • Correct which network commands can be run as rootless
    • Disable CGv1 pod stats on net=host post
    • Do not error on installing duplicate shutdown handler
    • Do not ignore infra command from config files
    • Do not mount sysfs as rootless in more cases
    • Do not pull if image domain is localhost
    • Do not use "true" after "syslog" in exit commands
    • Do not validate the volume source path in specgen
    • Don't accidentally remove XDG_RUNTIME_DIR when resetting storage
    • Ensure that podman play kube actually reports errors
    • Ensure that user-specified HOSTNAME is honored
    • Ensure we do not edit container config in Exec
    • Exorcise Driver code from libpod/define
    • Expose Height/Width fields to decoder
    • Expose security attribute errors with their own messages
    • Fix Wrong image tag is used when creating a container from an image with multiple tags
    • Fix podman images... missing headers in table templates
    • Fix build for mips architecture
    • Fix build for mips architecture follow-up
    • Fix custom mac address with a custom cni network
    • Fix extra quotation mark in manpages.
    • Fix missing options in volumes display while setting uid and gid
    • Fix missing podman-container-rename man page link
    • Fix network ls --filter invalid value flake
    • Fix option names --subuidname and --subgidname
    • Fix panic in libpod images exists endpoint
    • Fix podman build --logfile
    • Fix podman logs read partial log lines
    • Fix problems reported by staticcheck
    • Fix problems with network remove
    • Fix shell completion for ps --filter ancestor
    • Fix some nit
    • Fix spelling mistakes
    • Fix storage.conf to define driver in the VM
    • Fix support for rpmbuild < 4.12.0.
    • Fix: unpause not supported for CGv1 rootless
    • Fixes /etc/hosts duplicated every time after container restarted in a pod
    • Handle --rm when starting a container
    • Handle podman exec capabilities correctly
    • Honor the --layers flag
    • Ignore containers.conf sysctls when sharing namespaces
    • Improve error message when the podman service is not enabled
    • Make podman generate systemd --new flag parsing more robust
    • Pass down EnableKeyring from containers.conf to conmon
    • Properly handle --cap-add all when running with a --user flag
    • Revert "Allow multiple --network flags for podman run/create"
    • Revert e6fbc15f26b2a609936dfc11732037c70ee14cba
    • Revert the custom cobra vendor
    • Rework pruning to report reclaimed space
    • Set NetNS mode instead of value
    • The slirp4netns sandbox requires pivot_root
    • close journald when reading
    • container create: do not clear image name
    • container stop: release lock before calling the runtime
    • exec: honor --privileged
    • fix: disable seccomp by default when privileged.
    • image list: ignore bare manifest list
    • network: disallow CNI networks with user namespaces
    • oci: keep LC_ env variables to conmon
    • oci: use /proc/self/fd/FD to open unix socket
    • pass full NetworkMode to ParseNetworkNamespace
    • play kube: fix args/command handling
    • play kube: set entrypoint when interpreting Command
    • podman build --force-rm defaults to true in code
    • podman logs honor stderr correctly
    • podman, exec: move conmon to the correct cgroup
    • podman-remote fix sending tar content
    • podman: drop checking valid rootless UID
    • re-open container log files
    • security: honor systempaths=unconfined for ro paths

    API

    • Add API for communicating with Docker volume plugins
    • Change bindings to stop two API calls for ping
    • Close the stdin/tty when using podman as a restAPI.
    • Compat api containers/json add support for filters
    • Container rename bindings
    • Do not pass name argument to Load API
    • Docker compat API - /images/search returns wrong structure (#7857)
    • Docker compat API - containers create ignores the name
    • Fix some network compat api problems
    • Jira RUN-1106 Container handlers updates
    • Jira RUN-1106 Image handlers updates
    • Jira RUN-1106 Network handlers updates
    • Jira RUN-1106 System handlers updates
    • Jira RUN-1106 Volumes handlers updates
    • Makefile: add target to generate bindings
    • More docker compat API fixes
    • Podman image bindings for 3.0
    • REST API v2 - ping - fix typo in header
    • REST API v2 - ping - remove newline from response to improve Docker compatibility
    • Reduce general binding binary size
    • Restore compatible API for prune endpoints
    • compat create should use bindings
    • hack/podman-socat captures the API stream
    • libpod API: pull: fix channel race
    • misc bindings to podman v3
    • pkg/copy: add parsing API
    • podman v3 container bindings
    • podman v3 pod bindings

    Misc

    • Bump github.com/containernetworking/plugins from 0.8.7 to 0.9.0
    • Bump github.com/containers/common from 0.30.0 to 0.31.1
    • Bump github.com/containers/image/v5 from 5.8.1 to 5.9.0
    • Bump github.com/containers/storage from 1.24.1 to 1.24.5
    • Bump github.com/cri-o/ocicni to latest master
    • Bump github.com/google/uuid from 1.1.2 to 1.1.5
    • Bump github.com/onsi/gomega from 1.10.3 to 1.10.4
    • Bump github.com/opencontainers/selinux from 1.6.0 to 1.8.0
    • Bump github.com/stretchr/testify from 1.6.1 to 1.7.0
    • Bump k8s.io/apimachinery from 0.19.4 to 0.20.2
    • Bump master to v3.0.0-dev
    • Bump to containers/buildah 1.9.2
    • Bump version in README to v2.2.0
    • vendor containers/[email protected]
  • v2.2.1(Dec 8, 2020)

    Changes

    • Due to a conflict with a previously-removed field, we were forced to modify the way image volumes (mounting images into containers using --mount type=image) were handled in the database. As a result, containers created in Podman 2.2.0 with image volumes will not have them in v2.2.1, and these containers will need to be re-created.

    Bugfixes

    • Fixed a bug where rootless Podman would, on systems without the XDG_RUNTIME_DIR environment variable defined, use an incorrect path for the PID file of the Podman pause process, causing Podman to fail to start (#8539).
    • Fixed a bug where containers created using Podman v1.7 and earlier were unusable in Podman due to JSON decode errors (#8613).
    • Fixed a bug where Podman could retrieve invalid cgroup paths, instead of erroring, for containers that were not running.
    • Fixed a bug where the podman system reset command would print a warning about a duplicate shutdown handler being registered.
    • Fixed a bug where rootless Podman would attempt to mount sysfs in circumstances where it was not allowed; some OCI runtimes (notably crun) would fall back to alternatives and not fail, but others (notably runc) would fail to run containers.
    • Fixed a bug where the podman run and podman create commands would fail to create containers from untagged images (#8558).
    • Fixed a bug where remote Podman would prompt for a password even when the server did not support password authentication (#8498).
    • Fixed a bug where the podman exec command did not move the Conmon process for the exec session into the correct cgroup.
    • Fixed a bug where shell completion for the ancestor option to podman ps --filter did not work correctly.
    • Fixed a bug where detached containers would not properly clean themselves up (or remove themselves if --rm was set) if the Podman command that created them was invoked with --log-level=debug.

    API

    • Fixed a bug where the Compat Create endpoint for Containers did not properly handle the Binds and Mounts parameters in HostConfig.
    • Fixed a bug where the Compat Create endpoint for Containers ignored the Name query parameter.
    • Fixed a bug where the Compat Create endpoint for Containers did not properly handle the "default" value for NetworkMode (this value is used extensively by docker-compose) (#8544).
    • Fixed a bug where the Compat Build endpoint for Images would sometimes incorrectly use the target query parameter as the image's tag.

    Misc

    • Podman v2.2.0 vendored a non-released, custom version of the github.com/spf13/cobra package; this has been reverted to the latest upstream release to aid in packaging.
    • Updated the containers/image library to v5.9.0
  • v2.2.0(Nov 30, 2020)

    Features

    • Experimental support for shortname aliasing has been added. This is not enabled by default, but can be turned on by setting the environment variable CONTAINERS_SHORT_NAME_ALIASING to on. Documentation is available here and here.
    • Initial support has been added for the podman network connect and podman network disconnect commands, which allow existing containers to modify what networks they are connected to. At present, these commands can only be used on running containers that did not specify --network=none when they were created.
    • The podman run command now supports the --network-alias option to set network aliases (additional names the container can be accessed at from other containers via DNS if the dnsname CNI plugin is in use). Aliases can also be added and removed using the new podman network connect and podman network disconnect commands. Please note that this requires a new release (v1.1.0) of the dnsname plugin, and will only work on newly-created CNI networks.
    • The podman generate kube command now features support for exporting a container's memory and CPU limits (#7855).
    • The podman play kube command now features support for setting CPU and Memory limits for containers (#7742).
    • The podman play kube command now supports persistent volume claims using Podman named volumes.
    • The podman play kube command now supports Kubernetes configmaps via the --configmap option (#7567).
    • The podman play kube command now supports a --log-driver option to set the log driver for created containers.
    • The podman play kube command now supports a --start option, enabled by default, to start the pod after creating it. This allows for podman play kube to be more easily used in systemd unitfiles.
    • The podman network create command now supports the --ipv6 option to enable dual-stack IPv6 networking for created networks (#7302).
    • The podman inspect command can now inspect pods, networks, and volumes, in addition to containers and images (#6757).
    • The --mount option for podman run and podman create now supports a new type, image, to mount the contents of an image into the container at a given location.
    • The Bash and ZSH completions have been completely reworked and have received significant enhancements! Additionally, support for Fish completions and completions for the podman-remote executable have been added.
    • The --log-opt option for podman create and podman run now supports the max-size option to set the maximum size for a container's logs (#7434).
    • The --network option to the podman pod create command now allows pods to be configured to use slirp4netns networking, even when run as root (#6097).
    • The podman pod stop, podman pod pause, podman pod unpause, and podman pod kill commands now work on multiple containers in parallel and should be significantly faster.
    • The podman search command now supports a --list-tags option to list all available tags for a single image in a single repository.
    • The podman search command can now output JSON using the --format=json option.
    • The podman diff and podman mount commands now work with all containers in the storage library, including those not created by Podman. This allows them to be used with Buildah and CRI-O containers.
    • The podman container exists command now features a --external option to check if a container exists not just in Podman, but also in the storage library. This will allow Podman to identify Buildah and CRI-O containers.
    • The --tls-verify and --authfile options have been enabled for use with remote Podman.
    • The /etc/hosts file now includes the container's name and hostname (both pointing to localhost) when the container is run with --net=none (#8095).
    • The podman events command now supports filtering events based on the labels of the container they occurred on using the --filter label=key=value option.
    • The podman volume ls command now supports filtering volumes based on their labels using the --filter label=key=value option.
    • The --volume and --mount options to podman run and podman create now support two new mount propagation options, unbindable and runbindable.
    • The name and id filters for podman pod ps now match based on a regular expression, instead of requiring an exact match.
    • The podman pod ps command now supports a new filter status, that matches pods in a certain state.

    Changes

    • The podman network rm --force command will now also remove pods that are using the network (#7791).
    • The podman volume rm, podman network rm, and podman pod rm commands now return exit code 1 if the object specified for removal does not exist, and exit code 2 if the object is in use and the --force option was not given.
    • If /dev/fuse is passed into Podman containers as a device, Podman will open it before starting the container to ensure that the kernel module is loaded on the host and the device is usable in the container.
    • Global Podman options that were not supported with remote operation have been removed from podman-remote (e.g. --cgroup-manager, --storage-driver).
    • Many errors have been changed to remove repetition and be more clear as to what has gone wrong.
    • The --storage option to podman rm is now enabled by default, with slightly changed semantics. If the given container does not exist in Podman but does exist in the storage library, it will be removed even without the --storage option. If the container exists in Podman it will be removed normally. The --storage option for podman rm is now deprecated and will be removed in a future release.
    • The --storage option to podman ps has been renamed to --external. An alias has been added so the old form of the option will continue to work.
    • Podman now delays the SIGTERM and SIGINT signals during container creation to ensure that Podman is not stopped midway through creating a container resulting in potential resource leakage (#7941).
    • The podman save command now strips signatures from images it is exporting, as the formats we export to do not support signatures (#7659).
    • A new Degraded state has been added to pods. Pods that have some, but not all, of their containers running are now considered to be Degraded instead of Running.
    • Podman will now print a warning when conflicting network options related to port forwarding (e.g. --publish and --net=host) are specified when creating a container.
    • The --restart on-failure and --rm options for containers no longer conflict. When both are specified, the container will be restarted if it exits with a non-zero error code, and removed if it exits cleanly (#7906).
    • Remote Podman will no longer use settings from the client's containers.conf; defaults will instead be provided by the server's containers.conf (#7657).
    • The podman network rm command now has a new alias, podman network remove (#8402).

    Bugfixes

    • Fixed a bug where podman load on the remote client did not error when attempting to load a directory, which is not yet supported for remote use.
    • Fixed a bug where rootless Podman could hang when the newuidmap binary was not installed (#7776).
    • Fixed a bug where the --pull option to podman run, podman create, and podman build did not match Docker's behavior.
    • Fixed a bug where sysctl settings from the containers.conf configuration file were applied, even if the container did not join the namespace associated with a sysctl.
    • Fixed a bug where Podman would not return the text of errors encountered when trying to run a healthcheck for a container.
    • Fixed a bug where Podman was accidentally setting the containers environment variable in addition to the expected container environment variable.
    • Fixed a bug where rootless Podman using CNI networking did not properly clean up DNS entries for removed containers (#7789).
    • Fixed a bug where the podman untag --all command was not supported with remote Podman.
    • Fixed a bug where the podman system service command could time out even if active attach connections were present (#7826).
    • Fixed a bug where the podman system service command would sometimes never time out despite no active connections being present.
    • Fixed a bug where Podman's handling of capabilities, specifically inheritable, did not match Docker's.
    • Fixed a bug where podman run would fail if the image specified was a manifest list and had already been pulled (#7798).
    • Fixed a bug where Podman did not take search registries into account when looking up images locally (#6381).
    • Fixed a bug where the podman manifest inspect command would fail for images that had already been pulled (#7726).
    • Fixed a bug where rootless Podman would not add supplemental GIDs to containers when a user, but not a group, was set via the --user option to podman create and podman run and sufficient GIDs were available to add the groups (#7782).
    • Fixed a bug where remote Podman commands did not properly handle cases where the user gave a name that could also be a short ID for a pod or container (#7837).
    • Fixed a bug where podman image prune could leave images ready to be pruned after podman image prune was run (#7872).
    • Fixed a bug where the podman logs command with the journald log driver would not read all available logs (#7476).
    • Fixed a bug where the --rm and --restart options to podman create and podman run did not conflict when a restart policy that is not on-failure was chosen (#7878).
    • Fixed a bug where the --format "table {{ .Field }}" option to numerous Podman commands ceased to function on Podman v2.0 and up.
    • Fixed a bug where pods did not properly share an SELinux label between their containers, resulting in containers being unable to see the processes of other containers when the pod shared a PID namespace (#7886).
    • Fixed a bug where the --namespace option to podman ps did not work with the remote client (#7903).
    • Fixed a bug where rootless Podman incorrectly calculated the number of UIDs available in the container if multiple different ranges of UIDs were specified.
    • Fixed a bug where the /etc/hosts file would not be correctly populated for containers in a user namespace (#7490).
    • Fixed a bug where the podman network create and podman network remove commands could race when run in parallel, with unpredictable results (#7807).
    • Fixed a bug where the -p option to podman run, podman create, and podman pod create would, when given only a single number (e.g. -p 80), assign the same port for both host and container, instead of generating a random host port (#7947).
    • Fixed a bug where Podman containers did not properly store the cgroup manager they were created with, causing them to stop functioning after the cgroup manager was changed in containers.conf or with the --cgroup-manager option (#7830).
    • Fixed a bug where the podman inspect command did not include information on the CNI networks a container was connected to if it was not running.
    • Fixed a bug where the podman attach command would not print a newline after detaching from the container (#7751).
    • Fixed a bug where the HOME environment variable was not set properly in containers when the --userns=keep-id option was set (#8004).
    • Fixed a bug where the podman container restore command could panic when the container in question was in a pod (#8026).
    • Fixed a bug where the output of the podman image trust show --raw command was not properly formatted.
    • Fixed a bug where the podman runlabel command could panic if a label to run was not given (#8038).
    • Fixed a bug where the podman run and podman start --attach commands would exit with an error when the user detached manually using the detach keys on remote Podman (#7979).
    • Fixed a bug where rootless CNI networking did not use the dnsname CNI plugin if it was not available on the host, despite it always being available in the container used for rootless networking (#8040).
    • Fixed a bug where Podman did not properly handle cases where an OCI runtime is specified by its full path, and could revert to using another OCI runtime with the same binary path that existed in the system $PATH on subsequent invocations.
    • Fixed a bug where the --net=host option to podman create and podman run would cause the /etc/hosts file to be incorrectly populated (#8054).
    • Fixed a bug where the podman inspect command did not include container network information when the container shared its network namespace (IE, joined a pod or another container's network namespace via --net=container:...) (#8073).
    • Fixed a bug where the podman ps command did not include information on all ports a container was publishing.
    • Fixed a bug where the podman build command incorrectly forwarded STDIN into build containers from RUN instructions.
    • Fixed a bug where the podman wait command's --interval option did not work when units were not specified for the duration (#8088).
    • Fixed a bug where the --detach-keys and --detach options could be passed to podman create despite having no effect (and not making sense in that context).
    • Fixed a bug where Podman could not start containers if running on a system without a /etc/resolv.conf file (which occurs on some WSL2 images) (#8089).
    • Fixed a bug where the --extract option to podman cp was nonfunctional.
    • Fixed a bug where the --cidfile option to podman run would, when the container was not run with --detach, only create the file after the container exited (#8091).
    • Fixed a bug where the podman images and podman images -a commands could panic and not list any images when certain improperly-formatted images were present in storage (#8148).
    • Fixed a bug where the podman events command could, when the journald events backend was in use, become nonfunctional when a badly-formatted event or a log message that contained a certain string was present in the journal (#8125).
    • Fixed a bug where remote Podman would, when using SSH transport, not authenticate to the server using hostkeys when connecting on a port other than 22 (#8139).
    • Fixed a bug where the podman attach command would not exit when containers stopped (#8154).
    • Fixed a bug where Podman did not properly clean paths before verifying them, resulting in Podman refusing to start if the root or temporary directories were specified with extra trailing / characters (#8160).
    • Fixed a bug where remote Podman did not support hashed hostnames in the known_hosts file on the host for establishing connections (#8159).
    • Fixed a bug where the podman image exists command would return non-zero (false) when multiple potential matches for the given name existed.
    • Fixed a bug where the podman manifest inspect command on images that are not manifest lists would error instead of inspecting the image (#8023).
    • Fixed a bug where the podman system service command would fail if the directory the Unix socket was to be created inside did not exist (#8184).
    • Fixed a bug where pods that shared the IPC namespace (which is done by default) did not share a /dev/shm filesystem between all containers in the pod (#8181).
    • Fixed a bug where filters passed to podman volume list were not inclusive (#6765).
    • Fixed a bug where the podman volume create command would fail when the volume's data directory already existed (as might occur when a volume was not completely removed) (#8253).
    • Fixed a bug where the podman run and podman create commands would deadlock when trying to create a container that mounted the same named volume at multiple locations (e.g. podman run -v testvol:/test1 -v testvol:/test2) (#8221).
    • Fixed a bug where the parsing of the --net option to podman build was incorrect (#8322).
    • Fixed a bug where the podman build command would print the ID of the built image twice when using remote Podman (#8332).
    • Fixed a bug where the podman stats command did not show memory limits for containers (#8265).
    • Fixed a bug where the podman pod inspect command printed the static MAC address of the pod in a non-human-readable format (#8386).
    • Fixed a bug where the --tls-verify option of the podman play kube command had its logic inverted (false would enforce the use of TLS, true would disable it).
    • Fixed a bug where the podman network rm command would error when trying to remove macvlan networks and rootless CNI networks (#8491).
    • Fixed a bug where Podman was not setting sane defaults for missing XDG_ environment variables.
    • Fixed a bug where remote Podman would check if volume paths to be mounted in the container existed on the host, not the server (#8473).
    • Fixed a bug where the podman manifest create and podman manifest add commands on local images would drop any images in the manifest not pulled by the host.
    • Fixed a bug where networks made by podman network create did not include the tuning plugin, and as such did not support setting custom MAC addresses (#8385).
    • Fixed a bug where container healthchecks did not use $PATH when searching for the Podman executable to run the healthcheck.
    • Fixed a bug where the --ip-range option to podman network create did not properly handle non-classful subnets when calculating the last usable IP for DHCP assignment (#8448).
    • Fixed a bug where the podman container ps alias for podman ps was missing (#8445).

    API

    • The Compat Create endpoint for Container has received a major refactor to share more code with the Libpod Create endpoint, and should be significantly more stable.
    • A Compat endpoint for exporting multiple images at once, GET /images/get, has been added (#7950).
    • The Compat Network Connect and Network Disconnect endpoints have been added.
    • Endpoints that deal with image registries now support a X-Registry-Config header to specify registry authentication configuration.
    • The Compat Create endpoint for images now properly supports specifying images by digest.
    • The Libpod Build endpoint for images now supports an httpproxy query parameter which, if set to true, will forward the server's HTTP proxy settings into the build container for RUN instructions.
    • The Libpod Untag endpoint for images will now remove all tags for the given image if no repository and tag are specified for removal.
    • Fixed a bug where the Ping endpoint misspelled a header name (Libpod-Buildha-Version instead of Libpod-Buildah-Version).
    • Fixed a bug where the Ping endpoint sent an extra newline at the end of its response where Docker did not.
    • Fixed a bug where the Compat Logs endpoint for containers did not send a newline character after each log line.
    • Fixed a bug where the Compat Logs endpoint for containers would mangle line endings to change newline characters to add a preceding carriage return (#7942).
    • Fixed a bug where the Compat Inspect endpoint for Containers did not properly list the container's stop signal (#7917).
    • Fixed a bug where the Compat Inspect endpoint for Containers formatted the container's create time incorrectly (#7860).
    • Fixed a bug where the Compat Inspect endpoint for Containers did not include the container's Path, Args, and Restart Count.
    • Fixed a bug where the Compat Inspect endpoint for Containers prefixed added and dropped capabilities with CAP_ (Docker does not do so).
    • Fixed a bug where the Compat Info endpoint for the Engine did not include configured registries.
    • Fixed a bug where the server could panic if a client closed a connection midway through an image pull (#7896).
    • Fixed a bug where the Compat Create endpoint for volumes returned an error when a volume with the same name already existed, instead of succeeding with a 201 code (#7740).
    • Fixed a bug where a client disconnecting from the Libpod or Compat events endpoints could result in the server using 100% CPU (#7946).
    • Fixed a bug where the "no such image" error message sent by the Compat Inspect endpoint for Images returned a 404 status code with an error that was improperly formatted for Docker compatibility.
    • Fixed a bug where the Compat Create endpoint for networks did not properly set a default for the driver parameter if it was not provided by the client.
    • Fixed a bug where the Compat Inspect endpoint for images did not populate the RootFS field of the response.
    • Fixed a bug where the Compat Inspect endpoint for images would omit the ParentId field if the image had no parent, and the Created field if the image did not have a creation time.
    • Fixed a bug where the Compat Remove endpoint for Networks did not support the Force query parameter.

    Misc

    • Updated Buildah to v1.18.0
    • Updated the containers/storage library to v1.24.1
    • Updated the containers/image library to v5.8.1
    • Updated the containers/common library to v0.27.0
  • v2.2.0-rc2(Nov 24, 2020)

    APIv2

    • Fix Bugs and compatibility
    • Fix list of images - mandatory Created attribute
    • Add network connect|disconnect compat endpoints

    Missing Commands

    • Add alias for podman network rm -> remove
    • Add podman container ps command

    Missing Options support

    • Align the podman pod ps --filter behavior with podman ps
    • Allow containers to --restart on-failure with --rm
    • Allow multiple --network flags for podman run/create

    Documentation:

    • Containers.conf settings for remote connections
    • Specify what the replace flag replaces in help text
    • Clarify ps(1) fallback of podman top

    Improve shell completions

    Bugs

    • Fix ip-range for classless subnet masks
    • Make c.networks() list include the default network
    • Make podman service log events
    • Set PATH env in systemd timer.
    • Fix container cgroup lookup
  • v2.2.0-rc1(Nov 18, 2020)

    This is the first release candidate for Podman v2.2.0. Preliminary release notes are below:

    2.2.0

    Features

    • Experimental support for shortname aliasing has been added. This is not enabled by default, but can be turned on by setting the environment variable CONTAINERS_SHORT_NAME_ALIASING to on. Documentation is available here.
    • The podman generate kube command now features support for exporting container's memory and CPU limits (#7855).
    • The podman play kube command now features support for setting CPU and Memory limits for containers (#7742).
    • The podman play kube command now supports Kubernetes configmaps via the --configmap option (#7567).
    • The podman play kube command now supports a --log-driver option to set the log driver for created containers.
    • The podman play kube command now supports a --start option, enabled by default, to start the pod after creating it. This allows for podman play kube to be more easily used in systemd unitfiles.
    • The podman run command now supports the --network-alias option to set network aliases (additional names the container can be accessed at from other containers via DNS if the dnsname CNI plugin is in use). Please note that this requires a new release (v1.1.0) of the dnsname plugin, and will only work on newly-created CNI networks.
    • The podman network create command now supports the --ipv6 option to enable dual-stack IPv6 networking for created networks (#7302).
    • The podman inspect command can now inspect pods, networks, and volumes, in addition to containers and images (#6757).
    • The --mount option for podman run and podman create now supports a new type, image, to mount the contents of an image into the container at a given location.
    • The Bash and ZSH completions have been completely reworked and have received significant enhancements! Additionally, support for Fish completions and completions for the podman-remote executable have been added.
    • The --log-opt option for podman create and podman run now supports the max-size option to set the maximum size for a container's logs (#7434).
    • The --network option to the podman pod create command now allows pods to be configured to use slirp4netns networking, even when run as root (#6097).
    • The podman pod stop, podman pod pause, podman pod unpause, and podman pod kill commands now work on multiple containers in parallel and should be significantly faster.
    • The podman search command now supports a --list-tags option to list all available tags for a single image in a single repository.
    • The podman search command can now output JSON using the --format=json option.
    • The podman diff and podman mount commands now work with all containers in the storage library, including those not created by Podman. This allows them to be used with Buildah and CRI-O containers.
    • The podman container exists command now features a --external option to check if a container exists not just in Podman, but also in the storage library. This will allow Podman to identify Buildah and CRI-O containers.
    • The --tls-verify and --authfile options have been enabled for use with remote Podman.
    • The /etc/hosts file now includes the container's name and hostname (both pointing to localhost) when the container is run with --net=none (#8095).
    • The podman events command now supports filtering events based on the labels of the container they occurred on using the --filter label=key=value option.
    • The podman volume ls command now supports filtering volumes based on their labels using the --filter label=key=value option.
    • The --volume and --mount options to podman run and podman create now support two new mount propagation options, unbindable and runbindable.
    • The name filter for podman pod ps now matches based on a regular expression, instead of requiring an exact match.

    Changes

    • The podman network rm --force command will now also remove pods that are using the network (#7791).
    • The podman volume rm, podman network rm, and podman pod rm commands now return exit code 1 if the object specified for removal does not exist, and exit code 2 if the object is in use and the --force option was not given.
    • If /dev/fuse is passed into Podman containers as a device, Podman will open it before starting the container to ensure that the kernel module is loaded on the host and the device is usable in the container.
    • Global Podman options that were not supported with remote operation have been removed from podman-remote (e.g. --cgroup-manager, --storage-driver).
    • Many errors have been changed to remove repetition and be more clear as to what has gone wrong.
    • The --storage option to podman rm is now enabled by default, with slightly changed semantics. If the given container does not exist in Podman but does exist in the storage library, it will be removed even without the --storage option. If the container exists in Podman it will be removed normally. The --storage option for podman rm is now deprecated and will be removed in a future release.
    • The --storage option to podman ps has been renamed to --external. An alias has been added so the old form of the option will continue to work.
    • Podman now delays the SIGTERM and SIGINT signals during container creation to ensure that Podman is not stopped midway through creating a container resulting in potential resource leakage (#7941).
    • The podman save command now strips signatures from images it is exporting, as the formats we export to do not support signatures (#7659).
    • A new Degraded state has been added to pods. Pods that have some, but not all, of their containers running are now considered to be Degraded instead of Running.

    Bugfixes

    • Fixed a bug where podman load on the remote client did not error when attempting to load a directory, which is not yet supported for remote use.
    • Fixed a bug where rootless Podman could hang when the newuidmap binary was not installed (#7776).
    • Fixed a bug where the --pull option to podman run, podman create, and podman build did not match Docker's behavior.
    • Fixed a bug where sysctl settings from the containers.conf configuration file were applied, even if the container did not join the namespace associated with a sysctl.
    • Fixed a bug where Podman would not return the text of errors encountered when trying to run a healthcheck for a container.
    • Fixed a bug where Podman was accidentally setting the containers environment variable in addition to the expected container environment variable.
    • Fixed a bug where rootless Podman using CNI networking did not properly clean up DNS entries for removed containers (#7789).
    • Fixed a bug where the podman untag --all command was not supported with remote Podman.
    • Fixed a bug where the podman system service command could time out even if active attach connections were present (#7826).
    • Fixed a bug where the podman system service command would sometimes never time out despite no active connections being present.
    • Fixed a bug where Podman's handling of capabilities, specifically inheritable, did not match Docker's.
    • Fixed a bug where podman run would fail if the image specified was a manifest list and had already been pulled (#7798).
    • Fixed a bug where Podman did not take search registries into account when looking up images locally (#6381).
    • Fixed a bug where the podman manifest inspect command would fail for images that had already been pulled (#7726).
    • Fixed a bug where rootless Podman would not add supplemental GIDs to containers when a user, but not a group, was set via the --user option to podman create and podman run and sufficient GIDs were available to add the groups (#7782).
    • Fixed a bug where remote Podman commands did not properly handle cases where the user gave a name that could also be a short ID for a pod or container (#7837).
    • Fixed a bug where podman image prune could leave images ready to be pruned after podman image prune was run (#7872).
    • Fixed a bug where the podman logs command with the journald log driver would not read all available logs (#7476).
    • Fixed a bug where the --rm and --restart options to podman create and podman run did not conflict when a restart policy that is not on-failure was chosen (#7878).
    • Fixed a bug where the --format "table {{ .Field }}" option to numerous Podman commands ceased to function on Podman v2.0 and up.
    • Fixed a bug where pods did not properly share an SELinux label between their containers, resulting in containers being unable to see the processes of other containers when the pod shared a PID namespace (#7886).
    • Fixed a bug where the --namespace option to podman ps did not work with the remote client (#7903).
    • Fixed a bug where rootless Podman incorrectly calculated the number of UIDs available in the container if multiple different ranges of UIDs were specified.
    • Fixed a bug where the /etc/hosts file would not be correctly populated for containers in a user namespace (#7490).
    • Fixed a bug where the podman network create and podman network remove commands could race when run in parallel, with unpredictable results (#7807).
    • Fixed a bug where the -p option to podman run, podman create, and podman pod create would, when given only a single number (e.g. -p 80), assign the same port for both host and container, instead of generating a random host port (#7947).
    • Fixed a bug where Podman containers did not properly store the cgroup manager they were created with, causing them to stop functioning after the cgroup manager was changed in containers.conf or with the --cgroup-manager option (#7830).
    • Fixed a bug where the podman inspect command did not include information on the CNI networks a container was connected to if it was not running.
    • Fixed a bug where the podman attach command would not print a newline after detaching from the container (#7751).
    • Fixed a bug where the HOME environment variable was not set properly in containers when the --userns=keep-id option was set (#8004).
    • Fixed a bug where the podman container restore command could panic when the container in question was in a pod (#8026).
    • Fixed a bug where the output of the podman image trust show --raw command was not properly formatted.
    • Fixed a bug where the podman runlabel command could panic if a label to run was not given (#8038).
    • Fixed a bug where the podman run and podman start --attach commands would exit with an error when the user detached manually using the detach keys on remote Podman (#7979).
    • Fixed a bug where rootless CNI networking did not use the dnsname CNI plugin if it was not available on the host, despite it always being available in the container used for rootless networking (#8040).
    • Fixed a bug where Podman did not properly handle cases where an OCI runtime is specified by its full path, and could revert to using another OCI runtime with the same binary path that existed in the system $PATH on subsequent invocations.
    • Fixed a bug where the --net=host option to podman create and podman run would cause the /etc/hosts file to be incorrectly populated (#8054).
    • Fixed a bug where the podman inspect command did not include container network information when the container shared its network namespace (IE, joined a pod or another container's network namespace via --net=container:...) (#8073).
    • Fixed a bug where the podman ps command did not include information on all ports a container was publishing.
    • Fixed a bug where the podman build command incorrectly forwarded STDIN into build containers from RUN instructions.
    • Fixed a bug where the podman wait command's --interval option did not work when units were not specified for the duration (#8088).
    • Fixed a bug where the --detach-keys and --detach options could be passed to podman create despite having no effect (and not making sense in that context).
    • Fixed a bug where Podman could not start containers if running on a system without a /etc/resolv.conf file (which occurs on some WSL2 images) (#8089).
    • Fixed a bug where the --extract option to podman cp was nonfunctional.
    • Fixed a bug where the --cidfile option to podman run would, when the container was not run with --detach, only create the file after the container exited (#8091).
    • Fixed a bug where the podman images and podman images -a commands could panic and not list any images when certain improperly-formatted images were present in storage (#8148).
    • Fixed a bug where the podman events command could, when the journald events backend was in use, become nonfunctional when a badly-formatted event or a log message that contained a certain string was present in the journal (#8125).
    • Fixed a bug where remote Podman would, when using SSH transport, not authenticate to the server using hostkeys when connecting on a port other than 22 (#8139).
    • Fixed a bug where the podman attach command would not exit when containers stopped (#8154).
    • Fixed a bug where Podman did not properly clean paths before verifying them, resulting in Podman refusing to start if the root or temporary directories were specified with extra trailing / characters (#8160).
    • Fixed a bug where remote Podman did not support hashed hostnames in the known_hosts file on the host for establishing connections (#8159).
    • Fixed a bug where the podman image exists command would return non-zero (false) when multiple potential matches for the given name existed.
    • Fixed a bug where the podman manifest inspect command on images that are not manifest lists would error instead of inspecting the image (#8023).
    • Fixed a bug where the podman system service command would fail if the directory the Unix socket was to be created inside did not exist (#8184).
    • Fixed a bug where pods that shared the IPC namespace (which is done by default) did not share a /dev/shm filesystem between all containers in the pod (#8181).
    • Fixed a bug where filters passed to podman volume list were not inclusive (#6765).
    • Fixed a bug where the podman volume create command would fail when the volume's data directory already existed (as might occur when a volume was not completely removed) (#8253).
    • Fixed a bug where the podman run and podman create commands would deadlock when trying to create a container that mounted the same named volume at multiple locations (e.g. podman run -v testvol:/test1 -v testvol:/test2) (#8221).
    • Fixed a bug where the parsing of the --net option to podman build was incorrect (#8322).
    • Fixed a bug where the podman build command would print the ID of the built image twice when using remote Podman (#8332).
    • Fixed a bug where the podman stats command did not show memory limits for containers (#8265).
    • Fixed a bug where the podman pod inspect command printed the static MAC address of the pod in a non-human-readable format (#8386).
    • Fixed a bug where the --tls-verify option of the podman play kube command had its logic inverted (false would enforce the use of TLS, true would disable it).
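
    The two remote-client fixes above (#8139 and #8159) both depend on how a host and port are looked up in known_hosts: OpenSSH stores a non-22 port as [host]:port, and a hashed entry as |1|salt|HMAC-SHA1(salt, name). The Go program below is an added example, not Podman's own code; the function names, host names, salt and key strings are constructed for illustration. It lets you check which entries in a known_hosts file cover a given remote connection.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"strings"
)

// knownHostsName returns the name OpenSSH records for host:port.
// Port 22 is stored as the bare host, any other port as "[host]:port".
func knownHostsName(host string, port int) string {
	if port == 22 {
		return host
	}
	return fmt.Sprintf("[%s]:%d", host, port)
}

// hashName builds the hashed form "|1|<salt>|<HMAC-SHA1(salt, name)>".
func hashName(name string, salt []byte) string {
	mac := hmac.New(sha1.New, salt)
	mac.Write([]byte(name))
	enc := base64.StdEncoding
	return "|1|" + enc.EncodeToString(salt) + "|" + enc.EncodeToString(mac.Sum(nil))
}

// matchesEntry reports whether the host field of one known_hosts line
// covers name. Hashed fields are recomputed with the stored salt; plain
// fields are compared literally (wildcards and negation are not handled).
func matchesEntry(field, name string) bool {
	if strings.HasPrefix(field, "|1|") {
		parts := strings.Split(field, "|") // "", "1", salt, hash
		if len(parts) != 4 {
			return false
		}
		salt, err := base64.StdEncoding.DecodeString(parts[2])
		if err != nil {
			return false
		}
		want, err := base64.StdEncoding.DecodeString(parts[3])
		if err != nil {
			return false
		}
		mac := hmac.New(sha1.New, salt)
		mac.Write([]byte(name))
		return hmac.Equal(mac.Sum(nil), want)
	}
	for _, pattern := range strings.Split(field, ",") {
		if pattern == name {
			return true
		}
	}
	return false
}

// FindHostKeys returns "<keytype> <key>" for every known_hosts line that
// applies to host:port. An empty result means the connection has no pinned
// host key and must not be trusted silently.
func FindHostKeys(knownHosts, host string, port int) []string {
	name := knownHostsName(host, port)
	var keys []string
	for _, line := range strings.Split(knownHosts, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		// Skip malformed lines and @cert-authority / @revoked markers.
		if len(fields) < 3 || strings.HasPrefix(fields[0], "@") {
			continue
		}
		if matchesEntry(fields[0], name) {
			keys = append(keys, fields[1]+" "+fields[2])
		}
	}
	return keys
}

// SampleKnownHosts returns a constructed file: a hashed entry for a
// non-default port, a plain entry for port 22, and a hashed port-22 entry.
func SampleKnownHosts() string {
	salt := []byte("constructed-salt-20b") // constructed, not a real salt
	return strings.Join([]string{
		"# constructed sample, keys are placeholders",
		hashName("[podman.example.test]:2222", salt) + " ssh-ed25519 CONSTRUCTED_KEY_A",
		"podman.example.test ssh-ed25519 CONSTRUCTED_KEY_B",
		hashName("other.example.test", salt) + " ssh-rsa CONSTRUCTED_KEY_C",
	}, "\n")
}

func main() {
	kh := SampleKnownHosts()
	fmt.Println(FindHostKeys(kh, "podman.example.test", 2222))
	fmt.Println(FindHostKeys(kh, "podman.example.test", 22))
	fmt.Println(FindHostKeys(kh, "other.example.test", 2222))
}
```

    An entry recorded for port 22 does not cover the same host on another port, so the last lookup returns nothing.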

    API

    • The Compat Create endpoint for Container has received a major refactor to share more code with the Libpod Create endpoint, and should be significantly more stable.
    • A Compat endpoint for exporting multiple images at once, GET /images/get, has been added (#7950).
    • The Compat Network Connect and Network Disconnect endpoints have been added.
    • Endpoints that deal with image registries now support an X-Registry-Config header to specify registry authentication configuration.
    • The Compat Create endpoint for images now properly supports specifying images by digest.
    • The Libpod Build endpoint for images now supports an httpproxy query parameter which, if set to true, will forward the server's HTTP proxy settings into the build container for RUN instructions.
    • The Libpod Untag endpoint for images will now remove all tags for the given image if no repository and tag are specified for removal.
    • Fixed a bug where the Compat Logs endpoint for containers did not send a newline character after each log line.
    • Fixed a bug where the Compat Logs endpoint for containers would mangle line endings, adding a carriage return before each newline character (#7942).
    • Fixed a bug where the Compat Inspect endpoint for Containers did not properly list the container's stop signal (#7917).
    • Fixed a bug where the Compat Inspect endpoint for Containers formatted the container's create time incorrectly (#7860).
    • Fixed a bug where the Compat Inspect endpoint for Containers did not include complete network information on the container.
    • Fixed a bug where the server could panic if a client closed a connection midway through an image pull (#7896).
    • Fixed a bug where the Compat Create endpoint for volumes returned an error when a volume with the same name already existed, instead of succeeding with a 201 code (#7740).
    • Fixed a bug where a client disconnecting from the Libpod or Compat events endpoints could result in the server using 100% CPU (#7946).
    • Fixed a bug where the "no such image" error message sent by the Compat Inspect endpoint for Images returned a 404 status code with an error that was improperly formatted for Docker compatibility.
    • Fixed a bug where the Compat Create endpoint for networks did not properly set a default for the driver parameter if it was not provided by the client.
    • Fixed a bug where the Compat Inspect endpoint for images did not populate the RootFS field of the response.

    Misc

    • Updated Buildah to v1.18.0
    • Updated the containers/storage library to v1.24.0
    • Updated the containers/image library to v5.8.0
    • Updated the containers/common library to v0.27.0
  • v2.1.1(Sep 25, 2020)

    Changes

    • The podman info command now includes the cgroup manager Podman is using.

    Bugfixes

    • Fixed a bug where Podman would not build with the varlink build tag enabled.
    • Fixed a bug where the podman save command could, when asked to save multiple images, write its progress bar to the archive instead of the terminal, producing a corrupted archive.
    • Fixed a bug where the json-file log driver did not write logs.
    • Fixed a bug where podman-remote start --attach did not properly handle detaching using the detach keys.
    • Fixed a bug where podman pod ps --filter label=... did not work.
    • Fixed a bug where the podman build command did not respect the --runtime flag.

    API

    • The REST API now includes a Server header in all responses.
    • Fixed a bug where the Libpod and Compat Attach endpoints could terminate early, before sending all output from the container.
    • Fixed a bug where the Compat Create endpoint for containers did not properly handle the Interactive parameter.
    • Fixed a bug where the Compat Kill endpoint for containers could continue to run after a fatal error.
    • Fixed a bug where the Limit parameter of the Compat List endpoint for Containers did not properly handle a limit of 0 (returning nothing, instead of all containers) (#7722).
    • The Libpod Stats endpoint for containers is being deprecated and will be replaced by a similar endpoint with additional features in a future release.
  • v2.1.0(Sep 22, 2020)

    Features

    • A new command, podman image mount, has been added. This allows for an image to be mounted, read-only, to inspect its contents without creating a container from it (#1433).
    • The podman save and podman load commands can now create and load archives containing multiple images (#2669).
    • Rootless Podman now supports all podman network commands, and rootless containers can now be joined to networks.
    • The performance of podman build on ADD and COPY instructions has been greatly improved, especially when a .dockerignore is present.
    • The podman run and podman create commands now support a new mode for the --cgroups option, --cgroups=split. Podman will create two cgroups under the cgroup it was launched in, one for the container and one for Conmon. This mode is useful for running Podman in a systemd unit, as it ensures that all processes are retained in systemd's cgroup hierarchy (#6400).
    • The podman run and podman create commands can now specify options to slirp4netns by using the --network option as follows: --net slirp4netns:opt1,opt2. This allows for, among other things, switching the port forwarder used by slirp4netns away from rootlessport.
    • The podman ps command now features a new option, --storage, to show containers from Buildah, CRI-O and other applications.
    • The podman run and podman create commands now feature a --sdnotify option to control the behavior of systemd's sdnotify with containers, enabling improved support for Podman in Type=notify units.
    • The podman run command now features a --preserve-fds option to pass file descriptors from the host into the container (#6458).
    • The podman run and podman create commands can now create overlay volume mounts, by adding the :O option to a bind mount (e.g. -v /test:/test:O). Overlay volume mounts will mount a directory into a container from the host and allow changes to it, but not write those changes back to the directory on the host.
    • The podman play kube command now supports the Socket HostPath type (#7112).
    • The podman play kube command now supports read-only mounts.
    • The podman play kube command now supports setting labels on pods from Kubernetes metadata labels.
    • The podman play kube command now supports setting container restart policy (#7656).
    • The podman play kube command now properly handles HostAlias entries.
    • The podman generate kube command now adds /etc/hosts entries created with --host-add to the generated YAML as HostAlias entries.
    • The podman play kube and podman generate kube commands now properly support shareProcessNamespace to share the PID namespace in pods.
    • The podman volume ls command now supports the dangling filter to identify volumes that are dangling (not attached to any container).
    • The podman run and podman create commands now feature a --umask option to set the umask of the created container.
    • The podman create and podman run commands now feature a --tz option to set the timezone within the container (#5128).
    • Environment variables for Podman can now be added in the containers.conf configuration file.
    • The --mount option of podman run and podman create now supports a new mount type, type=devpts, to add a devpts mount to the container. This is useful for containers that want to mount /dev/ from the host into the container, but still create a terminal.
    • The --security-opt flag to podman run and podman create now supports a new option, proc-opts, to specify options for the container's /proc filesystem.
    • Podman with the crun OCI runtime now supports a new option to podman run and podman create, --cgroup-conf, which allows for advanced configuration of cgroups on cgroups v2 systems.
    • The podman create and podman run commands now support a --override-variant option, to override the architecture variant of the image that will be pulled and run.
    • A new global option has been added to Podman, --runtime-flags, which allows for setting flags to use when the OCI runtime is called.
    • The podman manifest add command now supports the --cert-dir, --auth-file, --creds, and --tls-verify options.

    Security

    • This release resolves CVE-2020-14370, in which environment variables could be leaked between containers created using the Varlink API.

    Changes

    • Podman will now retry pulling an image 3 times if a pull fails due to network errors.
    • The podman exec command would previously print error messages (e.g. exec session exited with non-zero exit code -1) when the command run exited with a non-0 exit code. It no longer does this. The podman exec command will still exit with the same exit code as the command run in the container did.
    • Error messages when creating a container or pod with a name that is already in use have been improved.
    • For read-only containers running systemd init, Podman creates a tmpfs filesystem at /run. This was previously limited to 65k in size and mounted noexec, but is now unlimited size and mounted exec.
    • The podman system reset command no longer removes configuration files for rootless Podman.

    Bugfixes

    • Fixed a bug where Podman would not add an entry to /etc/hosts for a container if it joined another container's network namespace (#66782).
    • Fixed a bug where podman save --format oci-dir saved the image in an incorrect format (#6544).
    • Fixed a bug where privileged containers would still configure an AppArmor profile.
    • Fixed a bug where the --format option of podman system df was not properly interpreting format codes that included backslashes (#7149).
    • Fixed a bug where rootless Podman would ignore errors from newuidmap and newgidmap, even if /etc/subuid and /etc/subgid contained valid mappings for the user running Podman.
    • Fixed a bug where the podman commit command did not properly handle single-character image names (#7114).
    • Fixed a bug where the output of podman ps --format=json did not include a Status field (#6980).
    • Fixed a bug where input to the --log-level option was no longer case-insensitive.
    • Fixed a bug where podman images could segfault when an image pull was aborted while incomplete, leaving an image without a manifest (#7444).
    • Fixed a bug where rootless Podman would try to create the ~/.config directory when it did not exist, despite not placing any configuration files inside the directory.
    • Fixed a bug where the output of podman system df was inconsistent based on whether the -v option was specified (#7405).
    • Fixed a bug where --security-opt apparmor=unconfined would error if AppArmor was not enabled on the system (#7545).
    • Fixed a bug where running podman stop on multiple containers started with --rm could sometimes cause no such container errors (#7384).
    • Fixed a bug where podman-remote would still try to contact the server when displaying help information about subcommands.
    • Fixed a bug where the podman build --logfile command would segfault.
    • Fixed a bug where the podman generate systemd command did not properly handle containers which were created with a name given as --name=$NAME instead of --name $NAME (#7157).
    • Fixed a bug where the podman ps command was ignoring the --latest flag.
    • Fixed a bug where the podman-remote kill command would hang when a signal that did not kill the container was specified (#7135).
    • Fixed a bug where the --oom-score-adj option of podman run and podman create was nonfunctional.
    • Fixed a bug where the --display option of podman runlabel was nonfunctional.
    • Fixed a bug where the podman runlabel command would not pull images that did not exist locally on the system.
    • Fixed a bug where podman-remote run would not exit with the correct code when the container was removed by a podman-remote rm -f while podman-remote run was still running (#7117).
    • Fixed a bug where the podman-remote run --rm command would error attempting to remove containers that had already been removed (e.g. by podman-remote rm --force) (#7340).
    • Fixed a bug where podman --user with a numeric user and podman run --userns=keepid could create users in /etc/passwd in the container that belong to groups without a corresponding entry in /etc/group (#7389).
    • Fixed a bug where podman run --userns=keepid could create entries in /etc/passwd with a UID that was already in use by another user (#7503).
    • Fixed a bug where podman --user with a numeric user and podman run --userns=keepid could create users that could not be logged into (#7499).
    • Fixed a bug where trying to join another container's user namespace with --userns container:$ID would fail (#7547).
    • Fixed a bug where the podman play kube command would trim underscores from container names (#7020).
    • Fixed a bug where the podman attach command would not show output when attaching to a container with a terminal (#6523).
    • Fixed a bug where the podman system df command could be extremely slow when large quantities of images were present (#7406).
    • Fixed a bug where podman images -a would break if any image pulled by digest was present in the store (#7651).
    • Fixed a bug where the --mount option to podman run and podman create required the type= parameter to be passed first (#7628).
    • Fixed a bug where the --infra-command parameter to podman pod create was nonfunctional.
    • Fixed a bug where podman auto-update would fail for any container started with --pull=always (#7407).
    • Fixed a bug where the podman wait command would only accept a single argument.
    • Fixed a bug where the parsing of the --volumes-from option to podman run and podman create was broken, making it impossible to use multiple mount options at the same time (#7701).
    • Fixed a bug where the podman exec command would not join executed processes to the container's supplemental groups if the container was started with both the --user and --group-add options.
    • Fixed a bug where the --iidfile option to podman-remote build was nonfunctional.

    API

    • The Libpod API version has been bumped to v2.0.0 due to a breaking change in the Image List API.
    • Docker-compatible Volume Endpoints (Create, Inspect, List, Remove, Prune) are now available!
    • Added an endpoint for generating systemd unit files for containers.
    • The last parameter to the Libpod container list endpoint now has an alias, limit (#6413).
    • The Libpod image list API now returns timestamps in Unix format, as integers, as opposed to as strings.
    • The Compat Inspect endpoint for containers now includes port information in NetworkSettings.
    • The Compat List endpoint for images now features limited support for the (deprecated) filter query parameter (#6797).
    • Fixed a bug where the Compat Create endpoint for containers was not correctly handling bind mounts.
    • Fixed a bug where the Compat Create endpoint for containers would not return a 404 when the requested image was not present.
    • Fixed a bug where the Compat Create endpoint for containers did not properly handle Entrypoint and Command from images.
    • Fixed a bug where name history information was not properly added in the Libpod Image List endpoint.
    • Fixed a bug where the Libpod image search endpoint improperly populated the Description field of responses.
    • Added a noTrunc option to the Libpod image search endpoint.
    • Fixed a bug where the Pod List API would return null, instead of an empty array, when no pods were present (#7392).
    • Fixed a bug where endpoints that hijacked would perform the hijack too early, before being ready to send and receive data (#7195).
    • Fixed a bug where Pod endpoints that can operate on multiple containers at once (e.g. Kill, Pause, Unpause, Stop) would not forward errors from individual containers that failed.
    • The Compat List endpoint for networks now supports filtering results (#7462).
    • Fixed a bug where the Top endpoint for pods would return both a 500 and 404 when run on a nonexistent pod.
    • Fixed a bug where Pull endpoints did not stream progress back to the client.
    • The Version endpoints (Libpod and Compat) now provide version in a format compatible with Docker.
    • All non-hijacking responses to API requests should not include headers with the version of the server.
    • Fixed a bug where Libpod and Compat Events endpoints did not send response headers until the first event occurred (#7263).
    • Fixed a bug where the Build endpoints (Compat and Libpod) did not stream progress to the client.
    • Fixed a bug where the Stats endpoints (Compat and Libpod) did not properly handle clients disconnecting.
    • Fixed a bug where the Ignore parameter to the Libpod Stop endpoint was not performing properly.
    • Fixed a bug where the Compat Logs endpoint for containers did not stream its output in the correct format (#7196).

    Misc

    • Updated Buildah to v1.16.1
    • Updated the containers/storage library to v1.23.5
    • Updated the containers/image library to v5.6.0
    • Updated the containers/common library to v0.22.0
  • v2.1.0-rc2(Sep 17, 2020)

  • v2.1.0-rc1(Sep 14, 2020)

    This is the first release candidate of Podman v2.1.0. Preliminary release notes are attached below:

    Features

    • A new command, podman image mount, has been added. This allows for an image to be mounted, read-only, to inspect its contents without creating a container from it (#1433).
    • The podman save and podman load commands can now create and load archives containing multiple images (#2669).
    • Rootless Podman now supports all podman network commands, and rootless containers can now be joined to networks.
    • The performance of podman build on ADD and COPY instructions has been greatly improved, especially when a .dockerignore is present.
    • The podman run and podman create commands now support a new mode for the --cgroups option, --cgroups=split. Podman will create two cgroups under the cgroup it was launched in, one for the container and one for Conmon. This mode is useful for running Podman in a systemd unit, as it ensures that all processes are retained in systemd's cgroup hierarchy (#6400).
    • The podman run and podman create commands can now specify options to slirp4netns by using the --network option as follows: --net slirp4netns:opt1,opt2. This allows for, among other things, switching the port forwarder used by slirp4netns away from rootlessport.
    • The podman ps command now features a new option, --storage, to show containers from Buildah, CRI-O and other applications.
    • The podman run and podman create commands now feature a --sdnotify option to control the behavior of systemd's sdnotify with containers, enabling improved support for Podman in Type=notify units.
    • The podman run command now features a --preserve-fds option to pass file descriptors from the host into the container (#6458).
    • The podman run and podman create commands can now create overlay volume mounts, by adding the :O option to a bind mount (e.g. -v /test:/test:O). Overlay volume mounts will mount a directory into a container from the host and allow changes to it, but not write those changes back to the directory on the host.
    • The podman play kube command now supports the Socket HostPath type (#7112).
    • The podman play kube command now supports read-only mounts.
    • The podman play kube command now properly handles HostAlias entries.
    • The podman generate kube command now adds /etc/hosts entries created with --host-add to the generated YAML as HostAlias entries.
    • The podman play kube and podman generate kube commands now properly support shareProcessNamespace to share the PID namespace in pods.
    • The podman volume ls command now supports the dangling filter to identify volumes that are dangling (not attached to any container).
    • The podman run and podman create commands now feature a --umask option to set the umask of the created container.
    • The podman create and podman run commands now feature a --tz option to set the timezone within the container (#5128).
    • Environment variables for Podman can now be added in the containers.conf configuration file.
    • The --mount option of podman run and podman create now supports a new mount type, type=devpts, to add a devpts mount to the container. This is useful for containers that want to mount /dev/ from the host into the container, but still create a terminal.
    • The --security-opt flag to podman run and podman create now supports a new option, proc-opts, to specify options for the container's /proc filesystem.
    • Podman with the crun OCI runtime now supports a new option to podman run and podman create, --cgroup-conf, which allows for advanced configuration of cgroups on cgroups v2 systems.
    • The podman create and podman run commands now support a --override-variant option, to override the architecture variant of the image that will be pulled and run.
    • A new global option has been added to Podman, --runtime-flags, which allows for setting flags to use when the OCI runtime is called.
    • The podman manifest add command now supports the --cert-dir, --auth-file, --creds, and --tls-verify options.

    Changes

    • Podman will now retry pulling an image 3 times if a pull fails due to network errors.
    • The podman exec command would previously print error messages (e.g. exec session exited with non-zero exit code -1) when the command run exited with a non-0 exit code. It no longer does this. The podman exec command will still exit with the same exit code as the command run in the container did.
    • Error messages when creating a container or pod with a name that is already in use have been improved.
    • For read-only containers running systemd init, Podman creates a tmpfs filesystem at /run. This was previously limited to 65k in size and mounted noexec, but is now unlimited size and mounted exec.
    • The podman system reset command no longer removes configuration files for rootless Podman.

    Bugfixes

    • Fixed a bug where Podman would not add an entry to /etc/hosts for a container if it joined another container's network namespace (#66782).
    • Fixed a bug where podman save --format oci-dir saved the image in an incorrect format (#6544).
    • Fixed a bug where privileged containers would still configure an AppArmor profile.
    • Fixed a bug where the --format option of podman system df was not properly interpreting format codes that included backslashes (#7149).
    • Fixed a bug where rootless Podman would ignore errors from newuidmap and newgidmap, even if /etc/subuid and /etc/subgid contained valid mappings for the user running Podman.
    • Fixed a bug where the podman commit command did not properly handle single-character image names (#7114).
    • Fixed a bug where the output of podman ps --format=json did not include a Status field (#6980).
    • Fixed a bug where input to the --log-level option was no longer case-insensitive.
    • Fixed a bug where podman images could segfault when an image pull was aborted while incomplete, leaving an image without a manifest (#7444).
    • Fixed a bug where rootless Podman would try to create the ~/.config directory when it did not exist, despite not placing any configuration files inside the directory.
    • Fixed a bug where the output of podman system df was inconsistent based on whether the -v option was specified (#7405).
    • Fixed a bug where --security-opt apparmor=unconfined would error if AppArmor was not enabled on the system (#7545).
    • Fixed a bug where running podman stop on multiple containers started with --rm could sometimes cause no such container errors (#7384).
    • Fixed a bug where podman-remote would still try to contact the server when displaying help information about subcommands.
    • Fixed a bug where the podman build --logfile command would segfault.
    • Fixed a bug where the podman generate systemd command did not properly handle containers which were created with a name given as --name=$NAME instead of --name $NAME (#7157).
    • Fixed a bug where the podman ps command was ignoring the --latest flag.
    • Fixed a bug where the podman-remote kill command would hang when a signal that did not kill the container was specified (#7135).
    • Fixed a bug where the --oom-score-adj option of podman run and podman create was nonfunctional.
    • Fixed a bug where the --display option of podman runlabel was nonfunctional.
    • Fixed a bug where the podman runlabel command would not pull images that did not exist locally on the system.
    • Fixed a bug where podman-remote run would not exit with the correct code when the container was removed by a podman-remote rm -f while podman-remote run was still running (#7117).
    • Fixed a bug where the podman-remote run --rm command would error attempting to remove containers that had already been removed (e.g. by podman-remote rm --force) (#7340).
    • Fixed a bug where podman --user with a numeric user and podman run --userns=keepid could create users in /etc/passwd in the container that belong to groups without a corresponding entry in /etc/group (#7389).
    • Fixed a bug where podman run --userns=keepid could create entries in /etc/passwd with a UID that was already in use by another user (#7503).
    • Fixed a bug where podman --user with a numeric user and podman run --userns=keepid could create users that could not be logged into (#7499).
    • Fixed a bug where trying to join another container's user namespace with --userns container:$ID would fail (#7547).
    • Fixed a bug where the podman play kube command would trim underscores from container names (#7020).
    • Fixed a bug where the podman attach command would not show output when attaching to a container with a terminal (#6523).
    • Fixed a bug where the podman system df command could be extremely slow when large quantities of images were present (#7406).

    API

    • Docker-compatible Volume Endpoints (Create, Inspect, List, Remove, Prune) are now available!
    • Added an endpoint for generating systemd unit files for containers.
    • The last parameter to the Libpod container list endpoint now has an alias, limit (#6413).
    • The Libpod image list API now returns timestamps in Unix format, as integers, as opposed to as strings.
    • The Compat Inspect endpoint for containers now includes port information in NetworkSettings.
    • The Compat List endpoint for images now features limited support for the (deprecated) filter query parameter (#6797).
    • Fixed a bug where the Compat Create endpoint for containers was not correctly handling bind mounts.
    • Fixed a bug where the Compat Create endpoint for containers would not return a 404 when the requested image was not present.
    • Fixed a bug where the Compat Create endpoint for containers did not properly handle Entrypoint and Command from images.
    • Fixed a bug where name history information was not properly added in the Libpod Image List endpoint.
    • Fixed a bug where the Libpod image search endpoint improperly populated the Description field of responses.
    • Added a noTrunc option to the Libpod image search endpoint.
    • Fixed a bug where the Pod List API would return null, instead of an empty array, when no pods were present (#7392).
    • Fixed a bug where endpoints that hijacked would perform the hijack too early, before being ready to send and receive data (#7195).
    • Fixed a bug where Pod endpoints that can operate on multiple containers at once (e.g. Kill, Pause, Unpause, Stop) would not forward errors from individual containers that failed.
    • The Compat List endpoint for networks now supports filtering results (#7462).
    • Fixed a bug where the Top endpoint for pods would return both a 500 and 404 when run on a nonexistent pod.

    Misc

    • Updated Buildah to v1.16.1
    • Updated the containers/storage library to v1.23.5
    • Updated the containers/common library to v0.22.0