This update for libcontainers-common fixes the following issues:
libcontainers-common was updated:
3.3.1:
Bugfixes:
- podman generate systemd could not cleanup shut down containers when stopped by systemctl stop.
- podman machine commands would not properly locate the gvproxy binary in some circumstances.
- --pod-id-file option would not join the pod's network namespace.
- until filter to podman logs and podman events was improperly handled, requiring input to be negated.
- systemd-resolved for DNS would fail to start if resolved symlinked /etc/resolv.conf to an absolute path.
API:
3.3.0:
Features:
- podman machine will now automatically handle port forwarding - containers in podman machine VMs that publish ports via --publish or --publish-all will have these ports not just forwarded on the VM, but also on the host system.
- podman play kube command's --network option now accepts advanced network options (e.g. --network slirp4netns:port_handler=slirp4netns).
- podman play kube command now supports Kubernetes liveness probes, which will be created as Podman healthchecks.
- podman-restart.service, which, when enabled, will restart all containers that were started with --restart=always after the system reboots.
- rootless_networking option in containers.conf.
- image:tag@digest syntax (e.g. podman pull fedora:34@sha256:1b0d4ddd99b1a8c8a80e885aafe6034c95f266da44ead992aab388e6aa91611a).
- podman container checkpoint and podman container restore commands can now be used to checkpoint containers that are in pods, and restore those containers into pods.
- podman container restore command now features a new option, --publish, to change the ports that are forwarded to a container that is being restored from an exported checkpoint.
- podman container checkpoint command now features a new option, --compress, to specify the compression algorithm that will be used on the generated checkpoint.
- podman pull command can now pull multiple images at once (e.g. podman pull fedora:34 ubi8:latest will pull both specified images).
- podman cp command can now copy files from one container into another directly (e.g. podman cp containera:/etc/hosts containerb:/etc/).
- podman cp command now supports a new option, --archive, which controls whether copied files will be chown'd to the UID and GID of the user of the destination container.
- podman stats command now provides two additional metrics: Average CPU, and CPU time.
- podman pod create command supports a new flag, --pid, to specify the PID namespace of the pod. If specified, containers that join the pod will automatically share its PID namespace.
- podman pod create command supports a new flag, --infra-name, which allows the name of the pod's infra container to be set.
- podman auto-update command has had its output reformatted - it is now much clearer what images were pulled and what containers were updated.
- podman auto-update command now supports a new option, --dry-run, which reports what would be updated but does not actually perform the update.
- podman build command now supports a new option, --secret, to mount secrets into build containers.
- podman manifest remove command now has a new alias, podman manifest rm.
- podman login command now supports a new option, --verbose, to print detailed information about where the credentials entered were stored.
- podman events command now supports a new event, exec_died, which is produced when an exec session exits, and includes the exit code of the exec session.
- podman system connection add command now supports adding connections that connect using the tcp:// and unix:// URL schemes.
- podman system connection list command now supports a new flag, --format, to determine how the output is printed.
- podman volume prune and podman volume ls commands' --filter option now supports a new filter, until, that matches volumes created before a certain time.
- podman ps --filter option's network filter now accepts a new value: container:, which matches containers that share a network namespace with a specific container.
- podman diff command can now accept two arguments, allowing two images or two containers to be specified; the diff between the two will be printed.
- prepare_on_create option in containers.conf.
- --gpus, has been added to podman create and podman run as a no-op for better compatibility with Docker. If the nvidia-container-runtime package is installed, GPUs should be automatically added to containers without using the flag.
- If an invalid subcommand is provided, similar commands to try will now be suggested in the error message.
- The podman system reset command now removes non-Podman (e.g. Buildah and CRI-O) containers as well.
- podman machine requires [gvproxy] in order to function.
- install.cni makefile option has been removed. It is no longer required to distribute the default 87-podman.conflist CNI configuration file, as Podman will now automatically create it.
- --root option to Podman will not automatically clear all default storage options when set. Storage options can be set manually using --storage-opt.
- podman system connection list is now deterministic, with connections being sorted alphabetically by their name.
- podman-auto-update.service) has had its default timer adjusted so it now starts at a random time up to 15 minutes after midnight, to help prevent system congestion from numerous daily services run at once.
- podman generate systemd now depend on network-online.target by default.
- podman generate systemd now use Type=notify by default, instead of using PID files.
- podman info command's logic for detecting package versions on Gentoo has been improved, and should be significantly faster.
Bugfixes:
- podman play kube command did not perform SELinux relabelling of volumes specified with a mountPath that included the :z or :Z options.
- podman play kube command would ignore the USER and EXPOSE directives in images.
- podman play kube command would only accept lowercase pull policies.
- :z or :Z options were not appropriately relabelled for access from the container.
- podman logs -f command, with the journald log driver, could sometimes fail to pick up the last line of output from a container.
- podman rm on a container created with the --rm option would occasionally emit an error message saying the container failed to be removed, when it was successfully removed.
- LISTEN_PID and LISTEN_FDS environment variables were set, but LISTEN_FDNAMES was not.
- -d and when the associated podman exec process was killed before completion.
- podman system service could, when run in a systemd unit file with sdnotify in use, drop some connections when it was starting up.
- slirp4netns network mode would leave zombie processes that were not cleaned up until podman system service exited.
- podman system service command would leave zombie processes after its initial launch that were not cleaned up until it exited.
- podman machine could not be started after the host system restarted.
- podman pod ps command would not show headers for optional information (e.g. container names when the --ctr-names option was given).
- podman create and podman run commands would ignore timezone configuration from the server's containers.conf file.
- podman build command would only respect .containerignore and not .dockerignore files (when both are present, .containerignore will be preferred).
- podman build command would fail to send the Dockerfile being built to the server when it was excluded by the .dockerignore file, resulting in an error.
- podman build command could unexpectedly stop streaming the output of the build.
- podman build command would fail to build when run on Windows.
- podman manifest create command accepted at most two arguments (an arbitrary number of images are allowed as arguments, which will be added to the manifest).
- podman exec -i command would hang when input was provided via shell redirection (e.g. podman --remote exec -i foo cat <<<'hello').
- --rm were not immediately removed after being started by podman start if they failed to start.
- --storage-opt flag to podman create and podman run was nonfunctional.
- --device-cgroup-rule option to podman create and podman run was nonfunctional.
- --tls-verify option to podman manifest push was nonfunctional.
- podman import command could, in some circumstances, produce empty images.
- docker-daemon: transport had the wrong registry (localhost instead of docker.io/library).
- podman image prune and podman system prune) would prune untagged images with children.
- podman network create did not properly auto-assign an IPv4 subnet when one was not explicitly specified.
- rootlessport port forwarder would break when a network was disconnected and then reconnected.
- --net=host would add an entry to /etc/hosts for the container's hostname pointing to 127.0.1.1.
- podman unpause --all command would throw an error for every container that was not paused.
- since and until filters using Unix timestamps with a nanoseconds portion could not be parsed.
- podman info command would sometimes print the wrong path for the slirp4netns binary.
- podman network connect and podman network disconnect of rootless containers could sometimes break port forwarding to the container.
- Fixed a bug where joining a container to a CNI network by ID and adding network aliases to this network would cause the container to fail to start.
- Fixed a bug where the Compat List endpoint for Containers included healthcheck information for all containers, even those that did not have a configured healthcheck.
- NetworkMode parameter set to default.
- ContainerConfig field.
- Content-Type header, rejecting content that Docker would have accepted.
- until query parameter.
- platform, message, and repo query parameters.
- platform query parameter.
Misc:
- storage was updated to 1.36.0.
- Updated image to 5.16.0.
Update podman to 3.2.3:
Security:
- podman build command with the --isolation chroot flag that results in environment variables from the host leaking into build containers. (bsc#1188520)
Bugfixes:
- podman save would refuse to save images with an architecture different from that of the host.
- podman import command did not correctly handle images without tags.
- dnsname CNI plugin was in use and the host system's /etc/resolv.conf was a symlink ([#10855] and #10929).
Update podman to 3.2.2
3.2.2:
Bugfixes:
- podman cp would, when given a directory as its source and a target that existed and was a file, copy the contents of the directory into the parent directory of the file; this now results in an error.
- podman logs command would, when following a running container's logs, not include the last line of output from the container when it exited when the k8s-file driver was in use.
- systemd-resolved was incorrectly detected as the system's DNS server.
- podman exec -t command would only resize the exec session's TTY after the session started, leading to a race condition where the terminal would initially not have a size set.
- slirp4netns network mode would add an incorrect entry to /etc/hosts pointing the container's hostname to the wrong IP address.
- uid and gid options to podman volume create -o.
- podman run command could panic when parsing the system's cgroup configuration.
- podman build -f - ... command did not read a Containerfile from STDIN.
- podman container restore --import command would fail to restore checkpoints created from privileged containers.
- TMPDIR environment variable when pulling images.
- --format option.
API:
- devices query parameter.
Misc:
- make podman-remote-static target to build a statically-linked podman-remote binary was instead producing dynamic binaries.
3.2.1:
Changes:
- Podman now allows corrupt images (e.g. from restarting the system during an image pull) to be replaced by a podman pull of the same image (instead of requiring they be removed first, then re-pulled).
Bugfixes:
- /usr/share/containers/seccomp.json.
- podman machine start command failed on OS X machines with the AMD64 architecture and certain QEMU versions.
- podman stats command would fail on Cgroups v1 systems when run on a container running systemd.
- podman container checkpoint did not function correctly.
- podman build command did not properly handle the -f option.
- podman run command would sometimes not resize the container's terminal before execution began.
- --filter option to the podman image prune command was nonfunctional.
- podman logs -f command would exit before all output for a container was printed when the k8s-file log driver was in use.
- podman network connect and podman network disconnect commands acted improperly when containers were in the Created state, marking the changes as done but not actually performing them.
API:
3.2.0:
Features:
- podman network connect, podman network disconnect, and podman network reload commands have been enabled for rootless Podman.
- podman machine, was added to assist in managing virtual machines containing a Podman server. These are intended for easing the use of Podman on OS X by handling the creation of a Linux VM for running Podman.
- podman generate kube command can now be run on Podman named volumes (generating PersistentVolumeClaim YAML), in addition to pods and containers.
- podman play kube command now supports two new options, --ip and --mac, to set static IPs and MAC addresses for created pods ([#8442] and #9731).
- podman play kube command's support for PersistentVolumeClaim YAML has been greatly improved.
- podman generate kube command now preserves the label used by podman auto-update to identify containers to update as a Kubernetes annotation, and the podman play kube command will convert this annotation back into a label. This allows podman auto-update to be used with containers created by podman play kube.
- podman play kube command now supports Kubernetes secretRef YAML (using the secrets support from podman secret) for environment variables.
- type=env option to the --secret flag to podman create and podman run.
- podman start command now supports the --all option, allowing all containers to be started simultaneously with a single command. The --filter option has also been added to filter which containers to start when --all is used.
- --filter option to podman ps and podman start now supports a new filter, restart-policy, to filter containers based on their restart policy.
- --group-add option to rootless podman run and podman create now accepts a new value, keep-groups, which instructs Podman to retain the supplemental groups of the user running Podman in the created container. This is only supported with the crun OCI runtime.
- podman run and podman create commands now support a new option, --timeout. This sets a maximum time the container is allowed to run, after which it is killed.
- podman run and podman create commands now support a new option, --pidfile. This will create a file when the container is started containing the PID of the first process in the container.
- podman run and podman create commands now support a new option, --requires. The --requires option adds dependency containers - containers that must be running before the current container. Commands like podman start will automatically start the requirements of a container before starting the container itself.
- io.containers.autoupdate label set to local.
- /etc/hosts, host.containers.internal, pointing to the current gateway (which, for root containers, is usually a bridge interface on the host system).
- podman ps, podman pod ps, podman network list, podman secret list, and podman volume list commands now support a --noheading option, which will cause Podman to omit the heading line including column names.
- podman unshare command now supports a new flag, --rootless-cni, to join the rootless network namespace. This allows commands to be run in the same network environment as rootless containers with CNI networking.
- --security-opt unmask= option to podman run and podman create now supports glob operations to unmask a group of paths at once (e.g. podman run --security-opt unmask=/proc/* ... will unmask all paths in /proc in the container).
- The podman network prune command now supports a --filter option to filter which networks will be pruned.
- The change in Podman 3.1.2 where the :z and :Z mount options for volumes were ignored for privileged containers has been reverted after discussion in [#10209].
- rootless-cni-infra container means that rootless CNI is now usable on all architectures, not just AMD64, and no longer requires pulling an image.
- podman auto-update command now prunes previous versions of images after updating if they are unused, to prevent disk exhaustion after repeated updates.
- podman play kube now treats environment variables configured as references to a ConfigMap as mandatory unless the optional parameter was set; this better matches the behavior of Kubernetes.
- --context=default flag from Docker as a no-op for compatibility purposes.
- CAP_SYS_ADMIN being available, it will run in a user namespace using the same code as rootless Podman (instead of failing outright).
- podman info command now includes the path of the Seccomp profile Podman is using, available cgroup controllers, and whether Podman is connected to a remote service or running containers locally.
- --rm option now automatically use the volatile storage flag when available for their root filesystems, causing them not to write changes to disk as often as they will be removed at completion anyways. This should result in improved performance.
- podman generate systemd --new command will now include environment variables referenced by the container in generated unit files if the value would be looked up from the system environment.
Bugfixes:
- podman build command did not support the --arch, --platform, and --os options.
- podman build command ignored the --rm=false option.
- podman build --iidfile command could include extra output (in addition to just the image ID) in the image ID file written.
- podman build command did not preserve hardlinks when moving files into the container via COPY instructions.
- podman generate systemd --new command could generate extra --iidfile arguments if the container was already created with one.
- podman generate systemd --new command would generate unit files that did not include RequiresMountsFor lines.
- podman generate kube command produced incorrect YAML for containers which bind-mounted both / and /root from the host system into the container.
- podman play kube from YAML that specified ShareProcessNamespace would only share the PID namespace (and not also the UTS, Network, and IPC namespaces).
- podman network reload command could generate spurious error messages when iptables-nft was in use.
- podman ps command could fail with a no such container error due to a race condition with container removal.
- slirp4netns network mode and setting a custom slirp4netns subnet while using the rootlesskit port forwarder would not be able to forward ports.
- --filter ancestor= option to podman ps did not require an exact match of the image name/ID to include a container in its results.
- --filter until= option to podman image prune would prune images created after the specified time (instead of before).
- seccomp_profile option in containers.conf had no effect, and the default profile was used instead.
- --cgroup-parent option to podman create and podman run was ignored in rootless Podman on cgroups v2 systems with the cgroupfs cgroup manager.
- IMAGE and NAME variables in podman container runlabel were not being correctly substituted.
- --restart=always) would lose networking after being restarted.
- podman cp command could not copy files into containers created with the --pid=host flag.
- podman events command could not be specified twice (if a filter is specified more than once, it will match if any of the given values match - logical or).
- resolv.conf in containers without IPv6 connectivity.
- Fixed a bug where containers could not be created with static IP addresses when connecting to a network using the macvlan driver.
- Fixed a bug where the Compat Create endpoint for Containers did not allow advanced network options to be set.
- IPAMConfig block.
- died instead of die).
Update storage to 1.32.5
Update podman to 3.1.2
3.1.2:
Bugfixes:
- podman rmi command could fail to remove corrupt images from storage.
- podman save command did not support the oci-dir and docker-dir formats.
- podman play kube created with a trailing / in the container path were not properly superseding named volumes from the image.
Update podman to 3.1.1
- trace as a valid argument to the --log-level command. Trace logging is now the most verbose level of logging available.
- :z and :Z options for volume mounts are now ignored when the container is privileged or is run with SELinux isolation disabled (--security-opt label=disable). This better matches Docker's behavior in this case.
Bugfixes:
- podman image prune or podman system prune commands could cause Podman to panic.
- podman save command did not properly error when the --compress flag was used with incompatible format types.
- --security-opt and --ulimit options to the remote Podman client's podman build command were nonfunctional.
- --log-rusage option to the remote Podman client's podman build command was nonfunctional.
- podman build command could, in some circumstances, use the wrong OCI runtime.
- podman build command could return 0 despite failing.
- podman container runlabel command did not properly expand the IMAGE and NAME variables in the label.
- --rm argument.
- cgroupfs cgroup manager was in use.
- podman stats command could error when statistics tracked exceeded the maximum size of a 32-bit signed integer.
- --userns=keepid (without a --user flag in addition) would grant exec sessions run in them too many capabilities.
- --authfile option to podman build did not validate that the path given existed.
- --storage-opt option to Podman was appending to, instead of overriding (as is documented), the default storage options.
- podman system service connection did not function properly when run in a socket-activated systemd unit file as a non-root user.
- --network option to the podman play kube command of the remote Podman client was being ignored.
- --log-driver option to the podman play kube command was nonfunctional.
API:
Update podman to 3.1.0
Features:
- podman secret create, podman secret inspect, podman secret ls and podman secret rm commands have been added to handle secrets, along with the --secret option to podman run and podman create to add secrets to containers. The initial driver for secrets does not support encryption - this will be added in a future release.
- podman network prune, has been added.
- -v option to podman run and podman create now supports a new volume option, :U, to chown the volume's source directory on the host to match the UID and GID of the container and prevent permissions issues.
- podman network exists, podman volume exists, and podman manifest exists, have been added to check for the existence of networks, volumes, and manifest lists.
- podman cp command can now copy files into directories mounted as tmpfs in a running container.
- podman volume prune command will now list volumes that will be pruned when prompting the user whether to continue and perform the prune.
- podman build command now supports the --disable-compression, --excludes, and --jobs options.
- podman push command now supports the --format option.
- podman rm command now supports the --all and --ignore options.
- podman search command now supports the --no-trunc and --list-tags options.
- podman play kube command can now read in Kubernetes YAML from STDIN when - is specified as file name (podman play kube -), allowing input to be piped into the command for scripting.
- podman generate systemd command now supports a --no-header option, which disables creation of the header comment automatically added by Podman to generated unit files.
- podman generate kube command can now generate PersistentVolumeClaim YAML for Podman named volumes.
- podman generate kube command can now generate YAML files containing multiple resources (pods or deployments).
Security:
Changes:
- podman build command no longer allows the -v flag to be used. Volumes are not yet supported with remote Podman when the client and service are on different machines.
- podman kill and podman stop commands now print the name given by the user for each container, instead of the full ID.
- --security-opt unmask=ALL or --security-opt unmask=/sys/fs/cgroup options to podman create or podman run are given, Podman will mount cgroups into the container as read-write, instead of read-only.
- podman rmi command has been changed to better handle cases where an image is incomplete or corrupted, which can be caused by interrupted image pulls.
- podman rename command has been improved to be more atomic, eliminating many race conditions that could potentially render a renamed container unusable.
- --trace option to podman has been turned into a no-op. It was used in very early versions for performance tracing, but has not been supported for some time.
- podman generate systemd command now generates RequiresMountsFor lines to ensure necessary storage directories are mounted before systemd starts Podman.
- Podman will now emit a warning when --tty and --interactive are both passed, but STDIN is not a TTY. This will be made into an error in the next major Podman release some time next year.
- Fixed a bug where rootless Podman containers joined to CNI networks could not receive traffic from forwarded ports.
- podman network create with the --macvlan flag did not honor the --gateway, --subnet, and --opt options.
- podman generate kube command generated invalid YAML for privileged containers.
- podman generate kube command could not be used with containers that were not running.
- podman generate systemd command could duplicate some parameters to Podman in generated unit files.
- containers.conf to containers.
- no_hosts default in containers.conf when creating containers.
- --tail=0, --since, and --follow options to the podman logs command did not function properly when using the journald log backend.
- podman logs when the journald log backend was in use did not function correctly.
- podman run and podman create commands would panic if a memory limit was set, but the swap limit was set to unlimited.
- --network option to podman run, podman create, and podman pod create would error if the user attempted to specify CNI networks by ID, instead of name.
- podman stats command.
- podman cp did not properly handle cases where /dev/stdout was specified as the destination (it was treated identically to -).
- podman cp command would create files with incorrect ownership.
- podman cp command did not properly handle cases where the destination directory did not exist.
- podman cp command did not properly evaluate symlinks when copying out of containers.
- podman rm -fa command would error when attempting to remove containers created with --rm.
- CapDrop field of the output of podman inspect on a container.
- podman network connect command could be used with containers that were not initially connected to a CNI bridge network (e.g. containers created with --net=host).
- dnsname CNI plugin were not being added to container's resolv.conf under some circumstances.
- --ignorefile option to podman build was nonfunctional.
- --timestamp option to podman build was nonfunctional.
- --iidfile option to podman build could cause Podman to panic if an error occurred during the build.
- --dns-search option to podman build was nonfunctional.
- --pull-never option to podman build was nonfunctional.
- --build-arg option to podman build would, when given a key but not a value, error (instead of attempting to look up the key as an environment variable).
- --isolation option to podman build in the remote Podman client was nonfunctional.
- podman network disconnect command could cause errors when the container that had a network removed was stopped and its network was cleaned up.
- podman network rm command did not properly check what networks a container was present in, resulting in unexpected behavior if podman network connect or podman network disconnect had been used with the network.
- stopping state.
- podman load command could return 0 even in cases where an error occurred.
- --storage-opt option would override all storage options. Instead, storage options are now overridden only when the --storage-driver option is used to override the current graph driver.
- --privileged could request more capabilities than were available to Podman.
- podman commit did not use the TMPDIR environment variable to place temporary files created during the commit.
- CONFIG_USER_NS.
- podman volume create and then mounted into a container could be incorrect.
- Fixed a bug where the --tz option to podman create and podman run did not properly validate its input.
- Fixed a bug where the X-Registry-Auth header did not accept null as a valid value.
- /auth, has been added. This endpoint validates credentials against a registry.
- []), when no networks were present.
- /libpod/network/$ID/json) now has an alias at /libpod/network/$ID.
- NanoCpus option.
Update podman to 3.0.1
3.0.1:
Changes:
- WARN level log messages have been downgraded to INFO or DEBUG to not clutter terminal output.
Bugfixes:
- Created field of podman ps --format=json was formatted as a string instead of a Unix timestamp (integer).
- podman images command would cause the whole command to fail without printing output.
- --cgroups=split did not function properly on cgroups v1 systems.
- --entrypoint=[''] option to podman run and podman create as a literal empty string in the entrypoint, when instead it should have been ignored.
- HOME environment variable to '' when the container ran as a user without an assigned home directory.
- podman pod create to panic.
- --runtime option was not properly handled by the podman build command.
- podman generate systemd --new command would incorrectly escape %t when generating the path for the PID file.
- Fixed a bug where some options of the podman build command (including but not limited to --jobs) were nonfunctional.
- Fixed a breaking change to the Libpod Wait API for Containers where the Conditions parameter changed type in Podman v3.0.
- The Compat Create endpoint for Images has had its compatibility with Docker improved, allowing its use with the docker-java library.
- Updated Buildah to v1.19.4
3.0.0:
Features:
podman rename command, which allows containers to be renamed after they are created.
podman copy command.
podman network reload, has been added. This command will re-configure the network of all running containers, and can be used to recreate firewall rules lost when the system firewall was reloaded (e.g. via firewall-cmd --reload).
podman network ls and can be used when removing and inspecting networks. Existing networks receive IDs automatically.
--label option to network create, and podman network ls can filter labels based on them.
podman network create command now supports setting bridge MTU and VLAN through the --opt option.
podman container checkpoint and podman container restore commands can now checkpoint and restore containers that include volumes.
podman container checkpoint command now supports the --with-previous and --pre-checkpoint options, and the podman container restore command now supports the --import-previous option. These add support for two-step checkpointing with lowered dump times.
podman push command can now push manifest lists. Podman will first attempt to push as an image, then fall back to pushing as a manifest list if that fails.
podman generate kube command can now be run on multiple containers at once, and will generate a single pod containing all of them.
podman generate kube and podman play kube commands now support Kubernetes DNS configuration, and will preserve custom DNS configuration when exporting or importing YAML.
podman generate kube command now properly supports generating YAML for containers and pods created using host networking (--net=host).
podman kill command now supports a --cidfile option to kill containers given a file containing the container's ID.
podman pod create command now supports the --net=none option.
podman volume create command can now specify volume UID and GID as options with the UID and GID fields passed to the --opt option.
containers.conf and use them to create volumes with podman volume create --driver.
podman run and podman create commands now support a new option, --platform, to specify the platform of the image to be used when creating the container.
--security-opt option to podman run and podman create now supports the systempaths=unconfined option to unrestrict access to all paths in the container, as well as mask and unmask options to allow more granular restriction of container paths.
podman stats --format command now supports a new format specifier, MemUsageBytes, which prints the raw bytes of memory consumed by a container without human-readable formatting [#8945].
podman ps command can now filter containers based on what pod they are joined to via the pod filter.
podman pod ps command can now filter pods based on what networks they are joined to via the network filter.
podman pod ps command can now print information on what networks a pod is joined to via the .Networks specifier to the --format option.
podman system prune command now supports filtering what containers, pods, images, and volumes will be pruned.
podman volume prune command now supports filtering what volumes will be pruned.
podman system prune command now includes information on space reclaimed.
podman info command will now properly print information about packages in use on Gentoo and Arch systems.
containers.conf file now contains an option for disabling creation of a new kernel keyring on container creation.
podman image sign command can now sign multi-arch images by producing a signature for each image in a given manifest list.
podman image sign command, when run as rootless, now supports per-user registry configuration files in $HOME/.config/containers/registries.d.
slirp4netns can now be set system-wide via the NetworkCmdOptions configuration option in containers.conf.
slirp4netns can now be configured via the mtu= network command option (e.g. podman run --net slirp4netns:mtu=9000).
Security:
127.0.0.1 as the source address for all traffic forwarded into rootless containers by a forwarded port; this has been changed to address the issue. (bsc#1181640)
Changes:
podman load command no longer accepts a NAME[:TAG] argument. The presence of this argument broke CLI compatibility with Docker by making docker load commands unusable with Podman.
podman network create command can now create macvlan networks using the --driver macvlan option for Docker compatibility. The existing --macvlan flag has been deprecated and will be removed in Podman 4.0 some time next year.
podman inspect command has had the LogPath and LogTag fields moved into the LogConfig structure (from the root of the Inspect structure). The maximum size of the log file is also included.
podman generate systemd command no longer generates unit files using the deprecated KillMode=none option.
podman stop command now releases the container lock while waiting for it to stop - as such, commands like podman ps will no longer block until podman stop completes.
podman network create --internal no longer use the dnsname plugin. This configuration never functioned as expected.
podman run when an invalid SELinux is specified have been improved.
containers.conf allowing for advanced configuration of the namespaces they will share.
SSH public key handling for remote Podman has been improved.
Fixed a bug where the podman history --no-trunc command would truncate the Created By field.
Networks field of the output of podman inspect.
WORKDIR instruction) but not present in the image, would not be created.
podman generate systemd command would generate invalid unit files if the container was created using a command line that included doubled braces ({{ and }}), e.g. --log-opt-tag={{.Name}}.
podman generate systemd --new command could generate unit files including invalid Podman commands if the container was created using merged short options (e.g. podman run -dt).
podman generate systemd --new command could generate unit files that did not handle Podman commands including some special characters (e.g. $) ([#9176]).
Containerfile when sending build context to the server.
/sys as a new sysfs in some circumstances where it was acceptable.
podman play kube command did not properly handle CMD and ARGS from images.
podman play kube command did not properly handle environment variables from images.
podman play kube command did not properly print errors that occurred when starting containers.
podman play kube command errored when hostNetwork was used.
podman play kube command would always pull images when the :latest tag was specified, even if the image was available locally.
podman play kube command did not properly handle SELinux configuration, rendering YAML with custom SELinux configuration unusable.
podman generate kube command incorrectly populated the args and command fields of generated YAML.
/etc/hosts file every time the container restarted.
podman search --list-tags command did not support the --format option.
http_proxy option in containers.conf was not being respected, and instead was set unconditionally to true.
podman images command would break and fail to display any images if an empty manifest list was present in storage.
--uidmap option that included a mapping beginning with UID 0.
podman logs command using the k8s-file backend did not properly handle partial log lines with a length of 1.
podman logs command with the --follow option did not properly handle log rotation.
HOSTNAME environment variables were overwritten by Podman.
containers.conf in too many situations (e.g. applying network sysctls when the container shared its network with a pod).
--privileged option to podman run and podman create would, under some circumstances, not disable Seccomp.
podman exec command did not properly add capabilities when the container or exec session were run with --privileged.
--enable-sandbox option to slirp4netns unconditionally, even when pivot_root was disabled, rendering slirp4netns unusable when pivot_root was disabled.
podman build --logfile did not actually write the build's log to the logfile.
podman system service command did not close STDIN, and could display user-interactive prompts.
podman system reset command could, under some circumstances, remove all the contents of the XDG_RUNTIME_DIR directory.
podman network create command created CNI configurations that did not include a default gateway.
podman.service systemd unit provided by default used the wrong service type, and would cause systemd to not correctly register the service as started.
TMPDIR environment variable was set for the container engine in containers.conf, it was being ignored.
podman events command did not properly handle future times given to the --until option.
podman logs command wrote container STDERR logs to STDOUT instead of STDERR.
--cap-add=all and --user options to podman create and podman run were combined.
--layers option to podman build was nonfunctional.
podman system prune command did not act recursively, and thus would leave images, containers, pods, and volumes present that would be removed by a subsequent call to podman system prune.
--publish option to podman run and podman create did not properly handle ports specified as a range of ports with no host port specified.
--format did not support JSON output for individual fields.
podman stats command would fail when run on root containers using the slirp4netns network mode.
podman stats command would fail if the system did not support one or more of the cgroup controllers Podman supports.
--mount option to podman create and podman run did not ignore the consistency mount option.
podman network disconnect command could cause the podman inspect command to fail for a container until it was restarted.
--rootfs option to podman create and podman run) would fail.
--format option to multiple Podman commands did not support the join function.
podman rmi command could, when run in parallel on multiple images, return layer not known errors.
podman inspect command on containers displayed unlimited ulimits incorrectly.
Fixed a bug where Podman would fail to start when a volume was mounted over a directory in a container that contained symlinks that terminated outside the directory and its subdirectories.
All Libpod Pod APIs have been modified to properly report errors with individual containers. Cases where the operation as a whole succeeded but individual containers failed now report an HTTP 409 error.
container:, correctly.
containers.conf is now used).
journald backend was in use, resulting in a leak of file descriptors.
index out of range error under certain circumstances.