Releases: containers/podman

v3.2.0-RC1

05 May 18:37
v3.2.0-rc1
v3.2.0-RC1 Pre-release

This is the first release candidate for the Podman v3.2.0 release. Podman 3.2.0 features improved rootless networking (including support for rootless Docker compose), a rewritten image backend, and numerous other changes.

Full release notes will be available with the release of RC2 next week.

v3.1.2

21 Apr 20:12
v3.1.2
51b8ddb

Bugfixes

  • Fixed a bug where images with empty layers were stored incorrectly, causing them to be unable to be pushed or saved.
  • Fixed a bug where the podman rmi command could fail to remove corrupt images from storage.
  • Fixed a bug where the remote Podman client's podman save command did not support the oci-dir and docker-dir formats (#9742).
  • Fixed a bug where volume mounts from podman play kube created with a trailing / in the container path were not properly superseding named volumes from the image (#9618).
  • Fixed a bug where Podman could fail to build on 32-bit architectures.

Misc

  • Updated the containers/image library to v5.11.1

v3.1.1

16 Apr 20:40
v3.1.1
713995b

Changes

  • Podman now recognizes trace as a valid argument to the --log-level option. Trace logging is now the most verbose level of logging available.
  • The :z and :Z options for volume mounts are now ignored when the container is privileged or is run with SELinux isolation disabled (--security-opt label=disable). This better matches Docker's behavior in this case.

Bugfixes

  • Fixed a bug where pruning images with the podman image prune or podman system prune commands could cause Podman to panic.
  • Fixed a bug where the podman save command did not properly error when the --compress flag was used with incompatible format types.
  • Fixed a bug where the --security-opt and --ulimit options to the remote Podman client's podman build command were nonfunctional.
  • Fixed a bug where the --log-rusage option to the remote Podman client's podman build command was nonfunctional (#9489).
  • Fixed a bug where the podman build command could, in some circumstances, use the wrong OCI runtime (#9459).
  • Fixed a bug where the remote Podman client's podman build command could return 0 despite failing (#10029).
  • Fixed a bug where the podman container runlabel command did not properly expand the IMAGE and NAME variables in the label (#9405).
  • Fixed a bug where poststop OCI hooks would be executed twice on containers started with the --rm argument (#9983).
  • Fixed a bug where rootless Podman could fail to launch containers on cgroups v2 systems when the cgroupfs cgroup manager was in use.
  • Fixed a bug where the podman stats command could error when statistics tracked exceeded the maximum size of a 32-bit signed integer (#9979).
  • Fixed a bug where rootless Podman containers run with --userns=keep-id (without a --user flag in addition) would grant exec sessions run in them too many capabilities (#9919).
  • Fixed a bug where the --authfile option to podman build did not validate that the path given existed (#9572).
  • Fixed a bug where the --storage-opt option to Podman was appending to, instead of overriding (as is documented), the default storage options.
  • Fixed a bug where the podman system service connection did not function properly when run in a socket-activated systemd unit file as a non-root user.
  • Fixed a bug where the --network option to the podman play kube command of the remote Podman client was being ignored (#9698).
  • Fixed a bug where the --log-driver option to the podman play kube command was nonfunctional (#10015).

API

  • Fixed a bug where the Libpod Create endpoint for Manifests did not properly validate the image the manifest was being created with.
  • Fixed a bug where the Libpod DF endpoint could, in error cases, append an extra null to the JSON response, causing decode errors.
  • Fixed a bug where the Libpod and Compat Top endpoint for Containers would return process names that included extra whitespace.
  • Fixed a bug where the Compat Prune endpoint for Containers accepted too many types of filter.

Misc

  • Updated Buildah to v1.20.1
  • Updated the containers/storage library to v1.29.0
  • Updated the containers/image library to v5.11.0
  • Updated the containers/common library to v0.36.0

v3.1.0

30 Mar 13:15
v3.1.0
9f09fb6

Features

  • A set of new commands has been added to manage secrets! The podman secret create, podman secret inspect, podman secret ls and podman secret rm commands have been added to handle secrets, along with the --secret option to podman run and podman create to add secrets to containers. The initial driver for secrets does not support encryption - this will be added in a future release.
  • A new command to prune networks, podman network prune, has been added (#8673).
  • The -v option to podman run and podman create now supports a new volume option, :U, to chown the volume's source directory on the host to match the UID and GID of the container and prevent permissions issues (#7778).
  • Three new commands, podman network exists, podman volume exists, and podman manifest exists, have been added to check for the existence of networks, volumes, and manifest lists.
  • The podman cp command can now copy files into directories mounted as tmpfs in a running container.
  • The podman volume prune command will now list volumes that will be pruned when prompting the user whether to continue and perform the prune (#8913).
  • The Podman remote client's podman build command now supports the --disable-compression, --excludes, and --jobs options.
  • The Podman remote client's podman push command now supports the --format option.
  • The Podman remote client's podman rm command now supports the --all and --ignore options.
  • The Podman remote client's podman search command now supports the --no-trunc and --list-tags options.
  • The podman play kube command can now read in Kubernetes YAML from STDIN when - is specified as file name (podman play kube -), allowing input to be piped into the command for scripting (#8996).
  • The podman generate systemd command now supports a --no-header option, which disables creation of the header comment automatically added by Podman to generated unit files.
  • The podman generate kube command can now generate PersistentVolumeClaim YAML for Podman named volumes (#5788).
  • The podman generate kube command can now generate YAML files containing multiple resources (pods or deployments) (#9129).

Security

  • This release resolves CVE-2021-20291, a deadlock vulnerability in the storage library caused by pulling a specially-crafted container image.

Changes

  • The Podman remote client's podman build command no longer allows the -v flag to be used. Volumes are not yet supported with remote Podman when the client and service are on different machines.
  • The podman kill and podman stop commands now print the name given by the user for each container, instead of the full ID.
  • When the --security-opt unmask=ALL or --security-opt unmask=/sys/fs/cgroup options to podman create or podman run are given, Podman will mount cgroups into the container as read-write, instead of read-only (#8441).
  • The podman rmi command has been changed to better handle cases where an image is incomplete or corrupted, which can be caused by interrupted image pulls.
  • The podman rename command has been improved to be more atomic, eliminating many race conditions that could potentially render a renamed container unusable.
  • Detection of which OCI runtimes run using virtual machines and thus require custom SELinux labelling has been improved (#9582).
  • The hidden --trace option to podman has been turned into a no-op. It was used in very early versions for performance tracing, but has not been supported for some time.
  • The podman generate systemd command now generates RequiresMountsFor lines to ensure necessary storage directories are mounted before systemd starts Podman.
  • Podman will now emit a warning when --tty and --interactive are both passed, but STDIN is not a TTY. This will be made into an error in the next major Podman release some time next year.

Bugfixes

  • Fixed a bug where rootless Podman containers joined to CNI networks could not receive traffic from forwarded ports (#9065).
  • Fixed a bug where podman network create with the --macvlan flag did not honor the --gateway, --subnet, and --opt options (#9167).
  • Fixed a bug where the podman generate kube command generated invalid YAML for privileged containers (#8897).
  • Fixed a bug where the podman generate kube command could not be used with containers that were not running.
  • Fixed a bug where the podman generate systemd command could duplicate some parameters to Podman in generated unit files (#9776).
  • Fixed a bug where Podman did not add annotations specified in containers.conf to containers.
  • Fixed a bug where Podman did not respect the no_hosts default in containers.conf when creating containers.
  • Fixed a bug where the --tail=0, --since, and --follow options to the podman logs command did not function properly when using the journald log backend.
  • Fixed a bug where specifying more than one container to podman logs when the journald log backend was in use did not function correctly.
  • Fixed a bug where the podman run and podman create commands would panic if a memory limit was set, but the swap limit was set to unlimited (#9429).
  • Fixed a bug where the --network option to podman run, podman create, and podman pod create would error if the user attempted to specify CNI networks by ID, instead of name (#9451).
  • Fixed a bug where Podman's cgroup handling for cgroups v1 systems did not properly handle cases where a cgroup existed on some, but not all, controllers, resulting in errors from the podman stats command (#9252).
  • Fixed a bug where the podman cp command did not properly handle cases where /dev/stdout was specified as the destination (it was treated identically to -) (#9362).
  • Fixed a bug where the podman cp command would create files with incorrect ownership (#9526).
  • Fixed a bug where the podman cp command did not properly handle cases where the destination directory did not exist.
  • Fixed a bug where the podman cp command did not properly evaluate symlinks when copying out of containers.
  • Fixed a bug where the podman rm -fa command would error when attempting to remove containers created with --rm (#9479).
  • Fixed a bug where the ordering of capabilities was nondeterministic in the CapDrop field of the output of podman inspect on a container (#9490).
  • Fixed a bug where the podman network connect command could be used with containers that were not initially connected to a CNI bridge network (e.g. containers created with --net=host) (#9496).
  • Fixed a bug where DNS search domains required by the dnsname CNI plugin were not being added to the container's resolv.conf under some circumstances.
  • Fixed a bug where the --ignorefile option to podman build was nonfunctional (#9570).
  • Fixed a bug where the --timestamp option to podman build was nonfunctional (#9569).
  • Fixed a bug where the --iidfile option to podman build could cause Podman to panic if an error occurred during the build.
  • Fixed a bug where the --dns-search option to podman build was nonfunctional (#9574).
  • Fixed a bug where the --pull-never option to podman build was nonfunctional (#9573).
  • Fixed a bug where the --build-arg option to podman build would, when given a key but not a value, error (instead of attempting to look up the key as an environment variable) (#9571).
  • Fixed a bug where the --isolation option to podman build in the remote Podman client was nonfunctional.
  • Fixed a bug where the podman network disconnect command could cause errors when the container that had a network removed was stopped and its network was cleaned up (#9602).
  • Fixed a bug where the podman network rm command did not properly check what networks a container was present in, resulting in unexpected behavior if podman network connect or podman network disconnect had been used with the network (#9632).
  • Fixed a bug where some errors with stopping a container could cause Podman to panic, and the container to be stuck in an unusable stopping state (#9615).
  • Fixed a bug where the podman load command could return 0 even in cases where an error occurred (#9672).
  • Fixed a bug where specifying storage options to Podman using the --storage-opt option would override all storage options. Instead, storage options are now overridden only when the `--stor...

v3.1.0-RC2

23 Mar 20:24
v3.1.0-rc2
1b56ea2
v3.1.0-RC2 Pre-release

This is the second release candidate for Podman v3.1.0.

Preliminary release notes are below. Please note that these are subject to change until the final release.

Features

  • A set of new commands has been added to manage secrets! The podman secret create, podman secret inspect, podman secret ls and podman secret rm commands have been added to handle secrets, along with the --secret option to podman run and podman create to add secrets to containers. The initial driver for secrets does not support encryption - this will be added in a future release.
  • A new command to prune networks, podman network prune, has been added (#8673).
  • The -v option to podman run and podman create now supports a new volume option, :U, to chown the volume's source directory on the host to match the UID and GID of the container and prevent permissions issues (#7778).
  • Three new commands, podman network exists, podman volume exists, and podman manifest exists, have been added to check for the existence of networks, volumes, and manifest lists.
  • The podman cp command can now copy files into directories mounted as tmpfs in a running container.
  • The podman volume prune command will now list volumes that will be pruned when prompting the user whether to continue and perform the prune (#8913).
  • The Podman remote client's podman build command now supports the --disable-compression, --excludes, and --jobs options.
  • The Podman remote client's podman push command now supports the --format option.
  • The Podman remote client's podman rm command now supports the --all and --ignore options.
  • The Podman remote client's podman search command now supports the --no-trunc and --list-tags options.
  • The podman play kube command can now read in Kubernetes YAML from STDIN when - is specified as file name (podman play kube -), allowing input to be piped into the command for scripting (#8996).
  • The podman generate systemd command now supports a --no-header option, which disables creation of the header comment automatically added by Podman to generated unit files.

Changes

  • The Podman remote client's podman build command no longer allows the -v flag to be used. Volumes are not yet supported with remote Podman when the client and service are on different machines.
  • The podman kill and podman stop commands now print the name given by the user for each container, instead of the full ID.
  • When the --security-opt unmask=ALL or --security-opt unmask=/sys/fs/cgroup options to podman create or podman run are given, Podman will mount cgroups into the container as read-write, instead of read-only (#8441).
  • The podman rmi command has been changed to better handle cases where an image is incomplete or corrupted, which can be caused by interrupted image pulls.
  • The podman rename command has been improved to be more atomic, eliminating many race conditions that could potentially render a renamed container unusable.
  • Detection of which OCI runtimes run using virtual machines and thus require custom SELinux labelling has been improved (#9582).
  • The hidden --trace option to podman has been turned into a no-op. It was used in very early versions for performance tracing, but has not been supported for some time.

Bugfixes

  • Fixed a bug where rootless Podman containers joined to CNI networks could not receive traffic from forwarded ports (#9065).
  • Fixed a bug where podman network create with the --macvlan flag did not honor the --gateway, --subnet, and --opt options (#9167).
  • Fixed a bug where the podman generate kube command generated invalid YAML for privileged containers (#8897).
  • Fixed a bug where the podman generate kube command could not be used with containers that were not running.
  • Fixed a bug where Podman did not add annotations specified in containers.conf to containers.
  • Fixed a bug where Podman did not respect the no_hosts default in containers.conf when creating containers.
  • Fixed a bug where the --tail=0, --since, and --follow options to the podman logs command did not function properly when using the journald log backend.
  • Fixed a bug where specifying more than one container to podman logs when the journald log backend was in use did not function correctly.
  • Fixed a bug where the podman run and podman create commands would panic if a memory limit was set, but the swap limit was set to unlimited (#9429).
  • Fixed a bug where the --network option to podman run, podman create, and podman pod create would error if the user attempted to specify CNI networks by ID, instead of name (#9451).
  • Fixed a bug where Podman's cgroup handling for cgroups v1 systems did not properly handle cases where a cgroup existed on some, but not all, controllers, resulting in errors from the podman stats command (#9252).
  • Fixed a bug where the podman cp command did not properly handle cases where /dev/stdout was specified as the destination (it was treated identically to -) (#9362).
  • Fixed a bug where the podman cp command would create files with incorrect ownership (#9526).
  • Fixed a bug where the podman cp command did not properly handle cases where the destination directory did not exist.
  • Fixed a bug where the podman cp command did not properly evaluate symlinks when copying out of containers.
  • Fixed a bug where the podman rm -fa command would error when attempting to remove containers created with --rm (#9479).
  • Fixed a bug where the ordering of capabilities was nondeterministic in the CapDrop field of the output of podman inspect on a container (#9490).
  • Fixed a bug where the podman network connect command could be used with containers that were not initially connected to a CNI bridge network (e.g. containers created with --net=host) (#9496).
  • Fixed a bug where DNS search domains required by the dnsname CNI plugin were not being added to the container's resolv.conf under some circumstances.
  • Fixed a bug where the --ignorefile option to podman build was nonfunctional (#9570).
  • Fixed a bug where the --timestamp option to podman build was nonfunctional (#9569).
  • Fixed a bug where the --iidfile option to podman build could cause Podman to panic if an error occurred during the build.
  • Fixed a bug where the --dns-search option to podman build was nonfunctional (#9574).
  • Fixed a bug where the --build-arg option to podman build would, when given a key but not a value, error (instead of attempting to look up the key as an environment variable) (#9571).
  • Fixed a bug where the podman network disconnect command could cause errors when the container that had a network removed was stopped and its network was cleaned up (#9602).
  • Fixed a bug where the podman network rm command did not properly check what networks a container was present in, resulting in unexpected behavior if podman network connect or podman network disconnect had been used with the network (#9632).
  • Fixed a bug where some errors with stopping a container could cause Podman to panic, and the container to be stuck in an unusable stopping state (#9615).
  • Fixed a bug where the podman load command could return 0 even in cases where an error occurred (#9672).
  • Fixed a bug where specifying storage options to Podman using the --storage-opt option would override all storage options. Instead, storage options are now overridden only when the --storage-driver option is used to override the current graph driver (#9657).
  • Fixed a bug where containers created with --privileged could request more capabilities than were available to Podman.

API

  • Fixed a bug where the X-Registry-Auth header did not accept null as a valid value.
  • A new compat endpoint, /auth, has been added. This endpoint validates credentials against a registry (#9564).
  • Fixed a bug where the compat Build endpoint for Images specified labels using the wrong type (array vs map). Both formats will be accepted now.
  • Fixed a bug where the compat Build endpoint for Images did not report that it successfully tagged the built image in its response.
  • Fixed a bug where the compat Create endpoint for Images did not provide progress information on pulling the image in its response.
  • Fixed a bug where the compat Push endpoint for Images did not properly handle the destination (used a query parameter, instead of a path parameter).
  • Fixed a bug where the compat Push endpoint for Images d...

v3.1.0-RC1

08 Mar 21:46
v3.1.0-rc1
v3.1.0-RC1 Pre-release

This is the first release candidate for Podman v3.1.0. Release is expected later this week.

v3.0.1

19 Feb 00:32
v3.0.1
c640670

Changes

  • Several frequently-occurring WARN level log messages have been downgraded to INFO or DEBUG to not clutter terminal output.

Bugfixes

  • Fixed a bug where the Created field of podman ps --format=json was formatted as a string instead of a Unix timestamp (integer) (#9315).
  • Fixed a bug where failing lookups of individual layers during the podman images command would cause the whole command to fail without printing output.
  • Fixed a bug where --cgroups=split did not function properly on cgroups v1 systems.
  • Fixed a bug where mounting a volume over a directory in the container that existed, but was empty, could fail (#9393).
  • Fixed a bug where mounting a volume over a directory in the container that existed could copy the entirety of the container's rootfs, instead of just the directory mounted over, into the volume (#9415).
  • Fixed a bug where Podman would treat the --entrypoint=[""] option to podman run and podman create as a literal empty string in the entrypoint, when instead it should have been ignored (#9377).
  • Fixed a bug where Podman would set the HOME environment variable to "" when the container ran as a user without an assigned home directory (#9378).
  • Fixed a bug where specifying a pod infra image that had no tags (by using its ID) would cause podman pod create to panic (#9374).
  • Fixed a bug where the --runtime option was not properly handled by the podman build command (#9365).
  • Fixed a bug where Podman would incorrectly print an error message related to the remote API when the remote API was not in use and starting Podman failed.
  • Fixed a bug where Podman would change ownership of a container's working directory, even if it already existed (#9387).
  • Fixed a bug where the podman generate systemd --new command would incorrectly escape %t when generating the path for the PID file (#9373).
  • Fixed a bug where Podman could, when run inside a Podman container with the host's containers/storage directory mounted into the container, erroneously detect a reboot and reset container state if the temporary directory was not also mounted in (#9191).
  • Fixed a bug where some options of the podman build command (including but not limited to --jobs) were nonfunctional (#9247).

API

  • Fixed a breaking change to the Libpod Wait API for Containers where the Conditions parameter changed type in Podman v3.0 (#9351).
  • Fixed a bug where the Compat Create endpoint for Containers did not properly handle forwarded ports that did not specify a host port.
  • Fixed a bug where the Libpod Wait endpoint for Containers could write duplicate headers after an error occurred.
  • Fixed a bug where the Compat Create endpoint for Images would not pull images that already had a matching tag present locally, even if a more recent version was available at the registry (#9232).
  • The Compat Create endpoint for Images has had its compatibility with Docker improved, allowing its use with the docker-java library.

Misc

  • Updated Buildah to v1.19.4
  • Updated the containers/storage library to v1.24.6

v3.0.0

11 Feb 20:31
v3.0.0
5b2585f

Features

  • Podman now features initial support for Docker Compose.
  • Added the podman rename command, which allows containers to be renamed after they are created (#1925).
  • The Podman remote client now supports the podman copy command.
  • A new command, podman network reload, has been added. This command will re-configure the network of all running containers, and can be used to recreate firewall rules lost when the system firewall was reloaded (e.g. via firewall-cmd --reload).
  • Podman networks now have IDs. They can be seen in podman network ls and can be used when removing and inspecting networks. Existing networks receive IDs automatically.
  • Podman networks now also support labels. They can be added via the --label option to network create, and podman network ls can filter labels based on them.
  • The podman network create command now supports setting bridge MTU and VLAN through the --opt option (#8454).
  • The podman container checkpoint and podman container restore commands can now checkpoint and restore containers that include volumes.
  • The podman container checkpoint command now supports the --with-previous and --pre-checkpoint options, and the podman container restore command now supports the --import-previous option. These add support for two-step checkpointing with lowered dump times.
  • The podman push command can now push manifest lists. Podman will first attempt to push as an image, then fall back to pushing as a manifest list if that fails.
  • The podman generate kube command can now be run on multiple containers at once, and will generate a single pod containing all of them.
  • The podman generate kube and podman play kube commands now support Kubernetes DNS configuration, and will preserve custom DNS configuration when exporting or importing YAML (#9132).
  • The podman generate kube command now properly supports generating YAML for containers and pods created using host networking (--net=host) (#9077).
  • The podman kill command now supports a --cidfile option to kill containers given a file containing the container's ID (#8443).
  • The podman pod create command now supports the --net=none option (#9165).
  • The podman volume create command can now specify volume UID and GID as options with the UID and GID fields passed to the --opt option.
  • Initial support has been added for Docker Volume Plugins. Podman can now define available plugins in containers.conf and use them to create volumes with podman volume create --driver.
  • The podman run and podman create commands now support a new option, --platform, to specify the platform of the image to be used when creating the container.
  • The --security-opt option to podman run and podman create now supports the systempaths=unconfined option to unrestrict access to all paths in the container, as well as mask and unmask options to allow more granular restriction of container paths.
  • The podman stats --format command now supports a new format specifier, MemUsageBytes, which prints the raw bytes of memory consumed by a container without human-readable formatting (#8945).
  • The podman ps command can now filter containers based on what pod they are joined to via the pod filter (#8512).
  • The podman pod ps command can now filter pods based on what networks they are joined to via the network filter.
  • The podman pod ps command can now print information on what networks a pod is joined to via the .Networks specifier to the --format option.
  • The podman system prune command now supports filtering what containers, pods, images, and volumes will be pruned.
  • The podman volume prune command now supports filtering what volumes will be pruned.
  • The podman system prune command now includes information on space reclaimed (#8658).
  • The podman info command will now properly print information about packages in use on Gentoo and Arch systems.
  • The containers.conf file now contains an option for disabling creation of a new kernel keyring on container creation (#8384).
  • The podman image sign command can now sign multi-arch images by producing a signature for each image in a given manifest list.
  • The podman image sign command, when run as rootless, now supports per-user registry configuration files in $HOME/.config/containers/registries.d.
  • Configuration options for slirp4netns can now be set system-wide via the NetworkCmdOptions configuration option in containers.conf.
  • The MTU of slirp4netns can now be configured via the mtu= network command option (e.g. podman run --net slirp4netns:mtu=9000).

Security

  • A fix for CVE-2021-20199 is included. Podman between v1.8.0 and v2.2.1 used 127.0.0.1 as the source address for all traffic forwarded into rootless containers by a forwarded port; this has been changed to address the issue.

Changes

  • Shortname aliasing support has now been turned on by default. All Podman commands that must pull an image will, if a TTY is available, prompt the user about what image to pull.
  • The podman load command no longer accepts a NAME[:TAG] argument. The presence of this argument broke CLI compatibility with Docker by making docker load commands unusable with Podman (#7387).
  • The Go bindings for the HTTP API have been rewritten with a focus on limiting dependency footprint and improving extensibility. Read more here.
  • The legacy Varlink API has been completely removed from Podman.
  • The default log level for Podman has been changed from Error to Warn.
  • The podman network create command can now create macvlan networks using the --driver macvlan option for Docker compatibility. The existing --macvlan flag has been deprecated and will be removed in Podman 4.0 some time next year.
  • The podman inspect command has had the LogPath and LogTag fields moved into the LogConfig structure (from the root of the Inspect structure). The maximum size of the log file is also included.
  • The podman generate systemd command no longer generates unit files using the deprecated KillMode=none option (#8615).
  • The podman stop command now releases the container lock while waiting for it to stop - as such, commands like podman ps will no longer block until podman stop completes (#8501).
  • Networks created with podman network create --internal no longer use the dnsname plugin. This configuration never functioned as expected.
  • Error messages for the remote Podman client have been improved when it cannot connect to a Podman service.
  • Error messages for podman run when an invalid SELinux is specified have been improved.
  • Rootless Podman features improved support for containers with a single user mapped into the rootless user namespace.
  • Pod infra containers now respect default sysctls specified in containers.conf allowing for advanced configuration of the namespaces they will share.
  • SSH public key handling for remote Podman has been improved.

Bugfixes

  • Fixed a bug where the podman history --no-trunc command would truncate the Created By field (#9120).
  • Fixed a bug where root containers that did not explicitly specify a CNI network to join did not generate an entry for the network in use in the Networks field of the output of podman inspect (#6618).
  • Fixed a bug where, under some circumstances, container working directories specified by the image (via the WORKDIR instruction) but not present in the image, would not be created (#9040).
  • Fixed a bug where the podman generate systemd command would generate invalid unit files if the container was created using a command line that included doubled braces ({{ and }}), e.g. --log-opt-tag={{.Name}} (#9034).
  • Fixed a bug where the podman generate systemd --new command could generate unit files including invalid Podman commands if the container was created using merged short options (e.g. podman run -dt) (#8847).
  • Fixed a bug where the podman generate systemd --new command could generate unit files that did not handle Podman commands including some special characters (e.g. $) (#9176).
  • Fixed a bug where rootless containers joining CNI networks could not set a static IP address (#7842).
  • Fixed a bug where rootless containers joining CNI networks could not set network aliases (#8567).
  • Fixed a bug where the remote client could, under some circumstances, not include the Containerfile when sending build context to the server (#8374).
  • Fixed a bug where rootless Podman did not mount /sys as a new sysfs in some circumstances where it was acceptable.
  • Fixed a bug where rootless containers that both joined a user namespace and a CNI networks wo...

v3.0.0-RC3

08 Feb 16:30
v3.0.0-rc3
17338e8
Pre-release

Please note that these release notes are preliminary until v3.0.0 final is released

Features

  • Podman now features initial support for Docker Compose.
  • Added the podman rename command, which allows containers to be renamed after they are created (#1925).
  • The Podman remote client now supports the podman copy command.
  • A new command, podman network reload, has been added. This command will re-configure the network of all running containers, and can be used to recreate firewall rules lost when the system firewall was reloaded (e.g. via firewall-cmd --reload).
  • Podman networks now have IDs. They can be seen in podman network ls and can be used when removing and inspecting networks. Existing networks receive IDs automatically.
  • Podman networks now also support labels. They can be added via the --label option to network create, and podman network ls can filter networks based on them.
  • The podman network create command now supports setting bridge MTU and VLAN through the --opt option (#8454).
  • The podman container checkpoint and podman container restore commands can now checkpoint and restore containers that include volumes.
  • The podman container checkpoint command now supports the --with-previous and --pre-checkpoint options, and the podman container restore command now supports the --import-previous option. These add support for two-step checkpointing with lowered dump times.
  • The podman push command can now push manifest lists. Podman will first attempt to push as an image, then fall back to pushing as a manifest list if that fails.
  • The podman generate kube command can now be run on multiple containers at once, and will generate a single pod containing all of them.
  • The podman generate kube and podman play kube commands now support Kubernetes DNS configuration, and will preserve custom DNS configuration when exporting or importing YAML (#9132).
  • The podman generate kube command now properly supports generating YAML for containers and pods created using host networking (--net=host) (#9077).
  • The podman kill command now supports a --cidfile option to kill containers given a file containing the container's ID (#8443).
  • The podman pod create command now supports the --net=none option (#9165).
  • The podman volume create command can now specify volume UID and GID as options with the UID and GID fields passed to the --opt option.
  • Initial support has been added for Docker Volume Plugins. Podman can now define available plugins in containers.conf and use them to create volumes with podman volume create --driver.
  • The podman run and podman create commands now support a new option, --platform, to specify the platform of the image to be used when creating the container.
  • The --security-opt option to podman run and podman create now supports the systempaths=unconfined option to unrestrict access to all paths in the container, as well as mask and unmask options to allow more granular restriction of container paths.
  • The podman stats --format command now supports a new format specifier, MemUsageBytes, which prints the raw bytes of memory consumed by a container without human-readable formatting (#8945).
  • The podman ps command can now filter containers based on what pod they are joined to via the pod filter (#8512).
  • The podman pod ps command can now filter pods based on what networks they are joined to via the network filter.
  • The podman pod ps command can now print information on what networks a pod is joined to via the .Networks specifier to the --format option.
  • The podman system prune command now supports filtering what containers, pods, images, and volumes will be pruned.
  • The podman volume prune command now supports filtering what volumes will be pruned.
  • The podman system prune command now includes information on space reclaimed (#8658).
  • The podman info command will now properly print information about packages in use on Gentoo and Arch systems.
  • The containers.conf file now contains an option for disabling creation of a new kernel keyring on container creation (#8384).
  • The podman image sign command can now sign multi-arch images by producing a signature for each image in a given manifest list.
  • The podman image sign command, when run as rootless, now supports per-user registry configuration files in $HOME/.config/containers/registries.d.
  • Configuration options for slirp4netns can now be set system-wide via the NetworkCmdOptions configuration option in containers.conf.
  • The MTU of slirp4netns can now be configured via the mtu= network command option (e.g. podman run --net slirp4netns:mtu=9000).

Security

  • A fix for CVE-2021-20199 is included. Podman between v1.8.0 and v2.2.1 used 127.0.0.1 as the source address for all traffic forwarded into rootless containers by a forwarded port; this has been changed to address the issue.
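
An added example, not part of the Podman release notes: a POSIX shell check that classifies a Podman version string against the range stated in the item above. It assumes both bounds are inclusive and that a release-candidate suffix compares as its base version; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify a Podman version against the range given in the
# Security note (v1.8.0 through v2.2.1). Assumption: both bounds inclusive.

# Print a sortable integer for the first MAJOR.MINOR.PATCH found in $1.
# Accepts "podman version 2.1.1", "v2.0.6" and "3.0.0-rc3"; an -rc suffix is
# dropped, so a release candidate compares as its base version (assumption).
version_key() {
    parts=$(printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/p' |
        head -n 1)
    [ -n "$parts" ] || return 1
    set -- $parts
    echo $(( $1 * 1000000 + $2 * 1000 + $3 ))
}

# Echo one of: affected, outside-range, unknown.
# "affected" only says the version is in the stated range; the issue itself
# concerns traffic forwarded into rootless containers by a forwarded port.
cve_2021_20199_status() {
    key=$(version_key "$1") || { echo unknown; return 0; }
    low=$(version_key 1.8.0)
    high=$(version_key 2.2.1)
    if [ "$key" -ge "$low" ] && [ "$key" -le "$high" ]; then
        echo affected
    else
        echo outside-range
    fi
}

# Constructed sample inputs, not taken from any real host.
for sample in "podman version 2.1.1" "v1.8.0" "2.2.1" "1.7.0" "v3.0.0-rc3" "n/a"; do
    printf '%-22s %s\n' "$sample" "$(cve_2021_20199_status "$sample")"
done
```

On a host with Podman installed, pass the output of podman --version as the argument.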

Changes

  • Shortname aliasing support has now been turned on by default. All Podman commands that must pull an image will, if a TTY is available, prompt the user about what image to pull.
  • The podman load command no longer accepts a NAME[:TAG] argument. The presence of this argument broke CLI compatibility with Docker by making docker load commands unusable with Podman (#7387).
  • The Go bindings for the HTTP API have been rewritten with a focus on limiting dependency footprint and improving extensibility. Read more here.
  • The legacy Varlink API has been completely removed from Podman.
  • The default log level for Podman has been changed from Error to Warn.
  • The podman network create command can now create macvlan networks using the --driver macvlan option for Docker compatibility. The existing --macvlan flag has been deprecated and will be removed in Podman 4.0 some time next year.
  • The podman inspect command has had the LogPath and LogTag fields moved into the LogConfig structure (from the root of the Inspect structure). The maximum size of the log file is also included.
  • The podman generate systemd command no longer generates unit files using the deprecated KillMode=none option (#8615).
  • The podman stop command now releases the container lock while waiting for it to stop - as such, commands like podman ps will no longer block until podman stop completes (#8501).
  • Networks created with podman network create --internal no longer use the dnsname plugin. This configuration never functioned as expected.
  • Error messages for the remote Podman client have been improved when it cannot connect to a Podman service.
  • Error messages for podman run when an invalid SELinux is specified have been improved.
  • Rootless Podman features improved support for containers with a single user mapped into the rootless user namespace.
  • Pod infra containers now respect default sysctls specified in containers.conf, allowing for advanced configuration of the namespaces they will share.
  • SSH public key handling for remote Podman has been improved.

Bugfixes

  • Fixed a bug where the podman history --no-trunc command would truncate the Created By field (#9120).
  • Fixed a bug where root containers that did not explicitly specify a CNI network to join did not generate an entry for the network in use in the Networks field of the output of podman inspect (#6618).
  • Fixed a bug where, under some circumstances, container working directories specified by the image (via the WORKDIR instruction) but not present in the image, would not be created (#9040).
  • Fixed a bug where the podman generate systemd command would generate invalid unit files if the container was created using a command line that included doubled braces ({{ and }}), e.g. --log-opt-tag={{.Name}} (#9034).
  • Fixed a bug where the podman generate systemd --new command could generate unit files including invalid Podman commands if the container was created using merged short options (e.g. podman run -dt) (#8847).
  • Fixed a bug where the podman generate systemd --new command could generate unit files that did not handle Podman commands including some special characters (e.g. $) (#9176).
  • Fixed a bug where rootless containers joining CNI networks could not set a static IP address (#7842).
  • Fixed a bug where rootless containers joining CNI networks could not set network aliases (#8567).
  • Fixed a bug where the remote client could, under some circumstances, not include the Containerfile when sending build context to the server (#8374).
  • Fixed a bug where rootless Podman did not mount /sys as a new sysfs in some circumstances where it was acceptable.
  • Fixed ...

v3.0.0-rc2

29 Jan 22:50
v3.0.0-rc2
510a983
Pre-release

This is the second release candidate of Podman v3.0.