
Releases: containers/podman

v4.4.4

27 Mar 23:32
c822343

Changes

  • Podman now writes direct mappings for idmapped mounts.

Bugfixes

  • Fixed a regression which caused the macOS installer to fail if podman-mac-helper was already installed (#17910).

v4.4.3

23 Mar 18:45
d2f93d6

Security

  • This release fixes CVE-2022-41723, a vulnerability in the golang.org/x/net package where a maliciously crafted HTTP/2 stream could cause excessive CPU consumption, sufficient to cause a denial of service.

Changes

  • Added SYS_CHROOT back to the default set of capabilities.

Bugfixes

  • Fixed a bug where quadlet would not use the default runtime set.
  • Fixed a bug where podman system service --log-level=trace did not hijack the client connection, causing remote podman run/attach calls to work incorrectly (#17749).
  • Fixed a bug where the podman-mac-helper returned an incorrect exit code after erroring. podman-mac-helper now exits with 1 on error (#17785).
  • Fixed a bug where podman run --dns ... --network would not respect the dns option. Podman will no longer add host nameservers to resolv.conf when aardvark-dns is used (#17499).
  • Fixed a bug where podman logs errored out with the passthrough driver when the container was run from a systemd service.
  • Fixed a bug where --health-on-failure=restart would not restart the container when the health state turned unhealthy (#17777).
  • Fixed a bug where podman machine VMs could have their system time drift behind real time. New machines will no longer be affected by this (#11541).

API

  • Fixed a bug where creating a network with the Compat API would return an incorrect status code. The API call now returns 409 when creating a network with an existing name and when CheckDuplicate is set to true (#17585).
  • Fixed a bug in the /auth REST API where logging into Docker Hub would fail (#17571).

Misc

  • Updated the containers/common library to v0.51.1.
  • Updated the Mac pkginstaller QEMU to v7.2.0.

v4.4.2

23 Feb 21:29
74afe26

Security

  • This release fixes CVE-2023-0778, which allowed a malicious user to potentially replace a normal file in a volume with a symlink while exporting the volume, allowing for access to arbitrary files on the host file system.

Bugfixes

  • Fixed a bug where containers started via the podman-kube systemd template would always use the "passthrough" log driver (#17482).
  • Fixed a bug where pulls would unexpectedly encounter an EOF error. Now, Podman automatically transparently resumes aborted pull connections.
  • Fixed a race condition in Podman's signal proxy.

Misc

  • Updated the containers/image library to v5.24.1.

v4.4.1

08 Feb 20:55
34e8f39

Changes

  • Added the podman-systemd.unit man page, which can also be displayed using man quadlet (#17349).
  • Documented journald identifiers used in the journald backend for the podman events command.
  • Dropped the CAP_CHROOT, CAP_AUDIT_WRITE, CAP_MKNOD, CAP_MKNOD default capabilities.

Bugfixes

  • Fixed a bug where the default handling of pids-limit was incorrect.
  • Fixed a bug where parallel calls to make docs crashed (#17322).
  • Fixed a regression in the podman kube play command where existing resources got mistakenly removed.

v4.4.0

01 Feb 22:48
3443f45

Features

  • Introduce Quadlet, a new systemd-generator that easily writes and maintains systemd services using Podman.
  • The podman kube play command now supports hostPID in the pod.spec (#17157).
  • The podman build command now supports the --group-add option.
  • A new command, podman network update has been added, which updates networks for containers and pods.
  • The podman network create command now supports a new option, --network-dns-server, which sets the DNS servers that this network will use.
  • The podman kube play command now accepts the --publish option, which sets or overrides port publishing.
  • The podman inspect command now returns an error field (#13729).
  • The podman update command now accepts the --pids-limit option, which sets the PIDs limit for a container (#16543).
  • Podman now supports container names beginning with a / to match Docker behaviour (#16663).
  • The podman events command now supports die as a value (mapping to died) to the --filter option, for better Docker compatibility (#16857).
  • The podman system df command's --format "{{ json . }}" option now outputs a human-readable format to improve Docker compatibility.
  • The podman rm -f command now also terminates containers in "stopping" state.
  • Rootless privileged containers will now mount all tty devices, except for the virtual-console related tty devices (/dev/tty[0-9]+) (#16925).
  • The podman play kube command now supports subpaths when using configmap and hostpath volume types (#16828).
  • All commands with the --no-heading option now include a short option, -n.
  • The podman push command no longer ignores the hidden --signature-policy flag.
  • The podman wait command now supports the --ignore option.
  • The podman network create command now supports the --ignore option to instruct Podman to not fail when trying to create an already existing network.
  • The podman kube play command now supports volume subpaths when using named volumes (#12929).
  • The podman kube play command now supports container startup probes.
  • A new command, podman buildx version, has been added, which shows the buildah version (#16793).
  • Remote usage of the podman build command now supports the --volume option (#16694).
  • The --opt parent=... option is now accepted with the ipvlan network driver in the podman network create command (#16621).
  • The --init-ctr option for the podman container create command now supports shell completion.
  • The podman kube play command run with a readOnlyTmpfs Flag in the kube YAML can now write to tmpfs inside of the container.
  • The podman run command has been extended with support for checkpoint images.
  • When the new event_audit_container_create option is enabled in containers.conf, the verbosity of the container-create event is increased by adding the inspect data of the container to the event.
  • Containers can now have startup healthchecks, allowing a command to be run to ensure the container is fully started before the regular healthcheck is activated.
  • CDI devices can now be specified in containers.conf (#16232).
  • The podman push command features two new options, --encryption-key and --encrypt-layer, for encrypting an image while pushing it to a registry (#15163).
  • The podman pull and podman run commands feature a new option, --decryption-key, which decrypts the image while pulling it from a registry (#15163).
  • Remote usage of the podman manifest annotate command is now supported.
  • The SSL_CERT_FILE and SSL_CERT_DIR environment variables are now propagated into Podman machine VMs (#16041).
  • A new environment variable, CONTAINER_PROXY, can be used to specify TCP proxies when using remote Podman.
  • The runtime automatically detects and switches to crun-wasm if the image is a WebAssembly image.
  • The podman machine init command now supports the --quiet option, as well as a new option, --no-info, which suppresses informational tips (#15525).
  • The podman volume create command now includes the -d short option for the --driver option.
  • The podman events command has a new alias, podman system events, for better Docker compatibility.
  • The --restart-sec option for podman generate systemd now generates RestartSec= for both pod service files and container service files (#16419).
  • The podman manifest push command now accepts --purge, -p options as aliases for --rm, for Docker compatibility.
  • The --network option to podman pod create now supports using an existing network namespace via ns:[netns-path] (#16208).
  • The podman pod rm and podman container rm commands now remove container/pod ID files along with the container/pod (#16387).
  • The podman manifest inspect command now accepts a new option, --insecure, as an alias to --tls-verify=false, improving Docker compatibility (#14917).
  • A new command, podman kube apply, has been added, which deploys the generated yaml to a k8s cluster.
  • The --userns=keep-id option in rootless podman create, podman run, podman kube play, podman pod create, and podman pod clone now can be used when only one ID is available.
  • The podman play kube command now supports the volume.podman.io/import-source annotation to import the contents of tarballs.
  • The podman volume create command now accepts the --ignore option, which ignores the create request if the named volume already exists.
  • The --filter option for podman ps now supports regex (#16180).
  • The podman system df command now accepts --format json and autocompletes for the --format option (#16204).
  • The podman kube down command accepts a new option, --force, which removes volumes (#16348).
  • The podman create, podman run, and podman pod create commands now support a new networking mode, pasta, which can be enabled with the --net=pasta option (#14425, #13229).

Changes

  • CNI is being deprecated from Podman and support will be dropped at a future date. Netavark is now advised and is the default network backend for Podman.
  • The network name pasta is deprecated and support for it will be removed in the next major release.
  • The podman network create command no longer accepts default as valid name. It is impossible to use this network name in the podman run/create command because it is parsed as a network mode instead (#17169).
  • The podman kube generate command will no longer generate built-in annotations, as reserved annotations are used internally by Podman and would have no effect when run with Kubernetes.
  • The podman kube play command now limits the replica count to 1 when deploying from kubernetes YAML (#16765).
  • When a container that runs with the --pid=host option is terminated, Podman now sends a SIGKILL to all the active exec sessions.
  • The journald driver for both podman events and podman logs is now more efficient when the --since option is used, as it will now seek directly to the correct time instead of reading all entries from the journal (#16950).
  • When the --service-container option is set for the podman kube play command, the default log driver is now set to passthrough (#16592).
  • The podman container inspect and podman kube generate commands will no longer list default annotations set to false.
  • Podman no longer reports errors on short-lived init containers in pods.
  • Healthchecks are now automatically disabled on non-systemd systems. If Podman is compiled without the systemd build tag, healthchecks are disabled at build time (#16644).
  • VM state persistence on Windows is now more atomic, so it better tolerates FS corruption in cases of power loss or system failure (#16550).
  • A user namespace is now always created when running with EUID != 0. This is necessary to work in a Kubernetes environment where the POD is "privileged" but it is still running with a non-root user.
  • Old healthcheck states are now cleaned up during container restart.
  • The CONTAINER_HOST environment variable defaults to port 22 for SSH style URLs for remote connections, when set (#16509).
  • The podman kube play command now reuses existing PersistentVolumeClaims instead of erroring.
  • ...

v4.4.0-RC3

25 Jan 20:40
v4.4.0-rc3
dc3dfce
Pre-release

Features

  • Introduce Quadlet, a new systemd-generator that easily writes and maintains systemd services using Podman.
  • The podman kube play command now supports hostPID in the pod.spec (#17157).
  • The podman build command now supports the --group-add option.
  • A new command, podman network update has been added, which updates networks for containers and pods.
  • The podman network create command now supports a new option, --network-dns-server, which sets the DNS servers that this network will use.
  • The podman kube play command now accepts the --publish option, in order to set or override port publishing.
  • The podman inspect command now returns an error field (#13729).
  • The podman update command now accepts the --pids-limit option, which adds the functionality to update the PIDs limit for a container (#16543).
  • Podman now supports container names beginning with a '/' to match Docker behaviour (#16663).
  • The podman events command now supports "die" as a value (mapping to "died") to the --filter option, for better Docker compatibility (#16857).
  • The podman system df command's --format "{{ json . }}" option now outputs a human-readable format to improve Docker compatibility.
  • The podman rm -f command now also terminates containers in "stopping" state.
  • Rootless privileged containers will now mount all tty devices, except for the virtual-console ones (/dev/tty[0-9]+) (#16925).
  • The podman play kube command now supports subpaths when using configmap and hostpath volume types (#16828).
  • A user namespace is now always created when running with EUID != 0. This is necessary to work in a Kubernetes environment where the POD is "privileged" but it is still running with a non-root user.
  • All commands with the --no-heading option now include a short option, -n.
  • The podman push command no longer ignores the hidden --signature-policy flag.
  • The podman wait command now supports the --ignore option.
  • The podman network create command now supports the --ignore option to instruct Podman to not fail when trying to create an already existing network.
  • The podman kube play command now supports volume subpaths when using named volumes (#12929).
  • The podman kube play command now supports container startup probes.
  • A new command, podman buildx version, has been added, which shows the buildah version (#16793).
  • Remote usage of the podman build command now supports the --volume option (#16694).
  • The --opt parent=... option is now accepted with the ipvlan network driver in the podman network create command (#16621).
  • The --init-ctr option for the podman container create command now supports shell completion.
  • The podman kube play command run with a readOnlyTmpfs Flag in the kube YAML can now write to tmpfs inside of the container.
  • The podman run command has been extended with support for checkpoint images.
  • When the new event_audit_container_create option is enabled in containers.conf, the verbosity of the container-create event is increased by adding the inspect data of the container to the event.
  • Containers can now have startup healthchecks, allowing a command to be run to ensure the container is fully started before the regular healthcheck is activated.
  • CDI devices can now be specified in containers.conf (#16232).
  • The podman push command features two new options, --encryption-key and --encrypt-layer, for encrypting an image while pushing it to a registry (#15163).
  • The podman pull and podman run commands feature a new option, --decryption-key, which decrypts the image while pulling it from a registry (#15163).
  • The podman manifest annotate command is now supported for podman-remote.
  • The SSL_CERT_FILE and SSL_CERT_DIR environment variables are now propagated into podman machine VMs (#16041).
  • A new environment variable, CONTAINER_PROXY, can be used to specify TCP proxies when using podman-remote.
  • The runtime automatically detects and switches to crun-wasm if the image is a WebAssembly image.
  • The podman machine init command now supports the --quiet option, as well as a new option, --no-info, which suppresses informational tips (#15525).
  • The podman volume create command now includes the -d short option for the --driver option.
  • The podman events command has a new alias, podman system events, for better Docker compatibility.
  • The --restart-sec option for podman generate systemd now generates RestartSec= for both pod service files and container service files (#16419).
  • The podman manifest push command now accepts --purge, -p options as aliases for --rm, for Docker compatibility.
  • The --network option to podman pod create now supports using an existing network namespace via ns:[netns-path] (#16208).
  • The podman pod rm and podman container rm commands now remove container/pod ID files along with the container/pod (#16387).
  • The podman manifest inspect command now accepts a new option, --insecure (identical to --tls-verify=false), improving Docker compatibility (#14917).
  • A new command, podman kube apply, has been added, which deploys the generated yaml to a k8s cluster.
  • The --userns=keep-id option in rootless podman create, podman run, podman kube play, podman pod create, and podman pod clone now can be used when only one ID is available.
  • The podman play kube command now supports the volume.podman.io/import-source annotation to import the contents of tarballs.
  • The podman volume create command now accepts the --ignore option, which ignores the create request if the named volume already exists.
  • The --filter option for podman ps now supports regex (#16180).
  • The podman system df command now accepts --format json and autocompletes for the --format option (#16204).

Changes

  • CNI is being deprecated from Podman and support will be dropped at a future date. Netavark is now advised and is the default network backend for Podman.
  • The network name pasta is deprecated and support for it will be removed in the next major release.
  • The podman network create command no longer accepts default as valid name. It is impossible to use this network name in the podman run/create command because it is parsed as a network mode instead (#17169).
  • The podman kube generate command will no longer generate built-in annotations, as reserved annotations are used internally by Podman and would have no effect when run with Kubernetes.
  • The podman kube play command now limits the replica count to 1 when deploying from kubernetes YAML (#16765).
  • When a container that runs with the --pid=host option is terminated, Podman now sends a SIGKILL to all the active exec sessions.
  • The journald driver for both podman events and podman logs is now more efficient when the --since option is used, as it will now seek directly to the correct time instead of reading all entries from the journal (#16950).
  • When the --service-container option is set for the podman kube play command, the default log driver is now set to passthrough (#16592).
  • The podman container inspect and podman kube generate commands will no longer list default annotations set to false.
  • Podman no longer reports errors on short-lived init containers in pods.
  • Healthchecks are now automatically disabled on non-systemd systems. If Podman is compiled without the systemd build tag, healthchecks are disabled at build time (#16644).
  • VM state persistence on Windows is now more atomic, so it better tolerates FS corruption in cases of power loss or system failure (#16550).
  • Old healthcheck states are now cleaned up during container restart.
  • The CONTAINER_HOST environment variable defaults to port 22 for SSH style URLs for remote connections, when set (#16509).
  • The podman kube play command now reuses existing PersistentVolumeClaims instead of erroring.
  • The podman kube down command accepts a new option, --force, which removes volumes (#16348).
  • The podman create, podman run, and podman pod create commands now support a new networking mode, pasta, which can be enabled with the --net=pasta option (#14425), ([#13229](#1...

v4.4.0-RC2

17 Jan 20:34
v4.4.0-rc2
24cc02a
Pre-release

This is the second release candidate of Podman v4.4.0. Full release notes are not available, but will be compiled for the next RC.

v4.4.0-RC1

12 Jan 21:24
v4.4.0-rc1
d8774a9
Pre-release

This is the first release candidate of Podman v4.4.0. Full release notes are not available, but will be compiled for the next RC.

v4.3.1

10 Nov 14:28
814b7b0

Bugfixes

  • Fixed a deadlock between the podman ps and podman container inspect commands.

Misc

  • Updated the containers/image library to v5.23.1.

v4.3.0

19 Oct 13:04
ad42af9

Features

  • A new command, podman generate spec, has been added, which creates a JSON struct based on a given container that can be used with the Podman REST API to create containers.
  • A new command, podman update, has been added, which makes changes to the resource limits of existing containers. Please note that these changes do not persist if the container is restarted (#15067).
  • A new command, podman kube down, has been added, which removes pods and containers created by the given Kubernetes YAML (functionality is identical to podman kube play --down, but it now has its own command).
  • The podman kube play command now supports Kubernetes secrets using Podman's secrets backend.
  • Systemd-managed pods created by the podman kube play command now integrate with sd-notify, using the io.containers.sdnotify annotation (or io.containers.sdnotify/$name for specific containers).
  • Systemd-managed pods created by podman kube play can now be auto-updated, using the io.containers.auto-update annotation (or io.containers.auto-update/$name for specific containers).
  • The podman kube play command can now read YAML from URLs, e.g. podman kube play https://example.com/demo.yml (#14955).
  • The podman kube play command now supports the emptyDir volume type (#13309).
  • The podman kube play command now supports the HostUsers field in the pod spec.
  • The podman play kube command now supports binaryData in ConfigMaps.
  • The podman pod create command can now set additional resource limits for pods using the new --memory-swap, --cpuset-mems, --device-read-bps, --device-write-bps, --blkio-weight, --blkio-weight-device, and --cpu-shares options.
  • The podman machine init command now supports a new option, --username, to set the username that will be used to connect to the VM as a non-root user (#15402).
  • The podman volume create command's -o timeout= option can now set a timeout of 0, indicating volume plugin operations will never time out.
  • Added support for a new volume driver, image, which allows volumes to be created that are backed by images.
  • The podman run and podman create commands support a new option, --env-merge, allowing environment variables to be specified relative to other environment variables in the image (e.g. podman run --env-merge "PATH=$PATH:/my/app" ...) (#15288).
  • The podman run and podman create commands support a new option, --on-failure, to allow action to be taken when a container fails health checks, with the following supported actions: none (take no action, the default), kill (kill the container), restart (restart the container), and stop (stop the container).
  • The --keep-id option to podman create and podman run now supports new options, uid and gid, to set the UID and GID of the user in the container that will be mapped to the user running Podman (e.g. --userns=keep-id:uid=11 will map the user running Podman to UID 11 in the container) (#15294).
  • The podman generate systemd command now supports a new option, --env/-e, to set environment variables in the generated unit file (#15523).
  • The podman pause and podman unpause commands now support the --latest, --cidfile, and --filter options.
  • The podman restart command now supports the --cidfile and --filter options.
  • The podman rm command now supports the --filter option to select which containers will be removed.
  • The podman rmi command now supports a new option, --no-prune, to prevent the removal of dangling parents of removed images.
  • The --dns-opt option to podman create, podman run, and podman pod create has received a new alias, --dns-option, to improve Docker compatibility.
  • The podman command now features a new global flag, --debug/-D, which enables debug-level logging (identical to --log-level=debug), improving Docker compatibility.
  • The podman command now features a new global flag, --config. This flag is ignored, and is only included for Docker compatibility (#14767).
  • The podman manifest create command now accepts a new option, --amend/-a.
  • The podman manifest create, podman manifest add and podman manifest push commands now accept a new option, --insecure (identical to --tls-verify=false), improving Docker compatibility.
  • The podman secret create command's --driver and --format options now have new aliases, -d for --driver and -f for --format.
  • The podman secret create command now supports a new option, --label/-l, to add labels to created secrets.
  • The podman secret ls command now accepts the --quiet/-q option.
  • The podman secret inspect command now accepts a new option, --pretty, to print output in human-readable format.
  • The podman stats command now accepts the --no-trunc option.
  • The podman save command now accepts the --signature-policy option (#15869).
  • The podman pod inspect command now allows multiple arguments to be passed. If so, it will return a JSON array of the inspected pods (#15674).
  • A series of new hidden commands have been added under podman context as aliases to existing podman system connection commands, to improve Docker compatibility.
  • The remote Podman client now supports proxying signals for attach sessions when the --sig-proxy option is set (#14707).

Changes

  • Duplicate volume mounts are now allowed with the -v option to podman run, podman create, and podman pod create, so long as source, destination, and options all match (#4217).
  • The podman generate kube and podman play kube commands have been renamed to podman kube generate and podman kube play to group Kubernetes-related commands. Aliases have been added to ensure the old command names still function.
  • A number of Podman commands (podman init, podman container checkpoint, podman container restore, podman container cleanup) now print the user-inputted name of the container, instead of its full ID, on success.
  • When an unsupported option (e.g. resource limit) is specified for a rootless container on a cgroups v1 system, a warning message is now printed that the limit will not be honored.
  • The installer for the Windows Podman client has been improved.
  • The --cpu-rt-period and --cpu-rt-runtime options to podman run and podman create now print a warning and are ignored on cgroups v2 systems (cgroups v2 having dropped support for these controllers) (#15666).
  • Privileged containers running systemd will no longer mount /dev/tty* devices other than /dev/tty itself into the container (#15878).
  • Events for containers that are part of a pod now include the ID of the pod in the event.
  • SSH functionality for podman machine commands has seen a thorough rework, addressing many issues about authentication.
  • The --network option to podman kube play now allows passing host to set the pod to use host networking, even if the YAML does not request this.
  • The podman inspect command on containers now includes the digest of the image used to create the container.
  • Pods created by podman play kube are now, by default, placed into a network named podman-kube. If the podman-kube network does not exist, it will be created. This ensures pods can connect to each other by their names, as the network has DNS enabled.

Bugfixes

  • Fixed a bug where the podman network prune and podman container prune commands did not properly support the --filter label!= option (#14182).
  • Fixed a bug where the podman kube generate command added an unnecessary Secret: null line to generated YAML (#15156).
  • Fixed a bug where the podman kube generate command did not set enableServiceLinks and automountServiceAccountToken to false in generated YAML (#15478 and #15243).
  • Fixed a bug where the podman kube play command did not properly handle CPU limits (#15726).
  • Fixed a bug where the podman kube play command did not respect default values for liveness probes (#15855).
  • Fixed a bug where the podman kube play command did not bind ports if hostPort was not specified but containerPort was (#15942).
  • Fixed a bug where the podman kube play command sometimes did not create directories on the host for hostPath volumes.
  • Fixed a bug where the remote Podman client's podman manifest push command did not display progress.
  • Fixed a bug where the --filter "{{.Config.Healthcheck}}" option to podman image inspect did not print the image's configured healthcheck (#14661).
  • Fixed a bug where the podman volume create -o timeout= option could be specified even when no volume plugin was in use.
  • Fixed a bug where the podman rmi command did not emit untag events when removing ta...