[SUSE-SU-2022:3312-1] Security update for libcontainers-common
Security update for libcontainers-common
This update for libcontainers-common fixes the following issues:
libcontainers-common was updated:
- common component was updated to 0.44.0.
- storage component was updated to 1.36.0.
- image component was updated to 5.16.0.
- podman component was updated to 3.3.1.
3.3.1:
Bugfixes:
- Fixed a bug where unit files created by `podman generate systemd` could not clean up shut down containers when stopped by `systemctl stop`.
- Fixed a bug where `podman machine` commands would not properly locate the `gvproxy` binary in some circumstances.
- Fixed a bug where containers created as part of a pod using the `--pod-id-file` option would not join the pod's network namespace.
- Fixed a bug where Podman, when using the systemd cgroups driver, could sometimes leak dbus sessions.
- Fixed a bug where the `until` filter to `podman logs` and `podman events` was improperly handled, requiring input to be negated.
- Fixed a bug where rootless containers using CNI networking run on systems using `systemd-resolved` for DNS would fail to start if resolved symlinked `/etc/resolv.conf` to an absolute path.
API:
- A large number of potential file descriptor leaks from improperly closing client connections have been fixed.
3.3.0:
Features:
- Containers inside VMs created by `podman machine` will now automatically handle port forwarding - containers in `podman machine` VMs that publish ports via `--publish` or `--publish-all` will have these ports not just forwarded on the VM, but also on the host system.
- The `podman play kube` command's `--network` option now accepts advanced network options (e.g. `--network slirp4netns:port_handler=slirp4netns`).
- The `podman play kube` command now supports Kubernetes liveness probes, which will be created as Podman healthchecks.
- Podman now provides a systemd unit, `podman-restart.service`, which, when enabled, will restart all containers that were started with `--restart=always` after the system reboots.
- Rootless Podman can now be configured to use CNI networking by default by using the `rootless_networking` option in `containers.conf`.
- Images can now be pulled using `image:tag@digest` syntax (e.g. `podman pull fedora:34@sha256:1b0d4ddd99b1a8c8a80e885aafe6034c95f266da44ead992aab388e6aa91611a`).
- The `podman container checkpoint` and `podman container restore` commands can now be used to checkpoint containers that are in pods, and restore those containers into pods.
- The `podman container restore` command now features a new option, `--publish`, to change the ports that are forwarded to a container that is being restored from an exported checkpoint.
- The `podman container checkpoint` command now features a new option, `--compress`, to specify the compression algorithm that will be used on the generated checkpoint.
- The `podman pull` command can now pull multiple images at once (e.g. `podman pull fedora:34 ubi8:latest` will pull both specified images).
- The `podman cp` command can now copy files from one container into another directly (e.g. `podman cp containera:/etc/hosts containerb:/etc/`).
- The `podman cp` command now supports a new option, `--archive`, which controls whether copied files will be chown'd to the UID and GID of the user of the destination container.
- The `podman stats` command now provides two additional metrics: Average CPU, and CPU time.
- The `podman pod create` command supports a new flag, `--pid`, to specify the PID namespace of the pod. If specified, containers that join the pod will automatically share its PID namespace.
- The `podman pod create` command supports a new flag, `--infra-name`, which allows the name of the pod's infra container to be set.
- The `podman auto-update` command has had its output reformatted - it is now much clearer what images were pulled and what containers were updated.
- The `podman auto-update` command now supports a new option, `--dry-run`, which reports what would be updated but does not actually perform the update.
- The `podman build` command now supports a new option, `--secret`, to mount secrets into build containers.
- The `podman manifest remove` command now has a new alias, `podman manifest rm`.
- The `podman login` command now supports a new option, `--verbose`, to print detailed information about where the credentials entered were stored.
- The `podman events` command now supports a new event, `exec_died`, which is produced when an exec session exits, and includes the exit code of the exec session.
- The `podman system connection add` command now supports adding connections that connect using the `tcp://` and `unix://` URL schemes.
- The `podman system connection list` command now supports a new flag, `--format`, to determine how the output is printed.
- The `podman volume prune` and `podman volume ls` commands' `--filter` option now support a new filter, `until`, that matches volumes created before a certain time.
- The `podman ps --filter` option's `network` filter now accepts a new value: `container:`, which matches containers that share a network namespace with a specific container.
- The `podman diff` command can now accept two arguments, allowing two images or two containers to be specified; the diff between the two will be printed.
- Podman can now optionally copy-up content from containers into volumes mounted into those containers earlier (at creation time, instead of at runtime) via the `prepare_on_create` option in `containers.conf`.
- A new option, `--gpus`, has been added to `podman create` and `podman run` as a no-op for better compatibility with Docker. If the nvidia-container-runtime package is installed, GPUs should be automatically added to containers without using the flag.
- If an invalid subcommand is provided, similar commands to try will now be suggested in the error message.
Changes:
- The `podman system reset` command now removes non-Podman (e.g. Buildah and CRI-O) containers as well.
- The new port forwarding offered by `podman machine` requires [gvproxy] in order to function.
- Podman will now automatically create the default CNI network if it does not exist, for both root and rootless users. This will only be done once per user - if the network is subsequently removed, it will not be recreated.
- The `install.cni` makefile option has been removed. It is no longer required to distribute the default `87-podman.conflist` CNI configuration file, as Podman will now automatically create it.
- The `--root` option to Podman will not automatically clear all default storage options when set. Storage options can be set manually using `--storage-opt`.
- The output of `podman system connection list` is now deterministic, with connections being sorted alphabetically by their name.
- The auto-update service (`podman-auto-update.service`) has had its default timer adjusted so it now starts at a random time up to 15 minutes after midnight, to help prevent system congestion from numerous daily services run at once.
- Systemd unit files generated by `podman generate systemd` now depend on `network-online.target` by default.
- Systemd unit files generated by `podman generate systemd` now use `Type=notify` by default, instead of using PID files.
- The `podman info` command's logic for detecting package versions on Gentoo has been improved, and should be significantly faster.
Bugfixes:
- Fixed a bug where the `podman play kube` command did not perform SELinux relabelling of volumes specified with a `mountPath` that included the `:z` or `:Z` options.
- Fixed a bug where the `podman play kube` command would ignore the `USER` and `EXPOSE` directives in images.
- Fixed a bug where the `podman play kube` command would only accept lowercase pull policies.
- Fixed a bug where named volumes mounted into containers with the `:z` or `:Z` options were not appropriately relabelled for access from the container.
- Fixed a bug where the `podman logs -f` command, with the `journald` log driver, could sometimes fail to pick up the last line of output from a container.
- Fixed a bug where running `podman rm` on a container created with the `--rm` option would occasionally emit an error message saying the container failed to be removed, when it was successfully removed.
- Fixed a bug where starting a Podman container would segfault if the `LISTEN_PID` and `LISTEN_FDS` environment variables were set, but `LISTEN_FDNAMES` was not.
- Fixed a bug where exec sessions in containers were sometimes not cleaned up when run without `-d` and when the associated `podman exec` process was killed before completion.
- Fixed a bug where `podman system service` could, when run in a systemd unit file with sdnotify in use, drop some connections when it was starting up.
- Fixed a bug where containers run using the REST API using the `slirp4netns` network mode would leave zombie processes that were not cleaned up until `podman system service` exited.
- Fixed a bug where the `podman system service` command would leave zombie processes after its initial launch that were not cleaned up until it exited.
- Fixed a bug where VMs created by `podman machine` could not be started after the host system restarted.
- Fixed a bug where the `podman pod ps` command would not show headers for optional information (e.g. container names when the `--ctr-names` option was given).
- Fixed a bug where the remote Podman client's `podman create` and `podman run` commands would ignore timezone configuration from the server's `containers.conf` file.
- Fixed a bug where the remote Podman client's `podman build` command would only respect `.containerignore` and not `.dockerignore` files (when both are present, `.containerignore` will be preferred).
- Fixed a bug where the remote Podman client's `podman build` command would fail to send the Dockerfile being built to the server when it was excluded by the `.dockerignore` file, resulting in an error.
- Fixed a bug where the remote Podman client's `podman build` command could unexpectedly stop streaming the output of the build.
- Fixed a bug where the remote Podman client's `podman build` command would fail to build when run on Windows.
- Fixed a bug where the `podman manifest create` command accepted at most two arguments (an arbitrary number of images are allowed as arguments, which will be added to the manifest).
- Fixed a bug where named volumes would not be properly chowned to the UID and GID of the directory they were mounted over when first mounted into a container.
- Fixed a bug where named volumes created using a volume plugin would be removed from Podman, even if the plugin reported a failure to remove the volume.
- Fixed a bug where the remote Podman client's `podman exec -i` command would hang when input was provided via shell redirection (e.g. `podman --remote exec -i foo cat <<<'hello'`).
- Fixed a bug where containers created with `--rm` were not immediately removed after being started by `podman start` if they failed to start.
- Fixed a bug where the `--storage-opt` flag to `podman create` and `podman run` was nonfunctional.
- Fixed a bug where the `--device-cgroup-rule` option to `podman create` and `podman run` was nonfunctional.
- Fixed a bug where the `--tls-verify` option to `podman manifest push` was nonfunctional.
- Fixed a bug where the `podman import` command could, in some circumstances, produce empty images.
- Fixed a bug where images pulled using the `docker-daemon:` transport had the wrong registry (`localhost` instead of `docker.io/library`).
- Fixed a bug where operations that pruned images (`podman image prune` and `podman system prune`) would prune untagged images with children.
- Fixed a bug where dual-stack networks created by `podman network create` did not properly auto-assign an IPv4 subnet when one was not explicitly specified.
- Fixed a bug where port forwarding using the `rootlessport` port forwarder would break when a network was disconnected and then reconnected.
- Fixed a bug where Podman would ignore user-specified SELinux policies for containers using the Kata OCI runtime, or containers using systemd as PID 1.
- Fixed a bug where Podman containers created using `--net=host` would add an entry to `/etc/hosts` for the container's hostname pointing to `127.0.1.1`.
- Fixed a bug where the `podman unpause --all` command would throw an error for every container that was not paused.
- Fixed a bug where timestamps for the `since` and `until` filters using Unix timestamps with a nanoseconds portion could not be parsed.
- Fixed a bug where the `podman info` command would sometimes print the wrong path for the `slirp4netns` binary.
- Fixed a bug where rootless Podman containers joined to a CNI network would not have functional DNS when the host used systemd-resolved without the resolved stub resolver being enabled.
- Fixed a bug where `podman network connect` and `podman network disconnect` of rootless containers could sometimes break port forwarding to the container.
- Fixed a bug where joining a container to a CNI network by ID and adding network aliases to this network would cause the container to fail to start.
API:
- Fixed a bug where the Compat List endpoint for Containers included healthcheck information for all containers, even those that did not have a configured healthcheck.
- Fixed a bug where the Compat Create endpoint for Containers would fail to create containers with the `NetworkMode` parameter set to `default`.
- Fixed a bug where the Compat Create endpoint for Containers did not properly handle healthcheck commands.
- Fixed a bug where the Compat Wait endpoint for Containers would always send an empty string error message when no error occurred.
- Fixed a bug where the Libpod Stats endpoint for Containers would not error when run on rootless containers on cgroups v1 systems (nonsensical results would be returned, as this configuration cannot be supported).
- Fixed a bug where the Compat List endpoint for Images omitted the `ContainerConfig` field.
- Fixed a bug where the Compat Build endpoint for Images was too strict when validating the `Content-Type` header, rejecting content that Docker would have accepted.
- Fixed a bug where the Compat Pull endpoint for Images could fail, but return a 200 status code, if an image name that could not be parsed was provided.
- Fixed a bug where the Compat Pull endpoint for Images would continue to pull images after the client disconnected.
- Fixed a bug where the Compat List endpoint for Networks would fail for non-bridge (e.g. macvlan) networks.
- Fixed a bug where the Libpod List endpoint for Networks would return nil, instead of an empty list, when no networks were present.
- The Compat and Libpod Logs endpoints for Containers now support the `until` query parameter.
- The Compat Import endpoint for Images now supports the `platform`, `message`, and `repo` query parameters.
- The Compat Pull endpoint for Images now supports the `platform` query parameter.
Misc:
- Updated Buildah to v1.22.3
- Updated the containers/storage library to v1.34.1
- Updated the containers/image library to v5.15.2
- Updated the containers/common library to v0.42.1
storage was updated to 1.36.0.
Updated image to 5.16.0.
Update podman to 3.2.3:
Security:
- This release addresses CVE-2021-3602, an issue with the `podman build` command with the `--isolation chroot` flag that results in environment variables from the host leaking into build containers. (bsc#1188520)
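A defender's check for the CVE-2021-3602 item above, added here as an example and not taken from the advisory or from the Podman project: it compares the installed version against the fixed 3.2.3 and, when podman is present, builds a throwaway image with `--isolation chroot` while a canary environment variable is exported, then reports whether the canary is visible inside the build. It assumes that `podman --version` prints `podman version X.Y.Z` and that `docker.io/library/busybox` can be pulled.

```shell
#!/bin/sh
# Added example (not part of the SUSE advisory or of Podman itself).
# Checks whether a host is still exposed to CVE-2021-3602: host environment
# variables leaking into `podman build --isolation chroot` containers.
# Assumptions: `podman --version` prints "podman version X.Y.Z" and the
# docker.io/library/busybox image is pullable for the behavioural check.

FIXED_VERSION="3.2.3"   # version the advisory names as carrying the fix

# Extract the version from `podman --version` output (last whitespace-separated field).
parse_podman_version() {
    printf '%s\n' "$1" | awk '{ print $NF }'
}

# version_ge A B: exit 0 when dotted version A >= B. Compares three numeric
# parts and ignores any packaging suffix such as "3.2.3-150400.1.2".
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s\n' "$1" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        b=$(printf '%s\n' "$2" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        a=${a:-0}; b=${b:-0}
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# is_fixed "<podman --version output>": exit 0 if the version is at or above FIXED_VERSION.
is_fixed() {
    version_ge "$(parse_podman_version "$1")" "$FIXED_VERSION"
}

# Behavioural check: export a canary variable, build a throwaway image with
# chroot isolation whose only RUN step dumps its environment, and look for
# the canary in the build output. Exit 0 = no leak seen, 1 = canary leaked,
# 2 = the check could not be carried out.
env_leak_check() {
    command -v podman >/dev/null 2>&1 || return 2
    workdir=$(mktemp -d) || return 2
    printf 'FROM docker.io/library/busybox\nRUN env\n' > "$workdir/Containerfile"
    CANARY_CVE_2021_3602="canary-$$"
    export CANARY_CVE_2021_3602
    if ! out=$(podman build --isolation chroot --no-cache "$workdir" 2>&1); then
        rm -rf "$workdir"; unset CANARY_CVE_2021_3602
        return 2
    fi
    rm -rf "$workdir"; unset CANARY_CVE_2021_3602
    if printf '%s\n' "$out" | grep -q "canary-$$"; then
        return 1
    fi
    return 0
}

main() {
    ver=$(podman --version 2>/dev/null) || { echo "podman not found"; return 2; }
    if is_fixed "$ver"; then
        echo "version check: $(parse_podman_version "$ver") >= $FIXED_VERSION (fixed)"
    else
        echo "version check: $(parse_podman_version "$ver") < $FIXED_VERSION (affected by CVE-2021-3602)"
    fi
    env_leak_check; rc=$?
    case $rc in
        0) echo "build check: host environment not visible in the chroot build" ;;
        1) echo "build check: canary variable LEAKED into the build container" ;;
        *) echo "build check: skipped (podman build unavailable or failed)" ;;
    esac
    return $rc
}

# Only run the checks when explicitly requested, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as `sh check.sh --run`; treat the build check as the authoritative one, since a distribution package may carry a backported fix under an older version string.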
Bugfixes:
- Fixed a bug where events related to images could occur before the relevant operation had completed (e.g. an image pull event could be written before the pull was finished).
- Fixed a bug where `podman save` would refuse to save images with an architecture different from that of the host.
- Fixed a bug where the `podman import` command did not correctly handle images without tags.
- Fixed a bug where Podman's journald events backend would fail and prevent Podman from running when run on a host with systemd as PID1 but in an environment (e.g. a container) without systemd.
- Fixed a bug where containers using rootless CNI networking would fail to start when the `dnsname` CNI plugin was in use and the host system's `/etc/resolv.conf` was a symlink ([#10855] and #10929).
- Fixed a bug where containers using rootless CNI networking could fail to start due to a race in rootless CNI initialization.
Update podman to 3.2.2
3.2.2:
- Podman's handling of the Architecture field of images has been relaxed. Since 3.2.0, Podman required that the architecture of the image match the architecture of the system to run containers based on an image, but images often incorrectly report architecture, causing Podman to reject valid images ([#10648] and #10682).
- Podman no longer uses inotify to monitor for changes to CNI configurations. This removes potential issues where Podman cannot be run because a user has exhausted their available inotify sessions.
Bugfixes:
- Fixed a bug where the `podman cp` command would, when given a directory as its source and a target that existed and was a file, copy the contents of the directory into the parent directory of the file; this now results in an error.
- Fixed a bug where the `podman logs` command would, when following a running container's logs, not include the last line of output from the container when it exited when the `k8s-file` driver was in use.
- Fixed a bug where Podman would fail to run containers if `systemd-resolved` was incorrectly detected as the system's DNS server.
- Fixed a bug where the `podman exec -t` command would only resize the exec session's TTY after the session started, leading to a race condition where the terminal would initially not have a size set.
- Fixed a bug where Podman containers using the `slirp4netns` network mode would add an incorrect entry to `/etc/hosts` pointing the container's hostname to the wrong IP address.
- Fixed a bug where Podman would create volumes specified by images with incorrect permissions ([#10188] and #10606).
- Fixed a bug where Podman would not respect the `uid` and `gid` options to `podman volume create -o`.
- Fixed a bug where the `podman run` command could panic when parsing the system's cgroup configuration.
- Fixed a bug where the remote Podman client's `podman build -f - ...` command did not read a Containerfile from STDIN.
- Fixed a bug where the `podman container restore --import` command would fail to restore checkpoints created from privileged containers.
- Fixed a bug where Podman was not respecting the `TMPDIR` environment variable when pulling images.
- Fixed a bug where a number of Podman commands did not properly support using Go templates as an argument to the `--format` option.
API:
- Fixed a bug where the Compat Inspect endpoint for Containers did not include information on container healthchecks.
- Fixed a bug where the Libpod and Compat Build endpoints for Images did not properly handle the `devices` query parameter.
Misc:
- Fixed a bug where the Makefile's `make podman-remote-static` target to build a statically-linked `podman-remote` binary was instead producing dynamic binaries.
- Updated the containers/common library to v0.38.11
3.2.1:
Changes:
- Podman now allows corrupt images (e.g. from restarting the system during an image pull) to be replaced by a `podman pull` of the same image (instead of requiring they be removed first, then re-pulled).
Bugfixes:
- Fixed a bug where Podman would fail to start containers if a Seccomp profile was not available at `/usr/share/containers/seccomp.json`.
- Fixed a bug where the `podman machine start` command failed on OS X machines with the AMD64 architecture and certain QEMU versions.
- Fixed a bug where Podman would always use the slow path for joining the rootless user namespace.
- Fixed a bug where the `podman stats` command would fail on Cgroups v1 systems when run on a container running systemd.
- Fixed a bug where pre-checkpoint support for `podman container checkpoint` did not function correctly.
- Fixed a bug where the remote Podman client's `podman build` command did not properly handle the `-f` option.
- Fixed a bug where the remote Podman client's `podman run` command would sometimes not resize the container's terminal before execution began.
- Fixed a bug where the `--filter` option to the `podman image prune` command was nonfunctional.
- Fixed a bug where the `podman logs -f` command would exit before all output for a container was printed when the `k8s-file` log driver was in use.
- Fixed a bug where Podman would not correctly detect that systemd-resolved was in use on the host and adjust DNS servers in the container appropriately under some circumstances.
- Fixed a bug where the `podman network connect` and `podman network disconnect` commands acted improperly when containers were in the Created state, marking the changes as done but not actually performing them.
API:
- Fixed a bug where the Compat and Libpod Prune endpoints for Networks returned null, instead of an empty array, when nothing was pruned.
- Fixed a bug where the Create API for Images would continue to pull images even if a client closed the connection mid-pull.
- Fixed a bug where the Events API did not include some information (including labels) when sending events.
- Fixed a bug where the Events API would, when streaming was not requested, send at most one event.
3.2.0:
Features:
- Docker Compose is now supported with rootless Podman.
- The `podman network connect`, `podman network disconnect`, and `podman network reload` commands have been enabled for rootless Podman.
- An experimental new set of commands, `podman machine`, was added to assist in managing virtual machines containing a Podman server. These are intended for easing the use of Podman on OS X by handling the creation of a Linux VM for running Podman.
- The `podman generate kube` command can now be run on Podman named volumes (generating `PersistentVolumeClaim` YAML), in addition to pods and containers.
- The `podman play kube` command now supports two new options, `--ip` and `--mac`, to set static IPs and MAC addresses for created pods ([#8442] and #9731).
- The `podman play kube` command's support for `PersistentVolumeClaim` YAML has been greatly improved.
- The `podman generate kube` command now preserves the label used by `podman auto-update` to identify containers to update as a Kubernetes annotation, and the `podman play kube` command will convert this annotation back into a label. This allows `podman auto-update` to be used with containers created by `podman play kube`.
- The `podman play kube` command now supports Kubernetes `secretRef` YAML (using the secrets support from `podman secret`) for environment variables.
- Secrets can now be added to containers as environment variables using the `type=env` option to the `--secret` flag to `podman create` and `podman run`.
- The `podman start` command now supports the `--all` option, allowing all containers to be started simultaneously with a single command. The `--filter` option has also been added to filter which containers to start when `--all` is used.
- Filtering containers with the `--filter` option to `podman ps` and `podman start` now supports a new filter, `restart-policy`, to filter containers based on their restart policy.
- The `--group-add` option to rootless `podman run` and `podman create` now accepts a new value, `keep-groups`, which instructs Podman to retain the supplemental groups of the user running Podman in the created container. This is only supported with the `crun` OCI runtime.
- The `podman run` and `podman create` commands now support a new option, `--timeout`. This sets a maximum time the container is allowed to run, after which it is killed.
- The `podman run` and `podman create` commands now support a new option, `--pidfile`. This will create a file when the container is started containing the PID of the first process in the container.
- The `podman run` and `podman create` commands now support a new option, `--requires`. The `--requires` option adds dependency containers - containers that must be running before the current container. Commands like `podman start` will automatically start the requirements of a container before starting the container itself.
- Auto-updating containers can now be done with locally-built images, not just images hosted on a registry, by creating containers with the `io.containers.autoupdate` label set to `local`.
- Podman now supports the Container Device Interface standard.
- Podman now adds an entry to `/etc/hosts`, `host.containers.internal`, pointing to the current gateway (which, for root containers, is usually a bridge interface on the host system).
- The `podman ps`, `podman pod ps`, `podman network list`, `podman secret list`, and `podman volume list` commands now support a `--noheading` option, which will cause Podman to omit the heading line including column names.
- The `podman unshare` command now supports a new flag, `--rootless-cni`, to join the rootless network namespace. This allows commands to be run in the same network environment as rootless containers with CNI networking.
- The `--security-opt unmask=` option to `podman run` and `podman create` now supports glob operations to unmask a group of paths at once (e.g. `podman run --security-opt unmask=/proc/* ...` will unmask all paths in `/proc` in the container).
- The `podman network prune` command now supports a `--filter` option to filter which networks will be pruned.
Changes:
- The change in Podman 3.1.2 where the `:z` and `:Z` mount options for volumes were ignored for privileged containers has been reverted after discussion in [#10209].
- Podman's rootless CNI functionality no longer requires a sidecar container! The removal of the requirement for the `rootless-cni-infra` container means that rootless CNI is now usable on all architectures, not just AMD64, and no longer requires pulling an image.
- The Image handling code used by Podman has seen a major rewrite to improve code sharing with our other projects, Buildah and CRI-O. This should result in fewer bugs and performance gains in the long term. Work on this is still ongoing.
- The `podman auto-update` command now prunes previous versions of images after updating if they are unused, to prevent disk exhaustion after repeated updates.
- The `podman play kube` command now treats environment variables configured as references to a `ConfigMap` as mandatory unless the `optional` parameter was set; this better matches the behavior of Kubernetes.
- Podman now supports the `--context=default` flag from Docker as a no-op for compatibility purposes.
- When Podman is run as root, but without `CAP_SYS_ADMIN` being available, it will run in a user namespace using the same code as rootless Podman (instead of failing outright).
- The `podman info` command now includes the path of the Seccomp profile Podman is using, available cgroup controllers, and whether Podman is connected to a remote service or running containers locally.
- Containers created with the `--rm` option now automatically use the `volatile` storage flag when available for their root filesystems, causing them not to write changes to disk as often as they will be removed at completion anyways. This should result in improved performance.
- The `podman generate systemd --new` command will now include environment variables referenced by the container in generated unit files if the value would be looked up from the system environment.
- Podman now requires that Conmon v2.0.24 be available.
Bugfixes:
- Fixed a bug where the remote Podman client's `podman build` command did not support the `--arch`, `--platform`, and `--os` options.
- Fixed a bug where the remote Podman client's `podman build` command ignored the `--rm=false` option.
- Fixed a bug where the remote Podman client's `podman build --iidfile` command could include extra output (in addition to just the image ID) in the image ID file written.
- Fixed a bug where the remote Podman client's `podman build` command did not preserve hardlinks when moving files into the container via `COPY` instructions.
- Fixed a bug where the `podman generate systemd --new` command could generate extra `--iidfile` arguments if the container was already created with one.
- Fixed a bug where the `podman generate systemd --new` command would generate unit files that did not include `RequiresMountsFor` lines.
- Fixed a bug where the `podman generate kube` command produced incorrect YAML for containers which bind-mounted both `/` and `/root` from the host system into the container.
- Fixed a bug where pods created by `podman play kube` from YAML that specified `ShareProcessNamespace` would only share the PID namespace (and not also the UTS, Network, and IPC namespaces).
- Fixed a bug where the `podman network reload` command could generate spurious error messages when `iptables-nft` was in use.
- Fixed a bug where rootless Podman could fail to attach to containers when the user running Podman had a large UID.
- Fixed a bug where the `podman ps` command could fail with a `no such container` error due to a race condition with container removal.
- Fixed a bug where containers using the `slirp4netns` network mode and setting a custom `slirp4netns` subnet while using the `rootlesskit` port forwarder would not be able to forward ports.
- Fixed a bug where the `--filter ancestor=` option to `podman ps` did not require an exact match of the image name/ID to include a container in its results.
- Fixed a bug where the `--filter until=` option to `podman image prune` would prune images created after the specified time (instead of before).
- Fixed a bug where setting a custom Seccomp profile via the `seccomp_profile` option in `containers.conf` had no effect, and the default profile was used instead.
- Fixed a bug where the `--cgroup-parent` option to `podman create` and `podman run` was ignored in rootless Podman on cgroups v2 systems with the `cgroupfs` cgroup manager.
- Fixed a bug where the `IMAGE` and `NAME` variables in `podman container runlabel` were not being correctly substituted.
- Fixed a bug where Podman could freeze when creating containers with a specific combination of volumes and working directory.
- Fixed a bug where rootless Podman containers restarted by restart policy (e.g. containers created with `--restart=always`) would lose networking after being restarted.
- Fixed a bug where the `podman cp` command could not copy files into containers created with the `--pid=host` flag.
- Fixed a bug where filters to the `podman events` command could not be specified twice (if a filter is specified more than once, it will match if any of the given values match - logical or).
- Fixed a bug where Podman would include IPv6 nameservers in `resolv.conf` in containers without IPv6 connectivity.
- Fixed a bug where containers could not be created with static IP addresses when connecting to a network using the `macvlan` driver.
API:
- Fixed a bug where the Compat Create endpoint for Containers did not allow advanced network options to be set.
- Fixed a bug where the Compat Create endpoint for Containers ignored static IP information provided in the `IPAMConfig` block.
- Fixed a bug where the Compat Inspect endpoint for Containers returned null (instead of an empty list) for Networks when the container was not joined to a CNI network.
- Fixed a bug where the Compat Wait endpoint for Containers could miss containers exiting if they were immediately restarted.
- Fixed a bug where the Compat Create endpoint for Volumes required that the user provide a name for the new volume.
- Fixed a bug where the Libpod Info handler would sometimes not return the correct path to the Podman API socket.
- Fixed a bug where the Compat Events handler used the wrong name for container exited events (`died` instead of `die`).
- Fixed a bug where the Compat Push endpoint for Images could leak goroutines if the remote end closed the connection prematurely.
Update storage to 1.32.5
Update podman to 3.1.2
3.1.2:
Bugfixes:
- Fixed a bug where images with empty layers were stored incorrectly, causing them to be unable to be pushed or saved.
- Fixed a bug where the `podman rmi` command could fail to remove corrupt images from storage.
- Fixed a bug where the remote Podman client's `podman save` command did not support the `oci-dir` and `docker-dir` formats.
- Fixed a bug where volume mounts from `podman play kube` created with a trailing `/` in the container path were not properly superseding named volumes from the image.
- Fixed a bug where Podman could fail to build on 32-bit architectures.
Update podman to 3.1.1
- Podman now recognizes `trace` as a valid argument to the `--log-level` option. Trace logging is now the most verbose level of logging available.
- The `:z` and `:Z` options for volume mounts are now ignored when the container is privileged or is run with SELinux isolation disabled (`--security-opt label=disable`). This better matches Docker's behavior in this case.
Bugfixes
- Fixed a bug where pruning images with the `podman image prune` or `podman system prune` commands could cause Podman to panic.
- Fixed a bug where the `podman save` command did not properly error when the `--compress` flag was used with incompatible format types.
- Fixed a bug where the `--security-opt` and `--ulimit` options to the remote Podman client's `podman build` command were nonfunctional.
- Fixed a bug where the `--log-rusage` option to the remote Podman client's `podman build` command was nonfunctional.
- Fixed a bug where the `podman build` command could, in some circumstances, use the wrong OCI runtime.
- Fixed a bug where the remote Podman client's `podman build` command could return 0 despite failing.
- Fixed a bug where the `podman container runlabel` command did not properly expand the `IMAGE` and `NAME` variables in the label.
- Fixed a bug where poststop OCI hooks would be executed twice on containers started with the `--rm` argument.
- Fixed a bug where rootless Podman could fail to launch containers on cgroups v2 systems when the `cgroupfs` cgroup manager was in use.
- Fixed a bug where the `podman stats` command could error when statistics tracked exceeded the maximum size of a 32-bit signed integer.
- Fixed a bug where rootless Podman containers run with `--userns=keepid` (without a `--user` flag in addition) would grant exec sessions run in them too many capabilities.
- Fixed a bug where the `--authfile` option to `podman build` did not validate that the path given existed.
- Fixed a bug where the `--storage-opt` option to Podman was appending to, instead of overriding (as is documented), the default storage options.
- Fixed a bug where the `podman system service` connection did not function properly when run in a socket-activated systemd unit file as a non-root user.
- Fixed a bug where the `--network` option to the `podman play kube` command of the remote Podman client was being ignored.
- Fixed a bug where the `--log-driver` option to the `podman play kube` command was nonfunctional.
API
- Fixed a bug where the Libpod Create endpoint for Manifests did not properly validate the image the manifest was being created with.
- Fixed a bug where the Libpod DF endpoint could, in error cases, append an extra null to the JSON response, causing decode errors.
- Fixed a bug where the Libpod and Compat Top endpoint for Containers would return process names that included extra whitespace.
- Fixed a bug where the Compat Prune endpoint for Containers accepted too many types of filter.
Update podman to 3.1.0
Features:
- A set of new commands has been added to manage secrets! The `podman secret create`, `podman secret inspect`, `podman secret ls` and `podman secret rm` commands have been added to handle secrets, along with the `--secret` option to `podman run` and `podman create` to add secrets to containers. The initial driver for secrets does not support encryption - this will be added in a future release.
- A new command to prune networks, `podman network prune`, has been added.
- The `-v` option to `podman run` and `podman create` now supports a new volume option, `:U`, to chown the volume's source directory on the host to match the UID and GID of the container and prevent permissions issues.
- Three new commands, `podman network exists`, `podman volume exists`, and `podman manifest exists`, have been added to check for the existence of networks, volumes, and manifest lists.
- The `podman cp` command can now copy files into directories mounted as `tmpfs` in a running container.
- The `podman volume prune` command will now list volumes that will be pruned when prompting the user whether to continue and perform the prune.
- The Podman remote client's `podman build` command now supports the `--disable-compression`, `--excludes`, and `--jobs` options.
- The Podman remote client's `podman push` command now supports the `--format` option.
- The Podman remote client's `podman rm` command now supports the `--all` and `--ignore` options.
- The Podman remote client's `podman search` command now supports the `--no-trunc` and `--list-tags` options.
- The `podman play kube` command can now read in Kubernetes YAML from `STDIN` when `-` is specified as file name (`podman play kube -`), allowing input to be piped into the command for scripting.
- The `podman generate systemd` command now supports a `--no-header` option, which disables creation of the header comment automatically added by Podman to generated unit files.
- The `podman generate kube` command can now generate `PersistentVolumeClaim` YAML for Podman named volumes.
- The `podman generate kube` command can now generate YAML files containing multiple resources (pods or deployments).
Security:
- This release resolves CVE-2021-20291, a deadlock vulnerability in the storage library caused by pulling a specially-crafted container image. (bsc#1196497)
Changes:
- The Podman remote client's `podman build` command no longer allows the `-v` flag to be used. Volumes are not yet supported with remote Podman when the client and service are on different machines.
- The `podman kill` and `podman stop` commands now print the name given by the user for each container, instead of the full ID.
- When the `--security-opt unmask=ALL` or `--security-opt unmask=/sys/fs/cgroup` options to `podman create` or `podman run` are given, Podman will mount cgroups into the container as read-write, instead of read-only.
- The `podman rmi` command has been changed to better handle cases where an image is incomplete or corrupted, which can be caused by interrupted image pulls.
- The `podman rename` command has been improved to be more atomic, eliminating many race conditions that could potentially render a renamed container unusable.
- Detection of which OCI runtimes run using virtual machines and thus require custom SELinux labelling has been improved.
- The hidden `--trace` option to `podman` has been turned into a no-op. It was used in very early versions for performance tracing, but has not been supported for some time.
- The `podman generate systemd` command now generates `RequiresMountsFor` lines to ensure necessary storage directories are mounted before systemd starts Podman.
- Podman will now emit a warning when `--tty` and `--interactive` are both passed, but `STDIN` is not a TTY. This will be made into an error in the next major Podman release some time next year.
### Bugfixes
- Fixed a bug where rootless Podman containers joined to CNI networks could not receive traffic from forwarded ports.
- Fixed a bug where `podman network create` with the `--macvlan` flag did not honor the `--gateway`, `--subnet`, and `--opt` options.
- Fixed a bug where the `podman generate kube` command generated invalid YAML for privileged containers.
- Fixed a bug where the `podman generate kube` command could not be used with containers that were not running.
- Fixed a bug where the `podman generate systemd` command could duplicate some parameters to Podman in generated unit files.
- Fixed a bug where Podman did not add annotations specified in `containers.conf` to containers.
- Fixed a bug where Podman did not respect the `no_hosts` default in `containers.conf` when creating containers.
- Fixed a bug where the `--tail=0`, `--since`, and `--follow` options to the `podman logs` command did not function properly when using the `journald` log backend.
- Fixed a bug where specifying more than one container to `podman logs` when the `journald` log backend was in use did not function correctly.
- Fixed a bug where the `podman run` and `podman create` commands would panic if a memory limit was set, but the swap limit was set to unlimited.
- Fixed a bug where the `--network` option to `podman run`, `podman create`, and `podman pod create` would error if the user attempted to specify CNI networks by ID, instead of name.
- Fixed a bug where Podman's cgroup handling for cgroups v1 systems did not properly handle cases where a cgroup existed on some, but not all, controllers, resulting in errors from the `podman stats` command.
- Fixed a bug where the `podman cp` command did not properly handle cases where `/dev/stdout` was specified as the destination (it was treated identically to `-`).
- Fixed a bug where the `podman cp` command would create files with incorrect ownership.
- Fixed a bug where the `podman cp` command did not properly handle cases where the destination directory did not exist.
- Fixed a bug where the `podman cp` command did not properly evaluate symlinks when copying out of containers.
- Fixed a bug where the `podman rm -fa` command would error when attempting to remove containers created with `--rm`.
- Fixed a bug where the ordering of capabilities was nondeterministic in the `CapDrop` field of the output of `podman inspect` on a container.
- Fixed a bug where the `podman network connect` command could be used with containers that were not initially connected to a CNI bridge network (e.g. containers created with `--net=host`).
- Fixed a bug where DNS search domains required by the `dnsname` CNI plugin were not being added to the container's `resolv.conf` under some circumstances.
- Fixed a bug where the `--ignorefile` option to `podman build` was nonfunctional.
- Fixed a bug where the `--timestamp` option to `podman build` was nonfunctional.
- Fixed a bug where the `--iidfile` option to `podman build` could cause Podman to panic if an error occurred during the build.
- Fixed a bug where the `--dns-search` option to `podman build` was nonfunctional.
- Fixed a bug where the `--pull-never` option to `podman build` was nonfunctional.
- Fixed a bug where the `--build-arg` option to `podman build` would, when given a key but not a value, error (instead of attempting to look up the key as an environment variable).
- Fixed a bug where the `--isolation` option to `podman build` in the remote Podman client was nonfunctional.
- Fixed a bug where the `podman network disconnect` command could cause errors when the container that had a network removed was stopped and its network was cleaned up.
- Fixed a bug where the `podman network rm` command did not properly check what networks a container was present in, resulting in unexpected behavior if `podman network connect` or `podman network disconnect` had been used with the network.
- Fixed a bug where some errors with stopping a container could cause Podman to panic, and the container to be stuck in an unusable `stopping` state.
- Fixed a bug where the `podman load` command could return 0 even in cases where an error occurred.
- Fixed a bug where specifying storage options to Podman using the `--storage-opt` option would override all storage options. Instead, storage options are now overridden only when the `--storage-driver` option is used to override the current graph driver.
- Fixed a bug where containers created with `--privileged` could request more capabilities than were available to Podman.
- Fixed a bug where `podman commit` did not use the `TMPDIR` environment variable to place temporary files created during the commit.
- Fixed a bug where remote Podman could error when attempting to resize short-lived containers.
- Fixed a bug where Podman was unusable on kernels built without `CONFIG_USER_NS`.
- Fixed a bug where the ownership of volumes created by `podman volume create` and then mounted into a container could be incorrect.
- Fixed a bug where Podman volumes using a volume plugin could not pass certain options, and could not be used as non-root users.
- Fixed a bug where the `--tz` option to `podman create` and `podman run` did not properly validate its input.
### API
- Fixed a bug where the `X-Registry-Auth` header did not accept `null` as a valid value.
- A new compat endpoint, `/auth`, has been added. This endpoint validates credentials against a registry.
- Fixed a bug where the compat Build endpoint for Images specified labels using the wrong type (array vs map). Both formats will be accepted now.
- Fixed a bug where the compat Build endpoint for Images did not report that it successfully tagged the built image in its response.
- Fixed a bug where the compat Create endpoint for Images did not provide progress information on pulling the image in its response.
- Fixed a bug where the compat Push endpoint for Images did not properly handle the destination (used a query parameter, instead of a path parameter).
- Fixed a bug where the compat Push endpoint for Images did not send the progress of the push and the digest of the pushed image in the response body.
- Fixed a bug where the compat List endpoint for Networks returned null, instead of an empty array (`[]`), when no networks were present.
- Fixed a bug where the compat List endpoint for Networks returned nulls, instead of empty maps, for networks that do not have Labels and/or Options.
- The Libpod Inspect endpoint for networks (`/libpod/network/$ID/json`) now has an alias at `/libpod/network/$ID`.
- Fixed a bug where the libpod Inspect endpoint for Networks returned a 1-size array of results, instead of a single result.
- The Compat List endpoint for Networks now supports the legacy format for filters in parallel with the current filter format.
- Fixed a bug where the compat Create endpoint for Containers did not properly handle tmpfs filesystems specified with options.
- Fixed a bug where the compat Create endpoint for Containers did not create bind-mount source directories.
- Fixed a bug where the compat Create endpoint for Containers did not properly handle the `NanoCpus` option.
- Fixed a bug where the Libpod create endpoint for Containers had a misnamed field in its JSON.
- Fixed a bug where the compat List endpoint for Containers did not populate information on forwarded ports.
- Fixed a bug where the compat List endpoint for Containers did not populate information on container CNI networks.
- Fixed a bug where the compat and libpod Stop endpoints for Containers would ignore a timeout of 0.
- Fixed a bug where the compat and libpod Resize endpoints for Containers did not set the correct terminal sizes (dimensions were reversed).
- Fixed a bug where the compat Remove endpoint for Containers would not return 404 when attempting to remove a container that does not exist.
- Fixed a bug where the compat Prune endpoint for Volumes would still prune even if an invalid filter was specified.
- Numerous bugs related to filters have been addressed.
Update podman to 3.0.1
3.0.1:
Changes:
- Several frequently-occurring `WARN` level log messages have been downgraded to `INFO` or `DEBUG` to not clutter terminal output.
Bugfixes:
- Fixed a bug where the `Created` field of `podman ps --format=json` was formatted as a string instead of a Unix timestamp (integer).
- Fixed a bug where failing lookups of individual layers during the `podman images` command would cause the whole command to fail without printing output.
- Fixed a bug where `--cgroups=split` did not function properly on cgroups v1 systems.
- Fixed a bug where mounting a volume over a directory in the container that existed, but was empty, could fail.
- Fixed a bug where mounting a volume over a directory in the container that existed could copy the entirety of the container's rootfs, instead of just the directory mounted over, into the volume.
- Fixed a bug where Podman would treat the `--entrypoint=['']` option to `podman run` and `podman create` as a literal empty string in the entrypoint, when instead it should have been ignored.
- Fixed a bug where Podman would set the `HOME` environment variable to `''` when the container ran as a user without an assigned home directory.
- Fixed a bug where specifying a pod infra image that had no tags (by using its ID) would cause `podman pod create` to panic.
- Fixed a bug where the `--runtime` option was not properly handled by the `podman build` command.
- Fixed a bug where Podman would incorrectly print an error message related to the remote API when the remote API was not in use and starting Podman failed.
- Fixed a bug where Podman would change ownership of a container's working directory, even if it already existed.
- Fixed a bug where the `podman generate systemd --new` command would incorrectly escape `%t` when generating the path for the PID file.
- Fixed a bug where Podman could, when run inside a Podman container with the host's containers/storage directory mounted into the container, erroneously detect a reboot and reset container state if the temporary directory was not also mounted in.
- Fixed a bug where some options of the `podman build` command (including but not limited to `--jobs`) were nonfunctional.
### API
- Fixed a breaking change to the Libpod Wait API for Containers where the Conditions parameter changed type in Podman v3.0.
- Fixed a bug where the Compat Create endpoint for Containers did not properly handle forwarded ports that did not specify a host port.
- Fixed a bug where the Libpod Wait endpoint for Containers could write duplicate headers after an error occurred.
- Fixed a bug where the Compat Create endpoint for Images would not pull images that already had a matching tag present locally, even if a more recent version was available at the registry.
- The Compat Create endpoint for Images has had its compatibility with Docker improved, allowing its use with the `docker-java` library.
### Misc
- Updated Buildah to v1.19.4
- Updated the containers/storage library to v1.24.6
3.0.0:
Features:
- Podman now features initial support for Docker Compose.
- Added the `podman rename` command, which allows containers to be renamed after they are created.
- The Podman remote client now supports the `podman copy` command.
- A new command, `podman network reload`, has been added. This command will re-configure the network of all running containers, and can be used to recreate firewall rules lost when the system firewall was reloaded (e.g. via `firewall-cmd --reload`).
- Podman networks now have IDs. They can be seen in `podman network ls` and can be used when removing and inspecting networks. Existing networks receive IDs automatically.
- Podman networks now also support labels. They can be added via the `--label` option to `network create`, and `podman network ls` can filter labels based on them.
- The `podman network create` command now supports setting bridge MTU and VLAN through the `--opt` option.
- The `podman container checkpoint` and `podman container restore` commands can now checkpoint and restore containers that include volumes.
- The `podman container checkpoint` command now supports the `--with-previous` and `--pre-checkpoint` options, and the `podman container restore` command now supports the `--import-previous` option. These add support for two-step checkpointing with lowered dump times.
- The `podman push` command can now push manifest lists. Podman will first attempt to push as an image, then fall back to pushing as a manifest list if that fails.
- The `podman generate kube` command can now be run on multiple containers at once, and will generate a single pod containing all of them.
- The `podman generate kube` and `podman play kube` commands now support Kubernetes DNS configuration, and will preserve custom DNS configuration when exporting or importing YAML.
- The `podman generate kube` command now properly supports generating YAML for containers and pods created using host networking (`--net=host`).
- The `podman kill` command now supports a `--cidfile` option to kill containers given a file containing the container's ID.
- The `podman pod create` command now supports the `--net=none` option.
- The `podman volume create` command can now specify volume UID and GID as options with the `UID` and `GID` fields passed to the `--opt` option.
- Initial support has been added for Docker Volume Plugins. Podman can now define available plugins in `containers.conf` and use them to create volumes with `podman volume create --driver`.
- The `podman run` and `podman create` commands now support a new option, `--platform`, to specify the platform of the image to be used when creating the container.
- The `--security-opt` option to `podman run` and `podman create` now supports the `systempaths=unconfined` option to unrestrict access to all paths in the container, as well as `mask` and `unmask` options to allow more granular restriction of container paths.
- The `podman stats --format` command now supports a new format specifier, `MemUsageBytes`, which prints the raw bytes of memory consumed by a container without human-readable formatting [#8945].
- The `podman ps` command can now filter containers based on what pod they are joined to via the `pod` filter.
- The `podman pod ps` command can now filter pods based on what networks they are joined to via the `network` filter.
- The `podman pod ps` command can now print information on what networks a pod is joined to via the `.Networks` specifier to the `--format` option.
- The `podman system prune` command now supports filtering what containers, pods, images, and volumes will be pruned.
- The `podman volume prune` command now supports filtering what volumes will be pruned.
- The `podman system prune` command now includes information on space reclaimed.
- The `podman info` command will now properly print information about packages in use on Gentoo and Arch systems.
- The `containers.conf` file now contains an option for disabling creation of a new kernel keyring on container creation.
- The `podman image sign` command can now sign multi-arch images by producing a signature for each image in a given manifest list.
- The `podman image sign` command, when run as rootless, now supports per-user registry configuration files in `$HOME/.config/containers/registries.d`.
- Configuration options for `slirp4netns` can now be set system-wide via the `NetworkCmdOptions` configuration option in `containers.conf`.
- The MTU of `slirp4netns` can now be configured via the `mtu=` network command option (e.g. `podman run --net slirp4netns:mtu=9000`).
Security:
- A fix for CVE-2021-20199 is included. Podman between v1.8.0 and v2.2.1 used `127.0.0.1` as the source address for all traffic forwarded into rootless containers by a forwarded port; this has been changed to address the issue. (bsc#1181640)
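The practical risk behind CVE-2021-20199 is that a service inside the container which trusts loopback clients (an admin endpoint restricted to localhost, for example) would have treated every forwarded connection as local. The following check is an added example, not code from the advisory or from the Podman project: it audits accepted connections and flags any that arrive on a published port with a loopback source address, so an operator can confirm after patching that forwarded traffic no longer appears to originate from `127.0.0.1`. The published-port set and the sample connection records are constructed for illustration.

```python
"""Audit accepted connections for loopback-sourced traffic on published ports.

Added example, not from the advisory or the Podman project. A service inside
a rootless container can use it to confirm that the port forwarder no longer
reports 127.0.0.1 for every forwarded connection (the CVE-2021-20199
behaviour). PUBLISHED_PORTS and the sample records are constructed.
"""
import ipaddress
import socket
from typing import Iterable, List, Set, Tuple

# Constructed: ports this container publishes with `podman run -p ...`.
PUBLISHED_PORTS: Set[int] = {8080, 8443}


def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8, ::1 and IPv4-mapped loopback (::ffff:127.x.y.z)."""
    ip = ipaddress.ip_address(addr)
    # Dual-stack sockets report IPv4 peers as IPv4-mapped IPv6 addresses;
    # unwrap them so the loopback test sees the real IPv4 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_loopback


def audit_connections(records: Iterable[Tuple[int, str]],
                      published: Set[int]) -> List[str]:
    """Return one finding per connection whose peer is a loopback address
    but which arrived on a published port. Such a connection came through
    the forwarder with its real source hidden, so any localhost-based trust
    rule in the service would apply to an external client."""
    findings = []
    for local_port, peer in records:
        if local_port in published and is_loopback(peer):
            findings.append(
                f"port {local_port}: peer {peer} is loopback on a published "
                f"port; localhost-based trust is unsafe here")
    return findings


def observe(port: int, count: int = 1) -> List[Tuple[int, str]]:
    """Live mode: accept `count` connections on `port` inside the container
    and return (local_port, peer_ip) records for audit_connections()."""
    records = []
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen()
        for _ in range(count):
            conn, (peer_ip, _peer_port) = srv.accept()
            conn.close()
            records.append((port, peer_ip))
    return records


if __name__ == "__main__":
    # Constructed sample: the first two records are what the vulnerable
    # forwarder produced (everything from loopback); the third shows a
    # non-loopback source; the fourth is loopback on an unpublished port,
    # which is a genuinely local client and is not flagged.
    sample = [(8080, "127.0.0.1"), (8443, "::ffff:127.0.0.1"),
              (8080, "192.0.2.10"), (9000, "127.0.0.1")]
    for finding in audit_connections(sample, PUBLISHED_PORTS):
        print(finding)
```

To check a live container, publish a port, run `observe(port)` inside it and connect once from another host; with the fix in place the returned peer address should not be loopback.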
Changes:
- Shortname aliasing support has now been turned on by default. All Podman commands that must pull an image will, if a TTY is available, prompt the user about what image to pull.
- The `podman load` command no longer accepts a `NAME[:TAG]` argument. The presence of this argument broke CLI compatibility with Docker by making `docker load` commands unusable with Podman.
- The Go bindings for the HTTP API have been rewritten with a focus on limiting dependency footprint and improving extensibility. Read more [here].
- The legacy Varlink API has been completely removed from Podman.
- The default log level for Podman has been changed from Error to Warn.
- The `podman network create` command can now create `macvlan` networks using the `--driver macvlan` option for Docker compatibility. The existing `--macvlan` flag has been deprecated and will be removed in Podman 4.0 some time next year.
- The `podman inspect` command has had the `LogPath` and `LogTag` fields moved into the `LogConfig` structure (from the root of the Inspect structure). The maximum size of the log file is also included.
- The `podman generate systemd` command no longer generates unit files using the deprecated `KillMode=none` option.
- The `podman stop` command now releases the container lock while waiting for it to stop - as such, commands like `podman ps` will no longer block until `podman stop` completes.
- Networks created with `podman network create --internal` no longer use the `dnsname` plugin. This configuration never functioned as expected.
- Error messages for the remote Podman client have been improved when it cannot connect to a Podman service.
- Error messages for `podman run` when an invalid SELinux option is specified have been improved.
- Rootless Podman features improved support for containers with a single user mapped into the rootless user namespace.
- Pod infra containers now respect default sysctls specified in `containers.conf`, allowing for advanced configuration of the namespaces they will share.
- SSH public key handling for remote Podman has been improved.
### Bugfixes
- Fixed a bug where the `podman history --no-trunc` command would truncate the `Created By` field.
- Fixed a bug where root containers that did not explicitly specify a CNI network to join did not generate an entry for the network in use in the `Networks` field of the output of `podman inspect`.
- Fixed a bug where, under some circumstances, container working directories specified by the image (via the `WORKDIR` instruction) but not present in the image, would not be created.
- Fixed a bug where the `podman generate systemd` command would generate invalid unit files if the container was created using a command line that included doubled braces (`{{` and `}}`), e.g. `--log-opt-tag={{.Name}}`.
- Fixed a bug where the `podman generate systemd --new` command could generate unit files including invalid Podman commands if the container was created using merged short options (e.g. `podman run -dt`).
- Fixed a bug where the `podman generate systemd --new` command could generate unit files that did not handle Podman commands including some special characters (e.g. `$`) ([#9176]).
- Fixed a bug where rootless containers joining CNI networks could not set a static IP address.
- Fixed a bug where rootless containers joining CNI networks could not set network aliases.
- Fixed a bug where the remote client could, under some circumstances, not include the `Containerfile` when sending build context to the server.
- Fixed a bug where rootless Podman did not mount `/sys` as a new `sysfs` in some circumstances where it was acceptable.
- Fixed a bug where rootless containers that both joined a user namespace and a CNI network would cause a segfault. These options are incompatible and now return an error.
- Fixed a bug where the `podman play kube` command did not properly handle `CMD` and `ARGS` from images.
- Fixed a bug where the `podman play kube` command did not properly handle environment variables from images.
- Fixed a bug where the `podman play kube` command did not properly print errors that occurred when starting containers.
- Fixed a bug where the `podman play kube` command errored when `hostNetwork` was used.
- Fixed a bug where the `podman play kube` command would always pull images when the `:latest` tag was specified, even if the image was available locally.
- Fixed a bug where the `podman play kube` command did not properly handle SELinux configuration, rendering YAML with custom SELinux configuration unusable.
- Fixed a bug where the `podman generate kube` command incorrectly populated the `args` and `command` fields of generated YAML.
- Fixed a bug where containers in a pod would create a duplicate entry in the pod's shared `/etc/hosts` file every time the container restarted.
- Fixed a bug where the `podman search --list-tags` command did not support the `--format` option.
- Fixed a bug where the `http_proxy` option in `containers.conf` was not being respected, and instead was set unconditionally to true.
- Fixed a bug where rootless Podman could, on systems with a recent Conmon and users with a long username, fail to attach to containers.
- Fixed a bug where the `podman images` command would break and fail to display any images if an empty manifest list was present in storage.
- Fixed a bug where locale environment variables were not properly passed on to Conmon.
- Fixed a bug where Podman would not build on the MIPS architecture.
- Fixed a bug where rootless Podman could fail to properly configure user namespaces for rootless containers when the user specified a `--uidmap` option that included a mapping beginning with UID `0`.
- Fixed a bug where the `podman logs` command using the `k8s-file` backend did not properly handle partial log lines with a length of 1.
- Fixed a bug where the `podman logs` command with the `--follow` option did not properly handle log rotation.
- Fixed a bug where user-specified `HOSTNAME` environment variables were overwritten by Podman.
- Fixed a bug where Podman would apply default sysctls from `containers.conf` in too many situations (e.g. applying network sysctls when the container shared its network with a pod).
- Fixed a bug where Podman did not properly handle cases where a secondary image store was in use and an image was present in both the secondary and primary stores.
- Fixed a bug where systemd-managed rootless Podman containers where the user in the container was not root could fail as the container's PID file was not accessible to systemd on the host.
- Fixed a bug where the `--privileged` option to `podman run` and `podman create` would, under some circumstances, not disable Seccomp.
- Fixed a bug where the `podman exec` command did not properly add capabilities when the container or exec session were run with `--privileged`.
- Fixed a bug where rootless Podman would use the `--enable-sandbox` option to `slirp4netns` unconditionally, even when `pivot_root` was disabled, rendering `slirp4netns` unusable when `pivot_root` was disabled.
- Fixed a bug where `podman build --logfile` did not actually write the build's log to the logfile.
- Fixed a bug where the `podman system service` command did not close STDIN, and could display user-interactive prompts.
- Fixed a bug where the `podman system reset` command could, under some circumstances, remove all the contents of the `XDG_RUNTIME_DIR` directory.
- Fixed a bug where the `podman network create` command created CNI configurations that did not include a default gateway.
- Fixed a bug where the `podman.service` systemd unit provided by default used the wrong service type, and would cause systemd to not correctly register the service as started.
- Fixed a bug where, if the `TMPDIR` environment variable was set for the container engine in `containers.conf`, it was being ignored.
- Fixed a bug where the `podman events` command did not properly handle future times given to the `--until` option.
- Fixed a bug where the `podman logs` command wrote container `STDERR` logs to `STDOUT` instead of `STDERR`.
- Fixed a bug where containers created from an image with multiple tags would report that they were created from the wrong tag.
- Fixed a bug where container capabilities were not set properly when the `--cap-add=all` and `--user` options to `podman create` and `podman run` were combined.
- Fixed a bug where the `--layers` option to `podman build` was nonfunctional.
- Fixed a bug where the `podman system prune` command did not act recursively, and thus would leave images, containers, pods, and volumes present that would be removed by a subsequent call to `podman system prune`.
- Fixed a bug where the `--publish` option to `podman run` and `podman create` did not properly handle ports specified as a range of ports with no host port specified.
- Fixed a bug where `--format` did not support JSON output for individual fields.
- Fixed a bug where the `podman stats` command would fail when run on root containers using the `slirp4netns` network mode.
- Fixed a bug where the Podman remote client would ask for a password even if the server's SSH daemon did not support password authentication.
- Fixed a bug where the `podman stats` command would fail if the system did not support one or more of the cgroup controllers Podman supports.
- Fixed a bug where the `--mount` option to `podman create` and `podman run` did not ignore the `consistency` mount option.
- Fixed a bug where failures during the resizing of a container's TTY would print the wrong error.
- Fixed a bug where the `podman network disconnect` command could cause the `podman inspect` command to fail for a container until it was restarted.
- Fixed a bug where containers created from a read-only rootfs (using the `--rootfs` option to `podman create` and `podman run`) would fail.
- Fixed a bug where specifying Go templates to the `--format` option to multiple Podman commands did not support the `join` function.
- Fixed a bug where the `podman rmi` command could, when run in parallel on multiple images, return `layer not known` errors.
- Fixed a bug where the `podman inspect` command on containers displayed unlimited ulimits incorrectly.
- Fixed a bug where Podman would fail to start when a volume was mounted over a directory in a container that contained symlinks that terminated outside the directory and its subdirectories.
### API
- All Libpod Pod APIs have been modified to properly report errors with individual containers. Cases where the operation as a whole succeeded but individual containers failed now report an HTTP 409 error.
- The Compat API for Containers now supports the Rename and Copy APIs.
- Fixed a bug where the Compat Prune APIs (for volumes, containers, and images) did not return the amount of space reclaimed in their responses.
- Fixed a bug where the Compat and Libpod Exec APIs for Containers would drop errors that occurred prior to the exec session successfully starting (e.g. a 'no such file' error if an invalid executable was passed).
- Fixed a bug where the Volumes field in the Compat Create API for Containers was being ignored.
- Fixed a bug where the NetworkMode field in the Compat Create API for Containers was not handling some values, e.g. `container:`, correctly.
- Fixed a bug where the Compat Create API for Containers did not set container name properly.
- Fixed a bug where containers created using the Compat Create API unconditionally used Kubernetes file logging (the default specified in `containers.conf` is now used).
- Fixed a bug where the Compat Inspect API for Containers could include container states not recognized by Docker.
- Fixed a bug where Podman did not properly clean up after calls to the Events API when the `journald` backend was in use, resulting in a leak of file descriptors.
- Fixed a bug where the Libpod Pull endpoint for Images could fail with an `index out of range` error under certain circumstances.
- Fixed a bug where the Libpod Exists endpoint for Images could panic.
- Fixed a bug where the Compat List API for Containers did not support all filters.
- Fixed a bug where the Compat List API for Containers did not properly populate the Status field.
- Fixed a bug where the Compat and Libpod Resize APIs for Containers ignored the height and width parameters.
- Fixed a bug where the Compat Search API for Images returned an incorrectly-formatted JSON response.
- Fixed a bug where the Compat Load API for Images did not properly clean up temporary files.
- Fixed a bug where the Compat Create API for Networks could panic when an empty IPAM configuration was specified.
- Fixed a bug where the Compat Inspect and List APIs for Networks did not include Scope.
- Fixed a bug where the Compat Wait endpoint for Containers did not support the same wait conditions that Docker did.
Package | Affected Version |
---|---|
pkg:rpm/suse/libcontainers-common?arch=noarch&distro=sles-15&sp=2 | < 20210626-150100.3.15.1 |
pkg:rpm/suse/libcontainers-common?arch=noarch&distro=sles-15&sp=1 | < 20210626-150100.3.15.1 |
- ID: SUSE-SU-2022:3312-1
- Severity: moderate
- URL: https://www.suse.com/support/update/announcement/2022/suse-su-20223312-1/
- Published: 2022-09-19T15:36:55
- Modified: 2022-09-19T15:36:55
- Rights: Copyright 2024 SUSE LLC. All rights reserved.
- Other Advisories:
- ALAS-2021-1555
- ALBA-2022:0348
- ALPINE:CVE-2020-14370
- ALPINE:CVE-2021-20199
- ALPINE:CVE-2021-3602
- ALSA-2021:0531
- ALSA-2021:1796
- ALSA-2021:4154
- ALSA-2021:4221
- ALSA-2021:4222
- ALSA-2022:7954
- ALSA-2022:7955
- ALSA-2022:8008
- ASA-202009-11
- DSA-4865-1
- ELSA-2020-5900
- ELSA-2020-5906
- ELSA-2021-0531
- ELSA-2021-1796
- ELSA-2021-4154
- ELSA-2021-4221
- ELSA-2021-4222
- ELSA-2022-7954
- ELSA-2022-7955
- ELSA-2022-8008
- FEDORA-2020-3a4b8fca5e
- FEDORA-2020-76fcd0ba34
- FEDORA-2020-7b6058fec9
- FEDORA-2021-0c53d8738d
- FEDORA-2021-112557d2c5
- FEDORA-2021-440e34200c
- FEDORA-2021-723a480816
- FEDORA-2021-83b3740389
- FEDORA-2021-a3703b9dc8
- FEDORA-2021-c56a213327
- FEDORA-2021-ec00da7faa
- GO-2021-0100
- GO-2022-0345
- GO-2024-2766
- MS:CVE-2021-20199
- openSUSE-SU-2020:2039-1
- openSUSE-SU-2020:2063-1
- RHBA-2022:0348
- RHSA-2021:0531
- RHSA-2021:1796
- RHSA-2021:4154
- RHSA-2021:4221
- RHSA-2021:4222
- RHSA-2022:7954
- RHSA-2022:7955
- RHSA-2022:8008
- RLBA-2022:0348
- RLSA-2021:0531
- RLSA-2021:1796
- RLSA-2021:4154
- RLSA-2021:4221
- RLSA-2021:4222
- SUSE-SU-2020:3378-1
- SUSE-SU-2021:0445-1
- SUSE-SU-2023:0187-1
- SUSE-SU-2023:0326-1
- USN-4589-1
- USN-4589-2
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
---|---|---|---|---|---|---|---|
Affected | pkg:rpm/suse/libcontainers-common?arch=noarch&distro=sles-15&sp=2 | suse | libcontainers-common | < 20210626-150100.3.15.1 | sles-15 | noarch | |
Affected | pkg:rpm/suse/libcontainers-common?arch=noarch&distro=sles-15&sp=1 | suse | libcontainers-common | < 20210626-150100.3.15.1 | sles-15 | noarch | |