You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Podman machine now supports HyperV as a provider on Windows. This option can be set via the CONTAINERS_MACHINE_PROVIDER environment variable, or via containers.conf. HyperV requires Powershell to be run as Admin. Note that running WSL and HyperV machines at the same time is not supported.
The podman build command now supports Containerfiles with heredoc syntax.
The podman login and podman logout commands now support a new option, --compat-auth-file, which allows for editing Docker-compatible config files (#18617).
The podman machine init and podman machine set commands now support a new option, --usb, which sets allows USB passthrough for the QEMU provider (#16707).
The --ulimit option now supports setting -1 to indicate the maximum limit allowed for the current process (#19319).
The podman play kube command now supports the BUILDAH_ISOLATION environment variable to change build isolation when the --build option is set (#20024).
The podman volume create command now supports --opt o=size=XYZ on tmpfs file systems (#20449).
The podman info command for remote calls now reports client information even if the remote connection is unreachable
Added a new field, privileged, to containers.conf, which sets the defaults for the --privileged flag when creating, running or exec'ing into a container.
The podman kube play command now supports setting DefaultMode for volumes (#19313).
The --opt option to the podman network create command now accepts a new driver specific option, vrf, which assigns a VRF to the bridge interface.
A new option --rdt-class=COS has been added to the podman create and podman run commands that enables assigning a container to a Class Of Service (COS). The COS has to be pre-configured based on a pseudo-filesystem created by the resctrl kernel driver that enables interacting with the Intel RDT CAT feature.
The podman kube play command now supports a new option, --publish-all, which exposes all containerPorts on the host.
The --filter option now supports label!=, which filters for containers without the specified label.
Upcoming Deprecations
We are beginning development on Podman 5.0, which will include a number of breaking changes and deprecations. We are still finalizing what will be done, but a preliminary list is below. Please note that none of these changes are present in Podman 4.8; this is a preview of upcoming changes.
Podman 5.0 will deprecate the BoltDB database backend. Exact details on the transition to SQLite are still being decided - expect more news here soon.
The containers.conf configuration file will be broken up into multiple separate files, ensuring that it will never be rewritten by Podman.
Support for the CNI network backend and Cgroups V1 are being deprecated and gated by build tags. They will not be enabled in Podman builds by default.
A variety of small breaking changes to the REST API are planned, both to improve Docker compatibility and to better support containers.conf settings when creating and managing containers.
Changes
Podman now defaults to sqlite as its database backend. For backwards compatibility, if a boltdb database already exists on the system, Podman will continue using it.
RHEL Subscriptions from the host now flow through to quay.io/podman/* images.
The --help option to the podman push command now shows the compression algorithm used.
The remote Podman client’s commit command now shows progress messages (#19947).
The podman kube play command now sets the pod hostname to the node/machine name when hostNetwork=true in k8s yaml (#19321).
The --tty,-t option to the podman exec command now defines the TERM environment variable even if the container is not running with a terminal (#20334).
Podman now also uses the helper_binaries_dir option in containers.conf to lookup the init binary (catatonit).
Podman healthcheck events are now logged as notices.
Podman machines no longer automatically update, preventing accidental service interruptions (#20122).
The amount of CPUs a podman machine uses now defaults to available cores/2 (#17066).
Podman machine now prohibits using provider names as machine names. applehv, qemu, wsl, and hyperv are no longer valid Podman machine names
Quadlet
Quadlet now supports the UIDMap, GIDMap, SubUIDMap, and SubGIDMap options in .container files.
Fixed a bug where symlinks were not resolved in search paths (#20504).
Quadlet now supports the ReadOnlyTmpfs option.
The VolatileTmpfs option is now deprecated.
Quadlet now supports systemd specifiers in User and Group keys.
Quadlet now supports ImageName for .image files.
Quadlet now supports a new option, --force, to the stop command.
Quadlet now supports the oneshot service type for .kube files, which allows yaml files without containers.
Quadlet now supports podman level arguments (#20246).
Fixed a bug where Quadlet would crash when specifying non key-value options (#20104).
Quadlet now removes anonymous volumes when removing a container (#20070).
Quadlet now supports a new unit type, .image.
Bugfixes
Fixed a bug where mounted volumes on Podman machines on MacOS would have a max open files limit (#16106).
Fixed a bug where setting both the --uts and --network options to host did not fill /etc/hostname with the host's name (#20448).
Fixed a bug where the remote Podman client’s build command would incorrectly parse https paths (#20475).
Fixed a bug where running Docker Compose against a WSL podman machine would fail (#20373).
Fixed a race condition where parallel tagging and untagging of images would fail (#17515).
Fixed a bug where the podman exec command would leak sessions when the specified command does not existFixed a bug where the podman exec command would leak sessions when the specified command does not exist (#20392).
Fixed a bug where the podman history command did not display the size of certain layers (#20375).
Fixed a bug where a container with a custom user namespace and --restart always/on-failure would not correctly cleanup the netnsm on restart, resulting in leaked ips and network namespaces (#18615).
Fixed a bug where remote calls to the podman top command would incorrectly parse options (#19176).
Fixed a bug where the --read-only-tmpfs option to the podman run command was incorrectly handled when the --read-only option was set (#20225).
Fixed a bug where creating containers in parallel may cause a deadlock if both containers attempt to use the same named volume (#20313).
Fixed a bug where a container restarted by the Podman service would occasionally not mount its storage (#17042).
Fixed a bug where the --filter option to the podman images command would not correctly filter ids, digests, or intermediates (#19966).
Fixed a bug where setting the --replace option to the podman run command would print both the old and new container ID. Now, only the new container ID is printed.
Fixed a bug where the podman machine ls command would show Creation time as LastUp time for machines that have never been booted. Now, new machines show Never, with the json value being ZeroTime.
Fixed a bug in the podman build command where the default pull policy was not set to missing (#20125).
Fixed a bug where setting the static or volume directory in containers.conf would lead to cleanup errors (#19938).
Fixed a bug where the podman kube play command exposed all containerPorts on the host (#17028).
Fixed a bug where the podman farm update command did not verify farm and connection existence before updating (#20080).
Fixed a bug where remote Podman calls would not honor the --connection option while the CONTAINER_HOST environment variable was set. The active destination is not resolved with the correct priority, that is, CLI flags, env vars, ActiveService from containers.conf, RemoteURI (#15588).
Fixed a bug where the --env-host option was not honoring the default from containers.conf
API
Fixed a bug in the Compat Image Prune endpoint where the dangling filter was set twice (#20469).
Fixed a bug in the Compat API where attempting to connect a container to a network while the connection already exists returned a 200 status code. It now correctly returns a 500 error code.
Fixed a bug in the Compat API where some responses would not have compatible error details if progress data had not been sent yet (#20013).
The Libpod Pull endpoint now supports a new option, compatMode which causes the streamed JSON payload to be identical to the Compat endpoint.
Fixed a bug in the Libpod Container Create endpoint where it would return an incorrect status code if the image was not found. The endpoint now correctly returns 404.
The Compat Network List endpoint should see a significant performance improvement (#20035).
Misc
Updated Buildah to v1.33.2
Updated the containers/storage library to v1.51.0
Updated the containers/image library to v5.29.0
Updated the containers/common library to v0.57.0
Updated the containers/libhvee library to v0.5.0
Podman Machine now runs with gvproxy v0.7.1
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
If you want to rebase/retry this PR, check this box
OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
Affected range
<=v1.1.4
Fixed version
Not Fixed
CVSS Score
7
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue exists because of a CVE-2019-19921 regression.
Improper Preservation of Permissions
Affected range
<1.1.5
Fixed version
1.1.5
CVSS Score
6.1
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Description
Impact
It was found that AppArmor, and potentially SELinux, can be bypassed when /proc inside the container is symlinked with a specific mount configuration.
A bug was found in runc where runc exec --cap executed processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2).
This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set.
Patches
This bug has been fixed in runc 1.1.2. Users should update to this version as soon as possible.
This fix changes runc exec --cap behavior such that the additional capabilities granted to the process being executed (as specified via --cap arguments) do not include inheritable capabilities.
In addition, runc spec is changed to not set any inheritable capabilities in the created example OCI spec (config.json) file.
Email us at [email protected] if you think you’ve found a security bug
Improper Preservation of Permissions
Affected range
<1.1.5
Fixed version
1.1.5
CVSS Score
2.5
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:L
Description
Impact
It was found that rootless runc makes /sys/fs/cgroup writable in following conditons:
when runc is executed inside the user namespace, and the config.json does not specify the cgroup namespace to be unshared (e.g.., (docker|podman|nerdctl) run --cgroupns=host, with Rootless Docker/Podman/nerdctl)
or, when runc is executed outside the user namespace, and /sys is mounted with rbind, ro (e.g., runc spec --rootless; this condition is very rare)
A container may gain the write access to user-owned cgroup hierarchy /sys/fs/cgroup/user.slice/... on the host .
Other users's cgroup hierarchies are not affected.
Patches
v1.1.5 (planned)
Workarounds
Condition 1: Unshare the cgroup namespace ((docker|podman|nerdctl) run --cgroupns=private). This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts.
Condition 2 (very rare): add /sys/fs/cgroup to maskedPaths
OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
Affected range
>1.16
Fixed version
1.16
CVSS Score
6.5
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Description
Improper input validation in Kubernetes CSI sidecar containers for external-provisioner (<v0.4.3, <v1.0.2, v1.1, <v1.2.2, <v1.3.1), external-snapshotter (<v0.4.2, <v1.0.2, v1.1, <1.2.2), and external-resizer (v0.1, v0.2) could result in unauthorized PersistentVolume data access or volume mutation during snapshot, restore from snapshot, cloning and resizing operations.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
4.7.2->4.8.0Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Release Notes
containers/podman (containers/podman)
v4.8.0Compare Source
Features
CONTAINERS_MACHINE_PROVIDERenvironment variable, or via containers.conf. HyperV requires Powershell to be run as Admin. Note that running WSL and HyperV machines at the same time is not supported.podman buildcommand now supports Containerfiles with heredoc syntax.podman loginandpodman logoutcommands now support a new option,--compat-auth-file, which allows for editing Docker-compatible config files (#18617).podman machine initandpodman machine setcommands now support a new option,--usb, which sets allows USB passthrough for the QEMU provider (#16707).--ulimitoption now supports setting -1 to indicate the maximum limit allowed for the current process (#19319).podman play kubecommand now supports theBUILDAH_ISOLATIONenvironment variable to change build isolation when the--buildoption is set (#20024).podman volume createcommand now supports--opt o=size=XYZon tmpfs file systems (#20449).podman infocommand for remote calls now reports client information even if the remote connection is unreachableprivileged, to containers.conf, which sets the defaults for the--privilegedflag when creating, running or exec'ing into a container.podman kube playcommand now supports setting DefaultMode for volumes (#19313).--optoption to thepodman network createcommand now accepts a new driver specific option,vrf, which assigns a VRF to the bridge interface.--rdt-class=COShas been added to thepodman createandpodman runcommands that enables assigning a container to a Class Of Service (COS). The COS has to be pre-configured based on a pseudo-filesystem created by the resctrl kernel driver that enables interacting with the Intel RDT CAT feature.podman kube playcommand now supports a new option,--publish-all, which exposes all containerPorts on the host.label!=, which filters for containers without the specified label.Upcoming Deprecations
containers.confsettings when creating and managing containers.Changes
--helpoption to thepodman pushcommand now shows the compression algorithm used.commitcommand now shows progress messages (#19947).podman kube playcommand now sets the pod hostname to the node/machine name when hostNetwork=true in k8s yaml (#19321).--tty,-toption to thepodman execcommand now defines the TERM environment variable even if the container is not running with a terminal (#20334).helper_binaries_diroption in containers.conf to lookup the init binary (catatonit).applehv,qemu,wsl, andhypervare no longer valid Podman machine namesQuadlet
UIDMap,GIDMap,SubUIDMap, andSubGIDMapoptions in .container files.ReadOnlyTmpfsoption.ImageNamefor .image files.--force, to the stop command.oneshotservice type for .kube files, which allows yaml files without containers..image.Bugfixes
--utsand--networkoptions tohostdid not fill /etc/hostname with the host's name (#20448).buildcommand would incorrectly parse https paths (#20475).podman execcommand would leak sessions when the specified command does not existFixed a bug where thepodman execcommand would leak sessions when the specified command does not exist (#20392).podman historycommand did not display the size of certain layers (#20375).--restart always/on-failurewould not correctly cleanup the netnsm on restart, resulting in leaked ips and network namespaces (#18615).podman topcommand would incorrectly parse options (#19176).--read-only-tmpfsoption to thepodman runcommand was incorrectly handled when the--read-onlyoption was set (#20225).--filteroption to thepodman imagescommand would not correctly filter ids, digests, or intermediates (#19966).--replaceoption to thepodman runcommand would print both the old and new container ID. Now, only the new container ID is printed.podman machine lscommand would show Creation time as LastUp time for machines that have never been booted. Now, new machines showNever, with the json value being ZeroTime.podman buildcommand where the default pull policy was not set tomissing(#20125).containers.confwould lead to cleanup errors (#19938).podman kube playcommand exposed all containerPorts on the host (#17028).podman farm updatecommand did not verify farm and connection existence before updating (#20080).--connectionoption while theCONTAINER_HOSTenvironment variable was set. The active destination is not resolved with the correct priority, that is, CLI flags, env vars, ActiveService from containers.conf, RemoteURI (#15588).--env-hostoption was not honoring the default from containers.confAPI
Misc
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.