You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
VMs created by podman machine on macOS with Apple silicon can now use Rosetta 2 (a.k.a Rosetta) for high-speed emulation of x86 code. This is enabled by default. If you wish to change this option, you can use the CONTAINERS_MACHINE_ROSETTA environment variable or containers.conf.
Changes made by the podman update command are now persistent, and will survive container restart and be reflected in podman inspect.
The podman update command now includes a new option, --restart, to update the restart policy of existing containers.
Quadlet .container files now support a new key, GroupAdd, to add groups to the container.
Container annotations are now printed by podman inspect.
Image-based mounts using podman run --mount type=image,... now support a new option, subpath, to mount only part of the image into the container.
A new field, healthcheck_events, has been added to containers.conf under the [engine] section to allow users to disable the generation of health_status events to avoid spamming logs on systems with many healthchecks.
A list of images to automatically mount as volumes can now be specified in Kubernetes YAML via the io.podman.annotations.kube.image.automount/$CTRNAME annotation (where $CTRNAME is the name of the container they will be mounted into).
The podman info command now includes the default rootless network command (pasta or slirp4netns).
The podman ps command now shows ports from --expose that have not been published with --publish-all to improve Docker compatibility.
The podman runlabel command now expands $HOME in the label being run to the user's home directory.
A new alias, podman network list, has been added to the podman network ls command.
The name and shell of containers created by podmansh can now be set in containers.conf.
The podman-setup.exe Windows installer now provides 3 new CLI variables, MachineProvider (choose the provider for the machine, windows or wsl, the default), HyperVCheckbox (can be set to 1 to install HyperV if it is not already installed or 0, the default, to not install HyperV), and SkipConfigFileCreation (can be set to 1 to disable the creation of configuration files, or 0, the default).
Changes
Podman now changes volume ownership every time an empty named volume is mounted into a container, not just the first time, matching Docker's behavior.
When running Kubernetes YAML with podman kube play that does not include an imagePullPolicy and does not set a tag for the image, the image is now always pulled (#21211).
When running Kubernetes YAML with podman kube play, pod-level restart policies are now passed down to individual containers within the pod (#20903).
The --runroot global option can now accept paths with lengths longer than 50 characters (#22272).
Updating containers with the podman update command now emits an event.
Bugfixes
Fixed a bug where the --userns=keep-id:uid=0 option to podman create and podman run would generate incorrect UID mappings and cause the container to fail to start (#22078).
Fixed a bug where podman stats could report inaccurate percentages for very large or very small values (#22064).
Fixed a bug where bind-mount volumes defaulted to rbind instead of bind, meaning recursive mounts were allowed by default (#22107).
Fixed a bug where the podman machine rm -f command would fail to remove Hyper-V virtual machines if they were running.
Fixed a bug where the podman ps --sync command could sometimes fail to properly update the status of containers.
Fixed a bug where bind-mount volumes using the :idmap option would sometimes be inaccessible with rootless Podman (#22228).
Fixed a bug where bind-mount volumes using the :U option would have their ownership changed to the owner of the directory in the image being mounted over (#22224).
Fixed a bug where removing multiple containers, pods, or images with the --force option did not work when multiple arguments were given to the command and one of them did not exist (#21529).
Fixed a bug where Podman did not properly clean up old cached Machine images.
Fixed a bug where rapidly-restarting containers with healthchecks could sometimes fail to start their healthchecks after restarting.
Fixed a bug where nested Podman could create its pause.pid file in an incorrect directory (#22327).
Fixed a bug where Podman would panic if an OCI runtime was configured without associated paths in containers.conf (#22561).
Fixed a bug where the podman kube down command would not respect the StopTimeout and StopSignal of containers that it stopped (#22397).
Fixed a bug where Systemd-managed containers could be stuck in the Stopping state, unable to be restarted, if systemd killed the unit before podman stop finished stopping the container (#19629).
Fixed a bug where the remote Podman client's podman farm build command would not updating manifests on the registry that were already pushed (#22647).
Fixed a bug where rootless Podman could fail to re-exec itself when run with a custom argv[0] that is not a valid command path, as might happen when used in podmansh (#22672).
Fixed a bug where podman machine connection URIs could be incorrect after an SSH port conflict, rendering machines inaccessible.
Fixed a bug where the podman events command would not print an error if incorrect values were passed to its --since and --until options.
Fixed a bug where an incorrect host.containers.internal entry could be added when running rootless containers using the bridge network mode (#22653).
API
A new Docker-compatible endpoint, Update, has been added for containers.
The Compat Create endpoint for Containers now supports setting container annotations.
The Libpod List endpoint for Images now includes additional information in its responses (image architecture, OS, and whether the image is a manifest list) (#22184 and #22185).
The Build endpoint for Images no longer saves the build context as a temporary file, substantially improving performance and reducing required filesystem space on the server.
The Inspect API for Containers now returns results compatible with Podman v4.x when a request with version v4.0.0 is made. This allows Podman 4.X remote clients work with a Podman 5.X server (#22657).
Fixed a bug where the Build endpoint for Images would not clean up temporary files created by the build if an error occurred.
Misc
Podman now detects unhandled system reboots and advises the user on proper mitigations.
Improved debugging output for podman machine on Darwin systems when --log-level=debug is used.
The Makefile now allows injecting extra build tags via the EXTRA_BUILD_TAGS environment variable.
Updated Buildah to v1.36.0
Updated the containers/common library to v0.59.0
Updated the containers/image library to v5.31.0
Updated the containers/storage library to v1.54.0
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
If you want to rebase/retry this PR, check this box
OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
Affected range
<1.2.0-rc.1
Fixed version
1.2.0-rc.1
CVSS Score
7.2
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Description
Withdrawn Advisory
This advisory has been withdrawn because it was incorrectly attributed to runc. Please see the issue here for more information.
Original Description
A flaw was found in cri-o, where an arbitrary systemd property can be injected via a Pod annotation. Any user who can create a pod with an arbitrary annotation may perform an arbitrary action on the host system. This issue has its root in how runc handles Config Annotations lists.
OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
Affected range
<1.2.0-rc.1
Fixed version
1.2.0-rc.1
CVSS Score
7.2
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Description
A flaw was found in cri-o, where an arbitrary systemd property can be injected via a Pod annotation. Any user who can create a pod with an arbitrary annotation may perform an arbitrary action on the host system.
OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
Affected range
<=v1.1.4
Fixed version
Not Fixed
CVSS Score
7
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue exists because of a CVE-2019-19921 regression.
Improper Preservation of Permissions
Affected range
<1.1.5
Fixed version
1.1.5
CVSS Score
6.1
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Description
Impact
It was found that AppArmor, and potentially SELinux, can be bypassed when /proc inside the container is symlinked with a specific mount configuration.
A bug was found in runc where runc exec --cap executed processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2).
This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set.
Patches
This bug has been fixed in runc 1.1.2. Users should update to this version as soon as possible.
This fix changes runc exec --cap behavior such that the additional capabilities granted to the process being executed (as specified via --cap arguments) do not include inheritable capabilities.
In addition, runc spec is changed to not set any inheritable capabilities in the created example OCI spec (config.json) file.
Email us at [email protected] if you think you’ve found a security bug
Improper Preservation of Permissions
Affected range
<1.1.5
Fixed version
1.1.5
CVSS Score
2.5
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:L
Description
Impact
It was found that rootless runc makes /sys/fs/cgroup writable in following conditons:
when runc is executed inside the user namespace, and the config.json does not specify the cgroup namespace to be unshared (e.g.., (docker|podman|nerdctl) run --cgroupns=host, with Rootless Docker/Podman/nerdctl)
or, when runc is executed outside the user namespace, and /sys is mounted with rbind, ro (e.g., runc spec --rootless; this condition is very rare)
A container may gain the write access to user-owned cgroup hierarchy /sys/fs/cgroup/user.slice/... on the host .
Other users's cgroup hierarchies are not affected.
Patches
v1.1.5 (planned)
Workarounds
Condition 1: Unshare the cgroup namespace ((docker|podman|nerdctl) run --cgroupns=private). This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts.
Condition 2 (very rare): add /sys/fs/cgroup to maskedPaths
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
5.0.3->5.1.0Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Release Notes
containers/podman (containers/podman)
v5.1.0Compare Source
Features
podman machineon macOS with Apple silicon can now use Rosetta 2 (a.k.a Rosetta) for high-speed emulation of x86 code. This is enabled by default. If you wish to change this option, you can use theCONTAINERS_MACHINE_ROSETTAenvironment variable orcontainers.conf.podman updatecommand are now persistent, and will survive container restart and be reflected inpodman inspect.podman updatecommand now includes a new option,--restart, to update the restart policy of existing containers..containerfiles now support a new key,GroupAdd, to add groups to the container.podman inspect.podman run --mount type=image,...now support a new option,subpath, to mount only part of the image into the container.healthcheck_events, has been added tocontainers.confunder the[engine]section to allow users to disable the generation ofhealth_statusevents to avoid spamming logs on systems with many healthchecks.io.podman.annotations.kube.image.automount/$CTRNAMEannotation (where$CTRNAMEis the name of the container they will be mounted into).podman infocommand now includes the default rootless network command (pastaorslirp4netns).podman pscommand now shows ports from--exposethat have not been published with--publish-allto improve Docker compatibility.podman runlabelcommand now expands$HOMEin the label being run to the user's home directory.podman network list, has been added to thepodman network lscommand.podmanshcan now be set incontainers.conf.podman-setup.exeWindows installer now provides 3 new CLI variables,MachineProvider(choose the provider for the machine,windowsorwsl, the default),HyperVCheckbox(can be set to1to install HyperV if it is not already installed or0, the default, to not install HyperV), andSkipConfigFileCreation(can be set to1to disable the creation of configuration files, or0, the default).Changes
podman kube playthat does not include animagePullPolicyand does not set a tag for the image, the image is now always pulled (#21211).podman kube play, pod-level restart policies are now passed down to individual containers within the pod (#20903).--runrootglobal option can now accept paths with lengths longer than 50 characters (#22272).podman updatecommand now emits an event.Bugfixes
--userns=keep-id:uid=0option topodman createandpodman runwould generate incorrect UID mappings and cause the container to fail to start (#22078).podman statscould report inaccurate percentages for very large or very small values (#22064).rbindinstead ofbind, meaning recursive mounts were allowed by default (#22107).podman machine rm -fcommand would fail to remove Hyper-V virtual machines if they were running.podman ps --synccommand could sometimes fail to properly update the status of containers.:idmapoption would sometimes be inaccessible with rootless Podman (#22228).:Uoption would have their ownership changed to the owner of the directory in the image being mounted over (#22224).--forceoption did not work when multiple arguments were given to the command and one of them did not exist (#21529).pause.pidfile in an incorrect directory (#22327).containers.conf(#22561).podman kube downcommand would not respect theStopTimeoutandStopSignalof containers that it stopped (#22397).podman stopfinished stopping the container (#19629).podman farm buildcommand would not updating manifests on the registry that were already pushed (#22647).argv[0]that is not a valid command path, as might happen when used inpodmansh(#22672).podman machineconnection URIs could be incorrect after an SSH port conflict, rendering machines inaccessible.podman eventscommand would not print an error if incorrect values were passed to its--sinceand--untiloptions.host.containers.internalentry could be added when running rootless containers using thebridgenetwork mode (#22653).API
Misc
podman machineon Darwin systems when--log-level=debugis used.EXTRA_BUILD_TAGSenvironment variable.Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.