Security update for conmon, libcontainers-common, libseccomp, podman

Announcement ID:	SUSE-SU-2022:23018-1
Rating:	moderate
References:	bsc#1176804 bsc#1177598 bsc#1181640 bsc#1182998 bsc#1188520 bsc#1188914 bsc#1193166 bsc#1193273 jsc#SLE-22714
Cross-References:	CVE-2020-14370 CVE-2020-15157 CVE-2021-20199 CVE-2021-20291 CVE-2021-3602 CVE-2021-4024 CVE-2021-41190
CVSS scores:	CVE-2020-14370 ( SUSE ): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N CVE-2020-14370 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2020-15157 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N CVE-2020-15157 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N CVE-2021-20199 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2021-20199 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2021-20291 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2021-20291 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2021-3602 ( SUSE ): 5.6 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N CVE-2021-3602 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2021-4024 ( SUSE ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L CVE-2021-4024 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L CVE-2021-41190 ( SUSE ): 5.0 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N CVE-2021-41190 ( NVD ): 3.0 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N
Affected Products:	Basesystem Module 15-SP3 Containers Module 15-SP3 openSUSE Leap 15.3 SUSE Linux Enterprise Desktop 15 SP3 SUSE Linux Enterprise High Performance Computing 15 SP3 SUSE Linux Enterprise Micro 5.1 SUSE Linux Enterprise Real Time 15 SP3 SUSE Linux Enterprise Server 15 SP3 SUSE Linux Enterprise Server 15 SP3 Business Critical Linux 15-SP3 SUSE Linux Enterprise Server for SAP Applications 15 SP3 SUSE Manager Proxy 4.2 SUSE Manager Retail Branch Server 4.2 SUSE Manager Server 4.2

An update that solves seven vulnerabilities, contains one feature and has one security fix can now be installed.

Description:

This update for conmon, libcontainers-common, libseccomp, podman fixes the following issues:

podman was updated to 3.4.4.

Security issues fixed:

fix CVE-2021-41190 [bsc#1193273], opencontainers: OCI manifest and index parsing confusion
fix CVE-2021-4024 [bsc#1193166], podman machine spawns gvproxy with port binded to all IPs
fix CVE-2021-20199 [bsc#1181640], Remote traffic to rootless containers is seen as orginating from localhost
Add: Provides: podman:/usr/bin/podman-remote subpackage for a clearer upgrade path from podman < 3.1.2

Update to version 3.4.4:

Bugfixes
- Fixed a bug where the podman exec command would, under some circumstances, print a warning message about failing to move conmon to the appropriate cgroup (#12535).
- Fixed a bug where named volumes created as part of container creation (e.g. podman run --volume avolume:/a/mountpoint or similar) would be mounted with incorrect permissions (#12523).
- Fixed a bug where the podman-remote create and podman-remote run commands did not properly handle the --entrypoint="" option (to clear the container's entrypoint) (#12521).
Update to version 3.4.3:
Security
- This release addresses CVE-2021-4024, where the podman machine command opened the gvproxy API (used to forward ports to podman machine VMs) to the public internet on port 7777.
- This release addresses CVE-2021-41190, where incomplete specification of behavior regarding image manifests could lead to inconsistent decoding on different clients.
Features
- The --secret type=mount option to podman create and podman run supports a new option, target=, which specifies where in the container the secret will be mounted (#12287).
Bugfixes
- Fixed a bug where rootless Podman would occasionally print warning messages about failing to move the pause process to a new cgroup (#12065).
- Fixed a bug where the podman run and podman create commands would, when pulling images, still require TLS even with registries set to Insecure via config file (#11933).
- Fixed a bug where the podman generate systemd command generated units that depended on multi-user.target, which has been removed from some distributions (#12438).
- Fixed a bug where Podman could not run containers with images that had /etc/ as a symlink (#12189).
- Fixed a bug where the podman logs -f command would, when using the journald logs backend, exit immediately if the container had previously been restarted (#12263).
- Fixed a bug where, in containers on VMs created by podman machine, the host.containers.internal name pointed to the VM, not the host system (#11642).
- Fixed a bug where containers and pods created by the podman play kube command in VMs managed by podman machine would not automatically forward ports from the host machine (#12248).
- Fixed a bug where podman machine init would fail on OS X when GNU Coreutils was installed (#12329).
- Fixed a bug where podman machine start would exit before SSH on the started VM was accepting connections (#11532).
- Fixed a bug where the podman run command with signal proxying (--sig-proxy) enabled could print an error if it attempted to send a signal to a container that had just exited (#8086).
- Fixed a bug where the podman stats command would not return correct information for containers running Systemd as PID1 (#12400).
- Fixed a bug where the podman image save command would fail on OS X when writing the image to STDOUT (#12402).
- Fixed a bug where the podman ps command did not properly handle PS arguments which contained whitespace (#12452).
- Fixed a bug where the podman-remote wait command could fail to detect that the container exited and return an error under some circumstances (#12457).
- Fixed a bug where the Windows MSI installer for podman-remote would break the PATH environment variable by adding an extra " (#11416).
API
- The Libpod Play Kube endpoint now also accepts ConfigMap YAML as part of its payload, and will use provided any ConfigMap to configure provided pods and services.
- Fixed a bug where the Compat Create endpoint for Containers would not always create the container's working directory if it did not exist (#11842).
- Fixed a bug where the Compat Create endpoint for Containers returned an incorrect error message with 404 errors when the requested image was not found (#12315).
- Fixed a bug where the Compat Create endpoint for Containers did not properly handle the HostConfig.Mounts field (#12419).
- Fixed a bug where the Compat Archive endpoint for Containers did not properly report errors when the operation failed (#12420).
- Fixed a bug where the Compat Build endpoint for Images ignored the layers query parameter (for caching intermediate layers from the build) (#12378).
- Fixed a bug where the Compat Build endpoint for Images did not report errors in a manner compatible with Docker (#12392).
- Fixed a bug where the Compat Build endpoint for Images would fail to build if the context directory was a symlink (#12409).
- Fixed a bug where the Compat List endpoint for Images included manifest lists (and not just images) in returned results (#12453).
Update to version 3.4.2:
Fixed a bug where podman tag could not tag manifest lists (#12046).
Fixed a bug where built-in volumes specified by images would not be created correctly under some circumstances.
Fixed a bug where, when using Podman Machine on OS X, containers in pods did not have working port forwarding from the host (#12207).
Fixed a bug where the podman network reload command command on containers using the slirp4netns network mode and the rootlessport port forwarding driver would make an unnecessary attempt to restart rootlessport on containers that did not forward ports.
Fixed a bug where the podman generate kube command would generate YAML including some unnecessary (set to default) fields (e.g. empty SELinux and DNS configuration blocks, and the privileged flag when set to false) (#11995).
Fixed a bug where the podman pod rm command could, if interrupted at the right moment, leave a reference to an already-removed infra container behind (#12034).
Fixed a bug where the podman pod rm command would not remove pods with more than one container if all containers save for the infra container were stopped unless --force was specified (#11713).
Fixed a bug where the --memory flag to podman run and podman create did not accept a limit of 0 (which should specify unlimited memory) (#12002).
Fixed a bug where the remote Podman client's podman build command could attempt to build a Dockerfile in the working directory of the podman system service instance instead of the Dockerfile specified by the user (#12054).
Fixed a bug where the podman logs --tail command could function improperly (printing more output than requested) when the journald log driver was used.
Fixed a bug where containers run using the slirp4netns network mode with IPv6 enabled would not have IPv6 connectivity until several seconds after they started (#11062).
Fixed a bug where some Podman commands could cause an extra dbus-daemon process to be created (#9727).
Fixed a bug where rootless Podman would sometimes print warnings about a failure to move the pause process into a given CGroup (#12065).
Fixed a bug where the checkpointed field in podman inspect on a container was not set to false after a container was restored.
Fixed a bug where the podman system service command would print overly-verbose logs about request IDs (#12181).
Fixed a bug where Podman could, when creating a new container without a name explicitly specified by the user, sometimes use an auto-generated name already in use by another container if multiple containers were being created in parallel (#11735).

Update to version 3.4.1:

Bugfixes
- Fixed a bug where podman machine init could, under some circumstances, create invalid machine configurations which could not be started (#11824).
- Fixed a bug where the podman machine list command would not properly populate some output fields.
- Fixed a bug where podman machine rm could leave dangling sockets from the removed machine (#11393).
- Fixed a bug where podman run --pids-limit=-1 was not supported (it now sets the PID limit in the container to unlimited) (#11782).
- Fixed a bug where podman run and podman attach could throw errors about a closed network connection when STDIN was closed by the client (#11856).
- Fixed a bug where the podman stop command could fail when run on a container that had another podman stop command run on it previously.
- Fixed a bug where the --sync flag to podman ps was nonfunctional.
- Fixed a bug where the Windows and OS X remote clients' podman stats command would fail (#11909).
- Fixed a bug where the podman play kube command did not properly handle environment variables whose values contained an = (#11891).
- Fixed a bug where the podman generate kube command could generate invalid annotations when run on containers with volumes that use SELinux relabelling (:z or :Z) (#11929).
- Fixed a bug where the podman generate kube command would generate YAML including some unnecessary (set to default) fields (e.g. user and group, entrypoint, default protocol for forwarded ports) (#11914, #11915, and #11965).
- Fixed a bug where the podman generate kube command could, under some circumstances, generate YAML including an invalid targetPort field for forwarded ports (#11930).
- Fixed a bug where rootless Podman's podman info command could, under some circumstances, not read available CGroup controllers (#11931).
- Fixed a bug where podman container checkpoint --export would fail to checkpoint any container created with --log-driver=none (#11974).
API
- Fixed a bug where the Compat Create endpoint for Containers could panic when no options were passed to a bind mount of tmpfs (#11961).

Update to version 3.4.0:

Features
- Pods now support init containers! Init containers are containers which run before the rest of the pod starts. There are two types of init containers: "always", which always run before the pod is started, and "once", which only run the first time the pod starts and are subsequently removed. They can be added using the podman create command's --init-ctr option.
- Support for init containers has also been added to podman play kube and podman generate kube - init containers contained in Kubernetes YAML will be created as Podman init containers, and YAML generated by Podman will include any init containers created.
- The podman play kube command now supports building images. If the --build option is given and a directory with the name of the specified image exists in the current working directory and contains a valid Containerfile or Dockerfile, the image will be built and used for the container.
- The podman play kube command now supports a new option, --teardown, which removes any pods and containers created by the given Kubernetes YAML.
- The podman generate kube command now generates annotations for SELinux mount options on volume (:z and :Z) that are respected by the podman play kube command.
- A new command has been added, podman pod logs, to return logs for all containers in a pod at the same time.
- Two new commands have been added, podman volume export (to export a volume to a tar file) and podman volume import) (to populate a volume from a given tar file).
- The podman auto-update command now supports simple rollbacks. If a container fails to start after an automatic update, it will be rolled back to the previous image and restarted again.
- Pods now share their user namespace by default, and the podman pod create command now supports the --userns option. This allows rootless pods to be created with the --userns=keep-id option.
- The podman pod ps command now supports a new filter with its --filter option, until, which returns pods created before a given timestamp.
- The podman image scp command has been added. This command allows images to be transferred between different hosts.
- The podman stats command supports a new option, --interval, to specify the amount of time before the information is refreshed.
- The podman inspect command now includes ports exposed (but not published) by containers (e.g. ports from --expose when --publish-all is not specified).
- The podman inspect command now has a new boolean value, Checkpointed, which indicates that a container was stopped as a result of a podman container checkpoint operation.
- Volumes created by podman volume create now support setting quotas when run atop XFS. The size and inode options allow the maximum size and maximum number of inodes consumed by a volume to be limited.
- The podman info command now outputs information on what log drivers, network drivers, and volume plugins are available for use (#11265).
- The podman info command now outputs the current log driver in use, and the variant and codename of the distribution in use.
- The parameters of the VM created by podman machine init (amount of disk space, memory, CPUs) can now be set in containers.conf.
- The podman machine ls command now shows additional information (CPUs, memory, disk size) about VMs managed by podman machine.
- The podman ps command now includes healthcheck status in container state for containers that have healthchecks (#11527).
Changes
- The podman build command has a new alias, podman buildx, to improve compatibility with Docker. We have already added support for many docker buildx flags to podman build and aim to continue to do so.
- Cases where Podman is run without a user session or a writable temporary files directory will now produce better error messages.
- The default log driver has been changed from file to journald. The file driver did not properly support log rotation, so this should lead to a better experience. If journald is not available on the system, Podman will automatically revert to the file.
- Podman no longer depends on ip for removing networks (#11403).
- The deprecated --macvlan flag to podman network create now warns when it is used. It will be removed entirely in the Podman 4.0 release.
- The podman machine start command now prints a message when the VM is successfully started.
- The podman stats command can now be used on containers that are paused.
- The podman unshare command will now return the exit code of the command that was run in the user namespace (assuming the command was successfully run).
- Successful healthchecks will no longer add a healthy line to the system log to reduce log spam.
- As a temporary workaround for a lack of shortname prompts in the Podman remote client, VMs created by podman machine now default to only using the docker.io registry.
Bugfixes
- Fixed a bug where whitespace in the definition of sysctls (particularly default sysctls specified in containers.conf) would cause them to be parsed incorrectly.
- Fixed a bug where the Windows remote client improperly validated volume paths (#10900).
- Fixed a bug where the first line of logs from a container run with the journald log driver could be skipped.
- Fixed a bug where images created by podman commit did not include ports exposed by the container.
- Fixed a bug where the podman auto-update command would ignore the io.containers.autoupdate.authfile label when pulling images (#11171).
- Fixed a bug where the --workdir option to podman create and podman run could not be set to a directory where a volume was mounted (#11352).
- Fixed a bug where systemd socket-activation did not properly work with systemd-managed Podman containers (#10443).
- Fixed a bug where environment variable secrets added to a container were not available to exec sessions launched in the container.
- Fixed a bug where rootless containers could fail to start the rootlessport port-forwarding service when XDG_RUNTIME_DIR was set to a long path.
- Fixed a bug where arguments to the --systemd option to podman create and podman run were case-sensitive (#11387).
- Fixed a bug where the podman manifest rm command would also remove images referenced by the manifest, not just the manifest itself (#11344).
- Fixed a bug where the Podman remote client on OS X would not function properly if the TMPDIR environment variable was not set (#11418).
- Fixed a bug where the /etc/hosts file was not guaranteed to contain an entry for localhost (this is still not guaranteed if --net=host is used; such containers will exactly match the host's /etc/hosts) (#11411).
- Fixed a bug where the podman machine start command could print warnings about unsupported CPU features (#11421).
- Fixed a bug where the podman info command could segfault when accessing cgroup information.
- Fixed a bug where the podman logs -f command could hang when a container exited (#11461).
- Fixed a bug where the podman generate systemd command could not be used on containers that specified a restart policy (#11438).
- Fixed a bug where the remote Podman client's podman build command would fail to build containers if the UID and GID on the client were higher than 65536 (#11474).
- Fixed a bug where the remote Podman client's podman build command would fail to build containers if the context directory was a symlink (#11732).
- Fixed a bug where the --network flag to podman play kube was not properly parsed when a non-bridge network configuration was specified.
- Fixed a bug where the podman inspect command could error when the container being inspected was removed as it was being inspected (#11392).
- Fixed a bug where the podman play kube command ignored the default pod infra image specified in containers.conf.
- Fixed a bug where the --format option to podman inspect was nonfunctional under some circumstances (#8785).
- Fixed a bug where the remote Podman client's podman run and podman exec commands could skip a byte of output every 8192 bytes (#11496).
- Fixed a bug where the podman stats command would print nonsensical results if the container restarted while it was running (#11469).
- Fixed a bug where the remote Podman client would error when STDOUT was redirected on a Windows client (#11444).
- Fixed a bug where the podman run command could return 0 when the application in the container exited with 125 (#11540).
- Fixed a bug where containers with --restart=always set using the rootlessport port-forwarding service could not be restarted automatically.
- Fixed a bug where the --cgroups=split option to podman create and podman run was silently discarded if the container was part of a pod.
- Fixed a bug where the podman container runlabel command could fail if the image name given included a tag.
- Fixed a bug where Podman could add an extra 127.0.0.1 entry to /etc/hosts under some circumstances (#11596).
- Fixed a bug where the remote Podman client's podman untag command did not properly handle tags including a digest (#11557).
- Fixed a bug where the --format option to podman ps did not properly support the table argument for tabular output.
- Fixed a bug where the --filter option to podman ps did not properly handle filtering by healthcheck status (#11687).
- Fixed a bug where the podman run and podman start --attach commands could race when retrieving the exit code of a container that had already been removed resulting in an error (e.g. by an external podman rm -f) (#11633).
- Fixed a bug where the podman generate kube command would add default environment variables to generated YAML.
- Fixed a bug where the podman generate kube command would add the default CMD from the image to generated YAML (#11672).
- Fixed a bug where the podman rm --storage command could fail to remove containers under some circumstances (#11207).
- Fixed a bug where the podman machine ssh command could fail when run on Linux (#11731).
- Fixed a bug where the podman stop command would error when used on a container that was already stopped (#11740).
- Fixed a bug where renaming a container in a pod using the podman rename command, then removing the pod using podman pod rm, could cause Podman to believe the new name of the container was permanently in use, despite the container being removed (#11750).
API
- The Libpod Pull endpoint for Images now has a new query parameter, quiet, which (when set to true) suppresses image pull progress reports (#10612).
- The Compat Events endpoint now includes several deprecated fields from the Docker v1.21 API for improved compatibility with older clients.
- The Compat List and Inspect endpoints for Images now prefix image IDs with sha256: for improved Docker compatibility (#11623).
- The Compat Create endpoint for Containers now properly sets defaults for healthcheck-related fields (#11225).
- The Compat Create endpoint for Containers now supports volume options provided by the Mounts field (#10831).
- The Compat List endpoint for Secrets now supports a new query parameter, filter, which allows returned results to be filtered.
- The Compat Auth endpoint now returns the correct response code (500 instead of 400) when logging into a registry fails.
- The Version endpoint now includes information about the OCI runtime and Conmon in use (#11227).
- Fixed a bug where the X-Registry-Config header was not properly handled, leading to errors when pulling images (#11235).
- Fixed a bug where invalid query parameters could cause a null pointer dereference when creating error messages.
- Logging of API requests and responses at trace level has been greatly improved, including the addition of an X-Reference-Id header to correlate requests and responses (#10053).

Update to version 3.3.1:

Bugfixes
- Fixed a bug where unit files created by podman generate systemd could not cleanup shut down containers when stopped by systemctl stop (#11304).
- Fixed a bug where podman machine commands would not properly locate the gvproxy binary in some circumstances.
- Fixed a bug where containers created as part of a pod using the --pod-id-file option would not join the pod's network namespace (#11303).
- Fixed a bug where Podman, when using the systemd cgroups driver, could sometimes leak dbus sessions.
- Fixed a bug where the until filter to podman logs and podman events was improperly handled, requiring input to be negated (#11158).
- Fixed a bug where rootless containers using CNI networking run on systems using systemd-resolved for DNS would fail to start if resolved symlinked /etc/resolv.conf to an absolute path (#11358).
API
- A large number of potential file descriptor leaks from improperly closing client connections have been fixed.

Update to version 3.3.0:

Fix network aliases with network id
machine: compute sha256 as we read the image file
machine: check for file exists instead of listing directory
pkg/bindings/images.nTar(): slashify hdr.Name values
Volumes: Only remove from DB if plugin removal succeeds
For compatibility, ignore Content-Type
[v3.3] Bump c/image 5.15.2, buildah v1.22.3
Implement SD-NOTIFY proxy in conmon
Fix rootless cni dns without systemd stub resolver
fix rootlessport flake
Skip stats test in CGv1 container environments
Fix AVC denials in tests of volume mounts
Restore buildah-bud test requiring new images
Revert ".cirrus.yml: use fresh images for all VMs"
Fix device tests using ls test files
Enhance priv. dev. check
Workaround host availability of /dev/kvm
Skip cgroup-parent test due to frequent flakes
Cirrus: Fix not uploading logformatter html

Switch to crun (bsc#1188914)

Update to version 3.2.3:

Bump to v3.2.3
Update release notes for v3.2.3
vendor containers/common@v0.38.16
vendor containers/buildah@v1.21.3
Fix race conditions in rootless cni setup
CNI-in-slirp4netns: fix bind-mount for /run/systemd/resolve/stub-resolv.conf
Make rootless-cni setup more robust
Support uid,gid,mode options for secrets
vendor containers/common@v0.38.15
[CI:DOCS] podman search: clarify that results depend on implementation
vendor containers/common@v0.38.14
vendor containers/common@v0.38.13
[3.2] vendor containers/common@v0.38.12
Bump README to v3.2.2
Bump to v3.2.3-dev
Update to version 3.2.2:
Bump to v3.2.2
fix systemcontext to use correct TMPDIR
Scrub podman commands to use report package
Fix volumes with uid and gid options
Vendor in c/common v0.38.11
Initial release notes for v3.2.2
Fix restoring of privileged containers
Fix handling of podman-remote build --device
Add support for podman remote build -f - .
Fix panic condition in cgroups.getAvailableControllers
Fix permissions on initially created named volumes
Fix building static podman-remote
add correct slirp ip to /etc/hosts
disable tty-size exec checks in system tests
Fix resize race with podman exec -it
Fix documentation of the --format option of podman push
Fix systemd-resolved detection.
Health Check is not handled in the compat LibpodToContainerJSON
Do not use inotify for OCICNI
getContainerNetworkInfo: lock netNsCtr before sync
[NO TESTS NEEDED] Create /etc/mtab with the correct ownership
Create the /etc/mtab file if does not exists
[v3.2] cp: do not allow dir->file copying
create: support images with invalid platform
vendor containers/common@v0.38.10
logs: k8s-file: restore poll sleep
logs: k8s-file: fix spurious error logs
utils: move message from warning to debug
Bump to v3.2.2-dev
Update to version 3.2.1:
Bump to v3.2.1
Updated release notes for v3.2.1
Fix network connect race with docker-compose
Revert "Ensure minimum API version is set correctly in tests"
Fall back to string for dockerfile parameter
remote events: fix --stream=false
[CI:DOCS] fix incorrect network remove api doc
remote: always send resize before the container starts
remote events: support labels
remote pull: cancel pull when connection is closed
Fix network prune api docs
Improve systemd-resolved detection
logs: k8s-file: fix race
Fix image prune --filter cmd behavior
Several shell completion fixes
podman-remote build should handle -f option properly
System tests: deal with crun 0.20.1
Fix build tags for pkg/machine...
Fix pre-checkpointing
container: ignore named hierarchies
[v3.2] vendor containers/common@v0.38.9
rootless: fix fast join userns path
[v3.2] vendor containers/common@v0.38.7
[v3.2] vendor containers/common@v0.38.6
Correct qemu options for Intel macs
Ensure minimum API version is set correctly in tests
Bump to v3.2.1-dev
Update to version 3.2.0:
Bump to v3.2.0
Fix network create macvlan with subnet option
Final release notes updates for v3.2.0
add ipv6 nameservers only when the container has ipv6 enabled
Use request context instead of background
[v.3.2] events: support disjunctive filters
System tests: add :Z to volume mounts
generate systemd: make mounts portable
vendor containers/storage@v1.31.3
vendor containers/common@v0.38.5
Bump to v3.2.0-dev
Bump to v3.2.0-RC3
Update release notes for v3.2.0-RC3
Fix race on podman start --all
Fix race condition in running ls container in a pod
docs: --cert-dir: point to containers-certs.d(5)
Handle hard links in different directories
Improve OCI Runtime error
Handle hard links in remote builds
Podman info add support for status of cgroup controllers
Drop container does not exist on removal to debugf
Downgrade API service routing table logging
add libimage events
docs: generate systemd: XDG_RUNTIME_DIR
Fix problem copying files when container is in host pid namespace
Bump to v3.2.0-dev
Bump to v3.2.0-RC2
update c/common
Update Cirrus DEST_BRANCH to v3.2
Updated vendors of c/image, c/storage, Buildah
Initial release notes for v3.2.0-RC2
Add script for identifying commits in release branches
Add host.containers.internal entry into container's etc/hosts
image prune: remove unused images only with --all
podman network reload add rootless support
Use more recent stale release...
network tutorial: update with rootless cni changes
[CI:DOCS] Update first line in intro page
Use updated VM images + updated automation tooling
auto-update service: prune images
make vendor
fix system upgrade tests
Print "extracting" only on compressed file
podman image tree: restore previous behavior
fix network restart always test
fix incorrect log driver in podman container image
Add support for cli network prune --filter flag
Move filter parsing to common utils
Bump github.com/containers/storage from 1.30.2 to 1.30.3
Update nix pin with make nixpkgs
[CI:DOCS] hack/bats - new helper for running system tests
fix restart always with slirp4netns
Bump github.com/opencontainers/runc from 1.0.0-rc93 to 1.0.0-rc94
Bump github.com/coreos/go-systemd/v22 from 22.3.1 to 22.3.2
Add host.serviceIsRemote to podman info results
Add client disconnect to build handler loop
Remove obsolete skips
Fix podman-remote build --rm=false ...
fix: improved "containers/{name}/wait" endpoint
Bump github.com/containers/storage from 1.30.1 to 1.30.2
Add envars to the generated systemd unit
fix: use UTC Time Stamps in response JSON
fix container startup for empty pidfile
Kube like pods should share ipc,net,uts by default
fix: compat API "images/get" for multiple images
Revert escaped double dash man page flag syntax
Report Download complete in Compatibility mode
Add documentation on short-names
Bump github.com/docker/docker
Adds support to preserve auto update labels in generate and play kube
[CI:DOCS] Stop conversion of -- into en dash
Revert Patch to relabel if selinux not enabled
fix per review request
Add support for environment variable secrets
fix pre review request
Fix infinite loop in isPathOnVolume
Add containers.conf information for changing defaults
CI: run rootless tests under ubuntu
Fix wrong macvlan PNG in networking doc.
Add restart-policy to container filters & --filter to podman start
Fixes docker-compose cannot set static ip when use ipam
channel: simplify implementation
build: improve regex for iidfile
Bump github.com/onsi/gomega from 1.11.0 to 1.12.0
cgroup: fix rootless --cgroup-parent with pods
fix: docker APIv2 images/get
codespell cleanup
Minor podmanimage docs updates.
Fix handling of runlabel IMAGE and NAME
Bump to v3.2.0-dev
Bump to v3.2.0-rc1
rootless: improve automatic range split
podman: set volatile storage flag for --rm containers
Bump github.com/onsi/ginkgo from 1.16.1 to 1.16.2
Bump github.com/containers/image/v5 from 5.11.1 to 5.12.0
migrate Podman to containers/common/libimage
Add filepath glob support to --security-opt unmask
Force log_driver to k8s-file for containers in containers
add --mac-address to podman play kube
compat api: Networks must be empty instead of null
System tests: honor $OCI_RUNTIME (for CI)
is this a bug?
system test image: add arm64v8 image
Fix troubleshooting documentation on handling sublemental groups.
Add --all to podman start
Fix variable reference typo. in multi-arch image action
cgroup: always honor --cgroup-parent with cgroupfs
Bump github.com/uber/jaeger-client-go
Don't require tests for github-actions & metadata
Detect if in podman machine virtual vm
Fix multi-arch image workflow typo
[CI:DOCS] Add titles to remote docs (windows)
Remove unused VolumeList* structs
Cirrus: Update F34beta -> F34
Update container image docs + fix unstable execution
Bump github.com/containers/storage from 1.30.0 to 1.30.1
TODO complete
Docker returns 'die' status rather then 'died' status
Check if another VM is running on machine start
[CI:DOCS] Improve titles of command HTML pages
system tests: networking: fix another race condition
Use seccomp_profile as default profile if defined in containers.conf
Bump github.com/json-iterator/go from 1.1.10 to 1.1.11
Vendored
Autoupdate local label functional
System tests: fix two race conditions
Add more documentation on conmon
Allow docker volume create API to pass without name
Cirrus: Update Ubuntu images to 21.04
Skip blkio-weight test when no kernel BFQ support
rootless: Tell the user what was led to the error, not just what it is
Add troubleshooting advice about the --userns option.
Fix images prune filter until
Fix logic for pushing stable multi-arch images
Fixes generate kube incorrect when bind-mounting "/" and "/root"
libpod/image: unit tests: don't use system's registries.conf.d
runtime: create userns when CAP_SYS_ADMIN is not present
rootless: attempt to copy current mappings first
[CI:DOCS] Restore missing content to manpages
[CI:DOCS] Fix Markdown layout bugs
Fix podman ps --filter ancestor to match exact ImageName/ImageID
Add machine-enabled to containers.conf for machine
Several multi-arch image build/push fixes
Add podman run --timeout option
Parse slirp4netns net options with compat api
Fix rootlesskit port forwarder with custom slirp cidr
Fix removal race condition in ListContainers
Add github-action workflow to build/push multi-arch
rootless: if root is not sub?id raise a debug message
Bump github.com/containers/common from 0.36.0 to 0.37.0
Add go template shell completion for --format
Add --group-add keep-groups: suplimentary groups into container
Fixes from make codespell
Typo fix to usage text of --compress option
corrupt-image test: fix an oops
Add --noheading flag to all list commands
Bump github.com/containers/storage from 1.29.0 to 1.30.0
Bump github.com/containers/image/v5 from 5.11.0 to 5.11.1
[CI:DOCS] Fix Markdown table layout bugs
podman-remote should show podman.sock info
rmi: don't break when the image is missing a manifest
[CI:DOCS] Rewrite --uidmap doc in podman-create.1.md and podman-run.1.md
Add support for CDI device configuration
[CI:DOCS] Add missing dash to verbose option
Bump github.com/uber/jaeger-client-go
Remove an advanced layer diff function
Ensure mount destination is clean, no trailing slash
add it for inspect pidfile
[CI:DOCS] Fix introduction page typo
support pidfile on container restore
fix start it
skip pidfile test on remote
improve document
set pidfile default value int containerconfig
add pidfile in inspection
add pidfile it for container start
skip pidfile it on remote
Modify according to comments
WIP: drop test requirement
runtime: bump required conmon version
runtime: return findConmon to libpod
oci: drop ExecContainerCleanup
oci: use --full-path option for conmon
use AttachSocketPath when removing conmon files
hide conmon-pidfile flag on remote mode
Fix possible panic in libpod/image/prune.go
add --ip to podman play kube
add flag autocomplete
add ut
add flag "--pidfile" for podman create/run
Add network bindings tests: remove and list
Fix build with GO111MODULE=off
system tests: build --pull-never: deal with flakes
compose test: diagnose flakes v3
podman play kube apply correct log driver
Fixes podman-remote save to directories does not work
Bump github.com/rootless-containers/rootlesskit from 0.14.1 to 0.14.2
Update documentation of podman-run to reflect volume "U" option
Fix flake on failed podman-remote build : try 2
compose test: ongoing efforts to diagnose flakes
Test that we don't error out on advertised --log-level values
At trace log level, print error text using %+v instead of %v
pkg/errorhandling.JoinErrors: don't throw away context for lone errors
Recognize --log-level=trace
Fix flake on failed podman-remote build
System tests: fix racy podman-inspect
Fixes invalid expression in save command
Bump github.com/containers/common from 0.35.4 to 0.36.0
Update nix pin with make nixpkgs
compose test: try to get useful data from flakes
Remove in-memory state implementation
Fix message about runtime to show only the actual runtime
System tests: setup: better cleanup of stray images
Bump github.com/containers/ocicrypt from 1.1.0 to 1.1.1
Reflect current state of prune implementation in docs
Do not delete container twice
[CI:DOCS] Correct status code for /pods/create
vendor in containers/storage v1.29.0
cgroup: do not set cgroup parent when rootless and cgroupfs
Overhaul Makefile binary and release worflows
Reorganize Makefile with sections and guide
Simplify Makefile help target
Don't shell to obtain current directory
Remove unnecessary/not-needed release.txt target
Fix incorrect version number output
Exclude .gitignore from test req.
Fix handling of $NAME and $IMAGE in runlabel
Update podman image Dockerfile to support Podman in container
Bump github.com/containers/image/v5 from 5.10.5 to 5.11.0
Fix slashes in socket URLs
Add network prune filters support to bindings
Add support for play/generate kube volumes
Update manifest API endpoints
Fix panic when not giving a machine name for ssh
cgroups: force 64 bits to ParseUint
Bump k8s.io/api from 0.20.5 to 0.21.0
[CI:DOCS] Fix formatting of podman-build man page
buildah-bud tests: simplify
Add missing return
Bump github.com/onsi/ginkgo from 1.16.0 to 1.16.1
speed up CI handling of images
Volumes prune endpoint should use only prune filters
Cirrus: Use Fedora 34beta images
Bump go.sum + Makefile for golang 1.16
Exempt Makefile changes from test requirements
Adjust libpod API Container Wait documentation to the code
[CI:DOCS] Update swagger definition of inspect manifest
use updated ubuntu images
podman unshare: add --rootless-cni to join the ns
Update swagger-check
swagger: remove name wildcards
Update buildah-bud diffs
Handle podman-remote --arch, --platform, --os
buildah-bud tests: handle go pseudoversions, plus...
Fix flaking rootless compose test
rootless cni add /usr/sbin to PATH if not present
System tests: special case for RHEL: require runc
Add --requires flag to podman run/create
[CI:DOCS] swagger-check: compare operations
[CI:DOCS] Polish swagger OpertionIDs
[NO TESTS NEEDED] Update nix pin with make nixpkgs
Ensure that --userns=keep-id sets user in config
[CI:DOCS] Set all operation id to be compatibile
Move operationIds to swagger:operation line
swagger: add operationIds that match with docker
Cirrus: Make use of shared get_ci_vm container
Don't relabel volumes if running in a privileged container
Allow users to override default storage opts with --storage-opt
Add support for podman --context default
Verify existence of auth file if specified
fix machine naming conventions
Initial network bindings tests
Update release notes to indicate CVE fix
Move socket activation check into init() and set global condition.
Bump github.com/onsi/ginkgo from 1.15.2 to 1.16.0
Http api tests for network prune with until filter
podman-run.1.md, podman-create.1.md : Adjust Markdown layout for --userns
Fix typos --uidmapping and --gidmapping
Add transport and destination info to manifest doc
Bump github.com/rootless-containers/rootlesskit from 0.14.0 to 0.14.1
Add default template functions
Fix missing podman-remote build options
Bump github.com/coreos/go-systemd/v22 from 22.3.0 to 22.3.1
Add ssh connection to root user
Add rootless docker-compose test to the CI
Use the slrip4netns dns in the rootless cni ns
Cleanup the rootless cni namespace
Add new docker-compose test for two networks
Make the docker-compose test work rootless
Remove unused rootless-cni-infra container files
Only use rootless RLK when the container has ports
Fix dnsname test
Enable rootless network connect/disconnect
Move slirp4netns functions into an extra file
Fix pod infra container cni network setup
Add rootless support for cni and --uidmap
rootless cni without infra container
Recreate until container prune tests for bindings
Remove --execute from podman machine ssh
Fixed podman-remote --network flag
Makefile: introduce install.docker-full
Makefile: ensure install.docker creates BINDIR
Fix unmount doc reference in image.rst
Should send the OCI runtime path not just the name to buildah
podman machine shell completion
Fix handling of remove --log-rusage param
Fix bindings prune containers flaky test
[CI:DOCS] Add local html build info to docs/README.md
Add podman machine list
Trim white space from /top endpoint results
Remove semantic version suffices from API calls
podman machine init --ignition-path
Document --volume from podman-remote run/create client
Update main branch to reflect the release of v3.1.0
Silence podman network reload errors with iptables-nft
Containers prune endpoint should use only prune filters
resolve proper aarch64 image names
APIv2 basic test: relax APIVersion check
Add machine support for qemu-system-aarch64
podman machine init user input
manpage xref: helpful diagnostic for unescaped dash-dash
Bump to v3.2.0-dev
swagger: update system version response body
buildah-bud tests: reenable pull-never test
[NO TESTS NEEDED] Shrink the size of podman-remote
Add powershell completions
[NO TESTS NEEDED] Drop Warning to Info, if cgroups not mounted
Fix long option format on docs.podman.io
system tests: friendier messages for 2-arg is()
service: use LISTEN_FDS
man pages: correct seccomp-policy label
rootless: use is_fd_inherited
podman generate systemd --new do not duplicate params
play kube: add support for env vars defined from secrets
play kube: support optional/mandatory env var from config map
play kube: prepare supporting other env source than config maps
Add machine support for more Linux distros
[NO TESTS NEEDED] Use same function podman-remote rmi as podman
Podman machine enhancements
Add problematic volume name to kube play error messages
Fix podman build --pull-never
[NO TESTS NEEDED] Fix for kernel without CONFIG_USER_NS
[NO TESTS NEEDED] Turn on podman-remote build --isolation
Fix list pods filter handling in libpod api
Remove resize race condition
[NO TESTS NEEDED] Vendor in containers/buildah v1.20.0
Use TMPDIR when commiting images
Add RequiresMountsFor= to systemd generate
Bump github.com/vbauerster/mpb/v6 from 6.0.2 to 6.0.3
Fix swapped dimensions from terminal.GetSize
Rename podman machine create to init and clean up
Correct json field name
system tests: new interactive tests
Improvements for machine
libpod/image: unit tests: use a registries.conf for aliases
libpod/image: unit tests: defer cleanup
libpod/image: unit tests: use require.NoError
Add --execute flag to podman machine ssh
introduce podman machine
Podman machine CLI and interface stub
Support multi doc yaml for generate/play kube
Fix filters in image http compat/libpod api endpoints
Bump github.com/containers/common from 0.35.3 to 0.35.4
Bump github.com/containers/storage from 1.28.0 to 1.28.1
Check if stdin is a term in --interactive --tty mode
[NO TESTS NEEDED] Remove /tmp/containers-users-* files on reboot
[NO TESTS NEEDED] Fix rootless volume plugins
Ensure manually-created volumes have correct ownership
Bump github.com/rootless-containers/rootlesskit
Unification of until filter across list/prune endpoints
Unification of label filter across list/prune endpoints
fixup
fix: build endpoint for compat API
[CI:DOCS] Add note to mappings for user/group userns in build
Bump k8s.io/api from 0.20.1 to 0.20.5
Validate passed in timezone from tz option
WIP: run buildah bud tests using podman
Fix containers list/prune http api filter behaviour
Generate Kubernetes PersistentVolumeClaims from named volumes
Update to version 3.1.2:
Bump to v3.1.2
Update release notes for v3.1.2
Ensure mount destination is clean, no trailing slash
Fixes podman-remote save to directories does not work
[CI:DOCS] Add missing dash to verbose option
[CI:DOCS] Fix Markdown table layout bugs
[CI:DOCS] Rewrite --uidmap doc in podman-create.1.md and podman-run.1.md
rmi: don't break when the image is missing a manifest
Bump containers/image to v5.11.1
Bump github.com/coreos/go-systemd from 22.2.0 to 22.3.1
Fix lint
Bump to v3.1.2-dev
Split podman-remote into a subpackage
Add missing scriptlets for systemd unit