Security update for libcontainers-common
| Announcement ID: | SUSE-SU-2022:3312-1 |
|---|---|
| Rating: | moderate |
| References: | |
| Cross-References: | |
| CVSS scores: | |
| Affected Products: | |
An update that solves five vulnerabilities and has one security fix can now be installed.
Description:
This update for libcontainers-common fixes the following issues:
libcontainers-common was updated:
- common component was updated to 0.44.0.
- storage component was updated to 1.36.0.
- image component was updated to 5.16.0.
- podman component was updated to 3.3.1.
3.3.1:
Bugfixes:
- Fixed a bug where unit files created by `podman generate systemd` could not clean up shut-down containers when stopped by `systemctl stop`.
- Fixed a bug where `podman machine` commands would not properly locate the `gvproxy` binary in some circumstances.
- Fixed a bug where containers created as part of a pod using the `--pod-id-file` option would not join the pod's network namespace.
- Fixed a bug where Podman, when using the systemd cgroups driver, could sometimes leak dbus sessions.
- Fixed a bug where the `until` filter to `podman logs` and `podman events` was improperly handled, requiring input to be negated.
- Fixed a bug where rootless containers using CNI networking run on systems using `systemd-resolved` for DNS would fail to start if resolved symlinked `/etc/resolv.conf` to an absolute path.
API:
- A large number of potential file descriptor leaks from improperly closing client connections have been fixed.
3.3.0:
Features:
- Containers inside VMs created by `podman machine` will now automatically handle port forwarding: containers in `podman machine` VMs that publish ports via `--publish` or `--publish-all` will have these ports forwarded not just on the VM, but also on the host system.
- The `podman play kube` command's `--network` option now accepts advanced network options (e.g. `--network slirp4netns:port_handler=slirp4netns`).
- The `podman play kube` command now supports Kubernetes liveness probes, which will be created as Podman healthchecks.
- Podman now provides a systemd unit, `podman-restart.service`, which, when enabled, will restart all containers that were started with `--restart=always` after the system reboots.
- Rootless Podman can now be configured to use CNI networking by default by using the `rootless_networking` option in `containers.conf`.
- Images can now be pulled using `image:tag@digest` syntax (e.g. `podman pull fedora:34@sha256:1b0d4ddd99b1a8c8a80e885aafe6034c95f266da44ead992aab388e6aa91611a`).
- The `podman container checkpoint` and `podman container restore` commands can now be used to checkpoint containers that are in pods, and restore those containers into pods.
- The `podman container restore` command now features a new option, `--publish`, to change the ports that are forwarded to a container that is being restored from an exported checkpoint.
- The `podman container checkpoint` command now features a new option, `--compress`, to specify the compression algorithm that will be used on the generated checkpoint.
- The `podman pull` command can now pull multiple images at once (e.g. `podman pull fedora:34 ubi8:latest` will pull both specified images).
- The `podman cp` command can now copy files from one container into another directly (e.g. `podman cp containera:/etc/hosts containerb:/etc/`).
- The `podman cp` command now supports a new option, `--archive`, which controls whether copied files will be chown'd to the UID and GID of the user of the destination container.
- The `podman stats` command now provides two additional metrics: Average CPU, and CPU time.
- The `podman pod create` command supports a new flag, `--pid`, to specify the PID namespace of the pod. If specified, containers that join the pod will automatically share its PID namespace.
- The `podman pod create` command supports a new flag, `--infra-name`, which allows the name of the pod's infra container to be set.
- The `podman auto-update` command has had its output reformatted; it is now much clearer what images were pulled and what containers were updated.
- The `podman auto-update` command now supports a new option, `--dry-run`, which reports what would be updated but does not actually perform the update.
- The `podman build` command now supports a new option, `--secret`, to mount secrets into build containers.
- The `podman manifest remove` command now has a new alias, `podman manifest rm`.
- The `podman login` command now supports a new option, `--verbose`, to print detailed information about where the credentials entered were stored.
- The `podman events` command now supports a new event, `exec_died`, which is produced when an exec session exits, and includes the exit code of the exec session.
- The `podman system connection add` command now supports adding connections that connect using the `tcp://` and `unix://` URL schemes.
- The `podman system connection list` command now supports a new flag, `--format`, to determine how the output is printed.
- The `podman volume prune` and `podman volume ls` commands' `--filter` option now support a new filter, `until`, that matches volumes created before a certain time.
- The `podman ps --filter` option's `network` filter now accepts a new value: `container:`, which matches containers that share a network namespace with a specific container.
- The `podman diff` command can now accept two arguments, allowing two images or two containers to be specified; the diff between the two will be printed.
- Podman can now optionally copy-up content from containers into volumes mounted into those containers earlier (at creation time, instead of at runtime) via the `prepare_on_create` option in `containers.conf`.
- A new option, `--gpus`, has been added to `podman create` and `podman run` as a no-op for better compatibility with Docker. If the nvidia-container-runtime package is installed, GPUs should be automatically added to containers without using the flag.
- If an invalid subcommand is provided, similar commands to try will now be suggested in the error message.
Changes:
- The `podman system reset` command now removes non-Podman (e.g. Buildah and CRI-O) containers as well.
- The new port forwarding offered by `podman machine` requires `gvproxy` in order to function.
- Podman will now automatically create the default CNI network if it does not exist, for both root and rootless users. This will only be done once per user; if the network is subsequently removed, it will not be recreated.
- The `install.cni` makefile option has been removed. It is no longer required to distribute the default `87-podman.conflist` CNI configuration file, as Podman will now automatically create it.
- The `--root` option to Podman will not automatically clear all default storage options when set. Storage options can be set manually using `--storage-opt`.
- The output of `podman system connection list` is now deterministic, with connections being sorted alphabetically by their name.
- The auto-update service (`podman-auto-update.service`) has had its default timer adjusted so it now starts at a random time up to 15 minutes after midnight, to help prevent system congestion from numerous daily services run at once.
- Systemd unit files generated by `podman generate systemd` now depend on `network-online.target` by default.
- Systemd unit files generated by `podman generate systemd` now use `Type=notify` by default, instead of using PID files.
- The `podman info` command's logic for detecting package versions on Gentoo has been improved, and should be significantly faster.
Bugfixes:
- Fixed a bug where the `podman play kube` command did not perform SELinux relabelling of volumes specified with a `mountPath` that included the `:z` or `:Z` options.
- Fixed a bug where the `podman play kube` command would ignore the `USER` and `EXPOSE` directives in images.
- Fixed a bug where the `podman play kube` command would only accept lowercase pull policies.
- Fixed a bug where named volumes mounted into containers with the `:z` or `:Z` options were not appropriately relabelled for access from the container.
- Fixed a bug where the `podman logs -f` command, with the `journald` log driver, could sometimes fail to pick up the last line of output from a container.
- Fixed a bug where running `podman rm` on a container created with the `--rm` option would occasionally emit an error message saying the container failed to be removed, when it was successfully removed.
- Fixed a bug where starting a Podman container would segfault if the `LISTEN_PID` and `LISTEN_FDS` environment variables were set, but `LISTEN_FDNAMES` was not.
- Fixed a bug where exec sessions in containers were sometimes not cleaned up when run without `-d` and when the associated `podman exec` process was killed before completion.
- Fixed a bug where `podman system service` could, when run in a systemd unit file with sdnotify in use, drop some connections when it was starting up.
- Fixed a bug where containers run using the REST API using the `slirp4netns` network mode would leave zombie processes that were not cleaned up until `podman system service` exited.
- Fixed a bug where the `podman system service` command would leave zombie processes after its initial launch that were not cleaned up until it exited.
- Fixed a bug where VMs created by `podman machine` could not be started after the host system restarted.
- Fixed a bug where the `podman pod ps` command would not show headers for optional information (e.g. container names when the `--ctr-names` option was given).
- Fixed a bug where the remote Podman client's `podman create` and `podman run` commands would ignore timezone configuration from the server's `containers.conf` file.
- Fixed a bug where the remote Podman client's `podman build` command would only respect `.containerignore` and not `.dockerignore` files (when both are present, `.containerignore` will be preferred).
- Fixed a bug where the remote Podman client's `podman build` command would fail to send the Dockerfile being built to the server when it was excluded by the `.dockerignore` file, resulting in an error.
- Fixed a bug where the remote Podman client's `podman build` command could unexpectedly stop streaming the output of the build.
- Fixed a bug where the remote Podman client's `podman build` command would fail to build when run on Windows.
- Fixed a bug where the `podman manifest create` command accepted at most two arguments (an arbitrary number of images are allowed as arguments, which will be added to the manifest).
- Fixed a bug where named volumes would not be properly chowned to the UID and GID of the directory they were mounted over when first mounted into a container.
- Fixed a bug where named volumes created using a volume plugin would be removed from Podman, even if the plugin reported a failure to remove the volume.
- Fixed a bug where the remote Podman client's `podman exec -i` command would hang when input was provided via shell redirection (e.g. `podman --remote exec -i foo cat <<<"hello"`).
- Fixed a bug where containers created with `--rm` were not immediately removed after being started by `podman start` if they failed to start.
- Fixed a bug where the `--storage-opt` flag to `podman create` and `podman run` was nonfunctional.
- Fixed a bug where the `--device-cgroup-rule` option to `podman create` and `podman run` was nonfunctional.
- Fixed a bug where the `--tls-verify` option to `podman manifest push` was nonfunctional.
- Fixed a bug where the `podman import` command could, in some circumstances, produce empty images.
- Fixed a bug where images pulled using the `docker-daemon:` transport had the wrong registry (`localhost` instead of `docker.io/library`).
- Fixed a bug where operations that pruned images (`podman image prune` and `podman system prune`) would prune untagged images with children.
- Fixed a bug where dual-stack networks created by `podman network create` did not properly auto-assign an IPv4 subnet when one was not explicitly specified.
- Fixed a bug where port forwarding using the `rootlessport` port forwarder would break when a network was disconnected and then reconnected.
- Fixed a bug where Podman would ignore user-specified SELinux policies for containers using the Kata OCI runtime, or containers using systemd as PID 1.
- Fixed a bug where Podman containers created using `--net=host` would add an entry to `/etc/hosts` for the container's hostname pointing to `127.0.1.1`.
- Fixed a bug where the `podman unpause --all` command would throw an error for every container that was not paused.
- Fixed a bug where timestamps for the `since` and `until` filters using Unix timestamps with a nanoseconds portion could not be parsed.
- Fixed a bug where the `podman info` command would sometimes print the wrong path for the `slirp4netns` binary.
- Fixed a bug where rootless Podman containers joined to a CNI network would not have functional DNS when the host used systemd-resolved without the resolved stub resolver being enabled.
- Fixed a bug where `podman network connect` and `podman network disconnect` of rootless containers could sometimes break port forwarding to the container.
- Fixed a bug where joining a container to a CNI network by ID and adding network aliases to this network would cause the container to fail to start.
API:
- Fixed a bug where the Compat List endpoint for Containers included healthcheck information for all containers, even those that did not have a configured healthcheck.
- Fixed a bug where the Compat Create endpoint for Containers would fail to create containers with the `NetworkMode` parameter set to `default`.
- Fixed a bug where the Compat Create endpoint for Containers did not properly handle healthcheck commands.
- Fixed a bug where the Compat Wait endpoint for Containers would always send an empty string error message when no error occurred.
- Fixed a bug where the Libpod Stats endpoint for Containers would not error when run on rootless containers on cgroups v1 systems (nonsensical results would be returned, as this configuration cannot be supported).
- Fixed a bug where the Compat List endpoint for Images omitted the `ContainerConfig` field.
- Fixed a bug where the Compat Build endpoint for Images was too strict when validating the `Content-Type` header, rejecting content that Docker would have accepted.
- Fixed a bug where the Compat Pull endpoint for Images could fail, but return a 200 status code, if an image name that could not be parsed was provided.
- Fixed a bug where the Compat Pull endpoint for Images would continue to pull images after the client disconnected.
- Fixed a bug where the Compat List endpoint for Networks would fail for non-bridge (e.g. macvlan) networks.
- Fixed a bug where the Libpod List endpoint for Networks would return nil, instead of an empty list, when no networks were present.
- The Compat and Libpod Logs endpoints for Containers now support the `until` query parameter.
- The Compat Import endpoint for Images now supports the `platform`, `message`, and `repo` query parameters.
- The Compat Pull endpoint for Images now supports the `platform` query parameter.
Misc:
- Updated Buildah to v1.22.3
- Updated the containers/storage library to v1.34.1
- Updated the containers/image library to v5.15.2
- Updated the containers/common library to v0.42.1
storage was updated to 1.36.0.
Updated image to 5.16.0.
Update podman to 3.2.3:
Security:
- This release addresses CVE-2021-3602, an issue with the `podman build` command with the `--isolation chroot` flag that results in environment variables from the host leaking into build containers, where any `RUN` step can read them. (bsc#1188520)
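To confirm the fix on an updated host, the following regression check is an added example written for this advisory; it is not Podman's or SUSE's own code. It exports a canary variable, runs `podman build --isolation chroot` on a constructed Containerfile whose only step is `RUN env`, and reports every host variable that the build step could read with its host value. It assumes a `podman` binary on `PATH` and network access to pull `docker.io/library/alpine:3.14`; the allow-list of variables a build container legitimately sets on its own is also an assumption.

```python
"""Regression check for CVE-2021-3602 (host environment leaking into
`podman build --isolation chroot`). Added example, not part of the advisory
or of Podman. Assumes `podman` on PATH and a pullable alpine base image."""
import os
import re
import subprocess
import tempfile

# Variables a build container sets for itself; a match on these is not a leak.
# Constructed allow-list (assumption), extend it for your base image.
EXPECTED_IN_BUILD = {"PATH", "HOME", "HOSTNAME", "TERM", "container"}

# Constructed Containerfile: the only build step dumps the environment.
CONTAINERFILE = "FROM docker.io/library/alpine:3.14\nRUN env\n"

# KEY=VALUE lines as printed by env(1); build banners ("STEP 2/2: RUN env",
# "--> 1234abcd") never match because they do not start with NAME=.
_ENV_LINE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def parse_env_dump(text):
    """Extract KEY=VALUE pairs from mixed build output into a dict."""
    env = {}
    for line in text.splitlines():
        match = _ENV_LINE.match(line)
        if match:
            env[match.group(1)] = match.group(2)
    return env


def find_leaks(host_env, build_env, allowed=EXPECTED_IN_BUILD):
    """Return {name: value} for host variables visible inside the build with
    the same value. Comparing values too avoids false positives on names like
    PATH, which the container image sets itself."""
    return {
        name: value
        for name, value in host_env.items()
        if name not in allowed and build_env.get(name) == value
    }


def run_chroot_build(canary="CVE_2021_3602_CANARY"):
    """Build with chroot isolation under a known host environment and return
    the variables that leaked into the RUN step. Needs podman; not run by the
    tests, which exercise the parsing and comparison on constructed output."""
    host_env = dict(os.environ, **{canary: "leaked-from-host"})
    with tempfile.TemporaryDirectory() as ctx:
        with open(os.path.join(ctx, "Containerfile"), "w") as fh:
            fh.write(CONTAINERFILE)
        proc = subprocess.run(
            ["podman", "build", "--no-cache", "--isolation", "chroot", ctx],
            env=host_env, capture_output=True, text=True, check=True,
        )
    # RUN output normally goes to stdout; stderr is included in case the
    # build writes its log there.
    return find_leaks(host_env, parse_env_dump(proc.stdout + proc.stderr))


if __name__ == "__main__":
    leaks = run_chroot_build()
    if leaks:
        print("FAIL: host variables visible inside the chroot build:")
        for name in sorted(leaks):
            print("  " + name)
        raise SystemExit(1)
    print("OK: no host environment variables leaked into the build")
```

The canary guarantees a deterministic signal even on a host with a sparse environment; on a vulnerable podman the script exits 1 and lists the canary, and, more usefully, any real credential-bearing variable (registry tokens, cloud keys) that your build host happens to carry.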
Bugfixes:
- Fixed a bug where events related to images could occur before the relevant operation had completed (e.g. an image pull event could be written before the pull was finished) .
- Fixed a bug where `podman save` would refuse to save images with an architecture different from that of the host.
- Fixed a bug where the `podman import` command did not correctly handle images without tags.
- Fixed a bug where Podman's journald events backend would fail and prevent Podman from running when run on a host with systemd as PID1 but in an environment (e.g. a container) without systemd.
- Fixed a bug where containers using rootless CNI networking would fail to start when the `dnsname` CNI plugin was in use and the host system's `/etc/resolv.conf` was a symlink (#10855 and #10929).
- Fixed a bug where containers using rootless CNI networking could fail to start due to a race in rootless CNI initialization.
Update podman to 3.2.2
3.2.2:
- Podman's handling of the Architecture field of images has been relaxed. Since 3.2.0, Podman required that the architecture of the image match the architecture of the system to run containers based on an image, but images often incorrectly report architecture, causing Podman to reject valid images (#10648 and #10682).
- Podman no longer uses inotify to monitor for changes to CNI configurations. This removes potential issues where Podman cannot be run because a user has exhausted their available inotify sessions .
Bugfixes:
- Fixed a bug where the `podman cp` command would, when given a directory as its source and a target that existed and was a file, copy the contents of the directory into the parent directory of the file; this now results in an error.
- Fixed a bug where the `podman logs` command would, when following a running container's logs, not include the last line of output from the container when it exited when the `k8s-file` driver was in use.
- Fixed a bug where Podman would fail to run containers if `systemd-resolved` was incorrectly detected as the system's DNS server.
- Fixed a bug where the `podman exec -t` command would only resize the exec session's TTY after the session started, leading to a race condition where the terminal would initially not have a size set.
- Fixed a bug where Podman containers using the `slirp4netns` network mode would add an incorrect entry to `/etc/hosts` pointing the container's hostname to the wrong IP address.
- Fixed a bug where Podman would create volumes specified by images with incorrect permissions (#10188 and #10606).
- Fixed a bug where Podman would not respect the `uid` and `gid` options to `podman volume create -o`.
- Fixed a bug where the `podman run` command could panic when parsing the system's cgroup configuration.
- Fixed a bug where the remote Podman client's `podman build -f - ...` command did not read a Containerfile from STDIN.
- Fixed a bug where the `podman container restore --import` command would fail to restore checkpoints created from privileged containers.
- Fixed a bug where Podman was not respecting the `TMPDIR` environment variable when pulling images.
- Fixed a bug where a number of Podman commands did not properly support using Go templates as an argument to the `--format` option.
API:
- Fixed a bug where the Compat Inspect endpoint for Containers did not include information on container healthchecks .
- Fixed a bug where the Libpod and Compat Build endpoints for Images did not properly handle the `devices` query parameter.
Misc:
- Fixed a bug where the Makefile's `make podman-remote-static` target to build a statically-linked `podman-remote` binary was instead producing dynamic binaries.
- Updated the containers/common library to v0.38.11
3.2.1:
Changes:
- Podman now allows corrupt images (e.g. from restarting the system during an image pull) to be replaced by a podman pull of the same image (instead of requiring they be removed first, then re-pulled).
Bugfixes:
- Fixed a bug where Podman would fail to start containers if a Seccomp profile was not available at `/usr/share/containers/seccomp.json`.
- Fixed a bug where the `podman machine start` command failed on OS X machines with the AMD64 architecture and certain QEMU versions.
- Fixed a bug where Podman would always use the slow path for joining the rootless user namespace.
- Fixed a bug where the `podman stats` command would fail on Cgroups v1 systems when run on a container running systemd.
- Fixed a bug where pre-checkpoint support for `podman container checkpoint` did not function correctly.
- Fixed a bug where the remote Podman client's `podman build` command did not properly handle the `-f` option.
- Fixed a bug where the remote Podman client's `podman run` command would sometimes not resize the container's terminal before execution began.
- Fixed a bug where the `--filter` option to the `podman image prune` command was nonfunctional.
- Fixed a bug where the `podman logs -f` command would exit before all output for a container was printed when the `k8s-file` log driver was in use.
- Fixed a bug where Podman would not correctly detect that systemd-resolved was in use on the host and adjust DNS servers in the container appropriately under some circumstances.
- Fixed a bug where the `podman network connect` and `podman network disconnect` commands acted improperly when containers were in the Created state, marking the changes as done but not actually performing them.
API:
- Fixed a bug where the Compat and Libpod Prune endpoints for Networks returned null, instead of an empty array, when nothing was pruned.
- Fixed a bug where the Create API for Images would continue to pull images even if a client closed the connection mid-pull .
- Fixed a bug where the Events API did not include some information (including labels) when sending events.
- Fixed a bug where the Events API would, when streaming was not requested, send at most one event .
3.2.0:
Features:
- Docker Compose is now supported with rootless Podman.
- The `podman network connect`, `podman network disconnect`, and `podman network reload` commands have been enabled for rootless Podman.
- An experimental new set of commands, `podman machine`, was added to assist in managing virtual machines containing a Podman server. These are intended for easing the use of Podman on OS X by handling the creation of a Linux VM for running Podman.
- The `podman generate kube` command can now be run on Podman named volumes (generating `PersistentVolumeClaim` YAML), in addition to pods and containers.
- The `podman play kube` command now supports two new options, `--ip` and `--mac`, to set static IPs and MAC addresses for created pods (#8442 and #9731).
- The `podman play kube` command's support for `PersistentVolumeClaim` YAML has been greatly improved.
- The `podman generate kube` command now preserves the label used by `podman auto-update` to identify containers to update as a Kubernetes annotation, and the `podman play kube` command will convert this annotation back into a label. This allows `podman auto-update` to be used with containers created by `podman play kube`.
- The `podman play kube` command now supports Kubernetes `secretRef` YAML (using the secrets support from `podman secret`) for environment variables.
- Secrets can now be added to containers as environment variables using the `type=env` option to the `--secret` flag to `podman create` and `podman run`.
- The `podman start` command now supports the `--all` option, allowing all containers to be started simultaneously with a single command. The `--filter` option has also been added to filter which containers to start when `--all` is used.
- Filtering containers with the `--filter` option to `podman ps` and `podman start` now supports a new filter, `restart-policy`, to filter containers based on their restart policy.
- The `--group-add` option to rootless `podman run` and `podman create` now accepts a new value, `keep-groups`, which instructs Podman to retain the supplemental groups of the user running Podman in the created container. This is only supported with the `crun` OCI runtime.
- The `podman run` and `podman create` commands now support a new option, `--timeout`. This sets a maximum time the container is allowed to run, after which it is killed.
- The `podman run` and `podman create` commands now support a new option, `--pidfile`. This will create a file when the container is started containing the PID of the first process in the container.
- The `podman run` and `podman create` commands now support a new option, `--requires`. The `--requires` option adds dependency containers, that is, containers that must be running before the current container. Commands like `podman start` will automatically start the requirements of a container before starting the container itself.
- Auto-updating containers can now be done with locally-built images, not just images hosted on a registry, by creating containers with the `io.containers.autoupdate` label set to `local`.
- Podman now supports the Container Device Interface (CDI) standard.
- Podman now adds an entry to `/etc/hosts`, `host.containers.internal`, pointing to the current gateway (which, for root containers, is usually a bridge interface on the host system).
- The `podman ps`, `podman pod ps`, `podman network list`, `podman secret list`, and `podman volume list` commands now support a `--noheading` option, which will cause Podman to omit the heading line including column names.
- The `podman unshare` command now supports a new flag, `--rootless-cni`, to join the rootless network namespace. This allows commands to be run in the same network environment as rootless containers with CNI networking.
- The `--security-opt unmask=` option to `podman run` and `podman create` now supports glob operations to unmask a group of paths at once (e.g. `podman run --security-opt unmask=/proc/* ...` will unmask all paths in `/proc` in the container).
- The `podman network prune` command now supports a `--filter` option to filter which networks will be pruned.
Changes:
- The change in Podman 3.1.2 where the `:z` and `:Z` mount options for volumes were ignored for privileged containers has been reverted after discussion in #10209.
- Podman's rootless CNI functionality no longer requires a sidecar container! The removal of the requirement for the `rootless-cni-infra` container means that rootless CNI is now usable on all architectures, not just AMD64, and no longer requires pulling an image.
- The image handling code used by Podman has seen a major rewrite to improve code sharing with our other projects, Buildah and CRI-O. This should result in fewer bugs and performance gains in the long term. Work on this is still ongoing.
- The `podman auto-update` command now prunes previous versions of images after updating if they are unused, to prevent disk exhaustion after repeated updates.
- The `podman play kube` command now treats environment variables configured as references to a `ConfigMap` as mandatory unless the `optional` parameter was set; this better matches the behavior of Kubernetes.
- Podman now supports the `--context=default` flag from Docker as a no-op for compatibility purposes.
- When Podman is run as root, but without `CAP_SYS_ADMIN` being available, it will run in a user namespace using the same code as rootless Podman (instead of failing outright).
- The `podman info` command now includes the path of the Seccomp profile Podman is using, available cgroup controllers, and whether Podman is connected to a remote service or running containers locally.
- Containers created with the `--rm` option now automatically use the `volatile` storage flag when available for their root filesystems, causing them not to write changes to disk as often, as they will be removed at completion anyway. This should result in improved performance.
- The `podman generate systemd --new` command will now include environment variables referenced by the container in generated unit files if the value would be looked up from the system environment.
- Podman now requires that Conmon v2.0.24 be available.
Bugfixes:
- Fixed a bug where the remote Podman client's `podman build` command did not support the `--arch`, `--platform`, and `--os` options.
- Fixed a bug where the remote Podman client's `podman build` command ignored the `--rm=false` option.
- Fixed a bug where the remote Podman client's `podman build --iidfile` command could include extra output (in addition to just the image ID) in the image ID file written.
- Fixed a bug where the remote Podman client's `podman build` command did not preserve hardlinks when moving files into the container via `COPY` instructions.
- Fixed a bug where the `podman generate systemd --new` command could generate extra `--iidfile` arguments if the container was already created with one.
- Fixed a bug where the `podman generate systemd --new` command would generate unit files that did not include `RequiresMountsFor` lines.
- Fixed a bug where the `podman generate kube` command produced incorrect YAML for containers which bind-mounted both `/` and `/root` from the host system into the container.
- Fixed a bug where pods created by `podman play kube` from YAML that specified `ShareProcessNamespace` would only share the PID namespace (and not also the UTS, Network, and IPC namespaces).
- Fixed a bug where the `podman network reload` command could generate spurious error messages when `iptables-nft` was in use.
- Fixed a bug where rootless Podman could fail to attach to containers when the user running Podman had a large UID.
- Fixed a bug where the `podman ps` command could fail with a `no such container` error due to a race condition with container removal.
- Fixed a bug where containers using the `slirp4netns` network mode and setting a custom `slirp4netns` subnet while using the `rootlesskit` port forwarder would not be able to forward ports.
- Fixed a bug where the `--filter ancestor=` option to `podman ps` did not require an exact match of the image name/ID to include a container in its results.
- Fixed a bug where the `--filter until=` option to `podman image prune` would prune images created after the specified time (instead of before).
- Fixed a bug where setting a custom Seccomp profile via the `seccomp_profile` option in `containers.conf` had no effect, and the default profile was used instead.
- Fixed a bug where the `--cgroup-parent` option to `podman create` and `podman run` was ignored in rootless Podman on cgroups v2 systems with the `cgroupfs` cgroup manager.
- Fixed a bug where the `IMAGE` and `NAME` variables in `podman container runlabel` were not being correctly substituted.
- Fixed a bug where Podman could freeze when creating containers with a specific combination of volumes and working directory.
- Fixed a bug where rootless Podman containers restarted by restart policy (e.g. containers created with `--restart=always`) would lose networking after being restarted.
- Fixed a bug where the `podman cp` command could not copy files into containers created with the `--pid=host` flag.
- Fixed a bug where filters to the `podman events` command could not be specified twice (if a filter is specified more than once, it will match if any of the given values match, i.e. logical or).
- Fixed a bug where Podman would include IPv6 nameservers in `resolv.conf` in containers without IPv6 connectivity.
- Fixed a bug where containers could not be created with static IP addresses when connecting to a network using the `macvlan` driver.
API:
- Fixed a bug where the Compat Create endpoint for Containers did not allow advanced network options to be set.
- Fixed a bug where the Compat Create endpoint for Containers ignored static IP information provided in the `IPAMConfig` block.
- Fixed a bug where the Compat Inspect endpoint for Containers returned null (instead of an empty list) for Networks when the container was not joined to a CNI network.
- Fixed a bug where the Compat Wait endpoint for Containers could miss containers exiting if they were immediately restarted.
- Fixed a bug where the Compat Create endpoint for Volumes required that the user provide a name for the new volume.
- Fixed a bug where the Libpod Info handler would sometimes not return the correct path to the Podman API socket.
- Fixed a bug where the Compat Events handler used the wrong name for container exited events (`died` instead of `die`).
- Fixed a bug where the Compat Push endpoint for Images could leak goroutines if the remote end closed the connection prematurely.
Update storage to 1.32.5
Update podman to 3.1.2
3.1.2:
Bugfixes:
- Fixed a bug where images with empty layers were stored incorrectly, causing them to be unable to be pushed or saved.
- Fixed a bug where the `podman rmi` command could fail to remove corrupt images from storage.
- Fixed a bug where the remote Podman client's `podman save` command did not support the `oci-dir` and `docker-dir` formats.
- Fixed a bug where volume mounts from `podman play kube` created with a trailing `/` in the container path were not properly superseding named volumes from the image.
- Fixed a bug where Podman could fail to build on 32-bit architectures.
Update podman to 3.1.1
- Podman now recognizes `trace` as a valid argument to the `--log-level` option. Trace logging is now the most verbose level of logging available.
- The `:z` and `:Z` options for volume mounts are now ignored when the container is privileged or is run with SELinux isolation disabled (`--security-opt label=disable`). This better matches Docker's behavior in this case.
Bugfixes:
- Fixed a bug where pruning images with the `podman image prune` or `podman system prune` commands could cause Podman to panic.
- Fixed a bug where the `podman save` command did not properly error when the `--compress` flag was used with incompatible format types.
- Fixed a bug where the `--security-opt` and `--ulimit` options to the remote Podman client's `podman build` command were nonfunctional.
- Fixed a bug where the `--log-rusage` option to the remote Podman client's `podman build` command was nonfunctional.
- Fixed a bug where the `podman build` command could, in some circumstances, use the wrong OCI runtime.
- Fixed a bug where the remote Podman client's `podman build` command could return 0 despite failing.
- Fixed a bug where the `podman container runlabel` command did not properly expand the `IMAGE` and `NAME` variables in the label.
- Fixed a bug where poststop OCI hooks would be executed twice on containers started with the `--rm` argument.
- Fixed a bug where rootless Podman could fail to launch containers on cgroups v2 systems when the `cgroupfs` cgroup manager was in use.
- Fixed a bug where the `podman stats` command could error when statistics tracked exceeded the maximum size of a 32-bit signed integer.
- Fixed a bug where rootless Podman containers run with `--userns=keepid` (without a `--user` flag in addition) would grant exec sessions run in them too many capabilities.
- Fixed a bug where the `--authfile` option to `podman build` did not validate that the path given existed.
- Fixed a bug where the `--storage-opt` option to Podman was appending to, instead of overriding (as is documented), the default storage options.
- Fixed a bug where the `podman system service` connection did not function properly when run in a socket-activated systemd unit file as a non-root user.
- Fixed a bug where the `--network` option to the `podman play kube` command of the remote Podman client was being ignored.
- Fixed a bug where the `--log-driver` option to the `podman play kube` command was nonfunctional.
API:
- Fixed a bug where the Libpod Create endpoint for Manifests did not properly validate the image the manifest was being created with.
- Fixed a bug where the Libpod DF endpoint could, in error cases, append an extra null to the JSON response, causing decode errors.
- Fixed a bug where the Libpod and Compat Top endpoint for Containers would return process names that included extra whitespace.
- Fixed a bug where the Compat Prune endpoint for Containers accepted too many types of filter.
Update podman to 3.1.0
Features:
- A set of new commands has been added to manage secrets! The `podman secret create`, `podman secret inspect`, `podman secret ls` and `podman secret rm` commands have been added to handle secrets, along with the `--secret` option to `podman run` and `podman create` to add secrets to containers. The initial driver for secrets does not support encryption - this will be added in a future release.
- A new command to prune networks, `podman network prune`, has been added.
- The `-v` option to `podman run` and `podman create` now supports a new volume option, `:U`, to chown the volume's source directory on the host to match the UID and GID of the container and prevent permissions issues.
- Three new commands, `podman network exists`, `podman volume exists`, and `podman manifest exists`, have been added to check for the existence of networks, volumes, and manifest lists.
- The `podman cp` command can now copy files into directories mounted as `tmpfs` in a running container.
- The `podman volume prune` command will now list volumes that will be pruned when prompting the user whether to continue and perform the prune.
- The Podman remote client's `podman build` command now supports the `--disable-compression`, `--excludes`, and `--jobs` options.
- The Podman remote client's `podman push` command now supports the `--format` option.
- The Podman remote client's `podman rm` command now supports the `--all` and `--ignore` options.
- The Podman remote client's `podman search` command now supports the `--no-trunc` and `--list-tags` options.
- The `podman play kube` command can now read in Kubernetes YAML from `STDIN` when `-` is specified as file name (`podman play kube -`), allowing input to be piped into the command for scripting.
- The `podman generate systemd` command now supports a `--no-header` option, which disables creation of the header comment automatically added by Podman to generated unit files.
- The `podman generate kube` command can now generate `PersistentVolumeClaim` YAML for Podman named volumes.
- The `podman generate kube` command can now generate YAML files containing multiple resources (pods or deployments).
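The volume-option handling touched by three entries above (the 3.1.2 fix for a trailing `/` in `podman play kube` mount paths, the 3.1.1 change that ignores `:z`/`:Z` for privileged or `label=disable` containers, and the new `:U` option) is shown here as an added Go example; it is not podman's own code. It parses a `-v SRC:DST[:OPTS]` argument, cleans the destination so that `/data/` supersedes an image volume declared at `/data`, drops relabelling when the container is privileged or SELinux labelling is disabled, and resolves the host uid/gid that a `:U` chown of the source directory would have to use by walking a user-namespace ID mapping. The `Mount`, `IDMap`, `ParseVolume`, `MapToHost` and `ChownTarget` names, and the rootless mapping in `main`, are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// IDMap is one line of a uid_map/gid_map style mapping: container IDs in
// [ContainerID, ContainerID+Size) map to host IDs starting at HostID.
// (Constructed type for this example.)
type IDMap struct {
	ContainerID, HostID, Size uint32
}

// Mount is the parsed form of one -v SRC:DST[:OPTS] argument (constructed type).
type Mount struct {
	Source      string
	Destination string // cleaned: no trailing slash, so it compares equal to image volume paths
	ReadOnly    bool
	Relabel     string // "z", "Z", or "" when SELinux relabelling is suppressed
	ChownToUser bool   // the :U option
}

// ParseVolume parses a -v argument. privileged and labelDisabled model
// --privileged and --security-opt label=disable: when either is set the
// :z/:Z options are accepted but ignored, as the 3.1.1 change describes.
func ParseVolume(arg string, privileged, labelDisabled bool) (Mount, error) {
	parts := strings.Split(arg, ":")
	if len(parts) < 2 || len(parts) > 3 {
		return Mount{}, fmt.Errorf("volume %q: expected SRC:DST[:OPTS]", arg)
	}
	if !strings.HasPrefix(parts[1], "/") {
		return Mount{}, fmt.Errorf("volume %q: destination must be absolute", arg)
	}
	// path.Clean removes the trailing slash that caused the 3.1.2 bug.
	m := Mount{Source: parts[0], Destination: path.Clean(parts[1])}
	if len(parts) == 3 {
		for _, opt := range strings.Split(parts[2], ",") {
			switch opt {
			case "ro":
				m.ReadOnly = true
			case "rw":
				m.ReadOnly = false
			case "z", "Z":
				if !privileged && !labelDisabled {
					m.Relabel = opt
				}
			case "U":
				m.ChownToUser = true
			default:
				return Mount{}, fmt.Errorf("volume %q: unknown option %q", arg, opt)
			}
		}
	}
	return m, nil
}

// SupersedesImageVolume reports whether this mount replaces a volume the
// image declares at imageVolume; both sides are compared in cleaned form.
func (m Mount) SupersedesImageVolume(imageVolume string) bool {
	return m.Destination == path.Clean(imageVolume)
}

// MapToHost translates a container-side ID to the host ID that backs it.
func MapToHost(id uint32, mapping []IDMap) (uint32, error) {
	for _, r := range mapping {
		if id >= r.ContainerID && id-r.ContainerID < r.Size {
			return r.HostID + (id - r.ContainerID), nil
		}
	}
	return 0, errors.New("id not present in user namespace mapping")
}

// ChownTarget returns the host uid/gid a :U chown of the volume source would
// apply for a container process running as containerUID/containerGID.
func ChownTarget(m Mount, containerUID, containerGID uint32, uidMap, gidMap []IDMap) (uint32, uint32, error) {
	if !m.ChownToUser {
		return 0, 0, errors.New("mount does not request :U")
	}
	uid, err := MapToHost(containerUID, uidMap)
	if err != nil {
		return 0, 0, err
	}
	gid, err := MapToHost(containerGID, gidMap)
	if err != nil {
		return 0, 0, err
	}
	return uid, gid, nil
}

func main() {
	// Constructed rootless mapping: container 0 -> host 1000, container 1..65536 -> host 100000...
	idMap := []IDMap{{0, 1000, 1}, {1, 100000, 65536}}
	m, _ := ParseVolume("/srv/data:/data/:Z,U", false, false)
	uid, gid, _ := ChownTarget(m, 1000, 1000, idMap, idMap)
	fmt.Printf("%+v -> chown %d:%d on host\n", m, uid, gid)
}
```

The `:U` case is where the user-namespace lookup matters: for a rootless container the container's uid 1000 is not host uid 1000, so chowning the source directory to the unmapped value would hand the files to the wrong host account; the mapping walk above is the step that prevents that.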
Security:
- This release resolves CVE-2021-20291, a deadlock vulnerability in the storage library caused by pulling a specially-crafted container image. (bsc#1196497)
Changes:
- The Podman remote client's `podman build` command no longer allows the `-v` flag to be used. Volumes are not yet supported with remote Podman when the client and service are on different machines.
- The `podman kill` and `podman stop` commands now print the name given by the user for each container, instead of the full ID.
- When the `--security-opt unmask=ALL` or `--security-opt unmask=/sys/fs/cgroup` options to `podman create` or `podman run` are given, Podman will mount cgroups into the container as read-write, instead of read-only.
- The `podman rmi` command has been changed to better handle cases where an image is incomplete or corrupted, which can be caused by interrupted image pulls.
- The `podman rename` command has been improved to be more atomic, eliminating many race conditions that could potentially render a renamed container unusable.
- Detection of which OCI runtimes run using virtual machines and thus require custom SELinux labelling has been improved.
- The hidden `--trace` option to `podman` has been turned into a no-op. It was used in very early versions for performance tracing, but has not been supported for some time.
- The `podman generate systemd` command now generates `RequiresMountsFor` lines to ensure necessary storage directories are mounted before systemd starts Podman.
- Podman will now emit a warning when `--tty` and `--interactive` are both passed, but `STDIN` is not a TTY. This will be made into an error in the next major Podman release some time next year.
Bugfixes:
- Fixed a bug where rootless Podman containers joined to CNI networks could not receive traffic from forwarded ports.
- Fixed a bug where `podman network create` with the `--macvlan` flag did not honor the `--gateway`, `--subnet`, and `--opt` options.
- Fixed a bug where the `podman generate kube` command generated invalid YAML for privileged containers.
- Fixed a bug where the `podman generate kube` command could not be used with containers that were not running.
- Fixed a bug where the `podman generate systemd` command could duplicate some parameters to Podman in generated unit files.
- Fixed a bug where Podman did not add annotations specified in `containers.conf` to containers.
- Fixed a bug where Podman did not respect the `no_hosts` default in `containers.conf` when creating containers.
- Fixed a bug where the `--tail=0`, `--since`, and `--follow` options to the `podman logs` command did not function properly when using the `journald` log backend.
- Fixed a bug where specifying more than one container to `podman logs` when the `journald` log backend was in use did not function correctly.
- Fixed a bug where the `podman run` and `podman create` commands would panic if a memory limit was set, but the swap limit was set to unlimited.
- Fixed a bug where the `--network` option to `podman run`, `podman create`, and `podman pod create` would error if the user attempted to specify CNI networks by ID, instead of name.
- Fixed a bug where Podman's cgroup handling for cgroups v1 systems did not properly handle cases where a cgroup existed on some, but not all, controllers, resulting in errors from the `podman stats` command.
- Fixed a bug where the `podman cp` command did not properly handle cases where `/dev/stdout` was specified as the destination (it was treated identically to `-`).
- Fixed a bug where the `podman cp` command would create files with incorrect ownership.
- Fixed a bug where the `podman cp` command did not properly handle cases where the destination directory did not exist.
- Fixed a bug where the `podman cp` command did not properly evaluate symlinks when copying out of containers.
- Fixed a bug where the `podman rm -fa` command would error when attempting to remove containers created with `--rm`.
- Fixed a bug where the ordering of capabilities was nondeterministic in the `CapDrop` field of the output of `podman inspect` on a container.
- Fixed a bug where the `podman network connect` command could be used with containers that were not initially connected to a CNI bridge network (e.g. containers created with `--net=host`).
- Fixed a bug where DNS search domains required by the `dnsname` CNI plugin were not being added to the container's `resolv.conf` under some circumstances.
- Fixed a bug where the `--ignorefile` option to `podman build` was nonfunctional.
- Fixed a bug where the `--timestamp` option to `podman build` was nonfunctional.
- Fixed a bug where the `--iidfile` option to `podman build` could cause Podman to panic if an error occurred during the build.
- Fixed a bug where the `--dns-search` option to `podman build` was nonfunctional.
- Fixed a bug where the `--pull-never` option to `podman build` was nonfunctional.
- Fixed a bug where the `--build-arg` option to `podman build` would, when given a key but not a value, error (instead of attempting to look up the key as an environment variable).
- Fixed a bug where the `--isolation` option to `podman build` in the remote Podman client was nonfunctional.
- Fixed a bug where the `podman network disconnect` command could cause errors when the container that had a network removed was stopped and its network was cleaned up.
- Fixed a bug where the `podman network rm` command did not properly check what networks a container was present in, resulting in unexpected behavior if `podman network connect` or `podman network disconnect` had been used with the network.
- Fixed a bug where some errors with stopping a container could cause Podman to panic, and the container to be stuck in an unusable `stopping` state.
- Fixed a bug where the `podman load` command could return 0 even in cases where an error occurred.
- Fixed a bug where specifying storage options to Podman using the `--storage-opt` option would override all storage options. Instead, storage options are now overridden only when the `--storage-driver` option is used to override the current graph driver.
- Fixed a bug where containers created with `--privileged` could request more capabilities than were available to Podman.
- Fixed a bug where
podman com