SUSE-SU-2022:3312-1: moderate: Security update for libcontainers-common
sle-security-updates at lists.suse.com
sle-security-updates at lists.suse.com
Mon Sep 19 19:25:05 UTC 2022
SUSE Security Update: Security update for libcontainers-common
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:3312-1
Rating: moderate
References: #1176804 #1177598 #1181640 #1182998 #1188520
#1189893
Cross-References: CVE-2020-14370 CVE-2020-15157 CVE-2021-20199
CVE-2021-20291 CVE-2021-3602
CVSS scores:
CVE-2020-14370 (NVD) : 5.3 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE-2020-14370 (SUSE): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
CVE-2020-15157 (NVD) : 6.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
CVE-2020-15157 (SUSE): 6.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
CVE-2021-20199 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVE-2021-20199 (SUSE): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
CVE-2021-20291 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CVE-2021-20291 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CVE-2021-3602 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE-2021-3602 (SUSE): 5.6 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
Affected Products:
SUSE CaaS Platform 4.0
SUSE Enterprise Storage 6
SUSE Enterprise Storage 7
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS
SUSE Linux Enterprise Server 15-SP1-BCL
SUSE Linux Enterprise Server 15-SP1-LTSS
SUSE Linux Enterprise Server 15-SP2-BCL
SUSE Linux Enterprise Server 15-SP2-LTSS
SUSE Linux Enterprise Server for SAP 15-SP1
SUSE Linux Enterprise Server for SAP 15-SP2
SUSE Manager Proxy 4.1
SUSE Manager Retail Branch Server 4.1
SUSE Manager Server 4.1
______________________________________________________________________________
An update that solves 5 vulnerabilities and has one errata
is now available.
Description:
This update for libcontainers-common fixes the following issues:
libcontainers-common was updated:
- common component was updated to 0.44.0.
- storage component was updated to 1.36.0.
- image component was updated to 5.16.0.
- podman component was updated to 3.3.1.
3.3.1:
Bugfixes:
- Fixed a bug where unit files created by `podman generate systemd` could
not cleanup shut down containers when stopped by `systemctl stop` .
- Fixed a bug where `podman machine` commands would not properly locate
the `gvproxy` binary in some circumstances.
- Fixed a bug where containers created as part of a pod using the
`--pod-id-file` option would not join the pod's network namespace .
- Fixed a bug where Podman, when using the systemd cgroups driver, could
sometimes leak dbus sessions.
- Fixed a bug where the `until` filter to `podman logs` and `podman
events` was improperly handled, requiring input to be negated .
- Fixed a bug where rootless containers using CNI networking run on
systems using `systemd-resolved` for DNS would fail to start if resolved
symlinked `/etc/resolv.conf` to an absolute path .
API:
- A large number of potential file descriptor leaks from improperly
closing client connections have been fixed.
3.3.0:
Features:
- Containers inside VMs created by `podman machine` will now automatically
handle port forwarding - containers in `podman machine` VMs that publish
ports via `--publish` or `--publish-all` will have these ports not just
forwarded on the VM, but also on the host system.
- The `podman play kube` command's `--network` option now accepts advanced
network options (e.g. `--network slirp4netns:port_handler=slirp4netns`) .
- The `podman play kube` commmand now supports Kubernetes liveness probes,
which will be created as Podman healthchecks.
- Podman now provides a systemd unit, `podman-restart.service`, which,
when enabled, will restart all containers that were started with
`--restart=always` after the system reboots.
- Rootless Podman can now be configured to use CNI networking by default
by using the `rootless_networking` option in `containers.conf`.
- Images can now be pulled using `image:tag at digest` syntax (e.g. `podman
pull
fedora:34 at sha256:1b0d4ddd99b1a8c8a80e885aafe6034c95f266da44ead992aab388e6aa
91611a`) .
- The `podman container checkpoint` and `podman container restore`
commands can now be used to checkpoint containers that are in pods, and
restore those containers into pods.
- The `podman container restore` command now features a new option,
`--publish`, to change the ports that are forwarded to a container that
is being restored from an exported checkpoint.
- The `podman container checkpoint` command now features a new option,
`--compress`, to specify the compression algorithm that will be used on
the generated checkpoint.
- The `podman pull` command can now pull multiple images at once (e.g.
`podman pull fedora:34 ubi8:latest` will pull both specified images).
- THe `podman cp` command can now copy files from one container into
another directly (e.g. `podman cp containera:/etc/hosts
containerb:/etc/`) .
- The `podman cp` command now supports a new option, `--archive`, which
controls whether copied files will be chown'd to the UID and GID of the
user of the destination container.
- The `podman stats` command now provides two additional metrics: Average
CPU, and CPU time.
- The `podman pod create` command supports a new flag, `--pid`, to specify
the PID namespace of the pod. If specified, containers that join the pod
will automatically share its PID namespace.
- The `podman pod create` command supports a new flag, `--infra-name`,
which allows the name of the pod's infra container to be set .
- The `podman auto-update` command has had its output reformatted - it is
now much clearer what images were pulled and what containers were
updated.
- The `podman auto-update` command now supports a new option, `--dry-run`,
which reports what would be updated but does not actually perform the
update .
- The `podman build` command now supports a new option, `--secret`, to
mount secrets into build containers.
- The `podman manifest remove` command now has a new alias, `podman
manifest rm`.
- The `podman login` command now supports a new option, `--verbose`, to
print detailed information about where the credentials entered were
stored.
- The `podman events` command now supports a new event, `exec_died`, which
is produced when an exec session exits, and includes the exit code of
the exec session.
- The `podman system connection add` command now supports adding
connections that connect using the `tcp://` and `unix://` URL schemes.
- The `podman system connection list` command now supports a new flag,
`--format`, to determine how the output is printed.
- The `podman volume prune` and `podman volume ls` commands' `--filter`
option now support a new filter, `until`, that matches volumes created
before a certain time .
- The `podman ps --filter` option's `network` filter now accepts a new
value: `container:`, which matches containers that share a network
namespace with a specific container .
- The `podman diff` command can now accept two arguments, allowing two
images or two containers to be specified; the diff between the two will
be printed .
- Podman can now optionally copy-up content from containers into volumes
mounted into those containers earlier (at creation time, instead of at
runtime) via the `prepare_on_create` option in `containers.conf` .
- A new option, `--gpus`, has been added to `podman create` and `podman
run` as a no-op for better compatibility with Docker. If the
nvidia-container-runtime package is installed, GPUs should be
automatically added to containers without using the flag.
- If an invalid subcommand is provided, similar commands to try will now
be suggested in the error message. ### Changes
- The `podman system reset` command now removes non-Podman (e.g. Buildah
and CRI-O) containers as well.
- The new port forwarding offered by `podman machine` requires [gvproxy]
in order to function.
- Podman will now automatically create the default CNI network if it does
not exist, for both root and rootless users. This will only be done once
per user - if the network is subsequently removed, it will not be
recreated.
- The `install.cni` makefile option has been removed. It is no longer
required to distribute the default `87-podman.conflist` CNI
configuration file, as Podman will now automatically create it.
- The `--root` option to Podman will not automatically clear all default
storage options when set. Storage options can be set manually using
`--storage-opt` .
- The output of `podman system connection list` is now deterministic, with
connections being sorted alpabetically by their name.
- The auto-update service (`podman-auto-update.service`) has had its
default timer adjusted so it now starts at a random time up to 15
minutes after midnight, to help prevent system congestion from numerous
daily services run at once.
- Systemd unit files generated by `podman generate systemd` now depend on
`network-online.target` by default .
- Systemd unit files generated by `podman generate systemd` now use
`Type=notify` by default, instead of using PID files.
- The `podman info` command's logic for detecting package versions on
Gentoo has been improved, and should be significantly faster.
Bugfixes:
- Fixed a bug where the `podman play kube` command did not perform SELinux
relabelling of volumes specified with a `mountPath` that included the
`:z` or `:Z` options .
- Fixed a bug where the `podman play kube` command would ignore the `USER`
and `EXPOSE` directives in images .
- Fixed a bug where the `podman play kube` command would only accept
lowercase pull policies.
- Fixed a bug where named volumes mounted into containers with the `:z` or
`:Z` options were not appropriately relabelled for access from the
container .
- Fixed a bug where the `podman logs -f` command, with the `journald` log
driver, could sometimes fail to pick up the last line of output from a
container .
- Fixed a bug where running `podman rm` on a container created with the
`--rm` option would occasionally emit an error message saying the
container failed to be removed, when it was successfully removed.
- Fixed a bug where starting a Podman container would segfault if the
`LISTEN_PID` and `LISTEN_FDS` environment variables were set, but
`LISTEN_FDNAMES` was not .
- Fixed a bug where exec sessions in containers were sometimes not cleaned
up when run without `-d` and when the associated `podman exec` process
was killed before completion.
- Fixed a bug where `podman system service` could, when run in a systemd
unit file with sdnotify in use, drop some connections when it was
starting up.
- Fixed a bug where containers run using the REST API using the
`slirp4netns` network mode would leave zombie processes that were not
cleaned up until `podman system service` exited .
- Fixed a bug where the `podman system service` command would leave zombie
processes after its initial launch that were not cleaned up until it
exited .
- Fixed a bug where VMs created by `podman machine` could not be started
after the host system restarted .
- Fixed a bug where the `podman pod ps` command would not show headers for
optional information (e.g. container names when the `--ctr-names` option
was given).
- Fixed a bug where the remote Podman client's `podman create` and `podman
run` commands would ignore timezone configuration from the server's
`containers.conf` file .
- Fixed a bug where the remote Podman client's `podman build` command
would only respect `.containerignore` and not `.dockerignore` files
(when both are present, `.containerignore` will be preferred) .
- Fixed a bug where the remote Podman client's `podman build` command
would fail to send the Dockerfile being built to the server when it was
excluded by the `.dockerignore` file, resulting in an error .
- Fixed a bug where the remote Podman client's `podman build` command
could unexpectedly stop streaming the output of the build .
- Fixed a bug where the remote Podman client's `podman build` command
would fail to build when run on Windows .
- Fixed a bug where the `podman manifest create` command accepted at most
two arguments (an arbitrary number of images are allowed as arguments,
which will be added to the manifest).
- Fixed a bug where named volumes would not be properly chowned to the UID
and GID of the directory they were mounted over when first mounted into
a container .
- Fixed a bug where named volumes created using a volume plugin would be
removed from Podman, even if the plugin reported a failure to remove the
volume .
- Fixed a bug where the remote Podman client's `podman exec -i` command
would hang when input was provided via shell redirection (e.g. `podman
--remote exec -i foo cat <<<"hello"`) .
- Fixed a bug where containers created with `--rm` were not immediately
removed after being started by `podman start` if they failed to start .
- Fixed a bug where the `--storage-opt` flag to `podman create` and
`podman run` was nonfunctional .
- Fixed a bug where the `--device-cgroup-rule` option to `podman create`
and `podman run` was nonfunctional .
- Fixed a bug where the `--tls-verify` option to `podman manifest push`
was nonfunctional.
- Fixed a bug where the `podman import` command could, in some
circumstances, produce empty images .
- Fixed a bug where images pulled using the `docker-daemon:` transport had
the wrong registry (`localhost` instead of `docker.io/library`) .
- Fixed a bug where operations that pruned images (`podman image prune`
and `podman system prune`) would prune untagged images with children .
- Fixed a bug where dual-stack networks created by `podman network create`
did not properly auto-assign an IPv4 subnet when one was not explicitly
specified .
- Fixed a bug where port forwarding using the `rootlessport` port
forwarder would break when a network was disconnected and then
reconnected .
- Fixed a bug where Podman would ignore user-specified SELinux policies
for containers using the Kata OCI runtime, or containers using systemd
as PID 1 .
- Fixed a bug where Podman containers created using `--net=host` would add
an entry to `/etc/hosts` for the container's hostname pointing to
`127.0.1.1` .
- Fixed a bug where the `podman unpause --all` command would throw an
error for every container that was not paused .
- Fixed a bug where timestamps for the `since` and `until` filters using
Unix timestamps with a nanoseconds portion could not be parsed .
- Fixed a bug where the `podman info` command would sometimes print the
wrong path for the `slirp4netns` binary.
- Fixed a bug where rootless Podman containers joined to a CNI network
would not have functional DNS when the host used systemd-resolved
without the resolved stub resolver being enabled .
- Fixed a bug where `podman network connect` and `podman network
disconnect` of rootless containers could sometimes break port forwarding
to the container .
- Fixed a bug where joining a container to a CNI network by ID and adding
network aliases to this network would cause the container to fail to
start . ### API
- Fixed a bug where the Compat List endpoint for Containers included
healthcheck information for all containers, even those that did not have
a configured healthcheck.
- Fixed a bug where the Compat Create endpoint for Containers would fail
to create containers with the `NetworkMode` parameter set to `default` .
- Fixed a bug where the Compat Create endpoint for Containers did not
properly handle healthcheck commands .
- Fixed a bug where the Compat Wait endpoint for Containers would always
send an empty string error message when no error occurred.
- Fixed a bug where the Libpod Stats endpoint for Containers would not
error when run on rootless containers on cgroups v1 systems (nonsensical
results would be returned, as this configuration cannot be supportable).
- Fixed a bug where the Compat List endpoint for Images omitted the
`ContainerConfig` field .
- Fixed a bug where the Compat Build endpoint for Images was too strict
when validating the `Content-Type` header, rejecting content that Docker
would have accepted .
- Fixed a bug where the Compat Pull endpoint for Images could fail, but
return a 200 status code, if an image name that could not be parsed was
provided.
- Fixed a bug where the Compat Pull endpoint for Images would continue to
pull images after the client disconnected.
- Fixed a bug where the Compat List endpoint for Networks would fail for
non-bridge (e.g. macvlan) networks .
- Fixed a bug where the Libpod List endpoint for Networks would return
nil, instead of an empty list, when no networks were present .
- The Compat and Libpod Logs endpoints for Containers now support the
`until` query parameter .
- The Compat Import endpoint for Images now supports the `platform`,
`message`, and `repo` query parameters.
- The Compat Pull endpoint for Images now supports the `platform` query
parameter.
Misc:
- Updated Buildah to v1.22.3
- Updated the containers/storage library to v1.34.1
- Updated the containers/image library to v5.15.2
- Updated the containers/common library to v0.42.1
storage was updated to 1.36.0.
Updated image to 5.16.0.
Update podman to 3.2.3:
Security:
- This release addresses CVE-2021-3602, an issue with the `podman build`
command with the `--isolation chroot` flag that results in environment
variables from the host leaking into build containers. (bsc#1188520)
Bugfixes:
- Fixed a bug where events related to images could occur before the
relevant operation had completed (e.g. an image pull event could be
written before the pull was finished) .
- Fixed a bug where `podman save` would refuse to save images with an
architecture different from that of the host .
- Fixed a bug where the `podman import` command did not correctly handle
images without tags .
- Fixed a bug where Podman's journald events backend would fail and
prevent Podman from running when run on a host with systemd as PID1 but
in an environment (e.g. a container) without systemd .
- Fixed a bug where containers using rootless CNI networking would fail to
start when the `dnsname` CNI plugin was in use and the host system's
`/etc/resolv.conf` was a symlink ([#10855] and
[#10929](https://github.com/containers/podman/issues/10929)).
- Fixed a bug where containers using rootless CNI networking could fail to
start due to a race in rootless CNI initialization .
Update podman to 3.2.2
3.2.2:
- Podman's handling of the Architecture field of images has been relaxed.
Since 3.2.0, Podman required that the architecture of the image match
the architecture of the system to run containers based on an image, but
images often incorrectly report architecture, causing Podman to reject
valid images ([#10648] and
[#10682](https://github.com/containers/podman/issues/10682)).
- Podman no longer uses inotify to monitor for changes to CNI
configurations. This removes potential issues where Podman cannot be run
because a user has exhausted their available inotify sessions .
Bugfixes
- Fixed a bug where the `podman cp` would, when given a directory as its
source and a target that existed and was a file, copy the contents of
the directory into the parent directory of the file; this now results in
an error.
- Fixed a bug where the `podman logs` command would, when following a
running container's logs, not include the last line of output from the
container when it exited when the `k8s-file` driver was in use .
- Fixed a bug where Podman would fail to run containers if
`systemd-resolved` was incorrectly detected as the system's DNS server .
- Fixed a bug where the `podman exec -t` command would only resize the
exec session's TTY after the session started, leading to a race
condition where the terminal would initially not have a size set .
- Fixed a bug where Podman containers using the `slirp4netns` network mode
would add an incorrect entry to `/etc/hosts` pointing the container's
hostname to the wrong IP address.
- Fixed a bug where Podman would create volumes specified by images with
incorrect permissions ([#10188] and
[#10606](https://github.com/containers/podman/issues/10606)).
- Fixed a bug where Podman would not respect the `uid` and `gid` options
to `podman volume create -o` .
- Fixed a bug where the `podman run` command could panic when parsing the
system's cgroup configuration .
- Fixed a bug where the remote Podman client's `podman build -f - ...`
command did not read a Containerfile from STDIN .
- Fixed a bug where the `podman container restore --import` command would
fail to restore checkpoints created from privileged containers .
- Fixed a bug where Podman was not respecting the `TMPDIR` environment
variable when pulling images .
- Fixed a bug where a number of Podman commands did not properly support
using Go templates as an argument to the `--format` option.
API:
- Fixed a bug where the Compat Inspect endpoint for Containers did not
include information on container healthchecks .
- Fixed a bug where the Libpod and Compat Build endpoints for Images did
not properly handle the `devices` query parameter .
Misc:
- Fixed a bug where the Makefile's `make podman-remote-static` target to
build a statically-linked `podman-remote` binary was instead producing
dynamic binaries .
- Updated the containers/common library to v0.38.11
3.2.1:
Changes:
- Podman now allows corrupt images (e.g. from restarting the system during
an image pull) to be replaced by a `podman pull` of the same image
(instead of requiring they be removed first, then re-pulled).
Bugfixes:
- Fixed a bug where Podman would fail to start containers if a Seccomp
profile was not available at `/usr/share/containers/seccomp.json` .
- Fixed a bug where the `podman machine start` command failed on OS X
machines with the AMD64 architecture and certain QEMU versions .
- Fixed a bug where Podman would always use the slow path for joining the
rootless user namespace.
- Fixed a bug where the `podman stats` command would fail on Cgroups v1
systems when run on a container running systemd .
- Fixed a bug where pre-checkpoint support for `podman container
checkpoint` did not function correctly.
- Fixed a bug where the remote Podman client's `podman build` command did
not properly handle the `-f` option .
- Fixed a bug where the remote Podman client's `podman run` command would
sometimes not resize the container's terminal before execution began .
- Fixed a bug where the `--filter` option to the `podman image prune`
command was nonfunctional.
- Fixed a bug where the `podman logs -f` command would exit before all
output for a container was printed when the `k8s-file` log driver was in
use .
- Fixed a bug where Podman would not correctly detect that
systemd-resolved was in use on the host and adjust DNS servers in the
container appropriately under some circumstances .
- Fixed a bug where the `podman network connect` and `podman network
disconnect` commands acted improperly when containers were in the
Created state, marking the changes as done but not actually performing
them.
API:
- Fixed a bug where the Compat and Libpod Prune endpoints for Networks
returned null, instead of an empty array, when nothing was pruned.
- Fixed a bug where the Create API for Images would continue to pull
images even if a client closed the connection mid-pull .
- Fixed a bug where the Events API did not include some information
(including labels) when sending events.
- Fixed a bug where the Events API would, when streaming was not
requested, send at most one event .
3.2.0:
Features:
- Docker Compose is now supported with rootless Podman .
- The `podman network connect`, `podman network disconnect`, and `podman
network reload` commands have been enabled for rootless Podman.
- An experimental new set of commands, `podman machine`, was added to
assist in managing virtual machines containing a Podman server. These
are intended for easing the use of Podman on OS X by handling the
creation of a Linux VM for running Podman.
- The `podman generate kube` command can now be run on Podman named
volumes (generating `PersistentVolumeClaim` YAML), in addition to pods
and containers.
- The `podman play kube` command now supports two new options, `--ip` and
`--mac`, to set static IPs and MAC addresses for created pods ([#8442]
and [#9731](https://github.com/containers/podman/issues/9731)).
- The `podman play kube` command's support for `PersistentVolumeClaim`
YAML has been greatly improved.
- The `podman generate kube` command now preserves the label used by
`podman auto-update` to identify containers to update as a Kubernetes
annotation, and the `podman play kube` command will convert this
annotation back into a label. This allows `podman auto-update` to be
used with containers created by `podman play kube`.
- The `podman play kube` command now supports Kubernetes `secretRef` YAML
(using the secrets support from `podman secret`) for environment
variables.
- Secrets can now be added to containers as environment variables using
the `type=env` option to the `--secret` flag to `podman create` and
`podman run`.
- The `podman start` command now supports the `--all` option, allowing all
containers to be started simultaneously with a single command. The
`--filter` option has also been added to filter which containers to
start when `--all` is used.
- Filtering containers with the `--filter` option to `podman ps` and
`podman start` now supports a new filter, `restart-policy`, to filter
containers based on their restart policy.
- The `--group-add` option to rootless `podman run` and `podman create`
now accepts a new value, `keep-groups`, which instructs Podman to retain
the supplemental groups of the user running Podman in the created
container. This is only supported with the `crun` OCI runtime.
- The `podman run` and `podman create` commands now support a new option,
`--timeout`. This sets a maximum time the container is allowed to run,
after which it is killed .
- The `podman run` and `podman create` commands now support a new option,
`--pidfile`. This will create a file when the container is started
containing the PID of the first process in the container.
- The `podman run` and `podman create` commands now support a new option,
`--requires`. The `--requires` option adds dependency containers -
containers that must be running before the current container. Commands
like `podman start` will automatically start the requirements of a
container before starting the container itself.
- Auto-updating containers can now be done with locally-built images, not
just images hosted on a registry, by creating containers with the
`io.containers.autoupdate` label set to `local`.
- Podman now supports the [Container Device Interface] (CDI) standard.
- Podman now adds an entry to `/etc/hosts`, `host.containers.internal`,
pointing to the current gateway (which, for root containers, is usually
a bridge interface on the host system) .
- The `podman ps`, `podman pod ps`, `podman network list`, `podman secret
list`, and `podman volume list` commands now support a `--noheading`
option, which will cause Podman to omit the heading line including
column names.
- The `podman unshare` command now supports a new flag, `--rootless-cni`,
to join the rootless network namespace. This allows commands to be run
in the same network environment as rootless containers with CNI
networking.
- The `--security-opt unmask=` option to `podman run` and `podman create`
now supports glob operations to unmask a group of paths at once (e.g.
`podman run --security-opt unmask=/proc/* ...` will unmask all paths in
`/proc` in the container).
- The `podman network prune` command now supports a `--filter` option to
filter which networks will be pruned. ### Changes
- The change in Podman 3.1.2 where the `:z` and `:Z` mount options for
volumes were ignored for privileged containers has been reverted after
discussion in [#10209].
- Podman's rootless CNI functionality no longer requires a sidecar
container! The removal of the requirement for the `rootless-cni-infra`
container means that rootless CNI is now usable on all architectures,
not just AMD64, and no longer requires pulling an image .
- The Image handling code used by Podman has seen a major rewrite to
improve code sharing with our other projects, Buildah and CRI-O. This
should result in fewer bugs and performance gains in the long term. Work
on this is still ongoing.
- The `podman auto-update` command now prunes previous versions of images
after updating if they are unused, to prevent disk exhaustion after
repeated updates .
- The `podman play kube` now treats environment variables configured as
references to a `ConfigMap` as mandatory unless the `optional` parameter
was set; this better matches the behavior of Kubernetes.
- Podman now supports the `--context=default` flag from Docker as a no-op
for compatibility purposes.
- When Podman is run as root, but without `CAP_SYS_ADMIN` being available,
it will run in a user namespace using the same code as rootless Podman
(instead of failing outright).
- The `podman info` command now includes the path of the Seccomp profile
Podman is using, available cgroup controllers, and whether Podman is
connected to a remote service or running containers locally.
- Containers created with the `--rm` option now automatically use the
`volatile` storage flag when available for their root filesystems,
causing them not to write changes to disk as often as they will be
removed at completion anyways. This should result in improved
performance.
- The `podman generate systemd --new` command will now include environment
variables referenced by the container in generated unit files if the
value would be looked up from the system environment.
- Podman now requires that Conmon v2.0.24 be available.
Bugfixes:
- Fixed a bug where the remote Podman client's `podman build` command did
not support the `--arch`, `--platform`, and `--os`, options.
- Fixed a bug where the remote Podman client's `podman build` command
ignored the `--rm=false` option .
- Fixed a bug where the remote Podman client's `podman build --iidfile`
command could include extra output (in addition to just the image ID) in
the image ID file written .
- Fixed a bug where the remote Podman client's `podman build` command did
not preserve hardlinks when moving files into the container via `COPY`
instructions .
- Fixed a bug where the `podman generate systemd --new` command could
generate extra `--iidfile` arguments if the container was already
created with one.
- Fixed a bug where the `podman generate systemd --new` command would
generate unit files that did not include `RequiresMountsFor` lines .
- Fixed a bug where the `podman generate kube` command produced incorrect
YAML for containers which bind-mounted both `/` and `/root` from the
host system into the container .
- Fixed a bug where pods created by `podman play kube` from YAML that
specified `ShareProcessNamespace` would only share the PID namespace
(and not also the UTS, Network, and IPC namespaces) .
- Fixed a bug where the `podman network reload` command could generate
spurious error messages when `iptables-nft` was in use.
- Fixed a bug where rootless Podman could fail to attach to containers
when the user running Podman had a large UID.
- Fixed a bug where the `podman ps` command could fail with a `no such
container` error due to a race condition with container removal .
- Fixed a bug where containers using the `slirp4netns` network mode and
setting a custom `slirp4netns` subnet while using the `rootlesskit` port
forwarder would not be able to forward ports .
- Fixed a bug where the `--filter ancestor=` option to `podman ps` did not
require an exact match of the image name/ID to include a container in
its results.
- Fixed a bug where the `--filter until=` option to `podman image prune`
would prune images created after the specified time (instead of before).
- Fixed a bug where setting a custom Seccomp profile via the
`seccomp_profile` option in `containers.conf` had no effect, and the
default profile was used instead.
- Fixed a bug where the `--cgroup-parent` option to `podman create` and
`podman run` was ignored in rootless Podman on cgroups v2 systems with
the `cgroupfs` cgroup manager .
- Fixed a bug where the `IMAGE` and `NAME` variables in `podman container
runlabel` were not being correctly substituted .
- Fixed a bug where Podman could freeze when creating containers with a
specific combination of volumes and working directory .
- Fixed a bug where rootless Podman containers restarted by restart policy
(e.g. containers created with `--restart=always`) would lose networking
after being restarted .
- Fixed a bug where the `podman cp` command could not copy files into
containers created with the `--pid=host` flag .
- Fixed a bug where filters to the `podman events` command could not be
specified twice (if a filter is specified more than once, it will match
if any of the given values match - logical or) .
- Fixed a bug where Podman would include IPv6 nameservers in `resolv.conf`
in containers without IPv6 connectivity .
- Fixed a bug where containers could not be created with static IP
addresses when connecting to a network using the `macvlan` driver . ###
API
- Fixed a bug where the Compat Create endpoint for Containers did not
allow advanced network options to be set .
- Fixed a bug where the Compat Create endpoint for Containers ignored
static IP information provided in the `IPAMConfig` block .
- Fixed a bug where the Compat Inspect endpoint for Containers returned
null (instead of an empty list) for Networks when the container was not
joined to a CNI network .
- Fixed a bug where the Compat Wait endpoint for Containers could miss
containers exiting if they were immediately restarted.
- Fixed a bug where the Compat Create endpoint for Volumes required that
the user provide a name for the new volume .
- Fixed a bug where the Libpod Info handler would sometimes not return the
correct path to the Podman API socket.
- Fixed a bug where the Compat Events handler used the wrong name for
container exited events (`died` instead of `die`) .
- Fixed a bug where the Compat Push endpoint for Images could leak
goroutines if the remote end closed the connection prematurely.
Update storage to 1.32.5
Update podman to 3.1.2
3.1.2:
Bugfixes:
- Fixed a bug where images with empty layers were stored incorrectly,
causing them to be unable to be pushed or saved.
- Fixed a bug where the `podman rmi` command could fail to remove corrupt
images from storage.
- Fixed a bug where the remote Podman client's `podman save` command did
not support the `oci-dir` and `docker-dir` formats .
- Fixed a bug where volume mounts from `podman play kube` created with a
trailing `/` in the container path were were not properly superceding
named volumes from the image .
- Fixed a bug where Podman could fail to build on 32-bit architectures.
Update podman to 3.1.1
- Podman now recognizes `trace` as a valid argument to the `--log-level`
command. Trace logging is now the most verbose level of logging
available.
- The `:z` and `:Z` options for volume mounts are now ignored when the
container is privileged or is run with SELinux isolation disabled
(`--security-opt label=disable`). This matches better matches Docker's
behavior in this case.
Bugfixes
- Fixed a bug where pruning images with the `podman image prune` or
`podman system prune` commands could cause Podman to panic.
- Fixed a bug where the `podman save` command did not properly error when
the `--compress` flag was used with incompatible format types.
- Fixed a bug where the `--security-opt` and `--ulimit` options to the
remote Podman client's `podman build` command were nonfunctional.
- Fixed a bug where the `--log-rusage` option to the remote Podman
client's `podman build` command was nonfunctional .
- Fixed a bug where the `podman build` command could, in some
circumstances, use the wrong OCI runtime .
- Fixed a bug where the remote Podman client's `podman build` command
could return 0 despite failing .
- Fixed a bug where the `podman container runlabel` command did not
properly expand the `IMAGE` and `NAME` variables in the label .
- Fixed a bug where poststop OCI hooks would be executed twice on
containers started with the `--rm` argument .
- Fixed a bug where rootless Podman could fail to launch containers on
cgroups v2 systems when the `cgroupfs` cgroup manager was in use.
- Fixed a bug where the `podman stats` command could error when statistics
tracked exceeded the maximum size of a 32-bit signed integer .
- Fixed a bug where rootless Podman containers run with `--userns=keepid`
(without a `--user` flag in addition) would grant exec sessions run in
them too many capabilities .
- Fixed a bug where the `--authfile` option to `podman build` did not
validate that the path given existed .
- Fixed a bug where the `--storage-opt` option to Podman was appending to,
instead of overriding (as is documented), the default storage options.
- Fixed a bug where the `podman system service` connection did not
function properly when run in a socket-activated systemd unit file as a
non-root user.
- Fixed a bug where the `--network` option to the `podman play kube`
command of the remote Podman client was being ignored .
- Fixed a bug where the `--log-driver` option to the `podman play kube`
command was nonfunctional .
API
- Fixed a bug where the Libpod Create endpoint for Manifests did not
properly validate the image the manifest was being created with.
- Fixed a bug where the Libpod DF endpoint could, in error cases, append
an extra null to the JSON response, causing decode errors.
- Fixed a bug where the Libpod and Compat Top endpoint for Containers
would return process names that included extra whitespace.
- Fixed a bug where the Compat Prune endpoint for Containers accepted too
many types of filter.
Update podman to 3.1.0
Features:
- A set of new commands has been added to manage secrets! The `podman
secret create`, `podman secret inspect`, `podman secret ls` and `podman
secret rm` commands have been added to handle secrets, along with the
`--secret` option to `podman run` and `podman create` to add secrets to
containers. The initial driver for secrets does not support encryption -
this will be added in a future release.
- A new command to prune networks, `podman network prune`, has been added .
- The `-v` option to `podman run` and `podman create` now supports a new
volume option, `:U`, to chown the volume's source directory on the host
to match the UID and GID of the container and prevent permissions issues
.
- Three new commands, `podman network exists`, `podman volume exists`, and
`podman manifest exists`, have been added to check for the existence of
networks, volumes, and manifest lists.
- The `podman cp` command can now copy files into directories mounted as
`tmpfs` in a running container.
- The `podman volume prune` command will now list volumes that will be
pruned when prompting the user whether to continue and perform the prune
.
- The Podman remote client's `podman build` command now supports the
`--disable-compression`, `--excludes`, and `--jobs` options.
- The Podman remote client's `podman push` command now supports the
`--format` option.
- The Podman remote client's `podman rm` command now supports the `--all`
and `--ignore` options.
- The Podman remote client's `podman search` command now supports the
`--no-trunc` and `--list-tags` options.
- The `podman play kube` command can now read in Kubernetes YAML from
`STDIN` when `-` is specified as file name (`podman play kube -`),
allowing input to be piped into the command for scripting .
- The `podman generate systemd` command now supports a `--no-header`
option, which disables creation of the header comment automatically
added by Podman to generated unit files.
- The `podman generate kube` command can now generate
`PersistentVolumeClaim` YAML for Podman named volumes .
- The `podman generate kube` command can now generate YAML files
containing multiple resources (pods or deployments) .
Security:
- This release resolves CVE-2021-20291, a deadlock vulnerability in the
storage library caused by pulling a specially-crafted container image.
(bsc#1196497)
Changes:
- The Podman remote client's `podman build` command no longer allows the
`-v` flag to be used. Volumes are not yet supported with remote Podman
when the client and service are on different machines.
- The `podman kill` and `podman stop` commands now print the name given by
the user for each container, instead of the full ID.
- When the `--security-opt unmask=ALL` or `--security-opt
unmask=/sys/fs/cgroup` options to `podman create` or `podman run` are
given, Podman will mount cgroups into the container as read-write,
instead of read-only .
- The `podman rmi` command has been changed to better handle cases where
an image is incomplete or corrupted, which can be caused by interrupted
image pulls.
- The `podman rename` command has been improved to be more atomic,
eliminating many race conditions that could potentially render a renamed
container unusable.
- Detection of which OCI runtimes run using virtual machines and thus
require custom SELinux labelling has been improved .
- The hidden `--trace` option to `podman` has been turned into a no-op. It
was used in very early versions for performance tracing, but has not
been supported for some time.
- The `podman generate systemd` command now generates `RequiresMountsFor`
lines to ensure necessary storage directories are mounted before systemd
starts Podman.
- Podman will now emit a warning when `--tty` and `--interactive` are both
passed, but `STDIN` is not a TTY. This will be made into an error in the
next major Podman release some time next year. ### Bugfixes
- Fixed a bug where rootless Podman containers joined to CNI networks
could not receive traffic from forwarded ports .
- Fixed a bug where `podman network create` with the `--macvlan` flag did
not honor the `--gateway`, `--subnet`, and `--opt` options .
- Fixed a bug where the `podman generate kube` command generated invalid
YAML for privileged containers .
- Fixed a bug where the `podman generate kube` command could not be used
with containers that were not running.
- Fixed a bug where the `podman generate systemd` command could duplicate
some parameters to Podman in generated unit files .
- Fixed a bug where Podman did not add annotations specified in
`containers.conf` to containers.
- Foxed a bug where Podman did not respect the `no_hosts` default in
`containers.conf` when creating containers.
- Fixed a bug where the `--tail=0`, `--since`, and `--follow` options to
the `podman logs` command did not function properly when using the
`journald` log backend.
- Fixed a bug where specifying more than one container to `podman logs`
when the `journald` log backend was in use did not function correctly.
- Fixed a bug where the `podman run` and `podman create` commands would
panic if a memory limit was set, but the swap limit was set to unlimited
.
- Fixed a bug where the `--network` option to `podman run`, `podman
create`, and `podman pod create` would error if the user attempted to
specify CNI networks by ID, instead of name .
- Fixed a bug where Podman's cgroup handling for cgroups v1 systems did
not properly handle cases where a cgroup existed on some, but not all,
controllers, resulting in errors from the `podman stats` command .
- Fixed a bug where the `podman cp` did not properly handle cases where
`/dev/stdout` was specified as the destination (it was treated
identically to `-`) .
- Fixed a bug where the `podman cp` command would create files with
incorrect ownership .
- Fixed a bug where the `podman cp` command did not properly handle cases
where the destination directory did not exist.
- Fixed a bug where the `podman cp` command did not properly evaluate
symlinks when copying out of containers.
- Fixed a bug where the `podman rm -fa` command would error when
attempting to remove containers created with `--rm` .
- Fixed a bug where the ordering of capabilities was nondeterministic in
the `CapDrop` field of the output of `podman inspect` on a container .
- Fixed a bug where the `podman network connect` command could be used
with containers that were not initially connected to a CNI bridge
network (e.g. containers created with `--net=host`) .
- Fixed a bug where DNS search domains required by the `dnsname` CNI
plugin were not being added to container's `resolv.conf` under some
circumstances.
- Fixed a bug where the `--ignorefile` option to `podman build` was
nonfunctional .
- Fixed a bug where the `--timestamp` option to `podman build` was
nonfunctional .
- Fixed a bug where the `--iidfile` option to `podman build` could cause
Podman to panic if an error occurred during the build.
- Fixed a bug where the `--dns-search` option to `podman build` was
nonfunctional .
- Fixed a bug where the `--pull-never` option to `podman build` was
nonfunctional .
- Fixed a bug where the `--build-arg` option to `podman build` would, when
given a key but not a value, error (instead of attempting to look up the
key as an environment variable) .
- Fixed a bug where the `--isolation` option to `podman build` in the
remote Podman client was nonfunctional.
- Fixed a bug where the `podman network disconnect` command could cause
errors when the container that had a network removed was stopped and its
network was cleaned up .
- Fixed a bug where the `podman network rm` command did not properly check
what networks a container was present in, resulting in unexpected
behavior if `podman network connect` or `podman network disconnect` had
been used with the network .
- Fixed a bug where some errors with stopping a container could cause
Podman to panic, and the container to be stuck in an unusable `stopping`
state .
- Fixed a bug where the `podman load` command could return 0 even in cases
where an error occurred .
- Fixed a bug where specifying storage options to Podman using the
`--storage-opt` option would override all storage options. Instead,
storage options are now overridden only when the `--storage-driver`
option is used to override the current graph driver .
- Fixed a bug where containers created with `--privileged` could request
more capabilities than were available to Podman.
- Fixed a bug where `podman commit` did not use the `TMPDIR` environment
variable to place temporary files created during the commit .
- Fixed a bug where remote Podman could error when attempting to resize
short-lived containers .
- Fixed a bug where Podman was unusable on kernels built without
`CONFIG_USER_NS`.
- Fixed a bug where the ownership of volumes created by `podman volume
create` and then mounted into a container could be incorrect .
- Fixed a bug where Podman volumes using a volume plugin could not pass
certain options, and could not be used as non-root users.
- Fixed a bug where the `--tz` option to `podman create` and `podman run`
did not properly validate its input. ### API
- Fixed a bug where the `X-Registry-Auth` header did not accept `null` as
a valid value.
- A new compat endpoint, `/auth`, has been added. This endpoint validates
credentials against a registry .
- Fixed a bug where the compat Build endpoint for Images specified labels
using the wrong type (array vs map). Both formats will be accepted now.
- Fixed a bug where the compat Build endpoint for Images did not report
that it successfully tagged the built image in its response.
- Fixed a bug where the compat Create endpoint for Images did not provide
progress information on pulling the image in its response.
- Fixed a bug where the compat Push endpoint for Images did not properly
handle the destination (used a query parameter, instead of a path
parameter).
- Fixed a bug where the compat Push endpoint for Images did not send the
progress of the push and the digest of the pushed image in the response
body.
- Fixed a bug where the compat List endpoint for Networks returned null,
instead of an empty array (`[]`), when no networks were present .
- Fixed a bug where the compat List endpoint for Networks returned nulls,
instead of empty maps, for networks that do not have Labels and/or
Options.
- The Libpod Inspect endpoint for networks (`/libpod/network/$ID/json`)
now has an alias at `/libpod/network/$ID` .
- Fixed a bug where the libpod Inspect endpoint for Networks returned a
1-size array of results, instead of a single result .
- The Compat List endpoint for Networks now supports the legacy format for
filters in parallel with the current filter format .
- Fixed a bug where the compat Create endpoint for Containers did not
properly handle tmpfs filesystems specified with options .
- Fixed a bug where the compat Create endpoint for Containers did not
create bind-mount source directories .
- Fixed a bug where the compat Create endpoint for Containers did not
properly handle the `NanoCpus` option .
- Fixed a bug where the Libpod create endpoint for Containers has a
misnamed field in its JSON.
- Fixed a bug where the compat List endpoint for Containers did not
populate information on forwarded ports
- Fixed a bug where the compat List endpoint for Containers did not
populate information on container CNI networks .
- Fixed a bug where the compat and libpod Stop endpoints for Containers
would ignore a timeout of 0.
- Fixed a bug where the compat and libpod Resize endpoints for Containers
did not set the correct terminal sizes (dimensions were reversed) .
- Fixed a bug where the compat Remove endpoint for Containers would not
return 404 when attempting to remove a container that does not exist .
- Fixed a bug where the compat Prune endpoint for Volumes would still
prune even if an invalid filter was specified.
- Numerous bugs related to filters have been addressed.
Update podman to 3.0.1
3.0.1:
Changes:
- Several frequently-occurring `WARN` level log messages have been
downgraded to `INFO` or `DEBUG` to not clutter terminal output.
Bugfixes:
- Fixed a bug where the `Created` field of `podman ps --format=json` was
formatted as a string instead of an Unix timestamp (integer) .
- Fixed a bug where failing lookups of individual layers during the
`podman images` command would cause the whole command to fail without
printing output.
- Fixed a bug where `--cgroups=split` did not function properly on cgroups
v1 systems.
- Fixed a bug where mounting a volume over an directory in the container
that existed, but was empty, could fail .
- Fixed a bug where mounting a volume over a directory in the container
that existed could copy the entirety of the container's rootfs, instead
of just the directory mounted over, into the volume .
- Fixed a bug where Podman would treat the `--entrypoint=[""]` option to
`podman run` and `podman create` as a literal empty string in the
entrypoint, when instead it should have been ignored .
- Fixed a bug where Podman would set the `HOME` environment variable to
`""` when the container ran as a user without an assigned home directory
.
- Fixed a bug where specifying a pod infra image that had no tags (by
using its ID) would cause `podman pod create` to panic .
- Fixed a bug where the `--runtime` option was not properly handled by the
`podman build` command .
- Fixed a bug where Podman would incorrectly print an error message
related to the remote API when the remote API was not in use and
starting Podman failed.
- Fixed a bug where Podman would change ownership of a container's working
directory, even if it already existed .
- Fixed a bug where the `podman generate systemd --new` command would
incorrectly escape `%t` when generating the path for the PID file .
- Fixed a bug where Podman could, when run inside a Podman container with
the host's containers/storage directory mounted into the container,
erroneously detect a reboot and reset container state if the temporary
directory was not also mounted in .
- Fixed a bug where some options of the `podman build` command (including
but not limited to `--jobs`) were nonfunctional . ### API
- Fixed a breaking change to the Libpod Wait API for Containers where the
Conditions parameter changed type in Podman v3.0 .
- Fixed a bug where the Compat Create endpoint for Containers did not
properly handle forwarded ports that did not specify a host port.
- Fixed a bug where the Libpod Wait endpoint for Containers could write
duplicate headers after an error occurred.
- Fixed a bug where the Compat Create endpoint for Images would not pull
images that already had a matching tag present locally, even if a more
recent version was available at the registry .
- The Compat Create endpoint for Images has had its compatibility with
Docker improved, allowing its use with the `docker-java` library. ###
Misc
- Updated Buildah to v1.19.4
- Updated the containers/storage library to v1.24.6
3.0.0:
Features:
- Podman now features initial support for Docker Compose.
- Added the `podman rename` command, which allows containers to be renamed
after they are created .
- The Podman remote client now supports the `podman copy` command.
- A new command, `podman network reload`, has been added. This command
will re-configure the network of all running containers, and can be used
to recreate firewall rules lost when the system firewall was reloaded
(e.g. via `firewall-cmd --reload`).
- Podman networks now have IDs. They can be seen in `podman network ls`
and can be used when removing and inspecting networks. Existing networks
receive IDs automatically.
- Podman networks now also support labels. They can be added via the
`--label` option to `network create`, and `podman network ls` can filter
labels based on them.
- The `podman network create` command now supports setting bridge MTU and
VLAN through the `--opt` option .
- The `podman container checkpoint` and `podman container restore`
commands can now checkpoint and restore containers that include volumes.
- The `podman container checkpoint` command now supports the
`--with-previous` and `--pre-checkpoint` options, and the `podman
container restore` command now support the `--import-previous` option.
These add support for two-step checkpointing with lowered dump times.
- The `podman push` command can now push manifest lists. Podman will first
attempt to push as an image, then fall back to pushing as a manifest
list if that fails.
- The `podman generate kube` command can now be run on multiple containers
at once, and will generate a single pod containing all of them.
- The `podman generate kube` and `podman play kube` commands now support
Kubernetes DNS configuration, and will preserve custom DNS configuration
when exporting or importing YAML .
- The `podman generate kube` command now properly supports generating YAML
for containers and pods creating using host networking (`--net=host`) .
- The `podman kill` command now supports a `--cidfile` option to kill
containers given a file containing the container's ID .
- The `podman pod create` command now supports the `--net=none` option .
- The `podman volume create` command can now specify volume UID and GID as
options with the `UID` and `GID` fields passed to the the `--opt` option.
- Initial support has been added for Docker Volume Plugins. Podman can now
define available plugins in `containers.conf` and use them to create
volumes with `podman volume create --driver`.
- The `podman run` and `podman create` commands now support a new option,
`--platform`, to specify the platform of the image to be used when
creating the container.
- The `--security-opt` option to `podman run` and `podman create` now
supports the `systempaths=unconfined` option to unrestrict access to all
paths in the container, as well as `mask` and `unmask` options to allow
more granular restriction of container paths.
- The `podman stats --format` command now supports a new format specified,
`MemUsageBytes`, which prints the raw bytes of memory consumed by a
container without human-readable formatting [#8945].
- The `podman ps` command can now filter containers based on what pod they
are joined to via the `pod` filter .
- The `podman pod ps` command can now filter pods based on what networks
they are joined to via the `network` filter.
- The `podman pod ps` command can now print information on what networks a
pod is joined to via the `.Networks` specifier to the `--format` option.
- The `podman system prune` command now supports filtering what
containers, pods, images, and volumes will be pruned.
- The `podman volume prune` commands now supports filtering what volumes
will be pruned.
- The `podman system prune` command now includes information on space
reclaimed .
- The `podman info` command will now properly print information about
packages in use on Gentoo and Arch systems.
- The `containers.conf` file now contains an option for disabling creation
of a new kernel keyring on container creation .
- The `podman image sign` command can now sign multi-arch images by
producing a signature for each image in a given manifest list.
- The `podman image sign` command, when run as rootless, now supports
per-user registry configuration files in
`$HOME/.config/containers/registries.d`.
- Configuration options for `slirp4netns` can now be set system-wide via
the `NetworkCmdOptions` configuration option in `containers.conf`.
- The MTU of `slirp4netns` can now be configured via the `mtu=` network
command option (e.g. `podman run --net slirp4netns:mtu=9000`).
Security:
- A fix for CVE-2021-20199 is included. Podman between v1.8.0 and v2.2.1
used `127.0.0.1` as the source address for all traffic forwarded into
rootless containers by a forwarded port; this has been changed to
address the issue. (bsc#1181640)
Changes:
- Shortname aliasing support has now been turned on by default. All Podman
commands that must pull an image will, if a TTY is available, prompt the
user about what image to pull.
- The `podman load` command no longer accepts a `NAME[:TAG]` argument. The
presence of this argument broke CLI compatibility with Docker by making
`docker load` commands unusable with Podman .
- The Go bindings for the HTTP API have been rewritten with a focus on
limiting dependency footprint and improving extensibility. Read more
[here].
- The legacy Varlink API has been completely removed from Podman.
- The default log level for Podman has been changed from Error to Warn.
- The `podman network create` command can now create `macvlan` networks
using the `--driver macvlan` option for Docker compatibility. The
existing `--macvlan` flag has been deprecated and will be removed in
Podman 4.0 some time next year.
- The `podman inspect` command has had the `LogPath` and `LogTag` fields
moved into the `LogConfig` structure (from the root of the Inspect
structure). The maximum size of the log file is also included.
- The `podman generate systemd` command no longer generates unit files
using the deprecated `KillMode=none` option .
- The `podman stop` command now releases the container lock while waiting
for it to stop - as such, commands like `podman ps` will no longer block
until `podman stop` completes .
- Networks created with `podman network create --internal` no longer use
the `dnsname` plugin. This configuration never functioned as expected.
- Error messages for the remote Podman client have been improved when it
cannot connect to a Podman service.
- Error messages for `podman run` when an invalid SELinux is specified
have been improved.
- Rootless Podman features improved support for containers with a single
user mapped into the rootless user namespace.
- Pod infra containers now respect default sysctls specified in
`containers.conf` allowing for advanced configuration of the namespaces
they will share.
- SSH public key handling for remote Podman has been improved. ### Bugfixes
- Fixed a bug where the `podman history --no-trunc` command would truncate
the `Created By` field .
- Fixed a bug where root containers that did not explicitly specify a CNI
network to join did not generate an entry for the network in use in the
`Networks` field of the output of `podman inspect` .
- Fixed a bug where, under some circumstances, container working
directories specified by the image (via the `WORKDIR` instruction) but
not present in the image, would not be created .
- Fixed a bug where the `podman generate systemd` command would generate
invalid unit files if the container was creating using a command line
that included doubled braces (`{{` and `}}`), e.g.
`--log-opt-tag={{.Name}}` .
- Fixed a bug where the `podman generate systemd --new` command could
generate unit files including invalid Podman commands if the container
was created using merged short options (e.g. `podman run -dt`) .
- Fixed a bug where the `podman generate systemd --new` command could
generate unit files that did not handle Podman commands including some
special characters (e.g. `$`) ([#9176]
- Fixed a bug where rootless containers joining CNI networks could not set
a static IP address .
- Fixed a bug where rootless containers joining CNI networks could not set
network aliases .
- Fixed a bug where the remote client could, under some circumstances, not
include the `Containerfile` when sending build context to the server .
- Fixed a bug where rootless Podman did not mount `/sys` as a new `sysfs`
in some circumstances where it was acceptable.
- Fixed a bug where rootless containers that both joined a user namespace
and a CNI networks would cause a segfault. These options are
incompatible and now return an error.
- Fixed a bug where the `podman play kube` command did not properly handle
`CMD` and `ARGS` from images .
- Fixed a bug where the `podman play kube` command did not properly handle
environment variables from images .
- Fixed a bug where the `podman play kube` command did not properly print
errors that occurred when starting containers.
- Fixed a bug where the `podman play kube` command errored when
`hostNetwork` was used .
- Fixed a bug where the `podman play kube` command would always pull
images when the `:latest` tag was specified, even if the image was
available locally .
- Fixed a bug where the `podman play kube` command did not properly handle
SELinux configuration, rending YAML with custom SELinux configuration
unusable .
- Fixed a bug where the `podman generate kube` command incorrectly
populated the `args` and `command` fields of generated YAML .
- Fixed a bug where containers in a pod would create a duplicate entry in
the pod's shared `/etc/hosts` file every time the container restarted .
- Fixed a bug where the `podman search --list-tags` command did not
support the `--format` option .
- Fixed a bug where the `http_proxy` option in `containers.conf` was not
being respected, and instead was set unconditionally to true .
- Fixed a bug where rootless Podman could, on systems with a recent Conmon
and users with a long username, fail to attach to containers .
- Fixed a bug where the `podman images` command would break and fail to
display any images if an empty manifest list was present in storage .
- Fixed a bug where locale environment variables were not properly passed
on to Conmon.
- Fixed a bug where Podman would not build on the MIPS architecture .
- Fixed a bug where rootless Podman could fail to properly configure user
namespaces for rootless containers when the user specified a `--uidmap`
option that included a mapping beginning with UID `0`.
- Fixed a bug where the `podman logs` command using the `k8s-file` backend
did not properly handle partial log lines with a length of 1 .
- Fixed a bug where the `podman logs` command with the `--follow` option
did not properly handle log rotation .
- Fixed a bug where user-specified `HOSTNAME` environment variables were
overwritten by Podman .
- Fixed a bug where Podman would applied default sysctls from
`containers.conf` in too many situations (e.g. applying network sysctls
when the container shared its network with a pod).
- Fixed a bug where Podman did not properly handle cases where a secondary
image store was in use and an image was present in both the secondary
and primary stores .
- Fixed a bug where systemd-managed rootless Podman containers where the
user in the container was not root could fail as the container's PID
file was not accessible to systemd on the host .
- Fixed a bug where the `--privileged` option to `podman run` and `podman
create` would, under some circumstances, not disable Seccomp .
- Fixed a bug where the `podman exec` command did not properly add
capabilities when the container or exec session were run with
`--privileged`.
- Fixed a bug where rootless Podman would use the `--enable-sandbox`
option to `slirp4netns` unconditionally, even when `pivot_root` was
disabled, rendering `slirp4netns` unusable when `pivot_root` was
disabled .
- Fixed a bug where `podman build --logfile` did not actually write the
build's log to the logfile.
- Fixed a bug where the `podman system service` command did not close
STDIN, and could display user-interactive prompts .
- Fixed a bug where the `podman system reset` command could, under some
circumstances, remove all the contents of the `XDG_RUNTIME_DIR`
directory .
- Fixed a bug where the `podman network create` command created CNI
configurations that did not include a default gateway .
- Fixed a bug where the `podman.service` systemd unit provided by default
used the wrong service type, and would cause systemd to not correctly
register the service as started .
- Fixed a bug where, if the `TMPDIR` environment variable was set for the
container engine in `containers.conf`, it was being ignored.
- Fixed a bug where the `podman events` command did not properly handle
future times given to the `--until` option .
- Fixed a bug where the `podman logs` command wrote container `STDERR`
logs to `STDOUT` instead of `STDERR` .
- Fixed a bug where containers created from an image with multiple tags
would report that they were created from the wrong tag .
- Fixed a bug where container capabilities were not set properly when the
`--cap-add=all` and `--user` options to `podman create` and `podman run`
were combined.
- Fixed a bug where the `--layers` option to `podman build` was
nonfunctional .
- Fixed a bug where the `podman system prune` command did not act
recursively, and thus would leave images, containers, pods, and volumes
present that would be removed by a subsequent call to `podman system
prune` .
- Fixed a bug where the `--publish` option to `podman run` and `podman
create` did not properly handle ports specified as a range of ports with
no host port specified .
- Fixed a bug where `--format` did not support JSON output for individual
fields .
- Fixed a bug where the `podman stats` command would fail when run on root
containers using the `slirp4netns` network mode .
- Fixed a bug where the Podman remote client would ask for a password even
if the server's SSH daemon did not support password authentication .
- Fixed a bug where the `podman stats` command would fail if the system
did not support one or more of the cgroup controllers Podman supports .
- Fixed a bug where the `--mount` option to `podman create` and `podman
run` did not ignore the `consistency` mount option.
- Fixed a bug where failures during the resizing of a container's TTY
would print the wrong error.
- Fixed a bug where the `podman network disconnect` command could cause
the `podman inspect` command to fail for a container until it was
restarted .
- Fixed a bug where containers created from a read-only rootfs (using the
`--rootfs` option to `podman create` and `podman run`) would fail .
- Fixed a bug where specifying Go templates to the `--format` option to
multiple Podman commands did not support the `join` function .
- Fixed a bug where the `podman rmi` command could, when run in parallel
on multiple images, return `layer not known` errors .
- Fixed a bug where the `podman inspect` command on containers displayed
unlimited ulimits incorrectly .
- Fixed a bug where Podman would fail to start when a volume was mounted
over a directory in a container that contained symlinks that terminated
outside the directory and its subdirectories . ### API
- All Libpod Pod APIs have been modified to properly report errors with
individual containers. Cases where the operation as a whole succeeded
but individual containers failed now report an HTTP 409 error .
- The Compat API for Containers now supports the Rename and Copy APIs.
- Fixed a bug where the Compat Prune APIs (for volumes, containers, and
images) did not return the amount of space reclaimed in their responses.
- Fixed a bug where the Compat and Libpod Exec APIs for Containers would
drop errors that occurred prior to the exec session successfully
starting (e.g. a "no such file" error if an invalid executable was
passed)
- Fixed a bug where the Volumes field in the Compat Create API for
Containers was being ignored .
- Fixed a bug where the NetworkMode field in the Compat Create API for
Containers was not handling some values, e.g. `container:`, correctly.
- Fixed a bug where the Compat Create API for Containers did not set
container name properly.
- Fixed a bug where containers created using the Compat Create API
unconditionally used Kubernetes file logging (the default specified in
`containers.conf` is now used).
- Fixed a bug where the Compat Inspect API for Containers could include
container states not recognized by Docker.
- Fixed a bug where Podman did not properly clean up after calls to the
Events API when the `journald` backend was in use, resulting in a leak
of file descriptors .
- Fixed a bug where the Libpod Pull endpoint for Images could fail with an
`index out of range` error under certain circumstances .
- Fixed a bug where the Libpod Exists endpoint for Images could panic.
- Fixed a bug where the Compat List API for Containers did not support all
filters .
- Fixed a bug where the Compat List API for Containers did not properly
populate the Status field.
- Fixed a bug where the Compat and Libpod Resize APIs for Containers
ignored the height and width parameters .
- Fixed a bug where the Compat Search API for Images returned an
incorrectly-formatted JSON response .
- Fixed a bug where the Compat Load API for Images did not properly clean
up temporary files.
- Fixed a bug where the Compat Create API for Networks could panic when an
empty IPAM configuration was specified.
- Fixed a bug where the Compat Inspect and List APIs for Networks did not
include Scope.
- Fixed a bug where the Compat Wait endpoint for Containers did not
support the same wait conditions that Docker did.
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Manager Server 4.1:
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.1-2022-3312=1
- SUSE Manager Retail Branch Server 4.1:
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.1-2022-3312=1
- SUSE Manager Proxy 4.1:
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.1-2022-3312=1
- SUSE Linux Enterprise Server for SAP 15-SP2:
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2022-3312=1
- SUSE Linux Enterprise Server for SAP 15-SP1:
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2022-3312=1
- SUSE Linux Enterprise Server 15-SP2-LTSS:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2022-3312=1
- SUSE Linux Enterprise Server 15-SP2-BCL:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-BCL-2022-3312=1
- SUSE Linux Enterprise Server 15-SP1-LTSS:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2022-3312=1
- SUSE Linux Enterprise Server 15-SP1-BCL:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2022-3312=1
- SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS:
zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2022-3312=1
- SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS:
zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-ESPOS-2022-3312=1
- SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:
zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2022-3312=1
- SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:
zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2022-3312=1
- SUSE Enterprise Storage 7:
zypper in -t patch SUSE-Storage-7-2022-3312=1
- SUSE Enterprise Storage 6:
zypper in -t patch SUSE-Storage-6-2022-3312=1
- SUSE CaaS Platform 4.0:
To install this update, use the SUSE CaaS Platform 'skuba' tool. It
will inform you if it detects new updates and let you then trigger
updating of the complete cluster in a controlled way.
Package List:
- SUSE Manager Server 4.1 (noarch):
libcontainers-common-20210626-150100.3.15.1
- SUSE Manager Retail Branch Server 4.1 (noarch):
libcontainers-common-20210626-150100.3.15.1
- SUSE Manager Proxy 4.1 (noarch):
libcontainers-common-20210626-150100.3.15.1
- SUSE Linux Enterprise Server for SAP 15-SP2 (noarch):
libcontainers-common-20210626-150100.3.15.1
- SUSE Linux Enterprise Server for SAP 15-SP1 (noarch):
libcontainers-common-20210626-150100.3.15.1
- SUSE Linux Enterprise Server 15-SP2-LTSS (noarch):
libcontainers-common-20210626-150100.3.15.1
- SUSE Linux Enterprise Server 15-SP2-BCL (noarch):
libcontainers-common-20210626-150100.3.15.1
- SUSE Linux Enterprise Server 15-SP1-LTSS (noarch):
libcontainers-common-20210626-150100.3.15.1
- SUSE Linux Enterprise Server 15-SP1-BCL (noarch):
libcontainers-common-20210626-150100.3.15.1
- SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (noarch):
libcontainers-common-20210626-150100.3.15.1
- SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (noarch):
libcontainers-common-20210626-150100.3.15.1
- SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (noarch):
libcontainers-common-20210626-150100.3.15.1
- SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (noarch):
libcontainers-common-20210626-150100.3.15.1
- SUSE Enterprise Storage 7 (noarch):
libcontainers-common-20210626-150100.3.15.1
- SUSE Enterprise Storage 6 (noarch):
libcontainers-common-20210626-150100.3.15.1
- SUSE CaaS Platform 4.0 (noarch):
libcontainers-common-20210626-150100.3.15.1
References:
https://www.suse.com/security/cve/CVE-2020-14370.html
https://www.suse.com/security/cve/CVE-2020-15157.html
https://www.suse.com/security/cve/CVE-2021-20199.html
https://www.suse.com/security/cve/CVE-2021-20291.html
https://www.suse.com/security/cve/CVE-2021-3602.html
https://bugzilla.suse.com/1176804
https://bugzilla.suse.com/1177598
https://bugzilla.suse.com/1181640
https://bugzilla.suse.com/1182998
https://bugzilla.suse.com/1188520
https://bugzilla.suse.com/1189893
More information about the sle-security-updates
mailing list