SUSE-SU-2022:3312-1: moderate: Security update for libcontainers-common

sle-security-updates at lists.suse.com
Mon Sep 19 19:25:05 UTC 2022


   SUSE Security Update: Security update for libcontainers-common
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:3312-1
Rating:             moderate
References:         #1176804 #1177598 #1181640 #1182998 #1188520 
                    #1189893 
Cross-References:   CVE-2020-14370 CVE-2020-15157 CVE-2021-20199
                    CVE-2021-20291 CVE-2021-3602
CVSS scores:
                    CVE-2020-14370 (NVD) : 5.3 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
                    CVE-2020-14370 (SUSE): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
                    CVE-2020-15157 (NVD) : 6.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
                    CVE-2020-15157 (SUSE): 6.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
                    CVE-2021-20199 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
                    CVE-2021-20199 (SUSE): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
                    CVE-2021-20291 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
                    CVE-2021-20291 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
                    CVE-2021-3602 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-3602 (SUSE): 5.6 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

Affected Products:
                    SUSE CaaS Platform 4.0
                    SUSE Enterprise Storage 6
                    SUSE Enterprise Storage 7
                    SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
                    SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS
                    SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS
                    SUSE Linux Enterprise Server 15-SP1-BCL
                    SUSE Linux Enterprise Server 15-SP1-LTSS
                    SUSE Linux Enterprise Server 15-SP2-BCL
                    SUSE Linux Enterprise Server 15-SP2-LTSS
                    SUSE Linux Enterprise Server for SAP 15-SP1
                    SUSE Linux Enterprise Server for SAP 15-SP2
                    SUSE Manager Proxy 4.1
                    SUSE Manager Retail Branch Server 4.1
                    SUSE Manager Server 4.1
______________________________________________________________________________

   An update that solves 5 vulnerabilities and has one errata
   is now available.

Description:

   This update for libcontainers-common fixes the following issues:

   libcontainers-common was updated:

   - common component was updated to 0.44.0.
   - storage component was updated to 1.36.0.
   - image component was updated to 5.16.0.
   - podman component was updated to 3.3.1.

   3.3.1:

   Bugfixes:

   - Fixed a bug where unit files created by `podman generate systemd` could
     not clean up shut-down containers when stopped by `systemctl stop`.
   - Fixed a bug where `podman machine` commands would not properly locate
     the `gvproxy` binary in some circumstances.
   - Fixed a bug where containers created as part of a pod using the
     `--pod-id-file` option would not join the pod's network namespace.
   - Fixed a bug where Podman, when using the systemd cgroups driver, could
     sometimes leak dbus sessions.
   - Fixed a bug where the `until` filter to `podman logs` and `podman
     events` was improperly handled, requiring input to be negated.
   - Fixed a bug where rootless containers using CNI networking run on
     systems using `systemd-resolved` for DNS would fail to start if resolved
     symlinked `/etc/resolv.conf` to an absolute path.

   API:

   - A large number of potential file descriptor leaks from improperly
     closing client connections have been fixed.

   3.3.0:

   Features:

   - Containers inside VMs created by `podman machine` will now automatically
     handle port forwarding - containers in `podman machine` VMs that publish
     ports via `--publish` or `--publish-all` will have these ports not just
     forwarded on the VM, but also on the host system.
   - The `podman play kube` command's `--network` option now accepts advanced
     network options (e.g. `--network slirp4netns:port_handler=slirp4netns`).
   - The `podman play kube` command now supports Kubernetes liveness probes,
     which will be created as Podman healthchecks.
   - Podman now provides a systemd unit, `podman-restart.service`, which,
     when enabled, will restart all containers that were started with
     `--restart=always` after the system reboots.
   - Rootless Podman can now be configured to use CNI networking by default
     by using the `rootless_networking` option in `containers.conf`.
   - Images can now be pulled using `image:tag@digest` syntax (e.g. `podman
     pull fedora:34@sha256:1b0d4ddd99b1a8c8a80e885aafe6034c95f266da44ead992aab388e6aa91611a`).
   - The `podman container checkpoint` and `podman container restore`
     commands can now be used to checkpoint containers that are in pods, and
     restore those containers into pods.
   - The `podman container restore` command now features a new option,
     `--publish`, to change the ports that are forwarded to a container that
     is being restored from an exported checkpoint.
   - The `podman container checkpoint` command now features a new option,
     `--compress`, to specify the compression algorithm that will be used on
     the generated checkpoint.
   - The `podman pull` command can now pull multiple images at once (e.g.
     `podman pull fedora:34 ubi8:latest` will pull both specified images).
   - The `podman cp` command can now copy files from one container into
     another directly (e.g. `podman cp containera:/etc/hosts
     containerb:/etc/`).
   - The `podman cp` command now supports a new option, `--archive`, which
     controls whether copied files will be chown'd to the UID and GID of the
     user of the destination container.
   - The `podman stats` command now provides two additional metrics: Average
     CPU, and CPU time.
   - The `podman pod create` command supports a new flag, `--pid`, to specify
     the PID namespace of the pod. If specified, containers that join the pod
     will automatically share its PID namespace.
   - The `podman pod create` command supports a new flag, `--infra-name`,
     which allows the name of the pod's infra container to be set.
   - The `podman auto-update` command has had its output reformatted - it is
     now much clearer what images were pulled and what containers were
     updated.
   - The `podman auto-update` command now supports a new option, `--dry-run`,
     which reports what would be updated but does not actually perform the
     update.
   - The `podman build` command now supports a new option, `--secret`, to
     mount secrets into build containers.
   - The `podman manifest remove` command now has a new alias, `podman
     manifest rm`.
   - The `podman login` command now supports a new option, `--verbose`, to
     print detailed information about where the credentials entered were
     stored.
   - The `podman events` command now supports a new event, `exec_died`, which
     is produced when an exec session exits, and includes the exit code of
     the exec session.
   - The `podman system connection add` command now supports adding
     connections that connect using the `tcp://` and `unix://` URL schemes.
   - The `podman system connection list` command now supports a new flag,
     `--format`, to determine how the output is printed.
   - The `podman volume prune` and `podman volume ls` commands' `--filter`
     option now support a new filter, `until`, that matches volumes created
     before a certain time.
   - The `podman ps --filter` option's `network` filter now accepts a new
     value: `container:`, which matches containers that share a network
     namespace with a specific container.
   - The `podman diff` command can now accept two arguments, allowing two
     images or two containers to be specified; the diff between the two will
     be printed.
   - Podman can now optionally copy-up content from containers into volumes
     mounted into those containers earlier (at creation time, instead of at
     runtime) via the `prepare_on_create` option in `containers.conf`.
   - A new option, `--gpus`, has been added to `podman create` and `podman
     run` as a no-op for better compatibility with Docker. If the
     nvidia-container-runtime package is installed, GPUs should be
     automatically added to containers without using the flag.
   - If an invalid subcommand is provided, similar commands to try will now
     be suggested in the error message.

   Changes:

   - The `podman system reset` command now removes non-Podman (e.g. Buildah
     and CRI-O) containers as well.
   - The new port forwarding offered by `podman machine` requires [gvproxy]
     in order to function.
   - Podman will now automatically create the default CNI network if it does
     not exist, for both root and rootless users. This will only be done once
     per user - if the network is subsequently removed, it will not be
     recreated.
   - The `install.cni` makefile option has been removed. It is no longer
     required to distribute the default `87-podman.conflist` CNI
     configuration file, as Podman will now automatically create it.
   - The `--root` option to Podman will not automatically clear all default
     storage options when set. Storage options can be set manually using
     `--storage-opt`.
   - The output of `podman system connection list` is now deterministic, with
     connections being sorted alphabetically by their name.
   - The auto-update service (`podman-auto-update.service`) has had its
     default timer adjusted so it now starts at a random time up to 15
     minutes after midnight, to help prevent system congestion from numerous
     daily services run at once.
   - Systemd unit files generated by `podman generate systemd` now depend on
     `network-online.target` by default.
   - Systemd unit files generated by `podman generate systemd` now use
     `Type=notify` by default, instead of using PID files.
   - The `podman info` command's logic for detecting package versions on
     Gentoo has been improved, and should be significantly faster.

   Bugfixes:

   - Fixed a bug where the `podman play kube` command did not perform SELinux
     relabelling of volumes specified with a `mountPath` that included the
     `:z` or `:Z` options.
   - Fixed a bug where the `podman play kube` command would ignore the `USER`
     and `EXPOSE` directives in images.
   - Fixed a bug where the `podman play kube` command would only accept
     lowercase pull policies.
   - Fixed a bug where named volumes mounted into containers with the `:z` or
     `:Z` options were not appropriately relabelled for access from the
     container.
   - Fixed a bug where the `podman logs -f` command, with the `journald` log
     driver, could sometimes fail to pick up the last line of output from a
     container.
   - Fixed a bug where running `podman rm` on a container created with the
     `--rm` option would occasionally emit an error message saying the
     container failed to be removed, when it was successfully removed.
   - Fixed a bug where starting a Podman container would segfault if the
     `LISTEN_PID` and `LISTEN_FDS` environment variables were set, but
     `LISTEN_FDNAMES` was not.
   - Fixed a bug where exec sessions in containers were sometimes not cleaned
     up when run without `-d` and when the associated `podman exec` process
     was killed before completion.
   - Fixed a bug where `podman system service` could, when run in a systemd
     unit file with sdnotify in use, drop some connections when it was
     starting up.
   - Fixed a bug where containers run using the REST API using the
     `slirp4netns` network mode would leave zombie processes that were not
     cleaned up until `podman system service` exited.
   - Fixed a bug where the `podman system service` command would leave zombie
     processes after its initial launch that were not cleaned up until it
     exited.
   - Fixed a bug where VMs created by `podman machine` could not be started
     after the host system restarted.
   - Fixed a bug where the `podman pod ps` command would not show headers for
     optional information (e.g. container names when the `--ctr-names` option
     was given).
   - Fixed a bug where the remote Podman client's `podman create` and `podman
     run` commands would ignore timezone configuration from the server's
     `containers.conf` file.
   - Fixed a bug where the remote Podman client's `podman build` command
     would only respect `.containerignore` and not `.dockerignore` files
     (when both are present, `.containerignore` will be preferred).
   - Fixed a bug where the remote Podman client's `podman build` command
     would fail to send the Dockerfile being built to the server when it was
     excluded by the `.dockerignore` file, resulting in an error.
   - Fixed a bug where the remote Podman client's `podman build` command
     could unexpectedly stop streaming the output of the build.
   - Fixed a bug where the remote Podman client's `podman build` command
     would fail to build when run on Windows.
   - Fixed a bug where the `podman manifest create` command accepted at most
     two arguments (an arbitrary number of images are allowed as arguments,
     which will be added to the manifest).
   - Fixed a bug where named volumes would not be properly chowned to the UID
     and GID of the directory they were mounted over when first mounted into
     a container.
   - Fixed a bug where named volumes created using a volume plugin would be
     removed from Podman, even if the plugin reported a failure to remove the
     volume.
   - Fixed a bug where the remote Podman client's `podman exec -i` command
     would hang when input was provided via shell redirection (e.g. `podman
     --remote exec -i foo cat <<<"hello"`).
   - Fixed a bug where containers created with `--rm` were not immediately
     removed after being started by `podman start` if they failed to start.
   - Fixed a bug where the `--storage-opt` flag to `podman create` and
     `podman run` was nonfunctional.
   - Fixed a bug where the `--device-cgroup-rule` option to `podman create`
     and `podman run` was nonfunctional.
   - Fixed a bug where the `--tls-verify` option to `podman manifest push`
     was nonfunctional.
   - Fixed a bug where the `podman import` command could, in some
     circumstances, produce empty images.
   - Fixed a bug where images pulled using the `docker-daemon:` transport had
     the wrong registry (`localhost` instead of `docker.io/library`).
   - Fixed a bug where operations that pruned images (`podman image prune`
     and `podman system prune`) would prune untagged images with children.
   - Fixed a bug where dual-stack networks created by `podman network create`
     did not properly auto-assign an IPv4 subnet when one was not explicitly
     specified.
   - Fixed a bug where port forwarding using the `rootlessport` port
     forwarder would break when a network was disconnected and then
     reconnected.
   - Fixed a bug where Podman would ignore user-specified SELinux policies
     for containers using the Kata OCI runtime, or containers using systemd
     as PID 1.
   - Fixed a bug where Podman containers created using `--net=host` would add
     an entry to `/etc/hosts` for the container's hostname pointing to
     `127.0.1.1`.
   - Fixed a bug where the `podman unpause --all` command would throw an
     error for every container that was not paused.
   - Fixed a bug where timestamps for the `since` and `until` filters using
     Unix timestamps with a nanoseconds portion could not be parsed.
   - Fixed a bug where the `podman info` command would sometimes print the
     wrong path for the `slirp4netns` binary.
   - Fixed a bug where rootless Podman containers joined to a CNI network
     would not have functional DNS when the host used systemd-resolved
     without the resolved stub resolver being enabled.
   - Fixed a bug where `podman network connect` and `podman network
     disconnect` of rootless containers could sometimes break port forwarding
     to the container.
   - Fixed a bug where joining a container to a CNI network by ID and adding
     network aliases to this network would cause the container to fail to
     start.

   API:

   - Fixed a bug where the Compat List endpoint for Containers included
     healthcheck information for all containers, even those that did not have
     a configured healthcheck.
   - Fixed a bug where the Compat Create endpoint for Containers would fail
     to create containers with the `NetworkMode` parameter set to `default`.
   - Fixed a bug where the Compat Create endpoint for Containers did not
     properly handle healthcheck commands.
   - Fixed a bug where the Compat Wait endpoint for Containers would always
     send an empty string error message when no error occurred.
   - Fixed a bug where the Libpod Stats endpoint for Containers would not
     error when run on rootless containers on cgroups v1 systems (nonsensical
     results would be returned, as this configuration is not supportable).
   - Fixed a bug where the Compat List endpoint for Images omitted the
     `ContainerConfig` field.
   - Fixed a bug where the Compat Build endpoint for Images was too strict
     when validating the `Content-Type` header, rejecting content that Docker
     would have accepted.
   - Fixed a bug where the Compat Pull endpoint for Images could fail, but
     return a 200 status code, if an image name that could not be parsed was
     provided.
   - Fixed a bug where the Compat Pull endpoint for Images would continue to
     pull images after the client disconnected.
   - Fixed a bug where the Compat List endpoint for Networks would fail for
     non-bridge (e.g. macvlan) networks.
   - Fixed a bug where the Libpod List endpoint for Networks would return
     nil, instead of an empty list, when no networks were present.
   - The Compat and Libpod Logs endpoints for Containers now support the
     `until` query parameter.
   - The Compat Import endpoint for Images now supports the `platform`,
     `message`, and `repo` query parameters.
   - The Compat Pull endpoint for Images now supports the `platform` query
     parameter.

   Misc:

   - Updated Buildah to v1.22.3
   - Updated the containers/storage library to v1.34.1
   - Updated the containers/image library to v5.15.2
   - Updated the containers/common library to v0.42.1

   storage was updated to 1.36.0.

   Updated image to 5.16.0.

   Update podman to 3.2.3:

   Security:

   - This release addresses CVE-2021-3602, an issue with the `podman build`
     command with the `--isolation chroot` flag that results in environment
     variables from the host leaking into build containers. (bsc#1188520)
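   As an added example (not part of the SUSE advisory and not the Podman
   project's own code), the following script is a regression check a defender
   can run after applying the update: it exports a uniquely named canary
   variable on the host, runs a `podman build --isolation chroot` whose only
   step dumps the build environment, and reports whether the canary is visible
   inside the build. The canary prefix, the function names and the alpine base
   image are assumptions; the env listing used in the offline check is
   constructed.

```shell
#!/bin/sh
# Added example, not from the SUSE advisory or the Podman project.
# Regression check for the CVE-2021-3602 behaviour: export a uniquely named
# canary variable on the host, run a chroot-isolated build whose only step
# dumps its environment, and report whether the canary is visible inside it.
# CANARY_PREFIX, the function names and the base image are assumptions.
set -eu

CANARY_PREFIX="HOST_ENV_CANARY_"

# leaked_names PREFIX: read NAME=value lines on stdin and print every NAME
# that starts with PREFIX. Returns 0 if at least one leaked, 1 if none did,
# so it can be used directly as an `if` condition.
leaked_names() {
    prefix=$1
    found=1
    while IFS= read -r line; do
        case $line in
            "$prefix"*=*)
                printf '%s\n' "${line%%=*}"
                found=0
                ;;
        esac
    done
    return "$found"
}

# check_build_isolation: run the real build and grade it with leaked_names.
# The RUN step's output is part of `podman build` output, so the env listing
# from inside the build can be piped straight into the checker.
check_build_isolation() {
    canary="${CANARY_PREFIX}$(date +%s)"
    export "$canary=probe-value"
    tmpdir=$(mktemp -d)
    printf 'FROM docker.io/library/alpine\nRUN env\n' > "$tmpdir/Containerfile"
    if podman build --no-cache --isolation chroot "$tmpdir" 2>&1 \
        | leaked_names "$CANARY_PREFIX"; then
        echo "FAIL: host environment visible inside chroot-isolated build"
        rm -rf "$tmpdir"
        return 1
    fi
    echo "OK: $canary not visible inside the build"
    rm -rf "$tmpdir"
}

# Only run the live check when podman is installed; leaked_names itself can
# be exercised offline with a constructed env listing.
if command -v podman >/dev/null 2>&1; then
    check_build_isolation
fi
```

   The check uses a timestamped canary rather than a fixed name so that a
   stale value from an earlier run cannot produce a false positive, and it
   passes `--no-cache` so the `RUN env` step is actually executed rather than
   served from a cached layer.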

   Bugfixes:

   - Fixed a bug where events related to images could occur before the
     relevant operation had completed (e.g. an image pull event could be
     written before the pull was finished).
   - Fixed a bug where `podman save` would refuse to save images with an
     architecture different from that of the host.
   - Fixed a bug where the `podman import` command did not correctly handle
     images without tags.
   - Fixed a bug where Podman's journald events backend would fail and
     prevent Podman from running when run on a host with systemd as PID1 but
     in an environment (e.g. a container) without systemd.
   - Fixed a bug where containers using rootless CNI networking would fail to
     start when the `dnsname` CNI plugin was in use and the host system's
     `/etc/resolv.conf` was a symlink ([#10855] and
     [#10929](https://github.com/containers/podman/issues/10929)).
   - Fixed a bug where containers using rootless CNI networking could fail to
     start due to a race in rootless CNI initialization.

   Update podman to 3.2.2

   3.2.2:

   - Podman's handling of the Architecture field of images has been relaxed.
     Since 3.2.0, Podman required that the architecture of the image match
     the architecture of the system to run containers based on an image, but
     images often incorrectly report architecture, causing Podman to reject
     valid images ([#10648] and
     [#10682](https://github.com/containers/podman/issues/10682)).
   - Podman no longer uses inotify to monitor for changes to CNI
     configurations. This removes potential issues where Podman cannot be run
     because a user has exhausted their available inotify sessions.

   Bugfixes:

   - Fixed a bug where `podman cp` would, when given a directory as its
     source and a target that existed and was a file, copy the contents of
     the directory into the parent directory of the file; this now results in
     an error.
   - Fixed a bug where the `podman logs` command would, when following a
     running container's logs, not include the last line of output from the
     container when it exited when the `k8s-file` driver was in use.
   - Fixed a bug where Podman would fail to run containers if
     `systemd-resolved` was incorrectly detected as the system's DNS server.
   - Fixed a bug where the `podman exec -t` command would only resize the
     exec session's TTY after the session started, leading to a race
     condition where the terminal would initially not have a size set.
   - Fixed a bug where Podman containers using the `slirp4netns` network mode
     would add an incorrect entry to `/etc/hosts` pointing the container's
     hostname to the wrong IP address.
   - Fixed a bug where Podman would create volumes specified by images with
     incorrect permissions ([#10188] and
     [#10606](https://github.com/containers/podman/issues/10606)).
   - Fixed a bug where Podman would not respect the `uid` and `gid` options
     to `podman volume create -o`.
   - Fixed a bug where the `podman run` command could panic when parsing the
     system's cgroup configuration.
   - Fixed a bug where the remote Podman client's `podman build -f - ...`
     command did not read a Containerfile from STDIN.
   - Fixed a bug where the `podman container restore --import` command would
     fail to restore checkpoints created from privileged containers.
   - Fixed a bug where Podman was not respecting the `TMPDIR` environment
     variable when pulling images.
   - Fixed a bug where a number of Podman commands did not properly support
     using Go templates as an argument to the `--format` option.

   API:

   - Fixed a bug where the Compat Inspect endpoint for Containers did not
     include information on container healthchecks.
   - Fixed a bug where the Libpod and Compat Build endpoints for Images did
     not properly handle the `devices` query parameter.

   Misc:

   - Fixed a bug where the Makefile's `make podman-remote-static` target to
     build a statically-linked `podman-remote` binary was instead producing
     dynamic binaries.
   - Updated the containers/common library to v0.38.11

   3.2.1:

   Changes:

   - Podman now allows corrupt images (e.g. from restarting the system during
     an image pull) to be replaced by a `podman pull` of the same image
     (instead of requiring they be removed first, then re-pulled).

   Bugfixes:

   - Fixed a bug where Podman would fail to start containers if a Seccomp
     profile was not available at `/usr/share/containers/seccomp.json`.
   - Fixed a bug where the `podman machine start` command failed on OS X
     machines with the AMD64 architecture and certain QEMU versions.
   - Fixed a bug where Podman would always use the slow path for joining the
     rootless user namespace.
   - Fixed a bug where the `podman stats` command would fail on Cgroups v1
     systems when run on a container running systemd.
   - Fixed a bug where pre-checkpoint support for `podman container
     checkpoint` did not function correctly.
   - Fixed a bug where the remote Podman client's `podman build` command did
     not properly handle the `-f` option.
   - Fixed a bug where the remote Podman client's `podman run` command would
     sometimes not resize the container's terminal before execution began.
   - Fixed a bug where the `--filter` option to the `podman image prune`
     command was nonfunctional.
   - Fixed a bug where the `podman logs -f` command would exit before all
     output for a container was printed when the `k8s-file` log driver was in
     use.
   - Fixed a bug where Podman would not correctly detect that
     systemd-resolved was in use on the host and adjust DNS servers in the
     container appropriately under some circumstances.
   - Fixed a bug where the `podman network connect` and `podman network
     disconnect` commands acted improperly when containers were in the
     Created state, marking the changes as done but not actually performing
     them.

   API:

   - Fixed a bug where the Compat and Libpod Prune endpoints for Networks
     returned null, instead of an empty array, when nothing was pruned.
   - Fixed a bug where the Create API for Images would continue to pull
     images even if a client closed the connection mid-pull.
   - Fixed a bug where the Events API did not include some information
     (including labels) when sending events.
   - Fixed a bug where the Events API would, when streaming was not
     requested, send at most one event.

   3.2.0:

   Features:

   - Docker Compose is now supported with rootless Podman .
   - The `podman network connect`, `podman network disconnect`, and `podman
     network reload` commands have been enabled for rootless Podman.
   - An experimental new set of commands, `podman machine`, was added to
     assist in managing virtual machines containing a Podman server. These
     are intended for easing the use of Podman on OS X by handling the
     creation of a Linux VM for running Podman.
   - The `podman generate kube` command can now be run on Podman named
     volumes (generating `PersistentVolumeClaim` YAML), in addition to pods
     and containers.
   - The `podman play kube` command now supports two new options, `--ip` and
     `--mac`, to set static IPs and MAC addresses for created pods ([#8442]
     and [#9731](https://github.com/containers/podman/issues/9731)).
   - The `podman play kube` command's support for `PersistentVolumeClaim`
     YAML has been greatly improved.
   - The `podman generate kube` command now preserves the label used by
     `podman auto-update` to identify containers to update as a Kubernetes
     annotation, and the `podman play kube` command will convert this
     annotation back into a label. This allows `podman auto-update` to be
     used with containers created by `podman play kube`.
   - The `podman play kube` command now supports Kubernetes `secretRef` YAML
     (using the secrets support from `podman secret`) for environment
     variables.
   - Secrets can now be added to containers as environment variables using
     the `type=env` option to the `--secret` flag to `podman create` and
     `podman run`.
   - The `podman start` command now supports the `--all` option, allowing all
     containers to be started simultaneously with a single command. The
     `--filter` option has also been added to filter which containers to
     start when `--all` is used.
   - Filtering containers with the `--filter` option to `podman ps` and
     `podman start` now supports a new filter, `restart-policy`, to filter
     containers based on their restart policy.
   - The `--group-add` option to rootless `podman run` and `podman create`
     now accepts a new value, `keep-groups`, which instructs Podman to retain
     the supplemental groups of the user running Podman in the created
     container. This is only supported with the `crun` OCI runtime.
   - The `podman run` and `podman create` commands now support a new option,
     `--timeout`. This sets a maximum time the container is allowed to run,
     after which it is killed .
   - The `podman run` and `podman create` commands now support a new option,
     `--pidfile`. This will create a file when the container is started
     containing the PID of the first process in the container.
   - The `podman run` and `podman create` commands now support a new option,
     `--requires`. The `--requires` option adds dependency containers -
     containers that must be running before the current container. Commands
     like `podman start` will automatically start the requirements of a
     container before starting the container itself.
   - Auto-updating containers can now be done with locally-built images, not
     just images hosted on a registry, by creating containers with the
     `io.containers.autoupdate` label set to `local`.
   - Podman now supports the [Container Device Interface] (CDI) standard.
   - Podman now adds an entry to `/etc/hosts`, `host.containers.internal`,
     pointing to the current gateway (which, for root containers, is usually
     a bridge interface on the host system) .
   - The `podman ps`, `podman pod ps`, `podman network list`, `podman secret
     list`, and `podman volume list` commands now support a `--noheading`
     option, which will cause Podman to omit the heading line including
     column names.
   - The `podman unshare` command now supports a new flag, `--rootless-cni`,
     to join the rootless network namespace. This allows commands to be run
     in the same network environment as rootless containers with CNI
     networking.
   - The `--security-opt unmask=` option to `podman run` and `podman create`
     now supports glob operations to unmask a group of paths at once (e.g.
     `podman run --security-opt unmask=/proc/* ...` will unmask all paths in
     `/proc` in the container).
   - The `podman network prune` command now supports a `--filter` option to
     filter which networks will be pruned. ### Changes
   - The change in Podman 3.1.2 where the `:z` and `:Z` mount options for
     volumes were ignored for privileged containers has been reverted after
     discussion in [#10209].
   - Podman's rootless CNI functionality no longer requires a sidecar
     container! The removal of the requirement for the `rootless-cni-infra`
     container means that rootless CNI is now usable on all architectures,
     not just AMD64, and no longer requires pulling an image .
   - The Image handling code used by Podman has seen a major rewrite to
     improve code sharing with our other projects, Buildah and CRI-O. This
     should result in fewer bugs and performance gains in the long term. Work
     on this is still ongoing.
   - The `podman auto-update` command now prunes previous versions of images
     after updating if they are unused, to prevent disk exhaustion after
     repeated updates .
   - The `podman play kube` now treats environment variables configured as
     references to a `ConfigMap` as mandatory unless the `optional` parameter
     was set; this better matches the behavior of Kubernetes.
   - Podman now supports the `--context=default` flag from Docker as a no-op
     for compatibility purposes.
   - When Podman is run as root, but without `CAP_SYS_ADMIN` being available,
     it will run in a user namespace using the same code as rootless Podman
     (instead of failing outright).
   - The `podman info` command now includes the path of the Seccomp profile
     Podman is using, available cgroup controllers, and whether Podman is
     connected to a remote service or running containers locally.
   - Containers created with the `--rm` option now automatically use the
     `volatile` storage flag when available for their root filesystems,
     causing them not to write changes to disk as often as they will be
     removed at completion anyway. This should result in improved
     performance.
   - The `podman generate systemd --new` command will now include environment
     variables referenced by the container in generated unit files if the
     value would be looked up from the system environment.
   - Podman now requires that Conmon v2.0.24 be available.

   Bugfixes:

   - Fixed a bug where the remote Podman client's `podman build` command did
     not support the `--arch`, `--platform`, and `--os` options.
   - Fixed a bug where the remote Podman client's `podman build` command
     ignored the `--rm=false` option.
   - Fixed a bug where the remote Podman client's `podman build --iidfile`
     command could include extra output (in addition to just the image ID) in
     the image ID file written.
   - Fixed a bug where the remote Podman client's `podman build` command did
     not preserve hardlinks when moving files into the container via `COPY`
     instructions.
   - Fixed a bug where the `podman generate systemd --new` command could
     generate extra `--iidfile` arguments if the container was already
     created with one.
   - Fixed a bug where the `podman generate systemd --new` command would
     generate unit files that did not include `RequiresMountsFor` lines.
   - Fixed a bug where the `podman generate kube` command produced incorrect
     YAML for containers which bind-mounted both `/` and `/root` from the
     host system into the container.
   - Fixed a bug where pods created by `podman play kube` from YAML that
     specified `ShareProcessNamespace` would only share the PID namespace
     (and not also the UTS, Network, and IPC namespaces).
   - Fixed a bug where the `podman network reload` command could generate
     spurious error messages when `iptables-nft` was in use.
   - Fixed a bug where rootless Podman could fail to attach to containers
     when the user running Podman had a large UID.
   - Fixed a bug where the `podman ps` command could fail with a `no such
     container` error due to a race condition with container removal.
   - Fixed a bug where containers using the `slirp4netns` network mode and
     setting a custom `slirp4netns` subnet while using the `rootlesskit` port
     forwarder would not be able to forward ports.
   - Fixed a bug where the `--filter ancestor=` option to `podman ps` did not
     require an exact match of the image name/ID to include a container in
     its results.
   - Fixed a bug where the `--filter until=` option to `podman image prune`
     would prune images created after the specified time (instead of before).
   - Fixed a bug where setting a custom Seccomp profile via the
     `seccomp_profile` option in `containers.conf` had no effect, and the
     default profile was used instead.
   - Fixed a bug where the `--cgroup-parent` option to `podman create` and
     `podman run` was ignored in rootless Podman on cgroups v2 systems with
     the `cgroupfs` cgroup manager.
   - Fixed a bug where the `IMAGE` and `NAME` variables in `podman container
     runlabel` were not being correctly substituted.
   - Fixed a bug where Podman could freeze when creating containers with a
     specific combination of volumes and working directory.
   - Fixed a bug where rootless Podman containers restarted by restart policy
     (e.g. containers created with `--restart=always`) would lose networking
     after being restarted.
   - Fixed a bug where the `podman cp` command could not copy files into
     containers created with the `--pid=host` flag.
   - Fixed a bug where filters to the `podman events` command could not be
     specified twice (if a filter is specified more than once, it will match
     if any of the given values match, i.e. a logical OR).
   - Fixed a bug where Podman would include IPv6 nameservers in `resolv.conf`
     in containers without IPv6 connectivity.
   - Fixed a bug where containers could not be created with static IP
     addresses when connecting to a network using the `macvlan` driver.

   API

   - Fixed a bug where the Compat Create endpoint for Containers did not
     allow advanced network options to be set.
   - Fixed a bug where the Compat Create endpoint for Containers ignored
     static IP information provided in the `IPAMConfig` block.
   - Fixed a bug where the Compat Inspect endpoint for Containers returned
     null (instead of an empty list) for Networks when the container was not
     joined to a CNI network.
   - Fixed a bug where the Compat Wait endpoint for Containers could miss
     containers exiting if they were immediately restarted.
   - Fixed a bug where the Compat Create endpoint for Volumes required that
     the user provide a name for the new volume.
   - Fixed a bug where the Libpod Info handler would sometimes not return the
     correct path to the Podman API socket.
   - Fixed a bug where the Compat Events handler used the wrong name for
     container exited events (`died` instead of `die`).
   - Fixed a bug where the Compat Push endpoint for Images could leak
     goroutines if the remote end closed the connection prematurely.


   Update storage to 1.32.5

   Update podman to 3.1.2

   3.1.2:

   Bugfixes:

   - Fixed a bug where images with empty layers were stored incorrectly,
     causing them to be unable to be pushed or saved.
   - Fixed a bug where the `podman rmi` command could fail to remove corrupt
     images from storage.
   - Fixed a bug where the remote Podman client's `podman save` command did
     not support the `oci-dir` and `docker-dir` formats.
   - Fixed a bug where volume mounts from `podman play kube` created with a
     trailing `/` in the container path were not properly superseding
     named volumes from the image.
   - Fixed a bug where Podman could fail to build on 32-bit architectures.

   Update podman to 3.1.1

   - Podman now recognizes `trace` as a valid argument to the `--log-level`
     option. Trace logging is now the most verbose level of logging
     available.
   - The `:z` and `:Z` options for volume mounts are now ignored when the
     container is privileged or is run with SELinux isolation disabled
     (`--security-opt label=disable`). This better matches Docker's
     behavior in this case.

   Bugfixes:

   - Fixed a bug where pruning images with the `podman image prune` or
     `podman system prune` commands could cause Podman to panic.
   - Fixed a bug where the `podman save` command did not properly error when
     the `--compress` flag was used with incompatible format types.
   - Fixed a bug where the `--security-opt` and `--ulimit` options to the
     remote Podman client's `podman build` command were nonfunctional.
   - Fixed a bug where the `--log-rusage` option to the remote Podman
     client's `podman build` command was nonfunctional.
   - Fixed a bug where the `podman build` command could, in some
     circumstances, use the wrong OCI runtime.
   - Fixed a bug where the remote Podman client's `podman build` command
     could return 0 despite failing.
   - Fixed a bug where the `podman container runlabel` command did not
     properly expand the `IMAGE` and `NAME` variables in the label.
   - Fixed a bug where poststop OCI hooks would be executed twice on
     containers started with the `--rm` argument.
   - Fixed a bug where rootless Podman could fail to launch containers on
     cgroups v2 systems when the `cgroupfs` cgroup manager was in use.
   - Fixed a bug where the `podman stats` command could error when statistics
     tracked exceeded the maximum size of a 32-bit signed integer.
   - Fixed a bug where rootless Podman containers run with `--userns=keepid`
     (without a `--user` flag in addition) would grant exec sessions run in
     them too many capabilities.
   - Fixed a bug where the `--authfile` option to `podman build` did not
     validate that the path given existed.
   - Fixed a bug where the `--storage-opt` option to Podman was appending to,
     instead of overriding (as is documented), the default storage options.
   - Fixed a bug where the `podman system service` connection did not
     function properly when run in a socket-activated systemd unit file as a
     non-root user.
   - Fixed a bug where the `--network` option to the `podman play kube`
     command of the remote Podman client was being ignored.
   - Fixed a bug where the `--log-driver` option to the `podman play kube`
     command was nonfunctional.

   API

   - Fixed a bug where the Libpod Create endpoint for Manifests did not
     properly validate the image the manifest was being created with.
   - Fixed a bug where the Libpod DF endpoint could, in error cases, append
     an extra null to the JSON response, causing decode errors.
   - Fixed a bug where the Libpod and Compat Top endpoint for Containers
     would return process names that included extra whitespace.
   - Fixed a bug where the Compat Prune endpoint for Containers accepted too
     many types of filter.

   Update podman to 3.1.0

   Features:

   - A set of new commands has been added to manage secrets! The `podman
     secret create`, `podman secret inspect`, `podman secret ls` and `podman
     secret rm` commands have been added to handle secrets, along with the
     `--secret` option to `podman run` and `podman create` to add secrets to
     containers. The initial driver for secrets does not support encryption -
     this will be added in a future release.
   - A new command to prune networks, `podman network prune`, has been added.
   - The `-v` option to `podman run` and `podman create` now supports a new
     volume option, `:U`, to chown the volume's source directory on the host
     to match the UID and GID of the container and prevent permissions issues.
   - Three new commands, `podman network exists`, `podman volume exists`, and
     `podman manifest exists`, have been added to check for the existence of
     networks, volumes, and manifest lists.
   - The `podman cp` command can now copy files into directories mounted as
     `tmpfs` in a running container.
   - The `podman volume prune` command will now list volumes that will be
     pruned when prompting the user whether to continue and perform the prune.
   - The Podman remote client's `podman build` command now supports the
     `--disable-compression`, `--excludes`, and `--jobs` options.
   - The Podman remote client's `podman push` command now supports the
     `--format` option.
   - The Podman remote client's `podman rm` command now supports the `--all`
     and `--ignore` options.
   - The Podman remote client's `podman search` command now supports the
     `--no-trunc` and `--list-tags` options.
   - The `podman play kube` command can now read in Kubernetes YAML from
     `STDIN` when `-` is specified as file name (`podman play kube -`),
     allowing input to be piped into the command for scripting.
   - The `podman generate systemd` command now supports a `--no-header`
     option, which disables creation of the header comment automatically
     added by Podman to generated unit files.
   - The `podman generate kube` command can now generate
     `PersistentVolumeClaim` YAML for Podman named volumes.
   - The `podman generate kube` command can now generate YAML files
     containing multiple resources (pods or deployments).

   Security:

   - This release resolves CVE-2021-20291, a deadlock vulnerability in the
     storage library caused by pulling a specially-crafted container image.
     (bsc#1196497)

   Changes:

   - The Podman remote client's `podman build` command no longer allows the
     `-v` flag to be used. Volumes are not yet supported with remote Podman
     when the client and service are on different machines.
   - The `podman kill` and `podman stop` commands now print the name given by
     the user for each container, instead of the full ID.
   - When the `--security-opt unmask=ALL` or `--security-opt
     unmask=/sys/fs/cgroup` options to `podman create` or `podman run` are
     given, Podman will mount cgroups into the container as read-write,
     instead of read-only.
   - The `podman rmi` command has been changed to better handle cases where
     an image is incomplete or corrupted, which can be caused by interrupted
     image pulls.
   - The `podman rename` command has been improved to be more atomic,
     eliminating many race conditions that could potentially render a renamed
     container unusable.
   - Detection of which OCI runtimes run using virtual machines and thus
     require custom SELinux labelling has been improved.
   - The hidden `--trace` option to `podman` has been turned into a no-op. It
     was used in very early versions for performance tracing, but has not
     been supported for some time.
   - The `podman generate systemd` command now generates `RequiresMountsFor`
     lines to ensure necessary storage directories are mounted before systemd
     starts Podman.
   - Podman will now emit a warning when `--tty` and `--interactive` are both
     passed, but `STDIN` is not a TTY. This will be made into an error in the
     next major Podman release some time next year.

   Bugfixes:

   - Fixed a bug where rootless Podman containers joined to CNI networks
     could not receive traffic from forwarded ports.
   - Fixed a bug where `podman network create` with the `--macvlan` flag did
     not honor the `--gateway`, `--subnet`, and `--opt` options.
   - Fixed a bug where the `podman generate kube` command generated invalid
     YAML for privileged containers.
   - Fixed a bug where the `podman generate kube` command could not be used
     with containers that were not running.
   - Fixed a bug where the `podman generate systemd` command could duplicate
     some parameters to Podman in generated unit files.
   - Fixed a bug where Podman did not add annotations specified in
     `containers.conf` to containers.
   - Fixed a bug where Podman did not respect the `no_hosts` default in
     `containers.conf` when creating containers.
   - Fixed a bug where the `--tail=0`, `--since`, and `--follow` options to
     the `podman logs` command did not function properly when using the
     `journald` log backend.
   - Fixed a bug where specifying more than one container to `podman logs`
     when the `journald` log backend was in use did not function correctly.
   - Fixed a bug where the `podman run` and `podman create` commands would
     panic if a memory limit was set, but the swap limit was set to unlimited.
   - Fixed a bug where the `--network` option to `podman run`, `podman
     create`, and `podman pod create` would error if the user attempted to
     specify CNI networks by ID, instead of name.
   - Fixed a bug where Podman's cgroup handling for cgroups v1 systems did
     not properly handle cases where a cgroup existed on some, but not all,
     controllers, resulting in errors from the `podman stats` command.
   - Fixed a bug where the `podman cp` command did not properly handle cases
     where `/dev/stdout` was specified as the destination (it was treated
     identically to `-`).
   - Fixed a bug where the `podman cp` command would create files with
     incorrect ownership.
   - Fixed a bug where the `podman cp` command did not properly handle cases
     where the destination directory did not exist.
   - Fixed a bug where the `podman cp` command did not properly evaluate
     symlinks when copying out of containers.
   - Fixed a bug where the `podman rm -fa` command would error when
     attempting to remove containers created with `--rm`.
   - Fixed a bug where the ordering of capabilities was nondeterministic in
     the `CapDrop` field of the output of `podman inspect` on a container.
   - Fixed a bug where the `podman network connect` command could be used
     with containers that were not initially connected to a CNI bridge
     network (e.g. containers created with `--net=host`).
   - Fixed a bug where DNS search domains required by the `dnsname` CNI
     plugin were not being added to the container's `resolv.conf` under some
     circumstances.
   - Fixed a bug where the `--ignorefile` option to `podman build` was
     nonfunctional.
   - Fixed a bug where the `--timestamp` option to `podman build` was
     nonfunctional.
   - Fixed a bug where the `--iidfile` option to `podman build` could cause
     Podman to panic if an error occurred during the build.
   - Fixed a bug where the `--dns-search` option to `podman build` was
     nonfunctional.
   - Fixed a bug where the `--pull-never` option to `podman build` was
     nonfunctional.
   - Fixed a bug where the `--build-arg` option to `podman build` would, when
     given a key but not a value, error (instead of attempting to look up the
     key as an environment variable).
   - Fixed a bug where the `--isolation` option to `podman build` in the
     remote Podman client was nonfunctional.
   - Fixed a bug where the `podman network disconnect` command could cause
     errors when the container that had a network removed was stopped and its
     network was cleaned up.
   - Fixed a bug where the `podman network rm` command did not properly check
     what networks a container was present in, resulting in unexpected
     behavior if `podman network connect` or `podman network disconnect` had
     been used with the network.
   - Fixed a bug where some errors with stopping a container could cause
     Podman to panic, and the container to be stuck in an unusable `stopping`
     state.
   - Fixed a bug where the `podman load` command could return 0 even in cases
     where an error occurred.
   - Fixed a bug where specifying storage options to Podman using the
     `--storage-opt` option would override all storage options. Instead,
     storage options are now overridden only when the `--storage-driver`
     option is used to override the current graph driver.
   - Fixed a bug where containers created with `--privileged` could request
     more capabilities than were available to Podman.
   - Fixed a bug where `podman commit` did not use the `TMPDIR` environment
     variable to place temporary files created during the commit.
   - Fixed a bug where remote Podman could error when attempting to resize
     short-lived containers.
   - Fixed a bug where Podman was unusable on kernels built without
     `CONFIG_USER_NS`.
   - Fixed a bug where the ownership of volumes created by `podman volume
     create` and then mounted into a container could be incorrect.
   - Fixed a bug where Podman volumes using a volume plugin could not pass
     certain options, and could not be used as non-root users.
   - Fixed a bug where the `--tz` option to `podman create` and `podman run`
     did not properly validate its input.

   API

   - Fixed a bug where the `X-Registry-Auth` header did not accept `null` as
     a valid value.
   - A new compat endpoint, `/auth`, has been added. This endpoint validates
     credentials against a registry.
   - Fixed a bug where the compat Build endpoint for Images specified labels
     using the wrong type (array vs map). Both formats will be accepted now.
   - Fixed a bug where the compat Build endpoint for Images did not report
     that it successfully tagged the built image in its response.
   - Fixed a bug where the compat Create endpoint for Images did not provide
     progress information on pulling the image in its response.
   - Fixed a bug where the compat Push endpoint for Images did not properly
     handle the destination (used a query parameter, instead of a path
     parameter).
   - Fixed a bug where the compat Push endpoint for Images did not send the
     progress of the push and the digest of the pushed image in the response
     body.
   - Fixed a bug where the compat List endpoint for Networks returned null,
     instead of an empty array (`[]`), when no networks were present.
   - Fixed a bug where the compat List endpoint for Networks returned nulls,
     instead of empty maps, for networks that do not have Labels and/or
     Options.
   - The Libpod Inspect endpoint for networks (`/libpod/network/$ID/json`)
     now has an alias at `/libpod/network/$ID`.
   - Fixed a bug where the libpod Inspect endpoint for Networks returned a
     one-element array of results, instead of a single result.
   - The Compat List endpoint for Networks now supports the legacy format for
     filters in parallel with the current filter format.
   - Fixed a bug where the compat Create endpoint for Containers did not
     properly handle tmpfs filesystems specified with options.
   - Fixed a bug where the compat Create endpoint for Containers did not
     create bind-mount source directories.
   - Fixed a bug where the compat Create endpoint for Containers did not
     properly handle the `NanoCpus` option.
   - Fixed a bug where the Libpod create endpoint for Containers had a
     misnamed field in its JSON.
   - Fixed a bug where the compat List endpoint for Containers did not
     populate information on forwarded ports.
   - Fixed a bug where the compat List endpoint for Containers did not
     populate information on container CNI networks.
   - Fixed a bug where the compat and libpod Stop endpoints for Containers
     would ignore a timeout of 0.
   - Fixed a bug where the compat and libpod Resize endpoints for Containers
     did not set the correct terminal sizes (dimensions were reversed).
   - Fixed a bug where the compat Remove endpoint for Containers would not
     return 404 when attempting to remove a container that does not exist.
   - Fixed a bug where the compat Prune endpoint for Volumes would still
     prune even if an invalid filter was specified.
   - Numerous bugs related to filters have been addressed.

   Update podman to 3.0.1

   3.0.1:

   Changes:

   - Several frequently-occurring `WARN` level log messages have been
     downgraded to `INFO` or `DEBUG` to not clutter terminal output.

   Bugfixes:

   - Fixed a bug where the `Created` field of `podman ps --format=json` was
     formatted as a string instead of a Unix timestamp (integer).
   - Fixed a bug where failing lookups of individual layers during the
     `podman images` command would cause the whole command to fail without
     printing output.
   - Fixed a bug where `--cgroups=split` did not function properly on cgroups
     v1 systems.
   - Fixed a bug where mounting a volume over a directory in the container
     that existed, but was empty, could fail.
   - Fixed a bug where mounting a volume over a directory in the container
     that existed could copy the entirety of the container's rootfs, instead
     of just the directory mounted over, into the volume.
   - Fixed a bug where Podman would treat the `--entrypoint=[""]` option to
     `podman run` and `podman create` as a literal empty string in the
     entrypoint, when instead it should have been ignored.
   - Fixed a bug where Podman would set the `HOME` environment variable to
     `""` when the container ran as a user without an assigned home directory.
   - Fixed a bug where specifying a pod infra image that had no tags (by
     using its ID) would cause `podman pod create` to panic.
   - Fixed a bug where the `--runtime` option was not properly handled by the
     `podman build` command.
   - Fixed a bug where Podman would incorrectly print an error message
     related to the remote API when the remote API was not in use and
     starting Podman failed.
   - Fixed a bug where Podman would change ownership of a container's working
     directory, even if it already existed.
   - Fixed a bug where the `podman generate systemd --new` command would
     incorrectly escape `%t` when generating the path for the PID file.
   - Fixed a bug where Podman could, when run inside a Podman container with
     the host's containers/storage directory mounted into the container,
     erroneously detect a reboot and reset container state if the temporary
     directory was not also mounted in.
   - Fixed a bug where some options of the `podman build` command (including
     but not limited to `--jobs`) were nonfunctional.

   API

   - Fixed a breaking change to the Libpod Wait API for Containers where the
     Conditions parameter changed type in Podman v3.0 .
   - Fixed a bug where the Compat Create endpoint for Containers did not
     properly handle forwarded ports that did not specify a host port.
   - Fixed a bug where the Libpod Wait endpoint for Containers could write
     duplicate headers after an error occurred.
   - Fixed a bug where the Compat Create endpoint for Images would not pull
     images that already had a matching tag present locally, even if a more
     recent version was available at the registry .
   - The Compat Create endpoint for Images has had its compatibility with
     Docker improved, allowing its use with the `docker-java` library.

   Misc

   - Updated Buildah to v1.19.4
   - Updated the containers/storage library to v1.24.6

   3.0.0:

   Features:

   - Podman now features initial support for Docker Compose.
   - Added the `podman rename` command, which allows containers to be renamed
     after they are created.
   - The Podman remote client now supports the `podman copy` command.
   - A new command, `podman network reload`, has been added. This command
     will re-configure the network of all running containers, and can be used
     to recreate firewall rules lost when the system firewall was reloaded
     (e.g. via `firewall-cmd --reload`).
   - Podman networks now have IDs. They can be seen in `podman network ls`
     and can be used when removing and inspecting networks. Existing networks
     receive IDs automatically.
   - Podman networks now also support labels. They can be added via the
     `--label` option to `network create`, and `podman network ls` can filter
     networks based on them.
   - The `podman network create` command now supports setting bridge MTU and
     VLAN through the `--opt` option.
   - The `podman container checkpoint` and `podman container restore`
     commands can now checkpoint and restore containers that include volumes.
   - The `podman container checkpoint` command now supports the
     `--with-previous` and `--pre-checkpoint` options, and the `podman
     container restore` command now supports the `--import-previous` option.
     These add support for two-step checkpointing with lowered dump times.
   - The `podman push` command can now push manifest lists. Podman will first
     attempt to push as an image, then fall back to pushing as a manifest
     list if that fails.
   - The `podman generate kube` command can now be run on multiple containers
     at once, and will generate a single pod containing all of them.
   - The `podman generate kube` and `podman play kube` commands now support
     Kubernetes DNS configuration, and will preserve custom DNS configuration
     when exporting or importing YAML.
   - The `podman generate kube` command now properly supports generating YAML
     for containers and pods created using host networking (`--net=host`).
   - The `podman kill` command now supports a `--cidfile` option to kill
     containers given a file containing the container's ID.
   - The `podman pod create` command now supports the `--net=none` option.
   - The `podman volume create` command can now specify volume UID and GID as
     options with the `UID` and `GID` fields passed to the `--opt` option.
   - Initial support has been added for Docker Volume Plugins. Podman can now
     define available plugins in `containers.conf` and use them to create
     volumes with `podman volume create --driver`.
   - The `podman run` and `podman create` commands now support a new option,
     `--platform`, to specify the platform of the image to be used when
     creating the container.
   - The `--security-opt` option to `podman run` and `podman create` now
     supports the `systempaths=unconfined` option to unrestrict access to all
     paths in the container, as well as `mask` and `unmask` options to allow
     more granular restriction of container paths.
   - The `podman stats --format` command now supports a new format specifier,
     `MemUsageBytes`, which prints the raw bytes of memory consumed by a
     container without human-readable formatting [#8945].
   - The `podman ps` command can now filter containers based on what pod they
     are joined to via the `pod` filter .
   - The `podman pod ps` command can now filter pods based on what networks
     they are joined to via the `network` filter.
   - The `podman pod ps` command can now print information on what networks a
     pod is joined to via the `.Networks` specifier to the `--format` option.
   - The `podman system prune` command now supports filtering what
     containers, pods, images, and volumes will be pruned.
   - The `podman volume prune` command now supports filtering what volumes
     will be pruned.
   - The `podman system prune` command now includes information on space
     reclaimed.
   - The `podman info` command will now properly print information about
     packages in use on Gentoo and Arch systems.
   - The `containers.conf` file now contains an option for disabling creation
     of a new kernel keyring on container creation.
   - The `podman image sign` command can now sign multi-arch images by
     producing a signature for each image in a given manifest list.
   - The `podman image sign` command, when run as rootless, now supports
     per-user registry configuration files in
     `$HOME/.config/containers/registries.d`.
   - Configuration options for `slirp4netns` can now be set system-wide via
     the `NetworkCmdOptions` configuration option in `containers.conf`.
   - The MTU of `slirp4netns` can now be configured via the `mtu=` network
     command option (e.g. `podman run --net slirp4netns:mtu=9000`).

   Security:

   - A fix for CVE-2021-20199 is included. Podman between v1.8.0 and v2.2.1
     used `127.0.0.1` as the source address for all traffic forwarded into
     rootless containers by a forwarded port; this has been changed to
     address the issue. (bsc#1181640)
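   As an added fleet-audit check (not part of the SUSE advisory or of Podman),
   the POSIX shell functions below classify a Podman version string against
   the affected range quoted above; the range is assumed inclusive at both
   ends, and Podman 3.0.0 or later is treated as carrying the fix, as the
   release notes state.

```shell
#!/bin/sh
# Added example, not part of the SUSE advisory or of Podman: classify a Podman
# version string against the CVE-2021-20199 affected range quoted above,
# v1.8.0 through v2.2.1 (assumed inclusive at both ends). Per the advisory,
# the fix ships with Podman 3.0.0, so anything at or above that is clear.

# Extract the first dotted MAJOR.MINOR.PATCH triple from strings such as
# "v2.2.1", "2.2.1-dev" or a "podman version 2.2.1" line; prints nothing
# when no such triple is present.
podman_version_normalize() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p'
}

# Turn MAJOR.MINOR.PATCH into one integer that orders like the version
# (each component is assumed to stay below 1000). Returns 1 if unparsable.
version_key() {
    v=$(podman_version_normalize "$1")
    [ -n "$v" ] || return 1
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    echo $(( major * 1000000 + minor * 1000 + patch ))
}

# Exit status: 0 = in the affected range, 1 = outside it, 2 = version unknown.
podman_affected_by_cve_2021_20199() {
    key=$(version_key "$1") || return 2
    lo=$(version_key 1.8.0)
    hi=$(version_key 2.2.1)
    [ "$key" -ge "$lo" ] && [ "$key" -le "$hi" ]
}

# Word form of the same verdict, convenient for reports and scripted checks.
cve_2021_20199_status() {
    if podman_affected_by_cve_2021_20199 "$1"; then
        echo affected
    elif [ "$?" -eq 2 ]; then
        echo unknown
    else
        echo clear
    fi
}

# Constructed sample inputs, as if gathered from `podman --version` across a
# set of hosts; not real inventory data.
for sample in "podman version 1.7.0" "v1.8.0" "2.0.6" "2.2.1-dev" \
              "podman version 3.0.0" "3.1.2" "unknown"; do
    case $(cve_2021_20199_status "$sample") in
        affected) printf '%-24s AFFECTED: rootless forwarded traffic appears to come from 127.0.0.1\n' "$sample" ;;
        unknown)  printf '%-24s UNKNOWN: no MAJOR.MINOR.PATCH version found\n' "$sample" ;;
        *)        printf '%-24s clear\n' "$sample" ;;
    esac
done
```

   On an affected host, any in-container logic that treats a `127.0.0.1` source
   address as trusted (admin endpoints, allowlists) deserves review alongside
   the update itself.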

   Changes:

   - Shortname aliasing support has now been turned on by default. All Podman
     commands that must pull an image will, if a TTY is available, prompt the
     user about what image to pull.
   - The `podman load` command no longer accepts a `NAME[:TAG]` argument. The
     presence of this argument broke CLI compatibility with Docker by making
     `docker load` commands unusable with Podman.
   - The Go bindings for the HTTP API have been rewritten with a focus on
     limiting dependency footprint and improving extensibility. Read more
     [here].
   - The legacy Varlink API has been completely removed from Podman.
   - The default log level for Podman has been changed from Error to Warn.
   - The `podman network create` command can now create `macvlan` networks
     using the `--driver macvlan` option for Docker compatibility. The
     existing `--macvlan` flag has been deprecated and will be removed in
     Podman 4.0 some time next year.
   - The `podman inspect` command has had the `LogPath` and `LogTag` fields
     moved into the `LogConfig` structure (from the root of the Inspect
     structure). The maximum size of the log file is also included.
   - The `podman generate systemd` command no longer generates unit files
     using the deprecated `KillMode=none` option.
   - The `podman stop` command now releases the container lock while waiting
     for it to stop - as such, commands like `podman ps` will no longer block
     until `podman stop` completes.
   - Networks created with `podman network create --internal` no longer use
     the `dnsname` plugin. This configuration never functioned as expected.
   - Error messages for the remote Podman client have been improved when it
     cannot connect to a Podman service.
   - Error messages for `podman run` when an invalid SELinux configuration is
     specified have been improved.
   - Rootless Podman features improved support for containers with a single
     user mapped into the rootless user namespace.
   - Pod infra containers now respect default sysctls specified in
     `containers.conf` allowing for advanced configuration of the namespaces
     they will share.
   - SSH public key handling for remote Podman has been improved.

   Bugfixes:

   - Fixed a bug where the `podman history --no-trunc` command would truncate
     the `Created By` field.
   - Fixed a bug where root containers that did not explicitly specify a CNI
     network to join did not generate an entry for the network in use in the
     `Networks` field of the output of `podman inspect`.
   - Fixed a bug where, under some circumstances, container working
     directories specified by the image (via the `WORKDIR` instruction) but
     not present in the image, would not be created.
   - Fixed a bug where the `podman generate systemd` command would generate
     invalid unit files if the container was created using a command line
     that included doubled braces (`{{` and `}}`), e.g.
     `--log-opt-tag={{.Name}}`.
   - Fixed a bug where the `podman generate systemd --new` command could
     generate unit files including invalid Podman commands if the container
     was created using merged short options (e.g. `podman run -dt`).
   - Fixed a bug where the `podman generate systemd --new` command could
     generate unit files that did not handle Podman commands including some
     special characters (e.g. `$`) (#9176).
   - Fixed a bug where rootless containers joining CNI networks could not set
     a static IP address.
   - Fixed a bug where rootless containers joining CNI networks could not set
     network aliases.
   - Fixed a bug where the remote client could, under some circumstances, not
     include the `Containerfile` when sending build context to the server.
   - Fixed a bug where rootless Podman did not mount `/sys` as a new `sysfs`
     in some circumstances where it was acceptable.
   - Fixed a bug where rootless containers that both joined a user namespace
     and a CNI network would cause a segfault. These options are
     incompatible and now return an error.
   - Fixed a bug where the `podman play kube` command did not properly handle
     `CMD` and `ARGS` from images.
   - Fixed a bug where the `podman play kube` command did not properly handle
     environment variables from images.
   - Fixed a bug where the `podman play kube` command did not properly print
     errors that occurred when starting containers.
   - Fixed a bug where the `podman play kube` command errored when
     `hostNetwork` was used.
   - Fixed a bug where the `podman play kube` command would always pull
     images when the `:latest` tag was specified, even if the image was
     available locally.
   - Fixed a bug where the `podman play kube` command did not properly handle
     SELinux configuration, rendering YAML with custom SELinux configuration
     unusable.
   - Fixed a bug where the `podman generate kube` command incorrectly
     populated the `args` and `command` fields of generated YAML.
   - Fixed a bug where containers in a pod would create a duplicate entry in
     the pod's shared `/etc/hosts` file every time the container restarted.
   - Fixed a bug where the `podman search --list-tags` command did not
     support the `--format` option.
   - Fixed a bug where the `http_proxy` option in `containers.conf` was not
     being respected, and instead was set unconditionally to true.
   - Fixed a bug where rootless Podman could, on systems with a recent Conmon
     and users with a long username, fail to attach to containers.
   - Fixed a bug where the `podman images` command would break and fail to
     display any images if an empty manifest list was present in storage.
   - Fixed a bug where locale environment variables were not properly passed
     on to Conmon.
   - Fixed a bug where Podman would not build on the MIPS architecture.
   - Fixed a bug where rootless Podman could fail to properly configure user
     namespaces for rootless containers when the user specified a `--uidmap`
     option that included a mapping beginning with UID `0`.
   - Fixed a bug where the `podman logs` command using the `k8s-file` backend
     did not properly handle partial log lines with a length of 1.
   - Fixed a bug where the `podman logs` command with the `--follow` option
     did not properly handle log rotation.
   - Fixed a bug where user-specified `HOSTNAME` environment variables were
     overwritten by Podman.
   - Fixed a bug where Podman would apply default sysctls from
     `containers.conf` in too many situations (e.g. applying network sysctls
     when the container shared its network with a pod).
   - Fixed a bug where Podman did not properly handle cases where a secondary
     image store was in use and an image was present in both the secondary
     and primary stores.
   - Fixed a bug where systemd-managed rootless Podman containers where the
     user in the container was not root could fail as the container's PID
     file was not accessible to systemd on the host.
   - Fixed a bug where the `--privileged` option to `podman run` and `podman
     create` would, under some circumstances, not disable Seccomp.
   - Fixed a bug where the `podman exec` command did not properly add
     capabilities when the container or exec session were run with
     `--privileged`.
   - Fixed a bug where rootless Podman would use the `--enable-sandbox`
     option to `slirp4netns` unconditionally, even when `pivot_root` was
     disabled, rendering `slirp4netns` unusable when `pivot_root` was
     disabled.
   - Fixed a bug where `podman build --logfile` did not actually write the
     build's log to the logfile.
   - Fixed a bug where the `podman system service` command did not close
     STDIN, and could display user-interactive prompts.
   - Fixed a bug where the `podman system reset` command could, under some
     circumstances, remove all the contents of the `XDG_RUNTIME_DIR`
     directory.
   - Fixed a bug where the `podman network create` command created CNI
     configurations that did not include a default gateway.
   - Fixed a bug where the `podman.service` systemd unit provided by default
     used the wrong service type, and would cause systemd to not correctly
     register the service as started.
   - Fixed a bug where, if the `TMPDIR` environment variable was set for the
     container engine in `containers.conf`, it was being ignored.
   - Fixed a bug where the `podman events` command did not properly handle
     future times given to the `--until` option.
   - Fixed a bug where the `podman logs` command wrote container `STDERR`
     logs to `STDOUT` instead of `STDERR`.
   - Fixed a bug where containers created from an image with multiple tags
     would report that they were created from the wrong tag.
   - Fixed a bug where container capabilities were not set properly when the
     `--cap-add=all` and `--user` options to `podman create` and `podman run`
     were combined.
   - Fixed a bug where the `--layers` option to `podman build` was
     nonfunctional.
   - Fixed a bug where the `podman system prune` command did not act
     recursively, and thus would leave images, containers, pods, and volumes
     present that would be removed by a subsequent call to `podman system
     prune`.
   - Fixed a bug where the `--publish` option to `podman run` and `podman
     create` did not properly handle ports specified as a range of ports with
     no host port specified.
   - Fixed a bug where `--format` did not support JSON output for individual
     fields.
   - Fixed a bug where the `podman stats` command would fail when run on root
     containers using the `slirp4netns` network mode.
   - Fixed a bug where the Podman remote client would ask for a password even
     if the server's SSH daemon did not support password authentication.
   - Fixed a bug where the `podman stats` command would fail if the system
     did not support one or more of the cgroup controllers Podman supports.
   - Fixed a bug where the `--mount` option to `podman create` and `podman
     run` did not ignore the `consistency` mount option.
   - Fixed a bug where failures during the resizing of a container's TTY
     would print the wrong error.
   - Fixed a bug where the `podman network disconnect` command could cause
     the `podman inspect` command to fail for a container until it was
     restarted.
   - Fixed a bug where containers created from a read-only rootfs (using the
     `--rootfs` option to `podman create` and `podman run`) would fail.
   - Fixed a bug where specifying Go templates to the `--format` option to
     multiple Podman commands did not support the `join` function.
   - Fixed a bug where the `podman rmi` command could, when run in parallel
     on multiple images, return `layer not known` errors.
   - Fixed a bug where the `podman inspect` command on containers displayed
     unlimited ulimits incorrectly.
   - Fixed a bug where Podman would fail to start when a volume was mounted
     over a directory in a container that contained symlinks that terminated
     outside the directory and its subdirectories.

   API:

   - All Libpod Pod APIs have been modified to properly report errors with
     individual containers. Cases where the operation as a whole succeeded
     but individual containers failed now report an HTTP 409 error.
   - The Compat API for Containers now supports the Rename and Copy APIs.
   - Fixed a bug where the Compat Prune APIs (for volumes, containers, and
     images) did not return the amount of space reclaimed in their responses.
   - Fixed a bug where the Compat and Libpod Exec APIs for Containers would
     drop errors that occurred prior to the exec session successfully
     starting (e.g. a "no such file" error if an invalid executable was
     passed).
   - Fixed a bug where the Volumes field in the Compat Create API for
     Containers was being ignored.
   - Fixed a bug where the NetworkMode field in the Compat Create API for
     Containers was not handling some values, e.g. `container:`, correctly.
   - Fixed a bug where the Compat Create API for Containers did not set
     container name properly.
   - Fixed a bug where containers created using the Compat Create API
     unconditionally used Kubernetes file logging (the default specified in
     `containers.conf` is now used).
   - Fixed a bug where the Compat Inspect API for Containers could include
     container states not recognized by Docker.
   - Fixed a bug where Podman did not properly clean up after calls to the
     Events API when the `journald` backend was in use, resulting in a leak
     of file descriptors.
   - Fixed a bug where the Libpod Pull endpoint for Images could fail with an
     `index out of range` error under certain circumstances.
   - Fixed a bug where the Libpod Exists endpoint for Images could panic.
   - Fixed a bug where the Compat List API for Containers did not support all
     filters.
   - Fixed a bug where the Compat List API for Containers did not properly
     populate the Status field.
   - Fixed a bug where the Compat and Libpod Resize APIs for Containers
     ignored the height and width parameters.
   - Fixed a bug where the Compat Search API for Images returned an
     incorrectly-formatted JSON response.
   - Fixed a bug where the Compat Load API for Images did not properly clean
     up temporary files.
   - Fixed a bug where the Compat Create API for Networks could panic when an
     empty IPAM configuration was specified.
   - Fixed a bug where the Compat Inspect and List APIs for Networks did not
     include Scope.
   - Fixed a bug where the Compat Wait endpoint for Containers did not
     support the same wait conditions that Docker did.


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Manager Server 4.1:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.1-2022-3312=1

   - SUSE Manager Retail Branch Server 4.1:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.1-2022-3312=1

   - SUSE Manager Proxy 4.1:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.1-2022-3312=1

   - SUSE Linux Enterprise Server for SAP 15-SP2:

      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2022-3312=1

   - SUSE Linux Enterprise Server for SAP 15-SP1:

      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2022-3312=1

   - SUSE Linux Enterprise Server 15-SP2-LTSS:

      zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2022-3312=1

   - SUSE Linux Enterprise Server 15-SP2-BCL:

      zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-BCL-2022-3312=1

   - SUSE Linux Enterprise Server 15-SP1-LTSS:

      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2022-3312=1

   - SUSE Linux Enterprise Server 15-SP1-BCL:

      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2022-3312=1

   - SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2022-3312=1

   - SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-ESPOS-2022-3312=1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2022-3312=1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2022-3312=1

   - SUSE Enterprise Storage 7:

      zypper in -t patch SUSE-Storage-7-2022-3312=1

   - SUSE Enterprise Storage 6:

      zypper in -t patch SUSE-Storage-6-2022-3312=1

   - SUSE CaaS Platform 4.0:

      To install this update, use the SUSE CaaS Platform 'skuba' tool. It
      will inform you if it detects new updates and let you then trigger
      updating of the complete cluster in a controlled way.



Package List:

   - SUSE Manager Server 4.1 (noarch):

      libcontainers-common-20210626-150100.3.15.1

   - SUSE Manager Retail Branch Server 4.1 (noarch):

      libcontainers-common-20210626-150100.3.15.1

   - SUSE Manager Proxy 4.1 (noarch):

      libcontainers-common-20210626-150100.3.15.1

   - SUSE Linux Enterprise Server for SAP 15-SP2 (noarch):

      libcontainers-common-20210626-150100.3.15.1

   - SUSE Linux Enterprise Server for SAP 15-SP1 (noarch):

      libcontainers-common-20210626-150100.3.15.1

   - SUSE Linux Enterprise Server 15-SP2-LTSS (noarch):

      libcontainers-common-20210626-150100.3.15.1

   - SUSE Linux Enterprise Server 15-SP2-BCL (noarch):

      libcontainers-common-20210626-150100.3.15.1

   - SUSE Linux Enterprise Server 15-SP1-LTSS (noarch):

      libcontainers-common-20210626-150100.3.15.1

   - SUSE Linux Enterprise Server 15-SP1-BCL (noarch):

      libcontainers-common-20210626-150100.3.15.1

   - SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (noarch):

      libcontainers-common-20210626-150100.3.15.1

   - SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (noarch):

      libcontainers-common-20210626-150100.3.15.1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (noarch):

      libcontainers-common-20210626-150100.3.15.1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (noarch):

      libcontainers-common-20210626-150100.3.15.1

   - SUSE Enterprise Storage 7 (noarch):

      libcontainers-common-20210626-150100.3.15.1

   - SUSE Enterprise Storage 6 (noarch):

      libcontainers-common-20210626-150100.3.15.1

   - SUSE CaaS Platform 4.0 (noarch):

      libcontainers-common-20210626-150100.3.15.1


References:

   https://www.suse.com/security/cve/CVE-2020-14370.html
   https://www.suse.com/security/cve/CVE-2020-15157.html
   https://www.suse.com/security/cve/CVE-2021-20199.html
   https://www.suse.com/security/cve/CVE-2021-20291.html
   https://www.suse.com/security/cve/CVE-2021-3602.html
   https://bugzilla.suse.com/1176804
   https://bugzilla.suse.com/1177598
   https://bugzilla.suse.com/1181640
   https://bugzilla.suse.com/1182998
   https://bugzilla.suse.com/1188520
   https://bugzilla.suse.com/1189893


