SUSE-CU-2023:3475-1: Security update of rancher/elemental-teal/5.4

sle-security-updates at lists.suse.com
Fri Oct 20 10:09:59 UTC 2023


SUSE Container Update Advisory: rancher/elemental-teal/5.4
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3475-1
Container Tags        : rancher/elemental-teal/5.4:1.2.2 , rancher/elemental-teal/5.4:1.2.2-3.2.1 , rancher/elemental-teal/5.4:latest
Container Release     : 3.2.1
Severity              : critical
Type                  : security
References            : 1048046 1051429 1089497 1096726 1102408 1114832 1118897 1118898
                        1118899 1121967 1123156 1123387 1124308 1131314 1131553 1135460
                        1136974 1137860 1143386 1149954 1152308 1155217 1160452 1160460
                        1162432 1164090 1164390 1165738 1167850 1168481 1170940 1171578
                        1171578 1172380 1172410 1172786 1174075 1175081 1175821 1175821
                        1175821 1175957 1179466 1179467 1179467 1181594 1181640 1181641
                        1181677 1181730 1181732 1181749 1181961 1181961 1181961 1182428
                        1182451 1182476 1182947 1182998 1183024 1183855 1184768 1184962
                        1185405 1185405 1186606 1187704 1188282 1189743 1190826 1191015
                        1191121 1191334 1191355 1191434 1192051 1193166 1193273 1193436
                        1194038 1194609 1194900 1196338 1197093 1197284 1197672 1199232
                        1199235 1199460 1199565 1199790 1200088 1200145 1200285 1200524
                        1201399 1202021 1202809 1202809 1202821 1202821 1205536 1207509
                        1208003 1208194 1208721 1209229 1209307 1209741 1210419 1210702
                        1210799 1210999 1211576 1211828 1212126 1212434 1213185 1213237
                        1213286 1213287 1213472 1213487 1213514 1213517 1213575 1213853
                        1213873 1214054 1214071 1214081 CVE-2018-15664 CVE-2018-16873
                        CVE-2018-16874 CVE-2018-16875 CVE-2019-10152 CVE-2019-16884 CVE-2019-18466
                        CVE-2019-19921 CVE-2019-5736 CVE-2019-6778 CVE-2020-10749 CVE-2020-10756
                        CVE-2020-1726 CVE-2020-1983 CVE-2020-29129 CVE-2020-29130 CVE-2020-29130
                        CVE-2021-20199 CVE-2021-20206 CVE-2021-20206 CVE-2021-20206 CVE-2021-21284
                        CVE-2021-21285 CVE-2021-21334 CVE-2021-30465 CVE-2021-30465 CVE-2021-32760
                        CVE-2021-4024 CVE-2021-41089 CVE-2021-41091 CVE-2021-41092 CVE-2021-41103
                        CVE-2021-41190 CVE-2021-43784 CVE-2022-1227 CVE-2022-1586 CVE-2022-1587
                        CVE-2022-1708 CVE-2022-21698 CVE-2022-27191 CVE-2022-27649 CVE-2022-29162
                        CVE-2022-2989 CVE-2022-2989 CVE-2022-31030 CVE-2022-41409 CVE-2023-2004
                        CVE-2023-20569 CVE-2023-20593 CVE-2023-31484 CVE-2023-32001 CVE-2023-3446
                        CVE-2023-34969 CVE-2023-36054 CVE-2023-3817 
-----------------------------------------------------------------

The container rancher/elemental-teal/5.4 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:495-1
Released:    Tue Feb 26 16:42:35 2019
Summary:     Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork, runc
Type:        security
Severity:    important
References:  1048046,1051429,1114832,1118897,1118898,1118899,1121967,1124308,CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-5736
This update for containerd, docker, docker-runc, golang-github-docker-libnetwork, runc fixes the following issues:

Security issues fixed: 

- CVE-2018-16875: Fixed a CPU Denial of Service (bsc#1118899).
- CVE-2018-16874: Fixed a vulnerability in the go get command which could allow directory traversal in GOPATH mode (bsc#1118898).
- CVE-2018-16873: Fixed a vulnerability in the go get command which could allow remote code execution when executed with -u in GOPATH mode (bsc#1118897).
- CVE-2019-5736: runc now effectively copies /proc/self/exe during re-exec to prevent write attacks on the host runc binary, which could lead to a container
  breakout (bsc#1121967).

Other changes and fixes: 

- Update shell completion to use Group: System/Shells.
- Add daemon.json file with rotation logs configuration (bsc#1114832)
- Update to Docker 18.09.1-ce (bsc#1124308) and to runc 96ec2177ae84.
  See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md.
- Update go requirements to >= go1.10 
- Use -buildmode=pie for tests and binary build (bsc#1048046 and bsc#1051429).
- Remove the usage of 'cp -r' to reduce noise in the build logs.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2223-1
Released:    Tue Aug 27 15:42:56 2019
Summary:     Security update for podman, slirp4netns and libcontainers-common
Type:        security
Severity:    moderate
References:  1096726,1123156,1123387,1135460,1136974,1137860,1143386,CVE-2018-15664,CVE-2019-10152,CVE-2019-6778

  
This is a version update for podman to version 1.4.4 (bsc#1143386).

Additional changes by SUSE on top:

- Remove fuse-overlayfs because it's (currently) an unsatisfied dependency on
  SLE (bsc#1143386)
- Update libpod.conf to use correct infra_command
- Update libpod.conf to use better versioned pause container
- Update libpod.conf to use official kubic pause container
- Update libpod.conf to match latest features set:
  detach_keys, lock_type, runtime_supports_json
- Add podman-remote varlink client

Version update podman to v1.4.4:

- Features

  - Podman now has greatly improved support for containers using multiple OCI
    runtimes. Containers now remember if they were created with a different
    runtime using --runtime and will always use that runtime
  - The cached and delegated options for volume mounts are now allowed for
    Docker compatibility (#3340)
  - The podman diff command now supports the --latest flag

- Bugfixes

  - Fixed a bug where rootless Podman would attempt to use the entire root
    configuration if no rootless configuration was present for the user,
    breaking rootless Podman for new installations
  - Fixed a bug where rootless Podman's pause process would block SIGTERM,
    preventing graceful system shutdown and hanging until the system's init
    sends SIGKILL
  - Fixed a bug where running Podman as root with sudo -E would not work after
    running rootless Podman at least once
  - Fixed a bug where options for tmpfs volumes added with the --tmpfs flag
    were being ignored
  - Fixed a bug where images with no layers could not properly be displayed
    and removed by Podman
  - Fixed a bug where locks were not properly freed on failure to create a
    container or pod
  - Fixed a bug where podman cp on a single file would create a directory at
    the target and place the file in it (#3384)
  - Fixed a bug where podman inspect --format '{{.Mounts}}' would print a
    hexadecimal address instead of a container's mounts
  - Fixed a bug where rootless Podman would not add an entry to container's
    /etc/hosts files for their own hostname (#3405)
  - Fixed a bug where podman ps --sync would segfault (#3411)
  - Fixed a bug where podman generate kube would produce an invalid ports
    configuration (#3408)

- Misc

  - Updated containers/storage to v1.12.13
  - Podman now performs much better on systems with heavy I/O load
  - The --cgroup-manager flag to podman now shows the correct default setting
    in help if the default was overridden by libpod.conf
  - For backwards compatibility, setting --log-driver=json-file in podman run
    is now supported as an alias for --log-driver=k8s-file. This is considered
    deprecated, and json-file will be moved to a new implementation in the
    future ([#3363](https://github.com/containers/libpod/issues/3363))
  - Podman's default libpod.conf file now allows the crun OCI runtime to be
    used if it is installed

Update podman to v1.4.2:

- Fixed a bug where Podman could not run containers using an older version of
  Systemd as init
- Updated vendored Buildah to v1.9.0 to resolve a critical bug with
  Dockerfile RUN instructions
- The error message for running podman kill on containers that are not
  running has been improved
- Podman remote client can now log to a file if syslog is not available
- The podman exec command now sets its error code differently based on
  whether the container does not exist, and the command in the container does
  not exist
- The podman inspect command on containers now outputs Mounts JSON that matches
  that of docker inspect, only including user-specified volumes and
  differentiating bind mounts and named volumes
- The podman inspect command now reports the path to a container's OCI spec
  with the OCIConfigPath key (only included when the container is initialized
  or running)
- The podman run --mount command now supports the bind-nonrecursive option for
  bind mounts
- Fixed a bug where podman play kube would fail to create containers due to an
  unspecified log driver
- Fixed a bug where Podman would fail to build with musl libc
- Fixed a bug where rootless Podman using slirp4netns networking in an
  environment with no nameservers on the host other than localhost would
  result in nonfunctional networking
- Fixed a bug where podman import would not properly set environment
  variables, discarding their values and retaining only keys
- Fixed a bug where Podman would fail to run when built with Apparmor support
  but run on systems without the Apparmor kernel module loaded
- Remote Podman will now default the username it uses to log in to remote
  systems to the username of the current user
- Podman now uses JSON logging with OCI runtimes that support it, allowing for
  better error reporting
- Updated vendored containers/image to v2.0
- Update conmon to v0.3.0
- Support OOM Monitor under cgroup V2
- Add config binary and make target for configuring conmon with a go library
  for importing values

Updated podman to version 1.4.0 (bsc#1137860 and bsc#1135460)

- Podman checkpoint and podman restore commands can now be
  used to migrate containers between Podman installations on
  different systems.
- The podman cp now supports pause flag.
- The remote client now supports a configuration file for
  pre-configuring connections to remote Podman installations
- CVE-2019-10152: Fixed an improper dereference of symlinks by the
  podman cp command, introduced in version 1.1.0 (bsc#1136974).
- Fixed a bug where podman commit could improperly set environment variables 
  that contained = characters
- Fixed a bug where rootless podman would sometimes fail to start
  containers with forwarded ports
- Fixed a bug where podman version on the remote client could
  segfault
- Fixed a bug where podman container runlabel would use /proc/self/exe instead of 
  the path of the Podman command when printing the command being executed
- Fixed a bug where filtering images by label did not work
- Fixed a bug where specifying a bind mount or tmpfs mount over
  an image volume would cause a container to be unable to start
- Fixed a bug where podman generate kube did not work with
  containers with named volumes
- Fixed a bug where rootless podman would receive permission
  denied errors accessing conmon.pid
- Fixed a bug where podman cp with a folder specified as target
  would replace the folder, as opposed to copying into it
- Fixed a bug where rootless Podman commands could double-unlock
  a lock, causing a crash
- Fixed a bug where podman incorrectly set tmpcopyup on /dev/
  mounts, causing errors when using the Kata containers runtime
- Fixed a bug where podman exec would fail on older kernels
- Podman commit command is now usable with the Podman remote client
- Signature-policy flag has been deprecated
- Updated vendored containers/storage and containers/image libraries 
  with numerous bugfixes
- Updated vendored Buildah to v1.8.3
- Podman now requires Conmon v0.2.0
- The podman cp command is now aliased as podman container cp
- Rootless podman will now default init_path using root Podman's
  configuration files (/etc/containers/libpod.conf and
  /usr/share/containers/libpod.conf) if not overridden in the
  rootless configuration
- Added fuse-overlayfs dependency to support overlay based rootless image
  manipulations
- The podman cp command can now read input redirected to STDIN, and output to
  STDOUT instead of a file, using - instead of an argument.
- The podman remote client now displays version information from both the
  client and server in podman version
- The podman unshare command has been added, allowing easy entry into the
  user namespace set up by rootless Podman (allowing the removal of files
  created by rootless podman, among other things)
- Fixed a bug where Podman containers with the --rm flag were removing
  created volumes when they were automatically removed
- Fixed a bug where container and pod locks were incorrectly marked as
  released after a system reboot, causing errors on container and pod removal
- Fixed a bug where Podman pods could not be removed if any container in the
  pod encountered an error during removal
- Fixed a bug where Podman pods run with the cgroupfs CGroup driver would encounter 
  a race condition during removal, potentially failing to remove the pod CGroup
- Fixed a bug where the podman container checkpoint and podman container
  restore commands were not visible in the remote client
- Fixed a bug where podman remote ps --ns would not print the container's namespaces
- Fixed a bug where removing stopped containers with healthchecks could cause an error
- Fixed a bug where the default libpod.conf file was causing parsing errors
- Fixed a bug where pod locks were not being freed when pods were removed,
  potentially leading to lock exhaustion
- Fixed a bug where 'podman run' with SD_NOTIFY set could, on short-running
  containers, create an inconsistent state rendering the container unusable
- The remote Podman client now uses the Varlink bridge to establish remote
  connections by default
- Fixed an issue with apparmor_parser (bsc#1123387)

- Update to libpod v1.4.0 (bsc#1137860):
- The podman checkpoint and podman restore commands can now be
  used to migrate containers between Podman installations on
  different systems
- The podman cp command now supports a pause flag to pause
  containers while copying into them
- The remote client now supports a configuration file for
  pre-configuring connections to remote Podman installations
- Fixed CVE-2019-10152 - The podman cp command improperly
  dereferenced symlinks in host context
- Fixed a bug where podman commit could improperly set
  environment variables that contained = characters
- Fixed a bug where rootless Podman would sometimes fail to start
  containers with forwarded ports
- Fixed a bug where podman version on the remote client could
  segfault
- Fixed a bug where podman container runlabel would use
  /proc/self/exe instead of the path of the Podman command when
  printing the command being executed
- Fixed a bug where filtering images by label did not work
- Fixed a bug where specifying a bind mount or tmpfs mount over
  an image volume would cause a container to be unable to start
- Fixed a bug where podman generate kube did not work with
  containers with named volumes
- Fixed a bug where rootless Podman would receive permission
  denied errors accessing conmon.pid
- Fixed a bug where podman cp with a folder specified as target
  would replace the folder, as opposed to copying into it
- Fixed a bug where rootless Podman commands could double-unlock
  a lock, causing a crash
- Fixed a bug where Podman incorrectly set tmpcopyup on /dev/
  mounts, causing errors when using the Kata containers runtime
- Fixed a bug where podman exec would fail on older kernels
- The podman commit command is now usable with the Podman remote
  client
- The --signature-policy flag (used with several image-related
  commands) has been deprecated
- The podman unshare command now defines two environment
  variables in the spawned shell: CONTAINERS_RUNROOT and
  CONTAINERS_GRAPHROOT, pointing to temporary and permanent
  storage for rootless containers
- Updated vendored containers/storage and containers/image
  libraries with numerous bugfixes
- Updated vendored Buildah to v1.8.3
- Podman now requires Conmon v0.2.0
- The podman cp command is now aliased as podman container cp
- Rootless Podman will now default init_path using root Podman's
  configuration files (/etc/containers/libpod.conf and
  /usr/share/containers/libpod.conf) if not overridden in the
  rootless configuration

- Update to image v1.5.1
- Vendor in latest containers/storage
- docker/docker_client: Drop redundant Domain(ref.ref) call
- pkg/blobinfocache: Split implementations into subpackages
- copy: progress bar: show messages on completion
- docs: rename manpages to *.5.command
- add container-certs.d.md manpage
- pkg/docker/config: Bring auth tests from
  docker/docker_client_test
- Don't allocate a sync.Mutex separately

Update to storage v1.12.10:

- Add function to parse out mount options from graphdriver
- Merge the disparate parts of all of the Unix-like lockfiles
- Fix unix-but-not-Linux compilation
- Return XDG_RUNTIME_DIR as RootlessRuntimeDir if set
- Cherry-pick moby/moby #39292 for CVE-2018-15664 fixes
- lockfile: add RecursiveLock() API
- Update generated files
- Fix crash on testing of aufs code
- Let consumers know when Layers and Images came from read-only stores
- chown: do not change owner for the mountpoint
- locks: correctly mark updates to the layers list
- CreateContainer: don't worry about mapping layers unless necessary
- docs: fix manpage for containers-storage.conf
- docs: sort configuration options alphabetically
- docs: document OSTree file deduplication
- Add missing options to man page for containers-storage
- overlay: use the layer idmapping if present
- vfs: prefer layer custom idmappings
- layers: propagate down the idmapping settings
- Recreate symlink when not found
- docs: fix manpage for configuration file
- docs: add special handling for manpages in sect 5
- overlay: fix single-lower test
- Recreate symlink when not found
- overlay: propagate errors from mountProgram
- utils: root in a userns uses global conf file
- Fix handling of additional stores
- Correctly check permissions on rootless directory
- Fix possible integer overflow on 32bit builds
- Evaluate device path for lvm
- lockfile test: make concurrent RW test deterministic
- lockfile test: make concurrent read tests deterministic
- drivers.DirCopy: fix filemode detection
- storage: move the logic to detect rootless into utils.go
- Don't set (struct flock).l_pid
- Improve documentation of getLockfile
- Rename getLockFile to createLockerForPath, and document it
- Add FILES section to containers-storage.5 man page
- add digest locks
- drivers/copy: add a non-cgo fallback

slirp4netns was updated to 0.3.0:

- CVE-2019-6778: Fixed a heap buffer overflow in tcp_emu() (bsc#1123156)

This update also includes:

- fuse3 and fuse-overlayfs to support rootless containers.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2810-1
Released:    Tue Oct 29 14:56:44 2019
Summary:     Security update for runc
Type:        security
Severity:    moderate
References:  1131314,1131553,1152308,CVE-2019-16884
This update for runc fixes the following issues:

Security issue fixed:

- CVE-2019-16884: Fixed an LSM bypass via malicious Docker images that mount over a /proc directory. (bsc#1152308)

Non-security issues fixed:

- Includes upstreamed patches for regressions (bsc#1131314 bsc#1131553).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:697-1
Released:    Mon Mar 16 13:17:10 2020
Summary:     Security update for cni, cni-plugins, conmon, fuse-overlayfs, podman
Type:        security
Severity:    moderate
References:  1155217,1160460,1164390,CVE-2019-18466
This update for cni, cni-plugins, conmon, fuse-overlayfs, podman fixes the following issues:

podman was updated to 1.8.0:

- CVE-2019-18466: Fixed a bug where podman cp would improperly copy files on the
  host when copying a symlink in the container that included a
  glob operator (#3829 bsc#1155217)

- The name of the cni-bridge in the default config changed from
  'cni0' to 'podman-cni0' with podman-1.6.0. Add a %trigger to
  rename the bridge in the system to the new default if it exists.
  The trigger is only executed when updating podman-cni-config
  from something older than 1.6.0. This is mainly needed for SLE
  where we're updating from 1.4.4 to 1.8.0 (bsc#1160460).

Update podman to v1.8.0 (bsc#1160460):

* Features

  - The podman system service command has been added, providing a
    preview of Podman's new Docker-compatible API. This API is
    still very new, and not yet ready for production use, but is
    available for early testing
  - Rootless Podman now uses Rootlesskit for port forwarding,
    which should greatly improve performance and capabilities
  - The podman untag command has been added to remove tags from
    images without deleting them
  - The podman inspect command on images now displays previous
    names they used
  - The podman generate systemd command now supports a --new
    option to generate service files that create and run new
    containers instead of managing existing containers
  - Support for --log-opt tag= to set logging tags has been added
    to the journald log driver
  - Added support for using Seccomp profiles embedded in images
    for podman run and podman create via the new --seccomp-policy
    CLI flag
  - The podman play kube command now honors pull policy

* Bugfixes

  - Fixed a bug where the podman cp command would not copy the
    contents of directories when paths ending in /. were given
  - Fixed a bug where the podman play kube command did not
    properly locate Seccomp profiles specified relative to
    localhost
  - Fixed a bug where the podman info command for remote Podman
    did not show registry information
  - Fixed a bug where the podman exec command did not support
    having input piped into it
  - Fixed a bug where the podman cp command with rootless Podman
    on CGroups v2 systems did not properly determine if the
    container could be paused while copying
  - Fixed a bug where the podman container prune --force command
    could possibly remove running containers if they were started
    while the command was running
  - Fixed a bug where Podman, when run as root, would not
    properly configure slirp4netns networking when requested
  - Fixed a bug where podman run --userns=keep-id did not work
    when the user had a UID over 65535
  - Fixed a bug where rootless podman run and podman create with
    the --userns=keep-id option could change permissions on
    /run/user/$UID and break KDE
  - Fixed a bug where rootless Podman could not be run in a
    systemd service on systems using CGroups v2
  - Fixed a bug where podman inspect would show CPUShares as 0,
    instead of the default (1024), when it was not explicitly set
  - Fixed a bug where podman-remote push would segfault
  - Fixed a bug where image healthchecks were not shown in the
    output of podman inspect
  - Fixed a bug where named volumes created with containers from
    pre-1.6.3 releases of Podman would be autoremoved with their
    containers if the --rm flag was given, even if they were
    given names
  - Fixed a bug where podman history was not computing image
    sizes correctly
  - Fixed a bug where Podman would not error on invalid values to
    the --sort flag to podman images
  - Fixed a bug where providing a name for the image made by
    podman commit was mandatory, not optional as it should be
  - Fixed a bug where the remote Podman client would append an
    extra ' to %PATH
  - Fixed a bug where the podman build command would sometimes
    ignore the -f option and build the wrong Containerfile
  - Fixed a bug where the podman ps --filter command would only
    filter running containers, instead of all containers, if
    --all was not passed
  - Fixed a bug where the podman load command on compressed
    images would leave an extra copy on disk
  - Fixed a bug where the podman restart command would not
    properly clean up the network, causing it to function
    differently from podman stop; podman start
  - Fixed a bug where setting the --memory-swap flag to podman
    create and podman run to -1 (to indicate unlimited) was not
    supported

* Misc

  - Initial work on version 2 of the Podman remote API has been
    merged, but is still in an alpha state and not ready for use.
    Read more here
  - Many formatting corrections have been made to the manpages
  - The changes to address (#5009) may cause anonymous volumes
    created by Podman versions 1.6.3 to 1.7.0 to not be removed
    when their container is removed
  - Updated vendored Buildah to v1.13.1
  - Updated vendored containers/storage to v1.15.8
  - Updated vendored containers/image to v5.2.0

- Add apparmor-abstractions as required runtime dependency to
  have `tunables/global` available.

- fixed the --force flag for the 'container prune' command.
  (https://github.com/containers/libpod/issues/4844)

Update podman to v1.7.0

* Features

  - Added support for setting a static MAC address for containers
  - Added support for creating macvlan networks with podman
    network create, allowing Podman containers to be attached
    directly to networks the host is connected to
  - The podman image prune and podman container prune commands
    now support the --filter flag to filter what will be pruned,
    and now prompts for confirmation when run without --force
    (#4410 and #4411)
  - Podman now creates CGroup namespaces by default on systems
    using CGroups v2 (#4363)
  - Added the podman system reset command to remove all Podman
    files and perform a factory reset of the Podman installation
  - Added the --history flag to podman images to display previous
    names used by images (#4566)
  - Added the --ignore flag to podman rm and podman stop to not
    error when requested containers no longer exist
  - Added the --cidfile flag to podman rm and podman stop to read
    the IDs of containers to be removed or stopped from a file
  - The podman play kube command now honors Seccomp annotations
    (#3111)
  - The podman play kube command now honors RunAsUser,
    RunAsGroup, and selinuxOptions
  - The output format of the podman version command has been
    changed to better match docker version when using the
    --format flag
  - Rootless Podman will no longer initialize containers/storage
    twice, removing a potential deadlock preventing Podman
    commands from running while an image was being pulled (#4591)
  - Added tmpcopyup and notmpcopyup options to the --tmpfs and
    --mount type=tmpfs flags to podman create and podman run to
    control whether the content of directories are copied into
    tmpfs filesystems mounted over them
  - Added support for disabling detaching from containers by
    setting empty detach keys via --detach-keys=''
  - The podman build command now supports the --pull and
    --pull-never flags to control when images are pulled during a
    build
  - The podman ps -p command now shows the name of the pod as
    well as its ID (#4703)
  - The podman inspect command on containers will now display the
    command used to create the container
  - The podman info command now displays information on registry
    mirrors (#4553)

* Bugfixes

  - Fixed a bug where Podman would use an incorrect runtime
    directory as root, causing state to be deleted after root
    logged out and making Podman in systemd services not function
    properly
  - Fixed a bug where the --change flag to podman import and
    podman commit was not being parsed properly in many cases
  - Fixed a bug where detach keys specified in libpod.conf were
    not used by the podman attach and podman exec commands, which
    always used the global default ctrl-p,ctrl-q key combination
    (#4556)
  - Fixed a bug where rootless Podman was not able to run podman
    pod stats even on CGroups v2 enabled systems (#4634)
  - Fixed a bug where rootless Podman would fail on kernels
    without the renameat2 syscall (#4570)
  - Fixed a bug where containers with chained network namespace
    dependencies (i.e., container A using --net container=B and
    container B using --net container=C) would not properly mount
    /etc/hosts and /etc/resolv.conf into the container (#4626)
  - Fixed a bug where podman run with the --rm flag and without
    -d could, when run in the background, throw a 'container does
    not exist' error when attempting to remove the container
    after it exited
  - Fixed a bug where named volume locks were not properly
    reacquired after a reboot, potentially leading to deadlocks
    when trying to start containers using the volume (#4605 and
    #4621)
  - Fixed a bug where Podman could not completely remove
    containers if sent SIGKILL during removal, leaving the
    container name unusable without the podman rm --storage
    command to complete removal (#3906)
  - Fixed a bug where checkpointing containers started with --rm
    was allowed when --export was not specified (the container,
    and checkpoint, would be removed after checkpointing was
    complete by --rm) (#3774)
  - Fixed a bug where the podman pod prune command would fail if
    containers were present in the pods and the --force flag was
    not passed (#4346)
  - Fixed a bug where containers could not set a static IP or
    static MAC address if they joined a non-default CNI network
    (#4500)
  - Fixed a bug where podman system renumber would always throw
    an error if a container was mounted when it was run
  - Fixed a bug where podman container restore would fail with
    containers using a user namespace
  - Fixed a bug where rootless Podman would attempt to use the
    journald events backend even on systems without systemd
    installed
  - Fixed a bug where podman history would sometimes not properly
    identify the IDs of layers in an image (#3359)
  - Fixed a bug where containers could not be restarted when
    Conmon v2.0.3 or later was used
  - Fixed a bug where Podman did not check image OS and
    Architecture against the host when starting a container
  - Fixed a bug where containers in pods did not function
    properly with the Kata OCI runtime (#4353)
  - Fixed a bug where `podman info --format '{{ json . }}'` would
    not produce JSON output (#4391)
  - Fixed a bug where Podman would not verify if files passed to
    --authfile existed (#4328)
  - Fixed a bug where podman images --digest would not always
    print digests when they were available
  - Fixed a bug where rootless podman run could hang due to a
    race with reading and writing events
  - Fixed a bug where rootless Podman would print warning-level
    logs despite not being instructed to do so (#4456)
  - Fixed a bug where podman pull would attempt to fetch from
    remote registries when pulling an unqualified image using the
    docker-daemon transport (#4434)
  - Fixed a bug where podman cp would not work if STDIN was a
    pipe
  - Fixed a bug where podman exec could stop accepting input if
    anything was typed between the command being run and the exec
    session starting (#4397)
  - Fixed a bug where podman logs --tail 0 would print all lines
    of a container's logs, instead of no lines (#4396)
  - Fixed a bug where the timeout for slirp4netns was incorrectly
    set, resulting in an extremely long timeout (#4344)
  - Fixed a bug where the podman stats command would print CPU
    utilizations figures incorrectly (#4409)
  - Fixed a bug where the podman inspect --size command would not
    print the size of the container's read/write layer if the
    size was 0 (#4744)
  - Fixed a bug where the podman kill command was not properly
    validating signals before use (#4746)
  - Fixed a bug where the --quiet and --format flags to podman ps
    could not be used at the same time
  - Fixed a bug where the podman stop command was not stopping
    exec sessions when a container was created without a PID
    namespace (--pid=host)
  - Fixed a bug where the podman pod rm --force command was not
    removing anonymous volumes for containers that were removed
  - Fixed a bug where the podman checkpoint command would not
    export all changes to the root filesystem of the container if
    performed more than once on the same container (#4606)
  - Fixed a bug where containers started with --rm would not be
    automatically removed on being stopped if an exec session was
    running inside the container (#4666)

* Misc

  - The fixes to runtime directory path as root can cause strange
    behavior if an upgrade is performed while containers are
    running
  - Updated vendored Buildah to v1.12.0
  - Updated vendored containers/storage library to v1.15.4
  - Updated vendored containers/image library to v5.1.0
  - Kata Containers runtimes (kata-runtime, kata-qemu, and
    kata-fc) are now present in the default libpod.conf, but will
    not be available unless Kata containers is installed on the
    system
  - Podman previously did not allow the creation of containers
    with a memory limit lower than 4MB. This restriction has been
    removed, as the crun runtime can create containers with
    significantly less memory

Update podman to v1.6.4
- Remove winsz FIFO on container restart to allow use with Conmon 2.03 and higher
- Ensure volumes reacquire locks on system restart, preventing deadlocks when starting containers
- Suppress spurious log messages when running rootless Podman
- Update vendored containers/storage to v1.13.6
- Fix a deadlock related to writing events
- Do not use the journald event logger when it is not available

Update podman to v1.6.2

* Features

  - Added a --runtime flag to podman system migrate to allow the
    OCI runtime for all containers to be reset, to ease transition
    to the crun runtime on CGroups V2 systems until runc gains full
    support
  - The podman rm command can now remove containers in broken
    states which previously could not be removed
  - The podman info command, when run without root, now shows
    information on UID and GID mappings in the rootless user
    namespace
  - Added podman build --squash-all flag, which squashes all layers
    (including those of the base image) into one layer
  - The --systemd flag to podman run and podman create now accepts
    a string argument and allows a new value, always, which forces
    systemd support without checking if the container
    entrypoint is systemd

* Bugfixes

  - Fixed a bug where the podman top command did not work on
    systems using CGroups V2 (#4192)
  - Fixed a bug where rootless Podman could double-close a file,
    leading to a panic
  - Fixed a bug where rootless Podman could fail to retrieve some
    containers while refreshing the state
  - Fixed a bug where podman start --attach --sig-proxy=false would
    still proxy signals into the container
  - Fixed a bug where Podman would unconditionally use a
    non-default path for authentication credentials (auth.json),
    breaking podman login integration with skopeo and other tools
    using the containers/image library
  - Fixed a bug where podman ps --format=json and podman images
    --format=json would display null when no results were returned,
    instead of valid JSON
  - Fixed a bug where podman build --squash was incorrectly
    squashing all layers into one, instead of only new layers
  - Fixed a bug where rootless Podman would allow volumes with
    options to be mounted (mounting volumes requires root),
    creating an inconsistent state where volumes reported as
    mounted but were not (#4248)
  - Fixed a bug where volumes which failed to unmount could not be
    removed (#4247)
  - Fixed a bug where Podman incorrectly handled some errors
    relating to unmounted or missing containers in
    containers/storage
  - Fixed a bug where podman stats was broken on systems running
    CGroups V2 when run rootless (#4268)
  - Fixed a bug where the podman start command would print the
    short container ID, instead of the full ID
  - Fixed a bug where containers created with an OCI runtime that
    is no longer available (uninstalled or removed from the config
    file) would not appear in podman ps and could not be removed
    via podman rm
  - Fixed a bug where containers restored via podman container
    restore --import would retain the CGroup path of the original
    container, even if their container ID changed; thus, multiple
    containers created from the same checkpoint would all share the
    same CGroup

* Misc

  - The default PID limit for containers is now set to 4096. It can
    be adjusted back to the old default (unlimited) by passing
    --pids-limit 0 to podman create and podman run
  - The podman start --attach command now automatically attaches
    STDIN if the container was created with -i
  - The podman network create command now validates network names
    using the same regular expression as container and pod names
  - The --systemd flag to podman run and podman create will now
    only enable systemd mode when the binary being run inside the
    container is /sbin/init, /usr/sbin/init, or ends in systemd
    (previously detected any path ending in init or systemd)
  - Updated vendored Buildah to 1.11.3
  - Updated vendored containers/storage to 1.13.5
  - Updated vendored containers/image to 4.0.1

Update podman to v1.6.1

* Features

  - The podman network create, podman network rm, podman network
    inspect, and podman network ls commands have been added to
    manage CNI networks used by Podman
  - The podman volume create command can now create and mount
    volumes with options, allowing volumes backed by NFS, tmpfs,
    and many other filesystems
  - Podman can now run containers without CGroups for better
    integration with systemd by using the --cgroups=disabled flag
    with podman create and podman run. This is presently only
    supported with the crun OCI runtime
  - The podman volume rm and podman volume inspect commands can now
    refer to volumes by an unambiguous partial name, in addition to
    full name (e.g. podman volume rm myvol to remove a volume named
    myvolume) (#3891)
  - The podman run and podman create commands now support the
    --pull flag to allow forced re-pulling of images (#3734)
  - Mounting volumes into a container using --volume, --mount, and
    --tmpfs now allows the suid, dev, and exec mount options (the
    inverse of nosuid, nodev, noexec) (#3819)
  - Mounting volumes into a container using --mount now allows the
    relabel=Z and relabel=z options to relabel mounts.
  - The podman push command now supports the --digestfile option to
    save a file containing the pushed digest
  - Pods can now have their hostname set via podman pod create
    --hostname or providing Pod YAML with a hostname set to podman
    play kube (#3732)
  - The podman image sign command now supports the --cert-dir flag
  - The podman run and podman create commands now support the
    --security-opt label=filetype:$LABEL flag to set the SELinux
    label for container files
  - The remote Podman client now supports healthchecks

* Bugfixes

  - Fixed a bug where remote podman pull would panic if a Varlink
    connection was not available (#4013)
  - Fixed a bug where podman exec would not properly set terminal
    size when creating a new exec session (#3903)
  - Fixed a bug where podman exec would not clean up socket
    symlinks on the host (#3962)
  - Fixed a bug where Podman could not run systemd in containers
    that created a CGroup namespace
  - Fixed a bug where podman prune -a would attempt to prune images
    used by Buildah and CRI-O, causing errors (#3983)
  - Fixed a bug where improper permissions on the ~/.config
    directory could cause rootless Podman to use an incorrect
    directory for storing some files
  - Fixed a bug where the bash completions for podman import threw
    errors
  - Fixed a bug where Podman volumes created with podman volume
    create would not copy the contents of their mountpoint the
    first time they were mounted into a container (#3945)
  - Fixed a bug where rootless Podman could not run podman exec
    when the container was not run inside a CGroup owned by the
    user (#3937)
  - Fixed a bug where podman play kube would panic when given Pod
    YAML without a securityContext (#3956)
  - Fixed a bug where Podman would place files incorrectly when
    storage.conf configuration items were set to the empty string
    (#3952)
  - Fixed a bug where podman build did not correctly inherit
    Podman's CGroup configuration, causing crashes on CGroups V2
    systems (#3938)
  - Fixed a bug where remote podman run --rm would exit before the
    container was completely removed, allowing race conditions when
    removing container resources (#3870)
  - Fixed a bug where rootless Podman would not properly handle
    changes to /etc/subuid and /etc/subgid after a container was
    launched
  - Fixed a bug where rootless Podman could not include some
    devices in a container using the --device flag (#3905)
  - Fixed a bug where the commit Varlink API would segfault if
    provided incorrect arguments (#3897)
  - Fixed a bug where temporary files were not properly cleaned up
    after a build using remote Podman (#3869)
  - Fixed a bug where podman remote cp crashed instead of reporting
    it was not yet supported (#3861)
  - Fixed a bug where podman exec would run as the wrong user when
    execing into a container that was started from an image with
    Dockerfile USER (or a user specified via podman run --user)
    (#3838)
  - Fixed a bug where images pulled using the oci: transport would
    be improperly named
  - Fixed a bug where podman varlink would hang when managed by
    systemd due to SD_NOTIFY support conflicting with Varlink
    (#3572)
  - Fixed a bug where mounts to the same destination would
    sometimes not trigger a conflict, causing a race as to which
    was actually mounted
  - Fixed a bug where podman exec --preserve-fds caused Podman to
    hang (#4020)
  - Fixed a bug where removing a container that was unmounted
    might sometimes not properly clean up the container
    (#4033)
  - Fixed a bug where the Varlink server would freeze when run in a
    systemd unit file (#4005)
  - Fixed a bug where Podman would not properly set the $HOME
    environment variable when the OCI runtime did not set it
  - Fixed a bug where rootless Podman would incorrectly print
    warning messages when an OCI runtime was not found (#4012)
  - Fixed a bug where named volumes would conflict with, instead of
    overriding, tmpfs filesystems added by the --read-only-tmpfs
    flag to podman create and podman run
  - Fixed a bug where podman cp would incorrectly make the target
    directory when copying to a symlink which pointed to a
    nonexistent directory (#3894)
  - Fixed a bug where remote Podman would incorrectly read STDIN
    when the -i flag was not set (#4095)
  - Fixed a bug where podman play kube would create an empty pod
    when given an unsupported YAML type (#4093)
  - Fixed a bug where podman import --change improperly parsed CMD
    (#4000)
  - Fixed a bug where rootless Podman on systems using CGroups V2
    would not function with the cgroupfs CGroups manager
  - Fixed a bug where rootless Podman could not correctly identify
    the DBus session address, causing containers to fail to start
    (#4162)
  - Fixed a bug where rootless Podman with slirp4netns networking
    would fail to start containers due to mount leaks

* Misc

  - Significant changes were made to Podman volumes in this
    release. If you have pre-existing volumes, it is strongly
    recommended to run podman system renumber after upgrading.
  - Version 0.8.1 or greater of the CNI Plugins is now required for
    Podman
  - Version 2.0.1 or greater of Conmon is strongly recommended
  - Updated vendored Buildah to v1.11.2
  - Updated vendored containers/storage library to v1.13.4
  - Improved error messages when trying to create a pod with no
    name via podman play kube
  - Improved error messages when trying to run podman pause or
    podman stats on a rootless container on a system without
    CGroups V2 enabled
  - TMPDIR has been set to /var/tmp by default to better handle
    large temporary files
  - podman wait has been optimized to detect stopped containers
    more rapidly
  - Podman containers now include a ContainerManager annotation
    indicating they were created by libpod
  - The podman info command now includes information about
    slirp4netns and fuse-overlayfs if they are available
  - Podman no longer sets a default size of 65kb for tmpfs
    filesystems
  - The default Podman CNI network has been renamed in an attempt
    to prevent conflicts with CRI-O when both are run on the same
    system. This should only take effect on system restart
  - The output of podman volume inspect has been more closely
    matched to docker volume inspect

- Add katacontainers as a recommended package, and include it as an
  additional OCI runtime in the configuration.

Update podman to v1.5.1

* Features

 - The hostname of pods is now set to the pod's name

* Bugfixes

 - Fixed a bug where podman run and podman create did not honor the --authfile
   option (#3730)
 - Fixed a bug where containers restored with podman container restore
   --import would incorrectly duplicate the Conmon PID file of the original container
 - Fixed a bug where podman build ignored the default OCI runtime configured
   in libpod.conf
 - Fixed a bug where podman run --rm (or force-removing any running container
   with podman rm --force) were not retrieving the correct exit code (#3795)
 - Fixed a bug where Podman would exit with an error if any configured hooks
   directory was not present
 - Fixed a bug where podman inspect and podman commit would not use the
   correct CMD for containers run with podman play kube
 - Fixed a bug creating pods when using rootless Podman and CGroups V2 (#3801)
 - Fixed a bug where the podman events command with the --since or --until
   options could take a very long time to complete

* Misc

 - Rootless Podman will now inherit OCI runtime configuration from the root
   configuration (#3781)
 - Podman now properly sets a user agent while contacting registries (#3788)

- Add zsh completion for podman commands

Update podman to v1.5.0

* Features

  - Podman containers can now join the user namespaces of other
    containers with --userns=container:$ID, or a user namespace at
    an arbitrary path with --userns=ns:$PATH
  - Rootless Podman can experimentally squash all UIDs and GIDs in
    an image to a single UID and GID (which does not require use of
    the newuidmap and newgidmap executables) by passing
    --storage-opt ignore_chown_errors
  - The podman generate kube command now produces YAML for any bind
    mounts the container has created (#2303)
  - The podman container restore command now features a new flag,
    --ignore-static-ip, that can be used with --import to import a
    single container with a static IP multiple times on the same
    host
  - Added the ability for podman events to output JSON by
    specifying --format=json
  - If the OCI runtime or conmon binary cannot be found at the
    paths specified in libpod.conf, Podman will now also search for
    them in the calling user's path
  - Added the ability to use podman import with URLs (#3609)
  - The podman ps command now supports filtering names using
    regular expressions (#3394)
  - Rootless Podman containers with --privileged set will now mount
    in all host devices that the user can access
  - The podman create and podman run commands now support the
    --env-host flag to forward all environment variables from the
    host into the container
  - Rootless Podman now supports healthchecks (#3523)
  - The format of the HostConfig portion of the output of podman
    inspect on containers has been improved and synced with Docker
  - Podman containers now support CGroup namespaces, and can create
    them by passing --cgroupns=private to podman run or podman
    create
  - The podman create and podman run commands now support the
    --ulimit=host flag, which uses any ulimits currently set on the
    host for the container
  - The podman rm and podman rmi commands now use different exit
    codes to indicate 'no such container' and 'container is
    running' errors
  - Support for CGroups V2 through the crun OCI runtime has been
    greatly improved, allowing resource limits to be set for
    rootless containers when the CGroups V2 hierarchy is in use

* Bugfixes

  - Fixed a bug where a race condition could cause podman restart
    to fail to start containers with ports
  - Fixed a bug where containers restored from a checkpoint would
    not properly report the time they were started at
  - Fixed a bug where podman search would return at most 25
    results, even when the maximum number of results was set higher
  - Fixed a bug where podman play kube would not honor capabilities
    set in imported YAML (#3689)
  - Fixed a bug where podman run --env, when passed a single key
    (to use the value from the host), would set the environment
    variable in the container even if it was not set on the host
    (#3648)
  - Fixed a bug where podman commit --changes would not properly
    set environment variables
  - Fixed a bug where Podman could segfault while working with
    images with no history
  - Fixed a bug where podman volume rm could remove arbitrary
    volumes if given an ambiguous name (#3635)
  - Fixed a bug where podman exec invocations leaked memory by not
    cleaning up files in tmpfs
  - Fixed a bug where the --dns and --net=container flags to podman
    run and podman create were not mutually exclusive (#3553)
  - Fixed a bug where rootless Podman would be unable to run
    containers when less than 5 UIDs were available
  - Fixed a bug where containers in pods could not be removed
    without removing the entire pod (#3556)
  - Fixed a bug where Podman would not properly clean up all CGroup
    controllers for created cgroups when using the cgroupfs CGroup
    driver
  - Fixed a bug where Podman containers did not properly clean up
    files in tmpfs, resulting in a memory leak as containers
    stopped
  - Fixed a bug where healthchecks from images would not use
    default settings for interval, retries, timeout, and start
    period when they were not provided by the image (#3525)
  - Fixed a bug where healthchecks using the HEALTHCHECK CMD format
    were not properly supported (#3507)
  - Fixed a bug where volume mounts using relative source paths
    would not be properly resolved (#3504)
  - Fixed a bug where podman run did not use authorization
    credentials when a custom path was specified (#3524)
  - Fixed a bug where containers checkpointed with podman container
    checkpoint did not properly set their finished time
  - Fixed a bug where running podman inspect on any container not
    created with podman run or podman create (for example, pod
    infra containers) would result in a segfault (#3500)
  - Fixed a bug where healthcheck flags for podman create and
    podman run were incorrectly named (#3455)
  - Fixed a bug where Podman commands would fail to find targets if
    a partial ID was specified that was ambiguous between a
    container and pod (#3487)
  - Fixed a bug where restored containers would not have the
    correct SELinux label
  - Fixed a bug where Varlink endpoints were not working properly
    if more was not correctly specified
  - Fixed a bug where the Varlink PullImage endpoint would crash if
    an error occurred (#3715)
  - Fixed a bug where the --mount flag to podman create and podman
    run did not allow boolean arguments for its ro and rw options
    (#2980)
  - Fixed a bug where pods did not properly share the UTS
    namespace, resulting in incorrect behavior from some utilities
    which rely on hostname (#3547)
  - Fixed a bug where Podman would unconditionally append
    ENTRYPOINT to CMD during podman commit (and when reporting CMD
    in podman inspect) (#3708)
  - Fixed a bug where podman events with the journald events
    backend would incorrectly print 6 previous events when only new
    events were requested (#3616)
  - Fixed a bug where podman port would exit prematurely when a
    port number was specified (#3747)
  - Fixed a bug where passing . as an argument to the --dns-search
    flag to podman create and podman run was not properly clearing
    DNS search domains in the container

* Misc

  - Updated vendored Buildah to v1.10.1
  - Updated vendored containers/image to v3.0.2
  - Updated vendored containers/storage to v1.13.1
  - Podman now requires conmon v2.0.0 or higher
  - The podman info command now displays the events logger being in
    use
  - The podman inspect command on containers now includes the ID of
    the pod a container has joined and the PID of the container's
    conmon process
  - The -v short flag for podman --version has been re-added
  - Error messages from podman pull should be significantly clearer
  - The podman exec command is now available in the remote client
  - The podman-v1.5.0.tar.gz file attached is podman packaged for
    MacOS. It can be installed using Homebrew.
- Update libpod.conf to support latest path discovery feature for
  `runc` and `conmon` binaries.

conmon was included in version 2.0.10. (bsc#1160460, bsc#1164390, jsc#ECO-1048, jsc#SLE-11485, jsc#SLE-11331):

fuse-overlayfs was updated to v0.7.6 (bsc#1160460)

- do not look in lower layers for the ino if there is no origin
  xattr set
- attempt to use the file path if the operation on the fd fails
  with ENXIO
- do not expose internal xattrs through listxattr and getxattr
- fix fallocate for deleted files.
- ignore O_DIRECT.  It causes issues with libfuse not using an
  aligned buffer, causing write(2) to fail with EINVAL.
- on copyup, do not copy the opaque xattr.
- fix a wrong lookup for whiteout files, that could happen on a
  double unlink.
- fix possible segmentation fault in direct_fsync()
- use the data store to create missing whiteouts
- after a rename, force a directory reload
- introduce inodes cache
- correctly read inode for unix sockets
- avoid hash map lookup when possible
- use st_dev for the ino key
- check whether writeback is supported
- set_attrs: don't require write to S_IFREG
- ioctl: do not reuse fi->fh for directories
- fix skip whiteout deletion optimization
- store the new mode after chmod
- support fuse writeback cache and enable it by default
- add option to disable fsync
- add option to disable xattrs
- add option to skip ino number check in lower layers
- fix fd validity check
- fix memory leak
- fix read after free
- fix type for flistxattr return
- fix warnings reported by lgtm.com
- enable parallel dirops

cni was updated to 0.7.1:

- Set correct CNI version for 99-loopback.conf

Update to version 0.7.1 (bsc#1160460):

* Library changes:

  + invoke : ensure custom envs of CNIArgs are prepended to process envs
  + add GetNetworkListCachedResult to CNI interface
  + delegate : allow delegation funcs override CNI_COMMAND env automatically in heritance

* Documentation & Convention changes:

  + Update cnitool documentation for spec v0.4.0
  + Add cni-route-override to CNI plugin list

Update to version 0.7.0:

* Spec changes:

  + Use more RFC2119 style language in specification (must, should...)
  + add notes about ADD/DEL ordering
  + Make the container ID required and unique.
  + remove the version parameter from ADD and DEL commands.
  + Network interface name matters
  + be explicit about optional and required structure members
  + add CHECK method
  + Add a well-known error for 'try again'
  + SPEC.md: clarify meaning of 'routes'

* Library changes:

  + pkg/types: Makes IPAM concrete type
  + libcni: return error if Type is empty
  + skel: VERSION shouldn't block on stdin
  + non-pointer instances of types.Route now correctly marshal to JSON
  + libcni: add ValidateNetwork and ValidateNetworkList functions
  + pkg/skel: return error if JSON config has no network name
  + skel: add support for plugin version string
  + libcni: make exec handling an interface for better downstream testing
  + libcni: api now takes a Context to allow operations to be timed out or cancelled
  + types/version: add helper to parse PrevResult
  + skel: only print about message, not errors
  + skel,invoke,libcni: implementation of CHECK method
  + cnitool: Honor interface name supplied via CNI_IFNAME environment variable.
  + cnitool: validate correct number of args
  + Don't copy gw from IP4.Gateway to Route.GW When converting from 0.2.0
  + add PrintTo method to Result interface
  + Return a better error when the plugin returns none
- Install sleep binary into CNI plugin directory

cni-plugins was updated to 0.8.4:

Update to version 0.8.4 (bsc#1160460):

* add support for mips64le
* Add missing cniVersion in README example
* bump go-iptables module to v0.4.5
* iptables: add idempotent functions
* portmap doesn't fail if chain doesn't exist
* fix portmap port forward flakiness
* Add Bruce Ma and Piotr Skarmuk as owners

Update to version 0.8.3:

* Enhancements:
  * static: prioritize the input sources for IPs (#400).
  * tuning: send gratuitous ARP in case of MAC address update (#403).
  * bandwidth: use uint64 for Bandwidth value (#389).
  * ptp: only override DNS conf if DNS settings provided (#388).
  * loopback: When prevResults are not supplied to loopback plugin, create results to return (#383).
  * loopback support CNI CHECK and result cache (#374).

* Better input validation:
  * vlan: add MTU validation to loadNetConf (#405).
  * macvlan: add MTU validation to loadNetConf (#404).
  * bridge: check vlan id when loading net conf (#394).

* Bugfixes:

  * bugfix: defer after err check, or it may panic (#391).
  * portmap: Fix dual-stack support (#379).
  * firewall: don't return error in DEL if prevResult is not found (#390).
  * bump up libcni back to v0.7.1 (#377).

* Docs:

  * contributing doc: revise test script name to run (#396).
  * contributing doc: describe cnitool installation (#397).

Update plugins to v0.8.2

+ New features:

  * Support 'args' in static and tuning
  * Add Loopback DSR support, allow l2tunnel networks
    to be used with the l2bridge plugin
  * host-local: return error if same ADD request is seen twice
  * bandwidth: fix collisions
  * Support ips capability in static and mac capability in tuning
  * pkg/veth: Make host-side veth name configurable

+ Bug fixes:
  * Fix: failed to set bridge addr: could not add IP address to 'cni0': file exists
  * host-device: revert name setting to make retries idempotent (#357).
  * Vendor update go-iptables. Vendor update go-iptables to
    obtain commit f1d0510cabcb710d5c5dd284096f81444b9d8d10
  * Update go.mod & go.sub
  * Remove link Down/Up in MAC address change to prevent route flush (#364).
  * pkg/ip unit test: be agnostic of Linux version, on Linux 4.4 the syscall
    error message is 'invalid argument' not 'file exists'
  * bump containernetworking/cni to v0.7.1

Updated plugins to v0.8.1:

+ Bugs:

  * bridge: fix ipMasq setup to use correct source address
  * fix compilation error on 386
  * bandwidth: get bandwidth interface in host ns through
    container interface

+ Improvements:
  * host-device: add pciBusID property

Updated plugins to v0.8.0:

+ New plugins:

  * bandwidth - limit incoming and outgoing bandwidth
  * firewall - add containers to firewall rules
  * sbr - convert container routes to source-based routes
  * static - assign a fixed IP address
  * win-bridge, win-overlay: Windows plugins

+ Plugin features / changelog:

  * CHECK Support
  * macvlan:
    - Allow to configure empty ipam for macvlan
    - Make master config optional
  * bridge:
    - Add vlan tag to the bridge cni plugin
    - Allow the user to assign VLAN tag
    - L2 bridge Implementation.
  * dhcp:
    - Include Subnet Mask option parameter in DHCPREQUEST
    - Add systemd unit file to activate socket with systemd
    - Add container ifName to the dhcp clientID, making the
      clientID value
  * flannel:
    - Pass through runtimeConfig to delegate
  * host-local:
    - host-local: add ifname to file tracking IP address used
  * host-device:
    - Support the IPAM in the host-device
    - Handle empty netns in DEL for loopback and host-device
  * tuning:
    - adds 'ip link' command related feature into tuning
+ Bug fixes & minor changes
  * Correctly DEL on ipam failure for all plugins
  * Fix bug on ip revert if cmdAdd fails on macvlan and host-device
  * host-device: Ensure device is down before rename
  * Fix -hostprefix option
  * some DHCP servers expect to request for explicit router options
  * bridge: release IP in case of error
  * change source of ipmasq rule from ipn to ip

from version v0.7.5:

+ This release takes a minor change to the portmap plugin:
  * Portmap: append, rather than prepend, entry rules

+ This fixes a potential issue where firewall rules may
  be bypassed by port mapping


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:821-1
Released:    Tue Mar 31 13:05:59 2020
Summary:     Recommended update for podman, slirp4netns
Type:        recommended
Severity:    moderate
References:  1167850
This update for podman, slirp4netns fixes the following issues:

slirp4netns was updated to 0.4.4 (bsc#1167850):

* libslirp: Update to v4.2.0:
  * New API function slirp_add_unix: add a forward rule to a Unix
    socket.
  * New API function slirp_remove_guestfwd: remove a forward rule
    previously added by slirp_add_exec, slirp_add_unix or
    slirp_add_guestfwd
  * New SlirpConfig.outbound_addr{,6} fields to bind output
    socket to a specific address
  * socket: do not fallback on host loopback if get_dns_addr()
    failed or the address is in slirp network
  * ncsi: fix checksum OOB memory access
  * tcp_emu(): fix OOB accesses
  * tftp: restrict relative path access
  * state: fix loading of guestfwd state

Update to 0.4.3:

* api: raise an error if the socket path is too long
* libslirp: update to v4.1.0: Including the fix for libslirp
  sends RST to app in response to arriving FIN when containerized
  socket is shutdown() with SHUT_WR
* Fix create_sandbox error

Update to 0.4.2:

* Do not propagate mounts to the parent ns in sandbox

Update to 0.4.1:

* Support specifying netns path (slirp4netns --netns-type=path PATH
  TAPNAME)
* Support specifying --userns-path
* Vendor https://gitlab.freedesktop.org/slirp/libslirp (QEMU v4.1+)
* Bring up loopback device when --configure is specified
* Support sandboxing by creating a mount namespace
  (--enable-sandbox)
* Support seccomp (--enable-seccomp)
- Add new build dependencies libcap-devel and libseccomp-devel

Update to 0.3.3:

* Fix use-after-free in libslirp

Update to 0.3.2:

* Fix heap overflow in `ip_reass` on big packet input

Update to 0.3.1:

* Fix use-after-free

Changes in podman:

- Fixed dependency on slirp4netns. We need at least 0.4.0 now (bsc#1167850)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:944-1
Released:    Tue Apr  7 15:49:33 2020
Summary:     Security update for runc
Type:        security
Severity:    moderate
References:  1149954,1160452,CVE-2019-19921
This update for runc fixes the following issues:

runc was updated to v1.0.0~rc10

- CVE-2019-19921: Fixed a mount race condition with shared mounts (bsc#1160452).
- Fixed an issue where podman run hangs when spawned by salt-minion process (bsc#1149954).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1197-1
Released:    Wed May  6 13:52:04 2020
Summary:     Security update for slirp4netns
Type:        security
Severity:    important
References:  1170940,CVE-2020-1983
This update for slirp4netns fixes the following issues:

Security issue fixed:

- CVE-2020-1983: Fixed a use-after-free in ip_reass (bsc#1170940).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1915-1
Released:    Wed Jul 15 09:34:15 2020
Summary:     Security update for slirp4netns
Type:        security
Severity:    important
References:  1172380,CVE-2020-10756
This update for slirp4netns fixes the following issues:

- Update to 0.4.7 (bsc#1172380)
  * libslirp: update to v4.3.1 (Fix CVE-2020-10756)
  * Fix config_from_options() to correctly enable ipv6

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1957-1
Released:    Mon Jul 20 13:47:31 2020
Summary:     Security update for cni-plugins
Type:        security
Severity:    moderate
References:  1172410,CVE-2020-10749
This update for cni-plugins fixes the following issues:

cni-plugins updated to version 0.8.6

- CVE-2020-10749: Fixed a potential man-in-the-middle attack in IPv4 clusters by spoofing IPv6 router advertisements (bsc#1172410).

Release notes:
https://github.com/containernetworking/plugins/releases/tag/v0.8.6

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2731-1
Released:    Thu Sep 24 07:42:32 2020
Summary:     Security update for conmon, fuse-overlayfs, libcontainers-common, podman
Type:        security
Severity:    moderate
References:  1162432,1164090,1165738,1171578,1174075,1175821,1175957,CVE-2020-1726
This update for conmon, fuse-overlayfs, libcontainers-common, podman fixes the following issues:

podman was updated to v2.0.6 (bsc#1175821)

- install missing systemd units for the new Rest API (bsc#1175957)
  and a few man-pages that were missing before
- Drop varlink API related bits (in favor of the new API)
- fix install location for zsh completions

 * Fixed a bug where running systemd in a container on a cgroups v1 system would fail.
 * Fixed a bug where /etc/passwd could be re-created every time a container
   is restarted if the container's /etc/passwd did not contain an entry
   for the user the container was started as.
 * Fixed a bug where containers without an /etc/passwd file specifying
   a non-root user would not start.
 * Fixed a bug where the --remote flag would sometimes not make
   remote connections and would instead attempt to run Podman locally.

Update to v2.0.6:

* Features

  - Rootless Podman will now add an entry to /etc/passwd for the user who ran Podman if run with --userns=keep-id.
  - The podman system connection command has been reworked to support multiple connections, and reenabled for use!
  - Podman now has a new global flag, --connection, to specify a connection to a remote Podman API instance.

* Changes

  - Podman's automatic systemd integration (activated by the --systemd=true flag, set by default) will now activate for containers using /usr/local/sbin/init as their command, instead of just /usr/sbin/init and /sbin/init (and any path ending in systemd).
  - Seccomp profiles specified by the --security-opt seccomp=... flag to podman create and podman run will now be honored even if the container was created using --privileged.

* Bugfixes

  - Fixed a bug where the podman play kube would not honor the hostIP field for port forwarding (#5964).
  - Fixed a bug where the podman generate systemd command would panic on an invalid restart policy being specified (#7271).
  - Fixed a bug where the podman images command could take a very long time (several minutes) to complete when a large number of images were present.
  - Fixed a bug where the podman logs command with the --tail flag would not work properly when a large amount of output would be printed ([#7230](https://github.com//issues/7230)).
  - Fixed a bug where the podman exec command with remote Podman would not return a non-zero exit code when the exec session failed to start (e.g. invoking a non-existent command) (#6893).
  - Fixed a bug where the podman load command with remote Podman did not honor user-specified tags (#7124).
  - Fixed a bug where the podman system service command, when run as a non-root user by Systemd, did not properly handle the Podman pause process and would not restart properly as a result (#7180).
  - Fixed a bug where the --publish flag to podman create, podman run, and podman pod create did not properly handle a host IP of 0.0.0.0 (attempting to bind to literal 0.0.0.0, instead of all IPs on the system) (#7104).
  - Fixed a bug where the podman start --attach command would not print the container's exit code when the command exited due to the container exiting.
  - Fixed a bug where the podman rm command with remote Podman would not remove volumes, even if the --volumes flag was specified (#7128).
  - Fixed a bug where the podman run command with remote Podman and the --rm flag could exit before the container was fully removed.
  - Fixed a bug where the --pod new:... flag to podman run and podman create would create a pod that did not share any namespaces.
  - Fixed a bug where the --preserve-fds flag to podman run and podman exec could close the wrong file descriptors while trying to close user-provided descriptors after passing them into the container.
  - Fixed a bug where default environment variables ($PATH and $TERM) were not set in containers when not provided by the image.
  - Fixed a bug where pod infra containers were not properly unmounted after exiting.
  - Fixed a bug where networks created with podman network create with an IPv6 subnet did not properly set an IPv6 default route.
  - Fixed a bug where the podman save command would not work properly when its output was piped to another command (#7017).
  - Fixed a bug where containers using a systemd init on a cgroups v1 system could leak mounts under /sys/fs/cgroup/systemd to the host.
  - Fixed a bug where podman build would not generate an event on completion (#7022).
  - Fixed a bug where the podman history command with remote Podman printed incorrect creation times for layers (#7122).
  - Fixed a bug where Podman would not create working directories specified by the container image if they did not exist.
  - Fixed a bug where Podman did not clear CMD from the container image if the user overrode ENTRYPOINT (#7115).
  - Fixed a bug where errors parsing image names were not fully reported (the part of the error message containing the exact issue was dropped).
  - Fixed a bug where the podman images command with remote Podman did not support printing image tags in Go templates supplied to the --format flag (#7123).
  - Fixed a bug where the podman rmi --force command would not attempt to unmount containers it was removing, which could cause a failure to remove the image.
  - Fixed a bug where the podman generate systemd --new command could incorrectly quote arguments to Podman that contained whitespace, leading to nonfunctional unit files (#7285).
  - Fixed a bug where the podman version command did not properly include build time and Git commit.
  - Fixed a bug where running systemd in a Podman container on a system that did not use the systemd cgroup manager would fail (#6734).
  - Fixed a bug where capabilities from --cap-add were not properly added when a container was started as a non-root user via --user.
  - Fixed a bug where Pod infra containers were not properly cleaned up when they stopped, causing networking issues (#7103).

* API

  - Fixed a bug where the libpod and compat Build endpoints did not accept the application/tar content type (instead only accepting application/x-tar) (#7185).
  - Fixed a bug where the libpod Exists endpoint would attempt to write a second header in some error conditions (#7197).
  - Fixed a bug where compat and libpod Network Inspect and Network Remove endpoints would return a 500 instead of 404 when the requested network was not found.
  - Added a versioned _ping endpoint (e.g. http://localhost/v1.40/_ping).
  - Fixed a bug where containers started through a systemd-managed instance of the REST API would be shut down when podman system service shut down due to its idle timeout (#7294).
  - Added stronger parameter verification for the libpod Network Create endpoint to ensure subnet mask is a valid value.
  - The Pod URL parameter to the Libpod Container List endpoint has been deprecated; the information previously gated by the Pod boolean will now be included in the response unconditionally.

- Change hard requires for AppArmor to Recommends. They are not
  needed for runtime or with SELinux but already installed if
  AppArmor is used [jsc#SMO-15]
- Add BuildRequires for pkg-config(libselinux) to build with
  SELinux support [jsc#SMO-15]

Update to v2.0.4

* Fixed a bug where the output of podman image search did not
  populate the Description field as it was mistakenly assigned to
  the ID field.
* Fixed a bug where podman build - and podman build on an HTTP
  target would fail.
* Fixed a bug where rootless Podman would improperly chown the
  copied-up contents of anonymous volumes (#7130).
* Fixed a bug where Podman would sometimes HTML-escape special
  characters in its CLI output.
* Fixed a bug where the podman start --attach --interactive
  command would print the container ID of the container attached
  to when exiting (#7068).
* Fixed a bug where podman run --ipc=host --pid=host would only
  set --pid=host and not --ipc=host (#7100).
* Fixed a bug where the --publish argument to podman run, podman
  create and podman pod create would not allow binding the same
  container port to more than one host port (#7062).
* Fixed a bug where incorrect arguments to podman images --format
  could cause Podman to segfault.
* Fixed a bug where podman rmi --force on an image ID with more
  than one name and at least one container using the image would
  not completely remove containers using the image (#7153).
* Fixed a bug where memory usage in bytes and memory use
  percentage were swapped in the output of podman stats
  --format=json.
* Fixed a bug where the libpod and compat events endpoints would
  fail if no filters were specified (#7078).
* Fixed a bug where the CgroupVersion field in responses from the
  compat Info endpoint was prefixed by 'v' (instead of just being
  '1' or '2', as is documented).

- Suggest katacontainers instead of recommending it. It's not
  enabled by default, so it's just bloat

Update to v2.0.3

* Fix handling of entrypoint
* log API: add context to allow for cancelling
* fix API: Create container with an invalid configuration
* Remove all instances of named return 'err' from Libpod
* Fix: Correct connection counters for hijacked connections
* Fix: Hijacking v2 endpoints to follow rfc 7230 semantics
* Remove hijacked connections from active connections list
* version/info: format: allow more json variants
* Correctly print STDOUT on non-terminal remote exec
* Fix container and pod create commands for remote create
* Mask out /sys/dev to prevent information leak from the host
* Ensure sig-proxy default is propagated in start
* Add SystemdMode to inspect for containers
* When determining systemd mode, use full command
* Fix lint
* Populate remaining unused fields in `pod inspect`
* Include infra container information in `pod inspect`
* play-kube: add support for 'IfNotPresent' pull type
* docs: user namespace can't be shared in pods
* Fix 'Error: unrecognized protocol \'TCP\' in port mapping'
* Error on rootless mac and ip addresses
* Fix & add notes regarding problematic language in codebase
* abi: set default umask and rlimits
* Used reference package with errors for parsing tag
* fix: system df error when an image has no name
* Fix Generate API title/description
* Add noop function disable-content-trust
* fix play kube doesn't override dockerfile ENTRYPOINT
* Support default profile for apparmor
* Bump github.com/containers/common to v0.14.6
* events endpoint: backwards compat to old type
* events endpoint: fix panic and race condition
* Switch references from libpod.conf to containers.conf
* podman.service: set type to simple
* podman.service: set doc to podman-system-service
* podman.service: use default registries.conf
* podman.service: use default killmode
* podman.service: remove stop timeout
* systemd: symlink user->system
* vendor golang.org/x/text at v0.3.3
* Fix a bug where --pids-limit was parsed incorrectly
* search: allow wildcards
* [CI:DOCS]Do not copy policy.json into gating image
* Fix systemd pid 1 test
* Cirrus: Rotate keys post repo. rename
* The libpod.conf(5) man page got removed and all references are
  now pointing towards containers.conf(5), which will be part
  of the libcontainers-common package.

Update to podman v2.0.2

* fix race condition in `libpod.GetEvents(...)`
* Fix bug where `podman mount` didn't error as rootless
* remove podman system connection
* Fix imports to ensure v2 is used with libpod
* Update release notes for v2.0.2
* specgen: fix order for setting rlimits
* Ensure umask is set appropriately for 'system service'
* generate systemd: improve pod-flags filter
* Fix a bug with APIv2 compat network remove to log an ErrNetworkNotFound instead of nil
* Fixes --remote flag issues
* Pids-limit should only be set if the user set it
* Set console mode for windows
* Allow empty host port in --publish flag
* Add a note on the APIs supported by `system service`
* fix: Don't override entrypoint if it's `nil`
* Set TMPDIR to /var/tmp by default if not set
* test: add tests for --user and volumes
* container: move volume chown after spec generation
* libpod: volume copyup honors namespace mappings
* Fix `system service` panic from early hangup in events
* stop podman service in e2e tests
* Print errors from individual containers in pods
* auto-update: clarify systemd-unit requirements
* podman ps truncate the command
* move go module to v2
* Vendor containers/common v0.14.4
* Bump to imagebuilder v1.1.6 on v2 branch
* Account for non-default port number in image name
- Changes since v2.0.1
* Update release notes with further v2.0.1 changes
* Fix inspect to display multiple label: changes
* Set syslog for exit commands on log-level=debug
* Friendly amendment for pr 6751
* podman run/create: support all transports
* systemd generate: allow manual restart of container units in pods
* Revert sending --remote flag to containers
* Print port mappings in `ps` for ctrs sharing network
* vendor github.com/containers/common at v0.14.3
* Update release notes for v2.0.1
* utils: drop default mapping when running uid!=0
* Set stop signal to 15 when not explicitly set
* podman untag: error if tag doesn't exist
* Reformat inspect network settings
* APIv2: Return `StatusCreated` from volume creation
* APIv2:fix: Remove `/json` from compat network EPs
* Fix ssh-agent support
* libpod: specify mappings to the storage
* APIv2:doc: Fix swagger doc to refer to volumes
* Add podman network to bash command completions
* Fix typo in manpage for `podman auto update`.
* Add JSON output field for ps
* V2 podman system connection
* image load: no args required
* Re-add PODMAN_USERNS environment variable
* Fix conflicts between privileged and other flags
* Bump required go version to 1.13
* Add explicit command to alpine container in test case.
* Use POLL_DURATION for timer
* Stop following logs using timers
* 'pod' was being truncated to 'po' in the names of the generated systemd unit files.
* rootless_linux: improve error message
* Fix podman build handling of --http-proxy flag
* correct the absolute path of `rm` executable
* Makefile: allow customizable GO_BUILD
* Cirrus: Change DEST_BRANCH to v2.0

Update to podman v2.0.0

* The `podman generate systemd` command now supports the `--new`
  flag when used with pods, allowing portable services for pods
  to be created.
* The `podman play kube` command now supports running Kubernetes
  Deployment YAML.
* The `podman exec` command now supports the `--detach` flag to
  run commands in the container in the background.
* The `-p` flag to `podman run` and `podman create` now supports
  forwarding ports to IPv6 addresses.
* The `podman run`, `podman create` and `podman pod create`
  commands now support a `--replace` flag to remove and replace any
  existing container (or, for `pod create`, pod) with the same name.
* The `--restart-policy` flag to `podman run` and `podman create`
  now supports the `unless-stopped` restart policy.
* The `--log-driver` flag to `podman run` and `podman create`
  now supports the `none` driver, which does not log the
  container's output.
* The `--mount` flag to `podman run` and `podman create` now
  accepts `readonly` option as an alias to `ro`.
* The `podman generate systemd` command now supports the `--container-prefix`,
  `--pod-prefix`, and `--separator` arguments to control the
  name of generated unit files.
* The `podman network ls` command now supports the `--filter`
  flag to filter results.
* The `podman auto-update` command now supports specifying an
  authfile to use when pulling new images on a per-container
  basis using the `io.containers.autoupdate.authfile` label.
* Fixed a bug where the `podman exec` command would log to journald
  when run in containers logging to journald
  ([#6555](https://github.com/containers/libpod/issues/6555)).
* Fixed a bug where the `podman auto-update` command would not
  preserve the OS and architecture of the original image when
  pulling a replacement
  ([#6613](https://github.com/containers/libpod/issues/6613)).
* Fixed a bug where the `podman cp` command could create an extra
  `merged` directory when copying into an existing directory
  ([#6596](https://github.com/containers/libpod/issues/6596)).
* Fixed a bug where the `podman pod stats` command would crash
  on pods run with `--network=host`
  ([#5652](https://github.com/containers/libpod/issues/5652)).
* Fixed a bug where container logs written to journald did not
  include the name of the container.
* Fixed a bug where the `podman network inspect` and
  `podman network rm` commands did not properly handle non-default
  CNI configuration paths ([#6212](https://github.com/containers/libpod/issues/6212)).
* Fixed a bug where Podman did not properly remove containers
  when using the Kata containers OCI runtime.
* Fixed a bug where `podman inspect` would sometimes incorrectly
  report the network mode of containers started with `--net=none`.
* Podman is now better able to deal with cases where `conmon`
  is killed before the container it is monitoring.

Update to podman v1.9.3:

* Fixed a bug where, on FIPS enabled hosts, FIPS mode secrets
  were not properly mounted into containers
* Fixed a bug where builds run over Varlink would hang
* Fixed a bug where podman save would fail when the target
  image was specified by digest
* Fixed a bug where rootless containers with ports forwarded to them
  could panic and dump core due to a concurrency issue (#6018)
* Fixed a bug where rootless Podman could race when opening the
  rootless user namespace, resulting in commands failing to run
* Fixed a bug where HTTP proxy environment variables forwarded into
  the container by the --http-proxy flag could not be overridden by --env or --env-file
* Fixed a bug where rootless Podman was setting resource limits on cgroups
  v2 systems that were not using systemd-managed cgroups
  (and thus did not support resource limits), resulting in containers failing to start

Update podman to v1.9.1:

* Bugfixes

  - Fixed a bug where healthchecks could become nonfunctional if
    container log paths were manually set with --log-path and
    multiple container logs were placed in the same directory
  - Fixed a bug where rootless Podman could, when using an older
    libpod.conf, print numerous warning messages about an invalid
    CGroup manager config
  - Fixed a bug where rootless Podman would sometimes fail to
    close the rootless user namespace when joining it

Update podman to v1.9.0:

* Features

  - Experimental support has been added for podman run
    --userns=auto, which automatically allocates a unique UID and
    GID range for the new container's user namespace
  - The podman play kube command now has a --network flag to
    place the created pod in one or more CNI networks
  - The podman commit command now supports an --iidfile flag to
    write the ID of the committed image to a file
  - Initial support for the new containers.conf configuration
    file has been added. containers.conf allows for much more
    detailed configuration of some Podman functionality

* Changes

  - There has been a major cleanup of the podman info command
    resulting in breaking changes. Many fields have been renamed
    to better suit usage with APIv2
  - All uses of the --timeout flag have been switched to prefer
    the alternative --time. The --timeout flag will continue to
    work, but man pages and --help will use the --time flag
    instead

* Bugfixes

  - Fixed a bug where some volume mounts from the host would
    sometimes not properly determine the flags they should use
    when mounting
  - Fixed a bug where Podman was not propagating $PATH to Conmon
    and the OCI runtime, causing issues for some OCI runtimes
    that required it
  - Fixed a bug where rootless Podman would print error messages
    about missing support for systemd cgroups when run in a
    container with no cgroup support
  - Fixed a bug where podman play kube would not properly handle
    container-only port mappings (#5610)
  - Fixed a bug where the podman container prune command was not
    pruning containers in the created and configured states
  - Fixed a bug where Podman was not properly removing CNI IP
    address allocations after a reboot (#5433)
  - Fixed a bug where Podman was not properly applying the
    default Seccomp profile when --security-opt was not given at
    the command line

* HTTP API

  - Many Libpod API endpoints have been added, including Changes,
    Checkpoint, Init, and Restore
  - Resolved issues where the podman system service command would
    time out and exit while there were still active connections
  - Stability overall has greatly improved as we prepare the API
    for a beta release soon with Podman 2.0

* Misc

  - The default infra image for pods has been upgraded to
    k8s.gcr.io/pause:3.2 (from 3.1) to address a bug in the
    architecture metadata for non-AMD64 images
  - The slirp4netns networking utility in rootless Podman now
    uses Seccomp filtering where available for improved security
  - Updated Buildah to v1.14.8
  - Updated containers/storage to v1.18.2
  - Updated containers/image to v5.4.3
  - Updated containers/common to v0.8.1

- Add 'systemd' BUILDFLAGS to build with support for journald
  logging (bsc#1162432)

Update podman to v1.8.2:

* Features

  - Initial support for automatically updating containers managed
    via Systemd unit files has been merged. This allows
    containers to automatically upgrade if a newer version of
    their image becomes available

* Bugfixes

  - Fixed a bug where unit files generated by podman generate
    systemd --new would not force containers to detach, causing
    the unit to time out when trying to start
  - Fixed a bug where podman system reset could delete important
    system directories if run as rootless on installations
    created by older Podman (#4831)
  - Fixed a bug where images built by podman build would not
    properly set the OS and Architecture they were built with
    (#5503)
  - Fixed a bug where attached podman run with --sig-proxy
    enabled (the default), when built with Go 1.14, would
    repeatedly send signal 23 to the process in the container and
    could generate errors when the container stopped (#5483)
  - Fixed a bug where rootless podman run commands could hang
    when forwarding ports
  - Fixed a bug where rootless Podman would not work when /proc
    was mounted with the hidepid option set
  - Fixed a bug where the podman system service command would use
    large amounts of CPU when --timeout was set to 0 (#5531)

* HTTP API

  - Initial support for Libpod endpoints related to creating and
    operating on image manifest lists has been added
  - The Libpod Healthcheck and Events API endpoints are now
    supported
  - The Swagger endpoint can now handle cases where no Swagger
    documentation has been generated

Update podman to v1.8.1:

* Features

  - Many networking-related flags have been added to podman pod
    create to enable customization of pod networks, including
    --add-host, --dns, --dns-opt, --dns-search, --ip,
    --mac-address, --network, and --no-hosts
  - The podman ps --format=json command now includes the ID of
    the image containers were created with
  - The podman run and podman create commands now feature an
    --rmi flag to remove the image the container was using after
    it exits (if no other containers are using said image)
    ([#4628](https://github.com/containers/libpod/issues/4628))
  - The podman create and podman run commands now support the
    --device-cgroup-rule flag (#4876)
  - While the HTTP API remains in alpha, many fixes and additions
    have landed. These are documented in a separate subsection
    below
  - The podman create and podman run commands now feature a
    --no-healthcheck flag to disable healthchecks for a container
    (#5299)
  - Containers now recognize the io.containers.capabilities
    label, which specifies a list of capabilities required by the
    image to run. These capabilities will be used as long as they
    are more restrictive than the default capabilities used
  - YAML produced by the podman generate kube command now
    includes SELinux configuration passed into the container via
    --security-opt label=... (#4950)

* Bugfixes

  - Fixed CVE-2020-1726, a security issue where volumes manually
    populated before first being mounted into a container could
    have those contents overwritten on first being mounted into a
    container
  - Fixed a bug where Podman containers with user namespaces in
    CNI networks with the DNS plugin enabled would not have the
    DNS plugin's nameserver added to their resolv.conf
    ([#5256](https://github.com/containers/libpod/issues/5256))
  - Fixed a bug where trailing / characters in image volume
    definitions could cause them to not be overridden by a
    user-specified mount at the same location
    ([#5219](https://github.com/containers/libpod/issues/5219))
  - Fixed a bug where the label option in libpod.conf, used to
    disable SELinux by default, was not being respected (#5087)
  - Fixed a bug where the podman login and podman logout commands
    required the registry to log into be specified (#5146)
  - Fixed a bug where detached rootless Podman containers could
    not forward ports (#5167)
  - Fixed a bug where rootless Podman could fail to run if the
    pause process had died
  - Fixed a bug where Podman ignored labels that were specified
    with only a key and no value (#3854)
  - Fixed a bug where Podman would fail to create named volumes
    when the backing filesystem did not support SELinux labelling
    (#5200)
  - Fixed a bug where --detach-keys='' would not disable
    detaching from a container (#5166)
  - Fixed a bug where the podman ps command was too aggressive
    when filtering containers and would force --all on in too
    many situations
  - Fixed a bug where the podman play kube command was ignoring
    image configuration, including volumes, working directory,
    labels, and stop signal (#5174)
  - Fixed a bug where the Created and CreatedTime fields in
    podman images --format=json were misnamed, which also broke
    Go template output for those fields
    ([#5110](https://github.com/containers/libpod/issues/5110))
  - Fixed a bug where rootless Podman containers with ports
    forwarded could hang when started (#5182)
  - Fixed a bug where podman pull could fail to parse registry
    names including port numbers
  - Fixed a bug where Podman would incorrectly attempt to
    validate image OS and architecture when starting containers
  - Fixed a bug where Bash completion for podman build -f would
    not list available files that could be built (#3878)
  - Fixed a bug where podman commit --change would perform
    incorrect validation, resulting in valid changes being
    rejected (#5148)
  - Fixed a bug where podman logs --tail could take large amounts
    of memory when the log file for a container was large (#5131)
  - Fixed a bug where Podman would sometimes incorrectly generate
    firewall rules on systems using firewalld
  - Fixed a bug where the podman inspect command would not
    display network information for containers properly if a
    container joined multiple CNI networks
    ([#4907](https://github.com/containers/libpod/issues/4907))
  - Fixed a bug where the --uts flag to podman create and podman
    run would only allow specifying containers by full ID (#5289)
  - Fixed a bug where rootless Podman could segfault when passed
    a large number of file descriptors
  - Fixed a bug where the podman port command was incorrectly
    interpreting additional arguments as container names, instead
    of port numbers
  - Fixed a bug where units created by podman generate systemd
    did not depend on network targets, and so could start before
    the system network was ready (#4130)
  - Fixed a bug where exec sessions in containers which did not
    specify a user would not inherit supplemental groups added to
    the container via --group-add
  - Fixed a bug where Podman would not respect the $TMPDIR
    environment variable for placing large temporary files during
    some operations (e.g. podman pull)
    ([#5411](https://github.com/containers/libpod/issues/5411))

* HTTP API

  - Initial support for secure connections to servers via SSH
    tunneling has been added
  - Initial support for the libpod create and logs endpoints for
    containers has been added
  - Added a /swagger/ endpoint to serve API documentation
  - The json endpoint for containers has received many fixes
  - Filtering images and containers has been greatly improved,
    with many bugs fixed and documentation improved
  - Image creation endpoints (commit, pull, etc) have seen many
    fixes
  - Server timeout has been fixed so that long operations will no
    longer trigger the timeout and shut the server down
  - The stats endpoint for containers has seen major fixes and
    now provides accurate output
  - Handling the HTTP 304 status code has been fixed for all
    endpoints
  - Many fixes have been made to API documentation to ensure it
    matches the code

* Misc

  - The Created field to podman images --format=json has been
    renamed to CreatedSince as part of the fix for (#5110). Go
    templates using the old name should still work
  - The CreatedTime field to podman images --format=json has been
    renamed to CreatedAt as part of the fix for (#5110). Go
    templates using the old name should still work
  - The before filter to podman images has been renamed to since
    for Docker compatibility. Using before will still work, but
    documentation has been changed to use the new since filter
  - Using the --password flag to podman login now warns that
    passwords are being passed in plaintext
  - Some common cases where Podman would deadlock have been fixed
    to warn the user that podman system renumber must be run to
    resolve the deadlock

- Configure br_netfilter for podman automatically (bsc#1165738)
  The trigger is only executed when updating podman-cni-config while the
  command was running

conmon was updated to v2.0.20 (bsc#1175821)

- journald: fix logging container name
- container logging: Implement none driver - 'off', 'null' or
  'none' all work.
- ctrl: warn if we fail to unlink
- Drop fsync calls
- Reap PIDs before running exit command
- Fix log path parsing
- Add --sync option to prevent conmon from double forking
- Add --no-sync-log option to instruct conmon to not sync the
  logs of the containers upon shutting down. This feature fixes a
  regression where we unconditionally dropped the log sync. It is
  possible the container logs could be corrupted on a sudden
  power-off. If you need container logs to remain in consistent
  state after a sudden shutdown, please update from v2.0.19 to
  v2.0.20

- Update to v2.0.17:

  - Add option to delay execution of exit command

- Update to v2.0.16:

  - tty: flush pending data when fd is ready

- Enable support for journald logging (bsc#1162432)
- Update to v2.0.15:

  - store status while waiting for pid

- Update to v2.0.14:

  - drop usage of splice(2)
  - avoid hanging on stdin
  - stdio: sometimes quit main loop after io is done
  - ignore sigpipe

- Update to v2.0.12

  - oom: fix potential race between verification steps

- Update to v2.0.11

  - log: reject --log-tag with k8s-file
  - chmod std files pipes
  - adjust score to -1000 to prevent conmon from ever being OOM
    killed
  - container OOM: verify cgroup hasn't been cleaned up before
    reporting OOM
  - journal logging: write to /dev/null instead of -1

fuse-overlayfs was updated to 1.1.2 (bsc#1175821):

- fix memory leak when creating whiteout files.
- fix lookup for overflow uid when it is different than the overflow gid.
- use openat2(2) when available.
- accept 'ro' as mount option.
- fix set mtime for a symlink.
- fix some issues reported by static analysis.
- fix potential infinite loop on a short read.
- fix creating a directory if the destination already exists
  in the upper layer.
- report correctly the number of links for a directory also for
  subsequent stat calls
- stop looking up the ino in the lower layers if the file could
  not be opened
- make sure the destination is deleted before doing a rename(2).
  It prevents a left over directory to cause delete to fail with
  EEXIST.
- honor --debug.

libcontainers-common was updated to fix:

- Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)
- Added containers/common tarball for containers.conf(5) man page
- Install containers.conf default configuration in
  /usr/share/containers
- libpod repository on github got renamed to podman
- Update to image 5.5.1
  - Add documentation for credHelpers
  - Add defaults for using the rootless policy path
- Update libpod/podman to 2.0.3
  - docs: user namespace can't be shared in pods
  - Switch references from libpod.conf to containers.conf
  - Allow empty host port in --publish flag
  - update document login see config.json as valid
- Update storage to 1.20.2
  - Add back skip_mount_home

- Remove remaining difference between SLE and openSUSE package and
  ship the same mounts.conf default configuration on both platforms.
  As the sources for the mount point do not exist on openSUSE by
  default this config will basically have no effect on openSUSE.
  (jsc#SLE-12122, bsc#1175821)

- Update to image 5.4.4
  - Remove registries.conf VERSION 2 references from man page
  - Initial authfile man page
  - Add $HOME/.config/containers/certs.d to perHostCertDirPath
  - Add $HOME/.config/containers/registries.conf to config path
  - registries.conf.d: add stances for the registries.conf
- update to libpod 1.9.3
  - userns: support --userns=auto
  - Switch to using --time as opposed to --timeout to better match Docker
  - Add support for specifying CNI networks in podman play kube
  - man pages: fix inconsistencies
- Update to storage 1.19.1
  - userns: add support for auto
  - store: change the default user to containers
  - config: honor XDG_CONFIG_HOME
- Remove the /var/lib/ca-certificates/pem/SUSE.pem workaround again.
  It never ended up in SLES and a different way to fix the underlying
  problem is being worked on.

- Add registry.opensuse.org as default registry [bsc#1171578] 

- Add /var/lib/ca-certificates/pem/SUSE.pem to the SLES mounts.
  This for making container-suseconnect working in the public
  cloud on-demand images. It needs that file for being able to
  verify the server certificates of the RMT servers hosted
  in the public cloud.
  (https://github.com/SUSE/container-suseconnect/issues/41)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2965-1
Released:    Tue Oct 20 13:27:21 2020
Summary:     Recommended update for cni, cni-plugins
Type:        recommended
Severity:    moderate
References:  1172786

This update ships cni and cni-plugins to the Public Cloud Module of SUSE Linux Enterprise 15 SP2.
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1954-1
Released:    Fri Jun 11 10:45:09 2021
Summary:     Security update for containerd, docker, runc
Type:        security
Severity:    important
References:  1168481,1175081,1175821,1181594,1181641,1181677,1181730,1181732,1181749,1182451,1182476,1182947,1183024,1183855,1184768,1184962,1185405,CVE-2021-21284,CVE-2021-21285,CVE-2021-21334,CVE-2021-30465
This update for containerd, docker, runc fixes the following issues:

Docker was updated to 20.10.6-ce (bsc#1184768, bsc#1182947, bsc#1181594)

* Switch version to use -ce suffix rather than _ce to avoid confusing other
  tools (bsc#1182476).
* CVE-2021-21284: Fixed a potential privilege escalation when the root user in 
  the remapped namespace has access to the host filesystem (bsc#1181732)
* CVE-2021-21285: Fixed an issue where pulling a malformed Docker image manifest 
  crashes the dockerd daemon (bsc#1181730). 
* btrfs quotas being removed by Docker regularly (bsc#1183855, bsc#1175081)

runc was updated to v1.0.0~rc93 (bsc#1182451, bsc#1175821 bsc#1184962).

* Use the upstream runc package (bsc#1181641, bsc#1181677, bsc#1175821).
* Fixed /dev/null is not available (bsc#1168481).
* CVE-2021-30465: Fixed a symlink-exchange attack vulnerability (bsc#1185405).

containerd was updated to v1.4.4

* CVE-2021-21334: Fixed a potential information leak through environment variables (bsc#1183397).
* Handle a requirement from docker (bsc#1181594).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2962-1
Released:    Mon Sep  6 18:23:01 2021
Summary:     Recommended update for runc
Type:        recommended
Severity:    critical
References:  1189743
This update for runc fixes the following issues:

- Fixed an issue when toolbox container fails to start. (bsc#1189743)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3506-1
Released:    Mon Oct 25 10:20:22 2021
Summary:     Security update for containerd, docker, runc
Type:        security
Severity:    important
References:  1102408,1185405,1187704,1188282,1190826,1191015,1191121,1191334,1191355,1191434,CVE-2021-30465,CVE-2021-32760,CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103
This update for containerd, docker, runc fixes the following issues:

Docker was updated to 20.10.9-ce. (bsc#1191355)

See upstream changelog in the packaged
/usr/share/doc/packages/docker/CHANGELOG.md.

This release addresses CVE-2021-41092, CVE-2021-41089, CVE-2021-41091 and CVE-2021-41103.

containerd was updated to v1.4.11 to fix CVE-2021-41103 (bsc#1191355).

- CVE-2021-32760: Fixed an issue where the archive package allowed chmod of files outside the unpack target directory (bsc#1188282)

- Install systemd service file as well (bsc#1190826)

Update to runc v1.0.2. Upstream changelog is available from

  https://github.com/opencontainers/runc/releases/tag/v1.0.2

* Fixed a failure to set CPU quota period in some cases on cgroup v1.
* Fixed the inability to start a container with the 'adding seccomp filter
  rule for syscall ...' error, caused by redundant seccomp rules (i.e. those
  that have an action equal to the default one). Such redundant rules are now
  skipped.
* Made release builds reproducible from now on.
* Fixed a rare debug log race in runc init, which can result in occasional
  harmful 'failed to decode ...' errors from runc run or exec.
* Fixed the check in cgroup v1 systemd manager if a container needs to be
  frozen before Set, and add a setting to skip such freeze unconditionally.
  The previous fix for that issue, done in runc 1.0.1, was not working.

Update to runc v1.0.1. Upstream changelog is available from

https://github.com/opencontainers/runc/releases/tag/v1.0.1

* Fixed occasional runc exec/run failure ('interrupted system call') on an
  Azure volume.
* Fixed 'unable to find groups ... token too long' error with /etc/group
  containing lines longer than 64K characters.
* cgroup/systemd/v1: fix leaving cgroup frozen after Set if a parent cgroup is
  frozen. This is a regression in 1.0.0, not affecting runc itself but some
  of libcontainer users (e.g Kubernetes).
* cgroupv2: bpf: Ignore inaccessible existing programs in case of
  permission error when handling replacement of existing bpf cgroup
  programs. This fixes a regression in 1.0.0, where some SELinux
  policies would block runc from being able to run entirely.
* cgroup/systemd/v2: don't freeze cgroup on Set.
* cgroup/systemd/v1: avoid unnecessary freeze on Set.
- fix issues with runc under openSUSE MicroOS's SELinux policy. bsc#1187704

Update to runc v1.0.0. Upstream changelog is available from

https://github.com/opencontainers/runc/releases/tag/v1.0.0

! The usage of relative paths for mountpoints will now produce a warning
  (such configurations are outside of the spec, and in future runc will
  produce an error when given such configurations).
* cgroupv2: devices: rework the filter generation to produce consistent
  results with cgroupv1, and always clobber any existing eBPF
  program(s) to fix runc update and avoid leaking eBPF programs
  (resulting in errors when managing containers).
* cgroupv2: correctly convert 'number of IOs' statistics in a
  cgroupv1-compatible way.
* cgroupv2: support larger than 32-bit IO statistics on 32-bit architectures.
* cgroupv2: wait for freeze to finish before returning from the freezing
  code, optimize the method for checking whether a cgroup is frozen.
* cgroups/systemd: fixed 'retry on dbus disconnect' logic introduced in rc94
* cgroups/systemd: fixed returning 'unit already exists' error from a systemd
  cgroup manager (regression in rc94)
+ cgroupv2: support SkipDevices with systemd driver
+ cgroup/systemd: return, not ignore, stop unit error from Destroy
+ Make 'runc --version' output sane even when built with go get or
  otherwise outside of our build scripts.
+ cgroups: set SkipDevices during runc update (so we don't modify
  cgroups at all during runc update).
+ cgroup1: blkio: support BFQ weights.
+ cgroupv2: set per-device io weights if BFQ IO scheduler is available.

Update to runc v1.0.0~rc95. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc95

This release of runc contains a fix for CVE-2021-30465, and users are
strongly recommended to update (especially if you are providing
semi-limited access to spawn containers to untrusted users). (bsc#1185405)

Update to runc v1.0.0~rc94. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc94

Breaking Changes:
* cgroupv1: kernel memory limits are now always ignored, as kmemcg has
  been effectively deprecated by the kernel. Users should make use of regular
  memory cgroup controls.

Regression Fixes:

* seccomp: fix 32-bit compilation errors
* runc init: fix a hang caused by deadlock in seccomp/ebpf loading code
* runc start: fix 'chdir to cwd: permission denied' for some setups

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:4171-1
Released:    Thu Dec 23 09:55:13 2021
Summary:     Security update for runc
Type:        security
Severity:    moderate
References:  1193436,CVE-2021-43784
This update for runc fixes the following issues:

Update to runc v1.0.3. 
    
* CVE-2021-43784: Fixed a potential vulnerability related to the internal usage
  of netlink, which is believed to not be exploitable with any released versions of runc (bsc#1193436)
* Fixed inability to start a container with read-write bind mount of a read-only fuse host mount.
* Fixed inability to start when a read-only /dev is set in the spec.
* Fixed not removing sub-cgroups upon container delete, when rootless cgroup
  v2 is used with older systemd.
* Fixed returning error from GetStats when hugetlb is unsupported (which
  causes excessive logging for kubernetes).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:943-1
Released:    Thu Mar 24 12:52:54 2022
Summary:     Security update for slirp4netns
Type:        security
Severity:    moderate
References:  1179467,CVE-2020-29130
This update for slirp4netns fixes the following issues:

- CVE-2020-29130: Fixed an invalid memory access while processing ARP packets (bsc#1179467).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2341-1
Released:    Fri Jul  8 16:09:12 2022
Summary:     Security update for containerd, docker and runc
Type:        security
Severity:    important
References:  1192051,1199460,1199565,1200088,1200145,CVE-2022-29162,CVE-2022-31030
This update for containerd, docker and runc fixes the following issues:

containerd:

- CVE-2022-31030: Fixed denial of service via invocation of the ExecSync API (bsc#1200145)

docker:

- Update to Docker 20.10.17-ce. See upstream changelog online at
  https://docs.docker.com/engine/release-notes/#201017. (bsc#1200145)

runc:

Update to runc v1.1.3.

Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.3.

* Our seccomp `-ENOSYS` stub now correctly handles multiplexed syscalls on
  s390 and s390x. This solves the issue where syscalls the host kernel did not
  support would return `-EPERM` despite the existence of the `-ENOSYS` stub
  code (this was due to how s390x does syscall multiplexing).
* Retry on dbus disconnect logic in libcontainer/cgroups/systemd now works as
  intended; this fix does not affect runc binary itself but is important for
  libcontainer users such as Kubernetes.
* Inability to compile with recent clang due to an issue with duplicate
  constants in libseccomp-golang.
* When using systemd cgroup driver, skip adding device paths that don't exist,
  to stop systemd from emitting warnings about those paths.
* Socket activation was failing when more than 3 sockets were used.
* Various CI fixes.
* Allow to bind mount /proc/sys/kernel/ns_last_pid to inside container.
- Fixed issues with newer syscalls (namely faccessat2) on older kernels on s390(x) caused by
  that platform's syscall multiplexing semantics. (bsc#1192051 bsc#1199565)

Update to runc v1.1.2.

Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.2.

Security issue fixed:

- CVE-2022-29162: A bug was found in runc where runc exec --cap executed processes with
  non-empty inheritable Linux process capabilities, creating an atypical Linux
  environment. (bsc#1199460)

- `runc spec` no longer sets any inheritable capabilities in the created
  example OCI spec (`config.json`) file.
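
The inheritable-capability condition described above, checked from outside the process: this is an added Go example and not runc's own code. It parses the Cap* masks out of the text of /proc/<pid>/status and reports whether a process carries a non-empty inheritable set, which is what an affected `runc exec --cap` produced; the two status samples are constructed, and the function and variable names are this example's own.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// capsFromStatus parses the Cap* lines (CapInh, CapPrm, CapEff, CapBnd,
// CapAmb) out of the text of a /proc/<pid>/status file and returns the
// 64-bit masks keyed by field name.
func capsFromStatus(status string) (map[string]uint64, error) {
	caps := make(map[string]uint64)
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		name, val, ok := strings.Cut(sc.Text(), ":")
		if !ok || !strings.HasPrefix(name, "Cap") {
			continue
		}
		mask, err := strconv.ParseUint(strings.TrimSpace(val), 16, 64)
		if err != nil {
			return nil, fmt.Errorf("parsing %s: %w", name, err)
		}
		caps[name] = mask
	}
	return caps, sc.Err()
}

// inheritableLeak reports whether the inheritable set is non-empty. A process
// started by runc exec normally carries CapInh=0, so a non-zero value is the
// condition the CVE-2022-29162 fix rules out. Added illustration, not runc code.
func inheritableLeak(caps map[string]uint64) bool {
	return caps["CapInh"] != 0
}

// checkProcess reads the live status of a running process; "self" also works.
func checkProcess(pid string) (bool, error) {
	data, err := os.ReadFile("/proc/" + pid + "/status")
	if err != nil {
		return false, err
	}
	caps, err := capsFromStatus(string(data))
	if err != nil {
		return false, err
	}
	return inheritableLeak(caps), nil
}

// Constructed samples (not captured from a real system): the first resembles
// a process exec'd with --cap by an affected runc, where the inheritable set
// mirrors the effective set; the second is what a fixed runc produces.
const statusAffected = `Name:	sh
CapInh:	00000000a80425fb
CapPrm:	00000000a80425fb
CapEff:	00000000a80425fb
CapBnd:	00000000a80425fb
CapAmb:	0000000000000000
`

const statusFixed = `Name:	sh
CapInh:	0000000000000000
CapPrm:	00000000a80425fb
CapEff:	00000000a80425fb
CapBnd:	00000000a80425fb
CapAmb:	0000000000000000
`

func main() {
	for label, s := range map[string]string{"affected": statusAffected, "fixed": statusFixed} {
		caps, err := capsFromStatus(s)
		if err != nil {
			fmt.Println(label, "error:", err)
			continue
		}
		fmt.Printf("%-8s CapInh=%016x leak=%v\n", label, caps["CapInh"], inheritableLeak(caps))
	}
	if leak, err := checkProcess("self"); err == nil {
		fmt.Println("this process has a non-empty inheritable set:", leak)
	}
}
```

Running the same check against `/proc/<pid>/status` of a process started inside a container is a quick way to confirm that the runc in use clears the inheritable set.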

Update to runc v1.1.1.

Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.1.

* runc run/start can now run a container with read-only /dev in OCI spec,
  rather than error out. (#3355)
* runc exec now ensures that --cgroup argument is a sub-cgroup. (#3403)
* libcontainer systemd v2 manager no longer errors out if one of the files
  listed in /sys/kernel/cgroup/delegate does not exist in the container's
  cgroup. (#3387, #3404)
* Loosen OCI spec validation to avoid bogus 'Intel RDT is not supported'
  error. (#3406)
* libcontainer/cgroups no longer panics in cgroup v1 managers if stat
  of /sys/fs/cgroup/unified returns an error other than ENOENT. (#3435)

Update to runc v1.1.0.

Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.0.

- libcontainer will now refuse to build without the nsenter package being
  correctly compiled (specifically this requires CGO to be enabled). This
  should avoid folks accidentally creating broken runc binaries (and
  incorrectly importing our internal libraries into their projects). (#3331)

Update to runc v1.1.0~rc1.

Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.0-rc.1.

+ Add support for RDMA cgroup added in Linux 4.11.
* runc exec now produces exit code of 255 when the exec failed.
  This may help in distinguishing between runc exec failures
  (such as invalid options, non-running container or non-existent
  binary etc.) and failures of the command being executed.
+ runc run: new --keep option to skip removal of exited containers' artefacts.
  This might be useful to check the state (e.g. of cgroup controllers) after
  the container has exited.
+ seccomp: add support for SCMP_ACT_KILL_PROCESS and SCMP_ACT_KILL_THREAD
  (the latter is just an alias for SCMP_ACT_KILL).
+ seccomp: add support for SCMP_ACT_NOTIFY (seccomp actions). This allows
  users to create sophisticated seccomp filters where syscalls can be
  efficiently emulated by privileged processes on the host.
+ checkpoint/restore: add an option (--lsm-mount-context) to set
  a different LSM mount context on restore.
+ intelrdt: support ClosID parameter.
+ runc exec --cgroup: an option to specify a (non-top) in-container cgroup
  to use for the process being executed.
+ cgroup v1 controllers now support hybrid hierarchy (i.e. when on a cgroup v1
  machine a cgroup2 filesystem is mounted to /sys/fs/cgroup/unified, runc
  run/exec now adds the container to the appropriate cgroup under it).
+ sysctl: allow slashes in sysctl names, to better match sysctl(8)'s
  behaviour.
+ mounts: add support for bind-mounts which are inaccessible after switching
  the user namespace. Note that this does not permit the container any
  additional access to the host filesystem, it simply allows containers to
  have bind-mounts configured for paths the user can access but have
  restrictive access control settings for other users.
+ Add support for recursive mount attributes using mount_setattr(2). These
  have the same names as the proposed mount(8) options -- just prepend r
  to the option name (such as rro).
+ Add runc features subcommand to allow runc users to detect what features
  runc has been built with. This includes critical information such as
  supported mount flags, hook names, and so on. Note that the output of this
  command is subject to change and will not be considered stable until runc
  1.2 at the earliest. The runtime-spec specification for this feature is
  being developed in opencontainers/runtime-spec#1130.
* system: improve performance of /proc/$pid/stat parsing.
* cgroup2: when /sys/fs/cgroup is configured as a read-write mount, change
  the ownership of certain cgroup control files (as per
  /sys/kernel/cgroup/delegate) to allow for proper deferral to the container
  process.
* runc checkpoint/restore: fixed for containers with an external bind mount
  which destination is a symlink.
* cgroup: improve openat2 handling for cgroup directory handle hardening.
* runc delete -f now succeeds (rather than timing out) on a paused
  container.
* runc run/start/exec now refuses a frozen cgroup (paused container in case of
  exec). Users can disable this using --ignore-paused.
- Update version data embedded in binary to correctly include the git commit of the release.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2360-1
Released:    Tue Jul 12 12:01:39 2022
Summary:     Security update for pcre2
Type:        security
Severity:    important
References:  1199232,CVE-2022-1586
This update for pcre2 fixes the following issues:

- CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2566-1
Released:    Wed Jul 27 15:04:49 2022
Summary:     Security update for pcre2
Type:        security
Severity:    important
References:  1199235,CVE-2022-1587
This update for pcre2 fixes the following issues:

- CVE-2022-1587: Fixed out-of-bounds read due to bug in recursions (bsc#1199235).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2834-1
Released:    Wed Aug 17 16:51:55 2022
Summary:     Security update for podman
Type:        security
Severity:    important
References:  1182428,1196338,1197284,CVE-2022-1227,CVE-2022-21698,CVE-2022-27191
This update for podman fixes the following issues:

Updated to version 3.4.7:
- CVE-2022-1227: Fixed an issue that could allow an attacker to publish
  a malicious image to a public registry and run arbitrary code in the
  victim's context via the 'podman top' command (bsc#1182428).
- CVE-2022-27191: Fixed a potential crash via SSH under specific
  configurations (bsc#1197284).
- CVE-2022-21698: Fixed a potential denial of service that affected
  servers that used Prometheus instrumentation (bsc#1196338).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3435-1
Released:    Tue Sep 27 14:55:38 2022
Summary:     Recommended update for runc
Type:        recommended
Severity:    important
References:  1202821
This update for runc fixes the following issues:

- Fix mounting via wrong proc fd. When the user and mount namespaces are used, and the bind mount is followed by the 
  cgroup mount in the spec, the cgroup was mounted using the bind mount's mount fd.
- Fix 'permission denied' error from runc run on noexec fs
- Fix regression causing a failed 'exec' error after systemctl daemon-reload (bsc#1202821)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3820-1
Released:    Mon Oct 31 12:52:56 2022
Summary:     Security update for podman
Type:        security
Severity:    moderate
References:  1202809,CVE-2022-2989
This update for podman fixes the following issues:

- CVE-2022-2989: Fixed possible information disclosure and modification (bsc#1202809).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3927-1
Released:    Wed Nov  9 14:55:47 2022
Summary:     Recommended update for runc
Type:        recommended
Severity:    moderate
References:  1202021,1202821
This update for runc fixes the following issues:

- Update to runc v1.1.4 (bsc#1202021)
- Fix failed exec after systemctl daemon-reload (bsc#1202821)
- Fix mounting via wrong proc
- Fix 'permission denied' error from runc run on noexec filesystem

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4592-1
Released:    Tue Dec 20 16:51:35 2022
Summary:     Security update for cni
Type:        security
Severity:    important
References:  1181961,CVE-2021-20206
This update for cni fixes the following issues:

- CVE-2021-20206: Fixed arbitrary path injection via type field in CNI configuration (bsc#1181961).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4593-1
Released:    Tue Dec 20 16:55:16 2022
Summary:     Security update for cni-plugins
Type:        security
Severity:    important
References:  1181961,CVE-2021-20206
This update for cni-plugins fixes the following issues:

- CVE-2021-20206: Fixed arbitrary path injection via type field in CNI configuration (bsc#1181961).
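
The kind of check that the CVE-2021-20206 description calls for, as an added Go example that is not the cni project's own fix: it parses a CNI network configuration, accepts only a bare plugin name in the `type` field, and confirms that the resolved plugin binary stays inside the plugin directory. The two configuration documents and the /opt/cni/bin directory are constructed sample values, and the function names are this example's own.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// netConf carries the CNI network configuration fields used here. The "type"
// field names the plugin binary that the runtime looks up in its plugin
// directory and executes.
type netConf struct {
	CNIVersion string `json:"cniVersion"`
	Name       string `json:"name"`
	Type       string `json:"type"`
}

var errBadPluginType = errors.New("invalid CNI plugin type")

// validatePluginType accepts only a bare file name, so a configuration file
// cannot name a binary outside the plugin directory. Added defensive check
// written for illustration; it is not the libcni fix.
func validatePluginType(t string) error {
	switch {
	case t == "" || t == "." || t == "..":
		return fmt.Errorf("%w: empty or dot name %q", errBadPluginType, t)
	case strings.ContainsAny(t, `/\`):
		return fmt.Errorf("%w: path separator in %q", errBadPluginType, t)
	case filepath.Base(t) != t:
		return fmt.Errorf("%w: %q is not a bare name", errBadPluginType, t)
	}
	return nil
}

// pluginPath parses one CNI config document and returns the plugin binary
// path inside pluginDir, or an error if the type field is unacceptable. The
// final containment check is defence in depth over the name rules.
func pluginPath(pluginDir string, conf []byte) (string, error) {
	var nc netConf
	if err := json.Unmarshal(conf, &nc); err != nil {
		return "", fmt.Errorf("parsing CNI config: %w", err)
	}
	if err := validatePluginType(nc.Type); err != nil {
		return "", err
	}
	p := filepath.Join(pluginDir, nc.Type)
	if rel, err := filepath.Rel(pluginDir, p); err != nil || rel != nc.Type {
		return "", fmt.Errorf("%w: %q resolves outside %s", errBadPluginType, nc.Type, pluginDir)
	}
	return p, nil
}

// Constructed sample inputs; the plugin directory is a placeholder path.
const pluginDir = "/opt/cni/bin"

var (
	confOK   = []byte(`{"cniVersion":"0.4.0","name":"podman","type":"bridge"}`)
	confBad  = []byte(`{"cniVersion":"0.4.0","name":"rogue","type":"../rogue"}`)
	confBad2 = []byte(`{"cniVersion":"0.4.0","name":"rogue","type":"/usr/bin/env"}`)
)

func main() {
	for _, c := range [][]byte{confOK, confBad, confBad2} {
		p, err := pluginPath(pluginDir, c)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("would execute:", p)
	}
}
```

The same rule applies to any field that is later joined onto a trusted directory: reject separators and dot names first, then verify containment of the joined result rather than trusting the string.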

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:4618-1
Released:    Fri Dec 23 13:02:31 2022
Summary:     Recommended update for catatonit
Type:        recommended
Severity:    moderate
References:  
This update for catatonit fixes the following issues:

Update to catatonit v0.1.7:

- This release adds the ability for catatonit to be used as the only
  process in a pause container, by passing the -P flag (in this mode no
  subprocess is spawned and thus no signal forwarding is done). 

Update to catatonit v0.1.6:

- Fixes a few bugs, mainly ones related to socket activation
  or features somewhat adjacent to socket activation (such as passing
  file descriptors).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4635-1
Released:    Thu Dec 29 12:31:19 2022
Summary:     Security update for conmon
Type:        security
Severity:    moderate
References:  1200285,CVE-2022-1708
This update for conmon fixes the following issues:

conmon was updated to version 2.1.5:

* don't leak syslog_identifier
* logging: do not read more than the buf size
* logging: fix error handling
* Makefile: Fix install for FreeBSD
* signal: Track changes to get_signal_descriptor in the FreeBSD version
* Packit: initial enablement

Update to version 2.1.4:

* Fix a bug where conmon crashed when it got a SIGCHLD

Update to version 2.1.3:

* Stop using g_unix_signal_add() to avoid threads
* Rename CLI option log-size-global-max to log-global-size-max

Update to version 2.1.2:

* add log-global-size-max option to limit the total output of conmon processes (CVE-2022-1708 bsc#1200285)
* journald: print tag and name if both are specified
* drop some logs to debug level

Update to version 2.1.0

* logging: buffer partial messages to journald
* exit: close all fds >= 3
* fix: cgroup: Free memory_cgroup_file_path if open fails.

Update to version 2.0.32

* Fix: Avoid mainfd_std{in,out} sharing the same file descriptor.
* exit_command: Fix: unset subreaper attribute before running exit command

Update to version 2.0.31

* logging: new mode -l passthrough
* ctr_logs: use container name or ID as SYSLOG_IDENTIFIER for journald
* conmon: Fix: free userdata files before exec cleanup

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:187-1
Released:    Fri Jan 27 11:26:55 2023
Summary:     Security update for podman
Type:        security
Severity:    important
References:  1181640,1181961,1193166,1193273,1197672,1199790,1202809,CVE-2021-20199,CVE-2021-20206,CVE-2021-4024,CVE-2021-41190,CVE-2022-27649,CVE-2022-2989
This update for podman fixes the following issues:

podman was updated to version 4.3.1:

4.3.1:

* Bugfixes

- Fixed a deadlock between the `podman ps` and `podman container inspect` commands

* Misc

- Updated the containers/image library to v5.23.1
 
4.3.0:

* Features

- A new command, `podman generate spec`, has been added, which creates a JSON struct based on a given container that can be used with the Podman REST API to create containers.
- A new command, `podman update`, has been added, which makes changes to the resource limits of existing containers. Please note that these changes do not persist if the container is restarted.
- A new command, `podman kube down`, has been added, which removes pods and containers created by the given Kubernetes YAML (functionality is identical to `podman kube play --down`, but it now has its own command).
- The `podman kube play` command now supports Kubernetes secrets using Podman's secrets backend.
- Systemd-managed pods created by the `podman kube play` command now integrate with sd-notify, using the `io.containers.sdnotify` annotation (or `io.containers.sdnotify/$name` for specific containers).
- Systemd-managed pods created by `podman kube play` can now be auto-updated, using the `io.containers.auto-update` annotation (or `io.containers.auto-update/$name` for specific containers).
- The `podman kube play` command can now read YAML from URLs, e.g. `podman kube play https://example.com/demo.yml`
- The `podman kube play` command now supports the `emptyDir` volume type
- The `podman kube play` command now supports the `HostUsers` field in the pod spec.
- The `podman play kube` command now supports `binaryData` in ConfigMaps.
- The `podman pod create` command can now set additional resource limits for pods using the new `--memory-swap`, `--cpuset-mems`, `--device-read-bps`, `--device-write-bps`, `--blkio-weight`, `--blkio-weight-device`, and `--cpu-shares` options.
- The `podman machine init` command now supports a new option, `--username`, to set the username that will be used to connect to the VM as a non-root user
- The `podman volume create` command's `-o timeout=` option can now set a timeout of 0, indicating volume plugin operations will never time out.
- Added support for a new volume driver, `image`, which allows volumes to be created that are backed by images.
- The `podman run` and `podman create` commands support a new option, `--env-merge`, allowing environment variables to be specified relative to other environment variables in the image (e.g. `podman run --env-merge 'PATH=$PATH:/my/app' ...`)
- The `podman run` and `podman create` commands support a new option, `--on-failure`, to allow action to be taken when a container fails health checks, with the following supported actions: `none` (take no action, the default), `kill` (kill the container), `restart` (restart the container), and `stop` (stop the container).
- The `--keep-id` option to `podman create` and `podman run` now supports new options, `uid` and `gid`, to set the UID and GID of the user in the container that will be mapped to the user running Podman (e.g. `--userns=keep-id:uid=11` will map the user running Podman to UID 11 in the container)
- The `podman generate systemd` command now supports a new option, `--env`/`-e`, to set environment variables in the generated unit file
- The `podman pause` and `podman unpause` commands now support the `--latest`, `--cidfile`, and `--filter` options.
- The `podman restart` command now supports the `--cidfile` and `--filter` options.
- The `podman rm` command now supports the `--filter` option to select which containers will be removed.
- The `podman rmi` command now supports a new option, `--no-prune`, to prevent the removal of dangling parents of removed images.
- The `--dns-opt` option to `podman create`, `podman run`, and `podman pod create` has received a new alias, `--dns-option`, to improve Docker compatibility.
- The `podman` command now features a new global flag, `--debug`/`-D`, which enables debug-level logging (identical to `--log-level=debug`), improving Docker compatibility.
- The `podman` command now features a new global flag, `--config`. This flag is ignored, and is only included for Docker compatibility
- The `podman manifest create` command now accepts a new option, `--amend`/`-a`.
- The `podman manifest create`, `podman manifest add` and `podman manifest push` commands now accept a new option, `--insecure` (identical to `--tls-verify=false`), improving Docker compatibility.
- The `podman secret create` command's `--driver` and `--format` options now have new aliases, `-d` for `--driver` and `-f` for `--format`.
- The `podman secret create` command now supports a new option, `--label`/`-l`, to add labels to created secrets.
- The `podman secret ls` command now accepts the `--quiet`/`-q` option.
- The `podman secret inspect` command now accepts a new option, `--pretty`, to print output in human-readable format.
- The `podman stats` command now accepts the `--no-trunc` option.
- The `podman save` command now accepts the `--signature-policy` option.
- The `podman pod inspect` command now allows multiple arguments to be passed. If so, it will return a JSON array of the inspected pods.
- A series of new hidden commands have been added under `podman context` as aliases to existing `podman system connection` commands, to improve Docker compatibility.
- The remote Podman client now supports proxying signals for attach sessions when the `--sig-proxy` option is set.

### Changes

- Duplicate volume mounts are now allowed with the `-v` option to `podman run`, `podman create`, and `podman pod create`, so long as source, destination, and options all match.
- The `podman generate kube` and `podman play kube` commands have been renamed to `podman kube generate` and `podman kube play` to group Kubernetes-related commands. Aliases have been added to ensure the old command names still function.
- A number of Podman commands (`podman init`, `podman container checkpoint`, `podman container restore`, `podman container cleanup`) now print the user-inputted name of the container, instead of its full ID, on success.
- When an unsupported option (e.g. resource limit) is specified for a rootless container on a cgroups v1 system, a warning message is now printed that the limit will not be honored.
- The installer for the Windows Podman client has been improved.
- The `--cpu-rt-period` and `--cpu-rt-runtime` options to `podman run` and `podman create` now print a warning and are ignored on cgroups v2 systems (cgroups v2 having dropped support for these controllers).
- Privileged containers running systemd will no longer mount `/dev/tty*` devices other than `/dev/tty` itself into the container.
- Events for containers that are part of a pod now include the ID of the pod in the event.
- SSH functionality for `podman machine` commands has seen a thorough rework, addressing many issues about authentication.
- The `--network` option to `podman kube play` now allows passing `host` to set the pod to use host networking, even if the YAML does not request this.
- The `podman inspect` command on containers now includes the digest of the image used to create the container.
- Pods created by `podman play kube` are now, by default, placed into a network named `podman-kube`. If the `podman-kube` network does not exist, it will be created. This ensures pods can connect to each other by their names, as the network has DNS enabled.


Update to version 4.2.0:

* Features

- Podman now supports the Gitlab Runner (using the Docker executor), allowing its use in Gitlab CI/CD pipelines.
- A new command has been added, podman pod clone, to create a copy of an existing pod. It supports several options, including --start to start the new pod, --destroy to remove the original pod, and --name to change the name of the new pod.
- A new command has been added, podman volume reload, to sync changes in state between Podman's database and any configured volume plugins.
- A new command has been added, podman machine info, which displays information about the host and the versions of various machine components.
- Pods created by podman play kube can now be managed by systemd unit files. This can be done via a new systemd service, podman-kube@.service - e.g. systemctl --user start podman-play-kube@$(systemd-escape my.yaml).service will run the Kubernetes pod or deployment contained in my.yaml under systemd.
- The podman play kube command now honors the RunAsUser, RunAsGroup, and SupplementalGroups setting from the Kubernetes pod's security context.
- The podman play kube command now supports volumes with the BlockDevice and CharDevice types.
- The podman play kube command now features a new flag, --userns, to set the user namespace of created pods. Two values are allowed at present: host and auto.
- The podman play kube command now supports setting the type of created init containers via the io.podman.annotations.init.container.type annotation.
- Pods now include an exit policy (configurable via the --exit-policy option to podman pod create), which determines what will happen to the pod's infra container when the entire pod stops. The default, continue, acts as Podman currently does, while a new option, stop, stops the infra container after the last container in the pod stops, and is used by default for pods from podman play kube.
- The podman pod create command now allows the pod's name to be specified as an argument, instead of using the --name option - for example, podman pod create mypod instead of the prior podman pod create --name mypod. Please note that the --name option is not deprecated and will continue to work.
- The podman pod create command's --share option now supports adding namespaces to the set by prefacing them with + (as opposed to specifying all namespaces that should be shared).
- The podman pod create command has a new option, --shm-size, to specify the size of the /dev/shm mount that will be shared if the pod shares its UTS namespace (#14609).
- The podman pod create command has a new option, --uts, to configure the UTS namespace that will be shared by containers in the pod.
- The podman pod create command now supports setting pod-level resource limits via the --cpus, --cpuset-cpus, and --memory options. These will set a limit for all containers in the pod, while individual containers within the pod are allowed to set further limits. Look forward to more options for resource limits in our next release!
- The podman create and podman run commands now include the -c short option for the --cpu-shares option.
- The podman create and podman run commands can now create containers from a manifest list (and not an image) as long as the --platform option is specified (#14773).
- The podman build command now supports a new option, --cpp-flag, to specify options for the C preprocessor when using Containerfile.in files that require preprocessing.
- The podman build command now supports a new option, --build-context, allowing the user to specify an additional build context.
- The podman machine inspect command now prints the location of the VM's Podman API socket on the host (#14231).
- The podman machine init command on Windows now fetches an image with packages pre-installed (#14698).
- Unused, cached Podman machine VM images are now cleaned up automatically. Note that because Podman now caches in a different directory, this will not clean up old images pulled before this change (#14697).
- The default for the --image-volume option to podman run and podman create can now have its default set through the image_volume_mode setting in containers.conf (#14230).
- Overlay volumes now support two new options, workdir and upperdir, to allow multiple overlay volumes from different containers to reuse the same workdir or upperdir (#14427).
- The podman volume create command now supports two new options, copy and nocopy, to control whether contents from the overmounted folder in a container will be copied into the newly-created named volume (copy-up).
- Volumes created using a volume plugin can now specify a timeout for all operations that contact the volume plugin (replacing the standard 5 second timeout) via the --opt o=timeout= option to podman volume create (BZ 2080458).
- The podman volume ls command's --filter name= option now supports regular expression matching for volume names (#14583).
- When used with a podman machine VM, volumes now support specification of the 9p security model using the security_model option to podman create -v and podman run -v.
- The remote Podman client's podman push command now supports the --remove-signatures option (#14558).
- The remote Podman client now supports the podman image scp command.
- The podman image scp command now supports tagging the transferred image with a new name.
- The podman network ls command supports a new filter, --filter dangling=, to list networks not presently used by any containers (#14595).
- The --condition option to podman wait can now be specified multiple times to wait on any one of multiple conditions.
- The podman events command now includes the -f short option for the --filter option.
- The podman pull command now includes the -a short option for the --all-tags option.
- The podman stop command now includes a new flag, --filter, to filter which containers will be stopped (e.g. podman stop --all --filter label=COM.MY.APP).
- The Podman global option --url now has two aliases: -H and --host.
- The podman network create command now supports a new option with the default bridge driver, --opt isolate=, which isolates the network by blocking any traffic from it to any other network with the isolate option enabled. This option is enabled by default for networks created using the Docker-compatible API.
- Added the ability to create sigstore signatures in podman push and podman manifest push.
- Added an option to read image signing passphrase from a file.

* Changes

- Paused containers can now be killed with the podman kill command.
- The podman system prune command now removes unused networks.
- The --userns=keep-id and --userns=nomap options to the podman run and podman create commands are no longer allowed (instead of simply being ignored) with root Podman.
- If the /run directory for a container is part of a volume, Podman will not create the /run/.containerenv file (#14577).
- The podman machine stop command on macOS now waits for the machine to be completely stopped to exit (#14148).
- All podman machine commands now only support being run as rootless, given that VMs only functioned when run rootless.
- The podman unpause --all command will now only attempt to unpause containers that are paused, not all containers.
- Init containers created with podman play kube now default to the once type (#14877).
- Pods created with no shared namespaces will no longer create an infra container unless one is explicitly requested (#15048).
- The podman create, podman run, and podman cp commands can now autocomplete paths in the image or container via the shell completion.
- The libpod/common package has been removed as it's not used anywhere.
- The --userns option to podman create and podman run is no longer accepted when an explicit UID or GID mapping is specified (#15233).


* Misc

- Podman will now check for nameservers in /run/NetworkManager/no-stub-resolv.conf if the /etc/resolv.conf file only contains a localhost server.
- The podman build command now supports caching with builds that specify --squash-all by allowing the --layers flag to be used at the same time.
- Podman Machine support for QEMU installations at non-default paths has been improved.
- The podman machine ssh command no longer prints spurious warnings every time it is run.
- When accessing the WSL prompt on Windows, the rootless user will be preferred.
- The podman info command now includes a field for information on supported authentication plugins for improved Docker compatibility. Authentication plugins are not presently supported by Podman, so this field is always empty.
- The podman system prune command no longer prints the Deleted Images header if no images were pruned.
- The podman system service command now automatically creates and moves to a sub-cgroup when running in the root cgroup (#14573).
- Updated Buildah to v1.27.0 (fixes CVE-2022-21698 / bsc#1196338)
- Updated the containers/image library to v5.22.0
- Updated the containers/storage library to v1.42.0 (fixes bsc#1196751)
- Updated the containers/common library to v0.49.1
- Podman will automatically create a sub-cgroup and move itself into it when it detects that it is running inside a container (#14884).
- Fixed an incorrect release note about regexp.
- A new MacOS installer (via pkginstaller) is now supported.

Update to version 4.1.1:

* The output of the podman load command now mirrors that of docker load.
* Podman now supports Docker Compose v2.2 and higher. Please note that it may be necessary to disable the use of Buildkit by setting the environment variable DOCKER_BUILDKIT=0.
* A new container command has been added, podman container clone. This command makes a copy of an existing container, with the ability to change some settings (e.g. resource limits) while doing so.
* Podman now supports sending JSON events related to machines to a Unix socket named machine_events.*\.sock in XDG_RUNTIME_DIR/podman or to a socket whose path is set in the PODMAN_MACHINE_EVENTS_SOCK environment variable.
* Two new volume commands have been added, podman volume mount and podman volume unmount. These allow for Podman-managed named volumes to be mounted and accessed from outside containers.
* The podman container checkpoint and podman container restore options now support checkpointing to and restoring from OCI images. This allows checkpoints to be distributed via standard image registries.
* The podman play kube command now supports environment variables that are specified using the fieldRef and resourceFieldRef sources.
* The podman play kube command will now set default resource limits when the provided YAML does not include them.
* The podman play kube command now supports a new option, --annotation, to add annotations to created containers.
* The podman play kube --build command now supports a new option, --context-dir, which allows the user to specify the context directory to use when building the Containerfile.
* The podman container commit command now supports a new option, --squash, which squashes the generated image into a single layer.
* The podman pod logs command now supports two new options: --names, which identifies the container that generated a log message by name instead of ID, and --color, which colors messages based on which container generated them.
* The podman rmi command now supports a new option, --ignore, which will ignore errors caused by missing images.
* The podman network create command now features a new option, --ipam-driver, to specify details about how IP addresses are assigned to containers in the network.
* The podman machine list command now features a new option, --quiet, to print only the names of configured VMs and no other information.
* The --ipc option to the podman create, podman run, and podman pod create commands now supports three new modes: none, private, and shareable. The default IPC mode is now shareable, indicating that the IPC namespace can be shared with other containers.
* The --mount option to the podman create and podman run commands can now set options for created named volumes via the volume-opt parameter.
* The --mount option to the podman create and podman run commands now allows parameters to be passed in CSV format.
* The --userns option to the podman create and podman run commands now supports a new option, nomap, that (only for rootless containers) does not map the UID of the user that started the container into the container, increasing security.
* The podman import command now supports three new options, --arch, --os, and --variant, to specify what system the imported image was built for.
* The podman inspect command now includes information on the network configuration of containers that joined a pre-configured network namespace with the --net ns: option to podman run, podman create, and podman pod create.
* The podman run and podman create commands now support a new option, --chrootdirs, which specifies additional locations where container-specific files managed by Podman (e.g. /etc/hosts, /etc/resolv.conf, etc.) will be mounted inside the container (#12961).
* The podman run and podman create commands now support a new option, --passwd-entry, allowing entries to be added to the container's /etc/passwd file.
* The podman images --format command now accepts two new format directives: {{.CreatedAt}} and {{.CreatedSince}}.
* The podman volume create command's -o option now accepts a new argument, o=noquota, to disable XFS quotas entirely and avoid potential issues when Podman is run on an XFS filesystem with existing quotas defined.
* The podman info command now includes additional information on the machine Podman is running on, including disk utilization on the drive Podman is storing containers and images on, and CPU utilization.
* Fix CVE-2022-27191 / bsc#1197284

- Require catatonit >= 0.1.7 for pause functionality needed by pods

Update to version 4.0.3:

* Security

  - This release fixes CVE-2022-27649, where containers run by Podman would have excess inheritable capabilities set.

* Changes

  - The podman machine rm --force command will now remove running machines as well (such machines are shut down first, then removed) (#13448).
  - When a podman machine VM is started that is using a too-old VM image, it will now start in a reduced functionality mode, and provide instructions on how to recreate it (previously, VMs were effectively unusable) (#13510).

  - Updated the containers/common library to v0.47.5

- This release addresses CVE-2021-4024 / bsc#1193166, where the podman machine command opened the gvproxy API (used to forward ports to podman machine VMs) to the public internet on port 7777.
- This release addresses CVE-2021-41190 / bsc#1193273, where incomplete specification of behavior regarding image manifests could lead to inconsistent decoding on different clients.

Update to version 3.1.0: (bsc#1181961, CVE-2021-20206)

- A fix for CVE-2021-20199 / bsc#1181640 is included. Podman between v1.8.0 and v2.2.1 used 127.0.0.1 as the source address for all traffic forwarded into rootless containers by a forwarded port; this has been changed to address the issue.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:870-1
Released:    Wed Mar 22 09:44:13 2023
Summary:     Security update for slirp4netns
Type:        security
Severity:    moderate
References:  1179466,1179467,CVE-2020-29129,CVE-2020-29130
This update for slirp4netns fixes the following issues:

- CVE-2020-29129: Fixed out-of-bounds access while processing NCSI packets (bsc#1179466).
- CVE-2020-29130: Fixed out-of-bounds access while processing ARP packets (bsc#1179467).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1774-1
Released:    Wed Apr  5 13:13:19 2023
Summary:     Recommended update for libcontainers-common
Type:        recommended
Severity:    moderate
References:  1171578,1175821,1182998,1197093,1200524,1205536,1207509
This update for libcontainers-common fixes the following issues:

- Add registry.suse.com to the unqualified-search-registries (bsc#1205536)
- New upstream release 20230214
- bump c/storage to 1.45.3
- bump c/image to 5.24.1
- bump c/common to 0.51.0
- containers.conf:
  - add commented out options containers.read_only, engine.platform_to_oci_runtime, engine.events_container_create_inspect_data, network.volume_plugin_timeout, engine.runtimes.youki, machine.provider
  - remove deprecated setting containers.userns_size
  - add youki to engine.runtime_supports_json
- shortnames.conf: pull in latest upstream version
- storage.conf: add commented out option storage.transient_store
- correct license to APACHE-2.0
- Changes introduced to c/storage's storage.conf which adds a driver_priority attribute would break consumers of libcontainer-common as long as those packages are vendoring an older c/storage version. (bsc#1207509)
- storage.conf: Unset 'driver' and set 'driver_priority' to allow podman to use 'btrfs' if available and fallback to 'overlay' if not.
- .spec: rm %post script to set 'btrfs' as storage driver in storage.conf
- Remove registry.suse.com from search unqualified-search-registries
- add requires on util-linux-systemd for findmnt in profile script
- only set storage_driver env when no libpod exists
- add container-storage-driver.sh (bsc#1197093)
- postinstall script: slight cleanup, no functional change
- set detached sigstore attachments for the SUSE controlled registries
- Fix obvious typo in containers.conf
- Resync containers.conf / storage.conf with Fedora
- Create /etc/containers/registries.conf.d and add 000-shortnames.conf to it.
- Use $() again in %post, but with a space for POSIX compliance
- Add missing Requires(post): sed (bsc#1200524)
- Make %post compatible with dash
- Switch registries.conf to v2 format
- Reintroduce SLE specific mounts config, to avoid errors on non-SLE systems
- Require util-linux-systemd for %post scripts (bsc#1182998, jsc#SLE-12122, bsc#1175821)
- Update default registry (bsc#1171578)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1796-1
Released:    Fri Apr  7 11:06:47 2023
Summary:     Security update for conmon
Type:        security
Severity:    moderate
References:  1209307
This update for conmon fixes the following issues:

- rebuild against supported go 1.19 (bsc#1209307)
- no functional changes.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2877-1
Released:    Wed Jul 19 09:43:42 2023
Summary:     Security update for dbus-1
Type:        security
Severity:    moderate
References:  1212126,CVE-2023-34969
This update for dbus-1 fixes the following issues:

- CVE-2023-34969: Fixed a possible dbus-daemon crash by an unprivileged user (bsc#1212126).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2882-1
Released:    Wed Jul 19 11:49:39 2023
Summary:     Security update for perl
Type:        security
Severity:    important
References:  1210999,CVE-2023-31484
This update for perl fixes the following issues:

- CVE-2023-31484: Enable TLS cert verification in CPAN (bsc#1210999).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2885-1
Released:    Wed Jul 19 16:58:43 2023
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1208721,1209229,1211828
This update for glibc fixes the following issues:

- getlogin_r: fix missing fallback if loginuid is unset (bsc#1209229, BZ #30235)
- Exclude static archives from preparation for live patching (bsc#1208721)
- resolv_conf: release lock on allocation failure (bsc#1211828, BZ #30527)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2891-1
Released:    Wed Jul 19 21:14:33 2023
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1213237,CVE-2023-32001
This update for curl fixes the following issues:

- CVE-2023-32001: Fixed TOCTOU race condition (bsc#1213237).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2918-1
Released:    Thu Jul 20 12:00:17 2023
Summary:     Recommended update for gpgme
Type:        recommended
Severity:    moderate
References:  1089497
This update for gpgme fixes the following issues:

gpgme:

- Address failure handling issues when using gpg 2.2.6 via gpgme, as used by libzypp (bsc#1089497)
libassuan:

- Version upgrade to 2.5.5 in LTSS to address gpgme new requirements

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2962-1
Released:    Tue Jul 25 09:34:53 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1213487,CVE-2023-3446
This update for openssl-1_1 fixes the following issues:

- CVE-2023-3446: Fixed DH_check() excessive time with over sized modulus (bsc#1213487).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3022-1
Released:    Fri Jul 28 21:44:59 2023
Summary:     Security update for kernel-firmware
Type:        security
Severity:    moderate
References:  1213286,CVE-2023-20593
This update for kernel-firmware fixes the following issues:

- CVE-2023-20593: Fixed AMD ucode for ZenBleed vulnerability (bsc#1213286).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3170-1
Released:    Thu Aug  3 08:02:27 2023
Summary:     Recommended update for perl-Bootloader
Type:        recommended
Severity:    moderate
References:  1201399,1208003,1210799
This update for perl-Bootloader fixes the following issues:

- Use signed grub EFI binary when updating grub in default EFI location (bsc#1210799)
- UEFI: update also default location, if it is controlled by SUSE (bsc#1210799, bsc#1201399)
- Use `fw_platform_size` to distinguish between 32 bit and 64 bit UEFI platforms (bsc#1208003)
- Add basic support for systemd-boot

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3275-1
Released:    Fri Aug 11 10:19:36 2023
Summary:     Recommended update for apparmor
Type:        recommended
Severity:    moderate
References:  1213472
This update for apparmor fixes the following issues:

- Add pam_apparmor README (bsc#1213472)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3286-1
Released:    Fri Aug 11 10:32:03 2023
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    moderate
References:  1194038,1194900
This update for util-linux fixes the following issues:

- Fix blkid for floppy drives (bsc#1194900)
- Fix rpmbuild %checks fail when @ in the directory path (bsc#1194038)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3327-1
Released:    Wed Aug 16 08:45:25 2023
Summary:     Security update for pcre2
Type:        security
Severity:    moderate
References:  1213514,CVE-2022-41409
This update for pcre2 fixes the following issues:

- CVE-2022-41409: Fixed integer overflow vulnerability in pcre2test that allows attackers to cause a denial of service via negative input (bsc#1213514).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3360-1
Released:    Fri Aug 18 14:48:55 2023
Summary:     Security update for kernel-firmware
Type:        security
Severity:    moderate
References:  1213287,CVE-2023-20569
This update for kernel-firmware fixes the following issues:

- CVE-2023-20569: Fixed AMD 19h ucode to mitigate a side channel vulnerability in some of the AMD CPUs. (bsc#1213287)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3363-1
Released:    Fri Aug 18 14:54:16 2023
Summary:     Security update for krb5
Type:        security
Severity:    important
References:  1214054,CVE-2023-36054
This update for krb5 fixes the following issues:

- CVE-2023-36054: Fixed a DoS that could be triggered by an authenticated remote user. (bsc#1214054)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3397-1
Released:    Wed Aug 23 18:35:56 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1213517,1213853,CVE-2023-3817
This update for openssl-1_1 fixes the following issues:

- CVE-2023-3817: Fixed a potential DoS due to excessive time spent checking DH q parameter value. (bsc#1213853)
- Don't pass zero length input to EVP_Cipher because s390x assembler optimized AES cannot handle zero size. (bsc#1213517)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3451-1
Released:    Mon Aug 28 12:15:22 2023
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1186606,1194609,1208194,1209741,1210702,1211576,1212434,1213185,1213575,1213873
This update for systemd fixes the following issues:

- Fix reboot and shutdown issues by getting only active MD arrays (bsc#1211576, bsc#1212434, bsc#1213575)
- Decrease devlink priority for iso disks (bsc#1213185)
- Do not ignore mount point paths longer than 255 characters (bsc#1208194)
- Refuse hibernation if there's no possible way to resume (bsc#1186606)
- Update 'korean' and 'arabic' keyboard layouts (bsc#1210702)
- Drop some entries no longer needed by YaST (bsc#1194609)
- The 'systemd --user' instances get their own session keyring instead of the user default one (bsc#1209741)
- Dynamically allocate receive buffer to handle large amount of mounts (bsc#1213873)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3461-1
Released:    Mon Aug 28 17:25:09 2023
Summary:     Security update for freetype2
Type:        security
Severity:    moderate
References:  1210419,CVE-2023-2004
This update for freetype2 fixes the following issues:

- CVE-2023-2004: Fixed integer overflow in tt_hvadvance_adjust (bsc#1210419).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3486-1
Released:    Tue Aug 29 14:25:23 2023
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1214071
This update for lvm2 fixes the following issues:

- blkdeactivate calls wrong mountpoint cmd (bsc#1214071)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3538-1
Released:    Tue Sep  5 16:37:14 2023
Summary:     Recommended update for dracut
Type:        recommended
Severity:    important
References:  1214081
This update for dracut fixes the following issues:

- Protect against broken links pointing to themselves
- Exit if resolving executable dependencies fails (bsc#1214081)


The following package changes have been done:

- glibc-2.31-150300.52.2 updated
- perl-base-5.26.1-150300.17.14.1 updated
- libuuid1-2.37.2-150400.8.20.1 updated
- libudev1-249.16-150400.8.33.1 updated
- libsmartcols1-2.37.2-150400.8.20.1 updated
- libpcre2-8-0-10.39-150400.4.9.1 added
- libblkid1-2.37.2-150400.8.20.1 updated
- libaudit1-3.0.6-150400.4.13.1 updated
- libapparmor1-3.0.4-150400.5.6.1 updated
- libfdisk1-2.37.2-150400.8.20.1 updated
- libip6tc2-1.8.7-1.1 added
- libassuan0-2.5.5-150000.4.5.2 updated
- libfreetype6-2.10.4-150000.4.15.1 updated
- libnfnetlink0-1.0.1-2.11 added
- elemental-updater-1.2.2-150400.1.1 updated
- libnftnl11-1.2.0-150400.1.6 added
- libselinux1-3.4-150400.1.8 updated
- login_defs-4.8.1-150400.1.7 updated
- libsystemd0-249.16-150400.8.33.1 updated
- libmount1-2.37.2-150400.8.20.1 updated
- liblvm2cmd2_03-2.03.05-150400.188.1 updated
- libdevmapper1_03-2.03.05_1.02.163-150400.188.1 updated
- libdbus-1-3-1.12.2-150400.18.8.1 updated
- libdevmapper-event1_03-2.03.05_1.02.163-150400.188.1 updated
- sysconfig-0.85.7-150400.1.2 updated
- sysconfig-netconfig-0.85.7-150400.1.2 updated
- catatonit-0.1.7-150300.10.3.1 added
- conmon-2.1.5-150400.3.6.1 added
- elemental-dracut-config-0.11.1-150400.1.1 updated
- elemental-grub-config-0.11.1-150400.1.1 updated
- elemental-immutable-rootfs-0.11.1-150400.1.1 updated
- elemental-register-1.3.4-150400.2.1 updated
- elemental-support-1.3.4-150400.2.1 updated
- elemental-system-agent-0.3.3-150400.2.1 updated
- fillup-1.42-2.18 added
- libburn4-1.5.6-150400.2.1 added
- libfuse3-3-3.10.5-150400.1.7 added
- libparted0-3.2-150300.21.3.1 updated
- libnetfilter_conntrack3-1.0.7-1.38 added
- xtables-plugins-1.8.7-1.1 added
- parted-3.2-150300.21.3.1 updated
- glibc-locale-base-2.31-150300.52.2 updated
- gawk-4.2.1-150000.3.3.1 updated
- perl-Bootloader-0.944-150400.3.6.1 updated
- device-mapper-2.03.05_1.02.163-150400.188.1 updated
- iptables-1.8.7-1.1 added
- libopenssl1_1-1.1.1l-150400.7.53.1 updated
- libcryptsetup12-2.4.3-150400.3.3.1 updated
- krb5-1.19.2-150400.3.6.1 updated
- libcurl4-8.0.1-150400.5.26.1 updated
- shadow-4.8.1-150400.1.7 updated
- dbus-1-1.12.2-150400.18.8.1 updated
- libnm0-1.38.2-150400.3.3.1 updated
- util-linux-2.37.2-150400.8.20.1 updated
- systemd-249.16-150400.8.33.1 updated
- udev-249.16-150400.8.33.1 updated
- util-linux-systemd-2.37.2-150400.8.20.1 updated
- systemd-sysvinit-249.16-150400.8.33.1 updated
- dracut-055+suse.347.gdcb9bdbf-150400.3.28.1 updated
- lvm2-2.03.05-150400.188.1 updated
- kernel-firmware-usb-network-20220509-150400.4.22.1 updated
- kernel-firmware-realtek-20220509-150400.4.22.1 updated
- kernel-firmware-qlogic-20220509-150400.4.22.1 updated
- kernel-firmware-platform-20220509-150400.4.22.1 updated
- kernel-firmware-network-20220509-150400.4.22.1 updated
- kernel-firmware-mellanox-20220509-150400.4.22.1 updated
- kernel-firmware-mediatek-20220509-150400.4.22.1 updated
- kernel-firmware-marvell-20220509-150400.4.22.1 updated
- kernel-firmware-liquidio-20220509-150400.4.22.1 updated
- kernel-firmware-iwlwifi-20220509-150400.4.22.1 updated
- kernel-firmware-intel-20220509-150400.4.22.1 updated
- kernel-firmware-i915-20220509-150400.4.22.1 updated
- kernel-firmware-chelsio-20220509-150400.4.22.1 updated
- kernel-firmware-bnx2-20220509-150400.4.22.1 updated
- NetworkManager-1.38.2-150400.3.3.1 updated
- libcontainers-common-20230214-150400.3.5.2 added
- libisofs6-1.5.6-150400.2.1 added
- mtools-4.0.35-150400.1.11 added
- runc-1.1.4-150000.36.1 added
- slirp4netns-0.4.7-150100.3.18.1 added
- cni-0.7.1-150100.3.8.1 added
- cni-plugins-0.8.6-150100.3.11.1 added
- fuse-overlayfs-1.1.2-3.9.1 added
- libisoburn1-1.5.6-150400.1.1 added
- podman-4.3.1-150400.4.11.1 added
- xorriso-1.5.6-150400.1.1 added
- elemental-cli-0.11.1-150400.2.1 updated
- elemental-init-setup-0.11.1-150400.1.1 updated
- elemental-init-services-0.11.1-150400.1.1 updated
- elemental-init-recovery-0.11.1-150400.1.1 updated
- elemental-init-network-0.11.1-150400.1.1 updated
- elemental-init-live-0.11.1-150400.1.1 updated
- elemental-init-boot-assessment-0.11.1-150400.1.1 updated
- elemental-init-config-0.11.1-150400.1.1 updated
- elemental-toolkit-0.11.1-150400.1.1 updated
- elemental-1.2.2-150400.1.1 updated
- k9s-0.27.4-150400.2.1 updated
- container:suse-sle-micro-rancher-5.4-latest-- added
- container:suse-sle-micro-rancher-5.3-latest-- removed
- libsemanage1-3.1-150400.1.65 removed
- libsepol1-3.1-150400.1.70 removed
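The package list above is what an image consumer actually has to verify: that the running container carries at least the listed NVRs for every "added" or "updated" entry and no longer carries the "removed" ones. The script below is an added example, not SUSE or Rancher tooling. It parses advisory lines copied from the list above, compares them against a constructed sample of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` output (the INSTALLED_LINES text is made up for illustration and is not real output from this image), and reports each package as ok, outdated, missing or not-removed. Version ordering uses a Python port of rpm's rpmvercmp() so that releases such as 150400.5.13.1 and 150400.5.26.1 compare numerically segment by segment; on a host with python3-rpm installed, rpm.labelCompare() does the same job.

```python
"""Check installed RPM NVRs against the package list of a SUSE container advisory.

Added example: the advisory entries are copied from the list above, the
installed-package sample is constructed, and rpmvercmp() is a port of the
rpm algorithm, not rpm's own binding.
"""
import re
from typing import Dict, List, Tuple

# Entries copied from the advisory's package list above.
ADVISORY_LINES = """\
- libopenssl1_1-1.1.1l-150400.7.53.1 updated
- libcurl4-8.0.1-150400.5.26.1 updated
- runc-1.1.4-150000.36.1 added
- podman-4.3.1-150400.4.11.1 added
- systemd-249.16-150400.8.33.1 updated
- container:suse-sle-micro-rancher-5.3-latest-- removed
- libsepol1-3.1-150400.1.70 removed
"""

# Constructed sample of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` from a
# hypothetical image; deliberately one release behind on libcurl4, missing
# podman, and still carrying libsepol1.
INSTALLED_LINES = """\
libopenssl1_1-1.1.1l-150400.7.53.1
libcurl4-8.0.1-150400.5.13.1
runc-1.1.4-150000.36.1
systemd-249.16-150400.8.33.1
libsepol1-3.1-150400.1.70
"""

ADV_RE = re.compile(r"^-\s+(?P<nvr>\S+)\s+(?P<action>added|updated|removed)$")


def _skip_sep(s: str) -> str:
    """Drop leading separators: anything that is not alnum, '~' or '^'."""
    i = 0
    while i < len(s) and not (s[i].isalnum() or s[i] in "~^"):
        i += 1
    return s[i:]


def _take(s: str, pred) -> Tuple[str, str]:
    """Split off the longest prefix of s whose characters satisfy pred."""
    i = 0
    while i < len(s) and pred(s[i]):
        i += 1
    return s[:i], s[i:]


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): -1 if a < b, 0 if equal, 1 if a > b."""
    if a == b:
        return 0
    one, two = a, b
    while one or two:
        one, two = _skip_sep(one), _skip_sep(two)
        if one.startswith("~") or two.startswith("~"):  # '~' sorts before anything, even end of string
            if not one.startswith("~"):
                return 1
            if not two.startswith("~"):
                return -1
            one, two = one[1:], two[1:]
            continue
        if one.startswith("^") or two.startswith("^"):  # '^' sorts after end of string, before everything else
            if not one:
                return -1
            if not two:
                return 1
            if not one.startswith("^"):
                return 1
            if not two.startswith("^"):
                return -1
            one, two = one[1:], two[1:]
            continue
        if not (one and two):
            break
        isnum = one[0].isdigit()
        pred = str.isdigit if isnum else str.isalpha
        seg1, one = _take(one, pred)
        seg2, two = _take(two, pred)
        if not seg2:  # segment types differ: numeric beats alphabetic
            return 1 if isnum else -1
        if isnum:
            seg1, seg2 = seg1.lstrip("0"), seg2.lstrip("0")
            if len(seg1) != len(seg2):  # longer digit string is the larger number
                return 1 if len(seg1) > len(seg2) else -1
        if seg1 != seg2:
            return 1 if seg1 > seg2 else -1
    if not one and not two:
        return 0
    return -1 if not one else 1  # whichever side still has characters wins


def compare_vr(a: Tuple[str, str], b: Tuple[str, str]) -> int:
    """Compare (version, release) pairs: version first, release on a tie."""
    c = rpmvercmp(a[0], b[0])
    return c if c else rpmvercmp(a[1], b[1])


def parse_nvr(nvr: str) -> Tuple[str, str, str]:
    """Split NAME-VERSION-RELEASE on the last two dashes (names may contain dashes)."""
    name, ver, rel = nvr.rsplit("-", 2)
    return name, ver, rel


def parse_advisory(text: str) -> List[Tuple[str, str, str, str]]:
    entries = []
    for line in text.splitlines():
        m = ADV_RE.match(line.strip())
        if not m or m.group("nvr").startswith("container:"):
            continue  # base-image lines are not RPMs
        name, ver, rel = parse_nvr(m.group("nvr"))
        entries.append((name, ver, rel, m.group("action")))
    return entries


def parse_installed(text: str) -> Dict[str, Tuple[str, str]]:
    pkgs: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if line:
            name, ver, rel = parse_nvr(line)
            pkgs[name] = (ver, rel)
    return pkgs


def check(advisory: str, installed: str) -> Dict[str, str]:
    """Map each advisory package to ok / outdated / missing / not-removed."""
    have = parse_installed(installed)
    result: Dict[str, str] = {}
    for name, ver, rel, action in parse_advisory(advisory):
        cur = have.get(name)
        if action == "removed":
            result[name] = "not-removed" if cur else "ok"
        elif cur is None:
            result[name] = "missing"
        elif compare_vr(cur, (ver, rel)) < 0:  # advisory NVR is a floor, newer is fine
            result[name] = "outdated"
        else:
            result[name] = "ok"
    return result


if __name__ == "__main__":
    for pkg, status in check(ADVISORY_LINES, INSTALLED_LINES).items():
        print(f"{pkg:20} {status}")
```

Against a real image, feed it the full advisory list and `rpm -qa` output from inside the container (for example via `podman run --rm IMAGE rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'`). Note that this only checks package versions; a package listed as "added" (runc, podman, cni-plugins) also widens the image's attack surface, so confirm those additions are expected for your deployment rather than just present at the right version.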