OVAL

SUSE-SU-2022:23018-1 -- SLES libseccomp-debugsource, libseccomp-devel, libseccomp2, libcontainers-common

ID: oval:org.secpod.oval:def:89047501
Date: (C)2022-11-11 (M)2023-12-20
Class: PATCH
Family: unix




This update for conmon, libcontainers-common, libseccomp, podman fixes the following issues:

podman was updated to 3.4.4.

Security issues fixed:
- fix CVE-2021-41190 [bsc#1193273], opencontainers: OCI manifest and index parsing confusion
- fix CVE-2021-4024 [bsc#1193166], podman machine spawns gvproxy with its port bound to all IPs
- fix CVE-2021-20199 [bsc#1181640], remote traffic to rootless containers is seen as originating from localhost
- Add: Provides: podman:/usr/bin/podman-remote subpackage for a clearer upgrade path from podman less than 3.1.2

Update to version 3.4.4:
* Bugfixes
- Fixed a bug where the podman exec command would, under some circumstances, print a warning message about failing to move conmon to the appropriate cgroup.
- Fixed a bug where named volumes created as part of container creation would be mounted with incorrect permissions.
- Fixed a bug where the podman-remote create and podman-remote run commands did not properly handle the --entrypoint='' option.

Update to version 3.4.3:
* Security
- This release addresses CVE-2021-4024, where the podman machine command opened the gvproxy API to the public internet on port 7777.
- This release addresses CVE-2021-41190, where incomplete specification of behavior regarding image manifests could lead to inconsistent decoding on different clients.
* Features
- The --secret type=mount option to podman create and podman run supports a new option, target=, which specifies where in the container the secret will be mounted.
* Bugfixes
- Fixed a bug where rootless Podman would occasionally print warning messages about failing to move the pause process to a new cgroup.
- Fixed a bug where the podman run and podman create commands would, when pulling images, still require TLS even with registries set to Insecure via config file.
- Fixed a bug where the podman generate systemd command generated units that depended on multi-user.target, which has been removed from some distributions.
- Fixed a bug where Podman could not run containers with images that had /etc/ as a symlink.
- Fixed a bug where the podman logs -f command would, when using the journald logs backend, exit immediately if the container had previously been restarted.
- Fixed a bug where, in containers on VMs created by podman machine, the host.containers.internal name pointed to the VM, not the host system.
- Fixed a bug where containers and pods created by the podman play kube command in VMs managed by podman machine would not automatically forward ports from the host machine.
- Fixed a bug where podman machine init would fail on OS X when GNU Coreutils was installed.
- Fixed a bug where podman machine start would exit before SSH on the started VM was accepting connections.
- Fixed a bug where the podman run command with signal proxying enabled could print an error if it attempted to send a signal to a container that had just exited.
- Fixed a bug where the podman stats command would not return correct information for containers running Systemd as PID1.
- Fixed a bug where the podman image save command would fail on OS X when writing the image to STDOUT.
- Fixed a bug where the podman ps command did not properly handle PS arguments which contained whitespace.
- Fixed a bug where the podman-remote wait command could fail to detect that the container exited and return an error under some circumstances.
- Fixed a bug where the Windows MSI installer for podman-remote would break the PATH environment variable by adding an extra '.
* API
- The Libpod Play Kube endpoint now also accepts ConfigMap YAML as part of its payload, and will use any provided ConfigMap to configure the provided pods and services.
- Fixed a bug where the Compat Create endpoint for Containers would not always create the container's working directory if it did not exist.
- Fixed a bug where the Compat Create endpoint for Containers returned an incorrect error message with 404 errors when the requested image was not found.
- Fixed a bug where the Compat Create endpoint for Containers did not properly handle the HostConfig.Mounts field.
- Fixed a bug where the Compat Archive endpoint for Containers did not properly report errors when the operation failed.
- Fixed a bug where the Compat Build endpoint for Images ignored the layers query parameter.
- Fixed a bug where the Compat Build endpoint for Images did not report errors in a manner compatible with Docker.
- Fixed a bug where the Compat Build endpoint for Images would fail to build if the context directory was a symlink.
- Fixed a bug where the Compat List endpoint for Images included manifest lists in returned results.

Update to version 3.4.2:
- Fixed a bug where podman tag could not tag manifest lists.
- Fixed a bug where built-in volumes specified by images would not be created correctly under some circumstances.
- Fixed a bug where, when using Podman Machine on OS X, containers in pods did not have working port forwarding from the host.
- Fixed a bug where the podman network reload command on containers using the slirp4netns network mode and the rootlessport port forwarding driver would make an unnecessary attempt to restart rootlessport on containers that did not forward ports.
- Fixed a bug where the podman generate kube command would generate YAML including some unnecessary fields.
- Fixed a bug where the podman pod rm command could, if interrupted at the right moment, leave a reference to an already-removed infra container behind.
- Fixed a bug where the podman pod rm command would not remove pods with more than one container if all containers save for the infra container were stopped unless --force was specified.
- Fixed a bug where the --memory flag to podman run and podman create did not accept a limit of 0.
- Fixed a bug where the remote Podman client's podman build command could attempt to build a Dockerfile in the working directory of the podman system service instance instead of the Dockerfile specified by the user.
- Fixed a bug where the podman logs --tail command could function improperly when the journald log driver was used.
- Fixed a bug where containers run using the slirp4netns network mode with IPv6 enabled would not have IPv6 connectivity until several seconds after they started.
- Fixed a bug where some Podman commands could cause an extra dbus-daemon process to be created.
- Fixed a bug where rootless Podman would sometimes print warnings about a failure to move the pause process into a given CGroup.
- Fixed a bug where the checkpointed field in podman inspect on a container was not set to false after a container was restored.
- Fixed a bug where the podman system service command would print overly-verbose logs about request IDs.
- Fixed a bug where Podman could, when creating a new container without a name explicitly specified by the user, sometimes use an auto-generated name already in use by another container if multiple containers were being created in parallel.

Update to version 3.4.1:
* Bugfixes
- Fixed a bug where podman machine init could, under some circumstances, create invalid machine configurations which could not be started.
- Fixed a bug where the podman machine list command would not properly populate some output fields.
- Fixed a bug where podman machine rm could leave dangling sockets from the removed machine.
- Fixed a bug where podman run --pids-limit=-1 was not supported.
- Fixed a bug where podman run and podman attach could throw errors about a closed network connection when STDIN was closed by the client.
- Fixed a bug where the podman stop command could fail when run on a container that had another podman stop command run on it previously.
- Fixed a bug where the --sync flag to podman ps was nonfunctional.
- Fixed a bug where the Windows and OS X remote clients' podman stats command would fail.
- Fixed a bug where the podman play kube command did not properly handle environment variables whose values contained an =.
- Fixed a bug where the podman generate kube command could generate invalid annotations when run on containers with volumes that use SELinux relabelling.
- Fixed a bug where the podman generate kube command would generate YAML including some unnecessary fields.
- Fixed a bug where the podman generate kube command could, under some circumstances, generate YAML including an invalid targetPort field for forwarded ports.
- Fixed a bug where rootless Podman's podman info command could, under some circumstances, not read available CGroup controllers.
- Fixed a bug where podman container checkpoint --export would fail to checkpoint any container created with --log-driver=none.
* API
- Fixed a bug where the Compat Create endpoint for Containers could panic when no options were passed to a bind mount of tmpfs.

Update to version 3.4.0:
* Features
- Pods now support init containers! Init containers are containers which run before the rest of the pod starts. There are two types of init containers: 'always', which always run before the pod is started, and 'once', which only run the first time the pod starts and are subsequently removed. They can be added using the podman create command's --init-ctr option.
- Support for init containers has also been added to podman play kube and podman generate kube: init containers contained in Kubernetes YAML will be created as Podman init containers, and YAML generated by Podman will include any init containers created.
- The podman play kube command now supports building images. If the --build option is given and a directory with the name of the specified image exists in the current working directory and contains a valid Containerfile or Dockerfile, the image will be built and used for the container.
- The podman play kube command now supports a new option, --teardown, which removes any pods and containers created by the given Kubernetes YAML.
- The podman generate kube command now generates annotations for SELinux mount options on volumes that are respected by the podman play kube command.
- A new command has been added, podman pod logs, to return logs for all containers in a pod at the same time.
- Two new commands have been added, podman volume export and podman volume import, to populate a volume from a given tar file.

[The release-note entries that followed here (the rest of the 3.4.0 notes and the intermediate releases before the entries below) were lost in extraction; only their issue references survive: #11265, #11527, #11403, #10900, #11171, #11352, #10443, #11387, #11344, #11418, #11411, #11421, #11461, #11438, #11474, #11732, #11392, #8785, #11496, #11469, #11444, #11540, #11596, #11557, #11687, #11633, #11672, #11207, #11731, #11740, #11750, #10612, #11623, #11225, #10831, #11227, #11235, #10053, #11304, #11303, #11158, #11358, bsc#1188914, #9315, #9393, #9415, #9377, #9378, #9374, #9365, #9387, #9373, #9191, #9247, #9351, #9232, #1925, #8454, #9132, #9077, #8443, #9165, #8512, #8658, #8384, #7387, #8615, #8501, #9120, #6618, #9040, #9034, #8847, #9176.]

- Fixed a bug where rootless containers joining CNI networks could not set a static IP address.
- Fixed a bug where rootless containers joining CNI networks could not set network aliases.
- Fixed a bug where the remote client could, under some circumstances, not include the Containerfile when sending build context to the server.
- Fixed a bug where rootless Podman did not mount /sys as a new sysfs in some circumstances where it was acceptable.
- Fixed a bug where rootless containers that both joined a user namespace and a CNI network would cause a segfault. These options are incompatible and now return an error.
- Fixed a bug where the podman play kube command did not properly handle CMD and ARGS from images.
- Fixed a bug where the podman play kube command did not properly handle environment variables from images.
- Fixed a bug where the podman play kube command did not properly print errors that occurred when starting containers.
- Fixed a bug where the podman play kube command errored when hostNetwork was used.
- Fixed a bug where the podman play kube command would always pull images when the :latest tag was specified, even if the image was available locally.
- Fixed a bug where the podman play kube command did not properly handle SELinux configuration, rendering YAML with custom SELinux configuration unusable.
- Fixed a bug where the podman generate kube command incorrectly populated the args and command fields of generated YAML.
- Fixed a bug where containers in a pod would create a duplicate entry in the pod's shared /etc/hosts file every time the container restarted.
- Fixed a bug where the podman search --list-tags command did not support the --format option.
- Fixed a bug where the http_proxy option in containers.conf was not being respected, and instead was set unconditionally to true.
- Fixed a bug where rootless Podman could, on systems with a recent Conmon and users with a long username, fail to attach to containers.
- Fixed a bug where the podman images command would break and fail to display any images if an empty manifest list was present in storage.
- Fixed a bug where locale environment variables were not properly passed on to Conmon.
- Fixed a bug where Podman would not build on the MIPS architecture.
- Fixed a bug where rootless Podman could fail to properly configure user namespaces for rootless containers when the user specified a --uidmap option that included a mapping beginning with UID 0.
- Fixed a bug where the podman logs command using the k8s-file backend did not properly handle partial log lines with a length of 1.
- Fixed a bug where the podman logs command with the --follow option did not properly handle log rotation.
- Fixed a bug where user-specified HOSTNAME environment variables were overwritten by Podman.
- Fixed a bug where Podman would apply default sysctls from containers.conf in too many situations.
- Fixed a bug where Podman did not properly handle cases where a secondary image store was in use and an image was present in both the secondary and primary stores.
- Fixed a bug where systemd-managed rootless Podman containers where the user in the container was not root could fail as the container's PID file was not accessible to systemd on the host.
- Fixed a bug where the --privileged option to podman run and podman create would, under some circumstances, not disable Seccomp.
- Fixed a bug where the podman exec command did not properly add capabilities when the container or exec session were run with --privileged.
- Fixed a bug where rootless Podman would use the --enable-sandbox option to slirp4netns unconditionally, even when pivot_root was disabled, rendering slirp4netns unusable when pivot_root was disabled.
- Fixed a bug where podman build --logfile did not actually write the build's log to the logfile.
- Fixed a bug where the podman system service command did not close STDIN, and could display user-interactive prompts.
- Fixed a bug where the podman system reset command could, under some circumstances, remove all the contents of the XDG_RUNTIME_DIR directory.
- Fixed a bug where the podman network create command created CNI configurations that did not include a default gateway.
- Fixed a bug where the podman.service systemd unit provided by default used the wrong service type, and would cause systemd to not correctly register the service as started.
- Fixed a bug where, if the TMPDIR environment variable was set for the container engine in containers.conf, it was being ignored.
- Fixed a bug where the podman events command did not properly handle future times given to the --until option.
- Fixed a bug where the podman logs command wrote container STDERR logs to STDOUT instead of STDERR.
- Fixed a bug where containers created from an image with multiple tags would report that they were created from the wrong tag.
- Fixed a bug where container capabilities were not set properly when the --cap-add=all and --user options to podman create and podman run were combined.
- Fixed a bug where the --layers option to podman build was nonfunctional.
- Fixed a bug where the podman system prune command did not act recursively, and thus would leave images, containers, pods, and volumes present that would be removed by a subsequent call to podman system prune.
- Fixed a bug where the --publish option to podman run and podman create did not properly handle ports specified as a range of ports with no host port specified.
- Fixed a bug where --format did not support JSON output for individual fields.
- Fixed a bug where the podman stats command would fail when run on root containers using the slirp4netns network mode.
- Fixed a bug where the Podman remote client would ask for a password even if the server's SSH daemon did not support password authentication.
- Fixed a bug where the podman stats command would fail if the system did not support one or more of the cgroup controllers Podman supports.
- Fixed a bug where the --mount option to podman create and podman run did not ignore the consistency mount option.
- Fixed a bug where failures during the resizing of a container's TTY would print the wrong error.
- Fixed a bug where the podman network disconnect command could cause the podman inspect command to fail for a container until it was restarted.
- Fixed a bug where containers created from a read-only rootfs would fail.
- Fixed a bug where specifying Go templates to the --format option to multiple Podman commands did not support the join function.
- Fixed a bug where the podman rmi command could, when run in parallel on multiple images, return layer not known errors.
- Fixed a bug where the podman inspect command on containers displayed unlimited ulimits incorrectly.
- Fixed a bug where Podman would fail to start when a volume was mounted over a directory in a container that contained symlinks that terminated outside the directory and its subdirectories.
* API
- Libpod API version has been bumped to v3.0.0.
- All Libpod Pod APIs have been modified to properly report errors with individual containers. Cases where the operation as a whole succeeded but individual containers failed now report an HTTP 409 error.
- The Compat API for Containers now supports the Rename and Copy APIs.
- Fixed a bug where the Compat Prune APIs did not return the amount of space reclaimed in their responses.
- Fixed a bug where the Compat and Libpod Exec APIs for Containers would drop errors that occurred prior to the exec session successfully starting.
- Fixed a bug where the Volumes field in the Compat Create API for Containers was being ignored.
- Fixed a bug where the NetworkMode field in the Compat Create API for Containers was not handling some values, e.g. container:, correctly.
- Fixed a bug where the Compat Create API for Containers did not set container name properly.
- Fixed a bug where containers created using the Compat Create API unconditionally used Kubernetes file logging.
- Fixed a bug where the Compat Inspect API for Containers could include container states not recognized by Docker.
- Fixed a bug where Podman did not properly clean up after calls to the Events API when the journald backend was in use, resulting in a leak of file descriptors.
- Fixed a bug where the Libpod Pull endpoint for Images could fail with an index out of range error under certain circumstances.
- Fixed a bug where the Libpod Exists endpoint for Images could panic.
- Fixed a bug where the Compat List API for Containers did not support all filters.
- Fixed a bug where the Compat List API for Containers did not properly populate the Status field.
- Fixed a bug where the Compat and Libpod Resize APIs for Containers ignored the height and width parameters.
- Fixed a bug where the Compat Search API for Images returned an incorrectly-formatted JSON response.
- Fixed a bug where the Compat Load API for Images did not properly clean up temporary files.
- Fixed a bug where the Compat Create API for Networks could panic when an empty IPAM configuration was specified.
- Fixed a bug where the Compat Inspect and List APIs for Networks did not include Scope.
- Fixed a bug where the Compat Wait endpoint for Containers did not support the same wait conditions that Docker did.
* Misc
- Updated Buildah to v1.19.2
- Updated the containers/storage library to v1.24.5
- Updated the containers/image library to v5.10.2
- Updated the containers/common library to v0.33.4

Update to v2.2.1
* Changes
- Due to a conflict with a previously-removed field, we were forced to modify the way image volumes were handled in the database. As a result, containers created in Podman 2.2.0 with image volumes will not have them in v2.2.1, and these containers will need to be re-created.
* Bugfixes
- Fixed a bug where rootless Podman would, on systems without the XDG_RUNTIME_DIR environment variable defined, use an incorrect path for the PID file of the Podman pause process, causing Podman to fail to start.
- Fixed a bug where containers created using Podman v1.7 and earlier were unusable in Podman due to JSON decode errors.
- Fixed a bug where Podman could retrieve invalid cgroup paths, instead of erroring, for containers that were not running.
- Fixed a bug where the podman system reset command would print a warning about a duplicate shutdown handler being registered.
- Fixed a bug where rootless Podman would attempt to mount sysfs in circumstances where it was not allowed; some OCI runtimes would fall back to alternatives and not fail, but others would fail to run containers.
- Fixed a bug where the podman run and podman create commands would fail to create containers from untagged images.
- Fixed a bug where remote Podman would prompt for a password even when the server did not support password authentication.
- Fixed a bug where the podman exec command did not move the Conmon process for the exec session into the correct cgroup.
- Fixed a bug where shell completion for the ancestor option to podman ps --filter did not work correctly.
- Fixed a bug where detached containers would not properly clean themselves up if the Podman command that created them was invoked with --log-level=debug.
* API
- Fixed a bug where the Compat Create endpoint for Containers did not properly handle the Binds and Mounts parameters in HostConfig.
- Fixed a bug where the Compat Create endpoint for Containers ignored the Name query parameter.
- Fixed a bug where the Compat Create endpoint for Containers did not properly handle the 'default' value for NetworkMode.
- Fixed a bug where the Compat Build endpoint for Images would sometimes incorrectly use the target query parameter as the image's tag.
* Misc
- Podman v2.2.0 vendored a non-released, custom version of the github.com/spf13/cobra package; this has been reverted to the latest upstream release to aid in packaging.
- Updated the containers/image library to v5.9.0

Update to v2.2.0
* Features
- Experimental support for shortname aliasing has been added. This is not enabled by default, but can be turned on by setting the environment variable CONTAINERS_SHORT_NAME_ALIASING to on. Documentation is available here and here.
- Initial support has been added for the podman network connect and podman network disconnect commands, which allow existing containers to modify what networks they are connected to. At present, these commands can only be used on running containers that did not specify --network=none when they were created.
- The podman run command now supports the --network-alias option to set network aliases. Aliases can also be added and removed using the new podman network connect and podman network disconnect commands. Please note that this requires a new release of the dnsname plugin, and will only work on newly-created CNI networks.
- The podman generate kube command now features support for exporting a container's memory and CPU limits.
- The podman play kube command now features support for setting CPU and Memory limits for containers.
- The podman play kube command now supports persistent volume claims using Podman named volumes.
- The podman play kube command now supports Kubernetes configmaps via the --configmap option.
- The podman play kube command now supports a --log-driver option to set the log driver for created containers.
- The podman play kube command now supports a --start option, enabled by default, to start the pod after creating it. This allows podman play kube to be more easily used in systemd unit files.
- The podman network create command now supports the --ipv6 option to enable dual-stack IPv6 networking for created networks.
- The podman inspect command can now inspect pods, networks, and volumes, in addition to containers and images.
- The --mount option for podman run and podman create now supports a new type, image, to mount the contents of an image into the container at a given location.
- The Bash and ZSH completions have been completely reworked and have received significant enhancements! Additionally, support for Fish completions and completions for the podman-remote executable have been added.
- The --log-opt option for podman create and podman run now supports the max-size option to set the maximum size for a container's logs.
- The --network option to the podman pod create command now allows pods to be configured to use slirp4netns networking, even when run as root.
- The podman pod stop, podman pod pause, podman pod unpause, and podman pod kill commands now work on multiple containers in parallel and should be significantly faster.
- The podman search command now supports a --list-tags option to list all available tags for a single image in a single repository.
- The podman search command can now output JSON using the --format=json option.
- The podman diff and podman mount commands now work with all containers in the storage library, including those not created by Podman. This allows them to be used with Buildah and CRI-O containers.
- The podman container exists command now features a --external option to check if a container exists not just in Podman, but also in the storage library. This will allow Podman to identify Buildah and CRI-O containers.
- The --tls-verify and --authfile options have been enabled for use with remote Podman.
- The /etc/hosts file now includes the container's name and hostname when the container is run with --net=none.
- The podman events command now supports filtering events based on the labels of the container they occurred on using the --filter label=key=value option.
- The podman volume ls command now supports filtering volumes based on their labels using the --filter label=key=value option.
- The --volume and --mount options to podman run and podman create now support two new mount propagation options, unbindable and runbindable.
- The name and id filters for podman pod ps now match based on a regular expression, instead of requiring an exact match.
- The podman pod ps command now supports a new filter, status, that matches pods in a certain state.
* Changes
- The podman network rm --force command will now also remove pods that are using the network.
- The podman volume rm, podman network rm, and podman pod rm commands now return exit code 1 if the object specified for removal does not exist, and exit code 2 if the object is in use and the --force option was not given.
- If /dev/fuse is passed into Podman containers as a device, Podman will open it before starting the container to ensure that the kernel module is loaded on the host and the device is usable in the container.
- Global Podman options that were not supported with remote operation have been removed from podman-remote.
- Many errors have been changed to remove repetition and be more clear as to what has gone wrong.
- The --storage option to podman rm is now enabled by default, with slightly changed semantics. If the given container does not exist in Podman but does exist in the storage library, it will be removed even without the --storage option. If the container exists in Podman it will be removed normally. The --storage option for podman rm is now deprecated and will be removed in a future release.
- The --storage option to podman ps has been renamed to --external. An alias has been added so the old form of the option will continue to work.
- Podman now delays the SIGTERM and SIGINT signals during container creation to ensure that Podman is not stopped midway through creating a container, resulting in potential resource leakage.
- The podman save command now strips signatures from images it is exporting, as the formats we export to do not support signatures.
- A new Degraded state has been added to pods. Pods that have some, but not all, of their containers running are now considered to be Degraded instead of Running.
- Podman will now print a warning when conflicting network options related to port forwarding are specified when creating a container.
- The --restart on-failure and --rm options for containers no longer conflict. When both are specified, the container will be restarted if it exits with a non-zero error code, and removed if it exits cleanly.
- Remote Podman will no longer use settings from the client's containers.conf; defaults will instead be provided by the server's containers.conf.
- The podman network rm command now has a new alias, podman network remove.
* Bugfixes
- Fixed a bug where podman load on the remote client did not error when attempting to load a directory, which is not yet supported for remote use.
- Fixed a bug where rootless Podman could hang when the newuidmap binary was not installed.
- Fixed a bug where the --pull option to podman run, podman create, and podman build did not match Docker's behavior.
- Fixed a bug where sysctl settings from the containers.conf configuration file were applied, even if the container did not join the namespace associated with a sysctl.
- Fixed a bug where Podman would not return the text of errors encountered when trying to run a healthcheck for a container.
- Fixed a bug where Podman was accidentally setting the containers environment variable in addition to the expected container environment variable.
- Fixed a bug where rootless Podman using CNI networking did not properly clean up DNS entries for removed containers.
- Fixed a bug where the podman untag --all command was not supported with remote Podman.
- Fixed a bug where the podman system service command could time out even if active attach connections were present.
- Fixed a bug where the podman system service command would sometimes never time out despite no active connections being present.
- Fixed a bug where Podman's handling of capabilities, specifically inheritable, did not match Docker's.
- Fixed a bug where podman run would fail if the image specified was a manifest list and had already been pulled.
- Fixed a bug where Podman did not take search registries into account when looking up images locally.
- Fixed a bug where the podman manifest inspect command would fail for images that had already been pulled.
- Fixed a bug where rootless Podman would not add supplemental GIDs to containers when a user, but not a group, was set via the --user option to podman create and podman run and sufficient GIDs were available to add the groups.
- Fixed a bug where remote Podman commands did not properly handle cases where the user gave a name that could also be a short ID for a pod or container.
- Fixed a bug where podman image prune could leave images ready to be pruned after podman image prune was run.
- Fixed a bug where the podman logs command with the journald log driver would not read all available logs.
- Fixed a bug where the --rm and --restart options to podman create and podman run did not conflict when a restart policy that is not on-failure was chosen.
- Fixed a bug where the --format 'table {{ .Field }}' option to numerous Podman commands ceased to function on Podman v2.0 and up.
- Fixed a bug where pods did not properly share an SELinux label between their containers, resulting in containers being unable to see the processes of other containers when the pod shared a PID namespace.
- Fixed a bug where the --namespace option to podman ps did not work with the remote client.
- Fixed a bug where rootless Podman incorrectly calculated the number of UIDs available in the container if multiple different ranges of UIDs were specified. - Fixed a bug where the /etc/hosts file would not be correctly populated for containers in a user namespace . - Fixed a bug where the podman network create and podman network remove commands could race when run in parallel, with unpredictable results . - Fixed a bug where the -p option to podman run, podman create, and podman pod create would, when given only a single number , assign the same port for both host and container, instead of generating a random host port . - Fixed a bug where Podman containers did not properly store the cgroup manager they were created with, causing them to stop functioning after the cgroup manager was changed in containers.conf or with the --cgroup-manager option . - Fixed a bug where the podman inspect command did not include information on the CNI networks a container was connected to if it was not running. - Fixed a bug where the podman attach command would not print a newline after detaching from the container . - Fixed a bug where the HOME environment variable was not set properly in containers when the --userns=keep-id option was set . - Fixed a bug where the podman container restore command could panic when the container in question was in a pod . - Fixed a bug where the output of the podman image trust show --raw command was not properly formatted. - Fixed a bug where the podman runlabel command could panic if a label to run was not given . - Fixed a bug where the podman run and podman start --attach commands would exit with an error when the user detached manually using the detach keys on remote Podman . - Fixed a bug where rootless CNI networking did not use the dnsname CNI plugin if it was not available on the host, despite it always being available in the container used for rootless networking . 
- Fixed a bug where Podman did not properly handle cases where an OCI runtime is specified by its full path, and could revert to using another OCI runtime with the same binary path that existed in the system $PATH on subsequent invocations. - Fixed a bug where the --net=host option to podman create and podman run would cause the /etc/hosts file to be incorrectly populated . - Fixed a bug where the podman inspect command did not include container network information when the container shared its network namespace . - Fixed a bug where the podman ps command did not include information on all ports a container was publishing. - Fixed a bug where the podman build command incorrectly forwarded STDIN into build containers from RUN instructions. - Fixed a bug where the podman wait command"s --interval option did not work when units were not specified for the duration . - Fixed a bug where the --detach-keys and --detach options could be passed to podman create despite having no effect . - Fixed a bug where Podman could not start containers if running on a system without a /etc/resolv.conf file . - Fixed a bug where the --extract option to podman cp was nonfunctional. - Fixed a bug where the --cidfile option to podman run would, when the container was not run with --detach, only create the file after the container exited . - Fixed a bug where the podman images and podman images -a commands could panic and not list any images when certain improperly-formatted images were present in storage . - Fixed a bug where the podman events command could, when the journald events backend was in use, become nonfunctional when a badly-formatted event or a log message that container certain string was present in the journal . - Fixed a bug where remote Podman would, when using SSH transport, not authenticate to the server using hostkeys when connecting on a port other than 22 . - Fixed a bug where the podman attach command would not exit when containers stopped . 
- Fixed a bug where Podman did not properly clean paths before verifying them, resulting in Podman refusing to start if the root or temporary directories were specified with extra trailing / characters . - Fixed a bug where remote Podman did not support hashed hostnames in the known_hosts file on the host for establishing connections . - Fixed a bug where the podman image exists command would return non-zero when multiple potential matches for the given name existed. - Fixed a bug where the podman manifest inspect command on images that are not manifest lists would error instead of inspecting the image . - Fixed a bug where the podman system service command would fail if the directory the Unix socket was to be created inside did not exist . - Fixed a bug where pods that shared the IPC namespace did not share a /dev/shm filesystem between all containers in the pod . - Fixed a bug where filters passed to podman volume list were not inclusive . - Fixed a bug where the podman volume create command would fail when the volume"s data directory already existed . - Fixed a bug where the podman run and podman create commands would deadlock when trying to create a container that mounted the same named volume at multiple locations . - Fixed a bug where the parsing of the --net option to podman build was incorrect . - Fixed a bug where the podman build command would print the ID of the built image twice when using remote Podman . - Fixed a bug where the podman stats command did not show memory limits for containers . - Fixed a bug where the podman pod inspect command printed the static MAC address of the pod in a non-human-readable format . - Fixed a bug where the --tls-verify option of the podman play kube command had its logic inverted . - Fixed a bug where the podman network rm command would error when trying to remove macvlan networks and rootless CNI networks . - Fixed a bug where Podman was not setting sane defaults for missing XDG_ environment variables. 
- Fixed a bug where remote Podman would check if volume paths to be mounted in the container existed on the host, not the server . - Fixed a bug where the podman manifest create and podman manifest add commands on local images would drop any images in the manifest not pulled by the host. - Fixed a bug where networks made by podman network create did not include the tuning plugin, and as such did not support setting custom MAC addresses . - Fixed a bug where container healthchecks did not use $PATH when searching for the Podman executable to run the healthcheck. - Fixed a bug where the --ip-range option to podman network create did not properly handle non-classful subnets when calculating the last usable IP for DHCP assignment . - Fixed a bug where the podman container ps alias for podman ps was missing . * API - The Compat Create endpoint for Container has received a major refactor to share more code with the Libpod Create endpoint, and should be significantly more stable. - A Compat endpoint for exporting multiple images at once, GET /images/get, has been added . - The Compat Network Connect and Network Disconnect endpoints have been added. - Endpoints that deal with image registries now support a X-Registry-Config header to specify registry authentication configuration. - The Compat Create endpoint for images now properly supports specifying images by digest. - The Libpod Build endpoint for images now supports an httpproxy query parameter which, if set to true, will forward the server"s HTTP proxy settings into the build container for RUN instructions. - The Libpod Untag endpoint for images will now remove all tags for the given image if no repository and tag are specified for removal. - Fixed a bug where the Ping endpoint misspelled a header name . - Fixed a bug where the Ping endpoint sent an extra newline at the end of its response where Docker did not. 
- Fixed a bug where the Compat Logs endpoint for containers did not send a newline character after each log line. - Fixed a bug where the Compat Logs endpoint for containers would mangle line endings to change newline characters to add a preceding carriage return . - Fixed a bug where the Compat Inspect endpoint for Containers did not properly list the container"s stop signal . - Fixed a bug where the Compat Inspect endpoint for Containers formatted the container"s create time incorrectly . - Fixed a bug where the Compat Inspect endpoint for Containers did not include the container"s Path, Args, and Restart Count. - Fixed a bug where the Compat Inspect endpoint for Containers prefixed added and dropped capabilities with CAP_ . - Fixed a bug where the Compat Info endpoint for the Engine did not include configured registries. - Fixed a bug where the server could panic if a client closed a connection midway through an image pull . - Fixed a bug where the Compat Create endpoint for volumes returned an error when a volume with the same name already existed, instead of succeeding with a 201 code . - Fixed a bug where a client disconnecting from the Libpod or Compat events endpoints could result in the server using 100% CPU . - Fixed a bug where the 'no such image' error message sent by the Compat Inspect endpoint for Images returned a 404 status code with an error that was improperly formatted for Docker compatibility. - Fixed a bug where the Compat Create endpoint for networks did not properly set a default for the driver parameter if it was not provided by the client. - Fixed a bug where the Compat Inspect endpoint for images did not populate the RootFS field of the response. - Fixed a bug where the Compat Inspect endpoint for images would omit the ParentId field if the image had no parent, and the Created field if the image did not have a creation time. - Fixed a bug where the Compat Remove endpoint for Networks did not support the Force query parameter. 
- add dependency to timezone package or podman fails to build a
- Correct invalid use of %{_libexecdir} to ensure files should be in /usr/lib
SELinux support [jsc#SMO-15]

libseccomp was updated to release 2.5.3:
* Update the syscall table for Linux v5.15
* Fix issues with multiplexed syscalls on mipsel introduced in v2.5.2
* Document that seccomp_rule_add may return -EACCES
Update to release 2.5.2:
* Update the syscall table for Linux v5.14-rc7
* Add a function, get_notify_fd, to the Python bindings to get the notification file descriptor.
* Consolidate multiplexed syscall handling for all architectures into one location.
* Add multiplexed syscall support to PPC and MIPS
* The meaning of SECCOMP_IOCTL_NOTIF_ID_VALID changed within the kernel. libseccomp's fd notification logic was modified to support the kernel's previous and new usage of SECCOMP_IOCTL_NOTIF_ID_VALID.
Update to 2.5.1:
* Fix a bug where seccomp_load could only be called once
* Change the notification fd handling to only request a notification fd if the filter has a _NOTIFY action
* Add documentation about SCMP_ACT_NOTIFY to the seccomp_add_rule manpage
* Clarify the maintainers' GPG keys
Update to release 2.5.0:
* Add support for the seccomp user notifications, see the seccomp_notify_alloc, seccomp_notify_receive, seccomp_notify_respond manpages for more information
* Add support for new filter optimization approaches, including a balanced tree optimization, see the SCMP_FLTATR_CTL_OPTIMIZE filter attribute for more information
* Add support for the 64-bit RISC-V architecture
* Performance improvements when adding new rules to a filter thanks to the use of internal shadow transactions and improved syscall lookup tables
* Properly document the libseccomp API return values and include them in the stable API promise
* Improvements to the s390 and s390x multiplexed syscall handling
* Multiple fixes and improvements to the libseccomp manpages
* Moved from manually maintained syscall tables to an automatically generated syscall table in CSV format
* Update the syscall tables to Linux v5.8.0-rc5
* Python bindings and build now default to Python 3.x
* Improvements to the tests have boosted code coverage to over 93%
Update to release 2.4.3:
* Add list of authorized release signatures to README.md
* Fix multiplexing issue with s390/s390x shm* syscalls
* Remove the static flag from libseccomp tools compilation
* Add define for __SNR_ppoll
* Fix potential memory leak identified by clang in the scmp_bpf_sim tool
Update to release 2.4.2:
* Add support for io-uring related system calls

conmon was updated to version 2.0.30:
* Remove unreachable code path
* exit: report if the exit command was killed
* exit: fix race zombie reaper
* conn_sock: allow watchdog messages through the notify socket proxy
* seccomp: add support for seccomp notify
Update to version 2.0.29:
* Reset OOM score back to 0 for container runtime
* call functions registered with atexit on SIGTERM
* conn_sock: fix potential segfault
Update to version 2.0.27:
* Add CRI-O integration test GitHub action
* exec: don't fail on EBADFD
* close_fds: fix close of external fds
* Add arm64 static build binary
Update to version 2.0.26:
* conn_sock: do not fail on EAGAIN
* fix segfault from a double freed pointer
* Fix a bug where conmon could never spawn a container, because of a disagreement between the caller and itself on where the attach socket was.
* improve --full-attach to ignore the socket-dir directly; that means callers don't need to specify a socket dir at all
* add full-attach option to allow callers to not truncate a very long path for the attach socket
* close only opened FDs
* set locale to inherit environment
Update to version 2.0.22:
* added man page
* attach: always chdir
* conn_sock: Explicitly free a heap-allocated string
* refactor I/O and add SD_NOTIFY proxy support
Update to version 2.0.21:
* protect against kill
* Makefile: enable debuginfo generation
* Remove go.sum file and add go.mod
* Fail if conmon config could not be written
* nix: remove double definition for e2fsprogs
* Speedup static build by utilizing CI cache on `/nix` folder
* Fix nix build for failing e2fsprogs tests
* test: fix CI
* Use Podman for building

libcontainers-common was updated to include:
- common 0.44.0
- image 5.16.0
- podman 3.3.1
- storage 1.36.0

CVEs fixed: CVE-2020-14370, CVE-2020-15157, CVE-2021-20199, CVE-2021-20291, CVE-2021-3602
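Two of the remote-client fixes in the podman notes above concern SSH server verification: the client did not authenticate the server with host keys when connecting on a port other than 22, and it did not support hashed hostnames in known_hosts. The Python below is an added example, not Podman's code, showing how an OpenSSH-style known_hosts lookup has to work for both cases: a server on a port other than 22 is recorded as [host]:port (looking up the bare name finds nothing, so the key cannot be verified), and a hashed entry has the form |1|base64(salt)|base64(HMAC-SHA1(salt, name)). The host names, port and key blobs are constructed for the demo.

```python
"""Look up an SSH server's host key in OpenSSH known_hosts, handling hashed
hostnames and non-default ports. Added example for this advisory, not Podman's
own code; host names, ports and key material below are constructed."""
import base64
import hashlib
import hmac
import os


def host_pattern(host, port):
    """The name OpenSSH records: bare host on port 22, [host]:port otherwise.
    A client that looks up only the bare name for port 2222 finds no key and
    cannot verify the server (the port-other-than-22 bug above)."""
    return host if port == 22 else "[%s]:%d" % (host, port)


def hash_host_pattern(pattern, salt=None):
    """Hashed known_hosts name: |1|b64(salt)|b64(HMAC-SHA1(salt, pattern))."""
    salt = salt if salt is not None else os.urandom(20)
    mac = hmac.new(salt, pattern.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def name_field_matches(field, pattern):
    """Does the first known_hosts column (plain names or one hashed name) cover pattern?"""
    if field.startswith("|1|"):
        try:
            _, _, salt_b64, mac_b64 = field.split("|", 3)
            salt = base64.b64decode(salt_b64, validate=True)
            expected = base64.b64decode(mac_b64, validate=True)
        except ValueError:
            return False  # malformed hashed entry is never a match
        actual = hmac.new(salt, pattern.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    # Plain entries may list several names separated by commas.
    return pattern in field.split(",")


def keys_for_host(known_hosts, host, port):
    """Return [(keytype, base64 key), ...] recorded for host:port."""
    pattern = host_pattern(host, port)
    found = []
    for line in known_hosts.splitlines():
        line = line.strip()
        # Comments and @cert-authority / @revoked markers are skipped in this demo.
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        if name_field_matches(parts[0], pattern):
            found.append((parts[1], parts[2]))
    return found


def verify_host_key(known_hosts, host, port, keytype, keyblob):
    """'ok' if the presented key is recorded for host:port, 'mismatch' if a
    different key is recorded (treat as a possible MITM), 'unknown' if none."""
    recorded = keys_for_host(known_hosts, host, port)
    if not recorded:
        return "unknown"
    return "ok" if (keytype, keyblob) in recorded else "mismatch"


# Constructed sample: one host with sshd on 22 and a second sshd on 2222.
KEY_22 = "AAAAC3NzaC1lZDI1NTE5AAAAIDEMO22KEYxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
KEY_2222 = "AAAAC3NzaC1lZDI1NTE5AAAAIDEMO2222KEYxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
FIXED_SALT = bytes(range(20))  # fixed only so the sample is reproducible
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# plain entry, port 22, two names for the same key",
    "podman-host.example,10.0.0.5 ssh-ed25519 " + KEY_22,
    "# hashed entry for the same host on port 2222",
    hash_host_pattern(host_pattern("podman-host.example", 2222), FIXED_SALT)
    + " ssh-ed25519 " + KEY_2222,
])

if __name__ == "__main__":
    for port, key in ((22, KEY_22), (2222, KEY_2222), (2222, KEY_22)):
        print(port, verify_host_key(SAMPLE_KNOWN_HOSTS, "podman-host.example",
                                    port, "ssh-ed25519", key))
```

A "mismatch" result is the case a client must refuse to proceed on; "unknown" is what the port bug produced for every non-22 connection, which is only safe if the client then refuses rather than silently trusting the presented key.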
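The --ip-range fix in the podman notes above (last usable IP mis-computed for non-classful subnets) comes down to deriving the usable host range from the prefix length rather than from octet boundaries. The Python below is an added example, not Podman's or CNI's code, and goes slightly beyond the single fix: it computes the usable range for any IPv4 prefix including /31 and /32, clips an --ip-range block to the enclosing subnet's usable hosts, and for contrast shows what a classful rule would return. The subnets used are constructed.

```python
"""Usable host range of an IPv4 subnet and the addresses an --ip-range block
inside it may hand out, computed from the prefix length rather than classful
octet boundaries. Added example for this advisory, not Podman's or CNI's own
code; the subnets used below are constructed."""
import ipaddress


def usable_range(subnet):
    """(first, last) usable host addresses of subnet, as strings.
    /31 (RFC 3021 point-to-point) and /32 reserve no network/broadcast address."""
    net = ipaddress.IPv4Network(subnet, strict=True)
    lo, hi = int(net.network_address), int(net.broadcast_address)
    if net.prefixlen < 31:
        lo, hi = lo + 1, hi - 1
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(hi))


def assignable_range(subnet, ip_range=None):
    """(first, last) addresses an allocator may assign from ip_range within subnet.
    Only the enclosing subnet's own network and broadcast addresses are excluded:
    10.89.2.255 inside 10.89.0.0/22 is an ordinary host, while 10.89.3.255 is the
    broadcast address. Raises ValueError if ip_range lies outside subnet."""
    net = ipaddress.IPv4Network(subnet, strict=True)
    first, last = (int(ipaddress.IPv4Address(a)) for a in usable_range(subnet))
    if ip_range is not None:
        rng = ipaddress.IPv4Network(ip_range, strict=True)
        if not rng.subnet_of(net):
            raise ValueError("%s is not inside %s" % (rng, net))
        first = max(first, int(rng.network_address))
        last = min(last, int(rng.broadcast_address))
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))


def classful_last_usable(subnet):
    """What a classful (pre-CIDR) rule returns for the same subnet: the class is
    read from the first octet and the configured prefix length is ignored. Shown
    for contrast only; this is not a reproduction of Podman's exact defect."""
    net = ipaddress.IPv4Network(subnet, strict=True)
    first_octet = int(net.network_address) >> 24
    prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    classful = ipaddress.IPv4Network((net.network_address, prefix), strict=False)
    return str(classful.broadcast_address - 1)


if __name__ == "__main__":
    for subnet in ("10.89.0.0/22", "192.168.1.0/27", "10.0.0.0/31"):
        print(subnet, "usable", usable_range(subnet),
              "classful guess", classful_last_usable(subnet))
    print(assignable_range("10.89.0.0/22", "10.89.2.0/24"))
    print(assignable_range("10.89.0.0/22", "10.89.3.0/24"))
```

The two assignable_range calls at the end show the edge case directly: the same /24 block of --ip-range ends at .255 when it sits in the middle of the /22, but at .254 when it is the last block, because that .255 is the /22's broadcast address.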

Platform:
SUSE Linux Enterprise Server 15 SP3
SUSE Linux Enterprise Desktop 15 SP3
Product:
libseccomp-debugsource
libseccomp-devel
libseccomp2
libcontainers-common
Reference:
SUSE-SU-2022:23018-1
CVE-2020-14370
CVE-2020-15157
CVE-2021-20199
CVE-2021-20291
CVE-2021-3602
CVE-2021-4024
CVE-2021-41190
CPE:
cpe:/a:libcontainers-common:libcontainers-common
cpe:/a:libseccomp-devel:libseccomp-devel
cpe:/a:libseccomp2:libseccomp2
cpe:/o:suse:suse_linux_enterprise_server:15:sp3
...

© SecPod Technologies