-rw-r--r--  README.md                                2
-rw-r--r--  RELEASE_NOTES.md                        74
-rwxr-xr-x  contrib/cirrus/pr-should-include-tests   3
-rwxr-xr-x  contrib/cirrus/runner.sh                67
-rwxr-xr-x  hack/make-and-check-size                 5
-rw-r--r--  test/upgrade/test-upgrade.bats           8
6 files changed, 153 insertions, 6 deletions
diff --git a/README.md b/README.md
index 4385886a8..9b375e35d 100644
--- a/README.md
+++ b/README.md
@@ -5,7 +5,7 @@
Podman (the POD MANager) is a tool for managing containers and images, volumes mounted into those containers, and pods made from groups of containers.
Podman is based on libpod, a library for container lifecycle management that is also contained in this repository. The libpod library provides APIs for managing containers, pods, container images, and volumes.
-* [Latest Version: 4.0.0](https://github.com/containers/podman/releases/latest)
+* [Latest Version: 4.0.3](https://github.com/containers/podman/releases/tag/v4.0.3)
* Latest Remote client for Windows
* Latest Remote client for macOS
* Latest Static Remote client for Linux
diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
index 4c07b033a..e7a496250 100644
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
@@ -1,6 +1,62 @@
# Release Notes
+## 4.0.3
+### Security
+- This release fixes CVE-2022-27649, where containers run by Podman would have excess inheritable capabilities set.
+
+### Changes
+- The `podman machine rm --force` command will now remove running machines as well (such machines are shut down first, then removed) ([#13448](https://github.com/containers/podman/issues/13448)).
+- When a `podman machine` VM is started that is using a too-old VM image, it will now start in a reduced functionality mode, and provide instructions on how to recreate it (previously, VMs were effectively unusable) ([#13510](https://github.com/containers/podman/issues/13510)).
+
+### Bugfixes
+- Fixed a bug where devices added to containers by the `--device` option to `podman run` and `podman create` would not be accessible within the container.
+- Fixed a bug where Podman would refuse to create containers when the working directory in the container was a symlink ([#13346](https://github.com/containers/podman/issues/13346)).
+- Fixed a bug where pods would be created with cgroups even if cgroups were disabled in `containers.conf` ([#13411](https://github.com/containers/podman/issues/13411)).
+- Fixed a bug where the `podman play kube` command would produce confusing errors if invalid YAML with duplicated container named was passed ([#13332](https://github.com/containers/podman/issues/13332)).
+- Fixed a bug where the `podman machine rm` command would not remove the Podman API socket on the host that was associated with the VM.
+- Fixed a bug where the remote Podman client was unable to properly resize the TTYs of containers on non-Linux OSes.
+- Fixed a bug where rootless Podman could hang indefinitely when starting containers on systems with IPv6 disabled ([#13388](https://github.com/containers/podman/issues/13388)).
+- Fixed a bug where the `podman version` command could sometimes print excess blank lines as part of its output.
+- Fixed a bug where the `podman generate systemd` command would sometimes generate systemd services with names beginning with a hyphen ([#13272](https://github.com/containers/podman/issues/13272)).
+- Fixed a bug where locally building the pause image could fail if the current directory contained a `.dockerignore` file ([#13529](https://github.com/containers/podman/issues/13529)).
+- Fixed a bug where root containers in VMs created by `podman machine` could not bind ports to specific IPs on the host ([#13543](https://github.com/containers/podman/issues/13543)).
+- Fixed a bug where the storage utilization percentages displayed by `podman system df` were incorrect ([#13516](https://github.com/containers/podman/issues/13516)).
+- Fixed a bug where the CPU utilization percentages displayed by `podman stats` were incorrect ([#13597](https://github.com/containers/podman/pull/13597)).
+- Fixed a bug where containers created with the `--no-healthcheck` option would still display healthcheck status in `podman inspect` ([#13578](https://github.com/containers/podman/issues/13578)).
+- Fixed a bug where the `podman pod rm` command could print a warning about a missing cgroup ([#13382](https://github.com/containers/podman/issues/13382)).
+- Fixed a bug where the `podman exec` command could sometimes print a `timed out waiting for file` error after the process in the container exited ([#13227](https://github.com/containers/podman/issues/13227)).
+- Fixed a bug where virtual machines created by `podman machine` were not tolerant of changes to the path to the qemu binary on the host ([#13394](https://github.com/containers/podman/issues/13394)).
+- Fixed a bug where the remote Podman client's `podman build` command did not properly handle the context directory if a Containerfile was manually specified using `-f` ([#13293](https://github.com/containers/podman/issues/13293)).
+- Fixed a bug where Podman would not properly detect the use of `systemd` as PID 1 in a container when the entrypoint was prefixed with `/bin/sh -c` ([#13324](https://github.com/containers/podman/issues/13324)).
+- Fixed a bug where rootless Podman could, on systems that do not use `systemd` as init, print a warning message about the rootless network namespace ([#13703](https://github.com/containers/podman/issues/13703)).
+- Fixed a bug where the default systemd unit file for `podman system service` did not delegate all cgroup controllers, resulting in `podman info` queries against the remote API returning incorrect cgroup controllers ([#13710](https://github.com/containers/podman/issues/13710)).
+- Fixed a bug where the `slirp4netns` port forwarder for rootless Podman would only publish the first port of a range ([#13643](https://github.com/containers/podman/issues/13643)).
+
+### API
+- Fixed a bug where the Compat Create API for containers did not properly handle permissions for tmpfs mounts ([#13108](https://github.com/containers/podman/issues/13108)).
+
+### Misc
+- The static binary for Linux is now built with CGo disabled to avoid panics due to a Golang bug ([#13557](https://github.com/containers/podman/issues/13557)).
+- Updated Buildah to v1.24.3
+- Updated the containers/storage library to v1.38.3
+- Updated the containers/image library to v5.19.2
+- Updated the containers/common library to v0.47.5
+
+## 4.0.2
+### Bugfixes
+- Revert "use GetRuntimeDir() from c/common"
+
+## 4.0.1
+### Bugfixes
+- Fixed a bug where the `podman play kube` command did not honor the `mountPropagation` field in Pod YAML ([#13322](https://github.com/containers/podman/issues/13322)).
+- Fixed a bug where the `--build=false` option to `podman play kube` was not honored ([#13285](https://github.com/containers/podman/issues/13285)).
+- Fixed a bug where a container using volumes from another container (via `--volumes-from`) could, under certain circumstances, exit with errors that it could not delete some volumes if the other container did not exit before it ([#12808](https://github.com/containers/podman/issues/12808)).
+- Fixed a bug where the `CONTAINERS_CONF` environment variable was not propagated to Conmon, which could result in Podman cleanup processes being run with incorrect configurations.
+
## 4.0.0
+### Security
+- This release addresses CVE-2022-1227, where running `podman top` on a container made from a maliciously-crafted image and using a user namespace could allow for code execution in the host context.
+
### Features
- Podman has seen an extensive rewrite of its network stack to add support for Netavark, a new tool for configuring container networks, in addition to the existing CNI stack. Netavark will be default on new installations when it is available.
- The `podman network connect` command now supports three new options, `--ip`, `--ip6`, and `--mac-address`, to specify configuration for the new network that will be attached.
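Review bot: typo in the `podman play kube` bugfix entry under 4.0.3: "duplicated container named" should read "duplicated container names". The 4.0.2 section also just quotes a commit title (`Revert "use GetRuntimeDir() from c/common"`); a sentence stating the user-visible effect of the revert would match the style of the surrounding entries.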
@@ -196,6 +252,24 @@
- Updated the containers/common library to v0.47.1
- Updated the containers/psgo library to v1.7.2
+## 3.4.7
+### Security
+- This release addresses CVE-2022-1227, where running `podman top` on a container made from a maliciously-crafted image and using a user namespace could allow for code execution in the host context.
+
+## 3.4.6
+### Security
+- This release addresses CVE-2022-27191, where an attacker could potentially cause crashes in remote Podman by using incorrect SSH ciphers.
+
+## 3.4.5
+### Security
+- This release addresses CVE-2022-27649, where Podman would set excess inheritable capabilities for processes in containers.
+
+### Bugfixes
+- Fixed a bug where the `podman images` command could, under some circumstances, take an excessive amount of time to list images ([#11997](https://github.com/containers/podman/issues/11997)).
+
+### Misc
+- Updates the containers/common library to v0.44.5
+
## 3.4.4
### Bugfixes
- Fixed a bug where the `podman exec` command would, under some circumstances, print a warning message about failing to move `conmon` to the appropriate cgroup ([#12535](https://github.com/containers/podman/issues/12535)).
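Review bot: the 3.4.5 Misc entry says "Updates the containers/common library to v0.44.5" while every other such entry in this file uses "Updated"; change it to "Updated" for consistency.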
diff --git a/contrib/cirrus/pr-should-include-tests b/contrib/cirrus/pr-should-include-tests
index 8103df41d..0d39047a6 100755
--- a/contrib/cirrus/pr-should-include-tests
+++ b/contrib/cirrus/pr-should-include-tests
@@ -30,8 +30,7 @@ fi
# Nothing changed under test subdirectory.
#
# This is OK if the only files being touched are "safe" ones.
-filtered_changes=$(git diff --name-status $base $head |
- awk '{print $2}' |
+filtered_changes=$(git diff --name-only $base $head |
fgrep -vx .cirrus.yml |
fgrep -vx .gitignore |
fgrep -vx Makefile |
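Review bot: replacing `--name-status | awk '{print $2}'` with `--name-only` also changes which path is reported for renames: with `--name-status` a rename prints `R<score> old new`, so `$2` was the old path, whereas `--name-only` prints only the new path. The new path is the more useful one for deciding whether tests were touched, so this looks like an improvement, but it deserves a mention in the commit message. Separately, `fgrep` is deprecated; `grep -Fvx` avoids future warnings.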
diff --git a/contrib/cirrus/runner.sh b/contrib/cirrus/runner.sh
index f33c6af29..8f956d7f5 100755
--- a/contrib/cirrus/runner.sh
+++ b/contrib/cirrus/runner.sh
@@ -46,6 +46,8 @@ function _run_validate() {
}
function _run_unit() {
+ _bail_if_test_can_be_skipped test/goecho test/version
+
# shellcheck disable=SC2154
if [[ "$PODBIN_NAME" != "podman" ]]; then
# shellcheck disable=SC2154
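Review bot: `_run_unit` only treats `test/goecho` and `test/version` as directories that block the skip; if Go unit tests or helpers used by the unit run live under any other `test/` subdirectory, a PR touching only those files would be classified as test-only and the unit run would be skipped. Worth confirming that list is complete before merging.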
@@ -55,31 +57,45 @@ function _run_unit() {
}
function _run_apiv2() {
+ _bail_if_test_can_be_skipped test/apiv2
+
source .venv/requests/bin/activate
make localapiv2 |& logformatter
}
function _run_compose() {
+ _bail_if_test_can_be_skipped test/compose
+
./test/compose/test-compose |& logformatter
}
function _run_compose_v2() {
+ _bail_if_test_can_be_skipped test/compose
+
./test/compose/test-compose |& logformatter
}
function _run_int() {
+ _bail_if_test_can_be_skipped test/e2e
+
dotest integration
}
function _run_sys() {
+ _bail_if_test_can_be_skipped test/system
+
dotest system
}
function _run_upgrade_test() {
+ _bail_if_test_can_be_skipped test/upgrade
+
bats test/upgrade |& logformatter
}
function _run_bud() {
+ _bail_if_test_can_be_skipped test/buildah-bud
+
./test/buildah-bud/run-buildah-bud-tests |& logformatter
}
@@ -217,6 +233,9 @@ function _run_build() {
}
function _run_altbuild() {
+ # We can skip all these steps for test-only PRs, but not doc-only ones
+ _bail_if_test_can_be_skipped docs
+
local -a arches
local arch
req_env_vars ALT_NAME
@@ -345,6 +364,54 @@ dotest() {
|& logformatter
}
+# Optimization: will exit if the only PR diffs are under docs/ or tests/
+# with the exception of any given arguments. E.g., don't run e2e or upgrade
+# or bud tests if the only PR changes are in test/system.
+function _bail_if_test_can_be_skipped() {
+ local head base diffs
+
+ # Cirrus sets these for PRs but not cron. In cron, we never want to skip.
+ for v in CIRRUS_CHANGE_IN_REPO DEST_BRANCH; do
+ if [[ -z "${!v}" ]]; then
+ msg "[ _cannot do selective skip: \$$v is undefined ]"
+ return 0
+ fi
+ done
+ # And if this one *is* defined, it means we're not in PR-land; don't skip.
+ if [[ -n "$CIRRUS_TAG" ]]; then
+ msg "[ _cannot do selective skip: \$CIRRUS_TAG is defined ]"
+ return 0
+ fi
+
+ head=$CIRRUS_CHANGE_IN_REPO
+ base=$(git merge-base $DEST_BRANCH $head)
+ diffs=$(git diff --name-only $base $head)
+
+ # If PR touches any files in an argument directory, we cannot skip
+ for subdir in "$@"; do
+ if egrep -q "^$subdir/" <<<"$diffs"; then
+ return 0
+ fi
+ done
+
+ # PR does not touch any files under our input directories. Now see
+ # if the PR touches files outside of the following directories, by
+ # filtering these out from the diff results.
+ for subdir in docs test; do
+ # || true needed because we're running with set -e
+ diffs=$(egrep -v "^$subdir/" <<<"$diffs" || true)
+ done
+
+ # If we still have diffs, they indicate files outside of docs & test.
+ # It is not safe to skip.
+ if [[ -n "$diffs" ]]; then
+ return 0
+ fi
+
+ msg "SKIPPING: This is a doc- and/or test-only PR with no changes under $*"
+ exit 0
+}
+
# Nearly every task in .cirrus.yml makes use of this shell script
# wrapped by /usr/bin/time to collect runtime statistics. Because the
# --output option is used to log stats to a file, every child-process
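Review bot: in the `for subdir in "$@"` loop, `$subdir` is interpolated unquoted into an ERE (`"^$subdir/"`), so an argument containing regex metacharacters would be matched as a pattern rather than a literal path prefix; the current callers pass plain paths, but a literal test such as `case "$f" in "$subdir"/*) return 0;; esac` over the lines of `$diffs` would be robust. `egrep` is also deprecated in favour of `grep -E`. Note that the skip is implemented with `exit 0` from inside the helper, which only works because every caller invokes it directly at the top of its function, not inside a subshell or pipeline; a comment saying so would stop a future caller from wrapping it.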
diff --git a/hack/make-and-check-size b/hack/make-and-check-size
index f2345b815..5b0021d12 100755
--- a/hack/make-and-check-size
+++ b/hack/make-and-check-size
@@ -92,9 +92,10 @@ if [[ ! -d $context_dir ]]; then
fi
# This is the original (and primary) purpose of this check: if 'make' fails,
-# there is no point in continuing
+# there is no point in continuing. Show at least the commit title since
+# the ID may not match anything human recognisable.
echo
-echo "Building: $(git rev-parse HEAD)"
+echo "Building: $(git log -n 1 --no-show-signature --oneline)"
make
# Determine size of each built file.
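Review bot: `--oneline` abbreviates the commit hash, so the full ID that the old `git rev-parse HEAD` line printed is no longer in the log. `git log -n 1 --no-show-signature --format='%H %s'` keeps the full hash and adds the title, which is what the new comment asks for.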
diff --git a/test/upgrade/test-upgrade.bats b/test/upgrade/test-upgrade.bats
index 198d8a169..5efe05d49 100644
--- a/test/upgrade/test-upgrade.bats
+++ b/test/upgrade/test-upgrade.bats
@@ -146,6 +146,12 @@ EOF
# cause connectivity issues since cni and netavark should never be mixed.
mkdir -p /run/netns /run/cni /run/containers /var/lib/cni /etc/cni/net.d
+ # Containers-common around release 1-55 no-longer supplies this file
+ sconf=/etc/containers/storage.conf
+ v_sconf=
+ if [[ -e "$sconf" ]]; then
+ v_sconf="-v $sconf:$sconf"
+ fi
#
# Use new-podman to run the above script under old-podman.
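Review bot: when `/etc/containers/storage.conf` is absent on the host, the old podman inside the container now runs with its own built-in storage defaults instead of the host's configuration, so the upgrade test may exercise a different storage driver or graph root than the new podman on the host; confirm that is acceptable for the comparison this test makes. The version reference "release 1-55" in the comment is also unclear; naming the actual containers-common version would help.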
@@ -165,7 +171,7 @@ EOF
--net=host \
--cgroupns=host \
--pid=host \
- -v /etc/containers/storage.conf:/etc/containers/storage.conf \
+ $v_sconf \
-v /dev/fuse:/dev/fuse \
-v /run/crun:/run/crun \
-v /run/netns:/run/netns:rshared \
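Review bot: `$v_sconf` must stay unquoted here so that it word-splits into `-v` and the path, which shellcheck will flag as SC2086. Either add a `# shellcheck disable=SC2086` comment above this line or make `v_sconf` an array (`v_sconf=(-v "$sconf:$sconf")` and `"${v_sconf[@]}"` here), which handles the empty case without relying on word splitting.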