summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--README.md2
-rw-r--r--RELEASE_NOTES.md27
-rw-r--r--cmd/podman/containers/ps.go12
-rw-r--r--test/e2e/common_test.go7
-rw-r--r--test/e2e/ps_test.go17
-rw-r--r--test/e2e/run_test.go31
-rw-r--r--utils/utils_supported.go21
7 files changed, 103 insertions, 14 deletions
diff --git a/README.md b/README.md
index 4dd34d366..8d9c98e81 100644
--- a/README.md
+++ b/README.md
@@ -5,7 +5,7 @@
Podman (the POD MANager) is a tool for managing containers and images, volumes mounted into those containers, and pods made from groups of containers.
Podman is based on libpod, a library for container lifecycle management that is also contained in this repository. The libpod library provides APIs for managing containers, pods, container images, and volumes.
-* [Latest Version: 2.2.1](https://github.com/containers/podman/releases/latest)
+* [Latest Version: 3.0.0](https://github.com/containers/podman/releases/latest)
* Latest Remote client for Windows
* Latest Remote client for MacOs
* Latest Static Remote client for Linux
diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
index 82ecd741a..17d90aeca 100644
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
@@ -13,7 +13,10 @@
- The `podman container checkpoint` command now supports the `--with-previous` and `--pre-checkpoint` options, and the `podman container restore` command now support the `--import-previous` option. These add support for two-step checkpointing with lowered dump times.
- The `podman push` command can now push manifest lists. Podman will first attempt to push as an image, then fall back to pushing as a manifest list if that fails.
- The `podman generate kube` command can now be run on multiple containers at once, and will generate a single pod containing all of them.
+- The `podman generate kube` and `podman play kube` commands now support Kubernetes DNS configuration, and will preserve custom DNS configuration when exporting or importing YAML ([#9132](https://github.com/containers/podman/issues/9132)).
+- The `podman generate kube` command now properly supports generating YAML for containers and pods creating using host networking (`--net=host`) ([#9077](https://github.com/containers/podman/issues/9077)).
- The `podman kill` command now supports a `--cidfile` option to kill containers given a file containing the container's ID ([#8443](https://github.com/containers/podman/issues/8443)).
+- The `podman pod create` command now supports the `--net=none` option ([#9165](https://github.com/containers/podman/issues/9165)).
- The `podman volume create` command can now specify volume UID and GID as options with the `UID` and `GID` fields passed to the the `--opt` option.
- Initial support has been added for Docker Volume Plugins. Podman can now define available plugins in `containers.conf` and use them to create volumes with `podman volume create --driver`.
- The `podman run` and `podman create` commands now support a new option, `--platform`, to specify the platform of the image to be used when creating the container.
@@ -30,6 +33,10 @@
- The `podman image sign` command can now sign multi-arch images by producing a signature for each image in a given manifest list.
- The `podman image sign` command, when run as rootless, now supports per-user registry configuration files in `$HOME/.config/containers/registries.d`.
- Configuration options for `slirp4netns` can now be set system-wide via the `NetworkCmdOptions` configuration option in `containers.conf`.
+- The MTU of `slirp4netns` can now be configured via the `mtu=` network command option (e.g. `podman run --net slirp4netns:mtu=9000`).
+
+### Security
+- A fix for CVE-2021-20199 is included. Podman between v1.8.0 and v2.2.1 used `127.0.0.1` as the source address for all traffic forwarded into rootless containers by a forwarded port; this has been changed to address the issue.
### Changes
- Shortname aliasing support has now been turned on by default. All Podman commands that must pull an image will, if a TTY is available, prompt the user about what image to pull.
@@ -37,6 +44,7 @@
- The Go bindings for the HTTP API have been rewritten with a focus on limiting dependency footprint and improving extensibility. Read more [here](https://github.com/containers/podman/blob/v3.0/pkg/bindings/README.md).
- The legacy Varlink API has been completely removed from Podman.
- The default log level for Podman has been changed from Error to Warn.
+- The `podman network create` command can now create `macvlan` networks using the `--driver macvlan` option for Docker compatibility. The existing `--macvlan` flag has been deprecated and will be removed in Podman 4.0 some time next year.
- The `podman inspect` command has had the `LogPath` and `LogTag` fields moved into the `LogConfig` structure (from the root of the Inspect structure). The maximum size of the log file is also included.
- The `podman generate systemd` command no longer generates unit files using the deprecated `KillMode=none` option ([#8615](https://github.com/containers/podman/issues/8615)).
- The `podman stop` command now releases the container lock while waiting for it to stop - as such, commands like `podman ps` will no longer block until `podman stop` completes ([#8501](https://github.com/containers/podman/issues/8501)).
@@ -53,6 +61,7 @@
- Fixed a bug where, under some circumstances, container working directories specified by the image (via the `WORKDIR` instruction) but not present in the image, would not be created ([#9040](https://github.com/containers/podman/issues/9040)).
- Fixed a bug where the `podman generate systemd` command would generate invalid unit files if the container was creating using a command line that included doubled braces (`{{` and `}}`), e.g. `--log-opt-tag={{.Name}}` ([#9034](https://github.com/containers/podman/issues/9034)).
- Fixed a bug where the `podman generate systemd --new` command could generate unit files including invalid Podman commands if the container was created using merged short options (e.g. `podman run -dt`) ([#8847](https://github.com/containers/podman/issues/8847)).
+- Fixed a bug where the `podman generate systemd --new` command could generate unit files that did not handle Podman commands including some special characters (e.g. `$`) ([#9176](https://github.com/containers/podman/issues/9176)
- Fixed a bug where rootless containers joining CNI networks could not set a static IP address ([#7842](https://github.com/containers/podman/issues/7842)).
- Fixed a bug where rootless containers joining CNI networks could not set network aliases ([#8567](https://github.com/containers/podman/issues/8567)).
- Fixed a bug where the remote client could, under some circumstances, not include the `Containerfile` when sending build context to the server ([#8374](https://github.com/containers/podman/issues/8374)).
@@ -63,6 +72,8 @@
- Fixed a bug where the `podman play kube` command did not properly print errors that occurred when starting containers.
- Fixed a bug where the `podman play kube` command errored when `hostNetwork` was used ([#8790](https://github.com/containers/podman/issues/8790)).
- Fixed a bug where the `podman play kube` command would always pull images when the `:latest` tag was specified, even if the image was available locally ([#7838](https://github.com/containers/podman/issues/7838)).
+- Fixed a bug where the `podman play kube` command did not properly handle SELinux configuration, rending YAML with custom SELinux configuration unusable ([#8710](https://github.com/containers/podman/issues/8710)).
+- Fixed a bug where the `podman generate kube` command incorrectly populated the `args` and `command` fields of generated YAML ([#9211](https://github.com/containers/podman/issues/9211)).
- Fixed a bug where containers in a pod would create a duplicate entry in the pod's shared `/etc/hosts` file every time the container restarted ([#8921](https://github.com/containers/podman/issues/8921)).
- Fixed a bug where the `podman search --list-tags` command did not support the `--format` option ([#8740](https://github.com/containers/podman/issues/8740)).
- Fixed a bug where the `http_proxy` option in `containers.conf` was not being respected, and instead was set unconditionally to true ([#8843](https://github.com/containers/podman/issues/8843)).
@@ -96,8 +107,19 @@
- Fixed a bug where `--format` did not support JSON output for individual fields ([#8444](https://github.com/containers/podman/issues/8444)).
- Fixed a bug where the `podman stats` command would fail when run on root containers using the `slirp4netns` network mode ([#7883](https://github.com/containers/podman/issues/7883)).
- Fixed a bug where the Podman remote client would ask for a password even if the server's SSH daemon did not support password authentication ([#8498](https://github.com/containers/podman/issues/8498)).
+- Fixed a bug where the `podman stats` command would fail if the system did not support one or more of the cgroup controllers Podman supports ([#8588](https://github.com/containers/podman/issues/8588)).
+- Fixed a bug where the `--mount` option to `podman create` and `podman run` did not ignore the `consistency` mount option.
+- Fixed a bug where failures during the resizing of a container's TTY would print the wrong error.
+- Fixed a bug where the `podman network disconnect` command could cause the `podman inspect` command to fail for a container until it was restarted ([#9234](https://github.com/containers/podman/issues/9234)).
+- Fixed a bug where containers created from a read-only rootfs (using the `--rootfs` option to `podman create` and `podman run`) would fail ([#9230](https://github.com/containers/podman/issues/9230)).
+- Fixed a bug where specifying Go templates to the `--format` option to multiple Podman commands did not support the `join` function ([#8773](https://github.com/containers/podman/issues/8773)).
+- Fixed a bug where the `podman rmi` command could, when run in parallel on multiple images, return `layer not known` errors ([#6510](https://github.com/containers/podman/issues/6510)).
+- Fixed a bug where the `podman inspect` command on containers displayed unlimited ulimits incorrectly ([#9303](https://github.com/containers/podman/issues/9303)).
+- Fixed a bug where Podman would fail to start when a volume was mounted over a directory in a container that contained symlinks that terminated outside the directory and its subdirectories ([#6003](https://github.com/containers/podman/issues/6003)).
### API
+- Libpod API version has been bumped to v3.0.0.
+- All Libpod Pod APIs have been modified to properly report errors with individual containers. Cases where the operation as a whole succeeded but individual containers failed now report an HTTP 409 error ([#8865](https://github.com/containers/podman/issues/8865)).
- The Compat API for Containers now supports the Rename and Copy APIs.
- Fixed a bug where the Compat Prune APIs (for volumes, containers, and images) did not return the amount of space reclaimed in their responses.
- Fixed a bug where the Compat and Libpod Exec APIs for Containers would drop errors that occurred prior to the exec session successfully starting (e.g. a "no such file" error if an invalid executable was passed) ([#8281](https://github.com/containers/podman/issues/8281))
@@ -110,16 +132,19 @@
- Fixed a bug where the Libpod Pull endpoint for Images could fail with an `index out of range` error under certain circumstances ([#8870](https://github.com/containers/podman/issues/8870)).
- Fixed a bug where the Libpod Exists endpoint for Images could panic.
- Fixed a bug where the Compat List API for Containers did not support all filters ([#8860](https://github.com/containers/podman/issues/8860)).
+- Fixed a bug where the Compat List API for Containers did not properly populate the Status field.
- Fixed a bug where the Compat and Libpod Resize APIs for Containers ignored the height and width parameters ([#7102](https://github.com/containers/podman/issues/7102)).
- Fixed a bug where the Compat Search API for Images returned an incorrectly-formatted JSON response ([#8758](https://github.com/containers/podman/pull/8758)).
- Fixed a bug where the Compat Load API for Images did not properly clean up temporary files.
- Fixed a bug where the Compat Create API for Networks could panic when an empty IPAM configuration was specified.
- Fixed a bug where the Compat Inspect and List APIs for Networks did not include Scope.
+- Fixed a bug where the Compat Wait endpoint for Containers did not support the same wait conditions that Docker did.
### Misc
- Updated Buildah to v1.19.2
- Updated the containers/storage library to v1.24.5
-- Updated the containers/common library to v0.33.1
+- Updated the containers/image library to v5.10.2
+- Updated the containers/common library to v0.33.4
## v2.2.1
### Changes
diff --git a/cmd/podman/containers/ps.go b/cmd/podman/containers/ps.go
index 98aea73b3..bfb821159 100644
--- a/cmd/podman/containers/ps.go
+++ b/cmd/podman/containers/ps.go
@@ -142,11 +142,19 @@ func checkFlags(c *cobra.Command) error {
}
func jsonOut(responses []entities.ListContainer) error {
- r := make([]entities.ListContainer, 0)
+ type jsonFormat struct {
+ entities.ListContainer
+ Created int64
+ }
+ r := make([]jsonFormat, 0)
for _, con := range responses {
con.CreatedAt = units.HumanDuration(time.Since(con.Created)) + " ago"
con.Status = psReporter{con}.Status()
- r = append(r, con)
+ jf := jsonFormat{
+ ListContainer: con,
+ Created: con.Created.UnixNano(),
+ }
+ r = append(r, jf)
}
b, err := json.MarshalIndent(r, "", " ")
if err != nil {
diff --git a/test/e2e/common_test.go b/test/e2e/common_test.go
index 53810d882..d033cc646 100644
--- a/test/e2e/common_test.go
+++ b/test/e2e/common_test.go
@@ -619,6 +619,13 @@ func SkipIfNotRootless(reason string) {
}
}
+func SkipIfNotSystemd(manager, reason string) {
+ checkReason(reason)
+ if manager != "systemd" {
+ ginkgo.Skip("[notSystemd]: " + reason)
+ }
+}
+
func SkipIfNotFedora() {
info := GetHostDistributionInfo()
if info.Distribution != "fedora" {
diff --git a/test/e2e/ps_test.go b/test/e2e/ps_test.go
index db3f7a36b..225bd538e 100644
--- a/test/e2e/ps_test.go
+++ b/test/e2e/ps_test.go
@@ -5,6 +5,7 @@ import (
"os"
"regexp"
"sort"
+ "strconv"
"strings"
. "github.com/containers/podman/v2/test/utils"
@@ -210,6 +211,22 @@ var _ = Describe("Podman ps", func() {
Expect(result.IsJSONOutputValid()).To(BeTrue())
})
+ It("podman ps json format Created field is int64", func() {
+ session := podmanTest.RunTopContainer("test1")
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+
+ result := podmanTest.Podman([]string{"ps", "--format", "json"})
+ result.WaitWithDefaultTimeout()
+ Expect(result.ExitCode()).To(Equal(0))
+
+ // Make sure Created field is an int64
+ created, err := result.jq(".[0].Created")
+ Expect(err).To(BeNil())
+ _, err = strconv.ParseInt(created, 10, 64)
+ Expect(err).To(BeNil())
+ })
+
It("podman ps print a human-readable `Status` with json format", func() {
_, ec, _ := podmanTest.RunLsContainer("test1")
Expect(ec).To(Equal(0))
diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
index 934b78202..18db63c15 100644
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@@ -1191,6 +1191,37 @@ USER mail`
Expect(found).To(BeTrue())
})
+ It("podman run with cgroups=split", func() {
+ SkipIfNotSystemd(podmanTest.CgroupManager, "do not test --cgroups=split if not running on systemd")
+ SkipIfRootlessCgroupsV1("Disable cgroups not supported on cgroupv1 for rootless users")
+ SkipIfRemote("--cgroups=split cannot be used in remote mode")
+
+ container := podmanTest.Podman([]string{"run", "--rm", "--cgroups=split", ALPINE, "cat", "/proc/self/cgroup"})
+ container.WaitWithDefaultTimeout()
+ Expect(container.ExitCode()).To(Equal(0))
+ lines := container.OutputToStringArray()
+
+ cgroup := ""
+ for _, line := range lines {
+ parts := strings.SplitN(line, ":", 3)
+ if !CGROUPSV2 {
+ // ignore unified on cgroup v1
+ // both runc and crun do not set it.
+ if parts[1] == "" {
+ continue
+ }
+ }
+ if parts[2] == "/" {
+ continue
+ }
+ if cgroup == "" {
+ cgroup = parts[2]
+ continue
+ }
+ Expect(cgroup).To(Equal(parts[2]))
+ }
+ })
+
It("podman run with cgroups=disabled runs without cgroups", func() {
SkipIfRootless("FIXME: I believe this should work but need to fix this test")
SkipIfRootlessCgroupsV1("Disable cgroups not supported on cgroupv1 for rootless users")
diff --git a/utils/utils_supported.go b/utils/utils_supported.go
index 6f517dc72..73313cf5e 100644
--- a/utils/utils_supported.go
+++ b/utils/utils_supported.go
@@ -81,16 +81,9 @@ func getCgroupProcess(procFile string) (string, error) {
cgroup = line[3:]
break
}
- // root cgroup, skip it
- if parts[2] == "/" {
- continue
- }
- // The process must have the same cgroup path for all controllers
- // The OCI runtime spec file allow us to specify only one path.
- if cgroup != "/" && cgroup != parts[2] {
- return "", errors.Errorf("cgroup configuration not supported, the process is in two different cgroups")
+ if len(parts[2]) > len(cgroup) {
+ cgroup = parts[2]
}
- cgroup = parts[2]
}
if cgroup == "/" {
return "", errors.Errorf("could not find cgroup mount in %q", procFile)
@@ -150,6 +143,11 @@ func moveUnderCgroup(cgroup, subtree string, processes []uint32) error {
// If it is not using unified mode, the cgroup v2 hierarchy is
// usually mounted under /sys/fs/cgroup/unified
cgroupRoot = filepath.Join(cgroupRoot, "unified")
+
+ // Ignore the unified mount if it doesn't exist
+ if _, err := os.Stat(cgroupRoot); err != nil && os.IsNotExist(err) {
+ continue
+ }
} else if parts[1] != "" {
// Assume the controller is mounted at /sys/fs/cgroup/$CONTROLLER.
controller := strings.TrimPrefix(parts[1], "name=")
@@ -161,7 +159,7 @@ func moveUnderCgroup(cgroup, subtree string, processes []uint32) error {
parentCgroup = parts[2]
}
newCgroup := filepath.Join(cgroupRoot, parentCgroup, subtree)
- if err := os.Mkdir(newCgroup, 0755); err != nil && !os.IsExist(err) {
+ if err := os.MkdirAll(newCgroup, 0755); err != nil && !os.IsExist(err) {
return err
}
@@ -183,6 +181,9 @@ func moveUnderCgroup(cgroup, subtree string, processes []uint32) error {
return err
}
for _, pid := range bytes.Split(processesData, []byte("\n")) {
+ if len(pid) == 0 {
+ continue
+ }
if _, err := f.Write(pid); err != nil {
logrus.Warnf("Cannot move process %s to cgroup %q", string(pid), newCgroup)
}