Releases: containers/podman

v5.4.0-RC3

05 Feb 19:01
v5.4.0-rc3
Pre-release

This is the final release candidate for Podman v5.4.0. Preliminary release notes follow:

Features

  • A preview of Podman's support for OCI artifacts has been added through the podman artifact suite of commands, including add, inspect, ls, pull, push, and rm. This support is very early and not fully complete, and the command line interface for these tools has not been finalized. We welcome feedback on the new artifact experience through our issue tracker!
  • The podman update command now supports a wide variety of options related to healthchecks (including --health-cmd to define a new healthcheck and --no-healthcheck to disable an existing healthcheck), allowing healthchecks to be added to, removed from, and otherwise updated on existing containers. You can find full details on the 15 added options in the manpage.
  • The --mount type=volume option for the podman run, podman create, and podman volume create commands now supports a new option, subpath=, to make only a subset of the volume visible in the container (#20661).
  • The --userns=keep-id option for the podman run, podman create, and podman pod create commands now supports a new option, --userns=keep-id:size=, to configure the size of the user namespace (#24387).
  • The podman kube play command now supports Container Device Interface (CDI) devices (#17833).
  • The podman machine init command now supports a new option, --playbook, to run an Ansible playbook in the created VM on first boot for initial configuration.
  • Quadlet .pod files now support a new field, ShmSize, to specify the size of the pod's shared SHM (#22915).
  • The podman run, podman create, and podman pod create commands now support a new option, --hosts-file, to define the base file used for /etc/hosts in the container.
  • The podman run, podman create, and podman pod create commands now support a new option, --no-hostname, which disables the creation of /etc/hostname in the container (#25002).
  • The podman network create command now supports a new option for bridge networks, --opt mode=unmanaged, which allows Podman to use an existing network bridge on the system without changes.
  • The --network option to podman run, podman create, and podman pod create now accepts a new option for bridge networks, host_interface_name, which specifies a name for the network interface created outside the container.
  • The podman manifest rm command now supports a new option, --ignore, to not error when removing manifests that do not exist.
  • The podman system prune command now supports a new option, --build, to remove build containers leftover from prematurely terminated builds.
  • The podman events command now generates events for the creation and removal of networks (#24032).

Breaking Changes

  • Due to a lack of availability of hardware to test on, the Podman maintainers are no longer capable of providing full support for Podman on Intel Macs. Binaries and machine images will still be produced, and pull requests related to MacOS on Intel systems will still be merged, but bugs will be fixed on a best effort basis only. We welcome any potential new maintainers who would be able to assist in restoring full support.
  • Quadlet previously incorrectly allowed : as a character to define comments. This was a mistake; developer intent and documentation were that # and ; were to be used as comment characters instead, matching systemd. This has been corrected, and semicolons now define comments instead of colons.

Changes

  • Podman now passes container hostnames to Netavark, which will use them for any DHCP requests for the container.
  • Partial pulls of zstd:chunked images now only happen for images that have a RootFS.DiffID entry in the image's OCI config JSON, and require the layer contents to match. This resolves issues with image ID ambiguity when partial pulls were enabled.
  • Packagers can now set the BUILD_ORIGIN environment variable when building podman from the Makefile. This provides information on who built the Podman binary, and is displayed in podman version and podman info. This will help upstream bug reports, allowing maintainers to trace how and where the binary was built and installed from.

Bugfixes

  • Fixed a bug where podman machine VMs on WSL could fail to start when using usermode networking due to a port conflict (#20327).
  • Fixed a bug where overlay mounts could not be made at paths where the image specifies a volume (#24555).
  • Fixed a bug where the podman build command did not honor the no_pivot_root setting from containers.conf (#24546).
  • Fixed a bug where volumes would have the wrong permissions if podman cp was used to copy into a fresh volume in a container that had never been started.
  • Fixed a bug where using podman cp to copy into a named volume requiring a mount (image volumes, volumes backed by a volume plugin, or other volumes with options) would fail when the container being copied into was stopped.
  • Fixed a bug where rlimits would be set incorrectly when Podman was run as root but without CAP_SYS_RESOURCE (#24692).
  • Fixed a bug where the podman stats --all command would fail if a container started with --cgroups=none was present (#24632).
  • Fixed a bug where the podman info command would only return details on one image store even if additional image stores were configured in storage.conf.
  • Fixed a bug where the podman update command could reset resource limits that were not being modified to default (#24610).
  • Fixed a bug where the remote Podman client's podman update command could not update resource limits on devices mounted into the container (#24734).
  • Fixed a bug where the podman manifest annotate command could panic when the --index option was used (#24750).
  • Fixed a bug where a Quadlet container reusing another container's network could cause errors if the second container was not already running.
  • Fixed a bug where Quadlet files containing lines with a trailing backslash could cause an infinite loop during parsing (#24810).
  • Fixed a bug where Quadlet would, when run as a non-root user, not generate for files in subfolders of /etc/containers/systemd/users/ (#24783).
  • Fixed a bug where values in Quadlet files containing octal escape sequences were incorrectly unescaped.
  • Fixed a bug where podman generate kube could generate persistent volumes with mixed-case names or names containing an underscore, which are not supported by Kubernetes (#16542).
  • Fixed a bug where the ptmxmode option to --mount type=devpts did not function.
  • Fixed a bug where shell completion on Windows would include .exe in the executable name, breaking completion on some shells.
  • Fixed a bug where the output of podman inspect on containers did not include the ID of the network the container was joined to, improving Docker compatibility (#24910).
  • Fixed a bug where containers created with the remote API incorrectly included a create command (#25026).
  • Fixed a bug where it was possible to specify the libkrun backend for VMs on Intel Macs (libkrun only supports Arm systems).
  • Fixed a bug where libkrun and applehv VMs from podman machine could be started at the same time on Macs (#25112).
  • Fixed a bug where podman exec commands could not detach from the exec session using the detach keys (#24895).

API

  • The Compat and Libpod Build APIs for Images now support a new query parameter, nohosts, which (when set to true) does not create /etc/hosts in the image when building.
  • Fixed a bug where the Compat Create API for Containers did not honor CDI devices, preventing (among other things) the use of GPUs with docker compose (#19338).

Misc

  • The Docker alias script has been fixed to better handle variable substitution.
  • Fixed a bug where podman-restart.service functioned incorrectly when no containers were present.
  • Updated Buildah to v1.39.0
  • Updated the containers/common library to v0.62.0
  • Updated the containers/storage library to v1.57.1
  • Updated the containers/image library to v5.34.0

v5.4.0-RC2

30 Jan 13:34
v5.4.0-rc2
Pre-release

This is the second release candidate for Podman v5.4.0. Preliminary release notes follow.

Features

  • A preview of Podman's support for OCI artifacts has been added through the podman artifact suite of commands, including add, inspect, ls, pull, push, and rm. This support is very early and not fully complete, and the command line interface for these tools has not been finalized. We welcome feedback on the new artifact experience through our issue tracker!
  • The podman update command now supports a wide variety of options related to healthchecks (including --health-cmd to define a new healthcheck and --no-healthcheck to disable an existing healthcheck), allowing healthchecks to be added to, removed from, and otherwise updated on existing containers. You can find full details on the 15 added options in the manpage.
  • The --mount type=volume option for the podman run, podman create, and podman volume create commands now supports a new option, subpath=, to make only a subset of the volume visible in the container (#20661).
  • The --userns=keep-id option for the podman run, podman create, and podman pod create commands now supports a new option, --userns=keep-id:size=, to configure the size of the user namespace (#24387).
  • The podman kube play command now supports Container Device Interface (CDI) devices (#17833).
  • Quadlet .pod files now support a new field, ShmSize, to specify the size of the pod's shared SHM (#22915).
  • The podman run, podman create, and podman pod create commands now support a new option, --hosts-file, to define the base file used for /etc/hosts in the container.
  • The podman run, podman create, and podman pod create commands now support a new option, --no-hostname, which disables the creation of /etc/hostname in the container (#25002).
  • The podman network create command now supports a new option for bridge networks, --opt mode=unmanaged, which allows Podman to use an existing network bridge on the system without changes.
  • The --network option to podman run, podman create, and podman pod create now accepts a new option for bridge networks, host_interface_name, which specifies a name for the network interface created outside the container.
  • The podman manifest rm command now supports a new option, --ignore, to not error when removing manifests that do not exist.
  • The podman system prune command now supports a new option, --build, to remove build containers leftover from prematurely terminated builds.
  • The podman events command now generates events for the creation and removal of networks (#24032).

Breaking Changes

  • Due to a lack of availability of hardware to test on, the Podman maintainers are no longer capable of providing full support for Podman on Intel Macs. Binaries and machine images will still be produced, and pull requests related to MacOS on Intel systems will still be merged, but bugs will be fixed on a best effort basis only. We welcome any potential new maintainers who would be able to assist in restoring full support.
  • Quadlet previously incorrectly allowed : as a character to define comments. This was a mistake; developer intent and documentation were that # and ; were to be used as comment characters instead, matching systemd. This has been corrected, and semicolons now define comments instead of colons.
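
The Quadlet comment-character change above (listed in both the RC2 and RC3 notes) can be audited before upgrading. This is an added example, not code from the Podman project: the function names and the sample unit are constructed, and the handling of lines after a trailing backslash assumes systemd-style continuation, so those hits are reported for manual review rather than as certain comments.

```python
import os
import sys

# Quadlet file types named in these release notes (constructed subset; extend as needed).
QUADLET_SUFFIXES = (".container", ".pod", ".image", ".build")
COMMENT_CHARS = ("#", ";")  # the comment characters the notes say are intended

# Constructed sample unit, used when no directory is given on the command line.
SAMPLE = """\
[Container]
# hash comment, valid before and after
; semicolon comment, valid before and after
: colon comment, skipped only before v5.4.0
Image=quay.io/example/app:latest
Exec=/usr/bin/app \\
  --listen \\
  :8080
Environment=MODE=prod
:Environment=DEBUG=1
"""


def find_colon_comments(text):
    """Return (line_no, kind, text) for every line that starts with ':'.

    kind is "line" when the ':' starts a logical line, which older Quadlet
    skipped as a comment. kind is "continuation" when the line follows a
    trailing backslash; that case is an assumption-based hit for manual
    review, since it is probably part of a value.
    """
    findings = []
    in_continuation = False
    for line_no, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        if in_continuation:
            if stripped.startswith(COMMENT_CHARS):
                continue  # systemd ignores comments inside a continued value
            if stripped.startswith(":"):
                findings.append((line_no, "continuation", stripped))
            in_continuation = stripped.endswith("\\")
            continue
        if stripped.startswith(":"):
            findings.append((line_no, "line", stripped))
        elif stripped and not stripped.startswith(COMMENT_CHARS):
            in_continuation = stripped.endswith("\\")
    # A trailing backslash on the last line simply ends the scan.
    return findings


def audit_tree(root):
    """Scan every Quadlet file under root and return {path: findings}."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):  # symlinked dirs are not followed
        for name in sorted(files):
            if name.endswith(QUADLET_SUFFIXES):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as handle:
                    hits = find_colon_comments(handle.read())
                if hits:
                    report[path] = hits
    return report


if __name__ == "__main__":
    roots = sys.argv[1:]
    if not roots:
        for line_no, kind, text in find_colon_comments(SAMPLE):
            print(f"<sample>:{line_no}: [{kind}] {text}")
    for root in roots:
        for path, hits in audit_tree(root).items():
            for line_no, kind, text in hits:
                print(f"{path}:{line_no}: [{kind}] {text}")
```

Run it with the Quadlet unit directories in use on the host as arguments; each "line" hit needs its leading : changed to # or ; to remain a comment after the upgrade.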

Changes

  • Podman now passes container hostnames to Netavark, which will use them for any DHCP requests for the container.
  • Partial pulls of zstd:chunked images now only happen for images that have a RootFS.DiffID entry in the image's OCI config JSON, and require the layer contents to match. This resolves issues with image ID ambiguity when partial pulls were enabled.

Bugfixes

  • Fixed a bug where podman machine VMs on WSL could fail to start when using usermode networking due to a port conflict (#20327).
  • Fixed a bug where overlay mounts could not be made at paths where the image specifies a volume (#24555).
  • Fixed a bug where the podman build command did not honor the no_pivot_root setting from containers.conf (#24546).
  • Fixed a bug where volumes would have the wrong permissions if podman cp was used to copy into a fresh volume in a container that had never been started.
  • Fixed a bug where using podman cp to copy into a named volume requiring a mount (image volumes, volumes backed by a volume plugin, or other volumes with options) would fail when the container being copied into was stopped.
  • Fixed a bug where rlimits would be set incorrectly when Podman was run as root but without CAP_SYS_RESOURCE (#24692).
  • Fixed a bug where the podman stats --all command would fail if a container started with --cgroups=none was present (#24632).
  • Fixed a bug where the podman info command would only return details on one image store even if additional image stores were configured in storage.conf.
  • Fixed a bug where the podman update command could reset resource limits that were not being modified to default (#24610).
  • Fixed a bug where the remote Podman client's podman update command could not update resource limits on devices mounted into the container (#24734).
  • Fixed a bug where the podman manifest annotate command could panic when the --index option was used (#24750).
  • Fixed a bug where a Quadlet container reusing another container's network could cause errors if the second container was not already running.
  • Fixed a bug where Quadlet files containing lines with a trailing backslash could cause an infinite loop during parsing (#24810).
  • Fixed a bug where Quadlet would, when run as a non-root user, not generate for files in subfolders of /etc/containers/systemd/users/ (#24783).
  • Fixed a bug where values in Quadlet files containing octal escape sequences were incorrectly unescaped.
  • Fixed a bug where podman generate kube could generate persistent volumes with mixed-case names or names containing an underscore, which are not supported by Kubernetes (#16542).
  • Fixed a bug where the ptmxmode option to --mount type=devpts did not function.
  • Fixed a bug where shell completion on Windows would include .exe in the executable name, breaking completion on some shells.
  • Fixed a bug where the output of podman inspect on containers did not include the ID of the network the container was joined to, improving Docker compatibility (#24910).
  • Fixed a bug where containers created with the remote API incorrectly included a create command (#25026).
  • Fixed a bug where it was possible to specify the libkrun backend for VMs on Intel Macs (libkrun only supports Arm systems).

API

  • The Compat and Libpod Build APIs for Images now support a new query parameter, nohosts, which (when set to true) does not create /etc/hosts in the image when building.

Misc

  • The Docker alias script has been fixed to better handle variable substitution.
  • Fixed a bug where podman-restart.service functioned incorrectly when no containers were present.

v5.4.0-RC1

23 Jan 16:28
v5.4.0-rc1
1b3528d
Pre-release

This is the first release candidate of Podman v5.4.0. Full release notes will be available with RC2 next week.

v5.3.2

22 Jan 13:37
v5.3.2
85043bb

Security

  • This release contains Buildah v1.38.1 which addresses CVE-2024-11218

Bugfixes

  • Fixed a bug where Quadlet .build files could create an invalid podman command line when Pull= was used (#24599).
  • Fixed a bug where the Mac installer did not install the Podman manpages (#24756).

Misc

  • Updated Buildah to v1.38.1
  • Updated the containers/common library to v0.61.1
  • Updated the containers/storage library to v1.56.1
  • Updated the containers/image library to v5.33.1

v5.3.1

21 Nov 15:39
v5.3.1
  • Fixed a bug where the --ignition-path option to podman machine init would prevent creation of necessary files for the VM, rendering it unusable (#23544).
  • Fixed a bug where rootless containers using the bridge networking mode would be unable to start due to a panic caused by a nil pointer dereference (#24566).
  • Fixed a bug where Podman containers would try to set increased rlimits when started in a user namespace, rendering containers unable to start (#24508).
  • Fixed a bug where certain SSH configurations would make the remote Podman client unable to connect to the server (#24567).
  • Fixed a bug where the Windows installer could install WSLv2 when upgrading an existing Podman installation that used the Hyper-V virtualization backend.

v5.3.0

13 Nov 13:14
v5.3.0

Features

  • The podman kube generate and podman kube play commands can now create and run Kubernetes Job YAML (#17011).
  • The podman kube generate command now includes information on the user namespaces for pods and containers in generated YAML. The podman kube play command uses this information to duplicate the user namespace configuration when creating new pods based on the YAML.
  • The podman kube play command now supports Kubernetes volumes of type image (#23775).
  • The service name of systemd units generated by Quadlet can now be set with the ServiceName key in all supported Quadlet files (#23414).
  • Quadlets can now disable their implicit dependency on network-online.target via a new key, DefaultDependencies, supported by all Quadlet files (#24193).
  • Quadlet .container and .pod files now support a new key, AddHost, to add hosts to the container or pod.
  • The PublishPort key in Quadlet .container and .pod files can now accept variables in its value (#24081).
  • Quadlet .container files now support two new keys, CgroupsMode and StartWithPod, to configure cgroups for the container and whether the container will be started with the pod it is part of (#23664 and #24401).
  • Quadlet .container files can now use the network of another container by specifying the .container file of the container to share with in the Network key.
  • Quadlet .container files can now mount images managed by .image files into the container by using the Mount=type=image key with a .image target.
  • Quadlet .pod files now support six new keys, DNS, DNSOption, DNSSearch, IP, IP6, and UserNS, to configure DNS, static IPs, and user namespace settings for the pod (#23692).
  • Quadlet .image files can now give an image multiple tags by specifying the ImageTag key multiple times (#23781).
  • Quadlets can now be placed in the /run/containers/systemd directory as well as existing directories like $HOME/containers/systemd and /etc/containers/systemd/users.
  • Quadlet now properly handles subdirectories of a unit directory being a symlink (#23755).
  • The podman manifest inspect command now includes the manifest's annotations in its output.
  • The output of the podman inspect command for containers now includes a new field, HostConfig.AutoRemoveImage, which shows whether a container was created with the --rmi option set.
  • The output of the podman inspect command for containers now includes a new field, Config.ExposedPorts, which includes all exposed ports from the container, improving Docker compatibility.
  • The output of the podman inspect command for containers now includes a new field, Config.StartupHealthCheck, which shows the container's startup healthcheck configuration.
  • The output of the podman inspect command for containers now includes a new field in Mounts, SubPath, which contains any subpath set for image or named volumes.
  • The podman machine list command now supports a new option, --all-providers, which lists machines from all supported VM providers, not just the one currently in use.
  • VMs run by podman machine on Windows will now provide API access by exposing a Unix socket on the host filesystem which forwards into the VM (#23408).
  • The podman buildx prune and podman image prune commands now support a new option, --build-cache, which will also clean the build cache.
  • The Windows installer has a new radio button to select virtualization provider (WSLv2 or Hyper-V).
  • The --add-host option to podman create, podman run, and podman pod create now supports specifying multiple hostnames, semicolon-separated (e.g. podman run --add-host test1;test2:192.168.1.1) (#23770).
  • The podman run and podman create commands now support three new options for configuring healthcheck logging: --health-log-destination (specify where logs are stored), --health-max-log-count (specify how many healthchecks worth of logs are stored), and --health-max-log-size (specify the maximum size of the healthcheck log).

Changes

  • Podman now uses the Pasta --map-guest-addr option by default which is used for the host.containers.internal entry in /etc/hosts to allow containers to reach the host by default (#19213).
  • The names of the infra containers of pods created by Quadlet are changed to the pod name suffixed with -infra (#23665).
  • The podman system connection add command now respects HTTP path prefixes specified with tcp:// URLs.
  • Proxy environment variables (e.g. https_proxy) declared in containers.conf no longer escape special characters in their values when used with podman machine VMs (#23277).
  • The podman images --sort=repository command now also sorts by image tag, guaranteeing deterministic output ordering (#23803).
  • When a user has a rootless podman machine VM running and a second rootful podman machine VM initialized, and the rootless VM is removed, the connection to the second, rootful machine now becomes the default as expected (#22577).
  • Environment variable secrets are no longer contained in the output of podman inspect on a container the secret is used in (#23788).
  • Podman no longer exits 0 on SIGTERM by default.
  • Podman no longer explicitly sets rlimits to their default value, as this could lower the actual value available to containers if it had been set higher previously.
  • Quadlet user units now correctly wait for the network to be ready to use via a new service, podman-user-wait-network-online.service, instead of the user session's nonfunctional network-online.target.
  • Exposed ports in the output of podman ps are now correctly grouped and deduplicated when they are also published (#23317).
  • Quadlet build units no longer use RemainAfterExit=yes by default.

Bugfixes

  • Fixed a bug where the --build-context option to podman build did not function properly on Windows, breaking compatibility with Visual Studio Dev Containers (#17313).
  • Fixed a bug where Quadlet would generate bad arguments to Podman if the SecurityLabelDisable or SecurityLabelNested keys were used (#23432).
  • Fixed a bug where the PODMAN_COMPOSE_WARNING_LOGS environment variable did not suppress warnings printed by podman compose that it was redirecting to an external provider.
  • Fixed a bug where, if the podman container cleanup command was run on a container in the process of being removed, an error could be printed.
  • Fixed a bug where rootless Quadlet units placed in /etc/containers/systemd/users/ would be loaded for root as well when /etc/containers/systemd was a symlink (#23483).
  • Fixed a bug where the remote Podman client's podman stop command would, if called with --cidfile pointing to a non-existent file and the --ignore option set, stop all containers (#23554).
  • Fixed a bug where the podman wait command would only exit after 20 seconds when run on a container which rapidly exits and is then restarted by the on-failure restart policy.
  • Fixed a bug where podman volume rm and podman run -v could deadlock when run simultaneously on the same volume (#23613).
  • Fixed a bug where running podman mount on a container in the process of being created could cause a nonsensical error indicating the container already existed (#23637).
  • Fixed a bug where the podman stop command could deadlock when run on containers with very large annotations (#22246).
  • Fixed a bug where the podman machine stop command could segfault on Mac when a VM failed to stop gracefully (#23654).
  • Fixed a bug where the podman stop command would not ensure containers created with --rm were removed when it exited (#22852).
  • Fixed a bug where the --rmi option to podman run did not function correctly with detached containers.
  • Fixed a bug where running podman inspect on a container on FreeBSD would emit an incorrect value for the HostConfig.Device field, breaking compatibility with the Ansible Podman module.
  • Fixed a bug where rootless Podman could fail to start containers using the --cgroup-parent option (#23780).
  • Fixed a bug where the podman build -v command did not properly handle Windows paths passed as the host directory.
  • Fixed a bug where Podman could leak network namespace files if it was interrupted while creating a network namespace (#24044).
  • ...

v5.3.0-RC3

06 Nov 19:15
v5.3.0-rc3
8469dcc
Pre-release

Features

  • The podman kube generate and podman kube play commands can now create and run Kubernetes Job YAML (#17011).
  • The podman kube generate command now includes information on the user namespaces for pods and containers in generated YAML. The podman kube play command uses this information to duplicate the user namespace configuration when creating new pods based on the YAML.
  • The podman kube play command now supports Kubernetes volumes of type image (#23775).
  • The service name of systemd units generated by Quadlet can now be set with the ServiceName key in all supported Quadlet files (#23414).
  • Quadlets can now disable their implicit dependency on network-online.target via a new key, DefaultDependencies, supported by all Quadlet files (#24193).
  • Quadlet .container and .pod files now support a new key, AddHost, to add hosts to the container or pod.
  • The PublishPort key in Quadlet .container and .pod files can now accept variables in its value (#24081).
  • Quadlet .container files now support two new keys, CgroupsMode and StartWithPod, to configure cgroups for the container and whether the container will be started with the pod it is part of (#23664 and #24401).
  • Quadlet .container files can now use the network of another container by specifying the .container file of the container to share with in the Network key.
  • Quadlet .container files can now mount images managed by .image files into the container by using the Mount=type=image key with a .image target.
  • Quadlet .pod files now support six new keys, DNS, DNSOption, DNSSearch, IP, IP6, and UserNS, to configure DNS, static IPs, and user namespace settings for the pod (#23692).
  • Quadlet .image files can now give an image multiple tags by specifying the ImageTag key multiple times (#23781).
  • Quadlets can now be placed in the /run/containers/systemd directory as well as existing directories like $HOME/containers/systemd and /etc/containers/systemd/users.
  • Quadlet now properly handles subdirectories of a unit directory being a symlink (#23755).
  • The podman manifest inspect command now includes the manifest's annotations in its output.
  • The output of the podman inspect command for containers now includes a new field, HostConfig.AutoRemoveImage, which shows whether a container was created with the --rmi option set.
  • The output of the podman inspect command for containers now includes a new field, Config.ExposedPorts, which includes all exposed ports from the container, improving Docker compatibility.
  • The output of the podman inspect command for containers now includes a new field, Config.StartupHealthCheck, which shows the container's startup healthcheck configuration.
  • The podman machine list command now supports a new option, --all-providers, which lists machines from all supported VM providers, not just the one currently in use.
  • VMs run by podman machine on Windows will now provide API access by exposing a Unix socket on the host filesystem which forwards into the VM (#23408).
  • The podman buildx prune and podman image prune commands now support a new option, --build-cache, which will also clean the build cache.
  • The Windows installer has a new radio button to select virtualization provider (WSLv2 or Hyper-V).
  • The --add-host option to podman create, podman run, and podman pod create now supports specifying multiple hostnames, semicolon-separated (e.g. podman run --add-host test1;test2:192.168.1.1) (#23770).
  • The podman run and podman create commands now support three new options for configuring healthcheck logging: --health-log-destination (specify where logs are stored), --health-max-log-count (specify how many healthchecks worth of logs are stored), and --health-max-log-size (specify the maximum size of the healthcheck log).

Changes

  • Podman now uses the Pasta --map-guest-addr option by default which is used for the host.containers.internal entry in /etc/hosts to allow containers to reach the host by default (#19213).
  • The names of the infra containers of pods created by Quadlet are changed to the pod name suffixed with -infra (#23665).
  • The podman system connection add command now respects HTTP path prefixes specified with tcp:// URLs.
  • Proxy environment variables (e.g. https_proxy) declared in containers.conf no longer escape special characters in their values when used with podman machine VMs (#23277).
  • The podman images --sort=repository command now also sorts by image tag, guaranteeing deterministic output ordering (#23803).
  • When a user has a rootless podman machine VM running and a second rootful podman machine VM initialized, and the rootless VM is removed, the connection to the second, rootful machine now becomes the default as expected (#22577).
  • Environment variable secrets are no longer contained in the output of podman inspect on a container the secret is used in (#23788).
  • Podman no longer exits 0 on SIGTERM by default.
  • Podman no longer explicitly sets rlimits to their default value, as this could lower the actual value available to containers if it had been set higher previously.
  • Quadlet user units now correctly wait for the network to be ready to use via a new service, podman-user-wait-network-online.service, instead of the user session's nonfunctional network-online.target.
  • Exposed ports in the output of podman ps are now correctly grouped and deduplicated when they are also published (#23317).
  • Quadlet build units no longer use RemainAfterExit=yes by default.

Bugfixes

  • Fixed a bug where the --build-context option to podman build did not function properly on Windows, breaking compatibility with Visual Studio Dev Containers (#17313).
  • Fixed a bug where Quadlet would generate bad arguments to Podman if the SecurityLabelDisable or SecurityLabelNested keys were used (#23432).
  • Fixed a bug where the PODMAN_COMPOSE_WARNING_LOGS environment variable did not suppress warnings printed by podman compose that it was redirecting to an external provider.
  • Fixed a bug where, if the podman container cleanup command was run on a container in the process of being removed, an error could be printed.
  • Fixed a bug where rootless Quadlet units placed in /etc/containers/systemd/users/ would be loaded for root as well when /etc/containers/systemd was a symlink (#23483).
  • Fixed a bug where the remote Podman client's podman stop command would, if called with --cidfile pointing to a non-existent file and the --ignore option set, stop all containers (#23554).
  • Fixed a bug where podman wait would exit only after 20 seconds when run on a container which rapidly exits and is then restarted by the on-failure restart policy.
  • Fixed a bug where podman volume rm and podman run -v could deadlock when run simultaneously on the same volume (#23613).
  • Fixed a bug where running podman mount on a container in the process of being created could cause a nonsensical error indicating the container already existed (#23637).
  • Fixed a bug where the podman stop command could deadlock when run on containers with very large annotations (#22246).
  • Fixed a bug where the podman machine stop command could segfault on Mac when a VM failed to stop gracefully (#23654).
  • Fixed a bug where the podman stop command would not ensure containers created with --rm were removed when it exited (#22852).
  • Fixed a bug where the --rmi option to podman run did not function correctly with detached containers.
  • Fixed a bug where running podman inspect on a container on FreeBSD would emit an incorrect value for the HostConfig.Device field, breaking compatibility with the Ansible Podman module.
  • Fixed a bug where rootless Podman could fail to start containers using the --cgroup-parent option (#23780).
  • Fixed a bug where the podman build -v command did not properly handle Windows paths passed as the host directory.
  • Fixed a bug where Podman could leak network namespace files if it was interrupted while creating a network namespace (#24044).
  • Fixed a bug where the remote Podman client's podman run command could sometimes fail to retrieve a container's exit code for containers run with the --rm...

v5.3.0-RC2

31 Oct 13:52
v5.3.0-rc2
v5.3.0-RC2 Pre-release

This is the second release candidate for Podman v5.3.0. Preliminary release notes are below.

Features

  • The podman kube generate and podman kube play commands can now create and run Kubernetes Job YAML (#17011).
  • The podman kube generate command now includes information on the user namespaces for pods and containers in generated YAML. The podman kube play command uses this information to duplicate the user namespace configuration when creating new pods based on the YAML.
  • The podman kube play command now supports Kubernetes volumes of type image (#23775).
  • The service name of systemd units generated by Quadlet can now be set with the ServiceName key in all supported Quadlet files (#23414).
  • Quadlets can now disable their implicit dependency on network-online.target via a new key, DefaultDependencies, supported by all Quadlet files (#24193).
  • Quadlet .container and .pod files now support a new key, AddHost, to add hosts to the container or pod.
  • The PublishPort key in Quadlet .container and .pod files can now accept variables in its value (#24081).
  • Quadlet .container files now support a new key, CgroupsMode, to configure cgroups for the container (#23664).
  • Quadlet .container files can now use the network of another container by specifying the .container file of the container to share with in the Network key.
  • Quadlet .pod files now support six new keys, DNS, DNSOption, DNSSearch, IP, IP6, and UserNS, to configure DNS, static IPs, and user namespace settings for the pod (#23692).
  • Quadlet .image files can now give an image multiple tags by specifying the ImageTag key multiple times (#23781).
  • Quadlets can now be placed in the /run/containers/systemd directory as well as existing directories like $HOME/containers/systemd and /etc/containers/systemd/users.
  • Quadlet now properly handles subdirectories of a unit directory being a symlink (#23755).
  • The podman manifest inspect command now includes the manifest's annotations in its output.
  • The output of the podman inspect command for containers now includes a new field, HostConfig.AutoRemoveImage, which shows whether a container was created with the --rmi option set.
  • The output of the podman inspect command for containers now includes a new field, Config.ExposedPorts, which includes all exposed ports from the container, improving Docker compatibility.
  • The output of the podman inspect command for containers now includes a new field, Config.StartupHealthCheck, which shows the container's startup healthcheck configuration.
  • The podman machine list command now supports a new option, --all-providers, which lists machines from all supported VM providers, not just the one currently in use.
  • VMs run by podman machine on Windows will now provide API access by exposing a Unix socket on the host filesystem which forwards into the VM (#23408).
  • The podman buildx prune and podman image prune commands now support a new option, --build-cache, which will also clean the build cache.
  • The Windows installer has a new radio button to select virtualization provider (WSLv2 or Hyper-V).
  • The --add-host option to podman create, podman run, and podman pod create now supports specifying multiple hostnames, semicolon-separated (e.g. podman run --add-host test1;test2:192.168.1.1) (#23770).
  • The podman run and podman create commands now support three new options for configuring healthcheck logging: --health-log-destination (specify where logs are stored), --health-max-log-count (specify how many healthchecks' worth of logs are stored), and --health-max-log-size (specify the maximum size of the healthcheck log).

Changes

  • Podman now uses the Pasta --map-guest-addr option by default; it is used for the host.containers.internal entry in /etc/hosts, allowing containers to reach the host by default (#19213).
  • The names of the infra containers of pods created by Quadlet are changed to the pod name suffixed with -infra (#23665).
  • The podman system connection add command now respects HTTP path prefixes specified with tcp:// URLs.
  • Proxy environment variables (e.g. https_proxy) declared in containers.conf no longer escape special characters in their values when used with podman machine VMs (#23277).
  • The podman images --sort=repository command now also sorts by image tag, guaranteeing deterministic output ordering (#23803).
  • When a user has a rootless podman machine VM running and a second, rootful podman machine VM initialized, and the rootless VM is removed, the connection to the second, rootful machine now becomes the default as expected (#22577).
  • Environment variable secrets are no longer contained in the output of podman inspect on a container the secret is used in (#23788).
  • Podman no longer exits 0 on SIGTERM by default.
  • Podman no longer explicitly sets rlimits to their default value, as this could lower the actual value available to containers if it had been set higher previously.
  • Quadlet user units now correctly wait for the network to be ready to use via a new service, podman-user-wait-network-online.service, instead of the user session's nonfunctional network-online.target.
  • Exposed ports in the output of podman ps are now correctly grouped and deduplicated when they are also published (#23317).

Bugfixes

  • Fixed a bug where the --build-context option to podman build did not function properly on Windows, breaking compatibility with Visual Studio Dev Containers (#17313).
  • Fixed a bug where Quadlet would generate bad arguments to Podman if the SecurityLabelDisable or SecurityLabelNested keys were used (#23432).
  • Fixed a bug where the PODMAN_COMPOSE_WARNING_LOGS environment variable did not suppress warnings printed by podman compose that it was redirecting to an external provider.
  • Fixed a bug where, if the podman container cleanup command was run on a container in the process of being removed, an error could be printed.
  • Fixed a bug where rootless Quadlet units placed in /etc/containers/systemd/users/ would be loaded for root as well when /etc/containers/systemd was a symlink (#23483).
  • Fixed a bug where the remote Podman client's podman stop command would, if called with --cidfile pointing to a non-existent file and the --ignore option set, stop all containers (#23554).
  • Fixed a bug where podman wait would exit only after 20 seconds when run on a container which rapidly exits and is then restarted by the on-failure restart policy.
  • Fixed a bug where podman volume rm and podman run -v could deadlock when run simultaneously on the same volume (#23613).
  • Fixed a bug where running podman mount on a container in the process of being created could cause a nonsensical error indicating the container already existed (#23637).
  • Fixed a bug where the podman stop command could deadlock when run on containers with very large annotations (#22246).
  • Fixed a bug where the podman machine stop command could segfault on Mac when a VM failed to stop gracefully (#23654).
  • Fixed a bug where the podman stop command would not ensure containers created with --rm were removed when it exited (#22852).
  • Fixed a bug where the --rmi option to podman run did not function correctly with detached containers.
  • Fixed a bug where running podman inspect on a container on FreeBSD would emit an incorrect value for the HostConfig.Device field, breaking compatibility with the Ansible Podman module.
  • Fixed a bug where rootless Podman could fail to start containers using the --cgroup-parent option (#23780).
  • Fixed a bug where the podman build -v command did not properly handle Windows paths passed as the host directory.
  • Fixed a bug where Podman could leak network namespace files if it was interrupted while creating a network namespace (#24044).
  • Fixed a bug where the remote Podman client's podman run command could sometimes fail to retrieve a container's exit code for containers run with the --rm option.
  • Fixed a bug where podman machine on Windows could fail to run VMs for certain usernames containing special characters.
  • Fixed a bug where Quadlet would reject RemapUsers=keep-id when run as root.
  • Fixed a bug where XFS quotas on volumes were not unique, meaning that all volumes...

v5.3.0-RC1

22 Oct 15:57
v5.3.0-rc1
d306e80
v5.3.0-RC1 Pre-release

This is the first release candidate of Podman v5.3.0. Release notes will be provided next week in Podman v5.3.0-rc2.

v5.2.5

23 Oct 17:48
v5.2.5

Security

  • This release addresses CVE-2024-9675, which allows arbitrary access to the host filesystem from RUN --mount type=cache arguments to a Dockerfile being built.
  • This release also addresses CVE-2024-9676, which allows malicious images with a symlink /etc/passwd or /etc/group to potentially cause a denial of service through reading a FIFO on the host.
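To review which builds use the cache mounts that CVE-2024-9675 concerns, on hosts that do not yet run a release with the fix, the following added example lists every RUN --mount type=cache instruction in a Containerfile. It is not part of the Podman release notes or Podman's code; the sample Containerfile, its registry name, and the function names are constructed for illustration.

```python
# Constructed sample Containerfile (not taken from the Podman project).
SAMPLE = """\
FROM registry.example/base:latest
# comment line
RUN --mount=type=cache,target=/var/cache/dnf \\
    dnf -y install gcc
RUN --mount=type=bind,source=.,target=/src make -C /src
RUN --mount=type=cache,id=pip,target=/root/.cache/pip --network=none \\
    pip install -r requirements.txt
RUN echo "--mount=type=cache is only text here"
"""


def logical_lines(text):
    """Yield (first_line_no, instruction), joining backslash continuations."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank and comment lines never belong to an instruction
        if start is None:
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # file ended in the middle of a continuation
        yield start, " ".join(buf)


def cache_mounts(text):
    """Return [(line_no, {option: value})] for each RUN --mount type=cache."""
    found = []
    for no, instr in logical_lines(text):
        words = instr.split()
        if not words or words[0].upper() != "RUN":
            continue
        # Flags precede the command; stop at the first word that is not a flag.
        for word in words[1:]:
            if not word.startswith("--"):
                break
            if word.startswith("--mount="):
                pairs = word[len("--mount="):].split(",")
                opts = dict(kv.partition("=")[::2] for kv in pairs)
                if opts.get("type") == "cache":
                    found.append((no, opts))
    return found
```

Each result gives the line where the instruction starts and the mount options as written, so a reviewer can inspect them before building a Containerfile from an untrusted source.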

Misc

  • Updated Buildah to v1.37.5
  • Updated the containers/storage library to v1.55.1