Release date: 2024-05-29
Version: v5.1.0

This Podman release includes several feature enhancements, behavior changes and bug fixes. On the feature side, macOS users on Apple silicon get Rosetta 2 enabled by default to accelerate x86 code emulation in VMs created by podman machine; changes made by podman update are now persistent and the command supports updating the container restart policy via --restart; Quadlet .container files gain a GroupAdd key for adding groups to the container; image mounts support a subpath option for mounting only part of an image. Among the behavior changes, ownership adjustment of empty named volumes now matches Docker, kube play always pulls the image when no pull policy is specified, and pod-level restart policies are passed down to containers. Bug fixes cover podman stats precision, --userns=keep-id mapping errors, podman machine rm -f failing to remove Hyper-V VMs, bind-mount volume permission problems and several other stability improvements. On the API side, a Docker-compatible container update endpoint was added and the build endpoint's temporary-file handling was improved. In addition, the Windows installer gains configuration variables such as MachineProvider, and Buildah was updated to v1.36.0 along with related dependency libraries.

Changelog (original)

Features

  • VMs created by podman machine on macOS with Apple silicon can now use Rosetta 2 (a.k.a. Rosetta) for high-speed emulation of x86 code. This is enabled by default. If you wish to change this option, you can do so in containers.conf.
  • Changes made by the podman update command are now persistent, and will survive container restart and be reflected in podman inspect.
  • The podman update command now includes a new option, --restart, to update the restart policy of existing containers.
  • Quadlet .container files now support a new key, GroupAdd, to add groups to the container.
  • Container annotations are now printed by podman inspect.
  • Image-based mounts using podman run --mount type=image,... now support a new option, subpath, to mount only part of the image into the container.
  • A new field, healthcheck_events, has been added to containers.conf under the [engine] section to allow users to disable the generation of health_status events to avoid spamming logs on systems with many healthchecks.
  • A list of images to automatically mount as volumes can now be specified in Kubernetes YAML via the io.podman.annotations.kube.image.automount/$CTRNAME annotation (where $CTRNAME is the name of the container they will be mounted into).
  • The podman info command now includes the default rootless network command (pasta or slirp4netns).
  • The podman ps command now shows ports from --expose that have not been published with --publish-all to improve Docker compatibility.
  • The podman runlabel command now expands $HOME in the label being run to the user’s home directory.
  • A new alias, podman network list, has been added to the podman network ls command.
  • The name and shell of containers created by podmansh can now be set in containers.conf.
  • The podman-setup.exe Windows installer now provides 3 new CLI variables, MachineProvider (choose the provider for the machine, windows or wsl, the default), HyperVCheckbox (can be set to 1 to install HyperV if it is not already installed or 0, the default, to not install HyperV), and SkipConfigFileCreation (can be set to 1 to disable the creation of configuration files, or 0, the default).

Changes

  • Podman now changes volume ownership every time an empty named volume is mounted into a container, not just the first time, matching Docker’s behavior.
  • When running Kubernetes YAML with podman kube play that does not include an imagePullPolicy and does not set a tag for the image, the image is now always pulled (#21211).
  • When running Kubernetes YAML with podman kube play, pod-level restart policies are now passed down to individual containers within the pod (#20903).
  • The --runroot global option can now accept paths with lengths longer than 50 characters (#22272).
  • Updating containers with the podman update command now emits an event.

Bugfixes

  • Fixed a bug where the --userns=keep-id:uid=0 option to podman create and podman run would generate incorrect UID mappings and cause the container to fail to start (#22078).
  • Fixed a bug where podman stats could report inaccurate percentages for very large or very small values (#22064).
  • Fixed a bug where bind-mount volumes defaulted to rbind instead of bind, meaning recursive mounts were allowed by default (#22107).
  • Fixed a bug where the podman machine rm -f command would fail to remove Hyper-V virtual machines if they were running.
  • Fixed a bug where the podman ps --sync command could sometimes fail to properly update the status of containers.
  • Fixed a bug where bind-mount volumes using the :idmap option would sometimes be inaccessible with rootless Podman (#22228).
  • Fixed a bug where bind-mount volumes using the :U option would have their ownership changed to the owner of the directory in the image being mounted over (#22224).
  • Fixed a bug where removing multiple containers, pods, or images with the --force option did not work when multiple arguments were given to the command and one of them did not exist (#21529).
  • Fixed a bug where Podman did not properly clean up old cached Machine images.
  • Fixed a bug where rapidly-restarting containers with healthchecks could sometimes fail to start their healthchecks after restarting.
  • Fixed a bug where nested Podman could create its pause.pid file in an incorrect directory (#22327).
  • Fixed a bug where Podman would panic if an OCI runtime was configured without associated paths in containers.conf (#22561).
  • Fixed a bug where the podman kube down command would not respect the StopTimeout and StopSignal of containers that it stopped (#22397).
  • Fixed a bug where Systemd-managed containers could be stuck in the Stopping state, unable to be restarted, if systemd killed the unit before podman stop finished stopping the container (#19629).
  • Fixed a bug where the remote Podman client’s podman farm build command would not update manifests on the registry that were already pushed (#22647).
  • Fixed a bug where rootless Podman could fail to re-exec itself when run with a custom argv[0] that is not a valid command path, as might happen when used in podmansh (#22672).
  • Fixed a bug where podman machine connection URIs could be incorrect after an SSH port conflict, rendering machines inaccessible.
  • Fixed a bug where the podman events command would not print an error if incorrect values were passed to its --since and --until options.
  • Fixed a bug where an incorrect host.containers.internal entry could be added when running rootless containers using the bridge network mode (#22653).
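The rbind fix (#22107) matters because a recursive bind mount also exposes every submount below the host path to the container. The following audit helper is an added example, not Podman's own code: it reads the JSON printed by podman inspect and flags bind mounts that are still recursive, so an operator can confirm the new plain-bind default or spot volumes that request rbind explicitly. The sample input is constructed, and the assumption that the relevant fields live in the "Mounts" array as "Type", "Source", "Destination" and "Options" mirrors podman inspect output.

```python
"""Flag recursive (rbind) bind mounts in `podman inspect` JSON output.

Added example (not Podman's own code). Assumes podman inspect reports each
mount under "Mounts" with "Type", "Source", "Destination" and "Options".
"""
import json


def recursive_bind_mounts(inspect_json: str) -> list[dict]:
    """Return one finding per bind mount whose options include 'rbind'."""
    findings = []
    for ctr in json.loads(inspect_json):
        name = ctr.get("Name", "<unknown>")
        for m in ctr.get("Mounts", []):
            if m.get("Type") != "bind":
                continue  # named volumes, tmpfs and image mounts are not host bind mounts
            if "rbind" in set(m.get("Options", [])):
                findings.append({
                    "container": name,
                    "source": m.get("Source"),
                    "destination": m.get("Destination"),
                })
    return findings


# Constructed sample: "legacy" reflects the pre-5.1.0 default (rbind chosen
# implicitly), "fixed" reflects 5.1.0 (plain bind). The named volume in
# "legacy" carries rbind too but is skipped because it is not a bind mount.
SAMPLE_INSPECT = json.dumps([
    {"Name": "legacy", "Mounts": [
        {"Type": "bind", "Source": "/srv/data", "Destination": "/data",
         "Options": ["rbind"]},
        {"Type": "volume", "Name": "cache", "Destination": "/cache",
         "Options": ["nosuid", "nodev", "rbind"]}]},
    {"Name": "fixed", "Mounts": [
        {"Type": "bind", "Source": "/srv/data", "Destination": "/data",
         "Options": ["bind"]}]},
])

if __name__ == "__main__":
    for f in recursive_bind_mounts(SAMPLE_INSPECT):
        print(f"{f['container']}: {f['source']} -> {f['destination']} "
              "is mounted recursively (rbind); submounts are visible inside")
```

On a live host, feed it `podman inspect <container>` output instead of the constructed sample.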

API

  • A new Docker-compatible endpoint, Update, has been added for containers.
  • The Compat Create endpoint for Containers now supports setting container annotations.
  • The Libpod List endpoint for Images now includes additional information in its responses (image architecture, OS, and whether the image is a manifest list) (#22184 and #22185).
  • The Build endpoint for Images no longer saves the build context as a temporary file, substantially improving performance and reducing required filesystem space on the server.
  • The Inspect API for Containers now returns results compatible with Podman v4.x when a request with version v4.0.0 is made. This allows Podman 4.X remote clients to work with a Podman 5.X server (#22657).
  • Fixed a bug where the Build endpoint for Images would not clean up temporary files created by the build if an error occurred.

Misc

  • Podman now detects unhandled system reboots and advises the user on proper mitigations.
  • Improved debugging output for podman machine on Darwin systems when --log-level=debug is used.
  • The Makefile now allows injecting extra build tags via the EXTRA_BUILD_TAGS environment variable.
  • Updated Buildah to v1.36.0
  • Updated the containers/common library to v0.59.0
  • Updated the containers/image library to v5.31.0
  • Updated the containers/storage library to v1.54.0

Download links