Release date: 2024-11-13
Version: v5.3.0

This Podman release brings a number of new features and improvements: support for generating and running Kubernetes Job YAML, richer user namespace handling, and image-type volumes. Quadlet gains custom service names, a way to disable the network dependency, host entries, variables in port values, shared container networks and image mounts, and now handles symlinked subdirectories correctly. Container inspect output gains fields for automatic image removal, exposed ports and startup healthchecks, improving Docker compatibility. The Windows installer lets you choose the virtualization provider, and several commands gain new options. Changes include containers reaching the host address by default, revised Quadlet unit naming and network-wait handling, and fixes for build contexts, security labels and resource cleanup, among others. On the API side, a race condition and an output-format problem are fixed, and dependencies are updated to Buildah v1.38.0 and other new versions. Known issues concern the Windows installer logic, SSH connection configuration and memory compatibility; v5.3.1 is expected to fix them.

Release notes

Features

  • The podman kube generate and podman kube play commands can now create and run Kubernetes Job YAML (#17011).
  • The podman kube generate command now includes information on the user namespaces for pods and containers in generated YAML. The podman kube play command uses this information to duplicate the user namespace configuration when creating new pods based on the YAML.
  • The podman kube play command now supports Kubernetes volumes of type image (#23775).
  • The service name of systemd units generated by Quadlet can now be set with the ServiceName key in all supported Quadlet files (#23414).
  • Quadlets can now disable their implicit dependency on network-online.target via a new key, DefaultDependencies, supported by all Quadlet files (#24193).
  • Quadlet .container and .pod files now support a new key, AddHost, to add hosts to the container or pod.
  • The PublishPort key in Quadlet .container and .pod files can now accept variables in its value (#24081).
  • Quadlet .container files now support two new keys, CgroupsMode and StartWithPod, to configure cgroups for the container and whether the container will be started with the pod it is part of (#23664 and #24401).
  • Quadlet .container files can now use the network of another container by specifying the .container file of the container to share with in the Network key.
  • Quadlet .container files can now mount images managed by .image files into the container by using the Mount=type=image key with a .image target.
  • Quadlet .pod files now support six new keys, DNS, DNSOption, DNSSearch, IP, IP6, and UserNS, to configure DNS, static IPs, and user namespace settings for the pod (#23692).
  • Quadlet .image files can now give an image multiple tags by specifying the ImageTag key multiple times (#23781).
  • Quadlets can now be placed in the /run/containers/systemd directory as well as existing directories like $HOME/containers/systemd and /etc/containers/systemd/users.
  • Quadlet now properly handles subdirectories of a unit directory being a symlink (#23755).
  • The podman manifest inspect command now includes the manifest’s annotations in its output.
  • The output of the podman inspect command for containers now includes a new field, HostConfig.AutoRemoveImage, which shows whether a container was created with the --rmi option set.
  • The output of the podman inspect command for containers now includes a new field, Config.ExposedPorts, which includes all exposed ports from the container, improving Docker compatibility.
  • The output of the podman inspect command for containers now includes a new field, Config.StartupHealthCheck, which shows the container’s startup healthcheck configuration.
  • The output of the podman inspect command for containers now includes a new field in Mounts, SubPath, which contains any subpath set for image or named volumes.
  • The podman machine list command now supports a new option, --all-providers, which lists machines from all supported VM providers, not just the one currently in use.
  • VMs run by podman machine on Windows will now provide API access by exposing a Unix socket on the host filesystem which forwards into the VM (#23408).
  • The podman buildx prune and podman image prune commands now support a new option, --build-cache, which will also clean the build cache.
  • The Windows installer has a new radio button to select virtualization provider (WSLv2 or Hyper-V).
  • The --add-host option to podman create, podman run, and podman pod create now supports specifying multiple hostnames, semicolon-separated (e.g. podman run --add-host test1;test2:192.168.1.1) (#23770).
  • The podman run and podman create commands now support three new options for configuring healthcheck logging: --health-log-destination (specify where logs are stored), --health-max-log-count (specify how many healthchecks worth of logs are stored), and --health-max-log-size (specify the maximum size of the healthcheck log).
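To show how the new Quadlet keys above fit together, here is an added example of three Quadlet files (constructed for this page, not taken from the Podman project or its documentation). The file names, image references, network name, IP addresses, host entries, the HOST_PORT variable and the healthcheck paths are all assumptions; the keys themselves are the ones named in the list above.

```ini
# Added example, not from the Podman release notes. All names, images,
# addresses and paths below are assumed values for illustration.

# --- /etc/containers/systemd/app.image ---------------------------------
[Unit]
Description=Pull the application image and give it several tags

[Image]
# assumed image reference
Image=registry.example.com/app:1.0
# ImageTag may be repeated to attach more than one tag (#23781)
ImageTag=localhost/app:latest
ImageTag=localhost/app:stable

[Install]
WantedBy=multi-user.target default.target

# --- /etc/containers/systemd/app.pod -----------------------------------
[Unit]
Description=Application pod with explicit DNS, static IPs and a user namespace

[Pod]
PodName=app
# Keys new for .pod files in this release (#23692)
DNS=10.89.0.1
DNSOption=ndots:1
DNSSearch=app.example.internal
IP=10.89.0.10
IP6=fd00:89::10
UserNS=keep-id
# Static IPs need a user-defined network; app.network is an assumed
# Quadlet .network file that is not shown here
Network=app.network
# AddHost is new for .pod and .container files (hostname:ip)
AddHost=db.example.internal:10.89.0.20
# Variables are now accepted in PublishPort values (#24081); HOST_PORT
# is assumed to be expanded from the [Service] environment at start time
PublishPort=${HOST_PORT}:8080

[Service]
Environment=HOST_PORT=8080

[Install]
WantedBy=multi-user.target default.target

# --- /etc/containers/systemd/web.container -----------------------------
[Unit]
Description=Web container inside the pod, mounting the managed image

[Container]
# Image= may point at the .image file above instead of a raw reference
Image=app.image
ContainerName=web
Pod=app.pod
# Do not start automatically with the pod (#24401); it is started on demand
StartWithPod=false
# cgroup configuration for the container (#23664)
CgroupsMode=split
# Mount the image managed by app.image as a read-only image volume
Mount=type=image,source=app.image,destination=/opt/app,rw=false
# Healthcheck logging options added in this release, passed through as
# podman run arguments; the log directory is an assumed path
PodmanArgs=--health-log-destination=/var/log/podman/web --health-max-log-count=10 --health-max-log-size=65536

[Install]
WantedBy=multi-user.target default.target

# --- /etc/containers/systemd/sidecar.container -------------------------
[Unit]
Description=Sidecar that shares the web container's network namespace

[Container]
Image=registry.example.com/sidecar:1.0
ContainerName=sidecar
# Reuse the network of another container by naming its .container file
Network=web.container
# Override the generated unit name (#23414): sidecar-proxy.service
# instead of the default sidecar.service
ServiceName=sidecar-proxy
# Drop the implicit dependency on network-online.target (#24193); this
# unit only needs the web container's namespace, which it orders on below
DefaultDependencies=false

[Unit]
After=web.service
Requires=web.service

[Install]
WantedBy=multi-user.target default.target
```

One file per unit is still required; the block concatenates them only to keep the example in one place. The ordering directives for the sidecar are spelled out explicitly because DefaultDependencies=false removes the network-online dependency that Quadlet would otherwise add, so any ordering the unit still needs has to be declared by hand. UserNS=keep-id on the pod together with rw=false on the image mount keeps the container's view of the application files read-only and mapped to the invoking user rather than root.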

Changes

  • Podman now uses the Pasta --map-guest-addr option by default which is used for the host.containers.internal entry in /etc/hosts to allow containers to reach the host by default (#19213).
  • The names of the infra containers of pods created by Quadlet are changed to the pod name suffixed with -infra (#23665).
  • The podman system connection add command now respects HTTP path prefixes specified with tcp:// URLs.
  • Proxy environment variables (e.g. https_proxy) declared in containers.conf no longer escape special characters in their values when used with podman machine VMs (#23277).
  • The podman images --sort=repository command now also sorts by image tag as well, guaranteeing deterministic output ordering (#23803).
  • When a user has a rootless podman machine VM running and a second rootful podman machine VM initialized, and the rootless VM is removed, the connection to the second, rootful machine now becomes the default as expected (#22577).
  • Environment variable secrets are no longer contained in the output of podman inspect on a container the secret is used in (#23788).
  • Podman no longer exits 0 on SIGTERM by default.
  • Podman no longer explicitly sets rlimits to their default value, as this could lower the actual value available to containers if it had been set higher previously.
  • Quadlet user units now correctly wait for the network to be ready to use via a new service, podman-user-wait-network-online.service, instead of the user session’s nonfunctional network-online.target.
  • Exposed ports in the output of podman ps are now correctly grouped and deduplicated when they are also published (#23317).
  • Quadlet build units no longer use RemainAfterExit=yes by default.

Bugfixes

  • Fixed a bug where the --build-context option to podman build did not function properly on Windows, breaking compatibility with Visual Studio Dev Containers (#17313).
  • Fixed a bug where Quadlet would generate bad arguments to Podman if the SecurityLabelDisable or SecurityLabelNested keys were used (#23432).
  • Fixed a bug where the PODMAN_COMPOSE_WARNING_LOGS environment variable did not suppress warnings printed by podman compose that it was redirecting to an external provider.
  • Fixed a bug where, if the podman container cleanup command was run on a container in the process of being removed, an error could be printed.
  • Fixed a bug where rootless Quadlet units placed in /etc/containers/systemd/users/ would be loaded for root as well when /etc/containers/systemd was a symlink (#23483).
  • Fixed a bug where the remote Podman client’s podman stop command would, if called with --cidfile pointing to a non-existent file and the --ignore option set, stop all containers (#23554).
  • Fixed a bug where podman wait would only exit after 20 seconds when run on a container which rapidly exits and is then restarted by the on-failure restart policy.
  • Fixed a bug where podman volume rm and podman run -v could deadlock when run simultaneously on the same volume (#23613).
  • Fixed a bug where running podman mount on a container in the process of being created could cause a nonsensical error indicating the container already existed (#23637).
  • Fixed a bug where the podman stop command could deadlock when run on containers with very large annotations (#22246).
  • Fixed a bug where the podman machine stop command could segfault on Mac when a VM failed to stop gracefully (#23654).
  • Fixed a bug where the podman stop command would not ensure containers created with --rm were removed when it exited (#22852).
  • Fixed a bug where the --rmi option to podman run did not function correctly with detached containers.
  • Fixed a bug where running podman inspect on a container on FreeBSD would emit an incorrect value for the HostConfig.Device field, breaking compatibility with the Ansible Podman module.
  • Fixed a bug where rootless Podman could fail to start containers using the --cgroup-parent option (#23780).
  • Fixed a bug where the podman build -v command did not properly handle Windows paths passed as the host directory.
  • Fixed a bug where Podman could leak network namespace files if it was interrupted while creating a network namespace (#24044).
  • Fixed a bug where the remote Podman client’s podman run command could sometimes fail to retrieve a container’s exit code for containers run with the --rm option.
  • Fixed a bug where podman machine on Windows could fail to run VMs for certain usernames containing special characters.
  • Fixed a bug where Quadlet would reject RemapUsers=keep-id when run as root.
  • Fixed a bug where XFS quotas on volumes were not unique, meaning that all volumes using a quota shared the same maximum size and inodes (set by the most recent volume with a quota to be created).
  • Fixed a bug where the Service section of Quadlet files would only use defaults and not respect user input (#24322).
  • Fixed a bug where podman volume ls would sometimes fail when a volume was removed at the same time it was run.
  • Fixed a bug where the --tz=local option could not be used when the TZDIR environment variable was set.

API

  • The Play API for Kubernetes YAML now supports application/x-tar compressed context directories (#24015).
  • Fixed a bug in the Attach API for Containers (for both Compat and Libpod endpoints) which could cause inconsistent failures due to a race condition (#23757).
  • Fixed a bug where the output for the Compat Top API for Containers did not properly split the output into an array (#23981).
  • Fixed a bug where the Info API could fail when running podman system service via a socket-activated systemd service (#24152).
  • The Events and Logs endpoints for Containers now send status codes immediately, rather than waiting until the first event or log line is sent (#23712).

Misc

  • Podman now requires Golang 1.22 or higher to build.
  • The output of podman machine start has been improved when trying to start a machine when another is already running (#23436).
  • Quadlet will no longer log spurious ENOENT errors when resolving unit directories (#23620).
  • The Docker alias shell script will now also honor the presence of $XDG_CONFIG_HOME/containers/nodocker when considering whether it should print its warning message that Podman is in use.
  • The podman-auto-update systemd unit files have been moved into the contrib/systemd/system directory in the repo for consistency with our other unit files.
  • Updated Buildah to v1.38.0
  • Updated the containers/common library to v0.61.0
  • Updated the containers/storage library to v1.56.0
  • Updated the containers/image library to v5.33.0

Known Issues

  • The Podman installer for Windows will install WSLv2 even when Podman is configured to use the Hyper-V backend.
  • Certain SSH configurations may make it impossible to connect to a podman machine VM. A workaround is available in this issue.
  • The libkrun VM provider for Mac is presently unusable on systems with 64 GB or more of RAM.

We expect a Podman v5.3.1 release early next week with fixes for these issues.

Download links