发布日期: 2024-11-06
版本号: v5.3.0-rc3

Podman最新版本带来多项功能更新与改进:新增对Kubernetes Job YAML的支持,强化kube generate与kube play命令在用户命名空间和镜像卷的配置能力。Quadlet功能扩展包括自定义服务名、禁用默认网络依赖、新增DNS/IP配置项、支持多镜像标签及共享容器网络等功能。Windows安装程序增加虚拟化提供商选择,新增健康检查日志配置选项与多主机名绑定支持。行为变更包括默认启用容器访问宿主机功能、优化镜像排序规则及修复退出码处理。问题修复涉及Windows构建上下文异常、命令死锁、资源泄漏、路径处理等多项稳定性改进,并优化了API对压缩文件的支持与事件响应机制。系统要求升级至Golang 1.22,同时改进了系统服务单元文件结构。

更新内容 (中文)

新功能

  • podman kube generatepodman kube play 命令现在支持创建和运行 Kubernetes Job YAML(#17011)。
  • podman kube generate 命令现在会在生成的 YAML 中包含 Pod 和容器的用户命名空间信息。podman kube play 命令将利用此信息在基于 YAML 创建新 Pod 时复现用户命名空间配置。
  • podman kube play 命令现在支持类型为 image 的 Kubernetes 卷(#23775)。
  • 现在可以通过所有支持的 Quadlet 文件中的 ServiceName 键设置 Quadlet 生成的 systemd 单元的服务名称(#23414)。
  • 所有 Quadlet 文件现支持通过新键 DefaultDependencies 禁用对 network-online.target 的隐式依赖(#24193)。
  • Quadlet 的 .container.pod 文件现支持新键 AddHost,用于向容器或 Pod 添加主机条目。
  • Quadlet 的 .container.pod 文件中的 PublishPort 键现在支持在值中使用变量(#24081)。
  • Quadlet 的 .container 文件现支持两个新键 CgroupsModeStartWithPod,分别用于配置容器的控制组模式及容器是否随所属 Pod 启动(#23664#24401)。
  • Quadlet 的 .container 文件现在可通过在 Network 键中指定共享网络的容器对应的 .container 文件来复用其网络。
  • Quadlet 的 .container 文件现在可以通过 Mount=type=image 键将 .image 文件管理的镜像挂载到容器中。
  • Quadlet 的 .pod 文件现支持六个新键 DNSDNSOptionDNSSearchIPIP6UserNS,用于配置 Pod 的 DNS、静态 IP 及用户命名空间设置(#23692)。
  • Quadlet 的 .image 文件现在可通过多次指定 ImageTag 键为镜像添加多个标签(#23781)。
  • Quadlet 文件现在可放置在 /run/containers/systemd 目录,同时兼容原有目录如 $HOME/containers/systemd/etc/containers/systemd/users
  • Quadlet 现在能正确处理单元目录中子目录为符号链接的情况(#23755)。
  • podman manifest inspect 命令的输出现在包含清单的注解信息。
  • podman inspect 命令针对容器的输出新增字段 HostConfig.AutoRemoveImage,显示容器是否通过 --rmi 选项创建。
  • podman inspect 命令针对容器的输出新增字段 Config.ExposedPorts,包含容器所有暴露的端口,增强 Docker 兼容性。
  • podman inspect 命令针对容器的输出新增字段 Config.StartupHealthCheck,显示容器的启动健康检查配置。
  • podman machine list 命令新增选项 --all-providers,可列出所有支持的虚拟机提供商的机器。
  • 在 Windows 上通过 podman machine 运行的虚拟机现通过主机文件系统的 Unix 套接字转发提供 API 访问(#23408)。
  • podman buildx prunepodman image prune 命令新增选项 --build-cache,可同时清理构建缓存。
  • Windows 安装程序新增单选按钮用于选择虚拟化提供商(WSLv2 或 Hyper-V)。
  • podman createpodman runpodman pod create--add-host 选项现支持分号分隔的多个主机名(例如 podman run --add-host test1;test2:192.168.1.1)(#23770)。
  • podman runpodman create 命令现支持三个新选项用于配置健康检查日志:--health-log-destination(指定日志存储位置)、--health-max-log-count(指定保留的健康检查日志数量)和 --health-max-log-size(指定日志最大尺寸)。

变更

  • Podman 现在默认使用 Pasta 的 --map-guest-addr 选项,为 /etc/hosts 中的 host.containers.internal 条目提供默认主机访问支持(#19213)。
  • Quadlet 创建的 Pod 的基础容器名称变更为 Pod 名称后加 -infra 后缀(#23665)。
  • podman system connection add 命令现在支持 tcp:// URL 中指定的 HTTP 路径前缀。
  • containers.conf 中声明的代理环境变量(如 https_proxy)在 podman machine 虚拟机中不再转义特殊字符(#23277)。
  • podman images --sort=repository 命令现在同时按镜像标签排序,确保输出顺序确定性(#23803)。
  • 当用户同时运行 rootless podman machine 虚拟机和已初始化的 rootful podman machine 虚拟机时,若删除 rootless 虚拟机,第二个 rootful 虚拟机的连接将自动设为默认(#22577)。
  • 环境变量密钥不再出现在使用该密钥的容器的 podman inspect 输出中(#23788)。
  • Podman 默认不再在收到 SIGTERM 时返回退出码 0。
  • Podman 不再显式设置资源限制为默认值,以避免先前设置更高值时被覆盖。
  • Quadlet 用户单元现通过新服务 podman-user-wait-network-online.service 正确等待网络就绪,替代原用户会话中无效的 network-online.target
  • podman ps 输出中的暴露端口在已发布时会正确分组和去重(#23317)。
  • Quadlet 构建单元默认不再使用 RemainAfterExit=yes

错误修复

  • 修复了 Windows 上 podman build--build-context 选项失效的问题(影响 Visual Studio Dev Containers 兼容性)(#17313)。
  • 修复了使用 SecurityLabelDisableSecurityLabelNested 键时 Quadlet 生成错误 Podman 参数的问题(#23432)。
  • 修复了 PODMAN_COMPOSE_WARNING_LOGS 环境变量无法抑制 podman compose 警告日志的问题。
  • 修复了在移除过程中对容器执行 podman container cleanup 可能报错的问题。
  • 修复了当 /etc/containers/systemd 为符号链接时,rootless Quadlet 单元被错误加载到 root 用户的问题(#23483)。
  • 修复了远程 Podman 客户端的 podman stop 命令在 --cidfile 指向不存在的文件且设置 --ignore 时停止所有容器的问题(#23554)。
  • 修复了 podman wait 在通过 on-failure 重启策略快速退出并重启的容器上需等待 20 秒才退出的问题。
  • 修复了 podman volume rmpodman run -v 同时对同一卷操作时可能死锁的问题(#23613)。
  • 修复了在创建过程中对容器执行 podman mount 可能报错"容器已存在"的问题(#23637)。
  • 修复了 podman stop 在具有超大注解的容器上可能死锁的问题(#22246)。
  • 修复了 macOS 上 podman machine stop 在虚拟机无法正常停止时可能段错误的问题(#23654)。
  • 修复了 podman stop 未确保通过 --rm 创建的容器在退出时被移除的问题(#22852)。
  • 修复了 podman run--rmi 选项在分离式容器中失效的问题。
  • 修复了 FreeBSD 上 podman inspect 输出 HostConfig.Device 字段值错误的问题(影响 Ansible Podman 模块兼容性)。
  • 修复了 rootless Podman 使用 --cgroup-parent 选项启动容器失败的问题(#23780)。
  • 修复了 podman build -v 未正确处理 Windows 路径作为宿主机目录的问题。
  • 修复了 Podman 在创建网络命名空间时被中断可能导致网络命名空间文件泄漏的问题(#24044)。
  • 修复了远程 Podman 客户端的 podman run 在使用 --rm 选项时可能无法获取容器退出码的问题。
  • 修复了 Windows 上 podman machine 对含特殊字符的用户名无法运行虚拟机的问题。
  • 修复了 Quadlet 在 root 用户下拒绝 RemapUsers=keep-id 的问题。
  • 修复了卷的 XFS 配额不唯一的问题(所有使用配额的卷共享最新创建卷的最大尺寸和 inode 数)。
  • 修复了 Quadlet 文件的 Service 段仅使用默认值而忽略用户输入的问题(#24322)。

API

  • Kubernetes YAML 的 Play API 现支持 application/x-tar 压缩上下文目录(#24015)。
  • 修复了容器附加 API(兼容端点和 Libpod 端点)中因竞态条件导致间歇性失败的问题(#23757)。
  • 修复了兼容端点容器 Top API 输出未正确分割为数组的问题(#23981)。
  • 修复了通过套接字激活的 systemd 服务运行 podman system service 时 Info API 可能失败的问题(#24152)。
  • 修复了容器事件和日志端点现在立即发送状态码(原需等待首个事件或日志行发送)(#23712)。

其他

  • Podman 现在要求 Go 1.22 或更高版本进行构建。
  • 优化了在已有虚拟机运行时执行 podman machine start 的输出提示(#23436)。
  • Quadlet 在解析单元目录时不再记录虚假的 ENOENT 错误(#23620)。
  • Docker 别名 shell 脚本现在会检查 $XDG_CONFIG_HOME/containers/nodocker 文件以决定是否显示 Podman 使用警告。
  • podman-auto-update 的 systemd 单元文件已移至仓库的 contrib/systemd/system 目录以保持一致性。

更新内容 (原始)

Features

  • The podman kube generate and podman kube play commands can now create and run Kubernetes Job YAML (#17011).
  • The podman kube generate command now includes information on the user namespaces for pods and containers in generated YAML. The podman kube play command uses this information to duplicate the user namespace configuration when creating new pods based on the YAML.
  • The podman kube play command now supports Kubernetes volumes of type image (#23775).
  • The service name of systemd units generated by Quadlet can now be set with the ServiceName key in all supported Quadlet files (#23414).
  • Quadlets can now disable their implicit dependency on network-online.target via a new key, DefaultDependencies, supported by all Quadlet files (#24193).
  • Quadlet .container and .pod files now support a new key, AddHost, to add hosts to the container or pod.
  • The PublishPort key in Quadlet .container and .pod files can now accept variables in its value (#24081).
  • Quadlet .container files now support two new keys, CgroupsMode and StartWithPod, to configure cgroups for the container and whether the container will be started with the pod it is part of ([#23664](htt
    ps://github.com/containers/podman/issues/23664) and #24401).
  • Quadlet .container files can now use the network of another container by specifying the .container file of the container to share with in the Network key.
  • Quadlet .container files can now mount images managed by .image files into the container by using the Mount=type=image key with a .image target.
  • Quadlet .pod files now support six new keys, DNS, DNSOption, DNSSearch, IP, IP6, and UserNS, to configure DNS, static IPs, and user namespace settings for the pod ([#23692](https://github.com/co
    ntainers/podman/issues/23692)).
  • Quadlet .image files can now give an image multiple times by specifying the ImageTag key multiple times (#23781).
  • Quadlets can now be placed in the /run/containers/systemd directory as well as existing directories like $HOME/containers/systemd and /etc/containers/systemd/users.
  • Quadlet now properly handles subdirectories of a unit directory being a symlink (#23755).
  • The podman manifest inspect command now includes the manifest’s annotations in its output.
  • The output of the podman inspect command for containers now includes a new field, HostConfig.AutoRemoveImage, which shows whether a container was created with the --rmi option set.
  • The output of the podman inspect command for containers now includes a new field, Config.ExposedPorts, which includes all exposed ports from the container, improving Docker compatibility.
  • The output of the podman inspect command for containers now includes a new field, Config.StartupHealthCheck, which shows the container’s startup healthcheck configuration.
  • The podman machine list command now supports a new option, --all-providers, which lists machines from all supported VM providers, not just the one currently in use.
  • VMs run by podman machine on Windows will now provide API access by exposing a Unix socket on the host filesystem which forwards into the VM (#23408).
  • The podman buildx prune and podman image prune commands now support a new option, --build-cache, which will also clean the build cache.
  • The Windows installer has a new radio button to select virtualization provider (WSLv2 or Hyper-V).
  • The --add-host option to podman create, podman run, and podman pod create now supports specifying multiple hostnames, semicolon-separated (e.g. podman run --add-host test1;test2:192.168.1.1) (#2377
    0    ).
  • The podman run and podman create commands now support three new options for configuring healthcheck logging: --health-log-destination (specify where logs are stored), --health-max-log-count (specify how many healthchecks worth of logs are stored), and --health-max-log-size (specify the maximum size of the healthcheck log).

Changes

  • Podman now uses the Pasta --map-guest-addr option by default which is used for the host.containers.internal entry in /etc/hosts to allow containers to reach the host by default (#19213).
  • The names of the infra containers of pods created by Quadlet are changed to the pod name suffixed with -infra (#23665).
  • The podman system connection add command now respects HTTP path prefixes specified with tcp:// URLs.
  • Proxy environment variables (e.g. https_proxy) declared in containers.conf no longer escape special characters in their values when used with podman machine VMs ([#23277](https://github.com/containers/p
    odman/issues/23277)).
  • The podman images --sort=repository command now also sorts by image tag as well, guaranteeing deterministic output ordering (#23803).
  • When a user has a rootless podman machine VM running and second rootful podman machine VM initialized, and the rootless VM is removed, the connection to the second, rootful machine now becomes the default as expected (#22577).
  • Environment variable secrets are no longer contained in the output of podman inspect on a container the secret is used in (#23788).
  • Podman no longer exits 0 on SIGTERM by default.
  • Podman no longer explicitly sets rlimits to their default value, as this could lower the actual value available to containers if it had been set higher previously.
  • Quadlet user units now correctly wait for the network to be ready to use via a new service, podman-user-wait-network-online.service, instead of the user session’s nonfunctional network-online.target.
  • Exposed ports in the output of podman ps are now correctly grouped and deduplicated when they are also published (#23317).
  • Quadlet build units no longer use RemainAfterExit=yes by default.

Bugfixes

  • Fixed a bug where the --build-context option to podman build did not function properly on Windows, breaking compatibility with Visual Studio Dev Containers (#17313).
  • Fixed a bug where Quadlet would generate bad arguments to Podman if the SecurityLabelDisable or SecurityLabelNested keys were used (#23432).
  • Fixed a bug where the PODMAN_COMPOSE_WARNING_LOGS environment variable did not suppress warnings printed by podman compose that it was redirecting to an external provider.
  • Fixed a bug where, if the podman container cleanup command was run on a container in the process of being removed, an error could be printed.
  • Fixed a bug where rootless Quadlet units placed in /etc/containers/systemd/users/ would be loaded for root as well when /etc/containers/systemd was a symlink (#23483).
  • Fixed a bug where the remote Podman client’s podman stop command would, if called with --cidfile pointing to a non-existent file and the --ignore option set, stop all containers (#23554).
  • Fixed a bug where the podman wait would only exit only after 20 second when run on a container which rapidly exits and is then restarted by the on-failure restart policy.
  • Fixed a bug where podman volume rm and podman run -v could deadlock when run simultaneously on the same volume (#23613).
  • Fixed a bug where running podman mount on a container in the process of being created could cause a nonsensical error indicating the container already existed (#23637).
  • Fixed a bug where the podman stop command could deadlock when run on containers with very large annotations (#22246).
  • Fixed a bug where the podman machine stop command could segfault on Mac when a VM failed to stop gracefully (#23654).
  • Fixed a bug where the podman stop command would not ensure containers created with --rm were removed when it exited (#22852).
  • Fixed a bug where the --rmi option to podman run did not function correctly with detached containers.
  • Fixed a bug where running podman inspect on a container on FreeBSD would emit an incorrect value for the HostConfig.Device field, breaking compatibility with the Ansible Podman module.
  • Fixed a bug where rootless Podman could fail to start containers using the --cgroup-parent option (#23780).
  • Fixed a bug where the podman build -v command did not properly handle Windows paths passed as the host directory.
  • Fixed a bug where Podman could leak network namespace files if it was interrupted while creating a network namespace (#24044).
  • Fixed a bug where the remote Podman client’s podman run command could sometimes fail to retrieve a container’s exit code for containers run with the --rm option.
  • Fixed a bug where podman machine on Windows could fail to run VMs for certain usernames containing special characters.
  • Fixed a bug where Quadlet would reject RemapUsers=keep-id when run as root.
  • Fixed a bug where XFS quotas on volumes were not unique, meaning that all volumes using a quota shared the same maximum size and inodes (set by the most recent volume with a quota to be created).
  • Fixed a bug where Service section of Quadlet files would only use defaults and not respect user input (#24322).

API

  • The Play API for Kubernetes YAML now supports application/x-tar compressed context directories (#24015).
  • Fixed a bug in the Attach API for Containers (for both Compat and Libpod endpoints) which could cause inconsistent failures due to a race condition (#23757).
  • Fixed a bug where the output for the Compat Top API for Containers did not properly split the output into an array (#23981).
  • Fixed a bug where the Info API could fail when running podman system service via a socket-activated systemd service (#24152).
  • Fixed a bug where the Events and Logs endpoints for Containers now send status codes immediately, as opposed to when the first event or log line is sent (#23712).

Misc

  • Podman now requires Golang 1.22 or higher to build.
  • The output of podman machine start has been improved when trying to start a machine when another is already running (#23436).
  • Quadlet will no longer log spurious ENOENT errors when resolving unit directories (#23620).
  • The Docker alias shell script will now also honor the presence of $XDG_CONFIG_HOME/containers/nodocker when considering whether it should print its warning message that Podman is in use.
  • The podman-auto-update systemd unit files have been moved into the contrib/systemd/system directory in the repo for consistency with our other unit files.

下载链接