发布日期: 2025-02-11
版本号: v5.4.0

Podman最新更新引入了多项新功能,包括初步支持通过podman artifact命令集管理OCI工件、扩展podman update命令以支持健康检查配置(如添加、移除或修改)、新增subpath=选项以限制卷在容器中的可见范围、支持通过--userns=keep-id:size=配置用户命名空间大小、podman kube play支持CDI设备、podman machine init允许通过--playbook运行Ansible剧本初始化虚拟机,以及多个命令新增--hosts-file--no-hostname等选项。重大变更包括停止对Intel Mac的完整支持(仅保留基础功能),以及Quadlet文件注释符号从:更正为;以匹配systemd规范。其他改进包含网络主机名传递优化、镜像拉取逻辑增强,并允许通过BUILD_ORIGIN标识构建来源。修复了WSL虚拟机启动冲突、卷权限异常、资源限制错误、Quadlet解析问题及Kubernete兼容性等超过20项缺陷,同时更新了Buildah及依赖库版本。API方面新增构建时禁用/etc/hosts生成的参数,并修复了CDI设备兼容性问题。

更新内容 (中文)

新特性

  • 通过 podman artifact 命令集(包括 addinspectlspullpushrm)新增了对 OCI 制品的预览支持。此功能尚处早期阶段且未完全实现,相关命令行接口尚未最终确定。欢迎通过问题跟踪器反馈新制品功能的体验!
  • podman update 命令新增支持多项与健康检查相关的选项(包括定义新健康检查的 --health-cmd 和禁用现有健康检查的 --no-healthcheck),允许在现有容器中添加、移除或更新健康检查。完整新增的 15 项选项详见手册页。
  • podman runpodman createpodman volume create 命令的 --mount type=volume 选项新增 subpath= 参数,支持仅将卷的部分路径暴露于容器内 (#20661)。
  • podman runpodman createpodman pod create 命令的 --userns=keep-id 选项新增 --userns=keep-id:size= 参数,支持配置用户命名空间的大小 (#24387)。
  • podman kube play 命令新增支持容器设备接口 (CDI) 设备 (#17833)。
  • podman machine init 命令新增 --playbook 选项,支持在首次启动时通过 Ansible 剧本对新建虚拟机进行初始配置。
  • Quadlet 的 .pod 文件新增 ShmSize 字段,用于指定 Pod 共享内存的大小 (#22915)。
  • podman runpodman createpodman pod create 命令新增 --hosts-file 选项,用于定义容器内 /etc/hosts 的基准文件。
  • podman runpodman createpodman pod create 命令新增 --no-hostname 选项,可禁用容器内 /etc/hostname 的创建 (#25002)。
  • podman network create 命令为桥接网络新增 --opt mode=unmanaged 选项,允许 Podman 直接使用系统中已有的网络桥接而无需修改。
  • podman runpodman createpodman pod create--network 选项为桥接网络新增 host_interface_name 参数,用于指定容器外网络接口的名称。
  • podman manifest rm 命令新增 --ignore 选项,删除不存在的清单时不再报错。
  • podman system prune 命令新增 --build 选项,用于清理因构建意外终止遗留的构建容器。
  • podman events 命令新增网络创建与移除的事件记录功能 (#24032)。

重大变更

  • 由于缺乏测试硬件支持,Podman 维护者将不再全面支持 Intel 芯片的 Mac 设备。相关二进制文件与虚拟机镜像仍会发布,针对 Intel 系统 macOS 的 PR 仍会被合并,但问题修复仅限尽力而为。欢迎有能力协助恢复全面支持的新维护者加入。
  • Quadlet 此前错误地允许使用 : 作为注释标识符。根据开发文档与设计意图,现更正为使用 #; 作为注释标识符(与 systemd 一致),分号现替代冒号作为注释符号。

变更

  • Podman 现在会将容器主机名传递给 Netavark,用于容器 DHCP 请求的关联处理。
  • zstd:chunked 格式镜像的部分拉取现仅针对镜像 OCI 配置 JSON 中包含 RootFS.DiffID 条目且需校验层内容匹配的场景,解决了启用部分拉取时镜像 ID 歧义问题。
  • 打包者现可通过设置 BUILD_ORIGIN 环境变量(在 Makefile 构建时)标注 Podman 构建来源信息,该信息将显示于 podman versionpodman info 中,便于上游问题溯源。

问题修复

  • 修复 WSL 环境下使用用户模式网络的 podman machine 虚拟机因端口冲突无法启动的问题 (#20327)。
  • 修复镜像指定卷路径时无法进行 overlay 挂载的问题 (#24555)。
  • 修复 podman build 未遵循 containers.confno_pivot_root 配置的问题 (#24546)。
  • 修复从未启动的容器中使用 podman cp 复制到新卷时权限错误的问题。
  • 修复向需挂载的命名卷(镜像卷、插件卷或带选项卷)使用 podman cp 复制时,若目标容器已停止则操作失败的问题。
  • 修复 root 用户运行 Podman 但未拥有 CAP_SYS_RESOURCE 时资源限制设置错误的问题 (#24692)。
  • 修复存在使用 --cgroups=none 启动的容器时,podman stats --all 命令执行失败的问题 (#24632)。
  • 修复 podman info 仅返回单一镜像存储信息的问题(即使 storage.conf 配置了多个存储)。
  • 修复 podman update 可能重置未修改资源的默认限制值的问题 (#24610)。
  • 修复远程 Podman 客户端的 podman update 无法更新容器内挂载设备资源限制的问题 (#24734)。
  • 修复使用 --index 选项时 podman manifest annotate 可能崩溃的问题 (#24750)。
  • 修复 Quadlet 容器复用其他容器网络时,若目标容器未运行则报错的问题。
  • 修复 Quadlet 文件中含尾随反斜杠的行可能导致解析死循环的问题 (#24810)。
  • 修复非 root 用户运行 Quadlet 时未处理 /etc/containers/systemd/users/ 子目录文件的问题 (#24783)。
  • 修复 Quadlet 文件中含八进制转义序列的值被错误解析的问题。
  • 修复 podman generate kube 生成含大写字母或下划线的持久卷名的问题(Kubernetes 不支持此类命名)(#16542)。
  • 修复 --mount type=devptsptmxmode 选项失效的问题。
  • 修复 Windows 环境 shell 补全包含 .exe 后缀导致部分 shell 异常的问题。
  • 修复 podman inspect 容器信息未包含所属网络 ID 的问题,提升 Docker 兼容性 (#24910)。
  • 修复远程 API 创建容器时错误包含创建命令的问题 (#25026)。
  • 修复 Intel Mac 设备错误指定 libkrun 后端的问题(该后端仅支持 Arm 架构)。
  • 修复 Mac 上 podman machinelibkrunapplehv 虚拟机可能同时启动的问题 (#25112)。
  • 修复 podman exec 无法通过分离键退出会话的问题 (#24895)。
  • 修复特定字段配置为空字符串时,Podman 因数据库配置不匹配无法启动的问题 (#24738)。

API

  • 镜像构建的 Compat 和 Libpod API 新增 nohosts 查询参数,设为 true 时构建过程中不创建 /etc/hosts
  • 修复 Compat 容器创建 API 未支持 CDI 设备的问题(此前影响 docker compose 使用 GPU 等功能)(#19338)。

其他

  • 优化 Docker 别名脚本的变量替换处理。
  • 修复无容器时 podman-restart.service 运行异常的问题。
  • 更新 Buildah 至 v1.39.0
  • 更新 containers/common 库至 v0.62.0
  • 更新 containers/storage 库至 v1.57.1
  • 更新 containers/image 库至 v5.34.0

更新内容 (原始)

Features

  • A preview of Podman’s support for OCI artifacts has been added through the podman artifact suite of commands, including add, inspect, ls, pull, push, and rm. This support is very early and not fully complete, and the command line interface for these tools has not been finalized. We welcome feedback on the new artifact experience through our issue tracker!
  • The podman update command now supports a wide variety of options related to healthchecks (including --health-cmd to define a new healthcheck and --no-healthcheck to disable an existing healthcheck), allowing healthchecks to be added to, removed from, and otherwise updated on existing containers. You can find full details on the 15 added options in the manpage.
  • The --mount type=volume option for the podman run, podman create, and podman volume create commands now supports a new option, subpath=, to make only a subset of the volume visible in the container (#20661).
  • The --userns=keep-id option for the podman run, podman create, and podman pod create commands now supports a new option, --userns=keep-id:size=, to configure the size of the user namespace (#24387).
  • The podman kube play command now supports Container Device Interface (CDI) devices (#17833).
  • The podman machine init command now supports a new option, --playbook, to run an Ansible playbook in the created VM on first boot for initial configuration.
  • Quadlet .pod files now support a new field, ShmSize, to specify the size of the pod’s shared SHM (#22915).
  • The podman run, podman create, and podman pod create commands now support a new option, --hosts-file, to define the base file used for /etc/hosts in the container.
  • The podman run, podman create, and podman pod create commands now support a new option, --no-hostname, which disables the creation of /etc/hostname in the container (#25002).
  • The podman network create command now supports a new option for bridge networks, --opt mode=unmanaged, which allows Podman to use an existing network bridge on the system without changes.
  • The --network option to podman run, podman create, and podman pod create now accepts a new option for bridge networks, host_interface_name, which specifies a name for the network interface created outside the container.
  • The podman manifest rm command now supports a new option, --ignore, to not error when removing manifests that do not exist.
  • The podman system prune command now supports a new option, --build, to remove build containers leftover from prematurely terminated builds.
  • The podman events command now generates events for the creation and removal of networks (#24032).

Breaking Changes

  • Due to a lack of availability of hardware to test on, the Podman maintainers are no longer capable of providing full support for Podman on Intel Macs. Binaries and machine images will still be produced, and pull requests related to MacOS on Intel systems will still be merged, but bugs will be fixed on a best effort basis only. We welcome any potential new maintainers who would be able to assist in restoring full support.
  • Quadlet previously incorrectly allowed : as a character to define comments. This was a mistake; developer intent and documentation was that # and ; were to be used as comment characters instead, matching systemd. This has been corrected, and semicolons now define comments instead of colons.

Changes

  • Podman now passes container hostnames to Netavark, which will use them for any DHCP requests for the container.
  • Partial pulls of zstd:chunked images now only happen for images that have a RootFS.DiffID entry in the image’s OCI config JSON, and require the layer contents to match. This resolves issues with image ID ambiguity when partial pulls were enabled.
  • Packagers can now set the BUILD_ORIGIN environment variable when building podman from the Makefile. This provides information on who built the Podman binary, and is displayed in podman version and podman info. This will help upstream bug reports, allowing maintainers to trace how and where the binary was built and installed from.

Bugfixes

  • Fixed a bug where podman machine VMs on WSL could fail to start when using usermode networking could fail to start due to a port conflict (#20327).
  • Fixed a bug where overlay mounts could not be made at paths where the image specifies a volume (#24555).
  • Fixed a bug where the podman build command did not honor the no_pivot_root setting from containers.conf (#24546).
  • Fixed a bug where volumes would have the wrong permissions if podman cp was used to copy into a fresh volume in a container that had never been started.
  • Fixed a bug where using podman cp to copy into a named volume requiring a mount (image volumes, volumes backed by a volume plugin, or other volumes with options) would fail when the container being copied into was stopped.
  • Fixed a bug where rlimits would be set incorrectly when Podman was run as root but without CAP_SYS_RESOURCE (#24692).
  • Fixed a bug where the podman stats --all command would fail if a container started with --cgroups=none was present (#24632).
  • Fixed a bug where the podman info command would only return details on one image store even if additional image stores were configured in storage.conf.
  • Fixed a bug where the podman update command could reset resource limits that were not being modified to default (#24610).
  • Fixed a bug where the remote Podman client’s podman update command could not update resource limits on devices mounted into the container (#24734).
  • Fixed a bug where the podman manifest annotate command could panic when the --index option was used (#24750).
  • Fixed a bug where a Quadlet container reusing another container’s network could cause errors if the second container was not already running.
  • Fixed a bug where Quadlet files containing lines with a trailing backslash could cause an infinite loop during parsing (#24810).
  • Fixed a bug where Quadlet would, when run as a non-root user, not generate for files in subfolders of /etc/containers/systemd/users/ (#24783).
  • Fixed a bug where values in Quadlet files containing octal escape sequences were incorrectly unescaped.
  • Fixed a bug where podman generate kube could generate persistent volumes with mixed-case names or names containing an underscore, which are not supported by Kubernetes (#16542).
  • Fixed a bug where the ptmxmode option to --mount type=devpts did not function.
  • Fixed a bug where shell completion on Windows would include .exe in the executable name, breaking completion on some shells.
  • Fixed a bug where the output of podman inspect on containers did not include the ID of the network the container was joined to, improving Docker compatibility (#24910).
  • Fixed a bug where containers created with the remote API incorrectly included a create command (#25026).
  • Fixed a bug where it was possible to specify the libkrun backend for VMs on Intel Macs (libkrun only supports Arm systems).
  • Fixed a bug where libkrun and applehv VMs from podman machine could be started at the same time on Macs (#25112).
  • Fixed a bug where podman exec commands could not detach from the exec session using the detach keys (#24895).
  • Fixed a bug where Podman would fail to start due to a database configuration mismatch when certain fields were configured to the empty string (#24738).

API

  • The Compat and Libpod Build APIs for Images now support a new query parameter, nohosts, which (when set to true) does not create /etc/hosts in the image when building.
  • Fixed a bug where the Compat Create API for Containers did not honor CDI devices, preventing (among other things) the use of GPUs with docker compose (#19338).

Misc

  • The Docker alias script has been fixed to better handle variable substitution.
  • Fixed a bug where podman-restart.service functioned incorrectly when no containers were present.
  • Updated Buildah to v1.39.0
  • Updated the containers/common library to v0.62.0
  • Updated the containers/storage library to v1.57.1
  • Updated the containers/image library to v5.34.0

下载链接