v5.3.1

• Fixed a bug where the --ignition-path option to podman machine init would prevent creation of necessary files for the VM, rendering it unusable (#23544).
• Fixed a bug where rootless containers using the bridge networking mode would be unable to start due to a panic caused by a nil pointer dereference (#24566).
• Fixed a bug where Podman containers would try to set increased rlimits when started in a user namespace, rendering containers unable to start (#24508).
• Fixed a bug where certain SSH configurations would make the remote Podman client unable to connect to the server (#24567).
• Fixed a bug where the Windows installer could install WSLv2 when upgrading an existing Podman installation that used the Hyper-V virtualization backend.

v5.3.0

Features

• The podman kube generate and podman kube play commands can now create and run Kubernetes Job YAML (#17011).
• The podman kube generate command now includes information on the user namespaces for pods and containers in generated YAML. The podman kube play command uses this information to duplicate the user namespace configuration when creating new pods based on the YAML.
• The podman kube play command now supports Kubernetes volumes of type image (#23775).
• The service name of systemd units generated by Quadlet can now be set with the ServiceName key in all supported Quadlet files (#23414).
• Quadlets can now disable their implicit dependency on network-online.target via a new key, DefaultDependencies, supported by all Quadlet files (#24193).
• Quadlet .container and .pod files now support a new key, AddHost, to add hosts to the container or pod.
• The PublishPort key in Quadlet .container and .pod files can now accept variables in its value (#24081).
• Quadlet .container files now support two new keys, CgroupsMode and StartWithPod, to configure cgroups for the container and whether the container will be started with the pod it is part of (#23664 and #24401).
• Quadlet .container files can now use the network of another container by specifying the .container file of the container to share with in the Network key.
• Quadlet .container files can now mount images managed by .image files into the container by using the Mount=type=image key with a .image target.
• Quadlet .pod files now support six new keys, DNS, DNSOption, DNSSearch, IP, IP6, and UserNS, to configure DNS, static IPs, and user namespace settings for the pod (#23692).
• Quadlet .image files can now give an image multiple times by specifying the ImageTag key multiple times (#23781).
• Quadlets can now be placed in the /run/containers/systemd directory as well as existing directories like $HOME/containers/systemd and /etc/containers/systemd/users.
• Quadlet now properly handles subdirectories of a unit directory being a symlink (#23755).
• The podman manifest inspect command now includes the manifest's annotations in its output.
• The output of the podman inspect command for containers now includes a new field, HostConfig.AutoRemoveImage, which shows whether a container was created with the --rmi option set.
• The output of the podman inspect command for containers now includes a new field, Config.ExposedPorts, which includes all exposed ports from the container, improving Docker compatibility.
• The output of the podman inspect command for containers now includes a new field, Config.StartupHealthCheck, which shows the container's startup healthcheck configuration.
• The output of the podman inspect command for containers now includes a new field in Mounts, SubPath, which contains any subpath set for image or named volumes.
• The podman machine list command now supports a new option, --all-providers, which lists machines from all supported VM providers, not just the one currently in use.
• VMs run by podman machine on Windows will now provide API access by exposing a Unix socket on the host filesystem which forwards into the VM (#23408).
• The podman buildx prune and podman image prune commands now support a new option, --build-cache, which will also clean the build cache.
• The Windows installer has a new radio button to select virtualization provider (WSLv2 or Hyper-V).
• The --add-host option to podman create, podman run, and podman pod create now supports specifying multiple hostnames, semicolon-separated (e.g. podman run --add-host test1;test2:192.168.1.1) (#23770).
• The podman run and podman create commands now support three new options for configuring healthcheck logging: --health-log-destination (specify where logs are stored), --health-max-log-count (specify how many healthchecks worth of logs are stored), and --health-max-log-size (specify the maximum size of the healthcheck log).

Changes

• Podman now uses the Pasta --map-guest-addr option by default which is used for the host.containers.internal entry in /etc/hosts to allow containers to reach the host by default (#19213).
• The names of the infra containers of pods created by Quadlet are changed to the pod name suffixed with -infra (#23665).
• The podman system connection add command now respects HTTP path prefixes specified with tcp:// URLs.
• Proxy environment variables (e.g. https_proxy) declared in containers.conf no longer escape special characters in their values when used with podman machine VMs (#23277).
• The podman images --sort=repository command now also sorts by image tag as well, guaranteeing deterministic output ordering (#23803).
• When a user has a rootless podman machine VM running and second rootful podman machine VM initialized, and the rootless VM is removed, the connection to the second, rootful machine now becomes the default as expected (#22577).
• Environment variable secrets are no longer contained in the output of podman inspect on a container the secret is used in (#23788).
• Podman no longer exits 0 on SIGTERM by default.
• Podman no longer explicitly sets rlimits to their default value, as this could lower the actual value available to containers if it had been set higher previously.
• Quadlet user units now correctly wait for the network to be ready to use via a new service, podman-user-wait-network-online.service, instead of the user session's nonfunctional network-online.target.
• Exposed ports in the output of podman ps are now correctly grouped and deduplicated when they are also published (#23317).
• Quadlet build units no longer use RemainAfterExit=yes by default.

Bugfixes

• Fixed a bug where the --build-context option to podman build did not function properly on Windows, breaking compatibility with Visual Studio Dev Containers (#17313).
• Fixed a bug where Quadlet would generate bad arguments to Podman if the SecurityLabelDisable or SecurityLabelNested keys were used (#23432).
• Fixed a bug where the PODMAN_COMPOSE_WARNING_LOGS environment variable did not suppress warnings printed by podman compose that it was redirecting to an external provider.
• Fixed a bug where, if the podman container cleanup command was run on a container in the process of being removed, an error could be printed.
• Fixed a bug where rootless Quadlet units placed in /etc/containers/systemd/users/ would be loaded for root as well when /etc/containers/systemd was a symlink (#23483).
• Fixed a bug where the remote Podman client's podman stop command would, if called with --cidfile pointing to a non-existent file and the --ignore option set, stop all containers (#23554).
• Fixed a bug where the podman wait would only exit only after 20 second when run on a container which rapidly exits and is then restarted by the on-failure restart policy.
• Fixed a bug where podman volume rm and podman run -v could deadlock when run simultaneously on the same volume (#23613).
• Fixed a bug where running podman mount on a container in the process of being created could cause a nonsensical error indicating the container already existed (#23637).
• Fixed a bug where the podman stop command could deadlock when run on containers with very large annotations (#22246).
• Fixed a bug where the podman machine stop command could segfault on Mac when a VM failed to stop gracefully (#23654).
• Fixed a bug where the podman stop command would not ensure containers created with --rm were removed when it exited (#22852).
• Fixed a bug where the --rmi option to podman run did not function correctly with detached containers.
• Fixed a bug where running podman inspect on a container on FreeBSD would emit an incorrect value for the HostConfig.Device field, breaking compatibility with the Ansible Podman module.
• Fixed a bug where rootless Podman could fail to start containers using the --cgroup-parent option (#23780).
• Fixed a bug where the podman build -v command did not properly handle Windows paths passed as the host directory.
• Fixed a bug where Podman could leak network namespace files if it was interrupted while creating a network namespace (#24044).
• ...

v5.3.0-RC3

Features

• The podman kube generate and podman kube play commands can now create and run Kubernetes Job YAML (#17011).
• The podman kube generate command now includes information on the user namespaces for pods and containers in generated YAML. The podman kube play command uses this information to duplicate the user namespace configuration when creating new pods based on the YAML.
• The podman kube play command now supports Kubernetes volumes of type image (#23775).
• The service name of systemd units generated by Quadlet can now be set with the ServiceName key in all supported Quadlet files (#23414).
• Quadlets can now disable their implicit dependency on network-online.target via a new key, DefaultDependencies, supported by all Quadlet files (#24193).
• Quadlet .container and .pod files now support a new key, AddHost, to add hosts to the container or pod.
• The PublishPort key in Quadlet .container and .pod files can now accept variables in its value (#24081).
• Quadlet .container files now support two new keys, CgroupsMode and StartWithPod, to configure cgroups for the container and whether the container will be started with the pod it is part of ([#23664](htt
  ps://github.com//issues/23664) and #24401).
• Quadlet .container files can now use the network of another container by specifying the .container file of the container to share with in the Network key.
• Quadlet .container files can now mount images managed by .image files into the container by using the Mount=type=image key with a .image target.
• Quadlet .pod files now support six new keys, DNS, DNSOption, DNSSearch, IP, IP6, and UserNS, to configure DNS, static IPs, and user namespace settings for the pod ([#23692](https://github.com/co\
  ntainers/podman/issues/23692)).
• Quadlet .image files can now give an image multiple times by specifying the ImageTag key multiple times (#23781).
• Quadlets can now be placed in the /run/containers/systemd directory as well as existing directories like $HOME/containers/systemd and /etc/containers/systemd/users.
• Quadlet now properly handles subdirectories of a unit directory being a symlink (#23755).
• The podman manifest inspect command now includes the manifest's annotations in its output.
• The output of the podman inspect command for containers now includes a new field, HostConfig.AutoRemoveImage, which shows whether a container was created with the --rmi option set.
• The output of the podman inspect command for containers now includes a new field, Config.ExposedPorts, which includes all exposed ports from the container, improving Docker compatibility.
• The output of the podman inspect command for containers now includes a new field, Config.StartupHealthCheck, which shows the container's startup healthcheck configuration.
• The podman machine list command now supports a new option, --all-providers, which lists machines from all supported VM providers, not just the one currently in use.
• VMs run by podman machine on Windows will now provide API access by exposing a Unix socket on the host filesystem which forwards into the VM (#23408).
• The podman buildx prune and podman image prune commands now support a new option, --build-cache, which will also clean the build cache.
• The Windows installer has a new radio button to select virtualization provider (WSLv2 or Hyper-V).
• The --add-host option to podman create, podman run, and podman pod create now supports specifying multiple hostnames, semicolon-separated (e.g. podman run --add-host test1;test2:192.168.1.1) (#2377
  0).
• The podman run and podman create commands now support three new options for configuring healthcheck logging: --health-log-destination (specify where logs are stored), --health-max-log-count (specify how many healthchecks worth of logs are stored), and --health-max-log-size (specify the maximum size of the healthcheck log).

Changes

• Podman now uses the Pasta --map-guest-addr option by default which is used for the host.containers.internal entry in /etc/hosts to allow containers to reach the host by default (#19213).
• The names of the infra containers of pods created by Quadlet are changed to the pod name suffixed with -infra (#23665).
• The podman system connection add command now respects HTTP path prefixes specified with tcp:// URLs.
• Proxy environment variables (e.g. https_proxy) declared in containers.conf no longer escape special characters in their values when used with podman machine VMs ([#23277](https://github.com/containers/p\
  odman/issues/23277)).
• The podman images --sort=repository command now also sorts by image tag as well, guaranteeing deterministic output ordering (#23803).
• When a user has a rootless podman machine VM running and second rootful podman machine VM initialized, and the rootless VM is removed, the connection to the second, rootful machine now becomes the default as expected (#22577).
• Environment variable secrets are no longer contained in the output of podman inspect on a container the secret is used in (#23788).
• Podman no longer exits 0 on SIGTERM by default.
• Podman no longer explicitly sets rlimits to their default value, as this could lower the actual value available to containers if it had been set higher previously.
• Quadlet user units now correctly wait for the network to be ready to use via a new service, podman-user-wait-network-online.service, instead of the user session's nonfunctional network-online.target.
• Exposed ports in the output of podman ps are now correctly grouped and deduplicated when they are also published (#23317).
• Quadlet build units no longer use RemainAfterExit=yes by default.

Bugfixes

• Fixed a bug where the --build-context option to podman build did not function properly on Windows, breaking compatibility with Visual Studio Dev Containers (#17313).
• Fixed a bug where Quadlet would generate bad arguments to Podman if the SecurityLabelDisable or SecurityLabelNested keys were used (#23432).
• Fixed a bug where the PODMAN_COMPOSE_WARNING_LOGS environment variable did not suppress warnings printed by podman compose that it was redirecting to an external provider.
• Fixed a bug where, if the podman container cleanup command was run on a container in the process of being removed, an error could be printed.
• Fixed a bug where rootless Quadlet units placed in /etc/containers/systemd/users/ would be loaded for root as well when /etc/containers/systemd was a symlink (#23483).
• Fixed a bug where the remote Podman client's podman stop command would, if called with --cidfile pointing to a non-existent file and the --ignore option set, stop all containers (#23554).
• Fixed a bug where the podman wait would only exit only after 20 second when run on a container which rapidly exits and is then restarted by the on-failure restart policy.
• Fixed a bug where podman volume rm and podman run -v could deadlock when run simultaneously on the same volume (#23613).
• Fixed a bug where running podman mount on a container in the process of being created could cause a nonsensical error indicating the container already existed (#23637).
• Fixed a bug where the podman stop command could deadlock when run on containers with very large annotations (#22246).
• Fixed a bug where the podman machine stop command could segfault on Mac when a VM failed to stop gracefully (#23654).
• Fixed a bug where the podman stop command would not ensure containers created with --rm were removed when it exited (#22852).
• Fixed a bug where the --rmi option to podman run did not function correctly with detached containers.
• Fixed a bug where running podman inspect on a container on FreeBSD would emit an incorrect value for the HostConfig.Device field, breaking compatibility with the Ansible Podman module.
• Fixed a bug where rootless Podman could fail to start containers using the --cgroup-parent option (#23780).
• Fixed a bug where the podman build -v command did not properly handle Windows paths passed as the host directory.
• Fixed a bug where Podman could leak network namespace files if it was interrupted while creating a network namespace (#24044).
• Fixed a bug where the remote Podman client's podman run command could sometimes fail to retrieve a container's exit code for containers run with the --rm...

v5.3.0-RC2

This is the second release candidate for Podman v5.3.0. Preliminary release notes are below.

Features

• The podman kube generate and podman kube play commands can now create and run Kubernetes Job YAML (#17011).
• The podman kube generate command now includes information on the user namespaces for pods and containers in generated YAML. The podman kube play command uses this information to duplicate the user namespace configuration when creating new pods based on the YAML.
• The podman kube play command now supports Kubernetes volumes of type image (#23775).
• The service name of systemd units generated by Quadlet can now be set with the ServiceName key in all supported Quadlet files (#23414).
• Quadlets can now disable their implicit dependency on network-online.target via a new key, DefaultDependencies, supported by all Quadlet files (#24193).
• Quadlet .container and .pod files now support a new key, AddHost, to add hosts to the container or pod.
• The PublishPort key in Quadlet .container and .pod files can now accept variables in its value (#24081).
• Quadlet .container files now support a new key, CgroupsMode, to configure cgroups for the container (#23664).
• Quadlet .container files can now use the network of another container by specifying the .container file of the container to share with in the Network key.
• Quadlet .pod files now support six new keys, DNS, DNSOption, DNSSearch, IP, IP6, and UserNS, to configure DNS, static IPs, and user namespace settings for the pod (#23692).
• Quadlet .image files can now give an image multiple times by specifying the ImageTag key multiple times (#23781).
• Quadlets can now be placed in the /run/containers/systemd directory as well as existing directories like $HOME/containers/systemd and /etc/containers/systemd/users.
• Quadlet now properly handles subdirectories of a unit directory being a symlink (#23755).
• The podman manifest inspect command now includes the manifest's annotations in its output.
• The output of the podman inspect command for containers now includes a new field, HostConfig.AutoRemoveImage, which shows whether a container was created with the --rmi option set.
• The output of the podman inspect command for containers now includes a new field, Config.ExposedPorts, which includes all exposed ports from the container, improving Docker compatibility.
• The output of the podman inspect command for containers now includes a new field, Config.StartupHealthCheck, which shows the container's startup healthcheck configuration.
• The podman machine list command now supports a new option, --all-providers, which lists machines from all supported VM providers, not just the one currently in use.
• VMs run by podman machine on Windows will now provide API access by exposing a Unix socket on the host filesystem which forwards into the VM (#23408).
• The podman buildx prune and podman image prune commands now support a new option, --build-cache, which will also clean the build cache.
• The Windows installer has a new radio button to select virtualization provider (WSLv2 or Hyper-V).
• The --add-host option to podman create, podman run, and podman pod create now supports specifying multiple hostnames, semicolon-separated (e.g. podman run --add-host test1;test2:192.168.1.1) (#23770).
• The podman run and podman create commands now support three new options for configuring healthcheck logging: --health-log-destination (specify where logs are stored), --health-max-log-count (specify how many healthchecks worth of logs are stored), and --health-max-log-size (specify the maximum size of the healthcheck log).

Changes

• Podman now uses the Pasta --map-guest-addr option by default which is used for the host.containers.internal entry in /etc/hosts to allow containers to reach the host by default (#19213).
• The names of the infra containers of pods created by Quadlet are changed to the pod name suffixed with -infra (#23665).
• The podman system connection add command now respects HTTP path prefixes specified with tcp:// URLs.
• Proxy environment variables (e.g. https_proxy) declared in containers.conf no longer escape special characters in their values when used with podman machine VMs (#23277).
• The podman images --sort=repository command now also sorts by image tag as well, guaranteeing deterministic output ordering (#23803).
• When a user has a rootless podman machine VM running and second rootful podman machine VM initialized, and the rootless VM is removed, the connection to the second, rootful machine now becomes the default as expected (#22577).
• Environment variable secrets are no longer contained in the output of podman inspect on a container the secret is used in (#23788).
• Podman no longer exits 0 on SIGTERM by default.
• Podman no longer explicitly sets rlimits to their default value, as this could lower the actual value available to containers if it had been set higher previously.
• Quadlet user units now correctly wait for the network to be ready to use via a new service, podman-user-wait-network-online.service, instead of the user session's nonfunctional network-online.target.
• Exposed ports in the output of podman ps are now correctly grouped and deduplicated when they are also published (#23317).

Bugfixes

• Fixed a bug where the --build-context option to podman build did not function properly on Windows, breaking compatibility with Visual Studio Dev Containers (#17313).
• Fixed a bug where Quadlet would generate bad arguments to Podman if the SecurityLabelDisable or SecurityLabelNested keys were used (#23432).
• Fixed a bug where the PODMAN_COMPOSE_WARNING_LOGS environment variable did not suppress warnings printed by podman compose that it was redirecting to an external provider.
• Fixed a bug where, if the podman container cleanup command was run on a container in the process of being removed, an error could be printed.
• Fixed a bug where rootless Quadlet units placed in /etc/containers/systemd/users/ would be loaded for root as well when /etc/containers/systemd was a symlink (#23483).
• Fixed a bug where the remote Podman client's podman stop command would, if called with --cidfile pointing to a non-existent file and the --ignore option set, stop all containers (#23554).
• Fixed a bug where the podman wait would only exit only after 20 second when run on a container which rapidly exits and is then restarted by the on-failure restart policy.
• Fixed a bug where podman volume rm and podman run -v could deadlock when run simultaneously on the same volume (#23613).
• Fixed a bug where running podman mount on a container in the process of being created could cause a nonsensical error indicating the container already existed (#23637).
• Fixed a bug where the podman stop command could deadlock when run on containers with very large annotations (#22246).
• Fixed a bug where the podman machine stop command could segfault on Mac when a VM failed to stop gracefully (#23654).
• Fixed a bug where the podman stop command would not ensure containers created with --rm were removed when it exited (#22852).
• Fixed a bug where the --rmi option to podman run did not function correctly with detached containers.
• Fixed a bug where running podman inspect on a container on FreeBSD would emit an incorrect value for the HostConfig.Device field, breaking compatibility with the Ansible Podman module.
• Fixed a bug where rootless Podman could fail to start containers using the --cgroup-parent option (#23780).
• Fixed a bug where the podman build -v command did not properly handle Windows paths passed as the host directory.
• Fixed a bug where Podman could leak network namespace files if it was interrupted while creating a network namespace (#24044).
• Fixed a bug where the remote Podman client's podman run command could sometimes fail to retrieve a container's exit code for containers run with the --rm option.
• Fixed a bug where podman machine on Windows could fail to run VMs for certain usernames containing special characters.
• Fixed a bug where Quadlet would reject RemapUsers=keep-id when run as root.
• Fixed a bug where XFS quotas on volumes were not unique, meaning that all volumes...

v5.3.0-RC1

This is the first release candidate of Podman v5.3.0. Release notes will be provided next week in Podman v5.3.0-rc2.

v5.2.5

Security

• This release addresses CVE-2024-9675, which allows arbitrary access to the host filesystem from RUN --mount type=cache arguments to a Dockerfile being built.
• This release also addresses CVE-2024-9676, which allows malicious images with a symlink /etc/passwd or /etc/group to potentially cause a denial of service through reading a FIFO on the host.

Misc

• Updated Buildah to v1.37.5
• Updated the containers/storage library to v1.55.1

v5.2.4

Security

• This release addresses CVE-2024-9407, which allows arbitrary access to the host filesystem from RUN --mount arguments to a Dockerfile being built.
• This release also addresses CVE-2024-9341, allowing the mounting of arbitrary directories from the host into containers on FIPS enabled systems using a malicious image with crafted symlinks.

Misc

• Updated Buildah to v1.37.4
• Updated the containers/common library to v0.60.4

v5.2.3

Bugfixes

• Fixed a bug that could cause network namespaces to fail to unmount, resulting in Podman commands hanging.
• Fixed a bug where Podman could not run images which included SCTP exposed ports.
• Fixed a bug where containers run by the root user, but inside a user namespace (including inside a container), could not use the pasta network mode.
• Fixed a bug where volume copy-up did not properly chown empty volumes when the :idmap mount option was used.

Misc

• Updated Buildah to v1.37.3

v5.2.2

Bugfixes

• Fixed a bug where rootless Podman could fail to validate the runtime's volume path on systems with a symlinked /home (#23515).

Misc

• Updated Buildah to v1.37.2
• Updated the containers/common library to v0.60.2
• Updated the containers/image library to v5.32.2

v5.2.1

Bugfixes

• Fixed a bug where Podman could sometimes save an incorrect container state to the database, which could cause a number of issues including but not limited to attempting to clean up containers twice (#21569).

Misc

• Updated Buildah to v1.37.1
• Updated the containers/common library to v0.60.1
• Updated the containers/image library to v5.32.1