Chapter 5. Containers


The following chapter contains the most notable changes to containers between RHEL 9 and RHEL 10.

The Podman v5.0 deprecations

In RHEL 10.0 Beta, the following is deprecated in Podman v5.0:

  • The system connections and farm information stored in the containers.conf file are now read-only. The system connections and farm information will now be stored in the podman.connections.json file, managed only by Podman. Podman continues to support the old configuration options such as [engine.service_destinations] and the [farms] section. You can still add connections or farms manually if needed; however, it is not possible to delete a connection from the containers.conf file with the podman system connection rm command.
  • The slirp4netns network mode is deprecated and will be removed in a future major release of RHEL. The pasta network mode is the default network mode for rootless containers.
  • cgroups v1 for rootless containers is deprecated and will be removed in a future major release of RHEL.
  • The containernetworking-plugins package and the CNI network stack are no longer supported.

    • If you upgrade from a previous RHEL version to RHEL 10.0 Beta, or if you perform a fresh installation of RHEL 10.0 Beta, CNI is no longer available. As a result, you have to run the podman rmi --all --force command to remove all images and the containers that use those images.
    • If present, the cni value of the network_backend option in the containers.conf file must be changed to netavark or unset.

The runc container runtime has been removed

The runc container runtime is removed. The default container runtime is crun. If you upgrade from a previous RHEL version to RHEL 10.0 Beta, you have to run the podman system migrate --new-runtime=crun command to set the new OCI runtime for all existing containers.
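The two sections above name the containers.conf settings that stop working or change meaning on RHEL 10.0 Beta (the cni network backend, the runc runtime, slirp4netns for rootless networking, and the read-only connection and farm sections). The following script is an added example, not part of the RHEL documentation: it audits a containers.conf file for exactly those settings and prints the migration action the chapter prescribes for each. The sample file it writes is constructed for the demo; the SSH destination in it is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the RHEL documentation: audit a containers.conf
# for the settings that RHEL 10.0 Beta / Podman v5.0 deprecates or removes and
# print the migration action for each one. Only the settings named in the
# chapter are checked; the sample file below is constructed for the demo.

# Print the value of KEY (quoted or bare) from FILE; empty if the key is unset.
# Commented-out keys ("# runtime = ...") are ignored; trailing blanks are trimmed.
# Usage: conf_value FILE KEY
conf_value() {
    sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"?([^\"#]*)\"?.*/\1/p" "$1" \
        | head -n 1 | sed -E 's/[[:space:]]+$//'
}

# Report migration actions for FILE, one line per finding, then a count.
audit_containers_conf() {
    file=$1
    findings=0

    if [ "$(conf_value "$file" network_backend)" = "cni" ]; then
        echo "network_backend = \"cni\": CNI is no longer available; set it to \"netavark\" or unset it, then run: podman rmi --all --force"
        findings=$((findings + 1))
    fi
    if [ "$(conf_value "$file" runtime)" = "runc" ]; then
        echo "runtime = \"runc\": runc is removed; set it to \"crun\" and run: podman system migrate --new-runtime=crun"
        findings=$((findings + 1))
    fi
    if [ "$(conf_value "$file" default_rootless_network_cmd)" = "slirp4netns" ]; then
        echo "default_rootless_network_cmd = \"slirp4netns\": deprecated; remove it so rootless containers use pasta"
        findings=$((findings + 1))
    fi
    if grep -q -E '^[[:space:]]*\[(engine\.service_destinations|farms)' "$file"; then
        echo "[engine.service_destinations] / [farms]: read-only in Podman v5.0; manage connections and farms with podman system connection and podman farm"
        findings=$((findings + 1))
    fi

    echo "findings: $findings"
}

# Write a constructed containers.conf that triggers every check (demo input).
write_sample_conf() {
    cat > "$1" <<'EOF'
[network]
network_backend = "cni"
default_rootless_network_cmd = "slirp4netns"

[engine]
runtime = "runc"

[engine.service_destinations.prod]
uri = "ssh://core@podman-host.example.invalid/run/user/1000/podman/podman.sock"
EOF
}

# Audit the file given as the first argument, or the constructed sample.
if [ -n "${1:-}" ]; then
    audit_containers_conf "$1"
else
    sample=$(mktemp)
    write_sample_conf "$sample"
    audit_containers_conf "$sample"
    rm -f "$sample"
fi
```

Run it as `sh audit-containers-conf.sh /etc/containers/containers.conf` (or against the per-user copy under ~/.config/containers/) before the upgrade; a file that already uses netavark and crun produces `findings: 0`. cgroups v1 cannot be detected from this file, so check the host separately.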

Default settings changes for Podman v5.0

In RHEL 10.0 Beta, the following default settings have changed for Podman v5.0:

  • cgroups v2 is used by default instead of cgroups v1
  • pasta is the default network used by rootless containers instead of slirp4netns

tzdata package is no longer installed by default in the minimal container images

The tzdata package is no longer installed in the registry.access.redhat.com/ubi10-beta-minimal container image. As a consequence, if you migrate your minimal container builds from a previous RHEL release to RHEL 10.0 Beta, and you enter the microdnf reinstall tzdata command to reinstall the tzdata package, you get an error message because the tzdata package is no longer installed by default. In this case, enter the microdnf install tzdata command to install tzdata.

Podman and Buildah support adding OCI artifacts to image indexes

With this update, you can create artifact manifests and add them to image indexes.

The buildah manifest add command now supports the following options:

  • the --artifact option to create artifact manifests
  • the --artifact-type, --artifact-config-type, --artifact-layer-type, --artifact-exclude-titles, and --subject options to fine-tune the contents of the artifact manifests it creates.

The buildah manifest annotate command now supports the following options:

  • the --index option to set annotations on the index itself instead of on one of the entries in the image index
  • the --subject option for setting the subject field of an image index.

The buildah manifest create command now supports the --annotation option to add annotations to the new image index.

composefs filesystem is available as a Technology Preview

composefs is the default backend for container storage. The key technologies composefs uses are:

  • OverlayFS as the kernel interface
  • Enhanced Read-Only File System (EROFS) for a mountable metadata tree
  • The fs-verity feature (optional) from the lower filesystem

Key advantages of composefs:

  • Separation between metadata and data. composefs does not store any persistent data. The underlying metadata and data files are stored in a valid lower Linux filesystem such as ext4, xfs, btrfs, and so on.
  • Multiple composefs instances can be mounted with shared storage.
  • Data files are shared in the page cache, so multiple container images can share their memory.
  • Support for fs-verity validation of the content files.

Runtime resource changes in Podman are persistent

Updates to a container configuration made with the podman update command are now persistent. This enhancement applies to both the SQLite and the BoltDB database backends.

Quadlets for pods in Podman are available

Beginning with Podman v5.0, you can use Quadlet to automatically generate a systemd service file from a pod description.

The Container Tools packages have been updated

The updated Container Tools RPM meta-package, which contains the Podman, Buildah, Skopeo, crun, and runc tools, is now available. Podman v5.0 contains the following notable bug fixes and enhancements over the previous version:

  • The podman manifest add command now supports a new --artifact option to add OCI artifacts to a manifest list.
  • The podman create, podman run, and podman push commands now support the --retry and --retry-delay options to configure retries for pushing and pulling images.
  • The podman run and podman exec commands now support the --preserve-fd option to pass a list of file descriptors into the container. It is an alternative to --preserve-fds, which passes a specific number of file descriptors.
  • Quadlet now supports templated units.
  • The podman kube play command can now create image-based volumes by using the volume.podman.io/image annotation.
  • Containers created with the podman kube play command can now include volumes from other containers by using a new annotation, io.podman.annotations.volumes-from.
  • Pods created with the podman kube play command can now set user namespace options by using the io.podman.annotations.userns annotation in the pod definition.
  • The --gpus option to podman create and podman run is now compatible with Nvidia GPUs.
  • The --mount option to podman create and podman run supports a new mount option, no-dereference, to mount a symlink instead of its dereferenced target into a container.
  • Podman now supports the new --config global option to point to a Docker configuration where registry login credentials can be sourced.
  • The podman ps --format command now supports the new .Label format specifier.
  • The uidmapping and gidmapping options to the podman run --userns=auto option can now map to host IDs by prefixing host IDs with the @ symbol.
  • Quadlet now supports systemd-style drop-in directories.
  • Quadlet now supports creating pods by using the new .pod unit files.
  • Quadlet now supports two new keys, Entrypoint and StopTimeout, in .container files.
  • Quadlet now supports specifying the Ulimit key multiple times in .container files to set more than one ulimit on a container.
  • Quadlet now supports setting the Notify key to healthy in .container files, to only notify that a container has started when its health check begins passing.
  • The output of the podman inspect command for containers has changed. The Entrypoint field changes from a string to an array of strings and StopSignal from an integer to a string.
  • The podman inspect command for containers now returns nil for health checks when inspecting containers without health checks.
  • It is no longer possible to create new BoltDB databases. Attempting to do so results in an error. All new Podman installations now use the SQLite database backend. Existing BoltDB databases remain usable.
  • Support for CNI networking is gated by a build tag and is not enabled by default.
  • Podman now prints warnings when used on cgroups v1 systems. Support for cgroups v1 is deprecated and will be removed in a future release. You can set the PODMAN_IGNORE_CGROUPSV1_WARNING environment variable to suppress warnings.
  • Network statistics sent over the Docker-compatible API are now per-interface, and not aggregated, which improves Docker compatibility.
  • The default tool for rootless networking has been changed from slirp4netns to pasta for improved performance. As a result, networks named pasta are no longer supported.
  • Using multiple filters with the List Images REST API now combines the filters with AND instead of OR, improving Docker compatibility.
  • The parsing for a number of Podman CLI options that accept arrays has been changed to no longer accept string-delimited lists, and instead to require the option to be passed multiple times. These options are:

    • The --annotation option to podman manifest annotate and podman manifest add
    • The --configmap, --log-opt, and --annotation options to podman kube play
    • The --pubkeysfile option to podman image trust set
    • The --encryption-key and --decryption-key options to podman create, podman run, podman push and podman pull
    • The --env-file option to podman exec, and the --blkio-weight-device, --device-read-bps, --device-write-bps, --device-read-iops, --device-write-iops, --device, --label-file, --chrootdirs, --log-opt, and --env-file options to podman create and podman run
    • The --hooks-dir and --module global options
  • The podman system reset command no longer waits for running containers to stop, and instead immediately sends the SIGKILL signal.
  • The podman network inspect command now includes running containers that use the network in its output.
  • The podman compose command is now supported on other architectures in addition to AMD and Intel 64-bit architectures (x86-64-v2) and the 64-bit ARM architecture (ARMv8.0-A).
  • The --no-trunc option to the podman kube play and podman kube generate commands has been deprecated. Podman now complies with the Kubernetes specification for annotation size, which removes the need for this option.
  • Connections from the podman system connection command and farms from the podman farm command are now written to a new configuration file called podman-connections.conf. As a result, Podman no longer writes to the containers.conf file. Podman still respects existing connections from containers.conf.
  • Most podman farm subcommands no longer need to connect to the machines in the farm to run.
  • The podman create and podman run commands no longer require specifying an entrypoint on the command line when the container image does not define one. In this case, an empty command is passed to the OCI runtime, and the resulting behavior is runtime-specific.
  • A new API endpoint, /libpod/images/$name/resolve, has been added to resolve a potential short name to a list of fully-qualified image references that Podman can use to pull the image.
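The list above notes that several array-valued options no longer accept a comma-delimited list and must instead be repeated. Wrapper scripts written for Podman v4 commonly build such lists in a variable, so a small converter is the practical migration tool. The following is an added example, not part of the RHEL documentation or of Podman: expand_opt rewrites one old-style value into the repeated form, one "OPTION value" pair per line, and expand_count reports how many options that produces. The option names and values in the demo are constructed.

```shell
#!/bin/sh
# Added example, not part of the RHEL documentation: Podman v5.0 no longer
# splits comma-delimited values for options such as --env-file, --annotation
# or --device, so "--env-file base.env,override.env" must become two
# --env-file options. expand_opt rewrites one old-style value into that
# repeated form, one "OPTION value" pair per line. Empty items are dropped.
# Values are printed as-is (no re-quoting), so only feed the output to
# xargs or "set --" for values that contain no whitespace.

# Usage: expand_opt OPTION "value1,value2,..."
expand_opt() {
    opt=$1
    list=$2
    old_ifs=$IFS
    IFS=,
    set -f                      # no globbing while the value is word-split
    for value in $list; do
        if [ -n "$value" ]; then
            printf '%s %s\n' "$opt" "$value"
        fi
    done
    set +f
    IFS=$old_ifs
}

# Number of repeated options expand_opt emits for a value (quick sanity check).
# Usage: expand_count OPTION "value1,value2,..."
expand_count() {
    expand_opt "$1" "$2" | wc -l | tr -d '[:space:]'
}

# Demo on a constructed value: the former single --env-file list becomes
# two --env-file options.
expand_opt --env-file "base.env,override.env"
```

Run over a list captured from an old script, `expand_opt --annotation "$OLD_ANNOTATIONS" | xargs podman manifest annotate ...` passes the same annotations in the form Podman v5.0 requires; a result of `expand_count ... = 1` tells you the invocation needs no change.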
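The section "Quadlets for pods in Podman are available" and the Quadlet items in the list above (.pod unit files, drop-in directories, the Entrypoint and StopTimeout keys, repeated Ulimit keys, and Notify=healthy) fit together in one deployment. The following unit files are an added example written for this page, not files from the RHEL documentation or the Podman project; the pod and unit names, the image reference, the published port and the health endpoint are assumed placeholders. The three files are shown in one block and separated by comment lines naming each file.

```ini
# Added example, not from the RHEL documentation or the Podman project.
# Rootless units live under ~/.config/containers/systemd/, root units under
# /etc/containers/systemd/. Unit names, image, port and health URL are assumed.

# --- web.pod: the pod; Quadlet generates web-pod.service from it ---
[Pod]
PodName=web
PublishPort=8080:80

[Install]
WantedBy=default.target

# --- web-app.container: a container that joins the pod ---
[Unit]
Description=Application container in the web pod

[Container]
# placeholder image reference
Image=registry.example.invalid/app:1.0
Pod=web.pod
# Entrypoint and StopTimeout are new [Container] keys in Podman v5.0
Entrypoint=/usr/bin/app
Exec=--listen 0.0.0.0:80
StopTimeout=20
# Ulimit may be repeated to set more than one limit
Ulimit=nofile=4096:8192
Ulimit=nproc=512
# Notify=healthy delays the "started" notification until this check passes
HealthCmd=/usr/bin/curl -fsS http://127.0.0.1:80/healthz
HealthInterval=10s
Notify=healthy

[Service]
Restart=on-failure

[Install]
WantedBy=default.target

# --- web-app.container.d/10-env.conf: a systemd-style drop-in that is merged
# --- into web-app.container without editing the unit itself
[Container]
Environment=APP_LOG_LEVEL=info
```

After placing the files, run `systemctl --user daemon-reload` and `systemctl --user start web-pod.service` (omit --user for units under /etc/containers/systemd/); the container unit binds to the pod service and is started with it. To inspect the generated services before enabling anything, run `/usr/libexec/podman/quadlet -dryrun -user`, which prints the systemd units Quadlet would write.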

For more information about notable changes, see the upstream Podman release notes.


© 2024 Red Hat, Inc.