Chapter 5. Containers
The following chapter contains the most notable changes to containers between RHEL 9 and RHEL 10.
The Podman v5.0 deprecations
In RHEL 10.0 Beta, the following is deprecated in Podman v5.0:
- The system connections and farm information stored in the containers.conf file are now read-only. The system connections and farm information will now be stored in the podman.connections.json file, managed only by Podman. Podman continues to support the old configuration options such as [engine.service_destinations] and the [farms] section. You can still add connections or farms manually if needed; however, it is not possible to delete a connection from the containers.conf file with the podman system connection rm command.
- The slirp4netns network mode is deprecated and will be removed in a future major release of RHEL. The pasta network mode is the default network mode for rootless containers.
- cgroups v1 for rootless containers is deprecated and will be removed in a future major release of RHEL.
- The containernetworking-plugins package and the CNI network stack are no longer supported.
  - If you upgrade from the previous RHEL versions to RHEL 10.0 Beta or if you have a fresh installation of RHEL 10.0 Beta, CNI is no longer available. As a result, you have to run the podman rmi --all --force command to remove all images and containers that are using those images.
  - If present, the cni value in the containers.conf file for the network_backend option must be changed to netavark or can be unset.
The runc container runtime has been removed
The runc container runtime is removed. The default container runtime is crun. If you upgrade from the previous RHEL versions to RHEL 10.0 Beta, you have to run the podman system migrate --new-runtime=crun command to set a new OCI runtime for all containers.
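As an added example that is not part of the RHEL documentation, the following POSIX shell helper checks a containers.conf for the settings this chapter says must change before the podman rmi --all --force and podman system migrate --new-runtime=crun steps, and rewrites them in place. It goes one step beyond the page by also switching a pinned runtime = "runc" under [engine] to crun, since runc is removed; the sample file content is constructed, and a real file usually lives at /etc/containers/containers.conf or ~/.config/containers/containers.conf.

```shell
#!/bin/sh
# Added example, not from the RHEL documentation: pre-upgrade check of a
# containers.conf for settings that RHEL 10.0 Beta no longer supports.
# The sample file content below is constructed; a real file usually lives at
# /etc/containers/containers.conf or ~/.config/containers/containers.conf.

# Print the active (uncommented) value of KEY in FILE, or "unset".
# Handles the quoted-string form used by containers.conf, e.g. key = "value".
conf_value() {
    v=$(sed -nE "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"([^\"]*)\".*/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${v:-unset}"
}

# Rewrite an active KEY = "OLD" line in FILE to KEY = "NEW", in place,
# leaving commented-out lines untouched. Portable (no sed -i).
conf_replace() {
    tmp=$(mktemp)
    sed -E "s/^([[:space:]]*$2[[:space:]]*=[[:space:]]*)\"$3\"/\1\"$4\"/" "$1" > "$tmp" && mv "$tmp" "$1"
}

# Apply the changes this chapter calls for: network_backend = "cni" must
# become "netavark" (or be unset). The runtime check is an extension beyond
# the page: runc is removed, so a pinned runtime = "runc" is switched to crun.
# Returns 0 when nothing needed changing, 1 when the file was modified.
fix_containers_conf() {
    changed=0
    if [ "$(conf_value "$1" network_backend)" = "cni" ]; then
        conf_replace "$1" network_backend cni netavark; changed=1
    fi
    if [ "$(conf_value "$1" runtime)" = "runc" ]; then
        conf_replace "$1" runtime runc crun; changed=1
    fi
    return $changed
}

# Constructed sample: a RHEL 9 style file still pinned to CNI and runc.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[network]
# network_backend = "cni"
network_backend = "cni"

[engine]
runtime = "runc"
EOF
```

Run fix_containers_conf against the real file before the upgrade; the image cleanup and the runtime migration of existing containers still need the two podman commands given above.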
Default settings changes for Podman v5.0
In RHEL 10.0 Beta, the following default settings have changed for Podman v5.0:
- cgroups v2 is used by default instead of cgroups v1
- pasta is the default network used by rootless containers instead of slirp4netns
The tzdata package is no longer installed by default in the minimal container images
The tzdata package is no longer installed in the registry.access.redhat.com/ubi10-beta-minimal container image. As a consequence, if you migrate your minimal container builds from a previous RHEL release to RHEL 10.0 Beta and you enter the microdnf reinstall tzdata command to reinstall the tzdata package, you get an error message because the tzdata package is no longer installed by default. In this case, enter the microdnf install tzdata command to install tzdata.
Podman and Buildah support adding OCI artifacts to image indexes
With this update, you can create artifact manifests and add them to image indexes.
The buildah manifest add command now supports the following options:
- the --artifact option to create artifact manifests
- the --artifact-type, --artifact-config-type, --artifact-layer-type, --artifact-exclude-titles, and --subject options to fine-tune the contents of the artifact manifests it creates
The buildah manifest annotate command now supports the following options:
- the --index option to set annotations on the index itself instead of one of the entries in the image index
- the --subject option for setting the subject field of an image index
The buildah manifest create command now supports the --annotation option to add annotations to the new image index.
composefs filesystem is available as a Technology Preview
composefs is the default backend for container storage. The key technologies composefs uses are:
- OverlayFS as the kernel interface
- Enhanced Read-Only File System (EROFS) for a mountable metadata tree
- The fs-verity feature (optional) from the lower filesystem
Key advantages of composefs:
- Separation between metadata and data. composefs does not store any persistent data. The underlying metadata and data files are stored in a valid lower Linux filesystem such as ext4, xfs, btrfs, and so on.
- Mounting multiple composefs with a shared storage.
- Data files are shared in the page cache to enable multiple container images to share their memory.
- Support for fs-verity validation of the content files.
Runtime resource changes in Podman are persistent
The updates of container configuration by using the podman update command are persistent. Note that this enhancement is for both SQLite and BoltDB database backends.
Quadlets for pods in Podman are available
Beginning with Podman v5.0, you can use Quadlet to automatically generate a systemd service file from a pod description.
The Container Tools packages have been updated
The updated Container Tools RPM meta-package, which contains the Podman, Buildah, Skopeo, crun, and runc tools, is now available. Podman v5.0 contains the following notable bug fixes and enhancements over the previous version:
- The podman manifest add command now supports a new --artifact option to add OCI artifacts to a manifest list.
- The podman create, podman run, and podman push commands now support the --retry and --retry-delay options to configure retries for pushing and pulling images.
- The podman run and podman exec commands now support the --preserve-fd option to pass a list of file descriptors into the container. It is an alternative to --preserve-fds, which passes a specific number of file descriptors.
- Quadlet now supports templated units.
- The podman kube play command can now create image-based volumes by using the volume.podman.io/image annotation.
- Containers created with the podman kube play command can now include volumes from other containers by using a new annotation, io.podman.annotations.volumes-from.
- Pods created with the podman kube play command can now set user namespace options by using the io.podman.annotations.userns annotation in the pod definition.
- The --gpus option to podman create and podman run is now compatible with Nvidia GPUs.
- The --mount option to podman create and podman run supports a new mount option, no-dereference, to mount a symlink instead of its dereferenced target into a container.
- Podman now supports the new --config global option to point to a Docker configuration where registry login credentials can be sourced.
- The podman ps --format command now supports the new .Label format specifier.
- The uidmapping and gidmapping options to the podman run --userns=auto option can now map to host IDs by prefixing host IDs with the @ symbol.
- Quadlet now supports systemd-style drop-in directories.
- Quadlet now supports creating pods by using the new .pod unit files.
- Quadlet now supports two new keys, Entrypoint and StopTimeout, in .container files.
- Quadlet now supports specifying the Ulimit key multiple times in .container files to set more than one ulimit on a container.
- Quadlet now supports setting the Notify key to healthy in .container files, to only notify that a container has started when its health check begins passing.
- The output of the podman inspect command for containers has changed. The Entrypoint field changes from a string to an array of strings and StopSignal from an integer to a string.
- The podman inspect command for containers now returns nil for health checks when inspecting containers without health checks.
- It is no longer possible to create new BoltDB databases. Attempting to do so results in an error. All new Podman installations now use the SQLite database backend. Existing BoltDB databases remain usable.
- Support for CNI networking is gated by a build tag and is not enabled by default.
- Podman now prints warnings when used on cgroups v1 systems. Support for cgroups v1 is deprecated and will be removed in a future release. You can set the PODMAN_IGNORE_CGROUPSV1_WARNING environment variable to suppress warnings.
- Network statistics sent over the Docker-compatible API are now per-interface, and not aggregated, which improves Docker compatibility.
- The default tool for rootless networking has been changed from slirp4netns to pasta for improved performance. As a result, networks named pasta are no longer supported.
- Using multiple filters with the List Images REST API now combines the filters with AND instead of OR, improving Docker compatibility.
- The parsing for a number of Podman CLI options which accept arrays has been changed to no longer accept string-delimited lists, and instead to require the option to be passed multiple times. These options are:
  - The --annotation option to podman manifest annotate and podman manifest add
  - The --configmap, --log-opt, and --annotation options to podman kube play
  - The --pubkeysfile option to podman image trust set
  - The --encryption-key and --decryption-key options to podman create, podman run, podman push, and podman pull
  - The --env-file option to podman exec, and the --blkio-weight-device, --device-read-bps, --device-write-bps, --device-read-iops, --device-write-iops, --device, --label-file, --chrootdirs, --log-opt, and --env-file options to podman create and podman run
  - The --hooks-dir and --module global options
- The podman system reset command no longer waits for running containers to stop, and instead immediately sends the SIGKILL signal.
- The podman network inspect command now includes running containers that use the network in its output.
- The podman compose command is now supported on other architectures in addition to AMD and Intel 64-bit architectures (x86-64-v2) and the 64-bit ARM architecture (ARMv8.0-A).
- The --no-trunc option to the podman kube play and podman kube generate commands has been deprecated. Podman now complies with the Kubernetes specification for annotation size, which removes the need for this option.
- Connections from the podman system connection command and farms from the podman farm command are now written to a new configuration file called podman-connections.conf. As a result, Podman no longer writes to the containers.conf file. Podman still respects existing connections from containers.conf.
- Most podman farm subcommands no longer need to connect to the machines in the farm to run.
- The podman create and podman run commands no longer require specifying an entrypoint on the command line when the container image does not define one. In this case, an empty command is passed to the OCI runtime, and the resulting behavior is runtime-specific.
- A new API endpoint, /libpod/images/$name/resolve, has been added to resolve a potential short name to a list of fully-qualified image references, which Podman can use to pull the image.
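As an added example that is not part of the RHEL documentation, the following shell function writes a Quadlet pod unit and a container unit that joins it, exercising the Podman v5.0 Quadlet features this chapter describes (the .pod unit files from the Quadlets for pods section above, plus the Entrypoint, StopTimeout, repeated Ulimit and Notify=healthy keys from the list above). The unit names, image, port and health-check endpoint are hypothetical.

```shell
#!/bin/sh
# Added example, not from the RHEL documentation: a Quadlet .pod unit plus a
# .container unit that joins it, using the Podman v5.0 keys this chapter
# lists (Pod=, Entrypoint=, StopTimeout=, repeated Ulimit=, Notify=healthy).
# The unit names, image and health endpoint are constructed for illustration.

# Write the two unit files into DIR. On a real host DIR is
# /etc/containers/systemd (root) or ~/.config/containers/systemd (rootless),
# followed by systemctl daemon-reload and systemctl start demo-pod.service.
write_quadlet_demo() {
    mkdir -p "$1"
    cat > "$1/demo.pod" <<'EOF'
[Pod]
# Publish on the pod so member containers share its network namespace.
PublishPort=8080:8080

[Install]
WantedBy=default.target
EOF
    cat > "$1/demo-web.container" <<'EOF'
[Container]
Image=registry.example.com/demo/web:latest
# Join the pod generated from demo.pod.
Pod=demo.pod
# Entrypoint is its own key; Exec supplies the arguments.
Entrypoint=/usr/local/bin/web
Exec=--listen 0.0.0.0:8080
# Repeated Ulimit keys set more than one ulimit on the container.
Ulimit=nofile=4096:8192
Ulimit=nproc=512:1024
# With Notify=healthy, systemd is told the unit has started only once the
# health check begins passing.
HealthCmd=curl -fsS http://127.0.0.1:8080/healthz
HealthInterval=10s
Notify=healthy
# Seconds to wait after SIGTERM before the container is killed on stop.
StopTimeout=30

[Install]
WantedBy=default.target
EOF
}

# Count the active settings of KEY in a unit file (Quadlet allows some keys,
# such as Ulimit, to repeat; 0 means the key is absent).
quadlet_key_count() {
    grep -c "^$2=" "$1" || true
}
```

Quadlet generates demo-pod.service from demo.pod and demo-web.service from demo-web.container.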
For more information about notable changes, see upstream release notes.